MICROSOFT LEARNING PRODUCT
6292A
Installing and Configuring Windows 7
Companion Content
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at
http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks
of the Microsoft group of companies. All other marks are property of their respective owners.
Module 1
Installing, Upgrading, and Migrating to Windows 7
Contents:
Lesson 1: Preparing to Install Windows 7
Lesson 1
Editions of Windows 7
Question 1: Which edition of Windows 7 might you choose in the following scenarios?
Scenario 1: There are a few users in your organization. Currently, you do not have a centralized file
server and all of the computers are not joined to a domain.
Scenario 2: Your organization has more than one hundred users who are located in several offices
across the country. In addition, you have several users that travel frequently.
Answer: Choose Windows 7 Professional for Scenario 1 and Windows 7 Enterprise for Scenario 2.
Scenario 1: For a business environment, choose either Windows 7 Professional or Windows 7
Enterprise. Windows 7 Home Premium, Windows 7 Home Basic, and Windows 7 Starter are targeted
for home users. Because you only have a few users, Windows 7 Professional will be the best fit.
Scenario 2: Choose Windows 7 Enterprise and take advantage of features such as BranchCache
and DirectAccess to increase the productivity of your mobile users.
Question 2: What is the difference between the Enterprise and the Ultimate edition of Windows 7?
Answer: There is no difference in terms of features between the Enterprise and Ultimate editions.
Windows 7 Enterprise is available through Microsoft Software Assurance with Volume Licensing and
Windows 7 Ultimate is available through the retail channel. There is no upgrade path between the
two.
Scenario 1: Your users have computers that are at least three years old and your organization plans to
deploy Windows 7 to many new computers.
Scenario 2: There are only a few users in your organization, their computers are mostly new, but they
have many applications installed and a lot of data stored in their computers.
Answer: The answers may vary. Your selection of the type of installation may not be decided by just
these factors. In general, it is recommended that you perform a clean installation followed by
migration of user settings and data. Avoid selecting upgrade, unless it only involves a few users or
computers. In Scenario 1, you may want to purchase new hardware for your organization, perform a
clean installation of Windows 7, and migrate the necessary user settings and data. In Scenario 2, you
may want to perform an in-place upgrade to Windows 7.
Lesson 2
The computer has more than one partition and needs to support a multiple-boot
configuration that uses Windows 7 and the current operating system.
A clean installation is the preferred installation method. Performing a clean installation ensures that
all of your systems begin with the same configuration and all applications, files, and settings are reset.
Solution
2.
3.
4. In the Computer name, domain, and workgroup settings area, click Change settings.
5. In the System Properties window, click the Change button. Note that the Network ID
button performs the same task with a wizard.
6.
7. Click OK.
8.
9.
Lesson 3
Lesson 4
2. Click Start, point to All Programs, click Microsoft Windows AIK, and then click Windows
System Image Manager.
3. In the Windows Image area, right-click Select a Windows image or catalog file and then click
Select Windows Image.
4.
Note: If a catalog file does not exist for this edition of Windows 7, then you will be prompted
to create a catalog file. The creation process takes several minutes. In this demonstration, you
are not prompted to create a catalog file because it has already been created for you.
5. In the Answer File area, right-click Create or open an answer file, and then click New Answer
File.
6. In the Windows Image area, expand Components and scroll down and expand
x86_Microsoft-Windows-Setup. This group of settings is primarily used in the windowsPE stage of an
unattended installation. Notice that it includes Disk Configuration.
7. Expand UserData and right-click ProductKey. Notice that this setting can only be applied in the
windowsPE stage. This is used for an unattended installation where Windows 7 is installed from
the install.wim file on the Windows 7 installation DVD.
8. Scroll down and click x86_Microsoft-Windows-Shell-Setup. Notice that the option for the
product key is available here and shown in the Properties area.
9.
10. In the Microsoft-Windows-Shell-Setup Properties area, in the ProductKey box, type
11111-22222-33333-44444-55555 and press Enter. Placing a product key in this answer file prevents
the need to enter the product key during the installation of a new image.
11. Close Windows System Image Manager and do not save any changes.
Note: For more information, please refer to Windows SIM Technical Reference at
http://go.microsoft.com/fwlink/?LinkID=154216.
2. Click Start, point to All Programs, click Microsoft Windows AIK, and then click
Deployment Tools Command Prompt.
3. At the command prompt, type copype.cmd amd64 E:\winpe_amd64 and press Enter. This
command copies the necessary files to the E:\winpe_amd64 folder. If the folder does not exist, it
is created.
4.
5.
Note: For more information on copype, copy, and oscdimg, refer to:
http://go.microsoft.com/fwlink/?LinkID=154217
http://go.microsoft.com/fwlink/?LinkID=154218
http://go.microsoft.com/fwlink/?LinkID=154219
2. Click Start, point to All Programs, click Microsoft Windows AIK, and then click Deployment
Tools Command Prompt.
3. At the command prompt, type dism and press Enter. This displays help information for the
command.
4.
5.
6. When the image mounting is complete, at the command prompt, type
dism /get-mountedwiminfo and press Enter. This displays information about the mounted image. Notice
that an index number is displayed instead of the name.
7.
8. At the command prompt, type dir and press Enter. You can see the installation files for
Windows 7 ENTERPRISE and modify them.
9.
10. At the command prompt, type dism /image:C:\img /? and press Enter. This displays the
available options for servicing an image such as adding a driver or adding a feature.
11. At the command prompt, type dism /image:C:\img /add-driver
/driver:E:\LabFiles\Mod01\vx6000\vx6000.inf and press Enter. This adds the driver for the
VX6000 Lifecam to the image so that it is available for all computers configured with this image.
12. At the command prompt, type dism /unmount-wim /mountdir:C:\img /discard and press
Enter. Use the /commit option to save changes.
13. Close all open windows.
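The servicing sequence from this demonstration as one script that commits the image only when the driver was accepted and discards it otherwise. This is an added example, not part of the courseware: WIM_FILE and INDEX are placeholders because the mount step did not survive on this page, and the /get-wiminfo and /get-drivers checks and the error handling are additions to the page's steps.

```batch
@echo off
rem Added example (not courseware content). Run from an elevated
rem Deployment Tools Command Prompt.
setlocal

rem WIM_FILE and INDEX are placeholders; set them for your own image.
set "WIM_FILE=E:\path\to\install.wim"
set "INDEX=1"
rem Mount directory and driver path are the ones used in the steps above.
set "MOUNT_DIR=C:\img"
set "DRIVER_INF=E:\LabFiles\Mod01\vx6000\vx6000.inf"

if not exist "%MOUNT_DIR%" mkdir "%MOUNT_DIR%"

rem List the images in the WIM so INDEX can be matched to an edition name.
dism /get-wiminfo /wimfile:"%WIM_FILE%"
if errorlevel 1 goto :nomount

rem Mount the chosen image for offline servicing.
dism /mount-wim /wimfile:"%WIM_FILE%" /index:%INDEX% /mountdir:"%MOUNT_DIR%"
if errorlevel 1 goto :nomount

rem Add the driver package. For x64 images DISM rejects unsigned driver
rem packages unless /forceunsigned is passed; this script never passes it,
rem so an unsigned package ends in the discard path below.
dism /image:"%MOUNT_DIR%" /add-driver /driver:"%DRIVER_INF%"
if errorlevel 1 goto :discard

rem List the third-party drivers now staged in the image for review.
dism /image:"%MOUNT_DIR%" /get-drivers
if errorlevel 1 goto :discard

rem Save the change. The demonstration uses /discard here instead.
dism /unmount-wim /mountdir:"%MOUNT_DIR%" /commit
if errorlevel 1 goto :discard
echo Driver added and image committed.
exit /b 0

:discard
echo Servicing failed. Discarding changes to the mounted image.
dism /unmount-wim /mountdir:"%MOUNT_DIR%" /discard
exit /b 1

:nomount
echo Could not read or mount "%WIM_FILE%".
exit /b 1
```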
Lesson 5
Troubleshooting Tips
Evaluate system requirements and application compatibility before upgrading the operating
system.
When capturing an image, use the ImageX /flags option to create the metadata to apply to the
image.
Tools
Tool
Use for
Where to find it
Windows Setup
Windows Upgrade
Advisor
Microsoft Assessment
and Planning Toolkit
Windows Easy
Transfer
Windows Automated
Installation Kit
(Windows AIK)
Windows AIK
Windows SIM
Windows AIK
ImageX
Windows AIK
Windows PE
Sysprep
Windows AIK
Diskpart
Windows 7
WDS
DISM
Application
Compatibility Toolkit
Compatibility
Administrator Tool
ACT
Module 2
Configuring Disks and Device Drivers
Contents:
Lesson 1: Partitioning Disks in Windows 7
Lesson 1
2. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then
click Run as administrator.
3.
4. At the DISKPART> prompt, type list disk and then press ENTER.
5. At the DISKPART> prompt, type select disk 2 and then press ENTER.
6. At the DISKPART> prompt, type convert gpt and then press ENTER.
7.
2.
3.
In the Initialize Disk dialog box, click GPT (GUID Partition Table) and then click OK.
2.
3.
Lesson 2
If necessary, on LON-CL1 click Start, right-click Computer, and then click Manage.
2.
3. In Disk Management on Disk 2, right-click Unallocated and then click New Simple Volume.
4.
5. On the Specify Volume Size page, in the Simple volume size in MB box, type 100 and then
click Next.
6.
7. On the Format Partition page, in the Volume label box, type Simple, click Next, and then
click Finish.
If necessary, click Start, point to All Programs, click Accessories, right-click Command Prompt,
and then click Run as administrator.
2.
3. At the DISKPART> prompt, type list disk and then press ENTER.
4. At the DISKPART> prompt, type select disk 3 and then press ENTER.
5. At the DISKPART> prompt, type create partition primary size=100 and then press ENTER.
6. At the DISKPART> prompt, type list partition and then press ENTER.
7. At the DISKPART> prompt, type select partition 2 and then press ENTER.
8. At the DISKPART> prompt, type format fs=ntfs label=simple2 quick and then press ENTER.
9.
On LON-CL1 in Disk Management on Disk 2, right-click Unallocated and then click New
Spanned Volume.
2.
3. On the Select Disks page, in the Select the amount of space in MB box, type 100.
4. In the Available list, click Disk 3 and then click Add >.
5. In the Selected list, click Disk 3, and in the Select the amount of space in MB box, type 250
and then click Next.
6.
7. On the Format Partition page, in the Volume label box, type Spanned, click Next and then
click Finish.
8.
In Disk Management, right-click Disk 2 and then click New Striped Volume.
2.
3. On the Select Disks page, in the Available list, click Disk 3 and then click Add >.
4. On the Select Disks page, in the Select the amount of space in MB box, type 512 and then
click Next.
5.
6. On the Format Partition page, in the Volume label box, type Striped, click Next, and then
click Finish.
2. At the DISKPART> prompt, type list disk, and then press ENTER.
3. At the DISKPART> prompt, type select disk 2, and then press ENTER.
4. At the DISKPART> prompt, type list volume, and then press ENTER.
5. At the DISKPART> prompt, type select volume 6, and then press ENTER.
6. At the DISKPART> prompt, type shrink desired = 50, and then press ENTER.
7.
8.
2.
3. In the Select the amount of disk space in MB box, type 50, click Next, and then click Finish.
4.
Lesson 3
2.
3. In the Striped (I:) Properties dialog box, click the Quota tab.
4. On the Quota tab, select the Enable quota management check box.
5. Select the Deny disk space to users exceeding quota limit check box.
6. Click Limit disk space to, in the adjacent box type 6, and then in the KB list, click MB.
7. In the Set warning level to box, type 4, and then in the KB list click MB.
8. Select the Log event when a user exceeds their warning level check box and then click OK.
9. In the Disk Quota dialog box, review the message and then click OK.
2.
3. At the command prompt, type fsutil file createnew 2mb-file 2097152 and then press ENTER.
4. At the command prompt, type fsutil file createnew 1kb-file 1024 and then press ENTER.
5.
Test the configured quotas by using a standard user account to create files
1. Log off and then log on to the LON-CL1 virtual machine as Contoso\Alan with a password of
Pa$$w0rd.
2.
3.
4.
5. In the file list, right-click 2mb-file, drag it to Alan's files, and then click Copy here.
6.
7.
8. Press CTRL+V.
9.
10. In the file list, right-click 1kb-file, drag it to Alan's files, and then click Copy here.
11. Double-click Alan's files.
12. Right-click 2mb-file and then click Copy.
Log off and then log on to the LON-CL1 virtual machine as Contoso\Administrator with a
password of Pa$$w0rd.
2.
3.
4. In the Striped (I:) Properties dialog box, click the Quota tab and then click Quota Entries.
5. In the Quota Entries for Striped (I:), in the Logon Name column, double-click Contoso\Alan.
6. In the Quota Settings for Alan Brewer (CONTOSO\alan) dialog box, click OK.
7.
8.
9.
Lesson 4
2.
3. Use the -a parameter along with the path to the driver and name of the driver to perform
the addition to the driver store.
4. Make note of the newly assigned driver name, including the number.
2.
3. Expand Keyboards, right-click Standard PS/2 Keyboard, and then click Update Driver
Software.
4. In the Update Driver Software - Standard PS/2 Keyboard dialog box, click Browse my
computer for driver software.
5. On the Browse for driver software on your computer page, click Let me pick from a list of
device drivers on my computer.
6. In the Show compatible hardware list, click PC/AT Enhanced PS/2 Keyboard (101/102 Key)
and then click Next.
7. Click Close.
8. In the System Settings Change dialog box, click Yes to restart the computer.
2.
3.
4. Expand Keyboards, right-click PC/AT Enhanced PS/2 Keyboard (101/102 Key) and then click
Properties.
5. In the PC/AT Enhanced PS/2 Keyboard (101/102 Key) Properties dialog box, click the Driver
tab.
6.
7.
8. Click Close, and then in the System Settings Change dialog box, click Yes to restart the
computer.
9.
Click Start, point to All Programs, click Accessories, and then right-click Command Prompt.
2.
3.
4.
5. In the Command Prompt, type pnputil -e, and then press ENTER. Take note of the driver
version and date for the driver you just installed into the store.
assign
Question 3: Your organization has recently configured Windows Update to automatically update the
Accounting department's computers at 03:00. This conflicts with the weekly defragmentation of the
computers on Wednesday mornings. You must reconfigure the scheduled defragmentation task to occur
at midnight on Tuesdays instead. List the steps to modify the defragmentation schedule.
Answer: Follow these steps to modify the defragmentation schedule:
1. Right-click the volume in Windows Explorer, click Properties, click the Tools tab, and then click
Defragment Now.
2.
3. In the Disk Defragmenter: Modify Schedule window, change Choose day to Tuesday, and
change Choose time to 12:00 AM (midnight). Click OK.
4. Click Close on the Disk Defragmenter window, and OK on the Properties window.
Question 4: You recently upgraded to Windows 7 and are experiencing occasional problems with the
shortcut keys on your keyboard. Describe the first action you might take to resolve the issue and list
the steps to perform the action.
Answer:
1. Update the device driver for the keyboard. To manually update the driver used for the keyboard,
follow these steps in Device Manager:
2.
3.
4.
Common issues
Identify the causes for the following common issues and fill in the troubleshooting tips. For answers, refer
to relevant lessons in the module and the course companion CD content.
Issue
Troubleshooting tip
Once a quota is created, you can export it and then import it for
a different volume. In addition to establishing quota settings on
an individual computer by using the methods outlined above,
you can also use Group Policy settings to configure quotas. This
enables administrators to configure multiple computers with the
same quota settings.
Best practices
Supplement or modify the following best practices for your own work situations:
Every time a change is made to a computer, record it. It can be recorded in a physical notebook
attached to the computer, or in a spreadsheet or database available on a centralized share that is
backed up nightly.
If you keep a record of all changes made to a computer, you can trace the changes to
troubleshoot problems and offer support professionals correct configuration information. The
Reliability Monitor can be used to track changes to the system such as application installs or
uninstalls.
When deciding what type of volume to create, consider the following questions:
If the computer became unbootable, what will be the impact on your business?
Task
Reference
http://go.microsoft.com/fwlink/?LinkId=64100
http://go.microsoft.com/fwlink/?LinkId=153231
Create partitions or
volumes
http://go.microsoft.com/fwlink/?LinkId=64106
http://go.microsoft.com/fwlink/?LinkId=64107
http://go.microsoft.com/fwlink/?LinkId=143990
http://go.microsoft.com/fwlink/?LinkId=14507
http://go.microsoft.com/fwlink/?LinkId=64101
http://go.microsoft.com/fwlink/?LinkId=64104
http://go.microsoft.com/fwlink/?LinkId=64105
Overview of Disk
Management
http://go.microsoft.com/fwlink/?LinkId=64098
Performance tuning guidelines
http://go.microsoft.com/fwlink/?LinkId=121171
Windows 7 Springboard
Series
http://go.microsoft.com/fwlink/?LinkId=147459
Windows Device
Experience
http://go.microsoft.com/fwlink/?LinkId=132146
http://go.microsoft.com/fwlink/?LinkId=153231
Tools
Tool
Use for
Where to find it
Defrag.exe
Command Prompt
Device Manager
Control Panel
Device Stage
Taskbar
Devices and
Printers
Control Panel
In Windows Explorer,
right-click a volume, click
Properties, click the Tools
tab, and then click
Defragment Now.
Disk Management
Diskpart.exe
Disk
Defragmenter
Fsutil.exe
Command Prompt
(elevated)
Pnputil.exe
Command Prompt
(elevated)
Quota Settings
In Windows Explorer,
right-click a volume, click
Properties, click Quota,
and then click Show
Quota Settings.
File Signature
Verification
(Sigverif.exe)
Start menu
Volume Shadow
Copy Service
(Vssadmin.exe)
Command Prompt
(elevated)
Windows Update
Online
Definition
Basic disk
A disk initialized for basic storage. A basic disk contains basic volumes, such as
primary partitions, extended partitions, and logical drives.
Dynamic disk
A disk initialized for dynamic storage. A dynamic disk contains dynamic volumes,
such as simple volumes, spanned volumes, striped volumes, mirrored volumes, and
RAID-5 volumes.
Volume
A storage unit made from free space on one or more disks. It can be formatted with
a file system and assigned a drive letter. Volumes on dynamic disks can have any of
the following layouts: simple, spanned, mirrored, striped, or RAID-5. All volumes on a
physical disk must be either basic or dynamic, and each disk must be partitioned.
You can view the contents of a volume by clicking its icon in Windows Explorer or in
My Computer. A single hard disk can have multiple volumes, and volumes can also
span multiple disks.
System volume
The disk volume that contains the hardware-specific files that are needed to start
Windows. On x86 computers, the system volume must be a primary volume that is
marked as active. This requirement can be fulfilled on any drive on the computer
that the system BIOS searches when the operating system starts. The system volume
can be the same volume as the boot volume; this configuration is not required.
Boot volume
The disk volume that contains the Windows operating system files and the
supporting files. The boot volume can be the same volume as the system volume;
this configuration is not required. There is one boot volume for each operating
system in a multi-boot system.
Partition
Disk partitioning
The process of dividing the storage on a physical disk into manageable sections that
support the requirements of a computer operating system.
Logical Block Address (LBA)
A method of expressing a data address on a storage medium. Used with SCSI and
IDE disk drives to translate specifications of the drive into addresses that can be used
by enhanced BIOS. LBA is used with drives that are larger than 528MB.
Module 3
Configuring File Access and Printers on Windows 7 Clients
Contents:
Lesson 1: Overview of Authentication and Authorization
Lesson 1
Log on to computers.
Lesson 2
Question 2: The Users group has Read permission for Folder1. The Sales group has Write permission
for Folder2. What permissions does User1 have for File2?
Answer: User1 has Read and Write permissions for File2, because User1 is a member of the Users
group, which has Read permission for Folder1, and the Sales group, which has Write permission for
Folder2. File2 inherits permissions from both Folder2 and Folder1.
Question 3: The Users group has Modify permission for Folder1. File2 is accessible only to the Sales
group, and they are only able to read File2. What do you do to ensure that the Sales group has only
Read permission for File2?
Answer: Prevent permissions inheritance for Folder2 or File2. Remove the permissions for Folder2 or
File2 that Folder2 has inherited from Folder1. Grant only Read permission to the Sales group for
Folder2 or File2.
2. Click Start, click Computer, and then double-click Local Disk (C:).
3.
4.
5.
6. Right-click an empty space in the Name column, point to New, and then click Microsoft Office
Word Document.
7.
2. In the Deliverables Properties dialog box, on the Security tab, click Edit.
3.
4. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the
object names to select (examples) box, type Contoso\Adam, click Check Names, and then
click OK.
5.
6. In the Permissions for Deliverables dialog box, next to Write, select the Allow check box and
then click OK.
7.
2. In the Deliverables Properties dialog box, on the Security tab, click Edit.
3.
4. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the
object names to select (examples) box, type Contoso\Martin, click Check Names, and then
click OK.
5.
6. In the Permissions for Deliverables dialog box, next to Modify, select the Deny check box and
then click OK.
7.
8.
In the Project Documents folder, right-click Deliverables and then click Properties.
2. In the Deliverables Properties dialog box, on the Security tab, click Advanced.
3. In the Advanced Security Settings for Deliverables dialog box, on the Effective Permissions
tab, click Select.
4. In the Select User, Computer, Service Account or Group dialog box, type Contoso\Martin,
click Check Names, and then click OK.
5.
6. In the Advanced Security Settings for Deliverables dialog box, on the Effective Permissions
tab, click Select.
7. In the Select User, Computer, Service Account or Group dialog box, type Contoso\Adam,
click Check Names, and then click OK.
8. Verify that all attributes are selected except for Full control, Change permissions, and Take
ownership.
9. In the Advanced Security Settings for Deliverables dialog box, click OK.
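The Allow and Deny entries from this demonstration, and the inheritance fix from Question 3, applied with icacls so that the change is scripted, reviewable, and reversible. This is an added example, not courseware content: the folder path C:\Project Documents\Deliverables, the backup file name, and the File2 path are assumptions, and Contoso\Sales stands for the Sales group named in the question.

```batch
@echo off
rem Added example (not courseware content). Run from an elevated Command
rem Prompt on the domain-joined lab computer.
setlocal

rem TARGET, BACKUP and FILE2 are assumed names for illustration.
set "TARGET=C:\Project Documents\Deliverables"
set "BACKUP=%TEMP%\deliverables-acl.txt"
set "FILE2=C:\Folder1\Folder2\File2"

rem 1. Save the current DACL before changing it. The saved file stores the
rem    folder name relative to its parent, so a restore is run against the
rem    parent folder:  icacls "C:\Project Documents" /restore <backup file>
icacls "%TARGET%" /save "%BACKUP%"
if errorlevel 1 goto :fail

rem 2. Allow Write for Adam. (OI)(CI) applies the entry to this folder,
rem    subfolders and files, which is what the Security tab does by default.
icacls "%TARGET%" /grant "Contoso\Adam:(OI)(CI)W"
if errorlevel 1 goto :fail

rem 3. Deny Modify for Martin. An explicit Deny is evaluated before any
rem    Allow, so it wins even if one of Martin's groups is allowed Modify.
icacls "%TARGET%" /deny "Contoso\Martin:(OI)(CI)M"
if errorlevel 1 goto :fail

rem 4. Print the resulting ACL. Entries marked (I) are inherited from the
rem    parent; entries marked (DENY) are the deny entries just added.
icacls "%TARGET%"
if errorlevel 1 goto :fail

rem 5. Question 3 pattern, only if the hypothetical File2 exists:
rem    /inheritance:r removes every inherited entry from File2, then
rem    /grant:r leaves Sales with Read as the only explicit entry.
if not exist "%FILE2%" goto :done
icacls "%FILE2%" /inheritance:r
if errorlevel 1 goto :fail
icacls "%FILE2%" /grant:r "Contoso\Sales:R"
if errorlevel 1 goto :fail
icacls "%FILE2%"

:done
echo Permissions applied. Previous ACL saved to "%BACKUP%".
exit /b 0

:fail
echo icacls reported an error. Review the ACL and restore from "%BACKUP%" if needed.
exit /b 1
```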
Lesson 3
Lesson 4
2.
3.
4.
5.
6.
7.
In the Project Documents folder, right-click Compressed Files and then click Properties.
2.
3. Select the Compress contents to save disk space check box and then click OK.
4.
Click Start, and in the Search programs and files box, type C:\Program Files\Microsoft
Office\CLIPART\PUB60COR and then press ENTER.
2. Select the following files, right-click on them, and then click Copy:
AG00004_
3.
AG00011_
4.
5.
6.
7.
8.
9. Click Advanced.
10. Click Cancel and then click Cancel again to close the properties dialog box.
2.
3.
4.
5. Right-click the Taskbar and then click Show Windows Side by Side.
6. In the Compressed Files folder, drag AG00004_ to the Uncompressed Files folder.
In the Compressed Files folder, right-click and then drag AG00011_ to the Uncompressed Files
folder.
2.
2.
3.
4. Right-click Uncompressed Files, click Send To, and then click Compressed (zipped) Folder.
5.
6.
7.
8.
9. Click the left arrow in the menu bar to go back to the Project Documents folder.
10. Right-click Zipped Data and then drag it to the Compressed Files folder.
11. Click Copy Here.
12. Double-click Compressed Files.
13. Close all open windows.
Lesson 5
Managing Printing
Contents:
Detailed Demo Steps
On LON-CL1, click Start, click Control Panel, and then click View devices or printers.
2.
3.
4. On the Choose a printer port page, in the Use an existing port list, click LPT1: (Printer Port)
and then click Next.
5. On the Install the printer driver page, in the Manufacturer list, click Epson, and in the Printers
list, click Epson Stylus Photo RX630 (M) and then click Next.
6.
7. On the Printer Sharing page, accept the defaults and click Next.
8.
In Devices and Printers, right-click Epson Stylus Photo RX630 (M) and then click Printer
properties.
2.
3. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the
object names to select (examples) box, type Contoso\IT, click Check Names, and then click
OK.
4.
5. In the Permissions for IT dialog box, next to Manage this printer, select the Allow check box.
6. In the Permissions for IT dialog box, next to Manage documents, select the Allow check box
and then click Apply.
7.
8.
9.
Manage documents
The Printer Properties dialog box also included the following printer options that can be maintained.
Location
Printer Option
General tab
Ports tab
Advanced
tab
Advanced
tab
Advanced
tab
Advanced
tab
When setting up a computer, you are required to create a user account. This account is an
administrator account used to set up your computer and install any required programs.
Once you are finished setting up the computer, it is recommended to use a standard user
account for your daily computing.
It is safer to use a standard user account instead of an administrator account because it can
prevent users from making changes that affect everyone who uses the computer, especially if
your user account logon credentials are stolen.
Assigning ownership of a file or folder might require elevating your permissions through
User Access Control.
To simplify the assignment of permissions, you can grant the Everyone group Full Control share
permission to all shares and use only NTFS permissions to control access. Restrict share
permissions to the minimum required to provide an extra layer of security in case NTFS
permissions are configured incorrectly.
When permissions inheritance is blocked, you have the option to copy existing permissions or
begin with blank permissions. If you only want to restrict a particular group or user, then copy
existing permissions to simplify the configuration process.
If the guest user account is enabled on your computer, the Everyone group includes anyone. In
practice, remove the Everyone group from any permission lists and replace it with the
Authenticated Users group.
Using a firewall other than that supplied with Windows 7 can interfere with the Network
Discovery and file-sharing features.
Tools
Use the following Command Prompt tools to manage file and printer sharing.
Tool
Description
Net share
Net use
Cacls.exe
Configure NTFS file and folder permissions from the Command Prompt
Compact.exe
Pnputil.exe
Module 4
Configuring Network Connectivity
Contents:
Lesson 1: Configuring IPv4 Network Connectivity
Lesson 1
16.16.254
b.
16.18.5
c.
168.1.1
d.
255.255.254
Answer: A and B.
2. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
3. At the command prompt, type ipconfig /all and then press ENTER. This displays the
configuration for all network connections on the computer.
4.
5.
6. Under Network and Internet, click View network status and tasks.
7. In Network and Sharing Center, to the right of the Contoso.com Domain network, click Local
Area Connection 3. (Note: The local Area Connection number may be different in some cases.)
8. In the Local Area Connection 3 Status window, click Details. This window shows the same
configuration information for this adapter as the ipconfig command.
9.
10. In the Local Area Connection 3 Status window, click Properties. This window allows you to
configure protocols.
11. Click Internet Protocol Version 4 (TCP/IPv4) and then click Properties. You can configure the
IP address, subnet mask, default gateway and DNS servers in this window.
12. Click Advanced. The Advanced TCP/IP Settings window allows you to configure additional
settings such as additional IP addresses, DNS settings, and WINS servers for NetBIOS name
resolution.
13. Close all open windows without modifying any settings.
Lesson 2
2. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
3. At the command prompt, type ipconfig /all and then press ENTER. This displays all network
connections for the computer. Notice that a link-local IPv6 address has been assigned.
4.
5.
6. Under Network and Internet, click View network status and tasks.
7. In Network and Sharing Center, to the right of the Contoso.com Domain network, click Local
Area Connection 3.
Note: The local Area Connection number may be different in some cases.
8. In the Local Area Connection 3 Status window, click Details. This window shows the same
configuration information for this adapter as the ipconfig command.
9.
10. In the Local Area Connection 3 Status window, click Properties. This window allows you to
configure protocols.
11. Click Internet Protocol Version 6 (TCP/IPv6) and then click Properties. You can configure the
IPv6 address, subnet prefix length, default gateway, and DNS servers in this window.
12. Click Use the following IPv6 address and enter the following:
13. Click Advanced. The Advanced TCP/IP Settings window allows you to configure additional
settings such as additional IP addresses and DNS settings.
14. In the Advanced TCP/IP Settings window, click Cancel.
15. In the Internet Protocol Version 6 (TCP/IPv6) Properties window, click OK.
16. In the Local Area Connection 3 Properties window, click Close.
17. In the Local Area Connection 3 Status window, click Details. Verify that the new IPv6 address
has been added.
18. Close all open windows.
Lesson 3
2. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
3. At the command prompt, type ipconfig /all and then press ENTER. This displays all network
connections for the computer.
4.
5.
6. Under Network and Internet, click View network status and tasks.
7. In Network and Sharing Center, to the right of the Contoso.com Domain network, click Local
Area Connection 3.
8. In the Local Area Connection 3 Status window, click Properties. This window allows you to
configure protocols.
9.
10. Click Obtain an IP address automatically. Notice that the Alternate Configuration tab
becomes available when you do this.
11. Click Obtain DNS server address automatically.
12. Click the Alternate Configuration tab. Configuration information on this tab is used when no
DHCP server is available.
13. Click OK to save the changes.
14. In the Local Area Connection 3 Properties window, click Close.
15. In the Local Area Connection 3 Status window, click Details. Notice that DHCP is enabled and
the IP address of the DHCP server is displayed.
16. Close all open windows.
Lesson 5
2. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
3. At the command prompt, type ipconfig /all and then press ENTER. This displays all network
connections for the computer. This shows all network adapter configuration information.
4. At the command prompt, type ipconfig /displaydns and then press ENTER. This displays the
contents of the DNS cache.
5. At the command prompt, type ipconfig /flushdns and then press ENTER. This clears the
contents of the DNS cache.
6. At the command prompt, type ping 127.0.0.1 and then press ENTER. This pings the local host.
7. At the command prompt, type ping 10.10.0.10 and then press ENTER. This verifies connectivity
to LON-DC1 by using an IPv4 address.
8. At the command prompt, type ping LON-DC1 and then press ENTER. This verifies connectivity
to LON-DC1 by using a host name.
9. At the command prompt, type nslookup -d1 LON-DC1 and then press ENTER. This provides
detailed information about the host name resolution. You can use the -d2 option for even more
detail.
Troubleshooting tip
Tools
You can use the following tools to troubleshoot network connectivity issues.
Tool | Description
Network and Sharing Center | The Network and Sharing Center informs you about your network and verifies whether your PC can successfully access the Internet; then, it summarizes this info in the form of a Network Map.
Netsh.exe | A command that you can use to configure network properties from the command-line.
Pathping.exe | A command-line tool that combines the functionality of Ping and Tracert, and that you can use to troubleshoot network latency and provide information about path data.
Nslookup.exe | A command-line tool that you can use to test and troubleshoot DNS and name resolution issues.
IPConfig.exe |
Ping.exe | A basic command-line tool that you can use for verifying IP connectivity.
Tracert.exe |
Module 5
Configuring Wireless Network Connections
Contents:
Lesson 2: Configuring a Wireless Network
Lesson 2
1. Click Start and then click Network to view a list of devices available.
2. Right-click the wireless AP and click View device webpage to configure the device.
3. Enter the required credentials. These usually come from the device's manufacturer. It is
recommended to change these credentials after the initial configuration of the wireless AP.
4. Click Wireless Settings. This is a Netgear router. Note that other devices may have different
administrative interfaces, but they contain similar settings.
5. Enter ADATUM in Name (SSID) to change the default SSID to something relevant to your
organization.
6. You can change the channel to avoid interference from other devices.
7. Select g only for mode to configure the 802.11 mode. If you have older 802.11b devices, you
can enable support for them.
8. Clear Allow Broadcast of Name (SSID) to prevent the wireless AP from broadcasting its SSID.
9. Select WPA2 with PSK. The particular security options vary between manufacturers, but typically
include the ones offered here: WEP, WPA and WPA2, and support for both PSK and Enterprise
options.
Note: If you select an enterprise option, you must provide additional information about how
authentication is handled within your organization. For example, the name of a RADIUS server
and other settings.
1. Right-click the wireless network icon on the system tray and click Open Network and Sharing
Center.
2.
3. Click Add to launch the wizard to guide you through the process of defining the properties of
the network.
4.
5. Enter ADATUM in Network name, select WPA2-Personal for Security type, select AES for
Encryption type, and enter Pa$$w0rd for Security Key/Passphrase to define the appropriate
SSID and the security settings that correspond to those defined on the wireless AP.
Note: The specifics of the settings vary from network to network. In addition, the options
available may be restricted by Group Policy. Your ability to create a network connection may be
restricted.
6.
7. Right-click the wireless network icon on the system tray and click Open Network and Sharing
Center. Click Wireless Network Connection (ADATUM) to view the status of the network.
8. Click Close to close the Wireless Network Connection Status dialog box.
9. By default, all networks are placed in the Public network profile, which is the most restrictive.
From the Network and Sharing Center, click Public network.
10. Click Work Network and then click Close. Once you define a network location profile for a
network connection, Windows remembers it for subsequent connections to that network.
11. Close all open windows.
1. Right-click the wireless network icon on the system tray and click Open Network and Sharing
Center to view the available networks. You can also click the wireless network icon on the system
tray to view the available networks.
2. Notice that there is a wireless network available; the shield icon next to the wireless signal icon
denotes that the wireless network is open. This can cause a possible security issue. Always be
careful when connecting to public networks.
3. Click the wireless network, select Connect Automatically, and then click Connect. This connects
you to the wireless network.
4. Windows prompts the user to define the network location profile. Select Public.
5. Click Close and then close the Network and Sharing Center.
Troubleshooting Tips
Proximity or physical
obstruction
Interference from
other signal
Cannot detect
wireless network
Check the information that came with the router or access point to
find out what connection mode the device is set to. The mode must be
either ad hoc (when devices communicate directly without going
through a router or access point) or infrastructure (when devices
communicate by going through a router or access point). Make sure
the setting in Windows for this network matches the setting on the
device.
If you have other computers that are connecting to the network, try
temporarily disconnecting them.
Windows is not
configured to
connect to the right
type of network
Tools
Tool
Use to
Where to find it
Network and
Sharing Center
Connect to a
Network
Netsh
Command prompt
Windows Network
Diagnostics
Module 6
Securing Windows 7 Desktops
Contents:
Lesson 1: Overview of Security Management in Windows 7
Lesson 1
2.
3. In Control Panel, click System and Security and then click Action Center.
4. Click the down arrow next to Security and scroll down to review the settings.
5.
6. Under Maintenance Messages, ensure that the Windows Troubleshooting and Windows
Backup check boxes are cleared and then click OK.
1. Click Change User Account Control Settings in the left window pane.
2. Move the slide bar down by one setting and then click OK.
2. View any archived messages about computer problems and then click OK.
3.
Lesson 2
2. Click Start, in the Search programs and files box, type mmc and then press ENTER.
3. In Console1 [Console Root], click File and then click Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Group Policy
Object Editor and then click Add.
5.
6. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Group Policy
Object Editor and then click Add.
7.
8. In the Browse for a Group Policy Object dialog box, click the Users tab.
9. In the Local Users and Groups compatible with Local Group Policy list, click Administrators
and then click OK.
10. In the Select Group Policy Object dialog box, click Finish.
11. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Group Policy
Object Editor and then click Add.
12. In the Select Group Policy Object dialog box, click Browse.
13. In the Browse for a Group Policy Object dialog box, click the Users tab.
14. In the Local Users and Groups compatible with Local Group Policy list, click
Non-Administrators and then click OK.
15. In the Select Group Policy Object dialog box, click Finish.
16. In the Add or Remove Snap-ins dialog box, click OK.
17. In Console1 [Console Root], on the menu, click File and then click Save.
18. In the Save As dialog box, click Desktop.
19. In the File name box, type Multiple Local Group Policy Editor and then click Save.
1. In Multiple Local Group Policy Editor [Console Root], in the tree, expand Local Computer
Policy.
2. Expand User Configuration, expand Windows Settings, and then click Scripts (Logon/Logoff).
3.
4.
5.
6. In the Browse dialog box, right-click in the empty folder, point to New, click Text Document,
and then press ENTER.
7.
8. Type msgbox "Default Computer Policy", click File, click Save As.
9. Type ComputerScript.vbs, change Save as type: to All Files, and then click Save.
1. In Multiple Local Group Policy Editor [Console Root], in the tree, expand Local
Computer\Administrators Policy.
2. Expand User Configuration, expand Windows Settings, and then click Scripts (Logon/Logoff).
3.
4.
5.
6. In the Browse dialog box, right-click in the empty folder, click New, click Text Document, and
then press ENTER.
7.
8. Type msgbox "Default Administrators Policy", click File, and then click Save As.
9. Type AdminScript.vbs, change Save as type: to All Files, and then click Save.
1. In Multiple Local Group Policy Editor [Console Root], in the tree, expand Local
Computer\Non-Administrators Policy.
2. Expand User Configuration, expand Windows Settings, and then click Scripts (Logon/Logoff).
3.
4.
5.
6. In the Browse dialog box, right-click in the empty folder, click New, click Text Document, and
then press ENTER.
7.
8. Type msgbox "Default Users Policy", click File, and then click Save As.
9. Type UserScript.vbs, change Save as type: to All Files, and then click Save.
2. Click OK when prompted by the message box and then click OK again.
3. Log off.
4.
5. Click OK when prompted by the message box and then click OK again.
6. On the desktop, right-click Multiple Local Group Policy Editor and then click Open.
7. In Multiple Local Group Policy Editor [Console Root], in the tree, expand Local
Computer\Non-Administrators Policy.
8. Expand User Configuration, expand Windows Settings, and then click Scripts (Logon/Logoff).
9.
10. In the Logon Properties dialog box, click Remove and then click OK.
11. In Multiple Local Group Policy Editor [Console Root], in the tree, expand Local
Computer\Administrators Policy.
12. Expand User Configuration, expand Windows Settings, and then click Scripts (Logon/Logoff).
13. In the results pane, double-click Logon.
14. In the Logon Properties dialog box, click Remove and then click OK.
15. In Multiple Local Group Policy Editor [Console Root], in the tree, expand Local Computer
Policy.
16. Expand User Configuration, expand Windows Settings, and then click Scripts (Logon/Logoff).
17. In the results pane, double-click Logon.
18. In the Logon Properties dialog box, click Remove and then click OK.
19. Close the Multiple Local Group Policy Editor [Console Root] snap-in.
20. Click Yes if prompted to save.
21. Log off.
2. Click Start, and in the Search programs and files box, type gpedit.msc and then press ENTER.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows
Settings, and then expand Security Settings.
4.
5.
6. In the left pane, click and expand Local Policies and then click Audit Policy.
7. In the main window, right-click Audit account management and then select Properties.
8. In the Audit account management Properties dialog box, select Success and Failure and then
click OK.
9.
Lesson 3
What Is BitLocker?
Question: BitLocker provides full volume encryption. What does this mean?
Answer: Full volume encryption means: 1) the entire Windows operating system volume can be
encrypted, and 2) fixed data volumes can be encrypted (with the requirement that the OS volume is
also encrypted).
BitLocker Modes
Question: What is a disadvantage of running BitLocker on a computer that does not contain TPM
1.2?
Answer: Computers without TPMs will not be able to use the system integrity verification during
boot-up that BitLocker can also provide.
Configuring BitLocker
Question: When turning on BitLocker on a computer with TPM version 1.2, what is the purpose of
saving the recovery password?
Answer: If the TPM ever changes or cannot be accessed, if there are changes to key system files, or if
someone tries to start the computer from a product CD or DVD to circumvent the operating system,
the computer will switch to recovery mode and will remain there until the user provides the recovery
password. Storing the recovery password so that it is accessible to the user allows him or her to
complete the startup process.
Configuring BitLocker to Go
Question: How do you enable BitLocker To Go for a USB flash drive?
Answer: Insert the drive, and in Windows Explorer, right-click the drive and then click Turn On
BitLocker.
Find the password ID under a computer's properties, which you can use to locate recovery passwords
stored in Active Directory.
2.
3.
4. Right-click an empty space in the Name column, point to New, and then click Folder.
5.
6. Double-click Encrypted, and then right-click an empty space in the Name column, point to
New, and then click Microsoft Office Word Document.
7.
8. Click the left arrow in the menu bar to return to Local Disk (C:).
9.
2.
3.
4.
5. Double-click Private.
6.
7.
8.
9. Log off.
2. Click Start, click Computer, and then double-click Local Disk (C:).
3.
4.
5. Clear the Encrypt contents to secure data check box and then click OK.
6.
7.
8. Log off.
2.
3.
4.
5. Double-click Private.
6.
7.
8. Log off.
Lesson 4
AppLocker Rules
Question: When testing AppLocker, you must carefully consider how you will organize rules between
linked GPOs. What do you do if a GPO does not contain the default AppLocker rules?
Answer: If a GPO does not contain the default rules, then either add the rules directly to the GPO or
add them to a GPO that links to it.
2. Click Start, and in the Search programs and files box, type gpedit.msc and then press ENTER.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows
Settings, and then expand Security Settings.
4.
5. Click Executable Rules and then right-click and select Create New Rule.
6. Click Next.
7. On the Permissions screen, select Deny and then click the Select button.
8. In the Select User or Group dialog box, in the Enter the object names to select (examples)
box, type Contoso\Marketing, click Check Names, and then click OK.
9. Click Next.
10. On the Conditions screen, select Path and then click Next.
11. Click the Browse Files button and then click Local Disk (C:).
12. Double-click Windows, select Regedit, and then click Open.
13. Click Next.
14. Click Next again and then click Create.
15. Click Yes when prompted to create default rules.
1. Select Windows Installer Rules and then right-click and select Create New Rule.
2. Click Next.
3.
4.
5. Click the Browse button, browse to E:\Labfiles\Mod06, select Microsoft Article Authoring
Add-In, and then click Open.
6. On the Publisher screen, move the slide bar up by three settings so that the rule scope is set to
Applies to all files signed by the specified publisher.
7. Click Next.
8.
9.
1. Select Script Rules and then right-click and select the Automatically Generate Rules option.
2. In Automatically Generate Script Rules, on the Folder and Permissions screen, click Next.
3.
4. Click Create.
5.
6. Close the Local Group Policy Editor and then log off.
2. Click Start, and in the Search programs and files box, type gpedit.msc and then press ENTER.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows
Settings, and then expand Security Settings.
4.
5.
6. On the Enforcement tab, under Executable rules, click the Configured check box and then
select Enforce rules.
7. On the Enforcement tab, under Windows Installer rules, click the Configured check box and
then select Audit only.
8. Click OK.
9.
1. Click Start, and in the Search programs and files box, type cmd and then press ENTER.
2. In the Command Prompt window, type gpupdate /force and then press ENTER. Wait for the
policy to be updated.
3.
4.
5. Click System.
6. In the result pane, locate and click the latest event with Event ID 1502.
7.
8.
9. Right-click Application Identity service in the main window pane and then click Start.
12. Expand Windows, expand AppLocker, and then click EXE and DLL.
13. Review the entries in the results pane.
14. Close Computer Management.
15. Log off.
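The checks from the AppLocker steps above, scripted as an added example (not part of the course files). It assumes an elevated PowerShell prompt on the lab client with the AppLocker module available, and it takes the regedit path and the Contoso\Marketing group from the lab's Deny rule; the event IDs are the standard AppLocker audit and block events.

```powershell
# Added example: verify AppLocker enforcement state and review audit/block events.
Import-Module AppLocker

# 1. Rules are evaluated only while the Application Identity service is running.
$svc = Get-Service -Name AppIDSvc
"Application Identity service: $($svc.Status)"
if ($svc.Status -ne 'Running') {
    Write-Warning 'AppLocker rules are not evaluated until the service is started.'
}

# 2. Enforcement mode of each rule collection in the effective policy
#    (Enabled = Enforce rules, AuditOnly = Audit only, NotConfigured).
[xml]$policyXml = Get-AppLockerPolicy -Effective -Xml
foreach ($rc in $policyXml.SelectNodes('/AppLockerPolicy/RuleCollection')) {
    '{0,-8} {1,-14} {2} rule(s)' -f $rc.GetAttribute('Type'),
                                    $rc.GetAttribute('EnforcementMode'),
                                    $rc.SelectNodes('*').Count
}

# 3. Ask the policy engine what would happen if a member of the Marketing group
#    ran regedit, without logging on as that user.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path "$env:windir\regedit.exe" -User 'Contoso\Marketing' |
    Format-List FilePath, PolicyDecision, MatchingRule

# 4. Summarize what AppLocker logged. Audit-only collections produce the
#    "would be blocked" events; enforced collections produce the "blocked" events.
$meaning = @{
    8003 = 'EXE/DLL would be blocked (audit only)'
    8004 = 'EXE/DLL blocked'
    8006 = 'Script/MSI would be blocked (audit only)'
    8007 = 'Script/MSI blocked'
}
$logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
        'Microsoft-Windows-AppLocker/MSI and Script'
$events = Get-WinEvent -FilterHashtable @{ LogName = $logs; Id = 8003, 8004, 8006, 8007 } `
                       -MaxEvents 200 -ErrorAction SilentlyContinue

if ($events) {
    # Count per event type, then list the most recent entries with user and message.
    $events | Group-Object Id | ForEach-Object {
        '{0,4} x {1} ({2})' -f $_.Count, $_.Name, $meaning[[int]$_.Name]
    }
    $events | Select-Object -First 10 TimeCreated, Id, UserId, Message |
        Format-List
} else {
    'No AppLocker audit or block events found in the EXE/DLL or MSI/Script logs.'
}
```

Reviewing the audit-only events before switching a collection to Enforce rules shows which applications the rule set would stop.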
Lesson 5
2. Click Start, and in the Search programs and files box, type gpedit.msc and then press
ENTER.
3. In the Local Group Policy Editor, under Computer Configuration, expand Windows Settings,
expand Security Settings, expand Local Policies, and then click Security Options.
4. In the results pane, double-click User Account Control: Behavior of the elevation prompt for
standard users.
5. In the User Account Control: Behavior of the elevation prompt for standard users dialog
box, click Automatically deny elevation requests and then click OK.
6.
7. Log off.
2.
3.
4. Log off.
2. Click Start, and in the Search programs and files box, type gpedit.msc and then press
ENTER.
3. In the Local Group Policy Editor, under Computer Configuration, expand Windows Settings,
expand Security Settings, expand Local Policies, and then click Security Options.
4. In the results pane, double-click User Account Control: Behavior of the elevation prompt for
standard users.
5. In the User Account Control: Behavior of the elevation prompt for standard users dialog
box, click Prompt for credentials and then click OK.
6.
7. Log off.
2.
3.
4.
5. Click Yes.
6.
7. Log off.
Lesson 6
Home or work (private) networks: for networks at home or work where you know and
trust the people and devices on the network. When Home or work (private) networks is
selected, Network Discovery is turned on. Computers on a home network can belong to a
HomeGroup.
Domain networks: for networks at a workplace that are attached to a domain. When this
option is selected, Network Discovery is on by default and you cannot create or join a
HomeGroup.
Public networks: for networks in public places. This location keeps the computer from being
visible to other computers. When Public place is the selected network location, HomeGroup
is not available and Network Discovery is turned off.
You can modify the firewall settings for each type of network location from the main Windows
Firewall page. To set up or modify network location profile settings, click Change advanced sharing
settings in the left pane of the Network and Sharing Center.
Multiple active firewall policies enable computers to obtain and apply domain firewall profile
information, regardless of the networks that are active on the computers.
Program rules
Port rules
Predefined rules
Custom rules
Isolation rules
Server-to-server
Tunnel rules
Custom rules
2.
3.
4.
5.
6. In Windows Firewall with Advanced Security, select Inbound Rules in the left pane.
7. Review the existing inbound rules, right-click Inbound Rules, and click New Rule.
8. On the Rule Type page of the New Inbound Rule wizard, select Predefined and then select
Remote Scheduled Tasks Management from the dropdown menu.
9. Click Next.
10. Select both of the Remote Scheduled Tasks Management (RPC) rules and then click Next.
11. Select Block the connection and then click Finish.
2.
3.
4. Type http://LON-DC1 into the Address field and then press ENTER to connect to the default
Web site on LON-DC1.
5.
6. In the Windows Firewall with Advanced Security console, select Outbound Rules in the left
pane.
7. Review the existing Outbound rules, right-click Outbound Rules, and then click New Rule.
8. On the Rule Type page of the New Outbound Rule wizard, select Port and then click Next.
9. Select TCP, select Specific remote ports and then type 80.
2.
3. Type http://LON-DC1 into the Address field and then press ENTER to attempt to connect to
the default Web site on LON-DC1.
4.
1. In Windows Firewall with Advanced Security, select Connection Security Rules in the left
pane.
2. Right-click Connection Security Rules and then select the New Rule option.
3.
4.
5. Select Require authentication for inbound and outbound connections and then click Next.
6.
7.
8. In the Add First Authentication Method dialog box, select Computer (Kerberos V5) and then
click OK.
9.
10. In the Add Second Authentication Method dialog box, select User (Kerberos V5) and then
click OK.
11. In the Customize Advanced Authentication Methods, click OK.
12. Click Next and then click Next again.
13. Type Kerberos Connection Security Rule and then click Finish.
1. In Windows Firewall with Advanced Security, select Monitoring in the left pane.
2.
3.
4.
5.
6. Select the HTTP TCP 80 rule and then right-click and select Disable Rule.
7.
8. Select Kerberos Connection Security Rule, right-click and then click Disable Rule.
9.
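The outbound port rule from the steps above, created and verified with the Netsh advfirewall command instead of the snap-in. This is an added example, not part of the course files; it assumes an elevated PowerShell prompt on the lab client and reuses the rule name HTTP TCP 80, the host LON-DC1 and port 80 from the lab, and the helper function names are made up for the example.

```powershell
# Added example: create, test and disable the lab's outbound block rule with netsh.
$RuleName = 'HTTP TCP 80'
$Target   = 'LON-DC1'
$Port     = 80

function Test-TcpPort {
    # Returns $true if a TCP connection to the host and port succeeds within the timeout.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $true
    }
    catch { return $false }      # a blocked or refused connection raises an exception
    finally { $client.Close() }
}

function Test-RuleExists {
    # netsh exits with a non-zero code when no rule matches the name.
    param([string]$Name)
    netsh advfirewall firewall show rule name="$Name" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Baseline: the default Web site on LON-DC1 should answer before the rule exists.
"Before rule   : port $Port reachable = $(Test-TcpPort $Target $Port)"

# Create the outbound block rule once; re-running the script reuses it.
if (-not (Test-RuleExists $RuleName)) {
    netsh advfirewall firewall add rule name="$RuleName" dir=out action=block protocol=TCP remoteport=$Port | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'netsh could not create the rule (is the prompt elevated?)' }
}

# With the rule enabled, the same connection attempt should now fail.
netsh advfirewall firewall set rule name="$RuleName" new enable=yes | Out-Null
"Rule enabled  : port $Port reachable = $(Test-TcpPort $Target $Port)"

# Disable the rule again, as the last part of the lab does, and re-test.
netsh advfirewall firewall set rule name="$RuleName" new enable=no | Out-Null
"Rule disabled : port $Port reachable = $(Test-TcpPort $Target $Port)"

# Show the stored rule so its direction, action, port and enabled state can be reviewed.
netsh advfirewall firewall show rule name="$RuleName"
```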
Lesson 7
2.
3. If the Set Up Windows Internet Explorer 8 window comes up, click Ask me later.
4.
5. Click to select the Display all websites in Compatibility View check box and then click Close.
2.
3. Select Preserve Favorites website data and History. Clear all other options.
4. Click Delete.
5.
2. Type http://LON-DC1 into the Address bar and then press ENTER.
3. Click on the down arrow next to the Address bar to confirm that the address you typed into it is
stored.
4. In Internet Explorer, click the Tools button and then click Internet Options.
5.
6. In the Delete Browsing History dialog box, clear Preserve Favorites website data, select
Temporary Internet Files, Cookies, History, and then click Delete.
7.
8. Confirm that there are no addresses stored in the Address bar by clicking on the down arrow next
to the Address bar.
9.
10. Type http://LON-DC1 into the Address bar and then press ENTER.
11. Confirm the address you typed in is not stored by clicking on the down arrow next to the Address
bar.
12. Close the InPrivate Browsing window.
13. Close Internet Explorer.
2.
3. Click Let me choose which providers receive my information to choose content to block or
allow.
4.
5. Click OK.
2. Ensure that Toolbars and Extensions is selected and then click Research.
3.
4. Click Bing.
5. Click Accelerators.
6.
7.
8. Click Close.
9.
Lesson 8
Data risks: Stolen laptops or removable universal serial bus (USB) hard drives
Network risks: Internal worm attacks, internal workstations that do not comply with
organizational security policies
Question: How can you be sure that you have addressed the appropriate security risks before and
after a desktop deployment?
Answer: Conduct a structured security risk management process that will help you to identify and
assess risk, identify and evaluate control solutions, implement the controls, and then measure the
effectiveness of the mitigation. Identifying security risks before a desktop deployment helps you to be
proactive in mitigating and implementing solutions.
2. Click Start, click Search programs and files, type Windows Defender, and press ENTER.
3.
4.
5.
6. In the main window, ensure that the Automatically scan my computer (recommended) check
box is selected.
7.
8.
9.
10. Ensure the Check for updated definitions before scanning check box is selected.
11. In Options, select Default actions.
12. Set Severe alert items to Remove.
13. Set Low alert items to Allow.
14. Ensure the Apply recommended actions check box is selected.
15. In Options, select Real-time protection.
16. In Options, select Excluded files and folders.
17. In Options, select Excluded file types.
18. In Options, select Advanced.
19. Click Scan e-mail.
20. Click Scan removable drives.
21. In Options, select Administrator.
22. Click Save.
2. Click View.
3.
Microsoft SpyNet
1.
2.
3. Click Save.
1. In Tools and Settings, point out the Windows Defender Website link.
2. Review and discuss the content of the Windows Defender Web site.
Turn on real-time protections by clicking Tools, clicking Options, and then clicking
Real-time protection. In the Options area, perform the following additional tasks:
Use the Advanced options to scan archived files, email, and removable drives, and to use
heuristics and create a restore point.
Select whether to use Windows Defender and what information to display to all users
of the computer. History, Allowed items, and Quarantined items are hidden by default
to protect user privacy.
The Diagnose Connections Problems button helps users find and resolve issues
potentially without involving the Helpdesk. When Internet Explorer 8 is unable to
connect to a Web site, it shows a Diagnose Connection Problem button. Clicking the
button helps the user resolve the problem by providing information to troubleshoot the
problem. This option was available in Internet Explorer 7 but is now simpler to find in
Internet Explorer 8.
Resetting Internet Explorer 8 settings
If Internet Explorer 8 on a user's computer is in an unstable state, you can use the
Reset Internet Explorer Settings (RIES) feature in Internet Explorer 8 to restore the
default settings of many browser features. These include the following:
Search scopes
Appearance settings
Toolbars
You can choose to reset personal settings by using the Delete Personal Settings option
for the following:
Home pages
Browsing history
Form data
Passwords
RIES disables all custom toolbars, browser extensions, and customizations that have
been installed with Internet Explorer 8. To use any of these disabled customizations,
you must selectively enable each customization through the Manage Add-ons dialog
box.
RIES does not do the following:
Note: Unless you enable the Group Policy setting titled Internet Explorer Maintenance
policy processing, Normal mode settings on the browser created by using IEM are lost
after you use RIES.
2.
3.
In the Reset Internet Explorer Settings dialog box, click Reset. To remove personal
settings, select the Delete Personal Settings check box. To remove branding, select the
Remove Branding check box.
4.
When Internet Explorer 8 finishes restoring the default settings, click Close, and then click OK
twice.
5.
Close Internet Explorer 8. The changes take effect the next time you open Internet Explorer 8.
Note: To prevent users from using the RIES feature, enable the Do not allow resetting
Internet Explorer settings policy in Group Policy Administrative Templates.
UAC Security Settings are configurable in the local Security Policy Manager (secpol.msc) or the
Local Group Policy Editor (gpedit.msc). However, in most corporate environments, Group Policy is
preferred because it can be centrally managed and controlled. There are nine Group Policy object
(GPO) settings that can be configured for UAC.
Because the user experience can be configured with Group Policy, there can be different user
experiences, depending on policy settings. The configuration choices made in your environment
affect the prompts and dialog boxes that standard users, administrators, or both, can view.
For example, you may require administrative permissions to change the UAC
setting to Always notify me or Always notify me and wait for my response.
With this type of configuration, a yellow notification appears at the bottom of
the User Account Control Settings page indicating the requirement.
Because BitLocker stores its own encryption and decryption key in a hardware device that is
separate from the hard disk, you must have one of the following:
A removable Universal Serial Bus (USB) memory device, such as a USB flash drive. If your
computer does not have TPM version 1.2 or higher, BitLocker stores its key on the memory
device.
The most secure implementation of BitLocker leverages the enhanced security capabilities of
Trusted Platform Module (TPM) version 1.2.
On computers that do not have a TPM version 1.2, you can still use BitLocker to encrypt the
Windows operating system volume. However, this implementation will require the user to insert a
USB startup key to start the computer or resume from hibernation and does not provide the
pre-startup system integrity verification offered by BitLocker that is working with a TPM.
Before manually creating new rules or automatically generating rules for a specific folder, create
the default rules. The default rules ensure that the key operating system files are allowed to run
for all users.
When testing AppLocker, carefully consider how you will organize rules between linked GPOs. If a
GPO does not contain the default rules, then either add the rules directly to the GPO or add
them to a GPO that links to it.
After creating new rules, enforcement for the rule collections must be configured and the
computer's policy refreshed.
By default, AppLocker rules do not allow users to open or run any files that are not specifically
allowed. Administrators must maintain a current list of allowed applications.
If AppLocker rules are defined in a Group Policy Object (GPO), only those rules are applied. To
ensure interoperability between Software Restriction Policies rules and AppLocker rules, define
Software Restriction Policies rules and AppLocker rules in different GPOs.
When an AppLocker rule is set to Audit only, the rule is not enforced. When a user runs an
application that is included in the rule, the application is opened and runs normally and
information about that application is added to the AppLocker event log.
At least one Windows Server 2008 R2 domain controller is required to host the AppLocker rules.
To help keep your definitions current, Windows Defender works with Windows Update to
automatically install new definitions as they are released. You can also set Windows Defender to
check online for updated definitions before scanning.
When scanning your computer, it is recommended that you select the advanced option to
Users should export their certificates and private keys to removable media and store the media
securely when it is not in use. For the greatest possible security, the private key must be removed
from the computer whenever the computer is not in use. This protects against attackers who
physically obtain the computer and try to access the private key. When the encrypted files must
be accessed, the private key can easily be imported from the removable media.
Encrypt the My Documents folder for all users (User_profile\My Documents). This makes sure that
the personal folder, where most documents are stored, is encrypted by default.
Users should encrypt folders rather than individual files. Programs work on files in various ways.
Encrypting files consistently at the folder level makes sure that files are not unexpectedly
decrypted.
The private keys that are associated with recovery certificates are extremely sensitive. These keys
must be generated either on a computer that is physically secured, or their certificates must be
exported to a .pfx file, protected with a strong password, and saved on a disk that is stored in a
physically secure location.
Recovery agent certificates must be assigned to special recovery agent accounts that are not
used for any other purpose.
Do not destroy recovery certificates or private keys when recovery agents are changed. (Agents
are changed periodically.) Keep them all until all files that may have been encrypted with them
are updated.
Designate two or more recovery agent accounts per organizational unit (OU), depending on the
size of the OU. Designate two or more computers for recovery, one for each designated recovery
agent account. Grant permissions to appropriate administrators to use the recovery agent
accounts. It is a good idea to have two recovery agent accounts to provide redundancy for file
recovery. Having two computers that hold these keys provides more redundancy to allow
recovery of lost data.
Implement a recovery agent archive program to make sure that encrypted files can be recovered
by using obsolete recovery keys. Recovery certificates and private keys must be exported and
stored in a controlled and secure manner. Ideally, as with all secure data, archives must be stored
in a controlled access vault and you must have two archives: a master and a backup. The master
is kept on-site, while the backup is located in a secure off-site location.
Avoid using print spool files in your print server architecture, or make sure that print spool files
are generated in an encrypted folder.
The Encrypting File System (EFS) adds CPU overhead every time a user encrypts or
decrypts a file. Plan your server usage wisely, and load balance your servers when many
clients use EFS.
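One way to check the folder-level encryption advice above on a client, as an added example that is not part of the course material. It assumes Windows PowerShell 2.0 or later; the `$Root` default is an assumed path and `Test-EfsEncrypted` is a helper name made up for this example.

```powershell
# Added example (not from the course): audit that EFS is applied at folder level.
# $Root is an assumed path; point it at the folder that is supposed to be encrypted.
param([string]$Root = (Join-Path $env:USERPROFILE 'Documents'))

function Test-EfsEncrypted {
    param($Item)
    # The Encrypted attribute is set on EFS-protected files and on folders
    # that are marked so that new content is encrypted.
    return [bool]($Item.Attributes -band [System.IO.FileAttributes]::Encrypted)
}

$rootItem = Get-Item -LiteralPath $Root -Force
if (-not (Test-EfsEncrypted $rootItem)) {
    Write-Warning "$Root is not marked for encryption, so new files in it are stored unencrypted."
}

# Collect every file and subfolder under the root that lacks the attribute.
# These are the items the folder-level recommendation is meant to prevent.
$plain = @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not (Test-EfsEncrypted $_) })

if ($plain.Count -eq 0) {
    Write-Output "All items under $Root carry the Encrypted attribute."
} else {
    Write-Output "$($plain.Count) item(s) under $Root are not encrypted:"
    $plain | Select-Object -ExpandProperty FullName
}

# List every encrypted file on the local drives without changing any keys.
# Running "cipher /u" without /n updates those files to the current user and
# recovery keys, which is the update that must finish before old recovery
# certificates are retired. The scan covers all local drives and can take a while.
cipher /u /n
```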
You can configure Windows Firewall with Advanced Security in the following ways:
Configure a local or remote computer by using either the Windows Firewall with
Advanced Security snap-in or the Netsh advfirewall command.
Configure Windows Firewall with Advanced Security settings by using the Group Policy
Management Console (GPMC) or using the Netsh advfirewall command.
If you are configuring the firewall by using Group Policy, you need to ensure that the
Windows Firewall service has explicit write access by its service security identifier (SID) to
the location that you specify.
If you deploy Windows Firewall with Advanced Security by using Group Policy and then
block outbound connections, ensure that you enable the Group Policy outbound rules
and do full testing in a test environment before deploying. Otherwise, you might
prevent all of the computers that receive the policy from updating the policy in the
future, unless you manually intervene.
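One way to run the pre-deployment test described above on a single test client, as an added example that is not part of the course material. It assumes an elevated PowerShell prompt, English-language netsh output, and the built-in Core Networking rule names; the backup path is a placeholder, and the script changes only the local policy store.

```powershell
# Added example (not from the course): confirm the Group Policy outbound rules
# are enabled BEFORE switching the domain profile to block outbound traffic.
# Run on a test client only. The backup location below is a placeholder.
$backup = Join-Path $env:TEMP ("advfirewall-{0}.wfw" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

# Built-in outbound rules that let the client reach domain controllers for policy.
$gpRules = @(
    'Core Networking - Group Policy (LSASS-Out)',
    'Core Networking - Group Policy (NP-Out)',
    'Core Networking - Group Policy (TCP-Out)'
)

# 1. Keep a rollback copy of the current local firewall policy.
netsh advfirewall export $backup | Out-Null
Write-Output "Current policy exported to $backup"

# 2. Enable the Core Networking group, which contains the rules listed above.
netsh advfirewall firewall set rule group="Core Networking" new enable=yes | Out-Null

# 3. Verify that each rule exists and reports Enabled: Yes.
$notEnabled = @()
foreach ($name in $gpRules) {
    $out = netsh advfirewall firewall show rule name="$name"
    if (-not ($out -match '^Enabled:\s+Yes')) { $notEnabled += $name }
}

if ($notEnabled.Count -gt 0) {
    Write-Warning ("Outbound left unchanged; rules not enabled: " + ($notEnabled -join '; '))
    return
}

# 4. Only now block outbound connections on the domain profile.
#    The value is quoted so PowerShell passes it to netsh as one argument.
netsh advfirewall set domainprofile firewallpolicy "blockinbound,blockoutbound"
netsh advfirewall show domainprofile firewallpolicy

# 5. Prove that the client can still refresh policy with outbound blocked.
gpupdate /force

# Roll back if the refresh fails:
#   netsh advfirewall import <path printed in step 1>
```

If `gpupdate /force` reports errors with outbound blocked, import the exported file and review which outbound rules the client still needs before the policy goes into a GPO.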
For more information about IANA port-assignment standards, visit the IANA Web site
The new Application Compatibility Toolkit (ACT) with support for Internet
Explorer 8 is available from MSDN
Module 7
Optimizing and Maintaining Windows 7 Client Computers
Contents:
Lesson 1: Maintaining Performance by Using the Windows 7
Performance Tools
Lesson 1
Click Start. In the search box, type res and then click Resource Monitor. The Overview tab shows
CPU usage, disk I/O, network usage, and memory usage information for each process. Summary
information is provided in a bar above each section.
2.
3. Click the Views button and then click Medium. This controls the size of the graphs that display CPU
usage, disk I/O, network usage, and memory activity.
4. Click the CPU tab. This tab has more detailed CPU information that you can filter so that it is based
on the process.
5. In the Processes area, select the check box for a process and then expand the Associated Handles
area. This shows the files that are used by this process. It also keeps the selected process at the top of
the list for effortless monitoring.
6. Click the Memory tab. This tab provides detailed information about memory usage for each process.
Notice that the previously selected process is still selected so that you can review multiple kinds of
information about a process as you switch between tabs.
7. Click the Disk tab. This tab shows processes with recent disk activity.
8. Expand the Disk Activity area and clear the Image check box to remove the filter and show all
processes with current disk activity. The Disk Activity area provides detailed information about the
files in use. The Storage area provides general information about each logical disk.
9. Click the Network tab. This tab provides information about all processes with current network
activity.
10. Expand the TCP Connections area. This shows current TCP connections and information about those
connections.
11. Expand the Listening Ports area. This shows the processes that are listening for network connections
and the ports they are listening on. The firewall status for those ports is also shown.
12. Close the Resource Monitor.
2. Click Start, and in the search box, type per, and then click Performance Monitor.
3. In the Performance Monitor window, click the Performance Monitor node. Notice that only %
Processor Time is displayed by default.
4.
5. In the Available counters area, expand PhysicalDisk and then click % Idle Time.
6. In the Instances of selected object box, click 0 C:, click Add, and then click OK.
7.
8.
9. In the left pane, expand Data Collector Sets and then click User Defined.
10. Right-click User Defined, point to New, and then click Data Collector Set.
11. In the Name box, type CPU and Disk Activity and then click Next.
12. In the Template Data Collector Set box, click Basic and then click Next. Using a template is
recommended.
13. Click Next to accept the default storage location for the data.
14. Click Open properties for this data collector set and then click Finish. On the General tab, you can
configure general information about the data collector set and the credentials that are used when it is
running.
15. Click the Directory tab. This tab lets you define information on how the collected data is stored.
16. Click the Security tab. This tab lets you configure which users can change this data collector set.
17. Click the Schedule tab. This tab lets you define when the data collector set is active and collecting
data.
18. Click the Stop Condition tab. This tab lets you define when data collection is stopped based on time
or data that is collected.
19. Click the Task tab. This tab lets you run a scheduled task when the data collector set stops. This
can be used to process the collected data.
20. Click Cancel.
21. Notice that there are three kinds of logs listed in the right pane.
Performance Counter collects data that can be viewed in the Performance Monitor.
Kernel Trace collects detailed information about system events and activities.
22. In the right pane, double-click Performance Counter. Notice that all Processor counters are
collected by default.
23. Click Add.
24. In the Available counters area, click PhysicalDisk, click Add, and then click OK. All the counters for
the PhysicalDisk object are now added.
25. In the left pane, right-click CPU and Disk Activity and then click Start.
26. Wait a few moments and the data collector set will stop automatically.
27. Right-click CPU and Disk Activity and then click Latest Report. This report shows the data that is
collected by the data collector set.
28. Close the Performance Monitor.
Lesson 2
2. Restart LON-CL1 and press a key to start from the DVD when you are prompted.
3. On the Windows 7 page, click Next.
4. Click Repair your computer.
5. In the System Recovery Options window, read the list of operating systems
found and then click Next.
6. Read the options that are listed.
Startup Repair tries to automatically repair a Windows system that is not starting correctly.
System Restore is used to restore system configuration settings based on a restore point.
System Image Recovery is used to perform a full restore from Windows backup.
Command Prompt lets you manually access the local hard disk and perform repairs.
Lesson 3
2.
3. In the Documents window, right-click an open area, point to New, and then click Text Document.
4.
5. Double-click Important Document, enter some text in the document, and then close Notepad.
6. Click Save to save the file and then close the Documents window.
7. Click Start, point to All Programs, click Maintenance, and then Backup and Restore.
8.
9.
10. Click Let me choose and then Next. Notice that by default, both the libraries for all users and a
system image are selected.
11. Clear all check boxes in the window, select the bolded Administrators Libraries check box, and
then click Next.
12. Click Change schedule.
13. Ensure that the Run backup on a schedule (recommended) check box is selected; review the
available options for How often, What day, and What time, and then click OK.
14. Click Save settings and Run Backup.
15. Watch as the backup completes. Click View Details to see detailed progress.
16. Close the Backup and Restore window.
2. Click Start, point to All Programs, click Maintenance, and then Backup and Restore.
3.
4. In the Browse the backup for file window, click administrator.CONTOSO's backup, and then in
the right pane, double-click Documents, click Important Document, and then Add files.
5. Click Next.
6.
7. When prompted that the file already exists, click Copy and Replace.
8. Click Finish.
9.
Lesson 4
2.
3. Double-click Important Document, enter some new text, and then close Notepad.
4.
5.
6.
7. In the Protection settings area, click Local Disk (C:) (System) and then Configure.
8. In the Restore Settings area, click Restore system settings and previous versions of files and then
click OK.
9. In the Protection settings area, click Allfiles (E:) and then Configure.
10. In the Restore settings area, click Restore system settings and previous versions of files and then
OK.
11. In the System Properties window, click Create. The system typically performs this automatically,
rather than manually, before software installation is performed.
12. In the System Protection window, type Restore Point 1 and then click Create.
13. When the creation of the restore point is finished, click Close.
14. In the System Properties window, click OK and then close the System window.
15. Click Start and then click Documents.
16. Right-click Important Document and click Restore previous versions. This version of the file was
created during the restore point creation.
17. Click Cancel and close the Documents window.
18. Click Start, point to All Programs, click Accessories, System Tools, and then System Restore.
19. In the Restore system files and settings window, click Next.
20. Click Restore Point 1 and then Next.
21. On the Confirm your restore point page, click Finish.
22. Click Yes to continue. Be aware that this restores only system files, not data files.
23. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.
24. Read the message in the System Restore window and click Close.
Lesson 5
2. Will the computer restore to software that you installed two days ago?
3.
4.
Answer:
1. You need to create a system restore to return your files to a point before you got the virus.
2.
3. Restore points are saved until the disk space System restore reserves are filled up. As new
restore points are created, old ones are deleted.
4. If System restore does not fix the problem, you can undo the system restore or try choosing
a different restore point.
Tools
Tool
Use for
Where to find it
Performance
Information and Tools
Control Panel
Performance Monitor
Administrative Tools
Resource Monitor
Advanced tools in
Performance
Information and tools
Windows Experience
Index
Performance
Information and Tools
Monitoring Tools
Performance Monitor
Performance monitor
Performance Counters
Performance monitor
Administrative tools
Reliability Monitor
Action center
Action Center
Windows 7 DVD
Image Backup
System restore
Control Panel
Previous versions of
files
System Properties
Restore Point
System Properties
System Properties
Windows Update
Change Update
Settings
Windows Update
Windows Update
Module 8
Configuring Mobile Computers and Remote Access in
Windows 7
Contents:
Lesson 1: Configuring Mobile Computer and Device Settings
Lesson 1
2. Click Start, point to All Programs, click Microsoft Office, and then click Microsoft
Office Outlook 2007.
3.
4. On the E-mail accounts page, click No, and then click Next.
5. On the Create Data File page, select the Continue with no e-mail support check box
and then click Finish.
6.
7. If prompted, in the Welcome to the 2007 Microsoft Office System, click Next, click I don't want
to use Microsoft Update, and then click Finish.
8.
9.
10. In the results pane, click the Month tab and then double-click tomorrow.
11. In the Untitled Event dialog box, in the Subject field, type Quarterly meeting.
12. In the Location field, type Meeting room 1 and then click Save & Close.
13. If prompted with a reminder for the appointment, click Dismiss.
14. In Outlook, on the left, click Contacts.
15. On the menu, click New.
16. In the Untitled Contact dialog field, in the Full Name field, type Amy Rusko.
17. In the Job title box, type Production Manager and then click Save & Close.
18. Close Outlook.
Click Start, point to All Programs, and then click Windows Mobile Device Center.
2.
3. In the Windows Mobile Device Center dialog box, click Mobile Device Settings and
then click Connection settings.
4. In the Connection Settings dialog box, in the Allow connections to one of the
following list, click DMA and then click OK.
5. In the User Account Control dialog box, in the User name box, type administrator.
6.
7.
Click Start, point to All Programs, click Windows Mobile 6 SDK, click Standalone
Emulator Images, click US English, and then click WM 6.1.4 Professional.
2.
3. Click Start, point to All Programs, click Windows Mobile 6 SDK, click Tools, and then
click Device Emulator Manager.
4. In the Device Emulator Manager dialog box, click the play symbol.
5.
6.
In the Windows Mobile Member Center dialog box, click Don't Register.
2.
3. In the Set up Windows Mobile Partnership wizard, on the What kinds of items do
you want to sync? page, click Next.
4. On the Ready to set up the Windows Mobile partnership page, click Set Up.
5.
On the Windows Mobile Device, click Start and then click Calendar.
2.
3. Click Start and then click Contacts. Are there contacts listed?
4.
2. Click System and Security, click Power Options, and then on the left, click Create a
power plan.
3.
4. In the Plan name box, type Amy's plan and then click Next.
5. On the Change settings for the plan: Amy's plan page, in the Turn off the display box,
click 5 minutes and then click Create.
2. On the Change settings for the plan: Amy's plan page, click Change advanced
power settings.
3. Configure the following properties for the plan and then click OK.
4. On the Change settings for the plan: Amy's plan page, click Cancel.
5.
Lesson 2
2. Click Start, point to All Programs, click Microsoft Office, and then click Microsoft
Office Word 2007.
3. In the Document window, type This is my document, and then click the Office button.
4.
2.
3. In the Windows Remote Assistance wizard, click Invite someone you trust to
help you.
4. On the How do you want to invite someone to help you page, click Save this
invitation as a file.
5. On the Save as page, in the File name box, type \\LON-dc1\users\Public\DonsInvitation.msrcincident and then click Save.
6.
Switch to the 6292A-LON-DC1 virtual machine and log on as Administrator with the password of
Pa$$w0rd.
2.
3. In the Remote Assistance dialog box, in the Enter password box, type the password you
noted in the previous task and then click OK.
4.
5.
6.
7.
8.
9.
Lesson 3
DirectAccess Deployment Wizard - simplifies deployment. The wizard can create and export
scripts, which can be reviewed, further customized, and applied manually.
Custom Scripts - primarily uses netsh.exe and is more complex, but provides vast design
flexibility.
Group Policy - only supported for configuring clients, not DirectAccess servers.
Lesson 4
BranchCache Requirements
Question: Which of the following operating systems is a requirement on client computers using
BranchCache?
Answer: The answer(s) are in bold.
Windows Vista
Windows 7
Windows XP
2.
3.
4.
5.
6. In the BranchCache Properties dialog box, on the Sharing tab, click Advanced
Sharing.
7. In the Advanced Sharing dialog box, select the Share this folder check box and then click
Permissions.
8.
9. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the
Enter the object names to select (examples) field, type authenticated users, click
Check Names, and then click OK.
10. In the Permissions for Authenticated Users list, select the Allow check box next to
Full Control and then click OK.
11. In the Advanced Sharing dialog box, click Caching.
12. Select the Enable BranchCache check box and then click OK.
13. In the Advanced Sharing dialog box, click OK.
14. In the BranchCache Properties dialog box, click the Security tab.
15. Click Edit and then click Add.
16. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the
Enter the object names to select (examples) field, type Authenticated Users, click
Check Names, and then click OK.
17. In the Permissions for Authenticated Users list, select the Allow check box next to
Full Control and then click OK.
18. In the BranchCache Properties dialog box, click the Close button.
On LON-DC1, click Start, point to Administrative Tools, and then click Group Policy
Management.
2.
3.
4.
5. Double-click Set BranchCache Distributed Cache mode, click Enabled, and then click
OK.
6.
7. Double-click Set percentage of disk space used for client computer cache, click
Enabled, under Options, type 10, and then click OK.
8.
9.
2. Click Start, click Control Panel, click System and Security, and then click Windows
Firewall.
3.
4. Under Allowed programs and features, in the Name list, select the following check boxes
and then click OK. Also ensure that the check box under Domain is selected.
5.
6.
7. At the Command Prompt, type gpupdate /force and then press ENTER.
8. At the Command Prompt, type netsh branchcache set service mode=DISTRIBUTED and then press
ENTER.
Common issues
Issue
Troubleshooting tip
BranchCache at fault?
Resources
Contents:
Microsoft Learning
Communities
Microsoft Learning
This section describes various Microsoft Learning programs and offerings.
Microsoft Learning
Search Help and Support for standard account and administrator account. For
information about groups
Adding a Disk
Partition Styles
Copy
MSDN
This section includes content from MSDN for this course.
The new Application Compatibility Toolkit (ACT) with support for Internet Explorer 8 is
available from MSDN
Communities
This section includes content from Communities for this course.
ACT 5.5
Port Numbers
Note: Not all training products will have a Knowledge Base article. If that is the case, please ask your
instructor whether or not there are existing error log entries.
Courseware Feedback
Send all courseware feedback to support@mscourseware.com. We truly appreciate your time and effort.
We review every e-mail received and forward the information on to the appropriate team. Unfortunately,
because of volume, we are unable to provide a response but we may use your feedback to improve your
future experience with Microsoft Learning products.
Reporting Errors
When providing feedback, include the training product name and number in the subject line of your e-mail.
When you provide comments or report bugs, please include the following:
Please provide any details that are necessary to help us verify the issue.
Important All errors and suggestions are evaluated, but only those that are validated are added to the
product Knowledge Base article.