Notes


Windows 7 Administration Training

Instructor: Scott Lowe

Getting Started With Windows 7 Administration Training

Windows 7 Administration Training

Getting Started With Windows 7 Administration Training

In This Lesson:

What we’re building

About your instructor

About the course

Before you begin

How to use the course


Windows 7 Administration Training

Getting Started With Windows 7 Administration Training

• In this course, we’ll be creating a complete Windows 7 deployment plan that includes:

–Real business justifications for moving to Windows 7 at Globomantics, a pharmaceutical distributor with offices nationwide and a growing mobile sales force

–Processes that make Windows 7 deployment a breeze and add to the Globomantics bottom line

–Ways to use Windows 7’s exciting new features to improve the security of the desktop environment and keep Globomantics within regulatory compliance parameters

–Methods to optimize Windows 7 performance and eke out every ounce of capability to extend the life of the desktop investment

What We’re Building

Windows 7 Administration Training

Getting Started With Windows 7 Administration Training

• Scott Lowe

–Chief Information Officer, Westminster College, Fulton, MO

–Prolific author of more than 1,000 technical articles and three books

–Microsoft Certified Systems Engineer

– Frequent early adopter of new technologies, including Windows 7!

–Seasoned IT pro with more than sixteen years of experience

– Father of 2, husband of 1

• 6-year-old son is proficient with his iPod Touch and Internet Explorer

About Your Instructor

Windows 7 Administration Training

Getting Started With Windows 7 Administration Training

• A high level overview of the course

–Getting started with Windows 7 – features, deployment and configuration

–Managing Windows 7 mobility and security features

–Configuring and managing applications and shared resources

–Maintaining and optimizing Windows 7

About the Course


Windows 7 Administration Training

Getting Started With Windows 7 Administration Training

• Understand a few underpinnings, including

–Basic IPv4 and IPv6 address structures and requirements

–Overall Active Directory concepts, including Structures, User groups, Organizational Units

• Expand your foundational knowledge with these Train Signal products

–Group Policy

–Active Directory

–TCP/IP

–Networking Fundamentals

Before You Begin

Windows 7 Administration Training

Getting Started With Windows 7 Administration Training

• Follow along at home

–Best possible certification preparation!

–Use the Lab Setup lesson to learn how to build your own complete lab environment

–Download trial Windows Server 2008 R2 software from Microsoft for the server build-out

• Make sure to take notes along the way

–Note the timestamp for particularly interesting topics so you can come back later to review

• Watch the videos in any order you like

• If something doesn’t make sense, go back and try it again

– If you still don’t quite get it, let us know in the Train Signal forums

How to Use the Course

Windows 7 Administration Training

Getting Started With Windows 7 Administration Training

• Before you take the certification exam

–Watch the lesson entitled “How to use Transcender to Prepare for a Certification Exam”

–Watch the “Preparing for Your MCTS: 70-680 Certification Exam” lesson at the end of this course

How to Use the Course


Windows 7 Administration Training

Getting Started With Windows 7 Administration Training

What We Covered

What we’re building

About your instructor

About the course

Before you begin

How to use the course

Windows 7 Administration Training

Instructor: Scott Lowe

Lab Setup

Windows 7 Administration Training

Lab Setup

In This Lesson:

Globomantics corporate network

Globomantics locations

Headquarters network details

Large regional office network details

Small regional office network details

Globomantics network diagram – logical

Lab overview

Lab network diagram – physical


Windows 7 Administration Training

Lab Setup

• The Windows 7 implementation team is focused on creating a deployment template for one of each location type

• Each location type is replicated in the course lab

–Headquarters (Columbia, MO)

– Large regional office – Southwest office (Scottsdale, AZ)

–Small regional office – Northeast office (Utica, NY)

–Mobile worker

Globomantics Corporate Network

[Map: Globomantics Locations. Globomantics HQ; Southwest Office (Scottsdale, AZ); Northeast Office (Utica, NY); Seattle, WA; Germantown, MD; Dallas, TX; Miami, FL]

Windows 7 Administration Training

Lab Setup

• Headquarters server naming convention

–Example: GM-File - The file server for HQ

• Network details for HQ

– IP address range: 172.16.5.1 to 172.16.5.254

–Subnet mask: 255.255.255.0

–Gateway: 172.16.5.254

–DNS: 172.16.5.1

Headquarters


Windows 7 Administration Training

Lab Setup

• Large regional office server naming convention

–Example: GM-SW-File - The file server for the Southwest regional office

• Network details for Scottsdale, AZ large regional office

– IP address range: 172.16.6.1 to 172.16.6.254

–Subnet mask: 255.255.255.0

–Gateway: 172.16.6.254

–DNS: 172.16.6.1

Large Regional Office

Windows 7 Administration Training

Lab Setup

• Small regional offices (Example: Northeast regional office) do not have dedicated servers

• Network details for Utica, NY small regional office

– IP address range: 172.16.7.1 to 172.16.7.254

–Subnet mask: 255.255.255.0

–Gateway: 172.16.7.254

–DNS: 172.16.5.1 (HQ DNS server)

Small Regional Office

Globomantics Corporate Network Diagram

• Globomantics Corporate Headquarters

–Network: 172.16.5.0, Subnet Mask: 255.255.255.0, Gateway: 172.16.5.254, DNS: 172.16.5.1

–Firewall: Inside 172.16.5.254, Outside 192.168.10.5

–GM-DC: Domain Controller (globomantics.com), DNS server, Windows 2008 R2, 172.16.5.1

–GM-Remote: Globomantics Remote Access Server, Windows 2008 R2, 172.16.5.2

–GM-File: Globomantics File and Print Server, Windows 2008 R2, 172.16.5.3

–GM-General: Globomantics General Purpose Server, Windows 2008 R2, 172.16.5.4

–GM-7-XXX: Globomantics Windows 7 Desktop Naming Convention, DHCP-assigned IP address

–GM-7-M-XXX: Globomantics Windows 7 Mobile Naming Convention, DHCP-assigned IP address

• Southwest Office

–Network: 172.16.6.0, Subnet Mask: 255.255.255.0, Gateway: 172.16.6.254, DNS: 172.16.6.1

–Firewall: Inside 172.16.6.254, Outside 192.168.10.6

–GM-SW-File: Southwest Office File Server, DNS server, Windows 2008 R2, 172.16.6.1

–GM-7-XXX: Globomantics Windows 7 Desktop Naming Convention, DHCP-assigned IP address

–GM-7-M-XXX: Globomantics Windows 7 Mobile Naming Convention, DHCP-assigned IP address

• Northeast Office

–Network: 172.16.7.0, Subnet Mask: 255.255.255.0, Gateway: 172.16.7.254, DNS: 172.16.5.1

–Firewall: Inside 172.16.7.254, Outside 192.168.10.7

–GM-7-XXX: Globomantics Windows 7 Desktop Naming Convention, DHCP-assigned IP address

–GM-7-M-XXX: Globomantics Windows 7 Mobile Naming Convention, DHCP-assigned IP address

• To other sites


Windows 7 Administration Training

Lab Setup

• For this course

–The various servers and Windows 7 workstations used in this course run on a Windows Server 2008 R2 Data Center machine under Hyper-V R2

• The Hyper-V R2 server is a Dell PowerEdge 2950 server with 32 GB RAM, 2 x quad core Xeon processors and just under 1 TB of disk space (RAID 5)

–Each Globomantics site is connected on a separate network adapter in the Hyper-V R2 server

–Each network adapter is connected to an actual firewall and then to my lab/home network

Lab Overview

Windows 7 Administration Training

Lab Setup

• For this course

–All servers are running Windows Server 2008 R2 RTM

–Each server has 1 GB of RAM assigned

–Windows Server 2008 R2 180-day trial software is available for download from http://www.microsoft.com/windowsserver2008/en/us/trial-software.aspx

–My lab goal: Mimic as closely as possible a real-world multisite environment

Lab Overview

Physical Lab Configuration

• Server: PowerEdge 2950, 32 GB RAM, 2 x Xeon X5355, 8 cores, Windows 2008 R2, Hyper-V R2

• VMs

–HQ: GM-DC, GM-Remote, GM-File, GM-General, Desktops

–Large Regional: GM-SW-File, Desktops

–Small Regional: Desktops

–Other needs: Mobile workers

• Hyper-V R2 server management

• Network adapters

–NIC 1: 192.168.0.197

–NIC 2: 172.16.5.253

–NIC 3: 172.16.6.253

–NIC 4: 172.16.7.253

• Firewalls

–172.16.5.254, 192.168.10.5

–172.16.6.254, 192.168.10.6

–172.16.7.254, 192.168.10.7

• Router: 192.168.0.1, 255.255.0.0

–To Internet

–To other computers in my home


Windows 7 Administration Training

Instructor: Scott Lowe

The Course Scenario

Windows 7 Administration Training

The Course Scenario

In This Lesson:

About Globomantics

The Globomantics regulatory environment

Recent security breach

Globomantics cost structure

Globomantics office locations

Specific technology challenges

Immediate needs

Large regional office needs

Small regional office needs

Mobile worker needs

Windows 7 project plan

Windows 7 Administration Training

The Course Scenario

• Rapidly growing distributor of pharmaceuticals

–Sells direct to consumers via the Internet

–Sells to doctor’s offices via mobile sales force

–Sells to pharmacies via mobile sales force

• Expanding mobile sales force

–Mobile workers need secure access to HQ

–Ease-of-use is critical

• Related Windows 7 technologies

–DirectAccess, VPN, BranchCache, Location-aware printing, Power management

About Globomantics


Windows 7 Administration Training

The Course Scenario

• Subject to numerous regulatory statutes

–HIPAA

– FTC consumer regulations

–PCI

• Security is a priority

–Protect customer health information

–The company must be PCI compliant

• Related Windows 7 technologies

–DirectAccess, VPN, encryption

The Globomantics Regulatory Environment

Windows 7 Administration Training

The Course Scenario

• A high level finance employee’s laptop was stolen

–The laptop hard drive contained very sensitive employee and customer information

• Business impact

–Globomantics suffered a significant fine and major PR fallout

–Globomantics senior management has directed the technology division to implement full-disk encryption on all mobile systems

• Related Windows 7 technologies

–BitLocker, BitLocker-To-Go, Encrypting File System (EFS), Windows Firewall, User Account Control, Windows Updates

Recent Security Breach

Windows 7 Administration Training

The Course Scenario

• Globomantics is concerned about the ever-rising cost of technology

–New initiatives must show a quick ROI

–Where possible, avoid cost increases

–Willing to expand IT department and spending, but only when absolutely necessary

• Business impact

–New technologies must be carefully evaluated

–The CIO thinks that Windows 7 features will show good ROI

• Related Windows 7 technologies

–BranchCache, BitLocker, DirectAccess, Automated deployment, Performance monitoring

Globomantics Cost Structure


Windows 7 Administration Training

The Course Scenario

• Headquarters

–Columbia, Missouri (pilot site)

• Primary regional offices

–Scottsdale, Arizona (pilot site)

–Germantown, Maryland

–Seattle, Washington

–Dallas, Texas

–Miami, Florida

• Secondary offices

–Utica, New York (pilot site)

–Sixteen others scattered throughout the states

Globomantics Office Locations

[Map: Globomantics Office Locations. Globomantics HQ; Southwest Office (Scottsdale, AZ); Northeast Office (Utica, NY); Seattle, WA; Germantown, MD; Dallas, TX; Miami, FL]

Windows 7 Administration Training

The Course Scenario

• Some Globomantics users are experiencing specific problems

–Performance problems with Windows Vista 64-bit

–Globomantics’ financial system runs only on Windows XP

• Related Windows 7 technologies

–64-bit architecture, Windows XP Mode

Specific Technology Challenges


Windows 7 Administration Training

The Course Scenario

• Globomantics’ quick growth has had a number of results

–A large desktop/laptop purchase supporting new employees is pending

–Some new employees will work from their homes

• Related Windows 7 technologies

–Automated deployment, DirectAccess, Location-aware printing

Immediate Needs

Windows 7 Administration Training

The Course Scenario

• Many HQ services accessed over a site-to-site connection

• Challenge: Files are not always synchronized between HQ and the large regional office file server in a timely manner

• Challenge: Bandwidth costs have been rising as traffic between large office and HQ grows

• Challenge: When mobile workers visit the office, they complain of problems printing documents

Large Regional Office Needs

Windows 7 Administration Training

The Course Scenario

• Small regional offices (Example: Northeast regional office) do not have dedicated servers

• All systems access Globomantics HQ over the Internet

• Challenge: Small offices are bandwidth-bound, resulting in loss of productivity as the Internet slows down

• Challenge: Adding bandwidth is expensive

• Challenge: Given the recent security breach, there is concern about the security of small office connectivity to HQ

• Challenge: When mobile workers visit the office, they complain of problems printing documents

Small Regional Office Needs


Windows 7 Administration Training

The Course Scenario

• Mobile workers work from their home, hotels and cars

• Challenge: A recent security breach has resulted in a directive to encrypt all mobile worker hard drives

• Challenge: Mobile workers have complained about their inability to access all HQ-based behind-the-firewall employee resources, resulting in lost productivity

• Challenge: Printing at regional offices

Mobile Worker Needs

Windows 7 Administration Training

The Course Scenario

• The Globomantics CIO has appointed us to

–Evaluate individual Windows 7 features for suitability against business goals

–Develop a Windows 7 implementation plan

• Create a deployment template for each pilot site type

–Deploy Windows 7 with business-necessary features

–Ensure that Windows 7 systems are operating at peak efficiency to realize maximum ROI

• Implementation team

–Me, a consultant helping you evaluate Windows 7

–You, a desktop specialist at Globomantics

Windows 7 Project Plan

Windows 7 Administration Training

Instructor: Scott Lowe

Introduction to Windows 7


Windows 7 Administration Training

Introduction to Windows 7

In This Lesson:

Business objectives

User interface enhancements

BranchCache

DirectAccess

BitLocker and BitLocker To Go

AppLocker

Windows XP Mode

Group Policy enhancements

Improved power management

32-bit vs. 64-bit Windows 7

Windows 7 editions comparison matrix

Windows 7 Administration Training

Introduction to Windows 7

• Windows 7 is the first version of Windows capable of unseating Windows XP as the corporate standard

• Globomantics sees major possibilities with Windows 7 and the CIO understands a lot of the appeal

• The company CIO wants to understand Windows 7’s new security features and mobility capabilities as well as simply understanding what’s changed since older versions of Windows

Scenario

Windows 7 Administration Training

Introduction to Windows 7

• Improve security in order to reassure customers that Globomantics takes their privacy seriously

• Improve employee productivity to increase sales and reduce expenses

• Contain rising communications infrastructure costs

• Maintain current, or close to current, levels of staffing in Information Technology

Business Objectives


Windows 7 Administration Training

Introduction to Windows 7

• Taskbar

• Aero Peek

• Aero Snap

• Aero Shake

User Interface Enhancements

Windows 7 Administration Training

Introduction to Windows 7

• New to Windows 7

• Requires Windows Server 2008 R2

• Expected Business Outcomes

–Allow Globomantics remote offices to cache HQ-based content on a local Windows Server 2008 R2 server or Windows 7 desktop

–Reduce bandwidth costs

BranchCache

[Diagram: BranchCache Operational Diagram. Headquarters: GM-File (Globomantics File and Print Server); Southwest Office: GM-SW-File (Southwest Regional Office File Server); Northeast Office: GM-7-XXX (Globomantics Windows 7 Desktop)]


Windows 7 Administration Training

Introduction to Windows 7

• New to Windows 7 and can replace traditional VPNs

• Requires Windows Server 2008 R2 as a host (GM-Remote)

• Expected Business Outcomes

–Remote and mobile workers enjoy seamless access to Globomantics HQ IT services

–Globomantics can remotely install software updates to mobile worker computers and enforce policies

–The ability to include remote computers in new policy updates improves regulatory compliance measures

DirectAccess

Windows 7 Administration Training

Introduction to Windows 7

• Improved in Windows 7

• Provides full disk encryption services

• Encrypts USB-based removable storage devices

• Expected Business Outcomes

–Mobile system security is vastly improved leading to greater customer confidence and fewer regulatory issues

–Centralized encryption keys mean fewer headaches for IT staff

BitLocker and BitLocker To Go

Windows 7 Administration Training

Introduction to Windows 7

• New in Windows 7

• Evolved from Software Restriction Policies

• Provides granular application control to help prevent execution of unauthorized software

• Expected Business Outcomes

– Improve overall security of the Globomantics desktop environment

–Maintain high levels of productivity by denying use of unauthorized software and reducing malware infestations

AppLocker


Windows 7 Administration Training

Introduction to Windows 7

• New in Windows 7

• Leverages virtualization technology to ensure software compatibility

• Runs software inside a virtualized copy of Windows XP SP3 delivered to the Windows 7 desktop via RDP

• Expected Business Outcomes

–Globomantics’ financial application will run under Windows 7 using Windows XP Mode

–Migration to Windows 7 will be streamlined

Windows XP Mode

Windows XP Mode Operational Diagram

Windows 7 Administration Training

Introduction to Windows 7

• Windows 7 includes dozens of new Group Policies providing more centralized management of the environment

• Expected Business Outcomes

–Globomantics will enjoy improved security through centralized enforcement of Group Policies

–Desktop management TCO is reduced through efficient, centralized resource management

Group Policy Enhancements


Windows 7 Administration Training

Introduction to Windows 7

• Windows 7 is much more granular in managing power

–Even audio chips are power-managed

• Ambient light sensors are now supported

• Expected Business Outcomes

–Reduced power bills for Globomantics

– Longer battery life for mobile workers equates to increased productivity

Improved Power Management

Windows 7 Administration Training

Introduction to Windows 7

• 64-bit editions of Windows are increasing in popularity

–Support for large memory needs

• 32-bit RAM limit: 4 GB (Starter – 2 GB)

• 64-bit RAM limit

– Professional, Enterprise, Ultimate: 192 GB

– Home Premium: 16 GB

– Home Basic: 8 GB

32-bit vs. 64-bit

Windows 7 Administration Training

Introduction to Windows 7

• 64-bit considerations

–Processor must support 64-bit operating systems

–Software must be compatible with 64-bit OS (or, use Windows XP Mode)

–Hardware devices must have available 64-bit drivers

–Cannot upgrade from 32-bit to 64-bit: Must reinstall

32-bit vs. 64-bit


Windows 7 Editions Comparison Matrix

• Editions compared: Starter, Home Basic, Home Premium, Professional, Enterprise, Ultimate

• Features compared: BranchCache, DirectAccess, BitLocker, AppLocker, Windows XP Mode, Group Policy enhancements, Improved power management, 32- and 64-bit editions, User interface enhancements

Windows 7 Administration Training

Introduction to Windows 7

What We Covered

Business objectives

User interface enhancements

BranchCache

DirectAccess

BitLocker and BitLocker To Go

AppLocker

Windows XP Mode

Group Policy enhancements

Improved power management

32-bit vs. 64-bit Windows 7

Windows 7 editions comparison matrix

Windows 7 Administration Training

Instructor: Scott Lowe

Installing Windows 7


Windows 7 Administration Training

Installing Windows 7

In This Lesson:

Identifying Windows 7 requirements

Upgrade and migration limitations

Upgrading between Windows 7 editions

Installing Windows 7

Upgrading Windows Vista to Windows 7

Dual booting Windows 7

Migrating from Windows XP to Windows 7

Migrating user profiles with Windows Easy Transfer

User State Migration Tool

Windows 7 Administration Training

Installing Windows 7

• Windows 7 is the first version of Windows capable of unseating Windows XP as the corporate standard

• Globomantics sees major possibilities with Windows 7 and the CIO understands a lot of the appeal

• The company CIO wants to understand Windows 7’s new security features and mobility capabilities as well as simply understanding what’s changed since older versions of Windows

• Globomantics pilot project

–Will use a combination of installations

• Existing Vista machines will simply be upgraded to Windows 7 – apps already work

• Windows XP machines will dual boot with Windows 7

Scenario

Windows 7 Administration Training

Installing Windows 7

• Different Windows 7 editions have different requirements

• Use the Windows 7 Upgrade Advisor

–Verifies that hardware is ready for Windows 7

–Checks installed software for Windows 7 compatibility

– If problems are found and there are solutions, those solutions are presented

Identifying Windows 7 Requirements


Windows 7 Requirements Matrix

• Editions: Starter, Home Basic, Home Premium, Professional, Enterprise, Ultimate

• Processor: 1 GHz or faster minimum

• RAM: 512 MB, or 32-bit: 1 GB or 64-bit: 2 GB, depending on edition

• Disk Space: 32-bit: 16 GB or 64-bit: 20 GB

• Graphics: DirectX 9 graphics processor, or DirectX 9 graphics processor with WDDM, depending on edition

Windows 7 Administration Training

Installing Windows 7

• Upgrade limitations

–Upgrades cannot be performed between 32-bit and 64-bit systems

• To move from 32-bit to 64-bit or back, you must perform a new installation

–You cannot upgrade from Windows XP and earlier versions of Windows to Windows 7; you must migrate instead

• You must perform a new installation or a dual-boot installation

• Move user files from Windows XP to new Windows 7 system

Upgrade and Migration Limitations

Windows 7 Administration Training

Installing Windows 7

• Windows Anytime Upgrade

–Upgrade to more feature-filled editions of Windows 7 by using Windows Anytime Upgrade

–Only 32-bit to 32-bit and 64-bit to 64-bit Anytime upgrades are allowed

• You cannot upgrade from 32-bit to 64-bit or downgrade from 64-bit to 32-bit

–You cannot downgrade editions

• You can only move up the edition chart, not down

Upgrading Between Windows 7 Editions


Upgrades

• Windows 7 Editions: Starter, Home Basic, Home Premium, Professional, Enterprise, Ultimate

• Windows Vista (SP1, SP2), 32-bit to 32-bit or 64-bit to 64-bit only: Home Basic, Home Premium, Business, Enterprise, Ultimate

• Windows 7 Anytime Upgrade, 32-bit to 32-bit or 64-bit to 64-bit only: Starter, Home Basic, Home Premium, Professional, Enterprise, Ultimate

Windows 7 Administration Training

Installing Windows 7

• Installation options for a new machine

–Clean installation – new machine with no existing operating system

–Dual boot installation – run two operating systems side-by-side on the same computer

–Upgrade – in-place upgrade to Windows 7 from Windows Vista

–Migration – upgrade to Windows 7 from Windows Vista or Windows XP

Installing Windows 7

Windows 7 Administration Training

Installing Windows 7

• Installation types

–Standard installation

• For the initial phase of the pilot project being covered in this lesson, Globomantics will focus on standard installations

–Unattended installation

• Allows an administrator a mostly hands-off installation

• We will cover automated installations in the Deploying Windows 7 Machines lesson

Installing Windows 7


Windows 7 Administration Training

Installing Windows 7

• Media options

–DVD – included in Windows 7 retail boxes and often created after downloading an ISO file and burning it

– ISO – generally used by those with Microsoft licensing agreements

–USB drive – allows administrators to customize the installation source

–Network share – used with automated installations

Installing Windows 7

Windows 7 Administration Training

Installing Windows 7

• Only Windows Vista supports an in-place upgrade to Windows 7

• At the end of the upgrade, the system operates just like it did before, except with Windows 7

–Documents, files, and applications remain intact and in place

• If the upgrade fails, the system rolls back to Windows Vista

• An upgrade from Windows Vista to Windows 7 is initiated from a running Vista system

Upgrading Windows Vista to Windows 7

Windows Vista to Windows 7 Upgrade Walkthrough


Windows 7 Administration Training

Installing Windows 7

• Dual booting allows users to select the operating system that will be loaded at boot time

• During the early pilot phase of the Windows 7 implementation project, Globomantics Windows 7 pilot desktops will be dual booted between Windows XP and Windows 7

–Easier for staff to revert to Windows XP in the event of an unanticipated problem

• The computer must have one of the following

–Dual hard drives

–Enough space to create a second partition to which Windows 7 will be installed

• Partitions are discussed in the lesson entitled Understanding Windows 7 Storage

Dual Booting Windows 7

Windows 7 Administration Training

Installing Windows 7

• Windows 7 can dual boot – run side-by-side – with a variety of operating systems, including Windows XP, Vista, Linux and more

• Steps

–Make sure you have your Windows 7 media and product key

–Partition the hard drive to make room for Windows 7

• For Windows XP, use GParted, an open source tool

• Windows Vista has its own partitioning tools

• Can also simply add a second hard drive

– Install Windows 7 onto the new partition/drive

Dual Booting Windows 7

Windows 7 Administration Training

Installing Windows 7

• Post dual boot walkthrough steps

–Choosing the default operating system

• GUI: Via the Control Panel

• Command line: Using the BCDEDIT utility

– Requires a command prompt executed with administrator privileges

• Important notes

–The Windows 7 installation is a new installation

–Applications need to be reinstalled

–User profiles and data need to be migrated

• Migrating profiles is covered in the next section

Dual Booting Windows 7
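
Choosing the default operating system from the command line, as an added example that is not part of the original course material: a PowerShell wrapper around bcdedit that checks for elevation, exports a backup of the boot store, then sets the default entry and the boot menu timeout. The function names, the backup path and the assumption that Windows XP appears as the legacy `{ntldr}` entry are choices made for this example; confirm the identifiers in the `bcdedit /enum` output before changing anything.

```powershell
# Added example (not from the course): choose the default OS on a Windows XP /
# Windows 7 dual-boot machine with bcdedit. Run it from the Windows 7 side.
# Written for PowerShell 2.0, the version that ships with Windows 7.

function Test-IsElevated {
    # bcdedit can only modify the boot configuration store from an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-DefaultBootEntry {
    param(
        [ValidateSet('Windows7', 'WindowsXP')]
        [string]$Target = 'Windows7',

        # Seconds the boot menu waits; the 0-300 bound is a choice made for this example.
        [ValidateRange(0, 300)]
        [int]$TimeoutSeconds = 10,

        # Hypothetical backup location for the exported boot store.
        [string]$BackupPath = 'C:\bcd-backup.bcd'
    )

    if (-not (Test-IsElevated)) {
        throw 'Run this from a PowerShell prompt started with "Run as administrator".'
    }

    # Keep a copy of the boot store so a bad change can be undone with:
    #   bcdedit /import <file>
    & bcdedit.exe /export $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit /export failed (exit code $LASTEXITCODE)."
    }

    # List the Boot Manager and all loader entries so the identifiers can be checked.
    & bcdedit.exe /enum | Out-Host

    # {current} is the running Windows 7 installation. {ntldr} is the legacy loader
    # entry that starts Windows XP (assumed here; verify it in the /enum output).
    # The identifier is passed in a variable because PowerShell would otherwise
    # parse the braces as a script block.
    if ($Target -eq 'WindowsXP') { $id = '{ntldr}' } else { $id = '{current}' }

    & bcdedit.exe /default $id | Out-Host
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit /default $id failed (exit code $LASTEXITCODE)."
    }

    & bcdedit.exe /timeout $TimeoutSeconds | Out-Host
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit /timeout failed (exit code $LASTEXITCODE)."
    }

    return $id
}

# Example: boot Windows XP by default and show the boot menu for 15 seconds.
# Set-DefaultBootEntry -Target WindowsXP -TimeoutSeconds 15
```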


Windows XP to Windows 7 Dual Boot Walkthrough

Windows 7 Administration Training

Installing Windows 7

• Windows XP cannot be upgraded to Windows 7

–You must instead perform either a new/clean installation or dual boot the system

–After installation, applications must be reinstalled

• Migrate user profiles and data from Windows XP to Windows 7

– If you installed Windows 7 in a dual boot configuration, you also need to migrate user profiles and data

Migrating from Windows XP to Windows 7

Windows XP to Windows 7 Migration Walkthrough


Windows 7 Administration Training

Installing Windows 7

• Roaming profiles negate the need for migrating profiles between machines

–Globomantics does not use roaming profiles due to network bandwidth requirements

• Local user profiles include

–Documents and other files

– Internet bookmarks

–Backgrounds

–E-mail account information

–Custom application settings

–Windows settings

• For a few initial phase pilot users, Globomantics will migrate profiles from XP to Windows 7

Migrating User Profiles

Windows 7 Administration Training

Installing Windows 7

• Windows Easy Transfer - Transfers information between Windows installations

–Supports a number of data transfer methods

• Easy Transfer cable – connects two computers via their USB ports

• Network – transfer data between computers over the network (Globomantics option)

• Portable hard drive – save profile information from source system to a portable drive and load to new system

• CD/DVD media – same as above, except with a CD or DVD

Windows Easy Transfer

Windows 7 Administration Training

Installing Windows 7

• Automates user profile migration

–Well-suited for large migrations

• Does not support the Windows Easy Transfer cable

• Part of the Windows Automated Installation Toolkit (WAIK)

• USMT is not covered here, but will be discussed in the lesson entitled Deploying Windows 7 Machines

User State Migration Tool (USMT)


Windows 7 Administration Training

Installing Windows 7

What We Covered

Identifying Windows 7 requirements

Upgrade and migration limitations

Upgrading between Windows 7 editions

Installing Windows 7

Upgrading Windows Vista to Windows 7

Dual booting Windows 7

Migrating from Windows XP to Windows 7

Migrating user profiles with Windows Easy Transfer

User State Migration Tool

Windows 7 Administration Training

Installing Windows 7

Key Terms You Should Know

Upgrade—moving in-place from one version of Windows to another

Migration—moving from one version of Windows to another without performing an in-place upgrade; requires the manual migration of user profiles after installation

User profiles—all personal information stored on a user's PC, including application settings and Internet bookmarks

Windows 7 Administration Training

Instructor: Scott Lowe

Deploying Windows 7


Windows 7 Administration Training

Deploying Windows 7

In This Lesson:

Globomantics deployment plan

Windows 7 deployment enhancements

Specific lesson goals

Deployment types

Pre-deployment tools

Thick vs. thin images

Deployment strategies

Understanding image capture tools

Image deployment options

Capture and deployment process overview

User State Migration Tool (USMT)

Automated installation methods

Windows 7 Administration Training

Deploying Windows 7

• Globomantics IT staff runs a lean and mean shop and group

• The company can’t afford to send IT staff to visit each and every computer in every location to facilitate deployment

• Business needs

– For organizations that have more than a few PCs, manual Windows 7 deployment is an inefficient rollout strategy

–Manual labor and travel result in major costs

–Managing desktops already has a high total cost of ownership (TCO)

–Use automated deployment tools to help automate this process and bring down costs

Scenario

Windows 7 Administration Training

Deploying Windows 7

• Globomantics uses the following deployment strategy:

–Thick system image. Includes applications and Windows Updates right in the system image.

– Lite Touch Installation. Takes most of the manual processing out of deployment, but requires some human intervention.

–Deployment. Systems are imaged at HQ and sent to regional offices.

• Globomantics does not currently own System Center Configuration Manager 2007 R2

–http://www.trainsignal.com/System-Center-Configuration-Manager-P71.aspx

– {End of shameless plug}

Globomantics Deployment Plan


Windows 7 Administration Training

Deploying Windows 7

• Optimizes deployment with improved driver handling through Dynamic Driver Provisioning

–Reduces image sizes by dynamically matching drivers to existing hardware during deployment, and then pulls them from a central store

• Multicast multiple stream transfer

–Deploy multiple images simultaneously across networks more efficiently

• Virtual Hard Disk image management and deployment

–VHD files provide additional deployment and operational flexibility

• Streamlined installation and file migration

–Overall better installation and deployment experience

Windows 7 Deployment Enhancements

Windows 7 Administration Training

Deploying Windows 7

• Too many deployment options and scenarios to cover in a single lesson

–Deployment could be a complete course by itself

• Goals

–Understand the myriad of deployment options

–Cover a repeatable, documented, real-world deployment scenario

–Be able to apply the lessons learned through understanding deployment options and covering a real world scenario to other deployment needs

• Recommendation

–Practice, practice, practice

Specific Lesson Goals

Windows 7 Administration Training

Deploying Windows 7

• Manual/semi-automated/high touch

–Small number of computers

–Covered in the lesson entitled Installing Windows 7

• Lite Touch Installation (LTI)

–Well-suited for medium sized organizations that do not have a need for a more automated deployment system

–Often used in conjunction with a "thick" system image, but can be used with thin images

• Zero Touch Installation (ZTI)

–Best suited for large, distributed organizations that deploy new systems and applications in a non-centralized manner

–Often used in conjunction with thin system images

Deployment Types

Page 29: Notes

Windows 7 Administration Training

Deploying Windows 7

• Thick image

–Complete system image with all applications and updates

–May take longer to deploy to individual computers, but results in an immediately usable system upon completion

• Thin image

–Minimal system image; often operating system only

–Applications and updates are installed either manually or through the use of some other software management system, such as System Center Configuration Manager 2007 and/or App-V

• Hybrid Image

–Combination of thin and thick image types

Thick vs. Thin Images

Windows 7 Administration Training

Deploying Windows 7

• Application Compatibility Toolkit (ACT) – A tool to evaluate and mitigate application compatibility issues as they pertain to Windows 7

–Requires a SQL Server to house reporting data

• Microsoft Assessment and Planning Toolkit (MAP) – Performs an audit of your existing environment and provides inventory, assessment and reporting capabilities to assist in planning a Windows 7 rollout

Pre-Deployment Tools

Windows 7 Administration Training

Deploying Windows 7

• Windows Automated Installer Kit (WAIK) – WAIK is a collection of tools designed to assist in the deployment of Windows 7

–Windows System Image Manager (SIM) – Creates and manages unattended Windows Setup answer files

–SysPrep – Prepares a computer for imaging by configuring the computer to create a new security identifier at startup

– ImageX – Used to capture, create, modify, and apply Windows images

–Windows Preinstallation Environment (WinPE) – A minimal system used to deploy Windows

–User State Migration Tool (USMT) 4.0 – Used to migrate user information from older versions of Windows to Windows 7

• Oscdimg – Creates an ISO image of a WinPE installation

Understanding Image Capture Tools

Page 30: Notes

Windows 7 Administration Training

Deploying Windows 7

• Manually

–Discussed in the lesson entitled Installing Windows 7

• Semi-automated

–Discussed in this lesson

• Using Windows Deployment Services and Microsoft Deployment Toolkit 2010

–Beyond the scope of this lesson

–Bonus video: Automating Deployment of Windows 7 Machines

• System Center Configuration Manager 2007 R2

–Beyond the scope of this course

–Discussed in TrainSignal's System Center Configuration Manager 2007 R2 course

Image Deployment Options

Windows 7 Administration Training

Deploying Windows 7

• Create the capture and deployment environment

• Build and validate an answer file

• Build the reference installation

• Create bootable Windows PE media

• Capture the installation – network or VHD file

• Deploy new computers – from network or VHD file

Capture and Deployment Process overview

Windows 7 Administration Training

Deploying Windows 7

• Software

–Windows 7 media

–The Windows AIK

• Hardware

–Management computer – A computer to which the Windows AIK and other tools can be installed

–Reference computer – A new computer that can be used as the deployment reference system

–Target computer – A new computer to which you can deploy a newly captured image

• Other

–All systems connected to the network

Image Capture and Deployment Prerequisites

Page 31: Notes

Windows 7 Administration Training

Deploying Windows 7

• Target: Management computer

–Purpose

• Installs the Windows AIK and makes available the tools necessary to create, capture and deploy a Windows image

–Need: Windows AIK

• Download and install the Windows AIK

– http://www.microsoft.com/downloads/details.aspx?FamilyID=696dd665-9f76-4177-a811-39c26d3b3b34&displaylang=en

Create the Capture and Deployment Environment

Windows 7 Administration Training

Deploying Windows 7

• Target: Management computer

–Purpose

• The answer file configures Windows settings during installation such as default Internet Explorer settings, networking settings and other settings

–Need

• Windows 7 media

• Floppy disk or removable media to which you will save a new answer file

• Windows System Image Manager (SIM) tool (part of WAIK)

–Steps/Demo

Build and Validate the Answer File

Windows 7 Administration Training

Deploying Windows 7

• Target: Management computer

–Purpose

• Windows PE provides a minimal Windows environment in order to capture and deploy system images

• In this step, create the bootable WinPE disc

• The disc will include all tools necessary to complete the process

–Need

• Windows System Image Manager (SIM) tool (part of WAIK)

–Steps/Demo

Create Bootable Windows PE Media

Page 32: Notes

Windows 7 Administration Training

Deploying Windows 7

• Target: Reference computer

–Purpose

• The reference installation is the "gold master" image that will be deployed to the other computers in the organization

Build the Reference Installation

Windows 7 Administration Training

Deploying Windows 7

• Need

–Windows 7 media

–Media/drive with the answer file created in the previous step

–Any software to be made a part of the standard image (i.e. Microsoft Office)

–Any drivers for hardware that is to be included in standard image

–Windows AIK SysPrep utility – will generalize the system setup to make it possible to transfer the image to many other systems

• Steps/Demo

–Be sure to include /PersistAllDeviceInstalls switch when executing SysPrep's generalize command

Build and Generalize the Reference Installation

Windows 7 Administration Training

Deploying Windows 7

• Target: Reference computer

–Purpose

• Capture a generalized version of the reference image and save it to a network share

–Need

• Windows PE boot disc created earlier

• ImageX tool from the WAIK

– Included on the WinPE media

• Network connectivity

– A network share to which to save the reference image

–Steps/Demo

Capture the Installation (Network Share)

Page 33: Notes

Windows 7 Administration Training

Deploying Windows 7

• Target: New target computer

–Purpose

• Deploy the captured image to a new computer

–Need

• Windows PE boot disc created earlier

• Network connectivity

– Access to the network share to which the reference image was saved

–Steps/Demo

• After imaging, boot and test new system

Deploy to a Target Computer (Network Share)

Windows 7 Administration Training

Deploying Windows 7

• Included in the WAIK

• USMT is Windows Easy Transfer for enterprise users

• Captures user accounts, files, operating system settings and application settings

• Migrates these settings to a new Windows 7 installation

User State Migration Tool (USMT)

Windows 7 Administration Training

Deploying Windows 7

• Windows Deployment Services & Microsoft Deployment Toolkit 2010

–WDS is a component of Windows Server 2008 R2

–Replaces Remote Installation Services (RIS) and Automated Deployment Services (ADS)

–Provides automated network-based installation of Windows servers and desktop computers

–Extends the capability of the WAIK

–Offers an opportunity to script specific actions at points in time

• i.e. Post-deployment, automatically join the Windows 7 computer to the Active Directory domain

Automated Installation Methods

Page 34: Notes

Windows 7 Administration Training

Deploying Windows 7

What We Covered

Globomantics deployment plan

Windows 7 deployment enhancements

Specific lesson goals

Deployment types

Pre-deployment tools

Thick vs. thin images

Deployment strategies

Understanding image capture tools

Image deployment options

Capture and deployment process overview

User State Migration Tool (USMT)

Automated installation methods

Windows 7 Administration Training

Deploying Windows 7

Key Terms You Should Know

Windows System Image Manager (SIM)—Creates and manages unattended Windows Setup answer files

Thick image—A complete system image with all applications and updates

Thin image—A minimal system image; often operating system only

Lite Touch Installation—Takes most of the manual processing out of deployment, but requires some human intervention.

Zero Touch Installation (ZTI)—Best suited for large, distributed organizations that deploy new systems and applications in a non-centralized manner

Windows Automated Installer Kit (WAIK)—WAIK is a collection of tools designed to assist in the deployment of Windows 7

Windows 7 Administration Training

Deploying Windows 7

Key Terms You Should Know

SysPrep—Prepares a computer for imaging by configuring the computer to create a new security identifier at startup

ImageX—Used to capture, create, modify, and apply Windows images

Windows Preinstallation Environment (WinPE)—A minimal system used to deploy Windows

User State Migration Tool (USMT) 4.0—Used to migrate user information from older versions of Windows to Windows 7

Oscdimg—Creates an ISO image of a WinPE installation

Page 35: Notes

Windows 7 Administration Training

Deploying Windows 7

My Favorite Supporting Resources

1. Choosing a Deployment Strategy

2. Windows 7 Desktop Deployment Overview

3. Choosing an Image Strategy and Building Windows 7 System Images

4. Step-by-Step: Basic Windows Deployment for IT Professionals

5. Springboard Series Windows 7 IT Pro Work Template: Windows 7 Deployment Plan

6. Getting Started with the Windows AIK

7. Windows Automated Installation Kit (Windows AIK) Scenarios

8. MDT and WDS help deliver Windows 7 to attendees at TechEdAustralia

Windows 7 Administration Training Instructor: Scott Lowe

Managing Drivers and Hardware Devices

Windows 7 Administration Training

Managing Drivers and Hardware Devices

In This Lesson:

Using the Device Manager tool

Viewing device information with the System Information Tool

Understanding drivers

Driver installation methods

Managing installed drivers

The Driver Verifier utility

Managing hardware installation policies

Staging drivers with pnputil.exe

Adding device drivers to the driver store

Monitoring USB devices

Page 36: Notes

Windows 7 Administration Training

Managing Drivers and Hardware Devices

• Globomantics has an array of computing needs

– There is no single desktop hardware configuration

• Marketing: High end graphics adapters

• Other users: Mainstream configuration

• Make device installation seamless by pre-staging device drivers – lower TCO

• Help users get their work done by making sure that their necessary hardware devices work well and are well maintained

Scenario

Windows 7 Administration Training

Managing Drivers and Hardware Devices

• Viewing device and driver information

• View device resources

• Displaying hidden devices

Using Device Manager

Windows 7 Administration Training

Managing Drivers and Hardware Devices

• Using the System Information utility

–Much greater level of detail about system devices and resources

–Read-only

Using the System Information Utility

Page 37: Notes

Windows 7 Administration Training

Managing Drivers and Hardware Devices

• Device drivers enable communication between the operating system and hardware devices

• Driver facts

–Drivers are just software

–Not all drivers are created equal

–Driver issues are a major support hassle

–Drivers can create system instability

Understanding Drivers

Windows 7 Administration Training

Managing Drivers and Hardware Devices

• Windows Update

–New device drivers come right from Windows Update

• Disable this behavior to improve security and control what devices are installed

• Hardware installation disc

• Pre-staging drivers

–Globomantics will pre-deploy drivers for high-end graphics adapters to ease deployment

• Result: Better end-user experience

• Lower TCO

Driver Installation Methods

Windows 7 Administration Training

Managing Drivers and Hardware Devices

• Device and driver security

–Driver software runs with full system rights

–Signed vs. unsigned drivers

• Identify unsigned drivers with sigverif.exe

• Updating drivers

• Rolling back drivers

Managing Installed Drivers

Page 38: Notes

Windows 7 Administration Training

Managing Drivers and Hardware Devices

• Driver verifier

–Helps to determine root cause for driver-related issues including problems related to:

• Drivers that experience memory-based issues

• Poorly written drivers

–Requires a system restart

The Driver Verifier Utility

Windows 7 Administration Training

Managing Drivers and Hardware Devices

• Via Group Policy

–Allow and disallow installation of specific devices based on device ID

–Disable the installation of removable devices

–Create custom error messages to be displayed for users that attempt to install hardware

–Provide an administrative "back door" to allow IT staff to install any new hardware and drivers

Managing Hardware Installation Policies

Windows 7 Administration Training

Managing Drivers and Hardware Devices

• Use the pnputil.exe tool to manage the driver store

–Add a driver to the store using the -a parameter

• Download the driver package first

• Combine with -i to install the driver, too

–Show all third party drivers using the -e parameter

–Delete a driver from the store with the -d parameter

• Combine with the -f parameter to force deletion

Adding Device Drivers to the Driver Store

Page 39: Notes

Windows 7 Administration Training

Managing Drivers and Hardware Devices

• USB hub types

– Self-powered

– Bus-powered

• USB bandwidth

– Bandwidth-related error messages

• "USB controller bandwidth exceeded"

– USB bandwidth

• USB 1.0/1.1: 12 Mbps

• USB 2.0: 480 Mbps

• USB 3.0: 5 Gbps

– Gauging bandwidth use is a best effort task

• Not all devices report bandwidth back to Windows

Monitoring USB Devices

Windows 7 Administration Training

Managing Drivers and Hardware Devices

What We Covered

Using the Device Manager tool

Viewing device information with the System Information Tool

Understanding drivers

Driver installation methods

Managing installed drivers

The Driver Verifier utility

Managing hardware installation policies

Staging drivers with pnputil.exe

Adding device drivers to the driver store

Monitoring USB devices

Windows 7 Administration Training

Managing Drivers and Hardware Devices

My Favorite Supporting Resources

1. Using Driver Verifier to identify issues with Windows drivers for advanced users

2. What are basic and dynamic disks?

3. Windows and GPT FAQ

Page 40: Notes

Windows 7 Administration Training

Managing Drivers and Hardware Devices

Key Terms You Should Know

Driver—Software that provides a link from a computer operating system to a hardware device

Driver store—The location at which Windows stores device driver files, typically C:\Windows\System32\Drivers or C:\Windows\SysWOW64\Drivers

Signed driver—A digitally signed driver is from a traceable source

Unsigned driver—An unsigned driver can come from anywhere and may prove to be a system risk

Windows 7 Administration Training Instructor: Scott Lowe

Understanding Windows 7 Storage Options

Windows 7 Administration Training

Understanding Windows 7 Storage Options

In This Lesson:

Deconstructing basic disks

Disk Manager basic disk view – Master Boot Record (MBR)

MBR vs. GUID Partition Table disks

Disk Manager basic disk view – GPT

Understanding dynamic disks

Dynamic disk volume types

Volume types diagrams

Disk Manager dynamic disk view

Managing storage volumes

FAT vs. NTFS

Page 41: Notes

Windows 7 Administration Training

Understanding Windows 7 Storage Options

• Data is the lifeblood of Globomantics

• Some users have different storage needs

– Database administrators need additional storage protection

– Business analysts require speedy storage with a lot of capacity

• Understand storage options to make the best possible data availability decisions

• Choose storage options that enable high security levels

–Globomantics is recovering from a data breach that could have been prevented with better storage options

Scenario

Windows 7 Administration Training

Understanding Windows 7 Storage Options

• Partition

–A portion of a physical hard drive that can be formatted and used as an individual storage volume

• Primary partition

–A hard drive can have up to four primary partitions

–One partition is designated as active

–Active partitions boot the operating system

• Extended partition

–Think of this partition as a container

–This container can hold one or more volumes

–Storage volumes on an extended partition cannot be used to start the operating system

Deconstructing Basic Disks - MBR

Disk Manager Basic Disk View – Master Boot Record

Page 42: Notes

Windows 7 Administration Training

Understanding Windows 7 Storage Options

• MBR disks have limitations

– Limited number of primary partitions - Four

–Partition size limited to 2 TB

• GPT disks

–Pros

• Disks can have up to 128 partitions

• Partitions can be up to 256 TB in size

–Cons

• 32-bit Windows can't boot from GPT at all

• 64-bit Windows can boot from GPT only when the system has an Extensible Firmware Interface (EFI) BIOS

MBR vs. GPT Disks

MBR vs. GPT Disks (comparison table)

• Maximum Partition Size: MBR 2 TB; GPT 256 TB

• Maximum Partitions Per Physical Drive: MBR 4; GPT 128

• Windows Versions Supported: MBR All; GPT All Recent

• Bootable (32-bit / 64-bit): Only 64-bit systems with EFI BIOS can boot from GPT-based partitions

Limits pertain to Windows only. Other operating systems may provide additional capabilities.
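The four-partition limit, the active flag and the 2 TB ceiling all come from the on-disk layout of the MBR sector: four 16-byte table entries with 32-bit sector fields. The parser below is an added example, not part of the original course notes; the sample sector is constructed for illustration, the function names are hypothetical, and 512-byte sectors are assumed.

```python
import struct

SECTOR_SIZE = 512      # bytes per sector (assumption behind the 2 TB figure)
TABLE_OFFSET = 446     # the partition table follows 446 bytes of boot code
# One table entry: status, CHS start, type, CHS end, first LBA, sector count
ENTRY = struct.Struct("<B3sB3sII")
# The sector count is a 32-bit field, so one partition tops out at 2 TiB.
MAX_PARTITION_BYTES = (2 ** 32) * SECTOR_SIZE

KINDS = {
    0x05: "extended", 0x0F: "extended (LBA)",
    0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0xEE: "GPT protective",
}


def build_sector(entries):
    """Build a constructed MBR sector from (status, type, first_lba, sectors)."""
    table = b"".join(
        ENTRY.pack(status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for status, ptype, lba, count in entries
    ).ljust(4 * ENTRY.size, b"\0")
    return bytes(TABLE_OFFSET) + table + b"\x55\xaa"


def parse_mbr(sector):
    """Return the non-empty primary partition entries of an MBR sector."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR sector: wrong size or missing 55 AA signature")
    parts = []
    for slot in range(4):                      # only four slots exist
        status, _, ptype, _, lba, count = ENTRY.unpack_from(
            sector, TABLE_OFFSET + slot * ENTRY.size)
        if ptype == 0x00:                      # type 0 marks an unused slot
            continue
        parts.append({
            "slot": slot,
            "status": status,
            "active": status == 0x80,          # 0x80 is the boot (active) flag
            "type": ptype,
            "kind": KINDS.get(ptype, f"type 0x{ptype:02x}"),
            "first_lba": lba,
            "sectors": count,
            "size_bytes": count * SECTOR_SIZE,
        })
    return parts


def audit(parts):
    """Flag table states that are inconsistent for a bootable basic disk."""
    findings = []
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"slot {p['slot']}: invalid status 0x{p['status']:02x}")
        if p["active"] and p["kind"].startswith("extended"):
            findings.append(f"slot {p['slot']}: extended partition marked active")
        if p["type"] == 0xEE:
            findings.append(f"slot {p['slot']}: protective entry, disk is GPT")
    ordered = sorted(parts, key=lambda p: p["first_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["first_lba"] + a["sectors"] > b["first_lba"]:
            findings.append(f"slots {a['slot']} and {b['slot']} overlap")
    return findings


# Constructed sample: active 100 MB system partition, a data partition,
# and an extended partition acting as a container for logical volumes.
SAMPLE = build_sector([
    (0x80, 0x07, 2048, 204800),
    (0x00, 0x07, 206848, 1000000),
    (0x00, 0x05, 1206848, 500000),
])

if __name__ == "__main__":
    for part in parse_mbr(SAMPLE):
        print(part["slot"], part["kind"], part["active"], part["size_bytes"])
    print("max partition bytes:", MAX_PARTITION_BYTES)
    print("findings:", audit(parse_mbr(SAMPLE)))
```
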

Disk Manager Basic Disk View – GPT

Page 43: Notes

Windows 7 Administration Training

Understanding Windows 7 Storage Options

Understanding Dynamic Disks

• Overcome the limitations of Basic/MBR and Basic/GPT disks

–Support for about 2,000 dynamic volumes per disk

–Space – Extend volumes to span multiple disks

–Speed – Improve performance by striping across multiple disks

–Reliability – Improve reliability by mirroring data across multiple disks

Windows 7 Administration Training

Understanding Windows 7 Storage Options

• Disk volumes

–Simple

–Spanned

–Striped (RAID 0)

–Mirrored (RAID 1)

–RAID-5 volumes are shown in Disk Management, but not supported in Windows 7

Dynamic Disk Volume Types

Volume Types Diagram

• Simple Volume: 1

• Spanned Volume: 1

• Striped Volume: 1/3, 1/3, 1/3

• Mirrored Volume: 1, 1

• RAID 5 Volume: 1/2, 1/2, P

Legend: 1 = 1 unit of data; 1/x = fractional unit of data

Page 44: Notes

Disk Manager Dynamic Disk View

Windows 7 Administration Training

Understanding Windows 7 Storage Options

• Creating new volumes

–Choosing a disk and volume type

–Naming a volume

– Formatting volumes

• FAT vs. NTFS

• Changing a volume's drive letter

• Defragmenting disks

• Checking a volume for errors

• Viewing volume status

Managing Storage Volumes

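FAT vs. NTFS (comparison of FAT32, NTFS and exFAT)

• Maximum Volume Size: FAT32 32 GB/2 TB; NTFS 2 TB; exFAT 64 ZB

• Maximum File Size: FAT32 just under 4 GB; NTFS size of volume; exFAT 16 ZB

• Security: (entries not captured in this transcript)

• Windows Versions Supported (Native): FAT32 All; NTFS All NT-based; exFAT Vista SP1, 7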

Page 45: Notes

Windows 7 Administration Training

Understanding Windows 7 Storage Options

What We Covered

Deconstructing basic disks

Disk Manager basic disk view – MBR

MBR vs. GPT disks

Disk Manager basic disk view – GPT

Understanding dynamic disks

Dynamic disk volume types

Volume types diagrams

Disk Manager dynamic disk view

Managing storage volumes

FAT vs. NTFS

Windows 7 Administration Training

Understanding Windows 7 Storage Options

My Favorite Supporting Resources

1. What are basic and dynamic disks?

2. Windows and GPT FAQ

Windows 7 Administration Training

Understanding Windows 7 Storage Options

Key Terms You Should Know

Basic disk—The traditional disk type

Dynamic disk—A type of disk that enables advanced storage options, such as mirroring and striping

Page 46: Notes

Windows 7 Administration Training Instructor: Scott Lowe

Configuring Networking in Windows 7

Windows 7 Administration Training

Configuring Networking in Windows 7

In This Lesson:

Scenario

Managing network connections

TCP/IP recap

TCP/IP operational overview

TCP/IP subnetting overview

IPv6 recap

Configuring TCP/IP Settings

Configuring network adapters

Configuring Internet Connection Sharing (ICS)

Troubleshooting network connectivity

Windows 7 Administration Training

Configuring Networking in Windows 7

• Every device at Globomantics is a business tool, from the laptops carried by the sales team to every desktop PC in the company. A machine not connected to the Globomantics network doesn't provide any return. By the end of this lesson, you'll be able to provide Globomantics with expert-level assistance in configuring the network settings on Windows 7-based desktops and laptops

• Internet Connection Sharing is used in Globomantics' smaller offices to save costs on networking equipment

• All networks need troubleshooting, so you need to understand ways that you can correct networking issues

Scenario

Page 47: Notes

Windows 7 Administration Training

Configuring Networking in Windows 7

• Connecting to a wired network

–Viewing current network status

–Viewing the current network map

• Connecting to a wireless network

– If prompted, provide the wireless network password

–Most Globomantics offices have a wireless network

• Managing preferred wireless networks

Managing Network Connections

Windows 7 Administration Training

Configuring Networking in Windows 7

• TCP/IP components

–Network address – defines the address of the network as a whole

–Subnet mask – bounds the upper and lower ranges of the network address

– IP address – an individual identifier assigned to a resource

–Default gateway – the IP address of the router or firewall port that connects the local network to a larger network

–Router – a "layer 3" device responsible for connecting the local network to a larger network and handling incoming and outgoing network communications

TCP/IP Recap

Windows 7 Administration Training

Configuring Networking in Windows 7

• IP address types

–Public

–Private

• 10.0.0.0 to 10.255.255.255

• 172.16.0.0 to 172.31.255.255

• 192.168.0.0 to 192.168.255.255

• Network Address Translation (NAT)

–Allows private IP addresses to be used with public ones

• Special addresses

– First range address (often ends with .0) – network address

– Last range address (often ends with .255) – broadcast address

TCP/IP Recap

Page 48: Notes

Windows 7 Administration Training

Configuring Networking in Windows 7

• IP addresses

–Dotted decimal notation is most common

–Are representations of binary numbers which can be converted to a decimal number

–209.85.225.106 = 11010001.01010101.11100001.01101010 = 3512066410

• Subnetting – breaking a large network down into smaller chunks

–Reduces broadcast traffic

–Reduces collisions

–Can improve security

TCP/IP Recap

Windows 7 Administration Training

Configuring Networking in Windows 7

• Dynamic Host Configuration Protocol (DHCP) server – provides automated IP address assignment services

–Globomantics uses DHCP for client computers

–Globomantics desktop technicians sometimes input manual IP addresses when troubleshooting

–DHCP can pass other configuration information to clients

–Automatic Private IP Addressing (APIPA) is used when a DHCP server is not present

• Domain Name System (DNS) – provides a method to resolve friendly names into IP addresses

– i.e. www.google.com = 209.85.225.10

TCP/IP Recap

TCP/IP Operational Overview

[Diagram: Globomantics SW Office network. Network: 172.16.6.0, Subnet Mask: 255.255.255.0. Devices shown: GM-7-Desktop (Globomantics Windows 7 Desktop), GM-7-M-X (Globomantics Windows 7 Mobile), GM-SW-File (Globomantics Server, DHCP/DNS) and a Firewall/Router labelled Default Gateway. Addresses shown: 172.16.6.1, 172.16.6.2, 172.16.6.3, 172.16.6.254 and 192.168.10.5. An address list covering 172.16.6.2 through 172.16.6.6 is marked Allocated / Available.]

Page 49: Notes

TCP/IP Subnetting Overview

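192.168.0.x network with 26-bit subnet mask

• 1st subnet – Network: 192.168.0.0; Address Range: 192.168.0.1 to 192.168.0.62; Broadcast Address: 192.168.0.63; Subnet Mask: 255.255.255.192; Subnet Mask (bits): 26 bits

• 2nd subnet – Network: 192.168.0.64; Address Range: 192.168.0.65 to 192.168.0.126; Broadcast Address: 192.168.0.127; Subnet Mask: 255.255.255.192; Subnet Mask (bits): 26 bits

• 3rd subnet – Network: 192.168.0.128; Address Range: 192.168.0.129 to 192.168.0.190; Broadcast Address: 192.168.0.191; Subnet Mask: 255.255.255.192; Subnet Mask (bits): 26 bits

• 4th subnet – Network: 192.168.0.192; Address Range: 192.168.0.193 to 192.168.0.254; Broadcast Address: 192.168.0.255; Subnet Mask: 255.255.255.192; Subnet Mask (bits): 26 bits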
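The address conversion from the TCP/IP recap and the four-subnet breakdown above can be reproduced with Python's standard ipaddress module. This is an added example, not part of the original course notes; the function names are illustrative, and the addresses are the ones used on the slides.

```python
import ipaddress


def to_binary(addr: str) -> str:
    """Dotted-decimal IPv4 address as dotted binary, eight bits per octet."""
    packed = ipaddress.IPv4Address(addr).packed  # raises on a malformed address
    return ".".join(f"{octet:08b}" for octet in packed)


def to_integer(addr: str) -> int:
    """The same 32 bits read as one decimal number."""
    return int(ipaddress.IPv4Address(addr))


def split_network(cidr: str, new_prefix: int) -> list:
    """Split a network into equal subnets and describe each one."""
    if new_prefix > 30:
        raise ValueError("prefixes longer than /30 leave no usable host range")
    rows = []
    for subnet in ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix):
        rows.append({
            "network": str(subnet.network_address),      # first address
            "mask": str(subnet.netmask),
            "bits": subnet.prefixlen,
            "first_host": str(subnet.network_address + 1),
            "last_host": str(subnet.broadcast_address - 1),
            "broadcast": str(subnet.broadcast_address),  # last address
        })
    return rows


def same_subnet(host_a: str, host_b: str, mask: str) -> bool:
    """True when both hosts share a network address under the given mask.

    Hosts in different subnets can only reach each other through the
    default gateway, which is where a router or firewall can filter traffic.
    """
    network = ipaddress.ip_interface(f"{host_a}/{mask}").network
    return ipaddress.ip_address(host_b) in network


if __name__ == "__main__":
    print(to_binary("209.85.225.106"), to_integer("209.85.225.106"))
    for row in split_network("192.168.0.0/24", 26):
        print(row)
    # Two hosts on the 192.168.0.x network that land in different /26 subnets
    print(same_subnet("192.168.0.10", "192.168.0.70", "255.255.255.192"))
```
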

Windows 7 Administration Training

Configuring Networking in Windows 7

• IPv6 facts

– Larger address space

• IPv4 addresses are running out

– 2^32 addresses = 4,294,967,296

– More "always on" devices

– More Internet users

• IPv6 = 2^128 addresses

– Eliminates needs for a number of workarounds, including Network Address Translation

– Stateless address configuration

– DHCPv6 can be used to provide more capability

IPv6 Recap

Windows 7 Administration Training

Configuring Networking in Windows 7

• IPv6 is not in widespread use

• IPv6 address types

– Link local—locally and automatically configured IPv6 addresses for networks without a DHCP server

–Site local—private, non-routable IPv6 addresses

–Global—an everyday, routable IPv6 address either manually configured or obtained via DHCP

–Special IPv6 addresses

• Unspecified IPv6 address—0:0:0:0:0:0:0:0 (::0)

• Loopback—in IPv4 parlance, 127.0.0.1; for IPv6, 0:0:0:0:0:0:0:1 (::1)

– Always the local machine

IPv6 Recap

Page 50: Notes

Windows 7 Administration Training

Configuring Networking in Windows 7

• Managing TCP/IP settings via the graphical user interface

–Configuring IP address information

• Manual information

• Configuring for DHCP (the Globomantics standard)

• Managing TCP/IP settings via the netsh shell - manual

– IPv4: netsh interface ipv4 or netsh interface ip

• netsh interface ip set address "Local Area Connection" static 172.16.6.2 gateway=172.16.6.254

• netsh interface ip set dnsservers "Local Area Connection" static 172.16.6.1

• Managing TCP/IP settings via the netsh shell - DHCP

• netsh interface ip set address name="Local Area Connection" source=DHCP

Configuring TCP/IP Settings

Windows 7 Administration Training

Configuring Networking in Windows 7

• Globomantics wants to force the network link speed and duplex due to an issue with some network switches

• Configure device power settings to conserve power

Configuring Network Adapters

Windows 7 Administration Training

Configuring Networking in Windows 7

• Smaller Globomantics sites do not have network routers

• They rely on ICS

–Allows a single computer with two network adapters to share its Internet connection with other computers

–Windows 7 and Windows Server 2008 R2 both include ICS

• Requirements

–Two network adapters

–Administrative rights

– Firewall exceptions

Configuring Internet Connection Sharing (ICS)

Page 51: Notes

Internet Connection Sharing Overview

[Diagram: Internet Connection Sharing. Devices shown: GM-7-Desktop (Globomantics Desktop Computer), GM-7-M-1 and GM-7-M-2 (Globomantics Laptop Computers). Labels: ICS, To Internet.]

Windows 7 Administration Training

Configuring Networking in Windows 7

• On the computer that will share its connection

–Open the properties for the network adapter with the connection to the Internet

–Select the checkbox that reads Allow other network users to connect through this computer's Internet connection

• Make sure other clients are configured to use DHCP

Configuring Internet Connection Sharing

Windows 7 Administration Training

Configuring Networking in Windows 7

• netstat

–Display current network and TCP/IP connections

–View Ethernet & IPv4 stats and active connections

• netstat -e -s -p tcp

• tracert

–View each hop of the network path between the local system and a selected remote system

• tracert www.google.com

• ping

–Check the status of a remote system

–Check to see if the local system can reach a remote system

• ping www.google.com

Troubleshooting Network Connectivity

Page 52: Notes

Windows 7 Administration Training

Configuring Networking in Windows 7

• Fixing network issues – command line

–Resetting a network adapter's IP address

• Command line (ipconfig /release and /renew)

• Command line (ipconfig /release6 and /renew6)

–DNS issues

• Purge DNS cache: ipconfig /flushdns

• Refresh DHCP lease & register DNS names: ipconfig /registerdns

• Display contents of DNS cache: ipconfig /displaydns

Troubleshooting Network Connectivity

Windows 7 Administration Training

Configuring Networking in Windows 7

What We Covered

Scenario

Managing network connections

TCP/IP recap

TCP/IP operational overview

TCP/IP subnetting overview

IPv6 recap

Configuring TCP/IP Settings

Configuring Network Adapters

Configuring Internet Connection Sharing

Troubleshooting network connectivity

Windows 7 Administration Training

Configuring Networking in Windows 7

Key Terms You Should Know

Network address—defines the address of the network as a whole

Subnet mask—bounds the upper and lower ranges of the network address

IP address—an individual identifier assigned to a resource

Default gateway—the IP address of the router or firewall port that connects the local network to a larger network

Router—a "layer 3" device responsible for connecting the local network to a larger network and handling incoming and outgoing network communications

Page 53: Notes

Windows 7 Administration Training

Configuring Networking in Windows 7

My Favorite Supporting Resources

1. Internet Protocol version 6 (IPv6)

2. Internet Connection Sharing

Windows 7 Administration Training Instructor: Scott Lowe

Protecting Windows 7: Network

Windows 7 Administration Training

Protecting Windows 7

In This Lesson:

Network profiles / Network Location Awareness

Windows firewall management

Remote Desktop

Remote Assistance

Windows Remote Management Service (WinRM)

WinRM and PowerShell

Page 54: Notes

Windows 7 Administration Training

Protecting Windows 7

• Globomantics is recovering from a serious and very public security incident

• As a pharmaceutical company with direct customer contact, Globomantics falls under privacy regulations, including HIPAA

• Globomantics wants to make certain that every possible reasonable security measure is implemented, including firewalls, carefully configured remote management capabilities, user account control and various authentication and authorization features.

• Balancing security with usability will allow users to do their jobs while the company remains protected

Scenario

• Home network (Private)

–Trusted computers on a home network

–Network discovery is enabled

–Computer can be a member of a HomeGroup

• Work network (Private)

–Trusted computers on a work network

–Network discovery is enabled for computers

–Computer cannot be a member of a HomeGroup

• Domain network

–System is joined to an Active Directory domain

–Computer cannot be a member of a HomeGroup

• Public network

Network Profiles / Network Location Awareness

• Network profiles allow administrators to set granular policies based on the type of network to which the system is connected

• Firewall can be turned on or off for a particular network type

– i.e. turn off the firewall when system is connected to a domain and turn it back on when the system joins a public network

• Different profiles can be active simultaneously if the system is connected to multiple networks

Network Profiles

• Designed to protect computers by disallowing all but specifically allowed network traffic

• Windows Firewall can block both incoming and outgoing traffic

• The network profile dictates the set of firewall rules that will be applied for that connection

Windows Firewall Purpose and Capabilities

• As you add new programs to Windows, they need access to the network

• You can allow this access on a per program basis or by directly configuring network ports

–New firewall exception – enable ICMP/Ping

• Command line method

– netsh advfirewall firewall add rule name="PING4" protocol=icmpv4:any,any dir=in action=allow

• GUI method

• Rules/exceptions can be added on a per-profile basis

Allowing New Programs Access

• Configuring firewall notification settings

–Can be configured on a per-profile basis

• Resetting Windows Firewall to Defaults

–GUI

• Click Restore defaults in the Windows Firewall control panel applet

–Command line

• Execute the command 'netsh advfirewall reset'

Other Firewall Management Items
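
Added example (not part of the course material): a PowerShell 2.0 compatible check that parses the output of netsh advfirewall show allprofiles and flags any network profile where the firewall is off or inbound traffic is allowed by default. The function name and the sample output are constructed for illustration, and the parser assumes English-language netsh output.

```powershell
# Added example (not from the course). PowerShell 2.0 compatible.
# Parses the text printed by 'netsh advfirewall show allprofiles' and reports,
# per network profile, the firewall state and the default inbound/outbound
# policy. Assumes English-language netsh output.

function Get-FirewallProfileReport {
    param([string[]]$NetshOutput)

    $report  = @()
    $current = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            # A new profile section starts here
            $current = New-Object PSObject -Property @{
                Profile = $Matches[1]; State = ''; Inbound = ''; Outbound = ''; Finding = ''
            }
            $report += $current
        }
        elseif ($current -and $line -match '^State\s+(\S+)') {
            $current.State = $Matches[1]
        }
        elseif ($current -and $line -match '^Firewall Policy\s+([^,\s]+),(\S+)') {
            $current.Inbound  = $Matches[1]
            $current.Outbound = $Matches[2]
        }
    }

    foreach ($p in $report) {
        if ($p.State -ne 'ON') {
            $p.Finding = 'Firewall is off for this profile'
        }
        elseif ($p.Inbound -notlike 'BlockInbound*') {
            $p.Finding = 'Inbound traffic is allowed by default'
        }
        else {
            $p.Finding = 'OK'
        }
    }
    $report | Select-Object Profile, State, Inbound, Outbound, Finding
}

# Constructed sample output: the firewall has been turned off for the domain profile
$sample = @'
Domain Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
'@ -split "`r?`n"

Get-FirewallProfileReport -NetshOutput $sample | Format-Table -AutoSize

# On a live system:
# Get-FirewallProfileReport -NetshOutput (netsh advfirewall show allprofiles)
```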

• Allows a user to connect to the desktop from a remote computer and operate it as if he were sitting at the console

• Must be explicitly enabled – default is set to not allow remote connections

–Allow connections from computers running any version of Remote Desktop

–Allow connections only from clients running Remote Desktop with Network Level Authentication (XP SP3, Vista, Windows 7)

• You must specifically identify which users can connect remotely

Remote Desktop

• A new session can be established

• A remote session can be established that assumes control of an existing desktop session

• A different user can initiate a remote desktop session, but doing so results in a dialog box asking permission since the currently logged in user will be logged off

• Example

–Configure Remote Desktop from the Remote tab in System Properties

Remote Desktop

• Commonly used by tech support personnel to help a user troubleshoot a problem

• Initiated by the user having troubles

• Uses a time-limited invitation that allows the remote user access to the desktop

• More secure invitations can be created, but only users using Vista or Windows 7 can respond to them

• Examples

–Configure Remote Assistance from the Remote tab in System Properties

–Requesting remote assistance

Remote Assistance

• WinRM enables command-line and PowerShell based management of remote systems

• Requires that the WinRM service first be configured on the remote system

– From administrator command prompt: winrm quickconfig

• Starts the winrm service and sets it to start automatically

• Creates a "WinRM listener" to allow incoming WinRM connections to be serviced

• Creates a WinRM exception in the firewall

Windows Remote Management Service (WinRM)

• If the systems are not in the same domain, a trust relationship must be established

–winrm set winrm/config/client @{TrustedHosts="XXXX"}

• Needed if you want to manage remotely via PowerShell

–Via group policy

• Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management

• Example

–Get a directory listing from a remote computer named gm-7-075

• WinRS -r:gm-7-075 dir

– WinRS = Windows Remote Shell

Windows Remote Management Service (WinRM)

• Remote management via PowerShell

–Requires that you enable WinRM as previously discussed

–You must be using PowerShell V2, the default in Windows 7

–Use icm (Invoke-Command alias) to run a command on a different machine

• Example

–Start PowerShell with administrative rights

• icm gm-7-075 { Get-WmiObject -Class Win32_ComputerSystem }

WinRM and PowerShell
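
Added example (not part of the course material): computers named in the WinRM client's TrustedHosts value are connected to without the client authenticating the server's identity, so the value set with winrm set above deserves a review. The function names and sample values below (including the globomantics.example domain) are constructed for illustration.

```powershell
# Added example (not from the course). PowerShell 2.0 compatible.
# Classifies each entry of a WinRM client TrustedHosts value. Hosts listed
# there are connected to without verifying the server's identity, so broad
# entries widen the set of machines an administrator's session can be sent to.

function New-Finding($Entry, $Risk, $Note) {
    New-Object PSObject -Property @{ Entry = $Entry; Risk = $Risk; Note = $Note } |
        Select-Object Entry, Risk, Note
}

function Get-TrustedHostsFinding {
    param([string]$TrustedHosts)

    # TrustedHosts is a comma-separated list; drop blanks and padding
    $entries = @($TrustedHosts -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne '' })

    if ($entries.Count -eq 0) {
        return New-Finding '(empty)' 'None' 'No host is exempt from server authentication'
    }

    foreach ($e in $entries) {
        if ($e -eq '*') {
            New-Finding $e 'High' 'Every host is trusted; replace with named hosts'
        }
        elseif ($e.IndexOf('*') -ge 0) {
            New-Finding $e 'Medium' 'Wildcard pattern trusts any host whose name matches'
        }
        elseif ($e -match '^\d{1,3}(\.\d{1,3}){3}$') {
            New-Finding $e 'Medium' 'IP literal; name-based Kerberos authentication does not apply'
        }
        else {
            New-Finding $e 'Low' 'Single named host'
        }
    }
}

# Constructed sample values
Get-TrustedHostsFinding -TrustedHosts '*' | Format-Table -AutoSize
Get-TrustedHostsFinding -TrustedHosts 'gm-7-075, *.globomantics.example, 192.168.1.50' |
    Format-Table -AutoSize

# On a live system with the WinRM service running:
# Get-TrustedHostsFinding -TrustedHosts (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
#
# Scope the list to the one machine being managed instead of a wildcard:
# Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'gm-7-075'
```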

What We Covered

Network profiles / Network Location Awareness

Windows firewall management

Remote Desktop

Remote Assistance

Windows Remote Management Service (WinRM)

WinRM and PowerShell

My Favorite Supporting Resources

1. Windows Firewall with Advanced Security Design and Deployment Guide

• http://www.microsoft.com/downloads/details.aspx?FamilyID=e4a6d0d6-c8c3-414a-ad61-abce6889449d&displaylang=en

Windows 7 Administration Training

Instructor: Scott Lowe

Protecting Windows 7: Local

Windows 7 Administration Training

Protecting Windows 7

In This Lesson:

Configuring User Account Control

Configuring removable device policies

Understanding Credential Manager

Changing execution context with RunAs

Windows 7 account policies and user rights

Windows 7 local groups

Creating a password reset disk

Understanding smart card policies

• Globomantics is recovering from a serious and very public security incident

• As a pharmaceutical company with direct customer contact, Globomantics falls under privacy regulations, including HIPAA

• Globomantics wants to make certain that every possible reasonable security measure is implemented, including firewalls, carefully configured remote management capabilities, user account control and various authentication and authorization features.

• Balancing security with usability will allow users to do their jobs while the company remains protected

Scenario

• First included in Windows Vista, UAC adds an authorization layer before actions requiring administrative rights can be performed

– If UAC prompt is ignored for more than 150 seconds, the request is not approved

• Only users granted administrative rights can approve UAC prompts

• Enabled by default in Windows 7

• Can be configured to meet organizational security policies and needs

Configuring User Account Control

• Features

–Secure desktop

• Have you ever wondered why UAC basically locks the desktop?

• It's by design and is a good thing

–Understanding privileges

• All users operate with standard privileges

• Only when a task requiring administrative rights is performed does UAC interject itself and temporarily escalate privileges

– Prompt for consent

– Prompt for credentials

Configuring User Account Control

• UAC settings

–Never notify me

–Notify me only when programs try to make changes to my computer (do not dim my desktop)

–Default – Notify me only when programs try to make changes to my computer (but don't notify me when I make changes to Windows settings)

–Always notify

Configuring User Account Control

• Group Policy/Local Group Policy/Local Security Policy

–Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

• Local Group Policy: gpedit.msc

• Local Security Policy: secpol.msc

• Allows granular control over UAC policies

–Can configure UAC to require credentials instead of just an approval window

• Demo

–Walk through all UAC-related policies

Configuring User Account Control

• For security reasons, many organizations prohibit the use of removable devices

• Group Policy/Local Group Policy

–Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions

• Prevent installation of removable devices

Configuring Removable Device Policies

• When user names and passwords are selected to be remembered, they are stored in the Windows Vault

–Web sites

–Remote Desktop sessions

• Exploring the Credential Manager

–Backing up Windows Vault

–Restoring Windows Vault

–Modifying an existing stored credential

–Adding a new credential

–Removing an existing credential

Understanding Credential Manager

• Allows you to run programs using a different user's credentials

–Use the RunAs command line tool

–RunAs /user:DOMAIN\USER "program" /switches

• Common switches

– /profile

• Loads the user's profile allowing access to user-specific EFS-protected files

– /noprofile

• Does not load the user's profile

– /savecred

• Saves the credentials under the context of the local administrator account

Changing Execution Context with RunAs

• Account and password policies

–Computer Configuration > Windows Settings > Security Settings > Account Policies

• Local Group Policy: gpedit.msc

• Configurable password policies include

–Enforce password history

–Maximum password age

–Minimum password age

–Password must meet complexity requirements

–Store passwords using reversible encryption

• Not recommended

Windows 7 Account Policies and User Rights

• Configurable account lockout policies include

–Account lockout duration

–Account lockout threshold

–Reset account lockout

• User rights

–Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignments

• Make sure to understand that these user rights exist

– There are more than three dozen policy settings

Windows 7 Account Policies and User Rights

Windows 7 Local Groups

• Users will forget passwords

• Simply resetting a password has consequences

–User loses access to EFS-encrypted files unless other steps have been taken

–Credentials stored in Credential Manager are no longer accessible

• A password reset disk (or USB/removable device) can be used to reset a password without the aforementioned negative side effects

–Caution: Anyone that finds a password reset disk can use it!

• Demo

–Create a password reset disk

Creating a Password Reset Disk

• Windows 7 includes a number of policies related to managing smart cards

–Smart cards are devices that can be used to authenticate to systems

–More secure than typical username/password-based authentication mechanisms

–Often used to augment – not replace – username/password (multifactor authentication)

• Windows 7 uses the Personal Identity Verification (PIV) standard from the National Institute of Standards and Technology (NIST) and includes other new features

–Smart Card/BitLocker encryption

–Document and email signing

Understanding Smart Card Policies

• Group Policy/Local Group Policy/Local Security Policy

–Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

• Interactive Logon: Require Smart Card

– A simple Yes or No (Enabled or Disabled)

• Interactive Logon: Smart Card Removal Behavior

– No Action (default)

– Lock Workstation

– Force Logoff

– Disconnect if a remote Remote Desktop Services connection

Understanding Smart Card Policies

What We Covered

Configuring User Account Control

Configuring removable device policies

Understanding Credential Manager

Changing execution context with RunAs

Windows 7 account policies and user rights

Windows 7 local groups

Creating a password reset disk

Understanding smart card policies

My Favorite Supporting Resources

1. Vista UAC Secure Desktop Explained

• http://cybernetnews.com/vista-uac-secure-desktop-explained/

Windows 7 Administration Training

Instructor: Scott Lowe

Managing Mobility Options

Windows 7 Administration Training

Managing Mobility Options

In This Lesson:

Enable work on the go by using offline files

Transparent caching

Save energy by configuring local power settings

Location Aware Printing

• Globomantics is making sure that every sales person is equipped with a laptop to use in order to maximize their time on the road

• Every customer visit must be as productive as possible

• All of Windows 7's mobility capabilities – offline files, caching, location-based printing, power policies – must be leveraged

• Business needs

– Increased mobility leads to increased sales

–Battery life and power settings must be optimized to increase road time

–Sales people still need access to their centralized files and folders in order to do their jobs

– Location-based printing will help these mobile professionals locate available printers

Scenario

• Users – particularly mobile users – can always be connected to a live server

• Road warriors still need access to their files

• Offline Files locally caches copies of server-based files on the Windows 7 desktop

• As the user roams, he works from the locally cached file

• Once reconnected to the file server, the cached files synchronize with the server-side copy

• As space becomes a premium, Offline Files begins removing the least-used cached files to reclaim space

• Use the Sync Center to resolve synchronization conflicts

Using Offline Files

Offline Files in Action

• Offline Files is enabled for a file

• A copy of the file is cached to the local Windows 7 machine

• User disconnects from server to go on the road

• User modifies locally cached file while disconnected from server

• The user reconnects to the network

• The modified file is synchronized with the server-based copy

• There are four operational methods

–Online mode (Online)

• Normal, connected access to server-based files

–Auto offline mode (Offline: not connected)

• When network issues occur, Offline Files moves to auto offline mode, which redirects file operations (browse, open, create, read, write) to offline mode

–Manual offline mode (Offline: working offline)

• Users can force Windows 7 to use the offline copy of data at will

–Slow-link mode (Offline: slow connection)

• If enabled in Group Policy, allows a transition to offline mode when a network connection slows down

Using Offline Files

• Group/Local policies related to Offline Files

–Computer Configuration > Administrative Templates > Network > Offline Files

• Important policies

–Encrypt the Offline Files cache

– Files not cached

–Remove 'Make Available Offline'

• A look at the Sync Center available via Control Panel

Using Offline Files

• Similar to Windows 7's new BranchCache feature

–Windows 7's new BranchCache capability is covered in the lesson entitled Managing BranchCache

• Transparent caching locally and automatically caches copies of files that a user has accessed from a server

–Does not need to be enabled on a per-file basis

• Each time the user accesses the file, the local system verifies that the locally cached copy is current

– If it's not current, the file is opened directly from the server

• When the server is unavailable, the local cache is also unavailable

• Supports both domain- and non-domain-joined clients

Transparent Caching

• Not enabled by default

–Group/Local policies related to Offline Files

• Computer Configuration > Administrative Templates > Network > Offline Files

• We will learn more about Transparent Caching in the lesson entitled Managing BranchCache

Transparent Caching

• Power plans (default is "Balanced" power plan)

–Allow you to decide how your computer operates under different power environments

• Plugged in

• On Battery (available only on computer with batteries)

– Include a number of power settings from which you can choose, including

• Display settings

– Power configuration

– Brightness

• Sleep settings

• Advanced settings

– Available for each configured power plan

Configuring Local Power Settings and Policies

• Power button options

–Sleep

• Most system devices are turned off

• RAM stays active at current state

• Eventually transitions to Hibernate mode

–Hibernate

• Everything is turned off and the contents of system memory are written to a file on the hard disk

• System resumes when powered back on at the state at which it was when it was placed in Hibernate mode

–Shut down

• Turn the system off

–Do Nothing

Configuring Local Power Settings and Policies

• Centralize power configuration through Group Policy

–Computer Configuration > Administrative Templates > System > Power Management

• You can require the use of one of Windows 7's built in power plans

– If you know the GUID of a custom power plan, that plan can be used instead

• Use powercfg -L from the command line to get a list of power plans and their GUIDs

Configuring Local Power Settings and Policies

• Other important powercfg commands

–See which devices can wake a computer

• powercfg -devicequery wake_from_any

–Create an energy policy report

• powercfg -energy

• Open the resulting report in Internet Explorer

– Saved to a file named energy-report.html in the directory in which the command was run

–Export a power plan

• powercfg -export export_name GUID

– Import a power plan

• powercfg -import filename GUID

Configuring Local Power Settings and Policies

• Allows automatic switching of available print devices based on location

• Printers can be manually paired with a particular network

• From Devices and Printers

–Click Manage default printers

–Make decisions about which printers to use for which network

Location Aware Printing

What We Covered

Enable work on the go by using offline files

Transparent caching

Save energy by configuring local power settings

Location Aware Printing

Windows 7 Administration Training

Instructor: Scott Lowe

Protecting Windows 7 Computers with Windows Updates

Windows 7 Administration Training

Protecting Windows 7 Computers with Windows Updates

In This Lesson:

Why update Windows?

Update types

Windows Update control panel applet

Configuring important update settings

Windows Update settings

Reviewing update history

Deciding which updates to install

Uninstalling updates

Using the Microsoft Baseline Security Analyzer

WSUS and Windows Updates

Non-WSUS operations vs. WSUS operations

• Keeping Windows desktop computers current with the latest security patches is vital to company efforts to keep systems and data secure

• Windows computers require regular updates designed to plug security holes and correct other flaws

• Globomantics can't afford to hire enough people to simply walk around and manually update each and every Windows 7 desktop

• Business need

–Centralizing updates keeps TCO at a reasonable level

–Updates are a critical component of an organization's overall security strategy

–The ability to roll back updates is key in the event that an update breaks something

Scenario

• All software contains flaws

• Even with the best of intentions, Windows ships with holes that were not discovered during development

• Updates fix these flaws

• Some updates add new features and capabilities to Windows

• Update is not limited to Windows; other Microsoft products – including Office – are updated via this update mechanism

Why Update Windows?

• Important

–Updates that should be installed immediately in order to counter potential security or privacy threats

– Includes security and critical updates

• Recommended

–Updates that may improve system reliability or improve information, such as that found in system help files

–May add new features to Windows or even other Microsoft software

• Optional

–Often includes new driver updates

–May include new versions of trial software

Update Types

• Options provides control over Windows Update settings

• Manual update installation process

• Click Check for updates

• Manually install updates via the Install Update button

– If updates have been downloaded, click the Install updates button to begin installation

– Click the category name to list updates

Windows Update Control Panel Applet

• Install updates automatically

–Updates are installed every day at 3AM or as soon as the computer is turned on

• Download updates but let me choose whether to install them

–Updates are downloaded but are not installed until a user initiates the process

• Check for updates but let me choose whether to download and install them

–The user is simply notified that new updates are available, but they are neither downloaded nor installed without user intervention

• Never check for updates

–Not recommended

Configuring Important Update Settings

Windows Update Settings

• Get a list of installed updates by clicking the View update history option in Control Panel

• Get more information about an update by right-clicking the update and choosing View details

Reviewing Update History

• You may want to prevent an update from installing automatically

–Some updates have problems

–You may have software that conflicts with an update

• Hide an update so it doesn't appear in update lists

• If you change your mind, you can unhide updates

–At some point, you should make sure to install all important updates, even if you've previously hidden them

• Use the Restore hidden updates option

Deciding Which Updates to Install

• When you're viewing a list of installed updates, right-click an update and choose Uninstall

• The Installed Updates window is accessible via the Windows Update control panel applet or the Programs and Features control panel applet

Uninstalling Updates

• MBSA 2.1.1 provides support for Windows 7 and Windows Server 2008 R2

–Download from

• http://www.microsoft.com/downloads/details.aspx?FamilyID=b1e76bbe-71df-41e8-8b52-c871d012ba78&displaylang=en

• MBSA provides a way to identify updates that might be missing from a Windows installation

• The tool also points out other potential security holes, such as misconfigured accounts or accounts with no password expiration in place

Using the Microsoft Baseline Security Analyzer

• Group Policy (local GP editor: gpedit.msc)

–Computer Configuration > Administrative Templates > Windows Components > Windows Update

• A lot of options available

–We'll walk through them

Using Group Policy to Configure Updates

• Microsoft Windows Server Update Services 3.0 SP2

–Provides support for Windows 7

–A server-based tool that centrally manages and distributes updates

–Once installed, assumes responsibility for contacting Microsoft Update servers

–Saves bandwidth

• Machines don't need to individually download massive updates

• Centrally catalogs updates

WSUS and Windows Updates

Non-WSUS Operations vs. WSUS Operations

Globomantics Office – Without WSUS

• GM-7-Desktop: Globomantics Windows 7 Desktop

• GM-7-M-X: Globomantics Windows 7 Mobile

• GM-SW-File: Globomantics Server (DHCP/DNS)

• Each individual computer downloads updates from Microsoft Update servers

Globomantics Office – With WSUS

• GM-7-Desktop: Globomantics Windows 7 Desktop

• GM-7-M-X: Globomantics Windows 7 Mobile

• GM-SW-File: Globomantics Server (DHCP/DNS)

• WSUS Server

• Local WSUS servers download and catalog updates

• Each individual computer downloads updates from the local WSUS server

• Redirect Automatic Updates to a WSUS server

–Click Specify Intranet Microsoft update service location

–Click Enabled and type the HTTP(S) URL of the same WSUS server in the Set the intranet update service for detecting updates box and in the Set the intranet statistics server box

–Click the OK button

• Disable access to Windows Update

–Use Group Policy: Expand Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings

–Click Turn off access to all Windows Update features

–Click Enabled

WSUS and Windows Updates
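
Added example (not part of the course material): the Group Policy setting above writes WUServer, WUStatusServer and UseWUServer under the Windows Update policy registry key, and a client can be checked to confirm that the redirect is active, that both boxes name the same server, and that the URL uses HTTPS. The function names and the sample server URL are constructed for illustration.

```powershell
# Added example (not from the course). PowerShell 2.0 compatible.
# Reviews the Windows Update client policy values written by the
# "Specify intranet Microsoft update service location" setting.

$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusClientPolicy {
    # Reads the live policy values; values that are not set come back as $null
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$WuKey\AU" -ErrorAction SilentlyContinue
    @{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
    }
}

function Test-WsusClientPolicy {
    param([hashtable]$Policy)

    $findings = @()
    if ($Policy.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the client ignores WUServer and contacts Microsoft Update directly'
    }
    if ([string]::IsNullOrEmpty($Policy.WUServer)) {
        $findings += 'WUServer is not set'
    }
    elseif ($Policy.WUServer -notmatch '^https://') {
        $findings += "WUServer '$($Policy.WUServer)' does not use HTTPS: update metadata is fetched without TLS"
    }
    if ($Policy.WUServer -ne $Policy.WUStatusServer) {
        $findings += 'WUStatusServer differs from WUServer: both boxes should name the same WSUS server'
    }
    if ($findings.Count -eq 0) { $findings += 'OK' }
    $findings
}

# Constructed sample: clients redirected to a WSUS server over plain HTTP
$sample = @{
    WUServer       = 'http://wsus.globomantics.example:8530'
    WUStatusServer = 'http://wsus.globomantics.example:8530'
    UseWUServer    = 1
}
Test-WsusClientPolicy -Policy $sample

# On a live system:
# Test-WsusClientPolicy -Policy (Get-WsusClientPolicy)
```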

• System Center Configuration Manager 2007 R2 can also be used to handle distribution and tracking of updates

• Globomantics does not currently own System Center Configuration Manager 2007 R2

–http://www.trainsignal.com/System-Center-Configuration-Manager-P71.aspx

Plug for System Center Configuration Manager 2007 R2

What We Covered

Why update Windows?

Update types

Windows Update control panel applet

Configuring important update settings

Windows Update settings

Reviewing update history

Deciding which updates to install

Uninstalling updates

Using the Microsoft Baseline Security Analyzer

WSUS and Windows Updates

Non-WSUS operations vs. WSUS operations

Windows 7 Administration Training

Instructor: Scott Lowe

Managing Applications

Windows 7 Administration Training

Managing Applications

In This Lesson:

Program compatibility assistant

Program compatibility properties

Compatibility-related group policies

Application Compatibility Toolkit

Using Windows XP mode

Configuring software restriction policies

Using AppLocker

• Globomantics uses a wide range of applications to meet its business goals

• There are questions surrounding application compatibility

• Globomantics will use a number of tools to determine compatibility with Windows 7

• Globomantics also plans to consider the use of AppLocker as a security mechanism to keep hostile software off the network

• Business need

– Line of business applications are the lifeblood of Globomantics so they need to simply work

–AppLocker is a Windows 7-based evolution in software policies designed to control what applications are allowed to be used

Scenario

• A tool built into Windows 7 that checks for program installation problems

• Pops up a dialog box suggesting a fix for a problem

• Offers to reinstall a program using Microsoft recommended settings

• Only modifies Windows settings related to the execution of the program

Program Compatibility Assistant

• Right-click program and choose Troubleshoot compatibility

• Manually modify program properties

–Compatibility mode

–Run in 256 colors

–Run in 640x480 screen resolution

–Disable visual themes

–Disable desktop compression

–Disable display scaling on high DPI settings

–Privilege level

–Change settings for all users

Program Compatibility Properties

• Available via the Group Policy editor

–Computer Configuration > Administrative Templates > System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics

Compatibility-Related Group Policies

• Application Compatibility Manager

–A SQL Server-based tool that collects application information from existing Globomantics computers

• Compatibility Administrator

–A set of application compatibility fixes that have already been verified to allow applications to work under Windows 7

• Developer and Tester Tools

– Internet Explorer Compatibility Test Tool

• Tests web site compatibility with Internet Explorer 8

–Setup Analysis Tool

• Monitors application installers to test compatibility

–Standard User Analyzer

• Determines if an app will have problems with UAC

Application Compatibility Toolkit

• Option of last resort

• Creates a virtual instance of Windows XP in which applications are run

• Seamless to end user

• Installation steps (www.microsoft.com/windows/virtual-pc)

–Download and install Windows XP Mode first

–Then Virtual PC

–Then Windows XP Mode update

• Globomantics will run Internet Explorer 6 from Windows XP Mode

Using Windows XP Mode

• A legacy application management tool

• Configurable via Group Policy

–Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies

• Applicable to Windows XP, Windows Vista and Windows 7

• Security levels – Group Policy page

• Enforcement – Group Policy page

• Designated file types – Group Policy page

• Trusted publishers

Configuring Software Restriction Policies

• Order of precedence

–Hash rule

–Certificate rule

–Path rule

–Network zone rule (msi installer files only)

–Default rules

• For conflicts

–The most specific rule takes precedence

• Globomantics will block the use of Solitaire using Software Restriction Policies

Configuring Software Restriction Policies

Managing Applications

• Available only on Windows 7 clients

• Significantly better than Software Restriction Policies

–No need to rework restrictions as applications are upgraded

–Can be applied to user subsets

• Configurable via Group Policy

–Computer Configuration > Windows Settings > Security Settings > Application Control Policies

• Relies on the use of the Application Identity Service

Using AppLocker

Managing Applications

Using AppLocker

Feature | Software Restriction Policies | AppLocker
Rule scope | All users | Specific user or group
Rule conditions provided | File hash, path, certificate, registry path, and Internet zone rules | File hash, path, and publisher rules
Rule types provided | Allow and deny | Allow and deny
Default rule action | Allow or deny | Deny
Audit-only mode | No | Yes
Wizard to create multiple rules at one time | No | Yes
Policy import or export | No | Yes
Rule collection | No | Yes
PowerShell support | No | Yes
Custom error messages | No | Yes

Managing Applications

• Rule types

–Executable

• .exe and .com files

–Windows Installer

• .msi and .msp files

–Script

• .ps1, .bat, .cmd, .vbs and .js files

–DLL

• .dll and .ocx files

Using AppLocker

Managing Applications

• Rule conditions

–Publisher

• Discussed on next slide

• Most secure option

–Path

• Based on the file path

– File hash

• Based on the unique file hash

• Use when a file is not signed

• More secure than path rules

• Rule behavior

–Allow or Deny

Using AppLocker

Managing Applications

• Publisher rules

–Rules based on application digital signatures

• Files must be signed

–These rules can survive application upgrades

• e.g. Create a rule that says “Block this application - version 2.0 and higher”

• e.g. Allow versions 2.0 or higher of a program to run if it is signed by the software publisher GlobomanticsDevCorp

–Globomantics will block the use of WordPad using AppLocker

• Service Packs should not disable this rule

Using AppLocker
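
The three rule conditions above, worked through as an added example. It is not part of the course material and is a simplified model, not AppLocker's real engine or policy format. It shows a hash rule breaking when an application is upgraded, a publisher rule for “2.0 and higher” surviving the upgrade, and a path rule covering anything placed under the path. The OrderEntry product, the paths and the file contents are constructed; the deny-before-allow ordering and the final default deny are assumptions of the model.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FileInfo:
    path: str
    content: bytes               # stands in for the bytes on disk
    publisher: Optional[str]     # None = file is not signed
    product: str
    version: Tuple[int, int]

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass(frozen=True)
class Rule:
    action: str                  # "Allow" or "Deny"
    condition: str               # "Publisher", "Path" or "Hash"
    value: str                   # publisher name, path pattern or hash
    product: str = "*"           # used by Publisher rules only
    min_version: Tuple[int, int] = (0, 0)

    def matches(self, f: FileInfo) -> bool:
        if self.condition == "Publisher":
            # An unsigned file (publisher None) never satisfies this.
            return (f.publisher == self.value
                    and self.product in ("*", f.product)
                    and f.version >= self.min_version)
        if self.condition == "Path":
            pattern, path = self.value.lower(), f.path.lower()
            if pattern.endswith("*"):
                return path.startswith(pattern[:-1])
            return path == pattern
        if self.condition == "Hash":
            return f.sha256() == self.value
        return False


def evaluate(rules: List[Rule], f: FileInfo) -> str:
    """Assumed ordering: a matching Deny wins, then Allow, else default Deny."""
    actions = {r.action for r in rules if r.matches(f)}
    if "Deny" in actions:
        return "Deny"
    return "Allow" if "Allow" in actions else "Deny"


# Constructed sample files (hypothetical product, paths and contents).
APP = r"C:\Program Files\OrderEntry\orders.exe"
FILES: Dict[str, FileInfo] = {
    "v1.9": FileInfo(APP, b"orders build 1.9", "GlobomanticsDevCorp", "OrderEntry", (1, 9)),
    "v2.0": FileInfo(APP, b"orders build 2.0", "GlobomanticsDevCorp", "OrderEntry", (2, 0)),
    "v2.1": FileInfo(APP, b"orders build 2.1", "GlobomanticsDevCorp", "OrderEntry", (2, 1)),
    "unsigned": FileInfo(r"C:\Tools\legacy.exe", b"legacy tool", None, "Legacy", (1, 0)),
    "dropped": FileInfo(r"C:\Tools\unknown.exe", b"not approved", None, "Unknown", (1, 0)),
}

POLICIES: Dict[str, List[Rule]] = {
    # Hash rule taken from the 2.0 binary: must be redone after every upgrade.
    "hash": [Rule("Allow", "Hash", FILES["v2.0"].sha256())],
    # Publisher rule "2.0 and higher", plus a hash rule for the unsigned tool.
    "publisher": [
        Rule("Allow", "Publisher", "GlobomanticsDevCorp", "OrderEntry", (2, 0)),
        Rule("Allow", "Hash", FILES["unsigned"].sha256()),
    ],
    # Path rule: covers whatever is placed under the folder.
    "path": [Rule("Allow", "Path", "C:\\Tools\\*")],
    # Block "version 2.0 and higher" although a broad path rule allows the folder.
    "block": [
        Rule("Allow", "Path", "C:\\Program Files\\*"),
        Rule("Deny", "Publisher", "GlobomanticsDevCorp", "OrderEntry", (2, 0)),
    ],
}


def survey(policy_name: str) -> Dict[str, str]:
    """Decision for every sample file under the named policy."""
    rules = POLICIES[policy_name]
    return {name: evaluate(rules, f) for name, f in FILES.items()}


if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:10} {survey(name)}")
```

The "path" policy is the one to look at when choosing between conditions: it allows the unapproved file simply because of where it sits, which is why the slide ranks hash rules above path rules.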

Managing Applications

What We Covered

Program compatibility assistant

Program compatibility properties

Compatibility-related group policies

Application Compatibility Toolkit

Using Windows XP mode

Configuring software restriction policies

Using AppLocker

Managing Applications

My Favorite Supporting Resources

1. Windows 7 Application Compatibility List for IT Professionals

2. Introduction to the Application Compatibility Toolkit (ACT) Version 5.6

3. Windows 7 AppLocker Executive Overview

4. How AppLocker Works

Windows 7 Administration Training Instructor: Scott Lowe

Managing Internet Explorer

Managing Internet Explorer

In This Lesson:

Compatibility Mode

Configuring IE security settings

IE Protected Mode

Managing IE add-ons and search providers

Managing IE’s InPrivate browsing

Managing IE’s InPrivate filtering

About IE’s SmartScreen Filter

IE’s pop up blocker

Managing IE certificates

Managing Internet Explorer

• The Globomantics Application group has developed a number of web-based applications that support only Internet Explorer

• The CIO has made Internet Explorer the corporate standard

• Windows 7 provides centralized management of IE

• Making sure that Internet Explorer settings on Windows 7 machines meet corporate security policies

–Ban the use of unapproved add-ins for Internet Explorer

–Make sure that compatibility mode is properly configured

• Business need

–Compatibility Mode will give the Globomantics Application Support group time to update web-based applications

–Users need to understand SmartScreen to help the company prevent malware infestations

Scenario

Managing Internet Explorer

• Not all web sites display properly in Internet Explorer 8

– IE 8 is the version that ships with Windows 7

• Windows Updates include lists of web sites that work best under Compatibility Mode

• Compatibility Mode Group Policies

–Administrative Templates > Windows Components > Internet Explorer > Compatibility View

• Globomantics needs to display the site apps.globomantics.com in compatibility mode

Compatibility Mode

Managing Internet Explorer

• Security levels

–High

• Most actions are disallowed

–Medium-High

• Appropriate for most web browsing

• Prompts before downloading potentially unsafe content

• Unsigned ActiveX controls will not be downloaded

• Per-application override settings that disable ActiveX warnings in certain situations are not allowed

–Medium

• Prompts before downloading potentially unsafe content

• Unsigned ActiveX controls will not be downloaded

Configuring IE Security Settings

Managing Internet Explorer

–Medium-Low

• Appropriate for intranet-based sites

• Most content will be run without the user being prompted

• Unsigned ActiveX controls will not be downloaded

– Low

• Appropriate for only absolutely trusted sites

• Most content will be run without the user being prompted

• All active content can run

Configuring IE Security Settings

Managing Internet Explorer

• Internet Explorer security zones

– Local intranet

• Medium-Low security level

–Trusted sites

• Medium security level

• Used only for sites that are known and that can be trusted

–Restricted sites

• High security level

• Used for dangerous sites

– Internet

• Medium-High security level

Configuring IE Security Settings

Managing Internet Explorer

• Makes it more difficult for web sites to install malicious software

• Allows administrators to install desirable ActiveX controls and add-ons

• Zones

–Enabled by default in the Internet and Restricted sites zones

–Disabled in the Local Intranet and Trusted sites zones

IE Protected Mode

Managing Internet Explorer

• Add-ons extend the functionality of Internet Explorer

• There are add-ons available for many different categories, including adding new search engines to IE

• Group Policy (computer and user settings)

–Administrative Templates > Windows Components > Internet Explorer > Accelerators and

–Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management

• Globomantics’ marketing department uses Twitter extensively and will add an Internet Explorer add-on to streamline the Twitter update process

Managing IE Add-ons and Search Providers

Managing Internet Explorer

• InPrivate Browsing prevents Internet Explorer from storing data about a browsing session

• Helps prevent anyone else who might be using your computer from seeing visited sites and other potentially private information such as cookies, temporary Internet files, history, and other data

• Toolbars and extensions are disabled by default

• InPrivate Browsing is only in effect during the time that you use the InPrivate window

• Group Policy settings (both computer and user settings)

–Administrative Templates > Windows Components > Internet Explorer

Managing IE’s InPrivate Browsing

Managing Internet Explorer

• InPrivate Browsing is a broad privacy mechanism

• InPrivate Filtering is more granular

–Helps protect users from common browsing tracking, such as that performed by third party advertising networks

–Users (or administrators) decide what can be shared and with whom

• Managing InPrivate Filtering settings

–Globomantics wants to make sure users can browse the web and get work done and will turn off InPrivate Filtering

Managing IE’s InPrivate Filtering

Managing Internet Explorer

• Looks for known or suspected “phishing” web sites or sites that may harm your computer through the installation of malware

• Site list is updated on an hourly basis

• Also scans downloaded files and blocks the download if there is a known risk

• Allows a user to perform a manual check of a site

• Provides users with a warning that a site might not be safe

• http://207.68.169.170/contoso/enroll_auth.html

About IE’s SmartScreen Filter

Managing Internet Explorer

• Pop-ups are not very popular but when used appropriately, do have value

• Some pop-ups – e.g. login boxes – need to be allowed

• Pop-ups can be allowed on a site-by-site or per-zone basis

–Pop-ups are always allowed in the default Local Intranet and Trusted Sites zones

• The Pop-Up Blocker settings window allows configuration of this security feature

IE’s Pop-Up Blocker

Managing Internet Explorer

• Secure web browsing is based on the use of Secure Sockets Layer (SSL) encryption certificates

• Provides trusted secure end-to-end communications encryption so users can comfortably share personal information including social security numbers and credit card information

• Internet Explorer blocks access to SSL-protected web sites when things don’t look right

–The address doesn’t match that of the SSL certificate

–The certificate is expired or has been revoked

–The certificate is not trusted back to what’s called a root certificate

• Internet Explorer certificate settings window

–https://204.184.63.35/owa/

Managing IE Certificates

Managing Internet Explorer

What We Covered

Compatibility Mode

Configuring IE security settings

IE Protected Mode

Managing IE add-ons and search providers

Managing IE’s InPrivate browsing

Managing IE’s InPrivate filtering

About IE’s SmartScreen Filter

IE’s pop up blocker

Managing IE certificates

Managing Internet Explorer

My Favorite Supporting Resources

1. About URL Security Zone Templates

Windows 7 Administration Training Instructor: Scott Lowe

Configuring File and Folder Access

Configuring File and Folder Access

In This Lesson:

Changing file and folder permissions

Understanding NTFS permissions

Assigning NTFS permissions

Understanding effective permissions

Permissions impact: Copying and moving files

Encrypting files and folders using EFS

BitLocker To Go

Full disk encryption using BitLocker

Configuring File and Folder Access

• Globomantics needs to provide secure access to files and folders so that users can do their jobs

• Due to the recent security incident, Globomantics wants to make sure that the theft of a desktop computer doesn’t result in unauthorized access to company data

• Although Globomantics could choose to implement BitLocker on desktops as well as laptops, the company is considering using EFS on internal systems just to protect key shared folders

• Business need

–Globomantics will secure access to files and folders at both the share and file (NTFS) level.

–Globomantics will protect mobile devices through the use of BitLocker and protect internal desktop PCs using EFS

Scenario

Configuring File and Folder Access

• In the world of IT, there is a principle that states that users should have only the most minimal permissions they need to complete their jobs

• NTFS – the default file system used in Windows 7 – helps to enforce this least-privilege principle by providing the ability to apply permissions to files and folders in a very granular way

–No NTFS rights = No access

• With only minor exceptions, files and folders both use the same available NTFS permissions but these permissions may manifest themselves a bit differently

• Permissions can be assigned directly to a user or they can be assigned to a user group

– It’s much preferred to assign permissions to groups

Changing File and Folder Permissions

Configuring File and Folder Access

• Basic NTFS permission sets

– Full Control (Modify, Read & Execute, List Folder Contents, Read, Write)

• Provides a user with the ability to do anything and everything with a file or folder, including modifying permissions

• This is the only standard right that allows a user to change permissions to the file or folder

• Users can take ownership of a file or folder

–Modify (Read & Execute, List Folder Contents, Read, Write)

• Allows a user to read, write, change and delete files and folders

Understanding NTFS Permissions

Configuring File and Folder Access

• Basic NTFS permission sets (continued)

–Read & Execute (List Folder Contents, Read)

• Allows a user to access a file or folder and execute programs within

– List Folder Contents

• Applies to folder only

• Allows a user to view the contents of a folder

–Read

• User can read the contents of a folder or access a file

• Does not allow the user to execute programs

–Write

• Folders: User can add files and folders to a folder

• Files: User can make changes to a file, but cannot delete it

Understanding NTFS Permissions

Configuring File and Folder Access

• Inherited permissions

–When you create a file or folder, the new entity assumes the permission set of the parent folder

–This process is called inheritance and can result in some of the most complicated permission issues you will come across

• You can block inheritance and assign unique permissions if you like

Understanding NTFS Permissions

Configuring File and Folder Access

• Each file and folder object on the NTFS partition has a Security tab on its Properties page

– From this page, you can view the current security configuration for the object

• You can also use the command line icacls utility

• Globomantics wants to do the following

–Allow users that are a part of the Marketing group to access (Modify access) a local folder named “Marketing” (GUI method)

–Allow users that are a part of the Sales group to access (again, Modify rights) a local folder named “Sales” (icacls)

• icacls c:\sales /grant gm\sales:(oi)(ci)m

–Deny access to the “Sales” folder to Marketing (GUI)

Assigning NTFS Permissions

Configuring File and Folder Access

• NTFS permissions can and do collide with one another from time to time

–A user might have been directly assigned Read rights to a particular folder and also been assigned the Write right by virtue of a group membership

• With one exception, NTFS permissions are cumulative

– In the case above, the user would be granted both Read and Write privileges

–Exception

• If a user has been specifically denied a right anywhere, the Deny right trumps everything else

Understanding Effective Permissions

Configuring File and Folder Access

• Globomantics is trying to figure out why the user named Steve Smith was able to change a document at C:\Accounting

• Use the effective permissions tool to determine what access level this user has been granted and determine why he was able to make a change

Understanding Effective Permissions

Configuring File and Folder Access

• As you’ve seen, file and folder permissions are dependent on their location in the file system, particularly as inheritance comes into play

• Moving and copying files can impact NTFS permissions on the files being copied or moved

–When copying objects to a new location, the objects take on the permission set of the new location

–When objects are moved

• To locations on the same volume

– They maintain their existing permission sets

• To locations on a different volume

– They inherit the permissions of the new folder

Permissions Impact: Copying and Moving Files

Configuring File and Folder Access

• EFS allows users to encrypt individual files and folders

–BitLocker encrypts entire volumes

–EFS encrypts individual files and folders on NTFS volumes

• Once a folder is encrypted all files inside that folder are encrypted, including any files you create later on

• The first time a user encrypts a file on a Windows 7 machine, he is asked to back up his newly created security certificate

– If other users need to access the file, they need to first log in and encrypt something so that their certificate is also saved

–You can use Active Directory Certificate Services to centralize management of EFS certificates

• Well beyond the scope of this course and the exam

Encrypting Files and Folders Using EFS

Configuring File and Folder Access

• EFS Recovery Agent

–Users come and go and they may or may not leave in a way that allows them to make sure that they've provided access to files that they've encrypted

–Create an EFS Recovery Agent in order to open files encrypted by another user

• The agent needs to be created before users start encrypting files

• From the command line

– Cipher /r:recoveryagent

Encrypting Files and Folders Using EFS

Configuring File and Folder Access

• Globomantics will teach some internal users how to encrypt folders on their local hard drives

–These folders contain sensitive financial information that, in the wrong hands, could lead to another public relations debacle

–Because two users share a single PC in the controller's office, certificates will be created for both users (Administrator and Steve)

–This is a stop gap measure intended to be used only until Globomantics is able to deploy a full infrastructure capable of centralizing all of the various user certificates

–You will first create an EFS Recovery Agent to make sure that files remain accessible

Encrypting Files and Folders Using EFS

Configuring File and Folder Access

• People often rely on portable storage to be able to transport documents between locations

• These portable storage devices can be a major security headache

• BitLocker To Go is a new feature that encrypts the full contents of these portable storage devices

• Does not require any special hardware, such as a Trusted Platform Module chip

• Devices protected with BitLocker To Go can even be read in older versions of Windows

BitLocker To Go

Configuring File and Folder Access

• A number of local group policies exist that manage the implementation of BitLocker

– Located at Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives

• Globomantics requires that portable USB storage be configured with BitLocker To Go

–Set up appropriate local policies

• Walk-through policy options

–Encrypt a USB volume

BitLocker To Go

Configuring File and Folder Access

• BitLocker provides full disk encryption making data inaccessible unless specific conditions are met

• BitLocker operating modes

–TPM-only mode

–TPM with startup key

–TPM with PIN

–TPM with PIN and startup key

–BitLocker without TPM

Full Disk Encryption Using BitLocker

Configuring File and Folder Access

• TPM-only mode (TPM = Trusted Platform Module)

–100% transparent to user

–Protects the boot environment from modification

–No requirement for the user to use a PIN or password at boot time

–No requirement for the user to use a startup key at boot time

– Least secure BitLocker option

Full Disk Encryption Using BitLocker

Configuring File and Folder Access

• TPM with startup key

–Not very transparent to user

–Protects the boot environment from modification

–No requirement for the user to use a PIN or password at boot time

–There is a requirement for the user to use a startup key at boot time

• A startup key is a USB drive that has been preconfigured for use with BitLocker

–More secure since there is a need for the user to use a physical device to boot the system

Full Disk Encryption Using BitLocker

Configuring File and Folder Access

• TPM with PIN

–Transparent to user after boot

–Protects the boot environment from modification

–There is a requirement for the user to use a PIN or password at boot time

–No requirement for the user to use a startup key at boot time

–More secure since there is a need for the user to use a password to boot the system

Full Disk Encryption Using BitLocker

Configuring File and Folder Access

• TPM with PIN and startup key

–Not very transparent to user

–Protects the boot environment from modification

–There is a requirement for the user to use a PIN or password at boot time

–There is a requirement for the user to use a startup key at boot time

• A startup key is a USB drive that has been preconfigured for use with BitLocker

–Most secure option since there is a need for the user to both use a password to boot the system and to have available a physical USB device

Full Disk Encryption Using BitLocker

Configuring File and Folder Access

• BitLocker without TPM

–Not all systems ship with TPM chips so BitLocker can be configured to use just a key device

–Does not protect the boot environment itself

–Organizations may still want to use BitLocker even if a system does not have TPM

• Modify a Group Policy object

– Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require Additional Authentication at Startup

• Requires the use of a USB-based startup key

Full Disk Encryption Using BitLocker

Configuring File and Folder Access

• BitLocker notes

–When used with TPM, the encryption key is stored on the system's local TPM chip

–Recovery information can also be stored in Active Directory

• Configure a Data Recovery Agent (DRA) user account to enable recovery of encrypted data

– Computer Configuration > Windows Settings > Security Settings > Public Key Policies > BitLocker Drive Encryption

• For already-encrypted drives, use the manage-bde -SetIdentifier <volume letter> command to enable after-the-fact DRA support on that volume

Full Disk Encryption Using BitLocker

Configuring File and Folder Access

• Recovery

–There are times when BitLocker needs to be used in recovery mode

• The contents of the TPM chip may have been lost

• You modified one of the boot files

– Best practice: Temporarily disable BitLocker before modifying a boot file

• You've connected a BitLocker-protected disk to a different computer

– In recovery mode, you need to provide one or both of

• The BitLocker PIN

• The USB key that holds the recovery key

Full Disk Encryption Using BitLocker

Configuring File and Folder Access

• The manage-bde command

–Manage BitLocker options from the command line

–See the results of manage-bde -status

• Globomantics will enable BitLocker on the system volume for laptop systems

–PIN option will be selected

Full Disk Encryption Using BitLocker

Configuring File and Folder Access

What We Covered

Changing file and folder permissions

Understanding NTFS permissions

Assigning NTFS permissions

Understanding effective permissions

Permissions impact: Copying and moving files

Encrypting files and folders using EFS

BitLocker To Go

Full disk encryption using BitLocker

Windows 7 Administration Training Instructor: Scott Lowe

Shared Access to Resources

Shared Access to Resources

In This Lesson:

Resource sharing overview

Basic vs. advanced sharing

Understanding Share vs. NTFS permissions

Offline folder caching

Sharing printers and managing print queues

Windows 7 libraries

Configuring HomeGroup

Shared Access to Resources

• Information Technology advancements have created a collaboration revolution on which Globomantics wants to capitalize

• Collaboration is enabled through resource sharing

• Files, folders and printing devices are commonly shared at Globomantics, but not all users need to access all shared resources

• At especially small branch offices, Globomantics will use a Windows 7 desktop in a pseudo-server capacity

• Business need

–Shared resources reduce overall costs since users don’t need their own dedicated devices, such as printers

Scenario

Shared Access to Resources

• The Network and Sharing Center holds the basic keys to the resource sharing kingdom

• Resource sharing settings are configured on a per-network profile basis

–Network discovery

– File and printer sharing

–Public folder sharing

–Media streaming

– File sharing connections

–Password protected sharing

–HomeGroup connections

Resource Sharing Overview

Shared Access to Resources

• Basic sharing

–Rights available

• Owner

– Assigned to the user account that set up the share

• Read

– Allows the specified user or group to read files from the shared location

• Read/Write

– Allows the specified user to read files, modify existing files and create new ones

Basic vs. Advanced Sharing

Shared Access to Resources

• Advanced sharing

–Rights available

• Full Control

– Assigned to the user account that set up the share

– Allows a user to change the resource share permissions

• Read

– Allows the specified user or group to read files from the shared location

• Change

– Allows the specified user to read files, modify existing files and create new ones

Basic vs. Advanced Sharing

Shared Access to Resources

• Share permissions

–Applied only when a resource is accessed over the network

– If resource is accessed from the local console, only NTFS permissions are enforced

• NTFS permissions

–Applied regardless of access location – local or remote

–NTFS permissions are discussed in the Configuring File and Folder Access lesson

• When combined, the most restrictive set of permissions applies

Understanding Share vs. NTFS Permissions
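
An added example, not part of the course material, that models the rules from the Understanding Effective Permissions and Understanding Share vs. NTFS Permissions slides: NTFS permissions accumulate across direct and group assignments, a Deny trumps everything, and over the network the more restrictive of share and NTFS permissions applies. The atomic rights, the mapping of share levels onto them, the account name steve and the ACLs are constructed assumptions, and inheritance is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set

# Simplified atomic rights (an assumption of this example, not the real
# NTFS access mask), chosen to reflect the differences the slides describe.
ALL_RIGHTS = frozenset({"read", "write", "execute", "list", "delete",
                        "change_permissions", "take_ownership"})
MODIFY = frozenset({"read", "write", "execute", "list", "delete"})
READ_EXEC = frozenset({"read", "execute", "list"})

NTFS_SETS: Dict[str, FrozenSet[str]] = {
    "Full Control": ALL_RIGHTS,
    "Modify": MODIFY,
    "Read & Execute": READ_EXEC,
    "List Folder Contents": frozenset({"list"}),
    "Read": frozenset({"read"}),          # no execute
    "Write": frozenset({"write"}),        # change a file, but not delete it
}
SHARE_SETS: Dict[str, FrozenSet[str]] = {  # advanced sharing levels
    "Full Control": ALL_RIGHTS,
    "Change": MODIFY,
    "Read": READ_EXEC,
}


@dataclass(frozen=True)
class Ace:
    trustee: str        # user or group name
    kind: str           # "Allow" or "Deny"
    permission: str     # key of NTFS_SETS or SHARE_SETS


def effective(acl: Iterable[Ace], identities: Set[str],
              table: Dict[str, FrozenSet[str]]) -> FrozenSet[str]:
    """Union of every matching Allow, minus every matching Deny."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in acl:
        if ace.trustee.lower() in identities:
            target = denied if ace.kind == "Deny" else allowed
            target.update(table[ace.permission])
    return frozenset(allowed - denied)


def access(ntfs_acl: List[Ace], share_acl: List[Ace], user: str,
           groups: List[str], over_network: bool) -> FrozenSet[str]:
    """Rights a user ends up with at the console or through the share."""
    ids = {user.lower()} | {g.lower() for g in groups}
    ntfs = effective(ntfs_acl, ids, NTFS_SETS)
    if not over_network:
        return ntfs                        # share permissions are not consulted
    return ntfs & effective(share_acl, ids, SHARE_SETS)   # most restrictive


# Constructed ACLs modelled on the course scenarios.
ACCOUNTING_NTFS = [Ace("steve", "Allow", "Read"),
                   Ace("ACCTNG", "Allow", "Write")]
SALES_NTFS = [Ace("SALES", "Allow", "Modify"),
              Ace("ACCTNG", "Allow", "Modify"),
              Ace("MARKETING", "Deny", "Full Control")]
SALES_SHARE = [Ace("SALES", "Allow", "Change"),
               Ace("ACCTNG", "Allow", "Read")]


def steve_on_accounting() -> FrozenSet[str]:
    """Read assigned directly plus Write from the group: he can change files."""
    return access(ACCOUNTING_NTFS, [], "steve", ["ACCTNG"], over_network=False)


if __name__ == "__main__":
    print("steve, C:\\Accounting (local):", sorted(steve_on_accounting()))
    print("accounting user, Sales share:",
          sorted(access(SALES_NTFS, SALES_SHARE, "amy", ["ACCTNG"], True)))
    print("sales+marketing user, Sales share:",
          sorted(access(SALES_NTFS, SALES_SHARE, "bob", ["SALES", "MARKETING"], True)))
```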

Shared Access to Resources

• Offline folder caching is discussed fully in the Managing Mobility Options lesson

• During the sharing process, decide how/if you want users to be able to cache offline files to their local computers

–Only the files and programs that users specify are available offline

–No files or programs from the shared folder are available offline

–All files and programs that users open from the shared folder are automatically available offline

Offline Folder Caching

Shared Access to Resources

• A Utica, NY-based Windows 7 desktop will be a pseudo-server with a couple of shares initially enabled

–Marketing (GUI method)

• Offline files should be disabled

• The Marketing group will have Change rights

• No more than five people at any one time

–Sales (command line method)

• Enable offline files for both documents and programs

• The Sales group will have Change rights

• Accounting will have Read rights

• net share Sales=c:\Sales /grant:globomantics\SALES,CHANGE /grant:globomantics\ACCTNG,READ /cache:programs

Sharing Folders

Shared Access to Resources

• By sharing a printer, multiple users can share these relatively expensive resources and save Globomantics a lot of money

• Printing permissions

–Print

• Allows users to manage their own documents sent to the printer

–Manage this printer

• Users can manage the printer itself, including pausing and restarting printing, changing printer permissions and sharing the printer

–Manage documents

• Users in this group can manage the print jobs for any users that have sent documents to the shared print queue

Sharing Printers and Managing Print Queues

Shared Access to Resources

• The Utica, NY-based Globomantics office has an HP LaserJet 4250 printer connected directly to a Windows 7 machine

–Share this printer with the Sales, Marketing and Accounting domain groups

–The user named Fred should have both Manage this printer and Manage documents rights

Sharing Printers and Managing Print Queues

Shared Access to Resources

• Windows 7 includes virtual folders known as libraries

• Libraries are collections of folders from various sources

–The local machine

–Network servers

–HomeGroup machines

• Default libraries

–Documents

–Music

–Pictures

–Videos

Windows 7 Libraries

Shared Access to Resources

• Adding new folders to existing libraries

–The existing libraries can be extended to include new folder sources

–The Utica sales manager wants the contents of the newly created Sales shared folder to appear in his Documents library

• It is his machine that is acting as the pseudo-server at Utica

• Creating a new library

–The Utica sales manager has decided that he wants to create a dedicated Sales library that includes everything sales related

Windows 7 Libraries

Shared Access to Resources

• HomeGroup is a new feature in Windows 7 intended to facilitate resource sharing in small home networks

• Resources shared with HomeGroup machines can be provided with some security

• The first Windows 7 machine on the Home network is asked to create a HomeGroup

–Work and domain computers can join a HomeGroup, but cannot create one

• Subsequent machines are asked if they’d like to join the existing HomeGroup

• Although Globomantics will not use the HomeGroup feature, the help desk has received some calls from users seeking advice regarding this feature

Configuring HomeGroup

Shared Access to Resources

What We Covered

Resource sharing overview

Basic vs. advanced sharing

Understanding Share vs. NTFS permissions

Offline folder caching

Sharing printers and managing print queues

Windows 7 libraries

Configuring HomeGroup

Windows 7 Administration Training Instructor: Scott Lowe

Using DirectAccess and VPN Connections

Using DirectAccess and VPN Connections

In This Lesson:

DirectAccess features

DirectAccess server requirements

Configuring DirectAccess – client side

Understanding DirectAccess connection types

DirectAccess client requirements

Enabling VPN-based remote access

VPN authentication mechanisms

Password-based authentication mechanisms

Windows 7 VPN connections

Using DirectAccess and VPN Connections

• Globomantics is a company on the move!

• With an ever-growing force of sales people making the rounds visiting potential customers, those mobile professionals need to maintain a constant link with the mother ship in order to keep the wheels of business turning and to make sure that they always have the most current information about clients in order to maximize their efforts

• Windows 7's DirectAccess and VPN capabilities are a perfect fit

• Business need

–Mobility has become a very high priority to keep mobile professionals in touch as if they were in the office

–Enabling this mobility in a way that doesn't leave the organization at risk of exploitation is key

Scenario

• DirectAccess is a new Windows Server 2008 R2 and Windows 7 feature that enables VPN-like connectivity but without the need to establish a traditional VPN connection

– Fully bidirectional – corporate servers can see clients

–Can be integrated with Network Access Protection to improve security

–Requires no user intervention; connects even before the user logs on to the machine

– Fully transparent to the end user as the connection process is automatic

–Connected as soon as the computer is able to use the network connection

–Allows the remote machine to continue to receive Group Policies and software updates

DirectAccess Features

• DirectAccess requires significant server-side configuration in order to operate (beyond the scope of this course)

–Domain-joined Windows Server 2008 R2 server

–At least two network adapters

• The "public" network adapter must have two consecutive public IP addresses

• Other adapter must be connected to internal network

–A public key infrastructure (PKI) must be in place

–An Active Directory security group that contains accounts for the computers that will connect via DirectAccess

–Domain must have a Windows Server 2008 R2 domain controller and DNS server

– Internally accessed resources must be IPv6 capable

DirectAccess Server Requirements

• Public IPv6

–The eventual goal; the client is using a public IPv6 address and connects to Globomantics' network via IPv6

• 6to4

– For clients that use a public IPv4 address, a 6to4 tunnel can be established

• Teredo

– For clients that sit behind a Network Address Translation (NAT) device and use a private IP address, DirectAccess uses a Teredo connection method

• IP-HTTPS

–When all else fails, this is the fallback connection type

–Does not perform as well as other methods

Understanding DirectAccess Connection Types

• Only the Enterprise and Ultimate editions of Windows 7 support DirectAccess

• Only domain-joined computers that belong to a DirectAccess security group can connect to DirectAccess servers

• DirectAccess configuration is distributed to clients via Group Policy with little manual configuration necessary

– It is possible to configure individual clients with the netsh command

DirectAccess Client Requirements

• Group Policy Objects

–Computer Configuration > Administrative Templates > Network > TCPIP Settings > IPv6 Transition Technologies

• 6to4 Relay Name

• IP-HTTPS State

• Teredo Default Qualified

• Teredo Server Name

• Computer Configuration > Windows Settings > Name Resolution Policy

– Generally configured during the server-side setup

Configuring DirectAccess – Client Side

• Netsh commands (overridden by Group Policies)

–netsh interface ipv6 set teredo enterpriseclient <serverIPv4address>

–netsh interface 6to4 set relay <serverIPv4address>

–netsh interface httpstunnel add interface client https://externalIPv4name/IPHTTPS

–netsh interface

• ipv6 show teredo

• 6to4 show relay

• httpstunnel show interfaces

Configuring DirectAccess – Client Side

Enabling VPN-Based Remote Access

• VPNs are traditional, broadly supported remote access and point-to-point connection mechanisms

• For the purposes of this lesson, we're focused on the remote access side of the VPN house

• Windows 7 supports four different VPN connection methods

– IKEv2/VPN Reconnect (Internet Key Exchange)

–SSTP (Secure Socket Tunneling Protocol)

– L2TP/IPSec (Layer 2 Tunneling Protocol)

–PPTP (Point-to-point Tunneling Protocol)

• IKEv2/VPN Reconnect

–Brand new in Windows 7

• Works only in Windows 7 & Windows Server 2008 R2

–Supports IPv6

–Also supports VPN Reconnect

–NAT-friendly

• SSTP

–Tunnels traffic over port 443, making it firewall-friendly

–Cannot be used in a web proxy environment that requires user authentication

–Works in Windows Vista SP1 and Windows Server 2008

Enabling VPN-Based Remote Access

• L2TP/IPSec

–More secure than PPTP

–NAT-friendly (supports NAT-T when clients do)

–Supports either preshared key or certificate-based authentication

–Very commonly deployed VPN type

–Works in Windows 2000 and later

• PPTP

– Least secure VPN type

–Does not support the use of certificate-based authentication

–Arguably the most deployed VPN type

• Works in Windows 2000 and later

Enabling VPN-Based Remote Access

• Password-based options

–EAP/PEAP-MS-CHAPv2 (Protected/Extensible Authentication Protocol)

–PEAP/PEAP-TLS (Protected Extensible Authentication Protocol-Transport Layer Security)

–MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol)

–CHAP (Challenge Authentication Protocol)

–PAP (Password Authentication Protocol)

• VPN connections can also be authenticated using smart cards or pre-installed certificates

VPN Authentication Mechanisms

• EAP/PEAP-MS-CHAPv2

–Most secure of the password-based options

–Requires a computer certificate on the VPN server

–No client certificate is necessary

• PEAP/PEAP-TLS

–Requires a computer certificate on the VPN server

–Clients authenticate using certificates

• MS-CHAPv2

–A simple password-based authentication protocol

Password-Based Authentication Mechanisms

• CHAP

–Not supported under Windows Server 2008's remote access services, but is enabled in Windows 7 clients

–Used as a fallback when more secure options are not available

• PAP

– Least secure

–Not supported under Windows Server 2008's remote access services

–Not enabled in Windows 7 clients

• Can be enabled if necessary

Password-Based Authentication Mechanisms

• VPN Reconnect

–VPN Reconnect is a brand new feature in Windows 7 intended to allow for a more stable remote experience

–As users lose network connections or move to other connections (e.g. between Wi-Fi hotspots), VPN Reconnect automatically reconnects the user to the VPN connection

–Network connectivity can be lost for as long as 8 hours

• Globomantics has established a Windows Server 2008 R2-based remote access server

–Your job is to create a VPN connection from a client and explore the possible options

Windows 7 VPN Connections

What We Covered

DirectAccess features

DirectAccess server requirements

Configuring DirectAccess – client side

Understanding DirectAccess connection types

DirectAccess client requirements

Enabling VPN-based remote access

VPN authentication mechanisms

Password-based authentication mechanisms

Windows 7 VPN connections

My Favorite Supporting Resources

1. Teredo tunneling

• http://en.wikipedia.org/wiki/Teredo_tunneling

2. DirectAccess Technical Overview for Windows 7 and Windows Server 2008 R2

• http://technet.microsoft.com/en-us/library/dd637827(WS.10).aspx

3. 10 things you should know about DirectAccess

• http://blogs.techrepublic.com.com/10things/?p=1371

4. Group Policy Management Console and Editor (DirectAccess)

• http://technet.microsoft.com/en-us/library/ee624060(WS.10).aspx

Managing BranchCache

In This Lesson:

Understanding BranchCache

Requirements

BranchCache operating modes

About local cache mode

BranchCache operational diagram

Managing BranchCache with Group Policy

Managing BranchCache with Netsh

Monitoring BranchCache

• Globomantics has a number of small regional offices with relatively slow connections to the Internet

• Corporate IT has become concerned with ever-increasing bandwidth costs related to constant communication with headquarters

• The Globomantics CIO has decided that all smaller regional sites will use Distributed Mode BranchCache (the mode covered in this lesson)

• Larger regional offices will eventually use Hosted Mode

• Business need

– Increase employee productivity by reducing the time it takes to download items

–Reduce bandwidth costs by caching content locally

Scenario

• BranchCache is new to Windows 7 and Windows Server 2008 R2

–Does not work at all on older versions of Windows

• The feature caches remote content on local computers and

–Speeds up access to information

–Reduces bandwidth costs

• Lowers TCO

• Increases efficiency

• Transparent to the end user

–Automatically activates when the latency to a file hosting server exceeds 80 ms (definable via Group Policy)

–Has been described as a "black box"

Understanding BranchCache

• A working, configured BranchCache server

–Windows Server 2008 R2 Enterprise or Datacenter

–Beyond the scope of this course to cover server side deployment

–See My Favorite Supporting Resources slide for more information

• Client

–Windows 7 Enterprise or Ultimate

Requirements

• Hosted Cache mode

–Uses a BranchCache-enabled server at a remote location to cache content from a central site

–Clients at the remote site obtain their content from this caching server

• Only if that server has the content

• Otherwise, content is acquired from the original server

• Distributed Cache mode

– Ideal for small offices – General Microsoft guidance indicates this as a site with fewer than 50 people

–Negates the need for a dedicated branch server

–Each Windows 7 client maintains its own cache and other clients request the data via network broadcasts

BranchCache Operating Modes

• There is a third BranchCache operating mode

• Local cache mode

–When enabled, the local client caches the files

–These files are used only by the local client

–None of the cached information is shared with other systems

About Local Cache Mode

• Computer Configuration > Administrative Templates > Network > BranchCache

• Required firewall changes

– Inbound & outbound TCP port 80

–Distributed mode: Inbound & outbound UDP port 3702

–Hosted mode: Outbound TCP port 443

–We cover firewall rules creation in the lesson entitled Protecting Windows 7

Managing BranchCache with Group Policy

• Disk space

–Default: BranchCache uses up to 5% of available disk space

–Policy name: Set Percentage of Disk Space Used For Client Computer Cache

• Latency

–Default: 80 milliseconds

–Policy name: Configure BranchCache for Network Files

• Group Policy configured items trump netsh configured items

Managing BranchCache with Group Policy

• Netsh branchcache set service mode=distributed

–Enables BranchCache in distributed mode

– Firewall rules are automatically created

–Other mode options

• Local (Netsh branchcache set service mode=local)

• Hosted client (Netsh branchcache set service mode=hostedclient location=gm-file.globomantics.com)

• Hosted server (Netsh branchcache set service mode=hostedserver clientauthentication=domain)

• Netsh branchcache show status

–Shows the current status of the BranchCache service

Managing BranchCache with Netsh

• Netsh branchcache set cachesize size=30 percent=true

–Allows BranchCache to use up to 30% of total disk space for caching

• Netsh branchcache show localcache

–Shows the contents of the local BranchCache cache

• Netsh branchcache smb set latency 1000

–Sets the latency value to 1000 milliseconds

Managing BranchCache with Netsh

• Netsh branchcache show status all

• Performance monitor counters

–Windows 7 includes more than twenty BranchCache related counters

–Performance Monitor is covered in the lesson entitled Monitoring and maintaining Windows 7

Monitoring BranchCache

What We Covered

Understanding BranchCache

Client side requirements

BranchCache operating modes

About local cache mode

BranchCache operational diagram

Managing BranchCache with Group Policy

Managing BranchCache with Netsh

Monitoring BranchCache

My Favorite Supporting Resources

1. BranchCache Deployment Guide for Windows Server 2008 R2 and Windows 7

• http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=4b14f942-b488-4f51-99e1-c4c8834b750e

2. BranchCache: Helping You Save on WAN Bandwidth Consumption at Branch Offices

• http://technet.microsoft.com/en-us/ff607489.aspx

Monitoring and Maintaining Windows 7

In This Lesson:

Performance Information and Tools utility

Event logging

Centralizing event logs

Using Performance Monitor

Data Collector Sets

Creating a new Data Collector Set

Task Manager

Resource Monitor

Reliability Monitor

A sample WMI script

• Monitoring the infrastructure for problems is a major component of a technology architecture

• You've been asked to understand desktop performance monitoring to keep users operating at peak productivity and keep potential minor security events from becoming big ones

• Business need

–Event monitoring provides early identification for what could become larger security or performance problems

–Performance monitoring helps identify what steps need to be taken to keep Globomantics operating at a high level

Scenario

• Windows Experience Index

–Creates a metric based on the hardware and software capabilities for each listed component

–The system base score is determined by the lowest subscore

–More detailed information can be gathered

Performance Information and Tools

• Commonly used to gain in-depth knowledge about what is creating a system problem

• Most Windows programs are designed to write detailed information into the Windows event logs

• Windows logs

–Application

–Security

–Setup

–System

– Forwarded events

–Other application and service logs

Event Logging

• Filtering logs and creating views

–View only Critical event types

–Create a view that logs only Critical events

• Globomantics will create this log view on every desktop PC to aid in future troubleshooting efforts

• Saving/exporting log files

–A user is experiencing an intermittent hardware problem

• You will export the contents of the user's event logs to a file so that you can examine them on your own machine while the user continues working

Event Logging

• Not all problems are limited to a single computer

• Aggregating log files may help to identify broader issues, such as network, DHCP or DNS issues, among other items

• Globomantics will aggregate critical desktop log events on the server named GM-DC

–Enable WinRM on all systems (winrm quickconfig)

–On GM-DC (collector), execute the command wecutil qc

• WECutil = Windows Event Collector tool

– Enable the ForwardedEvents channel

– Start the Windows Event Collector service

–Add the computer account for GM-DC to the local Administrators group on each desktop

Centralizing Event Logs

• On the Collector machine (GM-DC)

–Create a subscription

• Choose subscription parameters, including

– Computers from which events should be pulled

– Event/source types to forward

– Severity types to forward

– Date/time range

– Log to which events should be written

• Note: Events are copied to the collector machine; they also remain local

• View event collection status to verify operation

Centralizing Event Logs
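
The subscription described on the two slides above, written as a file that wecutil can load instead of being clicked through in Event Viewer. This is an added example, not material from the course: the function name, subscription ID and desktop names are hypothetical, and it assumes a collector-initiated subscription for Critical events (Level 1) written to the ForwardedEvents log.

```powershell
# Added example (not from the course): builds a collector-initiated subscription
# for Critical events and checks that it is well-formed before wecutil sees it.
# Works on PowerShell 2.0, which ships with Windows Server 2008 R2 and Windows 7.

function New-CriticalEventSubscriptionXml {
    param(
        [Parameter(Mandatory = $true)] [string]   $SubscriptionId,
        [Parameter(Mandatory = $true)] [string[]] $SourceComputer,
        [string[]] $LogName = @('System', 'Application')
    )

    # Level=1 is the Critical severity; one Select element per source log.
    $selects = foreach ($log in $LogName) {
        '<Select Path="{0}">*[System[(Level=1)]]</Select>' -f $log
    }
    $query = '<QueryList><Query Id="0">{0}</Query></QueryList>' -f ($selects -join '')

    # One EventSource element per desktop the collector pulls from.
    $sources = foreach ($computer in $SourceComputer) {
        # Accept only plain host names so nothing else ends up in the XML.
        if ($computer -notmatch '^[A-Za-z0-9][A-Za-z0-9.-]*$') {
            throw "Unexpected computer name: $computer"
        }
        '    <EventSource Enabled="true"><Address>{0}</Address></EventSource>' -f $computer
    }
    $sourceBlock = $sources -join "`r`n"
    $id = [System.Security.SecurityElement]::Escape($SubscriptionId)

    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$id</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Critical events pulled from Globomantics desktops</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[$query]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sourceBlock
  </EventSources>
</Subscription>
"@

    # Fail here, not inside wecutil, if the document is not well-formed XML.
    [void][xml]$xml
    return $xml
}

# Usage on the collector (GM-DC), from an elevated prompt, after "wecutil qc".
# The desktop names below are constructed for the example.
#   $desktops = 'gm-desk01.globomantics.com', 'gm-desk02.globomantics.com'
#   New-CriticalEventSubscriptionXml -SubscriptionId 'GM-Desktop-Critical' -SourceComputer $desktops |
#       Set-Content -Path .\gm-critical.xml -Encoding UTF8
#   wecutil cs .\gm-critical.xml        # create the subscription from the file
#   wecutil gr GM-Desktop-Critical      # runtime status for each event source
```

For the System and Application logs, adding the GM-DC computer account to each desktop's Event Log Readers group is a narrower grant than local Administrators and is enough for the collector to read them.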

• Used to visually monitor a variety of Windows performance counters, event trace data and configuration information

–Performance counters measure system state and activity

–Event trace data is collected from trace providers

• Operating system or application components that report actions or events

–Configuration information is collected from values stored in the registry

• Can be used to view data in real time or save information to a log file for future viewing

• Useful for tracking down errant software

Using Performance Monitor

• Performance counter permissions

–Regular users

• Can view only historical information

• Cannot manipulate Data Collector Sets

• Cannot view real-time information

–Members of the Performance Monitor Users group

• Can view both historical and real-time information

• Cannot manipulate Data Collector Sets

–Members of the Performance Log Users group

– Can view both historical and real-time performance information

– Can manipulate Data Collector Sets

Using Performance Monitor

• Globomantics needs to track down software or software combinations that might be creating adverse disk performance

–Create a performance view that includes the following counters to see how disks are performing

• PhysicalDisk: Disk Read Bytes/sec

• PhysicalDisk: Disk Reads/sec

• PhysicalDisk: Disk Write Bytes/sec

• PhysicalDisk: Disk Writes/sec

• PhysicalDisk: Disk Queue Length

Using Performance Monitor

• Performance Monitor views that have been exported

–Brings together multiple data collection items into single reports that can be used to review system performance

–Collector types

• Performance Counter Data Collector

– Collect historical performance counter-related system statistics

• Event Trace Data Collector

– Collect event-related information

• Configuration Data Collector

– Information from the system registry

• Performance Counter Alert

– A specific performance counter condition is met

Data Collector Sets

• Data sets included in Windows 7

–System Performance

• Use to troubleshoot a system that is not performing well

– Disk

– Network

– RAM

– Processor

–System Diagnostics

• Use to troubleshoot an unreliable system

– All of the stats gathered by the System Performance data collector set

– Additional system information related to reliability

Data Collector Sets

• Use a built-in Data Collector Set to determine which files are having the most impact on disk performance and correlate these files with a running process

• Modify the System Performance Data Collector Set to run for five minutes and to run daily at 3:00 PM

Data Collector Sets

• Simply watching disk performance in real time could be a laborious task and the intermittent issue may not surface

• Globomantics will create a new Data Collector Set that watches and logs the same disk counters we looked at previously

–PhysicalDisk: Disk Read Bytes/sec

–PhysicalDisk: Disk Reads/sec

–PhysicalDisk: Disk Write Bytes/sec

–PhysicalDisk: Disk Writes/sec

–PhysicalDisk: Disk Queue Length

–Base the Data Collector Set on an existing Performance Monitor set

Creating a New Data Collector Set

• Provides information about

–Running applications, processes and services

• Can kill running applications and misbehaving processes as well as start and stop services

–CPU usage – overall and by core

–RAM usage

–Network utilization

–Currently logged in users

• Arguably the most used monitoring tool in Windows

Task Manager

• Resource Monitor is relatively new to Windows, but adds a huge punch to the monitoring arsenal

• Quickly access at-a-glance system statistics and associate processes with specific system characteristics

–Ascertain which processes are actively using the disk or network

• What exact iexplore.exe process is using major bandwidth?

• Globomantics will use the Resource Monitor to determine file and process associations

Resource Monitor

• A new tool in Windows 7 available via the Control Panel's Action Center

• Divines a "stability index" as a value from 1 to 10 that describes system performance as a function of reliability

• Provides administrators with at-a-glance information that can help to correlate system stability issues with new updates, software installations and other system events

• Use Reliability Monitor to attempt to find a root cause for ongoing stability issues reported by a Globomantics user

Reliability Monitor

• GUIs are good for gathering information from a single system

• If you want to gather information from other systems, consider writing a script to gather information using Windows Management Instrumentation

• Globomantics will write a script that help desk technicians can use to gather basic system information, including

–System name

–Total virtual memory

–Available memory

–Operating system version and service pack level

A Sample WMI Script
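
A help desk script along the lines this slide describes, as an added example rather than the script shown in the course. The function name and the desktops.txt file are hypothetical; the properties come from the Win32_OperatingSystem WMI class, and "available memory" is taken to mean free physical memory.

```powershell
# Added example (not the course's script): basic system inventory through WMI.
# Written for PowerShell 2.0, which ships with Windows 7. Querying a remote
# machine needs administrative rights there and WMI allowed through its firewall.

function Get-BasicSystemInfo {
    param(
        [string[]] $ComputerName = @($env:COMPUTERNAME)
    )

    $columns = 'ComputerName', 'OperatingSystem', 'Version', 'ServicePack',
               'TotalVirtualMB', 'AvailablePhysicalMB', 'Status'

    foreach ($computer in $ComputerName) {
        try {
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop

            $servicePack = '{0}.{1}' -f $os.ServicePackMajorVersion, $os.ServicePackMinorVersion

            # Win32_OperatingSystem reports memory sizes in kilobytes.
            $row = New-Object PSObject -Property @{
                ComputerName        = $os.CSName
                OperatingSystem     = $os.Caption
                Version             = $os.Version
                ServicePack         = $servicePack
                TotalVirtualMB      = [math]::Round($os.TotalVirtualMemorySize / 1KB)
                AvailablePhysicalMB = [math]::Round($os.FreePhysicalMemory / 1KB)
                Status              = 'OK'
            }
        }
        catch {
            # Unreachable host, blocked firewall or access denied: keep a row so
            # the gap shows up in the report instead of the machine going missing.
            $row = New-Object PSObject -Property @{
                ComputerName        = $computer
                OperatingSystem     = $null
                Version             = $null
                ServicePack         = $null
                TotalVirtualMB      = $null
                AvailablePhysicalMB = $null
                Status              = $_.Exception.Message
            }
        }

        # Hashtable order is not preserved in PowerShell 2.0, so fix the column order here.
        $row | Select-Object $columns
    }
}

# Usage (desktops.txt is a hypothetical file with one computer name per line):
#   Get-BasicSystemInfo -ComputerName (Get-Content .\desktops.txt) |
#       Export-Csv -Path .\inventory.csv -NoTypeInformation
```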

What We Covered

Event logging

Centralizing event logs

Using Performance Monitor

Data Collector Sets

Creating a new Data Collector Set

Task Manager

Resource Monitor

Reliability Monitor

A sample WMI script

My Favorite Supporting Resources

1. Windows Performance Analysis Developer Center

• http://msdn.microsoft.com/en-us/performance/default.aspx

2. Windows Management Instrumentation (WMI) scripting guide

• http://msdn.microsoft.com/en-us/library/Aa286547

Configuring Performance Settings

In This Lesson:

Changing graphics settings

Configuring virtual memory

Understanding write caching

Optimizing processes with Task Manager

Managing processor scheduling settings

Optimizing services

Using msconfig to boost performance

• A high performance organization, Globomantics demands top performing computing hardware

• Just like not maximizing a sale is "leaving money on the table", not optimizing hardware has a similar result: Lost money due to inefficiency

• Business need

–Maximize computing resources to maximize ROI on the computing investment

Scenario

• Windows Aero is visually stunning, but can require significant system resources, particularly for lower-end or borderline systems

• Selectively disable Aero features – or disable Aero altogether – to improve overall system performance

• Globomantics has a two-year-old system that they'd like to keep in production but the system is having trouble keeping up with the user's demand

–By disabling Aero, you may be able to extend the life of that PC investment and save the company money

Changing Graphics Settings

• Systems have only so much RAM

• As programs and services begin to consume all available memory, Windows uses temporary storage called a paging file

• A paging file consists of a file on each hard disk

• Information is automatically moved between RAM and the paging file as necessary, freeing up RAM for system needs

–RAM = extremely fast data access and retrieval

–Paging file = Relatively very slow access and retrieval

Configuring Virtual Memory

• Running low on memory has a major impact on system performance as the system begins "paging"

• As users begin to receive virtual memory-related error messages, this is an indication that the system needs more RAM or you need to increase the size of the paging file

–More RAM is always the preferred option

–Windows generally does a very good job managing the size of the paging file

• The users in the Globomantics Marketing department have been complaining about virtual memory errors for particularly large projects

–New computers are on order for this department

– For now, simply increase the size of the paging file

Configuring Virtual Memory

• When a system's hard drive is busy, information intended to be written can be saved in a high-speed cache

–Once the hard drive is available, cached information is written to the disk

–Keeps the user working while the system handles the technicalities

–Can result in data loss if system power is interrupted or if the storage device is removed before the cache is cleared

• Device properties page for the system hard drive

–Enable write caching on the device

–Turn off Windows write-cache buffer flushing on the device

• Globomantics uses USB-connected batteries on all desktops so make sure that write caching is enabled

Understanding Write Caching

• Removable devices – e.g. flash drives – have similar options available on the drive's Device Manager page

–Removal Policy

• Quick removal (default)

– Device uses write-through caching

– The device can be simply removed

• Better performance

– Write caching and buffering are enabled

– Need to use Safely Remove Hardware to remove device

• A user accidentally configured a USB device for 'Better performance' and has been losing information

Understanding Write Caching

• Understanding process affinity

–Choose the processor/core on which to run a particular process

• Globomantics will run DVD burning software – a sometimes CPU intensive task – on a specific core

• Understanding process priority

–Provide a process with a modified priority level

• Marketing wants to make sure that their hefty PowerPoint presentations don't have major contention with other system resources

• You will set the PowerPoint priority level to AboveNormal

• Don't set too many processes to High or Realtime

Optimizing Processes with Task Manager

• By default, Windows 7 is configured to favor programs over background services when it comes to scheduling processor time

• You can change this setting if you have a desktop machine that handles more background services than programs

• Globomantics has a desktop PC that will be used for backup purposes

–Set this PC's processor scheduling to favor background services

Managing Processor Scheduling Settings

• Windows 7 ships with a core set of enabled and running services

• Every service

–Uses system resources such as RAM and processor

–Opens an additional system attack vector

• Not all services are necessary in order for users to do their jobs

• Disable or set to Manual services not needed by users

– In general, Manual is a safe choice

• The Windows Media Player Network Sharing Service should never be used by Globomantics employees and will be disabled

Optimizing Services
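
One way to check and enforce the service decision from this slide across several desktops, as an added example that is not part of the course. The function name is hypothetical; WMPNetworkSvc is the service name of the Windows Media Player Network Sharing Service, and the script only reports unless -Apply is given.

```powershell
# Added example (not from the course): report, and optionally change, the start
# mode of services users do not need. Uses WMI so it also runs on PowerShell 2.0.

function Set-UnneededService {
    param(
        [string[]] $ComputerName = @($env:COMPUTERNAME),
        [string[]] $ServiceName  = @('WMPNetworkSvc'),
        [ValidateSet('Manual', 'Disabled')]
        [string]   $TargetMode   = 'Disabled',
        [switch]   $Apply
    )

    foreach ($computer in $ComputerName) {
        foreach ($name in $ServiceName) {
            # The name goes into a WQL filter, so accept only plain service names.
            if ($name -notmatch '^[A-Za-z0-9_.-]+$') { throw "Unexpected service name: $name" }
            $filter = "Name='$name'"

            $action = 'ReportOnly'
            $svc    = $null
            try {
                $svc = Get-WmiObject -Class Win32_Service -ComputerName $computer -Filter $filter -ErrorAction Stop
                if (-not $svc) {
                    $action = 'NotInstalled'
                }
                elseif ($Apply -and $svc.StartMode -ne $TargetMode) {
                    # When disabling, stop the service too so it is gone now,
                    # not only after the next reboot.
                    if ($TargetMode -eq 'Disabled' -and $svc.State -ne 'Stopped') {
                        [void]$svc.StopService()
                    }
                    $rc = $svc.ChangeStartMode($TargetMode).ReturnValue
                    if ($rc -eq 0) { $action = "SetTo$TargetMode" }
                    else           { $action = "ChangeStartMode returned $rc" }

                    # Re-read so the report shows the state after the change.
                    $svc = Get-WmiObject -Class Win32_Service -ComputerName $computer -Filter $filter -ErrorAction Stop
                }
            }
            catch {
                $action = "Error: $($_.Exception.Message)"
            }

            $startMode = $null
            $state     = $null
            if ($svc) {
                $startMode = $svc.StartMode   # Auto, Manual or Disabled
                $state     = $svc.State       # Running, Stopped, ...
            }

            $row = New-Object PSObject -Property @{
                ComputerName = $computer
                Service      = $name
                StartMode    = $startMode
                State        = $state
                Compliant    = ($startMode -eq $TargetMode)
                Action       = $action
            }
            $row | Select-Object ComputerName, Service, StartMode, State, Compliant, Action
        }
    }
}

# Usage (desktops.txt is a hypothetical file with one computer name per line):
#   Set-UnneededService -ComputerName (Get-Content .\desktops.txt)           # report only
#   Set-UnneededService -ComputerName (Get-Content .\desktops.txt) -Apply    # disable and stop
```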

• Although it's better to uninstall software you don't want, you can disable software that starts up with the system using the msconfig tool

• Msconfig is also a great troubleshooting tool

• Globomantics will use Msconfig to verify that only absolutely necessary startup items load at boot time

Using Msconfig to Boost Performance

What We Covered

Changing graphics settings

Configuring virtual memory

Understanding write caching

Optimizing processes with Task Manager

Managing processor scheduling settings

Optimizing services

Using msconfig to boost performance

Configuring Backup and Recovery

In This Lesson:

Windows 7's backup and restore utility

Configuring Windows Backup

Restoring files from a backup

Creating and restoring system images

Creating a system repair disk

Creating and using system restore points

Previous versions

Understanding advanced boot options

Understanding Last Known Good Configuration

• Globomantics' regional offices sit in areas prone to earthquakes, tornados, and hurricanes

• You need to make sure that the company is ready to quickly recover should the unthinkable happen

• Some business desktops hold critical company information and are key to business processes

• Business need

–Backups remain a key component of a recovery plan

–Automating this process keeps costs at a reasonable level

–Testing backups by recovering data is a good best practice

Scenario

• Windows 7 includes a utility capable of backing up and restoring files, folders and even a full image of the computer

• You can back up to a number of destinations, including

– Internal hard drives

–External hard drives

–Network locations

–USB flash drives

–Writeable CDs and DVDs

• There are significant pros and cons to all of the options

Windows 7's Backup and Restore Utility


• Internal hard drives

–Pros

• Cheap storage with lots of space

• Secure since they're in the chassis

• Very fast

–Cons

• Not separate from the computer itself

• Installation requires some technical knowledge

Windows 7's Backup and Restore Utility


• External hard drives

–Pros

• Also very cheap with a lot of space

• Easy to connect

• Easy to keep separate from the computer

–Cons

• "Out of sight, out of mind"

Windows 7's Backup and Restore Utility


• Network locations

–Pros

• Extremely convenient

• Easy to add additional server storage space

–Cons

• Can be slow if the network isn't up to snuff

• Saving to a network location is only available in Windows 7 Professional, Enterprise and Ultimate

• User rights to storage location must be Full Control for both the share and for NTFS

Windows 7's Backup and Restore Utility


• USB flash drives

–Pros

• Easy to install

• Ubiquitous; it's easy to find flash drives

• You can store the backups separately from the computer

–Cons

• USB flash drives don't support all backup use cases, such as system image backups

• USB flash drives don't scale well; eventually, your backup needs will outgrow available space

Windows 7's Backup and Restore Utility


• Writeable CDs and DVDs

–Pros

• CD/DVD burners are readily available in most new systems

• Media is very inexpensive

• You can store the backups separately from the computer

–Cons

• Not flexible; can't save system images to CD/DVD

• You may need several discs to perform a full backup

Windows 7's Backup and Restore Utility


• Cannot back up to

–Volumes not formatted as NTFS, FAT or UDF

–The drive being backed up

–The Windows volume

–A recovery partition

–A locked BitLocker partition

–Tape

Windows 7's Backup and Restore Utility


• Globomantics will schedule a file/folder backup (Let Windows choose) that runs on the default schedule

• Steps

–Choose a location in which to store backups

–Choose what to back up

• Let Windows choose

– Backs up files saved in libraries, stored on the desktop and in default Windows folders for all user accounts

– Only local files are included, even if remote files are included in a local library

– If there is space at the destination, Windows includes a system image

Configuring Windows Backup


• Let me choose

– You get to decide exactly what gets backed up

• Decide on a backup schedule

–Default is to run the backup every Sunday at 7PM

–Can be configured to run daily, weekly or monthly

–Can be configured to not recur; i.e. configure the backup job to run one time and back up the system

• Review settings

• Await backup completion

–Monitoring backup status

Configuring Windows Backup


• Individual files and folders can be restored from a backup

–You can restore objects to their original location; this will overwrite the current copy

–You can restore objects to a different location; this will preserve both copies of the object

• The POS system operator has indicated that she's lost an important spreadsheet and wants you to see if you can restore it from a system backup using the backup utility

• The other POS operator (Steve Smith) has been having strange problems that seem to be related to user profile corruption

–Restore Steve's user profile from backup

Restoring Files from a Backup


• A Windows 7 system image is basically a snapshot of one of the volumes in a system (allows a "bare metal restore")

– It includes everything needed for Windows to run

– Includes system settings, personal files and programs

–Can't be scheduled to run on a periodic basis with the GUI

–Stored as a VHD file (usable in Virtual PC)

–Does not allow restoration of individual files; it's all or nothing

• Globomantics will use this feature to back up and test restore a Windows 7-based point of sale system on a scheduled basis

–Use the wbadmin utility to schedule

–You will also use the bcdedit utility to convert the VHD system image file into a bootable device

Creating and Restoring System Images
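The scheduling and VHD boot steps named on this slide, sketched as an added example (not code from the course), to be run from an elevated PowerShell prompt. The target volume `E:`, the task name, the weekly Sunday 19:00 schedule and the VHD path are assumptions chosen for illustration.

```powershell
# Added example, not from the course. Run from an elevated PowerShell prompt.
# Assumed values: target volume, task name and VHD path are placeholders.
$target   = 'E:'                 # assumed backup volume; cannot be the Windows volume
$taskName = 'POS-SystemImage'    # hypothetical task name

# 1. Schedule a weekly system image. -allCritical includes every volume needed
#    for a bare metal restore; -quiet suppresses the confirmation prompt.
$backupCmd = "wbadmin start backup -backupTarget:$target -include:C: -allCritical -quiet"
schtasks /create /tn $taskName /tr $backupCmd /sc weekly /d SUN /st 19:00 /ru SYSTEM /rl HIGHEST /f
if ($LASTEXITCODE -ne 0) { throw "schtasks failed with exit code $LASTEXITCODE" }

# 2. After a run, check the task's last result and list the images on the target.
schtasks /query /tn $taskName /v /fo list
wbadmin get versions "-backupTarget:$target"

# 3. Test restore: add a boot entry that points at a COPY of the image VHD.
#    Booting the original VHD would modify the backup itself.
$vhd = '[D:]\VHD\pos-test.vhd'   # constructed path to the copied VHD
$copyOutput = bcdedit /copy '{current}' /d 'POS image (VHD test boot)'
$guid = [regex]::Match(($copyOutput -join ' '), '\{[0-9a-fA-F-]{36}\}').Value
if (-not $guid) { throw 'bcdedit /copy did not return a new entry identifier' }

bcdedit /set $guid device   "vhd=$vhd"
bcdedit /set $guid osdevice "vhd=$vhd"
bcdedit /set $guid detecthal on

# Remove the test entry once the restore has been verified:
# bcdedit /delete $guid
```

Native VHD boot is only supported on Windows 7 Enterprise and Ultimate, so the third step applies to those editions.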


• Sometimes, a system becomes completely unbootable

• A system repair disk can be used to boot a computer when this happens

• You can also use a system repair disk to restore a computer from a system image

• You will create a system repair disk for the Globomantics POS system

Creating a System Repair Disk


• System restore points contain critical system information, such as registry information

• Among other times, restore points are created

–When new software is installed

–When Windows Update installs new updates

–When new drivers are installed that are not digitally signed by Windows Hardware Quality Labs

–Upon request by the user

• Windows automatically deletes the oldest restore point in order to make room for the newest

Creating and Using System Restore Points


• This is not a full system restore

–Only system files and the registry are manipulated

–User files are not touched

• System Restore Point notes

–Restore points created from within Safe Mode cannot be undone

–NTFS required due to use of shadow copies (discussed later)

• Globomantics will create a system restore point on the aforementioned POS system right before a hardware upgrade

–You will explore the System Protection configuration tool

Creating and Using System Restore Points


• Windows 7 includes the ability to restore individual files and folders right from the Explorer interface

– Files included in both backups and restore points can often be rolled back to previous versions

• This Previous Versions capability uses Shadow Copies – shadow copies of files are automatically created by Windows

• These provide you with some powerful restore options

• If you're careful, you can even recover files that have been accidentally deleted

• Globomantics POS operator deleted a file and wants you to see if you can get it back using the Previous Versions feature

Previous Versions


• Safe Mode

• Safe Mode with Networking

• Safe Mode with Command Prompt

• Enable Boot Logging

• Enable low-resolution video (640x480)

• Last Known Good Configuration (advanced)

• Directory Services Restore Mode

• Debugging Mode (discussed previously)

• Disable automatic restart on system failure

• Disable Driver Signature Enforcement

Understanding Advanced Boot Options


• This is often considered a last ditch effort to get a system back to working order after a system failure

• This boot option uses a configuration set that Windows knows allowed the system to boot at some point in the past

• The registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet is used

–The key named ControlSet001 becomes CurrentControlSet after a successful boot

–Once this happens, you can't go back

• There's not a lot to do around this except to understand how it works, so let's take a look at the registry

Understanding Last Known Good Configuration
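For the registry walkthrough this slide leads into, the following added example (not code from the course) reads `HKEY_LOCAL_MACHINE\System\Select`, where Windows records which numbered control set currently fills each boot role, and reports the matching `ControlSetNNN` key. It only reads the registry and works in the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not from the course: map boot roles to numbered control sets.
# HKLM\SYSTEM\Select holds one DWORD per role; 0 means no set is assigned.
$select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'

$report = foreach ($role in 'Current', 'Default', 'Failed', 'LastKnownGood') {
    $number = $select.$role
    if ($number -gt 0) {
        # DWORD 1 -> ControlSet001, DWORD 2 -> ControlSet002, and so on.
        $keyName = 'ControlSet{0:D3}' -f $number
        $exists  = Test-Path "HKLM:\SYSTEM\$keyName"
    } else {
        $keyName = '(none)'
        $exists  = $false
    }
    New-Object PSObject -Property @{
        Role       = $role
        ControlSet = $keyName
        KeyExists  = $exists
    }
}
$report | Select-Object Role, ControlSet, KeyExists | Format-Table -AutoSize

# CurrentControlSet is a link to the set named by 'Current'. If LastKnownGood
# names the same set, choosing that boot option would not change the
# configuration that gets loaded.
if ($select.LastKnownGood -eq $select.Current) {
    'LastKnownGood and Current refer to the same control set.'
} else {
    'LastKnownGood refers to a different control set than Current.'
}

# A non-zero Failed value means an earlier Last Known Good boot set aside
# the control set that was current at that time.
if ($select.Failed -gt 0) {
    'A control set has been marked Failed: ControlSet{0:D3}' -f $select.Failed
}
```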


What We Covered

Windows 7's backup and restore utility

Configuring Windows Backup

Restoring files from a backup

Creating and restoring system images

Creating a system repair disk

Creating and using system restore points

Previous versions

Understanding advanced boot options

Understanding Last Known Good Configuration

Windows 7 Administration Training
Instructor: Scott Lowe

Preparing for TS: Windows 7, Configuring (70-680)


• Remember the exact steps taken to perform specific tasks

• Understand multiple ways for achieving the same goal

–GUI-based methods

–Command line-based methods

• Everything you learned in this course must combine with all of your own experience and exam preparation study if you want to pass

• Don't expect to watch the videos and then walk into the exam!

• Real-life – even lab-based – experience is essential for success

• Microsoft's exams are not easy

An Overview of Exam 70-680


• Candidates should be able to install, deploy, and upgrade to Windows 7, including ensuring hardware and software compatibility. Additionally, candidates should be able to configure pre-installation and post-installation system settings, Windows security features, network connectivity applications included with Windows 7, and mobile computing. Candidates should also be able to maintain systems, including monitoring for and resolving performance and reliability issues. Candidates should have a basic understanding of Windows PowerShell syntax.

The Candidate Profile


• Don't let the profile scare you

• You may not have all of the knowledge and working experience under your belt just yet

• Between this course, your personal prep work, lab practice and, hopefully, real-world experience you have with Windows 7, you can pass this exam

The Candidate Profile


• The exam measures your ability to accomplish the technical tasks below

– Installing, Upgrading, and Migrating to Windows 7 (14%)

–Deploying Windows 7 (13%)

–Configuring Hardware and Applications (14%)

–Configuring Network Connectivity (14%)

–Configuring Access to Resources (13%)

–Configuring Mobile Computing (10%)

–Monitoring and Maintaining Windows 7 Systems (11%)

–Configuring Backup and Recovery Options (11%)

• The percentages indicate the relative weight of each major topic area on the exam

Skills Being Measured


Objective/Lesson Mapping

Objective | Weight | Lessons
Installing, Upgrading, and Migrating to Windows 7 | 14% | An Introduction to Windows 7; Installing Windows 7
Deploying Windows 7 | 13% | Deploying Windows 7 Machines
Configuring Hardware and Applications | 14% | Configuring Hardware in Windows 7; Understanding Windows 7 Storage; Managing applications; Managing Internet Explorer
Configuring Network Connectivity | 14% | Configuring Networking in Windows 7; Protecting Windows 7
Configuring Access to Resources | 13% | Shared access to resources; Configure file and folder access; Protecting Windows 7; Managing BranchCache
Configuring Mobile Computing | 10% | Using DirectAccess and VPN connections; Configure file and folder access; Managing Mobility Options; Protecting Windows 7
Monitoring and Maintaining Windows 7 Systems | 11% | Monitoring and maintaining Windows; Configure performance settings; Protecting client computers with Windows updates; Understanding Windows 7 storage
Configuring Backup and Recovery Options | 11% | Configuring Backup and Recovery


• To prepare for this exam, I recommend the following

–Watch and study this course

–Use the Transcender test prep software included with this course

–Explore all topics in greater detail using Microsoft resources such as TechNet

– If possible, build a small home lab and get as much hands-on experience as possible

• What not to do

–Do not attempt to locate exam questions and answers online in the form of brain dumps

Personal Study Recommendations


• Schedule your exam

– It will motivate you to move ahead and study

• Practice, practice, practice

• Don't pull all-nighters when exam time rolls around

• Make sure you don't forget your ID on exam day

• Eat, sleep and don't rush

General Exam Prep Advice


• This exam is strictly focused on the configuration aspect of Windows 7 and is one exam included in the following client certification paths

–MCTS: Windows 7, Configuration

–MCITP: Enterprise Desktop Support Technician 7

• Pro: Windows 7, Enterprise Desktop Support Technician (70-685)

–MCITP: Enterprise Desktop Administrator 7

• Pro: Windows 7, Enterprise Desktop Administrator (70-686)

Credit Toward Certification


• 70-680 is also included in the following server certification paths

–MCITP: Enterprise Administrator

• TS: Windows Server 2008 Active Directory, Configuring (70-640)

• TS: Windows Server 2008 Network Infrastructure, Configuring (70-642)

• TS: Windows Server 2008 Applications Infrastructure, Configuring (70-643)

• Pro: Windows Server 2008, Enterprise Administrator (70-647)

Credit Toward Certification

Windows 7 Administration Training
Instructor: Scott Lowe

Next Steps


• Globomantics was running mostly Windows XP with some Windows Vista thrown in with no plans to move to Windows 7

• The company was recovering from a major security breach

• Globomantics' increasingly mobile sales force was challenged when on the road due to difficulty in connecting to the office

• Some users were having performance problems with the Windows Vista desktops

• The company was convinced that Windows 7 was a non-starter due to software compatibility issues with their finance tool

• Files were not always synchronized between HQ and the large regional office file server in a timely manner

• Bandwidth costs were rising as traffic between large office and HQ grew

Where You Started


• Section 1: Getting started with Windows 7 – features, deployment and configuration

• Section 2: Managing Windows 7 mobility and security

• Section 3: Configuring and managing applications and shared resources

• Section 4: Maintaining Windows 7

Course Building Blocks


• You've now completed the Windows 7 pilot deployment project for Globomantics!

• You've learned how to secure the organization from outside attack and prevent issues that could cause the company further embarrassment

• You've learned how to manage Windows 7 to achieve the highest possible effectiveness, highest possible ROI and lowest possible TCO

• You've enabled the Globomantics mobile sales force to be able to stay on the road while they stay well connected with the office

• You've learned how to leverage Windows 7's brand new features and integrate them into Globomantics' operations

What You’ve Accomplished


• Review the course areas where you still feel a little fuzzy

• Take a practice certification exam

• Join the community for supplemental information

–There are many Windows 7-focused resources (TechNet) where you can expand your Windows 7 knowledge by reading other people's questions

• Get hands-on practice (can't stress this enough)

• Keep the course as reference material for when you run into future problems

Your Road Ahead


• Consider social media feeds like Twitter and follow people you find knowledgeable in Windows 7

• Use the included Transcender lessons

–How to Use Transcender to Prepare for a Certification Exam

–Redeeming your Transcender

• How to redeem your Transcender voucher

• How to download and install the software

• Watch my lesson on preparing for the 70-680 exam

Your Road Ahead


My Favorite Supporting Resources

1. My favorite Windows 7 sites

• Microsoft's Springboard Series for Windows 7: http://technet.microsoft.com/en-us/windows/dd361745.aspx?ITPID=carepgm

• The Windows Team blog: http://windowsteamblog.com/

• Windows 7 Technical Library: http://technet.microsoft.com/en-us/library/dd349342(WS.10).aspx

• Petri IT Knowledgebase – Windows 7: http://www.petri.co.il/windows-7.htm


We Value Your Opinion


• There are many ways to reach us

• Call us at 1-888-229-5055 (worldwide: 1-847-776-8800)

• Email us at [email protected]

• Post in our forums at http://forums.trainsignal.com

• Comment on our blogs at http://www.trainsignaltraining.com


• Thank you for watching this course!

• I hope that you've enjoyed watching it as much as I've enjoyed creating it

• Now, go forth and study, study, study and pass that 70-680 exam!

Thank You and Good Luck!