
Security Issues

In the document Windows Server 2003 (pages 141-149)

WINS and the NetBIOS naming system are not the most secure of protocols, largely because they were never designed with security in mind, and they were certainly never envisaged as having to cope with networks of the size now common in many environments. The world in which WINS was created was also a safer place, where hackers and crackers were rare and the idea of a network connected to the Internet was relatively uncommon, particularly at the client level.

The primary problem with WINS is that it’s an unauthenticated protocol.

Machines name themselves, whether or not a user is logged on to the network, and it’s possible for one machine to register a name that clashes with another without any redress. This can cause horrendous problems. Imagine two machines, one a client and one a server, called fileserver: if the server crashes and the client manages to register itself, future requests by other clients may try to access the client rather than the server.


Protecting yourself from this is easy:

Prevent unauthorized access to your network. Ensure your firewall is configured to block unnecessary access and make sure that users are not attaching their own computers and peripherals to the network. Also ensure that any wireless networking devices are suitably secured.

Enable WINS logging and study the logs to ensure clients are correctly registering themselves with addresses within the expected range.

Use Network Monitor to capture and examine the raw packets that make up a WINS request if you suspect an attack. From the capture you should be able to determine the physical Ethernet address of the machines on the network and therefore the machine originating the attack.

Use static WINS addresses for your servers. Static addresses cannot be overwritten, so it should be impossible for a user to use this method to update your server with an alternative address.

Restrict who can enable, configure, and disable the WINS service on your server. You must be a member of the Administrators group to manage the WINS service. If you need to have users with read-only access to the WINS database, add them to the WINS Users group.

Don’t move the WINS database files from their default location (%systemroot%\system32\Wins).
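The logging and packet-inspection advice above is easier to act on with a small decoder for what WINS actually receives. The following is an added example, not code from the book: it parses NetBIOS Name Service name registration requests as laid out in RFC 1002 (the packet format Network Monitor shows you), reports each client's claimed name, address and node type, and flags two things the text warns about: a registration that claims a name you have pinned to a server with a static mapping, and a registration from outside the address range your clients are expected to use. The three sample packets, the static mapping table and the 192.168.1.0/24 range are constructed for the demonstration.

```python
# Added example, not from the book: decode captured NetBIOS Name Service (NBNS)
# name registration requests (RFC 1002 layout) and audit them against the two
# controls the text recommends: static mappings for servers, and clients
# registering only from the expected address range. The sample packets, the
# static mapping table and the 192.168.1.0/24 range are constructed for the demo.
import ipaddress
import struct

OPCODE_REGISTRATION = 5           # NBNS OPCODE value for name registration
NB_RECORD_TYPE = 0x0020           # RR_TYPE / QTYPE "NB"
NODE_TYPES = {0: "B-node", 1: "P-node", 2: "M-node", 3: "H-node"}  # ONT field in NB_FLAGS

# Constructed static mappings: names the WINS administrator has pinned to servers.
STATIC_MAPPINGS = {("FILESERVER", 0x20): "192.168.1.10"}


def decode_netbios_name(encoded):
    """Undo RFC 1002 first-level encoding: every byte of the 16-byte NetBIOS name
    is sent as two letters 'A'..'P', one per nibble. Returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def parse_registration(packet):
    """Parse one NBNS name registration request into a dict of its fields."""
    trn_id, flags, qdcount, _ancount, _nscount, arcount = struct.unpack("!6H", packet[:12])
    opcode = (flags >> 11) & 0xF
    if opcode != OPCODE_REGISTRATION or qdcount != 1 or arcount != 1:
        raise ValueError("not a name registration request")
    # Question section: length byte 0x20, 32 encoded characters, 0x00, QTYPE, QCLASS
    if packet[12] != 0x20 or packet[45] != 0x00:
        raise ValueError("malformed question name")
    name, suffix = decode_netbios_name(packet[13:45])
    off = 50  # first byte after QTYPE and QCLASS
    # Additional record: name pointer, RR_TYPE, RR_CLASS, TTL, RDLENGTH, NB_FLAGS, NB_ADDRESS
    _ptr, rr_type, _rr_class, ttl, rdlength, nb_flags = struct.unpack("!HHHIHH", packet[off:off + 14])
    if rr_type != NB_RECORD_TYPE or rdlength != 6:
        raise ValueError("unexpected resource record in registration")
    return {
        "trn_id": trn_id,
        "broadcast": bool(flags & 0x0010),          # B bit in NM_FLAGS
        "name": name,
        "suffix": suffix,
        "group": bool(nb_flags & 0x8000),           # G bit
        "node_type": NODE_TYPES[(nb_flags >> 13) & 0x3],
        "ttl": ttl,
        "address": ipaddress.IPv4Address(packet[off + 14:off + 18]),
    }


def audit_registrations(packets, static_mappings, expected_network):
    """Return one finding per registration that either claims a name pinned to a
    different server by a static mapping, or originates outside the expected range."""
    net = ipaddress.IPv4Network(expected_network)
    findings = []
    for pkt in packets:
        reg = parse_registration(pkt)
        key = (reg["name"], reg["suffix"])
        label = "%s<%02X>" % (reg["name"], reg["suffix"])
        if key in static_mappings and reg["address"] != ipaddress.IPv4Address(static_mappings[key]):
            findings.append("CONFLICT %s claimed by %s, static mapping is %s"
                            % (label, reg["address"], static_mappings[key]))
        elif reg["address"] not in net:
            findings.append("OUT-OF-RANGE %s registered from %s" % (label, reg["address"]))
    return findings


# Constructed sample captures (not real traffic), laid out as in RFC 1002:
#   header: TRN_ID, FLAGS, QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1
#   question: 0x20 + 32-character encoded name + 0x00, QTYPE=NB, QCLASS=IN
#   additional: pointer 0xC00C, RR_TYPE=NB, RR_CLASS=IN, TTL, RDLENGTH=6, NB_FLAGS, NB_ADDRESS
SAMPLE_PACKETS = [
    # FILESERVER<20> from the real server 192.168.1.10, H-node, unicast to WINS
    bytes.fromhex("1234 2900 0001 0000 0000 0001 20")
    + b"EGEJEMEFFDEFFCFGEFFCCACACACACACA"
    + bytes.fromhex("00 0020 0001 c00c 0020 0001 000493e0 0006 6000 c0a8010a"),
    # FILESERVER<20> broadcast by a B-node client at 192.168.1.77: the clash the text describes
    bytes.fromhex("1235 2910 0001 0000 0000 0001 20")
    + b"EGEJEMEFFDEFFCFGEFFCCACACACACACA"
    + bytes.fromhex("00 0020 0001 c00c 0020 0001 000493e0 0006 0000 c0a8014d"),
    # LAPTOP07<00> from 10.0.0.5, outside the range clients should be using
    bytes.fromhex("1236 2900 0001 0000 0000 0001 20")
    + b"EMEBFAFEEPFADADHCACACACACACACAAA"
    + bytes.fromhex("00 0020 0001 c00c 0020 0001 000493e0 0006 6000 0a000005"),
]

if __name__ == "__main__":
    for reg in (parse_registration(p) for p in SAMPLE_PACKETS):
        print("%-12s<%02X> %-15s %s" % (reg["name"], reg["suffix"], reg["address"], reg["node_type"]))
    for finding in audit_registrations(SAMPLE_PACKETS, STATIC_MAPPINGS, "192.168.1.0/24"):
        print(finding)
```

Run over a real capture, the CONFLICT line is the signal the text describes: a second machine claiming a server's name. With a static mapping in place the WINS server will refuse that registration, so seeing the attempt at all is what matters; the OUT-OF-RANGE line is the check the logging advice asks you to make by hand.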

CHECKPOINT

Objective 3.01: Planning a DNS Strategy You should be able to plan a DNS namespace and, if necessary, subdivide your clients by department, geographic location, or both. There should be two DNS servers for each set of clients. You can share information between servers by using zone transfers. Active Directory domain controllers automatically share the DNS information, but a domain controller must also be a DNS server to provide DNS resolving services. The placement of DNS servers is important because it may affect the security of your network and of the DNS service. When integrating with a third-party DNS server, it is generally easier to create a new subdomain within the main domain to hold AD DNS data, and then delegate the responsibility for the subdomain to the AD domain controller.

CHAPTER 3 Planning a Host Resolution Strategy

123

Passport/ Mike Meyers' MCSE Passport / Brown & McCain / 222569-6 / Chapter 3

Objective 3.02: Planning a WINS Strategy WINS is an older service that resolves names for older versions of Windows such as Windows 98 and Windows NT. There are four types of WINS client: B-node, P-node, M-node, and H-node. H-node is the default type. WINS also provides lookup services to convert names into IP addresses, and you can share the responsibility of this process by using replication to exchange information between WINS servers. You can deploy WINS resolving services through a dedicated WINS server, which clients must register with, through the WINS built-in broadcast system, or through the Lmhosts file.

REVIEW QUESTIONS

1. Your network consists of approximately 4,000 computers. You are using AD split into a number of organizational units across your company to logically separate departments. Up until now, you have used a separate DNS service to provide your name resolving, but you want to migrate this into an AD-integrated domain to make managing and updating the information easier. The current service uses a single domain name to hold the addresses of all your servers and printers and a set of generic names for DHCP clients. You want to move to dynamic updates for clients and static entries for the servers. How should you organize the DNS namespace when moving it to AD? (Choose one.)

A. Import the DNS data directly into the primary domain and enable dynamic updates.

B. Create new records for the servers within the appropriate OU and enable dynamic updates.

C. Dump the existing DNS table and enable dynamic updates to build a new DNS table.

D. Import the DNS data directly into the primary domain, delete the client records, and enable dynamic updates so that the tables can be re-created automatically.

2. You want to configure all the client machines within your network to use WINS server addresses of 192.168.1.2 and 192.168.1.34 and set the client node type to use M-node resolution. Which of the following services can be used to accomplish this? (Choose one.)

A. DNS

B. WINS

C. Group policy

D. DHCP


3. What is the default WINS node type for Windows XP clients when no WINS clients have been configured? (Choose one.)

A. B-node

B. P-node

C. M-node

D. H-node

4. Your network consists of two primary locations, London and Birmingham, connected via a low-speed link. You have servers located at both locations. The primary location is London and has a DNS domain of corp.com. The Birmingham location has a DNS domain of Birmingham.corp.com. You have two DNS servers at each location, each holding the local domain information. Users at each location need to resolve the names of servers at the other office. Which of the following solutions could you use? (Choose two; each answer is a complete solution.)

A. Set up forwarding from Birmingham to London and delegation between London and Birmingham.

B. Set up forwarding from London to Birmingham and delegation between Birmingham and London.

C. Configure servers at London to delegate requests to Birmingham for the Birmingham subdomain and configure all clients to send requests to Birmingham.

D. Configure servers at London to delegate requests to Birmingham for the Birmingham subdomain and configure all clients to send requests to London.

E. Configure servers at both locations to act as secondary domain servers for the other domain.

5. You want to use an Lmhosts file to provide WINS name resolving information for the clients on your network. There are approximately 500 machines on your network at present. You are also in the process of going through a massive server reorganization that may result in the IP addresses and names changing a number of times over the next few months. You want to keep the Lmhosts file updated in the most efficient way, with the least amount of administrative effort. What solution should you use? (Choose one.)

A. Use a shared Lmhosts file with localized Lmhosts files including the shared Lmhosts data.

B. Use File Replication Services to distribute a new Lmhosts file to clients when an update is necessary.

C. Copy the Lmhosts to the client computers each time an update occurs.

D. Create a logon script for the users that automatically copies the Lmhosts file to the client computer during logon.

6. You are using AD at your company with AD-integrated DNS zones. There are two domain controllers for your company. You have populated the zones with information and configured your clients to use the domain controllers as their DNS servers. However, when you try to access a server, you cannot access it by name. Access through IP address still works fine. What do you need to do to fix the configuration? (Choose one.)

A. Enable DNS on one of the domain controllers.

B. Enable DNS on all domain controllers.

C. Enable DNS on one server and configure the DNS service to replicate the zones from the other domain controller.

D. Configure your DHCP server with the appropriate DNS server records and set clients to obtain their IP address automatically.

E. Configure your DHCP server with the appropriate WINS server records and set clients to obtain their IP address automatically.

REVIEW ANSWERS

1. This allows all the other devices to register themselves with the server. Because they will already be part of the domain tree, they will automatically register themselves within the right OU and therefore DNS name.

2. Only DHCP can configure a client’s WINS and node type information.

3. B-nodes resolve using the broadcast method first, followed by Lmhosts, and this mode is automatically selected when there is no WINS server to talk to at any stage.

4. You cannot delegate up a domain, only down, so that eliminates B. C is impossible unless Birmingham forwards requests for London domains to London. D would increase the load on the WAN link for clients in Birmingham.


5. All the other methods rely on copying the information, which is time consuming and prone to problems. If you copy the Lmhosts file once and then use #INCLUDE to incorporate the UNC shared copy, you need only update one file.

6. A domain controller does not automatically operate as a DNS server unless it has been enabled to do so. Although A would work, the solution would fail if the primary domain controller was unavailable. D and E wouldn’t work without enabling DNS on the servers.
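The #INCLUDE approach from answer 5, shown as an added sample Lmhosts file that is not from the book. The file lives at %systemroot%\system32\drivers\etc\lmhosts on each client; the server names, addresses, domain name and share path below are placeholders chosen for the example.

```text
# Client-side lmhosts (constructed example). Only the servers that host the
# shared copy need local entries; #PRE preloads them into the name cache so the
# UNC path in each #INCLUDE can be resolved before the include is processed.
192.168.1.5     DC1            #PRE   #DOM:CORP
192.168.1.6     DC2            #PRE   #DOM:CORP

# Pull the centrally maintained mappings. Entries inside the ALTERNATE block
# are tried in order, so the second share is only read if the first is unreachable.
#BEGIN_ALTERNATE
#INCLUDE \\DC1\netlogon\lmhosts
#INCLUDE \\DC2\netlogon\lmhosts
#END_ALTERNATE
```

The only file that changes during the server reorganization is the shared copy on the netlogon share; the client file is copied once. After editing either file, `nbtstat -R` purges and reloads the NetBIOS name cache so the #PRE entries take effect without a reboot.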

PART II

Network Infrastructure

Chapter 4 Planning, Implementing, and Maintaining a Network Infrastructure

Chapter 5 Planning Routing and Remote Access

Chapter 6 Planning Network Security


ITINERARY


Objective 4.01 Plan and Modify Network Topology

Objective 4.02 Plan Network Traffic Monitoring

Objective 4.03 Internet Connectivity Strategy

Objective 4.04 Troubleshoot Internet Connectivity

Objective 4.05 Troubleshoot TCP/IP Addressing

Objective 4.06 Troubleshoot Host Name Resolution

