
MCS-022

Qst.1 (a) What is the significance of VPN? Name some VPN technologies supported by Windows 2000.
Ans: Virtual Private Networks: Windows supports virtual private network connections to access machines
remotely. A VPN connection lets one system connect securely to another machine over the network.
A VPN is an extension of a private network that comprises links across shared or
public networks. In a VPN the local network data is encrypted while it crosses the shared
network (referred to as tunneling), for security considerations. A VPN connection uses either the
Point-to-Point Tunneling Protocol (PPTP) or the Layer 2 Tunneling Protocol (L2TP).
The Windows 2000 remote access mechanism lets remote clients connect to corporate
networks or to the Internet. Windows 2000 supports two kinds of remote access
connection methods (Figure 1):
Dial-up remote access
VPN (Virtual Private Network) remote access
A VPN provides a secure network connection between two remote machines and
secure data transfer over a public network. Windows 2000 supports
PPTP and L2TP.
Remote Access Clients: Windows 2000, Windows NT, Windows 98, Windows 95, MS-DOS and
MS LAN Manager are remote access clients that can connect to a Windows 2000 remote
access server. Third-party clients such as UNIX and Apple Macintosh can also connect to a
Windows 2000 remote access server.
Remote Access Server: The Windows 2000 server accepts connection requests from clients
and forwards them to other clients or to the network.
WAN Infrastructure: this depends upon the type of connection being made. There are
various networks, such as:
PSTN (Public Switched Telephone Network)
ISDN (Integrated Services Digital Network)
X.25 (ITU-T protocol based WAN)
Windows 2000 supports three types of remote access protocols, PPP, SLIP and
asynchronous NetBEUI, as well as the network protocols TCP/IP, IPX and AppleTalk.
Windows 2000 Remote Access provides a variety of security features, such as:
User authentication
Mutual authentication
Data encryption
Callback
Caller ID
Remote access account lockout
Remote Access Management involves managing users, addresses, access and
authentication.
A virtual private network is an extension of a private network that applies encapsulation,
encryption and authentication to links across shared or public networks. A VPN mimics
the properties of a dedicated private network over the Internet, allowing data transfer
between two computers as if they were on one network. Corporate offices can use two different methods

For More Solutions Contact To Mr. Bilal Ali : Brain Cafe Computer Classes, Near U.P.
Tech. Chowk Lucknow. Contact Number:+91 9984736691,+91 9450148850
E_Mail_Id- Lucknowcomputerclasses@gmail.com, FB Page- facebook.com/bilalali0786 1

to connect to a network over the Internet: using dedicated lines, or using dial-up lines.
In either case the VPN uses tunneling to transfer data.
Tunneling is a secure method of using an internetwork infrastructure to transfer a
payload.
A tunneling protocol comprises a tunnel maintenance protocol and a tunnel data transfer
protocol. The two basic types of tunnels are:
1. Voluntary tunnels
2. Compulsory tunnels.
Protocols used by Windows 2000 for VPN are PPTP (Point-to-Point Tunneling Protocol),
L2TP (Layer 2 Tunneling Protocol), IPSec (IP Security) and IP-in-IP.
VPN management involves managing user addresses, server access, authentication
and encryption. Troubleshooting a VPN involves checking connectivity, remote access
connection establishment, routing and IPSec.
Windows 2000 provides a set of RRAS tools:
Routing and Remote Access snap-in: enables RRAS and the management of routing
interfaces, IPX routing configuration, creation of a static IP address pool and
configuration of remote access policies. It is available from the Administrative Tools
folder.
Net Shell command: the Windows 2000 Net Shell command is a command-line
and scripting utility. It is named Netsh.exe and is installed in
%systemroot%\system32 when Windows 2000 is installed.
Qst.1 (b) Write step by step procedure to configure a Linux machine to work with a network file system.
Ans: We can configure a Linux machine to work with a Network File System (NFS), where
files on other machines on the network can be made available as if they were local
files. A Linux machine can work as an NFS client, whereby it accesses files on the
network. You can also configure your Linux machine as an NFS server, whereby you
can let other machines access files on yours. In this section we will look at how this
can be done.
As we have seen for the web server and DNS server cases, although you can
construct an NFS configuration file by hand, Linux comes with a tool to ease the task.
This is the NFS Server Configuration Tool. It requires superuser or root access to use
the tool. Being graphical, you must have the X Window System running to be able to
use the tool. But you can still start up the tool from the command line by issuing the
following command at the root prompt:
[root@linux root]# redhat-config-nfs
The NFS Server Configuration Tool both reads from and writes to the configuration
file /etc/exports, and so you can modify the configuration file by hand after using the
tool. If you use the tool again later, it will understand and recognize your changes,
provided you did the configuration correctly with the proper syntax. The main window

of the tool is shown in Figure 5 below:

Figure 5: NFS Server Configuration Tool Main Window


To share a directory, called adding an NFS share, you need to click on the Add button
above. This brings up a window with the title "Add NFS Share" that has three tabs.
The "Basic" tab allows you to specify a directory, and a radio button lets you decide
whether you want to allow read-write or read-only access to others on it. You also
have to specify the machines or hosts that are to be allowed access to that directory.
This can be done by:
Giving a fully qualified domain name. This should be something your machine
can resolve to an IP address.
Giving an IP address.
Giving a host name; again, your machine should be able to resolve this to an IP
address.
Giving a group of machines by specifying them as a domain name or host name
with wildcards. You can use a * for matching any number of characters except a
period, and a ? to match any single character.
Giving an IP network by specifying the network and a / followed by the number
of bits in the netmask, or by specifying the netmask itself.
Doing the above makes the directory accessible to the host or hosts with the permissions
desired.
The "General Options" tab has five options, as described below:
If you want to allow ordinary users to be able to start the NFS service and allow
shares, you have to allow the service to be started on ports higher than 1024.
This does make the service less secure because the share does not require the
concurrence of the administrator.
You can decide to allow insecure file locking.
You can decide to disable subtree checking. This is useful if you have exported
an entire file system, because your server will no longer check to see whether a
file requested by a client is in the directory that has been shared.
You can choose to force synchronization of writes immediately.
You can choose to disable synchronization of write operations, where the server
first writes out to disk the changes caused by a request before replying to it.

The "User Access" tab has the following options that you can set.
You can allow the superuser of a client machine root privileges on your machine.
This is a big security risk and should be used only if necessary. Otherwise, by
default, even the root user of the client is treated as an anonymous user on your
machine.
You can map all users on the client to the anonymous user on your machine. If
you choose this option, you can set the user id and group id of the anonymous
user.
You can now click on the OK button to save the configuration you have made. Of
course you can add as many directories as you wish to share. You can also edit
directory properties by selecting it and choosing the "Properties" button in the main
window. This button is initially greyed out when there are no directories shared.
Similarly you can delete a directory by selecting it and choosing the "Delete" button.
Whether you add, edit or delete a directory, the configuration takes effect immediately
after you save it. This is done by generating the new /etc/exports file and restarting
the NFS server daemon.
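The settings chosen on the tool's tabs end up as export options in /etc/exports. As an added example (not part of the course material), here is a Python checker that parses an exports file and flags the options the text describes as weakening security: unprivileged ports, insecure locking, disabled subtree checking, asynchronous writes, client root kept as root, and writable shares granted to wildcard hosts or to everyone. The sample exports content is constructed.

```python
import re

# Constructed sample /etc/exports (an example, not a real server's file). The host
# forms are the ones the text lists: FQDN, IP address, wildcard name, network/bits,
# network/netmask, and a bare * meaning every host.
SAMPLE_EXPORTS = """\
# exported directories (constructed example)
/home/projects   server1.example.com(rw,sync,root_squash)
/pub             *.example.com(ro,sync) 10.0.0.0/24(ro,sync)
/srv/scratch     192.168.1.0/255.255.255.0(rw,async,no_subtree_check)
/data            *(rw,insecure,insecure_locks,no_root_squash)
/anon            client?(rw,all_squash,anonuid=1500,anongid=1500)
"""

# Export options the text describes as reducing security, and why.
RISKY_OPTIONS = {
    "insecure": "accepts requests from ports above 1024 (unprivileged clients)",
    "insecure_locks": "allows insecure file locking",
    "no_subtree_check": "server no longer checks the file lies inside the shared directory",
    "async": "server replies before the change is written to disk",
    "no_root_squash": "client root gets root privileges on the server",
}

SPEC_RE = re.compile(r"([^()]*)(?:\((.*)\))?")

def parse_exports(text):
    """Return a list of (directory, [(host, [options])]) from /etc/exports text.

    Each line is '<dir> <host>(<opt>,...) <host>(...) ...'; '#' starts a comment.
    """
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        clients = []
        for spec in fields[1:]:
            m = SPEC_RE.fullmatch(spec)
            host = m.group(1) or "*"          # an empty host field means everyone
            opts = [o for o in (m.group(2) or "").split(",") if o]
            clients.append((host, opts))
        exports.append((fields[0], clients))
    return exports

def classify_host(host):
    """Classify a host field into the forms the text lists."""
    if host == "*":
        return "everyone"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}/\d{1,2}", host):
        return "network/bits"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}/\d{1,3}(\.\d{1,3}){3}", host):
        return "network/netmask"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "ip"
    if "*" in host or "?" in host:
        return "wildcard"
    return "name"

def audit_exports(text):
    """Return findings as (directory, host, option or 'host'/'rw', reason)."""
    findings = []
    for directory, clients in parse_exports(text):
        for host, opts in clients:
            kind = classify_host(host)
            if kind == "everyone":
                findings.append((directory, host, "host", "exported to every host"))
            for opt in opts:
                if opt in RISKY_OPTIONS:
                    findings.append((directory, host, opt, RISKY_OPTIONS[opt]))
            # read-write access granted to a host pattern rather than a named host
            if "rw" in opts and kind in ("everyone", "wildcard"):
                findings.append((directory, host, "rw", "writable for a host pattern"))
    return findings

if __name__ == "__main__":
    for directory, host, what, why in audit_exports(SAMPLE_EXPORTS):
        print(f"{directory:14} {host:28} {what:16} {why}")
```

Running it against a real server is a matter of passing the contents of /etc/exports to audit_exports; the tool's GUI choices map one-to-one to the option names above.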
Qst.2 (a) List any two existing virus protection tools available today in the market for Windows.
Describe and compare their features.
Ans: There are many virus protection products available in the market. We discuss two of the most
popular products available in the market here:
1. Quick Heal: Quick Heal Technologies Pvt. Ltd., founded in 1993, is an IT security solutions provider and an
ISO 9001 certified company. Quick Heal has partnered with Microsoft and Intel. Its products are certified by
ICSA Labs and AV-Test. The company has global offices in the UAE, US, Japan and Kenya. It has a network of
15000+ channel partners in more than 100 countries worldwide. Quick Heal Technologies has an active
customer base of over 17 million in 112+ countries and employs more than 1200 people across 33 branches in
the country.
History
Quick Heal was founded in 1993 as "CAT Computer Services (P) Ltd".
The first branch was opened at Nashik in 2003, followed by the opening of fully functional Mumbai and Nagpur
branches. In 2004, Quick Heal started operations at Hyderabad.[4] It then opened branches in Delhi, Bangalore
and Chennai,[4] and at Ahmedabad, Surat, Indore and Chandigarh.[5]
In 2007, CAT changed its name to "Quick Heal Technologies (P) Ltd" with the establishment of a dedicated R&D
lab. A new R&D center opened at Pune in 2007.[6] Sales and support branches opened at Aurangabad, Coimbatore,
Vizag and Cochin in 2007.[4]
In 2008, Quick Heal was selected as host for the AVAR 2008 international conference held at Delhi.[5]

In 2010, Quick Heal received an investment of INR 60 Crores from Sequoia Capital,[7] and new branch offices
were opened in Madurai, Tamil Nadu. In 2012, offices were opened in Japan and the US, and in 2013, offices were
opened in Africa and the UAE.
In 2014, Quick Heal achieved Quality Management System Registration ISO 9001.[8]
In 2015, Quick Heal grew to 31 branch offices and 1100+ employees, with over 8 million customers
worldwide.[9]
Product history
First Quick Heal AntiVirus for DOS released in 1994
Quick Heal for Win 3.1 released in 1995, followed by Quick Heal for Windows 95 in 1996[4]
Quick Heal 2005 Corporate Edition 2.0 released[5]
CAT introduces DNA Scan technology in 2005
CAT releases Quick Heal 2006 with DNA Scan technology capable of detecting unknown viruses in real
time without depending on the latest signature patterns[4]
Bundling of Quick Heal AntiVirus with Microsoft Windows XP, MSWGA in 2006
Quick Heal is the first to detect the Black Worm in 2006[4]
Company launches Quick Heal's multilingual version in Hindi, Marathi and Tamil in 2006[5]
Quick Heal PC Tuner gets Microsoft certification for Windows Vista in 2007[5]
Quick Heal becomes a Certified Microsoft Partner in 2008
Antivirus + Antispyware OESISOK(TM) designation from OPSWAT for Quick Heal AntiVirus version
9.50 on the Windows XP operating system[5]
West Coast Labs' acclaimed Check-Mark certification on Windows Vista Business Edition[5]
Product for ISP customers released in 2010[5]
Launches Windows Mobile Scan for Windows Mobile operating systems[10]
Released the 2012 version of Quick Heal desktop products with cloud-based security for 360 degree
protection[11]
Launched Mobile Security Suite for Android and BlackBerry[12]
Launched the 2014 series with Advanced DNAScan and Machine Level Learning to reduce [4]
Releases Endpoint Security 5.3 with Device Control and extended support for Apple Mac OS X
platforms[13]
Completely revamped Endpoint Security 6.0 released with Data Loss Prevention, Asset Management,
File Activity Monitor and Advanced Device Controls[14]

Features are:
Advanced DNAScan
The ingenious Quick Heal DNAScan technology is now enhanced to combine behavioral and characteristic
inspection and monitoring of unsafe programs. This results in a clean, more up-to-date and accurate detection of
threats.

Vulnerability Scanner
Helps you identify and fix security vulnerabilities on your PC that can expose your computer and its data to
attackers.
Quick Heal Remote Device Management (RDM)
The RDM portal lets you manage your Quick Heal products. Via the portal, you can view the security status of
the products, and renew and manage their licenses.
This facility is free of cost.
Firewall
Allows you to set protection levels for Internet traffic and applications that try to connect to your network. It
also includes Stealth Mode that makes your system invisible to malicious threats.
Core Protection
The intelligent antivirus engine effectively detects and resolves threats (viruses, worms and other malware). The
additional features like AntiSpyware, AntiMalware, AntiRootkit, Silent Firewall and IDS/IPS provide all round
virus protection.
Browser Sandbox
Running your web browser in Sandbox Browser gives you an uninterrupted and secure browsing experience. It
provides internet security protection by acting like a screen between the PC's operating system and the
malicious threats. This feature now comes with a USB drive support.
Import and Export Settings
Users can now import Quick Heal security settings from a single computer and export it to other computers.
This is helpful in cases where reinstallations or multiple computer configurations are concerned.
Flash Drive Protection
Automatically scans external storage devices and protects USB drives from autorun infections.
Email Security
Quick Heal AntiVirus Pro gives cloud-based email security that prevents infected emails from reaching your
Inbox.

Stay Connected
Our users now have direct access to our Facebook and Twitter pages with just a click.
Improved Scan Engine
The revamped antivirus scan engine avoids rescanning files that have not been altered since the previous scan.
This reduces system resource usage.
Safe Mode Protection
This facility stops unauthorized users from changing Quick Heal security settings when the system is running
on Safe Mode.
Enhanced Self-Protection
The Self-protection feature now protects Quick Heal's running processes and services.
Silent Mode
Suppresses prompts across all Quick Heal antivirus modules thereby reducing system load and allowing
uninterrupted PC usage.
Web Security
Real time cloud security restricts access to malware infected websites. This feature gives internet security
protection by blocking threats transferred through websites hosting malicious codes.
TrackMyLaptop
Lost or stolen laptops can be a huge liability to your privacy. The Quick Heal TrackMyLaptop service helps track
the whereabouts of your lost or stolen laptop. The service is a social initiative that comes with every desktop
product of Quick Heal at no extra cost.
Kindly note that Quick Heal users have to register their Quick Heal product license key at the TrackMyLaptop
portal to avail of this facility. Non-Quick Heal users have to register their laptop's MAC ID. To know more, visit
2. Avira Professional: Avira Operations GmbH & Co. KG is a German multinational and family-owned
antivirus software company that provides IT security for computers, smartphones, servers and networks,
delivered as both software and cloud-based services.

Avira's headquarters are located near Lake Constance, in Tettnang, Germany, and the company has additional
European offices in Munich, Bucharest and the Netherlands. Avira also has offices in Japan and China, as well
as an R&D facility in the USA's Silicon Valley.
With an estimated 9.6% of global market share according to OPSWAT, and over 100 million customers, Avira
was considered the sixth largest antivirus vendor in 2012.[1][3]
The company supports the Auerbach Stiftung, a foundation created by the company's founder, Tjark Auerbach.
It promotes charitable and social projects as well as the arts, culture and science.
Virus Definitions
Avira periodically "cleans out" the virus definition files by replacing specific signatures with generic ones,
resulting in a general increase in performance and scanning speed. A database clean-out with a size of 15 MB
was made on 27 October 2008, causing problems for users of the Free edition because of its large size and the
slow servers of the Free edition. To solve the problem, Avira improved the updating process by reducing the
size of the individual updatable files, resulting in the delivery of less data in each update. Nowadays there are
32 smaller definition files that are updated regularly in order to avoid peaks in the download of the updates.[5]
Features are:
Antivirus Scanner
Total protection from malware.
Real-time cloud protection
Protects you from emerging threats.
Blocks PUA
Blocks hidden applications bundled with legitimate software.
Email Protection
Scans emails for malware.
Network Protection
Scans files shared on your network.

Advanced Web Protection
Safely surf, shop, stream, download and bank online.
Game Mode
Suspends unnecessary notifications during games and movies.
Browser Tracking Blocker*
Prevents ad networks from monitoring what you do online.
Safe Browsing*
Blocks harmful websites before they load.
Avira Price Comparison*
Saves you money while shopping online.
Qst.2 (b) Describe the process of sharing network in Linux and Windows 2000.
Ans: Samba is an extremely useful networking tool for anyone who has both Windows and Unix systems on his
network. Running on a Unix system, it allows Windows to share files and printers on the Unix host, and it also
allows Unix users to access resources shared by Windows systems.
Samba is a suite of Unix applications that speak the Server Message Block (SMB) protocol. Microsoft
Windows operating systems and the OS/2 operating system use SMB to perform client-server networking for
file and printer sharing and associated operations. By supporting this protocol, Samba enables computers
running Unix to get in on the action, communicating with the same networking protocol as Microsoft Windows
and appearing as another Windows system on the network from the perspective of a Windows client. A Samba
server offers the following services:
Share one or more directory trees
Share one or more Distributed filesystem (Dfs) trees
Share printers installed on the server among Windows clients on the network
Assist clients with network browsing
Authenticate clients logging onto a Windows domain
Provide or assist with Windows Internet Name Service (WINS) name-server resolution

Let's take a quick tour of Samba in action. Assume that we have the following basic network configuration: a
Samba-enabled Unix system, to which we will assign the name toltec, and a pair of Windows clients, to which
we will assign the names maya and aztec, all connected via a local area network (LAN). Let's also assume that

toltec also has a local inkjet printer connected to it, lp, and a disk share named spirit, both of which it can offer
to the other two computers. A graphic of this network is shown in Figure 1-1.

Figure 1-1. A simple network set up with a Samba server


In this network, each computer listed shares the same workgroup. A workgroup is a group name tag that
identifies an arbitrary collection of computers and their resources on an SMB network. Several workgroups can
be on the network at any time, but for our basic network example, we'll have only one: the METRAN
workgroup.
Sharing a Disk Service
If everything is properly configured, we should be able to see the Samba server, toltec, through the Network
Neighborhood of the maya Windows desktop. In fact, Figure 1-2 shows the Network Neighborhood of the maya
computer, including toltec and each computer that resides in the METRAN workgroup. Note the Entire
Network icon at the top of the list. As we just mentioned, more than one workgroup can be on an SMB network
at any given time. If a user clicks the Entire Network icon, she will see a list of all the workgroups that currently
exist on the network.

Figure 1-2. The Network Neighborhood directory
We can take a closer look at the toltec server by double-clicking its icon. This contacts toltec itself and requests
a list of its shares, the file and printer resources that the computer provides. In this case, a printer named lp, a
home directory named jay, and a disk share named spirit are on the server, as shown in Figure 1-3. Note that the
Windows display shows hostnames in mixed case (Toltec). Case is irrelevant in hostnames, so you might see
toltec, Toltec, and TOLTEC in various displays or command output, but they all refer to a single system.
Thanks to Samba, Windows 98 sees the Unix server as a valid SMB server and can access the spirit folder as if
it were just another system folder.

Figure 1-3. Shares available on the Toltec server as viewed from maya
One popular Windows feature is the ability to map a drive letter (such as E:, F:, or Z:) to a shared directory on
the network using the Map Network Drive option in Windows Explorer.[1] Once you do so, your applications
can access the folder across the network using the drive letter. You can store data on it, install and run programs
from it, and even password-protect it against unwanted visitors. See Figure 1-4 for an example of mapping a
drive letter to a network directory.

Figure 1-4. Mapping a network drive to a Windows drive letter
Take a look at the Path: entry in the dialog box of Figure 1-4. An equivalent way to represent a directory on a
network computer is by using two backslashes, followed by the name of the networked computer, another
backslash, and the networked directory of the computer, as shown here:
\\network-computer\directory
This is known as the Universal Naming Convention (UNC) in the Windows world. For example, the dialog box
in Figure 1-4 represents the network directory on the toltec server as:
\\toltec\spirit
If this looks somewhat familiar to you, you're probably thinking of uniform resource locators (URLs), which
are addresses that web browsers such as Netscape Navigator and Internet Explorer use to resolve systems across
the Internet. Be sure not to confuse the two: URLs such as http://www.oreilly.com use forward slashes instead
of backslashes, and they precede the initial slashes with the data transfer protocol (i.e., ftp, http) and a colon (:).
In reality, URLs and UNCs are two completely separate things, although sometimes you can specify an SMB
share using a URL rather than a UNC. As a URL, the \\toltec\spirit share would be specified as
smb://toltec/spirit.
Once the network drive is set up, Windows and its programs behave as if the networked directory were a local
disk. If you have any applications that support multiuser functionality on a network, you can install those
programs on the network drive.[2] Figure 1-5 shows the resulting network drive as it would appear with other
storage devices in the Windows 98 client. Note the pipeline attachment in the icon for the J: drive; this indicates
that it is a network drive rather than a fixed drive.

Figure 1-5. The Network directory mapped to the client drive letter J
My Network Places, found in Windows Me, 2000, and XP, works differently from Network Neighborhood. It is
necessary to click a few more icons, but eventually we can get to the view of the toltec server as shown in
Figure 1-6. This is from a Windows 2000 system. Setting up the network drive using the Map Network Drive
option in Windows 2000 works similarly to other Windows versions.

Figure 1-6. Shares available on Toltec (viewed from dine)


Sharing a Printer
You probably noticed that the printer lp appeared under the available shares for toltec in Figure 1-3. This
indicates that the Unix server has a printer that can be shared by the various SMB clients in the workgroup.
Data sent to the printer from any of the clients will be spooled on the Unix server and printed in the order in
which it is received.
Setting up a Samba-enabled printer on the Windows side is even easier than setting up a disk share. By
double-clicking the printer and identifying the manufacturer and model, you can install a driver for this printer on the
Windows client. Windows can then properly format any information sent to the network printer and access it as
if it were a local printer. On Windows 98, double-clicking the Printers icon in the Control Panel opens the
Printers window shown in Figure 1-7. Again, note the pipeline attachment below the printer, which identifies it
as being on a network.


Figure 1-7. A network printer available on Toltec


Seeing things from the Unix side
As mentioned earlier, Samba appears in Unix as a set of daemon programs. You can view them with the Unix
ps command; you can read any messages they generate through custom debug files or the Unix syslog
(depending on how Samba is set up); and you can configure them from a single Samba configuration file:
smb.conf. In addition, if you want to get an idea of what the daemons are doing, Samba has a program called
smbstatus that will lay it all on the line. Here is how it works:
# smbstatus
Processing section "[homes]"
Processing section "[printers]"
Processing section "[spirit]"

Samba version 2.2.6
Service      uid      gid      pid     machine
----------------------------------------------
spirit       jay      jay      7735   maya     (172.16.1.6) Sun Aug 12 12:17:14 2002
spirit       jay      jay      7779   aztec    (172.16.1.2) Sun Aug 12 12:49:11 2002
jay          jay      jay      7735   maya     (172.16.1.6) Sun Aug 12 12:56:19 2002

Locked files:
Pid    DenyMode   R/W     Oplock   Name
--------------------------------------------------
7735   DENY_WRITE RDONLY  NONE     /u/RegClean.exe   Sun Aug 12 13:01:22 2002

Share mode memory usage (bytes):
   1048368(99%) free + 136(0%) used + 72(0%) overhead = 1048576(100%) total
The Samba status from this output provides three sets of data, each divided into separate sections. The first
section tells which systems have connected to the Samba server, identifying each client by its machine name

(maya and aztec) and IP (Internet Protocol) address. The second section reports the name and status of the files
that are currently in use on a share on the server, including the read/write status and any locks on the files.
Finally, Samba reports the amount of memory it has currently allocated to the shares that it administers,
including the amount actively used by the shares plus additional overhead. (Note that this is not the same as the
total amount of memory that the smbd or nmbd processes are using.)
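As an added example (not from the course material or the Samba project), the following Python script parses smbstatus output of the form shown above into its three sections and joins each locked file back to the client that holds it through the smbd pid, which is what an administrator needs when deciding whether a client connection can safely be dropped. The sample input is the output reproduced above.

```python
import re
from collections import defaultdict

# smbstatus output as shown in the text, used here as the sample input.
SAMPLE_SMBSTATUS = """\
Processing section "[homes]"
Processing section "[printers]"
Processing section "[spirit]"

Samba version 2.2.6
Service      uid      gid      pid     machine
----------------------------------------------
spirit       jay      jay      7735   maya     (172.16.1.6) Sun Aug 12 12:17:14 2002
spirit       jay      jay      7779   aztec    (172.16.1.2) Sun Aug 12 12:49:11 2002
jay          jay      jay      7735   maya     (172.16.1.6) Sun Aug 12 12:56:19 2002

Locked files:
Pid    DenyMode   R/W     Oplock   Name
--------------------------------------------------
7735   DENY_WRITE RDONLY  NONE     /u/RegClean.exe   Sun Aug 12 13:01:22 2002

Share mode memory usage (bytes):
   1048368(99%) free + 136(0%) used + 72(0%) overhead = 1048576(100%) total
"""

# One connection line: service, uid, gid, smbd pid, client name, client IP, time.
CONN_RE = re.compile(
    r"^(?P<service>\S+)\s+(?P<uid>\S+)\s+(?P<gid>\S+)\s+(?P<pid>\d+)\s+"
    r"(?P<machine>\S+)\s+\((?P<ip>[\d.]+)\)\s+(?P<when>.+)$")
# One locked-file line: pid, deny mode, read/write mode, oplock, path, time.
LOCK_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<deny>\S+)\s+(?P<rw>\S+)\s+(?P<oplock>\S+)\s+"
    r"(?P<name>\S+)\s+(?P<when>.+)$")
MEM_RE = re.compile(
    r"(\d+)\(\d+%\) free \+ (\d+)\(\d+%\) used \+ (\d+)\(\d+%\) overhead = (\d+)")

def parse_smbstatus(text):
    """Split smbstatus output into its three sections: connections, locks, memory."""
    connections, locks, memory = [], [], None
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Service"):
            section = "conn"
            continue
        if stripped.startswith("Locked files"):
            section = "lock"
            continue
        if stripped.startswith("Share mode memory"):
            section = "mem"
            continue
        # skip blank lines, rule lines and the column header of the lock table
        if not stripped or stripped.startswith("-") or stripped.startswith("Pid"):
            continue
        if section == "conn" and (m := CONN_RE.match(stripped)):
            connections.append({**m.groupdict(), "pid": int(m["pid"])})
        elif section == "lock" and (m := LOCK_RE.match(stripped)):
            locks.append({**m.groupdict(), "pid": int(m["pid"])})
        elif section == "mem" and (m := MEM_RE.search(stripped)):
            free, used, overhead, total = map(int, m.groups())
            memory = {"free": free, "used": used, "overhead": overhead, "total": total}
    return {"connections": connections, "locks": locks, "memory": memory}

def connections_by_client(status):
    """Map each client (machine, ip) to the sorted list of services it has open."""
    by_client = defaultdict(set)
    for c in status["connections"]:
        by_client[(c["machine"], c["ip"])].add(c["service"])
    return {k: sorted(v) for k, v in by_client.items()}

def locks_with_client(status):
    """Join each locked file to the client holding it, via the smbd pid."""
    pid_to_client = {c["pid"]: (c["machine"], c["ip"]) for c in status["connections"]}
    return [(lock["name"], lock["rw"], lock["deny"], pid_to_client.get(lock["pid"]))
            for lock in status["locks"]]

if __name__ == "__main__":
    status = parse_smbstatus(SAMPLE_SMBSTATUS)
    for client, services in connections_by_client(status).items():
        print(client, services)
    for name, rw, deny, client in locks_with_client(status):
        print(name, rw, deny, "held by", client)
```
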
Qst.3 (a) What are the strategies followed in Windows 2000 for backup?
Ans: Think how much time it would take to recreate everything on your computer, if you could. Given all the
threats to your data (viruses, natural disasters, computer crashes and theft, to name a few), a computer backup
strategy is essential. Fortunately, there are a number of computer backup strategies to choose from, from simple
to esoteric.
We have put together a small tutorial on backups and include several backup strategies, including our favorite.
Our favorite backup strategy uses the venerable Acronis True Image software. The easy-to-use True Image
backs up to an external hard drive, off site (online), USB flash drive, or DVD/CD. It can be scheduled for
off-hours backup or invoked for immediate backup.
Backing up to an off-site area, such as the Internet, is crucial in disaster planning for a business or for personal use.
True Image can handle disk image backups: everything (operating system, user settings, applications, data, etc.)
is saved so your PC can be restored to a known state without reinstallation.
File-based backups can be specified so you choose exactly what gets backed up and where, including off-site.
Acronis True Image Highlights
Back up while using your computer
Restore individual files and/or folders
Restore the entire PC, including operating system, applications and settings
Schedule backups any time
Supports Windows 98, ME, NT 4.0, 2000, XP, Vista
Recovery manager enables recovery even if the operating system is broken
Creates bootable media (CD, flash drive or floppy) in case the computer cannot boot up
Has an image verification tool to ensure the backup is error free
Password protects backups
Archive can be compressed to save disk space
Archive can be split across multiple CDs
File security settings are preserved
Creates a log file of what was backed up
...and many other features

Types of Backups
Understanding the different types of backups will help in choosing the best backup type for a particular
situation.
Full
A full backup is the starting point for all other backups, and contains all the data in the folders and files that you
have selected to be backed up. Because a full backup stores all files and folders, frequent full backups result in
faster and easier restore operations. Remember that when you choose other backup types, restore jobs may take
longer.
Differential
A differential backup contains all files that have changed since the last full backup. The full backup + the latest
differential backup produce the latest full backup.
An example:
Sunday = full backup #1
Monday = diff backup #1 (backs up Mon)
Tuesday = diff backup #2 (backs up Mon, Tue)
Incremental
An incremental backup stores all files and folders that have changed since the last full or incremental backup.
The advantage of an incremental backup is that it takes the least time to complete; however, during a restore
operation, each incremental backup must be processed, which could result in a lengthy restore job. To limit the
number of incremental backups, make a full backup periodically.
An example:
Sunday = full backup #1
Monday = incremental backup #1 (backs up Monday's changes)
Tuesday = incremental backup #2 (backs up Tuesday's changes)
Thursday = incremental backup #3 (backs up Wed and Thu changes)
Friday = computer destroyed
A full restore would restore the full backup, then incremental backups 1, then 2, then 3. All the work up to and
including Thursday would be restored.
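To make the restore chains concrete, here is an added Python model (not part of the original text or of any backup product) of the full, differential and incremental schedules above. The file names, versions and the Monday/Tuesday/Thursday schedule are constructed sample data. It shows that a differential restore needs only the full backup plus the newest differential, while an incremental restore must replay every increment in order, and it counts how many file versions each scheme stores.

```python
"""Full, differential and incremental backups modelled as sets of file versions.

Added example, not part of the original text: it replays the Sunday-to-Thursday
schedules described above and shows which pieces each kind of restore needs.
File names and contents below are constructed sample data, not real files.
"""
from typing import Dict, List, Tuple

Snapshot = Dict[str, str]   # filename -> content version on a given day

# Constructed state of the data drive at the end of each day (index 0 = Sunday).
DAYS: List[Snapshot] = [
    {"budget.xls": "v0", "notes.txt": "v0"},                      # Sun: full backup taken
    {"budget.xls": "v1", "notes.txt": "v0"},                      # Mon: budget edited
    {"budget.xls": "v1", "notes.txt": "v1"},                      # Tue: notes edited
    {"budget.xls": "v1", "notes.txt": "v1", "taxes.pdf": "v0"},   # Wed: file added, no backup run
    {"budget.xls": "v2", "notes.txt": "v1", "taxes.pdf": "v0"},   # Thu: budget edited again
]
BACKUP_DAYS = [1, 2, 4]     # Mon, Tue, Thu: the schedule used in the incremental example


def changed_since(current: Snapshot, baseline: Snapshot) -> Snapshot:
    """Files whose version differs from the baseline (new files included; deletions ignored)."""
    return {name: ver for name, ver in current.items() if baseline.get(name) != ver}


def differential_chain(days: List[Snapshot], backup_days: List[int]) -> Tuple[Snapshot, List[Snapshot]]:
    """Full backup on day 0; every later backup holds all changes since that full."""
    full = dict(days[0])
    return full, [changed_since(days[i], full) for i in backup_days]


def incremental_chain(days: List[Snapshot], backup_days: List[int]) -> Tuple[Snapshot, List[Snapshot]]:
    """Full backup on day 0; every later backup holds only changes since the previous backup."""
    full = dict(days[0])
    increments: List[Snapshot] = []
    previous = full
    for i in backup_days:
        increments.append(changed_since(days[i], previous))
        previous = days[i]
    return full, increments


def restore_differential(full: Snapshot, latest_diff: Snapshot) -> Snapshot:
    """Differential restore needs exactly two pieces: the full and the newest differential."""
    state = dict(full)
    state.update(latest_diff)
    return state


def restore_incremental(full: Snapshot, increments: List[Snapshot]) -> Snapshot:
    """Incremental restore replays every increment in order; skipping one loses data."""
    state = dict(full)
    for inc in increments:
        state.update(inc)
    return state


def stored_entries(backups: List[Snapshot]) -> int:
    """Total file versions held by the non-full backups (a proxy for media consumed)."""
    return sum(len(b) for b in backups)


if __name__ == "__main__":
    full, diffs = differential_chain(DAYS, BACKUP_DAYS)
    _, incs = incremental_chain(DAYS, BACKUP_DAYS)
    print("differential entries:", stored_entries(diffs), "incremental entries:", stored_entries(incs))
    print("differential restore ok:", restore_differential(full, diffs[-1]) == DAYS[4])
    print("incremental restore ok:", restore_incremental(full, incs) == DAYS[4])
    print("incremental restore without #2 ok:", restore_incremental(full, incs[:1] + incs[2:]) == DAYS[4])
```

The last line of the demo is the point of the page's warning about restore jobs: with incrementals, a single missing or unreadable piece in the chain leaves Thursday's restore incomplete, which is why verifying every backup in the chain matters as much as making it.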

Mirror
A mirror backup is identical to a full backup, with the exception that the files are not compressed and they
cannot be protected with a password. A mirror backup is most frequently used to create an exact copy of the
backup data. It has the benefit that the backup files can also be readily accessed using tools like Windows
Explorer.
RAID
RAID - redundant array of independent disks. RAID1 (mirroring) is supported by Windows 2000 and XP.
When one disk goes out the operating system automatically goes to the other. Note that backups are still needed.
Organize your Data
Organizing your data can go a long way toward making backups less painful. There are countless ways to set
up your computer but here are a few ideas:
1. Put your operating system and applications on the C drive and your data on the D drive.
If your computer only has a C drive you will have to create a D drive. Programs such as PartitionMagic make
this process easy.
There are several advantages to doing this.
1. If you have to reformat your operating system drive (e.g. due to corruption or a virus) or just want to install a
new one (like Windows ME to Windows XP) your data remains untouched.
2. To back up your data all you have to do is back up the D drive. Period.
If you use 'My Documents' to store data, it needs to be moved to the D drive because its default location is
where the operating system resides: the C drive. Just right-click on My Documents in Windows explorer, enter
in the path of where you want to put My Documents, then click 'move'.
An addition to this strategy is to create an E drive for archives (rarely changing files such as pictures and old
tax files). This drive only needs to be backed up periodically.
What to Back Up
The most important thing to back up, of course, is your data. The operating system and applications can be
backed up but since they can be restored it is not imperative. A full mirror backup saves -everything- so if your
computer goes bad it can be fully restored.

Make sure all the data is backed up. Some programs, such as Outlook, store their data files in hard to find
places. Don't forget your browser favorites.
Where to Back Up
Storing your backup data is as important as making the backup. The backup media must be reliable and it is
recommended to have (at least) two versions of a backup (in case one is corrupted). Always make sure you can
restore a backup; I've seen cases where a company will dutifully do its backup and months down the road find
out every one of them was useless (tape drive did not write to the tape, the internet backup provider
"disappeared", ...)
Backup media includes DVDs, CDs, flash drive, external hard drive, and on the internet.
When to Back Up
When to back up depends on how often changes are made and how valuable you consider your data. Some
businesses do a full backup every night while some people back up only once a month. One scheme is to
do a full back up every week and an incremental backup every day.
Backup Program Features
Below is a list of features to look for in a backup program.

Can data be encrypted?
Is encryption technique proprietary or well-known?
Backup to external drive?
Erase rewriteable CDs?
Support UNC names? (like \\server\sharename)
Tape backup?
Schedule backups?
Split backups over several CDs?
Verify backups?
Verify backup media before it is used?
Password-protect backup?
Security attributes backed up?
Log file produced?
Locked files backed up? (i.e. can you use your computer while a backup occurs)
Can it run on a server?
Is backup customizable?


Email notification (something goes wrong, backup finished, ...)?
Can entire computer be backed up?
Restore
o Pick and choose what to restore
o Restore exact directory structure
o Preview of what's going to be restored

Backup Programs
There is an abundance of backup programs available. We have culled the list down to a manageable size.
None
A backup can be as simple as copying your data files to backup media, such as a physically separate drive, an
external hard drive, or a flash drive. This is simple and easy to restore.
WinZip
WinZip is a program that compresses files. Nearly every file can be compressed to a size smaller than the
original - sometimes 90% smaller. WinZip has been around forever. Though it is not 'officially' a backup
program it does a good job and is easy to use. Restoring is simple: just open the zip file and extract the files to
wherever you want.
To do a backup, create a WinZip file and add all the files you want backed up. You can add an entire drive by
telling WinZip to add all the files of the D: drive, for example.
Windows XP backup
Windows XP Professional's Backup program has many good features, including full, incremental (only files
that have changed), and scheduled backups. Unfortunately, it lacks space-saving file compression and can't back
up to rewritable DVDs. Windows XP Home Edition users get a limited version of XP Professional's backup; it's
located on your Home Edition installation CD in the \valueadd\msft\ntbackup folder.
An easy way around the file compression is to make the backup (the backup file will end with a .bak) then
compress it using WinZip. Then move the WinZip file to your backup storage (DVD, flash drive, external hard
drive, or online). Use the date, and maybe time, in the backup filename (such as 2006-Jun-11-full-backup.zip).

Backup Strategies
The backup strategy chosen depends on the amount of data to back up, how critical it is, and how much data
was generated. Another factor to consider is whether the entire computer should be backed up or just the data.
One can always reinstall programs, though at the cost of time.
Strategy 1
Back up your data to a USB flash drive.
Flash drives, the size of a stick of gum, hold up to 4 GB of data. Insert them into a USB port and you are good
to go (no formatting necessary). Just drag-and-drop files to it or have your backup program put its backup on it.
The flash drive behaves just like a disk drive. It is available in Windows explorer as a drive. Use two of them
and alternate backups. They are great for on the go or keeping offsite (like a safety deposit box or someone's
house). And most of them can be protected by a password. Our favorite is the SanDisk Cruzer series.
Strategy 2
Back up your data to DVDs or CDs.
Use rewriteable DVDs, if possible. One thing to watch out for is that most backup programs cannot handle
writing directly to a DVD so it is best to write the backup to your hard disk then copy it to the DVD.
Strategy 3
Back up your data to an external hard drive or a zip drive.
External hard drives are relatively inexpensive. And they can hold a lot of data (up to 300 GB) and are easy to
connect. Most plug in to a USB port and are ready to go. Some come with a backup program. One advantage to
using an external hard drive is it is relatively easy to take with you.
Strategy 4
Back up your data online.
One of the newer avenues is to back up data online. Programs such as QuickBooks (an accounting program)
have a built-in way to back up accounting data online. Other vendors, such as Xdrive, supply as much space as
you need to do your backups. This method has several advantages:

no extra hardware to buy and configure
the backup is kept at another location which is good if there is a disaster
the backup can be automated. Just leave your computer on and at a specific time Xdrive will initiate the
backup
your backup data can be accessed from any computer
If you have a laptop, you can back up from any internet connection (hotel, friend's house, etc)

Strategy 5
Mirroring a system means making an exact copy of it and storing it offline. One can mirror a system to a DVD
if it can fit or to an external hard drive. An advantage of mirroring is one does not have to reinstall all the
programs. Mirroring takes up the most backup space since it includes the operating system and applications. A
mirror program could be run in the off hours. One mirror program I've used in industry for years with excellent
results is Norton Ghost.
Backup Tips

Make sure the backup does not have a virus
Make sure the backup can be restored
Do not back up directly to a DVD or CD since it is an unreliable method
Always have at least 2 sets of backups (different dates)
Keep a backup off site (out of your home or office)
Have passwords for your backups (in case they are stolen)
Keep backups in two locations (in case of theft or disaster)

Qst.3 (b) What are the contents of Password files and where are they located in Windows? Also, explain the
concept of Shadow passwords?
Ans: Many people ask me about the location in the Registry or file system where Windows applications store
the passwords. So I prepared a list of password storage locations for more than 20 popular applications and
Windows components.
Be aware that even if you know the location of the saved password, it doesn't mean that you can move it from
one computer to another. Many applications store the passwords in a way that prevents you from moving them to
another computer or user profile.
However, you can use this information to remove unwanted saved passwords from your system.

Windows Network Passwords (XP/Vista/2003): When you connect to the file system of another
computer on your network (something like \\MyComp\MyFolder), Windows allows you to save the
password. If you choose to save the password, the encrypted password is stored in a credential file.
The credential file is stored in the following locations:
o Windows XP/2003: [Windows Profile]\Application Data\Microsoft\Credentials\[User SID]\Credentials
and [Windows Profile]\Local Settings\Application Data\Microsoft\Credentials\[User SID]\Credentials
o Windows Vista: [Windows Profile]\AppData\Roaming\Microsoft\Credentials\[Random ID] and
[Windows Profile]\AppData\Local\Microsoft\Credentials\[Random ID]
You can use my Network Password Recovery utility to view all passwords stored in these Credentials
files.

Dialup/VPN Passwords (2000/XP/Vista/2003): Dialup/VPN passwords are stored as LSA secrets under
HKEY_LOCAL_MACHINE\Security\Policy\Secrets. This key contains multiple sub-keys, and the sub-keys
which store the dialup passwords contain one of the following strings: RasDefaultCredentials and
RasDialParams.
This key is not accessible from RegEdit and other tools by default, but you can use one of the following
methods to access this key:
1. Use the at command to run RegEdit.exe as the SYSTEM user (doesn't work under Vista). For example:
at 16:14 /interactive regedit.exe
2. Change the permission of the entire Security key. If you do that, it's recommended to return the
permissions back to the original after you finish.
Internet Explorer 4.00 - 6.00: The passwords are stored in a secret location in the Registry known as the
"Protected Storage". The base key of the Protected Storage is located under the following key:
"HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider". In order to view
the subkeys of this key in RegEdit, you must do the same process as explained for the LSA secrets.
Even when you browse the above key in the Registry Editor (RegEdit), you won't be able to see the
passwords, because they are encrypted. Also, this key cannot easily be moved from one computer to
another, as you can do with regular Registry keys.
IE PassView and Protected Storage PassView utilities allow you to recover these passwords.

Internet Explorer 7.00 - 8.00: The new versions of Internet Explorer store the passwords in 2 different
locations. AutoComplete passwords are stored in the Registry under
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2. HTTP
Authentication passwords are stored in the Credentials file under Documents and Settings\Application
Data\Microsoft\Credentials, together with login passwords of LAN computers and other passwords.
IE PassView can be used to recover these passwords.

Firefox: The passwords are stored in one of the following filenames: signons.txt, signons2.txt, and
signons3.txt (depending on the Firefox version). These password files are located inside the profile folder of
Firefox, in [Windows Profile]\Application Data\Mozilla\Firefox\Profiles\[Profile Name]. Also, key3.db,
located in the same folder, is used for encryption/decryption of the passwords.
Google Chrome Web browser: The passwords are stored in [Windows Profile]\Local
Settings\Application Data\Google\Chrome\User Data\Default\Web Data (This filename is SQLite
database which contains encrypted passwords and other stuff)
Opera: The passwords are stored in wand.dat filename, located under [Windows Profile]\Application
Data\Opera\Opera\profile
Outlook Express (All Versions): The POP3/SMTP/IMAP passwords Outlook Express are also stored in
the Protected Storage, like the passwords of old versions of Internet Explorer.
Outlook 98/2000: Old versions of Outlook stored the POP3/SMTP/IMAP passwords in the Protected
Storage, like the passwords of old versions of Internet Explorer.
Outlook 2002-2008: All new versions of Outlook store the passwords in the same Registry key as the
account settings. The accounts are stored in the Registry under
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging
Subsystem\Profiles\[Profile Name]\9375CFF0413111d3B88A00104B2A6676\[Account Index]. If you
use Outlook to connect to an account on an Exchange server, the password is stored in the Credentials file,
together with login passwords of LAN computers.
Mail PassView can be used to recover lost passwords of Outlook 2002-2008.

Windows Live Mail: All account settings, including the encrypted passwords, are stored in [Windows
Profile]\Local Settings\Application Data\Microsoft\Windows Live Mail\[Account Name] The account
filename is an xml file with .oeaccount extension.
Mail PassView can be used to recover lost passwords of Windows Live Mail.

ThunderBird: The password file is located under [Windows Profile]\Application
Data\Thunderbird\Profiles\[Profile Name]. You should search for a filename with .s extension.
Google Talk: All account settings, including the encrypted passwords, are stored in the Registry under
HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[Account Name]
Google Desktop: Email passwords are stored in the Registry under
HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes\[Account Name]
MSN/Windows Messenger version 6.x and below: The passwords are stored in one of the following
locations:
0. Registry Key: HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger
1. Registry Key: HKEY_CURRENT_USER\Software\Microsoft\MessengerService
2. In the Credentials file, with entry named as "Passport.Net\\*". (Only when the OS is XP or more)
MSN Messenger version 7.x: The passwords are stored under
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds\[Account Name]
Windows Live Messenger version 8.x/9.x: The passwords are stored in the Credentials file, with entry
name begins with "WindowsLive:name=". These passwords can be recovered by both Network
Password Recovery and MessenPass utilities.
Yahoo Messenger 6.x: The password is stored in the Registry, under
HKEY_CURRENT_USER\Software\Yahoo\Pager ("EOptions string" value)
Yahoo Messenger 7.5 or later: The password is stored in the Registry, under
HKEY_CURRENT_USER\Software\Yahoo\Pager - "ETS" value. The value stored in "ETS" value
cannot be recovered back to the original password.
AIM Pro: The passwords are stored in the Registry, under
HKEY_CURRENT_USER\Software\AIM\AIMPRO\[Account Name]
AIM 6.x: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\America
Online\AIM6\Passwords
ICQ Lite 4.x/5.x/2003: The passwords are stored in the Registry, under
HKEY_CURRENT_USER\Software\Mirabilis\ICQ\NewOwners\[ICQ Number] (MainLocation value)
ICQ 6.x: The password hash is stored in [Windows Profile]\Application Data\ICQ\[User
Name]\Owner.mdb (Access Database) (The password hash cannot be recovered back to the original
password)
Digsby: The main password of Digsby is stored in [Windows Profile]\Application
Data\Digsby\digsby.dat All other passwords are stored in Digsby servers.


PaltalkScene: The passwords are stored in the Registry, under
HKEY_CURRENT_USER\Software\Paltalk\[Account Name].

Concept Of Shadow Password :


By moving the passwords to the /etc/shadow file, we are effectively keeping the attacker from having access to
the encoded passwords with which to perform a dictionary attack.
Additionally, the Shadow Suite adds lots of other nice features:

A configuration file to set login defaults (/etc/login.defs)
Utilities for adding, modifying, and deleting user accounts and groups
Password aging and expiration
Account expiration and locking
Shadowed group passwords (optional)
Double length passwords (16 character passwords) [NOT RECOMMENDED]
Better control over user's password selection
Dial-up passwords
Secondary authentication programs [NOT RECOMMENDED]

Shadow utils is a package in Linux that's installed by default in most of the distributions, used for separating
passwords from /etc/passwd. After implementing shadow-utils, passwords are now saved in /etc/shadow file in
Linux. This /etc/shadow file is only accessible by root. Let's see the contents of the /etc/shadow file, and also
its permission.
[root@slashroot1 ~]# ll /etc/shadow
-r-------- 1 root root 1140 Dec 14 23:17 /etc/shadow
[root@slashroot1 ~]#
You can see that unlike the /etc/passwd file, the /etc/shadow file only has the "r" (read) permission set for the
root user, which means no other user has access to this file. Let's see what the content of this file is.
[root@slashroot1 ~]# cat /etc/shadow
root:$1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1:15651:0:99999:7:::

Let's understand each and every field of that output, which are separated by a ":".
1. The first field is self explanatory: it's the USERNAME
2. The second field is the encoded password (which is a one-way hash; we will be discussing this in detail)

Format of the shadow file


The /etc/shadow file contains the following information:
username:passwd:last:may:must:warn:expire:disable:reserved
Where:
username: The user name
passwd: The encoded password
last: Days since Jan 1, 1970 that password was last changed
may: Days before password may be changed
must: Days after which password must be changed
warn: Days before password is to expire that user is warned
expire: Days after password expires that account is disabled
disable: Days since Jan 1, 1970 that account is disabled
reserved: A reserved field
The previous example might then be:
username:Npge08pfz4wuk:9479:0:10000::::

3. The third field is the number of days since the UNIX time (epoch) that the password was last changed.
Refer: What is UNIX time?
4. This field specifies the number of days that are required between password changes.
5. Number of days after which it is necessary to change the password.
6. This is the number of days before the required password change that the user gets a warning.
7. If the password has expired, after this number of days the account will be disabled.
8. Number of days from the Unix time at which the account is disabled.
9. This field is not used yet.
Now you may be confused as to why the /etc/shadow file contains this much information rather than only
the encoded password. This is because the shadow-utils package provides some more advanced features
along with storing encoded passwords in /etc/shadow. The above-mentioned fields of /etc/shadow reflect
those added features to a certain extent, such as the age of the passwords and their expiry, and also the
features mentioned below.

Default parameters for user account creation (/etc/login.defs)
Tools to modify user accounts and groups
Enforcing strict password selection

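An added example, not from the original text: a small Python parser for /etc/shadow lines that applies the nine-field layout explained above. It reads the page's two sample lines plus a few constructed ones, converts the day counts to calendar dates and flags empty passwords, locked accounts, weak hash schemes and expired passwords or accounts, the sort of check an administrator runs after enabling shadow passwords. The crypt(3) prefix table and the rule that a last-change value of 0 forces a password change at next login come from the shadow(5) and crypt(5) manual pages, not from the page; the "today" value is passed in as a day count so the result is reproducible.

```python
"""Parse /etc/shadow entries and flag accounts with weak or expired credentials.

Added example (not part of the original text): applies the field layout given
above (username:passwd:last:may:must:warn:expire:disable:reserved) to the
page's two sample lines plus constructed ones. Only the standard library is
used and nothing reads the real /etc/shadow.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

EPOCH = date(1970, 1, 1)          # shadow day counts are days since this date
NEVER = 99999                     # conventional "no maximum age" value in the must field


@dataclass
class ShadowEntry:
    username: str
    passwd: str                   # encoded password, or "" / "!" / "*" / "!!"
    last: Optional[int]           # days since epoch of the last password change
    may: Optional[int]            # minimum days between changes
    must: Optional[int]           # maximum days a password stays valid
    warn: Optional[int]           # days of warning before expiry
    expire: Optional[int]         # inactivity days after expiry before the account is disabled
    disable: Optional[int]        # absolute day on which the account is disabled
    reserved: str


def _opt_int(field: str) -> Optional[int]:
    """Empty shadow fields mean 'unset'; anything else is a day count."""
    return int(field) if field.strip() else None


def parse_shadow_line(line: str) -> ShadowEntry:
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(parts)}: {line!r}")
    return ShadowEntry(parts[0], parts[1], *(_opt_int(p) for p in parts[2:8]), parts[8])


def days_to_date(days: int) -> date:
    return EPOCH + timedelta(days=days)


def hash_algorithm(passwd: str) -> str:
    """Identify the crypt(3) scheme from the hash prefix (per crypt(5); unknown -> 'unknown')."""
    prefixes = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}
    for prefix, name in prefixes.items():
        if passwd.startswith(prefix):
            return name
    if len(passwd) == 13 and "$" not in passwd:
        return "des"              # traditional 13-character DES crypt, as in the page's second sample
    return "unknown"


def assess(entry: ShadowEntry, today_days: int) -> List[str]:
    """Return finding tags for one entry, evaluated as of 'today_days' (days since epoch)."""
    findings: List[str] = []
    pw = entry.passwd
    if pw == "":
        findings.append("NO_PASSWORD")            # empty field: no password is required to log in
    elif pw.startswith(("!", "*")):
        findings.append("LOCKED")                 # password login disabled for this account
    elif hash_algorithm(pw) in ("md5crypt", "des"):
        findings.append("WEAK_HASH")              # cheap to attack offline if the file ever leaks
    if entry.last == 0:
        findings.append("CHANGE_AT_NEXT_LOGIN")   # shadow(5): 0 forces a change at next login
    if entry.last and entry.must is not None and entry.must < NEVER:
        expires_on = entry.last + entry.must
        if today_days > expires_on:
            findings.append("PASSWORD_EXPIRED")
            if entry.expire is not None and today_days > expires_on + entry.expire:
                findings.append("DISABLED_AFTER_EXPIRY")
    if entry.disable is not None and today_days >= entry.disable:
        findings.append("ACCOUNT_EXPIRED")
    return findings


def audit(lines: List[str], today_days: int) -> Dict[str, List[str]]:
    return {e.username: assess(e, today_days) for e in map(parse_shadow_line, lines)}


SAMPLE_SHADOW = [
    "root:$1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1:15651:0:99999:7:::",   # from the page
    "username:Npge08pfz4wuk:9479:0:10000::::",                       # from the page
    "guest::15000:0:99999:7:::",                                      # constructed: empty password
    "svc:!$6$salt$locked:15000:0:90:7:14::",                          # constructed: locked account
    "olduser:$6$salt$hash:15000:0:90:7:14:15300:",                    # constructed: expired account
]

if __name__ == "__main__":
    for user, tags in audit(SAMPLE_SHADOW, today_days=15700).items():
        print(f"{user:10s} {', '.join(tags) or 'ok'}")
```

Run against the page's own root line, the parser reports the last change as 2012-11-07 (day 15651) and flags the $1$ (MD5-crypt) hash as weak; the 13-character hash in the second sample is classic DES crypt. Modern distributions use $6$ or $y$ hashes, so either finding on a live system is worth a password reset.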
Qst.4 (a) Name the various methods of authentication available in the Windows 2000 operating system.
Ans:

Authentication Methods

There are a number of PPP authentication protocols that are supported by the RADIUS protocol. Each protocol
has advantages and disadvantages in terms of security, usability, and breadth of support. The protocol used is
determined by the configuration of the NAS device. See your NAS documentation if you are configuring a dial-up network, or consult your ISP if you are using an ISP for dial-up access to your LAN.
The following sections focus on the advantages and disadvantages of the authentication protocols currently
supported by IAS. The information is also useful in configuring a particular authentication method for remote
access.
Password Authentication Protocol
Password Authentication Protocol (PAP) passes a password as a string from the user's computer to the NAS
device. When the NAS forwards the password, it is encrypted using the RADIUS shared secret as an encryption
key. PAP is the most flexible protocol because passing a plaintext password to the authentication server enables
that server to compare the password with nearly any storage format. For example, UNIX passwords are stored
as one-way encrypted strings that cannot be decrypted. PAP passwords can be compared to these strings by
reproducing the encryption method.
Because it uses a plaintext version of the password, PAP has a number of security vulnerabilities. Although the
RADIUS protocol encrypts the password, it is transmitted as plaintext across the dial-up connection.
Enabling PAP
To enable PAP-based authentication, you must do the following:
1. Enable PAP as an authentication protocol on the remote access server. For information about a default
setting on a particular NAS, see your NAS documentation. On the Routing and Remote Access service,
PAP is disabled by default.
2. Enable PAP on the appropriate remote access policy. PAP is disabled by default.
3. Enable PAP on a remote access client.

Note
Enabling PAP as an authentication protocol means that user passwords are sent from a client to a NAS in
plaintext form. The NAS encrypts the password using the shared secret and sends it in an Access-Request

packet. Because a RADIUS proxy must encrypt the PAP password using the shared secret of its forwarding
RADIUS server, a RADIUS proxy must decrypt the PAP password using the shared secret between the
RADIUS proxy and the NAS. A malicious user at a RADIUS proxy can record user names and passwords for
PAP connections. For this reason, the use of PAP is highly discouraged, especially for virtual private network
connections.
Challenge Handshake Authentication Protocol
Challenge Handshake Authentication Protocol (CHAP) is designed to address the concern of passing passwords
in plaintext. By using CHAP, the NAS sends a random number challenge to the user's computer. The challenge
and the user's password are then hashed by using MD5. The client computer then sends the hash as a response
to the NAS challenge and the NAS forwards both the challenge and response in the RADIUS Access-Request
packet.
When the authenticating server receives the RADIUS packet, it uses the challenge and the user's password to
create its own version of the response. If the version of the server matches the response supplied by the user's
computer, the access request is accepted.
CHAP responses cannot be reused because NAS devices send a unique challenge each time a client computer
connects to them. Because the algorithm for calculating CHAP responses is well known, it is very important
that passwords be carefully chosen and sufficiently long. CHAP passwords that are common words or names
are vulnerable to dictionary attacks if they can be discovered by comparing responses to the CHAP challenge
with every entry in a dictionary. Passwords that are not sufficiently long can be discovered by brute force by
comparing the CHAP response to sequential trials until a match to the user's response is found.
Historically, CHAP is the most common dial-up authentication protocol used. When the server does not store
the same password that was used to calculate the CHAP response, it cannot calculate an equivalent response.
Because standard CHAP clients use the plaintext version of the password to create the CHAP challenge
response, passwords must be stored in plaintext on the server to calculate an equivalent response.
Although the IAS server supports CHAP, a Windows NT 4.0-based domain controller cannot validate CHAP
requests without support for storing reversibly encrypted passwords. This support is available in
Windows 2000; in Windows NT 4.0, this support is available through an update to the Windows NT 4.0-based
domain controller.
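The challenge/response computation described above, as an added example that is not part of the original text nor of any Microsoft or IAS code: it follows RFC 1994 (MD5 over the packet identifier, the secret and the challenge) and runs the NAS, client and authenticating-server roles in one Python script. The user name, password and challenge length are constructed values. It makes two of the page's points observable: the server must hold the plaintext (reversibly stored) password to recompute the response, and a response recorded from one connection is useless against the fresh challenge of the next.

```python
"""CHAP challenge/response (RFC 1994) with all three roles in one script.

Added example, not part of the original text: the user database, password
and challenge length are constructed values.
"""
import hashlib
import secrets
from typing import Dict, Tuple

# Constructed user database held by the authenticating (RADIUS) server.
# CHAP verification needs the password itself here, not a one-way hash of it,
# which is why the page requires reversibly encrypted password storage.
USER_DB: Dict[str, str] = {"alice": "correct horse battery staple"}


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || challenge value)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def nas_challenge(length: int = 16) -> Tuple[int, bytes]:
    """NAS side: a fresh random identifier and challenge for every connection attempt."""
    return secrets.randbelow(256), secrets.token_bytes(length)


def client_answer(identifier: int, challenge: bytes, password: str) -> bytes:
    """Client side: hashes its password with the challenge; the password never leaves the client."""
    return chap_response(identifier, password, challenge)


def server_verify(name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute from the stored password and compare in constant time."""
    stored = USER_DB.get(name)
    if stored is None:
        return False
    expected = chap_response(identifier, stored, challenge)
    return secrets.compare_digest(expected, response)


def run_exchange(name: str, password: str) -> bool:
    """One full authentication: NAS challenge -> client response -> server check.

    The NAS forwards name, identifier, challenge and response to the server in
    a RADIUS Access-Request; here that is simply a function call.
    """
    ident, chal = nas_challenge()
    resp = client_answer(ident, chal, password)
    return server_verify(name, ident, chal, resp)


def replay_is_rejected(name: str, password: str) -> bool:
    """A response recorded from one session fails against the next session's challenge."""
    ident1, chal1 = nas_challenge()
    captured = client_answer(ident1, chal1, password)
    ident2, chal2 = nas_challenge()          # new random challenge, so the old response no longer matches
    return not server_verify(name, ident2, chal2, captured)


if __name__ == "__main__":
    print("correct password accepted:", run_exchange("alice", "correct horse battery staple"))
    print("wrong password rejected:  ", not run_exchange("alice", "wrong"))
    print("unknown user rejected:    ", not run_exchange("bob", "anything"))
    print("replay rejected:          ", replay_is_rejected("alice", "correct horse battery staple"))
```

Because MD5 is fast and the algorithm is public, anyone who records a challenge and response can test password guesses offline at high speed, which is the dictionary and brute-force exposure the text describes; the protocol offers no defence other than long, non-dictionary passwords.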
Enabling CHAP
To enable CHAP-based authentication, you must do the following:

1. Enable CHAP as an authentication protocol on the remote access server. For information about a default
setting on a particular NAS, see your NAS documentation. For the Routing and Remote Access service,
CHAP is enabled by default.
2. Enable CHAP on the appropriate remote access policy. CHAP is enabled by default.
3. Enable storage of a reversibly encrypted form of the user's password. For a Windows 2000-based stand-alone server, use machine Group Policy to enable storage of reversibly encrypted passwords for all users
of the computer. For Windows 2000 domains, Group Policy at the domain or Organizational Unit (OU)
level can be used. For information about enabling reversibly encrypted passwords in a Windows 2000
domain, see Windows 2000 Server Help.
4. Force a reset of users' passwords so that the new password is in a reversibly encrypted form. When you
enable passwords to be stored in a reversibly encrypted form, the current passwords are in a
nonreversibly encrypted form and are not automatically changed. You must either reset user passwords
or set user passwords to be changed the next time they log on. After the password is changed, it is stored
in a reversibly encrypted form.
If you set user passwords to be changed at the next attempt to log on, the user must log on using a LAN
connection and change their password before they attempt to log on with a remote access connection
using CHAP. CHAP does not support the changing of passwords during the authentication process and
the logon attempt fails. One workaround for the remote access user is to temporarily log on using MS-CHAP to change their password.
5. Enable CHAP on the remote access client.
Microsoft Challenge Handshake Authentication Protocol
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is a variant of CHAP that does not
require a plaintext version of the password on the authenticating server. In MS-CHAP the challenge response is
calculated with an MD4 hashed version of the password and the NAS challenge. This enables authentication
over the Internet to a Windows 2000 domain controller (or a Windows NT 4.0 domain controller on which the
update has not been installed).
MS-CHAP passwords are stored more securely at the server but have the same vulnerabilities to dictionary and
brute force attacks as CHAP. When using MS-CHAP, it is important to ensure that passwords are well chosen
(not found in a standard dictionary) and long enough that they cannot be calculated readily. Many large
customers require passwords to be at least six characters long with upper and lower case characters and at least
one numeral.
See your NAS documentation, or consult your ISP to see whether the ISP currently supports MS-CHAP.

Note

For More Solutions Contact To Mr. Bilal Ali : Brain Cafe Computer Classes, Near U.P.
Tech. Chowk Lucknow. Contact Number:+91 9984736691,+91 9450148850
E_Mail_Id- Lucknowcomputerclasses@gmail.com, FB Page- facebook.com/bilalali0786 29

By default, MS-CHAP v1 for Windows 2000 supports LAN Manager authentication. If you want to prohibit the
use of LAN Manager authentication with MS-CHAP v1 for older Microsoft operating systems such as
Windows NT 3.5x and Windows 95, you must set Allow LM Authentication
(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy) to 0 on the
authenticating server.
If a user attempts to authenticate by using MS-CHAP with an expired password, MS-CHAP prompts the user to
change the password while connecting to the server. Other authentication protocols do not support this feature,
effectively locking out the user who used the expired password.
Enabling MS-CHAP
To enable MS-CHAP-based authentication, you must do the following:
1. Enable MS-CHAP as an authentication protocol on the remote access server. MS-CHAP is enabled by
default on the Routing and Remote Access service. For information about default settings on other
NASs, see your NAS documentation.
2. Enable MS-CHAP on the appropriate remote access policy. MS-CHAP is enabled by default.
3. Enable MS-CHAP on a remote access client.
Microsoft Challenge Handshake Authentication Protocol Version 2
Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) provides mutual
authentication, stronger initial data encryption keys, and different encryption keys for sending and receiving.
For VPN connections, Windows 2000 servers offer MS-CHAP v2 before offering the legacy MS-CHAP.
Updated Windows clients accept MS-CHAP v2 when it is offered.
MS-CHAP v2 is a one-way encrypted password, mutual authentication process that works as follows:
1. The remote access server sends a challenge to the remote access client that consists of a session
identifier and an arbitrary challenge string.
2. The remote access client sends a response that contains:
o The user name.
o An arbitrary peer challenge string.
o A one-way encryption of the received challenge string, the peer challenge string, the session
identifier, and the user's password.
3. The remote access server checks the response from the client and sends back a response containing:
o An indication of the success or failure of the connection attempt.
o An authenticated response based on the sent challenge string, the peer challenge string, the
encrypted response of the client, and the user's password.

4. The remote access client verifies the authentication response and, if correct, uses the connection. If the
authentication response is not correct, the remote access client terminates the connection.
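The four-step exchange above, as an added worked example in Python (this is not code from the page, from Microsoft or from RFC 2759). HMAC-SHA256 keyed with a hash of the password stands in for the protocol's "one-way encryption"; the real MS-CHAP v2 primitives (NT hash, DES-based challenge response, SHA-1 authenticator response) are not reproduced. What it does show is the property the page describes: the server stores only a one-way value, never the plaintext password, and a server that does not know that value cannot produce the step-3 authenticator response, so the client terminates the connection in step 4.

```python
import hashlib
import hmac
import os

# ASSUMPTION: a SHA-256 digest of the UTF-16LE password stands in for the NT hash,
# and HMAC-SHA256 for the protocol's one-way encryption (not the RFC 2759 primitives).
def password_key(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def one_way(key: bytes, *parts: bytes) -> bytes:
    mac = hmac.new(key, digestmod="sha256")
    for part in parts:
        mac.update(part)
    return mac.digest()


# Step 1: server -> client: a session identifier and an arbitrary challenge string.
def server_challenge(rng=os.urandom) -> dict:
    return {"session_id": rng(4), "challenge": rng(16)}


# Step 2: client -> server: user name, an arbitrary peer challenge, and a one-way value
# over the received challenge, the peer challenge, the session identifier and the password.
def client_response(username: str, password: str, session_id: bytes,
                    challenge: bytes, rng=os.urandom) -> dict:
    peer_challenge = rng(16)
    response = one_way(password_key(password), challenge, peer_challenge, session_id, username.encode())
    return {"username": username, "peer_challenge": peer_challenge, "response": response}


# Step 3: the server (holding only password_key values) checks the response and, on success,
# returns an authenticator response over the sent challenge, the peer challenge, the client's
# encrypted response and the password.
def server_verify(accounts: dict, session_id: bytes, challenge: bytes, msg: dict) -> dict:
    key = accounts.get(msg["username"])
    if key is None:
        return {"success": False, "auth_response": None}
    expected = one_way(key, challenge, msg["peer_challenge"], session_id, msg["username"].encode())
    if not hmac.compare_digest(expected, msg["response"]):
        return {"success": False, "auth_response": None}
    auth = one_way(key, challenge, msg["peer_challenge"], msg["response"], b"authenticator")
    return {"success": True, "auth_response": auth}


# Step 4: the client verifies the authenticator response; this is what makes the
# authentication mutual, because an impostor server cannot compute it.
def client_verify(password: str, session_id: bytes, challenge: bytes, sent: dict, reply: dict) -> bool:
    if not reply["success"] or reply["auth_response"] is None:
        return False
    expected = one_way(password_key(password), challenge, sent["peer_challenge"],
                       sent["response"], b"authenticator")
    return hmac.compare_digest(expected, reply["auth_response"])


def run_exchange(accounts: dict, username: str, password: str, rng=os.urandom):
    """Drive one full exchange; returns (server_accepted, client_accepted)."""
    ch = server_challenge(rng)
    sent = client_response(username, password, ch["session_id"], ch["challenge"], rng)
    reply = server_verify(accounts, ch["session_id"], ch["challenge"], sent)
    return reply["success"], client_verify(password, ch["session_id"], ch["challenge"], sent, reply)


if __name__ == "__main__":
    store = {"alice": password_key("correct horse battery")}   # constructed sample account
    print(run_exchange(store, "alice", "correct horse battery"))  # (True, True)
    print(run_exchange(store, "alice", "wrong password"))         # (False, False)
```

The dictionary-attack caveat from the MS-CHAP section still applies to this model: anyone who captures the challenge, peer challenge and response can test candidate passwords offline, which is why the page's advice on password length and character mix matters for both MS-CHAP versions.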
If a user authenticates by using MS-CHAP v2 and attempts to use an expired password, MS-CHAP prompts the
user to change the password while connecting to the server. Other authentication protocols do not support this
feature, effectively locking out the user who used the expired password.
Enabling MS-CHAP v2
To enable MS-CHAP v2-based authentication, you must do the following:
1. Enable MS-CHAP v2 as an authentication protocol on the remote access server. MS-CHAP v2 is
enabled by default on the Routing and Remote Access service. For information about default settings on
other NASs, see your NAS documentation.
2. Enable MS-CHAP v2 on the appropriate remote access policy. MS-CHAP v2 is enabled by default.
3. Enable MS-CHAP v2 on the Windows 2000 remote access client.

Note
Windows 95 and Windows 98 support MS-CHAP v2 only for virtual private network (VPN) connections.
Windows 95 and Windows 98 do not support MS-CHAP v2 for dial-up connections.
Extensible Authentication Protocol
Extensible Authentication Protocol (EAP) is an extension to the Point-to-Point protocol (PPP) that works with
dial-up, PPTP, and L2TP clients. EAP allows the addition of new authentication methods known as EAP types.
Both the dial-in client and the remote access server must support the same EAP type for successful
authentication to occur.
Windows 2000 includes an EAP infrastructure and two EAP types, EAP-MD5 CHAP and EAP-TLS. The IAS
implementation in Windows 2000 has the ability to pass EAP messages to a RADIUS server (EAP-RADIUS).
EAP-MD5 CHAP
Message Digest 5 Challenge Handshake Authentication Protocol (EAP-MD5 CHAP) is a required EAP type
that uses the same challenge-handshake protocol as PPP-based CHAP, but the challenges and responses are sent
as EAP messages. A typical use for EAP-MD5 CHAP is to authenticate the credentials of remote access clients
by using user name and password security systems. You can use EAP-MD5 CHAP to test EAP interoperability.
EAP-TLS
EAP-Transport Level Security (EAP-TLS) is an EAP type that is used in certificate-based security
environments. If you are using smart cards for remote access authentication, you must use the EAP-TLS
authentication method. The EAP-TLS exchange of messages provides mutual authentication, negotiation of the
encryption method, and secured private key exchange between the remote access client and the authenticating
server. EAP-TLS provides the strongest authentication and key exchange method. EAP-TLS is supported only
on a remote access server that is running Windows 2000 and is a member of a Windows 2000 mixed or native
domain.
EAP-RADIUS
EAP-RADIUS is not an EAP type, but the passing of EAP messages of any EAP type by a remote access server
to a RADIUS server for authentication. The EAP messages sent between the remote access client and remote
access server are encapsulated and formatted as RADIUS messages between the remote access server and the
RADIUS server.
EAP-RADIUS is used in environments where RADIUS is used as the authentication provider. An advantage of
using EAP-RADIUS is that EAP types do not need to be installed at each remote access server, only at the
RADIUS server. In a typical use of EAP-RADIUS, a remote access server is configured to use EAP and to use
RADIUS as its authentication provider. When a connection is made, the remote access client negotiates the use
of EAP with the remote access server. When the client sends an EAP message to the remote access server, the
remote access server encapsulates the EAP message as a RADIUS message and sends it to its configured
RADIUS server. The RADIUS server processes the EAP message and sends a RADIUS-encapsulated EAP
message back to the remote access server. The remote access server then forwards the EAP message to the
remote access client. In this configuration, the remote access server is only a pass-through device. All
processing of EAP messages occurs at the remote access client and the RADIUS server.
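The EAP-MD5 CHAP section and the EAP-RADIUS pass-through described above, as one added Python example (not code from the page or from Microsoft). It builds an EAP-MD5 challenge and response the way RFC 1994 CHAP does (MD5 over identifier, secret and challenge), then shows the remote access server's only job in the EAP-RADIUS configuration: wrapping the EAP packet into RADIUS EAP-Message attributes (type 79, at most 253 value octets each, so larger packets are split) and the RADIUS server reassembling and verifying it. The RADIUS packet header, the shared secret and the Message-Authenticator attribute are left out; the sample challenge, account and user names are constructed.

```python
import hashlib
import hmac
import struct

# EAP packet codes and the MD5-Challenge type (RFC 3748 / RFC 1994).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5 = 4
# RADIUS attribute carrying EAP packets (RFC 3579); an attribute is at most 255 octets,
# two of which are its Type and Length fields.
RADIUS_EAP_MESSAGE = 79
RADIUS_ATTR_MAX_VALUE = 253


def eap_packet(code, identifier, eap_type=None, data=b""):
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt):
    """Return (code, identifier, type, type_data); Success/Failure carry no Type."""
    if len(pkt) < 4:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, identifier, None, b""
    if length < 5:
        raise ValueError("Request/Response without a Type octet")
    return code, identifier, pkt[4], pkt[5:]


def md5_challenge_response(identifier, password, challenge):
    """CHAP / EAP-MD5 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def eap_md5_request(identifier, challenge, server_name=b""):
    return eap_packet(EAP_REQUEST, identifier, EAP_TYPE_MD5,
                      bytes([len(challenge)]) + challenge + server_name)


def eap_md5_response(identifier, password, challenge, name):
    digest = md5_challenge_response(identifier, password, challenge)
    return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_MD5, bytes([len(digest)]) + digest + name)


def to_radius_attrs(eap_pkt):
    """Remote access server (pass-through) side: wrap the EAP packet in one or more
    EAP-Message attributes without looking inside it."""
    attrs = b""
    for i in range(0, len(eap_pkt), RADIUS_ATTR_MAX_VALUE):
        chunk = eap_pkt[i:i + RADIUS_ATTR_MAX_VALUE]
        attrs += bytes([RADIUS_EAP_MESSAGE, 2 + len(chunk)]) + chunk
    return attrs


def from_radius_attrs(attrs):
    """RADIUS server side: walk the attribute list and concatenate EAP-Message values
    in order, skipping attributes of other types and rejecting malformed lengths."""
    pos, eap = 0, b""
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated RADIUS attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad RADIUS attribute length")
        if atype == RADIUS_EAP_MESSAGE:
            eap += attrs[pos + 2:pos + alen]
        pos += alen
    return eap


def radius_server_check(attrs, accounts, challenge):
    """RADIUS server side: reassemble the EAP-Response/MD5-Challenge, verify it against the
    stored password and the challenge it issued, and answer with EAP Success or Failure.
    As with CHAP, the server needs the password in recoverable form to do this."""
    code, ident, etype, data = parse_eap(from_radius_attrs(attrs))
    if code != EAP_RESPONSE or etype != EAP_TYPE_MD5 or not data:
        return eap_packet(EAP_FAILURE, ident)
    vlen = data[0]
    digest, name = data[1:1 + vlen], data[1 + vlen:]
    password = accounts.get(name)
    if password is not None and hmac.compare_digest(digest, md5_challenge_response(ident, password, challenge)):
        return eap_packet(EAP_SUCCESS, ident)
    return eap_packet(EAP_FAILURE, ident)
```

The remote access server never calls `parse_eap`; that is the pass-through property the page describes, and it is why new EAP types only need to be installed on the RADIUS server.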
Enabling EAP
To enable EAP-based authentication, you must do the following:
1. Enable EAP as an authentication protocol on the remote access server.
2. Enable EAP; if needed, configure the EAP type on the appropriate remote access policy.
3. Enable and configure EAP on a remote access client.

In addition to the EAP types defined and supported in Windows 2000, new EAP authentication methods can be
included through the use of EAP Software Development Kit.
Unauthenticated Access
The unauthenticated access method allows remote access users to log on without checking their credentials. For
example, IAS does not verify the user's name and password. The only user validation performed in the
unauthenticated access method is authorization. Enabling unauthenticated access presents security risks that
must be carefully considered when deciding whether to enable this authentication method.
This section discusses three scenarios of unauthenticated access:
Guest Access
Dialed Number Identification Service (DNIS) authorization
Automatic Number Identification/Calling Line Identification (ANI/CLI) authorization
Guest Access for PPP Users
Guest access is the ability to log on to a domain without a user name and/or a password. Both Routing and
Remote Access service and IAS must be configured to support unauthenticated access.
When a remote access server receives a connection attempt, it negotiates with the user the different authentication
types enabled at the server. If the client accepts one of them, it sends the appropriate credentials for the accepted
authentication type. If the user refuses authentication, Routing and Remote Access service checks its properties
to verify whether unauthenticated access is enabled and, if so, forwards the Access-Request packet to IAS. This
Access-Request packet does not contain a User-Name attribute or any other credentials.
When IAS receives the packet without a User-Name attribute, it assumes that the user wants to dial in using
guest access. In this case, IAS uses the name of the guest account in a domain as the user identity. It proceeds to
evaluate policies in order to determine the right profile. If a match is found, and unauthenticated access is
enabled in the profile, other authorizations are validated, and an Access-Accept packet is returned. The
accounting log file logs the user identity and authentication type, which can be used to determine whether the
user was logged on with guest access.
Enabling Guest Access
To enable Guest access, perform the following steps:
1. Enable unauthenticated access on the remote access server.
2. Enable unauthenticated access on the appropriate remote access policy.
3. Enable the Guest account.
4. Set the remote access permission on the Guest account to either Allow access or Control access
through Remote Access Policy depending on your remote access policy administrative model.

If you do not want to enable the Guest account, create a user account and set the remote access permission to
either Allow access or Control access through Remote Access Policy . Then set the Default User Identity
registry value (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy) on
the authenticating server (either the remote access server or the IAS server) to the name of the account.
For more information about enabling authentication protocols, configuring authentication, and enabling a
disabled user account, see Windows 2000 Server Help.
Guest Access Example
1. During PPP negotiation, the dial-in client rejects all of the PPP authentication protocols of the NAS.
2. If the NAS is configured to allow unauthenticated access, the NAS sends an Access-Request packet
without the User-Name attribute and without a password. For the Windows 2000 Routing and Remote
Access service, unauthenticated access is enabled from the Authentication tab on the properties of a
server in the Routing and Remote Access snap-in.
3. Because the User-Name attribute is not included in the Access-Request packet and by default the IAS
user identity is using the User-Name attribute, the user identity is set to Guest (or the value of Default
User Identity).
4. With the user identity of Guest and an unauthenticated connection attempt, the authentication and
authorization process as discussed earlier in the chapter is performed. If the connection attempt matches
a policy whose profile settings have unauthenticated access enabled and the Guest account is enabled
and has the appropriate remote access permission, IAS sends an Access-Accept packet to the NAS.
DNIS Authorization
Dialed Number Identification Service (DNIS) authorization is the authorization of a connection attempt based
on the number called. This attribute is referred to as Called Station ID. DNIS is used by standard
telecommunication companies. This service returns the number called to the called party. Based on the Called
Station ID attribute, IAS can deliver different services to dial-up/remote access users.
Enabling DNIS Authorization
The following steps are required in order to enable DNIS authorization:
1. Enable unauthenticated access on the remote access server.
2. Create a remote access policy on the authenticating server (remote access server or IAS server) for
DNIS-based authorization with the Called-Station-ID condition set to the phone number.
3. Enable unauthenticated access on the remote access policy for DNIS-based authorization.
ANI Authorization
ANI authorization is based on the number the user called from. This attribute is referred to as Calling Station
ID, or Caller ID. Based on the Calling-Station-ID attribute, IAS can deliver different services to dial-up/remote
access users.
Using ANI authorization is different from using the Caller ID dial-in property of a user account. ANI
authorization is performed when the user does not type in any user name or password, and refuses to use any
valid authentication method. In this case, IAS receives Calling-Station-ID, and no user name and password. To
support ANI authorization, the Active Directory must have user accounts with Caller IDs as user names. This
kind of authentication is used with the cellular phone authentication and by ISPs in Germany and Japan.
When using the Caller ID property on a user account, the user types in his credentials, such as a user name and
password, and uses a valid authentication method to log on. IAS uses the user name and password to
authenticate the user, and then compares the Calling-Station-ID attribute in the Access-Request to the Caller ID
property of the user account as a way of authorizing the connection attempt.
Enabling ANI Authorization
1. Enable unauthenticated access on the remote access server.
2. Enable unauthenticated access on the appropriate remote access policy for ANI/CLI-based
authentication.
3. Create a user account for each number calling, for which you want to provide ANI/CLI authorization.
The name of the user account must match the number that the user is dialing from. For example, if a user
is dialing in from 555-0100, create a "5550100" user account.
4. Set the User Identity Attribute registry value
(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy) to 31 on the
authenticating server.
This registry setting tells the authenticating server to use the calling number (RADIUS attribute 31,
Calling-Station-ID) as the identity of the calling user. The user identity is set to the calling number only
when there is no user name being supplied in the connection attempt.
To always use the calling number as the user identity, set the Override User-Name registry value
(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy) to 1 on the
authenticating server.
However, if you set Override User-Name to 1 and the User Identity Attribute to 31, the authenticating
server can perform only ANI/CLI-based authentication. Normal authentication by using authentication
protocols such as MS-CHAP, CHAP, and EAP is disabled.
ANI Example
The following example explains how ANI/CLI authorization works for a dial-up client dialing in from the
phone number 555-0100 when a user account called 5550100 exists.
1. During PPP negotiation, the dial-in client rejects all of the PPP authentication protocols of the NAS.
2. If the NAS is configured to allow unauthenticated access, the NAS sends an Access-Request packet
without the User-Name attribute and without a password. For the Windows 2000 Routing and Remote
Access service, unauthenticated access is enabled from the Authentication tab on the properties of a
server in the Routing and Remote Access snap-in.
3. Because the User-Name attribute is not included in the Access-Request packet and the IAS user identity
is set to use the Calling-Station-ID attribute, the user identity is set to 5550100.
4. With the user identity of 5550100 and an unauthenticated connection attempt, the authentication and
authorization process as discussed earlier in the chapter is performed. If the connection attempt matches
a policy whose profile settings have unauthenticated access enabled and the 5550100 account has the
appropriate remote access permission, IAS sends an Access-Accept packet to the NAS.
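The guest access example, DNIS authorization and the ANI example above all come down to one decision: which identity IAS evaluates when the Access-Request carries no User-Name, and whether the matching policy profile permits an unauthenticated connection. The following added Python model (not code from the page or from Microsoft) walks through that decision using the page's three registry values (Default User Identity, User Identity Attribute = 31, Override User-Name). Password or challenge verification for authenticated requests is assumed to have happened earlier and is not modelled; the accounts and policies are constructed sample data.

```python
GUEST_ACCOUNT = "Guest"
ATTR_CALLING_STATION_ID = 31   # RADIUS attribute number the User Identity Attribute value names


def user_identity(request, registry):
    """Pick the identity IAS evaluates and record how it was chosen (for the accounting log).
    User Identity Attribute = 31 selects Calling-Station-ID when no User-Name is supplied;
    Override User-Name = 1 makes the calling number win even when a User-Name is present;
    otherwise a missing User-Name means guest access under Default User Identity."""
    user_name = request.get("User-Name")
    calling = request.get("Calling-Station-ID")
    ani = registry.get("User Identity Attribute") == ATTR_CALLING_STATION_ID and calling is not None
    if ani and registry.get("Override User-Name", 0) == 1:
        return calling, "ANI/CLI"
    if user_name:
        return user_name, "User-Name"
    if ani:
        return calling, "ANI/CLI"
    return registry.get("Default User Identity", GUEST_ACCOUNT), "guest"


def first_matching_policy(request, policies):
    """Remote access policies are evaluated in order; the first whose conditions all match wins.
    A policy with no conditions matches every request, so it belongs last."""
    for policy in policies:
        if all(request.get(attr) == value for attr, value in policy["conditions"].items()):
            return policy
    return None


def authorize(request, accounts, policies, registry):
    """Return (RADIUS reply, identity, auth type) following the steps the page describes."""
    identity, auth_type = user_identity(request, registry)
    unauthenticated = "User-Name" not in request      # client refused every PPP auth protocol
    policy = first_matching_policy(request, policies)
    if policy is None:
        return "Access-Reject", identity, auth_type
    account = accounts.get(identity)
    if account is None or not account["enabled"]:
        return "Access-Reject", identity, auth_type
    # dial-in permission: "allow", "deny" or "policy" (Control access through Remote Access Policy)
    if account["dialin"] == "deny" or (account["dialin"] == "policy" and not policy["profile"]["grant"]):
        return "Access-Reject", identity, auth_type
    if unauthenticated and not policy["profile"]["unauthenticated_access"]:
        return "Access-Reject", identity, auth_type
    return "Access-Accept", identity, auth_type


# Constructed sample configuration (not from the page).
ACCOUNTS = {
    "Guest":   {"enabled": True, "dialin": "policy"},
    "5550100": {"enabled": True, "dialin": "allow"},   # ANI account named after the caller's number
    "bob":     {"enabled": True, "dialin": "policy"},
}
POLICIES = [
    {"name": "DNIS lab line", "conditions": {"Called-Station-ID": "5550199"},
     "profile": {"grant": True, "unauthenticated_access": True}},
    {"name": "ANI callers", "conditions": {"Calling-Station-ID": "5550100"},
     "profile": {"grant": True, "unauthenticated_access": True}},
    {"name": "Everyone else", "conditions": {},
     "profile": {"grant": True, "unauthenticated_access": False}},
]

if __name__ == "__main__":
    print(authorize({}, ACCOUNTS, POLICIES, {}))                              # guest, default policy: reject
    print(authorize({"Called-Station-ID": "5550199"}, ACCOUNTS, POLICIES, {}))  # DNIS policy: accept as Guest
    print(authorize({"Calling-Station-ID": "5550100"}, ACCOUNTS, POLICIES,
                    {"User Identity Attribute": 31}))                          # ANI: accept as 5550100
```

The returned auth type is the detail the page says to keep in the accounting log: it is the only way to tell afterwards that a session was admitted as Guest or by calling number rather than by a verified credential.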
Qst.4 (b) How would you set the IP address of a LAN card in LINUX?
Ans: Every node participating in networking needs a valid IP address. On the Linux command prompt, an IP address
is assigned through a network configuration window. This window can be invoked by selecting the network
configuration sub-menu from the setup command, or by directly executing the system-config-network command.
Run the setup command as the root user:
#setup

This will launch a new window; select network configuration.

Now a new window will show you all available LAN cards; select your LAN card (if you do not see any LAN
card here, it means its driver is not installed).

Assign the IP address in this box and click OK.


Click on OK, then Quit, and Quit again to return to the root prompt.
Alternately, you can use the system-config-network command directly to invoke this setup window:
#system-config-network

Whatever change you made in the network configuration will not take effect until you restart the network service:
#service network restart

ifconfig

The ifconfig command displays the configuration of all active Ethernet cards. Without any
parameter, this command shows all active Ethernet cards. If you want to see the configuration of one specific
Ethernet card, pass the name of that card as the command line argument. For example, to show the IP
configuration of the loopback interface, execute this command:
#ifconfig lo

ifup/ifdown

Each installed network adapter has a corresponding ifcfg-* file in /etc/sysconfig/network-scripts. You can
activate or deactivate that adapter with the ifup and ifdown commands. Either of the following commands will
activate the eth0 network adapter:
#ifup ifcfg-eth0
#ifup eth0
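The ifcfg-* files that ifup and ifdown read are plain KEY=VALUE text, and writing one by hand is the non-GUI way to do what the setup window above does. The following added Python example (not code from the page or from any distribution) renders and validates such a file for a static address: it rejects a malformed address or mask and a gateway that is not on the interface's subnet, the two mistakes that otherwise only surface after the restart. The device name, address, mask and gateway are constructed sample values; the key names (DEVICE, BOOTPROTO, ONBOOT, IPADDR, NETMASK, GATEWAY) are the standard Red Hat style ones.

```python
import ipaddress
import os
from pathlib import Path

# Where ifup/ifdown look for ifcfg-<device> files on Red Hat style systems.
NETWORK_SCRIPTS = "/etc/sysconfig/network-scripts"


def render_ifcfg(device, ip, netmask, gateway=None, onboot=True):
    """Build the contents of ifcfg-<device> for a static address, validating the
    address, the netmask and (if given) that the gateway lies on the same subnet."""
    addr = ipaddress.IPv4Address(ip)                                   # ValueError if malformed
    net = ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)     # also validates the mask
    lines = [
        f"DEVICE={device}",
        "BOOTPROTO=static",
        f"ONBOOT={'yes' if onboot else 'no'}",
        f"IPADDR={addr}",
        f"NETMASK={net.netmask}",
    ]
    if gateway is not None:
        gw = ipaddress.IPv4Address(gateway)
        if gw not in net:
            raise ValueError(f"gateway {gw} is not on {net}")
        lines.append(f"GATEWAY={gw}")
    return "\n".join(lines) + "\n"


def write_ifcfg(device, ip, netmask, gateway=None, scripts_dir=NETWORK_SCRIPTS):
    """Write ifcfg-<device> with 0644 permissions and return its path. The new settings
    apply only after `service network restart` or `ifdown`/`ifup` on the device."""
    path = Path(scripts_dir) / f"ifcfg-{device}"
    path.write_text(render_ifcfg(device, ip, netmask, gateway))
    os.chmod(path, 0o644)
    return path


def parse_ifcfg(text):
    """Read KEY=VALUE lines back (comments and blanks ignored), e.g. to audit a host's settings."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            config[key] = value.strip('"')
    return config


if __name__ == "__main__":
    # Constructed sample values; on a real host run as root with scripts_dir left at its default.
    print(render_ifcfg("eth0", "192.168.1.10", "255.255.255.0", "192.168.1.1"), end="")
```

Pass a scratch directory as `scripts_dir` to try `write_ifcfg` without touching the live configuration; the file it produces is what `ifup eth0` reads.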
netstat

The netstat program provides real-time information on the status of your network connections, as well as
network statistics and the routing table. The netstat command has several options you can use to bring up
different sorts of information about your network.
arp

The Address Resolution Protocol associates the hardware address of a network adapter with an IP address. The
arp command (in the /sbin directory) displays a table of hardware and IP addresses on the local computer. With
arp, you can detect problems such as duplicate addresses on the network, or you can manually add arp entries as
required.
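The duplicate-address problem the arp paragraph mentions shows up in the arp table as an IP address whose hardware address changes from one look to the next (two hosts answering for one IP, or, from a defender's view, a spoofed entry). The following added Python example (not code from the page) parses `arp -n` style output, skips incomplete entries, and compares two snapshots for exactly that; it also flags one hardware address claiming several IPs, which is normal for a router doing proxy ARP but worth a look elsewhere. The two snapshots are constructed sample output.

```python
import re

# One completed line of `arp -n` output: IP, HW type, MAC, flags, optional mask, interface.
ARP_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+.*?(?P<iface>\S+)\s*$"
)


def parse_arp_table(text):
    """Return {ip: (mac, iface)}; the header line and '(incomplete)' entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m["ip"]] = (m["mac"].lower(), m["iface"])
    return table


def mac_changes(before, after):
    """IPs whose hardware address differs between two snapshots, sorted by IP."""
    return sorted(
        (ip, before[ip][0], after[ip][0])
        for ip in before.keys() & after.keys()
        if before[ip][0] != after[ip][0]
    )


def shared_macs(table):
    """Hardware addresses that appear for more than one IP."""
    by_mac = {}
    for ip, (mac, _iface) in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed sample snapshots (not real hosts); take real ones with `arp -n` a minute apart.
SNAPSHOT_1 = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:11:22:33:44:55   C                     eth0
192.168.1.20             ether   00:aa:bb:cc:dd:01   C                     eth0
192.168.1.50                     (incomplete)                              eth0
"""
SNAPSHOT_2 = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:de:ad:be:ef:00   C                     eth0
192.168.1.20             ether   00:aa:bb:cc:dd:01   C                     eth0
192.168.1.21             ether   00:aa:bb:cc:dd:01   C                     eth0
"""

if __name__ == "__main__":
    t1, t2 = parse_arp_table(SNAPSHOT_1), parse_arp_table(SNAPSHOT_2)
    print("changed:", mac_changes(t1, t2))   # 192.168.1.1 moved to a different MAC
    print("shared:", shared_macs(t2))        # one MAC answering for .20 and .21
```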
mii-tool

The mii-tool command is used to check whether the link is up or not. Its most common use is to check the
physical link of an Ethernet card from the command line: with this command you can check at the prompt whether
a cable is plugged into the LAN card or not.

ping
The ping command is used to check connectivity. If you get a reply, everything is OK. If you get a
"request timed out" response, there is some problem: it could be an unplugged cable, a powered-off switch or an enabled
firewall on the destination node. If you get "Destination host unreachable", the remote node is not in your network.
Use CTRL+C to abort the ping sequence.

service network restart


Whatever change you make in the network configuration files will not take effect until you restart the network
service. This command is used to apply the change.

Qst.6 (a) How Linux and Windows 2000 manage the domains? Also, explain how trust relationship is
created and managed between domains in Windows 2000?
Ans: Domains
A domain is a collection of accounts representing network computers, users and groups
of users, all maintained in a central security database for ease of administration.
In Windows 2000, domain is a collection of computers where a server computer
referred to as a Domain controller is responsible for the management of security for
the entire network. This type of logical grouping is desirable for corporate application.
Computers of a domain network have local user accounts, but are dependent on a
centralised information store called the Active Directory Service. Thus Active
Directory in Windows 2000 provides centralised control.
Domains add several interesting features to Windows 2000 functionality.
Centralised storage of user information.
Each domain has domain controller associated with it. In Windows NT, domain
controllers are either BDC or primary domain controller. In Windows 2000 there
is only one type of domain controller.
Extension of the existing network becomes easy.
In Windows 2000, Active Directory unites the namespace of the internet with Windows
NT directory services, since Windows 2000 domain naming uses DNS (Domain
Name System).
What is DNS? Conceptually, the internet is divided into several domains (e.g., gov,
edu, com, net, etc.), where each domain covers many hosts. Each domain is
partitioned into several subdomains and these are further partitioned. The essence of
DNS is the invention of a hierarchical, domain-based naming scheme and a distributed
database system for implementing the naming scheme. It is primarily used for
mapping host names and e-mail destinations to IP addresses.
While creating a Windows 2000 domain, DNS should be running and properly
configured on the corresponding machine. If DNS is not running when a domain controller
is created, it is automatically installed later. Thus a domain provides
Windows 2000 with a grouping mechanism where not only accounts but also network
resources are grouped under a single domain name.
Joining a Domain
Windows 2000 has Join A Computer To The Domain permission for those
computers that wish to be a part of Domain. By obtaining this permission, an account
is created for that computer. It is like a class of objects, where all the objects of that
class are of the same type. The objects type may vary from users to computers. Active
Directory Service provides a hierarchy to various resources stored in domain. A
Domain has information about the objects it contains. It provides the network with a
secure boundary.
Qst.7 (a) Compare FAT 16 and FAT 32 file systems.
Ans: Windows 2000 provides read and write support for the NTFS, FAT 16 and FAT 32 file
systems. FAT is designed for small disks and simple folder structures; Windows 2000
supports both the FAT 16 and FAT 32 file systems.
A FAT 16 partition is divided into 512-byte sectors, and files are stored in clusters; the
default cluster size depends on the partition size and can range from 8 sectors to 128
sectors. FAT 32 can support partitions up to 2047 GB in size. The major advantage of
FAT 32 over FAT 16 is larger partition sizes.
NTFS (NT File System)
Windows 2000 supports a new version of NTFS, i.e., NTFS version 5.0.
This new version of NTFS is better than earlier versions in terms of reliability and performance.
NTFS 5.0 includes the following features:
All of the new features of Windows 2000 Active Directory Services.

For More Solutions Contact To Mr. Bilal Ali : Brain Cafe Computer Classes, Near U.P.
Tech. Chowk Lucknow. Contact Number:+91 9984736691,+91 9450148850
E_Mail_Id- Lucknowcomputerclasses@gmail.com, FB Page- facebook.com/bilalali0786 42

MCS-022
Storage features like reparse points.
Features for Software Management.
Enhanced security features for servers, which provide an authentication
mechanism for users before they can actually gain access to network resources.
Support for CDFS.
The fundamental unit of disk allocation in NTFS is cluster that comprises multiple
sectors.
Disk Storage Types:
In Windows 2000 two kinds of disk storage are possible:
Basic storage
Dynamic storage.
A disk must be initialised with a storage type before data can be stored on it. A single
disk uses one of the two storage types, but a system with multiple disks can use
both. Basic disk storage is the default storage type for
Windows 2000. All disks are basic until converted to dynamic. Disks can be managed
on local and remote networks. Only Windows 2000 has support for dynamic storage,
which can be resized, unlike the basic storage type.
Basic disk is divided into partitions. Disk partition can be primary or extended and
they function as disks in their own entirety.
Dynamic disk is divided into volumes. Volumes can be simple, spanned, mirrored,
striped or RAID-5. Only computers running Windows 2000 can access dynamic disks.
Qst.7 (b) Discuss the features of GNOME configuration tool.
Ans:

What are the GNOME System Tools?

Formerly known as the Ximian Setup Tools, the GST are a fully integrated set of tools aimed at making the
job of computer administration on a UNIX or Linux system easy. They are intended to help everyone from the new
Linux or UNIX user to the system administrator. The GNOME System Tools are free software, licensed under
the terms of the GNU General Public License.
Internally, the GNOME System Tools use the System Tools Backends (s-t-b) to access and modify the system
configuration. s-t-b supports a great variety of distributions, and is designed to be as easy as possible to adapt
to more distros. If you are in doubt whether g-s-t will work in your favourite distribution, have a look at the s-t-b
web page for the list of supported distributions.
Nowadays there are tools for managing:
Users and groups
Date and time
Network configuration
Runlevels
Shared folders through Samba or NFS

Features
Configure your network settings easily, including hostname, domain, DNS, search domains and network
interface configuration.
Share your folders through Samba or NFS.
Manage the users and the permissions that they have on your computer.
Manage time, date and timezone, or synchronize your clock automatically with internet time servers.
Specify the services and daemons that start at boot time.


Getting the GNOME System Tools
You can get the GNOME System Tools in several ways:

Through FTP: in the GNOME FTP server you will find all the released tarballs.
Through CVS: you can find the latest crazy code in the gnome-system-tools module at the GNOME SVN
server.

Contributing/Contacting
If you want to join the project, or if only you want to expose an opinion, feel free to contact us by:
Bugzilla: if you have caught a bug or just have an enhancement request, this is the place.

IRC: you can contact us in the #gst channel at irc.gimp.org

Mailing lists: you can subscribe to our GST Mailing list. You can also view the historic archives here.

Qst.8 (a) Explain the role and importance of following tools for quota management in Linux.
Ans: Memory Management Subsystem
Linux is made up of a number of functionally separate pieces that, together, comprise the
operating system. One obvious part of Linux is the kernel itself; but even that would be
useless without libraries or shells. In this section we will discuss the various components
of the Linux kernel.
One of the basic objectives of any operating system is to make one feel that there is a
large amount of memory although it has only a small physical memory. This
apparently large memory is known as virtual memory. The system divides the
memory into easily handled pages (logical units) and swaps these pages onto a hard
disk as the system runs.
The memory management subsystem is one of the most important parts of the
operating system. Since the early days of computing, there has been a need for more
memory than exists physically in a system. Strategies have been developed to
overcome this limitation and the most successful of these is virtual memory. Virtual
memory makes the system appear to have more memory than it actually has by
sharing it between competing processes as they need it.
Virtual memory does more than just make your computer's memory go further. The
memory management subsystem includes:
Large Address Spaces: The operating system makes the system appear as if it has
a larger amount of memory than it actually has. The virtual memory can be many
times larger than the physical memory in the system.
Protection: Each process in the system has its own virtual address space. These
virtual address spaces are completely separate from each other and so a process
running one application cannot affect another. Also, the hardware virtual memory
mechanisms allow areas of memory to be protected against writing. This protects
code and data from being overwritten by rogue applications.
Memory Mapping: Memory mapping is used to map image and data files into a
process's address space. In memory mapping, the contents of a file are linked
directly into the virtual address space of a process.
Fair Physical Memory Allocation: The memory management subsystem allows
each running process in the system a fair share of the physical memory of the system.
Shared Virtual Memory: Although virtual memory allows processes to have
separate (virtual) address spaces, there are times when you need processes to share
memory. For example, there could be several processes in the system running
concurrently and simultaneously, depending upon the number of processors residing in
the system, but using a common file, e.g., the C compiler.
Therefore, it is better to have only one copy in physical memory and all of the
processes running sharing it. Dynamic libraries are another common example of
executing code shared between several processes.
Another example of shared memory is that it can also be used as an Inter Process
Communication (IPC) mechanism, with two or more processes exchanging
information via memory common to all of them. Linux supports the Unix System V
shared memory IPC.
Linux Process and Thread Management
Processes carry out tasks within the operating system. A program is a set of machine
code instructions and data stored in an executable image on disk and is, as such, a
passive entity; a process can be thought of as a computer program in running state. It
is a dynamic entity, constantly changing as the machine code instructions are executed
by the processor. As well as the program's instructions and data, the process also
includes the program counter and all of the CPU's registers as well as the process
stacks containing temporary data such as routine parameters, return addresses and
saved variables. Linux is a multiprocessing operating system which can support many
processes running in parallel. Processes are separate tasks each with their own rights
and responsibilities and also running in their own address spaces. If one process
crashes it will not cause another process in the system to crash. Each individual
process runs in its own virtual address space and is not capable of interacting with
another process except through secure mechanisms managed by the kernel.
The most precious resource in the system is the CPU; usually there is only one, except
in a multi-processor based system. Linux is a multiprocessing operating system; its
objective is to have a process running on each CPU in the system at all times, to
maximize CPU utilization. If there are more processes than CPUs (and there usually
are), the rest of the processes must wait before a CPU becomes free until they can
be run. In a multiprocessing system many processes are kept in memory at the same
time. Whenever a process has to wait, the operating system takes the CPU away
from that process and gives it to another, more deserving process. It is the scheduler
which chooses which is the most appropriate process to run next and Linux uses a
number of scheduling strategies to ensure fairness.
Linux supports a number of different executable file formats; ELF (Executable and
Linkable Format) is one, Java is another, and these must be managed transparently.
Although the task-struct data structure is quite large and complex, its fields can be
divided into a number of functional areas:
State: As a process executes it changes state according to its circumstances. Linux
processes have the following states:
Running: The process is either running (it is the current process in the system) or it is
ready to run (it is waiting to be assigned to one of the system's CPUs).
Waiting: The process is waiting for an event or for a resource. Linux differentiates
between two types of waiting process; interruptible and uninterruptible. Interruptible
waiting processes can be interrupted by signals whereas uninterruptible waiting
processes are waiting directly on hardware conditions and cannot be interrupted under
any circumstances.
Stopped: The process has been stopped, usually by receiving a signal. A process
that is being debugged can be in a stopped state.
Zombie: This is a halted process which, for some reason, still has a task-struct data
structure in the task vector. It is what it sounds like, a dead process.
Scheduling Information: The scheduler needs this information in order to fairly
decide which process in the system most deserves to run.
Identifiers: Every process in the system has a process identifier. The process
identifier is not an index into the task vector, it is simply a number. Each process also
has user and group identifiers; these are used to control this process's access to the
files and devices in the system.
Inter-Process Communication (IPC): Linux supports the classic Unix IPC
mechanisms of signals, pipes and semaphores and also the System V IPC mechanisms
of shared memory, semaphores and message queues to allow processes to
communicate with each other and with the kernel to coordinate their activities.
Links: In a Linux system no process is independent of any other process. Every
process in the system, except the initial process has a parent process. In Unix
operating system the initial process is known as init. New processes are not created,
they are copied, or rather cloned from previous processes. Every task-struct
representing a process keeps pointers to its parent process and to its siblings (those
processes with the same parent process) as well as to its own child processes.
Times and Timers: The kernel keeps track of a process's creation time as well as
the CPU time that it consumes during its lifetime. Each clock tick, the kernel updates
the amount of time in jiffies that the current process has spent in system and in user
mode. Linux also supports process specific interval timers, processes can use system
calls to set up timers to send signals to themselves when the timers expire. These
timers can be single-shot or periodic timers.
File System: Processes can open and close files as they wish; the task-struct includes pointers to any files
opened by this process.
Virtual memory: Most processes have some virtual memory (kernel threads and
daemons do not) and the Linux kernel must track how that virtual memory is mapped
onto the system's physical memory.
Processor Specific Context: A process could be thought of as the sum total of the
system's current state. Whenever a process is running it is using the processor's
registers, stacks and so on. This is the process's context and, when a process is
suspended, all of that CPU specific context must be saved in the task-struct for the
process. When a process is restarted by the scheduler its context is restored from
here.
Linux Threads
A new process is created in Linux by copying the attributes of the current process. A
new process can be cloned so that it shares resources, such as files, signal handlers,
and virtual memory. When the two processes share the same virtual memory, they
function as threads within a single process. However, no separate type of data
structure is defined for a thread. Thus, Linux makes no distinction between a thread
and a process.
1.4.3 File Management Subsystem
In Linux, as it is for Unix, the separate filesystems that the system may use are not
accessed by device identifiers (such as a drive number or a drive name) but instead
they are combined into a single hierarchical tree structure that represents the filesystem
as a single entity. Linux adds each new filesystem into this single filesystem tree as
they are mounted onto a mount directory, for example /mnt/cdrom. One of the most
important features of Linux is its support for many different filesystems. This makes it
very flexible and well able to coexist with other operating systems. The most popular
filesystem for Linux is the EXT2 filesystem and this is the filesystem supported by most
of the Linux distributions.
A filesystem gives the user a sensible view of files and directories held on the hard
disks of the system regardless of the filesystem type or the characteristics of the
underlying physical device. Linux transparently supports many different filesystems
(for example MS-DOS and EXT2) and presents all of the mounted files and
filesystems as one integrated virtual filesystem. So, in general, users and processes do
not need to know what sort of filesystem any file is part of; they just use them.
The block device drivers hide the differences between the physical block device types
(for example, IDE and SCSI) and, so far as each filesystem is concerned, the physical
devices are just linear collections of blocks of data. The block sizes may vary
between devices; for example 512 bytes is common for floppy devices whereas 1024
bytes is common for IDE devices and, again, this is hidden from the users of the
system. An EXT2 filesystem looks the same no matter what device holds it.
1.4.4 Device Drivers
Device drivers make up the major part of the Linux kernel. Like other parts of the
operating system, they operate in a highly privileged environment and can cause disaster
if they get things wrong. Device drivers control the interaction between the operating
system and the peripheral devices that they are controlling. For example, the filesystem
makes use of a general block device interface when writing blocks to a disk. The driver
takes care of the details and makes device specific things happen. Device drivers are
specific to the controller chip that they are driving.
Qst.8 (b) List and describe the various security features in Linux.
Ans: Linux has several security features:
STANDARD BASIC SECURITY FEATURES
For the basic security features, Linux has password authentication, file system discretionary access control, and
security auditing. These three fundamental features are necessary to achieve a security evaluation at the C2
level [4]. Most commercial server-level operating systems, including AIX (IBM), Windows NT, and Solaris,
have been certified to this C2 level. By expanding the basic standard security features we have:
1. User and group separation
2. File system security
3. Audit trails
4. PAM authentication

1. User and Group Separation

User accounts are used to verify the identity of the person using a computer system. By checking the identity of
a user through username and password credentials, the system is able to determine if the user is permitted to log
into the system and, if so, which resources the user is allowed to access.
Groups are logical constructs that can be used to group user accounts together for a particular purpose. For
example, if a company has a group of system administrators, they can all be placed in a system administrator
group with permission to access key resources of the OS. In addition, through group creation and assignment of
privileges, access to restricted resources can be controlled for those who need them and denied to others.
The ability for a user to access a machine is determined by whether or not that user's account exists. Access to
an application or file is granted based on the permission settings for the file. This helps to ensure the integrity of
sensitive information and key resources against accidental or purposeful damage by users.
After a normal user account is created, the user can log into the system and access any applications or files they
are permitted to access. Linux determines whether or not a user or group can access these resources based on
the permissions assigned to them.
There are three permissions for files, directories, and applications. Table 1 lists the symbols used to indicate
each of them. Each of the three permissions is assigned to three defined categories of users. The categories are
listed in Table 2.
Table 1. Permission character symbols
Symbol   Description
r        Indicates that a given category of user can read a file.
w        Indicates that a given category of user can write to a file.
x        Indicates that a given category of user can execute the file.
-        A fourth symbol indicates that no access is permitted.

Table 2. Permission categories
Category   Description
Owner      The owner of the file or application.
Group      The group that owns the file or application.
Everyone   All users with access to the system.

One can easily view the permissions for a file by invoking a long format listing using the command ls -l. For
instance, if the user kambing creates an executable file named foo, the output of the command ls -l foo would
look something like this:
-rwxrwxr-x 1 kambing kambing 0 Sep 2 12:25 foo
The permissions for this file are listed at the start of the line, starting with a set of rwx.
This first set of symbols defines owner access.
The next set of rwx symbols defines group access.
The last set of symbols defines access permitted for all other users.

This listing indicates that the file is readable, writable, and executable by the user who owns the file (user
kambing) as well as the group owning the file (which is a group named kambing). The file is also world-readable and world-executable, but not world-writable.
2. File System Security

A true statement about a UNIX/Linux system is that everything is a file; if something is not a file, it is a process.
Most files are just files, called regular files; they contain normal data, for example text files, executable files or
programs, input to or output from a program and so on. While it is practically safe to say that everything you
encounter on a Linux system is a file, there are some exceptions as listed below:
Directories: files that are lists of other files.
Special files: the mechanism used for input and output. Most special files are in /dev, for example USB
and CD-ROM.
Links: a system to make a file or directory visible in multiple parts of the system's file tree. It is a
shortcut.
(Domain) sockets: a special file type, similar to TCP/IP sockets, providing inter-process networking
protected by the file system's access control.
Named pipes: act more or less like sockets and form a way for processes to communicate with each
other, without using network socket semantics.
The following table gives an overview of the characters determining the file type:
Table 3. File type character symbols
Symbol   Meaning
-        Regular file
d        Directory
l        Link
c        Special file
s        Socket
p        Named pipe
b        Block device

On a Linux system, every file is owned by a user and a group. There is also a third category of users, those
that are not the user owner and don't belong to the group owning the file. For each category of users, read, write
and execute permissions can be granted or denied.
The long option to list files using the ls -l command also displays file permissions for these three user
categories; they are indicated by the nine characters that follow the first character, which is the file type
indicator at the beginning of the file properties line. As seen in the following examples, the first three characters
in this series of nine display access rights for the actual user that owns the file.
ls -l Mine
-rw-rw-r-- 1 mike users 5 Jul 15 12:39 Mine
ls -l /bin/ls
-rwxr-xr-x 1 root root 45948 Aug 10 15:01 /bin/ls*
The next three are for the group owner of the file, the last three for other users. The permissions are always in
the same order: read, write, execute for the user, the group and the others. The first file is a regular file (first
dash). Users with user name mike or users belonging to the group users can read and write
(change/move/delete) the file, but they can't execute it (second and third dash). All other users are only allowed
to read this file, but they can't write or execute it (fourth and fifth dash).
The second example is an executable file, the difference is everybody can run this program, but you need to be
root to change it.
For easy use with commands, both access rights or modes and user groups have a code, shown in Tables 4 and 5.

Table 4. Access mode codes
Code     Meaning
0 or -   The access right that is supposed to be on this place is not granted.
4 or r   Read access is granted to the user category defined in this place.
2 or w   Write permission is granted to the user category defined in this place.
1 or x   Execute permission is granted to the user category defined in this place.

Table 5. User group codes
Code   Meaning
u      user permissions
g      group permissions
o      permissions for others

This straightforward scheme is applied very strictly, which allows a high level of security even without
network security. Among other functions, the security scheme takes care of user access to programs; it can
serve files on a need-to-know or least privilege basis and protect sensitive data such as home directories and
system configuration files. We can use the chmod command to modify file permissions, i.e., to change the
access mode of a file. The chmod command can be used with alphanumeric or numeric options, whichever you
like best. The following shows some examples.

>./hello
bash: ./hello: bad interpreter: Permission denied

>cat hello
#!/bin/bash
echo "Hello, World"

>ls -l hello
-rw-rw-r-- 1 mike mike 32 Jul 1 16:29 hello

>chmod u+x hello

>./hello
Hello, World

>ls -l hello
-rwxrw-r-- 1 mike mike 32 Jul 1 16:29 hello*

The + and - operators are used to grant or deny a given right to a given group. Combinations separated by
commas are allowed. The following is another example, which makes the file from the previous example a
private file to user mike:

>chmod u+rwx,go-rwx hello

>ls -l hello
-rwx------ 1 mike mike 32 Jan 15 16:29 hello*

If you encounter problems resulting in an error message saying that permission is denied, it is usually a problem
with access rights.
When using chmod with numeric arguments, the values for each granted access right have to be added
together per group. Thus we get a 3-digit number, which is the value for the settings chmod has to
make. The following table lists the most common combinations:

Table 5. File protection with chmod

Command                 Meaning
chmod 400 file          To protect a file against accidental overwriting.
chmod 500 directory     To protect you from accidentally removing, renaming or moving files from this directory.
chmod 600 file          A private file only changeable by the user who entered this command.
chmod 644 file          A publicly readable file that can only be changed by the issuing user.
chmod 660 file          Users belonging to your group can change this file; others don't have any access to it at all.
chmod 700 file          Protects a file against any access from other users, while the issuing user still has full access.
chmod 755 directory     For files that should be readable and executable by others, but only changeable by the issuing user.
chmod 775 file          Standard file sharing mode for a group.
chmod 777 file          Everybody can do everything to this file.

If you enter a number with less than three digits as an argument to chmod, omitted characters are replaced with
zeros starting from the left. There is actually a fourth digit on Linux systems that precedes the first three and
sets special access modes.

2.2.1 The File Mask

When a new file is saved somewhere, it is first subjected to the standard security procedure. Files without
permissions don't exist on Linux. The standard file permission is determined by the mask for new file creation.
The value of this mask can be displayed using the umask command:

>umask
0002

Instead of adding the symbolic values to each other, as with chmod, for calculating the permission on a new file
they need to be subtracted from the total possible access rights. In the example above, however, we see 4 digits
displayed, yet there are only 3 permission categories: user, group and other. The first zero is part of the special
file attributes settings. It might just as well be that this first zero is not displayed on your system when entering
the umask command and that you only see 3 numbers representing the default file creation mask.
Each UNIX-like system has a system function for creating new files, which is called each time a user uses a
program that creates new files, for instance when downloading a file from the Internet or when saving a new text
document. This function creates both new files and new directories. Full read, write and execute permission is
granted to everybody when creating a new directory. When creating a new file, this function will grant read and
write permissions for everybody, but set execute permissions to none for all user categories. In this case, before
the mask is applied, a directory has permissions 777 or rwxrwxrwx, a plain file 666 or rw-rw-rw-.
The umask value is subtracted from these default permissions after the function has created the new file or
directory. Thus, a directory will have permissions of 775 by default, a file 664, if the mask value is (0)002. This
is demonstrated in the following examples:
>mkdir newdir
>ls -ld newdir
drwxrwxr-x 2 mike mike 2096 Jul 28 13:45 newdir/
>touch newfile
>ls -l newfile
-rw-rw-r-- 1 mike mike 0 Jul 28 13:52 newfile
A directory gets more permission by default; it always has the execute permission. If it didn't have that, it
would not be accessible.
If you log in to another group using the newgrp command, the mask remains unchanged. Thus, if it is set to 002,
files and directories that you create while being in the new group will also be accessible to the other members of
that group; you don't have to use chmod. The root user usually has stricter default file creation permissions as
shown below:
[root@tenouk root]# umask
022
These defaults are set system-wide in the shell resource configuration files, for instance /etc/bashrc or
/etc/profile. You can change them in your own shell configuration file.
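The permission model this answer walks through (the rwx symbols of Tables 1, 4 and 5, the symbolic and numeric chmod examples, and the umask calculation above), as an added example that is not part of the MCS-022 solutions; the function names and the sample listing lines are my own. One caveat a practitioner will want: the kernel applies the mask as a bit-clear (mode & ~umask), which for ordinary masks such as 002 or 022 gives exactly the 775/664 and 644 results the text derives by subtraction.

```python
"""Added example (not from the MCS-022 solutions): a small model of Linux
permission bits, written to check the ls -l, chmod and umask examples above.
The kernel applies umask as a bit-clear (mode & ~umask); for ordinary masks
such as 002 or 022 this gives the same result as the subtraction in the text."""
import re

# Table 3: the first character of an ls -l line is the file type.
TYPE_CHARS = {"-": "regular file", "d": "directory", "l": "link",
              "c": "special file", "s": "socket", "p": "named pipe",
              "b": "block device"}
# Table 5 (who) and Table 4 (what), as masks over the nine rwx bits.
WHO_BITS = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}

# Shape of the listings shown in the answer (plain rwx bits only; setuid/sticky
# characters such as 's' or 't' are deliberately rejected by this model).
LS_LINE_RE = re.compile(
    r"^([-dlcspb])([rwx-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(.+?)[*/]?$")
SYMBOLIC_RE = re.compile(r"^([ugoa]*)([+\-=])([rwx]*)$")


def mode_from_string(perm):
    """'rwxrw-r--' (or the 10-char ls form '-rwxrw-r--') -> 0o764."""
    if len(perm) == 10:
        perm = perm[1:]
    if len(perm) != 9:
        raise ValueError("expected nine rwx characters: %r" % perm)
    mode = 0
    for i, ch in enumerate(perm):
        if ch == "rwx"[i % 3]:
            mode |= 1 << (8 - i)      # r,w,x of u,g,o occupy bits 8 down to 0
        elif ch != "-":
            raise ValueError("unexpected permission character %r" % ch)
    return mode


def string_from_mode(mode):
    """0o764 -> 'rwxrw-r--' (the nine characters after the type char)."""
    return "".join("rwx"[i % 3] if mode & (1 << (8 - i)) else "-"
                   for i in range(9))


def chmod_symbolic(mode, expr):
    """Apply a symbolic chmod expression such as 'u+x' or 'u+rwx,go-rwx'.

    Simplification: a clause with no 'who' part is treated as 'a'; real chmod
    additionally leaves bits that are set in the umask alone in that case.
    """
    for clause in expr.split(","):
        m = SYMBOLIC_RE.match(clause)
        if not m:
            raise ValueError("bad chmod clause %r" % clause)
        who, op, perms = m.groups()
        who_mask = 0
        for w in (who or "a"):
            who_mask |= WHO_BITS[w]
        perm_mask = 0
        for p in perms:
            perm_mask |= PERM_BITS[p]
        bits = who_mask & perm_mask
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:                          # '=' replaces the category outright
            mode = (mode & ~who_mask) | bits
    return mode & 0o777


def default_mode(umask, directory=False):
    """Mode of a newly created file (666) or directory (777) after the mask."""
    base = 0o777 if directory else 0o666
    return base & ~umask & 0o777


def parse_ls_line(line):
    """Break an 'ls -l' line into type, octal mode, owner, group and name."""
    m = LS_LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an ls -l line: %r" % line)
    type_char, perms, owner, group, name = m.groups()
    mode = mode_from_string(perms)
    return {"type": TYPE_CHARS[type_char], "mode": mode,
            "octal": "%03o" % mode, "owner": owner, "group": group,
            "name": name,
            # the check a reviewer of a listing cares about most
            "world_writable": bool(mode & 0o002)}


if __name__ == "__main__":
    # Walk through the answer's own examples.
    print(parse_ls_line("-rwxrwxr-x 1 kambing kambing 0 Sep 2 12:25 foo"))
    hello = mode_from_string("-rw-rw-r--")
    hello = chmod_symbolic(hello, "u+x")           # -> rwxrw-r-- (764)
    print(string_from_mode(hello))
    hello = chmod_symbolic(hello, "u+rwx,go-rwx")  # -> rwx------ (700)
    print(string_from_mode(hello))
    print("%03o" % default_mode(0o002, directory=True))  # 775
    print("%03o" % default_mode(0o022))                  # 644
```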
3. Audit Trails

Linux kernel 2.6 comes with the auditd daemon. It is responsible for writing audit records to the disk. During
startup, the rules in /etc/audit.rules are read by this daemon. You can open the /etc/audit.rules file and make
changes, such as setting the audit log file location and other options. The default file is good enough to get started with
auditd. In order to use the audit facility you need to use the following utilities:

Table 6. Audit utilities
Utility    Description
auditctl   A command to assist in controlling the kernel's audit system. You can get status, and add or delete rules
           in the kernel audit system.
ausearch   A command that can query the audit daemon logs for events based on different search criteria.
aureport   A tool that produces summary reports of the audit system logs.
Pluggable Authentication Modules authentication (PAM)
PAM [5] was invented by Sun Microsystems. Linux-PAM provides a flexible mechanism for authenticating
users. It consists of a set of libraries that handle the authentication tasks of applications on the system. The
library provides a stable general interface to which privilege-granting programs (such as login) defer to perform
standard authentication tasks.
Historically, authentication of Linux users relied on the input of a password which was checked with the one
stored in /etc/passwd. At each improvement (e.g. /etc/shadow, one-time passwords) each program (e.g. login,
ftp) had to be rewritten. PAM is a more flexible user authentication mechanism. Programs supporting PAM
must dynamically link themselves to the modules in charge of authentication. The administrator is in charge of
the configuration and the attachment order of modules. All applications using PAM must have a configuration
file in /etc/pam.d. Each file is composed of four columns:
Linux is inexpensive
The first benefit of Linux is cost. All versions of Linux may be freely downloaded from
the web. If you don't want to download, prepackaged versions of Linux may be purchased
online. In addition, the software may be legally shared with your friends. In addition,
when the time comes to upgrade the operating system, the Linux upgrade would be free.
In addition to being inexpensive, Linux can run on old systems. It can run
on Intel 386 microprocessors, which were popular in the late 1980s. The server has
never slowed down despite increased use.
Linux is Fast
Linux runs respectably well on old computers, and it is even faster on newer, more
powerful computers. This is because Linux programs are very efficient and lean. They
use as few resources as possible, and unlike Windows, Linux programs use little, if any,
graphics. Graphics can slow a system's response time, making it slower than it truly is.
Linux may not be pretty, but it is fast.
Linux is Stable
The Linux code is well written. This both increases the speed at which Linux runs and
improves the stability of the operating system. Linux is next to impossible to crash. If
an application crashes, you can simply remove the program from memory to restart
your computer. In older versions of Windows, a crashing program had the potential to
take down the entire computer. This is one of the reasons why Linux is used on many
web servers where stability is crucial. With Linux, web-hosting providers can
guarantee 99.9 percent uptime.
Open-Source Software
Finally, Linux has open-source software. This means that users can read the source
code and modify it as needed. This probably means little to the average user of the
final version of a Linux kernel. However, during development, "beta" releases of the
kernel are available to developers who will download the code and test it thoroughly.
When possible, they will find any problems and correct the code. This process helps to
ensure that the final release of the kernel is as well written as possible.
