Last Updated May 18, 1996.

Fundamentals of Windows NT

Presented by: Keith Cotton

Keith Cotton is a subject matter expert for Microsoft Education Services within the Business Systems Division. Keith is a Microsoft Certified System Engineer and has his Novell CNE certification.

Document Contents

* The Microsoft Networking Family
* Windows NT Features
* Architecture Overview
* User and Group Accounts
* Group Accounts
* Managing Security Policies
* File Systems
* Windows NT Resource Security Model
* Windows NT Network Architecture
* Introduction to the Browser Service
* Printing from Windows NT
* Remote Access Service (RAS)

------------------------------------------------------------------------

The Microsoft Networking Family

Both the Microsoft® Windows NT™ Server network operating system and the Windows NT Workstation operating system provide a 32-bit operating system for users who require a fast, multitasking environment. Corporate systems managers use Windows NT Workstation to establish a general-purpose computing environment which, at the same time, can reliably host line-of-business applications. Developers and engineers, as well as financial and technical users, can take advantage of these operating systems for business needs such as mechanical and electronic design automation, architectural planning, engineering and construction, manufacturing and process control, custom software development, accounting, financial analysis, investment trader workstations, and real-time systems. In addition, any user who needs the power of a multiprocessing system can use the Microsoft Windows NT™ operating system to run multiple applications at the same time.

Windows NT Server 3.5

Windows NT Server 3.5 is a powerful network server operating system designed for organizations that must implement mission-critical business applications. Windows NT Server 3.5 provides the networking foundation for a new generation of server applications and tools, as well as file and print services.
Its client-server platform is designed to integrate current and future technologies and provide a competitive advantage through better information access. Windows NT Server 3.5 is the operating system for implementation of the Microsoft BackOffice strategy. BackOffice includes the following:

* Microsoft Windows NT Server 3.5
* Microsoft SQL Server™ 4.21a, client-server database management system
* Microsoft Systems Management Server, centralized management for distributed systems
* Microsoft SNA Server 2.1, connectivity for IBM® enterprise networks
* Microsoft Exchange Server, client-server messaging and groupware

Windows NT Workstation 3.5

The Microsoft Windows NT Workstation 3.5 operating system includes all the capabilities of the Windows® for Workgroups operating system, with integrated networking elevated to a more powerful, multitasking level. Windows NT Workstation can be used alone as a powerful desktop operating system, networked in a peer-to-peer workgroup environment, or used as a workstation in a Windows NT Server 3.5 domain environment. Windows NT Workstation 3.5 can be used as a client in the Microsoft BackOffice strategy, accessing resources from all the BackOffice products.

Clients

Windows for Workgroups is a peer-to-peer network client based on the Microsoft Windows® operating system and designed for resource sharing among small numbers of people with similar tasks. The Microsoft Windows operating system version 3.x is intended primarily for the single user in a desktop environment based on the Microsoft MS-DOS® operating system.
Windows and Windows for Workgroups are both ideal products for group or small business environments.

------------------------------------------------------------------------

Windows NT Features

Feature or Service              Windows NT Workstation 3.5                        Windows NT Server 3.5
Concurrent Client Connections   10 inbound connection limit; unlimited outbound   Unlimited
Symmetric Multiprocessing       2 processors (out of the box)                     4 processors (out of the box)
Remote Access Service           One session only                                  Up to 256 sessions
Directory Replication           Import only                                       Import and export
Logon Validation                No                                                Yes
Services for Macintosh®         No                                                Yes
Disk Fault Tolerance            No                                                Yes

Windows NT Workstation

Windows NT Workstation combines the power of a 32-bit multitasking workstation with the ease of use, compatibility, and productivity of a personal computer. It provides unlimited outbound peer-to-peer connections and up to 10 simultaneous inbound connections. Remote Access Service (RAS) supports one inbound session for a user who is dialing in using a modem. Windows NT Workstation supports up to two processors in a symmetric multiprocessing environment. These features are a few of the reasons why Windows NT Workstation 3.5 is a powerful multitasking client desktop operating system.

Windows NT Server

Windows NT Server provides the network operating system foundation for enterprise networking. It is optimized to be an excellent file, print, and application server that scales from small workgroups to an enterprise network. Windows NT Server supports up to four processors in a symmetric multiprocessing environment; Original Equipment Manufacturers' implementations of Windows NT Server support up to 32 processors (see the hardware compatibility list for a list of OEMs). In addition, Windows NT Server provides all services necessary for sharing business applications and host connectivity, including Macintosh support, unlimited network connections, and 256 inbound RAS sessions.
Tools are integrated for building secure, reliable databases, accessing mainframe and minicomputer data, building a messaging infrastructure, and managing all the Windows NT server and client computers on the network.

Workgroups and Domains

By looking at the purpose of a workgroup and a domain, you will know when to implement Windows NT in a workgroup or a domain environment on your network.

Workgroup

A workgroup is a logical collection of computers grouped together for a common purpose, such as sharing departmental hard disk or printer resources. Members of the workgroup can see and access resources shared by other computers within the group. Each computer in the workgroup has to manage its own user accounts database and security policy, so a user who needs resources on several computers needs an account on each of them. Each workgroup is identified by a unique name.

Domain

A domain in a Windows NT environment is a logical collection of computers sharing a common user accounts database and security policy. A domain also provides logon validation to ensure that domain user accounts and security policies are enforced within the domain. Each domain has a unique name.

Windows NT Workstation is designed to participate in either a workgroup or a domain. As part of a workgroup, Windows NT Workstation interacts within a common group of computers on a peer-to-peer level. In this environment, resources and user accounts are managed at each computer. A workgroup works well for small groups in which a small number of users needs access to resources on other computers.

Both Windows NT Server and Windows NT Workstation are designed to participate in a domain. Like a workgroup, a domain is a logical grouping of computers and users. Unlike a workgroup, where each computer has its own user account database, a domain is managed by servers and has one user accounts database that is shared by all the servers.
The Windows NT Server network operating system is designed to administer domain account privileges, security, and network resources centrally. For example, a large company may have 1,000 computers in a network, and a group of users on this network needs exclusive rights to share files and applications. A Windows NT Server domain provides them with a secured environment in which they can share the files and applications, and log on from any Windows NT Workstation that is part of that domain.

------------------------------------------------------------------------

Architecture Overview

The Windows NT operating system uses an object model to provide user access to local and network resources, and to run applications of various types. An object can be thought of as any resource within the Windows NT system, such as files, directories, and printers. The object model used by Windows NT is that of a modular operating system, composed of a group of relatively independent components. Each component performs a specific task within the context of the operating system as a whole. This is accomplished through subsystems and executive services that form the foundation on which applications can run.

Environment Subsystems

One of the features of Windows NT is its ability to execute applications written for multiple operating systems. This is accomplished through the environment subsystems in Windows NT. The environment subsystems can run applications written for several operating systems by emulating those operating systems.

Executive Services

Underneath the user applications lies the Windows NT operating system, which provides the support for user applications. It comprises many components, the majority of which are called the Executive and its Managers. The Executive Services can be compared to a company president who oversees an entire organization.
In Windows NT the Executive Services coordinate the activities of the operating system, such as providing access to hard disk resources, printers, memory, and the network. The Managers can be compared to vice presidents who oversee specific areas of the company. In Windows NT the Manager services are the actual code that manages the specific functions overseen by the Executive.

The Memory Model of Windows NT

The memory architecture for Windows NT is a demand-paged, virtual memory system. It is based on a flat, linear address space accessed by 32-bit addresses. Windows NT uses a 32-bit flat memory model: each process sees a 4 GB linear virtual address space, of which the lower 2 GB is available to the application and the upper 2 GB is reserved for the system, rather than the 64K segments of MS-DOS and 16-bit Windows. This allows programmers to create larger applications. The Virtual Memory Manager maps the application's virtual addresses onto physical pages in the computer's memory and, in doing so, hides the organization of physical memory from the application. Because each process has its own set of mappings, applications that ask for memory are given non-conflicting addresses, and one process cannot directly address the memory of another process or of the system.

Demand paging refers to a method by which data is moved in pages from physical memory to a temporary paging file on disk. As the data is needed by an application, it is paged back into physical memory. The paging algorithm is optimized to perform per-process paging rather than systemwide paging. This linear addressing scheme helps make Windows NT portable because it is compatible with the memory addressing of processors such as the MIPS® R4000™ and DEC™ Alpha AXP™.

------------------------------------------------------------------------

User and Group Accounts

A user account defines a user to Windows NT. This includes the name and password required for the user to log on, the groups in which the user account has membership, and any user rights for using the assigned computer.
When a user logs on to a workstation and attempts to perform a particular action on that computer, Windows NT checks information in the user's account to determine whether the user is authorized to perform that action.

Multiple User Accounts Provide Different Levels of Security

An individual may have more than one account, each account providing and allowing different capabilities within the Windows NT Workstation security system. For example, an administrator can have both an administrative account that provides the access rights necessary to manage the system, and a user account for routine use, so that everyday work does not run with administrative rights.

Default User Accounts

The Windows NT installation program creates three default user accounts with associated privileges when Windows NT Workstation is first installed: Administrator, Guest, and an "Initial User" account. Each default account has specific privileges on the system.

Administrator Account

The Administrator account is used by the person who manages the computer's overall configuration. Through this account, an Administrator can perform such tasks as: managing security policies; creating, modifying, or deleting user and group accounts; modifying operating system software; creating and connecting to shared directories (including administrative shares); installing and connecting to printers; partitioning and formatting a fixed disk; and more.

Guest Account

The Guest account is provided as a convenience, so that occasional or one-time users can log on and be granted limited abilities on the local computer. This allows users without a valid user account on the computer to log on as Guest and access the resources appropriate for the Guest account while using the system. Because it admits people who have no account of their own, the Guest account should be disabled wherever that convenience is not actually needed.

Initial User Account

An "Initial User" account is created during installation of Windows NT Workstation. This account, which is assigned a name during installation, is a member of the Administrators group and therefore has all administrator rights and privileges; it should be protected and used with the same care as the Administrator account.
Creating User Accounts

Additional user accounts can be added to allow other users to log on locally or access local resources from over the network. This is done either by creating new user accounts, or by making copies of existing user accounts. Creating user accounts involves adding user information, adding the user to groups, and establishing the user environment profile. Before creating new user accounts, it is a good idea to establish a standard naming convention. A standard naming convention speeds up the lookup process in User Manager when maintaining and troubleshooting the system, and avoids confusion if duplicate names occur.

Copying User Accounts

When creating multiple user accounts with similar account properties, it is recommended that a template be created for each type of user. For example, create a template with all the appropriate options and group memberships established for users in the accounting department. Then, when an account is needed for a new user in the accounting department, you can simply copy the template.

New User Items Copied

User accounts can be copied, but not all of the items in the User Properties dialog box are copied to the new user account. The items copied directly from an existing user account to a new user account are as follows:

* The description.
* Group account memberships.
* Profile settings, such as home directory.
* "User cannot change password" is copied from the source account.
* "Password never expires" is copied from the source account.

New User Items Set after Copying

After copying an existing user account to create a new user, the following items are cleared:

* The Username and Full Name
* "User must change password at next logon"
* "Account disabled"

Any rights and permissions that have been granted directly to a user account are not copied. The only way that user rights are carried over is if they have been assigned to a group, since group memberships are copied.
Renaming User Accounts

It is possible to rename any user account, including the default accounts. When a user account is renamed, it retains all of its other properties. The only thing that changes is the account name.

Deleting and Disabling User Accounts

Although you can delete user accounts at any time, it is recommended that you do so only if a user will never again need to log on or access that Windows NT Workstation. Disabling an account instead keeps its security identifier, permissions and group memberships while preventing logon, and can be reversed later, so disable rather than delete an account whose owner may return. Deleting a user account also discards its security identifier. Security identifiers (SIDs) are unique values that identify a user or group account to the Windows NT security system; permissions and rights are recorded against the SID, not the account name, which is why a renamed account keeps its access. A SID can identify an individual user or a group of users.

Deleting User Accounts

If a user account is deleted and a new account is created with the same name, it will have a different SID, and as such will be unable to access anything the previous account was able to access until the appropriate permissions and privileges are reassigned. The new account must have the appropriate access permissions, user rights, and group memberships established for it to behave in the same way as the deleted account.

Setting the User Environment Profile

The user environment profile provides a location for storage of personal files and provides consistent network resources every time a user logs on. This gives a user their own unique environment on desktops shared by multiple users. The User Environment Profile dialog box allows you to configure the user's logon script name and the location of the user's home directory.

Logon Script Name

When a user logs on to Windows NT, the user's profile can be configured so that a logon script runs automatically to configure the working environment for the user. A logon script is normally a batch file (.BAT or .CMD extension) that issues MS-DOS or OS/2® operating system commands, or calls executable files, though an executable file can also be used as the logon script.
When using executable files, remember to use the correct version of the executable if the user may be logging on at computers with different CPU types (e.g., x86, MIPS, Alpha). The %PROCESSOR% environment variable can be used to select the right executable in a logon script. Other environment variables that can be used in logon scripts include %HOMEDRIVE%, %HOMEPATH%, %HOMESHARE%, %OS%, %USERDOMAIN%, and %USERNAME%.

Home Directory

A home directory provides the user with a consistent location to store all personal program and data files. In general, administrators should configure home directories so they are not accessible to anyone but the individual user. Home directories are normally stored locally on Windows NT workstations, but can be located on a server.

* A home directory is used as the default directory when the command prompt is started. In addition, the home directory is also the default directory for saving a file in applications that do not supply a default working directory.

Assigning Group Membership

A group is defined as an account containing other accounts (members). Groups are basically "aliases" for a set of users, and can be assigned permissions and user rights just like a user account. As a result, the permissions and rights granted to the group are applied to its members automatically. This makes groups a convenient way to grant common capabilities to a collection of user accounts. A user can be a member of at most 1,000 groups.

------------------------------------------------------------------------

Group Accounts

A group is an account that contains user accounts. The accounts contained within a group are members of that group. Groups are used to give users permissions to perform system tasks, such as backing up and restoring files or changing the system time, and to grant access to resources, such as files, directories, and printers.
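The two points made above, that permissions are recorded against a SID rather than an account name (so a deleted and recreated account loses its access) and that access granted to a group follows group membership, can be made concrete in code. The following is an added example written for this page, not code from Windows NT or from the original document. It evaluates a discretionary access control list the way Windows NT does (no DACL grants everything, an empty DACL grants nothing, entries are evaluated in order and a matching deny ends the check) against a toy accounts database that never reuses a SID. The machine SID, the RID counter and the four access-mask bits are constructed for illustration.

```python
"""Access check against SIDs, in the style of Windows NT (added example).

Illustrative code written for this page, not part of Windows NT. The SID
values, the RID counter and the access-mask bits are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed access-mask bits (the real NT masks are wider than this).
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
FULL = READ | WRITE | EXECUTE | DELETE

EVERYONE = "S-1-1-0"   # well-known SID of the Everyone group, in every token


@dataclass
class ACE:
    allow: bool   # False means an access-denied entry
    sid: str
    mask: int


@dataclass
class Token:
    user_sid: str
    group_sids: Set[str] = field(default_factory=set)

    def sids(self) -> Set[str]:
        return {self.user_sid, EVERYONE} | self.group_sids


def access_check(token: Token, dacl: Optional[List[ACE]], desired: int) -> bool:
    """True if every bit in `desired` is granted to the token.

    No DACL at all grants everything, an empty DACL grants nothing, entries
    are evaluated in stored order, and a matching deny entry that overlaps
    the still-outstanding bits ends the check. That is why explicit denies
    are placed before allows.
    """
    if dacl is None:
        return True
    mine = token.sids()
    remaining = desired
    for ace in dacl:
        if ace.sid not in mine:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


class Accounts:
    """Toy local accounts database: names resolve to SIDs, RIDs are never reused."""

    MACHINE_SID = "S-1-5-21-1000-2000-3000"   # constructed

    def __init__(self) -> None:
        self._next_rid = 1000
        self.users: Dict[str, str] = {}          # name -> SID
        self.groups: Dict[str, str] = {}         # name -> SID
        self.members: Dict[str, Set[str]] = {}   # group SID -> member SIDs

    def _new_sid(self) -> str:
        sid = f"{self.MACHINE_SID}-{self._next_rid}"
        self._next_rid += 1
        return sid

    def create_user(self, name: str) -> str:
        self.users[name] = self._new_sid()
        return self.users[name]

    def create_group(self, name: str) -> str:
        sid = self.groups[name] = self._new_sid()
        self.members[sid] = set()
        return sid

    def add_member(self, group: str, user: str) -> None:
        self.members[self.groups[group]].add(self.users[user])

    def delete_user(self, name: str) -> None:
        sid = self.users.pop(name)
        for member_sids in self.members.values():
            member_sids.discard(sid)

    def token_for(self, name: str) -> Token:
        sid = self.users[name]
        return Token(sid, {g for g, m in self.members.items() if sid in m})


def recreate_account_demo():
    """Grant READ to alice by user SID and by group, then delete and recreate alice."""
    db = Accounts()
    alice = db.create_user("alice")
    accounting = db.create_group("Accounting")
    db.add_member("Accounting", "alice")
    by_user = [ACE(True, alice, READ | WRITE)]
    by_group = [ACE(True, accounting, READ | WRITE)]
    before = (access_check(db.token_for("alice"), by_user, READ),
              access_check(db.token_for("alice"), by_group, READ))
    db.delete_user("alice")
    alice2 = db.create_user("alice")          # same name, new SID
    db.add_member("Accounting", "alice")
    after = (access_check(db.token_for("alice"), by_user, READ),
             access_check(db.token_for("alice"), by_group, READ))
    return alice != alice2, before, after     # (True, (True, True), (False, True))
```

Running recreate_account_demo() shows the recreated "alice" keeps the access that was granted to the Accounting group but loses the access granted to the old SID, which is the page's argument for granting permissions to groups rather than to individual accounts. The access_check rules are the ones administrators rely on when an explicit deny for one group must win over an allow for Everyone.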
Group accounts are useful because they simplify administration by organizing user accounts into a single administrative unit. Group accounts provide a convenient method of controlling access for several users who will be using Windows NT to perform similar tasks. By placing multiple users in a group, you can assign the same abilities and/or restrictions to all of the users at the same time by assigning the rights and/or permissions to the group. Without groups, user rights and access permissions would have to be assigned to the individual user accounts. User accounts can still be modified individually, even if they are members of one or more groups. Windows NT Workstation allows the creation of local groups. Windows NT Server allows the creation of both local and global groups.

Local Groups

This type of group can include any user accounts created in the local accounts database. Additionally, if the Windows NT Workstation has joined a Windows NT Server domain, a local group can also contain global accounts and global groups from the Windows NT Server domain. Local groups created on a Windows NT Workstation are only available on that workstation. They cannot be used on other Windows NT-based computers.

Global Groups

Global groups are created in the domain accounts database on Windows NT Server and contain domain user accounts rather than accounts from the local computer. They can be assigned user rights and permissions to resources on the domain's servers, or on any Windows NT Workstation that has joined the domain. Global groups provide a way to create groups of users from the domain. If your Windows NT Workstation is a member of a domain, then it is possible to grant permissions to any global groups that have been created in the domain.

Default Group Accounts

There are several default group accounts built into the Windows NT Workstation operating system. The built-in groups are Guests, Users, Power Users, Administrators, Replicator, and Backup Operators.
By default, all user accounts created on a Windows NT Workstation are made members of a group called Users. There is also a special group named Everyone. The Everyone group includes every user who accesses the computer, whether logged on locally or connecting over the network, including Guest. It does not appear in the listing of group accounts and does not permit the adding or removing of members. It can be used to assign user rights and access permissions to resources; anything assigned to Everyone is granted to every user, including Guest, so grant it with care.

Guests

The Guests group offers limited access to resources on the system. The Guest user account is automatically added as a member of the Guests group. Since anyone on a network can connect to a computer's shared resources through the Guest account (a member of Guests), permissions must be assigned on shared resources to control how those users can access them. To grant a specific user the same access to the computer as someone who logs on as Guest, add that user account to the Guests group.

Users

The Users group provides the user with the necessary rights to operate the computer as an end user, such as running applications and managing files. By default, every user account created is added to the Users group.

Power Users

The Power Users group gives members the ability to perform certain system administrative functions, without giving the user complete control over the computer.

Administrators

A user logged on as a member of the Administrators group has complete control over the entire Windows NT computer.

Replicator

This group account is used when configuring the Directory Replicator service. The Directory Replicator service is used to automatically copy files, such as user logon scripts, between Windows NT-based computers.

Backup Operators

The Backup Operators group allows its members to back up and restore files on the computer.
Any user can back up and restore files for which they have the appropriate file and directory permissions without being a member of the Backup Operators group. Membership in Backup Operators overrides file and directory permissions that would otherwise prohibit access, and lets members back up any and all files on a drive regardless of those permissions. This bypass applies only while the member is using Windows NT Backup to back up or restore files and directories. Because a Backup Operator can copy any file to tape and restore it elsewhere, treat membership in this group as a high-trust assignment.

Deleting Local Group Accounts

Deleting a local group account removes only that local group. It does not delete any user accounts that were members of the deleted local group. Groups that have been created with User Manager can be deleted, while the built-in groups provided with Windows NT Workstation, such as Administrators and Guests, cannot be deleted.

------------------------------------------------------------------------

Managing Security Policies

Security policies provide an administrator an additional level of computer and network control. However, an administrator needs to carefully consider which security policies need to be configured in an environment, and understand what effect the configured policy will have on the security of the local computer. Windows NT provides the following security policies:

Security policy   Description
Account           Controls the way passwords are assigned and maintained by users. It also controls the account lockout feature of Windows NT.
User Rights       Controls the explicit rights that can be assigned to the group and user accounts of the workstation.
Audit             Controls the types of events that will be recorded in the audit logs.

The Account Policy

The Account Policy sets the minimum and maximum ages, minimum length, and uniqueness of passwords, and configures the account lockout feature. Changes to this policy affect each user at the next logon.
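To show how the Account Policy settings interact, here is an added example written for this page (not code from Windows NT or from the original document). It models the password minimum length, minimum and maximum age and uniqueness checks, and the account lockout counter, as functions over a small account state. The field names mirror the options in the Account Policy dialog (lock out after N bad logon attempts, reset the count after M minutes, lock for a duration or forever until an administrator unlocks); the rule that the bad-attempt count resets M minutes after the last bad attempt, the minute-based clock and the logon timeline are assumptions made for the example, and plain strings stand in for stored password hashes.

```python
"""Account Policy behaviour modelled in code (added example for this page).

Not Windows NT code. Field names follow the Account Policy dialog; the
clock is minutes on a constructed timeline and strings stand in for hashes.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MINUTES_PER_DAY = 24 * 60


@dataclass
class AccountPolicy:
    min_password_length: int = 8
    min_password_age_days: int = 1            # 0 = allow changes immediately
    max_password_age_days: int = 42
    password_history: int = 5                 # "remember N passwords"
    lockout_threshold: int = 5                # 0 = never lock out
    lockout_reset_minutes: int = 30           # bad-attempt count resets after this
    lockout_duration_minutes: Optional[int] = 60   # None = forever


@dataclass
class AccountState:
    password_history: List[str] = field(default_factory=list)  # newest first
    password_set_at: float = 0.0
    bad_attempts: int = 0
    last_bad_at: Optional[float] = None
    locked_at: Optional[float] = None


def is_locked(p: AccountPolicy, s: AccountState, now: float) -> bool:
    """Report lockout, clearing it once a finite duration has elapsed."""
    if s.locked_at is None:
        return False
    if p.lockout_duration_minutes is None:
        return True                           # forever: only an administrator unlocks
    if now - s.locked_at >= p.lockout_duration_minutes:
        s.locked_at, s.bad_attempts, s.last_bad_at = None, 0, None
        return False
    return True


def record_logon(p: AccountPolicy, s: AccountState, now: float, ok: bool) -> str:
    """Apply one logon attempt; returns 'ok', 'bad' or 'locked'."""
    if is_locked(p, s, now):
        return "locked"                       # even a correct password is refused
    if ok:
        s.bad_attempts, s.last_bad_at = 0, None
        return "ok"
    # The count only accumulates within the reset window after the last bad
    # attempt (assumed semantics); outside it the count starts again from zero.
    if s.last_bad_at is not None and now - s.last_bad_at >= p.lockout_reset_minutes:
        s.bad_attempts = 0
    s.bad_attempts += 1
    s.last_bad_at = now
    if p.lockout_threshold and s.bad_attempts >= p.lockout_threshold:
        s.locked_at = now
        return "locked"
    return "bad"


def change_password(p: AccountPolicy, s: AccountState, now: float, new: str) -> Optional[str]:
    """Return None if the new password is accepted, else the rejection reason."""
    if len(new) < p.min_password_length:
        return "too short"
    if s.password_history and now - s.password_set_at < p.min_password_age_days * MINUTES_PER_DAY:
        return "changed too recently"         # minimum age stops cycling back to an old password
    if new in s.password_history[:p.password_history]:
        return "reused"                       # uniqueness: remembered passwords are rejected
    s.password_history.insert(0, new)
    s.password_set_at = now
    return None


def password_expired(p: AccountPolicy, s: AccountState, now: float) -> bool:
    return now - s.password_set_at >= p.max_password_age_days * MINUTES_PER_DAY


def simulate(p: AccountPolicy, attempts: List[Tuple[float, bool]]) -> List[str]:
    """Run a constructed (minute, success) timeline through one fresh account."""
    s = AccountState()
    return [record_logon(p, s, t, ok) for t, ok in attempts]
```

With a threshold of three attempts and a 30-minute reset window, two bad attempts followed by a third 35 minutes later do not lock the account, because the count has been reset; three bad attempts within the window do, and a correct password is refused until the lockout duration has passed. Setting the duration to "forever" (None here) is the stricter choice the dialog offers: it stops a password-guessing attacker cold, but it also means a deliberate flood of bad attempts can lock out a legitimate user until an administrator intervenes, which is the trade-off the text asks administrators to weigh.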
The Account Policy is accessed from the Policies menu of User Manager.

The User Rights Policy

The User Rights Policy manages the rights granted to group and user accounts. User rights authorize a user to perform certain actions on the computer. User rights apply to the computer as a whole and are different from permissions, which apply to specific resources, such as files and printers. In general, you will not need to change the User Rights Policy for the default groups, because the user rights of these groups should support the needs of typical users within each group. There are two levels of user rights that can be assigned: User Rights and Advanced User Rights. The most commonly modified rights are User Rights.

------------------------------------------------------------------------

File Systems

In choosing a file system, it is important to note that you can format multiple partitions with different file systems on the same Windows NT workstation, depending on the operating system and security needs of the computer.

File System   Supporting Operating Systems
FAT           MS-DOS, Windows NT, and OS/2
HPFS          OS/2 and Windows NT
NTFS          Windows NT

The File Allocation Table (FAT) File System

The FAT file system is widely used and supported by a variety of operating systems, such as MS-DOS, Windows NT, and OS/2. If you plan to dual boot your Windows NT Workstation computer with the MS-DOS operating system, the system partition must be formatted with the FAT file system.

FAT Naming Conventions

The MS-DOS FAT file and directory naming convention consists of up to three parts: a filename of up to eight characters, a period (.) separator, and a three-character extension. Windows NT 3.5 also records long filenames of up to 255 characters on FAT partitions, which is the figure in the table below; MS-DOS sees only the short 8.3 name. The following table describes some basic characteristics of the File Allocation Table on Windows NT 3.5.
Filename/Directory length   255
File Size                   4 GB (2^32 bytes)
Partition Size              4 GB (2^32 bytes)
Attributes                  Read-only, Archive, System, and Hidden
Directories                 Linked list*
Accessible Through          MS-DOS, OS/2, and Windows NT

* Linked list = To enable MS-DOS to locate a file, the file's directory entry contains its beginning FAT entry number. This FAT entry, in turn, contains the entry number of the next cluster if the file is larger than one cluster, or a marker that designates this as the last cluster. A file whose size implies that it occupies 10 clusters will have 10 FAT entries and 9 FAT links. This method of storing the information of files forms the linked list.

FAT File System Considerations

The following considerations are important in implementing a FAT file system:

* You cannot undelete a file on any of the supported file systems while running Windows NT, because undelete utilities access the hardware directly, which is not allowed under the Windows NT operating system. However, if the deleted file is on a FAT partition and the system is restarted under the MS-DOS operating system, it may be possible to undelete the file if it has not been written over.
* FAT has minimal file-system overhead (less than 1 MB).
* FAT is the most efficient file system for partitions smaller than 200 MB. Performance declines with large numbers of files, because FAT uses a linked list for the directory structure. If the amount of data in a file grows, the file becomes fragmented on the hard disk, and the process of retrieving the file from disk becomes slower.
* FAT is the required file system for the boot partition on ARC-compliant computers (the RISC processor-based computers supported by Windows NT).
* A FAT partition cannot be protected by the file or directory security features of Windows NT. Share permissions still control access from the network, but any user who can log on locally can read or change any file on the partition.

The High-Performance File System (HPFS)

HPFS is the same file system supported by OS/2. Windows NT provides no enhancements to the HPFS file system. It is typically used to ease the migration from OS/2 to Windows NT.
HPFS Naming Conventions

The following rules must be observed when naming files on HPFS partitions:

* HPFS supports long filenames up to 254 characters, with multiple extensions.
* The names preserve case, but are not case-sensitive.
* Names can contain any characters (including spaces) except the following: ? " / \ < > * | :

HPFS File System Considerations

The following considerations are important in implementing an HPFS file system:

* HPFS files with long filenames are not visible to Windows 16-bit and MS-DOS-based applications running under Windows NT, because short filenames are not created automatically.
* HPFS partitions are typically used to ease the migration from OS/2 to Windows NT.
* HPFS does not scale well to large drives. With drives larger than 400 MB, you might see some performance degradation.
* HPFS has approximately 2 MB of overhead in system files.
* An HPFS partition cannot be protected by the file or directory security features of Windows NT.

The following table describes some basic characteristics of the High Performance File System:

Filename/Directory length   254
File Size                   4 GB (2^32 bytes)
Partition Size              2 TB theoretical (2^41 bytes); 7.8 GB actual (due to disk geometry)
Attributes                  R, A, S, H* and Extended*
Directories                 B-tree*
Accessible Through          OS/2 and Windows NT

* R, A, S, H = Read-only, archive, system, hidden attributes
* Extended = Allows additional attributes, which are represented as text strings and can be used arbitrarily by applications. These extended attributes could be icons for the file, the names of the associated application, and so on.
* B-tree = The method in which HPFS searches for files. In a B-tree directory environment, the directory entries are stored alphabetically in the tree, and binary searches are used to find the target file in the directory list.

NT File System (NTFS)

NTFS is the preferred file system under Windows NT for a number of reasons, primarily security.
However, there may be cases where it is necessary to use another file system on the same computer as Windows NT Workstation. If the computer will be running another operating system, at least one partition must be formatted with a file system supported by that operating system. Only Windows NT supports NTFS.

* Another advantage of NTFS is that it has considerably larger partition capacities than the other file systems. Under NTFS, a file can be up to 16 exabytes in size.
* The minimum NTFS partition size is 5 MB.

Design Goals of NTFS

Here are some of the design goals of NTFS:

* Provide improved reliability (desirable for high-end computers and file servers).
  o NTFS is a recoverable file system because it keeps track of transactions against the file system. When CHKDSK is run on FAT or HPFS, it checks the consistency of the pointers within the directory, allocation, and file tables after the fact. NTFS instead logs all directory and file updates as they happen, and that log can be used to redo or undo operations that failed because of a system failure, power loss, and so on.
  o In addition, NTFS supports hot fixing, a fault-handling technique: if an error occurs because of a bad sector on the hard disk, the file system moves the information to a different sector and marks the original sector as bad. This is done transparently to any applications that are performing disk I/O; the application never knows that there was a problem with the hard drive.
* Support the Windows NT security model, so that permissions and auditing can be configured on files and directories.
* Remove the file and partition size limitations of the FAT and HPFS file systems. NTFS supports much larger file and partition sizes than the previous file systems.
* Support POSIX requirements.
NTFS is the most POSIX.1-compliant of the supported file systems because it supports the following POSIX.1 requirements:

* Case-sensitive naming - Under POSIX, README.TXT, Readme.txt, and readme.txt are all different files.
* Additional time stamp - The additional time stamp supplies the time at which the file was last accessed.
* Hard links - A hard link is when two different filenames, which can be located in different directories, point to the same data.

NTFS Naming Conventions

The following rules must be observed when naming NTFS files:

* File and directory names can be up to 255 characters long, including extensions.
* Names preserve case, but are not case-sensitive. NTFS makes no distinction between filenames based on case.
* Names can contain any characters (including spaces) except the following: ? " / \ < > * | :

NTFS File System Considerations

The following considerations are important in implementing an NTFS file system:

* Recoverability is designed into NTFS so that users will not have to run a disk repair utility on an NTFS partition.
* NTFS provides security on files and directories, but no file encryption.
* There is no way in which a deleted file can be undeleted on an NTFS partition.
* NTFS uses more system file overhead than FAT or HPFS.
* The recommended minimum partition size for an NTFS partition is 50 MB because of the overhead involved in using NTFS.
* It is not possible to format a floppy disk with NTFS because of the amount of overhead involved in NTFS.
* Fragmentation is greatly reduced on NTFS partitions. NTFS always attempts to locate a contiguous block of hard disk space large enough to hold the entire file being stored. Once on the drive, if a file grows in size, it could potentially become fragmented depending on the drive's disk space usage. To defragment the file, copy the file to another drive and then copy it back to the original drive.
When it is copied back to the original drive, NTFS will attempt to place it in a contiguous block on the drive.

The following table describes some basic characteristics of the NTFS File System:

Filename/Directory length   255
File Size                   16 EB (2^64 bytes)
Partition Size              16 EB (2^64 bytes)
Attributes                  Further extended*
Directories                 B-tree
Accessible Through          Windows NT

* Further extended = such as maintaining the file creation date and time, as well as the last modified date and time, for files and directories.

Converting to NTFS

If you have existing hard disk partitions that are FAT or HPFS, and wish to benefit from the enhanced features of NTFS, it is possible to convert the existing partition(s) to NTFS. Converting a partition from FAT or HPFS to NTFS preserves all data on the partition, unlike formatting the partition, which destroys all data. Windows NT includes an executable that converts FAT or HPFS partitions to NTFS. To convert a FAT or HPFS partition to an NTFS volume, use the CONVERT.EXE utility provided with Windows NT. Note that the conversion is a one-way process; there is no way to convert an NTFS volume to FAT or HPFS.

File System Advantages and Disadvantages

Here's a summary of the advantages and disadvantages of each of the file systems.

FAT
  Advantages:
  * Low system overhead.
  * Best for drives and/or partitions under about 200 MB.
  Disadvantages:
  * Using FAT with drives or partitions over 200 MB may decrease performance.
  * Cannot set permissions on files or directories.

HPFS
  Advantages:
  * Best for drives in the 200-400 MB range.
  * Attempts to avoid fragmentation by searching for a band that can hold the entire file.
  Disadvantages:
  * Not efficient for a volume of under 200 MB, because of the overhead involved.
  * Does not support hot fixing.
  * Cannot set file or directory permissions on Windows NT HPFS partitions.

NTFS
  Advantages:
  * Best for use on volumes of about 400 MB or more.
  * Recoverability (transaction logging) designed into NTFS is such that a user should never have to run any sort of disk repair utility on an NTFS partition.
  * It is possible to set permissions on files and directories.
  Disadvantages:
  * Not recommended for use on volumes smaller than 400 MB, because of the impact on performance.
  * Disk space overhead ranges from 1 to 5 MB depending on the size of the partition.

Long Filenames on FAT Partitions

Windows NT supports multiple file systems. As a result, you need to consider the differences in naming structures when transferring files from one file system to another. For every long filename (LFN) created on a Windows NT 3.5 FAT partition, there is an auto-generated short filename. This short filename complies with the 8.3 naming convention for backward compatibility and provides an "alias" for the long filename.

On FAT partitions, an LFN takes one directory entry for every 13 characters, plus another directory entry for its alias. For example, if a filename is 12 characters long, it will have one directory entry for the LFN and another for the alias. A 36-character LFN will take three directory entries for the LFN, plus another for its alias, for a total of four directory entries.

A directory entry is the listing in File Manager or a DIR command that displays all files and directories. Directory entries are used to store the LFN. Each LFN entry has the following attributes:

* Volume - A special attribute that designates the entry as a hard disk partition, as opposed to a file or directory.
* Read-Only - Allows only read privileges. You cannot write to the file.
* System - Identifies the file as a system file, not a normal user-accessible file.
* Hidden - Prevents the file from appearing in the directory listing.

No other MS-DOS filename entry will have all four of these attributes. A file may have RSH but would not also have a Volume attribute. Conversely, a Volume will not have RSH attributes. Having this special attribute combination should protect these entries from most disk utilities.
8.3 Namespace Under Windows NT 3.5 NTFS and FAT

Under Windows NT 3.5, long filenames are converted to 8.3 names to create an alias for supporting MS-DOS-based clients. This conversion takes the first 6 characters of the long name and uses a ~number suffix to keep the name unique. For example, in the graphic below, My Term Paper A.doc becomes MYTERM~1.DOC, and successive iterations would look like MYTERM~2.DOC, MYTERM~3.DOC, MYTERM~4.DOC.

After the fourth file with the same first 6 characters, the naming convention changes. The fifth attempt will use the first two characters of the long name, but the next four will be generated by a hashing algorithm. For example, after the fourth attempt, My Term Paper E.doc becomes MY0F58~5.DOC. Notice the last two characters are "~5". Only when the hashing of the middle 4 characters fails to produce a unique name will the ~5 be incremented to ~6, and so on. This method is used on both NTFS and FAT partitions to create aliases for long filenames.

Long and Short Filename Creation Considerations

If you are using HPFS, it is important to note that HPFS does not automatically generate short filenames. As a result, MS-DOS- and Windows 3.x-based applications will not be able to access files with long names on an HPFS partition, and dir /x will display a blank column where the 8.3 character-length filename is normally listed. By creating 8.3 character-length filenames for files, NTFS and FAT allow Windows 3.x- and MS-DOS-based applications to recognize and load these files even though they have long filenames.

Using COPY and XCOPY with Long Filenames

By default, COPY and XCOPY attempt to copy a file using its long filename. Therefore, when copying a file with a long filename from either HPFS or NTFS to FAT, the following error will occur if FAT long filenames are turned off:

The filename, directory name, or volume label syntax is incorrect.
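The naming rules from the HPFS and NTFS sections and the alias scheme just described, as an added example that is not part of the original document. The illegal-character set, the 254/255 length limits, the 13-characters-per-directory-entry rule and the ~1 to ~4 then two-characters-plus-hash sequence are taken from the text; the hash function used for the fifth attempt onward is an assumption made for this example, since the page does not give the Windows NT algorithm, so the middle four characters will differ from the MY0F58 shown above.

```python
# Added example, not from the original document: a model of the naming rules and the
# 8.3 alias scheme described in the text. The hash step is an assumption made here;
# the actual Windows NT hashing algorithm is not given on the page.
import hashlib
import math

# Characters that HPFS and NTFS names may not contain (from the naming conventions).
ILLEGAL_CHARS = set('?"/\\<>*|:')
# Maximum name lengths given on the page.
MAX_NAME_LEN = {"HPFS": 254, "NTFS": 255}


def validate_name(fs, name):
    """Return None if `name` is legal on file system `fs`, otherwise a reason string."""
    if fs not in MAX_NAME_LEN:
        return "unknown file system"
    if not name.strip():
        return "empty name"
    if len(name) > MAX_NAME_LEN[fs]:
        return "name longer than %d characters" % MAX_NAME_LEN[fs]
    bad = sorted(ILLEGAL_CHARS.intersection(name))
    if bad:
        return "illegal character(s): " + " ".join(bad)
    return None


def names_collide(a, b):
    """Names preserve case but are not case-sensitive, so these two would be the same file."""
    return a.lower() == b.lower()


def lfn_directory_entries(name):
    """Directory entries an LFN costs on a FAT partition: one per 13 characters, plus one for the alias."""
    return math.ceil(len(name) / 13) + 1


def _clean_8_3(s):
    """Upper-case and drop spaces, dots and illegal characters, which an 8.3 name cannot hold."""
    return "".join(c for c in s.upper() if c not in ILLEGAL_CHARS and c not in " .")


def short_alias(long_name, existing):
    """Generate an 8.3 alias for `long_name` that is not already in `existing`.

    Attempts 1-4 use the first six characters plus ~1 .. ~4. From the fifth attempt on,
    the alias is the first two characters, four hash characters and ~5, and the number
    is incremented only when the hashed name itself is still taken.
    """
    base, dot, ext = long_name.rpartition(".")
    if not dot:
        base, ext = long_name, ""
    base_clean = _clean_8_3(base)
    ext_clean = _clean_8_3(ext)[:3]
    suffix = "." + ext_clean if ext_clean else ""
    for n in range(1, 5):
        candidate = "%s~%d%s" % (base_clean[:6], n, suffix)
        if candidate not in existing:
            return candidate
    # Assumed hash for the example (NT's own function is not documented on the page).
    hashed = hashlib.md5(long_name.upper().encode("utf-8")).hexdigest().upper()[:4]
    n = 5
    while True:
        candidate = "%s%s~%d%s" % (base_clean[:2], hashed, n, suffix)
        if candidate not in existing:
            return candidate
        n += 1


def alias_sequence(long_names):
    """Assign aliases to `long_names` in order, as if the files were created one after another."""
    existing = set()
    aliases = []
    for name in long_names:
        alias = short_alias(name, existing)
        existing.add(alias)
        aliases.append(alias)
    return aliases
```

Running alias_sequence over "My Term Paper A.doc" through "My Term Paper E.doc" yields MYTERM~1.DOC to MYTERM~4.DOC followed by a MY????~5.DOC name, and the ~5 only advances to ~6 if that hashed name is already taken.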
When using COPY or XCOPY to copy from an NTFS partition to a FAT partition, consider using the /n switch. This switch has COPY or XCOPY use the short 8.3 NTFS-generated filename when copying the file from an NTFS partition. When copying a file from an HPFS partition to a FAT partition that has long filenames turned off, the file will have to be renamed, since HPFS does not generate short filenames.

Case Sensitive Filenames

NTFS supports case-sensitive names, a requirement of POSIX. However, MS-DOS, Win16, OS/2, and the Win32® application programming interface do not currently support case-sensitive naming. Therefore, applications running in any of these environments may be confused by files with case-sensitive names.

Using Disk Administrator

Disk Administrator is a graphical tool for managing hard disk drives. This tool encompasses and extends the functionality of character-based disk management tools, such as MS-DOS Fdisk and the Fault Tolerance character-based applications of the Microsoft LAN Manager local area network software, into one graphical interface. Primarily, it is used to set up, configure, and organize the system's hard disk(s) to function more efficiently. Disk Administrator displays the system's disk resources through a status bar and legend. The legend can be customized with colors and patterns to display disk regions and types of disk usage.

Creating and Formatting Partitions

Disk Administrator provides a simple way to manage disks by giving administrators the ability to create, format, and delete partitions within a graphical application. As you recall, partitioning the hard disk on a new computer is performed during initial setup when you install Windows NT. After Windows NT is installed, use Disk Administrator to make changes to the computer's hard disks or to partition a new hard disk. Keep in mind that a disk must be partitioned before it can be formatted with a file system.
A disk partition is a portion of a physical disk that functions as if it were a physically separate unit. For example, one hard disk could be partitioned to function as if it were two disks.

Windows NT Resource Security Model

Windows NT protects its resources, including files, printers, and applications, by controlling access to them. For a resource to be protected or secured, the resource must be accessible to authorized users and inaccessible to unauthorized users. There are two basic approaches to resource security. One method associates an access code with each resource: any user who knows the code receives access. Another method associates users with resources: any user who is granted permission to the resource receives access. In Windows NT, users are associated with a resource.

Windows NT Objects

All Windows NT resources are represented as objects that can be accessed only by authorized Windows NT services and users. An object in Windows NT is defined as a set of data used by the system, and the set of actions that manipulate that data. For example, a file object consists of data stored in a file and a set of functions that allow you to read, write, or delete data in that file. This definition can be applied to any object used by the system, including memory, printers, or processes. Everything in Windows NT is represented to the operating system as an object. The following are examples of Windows NT objects:

* Directories
* Symbolic links
* Printers
* Processes
* Network shares
* Ports
* Devices
* Windows
* Files
* Threads

Access Control Lists

All functions used to access an object (for example, opening a file) are directly associated with a specific object. In addition, the users and groups that are permitted to use the function are also associated with the object. Only users with the appropriate rights are allowed to use functions on an object.
As a result, functions from one process cannot access objects that belong to another process. This characteristic of objects provides built-in security. Access to each object is controlled through an Access Control List (ACL). The ACL contains the user (and group) accounts that have access and permissions to the object. When a user wants to access an object, the system checks the user's security identifier and group memberships against the ACL to determine whether or not this user is allowed to complete the request.

Access Control Entries

Every user of the system needs to have a user account, which can be added to resource access control lists. This includes applications and services that need to access resources, as well as people. When an administrator grants access to a resource, the user account is added to the ACL for that resource along with any specific permissions. For example, User-1 has read permission to a file, while User-2 has read, write, and delete permissions to the same file. These ACL entries are called Access Control Entries (ACEs). Each entry identifies a user or group and the permissions that have been granted or denied for the object. An ACE is added to the ACL for each user or group that is granted or denied access to an object. Entries that deny access are listed first in the ACL, and entries that permit access are listed next. The only time this order is changed is if a company has written its own application that edits the ACL of a resource. In this case, they can place the ACE anywhere in the ACL they wish.

Securing Access to Resources

Access to resources begins with the user logging on. Windows NT requires that users log on before they can access any resources. When a user successfully logs on, he or she receives an access token that remains with the user's processes until logging off. Each time the user attempts to access a resource, the access token is compared to the resource's ACL to determine whether access is granted or denied.
Mandatory Logon

Windows NT requires each user to provide a unique username and password to log on to a computer. This mandatory logon process cannot be disabled. When a user logs on to Windows NT, the security subsystem creates an access token for the user. The access token includes information such as the user's name and the groups to which the user belongs. Access to the system is allowed after the user has received this access token. During the time a user is logged on to a system, he or she is identified to the system by this access token.

Access Tokens

When a user's process attempts to access any object, Windows NT checks the user ID and list of groups in the user process's access token against the object's Access Control List (ACL). This check determines whether the user is granted the requested access to the object. The access token is permanently attached to each of the user's processes and serves as the process's "identity card" whenever it attempts to use system resources. Access tokens are objects and have attributes and services just like any other system object.

Security IDs

Even though user and group identifications are represented here as names, the computer actually stores this information as a security identifier (SID) and group security identifiers (group SIDs). A SID is a unique identifier used to represent a user, group, or some type of security authority. SIDs are used within access tokens and ACLs instead of usernames or group names. A SID is represented as a unique number, such as:

S-1-5-21-76965814-1898335404-322544488-1001

The result of identifying users by SIDs is that the same user account name may be created multiple times on the same computer, but each instance of the account name will have a unique SID. For example, suppose you have a user account for User-1. If you delete this account and create a new account for User-1 using the same name, the new account will not have access to the same resources as the old account.
This is a result of the SID being different, even when the account name is the same.

Checking Permissions

Windows NT compares the information in the access token to the information in the ACL to determine whether or not access should be granted. When a user attempts to access a resource on the system, the security subsystem compares the user's access token to the ACL to validate or deny the requested permission to the resource. It goes through the following steps:

1. Starting at the top of the ACL, it checks each Access Control Entry (ACE) to see if it explicitly denies the user (or any of the groups that appear in the user's access token) the type of access that is being requested.
2. It checks to see if the type of access requested has been explicitly granted to the user or any of the groups in the user's access token.
3. It repeats steps 1 and 2 for each entry in the ACL until either it has encountered a deny, or it has accumulated all the necessary permissions to grant the requested access.
4. If neither a deny nor a grant appears in the ACL for each of the requested permissions, the user is denied access.

Optimizing Permission Checking

When Windows NT grants access to an object, what it really does is give the user's process a pointer (handle) to the object. A handle is an identifier used internally by the system to identify and access a resource. The system also creates a list of allowed permissions, called the list of granted access rights. This information is then stored in the user's process. In this way, an ACL is only checked when the object is initially opened. Subsequent actions performed on an opened object are checked against the list of granted access rights that has been stored in the user's process table for that handle.
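The access check described in the Security IDs, Checking Permissions and Optimizing Permission Checking sections, as an added example that is not part of the original document. It models tokens and ACEs keyed by SID (so a re-created account with the same name but a new SID no longer matches), walks the ACL with deny entries first, accumulates grants until the requested permissions are covered, treats anything left over as an implicit deny, and then checks later operations against the handle's granted access rights rather than the ACL. The SID values, the READ/WRITE/DELETE bit assignments and the object names are constructed for the example.

```python
# Added example, not from the original document: a model of the Windows NT access
# check described in the text. SIDs, permission bits and object names are constructed.
from collections import namedtuple

# Permission bits (constructed; the page names read, write and delete permissions).
READ, WRITE, DELETE = 1, 2, 4

# An Access Control Entry: the SID it applies to, "deny" or "allow", and a permission mask.
ACE = namedtuple("ACE", "sid kind mask")
# An access token: the user's SID plus the SIDs of the groups the user belongs to.
Token = namedtuple("Token", "user_sid group_sids")


def order_acl(acl):
    """Windows NT lists deny entries before allow entries; sort a constructed ACL that way."""
    return sorted(acl, key=lambda ace: 0 if ace.kind == "deny" else 1)


def check_access(token, acl, requested):
    """Return (granted, reason) following the four steps on the page.

    Walk the ACL from the top. An explicit deny covering any requested bit ends the check;
    allow entries accumulate until every requested bit is covered. Anything still
    uncovered at the end is an implicit deny.
    """
    subject_sids = {token.user_sid, *token.group_sids}
    granted = 0
    for ace in acl:
        if ace.sid not in subject_sids:
            continue                      # ACE is for some other user or group
        if ace.kind == "deny" and ace.mask & requested:
            return False, "explicit deny for %s" % ace.sid
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True, "all requested permissions granted"
    return False, "no explicit grant for some requested permission (implicit deny)"


class Handle:
    """A handle records the access granted at open time; later operations are checked against it."""
    def __init__(self, name, granted_mask):
        self.name = name
        self.granted_mask = granted_mask


def open_object(token, name, acl, requested):
    """The ACL is consulted only here, when the object is opened."""
    ok, reason = check_access(token, acl, requested)
    if not ok:
        raise PermissionError("%s: %s" % (name, reason))
    return Handle(name, requested)


def operation_allowed(handle, needed):
    """Subsequent operations are checked against the handle's granted access rights, not the ACL."""
    return handle.granted_mask & needed == needed


def run_acl_demo():
    # Constructed SIDs in the S-1-5-21-... format shown on the page.
    user1_old = "S-1-5-21-76965814-1898335404-322544488-1001"
    user1_new = "S-1-5-21-76965814-1898335404-322544488-1002"   # User-1 deleted and re-created
    user2 = "S-1-5-21-76965814-1898335404-322544488-1003"
    group_temps = "S-1-5-21-76965814-1898335404-322544488-2001"
    acl = order_acl([
        ACE(user1_old, "allow", READ),
        ACE(user2, "allow", READ | WRITE | DELETE),
        ACE(group_temps, "deny", DELETE),
    ])
    results = {}
    t1 = Token(user1_old, [])
    results["user1_read"] = check_access(t1, acl, READ)[0]              # True
    results["user1_write"] = check_access(t1, acl, WRITE)[0]            # False, implicit deny
    t2 = Token(user2, [group_temps])
    results["user2_write"] = check_access(t2, acl, WRITE)[0]            # True
    results["user2_delete"] = check_access(t2, acl, DELETE)[0]          # False, group deny wins
    results["recreated_user1_read"] = check_access(Token(user1_new, []), acl, READ)[0]  # False, new SID
    h = open_object(t2, "report.txt", acl, READ | WRITE)
    results["handle_write"] = operation_allowed(h, WRITE)               # True, granted at open
    results["handle_delete"] = operation_allowed(h, DELETE)             # False, not requested at open
    return results
```

The last two results show why a handle opened for read and write cannot later be used to delete even though the ACL would permit User-2 to delete: the granted access rights are fixed when the object is opened, so a process that needs another permission has to open the object again and go through the ACL check.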
Windows NT Network Architecture

A significant difference between the Microsoft Windows NT operating system and other operating systems is that networking capabilities are built into Windows NT. With MS-DOS, Windows 3.x, and OS/2, networking was added on top of the operating system. By providing both client and server capabilities within Windows NT, your computer is able to participate with other network computers to share files, printers, and applications. A Windows NT-based computer can participate as either a client or a server in a distributed application environment, as well as in a peer-to-peer networking environment.

Windows NT provides the ability to interoperate in many different network environments simultaneously from a single Windows NT computer. The following networking environments are supported by Windows NT:

* Microsoft networks, including Windows NT Server 3.5, Windows NT 3.1, Windows for Workgroups, LAN Manager, and other networks based on the Microsoft Networks local area network operating system.
* Novell® NetWare®
* Transmission Control Protocol/Internet Protocol (TCP/IP) hosts (including UNIX® environments)
* Apple® Macintosh AppleTalk®
* Remote Access clients

Components and Interfaces

To support this diverse network interoperability, Windows NT provides modular network components. This means a network component, such as a network protocol, can be replaced with a newer version without affecting the other networking components. In addition, new components can be integrated with the default networking components to provide increased interoperability with other network operating systems. Windows NT networking components can be organized into three categories: file system drivers, transport protocols, and network adapter card drivers. Each plays a distinctive role. These components communicate with each other through interface layers known as boundary layers.
Boundary layers translate data into a format the receiving component understands. The boundary layers include programming interfaces, the Transport Driver Interface (TDI), and NDIS 3.0.

Network Components and OSI

The Windows NT networking components and the boundary layers can be compared to the seven-layer OSI model.

File system drivers access system resources, such as an I/O call to an NTFS partition or a network file. They operate at the Application and Presentation layers of the OSI model, receiving input from user-mode applications. FAT, HPFS, and NTFS each have their own file system driver for local file partitions. In addition, there are several file system drivers for use in a network environment.

Transport protocols define the rules governing communications between two computers. They operate at the Data Link layer and typically cover responsibilities up to the Session layer in the OSI model. Each transport protocol has advantages and disadvantages in its implementation, although it is possible to install and run several protocols at once.

Network adapter card drivers coordinate communication between the network adapter card and the computer's hardware and software. For every network adapter card, there is a network adapter card driver. These drivers must be NDIS 3.0 compliant to operate with Windows NT. Network adapter card drivers operate at the Media Access Control sublayer, while the card itself represents the Physical layer of the OSI model.

Boundary Layers

A boundary is the unified interface between the layers in the Windows NT network architecture model. Creating boundaries as breakpoints in the network layers helps open the system to outside development. It makes it easier for vendors to develop network drivers and services, since the functionality that must be implemented between the layers is well defined. Vendors only need to program between the boundary layers instead of writing to the entire OSI model.
Boundary layers eliminate the need for rewriting software written for adjacent layers by allowing software to be mixed and matched.

Programming Interfaces

Programming interfaces provide a means of communicating over the network. There are several programming interfaces available. Windows NT supports NetBIOS, Windows Sockets, Remote Procedure Calls, and Network Dynamic Data Exchange (NetDDE).

Transport Driver Interface (TDI)

The TDI boundary layer provides a common interface for a file system driver, such as a redirector or server, to communicate with the various network transports. This allows redirectors and servers to remain independent of transports.

NDIS 3.0 (Network Driver Interface Specification)

The NDIS 3.0 boundary layer provides the interface to the NDIS wrapper and network adapter card drivers. All transport protocols call the NDIS interface to access network adapter cards. NDIS is a standard that allows multiple network adapters and multiple protocols to coexist in a single computer. NDIS permits the high-level protocol components to be independent of the network interface card by providing a standard interface. The network adapter card driver is at the very bottom of the Windows NT network architecture. Since Windows NT supports NDIS 3.0, it requires network adapter card drivers written to the NDIS 3.0 specification. NDIS 3.0 allows an unlimited number of network adapter cards in a computer and an unlimited number of protocols that can be bound to a single adapter card. Boundary layer components are examples of the modular Windows NT network components.

Components Built into Windows NT

At the center of the Windows NT networking environment are the components that provide the user with the ability to create and access resources across the network. Windows NT networking components, from the bottom layer going up, include:

* Transport protocols (DLC, NetBEUI, NWLink IPX/SPX, and TCP/IP).
* File System Drivers.
  o Named pipes (NPFS) and mailslots (MSFS) provide inter-process communication (IPC) over a network.
  o The Server (SRV) and Workstation (RDR) services provide file and print sharing. The Server allows resources to be made available on a network, and the Workstation provides the ability to access network resources.
* Programming Interfaces (NetBIOS, Windows Sockets, RPC, NetDDE).
* The Multiple UNC Provider (MUP) and Multi-Provider Router (MPR). The MUP and the MPR make it possible to write applications that use a single API to communicate on the network using any network vendor's redirector. These are helper components that determine which file system driver to use when a network request is made.

Windows NT Network Protocols

Above the NDIS wrapper are the transport protocols. Windows NT ships with four transport protocols: NWLink, TCP/IP, NetBEUI, and DLC.

NetBEUI

NetBEUI stands for NetBIOS Extended User Interface and was first introduced by IBM in 1985. NetBEUI was developed for small departmental LANs of 20 to 200 computers. It was assumed that these LANs would be connected by gateways to other LAN segments and mainframes. NetBEUI's primary disadvantage is that it cannot be routed, so it must be connected using bridges and not routers. As such, it is primarily used in a local area network consisting mainly of Microsoft clients and servers, including LAN Manager.

NWLink IPX/SPX

NWLink is an IPX/SPX-compatible protocol for Windows NT. It can be used to establish connections between Windows NT-based computers and MS-DOS-, OS/2-, Windows-, or other Windows NT-based computers through a variety of communication mechanisms. It is often used in environments that consist of both Microsoft and Novell networks, in which the Microsoft clients need access to resources on NetWare file servers. NWLink is simply a protocol. By itself, it does not allow a Windows NT computer to access files or printers on a NetWare server, or to act as a file or print server to a NetWare client.
To access files or printers on a NetWare server, you must use a redirector, such as Microsoft Client Service for NetWare (CSNW) or Novell NetWare Client for Windows NT.

TCP/IP

TCP/IP stands for Transmission Control Protocol/Internet Protocol and is an industry-standard suite of protocols designed for wide-area networking. It was developed in 1969 as the result of a Defense Advanced Research Projects Agency (DARPA) research project on network interconnection. TCP/IP is commonly used in wide area networks that consist of a variety of network hosts. DARPA developed TCP/IP to connect its research networks together. This combination of networks continued to grow and now includes many government agencies, universities, and corporations. This global wide area network is referred to as the Internet. In Windows NT, TCP/IP allows users to connect to the Internet as well as to any machine running TCP/IP and providing TCP/IP services.

DLC

DLC stands for Data Link Control. Unlike the other protocols in Windows NT (NetBEUI, NWLink IPX/SPX, TCP/IP), the DLC protocol is not designed to be a primary protocol for use between personal computers, as it does not provide a NetBIOS interface. DLC only provides applications with direct access to the data link layer, and thus is not used by the Windows NT redirector. Since the redirector cannot use DLC, this protocol is not used for normal session communication between Windows NT-based computers. DLC needs to be installed only on the computers performing the above tasks, and not on the other computers on the network. An example would be a print server sending data to a network HP® printer. Client computers sending print jobs to the network printer do not need to be using the DLC protocol; only the print server communicating directly with the printer needs the DLC protocol installed.

IPC Mechanisms for Distributed Processing

In distributed computing, the computing task is divided into two sections, a client component and a server component.
The goal is to move the actual application processing from the client computer to a server system with the power to run large applications. Windows NT-based computers can perform the role of either the client or the server for distributed application support.

IPC Client

The client component of a client-server application is typically the user interface for the application. It runs on the client computer and uses a smaller amount of computing power than the server application, but typically requires a lot of network bandwidth to communicate with the server component.

IPC Server

The server component of a client-server application typically requires larger amounts of data storage, computing power, or specialized hardware. It includes operations such as database lookups and updates, or mainframe data access.

Interprocess Communication (IPC) Mechanisms

There must be a network connection between the client and server portions of distributed applications that allows data to flow in both directions. There are a number of different ways to establish this connection. Windows NT provides several different Interprocess Communication (IPC) mechanisms. Included are:

* Named Pipes File System (NPFS)
* Mailslots File System (MSFS)
* NetBIOS
* Windows Sockets
* Remote Procedure Calls (RPC)
* Network Dynamic Data Exchange (NetDDE)

Named Pipes

Named pipes provide connection-oriented messaging services that allow applications to share memory over the network. Windows NT provides a special application programming interface (API) which increases security when using named pipes. One feature added to named pipes is impersonation. When using impersonation, the server can change its security identifier to that of the client at the other end of the connection. For example, suppose a database server system uses named pipes to receive read and write requests from clients.
When a request comes in, the database server program can impersonate the client before attempting to perform the request. Thus, if the client does not have the authority to perform the function, the request would be denied, even though the server program might have the proper permissions to complete the task.

Mailslots

Mailslots are used to provide connectionless messaging services on a local area network. Windows NT implements second-class mailslots, which are used most commonly for the following:

* Registration of computer, workgroup or domain, and user names on the network
* The Computer Browser service
* Sending broadcast messages to computers or users

Programming Interfaces

The following programming interfaces provide communication between user-mode applications and file system drivers.

NetBIOS

NetBIOS is a standard programming interface in the personal computer environment for developing client-server applications. NetBIOS has been used as an IPC mechanism since the introduction of the interface in the early 1980s. From a programming perspective, higher-level interfaces such as named pipes and RPC are superior in their flexibility and portability. A NetBIOS client-server application can communicate over various protocols: NetBEUI protocol (NBF), NWLink NetBIOS (NWNBLink), and NetBIOS over TCP/IP (NetBT). The NetBIOS interface provides the NetBIOS mapping layer between NetBIOS applications and the TDI-compliant protocols.

Windows Sockets

The Windows Sockets API provides a standard Windows interface to many transports with different addressing schemes, such as TCP/IP and IPX. The Windows Sockets API was developed to accomplish two things. One was to migrate the sockets interface, developed at the University of California, Berkeley in the early 1980s, into the Windows and Windows NT environments. The other was to help standardize an API for all platforms. Windows NT provides Windows Sockets support on both the NWLink and TCP/IP transport protocols.
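The named-pipe impersonation scenario from the Named Pipes section, as an added example that is not part of the original document. A database server that holds read and write rights on a record services requests from two clients; with impersonation, the request runs under the client's SID and a read-only client's write is denied, while without impersonation the same write succeeds because the server's own rights are applied. The pipe itself is represented by plain function calls, and the SIDs, record name and per-SID permissions are constructed for the example.

```python
# Added example, not from the original document: a model of the named-pipe impersonation
# described in the text. SIDs, the record table and the pipe are constructed stand-ins.
from contextlib import contextmanager

# Constructed SIDs in the format shown on the page.
SERVER_SID = "S-1-5-21-76965814-1898335404-322544488-1100"   # the database service account
CLIENT_A = "S-1-5-21-76965814-1898335404-322544488-1001"     # a read-only user
CLIENT_B = "S-1-5-21-76965814-1898335404-322544488-1002"     # a read/write user

# Per-record permissions: which SIDs may perform which operations (constructed).
RECORDS = {
    "salaries": {
        SERVER_SID: {"read", "write"},
        CLIENT_A: {"read"},
        CLIENT_B: {"read", "write"},
    },
}


class DatabaseServer:
    """Receives requests over a (modelled) named pipe and performs them on RECORDS."""

    def __init__(self, service_sid):
        self.service_sid = service_sid
        self.effective_sid = service_sid      # identity the server thread currently runs as

    @contextmanager
    def impersonate(self, client_sid):
        """Adopt the client's identity for the duration of the request, then revert."""
        previous = self.effective_sid
        self.effective_sid = client_sid
        try:
            yield
        finally:
            self.effective_sid = previous     # revert even if the operation raised

    def _perform(self, record, operation):
        """Access check against the identity the server is running as right now."""
        allowed = RECORDS.get(record, {}).get(self.effective_sid, set())
        return "OK" if operation in allowed else "ACCESS_DENIED"

    def handle_request(self, client_sid, record, operation, impersonate_client=True):
        """Service one request that arrived on the pipe from `client_sid`."""
        if impersonate_client:
            with self.impersonate(client_sid):
                return self._perform(record, operation)
        # Without impersonation the check runs with the server's own, broader rights.
        return self._perform(record, operation)


def run_pipe_demo():
    server = DatabaseServer(SERVER_SID)
    return {
        "a_read_impersonated": server.handle_request(CLIENT_A, "salaries", "read"),
        "a_write_impersonated": server.handle_request(CLIENT_A, "salaries", "write"),
        "b_write_impersonated": server.handle_request(CLIENT_B, "salaries", "write"),
        "a_write_no_impersonation": server.handle_request(
            CLIENT_A, "salaries", "write", impersonate_client=False),
        "server_identity_restored": server.effective_sid == SERVER_SID,
    }
```

The contrast between a_write_impersonated (denied) and a_write_no_impersonation (allowed) is the point of the passage: a server that performs requests under its own identity lets every client act with the server's permissions, while impersonation makes the client's own rights the limit.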
Remote Procedure Calls (RPC)

The RPC mechanism can use other IPC mechanisms to establish communications between the computers on which the client and the server portions of the application exist. If the client and server are on the same computer, the Local Procedure Call (LPC) mechanism can be used to transfer information between processes and subsystems. This makes RPC the most flexible and portable IPC choice. The components of the remote procedure call mechanism are:

* Remote Procedure Stub - Packages remote procedure calls to be sent to the server by means of the RPC runtime.
* RPC Runtime - Responsible for communications between the local and remote computer, including the passing of parameters.
* Application Stub - Accepts RPC requests from the RPC Runtime, unwraps the package, and makes the appropriate call to the remote procedure.
* Remote Procedure - The actual procedure that is called over the network.

The remote procedure call facility provided in Windows NT is compatible with the Open Software Foundation's (OSF) Distributed Computing Environment (DCE) specification. Windows NT workstations can use RPC to interoperate with any other workstations that support this standard.

Network Dynamic Data Exchange (NetDDE)

NetDDE provides information-sharing capabilities by opening two one-way pipes between applications. NetDDE is an extension of Dynamic Data Exchange (DDE) that can be used between two computers across the network. By default, the NetDDE services are not started automatically. They can be started using the Services option in Control Panel.

File and Print Sharing Components

The ability to use and share file and print resources is accomplished primarily by two Windows NT components: Workstation (RDR) and Server (SRV). Both the Workstation and Server execute as 32-bit services. These services are implemented as File System Drivers (FSDs). There is an FSD for each of the file systems (FAT, HPFS, NTFS, CDFS) as well as for the Workstation and Server services.
The Workstation Service

The Workstation service of a Windows NT computer allows that computer to access resources on the network, including the ability to log on to a domain, connect to shared directories and printers, and use client-server applications over the network. All user mode requests go through the Workstation service. This service consists of two components:

* The user-mode interface (such as File Manager connections or net use commands).
* The redirector (RDR.SYS) - The redirector provides file system and print service translation to access remote drives and printers.

Workstation Service Dependencies

The Workstation service is dependent on the following components:

* A protocol that exposes the TDI interface at its top level must be started for the Workstation service to load.
* The Multiple Universal Naming Convention Provider (MUP).

The Workstation Service (Redirector) as a File System Driver

The redirector is the component through which one computer gains access to another computer. The Windows NT redirector allows connection to Windows NT, Windows for Workgroups, LAN Manager, LAN Server, and other Microsoft Networks servers. The redirector communicates with the protocols via the TDI interface.

Accessing a Remote File

When a process on a Windows NT computer tries to open a file that resides on a remote computer, the following steps occur:

* The process calls the I/O Manager to request that the file be opened.
* The I/O Manager recognizes that the request is for a file on a remote computer, so it passes it to the redirector file system driver.
* The redirector passes the request to lower-level network drivers that transmit it to the remote Server for processing.

The Server Service

The Windows NT Server service allows a Windows NT computer to create and secure shared resources, such as directories and printers, and to function as a server in a client-server application.
Like the redirector, the Server service is implemented as a file system driver and directly interacts with various other file system drivers to satisfy I/O requests such as reading or writing to a file. The Server service processes the connections requested by client redirectors, and provides them with access to the resources they request. Like the Workstation service, the Server service is composed of two parts:

* Server service - A service that runs in the SERVICES.EXE process. Unlike the Workstation service, it is not dependent on the MUP, since the Server is not a UNC provider. It does not attempt to connect to other computers; other computers connect to it.
* SRV.SYS - A file system driver that handles the interaction with the lower layers and interacts directly with various file system devices to satisfy command requests, such as file read and write.

Multiple Universal Naming Convention Provider (MUP)

It is possible to have more than one redirector installed on the system for use with other network operating systems such as NetWare. Applications reside above the redirector and server services in user mode. Like all other layers in the Windows NT networking architecture, there is a single unified interface to access network resources, independent of the redirector(s) installed on the system. This is done through two components: MUP and the Multi-Provider Router (MPR). The MUP provides a communication link between applications that make UNC calls and the redirectors installed on the system; it is the component that finds out which redirector should receive a UNC call from an application. The MPR provides a communication link between applications that make Win32 Network API calls and the redirectors installed on the system. When applications make I/O calls containing UNC names, these requests are passed to MUP. MUP selects the appropriate UNC provider (redirector) to handle the I/O request.
Universal Naming Convention (UNC) Names

The UNC is a naming convention for describing network servers and share points on those servers. UNC names start with two backslashes followed by the server name. All other fields in the name are separated by a single backslash. A typical UNC name would appear as:

\\server\share\subdirectory\filename

Not all of the components of the UNC name need to be present with each command; only the server and share components are required. For example, dir \\server\share can be used to obtain a directory listing of the root of the specified share.

Why MUP?

One of the major design goals for networking in the Windows NT environment was to provide a uniform platform upon which vendors could build networking services. MUP is a vital part in allowing multiple redirectors to coexist in the computer at the same time. MUP frees applications from maintaining UNC provider listings themselves. This allows a client computer to have multiple redirectors loaded, and to use File Manager to browse and access network resources without having to provide a unique syntax for each network redirector.

The Multi-Provider Router (MPR)

The MPR provides a communication layer between applications that make Win32 Network API calls and the redirectors installed on the system. Not all programs use UNC names in their I/O requests. Some applications use the WNet APIs (the Win32 network APIs). The Multi-Provider Router (MPR) was created to support these applications. MPR is very much like MUP. This layer receives WNet commands, determines the appropriate redirector, and passes the command to that redirector. Since different network vendors use different interfaces for communicating with their redirectors, there is a series of provider DLLs between the MPR and the redirectors. The provider DLLs expose a standard interface so that MPR can communicate with the provider, and they know how to take the request from MPR and communicate it to their corresponding redirector.
The provider DLLs are supplied by the network vendor that wrote the redirector and should be installed automatically when the redirector is installed.

------------------------------------------------------------------------

Introduction to the Browser Service

To efficiently share resources across a network, users should be able to find out what resources are available. Windows NT provides the Computer Browser service to display a list of currently available resources. The Microsoft Windows NT Computer Browser service provides a centralized location for a list of available network resources. This list is distributed to specially assigned computers that, along with their other normal services, perform browsing services. "Browser" computers eliminate the need for all computers to maintain a list of all shared resources on the network. The Browser service lowers the amount of network traffic needed to build and maintain a list of all shared resources on the network by assigning the browser role to specific computers. This also frees the CPU time each computer would otherwise have spent creating a network resource list.

Browser Server Roles

The responsibility of providing a list of network resources to clients is distributed among multiple computers on a network. The browsing roles of these computers are known to the Browser service as Potential Browser, Master Browser, Backup Browser, and Browser Client (Non-Browser). Both Windows NT 3.5 Workstation and Windows NT 3.5 Server computers can perform any of these roles. These computers collect and maintain a list of available network resources. These roles are defined below:

Master Browser

The Master Browser is the computer that maintains the master copy of the network resource list, and is responsible for collecting the information used to create the list. It is also responsible for distributing the browse list to the Backup Browsers.
Preferred Master Browser

An administrator can configure a specific computer to be the Preferred Master Browser. When this computer is started, it will designate itself as the Master Browser for the domain or workgroup. If there is already a Master Browser, and other computers were up and running in the workgroup before this one was turned on, the Preferred Master Browser forces an "election." The election process ensures that there will be only one Master Browser per workgroup or domain, and results in the Preferred Master Browser assuming the role of Master Browser. A Preferred Master Browser will not win an election over a Primary Domain Controller, as a PDC always functions as the Master Browser of the domain. More about the election process is covered later in this chapter.

Backup Browsers

A Backup Browser is a computer that receives a copy of the network resource list from the Master Browser. It then distributes the list to the Browser clients upon request.

Potential Browser

A Potential Browser is a computer that is capable of maintaining a network resource (browse) list, but will not do so unless instructed to by a Master Browser.

Non-Browser

A Non-Browser is a computer that has been configured so that it will not maintain a network resource (browse) list. Client computers are commonly Non-Browsers.

The Browse Process

The Windows NT Computer Browser service operates in the following manner:

1. After startup, all computers that are running the Server service announce their presence to the Master Browser in their workgroup or domain. This happens regardless of whether they have shared resources to advertise.
2. The first time a client computer attempts to locate available network resources, it contacts the Master Browser for the domain or workgroup for a list of Backup Browsers.
3. The client then requests the network resource list from a Backup Browser.
4. The Backup Browser responds to the requesting client with a list of domains and workgroups and the list of servers local to the client's domain or workgroup.
5. The user at the client selects either a local server or a domain or workgroup to view the available servers.
6. Finally, the user selects the appropriate server, searches for the desired resource, and contacts that server to establish a session and use the resource.

For example, a Windows NT Workstation computer that belongs to a domain is turned on (Step 1). A domain user logs on to the domain and starts File Manager. The user chooses the Connect Network Drive button on the toolbar and sees "Working..." in the Shared Directories box (Steps 2, 3, and 4). The user sees a list of workgroups and domains and selects the domain to expand the list of computers (Step 5). Then the user selects one of the computers and expands the list of available shared directories on that computer (Step 6).

Browser Criteria

Browser criteria determine the hierarchical order of the different types of computer systems in the workgroup or domain. Each Browser computer has a criteria value, depending on the type of system it is. The criteria include:

* The operating system
* The operating system version
* Its current role in the browsing environment

The criteria ranking is used during an election. An election is a "voting" process for determining which computer should be the Master Browser when the current Master Browser is determined to be unavailable.

The Browser Election Process

The election process ensures that only one Master Browser exists per workgroup or domain. An election is initiated by a computer when any of the following occurs:

* A client computer cannot locate a Master Browser.
* A Backup Browser attempts to update its network resource list and cannot locate the Master Browser.
* A computer that has been designated as a Preferred Master Browser comes online.
Any of these computers can initiate an election by broadcasting a special packet called an election packet. This election packet contains the requesting computer's criteria value. All Browsers will receive the election packet. When a Browser receives an election packet, it examines the packet and compares the requesting computer's criteria value with its own election criteria. If the receiving Browser has better election criteria than the issuer of the election packet, it issues its own election packet and enters what is referred to as an "election in progress" state. This process continues until a Master Browser is elected, based on having the highest ranking criteria value.

Configuring a Browser

To determine whether or not a Windows NT computer will become a Browser, the Browser service looks in the Registry when it initializes for the following parameter:

\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList

For optimization purposes, it is possible to configure a computer to become a Browser, or to prevent a computer from becoming a Browser. The MaintainServerList parameter can have the following values:

Value   Meaning
No      This computer will NEVER participate as a Browser server.
Yes     This computer will become a Browser server. Upon startup, this computer will attempt to contact the Master Browser to get a current browse list. If the Master Browser cannot be found, the computer will force one to be elected. This computer will either be elected as the Master Browser or become a Backup Browser. Yes is the default value for Windows NT Server domain controller computers.
Auto    This computer may or may not become a Browser server, depending on the number of currently active Browsers, and is referred to as a Potential Browser. This computer will be notified by the Master Browser as to whether or not it should become a Backup Browser.
Auto is the default value for Windows NT Workstation and Windows NT Server (non-domain controller) computers.

Configuring a Preferred Master Browser

A Windows NT Workstation or Windows NT Server computer can be configured as a Preferred Master Browser. When the Browser service is started on a computer configured as a Preferred Master Browser, the Browser service will force a Browser election to occur. Preferred Master Browsers are given an advantage in elections, such that if all other things are equal, a Preferred Master Browser will always win an election and become the Master Browser. To configure a computer as a Preferred Master Browser, set the following Registry parameter value to True or Yes:

\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster

Unless the computer has already been configured as the Preferred Master Browser, this value will be False or No. This is true even if the computer is currently the Master Browser.

Browser Operations

As the Master Browser and Backup Browsers are established, each has its own role to play in the operation of the browsing environment. The Browsers need to communicate with each other and provide service to client computers.

Browser Announcements

When a computer that is running the Server service comes online, it must inform the Master Browser that it is available. It does this by announcing itself on the network.

All Servers

Each computer announces itself to the Master Browser periodically by broadcasting on the network. Initially each computer announces itself every minute. As the computer stays running, the announcement interval is extended to once every 12 minutes. If the Master Browser has not heard from the computer for three announcement periods, the Master Browser will remove the computer from the browse list.
Backup Browsers

In addition to announcing themselves, Backup Browsers call the Master Browser every 15 minutes to obtain an updated network resource (browse) list, as well as a list of workgroups and domains. The Backup Browser caches these lists and will return the browse list to any clients who send a browse request to the Backup Browser. If the Backup Browser cannot find the Master Browser, it forces an election.

Master Browsers

In addition, Master Browsers periodically announce themselves to the Backup Browsers with a broadcast. When Backup Browsers receive this announcement, they refresh their Master Browser name with the new information.

Master Browsers are responsible for overseeing the entire browsing system and are responsible for receiving announcements from Windows NT 3.1, Windows NT Advanced Server 3.1, Windows for Workgroups, Windows NT Workstation 3.5, Windows NT Server 3.5, and LAN Manager systems. Master Browsers also return lists of Backup Browsers to Windows NT 3.1, Windows NT Advanced Server 3.1, Windows NT Workstation 3.5, Windows NT Server 3.5, and Windows for Workgroups clients for their local subnet. As was discussed earlier in this section, when a system starts and its MaintainServerList parameter is Auto, the Master Browser is responsible for telling the system whether or not to become a Backup Browser. If the Master Browser has just won an election and its browse list is empty, it can force all systems to register with it. The Master Browser does this by broadcasting a "RequestAnnouncement" packet. All systems that receive this packet must answer at a random time within 30 seconds. This 30-second range for responses prevents the Master Browser from becoming overloaded and losing replies, and also prevents the network from being flooded with responses.
If a Master Browser receives an announcement from another computer that claims to be the Master Browser, the Master Browser will demote itself from Master Browser and force an election. This ensures that there is never more than one Master Browser in each workgroup or domain.

Determining the Number of Browsers

Workgroup

The number of Browsers in a workgroup is determined by the number of computers in the workgroup.

Number of Systems   Number of Backup Browsers   Number of Master Browsers
1                   0                           1
2-31                1                           1
32-63               2                           1

In cases where a computer has its MaintainServerList parameter set to Auto, the Master Browser will determine the number of Backup Browsers based on the table. After this, for each additional 32 computers added to the workgroup, there will be another Backup Browser added to the workgroup.

Domain

In a domain there will be three Backup Browsers at most. This is regardless of the number of computers in the domain. If you have a large domain, you may want to either break it up, or increase the system performance of the Backup Browsers in the domain.

How Client Computers Access the Browse List

The Master Browser maintains a list of network resources and makes this list available to Backup Browsers on the network. A client computer goes to a Backup Browser to get the current list. A client computer needs to see the browse list whenever a "net view" command is run at the Command Prompt, or when the File Manager Connect Network Drive dialog box is displayed. If this is the first time that the client has tried to access the browse list, it needs to find out which computers are the Backup Browsers for its workgroup or domain. The client does this by issuing a "QueryBrowserServers" broadcast. The QueryBrowserServers request is received and processed by the Master Browser for the client computer's workgroup or domain. The Master Browser returns a list of Backup Browsers that are active within the workgroup or domain being queried.
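The election and role-assignment rules from "Browser Criteria", "The Browser Election Process", "Configuring a Browser" and "Determining the Number of Browsers" above, modelled in code. This is an added example and not code from the original document or from the Windows NT Browser service. It follows what the text states: a MaintainServerList of No never participates, Yes always ends up Master or Backup, Auto becomes a Backup only when the Master Browser says so; the election converges on the highest criteria value, ranked by operating system, version and current role, with a PDC always winning and a Preferred Master Browser (IsDomainMaster) winning when everything else is equal; a workgroup gets 0, 1 or 2 Backup Browsers for 1, 2-31 or 32-63 systems and one more per additional 32, while a domain is capped at three. The criteria tuple, the OS ordering (NT Server above NT Workstation above Windows for Workgroups) and the first-listed-wins tie-break are assumptions of this example; the page does not give the election packet's layout.

```python
"""Browser election and Backup Browser assignment (added example; not from the page)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class OS(IntEnum):          # assumed ranking; the page lists OS as the first criterion
    WFW = 1                 # Windows for Workgroups
    NT_WORKSTATION = 2
    NT_SERVER = 3


class Role(IntEnum):        # current browsing role, the third criterion
    NON_BROWSER = 0
    POTENTIAL = 1
    BACKUP = 2
    MASTER = 3


@dataclass
class Computer:
    name: str
    os: OS
    version: Tuple[int, int]              # e.g. (3, 5)
    maintain_server_list: str = "Auto"    # MaintainServerList: "No", "Yes" or "Auto"
    is_domain_master: bool = False        # IsDomainMaster: Preferred Master Browser
    is_pdc: bool = False                  # a PDC is always the domain's Master Browser
    role: Role = Role.POTENTIAL

    def criteria(self) -> tuple:
        """Higher tuple wins. PDC first; then OS, version, role; Preferred Master breaks ties."""
        return (self.is_pdc, self.os, self.version, self.role, self.is_domain_master)


def run_election(computers: List[Computer]) -> Optional[Computer]:
    """The Master Browser an election settles on, or None if no computer may serve."""
    candidates = [c for c in computers if c.maintain_server_list != "No"]
    if not candidates:
        return None
    # Each browser that outranks the election packet it receives answers with its own,
    # so the process converges on the highest criteria value present (first listed on a tie).
    return max(candidates, key=lambda c: c.criteria())


def backup_browser_count(n_systems: int, is_domain: bool = False) -> int:
    """Backup Browsers the Master wants for n_systems: 0 / 1 / 2 for 1 / 2-31 / 32-63, +1 per 32."""
    if n_systems <= 1:
        return 0
    count = 1 + n_systems // 32
    return min(count, 3) if is_domain else count   # a domain has three at most


def assign_roles(computers: List[Computer], is_domain: bool = False) -> Dict[str, Role]:
    """Roles after an election, including the Master's instructions to Auto computers."""
    master = run_election(computers)
    wanted = backup_browser_count(len(computers), is_domain)
    roles: Dict[str, Role] = {}
    backups = 0
    for c in computers:
        if c is master:
            roles[c.name] = Role.MASTER
        elif c.maintain_server_list == "No":
            roles[c.name] = Role.NON_BROWSER
        elif c.maintain_server_list == "Yes":
            roles[c.name] = Role.BACKUP        # Yes is always Master or Backup
            backups += 1
        else:
            roles[c.name] = Role.POTENTIAL     # Auto waits to be told
    # The Master tells enough Potential Browsers to become Backup Browsers.
    for c in computers:
        if backups >= wanted:
            break
        if roles[c.name] is Role.POTENTIAL:
            roles[c.name] = Role.BACKUP
            backups += 1
    return roles
```

The point worth noticing is in run_election: any computer whose MaintainServerList is not No can become Master Browser of a workgroup, which is why the page's advice to set No on client computers is also a control over who gets to serve the browse list.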
Browsing Failures

If a computer fails or simply goes off-line, it will be removed from the browse list within a predetermined time frame. If the computer played a role in the browse environment, further action takes place depending on what role it played.

Non-Browser Computers

If a Non-Browser computer fails to announce itself to the Master Browser, it will eventually be removed from the list. For example, if the computer is powered off without being shut down, or if the Server service fails, it will not announce itself. In this case, it is removed from the network resource list. After three missed announcement periods (between 1 and 12 minutes each) the Master Browser removes the computer from the browse list. Therefore, it may take up to 51 minutes before all of the Browsers know of a system's failure: up to 36 minutes for the Master Browser to detect the failure, and 15 minutes for all of the Backup Browsers to retrieve the updated list from the Master Browser.

Backup Browsers

If a Backup Browser fails, it will be removed from the Master Browser's browse list in the same amount of time as a Non-Browser. This is because they announce themselves in the same manner. If a client attempts to retrieve a browse list from the missing Backup Browser, the client will select another Backup Browser from its list of three Backup Browsers. If all of the client's known Backup Browsers fail, the client will attempt to get a new list of Backup Browsers from the Master Browser. If the client is unable to contact the Master Browser, the client will force an election.

Master Browser

When a Master Browser fails, a Backup Browser will detect the failure within 15 minutes. When this happens, the Backup Browser will force an election to select a new Master Browser.

Server Shut Down

When a computer is shut down normally, it will make an announcement that will cause the Master Browser to remove it from the list.
If a Backup Browser is shutting down, it will send an announcement to the Master Browser that does NOT specify the Browser service in the list of running services. If a Master Browser is shutting down, it will send a "ForceElection" broadcast so that a new Master Browser can be chosen.

Browsing Across Multiple Workgroups and/or Domains

Not only do Master Browsers need to communicate within a workgroup or domain, but they need to communicate between workgroups and domains. This allows users to retrieve lists of other workgroups and domains. Windows NT adds a new level of functionality to the "net view" and File Manager connect requests that allows clients to retrieve a list of available workgroups and domains from the Master Browser. Upon becoming a Master Browser, each Master Browser will broadcast a "DomainAnnouncement" to each domain every minute for the first five minutes of its life as Master Browser. After the first five minutes, the Master Browser will make "DomainAnnouncement" broadcasts once every 15 minutes. If a workgroup or domain has not announced itself for a period equaling three times the announcement period, the workgroup or domain will be removed from the list of workgroups and domains. Therefore, it is possible that a workgroup or domain will appear in the browse list for up to 45 minutes after the workgroup or domain has ceased operations. It is the responsibility of the Master Browser in each workgroup or domain to receive "DomainAnnouncement" packets from other workgroups and domains. The Master Browser uses these announcements to build a list of available workgroups and domains. This list is also given to the Backup Browsers every 15 minutes so that they can return a list of network resources available in their workgroup or domain as well as a list of other workgroups and domains.
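The timing rules from "Browser Announcements", "Browsing Failures" and "Browsing Across Multiple Workgroups and/or Domains" above, worked through in code. This is an added example; it is not code from the original document or from the Browser service. It models what the text states: a server announces itself every minute at first and backs off to once every 12 minutes; the Master Browser drops a server it has not heard from for three of that server's announcement periods; Backup Browsers fetch the list from the Master every 15 minutes; a new Master Browser sends DomainAnnouncements every minute for its first five minutes and every 15 minutes after that, and a workgroup or domain is dropped after three missed periods. The intermediate back-off steps between 1 and 12 minutes (doubling, capped at 12) are an assumption of this example; the page gives only the two end points.

```python
"""Browser announcement timing and stale-entry removal (added example; not from the page)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BACKUP_REFRESH_MIN = 15            # Backup Browsers poll the Master every 15 minutes
MISSED_PERIODS_BEFORE_REMOVAL = 3  # an entry is dropped after three silent periods
MAX_ANNOUNCE_PERIOD_MIN = 12       # steady-state server announcement interval


def next_announce_period(current: int) -> int:
    """Assumed back-off between the stated end points: 1, 2, 4, 8, then 12 minutes."""
    return min(current * 2, MAX_ANNOUNCE_PERIOD_MIN)


def announcement_times(silent_after: int) -> List[Tuple[int, int]]:
    """(minute, period) of each announcement a server sends from boot (minute 0)
    up to and including minute `silent_after`, after which it goes quiet."""
    out, t, period = [], 0, 1
    while t <= silent_after:
        out.append((t, period))
        t += period
        period = next_announce_period(period)
    return out


@dataclass
class MasterBrowseList:
    """The Master Browser's view: server name -> (last announcement minute, its period)."""
    entries: Dict[str, Tuple[int, int]] = field(default_factory=dict)

    def receive_announcement(self, name: str, now: int, period: int) -> None:
        self.entries[name] = (now, period)

    def expire(self, now: int) -> List[str]:
        """Drop every server that has been silent for three of its own periods."""
        gone = [n for n, (seen, period) in self.entries.items()
                if now - seen >= MISSED_PERIODS_BEFORE_REMOVAL * period]
        for n in gone:
            del self.entries[n]
        return gone


def minute_master_drops(name: str, silent_after: int) -> int:
    """Minute at which the Master removes a server that stops announcing after `silent_after`."""
    master = MasterBrowseList()
    for t, period in announcement_times(silent_after):
        master.receive_announcement(name, t, period)
    now = silent_after
    while name in master.entries:
        now += 1
        master.expire(now)
    return now


def worst_case_failure_visibility(period: int = MAX_ANNOUNCE_PERIOD_MIN) -> int:
    """Minutes from a server's last announcement until every Backup Browser has the updated list."""
    return MISSED_PERIODS_BEFORE_REMOVAL * period + BACKUP_REFRESH_MIN   # 36 + 15 = 51 at steady state


def domain_announcement_period(minutes_as_master: int) -> int:
    """DomainAnnouncement interval: every minute for the first five minutes, then every 15."""
    return 1 if minutes_as_master < 5 else 15


def domain_entry_lifetime(period: int = 15) -> int:
    """Minutes a vanished workgroup or domain can linger in the list: three announcement periods."""
    return MISSED_PERIODS_BEFORE_REMOVAL * period   # 45 at steady state
```

The simulation reproduces the page's 51-minute figure and also shows the flip side: a server that fails shortly after booting, while its period is still 1 or 2 minutes, disappears from the Master's list within a few minutes, because removal is measured in that server's own announcement periods.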
The "DomainAnnouncement" packet contains the name of the domain, the name of the Master Browser for that domain, and whether the Master Browser is running Windows NT Workstation or Windows NT Server. In addition, if the Master Browser is running Windows NT Server, the "DomainAnnouncement" will also specify whether the system is the domain's PDC.

------------------------------------------------------------------------

Printing from Windows NT

Windows NT Printing Terminology

Windows NT uses its own printing terminology to describe the printing process.

Printing Device versus Printer

Under Microsoft Windows NT, a printing device refers to the actual hardware device that produces printed output. A printer refers to the software interface between the application and the printing device. Each printer appears as a separate window that is managed using the Windows NT Print Manager application. Multiple printers can be routed to one printing device. For example, if you have a printing device capable of using both PostScript® and HP PCL modes, you might want to use Print Manager to create a printer for each mode. Each printer would use a different printer driver. Printers can be assigned priorities, or be configured to print during certain hours. For example, longer or lower priority jobs could be sent to a printer that prints only at night.

Printer versus Print Queue

In Windows NT, print jobs are sent to a printer, where they are spooled before being sent to the printing device. In many network environments, the term print queue is used instead of printer. For example, Windows NT users submit print jobs to a printer, but OS/2 and NetWare users submit print jobs to a print queue.

Physical versus Logical Printer Port

A physical port is a hardware connection, such as LPT1: or COM2:, between the local computer and a printing device. A logical port is a network connection to a remote print server or printing device, referred to as \\server\printer.
Windows NT allows you to create a printer that uses either a logical or a physical port as the print destination.

Local and Remote Printers and Printing Devices

Local printing devices are attached directly to a Windows NT Workstation or Windows NT Server computer. Remote printing devices are accessed across the network. Network-interface printing devices are printing devices with built-in network cards, and are connected directly to the network.

Printer Pools

In a printer pool, multiple printing devices are associated with a single printer. The devices within a printer pool must be identical or must all emulate the same type of printing device. In other words, they must all be able to use the same printer driver. Windows NT imposes no limits on the number of printing devices in a printer pool. Printer pools enable administrators to add printing devices without modifying user environments. Since printer pools are created by adding new devices to existing printers, user configurations do not need to be changed.

Using Print Manager

Print Manager is the Windows NT administrative tool that allows administrators to perform all network printer administration tasks, including creating, securing, connecting to, and configuring printers. Print Manager also allows users to interact with local and remote printers. Print Manager is used to:

* Create printers (install printer drivers).
* Control printer characteristics, such as fonts and paper size.
* Set permissions for printer access.
* Set up auditing of printer use.
* Administer printers from a remote location.
* Redirect printer output.
* Connect to remote printers.
* Check local and remote printer status.

Print Manager can be started from the Print Manager icon in the Main group or from the Control Panel Printers icon.

Creating a Printer

The Create Printer dialog box is used to install and configure printer drivers on Windows NT-based computers.
This works for either a local printing device (a printing device that is physically attached to the computer) or a network printer. If the print server is Windows NT based, it may be easier to use the Connect to Printer command to avoid installing a local printer driver.

Connecting to a Printer

The second way to access a printer is to connect to a printer. To connect to a shared network printer on another Windows NT-based computer, use the Connect to Printer command. If you are printing to a printer on a Windows NT print server, the client computer does not need to have the appropriate printer driver installed locally. Instead, the printer driver is copied across the network from the print server to the client computer. This allows the application that is printing to query the printer driver for the current printer settings, such as font information. Because that driver then executes on the client, a client that connects this way is trusting the print server to supply it with correct driver code. This provides two main benefits:

* The administrator only needs to update the driver on the print server. Clients automatically get the new driver when they connect to the printer.
* The client computer does not need to have the appropriate driver installed in order to use the printing device. This can be very useful with portable computers, or computers that may use several different printing devices.

The Connect to Printer command is not intended for connecting to a shared printer on a Windows for Workgroups-based computer or other network print server. If the command is used for that purpose, a message will appear informing the user that the computer being connected to does not have a printer driver, and the user is then given the opportunity to create a printer.

Installing Intel®-Based Print Drivers on RISC-Based Platforms

The Windows NT printer drivers are platform specific. RISC-based computers cannot use Intel printer drivers, and vice versa. In addition, the printer drivers are different for each of the supported RISC platforms.
Therefore, to perform a "connect to" from one platform to any other platform requires the drivers for each client platform to be installed on the print server. To avoid installing a printer driver on every Intel-based computer that will be printing to a RISC-based Windows NT print server, the Intel version of the printer device driver should be installed on the print server. Likewise, if the print server is Intel-based and the client computers are RISC-based, you should install the RISC-based drivers on the print server. That way, when a client of any platform connects to the print server, the appropriate printer driver will be downloaded to the client for use.

Administering Remote Printers

Print Manager allows you to administer network print servers remotely. You can change the properties of existing printers, as well as install new printers or remove printers. To administer printers you must have Administrator or Full Control permission on the printer at the print server.

Implementing Printer Pools

A printer pool is a grouping of multiple printing devices connected to a single printer. A printer pool allows users to print to a single printer and lets the print spooler determine which printing device is available. When a printer is created, you should select the port in the Print To list that has the most efficient printing device attached to it. This will be the first printing device considered by the spooler. To add more printing devices to the pool, choose the Details button in the Create Printer dialog box and select the additional ports you want. The selected ports can be of a mixed variety, such as serial, parallel, and so on. Routing is based on the order in which the ports are chosen, so add the fastest ports first. All printing devices in a printer pool must be able to use the same printer driver. This list box can also be used to remove a persistent network connection to a print server. All printing devices in the printer pool share the same printer name and act as a single device.
Pausing the printer will pause the entire printer pool, and changing any properties will affect all printing devices in the printer pool.

------------------------------------------------------------------------

Remote Access Service (RAS)

RAS connects users over phone lines, through the Remote Access Service, to a remote network. Once a user has made a connection, the phone lines become transparent and the user can access all network resources as if they were sitting at a computer in an office that was directly attached to the network. RAS makes a modem act like a network card, projecting your remote computer onto the LAN.

Supported Dial-in Servers

Windows NT RAS clients can connect to LAN Manager, Windows for Workgroups, Windows NT 3.1, and Windows NT Server 3.5 RAS servers. In addition, RAS clients can also connect to non-Microsoft dial-in servers, such as UNIX-based dial-in servers (via the SLIP and PPP standards).

Supported Dial-in Clients

Windows NT RAS servers can be connected to by LAN Manager, Windows for Workgroups, Windows NT Workstation, and Windows NT Server 3.5 RAS clients. In addition, non-Microsoft clients can also connect to Microsoft servers, such as UNIX-based dial-in clients (via the PPP standard).

Supported Network Interfaces

Any network application that uses any of the following interfaces will work over RAS:

* Windows Sockets - A bi-directional pipe for incoming and outgoing data between networked computers. The Windows Sockets API is a networking API used by programmers creating IPX or TCP/IP sockets applications.
* Network basic input/output system (NetBIOS) - A software basic input/output system used to connect to network resources.
* Mailslots - A message delivery system used for announcing and locating network services and resources.
* Named pipes - The interprocess communication mechanism that allows one process to communicate with another local or remote process.
* Remote Procedure Calls (RPCs): a message-passing facility that allows a distributed application to call services available on various computers in a network. Used during remote administration of computers.
* Windows NT network (Win32) and LAN Manager APIs: application programming interfaces available for applications to call functions of the Windows NT or LAN Manager operating systems.

Windows NT RAS Connection Limitations

Windows NT RAS supports up to 256 simultaneous inbound connections in the Windows NT Server network operating system, and one inbound connection in Windows NT Workstation. A multiport serial device, such as a Digiboard® adapter, can provide multiple serial ports on one RAS server. The drivers for Digiboard adapters ship with Windows NT Workstation and Windows NT Server 3.5. When accessing NetBIOS resources, the limit on the number of simultaneous connections is 250. This is a limitation of the number of NetBIOS names that can be registered by a single system. When using Windows Sockets over TCP/IP or IPX, there is no software limitation on the number of simultaneous connections that can be made to the RAS server; the maximum number of simultaneous connections that Microsoft has tested is 256.

RAS Software Compression

RAS software compression is supported in Windows NT 3.5. This software compression is based on the Microsoft DRVSPACE compression algorithm (from the MS-DOS operating system 6.22), with an average 2:1 compression ratio. Using software compression can make a connection as much as eight times faster than a connection without compression.

Scalability

The RAS server is multithreaded and can take advantage of multiprocessors. This allows threads of the Remote Access Service to run on multiple processors in a computer at the same time, improving RAS performance.

WAN Support

RAS supports the following methods for establishing a connection between the RAS client and the RAS server.
* Standard phone lines (Public Switched Telephone Networks): Windows NT RAS uses standard modem connections over Public Switched Telephone Networks (PSTN).
* X.25: An X.25 network transmits data with a packet-switching protocol. This protocol relies on an elaborate worldwide network of packet-forwarding nodes that participate in delivering an X.25 packet to the correct address. All remote workstations can use an X.25 network by dialing an X.25 Packet Assembler/Disassembler (PAD). Windows NT Server 3.5 Remote Access Service has direct access via X.25 adapters, and Windows NT Workstation computers have direct X.25 connectivity in addition to asynchronous access to X.25 PADs.
* Integrated Services Digital Network (ISDN): ISDN offers much faster communication than a standard telephone line, at speeds of 64 to 128 kilobits per second.

RAS Security

Windows NT Remote Access Service implements a number of security measures to ensure that the remote user is a valid remote access user on the network. In some respects a RAS connection is subject to more checks than a workstation directly attached to the network: the caller must hold the RAS dialin permission in addition to a domain account, must be authenticated by RAS before a Windows NT logon is attempted, and can be required to accept a callback.

Integrated Domain Security

The RAS server uses the same user account database as Windows NT Server 3.5. This makes administration easier, since users log on with the same user account that they use at the office, and it ensures that users have the same privileges and permissions they normally have. In order to connect, a user must have a valid Windows NT user account as well as the RAS dialin permission. Users must be authenticated by RAS before they are even allowed to attempt to log on to Windows NT.

Encrypted Authentication and Logon

All authentication and logon information is encrypted when transmitted over the phone line. Note that this statement covers the credentials exchanged during authentication, not the data sent over the connection afterwards. Because non-Microsoft PPP clients are also accepted, check that the RAS server's authentication setting requires encrypted authentication rather than allowing any authentication method, so that a client cannot negotiate a clear-text password exchange.

Auditing

With auditing enabled, RAS generates audit information on all remote connections, including activities such as authentication, logons, and so on.
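The admission rules in the RAS Security section, together with the callback modes discussed under Call Back Security below, can be written down as a small decision procedure. The following is an added example, not Microsoft code and not the RAS server's own implementation: the account records, the attempt records, the audit record layout and the "No Call Back" / "Set By Caller" / "Preset To" callback handling are a model built from the text, and the accounts, passwords and telephone numbers are constructed sample data.

```python
"""Model of the Windows NT RAS admission decision described on this page.

Added example, not Microsoft code: the account store, the audit record
layout and the callback handling are assumptions that follow the text,
not the real RAS server implementation.
"""
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Callback(Enum):
    NONE = "No Call Back"
    SET_BY_CALLER = "Set By Caller"
    PRESET = "Preset To"


@dataclass
class Account:
    # Constructed account record: the same domain account used in the office,
    # plus the RAS-specific dialin permission and callback setting.
    name: str
    password: str
    dialin: bool
    callback: Callback = Callback.NONE
    preset_number: Optional[str] = None


@dataclass
class Attempt:
    # A dial-in attempt as seen by the RAS server (constructed input).
    user: str
    password: str
    caller_number: Optional[str] = None   # number the caller asks to be called back on


@dataclass
class Audit:
    # One audit record per attempt, as "auditing enabled" would produce.
    user: str
    result: str                           # "denied" or "accepted"
    reason: str
    callback_to: Optional[str] = None


def ras_admit(accounts: Dict[str, Account], attempt: Attempt) -> Audit:
    """Apply the checks in the order the page describes: the caller must hold
    a valid domain account and the RAS dialin permission, and must pass RAS
    authentication before any Windows NT logon is attempted."""
    acct = accounts.get(attempt.user)
    if acct is None:
        return Audit(attempt.user, "denied", "no such domain account")
    if not acct.dialin:
        return Audit(attempt.user, "denied", "account lacks RAS dialin permission")
    # The comparison stands in for the encrypted authentication exchange;
    # constant-time compare so the check does not leak via timing.
    if not hmac.compare_digest(acct.password.encode(), attempt.password.encode()):
        return Audit(attempt.user, "denied", "RAS authentication failed")
    if acct.callback is Callback.PRESET:
        # Server hangs up and dials the number the administrator stored; the
        # caller-supplied number is ignored, so a stolen password alone does
        # not give access from an arbitrary telephone line.
        return Audit(attempt.user, "accepted", "callback to preset number",
                     acct.preset_number)
    if acct.callback is Callback.SET_BY_CALLER:
        # Convenience only: the caller picks the number, so the session is
        # bound to no particular line and this mode adds no security.
        return Audit(attempt.user, "accepted", "callback to caller-chosen number",
                     attempt.caller_number)
    return Audit(attempt.user, "accepted", "no callback")


def failed_auth_by_user(audits: List[Audit], threshold: int = 3) -> List[str]:
    """Detection over the audit trail: users with repeated RAS authentication
    failures, the records an administrator would review first."""
    counts: Dict[str, int] = {}
    for a in audits:
        if a.result == "denied" and a.reason == "RAS authentication failed":
            counts[a.user] = counts.get(a.user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


# Constructed sample accounts and attempts (not real data).
ACCOUNTS = {
    "alice": Account("alice", "s3cret", dialin=True,
                     callback=Callback.PRESET, preset_number="555-0101"),
    "bob":   Account("bob", "hunter2", dialin=True, callback=Callback.SET_BY_CALLER),
    "carol": Account("carol", "pa55", dialin=False),
}

ATTEMPTS = [
    Attempt("alice", "s3cret", caller_number="555-9999"),  # preset number wins
    Attempt("bob", "hunter2", caller_number="555-0202"),
    Attempt("carol", "pa55"),                              # valid account, no dialin permission
    Attempt("mallory", "x"),                               # no such account
    Attempt("alice", "wrong1"),
    Attempt("alice", "wrong2"),
    Attempt("alice", "wrong3"),
]


def run_demo():
    audits = [ras_admit(ACCOUNTS, a) for a in ATTEMPTS]
    return audits, failed_auth_by_user(audits)


if __name__ == "__main__":
    audits, suspects = run_demo()
    for a in audits:
        extra = f" -> {a.callback_to}" if a.callback_to else ""
        print(f"{a.user:8} {a.result:8} {a.reason}{extra}")
    print("repeated authentication failures:", suspects)
```

The point the model makes is the order of the checks and the difference between the two callback modes: only "Preset To" ties a successful authentication to a telephone number chosen by the administrator, whereas "Set By Caller" lets an attacker who has a valid password choose where the server dials.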
Intermediary Security Hosts

It is possible to add another level of security to a RAS configuration by connecting an intermediary security host between the RAS client(s) and the RAS server(s). When an intermediary security host is used, the user must type a password or code to get past the security device before a connection is established with the RAS server.

Call Back Security

The RAS server can be configured to call the remote user back as a means of increasing security: after the user has authenticated, the server hangs up and dials the user. When the callback number is preset by the administrator, the session is tied to that telephone line, so a valid password alone is not enough to connect from elsewhere. When the callback number is supplied by the caller, callback is a convenience rather than a security measure, since the caller chooses where the server dials.

© 1995 Microsoft Corporation. THESE MATERIALS ARE PROVIDED "AS-IS," FOR INFORMATIONAL PURPOSES ONLY. NEITHER MICROSOFT NOR ITS SUPPLIERS MAKES ANY WARRANTY, EXPRESS OR IMPLIED WITH RESPECT TO THE CONTENT OF THESE MATERIALS OR THE ACCURACY OF ANY INFORMATION CONTAINED HEREIN, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. BECAUSE SOME STATES/JURISDICTIONS DO NOT ALLOW EXCLUSIONS OF IMPLIED WARRANTIES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. NEITHER MICROSOFT NOR ITS SUPPLIERS SHALL HAVE ANY LIABILITY FOR ANY DAMAGES WHATSOEVER INCLUDING CONSEQUENTIAL, INCIDENTAL, DIRECT, INDIRECT, SPECIAL, AND LOST PROFITS. BECAUSE SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. IN ANY EVENT, MICROSOFT'S AND ITS SUPPLIERS' ENTIRE LIABILITY IN ANY MANNER ARISING OUT OF THESE MATERIALS, WHETHER BY TORT, CONTRACT, OR OTHERWISE, SHALL NOT EXCEED THE SUGGESTED RETAIL PRICE OF THESE MATERIALS.