70-680 Notes
45) Windows Vista Improvements
New Improved Desktop - Windows Aero
Windows Sidebar - Sidebar with gadgets
Improved Windows Firewall - Restricts OS resources if they are used in unusual ways
Parental Controls - Set specific sites and set times for specific users
User Access Control (UAC) - Security feature that allows standard users to perform administrator functions through a credential prompt
Windows Search - Search files or applications quickly from anywhere in Vista. Real-time search
Live Icons - With Windows Aero, you can preview applications by hovering over them with your mouse
Windows 7 Improvements
Windows 7 Editions: Starter, Home Basic, Home Premium, Professional, Enterprise, Ultimate
Windows 7 Taskbar - Pin applications to the taskbar; no Quick Launch
Jump Lists - Right-click Word and go to Recent Documents; right-click the taskbar icon
New Preview Pane - Preview text, music, picture, HTML, video, Office (with Office) and PDF (with Adobe) files
Windows Touch - Support for touch screens
Windows XP Mode - Windows XP in Virtual PC to run XP applications
Simple Home Networking (HomeGroups) - HomeGroups are just an easier way to set up a network. All versions are supported, but Starter and Home Basic can't create HomeGroups
Device Stage - Shows a picture of a compatible connected device; supports Bluetooth and wireless devices as well
View Available Networks (VAN) - Shows the networks available (wireless as well) in the notification tray
Internet Explorer 8 - Faster and more efficient, with new search features, address bar, and favorites
Instant Search - Quickly access search requests without typing in the entire search criteria (uses browser history as well to narrow down the suggestions)
Accelerators - Shortcuts (search for an address and view the map next to the link)
Web Slices - Portions of a website that you can access without visiting the site itself
Aero Peek - Allows you to look at a window while other windows are transparent
Aero Snap - Allows you to snap windows side by side
Aero Shake - Shake a window and all other windows minimize
AppLocker - Prevents unauthorized software from running via policy
x86 (32-bit) vs. x64 (64-bit)
32-bit
o Processor supports up to 4GB RAM (Starter: 2GB)
64-bit
o Processor supports up to 16 exabytes of RAM
o Professional, Enterprise, Ultimate: 192GB
o Home Premium: 16GB
o Home Basic: 8GB
o Starter: not supported in x64
Windows 7 Upgrade Paths
Vista requires SP1 before upgrading to Windows 7
Vista Business => 7 Professional, Enterprise, Ultimate
Vista Enterprise => 7 Enterprise
Vista Home Basic => 7 Home Basic, Home Premium, Ultimate
Vista Home Premium => 7 Home Premium, Ultimate
Vista Ultimate => 7 Ultimate
7 Home Basic => 7 Home Premium, Professional, Ultimate
7 Home Premium => 7 Professional, Ultimate
7 Professional => 7 Ultimate
7 Starter => 7 Home Premium, Professional, Ultimate
Disk Space Partitioning
The System Partition
o The system partition and the boot partition can be on the same partition
o The system partition contains the files needed to boot the Windows 7 operating system
o The system partition contains the Master Boot Record (MBR) and boot sector
The Boot Partition
o The boot partition contains the Windows 7 operating system files. By default, the Windows operating system files are located in a folder named Windows
o The partition must be marked as Active to boot
Primary Partition
o A hard drive can have up to 4 primary partitions, or 3 primary partitions with one extended partition
Extended Partition
o Storage volumes on an extended partition cannot be used to start the operating system
Performing a Clean Install of Windows 7
Collect Information - Windows 7 gathers your local time, location, keyboard, license agreement, installation type, and installation disk partition
Install Windows - This is where the installation copies the Windows 7 files to the hard disk and the installation is completed. This is the longest phase
Set up Windows - In this phase you set up your username, computer name, password, product key, and security settings, along with reviewing the date and time
Troubleshooting with Installation Log Files
The action log includes all of the actions that were performed during the setup process and a description of each action. These actions are listed in chronological order. The action log is stored as \Windows\setupact.log
The error log includes any errors that occurred during the installation. For each error, there is a description and an indication of the severity of the error. The error log is stored as \Windows\setuperr.log
Creating a bootable USB
Connect the USB device and open a command prompt, then run diskpart:
> list disk (identify the USB device)
> select disk X (where X is the number that represents the USB device)
> clean
> create partition primary (optionally size=<size in MB>)
> select partition 1 (the partition number)
> format fs=fat32 quick
> active (MUST do)
> exit
Copy the contents of the Windows 7 installation DVD to the USB device
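The same diskpart sequence driven from a script, as an added example that is not part of the original notes. Because "clean" wipes every partition on whatever disk number is selected, the function first checks through WMI that the chosen disk is actually attached over USB before building the diskpart script; it assumes Windows 7 with PowerShell 2.0, an elevated prompt, and the placeholder DVD drive letter and target letter given in the parameters.

```powershell
function New-BootableUsb {
    param(
        [Parameter(Mandatory=$true)][int]$DiskNumber,   # number shown by "list disk"
        [string]$DvdDrive  = 'D:',                       # placeholder: mounted Windows 7 DVD
        [string]$UsbLetter = 'U'                         # placeholder: letter to assign to the USB
    )

    # Win32_DiskDrive.Index is the same disk number diskpart shows in "list disk".
    $disk = Get-WmiObject Win32_DiskDrive | Where-Object { $_.Index -eq $DiskNumber }
    if (-not $disk) { throw "Disk $DiskNumber not found" }
    if ($disk.InterfaceType -ne 'USB') {
        # Refuse to run "clean" against an IDE/SCSI (i.e. internal) disk.
        throw "Disk $DiskNumber is '$($disk.InterfaceType)', not USB: refusing to clean it"
    }
    $sizeGB = [math]::Round($disk.Size / 1GB, 1)
    Write-Host "Target: disk $DiskNumber '$($disk.Model)' ($sizeGB GB) on USB"

    # Same commands as the notes (clean, primary partition, FAT32, active), fed to
    # diskpart as a script file; "assign letter" is added so the copy step has a path.
    $script = @"
select disk $DiskNumber
clean
create partition primary
select partition 1
format fs=fat32 quick
active
assign letter=$UsbLetter
exit
"@
    $scriptPath = Join-Path $env:TEMP 'make-usb.txt'
    Set-Content -Path $scriptPath -Value $script -Encoding ASCII
    & diskpart.exe /s $scriptPath
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

    # Copy the installation DVD onto the freshly formatted device.
    # /E copies subfolders; /R:2 /W:5 keep a bad disc from retrying forever.
    & robocopy.exe "$DvdDrive\" "${UsbLetter}:\" /E /R:2 /W:5 | Out-Null
    # robocopy exit codes below 8 are success/informational; 8 and above mean failures.
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit $LASTEXITCODE)" }
    return "${UsbLetter}:"
}

# Example call (placeholder disk number; check "list disk" first):
# New-BootableUsb -DiskNumber 2 -DvdDrive 'D:' -UsbLetter 'U'
```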
User State Migration Tool (USMT) (downloadable with WAIK)
ScanState.exe (source computer) - Collects user data and settings information based on the configuration of the Migapp.xml, Migsys.xml, and Miguser.xml files and stores it as an image file (Documents, Videos, Music, Pictures, Desktop, Start Menu, Quick Launch Toolbar, IE Favorites, ACLs)
LoadState.exe (destination computer) - Deposits the collected information on a computer running a fresh copy of Windows 7
ScanState & LoadState Commands
o /config - Specifies the Config.xml file that should be used
o /encrypt - Encrypts the store (ScanState.exe only)
o /decrypt - Decrypts the store (LoadState.exe only)
o /nocompress - Disables data compression
o /genconfig - Generates a Config.xml file but does not create a store
o /targetxp - Optimizes ScanState for use with Windows XP
o /all - Migrates all users
o /ue - User exclude: excludes the specified user
o /i - Include: includes the specified user
o /uel - Excludes users based on last login time
o /o - Overwrites any existing data in the store
o /v verboselevel - Sets the verbosity level of the log file on a scale of 0-13, with 0 being the least verbose
USMT will not migrate hardware settings, drivers, passwords, application binaries, synchronization files, DLL files, or other executable files
Windows Easy Transfer (migsetup.exe, located in DVD\Support\Migwiz\)
o To use with XP, XP must have Service Pack 2
o Transfers user accounts, folders and files, program settings, Internet settings, favorites, e-mails, contacts and settings
o Transfer methods include Easy Transfer Cable (USB cable), CD/DVD, network share, removable USB, direct network connection
o Located in All Programs > Accessories > System Tools > Windows Easy Transfer (Windows 7 only)
o Windows Easy Transfer will not transfer encrypted files; they must be decrypted first or Windows Easy Transfer will stop
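The ScanState/LoadState pair with the store encrypted, as an added example that is not part of the original notes: a migration store holds users' documents and settings, so it should not sit readable on a share. It assumes USMT 4.0 from the WAIK at the placeholder path $UsmtDir, PowerShell 2.0 on both computers, an elevated prompt, and that the key file is carried to the destination separately from the store; /nocompress is left out because USMT does not allow it together with /encrypt.

```powershell
$UsmtDir = 'C:\Program Files\Windows AIK\Tools\USMT\x86'   # placeholder USMT folder
$Store   = '\\fileserver\migration\PC01'                    # placeholder store share
$KeyFile = 'C:\ProgramData\usmt.key'                        # placeholder key file

function New-UsmtKeyFile {
    # 32 random bytes, hex-encoded, written to a file readable only by Administrators/SYSTEM.
    param([string]$Path)
    $bytes = New-Object byte[] 32
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($bytes)
    $hex = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
    Set-Content -Path $Path -Value $hex -Encoding ASCII
    & icacls.exe $Path /inheritance:r /grant:r 'Administrators:F' 'SYSTEM:F' | Out-Null
    return $Path
}

function Invoke-ScanState {
    # Source computer: capture every user except local accounts (/ue with the
    # computer name), overwrite any old store (/o), encrypt with the key file,
    # and log at a moderate verbosity. /i here names the migration XML files.
    param([string]$Store, [string]$KeyFile)
    $cmdArgs = @(
        $Store,
        "/i:${UsmtDir}\MigApp.xml", "/i:${UsmtDir}\MigUser.xml",
        "/ue:${env:COMPUTERNAME}\*",
        '/o', '/encrypt', "/keyfile:$KeyFile",
        '/v:5', '/l:scanstate.log'
    )
    & "${UsmtDir}\scanstate.exe" @cmdArgs
    return $LASTEXITCODE   # 0 = success; anything else, read scanstate.log
}

function Invoke-LoadState {
    # Destination computer (fresh Windows 7): decrypt the store with the same key file.
    param([string]$Store, [string]$KeyFile)
    $cmdArgs = @(
        $Store,
        "/i:${UsmtDir}\MigApp.xml", "/i:${UsmtDir}\MigUser.xml",
        '/decrypt', "/keyfile:$KeyFile",
        '/v:5', '/l:loadstate.log'
    )
    & "${UsmtDir}\loadstate.exe" @cmdArgs
    return $LASTEXITCODE
}

# Source side:
#   New-UsmtKeyFile -Path $KeyFile
#   Invoke-ScanState -Store $Store -KeyFile $KeyFile
# Destination side (after copying usmt.key out-of-band, never inside the store share):
#   Invoke-LoadState -Store $Store -KeyFile $KeyFile
```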
Multiboot/Dual-Boot Support
Only Windows NT4 (with SP4) and up can recognize NTFS file systems
To dual boot with Windows 9x, disk compression must be turned off
Windows 7 encrypted files will not show on Windows NT4
The Bcdedit utility is used to edit boot options in the BCD store
BCDEDIT Commands
o /default - Specifies which operating system will start when the timeout expires
o /displayorder - Sets the order in which the boot manager lists the operating systems to the user
o /timeout - Specifies the amount of time the boot menu waits before starting the default entry
Network Access Protection (NAP)
NAP is a compliance checking platform that is included with Windows Server 2008, Windows Vista, Windows 7, and Windows XP with SP3
Chapter 2 (pg. 104)
Choosing Automated Deployment Options
Microsoft Deployment Toolkit (MDT) 2010
o Administrative tools that allow for deployment of desktops and servers through the use of a common console
o Zero Touch Installation (ZTI) - Requires no user intervention, but requires that Microsoft System Center Configuration Manager (SCCM) 2007 with the OS Deployment Feature Pack is available on the network; also requires SQL Server
o Lite Touch Installation (LTI) - Lets you distribute images with a small degree of user intervention and can be used when no other distribution tools are in place
o To deploy Windows 7 or Server 2008, SCCM 2007 SP2 is required
o To deploy previous versions, SCCM 2007 SP1 will work but cannot use Deployment Workbench to maintain the MDT database; SP2 preferred
Thick image - Includes applications and Windows updates right in the system image
Thin image - Minimal system image, often operating system only
o Applications and updates are installed either manually or through the use of some other software management system such as SCCM 2007
Hybrid image - Combination of thin and thick image types
Unattended installation
o Unattended installations utilize an answer file called Autounattend.xml
o You can use the Windows 7 DVD with an answer file on the root of the DVD, a floppy disk, or a USB drive
o To automate batch files, scripts, programs and commands after deployment, use the GuiRunOnce section in Sysprep.inf. The files must be saved in the same folder as Sysprep.inf
Windows Automated Installation Kit (WAIK)
Centrally manage volume activations by using the Volume Activation Management Tool (VAMT)
o Can only be installed on Windows Vista with SP1 and up
Microsoft Deployment Toolkit - Allows an administrator to easily deploy and configure Windows operating systems and images
Application Compatibility Toolkit - Helps administrators solve issues where applications that ran on previous versions may not work properly
o Application Compatibility Manager - A SQL Server-based tool that collects application information from existing computers
o Compatibility Administrator - A set of application compatibility fixes that have already been verified to allow applications to work under Windows 7
o IE Compatibility Test Tool - Tests website compatibility with IE8
o Setup Analysis Tool - Monitors application installers to test compatibility
o Standard User Analyzer - Determines if an app will have problems with UAC
Microsoft Assessment and Planning (MAP) Toolkit - Locates computers on a network and then performs a thorough inventory of them
System Preparation Tool (Sysprep.exe)
o Used to prepare a computer for disk imaging; the disk image can then be captured using ImageX, a new imaging management tool included in Windows 7
o Strips away the security identifier (SID), event logs, and any other unique system information
o Located in the %windir%\System32\sysprep directory
o Activation can be reset an unlimited number of times for Key Management Service (KMS) clients, and only up to 3 times on a non-activated KMS client
o Must be part of a workgroup, not a domain. If joined, Sysprep will remove the computer from the domain
o If files are encrypted, Sysprep will make the files unreadable and corrupt
Sysprep Commands
o /pnp - Forces a mini-setup wizard to start at reboot so that all Plug and Play devices can be recognized
o /generalize - Allows Sysprep to remove all system-specific data from the Sysprep image. If you're running the GUI version of Sysprep, this is a check box option
o /oobe - Initiates the Windows Welcome screen at the next reboot
o /audit - Initiates Sysprep in Audit mode
o /reboot - Stops and restarts the computer
o /quit - Closes Sysprep after the specified commands complete
o /quiet - Runs without any confirmation dialog messages being displayed
o /unattend:answerfile - Applies settings in an answer file to Windows during unattended installation
Configuration passes
o auditSystem - Adds additional device drivers, specifies firewall settings, and applies a name to the system when the image is booted into Audit mode
o auditUser - Processes unattended setup settings after a user logs on to the computer in Audit mode
o windowsPE - Configures Windows PE options and basic Windows Setup options
o offlineServicing - Specifies language packs and packages to apply to an image prior to the image being extracted to the hard disk
o oobeSystem - Specifies settings to apply to the computer on the first boot
o specialize - Configures specific settings for the target computer, such as network settings
Log File Locations
o Generalize pass - %WINDIR%\System32\Sysprep\Panther
o Specialize pass - %WINDIR%\Panther
o Unattended Windows setup actions - %WINDIR%\Panther\Unattend
Windows System Image Manager
o You can validate existing answer files against newly created images
o You can include additional applications and device drivers in the answer file
o You can create and edit answer files through a GUI
o Answer files must have the name Autounattend.xml
Using the Windows Preinstallation Environment
Windows PE - Sets the Windows PE-specific configuration settings, as well as several setup settings such as partitioning, formatting the hard disk, selecting an image, and applying a product key
Typically, you use the copype.cmd script in C:\Program Files\Windows AIK\Tools\PETools to create the local Windows PE build directory. Then you use the Oscdimg Windows AIK tool in the same subdirectory to create an ISO image of Windows PE 3.0. You use this image to create a bootable DVD of Windows PE
Creating a bootable Windows PE Image
1. cd C:\Program Files\Windows AIK\Tools\PETools\
2. copype.cmd <x86 or x64> <destination, such as C:\winpe_x86>
3. C:\winpe_x86> copy winpe.wim ISO\sources\boot.wim
4. C:\winpe_x86> copy "C:\Program Files\Windows AIK\Tools\x86\imagex.exe" C:\winpe_x86\ISO
5. C:\winpe_x86> oscdimg -n -bC:\winpe_x86\etfsboot.com C:\winpe_x86\ISO C:\winpe_x86\winpe_x86.iso
6. Once booted into Windows PE and logged on, type net start to do any network deployment installation
ImageX
ImageX is a command-line tool that enables OEMs and corporations to capture, modify, and apply file-based disk images for rapid deployment
ImageX is run from WinPE
Wimscript.ini is used to exclude specified files and folders when capturing an image. For ImageX to detect Wimscript.ini, it must be saved in the same folder as ImageX
Commands
o ImageX /capture <FROM image path> <TO image path & file name> <description> (/compress fast, /verify)
o ImageX /apply <image file name> <image path>
o ImageX /cleanup - Deletes all resources associated with a mounted image that has been abandoned. Does not unmount mounted images or delete images
o ImageX /delete <image file name>
Windows Deployment Services (WDS)
Updated version of Remote Installation Services (RIS)
The AutoAdd policy makes administrative approval required before clients that are not prestaged can receive an install image
Must be configured with the Preboot Execution Environment (PXE) boot files, the images to be deployed, and the answer files
Must be part of a network with AD, DNS, and DHCP
Supported on Windows Server 2003 and 2008
Requires one NTFS partition
Install image - Operating system image that you deploy to the client computer
Boot image - Windows PE image into which you boot a client before you load the install image
The WDSUTIL command-line tool can prestage a client computer
WDSUTIL commands
o Enter WDSUTIL /New-CaptureImage /Image:<source boot image name> /Architecture:{x86|ia64|x64} /DestinationImage /FilePath:<file path>, where <file path> is the path and name for the capture image
o Enter WDSUTIL /Verbose /Progress /Add-Image /ImageFile:<path> /ImageType:Boot, where <path> is a full path to the image file
o Enter WDSUTIL /New-DiscoverImage /Image:<name> /Architecture:{x86|x64|ia64} /DestinationImage /FilePath:<path and name to new file>. To specify which server the discover image connects to, append /WDSServer:<server name or IP>
o If you need to create an image group, enter WDSUTIL /Add-ImageGroup /ImageGroup:<image group name>
o Enter WDSUTIL /Verbose /Progress /Add-Image /ImageFile:<path to .wim file> /ImageType:Install
o /convert-riprepimage - Converts Remote Installation Preparation (RIPrep) images to WIM images
o /initialize-server - Initializes the configuration of the WDS server
o /uninitialize-server - Undoes any changes made during the initialization of the WDS server
o /add - Adds images and devices to the WDS server
o /remove - Removes images from the server
o /set - Sets information in images, image groups, WDS servers, and WDS devices
o /get - Gets information from images, image groups, WDS servers, and WDS devices
o /new - Creates new capture images or discover images
o /copy-image - Copies images from the image store
o /export-image - Exports images contained within the image store to WIM files
o /start - Starts WDS services
o /stop - Stops WDS services
o /disable - Disables WDS services
o /enable - Enables WDS services
o /approve-autoadddevices - Approves AutoAdd devices
o /reject-autoadddevices - Rejects AutoAdd devices
o /delete-autoadddevices - Deletes records from the AutoAdd database
o /update - Uses a known good resource to update a server resource
Deployment Image Servicing and Management Tool (DISM)
o Configures and edits images: enable or disable Windows features, upgrade an image to another Windows edition, add, remove and enumerate packages/drivers, configure international settings, and use its logging features
o Supports Windows Vista with SP1 and up
DISM Commands
o /Mount-Wim - Mounts the WIM file so that it is available for servicing (/WimFile:<image_name> /Name:<description> /MountDir:C:\folder)
o /Commit-Wim - Applies the changes you made to the mounted image (/MountDir:<path_to_mount_directory>)
o /Remount-Wim - Recovers an orphaned WIM mount directory (/MountDir:<path_to_mount_directory>)
o /Cleanup-Wim - Deletes all resources associated with a mounted WIM that has been abandoned
o /Get-WimInfo - Displays information about the images within the WIM (/WimFile:<image_name>)
o /Get-MountedWimInfo - Lists the images that are currently mounted and information about the mounted images
o /Add-Driver - Adds a driver to the specified image (dism /image:C:\test\offline /add-driver /driver:C:\driver.inf, or /driver:C:\drivers /recurse; /forceunsigned allows unsigned drivers to be added)
o /Get-Packages - Lists the packages in the WIM (dism /image:C:\test\offline /get-packages)
o /Remove-Package - Removes a package from the image
o /Remove-Driver - Removes the specified driver from the image
o /Apply-Unattend - Applies an unattended answer file such as Autounattend.xml to the image (/apply-unattend:C:\answerfile.xml)
o /Add-Package /PackagePath (.cab or .msu file) - Adds a package to the mounted image (/add-package /packagepath:C:\Test.cab)
o /Get-FeatureInfo /FeatureName - Gets information about the specified feature
o /Enable-Feature or /Disable-Feature - Enables or disables the specified feature
o /Get-TargetEditions - Use this to find out which higher editions you can set the edition to
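The mount, add-driver, add-package, get-packages and commit sequence from the DISM commands above, wrapped so that a failure part-way through discards the mount instead of committing a half-serviced image. This is an added example, not code from the notes or from Microsoft; it assumes the Windows 7 WAIK DISM, an elevated PowerShell 2.0 prompt, and the placeholder WIM, mount, driver and package paths declared at the top.

```powershell
$Wim      = 'C:\images\install.wim'   # placeholder path to the WIM being serviced
$MountDir = 'C:\test\offline'         # placeholder mount directory, as in the notes
$Drivers  = 'C:\drivers'              # placeholder folder of signed .inf drivers
$Package  = 'C:\updates\Test.cab'     # placeholder package, as in the notes
$Index    = 1                         # image index inside the WIM (/Name:<name> also works)

function Invoke-Dism {
    # Runs one DISM command and turns a non-zero exit code into an exception.
    param([string[]]$ArgList)
    & dism.exe @ArgList | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dism $($ArgList -join ' ') failed ($LASTEXITCODE); see %WINDIR%\Logs\DISM\dism.log"
    }
}

function Update-OfflineImage {
    param([string]$Wim, [int]$Index, [string]$MountDir, [string]$Drivers, [string]$Package)
    # Show which indexes the WIM holds before touching it.
    & dism.exe /Get-WimInfo "/WimFile:$Wim"
    Invoke-Dism @('/Mount-Wim', "/WimFile:$Wim", "/Index:$Index", "/MountDir:$MountDir")
    $committed = $false
    try {
        # /Recurse walks subfolders. /ForceUnsigned is deliberately NOT passed, so a
        # driver that fails signature verification is rejected instead of injected.
        Invoke-Dism @("/Image:$MountDir", '/Add-Driver', "/Driver:$Drivers", '/Recurse')
        Invoke-Dism @("/Image:$MountDir", '/Add-Package', "/PackagePath:$Package")
        # Read the package list back to confirm the update actually landed in the image.
        $pkgs = & dism.exe "/Image:$MountDir" /Get-Packages |
                Where-Object { $_ -like 'Package Identity*' }
        # Unmount with /Commit writes the changes back into the WIM.
        Invoke-Dism @('/Unmount-Wim', "/MountDir:$MountDir", '/Commit')
        $committed = $true
        return $pkgs
    } finally {
        if (-not $committed) {
            Write-Warning 'Servicing failed; discarding the mount so the WIM is untouched'
            & dism.exe /Unmount-Wim "/MountDir:$MountDir" /Discard | Out-Null
        }
    }
}

Update-OfflineImage -Wim $Wim -Index $Index -MountDir $MountDir -Drivers $Drivers -Package $Package
```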
Microsoft Assessment and Planning (MAP) Toolkit
MAP is a utility that will locate computers on the network and then perform a thorough inventory of them. MAP uses Windows Management Instrumentation (WMI), the Remote Registry Service, and the Simple Network Management Protocol (SNMP)
Advises you of any available upgrades for hardware and drivers
Supports Windows XP Professional, Windows Vista with SP1 and up
Requires SQL Server 2005 Express Edition and Microsoft Word/Excel 2003 with SP2 or 2007
Chapter 3 (pg. 150)
File Systems
NTFS
o NTFS can have a volume size up to 16TB with 4KB clusters or 256TB with 64KB clusters
o Windows 2K uses NTFS 3.0
o Windows XP, Vista, 7, and Server 2003 use NTFS 3.1
FAT32
o FAT32 can have a volume size up to 32GB and does not support local security, encryption, disk quotas, or compression
o All Windows editions can detect FAT32
o Maximum file size is just under 4GB
o Maximum volume size is 32GB
Dynamic disk
o Supported by Windows 2K, XP, Vista, 7, Server 2003, and Server 2008 and allows storage to be configured as volumes
o Supports up to 2K dynamic volumes per disk
o Speed improved by striping across multiple disks
o Reliability improved by mirroring data across multiple disks
Simple Volume
o Nothing but a single volume on a dynamic disk
Spanned Volume
o Consists of disk space on two or more dynamic drives, up to 32 dynamic drives
o Data is written sequentially, filling space on one physical drive at a time
o You do not need to allocate the same amount of space on each drive
o No performance increase
o If one disk fails, the whole volume is lost
Striped Volume (RAID 0)
o Stores data in equal stripes across two or more (up to 32) dynamic drives
o Used by administrators who want to combine the space of several physical drives into a single logical drive and increase disk performance
o If one drive fails, the entire striped volume is lost
o Consists of space from two or more dynamic drives
GUID Partition Table (GPT)
o The GPT disk partitioning system uses the GUID Partition Table to configure the disk
o The GPT header and partition table are written to both the front and the back of the disk for better redundancy
o Allows a volume size larger than 2TB (256TB max) and up to 128 partitions
o Includes a Cyclic Redundancy Check (CRC) for greater reliability
o A drive can only be converted to GPT if the disk is empty and unpartitioned
Using the Disk Management Utility
The MMC console contains three panes: a console tree on the left, a details pane in the middle, and an optional Actions pane on the right. The three MMC modes are:
User Author Mode - Full Access
o Gives the user full access to window management commands, but they cannot add or remove snap-ins or change console properties
User Mode - Limited Access, Multiple Window
o Allows users to create new windows but not close any existing windows. Users can access only the areas of the console tree that were visible when the console was last saved
User Mode - Limited Access, Single Window
o Allows users to access only the areas of the console tree that were visible when the console was last saved, and they cannot create new windows
Managing Administrative Hard Disk Tasks
o View disk properties, view volume and local disk properties, add a new disk, create partitions and volumes, upgrade a basic disk to a dynamic disk, change a drive letter and path, delete partitions and volumes
On a dynamic disk, you manage volume properties. On a basic disk, you manage partition properties. In volume/disk properties, the Security and Quotas tabs only appear on NTFS volumes. The Previous Versions tab comes from System Restore
Only Administrators can install a new drive
Any basic partition can be converted to a dynamic disk, but only formatted space can be converted to a GPT disk
Once a volume is extended, no portion of the volume can be deleted without losing data on the entire set, but you can shrink it
Disk Management Status Codes
o Online - Indicates that the disk is accessible and functioning properly (default)
o Online (Errors) - Used only with dynamic disks. Indicates that I/O errors have been detected. A possible fix is to right-click > Reactivate Disk, which will only work if the I/O errors were temporary
o Healthy - Specifies that the volume is accessible and functioning properly
o Healthy (At Risk) - Indicates that a dynamic volume is currently accessible but I/O errors have been detected on the underlying dynamic disk
o Offline or Missing - Used only with dynamic disks, indicating that the disk is not accessible. Causes are disk corruption or hardware failure. If the disk was originally Offline and then changed to Missing, the disk has become corrupted, powered down, or disconnected
o Unreadable - Can occur on dynamic or basic disks. Indicates the disk is inaccessible and might have encountered hardware errors, corruption, or I/O errors, or that the system disk configuration database is corrupted
o Failed - Basic or dynamic disks; specifies that the volume can't be started. Can be a damaged disk or a corrupted file system
o Unknown - Used with basic and dynamic disks if the boot sector for the volume is corrupted or no disk signature has been created for the volume
o Incomplete - Occurs when you move some, but not all, of the disks from a multi-disk volume
o Foreign - Occurs if you move a dynamic disk from another computer (any OS besides Windows 7) to a Windows 7 computer. It is caused because the configuration data is unique to the computer where the dynamic disk was created. Right-click > Import Foreign Disks
Disk Compression
If you copy or move a compressed folder or file to a FAT32 partition, Windows 7 automatically uncompresses the file or folder
The only way to cancel an NTFS conversion prior to reboot is to edit the registry setting under HKLM\System\CurrentControlSet\Control\SessionManager back to autocheck autochk *. Conversions cannot be reversed
Compact CLI Utility - Offers you more control over file and folder compression than Windows Explorer (such as with a batch script, or for files that only meet specific criteria)
o /c - Compresses the specified file or folder
o /u - Uncompresses the specified file or folder
o /s:dir - Specifies which folder should be compressed or uncompressed
o /a - Displays files with hidden or system attributes
o /i - Indicates that any errors should be ignored
o /f - Forces a file to be compressed
o /q - Used with reporting, to report only essential information
o /? - Displays help
Encrypted File System (EFS)
For Windows 7 computers that are part of a Windows Server 2008 AD domain, the domain administrator user account is automatically assigned the role of Data Recovery Agent (DRA)
For Windows 7 computers that are installed as standalone computers, or if the computer is part of a workgroup, no default DRA is assigned and all access to the files will be lost
To begin, create a recovery agent and assign it a password using the commands below. Then import the certificate in Group Policy by navigating to the GPO and right-clicking Encrypting File System > Add Data Recovery Agent
Cipher <command> <filename>
o /E - Specifies that files or folders should be encrypted. Any files that are subsequently added to the folder will be encrypted
o /D - Specifies that files or folders should be decrypted. Any files that are subsequently added to the folder will not be encrypted
o /S:dir - Specifies that subfolders of the target folder should also be encrypted or decrypted based on the option specified
o /I - Causes any errors that occur to be ignored. By default, the Cipher utility stops whenever an error occurs
o /H - By default, files with hidden or system attributes are omitted from display. This option specifies that hidden and system files should be displayed
o /K - Creates a new certificate file and certificate key
o /R:recoveryagent - Generates a recovery agent key and certificate for use with EFS (the recovery agent only covers files encrypted AFTER it is applied)
o /X - Backs up the EFS certificate and key into the specified file name
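The recovery-agent steps from the Cipher list above carried through in a script, as an added example that is not part of the original notes: cipher /r creates the DRA certificate and key, the private key file is locked down to Administrators before it leaves the machine, the public certificate is checked for the File Recovery usage that Group Policy expects, and cipher /x backs up the logged-on user's own EFS key. It assumes Windows 7 with PowerShell 2.0, an elevated prompt, and the placeholder output paths below; both cipher commands prompt for a password.

```powershell
$DraBase  = 'C:\EFS-DRA\recoveryagent'   # placeholder; cipher appends .cer and .pfx
$UserBase = 'C:\EFS-DRA\mykey'           # placeholder; cipher appends .pfx

function New-EfsRecoveryAgent {
    param([string]$BasePath)
    $dir = Split-Path $BasePath -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # cipher /r:<base> writes <base>.cer (public) and <base>.pfx (private key).
    & cipher.exe "/r:$BasePath"
    if ($LASTEXITCODE -ne 0) { throw "cipher /r failed ($LASTEXITCODE)" }
    $pfx = "$BasePath.pfx"; $cer = "$BasePath.cer"
    # The .pfx can decrypt every file the agent covers: restrict it to Administrators
    # here, then move it to offline storage rather than leaving it on the workstation.
    & icacls.exe $pfx /inheritance:r /grant:r 'Administrators:F' | Out-Null
    # Sanity-check the public cert before importing it into Group Policy: it should carry
    # the File Recovery enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4.1).
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $isRecovery = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.4.1.311.10.3.4.1' }
    if (-not $isRecovery) { throw "$cer is not a File Recovery certificate" }
    # The .cer is what you add under Encrypting File System > Add Data Recovery Agent.
    return @{ Certificate = $cer; PrivateKey = $pfx; Thumbprint = $cert.Thumbprint }
}

function Backup-EfsUserKey {
    # cipher /x <base> exports the logged-on user's EFS certificate and private key to
    # <base>.pfx, so the user's files stay recoverable if the profile is lost.
    param([string]$BasePath)
    & cipher.exe /x $BasePath
    if ($LASTEXITCODE -ne 0) { throw "cipher /x failed ($LASTEXITCODE)" }
    return "$BasePath.pfx"
}

$dra = New-EfsRecoveryAgent -BasePath $DraBase
"DRA certificate: $($dra.Certificate) (thumbprint $($dra.Thumbprint))"
"User key backup: $(Backup-EfsUserKey -BasePath $UserBase)"
```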
Understanding Redundant Array of Independent Disks (RAID)
In RAID, you can only recover from a single disk failure. If multiple disks fail, RAID will no longer be an option
RAID 0 (Striped Volume)
o No data recoverability, but used for better performance
o Requires a minimum of two hard disks, and these two work as a single volume. Because of this, they use their own read/write heads, giving better performance
o If either disk is lost, you lose the entire striped volume. Best for temp files or non-critical data
o Writes data from disk to disk back and forth
RAID 1 (Mirroring)
o Allows two disks to mirror each other
o If you lose one of the disks, you can boot to the second disk (the mirror) to recover data
o More expensive than other RAID options
RAID 5 Volume - Stripe set with parity
o Uses a minimum of 3 disks (max of 32 disks) that work as one volume
o Uses a parity bit, which allows you to recover data in the event of a hard disk failure
o Writes data back and forth from disk to disk
Chapter 4 (pg. 203)
Virtual memory is overflow memory for RAM. When memory is filled, the oldest data in RAM gets put into virtual memory. This way the system does not need to search an entire hard drive for that data; it goes straight to the virtual memory for it
Registry Keys
HKEY_CURRENT_USER - Configuration information for the user who is currently logged on to the computer. It's a subkey of the HKEY_USERS key
HKEY_USERS - Configuration information for all users of the computer
HKEY_LOCAL_MACHINE (HKLM) - Computer hardware configuration information. This computer configuration is used regardless of the user who is logged in
HKEY_CLASSES_ROOT - Configuration information used by Windows Explorer to properly associate file types with applications
HKEY_CURRENT_CONFIG - Configuration of the hardware profile that is used during system startup
Configuring Remote Connections
Remote Assistance - Provides a method for inviting help by IM, e-mail, file, or now Easy Connect
Easy Connect - Uses the Peer Name Resolution Protocol (PNRP) to set up a direct peer-to-peer transfer, using a central machine on the Internet to establish the connection. PNRP uses IPv6 and Teredo tunneling to register a machine as globally unique. After the option is selected and network connectivity is verified, PNRP puts the user's information into a cloud in the Internet space. The user's contact information is entered into the PNRP cloud and an associated password is created and displayed to the user. The user relays the password to the Remote Assistance helper. The user then waits for the expert to send the request and has to accept the connection
Remote Desktop - Windows 7 uses the latest version of RDP, RDP 7.0. New features include: RDP Core Performance Enhancements, True Multi-Monitor Support, Direct2D and Direct3D 10.1 Application Support, Windows 7 Aero Support, Bidirectional Audio Support, and Multimedia and Media Foundation Support
Virtual Private Network - Allows a connection across a public network into a private network. Tunneling protocols include (greatest security to least):
o IKEv2/VPN Reconnect (Internet Key Exchange) - Supports IPv6 and is NAT-friendly. Supported in Windows 7 and Server 2008 R2
o Secure Socket Tunneling Protocol (SSTP) - Newest of the tunneling protocols when tunneling with Server 2008. SSTP allows encapsulated PPP packets to be transmitted over an HTTP connection. SSTP is the best choice for secure VPN connections. Supported in Vista SP1 and up. Uses port 443
o Layer 2 Tunneling Protocol (L2TP) - Tunneling protocol that has no encryption included. L2TP uses IPSec to make L2TP secure. Supported in Windows 2K and up. Uses port 1701
o Point-to-Point Tunneling Protocol (PPTP) - One of the predecessors to SSTP; also allows PPP packets to have encryption for secure connections. PPTP uses TCP/IP for encryption. Supported in Windows 2K and up. Uses port 1723
Configuring Mobile Computing
Sleep power state - Combines the speed of standby with the features of hibernation mode
Sleep - New power state introduced with Windows 7 that combines the features of hibernate and standby. When a computer enters the sleep power state, data including window locations and running applications is saved to the hard disk, and the computer is put in a low power-saving state
Configuring Power Plans
Commands
o powercfg -devicequery wake_from_any - Queries the devices that can wake the computer up
o powercfg -energy - Creates an energy policy report, energy-report.html, in the directory where the command was run
o powercfg -export export_name GUID - Exports a power plan
o powercfg -import filename GUID - Imports a power plan
Balanced - Provides a balance between power savings and performance
o By default: display turns off after 20 minutes, computer goes to sleep after 1 hour of idle time
o Wireless adapters set to maximum performance
Power Saving - Optimized for power savings
o By default: display and hard drive turn off after 20 minutes of inactivity
High Performance - Provides maximum performance for portable computers
o By default: never enters sleep mode, but display turns off after 20 minutes
o Multimedia settings are configured with the Allow the Computer to Enter Away Mode option, which allows the computer to enter a new power state called Away Mode. Away Mode configures the computer to look asleep but remain accessible for media sharing
ReadyBoost
ReadyBoost allows the use of multiple non-volatile flash memory devices as an additional memory cache. When the physical memory on a computer with ReadyBoost configured becomes full, data is written to the flash device instead of to the hard drive. This improves performance because data can be read faster from flash devices than from the hard drive. A ReadyBoost tab is displayed in the device properties dialog and can be used to configure ReadyBoost
ReadyBoost Requirements
o The device must have a storage capacity of at least 256MB
o The device must support USB 2.0
o The device must support a throughput of 2.5MB/sec for 4K random reads and 1.75MB/sec for 512K random writes
ReadyDrive A Windows 7 technology that speeds up the boot process, resumes from hibernation faster and conserves battery power on mobile computers when used with ReadyDrive-capable hard drives
o Relies on hybrid hard disks, which pair flash memory with the mechanical disk
o Data is written to the flash memory instead of the mechanical disk, saving battery power because the platters spin up for fewer read/write operations
Chapter 5 (pg. 269) Installing and Updating Device Drivers
A driver takes a standard instruction from the operating system and issues the command to the hardware to perform the desired function. Drivers run in kernel mode, so a buggy or malicious driver compromises the whole system; that is why driver signing matters
Uninstalling a device driver does not delete the driver files from the machine; it only removes the operating system configuration for the hardware (the package stays in the driver store until removed with pnputil)
Sigverif.exe File Signature Verification: scans system files and drivers and reports those without a valid digital signature. SIGVERIF.TXT is the log file it generates
Verifier.exe Driver Verifier Manager, which stresses drivers to expose bugs
Pnputil.exe Tool to manage the driver store
o pnputil -a <driver.inf> Adds a driver package to the store
o pnputil -i -a <driver.inf> Adds the package and installs it on matching devices
o pnputil -e Enumerates all third-party driver packages in the store (reported as oemN.inf)
o pnputil -d oemN.inf Deletes a driver package from the store
o pnputil -f -d oemN.inf Forces deletion of the package even if it is in use
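Added example (not from the 70-680 notes): a PowerShell script that turns the pnputil -e listing into objects and checks the Authenticode signature of every .sys file in the drivers directory, which is the scripted equivalent of running Sigverif. Run it from an elevated prompt on Windows 7; it uses PowerShell 2.0 syntax and parses the output format pnputil prints on Windows 7.

```powershell
# Added example: inventory third-party driver packages and find unsigned driver files.
# Run elevated on Windows 7 (PowerShell 2.0 compatible).

# pnputil -e prints blocks of "Published name : oemN.inf", "Driver package provider : ...",
# "Class : ...", "Driver date and version : ...", "Signer name : ..." lines. Turn each block into an object.
function Get-ThirdPartyDriverPackage {
    $packages = @()
    $current = @{}
    foreach ($line in (pnputil.exe -e)) {
        if ($line -match '^\s*Published name\s*:\s*(.+)$') {
            if ($current.Count -gt 0) { $packages += New-Object PSObject -Property $current }
            $current = @{ PublishedName = $Matches[1].Trim() }
        } elseif ($line -match '^\s*Driver package provider\s*:\s*(.+)$') {
            $current['Provider'] = $Matches[1].Trim()
        } elseif ($line -match '^\s*Class\s*:\s*(.+)$') {
            $current['Class'] = $Matches[1].Trim()
        } elseif ($line -match '^\s*Driver date and version\s*:\s*(.+)$') {
            $current['DateVersion'] = $Matches[1].Trim()
        } elseif ($line -match '^\s*Signer name\s*:\s*(.+)$') {
            $current['Signer'] = $Matches[1].Trim()
        }
    }
    if ($current.Count -gt 0) { $packages += New-Object PSObject -Property $current }
    $packages
}

# Check the Authenticode signature of every kernel driver file currently on disk.
# Anything whose Status is not Valid is returned for triage.
function Get-UnsignedDriverFile {
    Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter *.sys |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' } |
        Select-Object @{ n = 'File'; e = { $_.Path } }, Status,
                      @{ n = 'Signer'; e = { if ($_.SignerCertificate) { $_.SignerCertificate.Subject } } }
}

# Packages in the store that carry no signer at all are the first thing to look at
Get-ThirdPartyDriverPackage | Where-Object { -not $_.Signer } |
    Format-Table PublishedName, Provider, Class, DateVersion -AutoSize

Get-UnsignedDriverFile | Format-Table -AutoSize
```

Get-AuthenticodeSignature on Windows 7 checks only embedded signatures, not catalog (.cat) files, so in-box Microsoft drivers that are catalog-signed show up as NotSigned. Treat the second list as a starting point for comparison against a known-good machine, not as proof of tampering; an entry with a signer you do not recognise, or a file that changed date without a corresponding driver package, is what warrants investigation.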
Managing I/O Devices
You can eject a device through Devices and Printers, as well as through the notification area (taskbar) icon
Managing Printers
Removing a printer removes the software configuration but not necessarily the files (drivers and software) from the local machine
Printer pooling Lets IT staff configure multiple print devices (using identical drivers) to appear as one printer to connected users. A job is printed on the first available print device in the pool; if one device fails, the others keep working
Printer spooling A software component that buffers the print job until the print device can complete it
Windows Virtual PC
Requirements:
o 400 MHz Pentium-compatible processor (1 GHz or faster recommended)
o 35 MB free disk space
o Windows 7, Windows Vista with SP1 (Enterprise, Business, Ultimate), or Windows XP with SP3
The shim (Shim Infrastructure) is a compatibility fix that lets legacy applications function properly. It works by application programming interface (API) hooking: calls from the application to Windows are intercepted and redirected to code that emulates the older behaviour
Overview of Internet Explorer 8 (IE8)
Accelerators Give access to internet services with a click. By highlighting a word on a web page and clicking the Accelerator icon you get a range of services by default and can add more if desired
o Managed by IE8 > Tools > Manage Add-ons > Accelerators
Web Slices Let IE8 check for updates to web page content you frequently want to see
o You add the piece of the web page with the content you are interested in to the new Favorites bar and IE8 checks it for you, giving a visual cue when the content changes
o You can control how often IE8 checks for changes, and have IE8 play a sound when Web Slice content is found on a page and when an update to the content is discovered
o If Web Slice content is available on a page, the green Web Slice icon becomes active on the Favorites bar and when you hover over the content on the page itself
Compatibility View Displays a web page the way IE7 would have displayed it
o Once selected for a site it is remembered for the next visit (Tools > Compatibility View Settings)
o By default all intranet sites are displayed in Compatibility View
o You can choose to display all websites in Compatibility View
Domain Highlighting Gives users more feedback about the website they are visiting
o When a user types a URL such as www.google.com, it is displayed in the address bar and stays visible during the browsing session
o In IE8 the registered domain portion of the URL is highlighted in black
o As the user moves to other pages within the domain, the domain stays black and the rest of the URL is greyed out, which makes look-alike URLs (the real domain hidden deep in a long path or subdomain) easier to spot
XSS Filter Attempts to detect reflected cross-site scripting attacks and neutralise the injected script. If the user follows a link whose parameters contain script that a vulnerable site echoes back in its response, IE8 detects the match and modifies the response before rendering it, avoiding the risk.
A message appears at the top of IE8 telling the user that IE has modified this page to help prevent cross-site scripting
SmartScreen Filter If the user navigates to a site listed as unsafe in Microsoft's reputation database, IE8 blocks the request and shows a page stating that the site has been reported unsafe, turning the address bar red to match (This website has been reported as unsafe; the user can go back or, against advice, disregard and continue)
InPrivate Browsing Browsing history is not recorded and temporary internet files are not retained. Cookies, usernames, passwords and form data are discarded when the InPrivate session closes. Opened from a new tab, Safety > InPrivate Browsing, or Ctrl+Shift+P from a normal instance
InPrivate Filtering Lets IE8 automatically block some third-party content, or lets the user choose which third-party providers receive the user's browsing information
Protected Mode Runs the IE8 process at low integrity level in an isolated memory space, so malicious code running in the browser can only write to low-integrity locations such as Temporary Internet Files\Low, not to the rest of the user's profile or the system, unless the user specifically grants the program access through the elevation prompt. Enabled by default (requires UAC); turned off from the Security tab of Internet Options
Defending Against Cross-Site Scripting and ClickJacking
Cross-site scripting attacks exploit vulnerabilities in the websites you use. They are set up by embedding a crafted address in a link a user might click, for example in an e-mail. The link sends the browser to a legitimate website that has been compromised, or that reflects the attacker's script back from the URL, so the script runs in the context of that site and can capture keystrokes, letting the attacker harvest the user's logon credentials. For clickjacking (a legitimate page framed invisibly over bait content so the user's clicks land on it), IE8 honours the X-Frame-Options response header, which lets a site refuse to be displayed inside a frame
Chapter 6 (pg. 335) Local Logon Process
o When the user authenticates with the machine locally, the Local Security Authority builds an access token for the session
o The access token identifies the user, the groups the user belongs to and the user's privileges; every process the user starts carries a copy
o If group membership changes, the user must log off and back on to get a new token with the new membership
o Policy is refreshed at logon
User Accounts in Control Panel also includes:
o Change User Account Control Settings Sets the level of notification when changes are made to your computer
o Manage Your Credentials Stores credentials so you can connect easily to websites that require a username and password or computers that require certificates
o Link Online IDs Links an online ID with your Windows account, making it easy to share files with other computers
o Manage Your File Encryption Certificates Manages EFS file encryption certificates
o Configure Advanced User Profile Properties Opens the User Profiles dialog box directly
Username rules and conventions
o A username must be 1 to 20 characters
o It must be unique among all other users and groups stored on the computer
o It cannot contain any of the characters " / \ [ ] : ; | = , + * ? < >
o It cannot consist exclusively of periods or spaces
Usernames and Security Identifiers
Security settings are associated with SIDs, not with usernames, so an account can be renamed while keeping its permissions, group memberships and profile. The SID is also what makes deletion final: if you delete an account and recreate one with the same username, the new account gets a new SID and inherits none of the old account's access (old ACL entries show as an unresolved SID)
Profiles
Users can be created from the command line with NET USER (net user <name> <password> /add)
Renaming an account does not rename the user's home folder; that must be done manually
NTUSER.DAT The user's registry hive, loaded as HKEY_CURRENT_USER at logon; it holds the user's settings
NTUSER.MAN The same hive renamed .man, which makes the profile mandatory (changes are discarded at logoff)
Group names must be unique on the computer, different from all other group names and usernames
Group names can be up to 256 characters
Groups are identified by SIDs in the same way as user accounts
Roaming profiles are stored on a network server and copied to the local machine each time the user logs on
Mandatory profiles cannot be modified by the user. Only members of the Administrators group can manage them. Users can change desktop preferences while logged on, but the changes are not saved at logoff. Mandatory profiles are a form of roaming profile (NTUSER.DAT renamed to NTUSER.MAN)
Super mandatory profile When a mandatory profile cannot be loaded, Windows normally creates a temporary profile and lets the user log on anyway. With a super mandatory profile, no temporary profile is created and the logon fails, so the user never works outside the controlled profile
When copying profiles, Favorites, cookies, documents, Start menu items and other unique registry settings are copied
%username% can be used when setting up home folders on the Profile tab of an account's properties
Group Policy Objects
Group Policy Result Tool (gpresult) displays Resultant Set of Policy (RSoP) data, i.e. which policy settings actually apply to the machine and user, from the command line
Policies linked through AD take precedence by default over any local group policy. Local group policies are typically used on computers that are not part of a domain, or on a network that has no DC
Domain administrators can disable LGPOs by enabling the Turn Off Local Group Policy Objects Processing setting in a domain GPO (Computer Configuration\Administrative Templates\System\Group Policy)
gpresult switches
o /f Forces gpresult to overwrite the file named in /x or /h
o /h <file> Saves the report in HTML format
o /p <password> Password for the user context given with /u
o /r Displays RSoP summary data
o /s <system> Remote system to connect to
o /u <user> User context under which the command runs
o /v Verbose output
o /x <file> Saves the report in XML format
o /z Super-verbose output
o /user <name> Username whose RSoP data is displayed
o /scope user|computer Limits the output to user or computer settings
MLGPOs (multiple local group policy objects) are processed in this order, and when settings conflict the one processed last wins:
1. Local Computer Policy Includes computer and user settings; the other LGPOs contain only user settings. Applies to all users of the computer
2. Administrators and Non-Administrators Local Group Policy New to Vista and 7. The Administrators LGPO applies to members of the built-in local Administrators group, the Non-Administrators LGPO to everyone else
3. User-Specific Local Group Policy Makes it possible for specific policy settings to apply to a single local user
Setting Password Policies (Security Settings\Account Policies\Password Policy)
Enforce Password History Prevents users from reusing the same password. Maximum is remember 24 passwords
Maximum Password Age Forces users to change their password once it reaches this age. 0 means passwords never expire. Maximum is 999 days (a password itself can be up to 127 characters)
Minimum Password Age Prevents users from changing their password several times in rapid succession to cycle past the history and return to the old one. Maximum is 998 days (must be less than the maximum age)
Minimum Password Length Ensures users actually set a password and specifies how long it must be (0 to 14 in local policy)
Password Must Meet Complexity Requirements Passwords must be six characters or longer, cannot contain the user's account name or any part of the user's full name, and must contain characters from at least three of these categories:
o English uppercase characters (A through Z)
o English lowercase characters (a through z)
o Decimal digits (0 through 9)
o Symbols (such as !, @, #, $, and %)
Store Passwords Using Reversible Encryption Stores passwords in a form that can be decrypted back to plaintext. Required only for CHAP through remote access or Internet Authentication Services (IAS) and for Digest Authentication with IIS; otherwise leave it disabled, since it is equivalent to storing the plaintext password
Setting Account Lockout Policies
The account lockout policies specify how many invalid logon attempts are tolerated: after N unsuccessful attempts within the reset window, the account is locked for the lockout duration or until an administrator unlocks it
Account Lockout Duration How long an account stays locked once the threshold is reached. 30 minutes by default, 99,999 maximum. 0 means the account stays locked until an administrator unlocks it
Account Lockout Threshold Number of invalid attempts allowed before the account is locked out. Maximum is 999 attempts; 0 (the default) means accounts are never locked, which leaves online password guessing unthrottled
Reset Account Lockout Counter After How long (1 to 99,999 minutes) the counter remembers unsuccessful logon attempts before resetting to 0; must be less than or equal to the lockout duration. A very low threshold lets an attacker lock legitimate users out deliberately (a denial of service against your own users), so balance threshold and duration rather than minimising one
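Added example, not part of the notes: a PowerShell script that exports the effective local Password Policy and Account Lockout Policy with secedit, parses the [System Access] section and flags settings outside the ranges discussed above. The thresholds it checks against (a 12-character minimum, 24 remembered passwords, a non-zero lockout threshold with at least a 15-minute duration) are assumptions chosen for illustration, not exam values. Run it from an elevated prompt on Windows 7 (PowerShell 2.0 syntax).

```powershell
# Added example: audit the local password and account lockout policy.
# Run elevated; PowerShell 2.0 compatible.

function Get-LocalSecurityPolicy {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit writes an INI-style (Unicode) file; [System Access] holds the password and lockout values
    $null = secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet
    $settings = @{}
    $section = ''
    foreach ($line in (Get-Content $cfg)) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $settings[$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $settings
}

function Test-PasswordPolicy {
    param([hashtable]$Policy)
    $p = $Policy
    $findings = @()
    # Thresholds below are assumptions for illustration; adjust to your own standard
    if ([int]$p['MinimumPasswordLength'] -lt 12) { $findings += "Minimum password length is $($p['MinimumPasswordLength']) (want 12 or more)" }
    if ($p['PasswordComplexity'] -ne '1')        { $findings += 'Password complexity requirements are disabled' }
    if ([int]$p['PasswordHistorySize'] -lt 24)  { $findings += "Password history remembers $($p['PasswordHistorySize']) passwords (maximum is 24)" }
    # secedit exports 'never expires' (0 in the GUI) as -1
    if ($p['MaximumPasswordAge'] -eq '-1')      { $findings += 'Maximum password age is 0: passwords never expire' }
    if ($p['ClearTextPassword'] -eq '1')        { $findings += 'Store passwords using reversible encryption is ON: equivalent to plaintext storage' }
    if ([int]$p['LockoutBadCount'] -eq 0) {
        $findings += 'Account lockout threshold is 0: online password guessing is never throttled'
    } else {
        # LockoutDuration and ResetLockoutCount only appear once a threshold is set; -1 duration = until admin unlocks
        if ($p['LockoutDuration'] -ne '-1' -and [int]$p['LockoutDuration'] -lt 15) {
            $findings += "Lockout duration is only $($p['LockoutDuration']) minutes"
        }
        if ($p['LockoutDuration'] -ne '-1' -and [int]$p['ResetLockoutCount'] -gt [int]$p['LockoutDuration']) {
            $findings += 'Reset counter window exceeds lockout duration (Windows normally rejects this combination)'
        }
    }
    $findings
}

$policy = Get-LocalSecurityPolicy
$policy.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
$findings = Test-PasswordPolicy $policy
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Password and lockout policy within the assumed thresholds' }
```

On a domain-joined machine the values exported are the ones actually in force after domain policy has been applied, which is what you want to audit; on a standalone machine they are the Local Security Policy settings. The same parser works for any other section of the export, for example [Privilege Rights] for the user rights assignments covered later.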
Setting Audit Policies
Audit policies track the success or failure of specified user actions such as user creation and successful or unsuccessful logon attempts. Results go to the Security log
Assigning User Rights
User rights apply to the system as a whole (for example log on locally, shut down the system, back up files). Permissions apply to specific objects
Windows Defender
Microsoft SpyNet is an online community that helps you find out how others have responded to software that Microsoft has not yet classified
Using BitLocker Drive Encryption
BitLocker encrypts the entire operating system volume. New files added to the volume are encrypted automatically, and files copied from it to another drive or computer are decrypted as they leave
Requirements
o Windows 7 Enterprise or Ultimate
o Trusted Platform Module (TPM) version 1.2 or later to store the key. A TPM is a chip found on newer computers. Without a TPM, Group Policy must allow BitLocker without a compatible TPM and the startup key is kept on a removable USB drive that must be present at every boot
o Works on the OS drive and internal fixed data drives. Removable drives are encrypted with BitLocker To Go
o Requires a hard disk with at least two NTFS partitions: the active system partition (unencrypted, about 100 MB in Windows 7, holds the boot files) and the operating system partition, which is the one that gets encrypted
If the TPM detects a potential security risk, such as a disk error or changes to the BIOS, hardware, system files or startup components, the system drive is not unlocked until you enter the 48-digit BitLocker recovery password or insert a USB drive holding the recovery key
BitLocker is turned on from the BitLocker Drive Encryption icon in Control Panel and governed by policy in the Local Group Policy Editor (Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption)
Policy can prevent any unencrypted data from being copied onto a removable disk (Removable Data Drives > Deny write access to removable drives not protected by BitLocker)
manage-bde.exe gives command-line options for managing BitLocker (manage-bde -status, -on, -off, -protectors -get/-add/-delete, -lock, -unlock)
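Added example (not from the notes): a PowerShell script that reports BitLocker protection status and key protectors for every volume through the Win32_EncryptableVolume WMI class that manage-bde itself is built on, then warns about the configurations a practitioner would flag. It needs an elevated prompt on Windows 7 Enterprise or Ultimate and uses PowerShell 2.0 syntax; the protector type codes are the documented values for the class.

```powershell
# Added example: BitLocker status and key-protector check via WMI.
# Run elevated on Windows 7 Enterprise/Ultimate; PowerShell 2.0 compatible.

# KeyProtectorType values documented for Win32_EncryptableVolume.GetKeyProtectorType
$protectorNames = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword';
                     4 = 'TPMAndPIN'; 5 = 'TPMAndStartupKey'; 6 = 'TPMAndPINAndStartupKey';
                     7 = 'PublicKey'; 8 = 'Passphrase' }

function Get-BitLockerStatus {
    $ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
    foreach ($vol in (Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume)) {
        $prot = $vol.GetProtectionStatus().ProtectionStatus   # 0 = off, 1 = on, 2 = unknown
        $conv = $vol.GetConversionStatus()                    # EncryptionPercentage 0..100
        $types = @()
        # GetKeyProtectors(0) returns the IDs of all protectors regardless of type
        foreach ($id in @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)) {
            if ($id) { $types += $protectorNames[[int]$vol.GetKeyProtectorType($id).KeyProtectorType] }
        }
        New-Object PSObject -Property @{
            Drive            = $vol.DriveLetter
            ProtectionOn     = ($prot -eq 1)
            EncryptedPercent = $conv.EncryptionPercentage
            Protectors       = ($types -join ',')
        }
    }
}

function Test-BitLockerStatus {
    foreach ($v in Get-BitLockerStatus) {
        if ($v.Drive -ne $env:SystemDrive) { continue }   # only the OS volume is checked here
        if (-not $v.ProtectionOn) {
            Write-Warning "$($v.Drive): OS volume is not protected (encrypted $($v.EncryptedPercent)%)"
        }
        if ($v.Protectors -notmatch 'NumericalPassword') {
            Write-Warning "$($v.Drive): no 48-digit recovery password protector; there is no way back in after a TPM change"
        }
        if ($v.Protectors -match '(^|,)TPM($|,)') {
            Write-Warning "$($v.Drive): TPM-only protector; the key is released at boot without a PIN, so cold-boot and DMA attacks against a stolen laptop remain possible"
        }
    }
}

Get-BitLockerStatus | Format-Table Drive, ProtectionOn, EncryptedPercent, Protectors -AutoSize
Test-BitLockerStatus
```

The same information is visible with manage-bde -status and manage-bde -protectors -get C:, but the WMI form is what you would drop into an inventory script across many machines. Back up the recovery password somewhere other than the encrypted drive (Active Directory, or a printout in a safe) before relying on it.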
NTFS Permissions
Traverse Folder lets you pass through folders to reach files and subfolders further down even when you have no permission on the intermediate folders themselves (the Bypass traverse checking user right is granted to Everyone by default, so this rarely matters on Windows 7)
Permissions are inherited from the parent folder by default in Windows 7
Effective NTFS permissions are cumulative: a user gets the union of the Allow entries for the user and for every group the user belongs to, except that a Deny entry overrides an Allow for the same right (and an explicit entry on the object itself beats an inherited one). When share and NTFS permissions both apply to a network access, the more restrictive of the two wins
When an object is created on an NTFS partition, an associated security descriptor is created. A security descriptor contains:
o The user or group that owns the object
o The users and groups that are allowed or denied access to the object (the DACL)
o The users and groups whose access to the object will be audited (the SACL)
Dir /q displays the owner of each file in a directory from the command prompt
ICACLS Command-line utility to display, save, restore or modify access rights
o /grant Grants permissions (icacls <path> /grant <user>:(OI)(CI)M, where (OI)/(CI) are the object/container inheritance flags and F, M, RX, R, W are the simple rights)
o /remove Removes all entries for a user or group
o /deny Adds an explicit Deny entry, which overrides any Allow
o /setintegritylevel Sets an integrity level of Low, Medium or High (L, M, H) on the object
o /save and /restore Save all ACLs in a tree to a file and put them back later
o /verify Finds files whose ACL is not in canonical order
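Added example, not from the notes: a PowerShell session that locks down a folder with icacls in the order a practitioner would use (snapshot, break inheritance, remove the broad entry, grant the narrow one, add the one explicit Deny that matters) and verifies the result with Get-Acl. The folder C:\Secrets and the local user svc-backup are hypothetical; create the user first. Run elevated on Windows 7.

```powershell
# Added example: harden a folder's ACL with icacls and verify with Get-Acl.
# C:\Secrets and svc-backup are hypothetical. Run elevated; PowerShell 2.0 compatible.
$dir     = 'C:\Secrets'
$account = 'svc-backup'   # assumed local user; create with: net user svc-backup * /add
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# 1. Snapshot the existing ACLs (one SDDL string per path) so the change can be rolled back.
#    Restore is relative to the parent: icacls C:\ /restore "$env:TEMP\secrets-acl.txt"
icacls $dir /save "$env:TEMP\secrets-acl.txt" /t /c | Out-Null

# 2. Stop inheriting from C:\ but keep copies of the inherited entries (/inheritance:d),
#    then drop the BUILTIN\Users read entry that every folder under C:\ inherits
icacls $dir /inheritance:d | Out-Null
icacls $dir /remove:g 'BUILTIN\Users' | Out-Null

# 3. Grant the service account Modify on the folder, its subfolders (CI) and files (OI).
#    Administrators and SYSTEM keep Full Control through the retained entries.
icacls $dir /grant "${account}:(OI)(CI)M" | Out-Null

# 4. An explicit Deny beats any Allow: the account may work inside the folder but not delete the folder itself.
#    No inheritance flags, so the Deny applies to this folder object only.
icacls $dir /deny "${account}:(DE)" | Out-Null

# 5. Verify. IsInherited should now be False for every entry and BUILTIN\Users should be gone.
function Get-FolderAccess {
    param([string]$Path)
    (Get-Acl $Path).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
}
Get-FolderAccess $dir | Format-Table -AutoSize
```

Removing the Users entry is the step people forget: breaking inheritance alone copies the parent's entries, so the folder is no better protected than before until the inherited Allow is actually removed. Check the output for an entry you did not expect (for example Authenticated Users or Everyone) before putting data in the folder.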
Determining NTFS Permissions for Copied or Moved Files
Moving a file within the same volume retains its explicit NTFS permissions (only the directory entry moves)
Moving a file to another volume is treated as a copy
Copying a file or folder, on the same volume or to another, creates a new object: the old permissions are dropped and the copy inherits from the destination folder
Moving or copying from NTFS to FAT loses all NTFS permissions, because FAT has no ACLs
Audit Object Access
Enable Audit Object Access (Local Security Policy > Local Policies > Audit Policy, or the equivalent Group Policy setting), then add auditing entries on the object itself (Security tab > Advanced > Auditing); nothing is logged until both are in place. Results are recorded in the Security event log
Chapter 7 (pg. 427) Windows Server 2008 Active Directory Network
Microsoft domains are drawn as triangles
When a child domain is created, a trust relationship with the parent is established automatically. A trust lets users be granted access to resources in one domain even though their accounts reside in another
Transitive two-way trusts mean all domains within the same forest automatically trust each other
There is no such thing as a PDC or BDC in Server 2008; domain controllers hold peer copies of the directory
Member Server A server that is a member of a domain but does not hold a copy of Active Directory
Standalone Server Not a member of a domain; often used for virtualization hosts
DNS Server Hosts DNS; required for AD
o Forward lookup Hostname to IP (A records for IPv4, AAAA records for IPv6)
o Reverse lookup IP to hostname (PTR records)
o Link-Local Multicast Name Resolution (LLMNR) lets IPv4 and IPv6 hosts on the same local link resolve each other's names without a DNS server. Because any host on the link can answer an LLMNR query, it is trivially spoofed to capture credentials; disable it (Turn off multicast name resolution policy) wherever DNS is available
DHCP Server Runs the DHCP service, which assigns TCP/IP configuration to computers dynamically
o 169.254.x.x means the client could not reach a DHCP server and assigned itself an Automatic Private IP Address (APIPA)
o Windows 7 clients keep trying to find a DHCP server every 5 minutes
Global Catalog A partial replica of every object in the forest that holds only the subset of attributes most used in searches; it acts as the index for the forest. When you need to find a resource anywhere in the forest, search the Global Catalog
Wireless Security
WPA / WPA2
o WPA2-Personal Sets up WPA2 with a pre-shared key (passphrase) configured on every client; anyone holding the key who captures a client's association handshake can decrypt that client's traffic
o WPA2-Enterprise Sets up WPA2 with 802.1X and a RADIUS server (NPS/IAS) that verifies each user or computer, so every client gets its own keys
Cards that support only 802.11b can connect only to 802.11b or 802.11b/g access points configured to accept b
Cards that support only 802.11a can connect only to 802.11a or 802.11a/b/g access points configured to accept a
TCP/IP
TCP provides reliability by verifying that each data segment is received and passed to the application that needs it, retransmitting lost segments
TCP/IP is designed to be fault tolerant: it can dynamically reroute packets if network links become unavailable (assuming alternate paths exist)
IPv6 has IPsec built into the protocol suite (it is an add-on in IPv4), but IPsec still has to be configured with policies before any traffic is actually protected
Logical and physical multihoming: multiple IP addresses on a single adapter or across multiple adapters, usually associated with routing for internetwork connectivity
A default gateway must be configured to communicate outside the local network
IPv4 Address Types
Broadcast address Read by all hosts on the local segment; routers do not forward it. 255.255.255.255
Multicast address A special address that one or more devices listen for by joining a multicast group. First octet 224 through 239 (224.0.0.0/4)
Unicast address Uniquely identifies one computer or device on a network
Class assignments
o Class A (first octet 1-126) supports up to 16,777,214 hosts per network
o Class B (128-191) supports up to 65,534 hosts
o Class C (192-223) supports up to 254 hosts
Extra ipconfig commands
o /release6 Releases an IPv6 address assigned through DHCP
o /renew6 Renews an IPv6 address through DHCP
o /registerdns Refreshes all DHCP leases and re-registers the computer's DNS names
o /displaydns Displays the contents of the DNS resolver cache (a quick place to spot poisoned or unexpected entries; /flushdns clears it)
o /showclassid <adapter> Lists the DHCP class IDs allowed for the adapter
Private addresses (RFC 1918, not routed on the Internet)
o 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
o 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
o 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
IPv6
Global Unicast Address (2000::/3) IPv6 equivalent of IPv4 public addresses; globally routable and reachable on the IPv6 Internet
Link-Local Address (fe80::/10) IPv6 equivalent of IPv4 APIPA addresses; every IPv6 interface configures one automatically and it is valid only on the local link, never routed
Site-Local Address (fec0::/10) IPv6 equivalent of IPv4 private addresses; deprecated in favour of Unique Local Addresses (fc00::/7)
Special addresses Loopback 0:0:0:0:0:0:0:1 (::1); unspecified ::
IPv6 Multicast Address (ff00::/8) Sends one packet to every host that has joined that multicast address; IPv6 has no broadcast
IPv6 Anycast Address Assigned to multiple interfaces; packets sent to an anycast address are forwarded by the routing infrastructure to the nearest of those interfaces
Windows Remote Management
Windows Remote Management (WinRM) is Microsoft's implementation of the WS-Management protocol. The WinRM utility can talk to both Windows and non-Windows WS-Management implementations
winrm quickconfig creates a WinRM exception in the firewall, creates an HTTP listener to accept incoming connections and sets the WinRM service to start automatically
Three ways to access WinRM
o WinRM command-line tool (winrm.cmd)
o WinRM scripting objects (WSMan COM objects)
o Windows Remote Shell command-line tool (winrs)
Must be enabled via command line (winrm quickconfig or Enable-PSRemoting) or Group Policy
winrm set winrm/config/client @{TrustedHosts="host1,host2"} lists hosts the client may authenticate to without Kerberos mutual authentication (needed for PowerShell remoting to workgroup or non-domain machines). TrustedHosts="*" trusts everything and lets a spoofed host harvest the credentials you send it; list specific names only
WinRM commands
o winrm get Retrieves management information
o winrm set Modifies management information
o winrm create Creates a new instance of a managed resource
o winrm delete Removes an instance of a managed resource
o winrm enumerate Lists all instances of a managed resource
o winrm invoke Executes a method on a managed resource
o winrm identify Determines whether a WS-Management implementation is running on a remote machine
o winrm quickconfig Configures a machine to accept WS-Management commands from remote machines
o winrm configSDDL Modifies the security descriptor for a Uniform Resource Identifier (URI), i.e. who may connect to it
o winrm helpmsg Displays the error message for an error code
o winrs -r:<server> <command> Runs a command on a remote machine over WinRM
Windows PowerShell A command-line shell and scripting language that can execute commands on a remote Windows 7 machine over WinRM (Invoke-Command, Enter-PSSession)
o A cmdlet is a command built into Windows PowerShell
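Added example (not from the notes): the PowerShell equivalent of winrm quickconfig plus the client-side settings that keep remoting from becoming a credential-theft path, followed by a connectivity check and a remote command. The target server01.corp.example is hypothetical. Run elevated on Windows 7 (PowerShell 2.0 syntax).

```powershell
# Added example: enable WinRM/PowerShell remoting and configure the client side safely.
# server01.corp.example is a hypothetical target. Run elevated; PowerShell 2.0 compatible.

# Same work as "winrm quickconfig": starts WinRM, sets it to Automatic, creates the HTTP listener
# and the firewall exception, and registers the PowerShell session configuration.
Enable-PSRemoting -Force

# TrustedHosts is the list of machines this client will authenticate to with NTLM or Basic
# (no mutual authentication). Add specific names only, and only for hosts Kerberos cannot reach;
# -Concatenate appends instead of replacing the list.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'server01.corp.example' -Concatenate -Force

# Make the secure defaults explicit: no unencrypted traffic, no Basic auth from this client
Set-Item WSMan:\localhost\Client\AllowUnencrypted -Value 'false'
Set-Item WSMan:\localhost\Client\Auth\Basic -Value 'false'

# Test-WSMan sends the same Identify request as "winrm identify"
function Test-RemoteHost {
    param([string]$ComputerName)
    try   { $null = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop; $true }
    catch { $false }
}

$target = 'server01.corp.example'
if (Test-RemoteHost $target) {
    # Prompt for the credential instead of relying on implicit NTLM with the logged-on user;
    # that way a mistyped host name in TrustedHosts does not silently hand over your session token
    $cred = Get-Credential
    Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock {
        Get-Service WinRM | Select-Object MachineName, Name, Status
    }
} else {
    Write-Warning "$target did not answer a WS-Management Identify request"
}
```

Review the resulting client configuration with Get-ChildItem WSMan:\localhost\Client and the listeners with winrm enumerate winrm/config/listener; a listener on HTTP is fine inside a domain because Kerberos encrypts the payload, but for workgroup machines in TrustedHosts an HTTPS listener with a proper certificate is the only way to get server authentication.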
Understanding BranchCache, DirectAccess, and AppLocker
BranchCache is a new technology that lets an organization with slow links between offices cache data at the branch, so the same file does not have to be downloaded across the WAN every time it is accessed. Firewall rules needed on the clients:
o BranchCache Content Retrieval (Uses HTTP) If this rule is not present, create one allowing inbound and outbound traffic on TCP port 80. Required for both Hosted Cache and Distributed Cache mode
o BranchCache Peer Discovery (Uses WSD) If not present, create one allowing inbound and outbound traffic on UDP port 3702. Only used in Distributed Cache mode
o BranchCache Hosted Cache Client (HTTPS-Out) If not present, create one allowing outbound traffic on TCP port 443. Required only in Hosted Cache mode
Distributed Cache Mode All Windows 7 client machines in the branch cache the files locally and serve them to their peers
o Uses inbound and outbound UDP port 3702 (peer discovery) and TCP 80 (retrieval)
o Supports Windows 7 Enterprise or Ultimate
o Must install a Server 2008 R2 content server at the main office first
o Clients have BranchCache installed by default, but it must be enabled and configured along with the firewall exceptions
Hosted Cache Mode Files are cached on a local Server 2008 R2 Enterprise/Datacenter machine in the branch
o Uses outbound TCP port 443
o Uses an SSL certificate during setup; the cache server must obtain a server certificate so clients in the branch can authenticate it
o Supports Windows 7 Enterprise or Ultimate
o Must install a Server 2008 R2 hosted cache server (and a content server at the main office) first
o When a client downloads data from the main-office server, the hosted cache server at the branch obtains a copy for other users to access
DirectAccess Lets a remote user work on the corporate network from outside without a VPN. DirectAccess connects automatically as soon as the computer has Internet connectivity, with no user intervention
o Takes place as soon as the computer starts, before the user logs on, so the machine receives policy and patches even if nobody logs in
o Supports Windows 7 Enterprise and Ultimate
o Can be integrated with Network Access Protection (NAP)
o Uses IPv6 end to end, with IPsec protecting the traffic
o Bidirectional: management systems on the intranet can reach the client as well as the reverse
o The computer must be in the DirectAccess security group to connect
o Requires at least one domain controller and one DNS server running Server 2008 SP2 or Server 2008 R2
o A CA that issues computer certificates, smart cards or health certificates
o IPsec policies to specify protection for traffic
o IPv6 on the DirectAccess server using ISATAP, Teredo (for clients behind NAT) or 6to4
AppLocker Configures Allow and Deny lists for applications through Group Policy (Application Control Policies)
o Granular application control to help prevent execution of unauthorized software
o Supports Windows 7 Enterprise and Ultimate
o Relies on the Application Identity service; enable it before configuring the GPO
o Rules are grouped by collection (Executable, Windows Installer, Script, DLL). Once a collection is enforced, anything not explicitly allowed is blocked, so create the default rules (Windows and Program Files allowed) before switching from audit to enforce
AppLocker Rules
o Path Rule Based on the file path. Weakest of the three: anyone who can write into an allowed path can run whatever they put there
o File Hash Rule Based on the unique hash of the file; used when a file is not signed, and must be updated whenever the file changes
o Publisher Rule Based on the digital signature (publisher, product, file name, version); survives updates of the signed file
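Added example (not from the notes): building and dry-running an AppLocker policy with the AppLocker PowerShell module that ships with Windows 7 Enterprise and Ultimate. The application folder C:\Program Files\Contoso and the two test paths are hypothetical. Run elevated.

```powershell
# Added example: generate publisher/hash rules from a folder, test them, then merge.
# Paths are hypothetical. Run elevated on Windows 7 Enterprise/Ultimate.
Import-Module AppLocker

# AppLocker rules do nothing until the Application Identity service is running
Set-Service AppIDSvc -StartupType Automatic
Start-Service AppIDSvc

# 1. Collect publisher and hash information for the executables and DLLs to be allowed
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files\Contoso' -Recurse -FileType Exe, Dll

# 2. Prefer publisher rules (they survive updates); fall back to hash rules for unsigned files.
#    -Optimize merges rules that share a publisher; missing file information is skipped, not fatal.
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
            -User Everyone -RuleNamePrefix Contoso -Optimize -IgnoreMissingFileInformation

# 3. Dry-run the policy before enforcing it: each result carries a PolicyDecision and the matching rule
function Test-Policy {
    param($Policy, [string[]]$Paths, [string]$User = 'Everyone')
    Test-AppLockerPolicy -PolicyObject $Policy -Path $Paths -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}
Test-Policy $policy @('C:\Program Files\Contoso\app.exe', 'C:\Users\Public\Downloads\tool.exe') |
    Format-Table -AutoSize

# 4. Save the generated rules for review and version control
$policy.ToXml() | Out-File "$env:TEMP\contoso-applocker.xml"

# 5. Merge into the local policy only after the default rules exist, otherwise an enforced
#    Exe collection blocks Windows itself. Generate them in the console with "Create Default Rules",
#    export to XML and merge that first, then:
# Set-AppLockerPolicy -PolicyObject $policy -Merge
```

Test-AppLockerPolicy answers DeniedByDefault for a file no rule covers, which is what you want for the download in step 3; run the whole set of rules in Audit only mode for a while and review the AppLocker event log (Applications and Services Logs\Microsoft\Windows\AppLocker) before enforcing.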
Virtualization
Hypervisor A thin 64-bit software layer that sits between the virtual machines and the hardware. It lets Hyper-V run multiple virtual machines on one physical machine; its job is to create and manage the partitions that isolate them
Windows Virtual PC keyboard shortcuts (the host key is the right Alt key)
o Ctrl+Alt+Del inside the VM = Right Alt+Del
o Full screen = Right Alt+Enter
o To release the mouse, press the right Alt key
Chapter 8 (pg. 505)
Windows 7 Performance Optimization
Performance Monitor Measures the performance of a local or remote computer on the network. Use it to:
Create baselines
o A snapshot of how the system performs under normal load; later measurements are compared against the first baseline
Identify system bottlenecks
o A system resource that is inefficient compared with the rest of the computer as a whole
Determine trends
o With reactive management, you deal with a problem when it occurs
o With proactive management, you take steps to avoid the problem before it happens
Test configuration changes or tuning efforts
Create alert thresholds
Optimizing Windows 7 with Performance Monitor
With Performance Monitor you can:
o Collect data from local or remote computers concurrently
o View data as it is collected in real time, or historically from collected data
o Create HTML pages for viewing data
o Choose the format the data is viewed in: line, histogram bar, or report views
Data collector sets collect data into a log so it can be reviewed later. A data collector set can collect:
o Performance counters Data about hardware usage and the activity of system services
o Event trace data
o System configuration information
Windows 7 includes four data collector sets stored in the System subfolder:
o LAN Diagnostics
o System Diagnostics Used to troubleshoot an unreliable system
o System Performance Used to troubleshoot a system that is not performing well (disk, RAM, network, processor)
o Wireless Diagnostics
Resource Monitor
Opened from the Performance tab in Task Manager, from Control Panel, or Start > All Programs > Accessories > System Tools > Resource Monitor
Tabs
o Overview A fair amount of detail, with graphs on the right-hand side
o CPU Lists each running process with its process ID (PID), a brief description, status, number of threads, current CPU use and average CPU use
o Memory Shows the same process information as the CPU tab plus a graphical overview of memory allocation
o Disk Displays disk activity, with real-time graphs of disk transfer in KB/sec and disk queue length
o Network Shows network utilization and protocol information: Processes with Network Activity, TCP Connections and Listening Ports, with real-time graphs of network data transfer. Listening Ports is the quickest place to see which process has opened which port
There are four main subsystems to monitor. Configure counters for each in your data collector set:
The memory subsystem
o Physical memory The RAM installed in the computer
o Page file Logical memory that lives on the hard drive
o Memory > Available MBytes Physical memory available to run processes. If below 20% of installed memory, indicates a shortage of physical memory or an application not releasing memory properly
o Memory > Pages/sec Number of times per second that requested information was not in memory and had to be read from disk. Should stay below 20 (the notes quote 4.5 as optimal); if consistently higher, consider adding memory
o Paging File > % Usage Percentage of the allocated page file currently in use. If above 70%, consider adding memory or increasing the page file
The processor subsystem
o Processor bottlenecks develop when threads require more processing cycles than are available
o Processor > % Processor Time Time the processor spends servicing requests. Should stay below 85%
o Processor > Interrupts/sec Average hardware interrupts received per second. Should stay below 3,000; higher indicates a hardware or driver problem generating interrupts
o System > Processor Queue Length Threads waiting for processor time; used to tell whether a processor bottleneck is due to demand for processor time
The disk subsystem
o Disk access time is how long the disk subsystem takes to return data requested by the OS
o PhysicalDisk/LogicalDisk > % Disk Time Time the disk is busy servicing read or write requests. If busy more than 90%, consider adding another disk
o PhysicalDisk/LogicalDisk > Current Disk Queue Length Outstanding disk requests waiting to be processed. Should stay below 2
o LogicalDisk > % Free Space Free disk space available. Should be at least 15%
The network subsystem
o Network bottlenecks occur when traffic exceeds what the LAN can carry; typically watched with a Network Monitor solution
o Network Interface > Bytes Total/sec Total bytes sent and received on the interface, across all protocols
o TCPv4 > Segments/sec TCP segments sent and received per second, TCPv4 only
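Added example (not from the notes): a PowerShell script that samples the counters listed above with Get-Counter, averages them, and compares the averages with the thresholds from these notes. The Processor Queue Length limit of 2 and the sample count are assumptions for illustration; the other limits are the ones stated above. Run on Windows 7 (PowerShell 2.0 syntax).

```powershell
# Added example: sample the four subsystems' counters and flag values outside the notes' thresholds.
# PowerShell 2.0 compatible.

function Get-BaselineSample {
    param([int]$Samples = 3, [int]$Interval = 2)   # assumed values: 3 samples, 2 seconds apart
    $paths = @(
        '\Memory\Available MBytes',
        '\Memory\Pages/sec',
        '\Paging File(_Total)\% Usage',
        '\Processor(_Total)\% Processor Time',
        '\Processor(_Total)\Interrupts/sec',
        '\System\Processor Queue Length',
        '\PhysicalDisk(_Total)\% Disk Time',
        '\PhysicalDisk(_Total)\Current Disk Queue Length',
        "\LogicalDisk($env:SystemDrive)\% Free Space",
        '\Network Interface(*)\Bytes Total/sec',
        '\TCPv4\Segments/sec'
    )
    $sets = Get-Counter -Counter $paths -SampleInterval $Interval -MaxSamples $Samples
    # Average each counter path (Get-Counter returns one sample set per interval)
    $sets | ForEach-Object { $_.CounterSamples } |
        Group-Object Path |
        ForEach-Object {
            New-Object PSObject -Property @{
                Counter = $_.Name
                Average = [math]::Round(($_.Group | Measure-Object CookedValue -Average).Average, 2)
            }
        }
}

function Test-BaselineSample {
    param($Sample)
    $ramMB = [math]::Round((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    # Counter paths come back as \\host\object\counter in lower case; match on the tail
    $limits = @(
        @{ Pattern = '\\memory\\available mbytes$';      Bad = { param($v) $v -lt 0.2 * $ramMB }; Why = 'less than 20% of installed RAM free' },
        @{ Pattern = '\\memory\\pages/sec$';             Bad = { param($v) $v -gt 20 };           Why = 'above 20 pages/sec, consider adding memory' },
        @{ Pattern = '\\% usage$';                       Bad = { param($v) $v -gt 70 };           Why = 'page file more than 70% used' },
        @{ Pattern = '\\% processor time$';              Bad = { param($v) $v -gt 85 };           Why = 'processor more than 85% busy' },
        @{ Pattern = '\\interrupts/sec$';                Bad = { param($v) $v -gt 3000 };         Why = 'more than 3,000 interrupts/sec' },
        @{ Pattern = '\\processor queue length$';        Bad = { param($v) $v -gt 2 };            Why = 'processor queue above 2 (assumed limit)' },
        @{ Pattern = '\\% disk time$';                   Bad = { param($v) $v -gt 90 };           Why = 'disk busy more than 90% of the time' },
        @{ Pattern = '\\current disk queue length$';     Bad = { param($v) $v -gt 2 };            Why = 'disk queue above 2' },
        @{ Pattern = '\\% free space$';                  Bad = { param($v) $v -lt 15 };           Why = 'less than 15% free space' }
    )
    foreach ($s in $Sample) {
        foreach ($l in $limits) {
            if ($s.Counter -match $l.Pattern -and (& $l.Bad $s.Average)) {
                Write-Warning ('{0}: {1} ({2})' -f $s.Counter, $s.Average, $l.Why)
            }
        }
    }
}

$sample = Get-BaselineSample
$sample | Sort-Object Counter | Format-Table Counter, Average -AutoSize
Test-BaselineSample $sample
```

Run it once on a quiet machine and keep the output as the baseline the notes describe; a later run that trips a warning the baseline did not is the "trend" Performance Monitor is meant to surface, and a sudden jump in Bytes Total/sec or Pages/sec with no matching change in workload is worth correlating with the Security log.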
Using Reliability Monitor
Reliability Monitor is a standalone feature in Windows 7 that gives an overview of the stability of the computer. The upper half of the display charts the relative reliability of the machine over time on a scale of 1 to 10 (1 being horrible, 10 completely reliable). Event categories:
o Application failures Programs that hang or crash
o Windows failures Operating system and boot failures
o Miscellaneous failures Unexpected shutdowns
o Warnings Items that are detrimental but not failures
o Information Informational messages (including recently installed applications)
Reliability history can be saved in XML format
Using Windows 7 Tools to Discover System Information
System Information Shows details about hardware, software and resources; run msinfo32
Task Manager Shows open applications, processes, services, performance, networking and logged-on users
o Set Affinity Chooses which processor(s) a process may run on
Performance Information and Tools Gives a numerical score that shows how well the system performs
o Processor, based on calculations per second
o Memory (RAM), based on memory operations per second
o Graphics, based on Windows Aero performance
o Gaming Graphics, based on 3D graphics performance
o Primary Hard Disk, based on disk transfer rate
Using Event Viewer
The Windows 7 Event Viewer contains the following Windows Logs:
o Application log Events from applications, such as an application, driver or service failing
o Security log Security audit events, such as successful or failed logon events; only written when an audit policy is enabled
o Setup log Events from Windows installation and component setup; present on every Windows 7 machine but usually of little practical use
o System log Events from the operating system and related services
o Forwarded Events Events collected from other computers through event subscriptions
Administrative Events view Gathers critical, error and warning events from all logs so the most important events are easy to see
Chapter 9 (pg. 559) Using Advanced Boot Options
Boot Logging Creates a log file that tracks the loading of drivers and services. When you enable this option, windows 7 loads normally and not in safe mode o Log file is written to \Windows\Ntbtlog.txt o Allows you to log all of the processes that take place during a normal boot sequence Enable LowResolution Video (640x480) Loads a standard VGA driver without restarting the computer in safe mode. This mode bails you out by loading a default driver, providing access to video so that you can properly install and test the correct driver Safe Mode Loads all the basic drivers for troubleshooting purposes o Starts Windows 7 at a resolution of 800x600 Last Known Good Configuration (Advanced) Boots Windows s7 by using the registry information that was saved the last time the computer was successfully booted o HKLM\System\ControlSet001 copies to HKLM\System\CurrentControlSet after successful log on Debugging Mode This runs the Kernel Debugger, if installed Disable Driver Signature Enforcement Allows drivers to be installed even if they do not contain valid signatures
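The Boot Logging option above only produces a text file; reading it by hand is slow. As an added example (PowerShell written for these notes, not from the book or from Microsoft), the script below summarises Ntbtlog.txt and lists the drivers that did not load. It assumes the "Loaded driver" / "Did not load driver" line format of that file and falls back to constructed sample lines when no log exists yet.

```powershell
# Added example, not from the notes: summarise a boot log written by the Boot
# Logging option. Ntbtlog.txt lists one driver per line as either
#   Loaded driver \SystemRoot\system32\DRIVERS\foo.sys
#   Did not load driver \SystemRoot\system32\DRIVERS\bar.sys
# The path is the one the notes give; the sample lines below are constructed.

function Get-BootLogSummary {
    param([string[]]$Lines)

    $loaded  = @()
    $skipped = @()
    foreach ($line in $Lines) {
        if ($line -match '^Did not load driver\s+(.+)$') {
            $skipped += $matches[1].Trim()
        } elseif ($line -match '^Loaded driver\s+(.+)$') {
            $loaded += $matches[1].Trim()
        }
        # Header lines (OS version, timestamp) match neither pattern and are ignored.
    }
    New-Object PSObject -Property @{
        Loaded         = $loaded
        NotLoaded      = $skipped
        LoadedCount    = $loaded.Count
        NotLoadedCount = $skipped.Count
    }
}

# Constructed sample used when no real log is present (Boot Logging not enabled yet).
$sample = @(
    'Microsoft (R) Windows (R) Version 6.1 (Build 7601)',
    'Loaded driver \SystemRoot\system32\ntoskrnl.exe',
    'Loaded driver \SystemRoot\system32\DRIVERS\fltmgr.sys',
    'Did not load driver \SystemRoot\system32\DRIVERS\example_legacy.sys',
    'Did not load driver \SystemRoot\System32\drivers\vga.sys'
)

$logPath = Join-Path $env:SystemRoot 'Ntbtlog.txt'
$lines = if (Test-Path $logPath) { Get-Content $logPath } else { $sample }

$summary = Get-BootLogSummary -Lines $lines
'{0} drivers loaded, {1} did not load' -f $summary.LoadedCount, $summary.NotLoadedCount
# A driver that keeps appearing under NotLoaded is the first thing to compare
# against a known-good boot when a device is missing or the boot hangs.
$summary.NotLoaded
```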
Maintaining Windows 7 with Backup and Restore
- Backup to a network location is supported on Windows 7 Professional, Ultimate, or Enterprise
- The user's rights to the network location must include Full Control on both the share and the NTFS permissions
- Cannot back up to a Windows volume, a recovery partition, a locked BitLocker partition, or a tape drive
- Cannot back up EFS files
- Command line: wbadmin start backup -backupTarget:<drive letter>: -include:<drive letter>: -quiet
- System Image: enables you to take a snapshot of the entire hard disk and capture that image to a specific location so you can restore that image at a later date
  o You restore this image by booting from the Windows 7 media and selecting Repair your computer
  o Cannot restore individual files from a system image
- System Protection: creates a backup and saves the configuration information of your computer's system files and settings on a regular basis
  o Does not overwrite the previous configuration
  o Restore points are created every 7 days automatically
  o System Protection is turned on by default in Windows 7 for any drive formatted with NTFS
- Restore Points: contain registry and system information as they were at a certain point in time
  o System restore points can be managed through the System Protection tab of System Properties
  o Restore points can NOT be created through the System Restore utility

Other Information
Offline Files
Allows a client to locally cache files and folders hosted on a network share so they are accessible when the computer is unable to connect to the network.
- Available only in Windows 7 Professional, Enterprise, and Ultimate
- Policy: Computer Configuration > Admin Templates > Network > Offline Files
- Operational methods:
  o Online Mode (online): connected access to server-based files
  o Auto Offline Mode (offline: not connected): when network issues occur, Offline Files moves to auto offline mode, which redirects file operations to the offline copy
  o Manual Offline Mode (offline: working offline): users can force Windows 7 to use the offline copy of the data at will
  o Slow-link Mode (offline: slow connection): if enabled in Group Policy, allows a transition to offline mode when a network connection slows down
Transparent Caching
Typically, when a user accesses a file and then accesses it again later, the file is downloaded again from the server. With transparent caching, the file is stored locally once opened so that later on it can be opened again from the local cache.
VHDs
- Booting from a VHD requires a Windows 7 Enterprise/Ultimate or Windows Server 2008 R2 environment
- You cannot dual boot Windows XP or Vista computers with Windows 7 installed on a VHD
- Dynamically expanding VHDs are not recommended for native boot environments
Using Offline Virtual Machine Servicing Tool
- Requires Windows Server 2008 or Windows Server 2003 with SP2
- Works with Microsoft System Center Virtual Machine Manager (SCVMM) 2007 or SCVMM 2008
- Maintains offline virtual machines and VHDs
- Can be configured to boot the client computer from the VHD just long enough for the VHD to receive updates from either SCCM 2007 or WSUS
UAC elevation prompt behavior

For Local Administrators
- Elevate without prompting: applications that are marked as administrator applications and applications that are detected as setup applications are run automatically with the full administrator access token. All other applications are automatically run with the standard user token
- Prompt for credentials on the secure desktop: the User Account Control dialog box is displayed on the secure desktop. To give consent for an application to run with the full administrator access token, the user must enter administrative credentials. This setting supports compliance with Common Criteria or corporate policies
- Prompt for consent on the secure desktop: the User Account Control dialog box is displayed on the secure desktop. To give consent for an application to run with the full administrator access token, the user must click Yes or No on the User Account Control dialog box. If the user is not a member of the local Administrators group, the user is prompted for administrative credentials. This setting supports compliance with Common Criteria or corporate policies

For Standard Users
- Automatically deny elevation requests: administrator applications cannot run. The user receives an error message that indicates a policy is preventing the application from running
- Prompt for credentials: this is the default setting. For an application to run with the full administrator access token, the user must enter administrative credentials in the User Account Control dialog box that is displayed on the desktop
- Prompt for credentials on the secure desktop: for an application to run with the full administrator access token, the user must enter administrative credentials in the User Account Control dialog box that is displayed on the secure desktop
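The two lists above are the policy options; on a running machine you want to know which one is actually in effect. As an added example (PowerShell written for these notes, not from the book or from Microsoft), the script below reads the local UAC settings and reports them using the names listed above. The registry path and value names (ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop, EnableLUA) are an assumption taken from Microsoft's documentation of these policies; the notes themselves do not give them.

```powershell
# Added example, not from the notes: report the configured UAC elevation behaviour
# using the setting names the notes list. Registry path and value names are assumed
# from Microsoft's UAC policy documentation; they do not appear in the notes.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin: behaviour of the elevation prompt for administrators
$adminBehaviour = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows 7 default)'
}
# ConsentPromptBehaviorUser: behaviour of the elevation prompt for standard users
$userBehaviour = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (default)'
}

function Get-UacElevationPolicy {
    param([string]$Key = $uacKey)
    $p = Get-ItemProperty -Path $Key -ErrorAction Stop
    $admin = [int]$p.ConsentPromptBehaviorAdmin
    $user  = [int]$p.ConsentPromptBehaviorUser
    $adminName = 'Unknown value ' + $admin
    if ($adminBehaviour.ContainsKey($admin)) { $adminName = $adminBehaviour[$admin] }
    $userName = 'Unknown value ' + $user
    if ($userBehaviour.ContainsKey($user)) { $userName = $userBehaviour[$user] }
    New-Object PSObject -Property @{
        UacEnabled       = ([int]$p.EnableLUA -eq 1)
        SecureDesktop    = ([int]$p.PromptOnSecureDesktop -eq 1)
        AdminPromptValue = $admin
        AdminPrompt      = $adminName
        UserPromptValue  = $user
        UserPrompt       = $userName
    }
}

$policy = Get-UacElevationPolicy
$policy | Format-List UacEnabled, SecureDesktop, AdminPrompt, UserPrompt

# Settings a reviewer would want to question: UAC off, silent elevation for
# administrators, or prompts drawn on the normal desktop instead of the secure one.
if (-not $policy.UacEnabled)        { Write-Warning 'UAC (EnableLUA) is disabled' }
if ($policy.AdminPromptValue -eq 0) { Write-Warning 'Administrators elevate without prompting' }
if (-not $policy.SecureDesktop)     { Write-Warning 'Elevation prompts are not shown on the secure desktop' }
```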
Location-aware printing
- Windows 7 switches the default printer depending on the location and the network it is connected to
- Requires Windows 7 Professional, Ultimate, or Enterprise
- Start > Devices and Printers > Manage default printers. From this setting you can manage location-aware printing
Netsh (run as administrator)
- Enable a program
  o netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes
- Enable a port
  o netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80
- Delete an enabled program/port rule
  o netsh advfirewall firewall delete rule name="rule name" program="C:\MyApp\MyApp.exe"
  o netsh advfirewall firewall delete rule name="rule name" protocol=udp localport=500
- Configure ICMP settings
  o netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
  o netsh advfirewall firewall add rule name="All ICMP V4" protocol=icmpv4:any,any dir=in action=allow
- Enable Windows Firewall
  o netsh advfirewall set currentprofile state on
  o netsh advfirewall set domainprofile state on (likewise privateprofile)
- Enable specific services
  o netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
- Reset Windows Firewall
  o netsh advfirewall reset
- BranchCache
  o netsh branchcache show status [all]
  o netsh branchcache set service mode=hostedclient location=<FQDN>
  o netsh branchcache set service mode=hostedserver clientauthentication=<domain>
  o netsh branchcache set service mode=distributed
  o netsh branchcache set cachesize size=<percentage> percent=true
  o netsh branchcache show localcache
  o netsh branchcache smb set latency=1000 (value in milliseconds)
Policies
- Removable Devices Policy: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
- Smart Card Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive Logon: Require Smart Card (Yes/No)
- Power Policy: Computer Configuration > Administrative Templates > System > Power Management
- Windows Update Policy: Computer Configuration > Administrative Templates > Windows Components > Windows Update
- Windows Remote Management: Computer Configuration > Admin Templates > Windows Components > Windows Remote Management
- Compatibility-related Group Policy: Computer Configuration > Administrative Templates > System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics
- Software Restriction Policy: Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies
- AppLocker Policy: Computer Configuration > Windows Settings > Security Settings > Application Control Policies
- Compatibility Mode Policy: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Compatibility View
- IE Add-ons & Search Provider Policy: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Accelerators
  o Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management
- InPrivate Browsing Policy: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > InPrivate
- Offline Files Policy: Computer Configuration > Administrative Templates > Network > Offline Files
- Encrypting File System: Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System / BitLocker Drive Encryption
- BitLocker To Go: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives
- BitLocker Drive Encryption Policy: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
- DirectAccess Policy (client side): Computer Configuration > Administrative Templates > Network > TCPIP Settings > IPv6 Transition Technologies
- BranchCache Policy: Computer Configuration > Administrative Templates > Network > BranchCache
- Audit Object Access: Computer Configuration > Windows Settings > Security Settings > Local Policy > Audit Policy
- Windows Remote Assistance (Server 2008): Computer Configuration > Policies > Administrative Templates > System > Remote Assistance
HOW TO (for 70-680 objectives)

Forwarded Events
1. On the forwarding computer, open CMD and type winrm quickconfig
2. On the forwarding computer, add the collecting computer to the Event Log Readers group
3. On the collector computer, open CMD and type wecutil qc
4. On the collector computer, open Event Viewer and right-click Subscriptions > Create Subscription
5. From this screen, you can select the computers to collect from, the kind of logs, the user account to use, and the delivery optimization according to bandwidth

User State Migration Tool
1. On the source computer, download WAIK and navigate to the USMT directory from the command line
2. Type scanstate.exe <path to directory share> /o /i:migapp.xml /i:miguser.xml /encrypt /key:<password>
3. On the destination computer, navigate to the USMT folder and run the same command, substituting loadstate.exe for scanstate.exe and /decrypt for /encrypt

Attach a VHD
1. Open Disk Management and right-click the Disk Management node > Create VHD > name the VHD file you want to create and save it > specify the size of the VHD

Install to VHD
1. During Windows installation setup, press Shift+F10 to bring up CMD
2. Diskpart.exe > list disk > select disk 0 > clean > create partition primary > format quick > list volume > assign letter=c > list volume > create vdisk file=C:\Win7.vhd maximum=<size in MB> type=<fixed|expandable> > select vdisk file=C:\Win7.vhd > attach vdisk > list disk > create partition primary > format quick label=WIN7VHD > assign letter=V > setup

Boot to VHD natively
1. Boot into Win PE and load Diskpart
2. Create a primary partition, assign it a letter, and format it
3. Copy the VHD file to the primary partition > select the vdisk file and attach it
4. List the volumes and assign the VHD volume a letter
5. Navigate to <VHD letter>:\windows\system32 and run bcdboot <VHD letter>:\windows /s <physical drive letter, e.g. C:>
6. Detach the VHD

Automating Image Capture Wizard
1. Create a WDSCapture.inf
2. After modifying the WDSCapture.inf, replace the image's version at X:\windows\system32\WDSCapture.inf by using ImageX to mount/dismount
3. Add the image to WDS