Chapter 35 - Using Windows NT Workstation on the Internet

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

This chapter introduces the components that enable a computer running Windows NT to access the Internet and explains how those components work together to let you use the Internet. This discussion focuses on using Windows NT Workstation as an Internet client. Peer Web Services is described in the final section.

This chapter covers these topics:

  • Connecting to the Internet

  • Security

  • Using Peer Web Services

For general information about using the Internet, consult one of the many books available in your bookstore or library. Many resources about using the Internet are also available on the Internet itself.

Connecting to the Internet


Windows NT Workstation includes all the software you need to connect to and use the Internet. These components enable you to access the Internet:

  • The Transmission Control Protocol/Internet Protocol (TCP/IP) network protocol in Windows NT version 4.0.

    The TCP/IP network protocol is used by virtually all computers on the Internet.

  • Windows NT Workstation Dial-Up Networking.

    Dial-Up Networking is used to connect to an Internet service provider (ISP) or other online service over a modem and phone line or by using an Integrated Services Digital Network (ISDN) card and ISDN line.

    You can install Dial-Up Networking and the TCP/IP protocol by using the Network option in Control Panel. For more information, see "TCP/IP Internet Configuration" and "Dial-Up Networking Internet Configuration" in this chapter or the corresponding topics in online Help or the Windows NT Server Networking Supplement.

    There are two methods used to connect clients to the Internet:

    • By using Point to Point Protocol (PPP).

    • By using Serial Line Internet Protocol (SLIP).

      The most popular and more robust method is PPP. The Microsoft Network (MSN) acts as a PPP provider, connecting users who have MSN accounts to the Internet. See the procedure in the next section for an example of how to connect to MSN.

In addition to the Windows NT Workstation software listed above, before you connect to the Internet, you need the following items:

  • A modem and telephone line or ISDN card and ISDN line.

  • An account with an Internet service provider.

    An Internet service provider is a company that gives remote users access to the Internet. ISPs now offer Internet access at reasonable rates in many places worldwide.

  • Internet tools such as Internet Explorer, FTP, and Telnet.

    Internet Explorer, FTP, and Telnet are all Internet clients provided in Windows NT Workstation.

Procedural Overview

This section provides procedures for connecting to the Internet or MSN, then gives a technical overview of installing TCP/IP and Dial-Up Networking and configuring them for Internet access.

To connect to the Internet
  1. Secure your computer and disks.

    For information on how to do this, see "Security for Internet Clients," later in this chapter.

  2. Install the TCP/IP network protocol.

  3. Install and start Dial-Up Networking.

  4. In the Dial-Up Networking dialog box, click New.

    If this is the first time you have used Dial-Up Networking, in the Dial-Up Networking wizard, select the check box to edit the phonebook directly, and click Finish.

  5. On the Basic tab, type a name for your entry, for example, Internet.

  6. Type the phone number to your ISP and select a modem to use.

  7. On the Server tab, select the TCP/IP protocol.

  8. Click OK and then click Dial.

You can use The Microsoft Network as your Internet provider only if you have already created an MSN account by using Windows 95. When you use MSN to connect to the Internet through Windows NT, proprietary online services such as e-mail or bulletin boards are not available.

To connect to MSN
  1. Secure your computer and disks.

    For information on how to do this, see "Security for Internet Clients," later in this chapter.

  2. Install the TCP/IP network protocol.

  3. Install and start Dial-Up Networking.

  4. In the Dial-Up Networking dialog box, click New.

    If this is the first time you have used Dial-Up Networking, in the Dial-Up Networking wizard, select the check box to edit the phonebook directly, and click Finish.

  5. On the Basic tab, type a name for your entry, for example, MSN.

  6. Enter the phone number for the local MSN number that allows Internet access.

  7. Select a modem and use the default modem configuration.

  8. On the Server tab, in the Dial-Up Server Type box, select PPP.

    In the Protocols box, select only the TCP/IP protocol.

    Clear the Enable PPP LCP Extensions box.

  9. On the Security tab, select the Accept any authentication including clear text check box and click OK.

  10. Click Dial. In the Authentication dialog box, supply your MSN user name by typing MSN/username.

  11. Type your MSN password and click OK.

TCP/IP Internet Configuration

TCP/IP is the suite of network protocols used for all Internet traffic. The TCP/IP protocol included with Windows NT is fully compatible for use on the Internet.

You install TCP/IP by using the Network option in Control Panel. Once TCP/IP is installed, you might need to configure the following parameters to operate correctly on the Internet:

  • IP Address. The IP address configuration you specify by using the Network option in Control Panel is for your intranet use and will be assigned to the network card in your computer. Usually you have only one network card and IP address for intranet use, although you can have multiple network cards and IP addresses. You can obtain an additional IP address for your connection to the Internet that uses Dial-Up Networking. The Dial-Up Networking IP address is usually randomly assigned by your ISP on each connection, but you might need to enter a fixed IP address in the Dial-Up Networking entry for your ISP.

  • Default Gateway. If you connect to an Internet server through Dial-Up Networking, the default gateway configured through Dial-Up Networking is used.

  • DNS. If the Domain Name System (DNS) configuration on your computer is for use on your intranet only, to efficiently access the Internet you might need to add DNS server IP addresses in the Dial-Up Networking entry for your ISP.

  • HOSTS or LMHOSTS file. You can improve efficiency of connections to frequently accessed servers on the Internet by adding entries to your HOSTS file. In some cases, you can connect to a computer on the Internet by using its NetBIOS name; NetBIOS names are mapped to IP addresses in the LMHOSTS file. Windows NT consults these local files for name resolution before consulting a DNS server on the Internet.

Dial-Up Networking Internet Configuration

Dial-Up Networking is used to connect to an Internet service provider (ISP) or other online service over a phone line or ISDN line. Windows NT Dial-Up Networking clients support the PPP protocol and the SLIP protocol. Most ISPs use these protocols, which enables Windows NT Workstation clients to connect to virtually all ISPs. Some ISPs support the Point-to-Point Tunneling Protocol (PPTP) and X.25 WAN protocols.

To connect to an ISP and use the Internet, you must configure Dial-Up Networking on your computer. Windows NT Dial-Up Networking steps you through the procedures to connect to the Internet.

To install Dial-Up Networking, double-click Dial-Up Networking in My Computer. Follow the instructions on-screen to complete Dial-Up Networking installation. For detailed instructions on installing Dial-Up Networking, see online Help.

Configuring Dial-Up Networking Entries for Internet Use

To call an Internet service provider, you must create an entry in Dial-Up Networking. The Windows NT Dial-Up Networking wizard steps you through creating the first entry. This section explains how to manually configure a Dial-Up Networking entry to work with an ISP.

Modifying an Entry

Double-click Dial-Up Networking in My Computer; or, click Start, point to Programs, point to Accessories, then click Dial-Up Networking. The first time Dial-Up Networking is started, the Dial-Up Networking wizard steps you through creating the first entry; otherwise, click New. Provide all the information requested by the Dial-Up Networking wizard. See the sections below for additional information about Internet configuration.

PPP or SLIP Settings

An Internet service provider must provide either PPP connections or SLIP connections to operate with Windows NT Dial-Up Networking.

To configure an entry for a PPP connection

  1. Double-click Dial-Up Networking. Select a Phonebook entry to dial. Click More and select Edit entry and modem properties.

  2. On the Server tab, in the Dial-up server type box, select PPP.

  3. The TCP/IP and NetBEUI check boxes are automatically selected. Clear the IPX check box if it is selected. The Enable PPP LCP extensions (RFC 1570) check box enables newer PPP features and should be cleared only if you are unable to establish a connection while this setting is enabled. The Enable software compression check box should be selected.

  4. Click TCP/IP Settings.

  5. If your Internet service provider has assigned an IP address for your use, enter that number in the Specify an IP address box. If no number was assigned or if you know the server assigns IP addresses, select the Server assigned IP address check box.

  6. If your Internet service provider has assigned primary and secondary DNS and/or WINS server IP addresses for your use, enter those numbers in the Specify name server addresses box. If no numbers were assigned or if you know the server assigns name server addresses, select the Server assigned name server addresses check box.

  7. Leave the Use default gateway on remote network and Use IP header compression boxes selected.

Depending on your Internet service provider, you might need to make some modifications to your security settings, as described in the next section.

To configure an entry for a SLIP connection

  1. Double-click Dial-Up Networking. Select a Phonebook entry to dial. Click More and select Edit entry and modem properties.

  2. On the Server tab, in the Dial-up server type box, select SLIP.

  3. The TCP/IP check box is automatically selected.

  4. Click TCP/IP Settings.

  5. Enter the IP address provided by your ISP in the IP address box.

  6. Enter the primary and secondary DNS server IP addresses and the primary and secondary WINS server IP addresses in the Name server addresses box.

  7. Leave the Use default gateway on remote network and Force IP header compression check boxes selected. Select a frame size in the Frame size box if indicated by your ISP, otherwise leave the default setting.

Depending on your Internet service provider, you might need to make some modifications to your security settings, as described in the next section.

Security Settings

When you connect to the Internet service provider, some form of logon or authentication occurs. Your Internet service provider should tell you the logon sequence for its servers. You use the Script tab to configure Dial-Up Networking for logging on to the Internet service provider.

To configure an entry for authentication on the remote server

  1. Click the Dial-Up Networking icon. Select a Phonebook entry to dial. Click More and select Edit entry and modem properties.

  2. On the Security tab, select the authentication method specified by your Internet service provider.

    Many Internet service providers require a clear-text terminal logon. If in doubt, select the Accept any authentication including clear text check box.

    If you select Accept any authentication including clear text, you must also know the sequence of logon for your ISP, and any required commands.

  3. If your Internet service provider has a well-defined logon sequence, you can create a script in the Switch.inf file that provides the required commands automatically at logon. You create and activate a script on the Script tab.

  4. After you have selected the security and script settings, click OK. Click OK again to complete security configurations.

Modems and WAN Connections

Your connection to an ISP will probably be through a modem and telephone line, or through an ISDN card and ISDN line.

If you use a modem, the faster its speed, the faster you access pages on the Internet. Modems of 9600 bits per second (bps) or above are recommended. ISDN can provide speeds up to 128,000 bps.

Obtaining an Internet Account with a Service Provider

There are ISPs around the world. As with other online services or bulletin boards, you dial the service number and log on to the remote system. Once connected, you have access to the Internet and any other services, such as electronic mail, offered by the service provider. Fees usually apply for all commercial Internet services.

Internet Tools

Windows NT Workstation provides three standard tools for accessing Internet servers: Internet Explorer, FTP, and Telnet.

A multitude of other tools are available to access the information and services on the Internet. For example, you can use an Internet Relay Chat (IRC) client to participate in real-time discussions in "rooms" hosted on an IRC server. You can use the Inbox application on the Windows NT Desktop to send and receive electronic mail. Which tools you choose depends on the information you want and how it is stored on the Internet.

This section briefly describes some Internet tools and provides the process for installing them on a computer running Windows NT. For comprehensive discussions of the tools available for using the Internet, consult the Internet or your local library or bookstore.

History of Internet Tools

The Internet has been evolving since the early 1970s. Early servers on the Internet conformed to original Internet protocols, such as the File Transfer Protocol (FTP) or Virtual Terminal Protocol (VTP, now called Telnet). These protocols generally provide a way to copy files and/or issue commands or start programs through a character-based interface or, more recently, through a graphical user interface such as Windows or X Windows.

Internet technology has now grown beyond the simple file transfers on character-based FTP or Telnet servers. Newer servers on the Internet now have graphical interfaces and present information and services to Internet users by using hypertext documents. World Wide Web (WWW) servers now automatically provide formatted text, sounds, and animation to Internet users. You must use the proper browser (such as Internet Explorer) to use these Internet servers. Fortunately, Internet Explorer also supports the older standards, such as FTP, so you can use Internet Explorer to access multiple servers and data types.

Internet Explorer

Internet Explorer is a Web browser that allows you to connect to Web servers and view the information provided by that server. The servers transmit the files by using the Hypertext Transport Protocol (HTTP). The files are typically text files that have been formatted by using the Hypertext Markup Language (HTML). However, the Internet and Internet Explorer support viewing (or downloading) nearly any file type.

FTP

Windows NT Workstation provides an FTP command-line utility that enables you to connect to FTP servers and transfer files. Multiple variations of FTP clients are also available on the Internet or commercially. FTP has the advantage of allowing clients to upload files to a remote FTP server.

Telnet

Telnet is a graphical application that you use to log on to remote computers and issue commands as if you were at the computer's keyboard. By using Telnet, you can use the resources of remote computers to run programs and perform other functions.

Other Tools

Many other tools are available through the Internet or commercially. These tools include:

  • IRC

  • CUSEEME

  • Gopher

  • E-mail

The Windows NT TCP/IP protocol provides FTP and Telnet. These tools can be used to gather more Internet tools. Two popular FTP sites for obtaining public-domain Internet tools (and other Windows Sockets applications) are sunsite.unc.edu and ftp.cica.indiana.edu.

Once you have a connection to an Internet service provider, you can use the FTP program provided with Windows NT TCP/IP to connect to an FTP server and download files, including Internet tools. The same tool can exist for different operating systems or processors. Make sure you obtain the correct version of the tool.

The files are probably compressed by using the shareware program Pkzip. Use the shareware program Pkunzip to expand the .zip files on your local hard disk. The shareware compression tools are often available on local bulletin boards or FTP servers in an uncompressed format.

After you uncompress the files for a particular program, read any available Readme files for specific information about installing and configuring the program, and comply with those instructions. Most public domain software designed for Windows 95, Windows for Workgroups, or Windows 3.1 works on Windows NT without modification.

To add shortcuts for easy access to the new programs, see online Help. With shortcuts you can start the Internet tool from the Windows NT Workstation Desktop.

Security for Internet Clients


It is important to remember that the Internet, like other networks, provides two-way communication. When you are connected to the Internet, other computers can see your computer. By default, Windows NT Workstation security protects your computer from casual intrusion. However, while it is very unlikely that your computer will be attacked while you are browsing the Internet, it is still a good idea to configure your computer securely. Before you install and configure TCP/IP and Dial-Up Networking, you should review the security configuration of your computer.

If your computer is also connected to an in-house network (an intranet), it is especially important to prevent access to your intranet from the Internet. This section provides tips to help you secure your computer before connecting to the Internet.

Single Workstations

Review the security measures described in this section when configuring single computers running Windows NT Workstation.

Restrict User Rights Access

Review the User Rights policies in User Manager. You should remove the following groups from each user right. By default, the group Everyone is granted access to your computer from the network and the group Guests is permitted to log on locally. You should remove these default settings.

| User Right | Remove Group |
| --- | --- |
| Access this computer from the network | Everyone |
| Log on locally | Guests |

Eliminate the Server Service and Other Network Services

Disable any services not absolutely necessary on your computer by clearing them in the Services option in Control Panel. Specifically, you should disable the Server service; this prevents any access to your computer through this service.

The FTP Server service included with Windows NT versions 3.1 through 3.51 should also be disabled or configured to ensure adequate security.

You should review all other network services that you use, and remove or disable unused network services. The fewer services you run on your system, the less likely it is that a mistake in administration can occur and be exploited.

Eliminate Unnecessary Accounts and Use Good Passwords

You should remove all unnecessary user accounts. You should also remove any unnecessary accounts from the Administrator group. By limiting user accounts and the members of the Administrator group, you limit the number of users who might choose passwords that could expose your system.

Also, the password for the Administrator account should always be difficult to duplicate and should never be left empty.

Eliminate Shared Directories

Check the properties of shared directories available on your computer. Shared resources on your computer might be available to other remote computers, depending on your Internet service provider. Disable sharing or change the sharing properties of any resources you do not want remote computers to use. In the Shared Directory Properties dialog box, select the Not Shared check box to disable sharing of a resource, as shown in Figure 35.1.

Figure 35.1 The Shared Directory Properties dialog box 

Networked Workstations

Multihomed computers — computers that run Windows NT Workstation and are connected to an intranet, and that also have one or more additional connections to the Internet — should comply with the security measures above, plus these additional precautions.

Unbind Unnecessary Services from Your Internet Adapter Cards

You should unbind unnecessary services from network cards connected to the Internet.

To unbind services from network adapter cards
  1. Double-click Network in Control Panel.

  2. On the Bindings tab, show the bindings for all services, then select the binding under the service and click Disable.

Figure 35.2 shows the Bindings tab of the Network dialog box.

Figure 35.2 The Bindings tab of the Network dialog box 

For example, you might use the Server service to copy new images and documents from computers in your internal network through an Intel EtherExpress 16 LAN Adapter. However, when you are connected to the Internet using Dial-Up Networking, Internet users also have direct access to the Server service on your computer through the Remote Access WAN Wrapper binding, as shown in Figure 35.2.

The Remote Access WAN Wrapper binding under the Server service should be disabled to prevent attacks through the Server service.

Note You can use the Windows NT Server service over the Internet; however, you should fully understand the security implications and licensing issues. For more information about security and licensing, see Windows NT Server Concepts and Planning.

Disable Routing

You should disable routing when you configure the TCP/IP protocol. If routing is enabled, you run the risk of passing data from your intranet to the Internet.

To configure the TCP/IP protocol
  1. Double-click Network in Control Panel.

  2. Click the Protocols tab, select TCP/IP Protocol, and click Properties.

  3. On the Routing tab, clear the Enable IP Forwarding check box if it is selected.

Figure 35.3 shows the Routing tab with the Enable IP Forwarding check box cleared.

Figure 35.3 Disable routing by clearing the Enable IP Forwarding check box 

Check Permissions on Network Shares

On a default installation, you do not need to change any network shares. However, note that Windows NT Workstation automatically creates special shares for administrative and system use. For example, the root of every directory is shared to the Administrators, Backup Operators, and Server Operators groups. The share uses the convention

\\Computername\Driveletter$

For example, a share may be called \\maria2\c$. You cannot change this default setting. For more information about the default shares, see your Windows NT documentation.

If you do run the Server service on your Internet adapter cards, and you have created network shares, you should permit access only to those users and groups that you want to use the files. Double-check the permissions set on the shares you have created on the system. It is also wise to double-check the permissions set on the files contained in the shares' directories to ensure that you have set them correctly. In general, you should remove the group Everyone.
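One way to separate the shares Windows NT creates by itself from the ones that need their permissions double-checked is to parse the output of the net share command. This is an added example, not part of the original chapter: the sample output is constructed, the function names are hypothetical, and the parser assumes share names without spaces and rows that are not wrapped.

```python
import re
from typing import NamedTuple

# Constructed sample in the column layout that `net share` prints (not from a real host).
SAMPLE_NET_SHARE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
ADMIN$       C:\WINNT                        Remote Admin
C$           C:\                             Default share
IPC$                                         Remote IPC
backup$      D:\backup
images       C:\images                       Web artwork
The command completed successfully.
"""


class Share(NamedTuple):
    name: str
    path: str
    remark: str
    kind: str  # "default" = created by Windows NT, "user" = created by an administrator


# The \\Computername\Driveletter$ convention described above.
DRIVE_SHARE = re.compile(r"^[A-Za-z]\$$")
# The other built-in special shares.
SYSTEM_SHARES = {"ADMIN$", "IPC$"}


def parse_net_share(text):
    """Turn `net share` output into Share records, using the header for column offsets."""
    lines = text.splitlines()
    header = next(i for i, line in enumerate(lines) if line.startswith("Share name"))
    res_col = lines[header].index("Resource")
    rem_col = lines[header].index("Remark")
    shares = []
    for line in lines[header + 1:]:
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:
            continue  # blank line or the dashed separator
        if stripped.startswith("The command completed"):
            break
        name = line[:res_col].strip()
        path = line[res_col:rem_col].strip()
        remark = line[rem_col:].strip()
        # A trailing "$" only hides a share from browsing; it does not make it a default share.
        is_default = bool(DRIVE_SHARE.match(name)) or name.upper() in SYSTEM_SHARES
        shares.append(Share(name, path, remark, "default" if is_default else "user"))
    return shares


def shares_to_review(shares):
    """Shares somebody created: these are the ones whose permissions need checking."""
    return [s for s in shares if s.kind == "user"]


if __name__ == "__main__":
    for share in shares_to_review(parse_net_share(SAMPLE_NET_SHARE)):
        print(f"review permissions (remove Everyone?): {share.name} -> {share.path}")
```

Note that backup$ is reported for review even though it ends in a dollar sign, because only the drive-letter shares, ADMIN$ and IPC$ are created by the system.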

Maintain Strict Account Policies

User Manager provides a way for the system administrator to specify how quickly account passwords expire (thus forcing users to change passwords regularly) and to set other policies, such as how many incorrect logon attempts are tolerated before a user is locked out. You should change the default settings, paying particular attention to accounts with Administrator access. These steps help prevent exhaustive or random password attacks.
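The two policies named above, password expiry and lockout after incorrect logon attempts, can be checked from the output of the net accounts command. This is an added example, not part of the original chapter: the sample output is constructed, the function names are hypothetical, and the limits of 90 days and 5 attempts are illustrative assumptions rather than values from this chapter.

```python
import re

# Constructed sample in the layout that `net accounts` prints (not from a real host).
SAMPLE_NET_ACCOUNTS = """
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

SETTING = re.compile(r"^(.+?):\s+(\S.*)$")  # "name:   value"


def parse_net_accounts(text):
    """Return the settings as a dict; lines without 'name: value' are ignored."""
    policy = {}
    for line in text.splitlines():
        match = SETTING.match(line.strip())
        if match:
            policy[match.group(1)] = match.group(2).strip()
    return policy


def _limit(value):
    """Numeric setting, or None when the policy is switched off (Never, Unlimited, None)."""
    return int(value) if value.isdigit() else None


def audit_policy(policy, max_age_days=90, max_bad_logons=5):
    """List what is wrong with password expiry and account lockout.

    max_age_days and max_bad_logons are reviewer-chosen limits (assumptions).
    """
    findings = []
    checks = (
        ("Maximum password age (days)", max_age_days,
         "passwords never expire", "passwords expire only after {} days"),
        ("Lockout threshold", max_bad_logons,
         "no account lockout: unlimited logon attempts",
         "lockout only after {} incorrect logon attempts"),
    )
    for key, ceiling, off_message, high_message in checks:
        if key not in policy:
            findings.append(f"setting not reported: {key}")
            continue
        value = _limit(policy[key])
        if value is None:
            findings.append(off_message)
        elif value > ceiling:
            findings.append(high_message.format(value))
    return findings


if __name__ == "__main__":
    for finding in audit_policy(parse_net_accounts(SAMPLE_NET_ACCOUNTS)):
        print("account policy:", finding)
```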

Peer Web Services


You can use Peer Web Services for Windows NT Workstation version 4.0 and Windows 95 to publish web pages on a small scale, such as your own home page on your company's network. You can also use Peer Web Services to develop and test content and applications for Windows NT Server Internet Information Server without requiring that you run the Windows NT Server operating system on the computer used to create the content.

Peer Web Services is a subset of Internet Information Server. Although limited in capability, this personal version is still suitable for Web application development. Peer Web Services supports all extensions and filters supported by Internet Information Server.

Table 35.1 compares Peer Web Services and Internet Information Server.

| Feature | Peer Web Services | Internet Information Server |
| --- | --- | --- |
| Operating system | Windows NT Workstation 4.0 and Windows 95 | Windows NT Server 4.0 |
| Version | 2.0 | 2.0 |
| Purpose | For low-volume personal publishing on a non-dedicated workstation in the corporate intranet—similar to peer-level file services | For publishing on the Internet or corporate intranet |
| Services | WWW, FTP, and Gopher | WWW, FTP, and Gopher |
| Control access via IP address | No | Yes |
| Virtual servers | No | Yes |
| Log to ODBC database | No | Yes |
| Limit network bandwidth | No | Yes |
| Internet Database Connector | Included | Included |
| SSL support | 40-bit keys | 40-bit and 128-bit keys (128-bit support available in U.S. and Canadian versions only) |
| HTML-based administration | Yes | Yes |
| HTTP version string | Microsoft-IIS-W/2.0; Microsoft-IIS-W95/2.0 (Windows 95) | Microsoft-IIS-S/2.0 |
| TransmitFile() | Restricted to two concurrent TransmitFile() operations | Yes |
| Concurrent connect limit | No limit | No limit |
| Completion ports used | Yes | Yes |
| Remote IIS server discovery | No | Yes |
| File handle caching | No | Yes |
| CPU scaling for threads | No | Yes |
| Socket listen backlog | 5 | None |

Except for the restrictions listed in Table 35.1, Peer Web Services is completely compatible with Internet Information Server.

For more information about using either of these Microsoft web servers, see the Windows NT Server Internet Guide.
