Windows 2000
| Windows 2000 | |
|---|---|
| Windows 2000 succeeded Windows NT 4. | |
| Developer | Microsoft |
| OS family | Windows NT |
| Source model | Closed source |
| Latest release | Service Pack 4 / FIXME |
| Kernel type | Hybrid kernel |
| License | Microsoft EULA |
| Working state | Historic, but still supported |
| Website | www.microsoft.com/windows2000 |
Microsoft Windows 2000 (also referred to as Win2K or Windows NT 5.0) is a 32-bit graphical business-oriented operating system released on February 17, 2000 by Microsoft. Windows 2000 comes in four versions: Professional, Server, Advanced Server, and Datacenter Server. Additionally, Microsoft offers Windows 2000 Advanced Server, Limited Edition, released in 2001, which runs on Intel Itanium 64-bit processors.
Microsoft has replaced Windows 2000 Server products with Windows Server 2003, and Windows 2000 Professional with Windows XP Professional.
Windows Neptune entered development in 1999 and was intended to be the home-user edition of Windows 2000. The project fell behind schedule, and only one alpha release was ever built. Windows Me was released in its place, and the Neptune work was merged into the Whistler project, which became Windows XP.
Architecture
Windows 2000 is a 32-bit, preemptively multitasked, interruptible operating system designed for both uniprocessor and symmetric multiprocessor (SMP) Intel x86 computers. I/O is packet driven: requests travel through the system as I/O request packets (IRPs) and are handled asynchronously. The system is highly modular and, like most monolithic operating systems, is split into two main layers, user mode and kernel mode. It is nonetheless described as a hybrid kernel: the microkernel proper handles only low-level scheduling, synchronisation and trap handling, while the higher-level services are implemented by the executive, which also runs in kernel mode.
User mode
The user mode is made up of subsystems which pass I/O requests to the appropriate kernel-mode drivers via the I/O manager (which itself runs in kernel mode). Two groups of subsystems make up the user-mode layer of Windows 2000: the environment subsystems and the integral subsystem.
Environment subsystem
The environment subsystems let applications written for several different operating systems run on Windows 2000. None of them can access hardware directly; they obtain memory through the Virtual Memory Manager, which runs in kernel mode, and their code runs at a lower privilege level than kernel-mode code. Windows 2000 ships three environment subsystems: the Win32 subsystem, an OS/2 subsystem and a POSIX subsystem.
The Win32 subsystem runs 32-bit Windows applications. It also provides the console and text-window support, shutdown handling and hard-error handling for all the other environment subsystems, and it supports Virtual DOS Machines (VDMs), which allow MS-DOS and 16-bit Windows 3.x (Win16) applications to run on Windows. An MS-DOS VDM runs in its own address space and emulates an Intel 486 running MS-DOS 5. Win16 programs run in a Win16 VDM instead: by default all Win16 programs share a single Win16 VDM process, and therefore a single address space, with the VDM giving each program its own thread; within that process they are cooperatively multitasked, as they were on Windows 3.x. Windows 2000 also allows a Win16 program to be started in a separate Win16 VDM, in which case it is preemptively multitasked, since Windows 2000 preempts the whole VDM process and that process then contains only the one application.
The OS/2 subsystem supports 16-bit character-based OS/2 applications; it emulates OS/2 1.x (up to 1.3) and does not run OS/2 2.x or later applications. The POSIX subsystem supports applications written strictly to the POSIX.1 standard or the related ISO/IEC standards.
Integral subsystem
The Integral subsystem looks after operating system specific functions on behalf of the environment subsystem. It consists of a security subsystem, a workstation service and a server service. The security subsystem deals with security tokens, grants or denies access to user accounts based on resource permissions, handles logon requests and initiates logon authentication, and determines which system resources need to be audited by Windows 2000. It also looks after Active Directory. The workstation service is an API to the network redirector, which provides the computer access to the network. The server service is an API that allows the computer to provide network services.
Kernel mode
Windows 2000 kernel mode has full access to the hardware and system resources of the computer and runs its code in a protected memory area. It controls scheduling, thread prioritisation, memory management and the interaction with hardware. Because user-mode services and applications cannot touch these critical areas of the operating system directly, they must ask kernel mode, through system calls, to perform such operations on their behalf.
Kernel mode consists of the executive services, which are themselves made up of many modules that each perform specific tasks, the kernel-mode drivers, the microkernel and the Hardware Abstraction Layer (HAL).
Executive
The Executive interfaces with all the user-mode subsystems. It deals with I/O, object management, security and process management. It contains various components, including the I/O Manager, the Security Reference Monitor, the IPC Manager, the Virtual Memory Manager (VMM), a PnP Manager and Power Manager, and a Window Manager which works in conjunction with the Windows Graphics Device Interface (GDI). Each of these components exports kernel-only support routines that allow the components to communicate with one another; grouped together they are called the executive services. No executive component has access to the internal routines of any other executive component.
- I/O Manager: allows devices to communicate with user-mode subsystems. It translates user-mode read and write commands into read or write IRPs, which it passes to device drivers. It accepts file system I/O requests and translates them into device-specific calls, and can incorporate low-level device drivers that manipulate hardware directly to read input or write output. It also includes a cache manager that improves disk performance by caching read requests and writing to the disk in the background.
- Security Reference Monitor (SRM): this is the primary authority for enforcing the security rules of the security integral subsystem [1]. It determines whether an object or resource can be accessed by evaluating the object's access control lists (ACLs), which are made up of access control entries (ACEs). Each ACE names a trustee by security identifier (SID), that is, a user account, group account or logon session [2], and carries an access mask listing the operations it covers together with a type: allow or deny (in the discretionary ACL) or audit (in the system ACL). Because ACEs are evaluated in the order they appear, their placement in the ACL affects the result. [3] [4]
- IPC Manager: the Interprocess Communication Manager manages the communication between clients (the environment subsystems) and servers (components of the Executive). It has two facilities at its disposal: the Local Procedure Call (LPC) facility, for clients and servers on the same computer, and the Remote Procedure Call (RPC) facility, for clients and servers on different computers. Microsoft has had significant security issues with the RPC facility [5].
- Virtual Memory Manager: manages virtual memory, giving each process its own address space and backing physical memory with the paging file on disk. It controls the paging of memory between physical RAM and disk storage.
- Process Manager: handles process and thread creation and termination.
- PnP Manager: handles Plug and Play and supports device detection and installation at boot time. It is also responsible for stopping and starting devices on demand, for example when a bus gains a new device and a driver must be loaded to support it. Both FireWire and USB are hot-pluggable and rely on the PnP Manager to load, stop and start drivers. The PnP Manager interfaces with the HAL, with the rest of the executive as necessary, and with device drivers.
- Power Manager: deals with power events and generates power IRPs. When several devices request to be powered down at once, it coordinates those events and determines the best way of carrying them out.
- The display system has been moved (since Windows NT 4.0) from user mode into kernel mode as a device driver contained in the file Win32k.sys. There are two components in this device driver, the Window Manager and the GDI:
- Window Manager: responsible for drawing windows and menus. It controls the way that output is painted to the screen and handles input events (such as those from the keyboard and mouse), then passes messages to the applications that need to receive this input.
- GDI: the Graphics Device Interface is responsible for tasks such as drawing lines and curves, rendering fonts and handling palettes. Windows 2000 introduced native alpha blending into the GDI.
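The access check performed by the Security Reference Monitor described above is easier to reason about in code than in prose. The following is an added example written for this article, not code from Microsoft or the original page: a simplified model of the discretionary access check that walks a DACL in order, honours deny ACEs only for rights still outstanding, grants the owner READ_CONTROL and WRITE_DAC implicitly, and treats a NULL DACL and an empty DACL differently. The standard-right values follow winnt.h; the SIDs, tokens and ACLs in `demo()` are constructed sample data, and audit ACEs, privileges and generic-right mapping are deliberately left out.

```python
"""Model of the Windows NT discretionary access check performed by the SRM.

Added example for this article, not Microsoft's code.  It keeps the rules that
matter when reasoning about ACLs: ACEs are evaluated in DACL order; a deny ACE
for one of the caller's SIDs that covers any still-unsatisfied right rejects
the request; the owner always gets READ_CONTROL and WRITE_DAC; a NULL DACL
grants everything and an empty DACL grants nothing.  SACL (audit) ACEs,
privileges and generic-right mapping are omitted.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Access-mask bits: standard rights use their winnt.h values, the four
# object-specific rights are the NTFS file rights.
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_APPEND_DATA = 0x0004
FILE_EXECUTE = 0x0020
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
FULL_CONTROL = (FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_EXECUTE
                | DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER)

# Well-known SIDs used by the constructed sample data in demo().
SID_WORLD = "S-1-1-0"        # Everyone
SID_ADMINS = "S-1-5-32-544"  # BUILTIN\Administrators
SID_USERS = "S-1-5-32-545"   # BUILTIN\Users


@dataclass
class Ace:
    kind: str                   # "allow" or "deny"
    sid: str                    # trustee SID
    mask: int                   # rights this ACE covers
    inherit_only: bool = False  # INHERIT_ONLY_ACE: applies to children, not this object


@dataclass
class Token:
    user: str
    groups: List[str] = field(default_factory=list)
    # SE_GROUP_USE_FOR_DENY_ONLY groups (restricted tokens): they can match
    # deny ACEs but never grant anything.
    deny_only: List[str] = field(default_factory=list)


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]]   # None models a NULL DACL; [] is an empty DACL


def access_check(sd: SecurityDescriptor, token: Token, desired: int) -> bool:
    """Return True if the token may open the object with all `desired` rights."""
    if sd.dacl is None:
        return True                        # NULL DACL: no protection at all
    remaining = desired
    granting_sids = {token.user, *token.groups}
    denying_sids = granting_sids | set(token.deny_only)
    if sd.owner in granting_sids:           # owner's implicit rights
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace in sd.dacl:
        if remaining == 0:
            break
        if ace.inherit_only:
            continue
        if ace.kind == "deny" and ace.sid in denying_sids and ace.mask & remaining:
            return False                    # an outstanding right is explicitly denied
        if ace.kind == "allow" and ace.sid in granting_sids:
            remaining &= ~ace.mask
    return remaining == 0                   # anything never granted is implicitly denied


def demo() -> Dict[str, bool]:
    """Checks over constructed sample tokens and descriptors."""
    alice = Token("S-1-5-21-1000-2000-3000-1001", [SID_WORLD, SID_USERS])
    bob = Token("S-1-5-21-1000-2000-3000-500", [SID_WORLD, SID_USERS, SID_ADMINS])
    bob_restricted = Token(bob.user, [SID_WORLD, SID_USERS], deny_only=[SID_ADMINS])
    canonical = SecurityDescriptor(SID_ADMINS, [
        Ace("deny", SID_USERS, FILE_WRITE_DATA | FILE_APPEND_DATA),   # denies first
        Ace("allow", SID_USERS, FILE_READ_DATA | FILE_EXECUTE),
        Ace("allow", SID_ADMINS, FULL_CONTROL),
    ])
    # Non-canonical order: the allow precedes the deny, so WRITE slips through.
    misordered = SecurityDescriptor(SID_ADMINS, [
        Ace("allow", SID_USERS, FILE_READ_DATA | FILE_WRITE_DATA),
        Ace("deny", SID_USERS, FILE_WRITE_DATA | FILE_APPEND_DATA),
    ])
    empty = SecurityDescriptor(alice.user, [])
    return {
        "user_read": access_check(canonical, alice, FILE_READ_DATA),
        "user_write": access_check(canonical, alice, FILE_READ_DATA | FILE_WRITE_DATA),
        "admin_delete": access_check(canonical, bob, DELETE | WRITE_DAC),
        "restricted_admin_delete": access_check(canonical, bob_restricted, DELETE),
        "misordered_user_write": access_check(misordered, alice, FILE_WRITE_DATA),
        "null_dacl": access_check(SecurityDescriptor(SID_ADMINS, None), alice, FULL_CONTROL),
        "empty_dacl": access_check(empty, alice, FILE_READ_DATA),
        "empty_dacl_owner": access_check(empty, alice, READ_CONTROL | WRITE_DAC),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:26s} {'ALLOWED' if allowed else 'DENIED'}")
```

The `misordered` descriptor is the case a reviewer should look for when auditing ACLs: the same two ACEs as in `canonical`, but with the allow first, so the deny never gets a chance to apply. Windows tooling writes DACLs in canonical order (explicit denies before explicit allows), but a program that builds a DACL by hand is not forced to.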
Object manager
Each object instance stores its name, the parameters passed to the object creation function, its security attributes and a pointer to its object type. The object also carries an object close procedure and a reference count that tells the object manager how many other objects in the system reference it; the object manager uses that count to decide whether the object can be destroyed when a close request arrives [8].
Every object exists in a hierarchical object namespace.
Microkernel
The Microkernel sits between the HAL and the Executive and provides multiprocessor synchronisation, thread and interrupt scheduling and dispatching, and trap handling and exception dispatching. It interfaces frequently with the process manager. [9] The microkernel is also responsible for initialising, at boot, the device drivers needed to bring the operating system up.
Kernel-mode drivers
Windows 2000 uses kernel-mode device drivers to interact with hardware devices. Each driver exports well-defined system routines and internal routines to the rest of the operating system. User-mode code sees every device as a file object; inside the I/O manager the stack is represented by driver objects, device objects and file objects. Kernel-mode drivers exist in three levels: highest-level drivers, intermediate drivers and lowest-level drivers. The highest-level drivers, such as the FAT and NTFS file system drivers, rely on intermediate drivers. Intermediate drivers consist of function drivers (the main driver for a device), optionally sandwiched between lower-level and upper-level filter drivers. The function driver in turn relies on a bus driver (a driver that services a bus controller, adapter or bridge), which can have an optional bus filter driver sitting between itself and the function driver. Intermediate drivers rely on the lowest-level drivers to function. The Windows Driver Model (WDM) lives in the intermediate layer. The lowest-level drivers are either legacy Windows NT device drivers that control a device directly or PnP hardware bus drivers; they control hardware directly and do not rely on any other drivers.
Windows Driver Model
Windows 2000 introduced the Windows Driver Model (WDM) to the NT kernel. WDM sits in the intermediate layer of the Windows 2000 kernel-mode driver stack and was introduced to increase the functionality and ease of writing drivers for Windows. WDM was designed mainly to be binary and source compatible between Windows 98 and Windows 2000. Where that compatibility is not wanted, specific drivers can still be developed for either operating system. WDM consists of:
- Class drivers: these can be thought of as built-in framework drivers that miniport and other class drivers are built on top of. The class drivers provide the interfaces between the different levels of the WDM architecture. Functionality common to a class of devices is written once in the class driver and used by other class and miniport drivers. The lower edge of a class driver exposes its interface to the miniport driver, while the upper edge of a top-level class driver is operating-system specific. Class drivers can be dynamically loaded and unloaded at will. They perform class-specific functions that are not hardware or bus specific (with the exception of bus-type class drivers), and sometimes do nothing but class-specific functions such as enumeration.
- Miniport drivers: hardware-specific drivers for device classes such as USB, audio, SCSI and network adapters. They should usually be source and binary compatible between Windows 98 and Windows 2000; they are hardware specific but reach the hardware through the corresponding bus or class driver.
- Software bus drivers: Microsoft provides bus drivers for most common buses, such as PCI, PnP ISA, SCSI, USB and FireWire. A vendor can write its own bus driver if needed.
- OS services: this layer is all the operating system functionality that has been abstracted away from the miniport driver.
- Virtualisation drivers: have been part of Windows since Windows 3.0 and are used for legacy hardware.
In the layered architecture of Windows kernel-mode drivers, class and miniport drivers are function drivers.
Hardware Abstraction Layer
The Windows 2000 Hardware Abstraction Layer, or HAL, is a layer between the physical hardware of the computer and the rest of the operating system. It was designed to hide differences in hardware and therefore provide a consistent platform to run applications on. The HAL includes hardware specific code that controls I/O interfaces, interrupt controllers and multiple processors.
Early Windows 2000 builds supported the DEC Alpha, but Microsoft did not carry Alpha support beyond Beta 3 of Windows 2000. The shipping HAL supports only hardware compatible with the Intel x86 architecture.
Windows 2000 Core Features
All versions of Windows 2000 share certain features.
NTFS5
NTFS version 3.0 (commonly called NTFS 5, after the NT 5.0 kernel version) introduced disk quotas, file-system-level encryption (the Encrypting File System, EFS), sparse files and reparse points. Reparse points are the mechanism behind directory junctions, volume mount points, Hierarchical Storage Management, Native Structured Storage and Single Instance Storage. With these features Windows could compete with established file serving systems such as NetWare and Unix.
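A reparse point carries a small tagged blob, the REPARSE_DATA_BUFFER, which the file system hands to whichever filter owns the tag. For junctions and volume mount points the blob holds two names: the NT-namespace path the I/O manager actually follows (the substitute name, prefixed `\??\`) and a cosmetic print name shown to users. The following is an added example written for this article, not code from Microsoft or the original page. It builds junction buffers from constructed sample paths, parses them back while bounds-checking every offset and length taken from the buffer, and flags a junction whose print name does not describe its real target. The tag values and structure layout follow the public DDK header ntifs.h; the function names are this example's own.

```python
"""Parse and build NTFS reparse-point data (REPARSE_DATA_BUFFER).

Added example for this article, not Microsoft's code.  The header layout and
tag values follow the public DDK header ntifs.h; every buffer parsed here is
constructed in this file, so it runs on any platform.  Junctions and volume
mount points both use IO_REPARSE_TAG_MOUNT_POINT; the other two tags belong to
the Windows 2000 features named in the article.
"""
import struct
from typing import Dict

IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003  # directory junctions, volume mount points
IO_REPARSE_TAG_HSM = 0xC0000004          # Hierarchical Storage Management
IO_REPARSE_TAG_SIS = 0x80000007          # Single Instance Storage
TAG_NAMES = {
    IO_REPARSE_TAG_MOUNT_POINT: "IO_REPARSE_TAG_MOUNT_POINT",
    IO_REPARSE_TAG_HSM: "IO_REPARSE_TAG_HSM",
    IO_REPARSE_TAG_SIS: "IO_REPARSE_TAG_SIS",
}
NAME_SURROGATE_BIT = 0x20000000  # tag bit 29: the reparse point stands for another name

# ReparseTag (ULONG), ReparseDataLength (USHORT), Reserved (USHORT)
HEADER = struct.Struct("<IHH")
# SubstituteNameOffset, SubstituteNameLength, PrintNameOffset, PrintNameLength,
# all in bytes relative to PathBuffer; lengths exclude the UTF-16 NUL terminator.
MOUNT_POINT_FIELDS = struct.Struct("<HHHH")


def build_mount_point(substitute_name: str, print_name: str) -> bytes:
    """Encode a junction the way Windows lays it out (used here to make samples)."""
    sub = substitute_name.encode("utf-16-le")
    prn = print_name.encode("utf-16-le")
    path_buffer = sub + b"\x00\x00" + prn + b"\x00\x00"
    fields = MOUNT_POINT_FIELDS.pack(0, len(sub), len(sub) + 2, len(prn))
    data = fields + path_buffer
    return HEADER.pack(IO_REPARSE_TAG_MOUNT_POINT, len(data), 0) + data


def _wide_string(path_buffer: bytes, offset: int, length: int) -> str:
    # Offsets and lengths come from the (possibly hostile) buffer: bounds-check them.
    if length % 2 or offset + length > len(path_buffer):
        raise ValueError("name field lies outside PathBuffer")
    return path_buffer[offset:offset + length].decode("utf-16-le")


def parse_reparse_buffer(buf: bytes) -> Dict[str, object]:
    """Decode the header and, for mount points, both stored names."""
    if len(buf) < HEADER.size:
        raise ValueError("buffer shorter than REPARSE_DATA_BUFFER header")
    tag, data_len, _reserved = HEADER.unpack_from(buf, 0)
    data = buf[HEADER.size:HEADER.size + data_len]
    if len(data) != data_len:
        raise ValueError("ReparseDataLength exceeds the buffer")
    info: Dict[str, object] = {
        "tag": tag,
        "tag_name": TAG_NAMES.get(tag, "unknown"),
        "name_surrogate": bool(tag & NAME_SURROGATE_BIT),
    }
    if tag == IO_REPARSE_TAG_MOUNT_POINT:
        if len(data) < MOUNT_POINT_FIELDS.size:
            raise ValueError("mount point data truncated")
        sub_off, sub_len, prn_off, prn_len = MOUNT_POINT_FIELDS.unpack_from(data, 0)
        path_buffer = data[MOUNT_POINT_FIELDS.size:]
        info["substitute_name"] = _wide_string(path_buffer, sub_off, sub_len)
        info["print_name"] = _wide_string(path_buffer, prn_off, prn_len)
    return info


def junction_is_deceptive(info: Dict[str, object]) -> bool:
    """True when the display name does not match the NT path actually followed."""
    target = str(info["substitute_name"])
    if target.startswith("\\??\\"):      # strip the NT object-manager prefix
        target = target[4:]
    return target.lower() != str(info["print_name"]).lower()


# Constructed samples: an ordinary junction and one whose print name lies.
HONEST = build_mount_point("\\??\\C:\\Program Files", "C:\\Program Files")
DECEPTIVE = build_mount_point("\\??\\C:\\Windows\\System32", "C:\\Users\\Public\\Docs")
# A buffer whose SubstituteNameLength points past the end of PathBuffer.
OUT_OF_BOUNDS = (HEADER.pack(IO_REPARSE_TAG_MOUNT_POINT, MOUNT_POINT_FIELDS.size + 4, 0)
                 + MOUNT_POINT_FIELDS.pack(0, 0xFFFE, 0, 0) + b"A\x00B\x00")

if __name__ == "__main__":
    for name, sample in (("honest", HONEST), ("deceptive", DECEPTIVE)):
        parsed = parse_reparse_buffer(sample)
        print(name, parsed["substitute_name"], "->", parsed["print_name"],
              "DECEPTIVE" if junction_is_deceptive(parsed) else "ok")
```

Two points carry over to real tooling: only the substitute name decides where the I/O manager goes, so any audit or backup tool must report that field rather than the print name; and because both offsets and lengths are read from disk, a parser that trusts them will read out of bounds on a corrupt or crafted volume, which is why `_wide_string` checks them before slicing.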
Encrypting File System
The Encrypting File System (EFS) introduced strong encryption into the Windows file world. Any folder or drive can be encrypted, and once enabled the encryption is transparent to applications. When this was written (February 2004), no published attack had compromised its encryption; in practice its strength rests on the protection of the user's private key and of any configured recovery agent keys, not on the cipher alone.
Versions
Windows 2000 Professional
Windows 2000 Professional is designed as a desktop operating system for business environments. It offers greater security and stability than previous Windows desktop operating systems. It supports up to two processors and can address up to 4 GB of RAM.
Windows 2000 Server
The various server products share the same user interface as Windows 2000 Professional, but contain additional components for running infrastructure and application software. A significant component of the server products is Active Directory, an enterprise-wide directory service based on LDAP. Microsoft also integrated Kerberos network authentication, replacing the often-criticised NT 4 authentication system. This also made the trusts between Windows 2000 domains in a forest two-way and transitive (a forest being a collection of one or more Windows 2000 domains that share a common schema, configuration and global catalog). Furthermore, Windows 2000 introduced a DNS server supporting dynamic updates, which allows hosts to register their own IP addresses.
Windows 2000 Advanced Server
Windows 2000 Advanced Server is a variant of Windows 2000 Server operating system designed for medium-to-large businesses.
A 64-bit Limited Edition of Windows 2000 Advanced Server was made available through the OEM channel.
Windows 2000 Datacenter Server
Windows 2000 Datacenter Server is a variant of Windows 2000 Server designed for large businesses that move large quantities of confidential or sensitive data frequently through a central server.
Its minimum system requirements are modest, but it scales to very large machines:
- A Pentium-class CPU at 400 MHz or higher; up to 32 processors are supported in one machine
- 256 MB of RAM; up to 64 GB is supported in one machine
- Approximately 1 GB of available disk space
Total Cost of Ownership
Microsoft commissioned a firm to compare the total cost of ownership (TCO) of Windows 2000 and Linux for several enterprise workloads: four infrastructure tasks (such as security) and web serving. According to the report, Windows 2000 had a lower TCO for the four infrastructure items, but Linux had a lower TCO for web serving. The claim has attracted considerable controversy, including:
- Claims that the tests were run on machines of different specification, giving Microsoft an unfair advantage
- Claims that, since Microsoft paid for the report, its neutrality is in question
Criticisms
One concern with Windows 2000 (as with previous versions of NT) is the lack of an option to create a bootable DOS diskette. Unlike the DOS-based versions of Windows (Windows 95, Windows 98, Windows Me), Windows 2000 gives the user no way to make one. While this is not a major issue for the average user, there are times when a DOS boot diskette is required (for example when performing a BIOS upgrade), and in such cases some users have turned to third-party sources for boot diskettes, such as BootDisk.com.
An alternative to the bootable diskette is the Recovery Console. As diskettes become obsolete, the main alternative boot device is the CD-ROM drive, and users can reach the Recovery Console by booting from the installation disc. The Recovery Console provides basic command-line functionality, including commands to enable and disable Windows services. It can also be installed onto an existing Windows 2000 installation so that it appears as an option in the boot menu, which is more convenient than booting from CD-ROM, but this is not well documented by Microsoft.
Windows NT introduced permissions on Registry keys. Windows 2000 shipped both the Windows 9x REGEDIT.EXE program and NT's REGEDT32.EXE program. REGEDIT.EXE had a left-side tree view that began at "My Computer" and listed all loaded hives. REGEDT32.EXE also had a left-side tree view, but each hive had its own window, so the tree displayed only keys. REGEDIT.EXE represented the three components of a value (its name, type and data) as separate columns of a table; REGEDT32.EXE represented them as a list of strings. REGEDIT.EXE was written for the Win32 API and supported right-clicking entries in the tree view to adjust properties and other settings. REGEDT32.EXE was written for the NT 3.x API and required all actions to be performed from the top menu bar. Because REGEDIT.EXE was ported directly from Windows 98, it did not support permission editing (permissions do not exist on Windows 9x). The only way to access the full functionality of an NT registry was therefore REGEDT32.EXE, which many considered inefficient and out of date. Windows XP was the first version to merge the two programs into one, adopting the REGEDIT.EXE behaviour and adding the NT-only functionality.
Notes
- ^ Microsoft. Active Directory Data Storage.
- ^ MSDN. Trustee definition.
- ^ Siyan, Karanjit S. (2000).
- ^ MSDN. ACE definition.
- ^ Microsoft has had numerous security issues caused by vulnerabilities in its RPC mechanisms. The security bulletins Microsoft has issued for RPC vulnerabilities include:
- Microsoft Security Bulletin MS03-026 ("Buffer Overrun in RPC May Allow Code Execution"): a vulnerability in the part of RPC that handles message exchange over TCP/IP, caused by incorrect handling of malformed messages. It affects a Distributed Component Object Model (DCOM) interface exposed over RPC, which listens on RPC-enabled ports.
- Microsoft Security Bulletin MS03-001: a security vulnerability resulting from an unchecked buffer in the Locator service. By sending a specially malformed request to the Locator service, an attacker could cause the service to fail, or run code of the attacker's choice on the system.
- Microsoft Security Bulletin MS03-010: this vulnerability affects the RPC Endpoint Mapper process, which listens on TCP/IP port 135. The RPC Endpoint Mapper allows RPC clients to determine the port number currently assigned to a particular RPC service. To exploit this vulnerability, an attacker would need to establish a TCP/IP connection to the Endpoint Mapper process on a remote machine. Once the connection was established, the attacker would begin the RPC connection negotiation before transmitting a malformed message. At this point, the process on the remote machine would fail. The RPC Endpoint Mapper process is responsible for maintaining the connection information for all of the processes on that machine using RPC. Because the Endpoint Mapper runs within the RPC service itself, exploiting this vulnerability would cause the RPC service to fail, with the attendant loss of any RPC-based services the server offers, as well as potential loss of some COM functions.
- Microsoft Security Bulletin MS04-029 ("Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service"): an RPC Runtime library vulnerability tracked as CAN-2004-0569.
- Microsoft Security Bulletin MS00-066: a remote denial of service vulnerability in RPC. Blocking ports 135-139 and 445 at the network perimeter stops the attack from outside.
- Microsoft Security Bulletin MS03-039: "There are three newly identified vulnerabilities in the part of RPCSS Service that deals with RPC messages for DCOM activation- two that could allow arbitrary code execution and one that could result in a denial of service. The flaws result from incorrect handling of malformed messages. These particular vulnerabilities affect the Distributed Component Object Model (DCOM) interface within the RPCSS Service. This interface handles DCOM object activation requests that are sent from one machine to another. An attacker who successfully exploited these vulnerabilities could be able to run code with Local System privileges on an affected system, or could cause the RPCSS Service to fail. The attacker could then be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges. To exploit these vulnerabilities, an attacker could create a program to send a malformed RPC message to a vulnerable system targeting the RPCSS Service."
- Microsoft Security Bulletin MS01-041: "Several of the RPC servers associated with system services in Microsoft Exchange Server, SQL Server, Windows NT 4.0 and Windows 2000 do not adequately validate inputs, and in some cases will accept invalid inputs that prevent normal processing. The specific input values at issue here vary from RPC server to RPC server. An attacker who sent such inputs to an affected RPC server could disrupt its service. The precise type of disruption would depend on the specific service, but could range in effect from minor (e.g., the service temporarily hanging) to major (e.g., the service failing in a way that would require the entire system to be restarted)."
- ^ Mark Russinovich (October 1997). Inside NT's Object Manager. Introduction.
- ^ Mark Russinovich (October 1997). Inside NT's Object Manager. "Object Types".
- ^ Mark Russinovich (October 1997). Inside NT's Object Manager. "Objects".
- ^ Inside Microsoft Windows 2000 (Third Edition). Microsoft Press.
References
- Finnel, Lynn (2000). MCSE Exam 70-215, Microsoft Windows 2000 Server. Chapter 1, "Introduction to Microsoft Windows 2000", pp. 7-18. Microsoft Press. ISBN 1-57231-903-8.
- Microsoft. "Running Nonnative Applications in Windows 2000 Professional". Windows 2000 Resource Kit. Retrieved May 4, 2005.
- Microsoft. "Active Directory Data Storage". Retrieved May 9, 2005.
- Russinovich, Mark (October 1997). "Inside NT's Object Manager". Windows IT Pro.
- Siyan, Karanjit S. (2000). Windows 2000 Professional Reference. New Riders. ISBN 0-7357-0952-1.
- Solomon, David A.; Russinovich, Mark E. (2000). Inside Microsoft Windows 2000 (Third Edition). Microsoft Press. ISBN 0-7356-1021-5.
External links
- Official Page
- Windows 2000 Server comparison chart
- GUIdebook: Windows 2000 Gallery – A website dedicated to preserving and showcasing Graphical User Interfaces