Microsoft Learning Product
6292A
Installing and Configuring Windows 7 Client
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. © 2009 Microsoft Corporation. All rights reserved. Microsoft, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
MICROSOFT LICENSE TERMS OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft updates, supplements, Internet-based services, and support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply. By using the Licensed Content, you accept these terms. If you do not accept them, do not use the Licensed Content. If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. Academic Materials means the printed or electronic documentation such as manuals, workbooks, white papers, press releases, datasheets, and FAQs which may be included in the Licensed Content.
b. Authorized Learning Center(s) means a Microsoft Certified Partner for Learning Solutions location, an IT Academy location, or such other entity as Microsoft may designate from time to time.
c. Authorized Training Session(s) means those training sessions authorized by Microsoft and conducted at or through Authorized Learning Centers by a Trainer providing training to Students solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or MOC) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions Courseware). Each Authorized Training Session will provide training on the subject matter of one (1) Course.
d. Course means one of the courses using Licensed Content offered by an Authorized Learning Center during an Authorized Training Session, each of which provides training on a particular Microsoft technology subject matter.
e. Device(s) means a single computer, device, workstation, terminal, or other digital electronic or analog device.
f. Licensed Content means the materials accompanying these license terms. The Licensed Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student Content, (iii) classroom setup guide, and (iv) Software. There are different and separate components of the Licensed Content for each Course.
g. Software means the Virtual Machines and Virtual Hard Disks, or other software applications that may be included with the Licensed Content.
h. Student(s) means a student duly enrolled for an Authorized Training Session at your location.
i. Student Content means the learning materials accompanying these license terms that are for use by Students and Trainers during an Authorized Training Session. Student Content may include labs, simulations, and courseware files for a Course.
j. Trainer(s) means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and b) such other individual as authorized in writing by Microsoft and has been engaged by an Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its behalf.
k. Trainer Content means the materials accompanying these license terms that are for use by Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and demonstration guides and script files for a Course.
l. Virtual Hard Disks means Microsoft Software that is comprised of virtualized hard disks (such as a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single computer or other device in order to allow end-users to run multiple operating systems concurrently. For the purposes of these license terms, Virtual Hard Disks will be considered Trainer Content.
m. Virtual Machine means a virtualized computing experience, created and accessed using Microsoft Virtual PC or Microsoft Virtual Server software that consists of a virtualized hardware environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard Disks will be considered Trainer Content.
n. "you" means the Authorized Learning Center or Trainer, as applicable, that has agreed to these license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic), Trainer Content, Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location or per Trainer basis.
3. INSTALLATION AND USE RIGHTS.
a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of copies in use does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by classroom Devices and only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of Devices accessing the Licensed Content on such server does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to use the Licensed Content that you install in accordance with (i) or (ii) above during such Authorized Training Session in accordance with these license terms.
i. Separation of Components. The components of the Licensed Content are licensed as a single unit. You may not separate the components and install them on different Devices.
ii. Third Party Programs. The Licensed Content may contain third party programs. These license terms will apply to the use of those third party programs, unless other terms accompany those programs.
b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized Learning Center on a classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content. You may install and Use one copy of the Licensed Content on the licensed Device solely for your own personal training Use and for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own personal training Use and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (beta) version, in addition to the other provisions in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final, commercial version. We also may not release a commercial version. You will clearly and conspicuously inform any Students who participate in each Authorized Training Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with any further content, including but not limited to the final released version of the Licensed Content for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to Microsoft, without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Licensed Content, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback in them. These rights survive this agreement.
c. Confidential Information. The Licensed Content, including any viewer, user interface, features and documentation that may be included with the Licensed Content, is confidential and proprietary to Microsoft and its suppliers.
i. Use. For five years after installation of the Licensed Content or its commercial release, whichever is first, you may not disclose confidential information to third parties. You may disclose confidential information only to your employees and consultants who need to know the information. You must have written agreements with them that protect the confidential information at least as much as this agreement.
ii. Survival. Your duty to protect confidential information survives this agreement.
iii. Exclusions. You may disclose confidential information in response to a judicial or governmental order. You must first give written notice to Microsoft to allow it to seek a protective order or otherwise protect the information. Confidential information does not include information that
- becomes publicly known through no wrongful act;
- you received from a third party who did not breach confidentiality obligations to Microsoft or its suppliers; or
- you developed independently.
d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) the commercial release of the final release version of the Licensed Content, whichever is first ("beta term").
e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta term, and will destroy all copies of same in the possession or under your control and/or in the possession or under the control of any Trainers who have received copies of the pre-released version.
f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you for such copies and distribution.
ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced Server and/or other Microsoft products which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning Lab Launcher, then these terms apply: Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time indicated on the install of the Virtual Machines (between 30 and 500 days after you install it). You will not receive notice before it stops running. You may not be able to access data used or information saved with the Virtual Machines when it stops running and may be forced to reset these Virtual Machines to their original state. You must remove the Software from the Devices at the end of each Authorized Training Session and reinstall and launch it prior to the beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms apply: Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized Training Session, you will obtain from Microsoft a product key for the operating system software for the Virtual Hard Disks and will activate such Software with Microsoft using such product key.
C. These terms apply to all Virtual Machines and Virtual Hard Disks: You may only use the Virtual Machines and Virtual Hard Disks if you comply with the terms and conditions of this agreement and the following security requirements:
- You may not install Virtual Machines and Virtual Hard Disks on portable Devices or Devices that are accessible to other networks.
- You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session, except those held at Microsoft Certified Partners for Learning Solutions locations.
- You must remove the differencing drive portions of the Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session at Microsoft Certified Partners for Learning Solutions locations.
- You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or downloaded from Devices on which you installed them.
- You will strictly comply with all Microsoft instructions relating to installation, use, activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
- You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof.
- You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an Authorized Training Session will be done in accordance with the classroom set-up guide for the Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip art, animations, sounds, music, shapes, video clips and templates provided with the Licensed Content solely in an Authorized Training Session. If Trainers have their own copy of the Licensed Content, they may use Media Elements for their personal training use.
iv. Evaluation Software. Any Software that is included in the Student Content designated as Evaluation Software may be used by Students solely for their personal training outside of the Authorized Training Session.
b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of obscene or scandalous works, as defined by federal law at the time the work is created; and (b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those portions of the Licensed Content that are logically associated with instruction of the Authorized Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer agrees: (a) that any of these customizations or reproductions will only be used for providing an Authorized Training Session and (b) to comply with all other terms and conditions of this agreement.
iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and use the Academic Materials. You may not make any modifications to the Academic Materials and you may not print any book (either electronic or print version) in its entirety. If you reproduce any Academic Materials, you agree that:
- The use of the Academic Materials will be only for your personal reference or training use;
- You will not republish or post the Academic Materials on any network computer or broadcast in any media;
- You will include the Academic Materials' original copyright notice, or a copyright notice to Microsoft's benefit in the format provided below:
Form of Notice: © 2010 Reprinted for personal reference use only with permission by Microsoft Corporation. All rights reserved. Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the US and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content. It may change or cancel them at any time. You may not use these services in any way that could harm them or impair anyone else's use of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. You may not
- install more copies of the Licensed Content on classroom Devices than the number of Students and the Trainer in the Authorized Training Session;
- allow more classroom Devices to access the server than the number of Students enrolled in and the Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network server;
- copy or reproduce the Licensed Content to any server or location for further reproduction or distribution;
- disclose the results of any benchmark tests of the Licensed Content to any third party without Microsoft's prior written approval;
- work around any technical limitations in the Licensed Content;
- reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that applicable law expressly permits, despite this limitation;
- make more copies of the Licensed Content than specified in this agreement or allowed by applicable law, despite this limitation;
- publish the Licensed Content for others to copy;
- transfer the Licensed Content, in whole or in part, to a third party;
- access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not been authorized by Microsoft to access and use;
- rent, lease or lend the Licensed Content; or
- use the Licensed Content for commercial hosting services or general business purposes.
Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks, does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content marked as "NFR" or "Not for Resale."
10. ACADEMIC EDITION. You must be a "Qualified Educational User" to use Licensed Content marked as "Academic Edition" or "AE." If you do not know whether you are a Qualified Educational User, visit www.microsoft.com/education or contact the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of these license terms. In the event your status as an Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this agreement, you must destroy all copies of the Licensed Content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the Licensed Content and support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed "as-is." You bear the risk of using it. Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and noninfringement.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to anything related to the Licensed Content, software, services, content (including code) on third party Internet sites, or third party programs; and claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.
DISCLAIMER OF WARRANTY. The licensed content covered by a license is offered "as is". Any use of this licensed content is at your sole risk. Microsoft grants no other express warranty. You may have additional rights under local consumer protection law, which this agreement cannot modify. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.
LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You may obtain from Microsoft and its suppliers compensation for direct damages only, up to US $5.00. You may not claim any compensation for other damages, including special, indirect or incidental damages and lost profits. This limitation concerns: anything related to the licensed content, to services or to content (including code) appearing on third-party Internet sites or in third-party programs; and claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent permitted by the law in force.
It also applies even if Microsoft knew or should have known of the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages of any kind, the above limitation or exclusion may not apply to you. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change the rights conferred on you by the laws of your country if those laws do not permit it.
Acknowledgements
Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.
Contents
Module 1: Installing, Upgrading, and Migrating to Windows 7
Lesson 1: Preparing to Install Windows 7 1-3
Lesson 2: Performing a Clean Installation of Windows 7 1-14
Lesson 3: Upgrading and Migrating to Windows 7 1-19
Lesson 4: Performing Image-based Installation of Windows 7 1-31
Lesson 5: Configuring Application Compatibility 1-51
Lab: Installing and Configuring Windows 7 1-58
Lesson 3: Securing Data by Using EFS and BitLocker
Lesson 4: Configuring Application Restrictions
Lesson 5: Configuring User Account Control
Lab A: Configuring UAC, Local Security Policies, EFS, and AppLocker
Lesson 6: Configuring Windows Firewall
Lesson 7: Configuring Security Settings in Internet Explorer 8
Lesson 8: Configuring Windows Defender
Lab B: Configuring Windows Firewall, Internet Explorer 8 Security Settings, and Windows Defender
Course Description
This three-day instructor-led course is intended for IT professionals who are interested in expanding their knowledge base and technical skills about Windows 7 Client. In this course, students learn how to install, upgrade, and migrate to Windows 7 client. Students then configure Windows 7 client for network connectivity, security, maintenance, and mobile computing.
Audience
This course is intended for IT professionals who are interested in:
- Expanding their knowledge base and technical skills about Windows 7 Client.
- Acquiring deep technical knowledge of Windows 7.
- Learning the details of Windows 7 technologies.
- Focusing on the "how to" associated with Windows 7 technologies.
Most of these professionals use some version of Windows client at their work place and are looking at new and better ways to perform some of the current functions.
Student Prerequisites
This course requires that you meet the following prerequisites:
- Experience installing PC hardware and devices.
- Basic understanding of TCP/IP and networking concepts.
- Basic Windows and Active Directory knowledge.
- The skills to map network file shares.
- Experience working from a command prompt.
- Basic knowledge of the fundamentals of applications. For example, how client computer applications communicate with the server.
- Basic understanding of security concepts such as authentication and authorization.
- An understanding of the fundamental principles of using printers.
Course Objectives
After completing this course, students will be able to:
- Perform a clean installation of Windows 7, upgrade to Windows 7, and migrate user-related data and settings from an earlier version of Windows.
- Configure disks, partitions, volumes, and device drivers to enable a Windows 7 client computer.
- Configure file access and printers on a Windows 7 client computer.
- Configure network connectivity on a Windows 7 client computer.
- Configure wireless network connectivity on a Windows 7 client computer.
- Secure Windows 7 client desktop computers.
- Optimize and maintain the performance and reliability of a Windows 7 client computer.
- Configure mobile computing and remote access settings for a Windows 7 client computer.
Course Outline
This section provides an outline of the course:
Module 1, Installing, Upgrading, and Migrating to Windows 7
Module 2, Configuring Disks and Device Drivers
Module 3, Configuring File Access and Printers on Windows 7 Client Computers
Module 4, Configuring Network Connectivity
Module 5, Configuring Wireless Network Connections
Module 6, Securing Windows 7 Desktops
Module 7, Optimizing and Maintaining Windows 7 Client Computers
Module 8, Configuring Mobile Computing and Remote Access in Windows 7
Course Materials
The following materials are included with your kit: Course Handbook A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience. Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience. Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module. Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention. Lab Answer Keys: Provide step-by-step lab solution guidance at your finger tips when its needed.
Course Companion Content on the http://www.microsoft.com/learning/companionmoc/ Site: Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to supplement the Course Handbook. Modules: Include companion content, such as questions and answers, detailed demo steps and additional reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers. Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN, Microsoft Press
- Student Course files on the http://www.microsoft.com/learning/companionmoc/ Site: Includes the Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations.

Course Evaluation
At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor. To provide additional comments or feedback on the course, send e-mail to support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail to mcphelp@microsoft.com.
Important: At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine without saving the changes, perform the following steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off and delete changes, and then click OK.
The following table shows the role of each virtual machine used in this course:
Virtual machine    Role
6292A-LON-DC1      Domain controller in the Contoso.com domain
6292A-LON-CL1      Windows 7 computer in the Contoso.com domain
6292A-LON-CL2      Windows 7 computer in the Contoso.com domain
6292A-LON-CL3      Virtual machine with no operating system installed
6292A-LON-VS1      Windows Vista computer in the Contoso.com domain
Software Configuration
The following software is installed on the VMs:
- Windows Server 2008 R2
- Windows 7
- Windows Vista, SP1
- Office 2007, SP1
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
Module 1
Installing, Upgrading, and Migrating to Windows 7
Contents:
Lesson 1: Preparing to Install Windows 7 (1-3)
Lesson 2: Performing a Clean Installation of Windows 7 (1-14)
Lesson 3: Upgrading and Migrating to Windows 7 (1-19)
Lesson 4: Performing Image-based Installation of Windows 7 (1-31)
Lesson 5: Configuring Application Compatibility (1-51)
Lab: Installing and Configuring Windows 7 (1-58)
Module Overview
Windows 7 is the latest version of the Windows operating system from Microsoft. It is built on the same kernel as Windows Vista. Windows 7 ships in several editions to meet specific customer needs. Windows 7 enhances user productivity and security, and reduces IT overhead for deployment. It provides additional manageability with several key features, such as BitLocker™, BitLocker To Go, AppLocker and improvements in the Windows Taskbar. Windows 7 also enhances the end-user experience with improvements in how users organize, manage, search, and view information.
There are several ways to install Windows 7, but before you start, verify that the hardware platform meets the requirements of the edition you want to install. If necessary, plan for hardware upgrades. It is also recommended that you test your applications for compatibility and prepare any necessary mitigation plan. Depending on the version of your current operating system, you may be able to upgrade directly to Windows 7, or you may need to perform a clean installation of Windows 7 and migrate the necessary settings and data.
Lesson 1: Preparing to Install Windows 7
Before installing Windows 7, ensure that your computer meets the minimum hardware requirements. In addition, you must decide which edition of Windows 7 best suits your organizational needs. You must also decide which architecture to use, either the 32-bit or the 64-bit platform of Windows 7.
Once you have established your hardware requirements and decided which edition of Windows 7 to install, you have several options to install and deploy Windows 7. Depending on several factors, such as your organization's deployment infrastructure, policy and automation, you may want to select one or more installation options.
Key Points
Windows 7 includes many features that enable users to be more productive. It also provides a higher level of reliability and increases computer security when compared to the previous versions of Windows. The key features of Windows 7 are categorized as follows:
- Usability: Windows 7 includes tools to simplify a user's ability to organize, search for, and view information. In addition, Windows 7 communication, mobility, and networking features help users connect to people, information, and devices by using simple tools.
- Security: Windows 7 is built on a fundamentally secure platform based on the Windows Vista foundation. User Account Control (UAC) in Windows 7 adds security by limiting administrator-level access to the computer, restricting most users to run as Standard Users. Streamlined UAC in Windows 7 reduces the number of operating system applications and tasks that require elevation of privileges and provides flexible prompt behavior for administrators, allowing standard users to do more and administrators to see fewer UAC elevation prompts.
- Multi-tiered data protection: Rights Management Services (RMS), Encrypting File System (EFS), Windows BitLocker™ Drive Encryption, and Internet Protocol Security (IPsec) provide different levels of data protection in Windows 7.
  - RMS enables organizations to enforce policies regarding document usage.
  - EFS provides user-based file and directory encryption.
  - BitLocker and BitLocker To Go™ provide full-volume encryption of the system volume, including Windows system files, and of removable devices.
  - IPsec isolates network resources from unauthenticated computers and encrypts network communication.
- Reliability and performance: Windows 7 takes advantage of modern computing hardware, running more reliably and providing more consistent performance than previous versions of Windows.
- Deployment: Windows 7 is deployed by using an image, which makes the deployment process efficient because of several factors:
  - Windows 7 installation is based on the Windows Imaging (WIM) format, which is a file-based disk-imaging format.
  - Windows 7 is modularized, which makes customization and deployment of the images simpler.
  - Windows 7 uses Extensible Markup Language (XML)-based unattended setup answer files to enable remote and unattended installations.
  - Deploying Windows 7 by using Windows Deployment Services in Windows Server 2008 R2 is optimized with Multicast with Multiple Stream Transfer and Dynamic Driver Provisioning.
  - Deployment Image Servicing and Management (DISM) is a consolidated tool for servicing and managing images.
  - Migrating user state is made more efficient with hard-link migration, offline user state capture, volume shadow copy, and improved file discovery in USMT 4.0.
- Manageability: Windows 7 introduces several manageability improvements that can reduce cost by increasing automation:
  - Microsoft Windows PowerShell 2.0, which enables IT professionals to create and run scripts on a local PC or on remote PCs across the network.
  - Group Policy scripting, which enables IT professionals to manage Group Policy Objects (GPOs) and registry-based settings in an automated manner.
  Windows 7 improves the support tools to keep users productive and reduce help desk calls, including:
  - Built-in Windows Troubleshooting Packs, which enable end-users to solve many common problems on their own.
  - Improvements to the System Restore tool, which informs users of applications that might be affected when they restore Windows to an earlier state.
  - The new Problem Steps Recorder, which enables users to record screenshots, click-by-click, to reproduce a problem.
  - Improvements to the Resource Monitor and Reliability Monitor, which enable IT Professionals to more quickly diagnose performance, compatibility, and resource limitation problems.
  Windows 7 also provides flexible administrative control with the following features:
  - AppLocker, which enables IT professionals to more flexibly set policy on which applications and scripts users can run or install.
  - Auditing improvements, which enable IT professionals to use Group Policy to configure more comprehensive auditing of files and registry access.
  - Group Policy Preferences, which define a default configuration that users can change, and provide centralized management of mapped network drives, scheduled tasks, and other Windows components that are not Group Policy-aware.
- Productivity: Windows 7 improvements to the user interface help users and IT Professionals increase their productivity with features such as Windows Search. Windows 7 improves the mobile and remote users' experience by introducing BranchCache™, DirectAccess, and VPN Reconnect.
  - BranchCache increases network responsiveness of applications and gives users in remote offices an experience like working in the head office.
  - DirectAccess connects mobile workers seamlessly and safely to their corporate network any time they have Internet access, without the need for a VPN.
  - VPN Reconnect provides seamless and consistent VPN connectivity by automatically reestablishing a VPN when users temporarily lose their Internet connections.
Windows 7 introduces Windows Virtual PC, which provides the capability to run multiple environments, such as Windows XP Mode, from a Windows 7 computer. This feature enables you to publish and launch applications installed on the virtual Windows XP directly from the Windows 7 computer, as if they were installed on the Windows 7 host itself.
Question: What are the key features of Windows 7 that will help your organization?
Editions of Windows 7
Key Points
There are six Windows 7 editions: two editions for mainstream consumers and business users, and four specialized editions for enterprise customers, technical enthusiasts, emerging markets and entry-level PCs. The following are the available editions of Windows 7:
- Windows 7 Starter: this edition is targeted specifically at small form factor PCs in all markets. It is only available for the 32-bit platform. Features include:
  - An improved Windows Taskbar and Jump Lists
  - Windows Search, ability to join a HomeGroup, Action Center, Device Stage, Windows Fax and Scan
  - Enhanced media streaming, including Play To
  - Broad application and device compatibility without limitation on how many applications can run simultaneously
- Windows 7 Home Basic: this edition is targeted at value PCs in emerging markets; it is meant for accessing the Internet and running basic productivity applications. It includes all features available in Windows 7 Starter, and other features, such as Live Thumbnail previews, enhanced visual experiences, and advanced networking support.
- Windows 7 Home Premium: this edition is the standard edition for customers. It provides full functionality on the latest hardware, simple ways to connect, and a visually rich environment. This edition includes all features available in Windows 7 Home Basic and other features, such as:
  - Windows Aero, advanced Windows navigation and Aero background
  - Windows Touch
  - Ability to create a HomeGroup
  - DVD Video playback and authoring
  - Windows Media Center, Snipping Tool, Sticky Notes, Windows Journal and Windows Sideshow™
- Windows 7 Professional: this edition is the business-focused edition for small and lower mid-market companies and users who have networking, backup, and security needs and multiple PCs or servers. It includes all features available in Windows 7 Home Premium, and other features, such as core business features including:
  - Domain Join and Group Policy
  - Data protection with advanced network backup and Encrypted File System
  - Ability to print to the correct printer at home or work with Location Aware Printing
  - Remote Desktop host and Offline folders
  - Windows Virtual PC and Windows XP Mode
- Windows 7 Enterprise: this edition provides advanced data protection and information access for businesses that use IT as a strategic asset. It is a business-focused edition, targeted at managed environments, mainly large enterprises. This edition includes all features available in Windows 7 Professional, and other features, such as:
  - BitLocker and BitLocker To Go
  - AppLocker
  - DirectAccess
  - BranchCache
  - Enterprise Search Scopes
  - All worldwide interface languages
  - Virtual Desktop Infrastructure (VDI) enhancements
  - Ability to start from a VHD
- Windows 7 Ultimate: this edition is targeted at technical enthusiasts who want all Windows 7 features without a Volume License agreement. It includes all of the same features as Windows 7 Enterprise. Windows 7 Ultimate is not licensed for VDI scenarios.
Note: Microsoft also produces an N edition of Windows 7 Starter, Windows 7 Home Basic, and Windows 7 Professional. The N editions of Windows 7 include all of the same features as the corresponding editions, but do not include Microsoft Windows Media Player and related technologies. This enables you to install your own media player and associated components.
Note: There are 32 and 64-bit versions available for all editions of Windows 7 except Windows 7 Starter, which is available only as a 32-bit operating system.
Question: Which edition of Windows 7 might you choose in the following scenarios?
1. Scenario 1: There are a few users in your organization. Currently, you do not have a centralized file server and none of the computers are joined to a domain.
2. Scenario 2: Your organization has more than one hundred users who are located in several offices across the country. In addition, you have several users that travel frequently.
Question: What is the difference between the Enterprise and the Ultimate edition of Windows 7?
Key Points
In general, the hardware requirements for Windows 7 are the same as for Windows Vista. The preceding table shows the minimum hardware requirements for different editions of Windows 7.
Note: An Aero Capable GPU supports DirectX 9 with a WDDM driver, Pixel Shader 2.0, and 32 bits per pixel.
When considering the deployment of Windows 7, use the previous table as a guideline for minimum hardware standards, but consider the level of performance that you want to achieve, as this table only specifies the minimum requirements. To achieve optimum performance, consider hardware that is more powerful.
Question: What is the typical computer specification within your organization currently? Contrast that specification to what was typically available when Windows Vista was released. Do you think Windows 7 can be deployed to the computers within your organization as they currently are?
Key Points
The features in the 64-bit editions of Windows 7 are identical to their 32-bit counterparts. However, there are several advantages to using a 64-bit edition of Windows 7.
- Improved Performance: 64-bit processors can process more data for each clock cycle, enabling you to scale your applications to run faster or support more users. To benefit from this improved processor capacity, you must install a 64-bit edition of the operating system.
- Enhanced Memory: a 64-bit operating system can address memory above 4 GB. This is unlike all 32-bit operating systems, including all 32-bit editions of Windows 7, which are limited to 4 GB of addressable memory. The following table lists the memory configurations supported by 64-bit editions of Windows 7.
  Windows 7 Edition                Memory
  Home Basic / Home Basic N        8 GB
  Home Premium                     16 GB
  Professional / Professional N    128 GB or more
  Enterprise / Ultimate            128 GB or more
- Improved Device Support: although 64-bit processors have been available for some time, in the past it was difficult to obtain third-party drivers for commonly used devices, such as printers, scanners, and other common office equipment. Since Windows Vista was first released, the availability of drivers for these devices has improved greatly. Because Windows 7 is built on the same kernel as Windows Vista, most of the drivers that worked with Windows Vista also work with Windows 7.
- Improved Security: the architecture of x64-based processors from Intel and AMD improves security with Kernel Patch Protection, mandatory kernel-mode driver signing and Data Execution Prevention.
Key Points
Windows 7 supports the following types of installation:
- Clean installation: perform a clean installation when installing Windows 7 on a new partition or when replacing an existing operating system on a partition. You can run setup.exe from the product DVD or from a network share, and can also use an image to perform a clean installation.
- Upgrade installation: perform an upgrade, also known as an in-place upgrade, when replacing an existing version of Windows with Windows 7 and you need to retain all user applications, files, and settings.
- Migration: perform a migration when you have a computer already running Windows 7 and need to move files and settings from your old operating system (source computer) to the Windows 7 computer (destination computer).
There are two migration scenarios: side-by-side and wipe and load. In a side-by-side migration, the source computer and the destination computer are two different computers. In a wipe and load migration, the target computer and the source computer are the same.
Question: Which type of installation do you use in the following scenarios?
1. Scenario 1: Your users have computers that are at least three years old and your organization plans to deploy Windows 7 to many new computers.
2. Scenario 2: There are only a few users in your organization; their computers are mostly new, but they have many applications installed and a lot of data stored on their computers.
Lesson 2: Performing a Clean Installation of Windows 7
There are several ways to install Windows 7. The method you use may depend on whether you are installing it on a new computer or on a computer that is running another version of Windows. A clean installation is done when you install Windows 7 on a new partition or when you replace an existing operating system on a partition.
Key Points
There are several methods to perform a clean installation of Windows 7.
- Running Windows 7 installation from DVD: installing from the product DVD is the simplest way to install Windows 7.
- Running Windows 7 installation from a network share: instead of a DVD, the Windows 7 installation files can be stored in a network share. Generally, the network source is a shared folder on a file server. If your computer does not currently have an operating system, start the computer by using Windows PE. If your computer already has an operating system, you can start the computer with the old operating system.
- Installing Windows 7 by using an image: install Windows 7 to a reference computer and prepare the reference computer for duplication. Capture the volume image to a WIM file by using the ImageX tool. Then, use the deployment tools, such as ImageX, WDS, or MDT, to deploy the captured image. Image-based installation of Windows will be covered in more detail in a later lesson.
Note: Windows PE is a minimal 32 or 64-bit operating system with limited services, built on the Windows 7 kernel. Windows PE is used to install and repair the Windows operating system.
Question: In what situation will you use each method of performing a clean installation of the Windows operating system?
Key Points
The installation of Windows 7 is robust and trouble free if your hardware meets the minimum requirements. However, a variety of problems can occur during an installation, and a methodical approach helps solve them. You can use the following four-step approach in any troubleshooting environment:
1. Determine what has changed.
2. Eliminate the possible causes to determine the probable cause.
3. Identify a solution.
4. Test the solution.
If the problem persists, go back to step three and repeat the process.
Present and discuss your ideas on this topic in the class.
Demonstration: Configuring the Computer Name and Domain/Workgroup Settings
Key Points
Typically, you will configure the Computer Name and Domain/Workgroup settings after installing Windows. This demonstration shows how to configure domain and workgroup settings.
Note: You can open the DNS Suffix and NetBIOS Computer Name dialog box and set the primary DNS suffix to have the computer search DNS domains other than the Active Directory domain that it is joined to. The NetBIOS name is used for backward compatibility with older applications.
Question: When will you configure the primary DNS suffix to be different from the Active Directory domain?
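The read-only PowerShell script below is an added example, not part of the course demonstration: it reports the computer name, domain or workgroup membership and primary DNS suffix that the demonstration configures, and flags a suffix that differs from the joined Active Directory domain, the case the question above asks about. It assumes PowerShell 2.0 on Windows 7 and reads the Tcpip\Parameters registry key; the function name is my own.

```powershell
# Added example, not from the course: reports the name and domain settings the
# demonstration configures. Read-only; PowerShell 2.0 on Windows 7.
function Get-NameAndDomainSettings {
    $cs  = Get-WmiObject -Class Win32_ComputerSystem
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $tcp = Get-ItemProperty -Path $key

    # "NV Domain" is the primary DNS suffix entered in the DNS Suffix and
    # NetBIOS Computer Name dialog; "Domain" is the suffix currently in effect.
    $primarySuffix = [string]$tcp.'NV Domain'
    $activeSuffix  = [string]$tcp.Domain

    # SyncDomainWithMembership = 0 means "Change primary DNS suffix when domain
    # membership changes" was cleared; the value is absent (default) when checked.
    $follows = ($tcp.SyncDomainWithMembership -ne 0)

    if ($cs.PartOfDomain) { $membership = "Domain: $($cs.Domain)" }
    else                  { $membership = "Workgroup: $($cs.Workgroup)" }

    # A domain member whose primary suffix is not the AD domain name is a
    # disjoint namespace; it works only if DNS and the suffix search list were
    # deliberately set up for it, so surface it for review.
    $differs = [bool]($cs.PartOfDomain -and $primarySuffix -and ($primarySuffix -ne $cs.Domain))

    New-Object PSObject -Property @{
        NetBiosName         = $cs.Name
        DnsHostName         = $cs.DNSHostName
        Membership          = $membership
        PrimaryDnsSuffix    = $primarySuffix
        ActiveDnsSuffix     = $activeSuffix
        SuffixFollowsDomain = $follows
        SuffixDiffersFromAD = $differs
    }
}

$settings = Get-NameAndDomainSettings
$settings | Format-List NetBiosName, DnsHostName, Membership, PrimaryDnsSuffix, ActiveDnsSuffix, SuffixFollowsDomain, SuffixDiffersFromAD
if ($settings.SuffixDiffersFromAD) {
    Write-Warning "Primary DNS suffix '$($settings.PrimaryDnsSuffix)' differs from the Active Directory domain; confirm this disjoint namespace is intended."
}
```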
Lesson 3: Upgrading and Migrating to Windows 7
When you perform a clean installation of Windows 7, the installation process does not transfer user settings from the legacy operating system. If you need to retain user settings, consider performing an upgrade or a migration to Windows 7 instead.
Depending on the version of your current operating system, you may not be able to upgrade directly to Windows 7. You can install Windows Upgrade Advisor to provide upgrade guidance for Windows 7. If your current operating system does not support direct upgrade to Windows 7, consider performing a clean installation and migrating user settings and data by using migration tools.
Key Points
Not all operating systems can be upgraded or migrated to Windows 7. While several operating systems support in-place upgrades, others only support migration of user settings and data after you perform a clean installation of Windows 7.
Migration Considerations
Perform a migration when you:
- Want a standardized environment for all users running Windows. A migration takes advantage of a clean installation. A clean installation ensures that all of your systems begin with the same configuration, and that all applications, files, and settings are reset. Migration ensures that you can retain user settings and data.
- Have storage space to store the user state. Typically, you will need storage space to store the user state when performing a migration. User State Migration Tool 4.0 introduces hard-link migration, in which you do not need extra storage space. This is only applicable to wipe and load migration.
- Plan to replace existing computer hardware. If you do not plan to replace the existing computers, you can still perform a migration by doing a wipe and load migration.
- Plan to deploy Windows to many computers.
An upgrade scenario is suitable in small organizations or in the home environment, while in large enterprises, where significant numbers of computers are involved, a clean installation followed by migration is the recommended solution. The most common method of deploying Windows 7 in large enterprises is by performing a clean installation by using images, followed by migrating user settings and data.
Question: You are deploying Windows 7 throughout your organization. Given the following scenarios, which do you choose, upgrade or migration?
1. Scenario 1: Your organization has a standardized environment. You have several servers dedicated as storage space and the computers in your organization are no later than two years old.
2. Scenario 2: Your organization has a standardized environment. You have several servers dedicated as storage space and plan to replace existing computers, which are more than three years old.
3. Scenario 3: You do not have extra storage space and the computers in your organization are less than two years old. In addition, there are only five users in your organization and you do not want to reinstall existing applications on your user computers.
Key Points
The following table identifies the Windows operating systems that you can upgrade directly to Windows 7 or migrate to Windows 7. Supported scenarios: Clean Installation, Migration.
- Earlier versions than Windows XP: Windows versions earlier than Windows XP do not support in-place upgrade or migration to Windows 7.
- Windows XP, Windows Vista: Windows XP and Windows Vista (without any Service Pack) do not support in-place upgrade to Windows 7. You can use WET or USMT to migrate the user state from these versions of Windows to any edition of Windows 7, with the exception of the Starter edition.
- Windows Vista (with Service Pack 1 or later): Windows Vista with Service Pack 1 or later is required to support in-place upgrade to Windows 7. There are limitations on which edition you can upgrade from and to.
- Windows 7: Windows 7 supports upgrades to higher editions with Windows Anytime Upgrade. There are limitations on which edition you can upgrade from and to.
Upgrade Limitations
An in-place upgrade does not support cross-architecture upgrades. This means that you cannot upgrade from 32-bit to 64-bit or vice versa. An in-place upgrade also does not support cross-language upgrades. In both cases, you need to perform a clean installation and the necessary migration.
Key Points
Windows Upgrade Advisor is a downloadable application you can use to identify which edition of Windows 7 meets your needs, whether your computers are ready for an upgrade to Windows 7, and which features of Windows 7 will run on your computers. The end result is a report that provides upgrade guidance to Windows 7 and suggestions about what, if any, hardware updates are necessary to install and run the appropriate edition and features of Windows 7.
Requirements
To install and run the Windows Upgrade Advisor, you need the following:
- Administrator privileges
- .NET 2.0
- MSXML6
- 20 MB of free hard disk space
- An Internet connection
Windows Upgrade Advisor is an ideal tool if you only have a few computers. For enterprise deployment, consider the Application Compatibility Toolkit and the Microsoft Assessment and Planning Toolkit to prepare your organization's readiness for Windows 7.
Key Points
An in-place upgrade replaces the operating system on your computer while retaining all programs, program settings, user-related settings, and user data. Performing an in-place upgrade from Windows Vista with Service Pack 1 is the simplest way to upgrade to Windows 7. The process for upgrading to Windows 7 is described in the following steps:
1. Evaluate: you must evaluate whether your computer meets the requirements needed to run Windows 7. You must also determine whether any installed application programs will have compatibility problems running on Windows 7. You can use the Windows Upgrade Advisor to help you perform this evaluation. If you have many computers to upgrade, consider using the Application Compatibility Toolkit (ACT) and Microsoft Assessment and Planning (MAP) to assess your organization's readiness.
2. Back Up: to protect against data loss during the upgrade process, it is important to back up any data and personal settings before starting the upgrade.
3. Upgrade: to perform the upgrade, run the Windows 7 installation program (setup.exe) from the product DVD or a network share.
4. Verify: after the upgrade completes, verify that all of the applications and hardware devices function correctly.
5. Update: determine whether there are any updates to the Windows 7 operating system and apply any relevant updates to your computer. Dynamic Update is a feature of Windows 7 Setup that works with Windows Update to download any critical fixes and drivers that the setup process requires.
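As an added example (not the course's or Microsoft's tooling), the PowerShell function below gives a first-pass answer to the Evaluate step by applying the rules from the upgrade table and the two upgrade limitations to the computer it runs on. It assumes PowerShell 2.0 with WMI on the source computer, that the Windows 7 media is 64-bit en-US (LCID 1033) unless other parameters are passed, and the function name is my own.

```powershell
# Added example, not part of the course: decides between in-place upgrade and
# clean installation + migration from the upgrade table (Vista SP1 or later only)
# and the cross-architecture / cross-language limitations. PowerShell 2.0, WMI only.
function Get-Win7UpgradePath {
    param(
        [string]$TargetArchitecture = '64-bit',  # assumption: architecture of your Windows 7 media
        [int]$TargetLanguageId      = 1033       # assumption: language of your media (1033 = en-US)
    )
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version]$os.Version              # 5.1 = XP, 6.0 = Vista, 6.1 = Windows 7
    $sp  = [int]$os.ServicePackMajorVersion

    # OSArchitecture exists only from Vista on; on XP fall back to the processor's
    # AddressWidth, which reports the width of the running OS (32 or 64).
    $arch = $os.OSArchitecture
    if (-not $arch) {
        $cpu  = Get-WmiObject -Class Win32_Processor | Select-Object -First 1
        $arch = "$($cpu.AddressWidth)-bit"
    }

    $inPlaceOk = ($ver.Major -eq 6 -and $ver.Minor -eq 0 -and $sp -ge 1)   # Vista SP1 or later
    if ($ver.Major -lt 5 -or ($ver.Major -eq 5 -and $ver.Minor -lt 1)) {
        $path = 'Not supported: neither in-place upgrade nor migration (older than Windows XP)'
    } elseif ($ver.Major -eq 5 -or ($ver.Major -eq 6 -and $ver.Minor -eq 0 -and $sp -lt 1)) {
        $path = 'Clean installation, then migrate user state with WET or USMT (XP or Vista without SP)'
    } elseif ($inPlaceOk) {
        $path = 'In-place upgrade supported; check the edition-to-edition limitations'
    } else {
        $path = 'Already Windows 7; use Windows Anytime Upgrade to move to a higher edition'
    }

    # The two upgrade limitations: no cross-architecture and no cross-language upgrade.
    $blockers = @()
    if ($arch -ne $TargetArchitecture) {
        $blockers += "cross-architecture ($arch to $TargetArchitecture)"
    }
    if ([int]$os.OSLanguage -ne $TargetLanguageId) {
        $blockers += "cross-language (LCID $($os.OSLanguage) to $TargetLanguageId)"
    }
    if ($inPlaceOk -and $blockers.Count -gt 0) {
        $path = 'Clean installation and migration required: ' + ($blockers -join '; ')
    }

    New-Object PSObject -Property @{
        SourceOS     = $os.Caption.Trim()
        Version      = $os.Version
        ServicePack  = $sp
        Architecture = $arch
        LanguageId   = [int]$os.OSLanguage
        Path         = $path
        Blockers     = $blockers
    }
}

Get-Win7UpgradePath | Format-List SourceOS, Version, ServicePack, Architecture, LanguageId, Path, Blockers
```

The edition-to-edition rules the table refers to are not encoded here; the Windows Upgrade Advisor remains the tool for that part of the evaluation.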
Key Points
If you choose to do a clean installation followed by migration to Windows 7, you must back up user-related settings, application settings, and user data that you will restore after the Windows 7 installation.
User State Migration Tool (USMT) 4.0: use USMT 4.0 to perform a side-by-side migration for many computers and to automate the process as much as possible, or to perform a wipe-and-load migration on the same computer.
Key Points
If you cannot, or prefer not to, perform an in-place upgrade, you can perform a clean installation of Windows 7 and then migrate the user-related settings. The process for migrating to Windows 7 is described in the following steps:
1. Back Up: before installing the new operating system, you must back up all user-related settings and program settings. Also consider backing up your user data.
2. Install Windows 7: run the Windows 7 installation program (setup.exe) from the product DVD or a network share and perform a clean installation.
3. Update: if you chose not to check for updates during the installation process, it is important to do so after verifying the installation.
4. Install Applications: when you have completed the Windows 7 installation, you must reinstall all applications. Windows 7 may block the installation of any incompatible programs.
5. Restore: after installing your applications, use WET or USMT to migrate your application settings and user-related settings to complete the migration process.
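For the Back Up and Restore steps of this procedure, the script below is an added example, not the course's own material, of a wipe-and-load migration with USMT 4.0 using the hard-link store that the migration considerations mention. It assumes USMT 4.0 unpacked at C:\USMT\amd64 (x86 for a 32-bit installation), a store at C:\MigStore and logs in C:\MigLogs; those paths and the function names are my own.

```powershell
# Added example, not from the course: wipe-and-load migration with USMT 4.0
# using a hard-link store, so no extra storage is needed. Run Backup-UserState
# on the old OS (step 1), install Windows 7 WITHOUT formatting the volume in
# step 2 (formatting destroys the hard-link store), reinstall applications
# (step 4), then run Restore-UserState (step 5). Elevated PowerShell 2.0.
$Usmt  = 'C:\USMT\amd64'     # assumption; use C:\USMT\x86 on a 32-bit installation
$Store = 'C:\MigStore'       # assumption; a hard-link store must be on the volume holding the data
$Logs  = 'C:\MigLogs'        # assumption

function Invoke-Usmt {
    param([string]$Tool, [string[]]$ToolArgs)
    $exe = Join-Path $Usmt "$Tool.exe"
    if (-not (Test-Path $exe)) { throw "USMT tool not found: $exe" }
    New-Item -ItemType Directory -Path $Logs -Force | Out-Null

    # MigDocs.xml (user documents) and MigApp.xml (application settings) ship
    # with USMT 4.0. /hardlink requires /nocompress; /c continues past
    # non-fatal errors; /v:13 writes the most detailed log; /l names the log.
    $common = @("/i:$Usmt\MigDocs.xml", "/i:$Usmt\MigApp.xml",
                '/hardlink', '/nocompress', '/c', '/v:13', "/l:$Logs\$Tool.log")
    & $exe $Store ($common + $ToolArgs)
    if ($LASTEXITCODE -ne 0) {
        throw "$Tool exited with code $LASTEXITCODE; review $Logs\$Tool.log before continuing"
    }
}

function Backup-UserState {
    # Step 1: capture files and settings into the hard-link store.
    # /o overwrites a previous store at the same path.
    Invoke-Usmt -Tool 'ScanState' -ToolArgs @('/o')
}

function Restore-UserState {
    # Step 5: replay the store onto the new Windows 7 installation.
    # /lac creates local accounts that do not yet exist; /lae enables them.
    Invoke-Usmt -Tool 'LoadState' -ToolArgs @('/lac', '/lae')
}

# Uncomment the phase you are in:
# Backup-UserState
# Restore-UserState
```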
Key Points
Windows Easy Transfer (WET) is the recommended tool for scenarios in which you have a small number of computers to migrate. You can decide what to transfer and select the transfer method to use. You can use WET to transfer files and folders, e-mail settings, contacts and messages, application settings, user accounts and settings, Internet settings and favorites.
If your source computer is running Windows 7, you can find WET in the System Tools program group folder. If your computer is running Windows XP or Windows Vista, WET can be obtained from a Windows 7 product DVD or from any computer that is running Windows 7.
Windows Vista has an older version of WET. While you can still use the Windows Vista WET to migrate user state to Windows 7, you may want to use the latest functionality of the Windows 7 WET. Obtain the WET from a Windows 7 product DVD or from any computer that is running Windows 7. Windows 7 WET includes a new file explorer that enables you to select exactly which files to copy to your new PC. And if Windows finds a file or setting it cannot work with, Windows 7 WET prevents your transfer from hanging up. It will complete the transfer and give you a full report of anything that fails to migrate.
If the source computer is running Windows 7, you can skip the following procedure of storing the Windows 7 WET files to be used on the source computer.
5. Click This is my new computer.
6. Click I need to install it now.
7. Select the destination media where you want to store the Windows Easy Transfer Wizard files. You can store the wizard files to an external hard drive or network drive, or you can store them on a USB flash drive.
8. A Browse for Folder window opens. Type the path and folder name where you want to store the Windows Easy Transfer Wizard files and then click Next.
You must now start your source computer to install Windows Easy Transfer.
Migrate Files and Settings from the Source Computer to the Destination Computer
You can select one of the three methods to transfer files and settings:
Use an Easy Transfer Cable.
Use a network connection.
Use removable media such as a USB flash drive or an external hard disk.
Note: If your computer already has WET, you can run it from the System Tools program group folder.
2. Click Next.
3. Click A network.
Note: Both computers must support the transfer method you choose. For example, both computers must be connected to the same network.
4. Click This is my old computer. WET creates a Windows Easy Transfer key. This key is used to link the source and destination computer.
5. Follow the steps to enter the Windows Easy Transfer key on your destination computer to allow the network connection.
6. On your destination computer, after entering the Windows Easy Transfer key, click Next. A connection is established and Windows Easy Transfer checks for updates and compatibility.
7. Click Transfer to transfer all files and settings. You can also determine which files must be migrated by selecting only the user profiles you want to transfer or by clicking Customize.
8. Click Close after Windows Easy Transfer has completed the migration of files and settings to the destination computer.
Lesson 4
Many medium to large-sized organizations use an image-based deployment model to deploy desktop operating systems. After installing and configuring a reference computer, most imaging solutions capture an image based on a sector-by-sector copy of the reference computer. This technology, although effective in some situations, has a number of disadvantages to the overall efficiency of your imaging system.
The Windows 7 setup process relies on an image-based installation architecture. This architecture consists of deployment tools and technologies to assist with customizing and deploying Windows 7 throughout the organization. Using these tools, organizations can configure an effective computer imaging and deployment methodology that will ensure a standardized Microsoft Windows desktop environment.
Key Points
The Windows Imaging (WIM) file is a file-based disk image format that was introduced in Windows Vista. All Windows 7 installations use this image file. When installing Windows 7, you are applying an image to the hard disk.
Benefits of WIM
WIM provides several benefits over other imaging formats, such as the following:
A single WIM file can address many different hardware configurations. WIM does not require that the destination hardware match the source hardware, so you need only one image to address many different hardware configurations.
WIM can store multiple images within a single file. For example, you can store images with and without core applications in a single image file.
WIM enables compression and single instancing, which reduces the size of image files significantly. Single instancing is a technique that allows multiple images to share a single copy of files that are common between the instances.
WIM enables you to service an image offline. You can add or remove certain operating system components, files, updates, and drivers without creating a new image.
WIM enables you to install a disk image on partitions of any size, unlike sector-based image formats that require you to deploy a disk image to a partition that is the same size or larger than the source disk.
Windows 7 provides an API for the WIM image format called WIMGAPI that developers can use to work with WIM image files.
WIM allows for nondestructive application of images. This means that you can leave data on the volume to which you apply the image because the application of the image does not erase the disk's existing contents.
WIM provides the ability to start Windows Preinstallation Environment (Windows PE) from a WIM file.
Key Points
There are several tools and technologies that you can use to perform image-based installation of Windows.
Windows Setup (setup.exe): this is the program that installs the Windows operating system or upgrades previous versions of the Windows operating system.
Answer File: this is an XML file that stores the answers for a series of graphical user interface (GUI) dialog boxes. The answer file for Windows Setup is commonly called Unattend.xml. You can create and modify the answer file by using Windows System Image Manager (Windows SIM). The Oobe.xml answer file is used to customize Windows Welcome, which starts after Windows Setup and during the first system startup.
Catalog: this binary file (.clg) contains the state of the settings and packages in a Windows image.
Windows Automated Installation Kit (Windows AIK): this is a collection of tools and documentation that you can use to automate the deployment of Windows operating systems. It includes the following:
Windows System Image Manager (Windows SIM): this tool enables you to create unattended installation answer files and distribution shares or modify the files contained in a configuration set.
Windows Preinstallation Environment (Windows PE): this is a minimal 32 or 64-bit operating system with limited services, built on the Windows 7 kernel. Use Windows PE in Windows installation and deployment.
ImageX: this command-line tool captures, modifies, and applies installation images for deployment.
User State Migration Tool (USMT): this tool is used to migrate user settings from a previous Windows operating system to Windows 7.
Deployment Image Servicing and Management (DISM): this tool is used to service and manage Windows images.
System Preparation (Sysprep): Sysprep prepares a Windows image for disk imaging, system testing, or delivery to a customer. Sysprep can be used to remove any system-specific data from a Windows image. After removing unique system information from an image, you can capture that Windows image and use it for deployment on multiple systems.
Diskpart: this is a command-line tool for hard disk configuration.
Windows Deployment Services (WDS): WDS is a server-based deployment solution that enables an administrator to set up new client computers over the network, without having to visit each client.
Virtual Hard Disk (VHD): the Microsoft Virtual Hard Disk file format (.vhd) is a publicly available format specification that specifies a virtual hard disk encapsulated in a single file. It is capable of hosting native file systems and supporting standard disk operations.
Key Points
The image-based installation process consists of five high-level steps. These steps include the following:
1. Build an Answer File: you can use an answer file to configure Windows settings during installation. You can use Windows System Image Manager (Windows SIM) to assist in creating an answer file, although in principle you can use any text editor to create an answer file.
2. Build a Reference Installation: a reference computer has a customized installation of Windows that you plan to duplicate onto one or more destination computers. You can create a reference installation by using the Windows product DVD and an answer file.
3. Create a Bootable Windows PE Media: you can create a bootable Windows PE disk on a CD/DVD by using the Copype.cmd script. Windows PE enables you to start a computer for the purposes of deployment and recovery.
4. Capture the Installation Image: you can capture an image of your reference computer by using Windows PE and the ImageX tool. You can store the captured image on a network share.
5. Deploy the Installation Image: after you have an image of your reference installation, you can deploy the image to the target computer. You can use the DiskPart tool to format the hard drive and copy the image from the network share. Use ImageX to apply the image to the destination computer. For high-volume deployments, you can store the image of the new installation to your distribution share and deploy the image to destination computers by using deployment tools, such as Windows Deployment Services (WDS) or Microsoft Deployment Toolkit (MDT).
Key Points
This demonstration shows how to create an answer file by using Windows SIM.
Note: If a catalog file does not exist for this edition of Windows 7, then you will be prompted to create a catalog file. The creation process takes several minutes.
4. Expand Components and expand x86_Microsoft-Windows-Setup to configure settings primarily used in the windowsPE stage of an unattended installation and for Disk Configuration.
5. Expand UserData and click ProductKey to configure settings for unattended installation, where Windows 7 is installed from the install.wim file on the Windows 7 installation DVD.
6. Expand x86_Microsoft-Windows-Shell-Setup and open Add setting to Pass 4 specialize at x86_Microsoft-Windows-Shell-Setup to configure settings that will be applied after an operating system has been generalized by using Sysprep.
7. Enter a Product Key in the Microsoft-Windows-Shell-Setup Properties area.
Note: Placing a product key in this answer file prevents the need to enter the product key during the installation of a new image.
8. Close Windows System Image Manager and do not save any changes.
Note: For more information, please refer to Windows SIM Technical Reference at http://go.microsoft.com/fwlink/?LinkID=154216.
Question: Why might you use an answer file rather than manually completing the installation of Windows 7?
Key Points
The Sysprep tool prepares an installation of the Windows operating system for duplication, auditing, and end-user delivery.
Option: Description
/audit: Restarts the computer in audit mode. Audit mode enables you to add drivers or applications to Windows. You can also test an installation of Windows before it is sent to an end user. If an unattended Windows setup file is specified, the audit mode of Windows Setup runs the auditSystem and auditUser configuration passes.
/generalize: Prepares the Windows installation to be imaged. If this option is specified, all unique system information is removed from the Windows installation. The security ID (SID) resets, any system restore points are cleared, and event logs are deleted. The next time the computer starts, the specialize configuration pass runs. A new security ID (SID) is created, and the clock for Windows activation resets, if the clock has not already been reset three times.
/oobe: Restarts the computer in Windows Welcome mode. Windows Welcome enables end users to customize their Windows operating system, create user accounts, name the computer, and other tasks. Any settings in the oobeSystem configuration pass in an answer file are processed immediately before Windows Welcome starts.
/reboot: Restarts the computer. Use this option to audit the computer and to verify that the first-run experience operates correctly.
/shutdown: Shuts down the computer after the Sysprep command finishes running.
/quiet: Runs the Sysprep tool without displaying on-screen confirmation messages. Use this option if you automate the Sysprep tool.
/quit: Closes the Sysprep tool after running the specified commands.
/unattend:answerfile: Applies settings in an answer file to Windows during unattended installation. answerfile specifies the path and file name of the answer file to use.
Key Points
This demonstration shows how to create bootable Windows PE media that can be used for imaging computers.
Note: For more information on copype, copy, and oscdimg, please refer to:
http://go.microsoft.com/fwlink/?LinkID=154217,
http://go.microsoft.com/fwlink/?LinkID=154218,
http://go.microsoft.com/fwlink/?LinkID=154219
Question: After you have created the iso file, what do you do with it?
Capturing and Applying the Installation Image by Using ImageX
Key Points
ImageX is a command-line tool that enables you to capture, modify, and apply file-based WIM images.
Command: Description
/flags "EditionID": Specifies the version of Windows that you need to capture. This is required if you plan to re-deploy a custom Install.wim with Windows Setup. The quotes are also required. Valid EditionID values include: HomeBasic, HomePremium, Starter, Ultimate, Business, Enterprise, ServerDatacenter, ServerEnterprise, and ServerStandard.
/dir: Displays a list of files and folders within a volume image.
/info: Returns information about the .wim file. Information includes total file size, the image index number, the directory count, file count, and a description.
/capture: Captures a volume image from a drive to a new .wim file. Captured directories include all subfolders and data.
/apply: Applies a volume image to a specified drive. Note that you must create all hard disk partitions before beginning this process and run this option from Windows PE.
/append: Adds a volume image to an existing .wim file. Creates a single instance of the file, comparing it against the resources that already exist in the .wim file, so you do not capture the same file twice.
/delete: Removes the specified volume image from a .wim file.
/export: Exports a copy of a .wim file to another .wim file.
/mount and /mountrw: Mounts a .wim file with read or read/write permission. After the file is mounted, you can view and modify all of the information contained in the directory.
/unmount: Unmounts a mounted image from a specified directory. If you have modified a mounted image, you must apply the /commit option to save your changes.
/split: Splits large .wim files into multiple read-only .wim files.
Note: The preceding table is only a subset of the tools and functionality provided by ImageX. For a more detailed list of syntax commands, read the ImageX Technical Reference included in the Windows Automated Installation Kit Users Guide.
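The capture and deploy steps of the five-step process (steps 4 and 5) and the /capture, /apply, /flags and /info commands of this table, combined in one Windows PE batch script. This is an added example, not course or Microsoft code; the share \\LON-DC1\Data, the deployment account CONTOSO\DeployUser, the image name, the Enterprise edition flag and the use of disk 0 are assumptions, and the /verify option and the bcdboot and diskpart commands it calls are not listed in the table above.

```batch
@echo off
rem Added example (not from the course). Run from Windows PE either as
rem   deploy.cmd capture   on a generalized (Sysprep /generalize) reference PC
rem   deploy.cmd apply     on a target PC whose disk 0 may be wiped
rem Assumed/constructed values: share, account, image name, edition flag.
setlocal
set SHARE=\\LON-DC1\Data
set IMGNAME=Win7 Reference

rem Map the share with a dedicated, least-privilege deployment account; the
rem password is prompted for (*) so it is never stored in this file.
net use Z: %SHARE% /user:CONTOSO\DeployUser * || goto :fail

if /i "%1"=="capture" goto :capture
if /i "%1"=="apply"   goto :apply
echo Usage: %~nx0 capture ^| apply
goto :fail

:capture
rem /flags names the edition so Windows Setup accepts the custom install.wim;
rem /verify makes ImageX re-check the data it writes against the source.
imagex /capture C: Z:\install.wim "%IMGNAME%" /flags "Enterprise" /verify || goto :fail
rem Record size, index and description so the image can be validated later.
imagex /info Z:\install.wim > Z:\install-wim-info.txt
goto :done

:apply
rem Partition and format disk 0 from a diskpart script (same commands as the
rem lab: select, format, assign).  "clean" destroys everything on disk 0.
(
  echo select disk 0
  echo clean
  echo create partition primary
  echo select partition 1
  echo format fs=ntfs label=Windows quick
  echo assign letter=c
  echo active
) > X:\part.txt
diskpart /s X:\part.txt || goto :fail
rem Apply the named volume image onto the new partition.
imagex /apply Z:\install.wim "%IMGNAME%" C:\ || goto :fail
rem BCDboot copies the boot environment files and creates the BCD store.
bcdboot C:\Windows /s C: || goto :fail
goto :done

:fail
echo Operation failed; see the messages above.
net use Z: /delete >nul 2>&1
exit /b 1

:done
net use Z: /delete >nul 2>&1
exit /b 0
```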
Key Points
Deployment Image Servicing and Management (DISM) is a command-line tool used to service Windows images offline before deployment. You can use it to install, uninstall, configure, and update Windows features, packages, drivers and international settings. Subsets of the DISM servicing commands are also available for servicing a running operating system.
The following table shows some of the more common command-line options available for DISM:
Option: Description
/Get-Help, /?: Displays information about available DISM command-line options and arguments. The options available for servicing an image depend on the servicing technology that is available in your image. Specifying an image, either an offline image or the running operating system, will generate information about specific options that are available for the image you are servicing. Example:
Dism /?
Dism /image:C:\test\offline /?
Dism /online /?
/Mount-Wim: Mounts the WIM file to the specified directory so that it is available for servicing. /ReadOnly sets the mounted image with read-only permissions. Optional. An index or name value is required for most operations that specify a WIM file. Example:
Dism /Mount-Wim /WimFile:C:\test\images\install.wim /index:1 /MountDir:C:\test\offline /ReadOnly
Dism /Mount-Wim /WimFile:C:\test\offline\install.wim /name:"Windows 7 Enterprise" /MountDir:C:\test\offline
/Get-MountedWimInfo: Lists the images currently mounted and information about the mounted image such as read/write permissions, mount location, mounted file path, and mounted image index. Example:
Dism /Get-MountedWimInfo
/Commit-Wim: Applies the changes you have made to the mounted image. The image remains mounted until the /unmount option is used. Example:
Dism /Commit-Wim /MountDir:C:\test\offline
/Unmount-Wim: Unmounts the WIM file and either commits or discards the changes made while the image was mounted. Example:
Dism /unmount-Wim /MountDir:C:\test\offline /commit
Dism /unmount-Wim /MountDir:C:\test\offline /discard
5. At the command prompt, type dism /mount-wim /wimfile:<path_to_image.wim> /name:<image_name> /mountdir:<path_to_mount_directory> to mount the WIM file to the mount directory.
6. At the command prompt, type dism /get-mountedwiminfo to display information about the mounted image.
7. When the image mounting is complete, type cd <path_to_mount_directory> to go to the mount directory.
8. At the command prompt, type dir to see the installation files for Windows 7 and modify them.
9. At the command prompt, type cd \ to go to the root directory.
10. At the command prompt, type dism /image:<path_to_image> /? to display the available options for servicing an image such as adding a driver or adding a feature.
11. At the command prompt, type dism /image:<path_to_image> /add-driver /driver:<folder_containing_INF> to add the driver (INF) file to the image in the mount directory.
12. At the command prompt, type dism /unmount-wim /mountdir:<path_to_mount_directory> /discard to unmount the image from the mounted folder and discard changes.
13. Close all open windows.
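Steps 5 to 12 above as a batch script that can be rerun safely: it refuses to touch a directory that already holds a mounted image, discards on any failure so no stale mount is left behind, and commits only when driver injection succeeded. This is an added example rather than course code; the WIM path, image name, mount directory and driver folder are constructed, and the /recurse and /get-drivers options it uses are DISM options not shown in the table above.

```batch
@echo off
rem Added example (not from the course): offline driver injection with DISM.
rem Constructed paths and image name; adjust to your own lab.
setlocal
set WIMFILE=C:\test\images\install.wim
set IMGNAME=Windows 7 Enterprise
set MOUNTDIR=C:\test\offline
set DRIVERS=C:\test\drivers

if not exist "%MOUNTDIR%" mkdir "%MOUNTDIR%"

rem Refuse to proceed if an image is already mounted there: a stale mount
rem from an interrupted run would otherwise be modified or committed blindly.
dism /get-mountedwiminfo | findstr /i /c:"%MOUNTDIR%" >nul && (
  echo %MOUNTDIR% already holds a mounted image; unmount it first.
  exit /b 1
)

rem Step 5: mount the named image read/write.
dism /mount-wim /wimfile:"%WIMFILE%" /name:"%IMGNAME%" /mountdir:"%MOUNTDIR%" || (
  echo Mount failed.
  exit /b 1
)

rem Step 11: inject every INF-based driver under the staging folder.
rem Only vendor-signed drivers belong here: anything injected ends up on every
rem computer the image is deployed to.
dism /image:"%MOUNTDIR%" /add-driver /driver:"%DRIVERS%" /recurse
if errorlevel 1 (
  echo Driver injection failed; discarding all changes.
  dism /unmount-wim /mountdir:"%MOUNTDIR%" /discard
  exit /b 1
)

rem Record the drivers now in the image alongside the build for review.
dism /image:"%MOUNTDIR%" /get-drivers > "%MOUNTDIR%-drivers.txt"

rem Everything succeeded: commit the changes and unmount in one step.
dism /unmount-wim /mountdir:"%MOUNTDIR%" /commit || (
  echo Commit failed; the image may still be mounted. Check dism /get-mountedwiminfo.
  exit /b 1
)
exit /b 0
```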
Key Points
USMT is a scriptable command-line tool that provides a highly customizable user-profile migration experience for IT professionals. The following shows the components of USMT:
ScanState.exe: the ScanState tool scans the source computer, collects the files and settings, and then creates a store.
LoadState.exe: the LoadState tool migrates the files and settings, one at a time, from the store to a temporary location on the destination computer.
Migration .xml files: the .xml files used by USMT for migrations are MigApp.xml, MigUser.xml, or MigDocs.xml and any custom .xml files that you create.
The MigApp.xml file: specify this file with both the ScanState and LoadState commands to migrate application settings to computers running Windows 7.
The MigUser.xml file: specify this file with both the ScanState and LoadState commands to migrate user folders, files, and file types to computers running Windows 7.
The MigDocs.xml file: specify this file with both the ScanState and LoadState tools to migrate all user folders and files that are found by the MigXmlHelper.GenerateDocPatterns helper function.
Custom .xml files: you can create custom .xml files to customize the migration for your unique needs. For example, you may want to create a custom file to migrate a line-of-business application or to modify the default migration behavior.
Config.xml: if you want to exclude components from the migration, you can create and modify the Config.xml file using the /genconfig option with the ScanState tool.
Component Manifests for Windows Vista and Windows 7: when the source or destination computer is running Windows Vista or Windows 7, the component-manifest files control which operating system settings are migrated and how they are migrated.
Down-level Manifest files: when the source computer is running a supported version of Windows XP, these manifest files control which operating-system and Internet Explorer settings are migrated and how they are migrated.
USMT internal files: all other .dll, .xml, .dat, .mui, and .inf files that are included with USMT are for internal use.
USMT is intended for administrators who are performing large-scale automated deployments. For example, you can automate USMT by scripting it in the logon script. If you are only migrating the user states of a few computers, you can use Windows Easy Transfer.
The ScanState tool provides various options related to specific categories. These categories are explained in the following sections.
ScanState Options
The following table describes commonly used ScanState options:
Option: Description
StorePath: Indicates the folder in which to save the files and settings (for example, a network share; StorePath cannot be c:\). You must specify StorePath on the ScanState command line except when using the /genconfig option. You cannot specify more than one StorePath.
/i:[Path\]Filename: Specifies an .xml file that contains rules that define what state to migrate. You can specify this option multiple times to specify all of your .xml files.
/hardlink: Enables the creation of a hard-link migration store at the specified location. The /nocompress option must be specified with the /hardlink option. Additionally, the <HardLinkStoreControl> element can be used in the Config.xml file to change how the ScanState command creates hard-links to files that are locked by another application.
The LoadState tool uses most of the same options as the ScanState tool.
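A wipe-and-load migration on one computer (the disk is not formatted between the two runs) using the StorePath, /i, /hardlink and /nocompress options above, written as an added batch script that is not part of the course. The USMT folder C:\USMT\x86, the store C:\MigStore and the log folder C:\MigLogs are assumptions, as are the /o, /c, /l, /v and /lac options and UsmtUtils /rd from the USMT reference, which the table above does not list.

```batch
@echo off
rem Added example (not from the course).
rem   migrate.cmd scan   on the old Windows before Windows 7 is installed
rem   migrate.cmd load   on Windows 7 afterwards, on the same computer
rem Constructed paths; the hard-link store must be on the same volume as
rem the user data, because it links to the files instead of copying them.
setlocal
set USMT=C:\USMT\x86
set STORE=C:\MigStore
set LOGS=C:\MigLogs
if not exist "%LOGS%" mkdir "%LOGS%"

if /i "%1"=="scan" goto :scan
if /i "%1"=="load" goto :load
echo Usage: %~nx0 scan ^| load
exit /b 1

:scan
rem /hardlink requires /nocompress.  MigDocs.xml is used instead of
rem MigUser.xml so every document found by GenerateDocPatterns is covered.
rem /o overwrites an old store, /c continues past non-fatal errors (they are
rem written to the log), /l and /v set the log file and verbosity.  The log
rem must not be inside StorePath.
"%USMT%\scanstate.exe" %STORE% /hardlink /nocompress /o /c ^
  /i:"%USMT%\MigApp.xml" /i:"%USMT%\MigDocs.xml" ^
  /l:"%LOGS%\scan.log" /v:13
if errorlevel 1 (
  echo ScanState returned %errorlevel%; review %LOGS%\scan.log before installing.
  exit /b 1
)
rem The store now references every user's files; it keeps their original
rem ACLs, so do not widen permissions on it and delete it right after load.
exit /b 0

:load
rem Same rule files on both sides.  /lac creates local accounts that do not
rem exist on the new installation; without /lae they stay disabled, which is
rem the safe default until an administrator reviews them.
"%USMT%\loadstate.exe" %STORE% /hardlink /nocompress /c /lac ^
  /i:"%USMT%\MigApp.xml" /i:"%USMT%\MigDocs.xml" ^
  /l:"%LOGS%\load.log" /v:13
if errorlevel 1 (
  echo LoadState returned %errorlevel%; review %LOGS%\load.log.
  exit /b 1
)
rem Remove the hard-link store now that the data has been relinked.
"%USMT%\usmtutils.exe" /rd %STORE%
exit /b 0
```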
Configuring VHDs
Key Points
In Windows 7, a VHD can be used to store an operating system to run on a computer without a parent operating system, virtual machine or hypervisor. This feature, called VHD boot, is a new feature in Windows 7 that eases the transition between virtual and physical environments. It is best used in the following scenarios:
In an organization that has hundreds of users working remotely through VDI, but also needs the same desktop images as the users working onsite using physical computers.
In an organization with users in a highly managed environment that use technologies such as Folder Redirection and Roaming User Profiles so that the user state is not stored in the image.
As dual boot, when you only have a single disk volume, as an alternative to running virtual machines.
BCDEdit is a command-line tool for managing Boot Configuration Data (BCD) stores, and BCDboot is a command-line tool for initializing the BCD store and copying boot environment files to the system partition. You can also automate the network deployment of a VHD by using WDS. WDS can be used to copy the VHD image to a local partition and to configure the local Boot Configuration Data (BCD) for native boot from the VHD.
Question: Given that a Windows 7 based VHD is configured to run in a Virtual PC, can you configure the same VHD to run in native boot?
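The dual-boot scenario from the Key Points above, as an added batch script (not course code) that creates a VHD with diskpart, applies a Windows 7 image into it with ImageX and registers it for native boot with BCDboot. The VHD path and size, the image file and name and the drive letter V: are constructed values; the diskpart vdisk commands and bcdedit /enum are real commands not shown on this page, and native VHD boot requires a Windows 7 Enterprise or Ultimate image.

```batch
@echo off
rem Added example (not from the course). Run from an elevated command prompt
rem on Windows 7.  Constructed values: VHD path/size, image file and name.
setlocal
set VHD=C:\VHD\win7boot.vhd
set WIMFILE=\\LON-DC1\Data\install.wim
set IMGNAME=Windows 7 Enterprise

if not exist C:\VHD mkdir C:\VHD
if exist "%VHD%" (
  echo %VHD% already exists; refusing to overwrite it.
  exit /b 1
)

rem diskpart script: create a fixed-size VHD (so the host volume cannot run
rem out of space underneath the running OS), attach it, and prepare one
rem NTFS partition on it with the temporary letter V:.
(
  echo create vdisk file="%VHD%" maximum=30000 type=fixed
  echo select vdisk file="%VHD%"
  echo attach vdisk
  echo create partition primary
  echo format fs=ntfs label=Win7VHD quick
  echo assign letter=v
) > "%TEMP%\mkvhd.txt"
diskpart /s "%TEMP%\mkvhd.txt" || goto :fail

rem Lay the Windows files into the VHD exactly as onto a physical partition.
imagex /apply "%WIMFILE%" "%IMGNAME%" V:\ || goto :fail

rem BCDboot run against the VHD's Windows folder adds a boot entry whose
rem device is the VHD file to the BCD store on the existing system partition.
bcdboot V:\Windows || goto :fail

rem Show the resulting entries so the VHD device can be confirmed before reboot.
bcdedit /enum osloader

call :detach
exit /b 0

:fail
echo Failed; detaching the VHD if it is attached.
call :detach
exit /b 1

:detach
(
  echo select vdisk file="%VHD%"
  echo detach vdisk
) > "%TEMP%\rmvhd.txt"
diskpart /s "%TEMP%\rmvhd.txt" >nul 2>&1
goto :eof
```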
Lesson 5
Application compatibility is a considerable factor that determines the success of an operating system deployment project. Application compatibility issues can affect core business functions by preventing users from performing their work. You must plan for these issues by understanding common problems that can occur. Additionally, you must understand common application compatibility issues that may be experienced during a typical operating system deployment and how to mitigate and resolve these issues.
Key Points
An application written for a specific operating system can cause problems when installed on a computer with a different operating system. This can occur for a number of reasons. Generally, applications and hardware that worked on Windows Vista will continue to work on Windows 7. To troubleshoot and address the problems effectively, it is important to be aware of the general areas that typically cause most compatibility issues.
The following shows several areas of concern with Windows 7 application compatibility.
Setup and installation of applications: during application setup and installation, two common issues can prevent the application from installing properly or even installing at all:
Applications try to copy files and shortcuts to folders that existed in a previous Windows operating system, but no longer exist for the new operating system.
Applications try to refer to Windows features which have been renamed in Windows 7.
User Account Control (UAC): UAC adds security to Windows by limiting administrator-level access to the computer, restricting most users to run as Standard Users. UAC also limits the context in which a process executes to minimize the ability of users to inadvertently expose their computer to viruses or other malware. UAC may result in the following compatibility issues:
Custom installers, uninstallers, and updaters may not be detected and elevated to run as administrator.
Standard user applications that require administrative privileges to perform their tasks may fail or not make this task available to standard users.
Applications that attempt to perform tasks for which the current user does not have the necessary permissions may fail. How the failure manifests itself is dependent upon how the application was written.
Control panel applications that perform administrative tasks and make global changes may not function properly and may fail.
DLL applications that run using RunDLL32.exe may not function properly if they perform global operations.
Standard user applications writing to global locations will be redirected to per-user locations through virtualization.
Windows Resource Protection (WRP): WRP is designed to protect Windows resources (files, folders, registries) in a read-only state. Application installers that attempt to replace, modify, or delete operating system files and/or registry keys that are protected by WRP may fail with an error message indicating that the resource cannot be updated.
Internet Explorer Protected Mode: Internet Explorer Protected Mode helps to defend against elevation-of-privilege attacks by restricting the ability to write to any local computer zone resources other than temporary Internet files. Applications that use Internet Explorer and try to write directly to the disk while in the Internet or Intranet zone may fail.
64-Bit architecture: Windows 7 fully supports 64-bit architecture. Applications or components that use 16-bit executables, 16-bit installers, or 32-bit kernel drivers will either fail to start or will function improperly.
Windows Filtering Platform (WFP): WFP is an application program interface (API) that enables developers to create code that interacts with the filtering that occurs at several layers in the networking stack and throughout the operating system. If you are using a previous version of this API in your environment, you may experience failures when running security class applications, such as network-scanning, antivirus programs, or firewall applications.
Operating System Version Changes: the operating system version number changes with each operating system release. For Windows Vista, the internal version number is 6, whereas for Windows 7, the internal version number is 6.1. This change affects any application or application installer that specifically checks for the operating system version and might prevent the installation from occurring or the application from running.
Kernel-mode drivers: kernel-mode drivers must support the Windows 7 operating system or be redesigned to follow the User-Mode Driver Framework (UMDF). UMDF is a device driver development platform that was introduced in Windows Vista.
Deprecated components: the release of Windows 7 has also introduced issues with deprecated APIs or DLLs from Windows XP and Windows Vista, the new credential provider framework, and service isolation. These cause applications that used the deprecated APIs or DLLs, applications that use the old credential provider, and applications that do not support service isolation to lose functionality or to fail to start.
Key Points
The Application Compatibility Toolkit (ACT) 5.5 enables you to determine whether your applications are compatible with Windows 7. ACT also helps you determine how an update to the new version will affect your applications. You can use the ACT features to:
Verify your application, device, and computer compatibility with a new version of the Windows operating system.
Verify a Windows update's compatibility.
Become involved in the ACT community and share your risk assessment with other ACT users.
Test your Web applications and Web sites for compatibility with new releases and security updates to Internet Explorer.
Note: For more information on ACT 5.5, refer to: http://go.microsoft.com/fwlink/?LinkID=154220.
Mitigation Methods
Mitigating an application compatibility issue typically depends on various factors, such as the type of application and current support for the application. Some of the more common mitigation methods include the following:
Modifying the configuration of the existing application: you can use tools such as the Compatibility Administrator or the Standard User Analyzer (installed with ACT) to detect and create application fixes (also called shims) to address the compatibility issues.
Applying updates or service packs to the application: updates or service packs may be available to address many of the compatibility issues and help the application to run with the new operating system environment.
Upgrading the application to a compatible version: if a newer, compatible version of the application exists, the best long-term mitigation is to upgrade to the newer version.
Modifying the security configuration: as an example, Internet Explorer Protected Mode can be mitigated by adding the site to the trusted site list or by turning off Protected Mode (which is not recommended).
Running the application in a virtualized environment: if all other methods are unavailable, you may be able to run the application in an earlier version of Windows using virtualization tools such as Windows Virtual PC and Microsoft Virtual Server. You can also use Windows Virtual PC and Windows XP Mode to run older Windows XP business software from a Windows 7 computer. Install legacy applications in virtual Windows XP, and then publish and seamlessly launch the applications from the Windows 7 computer as if the applications were Windows 7 capable.
Using application compatibility features: application issues, such as operating system versioning, can be mitigated by running the application in compatibility mode. This mode can be accessed by right-clicking the shortcut or .exe file and applying Windows Vista compatibility mode from the Compatibility tab. You can also use the Program Compatibility Wizard to assist in configuring compatibility mode with an application. The Program Compatibility Wizard is found in the Control Panel under Programs and Features.
Selecting another application that performs the same business function: if another compatible application is available, you may want to consider switching to the compatible application.
Updating Shims
Key Points
A shim is a softw ware program added to an e existing applic cation or other program to p r provide enhanc cement or stability. In th application compatibility context, shim refers to a compatibility fix, which is a sm r he , mall pi iece of code th intercepts API calls from applications, t hat transforming t them so Windo 7 will prov ows vide the sa ame product support for the application as earlier versio of Window This can me anything f e ons ws. ean from di isabling a new feature in Windows 7 to em w mulating a particular behavio of an earlier version of Win32 or r API set. he to w y Th Compatibility Administrator Tool, installed with ACT, can be used t create a new compatibility fix. Th tool has preloaded many common app his y plications, inclu uding any kno own compatibility fixes, co ompatibility modes, or AppH m Help messages Before you c s. create a new co ompatibility fix search for an x, ex xisting application and then copy and past the known fixes into your customized d te r database.
Note: 6292A-LON-VS1 is the computer running Windows Vista. 6292A-LON-CL1 is the computer running Windows 7.
Note: The migration process used in this lab for moving settings from Windows Vista to Windows 7 also applies to moving settings from Windows XP to Windows 7.
Save settings only for CONTOSO\Don. Use a password of Pa$$w0rd to protect the settings. Save the settings as DonProfile in \\LON-DC1\Data.
Note: 6292A-LON-CL2 is the computer configured with the reference image that you will be generalizing.
Note: The steps in Task 3 of this exercise are required only because the exercise is being performed with virtual machines. The legacy network adapter is required because Windows PE includes a driver for the legacy network adapter, but does not include a driver for the synthetic network adapter.
Open the settings for 6292A-LON-CL2 and attach C:\Program Files\Microsoft Learning\6292\Drives\winpe_x86.iso to the DVD drive. In Hyper-V Manager, right-click 6292A-LON-CL2 and click Settings. In the left pane, click DVD Drive. In the right pane, click Image file and then click Browse. Browse to C:\Program Files\Microsoft Learning\6292\Drives, click winpe_x86.iso, and then click Open.
Add a legacy network adapter: In the left pane, click Add Hardware. In the right pane, click Legacy Network Adapter and then click Add. In the Network box, click Private Network. Click OK.
While the image creation is performed, begin working on Exercise 3. Results: After this exercise, you will have created a generalized image of LON-CL2 and stored it on the network share \\LON-DC1\Data.
Note: 6292A-LON-VS1 is a computer running Windows Vista that the user state information is captured from. 6292A-LON-CL3 is the new computer that Windows 7 is being deployed to.
Format the new partition:
select partition 1
format fs=ntfs label=Windows quick
assign letter=c
Task 5: Perform initial operating system configuration for the new computer
On LON-CL3, close the command prompt to reboot the computer. Do not start from the CD or DVD. Use the following settings:
Country, time and currency format, keyboard: select the default values
User name: LocalAdmin
Computer name: 6292A-LON-CL3
Password: Pa$$w0rd
Password hint: Local Admin
Do not automatically activate Windows
Accept the license agreement
Ask me later about Windows updates
Time zone, date: select the default values
Network location: Work network
Tools
Windows Setup. Use for: Installing Windows or upgrading previous Windows versions. Where to find it: Windows 7 Product DVD.
Windows Upgrade Advisor. Use for: Assessing the feasibility of an upgrade to Windows 7. Where to find it: Microsoft Download Center.
Microsoft Assessment and Planning Toolkit. Use for: Assessing organization readiness for Windows 7. Where to find it: Microsoft Download Center.
Windows Easy Transfer. Use for: Migrating user settings and data in a side-by-side migration for a single or few computers. Where to find it: Windows 7, Windows 7 Product DVD, Microsoft Download Center.
Windows Automated Installation Kit (Windows AIK). Use for: Supporting the deployment of the Windows operating system.
User State Migration Tool. Use for: Migrating user settings and data for a large number of computers.
Windows SIM. Use for: Creating unattended installation answer files.
ImageX. Use for: Capturing, creating, modifying, and applying the WIM file.
Windows PE. Use for: Installing and deploying the Windows operating system.
Sysprep. Use for: Preparing Windows installation for disk
Diskpart. Where to find it: Windows AIK, Windows 7.
WDS. Where to find it: Microsoft Download Center for Windows Server 2003 SP1; Server Role in Windows Server 2008 and Windows Server 2008 R2.
DISM. Use for: Servicing and managing Windows images. Where to find it: Windows 7, Windows AIK.
ACT. Use for: Inventorying and analyzing organization application compatibility; Creating application fixes. Where to find it: Microsoft Download Center.
Module 2
Configuring Disks and Device Drivers
Contents:
Lesson 1: Partitioning Disks in Windows 7 (2-3)
Lesson 2: Managing Disk Volumes (2-9)
Lesson 3: Maintaining Disks in Windows 7 (2-18)
Lesson 4: Installing and Configuring Device Drivers (2-23)
Lab: Configuring Disks and Device Drivers (2-33)
Module Overview
Whether IT professionals manage and deploy desktops, laptops, or virtual environments, the Windows 7 operating system simplifies common tasks and leverages existing tools and skills.
To help ensure that previously installed devices continue to work in Windows 7, when updated device drivers are required, Microsoft is working to ensure that you can get them directly from Windows Update or from device manufacturer Web sites.
Although most computers that are running Windows 7 have a single physical disk configured as a single volume, this is not always the case. For example, there may be times when you want to have multiple operating systems on a single computer or to have the virtual memory on a different volume. Therefore, it is important that you understand how to create and manage simple, spanned, and striped volumes. To help optimize file system performance, you must be familiar with file system fragmentation and the tools used to help defragment a volume. In addition, a good understanding of disk quotas helps you manage available disk space on installed volumes.
Lesson 1
When you install a disk in a computer that is running Windows 7, you can choose to select one of two partitioning schemes:
Master Boot Record (MBR)-based partitioning scheme
Globally unique identifier (GUID) partition table (GPT)-based partitioning scheme
The following are common reasons to partition a disk:
Separate operating system files from data and user files.
Place applications and data files in the same location.
Put cache, log, and paging files in a location separate from other files.
Create multiboot setup environments.
You can use Disk Management to perform disk-related tasks such as creating and formatting partitions and volumes, and assigning drive letters. In addition, you can use the diskpart command, along with other command-line utilities, to perform disk management tasks such as partitioning disks or converting disks from one partition scheme to the other.
Key Points
A Master Boot Record (MBR) disk is a bootable hard disk that contains an MBR. The MBR is the first sector on a hard disk. The MBR is created when the disk is partitioned and contains a four-partition entry table describing the size and location of a partition on disk using 32-bit Logical Block Address (LBA) fields. The MBR is stored at a consistent location on a physical disk, enabling the computer BIOS to reference it. During the startup process, the computer examines the MBR to determine which partition on the installed disks is marked as active. The active partition contains the operating system startup files.
The MBR scheme imposes certain restrictions that include the following:
Four partitions for each disk
A 2 Terabyte (TB) maximum partition size
No redundancy provided
Question: What are three restrictions of an MBR partitioned disk? Have you encountered these limitations in your organization, and if so, what did you do to work around them?
Key Points
As operating systems evolve and hard disks grow larger, the inherent restrictions of an MBR partitioned disk limit the viability of this partitioning scheme as an option in many scenarios. Consequently, a new disk partitioning system has been developed: Globally unique identifier (GUID) partition table, or GPT. GPT-based disks address the limitations of MBR-based disks.
GPT contains an array of partition entries describing the start and end LBA of each partition on disk. Each GPT partition has a unique identification GUID and a partition content type. Also, each LBA described in the partition table is 64 bits in length. Both 32-bit and 64-bit Windows operating systems support GPT for data disks on BIOS systems, but they cannot start from them. The 64-bit Windows operating systems support GPT for boot disks on UEFI systems.
GPT disks support:
128 partitions for each disk
18 Exabyte (EB) volume size
Redundancy
On a GPT partitioned disk, the following sectors are defined:
Sector 0 contains a legacy protective MBR. The protective MBR contains one primary partition that covers the entire disk.
Sector 1 contains a partition table header. The partition table header contains the unique disk GUID, the number of partition entries (usually 128), and pointers to the partition table.
The partition table starts at sector 2. Each partition entry contains a unique partition GUID, the partition offset, length, type, attributes, and a name.
Question: How does a GPT partitioned disk on a 64-bit Windows 7 operating system use an MBR?
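The MBR and GPT layouts described in this lesson (four 16-byte MBR entries with 32-bit LBA fields, the protective MBR in sector 0, the header in sector 1, the entry array from sector 2) as an added Python example that is not part of the course: it builds a small GPT disk image in memory from constructed values, parses it back, and verifies the header and entry-array CRC32 fields so a corrupted table is rejected. The two partition type GUIDs are real well-known values; every other value is constructed for the sample.

```python
"""Added example (not course code): build a small GPT disk image in memory and
parse its protective MBR, GPT header and partition entries, as the lesson describes."""
import struct
import uuid
import zlib

SECTOR = 512
ENTRY_SIZE = 128
NUM_ENTRIES = 128          # the usual entry count noted in the lesson
# Well-known partition type GUIDs (real values); the rest of the disk is constructed.
ESP_TYPE = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")
BASIC_DATA_TYPE = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")
PROTECTIVE_TYPE = 0xEE     # partition type byte used by the protective MBR


def mbr_max_partition_bytes():
    """MBR entries hold 32-bit LBA start/length fields: 2^32 sectors of 512 bytes (2 TB)."""
    return (2 ** 32) * SECTOR


def parse_mbr(sector0):
    """Decode the four 16-byte entries at offset 446 of sector 0; skip unused slots."""
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 lacks the 0x55AA boot signature")
    entries = []
    for i in range(4):
        boot, ptype, start, count = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * i)
        if ptype != 0:
            entries.append({"slot": i + 1, "active": boot == 0x80, "type": ptype,
                            "start_lba": start, "sectors": count})
    return entries


def parse_gpt(image):
    """Decode the header in sector 1 and the entry array it points to (sector 2).
    Both CRC32 fields are checked, so a corrupted or tampered table is rejected."""
    hdr_fmt = "<8sIIIIQQQQ16sQIII"
    (sig, _rev, hdr_size, hdr_crc, _rsv, cur_lba, bak_lba, first_use, last_use,
     disk_guid, entry_lba, n_entries, entry_size, table_crc) = struct.unpack_from(hdr_fmt, image, SECTOR)
    if sig != b"EFI PART":
        raise ValueError("no GPT signature in sector 1")
    raw = image[SECTOR:SECTOR + hdr_size]
    if zlib.crc32(raw[:16] + bytes(4) + raw[20:]) != hdr_crc:   # CRC is computed with its field zeroed
        raise ValueError("GPT header CRC32 mismatch")
    table = image[entry_lba * SECTOR:entry_lba * SECTOR + n_entries * entry_size]
    if zlib.crc32(table) != table_crc:
        raise ValueError("GPT partition entry array CRC32 mismatch")
    parts = []
    for i in range(n_entries):
        type_guid, part_guid, first, last, attrs, name = struct.unpack_from(
            "<16s16sQQQ72s", table, i * entry_size)
        if type_guid != bytes(16):                               # all-zero type GUID = empty entry
            parts.append({"type": uuid.UUID(bytes_le=type_guid), "guid": uuid.UUID(bytes_le=part_guid),
                          "first_lba": first, "last_lba": last, "attributes": attrs,
                          "name": name.decode("utf-16-le").rstrip("\x00")})
    header = {"disk_guid": uuid.UUID(bytes_le=disk_guid), "current_lba": cur_lba, "backup_lba": bak_lba,
              "first_usable": first_use, "last_usable": last_use, "num_entries": n_entries}
    return header, parts


def build_sample_disk(total_sectors=8192):
    """Construct a disk image: protective MBR, header, 128-entry table, two partitions."""
    image = bytearray(total_sectors * SECTOR)
    # Sector 0: one 0xEE primary partition that covers the whole disk (capped at 32 bits).
    struct.pack_into("<B3xB3xII", image, 446, 0x00, PROTECTIVE_TYPE, 1,
                     min(total_sectors - 1, 0xFFFFFFFF))
    image[510:512] = b"\x55\xaa"
    table_sectors = NUM_ENTRIES * ENTRY_SIZE // SECTOR        # 32 sectors
    first_usable = 2 + table_sectors                          # LBA 34
    last_usable = total_sectors - 2 - table_sectors           # leave room for the backup copy
    table = bytearray(NUM_ENTRIES * ENTRY_SIZE)
    sample = [(ESP_TYPE, "EFI system partition", first_usable, first_usable + 1023),
              (BASIC_DATA_TYPE, "Basic data partition", first_usable + 1024, last_usable)]
    for i, (ptype, name, first, last) in enumerate(sample):
        struct.pack_into("<16s16sQQQ72s", table, i * ENTRY_SIZE, ptype.bytes_le,
                         uuid.uuid4().bytes_le, first, last, 0, name.encode("utf-16-le"))
    image[2 * SECTOR:2 * SECTOR + len(table)] = table
    # Sector 1: header carrying the table CRC, then its own CRC computed with the field zeroed.
    hdr = bytearray(struct.pack("<8sIIIIQQQQ16sQIII", b"EFI PART", 0x00010000, 92, 0, 0,
                                1, total_sectors - 1, first_usable, last_usable,
                                uuid.uuid4().bytes_le, 2, NUM_ENTRIES, ENTRY_SIZE, zlib.crc32(table)))
    struct.pack_into("<I", hdr, 16, zlib.crc32(hdr))
    image[SECTOR:SECTOR + len(hdr)] = hdr
    return bytes(image)


if __name__ == "__main__":
    disk = build_sample_disk()
    print("MBR entries:", parse_mbr(disk))
    header, parts = parse_gpt(disk)
    print("GPT header:", header)
    for p in parts:
        print(f"  {p['name']}: LBA {p['first_lba']}-{p['last_lba']} type {p['type']}")
```

The protective MBR shows up as a single type 0xEE entry, which is what a legacy tool sees, while the real layout only appears once the GPT header and its checksums are read.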
Key Points
With either the Disk Management Microsoft Management Console (MMC) snap-in or diskpart.exe, you can initialize disks, create volumes, and format the volume file system. Additional common tasks include moving disks between computers, changing disks between basic and dynamic types, and changing the partition style of disks. Most disk-related tasks can be performed without restarting the system or interrupting users, and most configuration changes take effect immediately.
To open Disk Management, click Start, type diskmgmt.msc in the search box, and then click diskmgmt.msc in the results list.
Diskpart.exe
Diskpart.exe allows you to manage fixed disks and volumes by using scripts or direct input from the command line. The following are common diskpart actions:
To run diskpart.exe, open a command prompt and type diskpart.
To view a list of diskpart commands, at the DISKPART> command prompt, type commands, or start Disk Management, and then open the Help Topics from the Help menu.
To create a log file of the diskpart session, type diskpart /s testscript.txt > logfile.txt.
Question: What is the effect on existing data when you convert a basic disk to a dynamic disk and vice versa?
This demonstration shows how to use both the diskpart command-line tool and the Disk Management snap-in to manage disk types.
Question: Which tool do you prefer to use to convert a new disk to GPT, the Disk Management snap-in or the diskpart.exe command-line tool?
Lesson 2
Before the Windows 7 operating system can access newly installed dynamic disks, you must create and format one or more volumes on a disk. Dynamic disks use a private region of the disk to maintain a Logical Disk Manager (LDM) database. The LDM database contains volume types, offsets, memberships, and drive letters for each volume. The LDM database is also replicated, so each dynamic disk knows about every other dynamic disk configuration. This feature makes dynamic disks more reliable and recoverable than basic disks.
You can configure volumes to use some or all the available space on a single disk, or configure the volume to span multiple disks. The following are examples of the types of dynamic volumes that can be created on dynamic disks:
Simple
Spanned
Striped
Mirrored
RAID-5
Key Points
A simple volume is a dynamic volume that encompasses available free space from a single, dynamic hard disk drive. It is a portion of a physical disk that functions as though it were a physically separate unit. Simple volumes can be extended on the same disk.
Simple volumes are not fault tolerant. When you use simple volumes, a physical disk failure results in data loss. However, the loss is limited to the failed drives. In some scenarios, this provides a level of data isolation that can be interpreted as greater reliability.
Volume I/O performance on a simple volume is the same as disk I/O performance. In some scenarios, a simple volume may provide better performance than striped data layout schemes. Striped volumes are discussed in a later topic. For example, when serving multiple, lengthy, sequential streams, performance is best when a single disk services each stream. Also, workloads that are composed of small, random requests do not always result in performance benefits when they are moved from a simple to a striped data layout.
Use the following information for guidance when creating or modifying simple volumes:
You must be a member of the Backup Operator or Administrator group.
Either diskpart.exe or Disk Management can be used to initialize disks, create volumes, and format the file system.
Before you can store data on the volumes, format each for use with the file system. Before you can format a volume, assign it either a drive letter or a mount point.
Before deleting volumes, make sure that the information on them has been backed up onto another storage medium and verified, or that the data is no longer needed.
You can create more than 26 volumes with Windows 7, but you cannot assign more than 26 drive letters for accessing these volumes. Volumes created after the twenty-sixth drive letter has been used must be accessed using volume mount points.
This demonstration shows how to create a simple volume. First a volume is created by using the Disk Management snap-in and then by using the diskpart command-line tool.
create partition primary size=100
list partition
select partition 2
format fs=ntfs label=simple2 quick
assign
Question: In what circumstances will you use less than all the available space on a disk in a new volume?
Key Points
A spanned volume joins areas of unallocated space on at least two, and at most thirty-two, disks into a single logical disk. Similar to a spanned volume, a striped volume also requires two or more disks; however, striped volumes map stripes of data cyclically across the disks.
Create a spanned volume when you want to encompass several areas of unallocated space on two or more disks. The benefits of using spanned volumes include fault isolation, uncomplicated capacity planning, and straightforward performance analysis.
The following are characteristics of spanned volumes:
You can only create spanned volumes on dynamic disks.
If you are creating a new spanned volume, define how much space to allocate from each physical disk.
A spanned volume concatenates areas of unallocated space on at least two, and at most thirty-two, disks into a single logical disk. This type of volume does not provide any fault tolerance.
There is no performance benefit to implementing spanned volumes; I/O performance is comparable to simple volumes.
You can shrink an entire spanned volume; however, it is not possible to selectively remove areas from a specific disk.
You can extend a spanned volume to include areas of unallocated space on a new disk, provided the 32 disk limit is not exceeded.
A striped volume (or RAID 0) requires two or more disks (up to 32) and maps equally sized stripes of data cyclically in unallocated space across the disks. It is possible to delete a striped volume, but it is not possible to extend or to shrink the volume. A striped volume requires multiple dynamic disks and the allocated space from each disk must be identical. Create a striped volume when you want to improve the I/O performance. Consider the following about striped volumes:
A striped data layout provides better performance than simple or spanned volumes if the stripe unit is appropriately selected based on workload and storage hardware characteristics.
Striped volumes provide for higher throughput by distributing I/O across all disks configured as part of the set.
Because no capacity is allocated for redundant data, RAID 0 does not provide fault tolerance like that in RAID 1 and RAID 5.
Striped volumes are well suited for isolating the paging file so that it is less likely to become fragmented, which helps improve performance.
The more disks that you combine, the faster the potential throughput is; however, the less reliable the volume becomes. The loss of any disk results in data loss on a larger scale than a simple or spanned volume because the entire file system spread across multiple physical disks is disrupted.
Question: Describe scenarios when you create a spanned volume and when you create a striped volume.
This demonstration shows how to create both spanned and striped volumes.
Question: What is the advantage of using striped volumes, and conversely what is the major disadvantage?
Key Points
You can shrink existing volumes to create additional, unallocated space to use for data or programs on a new volume. On the new volume, you can:
Install another operating system and then perform a dual boot.
Save data separate from the operating system.
When you extend a simple volume on the same disk, the volume remains a simple volume. However, when you extend a simple volume to include unallocated space on other disks on the same computer, a spanned volume is created.
To perform the shrink operation, ensure that the disk is either unformatted or formatted with the NTFS file system and that you are part of the Backup Operator or Administrator group. When you shrink a volume, contiguous free space is relocated to the end of the volume. Before you perform the shrink process, defragment the disk, reduce shadow copy disk space consumption, and make sure that no page files are stored on the volume to be shrunk.
Note: If the partition is a raw partition (that is, one without a file system) that contains data (such as a database file), shrinking the partition may destroy the data. Remember to make a backup prior to extending or shrinking a partition or volume.
This demonstration shows how to resize a volume with the diskpart utility; then, you see how to use the Disk Management tool to extend a simple volume.
Question: When might you need to reduce the size of the system partition?
Lesson 3
When you first create a volume, new files and folders are created on available free space on the volume in contiguous blocks; this provides an optimized file system environment. As the volume becomes full, the availability of contiguous blocks diminishes; this can lead to sub-optimal performance. This lesson explores file system fragmentation and the tools you can use to reduce fragmentation.
Key Points
Fragmentation of the file system occurs over time as you save, change, and delete files. Initially, the Windows I/O manager saves files in contiguous areas on a given volume. This is efficient for the physical disk as the read/write heads are able to access these contiguous blocks quickly.
As the volume fills up with data and other files, contiguous areas of free space are harder to find. In addition, when a file is extended, there may not be contiguous free space following the existing file blocks. This forces the I/O manager to save the remainder of the file in a non-contiguous area, resulting in disk fragmentation. Although the NTFS file system is more efficient than earlier file systems at handling disk fragmentation, this fragmentation still presents a potential performance problem.
Key Points
When defragmenting a disk, files are optimally relocated. This ability to relocate files benefits you when shrinking a volume, since it enables the system to free up space which can be reclaimed as required. Disk Defragmenter is a tool included with Windows 7 that rearranges fragmented data so that disks and drives can work more efficiently.
Disk Defragmenter runs automatically on a scheduled basis; however, you can perform a manual defragmentation at any time. To manually defragment a volume or drive, or to change the automatic defragmentation schedule, right-click a volume in Windows Explorer, click Properties, click the Tools tab, and then click Defragment Now. You can then perform the following tasks:
Disable automatic defragmentation.
Modify the defragmentation schedule.
Select which volumes you want to defragment.
Analyze the disk to determine whether it requires defragmentation.
Launch a manual defragmentation.
To verify that a disk requires defragmentation, in Disk Defragmenter select the disk you want to defragment and then click Analyze disk. Once Windows is finished analyzing the disk, check the percentage of fragmentation on the disk in the Last Run column. If the number is high, defragment the disk.
Disk Defragmenter might take from several minutes to a few hours to finish depending on the size and degree of fragmentation of the disk or USB device, for example an external hard drive. You can use the computer during the defragmentation process.
You can configure and run disk defragmentation from an elevated Command Prompt by using the defrag command-line utility instead of the Disk Defragmenter tool.
Key Points
A disk quota is a way for you to limit each person's use of disk space on a volume to conserve disk space. Disk quotas enable you to proactively track and restrict disk consumption. You can enable quotas on any NTFS-formatted volume, including local volumes, network volumes, and removable storage.
You can use quotas to only track disk space consumption and determine who is consuming available space; it is not required to restrict disk consumption at the same time.
You can also manage quotas by using the fsutil quota and fsutil behavior commands from the Command Prompt. Once a quota is created, you can export it and then import it for a different volume.
In addition to establishing quota settings on an individual computer by using the methods outlined above, you can also use Group Policy settings to configure quotas. This enables administrators to configure multiple computers with the same quota settings.
Over time, the amount of available disk space inevitably becomes less, so make sure that you have a plan to increase storage capacity.
Note: Quotas are tracked for every volume.
Question: How do you increase free disk space after exceeding the quota allowance?
This optional demonstration shows how to create and manage disk quotas.
Test the Configured Quotas by using a Standard User Account to Create Files
Create a new folder and copy the test files into the folder.
Lesson 4
Devices have changed from being single-function peripherals to complex, multifunction devices with a large amount of local storage and the ability to run applications. They have evolved from a single type of connection, such as USB, to multi-transport devices that support USB, Bluetooth, and WiFi.
Many of today's devices are often integrated and sold with services that are delivered over the Internet, which has simplified a computer's ability to recognize and use devices. Microsoft has expanded the list of devices and peripherals that are being tested for compatibility with Windows 7.
The device experience in Windows 7 is designed on existing connectivity protocols and driver models to maximize compatibility with existing devices. Seamless user experiences begin with the ability to connect devices efficiently. Additional drivers are retrieved automatically from Windows Update, and when appropriate, users are given an option to download and install additional applications for the device. All of this helps reduce support calls and increase customer satisfaction.
Key Points
A driver is a small software program that allows the computer to communicate with hardware or devices. It is also specific to an operating system. Without drivers, the hardware you connect to the computer does not work properly.
In most cases, drivers come with Windows or can be found by going to Windows Update and checking for updates. If Windows does not have the required driver, look for it on the disc that came with the hardware or device, or on the manufacturer's Web site.
The following is an overview of device driver information:
Windows 7 is available in 32-bit and 64-bit versions. Drivers developed for the 32-bit versions do not work with the 64-bit versions, and vice versa. You must make sure that you obtain the appropriate device driver before you install Windows 7.
The device drivers that are included with Windows 7 have a Microsoft digital signature. The digital signature indicates that a particular driver or file has met a certain level of testing and is stable and reliable.
The driver store is the driver repository. You can preload the driver store with drivers for commonly used peripheral devices. The driver store is located in systemroot\System32\DriverStore.
During hardware installation, if the appropriate driver is not available, Windows 7 uses Windows Error Reporting to report an unknown device.
The Device Metadata System provides an end-to-end process for defining and distributing device metadata packages. These packages contain device experience XML documents that represent the properties of the device and its functions, together with applications and services that support the device. Through these XML documents, the Devices and Printers folder and Device Stage present users with an interface that is specific to the device as defined by the device maker.
Key Points
Windows has supported Plug and Play for device and driver installation since Windows 9x. To support Plug and Play, devices contain configuration and driver information and must meet the following requirements:
Be uniquely identified.
State the services it provides and resources it requires.
Identify the driver that supports it.
Allow software to configure it.
Two key factors that impact the success of driver installation are when:
The device is supported by a driver package included with Windows or available on Windows Update.
The user has media with the driver package provided by the vendor.
Windows 7 includes several features that help an administrator make device driver installation more straightforward for users:
Staging driver packages in the protected driver store.
Configuring client computers to automatically search a list of folders, specified in the DevicePath registry entry, when a new device is attached to the computer. These folders can be hosted on a network share.
Restarting the system is rarely necessary when installing Plug and Play devices.
copies the device driver files from the driver store to their operational locations, and updates the registry as needed. Finally, Plug and Play starts the newly installed device driver. During this process the digital signature of the driver package is validated. If a matching package is not found in the driver store, Windows searches for a matching driver package by looking in the following locations:
Folders specified by the DevicePath registry entry
The Windows Update Web site
Media or a manufacturer's Web site provided after prompting the user
Staging the device driver packages in this manner provides significant benefit. After a driver package has been successfully staged, any user that logs on to that computer can install the drivers by simply plugging in the appropriate device.
Key Points
There are several areas in which you can manage devices and their related drivers: Device Manager, Devices and Printers, Device Stage, and the Pnputil tool run from an elevated Command Prompt.
The status of a device shows whether the device has drivers installed and whether Windows is able to communicate with the device. To view the status of a device:
1. Right-click the device and then click Properties.
2. Click the General tab and view the Device status area for a description of the current status.
and attempts to automatically download and install any drivers required for that device. Devices that display in Devices and Printers are usually external devices that you connect or disconnect from the computer through a port or network connection. In Devices and Printers, a multifunction printer shows and can be managed as one device instead of individual printer, scanner, or fax devices. In Device Manager, each individual component of a multifunction printer is displayed and managed separately.
Device Stage
Device Stage provides users with a new way to access devices and advanced options for managing them. Devices in use are shown with a photo-realistic icon. This icon can include quick access to common device tasks; status indicators that let users quickly discern battery status, device synchronization status, remaining storage capacity, links to product manuals, additional applications, community information and help, or additional products and services. The entire Device Stage experience remains current. Graphics, task definitions, status information, and links to Web sites are distributed to computers by using the Windows Metadata Information Service (WMIS).
Key Points
A newer version of a device driver often adds functionality and fixes problems that were discovered in earlier versions; many hardware problems can be resolved by installing updated device drivers. In addition, device driver updates often help resolve security problems and improve performance.
Dynamic Update is a feature that works with Windows Update to download any critical fixes and device drivers that are required for the setup process. Dynamic Update downloads the following types of files:
Critical Updates
Device drivers
When updated device drivers are required, Microsoft is working to ensure that you can get them directly from Windows Update or from device manufacturer Web sites.
You can manually update the driver used for a device in Device Manager by right-clicking the device and then clicking Update Driver Software.
Windows 7 includes several enhancements to the upgrade experience. A load driver feature is provided so that you can load a new or updated driver from the Compatibility Report and continue with the upgrade.
Key Points
A signed driver is a device dri iver that includ a digital sig des gnature. A dig gital signature is an electroni ic se ecurity mark th indicates th publisher o the software and if someone has change the original hat he of e ed l co ontents of the driver packag If a driver h been signed by a publish you can be confident the driver ge. has her, e e co omes from tha publisher an is not altere at nd ed. Be enefits of using signed drive include: ers Improved security. s Reduced su upport costs. Better user experience.
On each computer, Windows maintains a store for digital certificates. As the computer administrator, you can add certificates from trusted publishers. You can use Group Policy to deploy the certificates to client computers. Group Policy allows you to have the certificate automatically installed to all managed computers in a domain, organizational unit, or site.
If your organization has a Software Publishing Certificate, you can use that to add your own digital signature to drivers that you have tested and that you trust. You can use Sigverif.exe to check if unsigned device drivers are in the system area of a computer. You can obtain a basic list of signed and unsigned device drivers from a command prompt by running the driverquery command with the /si switch.
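The driverquery check described above can be automated. The following is an added example, not course material: it parses the CSV form of the driverquery /si output and lists every driver that reports IsSigned as FALSE. The sample output is constructed, and the four-column layout (DeviceName, InfName, IsSigned, Manufacturer) is assumed to match what driverquery /si /fo csv prints on Windows 7.

```python
"""List unsigned drivers from `driverquery /si /fo csv` output.

Added example (not part of the course). The sample text below is
constructed; on a Windows computer, run_driverquery() returns the real
output so the same report can be produced for that machine.
"""
import csv
import io
import subprocess

# Constructed sample of `driverquery /si /fo csv` output. Assumption: the
# /si switch prints the columns DeviceName, InfName, IsSigned, Manufacturer.
SAMPLE_OUTPUT = '''"DeviceName","InfName","IsSigned","Manufacturer"
"Intel(R) 82574L Gigabit Network Connection","oem5.inf","TRUE","Intel"
"Contoso Mouse Filter","oem12.inf","FALSE","Contoso"
"Fabrikam Virtual Audio","oem7.inf","FALSE","Fabrikam"
"High Definition Audio Controller","hdaudbus.inf","TRUE","Microsoft"
'''


def parse_driverquery(text):
    """Parse driverquery CSV text into a list of dicts, one per driver."""
    reader = csv.DictReader(io.StringIO(text))
    rows = []
    for row in reader:
        # driverquery prints TRUE/FALSE; normalise the flag to a bool
        row["IsSigned"] = row["IsSigned"].strip().upper() == "TRUE"
        rows.append(row)
    return rows


def unsigned_drivers(text):
    """Return (InfName, DeviceName, Manufacturer) for each unsigned driver."""
    return [(r["InfName"], r["DeviceName"], r["Manufacturer"])
            for r in parse_driverquery(text) if not r["IsSigned"]]


def run_driverquery():
    """Run the real command (Windows only) and return its CSV output."""
    completed = subprocess.run(["driverquery", "/si", "/fo", "csv"],
                               capture_output=True, text=True, check=True)
    return completed.stdout


if __name__ == "__main__":
    # Replace SAMPLE_OUTPUT with run_driverquery() to inspect a live system.
    for inf, name, vendor in unsigned_drivers(SAMPLE_OUTPUT):
        print(f"UNSIGNED  {inf:<14} {name} ({vendor})")
```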
If you have a hardware problem, it can be caused by hardware or a device driver. Fortunately, the process to update device drivers to a newer version is straightforward. Troubleshooting hardware problems often starts by troubleshooting device drivers. To identify a device driver problem, answer the following questions:
- Did you recently upgrade the device driver or other software related to the hardware?
- Are you experiencing occasional problems, or is the driver not compatible with the current version of Windows?
- Did the hardware suddenly stop working?
This demonstration shows how to update a device driver and then roll back that driver update. This demonstration will also show how to install a driver into the driver store. This demonstration requires two machine restarts.
3. Run pnputil -e to verify that the driver is installed in the driver store.
Question: If your computer does not start up normally due to a device driver issue, what options are there for performing driver roll back?
To do this, at the command prompt, type diskpart and then press ENTER. Enter the following commands sequentially:
    List disk
    Select disk 3
    Create partition primary size=100
    List partition
    Select partition 1
    Format fs=ntfs label=simple2 quick
    assign
Results: After this exercise, you have two additional volumes: a spanned volume drive F of 250 MB and a striped volume drive G of 2048 MB.
Use the fsutil command-line tool to create a file with the following properties:
- Path: G:\
- Name: 1kb-file
- Size: 1024
Task 3: Test the configured quotas by using a standard user account to create files
1. Log off and then log on to the LON-CL1 virtual machine as Contoso\Adam with a password of Pa$$w0rd.
2. Create a new folder called G:\Adams files.
3. Copy G:\1mb-file into G:\Adams files.
4. Change into the G:\Adams files folder.
5. Copy the 1mb-file an additional four times.
6. Change into the G:\ folder.
7. Copy the 1kb-file into G:\Adams files.
8. Change into the G:\Adams files folder.
9. Copy the 1mb-file a further four times.
10. Copy the 1mb-file one more time.
11. Review the error message and click Cancel.
Results: After this exercise, you have disk quotas enabled for drive G.
Results: After this exercise, you will have reverted your mouse driver to the original driver.
What two commands must you use for these tasks?
3. Your organization has recently configured Windows Update to automatically update the Accounting department's computers at 03:00. This conflicts with the weekly defragmentation of the computers on Wednesday mornings. You must reconfigure the scheduled defragmentation task to occur at midnight on Tuesdays instead. List the steps to modify the defragmentation schedule.
4. You recently upgraded to Windows 7 and are experiencing occasional problems with the shortcut keys on your keyboard. Describe the first action you might take to resolve the issue and list the steps to perform the action.
Common Issues
Identify the causes for the following common issues and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module or the course companion CD content.

Issue: Configuring disk quotas on multiple volumes
Troubleshooting tip:

Issue: Exceeding the quota allowance
Troubleshooting tip:

Issue: If you have a hardware problem, it can be caused by hardware or a device driver. Troubleshooting hardware problems often starts by troubleshooting device drivers.
Troubleshooting tip:

Issue: Verify a disk requires defragmentation
Troubleshooting tip:

Issue: View shadow copy storage information
Troubleshooting tip:
Best Practices
Supplement or modify the following best practices for your own work situations:
- Every time a change is made to a computer, record it. It can be recorded in a physical notebook attached to the computer, or in a spreadsheet or database available on a centralized share that is backed up nightly. If you keep a record of all changes made to a computer, you can trace the changes to troubleshoot problems, and offer support professionals correct configuration information.
- The Reliability Monitor can be used to track changes to the system such as application installs or uninstalls.
- When deciding what type of volume to create, consider the following questions: How critical is the data or information on the computer? Can automatic replication be set up quickly and easily? If the computer became unbootable, what might be the impact on your business? Is the computer handling multiple functions? Is the data on the computer being backed up on a regular basis?
Use the information in the following table to assist as needed:

Task:
- Add a new disk.
- Best Practices for Disk Management.
- Confirm that you are a member of the Backup Operators group or the Administrators group.
- Create partitions or volumes.
- Device Management and Installation.
- For information about driver signing, including requirements, review the Driver Signing Requirements for Windows page in Windows Hardware Developer Central.
- Format volumes on the disk.
- Overview of Disk Management.
- Performance tuning guidelines.
- Windows 7 Springboard Series.
- Windows Device Experience.

Reference:
- http://go.microsoft.com/fwlink/?LinkId=64100
- http://go.microsoft.com/fwlink/?LinkId=153231
- Search Help and Support for "standard account" and "administrator account". For information about groups: http://go.microsoft.com/fwlink/?LinkId=64099
- http://go.microsoft.com/fwlink/?LinkId=64106; http://go.microsoft.com/fwlink/?LinkId=64107
- http://go.microsoft.com/fwlink/?LinkId=143990
- http://go.microsoft.com/fwlink/?LinkId=14507
- http://go.microsoft.com/fwlink/?LinkId=64101
Tools
Tool: Defrag.exe
Use for: Performing disk defragmentation tasks from the command line.
Where to find it: Command Prompt

Tool: Device Manager
Use for: Viewing and updating hardware settings and driver software for devices such as internal hard drives, disc drives, sound cards, video or graphics cards, memory, processors, and other internal computer components.
Where to find it: Control Panel

Tool: Device Stage
Use for: Help when interacting with any compatible device connected to the computer. From Device Stage, you can view the device's status and run common tasks from a single window. There are pictures of the devices, which helps make it simpler to view what is there.
Where to find it: Taskbar

Use for: Provides users a single location to find and manage all the devices connected to their Windows 7-based computers. Provides quick access to device status, product information, and key functions such as faxing and scanning to enhance and simplify the customer experience with a Windows 7-connected device.
Where to find it: Control Panel

Tool: Disk Defragmenter
Use for: Rearranging fragmented data so that disks and drives can work more efficiently.
Where to find it: In Windows Explorer, right-click a volume, click Properties, click the Tools tab, and then click Defragment Now.

Tool: Disk Management
Use for: Managing disks and volumes, both basic and dynamic, locally or on remote computers.
Where to find it: Click Start, type diskmgmt.msc in the search box, and then click diskmgmt.msc in the results list.

Tool: Diskpart.exe
Use for: Managing disks, volumes, and partitions from the command line or from Windows PE.
Where to find it: Open a command prompt and then type diskpart.

Tool: Fsutil.exe
Use for: Performing tasks that are related to file allocation table (FAT) and NTFS file systems, such as managing reparse points, managing sparse files, or dismounting a volume.
Where to find it: Command Prompt (elevated)

Tool: Pnputil.exe
Use for: Adding drivers to and managing drivers in the device store.
Where to find it: Command Prompt (elevated)

Tool: Quota Settings
Use for: Tracking and restricting disk consumption.
Where to find it: In Windows Explorer, right-click a volume, click Properties, click Quota, and then click Show Quota Settings.

Tool: Sigverif.exe
Use for: Checking if unsigned device drivers are in the system area of a computer.
Where to find it: Start menu

Tool: Volume Shadow Copy Service (Vssadmin.exe)
Use for: Viewing and managing shadow copy storage space.
Where to find it: Command Prompt (elevated)

Tool: Windows Update
Use for: Automatically applying updates, which are additions to software that can help prevent or fix problems, improve how your computer works, or enhance your computing experience.
Where to find it: Online
Volume
System volume
Boot volume
Partition
Definition: The process of dividing the storage on a physical disk into manageable sections that support the requirements of a computer operating system.
Definition: A method of expressing a data address on a storage medium. Used with SCSI and IDE disk drives to translate specifications of the drive into addresses that can be used by enhanced BIOS. LBA is used with drives that are larger than 528 MB.
Module 3
Configuring File Access and Printers on Windows 7 Clients
Contents:
Lesson 1: Overview of Authentication and Authorization 3-3
Lesson 2: Managing File Access in Windows 7 3-8
Lesson 3: Managing Shared Folders 3-20
Lesson 4: Configuring File Compression 3-29
Lesson 5: Managing Printing 3-36
Lab: Configuring File Access and Printers on Windows 7 Client Computers 3-45
Module Overview
This module provides the information and tools needed to help you manage access to shared folders and printers on a computer running the Windows 7 operating system. Specifically, the module describes how to share and protect folders, configure folder compression, and how to install, configure, and administer printing. To maintain network or local file and printer systems, it is essential to understand how to safeguard these systems and make them operate as efficiently and effectively as possible. This includes setting up NTFS folder permissions, compressing and managing shared folders and files, and configuring printers.
Lesson 1
The Windows 7 operating system provides a new generation of security technologies for the desktop. Some of these security technologies are aimed at strengthening the overall Windows infrastructure, and others are aimed at helping to control both your system and your data. Before effectively defining Windows 7 security measures such as NTFS permissions and file and folder sharing properties, it is essential to understand the user account types that are used during security configuration, and how the Kerberos protocol authenticates and authorizes user logons. This lesson examines these features, which provide the foundation upon which the Windows security infrastructure is built.
Key Points
Authentication is the process used to confirm a user's identity when he or she accesses a computer system or an additional system resource. In private and public computer networks (including the Internet), the most common authentication method used to control access to resources involves verification of a user's credentials; that is, a username and password. However, for critical transaction types, such as payment processing, username/password authentication has an inherent weakness given its susceptibility to passwords that can be stolen or accidentally revealed. Because of this weakness, most Internet businesses, along with many other transaction types, now implement digital certificates that are issued and verified by a Certification Authority.
Authentication logically precedes authorization. Authorization allows a system to determine whether an authenticated user can access and possibly update secured system resources. Examples of authorized permissions include file and file directory access, hours of access, amount of allocated storage space, and so on. There are two components to authorization:
- The initial definition of permissions for system resources by a system administrator.
- The subsequent checking of permission values by the system or application when a user attempts to access or update a system resource.
It is possible to have authorization and access without authentication. This is the case when permissions are granted for anonymous users that are not authenticated. Typically, these permissions are very limited.
Key Points
Users must be authenticated to verify their identity when accessing files over the network. This is done during the network logon process. The Windows 7 operating system includes the following authentication methods for network logons:
- Kerberos version 5 protocol: The main logon authentication method used by clients and servers running Microsoft Windows operating systems. It is used to authenticate both user accounts and computer accounts.
- Windows NT LAN Manager (NTLM): Used for backward compatibility with pre-Windows 2000 operating systems and some applications. It is less flexible, efficient, and secure than the Kerberos version 5 protocol.
- Certificate mapping: Typically used in conjunction with smart cards for logon authentication. The certificate stored on a smart card is linked to a user account for authentication. A smart card reader is used to read the smart cards and authenticate the user.
Question: Which authentication method is used when a client computer running the Windows 7 operating system logs on to Active Directory?
Key Points
Windows Vista included a number of improvements related to the Windows logon and authentication processes. These enhancements extended a strong set of platform-based authentication features to help provide better security, manageability, and user experience. In Windows 7, Microsoft continues the efforts that began in Windows Vista by providing the following new authentication features:
- Smart cards
- Biometrics
- Online Identity Integration
Smart Cards
Smart card use is expanding rapidly. To encourage more organizations and users to adopt smart cards for enhanced security, Windows 7 includes new features that make smart cards simpler to use and to deploy. These new features also make it possible to use smart cards to complete a greater variety of tasks, and include the following:
- Smart card-related Plug and Play
- Personal Identity Verification (PIV) standard from the National Institute of Standards and Technology (NIST)
- Kerberos support for smart card logon
- Encrypting drives with BitLocker Drive Encryption
- Document and e-mail signing
- Use with line-of-business applications
Biometrics
Biometrics is an increasingly popular technology that provides convenient access to systems, services, and resources. Biometrics relies on measuring an unchanging physical characteristic of a person to uniquely identify that person. Fingerprints are one of the most frequently used biometric characteristics, with millions of fingerprint biometric devices embedded in personal computers and peripherals. Until now, there has been no standard support for biometric devices or for biometric-enabled applications in Windows. To address this issue, Windows 7 introduces the Windows Biometric Framework (WBF). The Windows Biometric Framework provides support for fingerprint biometric devices through a new set of components. These components improve the quality, reliability, and consistency of the user experience for customers who have fingerprint biometric devices. The Windows Biometric Framework makes biometric devices simpler for users and administrators to configure and control on a local computer or in a domain.
Lesson 2
The most common way that users access data is from file shares on the network. Controlling access to files shares is done with file share permissions and NTFS permissions. Understanding how to determine effective permissions is essential to securing your files. NTFS file system permissions enable you to define the level of access that users have to files that are available on the network, or locally on your Windows 7 computer. This lesson explores NTFS file system permissions and the effect of various file and folder activities on these permissions.
Key Points
Permission is the authorization to perform an operation on a specific object, such as a file. Permissions can be granted by owners and by anyone with permission to grant permissions. Normally, this includes administrators on the system. If you own an object, you can grant any user or security group any permission on that object, including the permission to take ownership.
Every container and object on the network has a set of access control information attached to it. Known as a security descriptor, this information controls the type of access allowed to users and groups. Permissions, which are defined within an object's security descriptor, are associated with, or assigned to, specific users and groups.
File and folder permissions define the type of access that is granted to a user, group, or computer on a file or folder. For example, you can let one user read the contents of a file, let another user make changes to the file, or prevent all other users from accessing the file. You can set similar permissions on folders. There are two levels of permissions:
- Shared folder permissions: Allow security principals, such as users, to access shared resources from across the network. Shared folder permissions are only in effect when a user accesses a resource from the network. This topic is covered in greater detail in the next lesson.
- NTFS file system permissions: Are always in effect, whether connected across the network or logged on to the local machine where the resource is located. You can grant NTFS permissions to a file or folder for a named group or user.
There are two types of NTFS permissions:
- Standard: Standard file and folder permissions are the most commonly used permissions; these include basic permissions such as Read, Write, Modify, and Full Control.
- Special: Special permissions provide a finer degree of control for assigning access to files and folders; however, special permissions are more complex to manage than standard permissions. These include such permissions as Read/Write Attributes and Extended Attributes, Delete subfolders and files, Take Ownership, and Synchronize.
Question: Do you have to apply permissions to keep other people from accessing your files?
Key Points
There are two types of permissions:
- Explicit permissions: Permissions that are set by default on non-child objects when the object is created, or by user action on non-child, parent, or child objects.
- Inherited permissions: Permissions that are propagated to an object from a parent object. Inherited permissions ease the task of managing permissions and ensure consistency of permissions among all objects within a given container.
Permissions inheritance allows the NTFS permissions set on a folder to be applied automatically to files created in that folder and its subfolders. This means that NTFS permissions for an entire folder structure can be set at a single point. And if modification is required, modification needs to be done only at that single point. Permissions can also be added to files and folders below the initial point of inheritance, without modifying the original permissions assignment. This is done to grant a specific user or group a different file access than the inherited permissions. There are three ways to make changes to inherited permissions:
- Make the changes to the parent folder, and then the file or folder will inherit these permissions.
- Select the opposite permission (Allow or Deny) to override the inherited permission.
- Choose not to inherit permissions from the parent object, and then make changes to the permissions or remove the user or group from the Permissions list of the file or folder.
In most cases, Deny overrides Allow unless a folder is inheriting conflicting settings from different parents. In that case, the setting inherited from the parent closest to the object in the sub-tree will have precedence.
Only inheritable permissions are inherited by child objects. When permissions are set on the parent object, you need to decide whether folders or subfolders can inherit them by configuring Advanced Security Settings.
Note: Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry. Explicit permissions take precedence over inherited permissions, even inherited Deny permissions.
This demonstration shows how to safeguard files and folders by updating their NTFS permissions. This demonstration also shows how to:
- Set permissions, such as Read, Write, and Full Control, to provide access for a specific user.
- Set the Deny permission for a user to restrict his or her ability to modify a file.
- Verify the set permissions.
4. On the Effective Permissions tab, select Contoso\Adam and verify the configured permissions.
Key Points
When a file or folder is copied or moved, the permissions can change depending on where the file or folder is moved to. It is important for you to understand the impact on permissions when files are copied or moved.
Note: When copying a file or folder within a single NTFS partition or between NTFS partitions, you must have Read permission for the source folder and Write permission for the destination folder.
When moving a file or folder within an NTFS partition, the file or folder inherits the permissions of the new parent folder. If the file or folder has explicitly assigned permissions, those permissions are retained in addition to the newly inherited permissions.
Note: Most files do not have explicitly assigned permissions. Instead, they inherit permissions from their parent folder. If files that have only inherited permissions are moved, they do not retain these inherited permissions during the move.
When moving a file or folder to a different NTFS partition, the folder or file inherits the permissions of the destination folder. When moving a folder or file between partitions, Windows 7 copies the folder or file to the new location and then deletes it from the old location.
When moving a file or folder to a non-NTFS partition, the folder or file loses its NTFS file system permissions, because non-NTFS partitions do not support NTFS file system permissions.
Note: When moving a file or folder within an NTFS partition or between NTFS partitions, you must have both Write permission for the destination folder and Modify permission for the source file or folder. Modify permission is required if moving a folder or file because Windows 7 deletes the folder or file from the source folder after it copies it to the destination folder.
Question: Why is administration time reduced when files and folders are moved within the same partition?
Key Points
Each file and folder contains user and group permissions. Windows 7 determines a file or folder's effective permissions by combining its user and group permissions. For example, if a user is assigned Read permission and a group the user is a member of is assigned Modify permission, the effective permissions of the user are Modify.
When permissions are combined, Deny permission takes precedence and overrides Allow permission. For example, if a group is assigned Modify permission to a folder and a user that is a member of that group is denied Modify permission for the same folder, then the user is denied the Modify permission for the folder.
Question: If a group is assigned Modify permission to a folder and a user that is a member of that group is denied Modify permission for the same folder, what is the user's effective permission for the folder?
This discussion includes a scenario and three underlying situations in which you are asked to apply NTFS permissions. You and your classmates will discuss possible solutions to each situation.
Scenario
User1 is a member of the Users group and the Sales group. The graphic on the slide, which shows folders and files on the NTFS partition, includes three situations, each of which has a corresponding discussion question.
Question 1: The Users group has Write permission, and the Sales group has Read permission for Folder1. What permissions does User1 have for Folder1?
Question 2: The Users group has Read permission for Folder1. The Sales group has Write permission for Folder2. What permissions does User1 have for File2?
Question 3: The Users group has Modify permission for Folder1. File2 is accessible only to the Sales group, and they are only able to read File2. What do you do to ensure that the Sales group has only Read permission for File2?
Lesson 3
Collaboration is an important part of your job. Your team might create documents that are only shared by its members, or you might work with a remote team member who needs access to your team's files. Because of collaboration requirements, you must understand how to manage shared folders in a network environment.
Sharing folders gives users access to those folders over a network. Users can connect to the shared folder over the network to access the folders and files that are contained in the shared folder. It is important to understand the authorization implications when resources are shared, especially network shared resources. Shared folders can contain applications, public data, or a user's personal data. Managing shared folders helps you provide a central location for users to access common files and simplifies your task of backing up data that is contained in those files.
Key Points
Sharing a folder makes it available to multiple users simultaneously over the network. When sharing a folder, you can identify specific users to share the folder with or share it with all the users on the network. Sharing is limited to folders and not to specific files within a folder. When creating a shared folder by using the Provision a Shared Folder Wizard in the Share and Storage Management console or by using the File Sharing Wizard, you can configure the permissions assigned to each share as it is created.
In Windows 7, members of the Administrators, Power Users, and Server Operators groups can share folders. Other users who have been granted the Create Permanent Shared Objects user right can also share folders. If a folder resides on an NTFS volume, you must have at least Read permission to share the folder. There are several different ways to share folders with others on the network:
- In the Microsoft Management Console (MMC) snap-in titled Shares
- In Windows Explorer, by right-clicking on a folder and selecting the Share with option
- Through the command line, using the Net Share command
- Through Computer Management
Key Points
Windows 7 provides two methods for sharing folders directly from your computer:
- Any folder sharing: Allows sharing of music, photos, and other files from any folder on your computer without having to move them from their current location. There are two types of Any Folder sharing: basic and advanced.
- Public folder sharing: Public folders serve as open drop boxes. Copying a file into a public folder makes it immediately available to other users on your computer or network.
To use Advanced Sharing, right-click the folder to share, click Properties, click the Sharing tab, and then click Advanced Sharing.
When you turn on Public folder sharing, users who have an account on the computer or network can connect to this folder both locally and remotely to access shared files. Public folder sharing does not allow you to fine-tune sharing permissions, but it does provide a simple way to make your files available to others. You can select one of these two Public folder permission options through the Network and Sharing Center, which is a topic discussed later in this lesson.
Question: When is it necessary to avoid using Public folder sharing?
Question: Do you have to apply permissions to share your files with other users on your computer?
Key Points
When a shared folder is created on a partition formatted with the NTFS file system, both the shared folder permissions and the NTFS file system permissions are combined to protect file resources. NTFS file system permissions apply whether the resource is accessed locally or over a network, but they are filtered against the shared folder permissions. When shared folder permissions are granted on an NTFS volume, the following rules apply:
- By default, the Everyone group is granted the shared folder permission Read.
- Users must have the appropriate NTFS file system permissions for each file and subfolder in a shared folder, in addition to the appropriate shared folder permissions, to access those resources.
- When NTFS file system permissions and shared folder permissions are combined, the resulting permission is the most restrictive one of the effective shared folder permissions or the effective NTFS file system permissions.
- The share permissions on a folder apply to that folder, to all files in that folder, to subfolders, and to all files in those subfolders.
The following analogy can be helpful in understanding what happens when you combine NTFS and share permissions. When dealing with a shared folder, you must always go through the shared folder to access its files over the network. Therefore, you can think of the shared folder permissions as a filter that only allows users to perform actions on its contents that are acceptable to the share permissions. All NTFS permissions that are less restrictive than the share permissions are filtered out so that only the share permission remains. For example, if the share permission is set to Read, then the most you can do is read through the shared folder, even if the individual NTFS file permission is set to Full Control. If you configure the share permission to Modify, then you are allowed to read or modify the shared folder contents. If the NTFS permission is set to Full Control, then the share permissions filter the effective permission down to just Modify.
Discussion Question: If a user is assigned Full Control NTFS permission to a file but is accessing the file through a share with Read permission, what will be the effective permission the user will have on the file?
Discussion Question: If you want a user to view all files in a shared folder but modify only certain files in the folder, what permissions do you give the user?
Discussion Question: Identify a scenario at your organization where it might be necessary to combine NTFS and Share permissions. What is the reason for combining permissions?
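The rules from this lesson (explicit entries beating inherited ones even for Deny, Deny overriding Allow, user and group entries being combined, the first scenario question, and the share filter described just above) can all be worked through in one small model. The following is an added example, not course material; its right names, principals, and folder names are illustrative assumptions, and it deliberately simplifies the NTFS access mask.

```python
"""Model of how Windows 7 resolves effective permissions.

Added example, not course material. It encodes the rules this lesson states:
user and group entries are combined, Deny overrides Allow, an explicit entry
beats an inherited one (even an inherited Deny), and over the network the
NTFS result is filtered by the share permission. The right names, principals
and folder names are assumptions made up for illustration; the real NTFS
access mask has more bits than this simplified model.
"""
from collections import namedtuple

# Standard permissions expressed as sets of rights (simplified, see above).
READ = frozenset({"read", "execute"})
WRITE = frozenset({"write"})
MODIFY = READ | WRITE | {"delete"}
FULL = MODIFY | {"change_permissions", "take_ownership"}
STANDARD = {"Read": READ, "Write": WRITE, "Modify": MODIFY, "Full Control": FULL}

# One access control entry: principal, "Allow" or "Deny", standard permission
# name, and whether the entry was inherited from the parent folder.
Ace = namedtuple("Ace", "principal kind permission inherited")


def ntfs_effective(aces, user, groups):
    """Rights that `user` (a member of `groups`) actually gets on the object.

    Entries are evaluated in the order Windows uses: explicit Deny, explicit
    Allow, inherited Deny, inherited Allow. The first entry that mentions a
    right decides it, which is why Deny wins over Allow at the same level
    while an explicit Allow survives an inherited Deny.
    """
    principals = {user} | set(groups)
    ordered = sorted((a for a in aces if a.principal in principals),
                     key=lambda a: (a.inherited, a.kind == "Allow"))
    decided = {}
    for ace in ordered:
        for right in STANDARD[ace.permission]:
            decided.setdefault(right, ace.kind == "Allow")
    return frozenset(r for r, allowed in decided.items() if allowed)


def network_effective(aces, share_permission, user, groups):
    """Access through a share: the more restrictive of NTFS and share wins."""
    return ntfs_effective(aces, user, groups) & STANDARD[share_permission]


def describe(rights):
    """Name the standard permission(s) that a set of rights amounts to."""
    covered = [n for n in ("Read", "Write", "Modify", "Full Control")
               if STANDARD[n] <= rights]
    # keep only names not already contained in a larger covered name
    top = [n for n in covered
           if not any(STANDARD[n] < STANDARD[m] for m in covered)]
    return ", ".join(top) if top else "None"


def lesson_cases():
    """The situations discussed in this lesson, resolved with the model."""
    groups = ["Users", "Sales"]  # User1's memberships from the scenario
    return {
        # user Read plus group Modify -> Modify
        "read_plus_modify": describe(ntfs_effective(
            [Ace("User1", "Allow", "Read", False),
             Ace("Users", "Allow", "Modify", False)], "User1", groups)),
        # group Modify, but the user is denied Modify -> no access
        "deny_beats_allow": describe(ntfs_effective(
            [Ace("Users", "Allow", "Modify", False),
             Ace("User1", "Deny", "Modify", False)], "User1", groups)),
        # an inherited Deny does not block an explicit Allow
        "explicit_beats_inherited_deny": describe(ntfs_effective(
            [Ace("Users", "Deny", "Write", True),
             Ace("User1", "Allow", "Modify", False)], "User1", groups)),
        # scenario question 1: Users Write and Sales Read on Folder1
        "question_1": describe(ntfs_effective(
            [Ace("Users", "Allow", "Write", False),
             Ace("Sales", "Allow", "Read", False)], "User1", groups)),
        # Full Control on the file, reached through a share that allows Read
        "share_filters_ntfs": describe(network_effective(
            [Ace("User1", "Allow", "Full Control", False)],
            "Read", "User1", groups)),
    }


if __name__ == "__main__":
    for case, result in lesson_cases().items():
        print(f"{case:30} -> {result}")
```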
Key Points
With earlier versions of Windows, many different graphical interfaces and commands were required to fully configure networking and network sharing. Windows 7 makes this significantly simpler by providing all the required tools in one central location, the Network and Sharing Center. The Network and Sharing Center is accessed through the Windows Control Panel, or by typing Network and Sharing Center in the search box on the Start menu.
It is important to be familiar with all aspects of the Network and Sharing Center, and be able to use it to configure all types of network connections. This topic focuses on the network sharing aspect of the Center, while the network configuration topics are covered later in the Networking module. The Network and Sharing Center provides the following tools:
- View a Network Map
- Set Up a New Connection or Network
- Change Advanced Sharing Options
- Choose Homegroup and Sharing Options
- Fix a Network Problem
Note: The Network Map is not just a topology; it shows active network devices that you can configure or troubleshoot.
Note: You can change the network location profile between private and public. This changes firewall and visibility settings for that network connection.
3-28
Domain: The domain network location is used for domain networks such as those at enterprise workplaces. This type of network location is controlled by your network administrator and cannot be selected or changed.
For each of these network locations, you can configure the following settings:
- Network Discovery
- File sharing
- Public folder sharing
- Printer sharing
- Media Sharing
You need to know how to enable Network Discovery and configure the features so that your users can access available network resources and shared folders. Network Discovery provides two key benefits:
- Once it is enabled, components on the computer allow it to map to the network and respond to map requests.
- It is used to directly access each device on the network map by double-clicking on the device icon.
3-29
Lesson 4
It is important for you to understand the benefits of file and folder compression, and how to compress files and folders using the two methods available in Windows 7:
- NTFS file compression
- Compressed (zipped) Folders
This lesson explores and contrasts these two methods of compression. In addition, the lesson examines the impact of various file and folder activities on compressed files and folders.
3-30
Key Points
The NTFS file system supports file compression on an individual file basis. NTFS compression, which is available on volumes that use the NTFS file system, has the following features and limitations:
- Compression is an attribute of a file or folder. Volumes, folders, and files on an NTFS volume are either compressed or uncompressed.
- New files created in a compressed folder are compressed by default.
- The compression state of a folder does not necessarily reflect the compression state of the files within that folder. For example, you can compress a folder without compressing its contents, and uncompress some or all of the files in a compressed folder.
- You can work with NTFS-compressed files without decompressing them yourself, because they are decompressed and recompressed without user intervention. When a compressed file is opened, Windows automatically decompresses it for you. When the file is closed, Windows compresses it again.
- NTFS-compressed file and folder names are displayed in a different color to make them easier to identify.
- NTFS-compressed files and folders only remain compressed while they are stored on an NTFS volume.
- An NTFS-compressed file cannot be encrypted.
- The compressed bytes of a file are not accessible to applications; they see only the uncompressed data. Applications that open a compressed file can operate on it as if it were not compressed.
3-31
3-32
Key Points
Moving and copying compressed files and folders can change their compression state. This discussion includes five situations in which you are asked to identify the impact of copying and moving compressed files and folders. You and your classmates will discuss the possible solutions to each situation.
3-33
Key Points
In Windows 7, several files and folders can be combined into a single compressed folder by using the Compressed (zipped) Folders feature. This feature can be used to share a group of files and folders with others without being concerned about sending them individual files and folders. Files and folders that are compressed by using the Compressed (zipped) Folders feature can be compressed on FAT and NTFS file system drives. A zipper icon identifies files and folders that are compressed by using this feature. Files can be opened directly from these compressed folders, and some programs can be run directly from these compressed folders without uncompressing them. Files in the compressed folders are compatible with other file-compression programs and files. These compressed files and folders can also be moved to any drive or folder on your computer, the Internet, or your network. Compressing folders by using Compressed (zipped) Folders does not affect the overall performance of your computer. CPU utilization increases only when Compressed (zipped) Folders is used to compress a file. Compressed files take up less storage space and can be transferred to other computers more quickly than uncompressed files. Work with compressed files and folders the same way you work with uncompressed files and folders.
Alternatively, if a compressed folder is already created and now a new file or folder needs to be added to it, drag the desired file to the compressed folder instead of using the Send To > Compressed (zipped) Folder command.
3-34
Note: Unlike NTFS compressed folders and files, Compressed (zipped) Folders can be moved and copied without change between volumes, drives, and file systems.
3-35
This demonstration shows how to compress a folder and a file, and it also shows the impact of moving and copying a compressed file.
3-36
Lesson 5
Managing Printing
To set up a shared printing strategy that meets your users' needs, you must understand what the Windows 7 printing components are and how to manage them. This lesson examines the printing components in a Windows 7 environment, including printer ports and drivers. The instructor will demonstrate how to install and share a printer, and you will review how to use the Print Management tool to administer multiple printers and print servers.
3-37
Key Points
When a printer is installed and shared in Windows 7, you must define the relationship between the printer and two printer components: the printer port and the printer driver.
Installing a Driver
The printer driver is a software interface that allows your computer to communicate with the printer device. Without a printer driver, the printer that is connected to your computer will not work properly. The printer driver is responsible for converting the print job into a page description language (PDL) that the printer can use to print the job. The most common PDLs are PostScript, printer control language (PCL), and XML Paper Specification (XPS). In most cases, drivers come with the Windows application, or you can find them by going to Windows Update in Control Panel and checking for updates. If the Windows application does not have the driver needed, you can find it on the disk that came with the printer, or on the manufacturer's Web site. If the Windows operating system does not recognize your printer automatically, you must configure the printer type during the installation process. The printer setup wizard presents you with an exhaustive list of currently installed printer types. However, if your printer is not listed, you must obtain and install the necessary driver. You can preinstall printer drivers into the driver store, thereby making them available in the printer list, by using the pnputil.exe command-line tool.
3-38
When you connect a new printer to your computer, the Windows application tries to find and install a software driver for the printer. Occasionally, you might see a notification that a driver is unsigned or is altered or that Windows cannot install it. You have a choice whether to install a driver that is unsigned or is altered since it was signed.
3-39
The XML Paper Specification (XPS) is a new document description language that provides users and developers with a robust, open, and trustworthy format for electronic paper. XPS is platform independent, openly published, and is integrated into Microsoft Windows 7 and the 2007 Microsoft Office system. XPS is a single format for document presentation that can be used to display documents and as a PDL for printing. XPS describes electronic paper in a way that can be read by hardware, software, and people. XPS documents print better, can be shared more easily, are better protected, and can be archived with confidence. When XPS is used as a document description language, documents are saved in XPS format. This is done as an alternative to sharing documents in Word or Rich Text Format (RTF). The benefit of using XPS to distribute documents is that the exact page layout is defined. When the document is viewed or printed, the layout does not vary depending on the printer driver that is installed. XPS documents are not meant to be edited. When XPS is used as a PDL, documents are converted to XPS during printing. The printer accepts the XPS document and prints it. In this case, XPS is a replacement for PCL or PostScript.
GDI-Based Printing
Graphical Device Interface (GDI) printing is a software API used by applications to communicate with the drivers of graphical output devices, such as printers or graphics cards. GDI printing is used in versions of Windows before Windows Vista. The set of application programming interfaces (APIs) used by applications to access operating system resources is Microsoft Win32. Win32 applications use GDI-based printing. With GDI-based printing, the rendering of printed documents is moved to the printer driver that is running on the PC. When a document is printed, the printer knows nothing about how the text characters look or how color adjustment works. Instead, the printer driver that is running on the PC renders the bitmap of each printed page and the bitmap is sent to the printer. GDI-based printing is also known as host-based printing, because every printer comes with a driver CD containing a driver exactly for the particular printer.
XPS-Based Printing
XPS-based printing uses only XPS as a single format for print jobs. Only newer applications that use Windows Presentation Foundation (WPF) APIs use XPS-based printing. XPS-based printing results in better quality printed copies. The print quality of graphics is superior because conversion is removed from the process and better color information is stored in the XPS file. The XPS files are also smaller than the equivalent EMF files. The XPS printing process also simplifies applications' task of querying print job and printer configuration information.
3-41
The most common and simplest way to install a printer is to connect it directly to your computer (known as a local printer). If your printer is a USB model, Windows automatically detects and installs it when you plug it in. If your printer is an older model that connects using the serial or parallel port, you might have to install it manually. In the workplace, many printers are network printers. These connect directly to a network as a stand-alone device. Network printers typically connect through an Ethernet cable or wireless technologies such as WiFi or Bluetooth.
Note: Available network printers can include all printers on a network, such as Bluetooth and wireless printers, or printers that are plugged into another computer and shared on the network. Ensure that you have permission to use these printers before adding them to the computer.
This demonstration shows how to install and share a printer through Devices and Printers. It also sets several permissions, including the Share the Printer permission. Advanced options that can be set for the printer are also discussed.
3-42
2. Right-click on the printer and select Printer Properties.
3. Select the Edit option in the Security tab and then type Contoso\IT as the user to assign permissions to.
4. In the list of permissions, assign the ability to Manage Printers and to Manage Documents.
5. In the Advanced tab, select the Hold mismatched documents option. Review the other print options available on this tab.
6. In the General tab, in the Location field, type the name of the location where the printer resides.
7. Click Preferences, and in the Printing Shortcuts tab, set Print Quality to Best. Review the other printing preferences.
3-43
Key Points
Print Management provides a single interface to administer multiple printers and print servers. Print Management (or the Printbrm.exe command-line tool) is also used to export printers and settings from one computer and import them on another computer. To open the Microsoft Management Console (MMC) snap-in for Print Management, click Start, click Control Panel, click System and Maintenance, click Administrative Tools, and then click Print Management. The Print Management MMC snap-in is used to perform all the basic management tasks for a printer. Printers can also be managed from the Devices and Printers page in the Control Panel. These tasks include:
- Cancel print jobs.
- Pause or resume a print job.
- Restart a print job.
- Reorder the print queue.
Once a print job is initiated, you can view, pause, and cancel your print job through the print queue. The print queue shows what is printing or waiting to print. It also displays information such as job status, who is printing what, and how many unprinted pages remain. From the print queue, you can view and maintain the print jobs for each printer. The print queue can be accessed from the Print Management MMC snap-in and through the See what's printing option on the Devices and Printers control panel page. This is used to view what is printing and what is waiting to print for a specific printer. Documents that are listed first will be the first to print.
3-44
Key Points
Windows 7 offers the ability to automatically switch your laptop's default printer when it detects you have moved from one network location to another, such as from public to domain. This feature, called location-aware printing, is only found on laptops and other portable devices that use a battery.
If you do not want Windows to change your default printer settings when moving from place to place, click Always use the same printer as my default printer in the Manage Default Printers dialog box. If you want a wireless network to appear in the Manage Default Printers dialog box, it is necessary to have successfully connected to that wireless network at least once. Note: Location-aware printing does not work when you are connecting to a network through Remote Desktop (Terminal Services).
3-45
3-46
- Create a public share on the Windows 7 computer that all engineering department users are able to access.
- Create a restricted share for specific files that only specific users can access.
- Share a printer on the workstation that can be accessed by authorized users.
3-47
Exercise 1: Create and Configure a Public Shared Folder for All Users
Your first task is to create a shared folder that all engineering users can access. The main tasks for this exercise are:
1. Create a folder.
2. Share the folder.
3. Log on to LON-CL2 as a different user.
4. Access the shared folder.
Results: After this exercise, you will have a folder shared as \\LON-CL1\public. Everyone will have permissions to connect to this folder. This will also prove that you can access the shared folder and create files within that folder.
3-48
Results: After this exercise, you will have created a folder with restrictive NTFS permissions and verified that the permissions are applied correctly.
3-49
Results: After this exercise, you will have created and shared a local printer and configured access to the printer.
3-50
Review Questions
1. You decided to share a folder containing the Scoping Assessment document and other planning files created for your upcoming Microsoft Dynamics CRM implementation at Fabrikam, Inc. However, now you do not want any of these planning files available offline. Which advanced sharing options must you configure to enforce this requirement?
2. Contoso is installing Microsoft Dynamics GP and they have contracted with a vendor to provide some custom programming work. Contoso asked Joseph, their senior IT desktop specialist, to configure the NTFS permissions for the GP planning files it will be accumulating. Contoso has asked that all IT users be assigned Modify permissions to the GP Implementation Planning folder. However, Contoso only wants the subfolder titled Vendor Contracts to be available for viewing by a select group of managers. How can Joseph accomplish this by taking into account permission inheritance?
3. Peter is an IT professional working at Fabrikam. He is having trouble accessing a particular file and suspects it has something to do with his NTFS permissions associated with the file. How can he view his effective file permissions?
4. Robin recently created a spreadsheet to which she explicitly assigned NTFS file permissions that restricted file access to just herself. Following the system reorganization, the file moved to a folder on another NTFS partition and Robin discovered that other users were able to access the spreadsheet. What is the probable cause of this situation?
5. Contoso recently installed Windows 7 on its client computers. Because many of their sales staff travel and work from various branch offices throughout any given month, Contoso decided to take advantage of the location-aware printing functionality in Windows 7. Michael, a sales representative, was pleased that he no longer had to configure printers each time he needed to print a document at a branch office. However, to Michael's dismay, on his last trip he tried to connect to the company network using Terminal Services and found that he still had to manually select the printer when he wanted to print a file. Why did the system not automatically recognize the printer for Michael?
3-51
Tools
Use the following Command Prompt tools to manage file and printer sharing.
Tool          Description
Net share     Share folders from the Command Prompt
Net use       Connect to shared resources from the Command Prompt
Cacls.exe     Configure NTFS file and folder permissions from the Command Prompt
Compact.exe   Compress NTFS files and folders from the Command Prompt
Pnputil.exe   Preinstall printer drivers into the driver store
3-52
4-1
Module 4
Configuring Network Connectivity
Contents:
Lesson 1: Configuring IPv4 Network Connectivity 4-3
Lesson 2: Configuring IPv6 Network Connectivity 4-10
Lesson 3: Implementing Automatic IP Address Allocation 4-16
Lesson 4: Overview of Name Resolution 4-22
Lesson 5: Troubleshooting Network Issues 4-25
Lab: Configuring Network Connectivity 4-30
4-2
Module Overview
Network connectivity is essential in today's business environment and is also becoming critical in home environments. Whether you are part of a business network infrastructure, operate a home office, or need to share files and access the Internet, an increasing number of computer users want to connect their computers to a network. The Windows 7 operating system provides enhanced networking functionality as compared to the previous Microsoft Windows desktop operating systems, and it introduces support for newer technologies. Windows 7 has both TCP/IP version 4 and TCP/IP version 6 installed and enabled by default. An understanding of both IPv4 and IPv6, and of the operating system's access capabilities, helps you configure and troubleshoot Windows 7 networking features.
4-3
Lesson 1
IPv4 uses a specific addressing scheme and name-resolution mechanism to transmit data between connected systems. To connect computers running Windows 7 to a network, you must understand the concepts of IPv4 addressing, Domain Name System (DNS), and Windows Internet Naming Service (WINS) name resolution.
4-4
Key Points
An IPv4 address identifies a computer to other computers on a network. Assign a unique IPv4 address to each networked computer. An IPv4 address is a 32-bit address divided into four octets. To make IP addresses more readable, the binary representation is typically shown in decimal form. The address, in conjunction with a subnet mask, identifies:
- The unique identity of the computer, which is the host ID.
- The subnet on which the computer resides, which is the network ID.
This enables a networked computer to communicate with other networked computers in a routed environment. The Internet Assigned Numbers Authority (IANA) organizes IPv4 addresses into classes. The number of hosts that a network has determines the class of addresses that is required. IANA has named the IPv4 address classes from Class A through Class E.
4-5
Key Points
A subnet mask specifies which part of an IPv4 address is the network ID and which part of the IPv4 address is the host ID. A subnet mask has four octets, similar to an IPv4 address. To understand subnet masks, you first must understand what a subnet is. A subnet is a segment of a network. One or more routers separate the subnet from the rest of the network. You can subdivide the network address range to match the network's physical layout. When you subdivide a network into subnets, create a unique ID for each subnet derived from the main network ID. By using subnets, you can:
- Use a single Class A, B, or C network across multiple physical locations.
- Reduce network congestion by segmenting traffic and reducing broadcasts on each segment.
- Overcome limitations of current technologies, such as exceeding the maximum number of hosts that each segment can have.
4-6
decimal 224 is 11100000 in binary, and the lowest bit has a value of 32, so that is the increment between each subnet address.
4-7
Key Points
A default gateway is a device, usually a router, which forwards IP packets to other subnets. It connects groups of subnets to create an intranet. You must configure one router as the default gateway for local hosts. This enables the local hosts to communicate with hosts on remote networks as follows:
- When a host delivers an IPv4 packet, it uses the subnet mask to determine whether the destination host is on the same network or on a remote network.
- If the destination host is on the same network, the local host delivers the packet.
- If the destination host is on a different network, the host transmits the packet to a router for delivery.
- If the routing table on the router does not contain routing information about the destination subnet, IPv4 forwards the packet to the default gateway.
Use a Dynamic Host Configuration Protocol (DHCP) server to assign the default gateway automatically to a DHCP client.
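The mask arithmetic from the subnetting discussion (224 is 11100000, so the subnet increment is 32) and the local-versus-remote decision described under the default gateway are the same bit operations. The following Python is an added example for this page, not part of the course or of Windows; the sample addresses, the mask 255.255.255.224, and the gateway address are constructed for illustration.

```python
# Added example (not from the course text): subnet-mask arithmetic and the
# decision a host makes before handing a packet to its default gateway.
# All addresses below are constructed sample values.

def dotted_to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 value: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def octet_to_binary(octet: int) -> str:
    return format(octet, "08b")          # 224 -> '11100000'

def subnet_increment(mask_octet: int) -> int:
    """Value of the lowest set bit of the interesting mask octet, which is
    the step between consecutive subnet addresses (224 -> 32, 192 -> 64)."""
    if mask_octet == 0:
        raise ValueError("octet contains no subnet bits")
    return mask_octet & -mask_octet

def network_id(addr: str, mask: str) -> str:
    """Bits of the address selected by the mask."""
    return int_to_dotted(dotted_to_int(addr) & dotted_to_int(mask))

def host_id(addr: str, mask: str) -> str:
    """Bits of the address not covered by the mask."""
    return int_to_dotted(dotted_to_int(addr) & ~dotted_to_int(mask) & 0xFFFFFFFF)

def same_subnet(src: str, dst: str, mask: str) -> bool:
    return network_id(src, mask) == network_id(dst, mask)

def next_hop(src: str, dst: str, mask: str, default_gateway: str) -> str:
    """Deliver directly when the destination shares the network ID;
    otherwise the packet goes to the configured default gateway."""
    return dst if same_subnet(src, dst, mask) else default_gateway

def subnet_addresses(network: str, mask: str, count: int) -> list:
    """First `count` subnet addresses when `network` is carved up with
    `mask`; the step is the lowest set bit of the whole mask."""
    m = dotted_to_int(mask)
    base = dotted_to_int(network) & m
    step = m & -m
    return [int_to_dotted(base + i * step) for i in range(count)]

if __name__ == "__main__":
    mask = "255.255.255.224"
    print(octet_to_binary(224), subnet_increment(224))        # 11100000 32
    print(subnet_addresses("192.168.1.0", mask, 4))
    print(network_id("192.168.1.70", mask), host_id("192.168.1.70", mask))
    # 192.168.1.100 falls in the .96 subnet, so it is sent to the gateway.
    print(next_hop("192.168.1.70", "192.168.1.100", mask, "192.168.1.65"))
```

Reading the output next to `ipconfig /all` is a quick way to confirm why two hosts that look adjacent (here .70 and .100) cannot reach each other without a router when the mask is narrower than 255.255.255.0.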
4-8
Key Points
Devices and hosts that connect directly to the Internet require a public IPv4 address. Hosts and devices that do not connect directly to the Internet do not require a public IPv4 address. Public IPv4 addresses are assigned by IANA and must be unique. The number of addresses allocated to you depends upon how many devices and hosts you have to connect to the Internet. The pool of IPv4 addresses is becoming smaller, so IANA is reluctant to allocate superfluous IPv4 addresses. IANA defines address ranges as private so that Internet-based routers do not forward packets originating from, or destined to, these ranges. Technologies such as Network Address Translation (NAT) enable administrators to use a relatively small number of public IPv4 addresses, and at the same time, enable local hosts to connect to remote hosts and services on the Internet.
Question: Which of the following is not a private IP address?
a. 171.16.16.254
b. 192.16.18.5
c. 192.168.1.1
d. 10.255.255.254
4-9
Key Points
This demonstration shows how to configure an IPv4 address manually.
1. Log on to the computer for which you are configuring the IPv4 address.
2. Open a command prompt and display all network connections for the computer by typing the ipconfig /all command.
3. In Control Panel, open the Network and Sharing Center to view the details of Local Area Connection 3. You will see the same configuration information as returned by the ipconfig /all command. (Note: The Local Area Connection number may be different in some cases.)
4. Open the Local Area Connection 3 Properties window. This window allows you to configure protocols.
5. Open the Internet Protocol Version 4 (TCP/IPv4) Properties window. You can configure the IP address, subnet mask, default gateway, and DNS servers in this window.
6. Open the Advanced TCP/IP Settings window. Here you configure additional settings such as additional IP addresses, DNS settings, and WINS servers for NetBIOS name resolution.
4-10
Lesson 2
While most networks to which you connect Windows 7-based computers currently provide IPv4 support, many also support IPv6. To connect computers that are running Windows 7 to IPv6-based networks, you must understand the IPv6 addressing scheme, and the differences between IPv4 and IPv6.
4-11
Key Points
The new features and functionality in IPv6 address many IPv4 limitations. IPv6 enhancements help enable secure communication on the Internet and over corporate networks. Some IPv6 features include the following:
- Larger address space: IPv6 uses a 128-bit address space, which provides significantly more addresses than IPv4.
- More efficient routing: IANA provisions global addresses for the Internet to support hierarchical routing. This reduces how many routes Internet backbone routers must process and improves routing efficiency.
- Simpler host configuration: IPv6 supports dynamic client configuration by using DHCPv6. IPv6 also enables routers to configure hosts dynamically.
- Built-in security: IPv6 includes native IPSec support. This ensures that all hosts encrypt data in transit.
- Better prioritized delivery support: IPv6 includes a Flow Label in the packet header to provide prioritized delivery support. This designates the communication between computers with a priority level, rather than relying on port numbers that applications use. It also assigns a priority to the packets in which IPSec encrypts the data.
- Redesigned header: The design of the header for IPv6 packets is more efficient in processing and extensibility. IPv6 moves nonessential and optional fields to extension headers for more efficient processing. Extension headers are no more than the full size of the IPv6 packet, which accommodates more information than possible in the 40 bytes that the IPv4 packet header allocates.
4-12
Key Points
Windows 7 uses IPv6 by default and includes several features that support IPv6. Both IPv6 and IPv4 are supported in a dual stack configuration. The dual IP stack provides a shared transport and framing layer, shared filtering for firewalls and IPSec, and consistent performance, security, and support for both IPv6 and IPv4. These items help lower maintenance costs. DirectAccess enables remote users to access the corporate network anytime they have an Internet connection; it does not require virtual private networking (VPN). DirectAccess provides a flexible corporate network infrastructure to help you remotely manage and update user PCs both on and off the network. With DirectAccess, the end user experience of accessing corporate resources over an Internet connection is almost indistinguishable from the experience of accessing these resources from a computer at work. DirectAccess uses IPv6 to provide globally routable IP addresses for remote access clients. The Windows 7 operating system supports remote troubleshooting capabilities, such as Remote Desktop. Remote Desktop uses the Remote Desktop Protocol (RDP) to allow users to access files on their office computer from another computer, such as one located at their home. Additionally, Remote Desktop allows administrators to connect to multiple Windows Server sessions for remote administration purposes. IPv6 addresses can be used to make remote desktop connections.
4-13
Key Points
The IPv6 address space uses 128 bits compared to the 32 bits that the IPv4 address space uses. Therefore, a larger number of addresses are possible with IPv6 than with IPv4. An IPv6 address allocates 64 bits for the network ID and 64 bits for the host ID. IPv6 does not use dotted decimal notation to represent addresses. Instead, IPv6 uses hexadecimal notation, with a colon between each set of four digits. Each hexadecimal digit represents four bits. To shorten IPv6 addresses, drop leading zeros and use zero compression. By using zero compression, you represent multiple contiguous groupings of zeros as a set of double colons. Each IPv6 address uses a prefix to define the network ID. The prefix is a forward slash followed by the number of bits that the network ID includes.
4-14
Key Points
The IPv6 address types are unicast, multicast, and anycast. Unicast is used for one-to-one communication between hosts. Each IPv6 host has multiple unicast addresses. There are three types of unicast address, as follows:
- Global unicast addresses: These addresses are equivalent to IPv4 public addresses, so they are globally routable and reachable on the IPv6 portion of the Internet.
- Link-local addresses: Hosts use link-local addresses when communicating with neighboring hosts on the same link.
- Unique local unicast addresses: These are the equivalent of IPv4 private address spaces.
Multicast is used for one-to-many communication between computers that you define as using the same multicast address. An anycast address is an IPv6 unicast address that is assigned to multiple computers. When IPv6 addresses communication to an anycast address, only the closest host responds. You typically use this for locating services or the nearest router. The last 64 bits of an IPv6 address are the interface identifier. This is equivalent to the host ID in an IPv4 address. Each interface on an IPv6 network must have a unique interface identifier. Because the interface identifier is unique to each interface, IPv6 uses it rather than media access control (MAC) addresses to identify hosts uniquely. To preserve privacy in network communication, generate an interface identifier rather than use the network adapter's hardware address.
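The notation rules from the previous topic (hex groups, dropped leading zeros, "::" zero compression, the /prefix network ID) and the interface identifier and address types described here can all be implemented in a few functions. The following Python is an added example for this page, not course or Windows code; it uses the address 2001:0DB8:0000:0000:02AA:00FF:FE28:9C5A from the module's own demonstration, and the well-known prefixes used for classification (ff00::/8, fe80::/10, fc00::/7, 2000::/3) are standard IPv6 allocations, not something the course text lists.

```python
# Added example (not from the course text): IPv6 notation helpers that
# implement the rules the text states. The sample address is the one used
# in the course's IPv6 demonstration.

def expand_ipv6(addr: str) -> str:
    """Full eight-group, four-digit lowercase form of an IPv6 address."""
    if "::" in addr:
        head, tail = addr.split("::", 1)
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError(f"'::' stands for no groups in {addr}")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or any(not 1 <= len(g) <= 4 for g in groups):
        raise ValueError(f"malformed IPv6 address: {addr}")
    return ":".join(format(int(g, 16), "04x") for g in groups)

def compress_ipv6(addr: str) -> str:
    """Shortest form: leading zeros dropped and the longest run of zero
    groups (two or more; the first run on a tie) replaced by '::'."""
    groups = [g.lstrip("0") or "0" for g in expand_ipv6(addr).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] == "0":
            j = i
            while j < 8 and groups[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"

def _to_int(addr: str) -> int:
    return int(expand_ipv6(addr).replace(":", ""), 16)

def _from_int(value: int) -> str:
    digits = format(value, "032x")
    return ":".join(digits[i:i + 4] for i in range(0, 32, 4))

def network_prefix(addr: str, prefix_len: int = 64) -> str:
    """Network ID, written as a compressed address plus /prefix."""
    mask = ((1 << prefix_len) - 1) << (128 - prefix_len)
    return f"{compress_ipv6(_from_int(_to_int(addr) & mask))}/{prefix_len}"

def interface_id(addr: str) -> str:
    """Low 64 bits as 16 hex digits: the IPv6 counterpart of the host ID."""
    return format(_to_int(addr) & ((1 << 64) - 1), "016x")

def address_type(addr: str) -> str:
    """Classify by well-known prefix: ff00::/8 multicast, fe80::/10
    link-local, fc00::/7 unique local, 2000::/3 global unicast."""
    v = _to_int(addr)
    if v >> 120 == 0xFF:
        return "multicast"
    if v >> 118 == 0x3FA:
        return "link-local"
    if v >> 121 == 0x7E:
        return "unique local"
    if v >> 125 == 0b001:
        return "global unicast"
    return "other"

if __name__ == "__main__":
    demo = "2001:0DB8:0000:0000:02AA:00FF:FE28:9C5A"
    print(compress_ipv6(demo))          # 2001:db8::2aa:ff:fe28:9c5a
    print(network_prefix(demo, 64))     # 2001:db8::/64
    print(interface_id(demo), address_type(demo))
```

Two details worth noticing when reading `ipconfig /all` output against this code: the same address can appear in several spellings and still be the same 128-bit value (which is why comparisons should be done on the expanded or integer form, not on strings), and the interface identifier is whatever occupies the low 64 bits, regardless of whether it was derived from a MAC address or generated.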
4-15
Key Points
This demonstration shows how to configure an IPv6 address manually.
1. Log on to the computer for which you are configuring the IPv6 address.
2. Open a command prompt and display all network connections for the computer by typing the ipconfig /all command. Notice that a link-local IPv6 address has been assigned.
3. In Control Panel, open the Network and Sharing Center to view the details of Local Area Connection 3. You will see the same configuration information as returned by the ipconfig /all command.
4. Open the Local Area Connection 3 Properties dialog box. This window allows you to configure protocols. (Note: The Local Area Connection number may be different in some cases.)
5. Open the Internet Protocol Version 6 (TCP/IPv6) Properties window. You can configure the IP address, subnet mask, default gateway, and DNS servers in this dialog box.
6. Click Internet Protocol Version 6 (TCP/IPv6) and then click Properties. You can configure the IPv6 address, subnet prefix length, default gateway, and DNS servers in this dialog box.
7. Use the following IP address information:
   IPv6 address: 2001:0DB8:0000:0000:02AA:00FF:FE28:9C5A
   Subnet prefix length: 64
8. Open the Advanced TCP/IP Settings window. Here you configure additional settings such as additional IP addresses, DNS settings, and WINS servers for NetBIOS name resolution.
9. In the Local Area Connection 3 Status window, verify that the new IPv6 address has been added.
4-16
Lesson 3
Windows 7 enables both the IPv4 and IPv6 protocols to obtain configuration automatically. This helps you deploy IP-based computers that are running Windows 7 in a fast, straightforward manner.
4-17
Key Points
You can assign static IP addresses manually or use DHCPv4 to assign IP addresses dynamically. Static configuration requires that you visit each computer and input the IPv4 configuration. This method of computer management is time-consuming and heightens the risk of mistakes. DHCPv4 enables you to assign automatic IPv4 configurations for large numbers of computers without having to assign each one individually. The DHCP service receives requests for IPv4 configuration from computers that you configure to obtain an IPv4 address automatically. It also assigns IPv4 information from scopes that you define for each of your network's subnets. The DHCP service identifies the subnet from which the request originated and assigns IP configuration from the relevant scope. If you use DHCP to assign IPv4 information, you must do the following:
- Include resilience in the DHCP service.
- Configure the scopes on the DHCP server carefully.
If you use a laptop to connect to multiple networks, each network may require a different IP configuration. Windows 7 supports the use of Automatic Private IP Addressing (APIPA) and an alternate static IP address for this situation. With APIPA, a Windows computer can assign itself an Internet Protocol (IP) address in the event that a DHCP server is not available or does not exist on the network. By default, Windows 7 uses APIPA to assign itself an IP address from the 169.254.0.0/16 range (169.254.0.0 to 169.254.255.255). This enables you to use a DHCP server at work and the APIPA address range at home without reconfiguring IP settings. Additionally, this is useful for troubleshooting DHCP: if the computer has an address from the APIPA range, it is an indication that the computer cannot communicate with a DHCP server. An APIPA address is link-local only; a host that has one can reach other APIPA hosts on the same segment but has no default gateway and cannot reach other subnets.
Key Points
IPv6 automatic configuration is a method of assigning an IPv6 address to an interface automatically. It can be stateful or stateless. Stateful addresses are assigned by a service on a server or other device, and the service that allocated the address to the client manages it. DHCPv6 performs stateful automatic configuration. Stateless addresses are configured by the client and are not maintained by a service; no record of the address assignment is kept. Router advertisements drive stateless automatic configuration.
The first step in automatically configuring an IPv6 address generates a link-local address. The host uses the link-local address to communicate with other hosts on the local link. When the host generates the link-local address, it also performs duplicate address detection (DAD) to ensure that the address is unique; the same check runs for every address the host configures later. When a host obtains an IPv6 address from a DHCPv6 server, the following four-message exchange occurs:
The client sends a Solicit message to locate DHCPv6 servers.
Each server sends an Advertise message to indicate that it offers IPv6 addresses and configuration options.
The client sends a Request message to a specific DHCPv6 server to request configuration information.
The selected server sends a Reply message to the client that contains the address and configuration settings.
Key Points
This demonstration shows how to configure a computer to obtain an IPv4 address dynamically.
1. Log on to the computer that you are configuring to receive an IPv4 address dynamically.
2. Open a command prompt and display all network connections for the computer by typing the ipconfig /all command. Notice that a link-local IPv6 address has been assigned.
3. In Control Panel, open the Network and Sharing Center and then open the properties of the Local Area Connection 3 Status window. This window allows you to configure protocols.
4. Open the Internet Protocol Version 4 (TCP/IPv4) Properties window and select Obtain an IP address automatically. Notice that the Alternate Configuration tab becomes available when you do this.
5. Select Obtain DNS server address automatically.
6. On the Alternate Configuration tab, view the configuration that is used when no DHCP server is available.
7. Save the changes.
8. Open the Local Area Connection 3 Status window to view the details of Local Area Connection 3. Notice that DHCP is enabled and the IP address of the DHCP server is displayed.
Key Points
The IPConfig tool is the primary client-side DHCP troubleshooting tool and can be used to determine the computer's IP address. You run IPConfig at a command prompt. The following IPv4 options are helpful when diagnosing problems:
/all displays all IP address configuration information.
/release forces the computer to release its IP address.
/renew forces the computer to renew its DHCP lease.
You can use the ipconfig /release6 and ipconfig /renew6 options to perform these same tasks on IPv6-configured computers. The following are some troubleshooting examples.

Problem: The DHCP client does not have an IP address configured or indicates that its IP address is 0.0.0.0.
Solution: Verify that the client computer has a valid, functioning network connection. First, check that related client hardware (cables and network adapters) is working properly at the client using basic network and hardware troubleshooting steps. If the client hardware appears to be functioning properly, check that the DHCP server is available on the network by pinging it from another computer on the same network as the affected DHCP client.

Problem: The DHCP client appears to have automatically assigned itself an IP address that is incorrect for the current network.
Solution: First, use the ping command to test connectivity from the client to the server. Your next step is to either verify or manually attempt to renew the client lease (ipconfig /renew). Depending on your network requirements, it might be necessary to disable IP autoconfiguration at the client. Learn how IP autoconfiguration works before making this decision.

Problem: The DHCP client appears to have incorrect or incomplete options, such as an incorrect or missing router (default gateway) configured for the subnet on which it is located.
Solution: Change the IP address list for the router (default gateway) option at the applicable DHCP scope and server. If you are configuring the router option as a Server Option at the affected DHCP server, remove it there and set the correct value in the Scope Options node for the applicable DHCP scope that services the client. In rare instances, you might have to configure the DHCP client to use a specialized list of routers different from other scope clients. In such cases, you can add a reservation and configure the router option list specifically for the reserved client.

Problem: Many DHCP clients are unable to get IP addresses from the DHCP server.
Solution: A DHCP server can only service requests for a scope that has a network ID that is the same as the network ID of its IP address. Make sure that the DHCP server IP address falls in the same network range as the scope it is servicing. For example, a server with an IP address in the 192.168.0.0 network cannot assign addresses from scope 10.0.0.0 unless superscopes are used. The exception is a request forwarded by a DHCP relay agent: the server then selects the scope that matches the relay agent's address rather than its own, which is how one server services several subnets.
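The client-side checks from this table, the APIPA discussion and the dynamic-IPv4 demonstration combined into one script, as an added example that is not part of the course text. It reads the same WMI class (Win32_NetworkAdapterConfiguration) that ipconfig /all reports from, flags the symptoms listed above, and can release and renew the lease or switch an adapter to automatic addressing. PowerShell 2.0 syntax; the repair functions need an elevated prompt.

```powershell
# Added example, not part of the course text: a DHCPv4 client health check
# for Windows 7 in PowerShell 2.0, using the Win32_NetworkAdapterConfiguration
# WMI class that ipconfig /all also reads. It flags the symptoms from the
# troubleshooting table above (no address or 0.0.0.0, an APIPA self-assigned
# address, a lease without a default gateway) and can release/renew the lease
# or switch an adapter to "obtain an IP address automatically", as in the
# dynamic-IPv4 demonstration. The repair function needs an elevated prompt.

function Test-ApipaAddress {
    # APIPA addresses are taken from 169.254.0.0/16.
    param([string]$IPAddress)
    return ($IPAddress -match '^169\.254\.\d{1,3}\.\d{1,3}$')
}

function Get-DhcpClientState {
    # One object per IP-enabled adapter, with a Diagnosis field.
    $configs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($cfg in $configs) {
        # IPAddress holds IPv4 and IPv6 entries; keep only the IPv4 ones.
        $v4    = @($cfg.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
        $apipa = @($v4 | Where-Object { Test-ApipaAddress $_ })
        $diag = 'OK'
        if ($v4.Count -eq 0 -or $v4 -contains '0.0.0.0') {
            $diag = 'No IPv4 address: check cabling/adapter, then ping the DHCP server from another host'
        } elseif ($apipa.Count -gt 0) {
            $diag = 'APIPA address: no DHCP server answered; renew the lease, then check scope and relay'
        } elseif (-not $cfg.DHCPEnabled) {
            $diag = 'Static configuration (DHCP disabled)'
        } elseif (-not $cfg.DefaultIPGateway) {
            $diag = 'Lease has no default gateway: check the router option on the scope'
        }
        New-Object PSObject -Property @{
            Adapter      = $cfg.Description
            Index        = $cfg.Index
            DHCPEnabled  = $cfg.DHCPEnabled
            DHCPServer   = $cfg.DHCPServer
            IPv4Address  = ($v4 -join ',')
            Gateway      = ($cfg.DefaultIPGateway -join ',')
            DnsServers   = ($cfg.DNSServerSearchOrder -join ',')
            LeaseExpires = $cfg.DHCPLeaseExpires
            Diagnosis    = $diag
        }
    }
}

function Repair-DhcpLease {
    # Equivalent of ipconfig /release followed by ipconfig /renew for one
    # adapter, identified by its WMI Index; a WMI return value of 0 is success.
    param([int]$Index)
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index = $Index"
    if (-not $cfg.DHCPEnabled) {
        # Switch the adapter to automatic addressing first; calling
        # SetDNSServerSearchOrder with no list means "obtain DNS automatically".
        $rc = $cfg.EnableDHCP().ReturnValue
        if ($rc -ne 0) { throw "EnableDHCP failed with code $rc" }
        $cfg.SetDNSServerSearchOrder() | Out-Null
    } else {
        $cfg.ReleaseDHCPLease() | Out-Null
    }
    $rc = $cfg.RenewDHCPLease().ReturnValue
    if ($rc -ne 0) { throw "RenewDHCPLease failed with code $rc (is a DHCP server or relay reachable?)" }
    Get-DhcpClientState | Where-Object { $_.Index -eq $Index }
}

Get-DhcpClientState | Format-Table Adapter, IPv4Address, DHCPServer, Diagnosis -AutoSize
# Repair-DhcpLease -Index 7      # renew the lease on the adapter with WMI Index 7
```

The Diagnosis text mirrors the order of the table: hardware and reachability first, then the lease, then scope options; a static adapter is reported rather than "repaired" so that a deliberately configured server or printer is not switched to DHCP by accident.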
Lesson 4
Computers can communicate over a network by using a name in place of an IP address. Name resolution is used to find an IP address that corresponds to a name, such as a hostname. This lesson focuses on different types of computer names and the methods to resolve them.
Key Points
Name resolution is the process of converting computer names to IP addresses. The application developer determines which kind of name an application uses. In Windows operating systems, applications can request network services through Windows Sockets, Winsock Kernel, or NetBIOS. If an application requests network services through Windows Sockets or Winsock Kernel, it uses host names. If an application requests services through NetBIOS, it uses a NetBIOS name. A host name is associated with a host's IP address and identifies it as a TCP/IP host. It is no more than 255 characters in length and contains alphanumeric characters, periods, and hyphens. Applications use the 16-character NetBIOS name to identify a NetBIOS resource on a network. A NetBIOS name represents a single computer or a group of computers. NetBIOS uses the first 15 characters for a specific computer's name and the sixteenth character to identify a resource or service on that computer.
Key Points
The methods supported by Windows 7 for resolving computer names include Domain Name System (DNS) and Windows Internet Naming Service (WINS). DNS is a service that manages the resolution of host names to IP addresses. DNS maps user-friendly names to a computer's IP address (IPv4 or IPv6). A host name is the most common name type that DNS uses. Applications use DNS to do the following:
Locate domain controllers and global catalog servers.
Resolve host names to IP addresses, and IP addresses to host names.
Locate the mail server for e-mail delivery.
WINS is a NetBIOS name server used to resolve NetBIOS names to IPv4 addresses. WINS provides a centralized database for registering dynamic mappings of a network's NetBIOS names. WINS is built on a protocol that registers, resolves, and releases NetBIOS names by using unicast transmissions rather than repeated transmissions of broadcast messages. This protocol allows the system to work across routers and eliminates the need for an LMHOSTS file. The protocol also restores the dynamic nature of NetBIOS name resolution and enables the system to work seamlessly with DHCP. Without WINS, NetBIOS names are resolved by broadcast on the local subnet, and any host on that subnet can answer such a query; this is one reason to disable NetBIOS over TCP/IP on networks where no application still needs it.
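The two name forms from this lesson handled in code, as an added example that is not part of the course text. Host names are validated against the length and character rules given above. NetBIOS names are built in the 15-character-plus-suffix form described above and then converted to the "first-level" encoding from RFC 1001 (each nibble becomes a letter A to P), which is the form the names take in NetBIOS name registration and query packets that WINS and broadcast resolution carry. The service-suffix values are the standard ones that nbtstat displays; the sample name LON-DC1 is the lab's domain controller. PowerShell 2.0 syntax.

```powershell
# Added example, not part of the course text: host-name validation and the
# 15+1 NetBIOS name form from this lesson, including the RFC 1001 first-level
# encoding used on the wire. The suffix table is the standard one shown by
# nbtstat. PowerShell 2.0 syntax.

$NetBiosSuffix = @{
    0x00 = 'Workstation service'
    0x03 = 'Messenger service'
    0x1B = 'Domain master browser'
    0x1C = 'Domain controllers (group)'
    0x1D = 'Master browser'
    0x1E = 'Browser service elections'
    0x20 = 'File server service'
}

function Test-HostName {
    # Host names: at most 255 characters, labels of letters, digits and
    # hyphens separated by periods, no label starting or ending with a hyphen.
    param([string]$Name)
    if ($Name.Length -eq 0 -or $Name.Length -gt 255) { return $false }
    foreach ($label in $Name.Split('.')) {
        if ($label -notmatch '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$') { return $false }
    }
    return $true
}

function ConvertTo-NetBiosName {
    # Builds the 16-byte name: 15 characters, upper-cased and space padded,
    # followed by the one-byte service suffix, then encodes each byte as two
    # letters (high nibble first, each nibble added to 'A', 0x41).
    param([string]$Name, [int]$Suffix = 0x00)
    if ($Name.Length -gt 15) { throw "NetBIOS name '$Name' is longer than 15 characters" }
    $padded  = $Name.ToUpper().PadRight(15)
    $bytes   = [System.Text.Encoding]::ASCII.GetBytes($padded) + [byte]$Suffix
    $encoded = ''
    foreach ($b in $bytes) {
        $hi = [int](($b -band 0xF0) / 16)
        $lo = [int]($b -band 0x0F)
        $encoded += [char](0x41 + $hi)
        $encoded += [char](0x41 + $lo)
    }
    New-Object PSObject -Property @{
        Name    = $padded.TrimEnd()
        Suffix  = ('{0:X2}' -f $Suffix)
        Service = $NetBiosSuffix[$Suffix]
        Encoded = $encoded
    }
}

function ConvertFrom-NetBiosName {
    # Reverses the encoding: 32 letters A..P back to 15 name bytes plus suffix.
    param([string]$Encoded)
    if ($Encoded.Length -ne 32 -or $Encoded -cnotmatch '^[A-P]+$') {
        throw 'Not a first-level encoded NetBIOS name (expected 32 letters A-P)'
    }
    $bytes = @()
    for ($i = 0; $i -lt 32; $i += 2) {
        $hi = [int][char]$Encoded[$i] - 0x41
        $lo = [int][char]$Encoded[$i + 1] - 0x41
        $bytes += [byte]($hi * 16 + $lo)
    }
    $suffix = [int]$bytes[15]
    New-Object PSObject -Property @{
        Name    = [System.Text.Encoding]::ASCII.GetString([byte[]]$bytes[0..14]).TrimEnd()
        Suffix  = ('{0:X2}' -f $suffix)
        Service = $NetBiosSuffix[$suffix]
    }
}

# Round trip the lab domain controller's file-server name and check it.
$n    = ConvertTo-NetBiosName -Name 'LON-DC1' -Suffix 0x20
$back = ConvertFrom-NetBiosName $n.Encoded
if ($back.Name -ne 'LON-DC1' -or $back.Suffix -ne '20') { throw 'NetBIOS name round trip failed' }
"$($n.Name)<$($n.Suffix)> $($n.Service): $($n.Encoded)"
Test-HostName 'lon-dc1.contoso.com'     # valid host name
Test-HostName '-bad.contoso.com'        # label starts with a hyphen
```

The encoded string is what you will see inside a NetBIOS name query or registration when you capture WINS or broadcast traffic, which is also why such names are easy to spoof: a registration or query answer carries no authentication beyond the name itself.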
Lesson 5
The tools and utilities included in this lesson help IT professionals better manage computers and troubleshoot problems, enabling them to keep users productive while working to reduce costs, maintain compliance, and improve operational efficiency.
Key Points
As the complexity of the networking stack increases, it is becoming more important to provide methods to quickly trace and diagnose issues. Windows 7 includes a number of utilities that help you to diagnose network problems including: Event Viewer Windows Network Diagnostics IPConfig Ping Tracert NSlookup Pathping Unified tracing
Event Viewer
Event logs are files that record significant events on a computer, such as when a process encounters an error. You can use Event Viewer to read the log. When you select a log and then select an event, a preview pane under the event list contains details of the specified event. To help diagnose network problems, look for errors or warnings in the System log related to network services.
IPConfig
IPConfig displays the current TCP/IP network configuration. Additionally, you can use IPConfig to refresh DHCP and DNS settings as discussed in the Windows Network Diagnostics topic.
Ping
Ping verifies IP-level connectivity to another TCP/IP computer. Ping is the primary TCP/IP command used to troubleshoot connectivity.
Tracert
Tracert determines the path taken to a destination computer by sending Internet Control Message Protocol (ICMP) Echo Requests with increasing Time-to-Live (TTL) values. The path displayed is the list of router interfaces between a source and a destination.
Pathping
Pathping traces a route through the network in a manner similar to Tracert. However, Pathping provides more detailed statistics on the individual steps, or hops, through the network.
NSlookup
NSlookup displays information that you can use to diagnose the DNS infrastructure. You can use NSlookup to confirm connection to the DNS server and that the required records exist.
Unified Tracing
The unified tracing feature is intended to help you simplify the process of gathering relevant data to assist in troubleshooting and debugging network connectivity problems. Data is collected across all layers of the networking stack and grouped into activities across the following individual components:
Configuration information
State information
Event or trace logs
Network traffic packets
Key Points
If you experience network connectivity problems while using Windows 7, use Windows Network Diagnostics to start the troubleshooting process. If Windows Network Diagnostics cannot resolve the problem, follow a troubleshooting process using the available Windows 7 tools.
1. Consult Windows Network Diagnostics. Windows Network Diagnostics analyzes the problem and, if possible, presents a solution or a list of possible causes. It either completes the solution automatically or requires that the user perform steps to resolve the problem.
2. Check local IP configuration by using IPConfig. IPConfig with the /all switch displays the computer's IP configuration. Look for an invalid IP address, subnet mask, default gateway, and DNS server.
3. Diagnose two-way communication by using Ping. Ping confirms two-way communication between two computers. If Ping succeeds, the local computer's IP configuration is unlikely to be the cause of the problem; if it fails, the fault can be anywhere on the path, including a firewall that drops ICMP Echo Requests.
4. Identify each hop, or router, between two systems by using Tracert. Tracert identifies each hop between the source and destination systems. If communication fails, use Tracert to identify how many hops are successful and at which hop communication fails.
5. Verify DNS configuration by using NSlookup. NSlookup verifies that the DNS server is available and contains a record for the computer with which you are attempting to communicate. If you suspect that name resolution is the problem, add an entry to the hosts file and then retest name resolution; remove the entry again once the test is complete. You must purge the host-name resolution cache by using ipconfig /flushdns before rerunning the name resolution test.
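The process above as a single script, added here as an example that is not part of the course text. Step 1 (Windows Network Diagnostics) is a GUI wizard and is not scripted; steps 2 to 5 each become a function that returns a result, and the script stops at the first failing step because the later ones would only repeat that failure. The default target is this module's lab domain controller LON-DC1 at 10.10.0.10 (an assumption taken from the lab notes); name resolution goes through the .NET resolver, which also honours the hosts file, so the hosts-file test described in step 5 works unchanged. PowerShell 2.0 syntax, English ipconfig output assumed.

```powershell
# Added example, not part of the course text: the five-step troubleshooting
# process above as a PowerShell 2.0 script for Windows 7. Step 1 is the GUI
# wizard and is not scripted. Target defaults to the lab's LON-DC1 at
# 10.10.0.10 (assumed); pass your own name and address.

param(
    [string]$TargetName = 'LON-DC1',
    [string]$TargetIP   = '10.10.0.10'
)

function Test-LocalIPConfig {
    # Step 2: read ipconfig /all and look for the faults listed above: an
    # APIPA ("Autoconfiguration IPv4 Address") entry, no IPv4 address, no
    # default gateway, no DNS server. Assumes English ipconfig output.
    $text  = ipconfig /all
    $apipa = @($text | Where-Object { $_ -match '^\s*Autoconfiguration IPv4 Address' })
    $ipv4  = @($text | Where-Object { $_ -match '^\s*IPv4 Address' })
    $gw    = @($text | Where-Object { $_ -match '^\s*Default Gateway[ .]*:\s*\d' })
    $dns   = @($text | Where-Object { $_ -match '^\s*DNS Servers[ .]*:\s*\S' })
    if ($apipa.Count -gt 0) { return @{ Ok = $false; Detail = 'APIPA address present: no DHCP server answered' } }
    if ($ipv4.Count -eq 0)  { return @{ Ok = $false; Detail = 'No IPv4 address on any adapter' } }
    if ($gw.Count -eq 0)    { return @{ Ok = $false; Detail = 'No default gateway configured' } }
    if ($dns.Count -eq 0)   { return @{ Ok = $false; Detail = 'No DNS server configured' } }
    return @{ Ok = $true; Detail = ($ipv4[0].Trim() + '; ' + $gw[0].Trim()) }
}

function Test-Reachability {
    # Step 3: Test-Connection sends ICMP Echo Requests like ping.exe; -Quiet
    # returns $true only if a reply came back. A failure can also be a
    # firewall dropping ICMP, so treat it as a clue, not a verdict.
    param([string]$Address)
    $ok = Test-Connection -ComputerName $Address -Count 2 -Quiet
    return @{ Ok = $ok; Detail = "ping $Address replied: $ok" }
}

function Get-HopTrace {
    # Step 4: tracert with numeric output (-d), 15 hops (-h), 1 s timeout (-w).
    # Reports how many hops answered and the last one that did.
    param([string]$Address)
    $hops     = @(tracert -d -h 15 -w 1000 $Address | Where-Object { $_ -match '^\s*\d+\s' })
    $answered = @($hops | Where-Object { $_ -notmatch 'Request timed out' })
    $last = 'none'
    if ($answered.Count -gt 0) { $last = $answered[$answered.Count - 1].Trim() }
    return @{ Ok = ($answered.Count -gt 0); Detail = "$($answered.Count) of $($hops.Count) hops answered; last: $last" }
}

function Test-NameResolution {
    # Step 5: purge the resolver cache first (ipconfig /flushdns) so a stale
    # entry cannot mask a DNS fault, then resolve through the configured
    # resolver and compare with the address already verified in step 3.
    param([string]$Name, [string]$Expected)
    ipconfig /flushdns | Out-Null
    try {
        $addrs = @([System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString })
    } catch {
        return @{ Ok = $false; Detail = "lookup of $Name failed: $($_.Exception.Message)" }
    }
    return @{ Ok = ($addrs -contains $Expected); Detail = "$Name resolves to $($addrs -join ',')" }
}

$steps = @(
    @{ Name = 'Local IP configuration';         Run = { Test-LocalIPConfig } },
    @{ Name = "Ping $TargetIP";                 Run = { Test-Reachability $TargetIP } },
    @{ Name = "Tracert $TargetIP";              Run = { Get-HopTrace $TargetIP } },
    @{ Name = "Name resolution of $TargetName"; Run = { Test-NameResolution $TargetName $TargetIP } }
)
foreach ($step in $steps) {
    $r = & $step.Run
    $status = 'FAIL'; if ($r.Ok) { $status = 'PASS' }
    Write-Output ('{0} {1}: {2}' -f $status, $step.Name, $r.Detail)
    if (-not $r.Ok) { break }
}
```

Because the name is resolved after the IP address has already been pinged, a PASS on steps 3 and 4 with a FAIL on step 5 isolates the fault to name resolution, which is the distinction the lesson's step 5 is after.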
Key Points
This demonstration shows how to resolve common network-related problems.
1. Log on to the computer where you will be resolving common network problems.
2. Open a command prompt.
3. Run the following commands:
   ipconfig /all - Displays all network connections for the computer and shows all network adapter configurations.
   ipconfig /displaydns - Displays the contents of the DNS resolver cache.
   ipconfig /flushdns - Clears the contents of the DNS resolver cache.
   ping localhost - Pings the local host.
   ping <IPv4 address of the domain controller> - Verifies connectivity to the domain controller by IP address.
   ping <host name of the domain controller> - Verifies connectivity to the domain controller by host name, which also exercises name resolution.
   nslookup -debug <host name of the domain controller> - Provides detailed information about the host name resolution. You can use the -d2 option for even more detail.
Note: LON-CL1 is the computer running Windows 7 where you will configure IPv4 addressing. LON-DC1 is the computer running Windows Server 2008 R2 that is running the DHCP service.
Results: After this exercise, you will have tested various scenarios for dynamic IP address assignment and then configured a static IPaddress.
Note: LON-CL1 is the computer running Windows 7 where you will configure IPv6 addressing. LON-DC1 is the computer running Windows Server 2008 R2 that is running the DHCP service.
Results: After this exercise, you will have configured a static IPv6 address and a dynamic IPv6 address.
Note: LON-CL1 is the computer running Windows 7 that you will use to troubleshoot IP connectivity. LON-DC1 is the computer running Windows Server 2008 R2 that is used to test network connectivity.
Run the command ping 10.10.0.10. Run the command ipconfig /all. What DNS server is the computer using?
Results: After this exercise, you will have resolved the connectivity problem between LON-CL1 and LON-DC1.
Review Questions
1. After starting her computer, Amy notices that she is unable to access her normal enterprise resources. What tool can she use to determine if she has a valid IP address?
2. When transmitting Accounts Receivable updates to the billing partner in China, Amy notices that the files are being transmitted slowly. What tool can she use to determine the network path and the latency of the network?
3. Amy notices that she cannot access normal enterprise Web sites. She knows that she has a valid IP address but wants to troubleshoot the DNS access of her computer. What tool must she use?
4. What is the IPv6 equivalent of an IPv4 APIPA address?
5. You are troubleshooting a network-related problem and you suspect a name resolution issue. Before conducting tests, you want to purge the DNS resolver cache. How do you do that?
6. You are troubleshooting a network-related problem. The IP address of the host you are troubleshooting is 169.254.16.17. What is a possible cause of the problem?
Issue: Windows 7 host cannot connect to the Internet
Troubleshooting tip:
Issue: DNS server is not resolving FQDNs correctly
Troubleshooting tip:
Tools
You can use the following tools to troubleshoot network connectivity issues.
Network and Sharing Center: Informs you about your network and verifies whether your PC can successfully access the Internet; it then summarizes this information in the form of a Network Map.
Netsh.exe: A command that you can use to configure network properties from the command line.
Pathping.exe: A command-line tool that combines the functionality of Ping and Tracert, and that you can use to troubleshoot network latency and obtain information about path data.
Nslookup.exe: A command-line tool that you can use to test and troubleshoot DNS and name resolution issues.
Ipconfig.exe: A general IP configuration and troubleshooting tool.
Ping.exe: A basic command-line tool that you can use for verifying IP connectivity.
Tracert.exe: Similar to Pathping; provides information about network routes.
Module 5
Configuring Wireless Network Connections
Contents:
Lesson 1: Overview of Wireless Networks  5-3
Lesson 2: Configuring a Wireless Network  5-10
Lab: Configuring Wireless Network Connections  5-19
Module Overview
The definition of a wireless network is broad. It can refer to any type of wireless devices that are interconnected between nodes without the use of wires or cables. The wireless network discussed in this module refers to a wireless local area network (wireless LAN), which is a type of wireless network that uses radio waves instead of cables to transmit and receive data between computers. A wireless network enables you to access network resources from a computer that is not physically attached to the network by cables.
Wireless network technologies have grown tremendously over the past few years. The security and speed of wireless networks have become reliable, such that increasingly more organizations prefer the use of wireless networks over the traditional wired networks. Windows 7 provides a simple, intuitive, and straightforward user interface for connecting to wireless networks.
Lesson 1
Increasingly more organizations prefer wireless networks over the traditional wired networks. A wireless network gives users flexibility and mobility around the office. Users can have internal meetings or presentations while maintaining connectivity and productivity. With a wireless network, you can create a public network that enables your guests to have an Internet connection without creating security issues for your corporate network. Wireless network technologies have evolved tremendously over the years. Many mobile computers have built-in wireless network adapters, and numerous hardware products exist that support wireless networks with high stability and reliability.
Key Points
A wireless network is a network of interconnected devices that are connected by radio signals instead of wires or cables.
Although wireless networks make roaming convenient and remove unsightly wires from your network, they also have disadvantages, such as possible interference and increased security costs, and they pose security risks that you may have to spend time mitigating.
Regardless of the operating mode, a Service Set Identifier (SSID), also known as the wireless network name, identifies a specific wireless network by name. The SSID is configured on the wireless AP for infrastructure mode or on the initial wireless client for ad hoc mode. The wireless AP or the initial wireless client periodically advertises the SSID so that other wireless nodes can discover and join the wireless network.
Key Points
The following table summarizes the Institute of Electrical and Electronics Engineers (IEEE 802.11) standards for wireless network technology.

802.11a
Advantages: Fast speed; many simultaneous users; not prone to interference.
Disadvantages: Expensive; short signal range; not compatible with 802.11b.
Remarks: Not widely used due to cost and limited range.

802.11b
Disadvantages: Prone to interference.
Remarks: Widely used, especially in public places such as airports and coffee shops.

802.11g
Advantages: Fast speed; more simultaneous users; good signal range; compatible with 802.11b.
Disadvantages: Prone to interference.
Remarks: Gaining popularity due to its faster speed, backward compatibility, and cheaper cost.

802.11n
Advantages: Fastest speed; not prone to interference; compatible with 802.11a, b, and g.
Disadvantages: Costs more than 802.11g.
Remarks: Gaining popularity, even though the standard is still under development.
Note: Standard 802.11n is a proposed 802.11 standard. The operating frequency is in both the 5 GHz and 2.4 GHz bands, providing more scope for networks to avoid interference with other wireless devices. This standard's speed will be 600 Mbps, with a range of approximately 300 meters. The IEEE likely will not finalize 802.11n until late 2009. Even so, more organizations have begun migrating to 802.11n based on the Draft 2 proposal.
Windows 7 provides built-in support for all 802.11 wireless networks, but the wireless components of Windows depend on the following:
Capabilities of the wireless network adapter: The installed wireless network adapter must support the wireless network or wireless security standards that you require.
Capabilities of the wireless network adapter driver: To enable you to configure wireless network options, the driver for the wireless network adapter must support the reporting of all of its capabilities to Windows.
Wireless Broadband
Wireless broadband is a wireless technology that provides high-speed wireless Internet and data network access. Wireless broadband offers Internet speeds comparable to wired broadband, such as ADSL or cable modems. Windows 7 provides a driver-based model for mobile broadband devices. With Windows 7, users can simply connect a mobile broadband device and immediately begin using it. The interface in Windows 7 is the same regardless of the mobile broadband provider. You connect to a wireless broadband network just as you connect to any other wireless network.
Key Points
To protect your wireless network, configure authentication and encryption options:
Authentication: Computers must provide either valid account credentials (such as a user name and password) or proof that they have been configured with an authentication key before being allowed to send data frames on the wireless network.
Encryption: The content of all wireless data frames is encrypted so that only the intended receiver can interpret it.
Wireless LANs support the following security standards:
IEEE 802.11: The original IEEE 802.11 standard defined the open system and shared key methods for authentication and Wired Equivalent Privacy (WEP) for encryption. WEP can use either 40-bit or 104-bit encryption keys. WEP has several security flaws. The IEEE has declared WEP deprecated because it fails to meet its security goals; despite its weaknesses, WEP is still widely used. Note that shared key authentication is weaker than open system authentication, because its challenge/response exchange exposes WEP keystream to anyone listening.
IEEE 802.1X: IEEE 802.1X was a standard that existed for Ethernet switches and was adapted to wireless LANs to provide much stronger authentication than the original 802.11 standard. IEEE 802.1X authentication is designed for medium and large wireless LANs that contain an authentication infrastructure consisting of Remote Authentication Dial-In User Service (RADIUS) servers and account databases such as the Active Directory directory service.
Wi-Fi Protected Access: While the IEEE 802.11i wireless LAN security standard was being finalized, the Wi-Fi Alliance, an organization of wireless equipment vendors, created an interim standard known as Wi-Fi Protected Access (WPA). WPA replaces WEP with a much stronger encryption method known as the Temporal Key Integrity Protocol (TKIP). WPA also allows the optional use of the Advanced Encryption Standard (AES) for encryption. WPA is available in two different modes:
WPA-Enterprise: In the Enterprise mode, an 802.1X authentication server distributes individual keys to users that have a wireless designation. It is designed for medium and large infrastructure mode networks. WPA-Personal: In the Personal mode, a pre-shared key (PSK) is used for authentication and you provide the same key to each user. It is designed for small office/home office (SOHO) infrastructure mode networks.
Wi-Fi Protected Access 2: The IEEE 802.11i standard formally replaces WEP and the other security features of the original IEEE 802.11 standard. Wi-Fi Protected Access 2 (WPA2) is a product certification available through the Wi-Fi Alliance that certifies wireless equipment as being compatible with the IEEE 802.11i standard. WPA2 requires support for both TKIP and AES encryption. Similar to WPA, WPA2 is available in two different modes: WPA2-Enterprise and WPA2-Personal. When you configure WPA2, select AES (CCMP) rather than TKIP: TKIP was designed as a stop-gap for WEP-era hardware and has since been deprecated by the IEEE, and in Personal mode the security of the network is no better than the passphrase from which every client derives the same key.
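The standards above turned into a check you can run on a client, as an added example that is not part of the course text: it grades every wireless network a Windows 7 machine can see so that a network still using WEP, no encryption, or TKIP is identified before anyone joins it. The parser reads the output of "netsh wlan show networks mode=bssid"; the sample text is constructed to look like that output (English locale assumed) so the script also runs on a machine without a wireless adapter. PowerShell 2.0 syntax.

```powershell
# Added example, not part of the course text: grade visible wireless networks
# against the security standards above. Parses "netsh wlan show networks
# mode=bssid" output; the sample below is constructed (English locale).

$SampleScan = @'
Interface name : Wireless Network Connection
There are 3 networks currently visible.

SSID 1 : ContosoCorp
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 82%
         Radio type         : 802.11n
         Channel            : 36

SSID 2 : ContosoGuest
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 00:11:22:33:44:56
         Signal             : 80%
         Radio type         : 802.11g
         Channel            : 6

SSID 3 : PlantLegacy
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : WEP
    BSSID 1                 : 00:aa:bb:cc:dd:ee
         Signal             : 55%
         Radio type         : 802.11b
         Channel            : 11
'@ -split "`r?`n"

function ConvertFrom-WlanScan {
    # Turns the netsh text into one object per SSID (first BSSID kept).
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^SSID \d+\s*:\s*(.*)$') {
            if ($current) { $current }
            $current = New-Object PSObject -Property @{
                SSID = $matches[1].Trim(); Authentication = ''; Encryption = ''
                BSSID = ''; Signal = 0; Grade = ''
            }
        } elseif ($current -and $line -match '^\s*(Authentication|Encryption|BSSID \d+|Signal)\s*:\s*(.*)$') {
            $key = $matches[1]; $val = $matches[2].Trim()
            switch -regex ($key) {
                '^BSSID'  { if (-not $current.BSSID) { $current.BSSID = $val } }
                '^Signal' { $current.Signal = [int]($val -replace '%', '') }
                default   { $current.$key = $val }
            }
        }
    }
    if ($current) { $current }
}

function Get-WlanSecurityGrade {
    # Encryption decides first: None and WEP are broken regardless of the
    # authentication method; TKIP is the WPA-era cipher to migrate away from.
    param($Network)
    $auth = $Network.Authentication; $enc = $Network.Encryption
    if ($enc -eq 'None') { return 'CRITICAL: open network, frames are not encrypted' }
    if ($enc -eq 'WEP')  { return 'CRITICAL: WEP, deprecated by the IEEE' }
    if ($enc -eq 'TKIP') { return 'WARNING: TKIP cipher, move to WPA2 with AES (CCMP)' }
    if ($auth -match 'Enterprise') { return 'OK: 802.1X authentication with AES (CCMP)' }
    if ($auth -match 'Personal')   { return 'OK: pre-shared key with AES (CCMP); strength depends on the passphrase' }
    return "REVIEW: unrecognised combination $auth / $enc"
}

$networks = @(ConvertFrom-WlanScan $SampleScan)
# Live environment instead of the sample:
# $networks = @(ConvertFrom-WlanScan (netsh wlan show networks mode=bssid))
foreach ($n in $networks) { $n.Grade = Get-WlanSecurityGrade $n }
$networks | Format-Table SSID, BSSID, Signal, Authentication, Encryption, Grade -AutoSize
```

On the sample, ContosoCorp grades OK, ContosoGuest and PlantLegacy grade CRITICAL; run against a live scan, the same table is a quick way to find the legacy equipment the lab scenario later asks about.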
Lesson 2
In an organization that has a wireless network, users may choose to use the wireless network as the main connectivity to network resources. You must understand how to create and connect to a wireless network from a Windows 7-based computer. You also need to know how to improve the wireless signal strength for your users and how to troubleshoot common wireless connection problems. This troubleshooting process uses the new network diagnostics included with Windows 7. You need to be familiar with the new network diagnostics so that you can assist your users.
Key Points
To configure a wireless network, you must have a wireless AP that physically connects to your network and a wireless network adapter in your client computers. A wireless AP uses radio waves to broadcast its SSID. To configure a wireless AP, you must enter its SSID and configure a valid TCP/IP address on your network. Typically, a wireless AP has an administrator page that can be accessed from a web browser by using its default IP address. Depending on the manufacturer, different wireless APs have different default IP addresses to start with. Several wireless APs can also be configured from a command prompt by using the telnet command-line tool. Telnet sends the administrator password in clear text; prefer HTTPS or SSH where the AP supports them, and change the default administrator credentials before you connect the AP to the production network.
Key Points
With Windows 7, connecting to a wireless network has never been simpler. If the wireless access point (wireless AP) is configured to advertise its Service Set Identifier (SSID), the Windows 7 client can detect the signal and automatically create a wireless network profile and set the configuration to connect to the wireless network.
If you choose to add a wireless network manually, there are several settings that you can configure in Windows 7 when creating a wireless network profile. You have to configure these settings to match the wireless AP that you want to connect to. The Manage Wireless Networks window is used to configure wireless network connections. It can be accessed from the Network and Sharing Center. The Network and Sharing Center tool can be accessed from the Control Panel or from the network icon on the system tray. To view the settings of a wireless network, from the Manage Wireless Networks window, right-click the wireless network profile and then click Properties.
General Settings
The following settings are mandatory for every wireless network profile.
SSID: Every wireless network has an SSID. If you are configuring the wireless network profile manually, you must know the exact SSID of the wireless network that you want to connect to.
Network Type: There are two options: Access point and Ad hoc network. Select Access point to connect to a wireless AP, which means configuring the wireless network to operate in infrastructure mode, and select Ad hoc network to connect to another wireless network adapter, which means configuring the wireless network to operate in ad hoc mode.
Connection Settings
The following settings configure how the Windows 7 client connects to a wireless network.
Connect automatically when this network is in range: The computer will try to connect to this particular wireless network whenever it is in range. Connect to a more preferred network if available: If this is selected, when there are multiple wireless networks in range, the computer will try to connect to one of the others instead of this particular wireless network. Connect even if the network is not broadcasting its name (SSID): Select this if the wireless AP is configured to not advertise its SSID.
Security Types
The following settings determine what type of authentication and encryption are used to connect to a wireless network.
No authentication (open): If you select this security type, two options are available for the encryption type: None and WEP.
Shared: If you select this security type, only WEP is available for the encryption type.
WPA (Personal and Enterprise): In the Personal mode, you provide the same network security key to each user. In the Enterprise mode, an authentication server distributes individual keys to the users. If you select this security type, two options are available for the encryption type: TKIP and AES.
WPA2 (Personal and Enterprise): Similar to WPA, it also has the Personal and Enterprise modes and two options for the encryption type: TKIP and AES.
802.1X: If you select this security type, only WEP is available for the encryption type (802.1X with dynamic WEP keys).
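The profile settings from this topic and the preceding ones (SSID, broadcast behaviour, automatic connection, security type and encryption) generated and imported from a script, as an added example that is not part of the course text. The XML follows the WLAN_profile schema that Windows itself uses ("netsh wlan export profile" produces the same shape), and the function maps the security types listed above to the schema's values. Unless -AllowWeak is given it refuses the combinations the lesson marks as weak (open, shared, WEP, TKIP). Enterprise profiles additionally need an EAP section that depends on your RADIUS setup, so the function stops with a message for them. The SSID and passphrase are placeholders; PowerShell 2.0 syntax, elevated prompt for the import.

```powershell
# Added example, not part of the course text: build a Windows 7 wireless
# profile from the settings in this topic and import it with
# "netsh wlan add profile". SSID and key are placeholders.

# Security type as shown in the profile dialog -> <authentication> value.
$AuthMap = @{
    'Open'            = 'open'
    'Shared'          = 'shared'
    'WPA-Personal'    = 'WPAPSK'
    'WPA-Enterprise'  = 'WPA'
    'WPA2-Personal'   = 'WPA2PSK'
    'WPA2-Enterprise' = 'WPA2'
}
$WeakAuth = @('Open', 'Shared')
$WeakEnc  = @('none', 'WEP', 'TKIP')   # schema spells these none / WEP / TKIP / AES

function New-WlanProfileXml {
    param(
        [string]$Ssid,
        [string]$SecurityType = 'WPA2-Personal',
        [string]$Encryption   = 'AES',
        [string]$Key          = '',
        [switch]$NonBroadcast,     # "Connect even if the network is not broadcasting its name"
        [switch]$ManualConnect,    # clears "Connect automatically when this network is in range"
        [switch]$AllowWeak
    )
    if (-not $AuthMap.ContainsKey($SecurityType)) { throw "Unknown security type '$SecurityType'" }
    if ($SecurityType -match 'Enterprise') {
        throw 'Enterprise profiles need a <OneX> EAP section matching your RADIUS servers; export one from a configured client with: netsh wlan export profile'
    }
    if (-not $AllowWeak -and (($WeakAuth -contains $SecurityType) -or ($WeakEnc -contains $Encryption))) {
        throw "$SecurityType with $Encryption is a weak setting; use WPA2-Personal with AES, or pass -AllowWeak"
    }
    $keyType = 'passPhrase'                                   # WPA/WPA2: 8 to 63 characters
    if ($Encryption -eq 'WEP') { $keyType = 'networkKey' }    # WEP: hex key
    if ($keyType -eq 'passPhrase' -and ($Key.Length -lt 8 -or $Key.Length -gt 63)) {
        throw 'A WPA/WPA2 passphrase must be 8 to 63 characters'
    }
    $esc = [System.Security.SecurityElement]::Escape($Ssid)
    $nb  = 'false'; if ($NonBroadcast)  { $nb = 'true' }
    $cm  = 'auto';  if ($ManualConnect) { $cm = 'manual' }
    $keyXml = ''
    if ($Encryption -ne 'none') {
        $keyXml = @"
      <sharedKey>
        <keyType>$keyType</keyType>
        <protected>false</protected>
        <keyMaterial>$([System.Security.SecurityElement]::Escape($Key))</keyMaterial>
      </sharedKey>
"@
    }
    @"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$esc</name>
  <SSIDConfig>
    <SSID><name>$esc</name></SSID>
    <nonBroadcast>$nb</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>$cm</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>$($AuthMap[$SecurityType])</authentication>
        <encryption>$Encryption</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
$keyXml
    </security>
  </MSM>
</WLANProfile>
"@
}

function Add-WlanProfile {
    # Writes the XML to a temporary file, imports it for all users of the
    # computer, and deletes the file because it contains the key in clear.
    param([string]$Xml)
    $path = Join-Path $env:TEMP 'wlan-profile.xml'
    Set-Content -Path $path -Value $Xml -Encoding UTF8
    try {
        $out = netsh wlan add profile filename="$path" user=all
        if ($LASTEXITCODE -ne 0) { throw "netsh wlan add profile failed: $out" }
        $out
    } finally {
        Remove-Item $path -ErrorAction SilentlyContinue
    }
}

$xml = New-WlanProfileXml -Ssid 'ContosoCorp' -SecurityType 'WPA2-Personal' -Encryption 'AES' -Key 'replace-with-a-long-passphrase'
$xml
# Add-WlanProfile $xml        # import (elevated); Windows stores the key encrypted from then on
```

Once imported, the profile appears in the Manage Wireless Networks window exactly as if it had been created through the dialog described above; "netsh wlan show profiles" lists it and "netsh wlan delete profile name=ContosoCorp" removes it.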
Note: If you select an Enterprise option, you must provide additional information about how authentication is handled within your organization, for example the name of a RADIUS server and other settings.
10. Define the pre-shared key.
11. Save the settings. Most wireless APs have a separate persistent save, which means that the device remembers the settings even after you power it down and start it again.
12. Most wireless APs also provide options for more advanced settings. These include MAC address filtering and bridging and are out of the scope of this demonstration.
Question: What advanced wireless settings do you consider that improve security?
Note: The specifics of the settings vary from network to network. In addition, the options available may be restricted by Group Policy. Your ability to create a network connection may be restricted.
6. After defining the network settings, you can connect to the network.
7. You can view the network status through the Network and Sharing Center. By default, all networks are placed in the Public network profile, which is the most restrictive.
8. Define a location profile for this network. Once you define a network location profile for a network connection, Windows remembers it for subsequent connections to that network.
Question: Can a user connect a computer to an unlisted network if he or she does not know the SSID?
Question: What are possible issues that arise when you connect to unsecured networks?
Key Points
Connecting to the wireless AP on a network with the strongest signal will provide the best wireless performance. The following table shows several common problems and solutions with regard to low signal strength.
Problem: Proximity or physical obstruction
Troubleshooting tips:
If you are unable to get closer to the wireless AP, consider installing an external antenna on your wireless network adapter.
Check for physical objects that may cause interference, such as a thick wall or metal cabinet, and consider removing the physical objects or repositioning the wireless AP or the client.
Add wireless APs to the wireless network whenever applicable.
Problem: Interference from other signals
In cases where you cannot see the wireless network, consider the following troubleshooting steps:
Check that your wireless network adapter has the correct driver and is working properly.
Check your computer for an external switch for the wireless network adapter.
Check that the wireless AP is turned on and working properly.
Check whether the wireless AP is configured to advertise its SSID.
Key Points
Windows 7 includes the Network Diagnostic tool, which can be used to troubleshoot network problems. Use this tool to diagnose the issues that might prevent you from connecting to any network, including wireless networks. This tool can reduce the time you spend diagnosing wireless network problems.
Note: Your instructor may run this exercise as a class discussion.
Contoso Corporation Production Plant Wireless Network Requirements
Document Reference Number: AR-09-15-01
Document Author: Amy Rusko
Date: September 15th

Requirement Overview
I want to deploy wireless networks across all of the production plants in the UK, starting with the largest in Slough. Security is critical, and we must deploy the strongest security measures available. Some of our older computer equipment supports earlier wireless standards only. Cordless telephones are in use at the plants. Some of the production plants are located in busy trading districts with other commercial organizations located nearby. Again, it is important that the Contoso network is not compromised.

Additional Information
What technical factors will influence the purchasing decision for the WAPs that Amy needs to consider?
How many WAPs does Amy need to purchase?
Where will you advise Amy to place the WAPs?
Which security measures will you recommend to Amy?

Proposals
Task 1: Read the Contoso Corporation Production Plant Wireless Network Requirements document
Read the Contoso Corporation Production Plant Wireless Network Requirements document.
Note: Your instructor may run this exercise as a class discussion.

Incident Record
Incident Reference Number: 501235
Date of Call: October 21st
Time of Call: 10:45
User: Amy Rusko (Production Department)
Status: OPEN

Incident Details
Intermittent connection problems from computers connecting to the Slough production department. Some users can connect to the Slough wireless access points from the parking lot.

Additional Information
How will you verify that these problems are occurring?
What do you suspect is causing these problems?
How will you rectify these problems?

Plan of action
Results: After this exercise, you will have a completed action plan for resolution of the problem at the Slough plant.
Common Issues Related to Finding Wireless Networks and Improving Signal Strength
The following table lists common issues related to finding wireless networks and improving signal strength.

Problem: Proximity or physical obstruction
Troubleshooting Tips:
Tools
Tool: Network and Sharing Center
Use to: Configure network settings
Where to find it: Control Panel

Tool: Connect to a Network
Use to: Configure a Windows 7-based client to connect to a wireless network
Where to find it: Network and Sharing Center, Systray

Tool: Netsh
Use to: Configure local or remote network settings
Where to find it: Command prompt

Tool: Windows Network Diagnostics
Use to: Troubleshoot access to wireless networks
Where to find it: Network and Sharing Center, Systray
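As an added example (not part of the course material), the following PowerShell script uses the Netsh tool listed above to inventory the wireless profiles saved on a Windows 7 client and flag any whose authentication or cipher would not satisfy a "strongest security available" requirement such as Contoso's. The profile names and the sample netsh output at the end are constructed, and the weak/strong classification is this example's own assumption.

```powershell
# Added example, not from the course: audit saved wireless profiles with netsh wlan.
# Profiles using anything other than WPA2 with AES/CCMP are reported as weak so an
# administrator can replace them. Profile names and sample output are constructed.

function Get-NetshField {
    # Returns the value after "Field : value" in netsh output, or 'Unknown' if absent.
    param([string[]]$Lines, [string]$Field)
    $pattern = '^\s*' + $Field + '\s*:\s*(.+)$'
    $hit = $Lines | Select-String -Pattern $pattern | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value.Trim() } else { 'Unknown' }
}

function Test-WlanProfileSecurity {
    # Classifies one profile; pass -ProfileText to analyse captured output offline.
    param([string]$ProfileName, [string[]]$ProfileText)
    if (-not $ProfileText) { $ProfileText = netsh wlan show profile name="$ProfileName" }
    $auth   = Get-NetshField $ProfileText 'Authentication'
    $cipher = Get-NetshField $ProfileText 'Cipher'
    # Assumed classification: anything that is not WPA2 with CCMP (AES) is weak.
    $weak = ($auth -notmatch '^WPA2') -or ($cipher -ne 'CCMP')
    New-Object PSObject -Property @{
        Profile = $ProfileName; Authentication = $auth; Cipher = $cipher; Weak = $weak
    }
}

function Get-WlanProfileReport {
    # Enumerates every saved profile on this computer and classifies each one.
    $names = netsh wlan show profiles | Select-String 'All User Profile\s*:\s*(.+)$' |
             ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
    foreach ($n in $names) { Test-WlanProfileSecurity -ProfileName $n }
}

# Constructed samples in the shape of "netsh wlan show profile" output (offline check).
$strongSample = @'
Profile ContosoPlant on interface Wireless Network Connection:
Security settings
-----------------
    Authentication         : WPA2-Enterprise
    Cipher                 : CCMP
'@ -split "`r?`n"

$weakSample = @'
Profile PlantLegacy on interface Wireless Network Connection:
Security settings
-----------------
    Authentication         : Open
    Cipher                 : WEP
'@ -split "`r?`n"

Test-WlanProfileSecurity -ProfileName 'ContosoPlant' -ProfileText $strongSample
Test-WlanProfileSecurity -ProfileName 'PlantLegacy'  -ProfileText $weakSample
# On a real Windows 7 client: Get-WlanProfileReport | Where-Object { $_.Weak }
```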
Module 6
Securing Windows 7 Desktops
Contents:
Lesson 1: Overview of Security Management in Windows 7
Lesson 2: Securing a Windows 7 Client Computer by Using Local Security Policy Settings
Lesson 3: Securing Data by Using EFS and BitLocker
Lesson 4: Configuring Application Restrictions
Lesson 5: Configuring User Account Control
Lab A: Configuring UAC, Local Security Policies, EFS, and AppLocker
Lesson 6: Configuring Windows Firewall
Lesson 7: Configuring Security Settings in Internet Explorer 8
Lesson 8: Configuring Windows Defender
Lab B: Configuring Windows Firewall, Internet Explorer 8 Security Settings, and Windows Defender
Module Overview
Users increasingly expect more from the technologies they use. They expect to be able to work from home, from branch offices, and on the road without a decrease in productivity. With Windows 7, IT professionals can meet users' diverse needs in a way that is more manageable. Security and control are enhanced, reducing the risk associated with data on lost computers or external hard drives. Because Windows 7 is based on the Windows Vista foundation, companies that have already deployed Windows Vista will find that Windows 7 is highly compatible with existing hardware, software, and tools. This module describes how to make a computer more secure while ensuring that you do not sacrifice usability in the process. Windows 7 helps make the system more usable and manageable by using the following security features to combat the continually evolving threat landscape:
Fundamentally Secure Platform
Helping Secure Anywhere Access
Protecting Users and Infrastructure
Protecting Data from Unauthorized Viewing
Lesson 1
The Windows 7 operating system provides a robust, secure platform through the provision of a number of programs that help simplify balancing security and usability. You need to understand how the new Windows 7 security features work so that you can quickly and effectively diagnose and fix any problems whenever there is the need to troubleshoot a security-related issue. This lesson introduces the security management topics covered in the remainder of the module. It then introduces the Windows 7 Action Center, which provides a central location for managing your security configuration.
Key Points
Windows 7 provides the following tools and features designed to maximize platform and client security while balancing security and usability:
Windows 7 Action Center: A central location for users to deal with messages about their local computer and the starting point for diagnosing and solving issues with their system.
Encrypting File System (EFS): The built-in encryption tool for Windows file systems.
Windows BitLocker and BitLocker To Go: Helps mitigate unauthorized data access by rendering data inaccessible when BitLocker-protected computers are decommissioned or recycled. BitLocker To Go provides similar protection to data on removable data drives.
Windows AppLocker: Allows administrators to specify exactly what is allowed to run on user desktops.
User Account Control: Simplifies the ability of users to run as standard users and perform all necessary daily tasks.
Windows Firewall with Advanced Security: Helps provide protection from malicious users and programs that rely on unsolicited incoming traffic to attack computers.
Windows Defender: Helps protect you from spyware and other forms of malicious software.
Key Points
Action Center is a central location for dealing with messages about your system and the starting point for diagnosing and solving issues with your system. You can think of Action Center as a message queue that displays the items that require your attention and need to be managed according to your schedule. Windows Action Center consolidates the Windows 7 security-related tools in one location, simplifying your ability to access and use the specific tool that you need. Windows Action Center includes access to the following four essential security features:
Firewall
Automatic updating
Malware protection
Other security settings
Action Center checks several security and maintenance-related items that help indicate the computer's overall performance. When the status of a monitored item changes, Action Center notifies you with a message in the notification area on the taskbar, the status of the item in Action Center changes color to reflect the severity of the message, and an action is recommended. If you prefer to keep track of an item yourself, and you do not want to see status notifications, turn off notifications for the item. When you clear the check box for an item on the Change Action Center Settings page, you will not receive any messages, and you will not see the item's status in Action Center. It is recommended that you check the status of all items listed, since many help warn you about security issues. However, if you decide to turn off messages for an item, you can always turn on messages again. This demonstration shows how to configure the Action Center Settings and User Control Settings in Windows 7.
Lesson 2
Group Policy provides an infrastructure for centralized configuration management of the operating system and applications that run on the operating system. This lesson discusses Group Policy fundamentals such as the difference between local and domain-based policy settings and introduces you to how Group Policy can simplify managing computers and users in an Active Directory environment. This lesson also discusses Group Policy features that are included with the Windows Server 2008 operating system and are available with the Windows 7 client.
Key Points
Group Policy is a technology that allows you to efficiently manage a large number of computer and user accounts through a centralized model. Group Policy changes are configured on the server and then propagate to client computers in the domain. Group Policy in Windows 7 uses new XML-based templates to describe registry settings. When you enable settings in these templates, Group Policy allows you to apply computer and user settings either on a local computer or centrally through Active Directory. IT professionals typically use Group Policy to:
Apply standard configurations.
Deploy software.
Enforce security settings.
Enforce a consistent desktop environment.
A collection of Group Policy settings is called a Group Policy object (GPO). One GPO can be applied simultaneously to many different containers in Active Directory's Directory Service. Conversely, a container can have multiple GPOs simultaneously applied to it. In this case, users and computers receive the cumulative effect of all policy settings applied to them.
GPO, you can create custom local user group policy objects. You can maintain these local GPOs using the Group Policy Object Editor snap-in. With Group Policy, you can define the state of users' work environments once and rely on the system to enforce the policies that you define. With the Group Policy snap-in you can specify policy settings for the following:
Registry-based policies
Security options
Software installation and maintenance options
Scripts options
Key Points
Client components known as Group Policy client-side extensions (CSEs) initiate Group Policy by requesting GPOs from the domain controller that authenticated them. The CSEs interpret and apply the policy settings. Windows 7 applies computer settings when the computer starts and user settings when you log on to the computer. Both computer and user settings are refreshed at regular, configurable intervals. The default refresh interval is every 90 minutes. Group Policy is processed in the following order:
1. Local computer policy settings
2. Site-level policy settings
3. Domain-level policy settings
4. Organizational Unit (OU) policy settings
Policy settings applied to higher level containers pass through to all sub-containers in that part of the Active Directory tree. For example, a policy setting applied to an OU also applies to any child OUs below it. If policy settings are applied at multiple levels, the user or computer receives the effects of all policy settings. In case of a conflict between policy settings, the policy setting applied last is the effective policy, though you can change this behavior as needed.
Key Points
The computing environment provides users with hundreds, if not thousands, of configurable settings manageable by using Group Policy. IT professionals can manage the many configurable settings through Multiple Local Group Policy objects (MLGPO). MLGPO allows an administrator to apply different levels of Local Group Policy to local users on a standalone computer. This technology is ideal for shared computing environments where domain-based management is not available. MLGPO allows user settings targeted at the following three layers of Local Group Policy objects:
Local Group Policy
Administrator and Non-Administrators Group Policy
User-specific Local Group Policy
Processing Order
The benefits of MLGPO come from the processing order of the three separate layers. The layers are processed as follows:
1. The Local Group Policy object is applied first.
2. The Administrators and Non-Administrators Local Group Policy objects are applied next.
3. User-specific Local Group Policy is applied last.
the conflict by overwriting any previous setting with the last read (most current) setting. The final setting is the one Windows uses. Question: An administrator disables the setting titled Disable the Security page in the Local Group Policy object. The administrator then enables the same setting in a user-specific Local Group Policy object. The user logging on to the computer is not an administrator. Which policy setting will be applied to this Local Group Policy object?
This demonstration shows how to create and verify settings of multiple local group policies in Windows 7.
5. Save the document as AdminScript.vbs of type All Files.
6. Open the AdminScript, click OK in the Add a Script and Logon Properties dialog boxes.
You can use the Local Group Policy Editor to configure the settings on a standalone workstation that is running Windows 7. To configure local Group Policy, run gpedit.msc from the Search box with elevated privileges. Use the security-related information in the following table to configure the settings.

Setting: Password Policy
Meaning: A subcomponent of Account Policies that enables you to configure password history, maximum and minimum password age, password complexity, and password length. Note: This only applies to local accounts.

Setting: Account Lockout Policy
Meaning: A subcomponent of Account Policies that enables you to define settings related to the action you want Windows 7 to take when a user enters an incorrect password at logon. Note: This only applies to local accounts.

Setting: Audit Policy
Meaning: A subcomponent of Local Policies that enables you to define audit behavior for various system activities, including logon events and object access.

Setting: User Rights Assignment
Meaning: A subcomponent of Local Policies that enables you to configure user rights, including the ability to log on locally, access the computer from the network, and shut down the system.

Setting: Security Options
Meaning: A subcomponent of Local Policies that enables you to configure many settings, including Interactive logon settings, User Account Control settings,
Setting: Windows Firewall with Advanced Security
Meaning: Enables you to configure the firewall settings.

Setting: Network List Manager Policies
Meaning: Enables you to configure user options for configuring new network locations.

Setting: Public Key Policies
Meaning: Include settings for Certificate Auto-Enrollment and the Encrypting File System (EFS) Data Recovery Agents.

Setting: Software Restrictions Policies
Meaning: Enables you to identify and control which applications can run on the local computer.

Setting: IP Security Policies
Meaning: Enables you to create, manage, and assign IPSec policies.

Setting: Windows Update
Meaning: Enables you to configure Automatic updating. Located under Administrative Templates\Windows Components.

Setting: Disk Quotas
Meaning: Enables you to configure disk quotas. Located under Administrative Templates\System.

Setting: Driver Installation
Meaning: Enables you to configure driver installation behavior. Located under Administrative Templates\System.
This demonstration shows different security settings in Windows 7 Local Group Policy Editor and then how to change some of these settings.
2. In the Local Policies node, review the Audit Policy.
3. Under Audit Policy, modify the Audit account management policy properties to audit both success and failure attempts.
4. In the Local Policies node, review policies for User Rights Assignments and Security Options.
5. Open the Windows Firewall with Advanced Security Local Group Policy Object to view firewall rules.
6. Review Network List Manager Policies.
7. In the Public Key Policies node, review policies for Encrypting File System and BitLocker Drive Encryption.
8. Review Software Restriction Policies and Application Control Policies, including those for AppLocker.
9. Review IP Security Policies on Local Computer and Advanced Audit Policy Configuration, including those in the System Audit Policies Local Group Policy Object.
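The settings table and the demonstration above configure Account Policies and Audit Policy by hand in the Local Group Policy Editor. As an added example (not course material), the following PowerShell script exports the same local security policy with secedit and checks the Password Policy, Account Lockout Policy and Audit account management values against a baseline. The baseline numbers and the sample export at the end are this example's own assumptions.

```powershell
# Added example, not from the course: export the local security policy with secedit
# and compare Account Policies and Audit Policy values against an assumed baseline.
# The baseline values are assumptions for illustration, not course-mandated values.

function ConvertFrom-SecurityTemplate {
    # Parses the INF text written by "secedit /export" into a hashtable keyed "Section/Name".
    param([string[]]$Lines)
    $settings = @{}
    $section = ''
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*([^=;]+?)\s*=\s*(.*)$') {
            $settings["$section/$($Matches[1])"] = $Matches[2].Trim()
        }
    }
    $settings
}

function Export-LocalSecurityPolicy {
    # Exports the live policy of this computer (run from an elevated prompt).
    $inf = Join-Path $env:TEMP 'local-secpol.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $lines = Get-Content $inf
    Remove-Item $inf
    ConvertFrom-SecurityTemplate $lines
}

function Test-SecurityPolicyBaseline {
    # Returns one finding per setting outside the assumed [Min, Max] range.
    param([hashtable]$Policy)
    $checks = @(
        @{ Key = 'System Access/MinimumPasswordLength'; Min = 8;  Max = 128; Why = 'minimum password length below 8' },
        @{ Key = 'System Access/PasswordComplexity';    Min = 1;  Max = 1;   Why = 'password complexity not enforced' },
        @{ Key = 'System Access/PasswordHistorySize';   Min = 12; Max = 24;  Why = 'password history shorter than 12' },
        @{ Key = 'System Access/MaximumPasswordAge';    Min = 1;  Max = 90;  Why = 'passwords never expire or expire after more than 90 days' },
        @{ Key = 'System Access/LockoutBadCount';       Min = 1;  Max = 10;  Why = 'account lockout threshold off or above 10 attempts' },
        # Audit values: 0 = none, 1 = success, 2 = failure, 3 = success and failure
        @{ Key = 'Event Audit/AuditAccountManage';      Min = 3;  Max = 3;   Why = 'account management not audited for success and failure' }
    )
    $findings = @()
    foreach ($c in $checks) {
        $value = 0
        if ($Policy.ContainsKey($c.Key)) { $value = [int]$Policy[$c.Key] }
        if ($value -lt $c.Min -or $value -gt $c.Max) {
            $findings += "$($c.Key): $($c.Why) (current value $value)"
        }
    }
    $findings
}

# Constructed sample in the shape of a secedit export from a fresh standalone
# Windows 7 installation, before any hardening has been applied.
$sampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditAccountManage = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Test-SecurityPolicyBaseline (ConvertFrom-SecurityTemplate $sampleInf)
# On the real computer, from an elevated prompt:
# Test-SecurityPolicyBaseline (Export-LocalSecurityPolicy)
```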
Lesson 3
Laptops and desktop hard drives can be stolen, which poses a risk for confidential data. You can secure data against these risks by using a two-phased defensive strategy, one that incorporates both Encrypting File System (EFS) and Windows BitLocker Drive Encryption. This lesson provides a brief overview of EFS. IT professionals interested in implementing EFS must research this topic thoroughly before making a decision. If you implement EFS while lacking proper recovery operations or misunderstanding how the feature works, you can cause your data to be unnecessarily exposed. To implement a secure and recoverable EFS policy, you must have a more comprehensive understanding of EFS. Another defensive strategy that complements EFS is Windows BitLocker Drive Encryption. BitLocker protects against data theft or exposure on computers, and offers secure data deletion when computers are decommissioned. Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by combining two major data-protection procedures: encrypting the entire Windows operating system volume on the hard disk, and encrypting multiple fixed volumes.
What Is EFS?
Key Points
EFS is the built-in encryption tool for Windows file systems. A component of the NTFS file system, EFS enables transparent encryption and decryption of files by using advanced, standard cryptographic algorithms. Any individual or program that does not possess the appropriate cryptographic key cannot read the encrypted data. Encrypted files can be protected from those who gain physical possession of the computer. Persons who are authorized to access the computer and its file system cannot view the data without the cryptographic key.
Note: EFS certificates are only issued to individual users, not to groups.

Backing Up Certificates
CA administrators can archive and recover CA-issued EFS certificates. Users must manually back up their self-generated EFS certificates and private keys. To do this, they can export the certificate and private key to a Personal Information Exchange (PFX) file. These PFX files are password protected during the export process. The password is then required to import the certificate into a user's certificate store. If you need to distribute only your public key, you can export the client EFS certificate without the private key to Canonical Encoding Rules (CER) files.
A user's private key is stored in the user's profile in the RSA folder, which is accessed by expanding AppData, expanding Roaming, expanding Microsoft, and then expanding Crypto. Because there is only one instance of the key, it is vulnerable to hard disk failure or data corruption. The Certificate Manager MMC exports certificates and private keys. EFS certificates are located in the Personal Certificates store.
EFS in Windows 7
Windows 7 includes a number of new EFS features, including:
Support for Storing Private Keys on Smart Cards
Encrypting File System Rekeying Wizard
New Group Policy Settings for EFS
Encryption of the System Page File
Per-User Encryption of Offline Files
This demonstration shows how to encrypt and decrypt files and folders by using EFS.
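The demonstration encrypts and decrypts through Windows Explorer. As an added example (not course material), the following PowerShell script does the same work from the command line with cipher.exe, and first lists the user's EFS certificates in the Personal store so that the single private-key copy described above can be backed up to a PFX file before a folder is encrypted. The paths are constructed, and the EFS EKU object identifier is the standard one, not a value from the course.

```powershell
# Added example, not from the course: inventory the current user's EFS certificates,
# back up the private key with cipher /x, then encrypt a folder and verify with cipher /c.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for Encrypting File System

function Get-EfsCertificate {
    # EFS certificates live in the user's Personal store and carry the EFS EKU.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        (@($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $EfsEkuOid)
    }
}

function Get-EfsCertificateReport {
    # One object per certificate with the facts a backup or help-desk check needs.
    foreach ($cert in Get-EfsCertificate) {
        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
        }
    }
}

function Backup-EfsKey {
    # cipher /x writes the certificate and private key to <BackupBaseName>.pfx and
    # prompts for the password that protects the file. Keep the PFX off this disk.
    param([string]$BackupBaseName)
    cipher /x "$BackupBaseName"
}

function Protect-FolderWithEfs {
    # Encrypts the folder and everything under it, then lists per-file encryption
    # state, including which certificates and recovery agents can decrypt each file.
    param([string]$Path)
    cipher /e /s:"$Path" | Out-Null
    cipher /c /s:"$Path"
}

# Usage with constructed paths; run as the user who owns the data.
Get-EfsCertificateReport | Format-Table Subject, NotAfter, Expired -AutoSize
# Backup-EfsKey -BackupBaseName (Join-Path $env:USERPROFILE 'efs-key-backup')
# Protect-FolderWithEfs -Path (Join-Path $env:USERPROFILE 'Documents\Confidential')
```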
What Is BitLocker?
Key Points
Data on a lost or stolen computer can become vulnerable to unauthorized access. BitLocker helps mitigate unauthorized data access by enhancing Windows file and system protections. BitLocker helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled. BitLocker performs two functions to provide both offline data protection and system integrity verification:
Encrypts all data stored on the Windows operating system volume (and configured data volumes).
Is configured by default to use a Trusted Platform Module (TPM). A TPM is a specialized chip that authenticates the computer rather than the user. The TPM stores information specific to the host system, such as encryption keys, digital certificates, and passwords. Using a TPM helps ensure the integrity of early startup components, and "locks" any BitLocker-protected volumes so that they remain protected even if the computer is tampered with when the operating system is not running.
During Windows 7 setup, a separate active system partition is created. This partition is required for BitLocker to work on operating system drives. BitLocker is extended from operating system drives and fixed data drives to include removable storage devices such as portable hard drives and USB flash drives. This allows you to take protected data when traveling and use it on computers running Windows 7.
BitLocker To Go is manageable through Group Policy. When you insert a BitLocker-protected drive into your computer, Windows will automatically detect that the drive is encrypted and prompt you to unlock it.
Question: BitLocker provides full volume encryption. What does this mean?
BitLocker Requirements
Key Points
In Windows 7, drives are automatically prepared for use. Therefore, there is no need to manually create separate partitions before enabling BitLocker. The system partition automatically created by Windows 7 does not have a drive letter, so it is not visible in Windows Explorer. This prevents inadvertently writing data files to it. In a default installation, a computer will have a separate system partition and an operating system drive. The system partition in Windows 7 requires 100 MB. Because BitLocker stores its own encryption and decryption key in a hardware device that is separate from the hard disk, you must have one of the following:
A computer with Trusted Platform Module (TPM) version 1.2.
A removable Universal Serial Bus (USB) memory device, such as a USB flash drive.
On computers that do not have TPM version 1.2, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. This implementation does not provide the pre-startup system integrity verification offered by BitLocker using a TPM. In addition, you can also require users to supply a personal identification number (PIN). This security measure together with the USB option provides multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.
Hardware Requirements
To turn on BitLocker Drive Encryption, the computer's hard drive must meet the following requirements:
Have the space necessary for Windows 7 to create the two disk partitions: one for the system volume and one for the operating system volume.
Have a Basic Input/Output System (BIOS) that is compatible with TPM or supports USB devices during computer startup.
BitLocker Modes
Key Points
BitLocker can run on two types of computers:
Those that are running Trusted Platform Module (TPM) version 1.2.
Those without TPM version 1.2, but that have a removable Universal Serial Bus (USB) memory device.
Once a computer's operating system volume is encrypted, the computer will switch to recovery mode until the recovery password is supplied if any of the following conditions occur:
The TPM changes or cannot be accessed.
There are changes to key system files.
Someone tries to start the computer from a product CD or DVD to circumvent the operating system.
Key Points
BitLocker in Windows 7 introduces several new Group Policy settings that permit straightforward feature management. Group Policy settings that affect BitLocker are located in Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption. The BitLocker Drive Encryption folder contains the following sub-folders: Fixed Data Drives, Operating System Drives, and Removable Data Drives. The following table summarizes several of the key policy settings affecting Windows 7 client computers. Each setting includes the following options: Not Configured, Enabled, and Disabled. The default for each setting is Not Configured.

Setting name: Choose drive encryption method and cipher strength
Location: BitLocker Drive Encryption folder
Description: This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. If you enable this setting, you will be able to choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt files. If you disable or do not configure this setting, BitLocker will use the default encryption method of AES 128-bit with Diffuser, or the encryption method specified by the setup script.

Setting name: Deny write access to fixed drives not protected by BitLocker
Location: Fixed Data Drives folder
Description: This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. If you enable this setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is BitLocker-protected, or if you disable or do not configure this setting, all fixed data drives will be mounted with read and write access.
Setting name: Allow access to BitLocker-protected data drives from earlier versions of Windows
Location: Fixed Data Drives folder
Description: This policy setting configures whether fixed data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Windows Vista, and Windows XP with SP3 or SP2 operating systems.

Setting name: Require additional authentication at startup
Location: Operating System Drives folder
Description: This policy setting allows you to configure whether BitLocker can be enabled on computers without a TPM, and whether multi-factor authentication may be used on computers with a TPM.

Setting name: Control use of BitLocker on removable drives
Location: Removable Data Drives folder
Description: This policy setting controls the use of BitLocker on removable data drives.

Setting name: Configure use of smart cards on removable data drives
Location: Removable Data Drives folder
Description: This policy setting allows you to specify whether smart cards can be used to authenticate user access to BitLocker-protected removable drives on a computer.

Setting name: Deny write access to removable drives not protected by BitLocker
Location: Removable Data Drives folder
Description: This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
Configuring BitLocker
Key Points
Enable BitLocker from Control Panel or by right-clicking the volume to be encrypted. A command-line management tool, manage-bde.wsf, is also available to perform scripting functionality remotely. Enabling BitLocker initiates the BitLocker Setup Wizard. The BitLocker Drive Preparation tool validates system requirements.
To turn on BitLocker Drive Encryption on a computer without a compatible TPM:
1. Open the Local Group Policy Object Editor.
2. In the Local Group Policy Editor console tree, click Computer Configuration, click Administrative Templates, click Windows Components, click BitLocker Drive Encryption, and then click Operating System Drives.
3. Double-click the Require additional authentication at startup setting.
4. Select the Enabled option, select the Allow BitLocker without a compatible TPM check box, and then click OK. You have changed the policy setting so that you can use a startup key instead of a TPM.
5. Close the Local Group Policy Editor.
6. To force Group Policy to apply immediately, you can click Start, type gpupdate.exe /force in the Start Search box, and then press ENTER.
7. Perform the same steps listed earlier to turn on BitLocker from within the Windows Control Panel. The only difference is that on the Set BitLocker Startup Preferences page, select the Require Startup USB Key at every startup option. This is the only option available for non-TPM configurations. This key must be inserted each time before you start the computer.
8. At this point, insert your USB flash drive in the computer, if it is not already there, and complete the remaining steps in the wizard.
Question: When turning on BitLocker on a computer with TPM version 1.2, what is the purpose of saving the recovery password?
Configuring BitLocker To Go
Key Points
BitLocker To Go protects data on removable data drives. A new Group Policy setting enables you to configure removable drives as Read Only unless they are encrypted with BitLocker To Go. This helps ensure that critical data is protected when a USB flash drive is misplaced. Enable BitLocker protection on a removable device by right-clicking the drive in Windows Explorer.
Configuring BitLocker To Go
When you turn on BitLocker To Go, the ensuing wizard requires that you specify how you want to unlock the drive. Select one of the following methods:
A Recovery Password or passphrase
A Smart Card
Always auto-unlock this device on this PC
Once the device is configured to use BitLocker, the user saves documents to the external drive. When the user inserts the USB flash drive on a different PC, the computer detects that the portable device is BitLocker protected; the user is prompted to specify the passphrase. At this time, the user can specify to unlock this volume automatically on the second PC. It is not required that the second PC be encrypted with BitLocker. If a user forgets the passphrase, there is an option from the BitLocker Unlock Wizard, I forgot my passphrase, to assist. Clicking this option displays a recovery Password ID that can be supplied to an administrator. The administrator uses the Password ID to obtain the recovery password for the device. This Recovery Password can be stored in Active Directory and recovered with the BitLocker Recovery Password tool.
Question: How do you enable BitLocker To Go for a USB flash drive?
Key Points
When a BitLocker-enabled computer starts, BitLocker checks the operating system for conditions that may indicate a security risk. If a condition is detected, BitLocker does not unlock the system drive and enters recovery mode. When a computer enters recovery mode, the user must enter the correct recovery password to continue. The recovery password is tied to a particular TPM or computer, not to individual users, and does not usually change. The recovery information can be saved on a USB flash drive or in Active Directory using one of these formats:
A 48-digit number divided into eight groups. During recovery, use the function keys to type this password into the BitLocker recovery console.
A recovery key in a format that can be read directly by the BitLocker recovery console.
Prior to searching for and providing a recovery password to a user, confirm that the person is the account owner and is authorized to access data on the computer in question. Search for the password in Active Directory Users and Computers by using either one of the following:
Drive Label
Password ID
Examine the returned recovery password to ensure it matches the password ID that the user provided. Performing this step helps to verify that you have obtained the unique recovery password.
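The Configuring BitLocker topic mentions the manage-bde command-line tool, and the recovery topics above depend on every protected volume having a recovery password. As an added example (not course material), the following PowerShell script parses the text of manage-bde -status and reports volumes whose protection is off or that lack a Numerical Password (recovery password) key protector. The sample status output is constructed in the shape of the Windows 7 tool's output.

```powershell
# Added example, not from the course: parse "manage-bde -status" and report volumes
# whose protection is off or that have no recovery password (Numerical Password)
# protector, which is the protector the help desk relies on during recovery mode.

function ConvertFrom-ManageBdeStatus {
    # Turns the text output of manage-bde -status into one object per volume.
    param([string[]]$Lines)
    $volumes = @(); $vol = $null; $inProtectors = $false
    foreach ($line in $Lines) {
        if ($line -match '^Volume ([A-Z]:)') {
            if ($vol) { $volumes += $vol }
            $vol = New-Object PSObject -Property @{
                Drive = $Matches[1]; ConversionStatus = ''; EncryptionMethod = ''
                ProtectionStatus = ''; KeyProtectors = @()
            }
            $inProtectors = $false
            continue
        }
        if (-not $vol) { continue }
        if ($inProtectors) {
            # Protector names follow "Key Protectors:" one per indented line until a blank line.
            if ($line -match '^\s+(\S.*)$' -and $Matches[1].Trim() -ne 'None Found') {
                $vol.KeyProtectors += $Matches[1].Trim(); continue
            }
            $inProtectors = $false
        }
        if     ($line -match '^\s*Key Protectors:')             { $inProtectors = $true }
        elseif ($line -match '^\s*Conversion Status:\s*(.+)$') { $vol.ConversionStatus = $Matches[1].Trim() }
        elseif ($line -match '^\s*Encryption Method:\s*(.+)$') { $vol.EncryptionMethod = $Matches[1].Trim() }
        elseif ($line -match '^\s*Protection Status:\s*(.+)$') { $vol.ProtectionStatus = $Matches[1].Trim() }
    }
    if ($vol) { $volumes += $vol }
    $volumes
}

function Test-BitLockerVolume {
    # Returns one finding per problem; no output means the volume passes.
    param($Volume)
    $findings = @()
    if ($Volume.ProtectionStatus -ne 'Protection On') {
        $findings += "$($Volume.Drive) protection status is '$($Volume.ProtectionStatus)'"
    }
    if (-not ($Volume.KeyProtectors -contains 'Numerical Password')) {
        $findings += "$($Volume.Drive) has no recovery password protector; recovery mode could not be exited"
    }
    $findings
}

# Constructed sample in the shape of manage-bde -status output on Windows 7.
$sample = @'
Volume C: [OSDisk]
[OS Volume]

    Size:                 118.00 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Decrypted
    Encryption Method:    None
    Protection Status:    Protection Off
    Key Protectors:
        None Found
'@ -split "`r?`n"

ConvertFrom-ManageBdeStatus $sample | ForEach-Object { Test-BitLockerVolume $_ }
# On the real computer, from an elevated prompt:
# ConvertFrom-ManageBdeStatus (manage-bde -status) | ForEach-Object { Test-BitLockerVolume $_ }
```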
Lesson 4
The ability to control which applications a user, or set of users, can run offers significant increases in the reliability and security of enterprise desktops. Overall, an application lockdown policy can lower the total cost of computer ownership in an enterprise. Windows 7 and Windows Server 2008 R2 add Windows AppLocker, a new feature that controls application execution and simplifies the ability to author an enterprise application lockdown policy. AppLocker reduces administrative overhead and helps administrators control how users access and use files, such as .exe files, scripts, Windows Installer files (.msi and .msp files), and .dll files. Because AppLocker replaces the software restriction policies (SRP) feature in prior Windows versions, this lesson examines the benefits of AppLocker in comparison to SRP.
What Is AppLocker?
Key Points
Users who run unauthorized software can experience a higher incidence of malware infections and generate more help desk calls. However, it can be difficult for IT professionals to ensure that user desktops are running only approved, licensed software. Previous versions of Windows addressed this issue with Software Restriction Policies (SRP), which IT professionals used to define the list of applications that users were allowed to run. Windows 7 builds upon this security layer with AppLocker, which provides administrators the ability to control how users run multiple types of applications.
AppLocker Benefits
IT professionals can use AppLocker to specify exactly what is allowed to run on user desktops. This allows users to run the applications, installation programs, and scripts they need to be productive while still providing the security, operational, and compliance benefits of application standardization. AppLocker can help organizations that want to:
Limit the number and type of files that are allowed to run by preventing unlicensed or malicious software from running and by restricting the ActiveX controls that are installed.
Reduce the total cost of ownership by ensuring that workstations are homogeneous across the enterprise and that users are running only the software and applications that are approved by the enterprise.
Reduce the possibility of information leaks from unauthorized software.
Question: What are some of the applications that are good candidates for applying an AppLocker rule?
AppLocker Rules
Key Points
AppLocker is an MMC snap-in in the Group Policy Object Editor consisting of two wizards. One wizard allows you to create a single rule, and another automatically generates rules based on rule preferences and the selected folder. To access AppLocker, click Start and type Gpedit.msc. Then navigate to Computer Configuration, Windows Settings, Security Settings, and then Application Control Policies. Expand the Application Control Policies node and highlight AppLocker.
This demonstration shows how to create a custom AppLocker rule and how to automatically generate rules.
After you create new AppLocker rules, you must configure enforcement for the rule collections and refresh the computer's policy. Enforcement is configured in the Local Security Policy console in the Configure Rule Enforcement area. There are three enforcement options for each rule collection:
Not configured (enforce rules through Group Policy inheritance): the mode is taken from any linked GPO that sets it; if rules exist in the collection and no GPO sets a mode, the rules are enforced.
Enforce rules: files that no rule allows are blocked from running.
Audit only: nothing is blocked, but every decision is written to the AppLocker event log so that you can see what would have been blocked.
To view information about applications that are affected by AppLocker rules, use Event Viewer: the AppLocker logs are under Applications and Services Logs, Microsoft, Windows, AppLocker. Review the entries in the log to determine whether any applications were not covered by the rules. This demonstration shows the different enforcement options, in addition to how to configure the enforcement for the rule that was created in the previous demonstration. The demonstration then verifies the enforcement with gpupdate.
5. Start the Application Identity service in Services and Applications.
6. Test the previously created rule by typing regedit.exe at a Command Prompt.
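The following PowerShell is an added example for the enforcement and verification steps above, not code from the course. It uses the AppLocker module that ships with Windows 7, makes sure the Application Identity service is running, asks the effective policy what it would decide for a few files, and summarises the AppLocker event log. The paths and the group name CONTOSO\Research (the lab's Research department) are assumptions; substitute your own.

```powershell
# Added example, not part of the course: confirm the service AppLocker depends
# on is running, ask the effective policy what it decides for specific files,
# and summarise what the EXE and DLL log has recorded. "CONTOSO\Research" is
# the lab group; substitute a real user or group.
Import-Module AppLocker

# Nothing is enforced (or audited) unless the Application Identity service runs;
# make it start automatically so a reboot does not silently switch AppLocker off.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Apply newly created rules and the enforcement mode now rather than at the next refresh.
gpupdate /force | Out-Null

# Dry run: decisions are Allowed, Denied, AllowedByDefault or DeniedByDefault.
# DeniedByDefault means no rule matched at all, which is how a forgotten allow rule shows up.
$paths = 'C:\Windows\regedit.exe', 'C:\Windows\System32\notepad.exe', 'C:\Program Files\Windows Media Player\wmplayer.exe'
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $paths -User 'CONTOSO\Research' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

function Get-AppLockerDecisionSummary {
    # Counts events by ID: 8002 = allowed, 8003 = would have been blocked (Audit only),
    # 8004 = blocked (Enforce rules). Windows 7 keeps two AppLocker logs, this one and
    # "Microsoft-Windows-AppLocker/MSI and Script".
    param([string]$LogName = 'Microsoft-Windows-AppLocker/EXE and DLL')

    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 8002, 8003, 8004 } -ErrorAction SilentlyContinue
    foreach ($grp in ($events | Group-Object Id)) {
        $meaning = 'unknown'
        switch ([int]$grp.Name) {
            8002 { $meaning = 'allowed' }
            8003 { $meaning = 'audit only: would have been blocked' }
            8004 { $meaning = 'blocked' }
        }
        New-Object PSObject -Property @{ EventId = [int]$grp.Name; Meaning = $meaning; Count = $grp.Count }
    }
}

Get-AppLockerDecisionSummary | Format-Table EventId, Meaning, Count -AutoSize

# Files that were blocked, or would have been under Audit only, listed by path: the
# list to compare against the rule set when a legitimate application lacks a rule.
Get-AppLockerFileInformation -EventLog -EventType Denied, Audited | Select-Object Path -Unique
```

Run the collection in Audit only first and watch the 8003 count; switching to Enforce rules while DeniedByDefault decisions still cover line-of-business software produces the help desk calls the lesson opened with.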
Question: What is the command to update the computer's policy and where is it run?
Key Points
It can be difficult to make safe choices about which software to run. To address this situation, Software Restriction Policies (SRP) were included in previous Windows versions to help organizations control not just hostile code, but any unknown code, malicious or otherwise. With SRP, administrators were able to protect computers from non-trusted or unknown software by identifying and specifying which software is allowed to run. In Windows 7, AppLocker replaces the Software Restriction Policies feature found in prior Windows versions (although the Software Restriction Policies snap-in is included on Windows 7 computers for compatibility purposes).
However, if Windows 7 has both AppLocker and SRP rules applied in a group policy, then only the AppLocker rules are enforced and the SRP rules are ignored. Question: Why must AppLocker rules be defined in a GPO separate from SRP rules?
Lesson 5
When logged on as a local administrator, a user can install and uninstall applications and adjust system and security settings. As a result, IT departments often cannot gauge the overall health and security of their PC environments. In addition, every application that such a user launches can use the account's administrative-level access to write to system files and the registry and to modify system-wide data, so common tasks like browsing the Web and checking e-mail become unsafe. User Account Control provides resilience to attacks and protects data confidentiality, integrity, and availability. User Account Control has been redesigned in Windows 7 to make running as a standard user more feasible.
What Is UAC?
Key Points
User Account Control (UAC) provides a way for each user to elevate his or her status from a standard user account to an administrator account without logging off, switching users, or using Run as. Windows 7 includes changes that enhance the user experience, increase user control of the prompting experience, and increase security. UAC is a collection of features rather than just a prompt. These features - which include File and Registry Redirection, Installer Detection, the UAC prompt, and the ActiveX Installer Service - allow Windows users to run with user accounts that are not members of the Administrators group. These accounts are generally referred to as Standard Users and are broadly described as running with least privilege. The key is that when users run with Standard User accounts, the experience is typically much more secure and reliable.
UAC in Windows 7
Configuration settings provide users more control over the UAC prompt when running in Administrator Approval Mode. In Windows 7, the number of operating system applications and tasks that require elevation is reduced, so standard users can do more while experiencing fewer elevation prompts. When changes are going to be made to your computer that require administrator-level permission, UAC notifies you as follows:
If you are an administrator, you can click Yes to continue.
If you are not an administrator, someone with an administrator account on the computer has to enter his or her password for you to continue.
If you are a standard user, the task that was approved runs with the administrator credentials that were supplied; your own account keeps its standard user permissions throughout, and nothing else you run is elevated.
This makes it so that even if you are using an administrator account, changes cannot be made to your computer without you knowing about it, which can help prevent malicious software (malware) and spyware from being installed on or making changes to your computer.
Key Points
There are two general types of user accounts in Windows 7: standard users and administrative users. UAC simplifies users' ability to run as standard users and perform their necessary daily tasks. Administrative users also benefit from UAC because administrative privileges are available only after UAC requests permission from the user for that instance.
Standard Users
In previous Windows versions, many users were configured to use administrative privileges rather than standard user permissions. This was done because previous Windows versions required administrator permissions to perform basic system tasks such as adding a printer or configuring the time zone. In Windows 7, many of these tasks no longer require administrative privileges. When UAC is enabled and a user needs to perform a task that requires administrative permissions, UAC prompts the user for the credentials of a user with administrative privileges. The default UAC setting allows a standard user to perform the following tasks without receiving a UAC prompt:
Install updates from Windows Update.
Install drivers from Windows Update or those that are included with the operating system.
View Windows settings.
Pair Bluetooth devices with the computer.
Reset the network adapter and perform other network diagnostic and repair tasks.
Administrative Users
Administrative users automatically have: Read/Write/Execute permissions to all resources.
Prior to the implementation of UAC, standard users working on a personal computer or in a network setting often had the option of installing applications. Although administrators were able to create Group Policy settings to limit application installations, they did not have access to limit application installations for standard users by default. UAC improves upon this experience by allowing administrators to define a default setting that limits application installations for standard users. Additionally, administrators can use Group Policy to define an approved list of devices and deployment. The following Group Policy object (GPO) settings can be configured for UAC:
Administrator Approval Mode for the built-in Administrator account
Behavior of the elevation prompt for administrators in Admin Approval Mode
Behavior of the elevation prompt for standard users
Detect application installations and prompt for elevation
Only elevate executables that are signed and validated
Only elevate UIAccess applications that are installed in secure locations
Run all administrators in Admin Approval Mode
Switch to the secure desktop when prompting for elevation
Virtualize file and registry write failures to per-user locations
Note: Modifying the "User Account Control: Run all administrators in Admin Approval Mode" setting requires a computer restart before the setting becomes effective. All other UAC Group Policy settings are dynamic and do not require a restart.
This demonstration shows the different UAC group policy settings in the Local Group Policy Editor (gpedit.msc) snap-in and additionally shows how to configure some of them.
Question: Which User Account Control feature detects when an application is being installed in Windows 7?
Key Points
With Windows 7, the "on or off only" approach of UAC notifications is changed. The following table identifies the four settings that customize the elevation prompt experience. These notification settings are maintained through the Action Center.

Prompt: Never notify
Description: UAC is off.

Prompt: Notify me only when programs try to make changes to my computer (do not dim my desktop)
Description: When a program makes a change, a prompt appears, but the desktop is not dimmed. Otherwise, the user is not prompted.

Prompt: Notify me only when programs try to make changes to my computer (the default)
Description: When a program makes a change, a prompt appears, and the desktop is dimmed to provide a visual cue that installation is being attempted. Otherwise, the user is not prompted.

Prompt: Always notify me
Description: The user is always prompted when changes are made to the computer.

The dimmed desktop is the secure desktop: while it is shown, other programs running as the user cannot draw over the prompt or send it input, so the "do not dim" option trades that protection for convenience.
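The following PowerShell is an added example, not part of the course, covering both the Group Policy settings listed earlier in this lesson and the four notification levels in the table above. The nine UAC policies all write values under one registry key, and the Action Center slider sets three of them; the script reads those values and translates them back into the slider label. The mapping between policy names and value names is the documented one; the function names and the sample triples are this example's own.

```powershell
# Added example, not part of the course: read the registry values that the UAC
# Group Policy settings above write (all under one key) and translate the three
# that drive the Action Center slider into the notification level it shows.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Policy name as shown in the Local Group Policy Editor -> registry value name.
$uacPolicyValues = @{
    'Admin Approval Mode for the built-in Administrator account'                 = 'FilterAdministratorToken'
    'Behavior of the elevation prompt for administrators in Admin Approval Mode' = 'ConsentPromptBehaviorAdmin'
    'Behavior of the elevation prompt for standard users'                        = 'ConsentPromptBehaviorUser'
    'Detect application installations and prompt for elevation'                  = 'EnableInstallerDetection'
    'Only elevate executables that are signed and validated'                     = 'ValidateAdminCodeSignatures'
    'Only elevate UIAccess applications that are installed in secure locations'  = 'EnableSecureUIAPaths'
    'Run all administrators in Admin Approval Mode'                              = 'EnableLUA'
    'Switch to the secure desktop when prompting for elevation'                  = 'PromptOnSecureDesktop'
    'Virtualize file and registry write failures to per-user locations'          = 'EnableVirtualization'
}

function Get-UacNotificationLevel {
    # Maps the triple the slider writes on Windows 7 to its four labels. Any other
    # combination came from Group Policy, not from the slider, and is reported as such.
    param([int]$EnableLUA, [int]$ConsentPromptBehaviorAdmin, [int]$PromptOnSecureDesktop)

    if ($EnableLUA -eq 0) { return 'Never notify (UAC is off; a restart was needed for this to take effect)' }
    switch ("$ConsentPromptBehaviorAdmin/$PromptOnSecureDesktop") {
        '2/1' { return 'Always notify me' }
        '5/1' { return 'Notify me only when programs try to make changes to my computer (default)' }
        '5/0' { return 'Notify me only when programs try to make changes to my computer (do not dim my desktop)' }
        '0/0' { return 'Elevate without prompting: set by policy, not by the slider; administrators are never asked' }
    }
    return "Custom policy mix: ConsentPromptBehaviorAdmin=$ConsentPromptBehaviorAdmin, PromptOnSecureDesktop=$PromptOnSecureDesktop"
}

function Get-UacConfiguration {
    # Reads the live values. A value that is absent means the policy is Not Configured
    # and the operating system default applies.
    $props = Get-ItemProperty -Path $uacKey
    foreach ($policy in ($uacPolicyValues.Keys | Sort-Object)) {
        $valueName = $uacPolicyValues[$policy]
        New-Object PSObject -Property @{ Policy = $policy; ValueName = $valueName; Data = $props.$valueName }
    }
}

# Constructed sample triples: the Windows 7 default, then the hardened choice.
Get-UacNotificationLevel -EnableLUA 1 -ConsentPromptBehaviorAdmin 5 -PromptOnSecureDesktop 1
Get-UacNotificationLevel -EnableLUA 1 -ConsentPromptBehaviorAdmin 2 -PromptOnSecureDesktop 1

# The local computer. A clean Windows 7 install has all three values present; if one
# is missing, the default (1, 5, 1) is assumed below.
$live = Get-ItemProperty -Path $uacKey
$lua  = if ($null -eq $live.EnableLUA) { 1 } else { $live.EnableLUA }
$cpba = if ($null -eq $live.ConsentPromptBehaviorAdmin) { 5 } else { $live.ConsentPromptBehaviorAdmin }
$posd = if ($null -eq $live.PromptOnSecureDesktop) { 1 } else { $live.PromptOnSecureDesktop }
Get-UacNotificationLevel -EnableLUA $lua -ConsentPromptBehaviorAdmin $cpba -PromptOnSecureDesktop $posd
Get-UacConfiguration | Format-Table Policy, ValueName, Data -AutoSize
```

Reading HKLM needs no elevation, so the check can run from a standard user session; what it cannot tell you is whether a GPO will overwrite the values at the next refresh, which is why the Group Policy Results tool remains the authority on domain-joined machines.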
Question: What two configuration options are combined to produce the end user elevation experience?
Note: LON-CL1 is the computer running Windows 7 where you will configure the Action Center and UAC settings.
Note: It may take a few minutes for the Virus protection notification to appear.
4. Confirm you are not being notified about virus protection.
Results: After this exercise, you will no longer be notified about virus protection. UAC settings will be set to notify users when programs try to make changes to the computer.
Note: LON-CL1 is the computer running Windows 7 where you will configure and test the local security policies.
Results: After this exercise, you will have multiple local group policies defined and configured.
Results: After this exercise, you will have a local folder and files encrypted with EFS.
Note: LON-CL1 is the computer running Windows 7 where you will configure and test AppLocker.
Note: If the enforcement rule message does not display, wait for a few minutes and then re-try step 2.
Results: After this exercise, you will have an AppLocker rule configured to prevent users of the Research department from running Windows Media Player.
Lesson 6
Windows Firewall is a host-based, stateful firewall included in Windows 7. It drops incoming traffic that does not correspond to traffic sent in response to a request (solicited traffic) or unsolicited traffic that has been specified as allowed (accepted traffic). Windows Firewall helps provide protection from malicious users and programs that rely on unsolicited incoming traffic to attack computers. Windows Firewall can also drop outgoing traffic and is configured using the Windows Firewall with Advanced Security snap-in, which integrates rules for both firewall behavior and traffic protection with Internet Protocol security (IPsec).
Key Points
A firewall is software or hardware that checks information coming from the Internet or a network and then either blocks it or allows it to pass through to a computer. Firewalls are the equivalent of door locks, employee badges, and security systems: just as you use locks to secure a car and home, you use firewalls to protect computers and networks. No firewall makes a computer impenetrable. Firewalls, like locks, create barriers that make it harder for attackers to get into the computer, which makes it a less attractive target, and they drop most unsolicited inbound connection attempts outright. The two main firewall types are network firewalls and host-based firewalls. Network firewalls are located at the network's perimeter; host-based firewalls run on individual hosts within the network and also protect a host from other hosts on the same internal network. Present and discuss your ideas on this topic in the class.
Key Points
In Windows 7, basic firewall information is centralized in Control Panel in the Network and Sharing Center and in System and Security. The first time that a computer connects to a network, users must select a network location. When users are connecting to networks in different locations, choosing a network location helps ensure that the computer is always set to an appropriate security level. There are three network locations:
Home or work (private) networks
Domain networks
Public networks
Firewall Exceptions
When you add a program to the list of allowed programs, you are allowing that program to send information to or from the computer. Continuing with the scenario from the previous topic, allowing a program to communicate through a firewall is like unlocking a door in the firewall. Each time the door is opened, the computer becomes less secure. It is generally safer to add a program to the list of allowed programs than to open a port in Windows Firewall with Advanced Security. If you open a port, the door is unlocked and open. It stays open until you close it, whether a program is using it or not. If you add a program to the list of allowed programs, you are unlocking the door, but not opening it. The door is open only while that program is listening, and only for the ports it actually uses.
Notifications are also displayed in the Action Center in Control Panel. Question: List the three network locations. Where do you modify them, and what feature of Windows 7 allows you to use more than one?
Key Points
Windows Firewall with Advanced Security is a host-based firewall that filters incoming and outgoing connections based on its configuration. For example, you can allow incoming traffic for a specific desktop management tool when the computer is on domain networks but block traffic when the computer is connected to public or private networks. In this way, network awareness provides flexibility on the internal network without sacrificing security when users travel. A public network profile must have stricter firewall policies to protect against unauthorized access. A private network profile might have less restrictive firewall policies to allow file and print sharing or peer-to-peer discovery.
Inbound rules explicitly allow or block traffic that matches criteria in the rule. For example, if you want to run a Web server, then you must create a rule that allows unsolicited inbound network traffic on TCP port 80. Outbound rules explicitly allow or deny traffic originating from the computer that matches the criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to a computer (by IP address) through the firewall, but allow the same traffic for other computers. Connection Security Rules secure traffic by using IPsec while it crosses the network. You use connection security rules to specify that connections between two computers must be authenticated or encrypted.
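The following is an added example, not from the course, showing one rule of each of the three kinds described above created with the netsh advfirewall command that is built into Windows 7, including the inbound and outbound Remote Desktop block rules that Lab B, Exercise 1 later asks for. The rule names, the program path and the 192.0.2.x addresses are made up for the example; the commands themselves are the standard netsh syntax.

```powershell
# Added example, not part of the course: one rule of each kind created with
# netsh advfirewall, which is built into Windows 7, followed by the checks that
# show they are in place. Rule names, the program path and the 192.0.2.x
# addresses are made up for this example. Run from an elevated prompt.

# Inbound: allow unsolicited TCP 80 to a web server program, but only while the
# domain profile is active, so the port stays closed on public and private networks.
netsh advfirewall firewall add rule name="Example web server (domain only)" dir=in action=allow protocol=TCP localport=80 program="C:\inetpub\bin\exampleweb.exe" profile=domain

# Outbound: block Remote Desktop to one host by IP address while leaving it allowed
# to every other computer (a block rule wins over an allow rule whenever both match).
netsh advfirewall firewall add rule name="Example block RDP to 192.0.2.10" dir=out action=block protocol=TCP remoteport=3389 remoteip=192.0.2.10

# The two rules Lab B, Exercise 1 asks for: no Remote Desktop in either direction.
netsh advfirewall firewall add rule name="Example block inbound RDP" dir=in action=block protocol=TCP localport=3389
netsh advfirewall firewall add rule name="Example block outbound RDP" dir=out action=block protocol=TCP remoteport=3389

# Connection security rule: require IPsec authentication in both directions for
# traffic with one server (auth1 defaults to computer Kerberos, so both ends
# must be domain members for the rule to succeed).
netsh advfirewall consec add rule name="Example require auth with 192.0.2.20" endpoint1=any endpoint2=192.0.2.20 action=requireinout

# Verify: rule details, the IPsec rule, and which profile each interface is in.
netsh advfirewall firewall show rule name="Example block inbound RDP"
netsh advfirewall consec show rule name="Example require auth with 192.0.2.20"
netsh advfirewall monitor show currentprofile

# Remove the example rules again when done testing.
netsh advfirewall firewall delete rule name="Example block inbound RDP"
netsh advfirewall firewall delete rule name="Example block outbound RDP"
netsh advfirewall firewall delete rule name="Example block RDP to 192.0.2.10"
netsh advfirewall firewall delete rule name="Example web server (domain only)"
netsh advfirewall consec delete rule name="Example require auth with 192.0.2.20"
```

A connection security rule on its own does not block anything; it only decides whether matching traffic must be authenticated. Pair it with a firewall rule that allows only secure connections when the goal is to reject unauthenticated peers rather than merely to protect the traffic.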
Monitoring
Windows Firewall uses the monitoring interface to display information about current firewall rules, connection security rules, and security associations. The Monitoring overview page shows which profiles are active (domain, private, or public) and the settings for the active profiles. The Windows Firewall with Advanced Security events are also available in Event Viewer. Question: There are three types of rules that can be created in Windows Firewall with Advanced Security. List each type and the types of rules that can be created for each.
Key Points
Before you configure either inbound or outbound firewall rules, you must understand how applications communicate on a TCP/IP network. At a high level, when an application wants to establish communications with an application on a remote host, it creates a TCP or UDP socket which is a combination of transport protocol, IP address, and a port. Ports are used in TCP or UDP communications to name the ends of logical connections that transfer data.
Well-Known Ports
Well-known ports are assigned by the Internet Assigned Numbers Authority (IANA). On Unix-like systems they can only be bound by system processes or by programs run by privileged users; Windows does not enforce that restriction, so on a Windows host it is the firewall rule, not the port number, that controls who may listen. The following table identifies some well-known ports.

Port  Protocol  Application
80    TCP       HTTP, used by a Web server
443   TCP       HTTPS, for a secured Web server
110   TCP       Post Office Protocol version 3 (POP3), used by e-mail clients to retrieve mail
25    TCP       Simple Mail Transfer Protocol (SMTP), used by e-mail servers and clients to send mail
53    UDP       Domain Name System (DNS) queries
53    TCP       DNS (zone transfers and responses too large for UDP)
21    TCP       File Transfer Protocol (FTP) control channel
This demonstration shows how to configure inbound and outbound rules, create a connection security rule, and review monitoring in Windows Firewall with Advanced Security.
2. In the Outbound Rules, disable the HTTP TCP 80 rule.
3. In the Connection Security Rules, disable the Kerberos Connection Security Rule.
Lesson 7
A browser is like any other application; it can be well managed and secure or poorly managed. If a browser is poorly managed, IT professionals and enterprises risk spending more time and money supporting users and dealing with security infiltrations, malware, and loss of productivity. Windows Internet Explorer 8 helps users browse more safely, which in turn helps maintain customer trust in the Internet and helps protect the IT environment from the evolving threats presented on the Web. Internet Explorer 8 specifically helps users maintain their privacy with features such as InPrivate Browsing and InPrivate Filtering. The new SmartScreen Filter provides protection against social engineering attacks by identifying malicious Web sites that try to trick people into providing personal information or installing malicious software, by blocking the download of malicious software, and by providing enhanced antimalware support. Internet Explorer 8 helps prevent the browser from becoming an attack agent; it is built with the Security Development Lifecycle (SDL) and provides more granular control over the installation of ActiveX controls with per-site and per-user ActiveX features. The Cross Site Scripting (XSS) Filter helps protect users from reflected cross-site scripting attacks, in which script smuggled into a request is echoed back by a vulnerable Web site.
Internet Explorer 8 includes advancements in compliance with Web standards, enabling Web sites to be created more efficiently and to operate more predictably. Internet Explorer 8 provides a Compatibility View that uses the Internet Explorer 7 engine to display Web pages. In addition, new events are added to the Application Compatibility Toolkit (ACT) to help IT professionals detect and resolve issues between Internet Explorer 8 and custom internal applications and Web sites. The main features of Compatibility View are as follows:
Internet Web sites display in Internet Explorer 8 Standards Mode by default. Use the Compatibility View button to fix sites that render differently than expected.
Internet Explorer 8 remembers sites that have been set to Compatibility View so that the button only needs to be pressed once for a site. After that, the site is always rendered in Compatibility View unless it is removed from the list.
Internet Explorer 8 ships with a list of sites provided by Microsoft known to require Compatibility View. This list is periodically updated through Windows Update or Automatic Updates.
Intranet Web sites display in Internet Explorer 7 Standards Mode by default. This means that internal Web sites created for Internet Explorer 7 will work.
IT professionals can use Group Policy to set a list of Web sites to be rendered in Compatibility View.
Switching in and out of Compatibility View occurs without requiring the browser to be restarted.
A new entry on the Tools menu allows for advanced configuration of the Compatibility View enabling IT professionals to customize the view to meet enterprise requirements. The ACT is a set of tools to help IT professionals identify potential application compatibility issues. The Internet Explorer Compatibility Evaluator component of ACT helps you identify potential compatibility issues with Web sites.
For Internet Explorer 8, new events have been added to ACT to help detect and resolve potential issues between Internet Explorer 8 and internal applications and Web sites. When ACT runs, a log of compatibility events is created and an error message is displayed when there is a compatibility event. A link is provided to a white paper that describes compatibility issues, mitigations, and fixes. Use the information from the white paper to help resolve compatibility issues. Present and discuss your ideas on this topic in the class.
Key Points
One of the biggest concerns for users and organizations is the issue of security and privacy when using the Internet. Internet Explorer 8 helps users maintain their security and privacy.
InPrivate Browsing
InPrivate Browsing helps protect data and privacy by preventing browsing history, temporary Internet files, form data, cookies, user names, and passwords from being stored or retained locally by the browser. It protects only against what is left behind on the local computer: the Web sites visited, any proxy, and the network still see the traffic as usual.
InPrivate Filtering
Most Web sites today contain content from several different sites; the combination of these sites is sometimes referred to as a mashup. InPrivate Filtering monitors the frequency of all third-party content as it appears across all Web sites visited by the user. An alert or frequency level is configurable and is initially set to three. Third-party content that appears with high incidence is blocked when the frequency level is reached.
Key Points
Phishing attacks are social engineering attacks: rather than exploiting a flaw in the browser, they persuade the user to hand over personal information, so the technical protections described so far do not stop them. Most phishing scams target individuals in an attempt to steal money or commit identity theft. With the introduction of the SmartScreen Filter, Internet Explorer 8 builds on and replaces the Phishing Filter technology introduced in Internet Explorer 7 by providing:
An improved user interface.
Faster performance.
New heuristics and enhanced telemetry.
Anti-malware support (blocking downloads of known malicious software, not only phishing pages).
Improved Group Policy support.
Key Points
Additional security features in Internet Explorer 8 include the following:
Changes in ActiveX controls
The XSS Filter
Data Execution Prevention (DEP) changes
This demonstration shows how to configure security in Internet Explorer 8, including enabling the compatibility view, configuring browsing history, InPrivate Browsing, and InPrivate Filtering. The demonstration also shows the add-on management interface.
Lesson 8
Windows Defender helps protect you from spyware and other forms of malicious software. In Windows 7, Windows Defender is improved in several ways. It is integrated with Action Center to provide a consistent means of alerting you when action is required, and provides an improved user experience when you are scanning for spyware or manually checking for updates. In addition, in Windows 7, Windows Defender has less impact on overall system performance while continuing to deliver continuous, real-time monitoring.
Key Points
Malicious software, such as viruses, worms, and Trojan horses, deliberately harms a computer and is referred to as malware. Spyware is a general term for software that performs certain behaviors, such as displaying advertising, collecting personal information, or changing the configuration of the computer, generally without appropriately obtaining consent first. Other kinds of spyware make changes to the computer that are annoying and cause the computer to slow down or stop responding. Preventing the installation of malicious software requires that you understand the purpose of the software you intend to install and that you have agreed to install it on the computer. When you perform an installation, read all disclosures, the license agreement, and the privacy statement. Consider the following scenario: You are deploying Windows 7 throughout the organization. To decide which operating system features to implement, you need to understand the security risks that might be relevant to the organization. Take part in a class discussion about this scenario.
Question: What are common security risks that you must consider when deploying a new operating system?
Question: How can you be sure that you have addressed the appropriate security risks before and after a desktop deployment?
Key Points
Windows Defender helps protect you from spyware and malicious software; it is not anti-virus software. Windows Defender uses definitions to determine if software it detects is unwanted, and to alert you to potential risks. To help keep definitions up to date, Windows Defender works with Windows Update to automatically install new definitions as they are released. In Windows Defender, run a quick, full, or custom scan. If you suspect spyware has infected a specific area of the computer, customize a scan by selecting specific drives and folders. You can choose the software and settings that Windows Defender monitors, including real-time protection options, called agents. When an agent detects potential spyware activity, it stops the activity and raises an alert. Alert levels help you determine how to respond to spyware and unwanted software. You can configure Windows Defender behavior when a scan identifies unwanted software. You are also alerted if software attempts to change important Windows settings. To help prevent spyware and other unwanted software from running on the computer, turn on Windows Defender real-time protection and select all real-time protection options. Question: List the four Windows Defender alert levels. What are the possible responses?
Key Points
Windows Defender includes automatic scanning options that provide regular spyware scanning and on-demand scanning:
Quick scan
Full scan
Custom scan
It is recommended that you schedule a daily quick scan. At any time, if you suspect that spyware has infected the computer, run a full scan. When scanning the computer, you can choose from five additional advanced options:
Scan archive files
Scan e-mail
Scan removable drives
Use heuristics
Create a restore point before applying actions to detected items
Once the scan is complete, choose to remove or restore quarantined items and maintain the allowed list. Do not restore software with severe or high alert ratings because doing so can put your privacy and the security of the computer at risk.
Question: Why might you consider creating a restore point before applying actions to detected items?
This demonstration shows how to configure Windows Defender settings, such as scanning options, frequency, default actions, and quarantine settings. Also shown is the Windows Defender Web site and the Microsoft SpyNet community.
Configure the scan to remove severe alert items and to allow low alert items when applying recommended actions. Review real-time protection, excluded files, folders, and file type information. Make sure to scan e-mail and removable drives, and then view the administrator options.
Microsoft SpyNet
From Tools and Settings, join Microsoft SpyNet with basic membership.
Lab B: Configuring Windows Firewall, Internet Explorer 8 Security Settings, and Windows Defender
Exercise 1: Configuring and Testing Inbound and Outbound Rules in Windows Firewall
Scenario
Some users have been using Remote Desktop to connect to and from other desktops. To comply with corporate policies, you must prevent them from doing so by using Windows Firewall rules. The main tasks for this exercise are as follows:
1. Configure an inbound rule.
2. Test the inbound rule.
3. Configure an outbound rule.
4. Test the outbound rule.
Note: LON-CL1 is the computer running Windows 7 where you will configure Windows Firewall. LON-DC1 is the computer running Windows Server 2008 R2 that you will use to test the Windows Firewall configuration.
Lab Setup:
Complete these tasks to set up the prerequisites for the lab:
1. Log on to LON-CL1 as Contoso\Administrator with the password Pa$$w0rd.
2. Click Start, right-click Computer, and then click Properties.
3. Click Advanced system settings.
4. Click the Remote tab.
5. Under Remote Desktop, select Allow connections from computers running any version of Remote Desktop (less secure), and then click OK.
6. Log off of LON-CL1.
4. Configure an outbound rule to block Remote Desktop Connection traffic on TCP port 3389.
Note: LON-CL1 is the computer running Windows 7 where you will configure Internet Explorer 8. LON-DC1 is the computer running Windows Server 2008 R2 that is hosting a Web site.
Results: After this exercise, you will be able to set various security settings in Internet Explorer 8, including enabling the compatibility view, configuring InPrivate Browsing and InPrivate Filtering.
Note: LON-CL1 is the computer running Windows 7 where you will configure Windows Defender.
Review Questions
1. When User Account Control is implemented, what happens to standard users and administrative users when they perform a task requiring administrative privileges?
2. What are the requirements for Windows BitLocker to store its own encryption and decryption key in a hardware device that is separate from the hard disk?
3. When implementing Windows AppLocker, what must you do before manually creating new rules or automatically generating rules for a specific folder?
4. You decide to deploy a third-party messaging application on your company's laptop computers. This application uses POP3 to retrieve e-mail from the corporate mail server, and SMTP to send mail to the corporate e-mail relay. Which ports must you open in Windows Firewall?
5. Describe how the SmartScreen Filter works in Internet Explorer 8.
6. What does Windows Defender do to software that it quarantines?
7. What configuration options are available with Windows Defender, where do you set them, and why?
3. A server has multiple network interface cards (NICs), but one of the NICs is not connected. In Windows Vista, this caused the computer to be stuck in the public profile (the most restrictive one). How is this issue resolved in Windows 7?
You can choose to reset personal settings by using the Delete Personal Settings option for the following:
Home pages
Browsing history
Form data
Passwords
Reset Internet Explorer Settings (RIES) disables all custom toolbars, browser extensions, and customizations that have been installed with Internet Explorer 8. To use any of these disabled customizations, you must selectively enable each customization through the Manage Add-ons dialog box. RIES does not do the following:
Clear the Favorites list.
Clear the RSS Feeds.
Clear the Web Slices.
Reset connection or proxy settings.
Affect Administrative Template Group Policy settings that you apply.
Note: Unless you enable the Group Policy setting titled Internet Explorer Maintenance policy processing, Normal mode settings on the browser created by using IEM are lost after you use RIES.
To use RIES in Internet Explorer 8, follow these steps:
1. Click the Tools menu and then click Internet Options.
2. On the Advanced tab, click Reset.
3. In the Reset Internet Explorer Settings dialog box, click Reset. To remove personal settings, select the Delete Personal Settings check box. To remove branding, select the Remove Branding check box.
4. When Internet Explorer 8 finishes restoring the default settings, click Close, and then click OK twice.
5. Close Internet Explorer 8. The changes take effect the next time you open Internet Explorer 8.
Note: To prevent users from using the RIES feature, enable the Do not allow resetting Internet Explorer settings policy in Group Policy Administrative Templates.
The most secure implementation of BitLocker leverages the enhanced security capabilities of Trusted Platform Module (TPM) version 1.2. On computers that do not have a TPM version 1.2, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation, and it does not provide the pre-startup system integrity verification that BitLocker offers when it works with a TPM.
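The following PowerShell script is an added example for this page, not code from the courseware: it checks, through the Win32_Tpm WMI class, whether a computer has a usable TPM 1.2 and therefore whether TPM-based BitLocker with pre-startup integrity verification is available or the USB startup key mode will be needed.

```powershell
# Added example for this page, not code from the 6292A courseware.
# Reports whether this computer can use TPM-based BitLocker (with the pre-startup
# integrity check) or will need the USB startup key mode described above.
# Assumes the Win32_Tpm WMI class is present (it is, when a TPM driver is loaded)
# and that the script runs from an elevated PowerShell prompt.

function Get-BitLockerTpmReadiness {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue

    if ($tpm -eq $null) {
        # No TPM device or driver: the OS volume can still be encrypted, but only with a
        # USB startup key, and the boot path is not integrity-checked before Windows starts.
        return New-Object PSObject -Property @{
            TpmPresent  = $false
            SpecVersion = $null
            Enabled     = $false
            Activated   = $false
            Owned       = $false
            Mode        = 'USB startup key required; no pre-startup integrity verification'
        }
    }

    # SpecVersion is a string such as "1.2, 2, 3"; the first field is the TPM specification level.
    $spec      = ($tpm.SpecVersion -split ',')[0].Trim()
    $enabled   = [bool]$tpm.IsEnabled_InitialValue
    $activated = [bool]$tpm.IsActivated_InitialValue

    if ($spec -eq '1.2' -and $enabled -and $activated) {
        $mode = 'TPM 1.2 usable: TPM-based BitLocker with pre-startup integrity verification'
    } else {
        $mode = 'TPM present but not usable as-is (wrong version, disabled or not activated); enable it in firmware setup or fall back to a USB startup key'
    }

    New-Object PSObject -Property @{
        TpmPresent  = $true
        SpecVersion = $spec
        Enabled     = $enabled
        Activated   = $activated
        Owned       = [bool]$tpm.IsOwned_InitialValue
        Mode        = $mode
    }
}

Get-BitLockerTpmReadiness | Format-List TpmPresent, SpecVersion, Enabled, Activated, Owned, Mode
# After BitLocker is turned on, "manage-bde -status" shows which key protectors are actually in use.
```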
After creating new rules, enforcement for the rule collections must be configured and the computer's policy refreshed. By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. Administrators must maintain a current list of allowed applications. If AppLocker rules are defined in a Group Policy Object (GPO), only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs. When an AppLocker rule is set to Audit only, the rule is not enforced. When a user runs an application that is included in the rule, the application is opened and runs normally, and information about that application is added to the AppLocker event log. At least one Windows Server 2008 R2 domain controller is required to host the AppLocker rules.
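The script below is an added example, not code from the courseware. It shows the two checks the paragraph calls for on a Windows 7 computer with the AppLocker module: which rule collections are enforced rather than in Audit only mode, and what the AppLocker event log recorded while a collection was being audited. The event log name and the event IDs (8003 for would-have-been-blocked in Audit only, 8004 for blocked) are the ones AppLocker writes; the payload field names are taken from the event XML.

```powershell
# Added example for this page, not code from the 6292A courseware.
# Assumes the AppLocker PowerShell module is available and that the
# Application Identity service is running; run from an elevated prompt.
Import-Module AppLocker

# Enforcement mode per rule collection (Exe, Msi, Script, Dll), read from the
# effective policy XML: the EnforcementMode attribute is NotConfigured,
# AuditOnly or Enabled (absent when the collection is not configured).
function Get-AppLockerEnforcement {
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    foreach ($rc in @($policy.AppLockerPolicy.RuleCollection)) {
        if ($rc -eq $null) { continue }   # no collections configured at all
        New-Object PSObject -Property @{
            Collection      = $rc.Type
            EnforcementMode = $rc.EnforcementMode
            RuleCount       = @($rc.ChildNodes).Count
        }
    }
}

# AppLocker events for EXEs and DLLs:
#   8003 = would have been blocked (collection in Audit only)
#   8004 = blocked (collection enforced)
function Get-AppLockerAuditSummary {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in @($events)) {
        if ($e -eq $null) { continue }    # no matching events in the window
        # Fields come from the event's UserData/RuleAndFileData payload.
        $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        New-Object PSObject -Property @{
            Time     = $e.TimeCreated
            EventId  = $e.Id
            FilePath = $d.FilePath
            User     = $d.TargetUser
            Policy   = $d.PolicyName
        }
    }
}

Get-AppLockerEnforcement | Format-Table Collection, EnforcementMode, RuleCount -AutoSize

# Files that would be blocked once a collection is switched from Audit only to
# Enforce rules: review these before enforcing, and add rules for the legitimate ones.
Get-AppLockerAuditSummary -Hours 24 |
    Where-Object { $_.EventId -eq 8003 } |
    Group-Object FilePath | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```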
Implement a recovery agent archive program to make sure that encrypted files can be recovered by using obsolete recovery keys. Recovery certificates and private keys must be exported and stored in a controlled and secure manner. Ideally, as with all secure data, archives must be stored in a controlled access vault and you must have two archives: a master and a backup. The master is kept on-site, while the backup is located in a secure off-site location. Avoid using print spool files in your print server architecture, or make sure that print spool files are generated in an encrypted folder. The Encrypting File System does take some CPU overhead every time a user encrypts and decrypts a file. Plan your server usage wisely. Load balance your servers when there are many clients using Encrypting File System (EFS).
If you are configuring the firewall by using Group Policy, you need to ensure that the Windows Firewall service has explicit write access by its service security identifier (SID) to the location that you specify. If you deploy Windows Firewall with Advanced Security by using Group Policy and then block outbound connections, ensure that you enable the Group Policy outbound rules and do full testing in a test environment before deploying. Otherwise, you might prevent all of the computers that receive the policy from updating the policy in the future, unless you manually intervene.
Task | Reference
accompanied by a white paper that explains compatibility issues identified by the tool | http://go.microsoft.com/fwlink/?LinkId=153908F
Information about anti-phishing strategies | http://go.microsoft.com/fwlink/?linkid=69167 (Internet Explorer 8 Help)
Information about the RIES feature | Microsoft Knowledge Base article 923737, http://go.microsoft.com/fwlink/?LinkId=83361
Module 7
Optimizing and Maintaining Windows 7 Client Computers
Contents:
Lesson 1: Maintaining Performance by Using the Windows 7 Performance Tools 7-3
Lesson 2: Maintaining Reliability by Using the Windows 7 Diagnostic Tools 7-14
Lesson 3: Backing Up and Restoring Data by Using Windows Backup 7-24
Lesson 4: Restoring a Windows 7 System by Using System Restore Points 7-30
Lesson 5: Configuring Windows Update 7-35
Lab: Optimizing and Maintaining Windows 7 Client Computers 7-40
Module Overview
For today's computer users, system performance is a key issue. Therefore, it is important to always optimize and manage your system performance. The Windows 7 operating system includes several monitoring and configuration tools that can be used to obtain information about a system's performance.
Lesson 1
Maintaining Performance by Using the Windows 7 Performance Tools
A computer system that performs at a low efficiency level can cause problems in the work environment. It can lead to reduced productivity and increased user frustration. Windows 7 helps you determine the potential cause of poor performance and then provides the appropriate tools to resolve the performance issues.
Key Points
The Performance Information and Tools combines many of the performance-related tools that Windows 7 provides. You can access Performance Information and Tools from Control Panel, where you can:
- Adjust visual effects
- Adjust indexing options
- Adjust power settings
- Open Disk Cleanup
From the Performance Information and Tools, you can also access the Advanced tools. The Advanced tools are mostly used to identify and show the following:
- Performance issues
- Performance-related events
- Graphs of system performance
- Real-time system resource usage
From the Performance Information and Tools, you can also access the Windows Experience Index (WEI). The WEI provides information about each of your computer's key components:
- Processor
- Memory
- Graphics
- Gaming Graphics
The WEI measures each key component, and each hardware component receives an individual subscore. The lowest subscore determines the computer's base score. Base scores range from 1 to 7.9 and are defined as follows:
- Base score of 1–2: Can perform the most general computing tasks, such as running office productivity applications and searching the Internet.
- Base score of 3: Can run Windows Aero and many new features of Windows 7 at a basic level.
- Base score of 4–5: Can run all new features of Windows 7 with full functionality, and can support high-end, graphics-intensive experiences, such as multiplayer and 3-D gaming and recording and playback of HDTV content.
- Base score of 4–7.9: Has excellent performance and high-end hardware.
Key Points
The Performance Monitor gives an overview of system performance, and you can collect detailed information for troubleshooting by using data collector sets. The Performance Monitor includes the following features:
- Monitoring Tools
- Data Collector Sets
- Reports
Monitoring Tools
The Monitoring Tools contain the Performance Monitor. The Performance Monitor provides a graphical view of the computer's performance. You can add Performance Counters to the Performance Monitor to measure the system state or activity. The Performance Monitor is saved to a data log so that you always have a historical data review of the performance.
Data Collector Sets
- To run at a scheduled time
- To provide data for later analysis in Performance Monitor
- To generate reports
- To generate alerts
Reports
Use reports to view and create reports from a set of counters that you create by using Data Collector Sets.
Resource Monitor
The Resource Monitor lists the use and real-time performance of:
- CPU: this tab has more detailed CPU information that you can filter based on the process.
- Disk: this tab only shows the processes with recent or current disk activity.
- Network: this tab provides information about all processes with current network activity.
- Memory: this tab provides detailed information about memory utilization for each process.
This enables you to identify which processes are using which resources.
Question: Which resources can cause performance problems if you have a shortage of them?
Key Points
This demonstration shows how to use Resource Monitor.
1. Log on to the computer by using the required credentials.
2. Open the Resource Monitor.
3. Expand the Disk section on the Overview tab.
4. Select Medium on Views. This controls the size of the graphs showing CPU utilization, disk I/O, network utilization, and memory activity.
5. Open the CPU tab.
6. Select a process in the Processes area.
7. Expand the Associated Handles area. This shows the files that are used by this process. It also keeps the selected process at the top of the list for simpler monitoring.
8. Open the Memory tab. Notice that the previously selected process is still selected, so that you can review multiple types of information about a process as you switch between tabs.
9. Open the Disk tab. This tab shows processes with recent disk activity.
10. Expand the Disk Activity area and clear the Image check box to remove the filter and show all processes with current disk activity. The Disk Activity area provides detailed information about the files in use. The Storage area provides general information about each logical disk.
11. Open the Network tab.
12. Expand the TCP Connections area. This shows current TCP connections and information about those connections.
13. Expand the Listening Ports area. This shows the processes that are listening for network connections and the ports they are listening on. The firewall status for those ports is also shown.
14. Close the Resource Monitor.
Question: How can you simplify the task of monitoring the activity of a single process when it spans different tabs?
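The following PowerShell script is an added example, not part of the demonstration: it reproduces the Listening Ports view of step 13 from the command line by parsing netstat -ano output and mapping each listening port to its owning process, and it separates ports bound to all interfaces (reachable from the network unless Windows Firewall blocks them) from loopback-only ones. It needs nothing beyond what Windows 7 ships with.

```powershell
# Added example for this page, not code from the 6292A courseware.
# Lists TCP listening ports with the owning process, like the Listening Ports
# area of Resource Monitor, by parsing "netstat -ano" output.

function Get-ListeningPort {
    # Map process IDs to names once, rather than once per netstat line.
    $names = @{}
    foreach ($p in Get-Process) { $names[$p.Id] = $p.ProcessName }

    # Lines of interest look like:
    #   TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    812
    #   TCP    [::]:445       [::]:0       LISTENING    4
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $address = $matches[1]
            $procId  = [int]$matches[3]
            New-Object PSObject -Property @{
                Address       = $address
                Port          = [int]$matches[2]
                PID           = $procId
                Process       = $names[$procId]
                # Bound to every interface, not just loopback: reachable from other hosts
                # unless an inbound firewall rule blocks it (Resource Monitor shows that status).
                AllInterfaces = ($address -eq '0.0.0.0' -or $address -eq '[::]')
            }
        }
    } | Sort-Object Port
}

# Ports reachable from other hosts are the ones to compare against the inbound
# rules in Windows Firewall with Advanced Security.
Get-ListeningPort | Where-Object { $_.AllInterfaces } |
    Format-Table Port, Address, PID, Process -AutoSize
```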
Demonstration: Analyzing System Performance by Using Data Collector Sets and Performance Monitor
Key Points
This demonstration shows how to analyze system performance by using data collector sets and Performance Monitor.
1. Log on to the computer by using the required credentials.
2. Open the Performance Monitor.
3. Open the Performance Monitor node. Notice that only % Processor Time is displayed by default.
4. Open the Add Counters dialog box and add the % Idle Time counter from the PhysicalDisk area for the system disk object.
5. Open the properties for the % Idle Time counter and set the color of the % Idle Time counter to green.
6. Open the Create new Data Collector Set Wizard from the User Defined options of the Data Collector Sets node.
7. Enter a name for the data collector set, select Basic from the Template, and accept the default storage location for the data.
8. Select to open properties for the data collector set and finish the wizard. The data collector set is saved and the properties window is opened. On the General tab, you can configure general information about the data collector set and the credentials that are used when it is running.
9. Open the Directory tab. This tab lets you define information about how the collected data is stored.
10. Open the Security tab. This tab lets you configure which users can change this data collector set.
11. Open the Schedule tab. This tab lets you define when the data collector set is active and gathering data.
12. Open the Stop Condition tab. This tab lets you define when data collection is stopped based on time or data collected.
13. Open the Task tab. This tab lets you run a scheduled task when the data collector set stops. This can be used to process the collected data.
14. Close the properties window.
15. Notice that there are three types of logs listed in the right pane. Performance Counter collects data that can be viewed in the Performance Monitor. Kernel Trace collects detailed information about system events and activities. Configuration records changes to registry keys.
16. Open Performance Counter. Notice that all Processor counters are collected by default.
17. Open the Add Counters dialog box and add all PhysicalDisk counters for the total object.
18. Start the CPU and Disk Activity.
19. Wait a few moments and the data collector set will stop automatically.
20. Open the Latest Report for the CPU and Disk Activity. This report shows the data collected by the data collector set.
21. Close the Performance Monitor.
Question: How can you use Performance Monitor for troubleshooting?
Key Points
Resource Monitor shows you what happens with your current Windows system. Use this as a starting point for monitoring and troubleshooting performance issues. With Resource Monitor, you can investigate which product, tool, or application is currently running and consuming CPU, disk, network, and memory resources. Set up a baseline to evaluate the workload on your computer by using Performance Monitor to:
- Monitor system resources.
- Observe changes and trends in resource use.
- Test configuration changes.
- Diagnose problems.
By using data collector sets, you can establish a baseline to use as a standard for comparison when:
- You first configure the computer.
- At regular intervals of typical usage.
- You make any changes to the computer's hardware.
- You make any changes to the computer's software.
If you have appropriate baselines, you can always determine which resources are affecting your computer's performance. Plan monitoring carefully to make sure that the data that you collect accurately represents system performance.
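The script below is an added example serving both the data collector set demonstration and the baseline discussion above; it is not courseware code. It samples the counters the demonstration adds in Performance Monitor (% Processor Time and PhysicalDisk % Idle Time) plus memory and network counters with the built-in Get-Counter cmdlet, saves the averages as a baseline file, and later flags counters whose current average deviates from that baseline by more than a threshold. The CSV path and the 25 percent threshold are assumptions.

```powershell
# Added example for this page, not code from the 6292A courseware.
# Capture a performance baseline with Get-Counter and compare later samples against it.

$BaselineCounters = @(
    '\Processor(_Total)\% Processor Time',
    '\PhysicalDisk(_Total)\% Idle Time',
    '\Memory\Available MBytes',
    '\Network Interface(*)\Bytes Total/sec'
)

# Average each counter over a number of samples. Counter paths are normalized because
# Get-Counter returns them prefixed with \\COMPUTERNAME and in lower case.
function Get-PerformanceSnapshot {
    param([int]$Samples = 5, [int]$IntervalSeconds = 2)
    $sets = Get-Counter -Counter $BaselineCounters -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $samples = $sets | ForEach-Object { $_.CounterSamples }
    $samples | Group-Object Path | ForEach-Object {
        $avg = ($_.Group | Measure-Object -Property CookedValue -Average).Average
        New-Object PSObject -Property @{
            Counter = ($_.Name -replace '^\\\\[^\\]+', '').ToLower()
            Average = [math]::Round($avg, 2)
        }
    }
}

# Run once on a freshly configured computer and again after hardware or software changes.
function Save-PerformanceBaseline {
    param([string]$Path = "$env:USERPROFILE\perf-baseline.csv")   # assumed location
    Get-PerformanceSnapshot | Export-Csv -Path $Path -NoTypeInformation
}

# Flag counters whose current average differs from the baseline by more than
# ThresholdPercent (percent of the baseline value).
function Compare-ToPerformanceBaseline {
    param([string]$Path = "$env:USERPROFILE\perf-baseline.csv", [double]$ThresholdPercent = 25)
    $baseline = @{}
    foreach ($row in Import-Csv -Path $Path) { $baseline[$row.Counter] = [double]$row.Average }
    foreach ($now in Get-PerformanceSnapshot) {
        if (-not $baseline.ContainsKey($now.Counter)) { continue }   # e.g. a new network adapter
        $base = $baseline[$now.Counter]
        if ($base -eq 0) { $deviation = 0 }
        else { $deviation = [math]::Round((($now.Average - $base) / $base) * 100, 1) }
        New-Object PSObject -Property @{
            Counter  = $now.Counter
            Baseline = $base
            Current  = $now.Average
            DeltaPct = $deviation
            Exceeds  = ([math]::Abs($deviation) -gt $ThresholdPercent)
        }
    }
}

# The same counters can be collected on a schedule as a data collector set from the
# command line, for example:
#   logman create counter Baseline -c "\Processor(_Total)\% Processor Time" -si 00:00:15 -o C:\PerfLogs\Baseline

Save-PerformanceBaseline
Compare-ToPerformanceBaseline | Format-Table Counter, Baseline, Current, DeltaPct, Exceeds -AutoSize
```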
Lesson 2
Maintaining Reliability by Using the Windows 7 Diagnostic Tools
The Windows Diagnostic Infrastructure (WDI) is a set of diagnostic tools that performs the following tasks:
- Identifies existing disk, memory, and network problems.
- Detects impending failures.
- Alerts you to take corrective or mitigating action.
Key Points
The Windows diagnostic tools show you information about the existing problems and help you prevent future problems. You can solve computer problems effectively and reliably by using the Windows Diagnostic Tools. The WDI includes diagnostic tools to troubleshoot:
- Unreliable memory
- Network-related problems
- Startup problems
Unreliable Memory
Failing memory can cause application failures, operating system faults, and stop errors. Failing memory can be difficult to identify because problems can be intermittent.
Startup Problems
Malfunctioning memory, incompatible or corrupted device drivers, missing or corrupt startup files, or corrupt disk data can all cause startup failures. Diagnosing startup problems is especially difficult because you do not have access to Windows 7 troubleshooting and monitoring tools when your computer does not start.
Key Points
The Windows Memory Diagnostics Tool (WMDT) works with Microsoft Online Crash Analysis to monitor computers for defective memory and determines whether defective physical memory is causing program crashes. If the Windows Memory Diagnostics tool identifies a memory problem, Windows 7 avoids using the affected part of physical memory so that the operating system can start successfully and avoid application failures. In most cases, Windows automatically detects possible problems with your computer's memory and displays a notification that asks whether you want to run the Memory Diagnostics Tool. You can also start the Windows Memory Diagnostics tool from the System and Security location's Administrative Tools option, which is in Control Panel.
You can also run the Windows Memory Diagnostics tool manually. You have the same choices: to run the tool immediately or to schedule it to run when the computer restarts. Additionally, you can start Windows Memory Diagnostics from the installation media.
Key Points
The Windows Network Diagnostics tool provides assistance in resolving network-related issues by using the Fix a Network Problem feature. You can access the Windows Network Diagnostics tool from the Fix a Network Problem page in the Network and Sharing Center. The Windows Network Diagnostics Tool can troubleshoot different network problems such as the following:
- Internet Connections: Connections to the Internet or to a particular Web site.
- Connection to a Shared Folder: Access shared files and folders on other computers.
- HomeGroup: View the computers or shared files in a homegroup for workgroup-configured computers.
- Network Adapter: Troubleshoot Ethernet, Wireless, or other network adapters.
- Incoming Connections to This Computer: Allow other computers to connect to your computer.
- Printing: You can also troubleshoot problems on printer connections.
The Windows Network Diagnostics tool runs automatically when it detects a problem.
Key Points
The Reliability Monitor provides a timeline of system changes and reports the system's reliability. It also provides detailed information that you can use to achieve optimal system reliability. You can access the Reliability Monitor by clicking View System History on the Maintenance tab in the Action Center. The Reliability Monitor provides a System Stability Chart. The System Stability Chart provides an overview of system stability, for the past year, in daily increments. This chart indicates any information, error, or warning messages and simplifies your ability to identify issues and the date on which they occurred. The Reliability Monitor creates a detailed System Stability Report for each event. These reports show the following events:
- Software Installs
- Software Uninstalls
- Application Failures
- Hardware Failures
- Windows Failures
- Miscellaneous Failures
The Reliability Monitor records the following key events in a timeline:
- Installation of new applications
- Operating-system patches
- Operating-system drivers
Additionally, the Reliability Monitor tracks the following events that help you identify the reasons for reliability issues:
- Memory problems
- Hard-disk problems
- Driver problems
- Application failures
- Operating system failures
The Problem Reports and Solutions tool works together with Windows Error Reporting Services to provide a history of the attempts made to diagnose your computer's problems. You can start the Problem Reports and Solutions tool from the Reliability Monitor. If you find a problem after running the Windows Diagnostics Tool, use the Problem Reports and Solutions tool to:
- Save the Reliability history.
- View problems and responses.
- Check for solutions to all problems.
- Clear the solution and problem history.
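The following PowerShell script is an added example, not courseware code. It reads the data behind the Reliability Monitor's System Stability Chart and event list through the Win32_ReliabilityStabilityMetrics and Win32_ReliabilityRecords WMI classes that Windows 7 provides, so the daily stability index and the failure events can be exported or checked from a script; it reports the days on which the index dropped sharply, which are the dates to examine first. It assumes the RAC scheduled task has run at least once, since the classes return nothing until it has.

```powershell
# Added example for this page, not code from the 6292A courseware.
# Reads Reliability Monitor data through the Windows 7 reliability WMI classes.

function ConvertFrom-WmiDate {
    param([string]$WmiDate)
    [System.Management.ManagementDateTimeConverter]::ToDateTime($WmiDate)
}

# One stability index value (1 to 10) per day, taking the last measurement of each day.
function Get-StabilityIndexHistory {
    param([int]$Days = 30)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-WmiObject -Class Win32_ReliabilityStabilityMetrics |
        ForEach-Object {
            $when = ConvertFrom-WmiDate $_.EndMeasurementDate
            if ($when -ge $cutoff) {
                New-Object PSObject -Property @{
                    Time  = $when
                    Index = [math]::Round([double]$_.SystemStabilityIndex, 2)
                }
            }
        } |
        Group-Object { $_.Time.Date } |
        ForEach-Object {
            $last = $_.Group | Sort-Object Time | Select-Object -Last 1
            New-Object PSObject -Property @{ Date = $last.Time.Date; Index = $last.Index }
        } |
        Sort-Object Date
}

# Failure and change events recorded in the timeline; SourceName is the event
# provider (for example Application Error) and ProductName the application involved.
function Get-ReliabilityEvent {
    param([int]$Days = 7)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-WmiObject -Class Win32_ReliabilityRecords | ForEach-Object {
        $when = ConvertFrom-WmiDate $_.TimeGenerated
        if ($when -ge $cutoff) {
            New-Object PSObject -Property @{
                Time    = $when
                Source  = $_.SourceName
                EventId = $_.EventIdentifier
                Product = $_.ProductName
                Message = $_.Message
            }
        }
    } | Sort-Object Time -Descending
}

# Days on which the index fell by more than MinDrop against the previous day.
function Get-StabilityDrop {
    param([int]$Days = 30, [double]$MinDrop = 1.0)
    $history = @(Get-StabilityIndexHistory -Days $Days)
    for ($i = 1; $i -lt $history.Count; $i++) {
        $drop = $history[$i - 1].Index - $history[$i].Index
        if ($drop -gt $MinDrop) {
            New-Object PSObject -Property @{ Date = $history[$i].Date; Drop = [math]::Round($drop, 2) }
        }
    }
}

Get-StabilityDrop | Format-Table Date, Drop -AutoSize
Get-ReliabilityEvent -Days 7 | Format-Table Time, Source, EventId, Product -AutoSize
```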
Key Points
The Startup and Recovery option is accessed from the Advanced tab in the System Properties. In the System startup, you can specify the default operating system for startup. You also select the number of seconds that you want the list of recovery options to be displayed before the default recovery option is automatically selected. Under System Failure, you can specify what happens when the system stops unexpectedly:
- Write an event to the System log: Specifies that event information will be recorded in the system log.
- Automatically restart: Specifies that Windows will automatically restart your computer.
Under Write debugging information, select the type of information that you want Windows to record when the system stops unexpectedly. This information is stored in the folder under Dump file. You can access the Advanced Boot Options for Troubleshooting Startup Problems. The following options are used:
- Change the registry
- Load drivers
- Remove drivers
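The script below is an added example, not courseware code. The System Failure choices in the Startup and Recovery dialog are stored under the CrashControl registry key; the script reads them back in the dialog's terms and, only when run with -Apply, sets values that preserve evidence of a stop error (record the event, keep a kernel memory dump, do not restart automatically, since an automatic restart loop can hide a recurring crash). The value meanings are the documented CrashControl semantics; changing them requires an elevated prompt.

```powershell
# Added example for this page, not code from the 6292A courseware.
# Read and (optionally) set the Startup and Recovery "System failure" settings.

$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-StartupRecoverySetting {
    $k = Get-ItemProperty -Path $CrashControl
    # CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small memory dump
    $dumpTypes = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'; 3 = 'Small memory dump (minidump)' }
    $dumpType = $dumpTypes[[int]$k.CrashDumpEnabled]
    if ($dumpType -eq $null) { $dumpType = "Unknown ($($k.CrashDumpEnabled))" }
    New-Object PSObject -Property @{
        WriteEventToSystemLog = ($k.LogEvent -eq 1)
        AutomaticallyRestart  = ($k.AutoReboot -eq 1)
        DebuggingInformation  = $dumpType
        DumpFile              = $k.DumpFile
    }
}

# Report-only by default; pass -Apply to write the settings (they take effect at the next crash).
function Set-StartupRecoveryForEvidence {
    param([switch]$Apply)
    $wanted  = @{ LogEvent = 1; AutoReboot = 0; CrashDumpEnabled = 2 }
    $current = Get-ItemProperty -Path $CrashControl
    foreach ($name in $wanted.Keys) {
        $have = $current.$name
        if ($have -eq $wanted[$name]) { continue }
        if ($Apply) {
            Set-ItemProperty -Path $CrashControl -Name $name -Value $wanted[$name] -Type DWord
            "Set $name from $have to $($wanted[$name])"
        } else {
            "Would set $name from $have to $($wanted[$name]) (run with -Apply)"
        }
    }
}

Get-StartupRecoverySetting | Format-List WriteEventToSystemLog, AutomaticallyRestart, DebuggingInformation, DumpFile
Set-StartupRecoveryForEvidence
```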
The Startup Repair Tool is used to fix many common problems automatically and to quickly diagnose and repair more complex startup problems. When you run the Startup Repair tool, it scans your computer for the source of the problem, and then it tries to fix the problem so that your computer can start correctly. When a system detects a startup failure, it goes into the Startup Repair tool. This performs diagnostics and analyzes startup log files to determine the cause of the failure. After the Startup Repair tool determines the cause of failure, it tries to fix the problem automatically. The Startup Repair tool can repair the following problems automatically:
- Incompatible drivers
- Missing or corrupted startup-configuration settings
- Corrupted disk metadata
After the Startup Repair tool repairs the operating system, Windows 7 notifies you of the repairs and provides a log so that you can determine the steps the Startup Repair tool performed. If the Startup Repair tool cannot resolve startup errors, Windows 7 rolls the system back to the last known working state. If the Startup Repair tool cannot recover the system automatically, it provides diagnostic information and support options to make additional troubleshooting simpler. You can start the Startup Repair tool manually from the Windows 7 installation DVD. After you start the computer from the DVD, you can access the manual repair tools from the menus that display.
Key Points
This demonstration shows how to resolve startup-related problems.
1. Start the computer that has the ISO image of the Windows 7 installation DVD.
2. Open the System Recovery Options window.
3. In the System Recovery Options window, read the list of operating systems found.
4. Read the options that are listed:
   - Startup Repair attempts to automatically repair a Windows system that is not starting correctly.
   - System Restore is used to restore system configuration settings based on a restore point.
   - System Image Recovery is used to perform a full restore from Windows backup.
   - Windows Memory Diagnostic is used to test physical memory for errors.
   - Command Prompt lets you manually access the local hard disk and perform repairs.
5. Open the Command Prompt.
6. At the command prompt, type <first_drive_letter>: to go to the first drive.
7. At the command prompt, type dir and notice that there are no files on the first drive.
8. At the command prompt, type <second_drive_letter>: to go to the second drive.
9. At the command prompt, type dir and notice that this drive is the first drive when Windows 7 is running.
10. Close the Command Prompt and restart the computer.
Question: When do you use the command prompt to perform system repairs manually?
Lesson 3
Backing Up and Restoring Data by Using Windows Backup
It is important to protect data on computer systems from accidental loss or corruption. Additionally, to recover from a problem, it is often simpler to restore system settings than to reinstall the operating system and applications. By using Windows Backup, you can perform backups and, when it is necessary, perform restores to recover damaged or lost files, or repair corrupted system settings.
Key Points
The Backup and Restore options in Control Panel provide access to all backup-related setup procedures and tasks. From the Backup and Restore Center, you can perform the following:
- Create a backup and schedule for regular backups.
- Restore a backup.
- Create a system image.
- Create a system repair disc.
Windows Backup
To back up your files, locate the Backup and Restore Center, click Set up backup, specify the destination drive to which you want to back up, and then select the file types that you want to back up. Windows Backup creates copies of the data files. You can let Windows select what to back up, or you can select the individual folders, libraries, and drives that you want to back up. You can change the schedule and manually create a backup at any time. You can back up files to the following:
- External hard drive
- Writeable DVD
- Network location
Restore a Backup
If something goes wrong that requires restoring data from a backup, you can select whether to restore individual files, selected folders, or all personal files.
Restoring a backup helps you restore your computer's files to an earlier point in time.
System Image
A System Image Backup is a copy of the system drives required for Windows to run. It can also include additional drives. A system image can be used to restore your computer if your hard disk or computer stops working.
Key Points
This demonstration shows how to perform a backup.
1. Log on to the computer by using the required credentials.
2. Create a new text file that has some arbitrary text and save it in the Documents Library.
3. Open the Backup and Restore.
4. Open the Set up backup Wizard.
5. Select a volume for the backup to be saved.
6. Select to choose your own items to back up. Notice that by default, the libraries for all users are selected and also a system image.
7. Select the libraries that contain the text file that was created earlier to be backed up, and exclude other items.
8. Open the Change schedule to review the backup schedule. The available options include How Often, What day, and What time to run the backup.
9. Save the settings, run the backup, and wait for it to complete.
10. View the detailed progress.
11. Close the Backup and Restore.
Question: What files do you need to back up on a computer?
Key Points
This demonstration shows how to restore data.
1. Log on to the computer by using the required credentials.
2. Open the Backup and Restore.
3. Open the Restore Files Wizard.
4. Select a file to be restored and restore the file in the original location.
5. When you are prompted that the file already exists, select to copy and replace the file and finish the wizard.
6. Close the Backup and Restore window.
Lesson 4
Restoring a Windows 7 System by Using System Restore Points
Windows 7 provides System Restore to monitor and record changes that are made to the core Windows system files and to the registry. If your computer is not functioning correctly, the System Restore tool can return your computer to a previous state by using System Restore Points. System Restore is often quicker and simpler than using backup media.
Key Points
System Restore enables you to restore your computer's system files to an earlier point in time. All system files and folders are restored to the state they were in when you created the system restore point. The System Restore points back up the following settings:
- Registry
- Dllcache folder
- User profile
- COM+ and WMI information
- IIS metabase
- Certain monitored system files
System restore points are different from data backup. It is not intended for backing up personal files. Therefore, it cannot help you recover a personal file that is deleted or damaged. Run the System Restore from the System Protection tab of System Properties. The System Restore has a description on each restore point to help you restore your computer to the correct time. You can always undo a system restore, if the system restore does not fix the computer problem.
Question: What are the situations when you might need to use System Restore?
Question: When do you restore a file from a restore point rather than a backup?
Key Points
Previous versions of files let you recover an earlier version of a data file, even if it has never been backed up. This feature recovers the earlier version from a Volume Shadow Copy.
The Volume Shadow Copy Service (VSS) is available from Windows XP and later versions. VSS automatically creates a copy when a restore point is taken. Shadow Copy is automatically turned on in Windows 7 and creates copies on a scheduled basis of files that have changed. After you enable System Protection, you can use both the previous versions feature and system restore points. You can use previous versions to restore files and folders that you accidentally changed or deleted, or that were damaged. Depending on the type of file or folder, you can open, save to a different location, or restore a previous version.
Question: What are the benefits of maintaining previous versions of files?
Key Points
With the System Protection program, you can keep copies of the system settings and previous versions of files. Access the System Protection tab in the System Properties window. The window is accessed from the System menu in the System and Security page in Control Panel. To restore the system, click Configure in the System Protection tab. The following options are available:
- Restore system settings and previous versions of files. This creates a full System Restore.
- Only restore previous versions of files. With this, you cannot use System Restore to undo unwanted system changes.
- Turn off system protection. This deletes existing restore points on the disk, and new restore points will not be created.
Key Points
This demonstration shows how to restore a system. Restore points are enabled by default in Windows 7. The process for enabling restore points shown in this demonstration is not typically required.
1. Log on to the computer by using the required credentials.
2. Create a new text file that has some arbitrary text and save it in the Documents Library.
3. Open the Computer properties.
4. Open the System Protection.
5. Configure the system drive to be able to restore system settings and previous versions of files.
6. Configure the second drive to be able to restore system settings and previous versions of files.
7. Create a restore point.
8. Close the System window.
9. Select the file created earlier and attempt to restore the previous version of the file.
10. Open the System Restore Wizard from the System Tools menu.
11. Select a restore point and restore the system to that restore point. This restores only system files, not data files.
12. Log on to the computer by using the required credentials.
13. Read the message in the System Restore window and close the window.
Question: When will the previous version of a file be unavailable?
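The following script is an added example, not part of the demonstration: it performs steps 5 to 7 and lists what steps 10 and 11 select, using the System Restore cmdlets that ship with Windows 7 PowerShell (Enable-ComputerRestore, Checkpoint-Computer, Get-ComputerRestorePoint, Restore-Computer) and vssadmin for the shadow copies behind Previous Versions. The drive letters and the restore point description are assumptions; the cmdlets require an elevated prompt.

```powershell
# Added example for this page, not code from the 6292A courseware.
# Enable System Protection, create a restore point, and list restore points and shadow copies.

function ConvertFrom-WmiDate {
    param([string]$WmiDate)
    [System.Management.ManagementDateTimeConverter]::ToDateTime($WmiDate)
}

# Turn on System Protection (restore points and previous versions) for the given volumes.
function Enable-RestorePointsOnDrives {
    param([string[]]$Drives = @('C:\', 'D:\'))   # assumed: system drive and second drive
    Enable-ComputerRestore -Drive $Drives
}

# Create a restore point before a risky change so that system files can be rolled back.
function New-ChangeRestorePoint {
    param([string]$Description = 'Before lab change')
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
    Get-ComputerRestorePoint -LastStatus    # confirms whether the checkpoint was recorded
}

# Restore points with readable timestamps; SequenceNumber is what Restore-Computer expects.
function Get-RestorePointList {
    $types = @{ 0 = 'APPLICATION_INSTALL'; 1 = 'APPLICATION_UNINSTALL'; 10 = 'DEVICE_DRIVER_INSTALL'; 12 = 'MODIFY_SETTINGS'; 13 = 'CANCELLED_OPERATION' }
    Get-ComputerRestorePoint | ForEach-Object {
        $type = $types[[int]$_.RestorePointType]
        if ($type -eq $null) { $type = "Type $($_.RestorePointType)" }
        New-Object PSObject -Property @{
            SequenceNumber = $_.SequenceNumber
            Created        = ConvertFrom-WmiDate $_.CreationTime
            Description    = $_.Description
            Type           = $type
        }
    } | Sort-Object SequenceNumber
}

# Shadow copies are what the Previous Versions tab reads; a file has no previous
# version if no shadow copy of its volume exists from after the file was written.
function Get-ShadowCopyList {
    vssadmin list shadows | Where-Object { $_ -match 'creation time|Original Volume' }
}

Enable-RestorePointsOnDrives
New-ChangeRestorePoint -Description 'Before lab change'
Get-RestorePointList | Format-Table SequenceNumber, Created, Type, Description -AutoSize
Get-ShadowCopyList
# To roll system files (not data files) back to the newest point, uncomment:
# Restore-Computer -RestorePoint (Get-RestorePointList | Select-Object -Last 1).SequenceNumber
```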
Lesson 5
Configuring Windows Update
To ensure that Windows computers remain stable and protected, update them regularly with the latest security updates and fixes. Windows Update enables you to download and install important and recommended updates automatically instead of visiting the Windows Update Web site. As a Windows 7 Technology Specialist, you must be aware of the configuration options that Windows Update has available, and you must be able to guide users on how to configure these options.
Key Points
Windows Update is a service that provides software updates to keep a computer up-to-date and more protected. Windows Update scans the user's computer and provides a tailored selection of updates. The following are the two types of Windows Updates:
Important updates, including security updates and critical performance updates.
Recommended updates that help fix or prevent problems.
Windows Update downloads computer updates in the background while you are online. If your Internet connection is interrupted before an update downloads fully, the download process resumes when the connection is available. Only important updates are installed automatically. Recommended and optional updates have to be selected manually.
Question: How is the Automatic Updates feature useful?
Key Points
As a best practice, configure computers that are running Windows 7 to download and install updates automatically. This helps make sure that the computer has the most up-to-date and protected configuration possible. You can turn on Automatic Updates during the initial Windows 7 setup, or you can configure it later. In the Windows Update page, you can configure how the updates will be installed, view the important and optional updates that are available for your computer, view the history of updates, and restore hidden updates. The following settings are available for customizing how the updates will be installed:
Install updates automatically (recommended)
Download updates but let me choose whether to install them
Check for updates but let me choose whether to download and install them
If you do not want updates to be installed or downloaded automatically, you can decide to be notified when updates apply to your computer so that you can download and install them yourself. For example, if you have a slow Internet connection or your work is interrupted, you can have Windows check for updates, but download and install them yourself. You can use the View Update History page to review the update history. The status column in this page will help you make sure that all important updates were installed successfully. You can use the Restore Hidden Updates page if you want to restore an update that you have asked Windows not to notify you about or install automatically.
Key Points
Windows Group Policy is an administrative tool for managing user settings and computer settings over a network. There are several Group Policy settings for Windows Update:
Do not display the Install Updates and Shut Down option in the Shut Down Windows dialog box This policy setting allows you to manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box.
Do not adjust the default option to Install Updates and Shut Down in the Shut Down Windows dialog box This policy setting allows you to manage whether the Install Updates and Shut Down option is allowed to be the default choice in the Shut Down Windows dialog.
Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates Specifies whether Windows Update will use the Windows Power Management features to automatically wake up the system from hibernation, if there are updates scheduled for installation.
Configure Automatic Updates Specifies whether your computer will receive security updates and other important downloads through the Windows automatic updating service.
Specify intranet Microsoft update service location Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
Automatic Updates detection frequency Specifies the hours that Windows will use to determine how long to wait before checking for available updates.
Allow non-administrators to receive update notifications This policy setting allows you to control whether non-administrative users will receive update notifications based on the Configure Automatic Updates policy setting.
Turn on Software Notifications This policy setting allows you to control whether users see detailed enhanced notification messages about featured software from the Microsoft Update service.
Allow Automatic Updates immediate installation Specifies whether Automatic Updates must automatically install certain updates that neither interrupt Windows services nor restart Windows.
Turn on recommended updates via Automatic Updates Specifies whether Automatic Updates will deliver both important and recommended updates from the Windows Update service.
No auto-restart with logged on users for Scheduled automatic updates installations Specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically.
Re-prompt for restart with scheduled installations Specifies the amount of time for Automatic Updates to wait before prompting again with a scheduled restart.
Delay Restart for scheduled installations Specifies the amount of time for Automatic Updates to wait before proceeding with a scheduled restart.
Reschedule Automatic Updates scheduled installations Specifies the amount of time for Automatic Updates to wait, following system startup, before proceeding with a scheduled installation that was missed previously.
Enable client-side targeting Specifies the target group name or names that must be used to receive updates from an intranet Microsoft update service.
Allow signed updates from an intranet Microsoft update service location This policy setting allows you to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
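The policy settings listed above are written to the registry when Group Policy is applied. The following added PowerShell example (not part of the course) reads the effective values back, which is also a quick way to confirm that a policy has arrived after gpupdate /force. It assumes the standard Windows Update policy key under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; a missing value means the policy is Not Configured and the Control Panel setting applies.

```powershell
# Added example (not from the course): report the Windows Update Group Policy values.
# Assumption: policies are stored under the standard WindowsUpdate policy key.

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value does not exist instead of throwing.
    if (-not (Test-Path $Key)) { return $null }
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

# "Configure Automatic Updates" stores its radio-button choice in AUOptions.
$auOptionText = @{
    2 = 'Notify before download'
    3 = 'Auto download, notify for install'
    4 = 'Auto download and schedule install'
    5 = 'Allow local admin to choose setting'
}

$report = [ordered]@{
    'Configure Automatic Updates'                = $auOptionText[[int](Get-PolicyValue $auKey 'AUOptions')]
    'Automatic Updates disabled (NoAutoUpdate)'  = Get-PolicyValue $auKey 'NoAutoUpdate'
    'Use intranet update service (UseWUServer)'  = Get-PolicyValue $auKey 'UseWUServer'
    'Intranet update server (WUServer)'          = Get-PolicyValue $wuKey 'WUServer'
    'Intranet status server (WUStatusServer)'    = Get-PolicyValue $wuKey 'WUStatusServer'
    'Client-side target group (TargetGroup)'     = Get-PolicyValue $wuKey 'TargetGroup'
    'Detection frequency (hours)'                = Get-PolicyValue $auKey 'DetectionFrequency'
    'No auto-restart with logged-on users'       = Get-PolicyValue $auKey 'NoAutoRebootWithLoggedOnUsers'
    'Include recommended updates'                = Get-PolicyValue $auKey 'IncludeRecommendedUpdates'
    'Allow signed non-Microsoft updates'         = Get-PolicyValue $wuKey 'AcceptTrustedPublisherCerts'
}

$report.GetEnumerator() | ForEach-Object {
    $value = if ($null -eq $_.Value) { 'Not Configured' } else { $_.Value }
    '{0,-45} : {1}' -f $_.Key, $value
}

# Practitioner checks: an intranet update source should use HTTPS, and accepting
# updates signed by non-Microsoft publishers widens who can deliver code to these clients.
$server = Get-PolicyValue $wuKey 'WUServer'
if ((Get-PolicyValue $auKey 'UseWUServer') -eq 1 -and $server -and $server -notlike 'https://*') {
    Write-Warning "Intranet update server $server is not using HTTPS."
}
if ((Get-PolicyValue $wuKey 'AcceptTrustedPublisherCerts') -eq 1) {
    Write-Warning 'Clients accept updates signed by non-Microsoft publishers; verify the signing certificate that was distributed.'
}
```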
Question: What is the benefit of configuring Windows update by using Group Policy rather than by using Control Panel?
Note: LON-CL1 is the computer that is running Windows 7 where you will review running processes by using Resource Monitor and configure data collector sets. LON-DC1 is the computer that is running Windows Server 2008 R2 that is used for domain authentication.
Task 3: Configure the data collector set schedule and stop condition
1. Open the properties of the Bottleneck data collector set.
2. Review the keywords defined for Bottleneck.
3. Create a schedule for Bottleneck:
   Beginning date: today
   Expiration date: one week from today
   Launch at 13:00 every day of the week
4.
   Maximum Size: 10 MB
Results: After this exercise, you will have scheduled a data collector set to run at 13:05 each day and reviewed the performance data that it gathers.
Note: LON-CL1 is the computer that is running Windows 7 where you will create, back up, and restore a data file. LON-DC1 is the computer that is running Windows Server 2008 R2 that is used for domain authentication.
Perform a backup.
Note: LON-CL1 is the computer that is running Windows 7 where you will enable and create restore points. LON-DC1 is the computer that is running Windows Server 2008 R2 that is used for domain authentication.
Task 1: Enable restore points for all disks except the backup disk
1. On LON-CL1, open the System protection settings from the System window.
2. Select the option to Restore system settings and previous versions of files for all drives.
Results: After this exercise, you will have created a restore point, restored the previous version of a file, and restored a restore point.
Note: LON-CL1 is the computer that is running Windows 7 where you will configure Windows Update. LON-DC1 is the computer that is running Windows Server 2008 R2 that is used for domain authentication and where you will configure automatic updates that use Group Policy.
Task 3: Verify that the automatic updates setting from the group policy is being applied
1. On LON-CL1, run gpupdate /force to update the group policy settings.
2. Open Windows Update and verify that the new settings have been applied.
Note: If the policy setting does not apply, restart LON-CL1 and then repeat Task 3.
Results: After this exercise, you will have enabled automatic updates by using a group policy.
Tools
Tool | Use for | Where to find it
Performance Information and Tools | Lists information for speed and performance | Control Panel
Performance Monitor | Multiple graph views of performance | Administrative Tools
Resource Monitor | Monitor use and performance for CPU, disk, network, and memory | Advanced tools in Performance Information and Tools
Windows Experience Index | | Performance Information and Tools
Monitoring Tools | | Performance Monitor
Data Collector Set | | Performance Monitor
Tool: Windows Memory Diagnostic; Fix a Network Problem; Reliability Monitor; Problem Reports and Solutions tool; Startup Repair Tool; Backup and Restore Tool; Image Backup; System Repair Disc; System Restore; Previous Versions of Files; Restore Point; Disk Space Usage; Windows Update; Change Update Settings; View Update History
Use for:
Where to find it: Action Center; Windows 7 DVD; System and Security; Backup and Restore; Backup and Restore; Control Panel; System Properties
Module 8
Configuring Mobile Computing and Remote Access in Windows 7
Contents:
Lesson 1: Configuring Mobile Computer and Device Settings 8-3
Lesson 2: Configuring Remote Desktop and Remote Assistance for Remote Access 8-13
Lesson 3: Configuring DirectAccess for Remote Access 8-18
Lesson 4: Configuring BranchCache for Remote Access 8-25
Lab: Configuring Mobile Computing and Remote Access in Windows 7 8-32
Module Overview
Mobile computers are available in many types and configurations. This module helps you to identify and configure the appropriate mobile computer for your needs. It describes mobile devices, and how to synchronize them with a computer running the Windows 7 operating system. Additionally, this module describes various power options that you can configure in Windows 7. Windows 7 helps end users to be productive, regardless of where they are or where the data they need resides. With Windows DirectAccess, mobile users can access corporate resources when they are out of the office. IT professionals can administer updates and patches remotely to help improve connectivity for remote users. For those who want to use Virtual Private Networks (VPNs) to connect to enterprise resources, the new features in the Windows 7 environment and Windows Server 2008 create a seamless experience for the user, who does not need to log on to the VPN again if the connection is temporarily lost. Users in branch offices are more productive when they use Windows BranchCache to cache frequently accessed files and Web pages. This helps reduce latency and bandwidth traffic.
Lesson 1
This lesson defines common mobile computing terminology and provides an overview of the related configuration settings that you can modify in Windows 7. It also provides guidelines for applying these configuration settings to computers running Windows 7.
Key Points
Computers play an important part in people's daily lives, and the ability to carry out computing tasks at any time and in any place has become a necessity for many users. A mobile computer is a device that you can continue to use for work while away from your office. Discuss with the class the different mobile computers and devices you have used and how you have benefited from them.
Key Points
While selecting a mobile computer operating system, ensure that the mobile computer can adapt to a variety of scenarios. Windows 7 provides you with the opportunity to change configuration settings quickly and simply based on specific business requirements. You can access and configure commonly used mobility settings by using the Windows Mobility Center in Control Panel.
Power Management
Power management includes an updated battery meter that tells you how much battery life is remaining and provides information about the current power plan. By using power plans, you can adjust the performance and power consumption of the computer. To access Power Plans in Windows 7, right-click the Battery Icon in the Taskbar and select Power Options. You can also choose Battery Status in the Windows Mobility Center.
Presentation settings
Computer manufacturers can customize the Windows Mobility Center to include other hardware-specific settings, such as Bluetooth or auxiliary displays. To access the Windows Mobility Center, in Control Panel, in the Hardware and Sound category, choose Adjust commonly used mobility settings. Another way to access the Windows Mobility Center is from the Start menu, by clicking All Programs, and then clicking Accessories.
Sync Center
Sync Center provides a single interface to manage data synchronization in several scenarios: between multiple computers, between corporate network servers and computers, and with devices connected to the computer, such as a personal digital assistant (PDA), a mobile phone, or a music player. A Sync Partnership is a set of rules that tells the Sync Center how and when to synchronize files or other information between two or more locations. A Sync Partnership typically controls how files are synchronized between the computer and mobile devices, network servers, or compatible programs. Access the Sync Center by choosing Sync Center from the Windows Mobility Center screen, or from the Start menu, by clicking All Programs, clicking Accessories, and then clicking Sync Center.
Presentation Settings
Mobile users often have to reconfigure their computer settings for meeting or conference presentations. For example, they may have to change screen saver timeouts or desktop wallpaper. To improve the end-user experience and avoid this inconvenience, Windows 7 includes a group of presentation settings that are applied with a single click when you connect to a display device. To access the Presentation Settings, choose Presentation Settings in the Windows Mobility Center.
Question: Aside from USB, how can you establish a connection for synchronizing a Windows Mobile device?
Key Points
A mobile device Sync Partnership updates information about the mobile device and the host computer. It typically synchronizes calendar information, clocks, and e-mail messages, in addition to Microsoft Office documents and media files on supported devices. Creating a Sync Partnership with a portable media player is straightforward:
1. Connect the device to a computer running Windows 7 and open Sync Center. Windows 7 includes drivers for many common devices, but you can obtain drivers from the CD that came with the device or from Windows Update.
2. Set up a Sync Partnership by clicking Set up for a media device. Sync Partnership opens Windows Media Player version 11.
3. Select some media files or a playlist to synchronize to the device. To select media, simply drag it onto the sync dialog box on the right side of Windows Media Player.
4. Click Start Sync. After the selected media is transferred to the device, disconnect it from the computer and close Windows Media Player.
Windows Mobile Device Center is the name for ActiveSync in Windows 7. This center provides overall device management features for Windows Mobile-based devices, including Smartphones and Pocket PCs.
Key Points
This demonstration shows how to configure Windows Mobile Device Center and then synchronize a Windows Mobile device.
2. Once the emulator has started, from the Windows Mobile 6 SDK tools, open the Device Emulator Manager.
3. In Device Emulator Manager, click the play symbol and then select Cradle from the Actions menu.
4. Close Device Emulator Manager.
Key Points
In Windows 7, Power Plans help you maximize computer and battery performance. By using power plans, with a single click, you can change a variety of system settings to optimize power or battery usage, depending on the scenario. There are three default power plans:
Power saver: This plan saves power on a mobile computer by reducing system performance. Its primary purpose is to maximize battery life.
High performance: This plan provides the highest level of performance on a mobile computer by adapting processor speed to your work or activity and by maximizing system performance.
Balanced: This plan balances energy consumption and system performance by adapting the computer's processor speed to your activity.
The balanced plan provides the best balance between power and performance. The power saver plan reduces power usage by lowering the performance. The high performance plan consumes more power by increasing system performance. Each plan provides alternate settings for AC or DC power. In addition to considering power usage and performance for a computer, as a Windows 7 Technology Specialist, you must also consider the following three options for turning a computer on and off:
Shut down
Hibernate
Sleep
Shut Down
When you shut down the computer, Windows 7 saves all open files to the hard disk, saves the memory contents to the hard disk or discards them as appropriate, clears the page file, and closes all open applications. Windows 7 then logs out the active user, and turns off the computer.
Hibernate
When you put the computer in hibernate mode, Windows 7 saves the system state, along with the system memory contents to a file on the hard disk, and then shuts down the computer. No power is required to maintain this state because the data is stored on the hard disk. Windows 7 supports hibernation at the operating system level without any additional drivers from the hardware manufacturer. The hibernation data is stored on a hidden system file called Hiberfil.sys. This file is the same size as the physical memory contained in the computer and is normally located in the root of the system drive.
Sleep
Sleep is a power-saving state that saves work and open programs to memory. This provides fast resume capability, which is typically within several seconds, but still consumes a small amount of power. Windows 7 automatically goes into Sleep mode when you push the power button on the computer. If the computer's battery power is low, Windows 7 puts the computer in hibernate mode. Alternatively, you can enable hybrid sleep. With hybrid sleep, data is saved to the hard disk and to memory. If a power failure occurs on a computer when it is in a hybrid sleep state, data is not lost. Hybrid sleep can be used as an alternative to hibernation. Hybrid sleep uses the same Hiberfil.sys hidden system file as hibernation.
Key Points
This demonstration shows how to configure a power plan.
Question: Why are options such as what to do when I shut the power lid not configurable in the Wireless Adapter Settings, Power Saving Mode?
Lesson 2
Many organizations use remote management to lessen the time that troubleshooting takes and to reduce travel costs for support staff. Remote troubleshooting enables support staff to operate effectively from a central location.
Key Points
Remote Desktop uses the Remote Desktop Protocol (RDP) to enable users to access files on their office computer from another computer, such as one at their home. Additionally, Remote Desktop enables administrators to connect to multiple Windows Server sessions for remote administration purposes. While a Remote Desktop session is active, Remote Desktop locks the target computer, prohibiting interactive logons for the session's duration. Remote Assistance enables a user to request help from a remote administrator. To access Remote Assistance, run the Windows Remote Assistance tool. Using this tool, you can do the following actions:
Invite someone you trust to help you.
Offer to help someone.
View the remote user's desktop.
Chat with the remote user with text chat.
Send a file to the remote computer.
If permissions allow, request to take remote control of the remote desktop.
Windows 7 prevents remote troubleshooting tools from connecting to the local computer by using Windows Firewall. To enable support for remote troubleshooting tools, open Windows Firewall in the System and Security category in Control Panel and allow a program or feature through the firewall.
Key Points
Remote Desktop is a standard Windows 7 feature, and it is accessible from within Control Panel. Access the Remote Desktop options by launching Remote Desktop. The options are categorized into the following tabs:
General - Enter the logon credentials to connect to the remote computer.
Display - Allows you to choose the remote desktop display size. You have the option of running the remote desktop in full-screen mode.
Local Resources - The user can configure local resources for use by the remote computer, such as clipboard and printer access.
Programs - Lets you specify which programs you want to start when you connect to the remote computer.
Experience - Allows you to choose connection speeds and other visual options.
Advanced - Provides security and credential options.
To use Remote Desktop, you must enable it in Control Panel. In Control Panel, click System and Security, click System, and then click Remote Settings. Select the Remote tab and then select one of the following options:
Don't allow connections to this computer.
Allow connections from computers running any version of Remote Desktop. This is a less secure option.
Allow connections only from computers running Remote Desktop with Network Level Authentication. This is a more secure option.
The following are the steps to specify which computers can connect to your computer using Remote Desktop:
1. In System Properties, on the Remote tab, under Remote Desktop, click Select Users. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
2. If you are an administrator on the computer, your current user account is automatically added to the list of remote users and you can skip the next two steps.
3. In the Remote Desktop Users dialog box, click Add.
4. In the Select Users or Groups dialog box, do the following:
   a. To specify the search location, click Locations and then select the location to search.
   b. In Enter the object names to select, type the name of the user to add and then click OK.
To access a computer using Remote Desktop, run Remote Desktop Connection and specify the necessary connection details, which may include the following:
Computer name or IP address
User name
Display settings
How the remote computer can access local resources, such as sound, printer, and clipboard
Advanced settings, such as server authentication settings
The following steps outline how to use Remote Desktop:
1. Start Remote Desktop.
2. Before connecting, make desired changes to the Display, Local Resources, Programs, Experience, and Advanced tabs.
3. Save these settings for future connections by clicking Save on the General tab.
4. Connect to the remote desktop.
Remote Desktop Connection supports high-resolution displays that can be spanned across multiple monitors. The monitors must have the same resolution and be aligned side-by-side. To have the remote computer's desktop span multiple monitors, open a Command Prompt, and then type Mstsc /span. This feature is sometimes called continuous resolution. To toggle in and out of full-screen spanned mode, press CTRL+ALT+Break. For additional security, you can change the port that Remote Desktop Connection uses (or "listens on"), instead of using the standard port, 3389. When you log on, type the remote computer name, followed by a colon and the new port number, for example Computer1:3390. For instructions about making the change permanent, go to How to change the listening port for Remote Desktop on the Microsoft Help and Support Web site.
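The Remote tab options, the Remote Desktop Users list and the listening port described above can be audited from an elevated PowerShell session. The following added example (not part of the course) reads the Terminal Server registry values that hold these settings; it assumes the standard RDP-Tcp listener and the built-in Windows 7 firewall rule name.

```powershell
# Added example (not from the course): read-only audit of the Remote Desktop settings
# covered in this lesson. Assumptions: elevated session; standard RDP-Tcp listener.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

$denyConnections = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
$nlaRequired     = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
$listenPort      = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

# Map the raw values onto the three radio buttons of the Remote tab.
$mode = if ($denyConnections -eq 1) {
    "Don't allow connections to this computer"
} elseif ($nlaRequired -eq 1) {
    'Allow connections only from computers running Remote Desktop with Network Level Authentication'
} else {
    'Allow connections from computers running any version of Remote Desktop (less secure)'
}

'Remote tab setting : {0}' -f $mode
'Listening port     : {0}{1}' -f $listenPort, $(if ($listenPort -ne 3389) { ' (non-default)' } else { '' })

# Accounts allowed to connect: members of Remote Desktop Users, plus Administrators.
# "net localgroup" is used because Get-LocalGroupMember is not available on Windows 7.
net localgroup "Remote Desktop Users"

# The built-in firewall rule only covers port 3389; a changed port needs its own rule.
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"

if ($denyConnections -eq 0 -and $nlaRequired -ne 1) {
    Write-Warning 'Remote Desktop is enabled without Network Level Authentication; prefer the NLA-only option.'
}
```

When the port has been changed, the client side connects as the lesson shows, for example mstsc /v:Computer1:3390, and the firewall check above tells you whether a matching inbound rule exists.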
Key Points
This demonstration shows how to request remote assistance from a Windows 7 computer, configure Windows Firewall to enable remote administration, and provide remote assistance.
Question: Under what circumstances does one use Remote Desktop Connection or Remote Assistance?
Lesson 3
Advances in mobile computers and wireless broadband have enabled users to be more productive while away from the office. As users become more mobile, IT professionals must provide an infrastructure to allow them to remain productive. The changing structure of business puts more pressure on IT professionals to provide a high-performance and protected infrastructure for connecting remote users while managing remote users and minimizing costs. VPN connections use the connectivity of the Internet plus a combination of tunneling and data encryption technologies to connect remote clients and remote offices. VPN Reconnect enhances the connectivity experience for those who rely on VPN connections. DirectAccess, a new feature in Windows 7 and Windows Server 2008 R2, provides remote users with seamless access to internal network resources whenever they are connected to the Internet.
Key Points
A virtual private network is an extension of a private network that encompasses links across shared or public networks like the Internet. Virtual private networking is the act of creating and configuring a virtual private network. There are two key VPN scenarios:
Remote access
Site-to-site
With remote access, the communications are encrypted between a remote computer (the VPN client) and the remote access VPN gateway (the VPN server). With site-to-site (or router-to-router), the communications are encrypted between two routers. Currently, mobile workers reconnect to a VPN on every network outage. VPN Reconnect provides seamless and consistent VPN connectivity by using a single VPN server for laptops, desktops, and mobile computers. VPN Reconnect uses IKEv2 technology to supply constant VPN connectivity, automatically re-establishing a VPN connection when users temporarily lose Internet connections. IKEv2 is the protocol used to establish a security association in IPsec. While the reconnection might take several seconds, it is completely transparent to the end user.
Key Points
Creation of a VPN in the Windows 7 system environment requires Windows Server 2008. The steps for creating the VPN connection from a Windows 7 computer are as follows:
1. From Control Panel, select Network and Internet.
2. Click Network and Sharing Center, and then choose Set up a new connection or network.
3. In the Set Up a Connection or Network wizard, choose Connect to a workplace.
4. On the Connect to a Workplace page, choose No and then create a new connection.
5. On the next page, choose Use my Internet connection (VPN).
6. On the next screen, specify the Internet Address for the VPN Server and a Destination Name. You can also specify the options to use a smart card for authentication, Allow other people to use this connection, and Don't connect now; just set up so I can connect later.
What Is DirectAccess?
Key Points
DirectAccess allows authorized users on Windows 7 computers to access corporate shares, view intranet Web sites, and work with intranet applications without going through a VPN. DirectAccess benefits IT professionals by enabling them to manage remote computers outside of the office. Each time a remote computer connects to the Internet, before the user logs on, DirectAccess establishes a bi-directional connection that enables the client computer to remain current with company policies and to receive software updates. Additional security and performance features of DirectAccess include the following:
Support of multifactor authentication methods, such as smart card authentication.
IPv6 to provide globally routable IP addresses for remote access clients.
Encryption across the Internet using IPsec. Encryption methods include DES, which uses a 56-bit key, and 3DES, which uses three 56-bit keys.
Integrating with Network Access Protection (NAP) to perform compliance checking on client computers before allowing them to connect to internal resources.
Configuring the DirectAccess server to restrict which servers, users, and individual applications are accessible.
Key Points
DirectAccess helps reduce unnecessary traffic on the corporate network by not sending traffic destined for the Internet through the DirectAccess server. DirectAccess clients can connect to internal resources by using one of the following methods:
Selected server access
Full enterprise network access
The connection method is configured using the DirectAccess console, or it can be configured manually by using IPsec policies. For the highest security level, deploy IPv6 and IPsec throughout the organization, upgrade application servers to Windows Server 2008 R2, and enable selected server access. Alternatively, organizations can use full enterprise network access, where the IPsec session is established between the DirectAccess client and server. DirectAccess clients use the following process to connect to intranet resources:
1. The DirectAccess client computer running Windows 7 detects that it is connected to a network.
2. The DirectAccess client computer attempts to connect to an intranet Web site that an administrator specified during DirectAccess configuration.
3. The DirectAccess client computer connects to the DirectAccess server using IPv6 and IPsec. If a firewall or proxy server prevents the client computer using 6to4 or Teredo from connecting to the DirectAccess server, the client automatically attempts to connect using the IP-HTTPS protocol, which uses a Secure Sockets Layer (SSL) connection to ensure connectivity.
4. As part of establishing the IPsec session, the DirectAccess client and server authenticate each other using computer certificates for authentication.
5. By validating Active Directory group memberships, the DirectAccess server verifies that the computer and user are authorized to connect using DirectAccess.
6. If Network Access Protection (NAP) is enabled and configured for health validation, the DirectAccess client obtains a health certificate from a Health Registration Authority (HRA) located on the Internet prior to connecting to the DirectAccess server.
7. The DirectAccess server begins forwarding traffic from the DirectAccess client to the intranet resources to which the user has been granted access.
DirectAccess Requirements
Key Points
DirectAccess requires the following:
One or more DirectAccess servers running Windows Server 2008 R2 with two network adapters
At least one domain controller and DNS server that are running Windows Server 2008 or Windows Server 2008 R2
A Public Key Infrastructure (PKI)
IPsec policies
IPv6 transition technologies available for use on the DirectAccess server
Windows 7 Enterprise on the client computers
Organizations not ready to fully deploy IPv6 can use IPv6 transition technologies such as ISATAP, 6to4, and Teredo to enable clients to connect across the IPv4 Internet and to access IPv4 resources on the enterprise network. Question: What is the certificate used for in DirectAccess? Question: List three ways to deploy DirectAccess.
Lesson 4
Branch offices are often connected to enterprises with a low-bandwidth link. Therefore, accessing corporate data located in the enterprise is slow. Even in a smaller business, different departments have unique needs. Additionally, companies are investing in opening more branch offices to provide a work environment for mobile employees and to reach more customers. This trend generates challenges for end users and IT professionals. BranchCache helps to resolve these challenges by caching content from remote file and Web servers so that users in branch offices can access information more quickly.
What Is BranchCache?
Key Points
There are two ways that content can be cached when using BranchCache. The cache can be hosted centrally on a server in the branch location, or it can be distributed across user computers. If the cache is distributed, the branch user's computer automatically checks the cache pool to determine if the data has already been cached. If the cache is hosted on a server, the branch user's computer checks the branch server to access data. Each time a user tries to access a file, his or her access rights are authenticated against the server in the data center to ensure that the user has access to the file and is accessing the latest version.
Question: How does BranchCache prevent malicious users from accessing content?
Key Points
BranchCache can operate in one of two modes:
- Distributed Caching Mode
- Hosted Caching Mode
In the distributed caching mode, the cache is distributed across client computers in the branch. With this type of peer-to-peer architecture, content is cached on Windows 7 client computers after it is retrieved from a Windows Server 2008 R2 computer. Then, it is sent directly to other Windows 7 clients, as they need it. When you use the hosted caching mode, the cache resides on a Windows Server 2008 R2 computer that is deployed in the branch office. Using this type of client/server architecture, Windows 7 clients copy content to a local computer (Hosted Cache) running Windows Server 2008 R2 that has BranchCache enabled. Compared to Distributed Cache, Hosted Cache increases cache availability because content is available even when the client that originally requested the data is offline. A computer must obtain the identifier that describes a piece of content to decrypt that content after downloading. The identifiers, provided by the server, include a digest of the content. After downloading from the cache, the client computer verifies that the content matches the digest in the identifier. If a client downloads an identifier from the server, but cannot find the data cached on any computers in the branch, the client returns to the server for a full download.
Question: Which BranchCache caching mode has a peer-to-peer architecture?
BranchCache Requirements
Key Points
BranchCache supports the same network protocols that are commonly used in enterprises, for example HTTP(S) and SMB. It also supports network security protocols (SSL and IPsec), ensuring that only authorized clients can access requested data. Windows Server 2008 R2 is required either in the main server location or at the branch office, depending on the type of caching being performed. Windows 7 Enterprise is required on the client PC. On Windows 7 clients, BranchCache is off by default. Client configurations can be performed through Group Policy or done manually. After BranchCache is installed on Windows Server 2008 R2, you can configure BranchCache by using Group Policy and by using the following guidelines:
- Enable for all file shares on a computer, or on a file share by file share basis.
- Enable on a Web server (it must be enabled for all Web sites).
- Equip Hosted Cache with a certificate trusted by client computers that is suitable for Transport Layer Security (TLS).
Network Requirements
BranchCache supports Secure Sockets Layer (SSL) as available through HTTPS and IPv6 IPsec. If client computers are configured to use Distributed Cache mode, the cached content is distributed among client computers on the branch office network. No infrastructure or services are required in the branch office beyond client computers that are running Windows 7.
Client Configuration
BranchCache is disabled by default on client computers. Take the following steps to enable BranchCache on client computers:
1. Turn on BranchCache.
2. Enable either Distributed Cache mode or Hosted Cache mode.
3.
Enabling Distributed Cache or Hosted Cache mode (step 2) without explicitly enabling the overall BranchCache feature (step 1) will leave BranchCache disabled on a client computer. It is possible to enable BranchCache on a client computer (step 1) without enabling Hosted Cache mode or Distributed Cache mode (step 2). In this configuration, the client computer only uses the local cache and will not attempt to download from peers or from a Hosted Cache server. Multiple users of a single computer will benefit from a shared local cache in this local caching mode. Configuration can be automated using Group Policy or can be achieved manually by using the netsh command.
Question: Which of the following operating systems is a requirement on client computers using BranchCache?
Key Points
This demonstration shows how to enable and configure BranchCache.
Refresh the computer's policies by typing gpupdate /force at a Command Prompt. From the Command Prompt, set the client's BranchCache instance to Distributed Cache mode by using the command netsh branchcache set service mode=DISTRIBUTED, or to Hosted Cache mode by using netsh branchcache set service mode=HOSTEDCLIENT LOCATION=<Hosted Cache name>, where <Hosted Cache name> is the machine name or fully qualified domain name of the computer serving as a Hosted Cache.
Test BranchCache
1. Restart the Windows 7 client computer and log on as the administrator.
2. At the Command Prompt, type netsh branchcache show status to verify that BranchCache is working.
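The following script is an added example and is not part of the course material or a Microsoft-supplied script. It wraps the netsh commands from the demonstration above in a single PowerShell script so that the mode switch, the cache size limit and the verification step are performed together. The Hosted Cache server name is a placeholder, the cache percentage matches the 10 percent used in the lab, and the substrings used to check the netsh status output are assumptions about that output's wording.

```powershell
# Added example (not course material): configure a Windows 7 client for
# BranchCache from an elevated PowerShell prompt and verify the result.
# Assumptions: netsh branchcache is available (Windows 7 Enterprise), the
# prompt is elevated, and the Hosted Cache server name is a placeholder.
param(
    [ValidateSet('Distributed', 'HostedClient', 'Local', 'Disabled')]
    [string]$Mode = 'Distributed',
    [string]$HostedCacheServer = 'LON-HC1.contoso.com',   # placeholder name
    [int]$CachePercent = 10
)

# Refresh Group Policy first: a policy-delivered setting takes precedence
# over the manual netsh setting, so apply it before changing anything.
gpupdate /force | Out-Null

switch ($Mode) {
    'Distributed'  { netsh branchcache set service mode=DISTRIBUTED }
    'HostedClient' { netsh branchcache set service mode=HOSTEDCLIENT "location=$HostedCacheServer" }
    'Local'        { netsh branchcache set service mode=LOCAL }       # local cache only, no peers
    'Disabled'     { netsh branchcache set service mode=DISABLED }
}

# Cap the local cache at a percentage of the disk (matches the lab's 10 percent).
if ($Mode -ne 'Disabled') {
    netsh branchcache set cachesize "size=$CachePercent" percent=TRUE
}

# Verify: show the status and warn if the expected mode is not reported.
# The substrings below are assumed to appear in the "Service Mode" line.
$expected = @{ Distributed = 'Distributed'; HostedClient = 'Hosted'; Local = 'Local' }
$status = netsh branchcache show status
$status
if ($Mode -ne 'Disabled' -and -not ($status -match $expected[$Mode])) {
    Write-Warning "BranchCache does not report $Mode mode; check Group Policy and the netsh output above."
}
```

Run the script once per client; a Group Policy setting that conflicts with the requested mode shows up as the warning at the end, which is the same symptom the lesson describes when step 2 is configured without step 1.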
Question: What is the effect of having the Configure BranchCache for network files value set to zero (0)?
Incident Record
Incident Reference Number: 502509
Date of Call: November 5th
Time of Call: 08:45
User: Don (Production Department)
Status: OPEN
Incident Details Don wants you to establish a sync partnership with his Windows Mobile device. Don needs the power options to be configured for optimal battery life when he is traveling.
Incident Record
Don wants to enable remote desktop on his desktop computer in the office for his own user account so he can connect remotely to his desktop from his laptop. Don wants to be able to access documents from the head office and enable others at the plant to access those files without delay.
Additional Information
Don's laptop is running Windows 7 Enterprise. The Slough plant has no file server at present.
Resolution
Note: LON-CL1 is the computer running Windows 7 where you will use Windows Mobile Device Center to synchronize items between Outlook and a Windows Mobile device. LON-DC1 is the computer running Windows Server 2008 R2, which is used for domain authentication.
Create a contact with the following properties:
   a. Full name: Andrea Dunker
   b. Job title: IT department
5. Close Outlook.
After synchronization is complete, verify that the appointment and contact items have synchronized successfully. Close all open windows. Do not save changes. Log off of LON-CL1. Update the resolution section of incident record 502509 with the information about the successful creation of a sync partnership.
Results: After this exercise, you have created a sync partnership and successfully synchronized Don's Windows Mobile device.
Note: LON-CL1 is the computer running Windows 7 where you will configure a power plan. LON-DC1 is the computer running Windows Server 2008 R2, which is used for domain authentication.
Task 3: Update the incident record with the power plan changes
1. Update the resolution section of incident record 502509 with the information about the successful configuration of a power plan for Don's laptop.
2. Close any open windows.
Results: After this exercise, you have configured a suitable power plan for Don's laptop computer.
Note: LON-CL1 is the computer running Windows 7 on which you will enable Remote Desktop. LON-DC1 is the computer running Windows Server 2008 R2, which is used for domain authentication.
Task 1: Enable remote desktop through the firewall and enable Remote Desktop on Don's office computer
1. On LON-CL1, open Windows Firewall.
2. Enable Remote Desktop through the firewall for all profiles (Domain, Home/Work, and Public).
3. From System, select Remote settings.
4. Select the following options:
   a. Select Allow connections from computers running any version of Remote Desktop (less secure).
   b. Add Contoso\Don as a remote desktop user.
5.
Connect to LON-CL1. When prompted, enter the password of Pa$$w0rd. Determine the computer name within the remote desktop session. Close the remote desktop session. Close all open windows. Switch to the LON-CL1 computer. Notice you are logged out. Log on as Contoso\Administrator with the password of Pa$$w0rd.
Task 3: Update the incident record with the remote desktop changes
Update the resolution section of incident record 502509 with the information about the successful configuration of remote desktop for Don's laptop.
Results: After this exercise, you have successfully enabled Remote Desktop.
Note: LON-CL1 is the computer running Windows 7 on which you will enable BranchCache client settings. LON-DC1 is the computer running Windows Server 2008 R2 that is used for domain authentication and where you will enable BranchCache and configure Group Policy settings.
   a. Turn on BranchCache: Enabled
   b. Set BranchCache Distributed Cache mode: Enabled
   c. Configure BranchCache for network files: Enabled, and configure a delay of 0 seconds
   d. Set percentage of disk space used for client computer cache: Enabled, and configure a value of 10 percent
5. Close Group Policy Management Editor.
6. Close Group Policy Management. Close all open windows.
Task 8: Update the incident record with the remote desktop changes
Update the resolution section of incident record 502509 with the information about the successful configuration of BranchCache.
Results: After this exercise, you have enabled BranchCache for the Slough Plant shared folder and configured the necessary Group Policy settings.
Review Questions
1. Don wants to connect to the network wirelessly but is unable to, so she checks the Windows Mobility Center to turn on her wireless network adapter. She does not see it in the Windows Mobility Center. Why is that?
2. You have purchased a computer with Windows 7 Home edition. When you choose to use Remote Desktop to access another computer, you cannot find it in the OS. What is the problem?
3. You have some important files on your desktop work computer that you need to retrieve when you are at a client's location with your laptop computer. What do you need to do on your desktop computer to ensure that you can download your files when at a customer site?
4. Your company recently purchased a Windows Server 2008 computer. You have decided to convert it from a database server to a DirectAccess server. What do you need to do before you can configure this computer with DirectAccess?
5. Don needs to configure her Windows 7 client computer to take advantage of BranchCache. How can Don configure the client to do this?
Common Issues
Issue / Troubleshooting tip
- BytesAddedToCache does not increase on the first client when accessing the BranchCache-enabled server.
- BytesAddedToCache does increase on the first client when accessing the BranchCache-enabled server. BytesFromCache does not increase on the second client when accessing the BranchCache-enabled server. Deployment is Distributed Cache mode.
- BytesAddedToCache does increase on the first client when accessing the BranchCache-enabled server. BytesFromCache does not increase on the second client when accessing the BranchCache-enabled server. Deployment is Hosted Cache mode.
- Netsh shows BranchCache firewall rules have not been set, even though they have been configured using Group Policy.
- A client computer is running slowly. Is BranchCache at fault?
- A page fails to load or a share cannot be accessed.
- The client computer is unable to access the file share even when connected to the server.
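The script below is an added example, not course material or a Microsoft-supplied tool. It collects, from one Windows 7 client, the three pieces of evidence the issues above turn on: the service mode reported by netsh, the cache byte counters, and the firewall rules that Group Policy should have created. The performance counter set name 'BranchCache' and the presence of the word "BranchCache" in the firewall rule names are assumptions, so the script discovers counter paths rather than hardcoding them and reports an empty result rather than failing when a name does not match.

```powershell
# Added example (not course material): gather BranchCache diagnostics on a
# Windows 7 client. Assumptions: the counter set is named 'BranchCache' and
# the Group Policy firewall rules contain 'BranchCache' in their names.
function Get-BranchCacheDiagnostics {
    # 1. Service mode and local cache state as reported by netsh.
    $status = netsh branchcache show status all

    # 2. Byte counters. A client that never fills its cache shows the
    #    "added to cache" counter stuck at zero; a second client that never
    #    reaches a peer or the Hosted Cache shows "from cache" stuck at zero.
    #    Counter paths are discovered from the set, not hardcoded.
    $counters = @()
    $set = Get-Counter -ListSet 'BranchCache' -ErrorAction SilentlyContinue
    if ($set) {
        $paths = $set.Paths | Where-Object { $_ -match 'Bytes' }
        if ($paths) {
            $counters = (Get-Counter -Counter $paths).CounterSamples |
                Select-Object Path, CookedValue
        }
    }

    # 3. Firewall rules. Distributed Cache mode needs the content retrieval
    #    and peer discovery rules; if netsh lists none, the policy has not
    #    applied (run gpupdate /force and compare) or the rules are named
    #    differently from what is assumed here.
    $rules = netsh advfirewall firewall show rule name=all |
        Select-String -Pattern 'Rule Name:.*BranchCache' |
        ForEach-Object { $_.Line.Trim() }

    New-Object PSObject -Property @{
        Status        = $status
        Counters      = $counters
        FirewallRules = $rules
    }
}

$diag = Get-BranchCacheDiagnostics
$diag.Status
$diag.Counters | Format-Table -AutoSize
if (-not $diag.FirewallRules) {
    Write-Warning 'No BranchCache firewall rules found; check Group Policy application.'
} else {
    $diag.FirewallRules
}
```

Run it on the first client after it has fetched a file from the BranchCache-enabled server, then on the second client after it has fetched the same file; comparing the two counter snapshots shows which of the first three issues applies.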
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please work with your training provider to access the course evaluation form. Microsoft keeps your answers to this survey private and confidential, and uses your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.
Appendix
Starting Out in Windows PowerShell 2.0
Contents:
Lesson 1: Introduction to Windows PowerShell 2.0 A-3
Lesson 2: Remoting with Windows PowerShell 2.0 A-13
Lesson 3: Using Windows PowerShell Cmdlets for Group Policy A-21
Appendix Overview
Windows PowerShell enables IT professionals to automate repetitive tasks, helping them increase consistency and be more productive. For example, remoting capabilities enable IT professionals to connect with multiple, remote computers at one time to run commands. With Windows 7, IT professionals can use Windows PowerShell and its graphical scripting editor to write comprehensive scripts that access underlying technologies.
Lesson 1
Windows PowerShell is a task-based command-line shell and scripting language designed especially for system administration. Built on the .NET Framework, Windows PowerShell helps IT professionals and users control and automate the administration of the Windows operating system and the applications that run on Windows. Built-in Windows PowerShell commands, called cmdlets, allow IT professionals to manage the computers in their enterprise from the command line. Windows PowerShell providers enable access to data stores, such as the registry and certificate store, in the same way the file system is accessed. Additionally, Windows PowerShell has a rich expression parser and a fully developed scripting language.
Scripting is a flexible and powerful automation tool for IT professionals. Windows 7 includes an improved version of the Windows scripting environment in Windows PowerShell 2.0. Unlike traditional programming languages designed for developers, the scripting language in Windows PowerShell 2.0 is designed for IT professionals and systems administrators. Command-line tools can be called from Windows PowerShell, which allows control over aspects of the system that support management. Windows PowerShell leverages the .NET Framework, providing access to thousands of objects.
Windows PowerShell includes the following features:
- Cmdlets for performing common system administration tasks, such as managing the registry, services, processes, and event logs and using Windows Management Instrumentation (WMI). Cmdlets are not case-sensitive.
- A task-based scripting language and support for existing scripts and command-line tools.
- Shared data between cmdlets. The output from one cmdlet can be used as the input to another cmdlet.
- Command-based navigation of the operating system, which lets consumers navigate the registry and other data stores by using the same techniques that they use to navigate the file system.
- Object manipulation capabilities. Windows PowerShell accepts and returns .NET objects. These objects can be directly manipulated or sent to other tools or databases.
- Extensible interface, enabling independent software vendors and enterprise developers to build custom tools and utilities to administer their software.
IT professionals can create, distribute, and run Windows PowerShell scripts on computers that are running Windows 7 without having to deploy or service additional software across the organization. The following are changes in Windows PowerShell 2.0 for Windows 7:
- New cmdlets: Windows PowerShell 2.0 includes hundreds of new cmdlets, including Get-Hotfix, Send-MailMessage, Get-ComputerRestorePoint, New-WebServiceProxy, Debug-Process, Add-Computer, Rename-Computer, Reset-ComputerMachinePassword, and Get-Random.
- Remote management: Commands can be run on one or multiple computers by establishing an interactive session from a single computer. Additionally, you can establish a session that receives remote commands from multiple computers.
- Windows PowerShell Integrated Scripting Environment (ISE): Windows PowerShell ISE is a graphical user interface where you can run commands and write, edit, run, test, and debug scripts in the same window. It includes a built-in debugger, multiline editing, selective execution, syntax colors, line and column numbers, and context-sensitive Help.
- Background jobs: Run commands asynchronously and in the background while continuing to work in your session. You can run background jobs on a local or remote computer and store the results locally or remotely.
- Debugger: The Windows PowerShell debugger helps debug functions and scripts. You can set and remove breakpoints, step through code, check the values of variables, and display a call-stack trace.
- Modules: Use Windows PowerShell modules to organize your Windows PowerShell scripts and functions into independent, self-contained units and package them to be distributed to other users. Modules can include audio files, images, Help files, and icons, and they run in a separate session to avoid name conflicts.
- Transactions: Transactions enable you to manage a set of commands as a logical unit. A transaction can be committed or it can be completely undone so that the affected data is not changed by the transaction.
- Events: The new event infrastructure helps you create events, subscribe to system and application events, and then listen, forward, and act on events synchronously and asynchronously.
- Advanced functions: Advanced functions behave like cmdlets, but they are written in the Windows PowerShell scripting language instead of Visual C#.
- Script internationalization: Scripts, functions, display messages, and Help text are available in multiple languages.
- Online Help: In addition to Help at the command line, the Get-Help cmdlet has a new online parameter that opens a complete and updated version of each Help topic on Microsoft TechNet.
Windows PowerShell 2.0 includes cmdlets, providers, and tools that you can add to Windows PowerShell to manage other Windows technologies such as:
- Active Directory Domain Services
- Windows BitLocker Drive Encryption
- DHCP Server service
- Group Policy
- Remote Desktop Services
- Windows Server Backup
Windows PowerShell 2.0 includes hundreds of new cmdlets. For example, you can:
- Manage client computers and servers.
- Edit the registry and file system.
- Perform WMI calls.
- Connect to the .NET Framework development environment.
Windows PowerShell cmdlets have a specific naming format: a verb and a noun separated by a dash (-), such as Get-Help, Get-Process, and Start-Service. Slashes (/ and \) are not used with parameters in Windows PowerShell. Cmdlets are designed to be used in combination with other cmdlets; for example, the following types of cmdlets can be combined to take multiple actions:
- Get cmdlets only retrieve data.
- Set cmdlets only establish or change data.
- Format cmdlets only format data.
- Out cmdlets only direct the output to a specified destination.
Each cmdlet has a help file that you can access by typing the following:
get-help <cmdlet-name> -detailed
The detailed view of the cmdlet help file includes a description of the cmdlet, the command syntax, descriptions of the parameters, and an example that demonstrates the use of the cmdlet. All cmdlets support a set of parameters that are called common parameters. This feature provides a consistent interface to Windows PowerShell. When a cmdlet supports a common parameter, the use of the parameter does not cause an error. However, the parameter might not have any effect in some cmdlets. For a description of the common parameters, type the following:
get-help about_commonparameters
Some parameter names are optional, meaning that you can use the parameter by typing a parameter value without typing the parameter name. The parameter value must appear in the same position in the command as it appears in the syntax diagram. For example, the Get-Help cmdlet has a Name parameter that specifies the name of a cmdlet or concept. You can type either of the following to supply the parameter value:
get-help -name get-alias
get-help get-alias
Optional parameter names appear in square brackets, such as:
Get-Help [[-Name] <string>]
To list the cmdlets in your shell, use Get-Command without specifying any command parameters. Three columns of information are returned:
- CommandType
- Name
- Definition
The Definition column displays the syntax of the cmdlet.
Note: Windows PowerShell 2.0 is fully backward compatible. Cmdlets, providers, snap-ins, scripts, functions, and profiles designed for Windows PowerShell 1.0 work on Windows PowerShell 2.0 without changes.
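The following is an added example, not course material or a Microsoft-supplied function, showing how a user-written advanced function (described earlier in this lesson) obeys the same conventions as a cmdlet: a Verb-Noun name, a positional parameter that can be typed without its name, the common parameters such as -Verbose, and a help file that get-help -detailed displays. Get-StoppedService is a hypothetical name; Get-Service, Get-WmiObject, Get-Help and the Format/Out cmdlets are real.

```powershell
# Added example (not course material). Get-StoppedService is hypothetical;
# it lists services that are stopped although set to start automatically.
function Get-StoppedService {
    <#
    .SYNOPSIS
        Lists services that are stopped although their start mode is Auto.
    .PARAMETER Name
        Service name pattern (wildcards allowed). It is positional, so
        'Get-StoppedService w*' works without typing -Name.
    .EXAMPLE
        Get-StoppedService -Name 'w*' -Verbose
    #>
    [CmdletBinding()]            # makes this an advanced function: common parameters apply
    param(
        [Parameter(Position = 0)]
        [string]$Name = '*'
    )

    Write-Verbose "Checking services matching '$Name'"   # shown only with -Verbose

    # The ServiceController objects from Get-Service do not carry the start
    # mode; the WMI Win32_Service class does, so collect the Auto names once.
    $auto = Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto'" |
        ForEach-Object { $_.Name }

    Get-Service -Name $Name |
        Where-Object { $_.Status -eq 'Stopped' -and $auto -contains $_.Name } |
        Sort-Object -Property DisplayName
}

# Get/Where/Sort retrieve, filter and order objects; Format and Out only
# present them, so they belong at the end of the pipeline.
Get-StoppedService w* -Verbose | Format-Table Name, DisplayName -AutoSize
Get-StoppedService | Out-File "$env:TEMP\stopped-services.txt"

# Comment-based help is read by Get-Help exactly like a cmdlet help file.
get-help Get-StoppedService -detailed
```

Because the function returns ServiceController objects rather than text, the same output can be formatted as a table, written to a file, or piped into Start-Service without any parsing.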
Many applications support immediate notifications of important actions or events, which is commonly referred to as eventing. Windows exposes helpful notifications around file activity, services, and processes. These events form the foundation of many diagnostic and system management tasks. In Windows 7, Windows PowerShell 2.0 supports eventing by listening, acting on, and forwarding management and system events. IT professionals can create Windows PowerShell scripts that respond synchronously or asynchronously to system events. When registering for an event through remoting, event notifications can be automatically forwarded to a centralized computer. The following are eventing examples that IT professionals can use:
- Create a script that performs directory management when files are added to or removed from a specific location.
- Create a script that performs a management task only when a specific event is added multiple times, or if different events occur within a specified amount of time.
- Create scripts that respond to events produced by internal applications and perform management tasks specific to organizational requirements.
Eventing supports WMI and .NET Framework events that provide more detailed notifications than those available in the standard event logs.
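The script below is an added example, not course material or a Microsoft-supplied script. It registers one .NET Framework event subscription (file activity in a folder, the first item in the list above) and one WMI event subscription (a service entering the Stopped state), and shows both ways of consuming events: an -Action block that runs asynchronously as each event arrives, and the event queue that Wait-Event and Get-Event read synchronously. The folder path, log file name and the Spooler service name are placeholders chosen for the example.

```powershell
# Added example (not course material). Placeholders: the watched folder,
# the log file under %TEMP%, and the Spooler service.
$watchPath = 'C:\Drop'
if (-not (Test-Path $watchPath)) {
    New-Item -ItemType Directory -Path $watchPath | Out-Null
}

# 1. .NET event: a FileSystemWatcher raises Created/Deleted for the folder.
#    The -Action block runs asynchronously; the engine fills $Event for it.
$watcher = New-Object System.IO.FileSystemWatcher $watchPath
$watcher.EnableRaisingEvents = $true

Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier DropCreated -Action {
    $log = Join-Path $env:TEMP 'drop-folder.log'     # computed here: the action has its own scope
    "$(Get-Date -Format s) CREATED $($Event.SourceEventArgs.FullPath)" | Out-File $log -Append
} | Out-Null

Register-ObjectEvent -InputObject $watcher -EventName Deleted -SourceIdentifier DropDeleted -Action {
    $log = Join-Path $env:TEMP 'drop-folder.log'
    "$(Get-Date -Format s) DELETED $($Event.SourceEventArgs.FullPath)" | Out-File $log -Append
} | Out-Null

# 2. WMI event: WITHIN 5 asks WMI to poll every 5 seconds and raise an
#    event when the Spooler service's State becomes Stopped. No -Action, so
#    the event is queued for the script to read synchronously.
$query = "SELECT * FROM __InstanceModificationEvent WITHIN 5 " +
         "WHERE TargetInstance ISA 'Win32_Service' " +
         "AND TargetInstance.Name = 'Spooler' AND TargetInstance.State = 'Stopped'"
Register-WmiEvent -Query $query -SourceIdentifier SpoolerStopped | Out-Null

# Wait-Event blocks until a queued event arrives or the timeout passes.
Write-Host "Waiting up to 60 s; stop the Spooler service to raise the WMI event..."
$e = Wait-Event -SourceIdentifier SpoolerStopped -Timeout 60
if ($e) {
    "{0} at {1}: {2}" -f $e.SourceIdentifier, $e.TimeGenerated,
        $e.SourceEventArgs.NewEvent.TargetInstance.DisplayName
    Remove-Event -EventIdentifier $e.EventIdentifier
}

# Events handled by -Action never reach the queue; their trace is the log.
Get-Content (Join-Path $env:TEMP 'drop-folder.log') -ErrorAction SilentlyContinue

# Remove the subscriptions so they do not outlive the script.
Get-EventSubscriber | Unregister-Event
$watcher.Dispose()
```

The second list item above (act only when an event repeats, or when different events fall within a time window) is handled the same way: keep the subscriptions without -Action, read the queue with Get-Event, and compare the TimeGenerated values before deciding to act.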
Overview of the Windows PowerShell 2.0 Integrated Scripting Environment (ISE)
Windows 7 includes the new Windows PowerShell 2.0 Integrated Scripting Environment (ISE), a graphical PowerShell development environment with debugging capabilities and an interactive console. The Windows PowerShell ISE requires Microsoft .NET Framework version 3.0 or later and provides the following features to simplify script development:
- Integrated environment: A one-stop shop for interactive shell tasks, and for editing, running, and debugging scripts.
- Syntax coloring: Keywords, objects, properties, cmdlets, variables, strings, and other tokens appear in different colors to improve readability and reduce errors.
- Unicode support: Unlike the command line, the ISE fully supports Unicode, complex script, and right-to-left languages.
- Selective invocation: Select any portion of a PowerShell script, run it, and view the results in the Output pane.
- Multiple sessions: Start up to eight independent sessions (PowerShell tabs) within the ISE. This enables IT professionals to manage multiple servers, each in its own environment, from within the same application.
- Script Editor: Use the script editor to compose, edit, debug and run functions, scripts, and script cmdlets. The script editor includes tab completion, automatic indenting, line numbers, search-and-replace, and go-to line, among other features.
- Multi-line editing: Use the multiline editing feature to type or paste several lines of code into the Command pane at once. Press the up arrow to recall the previous command; all lines in the command are recalled. To type another line of code, press SHIFT+ENTER and a blank line appears under the current line.
- Debugging: The integrated visual script debugger allows the user to set breakpoints, step through the script, check the call stack, and hover over variables to inspect their value.
- Object model: The ISE comes with a complete object model, which allows the user to write Windows PowerShell scripts to manipulate the ISE.
- Customizability: The ISE is customizable, from the size and placement of the panes to the text size and the background colors.
The Windows PowerShell Integrated Scripting Environment (ISE) provides a graphical environment to write, debug, and execute Windows PowerShell scripts. There are two ways to start Windows PowerShell ISE:
- From the Start menu, point to All Programs, point to Windows PowerShell 2.0, and then click Windows PowerShell ISE.
- In the Windows PowerShell console, Cmd.exe, or in the Run box, type powershell_ise.exe.
The results of commands and scripts are displayed in the Windows PowerShell ISE Output pane. Move or copy the results from the Output pane by using shortcut keys or the Output toolbar and paste them anywhere in Windows. Then, you can clear the Output pane display by clicking Clear Output, by typing clear-host, or by typing cls.
Customize the Windows PowerShell ISE by:
- Moving and resizing the Command pane, Output pane, and Script pane.
- Showing or hiding the Script pane.
- Changing the text size in all panes of Windows PowerShell ISE.
Lesson 2
In the past, managing a remote computer meant having to connect to it using Remote Desktop. This made large-scale or automated management difficult. Windows PowerShell 2.0 addresses this issue with the introduction of remote administration, also known as remoting. Remoting lets you run Windows PowerShell commands for automated or interactive remote group policy management by using the standard management protocol WS-Management (WS-MAN). This allows you to:
- Create scripts that run on one or many remote computers.
- Take control of a remote Windows PowerShell session to run commands directly on that computer.
- Create a System Restore point to restore the computer to a previous state if necessary.
- Collect reliability data across the network.
- Change firewall rules to protect computers from a newly discovered vulnerability.
When you use remoting, you can run individual commands or create a persistent connection ("session") to run a series of related commands. You can start an interactive session with a remote computer so that the commands run directly on the remote computer. When you are working remotely, the commands you type on one computer (the "local computer") are run on another computer (the "remote computer").
Remoting Requirements
The remoting features of Windows PowerShell are built on Windows Remote Management (WinRM), the Microsoft implementation of the WS-Management protocol. WinRM is a standard SOAP-based, firewall-compatible communications protocol. It uses the WS-Management protocol with a special SOAP payload designed specifically for Windows PowerShell commands. To work remotely, the local and remote computers must have Windows PowerShell 2.0, Microsoft .NET Framework 2.0 or higher, and the WinRM service. Any files and other resources that are needed to run a particular command must be on the remote computer; the remoting commands do not copy any resources. IT professionals must have permission to:
- Connect to the remote computer.
- Run Windows PowerShell.
- Access data stores and the registry on the remote computer.
There are two ways to create a connection to a remote computer:
- Create a temporary connection (telnet into).
- Create a persistent connection.
Temporary connections are made by specifying the name of the remote computer (or its NetBIOS name or IP address). Persistent connections are made by opening a Windows PowerShell session on the remote computer and then connecting to it.
Use the Enter-PSSession cmdlet to connect to and start an interactive session. For example, after a new session is opened on Server01, the following command starts an interactive session with the computer:
Enter-PSSession server01
Once you enter a session, the Windows PowerShell command prompt on your local computer changes to indicate the connection, for example:
Server01\PS>
The interactive session remains open until you close it. This allows you to run as many commands as required. To end the interactive session, type Exit-PSSession.
When you connect to a remote computer and send it a remote command, the command is transmitted across the network to the Windows PowerShell client on the remote computer. The command is then run on the remote computer's Windows PowerShell client. The command results are sent back to the local computer and appear in the Windows PowerShell session on the local computer. All of the local input to a remote command is collected before any of it is sent to the remote computer. However, the output is returned to the local computer as it is generated. When you connect to a remote computer, the system uses the user name and password credentials on the local computer to authenticate you as a user on the remote computer. The credentials and all other transmission are encrypted. Additional protection is provided by the UseSSL parameter of Invoke-Command, New-PSSession, and Enter-PSSession. This parameter uses HTTPS instead of HTTP and is designed for use with basic authentication, where passwords might be delivered in plain text. To support remoting, the following new cmdlets have been added:
- Invoke-Command
- Enter-PSSession
- Exit-PSSession
When running commands on multiple computers, be aware of differences between the remote computers, such as differences in operating systems, file system structure, and the system registry. For example, the default home folder is different depending on the version of Windows that is installed. This location is stored in the %homepath% environment variable ($env:homepath) and the Windows PowerShell $home variable. On Windows 7, if no home folder is assigned, the system assigns a default local home folder to the user account (on the root directory where the operating system files are installed as the initial version).
With W a PSSessio you can run a series of re on, n emote comman that share data, like func nds ctions, aliases, and th values of va he ariables. To run commands in a PSSession, use the Sessio parameter o the Invoken n on of Co ommand cmdlet. The follow wing command uses the Invo d oke-Command cmdlet to run a Get-Proces d n ss co ommand in the PSSession on the Server01 and Server02 computers. The command saves the proc n 1 2 cesses in a $p variable in each PSSessio on:
invoke-comma and -session $s -scriptblock {$p = ge et-process}
Be ecause the PSS Session uses a persistent con nnection, you c run another command in the same PS can SSession an use the $p variable. The f nd following command counts the number of processes sav in $p: f ved
invoke-command -session $s -scriptblock {$p.count}
To interrupt a command, press Ctrl+C. The interrupt request is passed to the remote computer, where it terminates the remote command.
Description: Determine whether the ComputerName parameter requires Windows PowerShell remoting.
Result: You see a statement similar to "This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter even if your computer is not configured to run remote commands."
You can also run a command in multiple PSSessions. The following commands create PSSessions on Server01, Server02, and Server03, and then run a Get-Culture command in each PSSession:
$s = new-pssession -computername Server01, Server02, Server03
invoke-command -session $s -scriptblock {get-culture}
To include the local computer in the list of computers, type the name of the local computer, a dot (.) or localhost. To help manage resources on the local computer, Windows PowerShell includes a per-command throttling feature that limits the number of concurrent remote connections established for each command. The default is 32 or 50 connections depending on the cmdlet. You can use the ThrottleLimit parameter to set a custom limit. The throttling feature is applied to each command and not to the entire session or to the computer. When you are running commands concurrently in several temporary or persistent connections, the number of concurrent connections is the sum of the concurrent connections in all sessions. To find cmdlets with a ThrottleLimit parameter, use the following script:
get-help * -parameter ThrottleLimit
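The whole session lifecycle that the preceding paragraphs describe (creating one PSSession for several computers including the local one, keeping state between commands, setting a throttle limit, and closing the sessions) is shown below as an added example; it is not code from the course, and the computer names are placeholders.

```powershell
# Added example (not from the course). Server01 and Server02 are placeholder
# names; localhost stands for the computer the script runs on.
$computers = 'Server01', 'Server02', 'localhost'

# One PSSession per computer. -ThrottleLimit caps how many connections this
# single command opens concurrently; it applies to this command only.
$s = New-PSSession -ComputerName $computers -ThrottleLimit 16

# Cmdlets that accept a throttle limit can be listed with the course's own line:
#   Get-Help * -Parameter ThrottleLimit

# First call stores data in each session. The variable lives on the remote side,
# one copy per session, not on the local computer.
Invoke-Command -Session $s -ScriptBlock { $p = Get-Process }

# Second call reuses that state. Each returned value carries a PSComputerName
# property that says which session produced it.
Invoke-Command -Session $s -ScriptBlock { $p.Count } |
    ForEach-Object { '{0}: {1} processes' -f $_.PSComputerName, $_ }

# State is per session: the same script block without -Session runs in a fresh
# temporary runspace on each computer, so $p is empty there and nothing is counted.
Invoke-Command -ComputerName $computers -ScriptBlock { $p.Count }

# Show which sessions are still open, then close them. Open sessions hold a
# runspace on the remote computer until they are removed or time out.
Get-PSSession | Select-Object Id, ComputerName, State
Remove-PSSession -Session $s
```

The contrast between the two Invoke-Command calls is the point: only the call that names the session sees $p, which is also why a script that forgets Remove-PSSession leaves remote runspaces, and whatever data they hold, alive on the target computers.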
The results of the script are returned to the local computer. By using the FilePath parameter, you do not need to copy any files to the remote computers. Some tasks performed by IT professionals that use Windows PowerShell 2.0 include:
Running a command on all computers to check if the anti-virus software service is stopped, and to automatically restart it if necessary.
Modifying the security rights on files or shares.
Opening a data file and passing the contents into a pre-formatted output file like an HTML page or Microsoft Office Excel spreadsheet.
Searching for specific information in Event Logs.
Remotely creating a System Restore point prior to troubleshooting.
Remotely querying for installed updates.
Editing the registry using transactions.
Remotely examining system stability data from the reliability database.
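The first and sixth tasks in the list above, run on many computers with the FilePath parameter mentioned earlier, are shown below as an added example that is not part of the course. The script file path C:\Scripts\Check-AvService.ps1 and the service name WinDefend are assumptions; substitute the service name of the anti-virus product in use.

```powershell
# Added example (not from the course). Save this file as
# C:\Scripts\Check-AvService.ps1 on the administrator's computer (path assumed).
# The default service name WinDefend is an assumption; pass your AV service name.
param(
    [string]$ServiceName = 'WinDefend'
)

# Check the anti-virus service on the computer this script is running on,
# and restart it if it is present but not running.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc -eq $null) {
    $state = 'missing'              # worth an alert: no AV service at all
} elseif ($svc.Status -ne 'Running') {
    Start-Service -Name $ServiceName
    $state = 'restarted'            # was stopped; restarted by this script
} else {
    $state = 'running'
}

# The five most recently installed updates give a quick patch-level picture.
$recent = Get-HotFix |
    Sort-Object -Property InstalledOn -Descending |
    Select-Object -First 5 -Property HotFixID

# One result object per computer; Invoke-Command adds PSComputerName to it.
New-Object PSObject -Property @{
    Computer      = $env:COMPUTERNAME
    AvService     = $ServiceName
    AvState       = $state
    RecentUpdates = ($recent | ForEach-Object { $_.HotFixID }) -join ','
}

# Run it from the administrator's computer against the fleet (placeholder names).
# The file stays local; -FilePath sends its contents to each remote computer:
#   Invoke-Command -ComputerName Server01, Server02 `
#       -FilePath C:\Scripts\Check-AvService.ps1 -ArgumentList 'WinDefend' |
#       Sort-Object AvState | Format-Table PSComputerName, AvState, RecentUpdates
```

Returning an object rather than writing text means the results from all computers arrive as one collection on the local computer, where they can be sorted and filtered, for example to list every computer whose state is "missing" or "restarted".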
Lesson 3
Because IT professionals need to create many Group Policy Objects (GPOs) that define a wide range of computer settings, Microsoft provides the Group Policy Object Editor and the Group Policy Management Console (GPMC) tools. These tools allow administrators to create and update GPOs. However, since there are thousands of possible computer settings, updating multiple GPOs can be time-consuming, repetitive, and error-prone. Prior to Windows 7, automating GPOs was limited to the management of the GPOs themselves. Accessing the GPMC application programming interfaces (APIs) also required the skill set of an application developer. Windows 7 addresses these issues in Windows PowerShell 2.0.
You can use Windows PowerShell to automate the management of GPOs and the configuration of registry-based settings. To help perform these tasks there are 25 cmdlets. You can use the Group Policy cmdlets to perform the following tasks for domain-based GPOs:
Maintain GPOs: GPO creation, removal, backup, and import.
Associate GPOs with Active Directory containers: Group Policy link creation, update, and removal.
Set inheritance flags and permissions on Active Directory organizational units and domains.
Configure registry-based policy settings and Group Policy Preferences Registry settings: update, retrieval, and removal.
Create and edit Starter GPOs.
Group Policy Requirements and Settings for Windows PowerShell 2.0
To use the Windows PowerShell Group Policy cmdlets, you must be running one of the following:
Windows Server 2008 R2 on a domain controller or on a member server that has the GPMC installed.
Windows 7 with RSAT installed. RSAT includes the GPMC and its cmdlets.
To run Windows PowerShell Group Policy cmdlets on a Windows 7 client computer, you must use the Import-Module grouppolicy command to import the Group Policy module. The module must be imported before you use the cmdlets: at the beginning of every script that uses them and at the beginning of every Windows PowerShell session. You can use the GPRegistryValue cmdlets to change registry-based policy settings and the GPPrefRegistryValue cmdlets to change registry preference items. For more information about the Group Policy cmdlets, use the Get-Help <cmdlet-name> and Get-Help <cmdlet-name> -detailed commands.
The following table displays the new group policy settings. These group policy settings allow you to specify whether Windows PowerShell scripts run before non-Windows PowerShell scripts during computer startup and shutdown, and user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts.

Setting name: Run Windows PowerShell scripts first at computer startup, shutdown
Location: Computer Configuration\Administrative Templates\System\Scripts\
Default value: Not Configured
Possible values: Not Configured, Enabled, Disabled
Description: This policy setting determines whether Windows PowerShell scripts will run before non-PowerShell scripts during computer startup and shutdown. By default, PowerShell scripts run after non-PowerShell scripts. If you enable this policy setting, within each applicable Group Policy object (GPO), PowerShell scripts will run before non-PowerShell scripts during computer startup and shutdown.

Location: Computer Configuration\Windows Settings\Scripts (Startup/Shutdown)\
Default value: Not Configured
Possible values: Not Configured, Run Windows PowerShell scripts first, Run Windows PowerShell scripts last

Location: Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\
Default value: Not Configured
Possible values: Not Configured, Run Windows PowerShell scripts first, Run Windows PowerShell scripts last

Location: User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\
Default value: Not Configured
Possible values: Not Configured, Run Windows PowerShell scripts first, Run Windows PowerShell scripts last

Location: User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\
Default value: Not Configured
Possible values: Not Configured, Run Windows PowerShell scripts first, Run Windows PowerShell scripts last
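The Group Policy cmdlet tasks listed in this lesson (GPO creation and backup, registry-based policy values, a Preferences registry item, and linking to a container) are shown together below as an added example; it is not code from the course. The GPO name, the OU distinguished name, the backup folder and the HKCU preference value are placeholders. The policy value itself, NoDriveTypeAutoRun under the Explorer policies key, is a real Windows setting that disables AutoRun on all drive types.

```powershell
# Added example (not from the course). GPO name, OU, backup path and the
# HKCU preference value are placeholders for your environment.
Import-Module GroupPolicy    # needed at the start of every script and session on Windows 7

$gpoName   = 'Workstation Hardening'
$targetOU  = 'OU=Workstations,DC=contoso,DC=com'
$backupDir = 'C:\GPOBackups'
$policyKey = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Reuse the GPO if it already exists so the script can be re-run safely.
try {
    $gpo = Get-GPO -Name $gpoName -ErrorAction Stop
} catch {
    $gpo = New-GPO -Name $gpoName -Comment 'Created by script'
}

# Registry-based policy setting: NoDriveTypeAutoRun = 0xFF disables AutoRun
# for every drive type, a common mitigation for removable-media malware.
Set-GPRegistryValue -Name $gpoName -Key $policyKey `
    -ValueName 'NoDriveTypeAutoRun' -Type DWord -Value 255 | Out-Null

# Read the value back to confirm what the GPO now carries.
Get-GPRegistryValue -Name $gpoName -Key $policyKey |
    Select-Object ValueName, Type, Value

# Group Policy Preferences registry item (a preference, not a policy):
# -Action Update creates the value if missing and updates it otherwise.
Set-GPPrefRegistryValue -Name $gpoName -Context User -Action Update `
    -Key 'HKCU\Software\Contoso' -ValueName 'HelpDeskPhone' `
    -Value '555-0100' -Type String | Out-Null

# Back the GPO up before linking, so its pre-link state can be restored.
New-Item -Path $backupDir -ItemType Directory -Force | Out-Null
Backup-GPO -Name $gpoName -Path $backupDir | Out-Null

# Link the GPO to the OU and enable the link; settings apply at next refresh.
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes
```

Policy values written with Set-GPRegistryValue land under the Policies keys and are enforced on every refresh, whereas the preference item written with Set-GPPrefRegistryValue can be changed by the user afterwards; that difference is why the AutoRun mitigation is set as a policy and only a help-desk phone number as a preference.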
10. Click Next.
11. Click Next and then click Close.
12. Log off of LON-VS1.
4. Type the password of Pa$$w0rd and then click Next.
5. Click Transfer to begin importing Don's profile.
6. Wait until the transfer completes.
7. Click Close.
8. Log off of LON-CL1.
Note: Steps 1 and 2 must be performed quickly to ensure that you are able to boot from the virtual DVD rather than the hard disk. If the operating system starts to boot because you do not complete the steps quickly enough, then click the Reset button in the virtual machine window to try again. You may want to take a snapshot of the virtual machine before attempting to boot from the DVD.
1. In the virtual machine window for 6292A-LON-CL2, click the Start button in the toolbar.
2. Click in the virtual machine window, and press a key when prompted to press a key to boot from CD or DVD.
3. At the command prompt, type ipconfig and then press ENTER. Verify that an IP address in the 10.10.0.0 range is assigned. This confirms that Windows PE obtained an IP address from the DHCP server.
4. At the command prompt, type the following command and then press ENTER: net use i: \\londc1\data /user:contoso\administrator Pa$$w0rd.
5. At the command prompt, type d: and press ENTER. This is the original C: drive on the reference computer.
6. At the command prompt, type dir and then press ENTER.
7. At the command prompt, type e: and press ENTER. This is a drive created in memory by Windows PE.
8. At the command prompt, type dir and then press ENTER.
9. At the command prompt, type imagex /capture d: i:\Reference.wim "Reference Image for Windows 7" /compress fast and then press ENTER.
10. At the command prompt, type the following command and then press ENTER: net use i: \\londc1\data /user:contoso\administrator Pa$$w0rd.
Task 5: Perform initial operating system configuration for the new computer
1. Restart LON-CL3 by closing the command prompt. Do not start from CD or DVD.
2. If prompted, select Start Windows normally and press ENTER. The computer will restart before asking for any input.
3. In the Set Up Windows box, click Next to accept the default country, time and currency format, and keyboard layout.
4. In the Type a user name box, type LocalAdmin.
5. In the Type a computer name box, type LON-CL3 and then click Next.
6. In the Type a password and Retype your password boxes, type Pa$$w0rd.
7. In the Type a password hint box, type Local Admin and then click Next.
8. Clear the Automatically activate Windows when I'm online checkbox and then click Next.
9. Select the I accept the license terms checkbox and then click Next.
10. Click Ask me later to delay the implementation of Windows updates.
11. Click Next to accept the default settings for time zone and date.
12. Click Work network to select your computer's current location.
13. Click Start, right-click Computer, and click Properties.
14. Under Computer name, domain, and workgroup settings, click Change settings.
15. In the System Properties window, click Change.
16. In the Computer Name/Domain Changes window, click Domain, type contoso.com, and then click OK.
17. Authenticate as Administrator with a password of Pa$$w0rd.
18. Click OK to close the welcome message.
19. Click OK to close the message about restarting.
20. In the System Properties window, click Close.
21. Click Restart Now.
2. At the DISKPART> prompt, type list disk, and press ENTER.
3. At the DISKPART> prompt, type select disk 2, and press ENTER.
4. At the DISKPART> prompt, type list partition, and press ENTER.
5. At the DISKPART> prompt, type select partition 1, and press ENTER.
6. At the DISKPART> prompt, type shrink desired=100, and press ENTER.
7. At the DISKPART> prompt, type exit, and press ENTER.
10. In the Selected list, click Disk 3, and in the Select the amount of space in MB box, type 150, and then click Next.
11. On the Assign Drive Letter or Path page, click Next.
12. On the Format Partition page, in the Volume label box, type Spanned, click Next, and then click Finish.
13. In the Disk Management dialog box, click Yes.
Note: These filenames enable you to identify them later as being 1 megabyte (MB) and 1 kilobyte (KB), respectively.
5. Close the Command Prompt window.
Task 3: Test the configured quotas by using a standard user account to create files
1. Log off, and then log on to the LON-CL1 virtual machine as contoso\Adam with a password of Pa$$w0rd.
2. Click Start, click Computer, and then double-click Striped (G:).
3. In the toolbar, click New Folder.
4. Type Adam's files, and then press ENTER.
5. In the file list, right-click 1mb-file and drag it to Adam's files, and then click Copy here.
6. Double-click Adam's files.
7. Right-click 1mb-file, and then click Copy.
8. Press CTRL+V four times.
9. In the Address bar, click Striped (G:).
10. In the file list, right-click 1kb-file and drag it to Adam's files, and then click Copy here.
11. Double-click Adam's files.
12. Right-click 1mb-file, and then click Copy.
13. Press CTRL+V four times.
14. Press CTRL+V again.
15. In the Copy Item dialog box, review the message, and then click Cancel.
10. In the Programs list, click Event Viewer.
11. In the Event Viewer (Local) list, expand Windows Logs, and then click System.
12. Right-click System, and then click Filter Current Log.
13. In the <All Event IDs> box, type 37, and then click OK.
14. Examine the listed entry.
15. Close all open windows.
10. Click Start, right-click Computer, and then click Manage.
11. In Computer Management, click Device Manager.
12. Expand Mice and other pointing devices, and then click Microsoft PS/2 Mouse.
13. Verify that you have successfully rolled back the driver.
14. Close Computer Management.
Exercise 1: Create and Configure a Public Shared Folder for All Users
Task 1: Create a folder
1. Log on to LON-CL1 as Contoso\Administrator with the password of Pa$$w0rd.
2. Click Start, click Computer, double-click Local Disk (C:).
3. Right-click in the empty space below the Name column, point to New, then click Folder.
4. Type Public in the folder name and then press ENTER.
10. Right-click in an empty space below the Name column, point to New, and then click Microsoft Office Excel Worksheet.
11. Type Personal Finances in the file name, and then press ENTER.
12. Right-click in an empty space below the Name column, point to New, and then click Microsoft Office Excel Worksheet.
13. Type Public Finances in the file name, and then press ENTER.
14. Right-click Personal Finances, click Properties.
15. Click the Security tab.
16. Click Advanced and review all inherited permissions.
17. Click Change Permissions.
18. Remove the check mark next to Include inheritable permissions from this object's parent, and then click Add when prompted.
19. Once again review all permissions. Notice that they are no longer inherited.
20. In Permission entries, click Terri Chudzik, then click Edit.
21. Uncheck all permissions under Allow, except the following: Traverse folder/execute file, List folder/read data, Read attributes, Read extended attributes, Read permissions. Click OK.
22. Click OK, and then click OK again. Click OK to close the Personal Finances Properties dialog box.
23. Right-click Public Finances, and click Properties.
24. Click the Security tab.
25. Click Advanced and review all inherited permissions.
26. Click OK, close all windows, and log off of LON-CL1.
11. Right-click the new printer, and then click Printer properties.
Clear the Validate settings, if changed, upon exit checkbox and then click OK to save the settings.
In the Local Area Connection 3 Properties window, click Close.
At the command prompt, type ipconfig /release and then press ENTER.
At the command prompt, type ipconfig /renew, and then press ENTER.
At the command prompt, type ipconfig /all, and then press ENTER.
What is the current IPv4 address? 10.10.11.1
11. To which IPv4 network does this host belong? 10.10.0.0
12. What kind of address is this? An alternate configuration address
13. Close the command prompt.
Click OK.
In the Local Area Connection 3 Properties window, click Close.
Close all open windows.
In the Internet Protocol Version 6 (TCP/IPv6) Properties window, click OK.
In the Local Area Connection 3 Properties window, click Close.
Requirement Overview
I would like to deploy wireless networks across all of the production plants in the UK, starting with the largest in Slough. Security is critical, and we must deploy the strongest security measures available. Some of our older computer equipment supports earlier wireless standards only. Cordless telephones are in use at the plants. Some of the production plants are located in busy trading districts with other commercial organizations located nearby; again, it is important that the Contoso network is not compromised.
Additional Information
What technical factors will influence the purchasing decision for the WAPs that Amy should consider?
Answers will vary, but should include at least the following points:
Coverage of a WAP
Use of overlapping coverage and the same Service Set Identifier (SSID)
Security options: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA)/Wi-Fi Protected Access version 2 (WPA2), 802.1x
Wireless technology: 802.11b or 802.11g
How many WAPs does Amy need to purchase?
Answers will vary, but how much area each WAP must cover is a consideration.
Where would you advise Amy to place the WAPs?
In the ceiling, to increase coverage area, and away from sources of interference, like generators or lift motors.
Which security measures will you recommend to Amy?
Answers will vary, but might include the strongest possible security measures.
Proposals
Answers will vary, but here is a suggested proposal:
Deploy only WAPs that support WPA2-Enterprise authentication, and use additional infrastructure to provide this authentication. This will involve deploying additional server roles in the Windows Server 2008 enterprise, specifically the Network Policy and Access Services role.
WAPs must support 802.11b because of the legacy hardware deployed at some of the production plants.
It is possible that interference from cordless telephones might be an issue, so the choice of WAP should consider the ability to support a range of channels and, depending on 802.11 modes, the frequencies.
Contoso Corporation Production Plant Wireless Network Requirements
The proximity of other businesses does pose a risk, and we must ensure accurate placement of hubs and directionality of antennae to mitigate this. So long as appropriate security is in place, the risk should be low. Again, support of enterprise (802.1X) authentication is critical here.
Incident Details
Intermittent connection problems from computers connecting to the Slough production department. Some users can connect to the Slough wireless access points from the parking lot.
Additional Information
How will you verify that these problems are occurring?
Attend the location with a laptop running Windows 7.
What do you suspect is causing these problems?
Answers will vary, but might include a WAP that has been misplaced or moved.
How will you rectify these problems?
Identify the current locations of the WAPs, and situate them accordingly.
Plan of action
Answers will vary, but here is a suggested proposal:
Check the placement of all WAPs to ensure that they are not adjacent to any forms of interference.
Note: It may take a few minutes for the Virus protection notification to appear.
5. Click the Action Center icon in the system tray. Notice that there is no message related to virus protection.
10. In the Local Users and Groups compatible with Local Group Policy list, click Non-Administrators, and then click OK.
11. In the Select Group Policy Object dialog box, click Finish.
12. In the Add or Remove Snap-ins dialog box, click OK.
13. In Console1 [Console Root], on the menu, click File, and then click Save.
14. In the Save As dialog box, click Desktop.
15. In the File name box, type Custom Group Policy Editor, and then click Save.
16. In Custom Group Policy Editor [Console Root], in the tree, expand Local Computer\Non-Administrators Policy.
17. Expand User Configuration, expand Administrative Templates, and then click Start Menu and Taskbar.
18. In the results pane, double-click Remove Music icon from Start Menu.
19. In the Remove Music icon from Start Menu dialog box, click Enabled, and then click OK.
20. In the results pane, double-click Remove Pictures icon from Start Menu.
21. In the Remove Pictures icon from Start Menu dialog box, click Enabled, and then click OK.
22. In Custom Group Policy Editor [Console Root], in the tree, expand Local Computer\Administrators Policy.
23. Expand User Configuration, expand Administrative Templates, and then click Start Menu and Taskbar.
24. In the results pane, double-click Remove Documents icon from Start Menu.
25. In the Remove Documents icon from Start Menu dialog box, click Enabled, and then click OK.
26. Log off of LON-CL1.
10. On the General tab, click Advanced.
11. Select the Encrypt contents to secure data check box, and then click OK.
12. In the Properties dialog box, click OK, and then in the Confirm Attribute Changes dialog box, click Apply changes to this folder, subfolders and files. Click OK.
13. Log off.
14. Log on to LON-CL1 as Contoso\Adam with a password of Pa$$w0rd.
15. Click Start, and then click Computer.
16. Double-click Local Disk (C:).
17. Double-click the Confidential folder.
18. Double-click Personal.
19. Click OK at all prompts and close the file.
20. Log off.
10. On the Conditions screen, select Path, and then click Next.
11. Click Browse Files, and then click Computer.
12. Double-click Local Disk (C:).
13. Double-click Program Files, then double-click Windows Media Player, and then select wmplayer and click Open.
14. Click Next.
15. Click Next again, then click Create.
16. Click Yes if prompted to create default rules.
17. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, and then expand Security Settings.
18. Expand Application Control Policies.
19. Click AppLocker, and then right-click and select Properties.
20. On the Enforcement tab, under Executable rules, click the Configured checkbox and select Enforce rules.
21. Click OK.
22. Click Start, in the Search programs and files box, type cmd, and then press ENTER.
23. In the Command Prompt window, type gpupdate /force and press ENTER. Wait for the policy to be updated.
24. Click Start, right-click Computer and click Manage.
25. Expand Services and Applications, and then click Services.
26. Right-click Application Identity service in the main window pane, then click Properties.
27. Set the Startup type to Automatic, and then click Start.
28. Click OK once the service starts.
29. Log off.
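The state that the steps above produce through the GUI can be verified from Windows PowerShell. The block below is an added example, not part of the lab: it asks the effective AppLocker policy what it would decide for wmplayer.exe, makes sure the Application Identity service (service name AppIDSvc) that enforces the rules is running, and reads back any block events. It assumes the AppLocker module shipped with Windows 7 and is run in an elevated session on the client.

```powershell
# Added example (not from the lab). Run elevated on the Windows 7 client after
# the AppLocker rule and enforcement setting have been applied.
Import-Module AppLocker

$exe = Join-Path $env:ProgramFiles 'Windows Media Player\wmplayer.exe'

# Effective policy = local plus domain AppLocker policy as this client sees it.
$policy = Get-AppLockerPolicy -Effective

# Ask the policy what it would decide for this file for a member of Everyone.
# PolicyDecision reports, for example, Allowed or Denied, and MatchingRule
# names the rule that produced the decision, so a wrong result points at its cause.
Test-AppLockerPolicy -PolicyObject $policy -Path $exe -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Rules are only enforced while the Application Identity service runs.
# If it is stopped, set it to start automatically and start it now (lab steps 26-28).
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    Set-Service -Name AppIDSvc -StartupType Automatic
    Start-Service -Name AppIDSvc
}

# Detection: event ID 8004 in the AppLocker "EXE and DLL" log is written for each
# executable that enforcement prevented from running. No events is not an error here.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If the test reports the file as allowed while the GUI shows the rule in place, the usual causes are that the default rules were not created (step 16) or that enforcement is still set to audit only (step 20); in audit mode the log records ID 8003 instead of 8004.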
Note: If the enforcement rule message does not display, wait for a few minutes and then retry step 2.
4. Log off.
Lab B: Configuring Windows Firewall, Internet Explorer 8 Security Settings, and Windows Defender
Exercise 1: Configuring and Testing Inbound and Outbound Rules in Windows Firewall
Lab Setup
Complete these tasks to set up the prerequisites for the lab:
1. Log on to LON-CL1 as Contoso\Administrator with the password of Pa$$w0rd.
2. Click Start, right-click Computer and then click Properties.
3. Click Advanced system settings.
4. Click the Remote tab.
5. Under Remote Desktop, select Allow connections from computers running any version of Remote Desktop (less secure) and then click OK.
6. Log off of LON-CL1.
10. Click System and Security.
11. Click Windows Firewall.
12. In the left window pane, click Advanced settings.
13. In Windows Firewall with Advanced Security, select Inbound Rules.
14. Review the existing inbound rules, and then right-click Inbound Rules and click New Rule.
15. On the Rule Type page of the New Inbound Rule wizard, select Predefined, then select Remote Desktop from the dropdown menu.
16. Click Next.
17. Select the Remote Desktop (TCP-In) rule, and then click Next.
18. Select Block the connection, then click Finish.
10. In the left window pane, click Advanced settings.
11. In Windows Firewall with Advanced Security, select Outbound Rules.
12. Review the existing outbound rules, then right-click Outbound Rules and click New Rule.
13. On the Rule Type page of the New Outbound Rule wizard, select Port, and then click Next.
14. Select TCP, and then select Specific remote ports and type 3389.
15. Click Next.
16. Select Block the connection, and then click Next.
17. Click Next.
18. Type Remote Desktop TCP 3389 in the Name field, and then click Finish.
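The same two Remote Desktop block rules that this exercise builds in the Windows Firewall with Advanced Security console (an inbound block on TCP 3389 and an outbound block on remote port 3389) can be created and checked from the shell. The block below is an added example and not part of the lab; it uses netsh advfirewall, which is what Windows 7 provides (the firewall cmdlets arrived in later Windows versions), and the rule names are my own. Run it from an elevated Windows PowerShell prompt.

```powershell
# Added example (not from the lab). Rule names are placeholders chosen without
# spaces so they pass through to netsh unchanged. Requires an elevated prompt.

function Add-BlockRule {
    param([string]$Name, [string]$Direction, [string]$PortKind, [int]$Port)
    # $Direction is in or out; $PortKind is localport (inbound) or remoteport (outbound)
    netsh advfirewall firewall add rule name=$Name dir=$Direction action=block protocol=TCP "$PortKind=$Port" | Out-Null
}

function Test-RuleEnabled {
    param([string]$Name)
    # 'show rule' prints "Enabled: Yes" for an active rule; no such line means
    # the rule is missing or disabled.
    $text = (netsh advfirewall firewall show rule name=$Name) -join "`n"
    return ($text -match 'Enabled:\s+Yes')
}

# Inbound: refuse RDP connections to this computer on TCP 3389 (lab steps 14-18).
Add-BlockRule -Name 'RDP-Block-In'  -Direction in  -PortKind localport  -Port 3389
# Outbound: stop this computer opening RDP sessions to any remote TCP 3389 (steps 12-18).
Add-BlockRule -Name 'RDP-Block-Out' -Direction out -PortKind remoteport -Port 3389

foreach ($rule in 'RDP-Block-In', 'RDP-Block-Out') {
    if (Test-RuleEnabled -Name $rule) { "$rule is active" } else { "$rule is missing or disabled" }
}

# Block rules take precedence over allow rules, so the predefined
# Remote Desktop (TCP-In) allow rule can stay in place and the connection still fails.
# Show the per-profile defaults to confirm the overall posture:
netsh advfirewall show allprofiles

# Clean-up once the test is over (commented out so the script is safe to re-run):
# netsh advfirewall firewall delete rule name=RDP-Block-In
# netsh advfirewall firewall delete rule name=RDP-Block-Out
```

Checking the rule state with Test-RuleEnabled after creation is the step the GUI does for you implicitly; in a script it catches the case where netsh refused the rule (for example when the prompt was not elevated) and the connection test that follows would otherwise succeed for the wrong reason.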
No.
5. Click OK.
6. Close the Remote Desktop Connection dialog box.
7. Log off of LON-CL1.
5. In the Which template would you like to use? box, click System Performance and then click Finish.
Task 3: Configure the data collector set schedule and stop condition
1. In the Performance Monitor window, right-click Bottleneck and click Properties.
2. Review the keywords listed on the General tab.
3. Click the Schedule tab and then click Add.
4. In the Beginning date box, verify that today's date is listed.
5. Select the Expiration date checkbox and then select a date one week from today.
6. In the Launch area, in the Start time box, select 1:05 pm.
7. Verify that all days of the week are selected and then click OK.
8. Click the Stop Condition tab.
9. In the Overall duration box, verify that 1 minute is selected.
10. In the Limits area, select the Maximum size checkbox, type 10 and then click OK.
10. Click Save settings and run backup.
11. When the backup is complete, close Backup and Restore.
5. Wait for the computer to restart and then log on as Contoso\Administrator with a password of Pa$$w0rd.
6. In the System Restore window, click Close.
Task 3: Verify that the automatic updates setting from the group policy is being applied
1. On LON-CL1, click Start, type gpupdate /force and then press ENTER.
2. Click Start and click Control Panel.
3. Click System and Security and then click Windows Update.
4. Click Change settings and review the available settings. Notice that you can no longer change the settings because they are being enforced by the group policy.
5. Click Cancel and then close the Windows Update window.
Note: If the policy setting does not apply, restart LON-CL1 and then repeat Task 3.
Incident Details
Don would like you to establish a sync partnership with his Windows Mobile device. Don needs the power options to be configured for optimal battery life when he is traveling. Don wants to enable remote desktop on his desktop computer in the office for his own user account so he can connect remotely to his desktop from his laptop. Don wants to be able to access documents from the head office and enable others at the plant to access those files without delay.
Additional Information
Don's laptop is running Windows 7 Enterprise. The Slough plant has no file server at present.
Resolution
1. You have synchronized the Windows Mobile device with Windows 7.
2. Don's laptop has an appropriate power plan.
3. Don's laptop has Remote Desktop enabled for Contoso\Don.
4. BranchCache Distributed Cache mode is configured and enabled on the Slough Plant shared folder. BranchCache was tested successfully from Don's computer.
10. In the results pane, click the Month tab, and then double-click tomorrow.
11. In the Untitled Event dialog box, in the Subject field, type Production department meeting.
12. In the Location field, type Conference room 1, and then click Save & Close.
13. If prompted with a reminder for the appointment, click Dismiss.
14. In Outlook, on the left, click Contacts.
15. On the menu, click New.
16. In the Untitled Contact dialog box, in the Full Name field, type Andrea Dunker.
17. In the Job title box, type IT Department, and then click Save & Close.
18. Close Outlook.
10. Update the resolution section of incident record 502509 with the information about the successful creation of a sync partnership.
On the Change settings for the plan: Don's plan page, click Cancel.
Task 3: Update the incident record with the power plan changes
1. Update the resolution section of incident record 502509 with the information about the successful configuration of a power plan for Don's laptop.
2. Close Power Options.
10. In the Select Users or Groups dialog box, in the Enter the object names to select (examples) box, type Don, click Check Names, and then click OK.
11. In the Remote Desktop Users dialog box, click OK.
12. In the System Properties dialog box, click OK.
13. Close all open windows.
11. Close all open windows.
12. Switch to the LON-CL1 virtual machine.
13. Notice that you have been logged off.
14. Log on as Contoso\Administrator with a password of Pa$$w0rd.
Task 3: Update the incident record with the remote desktop changes
Update the resolution section of incident record 502509 with the information about the successful configuration of Remote Desktop for Don's laptop.
5. Double-click Set BranchCache Distributed Cache mode, click Enabled, and then click OK.
6. Double-click Configure BranchCache for network files, click Enabled, under Options type 0, and then click OK.
7. Double-click Set percentage of disk space used for client computer cache, click Enabled, under Options, type 10, and then click OK.
8. Close Group Policy Management Editor.
9. Close Group Policy Management.
Task 8: Update the incident record with the remote desktop changes
Update the resolution section of incident record 502509 with the information about the successful configuration of BranchCache.