
Technical Guidelines
for School LAN Implementation
under the Information Technology in Education project

Part I
LAN Design Guidelines

June 1999
Technical Guidelines for School LAN Implementation
under the IT in Education project
Part I: LAN Design Guidelines                                                                                                   Table of Contents




                                                         Table of Contents

1.      INTRODUCTION TO SCHOOL LAN DESIGN .........................................................................1-1

2.      NETWORK INFRASTRUCTURE ...............................................................................................2-1
     2.1.            BASIC BUILDING BLOCKS OF A WINDOWS NT NETWORK ...................................................2-2
        2.1.1.              Domain ................................................................................................................2-2
        2.1.2.              Servers .................................................................................................................2-4
        2.1.3.              Workstations ........................................................................................................2-9
     2.2.            NETWORK COMMUNICATIONS...........................................................................................2-13
        2.2.1.              Communication Protocols – Rules of Communications ....................................2-13
        2.2.2.              Network Addressing ..........................................................................................2-14
        2.2.3.              Naming Conventions .........................................................................................2-17
3.      USER ADMINISTRATION ...........................................................................................................3-1
     3.1.            USER ACCOUNT POLICY .....................................................................................................3-2
        3.1.1.              Global and Local User Accounts ........................................................................3-2
        3.1.2.              Personal and Shared User Accounts ...................................................................3-5
        3.1.3.              User Account Naming Convention ......................................................................3-7
     3.2.            DESKTOP SETTINGS FOR DIFFERENT GROUPS OF USERS .....................................................3-9
        3.2.1.              Start Menu and Desktop Icons ............................................................................3-9
        3.2.2.              User Profile .......................................................................................................3-10
     3.3.            HOME DIRECTORY SCHEME .............................................................................................3-14
     3.4.            GROUPING STRATEGY FOR USER ACCOUNTS....................................................................3-16
4.      RESOURCES SHARING .............................................................................................................4-1
     4.1.            FILE AND DIRECTORY SHARING ..........................................................................................4-2
        4.1.1.               File System ..........................................................................................................4-2
        4.1.2.               Sharing Data .......................................................................................................4-3
        4.1.3.               Disk Quota System ..............................................................................................4-6
     4.2.            PRINT SHARING ..................................................................................................................4-7
5.      SECURITY .....................................................................................................................................5-1
     5.1.            PHYSICAL AND HARDWARE SECURITY ...............................................................................5-2
     5.2.            WINDOWS NT SECURITY ....................................................................................................5-3
        5.2.1.              Account and Password Policy .............................................................................5-3
        5.2.2.              Control on System and File Accesses ..................................................................5-4
        5.2.3.              Audit Policy and Security Log .............................................................................5-5
     5.3.            DATA SECURITY .................................................................................................................5-7
        5.3.1.              Virus Protection ..................................................................................................5-7
        5.3.2.              Fault-tolerant Disk Systems ................................................................................5-8
        5.3.3.              Uninterruptible Power Supply (UPS) ..................................................................5-8
     5.4.            SYSTEM BACKUP AND RECOVERY ....................................................................................5-10
6.      EXTENDIBILITY ...........................................................................................................................6-1
     6.1.            REMOTE ACCESS SERVICE (RAS) ......................................................................................6-2
        6.1.1.              Concurrent Connections......................................................................................6-2
        6.1.2.              Accessible Resources ...........................................................................................6-3
        6.1.3.              Security Measures ...............................................................................................6-4
     6.2.            INTERNET ACCESS ..............................................................................................................6-6
        6.2.1.              Valid IP Address Range ......................................................................................6-6
        6.2.2.              User Accessibility to Internet Resources .............................................................6-6
        6.2.3.              Performance Enhancement .................................................................................6-7
     6.3.            INTEGRATION WITH EXISTING SYSTEMS .............................................................................6-8
        6.3.1.              Standalone Machines ..........................................................................................6-8
        6.3.2.              Networked Machines ...........................................................................................6-9



November, 11                                                                                                                                            i


7.     APPENDIX A – MORE INFORMATION FOR LAN DESIGN .................................................7-1
     7.1.      WINDOWS NT DOMAIN ......................................................................................................7-1
     7.2.      WINDOWS NT SERVER .......................................................................................................7-1
     7.3.      IP ADDRESS SCHEME .........................................................................................................7-2
     7.4.      COMPUTER AND DEVICE NAMES ........................................................................................7-3
     7.5.      USER ADMINISTRATION ......................................................................................................7-4
     7.6.      FILE AND DIRECTORY SHARING ..........................................................................................7-7
     7.7.      PRINT SHARING ................................................................................................................7-10
     7.8.      PHYSICAL SECURITY.........................................................................................................7-10
     7.9.      USER ACCOUNT SECURITY ...............................................................................................7-11
     7.10.        FAULT TOLERANCE FOR SERVER HARD DISK ..............................................................7-12
     7.11.     UNINTERRUPTIBLE POWER SUPPLY (UPS) .......................................................................7-12
     7.12.        DATA BACKUP .............................................................................................................7-13
     7.13.        REMOTE ACCESS SERVICE (RAS) ................................................................................7-14
     7.14.        PROXY SERVER ...........................................................................................................7-15
     7.15.        INTEGRATION WITH EXISTING NETWORK .....................................................................7-15
8.     APPENDIX B – CHECKLIST FOR BASIC PARAMETERS OF LAN DESIGN ...................8-1








1.         INTRODUCTION TO SCHOOL LAN DESIGN

           Purpose

           It may be a completely new task for most schools to participate in the project of
           building up a school LAN. Though the Contractors will assist schools in the
           network planning and perform all the installation and configuration work,
           schools may also need to work out their own requirements and monitor the
           Contractor's work against these requirements.

           The design stage is most important to a network implementation as the details
           of most core components are decided in this stage. This document aims to assist
           schools in formulating their general requirements for deploying a basic
           Windows NT network to their school LANs.

           It should be noted that the design options recommended in this document are
           for schools' reference only. Schools may have their own requirements and the
           Contractors serve to provide sufficient skills and the most up-to-date technical
           information for addressing schools' requirements. It should also be noted that
           this document does not aim at transferring any technical skills to the
           Contractors for their implementation works since they are already equipped
           with all the required skills.

           The guidelines are categorized into five key aspects:-

                           Network Infrastructure
                           User Administration
                           Resources Sharing
                           Security
                           Extendibility


           Scope: NURSE – The Five Key Aspects for School LAN

           The five key aspects for deploying a basic Windows NT network – “NURSE”
           are described below.

           1) Network Infrastructure
              To formulate the requirements for the infrastructure of a Windows NT
              network, a systematic way would be to start from its major building
              blocks – that is domain, server, workstation and their relationships.
              Schools may also work out their requirements on the components that are
              necessary for the network communications between machines – that is
              communication protocol, network addressing and naming conventions of
              the machines.






           2) User Administration
              After formulating the requirements for the network infrastructure, another
              major aspect in the school LAN design would be the administration of the
              large number of users in school. Each user would need a valid user account
              to log on the school LAN. For easier administration, schools will be guided
              to work out their requirements on the user account management scheme
              and the corresponding grouping strategy in this part.

           3) Resources Sharing
              One of the virtues of networking is resource sharing. This involves the
              sharing of resources like data (e.g. files and directories), hardware devices
              (e.g. printers) and application software. Besides deciding on which
              resources are to be shared, schools may also need to work out the
              requirements on which user groups are authorized to use which shared
              resources.

           4) Security
              Security is always a key issue in the design of most computer networks. It
              covers areas like protecting the network from unauthorized access,
              protecting the network from deliberate and accidental damage, avoiding
              data loss, preventing virus infection and so on. However, it should be noted
              that increasing the security of a network may reduce the flexibility of user
              operations and increase the administration work. Schools are advised to
              take these factors into consideration and work out their own requirements
              on the school LAN security.

           5) Extendibility
              The school LAN may have connections to other network or computers
              inside and outside the school. Typical examples will be teachers and
              students accessing the Internet from the school LAN and teachers
              accessing the school LAN from their computers at home through telephone
              lines. Guidelines will be given on these aspects in assisting schools to
              formulate their requirements on the extendibility of the school LAN.

           As mentioned before, this document is written with the assumption that
           Windows NT network is to be deployed for the school LAN. For deploying
           other network operating systems for the school LAN, schools should consult
           their Contractors for the details.

           It is also assumed that schools already have the relevant hardware and software
           ready. Schools should ensure the shopping list includes the relevant hardware
           and software items.






           A Simple Reading Guide

           There are eight chapters in this part: chapter 1 is the introduction, chapters 2
           to 6 cover each of the five key aspects described above and the last two
           chapters are appendices. Appendix A contains additional information for the
           design of a school LAN and Appendix B shows a checklist of the basic LAN
           design parameters.

           Each topic is basically divided into the following sections:-

                            General Descriptions
                            Guidelines
                            Examples

           School representatives may want to have an overview of a school LAN design
           and they may read the first chapter and the sections: General Descriptions and
           Guidelines of each topic in chapter 2 to 6.

           School LAN administrators and ED officers who support the schools may need
           to know the technical details in designing a school LAN and they should read
           all the chapters.

           The Contractors should read all the chapters in order to have a more thorough
           understanding of the standards and conventions recommended for the school
           LANs.








2.         NETWORK INFRASTRUCTURE
           To work out the requirements for the network infrastructure of the Windows
           NT network for the school LAN, it is easier to start from its basic building
           blocks. The communication within the network is also part of the planning for
           the network infrastructure. Based on this, this chapter covers the following
           topics:-

                           Basic Building Blocks of a Windows NT Network
                           Network Communications







2.1.       BASIC BUILDING BLOCKS OF A WINDOWS NT NETWORK
           The basic building blocks of a Windows NT network consist of the
           following:-

                            domain
                            servers
                            workstations

           The details of these elements, their relationships and the activities among them
           are discussed below.



2.1.1. Domain
           In a Windows NT network, a domain is a logical grouping of servers and
           workstations that share common security and user account information. All
           servers and workstations in a domain are under the same centralized
           administration. The following figure shows a graphical overview of a single
           domain network.




           There should be at least one server in a domain for controlling the domain
           activities and one domain can accommodate up to approximately 26,000 users
           with individual workstations. So in general, a single domain would provide
           sufficient capacity for a school LAN.

           As the number of domains increases, additional administration effort is needed
           for handling the activities (e.g. trust relationships) between domains, so it
           would be better to keep the number of domains as small as possible. The
           following figure shows a graphical overview of a network with two domains.








           In view of the upgrade from Windows NT 4.0 to Windows 2000, the migration
           effort would also be minimized with fewer domains.

           Windows NT networks may already be built (or are to be built) in schools for
           other projects. If such a network is also deployed for teaching and learning,
           for example the network for the Multimedia Learning Centre (MMLC), schools
           may consider integrating it with the school LAN into one domain for easier
           administration. In this case, schools are advised to consult the Contractors for
           the details of the integration. Some details of network integration are
           discussed in Chapter 6 – Extendibility.


           Guidelines

                Deploy one Windows NT domain for the school LAN.

                Consult the Contractors for other implementations if schools need more
                 than one domain.


           Examples

           Scenario 1
           School A is going to purchase 1 server and 40 workstations. Since there is only
           1 server, school A can only deploy one Windows NT domain for the school
           LAN.

           Scenario 2
           School B is going to purchase 2 servers and 70 workstations. To keep the effort
           for network administration and future upgrade to Windows 2000 as minimized
           as possible, school B has deployed one Windows NT domain for the school
           LAN.







2.1.2. Servers
           In deploying a Windows NT Server in the school LAN, the following basic
           aspects should be catered for:-

                           server role
                           preferred server configuration
                           licensing issue



2.1.2.1. Server Role
           A Windows NT Server may play one of the following 3 roles in a network and
           this should be determined at the design stage:-

                            Primary Domain Controller (PDC)
                            Backup Domain Controller (BDC)
                            Member Server

           PDC
           Within a domain, the domain controllers manage all the user and network
           activities. There must be one and only one PDC in each domain. The PDC
           holds the master copy of the domain's user account database; all changes to
           accounts, groups and passwords are made on the PDC and then replicated to
           the BDCs. If neither the PDC nor any BDC is available, users cannot log on
           to the domain.

           BDC
           A BDC keeps a read-only copy of the domain's user account database and can
           validate user logons alongside the PDC. There may be more than one BDC in
           a domain. If the PDC is down, users can still log on as long as a BDC is
           running, but account changes (e.g. password changes) are not possible until
           the PDC is back or one of the BDCs is promoted to PDC.

           Member Server
           A member server is a Windows NT Server that is not assigned as a PDC or
           BDC. Usually, a member server acts as an application server to provide specific
           functions to the network, e.g. proxy server.

           Guidelines

                Deploy the Windows NT Server as the Primary Domain Controller (PDC)
                 of a domain if there is only one server in the domain.

                Deploy the other Windows NT Server as a Backup Domain Controller
                 (BDC) of a domain for server fault tolerance if there are two servers in the
                 domain.

                Consult the Contractors for the server role settings if there are more than
                 two servers in a domain.







           Examples

           Scenario 1
           School A is going to purchase 1 server and 40 workstations and deploy one
           Windows NT domain. Since there must be a PDC in a domain, the server has to
           be the PDC.

           Scenario 2
           School B is going to purchase 2 servers and 70 workstations and deploy only
           one Windows NT domain for the school LAN. For server fault tolerance, school
           B deploys one server as the PDC and another as a BDC.

           Scenario 3
           School C is going to purchase 4 servers and 50 workstations and deploy only
           one Windows NT domain for the school LAN. School C deploys one server as
           the PDC, another two as BDCs for fault tolerance and the fourth one as a
           Member Server for specific applications.




2.1.2.2. Preferred Server Configuration
           The servers on the school LAN may serve different purposes like:-

                 -    for storing users' personal data and public data sharing
                 -    for printer sharing
                 -    for backing up data stored in other servers and workstations
                 -    acting as a proxy server for Internet access, etc.

           The configurations of servers serving different purposes may differ. It is
           important to plan the preferred configuration of each server in the design
           stage. Some aspects related to the configurations are discussed in later
           chapters and the preferred configurations may be updated accordingly as the
           readers work through this part.

           It is recommended to use English Windows NT Server as the server operating
           system because the patches for the English version are, in general, more up
           to date than those for the Chinese version. It should be noted that users still
           get a Chinese desktop environment if they work on a Chinese Windows NT
           Workstation to access the English Windows NT Server. Only the LAN
           administrator, responsible for the network administration, needs to work
           locally on the English desktop environment of the server. In fact, some of the
           administration tasks may also be done remotely from a workstation with a
           Chinese desktop.






           As a specific recommendation, the server hard disk should be divided into at
           least 2 partitions, one for system and applications and another for data, to
           facilitate the server management and data backup.


           Guidelines

                Consult the Contractors for the preferred configuration of each server; at
                 least the following aspects should be catered for:-
                  -    peripheral devices connected
                  -    security settings
                  -    network configurations
                  -    application installation and configurations

                Deploy English Windows NT Server for server machines.

                Divide the server hard disk into at least two partitions, one for system and
                 applications and one for data, to facilitate the server management and data
                 backup.



           Examples

           Scenario
           School A is going to purchase only 1 server and the tasks assigned to this
           server are listed below:-
                 (a) storing personal data of 1000 users, each has 10 MB hard disk space
                 (b) providing a 200 MB public area for data exchange among users
                 (c) performing tape backup of the data on the school LAN
                 (d) handling the print jobs of 2 shared printers
                 (e) providing two remote connections to the teachers for connecting to
                      the school LAN from their own computers at home
                 (f) acting as a proxy server to enhance the performance of Internet access
                 (g) for security, users other than those in the Administrators group are
                      not allowed to log on locally at the server console.

           The Contractor, in response to above requirements, proposed the following
           server configurations:-
                - for (a) and (b), install a disk quota manager software and configure it
                    to provide appropriate disk space and permission to each user; the
                    server hard disk is divided into two partitions: one for system and
                    applications and one for data to facilitate the data backup.
                - for (c), install a tape cartridge and configure the tape backup software.
                - for (d), share the two printers for network uses on the server and assign
                    appropriate permissions to the users.






                 -       for (e), install two modems (one for each connection), enable the
                         Remote Access Services (RAS) on the server and set appropriate
                         configurations for the services accordingly.
                 -       for (f), install a proxy server software on the server and set appropriate
                         configurations accordingly.
                 -       for (g), the Windows NT User Rights Policy has been configured so
                         that only the Administrators group holds the "Log on locally" right
                         on the server; the other groups that hold this right by default are
                         removed from it.

           Besides the above, the Contractor also proposed the following configurations,
           of which school A may not have been aware:-
               - enable the time service to synchronize the clocks of all machines on
                   the school LAN (consistent timestamps are also needed to correlate
                   the security logs of different machines)
               - enable the DHCP service for assigning IP addresses to the workstations
                   dynamically
               - enable the WINS service for resolving computer names to IP addresses
                   in order to reduce network broadcasts
               - install a network management software to assist the school LAN
                   administrator in managing the network devices
               - install a desktop management software to assist the school LAN
                   administrator in software distribution, hardware and software
                   inventory and remote management of the workstations




2.1.2.3. Licensing Issue
           On installing Windows NT Servers, a server license is needed. For each
           workstation accessing the server for basic network services, it also needs to
           have a Client Access License (CAL).

           A CAL is required whether the workstation is installed with Windows NT
           Workstation, Windows 95, Windows 98, or other client software supplied by
           Microsoft or by a third-party vendor. There are two Licensing Modes for the
           CAL:-

                           Per Server Licensing
                           Per Seat Licensing

           Per Server Licensing
           With Per Server Licensing, each CAL is assigned to a particular server and
           allows one connection to that server for basic network services. There must be
           at least as many CALs assigned to a server as the maximum number of
           workstations that will connect to that server at the same time.

           Per Seat Licensing
           With Per Seat Licensing, each CAL applies to a specific workstation and an
           unlimited number of workstations can have access to a server at the same time,
           provided each is licensed with the appropriate CAL. After a workstation is
           licensed for Windows NT Server, it has permission to access all Windows NT
           Servers installed on the school LAN.

           There is a one-time conversion opportunity from the Per Server Licensing to
           Per Seat Licensing at no cost. However, it is not possible to convert from Per
           Seat Licensing to Per Server Licensing.


           Guidelines

                - Choose Per Server Licensing if there is only one server in the school LAN,
                  and ensure that there is a sufficient number of Client Access Licenses
                  (CALs) for the workstations to access the server for basic network services.

                - If there is more than one server in the school LAN, consult the Contractor
                  for the appropriate licensing mode and the number of CALs required to
                  cater for the current need and also future expansion.



           Examples

           Scenario 1
           School A has one server and 40 workstations. The server is configured with Per
           Seat Licensing and 40 Client Access Licenses have been purchased. Later on,
           school A installs a second server and it is also configured with Per Seat
           Licensing. The 40 workstations can access both servers without purchasing
           additional CALs.

           Scenario 2
           School B has one server and 40 workstations. 40 CALs have been purchased
           and the server is configured with the Per Server Licensing. When school B
           installs a second server, the following shows two choices:-
              - purchase 40 additional CALs with the Per Server Licensing Mode for the
                  second server; or
              - convert the first server to Per Seat Licensing and configure the second
                  server to Per Seat also. In this way, the 40 CALs are assigned to the
                  workstations, allowing them to have access to either server.

           Scenario 3
           School C has a server and 30 workstations and the server is configured with Per
           Server Licensing of 30 CALs. Later on, the server is configured to allow 5
           remote connections for teachers' access from home. Since the teachers' home
           computers do not connect to the server at the same time as the 30
           workstations in school, no additional CALs are required.

           If instead the server were originally configured with Per Seat Licensing, then 5
           more CALs would be needed for the teachers' home computers.



2.1.3. Workstations
           The workstations are installed with Windows NT Workstation. As with the
           server, schools may need to decide the preferred configurations of the
           workstations in the design stage. Since a workstation may be dual- or
           multi-booted, the configuration of each platform should also be considered.
           Based on this, the topics covered in this chapter include:-

                   - preferred workstation configuration
                   - multi-platform workstation



2.1.3.1. Preferred Workstation Configuration
           The workstations on the school LAN may serve different purposes, e.g.:-

                 -    producing graphical output in Art lessons
                 -    teaching computer programming in Computer lessons
                 -    searching book records in the library
                 -    accessing the Internet
                 -    preparing teaching materials (for teachers), etc.

           The configurations of workstations serving different purposes may differ.
           For example, a workstation for producing graphical output should have a
           scanner attached; a workstation for teaching computer programming should
           have the corresponding compiler installed; and so on.

           However, too many different workstation configurations will be difficult to
           manage and administer. So it is important to classify the workstations into
           a few categories and then work out the preferred configuration for each
           category. For easier management, each category should be assigned a
           configuration code and each workstation should carry a label showing the
           corresponding configuration code.

           Some aspects related to the configurations are discussed in later chapters,
           so the preferred configurations may be updated accordingly as readers work
           through this part.


           Guidelines

                - Classify the configurations of the workstations into as few categories as
                  possible.

                - Consult the Contractors for the preferred configurations of each category;
                  at least the following aspects should be catered for:-

                      - peripheral devices connected
                      - desktop and hard disk settings
                      - security settings
                      - network configurations
                      - application installation and configurations



           Examples

           A school has categorized the workstations into the following categories and the
           corresponding configuration code is shown in brackets:-
                - notebook computers for teachers (TEA_NC)
                - desktop computers in the computer room and staff room (COM_DC)
                - desktop computers in the library (LIB_DC)

           All the workstations support multimedia applications (that is, each is
           equipped with a sound card, microphone and speakers) and each is installed
           with a network interface card.

           Some aspects of the preferred configurations for each category are shown
           below:-

               TEA_NC
                 Peripheral devices connected:
                   - all have modems and GoGoPens
                   - two have VGA-to-TV converters
                 Desktop settings:
                   - resolution: 640 x 480
                   - no. of colors: 65536
                 Hard disk settings:
                   - 2 hard disk partitions
                   - size: 3 GB each
                   - C: installed with Chinese Win NT
                   - D: empty for storing data or installing English Win NT in the future
                   - system directory: C:\CWINNT40

               COM_DC
                 Peripheral devices connected:
                   - all have modems
                   - all have GoGoPens
                   - three have scanners and TV capture cards
                   - three have inkjet printers
                   - one has a laserjet printer
                 Desktop settings:
                   - resolution: 800 x 600
                   - no. of colors: 1.6m
                 Hard disk settings:
                   - 3 hard disk partitions
                   - C: installed with MS-DOS (500MB)
                   - D: installed with Chinese Win NT (4GB)
                   - E: empty for storing data or installing English Win NT in the future (1.5GB)
                   - system directory for DOS: C:\DOS
                   - system directory for Chinese Win NT: D:\CWINNT40

               LIB_DC
                 Peripheral devices connected:
                   - all have GoGoPens and inkjet printers
                 Desktop settings:
                   - resolution: 1024 x 768
                   - no. of colors: 65536
                 Hard disk settings:
                   - 2 hard disk partitions
                   - size: 3 GB each
                   - C: installed with Chinese Win NT
                   - D: empty for storing data or installing English Win NT in the future
                   - system directory: C:\CWINNT40




2.1.3.2. Multi-Platform Workstation
           The workstations may be dual-booted with both Chinese Windows NT
           Workstation and English Windows NT Workstation or even multi-booted with
           the two Windows NT Workstation systems and DOS.

           Since each platform works independently, schools have to decide on the
           preferred configurations for each platform if the workstation is dual- or
           multi-booted.


           Guidelines

                  - Consult the Contractors for the preferred configurations of each platform if
                    a workstation is dual- or multi-booted.



           Examples

           Scenario
           School A has 30 workstations, all with the same configuration, in its
           computer room. These workstations are multi-booted with MS-DOS, Chinese
           Windows NT Workstation and English Windows NT Workstation. The
           following shows some details of the configurations for this category of
           workstations:-

               -    all have GoGoPen attached
               -    display resolution 800 x 600 and 16 million colors for all platforms
               -    boot menu
                      1. Chinese Windows NT
                      2. English Windows NT
                      3. MS DOS
                      4. For Support Only [ Chinese Windows NT - VGA Mode ]
                      5. For Support Only [ English Windows NT - VGA Mode ]
                      Default (1)
                      Timer 10 Seconds




               -    hard disk settings
                      Drive    System        Size   System      File     Remarks
                      Letter                 (GB)   Directory   System
                      C:       MS-DOS 6.22   0.5    \DOS        FAT      NIL
                      D:       Chinese NT    2.75   \CWINNT40   NTFS     Chinese Windows NT Workstation image
                                                                         stored in the I386 directory
                      E:       English NT    2.75   \WINNT40    NTFS     English Windows NT Workstation image
                                                                         stored in the I386 directory



               -    application and network settings

                      MS-DOS
                        Application installation & configuration:
                          - Chinese Windows 3.1
                          - Turbo Pascal
                        Network settings:
                          - install MS LAN Manager for network connection
                          - use TCP/IP
                        Remarks:
                          - applications installed under default directories

                      Chinese Win. NT
                        Application installation & configuration:
                          - Chinese Office 97 Prof.
                          - Dynafont 98
                          - MS Visual Foxpro 6.0
                          - Chinese anti-virus software
                        Network settings:
                          - use TCP/IP
                          - get IP address from DHCP server
                        Remarks:
                          - applications installed under D:\Program Files
                          - enable Changjei & quick Chinese input methods
                          - install punctuation tool bar for Word 97

                      English Win. NT
                        Application installation & configuration:
                          - English Office 97 Prof.
                          - Turbo Assembler 5.0
                          - MS Visual C++ 6.0
                          - English anti-virus software
                        Network settings:
                          - same settings as Chinese Win NT
                        Remarks:
                          - applications installed under E:\Program Files



2.2.       NETWORK COMMUNICATIONS
           To enable the servers, workstations and other devices to communicate on the
           school LAN, they have to meet the following basic requirements:-

                   - being uniquely identified on the network, and
                   - using the same communication protocol – that is, the same set of
                     communication rules.

           Each machine and device has to be uniquely identified on the network before
           it can communicate with the others, just as you must know your friend's
           address before sending a letter. Generally, there are two types of
           identification in a network:-

                   - by address – usually numbers, to be read by systems
                   - by name – usually meaningful terms, to be read by humans

           For a Windows NT network, the names involved are domain, computer and
           device names. Developing an addressing scheme and a naming convention for
           them facilitates network management.



2.2.1. Communication Protocols – Rules of Communications
           A communication protocol defines the rules for the communication. So when
           two machines use the same protocol, they can understand the messages sent out
           by each other and thus communication is enabled.

           Windows NT supports many popular communication protocols like:-

                   -       TCP/IP
                   -       NWLink IPX/SPX
                   -       NetBEUI
                   -       AppleTalk

           Among them, TCP/IP is the most widely used and is the protocol used for
           Internet access. It is recommended to use TCP/IP as the communication
           protocol for the school LANs.

           Schools may enable more than one protocol on the school LAN. However, the
           more protocols in use on the network, the heavier the network traffic. So a
           communication protocol should be enabled only if it is necessary.

           Guidelines

                - Use TCP/IP as the communication protocol of the school LAN.

                - Enable other communication protocols only if they are necessary.



           Examples

           Scenario 1
           School A uses TCP/IP as the communication protocol for the school LAN.
           However, it is planned that the existing Macintosh machines should be
           connected to the school LAN. Since Macintosh machines use AppleTalk as the
           communication protocol, machines on the school LAN that will communicate
           with the Macintosh machines should have both TCP/IP and AppleTalk enabled.

           Scenario 2
           School B already has a Windows NT network which uses NetBEUI as the
           communication protocol. School B plans to integrate the school LAN with this
           network and to use TCP/IP as the communication protocol for the resulting
           network. The machines in the existing network should be:-
                -      enabled with TCP/IP and configured with the appropriate settings
                       accordingly;
                -      disabled from the NetBEUI protocol.




2.2.2. Network Addressing
           For the TCP/IP protocol, the address involved is the IP address. For the
           addressing of the other protocols, schools may consult the Contractors.

           To help schools build an IP address scheme that caters for communications
           both inside and outside the school LAN, an IP address range is
           recommended to each school under this project. Within this address range,
           schools can develop their own IP address scheme, which covers the IP
           addresses for the different machines and devices and the corresponding
           assignment method. Based on this, the following topics are covered:-

                   - IP Address Range for Schools
                   - Assigning IP Addresses Within School



2.2.2.1. IP Address Range for Schools
           An IP address is composed of 4 decimal numbers separated by periods, e.g.
           10.1.1.1. Each number ranges from 0 to 255. The Education Department
           adopted the IP address range 10.0.0.0 to 10.255.255.255 for the IT in Education
           project. This IP address range is divided into several sub-ranges for different
           usage and the detail is shown in the table below:-

               Usage                                           Address Range
               Reserved for Common Facilities of the ITED      10.0.0.0 – 10.39.255.255
               project, e.g. ITERC
               Reserved for Schools   Primary Schools          10.40.0.0 – 10.99.255.255
                                      Secondary Schools        10.100.0.0 – 10.179.255.255
                                      Special Schools          10.180.0.0 – 10.199.255.255
               Reserved for Future Expansion                   10.200.0.0 – 10.255.255.255


           Schools are assigned addresses from 10.40.0.0 to 10.199.255.255, each school
           with 16 subnets (sub-networks). Each subnet can accommodate up to 254
           network nodes, so each school has an address space of 254 * 16 = 4064
           network nodes. An example of the address range assignment to schools is
           shown in the table below:-

                        School No.                     Subnets

                            1                   10.40.0.z – 10.40.15.z
                            2                   10.40.16.z – 10.40.31.z
                            3                   10.40.32.z – 10.40.47.z
                            4                   10.40.48.z – 10.40.63.z
                            :                              :
                            :                              :


           For the actual IP address range assigned, schools should consult the
           Contractors.


           Guidelines

                 - Use the IP address range recommended by the Education Department.




2.2.2.2. Assigning IP Addresses Within School
           With the IP address range recommended by the Education Department, schools
           may then assign the IP addresses to the machines and devices on their school
           LANs. The IP address scheme may include:-

                    -        the range for each device type;
                    -        the assignment method
                            (static – fixed IP addresses;
                             dynamic – the device may get a different IP address each time)


           After deciding the IP address scheme, schools are advised to keep a record of
           the IP addresses assigned for easier administration and management in the
           future. This record of IP addresses should be disclosed only on a
           need-to-know basis for security reasons.


           Guidelines

                - Consult the Contractors for an IP address scheme for the school LAN.

                - Keep a record of the IP addresses assigned for easier administration.

                - Disclose the record of IP addresses only on a need-to-know basis.



           Examples

           Scenario
           School A has built a network with 150 workstations, 3 servers (1 of them is the
           DHCP server), 15 printers, 5 hubs, 5 switches and a router for accessing the
           Internet. The router port connecting the school LAN serves as the default
           gateway. School A has registered an address range from the Education
           Department which includes 16 subnets from 10.60.0.z – 10.60.15.z.

           Since the address space of one subnet can accommodate all the network nodes
           and there is no special requirement for dividing the network into multiple
           subnets, the Contractor proposes to use the subnet 10.60.0.z initially and
           develops the following IP address scheme for school A:-

                 Device Type          Address Range              Capacity   Assignment Method
                 default gateway      10.60.0.1 – 10.60.0.5      5          Static
                 networking devices   10.60.0.6 – 10.60.0.20     15         Static
                 servers              10.60.0.21 – 10.60.0.30    10         Static
                 printers             10.60.0.31 – 10.60.0.60    30         Static
                 workstations         10.60.0.61 – 10.60.0.254   194        Dynamic


           As the school LAN grows, more address space may be required. In this case,
           the other subnets assigned to school A, that is 10.60.1.z – 10.60.15.z, may be
           used with the same address scheme as shown above.




           The record for the actual address assignment is shown below:-

               Device                            IP Address     Assignment Method
               default gateway (router port      10.60.0.1      static assignment through manual
               connecting the school LAN)                       procedures
               hub1 in computer room             10.60.0.6
               hub2 in computer room             10.60.0.7
               hub in 1/F FLEC                   10.60.0.8
               hub in 3/F FLEC                   10.60.0.9
               hub in server room                10.60.0.10
               backbone switch in server room    10.60.0.11
               switch in 1/F FLEC                10.60.0.12
               switch in 2/F FLEC                10.60.0.13
               switch in 3/F FLEC                10.60.0.14
               switch in computer room           10.60.0.15
               server 1 (DHCP server)            10.60.0.31
               server 2                          10.60.0.32     static assignment through address
               server 3                          10.60.0.33     reservation in DHCP
               15 printers                       10.60.0.41 –   static assignment through address
                                                 10.60.0.55     reservation in DHCP
               150 workstations                  10.60.0.61 –   dynamic assignment through DHCP
                                                 10.60.0.254
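           The tier table, the 16-subnet allocation per school and school A's
           per-subnet scheme can be checked mechanically, as the following Python
           helper shows; it is an added example, not part of the guideline or of any
           Contractor's tooling. The tier boundaries and the scheme are taken from the
           tables above; the function names and the assumption that schools are
           numbered consecutively from the first address of their tier are this
           example's own.

```python
"""School LAN addressing helper (added example, not part of the guideline).

It models the plan in section 2.2.2: the 10.0.0.0/8 range is split into
tiers, each school receives 16 subnets (one /20 == sixteen /24s), and within
a subnet each device type is given a fixed range of host numbers.  The tier
boundaries and school A's scheme come from the guideline's tables; the
school-number-to-block arithmetic is an assumption of this example.
"""
import ipaddress

# Per-tier address blocks from the guideline's table.  10.0.0.0/8 is RFC 1918
# private space, so the router giving Internet access must translate or proxy.
TIERS = {
    "primary": ("10.40.0.0", "10.99.255.255"),
    "secondary": ("10.100.0.0", "10.179.255.255"),
    "special": ("10.180.0.0", "10.199.255.255"),
}
SUBNETS_PER_SCHOOL = 16          # 16 x /24 = one /20 per school
SCHOOL_PREFIX = 20

# School A's per-subnet scheme: (device type, first host, last host, method).
SCHOOL_A_SCHEME = [
    ("default gateway", 1, 5, "static"),
    ("networking devices", 6, 20, "static"),
    ("servers", 21, 30, "static"),
    ("printers", 31, 60, "static"),
    ("workstations", 61, 254, "dynamic"),
]


def school_block(tier, school_no):
    """Return the /20 for the school numbered `school_no` (1-based) in `tier`.

    Assumes schools are numbered consecutively from the tier's first address,
    as the guideline's example table (school 1 = 10.40.0.z - 10.40.15.z) shows.
    """
    first, last = (ipaddress.IPv4Address(a) for a in TIERS[tier])
    if school_no < 1:
        raise ValueError("school numbers start at 1")
    base = int(first) + (school_no - 1) * SUBNETS_PER_SCHOOL * 256
    block = ipaddress.IPv4Network((base, SCHOOL_PREFIX))
    if block.broadcast_address > last:
        raise ValueError(f"school {school_no} lies outside the {tier} range")
    return block


def school_subnets(tier, school_no):
    """The sixteen /24 subnets (10.x.y.z ranges) that make up a school's block."""
    return [str(s) for s in school_block(tier, school_no).subnets(new_prefix=24)]


def check_scheme(scheme):
    """Validate a per-subnet scheme and return the capacity of each range.

    Host numbers must stay within 1..254 (0 and 255 are the network and
    broadcast addresses) and ranges must be ascending and non-overlapping.
    """
    capacity, prev_last = {}, 0
    for name, first, last, _method in scheme:
        if not 1 <= first <= last <= 254:
            raise ValueError(f"{name}: host range {first}-{last} not within 1..254")
        if first <= prev_last:
            raise ValueError(f"{name}: range overlaps the preceding one")
        capacity[name] = last - first + 1
        prev_last = last
    return capacity


def classify(address, subnet, scheme=SCHOOL_A_SCHEME):
    """Return (device type, assignment method) for an address, or None.

    None means the address is outside `subnet` or in no range of the scheme,
    which is what an audit of the address record should flag.
    """
    net = ipaddress.IPv4Network(subnet)
    ip = ipaddress.IPv4Address(address)
    if ip not in net:
        return None
    host = int(ip) - int(net.network_address)
    for name, first, last, method in scheme:
        if first <= host <= last:
            return name, method
    return None


def audit_record(record, subnet, scheme=SCHOOL_A_SCHEME):
    """Check (device, address, expected type) entries against the scheme and
    return those whose address falls outside the range for their type."""
    mismatches = []
    for device, address, expected in record:
        found = classify(address, subnet, scheme)
        if found is None or found[0] != expected:
            mismatches.append((device, address, found[0] if found else None))
    return mismatches


if __name__ == "__main__":
    # Constructed sample drawn from school A's record on the page.
    record = [
        ("default gateway", "10.60.0.1", "default gateway"),
        ("hub1 in computer room", "10.60.0.6", "networking devices"),
        ("server 1 (DHCP server)", "10.60.0.31", "servers"),
        ("workstation", "10.60.0.100", "workstations"),
    ]
    print(school_subnets("primary", 321)[0], school_subnets("primary", 321)[-1])
    print(check_scheme(SCHOOL_A_SCHEME))
    for entry in audit_record(record, "10.60.0.0/24"):
        print("mismatch:", entry)
```

           Run over school A's address record, audit_record() flags the three servers
           at 10.60.0.31–33 as falling inside the printers range of the scheme
           (10.60.0.31–60), which is exactly the kind of drift between scheme and
           record that the check is meant to catch.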




2.2.3. Naming Conventions
           In a Windows NT network, each computer must be assigned a unique
           computer name within its domain. The Windows NT domain must also be
           assigned a unique name. Some of the network devices may also need a
           device name. To facilitate network management, there should be a naming
           convention for both the computer name and the domain name.

           A suggestion for the convention of Windows NT domain name in the form
           SSS# is shown below:-

               SSS#   Meaning                      Values      Remarks
                      Denoting the project this    ITED        Schools may have Windows NT domains
                      domain belongs to                        for other projects like SAMS.
               SSS    SAMS ID                      A01 – Z99   Each school is assigned an ID in the
                                                               SAMS project
               #      Alphabet                     A – Z       The alphabet is assigned sequentially.


           A suggestion for the convention of both computer and device names in the form
           SSS$### is shown below:-

               SSS$###   Meaning                         Values        Remarks
               SSS       SAMS ID                         A01 – Z99     Each school is assigned an ID in the
                                                                       SAMS project
               $         Device Type                     D, N, S, L,   D for Desktop Computer
                                                         P, X, Z       N for Notebook Computer
                                                                       S for Server
                                                                       L for Plotter
                                                                       P for Printer
                                                                       X for Network Device
                                                                       Z for Device Other than the Above
               ###       Serial Number                   001 – 999     This number is assigned sequentially
                         Language Platform for Desktop   C, E          C for Chinese
                         and Notebook Computers                        E for English
                         ($ = D or N or S)
                         Printer Type for Printers       I, L, M       I for InkJet Printer
                         ($ = P)                                       L for LaserJet Printer
                                                                       M for Dot Matrix Printer
                         Device Type for Networking      H, S, R       H for Hub
                         Devices ($ = X)                               S for Switch
                                                                       R for Router
                         Blank for Plotter and Other     Blank
                         Devices ($ = L or Z)


           If schools develop their own convention for the computer and device names, the
           following are some basic features that the naming convention may include:-

                   -   each computer and device is assigned a unique name;
                   -   all the computer and device types are covered;
                   -   if a computer contains multiple platforms, the computer name for each
                       platform is also unique.

           After deciding the naming conventions, schools are advised to keep a record of
           the Windows NT domain name assigned and also the computer and device
           names assigned, for easier management and to avoid duplication.


           Guidelines

                  - Use the suggested naming conventions for Windows NT domain, computer
                    and device.

                  - Consult the Contractors if schools want to use other naming conventions
                    for Windows NT domain, computer and device.



                  - Keep a record of the Windows NT domain names and also the computer
                    and device names assigned for easier administration.



           Examples

           Scenario
           School A deploys only one Windows NT domain for the school LAN and there
           are various devices, in addition to the server and workstation machines, on the
           network. School A adopts the above suggested naming conventions and the
           records for the Windows NT domain name and the computer and device name
           are also shown below. The SAMS ID for school A is U01.

           Windows NT domain name: ITEDU01A

               Device                                      Quantity Device Name
               Server (Windows NT Server (English Version)) 2      U01S001E, U01S002E
               LaserJet Printer                            5       U01P001L – U01P005L
               InkJet Printer                              20      U01P001I – U01P020I
               Dot Matrix Printer                          3       U01P001M – U01P003M
               Hub                                         10      U01X001H – U01X010H
               Switch                                      5       U01X001S – U01X005S
               Router                                      1       U01X001R





3.         USER ADMINISTRATION
           To access the school LAN, users must have a user account. After users log on
           to the school LAN with their user accounts, they can use all the services and
           shared resources authorized for those accounts. As there are many users in a
           school, it is important for schools to decide on their own user account
           management scheme, for easier administration and management in the future.
           The user account management scheme should at least cover the following key
           areas:-

                    -   user account policy
                    -   desktop settings for different groups of users
                    -   home directory scheme
                    -   grouping strategy of user accounts
                    -   users' permissions on shared resources
                    -   security measures for users

           This chapter covers the first four areas; the remaining two are discussed in
           later chapters.





3.1.       USER ACCOUNT POLICY
           This section describes the types of user account available in a Windows NT
           network and how schools can use these user accounts in their school LANs. The
           following are discussed:-

                    -   global and local user accounts
                    -   personal and shared user accounts
                    -   user account naming convention



3.1.1. Global and Local User Accounts
           There are two types of user accounts in a Windows NT network:-

                    -       global user account
                    -       local user account

           Global User Account
           Global user accounts are created on the Windows NT Server that acts as a
           Domain Controller (PDC or BDC) of a Windows NT domain. Users can use
           these global user accounts to log on to the school LAN from any networked
           workstation and get access to the shared resources of the whole network.

           Local User Account
           Local user accounts are created on a Windows NT Workstation or on a Windows
           NT Server that acts as a Member Server. Users can use these local user accounts
           to log on to that workstation or server and get access to the resources of that
           machine only.

           For a Windows NT domain network, global user accounts should be used, so
           that each account has to be created only once, on the PDC. In contrast, if local
           user accounts are used, the same set of accounts has to be created on each
           machine, and any modification to the settings of these accounts has to be done
           machine by machine, imposing a heavy load on network administration. The
           following figure shows a graphical overview of the global user accounts on the
           school LAN.





           For standalone machines, since they have no connection to the PDC, users can
           only use local user accounts to log on to the machines. The following figure
           shows a graphical overview of the local user accounts on standalone machines.




           Guidelines

                -   Create global user accounts for users of the school LAN.

                -   Create local user accounts for users of the standalone machines.





           Examples

           Scenario 1 – networked machines
           School A has 1 server and 40 workstations. All the machines are networked to
           form a Windows NT network with one domain. The server is installed as the
           PDC. Global user accounts are created on the PDC, one per user. No local user
           accounts have to be created on the workstations. The users can then use their
           own user accounts to log on to any of the workstations in the school LAN.


           Scenario 2 – standalone machines
           School B has 2 servers and 80 workstations. The 2 servers and 60 of the
           workstations are networked to form a Windows NT network with one domain;
           one server is installed as the PDC and the other as a BDC. The remaining 20
           workstations are left standalone.

           Global user accounts are created on the PDC or BDC (user account information
           is replicated between PDC and BDC), one per user. No local user accounts are
           created on the 60 networked workstations. The users can then use their own
           user accounts to log on to any of the networked workstations in the school LAN.

           For the 20 standalone workstations, local user accounts have to be created
           machine by machine. To reduce the administration effort, the user accounts
           created on these machines are shared among users, instead of one per user.


           Scenario 3 – notebook computers
           School C has 2 servers, 60 desktop computers and 20 notebook computers. All
           the machines are networked to form a Windows NT network with one domain,
           one server is installed as the PDC and the other as a BDC. However, the
           notebook computers may sometimes be disconnected from the school LAN and
           used in standalone mode.

           Global user accounts are created on the PDC or BDC (user account information
           is replicated between PDC and BDC), one per user. The users can then use their
           own user accounts to log on any of the networked desktop and notebook
           computers in the school LAN.

           If a user has previously logged on to the school LAN from a computer, the
           user can still log on to that computer with the same global user account even
           when the computer is disconnected from the school LAN and operates in
           standalone mode, because Windows NT keeps a local cache of the credentials of
           recent domain logons. Users who will use the notebook computers in standalone
           mode are therefore asked to log on to the school LAN from the notebook
           computers at least once beforehand. With this arrangement, no local user
           accounts have to be created on the notebook computers.





3.1.2. Personal and Shared User Accounts
           To access the school LAN, a user must have a valid user account on the network.
           Schools may consider creating a user account for each user (personal user
           account), a user account shared by a group of users (shared user account), or
           a mix of the two, e.g. personal user accounts for teachers and shared user
           accounts for students.

           Shared User Account
           For shared user accounts, since a group of users uses the same user account,
           the personal data of one user may be accessed by another user of the same
           shared user account. To avoid unauthorized access to users' personal data,
           private user data may need to be stored on removable media such as floppy
           disks. Besides, the desktop environment of the shared user accounts may need
           to be locked, so that all users of the same shared user account work in the
           same environment.

           Personal User Account
           For personal user accounts, users enjoy the flexibility of customizing their
           own working environment and the security of having their customized
           configurations and personal data protected. Besides, the activities of each
           user on the school LAN can be controlled and traced.

           Bilingual Environment
           If students need to work on both Chinese and English Windows NT
           Workstation for basic network activities, they may need two separate user
           accounts for the two platforms, because the desktop settings of the two
           platforms are not interchangeable. This is discussed further in the section on
           User Profile. Schools are advised to keep this point in mind when planning
           their user account policy.

           Administration Tools for User Administration
           The administration effort for managing personal user accounts is heavier than
           that for shared user accounts. Administration tools such as the Windows NT
           User Wizard can greatly reduce the effort of managing user accounts. Some of
           these tools are introduced in Part III – LAN Administration & Operation of
           this document. Besides, schools may request the Contractors to tailor-make
           command scripts to automate some of the administration tasks.

           Schools should tailor a user account policy that fits their own environment.
           With all the above considerations, personal user accounts are preferred over
           shared user accounts for their flexibility and security in the networked
           environment. For standalone machines, shared user accounts are recommended
           to reduce the administration effort.





           Guidelines

                -   Create a personal user account for each user for basic operations on the
                    school LAN.

                -   Create shared accounts for a group of users for special uses on the school
                    LAN.

                -   Create shared accounts for users to operate on the standalone machines.

                -   Plan the User Account Policy with consideration for the bilingual
                    environment.



           Examples

           Scenario 1
           School A has 1000 students, 70 teaching staff (including the principal) and
           10 clerical staff. A further requirement is that a tailor-made desktop
           environment is needed to facilitate the teaching of the Computer subject.

           School A planned to create a personal account for each user for their basic
           operations on the school LAN, with user account names formed from the
           initials and last name of the users. For the Computer subject, 50 shared
           accounts are created with the account names computer1, computer2 …
           computer50. The teaching of the Computer subject for all forms uses these 50
           accounts. The desktop appearances of these accounts are locked to facilitate
           the teaching.

           In total, 1130 (1000 + 70 + 10 + 50) global user accounts are created on the
           PDC.

           Scenario 2
           School B has 800 students, 60 teaching staff (including the principal) and
           10 clerical staff. There are 6 forms in school B; the most junior form has
           5 classes and 200 students in total. As a start, school B planned to create a
           personal account for each user except those in the most junior form. For the
           most junior form, 5 shared accounts, one per class, are created with the user
           account names class1A, class1B … class1E. The desktop appearances of these
           accounts are locked to facilitate the management.

           In total, 675 (800 – 200 + 60 + 10 + 5) global user accounts are created on
           the PDC.





3.1.3. User Account Naming Convention
           To ensure uniqueness and consistency, there should be a naming convention for
           the user accounts. The name of each user account must be unique. Besides, the
           following shows some basic features that the naming convention may include:-

                 -    the user account name for each user is derived from some existing
                      personal information, e.g. the user's name, student ID, etc.
                 -    there is a mechanism for handling duplicate user account names
                 -    if a user has two user accounts for operating on Chinese and English
                      Windows NT, the convention has to cater for this case.

           There should be no Chinese characters in a user account name, because users
           cannot log on to an English Windows NT Server with such an account name.

           A common user account naming convention is to use the initials and last name
           of the user. A serial number is added when there is duplication. To cater for
           the different language platforms, a letter such as 'c' for Chinese or 'e' for
           English may be appended if two personal user accounts are assigned to each user
           for the bilingual environment. Unique identifiers such as student IDs are also
           commonly used as user account names. Readers may refer to the examples below
           for details.

           Schools may already have an electronic copy of the list of students' names and
           IDs, which can be used as input to the utility for creating user accounts, thus
           saving much administration effort.


           Guidelines

                -   Use initials + last name + a serial number (in case of duplication) + a letter
                    specifying the language platform as the user account naming convention.

                -   Consult the Contractors for other user account naming conventions if
                    schools have their own specific requirements.

                -   Ensure that the user account names do not contain Chinese characters if
                    other naming conventions are used.




           Examples

           Scenario 1
           In school A, two global user accounts are created for each user for the basic
           operations on Chinese and English Windows NT. The following user account
           naming convention is used:-





                 -    initials + last name + a serial number (in case of duplication) + a letter
                      'c' for accounts operating on Chinese Windows NT or 'e' for English
                      Windows NT.

           With this naming convention, the following shows some samples:-
                       User Names             user account name    user account name
                                              (Chi. Windows NT)    (Eng. Windows NT)
                     Ada Y.H. Wong                  ayhwongc             ayhwonge
                     Ann Y.H. Wong                 ayhwong1c            ayhwong1e
                     Arthur Y.H.Wong               ayhwong2c            ayhwong2e
                     David D.L. Fong                 ddlfongc             ddlfonge
                      Emil C.C. Lee                   eccleec              eccleee
                     Patrick T.K. Lam                ptklamc              ptklame
                      Peter T.K. Lam                ptklam1c             ptklam1e



           Scenario 2
           In school B, two global user accounts are created for each user for the basic
           operations on Chinese and English Windows NT. School B uses the student ID,
           which is unique to each student and assigned on admission to the school, as the
           basis for the user account naming convention. For teachers, initials + last
           name is used as their user account names.

           With this naming convention, the following shows some samples:-
                       User Names             Student ID   user account name     user account name
                                                           (Chi. Windows NT)     (Eng. Windows NT)
                      Ada Y.H. Wong              970101          970101c               970101e
                     Ann Y.H. Wong               970159          970159c               970159e
                     Arthur Y.H.Wong             980060          980060c               980060e
                     David D.L. Fong             980001          980001c               980001e
                       Emil C.C. Lee             990100          990100c               990100e
                     Patrick T.K. Lam            990099          990099c               990099e
                      Peter T.K. Lam             990121          990121c               990121e
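           The two conventions above (Scenario 1: initials + last name + serial number +
           language letter; Scenario 2: student ID + language letter) as an added worked
           example, not part of the original guidelines. Function names are this example's
           own; the sample names and student IDs are the ones in the two tables above.

```python
"""User account naming conventions from Section 3.1.3, as runnable code.

Added example, not part of the original guidelines. It implements the
"initials + last name + serial number (in case of duplication) + language
letter" convention of Scenario 1 and the student-ID convention of Scenario 2,
with the checks an administrator would want before bulk-creating accounts.
Function names are this example's own; the sample names and student IDs are
the ones in the tables above.
"""

# 'c' for accounts used on Chinese Windows NT, 'e' for English Windows NT.
LANGUAGE_LETTERS = ("c", "e")

# Windows NT user names are at most 20 characters long and may not contain
# any of the characters below.
NT_MAX_USER_NAME_LEN = 20
NT_FORBIDDEN_CHARS = set('"/\\[]:;|=,+*?<>')


def check_nt_user_name(name):
    """Return None if the name is usable as a Windows NT user name, otherwise
    a short reason. Any non-ASCII character (Chinese in particular) is
    rejected, because such an account cannot log on to an English Windows NT
    Server (Section 3.1.3)."""
    if not name or name.strip() != name:
        return "empty or padded with spaces"
    if len(name) > NT_MAX_USER_NAME_LEN:
        return "longer than %d characters" % NT_MAX_USER_NAME_LEN
    if any(ord(ch) > 127 for ch in name):
        return "contains non-ASCII (e.g. Chinese) characters"
    bad = NT_FORBIDDEN_CHARS.intersection(name)
    if bad:
        return "contains forbidden character(s) %s" % "".join(sorted(bad))
    return None


def initials_and_last_name(full_name):
    """'Ada Y.H. Wong' -> 'ayhwong': the initials of every name but the last,
    then the last name, all in lower case. 'Arthur Y.H.Wong' parses the same
    way because the dots are treated as separators."""
    parts = full_name.replace(".", " ").split()
    if len(parts) < 2:
        raise ValueError("need a given name and a last name: %r" % full_name)
    initials = "".join(part[0] for part in parts[:-1])
    return (initials + parts[-1]).lower()


def add_serial_numbers(base_names):
    """Scenario 1 duplicate handling: the first user keeps the bare name, later
    users with the same base name get 1, 2, ... appended, in list order."""
    seen = {}
    result = []
    for base in base_names:
        count = seen.get(base, 0)
        seen[base] = count + 1
        result.append(base if count == 0 else "%s%d" % (base, count))
    return result


def names_from_initials(full_names):
    """Scenario 1 base names (before the language letter) for a list of users."""
    return add_serial_numbers([initials_and_last_name(n) for n in full_names])


def names_from_student_ids(student_ids):
    """Scenario 2 base names: the student ID itself. IDs are unique by
    construction, so a repeated ID is a data error, not a case for a serial."""
    ids = [str(i).strip() for i in student_ids]
    dupes = sorted({i for i in ids if ids.count(i) > 1})
    if dupes:
        raise ValueError("student IDs are not unique: %s" % ", ".join(dupes))
    return ids


def bilingual_accounts(base_names):
    """Map each base name to its Chinese-NT and English-NT account names,
    checking every final name against the NT rules and for uniqueness across
    the whole list (one user's name plus serial must never equal another's)."""
    accounts = {}
    all_names = set()
    for base in base_names:
        pair = {}
        for letter in LANGUAGE_LETTERS:
            name = base + letter
            problem = check_nt_user_name(name)
            if problem:
                raise ValueError("%s: %s" % (name, problem))
            if name in all_names:
                raise ValueError("duplicate user account name: %s" % name)
            all_names.add(name)
            pair[letter] = name
        accounts[base] = pair
    return accounts


# Sample users taken from the two scenario tables in Section 3.1.3.
SCENARIO_1_NAMES = ["Ada Y.H. Wong", "Ann Y.H. Wong", "Arthur Y.H.Wong",
                    "David D.L. Fong", "Emil C.C. Lee", "Patrick T.K. Lam",
                    "Peter T.K. Lam"]
SCENARIO_2_IDS = ["970101", "970159", "980060", "980001", "990100",
                  "990099", "990121"]

if __name__ == "__main__":
    for label, bases in (("Scenario 1", names_from_initials(SCENARIO_1_NAMES)),
                         ("Scenario 2", names_from_student_ids(SCENARIO_2_IDS))):
        print(label)
        for base, pair in bilingual_accounts(bases).items():
            print("  %-10s %-10s %-10s" % (base, pair["c"], pair["e"]))
```

           Running it reproduces both tables; feeding it a school's full name list
           is the quickest way to find the duplicates that need serial numbers before
           accounts are created.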





3.2.       DESKTOP SETTINGS FOR DIFFERENT GROUPS OF
           USERS
           Each group of users may need a different working environment. For example,
           they may need to use different applications, get access to different files and
           print documents to different printers on the network. Users reach all these
           services through the desktop interface they work on. To facilitate
           administration and maintenance, the desktop settings should be standardized
           per group of users, instead of varying from user to user, and this should be
           planned at the design stage. This section covers the following:-

                    -   start menu and desktop icons
                    -   user profile



3.2.1. Start Menu and Desktop Icons
           On the desktop interface, users get access to all the services through the Start
           Menu and the desktop icons. The items should at least include the following:-

                    -    default items
                    -    system utilities
                    -    application software
                    -    hardware devices

           Guidelines

                -   Plan the Start Menu and Desktop Icons of each group of users.



           Examples

           Scenario
           School A planned to have 3 different sets of Start Menu and Desktop Icons, one for the
           teachers, one for form 1 to 3 students and one for form 4 and 5 students. The following
           shows the details of the set for form 4 and 5 students:-

            Desktop Icons
              default & mandatory:  My Computer, Network Neighborhood, Recycle Bin,
                                    My Briefcase
              Internet software:    Internet Explorer, Netscape Communicator, ICQ,
                                    Internet Mail, Internet News
              MS Office:            MS Word, MS Excel, MS Access, MS PowerPoint
              other software:       Norton Utilities, Turbo Pascal, Visual C++,
                                    Visual FoxPro, True Type Dynafont, GoGo Pen
              hardware devices:     Scanner, LaserJet Printer 1, LaserJet Printer 2

            Start Menu
              Programs:             Internet Explorer, Microsoft Outlook, Internet Mail,
                                    Internet News, MS Word, MS Excel, MS Access,
                                    MS PowerPoint, Norton Utilities, Turbo Pascal,
                                    Visual C++, Visual FoxPro, GoGo Pen, Scanner




3.2.2. User Profile
           Each user account is associated with a user profile, which contains the settings
           for the desktop appearance. When a user logs on to the Windows NT network, the
           user profile associated with that user account is retrieved and the customized
           desktop environment is displayed.

           Roaming vs Local
           Basically, there are two types of user profiles: roaming and local.

           If a roaming user profile is used, a user gets the same desktop environment no
           matter which machine the user logs on to the school LAN from. Roaming profiles
           are usually stored on the PDC.

           If a local user profile is used, each machine stores the desktop settings from
           the user's last logon on that machine, so users may get a different desktop
           environment when they log on to the school LAN from different workstations.
           For standalone machines, local user profiles are used.

           Since the local user profile of a user is stored locally on each machine, future
           modifications to the profiles have to be made machine by machine, involving
           more administration work than roaming user profiles, which are stored on the
           PDC.

           Roaming Mandatory vs Roaming Personal
           Besides, there are two types of roaming profiles and they are briefly described
           below:-

               Profile Type        Description
               roaming mandatory   This is a pre-configured user profile that the user cannot change.
                                   Multiple users may use the same mandatory profile.
               roaming personal    Users can change settings with this profile. The user profile is updated to
                                   include any changes made by the user each time the user logs off.





           For shared user accounts, roaming mandatory profiles should be used to lock
           the desktop settings, so that the desktop appearance cannot be modified by any
           one user and all users who share the same user account get the same desktop
           environment every time they log on to the school LAN.

           For personal accounts, roaming personal user profiles may be used, so that users
           can have their own desktop settings. However, this is only recommended if the
           workstations in the school LAN are installed with a single Windows NT
           Workstation. If the workstations in the school LAN are dual-booted with both
           Chinese and English Windows NT Workstation, roaming personal user profiles
           may not be suitable; this is discussed below.

           Considerations for Bilingual Environment
           The workstations on the school LAN may be dual-booted with both Chinese
           and English Windows NT Workstation. The same roaming user profile cannot
           be used for operating on both platforms, otherwise the desktop appearance will
           be corrupted. However, each user account can only be associated with one
           roaming user profile. To cater for the bilingual environment, the following
           may be considered:-

                 1) roaming user profile is still used but each user is assigned with 2 user
                    accounts, each associated with a different user profile containing the
                    desktop appearances for operations on the Chinese and English
                    Windows NT respectively.

                      However, students may wrongly use the accounts with the Chinese
                      desktop appearance to log on the English Windows NT Workstation
                      and vice versa. To prevent the corruption of desktop appearances from
                      such misuses, it is recommended to lock the desktop settings through
                      roaming mandatory user profile.

                      With roaming mandatory user profile, a group of user accounts may
                      point to the same profile, thus reducing administration effort. But it
                      should be noted that students are not able to save their customized
                      desktop settings with mandatory profile.

                 2) local user profiles are used, instead of roaming user profiles. Each
                    user can then use the same user account to operate on both Chinese and
                    English Windows NT. However, the user may get a different desktop
                    environment when logging on to the school LAN from different
                    machines. As mentioned above, using local user profiles involves more
                    administration work than using roaming user profiles.


           Different profile types may fit for different groups of users, so there may be a
           mix of different profile types in the school LAN. Schools should plan for this in
           the design stage.





           Guidelines

                -   Use roaming mandatory user profiles for shared user accounts.

                -   Use roaming personal user profiles for the user accounts if the workstations
                    on the school LAN are installed with only one Windows NT Workstation
                    (either Chinese or English).

                -   Create two user accounts for each user for operation in the bilingual
                    environment and lock the desktop environment through roaming
                    mandatory user profiles to prevent corruption of the desktop appearance
                    when the user account of the wrong platform is used.



           Examples

           Scenario 1 – two accounts with roaming mandatory user profile
           School A has 1 server and 80 workstations. All the machines are connected to
           the school LAN and the workstations are dual-booted with both Chinese and
           English Windows NT Workstation. There are 5 forms in school A and each
           form requires a different desktop configuration.

           School A planned to create two global user accounts, associated with roaming
           mandatory user profiles for each student to operate on the Chinese and English
           Windows NT environment. User accounts for students in the same form are
           associated with the same mandatory profile. School A has to work out the
           desktop configurations for 5 Chinese user profiles and 5 English user profiles, a
           total of 10 for the students' use.

           Teachers require that they have their customized desktop settings. Two global
           user accounts, each associated with roaming personal user profiles are created
           for each teacher.


           Scenario 2 – one account with local user profile
           School B has 2 servers and 60 workstations in its school LAN and 10
           standalone workstations. All workstations are dual-booted with both Chinese
           and English Windows NT Workstation.

           For the operations on the school LAN, school B planned to create only one user
           account for each student and local user profile is used. There is a default user
           profile in each platform of each workstation and this default profile is used as
           the initial desktop appearance of the users.

           For the standalone machines, 3 shared user accounts: administrator, teacher,
           student are created in each platform (Chinese NT and English NT) and local
           user profiles are used for these accounts.






           Scenario 3 – mixed use of personal and shared account
           School C has 1 server and 50 workstations in its school LAN. All workstations
           are dual-booted with both Chinese and English Windows NT Workstation.
           Students work on Chinese Windows NT for most of the network operations and
           only work on English Windows NT for specific applications.

           School C planned to create only one user account for each student. The account
           is associated with roaming user profile containing Chinese desktop
           environment. Students use this account to operate on Chinese Windows NT.
           For operations on English Windows NT, a shared account is created for each
           class and it is associated with a roaming mandatory user profile. Students in the
           same class use the same shared account to work on English Windows NT.




3.3.       HOME DIRECTORY SCHEME
           Users may work on different workstations on the school LAN. If they save their
           personal data on one workstation and work on another workstation next time,
           they may not be able to find their data. There is also a risk that one user's
           data may be accessed by others working on the same workstation. If users are
           required to save their data on a floppy disk each time, the capacity of a floppy
           disk (1.44 MB) may not be sufficient to store large files.

           In a networking environment, each user account may be assigned a home
           directory, usually a place on the server's hard disk, for storing personal
           data. The following figure shows a graphical overview of the concept of a
           home directory.




           The following points are recommended for planning the home directory scheme
           in the school LAN:-
           a)    each user has his or her own home directory for storing personal data,
                 instead of sharing a home directory among a group of users;
           b)    the home directories are put on the file server for better management and
                 easier backup and restore;
           c)    each user may have two user accounts for the bilingual environment; the
                 two user accounts of the same user may be assigned the same home
                 directory;
           d)    each user should initially have at least 10 MB of storage space in his or
                 her home directory;
           e)    the permissions on the home directories are assigned so that only the
                 corresponding user ("Change" permission) and the school LAN
                 administrators ("Full Control" permission) can access the data stored
                 there;
           f)    the home directory is mapped as a logical drive such as U: for easier user
                 access and management.



           Guidelines

                Assign each user account an individual home directory for storing its
                 personal data.

                Assign the same home directory to the user if the user has two user
                 accounts for the bilingual environment.

                Put the home directories on a server, rather than a workstation.

                Allocate at least 10 MB storage space for the home directory of each user
                 initially.

                Assign "Change" permission to the owner of the home directory and "Full
                 Control" to the Administrators group, and give other users no entry at all.
                 Do not add an explicit "No Access" entry for Everyone: "No Access" overrides
                 every other permission, so it would also deny the Administrators group
                 (until they take ownership).

                Map the home directory as U: drive for each user for easier management.



           Examples

           Scenario
           School A has 1000 students, 70 teaching staff (including the principal) and 10
           clerical staff. For the home directory scheme of the users, school A planned to
           have the following settings:-

             user category     storage   location                     permissions              mapped
                               space                                                           as drive
             teachers &        30 MB     c:\winnt\home\%username%*    owner: Change            U:
             clerical staff              on the PDC                   other users: no access
             students          10 MB     c:\winnt\home\%username%*    owner: Change            U:
                                         on the PDC                   other users: no access
           * %username% is an environment variable that expands to the account name of the
             currently logged-on user, so a single path setting serves all accounts.

           Note that this location lies on the system partition under the Windows NT
           directory. Placing the home directories on a separate data partition, as in the
           server example of section 4.1.1, keeps user data away from the system files and
           keeps a full home directory volume from exhausting the system partition.

           Windows NT does not provide disk quota functions, so a third-party disk quota
           manager has to be installed on the server to manage the storage space assigned
           to each user.

           The space on the server's hard disk allocated for users' home directories is:-
                (70 + 10) x 30 MB + 1000 x 10 MB = 12400 MB = 12.4 GB




3.4.       GROUPING STRATEGY FOR USER ACCOUNTS
           A good grouping of the user accounts can reduce much of the administration
           work of the LAN administrator. With groups, the LAN administrator can easily
           carry out network administration tasks for the users, such as managing the
           desktop settings, assigning resource permissions and maintaining data security.

           There are two types of groups in a Windows NT domain: local groups and global
           groups, which exist on the PDC and the BDCs of the domain. Their details are
           listed in the following table.

               Group          Description
               local group    -  used to grant users permissions to access network resources;
                              -  also used to grant users rights to perform system tasks, such as
                                 changing the system time or backing up and restoring data;
                              -  can contain user accounts and global groups, but cannot contain
                                 other local groups;
                              -  there are several built-in local groups designed for assigning
                                 user rights.
               global group   -  used to organize the domain's user accounts;
                              -  can contain only user accounts; cannot contain global groups or
                                 local groups.

           Both global groups and local groups can contain user accounts. However, it is
           more appropriate to use global groups for grouping users, because local groups
           are mainly used for assigning rights and permissions. In general, therefore,
           global groups contain only user accounts, and local groups contain only global
           groups.

           In assigning rights, it is recommended to use the built-in local groups and to
           create your own local groups only if necessary. The following table shows the
           details of some built-in local groups. It should be noted that these groups
           exist on the PDC and the BDCs of a domain.

               Group Type       Group Name          Description
               built-in local   Administrators      members can fully administer the computer/domain
               groups           Account Operators   members can administer domain user and group accounts
                                Server Operators    members can administer domain servers
                                Print Operators     members can administer domain printers
                                Backup Operators    members can bypass file security to back up files
                                Users               ordinary users
                                Guests              users granted guest access to the computer/domain


           In grouping user accounts of the students, it is suggested to organize the groups
           according to the organization unit of the school. Schools may consider the
           following options:-
                   -    by class
                   -    by form
                   -    by student's admission year

           Since the students are promoted to a higher form each year, grouping by class
           or by form means that the LAN administrator needs to regroup the user accounts
           of the students every year. With grouping by admission year the whole group
           moves up together, so regrouping is normally not needed, and this option is
           recommended.


           Guidelines

                Create global groups for grouping user accounts.

                Use the built-in local groups for assigning user rights to users, and create
                 your own local groups only if necessary.

                Group the user accounts of the students according to their admission years.



           Examples

           Scenario 1 – grouping by class
           School A planned to group the user accounts of the students according to their
           classes. There are 5 forms and each form has 5 classes, A to E. In total 25
           global groups are created, with the group names class1A, class1B … class5E.
           There is a global group named Teacher for the teachers' accounts.

           Since students are only assigned the rights of ordinary users, the global
           groups for the students are made members of the built-in local group Users.
           The teachers are responsible for managing the printing in the school LAN, and
           so the Teacher group is made a member of the built-in local group Print
           Operators.

           Scenario 2 – grouping by form
           Since the students in the same form use the same set of applications and
           network services, school B planned to group the students by form. There are 7
           forms in school B, and in total 7 global groups are created, with the group
           names form1, form2 … form7.

           Since students are only assigned the rights of ordinary users, the global
           groups for the students are made members of the built-in local group Users.
           The form 7 students and the teachers are responsible for managing the printing
           in the school LAN, and so the form7 and Teacher groups are made members of the
           built-in local group Print Operators.




           Scenario 3 – grouping by student's admission year
           The user accounts for students in school C are grouped by their admission
           years. There are 7 global groups created, with the group names Y1993, Y1994, …
           Y1999.

           Regrouping is only needed for an individual student who is not promoted to
           the next form; that student is moved to the group that now corresponds to his
           or her form.
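           The following Python script is an added example and not part of the Guidelines.
           It applies the home directory scheme of section 3.3 and the grouping strategy of
           section 3.4 to a roster and generates the Windows NT command lines (net user,
           net group, net localgroup and cacls) that an administrator would run on the
           PDC; it also computes the disk space to reserve for home directories and lists
           the students who need a manual regrouping because they did not move up with
           their admission year. The server name PDC1, the share name "home", the path
           D:\home, the initial password and the roster itself are constructed assumptions
           for the illustration.

```python
"""Provisioning script generator for a Windows NT 4.0 school domain.

Added example, not taken from the Guidelines.  It applies the home
directory scheme (section 3.3) and the grouping strategy (section 3.4)
to a roster and emits the net user / net group / net localgroup / cacls
command lines to run on the PDC.  Server name, share name, roster and
initial password are constructed assumptions for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SERVER = "PDC1"          # assumed NetBIOS name of the PDC
HOME_ROOT = r"D:\home"   # assumed local path of the home directories on the PDC
HOME_SHARE = "home"      # assumed share name of HOME_ROOT
QUOTA_MB = {"student": 10, "teacher": 30, "clerical": 30}   # initial quota per user
# built-in local group that each staff global group is made a member of;
# student year groups are made members of Users (Guidelines, section 3.4)
BUILTIN_MEMBERSHIP = {"Teacher": "Print Operators", "Clerical": "Users"}


@dataclass
class Person:
    username: str
    role: str                              # "student", "teacher" or "clerical"
    admission_year: Optional[int] = None   # students only


def group_for(p: Person) -> str:
    """Global group name: students by admission year (Y1999), staff by role."""
    if p.role == "student":
        if p.admission_year is None:
            raise ValueError(f"{p.username}: student without admission year")
        return f"Y{p.admission_year}"
    return p.role.capitalize()


def home_local(p: Person) -> str:
    return rf"{HOME_ROOT}\{p.username}"


def home_unc(p: Person) -> str:
    return rf"\\{SERVER}\{HOME_SHARE}\{p.username}"


def provisioning_commands(roster: List[Person], initial_password: str = "changeme") -> List[str]:
    """Command lines for the PDC, in dependency order.  The single initial
    password is a placeholder: in practice give each user a distinct one and
    tick 'User Must Change Password at Next Logon' in User Manager for Domains."""
    cmds: List[str] = []
    for g in sorted({group_for(p) for p in roster}):
        cmds.append(f"net group {g} /add /domain")
        cmds.append(f'net localgroup "{BUILTIN_MEMBERSHIP.get(g, "Users")}" {g} /add /domain')
    for p in roster:
        cmds.append(f'mkdir "{home_local(p)}"')                 # path must exist first
        cmds.append(f'net user {p.username} {initial_password} /add '
                    f'/homedir:"{home_unc(p)}" /domain')
        cmds.append(f"net group {group_for(p)} {p.username} /add /domain")
        # Replace the inherited ACL: owner Change, Administrators Full Control and
        # no entry for anyone else.  An explicit No Access for Everyone would also
        # deny Administrators.  'echo y|' answers the cacls confirmation prompt.
        cmds.append(f'echo y| cacls "{home_local(p)}" /G {p.username}:C Administrators:F')
    return cmds


def home_storage_mb(roster: List[Person]) -> int:
    """Server disk space to reserve for home directories (section 3.3 sizing)."""
    return sum(QUOTA_MB[p.role] for p in roster)


def expected_form(admission_year: int, school_year: int, entry_form: int = 1) -> int:
    """Form a student admitted in admission_year should be in during school_year,
    assuming promotion by one form each year."""
    return school_year - admission_year + entry_form


def students_to_regroup(roster: List[Person], actual_form: Dict[str, int],
                        school_year: int) -> List[str]:
    """Students whose actual form differs from the one implied by their
    admission-year group (repeaters): only these need a manual move."""
    return [p.username for p in roster
            if p.role == "student"
            and actual_form[p.username] != expected_form(p.admission_year, school_year)]


# constructed roster for the illustration
ROSTER = [
    Person("chanTM", "student", 1999),
    Person("wongSY", "student", 1998),
    Person("leeKF", "teacher"),
    Person("lamMY", "clerical"),
]

if __name__ == "__main__":
    print("\n".join(provisioning_commands(ROSTER)))
    print(f"rem reserve {home_storage_mb(ROSTER)} MB for home directories")
```

           The commands come out in dependency order: a group must exist before accounts
           are added to it, the home directory must exist before net user refers to it,
           and the account must exist before cacls can resolve its name. The generated
           ACL grants nothing to other users rather than adding an explicit No Access
           entry, because No Access overrides every other permission and would deny the
           Administrators group as well.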




4.         RESOURCES SHARING
           Schools can designate resources to share with others. For example, when a
           directory on a server is shared, authorized users can make connections to the
           directory and access its files from their own workstations. And when a printer is
           shared, many users can print from it over the network. Commonly there are two
           types of resources that are shared in a network:-

                         File and Directory Sharing
                         Print Sharing




4.1.       FILE AND DIRECTORY SHARING
           To formulate the requirements on file and directory sharing, the first thing is
           to understand how data is stored on the network, which involves the file systems
           of the servers and workstations. Since each user may store data on the network,
           a control on the volume of data that a user can store is needed. However,
           Windows NT does not provide such control, so third-party software such as a
           disk quota manager is needed for managing the storage space of each user. This
           section therefore covers the following topics:-

                            File System
                            Sharing Data
                            Disk Quota System



4.1.1. File System
           A file system is the way the operating system stores data on a machine's hard
           disk. The file system provides the controls on storing and sharing data.
           Basically, machines running Windows NT support two file systems:-

                -    NT file system (NTFS)
                -    File allocation table (FAT) file system

           NTFS is more robust and provides security features that FAT lacks, above all
           permissions on individual files and directories, and is therefore
           recommended.

           MS-DOS only supports FAT. If machines are multi-booted with Windows NT and
           MS-DOS, FAT has to be used for the hard disk partition on which MS-DOS is
           installed, and NTFS should be used for the hard disk partitions on which
           Windows NT is installed. It should be noted that NTFS partitions are not
           visible to users when the machine is booted from MS-DOS. This invisibility is
           a convenience rather than a protection: NTFS permissions are enforced only by
           Windows NT, so whoever can boot the machine from another operating system or
           from removable media can read the disk regardless of the permissions set, and
           the FAT partition carries no permissions at all. The physical and hardware
           precautions of section 5.1 are therefore part of protecting the data on
           workstations.


           Guidelines

                Use NTFS for the hard disk partitions of server and workstation that
                 installed with Windows NT.



           Examples

           Scenario
           School A planned to have one server and 40 workstations in the school LAN.
           The server machine is installed with English Windows NT Server and all the
           workstations are multi-booted with MS-DOS, Chinese and English Windows
           NT Workstation.



           For the server machine, there are two partitions and the detail is shown below:-
           C drive: NTFS      (for system and application)
           D drive: NTFS      (for user data)

           For workstation machines, there are three partitions and the detail is shown
           below:-
           C drive: FAT      (for MS-DOS)
           D drive: NTFS     (for Chinese Windows NT Workstation installation)
           E drive: NTFS     (for English Windows NT Workstation installation)




4.1.2. Sharing Data
           An important use of servers on the school LAN is sharing data among teachers
           and students. The basic unit of data is the file. However, Windows NT does not
           share individual files directly: to make files available on the network, they
           have to be put under a directory, and the shared directory is the access point
           to the files through the network.

           When a directory is shared, network users can make connections to the
           directory from their own workstations and access the files in the directory as if
           data is stored in the local machine.

           NTFS File Permissions vs Share Permissions
           Two kinds of permission may be set for a shared directory:-
              - NTFS file permission
              - share permission

           NTFS file permissions can be set to control users' access to any files and
           directories on an NTFS partition. The standard permission levels are No
           Access, List, Read, Add, Add & Read, Change and Full Control; special
           permissions such as Take Ownership can also be assigned. NTFS file permissions
           apply to users working at the computer containing the file and also to users
           accessing the file over the network, if the file is shared.

           If a directory is shared for network use, share permissions can be configured
           on it to control users' access to its content through the network. If a user
           works on the machine that has the directory shared out and accesses the
           content of the shared directory locally, the share permissions do not apply.
           Share permissions operate in addition to the NTFS file permissions for access
           through the network, and four levels can be configured: No Access, Read,
           Change and Full Control. For access through the network the effective
           permission is the more restrictive of the two: the share permission is an upper
           limit, and the NTFS permissions decide what is allowed within that limit.

           If both NTFS file permissions and share permissions are maintained for a shared
           directory, the administration effort is doubled. It is recommended that only
           NTFS file permissions are configured to control the users' access to shared
           data, both locally and through the network, and that the share permissions are
           left at their default, which is Full Control for Everyone. With that default the
           NTFS permissions are the only control on the shared data, so they must be in
           place before the directory is shared. In particular, the default NTFS
           permission on a newly formatted volume is also Full Control for Everyone, so a
           directory shared with both defaults untouched is fully writable by every user
           on the LAN.


           Share Names
           When schools share a directory, schools must assign it a share name, a name
           that network users use to refer to the shared directory. A share name can be the
           same as the actual directory name, but it doesn't have to be. The share name
           must be unique on the same machine and to facilitate users, meaningful names
           should be used and appropriate descriptions should be added.


           Guidelines

                Set appropriate NTFS file permissions on the files and directories before
                 sharing out for network uses.

                Leave the share permissions of the shared directories at their default and
                 restrict users' access to shared directories through NTFS file permissions
                 only, for ease of management.

                Assign meaningful and unique share names to shared directories and make
                 appropriate descriptions to facilitate users.




           Examples

           Scenario 1
           A user has share permission Read on a shared directory named PublicData on
           server A. When the user tries to access PublicData through the network, the
           access is denied.

           The school LAN administrator finds that the user has NTFS file permission No
           Access on PublicData. After setting this permission to Read, the user can read
           the content of PublicData.

           Later this user takes up the responsibility of managing PublicData and so
           should be assigned Full Control on PublicData. The school LAN administrator
           has to reconfigure both the NTFS file permission and the share permission,
           since the Read share permission would otherwise still limit the user to
           reading, thus duplicating the administration effort.

           For ease of management, the administrator decided to set the share
           permissions of all shared directories to the default value (Full Control for
           Everyone) and to control users' access through NTFS permissions only.
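           The evaluation rules behind this scenario can be made precise. The following
           Python module is an added example, not code from the Guidelines: it models
           NTFS and share permissions as sets of rights, accumulates them across a user
           and its groups with No Access overriding everything, intersects the two layers
           for access through the network, and then replays Scenario 1 for a constructed
           user chanTM. The principal names and access control entries are constructed
           for the illustration; the standard permission levels and the Windows NT 4.0
           defaults (Full Control for Everyone on a new share and on a newly formatted
           volume) are as documented for Windows NT.

```python
"""Effective access to a shared NTFS directory on Windows NT 4.0.

Added example, not code from the Guidelines.  NTFS permissions apply
locally and over the network and accumulate across the user and all of
its groups (a 'No Access' entry anywhere wins); share permissions apply
over the network only and cap whatever NTFS grants.  The principal names
and access control entries below are constructed for the illustration.
"""
from typing import Dict, FrozenSet, Iterable

# individual rights on a directory in NT 4.0 notation
R, W, X, D, P, O = "R", "W", "X", "D", "P", "O"
ALL = frozenset({R, W, X, D, P, O})

# standard permission levels expressed as sets of rights on the directory
LEVELS: Dict[str, FrozenSet[str]] = {
    "No Access": frozenset(),
    "Read": frozenset({R, X}),
    "Add": frozenset({W, X}),
    "Add & Read": frozenset({R, W, X}),
    "Change": frozenset({R, W, X, D}),
    "Full Control": ALL,
}
SHARE_LEVELS = ("No Access", "Read", "Change", "Full Control")

Acl = Dict[str, str]   # principal (user or group name) -> permission level


def effective(acl: Acl, principals: Iterable[str]) -> FrozenSet[str]:
    """Rights granted by acl to a user named by its own account and its groups."""
    rights = set()
    for name in principals:
        level = acl.get(name)
        if level is None:
            continue
        if level == "No Access":      # explicit denial overrides every grant
            return frozenset()
        rights |= LEVELS[level]
    return frozenset(rights)


def local_access(ntfs_acl: Acl, principals: Iterable[str]) -> FrozenSet[str]:
    """Access when logged on at the server itself: share permissions do not apply."""
    return effective(ntfs_acl, principals)


def network_access(ntfs_acl: Acl, share_acl: Acl, principals: Iterable[str]) -> FrozenSet[str]:
    """Access through the share: the more restrictive of the two layers."""
    for level in share_acl.values():
        if level not in SHARE_LEVELS:
            raise ValueError(f"not a share permission: {level}")
    principals = list(principals)
    return effective(ntfs_acl, principals) & effective(share_acl, principals)


def level_name(rights: FrozenSet[str]) -> str:
    """Standard level matching the right set, or the raw letters for special permissions."""
    for name, level_rights in LEVELS.items():
        if level_rights == rights:
            return name
    return "".join(sorted(rights))


# NT 4.0 defaults: a new share, and the NTFS ACL of a freshly formatted volume
DEFAULT_SHARE_ACL: Acl = {"Everyone": "Full Control"}
DEFAULT_NTFS_ACL: Acl = {"Everyone": "Full Control"}


def scenario_1() -> Dict[str, str]:
    """Walk through Scenario 1 for a constructed user chanTM on PublicData."""
    user = ["chanTM", "Everyone", "Domain Users"]   # the user and its groups
    share_read = {"chanTM": "Read"}
    return {
        "ntfs No Access": level_name(network_access({"chanTM": "No Access"}, share_read, user)),
        "ntfs Read": level_name(network_access({"chanTM": "Read"}, share_read, user)),
        # Full Control is wanted: the Read share permission still caps the result
        "ntfs Full, share Read": level_name(network_access({"chanTM": "Full Control"}, share_read, user)),
        # with the default share permission only the NTFS entry has to change
        "ntfs Full, share default": level_name(network_access({"chanTM": "Full Control"}, DEFAULT_SHARE_ACL, user)),
        # both layers left at their defaults: every user on the LAN has Full Control
        "both default": level_name(network_access(DEFAULT_NTFS_ACL, DEFAULT_SHARE_ACL, user)),
    }


if __name__ == "__main__":
    for step, result in scenario_1().items():
        print(f"{step:26s} -> {result}")
```

           Running the module prints the result of each step of Scenario 1. The last
           entry shows why NTFS permissions must be set before a directory is shared:
           with both layers left at their defaults, every user on the LAN gets Full
           Control over the shared directory.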


           Scenario 2
           Network users generally make connections to shared directories by assigning a
           drive letter on their workstation to the server's shared directory. Then they use



           the assigned drive letter to refer to the directory to which they have made the
           connection. All subdirectories under the shared directory are also made
           available to the connected users. The following examples illustrate how users
           make connections to shared directories on a server:

           Making Connection to Home Directory
           Suppose a user called MC Kay makes a connection to his home directory, which
           is named "C:\Home\MCKay" and shared as "MCKay" in the following figure, and
           assigns the drive letter "U" to it. MC Kay then sees the contents of his home
           directory C:\Home\MCKay on the server as the contents of his own "U" drive.
           Since it is his home directory, "Change" NTFS file permission is granted to
           him so that he can read and add files and change the contents of the existing
           files under this directory. In addition, "Full Control" NTFS file permission
           is granted to the "Administrators" group so that school LAN administrators can
           manage this shared directory if necessary. No other user has an entry on the
           directory, so no other user can reach it through the share.

                 Properties
                     Shared Directory on Server :   “C:\Home\MCKay”
                     Share Name                 :   “MCKay”
                     NTFS File Permission       :   “Change” permission for “MCKay” user
                                                 :   “Full Control” permission for “Administrators” group
                     Share Permission           :   “Full Control” permission for “Everyone”
                     Drive on Workstation       :   “U” drive

                 (Figure: the shared home directory as seen on the server side)

                 (Figure: the connected U: drive as seen on the workstation side)

           Making Connection to Shared Applications
           Suppose everyone on the school LAN needs to access an application called
           "Learning English", which is installed at "C:\Apps\Learning English" on the
           server and shared as "Learning.Eng". Users can then make a connection to this
           shared directory and assign the drive letter "L" to it. Since this application
           is intended for everyone to read and run, "Read" NTFS file permission (which
           includes execute) is granted to "Everyone", so that everyone on the school LAN
           can read the contents of files and run the applications in this shared
           directory but cannot modify or delete them. In addition, "Full Control" NTFS
           file permission is granted to the "Administrators" group so that school LAN
           administrators can manage this shared directory if necessary.




4.1.3. Disk Quota System
           Network users have their personal data saved on servers, in their home
           directories or in public areas. Windows NT does not come with a disk quota
           system for controlling the amount of data that users can store on the server.
           In order to protect the servers from running out of disk space, and to stop one
           user from filling a volume that everyone shares, the disk space used by each
           user should be restricted by an add-on disk quota system.


           Guidelines

                Install disk quota system on the servers in the school LAN for managing
                 the storage space of each user.




4.2.       PRINT SHARING
           Generally, the following steps are involved in sharing a printer for network use
           and there should be some planning for each of these steps:-
               - connect printers to the network
               - assign machines as the print servers for serving the network printing
               - share the printers and assign a share name to it
               - grant appropriate permissions to users
               - add the shared printer to the users' working environment

           Physical Connection
           There are basically two methods of connecting a printer to the network: 1)
           through a network printer sharing device; or 2) by attaching it to a networked
           machine, e.g. a server machine in the server room. The first method is
           recommended, so that the shared printer may be placed wherever there is a data
           node of the school LAN, without being limited by the location of the machine
           it is attached to.

           Print Server Assignment
           There should be a print server for handling the network printing activities of a
           shared printer. It is recommended to deploy the print server on a server machine
           because a server machine, compared to a workstation machine, has stronger
           processing power for performing this task. Commonly the file server also acts
           as the print server. A discussion on using a workstation machine as the print
           server can be found in Appendix A.

           Printer Share Name
           To share a printer, a unique share name has to be assigned to it. The naming
           convention for the computers and devices as discussed in section 2.2.3 may be
           used. It should be noted that if the shared printer is to be used in some
           non-Windows NT systems and/or applications such as MS-DOS, there may be
           special requirements on the share name, schools should consult the Contractors
           for the details. Besides the share name, information like location, purpose and
           printer model may also be added to the shared printers for illustration when
           viewed through network.

           Printer Permissions
           Windows NT offers four permission levels on a shared printer: No Access, Print,
           Manage Documents and Full Control. By default, all network users are allowed to
           print on a shared printer. Schools may have specific requirements on the usage
           of each shared printer, for example restricting some users from using a
           particular shared printer, or assigning some users to manage the print jobs of
           the shared printers. Schools should consult the Contractors for these details.

           User Accessibility to Shared Printers
           Finally, a shared printer should be added to the users‟ working environment in
           order for them to use it. The icon of the shared printers that a user is allowed to
           use should be found in the Printer Folder of the user‟s desktop. The following
           figure shows a graphical overview of print sharing.



           Guidelines

                Connect the shared printers to the network through the network printer
                 sharing device (Ensure the shopping list includes this item).

                Deploy the print server on a server machine, instead of a workstation
                 machine.

                Assign a unique name to each shared printer, the naming convention as
                 discussed in section 2.2.3 may be used.

                Add appropriate information for the shared printers for illustration when
                 viewed through network.

                Consult the Contractors for granting appropriate permissions to different
                 groups of users.

                Add the shared printers to the working environment of the users who are
                 allowed to use them.



           Examples

           Scenario
           School A planned to set up 6 shared printers, 2 for the uses of teachers in the
           staff room, 3 for the uses of both teachers and students in the computer room
           and 1 in library for public uses. School A has only one server, installed as the
           PDC and situated in the server room.
           Print sharing devices are used to connect the 6 shared printers to the school
           LAN. Since there are only a small number of shared printers, school A adopts a


           simple convention for the share name of the printers: location code + 'prt' + a
           serial number.

           The server is assigned as the print server of all these shared printers. Printer type,
           location and purpose of the shared printers are added as the descriptions. The
           following table shows the details.

        Shared         Share    User permissions               Icons on users'       Description
        printers       name                                    desktop
        printer 1 in   crprt1   students: Print                students: Yes         HP laserjet 6P in Computer Room
        computer room           teachers: Manage Documents     teachers: Yes         (Rm 202), mainly for teachers'
                                administrators: Full Control   administrators: Yes   printing
        printer 2 in   crprt2   students: Print                students: Yes         HP laserjet 5 in Computer Room
        computer room           teachers: Manage Documents     teachers: Yes         (Rm 202), for both teachers' and
                                administrators: Full Control   administrators: Yes   students' printing
        printer 3 in   crprt3   students: Print                students: Yes         HP inkjet 670c in Computer Room,
        computer room           teachers: Manage Documents     teachers: Yes         for both teachers' and students'
                                administrators: Full Control   administrators: Yes   printing
        printer 1 in   stfprt1  students: No Access            students: No          HP laserjet 6P in Staff Room,
        staff room              teachers: Manage Documents     teachers: Yes         for teachers' printing only
                                administrators: Full Control   administrators: Yes
        printer 2 in   stfprt2  students: No Access            students: No          HP inkjet 670c in Staff Room,
        staff room              teachers: Manage Documents     teachers: Yes         for teachers' printing only
                                administrators: Full Control   administrators: Yes
        printer 1 in   libprt1  students: Print                students: Yes         HP laserjet 6P in Library, for
        library                 teachers: Manage Documents     teachers: Yes         teachers' and students' printing
                                administrators: Full Control   administrators: Yes   inside the library




5.         SECURITY
           Security is always a key issue in the design of most computer networks. It
           involves prevention, protection and recovery. In this section, we discuss
           school LAN security under three major issues:

                   ● Physical and Hardware Security
                   ● Windows NT Security
                   ● Data Security

           It should be noted that security procedures generally reduce the flexibility of
           user operations and increase the administration work. Schools are advised to
           work out their own requirements on school LAN security.

           In addition, it should be stressed that educating users about security is more
           effective than technical controls in protecting computer resources. Building
           and maintaining strong relationships between teachers, students, school LAN
           administrators and parents about the goals and responsibilities of computer
           use in the classroom leads to the highest levels of network stability and
           security in the long term.







5.1.       PHYSICAL AND HARDWARE SECURITY
           Physical security is the first line of defense against intruders. It prevents direct
           access and forces intruders to circumvent the network security instead. Server
           hardware and storage media, such as server machines, backup tapes, recovery
           diskettes and original software packages, should be protected from
           unauthorized access.

           In addition, unauthorized access can be guarded against at the hardware level,
           for example with a BIOS password. Even someone who can reach the machine
           cannot then easily boot the system or make configuration changes to it.

           Inventory taking is also important to prevent physical loss. Missing parts or
           differences in configuration should be reported and investigated.


           Guidelines

                ● Consult the Contractors for the physical and hardware security policy,
                  which should at least include the following aspects:-
                        - server machines and backup media location and access
                        - list of users authorized to access them
                        - BIOS security
                        - hardware and software inventory list



           Examples

           Scenario
           School A drafted a physical and hardware security policy for her school LAN
           and the following shows the details:-

                 1) The server machines should be kept in the server room. The room should
                    be locked and restricted to authorized persons only.
                 2) Backup tapes and the System Recovery Kit should be stored in a data safe
                    away from the server room.
                 3) The system BIOS password should be enabled and made known to the
                    school LAN administrators only.
                 4) Disable access to removable drives on the server, and set the BIOS boot
                    order to boot from the hard disk first and from the floppy disk or
                    CD-ROM drive second. This also helps protect the server from boot
                    sector viruses.
                 5) Develop an inventory table and periodically check the hardware
                    configuration, original software packages and number of data backup
                    tapes.







5.2.       WINDOWS NT SECURITY
           Windows NT provides security controls over various aspects of a network and
           this section discusses the following aspects:

                   ● Account and Password Policy
                   ● Control on System and File Accesses
                   ● Audit Policy and Security Log

           Setting passwords is essential for network security. Passwords help ensure that
           unauthorized users cannot access the computer even if they can reach the
           system locally or remotely. Apart from choosing a strong password, the account
           policy settings in Windows NT can further safeguard the system.

           In Windows NT, users are granted permissions and rights to access resources
           on the network. A permission is associated with an object and lets a user
           access a resource such as a file, a directory or a printer. A right is associated
           with the system and lets a user perform a system task such as changing the
           system clock time.

           Furthermore, the Windows NT auditing system can track events in user
           accounts and the file system. Success and/or failure events can be tracked to
           give a better picture of what the system and users are doing.



5.2.1. Account and Password Policy
           Adopting a good password policy is one of the most effective ways to ensure
           system security. Apart from selecting a good password, several of the Windows
           NT account policy settings, such as minimum password length, password
           uniqueness, reset count and lockout duration, can be used to further
           safeguard the system.


           Guidelines

                ● Consult the Contractors for the account and password policy, with focus on
                  the following issues:-
                           - login process
                           - use of strong passwords



           Examples

           Scenario
           School A drafted the account and password policy for her school LAN and the
           following shows the details:-







           account policy
               ● The screen should lock after 30 minutes of inactivity during computing
                 sessions, and users are required to re-enter their password after the lock.
               ● Users should log off every time they leave their workstation
                 unattended.
               ● The user login name should be cleared from the login dialog box after the
                 user has logged out.
               ● The server machine should be set to allow local logon only.

           password selection
               ● Passwords should be at least 8 characters long.
               ● Users should choose a password that is easy to remember and yet
                 complex. For example, IhlaKCf8y (I have lived at Kwai Chung
                 for 8 years).
               ● Personal identification information such as the user's name should be
                 prohibited from being used in passwords.
               ● Passwords should be non-dictionary words.
               ● Notify users that passwords should never be written down.
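The password selection rules above, checked mechanically as an added example (not part of the guidelines and not a Windows NT feature): the script accepts the guideline's own IhlaKCf8y and rejects constructed weak passwords. It assumes "complex" means at least three character classes and uses a small constructed word list in place of a real dictionary.

```python
"""Password policy checker for the School A rules above.  Added example; the
"complex" rule is read as "at least three of lower-case, upper-case, digit,
punctuation" (assumption), and DICTIONARY is a constructed stand-in for a real
word list."""
import string
from typing import List

# Constructed stand-in for a dictionary file; a real check would load a word list.
DICTIONARY = {"password", "teacher", "student", "school", "computer", "library",
              "welcome", "summer", "kwaichung"}

MIN_LENGTH = 8   # "Passwords should be at least 8 characters long"


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(classes)


def check_password(password: str, user_name: str, full_name: str = "") -> List[str]:
    """Return the policy rules the password violates (an empty list means accepted)."""
    violations = []
    lowered = password.lower()

    # Rule: minimum length
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    # Rule: no personal identification information such as the user's name.
    # Any login name or name part of three or more characters found inside fails.
    name_parts = {user_name} | set(full_name.split())
    for part in name_parts:
        part = part.lower()
        if len(part) >= 3 and part in lowered:
            violations.append(f"contains the user's name '{part}'")
            break

    # Rule: non-dictionary word.  Strip digits and punctuation first so that
    # "password1" or "Welcome!" are still caught.
    core = "".join(c for c in lowered if c.isalpha())
    if lowered in DICTIONARY or core in DICTIONARY:
        violations.append("is a dictionary word")

    # Rule: complex (assumption: at least three character classes)
    if character_classes(password) < 3:
        violations.append("uses fewer than three character classes")

    return violations


if __name__ == "__main__":
    # The guideline's own passphrase example passes; constructed weak ones do not.
    for pw, user in [("IhlaKCf8y", "chanm"), ("password1", "chanm"),
                     ("ChanMan99", "chanm"), ("Abc!2", "lee")]:
        result = check_password(pw, user, "Chan Man")
        print(f"{pw:12s} -> {'accepted' if not result else '; '.join(result)}")
```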




5.2.2. Control on System and File Accesses
           After logging on to the system, users can use the network resources with their
           assigned permissions and rights. As mentioned above, a permission is always
           associated with network objects and resources, and a right is always
           associated with the system.

           Rights and permissions can be assigned to individual users or to groups of users.
           Windows NT automatically assigns many rights to specific built-in groups.
           Schools should understand these groups when controlling user rights.

           Various settings in Windows NT can be applied for network security. The setup
           and configuration of domains, groups, accounts, profiles, policies and scripts
           are all useful tools in controlling the permissions and rights of users. Schools
           should work closely with the Contractors on deciding the corresponding
           technical options.


           Guidelines

                ● Consult the Contractors for the Windows NT user rights for each group of
                  users.

                ● Consult the Contractors for a resource-sharing plan and the access rights on
                  the network resources.






           Examples

           Scenario
           School A drafted the user right and file permission settings for her school
           LAN and the following shows the details:-

           user right security settings
               Aspects    Items                                                   Administrator   Teacher   Student
               System     Modify system settings                                  Yes             Yes       Yes
                          Change system date and time                             Yes             Yes       Yes
                          Modify network configurations                           Yes             No        No
                          Modify printer settings                                 Yes             Yes       Yes
                          Use system utilities like User Manager and              Yes             Yes       No
                          Disk Administrator
                          Access the system through the MS-DOS prompt             Yes             Yes       No
                          Save settings on exit                                   Yes             Yes       No
                          Perform message auditing and view the security log      Yes             No        No

           user file permission settings
               Aspects    Items                                                   Administrator   Teacher   Student
               File       Delete system files from the hard disk of the           Yes             No        No
               System     workstation
                          Store files in own home directory                       Yes             Yes       Yes
                          Store files in directories other than own home          Yes             Yes       No
                          directory




5.2.3. Audit Policy and Security Log
           Auditing and logs help collect and monitor events on the server and network
           so that security violations can be tracked. In addition, the activities of users
           can be logged so that malicious activities can be traced.

           Schools can specify that an audit entry is to be written to the security event log
           whenever certain actions are performed or files are accessed. The audit entry
           shows the action performed, the user who performed it, and the date and time of
           the action. Schools can audit both successful and failed attempts at actions to
           uncover unauthorized actions.


           Guidelines

                ● Adopt an audit policy to keep track of system events according to schools'
                  own requirements.








           Examples

           Scenario
           School A drafted an audit policy for her school LAN and the following shows
           the details:-

                 1) Audit events such as “User and Group Management” and “Security
                    Policy Changes”, and failed “logon” attempts.

                 2) Set the initial size of the security log file to 2 MB.

                 3) Use Performance Monitor to ensure that designated individuals (e.g.
                    school LAN administrators) receive alerts about security-related
                    events such as excessive failed logon attempts.

                 4) Ensure that only authorized individuals have access to audit files.
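An added example (not from the guidelines) of the alert in item 3 above, run over a constructed text export of the security log: it flags an account with five or more failed logons within ten minutes. The line format, the threshold and the window are assumptions; event ID 529 is Windows NT's "logon failure" event.

```python
"""Detect excessive failed logon attempts in an exported security log.
Added example.  SAMPLE_LOG is a constructed export, one event per line:
date time event-id outcome user workstation.  THRESHOLD and WINDOW are
assumptions chosen for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

FAILED_LOGON_EVENT = 529        # Windows NT: logon failure (bad user name or password)
THRESHOLD = 5                   # assumption: alert on the 5th failure ...
WINDOW = timedelta(minutes=10)  # ... within any 10-minute window

# Constructed sample export: one user mistypes once, then a burst hits 'admin'.
SAMPLE_LOG = """\
1999-06-14 08:01:12 528 Success chanm WS01
1999-06-14 08:03:40 529 Failure leekw WS02
1999-06-14 08:04:02 528 Success leekw WS02
1999-06-14 22:15:01 529 Failure admin RAS01
1999-06-14 22:15:09 529 Failure admin RAS01
1999-06-14 22:15:20 529 Failure admin RAS01
1999-06-14 22:15:33 529 Failure admin RAS01
1999-06-14 22:15:47 529 Failure admin RAS01
1999-06-14 22:16:02 529 Failure admin RAS01
1999-06-15 07:50:00 529 Failure admin WS03
"""


def parse_line(line: str) -> Tuple[datetime, int, str, str, str]:
    """Split one exported event line into (time, event id, outcome, user, station)."""
    day, clock, event_id, outcome, user, station = line.split()
    return datetime.fromisoformat(f"{day} {clock}"), int(event_id), outcome, user, station


def find_excessive_failures(log_text: str) -> List[Tuple[str, str, datetime, int]]:
    """Return (user, workstation, time of the failure that crossed the threshold,
    failures in window) for every account exceeding THRESHOLD within WINDOW.
    One alert is raised per account per burst, not one per extra failure."""
    recent = defaultdict(deque)      # user -> timestamps of failures still in window
    alerted = set()                  # users already alerted for the current burst
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, event_id, outcome, user, station = parse_line(raw)
        if event_id != FAILED_LOGON_EVENT:
            continue
        window = recent[user]
        window.append(when)
        # Drop failures older than WINDOW so the deque holds only the live burst.
        while window and when - window[0] > WINDOW:
            window.popleft()
        if len(window) < THRESHOLD:
            alerted.discard(user)    # burst has died down; re-arm the alert
        elif user not in alerted:
            alerted.add(user)
            alerts.append((user, station, when, len(window)))
    return alerts


if __name__ == "__main__":
    for user, station, when, count in find_excessive_failures(SAMPLE_LOG):
        print(f"ALERT {when:%Y-%m-%d %H:%M:%S} {user} from {station}: "
              f"{count} failed logons within {WINDOW}")
```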







5.3.       DATA SECURITY
           In this section, we discuss the data security of the school LAN by preventive
           and recovery means. In general, data security protects the school LAN against
           loss of data. The following issues are included:

                   ● Virus Protection
                   ● Fault-tolerant Disk Systems
                   ● Uninterruptible Power Supply (UPS)
                   ● Backup and Recovery

           Computer virus intrusion can corrupt or even destroy data and should be
           prevented. Data loss and network downtime caused by storage media failure or
           power failure can be prevented by fault-tolerant disk systems and UPS. Lastly,
           if data is lost or corrupted for any reason, it is restored by means of the backup
           and recovery process.



5.3.1. Virus Protection
           Computer viruses are programs or pieces of code that can cause system
           malfunctions and data loss. Generally, viruses are propagated via floppy
           diskettes or data transmitted through communication channels.

           It is likely that users will unwittingly introduce a virus into the school LAN by
           downloading files from the Internet, or by copying files from their home PC.
           So one of the best ways to keep the school LAN safe from viruses is by
           educating users.


           Guidelines

                ● Consult the Contractors for an anti-virus policy to protect the school
                  computer system from virus intrusion.



           Examples

           Scenario
           School A drafted an anti-virus policy for her school LAN and the following
           shows the details:-

                    1) Install a memory-resident anti-virus program on all workstations and
                       server machines for continuous virus monitoring.

                    2) All installed software, programs or documents should be scanned
                       with an anti-virus program before they are loaded onto the server or
                       workstations.

                    3) Educate users about viruses and request them to report immediately if
                       a virus is found. Let users realize how much damage a virus can
                       inflict.

                    4) Illegal copies of software are regarded as the most common source
                       of viruses. Software products should only be acquired from
                       authorized agents.

                    5) All files from unknown sources, such as Internet downloads or floppy
                       disks, should be scanned.

                    6) Stop using a machine when it is suspected of being infected by a virus.




5.3.2. Fault-tolerant Disk Systems
           Redundant Array of Independent Disks (RAID) technology is the most
           commonly used method to improve performance and resistance to disk faults.
           Among all available levels, RAID-5 is the most popular one.

           RAID-5 technology uses redundant parity information to facilitate error
           correction. All data together with the parity information is spread across
           multiple disks in a process called striping, which requires n+1 disks to
           yield a usable disk space equivalent to n disks.

           With a RAID-5 system installed, failure of any one disk within the RAID stack
           can be recovered from by replacing the damaged disk with a good one; the
           contents of the lost disk are rebuilt from the data and parity on the remaining
           disks. Hardware RAID controllers provide more features such as stand-by disks
           and on-line stack expansion.
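The n+1 striping and single-disk rebuild described above, worked through as an added example (not from the guidelines): a small Python model of a RAID-5 array stripes constructed data across four disks with rotating parity, loses one disk, and rebuilds it with XOR. The strip size and disk count are assumptions chosen to keep the output readable.

```python
"""RAID-5 striping with distributed parity.  Added example; shows why n+1 disks
give the capacity of n, and how any single failed disk is rebuilt from the
survivors with XOR.  STRIPE_UNIT of 4 bytes is an assumption for readability
(real arrays use kilobytes)."""
from typing import List, Optional

STRIPE_UNIT = 4  # bytes per strip


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length byte strings together (the parity operation)."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, b in enumerate(block):
            out[i] ^= b
    return bytes(out)


def write_raid5(data: bytes, n_disks: int) -> List[List[bytes]]:
    """Lay data out over n_disks disks: each stripe holds n_disks-1 data strips
    plus one parity strip, with the parity disk rotating per stripe (RAID-5,
    as opposed to RAID-4's fixed parity disk)."""
    data_per_stripe = STRIPE_UNIT * (n_disks - 1)
    padded_len = -(-len(data) // data_per_stripe) * data_per_stripe  # ceil to stripes
    data = data.ljust(padded_len, b"\0")
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s in range(padded_len // data_per_stripe):
        chunk = data[s * data_per_stripe:(s + 1) * data_per_stripe]
        strips = [chunk[i:i + STRIPE_UNIT] for i in range(0, data_per_stripe, STRIPE_UNIT)]
        parity_disk = (n_disks - 1 - s) % n_disks   # parity moves one disk left per stripe
        parity = xor_blocks(strips)
        it = iter(strips)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(it))
    return disks


def rebuild_disk(disks: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Reconstruct every strip of disk `failed` from the other disks.  The XOR of
    all surviving strips in a stripe equals the missing strip, data or parity alike."""
    survivors = [d for i, d in enumerate(disks) if i != failed and d is not None]
    stripes = len(survivors[0])
    return [xor_blocks([d[s] for d in survivors]) for s in range(stripes)]


def read_raid5(disks: List[List[bytes]], length: int) -> bytes:
    """Read the original data back by skipping each stripe's parity strip."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = (n_disks - 1 - s) % n_disks
        for d in range(n_disks):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out[:length])


def usable_capacity(n_disks: int, disk_size: int) -> int:
    """RAID-5 usable space: n+1 disks yield the space of n (one disk's worth is parity)."""
    return (n_disks - 1) * disk_size


if __name__ == "__main__":
    payload = b"School A timetable 1999-2000, room 202 bookings"  # constructed sample
    array = write_raid5(payload, 4)            # 4 disks: 3 data + 1 parity per stripe
    lost = array[2]
    array[2] = None                            # simulate disk 2 failing
    array[2] = rebuild_disk(array, 2)          # replace it and rebuild from survivors
    print("rebuilt disk matches:", array[2] == lost)
    print(read_raid5(array, len(payload)))
```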


           Guidelines

                ● Use a hardware RAID 5 solution for all types of servers (Entry-level,
                  Standard- and High-performance servers).




5.3.3. Uninterruptible Power Supply (UPS)
           An uninterruptible power supply (UPS) provides temporary power when the
           local power fails. It is usually rated to provide a specific amount of power for a
           specific period of time. Usually, all that is needed from a UPS is time to shut
           down the system in an orderly fashion by terminating processes and closing
           sessions.


           Guidelines

                ● Incorporate UPS devices for school LAN servers, and provide time for the
                  servers to shut down during power failure.

                ● Test and ensure that the UPS guarantees a minimum of 10 minutes for the
                  servers and any other connected equipment to perform a graceful shutdown
                  before rolling out the school LAN.

                ● Work closely with the Contractors to determine which server peripherals
                  should be connected to the UPS, with consideration of the school's own
                  environment.



           Examples

           Scenario
           School A has 1 server and 70 workstations in her school LAN. There is a
           backbone switch in the server room for connecting all the floor level switches
           through optical fibres. The server machine is directly connected to the
           backbone switch.

           School A planned to incorporate a UPS for both the server machine and the
           backbone switch. The UPS can guarantee 10 minutes for the server and the
           backbone switch to shut down. So in case of power failure in the server room,
           there is still time for the server to shut down by the normal procedure and to
           send alert messages to the workstations in the school LAN through the
           backbone switch.







5.4.       SYSTEM BACKUP AND RECOVERY
           If data on the network is corrupted, system backup and recovery can restore
           it. Data on the main server must be backed up regularly and the backup tapes
           should be stored in a safe place.

           A proper system backup policy and procedure should be developed. The
           procedure should be fully automatic with minimal administrator interaction.
           The procedure must be able to back up and recover the entire disk system.

           Schools should consult the Contractors to tailor a suitable backup and recovery
           system to the school LAN.


           Guidelines

                ● Develop and adopt a backup strategy which includes file coverage,
                  backup time, tape-rotation schedule, tape label and log book formats,
                  off-site location, etc., according to the school's unique requirements.



           Examples

           Scenario
           School A drafted a backup policy for her school LAN and the following shows
           the details:-


           Emergency Repair Disk (ERD)

                a) Create an ERD during server setup.

                b) Update the ERD or create a new disk every time schools make a
                   significant change to the hardware or software setup for the servers,
                   such as changing the partition structure, changing device drivers or
                   other hardware, or installing new applications.


           19 Tapes-rotation Schedule

                 Rotating tapes used during backup is common practice. One of the
                 tape-rotation schedules is the 19 tapes-rotation schedule. This schedule
                 uses the same 4 tapes Monday through Thursday for differential backups,
                 and 3 tapes are used for weekly normal backups (performed each Friday).
                 The remaining 12 tapes are used for monthly normal backups and are
                 stored off-site.
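The 19-tape schedule as an added example (not from the guidelines): a function that names, for any date, the tape and backup type to use. Assumptions, labelled in the code: the last Friday of each month takes that month's monthly tape, the other Fridays cycle through the three weekly tapes by ISO week number, and no backup runs at weekends.

```python
"""Tape selection for the 19-tape rotation: 4 daily differential tapes (Mon-Thu),
3 weekly normal tapes (Fridays) and 12 monthly normal tapes stored off-site.
Added example; which Friday gets the monthly tape and how weekly tapes cycle
are assumptions noted below."""
from datetime import date, timedelta
from typing import List, Optional, Tuple

DAILY_TAPES = ["Mon-Diff", "Tue-Diff", "Wed-Diff", "Thu-Diff"]   # 4 tapes, reused weekly
WEEKLY_TAPES = ["Week-1", "Week-2", "Week-3"]                     # 3 tapes, normal backups
MONTHLY_TAPES = [f"Month-{m:02d}" for m in range(1, 13)]          # 12 tapes, stored off-site


def is_last_friday(d: date) -> bool:
    """True if d is a Friday and no other Friday follows it in the same month."""
    return d.weekday() == 4 and (d + timedelta(days=7)).month != d.month


def tape_for(d: date) -> Optional[Tuple[str, str, bool]]:
    """Return (tape label, backup type, store off-site) for date d, or None when
    no backup is scheduled (assumption: nothing runs on Saturday or Sunday)."""
    wd = d.weekday()                      # Monday == 0
    if wd <= 3:                           # Mon-Thu: differential onto a fixed daily tape
        return DAILY_TAPES[wd], "differential", False
    if wd == 4:                           # Friday: normal backup
        if is_last_friday(d):             # assumption: month-end Friday -> monthly tape
            return MONTHLY_TAPES[d.month - 1], "normal", True
        # assumption: other Fridays cycle the 3 weekly tapes by ISO week number
        return WEEKLY_TAPES[(d.isocalendar()[1] - 1) % len(WEEKLY_TAPES)], "normal", False
    return None


def tape_on(year: int, month: int, day: int) -> Optional[Tuple[str, str, bool]]:
    """Convenience wrapper around tape_for for a calendar date."""
    return tape_for(date(year, month, day))


def month_schedule(year: int, month: int) -> List[Tuple[str, str, str, bool]]:
    """List (ISO date, tape, type, off-site) for every backup day in the month."""
    rows = []
    d = date(year, month, 1)
    while d.month == month:
        entry = tape_for(d)
        if entry:
            rows.append((d.isoformat(), *entry))
        d += timedelta(days=1)
    return rows


if __name__ == "__main__":
    # June 1999, the month these guidelines were issued
    for iso, tape, kind, offsite in month_schedule(1999, 6):
        print(f"{iso}  {tape:9s} {kind:12s} {'off-site' if offsite else 'on-site'}")
```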








           Backup Policy

                     ● The Contractors should prepare a “Workstation Recovery Kit” for
                       reinstallation or recovery of networked workstations.
                     ● Set the backup process as a scheduled service that automatically backs up
                       files at a preset time on each backup day (e.g. 11:45 pm).
                     ● Perform backups when the fewest people are using the network. If
                       many files are in use, the backup might not accurately reflect the
                       school LAN.
                     ● Perform a verify operation after every backup.
                     ● Label tapes sequentially with the date, the type of backup (normal,
                       incremental or differential) and complete information regarding tape
                       contents.
                     ● Keep a log book for the backup schedule and tapes used.
                     ● Store backup tapes in cool, humidity-controlled locations free of
                       magnetic fields.
                     ● Find an off-site location to store the monthly normal backup tapes.
                       This can be a vault or other place that protects them against fire,
                       water, theft and other hazards.
                     ● Leave workstation backups to individual users.
                     ● Clean the tape device once a month.








6.         EXTENDIBILITY
           The school LAN may have connections to other networks or computers that
           may be located inside and outside the school. Typical examples are teachers and
           students accessing the Internet from the school LAN, and teachers accessing the
           school LAN from their computers at home through telephone lines. All these
           are under the scope of extendibility of the school LAN. In this chapter, three
           common types of school LAN extensions are discussed and they are:-

                         ● remote access service (RAS)
                         ● Internet access
                         ● integration with existing systems







6.1.       REMOTE ACCESS SERVICE (RAS)
           Users on remote computers use dial-up software to connect to the RAS
           server on the school LAN through telephone lines. The users may then work as
           if they were connected directly to the school LAN. A Windows NT Server may
           be readily configured as a RAS server. Several aspects have to be considered
           when implementing the remote access service. Schools may decide on their own
           Remote Access Plan, which may include areas like:-

                         ● concurrent connections
                         ● accessible resources
                         ● security measures



6.1.1. Concurrent Connections
           Each concurrent connection of the RAS requires a separate modem and a
           separate telephone line on the server, plus another modem and telephone
           line on the remote computer.

           There are usually only two serial ports on a server for connecting modems,
           and these ports may be occupied by other devices. If the number of concurrent
           connections required for the RAS is more than the number of serial ports
           available on the server, a multi-port WAN adapter may be installed on the
           server to provide more serial ports.

           Schools are advised to decide on the number of concurrent connections of the
           RAS at the design stage, so that the list of necessary hardware devices to be
           purchased can be determined.


           Guidelines

                ● Decide on the number of concurrent connections for the RAS according to
                  schools' own requirements.

                ● Ensure that there are sufficient modems and telephone lines to support the
                  planned number of concurrent connections on both the remote computers
                  and the RAS server.

                ● Ensure that a multi-port WAN adapter is in the hardware shopping list if
                  the number of serial ports available on the server is not sufficient for the
                  planned number of concurrent connections.






           Examples

           Scenario
           In school A, 20 teachers have computers at home and may connect to the school
           LAN at night and in holidays through RAS. Since not all the teachers will
           connect to the school LAN remotely at the same time, after evaluating the
           computer usage pattern of the teachers, school A decided to set up 4 concurrent
           connections for the RAS server.

           In considering the hardware equipment list, school A will need to purchase a
           multi-port WAN adapter and 4 modems for the server and install 4 telephone
           lines at the location near the server. Besides, the home computers of the
           teachers should also be equipped with a modem, e.g. desktop PC with an
           internal/external modem or a notebook computer with a PC card modem.




6.1.2. Accessible Resources
           The shared resources on the school LAN that remote users will make use of are
           most probably files and directories. It is not common to use shared printers on
           a network remotely. If the RAS server is also the file server on the school LAN,
           schools may consider exposing only the RAS server, instead of the whole
           school LAN, to the remote users. In other words, users connecting to the
           school LAN remotely can only get access to shared resources on the RAS server
           and have no access to the other shared resources on the school LAN.


           Guidelines

                ● Allow users to remotely access the RAS server only, instead of the whole
                  school LAN, if the RAS server is also the file server on which most shared
                  files are stored.



           Examples

           Scenario
           A teacher with RAS permission can dial in to the school's RAS server and then
           access shared directories as if his or her workstation were directly attached to the
           school LAN, subject to the normal Windows NT security controls.






6.1.3. Security Measures
           The RAS server authenticates users when they log on to the school LAN
           remotely. This may be regarded as the most basic security measure of the RAS.
           If the RAS server is a Windows NT Server, the user accounts on the Windows
           NT network will be used for the authentication. The Dial-In permission should
           be assigned to the user accounts that require remote access to the school LAN.
           Schools are advised to keep a list of the users who are authorized to access the
           school LAN remotely.

           Schools may also restrict the locations from which remote computers can
           access the school LAN through RAS by using the Call-back feature of the RAS
           server. The RAS server can be configured to call back a predetermined or
           user-specified telephone number for each connection initiated by a remote
           computer. With a predetermined number, only the remote computers at the
           specified locations can get access to the school LAN. Schools may consider
           using the Call-back feature if more secure dial-up authentication is needed.

           For remote access users, the same Windows NT user accounts are used to log
           on to the school LAN both in the school and remotely. The users, when
           connected to the school LAN remotely, are guarded by the same Windows NT
           security controls as if they were logged on to the network locally. In addition,
           the activities of the remote users can also be traced through the Windows NT
           audit policy.

           Guidelines

                ● Keep a record of the users who are authorized to access the school LAN
                  remotely.

                ● Use the Call-back feature if more secure dial-up authentication is needed.

                ● Log RAS activities so that school LAN administrators can audit
                  RAS-related events such as failed logon attempts and the duration of
                  remote connections.



           Examples

           Scenario
           School A drafted a policy for the RAS service in her school LAN and the
           following shows the details:-

                    1) Grant RAS permission to selected teachers only (e.g. school LAN
                       administrators and teachers who frequently prepare electronic
                       curriculum).




November, 11                                                                               6-4
Technical Guidelines for School LAN Implementation
under the IT in Education project
Part I: LAN Design Guidelines                                                     Extendibility


                    2) Use “Call-back” to a preset number, that is, a number that cannot
                       be specified by the caller, so that only users at specific
                       locations are permitted access to the RAS server.

                    3) A teacher with RAS permission can dial in to the school's RAS
                       server and then access shared directories as if his or her
                       workstation were directly attached to the school LAN, subject to
                       the normal Windows NT security controls.
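           The following Python program is an added example; it is not part of the
           original guideline and it is not a Windows NT tool. It models the School A
           policy above (dial-in permission granted to selected accounts, Call-back to a
           preset number) and then audits a few constructed RAS event records of the
           kind the guideline says should be logged: failed logon attempts and the
           duration of remote connections. The user names, telephone numbers and the
           event line format are assumptions made for this example; real RAS events are
           recorded in the Windows NT Event Log.

```python
# Added example: not part of the original guideline and not a Windows NT tool.
# It models the School A policy above (dial-in permission plus Call-back to a
# preset number) and then audits a few constructed RAS event records of the
# kind the guideline says should be logged. User names, telephone numbers and
# the event format are assumptions made for this example.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# The three Call-back settings Windows NT RAS offers per user account.
NO_CALLBACK = "no call back"
SET_BY_CALLER = "set by caller"
PRESET = "preset to"


@dataclass
class RasPermission:
    dial_in: bool
    callback: str
    preset_number: Optional[str] = None


# Constructed RAS permissions for School A (assumed names and numbers).
PERMISSIONS = {
    "lanadmin": RasPermission(True, PRESET, "2345-6789"),
    "teacher1": RasPermission(True, PRESET, "2987-6543"),
    "student1": RasPermission(False, NO_CALLBACK),
}


def callback_number(user: str, caller_number: Optional[str]) -> Optional[str]:
    """Number the RAS server rings back after the caller authenticates.

    None  -> the account has no dial-in permission, the call is refused.
    ""    -> no Call-back, the session continues on the caller's line.
    Only PRESET ties the session to a location chosen by the administrator;
    SET_BY_CALLER lets the caller name any number and adds no assurance."""
    perm = PERMISSIONS.get(user)
    if perm is None or not perm.dial_in:
        return None
    if perm.callback == PRESET:
        return perm.preset_number            # the caller's own number is ignored
    if perm.callback == SET_BY_CALLER:
        return caller_number
    return ""


# Constructed RAS event records: "date time user event". Real RAS events live
# in the Windows NT Event Log; this simplified layout is only for the example.
RAS_EVENTS = """\
1999-06-07 18:02:11 teacher1 LOGON_FAILED
1999-06-07 18:02:40 teacher1 LOGON_FAILED
1999-06-07 18:03:05 teacher1 CONNECTED
1999-06-07 19:33:05 teacher1 DISCONNECTED
1999-06-07 22:10:00 student1 LOGON_FAILED
1999-06-07 22:10:30 student1 LOGON_FAILED
1999-06-07 22:11:00 student1 LOGON_FAILED
1999-06-07 22:11:30 student1 LOGON_FAILED
1999-06-08 07:30:00 lanadmin CONNECTED
"""


def audit_ras_events(text: str, fail_threshold: int = 3):
    """Per-user failed logons and session durations in minutes.

    Returns (summary, flagged): summary maps user -> {"failed", "sessions",
    "open"}; "open" is True when a CONNECTED has no matching DISCONNECTED yet.
    flagged lists users with at least fail_threshold failed logons, the
    pattern an administrator would look at first (password guessing, or an
    account such as student1 that should have no dial-in permission at all)."""
    summary, started = {}, {}
    for line in text.splitlines():
        date, clock, user, event = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        rec = summary.setdefault(user, {"failed": 0, "sessions": [], "open": False})
        if event == "LOGON_FAILED":
            rec["failed"] += 1
        elif event == "CONNECTED":
            started[user] = ts
            rec["open"] = True
        elif event == "DISCONNECTED" and user in started:
            minutes = int((ts - started.pop(user)).total_seconds() // 60)
            rec["sessions"].append(minutes)
            rec["open"] = False
    flagged = sorted(u for u, r in summary.items() if r["failed"] >= fail_threshold)
    return summary, flagged


if __name__ == "__main__":
    print(callback_number("teacher1", "9999-9999"))   # preset number wins
    summary, flagged = audit_ras_events(RAS_EVENTS)
    for user, rec in summary.items():
        print(user, rec)
    print("flagged:", flagged)
```

           Note that the two functions answer different questions: callback_number
           shows why the preset number, and not a caller-supplied one, is the setting
           that ties a session to a location, while audit_ras_events shows what the
           RAS log gives the administrator once it is kept: repeated failures against
           an account that has no dial-in permission at all (student1 here) are worth a
           look even though every attempt was refused.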







6.2.       INTERNET ACCESS
           The connection methods for Internet access in schools are not discussed
           here. Readers who want to know about Internet connections should refer to
           Circular Memorandum No. 574/98 – Hiring of Internet Access Services, issued
           by the Education Department to heads of all schools.

           There are, however, several aspects that schools should consider when
           extending their school LANs to the Internet:-

                 ●    valid IP address range
                 ●    user accessibility to Internet resources
                 ●    performance enhancement



6.2.1. Valid IP Address Range
           The school LAN needs a valid IP address range for Internet access. A valid
           range is one that follows the address allocation rules of the Internet
           registry (InterNIC): either public addresses assigned to the school, or
           addresses from the ranges reserved for private networks (see section 7.3 in
           Appendix A), which never collide with the addresses of hosts on the Internet.
           The IP address range recommended by the Education Department is drawn from
           the private range and is therefore valid in this sense. Note that private
           addresses are not routed on the Internet, so Internet access from them must
           pass through a proxy server or an address-translating gateway at the
           school's Internet connection. Schools that have used an address range other
           than the recommended one should consult the Contractors on its readiness
           for Internet access.


           Guidelines

               ●  Ensure that the IP address range used on the school LAN is a valid
                  address range for Internet access.




6.2.2. User Accessibility to Internet Resources
           Connecting the school LAN to the Internet does not by itself mean that
           users can access Internet resources. There are different types of resources
           on the Internet and they are accessed with different applications. For
           example, users must have a web browser available under their user accounts
           if they are to access the World Wide Web (WWW). Schools should decide which
           types of Internet resources are to be made available to which users, and
           ensure that the corresponding applications, and only those, are available
           to those users' accounts.

           Guidelines

               ●  Plan for the types of Internet resources available to users.

               ●  Ensure that the corresponding applications are available to the user
                  accounts of those users.







6.2.3. Performance Enhancement
           When a user accesses information on the Internet, the data are actually
           transferred from the remote computer to the user's local computer. The file
           size and the location of the remote computer affect the transfer rate.

           A proxy server can increase the efficiency of accessing certain types of
           data on the Internet, for example web pages. The proxy server keeps a copy
           of data that users previously retrieved from the Internet. If the same
           piece of data is requested again, it is served from the proxy server's
           cache rather than fetched from the Internet site again and again. This
           saves users' waiting time and reduces the traffic on the school's Internet
           link. Because every request then passes through one point, the proxy server
           is also the natural place to apply per-user access control and to log
           Internet use (see the scenario below).

           Though the Internet Service Provider (ISP) may already operate its own
           proxy servers, the performance of Internet access through the school LAN
           may be improved further if the school deploys its own proxy server.


           Guidelines

               ●  Deploy a proxy server to cache web sites for improving the performance
                  of Internet access through the school LAN.



           Examples

           Scenario
           School A planned to deploy a proxy server in its school LAN to improve the
           performance of Internet access through the school LAN and, at the same
           time, to control Internet access at the user level.

           Since a proxy server can provide user access control, with detailed user
           and group permission lists for the different Internet services, School A
           planned that Form 1 to 3 students have no Internet access, while Form 4 to
           6 students have Web access only. Teachers have Web and Internet e-mail
           services, and Administrators have unrestricted Internet services such as
           Web access, personal home page, e-mail, newsgroups and video-conferencing.







6.3.       INTEGRATION WITH EXISTING SYSTEMS
           There may be the following two types of existing systems in schools:-

                         ●   standalone machines
                         ●   networked machines

           For networked machines, instead of considering each machine individually,
           the network that those machines are connected to is considered as a whole
           for the integration.



6.3.1. Standalone Machines
           In incorporating existing standalone machines, the interoperability
           between the operating systems of those machines and Windows NT is the
           major concern. In addition, the operating system running on the standalone
           machines must support TCP/IP, which is the communication protocol used in
           the school LAN. Besides Windows NT Server and Windows NT Workstation, the
           following are examples of other operating systems that can interoperate
           with a Windows NT network:-

                         ●   Microsoft Windows 95 and 98
                         ●   Microsoft MS-DOS
                         ●   Novell NetWare servers and clients
                         ●   Apple Macintosh
                         ●   Unix

           These standalone machines may not be equipped with the hardware or
           software needed for networking. For example, a machine may not have a
           network adapter, which is the basic device required for networking.
           Schools may consult the Contractors for the list of hardware and software
           necessary for connecting these standalone machines to the school LAN and
           revise the preliminary hardware and software shopping lists accordingly.

           Not all systems can be tightly integrated with the Windows NT network;
           that is, the user accounts and security controls provided by Windows NT
           may not apply to them. For example, Windows NT user accounts cannot be
           used to log on to a Unix machine, which keeps its own accounts and
           passwords. Schools should formulate their requirements on security
           measures before connecting such machines to the school LAN, including who
           administers the machine's own accounts and which LAN resources it may
           reach. Similarly, schools need to work out their requirements for user
           administration and resource sharing on these machines. Schools may consult
           the Contractors for the details of these aspects.

           To access Windows NT servers, a client machine needs a Client Access
           Licence (CAL). Schools may have to purchase CALs for the integrated
           machines if they will access the Windows NT servers on the school LAN.








           Guidelines

               ●  Check whether the operating systems of the existing standalone
                  machines support TCP/IP and are interoperable with a Windows NT
                  network.

               ●  Ensure that the hardware and software items necessary for integrating
                  those existing standalone machines into the school LAN are included
                  in the shopping list.

               ●  Consult the Contractors for formulating the requirements on aspects
                  such as user administration, resource sharing and security measures
                  for those systems that cannot be tightly integrated with the
                  Windows NT network.

               ●  Ensure that the integrated machines have a Client Access Licence (CAL)
                  if they will access the Windows NT servers on the school LAN.



           Examples

           Scenario
           School A has several standalone 486 machines running DOS. These machines
           do not have a network adapter. School A decided to connect them to the
           school LAN, and needs the following items for the integration:-

                   -    a network adapter for each machine
                   -    a CAL for each machine that will access the Windows NT servers
                        on the school LAN
                   -    Microsoft LAN Manager client software, which has to be
                        installed on the DOS machines for connection to a Windows NT
                        network and which supports TCP/IP

           Since the Microsoft LAN Manager client software is supplied free with
           Windows NT Server, School A only needs to include a sufficient number of
           network adapters and CALs in its shopping list.




6.3.2. Networked Machines
           As mentioned, schools may consider the integration of networked machines
           as a whole, that is, integrating an existing network into the school LAN.

           The considerations for standalone machines mentioned above also apply to
           each individual networked machine. For the network as a whole, a network
           device such as a switch or router may be needed for connecting the
           existing network to the school LAN.

           Besides, there are concerns about the infrastructure of the final network,
           such as the number of domains, server roles, etc. If the network to be
           integrated is also a Windows NT network and is also used for teaching and
           learning, it is recommended that the final network consist of only one
           Windows NT domain for easier management and administration.

           Special attention should also be paid to user account management,
           resource sharing and the security policy during the integration. Schools
           should consult the Contractors on all these aspects.


           Guidelines

               ●  Apply the considerations for standalone machines mentioned in the
                  last section to individual networked machines.

               ●  Consult the Contractors for the network devices that are necessary
                  for connecting the existing network to the school LAN.

               ●  Integrate an existing Windows NT network that is also used for
                  teaching and learning with the school LAN into one Windows NT domain.

               ●  Consult the Contractors for the integration of the networks in aspects
                  such as user accounts, resource sharing and security policy.



           Examples

           Scenario 1
           The school LAN for School A is not built yet, but School A already has a
           Windows NT network for the MMLC. This network contains one Windows NT
           domain, one server as the PDC and 21 workstations. The PDC is configured
           with Per Server Licensing of 21 CALs.

           The school LAN will have one server and 60 workstations. These
           workstations will not be put into the MMLC. School A planned to integrate
           the school LAN with the MMLC network. After the integration, School A has
           the following requirements:-
                - there is only one Windows NT domain;
                - the server for the school LAN acts as the PDC;
                - the workstations outside the MMLC do not access the server in the
                     MMLC;
                - the workstations inside the MMLC may access the server for the
                     school LAN.







           Based on these requirements, the Contractors proposed the following:-
               - the server for the school LAN is configured as a BDC of the MMLC
                   domain during the initial installation. After integration, the
                   roles of BDC and PDC are swapped, so that the server for the school
                   LAN acts as the PDC and the server for the MMLC acts as a BDC. The
                   resulting network still consists of one domain.
               - Both servers are configured with Per Server Licensing. Since the
                   workstations outside the MMLC will not access the server in the
                   MMLC, 21 CALs are sufficient for that server. For the school LAN
                   server, 60 + 21 = 81 CALs should be purchased to cater for the
                   connections of the workstations both inside and outside the MMLC.

           Scenario 2
           School B has two servers and 60 workstations in its school LAN. One server
           acts as the PDC and the other as a BDC. Both servers are configured with
           Per Server Licensing of 60 CALs.

           School B is going to build a Windows NT network in the Computer
           Laboratory. This network consists of 1 server and 20 workstations. The
           server is placed in the server room together with the existing two
           servers. School B planned to integrate this network with the school LAN,
           with minimal impact on the school LAN. After the integration, School B has
           the following requirements:-
                 - there is only one Windows NT domain;
                 - the workstations outside the Computer Lab. do not access the
                     server for the Computer Lab.;
                 - the workstations inside the Computer Lab. may access all the
                     servers in School B.

           Based on these requirements, the Contractors proposed the following:-
               - the server for the Computer Lab. is configured as another BDC of
                   the school LAN domain, so the resulting network consists of one
                   Windows NT domain with 1 PDC and 2 BDCs.
               - all the servers are configured with Per Server Licensing. For each
                   of the existing two servers, 20 additional CALs should be purchased
                   for the connections from the workstations inside the Computer
                   Lab. The server for the Computer Lab. requires only 20 CALs, for
                   the connections of the workstations inside the Computer Lab.








7.         APPENDIX A – MORE INFORMATION FOR LAN DESIGN


7.1.       WINDOWS NT DOMAIN

           Domain Models
           Within a domain, administrators create one user account for each user.
           Users then log on once to the domain, not to each of the individual servers
           in the domain.

           The term domain does not refer to a single location or specific type of
           network configuration. Computers in a single domain can be located anywhere
           in the school.

           If schools plan to deploy more than one domain in the school LAN, they have
           to choose a domain model for the Windows NT network. A domain model is a
           grouping of one or more domains, with administration and communication
           (trust) links between them, arranged for the purpose of user and resource
           management. There are four domain models in total:-

                1)   Single Domain Model
                2)   Single Master Domain Model
                3)   Multiple Master Domain Model
                4)   Complete Trust Domain Model

           Schools may consult their Contractors on the features of each model before
           deciding on their network design.




7.2.       WINDOWS NT SERVER

           Primary Domain Controller and Backup Domain Controller
           The primary domain controller (PDC) tracks changes made to domain accounts. Whenever an
           administrator makes a change to a domain account, the change is recorded in the directory
           database on the PDC. The PDC is the only domain server that receives these changes directly. A
           domain has only one PDC.

           A backup domain controller (BDC) maintains a copy of the directory database. This copy is
           synchronized periodically and automatically with the PDC. BDCs also authenticate user logons,
           and a BDC can be promoted to function as the PDC. Multiple BDCs can exist in a domain.

           You create a domain when you install Windows NT Server on a computer and designate that
           computer as the PDC. There can be as many BDCs as needed in a domain to share the load of
           authenticating network logons. In a small organization, a PDC and a single BDC in one domain
           might be all that is required.

           Can a PDC and a BDC be converted into each other?
           Yes, since both hold the domain controller role: a BDC can be promoted to
           PDC, and the former PDC then becomes a BDC. A domain controller cannot,
           however, move between domains. That is, the PDC of domain A cannot become
           the PDC of domain B and vice versa.

           Can domain controllers and member servers be converted into each other?
           No. A member server has to be reinstalled if it is to become a domain
           controller, and vice versa.








           Conversion between Different Licensing Modes
           There is a one-time opportunity to convert from Per Server licensing to
           Per Seat licensing at no cost, using the Licensing option in Control Panel.
           It is not necessary to notify Microsoft to make this change. The conversion
           is one way: it is possible to convert from Per Server to Per Seat, but not
           the reverse.



7.3.       IP ADDRESS SCHEME

           Using Subnet Mask
           Each IP address has to be associated with a subnet mask, which identifies
           the network part and the host part of the address. The Education
           Department recommends the subnet mask 255.255.255.0. Under this
           recommendation the meaning of each number in an address is as follows:

                (a) The first number is fixed to 10, since 10.0.0.0 to 10.255.255.255 is
                    one of the address blocks reserved for private networks (RFC 1918)
                    as recognised by the Internet registry (InterNIC).

                (b) The first 3 numbers form the network ID denoting a subnet
                    (sub-network). Initially, 16 network IDs are reserved for each
                    school. Each subnet can accommodate up to 254 network hosts.

                (c) The last number is the host ID, which is controlled by schools for
                    address assignment within their own campuses.

           Though each school is assigned 16 subnets, schools should note that when
           more than one subnet is used, a router must be used to connect the subnets;
           otherwise the network nodes in different subnets cannot communicate.

           If a school is not equipped with a router but has more than 254 network
           nodes, it may consider a subnet mask other than 255.255.255.0. The subnet
           masks that schools may consider are listed below (all of them divide the
           same 16-network allocation, so a wider subnet means fewer subnets):-

            subnet mask        no. of subnets within   no. of hosts supported
                               the assigned range      in each subnet
            255.255.255.0               16                     254
            255.255.254.0                8                     510
            255.255.252.0                4                    1022
            255.255.248.0                2                    2046
            255.255.240.0                1                    4094

           However, schools should note that if there are too many nodes in one
           subnet, network performance is degraded, since all of them share the same
           broadcast domain. Schools are therefore advised to work closely with the
           Contractors in selecting the appropriate subnet mask.
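           The following Python program is an added example, not part of the original
           guideline. It derives the table above from the size of a school's
           allocation instead of copying it, shows the "same subnet or not" check that
           decides whether two hosts need a router between them, and checks whether
           an address lies in one of the private ranges of RFC 1918 (the reason the
           recommended 10.x.x.x range cannot collide with a public Internet host, as
           discussed in 6.2.1 and under "Benefits" below). The school block used,
           10.1.16.0/20 (16 consecutive class-C-sized networks), is an assumption for
           the example.

```python
# Added example, not part of the original guideline: subnet arithmetic for the
# 16 consecutive class-C-sized networks (a /20 block) that each school receives
# from the recommended 10.x.x.x range. The block below is assumed.
import ipaddress

SCHOOL_BLOCK = ipaddress.ip_network("10.1.16.0/20")   # assumed allocation

# The masks from the guideline's table, in the order it lists them.
CANDIDATE_MASKS = ("255.255.255.0", "255.255.254.0", "255.255.252.0",
                   "255.255.248.0", "255.255.240.0")

# Address blocks reserved for private networks by RFC 1918.
RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def prefix_of(mask: str) -> int:
    """Prefix length of a dotted mask, e.g. 255.255.254.0 -> 23."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def subnet_table(block=SCHOOL_BLOCK, masks=CANDIDATE_MASKS):
    """Derive (mask, subnets within the block, usable hosts per subnet)."""
    rows = []
    for mask in masks:
        p = prefix_of(mask)
        if p < block.prefixlen:
            raise ValueError(f"{mask} is wider than the school's /{block.prefixlen}")
        subnets = 2 ** (p - block.prefixlen)
        usable = 2 ** (32 - p) - 2   # network and broadcast addresses excluded
        rows.append((mask, subnets, usable))
    return rows


def network_of(host: str, mask: str) -> ipaddress.IPv4Network:
    """The subnet a host address belongs to under the given mask."""
    return ipaddress.ip_interface(f"{host}/{mask}").network


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True if a and b can exchange packets without a router under this mask."""
    return network_of(a, mask) == network_of(b, mask)


def subnets_in_use(hosts, mask: str):
    """Distinct subnets the hosts fall into; more than one means a router."""
    return sorted({str(network_of(h, mask)) for h in hosts})


def is_rfc1918(addr: str) -> bool:
    """True for addresses that can never collide with a public Internet host."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in RFC1918)


if __name__ == "__main__":
    for mask, n, hosts in subnet_table():
        print(f"{mask:16} {n:3} subnets  {hosts:5} hosts each")
    # Two hosts one network ID apart: separated under /24, together under /23.
    print(same_subnet("10.1.16.10", "10.1.17.10", "255.255.255.0"))
    print(same_subnet("10.1.16.10", "10.1.17.10", "255.255.254.0"))
    print(is_rfc1918("10.1.16.5"), is_rfc1918("11.0.0.1"))
```

           subnets_in_use is the check to run over a school's address plan before
           deciding against a router: if it returns more than one subnet under the
           mask in use, some hosts cannot reach each other. The 11.0.0.1 address in
           the usage lines is just an arbitrary address outside the private ranges.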


           Benefits of Using the Recommended IP Address Range
           Schools may decide to use any IP address range for their school LANs. As
           long as there is no address duplication, all the machines and devices on
           the school LAN are able to communicate with each other. However,
           communication outside the school LAN, e.g. Internet connections, is not
           guaranteed. By adopting the recommended address range, a school gains the
           following benefits:-

                (a) Collision with public addresses on the Internet is avoided. If a
                    school uses arbitrary IP addresses in its network, they may collide
                    with public addresses, and the Internet hosts holding those
                    addresses then become unreachable from the school LAN, because the
                    LAN's own route to that range takes precedence.






                  (b) The addresses are managed in a simple and systematic way, and
                      address duplication is easily avoided.

                  (c) Inter-school connections can be set up later without renumbering,
                      because each school has a unique IP address range.



7.4.       COMPUTER AND DEVICE NAMES

           Descriptions for the Computers and Devices
           Besides the computer name, a description may be added to computers and
           devices for illustrative purposes. Information such as location, owner and
           purpose may be included in the description. Since this description is
           shown beside the computer/device in Network Neighborhood and Windows NT
           Explorer, it helps users identify computers and devices when accessing the
           network. For example, machine U01D001C may carry the description “Student
           Computer in 3/F Computer Lab”.




           Existing Naming Convention for PCs in Previous ED Contracts
           The PCs in previous ED contracts have already been assigned computer names
           in the form SSS$###L (the language letter, written L here, is the last
           character of the name) where:

            Field    Meaning             Values     Remarks
            SSS      SAMS ID             A01-Z99    Each school is assigned an ID in
                                                    the SAMS project
            $        Machine Type        D, N       D for Desktop Computer
                                                    N for Notebook Computer
            ###      Serial Number       001-999    This number is assigned
                                                    sequentially
            L        Language Platform   C, E       C for Chinese
                                                    E for English

           The following shows an example on the actual assignment of the computer names:-






           School A has 2 desktop computers and 13 notebook computers. Each computer
           is installed with both Chinese and English Windows NT Workstation, so each
           carries one name per platform. The SAMS ID for School A is U01. Figure 6.2
           shows their computer names:

                 Desktop 1:    Chinese NT: U01D001C    English NT: U01D001E
                 Desktop 2:    Chinese NT: U01D002C    English NT: U01D002E
                 Notebook 1:   Chinese NT: U01N001C    English NT: U01N001E
                 Notebook 2:   Chinese NT: U01N002C    English NT: U01N002E
                 Notebook 3:   Chinese NT: U01N003C    English NT: U01N003E
                 ...
                 Notebook 13:  Chinese NT: U01N013C    English NT: U01N013E




           Periodic Review of the Naming Convention
           It is advised to review the naming conventions for computers and devices periodically in order
           to accommodate new device types.




7.5.       USER ADMINISTRATION

           User Accounts Settings for PCs in Previous ED Contracts
           The PCs in previous ED contracts are standalone (except those of the Sixth
           Form Computer Room Network). Users therefore log on to a PC with user
           accounts local to that PC. Changes made to user accounts on one PC do not
           take effect on another PC, since user accounts on different PCs are
           independent.
           Initially there are 3 local user accounts on each system of each PC (that
           is, on a dual-boot machine the Chinese and English Windows NT each have 3
           user accounts); they are Administrator, Teacher and Student, as shown in
           the following figure. These 3 accounts are common to, and shared by, the
           different groups of users.








                                      Existing Configurations
                              Local User Accounts on Standalone PCs

           [Figure: five standalone PCs, each with its own local Administrator,
            Teacher and Student accounts.]




           Administrator has the highest privilege, Teacher the next and Student the
           least. Student is restricted from tampering with the system through a
           mandatory user profile, system policies and permissions on files and
           directories. Some of their configurations are summarised below:

            User           Local Group     Password  Mandatory     Home       Logon   System  File and Directory
            Account                                  User Profile  Directory  Script  Policy  Permission
            Administrator  Administrators  Yes       No            No         No      No      Full Control
            Teacher        Power Users     Yes       No            No         No      No      Full Control
            Student        Users           No        Yes           Yes        No      Yes     Restricted

           Note that Student has no password and is shared by all students, so actions
           performed under it cannot be attributed to an individual: the Windows NT
           audit log can record only the account name.




           Periodic Review of User Account Policy
           It is recommended to review the user account policy periodically, as the
           school environment changes from time to time and different policies fit
           different situations.



           Built-in Global User Accounts
           There are built-in global user accounts for the domain, named Administrator
           and Guest. Their usage is summarised below:

           Administrator
           used to manage all the configurations in the Windows NT domain, such as
           administering user and group accounts, performing backup jobs, etc. It
           cannot be deleted and by default cannot be locked out, so it should carry a
           strong password and be used only for administration.

           Guest
           used to give occasional users the ability to log on and access resources on
           the local computer. It is disabled by default and should stay disabled
           unless there is a specific need for it.


           Built-in Local User Accounts
           There are also built-in local user accounts on each Windows NT Workstation
           and on each Windows NT Server that acts as a Member Server; they are also
           named Administrator and Guest. These two accounts give access only to that
           particular machine.






           Built-in Global Groups

           There are 3 built-in global groups in a Windows NT domain; their details
           are as follows:-

            Group Name      Description
            Domain Admins   By default, this built-in global group is a member of the
                            built-in local group Administrators, and it contains the
                            built-in user account Administrator of the domain.
                            All user accounts that are members of this global group
                            have administrator's rights in the domain.

            Domain Users    By default, this built-in global group is a member of the
                            built-in local group Users, and it contains all global user
                            accounts created in the domain.
                            All users that are members of this global group have
                            ordinary user rights in the domain.

            Domain Guests   By default, this built-in global group is a member of the
                            built-in local group Guests, and it contains the built-in
                            user account Guest.
                            All users that are members of this global group have
                            limited user rights in the domain.



           Periodic Review of User Account List
           The user account list must be reviewed periodically to remove unwanted accounts (for example,
           accounts of teachers or students who have left the school). Global user accounts are stored
           centrally in the primary domain controller (PDC) and can be managed centrally. Local user
           accounts, however, are stored on each standalone PC or notebook computer and must be handled
           individually on that machine. Schools should have an audit policy for user accounts that
           covers both kinds.


           Roaming User Profile
           All global user accounts should be roaming. That is, the profile is stored on a domain controller
           and is downloaded to the workstation during the logon process. Since profiles are stored centrally,
           a user can log on to the network from any workstation and get the same settings. See section 3.1.4
           for details.

           The bilingual problem arises precisely because global accounts are roaming, i.e. the desktop
           properties are stored on the server rather than on the workstation. The advantage of a roaming
           profile is that the user can log on at any workstation and retrieve his desktop settings. However,
           the retrieved settings are language dependent, so a profile created on a Chinese system may not
           work correctly on an English system, and vice versa.


           Contents of User Profile
           The settings saved in a user profile:
           Source                      Parameters
           Desktop                     All user-definable settings for the desktop appearance.
           Windows NT Explorer         All user-definable settings for Windows NT Explorer.
           Taskbar                     All personal program groups and their properties, all
                                       program items and their properties, and all Taskbar settings.
           Printers Settings           Network printer connections.
           Control Panel               All user-defined settings made in Control Panel.
           Accessories                 All user-specific application settings affecting the user's
                                       Windows NT environment, including Calculator, Clock,
                                       Notepad, Paint, and HyperTerminal, among others.
           Windows NT-based            Any application written specifically for Windows can be
           applications                designed so that it tracks application settings on a per-user
                                       basis. If this information exists, it is saved in the user
                                       profile.
           Online Help bookmarks       Any bookmarks placed in the Windows NT Help system.


           Windows NT Restrictions on User Account Names
           Windows NT imposes the following restrictions on the user account name:
                (a) the user name must be unique (names are compared case-insensitively);
                (b) the maximum length of an account name is 20 characters;
                (c) an account name may contain uppercase or lowercase characters, but not any of
                    the following special characters:
                     " / \ [ ] : ; | = , + * ? < >


           Chinese Characters in User Account Names
           Windows NT has no restriction on using Chinese characters in user account names; however, it is
           NOT recommended, because of the bilingual roaming profile problem described above.
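           The following Python function is an added example, not part of the original guidelines. It
           applies the naming rules above as a pre-check before an account is created in User Manager for
           Domains: uniqueness (compared case-insensitively, which is how Windows NT compares account
           names), the 20-character limit, the forbidden special characters, and a warning for Chinese or
           other non-ASCII characters. The rejection of names made up only of spaces and periods is an
           extra check that goes beyond the list on this page; the account names in the usage example are
           constructed.

```python
from typing import Iterable, List

MAX_NAME_LEN = 20
# The characters Windows NT does not allow in an account name (item (c) above).
FORBIDDEN = set('"/\\[]:;|=,+*?<>')


def check_account_name(name: str, existing: Iterable[str]) -> List[str]:
    """Return a list of problems with `name`; an empty list means it is acceptable.

    `existing` holds the account names already present in the domain (or on the
    local machine for a local account). Entries beginning with "warning:" do not
    block creation but flag a choice the guidelines advise against.
    """
    problems: List[str] = []
    # Extra check (assumption, not from the page): a name of only spaces/periods is useless.
    if not name.strip(" ."):
        problems.append("name must contain a character other than space or period")
    if len(name) > MAX_NAME_LEN:
        problems.append(f"longer than {MAX_NAME_LEN} characters ({len(name)})")
    bad = sorted(set(name) & FORBIDDEN)
    if bad:
        problems.append("contains forbidden characters: " + " ".join(bad))
    # NT account names are case-insensitive, so "Alan" and "alan" are the same account.
    if name.lower() in {e.lower() for e in existing}:
        problems.append("duplicates an existing account (case-insensitive match)")
    if any(ord(ch) > 127 for ch in name):
        problems.append("warning: non-ASCII (e.g. Chinese) characters are allowed but not recommended")
    return problems


if __name__ == "__main__":
    # Constructed sample: the built-in accounts plus one teacher already exist.
    current = ["Administrator", "Guest", "alan.chan"]
    for candidate in ["mary.lee", "Alan.Chan", "chem/teacher", "a" * 21, "陳大文"]:
        print(candidate, "->", check_account_name(candidate, current) or "OK")
```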


           Global Group Usage
           1)     Create global groups for grouping users (e.g. one global group per department).
           2)     Use local groups (built-in or school-defined) for assigning permissions to network
                  resources; local groups can contain global groups from the domain.
           3)     Assign permissions through the sequence:
                     user accounts -> global groups -> local groups -> permissions on the resource
                  That is, put users into global groups, put global groups into local groups, and grant
                  permissions only to local groups, never to individual user accounts.



7.6.       FILE AND DIRECTORY SHARING

           General Information about File Systems
           1) Both NTFS and FAT file systems support file and directory names of up to 255 characters.

           2)    To use NTFS and still be able to boot another operating system on the same computer,
                 schools must have at least two disk partitions. Format the first local hard drive
                 (e.g. C drive) with a file system that both Windows NT and the other operating system
                 (e.g. Windows 98) can use, such as FAT. Format the other partition with NTFS. Note that
                 anyone who boots the other operating system can read the FAT partition without any
                 Windows NT security check, so sensitive data should be kept on the NTFS partition.


           Comparison Between NTFS and FAT

           Windows NT file system (NTFS)
           Advantages:
           - Supports complete Windows NT security, so schools can specify who is allowed various
             kinds of access to a file or directory.
           - Keeps a log of activities to restore the disk in the event of a power failure or other
             problems.
           - Files on NTFS volumes can be compressed and uncompressed.
           Disadvantages:
           - Recognized only by Windows NT. When the computer is running another operating system
             such as MS-DOS or Windows 95/98, that operating system cannot access files on an NTFS
             partition on the same computer.

           File allocation table (FAT)
           Advantages:
           - Allows access to files when the computer is running another operating system, such as
             MS-DOS or Windows 95/98.
           - Is the most widely used file system for PCs.
           Disadvantages:
           - Files are not protected by the security features of Windows NT.
           - Cannot support extremely large files.
           - Less robust than NTFS; for example, no automatic disk restore features.



           NTFS File and Directory Permissions
           1) Only NTFS allows the file owner to establish discretionary access control. Schools can
              use Windows NT Explorer to set permissions on files on NTFS partitions of Windows NT
              computers. These permissions then apply both to users working at that computer itself and
              to users accessing the files over the network (if they are shared). Schools can set file
              permissions to a fine degree of granularity; for example, schools can set different
              permissions for each file in a directory. Schools can also set many different types of
              permission; for example, schools can let one user read the contents of a file and
              change it, let another user only read the file, and prevent all other users from any access
              to the file.

           2)    Schools do not have to assign “No Access” to every user or group that schools want to
                 prevent from accessing a file or directory. Schools can prevent a user from accessing a file
                 or directory just by not granting the user (or any groups the user is a member of) any
                 permissions for it.

           3)    Permissions are cumulative. For example, if the TeachersChem group has "Add"
                 permission on a directory while the TeachersBio group has "Read" permission and Alan is
                 a member of both groups, Alan has both "Add" and "Read" permissions on that directory.

           4)    The exception is the “No Access” permission, which overrides all other permissions.
                 Schools can use the “No Access” permission to grant a group access to a file while
                 preventing access to a subgroup or individual who is a member of that group. For example,
                 suppose Leslie is a member of TeachersChi and TeachersChi has the “Change” permission
                 for a file. If schools then set the “No Access” permission for Leslie for the file, Leslie will
                 be unable to use the file even though he is a member of a group that can access the file.

           5)    By default, new files and new subdirectories inherit permissions from the directory in
                 which they are created. For example, if schools add a file to a directory where the
                 TeachersEng group has “Change” permission and the TeachersMaths group has Read
                 permission, those same permissions will apply to the file.

           6)    When schools change the permissions on an existing directory, schools have the choice of
                 whether to apply the changes to all files and subdirectories in the directory.

           7)    The user who creates a file or directory is the owner of that file or directory. The owner
                 can always control access to the file or directory by changing the permissions set on it.


           Share Permissions
           1) Share permissions on NTFS volumes work in combination with file and directory
               permissions. When a directory is shared, the share permissions control who may connect
               to the share over the network; the NTFS file and directory permissions then control what
               each connected user may do. Where both apply, the effective access is the more restrictive
               of the two. Using the default share permission (Full Control) for NTFS shared directories,
               schools can manage the security of the files entirely through directory and file
               permissions.

           2)    Using Full Control permission for Everyone on all NTFS shared directories is the easiest
                 way to manage NTFS file security: schools apply directory and file permissions, and
                 allow share access to Everyone through share permissions. This is safe only if the NTFS
                 permissions have actually been set; a share of a directory that still carries the default
                 NTFS permission (Everyone: Full Control) exposes its contents to every user on the LAN.
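           The following Python program is an added example and is not part of the original guidelines.
           It models the rules set out above: the "Global Group Usage" sequence (user accounts -> global
           groups -> local groups -> permissions), cumulative NTFS permissions with "No Access"
           overriding every other entry, and the combination of share permissions with NTFS permissions
           for access over the network. The user, group and permission entries in it are constructed for
           illustration; the access rights behind each permission name follow the standard NT 4 sets
           (Read = RX, Add = WX, Change = RWXD, Full Control = all).

```python
from typing import Dict, FrozenSet, Iterable, Mapping, Set

# Standard NT 4 permission names and the individual access rights each grants.
# "No Access" is handled separately below: it grants nothing and overrides everything.
RIGHTS: Dict[str, FrozenSet[str]] = {
    "Read": frozenset({"read", "execute"}),
    "Add": frozenset({"write", "execute"}),          # directory permission: create, but not list
    "Change": frozenset({"read", "execute", "write", "delete"}),
    "Full Control": frozenset({"read", "execute", "write", "delete",
                               "change_permissions", "take_ownership"}),
    "No Access": frozenset(),
}


def principals_for(user: str,
                   global_groups: Mapping[str, Set[str]],
                   local_groups: Mapping[str, Set[str]]) -> Set[str]:
    """AGLP expansion: the user, every global group containing the user, every local
    group containing the user or one of those global groups, and the implicit Everyone."""
    found = {user}
    found |= {g for g, members in global_groups.items() if user in members}
    found |= {lg for lg, members in local_groups.items() if found & members}
    found.add("Everyone")
    return found


def effective_rights(principals: Iterable[str], acl: Mapping[str, str]) -> FrozenSet[str]:
    """Combine the ACL entries that match any of the user's principals.
    Permissions are cumulative, except that a matching "No Access" entry wins outright."""
    granted: Set[str] = set()
    for p in principals:
        perm = acl.get(p)
        if perm is None:
            continue
        if perm == "No Access":
            return frozenset()
        granted |= RIGHTS[perm]
    return frozenset(granted)


def network_rights(principals: Iterable[str],
                   share_acl: Mapping[str, str],
                   ntfs_acl: Mapping[str, str]) -> FrozenSet[str]:
    """Over the network both ACLs apply: the effective access is their intersection,
    i.e. the more restrictive of the share permission and the NTFS permission."""
    principals = set(principals)
    return effective_rights(principals, share_acl) & effective_rights(principals, ntfs_acl)


# Constructed sample directory. Names are illustrative only.
GLOBAL_GROUPS = {
    "TeachersChem": {"alan"},
    "TeachersBio": {"alan"},
    "TeachersChi": {"leslie"},
}
LOCAL_GROUPS = {
    "ScienceStaff": {"TeachersChem", "TeachersBio"},   # local group that holds global groups
}


def demo() -> Dict[str, FrozenSet[str]]:
    alan = principals_for("alan", GLOBAL_GROUPS, LOCAL_GROUPS)
    leslie = principals_for("leslie", GLOBAL_GROUPS, LOCAL_GROUPS)
    return {
        # item 3: Add via TeachersChem and Read via TeachersBio accumulate
        "alan_cumulative": effective_rights(alan, {"TeachersChem": "Add", "TeachersBio": "Read"}),
        # item 4: an explicit No Access on Leslie beats the Change granted to her group
        "leslie_no_access": effective_rights(leslie, {"TeachersChi": "Change", "leslie": "No Access"}),
        # share Everyone/Full Control: the NTFS permission on the local group decides
        "alan_share_full": network_rights(alan, {"Everyone": "Full Control"}, {"ScienceStaff": "Change"}),
        # a Read-only share silently strips the write/delete rights NTFS would grant
        "alan_share_read": network_rights(alan, {"Everyone": "Read"}, {"ScienceStaff": "Change"}),
    }


if __name__ == "__main__":
    for case, rights in demo().items():
        print(f"{case:18s} {sorted(rights)}")
```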


           Share Names






           1)    If a share will be accessed only by Windows NT Workstation, Windows NT Server,
                 Windows 95 or Windows 98 users, the share name can include up to 80 characters.

           2)    Windows NT Server automatically creates special shares for administrative and system use.
                 Depending on the configuration of the computer being administered, some or all of the
                 following special shares can appear in the share list. Usually, schools should not remove
                 or modify these special shares. Note that a share whose name ends in "$" is hidden from
                 browse lists but not protected by that; access is controlled by the group memberships
                 listed below, so the Administrators, Backup Operators and Server Operators groups must
                 contain only trusted staff.

                  Share name Represents
                  Driveletter$ The root directory of a storage device on the computer. For example, C$
                               is a share name by which the root directory of drive C can be accessed
                               over the network. Only members of the Administrators, Backup
                               Operators, and Server Operators groups can connect to these shares.
                  ADMIN$       A resource used by the system during remote administration of a
                               computer. The path of this resource is always the Windows NT system
                               root (the directory in which Windows NT was installed, for example,
                               C:\WINNT). Only members of the Administrators, Backup Operators,
                               and Server Operators groups can connect to this share.
                  IPC$         A resource sharing the named pipes that are essential for communication
                               between programs. Used during remote administration of a computer and
                               when viewing a computer's shared resources.
                  NETLOGON A resource used by the Net Logon service on domain controllers for
                               processing domain logon requests. This resource is provided only for
                               Windows NT Server, not for Windows NT Workstation.
                  PRINT$       A resource that supports shared printers.
                  REPL$        A resource created by the system when a Windows NT Server computer is
                               configured as a replication export server. Required for export replication.



           Considerations for MS-DOS Users
           1) Unlike Windows NT Server/Workstation and Windows 95/98, if a share will be accessed
              by users of MS-DOS (including users of Windows 3.x and Windows for Workgroups), it
              is necessary to follow the MS-DOS 8.3 naming convention for the share name (the
              name can have up to eight characters, optionally followed by a period and up to three more
              characters). MS-DOS computer users will be unable to access shares with share names
              that do not follow this convention.

           2)    On NTFS and FAT volumes, files and directories can have file names of up to 255
                 characters. And to ensure access by MS-DOS users, Windows NT Server and Windows
                 NT Workstation provide name mapping: Each file or directory with a name that does not
                 conform to the MS-DOS 8.3 standard is automatically given a second name that does.
                 MS-DOS users connecting to the file or directory over the network see the name in the 8.3
                 format; Windows NT Workstation and Windows NT Server users see the long name.
                 However, Windows NT Workstation and Windows NT Server do not generate short
                 names for share names that do not conform to MS-DOS naming standards, only for files
                 and directories with long names. When naming a share, use the 8.3 standard.


           When Files are Near or Over Quota Limits
           Some disk quota systems allow schools to set a warning value and a maximum value for each quota.
           The warning value notifies users when they are about to exceed their quota, and the maximum
           value defines the total amount of disk space allotted to the directory. Schools can define the
           actions to take when a user reaches the warning or the maximum value: a warning message can be
           sent to the user by pop-up message or email, and if necessary the user's write access can be
           revoked. Revoking write access prevents the user from saving any more data and so caps the disk
           space consumed.






           Furthermore, some disk quota systems allow a user to complete the save of a file that exceeds
           the quota, so that no data is lost or corrupted; after the save, quota-exceeded messages are sent
           automatically and the system denies the creation or addition of any further data. The user then
           has to delete or otherwise manage files to bring the usage back within quota. School LAN
           administrators may unlock the quota for a limited grace period.



7.7.       PRINT SHARING

           User Permissions on Shared Printers
           1) Four types of permissions apply to network printers:
               a) No Access
               b) Print
               c) Manage Documents (permission to manage all jobs aimed at that printer)
               d) Full Control

           2)    Permissions are cumulative except that the “No Access” permission overrides all other
                 permissions.

           3)    Users with "Manage Documents" or "Full Control" permission can manage the print jobs
                 queued for the printer. Management includes:
                 a) Viewing a list of printers and their respective print jobs
                 b) Purging jobs waiting for a printer
                 c) Holding or releasing a print job
                 d) Restarting a print job from the beginning
                 e) Deleting a print job
                 f) Stopping a job that is currently printing
                 Only users with "Full Control" can additionally manage the printer itself:
                 g) Pausing and continuing a printer
                 h) Deleting a printer, sharing it, or changing its permissions

           4)    Another way of managing the shared printers is to assign the desired users to the
                 "Print Operators" local group of the print servers.


           Using a Workstation as the Print Server
           If schools really require a workstation to be a print server, it is recommended to add more
           memory to the workstation for this task.
           Both Windows NT Workstation and Windows NT Server can be configured as a print server.
           However, unlike Windows NT Server, Windows NT Workstation is limited to a maximum of 10
           simultaneous connections from other computers over the network, and it does not support
           printing from some non-Windows NT systems such as Macintosh and NetWare clients. These are
           further reasons for not recommending a workstation as a print server.



7.8.       PHYSICAL SECURITY

           Offsite Backup
           Offsite backup is the practice of keeping backup storage media away from the server site.
           This allows system recovery after a disaster that destroys the whole server site.

           Data Safe
           A data safe is made of special material that resists fire and water. It can keep the data tapes
           or diskettes inside in good condition even after being exposed to fire for hours.

           Chassis Lock




           A chassis lock is an effective means of preventing loss of hardware inventory and of stopping
           unauthorised users from opening the case (for example to remove the hard disk or reset the BIOS
           password). Every server and workstation should be locked.


           Property Markings
           Property marking, by engraving or with permanent pigment, of all hardware (system units, server
           system units, monitors, hubs and switches, printers, scanners, etc.) is another means of
           protecting the property.



           Periodic Review of Physical Security
           1) Review and change the BIOS password regularly.
           2) Update the inventory list after configuration change and inventory take.




7.9.       USER ACCOUNT SECURITY

           Account lockout
           When account lockout is enabled, an account is locked out if it receives more than the specified
           number of bad logon attempts and no more than the specified reset time passes between any two
           consecutive bad attempts. A locked-out account cannot log on again until the lockout duration
           expires, or until an administrator unlocks it if the duration is set to "forever". Note that the
           built-in Administrator account is never locked out, which is why its password must be strong.


           Forced Disconnection at the End of Logon Hours
           If users are forced to disconnect from servers when their logon hours expire, they are given
           warnings just before the end of the specified logon hours. If they have not ended their
           connections by then, the server(s) to which they are connected will end the connection(s). Users
           are not forced to log off their workstations, however.
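           The following Python program is an added example and is not part of the original guidelines.
           It simulates the account lockout rule described above over a constructed sequence of logon
           attempts: a counter of bad attempts per account that is reset when more than the reset window
           passes between two bad attempts, lockout when the counter reaches the threshold, automatic
           unlock after the lockout duration, and the exemption of the built-in Administrator account. The
           policy values (5 attempts, 30-minute reset, 60-minute lockout) and the user names and times are
           assumptions chosen for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


class LockoutPolicy:
    """The three Account Policy settings: lockout after `threshold` bad attempts,
    reset the count after `reset_minutes` without a bad attempt, and lock for
    `duration_minutes` (None = forever, i.e. until an administrator unlocks)."""

    def __init__(self, threshold: int, reset_minutes: int,
                 duration_minutes: Optional[int], exempt=("Administrator",)):
        self.threshold = threshold
        self.reset = timedelta(minutes=reset_minutes)
        self.duration = None if duration_minutes is None else timedelta(minutes=duration_minutes)
        self.exempt = set(exempt)                       # built-in Administrator is never locked out
        self._bad: Dict[str, Tuple[int, datetime]] = {}         # user -> (count, last bad attempt)
        self._locked_until: Dict[str, Optional[datetime]] = {}  # user -> expiry (None = forever)

    def is_locked(self, user: str, now: datetime) -> bool:
        if user not in self._locked_until:
            return False
        until = self._locked_until[user]
        if until is not None and now >= until:      # lockout duration has elapsed
            del self._locked_until[user]
            self._bad.pop(user, None)
            return False
        return True

    def unlock(self, user: str) -> None:
        """Administrator clears the 'Account Locked Out' box in User Manager."""
        self._locked_until.pop(user, None)
        self._bad.pop(user, None)

    def logon(self, user: str, password_ok: bool, now: datetime) -> str:
        if self.is_locked(user, now):
            return "refused-locked"                 # even a correct password is refused
        if password_ok:
            self._bad.pop(user, None)               # a good logon resets the counter
            return "ok"
        count, last = self._bad.get(user, (0, None))
        if last is not None and now - last > self.reset:
            count = 0                               # too long since the previous bad attempt
        count += 1
        self._bad[user] = (count, now)
        if count >= self.threshold and user not in self.exempt:
            self._locked_until[user] = None if self.duration is None else now + self.duration
            return "locked-out"
        return "bad-password"


# Constructed logon attempts: (minutes after T0, account, password correct?)
T0 = datetime(1999, 6, 1, 9, 0)
EVENTS: List[Tuple[int, str, bool]] = [
    (0, "s1", False), (2, "s1", False), (4, "s1", False), (6, "s1", False), (8, "s1", False),
    (10, "s1", True),          # right password at last, but the account is now locked
    (70, "s1", True),          # 60-minute lockout has expired, so this succeeds
    (0, "t1", False), (45, "t1", False), (50, "t1", False), (52, "t1", True),   # 45-min gap resets
    (0, "Administrator", False), (1, "Administrator", False), (2, "Administrator", False),
    (3, "Administrator", False), (4, "Administrator", False), (6, "Administrator", True),
]


def run(policy: Optional[LockoutPolicy] = None) -> Dict[Tuple[str, int], str]:
    """Replay EVENTS in time order; return the outcome of each (account, minute)."""
    policy = policy or LockoutPolicy(threshold=5, reset_minutes=30, duration_minutes=60)
    results: Dict[Tuple[str, int], str] = {}
    for minute, user, ok in sorted(EVENTS, key=lambda e: e[0]):
        results[(user, minute)] = policy.logon(user, ok, T0 + timedelta(minutes=minute))
    return results


if __name__ == "__main__":
    for (user, minute), outcome in run().items():
        print(f"{(T0 + timedelta(minutes=minute)).strftime('%H:%M')} {user:14s} {outcome}")
```

           The Administrator rows show why the guidelines insist on a strong Administrator password: five
           bad attempts in five minutes produce only "bad-password" results, and the sixth attempt with
           the right password succeeds.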


           Security on User profile
           User profile can be used to control a user's desktop environment. Profiles contain all user
           defined settings for the user environment, including start menu entries, desktop icons, display
           settings, and background colors. These settings can be stored on the local machine (local profile)
           or on a network server (roaming profile).


           Windows NT System Policy
           Policies in Windows NT can be used to lock down desktops and prevent users from performing
           unsafe tasks. Restrictions include desktop properties, Start menu options, enabling or disabling
           sharing, and establishing and sharing custom folders for individual students to store their work.

           Policy modifies the system registry and is applied after a user's profile is loaded. Consequently,
           policies overlay the user's portion of the registry and add more control on top of user profiles.


           Logon Script
           A logon script is a file that runs automatically when a user logs on. Schools will most likely
           need logon scripts to map network drives for users as they log on. Drive mapping hides the
           network structure and shows users only the resources relevant to them, such as their home
           directories.


           Security on Home Directory
           Home directories are personal storage locations assigned to each user account. Users can save
           their work to corresponding home directories on network and access it from any station in the




           site. With a user account and password, students and teachers can access their work from any
           station on the school LAN without intrusion from others.




           Periodic Review on Security Log
           -   regularly review the log for security-related events such as failed logons and account
               lockouts (e.g. at least once a week).
           -   regularly purge the security log after appropriate copies have been made (e.g. weekly).



           Periodic Review on Anti-Virus Settings
           -   regularly check all files on servers for viruses (e.g. at least once a week).
           -   regularly update the anti-virus programs' signatures (e.g. at least once a month).
           -   regularly back up the files on servers, so that damage is minimized if a virus attack does
               occur (e.g. back up servers' files every day).




7.10.      FAULT TOLERANCE FOR SERVER HARD DISK

           Redundant Arrays of Independent Disks (RAID)
            There are 6 levels of disk array known as Redundant Arrays of Independent Disks (RAID),
              numbered 0 to 5. Each level offers a different mix of performance, reliability and cost.
              Note that level 0 (striping without parity) provides no fault tolerance at all.
            As a software solution, Windows NT Server offers three of the RAID strategies (levels 0, 1
              and 5). Alternatively, a hardware implementation of RAID can offer performance
              advantages over the software RAID solution, at a relatively higher cost.
            RAID 5 writes data and parity across all disks in the set; a given capacity therefore uses
              more disks than a conventional storage solution, which is the key to its performance edge.
            Be aware that once a disk has failed there is no further fault tolerance until the fault is
              repaired: a RAID 5 set cannot withstand two failed disks at the same time. When the failed
              disk is replaced, its data is regenerated from the redundant (parity) information on the
              remaining disks. When this operation is complete, all data is current and again protected
              against a single disk failure. This happens without bringing in backup tapes or manually
              re-entering transactions that took place since the last backup.
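           The following Python program is an added example and is not part of the original guidelines.
           It shows, on a few bytes of constructed data, how RAID 5 spreads data chunks and a rotating
           parity chunk across five disks, how the contents of one failed disk are regenerated from the
           XOR of the other four (the "redundant information" referred to above), and why two
           simultaneous failures cannot be recovered. The disk count (5, as in the 5 x 9GB example below)
           and the 4-byte chunk size are assumptions chosen to keep the output readable.

```python
from typing import Dict, List, Optional

Chunk = Optional[bytes]          # None models a chunk that lives on a failed disk


def xor_chunks(chunks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length chunks; the RAID 5 parity operation."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def stripe(data: bytes, ndisks: int, chunk: int) -> List[List[Chunk]]:
    """Lay `data` out RAID 5 style: each stripe holds ndisks-1 data chunks plus one
    parity chunk, and the parity position rotates from stripe to stripe."""
    per_stripe = chunk * (ndisks - 1)
    data += b"\0" * (-len(data) % per_stripe)            # pad the final stripe
    disks: List[List[Chunk]] = [[] for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        base = s * per_stripe
        pieces = [data[base + i * chunk: base + (i + 1) * chunk] for i in range(ndisks - 1)]
        parity_disk = s % ndisks
        it = iter(pieces)
        for d in range(ndisks):
            disks[d].append(xor_chunks(pieces) if d == parity_disk else next(it))
    return disks


def fail_disk(disks: List[List[Chunk]], d: int) -> None:
    disks[d] = [None] * len(disks[d])


def rebuild(disks: List[List[Chunk]], d: int) -> None:
    """Regenerate disk d after replacement: each chunk is the XOR of the others in
    its stripe. Raises if a second disk is also missing (parity cannot cover two)."""
    for s in range(len(disks[0])):
        others = [disks[k][s] for k in range(len(disks)) if k != d]
        if any(c is None for c in others):
            raise RuntimeError(f"stripe {s}: second disk missing, cannot regenerate")
        disks[d][s] = xor_chunks(others)


def read_back(disks: List[List[Chunk]], length: int) -> bytes:
    """Reassemble the data, regenerating one missing chunk per stripe on the fly
    (degraded mode). Two missing chunks in a stripe mean that data is lost."""
    n, out = len(disks), bytearray()
    for s in range(len(disks[0])):
        row = [disks[d][s] for d in range(n)]
        missing = [d for d, c in enumerate(row) if c is None]
        if len(missing) > 1:
            raise RuntimeError(f"stripe {s}: {len(missing)} chunks missing, data lost")
        if missing:
            row[missing[0]] = xor_chunks([c for c in row if c is not None])
        out += b"".join(row[d] for d in range(n) if d != s % n)   # skip the parity chunk
    return bytes(out[:length])


def can_read(disks: List[List[Chunk]], length: int) -> bool:
    try:
        read_back(disks, length)
        return True
    except RuntimeError:
        return False


SAMPLE = b"Form 3A timetable, marks and notes for June 1999"   # constructed content


def demo() -> Dict[str, bool]:
    disks = stripe(SAMPLE, ndisks=5, chunk=4)
    fail_disk(disks, 2)                                    # one disk dies
    degraded = read_back(disks, len(SAMPLE)) == SAMPLE     # still readable, using parity
    rebuild(disks, 2)                                      # replacement disk regenerated
    rebuilt = read_back(disks, len(SAMPLE)) == SAMPLE
    fail_disk(disks, 1)
    fail_disk(disks, 3)                                    # two failures before a rebuild
    return {"degraded_read": degraded, "after_rebuild": rebuilt,
            "two_failures_readable": can_read(disks, len(SAMPLE))}


if __name__ == "__main__":
    print(demo())
```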


           Hot Standby Feature of RAID
           In a RAID system with 5 x 9GB disks connected to a disk array controller to form a RAID 5 set,
           the usable capacity is 36 GB (one disk's worth of capacity holds parity). A sixth disk can be
           installed as a standby (hot spare) disk, so that when any one of the five disks fails, the sixth
           disk automatically replaces the defective one and the whole RAID set is rebuilt to its normal
           state without operator intervention.


           Hot Expand Feature of RAID
           Installing another disk (the 7th disk) into the above RAID system as a data disk raises the
           usable capacity to 45 GB. No shutdown or system downtime is required during the installation
           of the new disk: inserting the disk into the RAID set and running the controller's rebuild
           program are the only steps required.




7.11.      UNINTERRUPTIBLE POWER SUPPLY (UPS)




           More Information on UPS Settings
           1) With UPS connected to the servers in a school LAN, during a power failure, the UPS
               service immediately pauses server services to prevent any new connections and sends a
               message to notify users of the power failure. The UPS service then waits a specified
               interval of time before notifying users to terminate their sessions. If power is restored
               during the interval, another message is sent to inform users that power has been restored
               and normal operations have resumed.

           2)    However, if a power failure is prolonged and the UPS reaches a critical state, a shutdown
                 of the school LAN servers is performed, and the UPS device is turned off. Therefore,
                 schools should ensure that their UPS device guarantees at least 10 minutes to enable the
                 Windows NT Server of their servers to perform a graceful shutdown.


           Periodic Review of UPS Settings
           Regularly test the UPS device to ensure the UPS' batteries are in good condition (e.g. at least
           once a month).




7.12.      DATA BACKUP

           Tape Autoloader or Library
           For managing large backups that span several tape cartridge sets, tape autoloader or library can
           help. Autoloaders let multiple tape cartridges be stored and accessed by a single drive through a
           robotic mechanism for hands-free backup operation.


           Offsite Backup
           Offsite backup is the practice of keeping backup storage media away from the server site.
           This allows system recovery after a disaster that destroys the whole server site. Backup tapes
           contain all of the school's data, so the offsite location needs the same physical protection as
           the server room.


           Normal (Full), Incremental, and Differential Backup
             A normal backup always copies all selected files and marks each file as having been
               backed up. Normal backups give schools the ability to restore files quickly because files
               on the last tape are the most current.
             The incremental method only backs up files that were created or changed since the last
               normal or incremental backup. It marks files as having been backed up. If schools use a
               combination of normal and incremental backups, restoring requires starting with their last
               normal backup and then working through all the incremental tapes.
             A differential backup copies files that were created or changed since the last normal (or
               incremental) backup. It does not mark files as having been backed up. If schools are
               doing normal and differential backups, restoring requires only the last normal and last
               differential backup tape.

           The following table lists advantages and disadvantages associated with running each type of
           backup.

            Backup type    Advantages                                    Disadvantages
            Normal         Files are easy to find because they are       Most time-consuming.
                           always on a current backup of the system,     If files do not change frequently,
                           on one tape or tape set.                      backups are redundant.
                           Recovery requires only one tape or tape set.
            Incremental    Least data storage space required.            Files are difficult to find because
                           Least time-consuming.                         they are spread across several
                                                                         tapes.
            Differential   Less time-consuming than normal backups.      If large amounts of data change
                           Recovery requires only the last normal        daily, backups can be more time-
                           backup tape and the last differential tape.   consuming than incremental.
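           The following Python program is an added example and is not part of the original guidelines.
           It simulates a week of changes to a small constructed set of files under the two schedules
           described above (normal plus daily incremental, and normal plus daily differential), tracking
           the archive bit the way each backup type does, and then computes which tapes are needed to
           restore and how much was copied in total. The file names and the pattern of daily changes are
           assumptions; a file's "version" number stands in for its contents.

```python
from typing import Dict, List, Set, Tuple

FileSet = Dict[str, int]          # file name -> version (stand-in for contents)


class Backup:
    def __init__(self, kind: str, day: int, files: FileSet):
        self.kind, self.day, self.files = kind, day, dict(files)

    def label(self) -> str:
        return f"{self.kind}@day{self.day}"


def take_backup(kind: str, day: int, disk: FileSet, archive: Set[str]) -> Backup:
    """Normal: copy every file and clear every archive bit.
    Incremental: copy files whose archive bit is set, then clear those bits.
    Differential: copy files whose archive bit is set and leave the bits alone."""
    if kind == "normal":
        selected = dict(disk)
        archive.clear()
    else:
        selected = {f: v for f, v in disk.items() if f in archive}
        if kind == "incremental":
            archive.clear()
    return Backup(kind, day, selected)


def tapes_to_restore(history: List[Backup]) -> List[Backup]:
    """Last normal tape, plus every incremental after it, plus only the last differential."""
    last_normal = max(i for i, b in enumerate(history) if b.kind == "normal")
    later = history[last_normal + 1:]
    needed = [history[last_normal]] + [b for b in later if b.kind == "incremental"]
    differentials = [b for b in later if b.kind == "differential"]
    if differentials:
        needed.append(differentials[-1])
    return needed


def restore(tapes: List[Backup]) -> FileSet:
    result: FileSet = {}
    for t in tapes:                # later tapes overwrite older versions of the same file
        result.update(t.files)
    return result


# Constructed week: which files were edited on each day after the Sunday normal backup.
EDITS: List[List[str]] = [
    ["marks.xls"],                   # day 1
    ["marks.xls", "notes.txt"],      # day 2
    [],                              # day 3: nothing changed
    ["timetable.doc"],               # day 4
    ["marks.xls"],                   # day 5
]


def simulate(strategy: str, edits: List[List[str]]) -> Tuple[FileSet, FileSet, List[str], int]:
    """Return (state on disk, state restored from tape, tapes needed, total files copied)."""
    disk: FileSet = {"timetable.doc": 0, "marks.xls": 0, "notes.txt": 0, "photo.bmp": 0}
    archive: Set[str] = set(disk)                    # new files start with the archive bit set
    history = [take_backup("normal", 0, disk, archive)]
    for day, changed in enumerate(edits, start=1):
        for f in changed:
            disk[f] += 1
            archive.add(f)                           # editing a file sets its archive bit
        history.append(take_backup(strategy, day, disk, archive))
    needed = tapes_to_restore(history)
    copied = sum(len(b.files) for b in history)
    return disk, restore(needed), [b.label() for b in needed], copied


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        disk, restored, labels, copied = simulate(strategy, EDITS)
        print(strategy, "tapes:", labels, "files copied:", copied, "restore ok:", restored == disk)
```

           Both schedules restore the same final state; the incremental schedule copies 9 file versions
           over the week but needs six tapes to restore, while the differential schedule copies 15 but
           restores from two, which is the trade-off the table above describes.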



           A verify operation compares the files on disk with the files that have been written to tape. It
           runs after all files have been backed up or restored and takes about as long as the backup itself;
           it is the only way to know that a tape can actually be restored from.



           Emergency Repair Disk (ERD)
           The Emergency Repair Disk holds copies of the system's configuration information, such as the
           registry settings for software, hardware and security, and the user account database. The ERD
           can help to recover from a system crash caused by corrupted files without having to reinstall
           Windows NT. Because the disk contains the account database (including password hashes), it must
           be kept locked away and updated after every significant configuration change.




7.13.      REMOTE ACCESS SERVICE (RAS)

           More Information about RAS
           1) The Windows NT Server RAS permits up to 255 remote clients to dial in.

           2)    For schools having more than one server, the RAS server can be configured to provide
                 access to an entire school LAN or restrict access to the RAS server only.

           3)    Modem ports on RAS servers can be configured individually. Each port can be set to “Dial
                 Out Only”, “Receive Calls Only”, or “Dial Out And Receive Calls”. These settings affect
                 only the port specified, not all ports on the RAS server. For example, RAS server can be
                 configured to provide access to the entire school LAN, modem port 1 can be configured to
                 receive calls, and modem port 2 can be configured for dial out and receive. A remote user
                 can call in on either port, but a local user can use only port 2 for outbound RAS calls.


           RAS Security
           1) Windows NT Server security is integrated into RAS. User accounts on any domain can be
              used by remote clients for RAS access, and schools specify which accounts are allowed to dial
              in. It is not necessary to create user accounts just for RAS users. Authentication can be
              encrypted at connect time, and the encrypted option should be required so that passwords do
              not cross the telephone line in clear text.

           2)    RAS generates audit trails of remote connections in the RAS server's event log. With this
                 feature, schools can audit all remote access activity, such as successful and failed logon
                 attempts and the duration of a particular connection.


           Periodic Review of RAS Settings
           1) Accounts with RAS permission should be reviewed regularly (e.g. quarterly) to ensure that
               they still require it.
           2) The audit log of RAS-related events should be reviewed regularly (e.g. at least once a week).
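           As an added example (not code from the guidelines), the weekly review of RAS-related events
           described above can be carried out over an exported log: pair each connection with its
           disconnection to obtain the access duration per account, and list accounts with repeated failed
           logons. The export line format, the domain name SSS1, the account names and the failure
           threshold of 5 (matching the account lockout value in Appendix B) are assumptions.

```python
"""Weekly review helper for RAS audit trails (added example, not part of the
guidelines).  The export line format "<timestamp>;<event>;<account>;<port>"
is an assumption made for this example, not the Windows NT event log layout."""
from collections import defaultdict
from datetime import datetime

# Constructed sample export; the domain name SSS1 and the accounts are made up.
SAMPLE_LOG = """\
1999-06-07 19:02:11;CONNECT;SSS1\\tchan;COM1
1999-06-07 19:48:40;DISCONNECT;SSS1\\tchan;COM1
1999-06-07 21:10:05;FAILED_LOGON;SSS1\\student12;COM2
1999-06-07 21:10:31;FAILED_LOGON;SSS1\\student12;COM2
1999-06-07 21:11:02;FAILED_LOGON;SSS1\\student12;COM2
1999-06-07 21:11:40;FAILED_LOGON;SSS1\\student12;COM2
1999-06-07 21:12:15;FAILED_LOGON;SSS1\\student12;COM2
1999-06-08 07:30:00;CONNECT;SSS1\\tchan;COM2
"""

def parse_log(text):
    """Yield (timestamp, event, account, port) for each non-blank line."""
    for line in text.splitlines():
        if line.strip():
            ts, event, account, port = line.split(";")
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event, account, port

def summarise(text, failure_threshold=5):
    """Return (minutes connected per account, accounts with at least
    failure_threshold failed logons, sessions still open at end of log).
    A DISCONNECT is paired with the CONNECT on the same account and port."""
    minutes = defaultdict(float)
    failures = defaultdict(int)
    open_sessions = {}                      # (account, port) -> connect time
    for ts, event, account, port in parse_log(text):
        key = (account, port)
        if event == "CONNECT":
            open_sessions[key] = ts
        elif event == "DISCONNECT" and key in open_sessions:
            minutes[account] += (ts - open_sessions.pop(key)).total_seconds() / 60
        elif event == "FAILED_LOGON":
            failures[account] += 1
    flagged = sorted(a for a, n in failures.items() if n >= failure_threshold)
    return dict(minutes), flagged, sorted(open_sessions)

if __name__ == "__main__":
    connected, flagged, still_open = summarise(SAMPLE_LOG)
    for account, mins in sorted(connected.items()):
        print(f"{account}: {mins:.1f} min connected")
    print("accounts to review for failed logons:", flagged)
    print("connections without a disconnect record:", still_open)
```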






7.14.      PROXY SERVER

           Functions of a Proxy Server
           Proxy servers can also provide user access control: schools can set detailed user and group
           permission lists for the different Internet services. In addition, a proxy server can act as
           Internet filtering software that oversees Internet use and blocks access to inappropriate sites. It
           does this by comparing the requested site with its own list of rated sites.

           Furthermore, a proxy server can log the services and accesses passing through it. A log entry
           shows the IP address of the workstation and the user that requested the Internet service, the
           date and time of the access, the type of Internet service, and the URL of the accessed Web site
           or the name of the accessed file.



           Advanced Internet Security with a Multi-homed Proxy Server
           Since it is impossible to know what sort of content a student will locate using Internet search
           engines, and impossible to guarantee that malicious hackers will not attempt an assault on the
           school LAN, a great deal of Internet security centres around gatekeepers and filtering.

           Before connecting a school LAN to the Internet, it is important to develop a plan for keeping
           the two networks separate. Perhaps the most important component in this plan is a firewall, or a
           multi-homed proxy server. A multi-homed proxy server is a separate server machine which does
           not serve as a Windows NT domain controller but acts as a gatekeeper that controls traffic
           between the Internet and the school LAN. The proxy server intercepts every Internet request
           from inside the LAN, executes that request itself, and sends the result back to the user. If an
           outside hacker attempts to access the school LAN, the proxy server intercepts the request and
           denies the hacker access.


           If No Proxy Server is Installed...
           Some Web browsers, such as Microsoft Internet Explorer, support ratings standards such as the
           Platform for Internet Content Selection (PICS), ratified by the World Wide Web Consortium
           (W3C). This ratings standard lets schools choose different allowable levels of language, nudity,
           sex and violence. Therefore, if no proxy server is installed as a centralised Internet security
           control point, schools should set an appropriate ratings level in the Web browser(s) on every
           Internet-ready workstation so that inappropriate sites can be blocked. In addition, schools should
           regularly review and maintain the ratings level to fit their preference (e.g. monthly). However,
           this approach involves a large amount of administrative work.
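           As an added example (not code from the guidelines or from any proxy product), the comparison of a
           requested site against a list of rated sites described under Functions of a Proxy Server and the
           PICS-style allowable levels described above can be combined into one filtering decision, with a log
           line carrying the fields listed earlier. The rating list, the policy values, the host names, the
           workstation IP address and the log layout are all assumptions made for this example.

```python
"""Filtering decision and access-log line for a school proxy (added example,
not taken from the guidelines or from any proxy product).  The rating
scale, list format and log layout are assumptions made for this example."""
from datetime import datetime
from urllib.parse import urlsplit

CATEGORIES = ("language", "nudity", "sex", "violence")

# Constructed list of rated sites: host -> level per category (0 = none),
# or None for a site that is always blocked.  A rating on a parent domain
# applies to every host under it.
RATED_SITES = {
    "example-games.test": {"language": 2, "nudity": 0, "sex": 0, "violence": 4},
    "blocked.test": None,
}
# Constructed school policy: highest allowable level per category.
SCHOOL_POLICY = {"language": 2, "nudity": 0, "sex": 0, "violence": 1}
SAMPLE_TIME = datetime(1999, 6, 7, 10, 5, 0)      # constructed timestamp

def lookup_rating(host):
    """Return the rating of host or of its nearest rated parent domain, or
    "unrated" when neither is listed.  Case and a trailing dot are ignored;
    the bare top-level label alone is never matched, so an IP address
    literal such as 10.0.0.5 simply comes back unrated."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in RATED_SITES:
            return RATED_SITES[candidate]
    return "unrated"

def decide(url, policy=SCHOOL_POLICY):
    """Return (allowed, reason) for a requested URL."""
    rating = lookup_rating(urlsplit(url).hostname or "")
    if rating is None:
        return False, "listed as blocked"
    if rating == "unrated":
        return True, "unrated"
    over = [c for c in CATEGORIES if rating.get(c, 0) > policy[c]]
    if over:
        return False, "exceeds policy: " + ", ".join(over)
    return True, "within policy"

def log_entry(ip, user, url, when):
    """One log line with the fields the guidelines name: workstation IP,
    user, date and time, service type, URL, plus the decision taken."""
    allowed, reason = decide(url)
    service = urlsplit(url).scheme.upper() or "UNKNOWN"
    return (f"{ip} {user} {when:%Y-%m-%d %H:%M:%S} {service} {url} "
            f"{'ALLOW' if allowed else 'BLOCK'} ({reason})")
```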


           Periodic Review of Proxy Server Settings
           -   regularly review and maintain the filtering list to fit the preference of the school and
               community (e.g. monthly).
           -   regularly review the proxy log for security-related events (e.g. weekly).




7.15.      INTEGRATION WITH EXISTING NETWORK

           Communication Protocols
           Different machines may use different communication protocols. For example, Macintosh
           computers communicate using AppleTalk. In order to integrate them into the Windows NT
           network, AppleTalk has to be enabled on the school LAN.








8.          APPENDIX B – CHECKLIST FOR BASIC PARAMETERS OF LAN DESIGN

Network Infrastructure
                                                                    (suggested values)
Windows NT Domain
   number of Windows NT domains                                     (1)

Server
   number of servers                                                (1)
   server role                                                      (Primary Domain Controller)
   licensing mode                                                   (Per Server Licensing)
   number of Client Access Licenses (CALs)                          (= no. of workstation)
   number of partitions for server hard disk                        (2, one for system and one for data)
   preferred configurations of each server

Workstation
   number of workstations
   number of categories of workstation configuration
   preferred configurations for each category of workstation

Network Communications
   communication protocol                                           (TCP/IP)
   IP address range                                                 (as recommended by ED)
   IP address scheme in school
   Windows NT Domain Naming Convention                              (SSS# as suggested)
   computer & device naming convention                              (SSS$### as suggested)
   descriptions to be added to computers & devices                  (location, purpose, machine type)



User Administration

User Account Policy
   user accounts: global vs local                                   (global accounts for networked machines,
                                                                     local accounts for standalone machines)
     no. of personal user accounts                                  (2 per user)
     no. of shared user accounts                                    (50 for the computer subject)
     user account naming convention                                 (initials + last name + serial no.
                                                                     in case of duplication + 'c' or 'e' to specify
                                                                     the language)

User Profile
   user profile                                                     (roaming mandatory)
   desktop configuration for each user group

Home Directory Scheme
   initial size of home directory                                   (10 MB for each user)
   location of home directory                                       (D:\Home\%username% on the PDC,
                                                                     D: - data partition of server hard disk)
     permission for home directory                                  (“Change” permission for owner,
                                                                    “No Access” for other users)
     drive letter for home directory                                (U:)






Grouping Strategy
   grouping users                                                   (use global groups)
   assigning permissions                                            (use local groups)
   number of groups for grouping users                              (students grouped by admission year,
                                                                    one group for accounts for the computer
                                                                    subject, one group for teachers, one group
                                                                    for administrator)



Resources Sharing

File and Directory Sharing
    file system of Windows NT Servers                               (NTFS)
    file system of Windows NT Workstations                          (NTFS)
    file system of MS-DOS                                           (FAT)
    size of public area on server                                   (500 MB)
    location of the public area                                     (D:\public on the PDC)
    permission of the public area                                   (Change)

Print Sharing
    no. of shared printers
    location of each shared printer
    physical connections of the shared printers                     (through printer sharing devices)
    print server assignment                                         (server machine)
    permission on shared printers                                   (students: Print
                                                                     teachers: Manage
                                                                     administrators: Full)



Security

Physical Security
   server BIOS password
   workstation BIOS password
   other details of physical & hardware security policy

Windows NT Security
   minimum password length                                          (8 characters)
   account lockout                                                  (5 bad logon attempts)
   other details of login & password policy
   user right policy
   audit policy

Data Security
   anti-virus policy
   RAID-5 hard disk for server                                      (yes)
   UPS                                                              (for server and backbone switch/hub)
   backup strategy






Extendibility

Remote Access Service (RAS)
   concurrent connections for remote dial-in
   resources accessible to the dial-in users                        (file server only)
   call-back feature enabled                                        (yes)
   log the activities                                               (yes)


Internet Access
    Internet resources available to users                           (WWW for all users)
    enhance Internet performance via proxy server                   (yes)


Integration with Existing Systems
    no. of standalone PCs to be integrated
    configurations of these PCs
    communication protocol used after integration                   (TCP/IP)
    number of Windows NT domain after integration                   (1)



