
Windows 7 Administration Training

Getting Started With Windows 7 Administration Training

Instructor: Scott Lowe

In This Lesson:
- What we're building
- About your instructor
- About the course
- Before you begin
- How to use the course

What We're Building

In this course, we'll be creating a complete Windows 7 deployment plan that includes:
- Real business justifications for moving to Windows 7 at Globomantics, a pharmaceutical distributor with offices nationwide and a growing mobile sales force
- Processes that make Windows 7 deployment a breeze and add to the Globomantics bottom line
- Ways to use Windows 7's exciting new features to improve the security of the desktop environment and keep Globomantics within regulatory compliance parameters
- Methods to optimize Windows 7 performance and eke out every ounce of capability to extend the life of the desktop investment

About Your Instructor

Scott Lowe
- Chief Information Officer, Westminster College, Fulton, MO
- Prolific author of more than 1,000 technical articles and three books
- Microsoft Certified Systems Engineer
- Frequent early adopter of new technologies, including Windows 7!
- Seasoned IT pro with more than sixteen years of experience
- Father of 2, husband of 1
  - 6-year-old son is proficient with his iPod Touch and Internet Explorer

About the Course

- A high-level overview of the course
  - Getting started with Windows 7 features, deployment and configuration
  - Managing Windows 7 mobility and security features
  - Configuring and managing applications and shared resources
  - Maintaining and optimizing Windows 7

Before You Begin

- Understand a few underpinnings, including
  - Basic IPv4 and IPv6 address structures and requirements
  - Overall Active Directory concepts, including structures, user groups, organizational units
- Expand your foundational knowledge with these Train Signal products
  - Group Policy, Active Directory, TCP/IP Networking Fundamentals

How to Use the Course

- Follow along at home
  - Best possible certification preparation!
  - Use the Lab Setup lesson to learn how to build your own complete lab environment
  - Download trial Windows Server 2008 R2 software from Microsoft for the server build-out
- Make sure to take notes along the way
  - Note the timestamp for particularly interesting topics so you can come back later to review
- Watch the videos in any order you like
  - If something doesn't make sense, go back and try it again
  - If you still don't quite get it, let us know in the Train Signal forums

How to Use the Course

- Before you take the certification exam
  - Watch the lesson entitled How to use Transcender to Prepare for a Certification Exam
  - Watch the Preparing for Your MCTS: 70-680 Certification Exam lesson at the end of this course

What We Covered
- What we're building
- About your instructor
- About the course
- Before you begin
- How to use the course

Lab Setup

In This Lesson:
- Globomantics corporate network
- Globomantics locations
- Headquarters network details
- Large regional office network details
- Small regional office network details
- Globomantics network diagram - logical
- Lab overview
- Lab network diagram - physical

Globomantics Corporate Network

- The Windows 7 implementation team is focused on creating a deployment template for one of each location type
- Each location type is replicated in the course lab
  - Headquarters (Columbia, MO)
  - Large regional office: Southwest office (Scottsdale, AZ)
  - Small regional office: Northeast office (Utica, NY)
  - Mobile worker

Globomantics Locations (map): Globomantics HQ; Southwest Office, Scottsdale, AZ; Northeast Office, Utica, NY; Seattle, WA; Germantown, MD; Dallas, TX; Miami, FL

Headquarters

- Headquarters server naming convention
  - Example: GM-File - The file server for HQ
- Network details for HQ
  - IP address range: 172.16.5.1 to 172.16.5.254
  - Subnet mask: 255.255.255.0
  - Gateway: 172.16.5.254
  - DNS: 172.16.5.1

Large Regional Office

- Large regional office server naming convention
  - Example: GM-SW-File - The file server for the Southwest regional office
- Network details for Scottsdale, AZ large regional office
  - IP address range: 172.16.6.1 to 172.16.6.254
  - Subnet mask: 255.255.255.0
  - Gateway: 172.16.6.254
  - DNS: 172.16.6.1

Small Regional Office

- Small regional offices (Example: Northeast regional office) do not have dedicated servers
- Network details for Utica, NY small regional office
  - IP address range: 172.16.7.1 to 172.16.7.254
  - Subnet mask: 255.255.255.0
  - Gateway: 172.16.7.254
  - DNS: 172.16.5.1 (HQ DNS server)

Globomantics Corporate Network Diagram

Globomantics Corporate Headquarters
- Network: 172.16.5.0, Subnet Mask: 255.255.255.0, Gateway: 172.16.5.254, DNS: 172.16.5.1
- GM-DC: Domain Controller (globomantics.com), DNS server, Windows 2008 R2, 172.16.5.1
- GM-Remote: Globomantics Remote Access Server, Windows 2008 R2, 172.16.5.2
- GM-File: Globomantics File and Print Server, Windows 2008 R2, 172.16.5.3
- GM-General: Globomantics General Purpose Server, Windows 2008 R2, 172.16.5.4
- Firewall: Inside 172.16.5.254, Outside 192.168.10.5

Southwest Office
- Network: 172.16.6.0, Subnet Mask: 255.255.255.0, Gateway: 172.16.6.254, DNS: 172.16.6.1
- GM-SW-File: Southwest Office File Server, DNS server, Windows 2008 R2, 172.16.6.1
- Firewall: Inside 172.16.6.254, Outside 192.168.10.6

Northeast Office
- Network: 172.16.7.0, Subnet Mask: 255.255.255.0, Gateway: 172.16.7.254, DNS: 172.16.5.1
- Firewall: Inside 172.16.7.254, Outside 192.168.10.7

Client systems
- GM-7-XXX: Globomantics Windows 7 Desktop Naming Convention, DHCP-assigned IP address
- GM-7-M-XXX: Globomantics Windows 7 Mobile Naming Convention, DHCP-assigned IP address

Diagram label: To other sites

Lab Overview

- For this course
  - The various servers and Windows 7 workstations used in this course run on a Windows Server 2008 R2 Data Center machine under Hyper-V R2
  - The Hyper-V R2 server is a Dell PowerEdge 2950 server with 32 GB RAM, 2 x quad core Xeon processors and just under 1 TB of disk space (RAID 5)
  - Each Globomantics site is connected on a separate network adapter in the Hyper-V R2 server
  - Each network adapter is connected to an actual firewall and then to my lab/home network

Lab Overview

- For this course
  - All servers are running Windows Server 2008 R2 RTM
  - Each server has 1 GB of RAM assigned
  - Windows Server 2008 R2 180-day trial software is available for download from http://www.microsoft.com/windowsserver2008/en/us/trialsoftware.aspx
- My lab goal: Mimic as closely as possible a real-world multisite environment

Physical Lab Configuration

Server
- PowerEdge 2950, 32 GB RAM, 2 x Xeon X5355, 8 cores, Windows 2008 R2, Hyper-V R2

VMs
- HQ: GM-DC, GM-Remote, GM-File, GM-General, Desktops
- Large Regional: GM-SW-File, Desktops
- Small Regional: Desktops
- Other needs: Mobile workers

Network adapters
- NIC1: 172.16.5.254, Firewall, 192.168.10.5
- NIC2: 172.16.6.254, Firewall, 192.168.10.6
- NIC3: 172.16.7.254, Firewall, 192.168.10.7
- NIC4: Router, 192.168.0.1, 255.255.0.0

Other addresses shown: 192.168.0.197, 172.16.5.253, 172.16.6.253, 172.16.7.253

Diagram labels: Hyper-V R2 server management; To other computers in my home; To Internet

The Course Scenario

In This Lesson:
- About Globomantics
- The Globomantics regulatory environment
- Recent security breach
- Globomantics cost structure
- Globomantics office locations
- Specific technology challenges
- Immediate needs
- Large regional office needs
- Small regional office needs
- Mobile worker needs
- Windows 7 project plan

About Globomantics

- Rapidly growing distributor of pharmaceuticals
  - Sells direct to consumers via the Internet
  - Sells to doctors' offices via mobile sales force
  - Sells to pharmacies via mobile sales force
- Expanding mobile sales force
  - Mobile workers need secure access to HQ
  - Ease-of-use is critical
- Related Windows 7 technologies
  - DirectAccess, VPN, BranchCache, Location-aware printing, Power management

The Globomantics Regulatory Environment

- Subject to numerous regulatory statutes
  - HIPAA
  - FTC consumer regulations
  - PCI
- Security is a priority
  - Protect customer health information
  - The company must be PCI compliant
- Related Windows 7 technologies
  - DirectAccess, VPN, encryption

Recent Security Breach

- A high-level finance employee's laptop was stolen
  - The laptop hard drive contained very sensitive employee and customer information
- Business impact
  - Globomantics suffered a significant fine and major PR fallout
  - Globomantics senior management has directed the technology division to implement full-disk encryption on all mobile systems
- Related Windows 7 technologies
  - BitLocker, BitLocker-To-Go, Encrypting File System (EFS), Windows Firewall, User Account Control, Windows Updates

Globomantics Cost Structure

- Globomantics is concerned about the ever-rising cost of technology
  - New initiatives must show a quick ROI
  - Where possible, avoid cost increases
  - Willing to expand IT department and spending, but only when absolutely necessary
- Business impact
  - New technologies must be carefully evaluated
  - The CIO thinks that Windows 7 features will show good ROI
- Related Windows 7 technologies
  - BranchCache, BitLocker, DirectAccess, Automated deployment, Performance monitoring

Globomantics Office Locations

- Headquarters
  - Columbia, Missouri (pilot site)
- Primary regional offices
  - Scottsdale, Arizona (pilot site)
  - Germantown, Maryland
  - Seattle, Washington
  - Dallas, Texas
  - Miami, Florida
- Secondary offices
  - Utica, New York (pilot site)
  - Sixteen others scattered throughout the states

Globomantics Office Locations Map: Globomantics HQ; Southwest Office, Scottsdale, AZ; Northeast Office, Utica, NY; Seattle, WA; Germantown, MD; Dallas, TX; Miami, FL

Specific Technology Challenges

- Some Globomantics users are experiencing specific problems
  - Performance problems with Windows Vista 64-bit
  - Globomantics financial system runs only on Windows XP
- Related Windows 7 technologies
  - 64-bit architecture, Windows XP Mode

Immediate Needs

- Globomantics' quick growth has had a number of results
  - A large desktop/laptop purchase supporting new employees is pending
  - Some new employees will work from their homes
- Related Windows 7 technologies
  - Automated deployment, DirectAccess, Location-aware printing

Large Regional Office Needs

- Many HQ services accessed over a site-to-site connection
- Challenge: Files are not always synchronized between HQ and the large regional office file server in a timely manner
- Challenge: Bandwidth costs have been rising as traffic between large office and HQ grows
- Challenge: When mobile workers visit the office, they complain of problems printing documents

Small Regional Office Needs

- Small regional offices (Example: Northeast regional office) do not have dedicated servers
- All systems access Globomantics HQ over the Internet
- Challenge: Small offices are bandwidth-bound, resulting in loss of productivity as the Internet slows down
- Challenge: Adding bandwidth is expensive
- Challenge: Given the recent security breach, there is concern about the security of small office connectivity to HQ
- Challenge: When mobile workers visit the office, they complain of problems printing documents

Mobile Worker Needs

- Mobile workers work from their home, hotels and cars
- Challenge: A recent security breach has resulted in a directive to encrypt all mobile worker hard drives
- Challenge: Mobile workers have complained about their inability to access all HQ-based behind-the-firewall employee resources, resulting in lost productivity
- Challenge: Printing at regional offices

Windows 7 Project Plan

- The Globomantics CIO has appointed us to
  - Evaluate individual Windows 7 features for suitability against business goals
  - Develop a Windows 7 implementation plan
  - Create a deployment template for each pilot site type
  - Deploy Windows 7 with business-necessary features
  - Ensure that Windows 7 systems are operating at peak efficiency to realize maximum ROI
- Implementation team
  - Me, a consultant helping you evaluate Windows 7
  - You, a desktop specialist at Globomantics

Introduction to Windows 7

In This Lesson:
- Business objectives
- User interface enhancements
- BranchCache
- DirectAccess
- BitLocker and BitLocker To Go
- AppLocker
- Windows XP Mode
- Group Policy enhancements
- Improved power management
- 32-bit vs. 64-bit Windows 7
- Windows 7 editions comparison matrix

Scenario

- Windows 7 is the first version of Windows capable of unseating Windows XP as the corporate standard
- Globomantics sees major possibilities with Windows 7 and the CIO understands a lot of the appeal
- The company CIO wants to understand Windows 7's new security features and mobility capabilities as well as simply understanding what's changed since older versions of Windows

Business Objectives

- Improve security in order to reassure customers that Globomantics takes their privacy seriously
- Improve employee productivity to increase sales and reduce expenses
- Contain rising communications infrastructure costs
- Maintain current, or close to current, levels of staffing in Information Technology

User Interface Enhancements

- Taskbar
- Aero Peek
- Aero Snap
- Aero Shake

BranchCache

- New to Windows 7
- Requires Windows Server 2008 R2
- Expected Business Outcomes
  - Allow Globomantics remote offices to cache HQ-based content on a local Windows Server 2008 R2 server or Windows 7 desktop
  - Reduce bandwidth costs

BranchCache Operational Diagram (labels): Headquarters; GM-File (Globomantics File and Print Server); GM-SW-File (Southwest Regional Office File Server); GM-7-XXX (Globomantics Windows 7 Desktop); Southwest Office; Northeast Office

DirectAccess

- New to Windows 7 and can replace traditional VPNs
- Requires Windows Server 2008 R2 as a host (GM-Remote)
- Expected Business Outcomes
  - Remote and mobile workers enjoy seamless access to Globomantics HQ IT services
  - Globomantics can remotely install software updates to mobile worker computers and enforce policies
  - The ability to include remote computers in new policy updates improves regulatory compliance measures

BitLocker and BitLocker To Go

- Improved in Windows 7
- Provides full disk encryption services
- Encrypts USB-based removable storage devices
- Expected Business Outcomes
  - Mobile system security is vastly improved, leading to greater customer confidence and fewer regulatory issues
  - Centralized encryption keys mean fewer headaches for IT staff

AppLocker

- New in Windows 7
- Evolved from Software Restriction Policies
- Provides granular application control to help prevent execution of unauthorized software
- Expected Business Outcomes
  - Improve overall security of the Globomantics desktop environment
  - Maintain high levels of productivity by denying use of unauthorized software and reducing malware infestations

Windows XP Mode

- New in Windows 7
- Leverages virtualization technology to ensure software compatibility
- Runs software inside a virtualized copy of Windows XP SP3 delivered to the Windows 7 desktop via RDP
- Expected Business Outcomes
  - Globomantics financial application will run under Windows 7 using Windows XP Mode
  - Migration to Windows 7 will be streamlined

Windows XP Mode Operational Diagram

Group Policy Enhancements

- Windows 7 includes dozens of new Group Policies providing more centralized management of the environment
- Expected Business Outcomes
  - Globomantics will enjoy improved security through centralized enforcement of Group Policies
  - Desktop management TCO is reduced through efficient, centralized resource management

Improved Power Management

- Windows 7 is much more granular in managing power
  - Even audio chips are power-managed
  - Ambient light sensors are now supported
- Expected Business Outcomes
  - Reduced power bills for Globomantics
  - Longer battery life for mobile workers equates to increased productivity

32-bit vs. 64-bit

- 64-bit editions of Windows are increasing in popularity
  - Support for large memory needs
- 32-bit RAM limit: 4 GB (Starter 2 GB)
- 64-bit RAM limit
  - Professional, Enterprise, Ultimate: 192 GB
  - Home Premium: 16 GB
  - Home Basic: 8 GB

32-bit vs. 64-bit

- 64-bit considerations
  - Processor must support 64-bit operating systems
  - Software must be compatible with 64-bit OS (or, use Windows XP Mode)
  - Hardware devices must have available 64-bit drivers
  - Cannot upgrade from 32-bit to 64-bit: Must reinstall

Windows 7 Editions Comparison Matrix

Editions (columns): Starter, Home Basic, Home Premium, Professional, Enterprise, Ultimate

Features (rows):
- User interface enhancements
- BranchCache
- DirectAccess
- BitLocker
- AppLocker
- Windows XP Mode
- Group Policy enhancements
- Improved power management
- 32- and 64-bit editions

What We Covered

- Business objectives
- User interface enhancements
- BranchCache
- DirectAccess
- BitLocker and BitLocker To Go
- AppLocker
- Windows XP Mode
- Group Policy enhancements
- Improved power management
- 32-bit vs. 64-bit Windows 7
- Windows 7 editions comparison matrix

Installing Windows 7

In This Lesson:
- Identifying Windows 7 requirements
- Upgrade and migration limitations
- Upgrading between Windows 7 editions
- Installing Windows 7
- Upgrading Windows Vista to Windows 7
- Dual booting Windows 7
- Migrating from Windows XP to Windows 7
- Migrating user profiles with Windows Easy Transfer
- User State Migration Tool

Scenario

- Windows 7 is the first version of Windows capable of unseating Windows XP as the corporate standard
- Globomantics sees major possibilities with Windows 7 and the CIO understands a lot of the appeal
- The company CIO wants to understand Windows 7's new security features and mobility capabilities as well as simply understanding what's changed since older versions of Windows
- Globomantics pilot project
  - Will use a combination of installations
  - Existing Vista machines will simply be upgraded to Windows 7 - apps already work
  - Windows XP machines will dual boot with Windows 7

Identifying Windows 7 Requirements

- Different Windows 7 editions have different requirements
- Use the Windows 7 Upgrade Advisor
  - Verifies that hardware is ready for Windows 7
  - Checks installed software for Windows 7 compatibility
  - If problems are found and there are solutions, those solutions are presented

Windows 7 Requirements Matrix

Editions (columns): Starter, Home Basic, Home Premium, Professional, Enterprise, Ultimate

- Processor: 1 GHz or faster minimum
- RAM: 32-bit: 1 GB or 64-bit: 2 GB
- Disk Space: 32-bit: 16 GB or 64-bit: 20 GB
- Graphics: DirectX 9 graphics processor; DirectX 9 graphics processor with WDDM
- 512 MB (shown in the Starter column)

Upgrade and Migration Limitations

- Upgrade limitations
  - Upgrades cannot be performed between 32-bit and 64-bit systems
    - To move from 32-bit to 64-bit or back, you must perform a new installation
  - You cannot upgrade from Windows XP and earlier versions of Windows to Windows 7; you must migrate instead
    - You must perform a new installation or a dual-boot installation
    - Move user files from Windows XP to new Windows 7 system

Upgrading Between Windows 7 Editions

- Windows Anytime Upgrade
  - Upgrade to more feature-filled editions of Windows 7 by using Windows Anytime Upgrade
  - Only 32-bit to 32-bit and 64-bit to 64-bit Anytime upgrades are allowed
    - You cannot upgrade from 32-bit to 64-bit or downgrade from 64-bit to 32-bit
  - You cannot downgrade editions
    - You can only move up the edition chart, not down

Upgrades

Windows 7 Editions (columns): Starter, Home Basic, Home Premium, Professional, Enterprise, Ultimate

- Windows Vista (SP1, SP2): Home Basic, Home Premium, Business, Enterprise, Ultimate
  - 32-bit to 32-bit or 64-bit to 64-bit only
- Windows 7 Anytime Upgrade: Starter, Home Basic, Home Premium, Professional, Enterprise, Ultimate
  - 32-bit to 32-bit or 64-bit to 64-bit only

Installing Windows 7

- Installation options for a new machine
  - Clean installation: new machine with no existing operating system
  - Dual boot installation: run two operating systems side-by-side on the same computer
  - Upgrade: in-place upgrade to Windows 7 from Windows Vista
  - Migration: upgrade to Windows 7 from Windows Vista or Windows XP

Installing Windows 7

- Installation types
  - Standard installation
    - For the initial phase of the pilot project being covered in this lesson, Globomantics will focus on standard installations
  - Unattended installation
    - Allows an administrator a mostly hands-off installation
    - We will cover automated installations in the Deploying Windows 7 Machines lesson

Installing Windows 7

- Media options
  - DVD: included in Windows 7 retail boxes and often created after downloading an ISO file and burning it
  - ISO: generally used by those with Microsoft licensing agreements
  - USB drive: allows administrators to customize the installation source
  - Network share: used with automated installations

Upgrading Windows Vista to Windows 7

- Only Windows Vista supports an in-place upgrade to Windows 7
- At the end of the upgrade, the system operates just like it did before, except with Windows 7
- Documents, files, and applications remain intact and in place
- If the upgrade fails, the system rolls back to Windows Vista
- An upgrade from Windows Vista to Windows 7 is initiated from a running Vista system

Windows Vista to Windows 7 Upgrade Walkthrough

Dual Booting Windows 7

- Dual booting allows users to select the operating system that will be loaded at boot time
- During the early pilot phase of the Windows 7 implementation project, Globomantics Windows 7 pilot desktops will be dual booted between Windows XP and Windows 7
  - Easier for staff to revert to Windows XP in the event of an unanticipated problem
- The computer must have one of the following
  - Dual hard drives
  - Enough space to create a second partition to which Windows 7 will be installed
    - Partitions are discussed in the lesson entitled Understanding Windows 7 Storage

Dual Booting Windows 7

- Windows 7 can dual boot - run side-by-side - with a variety of operating systems, including Windows XP, Vista, Linux and more
- Steps
  - Make sure you have your Windows 7 media and product key
  - Partition the hard drive to make room for Windows 7
    - For Windows XP, use GParted, an open source tool
    - Windows Vista has its own partitioning tools
    - Can also simply add a second hard drive
  - Install Windows 7 onto the new partition/drive

Dual Booting Windows 7

- Post dual boot walkthrough steps
  - Choosing the default operating system
    - GUI: Via the Control Panel
    - Command line: Using the BCDEDIT utility
      - Requires a command prompt executed with administrator privileges
- Important notes
  - The Windows 7 installation is a new installation
    - Applications need to be reinstalled
    - User profiles and data need to be migrated
  - Migrating profiles is covered in the next section
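
The command-line route above, as an added example that is not part of the course material: a PowerShell script that checks for elevation, lists the boot entries, backs up the boot store and makes one entry the default. The parameter names and the backup file name are assumptions, and the parsing assumes English-language bcdedit output.

```powershell
# Added example: choose the default boot entry on a dual-boot system with bcdedit.
# Parameter names ($Description, $TimeoutSeconds, $Apply) are hypothetical.
param(
    [string]$Description = 'Windows 7',   # text to match in an entry's description
    [int]$TimeoutSeconds = 15,            # seconds the boot menu waits
    [switch]$Apply                        # without -Apply the script only reports
)

# bcdedit needs administrator rights, so stop early in a non-elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Run this script from an elevated (administrator) prompt.'
}

# Parse "bcdedit /enum" into one object per boot entry.
# Assumption: field names are the English "identifier" and "description".
$entries = @()
$current = $null
foreach ($line in (bcdedit /enum)) {
    if ($line -match '^identifier\s+(\{[^}]+\})') {
        $current = New-Object PSObject -Property @{ Identifier = $Matches[1]; Description = '' }
        $entries += $current
    } elseif ($current -and $line -match '^description\s+(.+?)\s*$') {
        $current.Description = $Matches[1]
    }
}

# {bootmgr} is the boot manager itself, not an operating system entry.
# On an XP/Windows 7 dual boot, Windows XP normally appears as {ntldr}
# with the description "Earlier Version of Windows".
$osEntries = @($entries | Where-Object { $_.Identifier -ne '{bootmgr}' })
$osEntries | Format-Table Identifier, Description -AutoSize | Out-String | Write-Host

# Require exactly one match so an ambiguous description never changes the store.
$candidates = @($osEntries | Where-Object { $_.Description -like "*$Description*" })
if ($candidates.Count -ne 1) {
    throw "Expected exactly one entry matching '$Description', found $($candidates.Count)."
}
$targetId = $candidates[0].Identifier

if (-not $Apply) {
    Write-Host "Would set default to $targetId with a $TimeoutSeconds second timeout."
    return
}

# Export the boot store first so the change can be undone with "bcdedit /import".
$backup = Join-Path $env:TEMP ('bcd-backup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
bcdedit /export $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'bcdedit /export failed; boot store left unchanged.' }

# The identifier is passed in a variable. When typing one literally in PowerShell,
# quote it ('{ntldr}'), because bare braces start a script block.
bcdedit /default $targetId
if ($LASTEXITCODE -ne 0) { throw "bcdedit /default failed; backup is at $backup" }

bcdedit /timeout $TimeoutSeconds
if ($LASTEXITCODE -ne 0) { throw "bcdedit /timeout failed; backup is at $backup" }

Write-Host "Default boot entry is now $targetId. Backup saved to $backup."
```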


Windows XP to Windows 7 Dual Boot Walkthrough

Migrating from Windows XP to Windows 7

- Windows XP cannot be upgraded to Windows 7
  - You must instead perform either a new/clean installation or dual boot the system
- After installation, applications must be reinstalled
- Migrate user profiles and data from Windows XP to Windows 7
  - If you installed Windows 7 in a dual boot configuration, you also need to migrate user profiles and data

Windows XP to Windows 7 Migration Walkthrough

Migrating User Profiles

- Roaming profiles negate the need for migrating profiles between machines
  - Globomantics does not use roaming profiles due to network bandwidth requirements
- Local user profiles include
  - Documents and other files
  - Internet bookmarks
  - Backgrounds
  - E-mail account information
  - Custom application settings
  - Windows settings
- For a few initial phase pilot users, Globomantics will migrate profiles from XP to Windows 7

Windows Easy Transfer

- Windows Easy Transfer - Transfers information between Windows installations
- Supports a number of data transfer methods
  - Easy Transfer cable: connects two computers via their USB ports
  - Network: transfer data between computers over the network (Globomantics option)
  - Portable hard drive: save profile information from source system to a portable drive and load to new system
  - CD/DVD media: same as above, except with a CD or DVD

User State Migration Tool (USMT)

- Automates user profile migration
- Well-suited for large migrations
- Does not support the Windows Easy Transfer cable
- Part of the Windows Automated Installation Toolkit (WAIK)
- USMT is not covered here, but will be discussed in the lesson entitled Deploying Windows 7 Machines

What We Covered

- Identifying Windows 7 requirements
- Upgrade and migration limitations
- Upgrading between Windows 7 editions
- Installing Windows 7
- Upgrading Windows Vista to Windows 7
- Dual booting Windows 7
- Migrating from Windows XP to Windows 7
- Migrating user profiles with Windows Easy Transfer
- User State Migration Tool

Key Terms You Should Know

- Upgrade: moving in-place from one version of Windows to another
- Migration: moving from one version of Windows to another without performing an in-place upgrade; requires the manual migration of user profiles after installation
- User profiles: all personal information stored on a user's PC, including application settings and Internet bookmarks

Deploying Windows 7

In This Lesson:
- Globomantics deployment plan
- Windows 7 deployment enhancements
- Specific lesson goals
- Deployment types
- Pre-deployment tools
- Thick vs. thin images
- Deployment strategies
- Understanding image capture tools
- Image deployment options
- Capture and deployment process overview
- User State Migration Tool (USMT)
- Automated installation methods

Scenario

- Globomantics IT staff runs a lean and mean shop and group
  - The company can't afford to send IT staff to visit each and every computer in every location to facilitate deployment
- Business needs
  - For organizations that have more than a few PCs, manual Windows 7 deployment is an inefficient rollout strategy
    - Manual labor and travel result in major costs
    - Managing desktops already has a high total cost of ownership (TCO)
  - Use automated deployment tools to help automate this process and bring down costs

Globomantics Deployment Plan

- Globomantics uses the following deployment strategy:
  - Thick system image. Includes applications and Windows Updates right in the system image.
  - Lite Touch Installation. Takes most of the manual processing out of deployment, but requires some human intervention.
  - Deployment. Systems are imaged at HQ and sent to regional offices.
- Globomantics does not currently own System Center Configuration Manager 2007 R2
  - http://www.trainsignal.com/System-Center-ConfigurationManager-P71.aspx {End of shameless plug}

Windows 7 Deployment Enhancements

- Optimizes deployment with improved driver handling through Dynamic Driver Provisioning
  - Reduces image sizes by dynamically matching drivers to existing hardware during deployment, and then pulls them from a central store
- Multicast multiple stream transfer
  - Deploy multiple images simultaneously across networks more efficiently
- Virtual Hard Disk image management and deployment
  - VHD files provide additional deployment and operational flexibility
- Streamlined installation and file migration
  - Overall better installation and deployment experience

Specific Lesson Goals

- Too many deployment options and scenarios to cover in a single lesson
  - Deployment could be a complete course by itself
- Goals
  - Understand the myriad of deployment options
  - Cover a repeatable, documented, real-world deployment scenario
  - Be able to apply the lessons learned through understanding deployment options and covering a real world scenario to other deployment needs
- Recommendation
  - Practice, practice, practice

Deployment Types

- Manual/semi-automated/high touch
  - Small number of computers
  - Covered in the lesson entitled Installing Windows 7
- Lite Touch Installation (LTI)
  - Well-suited for medium sized organizations that do not have a need for a more automated deployment system
  - Often used in conjunction with a "thick" system image, but can be used with thin images
- Zero Touch Installation (ZTI)
  - Best suited for large, distributed organizations that deploy new systems and applications in a non-centralized manner
  - Often used in conjunction with thin system images

28

Deploying Windows 7 Windows 7 Administration Training

Thick vs. Thin Images


- Thick image
  - Complete system image with all applications and updates
  - May take longer to deploy to individual computers, but results in an immediately usable system upon completion
- Thin image
  - Minimal system image; often operating system only
  - Applications and updates are installed either manually or through the use of some other software management system, such as System Center Configuration Manager 2007 and/or App-V
- Hybrid Image
  - Combination of thin and thick image types


Pre-Deployment Tools
- Application Compatibility Toolkit (ACT)
  - A tool to evaluate and mitigate application compatibility issues as they pertain to Windows 7
  - Requires a SQL Server to house reporting data
- Microsoft Assessment and Planning Toolkit (MAP)
  - Performs an audit of your existing environment and provides inventory, assessment and reporting capabilities to assist in planning a Windows 7 rollout


Understanding Image Capture Tools


- Windows Automated Installer Kit (WAIK)
  - WAIK is a collection of tools designed to assist in the deployment of Windows 7
- Windows System Image Manager (SIM)
  - Creates and manages unattended Windows Setup answer files
- SysPrep
  - Prepares a computer for imaging by configuring the computer to create a new security identifier at startup
- ImageX
  - Used to capture, create, modify, and apply Windows images
- Windows Preinstallation Environment (WinPE)
  - A minimal system used to deploy Windows
- User State Migration Tool (USMT) 4.0
  - Used to migrate user information from older versions of Windows to Windows 7
- Oscdimg
  - Creates an ISO image of a WinPE installation


Image Deployment Options


- Manually
  - Discussed in the lesson entitled Installing Windows 7
- Semi-automated
  - Discussed in this lesson
- Using Windows Deployment Services and Microsoft Deployment Toolkit 2010
  - Beyond the scope of this lesson
  - Bonus video: Automating Deployment of Windows 7 Machines
- System Center Configuration Manager 2007 R2
  - Beyond the scope of this course
  - Discussed in TrainSignal's System Center Configuration Manager 2007 R2 course


Capture and Deployment Process overview


- Create the capture and deployment environment
- Build and validate an answer file
- Build the reference installation
- Create bootable Windows PE media
- Capture the installation network or VHD file
- Deploy new computers from network or VHD file


Image Capture and Deployment Prerequisites


- Software
  - Windows 7 media
  - The Windows AIK
- Hardware
  - Management computer: A computer to which the Windows AIK and other tools can be installed
  - Reference computer: A new computer that can be used as the deployment reference system
  - Target computer: A new computer to which you can deploy a newly captured image
- Other
  - All systems connected to the network


Create the Capture and Deployment Environment


- Target: Management computer
- Purpose
  - Installs the Windows AIK and makes available the tools necessary to create, capture and deploy a Windows image
- Need: Windows AIK
  - Download and install the Windows AIK
  - http://www.microsoft.com/downloads/details.aspx?FamilyID=696dd665-9f76-4177-a811-39c26d3b3b34&displaylang=en


Build and Validate the Answer File


- Target: Management computer
- Purpose
  - The answer file configures Windows settings during installation such as default Internet Explorer settings, networking settings and other settings
- Need
  - Windows 7 media
  - Floppy disk or removable media to which you will save a new answer file
  - Windows System Image Manager (SIM) tool (part of WAIK)
- Steps/Demo


Create Bootable Windows PE Media


- Target: Management computer
- Purpose
  - Windows PE provides a minimal Windows environment in order to capture and deploy system images
  - In this step, create the bootable WinPE disc
  - The disc will include all tools necessary to complete the process
- Need
  - Windows System Image Manager (SIM) tool (part of WAIK)
- Steps/Demo


Build the Reference Installation


- Target: Reference computer
- Purpose
  - The reference installation is the "gold master" image that will be deployed to the other computers in the organization


Build and Generalize the Reference Installation


- Need
  - Windows 7 media
  - Media/drive with the answer file created in the previous step
  - Any software to be made a part of the standard image (i.e. Microsoft Office)
  - Any drivers for hardware that is to be included in standard image
  - Windows AIK
    - SysPrep utility will generalize the system setup to make it possible to transfer the image to many other systems
- Steps/Demo
  - Be sure to include /PersistAllDeviceInstalls switch when executing SysPrep's generalize command


Capture the Installation (Network Share)


- Target: Reference computer
- Purpose
  - Capture a generalized version of the reference image and save it to a network share
- Need
  - Windows PE boot disc created earlier
  - ImageX tool from the WAIK
    - Included on the WinPE media
  - Network connectivity
  - A network share to which to save the reference image
- Steps/Demo


Deploy to a Target Computer (Network Share)


- Target: New target computer
- Purpose
  - Deploy the captured image to a new computer
- Need
  - Windows PE boot disc created earlier
  - Network connectivity
  - Access to the network share to which the reference image was saved
- Steps/Demo
  - After imaging, boot and test new system


User State Migration Tool (USMT)


- Included in the WAIK
- USMT is Windows Easy Transfer for enterprise users
- Captures user accounts, files, operating system settings and application settings
- Migrates these settings to a new Windows 7 installation


Automated Installation Methods


- Windows Deployment Services & Microsoft Deployment Toolkit 2010
  - WDS is a component of Windows Server 2008 R2
  - Replaces Remote Installation Services (RIS) and Automated Deployment Services (ADS)
  - Provides automated network-based installation of Windows servers and desktop computers
  - Extends the capability of the WAIK
  - Offers an opportunity to script specific actions at points in time
    - i.e. Post-deployment, automatically join the Windows 7 computer to the Active Directory domain


What We Covered

- Globomantics deployment plan
- Windows 7 deployment enhancements
- Specific lesson goals
- Deployment types
- Pre-deployment tools
- Thick vs. thin images
- Deployment strategies
- Understanding image capture tools
- Image deployment options
- Capture and deployment process overview
- User State Migration Tool (USMT)
- Automated installation methods


Key Terms You Should Know


- Windows System Image Manager (SIM): Creates and manages unattended Windows Setup answer files
- Thick image: A complete system image with all applications and updates
- Thin image: A minimal system image; often operating system only
- Lite Touch Installation: Takes most of the manual processing out of deployment, but requires some human intervention.
- Zero Touch Installation (ZTI): Best suited for large, distributed organizations that deploy new systems and applications in a non-centralized manner
- Windows Automated Installer Kit (WAIK): WAIK is a collection of tools designed to assist in the deployment of Windows 7


Key Terms You Should Know


- Windows System Image Manager (SIM): Creates and manages unattended Windows Setup answer files
- SysPrep: Prepares a computer for imaging by configuring the computer to create a new security identifier at startup
- ImageX: Used to capture, create, modify, and apply Windows images
- Windows Preinstallation Environment (WinPE): A minimal system used to deploy Windows
- User State Migration Tool (USMT) 4.0: Used to migrate user information from older versions of Windows to Windows 7
- Oscdimg: Creates an ISO image of a WinPE installation


My Favorite Supporting Resources


1. Choosing a Deployment Strategy
2. Windows 7 Desktop Deployment Overview
3. Choosing an Image Strategy and Building Windows 7 System Images
4. Step-by-Step: Basic Windows Deployment for IT Professionals
5. Springboard Series Windows 7 IT Pro Work Template: Windows 7 Deployment Plan
6. Getting Started with the Windows AIK
7. Windows Automated Installation Kit (Windows AIK) Scenarios
8. MDT and WDS help deliver Windows 7 to attendees at TechEd Australia

Managing Drivers and Hardware Devices


Windows 7 Administration Training
Instructor: Scott Lowe

Managing Drivers and Hardware Devices Windows 7 Administration Training

In This Lesson:
- Using the Device Manager tool
- Viewing device information with the System Information Tool
- Understanding drivers
- Driver installation methods
- Managing installed drivers
- The Driver Verifier utility
- Managing hardware installation policies
- Staging drivers with pnputil.exe
- Adding device drivers to the driver store
- Monitoring USB devices


Scenario
- Globomantics has an array of computing needs
  - There is no single desktop hardware configuration
  - Marketing: High end graphics adapters
  - Other users: Mainstream configuration
- Make device installation seamless by pre-staging device drivers (lower TCO)
- Help users get their work done by making sure that their necessary hardware devices work well and are well maintained


Using Device Manager


- Viewing device and driver information
- View device resources
- Displaying hidden devices


Using the System Information Utility


- Using the System Information utility
  - Much greater level of detail about system devices and resources
  - Read-only


Understanding Drivers
- Device drivers enable communication between the operating system and hardware devices
- Driver facts
  - Drivers are just software
  - Not all drivers are created equal
  - Driver issues are a major support hassle
  - Drivers can create system instability


Driver Installation Methods


- Windows Update
  - New device drivers come right from Windows Update
  - Disable this behavior to improve security and control what devices are installed
- Hardware installation disc
- Pre-staging drivers
  - Globomantics will pre-deploy drivers for high-end graphics adapters to ease deployment
  - Result
    - Better end-user experience
    - Lower TCO


Managing Installed Drivers


- Device and driver security
  - Driver software runs with full system rights
  - Signed vs. unsigned drivers
  - Identify unsigned drivers with sigverif.exe
- Updating drivers
- Rolling back drivers


The Driver Verifier Utility


- Driver verifier
  - Helps to determine root cause for driver-related issues including problems related to:
    - Drivers that experience memory-based issues
    - Poorly written drivers
  - Requires a system restart


Managing Hardware Installation Policies


- Via Group Policy
  - Allow and disallow installation of specific devices based on device ID
  - Disable the installation of removable devices
  - Create custom error messages to be displayed for users that attempt to install hardware
  - Provide an administrative back door to allow IT staff to install any new hardware and drivers


Adding Device Drivers to the Driver Store


- Use the pnputil.exe tool to manage the driver store
  - Add a driver to the store using the -a parameter
    - Download the driver package first
    - Combine with -i to install the driver, too
  - Show all third party drivers using the -e parameter
  - Delete a driver from the store with the -d parameter
    - Combine with the -f parameter to force deletion
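
The signed vs. unsigned distinction from "Managing Installed Drivers" and the third-party packages that pnputil.exe -e lists can also be inventoried from a script. The following is an added example, not part of the course material; it assumes PowerShell v2 on Windows 7 and the standard Win32_PnPSignedDriver WMI class, and the function names are hypothetical.

```powershell
# Added example (not from the course): read-only inventory of driver signing state.
# Win32_PnPSignedDriver covers drivers that are bound to a device; packages that are
# only staged in the driver store still have to be listed with "pnputil.exe -e".

function Get-DriverSigningInventory {
    Get-WmiObject -Class Win32_PnPSignedDriver |
        Where-Object { $_.InfName } |      # skip devices that report no INF file
        Select-Object DeviceName, InfName, DriverProviderName, DriverVersion, IsSigned, Signer,
            # Third-party packages are published in the driver store as oemNN.inf
            @{ Name = 'ThirdParty'; Expression = { $_.InfName -like 'oem*.inf' } }
}

function Select-DriverForReview {
    # Keeps drivers that are unsigned, or third-party packages that report no signer.
    param([object[]]$Inventory)
    $Inventory | Where-Object {
        (-not $_.IsSigned) -or ($_.ThirdParty -and (-not $_.Signer))
    }
}

$inventory  = @(Get-DriverSigningInventory)
$thirdParty = @($inventory | Where-Object { $_.ThirdParty })
$review     = @(Select-DriverForReview -Inventory $inventory)

"Devices with an INF-backed driver : {0}" -f $inventory.Count
"Using third-party (oem*.inf) INF  : {0}" -f $thirdParty.Count
"Unsigned or signer missing        : {0}" -f $review.Count

# Third-party packages grouped by INF, so each oemNN.inf can be matched
# against the "Published name" lines that pnputil.exe -e prints.
$thirdParty | Group-Object InfName | Sort-Object Name | ForEach-Object {
    $first = $_.Group[0]
    New-Object PSObject -Property @{
        InfName  = $_.Name
        Provider = $first.DriverProviderName
        Version  = $first.DriverVersion
        Signer   = $first.Signer
        Devices  = $_.Count
    } | Select-Object InfName, Provider, Version, Signer, Devices
} | Format-Table -AutoSize

# Drivers that deserve a closer look before the image is captured or deployed.
$review | Sort-Object InfName |
    Format-Table DeviceName, InfName, DriverProviderName, IsSigned, Signer -AutoSize
```

Run it from an elevated PowerShell prompt on the reference computer before generalizing the image, so unsigned drivers are caught before they are copied to every target.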


Monitoring USB Devices


- USB hub types
  - Self-powered
  - Bus-powered
- USB bandwidth
  - Bandwidth-related error messages
    - USB controller bandwidth exceeded
- USB bandwidth
  - USB 1.0/1.1: 12 Mbps
  - USB 2.0: 480 Mbps
  - USB 3.0: 5 Gbps
- Gauging bandwidth use is a best effort task
  - Not all devices report bandwidth back to Windows


What We Covered

- Using the Device Manager tool
- Viewing device information with the System Information Tool
- Understanding drivers
- Driver installation methods
- Managing installed drivers
- The Driver Verifier utility
- Managing hardware installation policies
- Staging drivers with pnputil.exe
- Adding device drivers to the driver store
- Monitoring USB devices


My Favorite Supporting Resources


1. Using Driver Verifier to identify issues with Windows drivers for advanced users
2. What are basic and dynamic disks?
3. Windows and GPT FAQ


Key Terms You Should Know


- Driver: Software that provides a link from a computer operating system to a hardware device
- Driver store: The location at which Windows stores device driver files, typically C:\Windows\System32\Drivers or C:\Windows\SysWOW64\Drivers
- Signed driver: A digitally signed driver is from a traceable source
- Unsigned driver: An unsigned driver can come from anywhere and may prove to be a system risk

Understanding Windows 7 Storage Options


Windows 7 Administration Training
Instructor: Scott Lowe

Understanding Windows 7 Storage Options Windows 7 Administration Training

In This Lesson:
- Deconstructing basic disks
- Disk Manager basic disk view - Master Boot Record (MBR)
- MBR vs. GUID Partition Table disks
- Disk Manager basic disk view - GPT
- Understanding dynamic disks
- Dynamic disk volume types
- Volume types diagrams
- Disk Manager dynamic disk view
- Managing storage volumes
- FAT vs. NTFS


Scenario
- Data is the lifeblood of Globomantics
- Some users have different storage needs
  - Database administrators need additional storage protection
  - Business analysts require speedy storage with a lot of capacity
- Understand storage options to make the best possible data availability decisions
- Choose storage options that enable high security levels
  - Globomantics is recovering from a data breach that could have been prevented with better storage options


Deconstructing Basic Disks - MBR


- Partition
  - A portion of a physical hard drive that can be formatted and used as an individual storage volume
- Primary partition
  - A hard drive can have up to four primary partitions
  - One partition is designated as active
  - Active partitions boot the operating system
- Extended partition
  - Think of this partition as a container
  - This container can hold one or more volumes
  - Storage volumes on an extended partition cannot be used to start the operating system

Disk Manager Basic Disk View Master Boot Record


MBR vs. GPT Disks


- MBR disks have limitations
  - Limited number of primary partitions - Four
  - Partition size limited to 2 TB
- GPT disks
  - Pros
    - Disks can have up to 128 partitions
    - Partitions can be up to 256 TB in size
  - Cons
    - 32-bit Windows can't boot from GPT at all
    - 64-bit Windows can boot from GPT only when the system has an Extensible Firmware Interface (EFI) BIOS

MBR vs. GPT Disks

|                                       | MBR  | GPT                             |
| Windows Versions Supported            | All  | All Recent                      |
| Bootable                              |      | 32-bit, 64-bit (see note below) |
| Maximum Partition Size                | 2 TB | 256 TB                          |
| Maximum Partitions Per Physical Drive | 4    | 128                             |

Only 64-bit systems with EFI BIOS can boot from GPT-based partitions

Limits pertain to Windows only. Other operating systems may provide additional capabilities.

Disk Manager Basic Disk View GPT


Understanding Dynamic Disks


- Overcome the limitations of Basic/MBR and Basic/GPT disks
- Support for about 2,000 dynamic volumes per disk
- Space
  - Extend volumes to span multiple disks
- Speed
  - Improve performance by striping across multiple disks
- Reliability
  - Improve reliability by mirroring data across multiple disks


Dynamic Disk Volume Types


- Disk volumes
  - Simple
  - Spanned
  - Striped (RAID 0)
  - Mirrored (RAID 1)
  - RAID-5 volumes are shown in Disk Management, but not supported in Windows 7

Volume Types Diagram

[Diagram comparing Simple Volume, Spanned Volume, Striped Volume, Mirrored Volume and RAID 5 Volume. Legend: 1 unit of data; fractional unit of data.]


Disk Manager Dynamic Disk View


Managing Storage Volumes


- Creating new volumes
- Choosing a disk and volume type
- Naming a volume
- Formatting volumes
- FAT vs. NTFS
- Changing a volume's drive letter
- Defragmenting disks
- Checking a volume for errors
- Viewing volume status

FAT vs. NTFS

FAT32 Windows Versions Supported (Native) Maximum Volume Size Maximum File Size Security All 32 GB/2 TB Just under 4GB

exFAT

NTFS

Vista SP1, 7 All NT-based 64 ZB 16 ZB 2 TB Size of Volume


What We Covered
- Deconstructing basic disks
- Disk Manager basic disk view - MBR
- MBR vs. GPT disks
- Disk Manager basic disk view - GPT
- Understanding dynamic disks
- Dynamic disk volume types
- Volume types diagrams
- Disk Manager dynamic disk view
- Managing storage volumes
- FAT vs. NTFS


My Favorite Supporting Resources


1. What are basic and dynamic disks?
2. Windows and GPT FAQ


Key Terms You Should Know


- Basic disk: The traditional disk type
- Dynamic disk: A type of disk that enables advanced storage options, such as mirroring and striping


Configuring Networking in Windows 7


Windows 7 Administration Training
Instructor: Scott Lowe

Configuring Networking in Windows 7 Windows 7 Administration Training

In This Lesson:
- Scenario
- Managing network connections
- TCP/IP recap
- TCP/IP operational overview
- TCP/IP subnetting overview
- IPv6 recap
- Configuring TCP/IP Settings
- Configuring network adapters
- Configuring Internet Connection Sharing (ICS)
- Troubleshooting network connectivity


Scenario
- Every device at Globomantics is a business tool, from the laptops carried by the sales team to every desktop PC in the company.
- A machine not connected to Globomantics' network doesn't provide any return.
- By the end of this lesson, you'll be able to provide Globomantics with expert-level assistance in configuring the network settings on Windows 7-based desktops and laptops
- Internet Connection Sharing is used in Globomantics' smaller offices to save costs on networking equipment
- All networks need troubleshooting, so you need to understand ways that you can correct networking issues


Managing Network Connections


- Connecting to a wired network
  - Viewing current network status
  - Viewing the current network map
- Connecting to a wireless network
  - If prompted, provide the wireless network password
  - Most Globomantics offices have a wireless network
  - Managing preferred wireless networks


TCP/IP Recap
- TCP/IP components
  - Network address: defines the address of the network as a whole
  - Subnet mask: bounds the upper and lower ranges of the network address
  - IP address: an individual identifier assigned to a resource
  - Default gateway: the IP address of the router or firewall port that connects the local network to a larger network
  - Router: a layer 3 device responsible for connecting the local network to a larger network and handling incoming and outgoing network communications


TCP/IP Recap
- IP address types
  - Public
  - Private
    - 10.0.0.0 to 10.255.255.255
    - 172.16.0.0 to 172.31.255.255
    - 192.168.0.0 to 192.168.255.255
- Network Address Translation (NAT)
  - Allows private IP addresses to be used with public ones
- Special addresses
  - First range address (often ends with .0): network address
  - Last range address (often ends with .255): broadcast address


TCP/IP Recap
- IP addresses
  - Dotted decimal notation is most common
  - Are representations of binary numbers which can be converted to a decimal number
  - 209.85.225.106 = 11010001.01010101.11100001.01101010 = 3512066410
- Subnetting: breaking a large network down into smaller chunks
  - Reduces broadcast traffic
  - Reduces collisions
  - Can improve security


TCP/IP Recap
- Dynamic Host Configuration Protocol (DHCP) server provides automated IP address assignment services
  - Globomantics uses DHCP for client computers
  - Globomantics desktop technicians sometimes input manual IP addresses when troubleshooting
  - DHCP can pass other configuration information to clients
  - Automatic Private IP Addressing (APIPA) is used when a DHCP server is not present
- Domain Name System (DNS) provides a method to resolve friendly names into IP addresses
  - i.e. www.google.com = 209.85.225.10

TCP/IP Operational Overview


[Network diagram: Globomantics SW Office]
- Network: 172.16.6.0; Subnet Mask: 255.255.255.0
- Host addresses shown: 172.16.6.1, 172.16.6.2, 172.16.6.3
- Default Gateway: 172.16.6.254
- Firewall/Router: 192.168.10.5
- GM-SW-File: Globomantics Server (DHCP/DNS)
  - Allocated: 172.16.6.2, 172.16.6.3
  - Available: 172.16.6.4, 172.16.6.5, 172.16.6.6
- GM-7-Desktop: Globomantics Windows 7 Desktop
- GM-7-M-X: Globomantics Windows 7 Mobile


TCP/IP Subnetting Overview

192.168.0.x network with 26-bit subnet mask


|                    | 1st subnet                 | 2nd subnet                   | 3rd subnet                    | 4th subnet                    |
| Network            | 192.168.0.0                | 192.168.0.64                 | 192.168.0.128                 | 192.168.0.192                 |
| Subnet Mask        | 255.255.255.192            | 255.255.255.192              | 255.255.255.192               | 255.255.255.192               |
| Subnet Mask (bits) | 26 bits                    | 26 bits                      | 26 bits                       | 26 bits                       |
| Address Range      | 192.168.0.1 to 192.168.0.62 | 192.168.0.65 to 192.168.0.126 | 192.168.0.129 to 192.168.0.190 | 192.168.0.193 to 192.168.0.254 |
| Broadcast Address  | 192.168.0.63               | 192.168.0.127                | 192.168.0.191                 | 192.168.0.255                 |
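
The dotted-decimal, binary and decimal forms from the TCP/IP recap and the 26-bit subnet table above can be derived with a few lines of arithmetic. The following is an added example, not part of the course material; it assumes PowerShell v2 as shipped with Windows 7, and the function names are hypothetical.

```powershell
# Added example (not from the course): IPv4 subnet arithmetic for PowerShell v2.
# Only integer/double arithmetic is used, so nothing depends on 64-bit bitwise operators.

function ConvertTo-IPv4Number {
    # Dotted decimal -> single decimal number (each octet is one base-256 digit).
    param([string]$Address)
    $octets = $Address.Split('.')
    if ($octets.Length -ne 4) { throw "Not a dotted-decimal IPv4 address: $Address" }
    [long]$n = 0
    foreach ($o in $octets) {
        $v = [int]$o
        if ($v -lt 0 -or $v -gt 255) { throw "Octet out of range in $Address" }
        $n = $n * 256 + $v
    }
    $n
}

function ConvertFrom-IPv4Number {
    # Decimal number -> dotted decimal.
    param([long]$Number)
    $parts = @()
    for ($i = 3; $i -ge 0; $i--) {
        $div = [long][math]::Pow(256, $i)
        $parts += [long][math]::Floor([double]$Number / $div)
        $Number = $Number % $div
    }
    $parts -join '.'
}

function ConvertTo-IPv4Binary {
    # Dotted decimal -> dotted binary, eight bits per octet.
    param([string]$Address)
    ($Address.Split('.') | ForEach-Object {
        [Convert]::ToString([int]$_, 2).PadLeft(8, '0')
    }) -join '.'
}

function Get-IPv4Subnet {
    # Returns the subnet that contains $Address for the given mask length in bits.
    param([string]$Address, [int]$PrefixLength)
    if ($PrefixLength -lt 1 -or $PrefixLength -gt 30) {
        throw 'This example handles prefix lengths from 1 to 30'
    }
    $size      = [long][math]::Pow(2, 32 - $PrefixLength)   # addresses per subnet
    $ip        = ConvertTo-IPv4Number $Address
    $network   = [long]([math]::Floor([double]$ip / $size) * $size)
    $broadcast = $network + $size - 1

    New-Object PSObject -Property @{
        Address    = $Address
        Network    = (ConvertFrom-IPv4Number $network)
        SubnetMask = (ConvertFrom-IPv4Number (4294967296 - $size))
        FirstHost  = (ConvertFrom-IPv4Number ($network + 1))
        LastHost   = (ConvertFrom-IPv4Number ($broadcast - 1))
        Broadcast  = (ConvertFrom-IPv4Number $broadcast)
    } | Select-Object Address, Network, SubnetMask, FirstHost, LastHost, Broadcast
}

# The three notations of the address used in the recap slide.
'209.85.225.106 = {0} = {1}' -f (ConvertTo-IPv4Binary '209.85.225.106'),
                                (ConvertTo-IPv4Number '209.85.225.106')

# Constructed sample hosts, one inside each of the four 26-bit subnets of 192.168.0.x.
'192.168.0.10', '192.168.0.70', '192.168.0.130', '192.168.0.200' |
    ForEach-Object { Get-IPv4Subnet -Address $_ -PrefixLength 26 } |
    Format-Table -AutoSize
```

Two hosts can talk without going through the default gateway only when Get-IPv4Subnet returns the same Network for both, which is what lets a router or firewall between subnets enforce policy.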


IPv6 Recap
- IPv6 facts
  - Larger address space
    - IPv4 addresses are running out
      - 2^32 addresses = 4,294,967,296
      - More always on devices
      - More Internet users
    - IPv6 = 2^128 addresses
  - Eliminates the need for a number of workarounds, including Network Address Translation
  - Stateless address configuration
  - DHCPv6 can be used to provide more capability


IPv6 Recap
- IPv6 is not in widespread use
- IPv6 address types
  - Link local: locally and automatically configured IPv6 addresses for networks without a DHCP server
  - Site local: private, non-routable IPv6 addresses
  - Global: an everyday, routable IPv6 address either manually configured or obtained via DHCP
- Special IPv6 addresses
  - Unspecified IPv6 address: 0:0:0:0:0:0:0:0 (::0)
  - Loopback: in IPv4 parlance, 127.0.0.1; for IPv6, 0:0:0:0:0:0:0:1 (::1)
    - Always the local machine


Configuring TCP/IP Settings


- Managing TCP/IP settings via the graphical user interface
  - Configuring IP address information
    - Manual information
    - Configuring for DHCP (the Globomantics standard)
- Managing TCP/IP settings via the netsh shell - manual
  - IPv4: netsh interface ipv4 or netsh interface ip
  - netsh interface ip set address "Local Area Connection" static 172.16.6.2 gateway=172.16.6.254
  - netsh interface ip set dnsservers "Local Area Connection" static 172.16.6.1
- Managing TCP/IP settings via the netsh shell - DHCP
  - netsh interface ip set address name="Local Area Connection" source=DHCP


Configuring Network Adapters


- Globomantics wants to force the network link speed and duplex due to an issue with some network switches
- Configure device power settings to conserve power


Configuring Internet Connection Sharing (ICS)


- Smaller Globomantics sites do not have network routers
  - They rely on ICS
- Allows a single computer with two network adapters to share its Internet connection with other computers
- Windows 7 and Windows Server 2008 R2 both include ICS
- Requirements
  - Two network adapters
  - Administrative rights
  - Firewall exceptions


Internet Connection Sharing Overview

[Diagram: Internet Connection Sharing. Labels: GM-7-M-1 (Globomantics Laptop Computer), GM-7-Desktop (Globomantics Desktop Computer), ICS, To Internet, GM-7-M-2 (Globomantics Laptop Computer)]


Configuring Internet Connection Sharing


- On the computer that will share its connection
  - Open the properties for the network adapter with the connection to the Internet
  - Select the checkbox that reads "Allow other network users to connect through this computer's Internet connection"
- Make sure other clients are configured to use DHCP


Troubleshooting Network Connectivity


- netstat
  - Display current network and TCP/IP connections
  - View Ethernet & IPv4 stats and active connections
  - netstat -e -s -p tcp
- tracert
  - View each hop of the network path between the local system and a selected remote system
  - tracert www.google.com
- ping
  - Check the status of a remote system
  - Check to see if the local system can reach a remote system
  - ping www.google.com


Troubleshooting Network Connectivity


- Fixing network issues - command line
  - Resetting a network adapter's IP address
    - Command line (ipconfig /release and /renew)
    - Command line (ipconfig /release6 and /renew6)
  - DNS issues
    - Purge DNS cache: ipconfig /flushdns
    - Refresh DHCP lease & register DNS names: ipconfig /registerdns
    - Display contents of DNS cache: ipconfig /displaydns


What We Covered

- Scenario
- Managing network connections
- TCP/IP recap
- TCP/IP operational overview
- TCP/IP subnetting overview
- IPv6 recap
- Configuring TCP/IP Settings
- Configuring Network Adapters
- Configuring Internet Connection Sharing
- Troubleshooting network connectivity


Key Terms You Should Know


- Network address: defines the address of the network as a whole
- Subnet mask: bounds the upper and lower ranges of the network address
- IP address: an individual identifier assigned to a resource
- Default gateway: the IP address of the router or firewall port that connects the local network to a larger network
- Router: a layer 3 device responsible for connecting the local network to a larger network and handling incoming and outgoing network communications


My Favorite Supporting Resources


1. Internet Protocol version 6 (IPv6)
2. Internet Connection Sharing

Protecting Windows 7: Network


Windows 7 Administration Training
Instructor: Scott Lowe

Protecting Windows 7 Windows 7 Administration Training

In This Lesson:
- Network profiles / Network Location Awareness
- Windows firewall management
- Remote Desktop
- Remote Assistance
- Windows Remote Management Service (WinRM)
- WinRM and PowerShell


Scenario
- Globomantics is recovering from a serious and very public security incident
- As a pharmaceutical company with direct customer contact, Globomantics falls under privacy regulations, including HIPAA
- Globomantics wants to make certain that every possible reasonable security measure is implemented, including firewalls, carefully configured remote management capabilities, user account control and various authentication and authorization features.
- Balancing security with usability will allow users to do their jobs while the company remains protected


Network Profiles / Network Location Awareness


- Home network (Private)
  - Trusted computers on a home network
  - Network discovery is enabled
  - Computer can be a member of a HomeGroup
- Work network (Private)
  - Trusted computers on a work network
  - Network discovery is enabled for computers
  - Computer cannot be a member of a HomeGroup
- Domain network
  - System is joined to an Active Directory domain
  - Computer cannot be a member of a HomeGroup
- Public network


Network Profiles
- Network profiles allow administrators to set granular policies based on the type of network to which the system is connected
- Firewall can be turned on or off for a particular network type
  - i.e. turn off the firewall when system is connected to a domain and turn it back on when the system joins a public network
- Different profiles can be active simultaneously if the system is connected to multiple networks


Windows Firewall Purpose and Capabilities


- Designed to protect computers by disallowing all but specifically allowed network traffic
- Windows Firewall can block both incoming and outgoing traffic
- The network profile dictates the set of firewall rules that will be applied for that connection


Allowing New Programs Access


- As you add new programs to Windows, they need access to the network
- You can allow this access on a per program basis or by directly configuring network ports
- New firewall exception - enable ICMP/Ping
  - Command line method
    - Netsh advfirewall firewall add rule name="PING4" protocol=icmpv4:any,any dir=in action=allow
  - GUI method
- Rules/exceptions can be added on a per-profile basis
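
Because the active network profile decides which firewall rules apply, it is worth checking what each profile allows after exceptions such as the PING4 rule have been added. The following is an added example, not part of the course material; it assumes PowerShell v2 on Windows 7 and uses the HNetCfg.FwPolicy2 COM interface of Windows Firewall with Advanced Security, and the function names are hypothetical.

```powershell
# Added example (not from the course): read-only audit of Windows Firewall per network profile.

# NET_FW_PROFILE_TYPE2 bit flags used by the firewall API
$ProfileTypes = @{ Domain = 1; Private = 2; Public = 4 }

function Get-FirewallProfileReport {
    # One row per profile: is it active now, is the firewall on, what are the defaults.
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $active = $policy.CurrentProfileTypes     # bitmask: several profiles can be active at once

    foreach ($name in 'Domain', 'Private', 'Public') {
        $type = $ProfileTypes[$name]
        # NET_FW_ACTION: 0 = block, 1 = allow
        $inbound  = if ($policy.DefaultInboundAction($type)  -eq 0) { 'Block' } else { 'Allow' }
        $outbound = if ($policy.DefaultOutboundAction($type) -eq 0) { 'Block' } else { 'Allow' }

        New-Object PSObject -Property @{
            Profile         = $name
            Active          = [bool]($active -band $type)
            Enabled         = [bool]$policy.FirewallEnabled($type)
            DefaultInbound  = $inbound
            DefaultOutbound = $outbound
        } | Select-Object Profile, Active, Enabled, DefaultInbound, DefaultOutbound
    }
}

function Get-InboundAllowRule {
    # Enabled inbound "allow" rules that apply to the named profile.
    param(
        [ValidateSet('Domain', 'Private', 'Public')]
        [string]$ProfileName = 'Public'
    )
    $type   = $ProfileTypes[$ProfileName]
    $policy = New-Object -ComObject HNetCfg.FwPolicy2

    $policy.Rules | Where-Object {
        $_.Enabled -and
        $_.Direction -eq 1 -and               # 1 = inbound, 2 = outbound
        $_.Action -eq 1 -and                  # 1 = allow
        ($_.Profiles -band $type)             # rule is scoped to this profile
    } | Select-Object Name,
        @{ Name = 'Protocol'; Expression = {
            switch ($_.Protocol) { 1 { 'ICMPv4' } 6 { 'TCP' } 17 { 'UDP' } 58 { 'ICMPv6' } default { $_ } }
        } },
        LocalPorts, ApplicationName
}

$report = @(Get-FirewallProfileReport)
$report | Format-Table -AutoSize

# A profile with the firewall off, or with inbound traffic allowed by default, needs a reason.
$report | Where-Object { (-not $_.Enabled) -or ($_.DefaultInbound -eq 'Allow') } |
    ForEach-Object {
        Write-Warning ("{0} profile: firewall is off or inbound default is Allow" -f $_.Profile)
    }

# Everything that is reachable from an untrusted network.
Get-InboundAllowRule -ProfileName Public | Sort-Object Name | Format-Table -AutoSize
```

A rule created without a profile argument, like the PING4 command above, applies to all profiles, so it will appear in the Public list as well as the Domain one.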


Other Firewall Management Items


- Configuring firewall notification settings
  - Can be configured on a per-profile basis
- Resetting Windows Firewall to Defaults
  - GUI
    - Click Restore defaults in the Windows Firewall control panel applet
  - Command line
    - Execute the command Netsh advfirewall reset


Remote Desktop
- Allows a user to connect to the desktop from a remote computer and operate it as if he were sitting at the console
- Must be explicitly enabled; default is set to not allow remote connections
  - Allow connections from computers running any version of Remote Desktop
  - Allow connections only from clients running Remote Desktop with Network Level Authentication (XP SP3, Vista, Windows 7)
- You must specifically identify which users can connect remotely


Remote Desktop
- A new session can be established
- A remote session can be established that assumes control of an existing desktop session
- A different user can initiate a remote desktop session, but doing so results in a dialog box asking permission since the currently logged in user will be logged off
- Example
  - Configure Remote Desktop from the Remote tab in System Properties


Remote Assistance
Commonly used by tech support personnel to help a user troubleshoot a problem
Initiated by the user having troubles
Uses a time-limited invitation that allows the remote user access to the desktop
More secure invitations can be created, but only users using Vista or Windows 7 can respond to them
Examples
  Configure Remote Assistance from the Remote tab in System Properties
  Requesting remote assistance


Windows Remote Management Service (WinRM)


WinRM enables command-line and PowerShell-based management of remote systems
Requires that the WinRM service first be configured on the remote system
  From an administrator command prompt: winrm quickconfig
    Starts the WinRM service and sets it to start automatically
    Creates a WinRM listener to allow incoming WinRM connections to be serviced
    Creates a WinRM exception in the firewall


Windows Remote Management Service (WinRM)


If the systems are not in the same domain, a trust relationship must be established
  winrm set winrm/config/client @{TrustedHosts="XXXX"}
  Needed if you want to manage remotely via PowerShell
Via Group Policy
  Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management
Example
  Get a directory listing from a remote computer named gm-7-075
  winrs -r:gm-7-075 dir
  WinRS = Windows Remote Shell


WinRM and PowerShell


Remote management via PowerShell
  Requires that you enable WinRM as previously discussed
  You must be using PowerShell V2, the default in Windows 7
Use icm (Invoke-Command alias) to run a command on a different machine
Example
  Start PowerShell with administrative rights
icm gm-7-075 { Get-WmiObject -Class Win32_ComputerSystem }
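The TrustedHosts and Invoke-Command steps from the WinRM slides, as an added example (not part of the course material) that trusts one named host instead of a wildcard and checks the connection before running anything. The function names are hypothetical; gm-7-075 is the computer name from the slides.

```powershell
# Added example. Run from an elevated PowerShell v2 prompt on the managing
# workstation. The WSMan: drive needs the local WinRM service to be running.
$Target = 'gm-7-075'   # computer name taken from the slides

function Get-TrustedHostList {
    # TrustedHosts is stored as one comma-separated string.
    $value = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
}

function Add-TrustedHost {
    # Append a single host, keeping whatever is already listed.
    param([string]$ComputerName)
    $hosts = @(Get-TrustedHostList)
    if ($hosts -contains '*') {
        # A wildcard means credentials may be sent to any machine that
        # answers, without the server proving its identity.
        Write-Warning 'TrustedHosts is "*"; replace it with named hosts.'
        return
    }
    if ($hosts -notcontains $ComputerName) {
        $new = ($hosts + $ComputerName) -join ','
        Set-Item WSMan:\localhost\Client\TrustedHosts -Value $new -Force
    }
}

# On the managed computer, review what "winrm quickconfig" created
# (transport, port, bound addresses):
#   winrm enumerate winrm/config/listener

# The slide's "winrm set ... @{TrustedHosts=...}" form is for cmd.exe; in
# PowerShell @{ } is a hashtable literal, so the WSMan: drive is used here.
Add-TrustedHost -ComputerName $Target
"TrustedHosts now: " + ((Get-TrustedHostList) -join ', ')

# Confirm that the remote WinRM listener answers before sending credentials.
Test-WSMan -ComputerName $Target -ErrorAction Stop | Out-Null

# Hosts reached through TrustedHosts need explicit credentials.
$cred = Get-Credential
Invoke-Command -ComputerName $Target -Credential $cred -ScriptBlock {
    Get-WmiObject -Class Win32_ComputerSystem
}
```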


What We Covered

Network profiles / Network Location Awareness
Windows firewall management
Remote Desktop
Remote Assistance
Windows Remote Management Service (WinRM)
WinRM and PowerShell


My Favorite Supporting Resources


1. Windows Firewall with Advanced Security Design and Deployment Guide
   http://www.microsoft.com/downloads/details.aspx?FamilyID=e4a6d0d6-c8c3-414a-ad61-abce6889449d&displaylang=en

Protecting Windows 7: Local


Windows 7 Administration Training
Instructor: Scott Lowe


In This Lesson:
Configuring User Account Control
Configuring removable device policies
Understanding Credential Manager
Changing execution context with RunAs
Windows 7 account policies and user rights
Windows 7 local groups
Creating a password reset disk
Understanding smart card policies


Scenario
Globomantics is recovering from a serious and very public security incident
As a pharmaceutical company with direct customer contact, Globomantics falls under privacy regulations, including HIPAA
Globomantics wants to make certain that every possible reasonable security measure is implemented, including firewalls, carefully configured remote management capabilities, user account control and various authentication and authorization features
Balancing security with usability will allow users to do their jobs while the company remains protected


Configuring User Account Control


First included in Windows Vista, UAC adds an authorization layer before actions requiring administrative rights can be performed
If a UAC prompt is ignored for more than 150 seconds, the request is not approved
Only users granted administrative rights can approve UAC prompts
Enabled by default in Windows 7
Can be configured to meet organizational security policies and needs


Configuring User Account Control


Features
  Secure desktop
    Have you ever wondered why UAC basically locks the desktop? It's by design and is a good thing
  Understanding privileges
    All users operate with standard privileges
    Only when a task requiring administrative rights is performed does UAC interject itself and temporarily escalate privileges
  Prompt for consent
  Prompt for credentials


Configuring User Account Control


UAC settings
  Never notify me
  Notify me only when programs try to make changes to my computer (do not dim my desktop)
  Default: Notify me only when programs try to make changes to my computer (but don't notify me when I make changes to Windows settings)
  Always notify


Configuring User Account Control


Group Policy/Local Group Policy/Local Security Policy
  Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  Local Group Policy: gpedit.msc
  Local Security Policy: secpol.msc
Allows granular control over UAC policies
Can configure UAC to require credentials instead of just an approval window
Demo
  Walk through all UAC-related policies
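The UAC slider levels and Security Options policies described above are stored as registry values, so a machine's effective setting can be audited without opening the policy editor. This is an added example, not part of the course material; the function names are hypothetical.

```powershell
# Added example. Reads the local machine's UAC policy values; no changes are made.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $UacKey
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA                   # Admin Approval Mode on/off
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin  # prompt type for administrators
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser   # prompt type for standard users
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop       # dimmed (secure) desktop
    }
}

function Get-UacSliderLevel {
    # Map the value pair back to the four slider positions in Control Panel.
    param($Policy)
    if ($Policy.EnableLUA -eq 0) { return 'UAC off (Admin Approval Mode disabled)' }
    switch ("$($Policy.ConsentPromptBehaviorAdmin)/$($Policy.PromptOnSecureDesktop)") {
        '2/1'   { 'Always notify' }
        '5/1'   { 'Default: notify only when programs try to make changes' }
        '5/0'   { 'Notify only when programs try to make changes (do not dim my desktop)' }
        '0/0'   { 'Never notify' }
        default { 'Custom combination set through policy' }
    }
}

function Test-UacPolicy {
    # Return one line per setting that weakens the default protection,
    # plus a note on consent versus credential prompts.
    param($Policy)
    $findings = @()
    if ($Policy.EnableLUA -ne 1) {
        $findings += 'Admin Approval Mode is off: administrators run fully elevated.'
    }
    if ($Policy.PromptOnSecureDesktop -ne 1) {
        $findings += 'Prompts are not shown on the secure desktop.'
    }
    if ($Policy.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'Administrators are elevated without any prompt.'
    }
    if (@(1, 3) -notcontains $Policy.ConsentPromptBehaviorAdmin) {
        $findings += 'Administrators are not asked for credentials (values 1 or 3 require them).'
    }
    if ($Policy.ConsentPromptBehaviorUser -eq 0) {
        $findings += 'Standard users are denied elevation automatically (no credential prompt).'
    }
    $findings
}

$policy = Get-UacPolicy
"Slider level: " + (Get-UacSliderLevel $policy)
Test-UacPolicy $policy
```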


Configuring Removable Device Policies


For security reasons, many organizations prohibit the use of removable devices
Group Policy/Local Group Policy
  Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
  Prevent installation of removable devices


Understanding Credential Manager


When user names and passwords are selected to be remembered, they are stored in the Windows Vault
  Web sites
  Remote Desktop sessions
Exploring the Credential Manager
  Backing up Windows Vault
  Restoring Windows Vault
  Modifying an existing stored credential
  Adding a new credential
  Removing an existing credential


Changing Execution Context with RunAs


Allows you to run programs using a different user's credentials
Use the RunAs command line tool
  RunAs /user:DOMAIN\USER program /switches
Common switches
  /profile: loads the user's profile, allowing access to user-specific EFS-protected files
  /noprofile: does not load the user's profile
  /savecred: saves the credentials under the context of the local administrator account


Windows 7 Account Policies and User Rights


Account and password policies
  Computer Configuration > Windows Settings > Security Settings > Account Policies
  Local Group Policy: gpedit.msc
Configurable password policies include
  Enforce password history
  Maximum password age
  Minimum password age
  Password must meet complexity requirements
  Store passwords using reversible encryption (not recommended)


Windows 7 Account Policies and User Rights


Configurable account lockout policies include
  Account lockout duration
  Account lockout threshold
  Reset account lockout
User rights
  Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignments
  Make sure to understand that these user rights exist
  There are more than three dozen policy settings

Windows 7 Local Groups


Creating a Password Reset Disk


Users will forget passwords
Simply resetting a password has consequences
  User loses access to EFS-encrypted files unless other steps have been taken
  Credentials stored in Credential Manager are no longer accessible
A password reset disk (or USB/removable device) can be used to reset a password without the aforementioned negative side effects
Caution: Anyone that finds a password reset disk can use it!
Demo
  Create a password reset disk


Understanding Smart Card Policies


Windows 7 includes a number of policies related to managing smart cards
Smart cards are devices that can be used to authenticate to systems
  More secure than typical username/password-based authentication mechanisms
  Often used to augment, not replace, username/password (multifactor authentication)
Windows 7 uses the Personal Identity Verification (PIV) standard from the National Institute of Standards and Technology (NIST) and includes other new features
  Smart Card/BitLocker encryption
  Document and email signing


Understanding Smart Card Policies


Group Policy/Local Group Policy/Local Security Policy
  Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Interactive Logon: Require Smart Card
  A simple Yes or No (Enabled or Disabled)
Interactive Logon: Smart Card Removal Behavior
  No Action (default)
  Lock Workstation
  Force Logoff
  Disconnect if a remote Remote Desktop Services connection


What We Covered

Configuring User Account Control
Configuring removable device policies
Understanding Credential Manager
Changing execution context with RunAs
Windows 7 account policies and user rights
Windows 7 local groups
Creating a password reset disk
Understanding smart card policies


My Favorite Supporting Resources


1. Vista UAC Secure Desktop Explained
   http://cybernetnews.com/vista-uac-secure-desktopexplained/

Managing Mobility Options


Windows 7 Administration Training
Instructor: Scott Lowe


Managing Mobility Options Windows 7 Administration Training

In This Lesson:
Enable work on the go by using offline files
Transparent caching
Save energy by configuring local power settings
Location Aware Printing


Scenario
Globomantics is making sure that every sales person is equipped with a laptop to use in order to maximize their time on the road
Every customer visit must be as productive as possible
All of Windows 7's mobility capabilities (offline files, caching, location-based printing, power policies) must be leveraged
Business needs
  Increased mobility leads to increased sales
  Battery life and power settings must be optimized to increase road time
  Sales people still need access to their centralized files and folders in order to do their jobs
  Location-based printing will help these mobile professionals locate available printers


Using Offline Files


Users, particularly mobile users, can't always be connected to a live server
Road warriors still need access to their files
Offline Files locally caches copies of server-based files on the Windows 7 desktop
As the user roams, he works from the locally cached file
Once reconnected to the file server, the cached files synchronize with the server-side copy
As space becomes a premium, Offline Files begins removing the least-used cached files to reclaim space
Use the Sync Center to resolve synchronization conflicts


Offline Files in Action

1. Offline Files is enabled for a file. A copy of the file is cached to the local Windows 7 machine.
2. User disconnects from server to go on the road. User modifies locally cached file while disconnected from server.
3. The user reconnects to the network. The modified file is synchronized with the server-based copy.


Using Offline Files


There are four operational methods
  Online mode (Online)
    Normal, connected access to server-based files
  Auto offline mode (Offline: not connected)
    When network issues occur, Offline Files moves to auto offline mode, which redirects file operations (browse, open, create, read, write) to offline mode
  Manual offline mode (Offline: working offline)
    Users can force Windows 7 to use the offline copy of data at will
  Slow-link mode (Offline: slow connection)
    If enabled in Group Policy, allows a transition to offline mode when a network connection slows down


Using Offline Files


Group/Local policies related to Offline Files
  Computer Configuration > Administrative Templates > Network > Offline Files
Important policies
  Encrypt the Offline Files cache
  Files not cached
  Remove Make Available Offline
A look at the Sync Center, available via Control Panel


Transparent Caching
Similar to Windows 7's new BranchCache feature
  Windows 7's new BranchCache capability is covered in the lesson entitled Managing BranchCache
Transparent caching locally and automatically caches copies of files that a user has accessed from a server
Does not need to be enabled on a per-file basis
Each time the user accesses the file, the local system verifies that the locally cached copy is current
  If it's not current, the file is opened directly from the server
When the server is unavailable, the local cache is also unavailable
Supports both domain- and non-domain-joined clients


Transparent Caching
Not enabled by default
Group/Local policies related to Offline Files
  Computer Configuration > Administrative Templates > Network > Offline Files
We will learn more about Transparent Caching in the lesson entitled Managing BranchCache


Configuring Local Power Settings and Policies


Power plans (default is Balanced power plan)
  Allow you to decide how your computer operates under different power environments
    Plugged in
    On Battery (available only on computers with batteries)
  Include a number of power settings from which you can choose, including
    Display settings
    Power configuration
    Brightness
    Sleep settings
    Advanced settings
  Available for each configured power plan


Configuring Local Power Settings and Policies


Power button options
  Sleep
    Most system devices are turned off
    RAM stays active at current state
    Eventually transitions to Hibernate mode
  Hibernate
    Everything is turned off and the contents of system memory are written to a file on the hard disk
    System resumes when powered back on at the state at which it was when it was placed in Hibernate mode
  Shut down
    Turn the system off
  Do Nothing


Configuring Local Power Settings and Policies


Centralize power configuration through Group Policy
  Computer Configuration > Administrative Templates > System > Power Management
You can require the use of one of Windows 7's built-in power plans
If you know the GUID of a custom power plan, that plan can be used instead
  Use powercfg -L from the command line to get a list of power plans and their GUIDs


Configuring Local Power Settings and Policies


Other important powercfg commands
  See which devices can wake a computer
    powercfg -devicequery wake_from_any
  Create an energy policy report
    powercfg -energy
    Open the resulting report in Internet Explorer
    Saved to a file named energy-report.html in the directory in which the command was run
  Export a power plan
    powercfg -export export_name GUID
  Import a power plan
    powercfg -import filename GUID


Location Aware Printing


Allows automatic switching of available print devices based on location
Printers can be manually paired with a particular network
  From Devices and Printers
  Click Manage default printers
  Make decisions about which printers to use for which network


What We Covered

Enable work on the go by using offline files
Transparent caching
Save energy by configuring local power settings
Location Aware Printing

Protecting Windows 7 Computers with Windows Updates


Windows 7 Administration Training
Instructor: Scott Lowe


Protecting Windows 7 Computers with Windows Updates Windows 7 Administration Training

In This Lesson:
Why update Windows?
Update types
Windows Update control panel applet
Configuring important update settings
Windows Update settings
Reviewing update history
Deciding which updates to install
Uninstalling updates
Using the Microsoft Baseline Security Analyzer
WSUS and Windows Updates
Non-WSUS operations vs. WSUS operations


Scenario
Keeping Windows desktop computers current with the latest security patches is vital to company efforts to keep systems and data secure
Windows computers require regular updates designed to plug security holes and correct other flaws
Globomantics can't afford to hire enough people to simply walk around and manually update each and every Windows 7 desktop
Business need
  Centralizing updates keeps TCO at a reasonable level
  Updates are a critical component of an organization's overall security strategy
  The ability to roll back updates is key in the event that an update breaks something


Why Update Windows?


All software contains flaws
Even with the best of intentions, Windows ships with holes that were not discovered during development
Updates fix these flaws
Some updates add new features and capabilities
Windows Update is not limited to Windows; other Microsoft products, including Office, are updated via this update mechanism


Update Types
Important
  Updates that should be installed immediately in order to counter potential security or privacy threats
  Includes security and critical updates
Recommended
  Updates that may improve system reliability or improve information, such as that found in system help files
  May add new features to Windows or even other Microsoft software
Optional
  Often includes new driver updates
  May include new versions of trial software


Windows Update Control Panel Applet


Options provides control over Windows Update settings
Manual update installation process
  Click Check for updates
  Manually install updates via the Install Update button
  If updates have been downloaded, click the Install updates button to begin installation
Click the category name to list updates


Configuring Important Update Settings


Install updates automatically
  Updates are installed every day at 3AM or as soon as the computer is turned on
Download updates but let me choose whether to install them
  Updates are downloaded but are not installed until a user initiates the process
Check for updates but let me choose whether to download and install them
  The user is simply notified that new updates are available, but they are neither downloaded nor installed without user intervention
Never check for updates
  Not recommended


Windows Update Settings


Reviewing Update History


Get a list of installed updates by clicking the View update history option in Control Panel
Get more information about an update by right-clicking the update and choosing View details


Deciding Which Updates to Install


You may want to prevent an update from installing automatically
  Some updates have problems
  You may have software that conflicts with an update
Hide an update so it doesn't appear in update lists
If you change your mind, you can unhide updates
  At some point, you should make sure to install all important updates, even if you've previously hidden them
  Use the Restore hidden updates option


Uninstalling Updates
When you're viewing a list of installed updates, right-click an update and choose Uninstall
The Installed Updates window is accessible via the Windows Update control panel applet or the Programs and Features control panel applet


Using the Microsoft Baseline Security Analyzer


MBSA 2.1.1 provides support for Windows 7 and Windows Server 2008 R2
Download from http://www.microsoft.com/downloads/details.aspx?FamilyID=b1e76bbe-71df-41e8-8b52-c871d012ba78&displaylang=en
MBSA provides a way to identify updates that might be missing from a Windows installation
The tool also points out other potential security holes, such as misconfigured accounts or accounts with no password expiration in place


Using Group Policy to Configure Updates


Group Policy (local GP editor: gpedit.msc)
  Computer Configuration > Administrative Templates > Windows Components > Windows Update
A lot of options available
  We'll walk through them


WSUS and Windows Updates


Microsoft Windows Server Update Services 3.0 SP2
  Provides support for Windows 7
A server-based tool that centrally manages and distributes updates
Once installed, assumes responsibility for contacting Microsoft Update servers
Saves bandwidth
  Machines don't need to individually download massive updates
Centrally catalogs updates

Non-WSUS Operations vs. WSUS Operations

[Diagram: the Globomantics office network shown twice, without and with WSUS. Labels: WSUS Server; GM-SW-File (Globomantics Server, DHCP/DNS); GM-7-Desktop (Globomantics Windows 7 Desktop); GM-7-M-X (Globomantics Windows 7 Mobile)]

Globomantics Office Without WSUS


Each individual computer downloads updates from Microsoft Update servers

Globomantics Office With WSUS


Local WSUS servers download and catalog updates
Each individual computer downloads updates from the local WSUS server


WSUS and Windows Updates


Redirect Automatic Updates to a WSUS server
  Click Specify Intranet Microsoft update service location
  Click Enabled and type the HTTP(S) URL of the same WSUS server in the Set the intranet update service for detecting updates box and in the Set the intranet statistics server box
  Click the OK button
Disable access to Windows Update
  Use Group Policy: expand Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings
  Click Turn off access to all Windows Update features
  Click Enabled
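Once the two policies above have been applied, a client can be checked from PowerShell to confirm that it really points at the intended WSUS server. This is an added example, not part of the course material; the function names are hypothetical, and the registry values read are the ones in which these Group Policy settings are stored.

```powershell
# Added example. Read-only check of the Windows Update client policy.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValue {
    # Return a registry value, or nothing if the key or value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Test-WsusClientPolicy {
    $server  = Get-PolicyValue $WuKey 'WUServer'        # update detection URL
    $status  = Get-PolicyValue $WuKey 'WUStatusServer'  # statistics URL
    $useWsus = Get-PolicyValue "$WuKey\AU" 'UseWUServer'
    $blocked = Get-PolicyValue $WuKey 'DisableWindowsUpdateAccess'

    if (-not $server) {
        return 'No intranet update service is configured; the client uses Microsoft Update.'
    }

    $findings = @()
    if ($useWsus -ne 1) {
        $findings += 'WUServer is set but UseWUServer is not 1, so the URL is ignored.'
    }
    if ($server -ne $status) {
        # The slide asks for the same server in both boxes.
        $findings += "Detection ($server) and statistics ($status) servers differ."
    }
    foreach ($url in (@($server, $status) | Where-Object { $_ } | Select-Object -Unique)) {
        if ($url -notmatch '^https://') {
            $findings += "$url is not HTTPS: update metadata is fetched without TLS protection."
        }
    }
    if ($blocked -ne 1) {
        $findings += 'Access to Windows Update features is not turned off; users can still reach Microsoft Update.'
    }
    if ($findings.Count -eq 0) { $findings += "OK: client is bound to $server." }
    $findings
}

Test-WsusClientPolicy
```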


Plug for System Center Configuration Manager 2007 R2


System Center Configuration Manager 2007 R2 can also be used to handle distribution and tracking of updates
Globomantics does not currently own System Center Configuration Manager 2007 R2
http://www.trainsignal.com/System-Center-ConfigurationManager-P71.aspx


What We Covered

Why update Windows?
Update types
Windows Update control panel applet
Configuring important update settings
Windows Update settings
Reviewing update history
Deciding which updates to install
Uninstalling updates
Using the Microsoft Baseline Security Analyzer
WSUS and Windows Updates
Non-WSUS operations vs. WSUS operations

Managing Applications

Windows 7 Administration Training


Instructor: Scott Lowe


Managing Applications Windows 7 Administration Training

In This Lesson:
Program compatibility assistant
Program compatibility properties
Compatibility-related group policies
Application Compatibility Toolkit
Using Windows XP mode
Configuring software restriction policies
Using AppLocker


Scenario
Globomantics uses a wide range of applications to meet its business goals
There are questions surrounding application compatibility
Globomantics will use a number of tools to determine compatibility with Windows 7
Globomantics also plans to consider the use of AppLocker as a security mechanism to keep hostile software off the network
Business need
  Line of business applications are the lifeblood of Globomantics, so they need to simply work
  AppLocker is a Windows 7-based evolution in software policies designed to control what applications are allowed to be used


Program Compatibility Assistant


A tool built into Windows 7 that checks for program installation problems
Pops up a dialog box suggesting a fix for a problem
Offers to reinstall a program using Microsoft recommended settings
Only modifies Windows settings related to the execution of the program


Program Compatibility Properties


Right-click program and choose Troubleshoot compatibility
Manually modify program properties
  Compatibility mode
  Run in 256 colors
  Run in 640x480 screen resolution
  Disable visual themes
  Disable desktop compression
  Disable display scaling on high DPI settings
  Privilege level
  Change settings for all users


Compatibility-Related Group Policies


Available via the Group Policy editor
  Computer Configuration > Administrative Templates > System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics


Application Compatibility Toolkit


Application Compatibility Manager
  A SQL Server-based tool that collects application information from existing Globomantics computers
Compatibility Administrator
  A set of application compatibility fixes that have already been verified to allow applications to work under Windows 7
Developer and Tester Tools
  Internet Explorer Compatibility Test Tool
    Tests web site compatibility with Internet Explorer 8
  Setup Analysis Tool
    Monitors application installers to test compatibility
  Standard User Analyzer
    Determines if an app will have problems with UAC


Using Windows XP Mode


Option of last resort
Creates a virtual instance of Windows XP in which applications are run
Seamless to end user
Installation steps (www.microsoft.com/windows/virtual-pc)
  Download and install Windows XP Mode first
  Then Virtual PC
  Then Windows XP Mode update
Globomantics will run Internet Explorer 6 from Windows XP Mode


Configuring Software Restriction Policies


A legacy application management tool
Configurable via Group Policy
  Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies
Applicable to Windows XP, Windows Vista and Windows 7
Security levels
Group Policy page: Enforcement
Group Policy page: Designated file types
Group Policy page: Trusted publishers


Configuring Software Restriction Policies


Order of precedence
  Hash rule
  Certificate rule
  Path rule
  Network zone rule (msi installer files only)
  Default rules
For conflicts
  The most specific rule takes precedence
Globomantics will block the use of Solitaire using Software Restriction Policies


Using AppLocker
Available only on Windows 7 clients
Significantly better than Software Restriction Policies
  No need to rework restrictions as applications are upgraded
  Can be applied to user subsets
Configurable via Group Policy
  Computer Configuration > Windows Settings > Security Settings > Application Control Policies
Relies on the use of the Application Identity Service


Using AppLocker
Feature | Software Restriction Policies | AppLocker
Rule scope | All users | Specific user or group
Rule conditions provided | File hash, path, certificate, registry path, and Internet zone rules | File hash, path, and publisher rules
Rule types provided | Allow and deny | Allow and deny
Default rule action | Allow or deny | Deny
Audit-only mode | No | Yes
Wizard to create multiple rules at one time | No | Yes
Policy import or export | No | Yes
Rule collection | No | Yes
PowerShell support | No | Yes
Custom error messages | No | Yes


Using AppLocker
Rule types
  Executable: .exe and .com files
  Windows Installer: .msi and .msp files
  Script: .ps1, .bat, .cmd, .vbs and .js files
  DLL: .dll and .ocx files


Using AppLocker
Rule conditions
  Publisher
    Discussed on next slide
    Most secure option
  Path
    Based on the file path
  File hash
    Based on the unique file hash
    Use when a file is not signed
    More secure than path rules
Rule behavior
  Allow or Deny


Using AppLocker
Publisher rules
  Rules based on application digital signatures
  Files must be signed
  These rules can survive application upgrades
    e.g. create a rule that says "Block this application version 2.0 and higher"
    e.g. allow versions 2.0 or higher of a program to run if it is signed by the software publisher GlobomanticsDevCorp
Globomantics will block the use of WordPad using AppLocker
  Service Packs should not disable this rule
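The WordPad scenario above, built and tested with the AppLocker PowerShell cmdlets before anything is enforced. This is an added example, not part of the course material; the file paths, the rule name and the output file are assumptions, and the generated rule is edited in XML because New-AppLockerPolicy only produces allow rules.

```powershell
# Added example. Run from an elevated PowerShell prompt on a Windows 7
# edition that includes AppLocker. Nothing is applied to the machine.
Import-Module AppLocker

# Assumed default locations; adjust if Windows is installed elsewhere.
$WordPad    = Join-Path $env:ProgramFiles 'Windows NT\Accessories\wordpad.exe'
$Notepad    = Join-Path $env:windir 'System32\notepad.exe'
$PolicyFile = Join-Path $env:TEMP 'block-wordpad.xml'   # hypothetical output file

# AppLocker rules are only enforced while the Application Identity service runs.
Get-Service -Name AppIDSvc | Select-Object Name, Status

# Publisher rules need a signed file; otherwise fall back to a file hash rule.
$info = Get-AppLockerFileInformation -Path $WordPad
if (-not $info.Publisher) {
    throw "$WordPad has no publisher information; use a file hash rule instead."
}

# Generate a publisher rule for the file, then turn it into a deny rule.
[xml]$policy = $info | New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml

foreach ($rule in $policy.SelectNodes('//FilePublisherRule')) {
    $rule.SetAttribute('Action', 'Deny')
    $rule.SetAttribute('Name', 'Globomantics: block WordPad (all versions)')
    # Match every file version so that a service pack does not slip past the rule.
    foreach ($range in $rule.SelectNodes('.//BinaryVersionRange')) {
        $range.SetAttribute('LowSection', '*')
        $range.SetAttribute('HighSection', '*')
    }
}

# Audit-only mode logs what would be blocked without blocking it.
foreach ($collection in $policy.SelectNodes('//RuleCollection')) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($PolicyFile)

# Evaluate the policy file against two programs without applying it.
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $WordPad, $Notepad -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# To merge the rule into the local policy once the result is as intended:
#   Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
```

A file that matches no rule in a collection is reported as DeniedByDefault, so a deny rule like this one has to be deployed together with allow rules (for example the default rules created in the Group Policy editor) or it will block far more than WordPad.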


What We Covered

Program compatibility assistant
Program compatibility properties
Compatibility-related group policies
Application Compatibility Toolkit
Using Windows XP mode
Configuring software restriction policies
Using AppLocker


My Favorite Supporting Resources


1. Windows 7 Application Compatibility List for IT Professionals
2. Introduction to the Application Compatibility Toolkit (ACT) Version 5.6
3. Windows 7 AppLocker Executive Overview
4. How AppLocker Works

Managing Internet Explorer


Windows 7 Administration Training
Instructor: Scott Lowe

Managing Internet Explorer Windows 7 Administration Training

In This Lesson:
Compatibility Mode
Configuring IE security settings
IE Protected Mode
Managing IE add-ons and search providers
Managing IE's InPrivate browsing
Managing IE's InPrivate filtering
About IE's SmartScreen Filter
IE's pop-up blocker
Managing IE certificates


Scenario
The Globomantics Application group has developed a number of web-based applications that support only Internet Explorer
The CIO has made Internet Explorer the corporate standard
Windows 7 provides centralized management of IE
  Making sure that Internet Explorer settings on Windows 7 machines meet corporate security policies
  Ban the use of unapproved add-ins for Internet Explorer
  Make sure that compatibility mode is properly configured
Business need
  Compatibility Mode will give the Globomantics Application Support group time to update web-based applications
  Users need to understand SmartScreen to help the company prevent malware infestations


Compatibility Mode
Not all web sites display properly in Internet Explorer 8
  IE 8 is the version that ships with Windows 7
Windows Updates include lists of web sites that work best under Compatibility Mode
Compatibility Mode Group Policies
  Administrative Templates > Windows Components > Internet Explorer > Compatibility View
Globomantics needs to display the site apps.globomantics.com in compatibility mode


Configuring IE Security Settings


Security levels
  High
    Most actions are disallowed
  Medium-High
    Appropriate for most web browsing
    Prompts before downloading potentially unsafe content
    Unsigned ActiveX controls will not be downloaded
    Per-application override settings that disable ActiveX warnings in certain situations are not allowed
  Medium
    Prompts before downloading potentially unsafe content
    Unsigned ActiveX controls will not be downloaded



- Medium-Low
  - Appropriate for intranet-based sites
  - Most content will be run without the user being prompted
  - Unsigned ActiveX controls will not be downloaded
- Low
  - Appropriate for only absolutely trusted sites
  - Most content will be run without the user being prompted
  - All active content can run



Internet Explorer security zones
- Local intranet
  - Medium-Low security level
- Trusted sites
  - Medium security level
  - Used only for sites that are known and that can be trusted
- Restricted sites
  - High security level
  - Used for dangerous sites
- Internet
  - Medium-High security level


IE Protected Mode
- Makes it more difficult for web sites to install malicious software
- Allows administrators to install desirable ActiveX controls and add-ons
- Zones
  - Enabled by default in the Internet and Restricted sites zones
  - Disabled in the Local Intranet and Trusted sites zones
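The zone defaults and Protected Mode defaults listed above can be checked on a workstation. The script below is an added example, not part of the course material: it compares the current user's zone settings with those defaults and flags zones that have been weakened. The registry path, the zone numbers, the CurrentLevel template values and the 2500 Protected Mode value are assumptions taken from Microsoft's URL security zone documentation rather than from the slides, and settings pushed by Group Policy live under a separate Policies key that this script does not read.

```powershell
# Added example: audit the current user's IE zone settings against the slide defaults.
$ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# CurrentLevel template values; a larger value is a stricter template.
$LevelValue = @{
    'Low' = 0x10000; 'Medium-Low' = 0x10500; 'Medium' = 0x11000
    'Medium-High' = 0x11500; 'High' = 0x12000
}

# Baseline from the slides: default level and Protected Mode state per zone.
$Baseline = @(
    @{ Zone = 1; Name = 'Local intranet';   Level = 'Medium-Low';  ProtectedMode = $false },
    @{ Zone = 2; Name = 'Trusted sites';    Level = 'Medium';      ProtectedMode = $false },
    @{ Zone = 3; Name = 'Internet';         Level = 'Medium-High'; ProtectedMode = $true  },
    @{ Zone = 4; Name = 'Restricted sites'; Level = 'High';        ProtectedMode = $true  }
)

function Get-LevelName {
    param([int]$Value)
    foreach ($name in $LevelValue.Keys) {
        if ($LevelValue[$name] -eq $Value) { return $name }
    }
    return 'Custom'
}

function Test-ZoneSetting {
    # Returns one finding per deviation; no output means the zone matches the baseline.
    param($Expected, $CurrentLevel, $ProtectedModeFlag)
    $findings = @()
    $want = $LevelValue[$Expected.Level]
    if ($null -eq $CurrentLevel) {
        $findings += "$($Expected.Name): CurrentLevel is not set for this user"
    } elseif ($CurrentLevel -ne $want) {
        $observed = Get-LevelName $CurrentLevel
        if ($observed -eq 'Custom') { $note = 'custom level, review the individual settings' }
        elseif ($CurrentLevel -lt $want) { $note = 'weaker than the baseline' }
        else { $note = 'stricter than the baseline' }
        $findings += "$($Expected.Name): level is $observed, expected $($Expected.Level) ($note)"
    }
    # Value 2500 holds the Protected Mode state: 0 = enabled, 3 = disabled.
    if ($null -eq $ProtectedModeFlag) {
        $findings += "$($Expected.Name): Protected Mode value 2500 is not set for this user"
    } else {
        $enabled = ($ProtectedModeFlag -eq 0)
        if ($enabled -ne $Expected.ProtectedMode) {
            if ($enabled) { $state = 'enabled' } else { $state = 'disabled' }
            $findings += "$($Expected.Name): Protected Mode is $state, which differs from the baseline"
        }
    }
    return $findings
}

function Get-ZoneAudit {
    # Reads the live per-user values for zones 1 to 4 and tests each one.
    foreach ($zone in $Baseline) {
        $props = Get-ItemProperty -Path "$ZonesKey\$($zone.Zone)" -ErrorAction SilentlyContinue
        $level = $null; $flag = $null
        if ($props) { $level = $props.CurrentLevel; $flag = $props.'2500' }
        Test-ZoneSetting -Expected $zone -CurrentLevel $level -ProtectedModeFlag $flag
    }
}

# Constructed sample: an Internet zone lowered to Medium with Protected Mode switched off.
Test-ZoneSetting -Expected $Baseline[2] -CurrentLevel 0x11000 -ProtectedModeFlag 3

# Live check of the current user's settings.
Get-ZoneAudit
```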


Managing IE Add-ons and Search Providers


- Add-ons extend the functionality of Internet Explorer
- There are add-ons available for many different categories, including adding new search engines to IE
- Group Policy (computer and user settings)
  - Administrative Templates > Windows Components > Internet Explorer > Accelerators
  - Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management
- Globomantics marketing department uses Twitter extensively and will add an Internet Explorer add-on to streamline the Twitter update process


Managing IE's InPrivate Browsing

- InPrivate Browsing prevents Internet Explorer from storing data about a browsing session
  - Helps to prevent anyone else who might be using your computer from seeing visited sites and other potentially private information such as cookies, temporary Internet files, history, and other data
- Toolbars and extensions are disabled by default
- InPrivate Browsing is only in effect during the time that you use the InPrivate window
- Group Policy settings (both computer and user settings)
  - Administrative Templates > Windows Components > Internet Explorer


Managing IE's InPrivate Filtering

- InPrivate Browsing is a broad privacy mechanism
- InPrivate Filtering is more granular
  - Helps protect users from common browsing tracking, such as that performed by third-party advertising networks
  - Users (or administrators) decide what can be shared and with whom
- Managing InPrivate Filtering settings
- Globomantics wants to make sure users can browse the web and get work done and will turn off InPrivate Filtering


About IE's SmartScreen Filter

- Looks for known or suspected phishing web sites or sites that may harm your computer through the installation of malware
  - Site list is updated on an hourly basis
- Also scans downloaded files and blocks the download if there is a known risk
- Allows a user to perform a manual check of a site
- Provides users with a warning that a site might not be safe
  - http://207.68.169.170/contoso/enroll_auth.html


IE's Pop-Up Blocker

- Pop-ups are not very popular but, when used appropriately, do have value
  - Some pop-ups, i.e. login boxes, need to be allowed
- Pop-ups can be allowed on a site-by-site or per-zone basis
- Pop-ups are always allowed in the default Local Intranet and Trusted Sites zones
- The Pop-Up Blocker settings window allows configuration of this security feature


Managing IE Certificates
- Secure web browsing is based on the use of Secure Sockets Layer (SSL) encryption certificates
  - Provides trusted secure end-to-end communications encryption so users can comfortably share personal information including social security numbers and credit card information
- Internet Explorer blocks access to SSL-protected web sites when things don't look right
  - The address doesn't match that of the SSL certificate
  - The certificate is expired or has been revoked
  - The certificate is not trusted back to what's called a root certificate
- Internet Explorer certificate settings window
  - https://204.184.63.35/owa/


What We Covered

- Compatibility Mode
- Configuring IE security settings
- IE Protected Mode
- Managing IE add-ons and search providers
- Managing IE's InPrivate browsing
- Managing IE's InPrivate filtering
- About IE's SmartScreen Filter
- IE's pop-up blocker
- Managing IE certificates


My Favorite Supporting Resources


1. About URL Security Zone Templates

Configuring File and Folder Access


Windows 7 Administration Training
Instructor: Scott Lowe


Configuring File and Folder Access Windows 7 Administration Training

In This Lesson:
- Changing file and folder permissions
- Understanding NTFS permissions
- Assigning NTFS permissions
- Understanding effective permissions
- Permissions impact: Copying and moving files
- Encrypting files and folders using EFS
- BitLocker To Go
- Full disk encryption using BitLocker


Scenario
- Globomantics needs to provide secure access to files and folders so that users can do their jobs
- Due to the recent security incident, Globomantics wants to make sure that the theft of a desktop computer doesn't result in unauthorized access to company data
- Although Globomantics could choose to implement BitLocker on desktops as well as laptops, the company is considering using EFS on internal systems just to protect key shared folders
- Business need
  - Globomantics will secure access to files and folders at both the share and file (NTFS) level
  - Globomantics will protect mobile devices through the use of BitLocker and protect internal desktop PCs using EFS


Changing File and Folder Permissions


- In the world of IT, there is a principle that states that users should have only the most minimal permissions they need to complete their jobs
- NTFS, the default file system used in Windows 7, helps to enforce this least privilege principle by providing the ability to apply permissions to files and folders in a very granular way
  - No NTFS rights = No access
- With only minor exceptions, files and folders both use the same available NTFS permissions, but these permissions may manifest themselves a bit differently
- Permissions can be assigned directly to a user or they can be assigned to a user group
  - It's much preferred to assign permissions to groups


Understanding NTFS Permissions


Basic NTFS permission sets
- Full Control (Modify, Read & Execute, List Folder Contents, Read, Write)
  - Provides a user with the ability to do anything and everything with a file or folder, including modifying permissions
  - This is the only standard right that allows a user to change permissions to the file or folder
  - Users can take ownership of a file or folder
- Modify (Read & Execute, List Folder Contents, Read, Write)
  - Allows a user to read, write, change and delete files and folders



Basic NTFS permission sets (continued)
- Read & Execute (List Folder Contents, Read)
  - Allows a user to access a file or folder and execute programs within
- List Folder Contents
  - Applies to folders only
  - Allows a user to view the contents of a folder
- Read
  - User can read the contents of a folder or access a file
  - Does not allow the user to execute programs
- Write
  - Folders: User can add files and folders to a folder
  - Files: User can change a file, but he cannot delete it



Inherited permissions
- When you create a file or folder, the new entity assumes the permission set of the parent folder
- This process is called inheritance and can result in some of the most complicated permission issues you will come across
- You can block inheritance and assign unique permissions if you like


Assigning NTFS Permissions


- Each file and folder object on the NTFS partition has a Security tab on its Properties page
  - From this page, you can view the current security configuration for the object
- You can also use the command line icacls utility
- Globomantics wants to do the following
  - Allow users that are a part of the Marketing group to access (Modify access) a local folder named Marketing (GUI method)
  - Allow users that are a part of the Sales group to access (again, Modify rights) a local folder named Sales (icacls)
    - icacls c:\sales /grant gm\sales:(oi)(ci)m
  - Deny access to the Sales folder to Marketing (GUI)


Understanding Effective Permissions


- NTFS permissions can and do collide with one another from time to time
  - A user might have been directly assigned Read rights to a particular folder and also been assigned the Write right by virtue of a group membership
- With one exception, NTFS permissions are cumulative
  - In the case above, the user would be granted both Read and Write privileges
- Exception
  - If a user has been specifically denied a right anywhere, the Deny right trumps everything else



- Globomantics is trying to figure out why the user named Steve Smith was able to change a document at C:\Accounting
- Use the effective permissions tool to determine what access level this user has been granted and determine why he was able to make a change


Permissions Impact: Copying and Moving Files


- As you've seen, file and folder permissions are dependent on their location in the file system, particularly as inheritance comes into play
- Moving and copying files can impact NTFS permissions on the files being copied or moved
- When copying objects to a new location, the objects take on the permission set of the new location
- When objects are moved
  - To locations on the same volume
    - They maintain their existing permission sets
  - To locations on a different volume
    - They inherit the permissions of the new folder
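The copy and same-volume move rules above can be observed directly. The script below is an added example, not part of the course material: it creates two files in a scratch folder under %TEMP%, gives each an explicit Read entry for the current user, then copies one and moves the other into a sibling folder on the same volume and counts the explicit (non-inherited) entries that survive. The folder and file names are constructed for the demonstration, and the different-volume case is not covered because it needs a second volume.

```powershell
# Added example: what happens to an explicit ACE on copy versus same-volume move.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$root = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid().ToString('N'))
$src  = Join-Path $root 'Source'
$dst  = Join-Path $root 'Dest'
New-Item -ItemType Directory -Path $src, $dst | Out-Null

function Get-ExplicitAce {
    # Access rules set directly on the object, ignoring anything inherited.
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited }
}

function New-MarkedFile {
    # Creates a file and adds one explicit Read entry so the ACL is recognizable.
    param([string]$Path)
    Set-Content -Path $Path -Value 'constructed test data'
    & icacls $Path /grant "${me}:(R)" | Out-Null
}

$toCopy = Join-Path $src 'copied.txt'
$toMove = Join-Path $src 'moved.txt'
New-MarkedFile $toCopy
New-MarkedFile $toMove

# Copy creates a new object in Dest; move on the same volume relocates the existing one.
Copy-Item -Path $toCopy -Destination $dst
Move-Item -Path $toMove -Destination $dst

$report = foreach ($name in 'copied.txt', 'moved.txt') {
    $count = @(Get-ExplicitAce (Join-Path $dst $name)).Count
    New-Object PSObject -Property @{ File = $name; ExplicitAces = $count }
}
$report | Format-Table File, ExplicitAces -AutoSize

# Clean up the scratch folder.
Remove-Item -Path $root -Recurse -Force
```

The copied file arrives with only the entries it inherits from Dest, while the moved file still carries the explicit entry it was given in Source.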


Encrypting Files and Folders Using EFS


- EFS allows users to encrypt individual files and folders
  - BitLocker encrypts entire volumes
  - EFS encrypts individual files and folders on NTFS volumes
- Once a folder is encrypted, all files inside that folder are encrypted, including any files you create later on
- The first time a user encrypts a file on a Windows 7 machine, he is asked to back up his newly created security certificate
- If other users need to access the file, they need to first log in and encrypt something so that their certificate is also saved
- You can use Active Directory Certificate Services to centralize management of EFS certificates
  - Well beyond the scope of this course and the exam



EFS Recovery Agent
- Users come and go and they may or may not leave in a way that allows them to make sure that they've provided access to files that they've encrypted
- Create an EFS Recovery Agent in order to open files encrypted by another user
- The agent needs to be created before users start encrypting files
- From the command line
  - Cipher /r:recoveryagent



- Globomantics will teach some internal users how to encrypt folders on their local hard drives
  - These folders contain sensitive financial information that, in the wrong hands, could lead to another public relations debacle
- Because two users share a single PC in the controller's office, certificates will be created for both users (Administrator and Steve)
  - This is a stop-gap measure intended to be used only until Globomantics is able to deploy a full infrastructure capable of centralizing all of the various user certificates
- You will first create an EFS Recovery Agent to make sure that files remain accessible


BitLocker To Go
- People often rely on portable storage to be able to transport documents between locations
  - These portable storage devices can be a major security headache
- BitLocker To Go is a new feature that encrypts the full contents of these portable storage devices
  - Does not require any special hardware, such as a Trusted Platform Module chip
  - Devices protected with BitLocker To Go can even be read in older versions of Windows

- A number of local group policies exist that manage the implementation of BitLocker
  - Located at Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives
- Globomantics requires that portable USB storage be configured with BitLocker To Go
  - Set up appropriate local policies
  - Walk-through policy options
  - Encrypt a USB volume


Full Disk Encryption Using BitLocker


- BitLocker provides full disk encryption, making data inaccessible unless specific conditions are met
- BitLocker operating modes
  - TPM-only mode
  - TPM with startup key
  - TPM with PIN
  - TPM with PIN and startup key
  - BitLocker without TPM



TPM-only mode (TPM = Trusted Platform Module)
- 100% transparent to user
- Protects the boot environment from modification
- No requirement for the user to use a PIN or password at boot time
- No requirement for the user to use a startup key at boot time
- Least secure BitLocker option



TPM with startup key
- Not very transparent to user
- Protects the boot environment from modification
- No requirement for the user to use a PIN or password at boot time
- There is a requirement for the user to use a startup key at boot time
  - A startup key is a USB drive that has been preconfigured for use with BitLocker
- More secure since there is a need for the user to use a physical device to boot the system



TPM with PIN
- Transparent to user after boot
- Protects the boot environment from modification
- There is a requirement for the user to use a PIN or password at boot time
- No requirement for the user to use a startup key at boot time
- More secure since there is a need for the user to use a password to boot the system



TPM with PIN and startup key
- Not very transparent to user
- Protects the boot environment from modification
- There is a requirement for the user to use a PIN or password at boot time
- There is a requirement for the user to use a startup key at boot time
  - A startup key is a USB drive that has been preconfigured for use with BitLocker
- Most secure option since there is a need for the user to both use a password to boot the system and to have available a physical USB device



BitLocker without TPM
- Not all systems ship with TPM chips, so BitLocker can be configured to use just a key device
  - Does not protect the boot environment itself
- Organizations may still want to use BitLocker even if a system does not have TPM
  - Modify a Group Policy object
    - Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require Additional Authentication at Startup
  - Requires the use of a USB-based startup key



BitLocker notes
- When used with TPM, the encryption key is stored on the system's local TPM chip
- Recovery information can also be stored in Active Directory
- Configure a Data Recovery Agent (DRA) user account to enable recovery of encrypted data
  - Computer Configuration > Windows Settings > Security Settings > Public Key Policies > BitLocker Drive Encryption
  - For already-encrypted drives, use the manage-bde -SetIdentifier <volume letter> command to enable after-the-fact DRA support on that volume



Recovery
- There are times when BitLocker needs to be used in recovery mode
  - The contents of the TPM chip may have been lost
  - You modified one of the boot files
    - Best practice: Temporarily disable BitLocker before modifying a boot file
  - You've connected a BitLocker-protected disk to a different computer
- In recovery mode, you need to provide one or both of
  - The BitLocker PIN
  - The USB key that holds the recovery key



The manage-bde command
- Manage BitLocker options from the command line
- See the results of manage-bde -status
- Globomantics will enable BitLocker on the system volume for laptop systems
  - PIN option will be selected


What We Covered
- Changing file and folder permissions
- Understanding NTFS permissions
- Assigning NTFS permissions
- Understanding effective permissions
- Permissions impact: Copying and moving files
- Encrypting files and folders using EFS
- BitLocker To Go
- Full disk encryption using BitLocker

Shared Access to Resources


Windows 7 Administration Training
Instructor: Scott Lowe

Shared Access to Resources Windows 7 Administration Training

In This Lesson:
- Resource sharing overview
- Basic vs. advanced sharing
- Understanding Share vs. NTFS permissions
- Offline folder caching
- Sharing printers and managing print queues
- Windows 7 libraries
- Configuring HomeGroup


Scenario
- Information Technology advancements have created a collaboration revolution on which Globomantics wants to capitalize
- Collaboration is enabled through resource sharing
- Files, folders and printing devices are commonly shared at Globomantics, but not all users need to access all shared resources
- At especially small branch offices, Globomantics will use a Windows 7 desktop in a pseudo-server capacity
- Business need
  - Shared resources reduce overall costs since users don't need their own dedicated devices, such as printers


Resource Sharing Overview


- The Network and Sharing Center holds the basic keys to the resource sharing kingdom
- Resource sharing settings are configured on a per-network profile basis
  - Network discovery
  - File and printer sharing
  - Public folder sharing
  - Media streaming
  - File sharing connections
  - Password protected sharing
  - HomeGroup connections


Basic vs. Advanced Sharing


Basic sharing
- Rights available
  - Owner
    - Assigned to the user account that set up the share
  - Read
    - Allows the specified user or group to read files from the shared location
  - Read/Write
    - Allows the specified user to read files, modify existing files and create new ones



Advanced sharing
- Rights available
  - Full Control
    - Assigned to the user account that set up the share
    - Allows a user to change the resource share permissions
  - Read
    - Allows the specified user or group to read files from the shared location
  - Change
    - Allows the specified user to read files, modify existing files and create new ones


Understanding Share vs. NTFS Permissions


- Share permissions
  - Applied only when a resource is accessed over the network
  - If a resource is accessed from the local console, only NTFS permissions are enforced
- NTFS permissions
  - Applied regardless of access location, local or remote
  - NTFS permissions are discussed in the Configuring File and Folder Access lesson
- When combined, the most restrictive set of permissions applies
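The rules from this slide and from the Understanding Effective Permissions slide in the previous lesson (allows are cumulative, a Deny overrides them, and over the network the more restrictive of share and NTFS applies) are easier to follow when worked through. The script below is an added example, not part of the course material: it is a simplified model that treats each permission set as a bundle of bit flags, not a reimplementation of the Windows access check. The account globomantics\ssmith, the globomantics\MARKETING group name and the ACL contents are constructed for illustration.

```powershell
# Added example: simplified model of the NTFS and share permission rules on the slides.
$Right = @{ Read = 1; Write = 2; Execute = 4; Delete = 8; ChangePermissions = 16 }
$PermissionSet = @{
    'Read'           = 1
    'Write'          = 2
    'Read & Execute' = 5
    'Modify'         = 15    # NTFS: read, write, execute, delete
    'Change'         = 15    # share-level counterpart of Modify
    'Full Control'   = 31
}

function New-Ace {
    param([string]$Principal, [string]$Type, [string]$Set)
    New-Object PSObject -Property @{ Principal = $Principal; Type = $Type; Set = $Set }
}

function Get-GrantedMask {
    # Union of every Allow entry that applies to the user, minus every Deny entry.
    param([object[]]$Aces, [string[]]$Principals)
    $allow = 0; $deny = 0
    foreach ($ace in $Aces) {
        if ($ace -and ($Principals -contains $ace.Principal)) {
            $bits = $PermissionSet[$ace.Set]
            if ($ace.Type -eq 'Deny') { $deny = $deny -bor $bits } else { $allow = $allow -bor $bits }
        }
    }
    $allow -band (-bnot $deny)
}

function Get-EffectiveAccess {
    # Local access uses NTFS only; network access is the overlap of NTFS and share rights.
    param([object[]]$NtfsAces, [object[]]$ShareAces, [string[]]$Principals, [switch]$OverNetwork)
    $mask = Get-GrantedMask $NtfsAces $Principals
    if ($OverNetwork) { $mask = $mask -band (Get-GrantedMask $ShareAces $Principals) }
    $names = @($Right.Keys | Where-Object { $mask -band $Right[$_] } | Sort-Object)
    if ($names.Count -eq 0) { 'No access' } else { $names -join ', ' }
}

# Constructed ACLs for the Sales folder and the Sales share.
$salesNtfs = @(
    (New-Ace 'globomantics\SALES'     'Allow' 'Modify'),
    (New-Ace 'globomantics\ACCTNG'    'Allow' 'Modify'),
    (New-Ace 'globomantics\MARKETING' 'Deny'  'Modify')
)
$salesShare = @(
    (New-Ace 'globomantics\SALES'  'Allow' 'Change'),
    (New-Ace 'globomantics\ACCTNG' 'Allow' 'Read')
)
# Constructed ACL for C:\Accounting: a direct Read entry plus Write through a group.
$acctNtfs = @(
    (New-Ace 'globomantics\ssmith' 'Allow' 'Read'),
    (New-Ace 'globomantics\ACCTNG' 'Allow' 'Write')
)

$accountant = 'globomantics\ssmith', 'globomantics\ACCTNG'
$dualMember = 'globomantics\SALES', 'globomantics\MARKETING'

"Cumulative allow (C:\Accounting, local): " + (Get-EffectiveAccess $acctNtfs @() $accountant)
"Deny overrides allow (Sales, local):     " + (Get-EffectiveAccess $salesNtfs $salesShare $dualMember)
"Accountant on Sales, local console:      " + (Get-EffectiveAccess $salesNtfs $salesShare $accountant)
"Accountant on Sales, over the network:   " + (Get-EffectiveAccess $salesNtfs $salesShare $accountant -OverNetwork)
```

Comparing the last two lines of output shows why a user can hold wider rights at the console than through the share, even though the NTFS entries are identical.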


Offline Folder Caching


- Offline folder caching is discussed fully in the Managing Mobility Options lesson
- During the sharing process, decide how/if you want users to be able to cache offline files to their local computers
  - Only the files and programs that users specify are available offline
  - No files or programs from the shared folder are available offline
  - All files and programs that users open from the shared folder are automatically available offline


Sharing Folders
- A Utica, NY-based Windows 7 desktop will be a pseudo-server with a couple of shares initially enabled
  - Marketing (GUI method)
    - Offline files should be disabled
    - The Marketing group will have Change rights
    - No more than five people at any one time
  - Sales (command line method)
    - Enable offline files for both documents and programs
    - The Sales group will have Change rights
    - Accounting will have Read rights
    - net share Sales=c:\Sales /grant:globomantics\SALES,CHANGE /grant:globomantics\ACCTNG,READ /cache:programs


Sharing Printers and Managing Print Queues


- By sharing a printer, multiple users can share these relatively expensive resources and save Globomantics a lot of money
- Printing permissions
  - Print
    - Allows users to manage their own documents sent to the printer
  - Manage this printer
    - Users can manage the printer itself, including pausing and restarting printing, changing printer permissions and sharing the printer
  - Manage documents
    - Users in this group can manage the print jobs for any users that have sent documents to the shared print queue



- The Utica, NY-based Globomantics office has an HP LaserJet 4250 printer connected directly to a Windows 7 machine
  - Share this printer with the Sales, Marketing and Accounting domain groups
  - The user named Fred should have both Manage this printer and Manage documents rights


Windows 7 Libraries
- Windows 7 includes virtual folders known as libraries
- Libraries are collections of folders from various sources
  - The local machine
  - Network servers
  - HomeGroup machines
- Default libraries
  - Documents
  - Music
  - Pictures
  - Videos

- Adding new folders to existing libraries
  - The existing libraries can be extended to include new folder sources
  - The Utica sales manager wants the contents of the newly created Sales shared folder to appear in his Documents library
    - It is his machine that is acting as the pseudo-server at Utica
- Creating a new library
  - The Utica sales manager has decided that he wants to create a dedicated Sales library that includes everything sales related


Configuring HomeGroup
- HomeGroup is a new feature in Windows 7 intended to facilitate resource sharing in small home networks
- Resources shared with HomeGroup machines can be provided with some security
- The first Windows 7 machine on the Home network is asked to create a HomeGroup
  - Work and domain computers can join a HomeGroup, but cannot create one
- Subsequent machines are asked if they'd like to join the existing HomeGroup
- Although Globomantics will not use the HomeGroup feature, the help desk has received some calls from users seeking advice regarding this feature


What We Covered

- Resource sharing overview
- Basic vs. advanced sharing
- Understanding Share vs. NTFS permissions
- Offline folder caching
- Sharing printers and managing print queues
- Windows 7 libraries
- Configuring HomeGroup

Using DirectAccess and VPN Connections


Windows 7 Administration Training
Instructor: Scott Lowe

Using DirectAccess and VPN Connections Windows 7 Administration Training

In This Lesson:
- DirectAccess features
- DirectAccess server requirements
- Configuring DirectAccess client side
- Understanding DirectAccess connection types
- DirectAccess client requirements
- Enabling VPN-based remote access
- VPN authentication mechanisms
- Password-based authentication mechanisms
- Windows 7 VPN connections


Scenario
- Globomantics is a company on the move!
- With an ever-growing force of sales people making the rounds visiting potential customers, those mobile professionals need to maintain a constant link with the mother ship in order to keep the wheels of business turning and to make sure that they always have the most current information about clients in order to maximize their efforts
- Windows 7's DirectAccess and VPN capabilities are a perfect fit
- Business need
  - Mobility has become a very high priority to keep mobile professionals in touch as if they were in the office
  - Enabling this mobility in a way that doesn't leave the organization at risk for exploit is key


DirectAccess Features
- DirectAccess is a new Windows Server 2008 R2 and Windows 7 feature that enables VPN-like connectivity but without the need to establish a traditional VPN connection
  - Fully bidirectional; corporate servers can see clients
  - Can be integrated with Network Access Protection to improve security
- Requires no user intervention; connects even before the user logs on to the machine
  - Fully transparent to the end user as the connection process is automatic
  - Connected as soon as the computer is able to use the network connection
- Allows the remote machine to continue to receive Group Policies and software updates


DirectAccess Server Requirements


- DirectAccess requires significant server-side configuration in order to operate (beyond the scope of this course)
  - Domain-joined Windows Server 2008 R2 server
  - At least two network adapters
    - The public network adapter must have two consecutive public IP addresses
    - Other adapter must be connected to internal network
  - A public key infrastructure (PKI) must be in place
  - An Active Directory security group that contains accounts for the computers that will connect via DirectAccess
  - Domain must have a Windows Server 2008 R2 domain controller and DNS server
  - Internally accessed resources must be IPv6 capable


Understanding DirectAccess Connection Types


- Public IPv6
  - The eventual goal; the client is using a public IPv6 address and connects to the Globomantics network via IPv6
- 6to4
  - For clients that use a public IPv4 address, a 6to4 tunnel can be established
- Teredo
  - For clients that sit behind a Network Address Translation (NAT) device and use a private IP address, DirectAccess uses a Teredo connection method
- IP-HTTPS
  - When all else fails, this is the fallback connection type
  - Does not perform as well as other methods


DirectAccess Client Requirements


- Only the Enterprise and Ultimate editions of Windows 7 support DirectAccess
- Only domain-joined computers that belong to a DirectAccess security group can connect to DirectAccess servers
- DirectAccess configuration is distributed to clients via Group Policy with little manual configuration necessary
- It is possible to configure individual clients with the netsh command


Configuring DirectAccess Client Side


Group Policy Objects
- Computer Configuration > Administrative Templates > Network > TCPIP Settings > IPv6 Transition Technologies
  - 6to4 Relay Name
  - IP-HTTPS State
  - Teredo Default Qualified
  - Teredo Server Name
- Computer Configuration > Windows Settings > Name Resolution Policy
  - General configured during the server-side setup



Netsh commands (overridden by Group Policies)
- netsh interface ipv6 set teredo enterpriseclient <serverIPv4address>
- netsh interface 6to4 set relay <serverIPv4address>
- netsh interface httpstunnel add interface client https://externalIPv4name/IPHTTPS
- netsh interface ipv6 show teredo
- netsh interface 6to4 show relay
- netsh interface httpstunnel show interfaces


Enabling VPN-Based Remote Access


- VPNs are traditional, broadly supported remote access and point-to-point connection mechanisms
  - For the purposes of this lesson, we're focused on the remote access side of the VPN house
- Windows 7 supports four different VPN connection methods
  - IKEv2/VPN Reconnect (Internet Key Exchange)
  - SSTP (Secure Socket Tunneling Protocol)
  - L2TP/IPSec (Layer 2 Tunneling Protocol)
  - PPTP (Point-to-point Tunneling Protocol)



- IKEv2/VPN Reconnect
  - Brand new in Windows 7
  - Works only in Windows 7 & Windows Server 2008 R2
  - Supports IPv6
  - Also supports VPN Reconnect
  - NAT-friendly
- SSTP
  - Tunnels traffic over port 443, making it firewall-friendly
  - Cannot be used on a web proxy environment that requires user authentication
  - Works in Windows Vista SP1 and Windows Server 2008



- L2TP/IPSec
  - More secure than PPTP
  - NAT-friendly (supports NAT-T when clients do)
  - Supports either preshared key or certificate-based authentication
  - Very commonly deployed VPN type
  - Works in Windows 2000 and later
- PPTP
  - Least secure VPN type
  - Does not support the use of certificate-based authentication
  - Arguably the most deployed VPN type
  - Works in Windows 2000 and later


VPN Authentication Mechanisms


- Password-based options
  - EAP/PEAP-MS-CHAPv2 (Protected/Extensible Authentication Protocol)
  - PEAP/PEAP-TLS (Protected Extensible Authentication Protocol-Transport Layer Security)
  - MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol)
  - CHAP (Challenge Authentication Protocol)
  - PAP (Password Authentication Protocol)
- VPN connections can also be authenticated using smart cards or pre-installed certificates


Password-Based Authentication Mechanisms


- EAP/PEAP-MS-CHAPv2
  - Most secure of the password-based options
  - Requires a computer certificate on the VPN server
  - No client certificate is necessary
- PEAP/PEAP-TLS
  - Requires a computer certificate on the VPN server
  - Clients authenticate using certificates
- MS-CHAPv2
  - A simple password-based authentication protocol



- CHAP
  - Not supported under Windows Server 2008's remote access services, but is enabled in Windows 7 clients
  - Used as a fallback when more secure options are not available
- PAP
  - Least secure
  - Not supported under Windows Server 2008's remote access services
  - Not enabled in Windows 7 clients
    - Can be enabled if necessary


Windows 7 VPN Connections


VPN Reconnect
- VPN Reconnect is a brand new feature in Windows 7 intended to allow for a more stable remote experience
- As users lose network connections or move to other connections (for example, between Wi-Fi hotspots), VPN Reconnect automatically reconnects the user to the VPN connection
- Network connectivity can be lost for as long as 8 hours

Globomantics has established a Windows Server 2008 R2-based remote access server
- Your job is to create a VPN connection from a client and explore the possible options


What We Covered
- DirectAccess features
- DirectAccess server requirements
- Configuring DirectAccess client side
- Understanding DirectAccess connection types
- DirectAccess client requirements
- Enabling VPN-based remote access
- VPN authentication mechanisms
- Password-based authentication mechanisms
- Windows 7 VPN connections


My Favorite Supporting Resources


1. Teredo tunneling
   http://en.wikipedia.org/wiki/Teredo_tunneling
2. DirectAccess Technical Overview for Windows 7 and Windows Server 2008 R2
   http://technet.microsoft.com/en-us/library/dd637827(WS.10).aspx
3. 10 things you should know about DirectAccess
   http://blogs.techrepublic.com.com/10things/?p=1371
4. Group Policy Management Console and Editor (DirectAccess)
   http://technet.microsoft.com/en-us/library/ee624060(WS.10).aspx

Managing BranchCache

Windows 7 Administration Training


Instructor: Scott Lowe

Managing BranchCache Windows 7 Administration Training

In This Lesson:
- Understanding BranchCache
- Requirements
- BranchCache operating modes
- About local cache mode
- BranchCache operational diagram
- Managing BranchCache with Group Policy
- Managing BranchCache with Netsh
- Monitoring BranchCache


Scenario
- Globomantics has a number of small regional offices with relatively slow connections to the Internet
- Corporate IT has become concerned with ever-increasing bandwidth costs related to constant communication with headquarters
- The Globomantics CIO has decided that all smaller regional sites will use Distributed Mode BranchCache (the mode covered in this lesson)
- Larger regional offices will eventually use Hosted Mode

Business need
- Increase employee productivity by reducing the time it takes to download items
- Reduce bandwidth costs by caching content locally


Understanding BranchCache
- BranchCache is new to Windows 7 and Windows Server 2008 R2
  - Does not work at all on older versions of Windows
- The feature caches remote content on local computers and
  - Speeds up access to information
  - Reduces bandwidth costs
  - Lowers TCO
  - Increases efficiency
- Transparent to the end user
  - Automatically activates when the latency to a file hosting server exceeds 80 ms (definable via Group Policy)
  - Has been described as a "black box"


Requirements
A working, configured BranchCache server
- Windows Server 2008 R2 Enterprise or Datacenter
- Beyond the scope of this course to cover server side deployment
- See My Favorite Supporting Resources slide for more information

Client
- Windows 7 Enterprise or Ultimate


BranchCache Operating Modes


Hosted Cache mode
- Uses a BranchCache-enabled server at a remote location to cache content from a central site
- Clients at the remote site obtain their content from this caching server
  - Only if that server has the content
  - Otherwise, content is acquired from the original server

Distributed Cache mode
- Ideal for small offices
  - General Microsoft guidance indicates this as a site with fewer than 50 people
- Negates the need for a dedicated branch server
- Each Windows 7 client maintains its own cache and other clients request the data via network broadcasts


About Local Cache Mode


There is a third BranchCache operating mode
- Local cache mode
  - When enabled, the local client caches the files
  - These files are used only by the local client
  - None of the cached information is shared with other systems


Managing BranchCache with Group Policy


Computer Configuration > Administrative Templates > Network > BranchCache

Required firewall changes
- Inbound & outbound TCP port 80
- Distributed mode: Inbound & outbound UDP port 3702
- Hosted mode: Outbound TCP port 443
- We cover firewall rules creation in the lesson entitled Protecting Windows 7


Managing BranchCache with Group Policy


Disk space
- Default: BranchCache uses up to 5% of available disk space
- Policy name: Set Percentage of Disk Space Used For Client Computer Cache

Latency
- Default: 80 milliseconds
- Policy name: Configure BranchCache for Network Files

Group Policy configured items trump netsh configured items


Managing BranchCache with Netsh


Netsh branchcache set service mode=distributed
- Enables BranchCache in distributed mode
- Firewall rules are automatically created

Other mode options
- Local (Netsh branchcache set service mode=local)
- Hosted client (Netsh branchcache set service mode=hostedclient location=gm-file.globomantics.com)
- Hosted server (Netsh branchcache set service mode=hostedserver clientauthentication=domain)

Netsh branchcache show status
- Shows the current status of the BranchCache service


Managing BranchCache with Netsh


Netsh branchcache set cachesize size=30 percent=true
- Allows BranchCache to use up to 30% of total disk space for caching

Netsh branchcache show localcache
- Shows the contents of the local BranchCache cache

Netsh branchcache smb set latency 1000
- Sets the latency value at 1000 milliseconds


Monitoring BranchCache
- Netsh branchcache show status all
- Performance monitor counters
  - Windows 7 includes more than twenty BranchCache related counters
  - Performance Monitor is covered in the lesson entitled Monitoring and Maintaining Windows 7


What We Covered
- Understanding BranchCache
- Client side requirements
- BranchCache operating modes
- About local cache mode
- BranchCache operational diagram
- Managing BranchCache with Group Policy
- Managing BranchCache with Netsh
- Monitoring BranchCache


My Favorite Supporting Resources


1. BranchCache Deployment Guide for Windows Server 2008 R2 and Windows 7
   http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=4b14f942-b488-4f51-99e1-c4c8834b750e
2. BranchCache: Helping You Save on WAN Bandwidth Consumption at Branch Offices
   http://technet.microsoft.com/en-us/ff607489.aspx


Monitoring and Maintaining Windows 7


Windows 7 Administration Training
Instructor: Scott Lowe

Monitoring and Maintaining Windows 7 Windows 7 Administration Training

In This Lesson:
- Performance Information and Tools utility
- Event logging
- Centralizing event logs
- Using Performance Monitor
- Data Collector Sets
- Creating a new Data Collector Set
- Task Manager
- Resource Monitor
- Reliability Monitor
- A sample WMI script


Scenario
- Monitoring the infrastructure for problems is a major component of a technology architecture
- You've been asked to understand desktop performance monitoring to keep users operating at peak productivity and keep potential minor security events from becoming big ones

Business need
- Event monitoring provides early identification for what could become larger security or performance problems
- Performance monitoring helps identify what steps need to be taken to keep Globomantics operating at a high level


Performance Information and Tools


Windows Experience Index
- Creates a metric based on the hardware and software capabilities for each listed component
- The system base score is determined by the lowest subscore
- More detailed information can be gathered


Event Logging
- Commonly used to gain in-depth knowledge about what is creating a system problem
- Most Windows programs are designed to write detailed information into the Windows event logs
- Windows logs
  - Application
  - Security
  - Setup
  - System
  - Forwarded events
- Other application and service logs


Event Logging
Filtering logs and creating views
- View only Critical event types
- Create a view that logs only Critical events
- Globomantics will create this log view on every desktop PC to aid in future troubleshooting efforts

Saving/exporting log files
- A user is experiencing an intermittent hardware problem
- You will export the contents of the user's event logs to a file so that you can examine them on your own machine and the user can continue working


Centralizing Event Logs


Not all problems are limited to a single computer
- Aggregating log files may help to identify broader issues, such as network, DHCP or DNS issues, among other items

Globomantics will aggregate critical desktop log events on the server named GM-DC
- Enable WinRM on all systems (winrm quickconfig)
- On GM-DC (collector), execute the command wecutil qc
  - WECutil = Windows Event Collector tool
- Enable the ForwardedEvents channel
- Start the Windows Event Collector service
- Add the computer account for GM-DC to the local Administrators group on each desktop


Centralizing Event Logs


On the Collector machine (GM-DC)
- Create a subscription
- Choose subscription parameters, including
  - Computers from which events should be pulled
  - Event/source types to forward
  - Severity types to forward
  - Date/time range
  - Log to which events should be written
- Note: Events are copied to the collector machine; they also remain local
- View event collection status to verify operation
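
The subscription steps above can also be scripted with wecutil instead of the Event Viewer GUI. The following PowerShell is an added example, not part of the original course material; the desktop names and the subscription name are hypothetical placeholders, and it assumes each desktop has already run winrm quickconfig and granted the GM-DC computer account access as described above.

```powershell
# Added example (not from the course): collector-initiated subscription that
# pulls Critical events from desktops into ForwardedEvents on the collector.
# Run from an elevated PowerShell prompt on GM-DC.
# Hypothetical values: the subscription name and the desktop names.

$subscriptionId = 'GM-Desktop-Critical'
$desktops       = @('GM-PC01.globomantics.com', 'GM-PC02.globomantics.com')

# Prepare the collector: configures and starts the Windows Event Collector service.
wecutil qc /q

# One <EventSource> element per desktop to pull events from.
$eventSources = ($desktops | ForEach-Object {
    '    <EventSource Enabled="true"><Address>{0}</Address></EventSource>' -f $_
}) -join "`r`n"

# Level=1 is "Critical". The query covers the Application and System logs.
# CredentialsType Default means the collector connects as its own computer account.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionId</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Critical events from Globomantics desktops</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0">
        <Select Path="Application">*[System[(Level=1)]]</Select>
        <Select Path="System">*[System[(Level=1)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <EventSources>
$eventSources
  </EventSources>
  <CredentialsType>Default</CredentialsType>
</Subscription>
"@

# Write the definition to disk and create the subscription from it.
$xmlPath = Join-Path $env:TEMP "$subscriptionId.xml"
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding ASCII

wecutil cs $xmlPath
if ($LASTEXITCODE -ne 0) {
    throw "wecutil cs failed with exit code $LASTEXITCODE"
}

# "View event collection status": per-source runtime status of the subscription.
wecutil gr $subscriptionId

# Show the most recent forwarded events, if any have arrived yet.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, LevelDisplayName, Id, ProviderName
```

For reading event logs alone, membership of the collector's account in each desktop's built-in Event Log Readers group is a narrower grant than local Administrators.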


Using Performance Monitor


- Used to visually monitor any variety of Windows performance counters, event trace data and configuration information
  - Performance counters measure system state and activity
  - Event trace data is collected from trace providers
    - Operating system or application components that report actions or events
  - Configuration information is collected from values stored in the registry
- Can be used to view data in real time or save information to a log file for future viewing
- Useful for tracking down errant software


Using Performance Monitor


Performance counter permissions
- Regular users
  - Can view only historical information
  - Cannot manipulate Data Collector Sets
  - Cannot view real-time information
- Members of the Performance Monitor Users group
  - Can view both historical and real-time information
  - Cannot manipulate Data Collector Sets
- Members of the Performance Log Users group
  - Can view both historical and real-time performance information
  - Can manipulate Data Collector Sets


Using Performance Monitor


- Globomantics needs to track down software or software combinations that might be creating adverse disk performance
- Create a performance view that includes the following counters to see how disks are performing
  - PhysicalDisk: Disk Read Bytes/sec
  - PhysicalDisk: Disk Reads/sec
  - PhysicalDisk: Disk Write Bytes/sec
  - PhysicalDisk: Disk Writes/sec
  - PhysicalDisk: Disk Queue Length


Data Collector Sets


- Performance Monitor views that have been exported
- Brings together multiple data collection items into single reports that can be used to review system performance
- Collector types
  - Performance Counter Data Collector: Collect historical performance counter-related system statistics
  - Event Trace Data Collector: Collect event-related information
  - Configuration Data Collector: Information from the system registry
  - Performance Counter Alert: A specific performance counter condition is met


Data Collector Sets


Data sets included in Windows 7
- System Performance
  - Use to troubleshoot a system that is not performing well
  - Disk
  - Network
  - RAM
  - Processor
- System Diagnostics
  - Use to troubleshoot an unreliable system
  - All of the stats gathered by the System Performance data collector set
  - Additional system information related to reliability


Data Collector Sets


- Use a built-in Data Collector Set to determine which files are having the most impact on disk performance and correlate these files with a running process
- Modify the System Performance Data Collector Set to run for five minutes and to run daily at 3:00 PM


Creating a New Data Collector Set


- Simply watching disk performance in real time could be a laborious task and the intermittent issue may not surface
- Globomantics will create a new Data Collector Set that watches and logs the same disk counters we looked at previously
  - PhysicalDisk: Disk Read Bytes/sec
  - PhysicalDisk: Disk Reads/sec
  - PhysicalDisk: Disk Write Bytes/sec
  - PhysicalDisk: Disk Writes/sec
  - PhysicalDisk: Disk Queue Length
- Base the Data Collector Set on an existing Performance Monitor set


Task Manager
Provides information about
- Running applications, processes and services
  - Can kill running applications and misbehaving processes as well as start and stop services
- CPU usage overall and by core
- RAM usage
- Network utilization
- Currently logged in users

Arguably the most used monitoring tool in Windows


Resource Monitor
- Resource Monitor is relatively new to Windows, but adds a huge punch to the monitoring arsenal
- Quickly access at-a-glance system statistics and associate processes with specific system characteristics
- Ascertain which processes are actively using the disk or network
  - What exact iexplore.exe process is using major bandwidth?
- Globomantics will use the Resource Monitor to determine file and process associations


Reliability Monitor
- A new tool in Windows 7 available via the Control Panel's Action Center
- Divines a stability index as a value from 1 to 10 that describes system performance as a function of reliability
- Provides administrators with at-a-glance information that can help to correlate system stability issues with new updates, software installations and other system events
- Use Reliability Monitor to attempt to find a root cause for ongoing stability issues reported by a Globomantics user


A Sample WMI Script


- GUIs are good for gathering information from a single system
- If you want to gather information from other systems, consider writing a script to gather information using Windows Management Instrumentation
- Globomantics will write a script that help desk technicians can use to gather basic system information, including
  - System name
  - Total virtual memory
  - Available memory
  - Operating system version and service pack level
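
One way a help desk script could collect the four items listed above, written in PowerShell with Get-WmiObject. This is an added example, not the script used in the course; the function name and the sample computer names are hypothetical, and "available memory" is taken to mean the FreePhysicalMemory property of Win32_OperatingSystem.

```powershell
# Added example (not from the course): gather basic system information over WMI.
# Get-WmiObject ships with PowerShell 2.0, which is built into Windows 7.
# Remote queries use DCOM/RPC and need administrative rights on the target,
# plus the Windows Firewall exception for Windows Management Instrumentation.

function Get-BasicSystemInfo {
    param(
        # Computers to query; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($computer in $ComputerName) {
        try {
            $os = Get-WmiObject -Class Win32_OperatingSystem `
                                -ComputerName $computer -ErrorAction Stop

            # WMI reports memory sizes in kilobytes; convert to megabytes.
            $info = New-Object PSObject -Property @{
                SystemName           = $os.CSName
                TotalVirtualMemoryMB = [math]::Round($os.TotalVirtualMemorySize / 1KB)
                AvailableMemoryMB    = [math]::Round($os.FreePhysicalMemory / 1KB)
                OperatingSystem      = $os.Caption
                Version              = $os.Version
                ServicePack          = '{0}.{1}' -f $os.ServicePackMajorVersion,
                                                    $os.ServicePackMinorVersion
                Status               = 'OK'
            }
        }
        catch {
            # Unreachable or access-denied hosts still produce a row, so the
            # technician can see which machines were not inventoried and why.
            $info = New-Object PSObject -Property @{
                SystemName           = $computer
                TotalVirtualMemoryMB = $null
                AvailableMemoryMB    = $null
                OperatingSystem      = $null
                Version              = $null
                ServicePack          = $null
                Status               = "Failed: $($_.Exception.Message)"
            }
        }

        # Hashtable-built objects have no fixed property order in PowerShell 2.0,
        # so select the columns explicitly.
        $info | Select-Object SystemName, TotalVirtualMemoryMB, AvailableMemoryMB,
                              OperatingSystem, Version, ServicePack, Status
    }
}

# Local machine:
Get-BasicSystemInfo | Format-List

# Several desktops at once (hypothetical names), saved for the help desk ticket:
# Get-BasicSystemInfo -ComputerName 'GM-PC01', 'GM-PC02' |
#     Export-Csv -Path .\system-info.csv -NoTypeInformation
```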


What We Covered

- Event logging
- Centralizing event logs
- Using Performance Monitor
- Data Collector Sets
- Creating a new Data Collector Set
- Task Manager
- Resource Monitor
- Reliability Monitor
- A sample WMI script


My Favorite Supporting Resources


1. Windows Performance Analysis Developer Center
   http://msdn.microsoft.com/en-us/performance/default.aspx
2. Windows Management Instrumentation (WMI) scripting guide
   http://msdn.microsoft.com/en-us/library/Aa286547


Configuring Performance Settings


Windows 7 Administration Training
Instructor: Scott Lowe

Configuring Performance Settings Windows 7 Administration Training

In This Lesson:
- Changing graphics settings
- Configuring virtual memory
- Understanding write caching
- Optimizing processes with Task Manager
- Managing processor scheduling settings
- Optimizing services
- Using msconfig to boost performance


Scenario
- A high performance organization, Globomantics demands top performing computing hardware
- Just as not maximizing a sale is leaving money on the table, not optimizing hardware has a similar result: lost money due to inefficiency

Business need
- Maximize computing resources to maximize ROI on the computing investment


Changing Graphics Settings


- Windows Aero is visually stunning, but can require significant system resources, particularly for lower-end or borderline systems
- Selectively disable Aero features or disable Aero altogether to improve overall system performance
- Globomantics has a two year old system that they'd like to keep in production, but the system is having trouble keeping up with the user's demand
- By disabling Aero, you may be able to extend the life of that PC investment and save the company money


Configuring Virtual Memory


- Systems have only so much RAM
- As programs and services begin to consume all available memory, Windows uses temporary storage called a paging file
- A paging file consists of a file on each hard disk
- Information is automatically moved between RAM and the paging file as necessary, freeing up RAM for system needs
  - RAM = extremely fast data access and retrieval
  - Paging file = Relatively very slow access and retrieval


Configuring Virtual Memory


- Running low on memory has a major impact on system performance as the system begins paging
- As users begin to receive virtual memory-related error messages, this is an indication that the system needs more RAM or you need to increase the size of the paging file
  - More RAM is always the preferred option
- Windows generally does a very good job managing the size of the paging file
- The users in the Globomantics Marketing department have been complaining about virtual memory errors for particularly large projects
  - New computers are on order for this department
  - For now, simply increase the size of the paging file


Understanding Write Caching


- When a system's hard drive is busy, information intended to be written can be saved in a high-speed cache
- Once the hard drive is available, cached information is written to the disk
- Keeps the user working while the system handles the technicalities
- Can result in data loss if system power is interrupted or if the storage device is removed before the cache is cleared
- Device properties page for the system hard drive
  - Enable write caching on the device
  - Turn off Windows write-cache buffer flushing on the device
- Globomantics uses USB-connected batteries on all desktops so make sure that write caching is enabled


Understanding Write Caching


Removable devices (for example, flash drives) have similar options available on the drive's Device Manager page

Removal Policy
- Quick removal (default)
  - Device uses write-through caching
  - The device can be simply removed
- Better performance
  - Write caching and buffering are enabled
  - Need to use Safely Remove Hardware to remove device

A user accidentally configured a USB device for Better performance and has been losing information


Optimizing Processes with Task Manager


Understanding process affinity
- Choose the processor/core on which to run a particular process
- Globomantics will run DVD burning software, a sometimes CPU intensive task, on a specific core

Understanding process priority
- Provide a process with a modified priority level
- Marketing wants to make sure that their hefty PowerPoint presentations don't have major contention with other system resources
- You will set the PowerPoint priority level to AboveNormal
- Don't set too many processes to High or Realtime


Managing Processor Scheduling Settings


- By default, Windows 7 is configured to favor programs over background services when it comes to scheduling processor time
- You can change this setting if you have a desktop machine that handles more background services than programs
- Globomantics has a desktop PC that will be used for backup purposes
  - Set this PC's processor scheduling to favor background services


Optimizing Services
- Windows 7 ships with a core set of enabled and running services
- Every service
  - Uses system resources such as RAM and processor
  - Opens an additional system attack vector
- Not all services are necessary in order for users to do their jobs
- Disable or set to Manual services not needed by users
  - In general, Manual is a safe choice
- The Windows Media Player Network Sharing Service should never be used by Globomantics employees and will be disabled


Using Msconfig to Boost Performance


- Although it's better to uninstall software you don't want, you can disable software that starts up with the system using the msconfig tool
- Msconfig is also a great troubleshooting tool
- Globomantics will use Msconfig to verify that only absolutely necessary startup items load at boot time


What We Covered

- Changing graphics settings
- Configuring virtual memory
- Understanding write caching
- Optimizing processes with Task Manager
- Managing processor scheduling settings
- Optimizing services
- Using msconfig to boost performance

Configuring Backup and Recovery


Windows 7 Administration Training
Instructor: Scott Lowe

Configuring Backup and Recovery Windows 7 Administration Training

In This Lesson:
- Windows 7's backup and restore utility
- Configuring Windows Backup
- Restoring files from a backup
- Creating and restoring system images
- Creating a system repair disk
- Creating and using system restore points
- Previous versions
- Understanding advanced boot options
- Understanding Last Known Good Configuration


Scenario
- Globomantics regional offices sit in areas prone to earthquakes, tornados, and hurricanes
- You need to make sure that the company is ready to quickly recover should the unthinkable happen
- Some business desktops hold critical company information and are key to business processes

Business need
- Backups remain a key component of a recovery plan
- Automating this process keeps costs at a reasonable level
- Testing backups by recovering data is a good best practice


Windows 7's Backup and Restore Utility


- Windows 7 includes a utility capable of backing up and restoring files, folders and even a full image of the computer
- You can back up to a number of destinations, including
  - Internal hard drives
  - External hard drives
  - Network locations
  - USB flash drives
  - Writeable CDs and DVDs
- There are significant pros and cons to all of the options


Windows 7's Backup and Restore Utility


Internal hard drives
- Pros
  - Cheap storage with lots of space
  - Secure since they're in the chassis
  - Very fast
- Cons
  - Not separate from the computer itself
  - Installation requires some technical knowledge


Windows 7's Backup and Restore Utility


External hard drives
- Pros
  - Also very cheap with a lot of space
  - Easy to connect
  - Easy to keep separate from the computer
- Cons
  - "Out of sight, out of mind"


Windows 7's Backup and Restore Utility


Network locations
- Pros
  - Extremely convenient
  - Easy to add additional server storage space
- Cons
  - Can be slow if the network isn't up to snuff
  - Available only in Windows 7 Professional, Enterprise and Ultimate
  - User rights to storage location must be Full Control for both the share and for NTFS


Windows 7's Backup and Restore Utility


USB flash drives
- Pros
  - Easy to install
  - Ubiquitous; it's easy to find flash drives
  - You can store the backups separately from the computer
- Cons
  - USB flash drives don't support all backup use cases, such as system image backups
  - USB flash drives don't scale well; eventually, your backup needs will outgrow available space


Windows 7's Backup and Restore Utility


Writeable CDs and DVDs
- Pros
  - CD/DVD burners are readily available in most new systems
  - Media is very inexpensive
  - You can store the backups separately from the computer
- Cons
  - Not flexible; can't save system images to CD/DVD
  - You may need several discs to perform a full backup


Windows 7's Backup and Restore Utility


Cannot back up to
- Volumes not formatted as NTFS, FAT or UDF
- The drive being backed up
- The Windows volume
- A recovery partition
- A locked BitLocker partition
- Tape


Configuring Windows Backup


Globomantics will schedule a file/folder backup (Let Windows choose) that runs on the default schedule

Steps
- Choose a location to which to store backups
- Choose what to back up
  - Let Windows choose
    - Backs up files saved in libraries, stored on the desktop and in default Windows folders for all user accounts
    - Only local files are included, even if remote files are included in a local library
    - If there is space at the destination, Windows includes a system image


Configuring Windows Backup


- Let me choose
  - You get to decide exactly what gets backed up
- Decide on a backup schedule
  - Default is to run the backup every Sunday at 7PM
  - Can be configured to run daily, weekly or monthly
  - Can be configured to not recur; i.e. configure the backup job to run one time and back up the system
- Review settings
- Await backup completion
- Monitoring backup status


Restoring Files from a Backup


- Individual files and folders can be restored from a backup
  - You can restore objects to their original location; this will overwrite the current copy
  - You can restore objects to a different location; this will preserve both copies of the object
- The POS system operator has indicated that she's lost an important spreadsheet and wants you to see if you can restore it from a system backup using the backup utility
- The other POS operator (Steve Smith) has been having strange problems that seem to be related to user profile corruption
  - Restore Steve's user profile from backup


Creating and Restoring System Images


- A Windows 7 system image is basically a snapshot of one of the volumes in a system (allows a bare metal restore)
- It includes everything needed for Windows to run
- Includes system settings, personal files and programs
- Can't be scheduled to run on a periodic basis with the GUI
- Stored as a VHD file (usable in Virtual PC)
- Does not allow restoration of individual files; it's all or nothing
- Globomantics will use this feature to back up and test restore a Windows 7-based point of sale system on a scheduled basis
  - Use the wbadmin utility to schedule
  - You will also use the bcdedit utility to convert the VHD system image file into a bootable device


Creating a System Repair Disk


- Sometimes, a system becomes completely unbootable
- A system repair disk can be used to boot a computer when this happens
- You can also use a system repair disk to restore a computer from a system image
- You will create a system repair disk for the Globomantics POS system


Creating and Using System Restore Points


- System restore points contain critical system information, such as registry information
- Among other times, restore points are created
  - When new software is installed
  - When Windows Update installs new updates
  - When new drivers are installed that are not digitally signed by Windows Hardware Quality Labs
  - Upon request by the user
- Windows automatically deletes the oldest restore point in order to make room for the newest


Creating and Using System Restore Points


- This is not a full system restore
  - Only system files and the registry are manipulated
  - User files are not touched
- System Restore Point notes
  - Restore points created from within Safe Mode cannot be undone
  - NTFS required due to use of shadow copies (discussed later)
- Globomantics will create a system restore point on the aforementioned POS system right before a hardware upgrade
- You will explore the System Protection configuration tool


Previous Versions
- Windows 7 includes the ability to restore individual files and folders right from the Explorer interface
- Files included in both backups and restore points can often be rolled back to previous versions
- This Previous Versions capability uses Shadow Copies; shadow copies of files are automatically created by Windows
- These provide you with some powerful restore options
- If you're careful, you can even recover files that have been accidentally deleted
- The Globomantics POS operator deleted a file and wants you to see if you can get it back using the Previous Versions feature


Understanding Advanced Boot Options


- Safe Mode
- Safe Mode with Networking
- Safe Mode with Command Prompt
- Enable Boot Logging
- Enable low-resolution video (640x480)
- Last Known Good Configuration (advanced)
- Directory Services Restore Mode
- Debugging Mode (discussed previously)
- Disable automatic restart on system failure
- Disable Driver Signature Enforcement


Understanding Last Known Good Configuration


- This is often considered a last ditch effort to get a system back to working order after a system failure
- This boot option uses a configuration set that Windows knows allowed the system to boot at some point in the past
- The registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet is used
- The key named ControlSet001 becomes CurrentControlSet after a successful boot
- Once this happens, you can't go back
- There's not a lot to do around this except to understand how it works, so let's take a look at the registry
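
A read-only way to take that look at the registry from PowerShell. This is an added example, not part of the original course; the function name is hypothetical. It reads HKEY_LOCAL_MACHINE\SYSTEM\Select, the key whose values record which numbered ControlSetNNN key is current, which is the default, which last failed and which is the Last Known Good set.

```powershell
# Added example (not from the course): show which numbered control set plays
# which role. Only reads the registry; nothing is modified.

function Get-ControlSetMap {
    # HKLM\SYSTEM\Select holds four DWORD values. Each one is the number of a
    # ControlSetNNN key under HKLM\SYSTEM (0 means "none recorded").
    $select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'

    foreach ($role in 'Current', 'Default', 'Failed', 'LastKnownGood') {
        $number = [int]$select.$role

        if ($number -eq 0) {
            $keyName = '(none)'
            $exists  = $false
        }
        else {
            # 1 -> ControlSet001, 2 -> ControlSet002, ...
            $keyName = 'ControlSet{0:D3}' -f $number
            $exists  = Test-Path -Path ("HKLM:\SYSTEM\{0}" -f $keyName)
        }

        New-Object PSObject -Property @{
            Role      = $role
            Number    = $number
            Key       = $keyName
            KeyExists = $exists
        } | Select-Object Role, Number, Key, KeyExists
    }
}

Get-ControlSetMap | Format-Table -AutoSize

# The numbered control sets actually present on this machine, for comparison:
Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -like 'ControlSet*' } |
    Select-Object -ExpandProperty PSChildName
```

Comparing the Current and LastKnownGood rows shows which set the Last Known Good Configuration boot option would load instead of the one in use.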


What We Covered
- Windows 7's backup and restore utility
- Configuring Windows Backup
- Restoring files from a backup
- Creating and restoring system images
- Creating a system repair disk
- Creating and using system restore points
- Previous versions
- Understanding advanced boot options
- Understanding Last Known Good Configuration

Preparing for TS: Windows 7, Configuring (70-680)


Windows 7 Administration Training
Instructor: Scott Lowe


An Overview of Exam 70-680


- Remember the exact steps taken to perform specific tasks
- Understand multiple ways for achieving the same goal
  - GUI-based methods
  - Command line-based methods
- Everything you learned in this course must combine with all of your own experience and exam preparation study if you want to pass
- Don't expect to watch the videos and then walk into the exam!
- Real-life, even lab-based, experience is essential for success
- Microsoft's exams are not easy


The Candidate Profile


Candidates should be able to install, deploy, and upgrade to Windows 7, including ensuring hardware and software compatibility. Additionally, candidates should be able to configure pre-installation and post-installation system settings, Windows security features, network connectivity applications included with Windows 7, and mobile computing. Candidates should also be able to maintain systems, including monitoring for and resolving performance and reliability issues. Candidates should have a basic understanding of Windows PowerShell syntax.


The Candidate Profile


- Don't let the profile scare you
- You may not yet have all of the knowledge and working experience under your belt
- Between this course, your personal prep work, lab practice and, hopefully, real-world experience you have with Windows 7, you can pass this exam


Skills Being Measured


The exam measures your ability to accomplish the technical tasks below:

- Installing, Upgrading, and Migrating to Windows 7 (14%)
- Deploying Windows 7 (13%)
- Configuring Hardware and Applications (14%)
- Configuring Network Connectivity (14%)
- Configuring Access to Resources (13%)
- Configuring Mobile Computing (10%)
- Monitoring and Maintaining Windows 7 Systems (11%)
- Configuring Backup and Recovery Options (11%)

The percentages indicate the relative weight of each major topic area on the exam.


Objective/Lesson Mapping
| Objective | Weight | Lessons |
|---|---|---|
| Installing, Upgrading, and Migrating to Windows 7 | 14% | An Introduction to Windows 7; Installing Windows 7 |
| Deploying Windows 7 | 13% | Deploying Windows 7 Machines |
| Configuring Hardware and Applications | 14% | Configuring Hardware in Windows 7; Understanding Windows 7 Storage; Managing applications; Managing Internet Explorer |
| Configuring Network Connectivity | 14% | Configuring Networking in Windows 7; Protecting Windows 7 |
| Configuring Access to Resources | 13% | Shared access to resources; Configure file and folder access; Protecting Windows 7; Managing BranchCache |
| Configuring Mobile Computing | 10% | Using DirectAccess and VPN connections; Configure file and folder access; Managing Mobility Options; Protecting Windows 7 |
| Monitoring and Maintaining Windows 7 Systems | 11% | Monitoring and maintaining Windows; Configure performance settings; Protecting client computers with Windows updates; Understanding Windows 7 storage |
| Configuring Backup and Recovery Options | 11% | Configuring Backup and Recovery |


Personal Study Recommendations


To prepare for this exam, I recommend the following:

- Watch and study this course
- Use the Transcender test prep software included with this course
- Explore all topics in greater detail using Microsoft resources such as TechNet
- If possible, build a small home lab and get as much hands-on experience as possible

What not to do:

- Do not attempt to locate exam questions and answers online in the form of brain dumps


General Exam Prep Advice


- Schedule your exam
  - It will motivate you to move ahead and study
- Practice, practice, practice
- Don't pull all-nighters when exam time rolls around
- Make sure you don't forget your ID on exam day
- Eat, sleep and don't rush


Credit Toward Certification


This exam is strictly focused on the configuration aspect of Windows 7 and is one exam included in the following client certification paths:

- MCTS: Windows 7, Configuration
- MCITP: Enterprise Desktop Support Technician 7
  - Pro: Windows 7, Enterprise Desktop Support Technician (70-685)
- MCITP: Enterprise Desktop Administrator 7
  - Pro: Windows 7, Enterprise Desktop Administrator (70-686)


Credit Toward Certification


70-680 is also included in the following server certification paths:

- MCITP: Enterprise Administrator
  - TS: Windows Server 2008 Active Directory, Configuring (70-640)
  - TS: Windows Server 2008 Network Infrastructure, Configuring (70-642)
  - TS: Windows Server 2008 Applications Infrastructure, Configuring (70-643)
  - Pro: Windows Server 2008, Enterprise Administrator (70-647)

Next Steps

Windows 7 Administration Training


Instructor: Scott Lowe


Where You Started


- Globomantics was running mostly Windows XP with some Windows Vista thrown in, with no plans to move to Windows 7
- The company was recovering from a major security breach
- Globomantics' increasingly mobile sales force was challenged when on the road due to difficulty in connecting to the office
- Some users were having performance problems with the Windows Vista desktops
- The company was convinced that Windows 7 was a non-starter due to software compatibility issues with their finance tool
- Files were not always synchronized between HQ and the large regional office file server in a timely manner
- Bandwidth costs were rising as traffic between the large office and HQ grew


Course Building Blocks


- Section 1: Getting started with Windows 7 features, deployment and configuration
- Section 2: Managing Windows 7 mobility and security
- Section 3: Configuring and managing applications and shared resources
- Section 4: Maintaining Windows 7


What You've Accomplished


- You've now completed the Windows 7 pilot deployment project for Globomantics!
- You've learned how to secure the organization from outside attack and prevent issues that could cause the company further embarrassment
- You've learned how to manage Windows 7 to achieve the highest possible effectiveness, highest possible ROI and lowest possible TCO
- You've enabled the Globomantics mobile sales force to stay on the road while they stay well connected with the office
- You've learned how to leverage Windows 7's brand new features and integrate them into Globomantics operations


Your Road Ahead


- Review the course areas where you still feel a little fuzzy
- Take a practice certification exam
- Join the community for supplemental information
  - There are many Windows 7-focused resources (TechNet) where you can expand your Windows 7 knowledge by reading other people's questions
- Get hands-on practice (can't stress this enough)
- Keep the course as reference material for when you run into future problems


Your Road Ahead


- Consider social media feeds like Twitter and follow people you find knowledgeable in Windows 7
- Use the included Transcender lessons
  - How to Use Transcender to Prepare for a Certification Exam
  - Redeeming your Transcender
    - How to redeem your Transcender voucher
    - How to download and install the software
- Watch my lesson on preparing for the 70-680 exam


My Favorite Supporting Resources


1. My favorite Windows 7 sites
   - Microsoft's Springboard Series for Windows 7: http://technet.microsoft.com/en-us/windows/dd361745.aspx?ITPID=carepgm
   - The Windows Team blog: http://windowsteamblog.com/
   - Windows 7 Technical Library: http://technet.microsoft.com/en-us/library/dd349342(WS.10).aspx
   - Petri IT Knowledgebase, Windows 7: http://www.petri.co.il/windows-7.htm


We Value Your Opinion


There are many ways to reach us:

- Call us at 1-888-229-5055 (worldwide: 1-847-776-8800)
- Email us at feedback@trainsignal.com
- Post in our forums at http://forums.trainsignal.com
- Comment on our blogs at http://www.trainsignaltraining.com


Thank You and Good Luck!


- Thank you for watching this course!
- I hope that you've enjoyed watching it as much as I've enjoyed creating it
- Now, go forth and study, study, study and pass that 70-680 exam!
