Overview of IPv4

IPv4 is a mature networking protocol and is widely used on most internet-connected client devices. Each client on an IPv4 network is assigned a unique IPv4 configuration that identifies that client device. This configuration is based on a number of elements:

• An IPv4 address IPv4 uses a 32-bit binary address, which is divided into four octets (or groups of eight digits), each of which is converted to a decimal number. Thus, 11000000101010000001000100000001 becomes 11000000.10101000.00010001.00000001 and converts to 192.168.17.1.

• A subnet mask A subnet mask is also a 32-bit binary string, entered as four decimal digits; it is used to indicate the client’s unique identity, known as the host ID, and the subnet where the client resides, known as the network ID.

• A default gateway address To facilitate communications between network segments, or subnets, each client device is assigned the IPv4 address of a router in the local network that is used to forward network traffic destined for devices in other subnets.

• A Domain Name System (DNS) server address DNS enables the client computer to resolve names into IPv4 or IPv6 addresses.

Subnets

A subnet is a network segment. One or more routers separate the subnet from other subnets. Each subnet on an internet has a unique ID, just as each host within a subnet has a unique ID. You must use the 32 bits of an IPv4 address to define both the host’s ID and the subnet ID in which that host resides.

Simple networks

Remember that each 32-bit IPv4 address is divided into four octets. In simple IPv4 subnetting, whole octets are reserved for defining the subnet portion of the IPv4 address, as shown in Figure 3-1; consequently, the remaining whole octets are available for defining the host portion of the address.

This simple subnetting is referred to as classful addressing, by which the address class, A, B, or C, defines the number of octets reserved for host and subnet IDs. Table 3-1 shows how this works.

Class	First Octet	Default Subnet Mask	Number of Networks	Number of Hosts per Network
A	1 to 127	255.0.0.0	126	16,777,214
B	128 to 191	255.255.0.0	16,384	65,534
C	192 to 223	255.255.255.0	2,097,152	254

Note Other Address Classes

There are also class D and class E addresses. Class D addresses are used for multicasting when a client device is part of a group. Class E addresses are reserved and are not used for hosts or subnets.

Complex networks

For some situations, using a classful addressing scheme can be ideal. But for many situations, it might be important to have more flexibility over the number of bits allocated to the subnet address portion of an IPv4 address. For example, instead of using 8, 16, or 24 bits for the subnet, you can use 12 or 18.

Bear in mind that the more bits you allocate to subnetting, the fewer bits remain for the host portion of the IPv4 address. That is, you can have more subnets, each containing fewer hosts, or you can have few subnets, each containing many hosts. Figure 3-2 shows how changing the subnet mask changes the subnet ID without changing the octets that define the whole IPv4 address. This scheme is often referred to as classless addressing, or Classless Interdomain Routing (CIDR).

In Figure 3-2, notice how changing the subnet mask from 255.255.255.0 to 255.255.240.0 shifts the device from subnet 192.168.17.0 to 192.168.16.0. In this case, by shifting the mask to the left, we have allocated more bits to describe hosts in each subnet, with correspondingly fewer subnets. You can see that to express a host’s IPv4 configuration properly, not only must you state the IPv4 address, but you must also state the subnet mask. For example, in Figure 3-2 this host has an IPv4 configuration of 192.168.17.1/255.255.240.0.

Exam Tip

You will often see devices with IPv4 configurations shown as 192.168.17.1/20. The number after the slash denotes the number of sequential binary 1s in the subnet mask (20 in this instance). If the mask were 255.255.248.0, that would be represented as /21.

Need More Review? IPV4 Routing

To review further details about IPv4 subnetting and routing, refer to the Microsoft website at https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379495(v=ws.10).

Public and private addressing

Devices that connect directly to the internet require a unique public IPv4 configuration. However, because of the limitation of the 32-bit addressing scheme of IPv4, there is a limit to the number of hosts that can be connected to the internet using a public configuration. To alleviate this potential but significant problem, many organizations use private IPv4 configurations for their network clients, only using public IPv4 configurations for internet-facing devices, such as routers.

The Internet Assigned Numbers Authority (IANA) has defined the address ranges shown in Table 3-2 as being available for private use. A technology such as network address translation (NAT) is used to enable devices using private IPv4 configurations to communicate with the internet.

Configuring an IPv4 connection

Devices running Windows 10 are configured to obtain an IPv4 configuration automatically by default, as shown in Figure 3-3.

Typically, Windows 10-based devices obtain their IPv4 configurations from a Dynamic Host Configuration Protocol (DHCP) service, perhaps running on a Windows Server 2019 server computer, or provided as a service on a device such as a router or wireless access point (wireless AP).

To view or configure the IPv4 settings on your computer, perform the following procedure:

1. Right-click the network icon in the system tray and then select Open Network & Internet settings.

2. Select Change adapter options.

3. Right-click the appropriate network adapter and then select Properties.

4. Double-click Internet Protocol Version 4 (TCP/IPv4).

You can then configure the IPv4 settings. Select Use The Following IP Address and then specify the following: IP Address, Subnet Mask, Default Gateway, Preferred DNS Server, and Alternative DNS Server (Optional).

You can also configure a number of options from the Advanced TCP/IP Settings dialog box. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, select Advanced to open the Advanced TCP/IP Settings dialog box, shown in Figure 3-4.

Configure the options on the following tabs:

• IP Settings Enables you to configure additional IPv4 addresses and default gateways manually for this network interface.

• DNS You can define additional DNS server addresses for name resolution and additional DNS suffix processing options.

• WINS The Windows Internet Name Service (WINS) is an older name resolution service used by earlier versions of Windows and Windows Server. Generally, you do not need to configure anything here.

Netsh interface ipv4 set address name="Ethernet" source=static addr=192.168.17.1
mask=255.255.240.0 gateway=192.168.31.254

Set-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.17.1

Overview of IPv6

It’s still the case that almost all computers and other devices connect to the internet by using an IPv4 configuration. However, more network services and devices now require an IPv6 configuration, so it’s important to understand the IPv6 fundamentals, including how to configure IPv6. There are a number of reasons to consider IPv6. These include:

• Services that require IPv6 Services, such as DirectAccess, use IPv6 to facilitate remote connections.

• Larger address space IPv6 uses a 128-bit address space, providing a vast increase in the availability of addresses for devices on the internet.

• Hierarchical addressing IPv6 uses a structured address space, which is more efficient for routers, helping to optimize network communications.

• Support for stateless and stateful autoconfiguration You can configure your IPv6 devices to use DHCPv6 to obtain a stateful configuration, or you can rely on router discovery to use a stateless configuration, simplifying the process of enabling IPv6 on your network devices.

IPv6 addressing

As mentioned, IPv6 uses a 128-bit addressing scheme. This is usually written in hexadecimal. The following is an example of an IPv6 address:

Click here to view code image

2001:CD8:1F2D::2BB:FF:EF82:1C3B

IPv6 uses the following three address types:

• Unicast addresses Packets are delivered to a single interface.

• Multicast addresses Packets are delivered to multiple interfaces.

• Anycast addresses Packets are delivered to multiple interfaces that are the closest in routing distance.

Unlike IPv4, IPv6 does not use broadcast messages. Instead, unicast and anycast addresses in IPv6 can have the following scopes:

• Link-local IPv6 hosts on the same subnet

• Site-local IPv6 hosts in the same organization, also known as private site addressing

• Global IPv6 internet addresses

Configuring an IPv6 connection

Configuring IPv6 is almost identical to the process of configuring IPv4. By default, Windows 10 uses automatic IPv6 configuration. If a DHCPv6 server is available, it obtains its configuration from that service; otherwise, it will use stateless autoconfiguration.

As with IPv4, you can use the Windows user interface to configure IPv6, as shown in Figure 3-5, or you can use Netsh.exe or Windows PowerShell.

To review or configure the IPv6 settings on your computer, perform the following procedure:

1. Right-click the network icon in the system tray and then select Open Network & Internet Settings.

2. Select Change Adapter Options.

3. Right-click the appropriate network adapter and then select Properties.

4. Double-click Internet Protocol Version 6 (TCP/IPv6).

Numerous Windows PowerShell cmdlets are available that you can use to review and configure IPv6 network settings, some of which are described in Table 3-4.

For example, to change the IPv6 configuration for a network connection with Windows PowerShell, use the following cmdlet:

Click here to view code image

Set-NetIPAddress -IPAddress 2001:CD8:1F2D::2BB:FF:EF82:1C3B -PrefixLength 64

Configure name resolution

Devices running Windows 10 communicate over networks by using names rather than IPv4 or IPv6 network addresses. A service on the Windows 10–based device, known as a client resolver, resolves names into IPv4 or IPv6 addresses. To configure Windows 10 networking, you must know how to configure name resolution.

Although IP addressing is not especially complex, it is generally easier for users to work with host names rather than with the IPv4 or IPv6 addresses of hosts, such as websites, to which they want to connect. When an application, such as Microsoft Edge, references a website name, the name is converted to the underlying IP address by using a process known as name resolution. Windows 10–based devices can use two types of names:

• Host names A host name, up to 255 characters in length, contains only alphanumeric characters, periods, and hyphens. A host name is an alias combined with a fully qualified domain name (FQDN). For example, the alias computer1 is prefixed to the domain name contoso.com to create the host name, or FQDN, of computer1.contoso.com.

• NetBIOS names Less relevant today, NetBIOS names use a nonhierarchical structure based on a 16-character name. The sixteenth character identifies a particular service running on the computer named by the preceding 15 characters. Thus, LON-SVR1[20h] is the NetBIOS server service on the computer called LON-SVR1.

The way a client computer resolves names varies based on its configuration but is typically resolved as indicated in Figure 3-6.

The following process identifies the typical stages of name resolution for Windows 10–based devices.

1. Determine whether the queried host name is the same as the local host name.

2. Search the local DNS resolver cache for the queried host name. Windows 10 updates the cache when records are successfully resolved. In addition, Windows adds the contents of the local Hosts file to the resolver cache.

3. Petition a DNS server for the required host name.

netsh interface ip set dns name="Ethernet" static 192.168.16.1

Set-DNSClientServerAddress -interfaceIndex 12 -ServerAddresses ('192.168.16.1')

Configure advanced DNS settings

In addition to configuring the basic DNS client settings, you can configure advanced DNS settings, as displayed in Figure 3-7. To configure these settings, from either the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box or the Internet Protocol Version 6 (TCP/IPv6) Properties dialog box, select Advanced and then select the DNS tab.

The advanced DNS settings are as follows:

• Append primary and connection-specific DNS suffixes This option controls how the DNS resolver on the local client appends the DNS suffixes during queries. For example, if you query www and your computer’s primary suffix is contoso.com, the contoso.com suffix is appended to your query to make www.contoso.com.

• Append parent suffixes of the primary DNS suffix In this example, the parent suffix of contoso.com is com. This option determines whether, after attempting www.contoso.com, the DNS resolver tries www.com.

• Append these DNS suffixes (in order) This option enables you to define suffixes and order them for queries.

• DNS suffix for this connection You can define a DNS suffix for each network interface card installed in your device.

• Register this connection’s address in DNS Windows-based devices can register their IPv4 addresses with DNS servers that support dynamic updates of host records, such as the DNS server role service in Windows Server.

• Use this connection’s DNS suffix in DNS registration This option determines whether the IP addresses and the connection-specific domain name of this connection are registered with DNS.

Set up Windows 10 for a cellular data plan

Some devices with Windows 10 installed can support connectivity by using cellular networks. This is useful for users who cannot always connect to Wi-Fi networks but who still need access to corporate services and resources.

To enable and configure cellular remote access in Windows 10, you must obtain a cellular data plan from a telecom provider. Microsoft can provide this service.

Typically, your telecom provider must provide you with a suitable SIM card for your Windows 10 device. The SIM size might vary depending on the vendor of the device you intend to use. For example, if you or your users are intending to connect using a Microsoft Surface Pro device, you must obtain a Nano SIM from your telecom provider. Note that you can use the SIM card from your cellphone for this, but it must be the right size. Some hardware vendors, including Microsoft, support a built-in SIM, or Embedded SIM (eSIM). This enables you to use cellular data without obtaining a separate, physical SIM from a telecom provider. You can also combine the use of an external SIM and an eSIM, effectively creating a device that has two data plans; perhaps one for business and one for personal use—much like some users use their cellphones with dual-SIM.

After you have installed the SIM into your Windows device, you must configure Windows 10 to connect using cellular data. If you use a Microsoft data plan, you can configure network access simply by running the Mobile Plans app. This app is built into Windows 10. The app detects your eSIM (or SIM) and then guides you through the setup process. To set up cellular network access, use the following procedure:

1. Connect to the internet using a wired or wireless connection.

2. Select the Network symbol on the taskbar, look for Get Connected beneath the name of your mobile operator, and then select Connect with a data plan. This will open the Mobile Plans app.

3. In Mobile Plans, do one of the following, depending on what your computer displays on the screen:

   • On the Connect your device page, enter your cellphone number, and then select Find my mobile operator. This enables you to determine if your telecom provider offers any plans.

     • If they do, select Continue. A webpage opens on your telecom provider’s website. Sign in (using your existing mobile account details) or create a new account if needed, and then follow the steps to add your device to your account.

     • If your provider doesn’t offer plans, select Choose from a list of mobile operators. Choose a new provider, and then select Continue to go to the telecom provider’s website to set up a new account and plan.

   • On the Select a mobile operator to get online now page, select a telecom provider, select Continue to go to their site, sign in, and then choose a plan.

When you want to use your mobile data connection, use the following procedure to connect:

1. Select the Network icon in the system tray.

2. In the list of available networks, choose the mobile network.

If you experience any problems with your cellular connections, use the following steps to troubleshoot your connection:

1. Open the Settings app.

2. Select Network & Internet.

3. Assuming you have an eSIM or compatible SIM, you should see a Mobile tab on the left. Select the Mobile tab.

4. If you have multiple SIMs, then select whichever SIM you want to use for a given data plan, and select Use this SIM for mobile data.

5. Open the Mobile Plans app and choose a mobile operator from those listed.

6. Follow the previous instructions to set up a plan with your telecom provider.

Set up Windows 10 as a mobile hotspot

Windows 10 devices are becoming lighter and more mobile. Often, users have multiple connected devices, including laptops, tablets, and cellphones. Virtually ubiquitous internet connectivity enables users to adopt an “always on” lifestyle. When users face situations where traditional connections, such as corporate Wi-Fi or Ethernet, are not available, they will look for other forms of connectivity, such as Wi-Fi hotspots; they also might use their mobile devices to connect to the internet.

Broadband tethering, referred to as a Windows 10 mobile hotspot, enables users to share their own internet connections with others by enabling the device to function as a wireless “hotspot.” Similarly, users can connect to other users’ shared personal “hotspots,” provided they have the necessary credentials.

To connect to a shared mobile hotspot connection, follow these steps:

1. In Settings, select Network & Internet.

2. As shown in Figure 3-8, select the Mobile hotspot tab.

   

3. In the Share my internet connection from list, choose the appropriate network connection.

4. Select Edit and enter a Network name and Network password. These are used by other users that connect to your device.

5. Finally, enable the Share my Internet connection with other devices option.

VPN protocols

Windows 10 supports four commonly used VPN protocols. Each protocol offers different characteristics and age, as described next. Typically, the newest protocol will be the most secure.

• Point-to-Point Tunneling Protocol (PPTP) PPTP is the oldest and what is considered one of the least secure of all supported VPN protocols. However, it can be used successfully in low-security scenarios because it is very easy to set up and still offers more protection than using PPP over the internet. PPTP creates the tunnel and then can use several authentication methods, including the Microsoft Challenge Handshake Authentication Protocol versions 1 and 2 (MS-CHAP v1 and MS-CHAP v2), Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). If EAP is used, certificates can be used with PPTP; otherwise, they are not necessary.

• Layer 2 Tunneling Protocol (L2TP) This protocol uses the IP security extensions (IPsec) for encryption and encapsulation. L2TP encapsulates the messages with IPsec, and then encrypts the contents using the Data Encryption Standard (DES) or Triple DES (3DES) algorithm. The encryption keys are provided by IPsec using Internet Key Exchange (IKE). L2TP/IPsec can use preshared keys or certificates for authentication. Using a preshared key is useful during testing and evaluation but should be replaced with a certificate in a production environment.

• Secure Socket Tunneling Protocol (SSTP) This is a recent protocol introduced with Windows Server 2008 and supported on Vista SP1 or later. It encapsulates PPP traffic using the Secure Sockets Layer (SSL) protocol, which is widely supported on the internet and passes through TCP port 443, which is the same as SSL. Using the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication protocol together with certificates makes SSTP a versatile and widely used protocol.

• Internet Key Exchange, Version 2 (IKEv2) IKEv2 is most useful for mobile users and is the default protocol for Windows 10 and Windows 8.1 when trying to connect to remote access servers. This protocol is partially supported on Windows 7 and later versions of Windows and provides support for IPv6 traffic and the IKEv2 Mobility and Multi-homing (MOBIKE) protocol through the Windows VPN Reconnect feature, which allows automatic reconnection if a VPN connection is lost. Authentication is offered using EAP, PEAP, EAP-MS-CHAPv2, and smart cards. IKEv2 will not support older authentication methods, such as Password Authentication Protocol (PAP) and Challenge-Handshake Authentication Protocol (CHAP), which offer little protection.

Authenticating remote users

Windows users authenticate using Kerberos when accessing the local network, but for remote authentication, this protocol is not suitable; a separate protocol, which protects against network intrusion, must be used. During the initial negotiation sequence (using PPP) when a client connects to the remote computer, each party must agree on a shared authentication protocol to use. By default, Windows 10 will use the strongest protocol that both parties have in common.

In the Add A VPN Connection Wizard, Windows 10 offers three sign-in options when configuring a VPN, such as:

• Username and password

• Smart card

• One-time password

In addition to these options, you can configure Windows 10 to use the common authentication protocols:

• EAP-MS-CHAPv2 This protocol uses Extensible Authentication Protocol (EAP), which offers the default and most flexible authentication option for Windows 10 clients. It provides the strongest password-based mechanism for the client side, with certificates used on the server side. Authentication can be negotiated based on certificates or smart cards, and EAP-MS-CHAPv2 is likely to be further extended and developed as technology advances. Windows 10 will aim to use this method for authentication connections where possible. IKEv2 connections must use EAP-MS-CHAPv2 or a certificate.

• PAP This is the least secure protocol since it uses plaintext passwords. It should be used only when other authentication methods cannot be negotiated.

• CHAP CHAP is used for down-level client compatibility and has been surpassed by MS-CHAP v2. This protocol uses a preshared key between the client and server to enable encryption to take place.

• MS-CHAP v2 This protocol is stronger than the CHAP protocol, with significantly improved security when partnered with EAP to enable encryption of the password.

Creating a VPN connection in Network And Sharing Center

To create a VPN in Windows 10, from the Network And Sharing Center, under Change your network settings, select Set up a new connection or network and then select Connect to a workplace.

To configure your VPN connection, in the Connect to a Workplace Wizard, provide the following information.

• How do you want to connect? You can connect by using an existing internet connection or by dialing directly to your workplace.

• Internet address This is the name or IP address of the computer that you connect to at your workplace, as shown in Figure 3-10. Typically, this is an FQDN, such as remote.adatum.com.

  

• Destination name This is the name of your VPN connection.

After you have created the VPN connection, from the Network And Sharing Center, select Change adapter settings, right-click your VPN connection, and select Properties. As shown in Figure 3-11, you can then configure additional options as required by your organization’s network infrastructure.

These settings must match the remote access device that your device connects to, and includes the following options:

• Type of VPN Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol with IPsec (L2TP/IPsec), Secure Socket Tunneling Protocol (SSTP), or Internet Key Exchange version 2 (IKEv2)

• Data encryption None, Optional, Required, or Maximum Strength

In the Authentication section, you choose either Use Extensible Authentication Protocol (EAP) or Allow These Protocols. If you choose to use EAP, you then configure one of the following:

• Microsoft: EAP-AKA (Encryption Enabled)

• Microsoft: EAP-SIM (Encryption Enabled)

• Microsoft: EAP-TTLS (Encryption Enabled)

• Microsoft: Protected EAP (PEAP) (Encryption Enabled)

• Microsoft: Secured Password (EAP-MSCHAP v2) (Encryption Enabled)

• Microsoft: Smart Card Or Other Certificate (Encryption Enabled)

If you choose Allow These Protocols, you then configure the following options:

• Unencrypted Password (PAP)

• Challenge Handshake Authentication Protocol (CHAP)

• Microsoft CHAP Version 2 (MS-CHAP v2)

  • Automatically Use My Windows Log-on Name And Password (And Domain, If Any)

Using the Settings app to create and configure a VPN

You can also use the Settings app to create and configure VPN connections. Use the following procedure:

1. Select Start and then select Settings.

2. In Settings, select Network & Internet.

3. Select the VPN tab, and then, in the details pane, select Add a VPN connection.

4. On the Add a VPN connection page, enter the following information:

   • VPN provider: Windows (Built-In)

   • Connection name

   • Server name or address

   • VPN type: Automatic (Default). You can also choose PPTP, L2TP/IPsec with certificate, L2TP/IPsec with pre-shared key, SSTP, or IKEv2.

   • Type of sign-in info: Username and password, Smart card, One-off password, or Certificate.

   • Username and password, although these options are only configurable if you selected username or password as the Type of sign-in info.

5. Select Save.

After you have created the VPN, you can manage it from Network Connections in Control Panel. Alternatively, on the VPN page in the Network & Internet node in Settings, you can select the VPN and then choose Advanced Options. From there, you can reconfigure the VPN’s settings.

VPN profiles

Although manually configuring VPN connections is relatively simple, completing the process on many computers, with the same or similar settings, is very time-consuming. In these circumstances, it makes sense to create a VPN profile and then distribute the profile to your users’ computers.

When you use VPN profiles in Windows 10, you can take advantage of a number of advanced features:

• Always On This feature enables Windows to automatically connect to a VPN. The Always On feature can be triggered by sign-in when the desktop is unlocked, and on network changes. When the Always On profile is configured, the VPN remains always connected unless the user disconnects manually or logs off the device. The profile is optimized for power and performance, and the profiles can be pushed and managed on devices using mobile device management (MDM) tools.

• App-Triggered VPN You can configure the VPN profile to respond to a specific set of apps; if a defined app loads, then the VPN initiates.

• Traffic Filters To protect the server from a remote attack, an administrator can configure policies on a Windows 10 device to inspect and, if necessary, filter VPN traffic before it is enabled to travel over the VPN. Two types of Traffic Filter rules are available:

  • App-based rules An app-based rule will only enable VPN traffic originating from applications that have been marked as being allowed to traverse the VPN interface.

  • Traffic-based rules Enterprise-level traffic-based rules enable fine-tuning of the type of traffic allowed. By using the industry-standard rules covered by five tuple policies (protocol, source IP address, destination IP address, source port, and destination port), administrators can be very specific on the type of network traffic that is allowed to travel over the VPN interface.

    An administrator can combine both app-based rules and traffic-based rules.

• LockDown VPN The LockDown VPN profile is used to enforce the use of the VPN interface. In this scenario, the device is secured to only allow network traffic over the VPN, which is automatically always on and can never be disconnected. If the VPN is unable to connect, then no network traffic will be allowed. The LockDown profile overrides all other VPN profiles and must be deleted before other profiles can be added, removed, or connected.

You can create and distribute Windows 10 VPN profiles with these advanced settings by using Microsoft Intune and/or Endpoint Configuration Manager.

Enable VPN Reconnect

VPN Reconnect uses the IKEv2 protocol with the MOBIKE extension to automatically reestablish a lost VPN connection without user intervention. For mobile users, the prevalence of dropped Wi-Fi or LTE connections can be frequent because of volatile signal strength. It is best to use and configure VPN Reconnect for your mobile users because doing so reduces the frustration of having to reconnect manually, and it will also increase productivity.

The network outage time can be configured from 5 minutes up to an interruption of 8 hours. To enable VPN Reconnect, follow these steps:

1. On the taskbar, in the search box, enter VPN.

2. Select VPN settings from the returned list.

3. In the Settings app, select Change adapter options.

4. Select the appropriate VPN adapter, and then select Change settings of this connection, as shown in Figure 3-12.

   

5. Select the Security tab in the VPN Properties dialog box, and select Advanced settings.

6. In the Advanced Properties dialog box, select the Mobility option on the IKEv2 tab.

7. Modify the Network outage time as necessary.

8. Select OK twice.

Network troubleshooting tools

Windows 10 provides a number of tools that you can use to diagnose and resolve many network-related issues. These tools are described in Table 3-5.

Troubleshoot name resolution

Many network failures can be caused by a failure in name resolution, such as when the wrong server IP address is returned or a service has not registered itself with a DNS server correctly (or at all). When troubleshooting name resolution issues, use a suitable procedure, which might consist of the following steps:

1. Clear the DNS resolver cache. Use the Ipconfig /flushdns command from an elevated command prompt. Clearing the cache ensures that all subsequent name resolution attempts are performed rather than being satisfied from DNS resolver cache. You can also use the Clear-DnsClientCache Windows PowerShell cmdlet to achieve the same thing.

2. Attempt to verify basic connectivity by using an IP address. Use the Ping command, or the test-connection Windows PowerShell cmdlet, to verify communications to an IP address; for example, type test-connection 172.16.16.1.

3. Attempt to verify connectivity to a host name. Using the same tools, check whether you can communicate with a host by using its name, for example, test-connection LON-DC1. If this is successful, it is likely that your problem is not related to name resolution.

4. If the test is not successful, edit the Hosts file. Add the correct IP address and name to your hosts file. For example, add the line 172.16.16.1 LON-DC1.adatum.com to C:WindowsSystem32DriversEtcHosts. Repeat the procedure to verify connectivity to a host name. Name resolution should now be successful.

5. Display the resolver cache. Use the Get-DnsClientCache cmdlet (or use IPConfig /displaydns) to verify that the entry appears in a resolved cache. You have proven that the problem is likely a name resolution issue. Remove the entry from the Hosts file and clear the resolver cache.

6. Test the name server by performing a query against it by using the Resolve-dnsname lon-DC1.adatum.com cmdlet. Alternatively, use the NSLookup .exe -d2 LON-cl1.adatum.com command. You can review the partial output from the Resolve-dnsname cmdlet in Figure 3-13.

The information returned from the name server test shows IP addresses of the server you queried against. It also shows which name servers provided the response. It is important to know how to interpret this returned information to diagnose any failures or faults properly.

Modes

Wireless networking can be configured in one of three modes:

• Ad-hoc This setting enables you to configure a wireless connection between devices in a peer-to-peer manner without requiring a wireless access point (AP).

• Wi-Fi Direct This setting is a wireless networking standard that you can use to connect your wireless devices without a wireless AP. Similar to ad hoc wireless networking, it is typically used to connect to peripherals such as printers and media players.

• Infrastructure Based on wireless APs, infrastructure networks consist of wireless local area networks to enable communications between wireless client devices.

Standards

To ensure compatibility between wireless networked devices, a number of standards have evolved. The 802.11x wireless standards are described in Table 3-6.

Security

It is comparatively easy to gain access to a wireless network, so it is important to secure network traffic on your wireless network infrastructure. A number of wireless security standards exist that can help, as described in Table 3-7. When choosing a security method, ensure that your wireless devices and infrastructure support that method.

Configure wireless settings

After you have selected the appropriate wireless infrastructure components and chosen your wireless security standard, you must set up and configure your wireless network in Windows 10.

Connect to a wireless network

To connect to a wireless network, in the system tray select the network icon to review a list of available wireless networks. Select the appropriate network and then select Connect. Enter the required security information as displayed in Figure 3-14 and select Next.

Configure existing wireless networks

To review or edit your existing wireless networks, from Settings select Network & Internet. On the Wi-Fi tab, displayed in Figure 3-15, you can configure the following options:

• Show available networks Enables you to review the currently available Wi-Fi networks within range of your device.

• Hardware properties Enables you to review the properties of your Wi-Fi connection, including SSID, Protocol, Security type, Network band, Network channel, IPv4 and IPv6 configuration, and details about your Wi-Fi adapter.

• Manage known networks Enables you to review, configure, or forget any Wi-Fi networks to which your device has connected. To forget a Wi-Fi connection, select it, and then select Forget. To configure a Wi-Fi network, select it, and then select Properties. You can then review or configure the following:

  • Connect Automatically When In Range

  • Network Profile: Public Or Private. This option is only available when you are connected to the specific Wi-Fi network.

  • Set As Metered Connection

• Random hardware addresses Enables your computer to use a different hardware address for each network to which it connects. This can help secure your device by making it harder to track your device’s location.

• Hotspot 2.0 networks Under this heading, you can enable the following option:

  • Let Me Use Online Sign-Up To Get Connected

Advanced settings

To configure advanced wireless settings, from the Network And Sharing Center, under View Your Active Networks, select the wireless network you want to configure, as shown in Figure 3-16. Then, in the Wi-Fi Status dialog box, click Wireless Properties. You can then view the security settings for your wireless network connection.

You can also manage wireless networks by using Netsh.exe. For example, to list the wireless network profiles on your computer, type:

Netsh wlan show profile

Need More Review? Using Netsh.Exe to Manage Wireless Networks

To find out more about managing Wi-Fi settings by using Netsh.exe, refer to the Microsoft website at https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd744890(v=ws.10).

Configuring Wi-Fi Direct

Wi-Fi Direct is a standard developed with the Wi-Fi Alliance, is fully supported by Windows 10, and enables Wi-Fi Direct devices to connect seamlessly to one another. This can be achieved by using Miracast over Infrastructure (which uses Ethernet if a network access point or secure ad hoc Wi-Fi network is available) or over a private ad hoc wireless network as and when required.

Wi-Fi Direct enables you to interact with other hardware—for example, to print to a wireless printer or to send your PowerPoint presentation to an external display.

Devices that are utilizing Wi-Fi Direct include mobile phones, cameras, printers, TVs, PCs, and gaming devices, such as Xbox One.

Wi-Fi Direct is similar to Bluetooth, but 10 times faster. Wi-Fi Direct transfers data at up to 250 Mbps, whereas Bluetooth 4.0 transfers data at up to 25 Mbps.

As the technology continues to mature, Microsoft has upgraded and enhanced the application programming interface (API) support with Windows 10 for developers to use when writing their software. Original equipment manufacturer (OEM) vendors are gradually incorporating Wi-Fi Direct into their devices, such as printers utilizing Wi-Fi Direct. Unlike with Bluetooth, only one device needs to support Wi-Fi Direct, though they will still pair in much the same way as Bluetooth. For example, Miracast enables a Windows device to wirelessly display on to a projected screen, such as a TV or projector. Miracast is ideal for enabling screens that do not have built-in support for Wi-Fi Direct because it uses a High-Definition Multimedia Interface (HDMI) adapter, which plugs into the remote screen. Windows 10 can wirelessly connect to the Miracast adapter.

To use the Wi-Fi Direct technology, a user will turn on or enable the Wi-Fi Direct device, such as a Miracast adapter or printer, and Windows 10 will locate the device wirelessly and connect. Once the device is connected, application files that are required for the user interface, such as display or printer dialog screens, are received directly from the Wi-Fi Direct device.

Some characteristics of Wi-Fi Direct are as follows:

• Distance between devices (ad hoc Wi-Fi) Compared with Bluetooth, which creates a personal area network of just a few feet, Wi-Fi Alliance states that Wi-Fi Direct devices can reach each other over a maximum distance of up to 656 feet.

• Security Wi-Fi Direct uses either WPA2-PSK or WPA2-Enterprise security, which uses AES 256-bit encryption with a key-based encryption and authentication method.

• Speed Wi-Fi Direct claims device-to-device transfer speeds of up to 250 Mbps.

• Services Wi-Fi Direct Send, Wi-Fi Direct Print, Wi-Fi Direct for DLNA, Miracast, and Miracast over Infrastructure are the five services that currently utilize the Wi-Fi Direct standard.

To set up Wi-Fi Direct in Windows 10, you need a compatible network adapter. Type ipconfig /all at the command line and verify that one of the network adapters listed returns the Description value Microsoft Wi-Fi Direct Virtual Adapter, as shown in Figure 3-17.

After you have checked that your wireless network adapter supports Wi-Fi Direct, use the Netsh.exe command-line tool to set up your Wi-Fi Direct network. You can use the following command to start the process of enabling Wi-Fi Direct:

Click here to view code image

netsh wlan set hostednetwork mode=allow ssid=Wi-Fidirect key=passphrase

Use the following command to start Wi-Fi Direct:

Click here to view code image

netsh wlan start hostednetwork

To stop the Wi-Fi Direct network, use this:

Click here to view code image

netsh wlan stop hostednetwork

Select file systems

Windows 10 supports many file systems, including NTFS, ReFS, exFat, FAT32, and FAT, which are described in Table 3-8. The most commonly used file systems are NTFS and FAT32, with ReFS becoming popular for servers and storage applications.

ReFS

Windows 10 includes support for the more recent Resilient File System (ReFS), which has been designed to respond to the increased scale, access speed, and distributed nature of storage currently available. ReFS is not intended to replace NTFS but offers benefits to users such as storage stability, flexibility, scalability, and availability.

ReFS offers enhanced data integrity and self-healing capabilities with the intention that repairs can be made while the operating system remains online.

Storage Spaces uses ReFS and is covered later in this chapter. When Storage Spaces is configured to use ReFS, it can automatically repair corrupted data to ensure that data is always available and resilient during drive failures.

Some ReFS characteristics are:

• Maximum file size of 16 exabytes (EB)

• Maximum volume size of 1 yottabyte (YB)

• Compatibility with existing APIs and technologies

• Does not support NTFS compression or Encrypting File System (EFS)

• Cannot boot Windows 10 from an ReFS volume

• Built-in resilience:

  • Transactional write model—Offers protection against power failures

  • Proactive repairing/self-healing—Corruption detection, automatic repairs

  • Data integrity—Reduces disk corruption through checksums employed on metadata

• Improved availability—Repairs ReFS volumes while still online

• Scalability—Works with extremely large datasets, in excess of 1 petabyte (PB)

ReFS supports long file names and file paths, with the total path size limited to 32,768 characters.

Use File Explorer to manage files and folders

The most common tool used to manage files and folders is File Explorer, which is located on the taskbar and on the Start screen. Typical functions provided through File Explorer include:

• Creating new folders and files

• Viewing and accessing files and folders

• Searching for files and information contained in files

• Managing properties of files and folders

• Previewing contents or thumbnails of files and folders

The Quick Access area is new in Windows 10 and appears at the uppermost left area of the File Explorer navigation pane; it includes pinned shortcuts for frequently used files and folders such as the Desktop, Downloads, Documents, Pictures, and Music. As you browse and access files in other folders on your computer, folder shortcuts for these items appear in the right navigation pane under Frequent Folders or Recent Files. You can modify the behavior of Quick Access by right-clicking Quick Access and selecting Options to open the Folder Options dialog box displayed in Figure 3-18.

On a shared computer, you might want to clear the check boxes for Show Recently Used Files In Quick Access and Show Frequently Used Folders In Quick Access.

Set file and folder permissions

Volumes formatted using either NTFS or the more recent ReFS enable you to configure file and folder permissions. File permissions are robust, reliable, and effective, and they enable you to configure granular permissions on both files and folders that determine how individual users and groups can use the objects.

The creator of the resource, such as a file or folder, is automatically assigned the special status of creator-owner, and the creator can grant or deny permissions to it. Administrators and anyone given the Full Control permission also can modify permissions for that file or folder.

To modify permissions to a file or folder, select the Security tab in the object’s properties, as displayed in Figure 3-19.

If a user leaves your organization or their account is deleted, an administrator can take ownership of the users’ files and folders to modify permissions by changing the Owner principal found in the Advanced settings in Properties.

If you have the permission to modify the security settings in the access control list (ACL), you can add or remove users or groups and then grant or deny a specific permission level. In organizations, you assign permissions to groups rather than to multiple users because doing so minimizes administrative effort.

Review the abbreviations relating to objects that you might use when applying security permissions, as shown in Table 3-9.

When configuring permissions for files and folders, you can configure basic or advanced permissions. Unless you are seeking a very fine degree of control to a resource, you typically work with basic permissions and assign them to groups and users, as described in Table 3-10.

Basic permissions are easier to manage and document. Under the hood, a basic permission is made from a combination of individual advanced special permissions. Consider that permissions for folders can have a different effect on files, as described in Table 3-11.

Behind the basic permissions is a matrix of 13 advanced permissions that can also be applied to files and folders. Each basic permission is a collection of one or more advanced permissions, as described in Table 3-12.

We recommend that you use basic permissions unless there is a clear requirement for setting advanced permissions; otherwise, the permissions can become complex and difficult to troubleshoot. If you do use the advanced permissions, it is best practice to document any modifications so that you can review the configuration and, if necessary, reverse the settings.

Many inexperienced users who configure file permissions can complicate the settings on files by setting advanced permissions (frequently using deny permissions) and setting permissions for individual users instead of setting permissions for groups. There is a strict canonical order or hierarchy of how Deny and Allow permissions can interoperate, and the general rule is that a Deny setting prevents an Allow setting.

Review Table 3-13 to understand the relationship between Deny and Allow settings and how the behavior changes, depending on how the setting is applied.

Although most administrators will use File Explorer to set individual ACLs for files and folders, you can also use Windows PowerShell or the ICACLS command-line utility.

Windows PowerShell offers two cmdlets that you can use to manage file and folder permissions: Get-Acl and Set-Acl. For additional information and examples of how to use these cmdlets, type Get-Help Get-Acl or Get-Help Set-Acl.

ICACLS enables you to configure and view permissions on files and folders on a local computer. Some of the most common ICACLS parameters and permission masks are described in Table 3-14.

To grant a permission, use the /grant switch, as the following example on an existing file called My New Files in C:Working Folder shows:

1. Open File Explorer.

2. Navigate to the folder on which you want to set permissions.

3. Select File and then select Open Windows PowerShell as administrator.

4. Run the following command:

   Click here to view code image

   Icacls 'My new files.rtf' /grant 'Demo:(OI)(M)'

5. Enter Icacls 'My new files.rtf' to review the permissions.

Understand permissions inheritance

Setting file permissions on hundreds of files and folders would take a long time, especially if each setting were configured manually. Fortunately, you don’t need to because, by default, NTFS and ReFS security permissions are inherited from their parent folder. In this way, permissions “flow” from top to bottom and follow the folder hierarchy. By default, inheritance is enabled because this facilitates more efficient administration. NTFS enables you to disable inheritance from flowing from a parent folder to the child.

You can review the inheritance status of a file or folder in File Explorer by following these steps:

1. Open File Explorer.

2. Navigate to the folder whose inheritance settings you want to review.

3. Right-click the file or folder, and select Properties and then select Advanced.

4. On the Permissions tab, review the permission entries and notice the Inherited from column, as shown in Figure 3-20.

Figure 3-20 shows a Disable Inheritance button. If you select this button, you are presented with two choices, as shown in Figure 3-21.

In the Block Inheritance dialog box, there are two options:

• Convert inherited permissions into explicit permissions on this object Prevents inherited permissions from being able to “flow” from top folders to the subfolders. Current inherited permissions are changed by the system from implicit permissions to explicit permissions. This can result in hundreds or thousands of inherited permissions being changed into explicit permissions.

• Remove all inherited permissions from this object Removes all permissions and gives you a folder structure with no permissions set. Care needs to be taken with this option because it is very easy to remove all access—even system access—to the file structure.

The option to convert inherited permissions to explicit permissions stops inheritance from flowing from the parent folders and changes the permissions on all child items from implicit permissions to explicit permissions. You can then modify the permissions.

If you choose the second option, Remove All Inherited Permissions From This Object, you completely remove all permissions. This provides you with a folder structure with no permissions at all.

Both options are powerful and can have far-reaching effects. Best practice recommends employing inheritance wherever possible to ease administration. You should also document and test your outline folder structure before it becomes too large. A big change on a small structure is simple to put in place, whereas modifying a large, established file structure could be cumbersome.

Understanding move, copy, and permissions inheritance

When you have to move or copy a folder from one location to another, you should understand how NTFS will perform the task with respect to how permissions on the resource are modified. Table 3-15 describes the behavior that NTFS adopts when copying files from one folder to another folder, and between partitions.

When you copy a file or folder within the same volume or between volumes, the user must have Read permission for the source folder and Write permission for the destination folder.

When you move a file or folder within the same volume or between volumes, you need to have both Write permission for the destination folder as well as Modify permission for the source file or folder. This is because Windows 10 will move the resources (Write) and then delete (Modify) the resources from the source folder once it has completed the copy to the destination folder.

View Effective Access

You might be required to determine the access that a user has to a resource. Within the Advanced options of an object’s Security settings, you will find the Effective Access tab (previously called Effective Permissions), as displayed in Figure 3-22. When setting permissions in a corporate environment, you should verify that NTFS permissions are applied correctly and use the Effective Access feature to ensure that the results are as expected.

For example, for a resource, if you assign a user the Read permission and assign the Modify permission to a group that the same user is a member of, the effective access permissions are a combination of the Read permission and the Modify permission, which is the Modify permission.

When you combine permissions that include Deny permissions, NTFS will evaluate the Deny permissions before the Allow permissions that are set on the same resource, with explicit Deny taking precedence over all Allow permissions.

If Deny and Allow permissions are set at different levels within a folder structure, or nested within each other, that can create unexpected results. For example, if Deny is set at the top-level folder and an Allow permission is set at its subfolder, Allow can take precedence and override Deny because the Allow permission is explicit and not implicit.

When assigning permissions to several groups, remember that the security settings have a cumulative effect; you should review the effective permissions obtained for the user by following these steps:

1. Open Windows Explorer.

2. Navigate to the file or folder whose effective permissions you want to view.

3. Right-click the file or folder, select Properties, and select the Security tab.

4. Select Advanced and then select the Effective Access tab.

5. Next to User/Group, select Select a user.

6. In the Select User or Group dialog box, click in the Enter the object name to select (examples) box, enter the name of a user or group, and then select OK.

7. Select View effective access.

   You should now be able to review the detailed effective permissions of the user or group for that file or folder.

Be careful when using the Effective Access tool and reviewing permissions on folders that you own since the permissions given to the Creator Owner of the object are not taken into account.

Take ownership of resources

It is possible to remove access to a particular user or group on an object, such as a folder. Sometimes, this happens accidentally when configuring permissions, but typically, it will happen when the user who originally created the resource leaves the organization and the resource is then said to be “orphaned.”

In the Advanced Security Settings dialog box for an object, you will find the Effective Access tab, and at the top of this screen, as shown in Figure 3-22, is an option to change the object owner. As long as you have administrative privileges, you can take ownership of the object and allocate it to another user or group. You can reset the permissions of all the folders, files and subfolders using the command icacls <file name> /reset, using an elevated command prompt.

Resolve file permission issues

The type of security that can be configured on Windows 10 is determined by the file system in place. NTFS, the default underlying file system, offers several security options, but you may also encounter removable drives or legacy systems that use FAT, FAT32, or exFAT, none of which offers file security.

It has been many years since NTFS was established as the default file system of choice for all recent Windows client and server operating systems. NTFS file permissions offer administrators a powerful tool for granting, controlling, auditing, and denying access to resources. Unlike share-level permissions, NTFS operates at the file level, which means NTFS permissions are applicable to resources shared over a network or accessed locally.

When troubleshooting resource access issues, you must determine the following:

1. Is the file system in NTFS?

2. Are the files and folders being accessed locally or over the network?

It is easy to test if the file system is using NTFS by checking to see if there is a Security tab on the volume on which the resource resides, as shown in Figure 3-23. The Security tab relates to NTFS permissions.

File and folder permissions can be complex and sometimes difficult to manage, especially for an inexperienced administrator. Often the most challenging environment is one in which a newly hired administrator must adopt an existing organization, which has an existing problematic NTFS permission infrastructure in place that has very little documentation. Required small changes can sometimes have unintended consequences, which pose security risks.

The role of the system administrator is to optimize data security and to make sure that data is accessible to the right users. If users are denied access to files to which they have rights or are given access to privileged files, it is a major problem that needs immediate remediation.

File and folder permissions are cumulative, which means a user may have been given various group memberships as well as explicit permissions to resources that they are able to access. If a user has not been given any implicit or explicit permissions, they will not have access. If a combination of permissions for a resource has been set, you’ll need to calculate the cumulative effect of all permissions.

Faced with an issue resulting from lack of access or over privilege, you need to start troubleshooting the problem by determining the effective permissions for the files or folders in question. Establish the scope. For example, who does this problem affect, and is it confined to a single user or a group of users? Establishing the effective permissions will allow you to quickly determine permissions that apply and provide you with a starting point.

User-effective permissions are based on the total of all permissions that they have been granted or denied. Take special care to look for any Deny permissions because these are infrequently set. However, when Deny permissions are set, they are powerful because any explicit Deny permission will have precedence over Allow entries.

Configure folder shares

When you share a folder, other users can connect to the shared folder and its contents across the network. Shared folders available on the network are no different from normal folders, and they can contain applications, corporate data, or private data.

When creating a network share, be careful that you do not accidentally provide access to a user or group of users who should not have access. By default, everyone on the network is given read access to the share, although you can change this setting.

Normally, a shared folder is located on a file server, but in a small network environment, the sharing can be located on a Windows 10–based computer or network-attached storage (NAS) device. When you’re choosing the device or server, keep in mind that the resources should be available whenever the users need them and that, often, this means the server is always on.

By providing a central location for shared folders to reside on, you enable the following features:

• Simplification of management

• User familiarity

• Ease in backing up data

• Consistent location and availability

When a user tries to use resources accessed on a shared folder, the access permissions are determined by taking into consideration both the share permission and the NTFS security permissions. The most restrictive set of permissions prevail.

Ensure that you do not create shared folders where the share permissions (SMB) become the primary access security mechanism. They are more restrictive than the NTFS permissions because users gaining access to the resource locally or by logging on through Remote Desktop would completely bypass SMB permissions. It is therefore essential for NTFS permissions to be configured independently to protect the resource.

To allow access to a locally stored folder across a network, first share the folder. Files contained in folders are also shared, but files cannot be specifically shared independently, except from within a user profile.

Server Message Block

Shares are provided by the Server Message Block (SMB) application-layer network protocol and not by NTFS. You can see what version of SMB your Windows 10 operating system is using by following these steps:

1. Sign in to your computer by using an administrative user account.

2. Open File Explorer and navigate to a shared or mapped folder on the network so that the shared files are visible in the right navigation pane.

3. On the File Explorer menu, select File and then select Open Windows PowerShell As Administrator.

4. Accept UAC if prompted.

5. Enter the Windows PowerShell cmdlet Get-SmbConnection.

   Windows PowerShell should report the SMB version (dialect) in use, as shown in Figure 3-24.

Need More Review? SMB 3.0 OVERVIEW

This Microsoft resource, although focused on Windows Server and SMB 3.0, offers useful information about the benefits of using the latest version of SMB compared to previous versions. Visit https://docs.microsoft.com/windows-server/storage/file-server/file-server-smb-overview.

Configure Network Discovery

The network discovery feature was introduced in Windows Vista and uses a new layer 2-level protocol called Link Layer Topology Discovery (LLTD). It allows Windows to identify other devices present on the local subnet and, when possible, establish the quality of service (QoS) bandwidth capabilities of the network.

Knowing what is on the network increases the communication between devices. One downside of this increased awareness capability is that the firewall security settings are slightly relaxed. This means that not only does your computer see other network computers and devices, it also becomes discoverable on the network by other Windows clients.

Exam Tip

Administrators working in a domain environment can manage the settings of the two network discovery settings, LLTD Mapper (LLTDIO) and Responder (RSPNDR), in Group Policy settings. The Group Policy settings can be found here: Computer ConfigurationPoliciesAdministrative TemplatesNetworkLink Layer Topology Discovery.

Network discovery is tightly linked to network location profiles and to Windows Defender Firewall configuration. As you have seen, by default, network discovery is enabled for devices connecting to networks that are assigned the Domain or Private network location profile, but network discovery is disabled on public networks.

To change network discovery settings, from the Network And Sharing Center, select Change Advanced Sharing Settings. As shown in Figure 3-25, you can then configure network discovery for each network location profile.

Create a share by using the Shared Folders snap-In

You can create and manage file shares centrally on your computer by using the Shared Folders snap-in, which can be loaded into an empty Microsoft Management Console (MMC). You can also use the snap-in found in Computer Management.

When you create a new share in the Shared Folders snap-in, the Create A Shared Folder Wizard appears and guides you through specifying the folder path, share name, description, and other settings, as shown in Figure 3-26.

By default, the share name will be the same as the folder name, and permissions for the share are set at read-only access for the Everyone group, but you can choose other options or full customization by completing the underlying Share Permissions DACL page.

The Shared Folders snap-in enables you to view existing shares and modify their properties, including settings such as offline file status, share permissions, and even the NTFS security permissions.

Exam Tip

To launch the Create A Shared Folder Wizard directly from a command prompt, use Shrpubw.exe.

net share MyShareName=c:TempData /remark:"Temp Work Area"

New-SmbShare -Name MyShareName -Path c:TempData

Share Files by using File Explorer

Files typically cannot be shared without first sharing the parent folder. In Windows 10, files that reside in the user profile, such as Documents, Downloads, and Pictures folders, can be shared. To do this, follow these steps:

1. Sign in to your computer using an administrative user account.

2. Open File Explorer and navigate to the user profile.

3. Right-click a folder, such as Pictures, in the user’s profile.

4. Select Give access to and then select Specific people, as shown in Figure 3-27.

   

5. In the Choose people to share with dialog box, enter a user or group and select Add.

6. Set Permission Level to Read or Read/Write and select Share.

7. Note that you are sharing. The File Sharing Wizard completes, and the files are shared.

8. Optionally, you can use the links in the File Sharing Wizard to send someone the links to the shares.

9. Select Done.

You can also share a file using the Share icon on the Share ribbon bar. Select the file or multiple files and then click Share on the ribbon bar, as shown in Figure 3-28.

The Share option is also available within other apps, including Microsoft Edge. The set of targets, including contacts and other apps, will depend on which apps are installed on your device and offers a simplified method of sharing files quickly and with minimum effort.

Configure shared folders permissions

Permissions that are set on the share determine the level of access a user has to the files in the share. They can be set on FAT or later file systems. When you use NTFS, be careful not to restrict access at the share level, because doing so might affect the effective permissions. You can configure the permissions when you share a folder and set a level that the user or group will have when they connect to the folder through the share across the network.

Sharing permissions have three options:

• Read Users and groups can view the files, but they cannot modify or delete them.

• Change Users and groups can open, modify, delete, and create content, but they cannot modify file or folder permissions; the Change permission incorporates all Read permissions.

• Full Users and groups can perform all actions, including modifying the permissions; the Full permission incorporates all Change permissions.

Unlike in earlier versions of Windows, there is no longer a visual icon or indicator in File Explorer to distinguish whether a folder is shared. All shared folders on your device appear in the Shared Folders node of the Computer Management console. You can also view the shared folders that exist on your device by using the Get-SmbShare Windows PowerShell cmdlet or by typing net view \localhost /all at the command prompt.

After a user has found the share in File Explorer, they can access the files directly. Another common way that users can connect to a shared folder over the network is by using the shares Universal Naming Convention (UNC) address. UNC addresses contain two backward slashes (\) followed by the name of the computer that is sharing the folder and the shared folder name; for example, the UNC name for the Marketing shared folder on the LON-DC1 computer in the Fabrikam.com domain would be:

Click here to view code image

\LON-CL1.Fabrikam.comMarketing

Troubleshoot Share permission issues

Share permissions can cause you many problems when you’re troubleshooting access to files and folders. You need to remember that Share permissions work together with file and folder permissions and that the most restrictive permission will apply. Another common cause of confusion is that Share permissions only affect shared resources over the network.

If your file system is configured with FAT or FAT32, there is no option to configure NTFS or ReFS permissions. If no Security tab is available in the resource’s Properties dialog box, you know that it cannot be formatted with NTFS and the file system is likely to be FAT/FAT32, as shown in Figure 3-29.

If you need to confirm the file system in use, you can view the properties of the drive by following these steps:

1. Open File Explorer and right-click the drive that is under review.

2. Select Properties.

3. On the General tab, review File System.

4. Select OK to close the dialog box.

Disk Management

This is the traditional GUI tool used for performing most configuration and management tasks relating to disks and volumes. The GUI uses the familiar Microsoft Management Console (MMC) that most administrative tools use. You can connect to the disks on a local or remote computer and perform tasks on both basic and dynamic disks and virtual hard disks.

Examples of the types of disk management tasks that you can perform using the GUI include the following:

• Partition creation, including creating a basic, spanned, or striped partition.

• Disk conversion between basic disks to dynamic disks. (To convert a dynamic disk to a basic disk, you must first delete all present volumes.)

• Extending and shrinking partitions.

• Viewing information relating to disk and volumes, such as volume name, layout, type, file system, status, capacity, free space, and percentage of disk free for each volume.

To open Disk Management, follow these steps:

1. Right-click Start and select Disk Management or enter diskmgmt.msc in the search box and then select diskmgmt.

2. Wait for Disk Management MMC to open and load the disk configuration information, as shown in Figure 3-31.

You can use the Disk Management console to convert a basic disk to a dynamic disk by right-clicking the disk you want to convert and then selecting Convert To Dynamic Disk.

Windows PowerShell

Windows PowerShell offers many disk-related tasks from the command line; it can be used locally or remotely and can be scripted. Windows PowerShell now natively enables you to manage disks, volumes, and partitions and perform a range of tasks that cannot be performed using DiskPart or Disk Management.

Table 3-18 details some of the most common Windows PowerShell cmdlets that you should become familiar with.

To shrink a partition in Windows PowerShell, run the following command:

Click here to view code image

Resize-Partition -DiskNumber 0 -PartitionNumber 2 -Size (50GB)

To create simple volumes in Windows PowerShell, run the following commands:

Click here to view code image

Get-Disk -Number 0 New-Partition -UseMaximumSize -DiskNumber 0 |

Format-Volume -Confirm:$false -FileSystem NTFS -NewFileSystemLabel Simple2 Get-
Partition -DiskNumber 0

Make a note of the partition number you just created to use in the next step:

Click here to view code image

Set-Partition -DiskNumber 0 -PartitionNumber <partition number> -NewDriveLetter G

Windows PowerShell is the preferred command-line method for disk operations. The Windows PowerShell storage cmdlets do not recognize dynamic disks, so we recommend that you use Storage Spaces rather than dynamic disks.

DiskPart

DiskPart is a built-in command-line tool that offers you all the functionality of Disk Management plus some advanced features that can also be scripted into BAT files to automate disk-related tasks. One limitation of DiskPart is that it only runs locally.

To open DiskPart, follow these steps:

1. Open an elevated command prompt.

2. Enter DiskPart.

   DiskPart launches in the command line.

3. For a list of all DiskPart commands, enter help or commands, or enter ?.

4. When you have finished using DiskPart, you can leave the interface by entering Exit and pressing Enter.

The following list shows several DiskPart commands whose functions you should understand:

• Active Marks the selected partition as the active partition

• Add Enables you to add a mirror to a simple volume

• Assign Enables you to assign a drive letter to a selected volume

• Convert Converts between basic and dynamic disks

• Create Enables you to create a volume, partition, or virtual disk

• Extend Extends the size of a volume

• Shrink Reduces the size of a volume

• Format Used to format the volume or partition (for example, FORMAT FS=NTFS LABEL="New Volume" QUICK COMPRESS)

If you want to create a USB bootable drive manually that contains the Windows installation files, you can use DiskPart commands to create, partition, and mark the USB drive as active.

Work with VHDs

A VHD can be thought of as a container object that holds files, folders, and volumes. The container, or VHD, is a single file with the .vhd or .vhdx file extension. You can think of a VHD file being similar in concept to a ZIP file. Analogous container types could include ISO, RAR, and WIM; they are all objects that contain files and folders inside them.

Because a VHD is just a file, it is portable and can be saved and transported on a USB drive or copied over a network. Be aware, however, that VHDs can grow very large, and the original open file format of VHD, which had a maximum size of 2,048 GB, was soon changed to the VHDX format, which allowed up to a 64 TB file size. A VHD can contain data, but you can also install and boot to an operating system using the VHD.

Wherever possible because of the disk-intensive nature of VHD, consider using an SSD to host the VHDs. This is especially applicable if you use a single drive on your Windows 10–based computer and use virtual machines and VHDs as the disk I/O; performance is likely to degrade quickly because of the increased disk read/write times and disk activity.

You can continue to use either the VHD or VHDX specification for your hard drives, but you should know the main differences between the two formats. VHD offers users ease of use and backward compatibility, whereas the VHDX format offers improvements in both scale and functionality. You can compare the two choices in Table 3-19.

There are multiple ways to create a virtual hard disk:

• Client Hyper-V Manager

• Disk Management

• Windows PowerShell

You can also use the DiskPart command-line tool, but this is becoming deprecated in favor of Windows PowerShell, which offers more extensive functionality and support.

Create VHDs with Hyper-V Manager

You can add the client Hyper-V feature to Windows 10 if the computer is running the Windows 10 Pro or Enterprise edition and has hardware that supports virtualization.

To create a virtual hard disk within Hyper-V Manager, complete the following steps:

1. Launch Hyper-V Manager.

2. In the Action pane, select New and then select Hard Disk.

3. Select the format for the disk as VHD, VHDX, or VHD Set, and then select Next.

4. Select the Disk Type (Fixed, Dynamically expanding, or Differencing) and select Next.

5. Provide the virtual disk with a name and storage location and select Next.

6. Configure the disk; the default settings are normally used and will create a new blank VHD with 127 GB. Select Next and then select Finish.

Use Disk Management to create VHDs

The Disk Management MMC includes a wizard that enables you to create a VHD that you can then mount and use. Not all of the VHD options are available in the Disk Management console, such as the ability to create VHD Sets or differencing disks; you should use Windows PowerShell or Hyper-V Manager if these tasks are required.

To create a simple VHD file, follow these steps:

1. Right-click the Start button and select Disk Management.

2. Select Action on the menu bar and then select Create VHD.

3. Select the location where you want to store your VHD.

4. Configure the VHD format and VHD type and select OK.

   The new disk will appear in the lower pane of the screen and display the following characteristics:

   • Unknown Status

   • Not Initialized

   • Disk icon is cyan blue with down-pointing red arrow

5. To use the disk, initialize it by right-clicking the down-pointing red arrow on the disk icon and selecting Initialize Disk.

6. In the Initialize Disk dialog box, ensure that the disk you want to initialize is selected and choose MBR (Default) or GPT partition style and select OK.

   The disk is marked with the status of Basic, and you can now create a partition, allocate a drive letter, and format the drive with a file system just like a normal disk.

Apart from the icon color in Disk Management, there is no other visual indicator in File Explorer or Disk Management to indicate that the disk is virtual. After you have finished using the VHD, you can detach the disk by right-clicking the disk icon in the lower pane of Disk Management and selecting Detach VHD. After you have detached the VHD, the VHD file is no longer locked to Windows 10 and becomes a portable hard drive.

Create VHDs by using Windows PowerShell

Disk Management offers the ability to create basic VHDs in a GUI environment, but if you need to create more complicated VHDs, such as differencing disks, or if you need to create 20 VHDs for a team of developers to work with, it would be easier and quicker to build Windows PowerShell scripts to do so. This section focuses on virtual hard disks.

You can manage every aspect of virtual disks with Windows PowerShell in both production and lab environments. Windows PowerShell enables you to configure, provision, and subsequently maintain all of your virtual estate rapidly. Windows PowerShell can be used to build a full virtual environment, including virtual disks, virtual machines, and virtual networks and switches.

More than 50 cmdlets are available in Windows PowerShell in Windows 10 that enable you to manage virtual and physical disks. This number will expand as new functionality is added. Table 3-20 outlines some of the common Windows PowerShell cmdlets that let you manage disks natively. After a VHD disk has been created, it is managed in the same way as a physical disk.

Two new cmdlets relate to the new VHD Set files, which can be used with Windows Server and Windows 10. These cmdlets are:

• Get-VHDSet Obtains information about a VHD Set file such as a list of all checkpoints that the set contains.

• Optimize-VHDSet Optimizes the allocation of space that VHD Set files use when used with the compact operation to optimize the files. Reclaims unused space and rearranges blocks, normally reducing the size of a VHD file.

To create a VHD, you use the New-VHD cmdlet. You must specify the path to the VHD, the name for the newly created VHD, the VHD type, the size of the disk, and the format type, as shown here:

Click here to view code image

New-VHD -Path D:VHDMyDynamicDisk.vhdx -SizeBytes 100GB -Dynamic

The New-VHD cmdlet executes and creates the VHD. As with Disk Management, the newly created VHD will not be mounted, initiated, or formatted without further action.

Windows PowerShell enables you to string instructions together and then execute them as a single action. The following example creates a new, dynamically expanding, 127 GB virtual hard disk with the .vhdx extension, mounts it, initializes it, and then formats the drive, using NTFS so that it is ready to use:

1. Select Start, enter powershell, right-click Windows PowerShell, and then select Run as administrator. Select Yes in the UAC dialog box.

2. Run the following PowerShell command:

   Click here to view code image

   New-VHD -Path "D:VHDsTest.vhdx" -Dynamic -SizeBytes 127GB | Mount-VHD -Passthru
   |Initialize-Disk -Passthru |New-Partition -AssignDriveLetter -UseMaximumSize
   |Format-Volume -FileSystem NTFS -Confirm:$false -Force

Use Storage Spaces and storage pools

Storage Spaces is a technology that is useful for desktop or server devices that have multiple hard disks that can be combined to provide storage redundancy by pooling separate disks and allowing Storage Spaces to manage their administration effectively.

Storage Spaces uses NTFS and the ReFS file format to configure volumes, which provides greater file resilience through ReFS self-healing capabilities. The redundancy aspects are derived by distributing data across several disk drives and using virtual disk arrays in a RAID configuration or as mirror sets. The operating system maintains the logical disks and presents the virtualized disk as a logical unit number (LUN), which the system can then access. You might have seen the LUN terminology before; it is a term used with Storage Area Network protocols such as Fibre Channel or iSCSI.

The requirements for creating a virtual disk with Storage Spaces are described in Table 3-21.

A storage space is created from a storage pool. As you add additional disks, you can create redundant storage spaces. Four types of storage layouts are available to you with Storage Spaces, as described in Table 3-22.

A further feature that is available with Storage Spaces is how you provision the virtual disk spaces for use. Storage Spaces offers you two schemes:

• Thin provisioning Enables you to allocate an intended storage that has greater capacity than is physically present at the time of creation. If you over-specify the amount of capacity compared to the data you currently have, the storage space engine disregards the extra storage capacity until datasets grow to require the storage. At this point, the extra storage is allocated. At any point, you increase the maximum size of an existing storage space and add drives as they are required at a later date. Thin provisioning is more economical and efficient because it allows organizations to deploy physical storage only when needed, thereby saving on operating costs, such as datacenter rack space costs associated with storing unused drives in situ.

• Fixed provisioning Similar to traditional fixed storage allocation methods, by which you specify that the spaces will not increase beyond the initial storage capacity allocated at the same time as storage space creation. With fixed provisioning, you specify the hard limit for the size of the storage pool.

Configure Storage Spaces

When you have connected your physical drives to your computer, you can configure Storage Spaces by using the following steps:

1. Select Start, enter Storage Spaces, and then select Manage Storage Spaces.

2. Select Create a new pool and storage space.

3. If prompted, accept the UAC prompt.

4. Select the drives you want to add, as shown in Figure 3-32.

   

   All drives that are offline are automatically selected. Storage Spaces automatically identifies available drives to create the storage pool.

5. Select Create pool.

6. When the create pool operation completes, on the Enter a name, resiliency type, and size for the storage space page, shown in Figure 3-33, provide a name for the storage space and select the drive letter you want to use.

   

7. Select either the NTFS or ReFS file system. (Only if you choose a mirrored resiliency type can you format the storage space by using either the NTFS or the ReFS file system.)

8. Select the type of resiliency you require. This will depend on how many drives you have added to the storage space. But options include Two-Way Mirror, Three-Way Mirror, and Parity.

9. Set the Size (maximum) of the storage space. The size can be larger than the current capacity of the storage pool.

10. Select Create storage space to create your storage pool in the storage space.

After the storage pool has been created, the Manage Storage Spaces console manages and maintains it within Control Panel, where you can add, rename, or delete drives. If a physical disk is removed permanently from the pool, it must be reformatted before it can be used in another PC. Just like with mirrored or RAID disk sets, if you need to move the pooled disks to another computer, always move them as a unit so that their integrity is maintained.

As part of your exam preparation, create a storage space, provision a storage pool, and simulate a drive failure. In Figure 3-34, one of the physical drives used to create the storage space has been disconnected from the computer. Even with only one drive, the E drive continues to be available within File Explorer, and applications and users will be unaware of the failure until they review any notification in the Action Center.

If the removed physical drive is replaced, the storage pool checks the integrity of the pool and makes the necessary repairs. When it’s repaired and full operational resiliency is restored, the icon changes from a warning symbol to the check mark indicating that everything is OK, as was originally shown before the disruption.

Storage Spaces can use ReFS for mirrored resilient spaces, offering built-in automatic file repair. This helps prevent data loss and can be carried out while the disks are online and do not require a system reboot to check and repair errors. ReFS and Storage Spaces therefore provide enhanced resiliency in the event of storage device failure.

Manage Storage Spaces by using Windows PowerShell

You can script the creation, repair, and administration of Storage Spaces by using Windows PowerShell. There are many more storage management–specific cmdlets that relate to storage operations. Some of the Storage Spaces–specific cmdlets that can be used are described in Table 3-23.

To list all the cmdlets that are available, use the Get-Command -Module Storage cmdlet.

Work with removable storage

Removable devices such as USB flash drives and Secure Digital High-Capacity (SDHC) memory cards are common and can offer portability benefits but also pose a potential threat to data security and loss. In this section, you learn how to work with removable devices.

Secure removable devices

Data stored on USB flash drives is inherently insecure and should be protected. This can be achieved by using NTFS permissions, encrypted using EFS, or by using BitLocker encryption. The most appropriate of these methods in an enterprise scenario is likely to be using BitLocker To Go because users understand it easily, and you can manage and configure the feature by using Group Policy.

BitLocker To Go is not designed to replace EFS or NTFS permissions; it adds an additional layer of security and protection on removable drives, including SDHC cards, USB flash drives, and external hard disk drives. BitLocker To Go is available in the Pro, Enterprise, and Education editions of Windows 10 only.

When encrypting removable media with BitLocker To Go, you have two options:

• Encrypt used disk space only Encrypts only the part of the drive that currently has data stored on it. This is quicker and appropriate in most cases.

• Encrypt entire drive Encrypts the full volume, including areas that contain no data, which takes longer to complete.

To enable BitLocker Drive Encryption on a removable drive, perform the following steps:

1. Insert a USB drive into your computer.

2. Open File Explorer and right-click the USB drive in the left pane.

3. Select Turn on BitLocker from the context menu.

4. The Starting BitLocker Wizard appears and initializes the drive.

5. On the Choose how you want to unlock this drive page, choose Use a password to unlock the drive.

6. In the Enter your password and Reenter your password boxes, enter a password and select Next.

7. On the How do you want to back up your recovery key? page, select Save to a file.

8. In the Save BitLocker recovery key as dialog box, select This PCDocuments.

9. In the Save BitLocker recovery key as dialog box, select Save and then select Next.

10. On the Choose how much of your drive to encrypt page, select Encrypt used disk space only (faster and best for new PCs and drives) and then select Next.

11. On the Choose which encryption mode to use page, select Compatible mode (best for drives that can be moved from this device) and select Next.

12. In the Are you ready to encrypt this drive? page, select Start encrypting.

When the encryption has completed, BitLocker is fully enabled on the removable drive. If you eject the USB drive and then insert the drive back into your PC or another computer, Windows 10 prompts you to enter the password to unlock the drive.

OneDrive desktop app

OneDrive is integrated with Windows 10, using the OneDrive app, and when you sign in to Windows with a Microsoft account, a OneDrive folder is created in File Explorer at C:UsersUsernameOneDrive.

To protect against data loss, you should use OneDrive as your preferred location for all your data. When you add, modify, or delete files stored in the OneDrive favorite, your changes are replicated to OneDrive as long as you are online.

If you are using an operating system other than Windows 10, you might still be able to use the OneDrive desktop app; it is available to download from www.microsoft.com/microsoft-365/onedrive/download or the Microsoft Store, and is supported on the following operating systems:

• Windows 7 or newer

• Windows Server 2008 R2 or newer

• macOS Sierra 10.12 or newer

• iPhone, iPad, or iPod touch with iOS 9.0

• Android

• Windows Phone 7.5 or later

• Xbox

The OneDrive app, located in the taskbar notification area, lets you modify synchronization settings. You can choose to synchronize all or selected files and folders from your cloud storage account to your device.

The OneDrive desktop app and sync client is preinstalled on Windows 10 devices and allows you to access your files stored in your online OneDrive if you use a Microsoft account to sign in to the app.

Once the app is configured, you can open File Explorer and locate a OneDrive icon. This icon represents a folder that is where the files you want to be kept in sync will be stored on your PC locally. By default nothing is stored—you must select files and folders and then they will be available.

If you add a new folder in the OneDrive folder within File Explorer, it will be available immediately in the cloud version of OneDrive and will be synchronized.

To configure OneDrive to synchronize folders from your OneDrive to your device, use these steps:

1. Right-click the OneDrive icon in the notification tray and select Settings.

2. On the Account tab, select Choose Folders.

3. On the Sync your OneDrive files to this PC screen select the check boxes for the folders and files that you want to sync.

4. Select OK.

5. On the Account tab, select OK.

The files will begin downloading immediately and the OneDrive app will monitor changes to local files as well as your cloud-based files, and it will maintain the synchronization.

On the notification area, the OneDrive for Business desktop app is colored blue whereas the consumer version is white. When displayed in File Explorer, both icons are blue, and the name of the account is listed after the business version to help differentiate.

OneDrive Files On Demand

OneDrive Files On Demand is a new feature available within OneDrive. This feature allows all your files and folders stored in OneDrive to be viewable within File Explorer on your PC without them actually being downloaded to your hard drive. You will be able to change each file and folder status to configure whether the resource should be stored locally.

You can turn on the Files On Demand feature by using these steps:

1. Sign in to OneDrive using your Microsoft account.

2. Right-click the white or blue OneDrive cloud icon in the notification area.

3. Select Settings.

4. On the Settings tab, select the Save space and download files as you use them box in the Files On-Demand section.

Once that setting is enabled, placeholders for all of your OneDrive content will be displayed in File Explorer. If you want to hide any folders from appearing in the OneDrive location in File Explorer, such as for privacy reasons, you can hide them by using these steps:

1. Sign in to OneDrive using your Microsoft account.

2. Right-click the white or blue OneDrive cloud icon in the notification area.

3. Select Settings.

4. On the Account tab, select Choose Folders in the Choose Folders area.

5. Clear the check box next to the folder you want to hide on this device.

After the OneDrive desktop app has retrieved a list of all files and folders from your OneDrive cloud account, you can browse to your OneDrive folder and see new cloud icons next to each item indicating the status of the file or folder availability as follows:

• Online-only files Online-only files are placeholders only and don’t use space on your computer. If you open the file and your device is connected to the internet, it is downloaded and opened.

• Locally available files After you have downloaded and opened any of your OneDrive files, they become locally available. You can open a locally available file at any time, even without internet access. To remove the local copy of the file, you can right-click the file and select Free Up Space.

• Always available files If you choose the “Always keep on this device” option, files have the green circle with the white check mark. These files will be downloaded to your device and will be always available even when your device is not connected to the internet.

OneDrive web portal

Although integration is tight between the Windows 10 OneDrive app and the online version of OneDrive, the online version currently has slightly more functionality, although it can be slower to manipulate your files, depending on available bandwidth.

In the portal, users can:

• Manage all their files stored on OneDrive.

• Access previous versions of files.

• Access the OneDrive Recycle Bin.

• Buy more storage (Microsoft 365 subscription-based).

• Configure advanced sharing options for files and folders.

• Create Microsoft Excel surveys.

Users of mobile phones can also allow the automatic upload of all photos to their private OneDrive photos folder. With photos consuming some of your free 5 GB cloud storage each time you take a picture, you may be surprised at how quickly the quota is used up, but adding additional storage is relatively inexpensive. If you subscribe to Microsoft 365, OneDrive comes with 1 TB of storage and the ability to install Office applications locally on your PC, Mac, or iPad.

In OneDrive, you can access Microsoft Office Online, which enables you to create Word, Excel, Microsoft PowerPoint, and Microsoft OneNote files. After you create an Office online file, you can share the documents online, collaborate with other users, and edit documents at the same time. In addition, you can create text documents and Excel surveys. The surveys are simple; others can fill them out just by opening the link to the survey. You then see everyone’s response compiled in the online spreadsheet.

Privacy is a significant concern for many users, especially when discussing personal data. Although OneDrive is aimed at consumers and is therefore not suitable (or licensed) for use with enterprise data, Microsoft has upgraded the level of security and encryption to protect data held on the OneDrive service. Data is now protected with Perfect Forward Secrecy (PFS) encryption when you access OneDrive through the web portal, onedrive.live.com, mobile OneDrive application, and OneDrive sync clients.