The Automatic Private Internet Protocol Addressing (APIPA) system provides an alternate configuration to DHCP for automatic IP addressing in small networks. When a computer uses APIPA, Windows Vista assigns itself an IP address and then verifies that it is unique on the local network. To work effectively, APIPA is useful only on a small local area network (LAN) or as a backup to DHCP.

When a Windows Vista computer begins its network configuration, it performs the following procedures:

APIPA defines its IP addresses in the range of 169.254.0.1 to 169.254.255.254. The subnet mask on these addresses is configured as 255.255.0.0. You do have administrative control over APIPA. When Windows Vista selects an address from this range, it then performs a duplicate address detection process to ensure that the IP address it has selected is not already being used, while continuing to query for a DHCP server in the background. If the address is found to be in use, Windows Vista selects another address. The random IP selection occurs recursively until an unused IP address is selected, a DHCP server is discovered, or the process has taken place 10 times.

IP addresses indicate the same type of location information as a street address. A building on a street has a number, and when you add it to the street address, you can find it fairly easily because the number and the street will be unique within a city. This type of address scheme—an individual address plus a location address—allows every computer on the Internet to be uniquely identified.

A static IP address is one that is permanently assigned to a computer on the network. Certain computers require static IP addresses because of their functions, such as routers or servers. Client computers are more often assigned dynamic addresses because they are more likely to be moved around the network or retired and replaced. DSL and cable modem users are usually given a static IP address, whereas dial-up users are provided with dynamic addresses.

As discussed earlier, IP addresses consist of two parts: one that specifies the network and the other that specifies the computer. These addresses are further categorized with classes, as described in Table 6.1.

The portion of the address that decides on which network the host resides varies based on the class and, as you will see further on, the subnet mask. In the following list, the uppercase Ns represent the part of the IP address that specifies the network, and the lowercase Cs represent the part of the address that specifies the computer. This explains why there are differing numbers of networks per class and different numbers of hosts per network, as listed in Table 6.1.

These address portions coincide with the default subnet masks for each address class. A Class A subnet mask is 255.0.0.0, a Class B subnet mask is 255.255.0.0, and a Class C subnet mask is 255.255.255.0.

Subnet masks enable you to reconfigure what constitutes the network portion and what constitutes the computer portion. When you apply the subnet mask to the IP address by using a “bitwise logical AND” operation, the result is a network number. A bitwise logical AND operation adds the bit, whether 1 or 0, to the corresponding bit in the subnet mask. If the subnet mask bit is a 1, the corresponding IP address bit is passed through as a result. If the subnet mask bit is a 0, a zero bit is passed through. For example, if the IP address is 141.25.240.201, you will have the following:

This shows the network address as 141.25.0.0 and the host address as 0.0.240.201. If you add bits to the mask, you will be able to have additional subnetworks when you perform a bitwise logical AND, and each subnetwork will have fewer hosts because fewer bits are available for the host portion of the address. Using the same address, and adding five bits to the subnet mask, you would receive the following:

In this case, the subnet mask changes the network address to 141.25.240.0. The host address changes to 0.0.0.201. Other IP addresses that are under the default Class B subnet mask that would otherwise be part of the same network, such as 140.25.192.15 and 140.25.63.12, are now on different subnets.

For an organization with a large number of physical networks where each requires a different subnet address, you can use the subnet mask to segment a single address to fit the network. You can easily calculate how many subnets and hosts you will receive when you subnet a network. The formula is 2ⁿ − 2, where n is the number of bits. The 2ⁿ is the number 2 raised to the power of the number of bits, and that result minus 2 (the addresses represented by all 1s and all 0s) equals the available subnets or hosts. Therefore, if you have a subnet of 5 bits as is shown here, you are able to achieve 2⁵ − 2 = 32 − 2 = 30 subnets. Because there are 11 bits left for host addresses, each subnet will have 2¹¹ − 2 = 2048 − 2 = 2,046 hosts.

When you multiply 2046 by 30, you will see that you have 61,380 addresses available for network hosts and that you “lost” 4,154 addresses. This is the problem that Classless Inter-Domain Routing (CIDR) solves and is discussed in the sidebar.

Dynamic IP addresses are provided to a computer when it needs to be connected to the network. The provider is the DHCP server. When the computer is disconnected, the IP address becomes available for use by another computer. The address does not become available immediately, however. It is leased for a specified period of time (the administrator specifies this time period when configuring the DHCP server), and when the lease is up, the IP address is placed back in an IP address pool and can be delivered to another computer.

Before DHCP was developed, network administrators were forced to manually assign a separate IP address to each computer on the network. If a user left for a 2-month vacation and the computer was off the entire time, the IP address was unusable by anyone else. If the administrator (yes, to err is human) forgot to reuse an IP address for a computer that was retired, then the number of IP addresses available was also reduced. Other administrative errors included assigning duplicate IP addresses to computers on the network and misconfiguring the subnet mask, default gateway, and DNS server addresses. DHCP resolves these problems.

On a Windows Vista computer, you can configure any network connection to be a DHCP client by selecting the option to Obtain an IP Address Automatically, which is configured in the Internet Protocol (TCP/IP) Properties dialog box. If you change from a manual address to a dynamic one, you need to clear out the manual IP addressing information first.

Whereas IPv4 addresses use dotted-decimal format as already explained in the section, “Features of TCP/IP Version 4,” IPv6 addresses are subdivided into 16-bit blocks. Each 16-bit block is portrayed as a 4-digit hexadecimal number and is separated from other blocks by colons. This addressing scheme is referred to as colon-hexadecimal.

For example, a 128-bit IPv6 address written in binary could appear as follows:

0011111111111110  1111111111111111  0010000111000101 0000000000000000
0000001010101010  0000000011111111  1111111000100001 0011101000111110

The same address written in colon-hexadecimal becomes 3ffe:ffff:21a5:0000:00ff:fe21:5a3e. You can remove any leading zeros, converting this address to 3ffe:ffff:21a5::ff:fe21:5a3e. In this notation, note that the block that contained all zeros appears as “::”, which is called double-colon.

Corresponding to the network portion of an IPv4 address is the prefix, which is the part of the address containing the bits of the subnet prefix. IPv6 addresses do not employ subnet masks but rather use the same CIDR notation used with IPv4. For example, an IPv6 address prefix could be 3ffe:ffff:21a5::/64, where 64 is the number of bits employed by the address prefix.

IPv6 uses the following three types of addresses:

Table 6.2 provides additional details on the IPv6 classes and subclasses:

To assist in the migration from IPv4 to IPv6 and their coexistence, several additional address types are used, as follows:

More information on compatibility addresses and technologies used for transition to IPv6 is available in IPv6 Transition Technologies in the “Suggested Readings and Resources” section at the end of this chapter.

You can configure TCP/IP version 4 on a Windows Vista computer either manually or dynamically. The default method is to dynamically configure TCP/IP. If the infrastructure includes DHCP services that deliver IP addresses to network computers, then a Windows Vista computer can connect upon logon with the default configuration of the network adapter. However, if you need to apply a static IPv4 address and other parameters, your only option is to manually configure the network adapter. Manually configuring one computer is time-consuming and error-prone. Multiply that by hundreds of computers, and you can see why dynamic configuration has become so popular. Step by Step 6.1 describes how to configure TCP/IP.

You can let IPv6 configure itself automatically with a link-local address described previously in Table 6.2. You can also configure IPv6 to use an existing DHCP server, or manually configure an IPv6 address as required. Configuration of IPv6 addresses is very similar to the procedure used with configuration of IPv4 addresses, as Step by Step 6.2 shows.

You cannot remove IPv6 from a Windows Vista computer. However, you can disable IPv6 on a specific connection. Follow steps 1 to 3 of Step by Step 6.2 to access the Local Area Connection Properties dialog box. Clear the check box beside Internet Protocol Version 6 (TCP/IPv6) and then click OK. You can do this selectively for each network connection on your computer.

You can also selectively disable IPv6 components. This is a more complex procedure that involves editing the Registry and is beyond the scope of this book. For more details, refer to Configuring IPv6 with Windows Vista in the “Suggested Readings and Resources” section.

Shared folders are folders on the local hard drive that other users on a network can connect to. For the exam, it is critical that you understand how to manage and troubleshoot connections to shared resources, how to create new shared resources, and how to set permissions on shared resources. The process that Windows Vista uses to share folders is that an administrator selects a folder, regardless of its location in the local folder hierarchy, and shares it through the Sharing tab of the folder’s Properties dialog box. Shares can be managed through the Computer Management console snap-in.

Administrators might find that the Computer Management snap-in is helpful in file and folder security management. You can open Computer Management from within Administrative Tools, which is found in the System and Maintenance category of Control Panel, or by right-clicking Computer and choosing Manage. To manage file and folder security, navigate to the Shared Folders node in the left pane. Double-click Shares to see the shared folders. The hidden administrative shares are followed by a dollar sign ($) and cannot be modified. From the remaining shared folders, select one to double-click and view the security settings on the folder.

Aside from the Public folder (C:UsersPublic) and the default administrative shares, there are no folders that are automatically shared with the network. To share files with other users across the network, you must manually do so for each folder containing the files that you want to share. To share a folder with other network users, you can open any Explorer window and then follow the process shown in Step by Step 6.3.

To add people to the sharing list, follow the procedure of Step by Step 6.3 and select Change Sharing Permissions from the File Sharing dialog box. Then type the name of the required user and click Add. To remove a shared folder, select Stop Sharing from the File Sharing dialog box.

Windows Vista shares folders to others as Reader, which means that the users you specify can view but not modify available files. The Advanced Sharing feature in Vista enables you to modify these properties when necessary.

When granting full access to your local files to other users across a network, your computer becomes vulnerable to both unintentional and intentional attacks. Not only can the data simply be viewed for malicious purposes, such as corporate spying, but it can be altered or destroyed on purpose or accidentally. For this reason alone, you should always grant the most restrictive permissions necessary for a network user to conduct work on those files. Granting just enough permission without being too lenient requires careful consideration. If you are too stringent, users can’t get their jobs done. If you are too lenient, the data is at risk.

Follow Step by Step 6.4 to modify shared folder properties.

Windows Vista provides the Public folder as a location for sharing files as a default. By default, public folder sharing is turned off. To use this folder for sharing files, expand the Public Folder Sharing line under Sharing and Discovery on the Network and Sharing Center. You have the following options at C:UsersPublic:

By default, this folder is located at C:UsersPublic and becomes visible when you select either of the Turn on Sharing options. You can configure additional security options on this folder by accessing its Properties dialog box from this location and following the procedures outlined in Step by Step 6.4.

When you have installed a printer on your computer, you can configure printer sharing from the Sharing and Discovery section of the Network and Sharing Center. Expand this entry and select the Turn On Printer Sharing option. Then click Apply and click Continue on the UAC prompt that appears. By default, printer sharing is enabled with a password required if password-protected file sharing is turned on.

When password-protected sharing is turned on, only users with a local user account and password on your computer can access shared files and printers, including the Public shared folder. To enable others to access shared resources, expand the Password Protected Sharing section and select the Turn Off Password Protected Sharing radio button. Then click Apply and click Continue on the UAC prompt that appears.

Turning media sharing on enables users and devices on the network to access music, pictures, and videos in Windows Media Player and from devices attached to the computer such as digital cameras, portable device assistants (PDAs), cellular phones, and so on. In addition, the computer can locate these types of shared files on the network. To turn media sharing on, expand this entry in the Sharing and Discovery section of the Network and Sharing Center and click the Change button. For further information on media sharing, consult the Windows Vista Help and Support Center.

Windows Vista lets you search for computers on the network, even when connected remotely. To search for a computer, click Start and select Search from the list on the right side of the Start menu. In the dialog box that appears, select Advanced Search, and under Location, click Choose Search Locations. In the Choose Search Locations dialog box shown in Figure 6.13, expand the Network entry to display available computers. Click to select a computer on the network. In the box, type the name or partial name of the desktop or server that you want to access and then click OK. You can double-click any of the results and view the shared folders, files, printers, and other resources that the found computer provides.

Figure 6.13. The Choose Search Locations dialog box enables you to search network locations for shared resources.

The search utility is exceptionally cooperative. If you type in a partial name or similar name, Windows Vista displays the results. Therefore, misspellings do not prevent you from finding the computer you need to use. To search for a computer, click Start and then click Search.

If you do not know the name of the computer that you want to access, you can use the View Computers and Devices option in the Network and Sharing Center. You should see a list of the currently configured network location shortcuts that were either created by you or automatically configured by the operating system. Double-click the desired computer to view its shares.

Windows Vista provides a wizard that simplifies the process of setting up various types of network connections and connecting to wireless and other networks. From the Start menu, click the Connect To option to display the available connection options in the Connect To a Network dialog box shown in Figure 6.14 (note that this dialog box might not display all these options according to the networking hardware attached to your computer):

Figure 6.14. The Choose a Connection Option dialog box enables you to connect to several types of networks.

Follow Step by Step 6.5 to set up a wireless network connection.

This procedure copies the wireless settings plus a small utility application to the USB flash drive. You can use this flash drive to enter information to the wireless router or to configure other computers for wireless networking on the same access point.

You can use the same wizard to connect to an infrastructure wireless network, as Step by Step 6.6 shows.

The wireless network you configured is visible in the Network and Sharing Center, from which you can connect later if you have not chosen the Start This Connection Automatically option.

After you have configured one or more wireless network connections, you can manage them from the Manage Wireless Networks dialog box shown in Figure 6.18. You can access this dialog box from the task list in the Network and Sharing Center. This dialog box enables you to add new wireless networks, view or modify the properties of a wireless network connection, modify the sequence of preferred connection to these networks, or choose the type of profile to be applied to a network. You learn about wireless network profiles later in this section.

Figure 6.18. The Manage Wireless Networks dialog box displays the various wireless networks you have configured on your computer.

To modify the order in which Windows attempts to connect to the wireless networks, select the network to be connected first and drag it to the top of the list. To modify the properties of the wireless network connection, right-click it and choose Properties. This displays the dialog box shown in Figure 6.19. (This dialog box is also available from the completion page of the wizard in Step by Step 6.6 by selecting Change Connection Settings.)

Figure 6.19. The Wireless Network Properties dialog box enables you to modify the properties of your wireless network connection.

From the Wireless Network Properties dialog box, you can modify the options previously selected to connect automatically or connect even if the network is not broadcasting. You can also choose to connect to a more preferred network if you have configured one and it is available (this option is unavailable if you have configured only one wireless network). The Security tab of this dialog box enables you to change the security and encryption types according to the types given previously in Table 6.3. From this tab you can also change the network security key if you have chosen a security type that requires this key.

The Manage Wireless Networks dialog box also enables you to manage wireless network profiles. Simply put, a wireless network profile is a set of wireless networks available to a given user on a Vista computer. The profile contains the SSID, the security settings as configured earlier in this section, and whether the network is an infrastructure or ad hoc network. There are two types of wireless network profiles:

In addition to using the Manage Wireless Networks dialog box, you can use the netsh command to manage wireless network profiles. You can also use Group Policy to deploy or maintain wireless network profiles. For more information, refer to Wireless Networking in Windows Vista in the “Suggested Readings and Resources” section.

Recall from earlier in this chapter that the subnet mask determines the number of bits assigned to the network portion of the IP address and the number of bits assigned to the host portion. Be aware of the fact that the network portion of the IP address must match properly on all computers within a network segment and that the subnet mask must be configured appropriately to ensure that the computer is able to determine whether the computer to which it is attempting to connect is on the same or different subnet.

For example, suppose you are at a computer configured with an IP address of 192.168.1.2 with a subnet mask of 255.255.255.0. If you want to reach a computer with the IP address of 192.168.2.1, the subnet mask indicates that this computer is located on a different subnet. Connection will take place across a router. Should the computer you are at be configured with the same IP address but a subnet mask of 255.255.248.0, this would indicate that the destination computer with the IP address of 192.168.2.1 is on the same subnet. If in fact this computer is located across a router on another subnet, you will fail to connect to it.

Router problems could also cause a failure to access a computer on another subnet. These problems are beyond the scope of the 70-620 exam. For further information, consult a reference such as MCSA/MCSE Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291) in the “Suggested Readings and Resources” section.

If you configure your computer to automatically receive an IP address and the DHCP server is down, the computer will assign itself an IPv4 address in the 169.254.y.z range or an IPv6 link local unicast address on the fe80::/64 network. If you notice this when using ipconfig, check the connectivity to the DHCP server or contact an administrator responsible for this server. (You learn more about ipconfig in the section, “Using TCP/IP Utilities to Troubleshoot TCP/IP.”)

If your computer is using an IP address that duplicates another computer on the network, you will be unable to connect to any computer on the network. When this happens, the first computer on the network performs properly but receives a message when the second computer joins the network. Ping your computer’s IP address to check for this problem. This problem cannot occur if you are using DHCP to obtain an IP address automatically or if your computer is configured for an IP address using APIPA.

The Alternate Configuration tab of the TCP/IPv4 Properties dialog box (refer to Figure 6.4) enables you to configure an alternate IPv4 address, which is useful in situations where you need to connect to a second network—for example, when you are using a portable computer and traveling to a branch office of your company. However, to use the alternate configuration, your primary connection must be set to obtain an IP address automatically. If this is not the case, this tab does not appear. Note that this alternate configuration ability is not available when using IPv6.

One of Windows Vista’s standard troubleshooting tools is Event Viewer, which is incorporated into the Computer Management console. You can rely on this utility to be able to see errors and system messages. The ones that would be of most concern for a network problem are in the System Event log. You learn about Event Viewer in more detail in Chapter 8, “Maintaining and Optimizing Systems That Run Windows Vista.”

After data reaches the segment on which the IP address resides, it needs to discover the Media Access Control (MAC) address of the machine. The address resolution Protocol (ARP) is the protocol in the TCP/IP suite that resolves IP addresses to MAC addresses by creating an Address Resolution table in each host that transmits data on the network segment. The TCP/IP suite provides a utility called Arp that can check the table for errors. You should use the Arp utility when data is sent to a computer unexpectedly.

If you want to finger the culprit when a user has intentionally caused a problem, you can use Finger. This utility queries the computer about the services and users that are running on it and is typically used to query remote computers that are running non-Microsoft operating systems such as UNIX. Each operating system returns different output to the Finger command.

File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) are not considered to be troubleshooting tools. Sometimes you need to make certain that a protocol is able to move data from one network segment to another, and these two utilities can help out in a pinch because they verify TCP and UDP specifically, as well as all the protocols down to the Physical layer of the stack.

If you want to verify whether the Transport Control Protocol (TCP) is functioning across a router, you can use FTP to download a file from an FTP server on another subnet. If you want to verify whether the User Datagram Protocol (UDP) is functioning across a router, you can use TFTP to download a file from a TFTP server on another subnet.

Windows Vista uses the ipconfig utility to display information about the IP address configuration of its network adapters. When you are experiencing a problem with connectivity, this is the first thing you should check (besides the link lights on the network adapter). If you are using DHCP, you can see whether the adapter was able to obtain an IP address lease. If you are using a static IP address, you can verify and validate whether it has been configured correctly. You can use ipconfig with the following switches:

To determine whether the IP address the computer is using has been provided by APIPA, you can check the address of the interface by using the ipconfig command at a command prompt. The syntax for this command, which shows you the configuration of all network adapters, is ipconfig /all

In the resulting text, you can see whether the line Autoconfiguration Enabled is Yes or No. If Yes, and the IP address is 169.254.0.1 through 169.254.255.254, you are using an APIPA address.

The Nbtstat utility is used on networks that run NetBIOS over TCP/IP. This utility checks to see the status of NetBIOS name resolution to IP addresses. You can check current NetBIOS sessions, add entries to the NetBIOS name cache, and check the NetBIOS name and scope assigned to the computer.

The Netstat command-line tool enables you to check the current status of the computer’s IP connections. If you do not use switches, the results are protocol statistics and current TCP/IP connections. You should use Netstat to look for the services that are listening for incoming connections, if you have already checked the IP configuration and, though it is correct, the computer still displays a connectivity problem.

Name Server Lookup, or NSLookup, is a command-line utility that communicates with a DNS server. There are two modes to Nslookup: interactive and non-interactive. The interactive mode opens a session with a DNS server and views various records. The non-interactive mode asks for one piece of information and receives it. If more information is needed, a new query must be made.

Packet InterNet Groper (Ping) is a valuable tool for determining whether there is a problem with connectivity. The ping command uses an Echo packet at the Network layer—the default is to send a series of four echoes in a row—transmitting the packets to the IP address specified. The Echo returns an acknowledgment if the IP address is found. The results are displayed in the command window. If an IP address is not found, you see only the response Request timed out. You see similar results to those shown in Figure 6.21, where the first address that was pinged was not found and the second address was found. The ping command indicates how long each packet took for the response. You can use the ping command to determine whether a host is reachable and to determine whether you are losing packets when sending/receiving data to a particular host.

Figure 6.21. The ping command displays its results in a command window.

You can use the ping command to determine whether the internal TCP/IP protocol stack is functioning properly by pinging the loopback testing address. The command for IPv4 is

ping 127.0.0.1

For IPv6, the command is

ping ::1

When you have a problem communicating with a particular host, yet you have determined that your computer is functioning well, you can use Tracert (Trace Route) to tell you how the data is moving across the network between your computer and the one that you are having difficulty reaching. The Tracert command offers a somewhat higher level of information than Ping. Rather than simply tell you that the data was transmitted and returned effectively, as Ping does, Tracert logs each hop through which the data was transmitted. Figure 6.22 shows the results of a Tracert command. Keep in mind that some network routers strip out or refuse to reply to Tracert requests. When this happens, you see Request timed out messages.

Figure 6.22. The tracert command provides detailed information about the path that data travels between two IP hosts.

Many corporate wireless networks have more than one access point configured to provide adequate signal strength across a large floor area or a multistory building. In this case, you will have more than one wireless network visible in the Manage Wireless Networks dialog box previously shown in Figure 6.18. So that random switching between wireless networks does not take place, you should ensure that the network corresponding to the best access point for your normal work location is listed at the top of the list in Figure 6.18. In addition, you should clear the check box labeled Connect to a More Preferred Network If Available, found on the Properties dialog box of your best wireless network and previously shown in Figure 6.19. Doing so ensures that your computer connects to the best access point when available and does not switch to another one.

If you are unable to connect to your wireless network, you should verify that it is available. Access the Network and Sharing Center and click Manage Network Connections from the Tasks list. Right-click your wireless adapter, select View Available Wireless Networks, and then verify that your network name or SSID is visible. If the wireless network name is visible, but you are unable to connect, one or more of the following might be the cause:

If the wireless network name fails to appear, check the following possibilities:

For additional hints at troubleshooting wireless network connectivity, refer to How to troubleshoot wireless connection problems and A Support Guide for Wireless Diagnostics and Troubleshooting in the “Suggested Readings and Resources” section. Additional hints can be found in the Vista Help and Support Center.

Authentication is the first perimeter of defense that a network administrator can define in a remote access system. The process of authenticating a user is meant to verify and validate a user’s identification. If the user provides invalid input, the authentication process should deny the user access to the network. An ill-defined authentication system, or lack of one altogether, can open the door to mischief and disruption because the two most common methods for remote access are publicly available: the Internet and the public services telephone network. Table 6.4 discusses the authentication protocols supported by Windows Vista’s dial-up network connections.

Windows Vista can be configured in an assortment of ways to ensure that your remote access services meet your organization’s security criteria. Much of the configuration takes place on the server side of remote access. These security features are available on a Windows Vista computer when you configure it to receive remote access connections.

You can access the Local Security Policies snap-in through Administrative Tools under Control Panel’s System and Maintenance category, or by typing secpol.msc in the Run dialog box. The policies defined in this utility affect all users on the computer, unless the policies allow you to configure them on a per-user or per-group basis. This snap-in is shown in Figure 6.26.

Figure 6.26. You can configure security policies that affect remote access in the Local Security Policy snap-in.

You might configure the Account Lockout Policy on the local computer to increase security. Under the Account Lockout Policy, you can configure how many bad passwords the computer will accept before it disables the user from logging on, how long the user will be locked out, and how long to wait before starting to count invalid logon attempts again. Remember that the Account Lockout Policy does not only affect remote access users, but all users who try to log on to the computer. The following list describes the various Account Lockout Policy options:

You should always consider that because the default time periods are known quantities, an experienced hacker attempting to gain access to one of these accounts is likely to try again at intervals that will allow retries without locking the compromised account. To counter this, you should always set the policies to a longer duration than 30 minutes. If your computer is configured to accept VPN connections, you will probably want to establish IPSec settings. IPSec is a protocol used for authentication and encryption and is often used in VPNs in conjunction with L2TP.

Specifying callback settings is another method you can use to restrict misuse of a Windows Vista computer configured to accept incoming connections via dial-up. You can do this in the properties of the incoming connection. From the Network and Sharing Center, click Manage Network Connections to access the Network Connections applet and double-click the incoming connection. Click the Users tab. In the window, you see a list of users configured on the computer. By default, none of the users is enabled to log on to the computer through this connection. You can select the options for each user to whom you want to grant remote access. You can compel all users to use encryption by selecting the Require All Users to Secure Their Passwords and Data option. You can also eliminate the need for a password for incoming connections from handheld devices by selecting the Always Allow Directly Connected Devices Such As Palmtop Computers to Connect Without a Password option. Select a user and click the Properties button. Click the Callback tab. Select whether you want the user to provide a callback number (use this for travelers), or whether you want to set a permanent callback number. Using callback is a verification step to ensure the identity of the calling user.

On the General tab, you can specify whether to allow a VPN connection by selecting the Allow Others to Make Private Connections to My Computer by Tunneling Through the Internet or Other Network option.