Ask Dr. Bob Your NT Questions - 01 Jan 1998

Send us your tips and questions. You can also visit Bob Chronister's online Tricks & Traps at http://www.winntmag.com/forums/index.html.

In October 1997, I told you how to automatically shut down Windows NT 4.0 using a Registry setting, much like the feature in Windows 95. Unfortunately, I forgot to mention that this setting takes effect only if the BIOS on your machine supports a software shutdown. Apologies to those of you who tried it, only to see your system reboot instead of shut down.

Q: Although I am aware of the advantages of securing machines that connect to the Internet, my company simply does not have the money to build a firewall. Is an alternative available?

You can set up a reasonably secure Internet environment on a shoestring budget, but you end up playing games with protocols and bindings. I'm assuming that you will use NetBEUI internally (because it's not routable) and use TCP/IP for Internet access. Go to the Network applet of the Windows NT Control Panel. You will need to perform the following tasks:

1. Disable the session bindings for
NetBIOS —> TCP/IP
Workstation —> TCP/IP
Server —> TCP/IP

2. Enable session bindings for
NetBIOS —> NetBEUI
Workstation —> NetBIOS
Server —> NetBIOS

3. Enable transport bindings for
NetBEUI —> The network card
TCP/IP —> Modem Remote Access Service (RAS) connection

Configuring these settings results in a poor man's firewall because a would-be hacker can't route over NetBEUI and, therefore, can't access your internal network.

Q: Someone told me that Microsoft has finally published a list of error codes for Windows NT 4.0. Is this rumor true?

Indeed, Microsoft has published a list of NT 4.0 error codes and their meanings. The list is long, and many of the errors occur very infrequently. You can find the complete list of error codes at http://support.microsoft.com/support/kb/articles/Q155/0/11.asp and /12.asp. An excerpt from this list is in Table 1, page 224.

Q: I use ntbackup a lot, but I have trouble with bad tapes and broken spanned datasets. I recall hearing about switches that can overcome these problems. What are they?

The two switches you are looking for are /nopoll and /missingtape. The first, /nopoll, specifies that you want to erase the tape. Do not use /nopoll with any other parameters. (This feature is great for erasing troublesome tapes.) The second switch, /missingtape, specifies that a tape is missing from the backup set when the set spans several tapes. This switch makes each tape one unit as opposed to being part of the set.

In addition to these two switches, you can use the syntax and switches shown in Figure 1, page 224, for ntbackup at the Command Prompt. For example, the command

ntbackup backup f:\myfiles /t normal /d "myfiles" /hc:on

backs up all files in myfiles and labels the backup as "myfiles."

You can use the AT scheduler command (you need to start the Scheduler service) with ntbackup to schedule a time to back up files. For example, you can specify

at 02:00 /every: M,T,W,Th,F "cmd ntbackup backup f:\  /a /t incremental" 

This command will perform an incremental backup of all files modified on F since the last backup. Ntbackup will append the files to the tape and perform the backup Monday through Friday at 2:00 a.m.

Q: How do I assign domain users to the local Administrators group of a Windows NT Workstation client during an unattended setup? I can successfully add local users to the Administrators group using the net localgroup command, but I get an error message that says, "There is no such global user or group: SOMEDOMAIN\SomeUser" when I run the command

"net localgroup Administrators SOMEDOMAIN\SomeUser /add" 

from the Cmdlines.txt file.

You need to use the Net Start Netlogon command to start the Netlog service. Try entering the following series of commands in your unattended installation:

net use \\PDC /user:DOMAIN\User password 
net start netlogon 
net localgroup Administrators "DOMAIN\Support_group" /add 

Q: What are the alternatives to using sysdiff.exe to install Office 97 on an unattended rollout?

The Network Installation Wizard (niw.exe) utility comes with the Microsoft Office 97 Resource Kit. After you purchase the resource kit, you can use the Network Installation Wizard to specify options for the installation, and you can set up a batch installation that does not require user intervention. You will want to follow a few basic steps when using this approach.

To begin, create a network share for the installation on a hard disk, and copy the Office 97 CD-ROM to the share. Disable the Read Only attribute on the off97pro.inf file (or off97pro.stf file if you're using the professional version of Office 97). Open the Office 97 Network Installation Wizard, and point the wizard to the network share you just created.

When you start the Network Installation Wizard, it will ask you a series of questions. First, you need to identify where you want to store most of the Office 97 files, as you see in Screen 1. Usually, you install the files to a default directory on the workstations, but you can easily change this destination.

The wizard then asks you to supply a default directory for saving your documents. After you specify a location for your documents, the wizard asks you to specify a location for the shared files that Office 97 uses, as you see in Screen 2. You can specify a local drive or a network drive, or let the user decide.

The next screen in the wizard asks whether you want to create an installation log to store information about users who install Office 97 from a shared disk. After you specify where you want to store all the files for the installation, the wizard asks you to specify the type of installation, as you see in Screen 3. I generally choose a custom installation so I can pick the applications and accessories that I want to install.

If you perform a custom installation, the wizard presents a list of components, as you see in Screen 4, so you can select which ones to install. As you see in Screen 4, I chose not to install the Microsoft Binder, Microsoft Access, the HTML tools, or the Getting Results Book.s

After you specify which components to install, you have to tell the wizard which items to place in Program Manager. I never install Fast Find because it is a major memory leak in NT. The final step in the wizard completes the installation parameters and rewrites offpro.inf or off97pro.stf.

To perform an unattended installation after you complete the Network Installation Wizard, you simply create a batch file that can access the Office 97 share. To access the share (where the modified .stf and .inf files reside) and do an unattended install, use the syntax shown in Figure 2, page 226, for the batch command in Cmdlines.txt. Setup is an installation file in the shared directory where the .stf and .inf files reside. This installation method sets up Office 97 on the local hard disk. Other switches are available but are not necessary for a network installation (see the Microsoft Office 97 Resource Kit).

Q: I am responsible for backing up files for 70 employees in my company. I try to perform workstation backups at night, but not everyone likes having a machine backed up automatically. In addition, I support several notebook users who are in and out of the office daily, and many of them take their computers home at night. This situation forces me to back up their machines during peak hours when the network is congested. What options do I have to back up all these desktop and portable machines?

This question raises some important issues that many MIS employees have to face. Let's examine some available options:

1. You can stop trying to back up the workstations. Just remember that if the company's executives agree to this policy, you could be at some risk if a user loses critical files.

2. You can continue to back up the workstations routinely. This option requires that you perform additional work to stay on top of all the backups, and it requires a lot of storage space because you might be backing up files that have already been backed up. This approach can also involve backing up personal files that might not be related to the business.

3. You can have users save files to a server, and then you can back up the server. This approach is ideal, but it requires that users comply (getting users to comply can be difficult). One way around this problem is to use terminals that run applications from a server. Although company executives usually love this approach, users might find it less favorable.

A related solution is to run daily batch files that copy important files from the workstations to a server where you can back up the files. Many large networks use this approach.

4. You can use a backup application (e.g., Legato's NetWorker) that lets users initiate backup. In this scenario, users initiate the backup when they deem it necessary. This approach places the burden on users to manage their backups. Although far from ideal, user-assisted backups can help you maintain the integrity and safety of your network.

Which approach would I take? Options 3 and 4 are probably the safest, depending on the circumstances. Whereas buying licenses for backup software for every workstation on a network may not be feasible in one environment, such an approach might be ideal in another. Using batch files (or even an application such as Octopus) to copy files to a central location for backup is a workable solution and one that I endorse strongly. You can even set up a schedule to copy files from each workstation. Unfortunately, no one simple solution exists for every backup situation.

Q: My company is setting up a Windows NT 4.0-based network, and security is a major issue. Can you provide some basic security guidelines?

You can take several steps to help secure your NT network from attacks. Keep in mind that the steps I'm listing below are basic steps for security. For more information about securing your NT system, see the October 1996 and October 1997 issues of Windows NT Magazine.

1. Use NTFS.
2. Rename the Administrator account. This account is the one hackers try to obtain first.
3. Make the Administrator's password difficult to guess.
4. Minimize the number of administrators on the network.
5. Limit the number of backup operators. This group can read any file in any directory.
6. Limit the distribution of sensitive files on the network. Breaking into a nonexistent file is hard.
7. Keep the operating system on a separate disk from the data on your network.
8. Implement account lockout in the accounts policy window.
9. Disable the Guest account.
10. Make sure you set up TCP/IP security correctly by limiting the number of extra ports available for use (Screen 5 shows the TCIP/IP security configuration window and the default port settings for TCP/IP).

Also, follow some basic rules when configuring passwords:

1. Don't use a password that contains fewer than six characters.
2. Do mix upper- and lowercase characters in passwords.
3. Don't use any part of the account name as a password.
4. Use nonalphanumeric characters in the password. (Who can guess ZX%oc&*A? The problem with such a password is remembering it.)
5. Don't use a common name or date (i.e., the name of a family member or the date of a birthday) as a password. Hackers can usually find out this information.
6. Change your password regularly.
7. Don't use a password that is a word in the dictionary, and don't write down your password.

If you connect to the Internet, a good idea is to enable all auditing features on your NT system. This layer of protection will slow your system down, but you will be able to see everything that happens on the machine. Be sure you have enough disk space to allow sufficient size for the auditing file. As a final note, be certain to use the appropriate type of firewall to restrict access to the network.