Windows 7 Administration Training
Instructor: Scott Lowe
Getting Started With Windows 7 Administration Training
In This Lesson:
What we're building
About your instructor
About the course
Before you begin
How to use the course
What We're Building
• In this course, we'll be creating a complete Windows 7 deployment plan that includes:
– Real business justifications for moving to Windows 7 at Globomantics, a pharmaceutical distributor with offices nationwide and a growing mobile sales force
– Processes that make Windows 7 deployment a breeze and add to the Globomantics bottom line
– Ways to use Windows 7's exciting new features to improve the security of the desktop environment and keep Globomantics within regulatory compliance parameters
– Methods to optimize Windows 7 performance and eke out every ounce of capability to extend the life of the desktop investment
About Your Instructor
• Scott Lowe
– Chief Information Officer, Westminster College, Fulton, MO
– Prolific author of more than 1,000 technical articles and three books
– Microsoft Certified Systems Engineer
– Frequent early adopter of new technologies, including Windows 7!
– Seasoned IT pro with more than sixteen years of experience
– Father of 2, husband of 1
• 6-year-old son is proficient with his iPod Touch and Internet Explorer
About the Course
• A high-level overview of the course
– Getting started with Windows 7 – features, deployment and configuration
– Managing Windows 7 mobility and security features
– Configuring and managing applications and shared resources
– Maintaining and optimizing Windows 7
Before You Begin
• Understand a few underpinnings, including
– Basic IPv4 and IPv6 address structures and requirements
– Overall Active Directory concepts, including Structures, User groups, Organizational Units
• Expand your foundational knowledge with these Train Signal products
– Group Policy
– Active Directory
– TCP/IP
– Networking Fundamentals
How to Use the Course
• Follow along at home
– Best possible certification preparation!
– Use the Lab Setup lesson to learn how to build your own complete lab environment
– Download trial Windows Server 2008 R2 software from Microsoft for the server build-out
• Make sure to take notes along the way
– Note the timestamp for particularly interesting topics so you can come back later to review
• Watch the videos in any order you like
• If something doesn't make sense, go back and try it again
– If you still don't quite get it, let us know in the Train Signal forums
• Before you take the certification exam
– Watch the lesson entitled "How to use Transcender to Prepare for a Certification Exam"
– Watch the "Preparing for Your MCTS: 70-680 Certification Exam" lesson at the end of this course
What We Covered
What we're building
About your instructor
About the course
Before you begin
How to use the course
Lab Setup
In This Lesson:
Globomantics corporate network
Globomantics locations
Headquarters network details
Large regional office network details
Small regional office network details
Globomantics network diagram – logical
Lab overview
Lab network diagram – physical
Globomantics Corporate Network
• The Windows 7 implementation team is focused on creating a deployment template for one of each location type
• Each location type is replicated in the course lab
– Headquarters (Columbia, MO)
– Large regional office – Southwest office (Scottsdale, AZ)
– Small regional office – Northeast office (Utica, NY)
– Mobile worker
Globomantics Locations (map): Globomantics HQ; Southwest Office (Scottsdale, AZ); Northeast Office (Utica, NY); Seattle, WA; Germantown, MD; Dallas, TX; Miami, FL
Headquarters
• Headquarters server naming convention
– Example: GM-File - The file server for HQ
• Network details for HQ
– IP address range: 172.16.5.1 to 172.16.5.254
– Subnet mask: 255.255.255.0
– Gateway: 172.16.5.254
– DNS: 172.16.5.1
Large Regional Office
• Large regional office server naming convention
– Example: GM-SW-File - The file server for the Southwest regional office
• Network details for Scottsdale, AZ large regional office
– IP address range: 172.16.6.1 to 172.16.6.254
– Subnet mask: 255.255.255.0
– Gateway: 172.16.6.254
– DNS: 172.16.6.1
Small Regional Office
• Small regional offices (Example: Northeast regional office) do not have dedicated servers
• Network details for Utica, NY small regional office
– IP address range: 172.16.7.1 to 172.16.7.254
– Subnet mask: 255.255.255.0
– Gateway: 172.16.7.254
– DNS: 172.16.5.1 (HQ DNS server)
Globomantics Corporate Network Diagram
• Globomantics Corporate Headquarters – Network: 172.16.5.0, Subnet Mask: 255.255.255.0, Gateway: 172.16.5.254, DNS: 172.16.5.1
– Firewall – Inside: 172.16.5.254, Outside: 192.168.10.5
– GM-DC – Domain Controller (globomantics.com), DNS server, Windows 2008 R2, 172.16.5.1
– GM-Remote – Globomantics Remote Access Server, Windows 2008 R2, 172.16.5.2
– GM-File – Globomantics File and Print Server, Windows 2008 R2, 172.16.5.3
– GM-General – Globomantics General Purpose Server, Windows 2008 R2, 172.16.5.4
– GM-7-XXX – Globomantics Windows 7 Desktop Naming Convention, DHCP-assigned IP address
– GM-7-M-XXX – Globomantics Windows 7 Mobile Naming Convention, DHCP-assigned IP address
• Southwest Office – Network: 172.16.6.0, Subnet Mask: 255.255.255.0, Gateway: 172.16.6.254, DNS: 172.16.6.1
– Firewall – Inside: 172.16.6.254, Outside: 192.168.10.6
– GM-SW-File – Southwest Office File Server, DNS server, Windows 2008 R2, 172.16.6.1
– GM-7-XXX – Globomantics Windows 7 Desktop Naming Convention, DHCP-assigned IP address
– GM-7-M-XXX – Globomantics Windows 7 Mobile Naming Convention, DHCP-assigned IP address
• Northeast Office – Network: 172.16.7.0, Subnet Mask: 255.255.255.0, Gateway: 172.16.7.254, DNS: 172.16.5.1
– Firewall – Inside: 172.16.7.254, Outside: 192.168.10.7
– GM-7-XXX – Globomantics Windows 7 Desktop Naming Convention, DHCP-assigned IP address
– GM-7-M-XXX – Globomantics Windows 7 Mobile Naming Convention, DHCP-assigned IP address
• To other sites
Lab Overview
• For this course
– The various servers and Windows 7 workstations used in this course run on a Windows Server 2008 R2 Data Center machine under Hyper-V R2
• The Hyper-V R2 server is a Dell PowerEdge 2950 server with 32 GB RAM, 2 x quad core Xeon processors and just under 1 TB of disk space (RAID 5)
– Each Globomantics site is connected on a separate network adapter in the Hyper-V R2 server
– Each network adapter is connected to an actual firewall and then to my lab/home network
– All servers are running Windows Server 2008 R2 RTM
– Each server has 1 GB of RAM assigned
– Windows Server 2008 R2 180-day trial software is available for download from http://www.microsoft.com/windowsserver2008/en/us/trial-software.aspx
– My lab goal: Mimic as closely as possible a real-world multisite environment
Physical Lab Configuration
• Server – PowerEdge 2950, 32 GB RAM, 2 x Xeon X5355 (8 cores), Windows 2008 R2, Hyper-V R2
• NIC 1 – 192.168.0.197
• NIC 2 – 172.16.5.253
• NIC 3 – 172.16.6.253
• NIC 4 – 172.16.7.253
• Hyper-V R2 server management
• VMs HQ – GM-DC, GM-Remote, GM-File, GM-General, Desktops
• VMs Large Regional – GM-SW-File, Desktops
• VMs Small Regional – Desktops
• VMs Other needs – Mobile workers
• Firewall – 172.16.5.254 / 192.168.10.5
• Firewall – 172.16.6.254 / 192.168.10.6
• Firewall – 172.16.7.254 / 192.168.10.7
• Router – 192.168.0.1, 255.255.0.0
• To Internet
• To other computers in my home
The Course Scenario
In This Lesson:
About Globomantics
The Globomantics regulatory environment
Recent security breach
Globomantics cost structure
Globomantics office locations
Specific technology challenges
Immediate needs
Large regional office needs
Small regional office needs
Mobile worker needs
Windows 7 project plan
About Globomantics
• Rapidly growing distributor of pharmaceuticals
– Sells direct to consumers via the Internet
– Sells to doctor's offices via mobile sales force
– Sells to pharmacies via mobile sales force
• Expanding mobile sales force
– Mobile workers need secure access to HQ
– Ease-of-use is critical
• Related Windows 7 technologies
– DirectAccess, VPN, BranchCache, Location-aware printing, Power management
The Globomantics Regulatory Environment
• Subject to numerous regulatory statutes
– HIPAA
– FTC consumer regulations
– PCI
• Security is a priority
– Protect customer health information
– The company must be PCI compliant
• Related Windows 7 technologies
– DirectAccess, VPN, encryption
Recent Security Breach
• A high-level finance employee's laptop was stolen
– The laptop hard drive contained very sensitive employee and customer information
• Business impact
– Globomantics suffered a significant fine and major PR fallout
– Globomantics senior management has directed the technology division to implement full-disk encryption on all mobile systems
• Related Windows 7 technologies
– BitLocker, BitLocker-To-Go, Encrypting File System (EFS), Windows Firewall, User Account Control, Windows Updates
Globomantics Cost Structure
• Globomantics is concerned about the ever-rising cost of technology
– New initiatives must show a quick ROI
– Where possible, avoid cost increases
– Willing to expand IT department and spending, but only when absolutely necessary
• Business impact
– New technologies must be carefully evaluated
– The CIO thinks that Windows 7 features will show good ROI
• Related Windows 7 technologies
– BranchCache, BitLocker, DirectAccess, Automated deployment, Performance monitoring
Globomantics Office Locations
• Headquarters
– Columbia, Missouri (pilot site)
• Primary regional offices
– Scottsdale, Arizona (pilot site)
– Germantown, Maryland
– Seattle, Washington
– Dallas, Texas
– Miami, Florida
• Secondary offices
– Utica, New York (pilot site)
– Sixteen others scattered throughout the states
Globomantics Office Locations Map: Globomantics HQ; Southwest Office (Scottsdale, AZ); Northeast Office (Utica, NY); Seattle, WA; Germantown, MD; Dallas, TX; Miami, FL
Specific Technology Challenges
• Some Globomantics users are experiencing specific problems
– Performance problems with Windows Vista 64-bit
– Globomantics' financial system runs only on Windows XP
• Related Windows 7 technologies
– 64-bit architecture, Windows XP Mode
Immediate Needs
• Globomantics' quick growth has had a number of results
– A large desktop/laptop purchase supporting new employees is pending
– Some new employees will work from their homes
• Related Windows 7 technologies
– Automated deployment, DirectAccess, Location-aware printing
Large Regional Office Needs
• Many HQ services accessed over a site-to-site connection
• Challenge: Files are not always synchronized between HQ and the large regional office file server in a timely manner
• Challenge: Bandwidth costs have been rising as traffic between large office and HQ grows
• Challenge: When mobile workers visit the office, they complain of problems printing documents
Small Regional Office Needs
• Small regional offices (Example: Northeast regional office) do not have dedicated servers
• All systems access Globomantics HQ over the Internet
• Challenge: Small offices are bandwidth-bound, resulting in loss of productivity as the Internet slows down
• Challenge: Adding bandwidth is expensive
• Challenge: Given the recent security breach, there is concern about the security of small office connectivity to HQ
• Challenge: When mobile workers visit the office, they complain of problems printing documents
Mobile Worker Needs
• Mobile workers work from their home, hotels and cars
• Challenge: A recent security breach has resulted in a directive to encrypt all mobile worker hard drives
• Challenge: Mobile workers have complained about their inability to access all HQ-based behind-the-firewall employee resources, resulting in lost productivity
• Challenge: Printing at regional offices
Windows 7 Project Plan
• The Globomantics CIO has appointed us to
– Evaluate individual Windows 7 features for suitability against business goals
– Develop a Windows 7 implementation plan
• Create a deployment template for each pilot site type
– Deploy Windows 7 with business-necessary features
– Ensure that Windows 7 systems are operating at peak efficiency to realize maximum ROI
• Implementation team
– Me, a consultant helping you evaluate Windows 7
– You, a desktop specialist at Globomantics
Introduction to Windows 7
In This Lesson:
Business objectives
User interface enhancements
BranchCache
DirectAccess
BitLocker and BitLocker To Go
AppLocker
Windows XP Mode
Group Policy enhancements
Improved power management
32-bit vs. 64-bit Windows 7
Windows 7 editions comparison matrix
Scenario
• Windows 7 is the first version of Windows capable of unseating Windows XP as the corporate standard
• Globomantics sees major possibilities with Windows 7 and the CIO understands a lot of the appeal
• The company CIO wants to understand Windows 7's new security features and mobility capabilities as well as simply understanding what's changed since older versions of Windows
Business Objectives
• Improve security in order to reassure customers that Globomantics takes their privacy seriously
• Improve employee productivity to increase sales and reduce expenses
• Contain rising communications infrastructure costs
• Maintain current, or close to current, levels of staffing in Information Technology
User Interface Enhancements
• Taskbar
• Aero Peek
• Aero Snap
• Aero Shake
BranchCache
• New to Windows 7
• Requires Windows Server 2008 R2
• Expected Business Outcomes
– Allow Globomantics remote offices to cache HQ-based content on a local Windows Server 2008 R2 server or Windows 7 desktop
– Reduce bandwidth costs
BranchCache Operational Diagram: Headquarters (GM-File, Globomantics File and Print Server); Southwest Office (GM-SW-File, Southwest Regional Office File Server); Northeast Office (GM-7-XXX, Globomantics Windows 7 Desktop)
DirectAccess
• New to Windows 7 and can replace traditional VPNs
• Requires Windows Server 2008 R2 as a host (GM-Remote)
• Expected Business Outcomes
– Remote and mobile workers enjoy seamless access to Globomantics HQ IT services
– Globomantics can remotely install software updates to mobile worker computers and enforce policies
– The ability to include remote computers in new policy updates improves regulatory compliance measures
BitLocker and BitLocker To Go
• Improved in Windows 7
• Provides full disk encryption services
• Encrypts USB-based removable storage devices
• Expected Business Outcomes
– Mobile system security is vastly improved, leading to greater customer confidence and fewer regulatory issues
– Centralized encryption keys mean fewer headaches for IT staff
AppLocker
• New in Windows 7
• Evolved from Software Restriction Policies
• Provides granular application control to help prevent execution of unauthorized software
• Expected Business Outcomes
– Improve overall security of the Globomantics desktop environment
– Maintain high levels of productivity by denying use of unauthorized software and reducing malware infestations
Windows XP Mode
• New in Windows 7
• Leverages virtualization technology to ensure software compatibility
• Runs software inside a virtualized copy of Windows XP SP3 delivered to the Windows 7 desktop via RDP
• Expected Business Outcomes
– Globomantics' financial application will run under Windows 7 using Windows XP Mode
– Migration to Windows 7 will be streamlined
Windows XP Mode Operational Diagram
Group Policy Enhancements
• Windows 7 includes dozens of new Group Policies providing more centralized management of the environment
• Expected Business Outcomes
– Globomantics will enjoy improved security through centralized enforcement of Group Policies
– Desktop management TCO is reduced through efficient, centralized resource management
Improved Power Management
• Windows 7 is much more granular in managing power
– Even audio chips are power-managed
• Ambient light sensors are now supported
• Expected Business Outcomes
– Reduced power bills for Globomantics
– Longer battery life for mobile workers equates to increased productivity
32-bit vs. 64-bit
• 64-bit editions of Windows are increasing in popularity
– Support for large memory needs
• 32-bit RAM limit: 4 GB (Starter – 2 GB)
• 64-bit RAM limit
– Professional, Enterprise, Ultimate: 192 GB
– Home Premium: 16 GB
– Home Basic: 8 GB
• 64-bit considerations
– Processor must support 64-bit operating systems
– Software must be compatible with 64-bit OS (or, use Windows XP Mode)
– Hardware devices must have available 64-bit drivers
– Cannot upgrade from 32-bit to 64-bit: Must reinstall
Windows 7 Editions Comparison Matrix
• Editions (columns): Starter, Home Basic, Home Premium, Professional, Enterprise, Ultimate
• Features (rows): BranchCache, DirectAccess, BitLocker, AppLocker, Windows XP Mode, Group Policy enhancements, Improved power management, 32- and 64-bit editions, User interface enhancements
What We Covered
Business objectives
User interface enhancements
BranchCache
DirectAccess
BitLocker and BitLocker To Go
AppLocker
Windows XP Mode
Group Policy enhancements
Improved power management
32-bit vs. 64-bit Windows 7
Windows 7 editions comparison matrix
Installing Windows 7
In This Lesson:
Identifying Windows 7 requirements
Upgrade and migration limitations
Upgrading between Windows 7 editions
Installing Windows 7
Upgrading Windows Vista to Windows 7
Dual booting Windows 7
Migrating from Windows XP to Windows 7
Migrating user profiles with Windows Easy Transfer
User State Migration Tool
Scenario
• Windows 7 is the first version of Windows capable of unseating Windows XP as the corporate standard
• Globomantics sees major possibilities with Windows 7 and the CIO understands a lot of the appeal
• The company CIO wants to understand Windows 7's new security features and mobility capabilities as well as simply understanding what's changed since older versions of Windows
• Globomantics pilot project
– Will use a combination of installations
• Existing Vista machines will simply be upgraded to Windows 7 – apps already work
• Windows XP machines will dual boot with Windows 7
Identifying Windows 7 Requirements
• Different Windows 7 editions have different requirements
• Use the Windows 7 Upgrade Advisor
– Verifies that hardware is ready for Windows 7
– Checks installed software for Windows 7 compatibility
– If problems are found and there are solutions, those solutions are presented
Windows 7 Requirements Matrix
• Editions (columns): Starter, Home Basic, Home Premium, Professional, Enterprise, Ultimate
• Processor: 1 GHz or faster minimum
• RAM: 512 MB / 32-bit: 1 GB or 64-bit: 2 GB
• Disk Space: 32-bit: 16 GB or 64-bit: 20 GB
• Graphics: DirectX 9 graphics processor / DirectX 9 graphics processor with WDDM
Upgrade and Migration Limitations
• Upgrade limitations
– Upgrades cannot be performed between 32-bit and 64-bit systems
• To move from 32-bit to 64-bit or back, you must perform a new installation
– You cannot upgrade from Windows XP and earlier versions of Windows to Windows 7; you must migrate instead
• You must perform a new installation or a dual-boot installation
• Move user files from Windows XP to new Windows 7 system
Upgrading Between Windows 7 Editions
• Windows Anytime Upgrade
– Upgrade to more feature-filled editions of Windows 7 by using Windows Anytime Upgrade
– Only 32-bit to 32-bit and 64-bit to 64-bit Anytime upgrades are allowed
• You cannot upgrade from 32-bit to 64-bit or downgrade from 64-bit to 32-bit
– You cannot downgrade editions
• You can only move up the edition chart, not down
Upgrades
• Windows 7 Editions (columns): Starter, Home Basic, Home Premium, Professional, Enterprise, Ultimate
• Windows Vista (SP1, SP2) – Home Basic, Home Premium, Business, Enterprise, Ultimate – 32-bit to 32-bit or 64-bit to 64-bit only
• Windows 7 Anytime Upgrade – Starter, Home Basic, Home Premium, Professional, Enterprise, Ultimate – 32-bit to 32-bit or 64-bit to 64-bit only
Installing Windows 7
• Installation options for a new machine
– Clean installation – new machine with no existing operating system
– Dual boot installation – run two operating systems side-by-side on the same computer
– Upgrade – in-place upgrade to Windows 7 from Windows Vista
– Migration – upgrade to Windows 7 from Windows Vista or Windows XP
• Installation types
– Standard installation
• For the initial phase of the pilot project being covered in this lesson, Globomantics will focus on standard installations
– Unattended installation
• Allows an administrator a mostly hands-off installation
• We will cover automated installations in the Deploying Windows 7 Machines lesson
• Media options
– DVD – included in Windows 7 retail boxes and often created after downloading an ISO file and burning it
– ISO – generally used by those with Microsoft licensing agreements
– USB drive – allows administrators to customize the installation source
– Network share – used with automated installations
Upgrading Windows Vista to Windows 7
• Only Windows Vista supports an in-place upgrade to Windows 7
• At the end of the upgrade, the system operates just like it did before, except with Windows 7
– Documents, files, and applications remain intact and in place
• If the upgrade fails, the system rolls back to Windows Vista
• An upgrade from Windows Vista to Windows 7 is initiated from a running Vista system
Windows Vista to Windows 7 Upgrade Walkthrough
Dual Booting Windows 7
• Dual booting allows users to select the operating system that will be loaded at boot time
• During the early pilot phase of the Windows 7 implementation project, Globomantics Windows 7 pilot desktops will be dual booted between Windows XP and Windows 7
– Easier for staff to revert to Windows XP in the event of an unanticipated problem
• The computer must have one of the following
– Dual hard drives
– Enough space to create a second partition to which Windows 7 will be installed
• Partitions are discussed in the lesson entitled Understanding Windows 7 Storage
• Windows 7 can dual boot – run side-by-side – with a variety of operating systems, including Windows XP, Vista, Linux and more
• Steps
– Make sure you have your Windows 7 media and product key
– Partition the hard drive to make room for Windows 7
• For Windows XP, use GParted, an open source tool
• Windows Vista has its own partitioning tools
• Can also simply add a second hard drive
– Install Windows 7 onto the new partition/drive
• Post dual boot walkthrough steps
– Choosing the default operating system
• GUI: Via the Control Panel
• Command line: Using the BCDEDIT utility
– Requires a command prompt executed with administrator privileges
• Important notes
– The Windows 7 installation is a new installation
– Applications need to be reinstalled
– User profiles and data need to be migrated
• Migrating profiles is covered in the next section
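The command-line route for choosing the default operating system, as an added example that is not part of the course material. It assumes the script runs from the Windows 7 side of the dual boot, that the Windows XP entry is the legacy loader that BCDEDIT addresses as {ntldr}, and that C:\bcd-backup.bak is a placeholder backup path.

```powershell
# Added example: pick the default OS on a Windows XP / Windows 7 dual-boot machine.
# Assumptions: run from Windows 7; Windows XP is the legacy loader entry {ntldr};
# the backup path below is a placeholder.

# BCDEDIT modifies the boot configuration store, so stop unless the session is elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) prompt.'
}

# Save a copy of the boot store before changing anything.
$backup = 'C:\bcd-backup.bak'
bcdedit /export $backup
if ($LASTEXITCODE -ne 0) { throw 'BCD export failed; nothing was changed.' }

# List the boot manager and all loader entries to confirm the identifiers.
bcdedit /enum

# Make Windows 7 (the entry this session booted from) the default...
bcdedit /default '{current}'
if ($LASTEXITCODE -ne 0) { throw 'Could not set the default entry.' }
# ...or, to make Windows XP the default during the pilot, use the legacy loader:
# bcdedit /default '{ntldr}'

# Show the boot menu for 15 seconds so the other operating system can be selected.
bcdedit /timeout 15

# Confirm: the boot manager section now shows the new "default" and "timeout" values.
bcdedit /enum '{bootmgr}'
```

If the boot menu ends up in an unwanted state, `bcdedit /import C:\bcd-backup.bak` from an elevated prompt restores the saved store.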
Windows XP to Windows 7 Dual Boot Walkthrough
Migrating from Windows XP to Windows 7
• Windows XP cannot be upgraded to Windows 7
– You must instead perform either a new/clean installation or dual boot the system
– After installation, applications must be reinstalled
• Migrate user profiles and data from Windows XP to Windows 7
– If you installed Windows 7 in a dual boot configuration, you also need to migrate user profiles and data
Windows XP to Windows 7 Migration Walkthrough
Migrating User Profiles
• Roaming profiles negate the need for migrating profiles between machines
– Globomantics does not use roaming profiles due to network bandwidth requirements
• Local user profiles include
– Documents and other files
– Internet bookmarks
– Backgrounds
– E-mail account information
– Custom application settings
– Windows settings
• For a few initial phase pilot users, Globomantics will migrate profiles from XP to Windows 7
Windows Easy Transfer
• Windows Easy Transfer - Transfers information between Windows installations
– Supports a number of data transfer methods
• Easy Transfer cable – connects two computers via their USB ports
• Network – transfer data between computers over the network (Globomantics option)
• Portable hard drive – save profile information from source system to a portable drive and load to new system
• CD/DVD media – same as above, except with a CD or DVD
User State Migration Tool (USMT)
• Automates user profile migration
– Well-suited for large migrations
• Does not support the Windows Easy Transfer cable
• Part of the Windows Automated Installation Kit (WAIK)
• USMT is not covered here, but will be discussed in the lesson entitled Deploying Windows 7 Machines
What We Covered
Identifying Windows 7 requirements
Upgrade and migration limitations
Upgrading between Windows 7 editions
Installing Windows 7
Upgrading Windows Vista to Windows 7
Dual booting Windows 7
Migrating from Windows XP to Windows 7
Migrating user profiles with Windows Easy Transfer
User State Migration Tool
Key Terms You Should Know
Upgrade—moving in-place from one version of Windows to another
Migration—moving from one version of Windows to another without performing an in-place upgrade; requires the manual migration of user profiles after installation
User profiles—all personal information stored on a user's PC, including application settings and Internet bookmarks
Deploying Windows 7
In This Lesson:
Globomantics deployment plan
Windows 7 deployment enhancements
Specific lesson goals
Deployment types
Pre-deployment tools
Thick vs. thin images
Deployment strategies
Understanding image capture tools
Image deployment options
Capture and deployment process overview
User State Migration Tool (USMT)
Automated installation methods
Scenario
• The Globomantics IT staff runs a lean and mean shop
• The company can't afford to send IT staff to visit each and every computer in every location to facilitate deployment
• Business needs
– For organizations that have more than a few PCs, manual Windows 7 deployment is an inefficient rollout strategy
– Manual labor and travel result in major costs
– Managing desktops already has a high total cost of ownership (TCO)
– Use automated deployment tools to help automate this process and bring down costs
Globomantics Deployment Plan
• Globomantics uses the following deployment strategy:
– Thick system image. Includes applications and Windows Updates right in the system image.
– Lite Touch Installation. Takes most of the manual processing out of deployment, but requires some human intervention.
– Deployment. Systems are imaged at HQ and sent to regional offices.
• Globomantics does not currently own System Center Configuration Manager 2007 R2
– http://www.trainsignal.com/System-Center-Configuration-Manager-P71.aspx
– {End of shameless plug}
Windows 7 Deployment Enhancements
• Optimizes deployment with improved driver handling through Dynamic Driver Provisioning
– Reduces image sizes by dynamically matching drivers to existing hardware during deployment, and then pulls them from a central store
• Multicast multiple stream transfer
– Deploy multiple images simultaneously across networks more efficiently
• Virtual Hard Disk image management and deployment
– VHD files provide additional deployment and operational flexibility
• Streamlined installation and file migration
– Overall better installation and deployment experience
Specific Lesson Goals
• Too many deployment options and scenarios to cover in a single lesson
– Deployment could be a complete course by itself
• Goals
– Understand the myriad of deployment options
– Cover a repeatable, documented, real-world deployment scenario
– Be able to apply the lessons learned through understanding deployment options and covering a real-world scenario to other deployment needs
• Recommendation
– Practice, practice, practice
Deployment Types
• Manual/semi-automated/high touch
– Small number of computers
– Covered in the lesson entitled Installing Windows 7
• Lite Touch Installation (LTI)
– Well-suited for medium-sized organizations that do not have a need for a more automated deployment system
– Often used in conjunction with a "thick" system image, but can be used with thin images
• Zero Touch Installation (ZTI)
– Best suited for large, distributed organizations that deploy new systems and applications in a non-centralized manner
– Often used in conjunction with thin system images
• Thick image
–Complete system image with all applications and updates
–May take longer to deploy to individual computers, but results in an immediately usable system upon completion
• Thin image
–Minimal system image; often operating system only
–Applications and updates are installed either manually or through the use of some other software management system, such as System Center Configuration Manager 2007 and/or App-V
• Hybrid Image
–Combination of thin and thick image types
Thick vs. Thin Images
• Application Compatibility Toolkit (ACT) – A tool to evaluate and mitigate application compatibility issues as they pertain to Windows 7
–Requires a SQL Server to house reporting data
• Microsoft Assessment and Planning Toolkit (MAP) – Performs an audit of your existing environment and provides inventory, assessment and reporting capabilities to assist in planning a Windows 7 rollout
Pre-Deployment Tools
• Windows Automated Installation Kit (WAIK) – WAIK is a collection of tools designed to assist in the deployment of Windows 7
–Windows System Image Manager (SIM) – Creates and manages unattended Windows Setup answer files
–SysPrep – Prepares a computer for imaging by configuring the computer to create a new security identifier at startup
– ImageX – Used to capture, create, modify, and apply Windows images
–Windows Preinstallation Environment (WinPE) – A minimal system used to deploy Windows
–User State Migration Tool (USMT) 4.0 – Used to migrate user information from older versions of Windows to Windows 7
• Oscdimg – Creates an ISO image of a WinPE installation
Understanding Image Capture Tools
• Manually
–Discussed in the lesson entitled Installing Windows 7
• Semi-automated
–Discussed in this lesson
• Using Windows Deployment Services and Microsoft Deployment Toolkit 2010
–Beyond the scope of this lesson
–Bonus video: Automating Deployment of Windows 7 Machines
• System Center Configuration Manager 2007 R2
–Beyond the scope of this course
–Discussed in TrainSignal's System Center Configuration Manager 2007 R2 course
Image Deployment Options
• Create the capture and deployment environment
• Build and validate an answer file
• Build the reference installation
• Create bootable Windows PE media
• Capture the installation – network or VHD file
• Deploy new computers – from network or VHD file
Capture and Deployment Process overview
• Software
–Windows 7 media
–The Windows AIK
• Hardware
–Management computer – A computer to which the Windows AIK and other tools can be installed
–Reference computer – A new computer that can be used as the deployment reference system
–Target computer – A new computer to which you can deploy a newly captured image
• Other
–All systems connected to the network
Image Capture and Deployment Prerequisites
• Target: Management computer
–Purpose
• Installs the Windows AIK and makes available the tools necessary to create, capture and deploy a Windows image
–Need: Windows AIK
• Download and install the Windows AIK
– http://www.microsoft.com/downloads/details.aspx?FamilyID=696dd665-9f76-4177-a811-39c26d3b3b34&displaylang=en
Create the Capture and Deployment Environment
• Target: Management computer
–Purpose
• The answer file configures Windows settings during installation such as default Internet Explorer settings, networking settings and other settings
–Need
• Windows 7 media
• Floppy disk or removable media to which you will save a new answer file
• Windows System Image Manager (SIM) tool (part of WAIK)
–Steps/Demo
Build and Validate the Answer File
• Target: Management computer
–Purpose
• Windows PE provides a minimal Windows environment in order to capture and deploy system images
• In this step, create the bootable WinPE disc
• The disc will include all tools necessary to complete the process
–Need
• Windows System Image Manager (SIM) tool (part of WAIK)
–Steps/Demo
Create Bootable Windows PE Media
• Target: Reference computer
–Purpose
• The reference installation is the "gold master" image that will be deployed to the other computers in the organization
Build the Reference Installation
• Need
–Windows 7 media
–Media/drive with the answer file created in the previous step
–Any software to be made a part of the standard image (i.e. Microsoft Office)
–Any drivers for hardware that is to be included in standard image
–Windows AIK SysPrep utility – will generalize the system setup to make it possible to transfer the image to many other systems
• Steps/Demo
–Be sure to include /PersistAllDeviceInstalls switch when executing SysPrep's generalize command
Build and Generalize the Reference Installation
• Target: Reference computer
–Purpose
• Capture a generalized version of the reference image and save it to a network share
–Need
• Windows PE boot disc created earlier
• ImageX tool from the WAIK
– Included on the WinPE media
• Network connectivity
– A network share to which to save the reference image
–Steps/Demo
Capture the Installation (Network Share)
• Target: New target computer
–Purpose
• Deploy the captured image to a new computer
–Need
• Windows PE boot disc created earlier
• Network connectivity
– Access to the network share to which the reference image was saved
–Steps/Demo
• After imaging, boot and test new system
Deploy to a Target Computer (Network Share)
• Included in the WAIK
• USMT is Windows Easy Transfer for enterprise users
• Captures user accounts, files, operating system settings and application settings
• Migrates these settings to a new Windows 7 installation
User State Migration Tool (USMT)
• Windows Deployment Services & Microsoft Deployment Toolkit 2010
–WDS is a component of Windows Server 2008 R2
–Replaces Remote Installation Services (RIS) and Automated Deployment Services (ADS)
–Provides automated network-based installation of Windows servers and desktop computers
–Extends the capability of the WAIK
–Offers an opportunity to script specific actions at points in time
• i.e. Post-deployment, automatically join the Windows 7 computer to the Active Directory domain
Automated Installation Methods
What We Covered
Globomantics deployment plan
Windows 7 deployment enhancements
Specific lesson goals
Deployment types
Pre-deployment tools
Thick vs. thin images
Deployment strategies
Understanding image capture tools
Image deployment options
Capture and deployment process overview
User State Migration Tool (USMT)
Automated installation methods
Key Terms You Should Know
Windows System Image Manager (SIM)—Creates and manages unattended Windows Setup answer files
Thick image—A complete system image with all applications and updates
Thin image—A minimal system image; often operating system only
Lite Touch Installation—Takes most of the manual processing out of deployment, but requires some human intervention.
Zero Touch Installation (ZTI)—Best suited for large, distributed organizations that deploy new systems and applications in a non-centralized manner
Windows Automated Installation Kit (WAIK)—WAIK is a collection of tools designed to assist in the deployment of Windows 7
SysPrep—Prepares a computer for imaging by configuring the computer to create a new security identifier at startup
ImageX—Used to capture, create, modify, and apply Windows images
Windows Preinstallation Environment (WinPE)—A minimal system used to deploy Windows
User State Migration Tool (USMT) 4.0—Used to migrate user information from older versions of Windows to Windows 7
Oscdimg—Creates an ISO image of a WinPE installation
My Favorite Supporting Resources
1. Choosing a Deployment Strategy
2. Windows 7 Desktop Deployment Overview
3. Choosing an Image Strategy and Building Windows 7 System Images
4. Step-by-Step: Basic Windows Deployment for IT Professionals
5. Springboard Series Windows 7 IT Pro Work Template: Windows 7 Deployment Plan
6. Getting Started with the Windows AIK
7. Windows Automated Installation Kit (Windows AIK) Scenarios
8. MDT and WDS help deliver Windows 7 to attendees at TechEd Australia
Windows 7 Administration Training
Instructor: Scott Lowe
Managing Drivers and Hardware Devices
In This Lesson:
Using the Device Manager tool
Viewing device information with the System Information Tool
Understanding drivers
Driver installation methods
Managing installed drivers
The Driver Verifier utility
Managing hardware installation policies
Staging drivers with pnputil.exe
Adding device drivers to the driver store
Monitoring USB devices
• Globomantics has an array of computing needs
– There is no single desktop hardware configuration
• Marketing: High end graphics adapters
• Other users: Mainstream configuration
• Make device installation seamless by pre-staging device drivers – lower TCO
• Help users get their work done by making sure that their necessary hardware devices work well and are well maintained
Scenario
• Viewing device and driver information
• View device resources
• Displaying hidden devices
Using Device Manager
• Using the System Information utility
–Much greater level of detail about system devices and resources
–Read-only
Using the System Information Utility
• Device drivers enable communication between the operating system and hardware devices
• Driver facts
–Drivers are just software
–Not all drivers are created equal
–Driver issues are a major support hassle
–Drivers can create system instability
Understanding Drivers
• Windows Update
–New device drivers come right from Windows Update
• Disable this behavior to improve security and control what devices are installed
• Hardware installation disc
• Pre-staging drivers
–Globomantics will pre-deploy drivers for high-end graphics adapters to ease deployment
• Result: Better end-user experience
• Lower TCO
Driver Installation Methods
• Device and driver security
–Driver software runs with full system rights
–Signed vs. unsigned drivers
• Identify unsigned drivers with sigverif.exe
• Updating drivers
• Rolling back drivers
Managing Installed Drivers
• Driver verifier
–Helps to determine root cause for driver-related issues including problems related to:
• Drivers that experience memory-based issues
• Poorly written drivers
–Requires a system restart
The Driver Verifier Utility
• Via Group Policy
–Allow and disallow installation of specific devices based on device ID
–Disable the installation of removable devices
–Create custom error messages to be displayed for users that attempt to install hardware
–Provide an administrative "back door" to allow IT staff to install any new hardware and drivers
Managing Hardware Installation Policies
• Use the pnputil.exe tool to manage the driver store
–Add a driver to the store using the -a parameter
• Download the driver package first
• Combine with -i to install the driver, too
–Show all third party drivers using the -e parameter
–Delete a driver from the store with the -d parameter
• Combine with the -f parameter to force deletion
Adding Device Drivers to the Driver Store
• USB hub types
– Self-powered
– Bus-powered
• USB bandwidth
– Bandwidth-related error messages
• "USB controller bandwidth exceeded"
– USB bandwidth
• USB 1.0/1.1: 12 Mbps
• USB 2.0: 480 Mbps
• USB 3.0: 5 Gbps
– Gauging bandwidth use is a best effort task
• Not all devices report bandwidth back to Windows
Monitoring USB Devices
What We Covered
Using the Device Manager tool
Viewing device information with the System Information Tool
Understanding drivers
Driver installation methods
Managing installed drivers
The Driver Verifier utility
Managing hardware installation policies
Staging drivers with pnputil.exe
Adding device drivers to the driver store
Monitoring USB devices
My Favorite Supporting Resources
1. Using Driver Verifier to identify issues with Windows drivers for advanced users
2. What are basic and dynamic disks?
3. Windows and GPT FAQ
Key Terms You Should Know
Driver—Software that provides a link from a computer operating system to a hardware device
Driver store—The location at which Windows stores device driver files, typically C:\Windows\System32\Drivers or C:\Windows\SysWOW64\Drivers
Signed driver—A digitally signed driver is from a traceable source
Unsigned driver—An unsigned driver can come from anywhere and may prove to be a system risk
Windows 7 Administration Training
Instructor: Scott Lowe
Understanding Windows 7 Storage Options
In This Lesson:
Deconstructing basic disks
Disk Manager basic disk view – Master Boot Record (MBR)
MBR vs. GUID Partition Table disks
Disk Manager basic disk view – GPT
Understanding dynamic disks
Dynamic disk volume types
Volume types diagrams
Disk Manager dynamic disk view
Managing storage volumes
FAT vs. NTFS
• Data is the lifeblood of Globomantics
• Some users have different storage needs
– Database administrators need additional storage protection
– Business analysts require speedy storage with a lot of capacity
• Understand storage options to make the best possible data availability decisions
• Choose storage options that enable high security levels
–Globomantics is recovering from a data breach that could have been prevented with better storage options
Scenario
• Partition
–A portion of a physical hard drive that can be formatted and used as an individual storage volume
• Primary partition
–A hard drive can have up to four primary partitions
–One partition is designated as active
–Active partitions boot the operating system
• Extended partition
–Think of this partition as a container
–This container can hold one or more volumes
–Storage volumes on an extended partition cannot be used to start the operating system
Deconstructing Basic Disks - MBR
Disk Manager Basic Disk View – Master Boot Record
• MBR disks have limitations
– Limited number of primary partitions - Four
–Partition size limited to 2 TB
• GPT disks
–Pros
• Disks can have up to 128 partitions
• Partitions can be up to 256 TB in size
–Cons
• 32-bit Windows can't boot from GPT at all
• 64-bit Windows can boot from GPT only when the system has an Extensible Firmware Interface (EFI) BIOS
MBR vs. GPT Disks
MBR vs. GPT Disks
                                        MBR              GPT
Bootable                                32-bit, 64-bit   Only 64-bit systems with EFI BIOS can boot from GPT-based partitions
Maximum Partition Size                  2 TB             256 TB
Maximum Partitions Per Physical Drive   4                128
Windows Versions Supported              All              All Recent
Limits pertain to Windows only. Other operating systems may provide additional capabilities.
Disk Manager Basic Disk View – GPT
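The four-primary-partition limit, the single active partition and the 2 TB ceiling of MBR disks all follow from the on-disk layout of the partition table. The following is an added example, not part of the course material, that parses and sanity-checks a 512-byte MBR sector; the sample partition values and all function names are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512          # bytes per logical sector on a classic MBR disk
TABLE_OFFSET = 446         # the partition table follows 446 bytes of boot code
ENTRY_SIZE = 16            # four fixed 16-byte slots: at most four primary partitions
MAX_MBR_BYTES = 2**32 * SECTOR_SIZE   # 32-bit sector fields give the 2 TB ceiling

TYPE_NAMES = {0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
              0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0xEE: "GPT protective"}

# Constructed sample: (status, type, start LBA, sector count) per slot.
SAMPLE_SLOTS = [
    (0x80, 0x07, 2048, 204800),          # active 100 MiB boot partition
    (0x00, 0x07, 206848, 209715200),     # 100 GiB NTFS data partition
    (0x00, 0x0F, 209922048, 41943040),   # 20 GiB extended partition (container)
]


def build_sector(slots):
    """Build a 512-byte MBR from slot tuples (boot code left as zeros)."""
    table = b"".join(struct.pack("<B3xB3xII", *s) for s in slots)
    return bytes(TABLE_OFFSET) + table.ljust(4 * ENTRY_SIZE, b"\x00") + b"\x55\xaa"


def parse_mbr(sector):
    """Decode the non-empty slots of a 512-byte MBR into dictionaries."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector (size or 0x55AA signature)")
    entries = []
    for slot in range(4):
        raw = sector[TABLE_OFFSET + slot * ENTRY_SIZE:
                     TABLE_OFFSET + (slot + 1) * ENTRY_SIZE]
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), start, count
        status, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        if ptype == 0x00:
            continue                      # unused slot
        entries.append({
            "slot": slot,
            "status": status,
            "active": status == 0x80,
            "type_id": ptype,
            "type": TYPE_NAMES.get(ptype, "type 0x%02X" % ptype),
            "start_lba": start,
            "sectors": count,
            "size_bytes": count * SECTOR_SIZE,
        })
    return entries


def audit_mbr(entries):
    """Return a list of problems found in the partition table of a boot disk."""
    if any(e["type_id"] == 0xEE for e in entries):
        return ["protective MBR: the disk is GPT, read the GPT header instead"]
    findings = []
    active = [e["slot"] for e in entries if e["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            findings.append("slot %d: invalid status byte 0x%02X" % (e["slot"], e["status"]))
    ordered = sorted(entries, key=lambda e: e["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start_lba"] + a["sectors"] > b["start_lba"]:
            findings.append("slots %d and %d overlap" % (a["slot"], b["slot"]))
    return findings


if __name__ == "__main__":
    table = parse_mbr(build_sector(SAMPLE_SLOTS))
    for e in table:
        print(e["slot"], "active" if e["active"] else "      ", e["type"],
              e["start_lba"], "%.1f GiB" % (e["size_bytes"] / 2**30))
    print("findings:", audit_mbr(table) or "none")
```

On a real system the input would be the first 512 bytes of the physical disk, read with administrative rights.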
Understanding Dynamic Disks
• Overcome the limitations of Basic/MBR and Basic/GPT disks
–Support for about 2,000 dynamic volumes per disk
–Space – Extend volumes to span multiple disks
–Speed – Improve performance by striping across multiple disks
–Reliability – Improve reliability by mirroring data across multiple disks
• Disk volumes
–Simple
–Spanned
–Striped (RAID 0)
–Mirrored (RAID 1)
–RAID-5 volumes are shown in Disk Management, but not supported in Windows 7
Dynamic Disk Volume Types
Volume Types Diagram
[Diagram: data placement per volume type. Simple Volume: 1. Spanned Volume: 1. Striped Volume: 1/3, 1/3, 1/3. Mirrored Volume: 1, 1. RAID 5 Volume: 1/2, 1/2, P. Legend: 1 = 1 unit of data; 1/x = fractional unit of data.]
Disk Manager Dynamic Disk View
• Creating new volumes
–Choosing a disk and volume type
–Naming a volume
– Formatting volumes
• FAT vs. NTFS
• Changing a volume's drive letter
• Defragmenting disks
• Checking a volume for errors
• Viewing volume status
Managing Storage Volumes
FAT vs. NTFS
                                      FAT32            NTFS             exFAT
Maximum Volume Size                   32 GB/2 TB       2 TB             64 ZB
Maximum File Size                     Just under 4GB   Size of Volume   16 ZB
Security
Windows Versions Supported (Native)   All              All NT-based     Vista SP1, 7
What We Covered
Deconstructing basic disks
Disk Manager basic disk view – MBR
MBR vs. GPT disks
Disk Manager basic disk view – GPT
Understanding dynamic disks
Dynamic disk volume types
Volume types diagrams
Disk Manager dynamic disk view
Managing storage volumes
FAT vs. NTFS
My Favorite Supporting Resources
1. What are basic and dynamic disks?
2. Windows and GPT FAQ
Key Terms You Should Know
Basic disk—The traditional disk type
Dynamic disk—A type of disk that enables advanced storage options, such as mirroring and striping
Windows 7 Administration Training
Instructor: Scott Lowe
Configuring Networking in Windows 7
In This Lesson:
Scenario
Managing network connections
TCP/IP recap
TCP/IP operational overview
TCP/IP subnetting overview
IPv6 recap
Configuring TCP/IP Settings
Configuring network adapters
Configuring Internet Connection Sharing (ICS)
Troubleshooting network connectivity
• Every device at Globomantics is a business tool, from the laptops carried by the sales team to every desktop PC in the company. A machine not connected to the Globomantics network doesn't provide any return. By the end of this lesson, you'll be able to provide Globomantics with expert-level assistance in configuring the network settings on Windows 7-based desktops and laptops.
• Internet Connection Sharing is used in Globomantics' smaller offices to save costs on networking equipment
• All networks need troubleshooting, so you need to understand ways that you can correct networking issues
Scenario
• Connecting to a wired network
–Viewing current network status
–Viewing the current network map
• Connecting to a wireless network
– If prompted, provide the wireless network password
–Most Globomantics offices have a wireless network
• Managing preferred wireless networks
Managing Network Connections
• TCP/IP components
–Network address – defines the address of the network as a whole
–Subnet mask – bounds the upper and lower ranges of the network address
– IP address – an individual identifier assigned to a resource
–Default gateway – the IP address of the router or firewall port that connects the local network to a larger network
–Router – a "layer 3" device responsible for connecting the local network to a larger network and handling incoming and outgoing network communications
TCP/IP Recap
• IP address types
–Public
–Private
• 10.0.0.0 to 10.255.255.255
• 172.16.0.0 to 172.31.255.255
• 192.168.0.0 to 192.168.255.255
• Network Address Translation (NAT)
–Allows private IP addresses to be used with public ones
• Special addresses
– First range address (often ends with .0) – network address
– Last range address (often ends with .255) – broadcast address
TCP/IP Recap
• IP addresses
–Dotted decimal notation is most common
–Are representations of binary numbers which can be converted to a decimal number
–209.85.225.106 = 11010001.01010101.11100001.01101010 = 3512066410
• Subnetting – breaking a large network down into smaller chunks
–Reduces broadcast traffic
–Reduces collisions
–Can improve security
TCP/IP Recap
• Dynamic Host Configuration Protocol (DHCP) server – provides automated IP address assignment services
–Globomantics uses DHCP for client computers
–Globomantics desktop technicians sometimes input manual IP addresses when troubleshooting
–DHCP can pass other configuration information to clients
–Automatic Private IP Addressing (APIPA) is used when a DHCP server is not present
• Domain Name System (DNS) – provides a method to resolve friendly names into IP addresses
– i.e. www.google.com = 209.85.225.10
TCP/IP Recap
TCP/IP Operational Overview
[Diagram: Globomantics SW Office. Network: 172.16.6.0, Subnet Mask: 255.255.255.0. Devices shown: GM-7-Desktop (Globomantics Windows 7 Desktop), GM-7-M-X (Globomantics Windows 7 Mobile), GM-SW-File (Globomantics Server, DHCP/DNS), Firewall/Router. Addresses shown: 172.16.6.1, 172.16.6.2, 172.16.6.3, 172.16.6.254 and 192.168.10.5. Labels: Default Gateway; a DHCP address list of 172.16.6.2 through 172.16.6.6 marked Allocated or Available.]
TCP/IP Subnetting Overview
192.168.0.x network with 26-bit subnet mask
Subnet       Network         Address Range                    Broadcast Address   Subnet Mask       Subnet Mask (bits)
1st subnet   192.168.0.0     192.168.0.1 to 192.168.0.62      192.168.0.63        255.255.255.192   26 bits
2nd subnet   192.168.0.64    192.168.0.65 to 192.168.0.126    192.168.0.127       255.255.255.192   26 bits
3rd subnet   192.168.0.128   192.168.0.129 to 192.168.0.190   192.168.0.191       255.255.255.192   26 bits
4th subnet   192.168.0.192   192.168.0.193 to 192.168.0.254   192.168.0.255       255.255.255.192   26 bits
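The subnet table above and the dotted-decimal, binary and decimal forms from the TCP/IP recap can be reproduced and checked with Python's standard ipaddress module. This is an added example, not part of the course material; the function names are illustrative assumptions, and it generalizes the slide's /26 split to any IPv4 prefix.

```python
import ipaddress


def subnet_table(network, new_prefix):
    """Split a network into equal subnets and describe each one."""
    rows = []
    for sub in ipaddress.ip_network(network).subnets(new_prefix=new_prefix):
        # /31 and /32 have no separate network/broadcast addresses to exclude.
        usable = sub.prefixlen <= 30
        rows.append({
            "network": str(sub.network_address),
            "first_host": str(sub[1] if usable else sub[0]),
            "last_host": str(sub[-2] if usable else sub[-1]),
            "broadcast": str(sub.broadcast_address),
            "mask": str(sub.netmask),
            "bits": sub.prefixlen,
        })
    return rows


def classify(address, network, new_prefix):
    """Return (subnet number, role) so that a network or broadcast address
    is never handed to a host by mistake."""
    addr = ipaddress.ip_address(address)
    subnets = ipaddress.ip_network(network).subnets(new_prefix=new_prefix)
    for index, sub in enumerate(subnets, 1):
        if addr in sub:
            if addr == sub.network_address:
                return index, "network address"
            if addr == sub.broadcast_address:
                return index, "broadcast address"
            return index, "host"
    raise ValueError("%s is outside %s" % (address, network))


def needs_gateway(src, dst, mask):
    """True when dst is outside src's subnet, so traffic must cross the router
    (the point at which filtering between subnets can be enforced)."""
    local = ipaddress.ip_network("%s/%s" % (src, mask), strict=False)
    return ipaddress.ip_address(dst) not in local


def to_binary(address):
    """Dotted binary form of an IPv4 address, eight bits per octet."""
    return ".".join(format(octet, "08b")
                    for octet in ipaddress.IPv4Address(address).packed)


def to_decimal(address):
    """The same address as a single 32-bit integer."""
    return int(ipaddress.IPv4Address(address))


if __name__ == "__main__":
    for number, row in enumerate(subnet_table("192.168.0.0/24", 26), 1):
        print(number, row["network"], row["first_host"], "to", row["last_host"],
              row["broadcast"], row["mask"], row["bits"])
    print(classify("192.168.0.127", "192.168.0.0/24", 26))
    print(needs_gateway("192.168.0.10", "192.168.0.70", "255.255.255.192"))
    print(to_binary("209.85.225.106"), to_decimal("209.85.225.106"))
```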
• IPv6 facts
– Larger address space
• IPv4 addresses are running out
– 2^32 addresses = 4,294,967,296
– More "always on" devices
– More Internet users
• IPv6 = 2^128 addresses
– Eliminates the need for a number of workarounds, including Network Address Translation
– Stateless address configuration
– DHCPv6 can be used to provide more capability
IPv6 Recap
• IPv6 is not in widespread use
• IPv6 address types
– Link local—locally and automatically configured IPv6 addresses for networks without a DHCP server
–Site local—private, non-routable IPv6 addresses
–Global—an everyday, routable IPv6 address either manually configured or obtained via DHCP
–Special IPv6 addresses
• Unspecified IPv6 address—0:0:0:0:0:0:0:0 (::0)
• Loopback—in IPv4 parlance, 127.0.0.1; for IPv6, 0:0:0:0:0:0:0:1 (::1)
– Always the local machine
IPv6 Recap
• Managing TCP/IP settings via the graphical user interface
–Configuring IP address information
• Manual information
• Configuring for DHCP (the Globomantics standard)
• Managing TCP/IP settings via the netsh shell - manual
– IPv4: netsh interface ipv4 or netsh interface ip
• netsh interface ip set address "Local Area Connection" static 172.16.6.2 gateway=172.16.6.254
• netsh interface ip set dnsservers "Local Area Connection" static 172.16.6.1
• Managing TCP/IP settings via the netsh shell - DHCP
• netsh interface ip set address name="Local Area Connection" source=DHCP
Configuring TCP/IP Settings
• Globomantics wants to force the network link speed and duplex due to an issue with some network switches
• Configure device power settings to conserve power
Configuring Network Adapters
• Smaller Globomantics sites do not have network routers
• They rely on ICS
–Allows a single computer with two network adapters to share its Internet connection with other computers
–Windows 7 and Windows Server 2008 R2 both include ICS
• Requirements
–Two network adapters
–Administrative rights
– Firewall exceptions
Configuring Internet Connection Sharing (ICS)
Internet Connection Sharing Overview
[Diagram: Internet Connection Sharing. Computers shown: GM-7-Desktop (Globomantics Desktop Computer), GM-7-M-1 and GM-7-M-2 (Globomantics Laptop Computers). Labels: ICS, To Internet.]
• On the computer that will share its connection
–Open the properties for the network adapter with the connection to the Internet
–Select the checkbox that reads Allow other network users to connect through this computer's Internet connection
• Make sure other clients are configured to use DHCP
Configuring Internet Connection Sharing
• netstat
–Display current network and TCP/IP connections
–View Ethernet & IPv4 stats and active connections
• netstat -e -s -p tcp
• tracert
–View each hop of the network path between the local system and a selected remote system
• tracert www.google.com
• ping
–Check the status of a remote system
–Check to see if the local system can reach a remote system
• ping www.google.com
Troubleshooting Network Connectivity
• Fixing network issues – command line
–Resetting a network adapter's IP address
• Command line (ipconfig /release and /renew)
• Command line (ipconfig /release6 and /renew6)
–DNS issues
• Purge DNS cache: ipconfig /flushdns
• Refresh DHCP lease & register DNS names: ipconfig /registerdns
• Display contents of DNS cache: ipconfig /displaydns
Troubleshooting Network Connectivity
What We Covered
Scenario
Managing network connections
TCP/IP recap
TCP/IP operational overview
TCP/IP subnetting overview
IPv6 recap
Configuring TCP/IP Settings
Configuring Network Adapters
Configuring Internet Connection Sharing
Troubleshooting network connectivity
Key Terms You Should Know
Network address—defines the address of the network as a whole
Subnet mask—bounds the upper and lower ranges of the network address
IP address—an individual identifier assigned to a resource
Default gateway—the IP address of the router or firewall port that connects the local network to a larger network
Router—a "layer 3" device responsible for connecting the local network to a larger network and handling incoming and outgoing network communications
My Favorite Supporting Resources
1. Internet Protocol version 6 (IPv6)
2. Internet Connection Sharing
Windows 7 Administration Training
Instructor: Scott Lowe
Protecting Windows 7: Network
In This Lesson:
Network profiles / Network Location Awareness
Windows firewall management
Remote Desktop
Remote Assistance
Windows Remote Management Service (WinRM)
WinRM and PowerShell
• Globomantics is recovering from a serious and very public security incident
• As a pharmaceutical company with direct customer contact, Globomantics falls under privacy regulations, including HIPAA
• Globomantics wants to make certain that every possible reasonable security measure is implemented, including firewalls, carefully configured remote management capabilities, user account control and various authentication and authorization features.
• Balancing security with usability will allow users to do their jobs while the company remains protected
Scenario
• Home network (Private)
–Trusted computers on a home network
–Network discovery is enabled
–Computer can be a member of a HomeGroup
• Work network (Private)
–Trusted computers on a work network
–Network discovery is enabled for computers
–Computer cannot be a member of a HomeGroup
• Domain network
–System is joined to an Active Directory domain
–Computer cannot be a member of a HomeGroup
• Public network
Network Profiles / Network Location Awareness
• Network profiles allow administrators to set granular policies based on the type of network to which the system is connected
• Firewall can be turned on or off for a particular network type
– i.e. turn off the firewall when system is connected to a domain and turn it back on when the system joins a public network
• Different profiles can be active simultaneously if the system is connected to multiple networks
Network Profiles
• Designed to protect computers by disallowing all but specifically allowed network traffic
• Windows Firewall can block both incoming and outgoing traffic
• The network profile dictates the set of firewall rules that will be applied for that connection
Windows Firewall Purpose and Capabilities
• As you add new programs to Windows, they need access to the network
• You can allow this access on a per program basis or by directly configuring network ports
–New firewall exception – enable ICMP/Ping
• Command line method
– netsh advfirewall firewall add rule name="PING4" protocol=icmpv4:any,any dir=in action=allow
• GUI method
• Rules/exceptions can be added on a per-profile basis
Allowing New Programs Access
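Because rules are applied per network profile, it is worth reviewing which inbound exceptions remain active when a laptop is on a Public network. The following is an added example, not part of the course material, that parses text laid out like the output of "netsh advfirewall firewall show rule name=all" and lists enabled inbound allow rules that include the Public profile. The sample output is constructed and its field layout is an assumption to confirm against real output; all rule names other than PING4 are hypothetical.

```python
# Constructed sample, laid out like "netsh advfirewall firewall show rule name=all".
SAMPLE_OUTPUT = """\
Rule Name:                            PING4
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
RemoteIP:                             Any
Protocol:                             ICMPv4
                                      Type    Code
                                      Any     Any
Action:                               Allow

Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
Action:                               Allow

Rule Name:                            Legacy File Transfer
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Profiles:                             Public
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            21
Action:                               Allow

Rule Name:                            Helpdesk Tool
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Private,Public
RemoteIP:                             172.16.6.0/24
Protocol:                             TCP
LocalPort:                            5900
Action:                               Allow

Rule Name:                            Block Telnet Out
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
RemoteIP:                             Any
Protocol:                             TCP
Action:                               Block
"""


def parse_rules(text):
    """Turn 'Key: value' blocks into one dictionary per firewall rule."""
    rules, current = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue                      # separators, blank lines, ICMP type rows
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Rule Name":
            current = {"Rule Name": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def is_inbound_allow(rule):
    return (rule.get("Enabled", "").lower() == "yes"
            and rule.get("Direction", "").lower() == "in"
            and rule.get("Action", "").lower() == "allow")


def profiles_of(rule):
    return {p.strip().lower() for p in rule.get("Profiles", "").split(",") if p.strip()}


def public_inbound_allows(rules):
    """Enabled inbound allow rules that stay active on Public networks."""
    hits = []
    for rule in rules:
        if is_inbound_allow(rule) and "public" in profiles_of(rule):
            hits.append({
                "name": rule["Rule Name"],
                "protocol": rule.get("Protocol", "?"),
                "port": rule.get("LocalPort", "n/a"),
                "any_source": rule.get("RemoteIP", "Any").lower() == "any",
            })
    return hits


def profile_summary(rules):
    """Count enabled inbound allow rules per profile."""
    counts = {"domain": 0, "private": 0, "public": 0}
    for rule in rules:
        if is_inbound_allow(rule):
            for profile in profiles_of(rule) & set(counts):
                counts[profile] += 1
    return counts


if __name__ == "__main__":
    for hit in public_inbound_allows(parse_rules(SAMPLE_OUTPUT)):
        print(hit)
```

A rule created without a profile= argument, like the PING4 rule above, applies to every profile, which is why it appears in the Public list.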
• Configuring firewall notification settings
–Can be configured on a per-profile basis
• Resetting Windows Firewall to Defaults
–GUI
• Click Restore defaults in the Windows Firewall control panel applet
–Command line
• Execute the command 'netsh advfirewall reset'
Other Firewall Management Items
• Allows a user to connect to the desktop from a remote computer and operate it as if he were sitting at the console
• Must be explicitly enabled – default is set to not allow remote connections
–Allow connections from computers running any version of Remote Desktop
–Allow connections only from clients running Remote Desktop with Network Level Authentication (XP SP3, Vista, Windows 7)
• You must specifically identify which users can connect remotely
Remote Desktop
• A new session can be established
• A remote session can be established that assumes control of an existing desktop session
• A different user can initiate a remote desktop session, but doing so results in a dialog box asking permission since the currently logged in user will be logged off
• Example
–Configure Remote Desktop from the Remote tab in System Properties
Remote Desktop
• Commonly used by tech support personnel to help a user troubleshoot a problem
• Initiated by the user having troubles
• Uses a time-limited invitation that allows the remote user access to the desktop
• More secure invitations can be created, but only users using Vista or Windows 7 can respond to them
• Examples
–Configure Remote Assistance from the Remote tab in System Properties
–Requesting remote assistance
Remote Assistance
• WinRM enables command-line and PowerShell based management of remote systems
• Requires that the WinRM service first be configured on the remote system
– From administrator command prompt: winrm quickconfig
• Starts the winrm service and sets it to start automatically
• Creates a "WinRM listener" to allow incoming WinRM connections to be serviced
• Creates a WinRM exception in the firewall
Windows Remote Management Service (WinRM)
• If the systems are not in the same domain, a trust relationship must be established
–winrm set winrm/config/client @{TrustedHosts="XXXX"}
• Needed if you want to manage remotely via PowerShell
–Via group policy
• Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management
• Example
–Get a directory listing from a remote computer named gm-7-075
• WinRS -r:gm-7-075 dir
– WinRS = Windows Remote Shell
Windows Remote Management Service (WinRM)
• Remote management via PowerShell
–Requires that you enable WinRM as previously discussed
–You must be using PowerShell V2, the default in Windows 7
–Use icm (Invoke-Command alias) to run a command on a different machine
• Example
–Start PowerShell with administrative rights
• icm gm-7-075 { Get-WmiObject -Class Win32_ComputerSystem }
WinRM and PowerShell
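The TrustedHosts and Invoke-Command steps from the WinRM slides above, as an added example that is not part of the course material. TrustedHosts names the computers the client will connect to even though it cannot verify their identity, so the example adds one named host and warns on a wildcard. The helper function names are constructed; `gm-7-075` is the computer name used on the slide.

```powershell
# Added example, not from the course slides. Run from an elevated PowerShell 2.0
# prompt on the managing workstation. The WSMan: drive needs the local WinRM
# service to be running (winrm quickconfig starts it).
$target = 'gm-7-075'   # remote computer name used on the slide

function Get-TrustedHostList {
    # Returns the client's TrustedHosts setting as trimmed, non-empty names.
    $value = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    if ([string]::IsNullOrEmpty($value)) { return }
    $value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Add-TrustedHost {
    param([string]$ComputerName)
    $current = @(Get-TrustedHostList)
    if ($current -contains '*') {
        # A wildcard already trusts every host; adding a name changes nothing
        # and the setting itself deserves review.
        Write-Warning 'TrustedHosts is set to "*"; replace it with named hosts.'
        return
    }
    if ($current -contains $ComputerName) { return }
    # Append rather than overwrite, so existing entries are preserved.
    $new = ($current + $ComputerName) -join ','
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $new -Force
}

# 1. Trust only the one computer that will be managed, then show the result.
Add-TrustedHost -ComputerName $target
Get-TrustedHostList

# 2. Confirm the remote WinRM listener answers before sending credentials.
Test-WSMan -ComputerName $target -ErrorAction Stop | Out-Null

# 3. Run the slide's query with explicit credentials for the remote machine.
$cred = Get-Credential
Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock {
    Get-WmiObject -Class Win32_ComputerSystem |
        Select-Object Name, Domain, Manufacturer, Model
}
```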
What We Covered
Network profiles / Network Location Awareness
Windows firewall management
Remote Desktop
Remote Assistance
Windows Remote Management Service (WinRM)
WinRM and PowerShell
My Favorite Supporting Resources
1. Windows Firewall with Advanced Security Design and Deployment Guide
• http://www.microsoft.com/downloads/details.aspx?FamilyID=e4a6d0d6-c8c3-414a-ad61-abce6889449d&displaylang=en
Windows 7 Administration Training
Instructor: Scott Lowe
Protecting Windows 7: Local
In This Lesson:
Configuring User Account Control
Configuring removable device policies
Understanding Credential Manager
Changing execution context with RunAs
Windows 7 account policies and user rights
Windows 7 local groups
Creating a password reset disk
Understanding smart card policies
• Globomantics is recovering from a serious and very public security incident
• As a pharmaceutical company with direct customer contact, Globomantics falls under privacy regulations, including HIPAA
• Globomantics wants to make certain that every possible reasonable security measure is implemented, including firewalls, carefully configured remote management capabilities, user account control and various authentication and authorization features.
• Balancing security with usability will allow users to do their jobs while the company remains protected
Scenario
• First included in Windows Vista, UAC adds an authorization layer before actions requiring administrative rights can be performed
– If UAC prompt is ignored for more than 150 seconds, the request is not approved
• Only users granted administrative rights can approve UAC prompts
• Enabled by default in Windows 7
• Can be configured to meet organizational security policies and needs
Configuring User Account Control
• Features
–Secure desktop
• Have you ever wondered why UAC basically locks the desktop?
• It's by design and is a good thing
–Understanding privileges
• All users operate with standard privileges
• Only when a task requiring administrative rights is performed does UAC interject itself and temporarily escalate privileges
– Prompt for consent
– Prompt for credentials
Configuring User Account Control
• UAC settings
–Never notify me
–Notify me only when programs try to make changes to my computer (do not dim my desktop)
–Default – Notify me only when programs try to make changes to my computer (but don't notify me when I make changes to Windows settings)
–Always notify
Configuring User Account Control
• Group Policy/Local Group Policy/Local Security Policy
–Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
• Local Group Policy: gpedit.msc
• Local Security Policy: secpol.msc
• Allows granular control over UAC policies
–Can configure UAC to require credentials instead of just an approval window
• Demo
–Walk through all UAC-related policies
Configuring User Account Control
• For security reasons, many organizations prohibit the use of removable devices
• Group Policy/Local Group Policy
–Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
• Prevent installation of removable devices
Configuring Removable Device Policies
• When user names and passwords are selected to be remembered, they are stored in the Windows Vault
–Web sites
–Remote Desktop sessions
• Exploring the Credential Manager
–Backing up Windows Vault
–Restoring Windows Vault
–Modifying an existing stored credential
–Adding a new credential
–Removing an existing credential
Understanding Credential Manager
• Allows you to run programs using a different user's credentials
–Use the RunAs command line tool
–RunAs [/switches] /user:DOMAIN\USER "program"
• Common switches
– /profile
• Loads the user's profile allowing access to user-specific EFS-protected files
– /noprofile
• Does not load the user's profile
– /savecred
• Saves the credentials under the context of the local administrator account
Changing Execution Context with RunAs
• Account and password policies
–Computer Configuration > Windows Settings > Security Settings > Account Policies
• Local Group Policy: gpedit.msc
• Configurable password policies include
–Enforce password history
–Maximum password age
–Minimum password age
–Password must meet complexity requirements
–Store passwords using reversible encryption
• Not recommended
Windows 7 Account Policies and User Rights
• Configurable account lockout policies include
–Account lockout duration
–Account lockout threshold
–Reset account lockout
• User rights
–Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
• Make sure to understand that these user rights exist
– There are more than three dozen policy settings
Windows 7 Account Policies and User Rights
Windows 7 Local Groups
• Users will forget passwords
• Simply resetting a password has consequences
–User loses access to EFS-encrypted files unless other steps have been taken
–Credentials stored in Credential Manager are no longer accessible
• A password reset disk (or USB/removable device) can be used to reset a password without the aforementioned negative side effects
–Caution: Anyone that finds a password reset disk can use it!
• Demo
–Create a password reset disk
Creating a Password Reset Disk
• Windows 7 includes a number of policies related to managing smart cards
–Smart cards are devices that can be used to authenticate to systems
–More secure than typical username/password-based authentication mechanisms
–Often used to augment – not replace – username/password (multifactor authentication)
• Windows 7 uses the Personal Identity Verification (PIV) standard from the National Institute of Standards and Technology (NIST) and includes other new features
–Smart Card/BitLocker encryption
–Document and email signing
Understanding Smart Card Policies
• Group Policy/Local Group Policy/Local Security Policy
–Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
• Interactive Logon: Require Smart Card
– A simple Yes or No (Enabled or Disabled)
• Interactive Logon: Smart Card Removal Behavior
– No Action (default)
– Lock Workstation
– Force Logoff
– Disconnect if a Remote Desktop Services session
Understanding Smart Card Policies
What We Covered
Configuring User Account Control
Configuring removable device policies
Understanding Credential Manager
Changing execution context with RunAs
Windows 7 account policies and user rights
Windows 7 local groups
Creating a password reset disk
Understanding smart card policies
My Favorite Supporting Resources
1. Vista UAC Secure Desktop Explained
• http://cybernetnews.com/vista-uac-secure-desktop-explained/
Windows 7 Administration Training
Instructor: Scott Lowe
Managing Mobility Options
In This Lesson:
Enable work on the go by using offline files
Transparent caching
Save energy by configuring local power settings
Location Aware Printing
• Globomantics is making sure that every sales person is equipped with a laptop to use in order to maximize their time on the road
• Every customer visit must be as productive as possible
• All of Windows 7's mobility capabilities – offline files, caching, location-based printing, power policies – must be leveraged
• Business needs
– Increased mobility leads to increased sales
–Battery life and power settings must be optimized to increase road time
–Sales people still need access to their centralized files and folders in order to do their jobs
– Location-based printing will help these mobile professionals locate available printers
Scenario
• Users – particularly mobile users – can't always be connected to a live server
• Road warriors still need access to their files
• Offline Files locally caches copies of server-based files on the Windows 7 desktop
• As the user roams, he works from the locally cached file
• Once reconnected to the file server, the cached files synchronize with the server-side copy
• As space becomes a premium, Offline Files begins removing the least-used cached files to reclaim space
• Use the Sync Center to resolve synchronization conflicts
Using Offline Files
Offline Files in Action
• Offline Files is enabled for a file
• A copy of the file is cached to the local Windows 7 machine
• User disconnects from server to go on the road
• User modifies locally cached file while disconnected from server
• The user reconnects to the network
• The modified file is synchronized with the server-based copy
• There are four operational methods
–Online mode (Online)
• Normal, connected access to server-based files
–Auto offline mode (Offline: not connected)
• When network issues occur, Offline Files moves to auto offline mode, which redirects file operations (browse, open, create, read, write) to offline mode
–Manual offline mode (Offline: working offline)
• Users can force Windows 7 to use the offline copy of data at will
–Slow-link mode (Offline: slow connection)
• If enabled in Group Policy, allows a transition to offline mode when a network connection slows down
Using Offline Files
• Group/Local policies related to Offline Files
–Computer Configuration > Administrative Templates > Network > Offline Files
• Important policies
–Encrypt the Offline Files cache
– Files not cached
–Remove 'Make Available Offline'
• A look at the Sync Center available via Control Panel
Using Offline Files
• Similar to Windows 7's new BranchCache feature
–Windows 7's new BranchCache capability is covered in the lesson entitled Managing BranchCache
• Transparent caching locally and automatically caches copies of files that a user has accessed from a server
–Does not need to be enabled on a per-file basis
• Each time the user accesses the file, the local system verifies that the locally cached copy is current
– If it's not current, the file is opened directly from the server
• When the server is unavailable, the local cache is also unavailable
• Supports both domain- and non-domain-joined clients
Transparent Caching
• Not enabled by default
–Group/Local policies related to Offline Files
• Computer Configuration > Administrative Templates > Network > Offline Files
• We will learn more about Transparent Caching in the lesson entitled Managing BranchCache
Transparent Caching
• Power plans (default is "Balanced" power plan)
–Allow you to decide how your computer operates under different power environments
• Plugged in
• On Battery (available only on computer with batteries)
– Include a number of power settings from which you can choose, including
• Display settings
– Power configuration
– Brightness
• Sleep settings
• Advanced settings
– Available for each configured power plan
Configuring Local Power Settings and Policies
• Power button options
–Sleep
• Most system devices are turned off
• RAM stays active at current state
• Eventually transitions to Hibernate mode
–Hibernate
• Everything is turned off and the contents of system memory are written to a file on the hard disk
• System resumes when powered back on at the state at which it was when it was placed in Hibernate mode
–Shut down
• Turn the system off
–Do Nothing
Configuring Local Power Settings and Policies
• Centralize power configuration through Group Policy
–Computer Configuration > Administrative Templates > System > Power Management
• You can require the use of one of Windows 7's built in power plans
– If you know the GUID of a custom power plan, that plan can be used instead
• Use powercfg -L from the command line to get a list of power plans and their GUIDs
Configuring Local Power Settings and Policies
• Other important powercfg commands
–See which devices can wake a computer
• powercfg -devicequery wake_from_any
–Create an energy policy report
• powercfg -energy
• Open the resulting report in Internet Explorer
– Saved to a file named energy-report.html in the directory in which the command was run
–Export a power plan
• powercfg -export export_name GUID
– Import a power plan
• powercfg -import filename GUID
Configuring Local Power Settings and Policies
• Allows automatic switching of available print devices based on location
• Printers can be manually paired with a particular network
• From Devices and Printers
–Click Manage default printers
–Make decisions about which printers to use for which network
Location Aware Printing
What We Covered
Enable work on the go by using offline files
Transparent caching
Save energy by configuring local power settings
Location Aware Printing
Windows 7 Administration Training
Instructor: Scott Lowe
Protecting Windows 7 Computers with Windows Updates
In This Lesson:
Why update Windows?
Update types
Windows Update control panel applet
Configuring important update settings
Windows Update settings
Reviewing update history
Deciding which updates to install
Uninstalling updates
Using the Microsoft Baseline Security Analyzer
WSUS and Windows Updates
Non-WSUS operations vs. WSUS operations
• Keeping Windows desktop computers current with the latest security patches is vital to company efforts to keep systems and data secure
• Windows computers require regular updates designed to plug security holes and correct other flaws
• Globomantics can't afford to hire enough people to simply walk around and manually update each and every Windows 7 desktop
• Business need
–Centralizing updates keeps TCO at a reasonable level
–Updates are a critical component of an organization's overall security strategy
–The ability to roll back updates is key in the event that an update breaks something
Scenario
• All software contains flaws
• Even with the best of intentions, Windows ships with holes that were not discovered during development
• Updates fix these flaws
• Some updates add new features and capabilities to Windows
• Update is not limited to Windows; other Microsoft products – including Office – are updated via this update mechanism
Why Update Windows?
• Important
–Updates that should be installed immediately in order to counter potential security or privacy threats
– Includes security and critical updates
• Recommended
–Updates that may improve system reliability or improve information, such as that found in system help files
–May add new features to Windows or even other Microsoft software
• Optional
–Often includes new driver updates
–May include new versions of trial software
Update Types
• Options provides control over Windows Update settings
• Manual update installation process
• Click Check for updates
• Manually install updates via the Install Update button
– If updates have been downloaded, click the Install updates button to begin installation
– Click the category name to list updates
Windows Update Control Panel Applet
• Install updates automatically
–Updates are installed every day at 3AM or as soon as the computer is turned on
• Download updates but let me choose whether to install them
–Updates are downloaded but are not installed until a user initiates the process
• Check for updates but let me choose whether to download and install them
–The user is simply notified that new updates are available, but they are neither downloaded nor installed without user intervention
• Never check for updates
–Not recommended
Configuring Important Update Settings
Windows Update Settings
• Get a list of installed updates by clicking the View update history option in Control Panel
• Get more information about an update by right-clicking the update and choosing View details
Reviewing Update History
• You may want to prevent an update from installing automatically
–Some updates have problems
–You may have software that conflicts with an update
• Hide an update so it doesn't appear in update lists
• If you change your mind, you can unhide updates
–At some point, you should make sure to install all important updates, even if you've previously hidden them
• Use the Restore hidden updates option
Deciding Which Updates to Install
• When you‘re viewing a list of installed updates, right-click an update and choose Uninstall
• The Installed Updates window is accessible via the Windows Update control panel applet or the Programs and Features control panel applet
Uninstalling Updates
• MBSA 2.1.1 provides support for Windows 7 and Windows Server 2008 R2
–Download from
• http://www.microsoft.com/downloads/details.aspx?FamilyID=b1e76bbe-71df-41e8-8b52-c871d012ba78&displaylang=en
• MBSA provides a way to identify updates that might be missing from a Windows installation
• The tool also points out other potential security holes, such as misconfigured accounts or accounts with no password expiration in place
Using the Microsoft Baseline Security Analyzer
• Group Policy (local GP editor: gpedit.msc)
–Computer Configuration > Administrative Templates > Windows Components > Windows Update
• A lot of options available
–We'll walk through them
Using Group Policy to Configure Updates
• Microsoft Windows Server Update Services 3.0 SP2
–Provides support for Windows 7
–A server-based tool that centrally manages and distributes updates
–Once installed, assumes responsibility for contacting Microsoft Update servers
–Saves bandwidth
• Machines don't need to individually download massive updates
• Centrally catalogs updates
WSUS and Windows Updates
Non-WSUS Operations vs. WSUS Operations
[Diagram: Globomantics Office – Without WSUS. GM-7-Desktop (Globomantics Windows 7 Desktop), GM-7-M-X (Globomantics Windows 7 Mobile), GM-SW-File (Globomantics Server, DHCP/DNS). Each individual computer downloads updates from Microsoft Update servers.]
[Diagram: Globomantics Office – With WSUS. GM-7-Desktop (Globomantics Windows 7 Desktop), GM-7-M-X (Globomantics Windows 7 Mobile), GM-SW-File (Globomantics Server, DHCP/DNS), WSUS Server. Local WSUS servers download and catalog updates. Each individual computer downloads updates from the local WSUS server.]
• Redirect Automatic Updates to a WSUS server
–Click Specify Intranet Microsoft update service location
–Click Enabled and type the HTTP(S) URL of the same WSUS server in the Set the intranet update service for detecting updates box and in the Set the intranet statistics server box
–Click the OK button
• Disable access to Windows Update
–Use Group Policy: Expand Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings
–Click Turn off access to all Windows Update features
–Click Enabled
WSUS and Windows Updates
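One way to confirm on a client that the redirection described above took effect, as an added example that is not part of the course material. It reads the Windows Update policy values that Group Policy writes under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`; the function name `Test-WsusClientPolicy` is constructed for this example.

```powershell
# Added example, not from the course slides. Reads the Windows Update policy
# values that Group Policy writes to the registry on a Windows 7 client and
# reports settings that would keep the client from using the WSUS server.
function Test-WsusClientPolicy {
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    $findings = @()

    if (-not $wu -or -not $wu.WUServer) {
        $findings += 'No intranet update service is configured by policy.'
    } else {
        # The slide says to enter the same server in both boxes.
        if ($wu.WUServer -ne $wu.WUStatusServer) {
            $findings += "Update server ($($wu.WUServer)) and statistics server ($($wu.WUStatusServer)) differ."
        }
        if ($wu.WUServer -notmatch '^https://') {
            $findings += "The update server URL does not use HTTPS: $($wu.WUServer)"
        }
        # Without UseWUServer = 1 the client ignores the WUServer value.
        if (-not $au -or $au.UseWUServer -ne 1) {
            $findings += 'UseWUServer is not 1, so the configured server is not used.'
        }
    }

    # AUOptions values mapped to the wording used in the Control Panel applet.
    $modes = @{
        2 = 'Check for updates but let me choose whether to download and install them'
        3 = 'Download updates but let me choose whether to install them'
        4 = 'Install updates automatically'
    }
    if ($au -and $au.NoAutoUpdate -eq 1) {
        $mode = 'Never check for updates'
        $findings += 'Automatic updating is disabled by policy.'
    } elseif ($au -and $modes.ContainsKey([int]$au.AUOptions)) {
        $mode = $modes[[int]$au.AUOptions]
    } else {
        $mode = 'Not set by policy (the local Control Panel setting applies)'
    }

    New-Object PSObject -Property @{
        UpdateServer = $wu.WUServer
        StatusServer = $wu.WUStatusServer
        UseWUServer  = $au.UseWUServer
        UpdateMode   = $mode
        Findings     = $findings
    }
}

Test-WsusClientPolicy |
    Select-Object UpdateServer, StatusServer, UseWUServer, UpdateMode, Findings |
    Format-List
```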
• System Center Configuration Manager 2007 R2 can also be used to handle distribution and tracking of updates
• Globomantics does not currently own System Center Configuration Manager 2007 R2
–http://www.trainsignal.com/System-Center-Configuration-Manager-P71.aspx
Plug for System Center Configuration Manager 2007 R2
What We Covered
Why update Windows?
Update types
Windows Update control panel applet
Configuring important update settings
Windows Update settings
Reviewing update history
Deciding which updates to install
Uninstalling updates
Using the Microsoft Baseline Security Analyzer
WSUS and Windows Updates
Non-WSUS operations vs. WSUS operations
Windows 7 Administration Training
Instructor: Scott Lowe
Managing Applications
In This Lesson:
Program compatibility assistant
Program compatibility properties
Compatibility-related group policies
Application Compatibility Toolkit
Using Windows XP mode
Configuring software restriction policies
Using AppLocker
• Globomantics uses a wide range of applications to meet its business goals
• There are questions surrounding application compatibility
• Globomantics will use a number of tools to determine compatibility with Windows 7
• Globomantics also plans to consider the use of AppLocker as a security mechanism to keep hostile software off the network
• Business need
– Line of business applications are the lifeblood of Globomantics so they need to simply work
–AppLocker is a Windows 7-based evolution in software policies designed to control what applications are allowed to be used
Scenario
• A tool built into Windows 7 that checks for program installation problems
• Pops up a dialog box suggesting a fix for a problem
• Offers to reinstall a program using Microsoft recommended settings
• Only modifies Windows settings related to the execution of the program
Program Compatibility Assistant
• Right-click program and choose Troubleshoot compatibility
• Manually modify program properties
–Compatibility mode
–Run in 256 colors
–Run in 640x480 screen resolution
–Disable visual themes
–Disable desktop compression
–Disable display scaling on high DPI settings
–Privilege level
–Change settings for all users
Program Compatibility Properties
• Available via the Group Policy editor
–Computer Configuration > Administrative Templates > System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics
Compatibility-Related Group Policies
• Application Compatibility Manager
–A SQL Server-based tool that collects application information from existing Globomantics computers
• Compatibility Administrator
–A set of application compatibility fixes that have already been verified to allow applications to work under Windows 7
• Developer and Tester Tools
– Internet Explorer Compatibility Test Tool
• Tests web site compatibility with Internet Explorer 8
–Setup Analysis Tool
• Monitors application installers to test compatibility
–Standard User Analyzer
• Determines if an app will have problems with UAC
Application Compatibility Toolkit
• Option of last resort
• Creates a virtual instance of Windows XP in which applications are run
• Seamless to end user
• Installation steps (www.microsoft.com/windows/virtual-pc)
–Download and install Windows XP Mode first
–Then Virtual PC
–Then Windows XP Mode update
• Globomantics will run Internet Explorer 6 from Windows XP Mode
Using Windows XP Mode
• A legacy application management tool
• Configurable via Group Policy
–Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies
• Applicable to Windows XP, Windows Vista and Windows 7
• Security levels – Group Policy page
• Enforcement – Group Policy page
• Designated file types – Group Policy page
• Trusted publishers
Configuring Software Restriction Policies
• Order of precedence
–Hash rule
–Certificate rule
–Path rule
–Network zone rule (msi installer files only)
–Default rules
• For conflicts
–The most specific rule takes precedence
• Globomantics will block the use of Solitaire using Software Restriction Policies
Configuring Software Restriction Policies
• Available only on Windows 7 clients
• Significantly better than Software Restriction Policies
–No need to rework restrictions as applications are upgraded
–Can be applied to user subsets
• Configurable via Group Policy
–Computer Configuration > Windows Settings > Security Settings > Application Control Policies
• Relies on the use of the Application Identity Service
Using AppLocker
Using AppLocker
Feature | Software Restriction Policies | AppLocker
Rule scope | All users | Specific user or group
Rule conditions provided | File hash, path, certificate, registry path, and Internet zone rules | File hash, path, and publisher rules
Rule types provided | Allow and deny | Allow and deny
Default rule action | Allow or deny | Deny
Audit-only mode | No | Yes
Wizard to create multiple rules at one time | No | Yes
Policy import or export | No | Yes
Rule collection | No | Yes
PowerShell support | No | Yes
Custom error messages | No | Yes
• Rule types
–Executable
• .exe and .com files
–Windows Installer
• .msi and .msp files
–Script
• .ps1, .bat, .cmd, .vbs and .js files
–DLL
• .dll and .ocx files
Using AppLocker
• Rule conditions
–Publisher
• Discussed on next slide
• Most secure option
–Path
• Based on the file path
– File hash
• Based on the unique file hash
• Use when a file is not signed
• More secure than path rules
• Rule behavior
–Allow or Deny
Using AppLocker
• Publisher rules
–Rules based on application digital signatures
• Files must be signed
–These rules can survive application upgrades
• e.g. Create a rule that says "Block this application - version 2.0 and higher"
• e.g. Allow versions 2.0 or higher of a program to run if it is signed by the software publisher GlobomanticsDevCorp
–Globomantics will block the use of WordPad using AppLocker
• Service Packs should not disable this rule
Using AppLocker
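The AppLocker slides above mention publisher and hash rules, audit-only mode and PowerShell support; the following added example, which is not part of the course material, ties them together by generating a candidate policy, switching it to audit-only and testing files against it before anything is enforced. The reference folder and output file name are hypothetical values, and the WordPad path assumes a default Windows 7 installation.

```powershell
# Added example, not from the course slides. Run from an elevated PowerShell
# prompt on a Windows 7 client that has the AppLocker module.
Import-Module AppLocker

$referenceDir = 'C:\Program Files\GlobomanticsApp'          # hypothetical folder of approved software
$policyPath   = Join-Path $env:TEMP 'applocker-audit.xml'   # constructed file name
$wordPad      = Join-Path $env:ProgramFiles 'Windows NT\Accessories\wordpad.exe'

# 1. AppLocker relies on the Application Identity service; check that it exists
#    and whether it is running.
Get-Service -Name AppIDSvc | Select-Object Name, Status

# 2. Collect publisher, path and hash information for the approved executables.
$files = Get-AppLockerFileInformation -Directory $referenceDir -Recurse -FileType Exe

# 3. Build allow rules: publisher rules for signed files, with hash rules as the
#    fallback for files that are not signed.
[xml]$policy = $files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 4. Mark every rule collection audit-only. A policy that holds only these allow
#    rules would deny everything else once enforced, so it is observed first.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($policyPath)

# 5. Evaluate files against the saved policy without applying it. A file that no
#    rule covers is reported as DeniedByDefault.
$candidates = @($wordPad) + @(
    Get-ChildItem -Path $referenceDir -Recurse -Filter *.exe |
        ForEach-Object { $_.FullName }
)
Test-AppLockerPolicy -XMLPolicy $policyPath -Path $candidates -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 6. After the policy has been imported (through Group Policy or
#    Set-AppLockerPolicy -XMLPolicy $policyPath), event 8003 in this log lists
#    files that ran but would have been blocked under enforcement.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message
```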
What We Covered
Program compatibility assistant
Program compatibility properties
Compatibility-related group policies
Application Compatibility Toolkit
Using Windows XP mode
Configuring software restriction policies
Using AppLocker
My Favorite Supporting Resources
1. Windows 7 Application Compatibility List for IT Professionals
2. Introduction to the Application Compatibility Toolkit (ACT) Version 5.6
3. Windows 7 AppLocker Executive Overview
4. How AppLocker Works
Windows 7 Administration Training
Instructor: Scott Lowe
Managing Internet Explorer
In This Lesson:
Compatibility Mode
Configuring IE security settings
IE Protected Mode
Managing IE add-ons and search providers
Managing IE's InPrivate browsing
Managing IE's InPrivate filtering
About IE's SmartScreen Filter
IE's pop up blocker
Managing IE certificates
• The Globomantics Application group has developed a number of web-based applications that support only Internet Explorer
• The CIO has made Internet Explorer the corporate standard
• Windows 7 provides centralized management of IE
• Making sure that Internet Explorer settings on Windows 7 machines meet corporate security policies
–Ban the use of unapproved add-ins for Internet Explorer
–Make sure that compatibility mode is properly configured
• Business need
–Compatibility Mode will give the Globomantics Application Support group time to update web-based applications
–Users need to understand SmartScreen to help the company prevent malware infestations
Scenario
Windows 7 Administration Training
Managing Internet Explorer
• Not all web sites display properly in Internet Explorer 8
– IE 8 is the version that ships with Windows 7
• Windows Updates include lists of web sites that work best under Compatibility Mode
• Compatibility Mode Group Policies
–Administrative Templates > Windows Components > Internet Explorer > Compatibility View
• Globomantics needs to display the site apps.globomantics.com in compatibility mode
Compatibility Mode
Windows 7 Administration Training
Managing Internet Explorer
• Security levels
–High
• Most actions are disallowed
–Medium-High
• Appropriate for most web browsing
• Prompts before downloading potentially unsafe content
• Unsigned ActiveX controls will not be downloaded
• Per-application override settings that disable ActiveX warnings in certain situations are not allowed
–Medium
• Prompts before downloading potentially unsafe content
• Unsigned ActiveX controls will not be downloaded
Configuring IE Security Settings
Windows 7 Administration Training
Managing Internet Explorer
–Medium-Low
• Appropriate for intranet-based sites
• Most content will be run without the user being prompted
• Unsigned ActiveX controls will not be downloaded
– Low
• Appropriate for only absolutely trusted sites
• Most content will be run without the user being prompted
• All active content can run
Configuring IE Security Settings
Windows 7 Administration Training
Managing Internet Explorer
• Internet Explorer security zones
– Local intranet
• Medium-Low security level
–Trusted sites
• Medium security level
• Used only for sites that are known and that can be trusted
–Restricted sites
• High security level
• Used for dangerous sites
– Internet
• Medium-High security level
Configuring IE Security Settings
Windows 7 Administration Training
Managing Internet Explorer
• Makes it more difficult for web sites to install malicious software
• Allows administrators to install desirable ActiveX controls and add-ons
• Zones
–Enabled by default in the Internet and Restricted sites zones
–Disabled in the Local Intranet and Trusted sites zones
IE Protected Mode
Windows 7 Administration Training
Managing Internet Explorer
• Add-ons extend the functionality of Internet Explorer
• There are add-ons available for many different categories, including adding new search engines to IE
• Group Policy (computer and user settings)
–Administrative Templates > Windows Components > Internet Explorer > Accelerators and
–Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management
• Globomantics’ marketing department uses Twitter extensively and will add an Internet Explorer add-on to streamline the Twitter update process
Managing IE Add-ons and Search Providers
Windows 7 Administration Training
Managing Internet Explorer
• InPrivate Browsing prevents Internet Explorer from storing data about a browsing session
• Helps to prevent anyone else who might be using your computer from seeing visited sites and other potentially private information such as cookies, temporary Internet files, history, and other data
• Toolbars and extensions are disabled by default
• InPrivate Browsing is only in effect during the time that you use the InPrivate window
• Group Policy settings (both computer and user settings)
–Administrative Templates > Windows Components > Internet Explorer
Managing IE’s InPrivate Browsing
Windows 7 Administration Training
Managing Internet Explorer
• InPrivate Browsing is a broad privacy mechanism
• InPrivate Filtering is more granular
–Helps protect users from common browsing tracking, such as that performed by third party advertising networks
–Users (or administrators) decide what can be shared and with whom
• Managing InPrivate Filtering settings
–Globomantics wants to make sure users can browse the web and get work done and will turn off InPrivate Filtering
Managing IE’s InPrivate Filtering
Windows 7 Administration Training
Managing Internet Explorer
• Looks for known or suspected “phishing” web sites or sites that may harm your computer through the installation of malware
• Site list is updated on an hourly basis
• Also scans downloaded files and blocks the download if there is a known risk
• Allows a user to perform a manual check of a site
• Provides users with a warning that a site might not be safe
• http://207.68.169.170/contoso/enroll_auth.html
About IE’s SmartScreen Filter
Windows 7 Administration Training
Managing Internet Explorer
• Pop-ups are not very popular but when used appropriately, do have value
• Some pop-ups – e.g. login boxes – need to be allowed
• Pop-ups can be allowed on a site-by-site or per-zone basis
–Pop-ups are always allowed in the default Local Intranet and Trusted Sites zones
• The Pop-Up Blocker settings window allows configuration of this security feature
IE’s Pop-Up Blocker
Windows 7 Administration Training
Managing Internet Explorer
• Secure web browsing is based on the use of Secure Sockets Layer (SSL) encryption certificates
• Provides trusted secure end-to-end communications encryption so users can comfortably share personal information including social security numbers and credit card information
• Internet Explorer blocks access to SSL-protected web sites when things don’t look right
–The address doesn’t match that of the SSL certificate
–The certificate is expired or has been revoked
–The certificate is not trusted back to what’s called a root certificate
• Internet Explorer certificate settings window
–https://204.184.63.35/owa/
Managing IE Certificates
Windows 7 Administration Training
Managing Internet Explorer
What We Covered
Compatibility Mode
Configuring IE security settings
IE Protected Mode
Managing IE add-ons and search providers
Managing IE’s InPrivate browsing
Managing IE’s InPrivate filtering
About IE’s SmartScreen Filter
IE’s pop up blocker
Managing IE certificates
Windows 7 Administration Training
Managing Internet Explorer
My Favorite Supporting Resources
1. About URL Security Zone Templates
Windows 7 Administration TrainingInstructor: Scott Lowe
Configuring File and Folder Access
Windows 7 Administration Training
Configuring File and Folder Access
In This Lesson:
Changing file and folder permissions
Understanding NTFS permissions
Assigning NTFS permissions
Understanding effective permissions
Permissions impact: Copying and moving files
Encrypting files and folders using EFS
BitLocker To Go
Full disk encryption using BitLocker
Windows 7 Administration Training
Configuring File and Folder Access
• Globomantics needs to provide secure access to files and folders so that users can do their jobs
• Due to the recent security incident, Globomantics wants to make sure that the theft of a desktop computer doesn’t result in unauthorized access to company data
• Although Globomantics could choose to implement BitLocker on desktops as well as laptops, the company is considering using EFS on internal systems just to protect key shared folders
• Business need
–Globomantics will secure access to files and folders at both the share and file (NTFS) level.
–Globomantics will protect mobile devices through the use of BitLocker and protect internal desktop PCs using EFS
Scenario
Windows 7 Administration Training
Configuring File and Folder Access
• In the world of IT, there is a principle that states that users should have only the most minimal permissions they need to complete their jobs
• NTFS – the default file system used in Windows 7 – helps to enforce this principle of least privilege by providing the ability to apply permissions to files and folders in a very granular way
–No NTFS rights = No access
• With only minor exceptions, files and folders both use the same available NTFS permissions but these permissions may manifest themselves a bit differently
• Permissions can be assigned directly to a user or they can be assigned to a user group
– It’s much preferred to assign permissions to groups
Changing File and Folder Permissions
Windows 7 Administration Training
Configuring File and Folder Access
• Basic NTFS permission sets
– Full Control (Modify, Read & Execute, List Folder Contents, Read, Write)
• Provides a user with the ability to do anything and everything with a file or folder to include modifying permissions
• This is the only standard right that allows a user to change permissions to the file or folder
• Users can take ownership of a file or folder
–Modify (Read & Execute, List Folder Contents, Read, Write)
• Allows a user to read, write, change and delete files and folders
Understanding NTFS Permissions
Windows 7 Administration Training
Configuring File and Folder Access
• Basic NTFS permission sets (continued)
–Read & Execute (List Folder Contents, Read)
• Allows a user to access a file or folder and execute programs within
– List Folder Contents
• Applies to folder only
• Allows a user to view the contents of a folder
–Read
• User can read the contents of a folder or access a file
• Does not allow the user to execute programs
–Write
• Folders: User can add files and folders to a folder
• Files: User can change a file, but he cannot delete it
Understanding NTFS Permissions
Windows 7 Administration Training
Configuring File and Folder Access
• Inherited permissions
–When you create a file or folder, the new entity assumes the permission set of the parent folder
–This process is called inheritance and can result in some of the most complicated permission issues you will come across
• You can block inheritance and assign unique permissions if you like
Understanding NTFS Permissions
Windows 7 Administration Training
Configuring File and Folder Access
• Each file and folder object on the NTFS partition has a Security tab on its Properties page
– From this page, you can view the current security configuration for the object
• You can also use the command line icacls utility
• Globomantics wants to do the following
–Allow users that are a part of the Marketing group to access (Modify access) a local folder named “Marketing” (GUI method)
–Allow users that are a part of the Sales group to access (again, Modify rights) a local folder named “Sales” (icacls)
• icacls c:\sales /grant gm\sales:(oi)(ci)m
–Deny access to the “Sales” folder to Marketing (GUI)
Assigning NTFS Permissions
Windows 7 Administration Training
Configuring File and Folder Access
• NTFS permissions can and do collide with one another from time to time
–A user might have been directly assigned Read rights to a particular folder and also been assigned the Write right by virtue of a group membership
• With one exception, NTFS permissions are cumulative
– In the case above, the user would be granted both Read and Write privileges
–Exception
• If a user has been specifically denied a right anywhere, the Deny right trumps everything else
Understanding Effective Permissions
Windows 7 Administration Training
Configuring File and Folder Access
• Globomantics is trying to figure out why the user named Steve Smith was able to change a document at C:\Accounting
• Use the effective permissions tool to determine what access level this user has been granted and determine why he was able to make a change
Understanding Effective Permissions
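The Steve Smith question above can also be answered from a script. The PowerShell function below is an added example, not part of the course material: it applies the slide's rule (Allow entries add up, any matching Deny wins) to the real ACL on a folder. The account and group names in the sample call are constructed, and the caller is assumed to list the user's groups by hand.

```powershell
# Added example (not from the course). Written for the PowerShell 2.0 that
# ships with Windows 7.
# Simplification taken from the slide: Windows itself evaluates ACEs in order,
# so an explicit Allow on the object can take precedence over an inherited Deny.
function Get-EffectiveNtfsRights {
    param(
        [Parameter(Mandatory = $true)][string]   $Path,
        # Assumption: the user account plus every group it belongs to,
        # supplied by the caller (no Active Directory lookup is done here).
        [Parameter(Mandatory = $true)][string[]] $Identity
    )

    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $writeData   = [int][System.Security.AccessControl.FileSystemRights]::WriteData

    $acl = Get-Acl -Path $Path

    # Keep ACEs whose trustee is the user or one of the listed groups, and skip
    # inherit-only ACEs because they apply to children, not to this object.
    $aces = @($acl.Access | Where-Object {
        ($Identity -contains $_.IdentityReference.Value) -and
        (([int]$_.PropagationFlags -band $inheritOnly) -eq 0)
    })

    [int]$allow = 0
    [int]$deny  = 0
    foreach ($ace in $aces) {
        if ($ace.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$ace.FileSystemRights   # cumulative
        } else {
            $deny  = $deny  -bor [int]$ace.FileSystemRights   # collected separately
        }
    }

    # Deny trumps Allow: remove every denied bit from the accumulated rights.
    $effective = $allow -band (-bnot $deny)

    New-Object PSObject -Property @{
        Path      = $Path
        Effective = [Enum]::ToObject([System.Security.AccessControl.FileSystemRights], $effective)
        CanWrite  = (($effective -band $writeData) -ne 0)
        # The ACEs that produced the result, so the "why" is visible.
        Aces      = $aces | Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
    }
}

# Sample call with constructed names for the C:\Accounting scenario.
$result = Get-EffectiveNtfsRights -Path 'C:\Accounting' -Identity @(
    'GM\ssmith', 'GM\Accounting', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$result | Select-Object Path, Effective, CanWrite
$result.Aces | Format-Table -AutoSize
```

The Aces table shows which entry grants the write right and whether it was inherited from a parent folder, which is usually where an unexpected permission comes from.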
Windows 7 Administration Training
Configuring File and Folder Access
• As you’ve seen, file and folder permissions are dependent on their location in the file system, particularly as inheritance comes into play
• Moving and copying files can impact NTFS permissions on the files being copied or moved
–When copying objects to a new location, the objects take on the permission set of the new location
–When objects are moved
• To locations on the same volume
– They maintain their existing permission sets
• To locations on a different volume
– They inherit the permissions of the new folder
Permissions Impact: Copying and Moving Files
Windows 7 Administration Training
Configuring File and Folder Access
• EFS allows users to encrypt individual files and folders
–BitLocker encrypts entire volumes
–EFS encrypts individual files and folders on NTFS volumes
• Once a folder is encrypted all files inside that folder are encrypted, including any files you create later on
• The first time a user encrypts a file on a Windows 7 machine, he is asked to back up his newly created security certificate
– If other users need to access the file, they need to first log in and encrypt something so that their certificate is also saved
–You can use Active Directory Certificate Services to centralize management of EFS certificates
• Well beyond the scope of this course and the exam
Encrypting Files and Folders Using EFS
Windows 7 Administration Training
Configuring File and Folder Access
• EFS Recovery Agent
–Users come and go and they may or may not leave in a way that allows them to make sure that they've provided access to files that they've encrypted
–Create an EFS Recovery Agent in order to open files encrypted by another user
• The agent needs to be created before users start encrypting files
• From the command line
– Cipher /r:recoveryagent
Encrypting Files and Folders Using EFS
Windows 7 Administration Training
Configuring File and Folder Access
• Globomantics will teach some internal users how to encrypt folders on their local hard drives
–These folders contain sensitive financial information that, in the wrong hands, could lead to another public relations debacle
–Because two users share a single PC in the controller's office, certificates will be created for both users (Administrator and Steve)
–This is a stop gap measure intended to be used only until Globomantics is able to deploy a full infrastructure capable of centralizing all of the various user certificates
–You will first create an EFS Recovery Agent to make sure that files remain accessible
Encrypting Files and Folders Using EFS
Windows 7 Administration Training
Configuring File and Folder Access
• People often rely on portable storage to be able to transport documents between locations
• These portable storage devices can be a major security headache
• BitLocker To Go is a new feature that encrypts the full contents of these portable storage devices
• Does not require any special hardware, such as a Trusted Platform Module chip
• Devices protected with BitLocker To Go can even be read in older versions of Windows
BitLocker To Go
Windows 7 Administration Training
Configuring File and Folder Access
• A number of local group policies exist that manage the implementation of BitLocker
– Located at Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives
• Globomantics requires that portable USB storage be configured with BitLocker To Go
–Set up appropriate local policies
• Walk-through policy options
–Encrypt a USB volume
BitLocker To Go
Windows 7 Administration Training
Configuring File and Folder Access
• BitLocker provides full disk encryption making data inaccessible unless specific conditions are met
• BitLocker operating modes
–TPM-only mode
–TPM with startup key
–TPM with PIN
–TPM with PIN and startup key
–BitLocker without TPM
Full Disk Encryption Using BitLocker
Windows 7 Administration Training
Configuring File and Folder Access
• TPM-only mode (TPM = Trusted Platform Module)
–100% transparent to user
–Protects the boot environment from modification
–No requirement for the user to use a PIN or password at boot time
–No requirement for the user to use a startup key at boot time
– Least secure BitLocker option
Full Disk Encryption Using BitLocker
Windows 7 Administration Training
Configuring File and Folder Access
• TPM with startup key
–Not very transparent to user
–Protects the boot environment from modification
–No requirement for the user to use a PIN or password at boot time
–There is a requirement for the user to use a startup key at boot time
• A startup key is a USB drive that has been preconfigured for use with BitLocker
–More secure since there is a need for the user to use a physical device to boot the system
Full Disk Encryption Using BitLocker
Windows 7 Administration Training
Configuring File and Folder Access
• TPM with PIN
–Transparent to user after boot
–Protects the boot environment from modification
–There is a requirement for the user to use a PIN or password at boot time
–No requirement for the user to use a startup key at boot time
–More secure since there is a need for the user to use a password to boot the system
Full Disk Encryption Using BitLocker
Windows 7 Administration Training
Configuring File and Folder Access
• TPM with PIN and startup key
–Not very transparent to user
–Protects the boot environment from modification
–There is a requirement for the user to use a PIN or password at boot time
–There is a requirement for the user to use a startup key at boot time
• A startup key is a USB drive that has been preconfigured for use with BitLocker
–Most secure option since there is a need for the user to both use a password to boot the system and to have available a physical USB device
Full Disk Encryption Using BitLocker
Windows 7 Administration Training
Configuring File and Folder Access
• BitLocker without TPM
–Not all systems ship with TPM chips so BitLocker can be configured to use just a key device
–Does not protect the boot environment itself
–Organizations may still want to use BitLocker even if a system does not have TPM
• Modify a Group Policy object
– Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require Additional Authentication at Startup
• Requires the use of a USB-based startup key
Full Disk Encryption Using BitLocker
Windows 7 Administration Training
Configuring File and Folder Access
• BitLocker notes
–When used with TPM, the encryption key is stored on the system's local TPM chip
–Recovery information can also be stored in Active Directory
• Configure a Data Recovery Agent (DRA) user account to enable recovery of encrypted data
– Computer Configuration > Windows Settings > Security Settings > Public Key Policies > BitLocker Drive Encryption
• For already-encrypted drives, use the manage-bde -SetIdentifier <volume letter> command to enable after-the-fact DRA support on that volume
Full Disk Encryption Using BitLocker
Windows 7 Administration Training
Configuring File and Folder Access
• Recovery
–There are times when BitLocker needs to be used in recovery mode
• The contents of the TPM chip may have been lost
• You modified one of the boot files
– Best practice: Temporarily disable BitLocker before modifying a boot file
• You've connected a BitLocker-protected disk to a different computer
– In recovery mode, you need to provide one or both of
• The BitLocker PIN
• The USB key that holds the recovery key
Full Disk Encryption Using BitLocker
Windows 7 Administration Training
Configuring File and Folder Access
• The manage-bde command
–Manage BitLocker options from the command line
–See the results of manage-bde -status
• Globomantics will enable BitLocker on the system volume for laptop systems
–PIN option will be selected
Full Disk Encryption Using BitLocker
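Once laptops are encrypted with the PIN option, the manage-bde -status report can be checked by script instead of by eye. The PowerShell below is an added example, not part of the course material: it parses the report and flags any volume that is not fully encrypted, has protection off, or has no PIN-based key protector. The sample report is constructed for illustration; on a real machine pass the output of manage-bde -status instead.

```powershell
# Added example (not from the course). Written for PowerShell 2.0 on Windows 7.
function ConvertFrom-ManageBdeStatus {
    # Not marked Mandatory on purpose: the report contains blank lines, and a
    # mandatory [string[]] parameter rejects empty strings.
    param([string[]] $Line)

    $volumes = @()
    $current = $null
    $inProtectors = $false
    foreach ($l in $Line) {
        if ($l -match '^Volume\s+(\S+:)') {
            # A new volume section starts, for example "Volume C: [OSDisk]".
            $current = New-Object PSObject -Property @{
                Volume = $Matches[1]; Conversion = ''; Protection = ''; Protectors = @()
            }
            $volumes += $current
            $inProtectors = $false
        }
        elseif ($null -eq $current) { continue }      # banner text before the first volume
        elseif ($l -match '^\s+Key Protectors:\s*(.*)$') {
            $inProtectors = $true
            if ($Matches[1]) { $current.Protectors += $Matches[1].Trim() }   # "None Found"
        }
        elseif ($l -match '^\s+([^:]+):\s+(.*)$') {
            $inProtectors = $false
            $key = $Matches[1].Trim(); $value = $Matches[2].Trim()
            switch ($key) {
                'Conversion Status' { $current.Conversion = $value }
                'Protection Status' { $current.Protection = $value }
            }
        }
        elseif ($inProtectors -and $l.Trim()) {
            # Indented lines under "Key Protectors:" list one protector each.
            $current.Protectors += $l.Trim()
        }
    }
    $volumes
}

function Test-BitLockerPinPolicy {
    param([Parameter(Mandatory = $true)] $Volume)
    $problems = @()
    if ($Volume.Conversion -ne 'Fully Encrypted') { $problems += "conversion status is '$($Volume.Conversion)'" }
    if ($Volume.Protection -ne 'Protection On')   { $problems += "protection status is '$($Volume.Protection)'" }
    if (-not ($Volume.Protectors -match 'PIN'))   { $problems += 'no PIN-based key protector' }
    $problems
}

# Constructed sample report; replace with: $report = manage-bde -status
$report = @'
Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [OSDisk]
[OS Volume]

    Size:                 232.59 GB
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM And PIN
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 100.00 GB
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Key Protectors:       None Found
'@ -split "`r?`n"

foreach ($v in (ConvertFrom-ManageBdeStatus -Line $report)) {
    $problems = @(Test-BitLockerPinPolicy -Volume $v)
    if ($problems.Count) { '{0} FAIL: {1}' -f $v.Volume, ($problems -join '; ') }
    else                 { '{0} OK' -f $v.Volume }
}
```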
Windows 7 Administration Training
Configuring File and Folder Access
What We Covered
Changing file and folder permissions
Understanding NTFS permissions
Assigning NTFS permissions
Understanding effective permissions
Permissions impact: Copying and moving files
Encrypting files and folders using EFS
BitLocker To Go
Full disk encryption using BitLocker
Windows 7 Administration TrainingInstructor: Scott Lowe
Shared Access to Resources
Windows 7 Administration Training
Shared Access to Resources
In This Lesson:
Resource sharing overview
Basic vs. advanced sharing
Understanding Share vs. NTFS permissions
Offline folder caching
Sharing printers and managing print queues
Windows 7 libraries
Configuring HomeGroup
Windows 7 Administration Training
Shared Access to Resources
• Information Technology advancements have created a collaboration revolution on which Globomantics wants to capitalize
• Collaboration is enabled through resource sharing
• Files, folders and printing devices are commonly shared at Globomantics, but not all users need to access all shared resources
• At especially small branch offices, Globomantics will use a Windows 7 desktop in a pseudo-server capacity
• Business need
–Shared resources reduce overall costs since users don’t need their own dedicated devices, such as printers
Scenario
Windows 7 Administration Training
Shared Access to Resources
• The Network and Sharing Center holds the basic keys to the resource sharing kingdom
• Resource sharing settings are configured on a per-network profile basis
–Network discovery
– File and printer sharing
–Public folder sharing
–Media streaming
– File sharing connections
–Password protected sharing
–HomeGroup connections
Resource Sharing Overview
Windows 7 Administration Training
Shared Access to Resources
• Basic sharing
–Rights available
• Owner
– Assigned to the user account that set up the share
• Read
– Allows the specified user or group to read files from the shared location
• Read/Write
– Allows the specified user to read files, modify existing files and create new ones
Basic vs. Advanced Sharing
Windows 7 Administration Training
Shared Access to Resources
• Advanced sharing
–Rights available
• Full Control
– Assigned to the user account that set up the share
– Allows a user to change the resource share permissions
• Read
– Allows the specified user or group to read files from the shared location
• Change
– Allows the specified user to read files, modify existing files and create new ones
Basic vs. Advanced Sharing
Windows 7 Administration Training
Shared Access to Resources
• Share permissions
–Applied only when a resource is accessed over the network
– If resource is accessed from the local console, only NTFS permissions are enforced
• NTFS permissions
–Applied regardless of access location – local or remote
–NTFS permissions are discussed in the Configuring File and Folder Access lesson
• When combined, the most restrictive set of permissions applies
Understanding Share vs. NTFS Permissions
Windows 7 Administration Training
Shared Access to Resources
• Offline folder caching is discussed fully in the Managing Mobility Options lesson
• During the sharing process, decide how/if you want users to be able to cache offline files to their local computers
–Only the files and programs that users specify are available offline
–No files or programs from the shared folder are available offline
–All files and programs that users open from the shared folder are automatically available offline
Offline Folder Caching
Windows 7 Administration Training
Shared Access to Resources
• A Utica, NY-based Windows 7 desktop will be a pseudo-server with a couple of shares initially enabled
–Marketing (GUI method)
• Offline files should be disabled
• The Marketing group will have Change rights
• No more than five people at any one time
–Sales (command line method)
• Enable offline files for both documents and programs
• The Sales group will have Change rights
• Accounting will have Read rights
• net share Sales=c:\Sales /grant:globomantics\SALES,CHANGE /grant:globomantics\ACCTNG,READ /cache:programs
Sharing Folders
Windows 7 Administration Training
Shared Access to Resources
• By sharing a printer, multiple users can share these relatively expensive resources and save Globomantics a lot of money
• Printing permissions
• Allows users to manage their own documents sent to the printer
–Manage this printer
• Users can manage the printer itself, including pausing and restarting printing, changing printer permissions and sharing the printer
–Manage documents
• Users in this group can manage the print jobs for any users that have sent documents to the shared print queue
Sharing Printers and Managing Print Queues
Windows 7 Administration Training
Shared Access to Resources
• The Utica, NY-based Globomantics office has an HP LaserJet 4250 printer connected directly to a Windows 7 machine
–Share this printer with the Sales, Marketing and Accounting domain groups
–The user named Fred should have both Manage this printer and Manage documents rights
Sharing Printers and Managing Print Queues
Windows 7 Administration Training
Shared Access to Resources
• Windows 7 includes virtual folders known as libraries
• Libraries are collections of folders from various sources
–The local machine
–Network servers
–HomeGroup machines
• Default libraries
–Documents
–Music
–Pictures
–Videos
Windows 7 Libraries
Windows 7 Administration Training
Shared Access to Resources
• Adding new folders to existing libraries
–The existing libraries can be extended to include new folder sources
–The Utica sales manager wants the contents of the newly created Sales shared folder to appear in his Documents library
• It is his machine that is acting as the pseudo-server at Utica
• Creating a new library
–The Utica sales manager has decided that he wants to create a dedicated Sales library that includes everything sales related
Windows 7 Libraries
Windows 7 Administration Training
Shared Access to Resources
• HomeGroup is a new feature in Windows 7 intended to facilitate resource sharing in small home networks
• Resources shared with HomeGroup machines can be provided with some security
• The first Windows 7 machine on the Home network is asked to create a HomeGroup
–Work and domain computers can join a HomeGroup, but cannot create one
• Subsequent machines are asked if they’d like to join the existing HomeGroup
• Although Globomantics will not use the HomeGroup feature, the help desk has received some calls from users seeking advice regarding this feature
Configuring HomeGroup
Windows 7 Administration Training
Shared Access to Resources
What We Covered
Resource sharing overview
Basic vs. advanced sharing
Understanding Share vs. NTFS permissions
Offline folder caching
Sharing printers and managing print queues
Windows 7 libraries
Configuring HomeGroup
Windows 7 Administration TrainingInstructor: Scott Lowe
Using DirectAccess and VPN Connections
Windows 7 Administration Training
Using DirectAccess and VPN Connections
In This Lesson:
DirectAccess features
DirectAccess server requirements
Configuring DirectAccess – client side
Understanding DirectAccess connection types
DirectAccess client requirements
Enabling VPN-based remote access
VPN authentication mechanisms
Password-based authentication mechanisms
Windows 7 VPN connections
Windows 7 Administration Training
Using DirectAccess and VPN Connections
• Globomantics is a company on the move!
• With an ever-growing force of sales people making the rounds visiting potential customers, those mobile professionals need to maintain a constant link with the mother ship in order to keep the wheels of business turning and to make sure that they always have the most current information about clients in order to maximize their efforts
• Windows 7’s DirectAccess and VPN capabilities are a perfect fit
• Business need
–Mobility has become a very high priority to keep mobile professionals in touch as if they were in the office
–Enabling this mobility in a way that doesn’t leave the organization at risk for exploit is key
Scenario
Windows 7 Administration Training
Using DirectAccess and VPN Connections
• DirectAccess is a new Windows Server 2008 R2 and Windows 7 feature that enables VPN-like connectivity but without the need to establish a traditional VPN connection
– Fully bidirectional – corporate servers can see clients
–Can be integrated with Network Access Protection to improve security
–Requires no user intervention; connects even before the user logs on to the machine
– Fully transparent to the end user as the connection process is automatic
–Connected as soon as the computer is able to use the network connection
–Allows the remote machine to continue to receive Group Policies and software updates
DirectAccess Features
Windows 7 Administration Training
Using DirectAccess and VPN Connections
• DirectAccess requires significant server-side configuration in order to operate (beyond the scope of this course)
–Domain-joined Windows Server 2008 R2 server
–At least two network adapters
• The “public” network adapter must have two consecutive public IP addresses
• Other adapter must be connected to internal network
–A public key infrastructure (PKI) must be in place
–An Active Directory security group that contains accounts for the computers that will connect via DirectAccess
–Domain must have a Windows Server 2008 R2 domain controller and DNS server
– Internally accessed resources must be IPv6 capable
DirectAccess Server Requirements
Windows 7 Administration Training
Using DirectAccess and VPN Connections
• Public IPv6
–The eventual goal; the client is using a public IPv6 address and connects to Globomantics’ network via IPv6
• 6to4
– For clients that use a public IPv4 address, a 6to4 tunnel can be established
• Teredo
– For clients that sit behind a Network Address Translation (NAT) device and use a private IP address, DirectAccess uses a Teredo connection method
• IP-HTTPS
–When all else fails, this is the fallback connection type
–Does not perform as well as other methods
Understanding DirectAccess Connection Types
Windows 7 Administration Training
Using DirectAccess and VPN Connections
• Only the Enterprise and Ultimate editions of Windows 7 support DirectAccess
• Only domain-joined computers that belong to a DirectAccess security group can connect to DirectAccess servers
• DirectAccess configuration is distributed to clients via Group Policy with little manual configuration necessary
– It is possible to configure individual clients with the netsh command
DirectAccess Client Requirements
Windows 7 Administration Training
Using DirectAccess and VPN Connections
• Group Policy Objects
–Computer Configuration > Administrative Templates > Network > TCPIP Settings > IPv6 Transition Technologies
• 6to4 Relay Name
• IP-HTTPS State
• Teredo Default Qualified
• Teredo Server Name
• Computer Configuration > Windows Settings > Name Resolution Policy
– Generally configured during the server-side setup
Configuring DirectAccess – Client Side
Windows 7 Administration Training
Using DirectAccess and VPN Connections
• Netsh commands (overridden by Group Policies)
–netsh interface ipv6 set teredo enterpriseclient <serverIPv4address>
–netsh interface 6to4 set relay <serverIPv4address>
–netsh interface httpstunnel add interface client https://externalIPv4name/IPHTTPS
–netsh interface
• ipv6 show teredo
• 6to4 show relay
• httpstunnel show interfaces
Configuring DirectAccess – Client Side
Windows 7 Administration Training
Using DirectAccess and VPN Connections
Enabling VPN-Based Remote Access
• VPNs are traditional, broadly supported remote access and point-to-point connection mechanisms
• For the purposes of this lesson, we’re focused on the remote access side of the VPN house
• Windows 7 supports four different VPN connection methods
– IKEv2/VPN Reconnect (Internet Key Exchange)
–SSTP (Secure Socket Tunneling Protocol)
– L2TP/IPSec (Layer 2 Tunneling Protocol)
–PPTP (Point-to-point Tunneling Protocol)
Windows 7 Administration Training
Using DirectAccess and VPN Connections
• IKEv2/VPN Reconnect
–Brand new in Windows 7
• Works only in Windows 7 & Windows Server 2008 R2
–Supports IPv6
–Also supports VPN Reconnect
–NAT-friendly
• SSTP
–Tunnels traffic over port 443, making it firewall-friendly
–Cannot be used in a web proxy environment that requires user authentication
–Works in Windows Vista SP1 and Windows Server 2008
Enabling VPN-Based Remote Access
• L2TP/IPSec
–More secure than PPTP
–NAT-friendly (supports NAT-T when clients do)
–Supports either preshared key or certificate-based authentication
–Very commonly deployed VPN type
–Works in Windows 2000 and later
• PPTP
– Least secure VPN type
–Does not support the use of certificate-based authentication
–Arguably the most deployed VPN type
• Works in Windows 2000 and later
Enabling VPN-Based Remote Access
• Password-based options
–EAP/PEAP-MS-CHAPv2 (Protected/Extensible Authentication Protocol)
–PEAP/PEAP-TLS (Protected Extensible Authentication Protocol-Transport Layer Security)
–MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol)
–CHAP (Challenge Authentication Protocol)
–PAP (Password Authentication Protocol)
• VPN connections can also be authenticated using smart cards or pre-installed certificates
VPN Authentication Mechanisms
• EAP/PEAP-MS-CHAPv2
–Most secure of the password-based options
–Requires a computer certificate on the VPN server
–No client certificate is necessary
• PEAP/PEAP-TLS
–Requires a computer certificate on the VPN server
–Clients authenticate using certificates
• MS-CHAPv2
–A simple password-based authentication protocol
Password-Based Authentication Mechanisms
• CHAP
–Not supported under Windows Server 2008's remote access services, but is enabled in Windows 7 clients
–Used as a fallback when more secure options are not available
• PAP
– Least secure
–Not supported under Windows Server 2008's remote access services
–Not enabled in Windows 7 clients
• Can be enabled if necessary
Password-Based Authentication Mechanisms
• VPN Reconnect
–VPN Reconnect is a brand new feature in Windows 7 intended to allow for a more stable remote experience
–As users lose network connections or move to other connections (i.e. between Wi-Fi hotspots), VPN Reconnect automatically reconnects the user to the VPN connection
–Network connectivity can be lost for as long as 8 hours
• Globomantics has established a Windows Server 2008 R2-based remote access server
–Your job is to create a VPN connection from a client and explore the possible options
Windows 7 VPN Connections
What We Covered
DirectAccess features
DirectAccess server requirements
Configuring DirectAccess – client side
Understanding DirectAccess connection types
DirectAccess client requirements
Enabling VPN-based remote access
VPN authentication mechanisms
Password-based authentication mechanisms
Windows 7 VPN connections
My Favorite Supporting Resources
1. Teredo tunneling
• http://en.wikipedia.org/wiki/Teredo_tunneling
2. DirectAccess Technical Overview for Windows 7 and Windows Server 2008 R2
• http://technet.microsoft.com/en-us/library/dd637827(WS.10).aspx
3. 10 things you should know about DirectAccess
• http://blogs.techrepublic.com.com/10things/?p=1371
4. Group Policy Management Console and Editor (DirectAccess)
• http://technet.microsoft.com/en-us/library/ee624060(WS.10).aspx
Windows 7 Administration Training
Instructor: Scott Lowe
Managing BranchCache
In This Lesson:
Understanding BranchCache
Requirements
BranchCache operating modes
About local cache mode
BranchCache operational diagram
Managing BranchCache with Group Policy
Managing BranchCache with Netsh
Monitoring BranchCache
• Globomantics has a number of small regional offices with relatively slow connections to the Internet
• Corporate IT has become concerned with ever-increasing bandwidth costs related to constant communication with headquarters
• The Globomantics CIO has decided that all smaller regional sites will use Distributed Mode BranchCache (the mode covered in this lesson)
• Larger regional offices will eventually use Hosted Mode
• Business need
– Increase employee productivity by reducing the time it takes to download items
–Reduce bandwidth costs by caching content locally
Scenario
• BranchCache is new to Windows 7 and Windows Server 2008 R2
–Does not work at all on older versions of Windows
• The feature caches remote content on local computers and
–Speeds up access to information
–Reduces bandwidth costs
• Lowers TCO
• Increases efficiency
• Transparent to the end user
–Automatically activates when the latency to a file hosting server exceeds 80 ms (definable via Group Policy)
–Has been described as a "black box"
Understanding BranchCache
• A working, configured BranchCache server
–Windows Server 2008 R2 Enterprise or Datacenter
–Beyond the scope of this course to cover server side deployment
–See My Favorite Supporting Resources slide for more information
• Client
–Windows 7 Enterprise or Ultimate
Requirements
• Hosted Cache mode
–Uses a BranchCache-enabled server at a remote location to cache content from a central site
–Clients at the remote site obtain their content from this caching server
• Only if that server has the content
• Otherwise, content is acquired from the original server
• Distributed Cache mode
– Ideal for small offices – General Microsoft guidance indicates this as a site with fewer than 50 people
–Negates the need for a dedicated branch server
–Each Windows 7 client maintains its own cache and other clients request the data via network broadcasts
BranchCache Operating Modes
• There is a third BranchCache operating mode
• Local cache mode
–When enabled, the local client caches the files
–These files are used only by the local client
–None of the cached information is shared with other systems
About Local Cache Mode
• Computer Configuration > Administrative Templates > Network > BranchCache
• Required firewall changes
– Inbound & outbound TCP port 80
–Distributed mode: Inbound & outbound UDP port 3702
–Hosted mode: Outbound TCP port 443
–We cover firewall rules creation in the lesson entitled Protecting Windows 7
Managing BranchCache with Group Policy
• Disk space
–Default: BranchCache uses up to 5% of available disk space
–Policy name: Set Percentage of Disk Space Used For Client Computer Cache
• Latency
–Default: 80 milliseconds
–Policy name: Configure BranchCache for Network Files
• Group Policy configured items trump netsh configured items
Managing BranchCache with Group Policy
• Netsh branchcache set service mode=distributed
–Enables BranchCache in distributed mode
– Firewall rules are automatically created
–Other mode options
• Local (Netsh branchcache set service mode=local)
• Hosted client (Netsh branchcache set service mode=hostedclient location=gm-file.globomantics.com)
• Hosted server (Netsh branchcache set service mode=hostedserver clientauthentication=domain)
• Netsh branchcache show status
–Shows the current status of the BranchCache service
Managing BranchCache with Netsh
• Netsh branchcache set cachesize size=30 percent=true
–Allows BranchCache to use up to 30% of total disk space for caching
• Netsh branchcache show localcache
–Show the contents of the local BranchCache cache
• Netsh branchcache smb set latency 1000
–Set the latency value at 1000 milliseconds
Managing BranchCache with Netsh
• Netsh branchcache show status all
• Performance monitor counters
–Windows 7 includes more than twenty BranchCache related counters
–Performance Monitor is covered in the lesson entitled Monitoring and maintaining Windows 7
Monitoring BranchCache
What We Covered
Understanding BranchCache
Client side requirements
BranchCache operating modes
About local cache mode
BranchCache operational diagram
Managing BranchCache with Group Policy
Managing BranchCache with Netsh
Monitoring BranchCache
My Favorite Supporting Resources
1. BranchCache Deployment Guide for Windows Server 2008 R2 and Windows 7
• http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=4b14f942-b488-4f51-99e1-c4c8834b750e
2. BranchCache: Helping You Save on WAN Bandwidth Consumption at Branch Offices
• http://technet.microsoft.com/en-us/ff607489.aspx
Windows 7 Administration Training
Instructor: Scott Lowe
Monitoring and Maintaining Windows 7
In This Lesson:
Performance Information and Tools utility
Event logging
Centralizing event logs
Using Performance Monitor
Data Collector Sets
Creating a new Data Collector Set
Task Manager
Resource Monitor
Reliability Monitor
A sample WMI script
• Monitoring the infrastructure for problems is a major component of a technology architecture
• You've been asked to understand desktop performance monitoring to keep users operating at peak productivity and keep potential minor security events from becoming big ones
• Business need
–Event monitoring provides early identification for what could become larger security or performance problems
–Performance monitoring helps identify what steps need to be taken to keep Globomantics operating at a high level
Scenario
• Windows Experience Index
–Creates a metric based on the hardware and software capabilities for each listed component
–The system base score is determined by the lowest subscore
–More detailed information can be gathered
Performance Information and Tools
• Commonly used to gain in-depth knowledge about what is creating a system problem
• Most Windows programs are designed to write detailed information into the Windows event logs
• Windows logs
–Application
–Security
–Setup
–System
– Forwarded events
–Other application and service logs
Event Logging
• Filtering logs and creating views
–View only Critical event types
–Create a view that logs only Critical events
• Globomantics will create this log view on every desktop PC to aid in future troubleshooting efforts
• Saving/exporting log files
–A user is experiencing an intermittent hardware problem
• You will export the contents of the user's event logs to a file so that you can examine them on your own machine while the user continues working
Event Logging
• Not all problems are limited to a single computer
• Aggregating log files may help to identify broader issues, such as network, DHCP or DNS issues, among other items
• Globomantics will aggregate critical desktop log events on the server named GM-DC
–Enable WinRM on all systems (winrm quickconfig)
–On GM-DC (collector), execute the command wecutil qc
• WECutil = Windows Event Collector tool
– Enable the ForwardedEvents channel
– Start the Windows Event Collector service
–Add the computer account for GM-DC to the local Administrators group on each desktop
Centralizing Event Logs
• On the Collector machine (GM-DC)
–Create a subscription
• Choose subscription parameters, including
– Computers from which events should be pulled
– Event/source types to forward
– Severity types to forward
– Date/time range
– Log to which events should be written
• Note: Events are copied to the collector machine; they also remain local
• View event collection status to verify operation
Centralizing Event Logs
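The collector-side steps above can also be scripted. This is an added example, not part of the course material: it runs on GM-DC, builds a collector-initiated subscription for Critical events and registers it with wecutil. The subscription name, the desktop host names and the temporary file path are assumptions.

```powershell
# Added example (not from the course). Run in an elevated prompt on the collector, GM-DC.
# Assumed values: subscription name, source desktops, temp file path.
$subscriptionId = 'GM-Desktop-Critical'
$sources = @('GM-PC01.globomantics.com', 'GM-PC02.globomantics.com')   # hypothetical desktops

# Collector prerequisites from the slide: ForwardedEvents channel and Windows Event Collector service.
wecutil qc /q:true

# Level=1 is Critical. Pull it from the System and Application logs of each source
# and write the copies to the collector's ForwardedEvents log.
$template = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>__ID__</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Critical events from Globomantics desktops</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[<QueryList>
      <Query Id="0">
        <Select Path="System">*[System[(Level=1)]]</Select>
        <Select Path="Application">*[System[(Level=1)]]</Select>
      </Query>
    </QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <EventSources>
__SOURCES__
  </EventSources>
</Subscription>
'@

# One <EventSource> element per desktop the collector should pull from.
$sourceXml = ($sources | ForEach-Object {
    "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>"
}) -join "`r`n"
$text = $template.Replace('__ID__', $subscriptionId).Replace('__SOURCES__', $sourceXml)

# The [xml] cast fails early if the document is malformed.
$path = Join-Path $env:TEMP "$subscriptionId.xml"
([xml]$text).Save($path)

wecutil cs $path
if ($LASTEXITCODE -ne 0) { throw "wecutil cs failed with exit code $LASTEXITCODE" }

# Verify operation: runtime status of the subscription and of each source.
wecutil gr $subscriptionId
```

The built-in Event Log Readers group on each desktop is a narrower alternative to local Administrators for the collector's computer account when only log read access is needed.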
• Used to visually monitor any variety of Windows performance counters, event trace data and configuration information
–Performance counters measure system state and activity
–Event trace data is collected from trace providers
• Operating system or application components that report actions or events
–Configuration information is collected from values stored in the registry
• Can be used to view data in real time or save information to a log file for future viewing
• Useful for tracking down errant software
Using Performance Monitor
• Performance counter permissions
–Regular users
• Can view only historical information
• Cannot manipulate Data Collector Sets
• Cannot view real-time information
–Members of the Performance Monitor Users group
• Can view both historical and real-time information
• Cannot manipulate Data Collector Sets
–Members of the Performance Log Users group
– Can view both historical and real-time performance information
– Can manipulate Data Collector Sets
Using Performance Monitor
• Globomantics needs to track down software or software combinations that might be creating adverse disk performance
–Create a performance view that includes the following counters to see how disks are performing
• PhysicalDisk: Disk Read Bytes/sec
• PhysicalDisk: Disk Reads/sec
• PhysicalDisk: Disk Write Bytes/sec
• PhysicalDisk: Disk Writes/sec
• PhysicalDisk: Disk Queue Length
Using Performance Monitor
• Performance Monitor views that have been exported
–Brings together multiple data collection items into single reports that can be used to review system performance
–Collector types
• Performance Counter Data Collector
– Collect historical performance counter-related system statistics
• Event Trace Data Collector
– Collect event-related information
• Configuration Data Collector
– Information from the system registry
• Performance Counter Alert
– A specific performance counter condition is met
Data Collector Sets
• Data sets included in Windows 7
–System Performance
• Use to troubleshoot a system that is not performing well
– Disk
– Network
– RAM
– Processor
–System Diagnostics
• Use to troubleshoot an unreliable system
– All of the stats gathered by the System Performance data collector set
– Additional system information related to reliability
Data Collector Sets
• Use a built-in Data Collector Set to determine which files are having the most impact on disk performance and correlate these files with a running process
• Modify the System Performance Data Collector Set to run for five minutes and to run daily at 3:00 PM
Data Collector Sets
• Simply watching disk performance in real time could be a laborious task and the intermittent issue may not surface
• Globomantics will create a new Data Collector Set that watches and logs the same disk counters we looked at previously
–PhysicalDisk: Disk Read Bytes/sec
–PhysicalDisk: Disk Reads/sec
–PhysicalDisk: Disk Write Bytes/sec
–PhysicalDisk: Disk Writes/sec
–PhysicalDisk: Disk Queue Length
–Base the Data Collector Set on an existing Performance Monitor set
Creating a New Data Collector Set
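The same Data Collector Set can be created from the command line with logman, which makes it repeatable across desktops. This is an added example, not part of the course material; the set name, sample interval, run duration and output path are assumptions, and the slide's "Disk Queue Length" is taken here to mean the PhysicalDisk counter "Current Disk Queue Length".

```powershell
# Added example (not from the course). Run elevated, or as a member of
# Performance Log Users, the group the lesson says may manipulate Data Collector Sets.
$name = 'GM-DiskActivity'                                  # hypothetical set name
$output = "$env:SystemDrive\PerfLogs\Admin\$name"          # assumed log location

# The five disk counters from the slide, for every physical disk instance.
# Counter names are the English ones; localized systems use translated names.
$counters = @(
    '\PhysicalDisk(*)\Disk Read Bytes/sec',
    '\PhysicalDisk(*)\Disk Reads/sec',
    '\PhysicalDisk(*)\Disk Write Bytes/sec',
    '\PhysicalDisk(*)\Disk Writes/sec',
    '\PhysicalDisk(*)\Current Disk Queue Length'           # assumed match for "Disk Queue Length"
)

# -si = sample interval, -rf = run for this long and then stop, -f bin = binary .blg log.
logman create counter $name -c $counters -si 00:00:15 -rf 00:05:00 -f bin -o $output
if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }

# Start collecting now; the set stops on its own after the -rf duration.
logman start $name
if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }

# Show the set's status, counters and output file so the result can be checked.
logman query $name
```

The resulting .blg file opens in Performance Monitor for review after the intermittent problem has occurred.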
• Provides information about
–Running applications, processes and services
• Can kill running applications and misbehaving processes as well as start and stop services
–CPU usage – overall and by core
–RAM usage
–Network utilization
–Currently logged in users
• Arguably the most used monitoring tool in Windows
Task Manager
• Resource Monitor is relatively new to Windows, but adds a huge punch to the monitoring arsenal
• Quickly access at-a-glance system statistics and associate processes with specific system characteristics
–Ascertain which processes are actively using the disk or network
• What exact iexplore.exe process is using major bandwidth?
• Globomantics will use the Resource Monitor to determine file and process associations
Resource Monitor
• A new tool in Windows 7 available via the Control Panel's Action Center
• Divines a "stability index" as a value from 1 to 10 that describes system performance as a function of reliability
• Provides administrators with at-a-glance information that can help to correlate system stability issues with new updates, software installations and other system events
• Use Reliability Monitor to attempt to find a root cause for ongoing stability issues reported by a Globomantics user
Reliability Monitor
• GUIs are good for gathering information from a single system
• If you want to gather information from other systems, consider writing a script to gather information using Windows Management Instrumentation
• Globomantics will write a script that help desk technicians can use to gather basic system information, including
–System name
–Total virtual memory
–Available memory
–Operating system version and service pack level
A Sample WMI Script
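A script of the kind described on this slide, written as an added example; it is not the course's own script. It uses the Win32_OperatingSystem WMI class through PowerShell 2.0, which ships with Windows 7, and the function name and any host names are assumptions.

```powershell
# Added example (not the course's script). Works with the PowerShell 2.0 in Windows 7.
function Get-BasicSystemInfo {
    param(
        # Computers to query; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($computer in $ComputerName) {
        try {
            # -ErrorAction Stop turns "RPC server unavailable" and similar into catchable errors.
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop

            # Win32_OperatingSystem reports memory in kilobytes; dividing by 1KB (1024) gives MB.
            $info = New-Object PSObject -Property @{
                SystemName           = $os.CSName
                OSName               = $os.Caption
                OSVersion            = $os.Version
                ServicePack          = '{0}.{1}' -f $os.ServicePackMajorVersion, $os.ServicePackMinorVersion
                TotalVirtualMemoryMB = [math]::Round($os.TotalVirtualMemorySize / 1KB)
                FreeVirtualMemoryMB  = [math]::Round($os.FreeVirtualMemory / 1KB)
                FreePhysicalMemoryMB = [math]::Round($os.FreePhysicalMemory / 1KB)
                Status               = 'OK'
            }
        }
        catch {
            # Unreachable host, blocked WMI/DCOM or access denied: record it and keep going.
            $info = New-Object PSObject -Property @{
                SystemName = $computer
                Status     = $_.Exception.Message
            }
        }

        # Select-Object fixes the column order; properties missing on failure come back empty.
        $info | Select-Object SystemName, OSName, OSVersion, ServicePack,
                              TotalVirtualMemoryMB, FreeVirtualMemoryMB,
                              FreePhysicalMemoryMB, Status
    }
}

# Local machine:
Get-BasicSystemInfo | Format-List

# Several machines at once, saved for the ticket (host names are hypothetical):
# Get-BasicSystemInfo -ComputerName GM-PC01, GM-PC02 |
#     Export-Csv .\sysinfo.csv -NoTypeInformation
```

Remote queries need WMI allowed through the target's firewall and an account with administrative rights on the target.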
What We Covered
Event logging
Centralizing event logs
Using Performance Monitor
Data Collector Sets
Creating a new Data Collector Set
Task Manager
Resource Monitor
Reliability Monitor
A sample WMI script
My Favorite Supporting Resources
1. Windows Performance Analysis Developer Center
• http://msdn.microsoft.com/en-us/performance/default.aspx
2. Windows Management Instrumentation (WMI) scripting guide
• http://msdn.microsoft.com/en-us/library/Aa286547
Windows 7 Administration Training
Instructor: Scott Lowe
Configuring Performance Settings
In This Lesson:
Changing graphics settings
Configuring virtual memory
Understanding write caching
Optimizing processes with Task Manager
Managing processor scheduling settings
Optimizing services
Using msconfig to boost performance
• A high performance organization, Globomantics demands top performing computing hardware
• Just as not maximizing a sale is "leaving money on the table," not optimizing hardware has a similar result: lost money due to inefficiency
• Business need
–Maximize computing resources to maximize ROI on the computing investment
Scenario
• Windows Aero is visually stunning, but can require significant system resources, particularly for lower-end or borderline systems
• Selectively disable Aero features – or disable Aero altogether –to improve overall system performance
• Globomantics has a two-year-old system that they'd like to keep in production, but the system is having trouble keeping up with the user's demand
–By disabling Aero, you may be able to extend the life of that PC investment and save the company money
Changing Graphics Settings
• Systems have only so much RAM
• As programs and services begin to consume all available memory, Windows uses temporary storage called a paging file
• A paging file consists of a file on each hard disk
• Information is automatically moved between RAM and the paging file as necessary, freeing up RAM for system needs
–RAM = extremely fast data access and retrieval
–Paging file = Relatively very slow access and retrieval
Configuring Virtual Memory
• Running low on memory has a major impact on system performance as the system begins "paging"
• As users begin to receive virtual memory-related error messages, this is an indication that the system needs more RAM or you need to increase the size of the paging file
–More RAM is always the preferred option
–Windows generally does a very good job managing the size of the paging file
• The users in the Globomantics Marketing department have been complaining about virtual memory errors for particularly large projects
–New computers are on order for this department
– For now, simply increase the size of the paging file
Configuring Virtual Memory
• When a system's hard drive is busy, information intended to be written can be saved in a high-speed cache
–Once the hard drive is available, cached information is written to the disk
–Keeps the user working while the system handles the technicalities
–Can result in data loss if system power is interrupted or if the storage device is removed before the cache is cleared
• Device properties page for the system hard drive
–Enable write caching on the device
–Turn off Windows write-cache buffer flushing on the device
• Globomantics uses USB-connected batteries on all desktops so make sure that write caching is enabled
Understanding Write Caching
• Removable devices – i.e. flash drives – have similar options available on the drive's Device Manager page
–Removal Policy
• Quick removal (default)
– Device uses write-through caching
– The device can be simply removed
• Better performance
– Write caching and buffering are enabled
– Need to use Safely Remove Hardware to remove device
• A user accidentally configured a USB device for 'Better performance' and has been losing information
Understanding Write Caching
• Understanding process affinity
–Choose the processor/core on which to run a particular process
• Globomantics will run DVD burning software – a sometimes CPU intensive task – on a specific core
• Understanding process priority
–Provide a process with a modified priority level
• Marketing wants to make sure that their hefty PowerPoint presentations don't have major contention with other system resources
• You will set the PowerPoint priority level to AboveNormal
• Don't set too many processes to High or Realtime
Optimizing Processes with Task Manager
• By default, Windows 7 is configured to favor programs over background services when it comes to scheduling processor time
• You can change this setting if you have a desktop machine that handles more background services than programs
• Globomantics has a desktop PC that will be used for backup purposes
–Set this PC's processor scheduling to favor background services
Managing Processor Scheduling Settings
• Windows 7 ships with a core set of enabled and running services
• Every service
–Uses system resources such as RAM and processor
–Opens an additional system attack vector
• Not all services are necessary in order for users to do their jobs
• Disable or set to Manual services not needed by users
– In general, Manual is a safe choice
• The Windows Media Player Network Sharing Service should never be used by Globomantics employees and will be disabled
Optimizing Services
• Although it's better to uninstall software you don't want, you can disable software that starts up with the system using the msconfig tool
• Msconfig is also a great troubleshooting tool
• Globomantics will use Msconfig to verify that only absolutely necessary startup items load at boot time
Using Msconfig to Boost Performance
What We Covered
Changing graphics settings
Configuring virtual memory
Understanding write caching
Optimizing processes with Task Manager
Managing processor scheduling settings
Optimizing services
Using msconfig to boost performance
Windows 7 Administration Training
Instructor: Scott Lowe
Configuring Backup and Recovery
In This Lesson:
Windows 7's backup and restore utility
Configuring Windows Backup
Restoring files from a backup
Creating and restoring system images
Creating a system repair disk
Creating and using system restore points
Previous versions
Understanding advanced boot options
Understanding Last Known Good Configuration
• Globomantics' regional offices sit in areas prone to earthquakes, tornados, and hurricanes
• You need to make sure that the company is ready to quickly recover should the unthinkable happen
• Some business desktops hold critical company information and are key to business processes
• Business need
–Backups remain a key component of a recovery plan
–Automating this process keeps costs at a reasonable level
–Testing backups by recovering data is a good best practice
Scenario
• Windows 7 includes a utility capable of backing up and restoring files, folders and even a full image of the computer
• You can back up to a number of destinations, including
– Internal hard drives
–External hard drives
–Network locations
–USB flash drives
–Writeable CDs and DVDs
• There are significant pros and cons to all of the options
Windows 7's Backup and Restore Utility
• Internal hard drives
–Pros
• Cheap storage with lots of space
• Secure since they're in the chassis
• Very fast
–Cons
• Not separate from the computer itself
• Installation requires some technical knowledge
Windows 7's Backup and Restore Utility
• External hard drives
–Pros
• Also very cheap with a lot of space
• Easy to connect
• Easy to keep separate from the computer
–Cons
• "Out of sight, out of mind"
Windows 7's Backup and Restore Utility
• Network locations
–Pros
• Extremely convenient
• Easy to add additional server storage space
–Cons
• Can be slow if the network isn't up to snuff
• Can only save to Windows 7 Professional, Enterprise and Ultimate
• User rights to storage location must be Full Control for both the share and for NTFS
Windows 7's Backup and Restore Utility
• USB flash drives
–Pros
• Easy to install
• Ubiquitous; it's easy to find flash drives
• You can store the backups separately from the computer
–Cons
• USB flash drives don't support all backup use cases, such as system image backups
• USB flash drives don't scale well; eventually, your backup needs will outgrow available space
Windows 7's Backup and Restore Utility
• Writeable CDs and DVDs
–Pros
• CD/DVD burners are readily available in most new systems
• Media is very inexpensive
• You can store the backups separately from the computer
–Cons
• Not flexible; can't save system images to CD/DVD
• You may need several discs to perform a full backup
Windows 7's Backup and Restore Utility
• Cannot back up to
–Volumes not formatted as NTFS, FAT or UDF
–The drive being backed up
–The Windows volume
–A recovery partition
–A locked BitLocker partition
–Tape
Windows 7's Backup and Restore Utility
• Globomantics will schedule a file/folder backup (Let Windows choose) that runs on the default schedule
• Steps
–Choose a location to which to store backups
–Choose what to back up
• Let Windows choose
– Backs up files saved in libraries, stored on the desktop and in default Windows folders for all user accounts
– Only local files are included, even if remote files are included in a local library
– If there is space at the destination, Windows includes a system image
Configuring Windows Backup
• Let me choose
– You get to decide exactly what gets backed up
• Decide on a backup schedule
–Default is to run the backup every Sunday at 7PM
–Can be configured to run daily, weekly or monthly
–Can be configured to not recur; i.e. configure the backup job to run one time and back up the system
• Review settings
• Await backup completion
–Monitoring backup status
Configuring Windows Backup
• Individual files and folders can be restored from a backup
–You can restore objects to their original location; this will overwrite the current copy
–You can restore objects to a different location; this will preserve both copies of the object
• The POS system operator has indicated that she's lost an important spreadsheet and wants you to see if you can restore it from a system backup using the backup utility
• The other POS operator (Steve Smith) has been having strange problems that seem to be related to user profile corruption
–Restore Steve's user profile from backup
Restoring Files from a Backup
• A Windows 7 system image is basically a snapshot of one of the volumes in a system (allows a "bare metal restore")
– It includes everything needed for Windows to run
– Includes system settings, personal files and programs
–Can't be scheduled to run on a periodic basis with the GUI
–Stored as a VHD file (usable in Virtual PC)
–Does not allow restoration of individual files; it's all or nothing
• Globomantics will use this feature to back up and test restore a Windows 7-based point of sale system on a scheduled basis
–Use the wbadmin utility to schedule
–You will also use the bcdedit utility to convert the VHD system image file into a bootable device
Creating and Restoring System Images
• Sometimes, a system becomes completely unbootable
• A system repair disk can be used to boot a computer when this happens
• You can also use a system repair disk to restore a computer from a system image
• You will create a system repair disk for the Globomantics POS system
Creating a System Repair Disk
• System restore points contain critical system information, such as registry information
• Among other times, restore points are created
–When new software is installed
–When Windows Update installs new updates
–When new drivers are installed that are not digitally signed by Windows Hardware Quality Labs
–Upon request by the user
• Windows automatically deletes the oldest restore point in order to make room for the newest
Creating and Using System Restore Points
• This is not a full system restore
–Only system files and the registry are manipulated
–User files are not touched
• System Restore Point notes
–Restore points created from within Safe Mode cannot be undone
–NTFS required due to use of shadow copies (discussed later)
• Globomantics will create a system restore point on the aforementioned POS system right before a hardware upgrade
–You will explore the System Protection configuration tool
Creating and Using System Restore Points
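Creating the restore point before the POS hardware upgrade from the command line, as an added PowerShell example that is not part of the course material. It assumes C: is the system drive; the description text is made up for illustration.

```powershell
# Added example: elevated PowerShell on Windows 7 (PowerShell 2.0 cmdlets).
# Assumption: C: is the system drive.
$description = 'Before POS hardware upgrade'   # illustrative text

# Restore points depend on shadow copies, which require NTFS.
$vol = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'"
if ($vol.FileSystem -ne 'NTFS') {
    throw "C: is $($vol.FileSystem); System Restore requires NTFS."
}

# Turn on System Protection for the drive (the same setting as the GUI tool).
Enable-ComputerRestore -Drive 'C:\'

# Show the space reserved for shadow copies. When it fills up, Windows
# deletes the oldest restore point to make room for the newest.
vssadmin list shadowstorage

# Create the restore point, then verify that it was recorded.
Checkpoint-Computer -Description $description -RestorePointType DEVICE_DRIVER_INSTALL

$latest = Get-ComputerRestorePoint |
    Sort-Object SequenceNumber |
    Select-Object -Last 1
if ($latest.Description -ne $description) {
    throw 'The restore point was not created.'
}
$latest | Format-List SequenceNumber, Description, CreationTime

# To roll back after a failed upgrade (restarts the computer):
# Restore-Computer -RestorePoint $latest.SequenceNumber
```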
Configuring Backup and Recovery
• Windows 7 includes the ability to restore individual files and folders right from the Explorer interface
– Files included in both backups and restore points can often be rolled back to previous versions
• This Previous Versions capability uses Shadow Copies – shadow copies of files are automatically created by Windows
• These provide you with some powerful restore options
• If you're careful, you can even recover files that have been accidentally deleted
• Globomantics POS operator deleted a file and wants you to see if you can get it back using the Previous Versions feature
Previous Versions
Configuring Backup and Recovery
• Safe Mode
• Safe Mode with Networking
• Safe Mode with Command Prompt
• Enable Boot Logging
• Enable low-resolution video (640x480)
• Last Known Good Configuration (advanced)
• Directory Services Restore Mode
• Debugging Mode (discussed previously)
• Disable automatic restart on system failure
• Disable Driver Signature Enforcement
Understanding Advanced Boot Options
Configuring Backup and Recovery
• This is often considered a last ditch effort to get a system back to working order after a system failure
• This boot option uses a configuration set that Windows knows allowed the system to boot at some point in the past
• The registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet is used
–The key named ControlSet001 becomes CurrentControlSet after a successful boot
–Once this happens, you can't go back
• There's not a lot to do around this except to understand how it works, so let's take a look at the registry
Understanding Last Known Good Configuration
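A read-only look at the registry values behind Last Known Good Configuration, as an added PowerShell example that is not part of the course material. The HKLM\SYSTEM\Select key and its Current, Default, Failed and LastKnownGood values are standard Windows behaviour that the slide does not name.

```powershell
# Added example: read-only, makes no changes to the registry.
# HKLM\SYSTEM\Select records which numbered control set plays which role.
# CurrentControlSet itself is a link to the set named by the Current value.
$select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'

$report = foreach ($role in 'Current', 'Default', 'Failed', 'LastKnownGood') {
    $number = $select.$role
    if ($number -eq 0) {
        # Failed stays 0 until a Last Known Good boot has replaced a bad set.
        $setName = '(none)'
        $exists  = $false
    } else {
        $setName = 'ControlSet{0:D3}' -f $number
        $exists  = Test-Path "HKLM:\SYSTEM\$setName"
    }
    New-Object PSObject -Property @{
        Role       = $role
        ControlSet = $setName
        Present    = $exists
    }
}

$report | Format-Table Role, ControlSet, Present -AutoSize

# A non-zero Failed value means this machine has booted with Last Known Good
# at some point, which is worth following up on a POS system.
if ($select.Failed -ne 0) {
    Write-Warning ('Control set {0:D3} was marked as failed.' -f $select.Failed)
}
```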
Configuring Backup and Recovery
What We Covered
Windows 7's backup and restore utility
Configuring Windows Backup
Restoring files from a backup
Creating and restoring system images
Creating a system repair disk
Creating and using system restore points
Previous versions
Understanding advanced boot options
Understanding Last Known Good Configuration
Windows 7 Administration Training
Instructor: Scott Lowe
Preparing for TS: Windows 7, Configuring (70-680)
Preparing for TS: Windows 7, Configuring (70-680)
• Remember the exact steps taken to perform specific tasks
• Understand multiple ways for achieving the same goal
–GUI-based methods
–Command line-based methods
• Everything you learned in this course must combine with all of your own experience and exam preparation study if you want to pass
• Don't expect to watch the videos and then walk into the exam!
• Real-life – even lab-based – experience is essential for success
• Microsoft's exams are not easy
An Overview of Exam 70-680
Preparing for TS: Windows 7, Configuring (70-680)
• Candidates should be able to install, deploy, and upgrade to Windows 7, including ensuring hardware and software compatibility. Additionally, candidates should be able to configure pre-installation and post-installation system settings, Windows security features, network connectivity applications included with Windows 7, and mobile computing. Candidates should also be able to maintain systems, including monitoring for and resolving performance and reliability issues. Candidates should have a basic understanding of Windows PowerShell syntax.
The Candidate Profile
Preparing for TS: Windows 7, Configuring (70-680)
• Don't let the profile scare you
• You may not have all of the knowledge and working experience under your belt just yet
• Between this course, your personal prep work, lab practice and, hopefully, real-world experience you have with Windows 7, you can pass this exam
The Candidate Profile
Preparing for TS: Windows 7, Configuring (70-680)
• The exam measures your ability to accomplish the technical tasks below
– Installing, Upgrading, and Migrating to Windows 7 (14%)
–Deploying Windows 7 (13%)
–Configuring Hardware and Applications (14%)
–Configuring Network Connectivity (14%)
–Configuring Access to Resources (13%)
–Configuring Mobile Computing (10%)
–Monitoring and Maintaining Windows 7 Systems (11%)
–Configuring Backup and Recovery Options (11%)
• The percentages indicate the relative weight of each major topic area on the exam
Skills Being Measured
Objective/Lesson Mapping
Objective | Weight | Lessons
Installing, Upgrading, and Migrating to Windows 7 | 14% | An Introduction to Windows 7; Installing Windows 7
Deploying Windows 7 | 13% | Deploying Windows 7 Machines
Configuring Hardware and Applications | 14% | Configuring Hardware in Windows 7; Understanding Windows 7 Storage; Managing applications; Managing Internet Explorer
Configuring Network Connectivity | 14% | Configuring Networking in Windows 7; Protecting Windows 7
Configuring Access to Resources | 13% | Shared access to resources; Configure file and folder access; Protecting Windows 7; Managing BranchCache
Configuring Mobile Computing | 10% | Using DirectAccess and VPN connections; Configure file and folder access; Managing Mobility Options; Protecting Windows 7
Monitoring and Maintaining Windows 7 Systems | 11% | Monitoring and maintaining Windows; Configure performance settings; Protecting client computers with Windows updates; Understanding Windows 7 storage
Configuring Backup and Recovery Options | 11% | Configuring Backup and Recovery
Preparing for TS: Windows 7, Configuring (70-680)
• To prepare for this exam, I recommend the following
–Watch and study this course
–Use the Transcender test prep software included with this course
–Explore all topics in greater detail using Microsoft resources such as TechNet
– If possible, build a small home lab and get as much hands-on experience as possible
• What not to do
–Do not attempt to locate exam questions and answers online in the form of brain dumps
Personal Study Recommendations
Preparing for TS: Windows 7, Configuring (70-680)
• Schedule your exam
– It will motivate you to move ahead and study
• Practice, practice, practice
• Don't pull all-nighters when exam time rolls around
• Make sure you don't forget your ID on exam day
• Eat, sleep and don't rush
General Exam Prep Advice
Preparing for TS: Windows 7, Configuring (70-680)
• This exam is strictly focused on the configuration aspect of Windows 7 and is one exam included in the following client certification paths
–MCTS: Windows 7, Configuration
–MCITP: Enterprise Desktop Support Technician 7
• Pro: Windows 7, Enterprise Desktop Support Technician (70-685)
–MCITP: Enterprise Desktop Administrator 7
• Pro: Windows 7, Enterprise Desktop Administrator (70-686)
Credit Toward Certification
Preparing for TS: Windows 7, Configuring (70-680)
• 70-680 is also included in the following server certification paths
–MCITP: Enterprise Administrator
• TS: Windows Server 2008 Active Directory, Configuring (70-640)
• TS: Windows Server 2008 Network Infrastructure, Configuring (70-642)
• TS: Windows Server 2008 Applications Infrastructure, Configuring (70-643)
• Pro: Windows Server 2008, Enterprise Administrator (70-647)
Credit Toward Certification
Windows 7 Administration Training
Instructor: Scott Lowe
Next Steps
Next Steps
• Globomantics was running mostly Windows XP with some Windows Vista thrown in with no plans to move to Windows 7
• The company was recovering from a major security breach
• Globomantics' increasingly mobile sales force was challenged when on the road due to difficulty in connecting to the office
• Some users were having performance problems with the Windows Vista desktops
• The company was convinced that Windows 7 was a non-starter due to software compatibility issues with their finance tool
• Files were not always synchronized between HQ and the large regional office file server in a timely manner
• Bandwidth costs were rising as traffic between large office and HQ grew
Where You Started
Next Steps
• Section 1: Getting started with Windows 7 – features, deployment and configuration
• Section 2: Managing Windows 7 mobility and security
• Section 3: Configuring and managing applications and shared resources
• Section 4: Maintaining Windows 7
Course Building Blocks
Next Steps
• You've now completed the Windows 7 pilot deployment project for Globomantics!
• You've learned how to secure the organization from outside attack and prevent issues that could cause the company further embarrassment
• You've learned how to manage Windows 7 to achieve the highest possible effectiveness, highest possible ROI and lowest possible TCO
• You've enabled the Globomantics mobile sales force to be able to stay on the road while they stay well connected with the office
• You've learned how to leverage Windows 7's brand new features and integrate them into Globomantics' operations
What You’ve Accomplished
Next Steps
• Review the course areas where you still feel a little fuzzy
• Take a practice certification exam
• Join the community for supplemental information
–There are many Windows 7-focused resources (TechNet) where you can expand your Windows 7 knowledge by reading other people's questions
• Get hands-on practice (can't stress this enough)
• Keep the course as reference material for when you run into future problems
Your Road Ahead
Next Steps
• Consider social media feeds like Twitter and follow people you find knowledgeable in Windows 7
• Use the included Transcender lessons
–How to Use Transcender to Prepare for a Certification Exam
–Redeeming your Transcender
• How to redeem your Transcender voucher
• How to download and install the software
• Watch my lesson on preparing for the 70-680 exam
Your Road Ahead
Next Steps
My Favorite Supporting Resources
1. My favorite Windows 7 sites
• Microsoft's Springboard Series for Windows 7: http://technet.microsoft.com/en-us/windows/dd361745.aspx?ITPID=carepgm
• The Windows Team blog: http://windowsteamblog.com/
• Windows 7 Technical Library: http://technet.microsoft.com/en-us/library/dd349342(WS.10).aspx
• Petri IT Knowledgebase – Windows 7: http://www.petri.co.il/windows-7.htm
Next Steps
We Value Your Opinion
Next Steps
• There are many ways to reach us
• Call us at 1-888-229-5055 (worldwide: 1-847-776-8800)
• Email us at [email protected]
• Post in our forums at http://forums.trainsignal.com
• Comment on our blogs at http://www.trainsignaltraining.com
Next Steps
• Thank you for watching this course!
• I hope that you've enjoyed watching it as much as I've enjoyed creating it
• Now, go forth and study, study, study and pass that 70-680 exam!
Thank You and Good Luck!