Moving certificates between computers

If you use certificates for authentication, digital signing, or other reasons, and routinely work with more than one machine, you'd probably like to have the same certificates on multiple computers. Or, maybe you need to reinstall Windows 2000 and must recover all of your certificates for the next installation. Rather than obtain different certificates for each computer you use, just export the certificates to each computer as needed. Exporting the certificates also gives you the ability to restore them if you're reinstalling Windows 2000.
You can use Internet Explorer, Outlook Express, or the Certificates console to export certificates. In each case, Windows 2000 runs the Certificate Export Wizard to export the certificate to a file that you can archive or import to another computer. Here's how to move your certificates to another computer using the Certificates console:

1. Open the Certificates MMC snap-in; then, open the branch Certificates/Current User/Personal/Certificates.

2. Right-click the certificate and choose All Tasks | Export.

3. Click Next after the Certificate Export Wizard starts.

4. Choose Yes, Export The Private Key and click Next.

5. Accept the default settings for Export File Format and click Next.

6. Specify a password to protect the certificate file and click Next.

7. Specify a filename for the certificate, click Next, and then click Finish.

8. On the next computer, in Internet Explorer or Outlook Express, click Import to start the Certificate Import Wizard. If using the Certificates console, right-click in the right pane and choose All Tasks | Import to start the wizard.

9. Click Next after the wizard starts. Specify or browse to the path where the certificate is stored, select it, and click Next.

10. Specify the password entered in step 6 and click Next.

11. Click Next when prompted for the location of the certificate (let Windows 2000 place the certificate for you automatically), click Next again, and then click Finish.

 

Locking down the registry

Our recent tip, "Disable remote registry modification" (Jun. 12, 2000), explained how to prevent remote users from modifying your registry. If you need to allow some users that ability or otherwise restrict but not completely prevent registry modifications, you can apply permissions to registry keys that specify what actions users and groups can take on those particular keys and their values. For example, you might grant a given group of users the right to read keys but not modify them, while granting another group the ability to read and create new values in those keys but not create new subkeys.
Use Regedt32.exe to set permissions on registry keys. To do so, run Regedt32, select the key for which you want to modify permissions, then click Security | Permissions. The initial Permissions dialog box for a key lets you allow or deny Read or Full Control permissions on a per-user or per-group basis. Click Advanced if you need more granular control over the permissions granted to a group or user.
Auditing is another important aspect of registry security. You can configure which registry events are logged for specific users or groups. Open Regedt32, open the key, then click Security | Permissions. Click Advanced then click the Auditing tab. Click Add to add a user or group, and then in the Auditing Entry dialog select Successful or Failed, as desired, beside each event you want to audit.

 

Working with removable NTFS media

By default, Windows 2000 allows removable NTFS media to be ejected only by members of the Administrators group. That logic makes sense because if you're using NTFS, you're probably doing so to take advantage of the security it provides.
In some situations, however, you might want to enable other users to eject removable NTFS media. For example, if you need to eject frequently, you could avoid logging off your primary user account and logging on as administrator each time.
The ability to eject removable NTFS media is controlled by a group policy. If the policy is defined at a level above the local computer, the domain policy takes precedence over the local policy. To set the policy at the local level:

1. Open the Local Security Policy console from the Administrative Tools folder.

2. Open the branch Local Policies/Security Options.

3. Double-click Allowed To Eject Removable NTFS Media.

4. Select the groups that need the ability to eject the media and click OK, then close the console.

 

Renaming the administrator and guest accounts

Obtaining a valid account name is the first step in any malicious attempt to break into a system, whether the cracker is working from within your organization or externally. Anyone with any NT or Windows 2000 experience knows the name of the administrator account and probably knows about the guest account, as well.
So, if you're concerned about tightening up your system security, you can take the precaution of renaming both the administrator and guest accounts. You can also disable the guest account to prevent it from being used to access the system.
You can change the administrator and guest account names through the Local Security Policy console. To do so, open the Local Security Policy console from the Administrative Tools folder then open the Local Policies/Security Options branch, where you'll find the policy options Rename Administrator Account and Rename Guest Account. You can use the Local Users And Groups console to completely disable the guest account, if desired.

 

Controlling driver and service installation behavior

Windows 2000 introduced a new feature called Driver Signing, which enables drivers and services to be digitally signed to indicate that they've been tested for compatibility by Microsoft. While Driver Signing doesn't guarantee a problem-free driver or service, it's a good first step.
Windows 2000 checks during installation to determine whether a driver or service is signed, and if not, takes an action based on the way you've configured the appropriate security policy. You have three choices: allow the installation to silently succeed, have Windows 2000 warn the user that the driver is unsigned but allow the installation to proceed, or not allow the driver to be installed. As with most other policies, the domain policy, if there is one, overrides the local policy.
You'll find the two policy settings in the Local Policies/Security Options branch of the Local Security Policy console as Unsigned Driver Installation Behavior and Unsigned Non-Driver Installation Behavior. Just double-click the policy, select the desired value, and click OK.

 

Viewing and disabling services from the Recovery Console

When you're trying to troubleshoot and recover a system that won't boot normally or won't let you log on, it's often helpful to be able to disable services that might be the source of the problem. The Recovery Console gives you three commands you can use to list services and their status, as well as change the startup mode for the service. For example, you might set a service's mode to Manual or Disabled if you think it's preventing the system from starting normally.
Install the Recovery Console if it isn't already loaded, then boot the system to the Recovery Console. The LISTSVC command lists each available service and driver, giving you its name, startup mode, and friendly name. There are no switches for the command; just type LISTSVC at the console prompt.
The ENABLE command lets you change the startup mode for a service. The syntax is:
ENABLE servicename [start_type]
where servicename is the name of the service to modify and [start_type] is one of these four values:

SERVICE_BOOT_START

SERVICE_SYSTEM_START

SERVICE_AUTO_START

SERVICE_DEMAND_START

Use ENABLE servicename with no start type to list the current start type.
You can use the DISABLE command to disable a service. The syntax for the command is:
DISABLE servicename
where servicename is the name of the service to disable.

 

Configure Win2K Professional as a Telnet server

Windows 2000 includes a service that lets the computer function as a Telnet server, enabling remote clients to connect and run command console sessions. Since Telnet offers a handy means of remote administration, you might want to enable the service on your workstation. Or, perhaps you simply want to be able to connect to your office computer when you're out of the office. Whatever the case, setting up the Telnet service is easy.
First, decide how you want the service started. By default, the Telnet service is configured for manual startup, but you might want to configure it for automatic startup so it's available when you need it. Open the Services branch of the Computer Management console and start the Telnet service, then set its startup mode as desired. Next, open a Telnet client on another computer and attempt to connect via your new Telnet server's IP address or host name.
You might also want to configure a logon banner and automatically execute commands when you log on (map drives and so on). When a user connects, the Telnet service runs the file %systemroot%\System32\Login.cmd. Modify the file in Notepad to suit your needs.

 

Using certificate-based authentication for dial-up connections

If you're concerned that someone other than your authorized users might compromise a dial-up account and gain access to your network, you can consider requiring certificate-based authentication for all dial-up connections. This helps lock out unauthorized users even if they have a valid user account and password, since they won't have the appropriate certificate to enable them to authenticate.

The following assumes that you've already configured the dial-up server to require EAP-TLS as the authentication protocol. Here's how to configure the client to use certificates for RAS authentication:

1. Obtain a computer certificate from a Certification Authority (CA) in your domain.

2. Install on the client computer the certificate obtained in step 1 (using the Certificates MMC console to do so).

3. Open the Network And Dial-Up Connections folder, right-click the dial-up connection, and choose Properties.

4. Click the Security tab, select Advanced, and click Settings.

5. Under Logon Security, select Use Extensible Authentication Protocol (EAP).

6. Select Smart Card or other Certificate from the drop-down list.

7. Click Properties to set additional options as needed, based on the following selections:

   Validate Server Certificate: Causes your computer to verify that the certificate provided by the server has not expired. Deselect Let The Client Accept The Server's Certificate Without Validation.

   Connect Only If Server Name Ends With: Use to limit connections to servers that reside in a specified domain.

   Trusted Root Certificate Authority: Select the trusted root certificate authority for your server.

   Use A Different User Name For The Connection: Select this option if the user name stored in the smart card or associated with the certificate you're using is not the same as the user name you need to use to log on in the remote domain.

 

Generating e-mail automatically

Have you ever wished you could schedule messages to be sent as periodic reminders? Maybe you need to send reminders, even to yourself, to replace a tape set for a regular backup, for example. Perhaps you've automated a process with a batch file and would like it to send e-mail notifications as part of the process. Good ol' Blat is just the thing you need.
Blat is a command-line SMTP e-mail utility that lets you send e-mail, complete with attachments, to any SMTP server. The application is public domain (freeware), so you can't beat the price! You'll find Blat at http://www.interlog.com/~tcharron/blat.html.
Blat offers a good set of options for specifying subject and other message properties, sending attachments, retrying transmission, and so on. You can use Blat within your batch files, or use it in conjunction with the AT command or the WinAT utility in the Windows 2000 Resource Kit to schedule messages.
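As an added example (not part of the tip, and not Blat's own documentation), here is a batch wrapper that runs a job, captures its log, and mails the log through Blat with a subject that reflects the job's exit code. The mail server, addresses, and script paths are placeholders; Blat's -install, -t and -s switches are its standard ones.

```batch
@echo off
rem Added example: run a job, then e-mail its log with Blat.
rem One-time setup on this machine (assumed mail server and sender address):
rem     blat -install mail.example.com backup-robot@example.com
rem To run it nightly on weekdays with the AT scheduler (assumed script path):
rem     at 02:00 /every:M,T,W,Th,F "C:\scripts\mail-wrapper.cmd"
rem JOB, LOG and TO are assumed values; change them for your site.
setlocal
set JOB=C:\scripts\nightly-backup.cmd
set LOG=%TEMP%\nightly-backup.log
set TO=admin@example.com

rem Run the job and capture both its output and its error messages in the log.
call "%JOB%" > "%LOG%" 2>&1

rem Choose the subject from the job's exit code so failures stand out in the inbox.
if errorlevel 1 (
    set SUBJECT=FAILED: nightly backup on %COMPUTERNAME%
) else (
    set SUBJECT=OK: nightly backup on %COMPUTERNAME%
)

rem Send the log file as the message body (-t recipient, -s subject).
blat "%LOG%" -t %TO% -s "%SUBJECT%"
endlocal
```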

 

Restricting dial-in users to the local computer

You might not realize it, but when you configure a Windows 2000 Professional computer to act as a dial-up server, remote callers have the ability to browse the local network as well, accessing LAN resources subject to the resource's permissions and user rights. If that's what you intended, then all is well. But, allowing dial-up users to access the LAN can be a security risk, even if the remote users are all authorized to access the LAN when they work locally rather than through dial-up. If an unauthorized user obtains a dial-in account and password, your LAN is suddenly exposed and potentially compromised. So, if the remote users only need access to the dial-up server, or to their individual computers, you should consider preventing pass-through access to the LAN.
You configure the connection through the Incoming Connections properties in the Network And Dial-Up Connections folder. Open the Properties sheet and click the Networking tab. Double-click a protocol then deselect the option Allow Callers To Access My Local Area Network. Repeat the process for any other protocols enabled for incoming connections.

 

Creating a file list for a batch file with DIR /B

Have you ever wished you could generate a file list from a directory so you could process those files in a batch file? For example, the Recovery Console's COPY command doesn't support wildcards for copying multiple files. If you're using the RC to back up or restore registry files or lots of other files, you have two options: type a COPY command for each file or automate the process with a batch file. You could use DIR without any switches to redirect the output to a text file, and then open the text file and strip out all of the extra stuff. But, there's an easier way.
The DIR command's /B switch displays files using a bare format that displays only the file name. You can use /B in combination with other switches and output redirection to create a list of files in a given directory. You can then use that list as input to a batch file or modify the list file itself to create a batch file, inserting the appropriate commands in the file.
Here's a sample command that performs a directory listing using the bare format, sorts the list by name with directories listed first, and redirects the list to a file named filelist.txt:
DIR /OGN /B > FILELIST.TXT
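As an added example (not from the original tip), the following batch file, run from a normal console before the Recovery Console is needed, turns a DIR /B listing into a Recovery Console script with one COPY line per file, which the RC's BATCH command can then run. The source and destination folders and the output file name are assumptions.

```batch
@echo off
rem Added example: build a Recovery Console script from a DIR /B listing.
rem The RC COPY command takes no wildcards, so each file gets its own line.
rem SRC, DST and OUT are assumed values; adjust them for your system.
rem The listed file names are assumed to contain no spaces.
setlocal
set SRC=C:\WINNT\repair\RegBack
set DST=C:\WINNT\system32\config
set OUT=C:\RESTORE.TXT
set LIST=%TEMP%\FILELIST.TXT

rem Bare listing, directories first then sorted by name, redirected to a file.
dir /B /OGN "%SRC%" > "%LIST%"

rem Start a fresh RC script, then append one COPY command per listed file.
rem The redirection comes first so a file name ending in a digit is never
rem misread by cmd.exe as a handle number (e.g. "...file1>>").
if exist "%OUT%" del "%OUT%"
for /F "usebackq delims=" %%F in ("%LIST%") do (
    >> "%OUT%" echo COPY %SRC%\%%F %DST%\%%F
)

rem Show the generated script so it can be reviewed before booting the RC.
type "%OUT%"
echo.
echo In the Recovery Console, run:  BATCH %OUT%
endlocal
```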

 

Disabling Automatic Private IP Addressing

Windows 2000 provides the ability for clients to automatically assume an IP address from the private subnet 169.254.n.n if no DHCP server is available on the network. This feature is called Automatic Private IP Addressing, or APIPA. It's great when you don't have a DHCP server, you don't need public IP addresses, and don't want the hassle of having to assign IP addresses manually.
In some situations, however, you might want to disable APIPA. For example, perhaps you do have a DHCP server on the network but don't want the system to use APIPA when the DHCP server is unable to service requests or the client is unable to communicate with the server for some reason. Having the system fail to obtain an IP address is a good means of notification that a problem exists on the network.
You can disable APIPA in one of two ways. You can implicitly disable it by assigning a static IP address to the workstation. Or, you can modify the registry to disable APIPA explicitly so that the workstation, when unable to obtain an IP address from a DHCP server, generates an error to that effect.

To disable APIPA, open the Registry Editor and navigate to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<adapter>

where <adapter> is the name of the interface for which you want to disable APIPA. Add a REG_DWORD value named IPAutoconfigurationEnabled in the key and set it to 0x0. Repeat the process for any other adapters that need to have APIPA disabled, then restart the computer.

 

Using L2TP for VPN connections

Virtual private network (VPN) connections let you establish a secure, private network tunnel to a remote private network through a public network such as the Internet. Once connected you can use resources such as files and printers just as if you were still in the office. Best of all, it's secure from intrusion. You might use a VPN connection when you need to connect to the office LAN while you're on the road.
If you've dealt with VPNs much, you're probably familiar with Point-to-Point Tunneling Protocol, or PPTP, which enables your private network traffic to be encapsulated for transmission over the public network. In addition to PPTP, Windows 2000 also supports Layer 2 Tunneling Protocol, or L2TP. Unlike PPTP, which uses Microsoft Point-to-Point Encryption (MPPE), L2TP relies on IP Security (IPSec) to provide encryption for the data traffic. Support for IPSec makes L2TP a better choice when a secure connection is essential because IPSec enables the remote access server administrator to lock down the VPN server so only L2TP traffic can pass through it. Encryption protects against your data being intercepted and compromised.
Configuring L2TP connections on the RRAS server takes a little effort, but we're focusing on Professional, so we'll just touch on the overall process:

1. Add additional VPN ports, if necessary, using the Routing and Remote Access (RRAS) MMC console.

2. Obtain a computer certificate for the RRAS server from a Certificate Authority (CA) on the LAN. Install the certificate.

3. Open the RRAS console and configure input filters on the VPN interface for UDP ports 500 and 1701 (source and destination) with a subnet mask of 255.255.255.255.

4. Configure output filters on the VPN interface for UDP ports 500 and 1701 (source and destination) with a subnet mask of 255.255.255.255.

 

Start the RC from the Setup disks or Windows 2000 CD

The Recovery Console (RC) provides a command console you can use to repair a system that's having problems booting. You can also use the RC to perform administration tasks on systems that will boot, such as manually restoring a registry hive file from a backup.
The best option is to install the Recovery Console on the system hard disk, which makes it a boot option—just select Recovery Console from the boot menu to start it. In some cases, such as when the hard drive has a problem, you might not be able to access the RC even if it is installed. In those situations you can start the RC from the Windows 2000 Setup disks (you did make a set, didn't you?). Just pop disk 1 in the drive and reboot. After you cycle through all of the disks, select the option to repair the system. One of your options will be to load the RC. If your system supports booting from CD, pop in the Windows 2000 CD and reboot from the CD. You'll have the same option to start the RC as you do when booting from the Setup disks—it just won't take 10 minutes to get there.

 

Use FIXBOOT and FIXMBR to fix drive problems

A couple of Recovery Console (RC) commands can help you fix problems that might crop up with a system's hard disk. If you don't have the RC installed, you can run it through the Windows 2000 Setup disks as explained in yesterday's tip, "Start the Recovery Console from the Setup disks or Windows 2000 CD."
The FIXBOOT command writes a new boot sector onto the system partition. The syntax for the command is:
FIXBOOT [drive:]
It is important to note that if you don't specify the drive: option, FIXBOOT writes the boot sector to the default boot partition. You can specify a different drive if you need to write a boot sector to a volume other than the default boot partition.
The FIXMBR command lets you repair a master boot record (MBR). The syntax for this command is:
FIXMBR [DeviceName]
If you omit the DeviceName parameter, FIXMBR rewrites the MBR on the boot device. You can specify a device name to write an MBR to a different drive (such as a floppy disk or secondary hard disk). You can use the MAP command to retrieve a list of device names. An example of a valid device name is \Device\HardDisk0.

 

Use DISKPART to manage partitions

DISKPART is a Recovery Console (RC) command you can use to create and remove partitions. It's particularly useful when you're troubleshooting or configuring a system with a bad or new (unformatted) drive.

DISKPART functions in either of two ways: as a command line tool or with a simple user interface. Use DISKPART without any options to open the user interface, which lets you view, create, and remove partitions. The syntax of the command if you want to perform tasks from the console is:

DISKPART [/add | /delete] [DeviceName | DriveName | PartitionName] [size]

The /add parameter adds a partition and the /delete parameter deletes the specified partition. Use the DeviceName parameter to specify a device name for the action. You can use the MAP command to retrieve the list of device names.

The DriveName parameter lets you specify a drive letter from which to remove a partition, and the PartitionName parameter specifies the partition to remove. As when dealing with any partition-modifying tool, make sure you understand what you're doing before pressing that [Enter] key!

 

Avoid reinstalling apps after a clean W2K install

You might think that performing a clean install of Windows 2000 on an existing system means you'll have to reinstall all of your applications. While it's true you'll probably have to reinstall a few, it's a good bet you can get by without a reinstall for at least some programs.

Before you install Windows 2000, export a copy of the application sections of your existing registry. In some cases you can simply import the registry settings after Windows 2000 installation, which effectively reinstalls the applications.

Other applications don't require registry settings and therefore seldom require reinstallation. Just recreate a shortcut to the program's executable and you're all set. Other applications are self-healing, recreating their registry settings if the settings or even the entire key is missing.

If all else fails and you do have to reinstall an application, make sure you back up any customized files first. For example, back up your custom templates, AutoCorrect entries, or similar custom settings before reinstalling. You can then restore those custom files and settings afterward if the reinstallation doesn't pick them up automatically.

 

Change the command console colors

By default the command console uses white text on a black background. This boring color combination works fine in just about all situations, but you might want to use different colors either for aesthetic reasons or because you want to highlight the console in some way. For example, if you're writing a complex batch file, you might want to change the console colors when a critical error or other event occurs.

You can change console colors in two ways. First, you can set the colors through the console's Control menu. Open the Control menu, choose Properties, and click the Colors tab. Make the desired changes and click OK. You then have the option of applying the change to the current window only or to the shortcut that started the console (which affects the color of subsequent consoles you open from the same shortcut).

If you need to change console color programmatically within a batch file, use the COLOR command. With COLOR you specify the foreground and background colors for the current console. Issuing COLOR without any color parameters reverts the console to the colors in use when the console first opened. Type COLOR /? for a list of color parameters you can use with the command.

 

Use NSLOOKUP to check DNS operation

NSLOOKUP is a useful but sometimes little known tool for checking DNS operation and performing manual DNS queries. NSLOOKUP is particularly useful because it lets you specify the DNS server to use, which means you can query against servers other than those specified in the computer's DNS settings.
NSLOOKUP is a command console tool with its own interface. Open a console prompt and type NSLOOKUP to enter the NSLOOKUP program. Once in the program you can type HELP or ? to display a list of commands.
Here's an example of when you might use NSLOOKUP. Assume that you're having name resolution problems for your domain, and your ISP is providing DNS services for you. You use NSLOOKUP to connect to the name server that serves your zone and browse the resource records for the domain to determine where the problem might lie. Use the SERVER command to specify the server you want to use, then use the LS command (with options as needed) to list the records for your zone. Check the NSLOOKUP help information for the specifics of these parameters.

 

Use hardware profiles for multiple system configurations

Windows 2000 is pretty good about making hardware work together, but it still hasn't overcome the problem of having too much hardware and too few hardware resources. For the want of an IRQ, some crucial piece of hardware might be completely useless to you.
Like Windows 98 before it, Windows 2000 supports hardware profiles that let you maintain different hardware configurations and boot between them as needed. Say you have two devices that need the same resources but you don't need to use both devices at the same time. So, you create two hardware profiles, one for each device, and disable the opposing device in each profile. Then you just boot with the appropriate profile as needed.
Configuring hardware profiles is a two-phase process. First you create the profiles as container objects, then use the Device Manager to specify which devices are enabled/disabled for each profile. Right-click on My Computer, choose Properties, click on Hardware, and click on Hardware Profiles to open the Hardware Profiles dialog box, where you can create profiles and specify how Windows 2000 decides which one to use at startup. Configure the system to let you select a profile, restart, and select the desired hardware profile. Then, open the Device Manager, open the properties for a conflicting device, and use the Device Usage drop-down list on the device's Properties sheet to disable or enable the device for the current profile. You also can disable the device for all profiles.

 

Remove hidden Windows 2000 components

By now you're probably familiar with the Add/Remove Programs object in the Control Panel that lets you add or remove Windows 2000 components. After you open the Add/Remove Programs object, click the Add/Remove Windows Components button to start the Windows Components Wizard, which lets you choose which components to install or remove.

The list looks comprehensive, doesn't it? Well, it's not. There are several "hidden" components that don't show up on the list. Microsoft's primary reasoning for hiding certain components was to provide a common baseline of installed applications to help testing and troubleshooting. Uh huh...that's why Games, for example, isn't on the list, and you therefore can't readily uninstall them. Microsoft must want you to be able to play Pinball while waiting for a support engineer.

It's an easy tweak to unhide those hidden components. Although unhiding them doesn't necessarily enable you to remove them, it does make removal possible for many components. Here's how to make the change:

First, open the file Sysoc.inf from the %systemroot%\inf folder. Look for the word "HIDE" enclosed between two commas. This parameter hides the entry from the wizard. Remove HIDE but leave the two enclosing commas for any components that you want to show up in the wizard for removal/addition. Save the file, start the wizard, and voila! The component will now show up.

 

Cloning your hard drive, part 1

Whether you've run low on disk space or just want one of those cheap, huge hard drives available today, getting your system cloned from the old drive to the new one doesn't have to be a major chore.

If you have access to a tape drive or other drive (either local or network) that will contain a backup copy of the entire drive, you can use the Backup utility in combination with a clean Windows 2000 installation to copy your system to the new drive. Here's how:

1. Log on as Administrator, open Backup, and back up the entire drive including the system state data. Back up all volumes on the disk, including those residing in separate partitions.

2. Shut down the system, remove the old drive, and install the new one.

3. Restart the system and perform a clean installation of Windows 2000. Structure partitions on the new drive as needed. Format the volume using the desired file system (FAT or NTFS).

4. Boot the system, log on as Administrator, and open the Backup program. Restore the entire backup set including the system state data. You'll have to use the Restore Wizard and choose Import File to bring the backup set back in, since it was created with a different installation of Windows 2000.

5. Restart, log on as Administrator, and check out the system to make sure everything was restored properly.

 

Cloning your hard drive, part 2

Yesterday we explained how to replace your system's hard disk through the Backup utility and a clean Windows 2000 installation. If you prefer not to go through a reinstall, you can try the following procedure to do a direct copy:

1. Configure the new drive as a slave (if IDE) or with a SCSI ID other than 0 (if SCSI) and install it in the system.

2. Boot the system and configure the BIOS for the new drive if necessary, and then log on as Administrator.

3. Open the Disk Management console, create the desired partition structure for the disk, and format the volume(s).

4. For good measure, open the Backup utility and update the ERD, including backing up the registry files.

5. Open a console prompt and execute the following command, assuming drive C is the old drive and drive D is the new one:

   XCOPY C: D: /H /I /C /K /E /R

6. Repeat step 5 for any other volumes you need to copy from the old drive to the new one.

7. If the Recovery Console isn't installed, execute i386\WINNT32 /CMDCONS from the Windows 2000 CD to install it.

8. Open the Local Security Policy console, open the Local Policies/Security Options branch, and enable the policy Recovery Console: Allow Floppy Copy And Access To All Drives And All Folders.

9. Restart the system and boot the Recovery Console, log on, and execute the following command:

   SET AllowAllPaths = TRUE

10. Change to the %systemroot%\System32\Config folder on the old drive and copy all files there to the same folder on the new drive.

11. Shut down the system and reconfigure the new drive as master (IDE) or ID 0 (SCSI). Reconfigure or remove the old drive so it's no longer a boot drive.

12. Restart the system, log on, and make sure everything checks out.

 

View IRQ and other resource allocations

At some point you've probably played with the Device Manager to enable or disable devices or view/change their settings. What you might not have realized is that the Device Manager offers four different views.

The default view shows devices by type, with each type under its own branch (Disk Drives, Display Adapters, Mice, Modems, etc.). While you can view resource device usage in this view, you have to do it one device at a time. That's a real pain if you're trying to find an available IRQ, base address, or DMA channel for a new, non-plug-and-play device you need to install.

Rather than hunt and peck through the Device Manager's default view, click View | Resources By Type for a more convenient view. This view organizes IRQ, DMA, I/O base address, and memory addresses under their own branches. You can then tell at a glance what IRQ channels (or other resource type) are available simply by opening that branch.

 

Use offline folders for file synchronization, part 1

Sometimes you need to work with files when they might not otherwise be available. For example, you might copy files from a network server to your notebook so you can work with them when you're on the road. When you get back, you synchronize your copies with the server so your changes are reflected in the server copy. Or, perhaps the server will be offline for several hours, but you want to continue working on files stored on it. Windows 2000 provides a feature called Offline Folders that serves these functions.

When you make a folder available offline, Windows 2000 copies the entire contents of the folder to a hidden cache on your system, retaining on your local system the permissions in place on the server. As far as the user interface is concerned, the files still appear to be located on the remote share, but you're actually manipulating the locally cached copy rather than the remote copy. When the remote folder becomes available again, you can synchronize your changes with the copy stored on the remote share.

Any system that supports Server Message Block (SMB) file sharing can support offline caching. This includes Windows 9x and Windows NT systems. At this point only Windows 2000 systems can disable caching of a shared folder—for all others a shared folder can be cached offline as soon as the folder is shared.

 

Use offline folders for file synchronization, part 2

Last time we discussed offline files, a feature that lets you work with remote files even when they would otherwise be unavailable. To turn on offline files for your system, making them available to other users when your system is offline, open any folder and choose Tools | Folder Options. Click the Offline Files tab and select the option Enable Offline Files.

Next, configure the client settings that control how your computer uses offline files from other systems. From the same Offline Files page you can set a quota that determines how much space on your local system is used to cache offline files. Configure any other settings as desired, including how you want Windows 2000 to handle synchronization. Click Advanced if you want to specify what action Windows 2000 takes when a given computer goes offline. When you're satisfied with the settings, click OK on the Offline Files page to close the Properties sheet.

When you want to work with a set of files offline, browse to the folder containing the files, right-click the folder, and choose Make Available Offline. Windows 2000 prompts you to specify how to handle subfolders. Click Yes to cache subfolders or No to cache only the selected folder.

 

Change the location of the offline file cache

In our last two tips you learned about offline files and how to use the feature to continue working with remote files even when the remote computer sharing them goes offline. Windows 2000 copies the files you designate for offline access to a hidden cache on your system. By default, the offline file cache is stored in the folder %systemroot%\CSC. CSC stands for "Client Side Cache."

If you have plenty of disk space on the volume that contains the cache folder, there's no reason to relocate it. However, you might need to relocate the cache folder to a different volume if you're running low on space on the system volume. Or, perhaps you work with offline files quite a bit and want to place them on a volume that offers better performance than the system volume.

Whatever your reason for moving the offline cache, to do so you'll need the CACHEMOV.EXE program included with the Windows 2000 Resource Kit. You can obtain the Resource Kit directly from Microsoft or purchase it through nearly any retail store or distributor that sells software or computer books.

 

Bypass Startup items at logon

Windows 2000 provides a handful of ways to automatically start applications at logon. In most cases, automatic execution is a good thing. It enables your antivirus, fax, and other background programs to start automatically as soon as you log on. In some situations, though, automatic startup can be a problem.

For example, you might have a program that's misbehaving and causing the system to hang. Or, perhaps you have a lot of Startup programs that collectively take a long time to start, and you just want to log on quickly, perform a quick task, and log off. In these situations, you'll want to know how to prevent the Startup items from executing.

The easiest way to bypass the Startup folder itself is to hold down the [Shift] key while the system is logging you on. Enter your username and password in the Logon dialog box, hold down [Shift], and press [Enter]. Continue to hold [Shift] until you're logged on.

For a more permanent approach, you can move the contents of the Startup folder elsewhere, preventing Windows 2000 from starting those programs. There are two folders: \Documents and Settings\user\Start Menu\Programs\Startup and \Documents and Settings\All Users\Start Menu\Programs\Startup. Check the contents of both and move them to a backup location. You can later move them back if you want the items to autostart again. On systems upgraded from Windows NT to Windows 2000, check in the %systemroot%\Profiles folder for the Startup folders.

 

Change the location of the Startup folder

In Windows NT the Start menu includes two Startup folders, one for the current user and one for all users. In Windows 2000 you see only one Startup folder on the Programs menu, although its contents still come from two different locations.

The Startup folder for the current user is located by default in %USERPROFILE%\Start Menu\Programs\Startup, where %USERPROFILE% represents the user's home directory as defined by the user's profile (typically \Documents and Settings\user). The common Startup folder is located by default in %ALLUSERSPROFILE%\Start Menu\Programs\Startup, where %ALLUSERSPROFILE% represents the common user folder (typically \Documents and Settings\All Users). On systems upgraded from Windows NT to Windows 2000, the folders are typically located in %systemroot%\Profiles.

In some cases you might want to change the location of the Startup folders. For example, you might want to change the common Startup folder to point to a network folder so all users across the LAN have the same common set of startup items. You might want to change the location of the personal Startup folder for storage or administrative reasons.

You accomplish the change through a registry modification. The location of the current user's Startup folder is defined by the registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup. The common Startup folder is defined by HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup.
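As an added example (not part of the original tips), here is a small Python audit that covers the Startup folder locations discussed in this tip and the previous one: it reads the two User Shell Folders values from constructed reg query output, expands the profile variables the tip describes, and reports any Startup folder that no longer points at its default location, which is how a redirected Startup folder would be spotted. The sample output, the environment values and the helper names are assumptions.

```python
import re

# Constructed sample modelled on "reg query" output for the two keys the tip names
# (hypothetical data, not captured from a real machine). The per-user value is at its
# default; the common value has been redirected to a network share.
SAMPLE_QUERY = """
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders
    Startup    REG_EXPAND_SZ    %USERPROFILE%\\Start Menu\\Programs\\Startup

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders
    Common Startup    REG_EXPAND_SZ    \\\\fileserver\\netlogon\\Startup
"""

# Default locations given in the tip, keyed by (hive, value name).
DEFAULTS = {
    ("HKEY_CURRENT_USER", "Startup"): r"%USERPROFILE%\Start Menu\Programs\Startup",
    ("HKEY_LOCAL_MACHINE", "Common Startup"): r"%ALLUSERSPROFILE%\Start Menu\Programs\Startup",
}

def parse_reg_query(text):
    """Map (hive, value name) -> raw REG_EXPAND_SZ data from reg query output."""
    values, hive = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):          # key header line names the hive
            hive = line.split("\\", 1)[0]
            continue
        parts = re.split(r"\s{2,}|\t", line.strip())   # columns are tab/space separated
        if hive and len(parts) == 3 and parts[1] == "REG_EXPAND_SZ":
            values[(hive, parts[0])] = parts[2]
    return values

def expand(path, env):
    """Expand %VAR% references with the supplied (constructed) environment."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)

def audit_startup_folders(text, env):
    """Return (value name, actual path, default path) for each Startup value that
    is missing or does not match the default the tip describes."""
    values, findings = parse_reg_query(text), []
    for (hive, name), default in DEFAULTS.items():
        actual = values.get((hive, name))
        if actual is None or actual.lower() != default.lower():
            findings.append((name, expand(actual or "<missing>", env), expand(default, env)))
    return findings

if __name__ == "__main__":
    env = {"USERPROFILE": r"C:\Documents and Settings\alice",
           "ALLUSERSPROFILE": r"C:\Documents and Settings\All Users"}
    for name, actual, default in audit_startup_folders(SAMPLE_QUERY, env):
        print(f"{name}: {actual} (expected {default})")
```

On a real machine you would feed the script the output of reg query for the two keys; a Startup value pointing at a share or an unexpected local folder is worth investigating before trusting what runs at logon.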

 

Configure a print queue to retain printed documents

By default, Windows 2000 discards documents from a printer's queue once the document has been printed. This keeps the queue from filling up with old documents. In most cases, this configuration works just fine. However, it also means that if a problem occurs with a print job that allows it to complete but not satisfactorily (for example, if the printer runs out of toner), you have to open the application and resubmit the job. This might not be a problem for most applications or documents, but for particularly large documents and some applications, reprinting the job from the application could take several extra minutes.

As a solution, you can configure a printer's queue to retain printed documents in the queue. This enables you to resubmit a document from the queue rather than from the application. If you often print large documents, this could be a real timesaver.

To configure a printer's queue to retain documents, first open the Printers folder. Open the Properties sheet for the printer and click the Advanced tab. Select the option Keep Printed Documents, then click OK. You'll now need to manually remove documents from the queue after they're successfully printed.

 

Use encryption for NTFS volumes

Object permissions in NTFS provide good security, but they don't protect against a file system being physically removed or an entire system stolen. Remember the handful of notebooks containing classified data that disappeared in both the U.S. and the U.K. recently? Hopefully those file systems were well encrypted (although given enough time and resources almost any encryption mechanism can be compromised). If your system contains sensitive data, you can go a long way toward protecting it against prying eyes and theft by encrypting it.

Windows 2000 includes an Encrypting File System (EFS) driver that renders folders and files on NTFS volumes unreadable without the appropriate decryption key. You can encrypt at the folder or individual file level, but encrypting at the folder level is best, since applications could place temporary files in a folder. Those files will be unencrypted unless you encrypt at the folder level.

Windows 2000 automatically creates the necessary keys when you encrypt a file, so there is very little you need to do to use encryption. Here's how to go about it:

Right-click the folder or file you want to encrypt and choose Properties.

Click Advanced in the Attributes section of the General tab to display the Advanced Attributes dialog box.

Select the option Encrypt Contents To Secure Data.

Click OK and close the Properties sheet.

Keep in mind that compression and encryption are mutually exclusive. You can use one or the other on a folder or file, but not both.

 

 

If you want to contact me or send more tips, please send them to ymoalem@zonnet.nl or use the mail form.
