The Mole #16: Technical Answers from Inside Microsoft - Securing Groups, NT Upgrade, Internet Cache, 40 or 128-Bit

August 30, 1999

Editors Note The questions and answers below are from the Inside Microsoft column that appears regularly on the TechNet Web site at the following location: http://www.microsoft.com/technet/community/columns/insider/default.mspx. To find out how to submit questions of your own, see the end of this article or go to http://www.microsoft.com/technet/community/columns/insider/default.mspx.

The TechNet Mole provides expert answers from deep within Microsoft to questions from IT professionals. This installment focuses on these issues:

  • Strategies for Securing the Administrative Group

  • Windows NT Server Upgrade

  • The Temporary Internet Cache that Ate Chicago

  • 40 or 128-Bit—Which Version Do I Have?

  • Backtalk: Load Balancing with 3rd Party Utilities

On This Page

Strategies for Securing the Administrative Group
Windows NT Server Upgrade
The Temporary Internet Cache that Ate Chicago
40 or 128-Bit—Which Version Do I Have?
Backtalk: Load Balancing with 3rd Party Utilities
Got Questions? Mail the Mole
Credits

Strategies for Securing the Administrative Group

Hi, Is there a way to have Windows NT 4.0 Workstation/Server start without the C:drive default sharing? Otherwise is there a registry setting to change the default from C:\ Shared to C:\ Not Shared?

Richard J. Cardin

Dear Richard,

Nope. No way. Never happen.

Default administrative shares are created for the Windows NT root directory where the system files are kept, and for the root of each hard drive partition. The shares have a dollar sign ($) suffix, for example, WINNT$, C$, D$. They are invisible to network browsing, and are only accessible to accounts with administrator privileges on the particular machine. They cannot be removed permanently. The best you can do is to disable them for the current session.

When you restart Windows NT, the shares will be re-enabled. You cannot change the permissions on these shares, ever. Try and you'll get this message,

"This has been shared for administrative purposes. The permissions cannot be set."

It occurs to Mole that you have not confided why you want to make these changes. If it's about security, here are some alternative strategies to better secure the Administrator Group.

  1. Choose inscrutable passwords. All system passwords should be tough to guess, administrative passwords, next to impossible. Rule of thumb says a great password is long, mixed case, and uses both letters and numbers. It should have absolutely no connection to your real life, and it should be kept in a totally safe place. The waistband of your boxers should fit the bill. You can set passwords either with the User Manager utility, or in the Security dialog. This may seem like a no-brainer, but failing to heed password security is like leaving the front door standing open when you're not home.

  2. Rename the Administrator account. If the name of the system account(s) are not known, it's a lot harder to break into a system.

  3. Create individual user accounts for each administrator and add the user account(s) to the Administrator Global Group.

And here's a plug, Microsoft Windows NT 4.0 Security, Audit, and Control, a book from Microsoft Press,—is a very good read. Check out the following sample chapters on TechNet:

Windows NT Server Upgrade

Hallo,

I am searching for documentation about following scenario:

Running an existing Windows NT 4.0 domain with a fileserver, printserver, SNA- Gateway and users with access rights to these resources. Now I want to create a new Windows NT 4.0 domain and move the resources to new server machines into the new domain. Users are also moved to the new domain.

Is there any documentation/tools to let's say export the resource/user definitions e.g. to an ASCII file and import that data, altered where needed, into the new domain? Does new hardware have implications on this procedure?

Joachim Straub, Deutsche Bank AG, Frankfurt

Joachim,

Create a new domain and move resources and users into it—hmmmm. What this really sounds like is, you want to upgrade the hardware on the existing domain. You didn't mention whether you are renaming the domain or not.

Let's say you want to upgrade the server hardware. If this sounds scary, it probably should. The simplest way is basically to install Windows NT on a new, souped-up server that will become the new PDC. Install the server as a BDC. Run it until you're sure all account info has been replicated and everything's behaving properly. When you're satisfied that the new server is indeed ready for prime time, promote it from a BDC to the PDC.

You'll want to be sure your profiles and policies replicate to the new PDC and that users access them at the new location. (Actually, think about having profiles and policies on a server that's not a domain controller at all.) You also need to make sure shared resources are recreated on the new PDC, and that the account database replication is correctly set up.

Here's an article about moving SNA from one domain to another, appropriately named 186709:How to Move SNA from One Domain to Another.

Finally, you asked if there's a tool to export resource/user information to a file. Two utilities available in the MS Windows NT 4.0 Resource Kit, Supplement 4 Utilities should help: GRPCOPY, which copies the user names of an existing group to another group in the same or another domain, and SUBINACL, which obtains security information on files, registry keys, and services, and transfers this information from user to user, from local group or global group to group, and from domain to domain.

Mole hopes he's answered the right question here. Good luck.

The Temporary Internet Cache that Ate Chicago

Dear Mole:

I have just started working with a system that uses Windows NT server roaming profiles. The problem is that Internet Explorer is creating a huge cache in the temporary Internet files under the profile. This cache is exceeding over 300 MB sometimes. This is very bad for the network.

Why does Internet Explorer seem to use so much space?

Do I need to move the cache folder for each person? How can I change the cache folder in Internet Explorer for all users? Suggestions please!

Greg Hampton

Dear Greg,

Yikes! When it comes to bandwidth, that's one Big Gulp.

The problem isn't that Internet Explorer is such a pig, though, but that you're too generous.

Fortunately, the following Knowledge Base article offers a couple of solutions – one is to configure each client after the fact, and the other solution is to use the Internet Explorer 5 Administration Kit for Windows 3.x, 95, 98, NT 4, and Unix (affectionately and acronymically known as the IEAK) to make the appropriate settings before IE is rolled out to the client. You can download the IEAK at no charge from the above link.

And the article in question is:

  • 185255: How Not to Save Cached Internet Files with Roaming User Profiles

Do what it says and kiss the bloated cache bye-bye.

40 or 128-Bit—Which Version Do I Have?

Mole,

How can I tell if an installation on Windows NT 4.0 SP3 was installed as the 40-bit or the 128-bit security version? I want to install SP5 and I need to know which versions I am dealing with.

Mike Nielson

Dear Mike,

Mole loves straight questions with clear-cut answers!

You can determine the encryption level by looking at the Properties of the file \WINNT\system32\schannel.dll. On Properties, Version tab, the Description will include "US and Canada" if it is 128 bit. If the Description includes the text "Export Version" then it's 40-bit encryption.

Piece of cake. At the mention of which, Mole's stomach rumbles.

Backtalk: Load Balancing with 3rd Party Utilities

Mole,

In response to the question by SSgt. Kevin Fox of Hill AFB , Utah , true, native NT can't load balance like he wants. However, using 3rd party utilities, it's quite possible. NICExpress and BalanceSuite both allow multiple NIC's to appear as 1 virtual NIC (thus allowing for improved bandwidth, etc.) They also allow for a level of fault tolerance, in that if one or more of the NIC's in the "NIC Array" die, the others will continue on.

I evaluated the software for our own environment. Neither were 100% perfect, but they do basically what they're advertised to do.

Roger H. Longden

Roger

Thanks, Roger, for sharing the fruits of your experience.

As to the rest of you, remember, it isn't nice to hoard, artichokes or answers.

If you have an embellishment, or a better alternative, to one of Mole's replies, send it in and see your name in lights.

Got Questions? Mail the Mole

Communicate with Mole at [closed account]. Send him your toughest questions. And if you think you have a better answer than Mole's, or a different one, send that along, as well. Please include the following:

  • Your name

  • Your title

  • Your company

  • Your e-mail address

  • Your question/solution/compliment

Credits

Credit is once again due to Lon Collins.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as -is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages. All prices for products mentioned in this document are subject to change without notice.

Show: