DOWNLOAD THE CODE:
Download the Code Listing_01.txt

[Editor's Note: Share your NT discoveries, comments, problems, solutions, and experiences with products and reach out to other Windows NT Magazine readers (including Microsoft). Email your contributions (400 words or less) to r2r@winntmag.com. Please include your phone number. We edit submissions for style, grammar, and length. If we print your submission, you'll get $100.]

NT System Policy Editor
In my domain, I use system policies extensively (sometimes to the dismay of users who want to install custom screen savers). These policies disable certain privileges depending on users' group affiliations. My coworker was working on a Windows 95 machine and was having trouble accessing the network configuration and running regedit to change his permissions, because of the policy restrictions I had set. I had removed the config.pol file for Win95 from my PDC, leaving the previous user's restrictions in effect on the machine.

My coworker's first thought was to reinstall Windows to gain access to the Registry. However, I had disabled Registry editing, so a reinstallation wouldn't let him change the Registry settings. To solve the problem, I used Windows NT's System Policy Editor (SPE). I copied the poledit.exe and admin.adm files to a 3.5" disk and ran poledit.exe from the disk. Then, I used the admin.adm file to open the Registry from SPE and made the changes to restore my coworker's permissions. (For more information about SPE, see Clayton Johnson, "Expanding Your System Policy Capabilities," December 1998.)

SMS Security Manager Template
The Microsoft article "SMS: How to Create a Custom Remote Control Group in SMS" at http://support.microsoft.com/support/kb/articles/q191/3/36.asp discusses the permissions a typical Help desk person needs. A problem with this recommendation is that you can't create a template in Microsoft's Systems Management Server (SMS) Security Manager. The SMS database's SecurityUserTemplates table stores SMS templates. The script in Listing 1, page 28, lets you easily create an SMS Security Manager Help desk template based on Microsoft's recommended settings. (For information about SMS 2.0, see Ethan Wilansky, "Systems Management Server 2.0 Client Features," May 1999.)

DMZ with Proxy Server 2.0
You can't use Microsoft Proxy Server 2.0's Winsock proxy service to reverse-host network applications and services such as Windows NT file and print services and PPTP servers or UNIX- or mainframe-based terminal services. However, you can create a demilitarized zone (DMZ) to provide this kind of service from behind the proxy server while protecting the internal networks (private and DMZ) with Proxy Server's packet filters. (For a detailed article about Proxy Server, see Zubair Ahmad, "Proxy Server 2.0," October 1998.)

Microsoft's "How to Create a DMZ Network with Proxy Server 2.0" at http://support.microsoft.com/support/kb/articles/q191/1/46.asp describes DMZ setup with Proxy Server 2.0. This article recommends that you use three NICs in the Proxy Server computer to split three networks (i.e., Internet, intranet, DMZ) into separate physical segments.

However, you don't need a separate NIC for DMZ. You can create a DMZ on the same segment as your intranet. You must assign the second IP address (i.e., the DMZ's address) to the proxy server's internal NIC, and assign appropriate IP addresses and default gateways (i.e., the proxy server's internal DMZ IP address) to the hosts that will comprise the DMZ. Switched media prevents DMZ traffic from congesting the network.

When you implement a DMZ, you need to analyze the security of services that you expose to the Internet. You can easily configure a DMZ to provide Telnet access to an internal UNIX host, but Telnet sessions are insecure. SSH Communications Security (http://www.ssh.fi) provides such services in a secure manner.

Rather than exposing network services via a DMZ, you might want to implement a VPN solution such as RRAS or PPTP. However, VPNs aren't suitable for public access.
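
An added example, not part of the original column: a Python check of the single-NIC DMZ address plan described above, confirming that each DMZ host sits in the DMZ subnet and uses the proxy server's internal DMZ address as its default gateway. The function name, host names, and all addresses are constructed for illustration.

```python
import ipaddress


def check_dmz_plan(proxy_intranet_if, proxy_dmz_if, hosts):
    """Return a list of findings for a DMZ that shares the intranet segment.

    proxy_intranet_if, proxy_dmz_if: "address/prefix" strings for the two
    addresses bound to the proxy server's internal NIC.
    hosts: dicts with "name", "ip" and "gateway" for the intended DMZ hosts.
    """
    intranet = ipaddress.ip_interface(proxy_intranet_if)
    dmz = ipaddress.ip_interface(proxy_dmz_if)
    findings = []

    # The two logical networks share one wire, so only addressing separates
    # them; overlapping ranges would remove even that separation.
    if intranet.network.overlaps(dmz.network):
        findings.append(f"DMZ {dmz.network} overlaps intranet {intranet.network}")

    seen = {dmz.ip: "proxy server"}
    for host in hosts:
        ip = ipaddress.ip_address(host["ip"])
        gateway = ipaddress.ip_address(host["gateway"])
        if ip not in dmz.network:
            findings.append(f"{host['name']}: {ip} is outside DMZ {dmz.network}")
        # Traffic must route through the proxy's DMZ address so that the
        # proxy server's packet filters see it.
        if gateway != dmz.ip:
            findings.append(
                f"{host['name']}: gateway {gateway} is not the proxy DMZ address {dmz.ip}")
        if ip in seen:
            findings.append(f"{host['name']}: {ip} duplicates {seen[ip]}")
        seen[ip] = host["name"]
    return findings


# Constructed sample plan (addresses are illustrative, not from the column).
SAMPLE_HOSTS = [
    {"name": "unix1", "ip": "192.168.100.10", "gateway": "192.168.100.1"},
    {"name": "pptp1", "ip": "192.168.100.11", "gateway": "10.0.0.1"},
    {"name": "print1", "ip": "10.0.0.50", "gateway": "192.168.100.1"},
]

if __name__ == "__main__":
    for line in check_dmz_plan("10.0.0.1/24", "192.168.100.1/24", SAMPLE_HOSTS):
        print(line)
```
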
