Installing, Upgrading, and Migrating to Windows 7
  Go back and add notes here.
Deploying Windows
  Run sysprep to prepare a computer for capturing an image, with the Welcome prompts
  ImageX is included with Windows AIK
    imagex /capture c: c:\wind7desktop.wim ← Captures an image of the C drive to a WIM file on the C drive
    If you save another image to the same filename, it only saves the changes
    /compress fast switch compresses the file
  DISM (Deployment Image Servicing and Management tool) can update a WIM file
    dism /Get-WimInfo /WimFile:install.wim ← Shows images contained in the WIM file
    dism /Mount-Wim /WimFile:install.wim /index:1 /MountDir:c:\mount ← Mounts the WIM file at C:\mount for editing
      Created in C:\Mount. Can add files to the default user's desktop... etc.
    dism /Image:
Configuring Hardware and Applications
  Go back and add notes here.
Configuring Network Connectivity
  IP troubleshooting commands: ipconfig /release, /renew, /flushdns, /registerdns
  ping (test connection to another device)
  tracert (see each hop)
  netstat -a (see open ports on your machine)
  Metal structures can interfere with wireless signals
  Wireless networks are generally not as fast as wired
  WEP, WPA, WPA2 ← In order of security (weakest to strongest)
  Can change the channel under the wireless device's advanced tab to reduce interference
  Windows Firewall was first introduced with Windows XP
    Stateful firewall = data is allowed in only if it was first requested by the client computer
    Network Locations in Windows 7 = Home, Work, Public. Sets firewall rules.
    Windows Firewall > Allowed Programs to allow certain programs through the firewall
    Port 80 is the HTTP (web) port. Port 23 is the telnet port (unencrypted).
    Windows Firewall with Advanced Security settings can be exported and imported into Group Policy for your domain
  Remote Desktop settings → Control Panel > System and Security > System > Remote Settings
    Allow Connections from Computers
    Select Users and add an administrative user account
    Good to create a WIM image with these settings for company computers
  Windows Remote Management (WinRM) service, Windows Remote Shell (WinRS) and PowerShell are used for executing commands from a remote computer
    winrm quickconfig can be run on the client computer to allow it to receive commands
    winrs -r:CompName ipconfig will run ipconfig on that computer
    PowerShell uses cmdlets, which are preconfigured scripts that are very powerful
    PowerShell: icm -ComputerName CompName {Get-WmiObject -Class win32_desktop}
  Remote Assistance can request for someone to remote in via email
    Easy Connect requires IPv6
    Must have Allow Remote Access ticked under the Remote tab in Computer properties
  Remote Desktop, on the other hand, will lock the desktop. Used for remote control.
    Windows 7 Professional, Enterprise, or Ultimate required
    Can edit properties (color depth, connection speed... etc.) to improve remote connections
  Two computers on a DOMAIN already have a trust for PowerShell communication
Configuring Access to Resources
  Folder virtualization = Windows 7 Libraries
    Library properties > Set save location = files are saved to that folder within the Library
  Workgroup is decentralized and hard to manage for lots of computers and users
  Homegroup is centralized with one password, and printers and files can be shared
    Computers on a domain cannot create or access resources from a Homegroup
  Network location awareness for printers is only available on computers with a battery installed
  When Share and NTFS permissions are combined, the most restrictive rule wins
  Encrypting File System (EFS) on Professional, Enterprise, or Ultimate only
    Encrypted file certificates are tied to your user account. You can back up your certificates in case you ever delete your user data
    Data Recovery Agent (DRA) places a second decryption key within the file
    Run mmc and add a new Certificates snap-in to manage certificates
    Right-click on a file and tick Encrypt contents to secure data
    DRA → Create a new account:
      Open a command prompt and type cipher /r:DRAKeys
      Then type in a password to protect the PFX file. This will create two keys, one public and one private.
      Open the Local Group Policy Editor
      Security Settings > Public Key Policies > Encrypting File System
      Right-click and Add Data Recovery Agent. Select the public certificate file (.CER) that was created.
      Do this before users start encrypting files
  UAC works by using two SIDs (one for the logged-in user, and one for admin)
  Certificate Authority (CA) can either be private (managed by the company) or third-party
    certmgr.msc is the Certificate Manager
    From here, you can import and export certificates created on the computer
  Smart card is any card with a chip embedded in it, such as authentication cards for Win7
    Some businesses might use smart cards because they are more secure than name/password
    Smart cards contain a public and private key. Needs either a laptop reader or an external one.
    Most smart cards will not allow you to export a private key from the card.
    Personal Identity Verification (PIV) standard used with smart cards (defines how data is stored)
    Windows 7 automatically supports PIV and downloads drivers
    TLS is the protocol used with smart cards to communicate with the network
    Group Policy location: Computer Config\Policies\Windows Settings\Security Settings\Local Policies\Security Options
      Contains flags and settings to make smart card logon required
      Define what happens if a smart card is removed (can force log off or take no action)
  Rights = Allow or Deny; best to use the default groups in Windows when assigning rights
    Open Local Security Policy to jump right to the User Rights Assignment section
    Simply add different user groups to each right (i.e. Log on locally)
  PROTIP: Shift + Right-click adds the "Run as a different user" option
    runas /user:computername\username
  mode=distributed (no location param needed b/c there is no server)
  netsh branchcache show localcache (shows cache size/location)
  BranchCache needs port 80 (inbound/outbound TCP) open regardless of mode
  Distributed mode needs UDP port 3702 inbound/outbound
  Hosted mode needs outbound TCP port 443
Configuring Mobile Computing
  BitLocker encrypts the entire volume, including the operating system
    Windows 7 Enterprise or Ultimate only
    Needs a 100MB separate system partition (configured when enabling BitLocker)
    Hard drive can't be removed and used on another computer
    Trusted Platform Module (TPM) chip on the motherboard stores the keys
      Keys can be stored on a USB key instead if you don't have a TPM
      The chip needs to be version 1.2 or higher and enabled in BIOS
    BitLocker modes:
      TPM only = computer will boot normally
      TPM with a PIN = user is prompted for a PIN on startup
      TPM and USB key = store a key on USB, read on boot-up
      TPM, USB key and PIN = most secure
      Without TPM = just a USB key
    BitLocker Recovery Key is created during the wizard. Keep this for recovery later.
      Also gives you the option to place the key on a USB drive
    TPM Administration under Control Panel > System and Security > BitLocker
  BitLocker To Go encrypts portable drives like flash drives
    When configured, reader software for older versions of Windows is installed
    Read-only access on older versions of Windows
    Configuring BitLocker To Go from Group Policy
      gpedit.msc to open the Local Group Policy Editor
      BitLocker > Removable Data Drives
      Several options in there (six in total)
  DirectAccess requires IPv6 to run
    Requires Server 2008 for DC and DNS, and a Public Key Infrastructure
    Requires two network cards on the server running DirectAccess
    Used for laptops outside of work instead of a VPN to connect to the work network
    In Group Policy > Windows Settings > Name Resolution Policy
      Add DNS servers to use with DirectAccess
    Can also use netsh (for scripts or a couple of computers)
      netsh interface ipv6 set teredo enterpriseclient
Monitoring and Maintaining Systems that Run Windows
  VPN = virtual private network
    Data is encrypted
    Has integrity checking and prevents replay attacks
    Protocols:
      PPTP → Weakest because it doesn't require certs (port 1723)
      L2TP → Uses IPsec for encryption and requires certs (1701 and UDP port 500)
      SSTP → Uses HTTPS for encryption and port 443 (popular protocol)
      IKEv2 → Supports the new W7 reconnect feature; requires W7 to Server 2008 R2
    Authentication protocols:
      PAP → Uses unencrypted passwords. Disabled by default.
      CHAP → Sends a challenge (hash) to the client.
      MS-CHAPv2 → Improved CHAP; the user can use current login credentials
      EAP → Additional protocols can be bolted on
      PEAP → Protected EAP. EAP traffic is encrypted.
    To set up a VPN: Network and Sharing Center > Set up a Connection or Network > Connect to a workplace
  diskpart
    list partition ← Asterisk next to the primary partition
    clean command wipes the hard disk
    convert gpt converts the disk to GPT format
  Paging file on a separate partition from the OS = performance benefits
  A volume is a single logical storage area; it can contain several partitions
  When moving a dynamic disk to another computer, the drive letter will not change
  You can convert a basic disk to dynamic, but not the other way around
  RAID (Redundant Array of Independent Disks)
    RAID 0 (striped) and RAID 1 (mirror)
    RAID in Windows is software only
    RAID 0 is when data is spread evenly across all the drives in the volume
      Requires two or more drives
      Read/write performance is increased because all HDDs work at the same time
      If one HDD fails, you lose all the data in the set
      You can't boot Win7 from a RAID 0 volume
      All hard disks in the set must be the same size
    RAID 1 can still function if one HDD fails
      Requires 2 hard disks
      No performance advantage; storage cost is effectively doubled.
    Disk Management > Import Foreign Disk
    Right-click on a disk > Add Mirror. This makes it a dynamic disk and enables a RAID 1 setup.
Configuring Backup and Recovery Options
  System image works for bare-metal recoveries (different hardware)
    Windows 7 will automatically detect the different hardware
    Includes the boot sector
    Cannot back up Windows to the same volume as Windows, the recovery partition, or a partition encrypted with BitLocker
    All Programs > Maintenance > Backup and Restore
    Control Panel > Backup and Restore > Create a system image
    You can restore using a system image via a System Restore disc
      Restore disc > Advanced > Search for a system image on the network
  Previous Versions used to be called "shadow copies"
    Restore point is created on startup, mid-day, and when a significant change occurs
    Only saves documents that have been modified
    Only saves one change per day
    Computer Properties > System Protection > Restore system settings and previous versions of files
    To access previous versions of files that have been deleted, right-click on the containing folder and restore previous versions
Professor Messer Notes
Section 1: Installing, Upgrading, and Migrating to Windows 7
Windows 7 Editions:
  Starter (32-bit only):
    Built for netbooks
    No Aero, DVD playback, Windows Media Center, web server... etc.
    Limited to 2GB of RAM
  Home Basic:
    Geographical activation restriction (emerging markets only)
    Similar restrictions to Starter, except it has a 64-bit version
  Home Premium:
    Everything except for enterprise technologies
    Can't connect to a domain; no BitLocker, EFS, AppLocker, BranchCache... etc.
    x64 supports up to 16GB of RAM
  Professional:
    Can connect to a Windows domain
    Supports Remote Desktop Host and EFS (Encrypting File System)
    No BitLocker, AppLocker, BranchCache... etc.
    Includes XP Mode
    x64 supports up to 192GB of RAM
  Ultimate:
    BitLocker, AppLocker, BranchCache... etc. included
    x64 supports 192GB of RAM
  Enterprise:
    Can't buy off the shelf
    Same as Ultimate, but designed for volume licensing
Windows 7 Installation Sources
  DVD or ISO
    Cheap, but doesn't scale well. Slower.
  USB drive or portable hard drive
    Flexible. Can add drivers and other files. Faster read/write than a DVD. Need at least 4GB of space.
    Preparing a USB installation:
      Run diskpart from an Admin command prompt
      list disk to see which disk the USB drive is
      select disk #
      clean, create partition primary, format fs=fat32 quick
      active makes it bootable
      exit to leave diskpart
      Then just copy the contents of the Win7 install disc to the USB drive
  Network share
    Copy the installation media to a share
    Boot from PE (barebones Windows environment)
    Can easily be updated and modified
    Windows PE is downloadable for free with AIK
      Run Deployment Tools Command Prompt
      copype x86 C:\windowspe86 will copy the PE install files to that folder
      winpe.wim can be customized
      Copy the winpe.wim file to C:\windowspe86\ISO\sources
      Rename winpe.wim to boot.wim
      oscdimg command creates ISOs from a directory
  Automated deployment
    Windows Deployment Services (WDS)
    Requires a network, Server 2008, AD, PXE network adapter
    Uses multicast and scales very well
Windows 7 Clean Installation
  Unattended installation:
    Answers are in Unattend.xml (used when not booting from installation media)
    Autounattend.xml can also have answers
      Contains partitioning information and is used in conjunction with boot media
  Clean installation just means no existing OS on the HDD when doing the installation
Windows 7 Dual-boot Installation
  Each OS needs its own partition (Win7 needs at least 15GB)
  Alternatively, you can install to a VHD without the need to make a new partition (Win7 Ultimate)
  The 100MB recovery (WinRE) partition isn't created when dual-booting
  bcdedit
    Edits \boot\bcd in the Windows 7 hidden partition
    Needs to be run from an elevated prompt
    displayorder → [ntldr] = XP, [current] = Win7
    bcdedit /export C:\savebcd → Export current boot settings
    bcdedit /import C:\savebcd → Import settings to undo changes
    bcdedit /set {current} description "New Entry Description"
    bcdedit /displayorder {ntldr} /addfirst (or /addlast) → Change the OS list order
    bcdedit /default {ntldr} → Changes the default option for when the menu times out
Upgrading to Windows 7
  Only Windows Vista Business can upgrade to Win7 Professional
  Vista Enterprise can only upgrade to Win7 Enterprise
  Windows Vista Ultimate can only upgrade to Ultimate
  All versions of Vista can upgrade to Ultimate
  Windows 7 Upgrade Advisor will determine if your system can support Win7
  Microsoft Assessment and Planning Toolkit (MAP) → large-scale upgrade planning
  Before upgrading, make sure the OS is completely up to date
  Upgrade needs at least 10GB of free space
  MAP integrates with Active Directory (scans the network to find computers)
    Can inventory many different operating systems
    Doesn't require any agent software
Migrating User Profiles with Windows Easy Transfer
  When doing a side-by-side transfer, best to launch Easy Transfer from Windows 7 (not XP)
  Easy Transfer saves to a file/folder to be imported on the newer computer or OS
  Side-by-side can be done with either an Easy Transfer cable or a network share
Migrating User Profiles with the User State Migration Tool (USMT)
  Included with Windows AIK and works at the command line
  Can migrate from XP to Vista or 7, as well as Win7 to Vista. Not Win7 to XP.
  MigApp.xml → Migrates application settings (folder options, fonts, wallpapers... etc.)
  MigUser.xml → Migrates user folders, files, and file types
  MigDocs.xml → Location of user documents
  Config.xml → Exclude migration features
  Storing migrated data:
    Uncompressed → Stored in folders, viewable in Explorer
    Compressed → Uses less space, can't be viewed in Explorer
    Hard-link → Creates links to the user data, doesn't duplicate files
  Minimum of 250 MB free to transfer user info
  scanstate grabs the user data and saves it to a file (USMT.MIG)
  loadstate imports the USMT.MIG file and user data
Section 2: Deploying Windows 7
Deploying Windows 7 Overview
  Windows Automated Installation Kit (AIK):
    Windows SIM (System Image Manager) → Manages image distribution
    ImageX → Create and modify Windows images (WIM)
    DISM → Modify an image with updates and drivers
    Windows PE → Minimal boot OS
    oscdimg → Command-line creation of ISO files
Creating a Reference Image
  Create an answer file and save autounattend.xml to the root
  Use sysprep to generalize and set OOBE (out-of-box experience)
  Create a bootable Windows PE disc or flash drive and create the image from there
  Windows System Image Manager (SIM) automates building an answer file
    SIM: Import a WIM file (from the Win7 DVD, for example)
      install.wim file is located under the sources folder of the install disc
    Create New Answer File
      Windows_Setup component > UserData folder
      Add to answer file; AcceptEula = true to auto-accept the agreement
    Tools > Validate answer file
    This file can be saved to a flash drive if you want.
  Run audit mode (Shift+Ctrl+F3) on boot-up
    Bypasses Windows Welcome
    Tweak the reference image, load apps and drivers... etc.
    This is done on the reference computer
    From here, you can install applications and patches like normal
  Run sysprep
    Clears unique names
    Sets OOBE (Windows Welcome)
    C:\windows\system32\sysprep\sysprep.exe /oobe /generalize /shutdown
    /generalize lets it install on different hardware
Capturing an Image
  Copy ImageX to the Windows PE disc/flash drive, or copy it to a network drive
    copy "C:\Program Files\Windows AIK\Tools\x86\imagex.exe" C:\winpe\ISO
    copy c:\winpe\winpe.wim c:\winpe\iso\sources\boot.wim
    oscdimg -n -bc:\winpe\etfsboot.com c:\winpe\iso c:\winpe\winpeimagex.iso
  WIM file does not contain partition information. Can contain many images.
  Once in WinPE:
    net use h: \\networksharefolder /u:admin\2191admin
    Enter the user password for that account. Drive H is now mapped to \\networksharefolder
    net use to find the drive you want to image. In this case, D is the Windows drive.
    If the E drive is the mounted CD, run e:\imagex /capture d: h:\winlab.wim "Name" /compress fast /verify ← This will capture the contents of D and save it as a WIM file on mapped drive H
Preparing for Deployment
  DISM can be used to:
    Update applications
    Manage drivers
    Manage updates
  dism.exe /Get-WimInfo /WimFile:
  To save changes, you must run /Commit-Wim /MountDir:
Deploying a System Image
  Microsoft Deployment Toolkit (MDT) 2010 ← Graphical, makes the process easier
  Windows Deployment Services (WDS) ← Image many systems at once with multicast
  Lite Touch Installation (LTI) ← Deploy without a large systems management infrastructure
  Zero Touch Installation (ZTI) ← Integrates Systems Management Server (SMS) or System Center Configuration Manager (SCCM) 2007 for complete automation
  MDT 2010 (requires Windows AIK):
    Provides a graphical front end for everything we did with ImageX, DISM... etc.
    New Deployment Share wizard
      You can set the local admin account
      Can set whether or not to ask for a Product Key
    Once the share is created, right-click and go to Properties. Other options are in here.
    Right-click on Operating Systems and select Import Operating System.
      Can choose full source files (DVD) or a custom image file (WIM)
    Out-of-Box Drivers > Import drivers > Select the folder with drivers
    Packages can be added (.cab and/or .msu)
    New Task Sequence Wizard
      Can set product key, local password, and IE homepage
      Can create different task sequences for different computers
    Right-click > Update deployment share to apply changes
    Can pull the resulting ISO file from the Deployment Share directory and run it on a computer
      Will run a custom version of Windows PE with deployment options
      Need to enter the credentials for access to the deployment share
  Windows Deployment Services requirements:
    AD Domain Services
    NTFS file system
    Local admin rights
    DHCP server (or PXE)
    WDS is graphical, whereas wdsutil is command-line based
    WDS images ← Boot image (via PXE), Install image (OS to be installed)
    Administrative Tools > Windows Deployment Services
    Set the WIM file as the Install Image in WDS
    Boot image = boot.wim from the Windows 7 DVD
    This is still a Light Touch installation. SCCM is needed for zero touch.
    Discover image is needed if the client computer doesn't support PXE
Working with Virtual Hard Disks
  VHD boot supported in Ultimate and Enterprise only
  Ideally, the VHD would be on a separate disk (or at least another partition)
  Can use ImageX to apply a WIM file to the VHD
  Computer Management (Disk Management): Action > Create VHD > Choose where to save the file
    Fixed size vs dynamically expanding. Fixed size is recommended.
  Using diskpart:
    create vdisk file=c:\vhd\win7lab.vhd maximum=20000 type=fixed (20GB)
    select vdisk file=
Section 3: Configuring Hardware and Applications
Configuring Devices
  Device > Properties > Details > Device GUID to look up the device's unique ID
  Device Installation Settings ← Set who and what can make changes
  Plug and Play (PnP) drivers are drivers that are already installed
  Driver Store → Windows/CurrentVersion/DevicePath
    Copies the driver for use to Windows\System32\drivers
  New drivers can be staged using pnputil
    pnputil.exe -a C:\drivers\driver.inf ← Add new driver (pre-stage)
    pnputil.exe -e ← Shows all third-party drivers installed
  Can set classes of allowed device installations within Local Group Policy
  You can run verifier from the command line to launch a GUI version
    Can look at the really deep, nitty-gritty details for drivers
  Signed drivers contain a cryptographic "signature" from Microsoft
    Must be an admin to install an unsigned driver
    If you have a Certificate Authority, you can sign drivers yourself
    This is more important with Windows 7 64-bit
  Run sigverif to scan for device drivers that have not been digitally signed
  msinfo32 can be run to get a list of resource conflicts on your system
Configuring Application Compatibility
  Application Compatibility Toolkit ← Download from Microsoft.com
    Comes with Application Compatibility Manager
    Compatibility Administrator
      View compatibility fixes for 3rd-party apps
      Analyze apps, create your own shim
    Internet Explorer Compatibility Test Tool
  Application Compatibility Manager is used to monitor issues across a large network
    Has a HUGE list of applications and what happens when you try to run them
    These compatibility fixes are called shims
  IE Compatibility Test Tool needs to be run while surfing the web with IE8
    When it detects problems with web sites/apps, it will list them
  App Compatibility Group Policies
    Can change policies to modify how Windows reacts to errors
    If an installer fails, for example, you can enable Detect application installation failures
      This will prompt a user when an install fails to run it in XP compatibility mode
  Windows XP Mode:
    Runs XP in a virtual machine
    Only available in Professional and up
    Integrates with Win7, so you can launch applications from within Windows 7
      XP Mode kicks in in the background in that case
Software Restriction Policies
  Group Policy editor ← Run > gpedit.msc or search for Group Policy
  A bit of overlap with AppLocker, but AppLocker only works in 7 Ultimate and Enterprise
    Group Policy works across XP, Vista, and 7
  Computer Config\Windows Settings\Security Settings\Software Restriction Policies
    Use the Local Security Policy editor if not on a domain
  Enforcement Properties can set rules to apply to all users or all users except local admins
  Under Designated File Types, you can add or remove file types that will be affected
  If AppLocker is in use, AppLocker always wins over Software Restriction Policy rules
  Order of priority:
    Hash rules ← Specific rule, allowing or disallowing an exact executable, incl. version
    Certificate rules ← Control app usage by publisher; hard to fool, app must be signed
    Path rules ← Control based on files or folders; can be circumvented by moving the file
    Network Zone rules ← Control based on download location; only applies to .msi files
    Default rules ← Either Disallowed, Basic User, or Unrestricted (which is the default)
  To apply a hash rule, just right-click, New Hash Rule, navigate to the app, then Disallow.
Understanding AppLocker
  Only available on W7 Ultimate, Enterprise, and Server 2008 R2
  Can control by users or groups within Group Policy
  Requires the Application Identity service to be running (startup type Automatic)
  Block rules always override Allow rules
  Group Policy ← Windows Settings\Security Settings\Application Control Policies\AppLocker
  AppLocker has wizards for configuring settings
  Rule categories:
    Executable rules ← .exe and .com files
    Windows Installer rules ← .msi and .msp files
    Script rules ← .bat, .cmd, .js, .ps1, and .vbs files
  Default is to block everything after enabling AppLocker
    When you create the new default rules, everything is allowed.
  Publisher rules: Pulled from the file information. Existing file and all future versions.
  Path rules: Pick a file or folder and allow executables to run
  File Hash rules: Specific rules for specific programs
    File version = * ← Applies to any version of the program
    Exceptions can be made for certain versions of a program
  Under AppLocker properties, enable Enforcement or Audit mode to test new rules
    Then start the Application Identity service on the client computer
    Audit mode results can be viewed under the AppLocker folder in Event Viewer
      Says whether or not the program would have opened had enforcement been enabled
  Can do Automatically Generate Rules for an entire directory
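The rule-generation, audit-mode and Event Viewer steps above, scripted with Microsoft's AppLocker cmdlets. This is an added example, not part of the original notes; $ReferenceDir, $PolicyFile and $FileToTest are placeholder paths.

```powershell
# Added example (not from the original notes). Builds an audit-mode AppLocker policy from a
# reference install, dry-runs one file against it, applies it, then reads the audit results
# the notes describe (event 8003 = ran, but would have been blocked under enforcement).
Import-Module AppLocker    # Microsoft's AppLocker module, present on Windows 7 Ultimate/Enterprise

$ReferenceDir = 'C:\Program Files\ContosoApp'               # placeholder: folder to generate rules from
$PolicyFile   = 'C:\Policies\ContosoApp-AppLocker.xml'      # placeholder: where the XML policy is written
$FileToTest   = 'C:\Program Files\ContosoApp\contoso.exe'   # placeholder: file to dry-run

# 1. Gather publisher and hash information for every .exe, .dll, script and .msi in the folder
#    (what "Automatically Generate Rules" does). Publisher rules are tried first because they
#    survive version updates; unsigned files fall back to hash rules. -Optimize merges rules
#    that share a publisher.
$policyXml = Get-AppLockerFileInformation -Directory $ReferenceDir -Recurse `
                 -FileType Exe, Dll, Script, WindowsInstaller |
             New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 2. Switch every rule collection to AuditOnly so nothing is blocked while the rules are tested.
[xml]$policy = $policyXml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
New-Item -ItemType Directory -Path (Split-Path $PolicyFile) -Force | Out-Null
$policy.Save($PolicyFile)

# 3. Dry run: what decision would this file get under the new policy for the given user?
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $FileToTest -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 4. Apply locally (-Merge keeps rules already on the machine) and make sure the Application
#    Identity service runs automatically; without it AppLocker does nothing.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 5. Review audit results: 8003 = allowed to run, but would have been blocked if enforced.
function Get-AppLockerAuditHits {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}
Get-AppLockerAuditHits
```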
Internet Explorer Configuration
  Admin Templates\Windows Components\Internet Explorer\Compatibility View
    Can enable/disable the button, set sites for automatic Compatibility View
  IE Zones: Internet, Local Intranet, Trusted Sites, Restricted Sites
  InPrivate Filtering blocks certain elements on sites automatically
  InPrivate Browsing is IE's equivalent of Incognito Mode. Opens in a new window.
    Admin Templates\Windows Components\Internet Explorer\InPrivate ← InPrivate settings
Section 4: Network Connectivity
An Overview of IPv4 and IPv6
  IPv4: 32-bit addresses; the number of addresses is quickly being depleted
    Four sets of numbers (octets); each of the four sets is 8 bits (binary). 8x4 = 32 bits
  IPv6: 128-bit addresses, bajillions of addresses
    Leading 0's are optional
    Groups of 0's can be abbreviated with :: (only one per address allowed)
  Subnetting:
    Every device needs a unique IP address
    Subnet mask is used to let devices on the same local network communicate
    Default gateway is the router that allows outside communication
  Private addresses (used for local communication)
    10.0.0.0 - 10.255.255.255
    172.16.0.0 - 172.31.255.255
    192.168.0.0 - 192.168.255.255
  DNS (Domain Name System) converts names to IP addresses
  DHCP (Dynamic Host Configuration Protocol) automatically assigns IP addresses, subnet mask, gateway... etc. to devices
  APIPA (Automatic Private IP Addressing) connects an entire network without configuration (and w/o a DHCP server)
  NAT (Network Address Translation)
    Usually the router or modem. Device that is connected to the Internet.
    Allows all devices to communicate with the Internet
  Communication methods
    Unicast ← One to one
    Multicast ← One packet to multiple devices
    Broadcast ← One to all (IPv4)
    Anycast ← One to nearest (IPv6)
  IPv6 unicast addresses
    Global ← Routable everywhere
    Local ← Used on the local network (no Internet)
    Link-local ← Used in the local subnet only (starts with fe80::/10)
  Teredo allows you to tunnel IPv6 through NATed IPv4. No special router needed.
    Addresses start with 2001::/32
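The subnet-mask and private-address ideas above, worked through in PowerShell. This is an added example, not part of the original notes; the sample hosts are constructed.

```powershell
# Added example (not from the original notes): the subnet test a host performs before deciding
# whether a destination is on the local network or must go through the default gateway, plus
# a check against the three private ranges listed in the notes. Sample addresses are constructed.
function ConvertTo-UInt32Address {
    param([Parameter(Mandatory = $true)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 address expected: $Address" }
    # Four 8-bit octets packed into one 32-bit number (first octet is the most significant)
    return [uint32](([uint32]$bytes[0] * 16777216) + ([uint32]$bytes[1] * 65536) + ([uint32]$bytes[2] * 256) + [uint32]$bytes[3])
}

function Test-SameSubnet {
    param([string]$HostA, [string]$HostB, [string]$SubnetMask)
    $mask = ConvertTo-UInt32Address $SubnetMask
    # Same network bits (address AND mask) = same local network, so no gateway is needed
    return ((ConvertTo-UInt32Address $HostA) -band $mask) -eq ((ConvertTo-UInt32Address $HostB) -band $mask)
}

function Test-PrivateIPv4 {
    param([string]$Address)
    $a = ConvertTo-UInt32Address $Address
    # The private ranges from the notes, written as network/mask pairs
    $ranges = @(
        @{ Network = '10.0.0.0';    Mask = '255.0.0.0'   },   # 10.0.0.0 - 10.255.255.255
        @{ Network = '172.16.0.0';  Mask = '255.240.0.0' },   # 172.16.0.0 - 172.31.255.255
        @{ Network = '192.168.0.0'; Mask = '255.255.0.0' }    # 192.168.0.0 - 192.168.255.255
    )
    foreach ($r in $ranges) {
        if (($a -band (ConvertTo-UInt32Address $r.Mask)) -eq (ConvertTo-UInt32Address $r.Network)) { return $true }
    }
    return $false
}

# Constructed sample hosts: same /24, different /24, inside and just outside 172.16/12
Test-SameSubnet -HostA '192.168.1.20' -HostB '192.168.1.200' -SubnetMask '255.255.255.0'
Test-SameSubnet -HostA '192.168.1.20' -HostB '192.168.2.20'  -SubnetMask '255.255.255.0'
Test-PrivateIPv4 -Address '172.20.5.9'
Test-PrivateIPv4 -Address '172.32.0.1'
```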
Configuring IPv4
  Network and Sharing Center / Change Adapter Settings / Right-click > Properties
  netsh interface ipv4 show ← Show names
  netsh interface ipv4 set address "name" static
Configuring IPv6
  Configuration is mostly the same as IPv4
  netsh interface ipv6 show neighbors
  Use the -6 switch after ping or tracert to use IPv6 over the Teredo tunnel
Configuring Networking Settings
  Wireless standards:
    802.11a: Operates in the 5GHz range, 54 Mbit/s
      Higher frequency is absorbed by objects in the way
      Today only seen in specific cases
    802.11b: Operates in the 2.4GHz range, 11 Mbit/s
      Better range than 802.11a, less absorption
      More frequency conflict with cordless phones, microwaves... etc.
    802.11g: 2.4GHz range, 54 Mbit/s
      Same frequency problems as 802.11b
    802.11n: 5GHz and/or 2.4GHz, 600 Mbit/s
      New standard has MIMO (multiple antennas)
  Security settings:
    WPA-Personal ← Older version of WPA. Uses a passphrase.
    WPA2-Personal ← Always choose this.
    WPA-Enterprise ← Uses an authentication server. No shared passphrase.
  Encryption types:
    WEP ← Not a very good way to encrypt data
    TKIP ← Temporal Key Integrity Protocol. Meant to replace WEP.
    AES ← Used in WPA2
    WPA2 with AES is generally the best, most secure combination
  netsh wlan show interfaces ← Show network cards
  netsh wlan show networks ← Show available networks
  netsh wlan add profile filename=whatever.xml ← Create a profile to connect with
  netsh wlan connect name=whatever ssid=whatever ← Connect to the named network
  Location-aware printing: New to Windows 7. Keeps track of the default printer based on wireless location.
Configuring Windows Firewall
  Windows Firewall ← Based on applications; all traffic applies (no scope)
    Different settings for Home/Work and Public
  Windows Firewall with Advanced Security:
    Inbound and Outbound rules
    Connection security rules
    Granular ← Program, port, custom... etc.
    Scope = IP addresses that are associated with a particular rule
    Can have a rule apply to all users or only certain ones
Remote Management
  Remote Assistance: User-initiated help; the end user is in control
    System Properties > Remote tab > Check Allow Remote Assistance
    Start > All Programs > Maintenance > Remote Assistance
    Generates an invitation file and password. Can also use Easy Connect and/or email the remote user.
    End user needs to grant permission for them to take control
  Remote Desktop: Initiated by the remote user; the host is always waiting for a connection
    Start > All Programs > Accessories > Remote Desktop Connection
    Only available in Professional, Ultimate, and Enterprise
    Host user gets locked out and cannot see the desktop
    System Properties > Remote > Remote Desktop
      "Allow connections only from computers running Remote Desktop with Network Level Authentication" is the most secure option
      Select Users ← Allow and/or disallow specific user groups
  Windows PowerShell:
    Win7 comes with PowerShell 2.0
    Over 240 cmdlets (extensive use of pipelines)
  Windows Remote Shell (WinRS)
    Run a shell command on a remote computer
    Remote Desktop not required
    winrm quickconfig on the host computer and select "Yes"
      Allows remote commands to be run on that computer
    winrs -r:http://atlantislabpc:5985 -u:
      Will show the C directory from the remote computer
    Get-WmiObject -Class win32_service -ComputerName atlantislabpc -Credential
Section 5: Resource Access
Shared Resources
  Folder virtualization allows for roaming user profiles: access to files from any computer
  Sharing folders:
    net share command to set shared folders via the command line
    net share "sharename"="drive:path" /grant:username,full
      Shares the folder with username and grants full control
  Sharing printers:
    Share this printer under the Sharing tab
    Can pre-install drivers using Additional Drivers
    Can apply different access settings per user under the Security tab
  HomeGroup settings:
    For use on a non-domain network; separate accounts and passwords
    Easy access to files and printers
    Need at least Home Premium to create one
    Other editions can connect to it but not create it
    Uses a global password for other users to access shared stuff
    Control Panel > HomeGroup > Join Now
File and Folder Access
  Encrypting File System (EFS)
    Requires NTFS
    Encrypt for multiple users, regardless of permissions
    Create a Recovery Agent before encrypting any files: cipher /R:filename
      Generates CER and PFX files. Save these somewhere safe.
    Right-click on Folder > Advanced Attributes > Encrypt contents to secure data
    cipher command reveals which files in a folder are encrypted/unencrypted
  NTFS and Share permissions are separate
    Share permissions ← Sharing tab / NTFS permissions ← Security tab
    icacls ← Configure NTFS permissions from the command line
    net share ← Configure Share permissions from the command line
    NTFS permissions apply to both local and network connections
    Share permissions only apply to connections over the network
    The most restrictive setting always wins.
    If you copy a file to another folder, it will inherit the permissions of the new folder. If you move a file, its permissions will follow it.
    Advanced button under Security > Effective Permissions tab
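The "most restrictive wins" rule above, worked through as a function so the interplay of NTFS Deny entries, group accumulation, and local versus network access is explicit. This is an added example, not part of the original notes; the ACLs and group names are constructed.

```powershell
# Added example (not from the original notes): effective access for a user reaching a shared
# folder, applying the rules in the notes: NTFS applies locally and over the network, share
# permissions only over the network, and the most restrictive of the two wins.
$Levels = @{ 'Read' = 1; 'Change' = 2; 'Full' = 3 }   # simplified permission ladder (0 = no access)

function Get-EffectiveLevel {
    param([object[]]$Aces, [string[]]$Principals)
    # An explicit Deny for any of the user's principals overrides every Allow
    foreach ($ace in $Aces) {
        if ($ace.Type -eq 'Deny' -and $Principals -contains $ace.Identity) { return 0 }
    }
    # Otherwise Allow entries from all of the user's groups accumulate: take the highest
    $best = 0
    foreach ($ace in $Aces) {
        if ($ace.Type -eq 'Allow' -and $Principals -contains $ace.Identity -and $Levels[$ace.Level] -gt $best) {
            $best = $Levels[$ace.Level]
        }
    }
    return $best
}

function Get-EffectiveAccess {
    param([object[]]$NtfsAces, [object[]]$ShareAces, [string[]]$Principals, [switch]$OverNetwork)
    $ntfs = Get-EffectiveLevel -Aces $NtfsAces -Principals $Principals
    if (-not $OverNetwork) { return $ntfs }        # local logon: share permissions do not apply
    $share = Get-EffectiveLevel -Aces $ShareAces -Principals $Principals
    return [Math]::Min($ntfs, $share)              # over the network: most restrictive wins
}

# Constructed sample ACLs for a folder shared as \\server\Reports (placeholder names)
$ntfsAces = @(
    @{ Identity = 'Domain Users'; Type = 'Allow'; Level = 'Read' },
    @{ Identity = 'Accounting';   Type = 'Allow'; Level = 'Full' },
    @{ Identity = 'Contractors';  Type = 'Deny';  Level = 'Full' }
)
$shareAces = @(
    @{ Identity = 'Everyone'; Type = 'Allow'; Level = 'Change' }
)
$names = @{ 0 = 'None'; 1 = 'Read'; 2 = 'Change'; 3 = 'Full' }

# An accountant: NTFS Full but share Change, so Change over the network and Full when logged on locally
$accountant = @('Everyone', 'Domain Users', 'Accounting')
$names[(Get-EffectiveAccess $ntfsAces $shareAces $accountant -OverNetwork)]
$names[(Get-EffectiveAccess $ntfsAces $shareAces $accountant)]

# A contractor: the NTFS Deny wins regardless of the share's Change, locally and over the network
$contractor = @('Everyone', 'Domain Users', 'Contractors')
$names[(Get-EffectiveAccess $ntfsAces $shareAces $contractor -OverNetwork)]
$names[(Get-EffectiveAccess $ntfsAces $shareAces $contractor)]
```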
User Account Control
  Informs when new device drivers are installed, firewall changes are made, or user accounts are modified
  Secure Desktop ← Background dims and freezes. Limits automated access.
  Group Policy management: Local Security Policy > Local Policies > Security Options
    Enable/disable various settings pertaining to UAC
  Control Panel > User Accounts > Change UAC Settings
Authentication and Authorization
  Configuring rights: Group Policy > Comp Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment
    Rights are different from NTFS or Share permissions
    Examples of rights: change system time, deny log on as a service, log on locally
    Can assign rights to OUs or individual users
  Managing Credentials:
    Windows Vault stores names and passwords. “Remember my credentials”
    Windows Credential Manager
      Backup and restore the Windows Vault (uses secure desktop)
      Control Panel > Credential Manager
      Can restore on another computer to move over credentials/logons
  Managing Certificates:
    Manage file encryption certificates (certmgr.msc)
    Personal > Certificates > Username ← Export as backup for EFS certificate
  Smart Cards with PIV: Personal Identity Verification
    Biometric capture and storage, cryptographic algorithms, key sizes
    It’s a standard associated with the storage and formatting of credentials
    Carry your cert with you
    Multifactor authentication (multiple requirements for more security)
      Username, password, smart card, fingerprint
    PIV is built into Windows 7
    Under Security Options:
      Interactive Logon: Require smart card
      Interactive Logon: Smart card removal behavior
  Elevating User Privileges: Use rights and permissions of another user without logging out
    Right-click > Run as administrator, or Run as different user (Shift + right-click)
    Command line: runas /user:
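The UAC settings, the smart-card Security Options and the User Rights Assignment policies from the two sections above can all be read back from the local machine. The following audit script is an added example (not from these notes) that pulls the UAC and smart-card policy values from the registry keys the Local Security Policy editor writes, exports the rights assignments with secedit, and resolves the SIDs to account names. It assumes an elevated PowerShell on Windows 7; the list of rights it reports on is a chosen subset, not anything prescribed by the notes.

```powershell
# Added example (not from these notes): audit local UAC, smart-card and user-rights settings
# so a weakened configuration stands out. Run elevated.

# --- UAC: the Security Options policies are stored under this key ---
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey
$report = @{}
$report['UAC enabled (EnableLUA=1)']                         = ($uac.EnableLUA -eq 1)
$report['Prompt on Secure Desktop (PromptOnSecureDesktop=1)'] = ($uac.PromptOnSecureDesktop -eq 1)
# ConsentPromptBehaviorAdmin 0 = admins elevate silently, the value worth flagging
$report['Admins elevate silently (ConsentPromptBehaviorAdmin=0)'] = ($uac.ConsentPromptBehaviorAdmin -eq 0)

# --- Smart card policies: "Require smart card" and "Smart card removal behavior" ---
$report['Smart card required for logon (scforceoption=1)'] = ($uac.scforceoption -eq 1)
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# ScRemoveOption: 0 no action, 1 lock workstation, 2 force logoff, 3 disconnect RD session
$report['Smart card removal action (ScRemoveOption)'] = $winlogon.ScRemoveOption

# --- User Rights Assignment: export the policy with secedit and resolve SIDs to names ---
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rightsOfInterest = 'SeRemoteInteractiveLogonRight', 'SeInteractiveLogonRight',
                    'SeDenyServiceLogonRight', 'SeSystemtimePrivilege'
$rights = @{}
foreach ($line in Get-Content $inf) {
    # lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $name = $matches[1]
        $who = foreach ($sid in $matches[2].Split(',')) {
            $sid = $sid.Trim().TrimStart('*')
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $sid }    # keep unresolvable SIDs (e.g. deleted accounts) as-is
        }
        $rights[$name] = $who
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

foreach ($k in ($report.Keys | Sort-Object)) { '{0,-62} {1}' -f $k, $report[$k] }
foreach ($r in $rightsOfInterest) {
    $holders = if ($rights.ContainsKey($r)) { $rights[$r] -join ', ' } else { '(nobody)' }
    '{0,-62} {1}' -f $r, $holders
}
```

Unresolved SIDs left in a rights assignment (shown raw by the script) are the usual sign of a deleted account that still holds a right, and an "Admins elevate silently" result of True means the Secure Desktop prompt described above is never shown to administrators.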
BranchCache
  Caching for branch offices; conserve bandwidth over slower links
  New to Windows 7/Windows Server 2008 R2
  Seamless to the end-user
  Only kicks in if latency exceeds 80ms
  Infrastructure Requirements
    Hosted Cache Server required at each remote location; run distributed mode if cache server not local
    Windows Server 2008 R2
    Create a trusted SSL certificate on the server
    Clients need W7 Ultimate or Enterprise
    May need to import Certificate Authority via group policy
  Distributed Mode:
    Asks other local machines if they have already downloaded and cached a file
    Local computer caches files that it grabs from the outside server
  Hosted Mode:
    Caching server is local
    Any files grabbed from the outside server are cached on the local server
    Local computers grab cached files from the server when available
  Configuring Client settings:
    Group Policy ← Comp Config\Policies\Admin Templates\Network\BranchCache
    Command line:
      netsh branchcache set service mode=distributed
      netsh branchcache set service mode=hostedclient location=server
      Enables BC and configures Windows Firewall rules
    Check PeerDistSvc service. Started, Manual.
Section 6: Mobile Computing
Bitlocker and Bitlocker to Go
  Bitlocker: Encrypt an entire volume, not just a single file
    Protects all data as well as the operating system
    Important for mobile devices
    W7 Ultimate and Enterprise only
  TPM (Trusted Platform Module)
    Securely generates and stores crypto keys
    Chip that is on the motherboard
    Also stands for a set of standards
    Hardware-based pseudorandom number generator for encryption
  Modes:
    BitLocker with a TPM (no additional authentication factors)
    BL with a TPM and a PIN (input PIN during startup)
    BL with TPM and USB startup key (need USB key to operate)
    BL without a TPM (boot with startup key on flash drive)
    BL with TPM, USB key, and PIN
  Data Recovery Agents
    Configured in Group Policy. Add this before anyone configures BitLocker on their laptops
    Computer Config\Win Settings\Security Settings\Public Key Policies\BL Drive Encryption
      Right-click > Add Data Recovery Agent (wizard) > Select Cert that allows disk encryption. Needs to be created by the admin. Issue to Administrator group
    Configuring the unique identifiers: Admin Templates\Windows Components\BL Drive Encryption\Operating System Drives
      Bitlocker Drive Encryption > Provide unique IDs for your organization
        Enable and type a unique ID in the identification field
      Choose how Bitlocker-protected OS drives can be recovered
        Enable, and check the “Allow recovery agent” box
  On Client Computer: Control Panel > Bitlocker Drive Encryption
    Turn on for desired drives, select startup preferences
  BitLocker To Go: Encrypt portable drives
    Set Group Policies on “Removable Data Drives.”
  Recovery Mode: Get your USB drive with the recovery key
    manage-bde -status c: ← Get status of that drive
    manage-bde -unlock c: -cert -ct ← Unlock with the recovery agent certificate (-ct takes the certificate thumbprint)
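To check which of the modes listed above a machine is actually using, and whether a Data Recovery Agent certificate covers each drive, the WMI class behind manage-bde can be queried directly. This is an added example (not from these notes); it assumes an elevated PowerShell on Windows 7 with BitLocker available, and the protector-type numbers are the values the Win32_EncryptableVolume class documents for GetKeyProtectorType.

```powershell
# Added example (not from these notes): report BitLocker state for every encryptable volume
# via the Win32_EncryptableVolume WMI class that manage-bde itself drives. Run elevated.
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# KeyProtectorType values returned by GetKeyProtectorType, mapped to the modes listed above
$protectorNames = @{
    0 = 'Unknown'; 1 = 'TPM only'; 2 = 'External key (USB startup key)';
    3 = 'Numerical password (recovery key)'; 4 = 'TPM + PIN'; 5 = 'TPM + startup key';
    6 = 'TPM + PIN + startup key'; 7 = 'Public key (certificate / data recovery agent)';
    8 = 'Passphrase'
}
$protectionNames = @{ 0 = 'OFF'; 1 = 'ON'; 2 = 'UNKNOWN (locked)' }

# TPM presence and readiness, since the TPM-based modes depend on it
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) {
    'TPM present: enabled={0} activated={1} owned={2}' -f $tpm.IsEnabled().IsEnabled,
        $tpm.IsActivated().IsActivated, $tpm.IsOwned().IsOwned
} else {
    'No TPM reported: only the "without a TPM" (startup key on flash drive) mode is possible'
}

foreach ($vol in Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume) {
    $status = $vol.GetProtectionStatus().ProtectionStatus
    # 0 as the type argument asks for protectors of every type
    $ids    = $vol.GetKeyProtectors(0).VolumeKeyProtectorID
    $types  = foreach ($id in $ids) {
        $protectorNames[[int]$vol.GetKeyProtectorType($id).KeyProtectorType]
    }
    '{0,-4} protection {1,-16} protectors: {2}' -f $vol.DriveLetter, $protectionNames[[int]$status],
        $(if ($types) { $types -join '; ' } else { 'none' })
    # No type-7 protector means no certificate-based recovery agent can unlock this volume,
    # so recovery depends entirely on whoever holds the numerical password / startup key.
    if ($status -eq 1 -and -not ($types -contains $protectorNames[7])) {
        '     warning: {0} has no recovery agent (certificate) protector' -f $vol.DriveLetter
    }
}
```

The warning line is the part to keep in a fleet check: a laptop protected only by "TPM only" plus a numerical password is encrypted, but the help desk has no way to unlock it without that password if the DRA policy above was never applied before the user turned BitLocker on.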
DirectAccess
  Automated VPN connectivity; always on regardless of location
  Needs IPv6
  Needs Windows Server 2008 R2, Windows Domain, two NICs, digital certs for authentication
  Lots of encryption involved.
  Client will see “Currently connected to: Internet and Corporate Access”
  Certificate Management: mmc ← MS Management Console, Certificates snap-in
    Certificates (Local Computer)\Personal\Certificates
  Command-line configuration: netsh interface ipv6 set teredo enterpriseclient
Configuring Windows 7 Mobility
  Offline Files: Syncs files on server share with mobile computer (automatically)
    Online Mode ← Write to server, read from the cache
    Auto offline mode ← If server is offline, converts to local cache operations
      Will check if server is back online every 2 minutes; if so, goes back to online mode
    Manual offline mode ← Force yourself into offline mode: “Work offline”
    Slow-link Mode ← Kicks to cache version if speeds drop below 64kbps
    Right-click > Always available offline
    Offline File Group Policy: Comp Config\Admin Templates\Network\Offline Files
      Tons of settings to configure (file types to sync, slow-link speeds)
  Transparent Caching: Increase file performance across WAN links
    Keeps a copy that you’ve previously opened cached on your computer
    More flexible than BranchCache (works with Professional, no domain required)
    “Enable Transparent Caching” group policy ← Determine latency limit
  Managing Power:
    Sleep ← Processor off, memory active, mouse and keyboard powered
    Hybrid Sleep ← Processor off, memory active and a copy written to disk
    Hibernate ← All devices are off, memory is written to disk
    Can configure at command line with powercfg
Remote Connections Part 1
  VPNs (Virtual Private Networks)
  Authentication Protocols:
    PAP (Password Authentication Protocol)
      Unencrypted passwords, don’t use this normally
    CHAP (Challenge Handshake Authentication Protocol)
      Sends the password as a hash, still not a great idea
    MS-CHAPv2
      Integrates the Windows username and password
      Still some brute-force weaknesses
    PEAP/PEAP-TLS (Protected Extensible Authentication Protocol)
      Sends EAP authentication over TLS (Transport Layer Security)
      Cert-based; quite secure
    EAP-MSCHAPv2/PEAP-MSCHAPv2
      Security of PEAP with Windows integration
    Smart card or certificate
      Need cert on both the client and the server
  VPN Protocols (Under VPN Connection Properties > Security Tab)
    IKEv2 (Internet Key Exchange v2)
      The more secure option
      New in Windows 7 (IPv6, VPN reconnect support)
      Authentication options: EAP and certs. No support for PAP, CHAP... etc.
      Uses UDP port 500
    SSTP (Secure Socket Tunneling Protocol)
      Uses TCP 443 (HTTPS port)
      Very compatible with existing firewalls
      Doesn’t work through proxies
    L2TP (Layer 2 Tunneling Protocol)
      L2TP tunnels, IPsec to encrypt
      Compatible with 3rd-party VPNs
    PPTP (Point-to-Point Tunneling Protocol)
      Least secure VPN protocol
      Encryption but no data integrity or authentication
  VPN Reconnection: Move between networks ← VPN reconnects automatically
    Uses IKEv2 tunneling protocol
    Maximum timeout of 8 hours ← This is configurable. After timeout, will have to reconnect manually
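The tunnel-protocol choice made on the Security tab above is stored per connection in the RAS phone book (rasphone.pbk), so existing connections can be audited for PPTP without clicking through each one. The following is an added example (not from these notes): Windows 7 has no VPN cmdlets, so it parses the INI-style phone book itself. The phone-book text is a constructed sample; the VpnStrategy meanings are the VS_* constants from ras.h and Type=2 is the RASET_Vpn entry type, both documented in the RAS API rather than in these notes.

```powershell
# Added example (not from these notes): audit rasphone.pbk VPN entries for PPTP use.
# The sample below is constructed; on a real machine replace it with
#   Get-Content "$env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk"
$samplePbk = @'
[Corp-IKEv2]
Type=2
VpnStrategy=7
DataEncryption=256

[Legacy-Remote]
Type=2
VpnStrategy=1
DataEncryption=8

[Travel]
Type=2
VpnStrategy=0
DataEncryption=8

[Office-Dialup]
Type=1
'@

# VpnStrategy values are the VS_* constants from ras.h
$strategy = @{
    0 = 'Automatic (negotiate)'; 1 = 'PPTP only'; 2 = 'PPTP first';
    3 = 'L2TP/IPsec only'; 4 = 'L2TP/IPsec first'; 5 = 'SSTP only';
    6 = 'SSTP first'; 7 = 'IKEv2 only'; 8 = 'IKEv2 first'
}

function Get-VpnEntries([string[]]$lines) {
    # Minimal INI parser: [Section] headers start an entry, key=value lines fill it
    $entries = @(); $current = $null
    foreach ($line in $lines) {
        if ($line -match '^\[(.+)\]$') {
            if ($current) { $entries += $current }
            $current = @{ Name = $matches[1] }
        } elseif ($current -and $line -match '^(\w+)=(.*)$') {
            $current[$matches[1]] = $matches[2]
        }
    }
    if ($current) { $entries += $current }
    # Type=2 is RASET_Vpn; dial-up (1), direct (3) and broadband (5) entries are skipped
    $entries | Where-Object { $_['Type'] -eq '2' }
}

function Test-VpnEntry($entry) {
    $code = [int]$entry['VpnStrategy']
    $findings = @()
    if ($code -eq 1 -or $code -eq 2) { $findings += 'PPTP selected (least secure: no integrity/authentication of data)' }
    if ($code -eq 0)                  { $findings += 'automatic negotiation may settle on PPTP' }
    if ($code -eq 2 -or $code -eq 4 -or $code -eq 6 -or $code -eq 8) { $findings += 'falls back to other protocols on failure' }
    $summary = if ($findings) { $findings -join '; ' } else { 'OK' }
    New-Object PSObject -Property @{
        Name     = $entry['Name']
        Strategy = $strategy[$code]
        Findings = $summary
    }
}

$entries = Get-VpnEntries ($samplePbk -split "`r?`n")
$entries | ForEach-Object { Test-VpnEntry $_ } | Format-Table Name, Strategy, Findings -AutoSize
```

On the sample, Corp-IKEv2 comes back OK, Legacy-Remote is flagged for PPTP, Travel is flagged because "Automatic" can negotiate down to PPTP, and Office-Dialup is ignored as a non-VPN entry. A per-user phone book lives under the path in the comment; connections created for all users are in the same relative path under C:\ProgramData.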
Remote Connections Part 2
  NAP (Network Access Protection)
    Checks firewall, virus/spyware protection, automatic updates, security updates
    Users not matching the policy get a timeout (remediation network)
      On the remediation network, they should be able to download whatever they need
      Once all updates/patches have been applied, they are allowed back on to the network
    Smaller organizations may not have the resources
  Enable security auditing ← View logons in Event Viewer/Security Log
  Remote Desktop:
    Remote Desktop Gateway Server (formerly known as Terminal Services Gateway)
    RemoteApp ← Run applications remotely, looks like it’s running locally
    RDP files = RemoteApp executables. Created on server. Place on client desktop.
Section 7: Monitoring and Maintaining Windows 7
Updating Windows 7
  Most updates can be automated
  Windows Update works in conjunction with Windows Update Service
    Can point everyone to a local Windows Update Service server: faster, saves bandwidth
  wuauclt /detectnow ← Check for new updates manually
  Windows Update Categories:
    Important Updates ← Security updates
    Recommended Updates ← Not as critical, but still useful. Patches/OS updates.
    Optional updates ← Driver updates, new languages... etc.
  Install Updates Automatically is recommended (will install Important updates)
  Can hide updates; won’t be asked to update it again. Must be admin.
  View update history
  Can uninstall updates from Control Panel > Programs and Features
  If IE has the correct proxy settings that you want to use for Windows Update: netsh winhttp import proxy source=ie
  Can manually install updates via .msu files (standard users can do this as well): wusa.exe C:\
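The detection that wuauclt /detectnow triggers can also be driven from a script, which is the practical way to find out how many Important updates a machine is missing without opening Control Panel. This is an added example (not from these notes) using the Windows Update Agent COM API; it assumes the machine already has its WSUS or proxy settings in place (the netsh winhttp step above) and can reach the update source, and the search may take several minutes. The .msu filename at the end is a constructed placeholder.

```powershell
# Added example (not from these notes): list updates not yet installed via the Windows Update
# Agent COM API, then show the wusa form for installing a single downloaded .msu.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
# WUA search criteria: not installed and not hidden by an administrator
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

$rows = foreach ($u in $result.Updates) {
    # AutoSelectOnWebSites=true is what the Windows Update UI files under "Important";
    # MsrcSeverity is only set on security updates (Critical/Important/Moderate/Low)
    New-Object PSObject -Property @{
        Category   = $(if ($u.AutoSelectOnWebSites) { 'Important' } else { 'Recommended/Optional' })
        Severity   = $(if ($u.MsrcSeverity) { $u.MsrcSeverity } else { '-' })
        KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Downloaded = $u.IsDownloaded
        Title      = $u.Title
    }
}
$rows | Sort-Object Category, Severity | Format-Table Category, Severity, KB, Downloaded, Title -AutoSize
'{0} update(s) pending, {1} of them Important' -f @($rows).Count,
    @($rows | Where-Object { $_.Category -eq 'Important' }).Count

# Recently installed updates, for cross-checking the list above against update history
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, Description, InstalledOn

# Manual install of a downloaded package (constructed filename); /quiet /norestart for scripting
# wusa.exe C:\Updates\Windows6.1-KBnnnnnnn-x64.msu /quiet /norestart
```

The Important count is the number to track: a machine pointed at a WSUS server that has not approved anything will report zero pending updates here even when it is months behind, so the figure is only meaningful together with a check that the update source itself is current.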
Managing Disks
  MBR (Master Boot Record) ← Four partitions per disk, 2TB disk size maximum
  GPT (GUID Partition Table) ← 128 partitions, Max 256 TB disk size
  Convert using diskpart ← Diskpart … convert gpt
  Computer Management > Disk Management
  Basic disks ← MBR partitioned only
  Dynamic disks ← GPT or MBR. Logical Disk Manager (LDM) instead of an MBR
    LDM is replicated to other dynamic disks
  Moving disks between computers
    Basic disks are independent, can be moved with no problem
    Dynamic disks are aware of each other, so should be moved together
    Need to uninstall the disk in Disk Manager before moving; for dynamic disks, Remove Disk
    In new computer, Disk Management > Rescan Disks
  Dynamic Disk Advantages:
    Spanned volumes ← Many disks look like one big drive in Windows
    RAID in Windows 7 (software RAID)
      RAID 0 Striping ← Split single file across multiple drives
      RAID 1 Mirroring ← Keeps copy of all data on another disk
      Only available in Professional, Ultimate, and Enterprise
      Right-click > Create new Striped Volume, select disks you want
Disk Tools
  Run defrag from command prompt ← defrag C:
    Must be run by an admin from an elevated prompt
  Removable device policies: Comp Config\Admin Templates\System\Removable Storage Access
    Changes made require a restart
Monitoring Windows 7
  Event Viewer: Control Panel > Administrative Tools
    View log information ← Application, security, setup, system, forwarded events
    Can create custom views (filter by type, severity... etc.)
  Event Subscriptions: Centralize event logs on a collector computer (needs a lot of disk space)
    Collector-initiated subscriptions don’t scale well. Clients always listening.
    Source-initiated subscriptions are best for large environments
      Collector is always listening, source computers send logs
    winrm quickconfig on all client machines
    Add collector computer to the “Event Log Readers” group in Local GP
    wecutil quick-config on the collector computer to run the Windows Event Collector
    wecutil create-subscription subscription.xml ← Create a subscription
    Subscriptions are easy to create in the Event Viewer (on collector)
    On source computer, point to the collector under Event Forwarding in local GP.
  Performance Monitor:
    perfmon /report ← System diagnostics report
    Data collector sets save long-term data to disk for later analysis (graphs)
  Application Event Log to look at application errors
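Once security auditing is enabled (see Remote Connections Part 2) and logons are being forwarded to a collector as described above, the question is what to look at in the collected Security events. The following is an added example (not from these notes) that summarises failed logons (event 4625) per account and source address over a time window, reading the local Security log or, on a collector, the ForwardedEvents log. It assumes an elevated PowerShell on Windows 7 and that "Audit logon events" is turned on; the threshold and window are arbitrary constructed values, and the output is whatever the log holds.

```powershell
# Added example (not from these notes): summarise failed logons (Security event 4625).
$LogName   = 'Security'     # on a collector use 'ForwardedEvents'
$Hours     = 24             # constructed window
$Threshold = 10             # constructed: failures per account that earn a WARN mark

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4625; StartTime = $since } `
            -ErrorAction SilentlyContinue
if (-not $events) {
    "No 4625 events in the last $Hours hours in $LogName (is Audit logon events enabled?)"
    return
}

# Read named fields from the event XML instead of relying on positional Properties indexes
function Get-EventField([xml]$xml, [string]$name) {
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
}

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        Account   = '{0}\{1}' -f (Get-EventField $x 'TargetDomainName'), (Get-EventField $x 'TargetUserName')
        LogonType = Get-EventField $x 'LogonType'     # 2 console, 3 network, 10 Remote Desktop
        Source    = Get-EventField $x 'IpAddress'
        Station   = Get-EventField $x 'WorkstationName'
        SubStatus = Get-EventField $x 'SubStatus'     # 0xC000006A bad password, 0xC0000064 no such user
        Computer  = $e.MachineName                    # the source machine when read from ForwardedEvents
    }
}

# One line per account, most failures first; WARN marks accounts over the threshold
$rows | Group-Object Account | Sort-Object Count -Descending | ForEach-Object {
    $sources  = ($_.Group | Select-Object -ExpandProperty Source -Unique) -join ', '
    $machines = ($_.Group | Select-Object -ExpandProperty Computer -Unique) -join ', '
    $flag = if ($_.Count -ge $Threshold) { 'WARN' } else { '    ' }
    '{0} {1,5} failures  {2,-28} from {3}  on {4}' -f $flag, $_.Count, $_.Name, $sources, $machines
}
```

Grouping by account rather than by source is deliberate: a spread of failures for one account across many source addresses is as much worth a look as many failures from one address, and the SubStatus field separates typos (bad password for a real account) from guesses at accounts that do not exist.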
Performance Settings Part 1
  Page file = Virtual Memory
  Hard-drive write caching is always enabled by default
    Windows write-cache buffer flushing in case of power outages
  USB drive write caching is disabled by default to avoid data loss
  Configure drives’ caching in Device Manager > Properties > Policies tab
  Configure network performance under Internet Properties > Advanced tab
  Task Manager > Set Affinity = assign an application to a particular CPU
Performance Settings Part 2 All obvious stuff
Section 8: Backup and Recovery Options
Windows 7 Backup
  Control Panel > Backup and Restore
  Shadow Copy keeps backups of previous versions of files
  Does not back up system files, profiles, recycle bin, or temp files by default
    Can tell Windows to explicitly back those up as well
  Back up entire volume to a VHD (system image)
    Could copy the VHD to another computer and tell Windows to boot from it
    Ultimate and Enterprise only
  Must back up to an NTFS partition
  Initiate from the command line: wbadmin start backup -backupTarget:d: -include:c: -quiet
    Or schedule within Task Scheduler
  Allowed backup locations: CD-R, DVD-R, HDD, network location (Professional and up)
    No tape drives or flash drives
  Backup structure for files and folders:
    Folder with computer name, multiple zip files for versions
    GlobalCatalog.wbcat as catalog of all file locations within the backup
  System Image Backup: Stored in \WindowsImageBackup
    Only one system image, updated each time
Windows 7 System Recovery Options
  System Restore: Restore points are created automatically, but can also create them manually
    System restore when booted or from System Recovery (F8)
    System Properties > System Protection tab
    Use System Recovery to restore if a driver update prevents you from booting
  Last Known Good Configuration: Useful if boot is caught in a loop
    Each time you log in, LKGC is saved. Only log in if everything is okay!
  Complete Restore: Recover entire system using recovery image
    Boot from Windows Installation media ← Repair Your Computer
Windows 7 File Recovery Options
  Backup and Restore or Shadow Copy
  Can go into backup folder and pull from compressed ZIP files
  Shadow copy, created during a restore point: Right-click > Restore previous versions
    If a file was moved or renamed, you can restore the previous version of the folder
    Replacing with Previous Version cannot be undone