Installing, Upgrading, and Migrating to Windows 7
- Go back and add notes here.

Deploying Windows
- Run to prepare a computer for capturing an image with the Welcome prompts
- ImageX is included with Windows AIK
  - imagex /capture c: c:\wind7desktop.wim ← Capture an image of the C drive to the C drive
  - If you save another image with ImageX to the same filename, it only saves the changes
  - The /compress fast switch compresses the file
- DISM (Deployment Image Servicing and Management tool) can update a WIM file
  - dism /get-wiminfo /WimFile:install.wim ← Shows images contained in the WIM file
  - dism /Mount-Wim /WimFile:install.wim /index:1 /mountdir:c:\mount ← Mounts the WIM file to the C drive for editing
  - Created in C:\Mount. Can add files to the default user’s desktop... etc.
  - dism /Image: /Add-Driver /Driver:
  - To add software, only supports MSU and CAB files
- diskpart (further commands come later)
  - select disk 0
  - clean
  - create partition primary size=100 (size in MB)
  - select partition 1 (partitions start with 1, as opposed to HDDs starting with 0)
  - format fs=ntfs quick label=system
  - active (copies bootstrap data to the HDD to make it bootable)
  - create partition primary (creates partition using all available space)
  - select partition 2
  - format fs=ntfs quick label=windows
  - assign letter=g (assigns partition 2 the letter g)
  - exit (leaves diskpart)
- Navigate to the network drive with ImageX in it
  - imagex /apply win7desktop.wim 1 g: (applies the image to partition 2)
  - g:\windows\system32\bcdboot g:\windows
  - System is now complete and ready to boot
- All of these commands can be put into a batch file
- Can alternatively download MDT (MS Deployment Toolkit)
  - It’s hella robust and complicated
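The notes say the partition/apply/bcdboot sequence "can be put into a batch file"; the script below is an added example of that (not from the notes or from any Microsoft tool), written for PowerShell and meant to be run from WinPE. It assumes ImageX and the WIM sit on a mapped drive Z:, that disk 0 is the target, and that the system and Windows partitions get the letters S: and W: (the notes used g:). Run it only against a disk you intend to wipe.

```powershell
# Added example: scripted layout + image apply + boot files, the diskpart /
# imagex / bcdboot sequence from the notes. Assumed paths and letters below.
param(
    [int]    $DiskNumber    = 0,
    [string] $WimPath       = 'Z:\win7desktop.wim',   # assumption: mapped drive Z:
    [int]    $ImageIndex    = 1,
    [string] $ImageXPath    = 'Z:\imagex.exe',        # assumption
    [string] $SystemLetter  = 'S',   # 100 MB system (boot) partition
    [string] $WindowsLetter = 'W'    # partition that receives the image
)

# diskpart takes its commands from a script file with /s; building the file first
# makes the whole layout reviewable before anything touches the disk.
$diskpartScript = @"
select disk $DiskNumber
clean
create partition primary size=100
select partition 1
format fs=ntfs quick label=system
active
assign letter=$SystemLetter
create partition primary
select partition 2
format fs=ntfs quick label=windows
assign letter=$WindowsLetter
exit
"@
$scriptFile = Join-Path $env:TEMP 'layout.txt'
Set-Content -Path $scriptFile -Value $diskpartScript -Encoding ASCII

Write-Host "Partitioning disk $DiskNumber (this destroys all data on it)"
& diskpart.exe /s $scriptFile
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# Apply the captured image to the Windows partition (same as 'imagex /apply ... 1 g:').
& $ImageXPath /apply $WimPath $ImageIndex "$($WindowsLetter):"
if ($LASTEXITCODE -ne 0) { throw "imagex /apply failed with exit code $LASTEXITCODE" }

# bcdboot copies the boot files out of the applied Windows folder and writes the BCD
# store; /s points it at the separate system partition created above.
& "$($WindowsLetter):\Windows\System32\bcdboot.exe" "$($WindowsLetter):\Windows" /s "$($SystemLetter):"
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }

Write-Host 'Image applied and boot files written; the system is ready to reboot.'
```

Each external call is followed by an exit-code check: diskpart, imagex and bcdboot all report failure through the exit code rather than by throwing, so without the checks a failed clean would be followed by an apply onto whatever partition happened to exist.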

Configuring Hardware and Applications
- Go back and add notes here.

Configuring Network Connectivity
- IP troubleshooting commands:
  - /release /renew /flushdns /registerdns
  - ping (test connection to other device)
  - tracert (see each hop)
  - -a (see open ports on your machine)
- Metal structures can interfere with wireless signals
- Wireless networks generally not as fast as wired
- WEP, WPA, WPA2 ← In order of security
- Can change channel under the wireless device’s Advanced tab to reduce interference
- First introduced with Windows XP.
- Stateful firewall = data is allowed in only if first requested by the client computer
- Network Locations in Windows 7 = Home, Work, Public. Sets firewall rules.
- Windows Firewall > Allowed Programs to allow certain programs through the firewall
- Port 80 is the HTTP (web) port. Port 23 is the telnet port (unencrypted).
- Windows Firewall with Advanced Security rules can be exported and imported for your domain
- Remote Desktop settings → System and Security > System > Remote Settings
  - Allow Connections from Computers
  - Select Users and add an administrative user account
  - Good to create a WIM image with these settings for company computers
- Windows Remote Management Service (WinRS) and PowerShell are used for executing commands from a remote computer
  - winrm quickconfig can be run on the client computer to allow it to receive commands
  - winrs -r:CompName ipconfig will run ipconfig on that computer
  - PowerShell uses cmdlets, which are pre-configured scripts that are very powerful
  - PowerShell: icm computername {get-wmiobject -class win32_desktop}
- Remote Assistance can request for someone to remote in via email
  - Easy Connect requires IPv6
  - Must have Allow Remote Access ticked under the Remote tab in Computer properties
- Remote Desktop, on the other hand, will lock the desktop. Used for remote control.
  - Windows 7 Professional, Enterprise, and Ultimate required
  - Can edit properties (color depth, connection speed... etc.) to improve Remote Connections
- Two computers on a DOMAIN already have a trust for PowerShell communication

Configuring Access to Resources
- Folder virtualization = Windows 7 Libraries
  - Library properties > Set save location = files are saved to that folder within the Library
- Workgroup is de-centralized and hard to manage for lots of computers and users
- Homegroup is centralized with one password, and printers and files can be shared
  - Computers on a domain cannot create or access resources from a Homegroup
- Network location awareness for printers only available on computers with a battery installed
- When Share and NTFS permissions are combined, the most restrictive rule wins
- Encrypted (EFS) on Professional, Enterprise, or Ultimate only
  - Encrypted file certificates are tied to your user account.
  - You can back up your certificates in case you ever delete your user data
  - Data Recovery Agent (DRA) places a second decryption key within the file
  - Run mmc and add a new Certificates Snap-In to enable certificates
  - Right-click on a file and tick Encrypt files to protect data.
- DRA → Create a new account:
  - Open up a command prompt, and cipher /r:DRAKeys
  - Then type in a password to protect the PFX file.
  - This will create two keys, one public and one private.
  - Open up Local Group Policy Editor
  - Security Settings > Public Key Policies >
  - Right-click and Add Data Recovery Agent.
  - Select the public certificate file (.CER) that was created.
  - Do this before users start encrypting files
- UAC works by using two SIDs (one for the logged-in user, and one for admin)
- Certificate Authority (CA) can either be private (managed by the company) or third-party
- certmgr.msc is the Certificate Manager
  - From here, you can import and export certificates created on the computer
- Smart card is any card with a chip embedded in it, such as authentication cards for Win7
  - Some businesses might use smart cards because they are more secure than name/pass
  - Smart cards contain a public and private key. Needs either a laptop reader or an external one.
  - Most smart cards will not allow you to export a private key from the card.
  - Personal Identity Verification (PIV) standard used with smart cards (defines how data is stored)
  - Windows 7 automatically supports PIV and downloads drivers
  - TLS is the protocol used with smart cards to communicate with the network
  - Group Policy location: Computer config\Policies\Windows Settings\Security Settings\Local Policies\Security Options
    - Contains flags and settings to make smart card logon required
    - Define what happens if a smart card is removed (can force log off or no action)
- Rights = Allow or Deny; best to use default groups in Windows when assigning rights
  - Open Local Security Policy to jump right to the user rights assignment section
  - Simply add different user groups to each right (i.e. Log on locally)
- PROTIP: Shift + Right-click adds the “Run as a different user” option
  - /user:computername\username
- BranchCache caches files sent over the WAN within the LAN for faster access
  - Requires Win7 Enterprise/Ultimate or 2008 R2
  - Auto kicks in when round trip latency exceeds 80 ms
  - Hosted mode requires Server 2008 at each location and an SSL cert
  - Distributed cache mode = Each Win7 has its own cache
  - Group Policy > Admin Templates > Network > BranchCache
  - netsh branchcache show status (shows BC mode running)
  - netsh branchcache set service mode=hostedclient location=servername
  - mode=distributed (no location param needed b/c no server)
  - netsh branchcache show localcache (shows cache size/location)
  - BC needs port 80 (ib/ob TCP) open regardless of mode
  - Distributed needs UDP port 3702 ib/ob
  - Hosted needs ob TCP port 43
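The DRA steps above say to run cipher /r and then hand the .cer to Group Policy. The script below is an added example (not from the notes) that does the key generation and then checks, before the certificate is published, that the .cer really carries the EFS "File Recovery" enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4.1), so a wrong file cannot be added as the agent. The output folder C:\DRA and base name DRAKeys are assumptions.

```powershell
# Added example: generate the DRA key pair with cipher /r and verify the public
# certificate before it goes into Public Key Policies. Assumed folder and name below.
$outDir = 'C:\DRA'      # assumption
$base   = 'DRAKeys'     # assumption; cipher writes DRAKeys.cer and DRAKeys.pfx
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

Push-Location $outDir
try {
    # cipher /r writes the files into the current directory and prompts for the
    # password that protects the .pfx (the private key). Keep the .pfx offline;
    # only the .cer is added to the policy.
    & cipher.exe /r:$base
    if ($LASTEXITCODE -ne 0) { throw 'cipher /r failed (run from an elevated prompt)' }
}
finally { Pop-Location }

$certPath = Join-Path $outDir "$base.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath

# The Enhanced Key Usage extension (OID 2.5.29.37) must list File Recovery,
# OID 1.3.6.1.4.1.311.10.3.4.1; a plain EFS user certificate (…10.3.4) would not work as a DRA.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$isRecoveryCert = $false
if ($ekuExt) {
    $isRecoveryCert = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.4.1.311.10.3.4.1' })
}

New-Object PSObject -Property @{
    File       = $certPath
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    IsDRACert  = $isRecoveryCert
}
if (-not $isRecoveryCert) { Write-Warning "$certPath is not a File Recovery certificate; do not add it as a DRA" }
```

The thumbprint printed here is worth recording: it is what appears in the Group Policy editor after Add Data Recovery Agent, so it lets you confirm the right certificate was published.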

Configuring Mobile Computing
- BitLocker encrypts the entire including the
- Windows 7 Enterprise or Ultimate only
- Needs a 100 MB separate system partition (configured when enabling BitLocker)
- Hard drive can’t be removed and used on another computer
- Trusted Platform Module (TPM) chip on the motherboard that stores keys
  - Keys can be stored on a USB key instead if you don’t have a TPM
  - The chip needs to be 1.2 or higher and enabled in BIOS
- BitLocker modes:
  - TPM only = computer will boot normally
  - TPM w/ a PIN = User is prompted for a PIN on startup
  - TPM and USB key = Store a key on USB. Read on bootup.
  - TPM, USB key and PIN = Most secure
  - Without TPM = Just a USB key
- BitLocker Recovery Key is created during the wizard. Keep this for recovery later.
  - Also gives you the option to place the key on a USB drive
- TPM Administration under Control Panel > System and Security > BitLocker
- BitLocker To Go encrypts portable drives like flash drives
  - When configured, reader software for older versions of Windows is installed
  - Read-only access on older versions of Windows
- Configuring BitLocker To Go from Group Policy
  - gpedit.msc to open the local group policy editor
  - BitLocker > Removable Data Drives
  - Several options in there (six in total)
- DirectAccess requires IPv6 to run
  - Requires Server 2008 for DC and DNS and a Public Key Infrastructure
  - Requires two network cards on the server using DirectAccess
  - Used for laptops outside of work instead of VPN to connect to the work network
  - In Group Policy > Windows Settings > Name Resolution Policy
  - Add DNS servers to use with DirectAccess
  - Can also use netsh (for scripts or a couple of computers)
  - netsh interface IPv6 set Teredo enterpriseclient
  - netsh namespace show effectivepolicy (see which settings are in effect)
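The BitLocker modes above are chosen in the Control Panel wizard; the same choices can be made with manage-bde, the command-line tool that ships with Windows 7. The script below is an added example (not from the notes) that checks for a usable TPM, adds TPM+PIN as the boot-time protector and a recovery password plus a recovery key file as the fallbacks, then turns encryption on. The OS drive C: and the USB drive F: for the recovery key are assumptions.

```powershell
# Added example: enable BitLocker on the OS drive with manage-bde (TPM + PIN,
# recovery password, recovery key on USB). Assumed drive letters below.
$osDrive   = 'C:'     # assumption
$keyTarget = 'F:\'    # assumption: USB drive that receives the .BEK recovery key file

# Is there a TPM, and is it enabled and activated in firmware? Win32_Tpm lives in
# the root\cimv2\Security\MicrosoftTpm namespace; its methods return objects.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm -or -not $tpm.IsEnabled().IsEnabled -or -not $tpm.IsActivated().IsActivated) {
    Write-Warning 'No usable TPM: the "Without TPM" mode needs a startup key instead (manage-bde -on C: -StartupKey F:\ after the Group Policy setting that allows BitLocker without a TPM)'
    return
}
Write-Host "TPM spec version(s): $($tpm.SpecVersion)"   # must include 1.2 or later

# Current state; also shows whether the separate system partition is in place.
& manage-bde.exe -status $osDrive

# Key protectors. -TPMAndPIN prompts for the PIN interactively; the recovery password
# is the "Recovery Key" from the notes and must be kept somewhere other than this machine.
& manage-bde.exe -protectors -add $osDrive -TPMAndPIN
if ($LASTEXITCODE -ne 0) { throw 'adding the TPM+PIN protector failed (elevated prompt required)' }
& manage-bde.exe -protectors -add $osDrive -RecoveryPassword
& manage-bde.exe -protectors -add $osDrive -RecoveryKey $keyTarget

# Turn encryption on; BitLocker runs a hardware test on the next reboot before it starts.
& manage-bde.exe -on $osDrive
if ($LASTEXITCODE -ne 0) { throw 'manage-bde -on failed' }

# List the protectors (the recovery password ID and the 48-digit password are printed here).
& manage-bde.exe -protectors -get $osDrive
```

Adding the recovery protectors before -on matters: if the TPM later refuses to unseal (firmware update, changed boot order), the recovery password is the only way back in, and manage-bde -protectors -get is where you copy it from before the reboot.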

Monitoring and Maintaining Systems that Run Windows
- VPN = virtual private network
  - Data is encrypted
  - Has integrity checking and prevents a replay attack
- Protocols:
  - PPTP → Weakest because it doesn’t require certs (port 1723)
  - L2TP → Uses IPsec for encryption and requires certs (1701 and UDP port 500)
  - SSTP → Uses HTTPS for encryption and port 443 (popular protocol)
  - IKEv2 → Supports the new W7 reconnect feature, requires W7 to Server 2008 R2
- Authentication protocols:
  - PAP → uses unencrypted passwords. Disabled by default.
  - CHAP → Sends a challenge (hash) to the client.
  - MS-CHAPv2 → Improved CHAP and the user can use current login credentials
  - EAP → Additional protocols can be bolted on
  - PEAP → Protected EAP. EAP traffic is encrypted.
- To set up a VPN: Network/Sharing Center > Setup a Connection or Network > Connect to a workplace
- diskpart list partition
  - Asterisk next to the primary partition
  - clean command wipes the hard disk
  - convert gpt converts the disk to GPT format
- Paging file on a separate partition from the OS = performance benefits
- A volume is a single logical storage area, can contain several partitions
- When moving a dynamic disk to another computer, the drive letter will not change
- You can convert a basic disk to dynamic, but not the other way around
- RAID (Redundant Array of Independent Disks)
  - RAID 0 (striped) and RAID 1 (mirror)
  - RAID in Windows is software only
  - RAID 0 is when data on hard disks is spread evenly across all the drives in the volume
    - Requires two or more drives
    - Read/write performance is increased because all HDDs work at the same time
    - If one HDD fails, you lose all the data in the set.
    - You can’t boot Win7 from a RAID 0 HDD
    - All hard disks in the set must be the same size
  - RAID 1 can still function if one HDD fails
    - Requires 2 hard disks
    - No performance advantage; data cost is effectively doubled.
  - Disk Management > Import Foreign Disk
  - Right-click on a disk > Add Mirror. This makes it a dynamic disk and enables a RAID 1 setup.

Configuring Backup and Recovery Options
- System image works for bare metal recoveries (different hardware)
  - Windows 7 will automatically detect the different hardware
  - Includes
  - Cannot back up Windows to the same volume as Windows, a recovery partition, or a partition encrypted with BitLocker
  - All Programs > Maintenance >
  - Control Panel > Backup and Restore > Create a system image
- You can restore using a system image via a disc
  - Restore disc > Advanced > Search for a system image on the network
- Previous Versions used to be called “shadow copies.”
  - Restore point is created on startup, mid-day, and when a significant change occurs
  - Only saves documents that have been modified
  - Only saves one change per day
  - Computer Properties > System Protection > Restore system settings and previous versions of files
  - To access previous versions of files that have been deleted, right-click on the container folder and restore previous versions

Professor Messer Notes

Section 1: Installing, Upgrading, and Migrating to Windows 7

Windows 7 Editions:
- Starter (32-bit only):
  - Built for netbooks
  - No Aero, DVD playback, web server... etc.
  - Limited to 2GB of RAM
- Home Basic:
  - Geographical activation restriction (emerging markets only)
  - Similar restrictions to Starter, except it has a 64-bit version
- Home Premium:
  - Everything except for Enterprise technologies
  - Can’t connect to a domain, no BitLocker, EFS, AppLocker, BranchCache... etc.
  - x64 supports up to 16GB of RAM
- Professional:
  - Can connect to a domain
  - Supports Remote Desktop Host and EFS (Encrypting File System)
  - No BitLocker, AppLocker, BranchCache... etc.
  - Includes XP Mode
  - x64 supports up to 192GB of RAM
- Ultimate:
  - BitLocker, AppLocker, BranchCache... etc. included
  - x64 supports 192GB of RAM
- Enterprise:
  - Can’t buy off the shelf
  - Same as Ultimate, but designed for volume licensing

Windows 7 Installation Sources
- DVD or ISO
  - Cheap, but doesn’t scale well. Slower.
- USB drive or portable hard drive
  - Flexible. Can add drivers and other files.
  - Faster read/write than a DVD.
  - Need at least 4GB of space.
  - Preparing a USB installation:
    - Run diskpart from an Admin command prompt
    - list disk to see which disk the USB drive is
    - select disk #
    - clean, create partition primary, format fs=fat32 quick
    - active makes it bootable
    - exit to leave diskpart
    - Then just copy the contents of the Win7 install disc to the USB drive
- Network share
  - Copy the installation media to a share
  - Boot from PE (barebones Windows environment)
  - Can easily be updated and modified
  - Windows PE is downloadable for free with AIK
  - Run Deployment Tools Command Prompt
  - copype C:\windowspe-86 will copy the PE install files to that folder
  - winpe.wim can be customized
  - Copy the winpe.wim file to C:\windowspe-86\ISO\sources
  - Rename winpe.wim to boot.wim
  - oscdimg command creates ISOs from a directory
- Automated deployment
  - Windows Deployment Services (WDS)
  - Requires a network, Server 2008, AD, PXE network adapter
  - Uses multicast and scales very well

Windows 7 Clean Installation
- Unattended installation:
  - Answers are in Unattend.xml (used when not from installation media)
  - Autounattend.xml can also have answers
  - Contains partitioning information and is used in conjunction with boot media
- Clean installation just means no existing OS on the HDD when doing the installation

Windows 7 Dual-boot Installation
- Each OS needs its own partition (Win7 needs at least 15GB)
- Alternatively, you can install to a VHD without the need to make a new partition (Win7 Ultimate)
- The 100MB recovery (WinRE) partition isn’t created when dual-booting
- bcdedit
  - Edits /boot/bcd in the Windows 7 hidden partition
  - Needs to be run from an elevated prompt
  - displayorder → {ntldr} = XP, {current} = Win7
  - bcdedit /export C:\save-bcd → Export current boot settings
  - bcdedit /import C:\save-bcd → Import settings to undo changes
  - bcdedit /set {current} description “New Entry Description”
  - bcdedit /displayorder {ntldr} /addfirst (or /addlast) → Change the OS list order
  - bcdedit /default {ntldr} → Changes the default option for when it times out

Upgrading to Windows 7
- Only Vista Business can upgrade to Win7 Professional
- Vista Enterprise can only upgrade to Win7 Enterprise
- Windows Vista Ultimate can only upgrade to Ultimate
- All versions of Vista can upgrade to Ultimate
- Windows 7 Upgrade Advisor will determine if your system can support Win7
- Microsoft Assessment and Planning Toolkit (MAP) → large-scale upgrade planning
  - Before upgrading, make sure the OS is completely up-to-date
  - Upgrade needs at least 10GB of free space
  - MAP integrates with (scans the network to find computers)
  - Can inventory many different operating systems
  - Doesn’t require any agent software

Migrating User Profiles with Windows Easy Transfer
- When doing a side-by-side transfer, best to launch Easy Transfer from Windows 7 (not XP)
- Easy Transfer saves to a file/folder to be imported on the newer computer or OS.
- Side-by-side can be done with either an Easy Transfer cable or a network share

Migrating User Profiles with the User State Migration Tool (USMT)
- Included with Windows AIK and works at the command line
- Can migrate from XP to Vista or 7, as well as Win7 to Vista. Not Win7 to XP.
- MigApp.xml → Migrates application settings (folder options, fonts, wallpapers... etc.)
- MigUser.xml → Migrates user folders, files, and file types
- MigDocs.xml → Location of user documents
- Config.xml → Exclude migration features
- Storing migrated data:
  - Uncompressed → Stored in folders, viewable in Explorer
  - Compressed → Uses less space, can’t be viewed in Explorer
  - Hardlink → Creates links to the user data, doesn’t duplicate files
- Minimum of 250 MB free to transfer user info
- scanstate grabs the user data and saves it to a file (USMT.MIG)
- loadstate imports the USMT.MIG file and user data
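The scanstate/loadstate pair and the hard-link store type above come together in a wipe-and-load on one machine. The script below is an added example (not from the notes or from the USMT documentation) that wraps both commands with the switches spelled out; it assumes the USMT binaries were copied from the AIK to C:\USMT and that the store lives at C:\MigStore on the same volume, which is what a hard-link store requires.

```powershell
# Added example: hard-link user state migration with scanstate / loadstate.
# Assumed locations below.
$usmt  = 'C:\USMT'       # assumption: USMT files copied from the AIK
$store = 'C:\MigStore'   # assumption: must be on the same volume as the user data

function Invoke-ScanState {
    # /hardlink links to the files in place instead of copying them (no second copy,
    # so the 250 MB minimum is easily met); it requires /nocompress.
    # /o overwrites an existing store, /c continues past non-fatal errors,
    # /v:13 and /l: produce a verbose log to read if anything is skipped.
    & "$usmt\scanstate.exe" $store /i:"$usmt\MigApp.xml" /i:"$usmt\MigUser.xml" `
        /hardlink /nocompress /o /c /v:13 /l:"$env:TEMP\scanstate.log"
    return $LASTEXITCODE
}

function Invoke-LoadState {
    # Run after Windows 7 is installed on the same volume. /lac creates local accounts
    # that do not exist on the new install (they stay disabled until an admin enables them).
    & "$usmt\loadstate.exe" $store /i:"$usmt\MigApp.xml" /i:"$usmt\MigUser.xml" `
        /hardlink /nocompress /lac /c /v:13 /l:"$env:TEMP\loadstate.log"
    return $LASTEXITCODE
}

# Both tools return 0 on success; anything else means read the log before wiping anything.
if ((Invoke-ScanState) -ne 0) { throw "scanstate failed; see $env:TEMP\scanstate.log" }
Write-Host "User state captured to $store. Install Windows 7 on this volume, then run Invoke-LoadState."
```

The exit-code check before continuing is the important part: the hard-link store is only a set of links, so if the capture was incomplete and the old profiles are then removed, there is no second copy to fall back on.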

Section 2: Deploying Windows 7

Deploying Windows 7 Overview
- Windows Automated Installation Kit (AIK):
  - Windows SIM (System Image Manager) → Manages image distribution
  - ImageX → Create and modify Windows images (WIM)
  - DISM → Modify an image with updates and drivers
  - Windows PE → Minimal boot OS
  - oscdimg → Command line creation of ISO files

Creating a Reference Image
- Create an answer file and save autounattend.xml to the root
- Use sysprep to generalize and set OOBE (out of box experience)
- Create a bootable Windows PE disc or flash drive and create the image from there
- Windows System Image Manager (SIM) automates building an answer file
- SIM:
  - Import a WIM file (from the Win7 DVD, for example)
  - install.wim file located under the sources folder of the install disc
  - Create New Answer File
  - Windows_Setup component > Userdata folder
  - Add to answer file
  - AcceptEula = true to auto accept the agreement
  - Tools > Validate answer file
  - This file can be saved to a flash drive if you want.
- Run audit mode (Shift-Ctrl-F3) on bootup
  - Bypasses Windows Welcome
  - Tweak the reference image, load apps and drivers... etc.
  - This is done on the reference computer
  - From here, you can install applications and patches like normal
- Run sysprep
  - Clear unique names
  - Set OOBE (Windows Welcome)
  - C:\windows\system32\sysprep\sysprep.exe /oobe /generalize /
  - /generalize lets it install on different hardware

Capturing an Image
- Copy ImageX to the Windows PE disc/flash drive or copy it to a network drive
  - copy “C:\Program Files\windows AIK\tools\x86\imagex.exe” C:\winpe\ISO
  - copy c:\winpe\winpe.wim c:\winpe\iso\sources\boot.wim
  - oscdimg -n -bc:\winpe\etfsboot.com c:\winpe\iso c:\winpe\winpe-imagex.iso
- WIM file does not contain partition information. Can contain many images.
- Once in WinPE:
  - net use h: \\networkshare-folder /u:admin\2191admin
  - Enter the user password for that account.
  - Drive H is now mapped to \\networkshare-folder
  - net use to find the drive you want to image. In this case, D is the Windows drive.
  - If the E drive is mounted, run e:\imagex /capture d: h:\win-lab.wim “Name” /compress fast /verify ← This will capture the contents of D and save it as a WIM file to the mapped H drive

Preparing for Deployment
- DISM can be used to:
  - Update applications
  - Manage drivers
  - Manage updates
- dism.exe /Get-WimInfo /WimFile: /Index:
  - Can alternatively use imagex /info 1 (index num) → Messy XML results
  - Shows human-readable info about the image
- dism.exe /Mount-Wim /WimFile: {/Index:} /MountDir:
  - Alternatively, imagex /mountrw
  - Good to create a folder called “Mount” as the target directory
- Managing drivers:
  - dism /online /get-drivers /all ← Currently running OS. Read only.
  - dism /image /get-drivers /all ← WIM file. Can read/write.
  - dism /image: /add-driver (or /remove-driver)
  - 64-bit drivers must be signed, unless you use /forceunsigned
  - /add-driver: /recurse ← Recurse will add all drivers found in the folder
  - Third-party drivers are renamed to oem1, oem2... etc. after adding to the WIM file
- Managing applications:
  - /get-packages, /add-package, /remove-package
  - Only works with .cab and .msu files
  - /get-features, /disable-feature:, /enable-feature:
- To save changes, you must run /Commit-Wim /MountDir:
  - Alternatively, /Unmount-Wim /MountDir: /Commit (or /Discard)
  - Need to unmount either way, so the second option is better if you’re done
  - Make sure Explorer windows and other apps are closed when unmounting
- Use Unattend.xml to configure package installation order after deployment
  - dism /Image: /Apply-Unattend:
  - Create the Unattend.xml files using Windows SIM
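The DISM steps above (inspect, mount, add drivers and packages, unmount with commit) form one servicing pass. The script below is an added example (not from the notes or from Microsoft) that runs that pass end to end and, if any step fails, unmounts with /Discard so the WIM on disk is left untouched. The image path C:\Images\install.wim, the driver folder C:\Drivers, the update C:\Updates\update.cab and the mount folder C:\Mount are assumptions.

```powershell
# Added example: offline servicing of one image index with DISM, committed only if
# every step succeeds. Assumed paths below.
$wim      = 'C:\Images\install.wim'        # assumption
$index    = 1
$mountDir = 'C:\Mount'                     # assumption; must be empty

function Invoke-Dism([string[]]$DismArgs) {
    # dism reports failure through its exit code (details go to dism.log); turn that
    # into a thrown error so a failed step cannot be followed by a commit.
    & dism.exe @DismArgs
    if ($LASTEXITCODE -ne 0) { throw "dism $($DismArgs -join ' ') failed (exit $LASTEXITCODE)" }
}

# 1. What does the WIM contain? (the /Get-WimInfo call from the notes)
Invoke-Dism @('/Get-WimInfo', "/WimFile:$wim")

# 2. Mount read/write.
if (-not (Test-Path $mountDir)) { New-Item -ItemType Directory -Path $mountDir | Out-Null }
Invoke-Dism @('/Mount-Wim', "/WimFile:$wim", "/Index:$index", "/MountDir:$mountDir")

try {
    # 3. Stage every .inf under C:\Drivers. Unsigned 64-bit drivers are rejected unless
    #    /ForceUnsigned is added; it is deliberately left off here.
    Invoke-Dism @("/Image:$mountDir", '/Add-Driver', '/Driver:C:\Drivers', '/Recurse')

    # 4. Add an update package (.cab or .msu only), then list what the image now holds.
    Invoke-Dism @("/Image:$mountDir", '/Add-Package', '/PackagePath:C:\Updates\update.cab')
    Invoke-Dism @("/Image:$mountDir", '/Get-Drivers')
    Invoke-Dism @("/Image:$mountDir", '/Get-Packages')

    # 5. Unmount and commit in one step (the notes' second, shorter option).
    Invoke-Dism @('/Unmount-Wim', "/MountDir:$mountDir", '/Commit')
}
catch {
    # Any failure above: discard, so the WIM is exactly as it was before the mount.
    Write-Warning $_
    & dism.exe /Unmount-Wim "/MountDir:$mountDir" /Discard
    throw
}
```

Before running it, close any Explorer window open on C:\Mount: as the notes say, an open handle under the mount folder makes the unmount fail, and with the try/catch above that would turn into a discard of everything just added.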

Deploying a System Image
- Microsoft Deployment Toolkit (MDT) 2010 ← Graphical, makes the process easier
- Windows Deployment Services (WDS) ← Image many systems at once with multicast
- Lite Touch Installation (LTI) ← Deploy without large systems management infrastructure
- Zero Touch Installation (ZTI) ← Integrates Systems Management Server (SMS) or System Center Configuration Manager (SCCM) 2007 for complete automation
- MDT 2010 (requires Windows AIK):
  - Provides a graphical frontend for everything we did with ImageX, dism... etc.
  - New Deployment Share wizard
    - You can set the local admin account
    - Can set whether or not to ask for a Product Key
    - Once the share is created, right-click and go to Properties. Other options in here.
  - Right-click on Operating Systems and select Import Operating System.
    - Can choose full source files (DVD) or a custom image file (WIM)
  - Out-of-Box Drivers > Import drivers > Select folder with drivers
  - Packages can be added (.cab and/or .msu)
  - New Task Sequence Wizard
    - Can set product key, local password, and IE homepage
    - Can create different task sequences for different computers
  - Right-click > Update deployment share to apply changes
  - Can pull the resulting ISO file from the Deployment Share directory and run it on a computer
    - Will run a custom version of Windows PE with deployment options
    - Need to enter the credentials for access to the deployment share
- Windows Deployment Services requirements:
  - AD Domain Services
  - NTFS file system
  - Local admin rights
  - DHCP server (or PXE)
- WDS is graphical, whereas wdsutil is command line-based
- WDS images ← Boot image (via PXE), Install image (OS to be installed)
  - Administrative Tools > Windows Deployment Services
  - Set the WIM file as the Install Image in WDS
  - Boot image = boot.wim from the Windows 7 DVD
  - This is still a Light Touch installation. SCCM is needed for zero touch.
  - Discover image is needed if the client computer doesn’t support PXE

Working with Virtual Hard Disks
- VHD supported in Ultimate and Enterprise only
- Ideally, the VHD would be on a separate disk (or at least another partition)
- Can use ImageX to apply a WIM file to the VHD
- Computer Management (Disk Management):
  - Action > Create VHD > Choose where to save the file
  - Fixed size vs. dynamically expanding. Fixed size is recommended.
- Using diskpart:
  - create vdisk file=c:\win7lab.vhd maximum=20000 (20GB) type=fixed
  - select vdisk file=c:\win7lab.vhd
  - list disk
  - attach vdisk
  - create partition primary
  - format fs=ntfs quick label=Win7Lab2
  - assign letter=j (Assigns drive letter J to the VHD)
- ImageX:
  - imagex /apply
  - Can then check the drive in Explorer to make sure everything is there
  - diskpart → detach vdisk... Then you can move the VHD file elsewhere
- Need to use bcdedit to make the VHD bootable
  - Can only boot to Windows 7 from a VHD
  - Can’t store the VHD on a drive using BitLocker or hibernation. This is bad for laptops.
  - bcdedit /copy {current} /d “Windows blah blah”
  - bcdedit /set {guid} device vhd=[c:]\vhd\win7lab2.vhd ({guid} = the id printed by /copy)
  - Do the same for osdevice
  - bcdedit /set {guid} detecthal on (detect the hardware abstraction layer)
  - The “Windows blah blah” option will now boot to the VHD when selected
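The VHD-boot steps above and the bcdedit export/import from the dual-boot section fit in one script. The one below is an added example (not from the notes) that backs up the BCD store first, creates and formats the VHD through a diskpart script, applies the image, detaches, and then parses the new entry's GUID out of the bcdedit /copy output so the /set commands target the copy rather than {current}. The VHD path C:\vhd\win7lab2.vhd, the image C:\Images\install.wim (index 1), ImageX on the PATH and a free letter J: are assumptions.

```powershell
# Added example: VHD creation, image apply and BCD entry, with a BCD backup first.
# Assumed paths below.
$vhd   = 'C:\vhd\win7lab2.vhd'        # assumption
$wim   = 'C:\Images\install.wim'      # assumption
$entry = 'Windows 7 (VHD boot)'       # display name for the new boot menu entry

# 1. Back up the BCD store; 'bcdedit /import C:\save-bcd' puts it back if the edit goes wrong.
& bcdedit.exe /export 'C:\save-bcd'
if ($LASTEXITCODE -ne 0) { throw 'bcdedit /export failed (elevated prompt required)' }

# 2. Fixed-size VHD with one NTFS partition mounted as J:, via a diskpart script.
New-Item -ItemType Directory -Path (Split-Path $vhd) -Force | Out-Null
$dpFile = Join-Path $env:TEMP 'vhd.txt'
Set-Content -Path $dpFile -Encoding ASCII -Value @"
create vdisk file=$vhd maximum=20000 type=fixed
select vdisk file=$vhd
attach vdisk
create partition primary
format fs=ntfs quick label=Win7Lab2
assign letter=j
exit
"@
& diskpart.exe /s $dpFile
if ($LASTEXITCODE -ne 0) { throw 'diskpart failed' }

# 3. Apply the image into the VHD, then detach so the file can be moved or backed up.
& imagex.exe /apply $wim 1 'J:'
if ($LASTEXITCODE -ne 0) { throw 'imagex /apply failed' }
Set-Content -Path $dpFile -Encoding ASCII -Value "select vdisk file=$vhd`ndetach vdisk`nexit"
& diskpart.exe /s $dpFile

# 4. bcdedit /copy prints "The entry was successfully copied to {GUID}."; capture that id.
$copyOutput = (& bcdedit.exe /copy '{current}' /d $entry) -join ' '
if ($copyOutput -match '\{[0-9a-f-]{36}\}') {
    $guid = $Matches[0]
} else {
    throw "could not find the new entry id in: $copyOutput"
}

# 5. Point device and osdevice at the VHD file. [C:] is bcdedit's locator for the volume
#    holding the file and is required; the braces around the entry id are too.
$locator = "vhd=[C:]$($vhd.Substring(2))"     # 'C:\vhd\x.vhd' -> 'vhd=[C:]\vhd\x.vhd'
& bcdedit.exe /set $guid device   $locator
& bcdedit.exe /set $guid osdevice $locator
& bcdedit.exe /set $guid detecthal on
& bcdedit.exe /displayorder $guid /addlast
& bcdedit.exe /enum $guid
```

The /addlast keeps the existing installation as the default entry; a typo in the locator therefore costs one failed menu choice rather than an unbootable machine, and C:\save-bcd is there for everything else.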

Section 3: Configuring Hardware and Applications

Configuring Devices
- Device > Properties > Details > Device GUID to look up the device’s unique ID
- Device Installation Settings ← Set who and what can make changes
- Plug and Play (PnP) drivers are drivers that are already installed
- Driver Store → Windows/CurrentVersion/DevicePath
  - Copies the driver for use to Windows\System32\drivers
- New drivers can be staged using pnputil
  - pnputil.exe -a C:\drivers\driver.inf ← Add new driver (pre-stage)
  - pnputil.exe -e ← Shows all third-party drivers installed
- Can set classes of allowed device installations within Local Group Policy
- You can run verifier from the command line to launch a GUI version
  - Can look at the really deep, nitty-gritty details for drivers
- Signed drivers contain a cryptographic “signature” from Microsoft
  - Must be an admin to install an unsigned driver
  - If you have a Certificate Authority, you can sign drivers yourself
  - This is more important with Windows 7 64-bit
- Run sigverif to scan for device drivers that have not been digitally signed
- msinfo32 can be run to get a list of resource conflicts on your system

Configuring Application Compatibility
- Application Compatibility Toolkit ← Download from Microsoft.com
  - Comes with Application Compatibility Manager
  - Compatibility Administrator
    - View compatibility fixes for 3rd-party apps
    - Analyze apps, create your own shim
  - Compatibility Test Tool
- Application Compatibility Manager is used to monitor issues across a large network
  - Has a HUGE list of applications and what happens when you try to run them
  - These compatibility fixes are called shims
- IE Compatibility Test Tool needs to be run while surfing the web with IE8
  - When it detects problems with web sites/apps, it will list them
- App Compatibility Group Policies
  - Can change policies to modify how Windows reacts to errors
  - If an installer fails, for example, you can enable Detect application install failures
  - This will prompt a user when an install fails to run it in XP compat mode
- Windows XP Mode:
  - Runs XP in a virtual machine
  - Only available in Professional and up
  - Integrates with Win7, so you can launch applications from within Windows 7
  - XP Mode kicks in in the background in that case

Software Restriction Policies
- Group Policy editor ← Run > gpedit.msc or search for Group Policy
- A bit of overlap with AppLocker, but AppLocker only works in 7 Ultimate and Enterprise
  - Group Policy works across XP, Vista, and 7
- Computer Config\Windows Settings\Security Settings\Software Restriction Policies
  - Use the Local Security Policy editor if not on a domain
- Enforcement Properties can set rules to apply to all users or all users except local admins
- Under Designated File Types, you can add or remove file types that will be affected
- If AppLocker is in use, AppLocker always wins over Group Policy rules
- Order of priority:
  - Hash rules ← Specific rule, allowing or disallowing an exact executable, incl. version
  - Cert rules ← Control app usage by publisher, hard to fool, app must be signed
  - Path rules ← Control based on files or folders, can be circumvented by moving the file
  - Network Zone rules ← Control based on download location, only applies to .msi files
  - Default rules ← Either disallowed, basic user, or unrestricted (which is the default)
- To apply a hash rule, just right-click, New Hash Rule, navigate to the app, then Disallow.

Understanding AppLocker
- Only available on W7 Ultimate, Enterprise, and Server 2008 R2
- Can control by users or groups within Group Policy
- Requires the Application Identity service to be running (set to start automatically)
- Block rules always override Allow rules
- Group Policy ← Windows Settings\Security Settings\Application Control Policies\AppLocker
- AppLocker has wizards for configuring settings
- Rule categories:
  - Executable rules ← .exe and .com files
  - Windows Installer rules ← .msi and .msp files
  - Script rules ← .bat, .cmd, .js, .ps1, and .vbs files
- Default is to block everything after enabling AppLocker
  - When you create the default rules, everything is allowed.
- Publisher rules:
  - Pulled from the file information
  - Existing file and all future versions
- Path rules:
  - Pick a file or folder and allow executables to run
- File hash rules:
  - Specific rules for specific programs
  - File version = * ← Applies to any version of the program
  - Exceptions can be made for certain versions of a program
- Under AppLocker properties, enable Enforcement or Audit mode to test new rules
  - Then start the Application Identity service on the client computer
  - Audit mode results can be viewed under the AppLocker folder in
  - Says whether or not the program would have opened had enforcement been enabled
- Can do Automatically Generate Rules for an entire directory
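Automatically Generate Rules, the rule types and the audit-before-enforce advice above have a command-line counterpart in the AppLocker PowerShell module that ships with Windows 7. The script below is an added example (not from the notes) that builds publisher rules where files are signed and hash rules where they are not, evaluates the resulting policy against the application's executables without enforcing anything, and only then merges it into the local policy. The application folder C:\Program Files\ContosoApp and the policy file path are constructed names.

```powershell
# Added example: generate, test and apply an AppLocker policy for one application folder.
# Assumed folder and output path below.
Import-Module AppLocker

$appDir     = 'C:\Program Files\ContosoApp'          # assumption (constructed name)
$policyFile = 'C:\Policies\contoso-applocker.xml'    # assumption

# 1. Collect publisher (signature) and hash information for executables and scripts.
$fileInfo = Get-AppLockerFileInformation -Directory $appDir -Recurse -FileType Exe, Script

# 2. Publisher rules first (they survive version updates, like the notes' "all future versions");
#    hash rules only for files without a valid signature. -Optimize merges rules that share a
#    publisher; -Xml returns the policy as XML text instead of a policy object.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml
New-Item -ItemType Directory -Path (Split-Path $policyFile) -Force | Out-Null
Set-Content -Path $policyFile -Value $policyXml

# 3. Dry run: what would the new policy decide for each .exe, for Everyone? This is the
#    same question audit mode answers on a client, but without touching the client.
Get-ChildItem -Path $appDir -Recurse -Include *.exe | ForEach-Object {
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $_.FullName -User Everyone
} | Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

# 4. Merge into the local policy (-Merge keeps existing rules, including the default rules
#    that let Windows itself run). Enforcement vs. audit is still chosen in the policy editor,
#    and nothing takes effect until the Application Identity service is running.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
```

Look at the PolicyDecision column before step 4: a "Denied" for the application's own updater or helper executables usually means they are unsigned and live outside the folder that was scanned, which is exactly the kind of gap audit mode exists to find.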

Internet Explorer Configuration
- Admin Templates\Windows Components\Internet Explorer\Compatibility View
  - Can enable/disable the button, set sites for automatic compatibility view
- IE Zones:
  - Internet, Local Intranet, Trusted Sites, Restricted Sites
- InPrivate Filtering blocks certain elements on sites automatically
- InPrivate Browsing is Incognito Mode. Opens in a new window.
- Admin Templates\Windows Components\Internet Explorer\InPrivate ← InPrivate settings

Section 4: Network Connectivity

An Overview of IPv4 and IPv6
- IPv4:
  - 32-bit addresses, number of addresses is quickly being depleted
  - Four sets of 1-4 numbers; each set is 8 bits (binary). 8x4 = 32-bit
- IPv6:
  - 128-bit addresses, bajillions of addresses
  - Leading 0’s are optional
  - Groups of 0’s can be abbreviated by :: (only one per address allowed)
- Subnetting:
  - Every device needs a unique IP address
  - Subnet mask used to have devices on the same local network communicate
  - Default gateway is the router that allows outside communication
- Private addresses (used for local communication)
  - 10.0.0.0 - 10.255.255.255
  - 172.16.0.0 - 172.31.255.255
  - 192.168.0.0 - 192.168.255.255
- DNS (Domain Name System)
  - Converts names to IP addresses
- DHCP (Dynamic Host Configuration Protocol)
  - Automatically assigns IP addresses, subnet mask, gateway... etc. to devices
- APIPA (Automatic Private IP Addressing)
  - Connect an entire network without configuration (and w/o a DHCP server)
- NAT (Network Address Translation)
  - Usually the router or modem. Device that is connected to the Internet.
  - Allows all devices to communicate with the Internet
- Communication methods
  - Unicast ← One to one
  - Multicast ← One packet to multiple devices
  - Broadcast ← One to all (IPv4)
  - Anycast ← One to nearest (IPv6)
- IPv6 unicast addresses
  - Global ← Routable everywhere
  - Local ← Used on the local network (no Internet)
  - Link-local ← Used in the local subnet only (start with fe80::/10)
- Teredo allows you to tunnel IPv6 through NATed IPv4. No special router needed
  - Addresses start with 2001::/32

Configuring IPv4
- Network and Sharing Center > Change Adapter Settings > Right-click > Properties
- netsh interface ipv4 show ← Show names
- netsh interface ipv4 set address “name” static
- ipconfig /all returns a 169.251.x.x address = no DHCP response
- ping and tracert
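The subnet mask, private ranges and "self-assigned address means no DHCP" points from the two sections above are easy to state and easy to get wrong by hand. The functions below are an added example (not from the notes) that do the arithmetic: network address under a mask, same-subnet test, classification into the RFC 1918 private ranges or the APIPA range (169.254.0.0/16, the range Windows self-assigns when no DHCP server answers), and the netsh static-address command with its parameters filled in. The interface name "Local Area Connection" and the sample addresses at the end are constructed.

```powershell
# Added example: IPv4 subnetting helpers and a netsh static-address builder.
function Get-NetworkAddress([string]$Address, [string]$Mask) {
    # AND each octet of the address with the mask; what remains is the network address.
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    $n = 0..3 | ForEach-Object { $a[$_] -band $m[$_] }
    return ($n -join '.')
}

function Test-SameSubnet([string]$A, [string]$B, [string]$Mask) {
    # Two hosts talk directly only when they share a network address under the mask;
    # otherwise the packet has to go to the default gateway.
    return (Get-NetworkAddress $A $Mask) -eq (Get-NetworkAddress $B $Mask)
}

function Test-InRange([string]$Address, [string]$Network, [string]$Mask) {
    return (Get-NetworkAddress $Address $Mask) -eq $Network
}

function Get-AddressKind([string]$Address) {
    # The three private ranges from the notes, plus APIPA, which is the first thing to
    # look for when a client cannot reach anything.
    if (Test-InRange $Address '169.254.0.0' '255.255.0.0')  { return 'APIPA (no DHCP response)' }
    if (Test-InRange $Address '10.0.0.0'    '255.0.0.0')    { return 'Private (10.0.0.0/8)' }
    if (Test-InRange $Address '172.16.0.0'  '255.240.0.0')  { return 'Private (172.16.0.0/12)' }
    if (Test-InRange $Address '192.168.0.0' '255.255.0.0')  { return 'Private (192.168.0.0/16)' }
    return 'Public'
}

function Get-StaticAddressCommand([string]$Address, [string]$Mask, [string]$Gateway,
                                  [string]$Interface = 'Local Area Connection') {
    # The 'netsh interface ipv4 set address' form from the notes with every parameter named.
    return "netsh interface ipv4 set address name=`"$Interface`" source=static address=$Address mask=$Mask gateway=$Gateway"
}

# Constructed sample values.
Get-NetworkAddress '192.168.1.77' '255.255.255.0'
Test-SameSubnet    '192.168.1.77' '192.168.2.5' '255.255.255.0'
Get-AddressKind    '169.254.12.34'
Get-AddressKind    '172.20.3.9'
Get-StaticAddressCommand '192.168.1.77' '255.255.255.0' '192.168.1.1'
```

Get-AddressKind checks the APIPA range first on purpose: when troubleshooting, "the client never got a lease" is the answer to find before worrying about whether the lease it has is on the right subnet.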

Configuring IPv6
- Configuration mostly the same as IPv4
- netsh interface show neighbors
- Use the -6 switch after ping or tracert to use IPv6 via a Teredo tunnel

Configuring Networking Settings
- Wireless standards:
  - 802.11a:
    - Operates in the 5 GHz range, 64 Mbit/s
    - The higher frequency is absorbed by objects in the way
    - Today only seen in specific cases
  - 802.11b:
    - Operates in the 2.4 GHz range, 11 Mbit/s
    - Better range than 802.11a, less absorption
    - More frequency conflict with cordless phones, microwaves, etc.
  - 802.11g:
    - 2.4 GHz range, 54 Mbit/s
    - Same frequency problems as 802.11b
  - 802.11n:
    - 5 GHz and/or 2.4 GHz
    - 600 Mbit/s
    - New standard has MIMO (multiple antennas)
- Security settings:
  - WPA-Personal ← older version of WPA. Uses a passphrase.
  - WPA2-Personal ← always choose this.
  - WPA-Enterprise ← uses an authentication server. No shared passphrase.
- Encryption types:
  - WEP ← not a very good way to encrypt data
  - TKIP ← Temporal Key Integrity Protocol. Meant to replace WEP.
  - AES ← used in WPA2
  - WPA2 with AES is generally the best, most secure combination
- netsh wlan show interfaces ← show network cards
- netsh wlan show networks ← show available networks
- netsh wlan add profile filename=whatever.xml ← create a profile to connect with
- netsh wlan connect name=whatever ssid=whatever ← connect to that network
- Location-aware Printing:
  - New to Windows 7
  - Keeps track of the default printer based on wireless location
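The profile XML that "netsh wlan add profile" imports is not shown in the notes, so here is an added example (not from the original notes or from Microsoft): it generates a WPA2-Personal/AES profile, installs it, and audits saved profiles for the weak WEP/TKIP/open combinations the notes warn against. The SSID "CorpWiFi", the "OldGuest" profile and both key values are constructed placeholders.

```powershell
# Added example (not from the original notes): generate a WPA2-Personal/AES profile
# in the XML format that "netsh wlan add profile" imports, install it, and audit
# profiles for weak settings. SSID and passphrase are placeholders; replace them.

function New-WlanProfileXml {
    param([string]$Ssid, [string]$Passphrase)
    $s = [System.Security.SecurityElement]::Escape($Ssid)
    $k = [System.Security.SecurityElement]::Escape($Passphrase)
    # WPA2PSK + AES is the "WPA2-Personal, always choose this" combination from the notes
    return @"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$s</name>
  <SSIDConfig><SSID><name>$s</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial>$k</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
"@
}

function Test-WlanProfileSecurity {
    # Reads the auth/encryption pair out of a profile XML and says whether it is WPA2 + AES
    param([string]$ProfileXml)
    $doc  = [xml]$ProfileXml
    $ae   = $doc.WLANProfile.MSM.security.authEncryption
    $auth = [string]$ae.authentication
    $enc  = [string]$ae.encryption
    $ok   = ($auth -eq 'WPA2PSK' -or $auth -eq 'WPA2') -and ($enc -eq 'AES')
    New-Object PSObject -Property @{
        Name = [string]$doc.WLANProfile.name; Authentication = $auth; Encryption = $enc; Acceptable = $ok
    }
}

function Install-WlanProfile {
    param([string]$Ssid, [string]$Passphrase)
    $path = Join-Path $env:TEMP ("$Ssid.xml")
    New-WlanProfileXml -Ssid $Ssid -Passphrase $Passphrase | Set-Content -Path $path -Encoding UTF8
    netsh wlan add profile filename="$path" user=all
    Remove-Item $path   # the file holds the passphrase in clear text; do not leave it behind
}

function Get-WeakWlanProfiles {
    # Exports every saved profile and reports the ones not using WPA2 + AES
    $dir = Join-Path $env:TEMP 'wlan-audit'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    netsh wlan export profile folder="$dir" | Out-Null
    Get-ChildItem -Path $dir -Filter *.xml |
        ForEach-Object { Test-WlanProfileSecurity (Get-Content $_.FullName | Out-String) } |
        Where-Object { -not $_.Acceptable }
    Remove-Item $dir -Recurse -Force
}

# Constructed weak profile (WEP, open authentication) for comparison with the generated one
$wepProfile = @"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>OldGuest</name>
  <SSIDConfig><SSID><name>OldGuest</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>manual</connectionMode>
  <MSM><security>
    <authEncryption><authentication>open</authentication><encryption>WEP</encryption><useOneX>false</useOneX></authEncryption>
    <sharedKey><keyType>networkKey</keyType><protected>false</protected><keyMaterial>0123456789</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>
"@
Test-WlanProfileSecurity $wepProfile
Test-WlanProfileSecurity (New-WlanProfileXml -Ssid 'CorpWiFi' -Passphrase 'replace-with-real-passphrase')
```

Get-WeakWlanProfiles uses "netsh wlan export profile", which writes one XML per saved profile; without key=clear the exported files do not contain the key, which is all the audit needs.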

Configuring Windows Firewall
- Windows Firewall ← based on applications; a rule applies to all traffic (no scope)
- Different settings for Home/Work and Public
- Windows Firewall with Advanced Security:
  - Inbound and outbound rules
  - Connection security rules
  - Granular ← program, port, custom, etc.
  - Scope = the IP addresses that a particular rule applies to
  - A rule can apply to all users or only certain ones
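The scope idea above, as an added example (not from the original notes): one function adds an inbound rule limited to a remote subnet through "netsh advfirewall", and another parses "netsh advfirewall firewall show rule" output to list enabled inbound allow rules that accept a port from any address, which is what a basic Windows Firewall program exception looks like. The rule name, the 10.10.0.0/24 subnet and the sample output at the bottom are constructed.

```powershell
# Added example (not from the original notes): work with "Windows Firewall with
# Advanced Security" rules from the command line. Add-ScopedRule limits a port
# to a scope (remote subnet); Find-UnscopedInboundRules lists enabled inbound
# allow rules that accept a port from any address. Rule name and subnet are placeholders.

function Add-ScopedRule {
    param(
        [string]$RuleName = 'Allow RDP from management subnet',
        [int]$LocalPort = 3389,
        [string]$RemoteSubnet = '10.10.0.0/24'
    )
    # Delete first so re-running the script does not stack duplicate rules
    netsh advfirewall firewall delete rule name="$RuleName" | Out-Null
    netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow protocol=TCP `
        localport=$LocalPort remoteip=$RemoteSubnet profile=domain,private
}

function ConvertFrom-NetshRuleOutput {
    # Turns the "Key:   value" blocks of "netsh advfirewall firewall show rule" into objects
    param([string[]]$Lines)
    $rules = @(); $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^([A-Za-z ]+):\s+(\S.*?)\s*$') {
            $key = $matches[1].Trim(); $value = $matches[2]
            if ($key -eq 'Rule Name') { $current = @{}; $rules += $current }
            if ($null -ne $current) { $current[$key] = $value }
        }
    }
    foreach ($r in $rules) { New-Object PSObject -Property $r }
}

function Find-UnscopedInboundRules {
    param([string]$LocalPort = '3389',
          [string[]]$Lines = (netsh advfirewall firewall show rule name=all))
    ConvertFrom-NetshRuleOutput -Lines $Lines | Where-Object {
        $_.Enabled -eq 'Yes' -and $_.Direction -eq 'In' -and $_.Action -eq 'Allow' -and
        $_.LocalPort -eq $LocalPort -and $_.RemoteIP -eq 'Any'
    } | Select-Object 'Rule Name', Profiles, LocalPort, RemoteIP
}

# Constructed sample in the format "show rule" prints, to exercise the parser offline
$sample = @'
Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Action:                               Allow

Rule Name:                            Allow RDP from management subnet
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private
LocalIP:                              Any
RemoteIP:                             10.10.0.0/24
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Action:                               Allow
'@ -split "`r?`n"
Find-UnscopedInboundRules -Lines $sample
```

Run without -Lines, Find-UnscopedInboundRules reads the live rule set; with the constructed sample it reports only the first rule, because the second one carries a scope.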

Remote Management
- Remote Assistance:
  - User-initiated; the end user is in control
  - System Properties > Remote tab > check Allow Remote Assistance
  - Start > All Programs > Maintenance > Remote Assistance
  - Generates an invitation file and password
  - Can also use Easy Connect and/or email the remote user
  - The end user needs to grant permission for the helper to take control
- Remote Desktop:
  - Initiated by the remote user; the host is always waiting for a connection
  - Start > All Programs > Accessories > Remote Desktop Connection
  - Only available in Professional, Ultimate, and Enterprise
  - The host user gets locked out and cannot see the desktop
  - System Properties > Remote > Remote Desktop
  - The option requiring authentication is the most secure one
  - Select Users ← allow and/or disallow specific users or groups
- Windows PowerShell:
  - Win7 comes with PowerShell 2.0
  - Over 240 cmdlets (extensive use of pipelines)
- Windows Remote Shell (WinRS):
  - Run a shell command on a remote computer
  - Remote Desktop not required
  - winrm quickconfig on the host computer and select "Yes"
    - Allows remote commands to be run on that computer
  - winrs -r:http://atlantis-lab-pc:5985 -u:\username " c:\"
    - Listens on port 5985
    - Will be asked for a password
    - Will show the C directory from the remote computer
  - Get-WmiObject -class win32_service -computername atlantis-lab-pc -credential
    - Will prompt you for a password
    - Will then return all services running on the computer

Section 5: Resource Access

Shared Resources
- Folder virtualization allows for roaming user profiles; access to files from any computer
- Sharing folders:
  - net share command to set shared folders via the command line
  - net share "sharename"="drive:path" /grant:username,full
    - Shares the folder with username and grants full control
- Sharing printers:
  - Share this printer under the Sharing tab
  - Can pre-install drivers using Additional Drivers
  - Can apply different access settings per user under the Security tab
- HomeGroup settings:
  - For use on a non-domain network with separate accounts and passwords
  - Easy access to files and printers
  - Need at least Home Premium to create one
  - Other editions can connect to it but not create it
  - Uses a global password for other users to access shared stuff
  - Control Panel > HomeGroup > Join Now

File and Folder Access
- Encrypting File System (EFS):
  - Requires NTFS
  - Can encrypt for multiple users, regardless of permissions
  - Create a Recovery Agent before encrypting any files
    - cipher /R:filename
  - Right-click on folder > Advanced Attributes > Encrypt contents to secure data
  - The cipher command reveals which files in a folder are encrypted/unencrypted
  - Generates CER and PFX files. Save these somewhere safe.
- NTFS and Share permissions are separate
  - Share permissions ← Sharing tab / NTFS permissions ← Security tab
  - icacls ← configure NTFS permissions from the command line
  - net share ← configure Share permissions from the command line
  - NTFS permissions apply to both local and network connections
  - Share permissions only apply to connections over the network
  - The most restrictive setting always wins
  - If you copy a file to another folder, it inherits the permissions of the new folder
  - If you move a file, its permissions follow it
  - Advanced button under Security > Effective Permissions tab
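The two permission layers from the Sharing Folders and File and Folder Access notes, as an added example (not from the original notes): it creates a share with Share permissions set through "net share /grant" and NTFS permissions set through icacls, then returns both layers so the "most restrictive wins" outcome can be read off. The folder C:\Shares\ProjectDocs, the share name and the choice of the Users and Administrators groups are placeholders.

```powershell
# Added example (not from the original notes): create a share with the two permission
# layers the notes describe set separately (Share permissions via net share, NTFS
# permissions via icacls) and show both so the "most restrictive wins" result is
# visible. Folder, share name and groups are placeholders. Run elevated.

function New-LeastPrivilegeShare {
    param(
        [string]$Path = 'C:\Shares\ProjectDocs',
        [string]$ShareName = 'ProjectDocs',
        [string]$ReadersGroup = 'Users',
        [string]$EditorsGroup = 'Administrators'
    )
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    # NTFS (Security tab). /inheritance:r drops inherited ACEs so only the grants below apply;
    # (OI)(CI) = files and subfolders inherit; M = modify, RX = read and execute, F = full.
    icacls $Path /inheritance:r /grant "${EditorsGroup}:(OI)(CI)M" "${ReadersGroup}:(OI)(CI)RX" "SYSTEM:(OI)(CI)F" | Out-Null

    # Share permissions (Sharing tab). These only apply over the network, and the
    # effective network access is the more restrictive of the two layers.
    net share "$ShareName=$Path" /grant:"$EditorsGroup,CHANGE" /grant:"$ReadersGroup,READ" | Out-Null
}

function Get-ShareAccessSummary {
    # Returns both layers for review; compare with Security > Advanced > Effective Permissions
    param([string]$ShareName = 'ProjectDocs', [string]$Path = 'C:\Shares\ProjectDocs')
    New-Object PSObject -Property @{
        SharePermissions = @(net share $ShareName | Where-Object { $_ -match '^Permission|^\s{10,}\S' })
        NtfsAces         = @(icacls $Path | Where-Object { $_ -match '\(' })
    }
}

New-LeastPrivilegeShare
Get-ShareAccessSummary | Format-List
```

With these settings a member of Users gets read-only access both locally (NTFS RX) and over the network (Share READ capped by NTFS RX); giving the share FULL instead would change nothing for that user, because NTFS still restricts them, which is the point the notes make.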

User Account Control
- Informs you when new device drivers are installed, firewall settings change, or user accounts are modified
- Secure Desktop ← background dims and freezes. Limits automated access.
- Group Policy management:
  - Local Security Policy > Local Policies > Security Options
  - Enable/disable the various settings pertaining to UAC
- Control Panel > User Accounts > Change UAC Settings
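The UAC Security Options above are stored as registry values, and checking them is a quick audit step; the following is an added example (not from the original notes) that reads those values, flags weakened settings, and can put the Windows 7 defaults back. The registry path and value names are the real ones the policies write to; the default values (5, 1, 1) are the Windows 7 defaults as I know them and not stated in the notes.

```powershell
# Added example (not from the original notes): read the UAC values behind the
# Security Options the notes point to (Admin Approval Mode, elevation prompt
# behavior, secure desktop) and flag settings that weaken them.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSettings {
    $p = Get-ItemProperty -Path $UacKey
    # ConsentPromptBehaviorAdmin values as documented for Windows 7
    $adminPrompt = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (Windows 7 default)'
    }
    $behavior = $p.ConsentPromptBehaviorAdmin
    $findings = @()
    if ($p.EnableLUA -ne 1) {
        $findings += 'EnableLUA is not 1: Admin Approval Mode is off, so there are no UAC prompts at all'
    }
    if ($p.PromptOnSecureDesktop -ne 1) {
        $findings += 'PromptOnSecureDesktop is not 1: prompts stay on the normal desktop, where other programs can interact with them'
    }
    if ($behavior -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin is 0: administrators elevate silently'
    }
    New-Object PSObject -Property @{
        EnableLUA             = $p.EnableLUA
        PromptOnSecureDesktop = $p.PromptOnSecureDesktop
        AdminPromptBehavior   = $(if ($null -eq $behavior) { 'not set' } else { $adminPrompt[[int]$behavior] })
        Findings              = $findings
    }
}

function Restore-UacDefaults {
    # Windows 7 defaults (assumed, not from the notes). EnableLUA changes take effect after a reboot.
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
}

Get-UacSettings | Format-List
```

On a domain these values are normally driven by Group Policy, so fix them there rather than with Restore-UacDefaults, or the next policy refresh will overwrite the change.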

Authentication and Authorization
- Configuring rights:
  - Group Policy > Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment
  - Rights are different from NTFS or Share permissions
  - Examples of rights: change …, deny log on as a service, log on locally
  - Can assign rights to OUs or individual users
- Managing credentials:
  - Windows Vault stores names and passwords ("Remember my credentials")
  - Windows Credential Manager
    - Backup and restore the Windows Vault (uses the secure desktop)
    - Control Panel > Credential Manager
    - Can restore on another computer to move credentials/logons over
- Managing certificates:
  - Manage file encryption certificates (certmgr.msc)
  - Personal > Certificates > Username ← export as a backup of the EFS certificate
- Smart cards with PIV:
  - Personal Identity Verification
  - Biometric capture and storage, cryptographic algorithms, key sizes
  - It's a standard covering the storage and formatting of credentials
  - Carry your cert with you
  - Multifactor authentication (multiple requirements for more security)
    - Username, password, smart card, fingerprint
  - PIV is built into Windows 7
  - Under Security Options:
    - Interactive logon: Require smart card
    - Interactive logon: Smart card removal behavior
- Elevating user privileges:
  - Use the rights and permissions of another user without logging out
  - Right-click > Run as administrator, or Run as different user (Shift+right-click)
  - Command line: runas /user: program
- Resolving authentication issues:
  - On a domain, you don't have to worry about this as much
  - On a local computer, you can use Create a Password Reset Disk
  - If you change a user's password, access to EFS-encrypted data is lost
  - Can be restored if you restore the EFS cert from before

BranchCache
- Caching for branch offices
- Conserves bandwidth over slower links
- New to Windows 7 / Windows Server 2008 R2
- Seamless to the end user
- Only kicks in if latency exceeds 80 ms
- Infrastructure requirements:
  - Hosted Cache Server
    - Required at each remote location
    - Run distributed mode if no cache server is local
    - Create a trusted SSL certificate on the server
    - Clients need W7 Ultimate or Enterprise
    - May need to import the Certificate Authority via Group Policy
- Distributed mode:
  - Asks other local machines if they have already downloaded and cached a file
  - The local computer caches files that it grabs from the outside server
- Hosted mode:
  - The caching server is local
  - Any file grabbed from the outside server is cached on the local server
  - Local computers grab cached files from the server when available
- Configuring client settings:
  - Group Policy ← Computer Configuration\Policies\Administrative Templates\Network\BranchCache
  - Command line:
    - netsh branchcache set service mode=distributed
    - netsh branchcache set service mode=hostedclient location=server
    - Enables BranchCache and configures Windows Firewall rules
  - Check the PeerDistSvc service: Started, Manual

Section 6: Mobile Computing

Bitlocker and Bitlocker to Go
- BitLocker:
  - Encrypts an entire volume, not just a single file
  - Protects all data as well as the operating system
  - Important for mobile devices
  - W7 Ultimate and Enterprise only
- TPM (Trusted Platform Module):
  - Securely generates and stores crypto keys
  - Chip that is on the motherboard
  - Also stands for a set of standards
  - Hardware-based pseudo-random number generator for encryption
- Modes:
  - BitLocker with a TPM (no additional authentication factors)
  - BL with a TPM and a PIN (input the PIN during startup)
  - BL with TPM and USB startup key (need the USB key to operate)
  - BL without a TPM (boot with a startup key on a flash drive)
  - BL with TPM, USB key, and PIN
- Data Recovery Agents:
  - Configured in Group Policy
  - Add this before anyone configures BitLocker on their laptops
  - Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption
  - Configuring the unique identifiers:
    - Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
  - Right-click > Add Data Recovery Agent (wizard) > select a cert that allows disk encryption. Needs to be created by the admin.
  - Issue to the Administrators group
  - BitLocker Drive Encryption > Provide unique identifiers for your organization
    - Enable and type a unique ID in the identification field
  - Choose how BitLocker-protected OS drives can be recovered
    - Enable, and check the "Allow recovery agent" box
- On the client computer:
  - Control Panel > BitLocker Drive Encryption
  - Turn on for the desired drives, select startup preferences
- BitLocker To Go:
  - Encrypts portable drives
  - Set Group Policies under "Removable Data Drives"
- Recovery mode:
  - Get your USB drive with the recovery key
  - manage-bde -status c: ← get the status of that drive
  - manage-bde -unlock c: -cert -ct
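The TPM state and per-volume status that manage-bde -status reports can also be read programmatically, which is useful for checking a fleet before and after rollout; the following is an added example (not from the original notes) using the WMI classes manage-bde is built on. The class, namespace and method names are the documented ones; the key-protector type codes (0 = any, 3 = numerical recovery password) are from the Win32_EncryptableVolume documentation rather than from the notes.

```powershell
# Added example (not from the original notes): query the WMI classes behind
# manage-bde and the TPM to report, per volume, whether BitLocker protection is on,
# how many key protectors are set, and whether a recovery password exists.
# Run from an elevated prompt.

function Get-TpmSummary {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) { return 'No TPM found; BitLocker would need a USB startup key' }
    New-Object PSObject -Property @{
        Enabled   = $tpm.IsEnabled().IsEnabled
        Activated = $tpm.IsActivated().IsActivated
        Owned     = $tpm.IsOwned().IsOwned
    }
}

function Get-ProtectorIds {
    # KeyProtectorType: 0 = every type, 3 = numerical (recovery) password
    param($Volume, [int]$Type)
    @($Volume.GetKeyProtectors($Type).VolumeKeyProtectorID | Where-Object { $_ })
}

function Get-BitLockerSummary {
    $ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
    $statusText = @{ 0 = 'Protection off'; 1 = 'Protection on'; 2 = 'Unknown' }
    foreach ($vol in @(Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume)) {
        $ps = $vol.GetProtectionStatus().ProtectionStatus
        New-Object PSObject -Property @{
            Drive               = $vol.DriveLetter
            Protection          = $statusText[[int]$ps]
            KeyProtectors       = @(Get-ProtectorIds $vol 0).Count
            # A recovery protector should exist before rollout, per the Data Recovery Agent notes
            HasRecoveryPassword = (@(Get-ProtectorIds $vol 3).Count -gt 0)
        }
    }
}

Get-TpmSummary
Get-BitLockerSummary | Format-Table Drive, Protection, KeyProtectors, HasRecoveryPassword -AutoSize
```

A volume showing "Protection on" with zero key protectors is the case to investigate first: the volume is encrypted but nothing unlocks it except the recovery path.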

DirectAccess
- Automated VPN connectivity; always on regardless of location
- Needs IPv6
- Needs Windows Server 2008 R2, a Windows domain, two NICs, and digital certs for authentication
- Lots of encryption involved
- Client will see "Currently connected to: Internet and Corporate Access"
- Certificate management:
  - mmc ← Microsoft Management Console
  - Certificates snap-in
  - Certificates (Local Computer)\Personal\Certificates
- Command-line configuration:
  - netsh interface ipv6 set teredo enterpriseclient
  - netsh interface 6to4 set relay
  - netsh interface httpstunnel add interface client https://myserver/IPHTTPS

Configuring Windows 7 Mobility
- Offline Files:
  - Syncs files on a server share with the mobile computer (automatically)
  - Online mode ← write to the server, read from the cache
  - Auto offline mode ← if the server is offline, converts to local cache operations
    - Checks whether the server is back online every 2 minutes; if so, goes back to online mode
  - Manual offline mode ← force yourself into offline mode ("Work offline")
  - Slow-link mode ← switches to the cached version if speeds drop below 64 kbps
  - Right-click > Always available offline
  - Offline Files Group Policy:
    - Computer Configuration\Administrative Templates\Network\Offline Files
    - Tons of settings to configure (file types to sync, slow-link speeds)
- Transparent Caching:
  - Increases file performance across WAN links
  - Keeps a copy of files you've previously opened cached on your computer
  - More flexible than BranchCache (works with Professional, no domain required)
  - "Enable Transparent Caching" group policy ← determines the latency limit
- Managing power:
  - Sleep ← processor off, memory active, mouse and keyboard powered
  - Hybrid Sleep ← processor off, memory active and a copy written to disk
  - Hibernate ← all devices are off, memory is written to disk
  - Can also be configured from the command line

Remote Connections - Part 1
- VPNs (Virtual Private Networks)
- Authentication protocols:
  - PAP (Password Authentication Protocol)
    - Unencrypted passwords; don't use this normally
  - CHAP (Challenge Handshake Authentication Protocol)
    - Sends the password as a hash; still not a great idea
  - MS-CHAPv2
    - Integrates the Windows username and password
    - Still has some brute-force weaknesses
  - PEAP/PEAP-TLS
    - Protected Extensible Authentication Protocol
    - Sends EAP authentication over TLS (Transport Layer Security)
    - Cert-based; quite secure
  - EAP-MS-CHAPv2/PEAP-MS-CHAPv2
    - Security of PEAP with Windows integration
  - Smart card or certificate
    - Need a cert on both the client and the server
- VPN protocols (under VPN Connection Properties > Security tab):
  - IKEv2 (Internet Key Exchange v2)
    - The more secure option
    - New in Windows 7 (IPv6, VPN Reconnect support)
    - Authentication options: EAP and certs; no support for PAP, CHAP, etc.
    - Uses UDP port 500
  - SSTP (Secure Socket Tunneling Protocol)
    - Uses TCP 443 (the HTTPS port)
    - Very compatible with existing firewalls
    - Doesn't work through proxies
  - L2TP (Layer 2 Tunneling Protocol)
    - L2TP tunnels, IPsec encrypts
    - Compatible with 3rd-party VPNs
  - PPTP (Point-to-Point Tunneling Protocol)
    - Least secure VPN protocol
    - Encryption but no data integrity or authentication
- VPN Reconnect:
  - Move between networks ← the VPN reconnects automatically
  - Uses the IKEv2 tunneling protocol
  - Maximum of 8 hours ← this is configurable
  - After the timeout, you will have to reconnect manually

Remote Connections - Part 2
- NAP (Network Access Protection):
  - Checks firewall, virus/spyware protection, automatic updates, security updates
  - Users not matching the policy get a time-out (remediation network)
  - On the remediation network, they should be able to download whatever they need
  - Once all updates/patches have been applied, they are allowed back onto the network
  - Smaller organizations may not have the resources
- Enable security auditing ← view logons in Event Viewer / Security log
- Remote Desktop:
  - Remote Desktop Gateway Server (formerly known as Terminal Services Gateway)
  - RemoteApp ← run applications remotely; looks like it's running locally
  - RDP files = RemoteApp executables. Created on the server; place them on the client desktop.

Section 7: Monitoring and Maintaining Windows 7

Updating Windows 7
- Most updates can be automated
- Works in conjunction with the Windows Update service
- Can point everyone to a local Windows Update Service server
  - Faster, saves bandwidth
- wuauclt /detectnow ← check for new updates manually
- Windows Update categories:
  - Important updates ← security updates
  - Recommended updates ← not as critical, but still useful. Patches/OS updates.
  - Optional updates ← driver updates, new languages, etc.
- Install Updates Automatically is recommended (installs Important updates)
- Can hide updates; you won't be asked to install them again. Must be an admin.
- View update history
- Can uninstall updates from Control Panel > Programs and Features
- If IE has the correct proxy settings that you want to use for Windows Update:
  - netsh winhttp import proxy source=ie
- Can manually install updates via .msu files (standard users can do this as well)
  - wusa.exe C:\ /quiet /norestart ← command-line MSU install
- Windows Server Update Services (WSUS):
  - Central configuration, managed through Group Policy
  - Admins can determine the rollout schedule for updates
  - Central rollback management
  - Computer Configuration\Administrative Templates\Windows Components\Windows Update
  - Group computers together into an OU for scheduled updates
  - Can create your own updates and sign them
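The update history and pending Important updates that the notes describe viewing in Control Panel can be pulled from the Windows Update Agent COM API, which is the same agent wuauclt drives; the following is an added example (not from the original notes). The OperationResultCode mapping and the Search criteria syntax are from the Windows Update Agent API as I know it, not from the notes; Get-PendingUpdates contacts whichever source is configured (Microsoft Update or the WSUS server set by Group Policy).

```powershell
# Added example (not from the original notes): use the Windows Update Agent COM API
# (the agent wuauclt drives) to list recent update history, pick out failed
# installs, and show what is still pending, with the severity of security updates.

function Get-RecentUpdateHistory {
    param([int]$Count = 50)
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $total = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return @() }
    # OperationResultCode values
    $resultText = @{ 0 = 'Not started'; 1 = 'In progress'; 2 = 'Succeeded'; 3 = 'Succeeded with errors'; 4 = 'Failed'; 5 = 'Aborted' }
    $searcher.QueryHistory(0, [math]::Min($Count, $total)) | ForEach-Object {
        New-Object PSObject -Property @{
            Date    = $_.Date
            Title   = $_.Title
            Result  = $resultText[[int]$_.ResultCode]
            HResult = ('0x{0:X8}' -f $_.HResult)
        }
    }
}

function Get-FailedUpdates {
    # Failed installs are the first thing to look at when a machine keeps prompting
    Get-RecentUpdateHistory -Count 200 | Where-Object { $_.Result -eq 'Failed' } | Select-Object Date, Title, HResult
}

function Get-PendingUpdates {
    # Talks to the configured source (Microsoft Update or the WSUS server from Group Policy)
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        New-Object PSObject -Property @{
            Title    = $u.Title
            Severity = $u.MsrcSeverity      # Critical/Important/Moderate/Low for security updates, empty otherwise
            KB       = (($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ',')
        }
    }
}

Get-FailedUpdates
Get-PendingUpdates | Sort-Object Severity | Format-Table Severity, KB, Title -AutoSize
```

The HResult column is what to search for when an install fails repeatedly; it is the same code that the Windows Update history dialog shows as "Error details".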

Managing Disks
- MBR (Master Boot Record) ← four partitions per disk, 2 TB disk size maximum
- GPT (GUID Partition Table) ← 128 partitions, 256 TB maximum disk size
- Convert using diskpart ← diskpart … convert gpt
- Computer Management > Disk Management
- Basic disks ← MBR partitioned only
- Dynamic disks ← GPT or MBR; use a Logical Disk Manager (LDM) database instead of an MBR
  - The LDM database is replicated to the other dynamic disks
- Moving disks between computers:
  - Basic disks are independent and can be moved with no problem
  - Dynamic disks are aware of each other, so they should be moved together
  - Need to uninstall the disk in Disk Management before moving it
    - For dynamic disks, Remove Disk
  - In the new computer, Disk Management > Rescan Disks
- Dynamic disk advantages:
  - Spanned volumes ← many disks look like one big drive in Windows
  - RAID in Windows 7 software:
    - RAID 0 - Striping ← splits a single file across multiple drives
    - RAID 1 - Mirroring ← keeps a copy of all data on another disk
    - Only available in Professional, Ultimate, and Enterprise
    - Right-click > New Striped Volume > select the disks you want

Disk Tools
- Run defrag from the command prompt ← defrag C:
  - Only an admin can run defrag, from an elevated prompt
- Removable device policies:
  - Computer Configuration\Administrative Templates\System\Removable Storage Access
  - Changes made require a restart

Monitoring Windows 7
- Event Viewer:
  - Control Panel > Administrative Tools
  - View log information ← Application, Security, Setup, System, Forwarded Events
  - Can create custom views (filter by type, severity, etc.)
- Event subscriptions:
  - Centralize event logs on a collector computer (needs a lot of disk space)
  - Collector-initiated subscriptions don't scale well; clients are always listening
  - Source-initiated subscriptions are best for large environments
    - The collector is always listening; source computers send their logs
  - winrm quickconfig on all client machines
  - Add the collector computer to the "Event Log Readers" group in local Group Policy
  - wecutil quick-config on the collector computer to run the Windows Event Collector service
  - wecutil create-subscription subscription.xml ← create a subscription
  - Subscriptions are easy to create in Event Viewer (on the collector)
  - On the source computer, point to the collector under Event Forwarding in local Group Policy
- perfmon /report ← system diagnostics report
- Data collector sets save long-term data to disk for later analysis (graphs)
- Application event log to look at application errors
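Once logon auditing is enabled (see the "Enable security auditing" note under Remote Connections) and logs are being forwarded to a collector, the obvious first report is failed logons grouped by account and source; the following is an added example (not from the original notes) that builds it from Security event ID 4625. The event ID and the EventData field names are from the Windows 7 Security log schema; the 24-hour window and the threshold of 5 are arbitrary defaults, and the account running it needs to be in the Event Log Readers group on the target computer.

```powershell
# Added example (not from the original notes): after logon auditing is enabled,
# summarise failed logons (Security log, event ID 4625) per account and source
# address. Pointed at a collector with -ComputerName and -LogName ForwardedEvents,
# it covers the logs from every source that subscribes to it. Threshold and window
# are arbitrary defaults.

function Get-FailedLogonSummary {
    param(
        [int]$Hours = 24,
        [int]$Threshold = 5,
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$LogName = 'Security'          # use 'ForwardedEvents' on a collector
    )
    $since  = (Get-Date).AddHours(-$Hours)
    # Get-WinEvent throws when nothing matches, hence SilentlyContinue
    $events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = $LogName; Id = 4625; StartTime = $since }
    $events | ForEach-Object {
        # 4625 EventData fields (Windows 7 schema): TargetUserName, IpAddress, LogonType, Status
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        New-Object PSObject -Property @{
            Account   = [string]($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
            Source    = [string]($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
            LogonType = [string]($data | Where-Object { $_.Name -eq 'LogonType' }).'#text'   # 3 = network, 10 = RDP
        }
    } | Group-Object Account, Source |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-FailedLogonSummary -Hours 24 -Threshold 5 | Format-Table -AutoSize
```

The same function body, with Id = 4624 instead of 4625, gives the successful-logon view the notes mention; comparing the two for one account is the quickest way to tell a forgotten password from something that needs an incident ticket.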

Performance Settings - Part 1
- Page file =
- Hard-drive write caching is always enabled by default
- Windows write-cache buffer flushing in case of power outages
- USB drive write caching is disabled by default to avoid data loss
- Configure drives' caching in > Properties > Policies tab
- Configure network performance under Internet Properties > Advanced tab
- > Set Affinity = assign an application to a particular CPU

Performance Settings - Part 2
- All obvious stuff

Section 8: Backup and Recovery Options

Windows 7 Backup
- Control Panel > Backup and Restore
- Keeps backups of previous versions of files
- Does not back up system files, profiles, the recycle bin, or temp files by default
  - Can tell Windows to explicitly back those up as well
- Back up an entire volume to a VHD (system image)
  - Could copy the VHD to another computer and tell Windows to boot from it
  - Ultimate and Enterprise only
- Must back up to an NTFS partition
- Initiate from the command line:
  - start backup -backupTarget:d: -include:c: -quiet
  - Or schedule within Task Scheduler
- Allowed backup locations: CD-R, DVD-R, HDD, network location (Professional and up)
  - No tape drives or flash drives
- Backup structure for files and folders:
  - A folder with the computer name, multiple zip files for versions
  - GlobalCatalog.wbcat as the catalog of all file locations within the backup
- System image backup:
  - Stored in \WindowsImageBackup
  - Only one system image, updated each time

Windows 7 System Recovery Options
- System Restore:
  - Restore points are created automatically, but can also be created manually
  - System Restore is available when booted or from System Recovery (F8)
  - System Properties > System Protection tab
  - Use System Recovery to restore if a driver update prevents you from booting
- Last Known Good Configuration:
  - Useful if boot is caught in a loop
  - Each time you log in, LKGC is saved. Only log in if everything is okay!
- Complete Restore:
  - Recovers the entire system using the recovery image
  - Boot from Windows installation media ← Repair Your Computer

Windows 7 File Recovery Options
- Backup and Restore or Shadow Copy
- Can go into the backup folder and pull from the compressed ZIP files
- Shadow copies are created during a restore point:
  - Right-click > Restore previous versions
  - If a file was moved or renamed, you can restore the previous version of the folder
  - Replacing with a previous version cannot be undone
