Administration Training
In This Lesson:
- What we're building
- About your instructor
- About the course
- Before you begin
- How to use the course
Lab Setup
In This Lesson:
- Globomantics corporate network
- Globomantics locations
- Headquarters network details
- Large regional office network details
- Small regional office network details
- Globomantics network diagram (logical)
- Lab overview
- Lab network diagram (physical)
Globomantics Locations (map labels): Seattle, WA; Globomantics HQ; Germantown, MD; Dallas, TX; Miami, FL
Headquarters
- Headquarters server naming convention. Example: GM-File, the file server for HQ
- Network details for HQ:
  - IP address range: 172.16.5.1 to 172.16.5.254
  - Subnet mask: 255.255.255.0
  - Gateway: 172.16.5.254
  - DNS: 172.16.5.1
Globomantics network diagram (logical), labels recovered from the figure:
- Headquarters (firewall inside address 172.16.5.254):
  - GM-Remote: Globomantics remote access server, Windows 2008 R2, 172.16.5.2
  - GM-File: Globomantics file and print server, Windows 2008 R2, 172.16.5.3
  - GM-General: Globomantics general purpose server, Windows 2008 R2, 172.16.5.4
- Southwest Office (firewall inside address 172.16.6.254):
  - GM-SW-File: Southwest Office file server and DNS server, Windows 2008 R2, 172.16.6.1
- Northeast Office (firewall inside address 172.16.7.254)
- Client naming conventions at every site:
  - GM-7-XXX: Globomantics Windows 7 desktop naming convention, DHCP-assigned IP address
  - GM-7-M-XXX: Globomantics Windows 7 mobile naming convention, DHCP-assigned IP address
Lab Overview
For this course:
- The various servers and Windows 7 workstations used in this course run on a Windows Server 2008 R2 Datacenter machine under Hyper-V R2
- The Hyper-V R2 server is a Dell PowerEdge 2950 server with 32 GB RAM, 2 x quad-core Xeon processors and just under 1 TB of disk space (RAID 5)
- Each Globomantics site is connected on a separate network adapter in the Hyper-V R2 server
- Each network adapter is connected to an actual firewall and then to my lab/home network
Lab Overview
For this course:
- All servers are running Windows Server 2008 R2 RTM
- Each server has 1 GB of RAM assigned
- Windows Server 2008 R2 180-day trial software is available for download from http://www.microsoft.com/windowsserver2008/en/us/trialsoftware.aspx
- My lab goal: mimic as closely as possible a real-world multisite environment
Lab network diagram (physical), labels recovered from the figure:
- VMs on the Hyper-V R2 host (192.168.0.197):
  - HQ: GM-DC, GM-Remote, GM-File, GM-General, desktops
  - Large regional: GM-SW-File, desktops
  - Small regional: desktops
  - Other needs: mobile workers
- NIC1 172.16.5.253 -> firewall (inside 172.16.5.254, outside 192.168.10.5)
- NIC2 172.16.6.253 -> firewall (inside 172.16.6.254, outside 192.168.10.6)
- NIC3 172.16.7.253 -> firewall (inside 172.16.7.254, outside 192.168.10.7)
- NIC4 -> router 192.168.0.1 (mask 255.255.0.0) -> to Internet
In This Lesson:
- About Globomantics
- The Globomantics regulatory environment
- Recent security breach
- Globomantics cost structure
- Globomantics office locations
- Specific technology challenges
- Immediate needs
- Large regional office needs
- Small regional office needs
- Mobile worker needs
- Windows 7 project plan
About Globomantics
- Rapidly growing distributor of pharmaceuticals
- Sells direct to consumers via the Internet
- Sells to doctors' offices via mobile sales force
- Sells to pharmacies via mobile sales force
- Expanding mobile sales force
- Mobile workers need secure access to HQ
- Ease-of-use is critical
- Related Windows 7 technologies: DirectAccess, VPN, BranchCache, Location-aware printing, Power management
Immediate Needs
- Globomantics' quick growth has had a number of results:
  - A large desktop/laptop purchase supporting new employees is pending
  - Some new employees will work from their homes
- Related Windows 7 technologies: Automated deployment, DirectAccess, Location-aware printing
Introduction to Windows 7
Windows 7 Administration Training
Instructor: Scott Lowe
In This Lesson:
- Business objectives
- User interface enhancements
- BranchCache
- DirectAccess
- BitLocker and BitLocker To Go
- AppLocker
- Windows XP Mode
- Group Policy enhancements
- Improved power management
- 32-bit vs. 64-bit Windows 7
- Windows 7 editions comparison matrix
Scenario
- Windows 7 is the first version of Windows capable of unseating Windows XP as the corporate standard
- Globomantics sees major possibilities with Windows 7, and the CIO understands a lot of the appeal
- The company CIO wants to understand Windows 7's new security features and mobility capabilities, as well as simply understanding what's changed since older versions of Windows
Business Objectives
- Improve security in order to reassure customers that Globomantics takes their privacy seriously
- Improve employee productivity to increase sales and reduce expenses
- Contain rising communications infrastructure costs
- Maintain current, or close to current, levels of staffing in Information Technology
BranchCache
- New to Windows 7
- Requires Windows Server 2008 R2
- Expected business outcomes:
  - Allow Globomantics remote offices to cache HQ-based content on a local Windows Server 2008 R2 server or Windows 7 desktop
  - Reduce bandwidth costs
BranchCache diagram labels: GM-SW-File, Southwest Regional Office file server; GM-7-XXX, Globomantics Windows 7 desktop; Southwest Office; Northeast Office
DirectAccess
- New to Windows 7 and can replace traditional VPNs
- Requires Windows Server 2008 R2 as a host (GM-Remote)
- Expected business outcomes:
  - Remote and mobile workers enjoy seamless access to Globomantics HQ IT services
  - Globomantics can remotely install software updates to mobile worker computers and enforce policies
  - The ability to include remote computers in new policy updates improves regulatory compliance measures
AppLocker
- New in Windows 7
- Evolved from Software Restriction Policies
- Provides granular application control to help prevent execution of unauthorized software
- Expected business outcomes:
  - Improve overall security of the Globomantics desktop environment
  - Maintain high levels of productivity by denying use of unauthorized software and reducing malware infestations
Windows XP Mode
- New in Windows 7
- Leverages virtualization technology to ensure software compatibility
- Runs software inside a virtualized copy of Windows XP SP3, delivered to the Windows 7 desktop via RDP
- Expected business outcomes:
  - Globomantics' financial application will run under Windows 7 using Windows XP Mode
  - Migration to Windows 7 will be streamlined
Installing Windows 7
In This Lesson:
- Identifying Windows 7 requirements
- Upgrade and migration limitations
- Upgrading between Windows 7 editions
- Installing Windows 7
- Upgrading Windows Vista to Windows 7
- Dual booting Windows 7
- Migrating from Windows XP to Windows 7
- Migrating user profiles with Windows Easy Transfer
- User State Migration Tool
Scenario
- Windows 7 is the first version of Windows capable of unseating Windows XP as the corporate standard
- Globomantics sees major possibilities with Windows 7, and the CIO understands a lot of the appeal
- The company CIO wants to understand Windows 7's new security features and mobility capabilities, as well as simply understanding what's changed since older versions of Windows
- Globomantics pilot project:
  - Will use a combination of installations
  - Existing Vista machines will simply be upgraded to Windows 7 (apps already work)
  - Windows XP machines will dual boot with Windows 7
Windows 7 system requirements (table; same minimums listed for Home Basic, Home Premium, Professional, Enterprise and Ultimate):
- Processor: 1 GHz or faster minimum
- Memory: 32-bit: 1 GB or 64-bit: 2 GB
- Disk space: 32-bit: 16 GB or 64-bit: 20 GB
- Graphics: DirectX 9 graphics processor, or DirectX 9 graphics processor with WDDM (the table lists both entries)
Upgrades
Upgrades between Windows 7 editions (matrix; editions listed: Starter, Home Basic, Home Premium, Professional, Enterprise, Ultimate): 32-bit to 32-bit or 64-bit to 64-bit only
Installing Windows 7
Installation options for a new machine:
- Clean installation: new machine with no existing operating system
- Dual boot installation: run two operating systems side-by-side on the same computer
- Upgrade: in-place upgrade to Windows 7 from Windows Vista
- Migration: upgrade to Windows 7 from Windows Vista or Windows XP
Installing Windows 7
Installation types:
- Standard installation: for the initial phase of the pilot project being covered in this lesson, Globomantics will focus on standard installations
- Unattended installation: allows an administrator a mostly hands-off installation. We will cover automated installations in the Deploying Windows 7 Machines lesson
Installing Windows 7
Media options:
- DVD: included in Windows 7 retail boxes and often created after downloading an ISO file and burning it
- ISO: generally used by those with Microsoft licensing agreements
- USB drive: allows administrators to customize the installation source
- Network share: used with automated installations
Deploying Windows 7
In This Lesson:
- Globomantics deployment plan
- Windows 7 deployment enhancements
- Specific lesson goals
- Deployment types
- Pre-deployment tools
- Thick vs. thin images
- Deployment strategies
- Understanding image capture tools
- Image deployment options
- Capture and deployment process overview
- User State Migration Tool (USMT)
- Automated installation methods
Scenario
- Globomantics IT staff runs a lean and mean shop and group
- The company can't afford to send IT staff to visit each and every computer in every location to facilitate deployment
- Business needs:
  - For organizations that have more than a few PCs, manual Windows 7 deployment is an inefficient rollout strategy
  - Manual labor and travel result in major costs
  - Managing desktops already has a high total cost of ownership (TCO)
  - Use automated deployment tools to help automate this process and bring down costs
Deployment Types
- Manual/semi-automated/high touch
  - Small number of computers
  - Covered in the lesson entitled Installing Windows 7
- Lite Touch Installation (LTI)
  - Well-suited for medium-sized organizations that do not have a need for a more automated deployment system
  - Often used in conjunction with a "thick" system image, but can be used with thin images
- Zero Touch Installation (ZTI)
  - Best suited for large, distributed organizations that deploy new systems and applications in a non-centralized manner
  - Often used in conjunction with thin system images
Pre-Deployment Tools
- Application Compatibility Toolkit (ACT)
  - A tool to evaluate and mitigate application compatibility issues as they pertain to Windows 7
  - Requires a SQL Server to house reporting data
- Microsoft Assessment and Planning Toolkit (MAP)
  - Performs an audit of your existing environment and provides inventory, assessment and reporting capabilities to assist in planning a Windows 7 rollout
System Center Configuration Manager 2007 R2
- Beyond the scope of this course
- Discussed in TrainSignal's System Center Configuration Manager 2007 R2 course
In This Lesson:
- Using the Device Manager tool
- Viewing device information with the System Information tool
- Understanding drivers
- Driver installation methods
- Managing installed drivers
- The Driver Verifier utility
- Managing hardware installation policies
- Staging drivers with pnputil.exe
- Adding device drivers to the driver store
- Monitoring USB devices
Scenario
- Globomantics has an array of computing needs
- There is no single desktop hardware configuration
  - Marketing: high-end graphics adapters
  - Other users: mainstream configuration
- Make device installation seamless by pre-staging device drivers (lower TCO)
- Help users get their work done by making sure that their necessary hardware devices work well and are well maintained
Understanding Drivers
- Device drivers enable communication between the operating system and hardware devices
- Driver facts:
  - Drivers are just software
  - Not all drivers are created equal
  - Driver issues are a major support hassle
  - Drivers can create system instability
In This Lesson:
- Deconstructing basic disks
- Disk Manager basic disk view: Master Boot Record (MBR)
- MBR vs. GUID Partition Table (GPT) disks
- Disk Manager basic disk view: GPT
- Understanding dynamic disks
- Dynamic disk volume types
- Volume types diagrams
- Disk Manager dynamic disk view
- Managing storage volumes
- FAT vs. NTFS
Scenario
- Data is the lifeblood of Globomantics
- Some users have different storage needs
  - Database administrators need additional storage protection
  - Business analysts require speedy storage with a lot of capacity
- Understand storage options to make the best possible data availability decisions
- Choose storage options that enable high security levels
- Globomantics is recovering from a data breach that could have been prevented with better storage options
MBR vs. GPT disks (table; columns: Windows versions supported, bootable, maximum partition size, maximum partitions per physical drive; only the MBR row survived extraction):
- MBR: Windows versions supported: All; maximum partition size: 2 TB; maximum partitions per physical drive: 4
- GPT: row not recoverable
Notes:
- Only 64-bit systems with EFI BIOS can boot from GPT-based partitions
- Limits pertain to Windows only. Other operating systems may provide additional capabilities.
Volume types diagram (1 unit of data written to each volume type, shown per disk):
- Simple volume: 1
- Spanned volume: 1, 1
- Striped volume: 1/3, 1/3, 1/3
- Mirrored volume: 1, 1
- RAID 5 volume: 1/2, 1/2, P (parity)
File system comparison (table; columns: Windows versions supported (native), maximum volume size, maximum file size, security; only the FAT32 row survived extraction):
- FAT32: Windows versions supported: All; maximum volume size: 32 GB/2 TB; maximum file size: just under 4 GB; security: none listed
- exFAT: row not recoverable
- NTFS: row not recoverable
In This Lesson:
- Scenario
- Managing network connections
- TCP/IP recap
- TCP/IP operational overview
- TCP/IP subnetting overview
- IPv6 recap
- Configuring TCP/IP settings
- Configuring network adapters
- Configuring Internet Connection Sharing (ICS)
- Troubleshooting network connectivity
Scenario
- Every device at Globomantics is a business tool, from the laptops carried by the sales team to every desktop PC in the company. A machine not connected to Globomantics' network doesn't provide any return.
- By the end of this lesson, you'll be able to provide Globomantics with expert-level assistance in configuring the network settings on Windows 7-based desktops and laptops
- Internet Connection Sharing is used in Globomantics' smaller offices to save costs on networking equipment
- All networks need troubleshooting, so you need to understand ways that you can correct networking issues
TCP/IP Recap
TCP/IP components:
- Network address: defines the address of the network as a whole
- Subnet mask: bounds the upper and lower ranges of the network address
- IP address: an individual identifier assigned to a resource
- Default gateway: the IP address of the router or firewall port that connects the local network to a larger network
- Router: a layer 3 device responsible for connecting the local network to a larger network and handling incoming and outgoing network communications
TCP/IP Recap
IP address types:
- Public
- Private:
  - 10.0.0.0 to 10.255.255.255
  - 172.16.0.0 to 172.31.255.255
  - 192.168.0.0 to 192.168.255.255
- Network Address Translation (NAT) allows private IP addresses to be used with public ones
Special addresses:
- First range address (often ends with .0): network address
- Last range address (often ends with .255): broadcast address
TCP/IP Recap
IP addresses:
- Dotted decimal notation is most common
- Are representations of binary numbers, which can be converted to a decimal number: 209.85.225.106 = 11010001.01010101.11100001.01101010 = 3512066410
Subnetting: breaking a large network down into smaller chunks
- Reduces broadcast traffic
- Reduces collisions
- Can improve security
TCP/IP Recap
- Dynamic Host Configuration Protocol (DHCP) server provides automated IP address assignment services
  - Globomantics uses DHCP for client computers
  - Globomantics desktop technicians sometimes input manual IP addresses when troubleshooting
  - DHCP can pass other configuration information to clients
- Automatic Private IP Addressing (APIPA) is used when a DHCP server is not present
- Domain Name System (DNS) provides a method to resolve friendly names into IP addresses, e.g. www.google.com = 209.85.225.10
Globomantics SW Office diagram, labels recovered from the figure:
- Firewall/router 192.168.10.5; default gateway 172.16.6.254
- GM-SW-File: Globomantics server, DHCP/DNS. Allocated: 172.16.6.2, 172.16.6.3. Available: 172.16.6.4, 172.16.6.5, 172.16.6.6
- GM-7-Desktop: Globomantics Windows 7 desktop (shown with 172.16.6.3)
- GM-7-M-X: Globomantics Windows 7 mobile
TCP/IP subnetting overview (table):
  Subnet mask       Prefix    Host address range               Broadcast
  255.255.255.192   26 bits   192.168.0.1 to 192.168.0.62      192.168.0.63
  255.255.255.192   26 bits   192.168.0.65 to 192.168.0.126    192.168.0.127
  255.255.255.192   26 bits   192.168.0.129 to 192.168.0.190   192.168.0.191
  255.255.255.192   26 bits   192.168.0.193 to 192.168.0.254   192.168.0.255
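The arithmetic behind the recap and the subnetting table, as an added PowerShell example that is not part of the course material: it converts the recap's 209.85.225.106 between dotted-decimal, binary and decimal form, carves 192.168.0.0/24 into the four /26 blocks of the table, and adds a same-subnet check for troubleshooting. All function names are the example's own; plain arithmetic is used instead of -shl/-shr so it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the course slides): IPv4 address arithmetic for the
# TCP/IP recap and the /26 subnetting table.

function ConvertTo-AddressInt {
    # Dotted decimal -> integer, first octet most significant (the recap's 209.85.225.106 is 3512066410)
    param([string]$Address)
    $octets = $Address.Split('.')
    if ($octets.Count -ne 4) { throw "Not a dotted-decimal IPv4 address: $Address" }
    [int64]$value = 0
    foreach ($octet in $octets) {
        $n = [int]$octet
        if ($n -lt 0 -or $n -gt 255) { throw "Octet out of range in $Address" }
        $value = $value * 256 + $n
    }
    return $value
}

function ConvertTo-DottedDecimal {
    # Integer -> dotted decimal; Floor is used because [int64] casts round rather than truncate
    param([int64]$Value)
    if ($Value -lt 0 -or $Value -gt 4294967295) { throw "Value $Value does not fit in 32 bits" }
    $a = [math]::Floor($Value / 16777216) % 256
    $b = [math]::Floor($Value / 65536) % 256
    $c = [math]::Floor($Value / 256) % 256
    $d = $Value % 256
    return "$a.$b.$c.$d"
}

function ConvertTo-BinaryNotation {
    # Each octet rendered as 8 bits, the form the recap shows for 209.85.225.106
    param([string]$Address)
    $bits = foreach ($octet in $Address.Split('.')) {
        [Convert]::ToString([int]$octet, 2).PadLeft(8, '0')
    }
    return ($bits -join '.')
}

function Get-Subnets {
    # Carve a /$Prefix network into equal /$NewPrefix blocks and report each block's
    # network address, mask, usable host range and broadcast address.
    param([string]$Network, [int]$Prefix, [int]$NewPrefix)
    if ($Prefix -lt 0 -or $NewPrefix -lt $Prefix -or $NewPrefix -gt 30) {
        throw "NewPrefix must be between $Prefix and 30 (a /31 or /32 has no usable host range)"
    }
    $oldBlock = [int64][math]::Pow(2, 32 - $Prefix)
    $newBlock = [int64][math]::Pow(2, 32 - $NewPrefix)
    $mask     = 4294967295 - ($newBlock - 1)
    # Align to the original network boundary in case a host address was passed in
    $base = ConvertTo-AddressInt $Network
    $base = $base - ($base % $oldBlock)
    for ($i = 0; $i -lt ($oldBlock / $newBlock); $i++) {
        $net = $base + $i * $newBlock
        $subnet = New-Object PSObject
        $subnet | Add-Member -MemberType NoteProperty -Name Network   -Value (ConvertTo-DottedDecimal $net)
        $subnet | Add-Member -MemberType NoteProperty -Name Mask      -Value (ConvertTo-DottedDecimal $mask)
        $subnet | Add-Member -MemberType NoteProperty -Name FirstHost -Value (ConvertTo-DottedDecimal ($net + 1))
        $subnet | Add-Member -MemberType NoteProperty -Name LastHost  -Value (ConvertTo-DottedDecimal ($net + $newBlock - 2))
        $subnet | Add-Member -MemberType NoteProperty -Name Broadcast -Value (ConvertTo-DottedDecimal ($net + $newBlock - 1))
        $subnet
    }
}

function Test-SameSubnet {
    # Troubleshooting check: do two hosts share a subnet under the given mask?
    param([string]$AddressA, [string]$AddressB, [string]$Mask)
    $m = ConvertTo-AddressInt $Mask
    return (((ConvertTo-AddressInt $AddressA) -band $m) -eq ((ConvertTo-AddressInt $AddressB) -band $m))
}

# Usage with the values from the recap and the subnetting table
ConvertTo-BinaryNotation '209.85.225.106'
ConvertTo-AddressInt '209.85.225.106'
Get-Subnets -Network '192.168.0.0' -Prefix 24 -NewPrefix 26 | Format-Table -AutoSize
# 192.168.0.62 and 192.168.0.65 are both in 192.168.0.0/24 but in different /26 blocks,
# so the answer depends on which mask the hosts are actually configured with
Test-SameSubnet '192.168.0.62' '192.168.0.65' '255.255.255.192'
Test-SameSubnet '192.168.0.62' '192.168.0.65' '255.255.255.0'
```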
IPv6 Recap
IPv6 facts:
- Larger address space
  - IPv4 addresses are running out: 2^32 addresses = 4,294,967,296
  - More always-on devices
  - More Internet users
  - IPv6 = 2^128 addresses
- Eliminates the need for a number of workarounds, including Network Address Translation
- Stateless address configuration
- DHCPv6 can be used to provide more capability
IPv6 Recap
- IPv6 is not in widespread use
- IPv6 address types:
  - Link local: locally and automatically configured IPv6 addresses for networks without a DHCP server
  - Site local: private, non-routable IPv6 addresses
  - Global: an everyday, routable IPv6 address, either manually configured or obtained via DHCP
- Special IPv6 addresses:
  - Unspecified IPv6 address: 0:0:0:0:0:0:0:0 (::0)
  - Loopback: in IPv4 parlance, 127.0.0.1; for IPv6, 0:0:0:0:0:0:0:1 (::1). Always the local machine
Internet Connection Sharing diagram labels: GM-7-Desktop, Globomantics desktop computer; ICS; to Internet; GM-7-M-2, Globomantics laptop computer
In This Lesson:
- Network profiles / Network Location Awareness
- Windows Firewall management
- Remote Desktop
- Remote Assistance
- Windows Remote Management service (WinRM)
- WinRM and PowerShell
Scenario
- Globomantics is recovering from a serious and very public security incident
- As a pharmaceutical company with direct customer contact, Globomantics falls under privacy regulations, including HIPAA
- Globomantics wants to make certain that every possible reasonable security measure is implemented, including firewalls, carefully configured remote management capabilities, user account control and various authentication and authorization features
- Balancing security with usability will allow users to do their jobs while the company remains protected
Network Profiles
- Network profiles allow administrators to set granular policies based on the type of network to which the system is connected
- The firewall can be turned on or off for a particular network type, e.g. turn off the firewall when the system is connected to a domain and turn it back on when the system joins a public network
- Different profiles can be active simultaneously if the system is connected to multiple networks
Remote Desktop
- Allows a user to connect to the desktop from a remote computer and operate it as if he were sitting at the console
- Must be explicitly enabled; the default is set to not allow remote connections
  - Allow connections from computers running any version of Remote Desktop
  - Allow connections only from clients running Remote Desktop with Network Level Authentication (XP SP3, Vista, Windows 7)
- You must specifically identify which users can connect remotely
Remote Desktop
- A new session can be established
- A remote session can be established that assumes control of an existing desktop session
- A different user can initiate a remote desktop session, but doing so results in a dialog box asking permission, since the currently logged in user will be logged off
- Example: configure Remote Desktop from the Remote tab in System Properties
Remote Assistance
- Commonly used by tech support personnel to help a user troubleshoot a problem
- Initiated by the user having troubles
- Uses a time-limited invitation that allows the remote user access to the desktop
- More secure invitations can be created, but only users using Vista or Windows 7 can respond to them
- Examples:
  - Configure Remote Assistance from the Remote tab in System Properties
  - Requesting remote assistance
In This Lesson:
- Configuring User Account Control
- Configuring removable device policies
- Understanding Credential Manager
- Changing execution context with RunAs
- Windows 7 account policies and user rights
- Windows 7 local groups
- Creating a password reset disk
- Understanding smart card policies
Scenario
- Globomantics is recovering from a serious and very public security incident
- As a pharmaceutical company with direct customer contact, Globomantics falls under privacy regulations, including HIPAA
- Globomantics wants to make certain that every possible reasonable security measure is implemented, including firewalls, carefully configured remote management capabilities, user account control and various authentication and authorization features
- Balancing security with usability will allow users to do their jobs while the company remains protected
In This Lesson:
- Enable work on the go by using Offline Files
- Transparent caching
- Save energy by configuring local power settings
- Location Aware Printing
Scenario
- Globomantics is making sure that every sales person is equipped with a laptop to use in order to maximize their time on the road
- Every customer visit must be as productive as possible
- All of Windows 7's mobility capabilities (offline files, caching, location-based printing, power policies) must be leveraged
- Business needs:
  - Increased mobility leads to increased sales
  - Battery life and power settings must be optimized to increase road time
  - Sales people still need access to their centralized files and folders in order to do their jobs
  - Location-based printing will help these mobile professionals locate available printers
Offline Files sequence:
1. Offline Files is enabled for a file; a copy of the file is cached to the local Windows 7 machine
2. The user disconnects from the server to go on the road and modifies the locally cached file while disconnected from the server
3. The user reconnects to the network; the modified file is synchronized with the server-based copy
Transparent Caching
- Similar to Windows 7's new BranchCache feature; BranchCache is covered in the lesson entitled Managing BranchCache
- Transparent caching locally and automatically caches copies of files that a user has accessed from a server
- Does not need to be enabled on a per-file basis
- Each time the user accesses the file, the local system verifies that the locally cached copy is current; if it's not current, the file is opened directly from the server
- When the server is unavailable, the local cache is also unavailable
- Supports both domain- and non-domain-joined clients
Transparent Caching
- Not enabled by default
- Group/local policies related to Offline Files: Computer Configuration > Administrative Templates > Network > Offline Files
- We will learn more about Transparent Caching in the lesson entitled Managing BranchCache
In This Lesson:
- Why update Windows?
- Update types
- Windows Update control panel applet
- Configuring important update settings
- Windows Update settings
- Reviewing update history
- Deciding which updates to install
- Uninstalling updates
- Using the Microsoft Baseline Security Analyzer
- WSUS and Windows Updates
- Non-WSUS operations vs. WSUS operations
Scenario
- Keeping Windows desktop computers current with the latest security patches is vital to company efforts to keep systems and data secure
- Windows computers require regular updates designed to plug security holes and correct other flaws
- Globomantics can't afford to hire enough people to simply walk around and manually update each and every Windows 7 desktop
- Business need:
  - Centralizing updates keeps TCO at a reasonable level
  - Updates are a critical component of an organization's overall security strategy
  - The ability to roll back updates is key in the event that an update breaks something
Update Types
- Important: updates that should be installed immediately in order to counter potential security or privacy threats
  - Includes security and critical updates
- Recommended: updates that may improve system reliability or improve information, such as that found in system help files
  - May add new features to Windows or even other Microsoft software
- Optional: often includes new driver updates
  - May include new versions of trial software
Get more information about an update by right-clicking the update and choosing View details
Uninstalling Updates
- When you're viewing a list of installed updates, right-click an update and choose Uninstall
- The Installed Updates window is accessible via the Windows Update control panel applet or the Programs and Features control panel applet
Non-WSUS operations vs. WSUS operations diagrams, labels recovered from the figures: WSUS Server; GM-SW-File, Globomantics server, DHCP/DNS; GM-7-Desktop, Globomantics Windows 7 desktop; GM-7-M-X, Globomantics Windows 7 mobile
Managing Applications
In This Lesson:
- Program Compatibility Assistant
- Program compatibility properties
- Compatibility-related group policies
- Application Compatibility Toolkit
- Using Windows XP Mode
- Configuring software restriction policies
- Using AppLocker
Scenario
- Globomantics uses a wide range of applications to meet its business goals
- There are questions surrounding application compatibility
- Globomantics will use a number of tools to determine compatibility with Windows 7
- Globomantics also plans to consider the use of AppLocker as a security mechanism to keep hostile software off the network
- Business need:
  - Line of business applications are the lifeblood of Globomantics, so they need to simply work
  - AppLocker is a Windows 7-based evolution in software policies designed to control what applications are allowed to be used
Using AppLocker
- Available only on Windows 7 clients
- Significantly better than Software Restriction Policies
  - No need to rework restrictions as applications are upgraded
  - Can be applied to user subsets
- Configurable via Group Policy: Computer Configuration > Windows Settings > Security Settings > Application Control Policies
- Relies on the use of the Application Identity service
Using AppLocker
Software Restriction Policies vs. AppLocker (table):
  Feature                                      Software Restriction Policies                                          AppLocker
  Rule scope                                   All users                                                              Specific user or group
  Rule conditions provided                     File hash, path, certificate, registry path, and Internet zone rules   File hash, path, and publisher rules
  Rule types provided                          Allow and deny                                                         Allow and deny
  Default rule action                          Allow or deny                                                          Deny
  Audit-only mode                              No                                                                     Yes
  Wizard to create multiple rules at one time  No                                                                     Yes
  Policy import or export                      No                                                                     Yes
  Rule collection                              No                                                                     Yes
  PowerShell support                           No                                                                     Yes
  Custom error messages                        No                                                                     Yes
Using AppLocker
Rule types:
- Executable: .exe and .com files
- Windows Installer: .msi and .msp files
- Script: .ps1, .bat, .cmd, .vbs and .js files
- DLL: .dll and .ocx files
Using AppLocker
Rule conditions:
- Publisher: discussed on the next slide; most secure option
- Path: based on the file path
- File hash: based on the unique file hash; use when a file is not signed; more secure than path rules
Rule behavior: Allow or Deny
Using AppLocker
Publisher rules:
- Rules based on application digital signatures
- Files must be signed
- These rules can survive application upgrades
  - e.g. create a rule that says "Block this application, version 2.0 and higher"
  - e.g. allow versions 2.0 or higher of a program to run if it is signed by the software publisher GlobomanticsDevCorp
- Globomantics will block the use of WordPad using AppLocker; service packs should not disable this rule
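How the two publisher rules above would be built, tested and applied with the Windows 7 AppLocker cmdlets, as an added PowerShell example that is not part of the course material. It keeps AppLocker's three default allow rules, denies WordPad for any version (so a service pack cannot undo it), allows version 2.0 or higher of anything signed by GlobomanticsDevCorp, and applies the result in audit-only mode. The function names are the example's own; the GlobomanticsDevCorp subject name is a placeholder, and the WordPad path is the assumed default location; run from an elevated prompt.

```powershell
# Added example (not from the course slides): Globomantics AppLocker policy.
Import-Module AppLocker

function Get-PublisherXml {
    # Read the signature fields AppLocker matches on straight from the file, XML-escaped
    param([string]$Path)
    $info = Get-AppLockerFileInformation -Path $Path
    if ($info.Publisher -eq $null) { throw "$Path is not signed; a publisher rule cannot match it, use a hash rule" }
    $p = $info.Publisher
    $fields = @($p.PublisherName, $p.ProductName, $p.BinaryName) |
        ForEach-Object { [System.Security.SecurityElement]::Escape([string]$_) }
    return ('PublisherName="{0}" ProductName="{1}" BinaryName="{2}"' -f $fields)
}

function New-GlobomanticsAppLockerPolicy {
    param([string]$WordPadPath, [string]$DevCorpPublisherName, [string]$Enforcement = 'AuditOnly')
    $wordpad = Get-PublisherXml -Path $WordPadPath
    $devcorp = [System.Security.SecurityElement]::Escape($DevCorpPublisherName)
    # Everyone is S-1-1-0, BUILTIN\Administrators is S-1-5-32-544. AppLocker blocks anything no
    # rule allows, so the default allow rules stay; an explicit Deny always wins over an Allow,
    # which is why the WordPad rule works although WordPad lives under Program Files.
    return @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Enforcement">
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny WordPad, any version" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition $wordpad>
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow GlobomanticsDevCorp 2.0 and higher" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$devcorp" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="2.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

# Assumed paths: WordPad's default location and a scratch file for the policy XML
$wordpadPath = Join-Path $env:ProgramFiles 'Windows NT\Accessories\wordpad.exe'
$policyPath  = Join-Path $env:TEMP 'globomantics-applocker.xml'
# Placeholder subject name: replace with the value Get-AppLockerFileInformation reports
# for a binary really signed by GlobomanticsDevCorp
New-GlobomanticsAppLockerPolicy -WordPadPath $wordpadPath -DevCorpPublisherName 'O=GLOBOMANTICSDEVCORP, L=PLACEHOLDER, S=PLACEHOLDER, C=US' |
    Set-Content -Path $policyPath -Encoding UTF8

# Dry run against the XML before touching the machine: WordPad is matched by the Deny rule,
# Notepad only by the Windows-folder default rule
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $wordpadPath, "$env:WINDIR\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Rules are only evaluated while the Application Identity service is running
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Merge into the local policy in audit-only mode. Event ID 8003 in the AppLocker log records
# what would have been blocked; regenerate with -Enforcement Enabled once that looks right.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } | Format-Table TimeCreated, Message -Wrap
```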
In This Lesson:
- Compatibility Mode
- Configuring IE security settings
- IE Protected Mode
- Managing IE add-ons and search providers
- Managing IE's InPrivate Browsing
- Managing IE's InPrivate Filtering
- About IE's SmartScreen Filter
- IE's pop-up blocker
- Managing IE certificates
Scenario
- The Globomantics Application group has developed a number of web-based applications that support only Internet Explorer
- The CIO has made Internet Explorer the corporate standard
- Windows 7 provides centralized management of IE
  - Making sure that Internet Explorer settings on Windows 7 machines meet corporate security policies
  - Ban the use of unapproved add-ins for Internet Explorer
  - Make sure that Compatibility Mode is properly configured
- Business need:
  - Compatibility Mode will give the Globomantics Application Support group time to update web-based applications
  - Users need to understand SmartScreen to help the company prevent malware infestations
Compatibility Mode
- Not all web sites display properly in Internet Explorer 8
- IE 8 is the version that ships with Windows 7
- Windows Updates include lists of web sites that work best under Compatibility Mode
- Compatibility Mode Group Policies: Administrative Templates > Windows Components > Internet Explorer > Compatibility View
- Globomantics needs to display the site apps.globomantics.com in Compatibility Mode
IE Protected Mode
- Makes it more difficult for web sites to install malicious software
- Allows administrators to install desirable ActiveX controls and add-ons
- Zones:
  - Enabled by default in the Internet and Restricted sites zones
  - Disabled in the Local intranet and Trusted sites zones
Managing IE Certificates
- Secure web browsing is based on the use of Secure Sockets Layer (SSL) encryption certificates
- Provides trusted, secure end-to-end communications encryption so users can comfortably share personal information, including social security numbers and credit card information
- Internet Explorer blocks access to SSL-protected web sites when things don't look right:
  - The address doesn't match that of the SSL certificate
  - The certificate is expired or has been revoked
  - The certificate is not trusted back to what's called a root certificate
- Internet Explorer certificate settings window (screenshot): https://204.184.63.35/owa/
85
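The three checks IE performs before blocking a site (address match, validity and revocation, trust to a root) can be reproduced against a certificate exported from the browser's "View certificate" dialog. This is an added example, not the course's material; the `.cer` path in the usage line is a placeholder, and the demo address above (an IP address rather than a host name) is exactly the kind of input that fails the name check.

```powershell
# Added example (not from the course): evaluate a certificate the way IE does before
# deciding whether to block the site, using the .NET X509 classes present on Windows 7.
function Test-SslCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory = $true)]
        [string]$ExpectedHost          # the host part of the address typed into the browser
    )

    $problems = @()
    $now = Get-Date

    # 1. Expiry: today must fall inside the certificate's validity period.
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems += "Outside validity period ($($Certificate.NotBefore) to $($Certificate.NotAfter))"
    }

    # 2. Address match: the host must equal the subject CN or a Subject Alternative Name
    #    (a *.example.com wildcard matches one label to its left).
    $names = @()
    if ($Certificate.Subject -match 'CN=([^,]+)') { $names += $matches[1].Trim() }
    $san = $Certificate.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    if ($san) {
        # Format($false) yields text such as "DNS Name=mail.example.com, DNS Name=example.com"
        $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1] })
    }
    $hostMatches = $names | Where-Object {
        ($_ -eq $ExpectedHost) -or ($_.StartsWith('*.') -and ($ExpectedHost -like $_))
    }
    if (-not $hostMatches) {
        $problems += "Address '$ExpectedHost' does not match certificate names: $($names -join ', ')"
    }

    # 3. Trust and revocation: the chain must build to a trusted root, and no link may be revoked.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if (-not $chain.Build($Certificate)) {
        foreach ($s in $chain.ChainStatus) {
            $problems += "Chain: $($s.Status) - $($s.StatusInformation.Trim())"
        }
    }

    New-Object PSObject -Property @{
        Subject  = $Certificate.Subject
        Trusted  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage (path is a placeholder): export the site's certificate from IE, then evaluate it
# against the address the user typed.
# $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\owa.cer'
# Test-SslCertificate -Certificate $cert -ExpectedHost '204.184.63.35'
```

A result with `Trusted` equal to `False` lists each reason in `Problems`, which is the same information the browser's warning page summarises; the revocation check needs network access to the issuer's CRL or OCSP responder, and a chain that cannot reach a root in the machine's Trusted Root store fails with an `UntrustedRoot` status.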
What We Covered
- Compatibility Mode
- Configuring IE security settings
- IE Protected Mode
- Managing IE add-ons and search providers
- Managing IE's InPrivate browsing
- Managing IE's InPrivate filtering
- About IE's SmartScreen Filter
- IE's pop-up blocker
- Managing IE certificates
In This Lesson:
- Changing file and folder permissions
- Understanding NTFS permissions
- Assigning NTFS permissions
- Understanding effective permissions
- Permissions impact: copying and moving files
- Encrypting files and folders using EFS
- BitLocker To Go
- Full disk encryption using BitLocker
Scenario
- Globomantics needs to provide secure access to files and folders so that users can do their jobs
- Due to the recent security incident, Globomantics wants to make sure that the theft of a desktop computer doesn't result in unauthorized access to company data
- Although Globomantics could choose to implement BitLocker on desktops as well as laptops, the company is considering using EFS on internal systems just to protect key shared folders
Business need
- Globomantics will secure access to files and folders at both the share and file (NTFS) level
- Globomantics will protect mobile devices through the use of BitLocker and protect internal desktop PCs using EFS
BitLocker To Go
- People often rely on portable storage to be able to transport documents between locations
- These portable storage devices can be a major security headache
- BitLocker To Go is a new feature that encrypts the full contents of these portable storage devices
  - Does not require any special hardware, such as a Trusted Platform Module chip
  - Devices protected with BitLocker To Go can even be read in older versions of Windows
BitLocker To Go
- A number of local group policies exist that manage the implementation of BitLocker
  - Located at Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives
- Globomantics requires that portable USB storage be configured with BitLocker To Go
  - Set up appropriate local policies
  - Walk-through policy options
  - Encrypt a USB volume
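The three steps above (set the Removable Data Drives policies, encrypt a USB volume, verify) can be scripted for a single machine so the result is repeatable before the same policies are pushed through Group Policy. This is an added example, not the course's walkthrough: the `FVE` registry value names are the ones the Removable Data Drives policies write and should be confirmed against the BitLocker administrative template, and the drive letter is a placeholder.

```powershell
# Added example (not from the course): enforce BitLocker To Go for removable drives on one
# Windows 7 machine, encrypt a USB volume with manage-bde, and verify protection status via WMI.
# Value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are assumed from the Removable Data
# Drives policy set; confirm them against the BitLocker ADMX before deploying widely.
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-RemovableDriveBitLockerPolicy {
    if (-not (Test-Path $fvePolicy)) { New-Item -Path $fvePolicy -Force | Out-Null }
    # "Control use of BitLocker on removable drives": users may turn BitLocker To Go on but not off
    New-ItemProperty -Path $fvePolicy -Name 'RDVConfigureBDE' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $fvePolicy -Name 'RDVAllowBDE'     -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $fvePolicy -Name 'RDVDisableBDE'   -Value 0 -PropertyType DWord -Force | Out-Null
    # "Deny write access to removable drives not protected by BitLocker": unencrypted sticks become read-only
    New-ItemProperty -Path $fvePolicy -Name 'RDVDenyWriteAccess' -Value 1 -PropertyType DWord -Force | Out-Null
    Get-ItemProperty -Path $fvePolicy | Select-Object RDVConfigureBDE, RDVAllowBDE, RDVDisableBDE, RDVDenyWriteAccess
}

function Protect-RemovableDrive {
    param([Parameter(Mandatory = $true)][string]$DriveLetter)   # placeholder, e.g. 'E:'
    # manage-bde ships with Windows 7. -pw prompts for the unlock password the user will type on
    # any machine; -rp adds a 48-digit recovery password that the help desk should escrow.
    & manage-bde -on $DriveLetter -pw -rp
    & manage-bde -status $DriveLetter
}

function Get-VolumeProtectionStatus {
    # Win32_EncryptableVolume is the WMI provider behind manage-bde; 1 = protection on, 0 = off, 2 = unknown
    Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume |
        ForEach-Object {
            $status = $_.GetProtectionStatus().ProtectionStatus
            New-Object PSObject -Property @{
                Drive     = $_.DriveLetter
                Protected = ($status -eq 1)
                Status    = $status
            }
        }
}

# Usage, from an elevated prompt:
# Set-RemovableDriveBitLockerPolicy
# Protect-RemovableDrive -DriveLetter 'E:'
# Get-VolumeProtectionStatus | Format-Table Drive, Protected, Status -AutoSize
```

Because `RDVDenyWriteAccess` takes effect immediately for newly inserted drives, apply it after the company's existing USB sticks have been encrypted, otherwise users find them mounted read-only.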
What We Covered
- Changing file and folder permissions
- Understanding NTFS permissions
- Assigning NTFS permissions
- Understanding effective permissions
- Permissions impact: copying and moving files
- Encrypting files and folders using EFS
- BitLocker To Go
- Full disk encryption using BitLocker
In This Lesson:
- Resource sharing overview
- Basic vs. advanced sharing
- Understanding share vs. NTFS permissions
- Offline folder caching
- Sharing printers and managing print queues
- Windows 7 libraries
- Configuring HomeGroup
Scenario
- Information Technology advancements have created a collaboration revolution on which Globomantics wants to capitalize
- Collaboration is enabled through resource sharing
- Files, folders and printing devices are commonly shared at Globomantics, but not all users need to access all shared resources
- At especially small branch offices, Globomantics will use a Windows 7 desktop in a pseudo-server capacity
Business need
- Shared resources reduce overall costs since users don't need their own dedicated devices, such as printers
Sharing Folders
- A Utica, NY-based Windows 7 desktop will be a pseudo-server with a couple of shares initially enabled
- Marketing (GUI method)
  - Offline files should be disabled
  - The Marketing group will have Change rights
  - No more than five people at any one time
- Sales (command line method)
  - Enable offline files for both documents and programs
  - The Sales group will have Change rights
  - Accounting will have Read rights
  - net share Sales=c:\Sales
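Both shares above can be created with `net share` (the command-line method the slide names for Sales; the Marketing share is shown the same way so the two can be audited alike), then checked against the requested rights through WMI. This is an added example, not the course's demo: the local paths are placeholders, the group names are taken from the slide, and the commands need an elevated prompt.

```powershell
# Added example (not from the course): create the two Utica shares and report their
# share-level permissions, caching setting and user limit for review.
function New-UticaShares {
    # Marketing: Change for the Marketing group, offline files off, at most five concurrent users.
    # Arguments are quoted because PowerShell would otherwise split "Marketing,CHANGE" into two arguments.
    & net share 'Marketing=C:\Marketing' '/GRANT:Marketing,CHANGE' '/CACHE:None' '/USERS:5'
    # Sales: Change for Sales, Read for Accounting, offline caching of both documents and programs.
    & net share 'Sales=C:\Sales' '/GRANT:Sales,CHANGE' '/GRANT:Accounting,READ' '/CACHE:Programs' '/UNLIMITED'
}

function Get-SharePermissionReport {
    param([string[]]$ShareName = @('Marketing', 'Sales'))
    # Share-level access masks as net share writes them (NTFS permissions are checked separately)
    $rightsByMask = @{ 1179817 = 'Read'; 1245631 = 'Change'; 2032127 = 'Full' }

    foreach ($name in $ShareName) {
        $share = Get-WmiObject Win32_Share -Filter "Name='$name'"
        if ($share -eq $null) { Write-Warning "Share $name not found"; continue }
        $setting = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$name'"
        $dacl = $setting.GetSecurityDescriptor().Descriptor.DACL

        foreach ($ace in $dacl) {
            $rights = $rightsByMask[[int]$ace.AccessMask]
            if ($rights -eq $null) { $rights = ('0x{0:X}' -f $ace.AccessMask) }
            New-Object PSObject -Property @{
                Share    = $name
                Path     = $share.Path
                MaxUsers = $share.MaximumAllowed      # 4294967295 means unlimited
                Trustee  = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
                Rights   = $rights
            }
        }
    }
}

# Usage:
# New-UticaShares
# Get-SharePermissionReport | Format-Table Share, Trustee, Rights, MaxUsers, Path -AutoSize
```

The report shows only the share permissions; the effective access a user gets is the more restrictive of the share permission and the NTFS permission on `C:\Sales` or `C:\Marketing`, so the NTFS ACL on each folder must grant at least what the share is meant to allow.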
Windows 7 Libraries
- Windows 7 includes virtual folders known as libraries
- Libraries are collections of folders from various sources
  - The local machine
  - Network servers
  - HomeGroup machines
- Default libraries
  - Documents
  - Music
  - Pictures
  - Videos
Windows 7 Libraries
- Adding new folders to existing libraries
  - The existing libraries can be extended to include new folder sources
  - The Utica sales manager wants the contents of the newly created Sales shared folder to appear in his Documents library
  - It is his machine that is acting as the pseudo-server at Utica
- Creating a new library
  - The Utica sales manager has decided that he wants to create a dedicated Sales library that includes everything sales related
Configuring HomeGroup
- HomeGroup is a new feature in Windows 7 intended to facilitate resource sharing in small home networks
- Resources shared with HomeGroup machines can be provided with some security
- The first Windows 7 machine on the Home network is asked to create a HomeGroup
  - Work and domain computers can join a HomeGroup, but cannot create one
- Subsequent machines are asked if they'd like to join the existing HomeGroup
- Although Globomantics will not use the HomeGroup feature, the help desk has received some calls from users seeking advice regarding this feature
What We Covered
- Resource sharing overview
- Basic vs. advanced sharing
- Understanding share vs. NTFS permissions
- Offline folder caching
- Sharing printers and managing print queues
- Windows 7 libraries
- Configuring HomeGroup
In This Lesson:
- DirectAccess features
- DirectAccess server requirements
- Configuring DirectAccess client side
- Understanding DirectAccess connection types
- DirectAccess client requirements
- Enabling VPN-based remote access
- VPN authentication mechanisms
- Password-based authentication mechanisms
- Windows 7 VPN connections
Scenario
- Globomantics is a company on the move! With an ever-growing force of sales people making the rounds visiting potential customers, those mobile professionals need to maintain a constant link with the mother ship in order to keep the wheels of business turning and to make sure that they always have the most current information about clients in order to maximize their efforts
- Windows 7's DirectAccess and VPN capabilities are a perfect fit
Business need
- Mobility has become a very high priority to keep mobile professionals in touch as if they were in the office
- Enabling this mobility in a way that doesn't leave the organization at risk for exploit is key
DirectAccess Features
- DirectAccess is a new Windows Server 2008 R2 and Windows 7 feature that enables VPN-like connectivity but without the need to establish a traditional VPN connection
- Fully bidirectional: corporate servers can see clients
- Can be integrated with Network Access Protection to improve security
- Requires no user intervention; connects even before the user logs on to the machine
  - Fully transparent to the end user as the connection process is automatic
  - Connected as soon as the computer is able to use the network connection
- Allows the remote machine to continue to receive Group Policies and software updates
What We Covered
- DirectAccess features
- DirectAccess server requirements
- Configuring DirectAccess client side
- Understanding DirectAccess connection types
- DirectAccess client requirements
- Enabling VPN-based remote access
- VPN authentication mechanisms
- Password-based authentication mechanisms
- Windows 7 VPN connections
Managing BranchCache
In This Lesson:
- Understanding BranchCache
- Requirements
- BranchCache operating modes
- About local cache mode
- BranchCache operational diagram
- Managing BranchCache with Group Policy
- Managing BranchCache with Netsh
- Monitoring BranchCache
Scenario
- Globomantics has a number of small regional offices with relatively slow connections to the Internet
- Corporate IT has become concerned with ever-increasing bandwidth costs related to constant communication with headquarters
- The Globomantics CIO has decided that all smaller regional sites will use Distributed Mode BranchCache (the mode covered in this lesson)
  - Larger regional offices will eventually use Hosted Mode
Business need
- Increase employee productivity by reducing the time it takes to download items
- Reduce bandwidth costs by caching content locally
Understanding BranchCache
- BranchCache is new to Windows 7 and Windows Server 2008 R2
  - Does not work at all on older versions of Windows
- The feature caches remote content on local computers and
  - Speeds up access to information
  - Reduces bandwidth costs
  - Lowers TCO
  - Increases efficiency
- Transparent to the end user
- Automatically activates when the latency to a file hosting server exceeds 80 ms (definable via Group Policy)
- Has been described as a "black box"
Requirements
- A working, configured BranchCache server
  - Windows Server 2008 R2 Enterprise or Datacenter
  - Beyond the scope of this course to cover server side deployment
  - See My Favorite Supporting Resources slide for more information
- Client
  - Windows 7 Enterprise or Ultimate
Protecting Windows 7
- netsh branchcache show status
  - Shows the current status of the BranchCache service
Monitoring BranchCache
- netsh branchcache show status all
- Performance Monitor counters
  - Windows 7 includes more than twenty BranchCache related counters
  - Performance Monitor is covered in the lesson entitled
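Putting the netsh commands from the last two slides together, a client can be switched to Distributed Mode and its status and counters read back by script, which is what a help desk needs when a branch user reports slow downloads. This is an added example, not the course's demo; it assumes the `netsh branchcache show status` output uses `Name = Value` lines (as it does on Windows 7) and that the BranchCache counter set is registered on the client.

```powershell
# Added example (not from the course): configure and monitor a Windows 7 BranchCache client
# in Distributed Mode using netsh and the Performance Monitor counter set.
function Enable-DistributedBranchCache {
    # netsh is the tool the lesson names; note that a BranchCache Group Policy setting,
    # once applied, overrides whatever netsh configured locally.
    & netsh branchcache set service mode=distributed
}

function Get-BranchCacheStatus {
    # Parse the "Name = Value" lines of "show status all" into a hashtable so a script can test them
    $status = @{}
    & netsh branchcache show status all | ForEach-Object {
        if ($_ -match '^\s*(.+?)\s*=\s*(.+?)\s*$') { $status[$matches[1]] = $matches[2] }
    }
    $status
}

function Test-BranchCacheDistributed {
    $status = Get-BranchCacheStatus
    $mode = $status['Service Mode']
    # Distributed Mode reports "Distributed Caching"; anything else means the client will fetch from HQ
    return ($mode -ne $null -and $mode -like 'Distributed*')
}

function Get-BranchCacheCounters {
    # The same counters Performance Monitor shows under the BranchCache set, without the GUI
    $set = Get-Counter -ListSet 'BranchCache' -ErrorAction Stop
    (Get-Counter -Counter $set.Paths).CounterSamples |
        Select-Object @{ n = 'Counter'; e = { $_.Path.Split('\')[-1] } }, CookedValue
}

# Usage, from an elevated prompt at a small regional office:
# Enable-DistributedBranchCache
# Test-BranchCacheDistributed
# Get-BranchCacheCounters | Format-Table Counter, CookedValue -AutoSize
```

Sampling `Get-BranchCacheCounters` before and after a user opens a large file from GM-File shows whether bytes were served from peers or pulled across the WAN, which is the quickest way to confirm the cache is actually doing work at the site.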
What We Covered
- Understanding BranchCache
- Client side requirements
- BranchCache operating modes
- About local cache mode
- BranchCache operational diagram
- Managing BranchCache with Group Policy
- Managing BranchCache with Netsh
- Monitoring BranchCache
In This Lesson:
- Performance Information and Tools utility
- Event logging
- Centralizing event logs
- Using Performance Monitor
- Data Collector Sets
- Creating a new Data Collector Set
- Task Manager
- Resource Monitor
- Reliability Monitor
- A sample WMI script
Scenario
- Monitoring the infrastructure for problems is a major component of a technology architecture
- You've been asked to understand desktop performance monitoring to keep users operating at peak productivity and keep potential minor security events from becoming big ones
Business need
- Event monitoring provides early identification for what could become larger security or performance problems
- Performance monitoring helps identify what steps need to be taken to keep Globomantics operating at a high level
Event Logging
- Commonly used to gain in-depth knowledge about what is creating a system problem
- Most Windows programs are designed to write detailed information into the Windows event logs
- Windows logs
  - Application
  - Security
  - Setup
  - System
  - Forwarded Events
- Other application and service logs
Event Logging
- Filtering logs and creating views
  - View only Critical event types
  - Create a view that shows only Critical events
  - Globomantics will create this log view on every desktop PC to aid in future troubleshooting efforts
- Saving/exporting log files
  - A user is experiencing an intermittent hardware problem
  - You will export the contents of the user's event logs to a file so that you can examine them on your own machine and the user can continue working
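Both tasks on the slide, the Critical-only view and the export for offline analysis, have command-line equivalents that can be dropped into a logon script or run by the help desk. This is an added example, not the course's demo: the destination path is a placeholder, and the XML query is the same `QueryList` form that Event Viewer shows on the XML tab of a custom view.

```powershell
# Added example (not from the course): list Critical events, express the same filter as an
# Event Viewer query, and export a user's logs in native .evtx form for analysis elsewhere.
function Get-CriticalEvents {
    param(
        [string[]]$LogName = @('System', 'Application'),
        [int]$Days = 7
    )
    # Level 1 is "Critical" in the Windows event schema (2 = Error, 3 = Warning, 4 = Information)
    Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        Level     = 1
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, ProviderName, Id, Message
}

# The same filter as an XPath query: this text can be pasted into the XML tab of
# "Create Custom View" on each desktop, or used directly with Get-WinEvent -FilterXml.
$criticalViewXml = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=1)]]</Select>
    <Select Path="Application">*[System[(Level=1)]]</Select>
  </Query>
</QueryList>
"@

function Get-CriticalEventsByXml {
    Get-WinEvent -FilterXml ([xml]$criticalViewXml) -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, Message
}

function Export-UserEventLogs {
    param([Parameter(Mandatory = $true)][string]$Destination)   # placeholder, e.g. \\GM-File\Support\logs
    if (-not (Test-Path $Destination)) { New-Item -ItemType Directory -Path $Destination | Out-Null }
    foreach ($log in 'System', 'Application') {
        $out = Join-Path $Destination ('{0}-{1}.evtx' -f $env:COMPUTERNAME, $log)
        # wevtutil epl writes the log in its native format, so it opens in Event Viewer on your machine
        & wevtutil epl $log $out
    }
    # Keep the view definition alongside the exports so the same filter can be applied remotely
    Set-Content -Path (Join-Path $Destination 'CriticalEvents.xml') -Value $criticalViewXml
}

# Usage on the user's desktop:
# Get-CriticalEvents -Days 30 | Format-Table TimeCreated, LogName, Id -AutoSize
# Export-UserEventLogs -Destination '\\GM-File\Support\logs\GM-7-042'
```

Exporting the Security log as well requires an elevated prompt; the System and Application logs are readable by any user, which is why the export above stays with those two.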
Task Manager
- Provides information about
  - Running applications, processes and services
  - Can kill running applications and misbehaving processes as well as start and stop services
  - CPU usage, overall and by core
  - RAM usage
  - Network utilization
  - Currently logged in users
- Arguably the most used monitoring tool in Windows
Resource Monitor
- Resource Monitor is relatively new to Windows, but adds a huge punch to the monitoring arsenal
- Quickly access at-a-glance system statistics and associate processes with specific system characteristics
  - Ascertain which processes are actively using the disk or network
  - What exact iexplore.exe process is using major bandwidth?
- Globomantics will use the Resource Monitor to determine file and process associations
Reliability Monitor
- A new tool in Windows 7, available via the Control Panel's Action Center
- Derives a stability index as a value from 1 to 10 that describes system performance as a function of reliability
- Provides administrators with at-a-glance information that can help to correlate system stability issues with new updates, software installations and other system events
- Use Reliability Monitor to attempt to find a root cause for ongoing stability issues reported by a Globomantics user
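The stability index and the events Reliability Monitor correlates are exposed through WMI, so the same root-cause question (what changed just before the crashes started?) can be answered from a script, which ties in with the "sample WMI script" item in this lesson. This is an added example, not the course's script; it uses the `Win32_ReliabilityStabilityMetrics` and `Win32_ReliabilityRecords` classes that Windows 7 provides, and the day range is a parameter.

```powershell
# Added example (not from the course): read Reliability Monitor's data through WMI and
# line up stability-index drops with the application failures and installs around them.
function Get-StabilityHistory {
    param([int]$Days = 14)
    $since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddDays(-$Days))
    # One record per measurement interval; SystemStabilityIndex is the 1-10 value the GUI charts
    Get-WmiObject -Class Win32_ReliabilityStabilityMetrics -Filter "TimeGenerated >= '$since'" |
        Select-Object @{ n = 'Time'; e = { $_.ConvertToDateTime($_.TimeGenerated) } }, SystemStabilityIndex |
        Sort-Object Time
}

function Get-ReliabilityEvents {
    param([int]$Days = 14)
    $since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddDays(-$Days))
    # Application failures, Windows failures, and MSI installs/updates all land in this class
    Get-WmiObject -Class Win32_ReliabilityRecords -Filter "TimeGenerated >= '$since'" |
        Select-Object @{ n = 'Time'; e = { $_.ConvertToDateTime($_.TimeGenerated) } },
                      SourceName, EventIdentifier, ProductName, Message |
        Sort-Object Time
}

function Find-StabilityDrops {
    param([int]$Days = 14, [double]$MinDrop = 1.0)
    # Report each interval where the index fell by at least $MinDrop, with the events that
    # occurred in the 24 hours before the drop as root-cause candidates
    $history = @(Get-StabilityHistory -Days $Days)
    $events  = @(Get-ReliabilityEvents -Days $Days)
    for ($i = 1; $i -lt $history.Count; $i++) {
        $drop = $history[$i - 1].SystemStabilityIndex - $history[$i].SystemStabilityIndex
        if ($drop -ge $MinDrop) {
            $windowStart = $history[$i].Time.AddDays(-1)
            $candidates  = $events | Where-Object { $_.Time -ge $windowStart -and $_.Time -le $history[$i].Time }
            New-Object PSObject -Property @{
                When       = $history[$i].Time
                IndexFrom  = $history[$i - 1].SystemStabilityIndex
                IndexTo    = $history[$i].SystemStabilityIndex
                Candidates = ($candidates | ForEach-Object { "$($_.SourceName): $($_.ProductName)" }) -join '; '
            }
        }
    }
}

# Usage on the user's machine:
# Find-StabilityDrops -Days 30 | Format-List When, IndexFrom, IndexTo, Candidates
```

A drop whose candidate list contains an `MsiInstaller` or Windows Update entry immediately before a run of `Application Error` records is the pattern the GUI makes visible as an install icon followed by red crosses; the script version can be run remotely with `Get-WmiObject -ComputerName` so the user keeps working.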
What We Covered
- Event logging
- Centralizing event logs
- Using Performance Monitor
- Data Collector Sets
- Creating a new Data Collector Set
- Task Manager
- Resource Monitor
- Reliability Monitor
- A sample WMI script
In This Lesson:
- Changing graphics settings
- Configuring virtual memory
- Understanding write caching
- Optimizing processes with Task Manager
- Managing processor scheduling settings
- Optimizing services
- Using msconfig to boost performance
Scenario
- A high performance organization, Globomantics demands top performing computing hardware
- Just as not maximizing a sale is leaving money on the table, not optimizing hardware has a similar result: lost money due to inefficiency
Business need
- Maximize computing resources to maximize ROI on the computing investment
Optimizing Services
- Windows 7 ships with a core set of enabled and running services
- Every service
  - Uses system resources such as RAM and processor
  - Opens an additional system attack vector
- Not all services are necessary in order for users to do their jobs
  - Disable or set to Manual services not needed by users
  - In general, Manual is a safe choice
- The Windows Media Player Network Sharing Service should never be used by Globomantics employees and will be disabled
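The slide's advice (disable the one service named, set other unneeded services to Manual) becomes repeatable when the disable step and the "what else is starting automatically?" review are scripted. This is an added example, not the course's demo; the service name `WMPNetworkSvc` is the Windows Media Player Network Sharing Service, and the allow-list of expected automatic services is a placeholder that should be built from the Globomantics desktop standard rather than used as given.

```powershell
# Added example (not from the course): disable the Windows Media Player Network Sharing
# Service, then review remaining automatic services against a baseline before moving any to Manual.
function Disable-MediaSharingService {
    $svc = Get-Service -Name 'WMPNetworkSvc' -ErrorAction SilentlyContinue
    if ($svc -eq $null) { Write-Warning 'WMPNetworkSvc is not installed on this machine'; return }
    if ($svc.Status -eq 'Running') { Stop-Service -Name 'WMPNetworkSvc' -Force }
    # Disabled (not Manual) because the slide says the service must never be used
    Set-Service -Name 'WMPNetworkSvc' -StartupType Disabled
    Get-WmiObject Win32_Service -Filter "Name='WMPNetworkSvc'" | Select-Object Name, State, StartMode
}

function Get-AutoServicesNotOnAllowList {
    # Placeholder baseline: services the desktop standard expects to start automatically
    param([string[]]$AllowList = @('wuauserv', 'EventLog', 'Dhcp', 'Dnscache', 'LanmanWorkstation',
                                   'LanmanServer', 'MpsSvc', 'BFE', 'Winmgmt', 'Schedule', 'CryptSvc',
                                   'Spooler', 'Netlogon', 'gpsvc', 'PlugPlay', 'RpcSs'))
    Get-WmiObject Win32_Service -Filter "StartMode='Auto'" |
        Where-Object { $AllowList -notcontains $_.Name } |
        Select-Object Name, DisplayName, State, PathName
}

function Set-ServicesToManual {
    param([Parameter(Mandatory = $true)][string[]]$Name)
    foreach ($n in $Name) {
        # Manual keeps the service available on demand while removing its always-running exposure
        Set-Service -Name $n -StartupType Manual
        Get-WmiObject Win32_Service -Filter "Name='$n'" | Select-Object Name, StartMode
    }
}

# Usage, from an elevated prompt:
# Disable-MediaSharingService
# Get-AutoServicesNotOnAllowList | Format-Table Name, DisplayName, State -AutoSize
# Set-ServicesToManual -Name 'WSearch'      # example candidate, decide per the review above
```

Review the `PathName` column of the report before changing anything: a service whose binary sits outside `%SystemRoot%` or `Program Files` deserves a closer look for security reasons, not only for performance.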
What We Covered
- Changing graphics settings
- Configuring virtual memory
- Understanding write caching
- Optimizing processes with Task Manager
- Managing processor scheduling settings
- Optimizing services
- Using msconfig to boost performance
In This Lesson:
- Windows 7's backup and restore utility
- Configuring Windows Backup
- Restoring files from a backup
- Creating and restoring system images
- Creating a system repair disk
- Creating and using system restore points
- Previous versions
- Understanding advanced boot options
- Understanding Last Known Good Configuration
Scenario
- Globomantics regional offices sit in areas prone to earthquakes, tornados, and hurricanes
- You need to make sure that the company is ready to quickly recover should the unthinkable happen
- Some business desktops hold critical company information and are key to business processes
Business need
- Backups remain a key component of a recovery plan
- Automating this process keeps costs at a reasonable level
- Testing backups by recovering data is a good best practice
Previous Versions
- Windows 7 includes the ability to restore individual files and folders right from the Explorer interface
- Files included in both backups and restore points can often be rolled back to previous versions
- This Previous Versions capability uses Shadow Copies
  - Shadow copies of files are automatically created by Windows
  - These provide you with some powerful restore options
  - If you're careful, you can even recover files that have been accidentally deleted
- A Globomantics POS operator deleted a file and wants you to see if you can get it back using the Previous Versions feature
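When the Explorer "Previous Versions" tab is not convenient (for instance when the help desk works remotely), the same shadow copies can be listed and read by script. This is an added example, not the course's demo: it uses the `Win32_ShadowCopy` WMI class and the well-known technique of exposing a shadow copy's device path through a temporary directory symbolic link, and the file path in the usage line is a placeholder.

```powershell
# Added example (not from the course): list the shadow copies Previous Versions draws on,
# then copy a deleted file out of a chosen snapshot without touching the live volume.
function Get-ShadowCopyList {
    # One entry per snapshot; DeviceObject is the path under which the snapshot's files are reachable
    Get-WmiObject Win32_ShadowCopy |
        Select-Object ID,
                      @{ n = 'Created'; e = { $_.ConvertToDateTime($_.InstallDate) } },
                      VolumeName, DeviceObject |
        Sort-Object Created -Descending
}

function Restore-FileFromShadowCopy {
    param(
        [Parameter(Mandatory = $true)][string]$DeviceObject,   # from Get-ShadowCopyList
        [Parameter(Mandatory = $true)][string]$RelativePath,   # path inside the volume, e.g. Users\pos\Documents\till.xlsx
        [Parameter(Mandatory = $true)][string]$Destination     # where to put the recovered copy (not the original location)
    )
    # A directory symbolic link is the supported way to browse a snapshot's device path;
    # the trailing backslash on the device object is required by mklink.
    $link = Join-Path $env:TEMP ('shadow_' + [guid]::NewGuid().ToString('N'))
    & cmd /c mklink /d "$link" "$DeviceObject\" | Out-Null
    try {
        $source = Join-Path $link $RelativePath
        if (-not (Test-Path -LiteralPath $source)) {
            throw "File not present in this snapshot: $RelativePath"
        }
        # Copy, never move: the snapshot is read-only and we want the evidence preserved
        Copy-Item -LiteralPath $source -Destination $Destination
        Get-Item -LiteralPath $Destination | Select-Object FullName, Length, LastWriteTime
    }
    finally {
        & cmd /c rmdir "$link" | Out-Null    # remove the link, not the snapshot contents
    }
}

# Usage, from an elevated prompt on the POS operator's desktop:
# Get-ShadowCopyList | Format-Table Created, VolumeName, DeviceObject -AutoSize
# $snap = (Get-ShadowCopyList | Select-Object -First 1).DeviceObject
# Restore-FileFromShadowCopy -DeviceObject $snap -RelativePath 'Users\pos\Documents\till.xlsx' -Destination 'C:\Recovered\till.xlsx'
```

Restoring to a separate location first, as the usage does, lets the operator confirm the recovered version is the right one before it replaces anything, and avoids overwriting a newer file if the same name has since been recreated.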
What We Covered
- Windows 7's backup and restore utility
- Configuring Windows Backup
- Restoring files from a backup
- Creating and restoring system images
- Creating a system repair disk
- Creating and using system restore points
- Previous versions
- Understanding advanced boot options
- Understanding Last Known Good Configuration
Objective/Lesson Mapping
Objective Installing, Upgrading, and Migrating to Windows 7 Deploying Windows 7 Configuring Hardware and Applications Configuring Network Connectivity Weight Lessons An Introduction to Windows 7 14% Installing Windows 7 13% Deploying Windows 7 Machines Configuring Hardware in Windows 7 Understanding Windows 7 Storage 14% Managing applications Managing Internet Explorer Configuring Networking in Windows 7 14% Protecting Windows 7 Shared access to resources Configure file and folder access 13% Protecting Windows 7 Managing BranchCache Using DirectAccess and VPN connections Configure file and folder access 10% Managing Mobility Options Protecting Windows 7 Monitoring and maintaining Windows Configure performance settings 11% Protecting client computers with Windows updates Understanding Windows 7 storage 11% Configuring Backup and Recovery
Monitoring and Maintaining Windows 7 Systems Configuring Backup and Recovery Options
Next Steps