Risk and Health Assessment Program for Windows Desktop Contoso

Risk and Health Assessment Program for Windows Desktop

Key Findings Report

Prepared for:

Contoso

July 8, 2009

On-Site Resource: Sunil Patil Case Number: RQ6067 Request Number: ROSS5500000394456767 Legal Disclaimer

The information in this document represents the current view of Microsoft on the content.

MICROSOFT DISCLAIMS ANY IMPLIED REPRESENTATION EXCEPT FOR THE EXPRESS WARRANTY PROVIDED IN YOUR SERVICES AGREEMENT. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, WE DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON-INFRINGEMENT, SATISFACTORY CONDITION, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO ANY SERVICES, SERVICE DELIVERABLES, FIXES, PRODUCTS, OR ANY OTHER MATERIALS OR INFORMATION.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED IN THIS DOCUMENT, NEITHER PARTY NOR THEIR CONTRACTORS WILL BE LIABLE FOR ANY INDIRECT, CONSEQUENTIAL (INCLUDING WITHOUT LIMITATION, DAMAGES FOR BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION), SPECIAL, OR INCIDENTAL DAMAGES OR DAMAGES FOR LOSS OF PROFITS OR REVENUES ARISING IN CONNECTION WITH THE INFORMATION PROVIDED IN THIS DOCUMENT, SERVICES, SERVICE DELIVERABLES, SERVICES RECOMMENDATIONS, FIXES, PRODUCTS, OR ANY OTHER MATERIALS OR INFORMATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF SUCH POSSIBILITY WAS REASONABLY FORESEEABLE.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Microsoft and Windows Desktop Risk Assessment Program (WDRAP) are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Windows Desktop Risk Assessment Program Page 2 of 82

Copyright 2009 Microsoft Corporation Table of Contents Program Overview ...... 4 Program Goals ...... 4 Program Phases ...... 4 Executive Summary ...... 5 Risk Assessment Scorecards ...... 6 Scorecard Legend ...... 6 Detailed Issues Legend ...... 6 Consolidated Scorecard ...... 7 Medium Risk Scorecard ...... 9 Low Risk Scorecard ...... 12 Operational Excellence ...... 14 Design ...... 14 Strategy ...... 15 Operate ...... 16 Transition ...... 18 Disaster Recovery ...... 20 Backup ...... 21 Monitoring ...... 24 Security ...... 25 Hardware ...... 27 BIOS ...... 27 Processor ...... 28 Physical Memory ...... 29 Video Controller ...... 30 Problem Devices ...... 31 Hard Disk Drive ...... 31 Device Driver ...... 33 Driver Installation Behavior ...... 33 Driver Validation ...... 33 Windows System Startup Process ...... 35 XPERF Boot Trace ...... 36 Boot Configuration ...... 36 Boot Drivers and Signatures ...... 37 Boot Optimizations ...... 38 Winlogon ...... 38 Interactive Logon Process ...... 39 UserEnv Log File ...... 40 System Boot and User Logon Time ...... 41 Windows System Shutdown Process ...... 42 Shutdown Optimizations ...... 42 Windows System Performance ...... 43 Processor Scheduling and Memory Management ...... 43 File System ...... 44 Event Log Sizing ...... 44 Windows Search ...... 45 Performance Information ...... 45 Windows Reliability ...... 47 Event Logs ...... 47 Windows Desktop Risk Assessment Program Page 3 of 82

Copyright 2009 Microsoft Corporation Security Updates ...... 47 System Restore ...... 47 WinSAT Rating ...... 48 Windows Reliability Rating ...... 49 Dump Configuration ...... 49 Networking ...... 52 NIC Configuration ...... 52 Diagnostics ...... 53 Wireless Services ...... 53 Tuning Parameters ...... 54 Group Policy Management ...... 55 Processing ...... 55 Asynchronous Processing ...... 56 Slow Link Detection ...... 57 Client Side Extensions ...... 58 Scripting ...... 59 Security ...... 61 Patch Management ...... 61 Windows Firewall ...... 62 Operating System Security ...... 63 Physical Device Security ...... 64 Logical Network Hardening ...... 66 Printing Security ...... 66 Microsoft Internet Explorer Security ...... 67 Power Management ...... 69 ACPI ...... 69 Device Wakeup Supportability ...... 70 Interrupt ...... 71 Processor Capabilities ...... 72 Power Management Plan ...... 73 Applications ...... 76 Application Compatibility ...... 76 Startup Programs ...... 76 Services ...... 77 Task Scheduler ...... 77 Windows Shell ...... 78 Microsoft Internet Explorer ...... 80 Microsoft Office ...... 81

Windows Desktop Risk Assessment Program Page 4 of 82

This report describes the purpose and summary findings of the Microsoft® Risk and Health Assessment Program for Windows® Desktop (WDRAP).

Program Goals WDRAP is a proactive, low-cost service offered by Microsoft that highlights Personal Computer (PC) environment risks before they can adversely affect your business operations and user base. The primary goals of WDRAP are to help you accomplish the following:

· Assess the health of your PC configuration, deployment and operational practices using a suite of data collection tools and results from your staff interviews. · Identify key areas where a PC configuration deviates from Microsoft best practices. · Develop an enterprise-class PC configuration and deployment system that is built on the Windows platform.

The recommendations outlined in this report are based on Microsoft best practices gathered through configuring, deploying and supporting Windows® based PCs.

The Microsoft IT Operations Excellence (ITOE) team developed this best practice guidance in partnership with various organizations within Microsoft including Worldwide Services, the Windows Server Product Group, and the Information Technology (IT) organization.

Program Phases The Microsoft® Risk and Health Assessment Program for Windows® Desktop is divided into three phases to provide you with accurate and reliable results. These include the Environmental Assessment phase, Analysis and Reporting phase, and the Remediation phase. The program is designed to ensure that the most qualified Microsoft delivery personnel are engaged at the right time.

Environmental Assessment Phase

Microsoft-accredited WDRAP engineer execute a series of steps to establish a thorough picture of your PC configuration and deploymenthealth. This phase is centered on understanding PC users current pain points, reviewing operational procedures, and identifying your high risk issues. A qualified engineer uses tools to collect relevant data about your current PC state and also conducts an interview with your staff that focuses on key operational risk areas such as Planning, Change Management, Monitoring, Security Policy, and Disaster Recovery. Both of these steps provide the engineer with information to evaluate the health of your cluster server environment. Analysis and Reporting Phase

This phase involves reviewing your data, collected through automation and interviews of your staff, and checks this data for compliance with Microsoft® Windows® Desktop configuration and deployment best practices and other methodologies. Your data is systematically analyzed and compared to Microsoft® best practices to identify both significant gaps and opportunities for improvement. This report reflects the outcome of that analysis, including a detailed assessment of the current health of your environment, and also provides recommendations for addressing the risks currently present in your PCs. The Microsoft engineer also provides your IT staff with information about how to use the data collection tool, how to interpret and understand the report findings, and how to remediate the identified issue. Remediation Phase

The recommendations provided by Microsoft in the key findings report will enable you to improve the stability and availability of your PCs. After the identified issues are remediated, you should see marked performance improvement and reduction in incidents. Greater stability and availability of your PCs can lead to increased user satisfaction and potential productivity gains.

Windows Desktop Risk Assessment Program Page 5 of 82

Copyright 2009 Microsoft Corporation Executive Summary Microsoft has conducted a risk assessment of your Personal Computers (PCs) through staff interviews and by running a suite of tools to collect data from PCs and its dependencies such as the Domain Controllers (DCs), network infrastructure, physical hardware, and Domain Name System (DNS).

The accredited Microsoft professional from the Premier Field Engineering (PFE) organization, in partnership with the Microsoft® Information Technology Operational Excellence (ITOE) organization, analyzed the collected data and prepared this key findings report.

WDRAP Delivery PFE Comments Go Here...

The results of the findings from this engagement indicated that overall, Contoso’s PC environment is at high risk and issues exist that must be addressed immediately to prevent significant disruptions with your users.

The critical issues listed below, however, are the most urgent ones identified during this engagement. Immediate resolution of these issues is vital to the continued health of your PCs.

· Networking / Diagnostics : Single-Label domain name used · Operational Excellence / Backup : The organization does not have a formal backup and restore process · Operational Excellence / Disaster Recovery : The organization does not have service continuity plans in place that be performed by any member of the IT staff. · Operational Excellence / Monitoring : The organization has not implemented management packs or guides to monitor the service environment. · Operational Excellence / Operate : The organization does not have a formal Incident Management Process · Operational Excellence / Strategy : Customer does not appreciate the products and services offered by their key vendors. · Operational Excellence / Transition : The organization does not have a change management process.

Subsequent sections of this report contain an in-depth description of all issues identified in each of your PCs. A step-by-step guidance for the remediation of these issues is included in the relevant sections of this report.

Windows Desktop Risk Assessment Program Page 6 of 82

Scorecard Legend The following scorecard is a consolidated view of the risk assessment, based on the collected data and the answers provided during the operational interview. Using a scale of High, Medium, and Low, the scorecard illustrates the likelihood of encountering issues in a specific category.

Indicates that no significant issues were found in this area that posed a future risk to Low service.

Indicates that issues were identified that should be addressed in the near-term to Medium prevent future disruptions in service.

Indicates that critical issues exist that must be addressed immediately to prevent High significant disruptions in service.

Additionally, overall risk levels for each major category are determined based on the cumulative results of its subcategories. Categories containing at least one high-risk issue will be presented as High risk. Categories containing Medium or Low risk issues will be presented as such unless the cumulative values of the identified issues indicate a high-risk level.

Subsequent to the consolidated scorecard, the High, Medium, and Low scorecards are presented to show you the specific issues within the major and minor categories that were identified in each of these risk areas.

Detailed Issues Legend

For readability, each issue presented in this report is prefaced with one of the following icons to indicate its criticality:

Indicates a critical issue. Immediate resolution of this issue is vital to the continued health of your cluster environment (Critical Issues are presented as High Risk in the scorecards)

Indicates a high-risk issue which should be addressed immediately to prevent significant disruptions in service

Indicates a medium-risk issue which should be addressed in the near-term to prevent future disruptions in service

Indicates a low-risk issue has occurred or is imminent

A minor problem or configuration issue has been found that should be reviewed

Windows Desktop Risk Assessment Program Page 7 of 82

Copyright 2009 Microsoft Corporation Consolidated Scorecard WindowsDesktop Consolidated Scorecard Before After Applications High High Application Compatibility Low Low Microsoft Internet Explorer Medium Medium Microsoft Office High High Services Medium Medium Startup Programs Medium Medium Task Scheduler Low Low Windows Shell Medium Medium Device Driver Low Low Driver Installation Behavior Low Low Driver Validation Low Low Group Policy Management Medium Medium Asynchronous Processing Low Low Client Side Extensions Medium Medium Processing Low Low Scripting Medium Medium Slow Link Detection Low Low Hardware High High BIOS Low Low Hard Disk Drive High High Physical Memory Medium Medium Problem Devices Medium Medium Processor Low Low Video Controller Low Low Networking High High Diagnostics High High NIC Configuration Medium Medium Tuning Parameters Low Low Wireless Services Low Low Operational Excellence High High Backup High High Design Medium Medium Disaster Recovery High High Monitoring High High Operate High High Security Medium Medium Strategy High High Transition High High Power Management Medium Medium ACPI Medium Medium Device Wakeup Supportability Low Low Interrupt Medium Medium Power Management Plan Medium Medium Windows Desktop Risk Assessment Program Page 8 of 82

Copyright 2009 Microsoft Corporation Processor Capabilities Medium Medium Security High High Logical Network Hardening Medium Medium Microsoft Internet Explorer Security Low Low Operating System Security High High Patch Management High High Physical Device Security Medium Medium Printing Security Medium Medium Windows Firewall High High Windows Reliability High High Dump Configuration Medium Medium Event Logs High High Security Updates Low Low System Restore Low Low Windows Reliability Rating Medium Medium WinSAT Rating High High Windows System Performance Medium Medium Event Log Sizing Low Low File System Medium Medium Performance Information Low Low Processor Scheduling and Memory Management Medium Medium Windows Search Medium Medium Windows System Shutdown Process Low Low Shutdown Optimizations Low Low Windows System Startup Process High High Boot Configuration Low Low Boot Drivers and Signatures Medium Medium Boot Optimizations High High Interactive Logon Process Low Low System Boot and User Logon Time Medium Medium UserEnv Log File Low Low Winlogon Low Low XPERF Boot Trace High High High Risk Scorecard WindowsDesktop High Risk Scorecard Before After Applications Microsoft Office Default printer is pointing to a network location High High Hardware Hard Disk Drive PIO Mode Is Used for HDD Connectivity High High Networking Diagnostics Single-Label domain name used High High Operational Excellence Windows Desktop Risk Assessment Program Page 9 of 82

Copyright 2009 Microsoft Corporation Backup The organization does not have a formal backup and restore process High High Disaster Recovery The organization does not have service continuity plans in place that be High High performed by any member of the IT staff. Monitoring The organization has not implemented management packs or guides to High High monitor the service environment. Operate The organization does not have a formal Incident Management Process High High Strategy Customer does not appreciate the products and services offered by their High High key vendors. Transition The organization does not have a change management process. High High Security Operating System Security User Account Control (UAC) for Build-In Administrators is disabled High High Patch Management Service Pack installed for the Operating System is not up-to-date High High Windows Firewall Windows Firewall Service is not started High High Windows Reliability Event Logs Event ID 1025, UserEnv: Cache Option for Roaming Profiles enabled High High WinSAT Rating WinSAT Base Score Rating 1.0 – 1.9 High High Windows System Startup Process Boot Optimizations Boot optimization is disabled High High XPERF Boot Trace Boot Phase: Average CPU Utilization more than 90% High High Medium Risk Scorecard WindowsDesktop Medium Risk Scorecard Before After Applications Microsoft Internet Explorer Internet Explorer Browser version is not up-to-date Medium Medium Services Service Alerter is not disabled Medium Medium Startup Programs Applications are configured in the Registry to automatically start after user Medium Medium logon Windows Shell Visual effects are configured to Let Windows choose Medium Medium Group Policy Management Client Side Extensions Windows Desktop Risk Assessment Program Page 10 of 82

Copyright 2009 Microsoft Corporation Client Side Extension Is Configured to Always Apply Settings Medium Medium Scripting Maximum Wait Time for Group Policy Scripts Is Not Configured Medium Medium Hardware Physical Memory Total physical memory is low Medium Medium Problem Devices Device Not Working Properly Is Detected Medium Medium Networking NIC Configuration Network controllers are using APIPA to get an IP address Medium Medium Operational Excellence Design The organization does not involve partners in a security review when Medium Medium deploying or upgrading a new solution Security BIOS settings are not protected through system BIOS password Medium Medium Power Management ACPI Old ACPI driver version is detected Medium Medium Interrupt Amount of interrupts per second is very high Medium Medium Power Management Plan Power Plan is set to "High Performance" Medium Medium Processor Capabilities Windows is not prevented from creating an artificial processor performance Medium Medium state control domain on a multi-core system Security Logical Network Hardening IP source routing is not disabled Medium Medium Physical Device Security Users are not prevented from installing devices Medium Medium Printing Security Point and Print Restrictions are not Enabled Medium Medium Windows Reliability Dump Configuration Kernel Dumps were found Medium Medium Windows Reliability Rating Windows Reliability Rating below 7.0. Medium Medium Windows System Performance File System Volume is not formatted with NTFS Medium Medium Processor Scheduling and Memory Management Processor Scheduling mode configured to “System” Medium Medium Windows Search Windows Search version is outdated Medium Medium Windows Desktop Risk Assessment Program Page 11 of 82

Copyright 2009 Microsoft Corporation Windows System Startup Process Boot Drivers and Signatures System boot driver files are missing Medium Medium System Boot and User Logon Time System Boot and User Logon Time Exceeds Expected Maximum Time of 5 Medium Medium Minutes

Windows Desktop Risk Assessment Program Page 12 of 82

Copyright 2009 Microsoft Corporation Low Risk Scorecard WindowsDesktop Low Risk Scorecard Before After Applications Task Scheduler Custom Task Scheduler entries are defined Low Low Device Driver Driver Installation Behavior Windows Update Driver Search Process enabled. Low Low Driver Validation Random Device Driver Verification enabled. Low Low Group Policy Management Asynchronous Processing Always Wait For Network Is Enabled Low Low Processing Turn Off Local Group Policy Objects Processing Is Not Enabled Low Low Hardware Video Controller Total used memory for Video Card is high or cannot be evaluated. Low Low Networking Tuning Parameters Network based long file name caching is disabled Low Low Wireless Services Wireless adapter is not disabled Low Low Security Microsoft Internet Explorer Security Security_HKLM_Only is enabled Low Low Windows Reliability System Restore System Restore is enabled. Low Low Windows System Performance Event Log Sizing Event Log file sizes are large Low Low Windows System Shutdown Process Shutdown Optimizations AutoEndTasks is disabled Low Low Windows System Startup Process Boot Configuration Missing optional boot configuration parameters, /nodebug and /noguiboot, Low Low for Windows XP Interactive Logon Process High amount of locally cached profiles Low Low UserEnv Log File UserEnv failure detected: Cannot process autoexec.bat Low Low Winlogon PreferLogonDC is configured Low Low

Windows Desktop Risk Assessment Program Page 13 of 82

The Microsoft Operations Framework (MOF) provides operational guidance that enables organizations to achieve the mission-critical system reliability, availability, supportability, and manageability of Microsoft products. With this guidance, you can assess your current IT service management maturity, prioritize your most important processes, and apply proven principles and best practices to optimize the management of your server clustering platform.

MOF guidance consists of four categories, or quadrants, that together form a continuous cycle of system and process improvement. These include:

• Supporting Quadrant – The activities and processes that are performed to resolve user-generated and system-generated queries, issues, or problems fall within the domain of the MOF Supporting Quadrant. This quadrant contains those processes and practices that are required to fully support the efficient use of an IT infrastructure. The key sets of activities or Service Management Functions (SMFs) that MOF identifies within this quadrant include Incident Management, Problem Management, and Service Desk. In addition, service level agreements (SLAs) document the performance and availability commitments made by IT to the consumers of its systems.

• Optimizing Quadrant – The MOF Optimizing Quadrant encompasses processes and IT functions dedicated to planning and implementing enhancements to the IT environment through a continuous cycle of process improvement. As organizations mature and become more capable in their service management, SMFs in the Optimizing Quadrant ensure tighter alignment of operations with business needs and long-term business strategies. The eight key SMFs within the Optimizing Quadrant include Availability Management, Capacity Management, Financial Management, Infrastructure Engineering, IT Service Continuity Management, Security Management, Service Level Management, and Workforce Management.

• Changing Quadrant – The MOF Changing Quadrant describes processes, responsibilities, reviews, and best practices that help organizations manage the changes to their IT infrastructure. Through the classification of change types, including appropriate assignment of authorization responsibilities and consistent change management and release processes, those organizations that follow MOF best practices can reduce incompatible and conflicting changes and also streamline their release efforts. The three key SMFs in this quadrant include Change Management, Configuration Management, and Release Management.

• Operating Quadrant – The MOF Operating Quadrant consists of a collection of processes and IT functions dedicated to the ongoing maintenance, monitoring, control, and protection of IT infrastructure assets. Efficient implementation of MOF best practices in this quadrant enables IT organizations to move beyond simple infrastructure maintenance to proactive measures that help optimize performance. MOF identifies seven key SMFs within this quadrant. These include Directory Services Administration, Job Scheduling, Network Administration, Security Administration, Service Monitoring and Control, Storage Management, and System Administration.

Design Effective design contributes towards the delivery of quality services that meet or exceed customer expectations. This phase gives IT professionals the tools to more effectively deliver IT services, infrastructure projects, or packaged product deployments, and helps to ensure that those services are envisioned, planned, built, stabilized, and deployed in line with business requirements and the customer’s specifications.

Windows Desktop Risk Assessment Program Page 15 of 82

Copyright 2009 Microsoft Corporation Issue The organization does not involve partners in a security review when deploying or upgrading a new solution Importance Security is an ongoing, always changing, concern. An experienced Security team and a well-developed process are required to ensure that ongoing changes are propagated to the applications.

Best Practice Security must be included in Architecture design and not handled once the architecture Guidance or design has been implemented.

Recommended Design and configuration changes made to a server have the potential for introducing Resolution risk to the environment. To reduce the effect of this risk, all new designs and core changes should undergo a formal security review. In addition, to support this strategy, an organization should define a security process with an understanding of the business requirements and the process for its implementation.

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Strategy Services provided by IT should align with the company Business Strategy. It is vital for IT platform to be clear on what it is able to provide today and what it needs to be able to provide in the future. IT may also be able to influence Business Strategy by what it could provide through use of new technology.

This phase provides guidance on how to continually plan for and optimize the IT service strategy. It helps to deliver services that are: • Valuable and compelling for the overall business • Predictable and reliable • Compliant with your policies • Cost-effective • Adaptable to the changing needs of the business

Issue Customer does not appreciate the products and services offered by their key vendors. Importance An understanding of a vendors applications and services can be leveraged as a vital part of an organizations planning for the future of their IT environment.

Best Practice Engage with suppliers to provide roadmaps, showing the evolution of their products and Guidance offerings over time, as well as where they plan on going in the near future. Future plans are, of course, subject to change.

Windows Desktop Risk Assessment Program Page 16 of 82

Copyright 2009 Microsoft Corporation Recommended Speak to vendors and ensure they provide roadmaps for their future products. Many Resolution vendors like Microsoft will be able to arrange for an Executive Briefing which will be carried out over several days to discuss the roadmap and the organizational challenges of the Customer. This should occur annually at least.

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Operate Once Services have been successfully delivered into the production environment they need to be managed effectively on a day to day basis. It is here where service users interface and your performance as a service provider are measured. This phase helps IT professionals efficiently operate, monitor, and support deployed services in line with existing service level agreement (SLA) targets.

Issue The organization does not have a formal Incident Management Process Importance All organizations experience incidents that either impact or threaten to impact the normal running of the business. As businesses have become increasingly dependent upon their IT services, the need to react quickly and effectively to any incidents that adversely affect IT services or infrastructure has become paramount.

Best Practice All organizations experience incidents that either affect or threaten to affect the normal Guidance running of the business. Also, businesses have become increasingly dependent on their IT services. Thus, it is essential to react quickly and effectively to any incident that adversely affects IT services or the infrastructure.

Incident management is a critical process that allows organizations to first detect an incident and then target the correct support resources in order to resolve the incident as quickly as possible. The process also provides management with accurate information about the incident so they can identify the required support resources and plan for their provision.

By using the incident management process, organizations can ensure that their support resources are focusing on the issues having the greatest urgency and the greatest impact, potentially, on the business. Without the control and management information provided by this process, organizations cannot be assured that their often substantial investment in IT support is truly meeting their objectives.

Key benefits of incident management include the following: · Timely incident resolution, thus resulting in minimized business impact · Improved utilization of support resources · Better understanding of the impact of incidents on SLA targets, thus allowing improved prioritization · Accurate information on the incidents that are occurring · Elimination of lost incidents and service requests · Increased availability of management information.

Recommended Implement a problem management process in line with best practices for ITIL or MOF. Resolution When implementing any process, the following should be considered: · Do not be overly ambitious · Consider what elements already exist, are in use, and are effective Windows Desktop Risk Assessment Program Page 17 of 82

The costs of implementing a process will include the following and should be budgeted for appropriately: · Setup vs. Ongoing vs. Enhancement · Cost must provide business benefit · Consider the cost of not taking action · Transfer - Staff from other areas of IT to assist · Hardware - PCs, printers, and servers to run tools · External - Consultants and contractors · Software - ITSM toolset, alert tools, spreadsheet tools, MS-Office · Personnel - Salaries, training, benefits · Accommodation - Office space, computer equipment room space, utilities

The following are common issues when implementing new processes: · Lack of commitment (IT, customer, management) · Resistance to incident · Knowing where to start · Over expectation, over commitment · Lack of tools, training, resources · Culture and geography of organization · Bypassing procedures · Cost justification

To assist in overcoming such problems, there must be clear guidelines in place about roles and responsibilities. The following should be defined early on: · Who is the process owner · What are the roles within the process · What skills are required to perform the roles · Relationships with other IT service management disciplines · Relationship with the rest of IT

Defining KPIs to assist in the measurement of the process and its ongoing success should also be defined. You must also ensure that the KPIs: · Are measurable · Are reported in terms that make sense to the recipient · Prove efficiency and effectiveness of process · Are reported as a percentage

Many organizations try to implement new processes through the purchase of a tool. However, selecting a service management tool must be done carefully and include the following considerations: · Process must come first · Tool should meet all mandatory requirements · Provide an 80% fit with operational requirements · Require little product customization · Conform with ITIL (consider verification products such as PinkVerify) · Sound data structure and handling, such as reporting capability · Service management driven, not technology driven · Admin and maintenance costs are within budget

In addition, choose your own reference site and try to visit it independently.

Windows Desktop Risk Assessment Program Page 18 of 82

Copyright 2009 Microsoft Corporation Recommended Incident Management Reading http://www.microsoft.com/technet/solutionaccelerators/cits/mo/smf/smfincmg.mspx Customer Service Service Management Function http://technet.microsoft.com/en-us/library/cc543262.aspx

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Transition Successfully bringing a well-designed service into the production environment takes efficient transition planning and execution. It is necessary to deliver new or changed services with the appropriate balance of speed, reliability and safety while ensuring minimum disruption to operations.

This area helps IT Pros coordinate processes described in the lifecycle phase SMFs, and provides guidance about: • Establishing decision-making processes • Employing risk management and controls as part of all processes • Promoting change and configuration processes that are appropriately controlled • Dividing work so that accountabilities for results are clear and do not conflict

Issue The organization does not have a change management process. Importance The objective of Change Management is to ensure that standardized methods and procedures are used for efficient and prompt handling of all changes to controlled IT infrastructure, in order to minimize the number and impact of any related incidents upon service. Change Management can ensure standardized methods, processes and procedures are used for all changes, facilitate efficient and prompt handling of all changes, and maintain the proper balance between the need for change and the potential detrimental impact of changes.

Best Practice Implement a Change Management process in line with the good practice of ITIL or MOF. Guidance

Windows Desktop Risk Assessment Program Page 19 of 82

Copyright 2009 Microsoft Corporation Recommended When implementing any process the following should be considered: Resolution · Do not be over ambitious · Consider what elements already exist, are in use and effective · Identify what can be re-used or needs to be developed · Adapt the guidelines to meet your requirements · The costs of implementing an process will include the following and should be budgeted for appropriately: · SET UP vs. ONGOING vs. ENHANCEMENT · Cost must provide Business Benefit · Consider cost of NOT taking action · TRANSFER - staff from other areas of IT to assist · HARDWARE - PCs, Printers, servers to run tools etc. · EXTERNAL - consultants, contractors · SOFTWARE - ITSM toolset, alert tools, spreadsheet tools, MS-Office etc, · PEOPLE - salaries, training, benefits etc. · ACCOMMODATION - office space, computer equipment room space, utilities etc.

The following issues are common when implementing new processes: · Lack of commitment (IT, Customer, Management) · Resistance to change · Knowing where to start · Over expectation/Over commitment · Lack of Tools, Training, Resources · Culture/Geography of organization · By-passing procedures · Cost justification

To assist in overcoming such problems there must be clear guidelines in place regarding roles & responsibilities. Define early on: · Who is the process owner · What are the roles within the process · What skills are required to perform the roles · Relationships with other IT Service Management disciplines · Relationship with rest of IT · Defining KPIs to assist the measurement of the process and its ongoing success should also be defined but ensure that the KPIs: · Must be measurable · Reported in terms which make sense to recipient · Prove efficiency and effectiveness of process · Reported as a) number of b) percentage of · Many organizations attempt to implement new processes through the purchase of a tool but the selection of any Service Management tool must be carefully made, when selecting a Supporting Service Management Tool consider: · Process MUST come first · Meet all mandatory requirements · 80% fit to operational requirements · Little product customization · ITIL conformance (Consider verification products such as PinkVerify) · Sound data structure and handling (can get data out - reporting) · Service management driven - not technology driven · Admin and maintenance costs within budget · Choose your own reference site and try to visit independently

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Windows Desktop Risk Assessment Program Page 20 of 82

Disaster recovery is one of the most important functions of a cluster server administrator. Recovering from many disasters frequently requires the coordination of multiple individuals, across multiple teams. Without a predefined plan for activating and coordinating these critical resources, the success of your recovery cannot be assured.

A fully documented disaster recovery plan reduces the time spent deciding what to do, helps keep those involved up-to-date, and ensures that your organization can recover as quickly and efficiently as possible. Your plan should also ensure that the services and infrastructure that the cluster server relies upon are available, reliable, and recoverable. An additional benefit in creating a disaster recovery plan is that during the planning and development process, you may discover areas where your systems are vulnerable. These vulnerabilities can then be reduced or removed to make your systems more robust and recoverable.

Issue The organization does not have service continuity plans in place that be performed by any member of the IT staff. Importance In most cases, recovering from disaster requires the involvement of multiple personnel and resources. Without a predefined plan for activating, and more importantly, coordinating these resources, the success of your recovery is left to circumstance.

Best Practice If mission-critical or line-of-business applications are taken offline by a disaster, any Guidance delay in restoring them could have a serious effect on your business. One major factor that can prolong recovery from disaster is the time spent determining which step to perform next. An effective disaster recovery plan reduces downtime by keeping all parties informed about the current status and indicates what steps should be performed and in what order. An additional benefit in creating a disaster recovery plan is that during the plan development process, you can discover areas where your systems are vulnerable. This allows you to then address these vulnerable areas and thus make your systems more robust and recoverable. Service Continuity and Disaster recovery are the process, policies and procedures of restoring operations critical to the resumption of business, including regaining access to data (records, hardware, software, etc.), communications (incoming, outgoing, toll-free, fax, etc.), workspace, and other business processes after a natural or human-induced disaster.

Windows Desktop Risk Assessment Program Page 21 of 82

Copyright 2009 Microsoft Corporation Recommended To increase the opportunity for a successful recovery of valuable records, a Resolution well-established and thoroughly tested disaster recovery plan must be developed. This task requires the cooperation of a well-organized committee led by an experienced chairperson. A disaster recovery plan (DRP) should also include plans for coping with the unexpected or sudden loss of communications and/or key personnel, although these are not covered in this article, the focus of which is data protection. Disaster recovery planning is part of a larger process known as business continuity planning (BCP).

Prior to selecting a Disaster Recovery strategy, the Disaster Recovery planner should refer to their organization's business continuity plan which should indicate the key metrics of Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for various business processes (such as the process to run payroll, generate an order, etc). The metrics specified for the business processes must then be mapped to the underlying IT systems and infrastructure that support those processes. Once the RTO and RPO metrics have been mapped to IT infrastructure, the DR planner can determine the most suitable recovery strategy for each system. An important note here however is that the business ultimately sets the IT budget and therefore the RTO and RPO metrics need to fit with the available budget. While most business unit heads would like zero data loss and zero time loss, the cost associated with that level of protection may make the desired high availability solutions impractical. The following is a list of the most common strategies for data protection. - Backups made to tape and sent off-site at regular intervals (preferably daily) - Backups made to disk on-site and automatically copied to off-site disk, or made directly to off-site disk - Replication of data to an off-site location, which overcomes the need to restore the data (only the systems then need to be restored or synced). This generally makes use of Storage Area Network (SAN) technology - High availability systems which keep both the data and system replicated off-site, enabling continuous access to systems and data In many cases, an organization may elect to use an outsourced disaster recovery provider to provide a stand-by site and systems rather than using their own remote facilities. In addition to preparing for the need to recover systems, organizations must also implement precautionary measures with an objective of preventing a disaster situation in the first place. These may include some of the following: - Local mirrors of systems and/or data and use of disk protection technology such as RAID - Surge Protectors - to minimize the effect of power surges on delicate electronic equipment - Uninterruptible Power Supply (UPS) and/or Backup Generator to keep systems going in the event of a power failure - Fire Preventions - more alarms, accessible fire extinguishers - Anti-virus software and other security measures.

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Backup

Backing up data is a critical process required. The process of performing regularly scheduled test restores of data, to verify both storage and data integrity and the integrity of backup hardware and processes is equally important. Investment in a solid backup system and accompanying restore process as well as

Windows Desktop Risk Assessment Program Page 22 of 82

Without data recovery processes in place, no matter how stable the service is itself is, the loss of that data will ultimately devalue the entire solution. Customers that experience a wholesale loss of business critical data will subsequently encounter serious business problems moving forward.

Issue The organization does not have a formal backup and restore process Importance Storing, restoring, and recovering data are key storage management operational activities surrounding one of the most important business assets: company data. These activities ensure that data are stored properly and available for both restore and recovery, according to business requirements.

Best Practice Data should be classified according to type, and a strategy should be developed to Guidance ensure that backup, restore, and recovery operations can be performed to fulfill business requirements and service level objectives. Storing, restoring, and recovering data are key storage management operational activities surrounding one of the most important business assets: company data. These activities ensure that data are stored properly and available for both restore and recovery, according to business requirements. Data should be classified according to type, and a strategy should be developed to ensure that backup, restore, and recovery operations can be performed to fulfill business requirements and service level objectives.

Recommended One of the first steps that operations must execute before developing a good backup Resolution strategy is to classify the various types of data in the IT environment. For example, most organizations do not back up user data, which is defined as personal data not related to the business. Thus, user data is a type of data that could be eliminated from scheduled backups. As a result, it would then be up to the individual users to store their data. A good rule is to classify data according to its business impact. For example, there is some data that a company must have available or the business cannot run, such as a parts list for a manufacturing company. This type of data has a high business impact and thus should be classified accordingly. There may also be data that does not have to be online all the time, but must be available when needed. An example of this would be testing data generated by medical companies performing drug research. This too could be classified as high business impact, because the company would be at risk if a product was flawed and the company could not produce testing data for the past several years. Therefore, determine for each of the different data types how much data needs to be stored. Your strategy will be affected by whether you are dealing with terabytes of data or megabytes. Understanding this will also help to determine the types of devices required for doing the backup, the media type required, and whether there is sufficient time for the backup or if an online storage method must be considered. Now that the types of data in the environment and the storage needs of each data type are known, you must determine where the data is located. This information is critical in determining the technologies needed to implement the backup strategy. For example, in a geographically distributed environment with servers located across the country, or worldwide, a centralized backup solution could result in flooding the networks with backup data. This could have a potentially serious impact on business productivity. In such a case, a localized backup solution may need to be considered, and perhaps even an automated mode, to reduce cost. Another critical piece of information required to develop a backup strategy is estimating the projected growth of data by type. IT should make sure that the backup strategy Windows Desktop Risk Assessment Program Page 23 of 82

Copyright 2009 Microsoft Corporation developed is not quickly outdated. Future plans about the projected number of users and what type of data they create should also be considered. If the company is planning to hire 100 new employees, the amount of user and business data will grow accordingly. Therefore, prepare for the future and build in the required capacity. Information technology (IT) operations need to determine the performance requirements for backups, restores, and recovery. These requirements should also align with business needs. In developing SLAs, specific service level objectives (metrics) regarding backup, restore, and recovery performance are defined, negotiated, and agreed upon between the different business units and IT. Note that these service level objectives must be monitored for compliance with SLAs to ensure that both IT and customer commitments are being met. A company's most pertinent, critical data resides in databases. Each database is different, so be certain to take advantage of the tools offered by database vendors for backing up, restoring, and recovering data contained in their different databases. Determine how often the data needs to be backed up per data type. For example, user work files may be backed up on a daily basis, while system data is backed up on a weekly basis. Critical database transactions may be backed up twice a day. Also determine the allowable timeframe for performing a backup. For instance, user files can be backed up any time users are not working on them. However, some transactional databases may only have a few hours available for backup. Evaluate the amount of data requiring backup, the existing infrastructure, and the technologies to use to estimate the time required for each backup. In the case of offline backups, all these factors can affect a user's access to data. For this reason, calculations for backup time requirements should be compared to specific business requirements. If the business requires that users have access to data 22 hours per day, a four-hour offline backup will not work. Thus, another solution would be required (for example, online backup, SAN, and so on). The allowable timeframe for data recovery on a per data type basis must be known. For example, it might be perfectly acceptable to take two days to restore some user files, while company business data might have to be recovered within two hours. When determining allowable recovery time, remember that this includes a combination of the time needed to access the storage media plus the time required to actually restore the data to disk. The clearest example of this is when a full system recovery is required and media must be obtained from offsite storage. This information is used to determine the specific backup schedules enforced by operations. When developing the requirements for different data types, also plan for each type how the storage media should be secured and maintained. For instance, high business impact data should be backed up regularly and also periodically stored offsite. User data, if backed up at all, will not require offsite storage. Security restrictions for data both onsite and offsite will also have to be gauged. Again, the data classification can help determine the security needs. In addition, determine the length of storage time per data type. For example, user files may need to be kept for only three weeks, while information about company employees may need to be kept for five years.

Consider the following types of data and information when planning for offsite storage: · Full backup of the entire system, done weekly · Contents of the Definitive Software Library · Copy of information required to re-install and reconfigure network hardware · Documents required to support an insurance claim, such as hardware and software inventory records, and copies of purchase orders or receipts for computer hardware and software.

Windows Desktop Risk Assessment Program Page 24 of 82

Copyright 2009 Microsoft Corporation Recommended Problem Management Reading http://www.microsoft.com/technet/solutionaccelerators/cits/mo/smf/smfprbmg.mspx Customer Service Service Management Function http://technet.microsoft.com/en-us/library/cc543262.aspx

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Monitoring

Monitoring a cluster server environment is critical to successful operations. Ineffective or absent monitoring can lead to a significant impact on performance, availability, and security. It can also lead to a degraded client experience going unnoticed by those responsible for timely response and resolution.

Thus, it is critical to design and deploy an effective monitoring system. Effective monitoring can drive improvements in performance, availability, and security of a cluster server environment. Consequently, it is essential that service levels are taken into consideration in the design and deployment of a cluster server monitoring solution.

Issue The organization has not implemented management packs or guides to monitor the service environment. Importance It is essential to apply an engineering focus to the design and deployment of a service in an enterprise environment. It is just as important to apply a similar focus to the design and deployment of an effective monitoring system. Effective monitoring can drive improvements in performance, availability, and the security of a service deployment. Therefore, make sure that service levels are considered in the design and deployment of a service monitoring solution. Of these considerations, the following two are very important: Time Required for Alerts to Reach the Console The time that is required for a generated alert to reach the operator's console will directly affect the ability of the operator to respond in a timely manner. In Microsoft IT, this metric is measured against a service level agreement (SLA) of 90 percent of alerts reaching the operator's console within one minute. Alert-to-Ticket Ratio Although there are many ways to measure the effectiveness of a monitoring solution, the alert-to-ticket (service request) ratio is an indispensable metric. For example, if the operator is presented with too many alerts that do not require action, there is a risk that the operator may ignore some of the information being presented by the monitoring solution. The perfect state would be one in which every alert presented to the operator requires action. However, to ensure effective monitoring, even this state would require measuring the number of actions required without an associated alert.

Best Practice Implement monitoring and vendor supplied management packs for the service. Guidance

Windows Desktop Risk Assessment Program Page 25 of 82

Copyright 2009 Microsoft Corporation Recommended · Implement monitoring on the service Resolution · Ensure that a monitoring agent or system is in place to gather Event log and Performance Monitor data for key health indicators of the environment. · Identify and ensure that rules are implemented to surface alerts for actionable events that affect the service. · Ensure that alerts based on this data are gathered and surfaced at a centralized console accessed by the individuals who have responsibility for resolving such issues.

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Security

Security is an important part of system infrastructure. Any information system with a weak security foundation can eventually experience a security breach. In addition, depending on the information system and the severity of the breach, these breaches can range from data disclosure and loss of system availability to data corruption and even complete data loss.

Security can be separated into six categories, all of which are equally important in helping ensure the confidentiality, integrity, and availability of data. The categories include:

· Identification ─ Identification deals with user names and how users identify themselves to a computer system.

· Authentication ─ Authentication deals with passwords, smart cards, biometrics, and so forth. Specifically, authentication is how users demonstrate to the system that they are who they say they are.

· Access Control (also called authorization) ─ Access control deals with the access and privileges granted to users so they can perform certain functions on a computer system.

· Confidentiality ─ Confidentiality deals with encryption. Specifically, confidentiality mechanisms ensure that only authorized individuals are able to see data stored on or traversing the network.

· Integrity ─ Integrity deals with checksums and digital signatures. Specifically, integrity mechanisms ensure that data is not garbled, lost, or changed when traveling across the network.

· Non-repudiation ─ Non-repudiation is a means for providing proof of data transmission or receipt so that the occurrence of a transaction cannot be denied.

Another very important aspect of security is auditing. Audit logs might be the only indication that a security breach has occurred. Or, if the breach is discovered in some other way, correct audit settings can generate an audit log that helps administrators pinpoint the location and the perpetrator of the breach.

Windows Desktop Risk Assessment Program Page 26 of 82

Copyright 2009 Microsoft Corporation Issue BIOS settings are not protected through system BIOS password Importance Password protection for the BIOS can prevent unauthorized users who have physical access to your systems from booting from removable media. The security measures you should take to protect your environment against such attacks depend on the sensitivity of the information that the workstation contains and the location of the computer.

Recommended The BIOS settings are not secured by using an administrative system password. Users Resolution may change BIOS settings as well as the boot order of devices. They can start preinstallation environments or mini-os images from optical disk to reconfigure the corporate client build.

It is strongly recommended that you secure the BIOS settings with passwords.

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Windows Desktop Risk Assessment Program Page 27 of 82

Computer hardware can include the following parts:

· Motherboard . The motherboard is sometimes referred to as the mainboard or system board. It holds the CPU, memory, and slots for expansion cards.

· Power Supply

· Storage Controller

· Integrated Drive Electronic (IDE), Small Computer System Interface (SCSI)

· Serial Advanced Technology Attachment (SATA), Fiber-optic Connector (FC)

· Hard Drive

· Floppy, CD-ROM, Hard Drive, Solid State Drive (SSD)

· Display Adapter

· Graphics Card and Monitor

· Interface Controller

· Parallel, Serial, Universal Serial Bus (USB), Firewire

· Input devices such as the mouse and keyboard

BIOS

On x86-based computers, BIOS is the set of essential software routines that test hardware at startup, start the operating system, and support the transfer of data among hardware devices. The BIOS is stored in read-only memory (ROM) so that it can be executed when you turn on the computer. Although critical to performance and energy savings, the BIOS is usually invisible to computer users.

The BIOS plays an essential role for all of the hardware components and their interaction. Using older versions of BIOS can lead to problems in power management, stability and functionality.

Windows Desktop Risk Assessment Program Page 28 of 82

Copyright 2009 Microsoft Corporation Issue BIOS Version is older than 6 months Importance Microsoft recommends installing the newest BIOS Version to avoid possible incompatibilities with the Windows® operating system and to prepare the PC for future Windows installations.

Also, any problems with power management, as well as general operations that could rely on Advanced Configuration and Power Interface (ACPI) such as startup and shutdown, rely on having the newest BIOS installed.

When manufacturers release a new motherboard, the BIOS on the board is already flashed. Because technology advances in quantum leaps, it is very important to keep in mind that new products are constantly being released.

Flashing your BIOS to the latest release is crucial because it enhances your system's capabilities, helps it to detect newer devices and components (bigger hard drives, newer processors, and so forth), and improves stability. In addition, manufacturers often include a series of bug fixes in their latest BIOS flashes.

Recommended It is recommended that you regularly check for new BIOS releases and install the Resolution update after verifying the package. There is always a change log included with every newer BIOS release that should be read first. It helps you decide whether or not it is worth it to flash that specific version.

Updating BIOS should only be done if necessary (for example, to solve a compatibility problem). It can be a complicated process, and if an error occurs, your computer could be rendered inoperable. Be sure to follow the manufacturer's instructions exactly.

Recommended BIOS: Frequently asked questions Reading http://windowshelp.microsoft.com/Windows/en-us/help/bcb67279-4986-4949-ae34-07e 6801015691033.mspx

You may experience power management-related symptoms on a computer that is running Windows Vista http://support.microsoft.com/kb/927393/

SMS 2003 Inventory Tool for Dell Update http://technet.microsoft.com/en-us/sms/bb676779.aspx

SMS 2003 Inventory Tool for Dell Update Frequently Asked Questions http://technet.microsoft.com/en-us/library/cc874667.aspx

Understanding Configuration Manager Features http://technet.microsoft.com/en-us/library/bb693873.aspx

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Processor

CPU is an acronym for Central Processing Unit, the computational and control unit of a computer. The CPU is the device that interprets and executes instructions. The CPU, or the microprocessor in the case of a microcomputer, has the ability to fetch, decode, and execute instructions and to transfer information to and from other resources over the computer's main data-transfer path, the bus. Problems in speed and recognition of Processor features can cause the system to act erratically, crash or show performance Windows Desktop Risk Assessment Program Page 29 of 82

Copyright 2009 Microsoft Corporation problems. Any problems in the correct implementation of HAL (Hardware abstraction layer) or BIOS issues will lead to day to day performance and stability issues for the user.

The speed of the processor is the base of the performance rating of the whole system. A slow processor can be the cause of a major bottleneck on the PC.

Issue The processor is not running with maximum speed. Importance The current and maximum speed of the CPU is not equal. A BIOS setting, the configuration of power management, or IntelSpeedStepping / AMD Cool'n'Quiet may reduce the system processor's speed.

Recommended It is recommended that you visit the home page of the hardware vendor and check if Resolution there are any updates for the Intel SpeedStep Technology. The BIOS, ACPI, and the chipset drivers should be checked for newer versions as well.

Recommended Different ways to determine CPU speed in Windows XP or in Windows Server 2003 Reading http://support.microsoft.com/kb/888282/en-us

Enhanced Intel SpeedStep(R) Technology How To Document http://www.intel.com/cd/channel/reseller/asmo-na/eng/203838.htm

Troubleshooting Guide for Intel SpeedStep® Technology http://www3.intel.com/cd/channel/reseller/apac/tha/products/mobile/processors/eng_p roc_mobile_p3/technical_reference/32701.htm

Energy Efficiency with AMD Cool'n'Quiet Technology http://www.amd.com/us-en/Processors/ProductInformation/0,,30_118_9485_9487%5e 10272,00.html

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Physical Memory

RAM is an acronym for random access memory. This is semiconductor-based memory that can be read and written by the central processing unit (CPU) or other hardware devices. The RAM sizing and speed of the components plays an essential role in the overall performance of the PC. Incorrect sizing will influence the way Windows pages memory out to the pagefile.sys and the speed of the used memory components has a large influence on memory intensive applications and operations.

Issue Total physical memory is low Importance Low memory results in paging operations and produces delays in working with applications and the operating system.

Due to the used chipset, hardware, or BIOS, the installed memory may not be reported correctly.

Best Practice For performance reasons, it is recommended that you use Windows XP with at least 1 Guidance gigabyte (GB) of physical RAM. For Windows Vista®, Microsoft recommends that you run with at least 2 GB of physical RAM.

Windows Desktop Risk Assessment Program Page 30 of 82

Copyright 2009 Microsoft Corporation Recommended For performance reasons, it is recommended that you use Windows XP with at least 1 Resolution GB of physical RAM. For Windows Vista, Microsoft recommends that you run with at least 2 GB of physical RAM.

Recommended The system memory that is reported in the System Information dialog box in Windows Reading Vista is less than you expect if 4 GB of RAM is installed http://support.microsoft.com/kb/929605

System requirements for Windows XP operating systems http://support.microsoft.com/kb/314865

System requirements for Windows Vista http://support.microsoft.com/kb/919183

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Video Controller

The video graphics controller is important for graphics intensive UIs and applications. Especially when working with 3d applications such as CAD programs or image rendering and video software, it is important to install a video card with high specification in regards to speed and video memory size.

Especially in mobile PC environments the video memory bus is shared with the physical memory bus and can influence the video performance of a PC.

When using a graphic intensive presentation of the desktop in Windows, make sure sure to size the video card accordingly.

Issue Total used memory for Video Card is high or cannot be evaluated. Importance If the video card is using shared memory, the amount of RAM will be deducted from physical RAM and applications and the operating system will not be able to use it anymore.

Best Practice Microsoft recommends that you use an extra hardware video card and disable the Guidance onboard video card. This will prevent the system from using shared memory and thus will give the main operating system more free RAM. This can result in less paging operations and a faster overall system performance.

Recommended It is recommended that you verify whether the video card is using shared memory or Resolution physical memory. If shared memory is being used, it is recommended that you check if there is a performance gain after replacing the video card with one that has dedicated memory, or that you limit the shared memory through BIOS settings.

Recommended Pushing the Limits of Windows: Physical Memory Reading http://blogs.technet.com/markrussinovich/archive/2008/07/21/3092070.aspx (scroll to 32-bit Client Effective Memory Limits)

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Problem Devices

Windows Desktop Risk Assessment Program Page 31 of 82

Copyright 2009 Microsoft Corporation Problem devices are devices that are reported by the operating system as not working correctly. This can be due to faulty hardware, bad drivers, or incorrect configurations.

Issue Device Not Working Properly Is Detected Importance Devices with reported issues may result in unstable and non-performing working experience.

Recommended Please check the hardware manufacturer Web site for any missing drivers and updates. Resolution Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Hard Disk Drive

Hard disk drives come in several different form factors and speeds. Newer technologies use SSD components in order to improve read and seek times as well as device power consumption. Performance on Laptops can significally differ for this reason. Laptop drives are usually smaller in a form factor perspective. This usually also means that they are slower.

The fact is, that the hard drive speed strongly determines the overall performance of the PC. The slower the drive can read and write data, the more the system will have to queue I/O operations in order to continue operating.

Some manufacturers include drive noise functionality which may reuce the amount of sound the hard drive produces but also have a performance deterioration side effect.

Speeds can vary significantly:

For a desktop drive, this is typically 5400 to 7200 rpm. But some drives can have as low as 4200 rpm and reach as much as 15000 rpm.

Issue PIO Mode Is Used for HDD Connectivity Importance Windows will turn off Direct Memory Access (DMA) mode for a device after encountering certain errors during data transfer operations. DMA is faster than the older Programmed Input/Output (PIO) transfer mode.

Recommended It is recommended that you check why the PIO mode was selected automatically or was Resolution set manually during installation. A performance increase can result by using this mode. The device drivers for chipset, bus, and controller should be also verified.

Windows Desktop Risk Assessment Program Page 32 of 82

Poor DVD playback when DVD drive is set to PIO mode http://support.microsoft.com/kb/317962

An IDE device runs in PIO mode instead of in DMA mode after you update the firmware for the device in Windows XP http://support.microsoft.com/kb/920918

IDE ATA and ATAPI disks use PIO mode after multiple time-out or CRC errors occur http://support.microsoft.com/kb/817472

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Windows Desktop Risk Assessment Program Page 33 of 82

Microsoft® Windows XP supports thousands of hardware accessories, generally referred to as devices, including printers, digital cameras, and network adapters. These extend what your computer can do. To provide this level of flexibility, Windows XP uses software called a device driver to communicate with the hardware. Every hardware device you connect to your computer has its own device driver. Over time, the manufacturer may update the driver for your device to improve its performance, to improve security, or to correct a problem.

Driver Installation Behavior

This section is about the way drivers are installed on the operating system. This can be done in several ways, such as in the OS image or even after installation.

Issue Windows Update Driver Search Process enabled. Importance If a user attaches any kind of hardware to the client, the Plug and Play (PNP) manager checks if the device is already installed. In case the device has never been used on the client, the PNP manager searches for the driver locally and on Windows Update.

Recommended In a managed environment, only tested device drivers should be allowed. This means Resolution that installation and updates must be performed with software management tools and that Windows Update capability should be moved to Windows Server Update Services (WSUS) or turned off.

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Driver Validation

There are three main aspects to driver validation: Driver Verification

Driver verification is a built-in function of Windows where drivers are randomly verified during the boot process.

Out-of-Date Device Drivers

Each hardware manufacturer releases new drivers because of bug fixes, performance enhancements, or feature enrichments. Typically, these are released every quarter, every six months, or every year, depending on the manufacturers update cycle. It is very important to check whether the new drivers solve known issues corresponding to the existing hardware environment and to also test and implement those within the normal Change Management processes.

Signature Status

Device driver signature status is very important. Because device drivers run with system-level privileges and can access anything on your computer, it is critical that you trust the device drivers you install. Trust, in this context, includes two main principles:

Windows Desktop Risk Assessment Program Page 34 of 82

· Integrity – Integrity is an assurance that the package is 100 percent intact and that it has not been modified by anyone after it was released.

Windows uses digital certificates and digital signatures to provide support for these principles.

Issue Random Device Driver Verification enabled. Importance Device drivers are randomly verified for debugging.

Recommended Disable random driver verification. In an enterprise environment, it is strongly Resolution recommended to test device drivers before they are installed on client systems. For driver testing, use the verifier.exe application. This helps to avoid issues in the field.

Recommended Using Driver Verifier to identify issues with Windows drivers Reading http://support.microsoft.com/kb/244617

Driver Verifier in Windows XP http://www.microsoft.com/whdc/devtools/tools/verifier.mspx

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Windows Desktop Risk Assessment Program Page 35 of 82

Copyright 2009 Microsoft Corporation Windows System Startup Process The Windows System Startup Process affects the user experience most, especially when it is slow. To understand what causes the system startup to be slow, you have to first understand how the system startup in Windows XP® and Windows Vista® works.

The Windows System Startup Process can be separated into seven phases in Windows XP and into six in Windows Vista.

Windows XP 32/64 Bit Windows Vista 32/64 Bit

1 Power-on self test (POST) phase 1 Power-on self test (POST) phase

2 Initial startup phase 2 Initial startup phase

3 Boot loader phase 3 Windows Boot Manager phase

4 Detect and configure hardware phase 4 Windows Boot Loader phase

5 Kernel loading phase 5 Kernel loading phase

6 Logon phase 6 Logon phase

7 Plug and Play Device Detection phase

In order to analyze the boot process, you need a solid understanding of these phases. The following is a detailed graphic of the Vista System Startup Process.

To identify possible problems, all of the previously mentioned phases are analyzed in detail and against best practices. Existing issues during the startup phase can also affect overall performance.

Windows Desktop Risk Assessment Program Page 36 of 82

Copyright 2009 Microsoft Corporation XPERF Boot Trace Xperf is part of the Windows Performance Tools Kit. These tools are designed for analysis of a wide range of performance problems, including application start times, boot issues, deferred procedure calls and interrupt activity (DPCs and ISRs), system responsiveness issues, application resource usage, and interrupt storms.

The Windows Performance Tools Kit can only be installed on Windows Vista or later versions. The binaries, except for the graphical interface, can also be used to capture traces on Windows XP because it uses Event Tracing for Windows (ETW) to create the traces. ETW is a high-performance, kernel-level tracing system that was introduced in Windows 2000 and which has since been widely used.

The latest release version of the Windows Performance Tools Kit can be downloaded from the following Web site: http://msdn.microsoft.com/performance/default.aspx

Issue Boot Phase: Average CPU Utilization more than 90% Importance During the boot phase (until winlogon.exe is started), mainly device drivers, system services, and prefetch and super fetch data are loaded. If the CPU or disk utilization is high, file processing may be delayed.

Recommended The CPU appears to be a bottleneck while processing files during the boot phase. It is Resolution recommended that you verify the following:

* Correct HAL has been installed * Processor, BUS, and controller device drivers are current * Phantom devices are not present * Signatures and files of boot drivers and service entries exist * Prefetching and super fetching are working properly * Disk is not fragmented * Master File Table (MFT) is not fragmented * Registry and pagefile are not fragmented * Boot optimization is working properly * BootExecute is not modified and is working properly * Pagefile is not re-created during system startup (Clear Pagefile during system shutdown is enabled)

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Boot Configuration Boot configurations can be evaluated and changed by editing the boot.ini (Windows XP) or by using BCDEdit (Windows Vista).

During the third phase of Windows XP, the Boot loader phase, the NT boot file NTLDR reads the hiberfil.sys to determine if it contains a proper “hibernate” file. If a hibernate file is found, the file is loaded into memory and the boot process is completed. If no file is found, NTLDR reads the boot.ini. If it contains references to more than one operating system, the boot loader screen will be displayed.

Several aspects of the Windows Vista startup process are different from Windows XP. Most significantly, NTLDR (the Windows XP component that displayed the boot menu and loaded the Windows XP kernel) has been replaced by the Windows Boot Manager and the Windows Boot Loader. The boot.ini file, a file that contains entries describing the available boot options, has been replaced by the Boot Configuration Data (BCD) registry file. Ntdetect.com functionality has been merged into the kernel, and Windows Vista no Windows Desktop Risk Assessment Program Page 37 of 82

Copyright 2009 Microsoft Corporation longer supports hardware profiles. In fact, hardware profiles are no longer required. Specifically, Windows Vista will automatically detect different hardware configurations without requiring administrators to explicitly configure profiles. Finally, the command-line recovery console has been replaced by the graphical Windows Recovery Environment, which simplifies troubleshooting.

There are some switches inside the boot.ini file and inside the BCD store that can affect startup performance. These settings are checked against best practices.

Issue Missing optional boot configuration parameters, /nodebug and /noguiboot, for Windows XP Importance To further optimize the Windows startup, you can set the /nodebug and /noguiboot parameters in the client Windows boot configuration file (boot.ini).

/noguiboot - This switch disables the bitmap that displays the progress bar for Windows startup. (The progress bar appears just before the logon prompt.)

/nodebug - This switch turns off debugging. This scenario can cause a Stop error if a program has a hardcoded debug, breakpoint in its software.

Recommended It is recommended that you verify whether the /nodebug and /noguiboot parameters Resolution can be used to optimize the Windows XP boot experience. Also make sure that you test these parameters in your environment.

Recommended How to edit the Boot.ini file in Windows XP Reading http://support.microsoft.com/kb/289022

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Boot Drivers and Signatures It is very important to have signed drivers on the operating system. Only signed drivers are checked against various tests, which helps minimize any problems. This is particularly important because drivers generally cause most of the performance and reliability issues that can potentially occur on Windows systems. It is also important to delete old driver entries where the physical file is missing or if an imaging technology is used to deploy the clients.

Issue System boot driver files are missing Importance Missing boot driver files have been detected. This could delay the system boot process.

Best Practice All drivers and services are stored in the system registry hive, Guidance (HKLM\System\CurrentControlSet\Services ), which is loaded by the operating system loader during system Windows startup. If boot drivers are configured in the system registry, but do not actually exist on the client (image files are missing), delays will occur while the system tries to access these files.

Recommended Verify if the missing boot driver or service image file is required for Windows system Resolution startup or for later operation of the client. If not, remove or disable the driver or service by using an uninstall routine, or by directly deleting the registry entries.

Windows Desktop Risk Assessment Program Page 38 of 82

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Boot Optimizations There are multiple boot optimization functions included in Windows XP® and Windows Vista®. Some of these features are enabled by default, such as prefetching, but there are also settings that cannot be enabled and settings that can be tuned, such as the boot optimization function in Windows XP®, ReadyBoot in Vista®, and also disk fragmentation.

If the boot optimization has not completed successfully, the user will notice a substantial decrease in boot performance, therefore a regular monitoring of the optimization components is necessary to ensure a correct operation of Windows.

Issue Boot optimization is disabled Importance Boot optimization improves startup time by locating startup files in contiguous clusters on the volume and by reducing the movement of the disk head when the volume is being read.

Recommended Boot optimize functionality must be enabled by configuring the following registry Resolution setting:

Hive: HKEY_LOCAL_MACHINE Path: SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction Key: Enable Type: REG_SZ Value: "Y" (without the quotation mark)

Recommended Disk Defragmenter Tools and Settings Reading http://technet.microsoft.com/en-us/library/cc784391.aspx

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Winlogon Winlogon is a trusted process responsible for managing security-related user interactions. It coordinates logon, starts the user's first process at logon, handles logoff, and manages various other operations relevant to security, including entering passwords at logon, changing passwords, and locking and unlocking the workstation. The Winlogon process must ensure that operations relevant to security are not visible to any other active processes. For example, Winlogon guarantees that an untrusted process cannot get control of the desktop during one of these operations and thus gain access to the password.

If the user supplies valid credentials, access is granted.

Windows Desktop Risk Assessment Program Page 39 of 82

Copyright 2009 Microsoft Corporation Issue PreferLogonDC is configured Importance DFS referral ordering is used to provide sysvol and netlogon referrals. If the PreferLogonDC registry key is enabled, the high priority domain controller is moved to the top of the referral list.

Recommended The PreferLogonDC registry entry should be used with caution because the high priority Resolution domain controller is moved to the top of the referral list. This changes the DFS connectivity.

Recommended An update for Windows Server 2003 and Windows 2000 Server makes it possible to put Reading the logon server at the top of the DFS referrals list http://support.microsoft.com/kb/831201

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Interactive Logon Process The components of the interactive logon process are responsible for helping to establish secure user authentication. During the Interactive Logon Process, Winlogon is responsible for loading the user profile.

User profiles contain global user settings and configuration information and are stored for each user account created on a server or in a domain. User profiles allow users to maintain their desktop environments so they are the same whenever they log on. The profile is created the first time a user logs on. Additionally, different profiles are created for local user accounts and domain user accounts.

When a user has a local profile, all the user data is stored locally on that user's computer. When a user has a roaming profile, all the user data is stored in the profile itself and can be located on a network share. You can examine the contents of the profile folders using Windows Explorer. However, many of the folders are hidden from view by default.

On Windows XP and Windows Server® 2003, local user profiles are stored by default in the %SystemDrive%\Documents and Settings folder. On Windows Vista and Windows Server 2008, local user profiles are stored by default in the %SystemDrive%\Users\ %UserName% folder. As with Windows Server 2003, Windows Server 2008 saves roaming profiles to a server when a user logs off, even if an application has the Registry open. When a user logs on to a domain or that user's profile is in use on the network, the Delete and Copy To buttons on the Advanced tab of the System Properties dialog box are not available.

To speed up the system startup process, there are multiple things to check regarding user profiles, such as the number of user profiles, the size of user profiles, network configuration, and client-side caching.

Issue High amount of locally cached profiles Importance Too many locally cached user profiles may delay the Windows logon experience.

Recommended If the Windows client is used by more than one user, you can use delprof.exe to remove Resolution old profiles that have not been used for a long time. This application can be added as a system shutdown script.

Recommended User Profile Deletion Utility (Delprof.exe) Reading http://www.microsoft.com/downloads/details.aspx?familyid=901a9b95-6063-4462-815 0-360394e98e1e&displaylang=en

Windows Desktop Risk Assessment Program Page 40 of 82

UserEnv Log File This section only applies to Windows XP. When you enable debug UserEnv logging, you can perform debug logging of the user profile and the system policy processes. UserEnv log files also contain information about the status of each Group Policy extension, such as Application Deployment, Security, and Folder Redirection. UserEnv log files reveal what is occurring in the user profile logon component of the operating system.

UserEnv log files are especially useful because they can be used to troubleshoot Windows XP operating systems for which you cannot use Resultant Set of Policy (RSoP). In addition, if Microsoft® Active Directory® replication is not working, RSoP will not work,. This leaves UserEnv log files as the only troubleshooting option. RSoP also depends on Windows Management Instrumentation (WMI). However, this might also fail and leave you with no option but to analyze the UserEnv log files. With verbose logging, information is logged every second. Thus, if something fails, you can review the UserEnv logs and pinpoint the likely source of the failure.

UserEnv log files contain information about the following:

· Group Policy settings that are not processed or not applied as expected

· Folder redirection that does not occur

· Profile or registry hive load, unload, or deletion failures

· Logon script or script not applied as expected

· Default behaviors occurring because a slow link was detected

· Roaming profile issues

· Slow logon issues due to process or threat hangs

· Whether a given Group Policy Object (GPO) is accessible, and if not, why access was denied

· Name of the domain controller that is accessing System Volume (SYSVOL)

For more information about UserEnv logging, refer to the following article:

How to enable user environment debug logging in retail builds of Windows http://support.microsoft.com/kb/221833/en-us

Interpreting UserEnv files http://technet.microsoft.com/en-us/library/cc786775.aspx

Issue UserEnv failure detected: Cannot process autoexec.bat Importance Searching for autoexec.bat files that are not available takes time. It could also delay system-related tasks and sequences.

Windows Desktop Risk Assessment Program Page 41 of 82

Copyright 2009 Microsoft Corporation Recommended The following entry should not be modified: Resolution Hive: HKCU Path: Software\Microsoft\Windows NT\CurrentVersion\Winlogon Key: ParseAutoexec Value: 0 = autoexec.bat is not parsed 1 = autoexec.bat is parsed

Recommended Microsoft Press: Microsoft® Windows XP Registry Guide Reading Chapter 5: Mapping Tweak UI continued

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

System Boot and User Logon Time The system boot time is the time needed for the system to boot until the logon screen is presented to the user. The Logon time is the time from when the user successfully entered their credentials to when the first user startup application can be run.

Issue System Boot and User Logon Time Exceeds Expected Maximum Time of 5 Minutes Importance System boot and user logon experience are important factors for the user's overall experience

Recommended Find possible bottlenecks of the system boot and user logon process by using the Resolution Windows Performance Tools Kit. This kit is available through the following Web page:

Windows Performance Tools Kit, v.4.1.1 (QFE) http://www.microsoft.com/whdc/system/sysperf/perftools.mspx

Recommended Improving "Cold Boot" Time for System Manufacturers Reading http://www.microsoft.com/whdc/archive/fast-boot.mspx

Windows Performance Tools Kit, v.4.1.1 (QFE) http://www.microsoft.com/whdc/system/sysperf/perftools.mspx

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Windows Desktop Risk Assessment Program Page 42 of 82

Copyright 2009 Microsoft Corporation Windows System Shutdown Process System shutdown brings the system to a condition in which it is safe to turn off the computer. All file-system buffers are flushed to the disk and a message box is displayed informing the user that the computer can be turned off. There is also a reboot option that will restart the computer, rather than display this system shutdown message box.

Shutdown Optimizations Windows stores a number of values in its registry that are responsible for determining how long to wait before the shutting down process terminates open applications and services after the shutdown command has been given.Actions such as clear Pagefile on shutdown on the Pagefile can delay the shutdown process.

Applications with open handles into the user profile can also heavily delay a system shutdown process.

Issue AutoEndTasks is disabled Importance By default, Windows will prompt the user for input if there are one or more applications that have failed, or are not responding, and it receives a shutdown command. This halts the shutdown process entirely until the user approves stopping of the non-responsive application.

Recommended It is recommended that you allow Windows to close non-responsive applications Resolution automatically upon shutdown. By doing this, you should add the following registry setting:

Hive: HKEY_CURRENT_USER Path: Control Panel\Desktop Key: AutoEndTasks Type: REG_DWORD Value: 1

Recommended AutoEndTasks Reading http://technet.microsoft.com/en-us/library/cc736867.aspx

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Windows Desktop Risk Assessment Program Page 43 of 82

Windows System Performance can be affected by processor scheduling, memory management, the size of the event log, and also by the Windows Search configuration.

Processor Scheduling and Memory Management Processor scheduling specifies the strategy that is used for optimizing processor time on the system. Memory management optimization can be divided into four parts:

System Cache The System Cache mode controls the partitioning between the memory that Microsoft Windows allocates to file caching and the memory that Windows allocates to applications.

Kernel Mode Driver and Kernel Mode System Code Kernel mode drivers and kernel mode system code can be paged to disk by default when not in use.

Unload DLL Files On Application Close By default, Windows does not unload DLL files used by programs that have been closed to speed up possible restarts of that application.

Pagefile Settings This controls the settings for a Pagefile. For example, specifying a fixed Pagefile setting for the minimum and maximum values decreases the chance of Pagefile file fragmentation on the filesystem.

Issue Processor Scheduling mode configured to “System” Importance The Processor Scheduling mode specifies the strategy used for optimizing processor time on the system. The value of this entry determines, in part, how much processor time the threads of a process receive each time they are scheduled, and how much the allotted time can vary. It also affects the relative priority of the threads of foreground and background processes.

Recommended Configure the following registry key to 0x2. Programs are scheduled with the most Resolution processor time, while background processes receive less:

Hive: HKLM Path: System\CurrentControlSet\Control\PriorityControl Key: Win32PrioritySeparation Type: REG_DWORD Recommended value: 0x2

Recommended Win32PrioritySeparation Reading http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/2962 3.mspx?mfr=true

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

File System

Windows Desktop Risk Assessment Program Page 44 of 82

Copyright 2009 Microsoft Corporation The file system of an operating system is the overall structure in which files are named, stored, and organized. A file system consists of files, directories, or folders, and the information needed to locate and access these items.

Microsoft Windows NT FIle System (NTFS) is a robust and secure disk filesystem that has been optimized for size and performance. To keep NTFS in an optimal performing state it is important to schedule defragmentation job on a regular basis.

Issue Volume is not formatted with NTFS Importance A file system is a part of the operating system that determines how files are named, stored, and organized on a volume or disk.

Recommended It is recommended that you use NTFS without conversion to avoid reducing Resolution performance.

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Event Log Sizing

The event log system is used to allow troubleshooting in case of errors. If there are is no adequate number of hours traced and retained, a support engineer may not have the ability to find the root cause of issues. The size should be set to an adequate size. If the event log size is set to a high value, it can affect system performance. This is because the event log is loaded into memory during startup.

You should enable sensible log size policies for all computers in your organization so that legitimate users can be held accountable for their actions, unauthorized activity can be detected and tracked, and computer problems can be detected and diagnosed.

Issue Event Log file sizes are large Importance The event log service must load the event log files during system startup and then unload them during system shutdown. Depending on the log file size, this time may increase.

Best Practice You should enable sensible log size policies for all computers in your organization so Guidance that legitimate users can be held accountable for their actions, unauthorized activity can be detected and tracked, and computer problems can be detected and diagnosed.

Recommended If you significantly increase the number of objects to audit in your organization, the Resolution system performance during system startup and shutdown may decrease due to loading and unloading the event log system service.

Recommended Threats and Countermeasures Reading Chapter 6: Event Log http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch06n.mspx

Event Log http://technet.microsoft.com/en-us/library/cc722385.aspx

Affected PC.RAPID-VSN-01 Objects

Windows Desktop Risk Assessment Program Page 45 of 82

Windows Search Windows Search, formerly Windows Desktop Search, is the search technology that lets users quickly find information on their computers. The search engine is a system service that works in the background to maintain its index. When first installed, it scans selected locations to build the initial index. After that, it uses system or application notifications to index new or changed content. When items are deleted, the corresponding entries in the index are also deleted.

Issue Windows Search version is outdated Importance Windows Search provides an easy and comprehensive solution for finding and organizing the content on the client. Windows Search 4.0 includes stability, performance, and overall search improvements.

Recommended Windows Search 4.0 should be used to improve overall client performance. Resolution Recommended What's new in Windows Search 4.0 Reading http://technet.microsoft.com/en-us/library/cc772446.aspx#BKMK_WhatsNewinWindows Search4

Download Windows Search for Windows Vista SP1 32-bit http://www.microsoft.com/downloads/details.aspx?FamilyID=bc28ed7f-c51b-49cd-b505 -95b91b453284&DisplayLang=en

Download Windows Search for Windows Vista SP1 64-bit http://www.microsoft.com/downloads/details.aspx?FamilyId=D45E9B5E-B52A-489C-A9 35-172F0002C492&displaylang=en

Download Windows Search for Windows XP 32-bit http://www.microsoft.com/downloads/details.aspx?FamilyId=55C18CB3-C916-4298-AB A3-5B98904F7CDA&displaylang=en

Download Windows Search for Windows XP 64-bit http://www.microsoft.com/downloads/details.aspx?familyid=2720F870-F910-412A-8C4 1-D04BD93890F9&displaylang=en

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Performance Information In this section, Windows performance counter data will be collected. This allows us to make very basic statements and recommendations about the client system performance. No full system performance analysis is run. Only the values required for healthy operation of a Windows workstation will be collected. These values are from our specification and guidelines for correct operation of a Windows operating system.

Windows Desktop Risk Assessment Program Page 46 of 82

Copyright 2009 Microsoft Corporation Issue Overall CPU Utilization 10 Percent or Greater Importance Consistently present CPU utilization can indicate a misbehaving process that is running on the workstation. If the tested workstation is running in a production environment, the CPU load is most likely created through the user's normal day-to-day work.

If the tested workstation is running in a lab environment and shows a consistently present CPU utilization, this can indicate a misbehaving process that is running on the workstation.

Best Practice Test all Windows client releases and updates for performance issues. If the new client Guidance release shows any abnormal process behavior which creates consistently present CPU load on the client system, resolve this issue before you release the client to production.

Recommended Depending on how the Windows workstations are being utilized by their users and Resolution applications, this might be acceptable.

Monitor Windows client CPU utilization and identify the root cause of the CPU utilization (for client systems in production and the current client release under lab conditions). Identify any misbehaving processes.

Recommended WHDC Performance Page Reading http://www.microsoft.com/whdc/system/sysperf/default.mspx

For Windows Vista®:

Measuring Performance in Windows Vista http://www.microsoft.com/whdc/system/sysperf/Vista_perf.mspx

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Windows Desktop Risk Assessment Program Page 47 of 82

System reliability shows the current state of a computer system and if the hardware components are causing any performance issues due to their age or features.

Event Logs The Windows Event Log service enables an application and the operating system to publish, access, and process events. Events are stored in event logs, which can be routinely checked by an administrator or monitoring tool to detect occurrences or problems on a computer.

Issue Event ID 1025, UserEnv: Cache Option for Roaming Profiles enabled Best Practice Enabled cache option on roaming profiles could corrupt files Guidance Recommended Enabling the automatic client caching on the profile server's share is not recommended Resolution for roaming user profiles. To avoid any issues and profile corruption, it is recommended that you turn off the caching feature.

287566 The Cache Option for Offline Files Must Be Disabled on Roaming User http://support.microsoft.com/?id=287566

830856 A roaming profile is not loaded from a DFS share http://support.microsoft.com/?id=830856

831651 "The roaming profile cannot be found" error message when you log on to http://support.microsoft.com/?id=831651

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Security Updates The Security Update Status test queries every PC to determine if any security patches are missing. It requires that the automatic update service be running on the PC in order to collect the data, and will report all missing security patches.

Issue Summary for MBSA Scan Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

System Restore System Restore helps you restore your computer's system files to an earlier point in time. It is a way to undo system changes to your computer without affecting your personal files, such as e-mail, documents, or photos.

System Restore uses the feature, System Protection, to regularly create and save restore points on your computer. These restore points contain information about registry settings and other system information that Windows uses. You can also create restore points manually.

Windows Desktop Risk Assessment Program Page 48 of 82

Copyright 2009 Microsoft Corporation System Restore is not intended for backing up personal files, so it cannot help you recover a personal file that has been deleted or damaged. You should regularly back up your personal files and important data using a backup program.

In a managed environment, System Restore should be used only rarely. In addition, System Restore will not help you find the root cause of a system failure or solve a failure. In managed environments, it is better to have a test environment in which to reproduce the failure and determine the root cause so that the changes can be made in a company-wide scenario.

Issue System Restore is enabled. Importance You can use System Restore to remove any system changes that were made since the last time the computer was working correctly. This capability is mainly used by end users or in unmanaged environments.

Recommended In a managed environment, the System Restore capability is not appropriate for all Resolution configurations. It is recommended that you verify your backup and recovery processes and, possibly, disable Restore Point creation by disabling the SystemRestore Service in services.msc.

To disable the SystemRestore Service, complete the following steps:

1. Click Start, click Run, and then type services.msc. 2. Click OK. 3. Locate System Restore and disable the service.

Recommended Use System Restore to Undo Changes if Problems Occurs Reading http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore. mspx

DisableSR http://technet.microsoft.com/en-us/library/cc722304.aspx

The Registry Keys and Values for the System Restore Utility http://support.microsoft.com/kb/295659/

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

WinSAT Rating The Windows System Assessment Tool (WinSAT) assesses the performance characteristics and capabilities of a computer.

The results can be used for a formal assessment to determine which scenarios and applications will perform well on a computer. For example, if a software package contains a rating on its packaging, the rating can be used to determine whether the software will run well on the computer.

The system rating returned uses the value of the slowest component to determine the overall system performance rating. As all hardware components rely heavily on each other, it assumes that the PC can only be as fast as its slowest piece of hardware.

Windows Desktop Risk Assessment Program Page 49 of 82

Copyright 2009 Microsoft Corporation Issue WinSAT Base Score Rating 1.0 – 1.9 Importance The Windows System Assessment Tool (WinSAT) measures the various performance characteristics and capabilities of the hardware and reports them as a Windows Experience Index score. PCs with a base score of 1.0 to 1.9 are equipped with the minimum hardware specification to run Windows Vista®.

Recommended A base score of 1.0 is intended to reflect the minimum specification needed to run Resolution Windows Vista. PCs that meet this level will run Windows Vista in a basic, but acceptable manner. This is a catch-all level assigned to any computer that can realistically be upgraded to Windows Vista, but which will not meet level 2 specifications.

It is recommended that you use hardware components to at least reach a WinSAT score rating of 4.x.

Recommended Using WinSAT Reading http://msdn.microsoft.com/en-us/library/bb530740(VS.85).aspx

WinSPRLevel (IProvideWinSATResultsInfo::SystemRating) http://msdn.microsoft.com/en-us/library/aa969193(VS.85).aspx

The System Assessment Tool http://www.microsoft.com/technet/scriptcenter/topics/vista/winsat.mspx

Get Windows Vista: Windows Experience Index http://www.microsoft.com/windows/windows-vista/get/experience-index.aspx

Windows Experience Index: An In-Depth Look http://windowsteamblog.com/blogs/windowsvista/archive/2006/09/22/windows-experie nce-index-an-in-depth-look.aspx

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Windows Reliability Rating Reliability Monitor calculates a System Stability Index that reflects whether unexpected problems reduced the reliability of the system. A graph of the Stability Index over time quickly identifies dates when problems began to occur. The accompanying System Stability Report provides details to help troubleshoot the root cause of reduced reliability. By viewing changes to the system (installation or removal of applications and updates to the operating system) side by side with failures (application, operating system, or hardware failures), you can develop a strategy for quickly addressing the issues.

Issue Windows Reliability Rating below 7.0. Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Dump Configuration There are two types of dumps that are important: kernel mode dumps and user mode dumps.

Windows Desktop Risk Assessment Program Page 50 of 82

During a system crash, the Windows crash dump settings determine whether a dump file will be created, and if so, what size the dump file will be.

There are three kinds of kernel mode crash dump files:

· Complete Memory Dump

· Kernel Memory Dump

· Small Memory Dump

The difference between these dump files is the size and content of the crash information. The Complete Memory Dump is the largest and contains the most information. This dump file will contain kernel and usermode information. The Kernel Memory Dump is somewhat smaller, and only contains kernel relevant information. The Small Memory Dump is only 64 KB in size and only contains basic information in regards to the failure event but no information regarding what might have led to the failure in the first place. For deeper analysis we recommend setting either a kernel memory dump or a full memory dump.

The advantage to the larger files is that, because they contain more information, they are more likely to help you find the cause of the crash.

After a Complete Memory Dump or Kernel Memory Dump has been created, it is possible to create a Small Memory Dump file from the larger dump file.

User Mode Dumps

User mode dumps can be created by Dr. Watson, the Corporate Error Reporting service or any other debugging application.

Corporate Error Reporting is the set of feedback technologies and captures software crashes and hangs. Using the CER is similar to having thousands of testers reporting bugs on your company's applications. You can monitor error trends and download debug information to help your developers determine the precise causes of application errors.

Dr. Watson is a program error troubleshooting tool that traps program faults (that are running in ring three of the processor), and generates a snapshot of the operating system. You can then use this to diagnose the fault. This tool interprets program errors in Windows-based programs and tries to diagnose them. When you run Dr. Watson, it automatically creates a log file when a program fault occurs. The log files have a .wlg extension and are stored in the \Windows\Drwatson folder. The log file indicates the program that created the fault, the program that the fault occurred in, and the memory address where the fault occurred. Dr. Watson cannot create a snapshot if the program does not respond (hangs).

Issue Kernel Dumps were found Importance Windows can be configured to write debugging information to disk when the computer stops unexpectedly as a result of a Stop error. This file can be analyzed later to determine the root cause.

Windows Desktop Risk Assessment Program Page 51 of 82

Copyright 2009 Microsoft Corporation Recommended Dump files were found on the target system. It is recommended that you analyze the Resolution files to determine the root cause and solve the issue globally in your client infrastructure environment.

Recommended Overview of memory dump file options for Windows Server 2003, Windows XP, and Reading Windows 2000 http://support.microsoft.com/kb/254649

How to read the small memory dump files that Windows creates for debugging http://support.microsoft.com/kb/315263

Debug Diagnostic Tool v1.1 http://www.microsoft.com/downloads/details.aspx?FamilyID=28bd5941-c458-46f1-b24 d-f60151d875a3&displaylang=en

Windows feature lets you generate a memory dump file by using the keyboard http://support.microsoft.com/kb/244139

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Windows Desktop Risk Assessment Program Page 52 of 82

Networking is one of the primary functions of Windows, and much of the operating system is designed around its networking architecture. When you install the operating system, the Windows setup program can detect the network interface adapter, if there is one in the computer, and install a basic network software configuration consisting of a network interface adapter driver, the Client for Microsoft Networks, the File and Printer Sharing for Microsoft Networks service, and the Internet Protocol (TCP/IP) protocol module. These components make up the default configuration that provides basic local area network (LAN) connectivity in Windows.

NIC Configuration It is very important to configure the Network Interface Card (NIC) so it corresponds to the existing network infrastructure. Every NIC manufacturer has different NIC settings. Thus, these settings have to be checked manually against the recommendations of the network infrastructure company. Essential network settings are checked to make sure that the base configuration is configured correctly.

Issue Network controllers are using APIPA to get an IP address Importance Automatic Private Internet Protocol Addressing (APIPA), a common alternative to Dynamic Host Configuration Protocol (DHCP), is used to request and retrieve an Internet Protocol (IP) address for a host. APIPA simplifies the assignment of IP address and subnet-mask configuration information to hosts in small networks. When APIPA is used, the operating system allows the assignment of a unique IP address to each station on a small local area network (LAN).

Recommended Appearance of IP addresses in the APIPA range on a network that normally assigns Resolution addresses using DHCP might indicate a connectivity issue or a DHCP server configuration problem. It also may delay the system startup and user logon procedure because that IP address generation takes more time.

To disable APIPA, complete the following steps:

1. From the Windows Start menu, choose Run, and then type regedit. The Registry Editor is displayed. 2. Go to the key, HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. 3. From the Edit menu, choose New DWORD value. 4. Name the value IPAutoconfigurationEnabled and enter a value of 0.

Recommended APIPA Reading http://msdn.microsoft.com/en-us/library/aa505918.aspx

How to use automatic TCP/IP addressing without a DHCP server http://support.microsoft.com/kb/220874

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Windows Desktop Risk Assessment Program Page 53 of 82

Copyright 2009 Microsoft Corporation Diagnostics For diagnostics, the Resource Kit tool Netdiag is used. Netdiag is a utility that helps isolate networking and connectivity problems by performing a series of tests to determine the state of your network client and whether it is functional. These tests and the key network status information they expose give network administrators and support personnel a more direct means of identifying and isolating network problems.

Netdiag diagnoses network problems by checking all aspects of a host computer's network configuration and connections.

Issue Single-Label domain name used Importance Supported Microsoft® Active Directory® domain names consist of one or more subdomains that are combined with a top-level domain. The subdomain and top-level domain are separated by a dot character ("."). Single-label DNS names consist of a single word, such as contoso, and have no suffix (for example, .com, .corp, and .net).

Active Directory domain names should consist of two or more labels for the current and future operating system, and for application compatibility and reliability.

Recommended It is not recommended that you use domains that have single-label DNS names for the Resolution following reasons:

* Single-label DNS names cannot be registered by using an Internet registrar. * Client computers and domain controllers that joined to single-label domains require additional configuration to dynamically register DNS records in single-label DNS zones. * Client computers and domain controllers may require additional configuration to resolve DNS queries in single-label DNS zones. * By default, Windows Server® 2003-based domain members, Windows XP-based domain members, and Windows 2000-based domain members do not perform dynamic updates to single-label DNS zones. * Some server-based applications are incompatible with single-label domain names. Application support may not exist in the initial release of an application, or support may be dropped in a future release. * Some server-based applications are incompatible with the domain rename feature that is supported in Windows Server 2003 domain controllers and in Windows Server® 2008 domain controllers. These incompatibilities either block or complicate the use of the domain rename feature when you try to rename a single-label DNS name to a fully qualified domain name.

Recommended Information about configuring Windows for domains with single-label DNS names Reading http://support.microsoft.com/kb/300684

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Wireless Services IEEE 802.11 wireless LAN technology is a popular option for network connectivity on organization intranets, home networks, and for accessing the Internet. Wireless functionality is usually provided in conjunction with Bluetooth service and requires security settings in order to protect the roaming user utilizing his laptop in public places.

Windows Desktop Risk Assessment Program Page 54 of 82

Copyright 2009 Microsoft Corporation Issue Wireless adapter is not disabled Importance When using wireless networks, people can be more productive and can stay in touch when traveling. However, these networks have also introduced some challenges. Unfortunately, malicious users have created tools to exploit vulnerabilities in wireless communications, thus putting confidential information at risk. Additionally, as the number of wireless users increased, so did the number of support center calls related to connecting and troubleshooting wireless connections. Finally, information technology (IT) departments discovered they needed better tools to manage the growing number of wireless clients and connections.

Recommended It is recommended that you educate users about using wireless networks and about Resolution their possible risks. Wireless networking should be disabled when not needed and should only be enabled when actually being used. For example, a shutdown script can be used to disable the wireless adapter so that the user has to enable the adapter manually. This task also could be automated by an application with an icon in the taskbar notification area. This helps to secure the client environment.

Recommended Wireless Networking in Windows Vista Reading http://www.microsoft.com/downloads/details.aspx?FamilyID=eb958617-b3d3-42cf-a43 4-87ad81259fc6&DisplayLang=en

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Tuning Parameters There are some parameters in the operating system than can be tuned to access network share faster or to even reduce existing network traffic. These settings are related to the way that the network is accessed.

Especially the GUI portion of the Windows Explorer brings a lot of settings that can be changed or tweaked in order to improve network performance. However, similar to enforcing security on a system, tweaking network performance may mean that there are functionality tradeoffs.

Issue Network based long file name caching is disabled Importance Accessibility to files with long file names on a server may be slow. This problem occurs if the network-based files use the long filename syntax instead of the 8.3 short filename syntax. Specifically, the Windows Server Message Block (SMB) redirector component does not cache path information from long file names. In this scenario, Windows sends two SMB packets for every GetFileAttributes function call.

Windows Desktop Risk Assessment Program Page 55 of 82

Copyright 2009 Microsoft Corporation Recommended File and directory information will be cached with this setting. It is recommended that Resolution you use the InfoCacheLevel setting with the value of 0x10 to improve overall client performance.

Hive: HKEY_LOCAL_MACHINE Path: SYSTEM\CurrentControlSet\Services\MRxSmb\Parameters Entry: InfoCacheLevel Type: REG_DWORD Values 0 = Disables the caching for all files and folders 1 = Enables the caching for files with short file name (8.3) - default value 10 = Enables caching for all files

Recommended You experience reduced performance while accessing network resources on Reading http://support.microsoft.com/?id=843418

Your access to network resources is slower in Windows XP than in earlier http://support.microsoft.com/?id=834350

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low Group Policy Management Group Policy is an infrastructure that allows you to specify managed configurations for users and computers in an Active Directory service environment. Group Policy settings are contained in GPOs. GPOs exist in a domain and can be linked to the following Active Directory containers: sites, domains, or organizational units (OUs). A GPO consists of two parts: one part is located in Active Directory, and the other is located in the Sysvol folder. Both of these are replicated to all domain controllers in the domain. The settings within GPOs are then evaluated by the affected targets, using the hierarchical nature of Active Directory. Core Group Policy or the Group Policy engine is the framework that handles common functionalities across all client-side extensions.

Processing The Group Policy engine uses the following logic in processing GPOs: If a GPO is linked to a domain, site, or OU that applies to the user or computer, the Group Policy engine must then determine whether the GPO should be added to its GPO list for processing. A GPO is blocked from processing in the following circumstances:

· The GPO is disabled. You disable either or both the computer or user components of a GPO from its Policy Properties dialog box.

· The computer or user does not have permission to read and apply the GPO. You control permission to a GPO through security filtering, as explained in the following section.

· A WMI filter must evaluate to true before the Group Policy engine will allow it to be processed.

Additional Processing

Loopback Processing with Merge or Replace

Windows Desktop Risk Assessment Program Page 56 of 82

Copyright 2009 Microsoft Corporation Loopback is an advanced Group Policy setting that is useful on computers in certain, closely managed environments such as servers, kiosks, laboratories, classrooms, and reception areas.

Group Policy Inheritance

In addition to the ability to filter the scope of GPOs, you can change the way GPOs are applied by managing Group Policy inheritance. In most environments, the actual settings for a given user and computer are the result of the combination of GPOs that are applied at a site, domain, or OU. When multiple GPOs apply to these users and computers, the settings in the GPOs are aggregated. The settings deployed by GPOs linked to higher containers (parent containers) in Active Directory are inherited by default to child containers and combine with any settings deployed in GPOs linked to child containers. If multiple GPOs try to set a setting to conflicting values, the GPO with the highest precedence sets the setting. GPO processing is based on a “last writer wins” model, and GPOs that are processed later have precedence over GPOs that were processed earlier.

Issue Turn Off Local Group Policy Objects Processing Is Not Enabled Importance Stand-alone computers benefit the most from Multiple Local Group Policy objects, wherein managing each computer is local. Domain-based computers apply Local Group Policy first and then domain-based policy. Windows Vista® continues to use the Last Writer Wins method for conflict resolution.

Therefore, policy settings originating from domain Group Policy overwrite any conflicting policy settings found in any Local Group Policy to include administrative, non-administrative, and user specific Local Group Policy. Domain administrators can disable processing Local Group Policy objects on clients running Windows Vista by enabling the Turn off Local Group Policy objects processing policy setting in a domain Group Policy object. You can find this setting under Computer Configuration\Administrative Templates\System\Group Policy.

Recommended Enable the Group Policy setting. Turn off Local Group Policy objects processing on Resolution domain member clients to only allow domain-based group policies.

Recommended Step-by-Step Guide to Managing Multiple Local Group Policy Objects Reading http://technet.microsoft.com/en-us/library/cc766291.aspx

Deploying Group Policy Using Windows Vista http://technet.microsoft.com/en-us/library/cc766208.aspx

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Asynchronous Processing Asynchronous processing refers to processes that do not depend on each other's outcome and, therefore, can occur on different threads simultaneously. The opposite is synchronous processing. Synchronous processes wait for one process to complete before the next begins. For those Group Policy settings where both types of processes are available as options, you choose between the faster asynchronous or the safer, more predictable synchronous processing.

By default, the processing of Group Policy is synchronous. Computer policy is completed before the CTRL+ALT+DEL dialog box is presented, and user policy is completed before the shell is active and available to the user. Windows Desktop Risk Assessment Program Page 57 of 82

Copyright 2009 Microsoft Corporation Issue Always Wait For Network Is Enabled Importance Group Policy can be applied during startup and logon (synchronous processing) or as a background task after startup or logon has completed (asynchronous processing). Changes received during periodic Group Policy refresh or in response to the gpupdate.exe command are processed asynchronously. On computers running Windows XP and Windows Vista®, group policies received during logon are also processed asynchronously by default. Thus, the logon is completed more quickly.

Recommended To get the best experience possible from roaming user profiles, the option Always wait Resolution for the network should be enabled. By using this configuration, a delay in the computer startup procedure will take place. However, you can ensure that policy changes effect the user and system directly.

Fast Logon Optimization is always off during logon under the following conditions:

* When a user first logs on to a computer * When a user has a roaming user profile or a home directory for logon purposes * When a user has synchronous logon scripts

In situations where you need users to receive software, implement folder redirection, or run new scripts in a single logon, apply a GPO with the setting Always wait for the network at computer startup and logon to the computer.

Recommended Description of the Windows XP Professional Fast Logon Optimization feature Reading http://support.microsoft.com/kb/305293

Scripts May Not Run Before Windows Explorer Starts Even Though the "Run Logon Scripts Synchronously" Setting is Enabled http://support.microsoft.com/kb/304970

Troubleshooting Group Policy Problems http://technet.microsoft.com/en-us/library/cc787386.aspx

Best Practices for User Profiles http://technet2.microsoft.com/WindowsServer/en/library/ede493f2-0327-4e65-879c-c9 52427578821033.mspx?mfr=true

Users are not automatically logged on to the domain when you apply a startup script to automate the logon process on computers that are running Windows Fundamentals for Legacy PCs http://support.microsoft.com/kb/920319

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Slow Link Detection Windows includes a method for determining whether a client computer is gaining access to a domain controller over a slow link to apply Group Policy or download a roaming user profile. This takes the form of a sequence of TCP/IP ping requests to the destination server. There is more reliance on the detection of slow links in Windows because this is used to determine the types of Group Policy that are applied.

The mechanism takes the form of measuring the response time from a sequence of TCP/IP pings from the client computer to the server to determine the average transfer rate in kilobits per second (kbps). The Windows Desktop Risk Assessment Program Page 58 of 82

Copyright 2009 Microsoft Corporation client pings the server three times with 0 bytes and three times with 2048 bytes. If the response time from any of the pings is less than 10 milliseconds (ms), the link is automatically considered fast. Otherwise, the average transfer rate is calculated by averaging the differences between the first (0 byte) and second (2048 byte) ping times. If the transfer rate is slower than the default or a value that is defined by the administrator, the connection is considered slow.

Issue Threshold for Slow Link Detection Is Not Defined Importance If a policy update travels from the domain controller to the computer at a rate slower than is specified in the value of this entry, the system defines the connection as slow. The default threshold is 500 kbps (Kilobytes per second).

Recommended To avoid heavy network traffic on slow or limited network connections, the Slow Resolution Network Detection routine should be defined. By using this setting, specific tasks for user profiles, Client Side Caching, and Group Policies may or may not run on the client side. These specific tasks can be modified and configured as needed.

Depending on the topology used for LAN, an adequate link speed must be defined. It is recommended that you verify users experience over Slow Link by using Modem, ISDN, DSL, and slow LAN connectivity.

Recommended Group Policy does not apply when connecting remotely over a slow link Reading http://technet2.microsoft.com/WindowsServer/en/library/92c46246-7cb7-441e-92d6-2 b6671c2980e1033.mspx?mfr=true

How to troubleshoot Group Policy object processing failures that occur across multiple forests http://support.microsoft.com/kb/910206/en-us

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Client Side Extensions Group policy is an infrastructure with pluggable extensions. Extensions that exist on client computers include Administrative Templates (also known as registry-based policy), Security Settings, Software Installation, Folder Redirection, Scripts, and Wireless Network Policies.

The policy settings exist in a GPO, which is a virtual object that lives in the domain. Part of the GPO is located in Active Directory and is called the Group Policy container. The other part of a GPO is located in the Sysvol and is called the Group Policy template. When policy settings need to be applied, the framework calls each extension and the extension then applies the necessary settings.

Each Group Policy extension has two extensions: a client extension that is called by the Group Policy engine to apply policy, and a server-side extension that plugs into Group Policy Object Editor to define and set the policy settings that need to be applied to client computers.

However, you can configure Local Group Policy objects (Local GPOs) on individual computers.

Windows Desktop Risk Assessment Program Page 59 of 82

Copyright 2009 Microsoft Corporation Issue Client Side Extension Is Configured to Always Apply Settings Importance Group Policy settings are applied during system startup, user logon, and background refresh. By default, only changed policies get applied, but this rule can be overwritten so that they get applied, even when the Group Policy objects have not changed.

Recommended It is not recommended that you apply settings even when they have not changed Resolution because of performance degradation. There is a security recommendation about this setting which is described in http://support.microsoft.com/kb/812541/en-us. For performance reasons, Microsoft does not recommend configuring the setting Process even if the Group Policy objects have not changed because of the fact that the GPO settings must be deleted and applied again. During this timeframe, no restrictions are applied and the computer could be compromised.

Recommended NoGPOListChanges Reading http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/9380 7.mspx?mfr=true

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Scripting

The Group Policy script, Client Side Extension (CSE), is not responsible for running scripts. Instead, its sole purpose is to determine which scripts should run at startup, logon, logoff, or shutdown, and to add registry keys with information about those scripts to each computer target by the Group Policy object. A separate process, which is not part of Group Policy, actually runs the scripts at startup, logon, logoff, or shutdown, based on the information placed in those registry keys. It is very possible for Group Policy to run without difficulty, but for the scripts to fail to run at all.

Issue Maximum Wait Time for Group Policy Scripts Is Not Configured Importance The group policy setting, Maximum wait time for Group Policy scripts, is particularly important when other system tasks must wait while the scripts complete. By default, each startup script must complete before the next script runs.

Recommended It is recommended that you preconfigure an adequate and low value for the maximum Resolution wait time for Group Policy scripts. If a script stops responding and the script was called in a synchronous mode, the client startup, logon, logoff, or shutdown process is also interrupted by this delay. If the script timeout has been exceeded before the script has completed, the script will be terminated.

Because scripts vary, the optimal configuration for this setting must be evaluated in a test environment. Recommended values are between 1 and 3 minutes.

The default interval is 600 seconds (10 minutes), and valid intervals range from 0 to 32000 seconds.

Windows Desktop Risk Assessment Program Page 60 of 82

MaxGPOScriptWait http://technet.microsoft.com/en-us/library/cc780635.aspx

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Windows Desktop Risk Assessment Program Page 61 of 82

Security is not binary, and it is not a switch or even a series of switches. In addition, it cannot be expressed in absolute terms, because security is relative. Specifically, there is only more secure and less secure. Furthermore, security is dynamic in that people, process, and technology all change. In other words, security is simply Risk Management.

Security consists mainly of three elements, formerly known as CIA:

· Confidentiality – Confidentiality refers to limiting information access and disclosure to authorized users.

· Integrity – Integrity refers to the trustworthiness of information resources.

· Availability – Availability refers, not surprisingly, to the availability of information resources.

Security and functionality must be carefully balanced in order to achieve the highest possible productivity level for the end user.

However, at the same time data confidentiality must be achieved, in order to keep personal data protected from manipulation or theft.

Patch Management Patch Management is a circular, ongoing process. Specifically, because of the general vulnerability of software, after you apply a patch today, a new vulnerability will need to be addressed tomorrow.

Develop and automate a Patch Management process that includes the following:

· Detection – Use tools to scan your systems for missing security patches. The detection should be automated and trigger the Patch Management process.

· Assessment – If the necessary updates are not installed, determine the severity of the issue addressed by the patch and the mitigating factors that may influence your decision. By balancing the severity of the issue and mitigating factors, you can determine if the vulnerabilities are a threat to your current environment.

· Acquisition – If the vulnerability is not addressed by the security measures already in place, download the patch for testing.

· Testing – Install the patch on a test system to verify the ramifications of the update against your production configuration.

· Deployment – Deploy the patch to production computers. Make sure that your applications are not affected. Employ your rollback or backup restore plan, if necessary.

· Maintenance – Subscribe to notifications that alert you to vulnerabilities as they are reported. Begin the Patch Management process again.

The ability to react quickly to the announcement of a security vulnerability is key in keeping your environment secure from virus infection and attacks. Patches should be evaluated accordingly in order to reduce the chance of downtime.

Windows Desktop Risk Assessment Program Page 62 of 82

Recommended It is recommended that you install the latest available operating system with the service Resolution pack.

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Windows Firewall A firewall is a program that is designed to prevent unauthorized and malicious access to your computer over the Internet. In other words, a firewall is your defense against hackers, viruses, Trojan horses, worms, and all other malicious attacks. Unfortunately, a firewall can also block legitimate traffic, so you may still need to tweak your settings.

The Windows Firewall, introduced in Microsoft Windows XP Professional Service Pack 2 and Microsoft Windows Server 2003 Service Pack 1, provides a high level of local security for computers on which Firewall is enabled. However, by default, Firewall blocks most incoming connections, thus making remote administration of any kind impossible, including scripting. However, that is not reason enough to turn off Firewall. You only need to modify Firewall to allow the necessary incoming connections.

· For file and folder access, enable a Firewall exception for file sharing.

· For WMI access, enable remote management and Distributed Component Object Model (DCOM) connections.

· For other scripting technologies, enable incoming DCOM connections and possibly Remote Procedure Call (RPC) connections.

Compared with the firewall included in Windows XP, Windows Firewall has been enhanced in several ways:

· Windows Firewall supports both incoming and outgoing network traffic.

· Through its Windows Firewall With Advanced Security console, Windows Firewall provides far more configuration options and it can be configured remotely. A new wizard makes it easier to create and configure rules. Configuration of Internet Protocol Security (IPsec), a mechanism that provides for authentication, encryption, and filtering of network traffic, is also done in the Windows Firewall With Advanced Security console.

· In addition to the usual criteria (addresses, protocols, and ports), firewall exceptions can be configured for services, Active Directory accounts and groups, source and destination IP addresses for incoming and outgoing traffic, transport protocols other than TCP and User Datagram Protocol (UDP), network connection types, and more.

· Windows Firewall maintains three separate profiles, with the appropriate one selected depending on whether the computer is connected to a domain, to a private non-domain network, or to a public n e t w o r k .

Windows Desktop Risk Assessment Program Page 63 of 82

Copyright 2009 Microsoft Corporation Issue Windows Firewall Service is not started Importance Windows Firewall provides protection for PCs that are connected to a network by preventing unsolicited inbound connections through TCP/IP version 4 (IPv4) and TCP/IP version 6 (IPv6). You need to start the service in order to enable Windows Firewall.

Recommended To reach a higher level of risk management for corporate security, it is highly Resolution recommended that you use a desktop firewall. A client-based firewall ensures that malware and spyware cannot spread throughout the corporate environment. It also ensures that the client is restricted to a hacker's attacks in non-corporate environments. This is very important for notebook users.

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Operating System Security User Account Control (UAC) is a new security component in Windows Vista. UAC enables users to perform common tasks as non-administrators, referred to as standard users in Windows Vista, and as administrators without having to switch users, log off, or use Run As. A standard user account is synonymous with a user account in Windows XP. User accounts that are members of the local Administrators group will run most applications as a standard user. By separating user and administrator functions while enabling productivity, UAC is an important enhancement for Windows Vista.

Intended for administrators, the Group Policy Results (GPResult.exe) command line tool verifies all policy settings in effect for a specific user or computer. Administrators can run GPResult on any remote computer within their scope of management. By default, GPResult returns the settings that are in effect on the computer where GPResult is run. As a result, you are then able to identify the GPO settings that are not applied.

Windows Security Center in Windows Vista and Windows XP puts all your computer's security needs in one easy-to-find, easy-to-monitor location.

Windows Security Center helps make your PC more secure by alerting you when your security software is out-of-date or when your security settings should be strengthened. The Security Center displays your Firewall settings and tells you whether your PC is set up to receive automatic software updates from Microsoft.

Windows Vista contains several improvements over the version of Windows Security Center that was introduced in Microsoft Windows XP SP2. These include showing the status of software designed to protect against spyware, your Microsoft® Internet Explorer® 7 security settings, and User Account Control. In addition, Windows Security Center can monitor security products from multiple companies and show you which are enabled and up-to-date.

Issue User Account Control (UAC) for Build-In Administrators is disabled Importance Users in corporate environments are mainly local administrators so that applications can work correctly. With the use of UAC, a local administrator is logged on as a standard user account. Only when an application requests more privileges, will the user be asked if the request is acceptable.

Windows Desktop Risk Assessment Program Page 64 of 82

To enable this Group Policy, complete the following steps:

1. Navigate to start, Run and type in gpedit.msc 2. Select Computer Configuration, select Windows Settings, and then select Security Settings. 3. Select Local Policies and then select Security options. 4. For User Account Control: Admin Approval Mode for the Built-in Administrator Account.

Recommended UAC References Reading http://msdn.microsoft.com/en-us/library/bb756883.aspx

Understanding and Configuring User Account Control in Windows Vista http://technet.microsoft.com/en-us/library/cc709628.aspx

Inside Windows Vista User Account Control http://technet.microsoft.com/en-us/magazine/cc138019.aspx

Managing User Account Control and Security Issues http://msdn.microsoft.com/en-us/library/bb189298.aspx

Using the Standard User Analyzer Wizard http://technet.microsoft.com/en-us/library/cc838041.aspx

What is the User Account Control Compatibility Evaluator http://technet.microsoft.com/en-us/library/cc721968.aspx

EnableLUA http://msdn.microsoft.com/en-us/library/cc206332(PROT.10).aspx

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Physical Device Security Controlling Device Installation Using Group Policy

It is more difficult for a user to make unauthorized copies of company data if the user’s computer cannot install unapproved devices that support removable media. For example, if users cannot install a CD-R device, they cannot burn copies of company data onto a recordable CD. This benefit cannot eliminate data theft, but it creates another barrier to unauthorized removal of data. You can also reduce the risk of data theft by using Group Policy to deny write access to users for devices that are removable or that use removable media. You can grant access on a per-group basis when you use Group Policy.

Group Policy Settings for Removable Storage Access

In Windows Vista and Windows Server 2008, an administrator can apply computer policy to control whether users are allowed to read from or write to any device using removable media. These policies can be used to

Windows Desktop Risk Assessment Program Page 65 of 82

Copyright 2009 Microsoft Corporation help prevent sensitive or confidential material from being written to removable media, or to a removable device containing storage, and then removed from the premises.

Securing Security Accounts Management Database by Using SysKey

The Microsoft Windows XP and Microsoft Windows Vista Security Accounts Management Database (SAM) store hashed copies of user passwords. This database is encrypted with a locally stored system key. To keep the SAM database secure, Windows requires that the password hashes be encrypted. Windows prevents the use of stored, unencrypted password hashes. You can use the SysKey utility to additionally secure the SAM database by moving the SAM database encryption key from the Windows-based computer.

Issue Users are not prevented from installing devices Importance It is more difficult for users to make unauthorized copies of company data if those user computers cannot install unapproved or unknown devices.

Recommended Removable devices as well as the installation of device drivers must be restricted. Resolution This can be accomplished in two ways:

* By creating a black list: Restricting specific devices and classes. * By creating a white list: Allowing only specific devices and classes.

Refer to Step-by-Step Guide to control device installation using Group Policies and configure the Group Policy as necessary.

To configure this Group Policy, complete the following steps:

1. Navigate to Start, Run and type in gpedit.msc 2. Select Computer Configuration, select Administrative Templates, and then select System. 3. Select Sevice Installation and then select Device Installation Restrictions. 4. Enable the following options:

* Prevent installation of devices not described by other policy settings. * Prevent installation of devices that match any of these device IDs. * Prevent installation of devices using drivers that match these device setup classes. * Prevent installation of removable devices.

5. Specify additional policy settings as necessary, including:

* Allow installation of devices that match any of these device IDs. * Allow installation of devices using drivers that match these device setup classes.

Recommended Step-By-Step Guide to Controlling Device Installation Using Group Policy Reading http://msdn.microsoft.com/en-us/library/bb530324.aspx

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Logical Network Hardening

Windows Desktop Risk Assessment Program Page 66 of 82

Copyright 2009 Microsoft Corporation To help prevent denial of service (DoS) attacks, keep your computer updated with the latest security fixes and harden the TCP/IP protocol stack on your Windows Server 2003-based and Windows Vista-based computers that are exposed to potential attackers. The default TCP/IP stack configuration is tuned to handle standard intranet traffic. If you connect a computer directly to the Internet, we recommend that you harden the TCP/IP stack to protect against DoS attacks.

DoS attacks that are directed at the TCP/IP stack tend to be one of two kinds: attacks that use an excessive number of system resources (one way to do this is to open numerous TCP connections) or attacks that send specially crafted packets that cause the network stack or the entire operating system to fail.

Issue IP source routing is not disabled Importance IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network.

Recommended An attacker could use source routed packets to obscure their identity and location. Resolution Source routing allows a computer that sends a packet to specify the route that the packet takes. If you set this value to 2, all incoming source routed packets will be dropped.

Hive: HKEY_LOCAL_MACHINE Path: SYSTEM\CurrentControlSet\Services\TcpIp\Parameters Key: DisableIPSourceRouting Type: REG_DWORD Value: 0 (forward all packets) 1 (do not forward source routed packets) 2 (drop all incoming source routed packets) Description: Disables IP source routing and allows a sender to determine the route that a datagram should take through the network.

Recommended Threads and Vulnerabilities Mitigation Reading Additional Registry Entries http://technet.microsoft.com/en-us/library/cc766102.aspx

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Printing Security Point and Print is the Windows feature that automatically downloads and installs a printer driver when a user connects to a shared printer. Point and Print also updates the printer driver on the client computer when the driver configuration is updated on the print server. This allows restricting the use of unknown and untested printer drivers, including malicious printer drivers.

Windows Desktop Risk Assessment Program Page 67 of 82

Copyright 2009 Microsoft Corporation Issue Point and Print Restrictions are not Enabled Importance Point and Print is a Windows feature that automatically downloads and installs a printer driver when a user connects to a shared printer. Point and Print also updates the printer driver on the client computer when the driver configuration is updated on the print server. This prevents the use of unknown and untested printer drivers, including malicious printer drivers.

Recommended Enable the Point and Print Restrictions policy by using group policies. Resolution Recommended Description of the Point and Print Restrictions policy setting in Windows Server 2003 and Reading Windows XP http://support.microsoft.com/kb/319939

Point and Print Security on Windows Vista http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac818 4a/VistaPnPSec.doc

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Microsoft Internet Explorer Security Browsing the Web is one of the top activities of PC users. As the Web has become more complex yet more mission-critical, the ability to easily search and consume multiple sources of information daily has become a necessity, whether looking at favorite news sites, consulting intranet sites, managing finances, performing research, shopping, sending e-mail, or even blogging.

As the internet poses as much a threat as a helpful tool of productivity, it enables hackers to distribute malicious code.

Therefore it is extremely important to understand and utilize the built in security features that Microsoft Internet Explorer provides.

Issue Security_HKLM_Only is enabled Importance Security-related settings are usually configured per user. The registry key, Security_HKLM_Only, allows configuration of computer-wide restrictions. However, only user settings appear in Internet Options.

Recommended Because Internet Options shows only user settings, this key should only be used in Resolution combination with restricting the Internet Options page.

Recommended Security_HKLM_only Reading http://technet.microsoft.com/en-us/library/cc779973.aspx

Internet Explorer security zones registry entries for advanced users http://support.microsoft.com/kb/182569

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Windows Desktop Risk Assessment Program Page 68 of 82

Copyright 2009 Microsoft Corporation Power Management Energy efficiency is one of the most important topics in the computing industry. Processor and chipset manufacturers promote their hardware in terms of performance per watt consumed. In addition, governmental agencies are increasing their scrutiny of PC energy consumption and are encouraging consumers to purchase energy-efficient hardware and software.

Energy efficiency impacts all Microsoft Windows platforms from ultra-mobile systems to many-processor servers. Energy efficiency helps extend battery life in mobile PCs and helps reduce energy expenses for desktop PCs and server systems.

Windows helps enable energy efficiency on PC platforms by providing power policy configuration options. System manufacturers and IT professionals can use power policy configuration options to tune Windows platforms for power savings or performance. Simple changes to power policy configuration can help extend mobile PC battery life or enable extra system processor and disk performance.

Windows also provides group policy support that allows IT professionals to enforce power policy settings across an enterprise. This functionality can be used to enable monitor and computer power management settings to help reduce PC and server energy expenses.

ACPI ACPI-compliant computers can take full advantage of reduced power consumption by controlling power requirements for Plug and Play hardware and applications. ACPI is a more advanced form of power management supported by both the operating system and the computer system hardware.

If a computer is ACPI-compliant, it is indicated in Device Manager under the Computer node. ACPI support is provided by the ACPI driver (ACPI.SYS) and the ACPI-embedded controller driver, (ACPIEC.SYS).

In ACPI systems, the operating system, not the hardware, is tasked with managing hardware power consumption. The operating system controls power consumption of the ACPI-compliant system board and all connected Plug and Play devices. To optimize power efficiency, consider replacing any legacy hardware with Plug and Play devices.

ACPI functionality is deeply tied to BIOS functionality, any problems that might arise from the BIOS compatibility can directly influence any ACPI commands. It is very important to keep the BIOS version up to date in order to achieve a high level of compatibility and functionality.

Issue Old ACPI driver version is detected Importance On systems that have an ACPI BIOS, the HAL (Hardware Abstraction Layer) causes the ACPI driver to be loaded during system startup at the base of the device tree. It is here, where the driver acts as the interface between the operating system and the BIOS. The ACPI driver is transparent to other drivers.

The ACPI driver's responsibilities include support for Plug and Play and Power Management. For example, ACPI tasks on a system might include reprogramming the resources for a COM port or enabling the USB controller for system wake-up.

It is essential that you have the latest ACPI driver installed on the system.

Windows Desktop Risk Assessment Program Page 70 of 82

Copyright 2009 Microsoft Corporation Recommended It is recommended that you regularly verify whether a newer ACPI driver is available for Resolution the target computers. Only by using the latest ACPI driver release will Power Management capabilities be used efficiently and system resiliency thus guaranteed.

Recommended Processor Power Management in Windows Vista and Windows Server 2008 Reading http://www.microsoft.com/whdc/system/pnppwr/powermgmt/ProcPowerMgmt.mspx

The Battery Life Challenge - Balancing Performance and Power (Intel Corporation). http://download.intel.com/pressroom/kits/events/wmd_05/ExtendingBatteryLifeWP.pdf

Application Power Management Best Practices for Windows Vista http://www.microsoft.com/whdc/system/pnppwr/powermgmt/PM_apps.mspx

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Device Wakeup Supportability If a device has Wakeup support, these can be configured to allow system wake-up when the computer has entered Sleep mode.

Certain hardware configurations also allow devices to be started when being turned off completely (such as Wake On Lan WOL).

In rare scenarios this can also lead to the PC waking up although it should, especially in the case of faulty hardware.

Issue Devices that are user-configurable to wake the system from a sleep state are detected Importance Devices can be configured to allow system wake-up when being used during Sleep mode.

Recommended It is recommended that you limit the use of this feature. It requires power, even when Resolution in Sleep mode, and thus could drain the battery.

It is possible to disable the wakeup option for those devices that are causing problems. For example, a problem device could be a USB mouse that wakes up Windows when you unplug it from your computer.

To disable a specific device, complete the following steps:

1. Open Device Manager, double-click the corresponding device, and then choose Properties. 2. Click the Power Management tab. 3. Select the device that you want to disable.

Recommended Increasing System Power Efficiency through Driver Support for Runtime Idle Detection Reading http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac818 4a/S0idle_driver.docx

Windows Desktop Risk Assessment Program Page 71 of 82

Interrupt Interrupts/sec is the number of interrupts to which the processor was asked to respond. Interrupts are generated from hardware components such as hard disk controller adapters and network interface cards (NICs). A sustained value of over 1000 per processor is usually an indication of a problem. Problems could include a poorly configured driver, errors in drivers, excessive utilization of a device, or hardware failure. A high number of interrupts/sec keeps the CPU busy and has an important impact on total power consumption.

Issue Amount of interrupts per second is very high Importance Interrupts/sec is the number of interrupts that the processor was asked to respond to. Interrupts are generated from hardware components such as hard disk controller adapters and network interface cards. A sustained value that is over 1000 per processor is usually an indication of a problem. Problems can include poorly configured drivers, errors in drivers, excessive utilization of a device, or a hardware failure. A high number of interrupts/sec keeps the CPU busy and has a significant impact on total power consumption and performance.

Recommended It is recommended that you perform an in-depth analysis to determine the root cause of Resolution the high number of interrupts per second.

This can be done by using the Windows Performance Tools Kit and the following command-line command:

Xperf - on PROC_THREAD+DISK_IO+INTERRUPT

If you run multimedia applications on your computer system, make sure that the default timer has not been changed. A timer resolution change from 15.6 milliseconds (default) to 1 millisecond will have a 10 to 15 percent impact on total power consumption. That reduces a 5-hour notebook by 30 to 45 minutes, which is significant. The goal is to run in the default timer resolution whenever possible, particularly if your application is not delivering any active functionality. You should also verify the interrupts/sec counter results in Performance Monitor (perfmon.exe) both with and without the multimedia application.

In addition to explicitly using the Windows Multimedia APIs to increase timer resolution, application developers should validate that any external libraries or application development frameworks do not unexpectedly change the system timer interval on behalf of the application.

To help application developers and users determine whether an application has changed the system timer interval, Windows Vista® automatically generates a system event when the system timer interval changes. It then logs the process name and the requested interval. This event is written to the kernel power diagnostic log, and the event has an event ID 63:

The application or service [path-to-process-image] is attempting to update the system timer resolution to a value of [timer-interval-in-100-ns-units].

For example, a test application named test generates the following event when it calls the timeBeginPeriod API with a value of 1 millisecond:

The application or service \Device\harddiskVolume1\test.exe is attempting to update Windows Desktop Risk Assessment Program Page 72 of 82

To enable the kernel power diagnostic event log, complete the following steps:

1. Open the Windows Event Viewer. 2. On the View menu, enable Show Analytic and Debug Logs. 3. In the left tree view, go to Applications and Services Logs, select Microsoft, select Windows, and then select Kernel-Power. 4. Right-click Diagnostic and select Enable Log. 5. Restart the system.

Recommended Analyzing Processor Activity Reading http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/prork/pred_an a_tbbt.mspx?mfr=true

Windows Performance Tools Kit http://www.microsoft.com/whdc/system/sysperf/perftools.mspx

Windows Multimedia Timer Resolution http://msdn.microsoft.com/en-us/library/ms713422.aspx

Application Power Management Best Practices for Windows Vista http://www.microsoft.com/whdc/system/pnppwr/powermgmt/PM_apps.mspx

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Processor Capabilities Modern processors support a range of power management technologies, including processor performance states and processor idle states. These technologies trade performance for power savings by exploiting periods of reduced processor demand and idle time between platform hardware events.

Windows Desktop Risk Assessment Program Page 73 of 82

Copyright 2009 Microsoft Corporation Issue Windows is not prevented from creating an artificial processor performance state control domain on a multi-core system Importance When Windows Vista® and Windows Server® 2008 were developed, several dual-core and dual-logical processor designs were widespread in the marketplace. These CPUs typically provide one set of performance state controls that are shared across both cores, or logical processors, thus implying that a control dependency exists. However, firmware for these platforms targets legacy operating systems or predates the release of Windows Vista and therefore generally does not provide the ACPI 3.0 dependency objects.

To support these popular processors without first requiring a platform BIOS update, Windows Vista and Windows Server 2008 create an artificial processor performance state dependency domain for the operating system to use. Windows synthesizes a dependency domain for all processors (cores or logical processors) within the same physical package. This is the default behavior for Windows Vista and Windows Server 2008. Thus, the _PSD object is not required to be present in the ACPI namespace to realize multiprocessor performance states on platforms equipped with these dual-core processors.

Recommended For future systems that may provide two processor cores sharing the same physical Resolution package but which have independent controls, this default behavior of creating an artificial control dependency domain can be overridden in the following two ways: * The ACPI namespace may include a _PSD object describing a separate dependency domain number for each logical processor or core. * The following registry key may be set: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Throttle DWORD: PerfEnablePackageIdle Value: Set to 1 to prevent Windows from creating an artificial processor performance state control domain

Recommended Processor Power Management in Windows Vista and Windows Server 2008 Reading http://www.microsoft.com/whdc/system/pnppwr/powermgmt/ProcPowerMgmt.mspx

The Battery Life Challenge - Balancing Performance and Power (Intel Corporation). http://download.intel.com/pressroom/kits/events/wmd_05/ExtendingBatteryLifeWP.pdf

Windows Driver Kit: Driver Development Tools Index of Windows Driver Kit Tools http://msdn.microsoft.com/en-us/library/aa469207.aspx

Application Power Management Best Practices for Windows Vista http://www.microsoft.com/whdc/system/pnppwr/powermgmt/PM_apps.mspx

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Power Management Plan A power plan is a collection of hardware and system settings that manages how your computer uses and conserves power. Power plans can save energy, maximize system performance, or balance energy

Windows Desktop Risk Assessment Program Page 74 of 82

Issue Power Plan is set to "High Performance" Importance If a sleep idle timeout is enabled in power policy, Windows Vista® automatically places the computer in the Sleep state after a period of inactivity. The idle detection threshold determines the amount of required processor idleness for the system to automatically enter the Sleep state.

Recommended The Windows Power Manager tracks the following inputs to determine if a system is idle Resolution and should automatically enter the Sleep state:

* User input, including mouse and keyboard input * Application requests such as a PVR application requesting that the system remain in wake to record a television program even though the user is not present at the system * Processor idleness or the amount of processor idle time on the system

The idle detection threshold configures the minimum amount of processor idle time (the percentage) that is required for Windows to accrue time toward the Sleep idle timeout. By default, the idle detection threshold is configured to 80 percent, indicating that the processor must be 80-percent idle for the Power Manager to automatically place the system into the Sleep state.

The Windows Power Manager reviews current system idleness every 15 seconds. During each review period, the Power Manager determines the time since the last user input, any application requests for the system to remain in wake, and the amount of processor idle time over the last 15-second period. If the processor idle time is greater or equal to 80 percent and all other conditions are met, the Power Manager considers the system to be idle for the last 15-second period and increments the accrued idle time by 15 seconds. The processor idle time is correctly adjusted for processor performance states where processor frequency may be adaptively changed, based on workload.

System manufacturers and IT professionals can adjust the idle detection threshold to a lower value. This allows the Power Manager to be more aggressive in transitioning the system to the Sleep state automatically, thus helping to reduce energy consumption and extend mobile PC battery life. Setting the idle detection threshold to 0 percent is the most aggressive value for power savings and indicates to the Power Manager that processor activity should be ignored in determining if the system is idle enough to automatically transition to the Sleep state.

By using powercfg, the setting can be specified in the following way:

Friendly name Idle detection threshold Description Required processor idleness to sleep GUID 81cd32e0-7833-44f3-8737-7081f38d1f70

Windows Desktop Risk Assessment Program Page 75 of 82

Copyright 2009 Microsoft Corporation Recommended Optimizing Windows Vista Platforms for Energy Efficiency Reading http://download.microsoft.com/download/0/0/b/00bba048-35e6-4e5b-a3dc-36da83cbb 0d1/Optimize_Power.doc

Windows Driver Kit: Driver Development Tools Index of Windows Driver Kit Tools http://msdn.microsoft.com/en-us/library/aa469207.aspx

Application Power Management Best Practices for Windows Vista http://www.microsoft.com/whdc/system/pnppwr/powermgmt/PM_apps.mspx

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Windows Desktop Risk Assessment Program Page 76 of 82

Applications in general are programs designed to assist in the performance of a specific task, such as word processing, accounting, inventory management, and more. Applications are used to fulfill open tasks faster and more efficiently. Thus, it is important that these applications are correctly configured.

Application Compatibility

Application compatibility is often a deployment-blocking issue. Since the arrival of Microsoft Windows as a ubiquitous application platform, independent software vendors (ISVs) and internal developers have created thousands of applications for it. Many are mission-critical applications. However, some are not compatible with the latest version of Windows. Types of applications that might not be compatible include the following:

· Line-of-business (LOB) applications such as enterprise resource-planning suites

· Core applications that are part of standard desktop configurations

· Administrative tools such as antivirus, compression, and remote-control applications

· Custom tools such as logon scripts

You can use four main tools to mitigate application-compatibility issues: Program Compatibility Assistant, Program Compatibility Wizard, ACT, and application virtualization.

The principal set of tools available to deal with application compatibility issues is the Application Compatibility Toolkit. This toolkit contains documentation, usage guides, and several tools that support the deployment of third-party applications.

Issue Use Microsoft Application Compatibility Toolkit (ACT) to resolve application compatiblity issues Importance The Microsoft Application Compatibility Toolkit (ACT) 5.0 helps customers understand their application compatibility situation by identifying which applications are compatible with the Windows Vista® operating system and which require further testing. ACT helps customers lower their costs for application compatibility testing and prioritize their applications.

Recommended Use Microsoft Application Compatibility Toolkit (ACT) to resolve application compatibility Resolution issues.

Recommended Microsoft Application Compatibility Toolkit 5.0 Reading http://www.microsoft.com/downloads/details.aspx?FamilyId=24DA89E9-B581-47B0-B4 5E-492DD6DA2971&displaylang=en

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Startup Programs Startup programs are programs that are run during or after the user logon process. These programs can often be found in the system tray but can be hidden as well. Usually, they provide additional information to the user or provide additional functions at runtime. Every application can be a startup program. Thus, it is

Windows Desktop Risk Assessment Program Page 77 of 82

A large number of software components have startup elements which might be necessary for use in a day to day environment.

A close evaluation of functionality and turning these components off can significantly reduce overall boot times.

Issue Applications are configured in the Registry to automatically start after user logon Importance Applications that are configured to automatically start after user logon may delay the user logon procedure and result in poor user experience, overall.

Recommended It is recommended that you verify the need of the listed applications against the line of Resolution business applications and requirements. If it is not necessary to start the listed applications automatically after user logon, they should be removed to avoid delays in the user logon procedure.

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Services Microsoft Windows services, formerly referred to as NT services, allow you to create long-running executable applications that run in their own Windows sessions. These services can be automatically started when the computer boots, can be paused and restarted, and do not show any user interface.

Issue Service Alerter is not disabled Importance The Alerter service is used to send alert messages to specified users and computers that are connected to the network.

Recommended The service can be used for social engineering attacks and should be disabled. Resolution Recommended Windows XP Security Guide Reading Chapter 3: Security Settings for Windows XP Clients http://technet.microsoft.com/en-us/library/cc163074.aspx

Windows Vista Security Guide http://technet.microsoft.com/en-us/library/bb629420.aspx

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Task Scheduler The Task Scheduler enables you to automatically perform routine tasks on a chosen computer. The Task Scheduler does this by monitoring whatever criteria you choose to initiate the tasks (referred to as triggers) and then executing the tasks when the criteria is met.

Windows Desktop Risk Assessment Program Page 78 of 82

Copyright 2009 Microsoft Corporation The Task Scheduler can be used to execute tasks such as starting an application, sending an e-mail, or showing a message box. Tasks can be scheduled to execute the following: · When a specific system event occurs

· At a specific time

· At a specific time on a daily schedule

· At a specific time on a weekly schedule

· At a specific time on a monthly schedule

· At a specific time on a monthly day-of-week schedule

· When the computer enters an idle state

· When the task is registered

· When the system is booted

· When a user logs on

· When a Terminal Server session changes state

Windows Vista® comes with a extended subset of Tasks (defragmentation, boot optimization) which are regularly scheduled and can help optimize performance on computers with the latest hardware.

On older systems with less hardware capacity and performance features, these regular tasks can cause an overhead in day to day operations. Therefore it is important to understand the particular tasks and their functions before optimizing them.

Issue Custom Task Scheduler entries are defined Importance The Task Scheduler enables you to automatically perform routine tasks on a chosen computer. The Task Scheduler does this by monitoring whatever criteria you choose to initiate the tasks (referred to as triggers) and then executing the tasks when the criteria is met.

Recommended Customized Task Scheduler entries may interact with the user's desktop or may Resolution allocate system resources that prevent the user from working efficiently.

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Windows Shell Windows Shell is the container that the entire Windows user interface is presented in, including the taskbar, the Desktop, Windows Explorer, and many of the dialog boxes and interface controls.

The Windows user interface (UI) provides users with access to a wide variety of objects necessary for running applications and managing the operating system. The most numerous and familiar of these objects are the folders and files that reside on computer disk drives. There are also a number of virtual objects that allow the user to perform tasks such as sending files to remote printers or accessing the Recycle Bin. The

Windows Desktop Risk Assessment Program Page 79 of 82

A lot of third party products hook into the Windows Shell in order to bring additional functionality to the user. Typically these functionality can be found in context menus or in special buttons that may appear in program taskbars.

These additional pieces of code can cause instability with system components. Therefore it is very important to understand, what pieces of software are installed and what they are used for.

Issue Visual effects are configured to Let Windows choose Importance If Windows is running slowly, you can speed it up by disabling some of its visual effects. The decision will be appearance versus performance. For example, should Windows run faster or be visually interesting? If your PC is fast enough, you do not have to make this tradeoff. However, if your computer is not quite powerful enough for Windows Vista®, it can be helpful to scale back the visual effects.

Recommended To help improve the performance of your computer, you can disable some or all of the Resolution visual effects. There are 20 visual effects you can control, such as the transparent glass look for Vista, the way menus open or close, and whether shadows are displayed.

When you disable visual effects, you change only the graphical elements on your desktop. You can still do everything you did before with your computer, but now only faster.

To disable specific visual effects, complete the following steps:

1. Click Start, right-click My Computer, and then click Properties. 2. The System Properties dialog box appears. Click the Advanced tab. In the Performance area, click Settings. 3. The Performance Options dialog box appears. On the Visual Effects tab, select the Custom option. 4. Clear the check boxes for the visual effects you want to disable. 5. Click OK. 6. You are returned to the System Properties dialog box. Click OK.

To disable all visual effects for the best performance, complete the following steps:

1. Click Start, right-click My Computer, and then click Properties. 2. The System Properties dialog box appears. Click the Advanced tab. In the Performance area, click Settings. 3. The Performance Options dialog box appears. On the Visual Effects tab, select the Adjust for best performance option. 4. Click OK. 5. You are returned to the System Properties dialog box. Click OK.

Recommended Optimize Windows Vista for better performance Reading http://windowshelp.microsoft.com/Windows/en-US/help/83EC0FFE-EE04-4D53-8B87-25 D1F05C954E1033.mspx

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Windows Desktop Risk Assessment Program Page 80 of 82

Copyright 2009 Microsoft Corporation Microsoft Internet Explorer Internet Explorer makes everyday tasks easier with improved navigation through tabbed browsing with IE7, Web search from the toolbar, advanced printing, easy discovery, reading and subscription to RSS feeds, and much more.

Internet Explorer provides dynamic security protection through a robust new architecture, security features that help defend against malicious software (also known as malware), and new ways to better protect against the theft of personal data from fraudulent Web sites, a practice known as phishing. Internet Explorer is an improved platform for Web development and manageability, including improved support for cascading style sheets (CSS), a rich RSS feeds platform, and robust tools for deploying and managing Internet Explorer 7 in large enterprise environments.

As Internet Explorer serves as a window to the internet, it provides a set of security configuration settings in order to protect your PC. We recommend reviewing these settings in order to achieve a high level of security.

Issue Internet Explorer Browser version is not up-to-date Importance Microsoft® Internet Explorer® 8.0 is the most recent version.

Best Practice The most recent release of Internet Explorer is version 8.0, which is available as a free Guidance update for Windows XP, Windows Server® 2003 and Windows Vista®.

Installing Internet Explorer 8.0 helps reduce attack surface and resolves known application and security-related issues.

Availability of Internet Explorer:

Browser Windows

OS Vista XP SP2 XP 2000 release pre-SP2

IE8 Update Update available available

IE7 Build-in Update - - available

IE6SP2 - Built-In - -

IE6SP1 - - Built-In Update with SP1, available Update for RTM available

IE6 - - Built-In Update with RTM available

Windows Desktop Risk Assessment Program Page 81 of 82

Recommended Internet Explorer 8: Home page Reading http://www.microsoft.com/windows/internet-explorer/default.aspx

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Microsoft Office The Microsoft® Office Suite provides a number of applications to the user, allowing the use of word processing, table calculation, email and many more.

In time, the amount of data stored within these applications can grow considerably. While the Microsoft Office system centers around performance to provide the best possible end user experience, misconfiguring certain features can lead to performance slowdowns.

It is important to understand that a regular administration is required to ensure optimal results for the end user.one example is the sizing of pst files and preventing users from storing pst files on network shares.

Issue Default printer is pointing to a network location Importance A Microsoft® Office 2007 application may respond slowly if a network printer is used as default printer.

Recommended When you start a Microsoft® Office 2007 application, it gathers information for Resolution document formatting and printing operations. If the files, drivers, or fonts are damaged, are missing, or are located on a remote server, an Office Word document may require more time to connect to the server and gather the information that it needs.

It is recommended that you use a local printer as a default printer and change the printer in the applications printer settings, if needed.

Recommended Word is slow to start, print, or load documents Reading http://support.microsoft.com/kb/280821

Affected PC.RAPID-VSN-01 Objects Back to: TOC Consolidated High Med Low

Windows Desktop Risk Assessment Program Page 82 of 82