MCS-022

Qst.1 (a) What is the significance of VPN? Name some VPN technologies supported by Windows 2000.

Ans: Virtual Private Networks: Windows supports Virtual Private Network connections for accessing machines remotely. A VPN connection lets one system connect securely to another machine over the network. A VPN is an extension of a private network that comprises links across shared or public networks. In a VPN the local network data is encrypted and kept secure while it crosses those links (referred to as tunneling). A VPN connection uses either the Point-to-Point Tunneling Protocol (PPTP) or the Layer 2 Tunneling Protocol (L2TP). The Windows 2000 remote access mechanism lets remote clients connect to corporate networks or to the Internet. Windows 2000 supports two kinds of remote access connection methods (Figure 1):
• Dial-up remote access
• VPN (Virtual Private Network) remote access
VPN provides a secure network connection between two remote machines. It provides secure data transfer over a public network. Windows 2000 supports PPTP and L2TP.


Remote Access Clients: Windows 2000, Windows NT, Windows 98, Windows 95, MS-DOS and MS LAN Manager are remote access clients that can connect to a Windows 2000 remote access server. Third-party clients such as UNIX and Apple Macintosh can also connect to a Windows 2000 remote access server.

Remote Access Server: The Windows 2000 server accepts connection requests from clients and forwards them to other clients or to the network.

WAN Infrastructure: This depends upon the type of connection being made. There are various networks, such as:
• PSTN (Public Switched Telephone Network)
• ISDN (Integrated Services Digital Network)
• X.25 (ITU-T protocol based WAN)

Windows 2000 supports three types of remote access protocols, PPP, SLIP and asynchronous NetBEUI, along with TCP/IP, IPX and AppleTalk. Windows 2000 Remote Access provides a variety of security features, such as:
• User authentication
• Mutual authentication
• Data encryption
• Call back
• Caller ID
• Remote access account lockout

Remote Access Management involves managing users, addresses, access and authentication.

A Virtual Private Network is an extension of a private network that uses encapsulation, encryption and authentication over links across shared or public networks. A VPN mimics the properties of a dedicated private network across the Internet, allowing data transfer between two computers in a network. Corporate offices can use two different methods


For More Solution’s Contact To Mr. Bilal Ali : Brain Cafe Computer Classes, Near U.P. Tech. Chowk Lucknow. Contact Number:+91 9984736691,+91 9450148850 E_Mail_Id- [email protected], FB Page- facebook.com/bilalali0786 1

to connect to a network over the Internet: using dedicated lines or dial-up lines. A VPN uses tunneling to transfer data. Tunneling is a secure method of using an internetwork infrastructure to transfer a payload. A tunneling protocol comprises a tunnel maintenance protocol and a tunnel data transfer protocol. The two basic types of tunnels are:
1. Voluntary tunnels
2. Compulsory tunnels
The protocols used by Windows 2000 for VPN are PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol), IPSec (IP Security) and IP-IP. VPN management involves managing user addresses, server access, authentication and encryption. Troubleshooting a VPN involves checking connectivity, remote access connection establishment, routing and IPSec. Windows 2000 provides a set of RRAS tools:
• Routing and Remote Access snap-in: enables RRAS and allows management of routing interfaces, IPX routing configuration, creation of a static IP address pool and configuration of remote access policies. It is available from the Administrative Tools folder.
• Net Shell command: the Windows 2000 Net Shell is a command-line and scripting utility. It is named Netsh.exe and is installed in %systemroot%\system32 when Windows 2000 is installed.




Qst.1 (b) Write step by step procedure to configure a Linux machine to work with a network file system.

Ans: We can configure a Linux machine to work with a Network File System (NFS), where files on other machines on the network can be made available as if they were local files. A Linux machine can work as an NFS client, whereby it accesses files on the network. You can also configure your Linux machine as an NFS server, whereby you can let other machines access files on yours. In this section we will look at how this can be done. As we have seen for the web server and DNS server cases, although you can construct an NFS configuration file by hand, Linux comes with a tool to ease the task. This is the NFS Server Configuration Tool. It requires superuser or root access to use


the tool. Being graphical, you must have the X Window System running to be able to use the tool. But you can still start up the tool from the command line by issuing the following command at the root prompt:

[root@linux root]# redhat-config-nfs

The NFS Server Configuration Tool both reads from and writes to the configuration file /etc/exports, and so you can modify the configuration file by hand after using the tool. If you use the tool again later, it will understand and recognize your changes, provided you did the configuration correctly with the proper syntax. The main window


of the tool is shown in Figure 5 below:

Figure 5: NFS Server Configuration Tool Main Window

To share a directory, called adding an NFS share, you need to click on the Add button above. This brings up a window with the title "Add NFS Share" that has three tabs. The "Basic" tab allows you to specify a directory, and a radio button lets you decide whether you want to allow read-write or read-only access to others on it. You also have to specify the machines or hosts that are to be allowed access to that directory. This can be done by:
• Giving a fully qualified domain name. This should be something your machine can resolve to an IP address.
• Giving an IP address.
• Giving a host name; again, your machine should be able to resolve this to an IP address.
• Giving a group of machines by specifying them as a domain name or host name with wildcards. You can use a * to match any number of characters except a period, and a ? to match any single character.
• Giving an IP network by specifying the network and a / followed by the number of bits in the netmask, or by specifying the netmask itself.
Doing the above makes the directory accessible to the host or hosts with the permissions desired. The "General Options" tab has five options, as described below:
• If you want to allow ordinary users to be able to start the NFS service and allow shares, you have to allow the service to be started on ports higher than 1024. This does make the service less secure, because the share does not require the concurrence of the administrator.
• You can decide to allow insecure file locking.
• You can decide to disable subtree checking. This is useful if you have exported an entire file system, because your server will no longer check to see whether a file requested by a client is in the directory that has been shared.
• You can choose to force synchronization of writes immediately.
• You can choose to disable synchronization of write operations; with synchronization on, the server first writes out to disk the changes caused by a request before replying to it.


The "User Access" tab has the following options that you can set.
• You can allow the superuser of a client machine root privileges on your machine. This is a big security risk and should be used only if necessary. Otherwise, by default, even the root user of the client is treated as an anonymous user on your machine.
• You can map all users on the client to the anonymous user on your machine. If you choose this option, you can set the user id and group id of the anonymous user.
You can now click on the OK button to save the configuration you have made. Of course you can add as many directories as you wish to share. You can also edit directory properties by selecting it and choosing the "Properties" button in the main window. This button is initially greyed out when there are no directories shared. Similarly you can delete a directory by selecting it and choosing the "Delete" button. Whether you add, edit or delete a directory, the configuration takes effect immediately after you save it. This is done by generating the new /etc/exports file and restarting the NFS server daemon.
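The choices made in the tool end up as options in /etc/exports, and several of them (client root kept as root, ports above 1024, insecure locking, no subtree check, asynchronous writes, wildcard hosts) are the ones the text flags as weakening security. The following audit script is an added example, not code from the answer or from the NFS Server Configuration Tool: it parses the exports(5) syntax the tool writes and reports those choices, using a constructed sample file.

```python
"""Audit /etc/exports entries for the sharing options discussed above.

Added example, not part of the original answer or of the NFS Server
Configuration Tool. It parses the exports(5) syntax that the tool writes
and flags the choices the text calls out as weakening security.
"""
import re
from dataclasses import dataclass, field

# exports(5) option names behind the tool's checkboxes, with why each matters.
RISKY_OPTIONS = {
    "no_root_squash": "client root keeps root privileges on this server",
    "insecure": "requests accepted from ports above 1024 (any local user)",
    "insecure_locks": "file lock requests are not authenticated",
    "no_subtree_check": "server does not verify requested file lies inside the export",
    "async": "server replies before data reaches disk (silent loss on crash)",
}


@dataclass
class Export:
    path: str
    clients: list = field(default_factory=list)   # [(host_spec, [options])]


@dataclass
class Finding:
    path: str
    host: str
    reason: str


def parse_exports(text):
    """Parse the text of an /etc/exports file into Export records."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        path, *specs = line.split()
        export = Export(path)
        for spec in specs:
            # host(opt,opt), a bare host, or bare (opt,...) meaning "every host"
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", spec)
            if m is None:
                raise ValueError(f"malformed client spec: {spec!r}")
            host = m.group(1) or "*"
            opts = [o for o in (m.group(2) or "").split(",") if o]
            export.clients.append((host, opts))
        if not specs:                                 # path with no client list
            export.clients.append(("*", []))
        exports.append(export)
    return exports


def audit(exports):
    """Return a Finding for every client spec that widens exposure."""
    findings = []
    for ex in exports:
        for host, opts in ex.clients:
            if host == "*":
                findings.append(Finding(ex.path, host, "exported to every host"))
            elif "*" in host or "?" in host:
                findings.append(Finding(ex.path, host, "wildcard host pattern"))
            for opt in opts:
                if opt in RISKY_OPTIONS:
                    findings.append(Finding(ex.path, host, f"{opt}: {RISKY_OPTIONS[opt]}"))
    return findings


# Constructed sample, modelled on what the tool writes for the options above.
SAMPLE_EXPORTS = """\
/srv/share    192.168.1.0/24(rw,sync,no_subtree_check)
/srv/public   *.example.com(ro,sync) 10.0.0.5(rw,no_root_squash)
/srv/scratch  *(rw,insecure,insecure_locks,async,all_squash,anonuid=65534,anongid=65534)
/srv/legacy   (rw)
"""

if __name__ == "__main__":
    for f in audit(parse_exports(SAMPLE_EXPORTS)):
        print(f"{f.path:14} {f.host:18} {f.reason}")
```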


Qst.2 (a) List any two existing virus protection tools available today in the Market for Windows. Describe and compare its features.

Ans: There are many virus protection tools available in the market. The two most popular virus protection tools in the market, discussed here, are:


1. Quick Heal: Quick Heal Technologies Pvt. Ltd., founded in 1993, is an IT security solutions provider and an ISO 9001 certified company. Quick Heal has partnered with Microsoft and Intel. The products are certified by ICSA Labs and AV-Test. The company has global offices in UAE, US, Japan and Kenya. It has a network of 15000+ channel partners in more than 100 countries worldwide. Quick Heal Technologies has an active customer base of over 17 million in 112+ countries and employs more than 1200 people across 33 branches in the country.


History

Quick Heal was founded in 1993, as "CAT Computer Services (P) Ltd".


• First branch was opened at Nashik in 2003.
• Opening of fully functional Mumbai and Nagpur branches.
• In 2004, Quick Heal starts operations at Hyderabad.[4]
• Opens branches in Delhi, Bangalore, Chennai.[4]
• Branches opened at Ahmedabad, Surat, Indore, Chandigarh.[5]
• In 2007, CAT changed its name to "Quick Heal Technologies (P) Ltd", for establishment of a dedicated R&D Lab.
• New R&D center opens at Pune in 2007.[6]
• Sales and support branch opened at Aurangabad, Coimbatore, Vizag and Cochin in 2007.[4]
• In 2008, Quick Heal was selected as host for the AVAR 2008 International conference held at Delhi.[5]


• In 2010, Quick Heal received an investment of INR 60 Crores from Sequoia Capital,[7] and new branch offices were opened in Madurai, Tamil Nadu.
• In 2012, offices were opened in Japan and the US, and in 2013, offices were opened in Africa and the UAE.
• In 2014, Quick Heal achieved Quality Management System Registration ISO 9001.[8]
• In 2015, Quick Heal grows to 31 branch offices and 1100+ employees, and has over 8 million customers worldwide.[9]

Product history
• First Quick Heal AntiVirus for DOS released in 1994.
• Quick Heal for Win 3.1 released in 1995, followed by Quick Heal for Windows 95 in 1996.[4]
• Quick Heal 2005 Corporate edition 2.0 released.[5]
• CAT introduces DNA Scan technology in 2005.
• CAT releases Quick Heal 2006 with DNA Scan technology capable of detecting unknown viruses in real time without depending on the latest signature patterns.[4]
• Bundling of Quick Heal AntiVirus with Microsoft Windows XP, MSWGA in 2006.
• Quick Heal is the first to detect Black worm in 2006.[4]
• Company launches Quick Heal's multi-lingual version in Hindi, Marathi and Tamil in 2006.[5]
• Quick Heal PC Tuner gets Microsoft certification for Windows Vista in 2007.[5]
• Quick Heal becomes a Certified Microsoft partner in 2008.
• Antivirus + Antispyware OESISOK™ designation from OPSWAT for Quick Heal AntiVirus Version 9.50 on the Windows XP operating system.[5]
• West Coast Labs' acclaimed Check-Mark certification on Windows Vista Business Edition.[5]
• Product for ISP customers released in 2010.[5]
• Launches the Windows Mobile Scan for Windows Mobile operating systems.[10]
• Released 2012 version of Quick Heal Desktop Products with cloud-based security for 360 degree protection.[11]
• Launched Mobile Security Suite for Android and Blackberry.[12]
• Launched 2014 series with Advanced DNAScan, Machine Level Learning to reduce [4]
• Releases Endpoint Security 5.3 with Device Control and extended support for Apple Mac OS X platforms.[13]
• Completely revamped Endpoint Security 6.0 released with Data Loss Prevention, Asset Management, File Activity Monitor and Advanced Device Controls.[14]


Features are:

Advanced DNAScan

The ingenious Quick Heal DNAScan technology is now enhanced to combine behavioral and characteristic inspection and monitoring of unsafe programs. This results in a clean, more up-to-date and accurate detection of threats.


Vulnerability Scanner

Helps you identify and fix security vulnerabilities on your PC that can expose your computer and its data to attackers.

Quick Heal Remote Device Management (RDM)

The RDM portal lets you manage your Quick Heal products. Via the portal, you can view the security status of the products, renew, and manage their licenses. This facility is free of cost.

Firewall

Allows you to set protection levels for Internet traffic and applications that try to connect to your network. It also includes Stealth Mode that makes your system invisible to malicious threats.


Core Protection


The intelligent antivirus engine effectively detects and resolves threats (viruses, worms and other malware). The additional features like AntiSpyware, AntiMalware, AntiRootkit, Silent Firewall and IDS/IPS provide all round virus protection.


Browser Sandbox


Running your web browser in Sandbox Browser gives you an uninterrupted and secure browsing experience. It provides internet security protection by acting like a screen between the PC's operating system and the malicious threats. This feature now comes with a USB drive support.


Import and Export Settings


Users can now import Quick Heal security settings from a single computer and export them to other computers. This is helpful in cases where reinstallations or multiple computer configurations are concerned.

Flash Drive Protection

The antivirus automatically scans external storage devices. Protects USB drives from autorun infections.

Email Security

Quick Heal AntiVirus Pro gives cloud-based email security that prevents infected emails from reaching your Inbox.


Stay Connected

Our users now have direct access to our Facebook and Twitter pages with just a click.

Improved Scan Engine

The revamped antivirus scan engine avoids rescanning files that have not been altered since the previous scan. This reduces system resource usage.

Safe Mode Protection

This facility stops unauthorized users from changing Quick Heal security settings when the system is running in Safe Mode.

Enhanced Self-Protection

The Self-Protection feature now protects Quick Heal's running processes and services.


Silent Mode


Suppresses prompts across all Quick Heal antivirus modules thereby reducing system load and allowing uninterrupted PC usage.


Web Security


Real time cloud security restricts access to malware infected websites. This feature gives internet security protection by blocking threats transferred through websites hosting malicious codes.


TrackMyLaptop

Lost or stolen laptops can be a huge liability to your privacy. Quick Heal TrackMyLaptop Service helps track the whereabouts of your lost or stolen laptop. The service is a social initiative that comes with every desktop product of Quick Heal at no extra cost.


Kindly note that Quick Heal users have to register their Quick Heal product license key at the TrackMyLaptop portal to avail this facility. Non-Quick Heal users have to register their laptop's MAC ID.

2. Avira Professional: Avira Operations GmbH & Co. KG is a German multinational and family-owned antivirus software company that provides IT security for computers, smartphones, servers and networks, delivered as both software and cloud-based services.


Avira's headquarters are located near Lake Constance, in Tettnang, Germany, and the company has additional European offices in Munich, Bucharest, and the Netherlands. Avira also has offices in Japan and China, as well as an R&D facility in the USA's Silicon Valley. With an estimated 9.6% of global market share according to OPSWAT, and over 100 million customers, Avira was considered the sixth largest antivirus vendor in 2012.[1][3] The company supports the Auerbach Stiftung, a foundation created by the company's founder, Tjark Auerbach. It promotes charitable and social projects as well as the arts, culture and science.

Virus Definition

Avira periodically "cleans out" the virus definition files, by replacing specific signatures with generic ones, resulting in a general increase in performance and scanning speed. A database clean-out with the size of 15 MB was made on 27 October 2008, causing problems to the users of the Free edition because of its large size and the slow servers of the Free edition. To solve the problem, Avira improved the updating process by reducing the size of the individual updatable files, resulting in the delivery of less data in each update. Nowadays there are 32 smaller definition files that are updated regularly in order to avoid peaks in the download of the updates.[5]


Features are:


Antivirus Scanner

Total protection from malware.


Real-time cloud protection


Protects you from emerging threats.


Blocks PUA


Blocks hidden applications bundled with legitimate software.

Email Protection

Scans emails for malware.

Network Protection

Scans files shared on your network.


Advanced Web Protection

Safely surf, shop, stream, download and bank online.

Game Mode

Suspends unnecessary notifications during games and movies.

Browser Tracking Blocker*

Prevents ad networks from monitoring what you do online.

Safe Browsing*

Blocks harmful websites before they load.


Avira Price Comparison*


Saves you money while shopping online.


Qst.2 (b) Describe the process of sharing network in Linux and Windows 2000.


Ans: Samba is an extremely useful networking tool for anyone who has both Windows and Unix systems on his network. Running on a Unix system, it allows Windows to share files and printers on the Unix host, and it also allows Unix users to access resources shared by Windows systems.


Samba is a suite of Unix applications that speak the Server Message Block (SMB) protocol. Microsoft Windows operating systems and the OS/2 operating system use SMB to perform client-server networking for file and printer sharing and associated operations. By supporting this protocol, Samba enables computers running Unix to get in on the action, communicating with the same networking protocol as Microsoft Windows and appearing as another Windows system on the network from the perspective of a Windows client. A Samba server offers the following services:


• Share one or more directory trees
• Share one or more Distributed filesystem (Dfs) trees
• Share printers installed on the server among Windows clients on the network
• Assist clients with network browsing
• Authenticate clients logging onto a Windows domain
• Provide or assist with Windows Internet Name Service (WINS) name-server resolution

Let's take a quick tour of Samba in action. Assume that we have the following basic network configuration: a Samba-enabled Unix system, to which we will assign the name toltec, and a pair of Windows clients, to which we will assign the names maya and aztec, all connected via a local area network (LAN). Let's also assume that


toltec also has a local inkjet printer connected to it, lp, and a disk share named spirit—both of which it can offer to the other two computers. A graphic of this network is shown in Figure 1-1.

Figure 1-1. A simple network set up with a Samba server


In this network, each computer listed shares the same workgroup. A workgroup is a group name tag that identifies an arbitrary collection of computers and their resources on an SMB network. Several workgroups can be on the network at any time, but for our basic network example, we'll have only one: the METRAN workgroup.


Sharing a Disk Service


If everything is properly configured, we should be able to see the Samba server, toltec, through the Network Neighborhood of the maya Windows desktop. In fact, Figure 1-2 shows the Network Neighborhood of the maya computer, including toltec and each computer that resides in the METRAN workgroup. Note the Entire Network icon at the top of the list. As we just mentioned, more than one workgroup can be on an SMB network at any given time. If a user clicks the Entire Network icon, she will see a list of all the workgroups that currently exist on the network.


Figure 1-2. The Network Neighborhood directory

We can take a closer look at the toltec server by double-clicking its icon. This contacts toltec itself and requests a list of its shares—the file and printer resources—that the computer provides. In this case, a printer named lp, a home directory named jay, and a disk share named spirit are on the server, as shown in Figure 1-3. Note that the Windows display shows hostnames in mixed case (Toltec). Case is irrelevant in hostnames, so you might see toltec, Toltec, and TOLTEC in various displays or command output, but they all refer to a single system. Thanks to Samba, Windows 98 sees the Unix server as a valid SMB server and can access the spirit folder as if it were just another system folder.


Figure 1-3. Shares available on the Toltec server as viewed from maya


One popular Windows feature is the ability to map a drive letter (such as E:, F:, or Z:) to a shared directory on the network using the Map Network Drive option in Windows Explorer.[1] Once you do so, your applications can access the folder across the network using the drive letter. You can store data on it, install and run programs from it, and even password-protect it against unwanted visitors. See Figure 1-4 for an example of mapping a drive letter to a network directory.


Figure 1-4. Mapping a network drive to a Windows drive letter

Take a look at the Path: entry in the dialog box of Figure 1-4. An equivalent way to represent a directory on a network computer is by using two backslashes, followed by the name of the networked computer, another backslash, and the networked directory of the computer, as shown here:

\\network-computer\directory

This is known as the Universal Naming Convention (UNC) in the Windows world. For example, the dialog box in Figure 1-4 represents the network directory on the toltec server as:

\\toltec\spirit

If this looks somewhat familiar to you, you're probably thinking of uniform resource locators (URLs), which are addresses that web browsers such as Netscape Navigator and Internet Explorer use to resolve systems across the Internet. Be sure not to confuse the two: URLs such as http://www.oreilly.com use forward slashes instead of backslashes, and they precede the initial slashes with the data transfer protocol (i.e., ftp, http) and a colon (:). In reality, URLs and UNCs are two completely separate things, although sometimes you can specify an SMB share using a URL rather than a UNC. As a URL, the \\toltec\spirit share would be specified as smb://toltec/spirit.


Once the network drive is set up, Windows and its programs behave as if the networked directory were a local disk. If you have any applications that support multiuser functionality on a network, you can install those programs on the network drive.[2] Figure 1-5 shows the resulting network drive as it would appear with other storage devices in the Windows 98 client. Note the pipeline attachment in the icon for the J: drive; this indicates that it is a network drive rather than a fixed drive.


Figure 1-5. The Network directory mapped to the client drive letter J

My Network Places, found in Windows Me, 2000, and XP, works differently from Network Neighborhood. It is necessary to click a few more icons, but eventually we can get to the view of the toltec server as shown in Figure 1-6. This is from a Windows 2000 system. Setting up the network drive using the Map Network Drive option in Windows 2000 works similarly to other Windows versions.


Figure 1-6. Shares available on Toltec (viewed from dine)

Sharing a Printer


You probably noticed that the printer lp appeared under the available shares for toltec in Figure 1-3. This indicates that the Unix server has a printer that can be shared by the various SMB clients in the workgroup. Data sent to the printer from any of the clients will be spooled on the Unix server and printed in the order in which it is received.


Setting up a Samba-enabled printer on the Windows side is even easier than setting up a disk share. By double-clicking the printer and identifying the manufacturer and model, you can install a driver for this printer on the Windows client. Windows can then properly format any information sent to the network printer and access it as if it were a local printer. On Windows 98, double-clicking the Printers icon in the Control Panel opens the Printers window shown in Figure 1-7. Again, note the pipeline attachment below the printer, which identifies it as being on a network.


Figure 1-7. A network printer available on Toltec


Seeing things from the Unix side

As mentioned earlier, Samba appears in Unix as a set of daemon programs. You can view them with the Unix ps command; you can read any messages they generate through custom debug files or the Unix syslog (depending on how Samba is set up); and you can configure them from a single Samba configuration file: smb.conf. In addition, if you want to get an idea of what the daemons are doing, Samba has a program called smbstatus that will lay it all on the line. Here is how it works:


# smbstatus
Processing section "[homes]"
Processing section "[printers]"
Processing section "[spirit]"

Samba version 2.2.6
Service      uid      gid      pid     machine
----------------------------------------------
spirit       jay      jay      7735   maya     (172.16.1.6) Sun Aug 12 12:17:14 2002
spirit       jay      jay      7779   aztec    (172.16.1.2) Sun Aug 12 12:49:11 2002
jay          jay      jay      7735   maya     (172.16.1.6) Sun Aug 12 12:56:19 2002

Locked files:
Pid    DenyMode   R/W        Oplock     Name
--------------------------------------------------
7735   DENY_WRITE RDONLY     NONE       /u/RegClean.exe   Sun Aug 12 13:01:22 2002

Share mode memory usage (bytes):
   1048368(99%) free + 136(0%) used + 72(0%) overhead = 1048576(100%) total

The Samba status from this output provides three sets of data, each divided into separate sections. The first section tells which systems have connected to the Samba server, identifying each client by its machine name


(maya and aztec) and IP (Internet Protocol) address. The second section reports the name and status of the files that are currently in use on a share on the server, including the read/write status and any locks on the files. Finally, Samba reports the amount of memory it has currently allocated to the shares that it administers, including the amount actively used by the shares plus additional overhead. (Note that this is not the same as the total amount of memory that the smbd or nmbd processes are using.)

Qst.3 (a) What are the strategies followed in Windows 2000 for backup?

Ans: Think how much time it would take to recreate everything on your computer... if you could. Given all the threats to your data (viruses, natural disasters, computer crashes and theft, to name a few), a computer backup strategy is essential. Fortunately, there are a number of computer backup strategies to choose from, from simple to esoteric. We have put together a small tutorial on backups and include several backup strategies, including our favorite. Our favorite backup strategy uses the venerable Acronis True Image software. The easy to use True Image backs up to an external hard drive, off site (online), USB flash drive, or DVD/CD. It can be scheduled for off-hours backup or invoked for immediate backup.


Backing up to an off-site area, such as the Internet, is crucial in disaster planning for a business or personal use.


True Image can handle disk image backups: everything (operating system, user settings, applications, data, etc) is saved so your PC can be restored to a known state without reinstallation.


File-based backups can be specified so you choose exactly what and where they get backed up, including offsite.

Acronis True Image Highlights


• Back up while using your computer
• Restore individual files and/or folders
• Restore entire PC, including operating system, applications, and settings
• Schedule backups any time
• Supports Windows 98, ME, NT 4.0, 2000, XP, Vista
• Recovery manager enables recovery even if operating system is broken
• Creates bootable media (CD or flash drive or floppy) in case computer cannot boot up
• Has image verification tool to ensure backup is error free
• Password protects backups
• Archive can be compressed to save disk space
• Archive can be split across multiple CDs
• File security settings are preserved
• Creates a log file of what was backed up
• ...and many other features

p l i n

su

For More Solution’s Contact To Mr. Bilal Ali : Brain Cafe Computer Classes, Near U.P. Tech. Chowk Lucknow. Contact Number:+91 9984736691,+91 9450148850 E_Mail_Id- [email protected], FB Page- facebook.com/bilalali0786 15

Types of Backups

Understanding the different types of backups will help in choosing the best backup type for a particular situation.

Full

A full backup is the starting point for all other backups, and contains all the data in the folders and files that you have selected to be backed up. Because a full backup stores all files and folders, frequent full backups result in faster and easier restore operations. Remember that when you choose other backup types, restore jobs may take longer.

Differential

A differential backup contains all files that have changed since the last full backup. Restoring the full backup plus the latest differential backup reproduces everything that existed at the time of that differential, so only two backup sets are ever needed for a restore, at the cost of each differential growing until the next full backup.

An example:

Sunday = full backup
Monday = diff backup #1 (backs up Mon)
Tuesday = diff backup #2 (backs up Mon, Tue)

Incremental

An incremental backup stores all files and folders that have changed since the last full or incremental backup. The advantage of an incremental backup is that it takes the least time to complete; however, during a restore operation each incremental backup must be processed in order, which can result in a lengthy restore job, and if any one incremental in the chain is lost or corrupt, the changes it held cannot be recovered. To limit the number of incremental backups, make a full backup periodically.

An example:

Sunday = full backup
Monday = incremental backup #1 (backs up Monday's changes)
Tuesday = incremental backup #2 (backs up Tuesday's changes)
Thursday = incremental backup #3 (backs up Wed and Thu changes)
Friday = computer destroyed

A full restore would restore the full backup, then incremental backups 1, 2 and 3 in that order. All the work up to and including Thursday would be restored.
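The three backup types and their restore chains, as an added example that is not part of the original page: a small Python model that replays the example week above (Sunday full, changes Monday to Thursday, computer destroyed Friday) with a differential strategy and an incremental strategy side by side. The file names, contents and change days are constructed for illustration.

```python
# Added example (not from the original page): a small model of full,
# differential and incremental backups, and of the restore chain each one
# needs. The file names, contents and change days are constructed to
# mirror the example week above (Sunday full, changes Mon-Thu, disk lost Fri).
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SUN, MON, TUE, WED, THU = range(5)          # day numbers for the example week

# Constructed "live" file system: file name -> (content, day last modified)
FILES: Dict[str, Tuple[str, int]] = {}


def write(name: str, content: str, day: int) -> None:
    """Simulate a user saving a file on a given day."""
    FILES[name] = (content, day)


@dataclass
class Backup:
    kind: str                                   # "full", "differential" or "incremental"
    day: int                                    # day the backup was taken
    files: Dict[str, str] = field(default_factory=dict)   # name -> content copied


def full_backup(day: int) -> Backup:
    """Copy every selected file; the starting point for all other kinds."""
    return Backup("full", day, {n: c for n, (c, _) in FILES.items()})


def differential_backup(day: int, last_full: Backup) -> Backup:
    """Copy everything changed since the last FULL backup (grows every day)."""
    return Backup("differential", day,
                  {n: c for n, (c, d) in FILES.items() if d > last_full.day})


def incremental_backup(day: int, previous: Backup) -> Backup:
    """Copy everything changed since the previous backup of ANY kind."""
    return Backup("incremental", day,
                  {n: c for n, (c, d) in FILES.items() if d > previous.day})


def restore(chain: List[Backup]) -> Dict[str, str]:
    """Replay a full backup and then its dependants in order; later copies win."""
    if not chain or chain[0].kind != "full":
        raise ValueError("a restore must start from a full backup")
    state: Dict[str, str] = {}
    for b in chain:
        state.update(b.files)
    return state


def run_week() -> dict:
    """Replay the page's example week with both strategies side by side."""
    FILES.clear()
    for name in ("report.doc", "budget.xls", "notes.txt"):
        write(name, "v0", SUN)
    full = full_backup(SUN)

    write("report.doc", "v1", MON)
    diff1 = differential_backup(MON, full)
    inc1 = incremental_backup(MON, full)

    write("budget.xls", "v1", TUE)
    diff2 = differential_backup(TUE, full)
    inc2 = incremental_backup(TUE, inc1)

    write("notes.txt", "v1", WED)              # no backup ran on Wednesday
    write("report.doc", "v2", THU)
    diff3 = differential_backup(THU, full)
    inc3 = incremental_backup(THU, inc2)       # picks up Wed and Thu changes

    # Friday: the computer is destroyed. A differential restore needs two
    # sets; an incremental restore needs the full set plus every increment.
    by_diff = restore([full, diff3])
    by_inc = restore([full, inc1, inc2, inc3])
    # Losing one increment silently loses that day's changes.
    missing_inc2 = restore([full, inc1, inc3])
    return {
        "differential_sizes": [len(b.files) for b in (diff1, diff2, diff3)],
        "incremental_sizes": [len(b.files) for b in (inc1, inc2, inc3)],
        "restored_equal": by_diff == by_inc,
        "restored": by_inc,
        "budget_after_losing_inc2": missing_inc2["budget.xls"],
    }


if __name__ == "__main__":
    for k, v in run_week().items():
        print(f"{k}: {v}")
```

Running it shows the trade-off in numbers: the differentials copy 1, 2 and 3 files as the week goes on while the incrementals copy 1, 1 and 2, both restores produce the same Thursday state, and a restore that is missing incremental #2 silently brings back Sunday's budget file.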


Mirror

A mirror backup is identical to a full backup, with the exception that the files are not compressed and they cannot be protected with a password. A mirror backup is most frequently used to create an exact copy of the backup data. It has the benefit that the backup files can be readily accessed using tools like Windows Explorer; the flip side is that anyone who can reach the backup location can read them just as easily, so the location itself must be access-controlled.

RAID

RAID (redundant array of independent disks). RAID 1 (mirroring) keeps two disks identical; when one disk fails the operating system carries on with the other. Windows 2000 Server provides software RAID 1 as mirrored volumes on dynamic disks; the Professional edition and Windows XP need a hardware RAID controller for it. Note that backups are still needed: a mirror protects only against disk failure, and deletions, corruption and malware are copied to the second disk immediately.

Organize your Data

Organizing your data can go a long way toward making backups less painful. There are countless ways to set up your computer, but here are a few ideas:

1. Put your operating system and applications on the C drive and your data on the D drive. If your computer only has a C drive you will have to create a D drive. Programs such as PartitionMagic make this process easy. There are several advantages to doing this:

   a. If you have to reformat your operating system drive (e.g. due to corruption or a virus) or just want to install a new one (like going from Windows ME to Windows XP), your data remains untouched.

   b. To back up your data all you have to do is back up the D drive. Period.

   If you use 'My Documents' to store data, it needs to be moved to the D drive because its default location is where the operating system resides: the C drive. Right-click on My Documents in Windows Explorer, choose Properties, enter the path where you want to put My Documents, then click 'Move'.

2. An addition to this strategy is to create an E drive for archives (rarely changing files such as pictures and old tax files). This drive only needs to be backed up periodically.

What to Back Up

The most important thing to back up, of course, is your data. The operating system and applications can be backed up, but since they can be reinstalled it is not imperative. A full mirror backup saves everything, so if your computer goes bad it can be fully restored.


Make sure all the data is backed up. Some programs, such as Outlook, store their data files in hard-to-find places (the Outlook .pst file lives under the user's profile folder, not under My Documents). Don't forget your browser favorites.

Where to Back Up

Storing your backup data is as important as making the backup. The backup media must be reliable, and it is recommended to have (at least) two versions of a backup (in case one is corrupted). Always make sure you can restore a backup; there have been cases where a company dutifully did its backups and months down the road found out every one of them was useless (the tape drive did not write to the tape, the internet backup provider "disappeared", ...). A backup that has never been test-restored is not a backup. Backup media include DVDs, CDs, flash drives, external hard drives, and online storage.

When to Back Up

When to back up depends on how often changes are made and how valuable you consider your data. Some businesses do a full backup every night while some people back up only once a month. One common scheme is to do a full backup every week and an incremental backup every day.

Backup Program Features

Below is a list of features to look for in a backup program.

• Can data be encrypted? Is the encryption technique proprietary or a well-known algorithm (prefer the latter)?
• Backup to external drive?
• Erase rewriteable CDs?
• Support UNC names? (like \\server\sharename)
• Tape backup?
• Schedule backups?
• Split backups over several CDs?
• Verify backups?
• Verify backup media before it is used?
• Password-protect backup?
• Security attributes (file permissions) backed up?
• Log file produced?
• Locked files backed up? (i.e. can you use your computer while a backup occurs)
• Can it run on a server?
• Is the backup customizable?


• Email notification (something goes wrong, backup finished, ...)
• Can the entire computer be backed up?
• Restore
  o Pick and choose what to restore
  o Restore the exact directory structure
  o Preview what is going to be restored

Backup Programs

There are an abundance of backup programs available. We have culled the list down to a manageable size.

None

A backup can be as simple as copying your data files to backup media, such as a physically separate drive, an external hard drive, or a flash drive. This is simple and easy to restore.

WinZip

WinZip is a program that compresses files. Nearly every file can be compressed to a size smaller than the original, sometimes 90% smaller. WinZip has been around forever. Though it is not 'officially' a backup program it does a good job and is easy to use. Restoring is simple: just open the zip file and extract the files to wherever you want. To do a backup, create a WinZip file and add all the files you want backed up. You can add an entire drive by telling WinZip to add all the files of the D: drive, for example. Note that a zip archive does not preserve NTFS permissions, and the classic Zip 2.0 password protection is weak; use the AES encryption option if the files are sensitive.

Windows XP backup

Windows XP Professional's Backup program (NTBackup) has many good features, including full, incremental (only files that have changed), and scheduled backups. Unfortunately, it lacks space-saving file compression and can't back up to rewritable DVDs. Windows XP Home Edition users get a limited version of XP Professional's backup; it's located on the Home Edition installation CD in the \valueadd\msft\ntbackup folder.

An easy way around the lack of file compression is to make the backup (the backup file will end with .bkf), then compress it using WinZip. Then move the WinZip file to your backup storage (DVD, flash drive, external hard drive, or online). Use the date, and maybe time, in the backup filename (such as 2006-Jun-11-full-backup.zip).


Backup Strategies

The backup strategy chosen depends on the amount of data to back up, how critical it is, and how much data is generated. Another factor to consider is whether the entire computer should be backed up or just the data. One can always reinstall programs, though at the cost of time.

Strategy 1

Back up your data to a USB flash drive. Flash drives, the size of a stick of gum, hold up to 4 GB of data (at the time of writing). Insert them into a USB port and you are good to go (no formatting necessary). Just drag-and-drop files to it or have your backup program put its backup on it. The flash drive behaves just like a disk drive; it is available in Windows Explorer as a drive. Use two of them and alternate backups. They are great for on the go or keeping off site (like a safety deposit box or someone's house). Most of them can be protected by a password, and because they are so easily lost or stolen the backup on them should be encrypted. Our favorite is the SanDisk Cruzer series.

Strategy 2

Back up your data to DVDs or CDs. Use rewriteable DVDs, if possible. One thing to watch out for is that most backup programs cannot handle writing directly to a DVD, so it is best to write the backup to your hard disk then copy it to the DVD.

Strategy 3

Back up your data to an external hard drive or a Zip drive.

External hard drives are relatively inexpensive. They can hold a lot of data (up to 300 GB at the time of writing) and are easy to connect. Most plug in to a USB port and are ready to go. Some come with a backup program. One advantage to using an external hard drive is that it is relatively easy to take with you.

Strategy 4

Back up your data online.

One of the newer avenues is to back up data online. Programs such as QuickBooks (an accounting program) have a built-in way to back up accounting data online. Other vendors, such as Xdrive, supply as much space as you need to do your backups. This method has several advantages:

• no extra hardware to buy and configure
• the backup is kept at another location, which is good if there is a disaster
• the backup can be automated: just leave your computer on and at a specific time Xdrive will initiate the backup
• your backup data can be accessed from any computer
• if you have a laptop, you can back up from any internet connection (hotel, friend's house, etc.)

The trade-off is that your data now sits with a third party: encrypt it before upload with a key only you hold, and keep a local copy too in case the provider goes away.


Strategy 5

Mirroring a system means making an exact copy of it and storing it offline. One can mirror a system to a DVD if it can fit, or to an external hard drive. An advantage of mirroring is that one does not have to reinstall all the programs. Mirroring takes up the most backup space since it includes the operating system and applications. A mirror program could be run in the off hours. One mirror program that has been used in industry for years with excellent results is Norton Ghost.

Backup Tips

• Make sure the backup does not contain a virus (scan before you back up; an infected image restores the infection too)
• Make sure the backup can be restored
• Do not back up directly to a DVD or CD, since it is an unreliable method
• Always have at least 2 sets of backups (different dates)
• Keep a backup off site (out of your home or office)
• Have passwords, and preferably encryption, for your backups (in case they are stolen)
• Keep backups in two locations (in case of theft or disaster)

Qst.3 (b) What are the contents of password files and where are they located in Windows? Also, explain the concept of shadow passwords.

Ans: Windows does not keep account passwords in a text file. Local account password hashes (the LM and NT hashes) live in the SAM registry hive at %SystemRoot%\System32\config\SAM, which is held open by the system while Windows runs and is encrypted with the machine's boot key (SYSKEY); domain account hashes live in the Active Directory database (NTDS.DIT) on the domain controllers. What people usually mean by "password files" are the places where Windows components and applications keep saved credentials, listed below for more than 20 popular applications. Be aware that even if you know the location of a saved password, it doesn't mean that you can move it from one computer to another: many applications store passwords in a way that prevents moving them to another computer or user profile (on Windows this is usually DPAPI, which derives the encryption key from the user's logon credentials). However, you can use this information to remove unwanted saved passwords from your system.

• Windows Network Passwords (XP/Vista/2003): When you connect to the file system of another computer on your network (something like \\MyComp\MyFolder), Windows allows you to save the password. If you choose to save the password, the encrypted password is stored in a credential file. The credential file is stored in the following locations:
  o Windows XP/2003: [Windows Profile]\Application Data\Microsoft\Credentials\[User SID]\Credentials and [Windows Profile]\Local Settings\Application Data\Microsoft\Credentials\[User SID]\Credentials
  o Windows Vista: [Windows Profile]\AppData\Roaming\Microsoft\Credentials\[Random ID] and [Windows Profile]\AppData\Local\Microsoft\Credentials\[Random ID]

  NirSoft's Network Password Recovery utility can be used to view all passwords stored in these Credentials files.

• Dialup/VPN Passwords (2000/XP/Vista/2003): Dialup/VPN passwords are stored as LSA secrets under HKEY_LOCAL_MACHINE\Security\Policy\Secrets. This key contains multiple sub-keys, and the sub-keys which store the dialup passwords contain one of the following strings: RasDefaultCredentials and RasDialParams. This key is not accessible from RegEdit and other tools by default (only the SYSTEM account has rights to it), but you can use one of the following methods to access it:
  1. Use the at command to run RegEdit.exe as the SYSTEM user (doesn't work under Vista). For example: at 16:14 /interactive regedit.exe
  2. Change the permissions of the entire Security key. If you do that, it's recommended to restore the original permissions after you finish.

• Internet Explorer 4.00 - 6.00: The passwords are stored in a location in the Registry known as the "Protected Storage". The base key of the Protected Storage is located under "HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider". In order to view the subkeys of this key in RegEdit, you must follow the same process as explained for the LSA secrets. Even when you browse the above key in the Registry Editor, you won't be able to read the passwords, because they are encrypted. Also, this key cannot easily be moved from one computer to another as you would a regular Registry key.

  The IE PassView and Protected Storage PassView utilities (NirSoft) allow you to recover these passwords.

• Internet Explorer 7.00 - 8.00: The newer versions of Internet Explorer store passwords in 2 different locations. AutoComplete passwords are stored in the Registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2. HTTP Authentication passwords are stored in the Credentials file under Documents and Settings\Application Data\Microsoft\Credentials, together with login passwords of LAN computers and other passwords.

  IE PassView can be used to recover these passwords.

• Firefox: The passwords are stored in one of the following files: signons.txt, signons2.txt, or signons3.txt (depending on the Firefox version). These password files are located inside the Firefox profile folder, in [Windows Profile]\Application Data\Mozilla\Firefox\Profiles\[Profile Name]. Also, key3.db, located in the same folder, holds the key used for encryption/decryption of the passwords, so both files are needed to recover them.
• Google Chrome Web browser: The passwords are stored in [Windows Profile]\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data (this file is an SQLite database which contains encrypted passwords and other data).
• Opera: The passwords are stored in the wand.dat file, located under [Windows Profile]\Application Data\Opera\Opera\profile.
• Outlook Express (all versions): The POP3/SMTP/IMAP passwords of Outlook Express are also stored in the Protected Storage, like the passwords of old versions of Internet Explorer.
• Outlook 98/2000: Old versions of Outlook stored the POP3/SMTP/IMAP passwords in the Protected Storage, like the passwords of old versions of Internet Explorer.
• Outlook 2002-2008: All newer versions of Outlook store the passwords in the same Registry key as the account settings. The accounts are stored in the Registry under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\[Profile Name]\9375CFF0413111d3B88A00104B2A6676\[Account Index]. If you use Outlook to connect to an account on an Exchange server, the password is stored in the Credentials file, together with login passwords of LAN computers. Mail PassView (NirSoft) can be used to recover lost passwords of Outlook 2002-2008.

• Windows Live Mail: All account settings, including the encrypted passwords, are stored in [Windows Profile]\Local Settings\Application Data\Microsoft\Windows Live Mail\[Account Name]. The account file is an XML file with the .oeaccount extension. Mail PassView can be used to recover lost passwords of Windows Live Mail.
• ThunderBird: The password file is located under [Windows Profile]\Application Data\Thunderbird\Profiles\[Profile Name]. You should search for a filename with the .s extension.
• Google Talk: All account settings, including the encrypted passwords, are stored in the Registry under HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[Account Name]
• Google Desktop: Email passwords are stored in the Registry under HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes\[Account Name]
• MSN/Windows Messenger version 6.x and below: The passwords are stored in one of the following locations:
  1. Registry key: HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger
  2. Registry key: HKEY_CURRENT_USER\Software\Microsoft\MessengerService
  3. In the Credentials file, with an entry named "Passport.Net\\*" (only when the OS is XP or later)
• MSN Messenger version 7.x: The passwords are stored under HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds\[Account Name]
• Windows Live Messenger version 8.x/9.x: The passwords are stored in the Credentials file, with entry names beginning with "WindowsLive:name=". These passwords can be recovered by both the Network Password Recovery and MessenPass utilities.
• Yahoo Messenger 6.x: The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager ("EOptions string" value)
• Yahoo Messenger 7.5 or later: The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager ("ETS" value). The value stored in "ETS" cannot be recovered back to the original password.
• AIM Pro: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\AIM\AIMPRO\[Account Name]
• AIM 6.x: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords
• ICQ Lite 4.x/5.x/2003: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\Mirabilis\ICQ\NewOwners\[ICQ Number] (MainLocation value)
• ICQ 6.x: The password hash is stored in [Windows Profile]\Application Data\ICQ\[User Name]\Owner.mdb (an Access database). The password hash cannot be recovered back to the original password.
• Digsby: The main password of Digsby is stored in [Windows Profile]\Application Data\Digsby\digsby.dat. All other passwords are stored on Digsby's servers.


• PaltalkScene: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\Paltalk\[Account Name].

Concept of Shadow Passwords

On a traditional Unix system every user's encoded password sat in /etc/passwd, which has to be world-readable because many programs look up user names and IDs in it, so any local user could copy the hashes and crack them offline. By moving the passwords to the /etc/shadow file, we are effectively keeping the attacker from having access to the encoded passwords with which to perform a dictionary attack. Additionally, the Shadow Suite adds lots of other nice features:

• A configuration file to set login defaults (/etc/login.defs)
• Utilities for adding, modifying, and deleting user accounts and groups
• Password aging and expiration
• Account expiration and locking
• Shadowed group passwords (optional)
• Double-length passwords (16-character passwords) [NOT RECOMMENDED]
• Better control over the user's password selection
• Dial-up passwords
• Secondary authentication programs [NOT RECOMMENDED]

shadow-utils is a package in Linux that is installed by default in most distributions, used for separating passwords from /etc/passwd. After implementing shadow-utils, passwords are saved in the /etc/shadow file. This /etc/shadow file is only accessible by root (some distributions additionally make it readable by a dedicated shadow group, with mode 640). Let's see the contents of the /etc/shadow file, and also its permissions.

[root@slashroot1 ~]# ll /etc/shadow
-r-------- 1 root root 1140 Dec 14 23:17 /etc/shadow
[root@slashroot1 ~]#

You can see that, unlike the /etc/passwd file, the /etc/shadow file only has the "r" (read) permission set for the root user, which means no other user has access to this file. Let's see what the content of this file is.

[root@slashroot1 ~]# cat /etc/shadow
root:$1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1:15651:0:99999:7:::


Let's understand each and every field of that output, which are separated by ":".

1. The first field is self-explanatory: it is the USERNAME.
2. The second field is the encoded password (a one-way hash). The $1$ prefix in the example means MD5-crypt, a scheme that is fast to brute-force and has been superseded by sha512crypt ($6$) and yescrypt ($y$) on current distributions.

Format of the shadow file

The /etc/shadow file contains the following information:

username:passwd:last:may:must:warn:expire:disable:reserved

Where:

username  The user name
passwd    The encoded password
last      Days since Jan 1, 1970 that the password was last changed
may       Days before the password may be changed (minimum age)
must      Days after which the password must be changed (maximum age)
warn      Days before the password is to expire that the user is warned
expire    Days after the password expires that the account is disabled (called "inactive" in shadow(5))
disable   Days since Jan 1, 1970 that the account is disabled (called "expire" in shadow(5))
reserved  A reserved field

The previous example might then be:

username:Npge08pfz4wuk:9479:0:10000::::

3. The third field is the number of days since the Unix epoch (1 January 1970, the origin of Unix time) that the password was last changed. A value of 0 forces the user to change the password at the next login.
4. This field specifies the minimum number of days required between password changes.
5. The number of days after which it is necessary to change the password (99999 effectively means never).
6. The number of days before the required password change that the user gets a warning.
7. If the password has expired, after this number of days the account will be disabled.
8. The number of days from the Unix epoch on which the account is disabled.
9. This field is not used yet.

Now you may wonder why /etc/shadow contains this much information rather than only the encoded password. This is because the shadow-utils package provides some more advanced features along with storing encoded passwords in /etc/shadow. The above-mentioned fields of /etc/shadow implement those added features to a certain extent, like password ageing and expiry, together with the features mentioned below:

• Default parameters for user account creation (/etc/login.defs)
• Tools to modify user accounts and groups
• Enforcing strict password selection
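The nine fields and the ageing rules they encode, as an added example that is not part of the original page: a Python parser for /etc/shadow records that classifies the hash scheme in the second field and evaluates the last/may/must/warn/expire/disable fields for a given day the way login does. The two records are the ones quoted on the page; the extra records and the "today" day numbers are constructed for illustration.

```python
# Added example (not from the original page): a parser for /etc/shadow
# records that exposes the nine fields described above, classifies the
# hash scheme and applies the ageing fields the way login(1) does. The two
# records are the ones shown on the page; "today" values are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

EPOCH = date(1970, 1, 1)

# Records quoted from the page (the hashes are the page's, not a live system's)
SAMPLE_SHADOW = (
    "root:$1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1:15651:0:99999:7:::\n"
    "username:Npge08pfz4wuk:9479:0:10000::::\n"
)


@dataclass
class ShadowEntry:
    username: str
    passwd: str                 # encoded password; "!"/"*" prefix = locked
    last: Optional[int]         # days since epoch of last change; 0 = change at next login
    may: Optional[int]          # minimum days between changes
    must: Optional[int]         # maximum days the password stays valid
    warn: Optional[int]         # days of warning before expiry
    expire: Optional[int]       # grace days after expiry before lock (shadow(5): "inactive")
    disable: Optional[int]      # absolute day the account is disabled (shadow(5): "expire")
    reserved: str


def _int_or_none(s: str) -> Optional[int]:
    return int(s) if s else None


def parse_shadow_line(line: str) -> ShadowEntry:
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(f)}: {line!r}")
    return ShadowEntry(f[0], f[1], *(_int_or_none(x) for x in f[2:8]), f[8])


def parse_shadow(text: str) -> List[ShadowEntry]:
    return [parse_shadow_line(l) for l in text.splitlines() if l.strip()]


def last_change_date(e: ShadowEntry) -> str:
    """Turn the 'days since epoch' field into an ISO date."""
    return (EPOCH + timedelta(days=e.last or 0)).isoformat()


def hash_scheme(passwd: str) -> str:
    """Classify the encoded-password field; the weak schemes are worth flagging."""
    if passwd == "":
        return "empty (no password required!)"
    if passwd[0] in "!*":
        return "locked"
    known = {"$1$": "md5crypt (weak)", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
             "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}
    for prefix, name in known.items():
        if passwd.startswith(prefix):
            return name
    if len(passwd) == 13 and "$" not in passwd:
        return "traditional DES crypt (weak, 8-character limit)"
    return "unknown"


def password_status(e: ShadowEntry, today: int) -> str:
    """Evaluate the ageing fields for a given day number (days since epoch)."""
    if e.disable is not None and today >= e.disable:
        return "account disabled"
    if e.passwd and e.passwd[0] in "!*":
        return "password login locked"
    if e.last is None:
        return "ok (password ageing disabled)"
    if e.last == 0:
        return "must change password at next login"
    if e.must is None or e.must >= 99999:
        return "ok (password never expires)"
    expires_on = e.last + e.must
    if today > expires_on:
        if e.expire is not None and today > expires_on + e.expire:
            return "locked (inactive after expiry)"
        return "expired, change required"
    if e.warn is not None and today >= expires_on - e.warn:
        return f"ok, expires in {expires_on - today} day(s)"
    return "ok"


def audit(text: str, today: int) -> List[tuple]:
    """One (user, scheme, last change, status) row per record, for review."""
    return [(e.username, hash_scheme(e.passwd), last_change_date(e), password_status(e, today))
            for e in parse_shadow(text)]


if __name__ == "__main__":
    for row in audit(SAMPLE_SHADOW, 16000):
        print(row)
```

Run it as root against a real file with `audit(open("/etc/shadow").read(), int(time.time() // 86400))` to get one row per account; the page's root record comes back as md5crypt, last changed on 2012-11-07, with a 99999-day maximum that never expires.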


Qst.4 (a) Name the various methods of authentication available in the Windows 2000 operating system.

Ans: For interactive and network logon, Windows 2000 itself uses Kerberos V5 (the default within Active Directory domains), NTLM (for down-level clients and stand-alone machines) and certificate-based smart card logon. For dial-up and VPN remote access it supports the PPP authentication protocols PAP, SPAP, CHAP, MS-CHAP v1 and v2, and EAP (EAP-MD5 and EAP-TLS), which are described below.

Authentication Methods

There are a number of PPP authentication protocols that are supported by the RADIUS protocol. Each protocol has advantages and disadvantages in terms of security, usability, and breadth of support. The protocol used is determined by the configuration of the NAS device. See your NAS documentation if you are configuring a dial-up network, or consult your ISP if you are using an ISP for dial-up access to your LAN. The following sections focus on the advantages and disadvantages of the authentication protocols supported by IAS (Internet Authentication Service, the RADIUS server shipped with Windows 2000). The information is also useful in configuring a particular authentication method for remote access.

Password Authentication Protocol

Password Authentication Protocol (PAP) passes a password as a string from the user's computer to the NAS device. When the NAS forwards the password, it is hidden using the RADIUS shared secret as an encryption key. PAP is the most flexible protocol because passing a plaintext password to the authentication server enables that server to compare the password with nearly any storage format. For example, UNIX passwords are stored as one-way hashes that cannot be decrypted; PAP passwords can be compared to these strings by recomputing the hash.

Because it uses a plaintext version of the password, PAP has a number of security vulnerabilities. Although the RADIUS protocol hides the password between the NAS and the server, it is transmitted as plaintext across the dial-up connection.

Enabling PAP

To enable PAP-based authentication, you must do the following:

1. Enable PAP as an authentication protocol on the remote access server. For information about the default setting on a particular NAS, see your NAS documentation. On the Routing and Remote Access service, PAP is disabled by default.
2. Enable PAP on the appropriate remote access policy. PAP is disabled by default.
3. Enable PAP on the remote access client.

Note: Enabling PAP as an authentication protocol means that user passwords are sent from a client to a NAS in plaintext form. The NAS encrypts the password using the shared secret and sends it in an Access-Request packet. Because a RADIUS proxy must encrypt the PAP password using the shared secret of its forwarding RADIUS server, it must first decrypt the PAP password using the shared secret between the RADIUS proxy and the NAS. A malicious user at a RADIUS proxy can therefore record user names and passwords for PAP connections. For this reason, the use of PAP is highly discouraged, especially for virtual private network connections.

Challenge Handshake Authentication Protocol

Challenge Handshake Authentication Protocol (CHAP) is designed to address the concern of passing passwords in plaintext. With CHAP, the NAS sends a random challenge to the user's computer. The CHAP identifier, the user's password and the challenge are then hashed using MD5. The client computer sends the hash as the response to the NAS challenge, and the NAS forwards both the challenge and the response in the RADIUS Access-Request packet.

When the authenticating server receives the RADIUS packet, it uses the challenge and the user's password to create its own version of the response. If the server's version matches the response supplied by the user's computer, the access request is accepted.

CHAP responses cannot be replayed because NAS devices send a unique challenge each time a client computer connects to them. Because the algorithm for calculating CHAP responses is well known, it is very important that passwords be carefully chosen and sufficiently long. CHAP passwords that are common words or names are vulnerable to dictionary attacks: an eavesdropper who captures one challenge/response pair can hash every entry in a dictionary with that challenge offline and compare the results. Passwords that are not sufficiently long can be discovered by brute force, comparing the CHAP response to sequential trials until a match to the user's response is found.

Historically, CHAP is the most common dial-up authentication protocol used. When the server does not store the same password that was used to calculate the CHAP response, it cannot calculate an equivalent response. Because standard CHAP clients use the plaintext version of the password to create the CHAP challenge response, the server must be able to recover the plaintext password (stored in plaintext or reversibly encrypted) in order to calculate an equivalent response.
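The two password-handling schemes compared in the PAP and CHAP sections above, as an added example that is not part of the original Microsoft documentation: the RFC 2865 User-Password hiding that a NAS (and every RADIUS proxy) applies to a PAP password, and the RFC 1994 CHAP response, together with the offline dictionary attack an eavesdropper can run on one captured challenge/response pair. The shared secret, Request Authenticator, challenges, password and word list are constructed values.

```python
# Added example (not from the Microsoft documentation on this page): the
# password handling of PAP-over-RADIUS (RFC 2865 section 5.2) and of CHAP
# (RFC 1994), with constructed secrets, challenges and word list.
import hashlib
import hmac
from typing import Iterable, Optional


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


# --- PAP over RADIUS: the password is only hidden, never authenticated -------
def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a multiple of 16 octets, then XOR each 16-octet chunk with
    MD5(secret + previous ciphertext chunk); the first chunk uses the
    16-octet Request Authenticator in place of a previous chunk."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret, prev)))
        out += chunk
        prev = chunk
    return bytes(out)


def radius_unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The NAS, the server and every RADIUS proxy on the path hold the shared
    secret, so each of them can reverse the hiding exactly like this.
    (Trailing NUL padding is stripped, so passwords ending in NUL are not
    representable; RFC 2865 has the same limitation.)"""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, _md5(secret, prev)))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


# --- CHAP: challenge/response, the password itself never crosses the link ----
def chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || secret || Challenge)."""
    return _md5(bytes([identifier & 0xFF]), password, challenge)


def chap_verify(identifier: int, stored_password: bytes, challenge: bytes, response: bytes) -> bool:
    """The server recomputes the response, which is only possible if it can
    recover the plaintext password: hence the reversibly-encrypted storage
    CHAP requires on Windows."""
    expected = chap_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def chap_dictionary_attack(identifier: int, challenge: bytes, response: bytes,
                           wordlist: Iterable[bytes]) -> Optional[bytes]:
    """An eavesdropper with one captured challenge/response pair can test
    candidates offline; only the password's strength limits this."""
    for word in wordlist:
        if chap_response(identifier, word, challenge) == response:
            return word
    return None


# Constructed demonstration values (not real credentials or live traffic)
SHARED_SECRET = b"radius-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))       # 16 random octets in real traffic
USER_PASSWORD = b"letmein2000"
CHAP_ID = 7
CHAP_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
OTHER_CHALLENGE = bytes.fromhex("ffeeddccbbaa99887766554433221100")
WORDLIST = [b"password", b"123456", b"letmein2000", b"qwerty"]


def demo() -> dict:
    hidden = radius_hide_password(USER_PASSWORD, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    response = chap_response(CHAP_ID, USER_PASSWORD, CHAP_CHALLENGE)
    return {
        "pap_proxy_recovers": radius_unhide_password(hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR),
        "pap_wrong_secret": radius_unhide_password(hidden, b"other-secret", REQUEST_AUTHENTICATOR),
        "chap_accepted": chap_verify(CHAP_ID, USER_PASSWORD, CHAP_CHALLENGE, response),
        "chap_replay_rejected": not chap_verify(CHAP_ID, USER_PASSWORD, OTHER_CHALLENGE, response),
        "chap_cracked": chap_dictionary_attack(CHAP_ID, CHAP_CHALLENGE, response, WORDLIST),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Running it shows both points the text makes: anyone holding the shared secret unhides the PAP password exactly as a proxy would (and a wrong secret yields garbage, not an error), while a CHAP response is useless for replay against a fresh challenge but still falls to a dictionary search when the password is weak.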

Although the IAS server supports CHAP, a Windows NT 4.0-based domain controller cannot validate CHAP requests without support for storing reversibly encrypted passwords. This support is available in Windows 2000; in Windows NT 4.0, this support is available through an update to the Windows NT 4.0-based domain controller.

Enabling CHAP

To enable CHAP-based authentication, you must do the following:


MCS-022 1. Enable CHAP as an authentication protocol on the remote access server. For information about a default setting on a particular NAS, see your NAS documentation. For the Routing and Remote Access service, CHAP is enabled by default. 2. Enable CHAP on the appropriate remote access policy. CHAP is enabled by default. 3. Enable storage of a reversibly encrypted form of the user's password. For a Windows 2000–based standalone server, use machine Group Policy to enable storage of reversibly encrypted passwords for all users of the computer. For Windows 2000 domains, Group Policy at the domain or Organizational Unit (OU) level can be used. For information about enabling reversibly encrypted passwords in a Windows 2000 domain, see Windows 2000 Server Help. 4. Force a reset of user's passwords so that the new password is in a reversibly encrypted form. When you enable passwords to be stored in a reversibly encrypted form, the current passwords are in a nonreversibly encrypted form and are not automatically changed. You must either reset user passwords or set user passwords to be changed the next time you log on. After the password is changed, it is stored in a reversibly encrypted form. If you set user passwords to be changed at the next attempt to log on, the user must log on using a LAN connection and change their password before they attempt to log on with a remote access connection using CHAP. CHAP does not support the changing of passwords during the authentication process and the logon attempt fails. One workaround for the remote access user is to temporarily log on using MSCHAP to change their password. 5. Enable CHAP on the remote access client.


Microsoft Challenge Handshake Authentication Protocol


Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is a variant of CHAP that does not require a plaintext version of the password on the authenticating server. In MS-CHAP the challenge response is calculated with an MD4 hashed version of the password and the NAS challenge. This enables authentication over the Internet to a Windows 2000 domain controller (or a Windows NT 4.0 domain controller on which the update has not been installed).


MS-CHAP passwords are stored more securely at the server but have the same vulnerabilities to dictionary and brute force attacks as CHAP. When using MS-CHAP, it is important to ensure that passwords are well chosen (not found in a standard dictionary) and long enough that they cannot be calculated readily. Many large customers require passwords to be at least six characters long with upper and lower case characters and at least one numeral.


See your NAS documentation, or consult your ISP to see whether the ISP currently supports MS-CHAP.

Note


By default, MS-CHAP v1 for Windows 2000 supports LAN Manager authentication. If you want to prohibit the use of LAN Manager authentication with MS-CHAP v1 for older Microsoft operating systems such as Windows NT 3.5x and Windows 95, you must set Allow LM Authentication (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy) to 0 on the authenticating server. If a user attempts to authenticate using MS-CHAP with an expired password, MS-CHAP prompts the user to change the password while connecting to the server. Other authentication protocols do not support this feature, effectively locking out the user who used the expired password.

Enabling MS-CHAP

To enable MS-CHAP-based authentication, you must do the following:


1. Enable MS-CHAP as an authentication protocol on the remote access server. MS-CHAP is enabled by default on the Routing and Remote Access service. For information about default settings on other NASs, see your NAS documentation.
2. Enable MS-CHAP on the appropriate remote access policy. MS-CHAP is enabled by default.
3. Enable MS-CHAP on a remote access client.


Microsoft Challenge Handshake Authentication Protocol Version 2


Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) provides mutual authentication, stronger initial data encryption keys, and different encryption keys for sending and receiving. For VPN connections, Windows 2000 servers offer MS-CHAP v2 before offering the legacy MS-CHAP. Updated Windows clients accept MS-CHAP v2 when it is offered.


MS-CHAP v2 is a one-way encrypted password, mutual authentication process that works as follows:


1. The remote access server sends a challenge to the remote access client that consists of a session identifier and an arbitrary challenge string.
2. The remote access client sends a response that contains:
   o The user name.
   o An arbitrary peer challenge string.
   o A one-way encryption of the received challenge string, the peer challenge string, the session identifier, and the user's password.
3. The remote access server checks the response from the client and sends back a response containing:
   o An indication of the success or failure of the connection attempt.
   o An authenticated response based on the sent challenge string, the peer challenge string, the encrypted response of the client, and the user's password.
4. The remote access client verifies the authentication response and, if correct, uses the connection. If the authentication response is not correct, the remote access client terminates the connection.

If a user authenticates by using MS-CHAP v2 and attempts to use an expired password, MS-CHAP prompts the user to change the password while connecting to the server. Other authentication protocols do not support this feature, effectively locking out the user who used the expired password.

Enabling MS-CHAP v2

To enable MS-CHAP v2–based authentication, you must do the following:

1. Enable MS-CHAP v2 as an authentication protocol on the remote access server. MS-CHAP v2 is enabled by default on the Routing and Remote Access service. For information about default settings on other NASs, see your NAS documentation.
2. Enable MS-CHAP v2 on the appropriate remote access policy. MS-CHAP v2 is enabled by default.
3. Enable MS-CHAP v2 on the Windows 2000 remote access client.
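As an added illustration of the four-message exchange above (example code, not part of the original answer and not Windows 2000 code): the flow is modelled end to end in Python, with the RFC 2759 primitives (MD4 NT hash, DES-based NT-Response, SHA-1 authenticator response) replaced by HMAC-SHA256 stand-ins so it runs with the standard library only. The class and function names and the demo account are assumptions; what the model keeps faithful is the message structure, that only a one-way hash is stored and nothing password-derived is sent in clear, and that step 4 lets the client reject a server that cannot prove it holds the hash.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


# Stand-ins (assumption) for RFC 2759's MD4 NT hash, DES NT-Response and SHA-1 authenticator.
def password_hash(password: str) -> bytes:
    """One-way hash of the password; all the server needs to store."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_hash(peer: bytes, server: bytes, username: str) -> bytes:
    """Fold the peer challenge, server challenge and user name into 8 bytes."""
    return hashlib.sha256(peer + server + username.encode()).digest()[:8]


def nt_response(pw_hash: bytes, peer: bytes, server: bytes, username: str) -> bytes:
    """Client proof (24 bytes): keyed by the password hash, so nobody without it can build it."""
    msg = b"client" + challenge_hash(peer, server, username)
    return hmac.new(pw_hash, msg, hashlib.sha256).digest()[:24]


def authenticator_response(pw_hash: bytes, response: bytes, peer: bytes,
                           server: bytes, username: str) -> bytes:
    """Server proof (20 bytes): same key, but bound to the client's response and
    domain-separated, so it cannot be replayed as a client response. This is the
    half of the exchange that makes the authentication mutual."""
    msg = b"server" + response + challenge_hash(peer, server, username)
    return hmac.new(pw_hash, msg, hashlib.sha256).digest()[:20]


@dataclass
class Server:
    accounts: dict[str, bytes]                    # user name -> stored password hash
    sessions: dict[int, bytes] = field(default_factory=dict)

    def challenge(self) -> tuple[int, bytes]:
        """Message 1: session identifier and an arbitrary 16-byte challenge."""
        sid = secrets.randbelow(1 << 16)
        self.sessions[sid] = secrets.token_bytes(16)
        return sid, self.sessions[sid]

    def check(self, sid: int, username: str, peer: bytes, response: bytes) -> tuple[bool, bytes]:
        """Message 3: success flag plus, on success, the authenticator response."""
        server = self.sessions.pop(sid, None)     # a challenge is answered once: no replay
        pw_hash = self.accounts.get(username)
        if server is None or pw_hash is None:
            return False, b""
        expected = nt_response(pw_hash, peer, server, username)
        if not hmac.compare_digest(expected, response):
            return False, b""
        return True, authenticator_response(pw_hash, response, peer, server, username)


@dataclass
class Client:
    username: str
    password: str
    state: dict = field(default_factory=dict)

    def respond(self, server_challenge: bytes) -> tuple[str, bytes, bytes]:
        """Message 2: user name, fresh peer challenge and the one-way response.
        The password itself never leaves the client."""
        peer = secrets.token_bytes(16)
        pw_hash = password_hash(self.password)
        response = nt_response(pw_hash, peer, server_challenge, self.username)
        self.state = dict(pw_hash=pw_hash, peer=peer, server=server_challenge, response=response)
        return self.username, peer, response

    def verify(self, success: bool, auth_resp: bytes) -> bool:
        """Message 4: use the link only if the server proved it knows the password hash."""
        if not success or not self.state:
            return False
        s = self.state
        expected = authenticator_response(s["pw_hash"], s["response"], s["peer"],
                                          s["server"], self.username)
        return hmac.compare_digest(expected, auth_resp)


def run_exchange(server: Server, client: Client) -> tuple[bool, bool]:
    """Drive the four messages; returns (server accepted client, client accepted server)."""
    sid, sc = server.challenge()
    name, peer, resp = client.respond(sc)
    ok, auth = server.check(sid, name, peer, resp)
    return ok, client.verify(ok, auth)


def rogue_server_exchange(client: Client) -> bool:
    """A server without the password hash that nevertheless claims success fails
    step 4: the client rejects its forged authenticator response."""
    client.respond(secrets.token_bytes(16))
    return client.verify(True, secrets.token_bytes(20))
```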


Note


Windows 95 and Windows 98 support MS-CHAP v2 only for virtual private network (VPN) connections. Windows 95 and Windows 98 do not support MS-CHAP v2 for dial-up connections.


Extensible Authentication Protocol


Extensible Authentication Protocol (EAP) is an extension to the Point-to-Point protocol (PPP) that works with dial-up, PPTP, and L2TP clients. EAP allows the addition of new authentication methods known as EAP types. Both the dial-in client and the remote access server must support the same EAP type for successful authentication to occur.


Windows 2000 includes an EAP infrastructure and two EAP types, EAP-MD5 CHAP and EAP-TLS. The IAS implementation in Windows 2000 has the ability to pass EAP messages to a RADIUS server (EAP-RADIUS).

EAP-MD5 CHAP

Message Digest 5 Challenge Handshake Authentication Protocol (EAP-MD5 CHAP) is a required EAP type that uses the same challenge-handshake protocol as PPP-based CHAP, but the challenges and responses are sent as EAP messages. A typical use for EAP-MD5 CHAP is to authenticate the credentials of remote access clients by using user name and password security systems. You can use EAP-MD5 CHAP to test EAP interoperability.

EAP-TLS

EAP-Transport Level Security (EAP-TLS) is an EAP type that is used in certificate-based security environments. If you are using smart cards for remote access authentication, you must use the EAP-TLS authentication method. The EAP-TLS exchange of messages provides mutual authentication, negotiation of the encryption method, and secured private key exchange between the remote access client and the authenticating server. EAP-TLS provides the strongest authentication and key exchange method. EAP-TLS is supported only on a remote access server that is running Windows 2000 and is a member of a Windows 2000 mixed or native domain.


EAP-RADIUS


EAP-RADIUS is not an EAP type, but the passing of EAP messages of any EAP type by a remote access server to a RADIUS server for authentication. The EAP messages sent between the remote access client and remote access server are encapsulated and formatted as RADIUS messages between the remote access server and the RADIUS server.


EAP-RADIUS is used in environments where RADIUS is used as the authentication provider. An advantage of using EAP-RADIUS is that EAP types do not need to be installed at each remote access server, only at the RADIUS server. In a typical use of EAP-RADIUS, a remote access server is configured to use EAP and to use RADIUS as its authentication provider. When a connection is made, the remote access client negotiates the use of EAP with the remote access server. When the client sends an EAP message to the remote access server, the remote access server encapsulates the EAP message as a RADIUS message and sends it to its configured RADIUS server. The RADIUS server processes the EAP message and sends a RADIUS-encapsulated EAP message back to the remote access server. The remote access server then forwards the EAP message to the remote access client. In this configuration, the remote access server is only a pass-through device. All processing of EAP messages occurs at the remote access client and the RADIUS server.


Enabling EAP

To enable EAP-based authentication, you must do the following:

1. Enable EAP as an authentication protocol on the remote access server.
2. Enable EAP and, if needed, configure the EAP type on the appropriate remote access policy.
3. Enable and configure EAP on a remote access client.


In addition to the EAP types defined and supported in Windows 2000, new EAP authentication methods can be included through the use of the EAP Software Development Kit.

Unauthenticated Access

The unauthenticated access method allows remote access users to log on without checking their credentials. For example, IAS does not verify the user's name and password. The only user validation performed in the unauthenticated access method is authorization. Enabling unauthenticated access presents security risks that must be carefully considered when deciding whether to enable this authentication method. This section discusses three scenarios of unauthenticated access:
• Guest Access
• Dialed Number Identification Service (DNIS) authorization
• Automatic Number Identification/Calling Line Identification (ANI/CLI) authorization


Guest Access for PPP Users

Guest access is the ability to log on to a domain without a user name and/or a password. Both Routing and Remote Access service and IAS must be configured to support unauthenticated access.


When a remote access server receives a connection attempt, it negotiates with the client using the authentication types enabled at the server. If the client accepts one of them, it sends the appropriate credentials for the accepted authentication type. If the client refuses authentication, the Routing and Remote Access service checks its properties to verify whether unauthenticated access is enabled and, if it is, forwards the Access-Request packet to IAS. This Access-Request packet does not contain a User-Name attribute or any other credentials.


When IAS receives the packet without a User-Name attribute, it assumes that the user wants to dial in using guest access. In this case, IAS uses the name of the guest account in a domain as the user identity. It proceeds to evaluate policies in order to determine the right profile. If a match is found, and unauthenticated access is enabled in the profile, other authorizations are validated, and an Access-Accept packet is returned. The accounting log file logs the user identity and authentication type, which can be used to determine whether the user was logged on with guest access.


Enabling Guest Access

To enable Guest access, perform the following steps:


1. Enable unauthenticated access on the remote access server.
2. Enable unauthenticated access on the appropriate remote access policy.
3. Enable the Guest account.
4. Set the remote access permission on the Guest account to either Allow access or Control access through Remote Access Policy, depending on your remote access policy administrative model.

If you do not want to enable the Guest account, create a user account and set the remote access permission to either Allow access or Control access through Remote Access Policy. Then set the Default User Identity registry value (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy) on the authenticating server (either the remote access server or the IAS server) to the name of the account. For more information about enabling authentication protocols, configuring authentication, and enabling a disabled user account, see Windows 2000 Server Help.


Guest Access Example


1. During PPP negotiation, the dial-in client rejects all of the PPP authentication protocols of the NAS.
2. If the NAS is configured to allow unauthenticated access, the NAS sends an Access-Request packet without the User-Name attribute and without a password. For the Windows 2000 Routing and Remote Access service, unauthenticated access is enabled from the Authentication tab on the properties of a server in the Routing and Remote Access snap-in.
3. Because the User-Name attribute is not included in the Access-Request packet and by default the IAS user identity is taken from the User-Name attribute, the user identity is set to Guest (or the value of Default User Identity).
4. With the user identity of Guest and an unauthenticated connection attempt, the authentication and authorization process discussed earlier in the chapter is performed. If the connection attempt matches a policy whose profile settings have unauthenticated access enabled, and the Guest account is enabled and has the appropriate remote access permission, IAS sends an Access-Accept packet to the NAS.


DNIS Authorization

Dialed Number Identification Service (DNIS) authorization is the authorization of a connection attempt based on the number called. This attribute is referred to as Called Station ID. DNIS is used by standard telecommunication companies. This service returns the number called to the called party. Based on the Called Station ID attribute, IAS can deliver different services to dial-up/remote access users.


Enabling DNIS Authorization

The following steps are required in order to enable DNIS authorization:

1. Enable unauthenticated access on the remote access server.
2. Create a remote access policy on the authenticating server (remote access server or IAS server) for DNIS-based authorization with the Called-Station-ID condition set to the phone number.
3. Enable unauthenticated access on the remote access policy for DNIS-based authorization.

ANI Authorization

ANI authorization is based on the number the user called from. This attribute is referred to as Calling Station ID, or Caller ID. Based on the Calling-Station-ID attribute, IAS can deliver different services to dial-up/remote access users.


Using ANI authorization is different from using the Caller ID dial-in property of a user account. ANI authorization is performed when the user does not type in any user name or password, and refuses to use any valid authentication method. In this case, IAS receives Calling-Station-ID, and no user name and password. To support ANI authorization, the Active Directory must have user accounts with Caller IDs as user names. This kind of authentication is used with the cellular phone authentication and by ISPs in Germany and Japan.


When using the Caller ID property on a user account, the user types in his credentials, such as a user name and password, and uses a valid authentication method to log on. IAS uses the user name and password to authenticate the user, and then compares the Calling-Station-ID attribute in the Access-Request to the Caller ID property of the user account as a way of authorizing the connection attempt.


Enabling ANI Authorization


1. Enable unauthenticated access on the remote access server.
2. Enable unauthenticated access on the appropriate remote access policy for ANI/CLI-based authentication.
3. Create a user account for each calling number for which you want to provide ANI/CLI authorization. The name of the user account must match the number that the user is dialing from. For example, if a user is dialing in from 555-0100, create a "5550100" user account.
4. Set the User Identity Attribute registry value (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy) to 31 on the authenticating server. This registry setting tells the authenticating server to use the calling number (RADIUS attribute 31, Calling-Station-ID) as the identity of the calling user. The user identity is set to the calling number only when no user name is supplied in the connection attempt. To always use the calling number as the user identity, set the Override User-Name registry value (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy) to 1 on the authenticating server. However, if you set Override User-Name to 1 and the User Identity Attribute to 31, the authenticating server can perform only ANI/CLI-based authentication. Normal authentication by using authentication protocols such as MS-CHAP, CHAP, and EAP is disabled.

ANI Example

The following example explains how ANI/CLI authorization works for a dial-up client dialing in from the phone number 555-0100 when a user account called 5550100 exists.

1. During PPP negotiation, the dial-in client rejects all of the PPP authentication protocols of the NAS.
2. If the NAS is configured to allow unauthenticated access, the NAS sends an Access-Request packet without the User-Name attribute and without a password. For the Windows 2000 Routing and Remote Access service, unauthenticated access is enabled from the Authentication tab on the properties of a server in the Routing and Remote Access snap-in.
3. Because the User-Name attribute is not included in the Access-Request packet and the IAS user identity is set to use the Calling-Station-ID attribute, the user identity is set to 5550100.
4. With the user identity of 5550100 and an unauthenticated connection attempt, the authentication and authorization process discussed earlier in the chapter is performed. If the connection attempt matches a policy whose profile settings have unauthenticated access enabled and the 5550100 account has the appropriate remote access permission, IAS sends an Access-Accept packet to the NAS.
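The guest, DNIS and ANI scenarios above all come down to one decision: which identity IAS evaluates a request under, and when an unauthenticated request is accepted. The Python below is an added model of that decision logic (not IAS or Windows 2000 code); the RADIUS attribute numbers are the standard ones (User-Name 1, User-Password 2, Called-Station-Id 30, Calling-Station-Id 31), while the class names, the policy and account objects, and the sample phone numbers are assumptions. It also reproduces the page's caveat that Override User-Name = 1 together with User Identity Attribute = 31 makes the server ignore supplied credentials.

```python
from __future__ import annotations

import hmac
from dataclasses import dataclass

# RADIUS attribute numbers (RFC 2865) for the attributes the page refers to by name.
USER_NAME, USER_PASSWORD, CALLED_STATION_ID, CALLING_STATION_ID = 1, 2, 30, 31


@dataclass
class RegistryPolicy:
    """Values under HKLM\\SYSTEM\\CurrentControlSet\\Services\\RemoteAccess\\Policy."""
    default_user_identity: str = "Guest"
    user_identity_attribute: int = USER_NAME   # 31 = use Calling-Station-ID (ANI/CLI)
    override_user_name: int = 0                # 1 = always use that attribute as identity


@dataclass
class Account:
    password: str | None = None                # None: account used only for guest/ANI logons
    enabled: bool = True
    remote_access: str = "Control access through Remote Access Policy"   # or Allow/Deny access


@dataclass
class RemoteAccessPolicy:
    name: str
    unauthenticated_access: bool               # profile setting
    called_station_id: str | None = None       # DNIS condition; None = no condition


@dataclass
class Authenticator:
    """Decision logic of the authenticating server (RRAS or IAS) as the page describes it."""
    registry: RegistryPolicy
    server_unauthenticated_access: bool        # Authentication tab of the server properties
    policies: list[RemoteAccessPolicy]
    accounts: dict[str, Account]

    def forced_ani(self) -> bool:
        r = self.registry
        return r.override_user_name == 1 and r.user_identity_attribute == CALLING_STATION_ID

    def identity(self, req: dict[int, str]) -> str:
        """Which account name the request is evaluated under."""
        if self.forced_ani():
            # Always the calling number: supplied credentials are ignored, so
            # MS-CHAP/CHAP/EAP logons are effectively disabled (the page's caveat).
            return req.get(CALLING_STATION_ID, "")
        if USER_NAME in req:
            return req[USER_NAME]
        r = self.registry
        if r.user_identity_attribute == CALLING_STATION_ID and CALLING_STATION_ID in req:
            return req[CALLING_STATION_ID]
        return r.default_user_identity         # Guest unless Default User Identity was changed

    def matching_policy(self, req: dict[int, str]) -> RemoteAccessPolicy | None:
        for p in self.policies:                # first policy whose conditions match wins
            if p.called_station_id is None or p.called_station_id == req.get(CALLED_STATION_ID):
                return p
        return None

    def evaluate(self, req: dict[int, str]) -> tuple[str, str, str]:
        """Return (RADIUS reply type, user identity, reason)."""
        ident = self.identity(req)
        acct = self.accounts.get(ident)
        policy = self.matching_policy(req)
        if policy is None:
            return "Access-Reject", ident, "no matching remote access policy"
        if acct is None or not acct.enabled:
            return "Access-Reject", ident, "identity account missing or disabled"
        credentialed = USER_NAME in req and USER_PASSWORD in req and not self.forced_ani()
        if credentialed:
            if acct.password is None or not hmac.compare_digest(acct.password, req[USER_PASSWORD]):
                return "Access-Reject", ident, "bad credentials"
        else:
            # Unauthenticated path: must be enabled on the server AND in the policy profile,
            # and nothing about the caller is verified beyond the number it presents.
            if not self.server_unauthenticated_access:
                return "Access-Reject", ident, "unauthenticated access disabled on server"
            if not policy.unauthenticated_access:
                return "Access-Reject", ident, "policy profile does not allow unauthenticated access"
        if acct.remote_access == "Deny access":
            return "Access-Reject", ident, "remote access permission denied on account"
        return "Access-Accept", ident, f"authorized by policy '{policy.name}'"
```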


Qst.4 (b) How would you set the IP address of a LAN card in LINUX?

Ans: Every node participating in networking needs a valid IP address. At the Linux command prompt, the IP address is assigned through a network configuration window. This window can be opened by selecting the Network configuration submenu of the setup command, or by running the system-config-network command directly.


Run the setup command as the root user:


#setup


This launches a new window; select Network configuration.


A new window now lists all available LAN cards; select your LAN card (if no LAN card is shown, its driver is not installed).


Assign the IP address in this box and click OK.


Click OK, then Quit, and Quit again to return to the root prompt.

Alternatively, you can run the system-config-network command directly to open this setup window:


#system-config-network


Any change you make in the network configuration does not take effect until you restart the LAN card:


#service network restart


ifconfig


The ifconfig command displays the configuration of all active Ethernet cards. Without any parameter, it shows every active Ethernet card. To see the configuration of a specific Ethernet card, pass the name of that card as the command-line argument. For example, to show the IP configuration of the loopback interface, run:


#ifconfig lo


ifup/ifdown


Each installed network adapter has a corresponding ifcfg-* file in /etc/sysconfig/network-scripts. You can activate or deactivate that adapter with the ifup and ifdown commands. Either of the following commands will activate the eth0 network adapter:

#ifup ifcfg-eth0

#ifup eth0

netstat

The netstat program provides real-time information on the status of your network connections, as well as network statistics and the routing table. The netstat command has several options you can use to bring up different sorts of information about your network.


arp


The Address Resolution Protocol associates the hardware address of a network adapter with an IP address. The arp command (in the /sbin directory) displays a table of hardware and IP addresses on the local computer. With arp, you can detect problems such as duplicate addresses on the network, or you can manually add arp entries as required.


mii-tool


The mii-tool command is used to check whether the link is active. Its most common use is to check the physical link of an Ethernet card from the command line, that is, whether a cable is plugged into the LAN card.


ping

The ping command is used to check physical connectivity. If you get a reply, everything is fine. If you get a request timed out response, there is some problem: it could be an unplugged cable, a powered-off switch, or an enabled firewall on the destination node. If you get Destination host unreachable, the remote node is not in your network. Use CTRL+C to abort the ping sequence.


service network restart


Any change you make in the network configuration files does not take effect until you restart the network services. This command applies the change.
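The setup window above writes the address into the adapter's ifcfg file under /etc/sysconfig/network-scripts, which the restart command then applies. As an added illustration (example code, not from the page), the Python below builds, sanity-checks and reads back that ifcfg-<device> file directly; the key names are the classic Red Hat ones, the function names are assumptions, and the sample addresses are constructed.

```python
from __future__ import annotations

import ipaddress
import re
from pathlib import Path

SCRIPTS_DIR = Path("/etc/sysconfig/network-scripts")
DEVICE_RE = re.compile(r"^[a-z][a-z0-9]{0,14}$")   # eth0, lo, ... (assumption: plain names only)


def plan_error(device: str, ip: str, netmask: str, gateway: str | None = None) -> str | None:
    """Describe what is wrong with the address plan, or return None if it is sound."""
    if not DEVICE_RE.match(device):
        return f"bad device name: {device!r}"
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")   # rejects a malformed IP or mask
        gw = ipaddress.IPv4Address(gateway) if gateway is not None else None
    except ValueError as exc:
        return str(exc)
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        return f"{ip} is the network or broadcast address of {net}"
    if gw is not None and gw not in net:
        return f"gateway {gateway} is not inside {net}"
    return None


def render_ifcfg(device: str, ip: str, netmask: str, gateway: str | None = None,
                 onboot: bool = True) -> str:
    """Return the ifcfg file text for a static address (classic Red Hat keys)."""
    err = plan_error(device, ip, netmask, gateway)
    if err:
        raise ValueError(err)
    iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    net = iface.network
    lines = [
        f"DEVICE={device}",
        "BOOTPROTO=static",
        f"ONBOOT={'yes' if onboot else 'no'}",
        f"IPADDR={iface.ip}",
        f"NETMASK={net.netmask}",
        f"NETWORK={net.network_address}",
        f"BROADCAST={net.broadcast_address}",
    ]
    if gateway is not None:
        lines.append(f"GATEWAY={gateway}")
    return "\n".join(lines) + "\n"


def parse_ifcfg(text: str) -> dict[str, str]:
    """Read KEY=value lines back; comments and blank lines are ignored, quotes stripped."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip().strip("\"'")
    return cfg


def write_ifcfg(device: str, ip: str, netmask: str, gateway: str | None = None,
                scripts_dir: Path = SCRIPTS_DIR) -> Path:
    """Write ifcfg-<device>; afterwards run 'service network restart' (or ifdown/ifup)."""
    path = scripts_dir / f"ifcfg-{device}"
    path.write_text(render_ifcfg(device, ip, netmask, gateway))
    return path
```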


Qst.6 (a) How do Linux and Windows 2000 manage domains? Also, explain how a trust relationship is created and managed between domains in Windows 2000.

Ans: Domains

A domain is a collection of accounts representing network computer users, and groups of users, all maintained in a central security database for ease of administration. In Windows 2000, a domain is a collection of computers where a server computer, referred to as a Domain Controller, is responsible for the management of security for the entire network. This type of logical grouping is desirable for corporate applications. Computers of a domain network have local user accounts, but are dependent on a centralised information store called the Active Directory Service. Thus Active Directory in Windows 2000 provides centralised control. Domains add several interesting features to Windows 2000 functionality:
• Centralised storage of user information.
• Each domain has a domain controller associated with it. In Windows NT, domain controllers are either backup domain controllers (BDC) or primary domain controllers (PDC). In Windows 2000 there is only one type of domain controller.
• Extension of the existing network becomes easy.

In Windows 2000, Active Directory unites the namespace of the Internet with Windows NT directory services, since Windows 2000 domain naming uses DNS (Domain Name System). What is DNS? Conceptually, the Internet is divided into several domains (e.g., gov, edu, com, net, etc.), where each domain covers many hosts. Each domain is partitioned into several subdomains, and these are further partitioned. The essence of DNS is the invention of a hierarchical, domain-based naming scheme and a distributed database system for implementing the naming scheme. It is primarily used for mapping host names and e-mail destinations to IP addresses. When creating a Windows 2000 domain, DNS should be running and properly configured on the corresponding machine. If DNS is not running when a domain controller is created, it is installed automatically afterwards. Thus a domain provides Windows 2000 with a grouping mechanism where not only accounts but also network resources are grouped under a single domain name.

Joining a Domain

Windows 2000 has a “Join A Computer To The Domain” permission for computers that wish to be part of a domain. By obtaining this permission, an account is created for that computer. A domain is like a class of objects, where all the objects of that class are of the same type; the object type may vary from users to computers. Active Directory Service provides a hierarchy for the various resources stored in a domain. A domain has information about the objects it contains, and it provides the network with a secure boundary.


Qst.7 (a) Compare FAT 16 and FAT 32 file systems.

Ans: Windows 2000 provides read and write support for the NTFS, FAT 16 and FAT 32 file systems. FAT is designed for small disks and simple folder structures. A FAT 16 partition is divided into 512-byte sectors, and files are stored in clusters; the default cluster size depends on the partition size and can range from 8 sectors to 128 sectors. FAT 32 can support partitions up to 2047 GB in size. The major advantage of FAT 32 over FAT 16 is larger partition sizes.

NTFS (NT File System)

Windows 2000 supports a new version of NTFS, i.e., NTFS version 5.0. This new version of NTFS is better than its predecessor in terms of reliability and performance. NTFS 5.0 includes the following features:
• All of the new features of Windows 2000 Active Directory Services.
• Storage features like reparse points.
• Features for software management.
• Enhanced security features for servers, which provide an authentication mechanism to users before they can actually gain access to network resources.
• It supports CDFS.

The fundamental unit of disk allocation in NTFS is the cluster, which comprises multiple sectors.

Disk Storage Types

In Windows 2000 two kinds of disk storage are possible:
• Basic storage
• Dynamic storage

A disk must be initialised with a storage type before data can be stored on it. Only one of the two storage types can be used on a single disk, but in a system with multiple disks both storage types can be used. Basic disk storage is the default storage type for Windows 2000; all disks are basic until converted to dynamic. Disks can be managed on local and remote networks. Only Windows 2000 supports dynamic storage, which can be resized, unlike the basic storage type. A basic disk is divided into partitions. Disk partitions can be primary or extended, and they function as disks in their own right. A dynamic disk is divided into volumes. Volumes can be simple, spanned, mirrored, striped or RAID-5. Only computers running Windows 2000 can access dynamic disks.


Qst.7 (b) Discuss the features of GNOME configuration tool. Ans:


What are the GNOME System Tools?


Formerly known as the Ximian Setup Tools, the GST are a fully integrated set of tools aimed at making computer administration on a UNIX or Linux system easy. They are intended to help everyone from the new Linux or UNIX user to the system administrator. The GNOME System Tools are free software, licensed under the terms of the GNU General Public License.


Internally, the GNOME System Tools use the System Tools Backends (s-t-b) to access and modify the system configuration. s-t-b supports a great variety of distributions and is designed to be as easy as possible to adapt to more distros. If you are in doubt whether g-s-t will work in your favourite distribution, have a look at the s-t-b web page for the list of supported distributions. Nowadays there are tools for managing:
• Users and groups
• Date and time
• Network configuration
• Runlevels
• Shared folders through Samba or NFS


Features


Configure your network settings easily, including hostname, domain, DNS, search domains and network interface configuration.


This tool will let you easily share your folders through Samba or NFS


Manage the users and the permissions they have on your computer.


Manage time, date and timezone, or synchronize your clock automatically with Internet time servers.


Specify the services and daemons that start at boot time.

Getting the GNOME System Tools


You can get the GNOME System Tools in several ways:
• Through FTP: in the GNOME FTP server you will find all the released tarballs.
• Through CVS: you can find the latest crazy code in the gnome-system-tools module at the GNOME SVN server.


Contributing/Contacting

If you want to join the project, or if you just want to express an opinion, feel free to contact us by:

Bugzilla: if you have caught a bug or just have an enhancement request, this is the place.

For More Solution’s Contact To Mr. Bilal Ali : Brain Cafe Computer Classes, Near U.P. Tech. Chowk Lucknow. Contact Number:+91 9984736691,+91 9450148850 E_Mail_Id- [email protected], FB Page- facebook.com/bilalali0786 47

MCS-022 IRC: you can contact us in the #gst channel at irc.gimp.org

Mailing lists: you can subscribe to our GST Mailing list. You can also view the historic archives here.

Qst.8 (a) Explain the role and importance of the following tools for quota management in Linux.

Ans: Memory Management Subsystem

Linux is made up of a number of functionally separate pieces that, together, comprise the operating system. One obvious part of Linux is the kernel itself; but even that would be useless without libraries or shells. In this section we will discuss the various components of the Linux kernel.

One of the basic objectives of any operating system is to make one feel that there is a large amount of memory although it has only a small physical memory. This apparently large memory is known as virtual memory. The system divides the memory into easily handled pages (logical units) and swaps these pages onto a hard disk as the system runs.

The memory management subsystem is one of the most important parts of the operating system. Since the early days of computing, there has been a need for more memory than exists physically in a system. Strategies have been developed to overcome this limitation and the most successful of these is virtual memory. Virtual memory makes the system appear to have more memory than it actually has by sharing it between competing processes as they need it. Virtual memory does more than just make your computer's memory go further. The memory management subsystem includes:

Large Address Spaces: The operating system makes the system appear as if it has a larger amount of memory than it actually has. The virtual memory can be many times larger than the physical memory in the system.

Protection: Each process in the system has its own virtual address space. These virtual address spaces are completely separate from each other and so a process running one application cannot affect another. Also, the hardware virtual memory mechanisms allow areas of memory to be protected against writing. This protects code and data from being overwritten by rogue applications.

Memory Mapping: Memory mapping is used to map image and data files into a process's address space. In memory mapping, the contents of a file are linked directly into the virtual address space of a process.

Fair Physical Memory Allocation: The memory management subsystem allows each running process in the system a fair share of the physical memory of the system.

Shared Virtual Memory: Although virtual memory allows processes to have separate (virtual) address spaces, there are times when you need processes to share memory. For example, there could be several processes in the system running concurrently and simultaneously, depending upon the number of processors residing in the system, but using a common file, e.g., the C compiler. Therefore, it is better to have only one copy in physical memory and all of the running processes sharing it. Dynamic libraries are another common example of executing code shared between several processes. Another example of shared memory is that it can also be used as an Inter Process Communication (IPC) mechanism, with two or more processes exchanging information via memory common to all of them. Linux supports the Unix™ System V shared memory IPC.

Linux Process and Thread Management

Processes carry out tasks within the operating system. A program is a set of machine code instructions and data stored in an executable image on disk and is, as such, a passive entity; a process can be thought of as a computer program in running state. It is a dynamic entity, constantly changing as the machine code instructions are executed by the processor. As well as the program's instructions and data, the process also includes the program counter and all of the CPU's registers as well as the process stacks containing temporary data such as routine parameters, return addresses and saved variables. Linux is a multiprocessing operating system which can support many processes running in parallel. Processes are separate tasks each with their own rights and responsibilities and also running in their own address spaces. If one process crashes it will not cause another process in the system to crash.

Each individual process runs in its own virtual address space and is not capable of interacting with another process except through secure mechanisms managed by the kernel. The most precious resource in the system is the CPU; usually there is only one, except in a multi-processor based system. Linux is a multiprocessing operating system; its objective is to have a process running on each CPU in the system at all times, to maximize CPU utilization. If there are more processes than CPUs (and there usually are), the rest of the processes must wait until a CPU becomes free before they can be run. In a multiprocessing system many processes are kept in memory at the same time. Whenever a process has to wait, the operating system takes the CPU away from that process and gives it to another, more deserving process. It is the scheduler which chooses the most appropriate process to run next, and Linux uses a number of scheduling strategies to ensure fairness. Linux supports a number of different executable file formats; ELF (Executable and Linkable Format) is one, Java is another, and these must be managed transparently. Although the task_struct data structure is quite large and complex, its fields can be divided into a number of functional areas:

State: As a process executes it changes state according to its circumstances. Linux processes have the following states:

Running: The process is either running (it is the current process in the system) or it is ready to run (it is waiting to be assigned to one of the system's CPUs).

Waiting: The process is waiting for an event or for a resource. Linux differentiates between two types of waiting process: interruptible and uninterruptible. Interruptible waiting processes can be interrupted by signals whereas uninterruptible waiting processes are waiting directly on hardware conditions and cannot be interrupted under any circumstances.

Stopped: The process has been stopped, usually by receiving a signal. A process that is being debugged can be in a stopped state.

Zombie: This is a halted process which, for some reason, still has a task_struct data structure in the task vector. It is what it sounds like, a dead process.

Scheduling Information: The scheduler needs this information in order to fairly decide which process in the system most deserves to run.

Identifiers: Every process in the system has a process identifier. The process identifier is not an index into the task vector, it is simply a number. Each process also has user and group identifiers; these are used to control this process's access to the files and devices in the system.

Inter-Process Communication (IPC): Linux supports the classic Unix™ IPC mechanisms of signals, pipes and semaphores and also the System V IPC mechanisms of shared memory, semaphores and message queues to allow processes to communicate with each other and with the kernel to coordinate their activities.

Links: In a Linux system no process is independent of any other process. Every process in the system, except the initial process, has a parent process. In the Unix operating system the initial process is known as init. New processes are not created, they are copied, or rather cloned, from previous processes. Every task_struct representing a process keeps pointers to its parent process and to its siblings (those processes with the same parent process) as well as to its own child processes.

Times and Timers: The kernel keeps track of a process's creation time as well as the CPU time that it consumes during its lifetime. Each clock tick, the kernel updates the amount of time in jiffies that the current process has spent in system and in user mode. Linux also supports process-specific interval timers; processes can use system calls to set up timers to send signals to themselves when the timers expire. These timers can be single-shot or periodic timers.

File System: Processes can open and close files, and the task_struct includes pointers to any files opened by this process.

Virtual memory: Most processes have some virtual memory (kernel threads and daemons do not) and the Linux kernel must track how that virtual memory is mapped onto the system's physical memory.

Processor Specific Context: A process could be thought of as the sum total of the system's current state. Whenever a process is running it is using the processor's registers, stacks and so on. This is the process's context and, when a process is suspended, all of that CPU specific context must be saved in the task_struct for the process. When a process is restarted by the scheduler its context is restored from here.

Linux Threads

A new process is created in Linux by copying the attributes of the current process. A new process can be cloned so that it shares resources, such as files, signal handlers, and virtual memory. When the two processes share the same virtual memory, they function as threads within a single process. However, no separate type of data structure is defined for a thread. Thus, Linux makes no distinction between a thread and a process.

1.4.3 File Management Subsystem

In Linux, as it is for Unix, the separate filesystems that the system may use are not accessed by device identifiers (such as a drive number or a drive name) but instead they are combined into a single hierarchical tree structure that represents the filesystem as a single entity. Linux adds each new filesystem into this single filesystem tree as they are mounted onto a mount directory, for example /mnt/cdrom. One of the most important features of Linux is its support for many different filesystems. This makes it very flexible and well able to coexist with other operating systems. The most popular filesystem for Linux is the EXT2 filesystem and this is the filesystem supported by most of the Linux distributions. A filesystem gives the user a sensible view of files and directories held on the hard disks of the system regardless of the filesystem type or the characteristics of the underlying physical device. Linux transparently supports many different filesystems (for example MS-DOS and EXT2) and presents all of the mounted files and filesystems as one integrated virtual filesystem. So, in general, users and processes do not need to know what sort of filesystem any file is part of; they just use them. The block device drivers hide the differences between the physical block device types (for example, IDE and SCSI) and, so far as each filesystem is concerned, the physical devices are just linear collections of blocks of data. The block sizes may vary between devices, for example 512 bytes is common for floppy devices whereas 1024 bytes is common for IDE devices and, again, this is hidden from the users of the system. An EXT2 filesystem looks the same no matter what device holds it.

1.4.4 Device Drivers

Device drivers make up the major part of the Linux kernel. Like other parts of the operating system, they operate in a highly privileged environment and can cause disaster if they get things wrong. Device drivers control the interaction between the operating system and the peripheral devices that they are controlling. For example, the filesystem makes use of a general block device interface when writing blocks to a disk. The driver takes care of the details and makes device specific things happen. Device drivers are specific to the controller chip that they are driving.


Qst.8 (b) List and describe the various security features in Linux.

Ans: Linux has several security features:

STANDARD BASIC SECURITY FEATURES

For the basic security features, Linux has password authentication, file system discretionary access control, and security auditing. These three fundamental features are necessary to achieve a security evaluation at the C2 level [4]. Most commercial server-level operating systems, including AIX (IBM), Windows NT, and Solaris, have been certified to this C2 level. By expanding the basic standard security features we have:

1. User and group separation
2. File system security
3. Audit trails
4. PAM authentication

1. User and Group Separation

User accounts are used to verify the identity of the person using a computer system. By checking the identity of a user through username and password credentials, the system is able to determine if the user is permitted to log into the system and, if so, which resources the user is allowed to access. Groups are logical constructs that can be used to group user accounts together for a particular purpose. For example, if a company has a group of system administrators, they can all be placed in a system administrator group with permission to access key resources of the OS. In addition, through group creation and assignment of privileges, access to restricted resources can be controlled for those who need them and denied to others.


The ability for a user to access a machine is determined by whether or not that user's account exists. Access to an application or file is granted based on the permission settings for the file. This helps to ensure the integrity of sensitive information and key resources against accidental or purposeful damage by users.


After a normal user account is created, the user can log into the system and access any applications or files they are permitted to access. Linux determines whether or not a user or group can access these resources based on the permissions assigned to them.


There are three permissions for files, directories, and applications. Table 1 lists the symbols used to indicate each of them. Each of the three permissions is assigned to three defined categories of users. The categories are listed in Table 2.


Table 1. Permission character symbols
Symbol  Description
r       Indicates that a given category of user can read a file.
w       Indicates that a given category of user can write to a file.
x       Indicates that a given category of user can execute the file.
-       A fourth symbol indicates that no access is permitted.

Table 2. Permission categories
Category  Description
Owner     The owner of the file or application.
Group     The group that owns the file or application.
Everyone  All users with access to the system.

One can easily view the permissions for a file by invoking a long format listing using the command ls -l. For instance, if the user kambing creates an executable file named foo, the output of the command ls -l foo would look something like this:

-rwxrwxr-x 1 kambing kambing 0 Sep 2 12:25 foo

The permissions for this file are listed at the start of the line, starting with a set of rwx. This first set of symbols defines owner access. The next set of rwx symbols defines group access, and the last set of symbols defines the access permitted for all other users.


This listing indicates that the file is readable, writable, and executable by the user who owns the file (user kambing) as well as the group owning the file (which is a group named kambing). The file is also world-readable and world-executable, but not world-writable.

2. File System Security

A very true statement about a UNIX/Linux system is that everything is a file; if something is not a file, it is a process. Most files are just files, called regular files; they contain normal data, for example text files, executable files or programs, input to or output from a program and so on. While it is practically safe to say that everything you encounter on a Linux system is a file, there are some exceptions, as listed below:

• Directories: files that are lists of other files.
• Special files: the mechanism used for input and output. Most special files are in /dev, for example USB and CD-ROM.
• Links: a system to make a file or directory visible in multiple parts of the system's file tree. It is a shortcut.
• (Domain) sockets: a special file type, similar to TCP/IP sockets, providing inter-process networking protected by the file system's access control.
• Named pipes: act more or less like sockets and form a way for processes to communicate with each other, without using network socket semantics.

The following table gives an overview of the characters determining the file type:

Table 3. File type character symbols
Symbol  Meaning
-       Regular file
d       Directory
l       Link
c       Special file
s       Socket
p       Named pipe
b       Block device

On a Linux system, every file is owned by a user and by a group. There is also a third category of users: those that are not the owning user and don't belong to the group owning the file. For each category of users, read, write and execute permissions can be granted or denied.


The long option to list files using the ls -l command, also displays file permissions for these three user categories; they are indicated by the nine characters that follow the first character, which is the file type indicator at the beginning of the file properties line. As seen in the following examples, the first three characters in this series of nine display access rights for the actual user that owns the file.

ls -l Mine
-rw-rw-r-- 1 mike users 5 Jul 15 12:39 Mine

ls -l /bin/ls
-rwxr-xr-x 1 root root 45948 Aug 10 15:01 /bin/ls*

The next three are for the group owner of the file, the last three for other users. The permissions are always in the same order: read, write, execute for the user, the group and the others. The first file is a regular file (first dash). Users with user name mike or users belonging to the group users can read and write (change/move/delete) the file, but they can't execute it (second and third dash). All other users are only allowed to read this file, but they can't write or execute it (fourth and fifth dash).

The second example is an executable file; the difference is that everybody can run this program, but you need to be root to change it. For easy use with commands, both access rights (or modes) and user groups have a code, shown in Tables 4 and 5.

Table 4. Access mode codes
Code    Meaning
0 or -  The access right that is supposed to be in this place is not granted.
4 or r  Read access is granted to the user category defined in this place.
2 or w  Write permission is granted to the user category defined in this place.
1 or x  Execute permission is granted to the user category defined in this place.

Table 5. User group codes
Code  Meaning
u     user permissions
g     group permissions
o     permissions for others

This straightforward scheme is applied very strictly, which allows a high level of security even without network security. Among other functions, the security scheme takes care of user access to programs; it can serve files on a need-to-know or least-privilege basis and protect sensitive data such as home directories and system configuration files. We use the chmod command to modify file permissions, i.e., to change the access mode of a file. The chmod command can be used with alphanumeric or numeric options, whichever you like best. The following shows some examples.

>./hello
bash: ./hello: bad interpreter: Permission denied

>cat hello
#!/bin/bash
echo "Hello, World"

>ls -l hello
-rw-rw-r-- 1 mike mike 32 Jul 1 16:29 hello

>chmod u+x hello

>./hello
Hello, World

>ls -l hello
-rwxrw-r-- 1 mike mike 32 Jul 1 16:29 hello*

The + and - operators are used to grant or deny a given right to a given group. Combinations separated by commas are allowed. The following is another example, which makes the file from the previous example a private file to user mike:

>chmod u+rwx,go-rwx hello

>ls -l hello
-rwx------ 1 mike mike 32 Jan 15 16:29 hello*

If you encounter problems resulting in an error message saying that permission is denied, it is usually a problem with access rights.


When using chmod with numeric arguments, the values for each granted access right have to be added together per group. Thus we get a 3-digit number, which is the numeric value for the settings chmod has to make. The following table lists the most common combinations:

Table 5. File protection with chmod
Command              Meaning
chmod 400 file       To protect a file against accidental overwriting.
chmod 500 directory  To protect you from accidentally removing, renaming or moving files from this directory.
chmod 600 file       A private file only changeable by the user who entered this command.
chmod 644 file       A publicly readable file that can only be changed by the issuing user.
chmod 660 file       Users belonging to your group can change this file; others don't have any access to it at all.
chmod 700 file       Protects a file against any access from other users, while the issuing user still has full access.
chmod 755 directory  For files that should be readable and executable by others, but only changeable by the issuing user.
chmod 775 file       Standard file sharing mode for a group.
chmod 777 file       Everybody can do everything to this file.

If you enter a number with less than three digits as an argument to chmod, omitted characters are replaced with zeros starting from the left. There is actually a fourth digit on Linux systems that precedes the first three and sets special access modes.
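The symbolic and numeric notation above, worked through in code. This is an added example, not code from the original document: it parses the mode field of an ls -l line with the weights of Table 4 and the category codes of Table 5, applies symbolic chmod clauses, and replays the page's own hello session (assumed inputs are the listings shown above; the fourth special-mode digit is left out).

```python
"""Symbolic and numeric chmod on the page's own listings.  Added example, not
code from the original document.  Bit weights (r=4, w=2, x=1) and category
codes (u, g, o) are those of Tables 4 and 5; the listings used as input are
the ones shown on the page.  The optional fourth (special) digit is out of
scope, and a clause with an empty who-list is treated as 'a' without the
umask adjustment chmod(1) would apply in that case."""

import re

PERM_BITS = {"r": 4, "w": 2, "x": 1}            # Table 4
CATEGORY_SHIFT = {"u": 6, "g": 3, "o": 0}       # Table 5, as octal digit positions
SYMBOLIC_CLAUSE = re.compile(r"^([ugoa]*)([+\-=])([rwx]*)$")


def mode_from_listing(field):
    """Parse the 10-character mode field of an `ls -l` line, e.g. '-rwxrw-r--'.

    Returns (type_char, mode): the type character is the first one (Table 3),
    the mode is an int such as 0o764."""
    if len(field) != 10:
        raise ValueError("mode field must be 10 characters: %r" % field)
    type_char, perms = field[0], field[1:]
    mode = 0
    for i, ch in enumerate(perms):
        expected = "rwx"[i % 3]                   # the position decides the meaning
        if ch == expected:
            mode |= PERM_BITS[ch] << (6 - 3 * (i // 3))
        elif ch != "-":
            raise ValueError("unexpected character %r in %r" % (ch, field))
    return type_char, mode


def listing_from_mode(mode, type_char="-"):
    """Inverse of mode_from_listing: 0o700 -> '-rwx------'."""
    out = type_char
    for shift in (6, 3, 0):                        # user, group, others
        bits = (mode >> shift) & 7
        out += "".join(c if bits & PERM_BITS[c] else "-" for c in "rwx")
    return out


def apply_symbolic_chmod(mode, spec):
    """Apply a chmod spec such as 'u+x', 'u+rwx,go-rwx' or 'a=r' to a mode."""
    for clause in spec.split(","):
        m = SYMBOLIC_CLAUSE.match(clause)
        if not m:
            raise ValueError("bad chmod clause %r" % clause)
        who, op, perms = m.groups()
        if who == "" or "a" in who:
            who = "ugo"
        bits = sum(PERM_BITS[p] for p in perms)
        for cat in who:
            shift = CATEGORY_SHIFT[cat]
            if op == "+":
                mode |= bits << shift
            elif op == "-":
                mode &= ~(bits << shift)
            else:                                  # '=' replaces the whole triplet
                mode = (mode & ~(7 << shift)) | (bits << shift)
    return mode & 0o777


def replay_page_session():
    """Replay the chmod session shown on the page and return the listings
    `ls -l hello` would print after each step."""
    _, mode = mode_from_listing("-rw-rw-r--")     # hello before any chmod
    seen = []
    mode = apply_symbolic_chmod(mode, "u+x")       # >chmod u+x hello
    seen.append(listing_from_mode(mode))
    mode = apply_symbolic_chmod(mode, "u+rwx,go-rwx")   # make it private to mike
    seen.append(listing_from_mode(mode))
    return seen


if __name__ == "__main__":
    for line in replay_page_session():
        print(line)
    # The numeric forms of the same two results, as Table 5 would list them.
    print(oct(mode_from_listing("-rwxrw-r--")[1]),
          oct(mode_from_listing("-rwx------")[1]))
```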

2.2.1 The File Mask

When a new file is saved somewhere, it is first subjected to the standard security procedure. Files without permissions don't exist on Linux. The standard file permission is determined by the mask for new file creation. The value of this mask can be displayed using the umask command:

>umask
0002

Instead of adding the symbolic values to each other, as with chmod, for calculating the permissions on a new file they need to be subtracted from the total possible access rights. In the example above, however, we see 4 digits displayed, yet there are only 3 permission categories: user, group and other. The first zero is part of the special file attribute settings. It might just as well be that this first zero is not displayed on your system when entering the umask command and that you only see 3 numbers representing the default file creation mask. Each UNIX-like system has a system function for creating new files, which is called each time a user uses a program that creates new files, for instance when downloading a file from the Internet or when saving a new text document. This function creates both new files and new directories. Full read, write and execute permission is granted to everybody when creating a new directory. When creating a new file, this function will grant read and write permissions for everybody, but set execute permissions to none for all user categories. In this case, before the mask is applied, a directory has permissions 777 or rwxrwxrwx, a plain file 666 or rw-rw-rw-. The umask value is subtracted from these default permissions after the function has created the new file or directory. Thus, a directory will have permissions of 775 by default, a file 664, if the mask value is (0)002. This is demonstrated in the following examples:

>mkdir newdir
>ls -ld newdir
drwxrwxr-x 2 mike mike 2096 Jul 28 13:45 newdir/

>touch newfile
>ls -l newfile
-rw-rw-r-- 1 mike mike 0 Jul 28 13:52 newfile

A directory gets more permissions by default: it always has the execute permission. If it did not have that, it would not be accessible.
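The umask arithmetic above, checked against a running kernel. This is an added example, not code from the original document: it keeps the page's subtraction shortcut beside the rule the kernel really applies (clearing the mask's bits), shows a mask for which the two disagree, and re-runs the mkdir/touch demonstration in a scratch directory (assumes a POSIX system such as Linux).

```python
"""How the umask produces the 775/664 shown above.  Added example, not part of
the original document.  The page explains the result as a subtraction from
777 (directories) and 666 (files); the kernel actually clears the mask's
bits, mode & ~umask.  Both give the same answer for the masks on this page
(002, 022); subtraction_matches_kernel shows a mask where the shortcut
breaks down, and observe_creation_modes checks the rule against the running
kernel in a scratch directory (assumes a POSIX system such as Linux)."""

import os
import stat
import tempfile

DEFAULT_DIR_MODE = 0o777    # "full read, write and execute ... for a new directory"
DEFAULT_FILE_MODE = 0o666   # "read and write for everybody, execute to none"


def mode_after_umask(default_mode, umask):
    """The kernel rule: every bit set in the umask is removed from the default."""
    return default_mode & ~umask & 0o777


def mode_by_subtraction(default_mode, umask):
    """The page's mental model: plain subtraction of the octal values."""
    return default_mode - umask


def subtraction_matches_kernel(umask):
    """True when the subtraction shortcut agrees with the kernel for both a
    new directory and a new file under this umask.  It holds for 002 and 022
    but not, for instance, for 077 (666 - 077 is 567; the kernel gives 600)."""
    return all(mode_by_subtraction(d, umask) == mode_after_umask(d, umask)
               for d in (DEFAULT_DIR_MODE, DEFAULT_FILE_MODE))


def observe_creation_modes(umask):
    """Re-run the page's `mkdir newdir` / `touch newfile` under `umask` in a
    temporary directory and return (dir_mode, file_mode) as the kernel set
    them.  The caller's umask is restored afterwards."""
    previous = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as scratch:
            newdir = os.path.join(scratch, "newdir")
            newfile = os.path.join(scratch, "newfile")
            os.mkdir(newdir)                         # default 0o777 before the mask
            with open(newfile, "w"):                 # default 0o666 before the mask
                pass
            return (stat.S_IMODE(os.stat(newdir).st_mode),
                    stat.S_IMODE(os.stat(newfile).st_mode))
    finally:
        os.umask(previous)


if __name__ == "__main__":
    for mask in (0o002, 0o022, 0o077):
        d, f = observe_creation_modes(mask)
        print("umask %04o -> directory %o, file %o, subtraction shortcut %s"
              % (mask, d, f, "ok" if subtraction_matches_kernel(mask) else "wrong"))
```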


If you log in to another group using the newgrp command, the mask remains unchanged. Thus, if it is set to 002, files and directories that you create while being in the new group will also be accessible to the other members of that group; you don't have to use chmod. The root user usually has stricter default file creation permissions as shown below:

[root@tenouk root]# umask
022

These defaults are set system-wide in the shell resource configuration files, for instance /etc/bashrc or /etc/profile. You can change them in your own shell configuration file.

3. Audit Trails

Linux kernel 2.6 comes with the auditd daemon. It is responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open the /etc/audit.rules file and make changes such as setting the audit log file location and other options. The default file is good enough to get started with auditd. In order to use the audit facility you need to use the following utilities:

Table 6. Audit utilities
Utility   Description
auditctl  A command to assist in controlling the kernel's audit system. You can get status, and add or delete rules in the kernel audit system.
ausearch  A command that can query the audit daemon logs for events based on different search criteria.
aureport  A tool that produces summary reports of the audit system logs.

4. Pluggable Authentication Modules (PAM) Authentication

PAM [5] was invented by Sun Microsystems. Linux-PAM provides a flexible mechanism for authenticating users. It consists of a set of libraries that handle the authentication tasks of applications on the system. The library provides a stable general interface to which privilege-granting programs (such as login) defer to perform standard authentication tasks.


Historically, authentication of Linux users relied on the input of a password which was checked against the one stored in /etc/passwd. At each improvement (e.g. /etc/shadow, one-time passwords) each program (e.g. login, ftp) had to be rewritten. PAM is a more flexible user authentication mechanism. Programs supporting PAM must dynamically link themselves to the modules in charge of authentication. The administrator is in charge of the configuration and the attachment order of modules. All applications using PAM must have a configuration file in /etc/pam.d. Each file is composed of four columns:
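A reader for the four-column /etc/pam.d format and a simulation of why the attachment order of modules matters. This is an added example, not code from the original document; the column names (type, control flag, module, arguments) and the control words required, requisite, sufficient and optional are assumed from the PAM configuration format, and the sample file and per-module results are constructed here.

```python
"""Parse a four-column /etc/pam.d style file and simulate how the control flag
decides the outcome of a module stack.  Added example, not code from the
original document.  Column names (type, control flag, module, arguments) and
the classic control words are assumed from the PAM configuration format; the
sample file and the per-module results are constructed.  The bracketed
[value=action] syntax, 'include' and 'substack' are deliberately not handled."""

SAMPLE_PAM_LOGIN = """\
# constructed sample in /etc/pam.d style (not a real system file)
auth       requisite   pam_securetty.so
auth       sufficient  pam_unix.so nullok
auth       required    pam_deny.so
account    required    pam_unix.so
"""


def parse_pam_file(text):
    """Return a list of (type, control, module, args) tuples, one per
    non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) < 3:
            raise ValueError("need type, control and module: %r" % raw)
        mtype, control, module = parts[:3]
        if control.startswith("["):
            raise ValueError("bracketed control syntax not supported: %r" % raw)
        args = parts[3].split() if len(parts) == 4 else []
        entries.append((mtype.lower(), control.lower(), module, args))
    return entries


def evaluate_stack(entries, mtype, module_results):
    """Walk the modules of one type in file order and return True when the
    stack as a whole succeeds.  module_results maps module name -> bool.

    required:   failure is remembered, but the remaining modules still run
    requisite:  failure ends the stack immediately with a failure
    sufficient: success ends the stack with success unless a required module
                already failed; its own failure is ignored
    optional:   only counts when nothing else has set the result yet"""
    impression = None          # None = undecided, True/False = result so far
    for _, control, module, _ in (e for e in entries if e[0] == mtype):
        ok = module_results.get(module, False)   # an unknown module fails, like a missing .so
        if control == "required":
            if not ok:
                impression = False
            elif impression is None:
                impression = True
        elif control == "requisite":
            if not ok:
                return False
            if impression is None:
                impression = True
        elif control == "sufficient":
            if ok and impression is not False:
                return True
        elif control == "optional":
            if ok and impression is None:
                impression = True
        else:
            raise ValueError("unsupported control flag %r" % control)
    return impression is True


if __name__ == "__main__":
    entries = parse_pam_file(SAMPLE_PAM_LOGIN)
    good = {"pam_securetty.so": True, "pam_unix.so": True, "pam_deny.so": False}
    bad_pw = {**good, "pam_unix.so": False}
    print("auth with correct password:", evaluate_stack(entries, "auth", good))
    print("auth with wrong password  :", evaluate_stack(entries, "auth", bad_pw))
```

Moving the required pam_deny.so line above the sufficient pam_unix.so line makes every login fail, which is the "attachment order" the administrator controls.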


Linux is inexpensive

The first benefit of Linux is cost. All versions of Linux may be freely downloaded from the web. If you don't want to download, prepackaged versions of Linux may be purchased online. In addition, the software may be legally shared with your friends. In addition, when the time comes to upgrade the operating system, the Linux upgrade would be free. In addition to being inexpensive, Linux can run on old systems. Its products can run on Intel 386 microprocessors, which were popular in the late 1980s. The server has never slowed down despite increased use.

Linux is Fast

Linux runs respectably well on old computers, and it is even faster on newer, more powerful computers. This is because Linux programs are very efficient and lean. They use as few resources as possible, and unlike Windows, Linux programs use little, if any, graphics. Graphics can slow a system's response time, making it slower than it truly is. Linux may not be pretty, but it is fast.

Linux is Stable

The Linux code is well written. This both increases the speed at which Linux runs and improves the stability of the operating system. Linux is next to impossible to crash. If an application crashes, you can simply remove the program from memory instead of restarting your computer. In older versions of Windows, a crashing program had the potential to take down the entire computer. This is one of the reasons why Linux is used on many web servers where stability is crucial. With Linux, web-hosting providers can guarantee 99.9 percent uptime.

Open-Source Software

Finally, Linux has open-source software. This means that users can read the source code and modify it as needed. This probably means little to the average user of the final version of a Linux kernel. However, during development, "beta" releases of the kernel are available to developers who will download the code and test it thoroughly. When possible, they will find any problems and correct the code. This process helps to ensure that the final release of the kernel is as well written as possible.
