Chapter 3 - User Administration Concepts and Mechanisms

Concept of system administration

Uploaded by Yina The first

Chapter 3: User Administration Concepts & Mechanisms


3.1. Users and Capabilities
A user account is a collection of settings and information that tells Windows which files and folders
you can access, what you can do on your computer, what your preferences are, and what network
resources you can access when connected to a network.
The user account allows you to authenticate to Windows or any other operating system so that you are
granted authorization to use them. Multi-user operating systems such as Windows don’t allow a user to
use them without having a user account.
A user account in Windows is characterized by the following attributes:
➢ User name: the name you are giving to that account.
➢ Password: the password associated with the user account (in Windows 7 or older versions you
can also use blank passwords).
➢ User group: a collection of user accounts that share the same security rights and permissions. A
user account must be a member of at least one user group.
➢ Type: all user accounts have a type which defines their permissions and what they can do in
Windows.
• Administrator: The “Administrator” user account has complete control over the PC. He or
she can install anything and make changes that affect all users of that PC.
• Standard: The “Standard” user account can only use the software that’s already installed by
the administrator and change system settings that don’t affect other users.
• Guest: The “Guest” account is a special type of user account that has the name Guest and
no password. This is only for users that need temporary access to the PC. This user can only
use the software that’s already installed by the administrator and cannot make any changes
to system settings.
All user accounts have specific capabilities, privileges, and rights. When you create a user account, you
can grant the user specific capabilities by making the user a member of one or more groups. This gives
the user the capabilities of these groups. You then assign additional capabilities by making a user a
member of the appropriate groups or withdraw capabilities by removing a user from a group.
An important part of an administrator's job is being able to determine and set permissions, privileges,
and logon rights as necessary. Although you can't change a group's built-in capabilities, you can change
a group's default privileges and logon rights. For example, you could revoke network access to a
computer by removing a group's right to access the computer from the network.
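The account types above are really a consequence of group membership. The following PowerShell script is an added example, not part of the chapter: it derives each local account's type from its membership in the built-in Administrators and Users groups, and checks that the built-in Guest account (always RID 501) is disabled, which is the state a defender wants to see. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later).

```powershell
# Added example (not from the chapter): classify local accounts by group
# membership, the way the text describes, and verify the Guest account state.
# Assumes the Microsoft.PowerShell.LocalAccounts module is available.

function Get-LocalAccountTypeReport {
    # Membership lookups: group -> list of member SIDs (null if the group is missing)
    $admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).SID.Value
    $users  = (Get-LocalGroupMember -Group 'Users' -ErrorAction SilentlyContinue).SID.Value

    foreach ($account in Get-LocalUser) {
        $sid = $account.SID.Value
        # Administrators wins over Users, because membership grants the union of capabilities
        $type = if ($admins -contains $sid) { 'Administrator' }
                elseif ($users -contains $sid) { 'Standard' }
                elseif ($sid.EndsWith('-501')) { 'Guest' }        # RID 501 is the built-in Guest
                else { 'No interactive group' }
        [pscustomobject]@{
            Name             = $account.Name
            Type             = $type
            Enabled          = $account.Enabled
            PasswordRequired = $account.PasswordRequired
        }
    }
}

# Defender check: Guest has no password, so it should stay disabled.
# Returns $true when the built-in Guest account is disabled.
function Test-GuestDisabled {
    $guest = Get-LocalUser | Where-Object { $_.SID.Value.EndsWith('-501') }
    return (-not $guest.Enabled)
}

Get-LocalAccountTypeReport | Format-Table -AutoSize
"Guest disabled: $(Test-GuestDisabled)"
```

The report keys on SIDs rather than names because the Guest and Administrator accounts can be renamed; the relative identifier at the end of the SID cannot.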


3.1.1. What are File & Folder Permissions?


Permissions are a method for assigning access rights to specific user accounts and user groups.
Through the use of permissions, Windows defines which user accounts and user groups can access
which files and folders, and what they can do with them. To put it simply, permissions are the
operating system’s way of telling you what you can or cannot do with a file or folder.
On the Windows operating system, to view the permissions of a folder, right-click it and select “Properties.”
In the Properties window, go to the Security tab. In the “Group or user names” section you will see all
the user accounts and user groups that have permissions on that folder. If you select a group or a user
account, you can then see its assigned permissions in the “Permissions for Users” section. In Windows, a user
account or a user group can receive one of the following permissions to any file or folder:
➢ Read: allows the viewing and listing of a file or folder. When viewing a folder, you can view all
its files and subfolders.
➢ Write: allows writing to a file or adding files and subfolders to a folder.
➢ List folder contents: this permission can be assigned only to folders. It permits the viewing and
listing of files and subfolders, as well as executing files that are found in that folder.
➢ Read & execute: permits the reading and accessing of a file’s contents as well as its execution.
When dealing with folders, it allows the viewing and listing of files and subfolders, as well as
the execution of files.
➢ Modify: when dealing with files, it allows their reading, writing & deletion. When dealing with
folders, it allows the reading and writing of files and subfolders, plus the deletion of the folder.
➢ Full control: it allows reading, writing, changing and deleting of any file and subfolder.
Generally, files inherit the permissions of the folder where they are placed, but users can also
define specific permissions that are assigned only to a specific file. To make your computing
life simpler, it is best to edit permissions only at a folder level.
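The Security tab shown above can be read from PowerShell with Get-Acl. The script below is an added example, not part of the chapter: it lists each access rule of a folder (identity, rights, Allow/Deny, and whether the rule was inherited from the parent, which is the inheritance the text describes) and then flags Allow rules that give Write, Modify or Full control to very broad principals. The scratch folder under %TEMP% and the list of "broad" principals are assumptions.

```powershell
# Added example (not from the chapter): read a folder's DACL the way the
# Security tab shows it, and flag broad write grants. The scratch folder and
# the principal list are assumptions.

function Get-FolderPermissionReport {
    param([Parameter(Mandatory)] [string] $Path)
    $acl = Get-Acl -Path $Path                 # security descriptor of the folder
    foreach ($rule in $acl.Access) {           # one entry per "Group or user name"
        [pscustomobject]@{
            Identity  = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights   # Read, Write, Modify, FullControl, ...
            Type      = $rule.AccessControlType  # Allow or Deny
            Inherited = $rule.IsInherited        # came from the parent folder?
            AppliesTo = $rule.InheritanceFlags   # propagates to files / subfolders?
        }
    }
}

function Find-BroadWriteGrant {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Principals that effectively mean "anyone on this machine" (assumption)
        [string[]] $BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    )
    # Flags enum parsed from its names; any of these bits lets the holder change content
    $writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band [int]$writeBits) -ne 0
        } |
        ForEach-Object {
            '{0}: "{1}" has {2} (inherited: {3})' -f $Path, $_.IdentityReference.Value, $_.FileSystemRights, $_.IsInherited
        }
}

# Demonstration on a scratch folder (constructed) so the script runs on any machine
$scratch = Join-Path $env:TEMP 'perm-demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
Get-FolderPermissionReport -Path $scratch | Format-Table -AutoSize
Find-BroadWriteGrant -Path $scratch          # prints nothing when no broad grant exists
Remove-Item -Path $scratch -Recurse -Force
```

Because most rules are inherited, a finding on a deep folder usually has to be fixed at the folder where the rule originates, which is the reason the text recommends editing permissions at the folder level.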

Assigning User Rights


The most efficient way to assign user rights is to make the user a member of a group that already has
the right. In some cases, however, you might want a user to have a particular right but not have all the
other rights of the group. One way to resolve this problem is to give the user the rights directly. Another
way to resolve this is to create a special group for users that need the right. This is the approach used
with the Remote Desktop Users group, which was created by Microsoft to grant Allow Logon Through
Terminal Services to groups of users.
You assign user rights through the Local Policies node of Group Policy. Local policies can be set on a
per-computer basis using a computer's local security policy or on a domain or OU basis through an
existing group policy for the related domain or OU. When you do this, the local policies apply to all
accounts in the domain or OU.
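User rights assigned through Local Policies can be exported with secedit and read back, which is how a defender verifies that a right such as "Access this computer from the network" was really withdrawn from a group. The script below is an added example, not part of the chapter: it exports the USER_RIGHTS area of the local policy, parses the [Privilege Rights] section and resolves the SIDs to account names. It must run from an elevated prompt; the temporary file path is an assumption.

```powershell
# Added example (not from the chapter): list which accounts hold each logon
# right / privilege on this computer. Needs an elevated prompt; the export
# file path is an assumption.

function Get-LocalUserRightsAssignment {
    param([string] $ExportPath = (Join-Path $env:TEMP 'user-rights.inf'))

    # secedit writes an INI-style file; only the USER_RIGHTS area is requested
    secedit.exe /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $ExportPath)) { throw 'secedit export failed (not elevated?)' }

    $inSection = $false
    foreach ($line in Get-Content -Path $ExportPath) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $right   = $Matches[1]
            $entries = $Matches[2] -split ',' | Where-Object { $_ }
            # Each entry is "*S-1-5-..." (a SID) or a plain account name
            $holders = foreach ($entry in $entries) {
                $entry = $entry.Trim()
                if ($entry.StartsWith('*')) {
                    try {
                        $sid = [System.Security.Principal.SecurityIdentifier] $entry.Substring(1)
                        $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $entry }        # unresolvable SID (deleted account): keep it raw
                } else { $entry }
            }
            [pscustomobject]@{ Right = $right; GrantedTo = ($holders -join '; ') }
        }
    }
    Remove-Item -Path $ExportPath -Force
}

# The two rights named in the text: logon through Remote Desktop / Terminal
# Services, and access to this computer from the network
Get-LocalUserRightsAssignment |
    Where-Object { $_.Right -in 'SeRemoteInteractiveLogonRight', 'SeNetworkLogonRight' } |
    Format-Table -AutoSize
```

Run the full function without the filter to see every right; a group that should have lost network access but still appears under SeNetworkLogonRight has usually received the right again through a domain or OU group policy that overrides the local setting.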


3.2. Policy Tools & Roaming Profiles


3.2.1. What is a Roaming Profile?
A Windows profile is a set of files that contains all settings of a user, including per-user configuration
files and registry settings. In an Active Directory or NT4 domain you can configure a user's profile to be
stored on a server. This enables the user to log on to different Windows domain members and use the
same settings.
When using roaming user profiles, a copy of the profile is downloaded from the server to the Windows
domain member when the user logs in. Until the user logs out, all settings are stored and updated in the
local copy. During logout, the profile is uploaded to the server.

Assigning a Roaming Profile to a User


Depending on the Windows version, Windows uses different folders to store the roaming profile of a
user. However, when you set the profile path for a user, you always set the path to the folder without
any version suffix. For example:
\\server\profiles\user_name
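Setting that path on a domain account is one attribute write. The function below is an added example, not part of the chapter: it validates that the path is a UNC path without a version suffix, sets it with Set-ADUser, and reads the attribute back to confirm the change. It assumes the ActiveDirectory PowerShell module and a domain account; the server, share and user name are constructed.

```powershell
# Added example (not from the chapter): assign a roaming profile path to a
# domain user. Assumes the ActiveDirectory module; server, share and user
# names below are constructed.

Import-Module ActiveDirectory

function Set-RoamingProfilePath {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $ProfilePath      # e.g. \\server\profiles\jdoe
    )
    # Must be a UNC path: \\server\share\...
    if ($ProfilePath -notmatch '^\\\\[^\\]+\\[^\\]+') {
        throw "Expected a UNC path, got: $ProfilePath"
    }
    # The administrator sets the bare folder; Windows appends the per-version
    # suffix (.V2, .V3, ...) itself, so it must not be part of the attribute.
    if ($ProfilePath -match '\.V\d+\\?$') {
        throw "Do not include a version suffix: $ProfilePath"
    }
    Set-ADUser -Identity $SamAccountName -ProfilePath $ProfilePath
    # Read the attribute back so the caller sees what is actually stored
    (Get-ADUser -Identity $SamAccountName -Properties ProfilePath).ProfilePath
}

Set-RoamingProfilePath -SamAccountName 'jdoe' -ProfilePath '\\server\profiles\jdoe'
```

The share itself still needs NTFS and share permissions that let each user reach only their own folder; the attribute only tells Windows where to look.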

A roaming user profile is a file synchronization concept in the Windows NT family of operating
systems that allows users with a computer joined to a Windows domain to log on to any computer on
the same domain and access their documents and have a consistent desktop experience, such as
applications remembering toolbar positions and preferences, or the desktop appearance staying the
same, while keeping all related files stored locally, to not continuously depend on a fast and reliable
network connection to a file server.
All Windows operating systems since Windows NT 3.1 are designed to support roaming profiles.
Normally, a standalone computer stores the user's documents, desktop items, application preferences,
and desktop appearance on the local computer in two divided sections, consisting of the portion that
could roam plus an additional temporary portion containing items such as the web browser cache. The
Windows Registry is similarly divided to support roaming; there are System and Local Machine hives
that stay on the local computer, plus a separate User hive (HKEY_CURRENT_USER) designed to be
able to roam with the user profile.
When a roaming user is created, the user's profile information is instead stored on a centralized file
server accessible from any network-joined desktop computer. The login prompt on the local computer
checks to see if the user exists in the domain rather than on the local computer; no preexisting account
is required on the local computer. If the domain login is successful, the roaming profile is copied from
the central file server to the desktop computer, and a local account is created for the user.


When the user logs off from the desktop computer, the user's roaming profile is merged from the local
computer back to the central file server, not including the temporary local profile items. Because this is
a merge and not a move/delete, the user's profile information remains on the local computer in addition
to being merged to the network.
When the user logs in on a second desktop computer, this process repeats, merging the roaming profile
from the server to the second desktop computer, and then merging back from the desktop to the server
when the user logs off.
When the user returns to the first desktop computer and logs in, the roaming profile is merged with the
previous profile information, replacing it. If profile caching is enabled, the server is capable of merging
only the newest files to the local computer, reusing the existing local files that have not changed since
the last login, and thereby speeding up the login process.
Windows stores information about a particular user in a so-called profile. Some examples of the sort of
data that gets stored in a profile are (N.B. this list is not exhaustive):
➢ Application data and settings
➢ The "Documents"/"My Documents" folder
➢ The "Downloads" folder, which is where your internet browser may save to by default
➢ Files stored on your Desktop
➢ Directories you create under c:\users\[your-username]
Members of some groups in the department have a roaming profile. This means that the master copy of
the profile is stored on a fileserver. When you log in to a Windows computer, the contents of your
profile will be synchronized from the fileserver to the local computer. When you log out of the
computer, any changes to the profile are then synchronized back to the server. Instructions for checking
whether or not you have a roaming profile are available.
There are two main reasons why a roaming profile might be useful in the department. Firstly, because
the contents of the profile are stored centrally, whenever you log on to any computer in the department
you will have the same application data and settings (e.g., internet browser bookmarks, preferences in
Microsoft Office etc.).
Secondly, because the master copy of your roaming profile is stored on a Departmentally-managed
fileserver, all data stored within it is automatically backed up.

What are the main differences between roaming and local profiles?


Windows roaming and local profiles are similar in that they both store Windows user settings and data.
A local profile is one that is stored directly on the computer. The main advantage to using a local
profile is that the profile is accessible even when the computer is disconnected from the network. A
major drawback of a local profile is that the user profile data is not being automatically backed up by


the server. Since most users rarely back up their computers, if a hard drive fails, any data that is stored
within local profiles on that machine would be lost.
Roaming profiles are stored on a server and can be accessed by logging into any computer on the
network. In a roaming profile, when a user logs onto the network, his/her profile is copied from the
server to the user’s desktop. When the user logs off of their computer, the profile (including any
changes that the user might have made) is copied back to the server. A major drawback of roaming
profiles is that they can slow down the network. Windows user profiles often become very large as the
user profile data continues to grow. If you have a large roaming profile, the login and logoff times may
take a significant amount of time.
The solution to this problem is to use folder redirection with roaming profiles. Folder redirection
allows specific folders (such as the Desktop and Documents folder) to be permanently stored on the
server. Doing so eliminates the need for the redirected folder to be copied as a part of the logon and
logoff processes.
In summary, for a hassle-free network experience one should choose the default local profile. However,
if you need roaming profiles enabled, Concise can assist you with the configuration and deployment of
roaming profiles utilizing folder redirection so you can have the best of both worlds!

3.3. Advanced Concepts I


3.3.1. The Registry
The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft
Windows operating system and for applications that opt to use the registry. The kernel, device drivers,
services, Security Accounts Manager, and user interface can all use the registry. The registry also
allows access to counters for profiling system performance.
In other words, the registry or Windows Registry contains information, settings, options, and other
values for programs and hardware installed on all versions of Microsoft Windows operating systems.
For example, when a program is installed, a new subkey containing settings such as the program's
location, its version, and how to start the program is added to the Windows Registry.
When introduced with Windows 3.1, the Windows Registry primarily stored configuration information
for COM-based components. Windows 95 and Windows NT extended its use to rationalize and
centralize the information in the profusion of INI files, which held the configurations for individual
programs, and were stored at various locations. It is not a requirement for Windows applications to use
the Windows Registry. For example, .NET Framework applications use XML files for configuration,
while portable applications usually keep their configuration files with their executables.
Prior to the Windows Registry, .INI files stored each program's settings as a text file or binary file,
often located in a shared location that did not provide user-specific settings in a multi-user scenario. By


contrast, the Windows Registry stores all application settings in one logical repository (but a number of
discrete files) and in a standardized form. According to Microsoft, this offers several advantages over
.INI files. Since file parsing is done much more efficiently with a binary format, it may be read from or
written to more quickly than a text INI file. Furthermore, strongly typed data can be stored in the
registry, as opposed to the text information stored in .INI files. This is a benefit when editing keys
manually using regedit.exe, the built-in Windows Registry Editor. Because user-based registry settings
are loaded from a user-specific path rather than from a read-only system location, the registry allows
multiple users to share the same machine, and also allows programs to work for less privileged users.
Backup and restoration is also simplified as the registry can be accessed over a network connection for
remote management/support, including from scripts, using the standard set of APIs, as long as the
Remote Registry service is running and firewall rules permit this.
Because the registry is a database, it offers improved system integrity with features such as atomic
updates. If two processes attempt to update the same registry value at the same time, one process's
change will precede the other's and the overall consistency of the data will be maintained. Where
changes are made to .INI files, such race conditions can result in inconsistent data that does not match
either attempted update. Windows Vista and later operating systems provide transactional updates to
the registry by means of the Kernel Transaction Manager, extending the atomicity guarantees across
multiple key and/or value changes, with traditional commit–abort semantics. (Note however that NTFS
provides such support for the file system as well, so the same guarantees could, in theory, be obtained
with traditional configuration files.)

3.3.1.1. Structure

Keys and values


The registry contains two basic elements: keys and values. Registry keys are container objects similar
to folders. Registry values are non-container objects similar to files. Keys may contain values and
subkeys. Keys are referenced with a syntax similar to Windows' path names, using backslashes to
indicate levels of hierarchy. Keys must have a case-insensitive name without backslashes.
The hierarchy of registry keys can only be accessed from a known root key handle (which is
anonymous but whose effective value is a constant numeric handle) that is mapped to the content of a
registry key preloaded by the kernel from a stored "hive", or to the content of a subkey within another
root key, or mapped to a registered service or DLL that provides access to its contained subkeys and
values.
Example: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows refers to the
subkey "Windows" of the subkey "Microsoft" of the subkey "Software" of
the HKEY_LOCAL_MACHINE root key.


There are seven predefined root keys, traditionally named according to their constant handles defined
in the Win32 API, or by synonymous abbreviations (depending on applications):
➢ HKEY_LOCAL_MACHINE or HKLM
➢ HKEY_CURRENT_CONFIG or HKCC
➢ HKEY_CLASSES_ROOT or HKCR
➢ HKEY_CURRENT_USER or HKCU
➢ HKEY_USERS or HKU
➢ HKEY_PERFORMANCE_DATA (only in Windows NT, but invisible in the Windows Registry Editor)
➢ HKEY_DYN_DATA (only in Windows 9x, and visible in the Windows Registry Editor)
Like other files and services in Windows, all registry keys may be restricted by access control lists
(ACLs), depending on user privileges, or on security tokens acquired by applications, or on system
security policies enforced by the system (these restrictions may be predefined by the system itself, and
configured by local system administrators or by domain administrators). Different users, programs,
services or remote systems may only see some parts of the hierarchy or distinct hierarchies from the
same root keys.
Registry values are name/data pairs stored within keys. Registry values are referenced separately from
registry keys. Each registry value stored in a registry key has a unique name whose letter case is not
significant. The Windows API functions that query and manipulate registry values take value names
separately from the key path and/or handle that identifies the parent key. Registry values may contain
backslashes in their names, but doing so makes them difficult to distinguish from their key paths when
using some legacy Windows Registry API functions (whose usage is deprecated in Win32).
The terminology is somewhat misleading, as each registry key is similar to an associative array, where
standard terminology would refer to the name part of each registry value as a "key". The terms are a
holdout from the 16-bit registry in Windows 3, in which registry keys could not contain arbitrary
name/data pairs, but rather contained only one unnamed value (which had to be a string). In this sense,
the Windows 3 registry was like a single associative array, in which the keys (in the sense of both
'registry key' and 'associative array key') formed a hierarchy, and the registry values were all strings.
When the 32-bit registry was created, so was the additional capability of creating multiple named
values per key, and the meanings of the names were somewhat distorted. For compatibility with the
previous behavior, each registry key may have a "default" value, whose name is the empty string.
Each value can store arbitrary data with variable length and encoding, but which is associated with a
symbolic type (defined as a numeric constant) defining how to parse this data. The standard types are:
Type ID | Symbolic type name                  | Meaning and encoding of the data stored in the registry value
--------|-------------------------------------|---------------------------------------------------------------
0       | REG_NONE                            | No type (the stored value, if any)
1       | REG_SZ                              | A string value, normally stored and exposed in UTF-16LE (when using the Unicode version of Win32 API functions), usually terminated by a NUL character
2       | REG_EXPAND_SZ                       | An "expandable" string value that can contain environment variables, normally stored and exposed in UTF-16LE, usually terminated by a NUL character
3       | REG_BINARY                          | Binary data (any arbitrary data)
4       | REG_DWORD / REG_DWORD_LITTLE_ENDIAN | A DWORD value, a 32-bit unsigned integer (numbers between 0 and 4,294,967,295 [2^32 – 1]) (little-endian)
5       | REG_DWORD_BIG_ENDIAN                | A DWORD value, a 32-bit unsigned integer (numbers between 0 and 4,294,967,295 [2^32 – 1])
6       | REG_LINK                            | A symbolic link (UNICODE) to another registry key, specifying a root key and the path to the target key
7       | REG_MULTI_SZ                        | A multi-string value, which is an ordered list of non-empty strings, normally stored and exposed in Unicode, each one terminated by a null character, the list being normally terminated by a second null character.
8       | REG_RESOURCE_LIST                   | A resource list (used by the Plug-n-Play hardware enumeration and configuration)
9       | REG_FULL_RESOURCE_DESCRIPTOR        | A resource descriptor (used by the Plug-n-Play hardware enumeration and configuration)
10      | REG_RESOURCE_REQUIREMENTS_LIST      | A resource requirements list (used by the Plug-n-Play hardware enumeration and configuration)
11      | REG_QWORD / REG_QWORD_LITTLE_ENDIAN | A QWORD value, a 64-bit integer (either big- or little-endian, or unspecified) (introduced in Windows 2000)
Table 3.0. List of standard Registry value types
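The type IDs in Table 3.0 are what RegistryKey.GetValueKind() returns, and the encodings are visible when a value is written and read back. The script below is an added example, not part of the chapter: it writes one value of each common type under a throw-away key in HKCU, reports the REG_* kind, its numeric ID and the .NET type PowerShell exposes, shows the difference between the raw and the expanded form of a REG_EXPAND_SZ, and builds the on-disk byte layout of a REG_MULTI_SZ by hand. The key path and all values are constructed.

```powershell
# Added example (not from the chapter): round-trip the standard registry value
# types through a scratch key and inspect how each one is stored.
# The key path and the sample values are constructed.

$scratchKey = 'HKCU:\Software\RegTypeDemo'   # assumption: throw-away key, removed at the end

function New-RegistryTypeSamples {
    New-Item -Path $scratchKey -Force | Out-Null
    # -PropertyType name -> REG_* kind that ends up in the hive
    New-ItemProperty -Path $scratchKey -Name 'Sz'       -PropertyType String       -Value 'hello'                 -Force | Out-Null
    New-ItemProperty -Path $scratchKey -Name 'ExpandSz' -PropertyType ExpandString -Value '%SystemRoot%\System32' -Force | Out-Null
    New-ItemProperty -Path $scratchKey -Name 'Binary'   -PropertyType Binary       -Value ([byte[]](1, 2, 3, 255)) -Force | Out-Null
    New-ItemProperty -Path $scratchKey -Name 'Dword'    -PropertyType DWord        -Value 2147483647              -Force | Out-Null
    New-ItemProperty -Path $scratchKey -Name 'Qword'    -PropertyType QWord        -Value 9223372036854775807     -Force | Out-Null
    New-ItemProperty -Path $scratchKey -Name 'MultiSz'  -PropertyType MultiString  -Value @('a', 'b', 'c')        -Force | Out-Null
}

function Get-RegistryTypeReport {
    $key = Get-Item -Path $scratchKey
    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)                       # RegistryValueKind enum
        $raw  = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        $shown = if ($raw -is [byte[]]) { ($raw | ForEach-Object { '{0:X2}' -f $_ }) -join ' ' }
                 else { $raw -join ', ' }
        [pscustomobject]@{
            Name       = $name
            Kind       = $kind                                 # REG_* symbolic type
            KindId     = [int]$kind                            # numeric ID as in Table 3.0
            DotNetType = $raw.GetType().Name
            Stored     = $shown
            Expanded   = $key.GetValue($name) -join ', '       # REG_EXPAND_SZ gets %VAR% substituted here
        }
    }
}

# Type 7: each string NUL-terminated, the whole list terminated by a second NUL,
# everything encoded as UTF-16LE (what the table calls "Unicode").
function ConvertTo-MultiSzBytes {
    param([Parameter(Mandatory)] [string[]] $Strings)
    $joined = ($Strings -join "`0") + "`0`0"
    return [System.Text.Encoding]::Unicode.GetBytes($joined)
}

New-RegistryTypeSamples
Get-RegistryTypeReport | Format-Table -AutoSize
(ConvertTo-MultiSzBytes -Strings 'a', 'b' | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
Remove-Item -Path $scratchKey -Recurse -Force
```

In the report, the ExpandSz row shows the literal %SystemRoot% text in the Stored column and the resolved directory in the Expanded column: the substitution happens in the reader, not in the hive, which is why a writable REG_EXPAND_SZ consumed by a privileged service is worth reviewing. The last line prints the two-byte units of the multi-string: each character, each terminating NUL and the final second NUL all occupy two bytes.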
When an administrator runs the command regedit, pre-defined keys called root keys, high-level keys
or HKEYS display in the left pane of the Registry Editor window. A pre-defined key and its nested
subkeys are collectively called a hive.
An application must open a key before it can add data to the registry, so having pre-defined keys that
are always open helps an application navigate the registry. Although pre-defined keys cannot be
changed, subkeys can be modified or deleted as long as the user has permission to do so and the subkey
is not located directly under a high-level key.
Before making any changes to registry keys, however, Microsoft strongly recommends the registry be
backed up and that the end user only change values in the registry that they understand or have been


told to change by a trusted advisor. Keys and subkeys are referred to with a syntax that's similar to
Windows' path names, using backslashes to indicate levels in the hierarchy. Edits to the registry that
cause syntax errors can make the computer inoperable.

Root keys
The keys at the root level of the hierarchical database are generally named by their Windows API
definitions, which all begin "HKEY". They are frequently abbreviated to a three- or four-letter short
name starting with "HK" (e.g. HKCU and HKLM). Technically, they are predefined handles (with
known constant values) to specific keys that are either maintained in memory, or stored in hive files
stored in the local filesystem and loaded by the system kernel at boot time and then shared (with
various access rights) between all processes running on the local system, or loaded and mapped in all
processes started in a user session when the user logs on the system.
The registry is a hierarchical database where information is presented on a number of levels. If we
consider the registry in terms of a hierarchical file system, hive keys are on the first level (there are
seven of them, as discussed previously), registry keys are on the second level, subkeys are on the third,
and then come values.
The HKEY_LOCAL_MACHINE (local machine-specific configuration data) and
HKEY_CURRENT_USER (user-specific configuration data) nodes have a similar structure to each
other; user applications typically look up their settings by first checking for them in
"HKEY_CURRENT_USER\Software\Vendor's name\Application's name\Version\Setting name", and if
the setting is not found, look instead in the same location under the HKEY_LOCAL_MACHINE
key. However, the converse may apply for administrator-enforced policy settings,
where HKLM may take precedence over HKCU. The Windows Logo Program has specific
requirements for where different types of user data may be stored, and requires that the concept of least
privilege be followed so that administrator-level access is not required to use an application.
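The lookup order just described can be written as a small function. The script below is an added example, not part of the chapter: it searches the administrator-enforced Policies keys first (machine, then user), then the user's own preference under HKCU, and finally the machine default under HKLM, returning the value together with the key it came from. The vendor, application and setting names are constructed, and placing policy under a "Policies" subkey is a convention assumed here.

```powershell
# Added example (not from the chapter): resolve an application setting with
# policy keys taking precedence and HKCU checked before HKLM for preferences.
# Vendor/app/setting names are constructed; the Policies layout is an assumption.

function Get-AppSetting {
    param(
        [Parameter(Mandatory)] [string] $Vendor,
        [Parameter(Mandatory)] [string] $App,
        [Parameter(Mandatory)] [string] $Version,
        [Parameter(Mandatory)] [string] $Name
    )
    $subPath = "Software\$Vendor\$App\$Version"
    # First hit wins. Policy keys are writable only by administrators, so a
    # user cannot override them by editing their own HKCU preference.
    $searchOrder = @(
        "HKLM:\Software\Policies\$Vendor\$App\$Version",   # machine policy
        "HKCU:\Software\Policies\$Vendor\$App\$Version",   # user policy
        "HKCU:\$subPath",                                   # user preference
        "HKLM:\$subPath"                                    # machine default
    )
    foreach ($path in $searchOrder) {
        # Missing key or missing value both surface as a suppressed error -> $null
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Source = $path; Value = $item.$Name }
        }
    }
    return $null
}

# Demonstration with a constructed user preference (no elevation needed for HKCU)
$demoKey = 'HKCU:\Software\ExampleVendor\ExampleApp\1.0'
New-Item -Path $demoKey -Force | Out-Null
New-ItemProperty -Path $demoKey -Name 'Theme' -Value 'Dark' -PropertyType String -Force | Out-Null

Get-AppSetting -Vendor 'ExampleVendor' -App 'ExampleApp' -Version '1.0' -Name 'Theme'   # Source: the HKCU key
Remove-Item -Path 'HKCU:\Software\ExampleVendor' -Recurse -Force
Get-AppSetting -Vendor 'ExampleVendor' -App 'ExampleApp' -Version '1.0' -Name 'Theme'   # nothing left: returns $null
```

Keeping the Source in the result matters when troubleshooting: a setting that "will not change" is usually being served from a policy key the user cannot see in their own hive.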

HKEY_CLASSES_ROOT (HKCR)
This key contains several subkeys with information about extensions of all registered file types and
COM servers. This information is necessary for opening files with a double-click, or for drag-and-drop
operations. Besides, the HKEY_CLASSES_ROOT key provides combined data to applications that
were created for earlier versions of Windows.

HKEY_CURRENT_USER (HKCU)
This key stores settings which are specific to the currently logged-in user (Windows Start menu,
desktop, etc.). Its subkeys store information about environment variables, program groups, desktop
settings, screen colors, network connections, printers and additional application settings. This


information is gathered from the Security ID (SID) subkey of HKEY_USERS for the current user. In
fact, this key stores all information related to the profile of the user who is currently working with
Windows.

HKEY_LOCAL_MACHINE (HKLM)
Abbreviated HKLM, HKEY_LOCAL_MACHINE stores settings that are specific to the local computer.
The key located by HKLM is actually not stored on disk, but maintained in memory by the system
kernel in order to map all the other subkeys. Applications cannot create any additional subkeys. On
Windows NT, this key contains four subkeys, "SAM", "SECURITY", "SYSTEM", and "SOFTWARE",
that are loaded at boot time within their respective files located in the %SystemRoot%\System32\
config folder. A fifth subkey, "HARDWARE", is volatile and is created dynamically, and as such is not
stored in a file (it exposes a view of all the currently detected Plug-and-Play devices). On Windows
Vista and above, a sixth and seventh subkey, "COMPONENTS" and "BCD", are mapped in memory by
the kernel on-demand and loaded from %SystemRoot%\system32\config\COMPONENTS or from
boot configuration data, \boot\BCD on the system partition.
➢ The "HKLM\SAM" key usually appears as empty for most users (unless they are granted access
by administrators of the local system or administrators of domains managing the local system).
It is used to reference all "Security Accounts Manager" (SAM) databases for all domains into
which the local system has been administratively authorized or configured (including the local
domain of the running system, whose SAM database is stored in a subkey also named "SAM":
other subkeys will be created as needed, one for each supplementary domain). Each SAM
database contains all builtin accounts (mostly group aliases) and configured accounts (users,
groups and their aliases, including guest accounts and administrator accounts) created and
configured on the respective domain. For each account in that domain, it notably contains the
user name which can be used to log on that domain, the internal unique user identifier in the
domain, a cryptographic hash of each user's password for each enabled authentication protocol,
the location of storage of their user registry hive, various status flags (for example if the account
can be enumerated and be visible in the logon prompt screen), and the list of domains
(including the local domain) into which the account was configured.
➢ The "HKLM\SECURITY" key usually appears empty for most users (unless they are granted
access by users with administrative privileges) and is linked to the Security database of the
domain into which the current user is logged on (if the user is logged on the local system
domain, this key will be linked to the registry hive stored by the local machine and managed by
local system administrators or by the builtin "System" account and Windows installers). The
kernel will access it to read and enforce the security policy applicable to the current user and all
applications or operations executed by this user. It also contains a "SAM" subkey which is
dynamically linked to the SAM database of the domain onto which the current user logged on.


➢ The "HKLM\SYSTEM" key is normally only writable by users with administrative privileges
on the local system. It contains information about the Windows system setup, data for the
secure random number generator (RNG), the list of currently mounted devices containing a
filesystem, several numbered "HKLM\SYSTEM\Control Sets" containing alternative
configurations for system hardware drivers and services running on the local system (including
the currently used one and a backup), a "HKLM\SYSTEM\Select" subkey containing the status
of these Control Sets, and a "HKLM\SYSTEM\CurrentControlSet" which is dynamically linked
at boot time to the Control Set which is currently used on the local system. Each configured
Control Set contains:
• an "Enum" subkey enumerating all known Plug-and-Play devices and associating them with
installed system drivers (and storing the device-specific configurations of these drivers),
• a "Services" subkey listing all installed system drivers (with non device-specific
configuration, and the enumeration of devices for which they are instantiated) and all
programs running as services (how and when they can be automatically started),
• a "Control" subkey organizing the various hardware drivers and programs running as
services and all other system-wide configuration,
• a "Hardware Profiles" subkey enumerating the various profiles that have been tuned (each
one with "System" or "Software" settings used to modify the default profile, either in system
drivers and services or in the applications) as well as the "Hardware Profiles\Current"
subkey which is dynamically linked to one of these profiles.
➢ The "HKLM\SOFTWARE" subkey contains software and Windows settings (in the default
hardware profile). It is mostly modified by application and system installers. It is organized by
software vendor (with a subkey for each), but also contains a "Windows" subkey for some
settings of the Windows user interface, a "Classes" subkey containing all registered associations
from file extensions, MIME types, Object Classes IDs and interfaces IDs (for OLE,
COM/DCOM and ActiveX), to the installed applications or DLLs that may be handling these
types on the local machine (however these associations are configurable for each user, see
below), and a "Policies" subkey (also organized by vendor) for enforcing general usage policies
on applications and system services (including the central certificates store used for
authenticating, authorizing or disallowing remote systems or services running outside the local
network domain).
➢ The "HKLM\SOFTWARE\Wow6432Node" key is used by 32-bit applications on a 64-bit
Windows OS, and is equivalent to but separate from "HKLM\SOFTWARE". The key path is
transparently presented to 32-bit applications by WoW64 as HKLM\SOFTWARE (in a similar
way that 32-bit applications see %SystemRoot%\Syswow64 as %SystemRoot%\System32).
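The "Services" subkey described above is where an administrator checks what starts with the machine. The following PowerShell script is an added example, not part of the course notes: it walks HKLM\SYSTEM\CurrentControlSet\Services, keeps the entries whose Start value is boot, system or automatic, expands each ImagePath, and flags binaries that live outside the Windows directory and Program Files. The value names Start and ImagePath are the standard ones; the function name and the "trusted directories" heuristic are this example's own choices, and it assumes an elevated PowerShell session on Windows.

```powershell
# Added example (not from the course notes): report auto-started service and driver
# entries from the current control set whose binary is outside the usual directories.
# Start values: 0 boot, 1 system, 2 automatic, 3 manual (demand), 4 disabled.

function Get-AutoStartServiceEntry {
    param(
        # CurrentControlSet is a link to the ControlSet00N the machine booted with.
        [string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    )

    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    # Directories where service binaries are normally expected (heuristic, assumption).
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props -or $null -eq $props.Start -or $null -eq $props.ImagePath) { return }
        if ([int]$props.Start -gt 2) { return }   # keep boot, system and automatic only

        # ImagePath may be quoted, carry arguments, use %SystemRoot%, or use the
        # NT-style "\??\" and "\SystemRoot\" prefixes that kernel drivers often have.
        $raw = [Environment]::ExpandEnvironmentVariables([string]$props.ImagePath)
        $exe = if ($raw.StartsWith('"')) { $raw.Split('"')[1] } else { $raw.Split(' ')[0] }
        $exe = $exe -replace '^\\\?\?\\', ''
        $exe = $exe -replace '^\\SystemRoot', $env:SystemRoot
        # A bare "system32\drivers\x.sys" is relative to %SystemRoot%.
        if ($exe -notmatch '^[A-Za-z]:\\') { $exe = Join-Path $env:SystemRoot $exe }

        $lower     = $exe.ToLowerInvariant()
        $inTrusted = @($trustedRoots | Where-Object { $lower.StartsWith($_) }).Count -gt 0

        [pscustomobject]@{
            Name             = $_.PSChildName
            Start            = $startNames[[int]$props.Start]
            ImagePath        = $exe
            OutsideKnownDirs = -not $inTrusted
        }
    }
}

# Usage: show only the auto-started entries whose binary is somewhere unexpected.
Get-AutoStartServiceEntry | Where-Object { $_.OutsideKnownDirs } | Format-Table -AutoSize
```

Entries that the script flags are not necessarily malicious (third-party software installed to another drive will show up too), but they are the ones worth comparing against the installed software inventory, and the same key is what Services.msc and sc.exe read.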

HKEY_USERS (HKU)
While the HKEY_CURRENT_USER key stores the settings of the current user, this key stores
Windows settings for all users. Its subkeys contain information about all user profiles, and one of the
subkeys always corresponds to the HKEY_CURRENT_USER key (it is named after the Security
Identifier (SID) of the user). Another subkey, HKEY_USERS\.DEFAULT, stores information about
system settings at the moment before the start of the current user session.

HKEY_CURRENT_CONFIG (HKCC)
This key stores information about the hardware profile used by the local computer at system
startup. Hardware profiles allow selecting drivers of supported devices for the specified session.

HKEY_PERFORMANCE_DATA
This key provides runtime access to performance data provided by either the NT kernel itself or by
running system drivers, programs and services that publish performance data. This key is not stored in
any hive and is not displayed in the Registry Editor, but it is visible through the registry functions in the
Windows API, or in a simplified view via the Performance tab of the Task Manager (only for a few
performance counters on the local system) or via more advanced tools (such as the Performance
Monitor, which allows collecting and logging these data, including from remote systems).

HKEY_DYN_DATA
This key is used only on Windows 95, Windows 98 and Windows ME. It contains information about
hardware devices, including Plug and Play and network performance statistics. The information in this
hive is also not stored on the hard drive. The Plug and Play information is gathered and configured at
startup and is stored in memory.

3.3.2. Automating Administrative Tasks - Windows Host Scripting


The Microsoft Windows Script Host (WSH) (formerly named Windows Scripting Host) is an
automation technology for Microsoft Windows operating systems that provides scripting abilities
comparable to batch files, but with a wider range of supported features. This tool was first provided on
Windows 95 after Build 950a on the installation discs as an optional installation configurable and
installable by means of the Control Panel. Windows Script Host is distributed and installed by default
on Windows 98 and later versions of Windows. It is also installed if Internet Explorer 5 (or a later
version) is installed. Beginning with Windows 2000, the Windows Script Host became available for use
with user login scripts.


It is language-independent in that it can make use of different Active Scripting language engines. By
default, it interprets and runs plain-text JScript (.JS & .JSE files) and VBScript (.VBS & .VBE files).
Users can install different scripting engines to enable them to script in other languages, for instance
PerlScript. The language independent filename extension WSF can also be used. The advantage of the
Windows Script File (.WSF) is that it allows multiple scripts ("jobs") as well as a combination of
scripting languages within a single file.
WSH engines include various implementations for the Rexx, BASIC, Perl, Ruby, Tcl, PHP, JavaScript,
Delphi, Python, XSLT, and other languages.

Usage
Windows Script Host may be used for a variety of purposes, including logon scripts, administration and
general automation. Microsoft describes it as an administration tool. WSH provides an environment for
scripts to run – it invokes the appropriate script engine and provides a set of services and objects for the
script to work with. These scripts may be run in GUI mode (WScript.exe) or command line mode
(CScript.exe), or from a COM object (wshom.ocx), offering flexibility to the user for interactive or
non-interactive scripts. Windows Management Instrumentation is also scriptable by this means.
The WSH, the engines, and related functionality are also listed as objects which can be accessed and
scripted and queried by means of the VBA and Visual Studio object explorers and those for similar
tools like the various script debuggers, e.g. Microsoft Script Debugger, and editors.
WSH implements an object model which exposes a set of Component Object Model (COM) interfaces.
So in addition to ASP, IIS, Internet Explorer, CScript and WScript, the WSH can be used to automate
and communicate with any Windows application with COM and other exposed objects, such as using
PerlScript to query Microsoft Access by various means including various ODBC engines and SQL,
ooRexxScript to create what are in effect Rexx macros in Microsoft Excel, Quattro Pro, Microsoft
Word, Lotus Notes and any of the like, the XLNT script to get environment variables and print them in
a new TextPad document, and so on.
The VBA functionality of Microsoft Office, Open Office (as well as Python and other installable macro
languages) and Corel WordPerfect Office is separate from WSH engines although Outlook 97 uses
VBScript rather than VBA as its macro language.
VBScript, JScript, and some third-party engines have the ability to create and execute scripts in an
encoded format which prevents editing with a text editor; the file extensions for these encoded scripts
are .vbe and .jse and others of that type.
Unless otherwise specified, any WSH scripting engine can be used with the various Windows server
software packages to provide CGI scripting. The current versions of the default WSH engines and all or
most of the third-party engines have socket abilities as well; as a CGI script or otherwise, PerlScript is
the choice of many programmers for this purpose, and the VBScript and various Rexx-based engines are
also rated as sufficiently powerful in connectivity and text-processing abilities to be useful. The same
goes for file access and processing: the earliest WSH engines for VBScript and JScript lacked it because
the base languages did, whilst PerlScript, ooRexxScript, and the others have had it from the beginning.
Any scripting language installed under Windows can be accessed by external means; PerlScript,
PythonScript, VBScript and the other available engines can be used to access databases (Lotus Notes,
Microsoft Access, Oracle Database, Paradox), spreadsheets (Microsoft Excel, Lotus 1-2-3, Quattro
Pro) and other tools like word processors, terminal emulators, command shells and so on. This can be
accomplished by means of the WSH, so any language can be used if there is an installed engine.

Examples
The first example is very simple; it shows some VBScript which uses the root WSH COM object
"WScript" to display a message with an 'OK' button. Upon launching this script the CScript or WScript
engine would be called and the runtime environment provided. Content of a file hello0.vbs:
Save the file as ‘hello0.vbs’
' WScript is the root WSH object. Under WScript.exe, Echo shows a message box with an
' OK button; under CScript.exe it writes the text to the console instead.
WScript.Echo "Hello world"
WScript.Quit

WSH programming can also use the JScript language. Content of a file hello1.js:
Save the file as ‘hello1.js’
// The same two calls from JScript; WSH is a synonym for the WScript root object.
WSH.Echo("Hello world");
WSH.Quit();

Or, code can be mixed in one WSF file, such as VBScript and JScript, or any other. Content of a file
hello2.wsf:
Save the file as ‘hello2.wsf’
<job>
<!-- one job holding a VBScript block and a JScript block; both run in order -->
<script language="VBScript">
MsgBox "hello world (from vb)"
</script>
<script language="JScript">
WSH.echo("hello world (from js)");
</script>
</job>

Security Concerns
Windows applications and processes may be automated using a script in Windows Script Host. Viruses
and malware could be written to exploit this ability. Thus, some suggest disabling it for security
reasons. Alternatively, antivirus programs may offer features to control .vbs and other scripts which run
in the WSH environment.
Since version 5.6 of WSH, scripts can be digitally signed programmatically using the Scripting.Signer
object in a script itself, provided a valid certificate is present on the system. Alternatively, the signcode
tool from the Platform SDK, which has been extended to support WSH filetypes, may be used at the
command line.
By using Software Restriction Policies introduced with Windows XP, a system may be configured to
execute only those scripts which are stored in trusted locations, have a known MD5 hash, or have been
digitally signed by a trusted publisher, thus preventing the execution of untrusted scripts.
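The three controls just listed (the host's own on/off switch, Authenticode signatures on script files, and Software Restriction Policies) can all be checked from PowerShell. The script below is an added example and not part of the course notes. It reads the Enabled value under the Windows Script Host\Settings key for both the machine and the current user, reads the DefaultLevel value of the Software Restriction Policy key, and runs Get-AuthenticodeSignature over the script files in a directory you name. The registry paths and the meaning of DefaultLevel 262144 (Unrestricted) and 0 (Disallowed) are the documented ones; the function name, the output shape and the directory to scan are this example's assumptions.

```powershell
# Added example (not from the course notes): read-only audit of the WSH controls
# mentioned in the text. Assumes Windows PowerShell on the machine being checked.

function Get-WshSecurityReport {
    param(
        # Folder whose .vbs/.vbe/.js/.jse/.wsf files should be signature-checked (assumption).
        [Parameter(Mandatory)] [string]$ScriptDirectory
    )

    $wshKey = 'SOFTWARE\Microsoft\Windows Script Host\Settings'
    $srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

    # Enabled = 0 disables the host for that scope; a missing value means "enabled".
    $hklm = Get-ItemProperty "HKLM:\$wshKey" -ErrorAction SilentlyContinue
    $hkcu = Get-ItemProperty "HKCU:\$wshKey" -ErrorAction SilentlyContinue
    $srp  = Get-ItemProperty $srpKey -ErrorAction SilentlyContinue

    # Software Restriction Policy default security level (hex 40000 / 20000 / 0).
    $levelNames = @{ 262144 = 'Unrestricted'; 131072 = 'Basic User'; 0 = 'Disallowed' }
    $srpLevel = 'No SRP default level configured'
    if ($null -ne $srp -and $null -ne $srp.DefaultLevel) {
        $srpLevel = $levelNames[[int]$srp.DefaultLevel]
        if (-not $srpLevel) { $srpLevel = "Level $($srp.DefaultLevel)" }
    }

    # Authenticode status of every file a WSH engine would run from that folder.
    $scripts = Get-ChildItem -Path $ScriptDirectory -Include *.vbs,*.vbe,*.js,*.jse,*.wsf -Recurse -File |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                Status = $sig.Status       # Valid, NotSigned, HashMismatch, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }

    [pscustomobject]@{
        WshEnabledMachine = if ($null -ne $hklm -and $null -ne $hklm.Enabled) { [int]$hklm.Enabled -ne 0 } else { $true }
        WshEnabledUser    = if ($null -ne $hkcu -and $null -ne $hkcu.Enabled) { [int]$hkcu.Enabled -ne 0 } else { $true }
        SrpDefaultLevel   = $srpLevel
        UnsignedScripts   = @($scripts | Where-Object { $_.Status -ne 'Valid' })
        Scripts           = $scripts
    }
}

# Usage: the directory is a placeholder; point it at the logon-script share or a user's profile.
Get-WshSecurityReport -ScriptDirectory 'C:\Scripts' | Format-List
```

A script whose Status is HashMismatch has been altered after signing and deserves the same attention as an unsigned one; with an SRP default level of Disallowed, only scripts matched by an explicit path, hash or certificate rule will run at all.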

3.4. Advanced Concepts II


3.4.1. Routing and NAT
Routing refers to establishing routes that data packets take on their way to a particular destination. This
term can be applied to data traveling on Internet, over 3G/4G networks, or over similar networks used
for telecom and other digital communications setups. Routing can also take place within proprietary
networks. In general, routing involves the network topology, or the setup of hardware, that can
effectively relay data. Standard protocols help to identify the best routes for data and to ensure quality
transmission. Individual pieces of hardware such as routers are referred to as "nodes" in the network.
Different algorithms and protocols can be used to figure out how to best route data packets, and which
nodes should be used. For example, some data packets travel according to the distance-vector model,
which primarily uses distance as a factor, whereas others use a link-state protocol, which takes other
aspects into account.
Data packets are also made to give networks information. Headers on packets provide details about
origin and destination. Standards for data packets allow for conventional design, which can help with
future routing methodologies. As the world of digital technology evolves, routing will also evolve
according to the needs and utility of a particular network.
In internetworking, routing is the process of moving a packet of data from source to destination.
Routing is usually performed by a dedicated device called a router. Routing is a key feature of the
Internet because it enables messages to pass from one computer to another and eventually reach the
target machine. Each intermediary computer performs routing by passing along the message to the next
computer. Part of this process involves analyzing a routing table to determine the best path.
Routing is often confused with bridging, which performs a similar function. The principal difference
between the two is that bridging occurs at a lower level and is therefore more of a hardware function
whereas routing occurs at a higher level where the software component is more important. And because
routing occurs at a higher level, it can perform more complex analysis to determine the optimal path for
the packet.


Network Address Translation (NAT)


NAT translates the IP addresses of computers in a local network to a single IP address. This address is
often used by the router that connects the computers to the Internet. The router can be connected to a
DSL modem, cable modem, T1 line, or even a dial-up modem. When other computers on the Internet
attempt to access computers within the local network, they only see the IP address of the router. This
adds an extra level of security, since the router can be configured as a firewall, only allowing
authorized systems to access the computers within the network.
Once a system from outside the network has been allowed to access a computer within the network, the
IP address is then translated from the router's address to the computer's unique address. The address is
found in a "NAT table" that defines the internal IP addresses of computers on the network. The NAT
table also defines the global address seen by computers outside the network. Even though each
computer within the local network has a specific IP address, external systems can only see one IP
address when connecting to any of the computers within the network.
To simplify, network address translation makes computers outside the local area network (LAN) see
only one IP address, while computers within the network can see each system's unique address. While
this aids in network security, it also limits the number of IP addresses needed by companies and
organizations. Using NAT, even large companies with thousands of computers can use a single IP
address for connecting to the Internet. Now that's efficient.
NAT is the process where a network device, usually a firewall, assigns a public address to a computer
(or group of computers) inside a private network. The main use of NAT is to limit the number of public
IP addresses an organization or company must use, for both economy and security purposes.
The most common form of network translation involves a large private network using addresses in a
private range (10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, or 192.168.0.0 to
192.168.255.255). The private addressing scheme works well for computers that only have to access
resources inside the network, like workstations needing access to file servers and printers. Routers
inside the private network can route traffic between private addresses with no trouble. However, to
access resources outside the network, like the Internet, these computers have to have a public address in
order for responses to their requests to return to them. This is where NAT comes into play.
Internet requests that require Network Address Translation (NAT) are quite complex but happen so
rapidly that the end user rarely knows it has occurred. A workstation inside a network makes a request
to a computer on the Internet. Routers within the network recognize that the request is not for a
resource inside the network, so they send the request to the firewall. The firewall sees the request from
the computer with the internal IP. It then makes the same request to the Internet using its own public
address, and returns the response from the Internet resource to the computer inside the private network.
From the perspective of the resource on the Internet, it is sending information to the address of the
firewall. From the perspective of the workstation, it appears that communication is directly with the site
on the Internet. When NAT is used in this way, all users inside the private network share the same
public IP address when they access the Internet. That means only one public address is
needed for hundreds or even thousands of users.
Most modern firewalls are stateful - that is, they are able to set up the connection between the internal
workstation and the Internet resource. They can keep track of the details of the connection, like ports,
packet order, and the IP addresses involved. This is called keeping track of the state of the connection.
In this way, they are able to keep track of the session composed of communication between the
workstation and the firewall, and the firewall with the Internet. When the session ends, the firewall
discards all of the information about the connection.
There are other uses for Network Address Translation (NAT) beyond simply allowing workstations
with internal IP addresses to access the Internet. In large networks, some servers may act as Web
servers and require access from the Internet. These servers are assigned public IP addresses on the
firewall, allowing the public to access the servers only through that IP address. However, as an
additional layer of security, the firewall acts as the intermediary between the outside world and the
protected internal network. Additional rules can be added, including which ports can be accessed at that
IP address. Using NAT in this way allows network engineers to more efficiently route internal network
traffic to the same resources, and allow access to more ports, while restricting access at the firewall. It
also allows detailed logging of communications between the network and the outside world.
Additionally, NAT can be used to allow selective access to the outside of the network, too.
Workstations or other computers requiring special access outside the network can be assigned specific
external IPs using NAT, allowing them to communicate with computers and applications that require a
unique public IP address. Again, the firewall acts as the intermediary, and can control the session in
both directions, restricting port access and protocols.
NAT is a very important aspect of firewall security. It conserves the number of public addresses used
within an organization, and it allows for stricter control of access to resources on both sides of the firewall.
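The two mechanisms of 3.4.1 can be seen together in a small model: a routing-table lookup decides whether a destination is on the local subnet or must go to the gateway, and the gateway then keeps the per-session state that the "stateful" paragraph describes, rewriting the source address and port on the way out and restoring them on the reply. The PowerShell below is an added example written for these notes, not code from any product; the routing table, the addresses (taken from documentation ranges) and the port numbers are all constructed, and the function names are this example's own.

```powershell
# Added example (not from the course notes): longest-prefix-match routing lookup followed
# by a stateful NAT (port-translating) table, both on constructed data.

function ConvertTo-IPv4Long {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Get-PrefixMask {
    param([int]$PrefixLength)
    # /24 -> 0xFFFFFF00; computed arithmetically so it stays a [long] for -band below
    return [long]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $PrefixLength))
}

# Constructed routing table of an inside host on 192.168.1.0/24 (same shape as "route print").
$RoutingTable = @(
    @{ Prefix = '192.168.1.0'; Length = 24; NextHop = 'on-link' },
    @{ Prefix = '10.0.0.0';    Length = 8;  NextHop = '192.168.1.1' },
    @{ Prefix = '0.0.0.0';     Length = 0;  NextHop = '192.168.1.1' }   # default route
)

function Find-Route {
    param([string]$Destination, [array]$Table = $RoutingTable)
    $d = ConvertTo-IPv4Long $Destination
    $best = $null
    foreach ($r in $Table) {
        $mask = Get-PrefixMask $r.Length
        $net  = (ConvertTo-IPv4Long $r.Prefix) -band $mask
        if ($net -ne ($d -band $mask)) { continue }
        # Longest prefix wins: the /24 entry beats the /0 default route for its own subnet.
        if ($null -eq $best -or $r.Length -gt $best.Length) { $best = $r }
    }
    return $best
}

# The gateway's NAT state: one public address, one public port per inside (address, port) pair.
$GatewayPublicIP     = '203.0.113.7'
$script:NatTable     = @{}     # "insideIP:insidePort" -> public port
$script:ReverseTable = @{}     # public port -> "insideIP:insidePort"
$script:NextPort     = 40000

function Invoke-OutboundNat {
    param([hashtable]$Packet)  # keys: Src, SrcPort, Dst, DstPort
    $key = "$($Packet.Src):$($Packet.SrcPort)"
    if (-not $script:NatTable.ContainsKey($key)) {
        # First packet of a session: allocate a public port and record the mapping (the state).
        $script:NatTable[$key] = $script:NextPort
        $script:ReverseTable[$script:NextPort] = $key
        $script:NextPort++
    }
    return @{ Src = $GatewayPublicIP; SrcPort = $script:NatTable[$key]
              Dst = $Packet.Dst;      DstPort = $Packet.DstPort }
}

function Invoke-InboundNat {
    param([hashtable]$Reply)   # a packet addressed to the gateway's public IP and port
    # No table entry means no inside host opened this session: the gateway drops the packet.
    if (-not $script:ReverseTable.ContainsKey($Reply.DstPort)) { return $null }
    $inside = $script:ReverseTable[$Reply.DstPort] -split ':'
    return @{ Src = $Reply.Src; SrcPort = $Reply.SrcPort; Dst = $inside[0]; DstPort = [int]$inside[1] }
}

# Walk one request and its reply through the model.
$pkt   = @{ Src = '192.168.1.10'; SrcPort = 51515; Dst = '198.51.100.20'; DstPort = 443 }
$route = Find-Route $pkt.Dst
"Route for $($pkt.Dst): $($route.Prefix)/$($route.Length) via $($route.NextHop)"
if ($route.NextHop -ne 'on-link') {
    $out   = Invoke-OutboundNat $pkt
    "After NAT: $($out.Src):$($out.SrcPort) -> $($out.Dst):$($out.DstPort)"
    $reply = @{ Src = $out.Dst; SrcPort = $out.DstPort; Dst = $out.Src; DstPort = $out.SrcPort }
    $in    = Invoke-InboundNat $reply
    "Reply delivered inside to $($in.Dst):$($in.DstPort)"
    # An unsolicited packet to a port with no state comes back as $null, i.e. dropped.
    "Unsolicited packet dropped: $($null -eq (Invoke-InboundNat @{ Src = '198.51.100.99'; SrcPort = 80; Dst = $out.Src; DstPort = 40999 }))"
}
```

The last line is the property the text calls "keeping track of the state of the connection": because inbound delivery depends on an entry that only an outbound packet can create, an outside host cannot reach 192.168.1.10 by guessing the gateway's address, which is the protective effect the NAT paragraphs describe.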

3.4.2. Proxies and Gateways


What is a proxy server?
A proxy server acts as a gateway between you and the Internet. It’s an intermediary server separating
end users from the websites they browse. Proxy servers provide varying levels of functionality,
security, and privacy depending on your use case, needs, or company policy.
Modern proxy servers do much more than forwarding web requests, all in the name of data security and
network performance. Proxy servers act as a firewall and web filter, provide shared network
connections, and cache data to speed up common requests. A good proxy server keeps users and the
internal network protected from the bad stuff that lives out in the wild Internet. Lastly, proxy servers
can provide a high level of privacy.


A proxy server is a bridge between you and the rest of the Internet. Normally, when you use your
browser to surf the Internet, you’ll connect directly to the website you’re visiting. Proxies communicate
with websites on your behalf.
When you use a proxy, your browser first connects to the proxy, and the proxy forwards your traffic to
the website. That’s why proxy servers are also known as “forward proxies.” A proxy will also receive
the website’s response and send it back to you.
In everyday use, the word proxy refers to someone who is authorized to take action on your behalf, like
voting at an important meeting that you can’t attend. A proxy server fills that role, but online. Instead of
you communicating directly with the websites you visit, a proxy steps in to handle that relationship for you.

What does a proxy server do, exactly?


As your intermediary on the web, proxy servers have many useful roles, some of which are:
➢ Firewalls: a firewall is a type of network security system that acts as a barrier between a network
and the wider Internet. Security professionals configure firewalls to block unwanted access to the
networks they are trying to protect, often as an anti-malware or anti-hacking countermeasure. A
proxy server between a trusted network and the Internet is the perfect place to host a firewall
designed to intercept and either approve or block incoming traffic before it reaches the network.
➢ Content filters: Just as proxy servers can regulate incoming connection requests with a
firewall, they can also act as content filters by blocking undesired outgoing traffic. Companies
may configure proxy servers as content filters to prevent employees from accessing the blocked
websites while at work.
➢ Bypassing content filters: That’s right — you can outsmart a proxy with another proxy. If your
company’s proxy has blocked your favorite website, but it hasn’t blocked access to your
personal proxy server or favorite web-based proxy, you can access your proxy and use it to
reach the websites you want.
➢ Caching: Caching refers to the temporary storage of frequently accessed data, which makes it
easier and faster to access it again in the future. Proxies can cache websites so that they’ll load
faster than if you were to send your traffic all the way through the Internet to the website’s
server. This reduces latency — the time it takes for data to travel through the Internet.
➢ Security: In addition to hosting firewalls, proxy servers can also enhance security by serving as
the singular public face of the network. From an outside point of view, all the network’s users
are anonymous, hidden behind the proxy’s IP address. If a hacker wants to access a specific
device on a network, it’ll be a lot harder for them to find it.
➢ Sharing Internet connections: Businesses or even homes with a single Internet connection can
use a proxy server to funnel all their devices through that one connection. Using a Wi-Fi router
and wireless-capable devices is another solution to this issue.


What is a Gateway
A gateway is a node (router) in a computer network, a key stopping point for data on its way to or from
other networks. Thanks to gateways, we are able to communicate and send data back and forth. The
Internet wouldn't be any use to us without gateways (as well as a lot of other hardware and software).
In a workplace, the gateway is the computer that routes traffic from a workstation to the outside
network that is serving up the Web pages. For basic Internet connections at home, the gateway is the
Internet Service Provider that gives you access to the entire Internet.
A node is simply a physical place where the data stops for either transporting or reading/using. (A
computer or modem is a node; a computer cable isn't.) Here are a few node notes:
➢ On the Internet, the node that's a stopping point can be a gateway or a host node.
➢ A computer that controls the traffic your Internet Service Provider (ISP) receives is a node.
➢ If you have a wireless network at home that gives your entire family access to the Internet, your
gateway is the modem (or modem-router combo) your ISP provides so you can connect to their
network. On the other end, the computer that controls all of the data traffic your Internet Service
Provider (ISP) takes and sends out is itself a node.
➢ When a computer-server acts as a gateway, it also operates as a firewall and a proxy server. A
firewall keeps out unwanted traffic and outsiders off a private network. A proxy server is
software that "sits" between programs on your computer that you use (such as a Web browser)
and a computer server—the computer that serves your network. The proxy server's task is to
make sure the real server can handle your online data requests.
A gateway is a hardware device that acts as a "gate" between two networks. It may be a router, firewall,
server, or other device that enables traffic to flow in and out of the network. While a gateway protects
the nodes within the network, it is also a node itself. The gateway node is considered to be on the "edge" of
the network as all data must flow through it before coming in or going out of the network. It may also
translate data received from outside networks into a format or protocol recognized by devices within
the internal network. A router is a common type of gateway used in home networks. It allows
computers within the local network to send and receive data over the Internet. A firewall is a more
advanced type of gateway, which filters inbound and outbound traffic, disallowing incoming data from
suspicious or unauthorized sources. A proxy server is another type of gateway that uses a combination
of hardware and software to filter traffic between two networks.
A gateway is a network node used in telecommunications that connects two networks with different
transmission protocols together. Gateways serve as an entry and exit point for a network as all data
must pass through or communicate with the gateway prior to being routed. In most IP-based networks,
the only traffic that does not go through at least one gateway is traffic flowing among nodes on the
same local area network (LAN) segment. The term default gateway or network gateway may also be
used to describe the same concept.


The primary advantage of using a gateway in personal or enterprise scenarios is simplifying Internet
connectivity into one device. In an enterprise, a gateway can also act as a proxy server and firewall.
Gateways can be purchased through popular technology retailers, such as Best Buy, or rented through an ISP.

How gateways work


All networks have a boundary that limits communication to devices that are directly connected to it.
Due to this, if a network wants to communicate with devices, nodes or networks outside of that
boundary, they require the functionality of a gateway. A gateway is often characterized as being the
combination of a router and a modem.
A gateway is implemented at the edge of a network and manages all data that is directed into or out
of that network. When one network wants to communicate with another, the data packet is passed to
the gateway and then routed to the destination through the most efficient path. In addition to routing
data, a gateway will also store information about the host network’s internal paths and the paths of any
additional networks that are encountered.
Gateways are basically protocol converters, facilitating compatibility between two protocols and
operating on any layer of the open systems interconnection (OSI) model.

Types of gateways
Gateways can take several forms and perform a variety of tasks. Examples of this include:
➢ Web application firewalls - This type filters traffic to and from a web server and inspects
application-layer data.
➢ Cloud storage gateways - This type translates storage requests into the API calls of various cloud
storage services. It allows organizations to integrate storage from a private cloud into
applications without migrating into a public cloud.
➢ API, SOA or XML gateways - This type manages traffic flowing into and out of a service,
microservices-oriented architecture or XML-based web service.
➢ IoT gateways - This type aggregates sensor data from devices in an IoT environment, translates
between sensor protocols and processes sensor data before sending it onward.
➢ Media gateways - This type converts data from the format required for one type of network to
the format required for another.
➢ Email security gateways - This type prevents the transmission of emails that break company
policy or that carry information with malicious intent.
➢ VoIP trunk gateways - This type facilitates the use of plain old telephone service equipment,
such as landline phones and fax machines, with a voice over IP (VoIP) network.
Additionally, a service provider may offer gateways of its own for customers to use. For instance,
Amazon Web Services (AWS) has a gateway service that allows a developer to connect non-AWS
applications to AWS back-end resources.
