100 Things Netadmin

Apr 07, 2018

8/6/2019 100 Things Netadmin

1/29

Page 1. Copyright 2005 CNET Networks, Inc. All rights reserved.

For more downloads and a free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html

Version 1.0

November 7, 2005

100 things you should know about handling net admin tasks more effectively

This collection of tips comes from TechRepublic downloads written by David Davis, Scott Lowe, Scott Robinson, Deb Shinder, Dr. Thomas W. Shinder, and Rick Vanover. To see a current listing of "10 things" resources, click here.

Table of contents

10 things you should know about troubleshooting VPN connections .......... 2
10 things you should know about securing wireless connections .......... 5
10 things you should know about AD domain trusts .......... 7
10 things you should know about the NETSH tool .......... 9
10 things you should know about working with permissions .......... 12
10 things you should know about Microsoft SQL Server 2005 .......... 15
10 things you should know about Microsoft SharePoint Services .......... 17
10 things you should know about Microsoft Windows Server Update Services (WSUS) .......... 20
10 things you should know about Cisco IOS access control lists (ACLs) .......... 22
10 things you should know about managing IT projects .......... 25


10 things you should know about troubleshooting VPN connections

1. Users can't access file servers

If the user can access the file server using an IP address but not a name, then the most likely reason for failure to connect is a name resolution problem. Name resolution can fail for NetBIOS or DNS host names. If the client operating system is NetBIOS dependent, the VPN clients should be assigned a WINS server address by the VPN server. If the client operating system uses DNS preferentially, VPN clients should be assigned an internal DNS server that can resolve internal network host names.

When using DNS to resolve internal network host names for VPN clients, make sure that these clients are able to correctly resolve unqualified fully qualified domain names used on the corporate network. This problem is seen most often when non-domain computers attempt to use DNS to resolve server names on the internal network behind the VPN server.

2. Users can't access anything on the corporate network

Sometimes users will be able to connect to the remote access VPN server but are unable to connect to any resources on the corporate network. They are unable to resolve host names and unable to even ping resources on the corporate network.

The most common reason for this problem is that users are connected to a network on the same network ID as the corporate network located behind the VPN server. For example, the user is connected to a hotel broadband network and is assigned a private IP address on network ID 10.0.0.0/24. If the corporate network is also on network ID 10.0.0.0/24, they won't be able to connect because the VPN client machine sees the destination as being on the local network and will not send the connection to the remote network through the VPN interface.

Another common reason for communications failures is that the VPN clients are not allowed access to resources on the corporate network due to firewall rules on the colocated VPN server/firewall device to which they are connected. The solution is to configure the firewall to allow the VPN clients access to the appropriate network resources.

3. Users can't connect to VPN server from behind NAT devices

Most firewalls and NAT routers support the PPTP VPN protocol from behind a NAT. However, some high profile network equipment vendors don't include a NAT editor for the PPTP VPN protocol. If the user is located behind such a device, the VPN connection will fail for PPTP attempts but may work for alternate VPN protocols.

All NAT devices and firewalls support IPSec passthrough for IPSec-based VPN protocols. These VPN protocols include proprietary implementations of IPSec tunnel mode and RFC compliant L2TP/IPSec. These VPN protocols can support NAT traversal by encapsulating the IPSec communications in a UDP header.

If your VPN client and server support NAT traversal and the client attempts to use L2TP/IPSec to connect to a NAT-T compliant VPN server from across a NAT, the most likely reason for this failure is that the client is running Windows XP Service Pack 2. Service Pack 2 broke NAT traversal for L2TP/IPSec VPN clients. You can solve this problem with a Registry entry on the VPN client computer, as described in a KB article at http://support.microsoft.com/default.aspx?scid=kb;en-us;885407

4. Users complain of slow performance

Slow performance is one of the most difficult problems to troubleshoot. There are a number of reasons why VPN clients appear to perform poorly, and it's critical to have the users describe exactly what they are doing when they experience poor performance.

One of the more common reasons for poor performance for VPN clients is when those clients are located behind DSL networks employing PPPoE. These network connections often encounter MTU problems that can cause both connectivity and performance issues. For more information on MTU issues for Windows clients, check out http://support.microsoft.com/default.aspx?scid=kb;en-us;283165


5. Users can connect via PPTP but not L2TP/IPSec

PPTP is a simple protocol to set up on both the VPN server and client. All the user requires is the built-in VPN client software included with all versions of the Microsoft operating system and a valid user name and password for an account that has remote access permissions. The VPN server component, if based on Windows Routing and Remote Access Service (and just about any other VPN server supporting PPTP remote access VPN client connections), is easy to set up and usually works automatically after running a short configuration wizard.

L2TP/IPSec is more complex. Both the user and the user's machine must be able to authenticate with the VPN server. Machine authentication can use either a pre-shared key or a machine certificate. If you use pre-shared keys (not recommended for security reasons), check that the VPN client is configured to use the same pre-shared key as the server. If you use machine certificates, confirm that the VPN client machine has a machine certificate and that it also trusts the certificate authority that issued the VPN server's machine certificate.

6. Site-to-site VPNs connect but no traffic passes between the VPN gateways

When creating site-to-site VPN connections between Windows RRAS servers, you may find that the VPN connection seems to be established, but traffic does not move between the connected networks. Name resolution fails between the networks and hosts are unable to even ping hosts on the remote site network.

The most common reason for this failure is that both sides of the site-to-site network connection are on the same network ID. The solution is to change the IP addressing scheme on one or more networks so that all networks joined by the site-to-site VPN are on different network IDs.
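The network ID collision described for remote access clients (tip 2) and for site-to-site links (tip 6) can be checked from the client's ipconfig output before anyone starts changing addressing. This is an added example, not code from the TechRepublic document; apart from the 10.0.0.0/24 hotel case from the text, the addresses are constructed.

```python
"""Check whether a VPN client's (or a site's) locally connected network IDs
collide with the network IDs that should be reached through the tunnel.
Added example, not part of the TechRepublic document."""
import ipaddress
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network


def overlapping_network_ids(local: Iterable[str], remote: Iterable[str]) -> List[Tuple[str, str]]:
    """Return every (local, remote) pair of network IDs that overlap.

    The client treats any destination inside one of its directly connected
    network IDs as on-link, so a collision with a remote network ID means
    traffic for that range is never sent through the VPN interface."""
    local_nets = [Net(n, strict=False) for n in local]
    remote_nets = [Net(n, strict=False) for n in remote]
    return [(str(l), str(r)) for l in local_nets for r in remote_nets if l.overlaps(r)]


def goes_through_tunnel(destination: str, local: Iterable[str]) -> bool:
    """Model the client's routing decision for one destination address.

    False when the destination falls inside a locally connected network ID:
    the client will look for it on the local segment instead of using the VPN."""
    addr = ipaddress.IPv4Address(destination)
    return not any(addr in Net(n, strict=False) for n in local)


if __name__ == "__main__":
    # Remote access case from the text: hotel LAN and corporate LAN both 10.0.0.0/24.
    hotel = ["10.0.0.0/24"]
    corporate = ["10.0.0.0/24", "10.0.1.0/24"]          # second range constructed
    print(overlapping_network_ids(hotel, corporate))
    print(goes_through_tunnel("10.0.0.25", hotel))      # on-link, never enters the tunnel
    print(goes_through_tunnel("10.0.1.25", hotel))      # routed through the VPN
    # Site-to-site case (constructed): both sites numbered 192.168.1.0/24.
    print(overlapping_network_ids(["192.168.1.0/24"], ["192.168.1.0/24"]))
```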

7. Users can't establish IPSec tunnel mode connections from behind some firewalls

Often, the VPN server and clients are correctly configured to use an IPSec tunnel mode or L2TP/IPSec NAT-T connection to connect to a remote VPN server and the connection fails. Sometimes, you'll see this happen after a first client makes a successful connection, but subsequent clients from behind the same NAT device fail.

The reason for this problem is that not all IPSec NAT-T VPN servers are RFC compliant. RFC compliance requires that the destination NAT-T VPN server support IKE negotiations from source port UDP 500 and that it be able to multiplex connections from multiple clients behind the same VPN gateway.

The solution to this problem is to contact your VPN server vendor and confirm that their implementation of VPN IPSec NAT-T is RFC compliant. If not, ask if there is a firmware update.

8. Users can't reach some network IDs on the corporate network

Users sometimes report that they can connect to some servers after establishing the VPN connection but not to other servers to which they should have access. When they test the connection, they can't ping the destination server using either a name or IP address.

A common reason for this problem is that the VPN server does not have routing table entries for all network IDs that the VPN clients need to connect to. Users are able to connect to servers that are on-subnet with the VPN server but are unable to connect to network IDs remote from the VPN server. The solution to this problem is to populate the routing table on the VPN server so that it has a gateway address for all network IDs that VPN clients must be able to connect to.


9. Users can't connect to the Internet when connected to the VPN server

Sometimes, users are unable to connect to the Internet after the VPN link is established. Once the VPN link is disconnected, the users have no problem connecting to the Internet.

This problem arises when the VPN client software is configured to use the VPN server as its default gateway. This is the default setting for the Microsoft VPN client software. Since all Internet hosts are remote from the VPN client's location, Internet connections are routed to the VPN server. If the VPN server is not configured to allow Internet connections from VPN clients, the Internet connection attempts fail.

The solution to this problem is to configure the VPN server to allow VPN clients access to the Internet. The Windows RRAS server supports this configuration, and so do many firewalls. Resist the urge to disable the setting configuring the VPN client to use the VPN server as its default gateway, as this enables split tunneling, which is a well-known VPN client security risk.

10. Multiple users connect to the VPN server using the same PPP authentication credentials

A risk for all organizations implementing remote access VPN servers is that users will share username and password information with one another. Most VPN server implementations enable you to not only authenticate users before allowing a VPN connection, but also to authorize a VPN connection. A user might be able to successfully authenticate, but if that user is not authorized to access the network via VPN, the connection request is dropped. If users share credentials, this creates a situation where an unauthorized user can access the network with an authorized user's credentials.

A solution to this problem is to use an extended authentication scheme. For example, you can assign users client (user) certificates for authentication, so that user credentials are never entered by the user. Other schemes include smart card authentication, biometric authentication, and other forms of two-factor authentication.


10 things you should know about securing wireless connections

1. Use encryption

Encryption is the number one security measure, but many wireless access points (WAPs) don't have encryption enabled by default. Although most WAPs support the Wired Equivalent Privacy (WEP) protocol, it's not enabled by default. WEP has a number of security flaws, and a knowledgeable hacker can crack it, but it's better than no encryption at all. Be sure to set the WEP authentication method for shared key rather than open system. The latter does not encrypt the data; it only authenticates the client. Change the WEP key frequently and use 128-bit WEP rather than 40-bit.

2. Use strong encryption

Because of WEP's weaknesses, you should use the Wi-Fi Protected Access (WPA) protocol instead of WEP if possible. To use WPA, your WAP must support it (you may be able to add support to an older WAP with a firmware upgrade); your wireless network access cards (NICs) must support it (again, a firmware update may be necessary); and your wireless client software must support it. Windows XP Service Pack 2 installs the WPA client. SP1 machines can be updated to support WPA by installing the Windows WPA client with the Wireless Update Rollup Package (see http://support.microsoft.com/kb/826942/). Another encryption option is to use IPsec, if your wireless router supports it.

3. Change the default administrative password

Most manufacturers use the same default administrative password for all their wireless access points (or at least, all those of a particular model). Those default passwords are common knowledge among hackers, who can use them to change your WAP settings. The first thing you should do when you set up a WAP is change the default password to a strong password (eight characters or more in length, using a combination of alpha and numeric characters, not using words that are in the dictionary).

4. Turn off SSID broadcasting

The Service Set Identifier (SSID) is the name of your wireless network. By default, most WAPs broadcast the SSID. This makes it easy for users to find the network, as it shows up on their list of available networks on their wireless client computers. If you turn off broadcasting, users will have to know the SSID to connect. Some folks will tell you that turning off SSID broadcasting is useless because a hacker can use packet sniffing software to capture the SSID even if broadcasting is turned off. That's true, but why make it easier for them? That's like saying burglars can buy lockpicks, so locking the door is useless. Turning off broadcasting won't deter a serious hacker, but it will protect from the casual piggybacker (for example, a next door neighbor who notices the new network and decides to try connecting just for fun).

5. Turn off the WAP when not in use

This one may seem simplistic, but few companies or individuals do it. If you have wireless users connecting only at certain times, there's no reason to run the wireless network all the time and provide an opportunity for intruders. You can turn off the access point when it's not in use, such as at night when everyone goes home and there is no need for anyone to connect wirelessly.


6. Change the default SSID

Manufacturers provide a default SSID, often the equipment name (such as Linksys). The purpose of turning off SSID broadcasting was to prevent others from knowing the network name, but if you use the default name, it's not too difficult to guess. As mentioned, hackers can use tools to sniff the SSID, so don't change the name to something that gives them information about you or your company (such as the company name or your physical address).

7. Use MAC filtering

Most WAPs (although not some of the cheapest ones) will allow you to use media access control (MAC) address filtering. This means you can set up a sort of white list of computers that are allowed to connect to your wireless network, based on the MAC or physical addresses assigned to their network cards. Communications from MAC addresses that aren't on the list will be refused.

The method isn't foolproof, since it's possible for hackers to capture packets transmitted over the wireless network and determine a valid MAC address of one of your users and then spoof the address. But it does make things more difficult for a would-be intruder, and that's what security is really all about.

8. Isolate the wireless network from the rest of the LAN

To protect your wired internal network from threats coming over the wireless network, create a wireless DMZ or perimeter network that's isolated from the LAN. That means placing a firewall between the wireless network and the LAN. Then you can require that in order for any wireless client to access resources on the internal network, he or she will have to authenticate with a remote access server and/or use a VPN. This provides an extra layer of protection.

For instructions on how to allow VPN access to your network from a wireless DMZ created with Microsoft's ISA Server firewall, see http://techrepublic.com.com/5100-6350_11-5807148.html. [You'll need a TechProGuild subscription to access this content.]

9. Control the wireless signal

The typical 802.11b WAP transmits up to about 300 feet. However, this range can be extended by a more sensitive antenna. By attaching a high gain external antenna to your WAP, you can get a longer reach, but this may expose you to war drivers and others outside your building. A directional antenna will transmit the signal in a particular direction, instead of in a circle like the omnidirectional antenna that usually comes built into the WAP. Thus, through antenna selection you can control both the signal range and its direction to help protect from outsiders. In addition, some WAPs allow you to adjust signal strength and direction via their settings.

10. Transmit on a different frequency

One way to hide from hackers who use the more common 802.11b/g wireless technology is to go with 802.11a instead. Since it operates on a different frequency (the 5 GHz range, as opposed to the 2.4 GHz range in which b/g operate), NICs made for the more common wireless technologies won't pick up its signals. Sure, this is a type of security through obscurity, but it's perfectly valid when used in conjunction with other security measures. After all, security through obscurity is exactly what we advocate when we tell people not to let others know their social security numbers and other identification information.

A drawback of 802.11a, and one of the reasons it's less popular than b/g, is that the range is shorter: about half the distance of b/g. It also has difficulty penetrating walls and obstacles. From a security standpoint, this disadvantage is actually an advantage, as it makes it more difficult for an outsider to intercept the signal even with equipment designed for the technology.


10 things you should know about AD domain trusts

1. Determine what kind of trust you should use

Before deploying a domain trust, you should ensure that the type(s) used are correct for the tasks at hand. Consider the following dimensions of a trust:

Type: Identifies the types of domains involved in the trust(s).

Transitivity: Determines whether one trust can let a trusted domain pass through to a third domain.

Direction: Identifies the direction of access and trust (trusted accounts and trusting resources).

Type              Transitivity                  Direction
Parent and Child  Transitive                    2-way
Tree-root         Transitive                    2-way
External          Nontransitive                 1-way OR 2-way
Realm             Transitive or Nontransitive   1-way OR 2-way
Forest            Transitive                    1-way OR 2-way
Shortcut          Transitive                    1-way OR 2-way

2. Get familiar with the Active Directory Domains And Trusts Console

Trust relationships are managed via the Active Directory Domains And Trusts Console. It lets you perform these basic tasks:

Raise domain functional level

Raise forest functional level

Add UPN suffixes

Manage domain trust

Manage forest trust

For details on using this tool, see "TechRepublic Guided Tour: Active Directory Domains And Trusts Console." (Note: A TechProGuild membership is required to access the article.)

3. Know the tools

As with most other elements of the Windows Server family, command-line tools can be used to script repetitive tasks or to ensure consistency in the case of trust creation. Some of the top tools include:

NETDOM: Used to establish or break trust types.

NETDIAG: The output of this tool can give basic status on trust relationships.

NLTEST: Can be used to verify a trust relationship.

You can also use Windows Explorer to view membership to shared resources as they are assigned from trusted domains and/or forests. Active Directory Users And Computers can also provide membership details of Active Directory objects that have members from trusted domains and/or forests.

4. Set up a test environment

Depending on your environment and usage requirements, a simple mishap in the creation of domain trusts can have enterprise-wide repercussions. But it's difficult to set up a completely similar test environment to replicate multi-domain and forest issues. Having similar domain scenarios is easier to facilitate, as a means to reinforce the principles and test basic functionality. Consider also template Active Directory objects to test on the live domain relationships to ensure that the desired functionality is obtained but not exceeded before using live groups, accounts, and other objects.

5. Review privileges

When trusts are created, it's important to ensure that the desired functionality is achieved. But be sure to review the configured trust to verify that the direction of access is correct. For example, if domain A needs to access only a limited amount of resources on domain B, a two-way trust would suffice. However, an administrator from domain B may be able to assign access to resources on domain A. Ensuring the desired direction, type, and transitivity of trusts is critical.

6. Map out the trusts

Create a map of trusts with simple arrows and boxes illustrating which domains will be trusting and trusted and which trusts will be 1-way and 2-way. Then, with the simple picture(s) in place, map out which domains will trust which, and determine the transitivity as well. This simple chart will make more sense of the greater task at hand and allow you to determine which domains need direction of access and in which direction. Some domains will simply act as a gateway for transitive access to other domains.
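The arrows-and-boxes map can be checked mechanically: given each trust's direction and transitivity (the dimensions from the table in tip 1), the code below computes which domains' accounts end up able to reach resources in a chosen domain, which is the review that tips 5 and 6 ask for. This is an added example, not code from the TechRepublic document; the domain names are constructed, and the trust semantics (a direct trust always grants access, a path through an intermediate domain only when every hop is transitive) are the modelling assumption.

```python
"""Compute effective trust reach from a list of trusts described by direction
and transitivity. Added example, not part of the TechRepublic document;
domain names are constructed."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Trust:
    trusting: str        # domain whose resources are exposed
    trusted: str         # domain whose accounts gain access
    transitive: bool     # parent-child, tree-root, forest, shortcut: True; external: False
    two_way: bool = False


def trust_edges(trusts: List[Trust]) -> Dict[str, List[Tuple[str, bool]]]:
    """Adjacency list trusting -> [(trusted, transitive)]; 2-way trusts yield both directions."""
    edges: Dict[str, List[Tuple[str, bool]]] = {}
    for t in trusts:
        edges.setdefault(t.trusting, []).append((t.trusted, t.transitive))
        if t.two_way:
            edges.setdefault(t.trusted, []).append((t.trusting, t.transitive))
    return edges


def account_domains_with_access(resource_domain: str, trusts: List[Trust]) -> Set[str]:
    """Domains whose accounts can be granted access to resources in resource_domain.

    A direct trust always counts. Access through an intermediate domain only
    counts when every hop on the path is transitive: a nontransitive (external)
    trust does not extend to the domains the trusted domain itself trusts.
    Assumption: every transitive edge chains without limit. A real forest trust
    extends only to the two forests involved, so check multi-forest maps by hand."""
    edges = trust_edges(trusts)
    reachable: Set[str] = set()
    queue = deque([(resource_domain, True)])   # (domain, path so far all transitive)
    seen = {(resource_domain, True)}
    while queue:
        domain, chain_ok = queue.popleft()
        for nxt, transitive in edges.get(domain, []):
            if domain != resource_domain and not (chain_ok and transitive):
                continue   # a nontransitive hop cannot be extended further
            reachable.add(nxt)
            state = (nxt, chain_ok and transitive)
            if state not in seen:
                seen.add(state)
                queue.append(state)
    reachable.discard(resource_domain)
    return reachable


# Constructed topology: one forest (corp.example with child sales.corp.example and
# tree root other.example), an external one-way trust to partner.example, and a
# trust partner.example holds with vendor.example.
SAMPLE_TRUSTS = [
    Trust("corp.example", "sales.corp.example", transitive=True, two_way=True),   # parent and child
    Trust("corp.example", "other.example", transitive=True, two_way=True),        # tree-root
    Trust("corp.example", "partner.example", transitive=False),                   # external, 1-way
    Trust("partner.example", "vendor.example", transitive=True),                  # outside our forest
]

if __name__ == "__main__":
    for domain in ("sales.corp.example", "corp.example", "partner.example"):
        print(domain, "<-", sorted(account_domains_with_access(domain, SAMPLE_TRUSTS)))
```

Note that partner.example accounts cannot reach sales.corp.example even though sales.corp.example trusts its parent and the parent trusts partner.example: the external hop is nontransitive, which is exactly the kind of gateway-or-not question the map is meant to settle.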

7. Document trust relationships

As organizations marry (and divorce) in today's business world, it's important to have clear documentation of the trust inventory, and to make sure it's accessible without the trust or domain. For example, if you're in Domain B and your headquarters in Domain A sells your division and breaks your trust, your concise documentation saved on a server in Domain A does you little good. Document the type of trust, transitivity, direction, business need for the trust, anticipated duration of the trust, credentials, domain/forest principal information (name, DNS, IP addresses, locations, computer names, etc.), and contact person(s) for the corresponding domains.

8. Avoid making trust relationships too deep

In the interest of everyone's time, don't nest membership more than one deep when using trusts in multiple domains and forests. Nesting membership can consolidate the number of manageable Active Directory objects, but the effort of determining actual membership is greatly increased.

9. Know how to manage different versions of Windows

When running in Windows 2000 and Windows Server 2003 native mode for Active Directory, full functionality is maintained for member domains and forests. If any NT domains or member systems are present in the enterprise, their trust entry functionality is limited by the inability to recognize the Active Directory objects. A frequent strategy in this scenario is to have domain islands of those that don't connect to the more common enterprise infrastructure.

10. Remove expired or overlapping trusts

Changes in business organization may have left unused trusts in place on your domain. Clear out any trusts that are not actively being used. You should also ensure that the trusts you have are set up correctly for the required access and usage patterns. An audit of your trust inventory can be a strong supplement to your well-rounded security policy.


10 things you should know about the NETSH tool

1. What is NETSH?

NETSH is one of the most powerful yet least known networking tools included with Windows 2000 and Windows Server 2003. It's installed by default and is located in the %systemroot%\system32 folder. NETSH is also available on Windows XP. NETSH enables you to display, modify, import, and export many aspects of the network parameters of a system. It can also connect remotely to other systems with a remote machine parameter (-r).

2. Contexts for NETSH

Contexts are specific dimensions of the network configuration that can be managed by NETSH. The commands and options within NETSH are context sensitive, and the same command may exist in multiple context areas but have different commands and results in each context. Here are the Windows Server 2003 NETSH context areas:

Context      Description
aaaa         Authentication, authorization, accounting, and auditing
dhcp         DHCP server administration
diag         OS and network service parameters
interface    NIC configuration; includes subcontexts
ipsec        Alternative to IP Security Policy Management
bridge       Network bridging configuration
ras          Remote access server configuration
routing      Routing administration (instead of RRAS)
rpc          Subnet and interface settings
wins         Windows Internet Name Service administration

Now, to add to the confusion, a context can have a subcontext. For example, the interface context has three subcontexts: ip, ipv6, and portproxy. NETSH refers to these subcontexts as a context, such as the netsh interface ip context. Note that Windows XP has a different set of contexts. When using the import and export operations in noninteractive mode, you must specify the context or subcontext configuration.


3. Coordinating network change control with NETSH

You can use NETSH to export and import network configurations. A good example of using NETSH with networking change control would be when a system is going to be placed on a different network, but the communication channels need to be maintained to various other systems. A NETSH export will allow all parties to agree on various network settings. For example, consider the following portion of a NETSH export of the interface context from a dump operation:

set address name = "Teamed NIC" source = static addr = 10.64.32.100 mask = 255.255.252.0

set address name = "Teamed NIC" gateway = 10.25.44.1 gwmetric = 1

set dns name = "Teamed NIC" source = static addr = 10.64.22.50

add dns name = "Teamed NIC" addr = 10.95.61.22

add dns name = "Teamed NIC" addr = 10.95.45.34

set wins name = "Teamed NIC" source = static addr = 10.95.45.70

add wins name = "Teamed NIC" addr = 10.95.45.25

Reviewing a NETSH export with all parties involved can ensure that the system will be routed correctly, using the correct DNS, WINS, and subnet mask. The best part is that you can then import the entire file into the Windows system after all appropriate entries have been made without any chance of entering the information incorrectly. And this is only for the interface context. The same applies for all other context scripts.
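The review the text describes can be partly automated: the code below parses the interface-context lines of a NETSH dump and checks the Layer-3 settings for the mistakes that leave a host unroutable after import. It is an added example, not code from the TechRepublic document, and it handles only the set/add address, dns and wins line shapes shown above (other contexts are ignored). Run over the sample export, it reports that the gateway 10.25.44.1 lies outside the interface's own subnet 10.64.32.0/22 (10.64.32.100 with mask 255.255.252.0), which is precisely the kind of entry a change-control review should catch before the file is imported.

```python
"""Parse and sanity-check the interface context of a NETSH dump before import.
Added example, not part of the TechRepublic document."""
import ipaddress
import re
from typing import Dict, List

# Copy of the export shown in the text (constructed as a string for this example).
SAMPLE_DUMP = """
set address name = "Teamed NIC" source = static addr = 10.64.32.100 mask = 255.255.252.0
set address name = "Teamed NIC" gateway = 10.25.44.1 gwmetric = 1
set dns name = "Teamed NIC" source = static addr = 10.64.22.50
add dns name = "Teamed NIC" addr = 10.95.61.22
add dns name = "Teamed NIC" addr = 10.95.45.34
set wins name = "Teamed NIC" source = static addr = 10.95.45.70
add wins name = "Teamed NIC" addr = 10.95.45.25
"""

LINE_RE = re.compile(r'^(set|add)\s+(address|dns|wins)\s+name\s*=\s*"([^"]+)"\s*(.*)$')
KV_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|\S+)')


def parse_interface_dump(text: str) -> Dict[str, dict]:
    """Return {interface name: {'addr', 'mask', 'gateway', 'dns': [...], 'wins': [...]}}."""
    ifaces: Dict[str, dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.split()[0].upper() == "REM":
            continue                    # REM lines are comments in a NETSH script
        m = LINE_RE.match(line)
        if not m:
            continue                    # other verbs/contexts are outside this example
        _verb, kind, name, rest = m.groups()
        kv = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        entry = ifaces.setdefault(name, {"dns": [], "wins": []})
        if kind == "address":
            for key in ("addr", "mask", "gateway"):
                if key in kv:
                    entry[key] = kv[key]
        elif "addr" in kv:              # "set" is the primary server, "add" appends more
            entry[kind].append(kv["addr"])
    return ifaces


def review(ifaces: Dict[str, dict]) -> List[str]:
    """Flag settings that would leave the host unroutable or unable to resolve names."""
    findings: List[str] = []
    for name, e in ifaces.items():
        if "addr" not in e or "mask" not in e:
            findings.append(f"{name}: no static address/mask")
            continue
        subnet = ipaddress.IPv4Interface(f"{e['addr']}/{e['mask']}").network
        gw = e.get("gateway")
        if gw is None:
            findings.append(f"{name}: no default gateway")
        elif ipaddress.IPv4Address(gw) not in subnet:
            findings.append(f"{name}: gateway {gw} is outside {subnet}")
        if not e["dns"]:
            findings.append(f"{name}: no DNS servers")
    return findings


if __name__ == "__main__":
    parsed = parse_interface_dump(SAMPLE_DUMP)
    for finding in review(parsed) or ["no findings"]:
        print(finding)
```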

4. Using NETSH to dynamically change TCP/IP addresses

You can use NETSH to make dynamic IP address changes from a static IP address to DHCP simply by importing a file. NETSH can also bring in the entire Layer-3 configuration (TCP/IP address, DNS settings, WINS settings, IP aliases, etc.). This can be handy when you're working on networks without DHCP and have a mobile computer that connects to multiple networks, some of which have DHCP. NETSH shortcuts will far exceed the capabilities of using Windows Automatic Private IP Addressing. Here is an example of running a dynamic update of an IP address:

C:\>NETSH -f filename.netsh

In this example, filename.netsh is the NETSH file that contains an interface dump configuration. You can make shortcuts in Windows to a .BAT file that will run that command so you can easily add shortcuts to get a DHCP address and switch to a static IP address for a customer site, DMZ network, or any other static IP network.

5. Best practice: Using a .NETSH extension

NETSH import and export operations are in a native plain text format and can be read and edited from any text tool. However, NETSH files should be handled as a special file type because they're used to document network configurations, as well as for the import and export process. A best practice would be to make all export operations refer to a FILE.NETSH, where this file is what has been exported from NETSH. This is especially important because a NETSH export file doesn't contain the word NETSH in it. This way, even a novice can figure out what the file contains.

    The file extension used by export (dump) and import (-f) operations is entirely user specified. For convenience, you can associate the .NETSH extension with your Windows installation to allow native double-click editing.
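An added example of the .BAT shortcut described above (not from the original document): before importing the requested profile with NETSH -f, it dumps the live interface context to a .NETSH file so the last known-good settings can be re-imported if the new profile is wrong. The script name, profile file names, interface name and addresses are constructed placeholders.

```batch
@echo off
REM switchnet.bat - added example, not from the original document.
REM Usage: switchnet.bat profile.netsh
REM   profile.netsh (hypothetical name) holds the lines that
REM   "netsh interface dump" produces, for example (constructed values):
REM     pushd interface ip
REM     set address name="Local Area Connection" source=static addr=192.0.2.10 mask=255.255.255.0 gateway=192.0.2.1 gwmetric=1
REM     set dns name="Local Area Connection" source=static addr=192.0.2.53 register=PRIMARY
REM     popd
REM   A DHCP profile instead uses: set address name="Local Area Connection" source=dhcp

setlocal
set "PROFILE=%~1"
if "%PROFILE%"=="" (
    echo Usage: %~nx0 profile.netsh
    exit /b 1
)
if not exist "%PROFILE%" (
    echo Profile file "%PROFILE%" not found.
    exit /b 1
)

REM Keep one generation of history: the previous backup becomes .bak,
REM then the live interface context is exported as LASTGOOD.NETSH.
if exist "LASTGOOD.NETSH" move /y "LASTGOOD.NETSH" "LASTGOOD.NETSH.bak" >nul
netsh interface dump > "LASTGOOD.NETSH"
if errorlevel 1 (
    echo Could not export the current configuration; aborting.
    exit /b 1
)

REM Import the requested profile in noninteractive mode (-f).
netsh -f "%PROFILE%"
if errorlevel 1 (
    echo Import reported a failure. Restore the previous settings with:
    echo     netsh -f LASTGOOD.NETSH
    exit /b 1
)
echo Imported %PROFILE%. Previous settings saved in LASTGOOD.NETSH.
endlocal
exit /b 0
```

Changing addresses requires administrative rights, and the import is applied immediately, so try the script on a test system first, as the precautions below advise.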



    NETSH in interactive mode

    NETSH is one of the Windows tools that can be run in either an interactive or a noninteractive environment. Interactive tools (such as nslookup and dnscmd) have effectively different usage scenarios depending on the mode chosen.

    Interactive mode also has two submodes, online and offline. Online mode is a direct interaction with the networking components while in interactive mode. Offline mode lets you interactively make changes and then roll them all online instantly by going to online mode.

    NETSH in noninteractive mode

    In noninteractive mode, you can implement NETSH commands by importing a file. Using noninteractive mode is recommended for file import and export operations. With NETSH in noninteractive mode, you can export key settings from each context as a specific aspect of your system documentation. In addition, if an issue arises and you can trace it back to a specific networking topic for which you have a NETSH script exported from a known working time, you can re-import that NETSH script in noninteractive mode and restore your networking functionality to that point. Please note that NETSH does not back up data within the contexts, such as the WINS database.

    Clarifying the scripts

    When exchanging NETSH scripts, you can insert comments to solicit feedback. This will allow you to explain an entry or use it as a training tool for others. Simply insert REM in a NETSH exported file to add a comment. Don't put in too many comments, however; just what is necessary.

    NETSH precautions

    NETSH is a powerful tool and should be used with caution. Using interactive online mode (the default) for changes on the fly can be more risky than implementing a change in interactive offline mode and going online to commit the changes. However, using noninteractive mode to perform changes is popular as well because the changes can be scripted. Try your hand at NETSH on a virtual machine or test system first.

    Navigating NETSH

    The large array of features available in NETSH may seem overwhelming at first. It's helpful to get into NETSH to see the options available and practice using the interface in interactive mode (a little different for those of us used to noninteractive tools). Getting into NETSH in interactive mode is easy: Simply type NETSH at the command prompt. Then, use these guidelines to investigate the command options:

    To change to another context, type the name of the context. For example, typing interface ip will go immediately to the interface ip context from whichever context you are presently located in.

    To change your mode, type offline or online. Typing offline will send the interactive session offline, so any changes won't be brought in immediately. Typing online will bring the interactive session online, so changes will immediately be brought into the networking elements of the system.

    Typing show mode will display the current mode (offline or online). The default mode is online, so be sure to immediately jump offline if you are experimenting.

    Typing ? or help will show the available commands for your current context location. If you're in the root of the tool, there is no active context and your interface to the tool will be a netsh> prompt.


    Global commands, such as online and quit, are those you can use everywhere. Context commands are available only in the current context. For example, from the netsh interface ip> context, you can view the network configuration by running show dns, but this command may not work in other contexts or subcontexts.

    In contexts, running set and show will provide the context-sensitive command options.


    10 things you should know about working with permissions

    NTFS vs. share permissions

    The biggest point of confusion about sharing with Windows systems is that the NTFS and share-level permissions both have an effect on the user's ability to access resources on a network. This is especially important to remember for Windows XP and Windows Server 2003 (and likely subsequent versions of Windows), which have default share permissions of read-only. This makes the NTFS permissions limited to read when accessing them over the network.

    The best way to distinguish share permissions from NTFS permissions is to consider share permissions as an entry point to the resources. Only after the share permissions offer Change and/or Full Control can the NTFS permissions of that type be used.

    The combination of share-level and NTFS permissions can seem like administrative overhead, but consider this: Share permissions act as a point of entry for the NTFS permissions over the network. When you enter a network resource through a share, the share permissions dictate what you can do through the share as a whole. The NTFS permissions dictate what you can do to specific files and folders. In the troubleshooting mode, identify whether share-level permissions can be ruled out of the issue.

    Avoid nested shares

    Troubleshooting issues that deal with both NTFS and share permissions can seem overwhelming. Avoid having nested shares in your file structures because they can create conflicting behavior for the same network resources if accessed through different shares. This can be asking for trouble, especially when the share permissions are different. A nested share is a shared folder that resides in a separate shared folder. There are, of course, the default hidden shares (C$, D$, etc.), which make all shares nested beneath them, and they're a default. However, if your users use two separate nonhidden shares that are nested, there can be conflicting share permissions.

    Use CACLS and XCACLS for granularity

    You can use CACLS and XCACLS to gather information on files that are a reflection of the NTFS permissions you have configured. These tools will deliver data about the permissions for specific file and folder resources. What's the difference between NTFS permissions and an ACL (access control list)? The NTFS permissions are set in Windows Explorer or via an automated mechanism for files and folders, whereas an ACL (via these tools) is a display or management of allowed or denied file operations for the same resource.


    You can use CACLS and XCACLS to add or remove NTFS permissions in a scripted fashion as well. So if you have a great deal of permissions to adjust, a sophisticated script using these tools may be in order.

    A good matter of practice for important shared files and folders with unique NTFS permissions is to make a script utilizing the CACLS.EXE tool to document the ACL for individual files and folders (or manually execute the steps to do this). But be careful: You can easily document your NTFS permissions by running CACLS * /T from a command prompt and document a folder, its contents, and subdirectories. This is very resource intensive and can require 100% CPU utilization on some systems when traversing extremely large folder paths. Depending on many factors, a large recursive ACL audit can take large amounts of time as well. This is similar to the scenario where new NTFS permissions are propagated to a large folder.
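An added example of the CACLS documentation script suggested above (not from the original document): it records the recursive ACL listing of a folder tree and, on later runs, compares it with FC against the saved listing so that permission drift on an important share stands out. The script name, folder path and file names are constructed placeholders.

```batch
@echo off
REM aclaudit.bat - added example, not from the original document.
REM Usage: aclaudit.bat "D:\Shares\Finance" finance-acl-baseline.txt
REM First run: documents the NTFS ACLs with CACLS /T into the baseline file.
REM Later runs: re-documents them and reports any difference from the baseline.

setlocal
set "TARGET=%~1"
set "BASELINE=%~2"
if "%BASELINE%"=="" (
    echo Usage: %~nx0 folder baseline-file
    exit /b 2
)
if not exist "%TARGET%\" (
    echo Folder "%TARGET%" not found.
    exit /b 2
)

set "CURRENT=%TEMP%\acl-current.txt"
set "DIFF=%TEMP%\acl-diff.txt"

REM The recursive listing is CPU- and time-intensive on large trees
REM (see the text above); schedule it off-hours for big shares.
cacls "%TARGET%" /T > "%CURRENT%"

if not exist "%BASELINE%" (
    REM First run: keep the current ACLs as the documented baseline.
    copy /y "%CURRENT%" "%BASELINE%" >nul
    echo Baseline written to %BASELINE%. Review it and keep it read-only.
    exit /b 0
)

REM FC exits 0 when the files match, 1 when they differ, 2 on error.
REM "if errorlevel N" is true for N or higher, so test 2 before 1.
fc /L "%BASELINE%" "%CURRENT%" > "%DIFF%"
if errorlevel 2 (
    echo Comparison failed; check that both files are readable.
    exit /b 2
)
if errorlevel 1 (
    echo ACL drift detected under %TARGET%:
    type "%DIFF%"
    exit /b 1
)
echo No ACL changes under %TARGET% since the baseline was recorded.
exit /b 0
```

Store the baseline outside the audited share, since anyone who can alter the folder's permissions could otherwise also alter the record you compare against.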


    Distinguish between basic and special NTFS permissions

    Only a right-click away, special permissions give more options to particular access requirements. It's important to note that using special permissions will increase the administrative overhead associated with NTFS permissions simply by being more complicated. Therefore, a best practice would be to use the special permissions only when needed. The standard NTFS permissions provide most of the necessary functionality to offer secure access to shared and local resources. However, there are scenarios where using the special permissions makes sense.

    Note: Be sure to rule out special permissions in troubleshooting. Every administrator has at one point not been sure of the application of various permissions: share permissions, NTFS permissions, group memberships, multiple user accounts, etc. Taking a quick look at the special permissions can quickly provide a hint as to whether they're part of the issue you are troubleshooting.

    Keep resources warranting special permissions separate

    If the scenario permits, it can be a good practice to keep resources requiring special permissions grouped in separate shares or folders with other resources that have special permissions. Having standard permissions intermixed with special permissions in the same location can add administrative overhead.

    Understand inherited permissions

    Inherited permissions are a default attribute of NTFS permissions on Windows Server 2003 and 2000 systems. Inherited permissions allow the NTFS settings for a folder to be applied to its contents and to all objects and folders contained within the top folder.

    Inheritance is fairly easy to understand when all defaults are used. But when inheritance is blocked, it becomes more difficult to troubleshoot. This difficulty is manifested when a folder deep within another folder has the Inherit Permissions option cleared. In troubleshooting inherited permissions, it is best to start at the root of the problem and work your way up the folder structure.

    If clearing inheritance, be careful

    When you clear inheritance of NTFS permissions from a parent container, you are presented with two options: Copy and Remove. The Copy option will recurse the child objects and write the NTFS permissions from the parent folder. The Remove option removes all default NTFS-created permissions (those of Administrators, Users, Creator Owner, System, etc.) from the list of Group or User Names. Exercise caution when using the Remove option on inheritance blocking!

    Don't dodge the issue

    The worst thing you can do to solve a rights problem is to make someone a member of Administrators or some other powerful group to circumvent a permissions issue. Simply giving more rights to a user does not address the issue. Always identify the issue to determine the best solution.


    Never over-privilege

    A common misstep is to provide too many rights, usually through group memberships, to users for access to resources. Especially if you are using Active Directory, a clearly organized structure with the membership and access requirements defined will lend to a more correctly administered user or group. Take the firewall stance of granting that which is explicitly required.

    Too many permissions may not arise as a problem in a troubleshooting mode, but you may see one group or other membership attribute that gives too many rights, accidentally.

    Group membership is one of the easiest ways to over- or under-privilege access to resources. Especially in domain configurations, the complexity is increased by multiple memberships and/or nested groups. Use the Effective Permissions tool to see what the resultant set of access is, determined by group membership when using Active Directory. Although this is not a direct display of NTFS permissions, you can then examine each group membership for an object as part of troubleshooting NTFS permissions.

    Know when to copy and when to move

    Standard copy and move operations deliver default results that can maintain your configured permissions or break them. A good way to remember this is that copy operations will create the permissions of the destination container, and move operations will maintain that of the parent container.


    Memorization mechanism: CC/MM: Copies Create/Moves Maintain, or Copies Create/Moves Make.

    Of course, there is also the need to copy resources and maintain NTFS permissions that would be difficult to re-create. The fallen SCOPY utility has given way to XCOPY with the /O and /X parameters to perform this type of function. Using XCOPY with these parameters will allow copy operations to copy the files and/or folders to a new location and create them with the NTFS permissions equal to that of the source container.


    10 things you should know about Microsoft SQL Server 2005

    There is now an XML data type

    If there's any feature of SQL Server 2005 to jump up and down about, it's the new native XML data type. Why? Apart from the giant leap forward of an already Web-friendly agenda, the new type offers us design options that are atypical of Microsoft, which generally likes to do our designing for us. The new XML data type:

    Can be used in a table column.

    Can be used in a stored procedure, as a parameter or as a variable.

    Can store untyped data.

    Can check against a schema to see if data stored in a column typed as XML matches that associated schema (if there's no schema, the data is considered untyped).

    And the mapping between XML data and relational data is bidirectional.

    Distributed Management Objects (DMO) becomes SQL Server Management Objects (SMO)

    SQL Server Management Objects (SMO) is a .NET Framework-based management framework that lets you create custom applications for server management. SMO (like DMO before it) allows you to handle columns, tables, databases, and servers as objects, programmatically, and SMO supports SQL Server 2005's new features, like Service Broker.

    SMOs are optimized, not instantiating objects fully (with all the properties retrieved) until the object is explicitly referenced. You can also batch SQL commands, and create scripts to create objects. Your custom server management apps can be used to manage SQL Server 7 and SQL Server 2000 systems as well.

    Common Table Expressions (CTEs): recursive queries

    A common table expression (CTE) enables queries to be recursive. A CTE can be self-referential, with an upper limit on the recursion. You can use the CTE as a part of a WITH, in a SELECT, UPDATE, INSERT or DELETE command.

    The Service Broker makes SQL Server traffic asynchronous

    There's a front-end queuing system, and it changes everything. You can now manage SQL Server traffic by rendering it asynchronous with the new Service Broker feature. It enhances scalability by enabling your system to handle more traffic logically than it can handle physically. The Service Broker can be accessed via SQL commands and allows transactions to include queued events.

    Those who know me well would never accuse me of being a Microsoft disciple, but this feature impresses me in no small measure and I'm pleased to call attention to it. Adding easily-configured asynchronicity to the data layer of an enterprise system is a boon to developers and opens up huge possibilities for Web apps. The economy with which those apps can now scale can't be overstated. Service Broker alone is a reason to consider upgrading to SQL Server 2005.

    Create .NET triggers

    SQL Server 2005 is .NET-integrated to a promising degree (it has distressed us for some time that Microsoft's commitment to .NET is as hedged as it is), and one useful consequence of this integration is the ability to create user-defined triggers (UDTs) through Visual Studio 2005.

    The Trigger option can be pulled from the template list in Visual Studio, generating a file for the code to be triggered. The mechanism tying this code to SQL is a SqlPipe. It's deployed in your Build | Deploy. You can work it in the other direction (i.e., from the CLR) by referencing the Trigger object in a T-SQL CREATE TRIGGER command.

    SQL Server 2005 configuration is dynamic

    If you're running SQL Server 2005 on Windows Server 2003, its configuration is fully dynamic: you can change configuration values on-the-fly without restarting the server, and get immediate response (the same is true for Address Windowing Extensions).

    Define your own data types

    The user-defined type, enabled by the integration of SQL Server 2005 and the .NET CLR, is a consolidation of previous practices, allowing you to create application- or environment-specific types. You can extend more general types into variations that only accept values you define, with no more triggering or constraints. Validation is built into the field.

    Many active result sets, one connection

    This is another feature not just to make note of, but to get excited about. MARS (Multiple Active Result Sets) enables you to execute multiple queries yielding multiple results, over a single connection. An application can move between open result sets as needed. The performance and scalability benefits are obvious.

    This new trick is courtesy of the new ADO.NET, in tandem with SQL Server 2005's ability to accommodate multiple active commands. Since MARS is part SQL Server 2005 and part ADO.NET 2.0, it is only available if you're using both.

    WAITFOR ... RECEIVE

    In previous versions of SQL, WAITFOR was static. We fed it some wait-time value, and that was what it could do. Now WAITFOR is dynamic; tell it to wait for a RECEIVE statement's results, whenever that might be delivered.

    Beyond the usual this-is-cool, we can appreciate this feature because of the manner in which it accommodates the new Service Broker (see #2). Since Service Broker makes database query ability asynchronous via queuing (and therefore extremely dynamic), and a particular database query may sit in a queue for an undetermined period, the new dynamic WAITFOR is ideal for responding to RECEIVE results that will emerge at the discretion of Service Broker.

    DTS is now Integration Services

    There's a new architecture underlying data transformation. The very popular and widely used DTS is now Integration Services, and consists of a Data Transformation Pipeline and a Data Transformation Runtime.

    The pipeline connects data source to data target by means of data adapters, with transformations between them. It's a conventional structure, but implemented in such a way as to enable considerable complexity: for instance, you can do one-to-many mappings, and create columns with output derived from a transform.


    The Data Transformation Runtime gives you components for organizing data loading and transformation processes into production-oriented operations, within which you can manage connections and manipulate variables. It's basically a run-time object framework that can be bundled into managed .NET apps.

    DTP and DTR components are used to create Integration Services packages, similar in principle to the familiar DTS packages but with much greater levels of configurability and control, particularly in the area of workflow.


    10 things you should know about Microsoft SharePoint Services

    SharePoint extends Exchange Server

    If you're using Exchange Server to handle your e-mail traffic, SharePoint can greatly simplify distribution. You can create a SharePoint site as a singular point for receiving Exchange traffic and, at a stroke, have de facto distribution of that traffic to a particular group or groups, with all the security and membership built in. By setting up a public folder for SharePoint in Exchange, Exchange's work is done; SharePoint pulls from the folder and does the work.

    SharePoint collaboration solutions are scalable

    It's well publicized by Microsoft that SharePoint Services is essentially a collaborative solution toolkit. Creating sites for team interaction, sharing, and management of project-specific documents and files, testing, and other collaborative functions are a natural application of SharePoint.

    A less hyped aspect of SharePoint is that this collaborative utility is highly scalable. What begins as a resource library shared by a team can be telescoped out to accommodate the entire organization or an even broader customer community; SharePoint Services can be readily deployed across multiple servers in a server farm, enabling the creation of massive data stores.

    SharePoint sites are highly customizable

    SharePoint Services comes fully integrated with FrontPage 2003, so all of FrontPage's WYSIWYG Web editing tools are available for use in crafting SharePoint sites. (If your organization swims in the deep end, development-wise, all of this comes with ASP.NET as well.)

    Via FrontPage, you can leverage the utility of Web Parts, modular chunks of code you can re-use in SharePoint sites, to grab live data from a broad range of possible sources (also see #8). You can allow users to control these modules of code by inserting Web Part zones in your sites, enabling sophisticated drag-and-drop controls. You have complete control over style through XSLT, which you can manipulate either directly or through FrontPage, and you can employ conditional formatting if it is desired.

    SharePoint extends InfoPath

    InfoPath 2003 is Microsoft's desktop application technology for integrated forms management and data transport. InfoPath is a powerful and underrated technology in itself, and both its XML backbone and forms-friendliness mesh well with SharePoint.


    Specifically, you'll find it useful to publish InfoPath forms directly to a SharePoint library. In such a library, forms can be stored and (more importantly) shared, and accessible to working teams leveraging SharePoint as a collaborative tool. (The base form is stored in the library header; populated XML result sets make up the library itself.)

    And with SharePoint Portal, you can leverage SharePoint Portal Web services to enhance the utility of InfoPath forms for your desktop community, by accessing information in other systems within your organization (or from outside, for that matter) and populating forms with it as needed.


    Metadata can be used to create dynamically parsed storage systems

    Metadata is critical to the SharePoint Server concept, and comes in several flavors. With metadata you can effectively create customized search arguments that permit you to organize information dynamically, and to use search criteria from one document library to retrieve information from another.

    Put another way, you can forego the traditional hierarchical folders in organizing your document libraries, if it's appropriate. Instead, you can create metadata lookups that can not only be used as organizational keys for documents in one library, but can be used as search arguments to locate documents in other libraries. In this way, you can create searchable document pools with effectively dynamic organization, not only searchable but re-organizable without any physical manipulation of the documents themselves.

    SharePoint can be a data transport mechanism

    SharePoint's primary features include the ability to set up shared distribution points for data from a wide range of sources, moved by different modes of transport (see #1, #4). But its data transport role doesn't end there. Depending on what your organization's sites contain, content-wise, and the role(s) the sites are playing in your system, you can actually distribute data from server to server by means of SharePoint's site-moving utilities (see #10).

    For instance, if you have SharePoint sites deployed internally to represent data in different workflow stages, the SharePoint content databases of those sites can be rotated in a de facto batch process using these utilities (which are command line programs and therefore scriptable).

    Use the Task Pane to turn Word libraries into collaborative systems with built-in administration

    SharePoint Services is primarily about document management. Saving Word documents to SharePoint, placing documents in libraries, and checking them in and out are SharePoint's most obvious functions.

    But the extension of those functions into shared workspaces is where those features become really empowering, rather than simply utilitarian. You have a Task Pane that ties documents to libraries, and within it lie a number of important features that take you from the simple management of documents to real collaboration and administration. Through the Task Pane, you can:

    Track status and versioning of documents

    Define and track who has site/document access

    Do task monitoring

    Create alerts

    You can, of course, save from all Office applications, not just Word, to SharePoint.

    SharePoint can pull data from external databases and other data sources

    Web Parts and Web Part architecture (available to your SharePoint development by way of FrontPage 2003 or ASP.NET) can become a powerful component of your SharePoint sites. In particular, Data View Web Parts allow you to add views to your sites from a variety of data sources. You can create views specific to your SharePoint sites and link views together. Data sources can be databases, Web services, or any XML source (InfoPath documents, etc.).


    Leverage Excel for data management

    Exporting data to Excel is well-supported in SharePoint and makes graphing and printing convenient (via the Print with Excel and Chart with Excel options). But it's also possible (and may often be desirable) to export data to Excel just for the sake of manageability. The Excel Export function creates an Excel Web query linking to the original data. In this way, you can create spreadsheets that will accept data, and then push that data to SharePoint.

    This can be done by generating an Excel spreadsheet, then linking the spreadsheet to SharePoint (by using Export and Link to Excel from a Datasheet Task Pane). Once this is done, data can be entered into the spreadsheet and pushed from the spreadsheet to Excel with the Synchronize List option.

    Sites and entire site collections can be backed up in a single operation

    The ability to move a site, lock-stock-and-barrel (and even more so a site collection, which includes primary site, sub-sites and all their contents), should not be underappreciated. Anyone who's migrated sites the hard way knows it can be maddeningly frustrating. SharePoint Services includes two utilities that will greatly reduce the frustration: STSADM and SMIGRATE.

    SMIGRATE began life as an upgrade utility, shepherding data from old SharePoint to new. Now it's for backup/restore and for moving sites wholesale. It's a command line utility, so it's tailor-made for scripting, and can simplify the process of moving a site and its contents to the point that it can conceivably be a content distribution tool in some scenarios.


    Its weakness is that when a site is moved with the SMIGRATE utility, its security settings don't all move with it.Remember to check your settings after a move or restore.

    And while SMIGRATE will not preserve your security settings, STSADM will. This utility will move not only a site but a site collection, and does far more: you can use it to create sites, delete site collections, import templates, and move data (see #6).


    10 things you should know about Microsoft Windows Server Update Services (WSUS)

    Updates more than just Windows

    SUS, the predecessor for WSUS, was able to keep Windows 2000 SP2 or later, Windows XP Professional, and Windows Server 2003 current with updates. WSUS manages updates for many more Microsoft products. The initial WSUS release will update Windows 2000 and later Windows versions, Office XP and 2003, Exchange Server 2003, and SQL Server 2000, including the desktop edition and MSDE 2000. Microsoft intends for WSUS to eventually handle all Microsoft product updates.

    WSUS client and server system requirements

    WSUS server components run on Windows 2000 SP4 or Windows Server 2003 and require the .NET Framework 1.1 SP1, IIS, MSDE (included with the WSUS download) or SQL Server 2000 SP3a+, IE 6 SP1+, the Background Intelligent Transfer Services 2.0 (BITS) and WinHTTP 5.1. On the client side, Windows 2000 SP3+, Windows XP, or Windows Server 2003 are required. On the hardware side, Microsoft recommends a 1GHz or faster processor and 1GB of RAM for systems that will update 500 or fewer clients, a 3GHz or faster processor and 1GB of RAM for systems that will update 500 to 10,000 clients, and dual processors with 1GB of RAM for systems that will update more than 10,000 clients.

    Microsoft Systems Management Server (SMS) vs. WSUS?

    SMS and WSUS have much in common, and both will patch servers and desktop systems. WSUS, however, lacks SMS's ability to deploy and manage systems beyond patching. SMS offers additional capabilities, such as inventory management, advanced reporting, and remote administration.

    Bandwidth allocation is better with BITS

    WSUS and Windows Update download client updates through the Background Intelligent Transfer Services (BITS) 2.0. BITS uses available bandwidth to download updates in the background. BITS can download large updates and survive network disconnections and other problems. This is an improvement over previous update mechanisms that, during large update downloads, could degrade overall network performance for all users. While it's not a perfect solution to the bandwidth allocation problem, BITS does make an effort to keep update traffic in the background.

    WSUS has reporting capabilities

    SUS lacked a decent reporting function. Microsoft corrected this oversight by giving WSUS significant reporting capabilities. WSUS' patch status reports will help you identify machines that need patches and could pose a security risk. Other standard reports provide an overall look at WSUS configuration settings, client update compliance status for an individual update or for an individual computer, or the overall status of each computer using WSUS.

    WSUS can handle updates in multiple ways

    WSUS clients can download full updates from your WSUS server or directly from Microsoft's update servers. Downloading updates from a local WSUS server provides the best performance when clients are connected to the WSUS server via a dedicated, high-speed network. For locations with limited connectivity to your WSUS server, clients can download updates directly from Microsoft's servers.


    You control update deployment via server-side or client-side targeting

    WSUS lets you target your updates using machine groups created via two methods: server-side targeting or client-side targeting. To use server-side targeting, you create and define groups from the WSUS console's Computers tab. With client-side targeting, you assign computers to groups either through Group Policy or via registry modifications. To create a new group in the WSUS console, choose Computers | Create A Computer Group, provide a new name, and click OK.

    WSUS includes command line capabilities

    The wsusutil.exe program includes command-line options that allow you to import and export update metadata, migrate update approvals from a SUS server to WSUS, and list and remove inactive approvals. Wsusutil.exe is, by default, located at C:\Program Files\Update Services\Tools on your WSUS server. Type C:\Program Files\Update Services\Tools\wsusutil /? for assistance with WSUS command-line parameters.

    WSUS is scalable

    Even though a single WSUS server can support a great number of clients (more than 10,000), Microsoft built further scalability into the product through upstream and downstream servers. A downstream WSUS server gets its updates from the next server upstream. Eventually, one of the servers in this chain gets its updates directly from Microsoft Update. WSUS also supports the concept of replicas, where multiple servers can mirror most of the settings from a master WSUS server, providing a more distributed update topology.

    WSUS requires the latest Automatic Update client


    WSUS requires updates to the way that Automatic Updates are applied to some systems. While WSUS makes every attempt to appropriately update the client's version of Automatic Updates, it's not always successful. An unsuccessful update can prevent clients from appearing in the WSUS console. Microsoft created a guide that helps you correct common client update problems. The guide can be found at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/WSUS/WSUSOperationsGuideTC/b23562a8-1a97-45c0-833e-084cd463d037.mspx


    10 things you should know about Cisco IOS access control lists (ACLs)

    What is an access control list (ACL)?

    In the Cisco IOS, an access control list is a record that identifies and manages traffic. After identifying that traffic, an administrator can specify various events that can happen to that traffic.

    What's the most common type of ACL?

    IP ACLs are the most popular type of access lists because IP is the most common type of traffic. There are two types of IP ACLs: standard and extended. Standard IP ACLs can only control traffic based on the SOURCE IP address. Extended IP ACLs are far more powerful; they can identify traffic based on source IP, source port, destination IP, and destination port.

    What are the most common numbers for IP ACLs?

    The most common numbers used for IP ACLs are 1 to 99 for standard lists and 100 to 199 for extended lists. However, many other ranges are also possible.

    Standard IP ACLs: 1 to 99 and 1300 to 1999

    Extended IP ACLs: 100 to 199 and 2000 to 2699

    How can you filter traffic using ACLs?

    You can use ACLs to filter traffic according to the "three P's": per protocol, per interface, and per direction. You can only have one ACL per protocol (e.g., IP or IPX), one ACL per interface (e.g., FastEthernet0/0), and one ACL per direction (i.e., IN or OUT).

    How can an ACL help protect my network from viruses?

    You can use an ACL as a packet sniffer to list packets that meet a certain requirement. For example, if there's a virus on your network that's sending out traffic over IRC port 194, you could create an extended ACL (such as number 101) to identify that traffic. You could then use the "debug ip packet 101 detail" command on your Internet-facing router to list all of the source IP addresses that are sending packets on port 194.

    What's the order of operations in an ACL?

    Routers process ACLs from top to bottom. When the router evaluates traffic against the list, it starts at the beginning of the list and moves down, either permitting or denying traffic as it goes. When it has worked its way through the list, the processing stops.

    That means whichever rule comes first takes precedence. If the first part of the ACL denies traffic, but a lower part of the ACL allows it, the router will still deny the traffic. Let's look at an example:

    Access-list 1 permit any

    Access-list 1 deny host 10.1.1.1

    Access-list 1 deny any

    What does this ACL permit? The first line permits anything. Therefore, all traffic meets this requirement, so the router will permit all traffic, and processing will then stop.


    What about traffic you don't specifically address in an ACL?

    At the end of an ACL is an implicit deny statement. Whether you see the statement or not, the router denies all traffic that doesn't meet a condition in the ACL. Here's an example:

    Access-list 1 deny host 10.1.1.1

    Access-list 1 deny 192.168.1.0 0.0.0.255

    What traffic does this ACL permit? None: the router denies all traffic because of the implicit deny statement. In other words, the ACL really looks like this:

    Access-list 1 deny host 10.1.1.1

    Access-list 1 deny 192.168.1.0 0.0.0.255

    Access-list 1 deny ANY
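The two rules illustrated above (first match wins, and an implicit "deny any" closes every list) worked through in Python, as an added example that is not part of the original TechRepublic document and not Cisco code. It also implements the wildcard-mask matching that an entry such as "192.168.1.0 0.0.0.255" depends on, and it goes one step beyond the text by showing the same two denies followed by an explicit "permit any", which is what an administrator who meant "block these, allow the rest" actually needs. The class and function names (AclEntry, evaluate, addr_matches) and the sample addresses are this example's own assumptions, not IOS syntax; the "ACL 101 for port 194" list mirrors the identification use the text describes.

```python
"""Model of Cisco IOS IP ACL evaluation (added example, not from the document).

Entries are checked top to bottom, the first matching entry decides, and a
packet that matches nothing hits the implicit "deny any". Wildcard masks are
handled the way IOS does: a 1 bit in the mask means "don't care".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    src: str                         # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W"
    dst: str = "any"                 # same forms; a standard ACL only looks at src
    protocol: str = "ip"             # "ip" matches every protocol; "tcp"/"udp" are specific
    dst_port: Optional[int] = None   # the "eq <port>" of an extended entry


def parse_addr_spec(spec: str) -> Tuple[int, int]:
    """Turn an IOS address spec into (address, wildcard) integers.

    "any" is 0.0.0.0 255.255.255.255 and "host X" is X 0.0.0.0.
    """
    parts = spec.split()
    if parts == ["any"]:
        return 0, 0xFFFFFFFF
    if len(parts) == 2 and parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    if len(parts) == 2:
        return int(ipaddress.IPv4Address(parts[0])), int(ipaddress.IPv4Address(parts[1]))
    raise ValueError(f"unrecognised address spec: {spec!r}")


def addr_matches(spec: str, addr: str) -> bool:
    """True when addr falls inside spec; bits set in the wildcard are ignored."""
    base, wild = parse_addr_spec(spec)
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def evaluate(acl: List[AclEntry], src: str, dst: str = "0.0.0.0",
             protocol: str = "ip", dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, entry_number) for a packet.

    Entries are numbered from 1 in list order. A packet that matches no entry
    returns ("deny", None): the implicit deny that ends every IOS ACL.
    """
    for number, entry in enumerate(acl, start=1):
        if entry.protocol != "ip" and entry.protocol != protocol:
            continue
        if not addr_matches(entry.src, src) or not addr_matches(entry.dst, dst):
            continue
        if entry.dst_port is not None and entry.dst_port != dst_port:
            continue
        return entry.action, number          # first match wins; processing stops here
    return "deny", None


# First example from the text: "permit any" on top shadows both denies below it.
ACL_PERMIT_FIRST = [
    AclEntry("permit", "any"),
    AclEntry("deny", "host 10.1.1.1"),
    AclEntry("deny", "any"),
]

# Second example from the text: only denies, so the implicit deny catches everything else.
ACL_DENY_ONLY = [
    AclEntry("deny", "host 10.1.1.1"),
    AclEntry("deny", "192.168.1.0 0.0.0.255"),
]

# The same two denies with an explicit "permit any" appended (constructed variant).
ACL_DENY_THEN_PERMIT = ACL_DENY_ONLY + [AclEntry("permit", "any")]

# An extended list in the spirit of the "ACL 101" the text uses to identify
# traffic to TCP port 194 (constructed sample; only the number comes from the text).
ACL_101_IDENTIFY_IRC = [AclEntry("permit", "any", "any", "tcp", 194)]

if __name__ == "__main__":
    print(evaluate(ACL_PERMIT_FIRST, "10.1.1.1"))        # ('permit', 1)
    print(evaluate(ACL_DENY_ONLY, "172.16.5.5"))         # ('deny', None)
    print(evaluate(ACL_DENY_ONLY, "192.168.1.77"))       # ('deny', 2)
    print(evaluate(ACL_DENY_THEN_PERMIT, "172.16.5.5"))  # ('permit', 3)
    print(evaluate(ACL_101_IDENTIFY_IRC, "10.0.0.5", "203.0.113.9", "tcp", 194))  # ('permit', 1)
```

The returned entry number is the useful part when auditing a list: a "deny" with entry number None tells you the packet fell off the end of the ACL, which is the case the text warns about, and a "permit" from entry 1 in a list that also contains denies tells you those denies can never fire.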

    Can I name an ACL?

    Numbers: who needs numbers? You can also name your ACLs so you can more easily identify their purpose. You can name both standard and extended ACLs. Here's an example of using a named ACL:

    router(config)# ip access-list ?

    extended Extended Access List

    log-update Control access list log updates

    logging Control access list logging

    resequence Resequence Access List

    standard Standard Access List

    router(config)# ip access-list extended test

    router(config-ext-nacl)#

    router(config-ext-nacl)# 10 deny ip any host 192.168.1.1

    router(config-ext-nacl)# exit

    router(config)# exit

    router# show ip access-list

    Extended IP access list test

    10 deny ip any host 192.168.1.1

    What's a numbering sequence?

    In the "old days," you couldn't edit an ACL; you could only copy it to a text editor (such as Notepad), remove it, edit it in Notepad, and then re-create it. In fact, this is still a good way to edit some Cisco configurations.

    However, this approach can also create a security risk. During the time you've removed the ACL to modify it, the router isn't controlling traffic as needed. But it's possible to edit a numbered ACL with commands. Here's an example:

    router(config)# access-list 75 permit host 10.1.1.1

    router(config)# ^Z

    router# conf t

    Enter configuration commands, one per line. End with CNTL/Z.


    router(config)# ip access-list standard 75

    router(config-std-nacl)# 20 permit any

    router(config-std-nacl)# no 10 permit 10.1.1.1

    router(config-std-nacl)# ^Z

    router# show ip access-lists 75

    Standard IP access list 75

    20 permit any

    router#

    How else can I use an ACL?

    ACLs aren't just for filtering traffic. You can also use them for a variety of operations. Let's look at some of their other possible uses:

    To control debug output. You can use the debug list X command to control debug output. By using this command before another debug command, the command applies only to what you've defined in the list.

    To control route access. You can use a routing distribute-list ACL to only permit or deny certain routes either into or out of your routing protocol.

    As a BGP AS-path ACL. You can use regular expressions to permit or deny BGP routes.


    For router management. You can use an ACL to control which workstation or network manages your router, with an ACL and an access-class statement on your VTY lines.

    For encryption. You can use ACLs to determine how to encrypt traffic. When encrypting traffic between two routers or a router and a firewall, you must tell the router what traffic to encrypt, what traffic to send unencrypted, and what traffic to drop.


    10 things you should know about managing IT projects

    Get professional

    IT projects historically have a negative reputation for being over budget, late, and poorly implemented. Having a professional individual in charge of the project can add great organization and credibility to your efforts. If your project is of a size where a project manager role can be used, go for it.

    Working with a Project Management Institute (http://www.pmi.org/) PMP-certified individual will greatly enhance the effectiveness of your software projects. The PMP is also a good benchmark across all project management disciplines and is a big credibility booster when a project integrates with non-IT individuals, external customers, or business partners, or is part of a larger project.

    Identify the leadership roles

    Having individuals responsible for specific metrics of the project is important. This should be done in a way that puts capable individuals in roles that are best suited for their talents but that doesn't overwhelm individual team members. IT projects often put too much emphasis on the technical contributions of a small number of individuals, or even just one person, and effectiveness is limited when these resources are maximized during the project cycle.

    You should also ensure that individuals in charge of specific areas of the project do not hoard responsibility. For example, a person or small group may make great contributions to the progress of the project in regard to overall systems performance, not using so much time for the project (when working from a fixed-price/hours amount project), and getting finished ahead of schedule. But these efficiencies may come at the price of this individual or group not updating project documentation or ensuring revision control with authoritative instances of documents or code, and possibly missing the little things in the project.

    Individuals with leadership roles within the project can ensure that the project follow-through is done according to the required standards. Examples of this include roles such as Technical Lead, Project Lead, or Documentation Lead. These leadership roles can provide checks and balances in the event that a person becomes reassigned unexpectedly or leaves the organization. The continuity chain can be made stronger by tighter integration across individuals for progress points and ensuring the administrative follow-through of the project.

    Focus on scope management

    Scope management is one of the most important aspects of IT projects, and it's the team's responsibility to make sure that any scope changes are introduced in the correct forum. The project process should include procedures for making a scope change proposal.

    It's also important to ensure that the official mechanism for project documentation maintains robust revision control, because scope can change functionality requirements and thus change the documentation that accompanies a project. In the event that a scope change is backed out, proper revision control will ensure that the original functional levels are available from a documentation standpoint.

    Real-world example

    We solicited feedback from Bill Reits, a certified PMP at Siemens Logistics and Assembly Systems, for some comments on scope management. He said that one of the most common and troublesome scope problems within IT projects is Gold Plating.

    Gold Plating is adding undefined features to a project that were not within the agreed scope of the project. It's common in the software industry because programmers, software engineers, and IT pros decide on their own to add cool features that they determined would be fun to code, tools, or other benefits to the implementation project or customer's deliverable system. Although the intentions are often well meaning, Gold Plating can have the following costly consequences:


    The individual can underestimate the effort, get caught up in developing or showcasing unnecessary features, and end up taking a great deal of time that was not budgeted at the expense of deliverable requirements.

    Because the task was not planned, it often affects other areas of the project that were not considered. This can be negative performance impacts, unclear training materials that differ from practice, or other effects.

    If the tasks introduce a nonconformance (a.k.a. software bug), a great deal of warranty effort can be expended correcting something that was never within the scope of the project.

    When an individual adds a feature that was not in the scope of the project, additional work from other team members can be required. For example, the feature must be added to the master documentation, the functional specification, the operator's manual, the unit test plans, the integration test plans, the acceptance test plans, the traceability matrix, etc. It should be obvious that one small easy-to-code feature can add many hours to a project.

    It may be possible that the added feature is not desired by the customer, resulting in time and effort to remove it and in customer dissatisfaction. For instance, a slick feature may be added to a banking application that is against government regulations or bank policy.

    Create the project definition or charter

    Having the project clearly defined can pave the way for all subsequent aspects of the project to be implemented correctly. A well-defined project definition and corresponding processes give the project a strong foundation.

    The project definition will define an agreed-upon performance baseline, costs, efforts required, expected functionality, implementation requirements, and customer requirements, and it identifies the individuals and organizations involved in the project. Project definitions that include specific technology details on how a task is to be accomplished will benefit all stakeholders of the project.

    Real-world example

    One TechRepublic member was implementing a project whose initial project definition referenced communication between two systems as the following:

    The host system automatically will send the order system the order information over the network using a standard interface.

    This language spells trouble, since it could mean so many things: an EDI transaction, an FTP exchange between the two systems, two custom socket interfaces exchanging messaging formats, an XML file, connectivity through a standard product like MQ series, SQL database replication, or any number of other ways for two systems to exchange data.

    Identify the risks

    IT projects can incur risk in unique ways, as IT projects make frequent use of vendors, consultants, and contractors. For example, if your organization contracts Acme IT Services to assist your IT staff in its upcoming Active Directory and Windows 2000 Professional to Windows XP Professional client migration, you may face the risk that Acme IT Services could go out of business, get a "more important" client, or do an inferior job.

    Each element of risk (resources, schedule, performance, cost, etc.) should have assessments performed. These tasks are usually delegated to the project manager or the individual most closely associated with that role. Periodic risk assessments and tracking are due diligence of the project process. Risks manifesting themselves in the project cycle should have recourses as well. For example, if Acme IT Services leaves your project for another client, ensure that there are recourses to working with this agency.


    Manage relationships with external parties

    IT projects will almost always have some level of involvement with external parties. These parties can be:

    Consultants

    Business partners

    Service providers

    Vendors

    Software publishers

    Equipment manufacturers

    Having external parties involved in the project will add resources and ability to the appropriate deliverable of the project. However, ensure that each organization's role and need is clear. The project plan should identify an individual to be in charge of administering the relationship and availability of external parties. If your organization executes many projects at once, this individual may perform this function for all active projects.

    Maintain strong documentation standards

    Documentation is the key to a successful IT project, especially when changes need to be made after implementation. Ensure that your organization has clearly defined documentation expectations as well as standardized repositories for various types of documentation. Revision control mechanisms are also important if custom development is being performed.

    In addition, it makes sense to have documentation that defines the documentation requirements. That may seem like overkill, but as a project scales in complexity, this becomes more valuable to the success of the project implementation and manageability.

    Strong documentation standards offer the following benefits to IT projects:

    New team members can assimilate more easily.

    Future work related to this effort is more easily started.

    Functionality changes are easier to stage or test.

    Build effective communication channels

    Project management should coordinate clear communications. E-mail seems to be the preferred mechanism for this, but it can easily become overwhelming and inefficient. One popular good practice is to identify specific individual(s) when a response is required. By using the TO: and CC: fields appropriately, you can avoid unclear messages about who needs to do what. The figure below shows a good example of an e-mail communication that outlines specific responsibilities.

    (Figure: sample e-mail message with targeted TO: and CC: fields.) This e-mail message clearly identifies that its target is William. If there are any issues with the topics presented, it is the primary responsibility of William to raise them. The other members are presented with an opportunity to raise concerns and to share them with the selected distribution.


    Little habits can add great effectiveness to the communication patterns, especially when involving external parties. For instance, in the example above, members from each organization are grouped to give clarity to distribution. How many e-mail messages have you received where you aren't even sure whether you're being addressed, much less whom you should reply to?

    Also make it a priority to communicate the schedule (and its changes), status reports, scope topics, and new issues that arise in the project process. Clear, concise, and targeted communications are all positive habits for IT projects.

    Keep an eye on costs

    The closer you are to the technology, the less pleasant the topic of cost becomes. Nevertheless, cost is among the most important aspects of the project process. Each project member should be aware of the costs associated with his or her aspects of the project. This also becomes important if it's determined that the scope of a project should be changed. For example, consider the following technology scenarios:

    A new version of a critical software component is released.

    A security risk for a software component is discovered.

    Newer or faster computer equipment is required or desired.

    Scope change can address these topics, but there may be dependency scope changes that go with them, which can greatly increase the costs involved. Licensing, space concerns, "lost licensing" or unused equipment and software, and rework or lost time all can add to the cost of scope change.

    Fear of the price impact should not deter scope change, but it's an element the project team must keep in mind.

    Don't forget the closeout

    Once the deliverables of the project have been m