Chapter 35 - Using Windows NT Workstation on the Internet
This chapter introduces the components that enable a computer running Windows NT to access the Internet and explains how those components work together to let you use the Internet. This discussion focuses on using Windows NT Workstation as an Internet client. Peer Web Services is described in the final section.
This chapter covers these topics:
For general information about using the Internet, consult one of the many books available in your bookstore or library. Many resources about using the Internet are also available on the Internet itself.
Connecting to the Internet
Windows NT Workstation includes all the software you need to connect to and use the Internet. These components enable you to access the Internet:
In addition to the Windows NT Workstation software listed above, before you connect to the Internet, you need the following items:
This section provides procedures for connecting to the Internet or MSN, then gives a technical overview of installing TCP/IP and Dial-Up Networking and configuring them for Internet access.
To connect to the Internet
You can use The Microsoft Network as your Internet provider only if you have already created an MSN account by using Windows 95. When you use MSN to connect to the Internet through Windows NT, proprietary online services such as e-mail or bulletin boards are not available.
To connect to MSN
TCP/IP Internet Configuration
TCP/IP is the suite of network protocols used for all Internet traffic. The TCP/IP protocol included with Windows NT is fully compatible for use on the Internet.
You install TCP/IP by using the Network option in Control Panel. Once TCP/IP is installed, you might need to configure the following parameters to operate correctly on the Internet:
Dial-Up Networking Internet Configuration
Dial-Up Networking is used to connect to an Internet service provider (ISP) or other online service over a phone line or ISDN line. Windows NT Dial-Up Networking clients support the PPP protocol and the SLIP protocol. Most ISPs use these protocols, which enables Windows NT Workstation clients to connect to virtually all ISPs. Some ISPs support the Point-to-Point Tunneling Protocol (PPTP) and X.25 WAN protocols.
To connect to an ISP and use the Internet, you must configure Dial-Up Networking on your computer. Windows NT Dial-Up Networking steps you through the procedures to connect to the Internet.
To install Dial-Up Networking, double-click Dial-Up Networking in My Computer. Follow the instructions on-screen to complete Dial-Up Networking installation. For detailed instructions on installing Dial-Up Networking, see online Help.
Configuring Dial-Up Networking Entries for Internet Use
To call an Internet service provider, you must create an entry in Dial-Up Networking. The Windows NT Dial-Up Networking wizard steps you through creating the first entry. This section explains how to manually configure a Dial-Up Networking entry to work with an ISP.
Modifying an Entry
Double-click Dial-Up Networking in My Computer; or, click Start, point to Programs, point to Accessories, then click Dial-Up Networking. The first time Dial-Up Networking is started, the Dial-Up Networking wizard steps you through creating the first entry; otherwise, click New. Provide all the information requested by the Dial-Up Networking wizard. See the sections below for additional information about Internet configuration.
PPP or SLIP Settings
An Internet service provider must provide either PPP connections or SLIP connections to operate with Windows NT Dial-Up Networking.
To configure an entry for a PPP connection
Depending on your Internet service provider, you might need to make some modifications to your security settings, as described in the next section.
To configure an entry for a SLIP connection
Depending on your Internet service provider, you might need to make some modifications to your security settings, as described in the next section.
When you connect to the Internet service provider, some form of logon or authentication occurs. Your Internet service provider should tell you the logon sequence for its servers. You use the Script tab to configure Dial-Up Networking for logging on to the Internet service provider.
To configure an entry for authentication on the remote server
Modems and WAN Connections
Your connection to an ISP will probably be through a modem and telephone line, or through an ISDN card and ISDN line.
If you use a modem, the faster its speed, the faster you access pages on the Internet. Modems of 9600 bits per second (bps) or above are recommended. ISDN can provide speeds up to 128,000 bps.
Obtaining an Internet Account with a Service Provider
There are ISPs around the world. As with other online services or bulletin boards, you dial the service number and log on to the remote system. Once connected, you have access to the Internet and any other services, such as electronic mail, offered by the service provider. Fees usually apply for all commercial Internet services.
Windows NT Workstation provides three standard tools for accessing Internet servers: Internet Explorer, FTP, and Telnet.
A multitude of other tools are available to access the information and services on the Internet. For example, you can use an Internet Relay Chat (IRC) client to participate in real-time discussions in "rooms" hosted on an IRC server. You can use the Inbox application on the Windows NT Desktop to send and receive electronic mail. Which tools you choose depends on the information you want and how it is stored on the Internet.
This section briefly describes some Internet tools and provides the process for installing them on a computer running Windows NT. For comprehensive discussions of the tools available for using the Internet, consult the Internet or your local library or bookstore.
History of Internet Tools
The Internet has been evolving since the early 1970s. Early servers on the Internet conformed to original Internet protocols, such as the File Transfer Protocol (FTP) or Virtual Terminal Protocol (VTP, now called Telnet). These protocols generally provide a way to copy files and/or issue commands or start programs through a character-based interface or, more recently, through a graphical user interface such as Windows or X Windows.
Internet technology has now grown beyond the simple file transfers on character-based FTP or Telnet servers. Newer servers on the Internet now have graphical interfaces and present information and services to Internet users by using hypertext documents. World Wide Web (WWW) servers now automatically provide formatted text, sounds, and animation to Internet users. You must use the proper browser (such as Internet Explorer) to use these Internet servers. Fortunately, Internet Explorer also supports the older standards, such as FTP, so you can use Internet Explorer to access multiple servers and data types.
Internet Explorer is a Web browser that allows you to connect to Web servers and view the information provided by that server. The servers transmit the files by using the Hypertext Transport Protocol (HTTP). The files are typically text files that have been formatted by using the Hypertext Markup Language (HTML). However, the Internet and Internet Explorer support viewing (or downloading) nearly any file type.
Windows NT Workstation provides an FTP command-line utility that enables you to connect to FTP servers and transfer files. Multiple variations of FTP clients are also available on the Internet or commercially. FTP has the advantage of allowing clients to upload files to a remote FTP server.
Telnet is a graphical application that you use to log on to remote computers and issue commands as if you were at the computer's keyboard. By using Telnet, you can use the resources of remote computers to run programs and perform other functions.
Many other tools are available through the Internet or commercially. These tools include:
The Windows NT TCP/IP protocol provides FTP and Telnet. These tools can be used to gather more Internet tools. Two popular FTP sites for obtaining public-domain Internet tools (and other Windows Sockets applications) are sunsite.unc.edu and ftp.cica.indiana.edu.
Once you have a connection to an Internet service provider, you can use the FTP program provided with Windows NT TCP/IP to connect to an FTP server and download files, including Internet tools. The same tool can exist for different operating systems or processors. Make sure you obtain the correct version of the tool.
The files are probably compressed by using the shareware program Pkzip. Use the shareware program Pkunzip to expand the .zip files on your local hard disk. The shareware compression tools are often available on local bulletin boards or FTP servers in an uncompressed format.
After you uncompress the files for a particular program, read any available Readme files for specific information about installing and configuring the program, and comply with those instructions. Most public domain software designed for Windows 95, Windows for Workgroups, or Windows 3.1 works on Windows NT without modification.
To add shortcuts for easy access to the new programs, see online Help. With shortcuts you can start the Internet tool from the Windows NT Workstation Desktop.
Security for Internet Clients
It is important to remember that the Internet, like other networks, provides two-way communication. When you are connected to the Internet, other computers can see your computer. By default, Windows NT Workstation security protects your computer from casual intrusion. However, while it is very unlikely that your computer will be attacked while you are browsing the Internet, it is still a good idea to configure your computer securely. Before you install and configure TCP/IP and Dial-Up Networking, you should review the security configuration of your computer.
If your computer is also connected to an in-house network (an intranet), it is especially important to prevent access to your intranet from the Internet. This section provides tips to help you secure your computer before connecting to the Internet.
Review the security measures described in this section when configuring single computers running Windows NT Workstation.
Restrict User Rights Access
Review the User Rights policies in User Manager. You should remove the following groups from each user right. By default, the group Everyone is granted access to your computer from the network and the group Guests is permitted to log on locally. You should remove these default settings.
Eliminate the Server Service and Other Network Services
Disable any services not absolutely necessary on your computer by clearing them in the Services option in Control Panel. Specifically, you should disable the Server service; this prevents any access to your computer through this service.
The FTP Server service included with Windows NT versions 3.1 through 3.51 should also be disabled or configured to ensure adequate security.
You should review all other network services that you use, and remove or disable unused network services. The fewer services you run on your system, the less likely it is that a mistake in administration can occur and be exploited.
Eliminate Unnecessary Accounts and Use Good Passwords
You should remove all unnecessary user accounts. You should also remove any unnecessary accounts from the Administrator group. By limiting user accounts and the members of the Administrator group, you limit the number of users who might choose passwords that could expose your system.
Also, the password for the Administrator account should always be difficult to duplicate and should never be left empty.
Eliminate Shared Directories
Check the properties of shared directories available on your computer. Shared resources on your computer might be available to other remote computers, depending on your Internet service provider. Disable sharing or change the sharing properties of any resources you do not want remote computers to use. In the Shared Directory Properties dialog box, select the Not Shared check box to disable sharing of a resource, as shown in Figure 35.1.
Figure 35.1 The Shared Directory Properties dialog box
Multihomed computers — computers that run Windows NT Workstation and are connected to an intranet, and that also have one or more additional connections to the Internet — should comply with the security measures above, plus these additional precautions.
Unbind Unnecessary Services from Your Internet Adapter Cards
You should unbind unnecessary services from network cards connected to the Internet.
To unbind services from network adapter cards
Figure 35.2 shows the Bindings tab of the Network dialog box.
Figure 35.2 The Bindings tab of the Network dialog box
For example, you might use the Server service to copy new images and documents from computers in your internal network on an Intel EtherExpress 16 LAN Adapter. However, when you are connected to the Internet using Dial-Up Networking, Internet users also have direct access to your computer through the Server service through the Remote Access WAN Wrapper binding as shown in Figure 35.2.
The Remote Access WAN Wrapper binding under the Server service should be disabled to prevent attacks through the Server service.
Note You can use the Windows NT Server service over the Internet; however, you should fully understand the security implications and licensing issues. For more information about security and licensing, see Windows NT Server Concepts and Planning.
You should disable routing when you configure the TCP/IP protocol. If routing is enabled, you run the risk of passing data from your intranet to the Internet.
To configure the TCP/IP protocol
Figure 35.3 shows the Routing tab with the Enable IP Forwarding check box cleared.
Figure 35.3 Disable routing by clearing the Enable IP Forwarding check box
Check Permissions on Network Shares
On a default installation, you do not need to change any network shares. However, note that Windows NT Workstation automatically creates special shares for administrative and system use. For example, the root of every directory is shared to the Administrators, Backup Operators, and Server Operators groups. The share uses the convention
For example, a share may be called \\maria2\c$. You cannot change this default setting. For more information about the default shares, see your Windows NT documentation.
If you do run the Server service on your Internet adapter cards, and you have created network shares, you should permit access only to those users and groups that you want to use the files. Double-check the permissions set on the shares you have created on the system. It is also wise to double-check the permissions set on the files contained in the shares' directories to ensure that you have set them correctly. In general, you should remove the group Everyone.
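An added example, not part of the original chapter: one way to carry out the share review described here and under Eliminate Shared Directories is to list every share with the net share command and set aside the ones Windows NT creates itself. The sample output and share names are constructed, and the parser assumes share names short enough to fit the first column.

```python
import re

# Constructed sample, laid out in the three columns that `net share` prints.
# Share names and paths are made up for this example.
_ROW = "%-13s%-32s%s"
SAMPLE = "\n".join(
    [_ROW % ("Share name", "Resource", "Remark"), "", "-" * 79]
    + [(_ROW % r).rstrip() for r in [
        ("ADMIN$", r"C:\WINNT", "Remote Admin"),
        ("C$", "C:\\", "Default share"),
        ("IPC$", "", "Remote IPC"),
        ("images", r"D:\images", ""),
        ("payroll$", r"D:\payroll", ""),
    ]]
    + ["The command completed successfully.", ""]
)

# Shares Windows NT creates itself: one per drive root, plus ADMIN$ and IPC$.
SYSTEM_SHARE = re.compile(r"^(?:[A-Z]\$|ADMIN\$|IPC\$)$", re.IGNORECASE)


def parse_net_share(text):
    """Return (name, resource, remark) tuples, slicing at the header's columns."""
    lines = text.splitlines()
    header = next(i for i, l in enumerate(lines) if l.startswith("Share name"))
    res_col = lines[header].index("Resource")
    rem_col = lines[header].index("Remark")
    shares = []
    for line in lines[header + 1:]:
        if not line.strip() or set(line.strip()) == {"-"}:
            continue  # blank line or the dashed separator
        if line.startswith("The command"):
            break
        shares.append((line[:res_col].strip(),
                       line[res_col:rem_col].strip(),
                       line[rem_col:].strip()))
    return shares


def shares_to_review(text):
    """Shares a user created, including hidden ones whose name ends in '$'."""
    return [s for s in parse_net_share(text) if not SYSTEM_SHARE.match(s[0])]


if __name__ == "__main__":
    for name, resource, _ in shares_to_review(SAMPLE):
        print("review or stop sharing: %s -> %s" % (name, resource))
```

A name ending in $ only hides a share from browsing, so payroll$ is reported for review alongside images; each reported share is a candidate for the Not Shared setting or for tighter permissions.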
Maintain Strict Account Policies
User Manager provides a way for the system administrator to specify how quickly account passwords expire (thus forcing users to regularly change passwords), and to set other policies, such as how many incorrect logon attempts are tolerated before a user is locked out. You should change the default account policy settings in User Manager. Pay particular attention to accounts with Administrator access. These steps help prevent exhaustive or random password attacks.
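An added example, not part of the original chapter: the account policy set in User Manager can be read back with the net accounts command and checked against a baseline. The sample output is constructed, and the baseline numbers are assumptions chosen for illustration, since the chapter gives none.

```python
# Constructed sample laid out like `net accounts` output; values are made up.
SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Hypothetical baseline for this example; the chapter gives no numbers.
MAX_AGE_DAYS, MIN_LENGTH, MAX_BAD_LOGONS = 90, 8, 5


def parse_net_accounts(text):
    """Map each 'label: value' line to a dict entry; other lines are ignored."""
    policy = {}
    for line in text.splitlines():
        label, sep, value = line.rpartition(":")
        if sep and value.strip():
            policy[label.strip()] = value.strip()
    return policy


def number(policy, label):
    """Digits become an int; 'Never', 'None', 'Unlimited' or a missing line, None."""
    value = policy.get(label, "")
    return int(value) if value.isdigit() else None


def findings(policy):
    """List the settings that leave room for repeated password guessing."""
    issues = []
    age = number(policy, "Maximum password age (days)")
    if age is None or age > MAX_AGE_DAYS:
        issues.append("passwords do not expire within %d days" % MAX_AGE_DAYS)
    if (number(policy, "Minimum password length") or 0) < MIN_LENGTH:
        issues.append("minimum password length is under %d" % MIN_LENGTH)
    if number(policy, "Length of password history maintained") is None:
        issues.append("old passwords can be reused immediately")
    bad = number(policy, "Lockout threshold")
    if not bad or bad > MAX_BAD_LOGONS:
        issues.append("no lockout within %d failed logons" % MAX_BAD_LOGONS)
    return issues


if __name__ == "__main__":
    for issue in findings(parse_net_accounts(SAMPLE)):
        print("account policy:", issue)
```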
Peer Web Services
You can use Peer Web Services for Windows NT Workstation version 4.0 and Windows 95 to publish web pages on a small scale, such as your own home page on your company's network. You can also use Peer Web Services to develop and test content and applications for Windows NT Server Internet Information Server without requiring that you run the Windows NT Server operating system on the computer used to create the content.
Peer Web Services is a subset of Internet Information Server. Although limited in capability, this personal version is still suitable for Web application development. Peer Web Services supports all extensions and filters supported by Internet Information Server.
Table 35.1 compares Peer Web Services and Internet Information Server.
Except for the restrictions listed on the previous page, Peer Web Services is completely compatible with Internet Information Server.
For more information about using either of these Microsoft web servers, see the Windows NT Server Internet Guide.