
Principles of Operating System

Arthur D. Ollanda
Global Education Services
AMA University
11/8/2013

Preface

Many years ago, soon after the computer was introduced, it became one of the most in-demand man-made machines. A computer can be used at any time, no matter how big or small the device: as long as it is operational, the user can surf the net, do office or home work and even play a game. It never runs without software that leads the machine to perform its tasks and gives the user an interface to control and manage the computer system, and that software is the "Operating System".

The operating system, often referred to as the "OS", manages the computer's hardware resources and provides common services for computer programs. This lecture manual, "Principles of Operating System", presents the concept and importance of the software that translates human communication into machine language to execute tasks. It describes the architecture and design of the system, and it also covers central processing unit scheduling, showing the preemptive and non-preemptive events and behaviour of a processor.

The main focus of this lecture manual is Configuring the Windows 7 Client and Basic Administration. It introduces the earlier and the recent Microsoft operating systems and shows what made Microsoft Windows more popular than ever. The Windows 7 operating system section shows the differences from earlier versions and the new features included in its editions. These enhanced the ability, capability and security of the system beyond what users had experienced before. The manual explores the new web interface of Internet Explorer 8, 9, 10 and 11 and the improved mobility of Windows that raised the level of wireless technology. It also includes an explanation of some basic operations in Windows Server 2008 R2. This lecture manual defines each module, chapter and topic of the course, with understandable exercises and assessments that will develop the skills of a computer student. It will serve as the reference course for the Microsoft Certified Technology Specialist certification exam.


Acknowledgement

The Global Education Services personnel are grateful to Almighty God for enabling us to reproduce this lecture manual on the "Principles of Operating System; Configuring Windows 7 Client", and it is a privilege for us to provide the necessary materials through Microsoft as additional references for our faculty and students to explore and experience the growth of computer technology.

We wish to express our gratitude to our Chairman, Amable R. Aguiluz V, for giving us the opportunity to be part of the AMA Education System that molds us in the world of Information Technology, and to our President, Amable C. Aguiluz IX, for his trust in us to face the challenge of many competitions and to become more competitive.

We sincerely thank the GES Head, Christopher P. Satulan, for the motivation he gave us in every task we have been through in our academic alliances and for being a good team leader.

In addition, many thanks to the Academic Affairs Department Head, Dr. Alma V. Dela Cruz, for allowing us to be part of supporting and enhancing the academic excellence of our institution.

We also place on record our sense of gratitude to one and all who, directly or indirectly, have lent a helping hand in this undertaking.

Thank you

Arthur D. Ollanda

AMAES - GES


Table of Contents

Preface ....................................................................................................................................2
Acknowledgement ....................................................................................................................3
Table of Contents .....................................................................................................................4
Principles of Operating System
Introduction...................................................................................................................5
Part 1: The Concepts of Operating System.................................................................................6
Functions of Operating System......................................................................................7
Types of Operating System...........................................................................................8
Operating System as User Interface...............................................................................9
I/O System Management...............................................................................................11
Assessment Part 1
Exercise 1....................................................................................................................13
The CPU Scheduling
CPU Scheduler.............................................................................................................15
First Come, First Served Scheduling..............................................................................18
Shortest-Job-First Scheduling........................................................................................19
Priority Scheduling........................................................................................................21
Round Robin Scheduling...............................................................................................21
Multi-Level Queue Scheduling........................................................................................23
Exercise 2....................................................................................................................27
Part 2: Microsoft Windows Operating System: Configuring Windows 7 Client
Background
The Early Version..............................................................................................31
Windows 9X.....................................................................................................32
Windows NT.....................................................................................................33
Windows XP.....................................................................................................33
Windows Vista, 7 and 8......................................................................34
Microsoft Windows 7
Module 1: Understanding Network Infrastructure..............................................................35
Lesson 1: Network Architecture Standards...........................................................36
Lesson 2: Local Area Network..............................................................................39
Lesson 3: Wide Area Network...............................................................................42
Lesson 4: Wireless Networking.............................................................................44
Lesson 5: Connecting to the Internet.....................................................................47
Lesson 6: Firewall ...............................................................................................48
Lesson 7: The OSI Model ....................................................................................50
Lesson 8: Understanding Adapters, Hub and Switches ..........................................51
Lesson 9: Understanding Routing .........................................................................54
Lesson 10: Understanding Media Types ................................................................57
Module 2: Windows Server Roles
Windows Server 2008 R2 ..................................................................................................62
Lesson 1: Role-Based Deployment.........................................................................63
Lesson 2: Deploying Role-Specific Servers ............................................................68
Module 3: Installing, Upgrading and Migrating to Windows 7
Overview
Lesson 1: Preparing to Install Windows 7 ................................................................71
Lesson 2: Performing a Clean Installation of Windows 7 ...........................................79
Lesson 3: Upgrading and Migrating to Windows 7 ....................................................81
Lesson 4: Performing an Image-Based Installation of Windows 7 .............................90
Lesson 5: Configuring Application Compatibility ......................................................107
Module 4: Implementing User Accounts and Groups ........................................................................113
Lesson 1: User Accounts ........................................................................................114
Lesson 2: The Domain Controller .............................................................................116

Lesson 3: Managing Users, Group and Computers ....................................................118
Lesson 4: Implementing Organizational Units ...........................................................127
Lesson 5: Implementing Group Policy .....................................................................130
Module 5: Configuring Disks and Drivers
Lesson 1: Partitioning Disks in Windows 7 ..............................................................135
Lesson 2: Managing Disk Volumes .........................................................................139
Lesson 3: Maintaining Disks in Windows 7 ..............................................................145
Lesson 4: Installing and Configuring Device Drivers .................................................149
Module 6: Configuring File Access and Printers on Windows 7 Clients
Lesson 1: Overview of Authentication and Authorization ...........................................164
Lesson 2: Managing File Access in Windows 7 ........................................................168
Lesson 3: Managing Shared Folders .......................................................................176
Lesson 4: Configuring File Compression .................................................................183
Lesson 5: Managing Printing ...................................................................................189
Module 7: Configuring Network Connectivity
Lesson 1: Configuring IPv4 Network Connectivity .....................................................201
Lesson 2: Configuring IPv6 Network Connectivity .....................................................208
Lesson 3: Implementing Automatic IP Address Allocation
Lesson 4: Overview of Name Resolution
Lesson 5: Troubleshooting Network Issues
Module 8: Configuring Wireless Network Connections
Lesson 1: Overview of Wireless Network
Lesson 2: Configuring Wireless Network
Module 9: Securing Windows 7 Desktops
Lesson 1: Overview of Security Management in Windows 7
Lesson 2: Securing a Windows 7 Client Computer by Using Local Security Policy Settings
Lesson 3: Securing Data by Using EFS and BitLocker
Lesson 4: Configuring Application Restrictions
Lesson 5: Configuring User Account Control
Lesson 6: Configuring Windows Firewall
Lesson 7: Configuring Security Settings in Internet Explorer 8
Lesson 8: Configuring Windows Defender
Module 10: Optimizing and Maintaining Windows 7 Client Computers
Lesson 1: Maintaining Performance by Using the Windows 7 Performance Tools
Lesson 2: Maintaining Reliability by Using the Windows 7 Diagnostic Tools
Lesson 3: Backing Up and Restoring Data by Using Windows Backup
Lesson 4: Restoring a Windows 7 System by Using System Restore Points
Lesson 5: Configuring Windows Update
Module 11: Configuring Mobile Computing and Remote Access in Windows 7
Lesson 1: Configuring Mobile Computer and Device Settings
Lesson 2: Configuring Remote Desktop and Remote Assistance for Remote Access
Lesson 3: Configuring DirectAccess for Remote Access
Lesson 4: Configuring BranchCache for Remote Access

Principles of Operating System

Introduction

Turn on your computer and know that you are in control. There is the trusty computer mouse, which you can move anywhere on the screen, summoning up your music library, pictures, videos or Internet browser at the slightest whim. Although it is easy to feel like a director in front of your desktop, you might wonder how the machine does a certain job; the real one behind the curtain handling the necessary tasks is the operating system.

An operating system acts as an intermediary between the user of a computer and the computer hardware. The purpose of an operating system is to provide an environment in which a user can execute programs in a convenient and efficient manner. It is the software that manages the computer hardware. The hardware must provide appropriate mechanisms to ensure the correct operation of the computer system and to prevent user programs from interfering with the proper operation of the system.

Operating systems provide a software platform on top of which other programs, called application programs, can run. The application programs must be written to run on top of a particular operating system. Your choice of operating system, therefore, determines to a great extent the applications you can run. For PCs, the most popular operating systems are DOS, OS/2, and Windows, but others are available, such as Linux and Mac OS.

Important: We recommend that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly.

Preparation tasks
To prepare for this module:
Read all of the materials for this module.
Practice performing the demonstrations and the lab exercises.
Work through the Module Review and Takeaways section, and determine how you will use this
section to reinforce student learning and promote knowledge transfer to on-the-job performance.


Part 1: The Concepts of Operating System

An operating system is a program that controls the execution of application programs and acts as an interface between the user of a computer and the computer hardware. A more common definition is that the operating system is the one program running at all times on the computer (usually called the kernel), with all else being application programs. An operating system is concerned with the allocation of resources and services, such as memory, processors, devices and information.

The operating system correspondingly includes programs to manage these resources, such as a traffic controller, a scheduler, a memory management module, I/O programs, and a file system. The operating system is a vital component of the system software in a computer system. Application programs usually require an operating system to function.

It is the most important software that runs on a computer. It manages the computer's memory, processes, and all of its software and hardware. It also allows you to communicate with the computer without knowing how to speak the computer's "language." Without an operating system, a computer is useless.

Functions of Operating System

An operating system performs three functions:

1. Convenience: An OS makes a computer more convenient to use.
2. Efficiency: An OS allows the computer system resources to be used in an efficient manner.
3. Ability to Evolve: An OS should be constructed in such a way as to permit the effective development, testing and introduction of new system functions without at the same time interfering with service.

Types of Operating System


1. GUI
A Graphical User Interface (GUI) operating system contains graphics and icons and is commonly navigated by using a computer mouse. A GUI is a type of user interface that allows users to interact with electronic devices using images rather than text commands. It represents the information and actions available to a user through graphical icons and visual indicators such as secondary notation, as opposed to text-based interfaces, typed command labels or text navigation. The actions are usually performed through direct manipulation of the graphical elements.

2. Real-time
A real-time operating system is a multitasking operating system that aims at executing real-time applications. Such systems often use specialized scheduling algorithms so that they can achieve deterministic behavior. The main objective of real-time operating systems is their quick and predictable response to events. They have an event-driven or time-sharing design, and often aspects of both. An event-driven system switches between tasks based on their priorities or external events, while time-sharing operating systems switch tasks based on clock interrupts.

3. Multi-user
A multi-user operating system allows multiple users to access a computer system at the same time. Time-sharing systems and Internet servers can be classified as multi-user systems, as they enable multiple-user access to a computer through the sharing of time. Single-user operating systems have only one user but may allow multiple programs to run at the same time.

4. Multi-tasking
A multi-tasking operating system allows more than one program to be running at a time, from the point of view of human time scales. Multi-tasking can be of two types, pre-emptive and co-operative.
a. In pre-emptive multitasking, the operating system slices the CPU time and dedicates one slot to each of the programs. Unix-like operating systems such as Solaris and Linux support pre-emptive multitasking.
b. Cooperative multitasking is achieved by relying on each process to give time to the other processes in a defined manner. 16-bit versions of Microsoft Windows used cooperative multi-tasking. 32-bit versions of both Windows NT and Win9x used pre-emptive multi-tasking. Mac OS prior to OS X supported cooperative multitasking.

5. Distributed
A distributed operating system manages a group of independent computers and makes them appear to be a single computer. The development of networked computers that could be linked and could communicate with each other gave rise to distributed computing. Distributed computations are carried out on more than one machine. When computers in a group work in cooperation, they make up a distributed system.

6. Embedded
Embedded operating systems are designed to be used in embedded computer
systems. They are designed to operate on small machines like PDAs with less
autonomy. They are able to operate with a limited number of resources. They are very
compact and extremely efficient by design. Windows CE and Minix 3 are some
examples of embedded operating systems.

Operating System as User Interface


Every general-purpose computer consists of hardware, an operating system, system programs and application programs. The hardware consists of memory, the CPU, the ALU, I/O devices, peripheral devices and storage devices. The system programs consist of compilers, loaders, editors, the OS, etc. The application programs consist of business programs, database programs and the like (see Figure 1.0).

Figure 1.0 Conceptual view of a computer system

Every computer must have an operating system to run other programs. The operating system coordinates the use of the hardware among the various system programs and application programs for the various users. It simply provides an environment within which other programs can do useful work. The operating system is a set of special programs that run on a computer system and allow it to work properly. It performs basic tasks such as recognizing input from the keyboard, keeping track of files and directories on the disk, sending output to the display screen and controlling peripheral devices.

The OS is designed to serve two basic purposes:

1. It controls the allocation and use of the computing system's resources among the various users and tasks.
2. It provides an interface between the computer hardware and the programmer that simplifies, and makes feasible, the coding, creation and debugging of application programs.

The operating system must support the following tasks:
1. Provide the facilities to create and modify program and data files using an editor.
2. Provide access to the compiler for translating the user program from a high-level language to machine language.
3. Provide a loader program to move the compiled program code into the computer's memory for execution.
4. Provide routines that handle the details of I/O programming.

I/O System Management


The module that keeps track of the status of devices is called the I/O traffic controller. Each I/O device has a device handler that resides in a separate process associated with that device.

The I/O subsystem consists of:

a. A memory management component that includes buffering, caching and spooling.
b. A general device driver interface.
c. Drivers for specific hardware devices.


A. Assembler
The input to an assembler is an assembly language program. The output is an object program plus information that enables the loader to prepare the object program for execution. At one time, the computer programmer had at his disposal a basic machine that interpreted, through hardware, certain fundamental instructions. He would program this computer by writing a series of ones and zeros (machine language) and placing them into the memory of the machine.

B. Compiler
A compiler is a program that accepts a source program in a high-level language and produces a corresponding object program. An interpreter is a program that appears to execute a source program as if it were machine language. The same name (FORTRAN, COBOL, etc.) is often used to designate both a compiler and its associated language.

C. Loader
A loader is a routine that loads an object program and prepares it for execution. There are various loading schemes: absolute, relocating and direct-linking. In general, the loader must load, relocate, and link the object program. A loader is a program that places programs into memory and prepares them for execution. In a simple loading scheme, the assembler outputs the machine language translation of a program on a secondary device and a loader is placed in core. The loader places into memory the machine language version of the user's program and transfers control to it. Since the loader program is much smaller than the assembler, it makes more core available to the user's program.


Assessment Part 1:
Review Exercise 1:
1. It is concerned with the allocation of resources and services, such as memory, processors, devices and information.
Answer: Operating System
2. A type of operating system that aims at executing real-time applications. It often uses specialized scheduling algorithms so that it can achieve deterministic behavior.
Answer: Real-time OS
3. A program that accepts a source program in a high-level language and produces a corresponding object program.
Answer: compilers
4. These are designed to be used in embedded computer systems.
Answer: Embedded OS
5. Give and explain the three main functions of an Operating System.
6. A routine that loads an object program and prepares it for execution.
Answer: Loader
7. It manages a group of independent computers and makes them appear to be a single computer.
Answer: Distributed OS
8. This type of operating system allows more than one program to be running at a time.
Answer: Multi-tasking OS
9. Its output is an object program plus information that enables the loader to prepare the object program for execution.
Answer: Assembler
10. An operating system that allows multiple users to access a computer system at the same time.
Answer: Multi-user OS


The CPU Scheduling

Basic Concept
1. Maximum CPU utilization is obtained with multiprogramming
   a. Several processes are kept in memory at one time
   b. Every time a running process has to wait, another process can take over use of the CPU
2. Scheduling of the CPU is fundamental to operating system design
3. Process execution consists of a cycle of a CPU time burst and an I/O time burst.
   a. Processes alternate between these two states (i.e., CPU burst and I/O burst)
   b. Eventually, the final CPU burst ends with a system request to terminate execution

Figure: Alternating Sequence of CPU and I/O Bursts


Figure: Histogram of CPU Burst

CPU bursts tend to have a frequency curve similar to the exponential curve shown
above. It is characterized by a large number of short CPU bursts and a small number of long
CPU bursts. An I/O-bound program typically has many short CPU bursts; a CPU-bound
program might have a few long CPU bursts.

CPU Scheduler

The CPU scheduler selects from among the processes in memory that are ready to
execute and allocates the CPU to one of them.
CPU scheduling decisions take place under the following four circumstances:
1. (N) A process switches from the running state to the waiting state
2. (P) A process switches from the running state to the ready state
3. (P) A process switches from the waiting state to the ready state
4. (N) A process switches from the running state to the terminated state
Circumstances 1 and 4 are non-preemptive (N); they offer no scheduling choice.
Circumstances 2 and 3 are preemptive (P); a scheduling decision can be made.


Dispatcher

The dispatcher module gives control of the CPU to the process selected by the short-term scheduler; this involves:
• switching context
• switching to user mode
• jumping to the proper location in the user program to restart that program
The dispatcher needs to run as fast as possible, since it is invoked during every process context switch.
The time it takes for the dispatcher to stop one process and start another process is called dispatch latency.

Scheduling Criteria
o Different CPU scheduling algorithms have different properties
o The choice of a particular algorithm may favor one class of processes over
another
o In choosing which algorithm to use, the properties of the various algorithms
should be considered
o Criteria for comparing CPU scheduling algorithms may include the following
• CPU utilization – percent of time that the CPU is busy executing a
process
• Throughput – number of processes that are completed per time unit
• Response time – amount of time it takes from when a request was
submitted until the first response occurs (but not the time it takes to
output the entire response)


• Waiting time – the amount of time before a process starts after first
entering the ready queue (or the sum of the amount of time a process has
spent waiting in the ready queue)
• Turnaround time – amount of time to execute a particular process from
the time of submission through the time of completion

Optimization Criteria
It is desirable to
• Maximize CPU utilization
• Maximize throughput
• Minimize turnaround time
• Minimize start time
• Minimize waiting time
• Minimize response time
In most cases, we strive to optimize the average measure of each metric. In other cases, it is more important to optimize the minimum or maximum values rather than the average.

Single Processor Scheduling Algorithms
o First Come, First Served (FCFS)
o Shortest Job First (SJF)
o Priority
o Round Robin (RR)

First Come, First Served Scheduling

With FCFS, the process that requests the CPU first is allocated the CPU first.

    Process   Burst Time
    P1        24
    P2        3
    P3        3


Sample:

1. Suppose that the processes arrive in the order: P1, P2, P3

The Gantt chart for the schedule is: P1 (0-24), P2 (24-27), P3 (27-30)

• Waiting time for P1 = 0; P2 = 24; P3 = 27
• Average waiting time: (0 + 24 + 27)/3 = 17
• Average turn-around time: (24 + 27 + 30)/3 = 27

2. Suppose that the processes arrive in the order: P2, P3, P1

The Gantt chart for the schedule is: P2 (0-3), P3 (3-6), P1 (6-30)

• Waiting time for P1 = 6; P2 = 0; P3 = 3
• Average waiting time: (6 + 0 + 3)/3 = 3 (much better than Case #1)
• Average turn-around time: (3 + 6 + 30)/3 = 13

Sample 1 is an example of the convoy effect: all the other processes wait for one long-running process to finish using the CPU.
• This problem results in lower CPU and device utilization; Case #2 shows that higher utilization might be possible if the short processes were allowed to run first.
The FCFS scheduling algorithm is non-preemptive.


• Once the CPU has been allocated to a process, that process keeps the
CPU until it releases it either by terminating or by requesting I/O
• It is a troublesome algorithm for time-sharing systems

Shortest-Job-First Scheduling
The SJF algorithm associates with each process the length of its next CPU burst. When the CPU becomes available, it is assigned to the process that has the smallest next CPU burst (in the case of matching bursts, FCFS is used).
Two schemes:
1. Non-preemptive: once the CPU is given to the process, it cannot be preempted until it completes its CPU burst.
2. Preemptive: if a new process arrives with a CPU burst length less than the remaining time of the currently executing process, preempt. This scheme is known as Shortest-Remaining-Time-First (SRTF).

Sample 1: Non-Preemptive SJF (simultaneous arrival)

    Process   Arrival Time   Burst Time
    P1        0.0            6
    P2        0.0            4
    P3        0.0            1
    P4        0.0            5

SJF (non-preemptive, simultaneous arrival): P3 (0-1), P2 (1-5), P4 (5-10), P1 (10-16)

• Average waiting time = (0 + 1 + 5 + 10)/4 = 4
• Average turn-around time = (1 + 5 + 10 + 16)/4 = 8


Sample 2: Non-Preemptive SJF (varied arrival times)

    Process   Arrival Time   Burst Time
    P1        0.0            7
    P2        2.0            4
    P3        4.0            1
    P4        5.0            4

SJF (non-preemptive, varied arrival times): P1 (0-7), P3 (7-8), P2 (8-12), P4 (12-16)

Average waiting time:
= ((0 - 0) + (8 - 2) + (7 - 4) + (12 - 5))/4
= (0 + 6 + 3 + 7)/4 = 4

Average turn-around time:
= ((7 - 0) + (12 - 2) + (8 - 4) + (16 - 5))/4
= (7 + 10 + 4 + 11)/4 = 8

Priority Scheduling
o The SJF algorithm is a special case of the general priority scheduling algorithm
o A priority number (integer) is associated with each process
o The CPU is allocated to the process with the highest priority (smallest integer = highest priority)
o Priority scheduling can be either preemptive or non-preemptive
• A preemptive approach will preempt the CPU if the priority of the newly-arrived process is higher than the priority of the currently running process
• A non-preemptive approach will simply put the new process (with the highest priority) at the head of the ready queue

SJF is a priority scheduling algorithm where the priority is the predicted next CPU burst time. The main problem with priority scheduling is starvation, that is, low priority processes may never execute.
A solution is aging; as time progresses, the priority of a process in the ready queue is increased.

Round Robin (RR) Scheduling


In the round robin algorithm, each process gets a small unit of CPU time (a time
quantum), usually 10-100 milliseconds. After this time has elapsed, the process is
preempted and added to the end of the ready queue. If there are n processes in the
ready queue and the time quantum is q, then each process gets 1/n of the CPU time in
chunks of at most q time units at once. No process waits more than (n-1)q time units.
Performance of the round robin algorithm
o q large ⇒ FCFS
o q small ⇒ q must be greater than the context switch time; otherwise, the
overhead is too high
One rule of thumb is that 80% of the CPU bursts should be shorter than the time
quantum

Sample of RR with Time Quantum = 20

Process   Burst Time
P1        53
P2        17
P3        68
P4        24

The Gantt chart is:


Round robin typically gives a higher average turnaround time than SJF, but better response time.

Average waiting time
= ( [(0 – 0) + (77 – 20) + (121 – 97)] + (20 – 0) + [(37 – 0) + (97 – 57) + (134 – 117)] + [(57 – 0) + (117 – 77)] ) / 4
= ( (0 + 57 + 24) + 20 + (37 + 40 + 17) + (57 + 40) ) / 4
= (81 + 20 + 94 + 97) / 4
= 292 / 4 = 73

Average turn-around time
= (134 + 37 + 162 + 121) / 4 = 113.5
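The two SJF samples, the RR example above and review exercise 2 later in this part can all be reproduced with the simulator below. It is an added example, not code from the manual; the names Process, Result and gantt_chart are mine, and the four RR processes are assumed to arrive at time 0, which the waiting-time sum above implies. Running it prints the slice-by-slice schedule that the Gantt chart figure conveys.

```python
"""Non-preemptive SJF and round robin simulators (added example, not from the manual)."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Process:
    name: str
    arrival: float
    burst: int


@dataclass
class Result:
    gantt: List[Tuple[str, float, float]]   # (process, start, end) CPU slices
    finish: Dict[str, float]                # process -> completion time
    avg_waiting: float
    avg_turnaround: float


def _summarize(procs, gantt, finish):
    # turnaround = completion - arrival; waiting = turnaround - burst
    ta = {p.name: finish[p.name] - p.arrival for p in procs}
    wt = {p.name: ta[p.name] - p.burst for p in procs}
    n = len(procs)
    return Result(gantt, finish, sum(wt.values()) / n, sum(ta.values()) / n)


def sjf_nonpreemptive(procs, start=0.0):
    """Shortest job first without preemption. `start` keeps the CPU idle
    until that time (the 'future-knowledge' variant of review exercise 2c)."""
    pending = sorted(procs, key=lambda p: p.arrival)
    clock, gantt, finish = start, [], {}
    while pending:
        ready = [p for p in pending if p.arrival <= clock]
        if not ready:                       # CPU idle until the next arrival
            clock = pending[0].arrival
            continue
        # shortest burst among arrived processes; ties go to the earlier arrival
        p = min(ready, key=lambda q: (q.burst, q.arrival))
        pending.remove(p)
        gantt.append((p.name, clock, clock + p.burst))
        clock += p.burst
        finish[p.name] = clock
    return _summarize(procs, gantt, finish)


def round_robin(procs, quantum):
    """Round robin: a process runs at most `quantum` units, then goes to the
    tail of the ready queue. Processes arriving during a slice are queued
    ahead of the preempted one (the usual textbook convention)."""
    arrivals = sorted(procs, key=lambda p: p.arrival)
    remaining = {p.name: p.burst for p in procs}
    queue, clock, gantt, finish, i = deque(), 0.0, [], {}, 0

    def admit(now):                         # move arrived processes into the queue
        nonlocal i
        while i < len(arrivals) and arrivals[i].arrival <= now:
            queue.append(arrivals[i])
            i += 1

    while i < len(arrivals) or queue:
        admit(clock)
        if not queue:                       # idle until the next arrival
            clock = arrivals[i].arrival
            continue
        p = queue.popleft()
        run = min(quantum, remaining[p.name])
        gantt.append((p.name, clock, clock + run))
        clock += run
        remaining[p.name] -= run
        admit(clock)
        if remaining[p.name] > 0:
            queue.append(p)
        else:
            finish[p.name] = clock
    return _summarize(procs, gantt, finish)


def gantt_chart(result):
    """Render the slices as |P1 0-20|P2 20-37|... for quick inspection."""
    return "|" + "|".join(f"{n} {s:g}-{e:g}" for n, s, e in result.gantt) + "|"


# The manual's inputs, re-typed: SJF sample 2 and the RR example (all four
# RR processes are assumed to arrive at time 0, as the waiting-time sums imply).
SJF_SAMPLE_2 = [Process("P1", 0.0, 7), Process("P2", 2.0, 4),
                Process("P3", 4.0, 1), Process("P4", 5.0, 4)]
RR_SAMPLE = [Process("P1", 0.0, 53), Process("P2", 0.0, 17),
             Process("P3", 0.0, 68), Process("P4", 0.0, 24)]

if __name__ == "__main__":
    for label, res in (("SJF", sjf_nonpreemptive(SJF_SAMPLE_2)),
                       ("RR q=20", round_robin(RR_SAMPLE, 20))):
        print(label, gantt_chart(res))
        print(f"  avg waiting {res.avg_waiting:g}, avg turnaround {res.avg_turnaround:g}")
```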

Time Quantum and Context Switches

Turnaround Time Varies with The Time Quantum

As can be seen from this graph, the average turnaround time of a set of processes does
not necessarily improve as the time quantum size increases. In general, the average
turnaround time can be improved if most processes finish their next CPU burst in a single time
quantum.

Multi-Level Queue Scheduling


o Multi-level queue scheduling is used when processes can be classified into groups
o For example, foreground (interactive) processes and background (batch) processes
• The two types of processes have different response-time requirements and so
may have different scheduling needs
• Also, foreground processes may have priority (externally defined) over
background processes
o A multi-level queue scheduling algorithm partitions the ready queue into several
separate queues
o The processes are permanently assigned to one queue, generally based on some
property of the process such as memory size, process priority, or process type
o Each queue has its own scheduling algorithm
• The foreground queue might be scheduled using an RR algorithm
• The background queue might be scheduled using an FCFS algorithm
o In addition, there needs to be scheduling among the queues, which is commonly
implemented as fixed-priority pre-emptive scheduling
• The foreground queue may have absolute priority over the background queue
o One example of a multi-level queue is the set of five queues shown below
o Each queue has absolute priority over lower priority queues
o For example, no process in the batch queue can run unless the queues above it are
empty
o However, this can result in starvation for the processes in the lower priority queues


o Another possibility is to time slice among the queues


o Each queue gets a certain portion of the CPU time, which it can then schedule among its
various processes
• The foreground queue can be given 80% of the CPU time for RR scheduling
• The background queue can be given 20% of the CPU time for FCFS scheduling

Multi-Level Feedback Queue Scheduling


o In multi-level feedback queue scheduling, a process can move between the various
queues; aging can be implemented this way
o A multilevel-feedback-queue scheduler is defined by the following parameters:
• Number of queues
• Scheduling algorithms for each queue
• Method used to determine when to promote a process
• Method used to determine when to demote a process
• Method used to determine which queue a process will enter when that process
needs service
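As an added example (constructed here, not code from the manual), a tick-driven simulator of the multilevel feedback queue just described, parameterised as that list suggests: two round robin queues with quanta 8 and 16 above an FCFS queue, demotion of a process that uses up its slice, promotion back to queue 0 by aging, and preemption of a lower queue by a higher one. The processes C1, I1, I2 and the interactive stream are constructed workloads, and the names mlfq and Proc are mine.

```python
"""Multilevel feedback queue (MLFQ) simulator, one CPU tick at a time.

Added example with constructed workloads; not code from the lecture manual.
Queue i below the last uses round robin with quanta[i]; the last queue is FCFS.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Proc:
    name: str
    arrival: int
    burst: int
    remaining: int = 0
    queue: int = 0      # index of the queue the process currently lives in
    used: int = 0       # ticks consumed of the current time slice
    waited: int = 0     # ticks spent in a ready queue since last dispatched


def _record(trace, name, qi, start, end):
    """Append a (name, queue, start, end) slice, merging contiguous ticks."""
    if trace and trace[-1][:2] == (name, qi) and trace[-1][3] == start:
        trace[-1] = (name, qi, trace[-1][2], end)
    else:
        trace.append((name, qi, start, end))


def mlfq(procs, quanta=(8, 16), age_limit=30):
    """Returns (trace, finish_times). Rules implemented:
    - new processes enter queue 0; a runnable process in a higher queue
      preempts one running from a lower queue (fixed-priority preemptive)
    - a process that uses its whole slice is demoted one queue
    - a process that waits `age_limit` ticks is promoted to queue 0 (aging)
    """
    nq = len(quanta) + 1
    queues = [deque() for _ in range(nq)]
    pending = deque(sorted(procs, key=lambda p: p.arrival))
    for p in pending:
        p.remaining, p.queue, p.used, p.waited = p.burst, 0, 0, 0
    clock, running, trace, finish = 0, None, [], {}
    while len(finish) < len(procs):
        while pending and pending[0].arrival <= clock:
            queues[0].append(pending.popleft())
        for qi in range(1, nq):                        # aging
            for p in list(queues[qi]):
                if p.waited >= age_limit:
                    queues[qi].remove(p)
                    p.queue, p.used, p.waited = 0, 0, 0
                    queues[0].append(p)
        top = next((qi for qi in range(nq) if queues[qi]), None)
        if running is not None and top is not None and top < running.queue:
            queues[running.queue].appendleft(running)  # preempted; resumes its slice later
            running = None
        if running is None:
            if top is None:                            # nothing runnable: idle tick
                clock += 1
                continue
            running = queues[top].popleft()
            running.waited = 0
        for q in queues:                               # everyone else waits one tick
            for p in q:
                p.waited += 1
        running.remaining -= 1
        running.used += 1
        _record(trace, running.name, running.queue, clock, clock + 1)
        clock += 1
        if running.remaining == 0:
            finish[running.name] = clock
            running = None
        elif running.queue < nq - 1 and running.used == quanta[running.queue]:
            running.queue += 1                         # used the whole slice: demote
            running.used = 0
            queues[running.queue].append(running)
            running = None
    return trace, finish


def cpu_hog_with_interactive_stream():
    """Constructed workload: one 40-tick CPU-bound process plus a 4-tick
    interactive process arriving every 4 ticks from t=8 to t=60."""
    return [Proc("C1", 0, 40)] + [Proc(f"I{t}", t, 4) for t in range(8, 64, 4)]


if __name__ == "__main__":
    trace, finish = mlfq([Proc("C1", 0, 40), Proc("I1", 10, 3), Proc("I2", 30, 3)])
    for name, qi, s, e in trace:
        print(f"{s:3d}-{e:3d}  {name}  (queue {qi})")
    print("finish times:", finish)
```

With the interactive stream, the CPU-bound process C1 gets no CPU after its first slice until the stream ends unless aging promotes it; compare the traces with age_limit=30 and a very large age_limit.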

Example of Multilevel Feedback Queue

Multi-Processor Scheduling
o If multiple CPUs are available, load sharing among them becomes possible; the
scheduling problem becomes more complex
o We concentrate in this discussion on systems in which the processors are identical
(homogeneous) in terms of their functionality


• We can use any available processor to run any process in the queue
o Two approaches: asymmetric multiprocessing and symmetric multiprocessing

Asymmetric multiprocessing (ASMP)


• One processor handles all scheduling decisions, I/O processing, and other
system activities
• The other processors execute only user code
• Because only one processor accesses the system data structures, the need for
data sharing is reduced

Symmetric multiprocessing (SMP)


• Each processor schedules itself
• All processes may be in a common ready queue or each processor may have its
own ready queue
• Either way, each processor examines the ready queue and selects a process to
execute
• Efficient use of the CPUs requires load balancing to keep the workload evenly
distributed
- In a push migration approach, a specific task regularly checks the
processor loads and redistributes the waiting processes as needed
- In a pull migration approach, an idle processor pulls a waiting job from
the queue of a busy processor
• Virtually all modern operating systems support SMP, including Windows XP,
Solaris, Linux, and Mac OS X
Symmetric Multithreading

o Symmetric multiprocessing systems allow several threads to run concurrently by
providing multiple physical processors
o An alternative approach is to provide multiple logical rather than physical processors
o Such a strategy is known as symmetric multithreading (SMT)
• This is also known as hyperthreading technology
o The idea behind SMT is to create multiple logical processors on the same physical
processor


• This presents a view of several logical processors to the operating system, even
on a system with a single physical processor
• Each logical processor has its own architecture state, which includes general-
purpose and machine-state registers
• Each logical processor is responsible for its own interrupt handling
• However, each logical processor shares the resources of its physical processor,
such as cache memory and buses

o SMT is a feature provided in the hardware, not the software


The hardware must provide the representation of the architecture state for each logical
processor, as well as interrupt handling

A typical SMT Architecture

Review Exercise 2:

1. Define the difference between preemptive and nonpreemptive scheduling.

2. Suppose that the following processes arrive for execution at the times indicated. Each
process will run the listed amount of time. In answering the questions, use
nonpreemptive scheduling and base all decisions on the information you have at the
time the decision must be made.
Process   Arrival Time   Burst Time
P1        0.0            8
P2        0.4            4
P3        1.0            1


a. What is the average turnaround time for these processes with the FCFS scheduling
algorithm?

b. What is the average turnaround time for these processes with the SJF scheduling
algorithm?

c. The SJF algorithm is supposed to improve performance, but notice that we chose to run
process P1 at time 0 because we did not know that two shorter processes would arrive
soon. Compute what the average turnaround time will be if the CPU is left idle for the
first 1 unit and then SJF scheduling is used. Remember that processes P1 and P2 are
waiting during this idle time, so their waiting time may increase. This algorithm could be
known as future-knowledge scheduling.

3. What advantage is there in having different time-quantum sizes on different levels of a
multilevel queueing system?

4. Many CPU-scheduling algorithms are parameterized. For example, the RR algorithm
requires a parameter to indicate the time slice. Multilevel feedback queues require
parameters to define the number of queues, the scheduling algorithms for each queue,
the criteria used to move processes between queues, and so on.

These algorithms are thus really sets of algorithms (for example, the set of RR algorithms for all
time slices, and so on). One set of algorithms may include another (for example, the FCFS
algorithm is the RR algorithm with an infinite time quantum). What (if any) relation holds between
the following pairs of sets of algorithms?
a. Priority and SJF

b. Multilevel feedback queues and FCFS

c. Priority and FCFS

d. RR and SJF


5. Suppose that a scheduling algorithm (at the level of short-term CPU scheduling) favors
those processes that have used the least processor time in the recent past. Why will this
algorithm favor I/O-bound programs and yet not permanently starve CPU-bound
programs?

6. Distinguish between PCS and SCS scheduling.


7. Assume an operating system maps user-level threads to the kernel using the many-to-
many model where the mapping is done through the use of LWPs. Furthermore, the
system allows program developers to create real-time threads. Is it necessary to bind a
real-time thread to an LWP?

Answer:
1. Preemptive scheduling allows a process to be interrupted in the midst of its
execution, taking the CPU away and allocating it to another process.
Nonpreemptive scheduling ensures that a process relinquishes control of the
CPU only when it finishes with its current CPU burst.
2.
a. 10.53
b. 9.53
c. 6.86

Remember that turnaround time is finishing time minus arrival time, so you
have to subtract the arrival times to compute the turnaround times. FCFS
is 11 if you forget to subtract arrival time.

3. Processes that need more frequent servicing, for instance, interactive processes
such as editors, can be in a queue with a small time quantum. Processes with no
need for frequent servicing can be in a queue with a larger quantum, requiring
fewer context switches to complete the processing, and thus making more
efficient use of the computer.

4.


a. The shortest job has the highest priority.


b. The lowest level of MLFQ is FCFS.
c. FCFS gives the highest priority to the job having been in existence the
longest.
d. None.
5. It will favor the I/O-bound programs because of the relatively short CPU burst
request by them; however, the CPU-bound programs will not starve because the
I/O-bound programs will relinquish the CPU relatively often to do their I/O.

6. PCS scheduling is done local to the process. It is how the thread library
schedules threads onto available LWPs. SCS scheduling is the situation where
the operating system schedules kernel threads. On systems using either many-
to-one or many-to-many, the two scheduling models are fundamentally
different. On systems using one-to-one, PCS and SCS are the same.

7. Yes, otherwise a user thread may have to compete for an available LWP prior to
being actually scheduled. By binding the user thread to an LWP, there is no
latency while waiting for an available LWP; the real-time user thread can be
scheduled immediately.


PART 2: Microsoft Windows Operating System:


Configuring Windows 7 Client

Microsoft Windows is a series of graphical interface operating systems developed,
marketed, and sold by Microsoft. Microsoft introduced an operating environment named Windows on
November 20, 1985 as a graphical operating system shell for MS-DOS in response to the
growing interest in graphical user interfaces. Microsoft Windows came to dominate the
world's personal computer market with over 90% market share, overtaking Mac OS, which had
been introduced in 1984.

Background

The Early Version


The history of Windows dates back to September 1981, when Chase
Bishop, a computer scientist, designed the first model of an electronic
device and project "Interface Manager" was started. It was announced
in November 1983 under the name "Windows", but Windows 1.0 was
not released until November 1985. Windows 1.0 achieved little
popularity and was to compete with Apple's own operating system.
Windows 1.0 is not a complete operating system; rather, it extends MS-DOS.
The shell of Windows 1.0 is a program known as the MS-DOS Executive. Included
components include Calculator, Calendar, Cardfile, Clipboard viewer, Clock, Control
Panel, Notepad, Paint, Reversi, Terminal and Write. Windows 1.0 does not allow overlapping
windows. Instead all windows are tiled. Only modal dialog boxes may appear over other
windows.

Windows 2.0 was released in December 1987 and was more popular than its
predecessor. It features several improvements to the user interface and memory management.
It also introduced more sophisticated keyboard shortcuts and could make use of expanded
memory.

Windows 2.03 changed the OS from tiled windows to overlapping windows. The result of
this change led to Apple Computer filing a suit against Microsoft alleging infringement on
Apple's copyrights.


Windows 2.1 was released in two different versions: Windows/286 and Windows/386.
Windows/386 uses the virtual 8086 mode of Intel 80386 to multitask several DOS programs and
the paged memory model to emulate expanded memory using available extended memory.
Windows/286, in spite of its name, runs on both Intel 8086 and Intel 80286. It runs in real
mode but can make use of the high memory area.

Windows 3.0, released in 1990, improved the design, mostly because of virtual
memory and loadable virtual device drivers (VxDs) that allow Windows to share arbitrary
devices between multi-tasked DOS applications. Windows 3.0 applications can run in protected
mode, which gives them access to several megabytes of memory without the obligation to
participate in the software virtual memory scheme.

Windows 3.1, made generally available on March 1, 1992, featured a facelift. In August
1993, Windows for Workgroups, a special version with integrated peer-to-peer
networking features and a version number of 3.11, was released. It was sold alongside Windows
3.1. Support for Windows 3.1 ended on December 31, 2001.

Windows 9x

Windows 95 was released on August 24, 1995. While still remaining MS-DOS-based,
Windows 95 introduced support for native 32-bit applications, plug and
play hardware, preemptive multitasking, long file names of up to 255 characters, and provided
increased stability over its predecessors. Windows 95 also introduced a redesigned, object
oriented user interface, replacing the previous Program Manager with the Start menu, taskbar,
and Windows Explorer shell.

Windows 98 was released on June 25, 1998, and introduced the Windows Driver Model,
support for USB composite devices, support for ACPI, hibernation, and support for multi-
monitor configurations. Windows 98 also included integration with Internet Explorer 4
through Active Desktop and other aspects of the Windows Desktop Update (a series of
enhancements to the Explorer shell which were also made available for Windows 95).

In May 1999, Microsoft released Windows 98 Second Edition, an updated version of
Windows 98. Windows 98 SE added Internet Explorer 5.0 and Windows Media Player 6.2
amongst other upgrades. Mainstream support for Windows 98 ended on June 30, 2002 and
extended support for Windows 98 ended on July 11, 2006.[13]


On September 14, 2000, Microsoft released Windows ME (Millennium Edition), the last
DOS-based version of Windows. Windows ME incorporated visual interface enhancements from
its Windows NT-based counterpart Windows 2000, had faster boot times than previous
versions, expanded multimedia functionality (including Windows Media Player 7, Windows
Movie Maker, and the Windows Image Acquisition framework for retrieving images from
scanners and digital cameras), additional system utilities such as System File
Protection and System Restore, and updated home networking tools. However, Windows ME
was faced with criticism for its speed and instability, along with hardware compatibility issues
and its removal of real mode DOS support. PC World considered Windows ME to be one of the
worst operating systems Microsoft had ever released, and the 4th worst tech product of all time.

Windows NT

In November 1988, a new development team within Microsoft (which included
former Digital Equipment Corporation developers Dave Cutler and Mark Lucovsky) began work
on a revamped version of IBM and Microsoft's OS/2 operating system known as "NT OS/2". NT
OS/2 was intended to be a secure, multi-user operating system with POSIX compatibility and a
modular, portable kernel with preemptive multitasking and support for multiple processor
architectures. However, following the successful release of Windows 3.0, the NT development
team decided to rework the project to use an extended 32-bit port of the Windows API known as
Win32 instead of those of OS/2. The first release of the resulting operating system, Windows NT
3.1 (named to associate it with Windows 3.1) was released in July 1993 with versions for
desktop workstations and servers. Windows NT 3.5 was released in September 1994, focusing
on performance improvements and support for Novell's NetWare, and was followed up
by Windows NT 3.51 in May 1995, which included additional improvements and support for
the PowerPC architecture. Windows NT 4.0 was released in June 1996, introducing the
redesigned interface of Windows 95 to the NT series. On February 17, 2000, Microsoft
released Windows 2000, a successor to NT 4.0. The Windows NT name was dropped at this
point in order to put a greater focus on the Windows brand.[18]

Windows XP

Windows XP was released on October 25, 2001. The introduction
of Windows XP aimed to unify the consumer-oriented Windows 9x series
with the architecture introduced by Windows NT, a change which
Microsoft promised would provide better performance over its DOS-based
predecessors. Windows XP would also introduce a redesigned


user interface (including an updated Start menu and a "task-oriented" Windows Explorer),
streamlined multimedia and networking features, Internet Explorer 6, integration with
Microsoft's .NET Passport services, modes to help provide compatibility with software designed
for previous versions of Windows, and Remote Assistance functionality.

At retail, Windows XP was now marketed in two main editions: the "Home" edition was targeted
towards consumers, while the "Professional" edition was targeted towards business
environments and power users, and included additional security and networking features. Home
and Professional were later accompanied by the "Media Center" edition (designed for home
theater PCs, with an emphasis on support for DVD playback, TV tuner cards, DVR functionality,
and remote controls), and the "Tablet PC" edition (designed for mobile devices meeting
its specifications for a tablet computer, with support for stylus pen input and additional pen-
enabled applications). Mainstream support for Windows XP ended on April 14, 2009. Extended
support will continue until April 8, 2014.

Windows Vista, 7 and 8

Windows Vista was released on November 30, 2006 for volume
licensing and January 30, 2007 for consumers. It contained a number
of new features, from a redesigned shell and user interface to
significant technical changes, with a particular focus on security
features. It was available in a number of different editions, and has
been subject to some criticism. Vista's server counterpart, Windows
Server 2008 was released in early 2008.

On July 22, 2009, Windows 7 and Windows Server 2008 R2 were released as RTM
(release to manufacturing) while the former was released to the public 3 months later on
October 22, 2009. Unlike its predecessor, Windows Vista, which introduced a large number of
new features, Windows 7 was intended to be a more focused, incremental upgrade to the
Windows line, with the goal of being compatible with applications and hardware with which
Windows Vista was already compatible.[24] Windows 7 has multi-touch support, a
redesigned Windows shell with an updated taskbar, a home networking system called
HomeGroup and performance improvements.

Windows 8, the successor to Windows 7, was released generally on
October 28, 2012. A number of significant changes were made on
Windows 8, including the introduction of a user interface based around
Windows 8, including the introduction of a user interface based around


Microsoft's Metro design language with optimizations for touch-based devices such
as tablets and all-in-one PCs. These changes include the Start screen, which uses large tiles
that are more convenient for touch interactions and allow for the display of continually updated
information, and a new class of apps which are designed primarily for use on touch-based
devices. Other changes include increased integration with cloud services and other online
platforms (such as social networks and Microsoft's own SkyDrive and Xbox Live services),
the Windows Store service for software distribution, and a new variant known as Windows
RT for use on devices that utilize the ARM architecture.

The Microsoft Windows 7 Operating System

Module 1: Understanding Network Infrastructure


• Describe physical network topologies and standards.
• Define local area networks (LANs).
• Define wide area networks (WANs).
• Describe wireless networking technologies.
• Explain how to connect a network to the Internet.
• Describe how technologies connect remote access.

Important: We recommend that you use PowerPoint 2002 or a later version to display the slides
for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the
features of the slides might not display correctly.

Preparation tasks
To prepare for this module:
Read all of the materials for this module.
Practice performing the demonstrations and the lab exercises.
Work through the Module Review and Takeaways section, and determine how you will use this
section to reinforce student learning and promote knowledge transfer to on-the-job performance.

This module will provide a foundation for concepts and terminology related to network
infrastructure. The purpose is to introduce students to general definitions and explanations, but
not to go too in depth on any specific topic. More information specific to almost every topic will
be provided in Modules 2 and 3.

This topic introduces the student to basic networking concepts and terminology. Provide general
definitions, but do not spend too much time on any individual topic as they will be covered later
in this module and again with more detail in Modules 2 and 3.
Discuss with students the various aspects of a network and items they may have heard of or be
familiar with.

Lesson 1: Network Architecture Standard


Network architecture is the design of a communications network. It is a framework for
the specification of a network's physical components and their functional organization and
configuration, its operational principles and procedures, as well as data formats used in its
operation.
A network is a combination of computer hardware, cabling, network devices, and
computer software used together to allow computers to communicate with each other. A
network is basically all of the components (hardware and software) involved in connecting
computers across small and large distances. Networks are used to provide easy access to
information, thus increasing productivity for users.
Network components play a major role in designing and maintaining a network.

Network Components and Terminology


• Data are values of qualitative or quantitative variables, belonging to a set of items. Data
in computing (or data processing) are represented in a structure, often tabular
(represented by rows and columns), a tree (a set of nodes with parent-children
relationship) or a graph structure (a set of interconnected nodes).
• Node is a connection point, either a redistribution point or a communication
endpoint (some terminal equipment). The definition of a node depends on the network
and protocol layer referred to.
• Client is a piece of computer hardware or software that accesses a service made
available by a server.


• Server is a system (software and suitable computer hardware) that responds to requests
across a computer network to provide, or help to provide, a network service. Servers can
be run on a dedicated computer, which is also often referred to as "the server", but many
networked computers are capable of hosting servers. In many cases, a computer can
provide several services and have several servers running.
• Peer is a group of functional units in the same layer of a network, by analogy with peer
group.
• Network Adapter / Network interface controller (NIC) (also known as a network
interface card, LAN adapter and by similar terms) is a computer hardware component
that connects a computer to a computer network.
• Hub is a networking device that allows one to connect multiple PCs to a single network.
Hubs may be based on Ethernet, Firewire, or USB connections.
• Switch is a control unit that turns the flow of electricity or data on or off in a circuit. It may
also be used to route information patterns in streaming electronic data sent over
networks. In the context of a network, a switch is a computer networking device that
connects network segments.
• Router is a device that forwards data packets between computer networks, creating an
overlay internetwork. A router is connected to two or more data lines from different
networks. When a data packet comes in one of the lines, the router reads the address
information in the packet to determine its ultimate destination. Then, using information in
its routing table or routing policy, it directs the packet to the next network on its journey.
Routers perform the "traffic directing" functions on the Internet.
• Media / Medium is how the devices are connected together.
• Transport protocols occupy layer 4 of the OSI protocol model. The protocols at this
level provide connection-oriented sessions and reliable data delivery services. The
transport layer sits on top of layer 3 networking services.
• Bandwidth is a measurement of bit-rate of available or consumed data communication
resources expressed in bits per second or multiples of it (bit/s, kbit/s, Mbit/s, Gbit/s, etc.).

Network Architecture
Most common network architecture types:
• Ethernet is a family of computer networking technologies for local area
networks (LANs). The Ethernet standards comprise several wiring and signaling variants
of the OSI physical layer in use with Ethernet.


• FDDI (Fiber Distributed Data Interface) provides a 100 Mbit/s optical standard for data
transmission in local area network that can extend in range up to 200 kilometers
(120 mi).
• Token ring local area network (LAN) technology is a protocol which resides at the data
link layer (DLL) of the OSI model. It uses a special three-byte frame called a token that
travels around the ring. Token-possession grants the possessor permission to transmit
on the medium. Token ring frames travel completely around the loop.

This topic is intended to introduce the students to the IEEE and the 802 set of standards and
how the standards are defined and labeled. Don’t spend too much time defining or explaining
individual standards.

Institute of Electrical and Electronics Engineers 802


IEEE 802 refers to a family of IEEE standards dealing with local area
networks and metropolitan area networks. The IEEE 802 standards are restricted to
networks carrying variable-size packets.

IEEE 802.3 - Ethernet Networks


A working group and a collection of IEEE standards produced by the working
group defining the physical layer and data link layer's media access control (MAC) of
wired Ethernet. This is generally a local area network technology with some wide area
network applications. Physical connections are made between nodes and/or
infrastructure devices (hubs, switches, routers) by various types of copper or fiber cable.

IEEE 802.5 - Token Ring Networks


Token ring local area network (LAN) technology is a protocol which resides at
the data link layer (DLL) of the OSI model. It uses a special three-byte frame called a
token that travels around the ring. Token-possession grants the possessor permission to
transmit on the medium. Token ring frames travel completely around the loop.

IEEE 802.11 - Local Wireless Networks


IEEE 802.11 is a set of standards for implementing wireless local area
network (WLAN) computer communication in the 2.4, 3.6, 5 and 60 GHz frequency
bands. They are created and maintained by the IEEE LAN/MAN Standards Committee


(IEEE 802). The base version of the standard was released in 1997 and has had
subsequent amendments. These standards provide the basis for wireless network
products using the Wi-Fi brand.

IEEE 802.16 - Broadband Wireless Networks


IEEE 802.16 is a series of Wireless Broadband standards written by the Institute
of Electrical and Electronics Engineers (IEEE). The IEEE Standards Board established a
working group in 1999 to develop standards for broadband for Wireless Metropolitan
Area Networks. The Workgroup is a unit of the IEEE 802 local area
network and metropolitan area network standards committee.

This topic is intended to introduce the LAN as a conceptual entity, rather than a strictly defined
set of standards or parameters. The line between LANs and WANs is becoming less defined as
network technologies and bandwidth capability evolve. Be sure to stress this growing blur to
students and emphasize the LAN's ability to provide network resources to all clients on the LAN.

Lesson 2: Local Area Network


A local area network is a computer network that interconnects computers in a limited area such
as a home, school, computer laboratory, or office building using network media, and it is the most
common form of computer network.

Introduce the components as listed, focusing on their role in a LAN rather than detailed
specifications of each component. More detail will be provided on these components as they are
addressed in Modules 2 and 3.

• Network Adapter / Network interface controller (NIC) (also known as a network
interface card, LAN adapter and by similar terms) is a computer hardware component
that connects a computer to a computer network.
• Wiring / Cabling
Wiring is done for less sophisticated systems and general household gadgets
are connected to electrical line through wiring.
Cabling is done to carry the data in the form of electrical pulses from continents
to continents. The biggest advantage of cabling is that cables are capable of carrying
electrical pulses at lightning speed without incurring any losses during the process.


• Hub is a networking device that allows one to connect multiple PCs to a single network.
Hubs may be based on Ethernet, Firewire, or USB connections.
• Switch is a control unit that turns the flow of electricity or data on or off in a circuit. It may
also be used to route information patterns in streaming electronic data sent over
networks. In the context of a network, a switch is a computer networking device that
connects network segments.
• Termination Point is the set of all physical connections and their technical access
specifications which form part of the public telecommunications network and are
necessary for access to and efficient communication through that public network.
• Wiring cabinet is a small room commonly found in institutional buildings, such as
schools and offices, where data / electrical connections are made. While they are used
for many purposes, their most common use is for computer networking.

Introduce physical topology, emphasizing the "physical" component of the term. Reinforce with
the students that these terms are based on the actual physical layout and connection of the
devices on a LAN. This distinction will be critical to defining logical topologies and differentiating
the two in the next topic.


Review the definition and common usage for each topology. Use the question to initiate
discussion regarding possible implementations and combinations of physical topologies.
Question: What topology configuration might you recommend for a new Ethernet LAN being
built to connect computers located in several buildings together on a school
campus?
Answer: The most common configuration would be a hybrid topology using star
topology to connect computers together in each building and bus topology to
connect the individual buildings to each other. Students may also mention the
use of a mesh topology to provide a fault tolerant configuration between
buildings.

LAN Physical Topologies

Bus topology is a network architecture in which a set of clients are connected via a
shared communications line/cables, called a bus. There are several common instances of the
bus architecture, including one in the motherboard of most computers.

Ring Topology is a network topology in which each node connects to exactly two other
nodes, forming a single continuous pathway for signals through each node - a ring. Data travels
from node to node, with each node along the way handling every packet.

Star Topology is one of the most common computer network topologies. In its
simplest form, a star network consists of one central switch, hub or computer, which acts as a
conduit to transmit messages.

Hybrid Topology is created when two basic topologies are combined; the result is
sometimes referred to as a physical hierarchical star topology, although some texts make no
distinction between the two topologies.

Mesh Topology is a type of networking where each node must not only capture and
disseminate its own data, but also serve as a relay for other nodes, that is, it must collaborate to
propagate the data in the network.

Introduce the basic concept of a WAN. Contrast general WAN technology with LAN technology,
acknowledging that the differences separating the two terms are becoming fewer as networking
and computing technology evolves.

Lesson 3: Wide Area Network

A Wide Area Network is a network that covers a broad area using private
or public network transports (for example, any telecommunications network that links across
metropolitan, regional, or national boundaries).

Introduce the concepts in the context of a WAN. Keep concepts basic and ensure students are
aware of how these components link LANs together to form a WAN.

Physical WAN Components


Bridge
A Bridge device filters data traffic at a network boundary. Bridges reduce the amount of
traffic on a LAN/WAN by dividing it into two segments. Bridges serve a similar function to
switches, which also operate at Layer 2.

Leased Line
A Leased Line is a service contract between a provider and a customer, whereby the
provider agrees to deliver a symmetric telecommunications line connecting two or more
locations in exchange for a monthly rent (hence the term lease).

Backbone
The Internet backbone refers to the principal data routes between large, strategically
interconnected networks and core routers on the Internet. These data routes are hosted by
commercial, government, academic and other high-capacity network centers, the Internet
exchange points and network access points, that interchange Internet traffic between the
countries, continents and across the oceans of the world.

WAN Standards

T-Carrier
T-carrier refers to one of several digital transmission systems developed by Bell Labs. T-
carriers are used in North America, South Korea, and Kyoto. In digital telecommunications,
where a single physical wire pair can be used to carry many simultaneous voice conversations
by time-division multiplexing, worldwide standards have been created and deployed.

E-Carrier
The E-carrier system revised and improved the earlier American T-carrier technology,
and this has now been adopted by the International Telecommunication
Union Telecommunication Standardization Sector (ITU-T). This is now widely used in almost all
countries outside the US, Canada, and Japan. The European Conference of Postal and
Telecommunications Administrations (CEPT) originally standardized E-carrier.

Optical Carrier (OC-X)

A set of signaling rates designed for transmission over Synchronous Optical Network
(SONET) networks. Its levels also apply to Asynchronous Transfer Mode (ATM) networks. The
term “optical carrier” indicates that SONET runs over fiber-optic cabling.

Integrated Services Digital Network

Integrated Services Digital Network (ISDN) is a set of communication standards for
simultaneous digital transmission of voice, video, data, and other network services over the
traditional circuits of the public switched telephone network.

Lesson 4: Wireless Network

Wireless network refers to any type of computer network that uses wireless connections
between devices. A wireless network uses radio waves to connect devices such as laptops to the
Internet and to your business network and its applications.

Introduce wireless networks in general, followed by each individual component/term.
Give examples of typical implementations of ad-hoc and infrastructure networks.

Wireless Networking Components

Wireless Network Adapter

A wireless network interface controller (WNIC) is a network interface controller which
connects to a radio-based computer network rather than a wire-based network such as Token
Ring or Ethernet. A WNIC, just like other NICs, works at Layer 1 and Layer 2 of the OSI
Model.

Access Point
A wireless access point (AP) is a device that allows wireless devices to connect to a
wired network using Wi-Fi or related standards. The AP usually connects to a router (via a wired
network) if it is a standalone device, or is part of a router itself.

Ad Hoc Network
Ad hoc is a Latin phrase meaning "for this"; a wireless ad hoc network is a decentralized type
of wireless network. The network is ad hoc because it does not rely on a preexisting
infrastructure, such as routers in wired networks or access points in managed (infrastructure)
wireless networks. Instead, each node participates in routing by forwarding data for other nodes,
so the determination of which nodes forward data is made dynamically on the basis of network
connectivity. In addition to the classic routing, ad hoc networks can use flooding for forwarding
the data.

Infrastructure Network
Infrastructure mode wireless networking bridges (joins) a wireless network to a
wired Ethernet network. Infrastructure mode wireless also supports central connection points
for WLAN clients.

Service Set ID
SSID is a case-sensitive, 32 alphanumeric character unique identifier attached to
the header of packets sent over a wireless local-area network (WLAN) that acts as a password
when a mobile device tries to connect to the basic service set (BSS). (The BSS is a component
of the IEEE 802.11 WLAN architecture.)

Wireless Standards and Protocols

IEEE 802.11 is a set of standards for implementing wireless local area network (WLAN)
computer communication in the 2.4, 3.6, 5 and 60 GHz frequency bands.
IEEE 802.16 is a series of Wireless Broadband standards written by the Institute of
Electrical and Electronics Engineers (IEEE). The IEEE Standards Board established a working
group in 1999 to develop standards for broadband Wireless Metropolitan Area Networks.
The working group is a unit of the IEEE 802 local area network and metropolitan area
network standards committee.

Wireless LAN Standards

Common versions:

802.11a
802.11a-1999 or 802.11a was an amendment to the IEEE 802.11 wireless local network
specifications that defined requirements for an orthogonal frequency division multiplexing
(OFDM) communication system.
802.11b
802.11b-1999 or 802.11b is an amendment to the IEEE 802.11 wireless
networking specification that extends throughput up to 11 Mbit/s using the same 2.4 GHz band.

802.11g
802.11g-2003 or 802.11g is an amendment to the IEEE 802.11 specification that
extended throughput to up to 54 Mbit/s using the same 2.4 GHz band as 802.11b.

802.11n
802.11n-2009 (802.11n *lite) is an amendment to the IEEE 802.11-2007 wireless
networking standard. It improved network throughput over the two previous standards,
802.11a and 802.11g, with a significant increase in the maximum net data rate from 54 Mbit/s to
600 Mbit/s with the use of four spatial streams at a channel width of 40 MHz.

Lesson 5: Connecting to the Internet

Introduce the Internet as defined in the handbook. Explain the vastness and evolving
physical structure of the Internet to the students. The purpose of this lesson is not to specifically
define the Internet and its services and functionality, but rather to introduce it as a medium for
intermediary corporate network connections. Use the cloud analogy to explain how, in corporate
LAN/WAN structure, the Internet is typically referred to as a single physical entity for the
purpose of access and its use as an intermediary for secured communications between two
nodes. Reinforce its generally non-secure nature.

The Internet
The Internet is a global system of interconnected computer networks that use the
standard Internet protocol suite (TCP/IP) to serve billions of users worldwide. It is a network of
networks that consists of millions of private, public, academic, business, and government
networks, of local to global scope, that are linked by a broad array of electronic, wireless and
optical networking technologies. It also carries an extensive range of information resources
and services, such as the inter-linked hypertext documents of the World Wide Web (WWW) and
the infrastructure to support email.

Intranet and Extranet

Again, these terms are introduced not to specifically define and qualify each term, but to
allow the user to understand them in the context of a network's multiple connection possibilities
and the basic methods to best combine and utilize these possibilities. Introduce each concept in
general terms, emphasizing the intranet's private nature and the combined benefits/drawbacks
of extranets (allows information to be shared with partners and customers, but exposes an
organization’s data to greater risk of loss, theft or malicious intent).

Intranet
An Intranet is the generic term for a collection of private computer networks within an
organization; it offers a group of services on the network in an Internet-like way.
Extranet
An Extranet is a computer network that allows controlled access from the outside for
specific business or educational purposes, and offers services similar to an intranet's. Intranets and
extranets are communication tools designed to enable easy information sharing within
workgroups.

Lesson 6: Firewall

Introduce the concept of a firewall, illustrating its functionality and position within a
typical perimeter network. Reinforce the concept of a single point of entry and the importance of
a firewall’s role in ensuring the integrity of data both entering and leaving the network.

In computing, a firewall is a software- or hardware-based network security system that
controls the incoming and outgoing network traffic by analyzing the data packets and
determining whether they should be allowed through or not, based on a rule set. A network's
firewall builds a bridge between the internal network or computer it protects, which is assumed
to be secure and trusted, and another network, usually an external (inter)network such as the
Internet, that is not assumed to be secure and trusted.
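As an added example (not from the manual), the following Python simulates the rule-set decision the paragraph describes: rules are checked top to bottom, the first match decides, and any packet that matches nothing is denied and logged. The rule set, addresses and packets are constructed for illustration.

```python
"""Stateless packet filter illustrating a firewall rule set (added example).

Rules are evaluated top to bottom; the first rule whose fields all match a packet
decides its fate, and a packet that matches no rule is denied (default deny).
All addresses, rules and packets here are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = None  # wildcard for a rule field


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (arriving from the untrusted side) or "out"
    proto: str      # "tcp", "udp" or "icmp"
    src: str        # source IP address
    dst: str        # destination IP address
    dport: Optional[int] = None  # destination port, None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    direction: Optional[str] = ANY
    proto: Optional[str] = ANY
    src_net: Optional[str] = ANY     # CIDR, e.g. "203.0.113.0/24"
    dst_net: Optional[str] = ANY
    dport: Optional[int] = ANY
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        """True only if every non-wildcard field of the rule matches the packet."""
        if self.direction is not ANY and self.direction != pkt.direction:
            return False
        if self.proto is not ANY and self.proto != pkt.proto:
            return False
        if self.src_net is not ANY and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.dst_net is not ANY and ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.dport is not ANY and self.dport != pkt.dport:
            return False
        return True


# Constructed rule set for a perimeter firewall in front of a web server
# (192.0.2.10) on the protected LAN 192.0.2.0/24 (documentation address ranges).
RULES: List[Rule] = [
    Rule("deny", direction="in", src_net="192.0.2.0/24",
         comment="anti-spoofing: internal source address arriving from outside"),
    Rule("allow", direction="in", proto="tcp", dst_net="192.0.2.10/32", dport=443,
         comment="public HTTPS service"),
    Rule("allow", direction="in", proto="tcp", dst_net="192.0.2.10/32", dport=80,
         comment="public HTTP service"),
    Rule("allow", direction="out", src_net="192.0.2.0/24",
         comment="internal hosts may initiate outbound traffic"),
    # anything else falls through to the implicit default deny below
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (decision, reason) for a packet using first-match semantics."""
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, f"rule {idx}: {rule.comment}"
    return "deny", "default deny: no rule matched"


def audit(packets: List[Packet], rules: List[Rule] = RULES) -> List[str]:
    """Produce one log line per packet, as a firewall would for monitoring."""
    lines = []
    for pkt in packets:
        decision, reason = filter_packet(pkt, rules)
        lines.append(f"{decision.upper():5} {pkt.direction:3} {pkt.proto:4} "
                     f"{pkt.src} -> {pkt.dst}:{pkt.dport} ({reason})")
    return lines


if __name__ == "__main__":
    sample = [  # constructed traffic
        Packet("in", "tcp", "198.51.100.7", "192.0.2.10", 443),   # allowed
        Packet("in", "tcp", "198.51.100.7", "192.0.2.10", 22),    # default deny
        Packet("in", "tcp", "192.0.2.55", "192.0.2.10", 80),      # spoofed source
        Packet("out", "udp", "192.0.2.20", "198.51.100.53", 53),  # allowed
    ]
    print("\n".join(audit(sample)))
```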

Introduce perimeter networks. The physical borders of perimeter networks and further security
principles will be discussed later in this lesson.
If applicable, compare and contrast perimeter networks with extranets (as discussed earlier).

Perimeter Network

In computer security, a perimeter network is a physical or logical sub-network that
contains and exposes an organization's external-facing services to a larger untrusted network,
usually the Internet. The purpose of a perimeter network is to add an additional layer of security
to an organization's local area network (LAN): an external attacker only has access to
equipment in the perimeter, rather than any other part of the network. A perimeter network is also
called a "DMZ"; the name is derived from the term "demilitarized zone", an area between nation
states in which military action is not permitted.

Lesson 7: The OSI Model

The OSI model defines the generic tasks that are performed for network communication.
The Open Systems Interconnection (OSI) model (ISO/IEC 7498-1) is a conceptual model that
characterizes and standardizes the internal functions of a communications system by
partitioning it into abstraction layers. The model is a product of the Open Systems
Interconnection project at the International Organization for Standardization (ISO).

Application (Layer 7)
This layer supports application and end-user processes. Communication partners are
identified, quality of service is identified, user authentication and privacy are considered, and
any constraints on data syntax are identified.

Presentation (Layer 6)
This layer provides independence from differences in data representation
(e.g., encryption) by translating from application to network format, and vice versa. The
presentation layer works to transform data into the form that the application layer can accept.
This layer formats and encrypts data to be sent across a network, providing freedom from
compatibility problems. It is sometimes called the syntax layer.

Session (Layer 5)
This layer establishes, manages and terminates connections between applications. The
session layer sets up, coordinates, and terminates conversations, exchanges, and dialogues
between the applications at each end. It deals with session and connection coordination.

Transport (Layer 4)
This layer provides transparent transfer of data between end systems, or hosts, and is
responsible for end-to-end error recovery and flow control. It ensures complete data transfer.

Network (Layer 3)
This layer provides switching and routing technologies, creating logical paths, known
as virtual circuits, for transmitting data from node to node. Routing and forwarding are functions
of this layer, as well as addressing, internetworking, error handling, congestion control and
packet sequencing.

Data Link (Layer 2)
At this layer, data packets are encoded and decoded into bits. It furnishes transmission
protocol knowledge and management and handles errors in the physical layer, flow control and
frame synchronization. The data link layer is divided into two sub layers: The Media Access
Control (MAC) layer and the Logical Link Control (LLC) layer. The MAC sub layer controls how
a computer on the network gains access to the data and permission to transmit it. The LLC layer
controls frame synchronization, flow control and error checking.

Physical (Layer 1)
This layer conveys the bit stream or electrical impulse, light or radio signal through
the network at the electrical and mechanical level. It provides the hardware means of sending
and receiving data on a carrier, including defining cables, cards and physical aspects. Fast
Ethernet, RS232, and ATM are protocols with physical layer components.

Lesson 8: Understanding Adapters, Hubs and Switches

The key focus of this lesson is:

• Describe a network adapter.
• Describe transmission speed.
• Describe hubs.
• Describe switches.
• Describe the capabilities of a virtual LAN (VLAN).

Network Adapter

A network adapter, or network interface controller (NIC) (also known as a network
interface card, LAN adapter and by similar terms), is a computer hardware component that
connects a computer to a computer network. The network adapter encapsulates the instructions
it receives from the protocol stack into a logical sequence known as a frame. It converts
instructions from the network protocol stack into electrical signals and merges these signals
onto the wire, and converts electrical signals received on the wire into meaningful instructions
for the network protocol stack.

Transmission Speed
Bandwidth is a measurement of the bit-rate of available or consumed data communication
resources expressed in bits per second or multiples of it (bit/s, kbit/s, Mbit/s, Gbit/s, etc.). It is
often used to describe the transmission speed of a network.

Hub
A hub enables star wiring by providing a central wiring point. It is a networking device
that allows one to connect multiple PCs to a single network, provides a degree of fault
isolation and lets you extend your network. Hubs may be based on Ethernet, Firewire, or USB
connections.
A network hub is an unsophisticated device in comparison with, for example, a switch. A
hub does not examine or manage any of the traffic that comes through it: any packet entering
any port is rebroadcast on all other ports. Effectively, it is barely aware of frames or packets
and mostly operates on raw bits or symbols. Consequently, due to the larger collision domains,
packet collisions are more frequent in networks connected using hubs than in networks
connected using more sophisticated devices.

Switch
Switch is a control unit that turns the flow of electricity or data on or off in a circuit. It may
also be used to route information patterns in streaming electronic data sent over networks. In
the context of a network, a switch is a computer networking device that connects network
segments.

A switch is a telecommunication device that receives a message from any device
connected to it and then transmits the message only to the device for which the message was
meant. This makes the switch a more intelligent device than a hub (which receives a message
and then transmits it to all the other devices on its network). The network switch plays an
integral part in most modern Ethernet local area networks (LANs). Mid-to-large sized LANs
contain a number of linked managed switches. Small office/home office (SOHO) applications
typically use a single switch, or an all-purpose converged device such as a residential
gateway to access small office/home broadband services such as DSL or cable Internet. In

50

Principles of Operating System

most of these cases, the end-user device contains a router and components that interface to the
particular physical broadband technology. User devices may also include a telephone interface
for VoIP.

Virtual LAN
A single layer-2 network may be partitioned to create multiple distinct broadcast
domains, which are mutually isolated so that packets can only pass between them via one or
more routers; such a domain is referred to as a Virtual Local Area Network, Virtual
LAN or VLAN.
It enables you to manage and isolate network traffic. A VLAN lets you increase the
number of nodes without needing to rewire the network, grouping physically dispersed nodes
into a logical LAN.
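An added Python example (not the manual's) contrasting the behaviour described in the Hub, Switch and Virtual LAN sections: a hub repeats every frame everywhere, a switch learns which MAC address sits behind which port and forwards known destinations to that port only, and a VLAN-aware switch floods unknown or broadcast frames only inside the sender's VLAN. Ports, MAC addresses and frames are constructed.

```python
"""Hub versus learning switch, with VLAN isolation (added example).

Each device's forward() returns the set of egress ports for a frame arriving on
a given port, which is the observable difference between the three behaviours.
MAC addresses, port-to-VLAN assignments and frames below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed MAC addresses for three hosts.
MAC_A, MAC_B, MAC_C = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    payload: str = ""


class Hub:
    """Layer-1 repeater: no addressing, one collision and broadcast domain."""

    def __init__(self, ports: int):
        self.ports = set(range(ports))

    def forward(self, in_port: int, frame: Frame) -> Set[int]:
        return self.ports - {in_port}   # every port except the one it came in on


class Switch:
    """Layer-2 learning switch; each port is an access port in exactly one VLAN."""

    def __init__(self, port_vlan: Dict[int, int]):
        self.port_vlan = port_vlan                        # port -> VLAN id
        self.mac_table: Dict[int, Dict[str, int]] = {}    # vlan -> mac -> port

    def forward(self, in_port: int, frame: Frame) -> Set[int]:
        vlan = self.port_vlan[in_port]
        table = self.mac_table.setdefault(vlan, {})
        table[frame.src_mac] = in_port                    # learn/refresh the source
        if frame.dst_mac != BROADCAST and frame.dst_mac in table:
            out = table[frame.dst_mac]
            return set() if out == in_port else {out}    # unicast to one port only
        # Unknown unicast or broadcast: flood, but only to ports in the same VLAN.
        return {p for p, v in self.port_vlan.items() if v == vlan and p != in_port}


def run_trace(device, events: List[Tuple[int, Frame]]) -> List[Set[int]]:
    """Apply (in_port, frame) events in order and collect the egress port sets."""
    return [device.forward(port, frame) for port, frame in events]


if __name__ == "__main__":
    # Constructed topology: ports 0-1 in VLAN 10, ports 2-3 in VLAN 20.
    events = [
        (0, Frame(MAC_A, MAC_B, "hello")),       # B unknown yet: flooded within VLAN 10
        (1, Frame(MAC_B, MAC_A, "reply")),       # A was learned on port 0: sent only there
        (0, Frame(MAC_A, MAC_B, "again")),       # B now learned on port 1
        (2, Frame(MAC_C, BROADCAST, "arp")),     # broadcast stays inside VLAN 20
    ]
    print("hub   :", run_trace(Hub(4), events))
    print("switch:", run_trace(Switch({0: 10, 1: 10, 2: 20, 3: 20}), events))
```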

Lesson 9: Understanding Routing

The key focus of this lesson is:

• Describe routers.
• Describe a routing table.
• Describe both static and dynamic routing.
• Understand routing protocols.
• Select a suitable routing configuration.

Routing is the process of selecting paths in a network along which to send network
traffic. Routing is performed for many kinds of networks, including the telephone network (circuit
switching), electronic data networks (such as the Internet), and transportation networks. This
lesson is concerned primarily with routing in electronic data networks using packet
switching technology.
In packet switching networks, routing directs packet forwarding (the transit of logically
addressed packets from their source toward their ultimate destination) through
intermediate nodes. Intermediate nodes are typically network hardware devices such
as routers, bridges, gateways, firewalls, or switches. General-purpose computers can also
forward packets and perform routing, though they are not specialized hardware and may suffer
from limited performance. The routing process usually directs forwarding on the basis of routing
tables which maintain a record of the routes to various network destinations. Thus, constructing
routing tables, which are held in the router's memory, is very important for efficient routing. Most
routing algorithms use only one network path at a time. Multipath routing techniques enable the
use of multiple alternative paths.

Router
A router is a device that manages network traffic by forwarding packets between
computer networks only when required, creating an overlay internetwork. A router is connected
to two or more data lines from different networks. When a data packet comes in on one of the lines,
the router reads the address information in the packet to determine its ultimate destination.
Then, using information in its routing table or routing policy, it directs the packet to the next
network on its journey. Routers perform the "traffic directing" functions on the Internet. A data
packet is typically forwarded from one router to another through the networks that constitute the
internetwork until it reaches its destination node.
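The forwarding decision described above, as an added Python example that is not from the manual: a constructed routing table is searched for the longest prefix that contains the packet's destination, a default route (0.0.0.0/0) stands in for a default-gateway setting, and the router drops the packet when no route matches or its TTL has run out. Addresses, interfaces and next hops are constructed.

```python
"""Router forwarding decision by longest-prefix match (added example).

A router compares a packet's destination address against every entry in its
routing table and picks the most specific (longest) matching prefix; a default
route (0.0.0.0/0) matches everything and is used only when nothing more
specific exists. The routing table and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: Optional[IPv4Address]  # None means the prefix is directly connected
    interface: str


def build_table(entries: List[Tuple[str, Optional[str], str]]) -> List[Route]:
    """Turn (prefix, next_hop or None, interface) triples into Route objects."""
    return [Route(ip_network(p), ip_address(nh) if nh else None, iface)
            for p, nh, iface in entries]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the route with the longest prefix containing dst, or None."""
    addr = ip_address(dst)
    best = None
    for route in table:
        if addr in route.prefix:
            if best is None or route.prefix.prefixlen > best.prefix.prefixlen:
                best = route
    return best


def forward(table: List[Route], dst: str, ttl: int = 64) -> Tuple[str, str]:
    """Decide what a router does with a packet: drop, deliver or forward."""
    if ttl <= 1:
        return ("drop", "TTL expired")       # stops packets looping forever
    route = lookup(table, dst)
    if route is None:
        return ("drop", "no route to host")  # no default route configured
    if route.next_hop is None:
        return ("deliver", route.interface)  # destination is on a connected link
    return ("forward", f"{route.next_hop} via {route.interface}")


# Constructed table for a router with two LAN interfaces and an Internet uplink.
TABLE = build_table([
    ("192.0.2.0/24", None, "eth0"),            # connected LAN
    ("198.51.100.0/24", None, "eth1"),         # connected LAN
    ("10.10.0.0/16", "198.51.100.2", "eth1"),  # static route to a branch office
    ("10.10.5.0/24", "198.51.100.3", "eth1"),  # more specific: a different router
    ("0.0.0.0/0", "203.0.113.1", "eth2"),      # default route (default gateway)
])

if __name__ == "__main__":
    for dst in ["192.0.2.77", "10.10.5.9", "10.10.200.1", "8.8.8.8"]:
        print(dst, "->", forward(TABLE, dst))
```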

Key Message:
Discuss the process of the packet working its way through the network to the destination.
Ask students if they could recommend an alternative to using routing tables here. For
example, default gateway settings with each router configured with the other router’s local
interface as its default gateway.

Common Routing Protocol

Routing Information Protocol

The Routing Information Protocol (RIP) is a distance-vector routing protocol, which
employs the hop count as a routing metric. RIP prevents routing loops by implementing a limit
on the number of hops allowed in a path from the source to a destination. The maximum
number of hops allowed for RIP is 15. This hop limit, however, also limits the size of networks
that RIP can support. A hop count of 16 is considered an infinite distance and used to deprecate
inaccessible, inoperable, or otherwise undesirable routes in the selection process.

Open Shortest Path First

Open Shortest Path First (OSPF) is a link-state routing protocol for Internet Protocol (IP)
networks. It uses a link state routing algorithm and falls into the group of interior routing
protocols, operating within a single autonomous system (AS). It gathers link state information
from available routers and constructs a topology map of the network. The topology determines
the routing table presented to the Internet Layer which makes routing decisions based solely on
the destination IP address found in IP packets. OSPF was designed to support variable-length
subnet masking (VLSM) or Classless Inter-Domain Routing (CIDR) addressing models.
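An added Python example, not from the manual, computing routes on one constructed topology in the two ways described in the RIP and OSPF sections above: a RIP-style distance-vector exchange that counts hops and treats 16 as infinity, and an OSPF-style Dijkstra run over a link-cost map. Router names, link costs and the chain topology are constructed.

```python
"""Distance-vector (RIP-style) versus link-state (OSPF-style) route computation
(added example). RIP counts hops and clamps at 16, so a destination more than
15 hops away is simply absent from the table; OSPF knows every link's cost and
can prefer a longer-hop path with a lower total cost. All names and costs are
constructed for illustration.
"""
import heapq
from typing import Dict, List, Tuple

INFINITY = 16   # RIP: a hop count of 16 means "unreachable"
MAX_HOPS = 15

# Undirected links: (router_a, router_b, OSPF cost). RIP ignores the cost.
Link = Tuple[str, str, int]


def neighbors(links: List[Link]) -> Dict[str, Dict[str, int]]:
    """Adjacency map: router -> {neighbour: link cost}."""
    adj: Dict[str, Dict[str, int]] = {}
    for a, b, cost in links:
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj


def rip_table(links: List[Link], me: str, rounds: int = 50) -> Dict[str, Tuple[int, str]]:
    """Simulate periodic RIP updates: every router reads its neighbours' tables
    and keeps the smallest hop count (Bellman-Ford). Returns dest -> (hops,
    next_hop) as seen by router `me`, omitting anything at infinity."""
    adj = neighbors(links)
    tables = {r: {r: (0, r)} for r in adj}          # each router knows itself
    for _ in range(rounds):
        changed = False
        for r in adj:
            for nb in adj[r]:
                for dest, (hops, _) in tables[nb].items():
                    cand = min(hops + 1, INFINITY)   # never count past infinity
                    if cand < tables[r].get(dest, (INFINITY, None))[0]:
                        tables[r][dest] = (cand, nb)
                        changed = True
        if not changed:                              # converged
            break
    return {d: v for d, v in tables[me].items() if v[0] <= MAX_HOPS}


def ospf_table(links: List[Link], me: str) -> Dict[str, Tuple[int, str]]:
    """Dijkstra over the full topology map: dest -> (total cost, next_hop)."""
    adj = neighbors(links)
    dist = {me: 0}
    first_hop: Dict[str, str] = {}
    heap: List[Tuple[int, str]] = [(0, me)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue                                 # stale heap entry
        for v, cost in adj[u].items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                first_hop[v] = v if u == me else first_hop[u]
                heapq.heappush(heap, (nd, v))
    return {v: (dist[v], first_hop[v]) for v in dist if v != me}


def chain(length: int) -> List[Link]:
    """Constructed linear topology R0 - R1 - ... - R<length>, cost 1 per link."""
    return [(f"R{i}", f"R{i + 1}", 1) for i in range(length)]


# Constructed topology: a path A-B-C-D of cost 1 per link and a slow direct link A-D of cost 10.
SAMPLE: List[Link] = [("A", "B", 1), ("B", "C", 1), ("C", "D", 1), ("A", "D", 10)]

if __name__ == "__main__":
    print("RIP  at A:", rip_table(SAMPLE, "A"))   # D is 1 hop, via the slow direct link
    print("OSPF at A:", ospf_table(SAMPLE, "A"))  # D is cost 3, via B
    print("RIP at R0 can reach R16?", "R16" in rip_table(chain(16), "R0"))
```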

Border Gateway Protocol

Border Gateway Protocol (BGP) is the protocol used to make core routing
decisions on the Internet; it involves a table of IP networks or "prefixes" which designate
network reachability among autonomous systems (AS). BGP is a path vector protocol, a variant
of a distance-vector routing protocol. BGP neighbors, called peers, are established by manual
configuration between routers to create a TCP session on port 179. A BGP speaker periodically
(every 30 seconds) sends 19-byte keep-alive messages to maintain the connection. Among
routing protocols, BGP is unique in using TCP as its transport protocol.

Discussion: Selecting a suitable routing protocol

Which routing protocol should you use?

Question: A subsidiary of Fabrikam has a medium-sized network consisting of around 500
nodes. These nodes are distributed across several floors in their headquarters
building. Additionally, there are about a dozen branch offices each with around ten
nodes. Routers have been deployed within the network to interconnect the networks.
Would you recommend static or dynamic routing?
Answer: It depends on the number of routers involved. Static routing has the advantage of
being entirely predictable; it does not change unless you change it. However, there
might be twenty or more networks in this organization. As some are remotely connected,
there is the possibility of link-failure. A routing protocol would be useful in this respect.

Question: Is the use of a routing protocol indicated? If so, which one would you recommend?
Answer: The use of OSPF would be sensible. The network is not too large to implement RIP;
however, the presence of remote links with their potential for failure would better suit a
link-state rather than a distance-vector protocol; hence OSPF rather than RIP.

Question: Tailspin Toys has a small network consisting of around 100 nodes. Recently,
network throughput has been affected by network traffic. You decide to install routers to
help manage the network traffic. Initially, there will be three networks connected by two
routers. Would you recommend static or dynamic routing?
Answer: With a small number of routers there is no need for dynamic routing. Static routing
tables would be quick and easy to configure.

Question: How else could you configure these routers?
Answer: You could configure each router to use the other router as its default gateway. There
would then be no need for routing tables at all.

Question: Tailspin Toys implements an Internet connection by using a router. How does this
change the router configuration you have selected?
Answer: The default gateway method would no longer work; two routers in sequence is the
maximum possible. Implementation of either static routing or RIP would now be
appropriate.

Lesson 10: Understanding Media Types

The key focus of this lesson is:

• Describe coaxial cable.
• Describe twisted-pair cable.
• Describe the CAT standards.
• Describe fiber cable.
• Select a suitable cable type.

Coaxial cable
A coaxial cable is a type of cable that has an inner conductor surrounded by a tubular
insulating layer, surrounded by a tubular conducting shield. Many coaxial cables also have an
insulating outer sheath or jacket. The term coaxial comes from the inner conductor and the
outer shield sharing a geometric axis.

Coaxial cable is used as a transmission line for radio frequency signals. Its applications
include feed-lines connecting radio transmitters and receivers with their antennas, computer
network (Internet) connections, and distributing cable television signals. One advantage of coax
over other types of radio transmission line is that in an ideal coaxial cable the electromagnetic
field carrying the signal exists only in the space between the inner and outer conductors.
Coaxial cable conducts electrical signal using an inner conductor (usually a solid copper,
stranded copper or copper plated steel wire) surrounded by an insulating layer and all enclosed
by a shield.

Coaxial cable design choices affect physical size, frequency performance, attenuation,
power handling capabilities, flexibility, strength, and cost. The inner conductor might be solid or
stranded; stranded is more flexible. To get better high-frequency performance, the inner
conductor may be silver-plated. Copper-plated steel wire is often used as an inner conductor for
cable used in the cable TV industry.

Twisted Pair Cable

Twisted pair cabling is a type of wiring in which two conductors of a single circuit are
twisted together for the purpose of canceling out electromagnetic interference (EMI) from
external sources; the installation is comparatively inexpensive. It is easier to find faults
because of the star-wired way in which the cable is laid, and it supports many uses including
data and telephony.
In balanced pair operation, the two wires carry equal and opposite signals and the
destination detects the difference between the two. This is known as differential
mode transmission. Noise sources introduce signals into the wires by coupling of electric or
magnetic fields and tend to couple to both wires equally. The noise thus produces a common-
mode signal which is canceled at the receiver when the difference signal is taken.

Fiber Cable
An optical fiber cable is a cable containing one or more optical fibers. The optical fiber
elements are typically individually coated with plastic layers and contained in a protective tube
suitable for the environment where the cable will be deployed.

Optical fiber consists of a core and a cladding layer, selected for total internal
reflection due to the difference in the refractive index between the two. In practical fibers, the
cladding is usually coated with a layer of acrylate polymer or polyimide. This coating protects
the fiber from damage but does not contribute to its optical waveguide properties. Individual
coated fibers (or fibers formed into ribbons or bundles) then have a tough resin buffer layer
and/or core tube(s) extruded around them to form the cable core.

Discussion: Selecting a suitable Cabling strategy

What cabling system should you use?

Question: Fabrikam has purchased a new building to house their Research and Development
team. There are two floors, each to support around one hundred network nodes. Each
workstation is to have a telephone installed. You want to minimize future disruption, so
any cabling solution must provide for emerging standards. The nature of the work the
R & D team undertakes necessitates a high bandwidth solution. What cabling system
would you recommend?
Answer: Twisted pair cabling is indicated – CAT 5e or 6 and above would be suitable for
Gigabit Ethernet.

Question: Fabrikam’s R & D center is across the private parking lot from the head offices. You
need to connect the R & D office back to the head office so that research staff has
access to corporate services. What cable would you recommend for this application?
Answer: Fiber cabling. Currently, MMF would probably do, as it is cheaper. However, 10Gbps
may not be sufficient for future applications, and it is expensive to dig up the parking lot.
SMF might be more sensible to future-proof the installation.

Review Questions
1. Why are firewalls so critical when designing and deploying networks?
Answer: Firewalls provide selective separation between networks. They allow potentially
untrusted networks to be connected to each other without posing a significant security
risk. The traffic and data that needs to travel between networks can be filtered and
monitored by the firewall to ensure the integrity of the relationship between networks.

2. What makes a wireless network more vulnerable to unauthorized access than a wired
network?
Answer: A wired network requires a node to have immediate physical access to network
hardware (an Ethernet jack for instance) to attempt to gain access to the network. On a
wireless network, however, successfully receiving the wireless signal is the only
requirement for physical access. Methods that govern access to a wired network such as
locked doors, specific office hours and security cameras do not necessarily govern
physical access to a wireless network.

Module 2: Windows Server Roles

Presentation: 60 minutes
Lab: 30 minutes
After completing this module, students will be able to:
• Describe different types of server.
• Select and install server roles and features to support different types of server.

Required materials
To teach this module, you need the Microsoft® Office PowerPoint® file 6420B_06.ppt.
Important: We recommend that you use PowerPoint 2002 or a later version to display the
slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the
features of the slides might not display correctly.

Preparation tasks
To prepare for this module:
• Read all of the materials for this module.
• Practice performing the demonstrations and the lab exercises.
• Work through the Module Review and Takeaways section, and determine how you will
use this section to reinforce student learning and promote knowledge transfer to on-the-
job performance.
Make sure that students are aware that the Course Companion CD contains additional module
information and resources.

After completing this module, students will be able to:


• Select and install server roles and features to support different types of server.
• Describe different types of server.

Windows Server 2008 R2


Windows® Server® 2008 R2 is the latest release of the Windows operating system for
Server workloads. Windows Server 2008 R2 builds upon the exceptional legacy of Windows
Server 2008. R2 is an incremental release to Windows Server 2008 – and only the second time
that Windows Client and Server releases are shipped simultaneously (Windows 2000 Server
was first). While Windows 7 is available in both 32- and 64-bit versions, R2 is the first 64-bit only
Server release.
Microsoft focused on the following key technology investment areas with Windows Server 2008
R2.
• Platform Scalability
• Virtualization
• Power Management
• Web Workloads
• Enterprise Workloads
• Powerful Platform Management

Lesson 1: Role-Based Deployment


The key focus of this lesson is:
• Describe server roles.
• Describe role services.
• Describe server features.
• Use Server Manager.
• Manage server roles and features.

Ensure that the students understand why they would want to dedicate a server to a
particular role and why they would commonly see many roles installed on one server. Briefly
discuss the common roles that are available and for what they are used. Mention that the Active
Directory binaries are installed when the AD DS role is installed, but DCPromo still needs to be
run to create a domain controller.

Reference:
Windows Server 2008 R2: Edition Comparison by Server Role
http://go.microsoft.com/fwlink/?LinkID=199658

Server Roles
Server roles – servers can be configured to perform a number of roles. The applications
that the server is running define that server's role. Servers typically need role services and
additional features installed to perform their specific role. Compared to workstations, servers
have more disk space and memory and faster processors. The server's role determines the
hardware that the server requires.

Active Directory Certificate Services


Starting with Windows Server® 2008, AD CS provides customizable services for creating
and managing public key certificates used in software security systems that employ public key
technologies.

Active Directory Domain Services


It provides secure hierarchical data storage for objects in a network, such as users,
computers, printers, and services.

Active Directory Federation Services


It provides users with single sign-on access to systems and applications located across
organizational boundaries. It uses a claims-based access control authorization model to
maintain application security and implement federated identity.

Active Directory Lightweight Directory Services


It provides flexible support for directory-enabled applications without the dependencies
that are required for AD DS.

Active Directory Rights Management Services


A form of Information Rights Management for Microsoft Windows that uses encryption and a
form of selective functionality denial to limit access to documents such as corporate e-mail,
Word documents, and web pages.

Application Server
It provides software applications with services such as data services, transaction
support, load balancing, and management of large distributed systems.

DHCP Server
A DHCP Server assigns IP addresses to client computers. This is very often used in
enterprise networks to reduce configuration efforts. All IP addresses of all computers are stored
in a database that resides on a server machine.

DNS Server
Domain Name System (DNS) is the name resolution protocol for TCP/IP networks, such
as the Internet. Client computers query a DNS server to resolve memorable, alphanumeric DNS
names to the IP addresses that computers use to communicate with each other. See more in
the DNS Server Overview for Windows Server 2008.


Fax Server
A fax server is a system installed in a local area network (LAN) server that allows
computer users whose computers are attached to the LAN to send and receive fax messages.

File Services
The primary purpose of File Services is to provide a location for shared disk access.

Hyper-V
Codenamed Viridian and formerly known as Windows Server Virtualization, Hyper-V is a
native hypervisor that enables platform virtualization on x86-64.

Network Policy and Access Services


Provides technologies that allow you to deploy virtual private networks, dial-up networking, and
802.11 protected wireless access. It can define and enforce policies for network access
authentication and authorization.

Print and Document Services


Enables you to share printers and scanners on a network, set up print servers and scan
servers, and centralize network printer and scanner management tasks.

Remote Desktop Services


Allows a user to access applications and data on a remote computer over a network
using the Remote Desktop Protocol (RDP).

Web Server (IIS)


Web Server (Internet Information Services) is a web server application and set of feature
extension modules created by Microsoft for use with Microsoft Windows.

Windows Deployment Services


A technology from Microsoft for network-based installation of Windows operating
systems; it is the successor to Remote Installation Services.

Windows Server Update Services


Previously known as Software Update Service (SUS), this is a computer program developed by
Microsoft Corporation that enables administrators to manage the distribution of updates and
hotfixes released for Microsoft products to computers in a corporate environment.

Role Services

Role services allow you to control which role functionality is installed and enabled.


Explain that the features offer more functionality to the server than adding a role does.
Often, the inclusion of features augments the functionality of installed roles. Discuss some of the
common features, such as Group Policy Management, Remote Server Administration Tools
(RSAT), Backup, and Windows PowerShell. Point out that Windows Server Backup appears
in the Administrative Tools folder on the Start menu even though it may not be installed yet.
Open Server Manager and show the students the available features as you discuss them.

Server Features

Server features provide auxiliary or supporting functions to servers.

Explain how Server Manager replaces multiple consoles and can provide ‘one-stop’
administration.
Ask students their opinion on the new Server Manager tools. Do they find them easier to
use than the old interfaces?

Server Manager
Server Manager is an expanded Microsoft Management Console (MMC) that allows you
to view and manage virtually all of the information and tools that affect your server's productivity.
Commands in Server Manager allow you to install or remove server roles and features, and to
augment roles already installed on the server by adding role services.
Server Manager makes server administration more efficient by allowing administrators to
do the following by using a single tool:

• View and make changes to server roles and features installed on the server.

• Perform management tasks associated with the operational life cycle of the server, such
as starting or stopping services, and managing local user accounts.

• Perform management tasks associated with the operational life cycle of roles installed
on the server.

• Determine server status, identify critical events, and analyze and troubleshoot
configuration issues or failures.

• Install or remove roles, role services, and features by using a Windows command line.

Demonstration Guide: How to Manage Roles and Features


1. On the Start menu, click Administrative Tools, and then click Server Manager. In the
Server Manager console, click Roles, and then in the right pane click Add Roles to view the
available server roles.
2. Select the check boxes for the desired roles, and then click Next to install them.
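The same role, role service and feature management can be done from the Windows command line, as the lesson notes. The following is an added example, not part of the course manual or of Microsoft's course materials; it uses the ServerManager PowerShell module shipped with Windows Server 2008 R2, and the role and feature names it installs (File Services with two of its role services, plus two supporting features) are illustrative choices for a role-specific file server.

```powershell
# Added example: manage roles, role services and features with the ServerManager
# module (Windows Server 2008 R2). Run in an elevated PowerShell session.
# The names in $RoleName, $RoleServices and $Features are illustrative choices.
Import-Module ServerManager

# 1. Show what is installed, grouped by the role -> role service -> feature hierarchy
#    described in this lesson. FeatureType is 'Role', 'Role Service' or 'Feature';
#    Depth is the nesting level under the parent role.
Get-WindowsFeature |
    Where-Object { $_.Installed } |
    Sort-Object FeatureType, Name |
    Format-Table Name, DisplayName, FeatureType, Depth -AutoSize

# 2. Install one role with only the role services this server needs. Adding a role
#    does not pull in every role service beneath it; select them explicitly.
$RoleName     = 'File-Services'                              # the role
$RoleServices = @('FS-FileServer', 'FS-DFS-Namespace')       # role services under it
$Features     = @('Backup-Features', 'RSAT-AD-PowerShell')   # supporting features

$wanted  = @($RoleName) + $RoleServices + $Features
$missing = Get-WindowsFeature -Name $wanted | Where-Object { -not $_.Installed }

if ($missing) {
    # Preview the change first; -WhatIf reports what would be installed without doing it.
    $missing | Add-WindowsFeature -WhatIf

    $result = $missing | Add-WindowsFeature
    if ($result.Success) {
        $names = $result.FeatureResult | ForEach-Object { $_.Name }
        'Installed: ' + ($names -join ', ')
        # RestartNeeded is No, Yes or Maybe; some roles finish only after a reboot.
        if ($result.RestartNeeded -ne 'No') { 'A restart is needed to complete the installation.' }
    } else {
        Write-Error ('Installation failed with exit code ' + $result.ExitCode)
    }
}

# 3. Review: anything installed that is not on this server's wanted list is a
#    candidate for Remove-WindowsFeature, keeping a role-specific server minimal.
Get-WindowsFeature |
    Where-Object { $_.Installed -and ($wanted -notcontains $_.Name) } |
    Format-Table Name, FeatureType -AutoSize
```

Step 3 only lists candidates; review them against the server's intended role before removing anything, since features such as Windows PowerShell itself appear in that list.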

Lesson 2: Deploying Role-Specific Servers


The key focus of this lesson is:
• Describe a file and print server.
• Describe a domain controller.
• Describe an application server.
• Describe a Web server.
• Describe a remote access server.

File Server

A file server is a computer attached to a network whose primary purpose is to provide a
location for shared disk access: shared storage of computer files that can be accessed by the
workstations that are attached to the same computer network.

Describe the term file server. Mention printer servers. Make sure students are clear
about the fact that this is a specific type of server rather than a generic term.
Describe a domain controller to students. Talk about what happens when a domain
controller is unavailable. Mention that the domain controller has a copy of the domain partition
for the local domain, the configuration partition, and the schema partition. Mention RODC. Bear
in mind that the following module focuses on Active Directory Domain Services (AD DS).

Question: How many domain controllers should you have?


Answer: In a large organization, you should have at least two domain controllers per physical
location. In smaller organizations, you may have only one domain controller per physical
location. Some smaller locations may use a domain controller that is located across a
WAN link.

Domain Controller
• A server that responds to security authentication requests within the Windows Server
domain and holds a copy of AD DS
• Responds to requests for Active Directory information
• Authenticates users to the network
• Is located by querying DNS


Discussion prompt: Ask students whether they are familiar with the term client-server. Ask
them what it means to them.

Application Server
It provides software applications with services such as data services, transaction support, load
balancing, and management of large distributed systems. An application server is a computer that
is dedicated to running network-aware application software.
• Traditional applications
Traditional applications consist of only one tier, which resides on the client machine, but
web applications lend themselves to an n-tiered approach by nature. Though many
variations are possible, the most common structure is the three-tiered application. In its
most common form, the three tiers are called presentation, application, and storage, in
this order.
• Web-based applications

A web application is an application that is accessed by users over a network such as
the Internet or an intranet. The term may also mean a computer software application that is
coded in a browser-supported programming language (such as JavaScript, combined with a
browser-rendered markup language like HTML) and relies on a common web browser to render
the application executable.

Module 3: Installing, Upgrading, and Migrating to Windows 7

Overview
Windows® 7 is the latest version of the Windows operating system from Microsoft®. It is
built on the same kernel as Windows Vista®. Windows 7 ships in several editions to specifically
meet customer needs.
Windows 7 enhances user productivity and security, and reduces IT overhead for
deployment. It provides additional manageability with several key features, such as
BitLocker™, BitLocker To Go, AppLocker, and improvements in the Windows Taskbar.
Windows 7 also enhances the end-user experience with improvements on how users organize,
manage, search, and view information.


There are several ways to install Windows 7, but before you start, verify that the
hardware platform meets the requirements of the edition you want to install. If necessary, plan
for hardware upgrades. It is also recommended that you test your applications for compatibility
and prepare for any necessary mitigation plan.
Depending on the version of your current operating system, you may be able to upgrade
directly to Windows 7, or you may need to perform a clean installation of Windows 7 and
migrate the necessary settings and data.

Lesson 1: Preparing to Install Windows 7


Before installing Windows 7, ensure that your computer meets the minimum hardware
requirements. In addition, you must decide which edition of Windows 7 best suits your
organizational needs. You must also decide which architecture to use, either the 32-bit or the
64-bit platform of Windows 7.
Once you have established your hardware requirements and decided which edition of
Windows 7 to install, you have several options to install and deploy Windows 7. Depending on
several factors, such as your organization's deployment infrastructure, policy, and automation,
you may want to select one or more installation options.

Key Features of Windows 7


Windows 7 includes many features that enable users to be more productive. It also
provides a higher level of reliability and increases computer security when compared to the
previous versions of Windows.

The key features of Windows 7 are categorized as follows:


• Usability: Windows 7 includes tools to simplify a user’s ability to organize, search for, and
view information. In addition, Windows 7 communication, mobility, and networking
features help users connect to people, information, and devices by using simple tools.

• Security: Windows 7 is built on a fundamentally secure platform based on the Windows Vista
foundation. User Account Control (UAC) in Windows 7 adds security by limiting
administrator-level access to the computer, restricting most users to run as Standard
Users. Streamlined UAC in Windows 7 reduces the number of operating system
applications and tasks that require elevation of privileges and provides flexible prompt
behavior for administrators, allowing standard users to do more and administrators to
see fewer UAC elevation prompts.

• Multi-tiered data protection: Rights Management Services (RMS), Encrypting File System
(EFS), Windows BitLocker™ Drive Encryption, and Internet Protocol Security (IPsec)
provide different levels of data protection in Windows 7.
§ RMS enables organizations to enforce policies regarding document usage.
§ EFS provides user-based file and directory encryption.
§ BitLocker and BitLocker To Go™ provide full-volume encryption of the system volume,
including Windows system files, and of removable devices.
§ IPsec isolates network resources from unauthenticated computers and encrypts network
communication.

• Reliability and performance: Windows 7 takes advantage of modern computing hardware,
running more reliably and providing more consistent performance than previous versions
of Windows.

• Deployment: Windows 7 is deployed by using an image, which makes the deployment
process efficient because of several factors:
§ Windows 7 installation is based on Windows Imaging (WIM), which is a file-based,
disk-imaging format.
§ Windows 7 is modularized, which makes customization and deployment of the images
simpler.
§ Windows 7 uses Extensible Markup Language (XML)-based, unattended setup answer
files to enable remote and unattended installations.
§ Deploying Windows 7 by using Windows Deployment Services in Windows Server®
2008 R2 is optimized with Multicast with Multiple Stream Transfer and Dynamic Driver
Provisioning.
§ Deployment Image Servicing and Management (DISM) is a consolidated tool for servicing
and managing images.
§ Migrating user state is made more efficient with hard-link migration, offline user state
capture, volume shadow copy, and improved file discovery in USMT 4.0.


• Manageability: Windows 7 introduces several manageability improvements that can reduce
cost by increasing automation.
§ Microsoft Windows PowerShell 2.0, which enables IT professionals to create and run
scripts on a local PC or on remote PCs across the network.
§ Group Policy scripting, which enables IT professionals to manage Group Policy Objects
(GPOs) and registry-based settings in an automated manner.

Windows 7 improves the support tools to keep users productive and reduce help desk calls,
including:
§ Built-in Windows Troubleshooting Packs, which enable end-users to solve many
common problems on their own.
§ Improvements to the System Restore tool, which informs users of applications that might
be affected when they restore Windows to an earlier state.
§ The new Problem Steps Recorder, which enables users to record screenshots, click-by-
click, to reproduce a problem.
§ Improvements to the Resource Monitor and Reliability Monitor, which enable IT
Professionals to more quickly diagnose performance, compatibility, and resource
limitation problems.

Windows 7 also provides flexible administrative control with the following features:
§ AppLocker, which enables IT professionals to more flexibly set policy on which
applications and scripts users can run or install.
§ Auditing improvements, which enable IT professionals to use Group Policy to configure
more comprehensive auditing of files and registry access.
§ Group Policy Preferences that define the default configuration, which users can change,
and provide centralized management of mapped network drives, scheduled tasks, and
other Windows components that are not Group Policy-aware.

• Productivity: Windows 7 improvements to the user interface help users and IT Professionals
increase their productivity with features such as Windows Search. Windows 7 improves the
mobile and remote user experience by introducing BranchCache™, DirectAccess, and VPN
Reconnect.
§ BranchCache increases network responsiveness of applications and gives users in
remote offices an experience like working in the head office.
§ DirectAccess connects mobile workers seamlessly and safely to their corporate network
any time they have Internet access, without the need for a VPN.
§ VPN Reconnect provides seamless and consistent VPN connectivity by automatically re-
establishing a VPN when users temporarily lose their Internet connections.

Windows 7 introduces Windows Virtual PC, which provides the capability to run multiple
environments, such as Windows XP Mode, from a Windows 7 computer. This feature enables you
to publish and launch applications installed in the virtual Windows XP directly from the Windows 7
computer, as if they were installed on the Windows 7 host itself.

Question: What are the key features of Windows 7 that will help your organization?

Editions of Windows 7
There are six Windows 7 editions: two editions for mainstream consumers and business
users, and four specialized editions for enterprise customers, technical enthusiasts, emerging
markets, and entry-level PCs. The following are the available editions of Windows 7:

• Windows 7 Starter: this edition is targeted specifically for small form factor PCs in all markets.
It is only available for the 32-bit platform. Features include:
• An improved Windows Taskbar and Jump Lists
• Windows Search, ability to join a HomeGroup, Action Center, Device Stage, Windows
Fax and Scan
• Enhanced media streaming, including Play To
• Broad applications and device compatibility without limitation on how many applications
can run simultaneously

• Windows 7 Home Basic: this edition is targeted for value PCs in emerging markets; it is
meant for accessing the Internet and running basic productivity applications. It includes all
features available in Windows 7 Starter, and other features, such as Live Thumbnail previews,
enhanced visual experiences, and advanced networking support.


• Windows 7 Home Premium: this edition is the standard edition for customers. It provides full
functionality on the latest hardware, simple ways to connect, and a visually rich environment.
This edition includes all features available in Windows 7 Home Basic and other features, such
as:
• Windows Aero®, advanced Windows navigation and Aero background
• Windows Touch
• Ability to create a HomeGroup
• DVD Video playback and authoring
• Windows Media Center, Snipping Tool, Sticky Notes, Windows Journal, and Windows
SideShow™

• Windows 7 Professional: this edition is the business-focused edition for small and lower mid-
market companies and users who have networking, backup, and security needs and multiple
PCs or servers. It includes all features available in Windows 7 Home Premium, and other
features, such as core business features including:
• Domain Join and Group Policy
• Data protection with advanced network backup and Encrypted File System
• Ability to print to the correct printer at home or work with Location Aware Printing
• Remote Desktop host and Offline folders
• Windows Virtual PC and Windows XP Mode

• Windows 7 Enterprise: this edition provides advanced data protection and information
access for businesses that use IT as a strategic asset. It is a business-focused edition, targeted
for managed environments, mainly large enterprises. This edition includes all features available
in Windows 7 Professional, and other features, such as:
• BitLocker and BitLocker To Go
• AppLocker
• DirectAccess
• BranchCache
• Enterprise Search Scopes
• All worldwide interface languages
• Virtual Desktop Infrastructure (VDI) enhancements
• Ability to start from a VHD


• Windows 7 Ultimate: this edition is targeted for technical enthusiasts who want all Windows 7
features, without a Volume License agreement. It includes all of the same features as the
Windows 7 Enterprise. Windows 7 Ultimate is not licensed for VDI scenarios.

Note: Microsoft also produces an N edition of Windows 7 Starter, Windows 7 Home Basic, and
Windows 7 Professional. The N editions of Windows 7 include all of the same features as the
corresponding editions, but do not include Microsoft® Windows Media® Player and related
technologies. This enables you to install your own media player and associated components.

Note: There are 32 and 64-bit versions available for all editions of Windows 7 except Windows
7 Starter, which is available only as a 32-bit operating system.

Discussion:
Question: Which edition of Windows 7 might you choose in the following scenarios?
Scenario 1: There are a few users in your organization. Currently, you do not have a centralized
file server and all of the computers are not joined to a domain.
Scenario 2: Your organization has more than one hundred users who are located in several
offices across the country. In addition, you have several users that travel frequently.

Question: What is the difference between the Enterprise and the Ultimate edition of Win7?

Hardware Requirements for Installing Windows 7


In general, the hardware requirements for Windows 7 are the same as for Windows
Vista. The preceding table shows the minimum hardware requirements for different editions of
Windows 7.


Note: An Aero® Capable GPU supports DirectX 9 with a WDDM driver, Pixel Shader 2.0, and
32 bits per pixel.

Hardware Requirements for Specific Features


Actual requirements and product functionality may vary based on your system configuration. For
example:

• While all editions of Windows 7 can support multiple core CPUs, only Windows 7 Professional,
Ultimate, and Enterprise can support dual processors.
• A TV tuner card is required for TV functionality (compatible remote control optional).
• Windows Tablet and Touch Technology requires a Tablet PC or a touch screen.
• Windows XP Mode requires an additional 1 GB of RAM, an additional 15 GB of available hard
disk space, and a processor capable of hardware virtualization with Intel VT or AMD-V enabled.
• Windows BitLocker Drive Encryption requires a Universal Serial Bus (USB) Flash Drive or a
system with a Trusted Platform Module (TPM) 1.2 chip.

When considering the deployment of Windows 7, use the previous table as a guideline for
minimum hardware standards, but consider the level of performance that you want to achieve,
as this table only specifies the minimum requirements. To achieve optimum performance,
consider hardware that is more powerful.

Question: What is the typical computer specification within your organization currently?
Contrast that specification to what was typically available when Windows Vista was
released. Do you think Windows 7 can be deployed to the computers within your
organization as they currently are?

Advantages of Using 64-Bit Editions of Windows 7


The features in the 64-bit editions of Windows 7 are identical to their 32-bit counterparts.
However, there are several advantages of using a 64-bit edition of Windows 7.
• Improved Performance: the 64-bit processors can process more data for each clock cycle,
enabling you to scale your applications to run faster or support more users. To benefit from this
improved processor capacity, you must install a 64-bit edition of the operating system.

• Enhanced Memory: a 64-bit operating system can address memory above 4 GB. This is
unlike all 32-bit operating systems, including all 32-bit editions of Windows 7, which are limited
to 4 GB of addressable memory. The following table lists the memory configurations supported
by 64-bit editions of Windows 7.

• Improved Device Support: although 64-bit processors have been available for some time, in
the past it was difficult to obtain third-party drivers for commonly used devices, such as printers,
scanners, and other common office equipment. Since Windows Vista was first released, the
availability of drivers for these devices has improved greatly. Because Windows 7 is built on the
same kernel as Windows Vista, most of the drivers that worked with Windows Vista also
work with Windows 7.

• Improved Security: the processor architecture of x64-based processors from Intel and AMD
improves security with Kernel Patch Protection, mandatory kernel-mode driver signing, and Data
Execution Prevention.

Limitations of the 64-bit Editions


The 64-bit editions of Windows 7 do not support the 16-bit Windows on Windows
(WOW) environment. If your organization requires legacy 16-bit applications, one solution is to
run the application within a virtual environment by using one of the many Microsoft virtualization
technologies available.

Options for Installing Windows 7


Windows 7 supports the following types of installation:
• Clean installation: perform a clean installation when installing Windows 7 on a new partition
or when replacing an existing operating system on a partition. You can run setup.exe from the
product DVD or from a network share and can also use an image to perform a clean installation.
• Upgrade installation: perform an upgrade, which also is known as an in-place upgrade, when
replacing an existing version of Windows with Windows 7 and you need to retain all user
applications, files, and settings.


• Migration: perform a migration when you have a computer already running Windows 7 and
need to move files and settings from your old operating system (source computer) to the
Windows 7 computer (destination computer).
There are two migration scenarios: side-by-side and wipe and load. In side-by-side
migration, the source computer and the destination computer are two different computers. In
wipe and load migration, the target computer and the source computer are the same.

Discussion:

Question: Which type of installation do you use in the following scenarios?


Scenario 1: Your users have computers that are at least three years old and your organization
plans to deploy Windows 7 to many new computers.
Scenario 2: There are only a few users in your organization, their computers are mostly new,
but they have many applications installed and a lot of data stored in their computers.

Lesson 2: Performing a Clean Installation of Windows 7


There are several ways to install Windows 7. The method you use may depend on
whether you are installing it on a new computer or on a computer that is running another version
of Windows. A clean installation is done when you install Windows 7 on a new partition or when
you replace an existing operating system on a partition.

Discussion: Considerations for a Clean Installation


Present and discuss your ideas on this topic in the class.

Methods for Performing Clean Installation

There are several methods to perform a clean installation of Windows 7.


• Running Windows 7 installation from DVD: installing from the product DVD is the simplest
way to install Windows 7.

• Running Windows 7 installation from a Network Share: instead of a DVD, the Windows 7
installation files can be stored in a network share. Generally, the network source is a shared
folder on a file server.


• If your computer does not currently have an operating system, start the computer by
using Windows PE.
• If your computer already has an operating system, you can start the computer with the
old operating system.

• Installing Windows 7 by Using an Image: install Windows 7 to a reference computer and
prepare the reference computer for duplication. Capture the volume image to a WIM file by
using the ImageX tool. Then, use the deployment tools, such as ImageX, WDS, or MDT, to
deploy the captured image. Image-based installation of Windows will be covered in more detail
in a later lesson.

Note: Windows PE is a minimal 32- or 64-bit operating system with limited services, built on the
Windows 7 kernel. Windows PE is used to install and repair Windows operating systems.

Question: In what situation will you use each method of performing a clean installation of
Windows operating system?

Discussion: Common Installation Errors

The installation of Windows 7 is robust and trouble free if your hardware meets the
minimum requirements. However, a variety of problems can occur during an installation, and a
methodical approach helps solve them.

You can use the following four-step approach in any troubleshooting environment:
1. Determine what has changed.
2. Eliminate the possible causes to determine the probable cause.
3. Identify a solution.
4. Test the solution.

If the problem persists, go back to step three and repeat the process.
Present and discuss your ideas on this topic in the class.


Demonstration: Configuring the Computer Name and Domain/Work Group Settings


Typically, you will configure the Computer Name and Domain/Work Group settings after
installing Windows.

This demonstration shows how to configure domain and workgroup settings.


Configure the Computer Name and Domain/Work Group Settings
1. Log on to the computer by using the required credentials.
2. Open the System Information window by using the Control Panel.
3. Open the System Properties dialog box.
4. Open the Computer Name/Domain Changes dialog box, specify the workgroup name and
close the dialog box.
5. Open the Computer Name/Domain Changes dialog box, specify the domain name and
close the dialog box.

Note: You can open the DNS Suffix and NetBIOS Computer Name dialog box and set the
primary DNS suffix to have the computer search DNS domains other than the Active Directory®
domain that it is joined to. The NetBIOS name is used for backward compatibility with older
applications.

Question: When will you configure the primary DNS suffix to be different from the Active
Directory domain?

Lesson 3: Upgrading and Migrating to Windows 7


When you perform a clean installation of Windows 7, the installation process does not
transfer user settings from the legacy operating system. If you need to retain user settings,
consider performing an upgrade or a migration to Windows 7 instead.
Depending on the version of your current operating system, you may not be able to
upgrade directly to Windows 7. You can install Windows Upgrade Advisor to provide upgrade
guidance for Windows 7. If your current operating system does not support direct upgrade to
Windows 7, consider performing a clean installation and migrating user settings and data by
using migration tools.

Considerations for Upgrading and Migrating to Windows 7

Not all operating systems can be upgraded or migrated to Windows 7. While several
operating systems support in-place upgrades, others only support migration of user settings and
data after you perform a clean installation of Windows 7.

Upgrade Considerations
Perform an in-place upgrade when you do not want to reinstall all your applications. In addition,
consider performing an upgrade when you:
• Do not have storage space to store your user state.
• Are not replacing existing computer hardware.
• Plan to deploy Windows on only a few computers.

Migration Considerations
Perform a migration when you:
• Want a standardized environment for all users running Windows. A migration takes advantage
of a clean installation. A clean installation ensures that all of your systems begin with the same
configuration, and that all applications, files, and settings are reset. Migration ensures that you
can retain user settings and data.
• Have storage space to store the user state. Typically, you will need storage space to store the
user state when performing migration. User State Migration Tool 4.0 introduces hard-link
migration, in which you do not need extra storage space. This is only applicable to wipe and
load migration.
• Plan to replace existing computer hardware. If you do not plan to replace the existing
computers, you can still perform a migration by doing a wipe and load migration.
• Plan to deploy Windows to many computers.

An upgrade scenario is suitable in small organizations or in the home environment, while
in large enterprises when significant numbers of computers are involved, clean installation
followed by migration is the recommended solution. The most common method of deploying
Windows 7 in large enterprises is by performing a clean installation by using images, followed
by migrating user settings and data.

Question: You are deploying Windows 7 throughout your organization. Given the following
scenarios, which do you choose, upgrade or migration?

Scenario 1: Your organization has a standardized environment. You have several servers
dedicated as storage space and the computers in your organization are no later than two
years old.

Scenario 2: Your organization has a standardized environment. You have several servers
dedicated as storage space and plan to replace existing computers, which are more than
three years old.

Scenario 3: You do not have extra storage space and the computers in your organization are
less than two years old. In addition, there are only five users in your organization and
you do not want to reinstall existing applications to your user computers.

Identifying the Valid Upgrade Paths

The following table identifies the Windows operating systems that you can
upgrade directly to or migrate to Windows 7.

Upgrade between Two Editions of Windows 7


You can perform an upgrade between two editions of Windows 7 by purchasing
Windows Anytime Upgrade. The Windows Anytime Upgrade Pack contains the product key, a
Windows Anytime Upgrade disc, and upgrade instructions.

Upgrade Limitations
An in-place upgrade does not support cross architecture. This means that you cannot
upgrade from 32-bit to 64-bit or vice versa. An in-place upgrade does not support cross
language. In both cases, you need to perform a clean installation and the necessary migration.

Determining the Feasibility of an Upgrade by Using Windows Upgrade Advisor

Windows Upgrade Advisor is a downloadable application you can use to identify which
edition of Windows 7 meets your needs, whether your computers are ready for an upgrade to
Windows 7, and which features of Windows 7 will run on your computers. The end result is a
report that provides upgrade guidance to Windows 7 and suggestions about what, if any,
hardware updates are necessary to install and run the appropriate edition and features of
Windows 7.

Requirements
To install and run the Windows Upgrade Advisor, you need the following:
• Administrator privileges
• .NET 2.0
• MSXML6
• 20 MB of free hard disk space
• An Internet connection

Windows Upgrade Advisor is an ideal tool if you only have a few computers. For
enterprise deployment, consider the Application Compatibility Toolkit and the Microsoft
Assessment and Planning Toolkit to assess your organization's readiness for Windows 7.

Process for Upgrading to Windows 7

An in-place upgrade replaces the operating system on your computer while retaining all
programs, program settings, user-related settings, and user data.

Performing an in-place upgrade from Windows Vista with Service Pack 1 is the simplest
way to upgrade to Windows 7. The process for upgrading to Windows 7 is described in the
following steps:
1. Evaluate: you must evaluate whether your computer meets the requirements needed to run
Windows 7. You must also determine whether any installed application programs will have
compatibility problems running on Windows 7.
You can use the Windows Upgrade Advisor to help you perform this evaluation. If you have
many computers to upgrade, consider using the Application Compatibility Toolkit (ACT) and
Microsoft Assessment and Planning (MAP) to assess your organization's readiness.

2. Back Up: to protect against data loss during the upgrade process, it is important to back up
any data and personal settings before starting the upgrade.

3. Upgrade: to perform the upgrade, run the Windows 7 installation program (setup.exe) from
the product DVD or a network share.
4. Verify: after the upgrade completes, verify that all of the applications and hardware devices
function correctly.

5. Update: determine whether there are any updates to the Windows 7 operating system and
apply any relevant updates to your computer. Dynamic Update is a feature of Windows 7 Setup
that works with Windows Update to download any critical fixes and drivers that the setup
process requires.

Tools for Migrating User Data and Settings

If you choose to do a clean installation followed by migration to Windows 7, you must
back up user-related settings, application settings, and user data that you will restore after the
Windows 7 installation.

Identifying Which Components to Migrate


When planning your migration, it is important to identify which components you need to
migrate to the new operating system platform. These components may include:
• User accounts: computer workstations may have settings related to both domain and local
user accounts. You must determine if local user accounts must be migrated.

• Application settings: you must determine and locate the application settings that you want to
migrate. This information can be acquired when you are testing the new applications for
compatibility with the new operating system.

• Operating system settings: operating system settings may include appearance, mouse
actions (for example, single-click or double-click) and keyboard settings, Internet settings, E-
mail account settings, dial-up connections, accessibility settings, and fonts.

• File types, files, folders, and settings: when planning your migration, identify the file types,
files, folders, and settings to migrate. For example, you need to determine and locate the
standard file locations on each computer, such as the My Documents folder and company-
specified locations. You also must determine and locate the nonstandard file locations.

Tools for Migration


You can use the following tools to perform migration:
• Windows Easy Transfer (WET): use WET to perform a side-by-side migration for a single
computer, or a small number of computers.

• User State Migration Tool (USMT) 4.0: use USMT 4.0 to perform a side-by-side migration for
many computers and to automate the process as much as possible, or to perform a wipe-and-
load migration on the same computer.

Question: How do you migrate applications to Windows 7?


Process for Migrating to Windows 7

If you cannot, or prefer not to, perform an in-place upgrade, you can perform a clean
installation of Windows 7 and then migrate the user-related settings. The process for migrating
to Windows 7 is described in the following steps.
1. Back Up: before installing the new operating system, you must back up all user-related
settings and program settings. Also consider backing up your user data.

2. Install Windows 7: run the Windows 7 installation program (setup.exe) from the product
DVD or a network share and perform a clean installation.

3. Update: if you chose not to check for updates during the installation process, it is important to
do so after verifying the installation.

4. Install Applications: when you have completed the Windows 7 installation, you must
reinstall all applications. Windows 7 may block the installation of any incompatible programs.

5. Restore: after installing your application, use WET or USMT to migrate your application
settings and user-related settings to complete the migration process.

Migrating User Settings and Data by Using WET

Windows Easy Transfer (WET) is the recommended tool for scenarios in which you have
a small number of computers to migrate. You can decide what to transfer and select the transfer
method to use. You can use WET to transfer files and folders, E-mail settings, contacts and
messages, application settings, user accounts and settings, Internet settings and favorites.
If your source computer is running Windows 7, you can find WET in the System Tools program
group folder. If your computer is running Windows XP or Windows Vista, WET can be obtained
from a Windows 7 product DVD or from any computer that is running Windows 7.
Windows Vista has an older version of WET. While you can still use the Windows Vista WET
to migrate user state to Windows 7, you may want to use the latest functionality of the Windows 7
WET. Obtain WET from the Windows 7 product DVD or from any computer that is running
Windows 7. Windows 7 WET includes a new file explorer that enables you to select exactly
which files to copy to your new PC. And if Windows finds a file or setting it cannot work with,
Windows 7 WET prevents your transfer from hanging up. It will complete the transfer and give
you a full report of anything that fails to migrate. If the source computer is running Windows 7,
you can skip the following procedure of storing the Windows 7 WET files to be used on the
source computer.

Store the Windows 7 WET Files to Be Used on the Source Computer


To store the Windows 7 WET files to be used on a source computer that does not have WET,
start WET on the destination computer, and perform the following steps:
1. Close all active programs.
2. Click Start, All Programs, Accessories, System Tools, and then Windows Easy Transfer.
The Windows Easy Transfer window opens.
3. Click Next.
4. Select the method you want to use to transfer files and settings from your source computer.
5. Click This is my new computer.
6. Click I need to install it now.
7. Select the destination media where you want to store the Windows Easy Transfer Wizard
files. You can store the wizard files to an external hard drive or network drive, or you can store
them on a USB flash drive. A Browse for Folder window opens.
8. Type the path and folder name where you want to store the Windows Easy Transfer Wizard
files and then click Next.

You must now start your source computer to install Windows Easy Transfer.

Migrate Files and Settings from the Source Computer to the Destination Computer
You can select one of the three methods to transfer files and settings:
• Use an Easy Transfer Cable.
• Use a network connection.
• Use removable media such as a USB flash drive or an external hard disk.

Transfer Files and Settings by Using a Network


1. Start Windows Easy Transfer on the computer from which you want to migrate settings and
files by browsing to the removable media or network drive containing the wizard files and then
double-clicking migsetup.exe. The program may also start automatically when you insert the
removable media.
Note: If your computer already has WET, you can run it from the System Tools program group
folder.
2. Click Next.
3. Click A network.

Note: Both computers must support the transfer method you choose. For example, both
computers must be connected to the same network.

4. Click This is my old computer. WET creates a Windows Easy Transfer key. This key is used
to link the source and destination computers.
5. Follow the steps to enter the Windows Easy Transfer key on your destination computer to
allow the network connection.
6. On your destination computer, after entering the Windows Easy Transfer key, click Next. A
connection is established and Windows Easy Transfer checks for updates and compatibility.
7. Click Transfer to transfer all files and settings. You can also determine which files must be
migrated by selecting only the user profiles you want to transfer or by clicking Customize.
8. Click Close after Windows Easy Transfer has completed the migration of files
and settings to the destination computer.

Lesson 4: Performing an Image-Based Installation of Windows 7


Many medium to large-sized organizations use an image-based deployment model to
deploy desktop operating systems. After installing and configuring a reference computer, most
imaging solutions capture an image based on a sector-by-sector copy of the reference
computer. This technology, although effective in some situations, has a number of
disadvantages to the overall efficiency of your imaging system. The Windows 7 setup process relies
upon an image-based installation architecture. This architecture consists of deployment tools and
technologies to assist with customizing and deploying Windows 7 throughout the organization.
Using these tools, organizations can configure an effective computer imaging and deployment
methodology that will ensure a standardized Microsoft Windows desktop environment.

Windows Imaging File Format

The Windows Imaging (WIM) file is a file-based disk image format that was introduced in
Windows Vista. All Windows 7 installations use this image file.
When installing Windows 7, you are applying an image to the hard disk.

Benefits of WIM
WIM provides several benefits over other imaging formats, such as the following:
• A single WIM file can address many different hardware configurations. WIM does not require
that the destination hardware match the source hardware, so you need only one image to
address many different hardware configurations.
• WIM can store multiple images within a single file. For example, you can store images with
and without core applications in a single image file.
• WIM enables compression and single instancing, which reduces the size of image files
significantly. Single instancing is a technique that allows multiple images to share a single copy
of files that are common between the instances.
• WIM enables you to service an image offline. You can add or remove certain operating system
components, files, updates, and drivers without creating a new image.

• WIM enables you to install a disk image on partitions of any size, unlike sector-based image
formats that require you to deploy a disk image to a partition that is the same size or larger than
the source disk.
• Windows 7 provides an API for the WIM image format called WIMGAPI that developers can
use to work with WIM image files.
• WIM allows for nondestructive application of images. This means that you can leave data on
the volume to which you apply the image because the application of the image does not erase
the disk’s existing contents.
• WIM provides the ability to start Windows Preinstallation Environment (Windows PE) from a
WIM file.

Windows 7 Imaging Components


Deploying a Windows 7 image is based upon four major components. These
components include:

• The WIM format: the imaging format used for the creation and management of images.

• Tools to create and manage the WIM: Windows 7 uses a tool called ImageX to provide most
of the functions needed to create and manage a WIM file.

• Imaging application programming interface (API): Windows 7 uses an API called
WIMGAPI that provides the layer to programmatically access and manipulate WIM files. ImageX
is an implementation of the Imaging API.

• Enabling technologies: this includes the Windows Imaging File System (WIM FS) Filter and
the WIM boot filter. The file system filter enables the ability to mount and browse the WIM as a
file system. The WIM boot filter enables starting a Windows Preinstallation Environment
(Windows PE) image within a WIM file.

Tools for Performing Image-Based Installation

There are several tools and technologies that you can use to perform image-based installation
of Windows.
• Windows Setup (setup.exe): this is the program that installs the Windows operating system
or upgrades previous versions of the Windows operating system.
• Answer File: this is an XML file that stores the answers for a series of graphical user interface
(GUI) dialog boxes. The answer file for Windows Setup is commonly called Unattend.xml.

You can create and modify this answer file by using Windows System Image Manager
(Windows SIM). The Oobe.xml answer file is used to customize Windows Welcome, which
starts after Windows Setup and during the first system startup.
• Catalog: this binary file (.clg) contains the state of the settings and packages in a Windows
image.
• Windows Automated Installation Kit (Windows AIK): this is a collection of tools and
documentation that you can use to automate the deployment of Windows operating systems. It
includes the following:
§ Windows System Image Manager (Windows SIM): this tool enables you to create
unattended installation answer files and distribution shares or modify the files contained
in a configuration set.

§ Windows Preinstallation Environment (Windows PE): this is a minimal 32-bit or 64-bit
operating system with limited services, built on the Windows 7 kernel. Use Windows PE
in Windows installation and deployment.
§ ImageX: this command-line tool captures, modifies, and applies installation images for
deployment.
§ User State Migration Tool (USMT): this tool is used to migrate user settings from a
previous Windows operating system to Windows 7.
• Deployment Image Servicing and Management (DISM): this tool is used to service and
manage Windows images.

• System Preparation (Sysprep): Sysprep prepares a Windows image for disk imaging,
system testing, or delivery to a customer. Sysprep can be used to remove any system-specific
data from a Windows image. After removing unique system information from an image, you can
capture that Windows image and use it for deployment on multiple systems.

• Diskpart: this is a command-line tool for hard disk configuration.


• Windows Deployment Services (WDS): WDS is a server-based deployment solution that
enables an administrator to set up new client computers over the network, without having to visit
each client.

• Virtual Hard Disk (VHD): the Microsoft Virtual Hard Disk file format (.vhd) is a publicly
available format specification that specifies a virtual hard disk encapsulated in a single file. It is
capable of hosting native file systems and supporting standard disk operations.

Image-Based Installation Process

The image-based installation process consists of five high-level steps. These steps include the
following:
1. Build an Answer File: you can use an answer file to configure Windows settings during
installation. You can use Windows System Image Manager (Windows SIM) to assist in creating
an answer file, although in principle you can use any text editor to create an answer file.

2. Build a reference installation: a reference computer has a customized installation of
Windows that you plan to duplicate onto one or more destination computers. You can create a
reference installation by using the Windows product DVD and an answer file.

3. Create a Bootable Windows PE media: you can create a bootable Windows PE disk on a
CD/DVD by using the Copype.cmd script. Windows PE enables you to start a computer for the
purposes of deployment and recovery.

4. Capture the Installation Image: you can capture an image of your reference computer by
using Windows PE and the ImageX tool. You can store the captured image on a network share.

5. Deploy the Installation Image: after you have an image of your reference installation, you
can deploy the image to the target computer. You can use the DiskPart tool to format the hard
drive and copy the image from the network share.

Use ImageX to apply the image to the destination computer. For high-volume
deployments, you can store the image of the new installation to your distribution share and
deploy the image to destination computers by using deployment tools, such as Windows
Deployment Services (WDS) or Microsoft Deployment Toolkit (MDT).

Demonstration: Building an Answer File by Using Windows SIM


This demonstration shows how to create an answer file by using Windows SIM.
Build an Answer File Using Windows SIM
1. Log on to the computer by using the required credentials.
2. Open the Windows System Image Manager from Microsoft Windows AIK.
3. Open the Select an Image dialog box, browse to the folder containing the WIM file and select
the catalog file.

Note: If a catalog file does not exist for this edition of Windows 7, then you will be prompted to
create a catalog file. The creation process takes several minutes.

4. Expand Components and expand x86_Microsoft-Windows-Setup to configure settings
primarily used in the windowsPE stage of an unattended installation and for Disk Configuration.

5. Expand UserData and click Product Key to configure settings for unattended installation,
where Windows 7 is installed from the install.wim file on the Windows 7 installation DVD.

6. Expand x86_Microsoft-Windows-Shell-Setup and open Add setting to Pass 4 specialize
at x86_Microsoft-Windows-Shell-Setup to configure settings that will be applied after an
operating system has been generalized by using Sysprep.

7. Enter a Product Key in the Microsoft-Windows-Shell-Setup Properties area.

Note: Placing a product key in this answer file prevents the need to enter in the product key
during the installation of a new image.

8. Close Windows System Image Manager and do not save any changes.

Note: For more information, please refer to Windows SIM Technical Reference at
http://go.microsoft.com/fwlink/?LinkID=154216.

Question: Why might you use an answer file rather than manually completing the installation of
Windows 7?

Building a Reference Installation by Using Sysprep

The Sysprep tool prepares an installation of the Windows operating system for duplication,
auditing, and end-user delivery.

Sysprep Command-Line Options


The following shows the syntax and some of the more common command-line options available
for Sysprep:

Demonstration: Creating a Bootable Windows PE Media


This demonstration shows how to create bootable Windows PE media that can be used for
imaging computers.
Task: Create a bootable Windows PE Media
1. Log on to the computer by using the required credentials.

2. Open Deployment Tools Command Prompt from Microsoft Windows AIK.

3. At the command prompt, type copype.cmd <architecture> <destination> to copy the
necessary files for Windows PE to the destination folder. This also creates the folder, if it does
not exist.

4. At the command prompt, type copy <source> <destination> to copy the ImageX tool from
the source folder to the destination folder.

5. At the command prompt, type oscdimg -n -b <source location> <target file> to create an
ISO file for the Windows PE from the source location.

Note: For more information on copype, copy, and oscdimg, please refer to:
http://go.microsoft.com/fwlink/?LinkID=154217,
http://go.microsoft.com/fwlink/?LinkID=154218,
http://go.microsoft.com/fwlink/?LinkID=154219

Question: After you have created the ISO file, what do you do with it?

Capturing and Applying the Installation Image by Using ImageX


ImageX is a command-line tool that enables you to capture, modify, and apply file-based WIM
images.

ImageX Command-Line Options


The following shows the syntax and some of the more common command-line options available
for ImageX:

Note: The preceding table is only a subset of the tools and functionality provided by ImageX.
For a more detailed list of syntax commands, read the “ImageX Technical Reference” included
in the “Windows Automated Installation Kit User’s Guide.”
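The Windows PE media, Sysprep and ImageX stages described above (steps 3 to 5 of the image-based installation process) combined into one batch script, as an added example that is not code from the lecture manual or from the Windows AIK. The share \\deploy01\images, the x86 architecture, the image name and the paths are assumptions; the script expects to be copied onto the Windows PE media beside imagex.exe, and its apply stage wipes disk 0 of the target computer.

```batch
@echo off
rem Added example (not the lecture manual's code): one script for four stages of the
rem image-based installation. Run "deploy.cmd media" in the Deployment Tools Command
rem Prompt on the technician computer, "deploy.cmd sysprep" on the reference computer,
rem and "deploy.cmd capture" / "deploy.cmd apply" from Windows PE booted on the
rem reference and target computers. Server, share, paths and image name are assumed.
setlocal
set SHARE=\\deploy01\images
set WIM=Z:\win7ref.wim
set PEDIR=C:\winpe_x86
set AIK=C:\Program Files\Windows AIK\Tools
rem In Windows PE this script and imagex.exe sit together at the root of the boot media.
set IMAGEX=%~dp0imagex.exe

if "%~1"=="media"   goto media
if "%~1"=="sysprep" goto sysprep
if "%~1"=="capture" goto capture
if "%~1"=="apply"   goto apply
echo usage: %~nx0 media ^| sysprep ^| capture ^| apply
exit /b 1

:media
rem Step 3: copype.cmd creates the work folder (and fails if it already exists), so
rem remove a stale one, then add ImageX and this script to the ISO folder.
if exist %PEDIR% rd /s /q %PEDIR%
call copype.cmd x86 %PEDIR% || goto fail
copy "%AIK%\x86\imagex.exe" %PEDIR%\ISO\ || goto fail
copy "%~f0" %PEDIR%\ISO\ || goto fail
rem oscdimg: -n allows long file names; -b<file> names the boot sector, with no space.
oscdimg -n -b%PEDIR%\etfsboot.com %PEDIR%\ISO %PEDIR%\winpe_x86.iso || goto fail
echo Burn %PEDIR%\winpe_x86.iso to CD/DVD and boot the reference computer from it.
goto end

:sysprep
rem Reference computer: strip the SID, computer name and activation state, then shut
rem down. The next start must be from the Windows PE media, not from the hard disk,
rem or Windows runs its specialize pass and the image is no longer generalized.
"%SystemRoot%\System32\Sysprep\sysprep.exe" /generalize /oobe /shutdown
goto end

:capture
rem Step 4, in Windows PE on the reference computer: map the share and capture the
rem Windows volume. /verify checks every file as it is written to the WIM.
net use Z: %SHARE% || goto fail
"%IMAGEX%" /capture C: %WIM% "Windows 7 Reference" "Sysprep generalized" /compress maximum /verify || goto fail
goto end

:apply
rem Step 5, in Windows PE on the target computer: wipe disk 0, create one active NTFS
rem partition, apply image index 1, then write the boot files and BCD entry (without
rem bcdboot the applied volume does not start). X: is the Windows PE RAM drive.
(
  echo select disk 0
  echo clean
  echo create partition primary
  echo format fs=ntfs quick
  echo active
  echo assign letter=C
) > X:\diskpart.txt
diskpart /s X:\diskpart.txt || goto fail
net use Z: %SHARE% || goto fail
"%IMAGEX%" /apply %WIM% 1 C:\ || goto fail
bcdboot C:\Windows || goto fail
echo Image applied; remove the Windows PE media and restart.
goto end

:fail
echo Stage "%~1" failed with error %errorlevel%.
exit /b 1

:end
endlocal
```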

Demonstration: Modifying Images by Using DISM


Deployment Image Servicing and Management (DISM) is a command-line tool used to
service Windows images offline before deployment. You can use it to install, uninstall, configure,
and update Windows features, packages, drivers and international settings. Subsets of the
DISM servicing commands are also available for servicing a running operating system.

Common DISM Command Line Options


The base syntax for nearly all DISM commands is the same. After you have mounted or
applied your Windows image so that it is available offline as a flat file structure, you can specify
any DISM options, the servicing command that will update your image, and the location of the
offline image. You can use only one servicing command for each command line. If you are
servicing a running computer, you can use the /Online option instead of specifying the location
of the offline Windows Image.
The base syntax for DISM is:

The following DISM options are available for an offline image:

The following DISM options are available for a running operating system:

The following table shows some of the more common command-line options available for DISM:

This demonstration shows how to modify an image by using DISM.


Modify Images by Using DISM
1. Log on to the computer by using the required credentials.
2. Open the Deployment Tools Command Prompt from Microsoft Windows AIK.
3. At the command prompt, type dism to display help information for the command.
4. At the command prompt, type md <destination> to create a destination folder.
5. At the command prompt, type dism /mount-wim /wimfile:<path_to_image.wim>
/name:<image_name> /mountdir:<path_to_mount_directory> to mount the WIM file to the
mount directory.
6. At the command prompt, type dism /get-mountedwiminfo to display information about the
mounted image.

7. When the image mounting is complete, type cd <path_to_mount_directory> to go to the
mount directory.
8. At the command prompt, type dir to see the installation files for Windows 7 and modify them.
9. At the command prompt, type cd \ to go to the root directory.
10. At the command prompt, type dism /image:<path_to_image> /? to display the available
options for servicing an image such as adding a driver or adding a feature.
11. At the command prompt, type dism /image:<path_to_image> /add-driver
/driver:<folder_containing_INF> to add the driver (INF) file to the image in the mount
directory.
12. At the command prompt, type dism /unmount-wim /mountdir:<path_to_mount_directory>
/discard to unmount the image from the mounted folder and discard changes.
13. Close all open windows.

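The mount, service and unmount sequence of the demonstration as a batch script that commits only when every step succeeds and otherwise discards the mount, an added example rather than the lecture manual's own code. The WIM path, image index, mount folder, and the driver and update folders are assumptions.

```batch
@echo off
rem Added example (not the lecture manual's code): offline servicing of install.wim with
rem DISM. Mounts one image index, adds drivers and .cab updates, checks the result, and
rem commits only if every step succeeded; on any failure the mount is discarded so the
rem WIM is left exactly as it was. Paths, the index and the source folders are assumed.
setlocal
set WIM=D:\images\install.wim
set INDEX=1
set MOUNT=C:\mount
set DRIVERS=D:\drivers
set UPDATES=D:\updates

rem A mount left behind by an earlier crashed session blocks new mounts; clear it first.
dism /Cleanup-Wim
if not exist %MOUNT% md %MOUNT%
dism /Mount-Wim /WimFile:%WIM% /Index:%INDEX% /MountDir:%MOUNT% || goto fail

rem /Recurse stages every INF under %DRIVERS% into the image's driver store. Unsigned
rem drivers are refused unless /ForceUnsigned is added; keep the default so only signed
rem drivers reach the reference image.
dism /Image:%MOUNT% /Add-Driver /Driver:%DRIVERS% /Recurse || goto discard

rem Apply each .cab update offline; one that needs a restart is staged in the image and
rem completes on the first start of a deployed computer.
for %%P in (%UPDATES%\*.cab) do (
  dism /Image:%MOUNT% /Add-Package /PackagePath:%%P || goto discard
)

rem Verify: third-party drivers are listed as oemN.inf in the image's driver list.
dism /Image:%MOUNT% /Get-Drivers | findstr /i "oem" >nul || goto discard
dism /Image:%MOUNT% /Get-Packages /Format:Table

rem /Commit writes the changes back into the WIM and unmounts.
dism /Unmount-Wim /MountDir:%MOUNT% /Commit || goto fail
echo Serviced %WIM% index %INDEX%.
exit /b 0

:discard
echo Servicing failed; discarding so that %WIM% is unchanged.
dism /Unmount-Wim /MountDir:%MOUNT% /Discard
:fail
exit /b 1
```
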
Migrating User Settings and Data by Using USMT 4.0

USMT is a scriptable command-line tool that provides a highly customizable user profile
migration experience for IT professionals. The following shows the components of USMT:
• ScanState.exe: the ScanState tool scans the source computer, collects the files and settings,
and then creates a store.
• LoadState.exe: the LoadState tool migrates the files and settings, one at a time, from the
store to a temporary location on the destination computer.
• Migration .xml file: the .xml files used by USMT for migrations are the MigApp.xml,
MigUser.xml, or MigDocs.xml and any custom .xml files that you create.
• The MigApp.xml file: specify this file with both the ScanState and LoadState commands to
migrate application settings to computers running Windows 7.

• The MigUser.xml file: specify this file with both the ScanState and LoadState commands to
migrate user folders, files, and file types to computers running Windows 7.
• The MigDocs.xml file: specify this file with both the ScanState and LoadState tools to migrate
all user folders and files that are found by the MigXmlHelper.GenerateDocPatterns helper
function.
• Custom .xml files: you can create custom .xml files to customize the migration for your
unique needs. For example, you may want to create a custom file to migrate a line-of-business
application or to modify the default migration behavior.
• Config.xml: if you want to exclude components from the migration, you can create and modify
the Config.xml file using the /genconfig option with the ScanState tool.
• Component Manifests for Windows Vista and Windows 7: when the source or destination
computer is running Windows Vista or Windows 7, the component-manifest files control which
operating system settings are migrated and how they are migrated.
• Down-level Manifest files: when the source computer is running a supported version of
Windows XP, these manifest files control which operating-system and Internet Explorer settings
are migrated and how they are migrated.
• USMT internal files: all other .dll, .xml, .dat, .mui, and .inf files that are included with USMT
are for internal use. USMT is intended for administrators who are performing large-scale
automated deployments. For example, you can automate USMT by scripting it in the logon
script. If you are only migrating the user states of a few computers, you can use Windows Easy
Transfer.

Hard-link Migration Store


The new hard-link migration store is for use only in wipe and load migration. Hard-link migration
stores are stored locally on the computer that is being refreshed and can migrate user accounts,
files, and settings in less time using megabytes of disk space instead of gigabytes.

Using ScanState to Capture User State


You run ScanState on the source computer. The general syntax for the command is as follows:

The ScanState tool provides various options related to specific categories. These categories are
explained in the following sections.

ScanState Options
The following table describes ScanState commonly used options:

Using LoadState to Migrate User State


You run LoadState on the destination computer. The general syntax for the command is as
follows:

The LoadState tool uses most of the same options as the ScanState tool.
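ScanState and LoadState for the hard-link (wipe-and-load) case and for a side-by-side case whose store leaves the computer, as an added example that is not from the lecture manual. The USMT folder copied from the Windows AIK, the server name, and the store, log and key-file paths are assumptions.

```batch
@echo off
rem Added example (not the lecture manual's code): USMT 4.0 wipe-and-load migration with
rem a hard-link store, plus a side-by-side variant that writes an encrypted store to a
rem share. Run "usmt.cmd scan" (or "scan-net") on the source computer before Windows 7
rem is installed and "usmt.cmd load" (or "load-net") on the destination afterwards.
rem The USMT folder, server, store paths, log paths and key file are assumed.
setlocal
set USMT=C:\USMT\x86
set STORE=C:\MigStore
set NETSTORE=\\deploy01\usmt\%COMPUTERNAME%
set KEYFILE=C:\USMT\store.key
set LOGS=C:\MigLogs
set XML=/i:%USMT%\MigApp.xml /i:%USMT%\MigDocs.xml
rem Pass Config.xml only if one was generated; components marked migrate="no" are skipped.
set CFG=
if exist %USMT%\Config.xml set CFG=/config:%USMT%\Config.xml
if not exist %LOGS% md %LOGS%

if "%~1"=="genconfig" goto genconfig
if "%~1"=="scan"      goto scan
if "%~1"=="load"      goto load
if "%~1"=="scan-net"  goto scan_net
if "%~1"=="load-net"  goto load_net
echo usage: %~nx0 genconfig ^| scan ^| load ^| scan-net ^| load-net
exit /b 1

:genconfig
rem Write Config.xml listing every migratable component so unwanted ones can be excluded.
"%USMT%\scanstate.exe" /genconfig:%USMT%\Config.xml %XML% /l:%LOGS%\genconfig.log || goto fail
goto end

:scan
rem Hard-link store: files are linked, not copied, so the store costs megabytes, not
rem gigabytes. /hardlink requires /nocompress. /o overwrites an old store, /c continues
rem past non-fatal errors (they are logged), /v:5 gives verbose logs.
"%USMT%\scanstate.exe" %STORE% %XML% %CFG% /hardlink /nocompress /o /c /v:5 /l:%LOGS%\scan.log || goto fail
goto end

:load
rem Run after the clean install (applied without formatting the volume, so %STORE%
rem survives) and after applications are reinstalled. /lac recreates local accounts that
rem are missing on the destination but leaves them disabled until an administrator acts.
"%USMT%\loadstate.exe" %STORE% %XML% %CFG% /hardlink /nocompress /lac /c /v:5 /l:%LOGS%\load.log || goto fail
goto end

:scan_net
rem Side-by-side: the store leaves the computer, so encrypt it with a key file that is
rem kept off the share; /encrypt on ScanState pairs with /decrypt on LoadState.
"%USMT%\scanstate.exe" %NETSTORE% %XML% %CFG% /encrypt /keyfile:%KEYFILE% /o /c /v:5 /l:%LOGS%\scan.log || goto fail
goto end

:load_net
"%USMT%\loadstate.exe" %NETSTORE% %XML% %CFG% /decrypt /keyfile:%KEYFILE% /lac /c /v:5 /l:%LOGS%\load.log || goto fail
goto end

:fail
echo USMT stage "%~1" failed with error %errorlevel%; see the logs in %LOGS%.
exit /b 1

:end
endlocal
```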

Configuring VHDs

In Windows 7, a VHD can be used to store an operating system to run on a computer
without a parent operating system, virtual machine or hypervisor. This feature, called VHD boot,
is a new feature in Windows 7 that eases the transition between virtual and physical
environments. It is best used in the following scenarios:
• In an organization that has hundreds of users working remotely through VDI, but also needs
the same desktop images as the users working onsite using physical computers.
• In an organization with users in a highly managed environment that use
technologies such as Folder Redirection and Roaming User Profiles so that the user state is not
stored in the image.
• As a dual-boot option when you have only a single disk volume, as an alternative to running
virtual machines.

VHD Image Management and Deployment


Windows 7 also enables IT professionals to use the same processes and tools to manage WIM
and VHD image files.

The following steps outline Windows 7 deployment on VHD:


1. Create the VHD: you can create a VHD by using the DiskPart tool or the Disk Management
MMC. The Disk Management MMC also enables you to attach the VHD so that it appears on
the host computer as a drive and not as a static file. VHD files can then be partitioned and
formatted before you install an operating system.

2. Prepare the VHD: install Windows 7 on the VHD. You can perform the capture and apply
method by using ImageX.

3. Deploy the VHD: the VHD file can then be copied to one or more systems, to be run in a
virtual machine or for native boot. To configure native boot, add the native-boot VHD to the boot
menu by using the BCDEdit or BCDBoot tool. BCDEdit is a command-line tool for managing Boot
Configuration Data (BCD) stores, and BCDBoot is a command-line tool for initializing the BCD
store and copying boot environment files to the system partition. You can also automate the
network deployment of a VHD by using WDS. WDS can be used to copy the VHD image to a local
partition and to configure the local Boot Configuration Data (BCD) for native boot from the VHD.


Creating and Mounting a VHD by Using Disk Management


To mount a VHD by using Disk Management, perform the following steps:
1. Open the Disk Management MMC.
2. Click Action and click Create VHD. Specify the location of the VHD, the size, and the VHD
format and click OK.
3. Click Action and click Attach VHD. Locate the VHD to be mounted and click OK.

Creating and Mounting a VHD by Using Diskpart


To mount a VHD by using Diskpart, perform the following steps:
1. Open the command prompt, type Diskpart, and press ENTER.
2. On Diskpart console, type create vdisk file=<filename>, where filename is the
name of the VHD file, and press ENTER. To see the complete syntax and
parameters of the command, type help create vdisk and press ENTER.
3. Type select vdisk file=<filename> and press ENTER to select the VHD.
4. Type attach vdisk to mount the selected VHD.
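The three deployment steps (create, prepare, deploy) and the Diskpart procedure above, carried out end to end as an added PowerShell example that is not part of the manual. It assumes an elevated prompt on the host, an ImageX binary at the Windows AIK path shown, and a Windows 7 install.wim at a constructed location; the VHD path and drive letter are constructed as well:

```powershell
# Added example (not from the manual): create a VHD with diskpart, apply a Windows 7 image
# to it with ImageX, and add a native-boot entry with bcdedit. Run elevated on the host.
# Assumptions: all paths below are constructed; install.wim holds Windows 7 at image index 1.
$VhdPath = 'C:\VHD\Win7.vhd'
$WimPath = 'D:\sources\install.wim'                                   # assumed image location
$ImageX  = 'C:\Program Files\Windows AIK\Tools\amd64\imagex.exe'      # assumed WAIK path
$Letter  = 'V'
New-Item -ItemType Directory -Path (Split-Path $VhdPath) -Force | Out-Null
$scriptFile = Join-Path $env:TEMP 'vhd-diskpart.txt'

function Invoke-DiskpartScript {
    param([string]$Commands)
    Set-Content -Path $scriptFile -Value $Commands -Encoding ASCII
    diskpart /s $scriptFile
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }
}

# Step 1 (Create): a 40 GB dynamically expanding VHD, attached, partitioned and formatted.
Invoke-DiskpartScript @"
create vdisk file=$VhdPath maximum=40960 type=expandable
select vdisk file=$VhdPath
attach vdisk
create partition primary
format fs=ntfs label=Win7VHD quick
assign letter=$Letter
"@

# Step 2 (Prepare): apply the captured image into the mounted VHD.
& $ImageX /apply $WimPath 1 "${Letter}:\"
if ($LASTEXITCODE -ne 0) { throw "imagex failed with exit code $LASTEXITCODE" }

# Step 3 (Deploy, native boot): copy the default entry and point its device and osdevice at the
# VHD file. bcdedit /copy prints the new entry's GUID, so parse it rather than editing {default}.
$copyOutput = bcdedit /copy '{default}' /d 'Windows 7 (VHD boot)'
$guid = [regex]::Match($copyOutput, '\{[0-9a-fA-F-]{36}\}').Value
if (-not $guid) { throw "could not parse the new BCD entry GUID from: $copyOutput" }
$vhdDevice = "vhd=[$($VhdPath.Substring(0, 2))]$($VhdPath.Substring(2))"   # vhd=[C:]\VHD\Win7.vhd
bcdedit /set $guid device   $vhdDevice
bcdedit /set $guid osdevice $vhdDevice
bcdedit /set $guid detecthal on

# Detach so the file is not held open by the host; the boot loader mounts it at native boot.
Invoke-DiskpartScript @"
select vdisk file=$VhdPath
detach vdisk
"@
bcdedit /enum $guid     # review the new entry before rebooting
```

The same VHD file can be attached to a Virtual PC virtual machine unchanged; only the BCD entry on the host is specific to native boot.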

Question: Given that a Windows 7-based VHD is configured to run in a Virtual PC, can you
configure the same VHD to run in native boot?

Lesson 5: Configuring Application Compatibility

Application compatibility is a considerable factor that determines the success of an
operating system deployment project. Application compatibility issues can affect core business
functions by preventing users from performing their work. You must plan for these issues by
understanding common problems that can occur. Additionally, you must understand common
application compatibility issues that may be experienced during a typical operating system
deployment and how to mitigate and resolve these issues.


Common Application Compatibility Problems

An application written for a specific operating system can cause problems when installed
on a computer with a different operating system. This can occur for a number of reasons.
Generally, applications and hardware that worked on Windows Vista will continue to work on
Windows 7. To troubleshoot and address the problems effectively, it is important to be aware of
the general areas that typically cause most compatibility issues.

The following are several areas of concern with Windows 7 application compatibility.

• Setup and installation of applications: during application setup and installation, two
common issues can prevent the application from installing properly or even installing at all:
§ Applications try to copy files and shortcuts to folders that existed in a previous Windows
operating system, but no longer exist for the new operating system.
§ Applications try to refer to a Windows feature that has been renamed in Windows 7.

• User Account Control (UAC): UAC adds security to Windows by limiting administrator-level
access to the computer, restricting most users to run as Standard Users. UAC also limits the
context in which a process executes to minimize the ability of users to inadvertently expose their
computer to viruses or other malware. UAC may result in the following compatibility issues:


§ Custom installers, uninstallers, and updaters may not be detected and elevated to run as
administrator.
§ Standard user applications that require administrative privileges to perform their tasks
may fail or not make this task available to standard users.
§ Applications that attempt to perform tasks for which the current user does not have the
necessary permissions may fail. How the failure manifests itself is dependent upon how
the application was written.
§ Control panel applications that perform administrative tasks and make global changes
may not function properly and may fail.
§ DLL applications that run using RunDLL32.exe may not function properly if they perform
global operations.
§ Standard user applications writing to global locations will be redirected to per-user
locations through virtualization.

• Windows Resource Protection (WRP): WRP is designed to protect Windows resources
(files, folders, registry keys) in a read-only state. Application installers that attempt to replace,
modify, or delete operating system files and/or registry keys that are protected by WRP may fail
with an error message indicating that the resource cannot be updated.

• Internet Explorer Protected Mode: Internet Explorer Protected Mode helps to defend against
elevation-of-privilege attacks by restricting the ability to write to any local computer zone
resources other than temporary Internet files. Applications that use Internet Explorer and try to
write directly to the disk while in the Internet or Intranet zone may fail.

• 64-Bit architecture: Windows 7 fully supports 64-bit architecture. Applications or components
that use 16-bit executables, 16-bit installers, or 32-bit kernel drivers will either fail to start or will
function improperly.

• Windows Filtering Platform (WFP): WFP is an application program interface (API) that
enables developers to create code that interacts with the filtering that occurs at several layers in
the networking stack and throughout the operating system. If you are using a previous version
of this API in your environment, you may experience failures when running security class
applications, such as network-scanning, antivirus programs, or firewall applications.


• Operating System Version Changes: the operating system version number changes with
each operating system release. For Windows Vista, the internal version number is 6, whereas
for Windows 7, the internal version number is 6.1. This change affects any application or
application installer that specifically checks for the operating system version and might prevent
the installation from occurring or the application from running.

• Kernel-mode drivers: kernel-mode drivers must support the Windows 7 operating system or
be re-designed to follow the User-Mode Driver Framework (UMDF). UMDF is a device driver
development platform that was introduced in Windows Vista.

• Deprecated components: the release of Windows 7 has also introduced issues with
deprecated APIs or DLLs from Windows XP and Windows Vista, the new credential provider
framework, and service isolation. These cause applications that used the deprecated APIs or
DLLs, applications that use the old credential provider, and applications that do not support
service isolation to lose functionality or to fail to start.

Common Mitigation Methods


The Application Compatibility Toolkit (ACT) 5.5 enables you to determine whether your
applications are compatible with Windows 7. ACT also helps you determine how an update to
the new version will affect your applications. You can use the ACT features to:
• Verify your application, device, and computer compatibility with a new version of the Windows
operating system.
• Verify a Windows update's compatibility.
• Become involved in the ACT community and share your risk assessment with other ACT
users.
• Test your Web applications and Web sites for compatibility with new releases and security
updates to Internet Explorer.

Note: For more information on ACT 5.5, refer to: http://go.microsoft.com/fwlink/?LinkID=154220.

Mitigation Methods
Mitigating an application compatibility issue typically depends on various factors, such as the
type of application and current support for the application. Some of the more common mitigation
methods include the following:


• Modifying the configuration of the existing application: you can use tools such as the
Compatibility Administrator or the Standard User Analyzer (installed with ACT) to detect and
create application fixes (also called shims) to address the compatibility issues.

• Applying updates or service packs to the application: updates or service packs may be
available to address many of the compatibility issues and help the application to run with the
new operating system environment.

• Upgrading the application to a compatible version: if a newer, compatible version of the
application exists, the best long-term mitigation is to upgrade to the newer version.

• Modifying the security configuration: as an example, Internet Explorer Protected mode can
be mitigated by adding the site to the trusted site list or by turning off Protected Mode (which is
not recommended).

• Running the application in a virtualized environment: if all other methods are unavailable,
you may be able to run the application in an earlier version of Windows using virtualization tools
such as Windows Virtual PC and Microsoft Virtual Server. You can also use Windows Virtual
PC and Windows XP Mode to run older Windows XP business software from a Windows 7
computer. Install legacy applications in the virtual Windows XP, and then publish and seamlessly
launch the applications from the Windows 7 computer as if the applications were Windows 7 capable.

• Using application compatibility features: application issues, such as operating system
versioning, can be mitigated by running the application in compatibility mode. This mode can be
accessed by right-clicking the shortcut or .exe file and applying Windows Vista compatibility
mode from the Compatibility tab. You can also use the Program Compatibility Wizard to assist
in configuring compatibility mode with an application. The Program Compatibility Wizard is
found in the Control Panel under Programs and Features.

• Selecting another application that performs the same business function: if another
compatible application is available, you may want to consider switching to the compatible
application.


Updating Shims

A shim is a software program added to an existing application or other program to
provide enhancement or stability. In the application compatibility context, shim refers to a
compatibility fix, which is a small piece of code that intercepts API calls from applications,
transforming them so Windows 7 will provide the same product support for the application as
earlier versions of Windows. This can mean anything from disabling a new feature in Windows 7
to emulating a particular behavior of an earlier version of the Win32 API set. The Compatibility
Administrator Tool, installed with ACT, can be used to create a new compatibility fix. This tool
has preloaded many common applications, including any known compatibility fixes, compatibility
modes, or AppHelp messages. Before you create a new compatibility fix, search for an existing
application and then copy and paste the known fixes into your customized database.

Searching for Existing Compatibility Fixes


To search for a compatibility fix for an existing application, perform the following steps:
1. Open the Compatibility Administrator Tool and search for your application name.
2. View the preloaded compatibility fixes, compatibility modes, or AppHelp messages.

Creating a New Compatibility Fix


If you do not find a preloaded compatibility fix for your application, you can create a new one for
use by your customized database. To create a new compatibility fix, perform the following steps:


1. Run the Create new Application Fix Wizard from the Compatibility Administrator Tool.
2. Type the application name, vendor, and browse to the application executable file.
3. Select the operating system that the fix must be applied to, select any additional compatibility
fixes, and select additional criteria to match your applications.

Deploying a Compatibility Fix


You must deploy your compatibility fix database (.sdb) files to other computers in your
organization before your compatibility fixes, compatibility modes, and AppHelp messages are
applied. Deploying your custom compatibility fix database into your organization requires you to
perform the following actions:
1. Store your custom compatibility fix database (.sdb file) in a location from which all of your
organization's computers can access it, either locally or on your network. You can deploy your
customized database files in several ways, including by using a logon script, by using Group
Policy, or by performing file copy operations.
2. After deploying and storing the customized databases on each of your local computers, you
must register the database files. Until you register the database files, the operating system will
be unable to identify the available compatibility fixes when it starts the application. Use the
Sdbinst.exe command line tool to install the custom compatibility fix database locally.
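The registration step (action 2) scripted for a client, with a check that the operating system actually recorded the database, as an added PowerShell example that is not part of the manual. It assumes an elevated prompt on the Windows 7 client and that Contoso-Fixes.sdb is a constructed name for a database created with the Compatibility Administrator and already copied to C:\Deploy by a logon script or Group Policy:

```powershell
# Added example (not from the manual): install a custom compatibility fix database on a
# Windows 7 client and verify that the operating system registered it. Run elevated.
# Assumptions: the .sdb file name and the C:\Deploy folder are constructed for this example.
$SdbPath = 'C:\Deploy\Contoso-Fixes.sdb'
$AppCompat = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

function Install-ShimDatabase {
    param([string]$Path)
    if (-not (Test-Path $Path)) { throw "database not found: $Path" }
    # -q suppresses the confirmation dialog so the command is safe to run from a script.
    & "$env:SystemRoot\System32\sdbinst.exe" -q $Path
    if ($LASTEXITCODE -ne 0) { throw "sdbinst failed with exit code $LASTEXITCODE" }
}

function Get-InstalledShimDatabases {
    # Windows records each registered database under AppCompatFlags\InstalledSDB (one key per
    # database GUID); the executables a custom database applies to appear under AppCompatFlags\Custom.
    Get-ChildItem "$AppCompat\InstalledSDB" -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        New-Object PSObject -Property @{
            Guid        = $_.PSChildName
            Description = $p.DatabaseDescription
            Path        = $p.DatabasePath
        }
    }
}

function Get-ShimmedExecutables {
    Get-ChildItem "$AppCompat\Custom" -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSChildName }
}

Install-ShimDatabase -Path $SdbPath
Get-InstalledShimDatabases | Format-Table Guid, Description, Path -AutoSize
Get-ShimmedExecutables

# Removing a database later uses the same tool: sdbinst.exe -q -u C:\Deploy\Contoso-Fixes.sdb
```

Listing InstalledSDB and Custom after deployment is the quick way to confirm, per computer, that a fix is registered for the intended executable before users report whether the application now starts.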

Question: When do you use a compatibility fix? Discuss this in your class.

Module 4: Implementing User Accounts and Groups

• Describe the fundamental features of Active Directory Domain Services (AD DS).
• Implement AD DS.
• Manage objects in a domain.
• Implement organizational units (OUs) for managing groups and objects.
• Configure client computers centrally with group policy objects (GPOs).


Required materials
To teach this module, you need the Microsoft® Office PowerPoint® file 6420B_07.ppt.

Important: We recommend that you use PowerPoint 2002 or a later version to display the
slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the
features of the slides might not display correctly.

Preparation tasks
To prepare for this module:
Read all of the materials for this module. Practice performing the demonstrations and
the lab exercises. Work through the Module Review and Takeaways section, and determine
how you will use this section to reinforce student learning and promote knowledge transfer to
on-the-job performance. Make sure that students are aware that the Course Companion CD
contains additional module information and resources.


Lesson 1: User Accounts

Emphasize the advantage of using user accounts to uniquely identify and control a specific
person’s access to network resources.

Naming Conventions

• User Logon Names and Full Names Must Be Unique
• User Logon Names:
§ Can contain up to 20 characters
§ Can include a combination of special and alphanumeric characters
• A Naming Convention Should:
§ Accommodate duplicate employee names
§ Identify temporary employees


Password Guidelines

• Assign a Password for the Administrator Account
• Determine Who Has Control over Passwords
• Educate Users on How to Use Passwords
§ Avoid obvious associations, such as a family name
§ Use long passwords
§ Use a combination of uppercase and lowercase characters

Account Options

• Set Logon Hours to Match Users' Work Hours
• Specify the Computers from Which a User Can Log On
§ Domain users can log on at any computer in the domain except for domain controllers, by default
§ Domain users can be restricted to specific computers to increase security
• Specify When a User Account Expires


Lesson 2: The Domain Controller

What Is a Domain Controller?

Domain controllers:
• Provide authentication

• Host operations master roles

• Host the global catalog

• Support group policies and SYSVOL

• Provide for replication


Describe a domain controller to students. Talk about what happens when a domain
controller is unavailable.
Mention that the domain controller has a copy of the domain partition for the local
domain, the configuration partition, and the schema partition.
Describe a global catalog server to students as well, indicating that it has some domain
information from all domains. Give the example of Exchange Server using global catalog
servers to look up mailbox locations.
You can also mention that dcpromo can be used to make a member server into a domain
controller.
A new feature in Windows Server 2008 is the ability to have a Read-Only DC. This is
used for application support or for placement in a perimeter network where security is a
concern.

Configuring DNS for AD DS

Considerations:
• You can install DNS as part of the domain controller deployment
process

• You can integrate the DNS zone into AD DS

• Use secure dynamic updates for your DNS zone

• Use multiple DNS servers to provide for high availability and load
balancing

• SRV records enable the location of AD DS and other services

Ensure that the students understand the importance of SRV records. Ideally, use the
domain controller to display the DNS zone and show the students the various SRV records.


Lesson 3: Managing Users, Groups, and Computers

• What Are User Accounts?

• What Are Groups?

• Nesting Groups

• Default Built-In Groups

• Computer Accounts

• Account Management Best Practices

• Demonstration: How to Manage Accounts

After completing this lesson, you will be able to:

• Describe user accounts.
• Describe groups.
• Nest groups.
• List the default built-in groups.
• Describe a computer account.
• Provide best practices for user, group, and computer management.
• Create and manage users, groups, and computer accounts.


Setting Password Requirements

[Figure: the New Object - User dialog (Create in: nwtraders.msft/Users), showing the Password
and Confirm password fields and the account options User must change password at next logon,
User cannot change password, Password never expires, and Account is disabled.]


Why groups are important


Explain why groups are important as a logical group and how grouping similar objects
together reduces administration.

The difference between Distribution groups and Security groups

Explain how each group is similar (both can receive e-mail) and how they are different.
Explain why two types of groups are needed, and that e-mail lists do not need
permissions assigned to them. Mention that groups can be converted from distribution to
security or vice versa if the domain functional level is Windows 2000 native or
higher.
Explain that the rest of this module focuses on security groups.

Difference between permissions and rights


Briefly explain to students the difference between permissions and rights.
Question: Describe a situation where you would use a distribution group instead of a security
group.
Answer: Answers will vary, but will include any situation where you do not need to have
security enabled.

Describe the benefits of nesting, and give an example of how nesting using the AGLP or AGULP
strategies is efficient in multiple domains.


Show your students the built-in groups by switching to 6420B-NYC-DC1 and opening
Active Directory Users and Computers.

Account Management Best Practices

• Do not allow users to share accounts
• Plan a naming convention for accounts
• Do not use generic named accounts for temporary staff
• Plan account policy settings to meet organizational needs
• Use built-in groups where appropriate
• Nest groups for efficiency
• Avoid assigning permissions directly to users
• Use a naming convention that identifies group members
• Limit the ability to create computer accounts
• Implement a naming convention to identify the computer role
• Implement the Managed By and Location properties


Demonstration steps:
Note: You require the AMA-DC1 virtual machine to complete this demonstration. Log on as
AMAES\Administrator with the password of Pa$$w0rd.
1. Switch to the AMA-DC1 computer.
2. Click Start, point to Administrative Tools, and then click Active Directory Administrative
Center.
3. Click AMAES (local).
4. In the Results pane, double-click Users.
5. In the Tasks pane, click New, and then click User.
6. In the Create User: dialog box, in the First name box, type Claus.
7. In the Last name box type Hansen.
8. In the User SamAccount box type Claus.
9. In the Password box type Pa$$w0rd.
10. In Confirm password box type Pa$$w0rd, and then click OK.
11. Click Claus Hansen in the Users pane.
13. In the Tasks pane, click Add to group.
14. In the Select Groups dialog box, in the Enter the object names to select (examples):
box, type Domain Admins, click Check Names, and then click OK.
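The account created in the demonstration above, built with the ActiveDirectory module instead of the Administrative Center and given the Lesson 1 account options (password change at first logon, logon hours, logon workstations, expiry date), as an added PowerShell example that is not part of the manual. It assumes it runs on AMA-DC1 (Windows Server 2008 R2, where the module is available), that the Sales-Users group is a constructed name that already exists, and that membership of that group, rather than of Domain Admins, is what the new user needs; the PRO-W7E-0001 computer name is taken from the OU demonstration later in this module:

```powershell
# Added example (not from the manual): create the demonstration user with PowerShell and
# apply the account options from Lesson 1. Assumptions: runs on AMA-DC1; the Sales-Users
# group is constructed for this example and must exist before the script runs.
Import-Module ActiveDirectory

# Build the 21-byte logonHours attribute: one bit per hour of the week, starting at Sunday
# 00:00 UTC, bit 0 of each byte being the earliest hour of that byte's 8-hour block.
# Hours are given in local time and shifted to UTC by $UtcOffsetHours (DST is ignored here).
function New-LogonHours {
    param([int[]]$Days, [int]$StartHour, [int]$EndHour, [int]$UtcOffsetHours)   # Days: 0=Sun .. 6=Sat
    $bytes = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $index = (($d * 24 + $h - $UtcOffsetHours) % 168 + 168) % 168    # wrap within the week
            $byte  = [int][math]::Floor($index / 8)
            $mask  = [int][math]::Pow(2, ($index % 8))                      # no -shl in PowerShell 2.0
            $bytes[$byte] = [byte]($bytes[$byte] -bor $mask)
        }
    }
    return ,$bytes          # the leading comma keeps the byte[] from being unrolled
}

$password = Read-Host -AsSecureString 'Initial password (the user must change it at first logon)'
New-ADUser -Name 'Claus Hansen' -GivenName 'Claus' -Surname 'Hansen' `
    -SamAccountName 'Claus' -UserPrincipalName 'Claus@AMAES.com' `
    -Path 'CN=Users,DC=AMAES,DC=com' `
    -AccountPassword $password -ChangePasswordAtLogon $true -Enabled $true `
    -AccountExpirationDate (Get-Date).AddMonths(6)      # temporary staff: the account expires

# Restrict when (Mon-Fri 08:00-18:00 local) and where (one workstation) the account may log on.
$offset = ([System.TimeZoneInfo]::Local).BaseUtcOffset.Hours
$hours  = New-LogonHours -Days 1,2,3,4,5 -StartHour 8 -EndHour 18 -UtcOffsetHours $offset
Set-ADUser -Identity 'Claus' -LogonWorkstations 'PRO-W7E-0001' -Replace @{ logonHours = $hours }

# Grant access through group membership rather than by assigning permissions to the user.
Add-ADGroupMember -Identity 'Sales-Users' -Members 'Claus'

# Read back what was set.
Get-ADUser -Identity 'Claus' -Properties AccountExpirationDate, LogonWorkstations, MemberOf |
    Select-Object SamAccountName, Enabled, AccountExpirationDate, LogonWorkstations, MemberOf
```

The logonHours layout is the part worth checking on your own domain: open the user's Logon Hours dialog in Active Directory Users and Computers after running the script and confirm the permitted block is where you expect, since the dialog renders the UTC bits in the console's local time.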

Lesson 4: Implementing Organizational Units

After completing this lesson, you will be able to:

• Describe why to use OUs.


• Create and manage OUs.
• Delegate permissions on OUs.

Define OUs for students using the following definition: An OU is a container within a
domain. An OU can contain user accounts, computer accounts, groups, and other OUs.
A particularly useful type of directory object contained within domains is the
organizational unit. Organizational units are Active Directory containers into which you can
place users, groups, computers, and other organizational units. An organizational unit cannot
contain objects from other domains.


Question: Describe one scenario when you would use a domain to organize a network.
Describe one scenario when you would use an OU to organize a network.
Answer: Answers may vary. In general, students should understand that a domain represents a
security boundary, and requires at least one domain controller. Because multiple OUs
can exist within a single domain, they are useful for mapping the logical structure of
Active Directory to the actual structure of the organization in a more fine-grained manner
than domains. However, in cases where differing security requirements exist within an
organization, multiple domains will often be required.

Demonstration steps: How to Manage Organizational Units


Note: You require the AMA-DC1 virtual machine to complete this demonstration. Log on as
AMAES\Administrator with the password of Pa$$w0rd.
1. Switch to the AMA-DC1 computer.
2. Click Start, point to Administrative Tools, and then click Active Directory Administrative
Center.
3. Right-click AMAES (local), point to New, and then click Organizational Unit.


4. In the Create Organizational Unit: dialog box, in the Name box type Sales and then click
OK.
5. Click AMAES (local).
6. In the AMAES (local) pane double-click the Users container.
7. In the Users pane right-click Claus Hansen and then click Move.
8. In the Move dialog box, click Sales in the middle column and then click OK.
9. Click AMAES (local).
10. Double-click Sales.
11. In the Actions pane click New, and then click Computer.
12. In the Create Computer: dialog box, in the Computer name box, type PRO-W7E-0001 and
then click OK.
13. Close the Active Directory Administrative Center.

Demonstration steps: How to Delegate Administration


Note: You require the AMA-DC1 virtual machine to complete this demonstration. Log on as
AMAES\Administrator with the password of Pa$$w0rd.

1. Switch to the AMA-DC1 computer.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and
Computers.
3. Expand AMAES.com.
4. Right-click Sales and then click Delegate Control.
5. In the Delegation of Control Wizard, on the Welcome to the Delegation of Control
Wizard page, click Next.
6. On the Users or Groups page, click Add.
7. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to
select (examples): box, type Claus Hansen, click Check Names and then click OK.
8. On the Users or Groups page, click Next.
9. On the Tasks to Delegate page, select the Create, delete and manage user accounts
check box and then click Next.
10. Click Finish and then close Active Directory Users and Computers.


Lesson 5: Implementing Group Policy

After completing this lesson, you will be able to:
• Describe GPOs.
• Understand local, site, domain, and organizational unit-linked policies.
• Explain how to use GPO management tools.
• Create a GPO and link it to an organizational unit.

Explain how Group Policy enables Information Technology (IT) administrators to
automate the management of users and computers, which simplifies administrative tasks and
reduces IT costs. Administrators can implement security settings, enforce IT policies, and
distribute software consistently for the local computer or across a given site, domain, or range of
organizational units.
Mention that the two domain policies exist by default. Explain how one policy may be associated
with multiple containers through linking. Explain how multiple policies may link to one container.

Question: When would local Group Policy be useful in a domain environment?

Answer: Companies that use imaging technologies to deploy operating systems could use local
Group Policies to help secure and standardize images. In this way, computers that are
not connected to the local area network (LAN) still would be subject to certain
restrictions for all users.

Explain that computer settings are applied at startup, while user settings are applied at
logon. Explain that client-side extensions on the client computer handle the actual processing of
settings. Explain that in case of a conflict between user and computer settings, the computer
setting takes precedence. For example, if a user has Windows Messenger specifically set to
Allow, but the computer has Windows Messenger specifically set to Disallow, the computer
setting takes precedence. Explain that you can configure the refresh interval and random offset
separately for users, computers, and domain controllers. Mention that security settings are
refreshed every 16 hours even if they have not changed.

Question: What would be some advantages and disadvantages to lowering the refresh
interval?
Answer:
• Advantages
§ Provides faster updates for new settings.
§ Ensures that mobile users are more likely to get settings refreshed.
• Disadvantages
§ Increases network traffic.
§ Consumes more local computer resources to check for updates.

Show the students how to create and link a GPO to a domain while you discuss.

Policies and Preferences

Group Policy Preferences:
• Are written to the normal locations in the registry that the application or operating system
feature uses to store the setting.
• Do not cause the application or operating system feature to disable the user interface for the
settings they configure.
• Refresh preferences by using the same interval as Group Policy settings by default.
• Are not available on local computers.

Group Policy Settings:
• Strictly enforce policy settings by writing the settings to areas of the registry that standard
users cannot modify.
• Typically disable the user interface for settings that Group Policy is managing.
• Refresh policy settings at a regular interval.
• Are available through local Group Policy.


Demonstration steps: How to Create a GPO and Link It to an Organizational Unit

Note: You require the AMA-DC1 and the AMA-CL1 virtual machines to complete this
demonstration. Log on as AMAES\Administrator with the password of Pa$$w0rd. Do not log on
to AMA-CL1 until directed to do so.
1. Switch to the AMA-DC1 computer.
2. Click Start, point to Administrative Tools, and then click Group Policy Management.
3. Expand Forest: AMAES.com, expand Domains, and then expand AMAES.com.
4. Right-click Group Policy Objects, and then click New.
5. In the New GPO dialog box, in the Name: box, type Disable CAD Task Manager and then
click OK.
6. Expand Group Policy Objects, right-click Disable CAD Task Manager and then click Edit.
7. In the Group Policy Management Editor, expand User Configuration, expand Policies,
expand Administrative Templates, expand System, and then click CTRL+ALT+DEL Options.
8. In the Results pane, double-click Remove Task Manager.
9. In the Remove Task Manager dialog box, click Enabled and then click OK.
10. Close the Group Policy Management Editor.
11. In the Navigation pane, right-click Sales and then click Link an Existing GPO.
12. In the Select GPO dialog box, in the Group Policy objects list, click Disable CAD Task
Manager and then click OK.
13. Close Group Policy Management.
14. Switch to the NYC-CL1 computer.
15. Log on to NYC-CL1 as AMAES\Claus with the password of Pa$$w0rd.
16. Change the password to Pa$$w0rd1 when prompted. Click OK.
17. In the AMA-CL1 on localhost – Virtual Machine Connection window, click the
CTRL+ALT+DEL button.
18. Does Start Task Manager appear as an option?
Answer: No.
19. Log off of AMA-CL1.
20. Log on to AMA-CL1 as AMAES\Administrator with the password of Pa$$w0rd.
21. In the AMA-CL1 on localhost – Virtual Machine Connection window, click the
CTRL+ALT+DEL button.
22. Does Start Task Manager appear as an option?
Answer: Yes.
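The demonstration above (create the GPO, set Remove Task Manager, link it to Sales) done with the GroupPolicy module, plus the policy-versus-preference distinction from the Policies and Preferences table and a client-side check of the result, as an added PowerShell example that is not part of the manual. It assumes it runs on AMA-DC1 with the Group Policy Management Console installed, that the Sales OU from Lesson 4 exists, and that the preference value in step 2 is a constructed illustration of where preferences are written:

```powershell
# Added example (not from the manual): build the "Disable CAD Task Manager" GPO with the
# GroupPolicy module, link it to the Sales OU, and give the client a check for the result.
# Assumptions: runs on AMA-DC1 (Windows Server 2008 R2 with GPMC); the preference value in
# step 2 is constructed to show where a preference lands compared with a policy setting.
Import-Module GroupPolicy

$GpoName = 'Disable CAD Task Manager'
$Domain  = 'AMAES.com'
$SalesOu = 'OU=Sales,DC=AMAES,DC=com'

# Step 1: create the GPO and set the same item the wizard path reaches: User Configuration >
# Policies > Administrative Templates > System > Ctrl+Alt+Del Options > Remove Task Manager.
# Policy settings are written under a Policies key that standard users cannot modify.
New-GPO -Name $GpoName -Domain $Domain | Out-Null
Set-GPRegistryValue -Name $GpoName -Domain $Domain `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableTaskMgr' -Type DWord -Value 1 | Out-Null

# Step 2: a Group Policy Preference, by contrast, writes to the application's normal registry
# location and does not lock the user interface (constructed example: wallpaper style).
Set-GPPrefRegistryValue -Name $GpoName -Domain $Domain -Context User -Action Update `
    -Key 'HKCU\Control Panel\Desktop' -ValueName 'WallpaperStyle' -Type String -Value '2' | Out-Null

# Step 3: the GPO does nothing until it is linked to a site, domain or OU.
New-GPLink -Name $GpoName -Domain $Domain -Target $SalesOu -LinkEnabled Yes | Out-Null
Get-GPInheritance -Target $SalesOu | Select-Object -ExpandProperty GpoLinks

# Step 4: on the client (AMA-CL1), logged on as the Sales user after 'gpupdate /force', the same
# policy key tells you whether the setting arrived without having to press Ctrl+Alt+Del.
function Test-TaskManagerDisabled {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = (Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    return ($v -eq 1)
}
```

Because user settings are applied at logon and the policy is linked to the Sales OU, Test-TaskManagerDisabled reports the setting only for accounts located in that OU; an administrator whose account sits in the Users container is unaffected, which is what steps 18 and 22 of the demonstration observe.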


1. For most organizations, how many AD DS forests are required?
Answer: One. Multiple forests enable organizations to separate administration. This is not a
requirement for most organizations.

2. If you are installing an AD DS compatible e-mail application, what implications does this have
for your AD DS schema?
Answer: The schema will be changed by the application.

3. What kind of trusts are implemented between domains in a single forest?
Answer: Automatically created two-way, transitive trusts.

4. Why create organizational units?
Answer: OUs are useful in grouping and organizing objects for administrative purposes, such
as delegating administrative rights and assigning policies to a collection of objects as a single
unit.

Module 5: Configuring Disks and Device Drivers

Module Overview
Whether IT professionals manage and deploy desktops, laptops, or virtual environments,
the Windows® 7 operating system simplifies common tasks and leverages existing tools and
skills.
To help ensure that previously installed devices continue to work in Windows 7, when updated
device drivers are required, Microsoft is working to ensure that you can get them directly from
Windows Update or from device manufacturer Web sites. Although most computers that are
running Windows 7 have a single physical disk configured as a single volume, this is not always
the case. For example, there may be times when you want to have multiple operating systems
on a single computer or to have the virtual memory on a different volume. Therefore, it is
important that you understand how to create and manage simple, spanned, and striped
volumes. To help optimize file system performance, you must be familiar with file system
fragmentation and the tools used to help defragment a volume. In addition, a good
understanding of disk quotas helps you manage available disk space on installed volumes.

Lesson 1: Partitioning Disks in Windows 7


When you install a disk in a computer that is running Windows 7, you can choose to
select one of two partitioning schemes:
• Master Boot Record (MBR)-based partitioning scheme
• Globally unique identifier (GUID) partition table (GPT)-based partitioning scheme

The following are common reasons to partition a disk:


• Separate operating system files from data and user files.
• Place applications and data files in the same location.
• Put cache, log, and paging files in a location separate from other files.
• Create multiboot setup environments.

You can use Disk Management to perform disk-related tasks such as creating and
formatting partitions and volumes, and assigning drive letters. In addition, you can use the
diskpart command, along with other command-line utilities, to perform disk management tasks
such as partitioning disks or converting disks from one partition scheme to the other.

What Is an MBR Disk?


A Master Boot Record (MBR) disk is a bootable hard disk that contains an MBR. The
MBR is the first sector on a hard disk. The MBR is created when the disk is partitioned and
contains a four-partition entry table describing the size and location of a partition on disk using
32-bit Logical Block Address (LBA) fields. The MBR is stored at a consistent location on a
physical disk, enabling the computer BIOS to reference it. During the startup process, the
computer examines the MBR to determine which partition on the installed disks is marked as
active. The active partition contains the operating system startup files.

The MBR scheme imposes certain restrictions that include the following:
• Four partitions for each disk
• A 2 Terabyte (TB) maximum partition size
• No redundancy provided

Question: What are three restrictions of an MBR partitioned disk? Have you encountered these
limitations in your organization, and if so, what did you do to work around them?

What Is a GPT Disk?

As operating systems evolve and hard disks grow larger, the inherent restrictions of an
MBR partitioned disk limit the viability of this partitioning scheme as an option in many
scenarios. Consequently, a new disk partitioning system has been developed: Globally unique
identifier (GUID) partition table or GPT. GPT-based disks address the limitations of MBR-based
disks.
GPT contains an array of partition entries describing the start and end LBA of each
partition on disk. Each GPT partition has a unique identification GUID and a partition content
type. Also, each LBA described in the partition table is 64 bits in length. Both 32-bit and 64-bit
Windows operating systems support GPT for data disks on BIOS systems, but they cannot start
from them. The 64-bit Windows operating systems support GPT for boot disks on UEFI
systems.

GPT disks support:


• 128 partitions for each disk
• 18 Exabyte (EB) volume size
• Redundancy

On a GPT partitioned disk, the following sectors are defined:


• Sector 0 contains a legacy protective MBR. The protective MBR contains one primary partition
that covers the entire disk.
• Sector 1 contains a partition table header. The partition table header contains the unique disk
GUID, the number of partition entries (usually 128), and pointers to the partition table.
• The partition table starts at sector 2. Each partition entry contains a unique partition GUID, the
partition offset, length, type, attributes, and a name.

Question: How does a GPT partitioned disk on a 64-bit Windows 7 operating system use an
MBR?
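The MBR layout described above (four 16-byte entries at offset 446, 32-bit LBA fields, and the protective 0xEE entry that a GPT disk presents to a BIOS) can be parsed from a raw sector. The following is an added example, not code from the course manual; it assumes PowerShell 3.0 or later and builds its test sectors in memory rather than reading a disk.

```powershell
# Added example (not from the course manual): parse a raw 512-byte MBR sector
# exactly as the lesson describes it (four 16-byte entries, 32-bit LBA fields)
# and flag the protective MBR (type 0xEE) that a GPT disk presents to the BIOS.
# The sectors below are constructed in memory; no physical disk is read.

function Read-MbrPartitionTable {
    param([byte[]]$Sector)

    if ($Sector.Length -ne 512) { throw 'An MBR sector must be exactly 512 bytes' }
    # Boot signature 0xAA55 is stored little-endian at offsets 510 and 511.
    if ($Sector[510] -ne 0x55 -or $Sector[511] -ne 0xAA) { throw 'Boot signature missing' }

    $entries = @()
    for ($i = 0; $i -lt 4; $i++) {
        $base = 446 + (16 * $i)               # partition table begins at offset 446
        $type = $Sector[$base + 4]
        if ($type -eq 0) { continue }         # unused slot
        $startLba  = [BitConverter]::ToUInt32($Sector, $base + 8)
        $sectorCnt = [BitConverter]::ToUInt32($Sector, $base + 12)
        $entries += [pscustomobject]@{
            Slot          = $i
            Active        = ($Sector[$base] -eq 0x80)   # 0x80 marks the active (boot) partition
            TypeId        = ('0x{0:X2}' -f $type)
            ProtectiveGpt = ($type -eq 0xEE)
            StartLba      = $startLba
            SizeMB        = [math]::Round(([int64]$sectorCnt * 512) / 1MB, 2)
        }
    }
    return $entries
}

# Build a constructed test sector with a single entry in slot 0; everything else stays zero.
function New-TestMbrSector {
    param([byte]$Type, [uint32]$StartLba, [uint32]$SectorCount, [switch]$Active)
    $s = New-Object byte[] 512
    if ($Active) { $s[446] = 0x80 }
    $s[450] = $Type
    [BitConverter]::GetBytes($StartLba).CopyTo($s, 454)
    [BitConverter]::GetBytes($SectorCount).CopyTo($s, 458)
    $s[510] = 0x55
    $s[511] = 0xAA
    return ,$s
}

# Case 1: a classic MBR layout, one active NTFS (0x07) partition of 1 GB starting at LBA 2048.
$mbr = New-TestMbrSector -Type 0x07 -StartLba 2048 -SectorCount 2097152 -Active
Read-MbrPartitionTable $mbr | Format-Table -AutoSize

# Case 2: the protective MBR of a GPT disk (type 0xEE). When the disk is larger than the
# 32-bit field can express, the count is clamped to 0xFFFFFFFF, which is exactly the
# 2 TB ceiling the lesson mentions: 2^32 sectors * 512 bytes.
$gpt = New-TestMbrSector -Type 0xEE -StartLba 1 -SectorCount ([uint32]::MaxValue)
Read-MbrPartitionTable $gpt | Format-Table -AutoSize
```

The second case is what Disk Management sees in sector 0 of every GPT disk: one partition covering the whole disk so that MBR-only tools do not treat the disk as empty.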

Disk Management Tools

With either the Disk Management Microsoft Management Console (MMC) snap-in or
diskpart.exe, you can initialize disks, create volumes, and format the volume file system.
Additional common tasks include moving disks between computers, changing disks between
basic and dynamic types, and changing the partition style of disks. Most disk-related tasks can
be performed without restarting the system or interrupting users, and most configuration
changes take effect immediately.

Disk Management
Disk Management in Windows 7 provides the same features you may already be familiar
with from earlier versions, but also includes some new features:
• Simpler partition creation
• Disk conversion options
• Extend and shrink partitions

To open Disk Management, click Start, type diskmgmt.msc in the search box, and then
click diskmgmt.msc in the results list.

Diskpart.exe
Diskpart.exe allows you to manage fixed disks and volumes by using scripts or direct
input from the command line. The following are common diskpart actions:
• To run diskpart.exe, open a command prompt and type diskpart.
• To view a list of diskpart commands, at the DISKPART> command prompt, type commands,
or start Disk Management, and then open the Help Topics from the Help menu.
• To create a log file of the diskpart session, type diskpart /s testscript.txt > logfile.txt.

Question: What is the effect on existing data when you convert a basic disk to a dynamic disk
and vice versa?

Demonstration: Converting an MBR Partition to a GPT Partition


This demonstration shows how to use both the diskpart command-line tool and the Disk
Management snap-in to manage disk types.

Convert a Disk to GPT by using Diskpart.exe


1. Start an elevated Command Prompt.
2. Start diskpart.exe and use the following commands to convert the disk:
• list disk
• select disk 2
• convert gpt

Convert Disk 3 to GPT by using Disk Management


1. Start Disk Management.
2. In the Initialize Disk dialog box, convert disk 3 to GPT.

Verify the Disk Type
• In Disk Management, verify each disk’s type.

Question: Which tool do you prefer to use to convert a new disk to GPT, the Disk Management
snap-in or the diskpart.exe command-line tool?

Lesson 2: Managing Disk Volumes


Before the Windows 7 operating system can access newly installed dynamic disks, you
must create and format one or more volumes on a disk. Dynamic disks use a private region of
the disk to maintain a Logical Disk Manager (LDM) database. The LDM database contains
volume types, offsets, memberships, and drive letters for each volume. The LDM database is
also replicated, so each dynamic disk knows about every other dynamic disk configuration. This
feature makes dynamic disks more reliable and recoverable than basic disks.

You can configure volumes to use some or all the available space on a single disk, or
configure the volume to span multiple disks. The following are examples of the types of dynamic
volumes that can be created on dynamic disks:
• Simple
• Spanned
• Striped
• Mirrored
• RAID-5

What Is a Simple Volume?


A simple volume is a dynamic volume that encompasses available free space from a
single, dynamic, hard disk drive. It is a portion of a physical disk that functions as though it were
a physically separate unit. Simple volumes can be extended on the same disk. Simple volumes
are not fault tolerant. When you use simple volumes, any physical disk failure results in data
loss. However, the loss is limited to the failed drives. In some scenarios, this provides a level of
data isolation that can be interpreted as greater reliability.
Volume I/O performance on a simple volume is the same as Disk I/O performance. In
some scenarios, a simple volume may provide better performance than striped data layout
schemes. Striped volumes are discussed in a later topic. For example, when serving multiple,
lengthy, sequential streams, performance is best when a single disk services each stream. Also,
workloads that are composed of small, random requests do not always result in performance
benefits when they are moved from a simple to a striped data layout.

Demonstration: Creating a Simple Volume


Use the following information for guidance when creating or modifying simple volumes:
• You must be a member of the Backup Operator or Administrator group.
• Either diskpart.exe or Disk Management can be used to initialize disks, create volumes, and
format the file system.
• Before you can store data on the volumes, format each for use with the file system. Before you
can format a volume, assign it either a drive letter or a mount point.
• Before deleting volumes, make sure that the information on them has been backed up onto
another storage medium and verified, or that the data is no longer needed.
• You can create more than 26 volumes with Windows 7, but you cannot assign more than 26
drive letters for accessing these volumes. Volumes created after the twenty-sixth drive letter has
been used must be accessed using volume mount points.

This demonstration shows how to create a simple volume. First a volume is created by
using the Disk Management snap-in and then by using the diskpart command-line tool.

Create a Simple Volume by using Disk Management
1. Start Disk Management.
2. Start the New Simple Volume Wizard on Disk 2.
3. Specify the volume size as 100MB and label the volume as Simple.

Create a Simple Volume by using Diskpart.exe
1. Start an elevated Command Prompt.
2. Start diskpart.exe and use the following commands to create a simple volume:
• list disk
• select disk 3
• create partition primary size=100
• list partition
• select partition 2
• format fs=ntfs label=simple2 quick
• assign

Question: In what circumstances will you use less than all the available space on a
disk in a new volume?

What Are Spanned and Striped Volumes?

A spanned volume joins areas of unallocated space on at least two, and at most thirty-two,
disks into a single logical disk. Similar to a spanned volume, a striped volume also requires
two or more disks; however, striped volumes map stripes of data cyclically across the disks.
Create a spanned volume when you want to encompass several areas of unallocated space on
two or more disks. The benefits of using spanned volumes include fault isolation, uncomplicated
capacity planning, and straightforward performance analysis.

The following are characteristics of spanned volumes:


• You can only create spanned volumes on dynamic disks.
• If you are creating a new spanned volume, define how much space to allocate from each
physical disk.
• A spanned volume concatenates areas of unallocated space on at least two, and at most
thirty-two, disks into a single logical disk.
• This type of volume does not provide any fault tolerance.
• There is no performance benefit to implementing spanned volumes; I/O performance is
comparable to simple volumes.
• You can shrink an entire spanned volume; however, it is not possible to selectively remove
areas from a specific disk.
• You can extend a spanned volume to include areas of unallocated space on a new disk,
provided the 32 disk limit is not exceeded.

A striped volume (or RAID 0) requires two or more disks (up to 32) and maps equally
sized stripes of data cyclically in unallocated space across the disks. It is possible to delete a
striped volume, but it is not possible to extend or to shrink the volume. A striped volume requires
multiple dynamic disks and the allocated space from each disk must be identical.

Create a striped volume when you want to improve the I/O performance. Consider the following
about striped volumes:
• A striped data layout provides better performance than simple or spanned volumes if the stripe
unit is appropriately selected based on workload and storage hardware characteristics. Striped
volumes provide for higher throughput by distributing I/O across all disks configured as part of
the set.
• Because no capacity is allocated for redundant data, RAID 0 does not provide the fault
tolerance that RAID 1 and RAID 5 do.
• Striped volumes are well suited for isolating the paging file so that it is less likely to become
fragmented, which helps improve performance.
• The more disks that you combine, the faster the potential throughput is; however, the less
reliable the volume becomes.
• The loss of any disk results in data loss on a larger scale than a simple or spanned volume
because the entire file system spread across multiple physical disks is disrupted.

Question: Describe scenarios when you create a spanned volume and when you create a
striped volume.

Demonstration: Creating Spanned and Striped Volumes


This demonstration shows how to create both spanned and striped volumes.
Create a Spanned Volume
1. Start Disk Management.
2. Start the New Spanned Volume Wizard on Disk 2.
3. Set the amount of space to 100 MB for Disk 2 and set the amount of space to
250 MB for Disk 3.
4. Label the volume as Spanned.

Create a Striped Volume


1. In Disk Management, start the New Striped Volume Wizard.
2. Set the amount of space to 512 MB for Disk 3 and label the volume as Striped.

Question: What is the advantage of using striped volumes, and conversely what is the major
disadvantage?

Purpose of Resizing a Volume

You can shrink existing volumes to create additional, unallocated space to use for data
or programs on a new volume. On the new volume, you can:
• Install another operating system and then perform a dual boot.
• Save data separate from the operating system.

When you extend a simple volume on the same disk, the volume remains a simple volume.
However, when you extend a simple volume to include unallocated space on other disks on the
same computer, a spanned volume is created.
To perform the shrink operation, ensure that the disk is either unformatted or formatted with the
NTFS file system and that you are part of the Backup Operator or Administrator group. When
you shrink a volume, contiguous free space is relocated to the end of the volume. Before you
perform the shrink process, defragment the disk, reduce shadow copy disk space consumption,
and make sure that no page files are stored on the volume to be shrunk.

Note: If the partition is a raw partition (that is, one without a file system) that contains data (such
as a database file), shrinking the partition may destroy the data. Remember to make a backup
prior to extending or shrinking a partition or volume.

Demonstration: Resizing a Volume


This demonstration shows how to resize a volume with the diskpart utility; then, you see how to
use the Disk Management tool to extend a simple volume.

Shrink a Volume by using Diskpart.exe


1. Start an elevated Command Prompt.
2. Start diskpart.exe and use the following commands to resize the disk:
• list disk
• select disk 2
• list volume
• select volume 6
• shrink desired=50
• exit
3. Switch to Disk Management and view the new volume size.

Extend a Volume by using Disk Management


1. In Disk Management, start the Extend Volume Wizard to extend Disk 2.
2. Specify the amount of disk space as 50 MB.

Question: When might you need to reduce the size of the system partition?

Lesson 3: Maintaining Disks in Windows 7


When you first create a volume, new files and folders are created on available free
space on the volume in contiguous blocks; this provides an optimized file system environment.
As the volume becomes full, the availability of contiguous blocks diminishes; this can lead to
sub-optimal performance. This lesson explores file system fragmentation and the tools you can
use to reduce fragmentation.

What Is Disk Fragmentation?

Fragmentation of the file system occurs over time as you save, change, and delete files.
Initially, the Windows I/O manager saves files in contiguous areas on a given volume. This is
efficient for the physical disk as the read/write heads are able to access these contiguous blocks
quickly. As the volume fills up with data and other files, contiguous areas of free-space are
harder to find. In addition, when a file is extended, there may not be contiguous free-space
following the existing file blocks. This forces the I/O manager to save the remainder of the file in
a non-contiguous area, resulting in disk fragmentation. Although the NTFS file system is more
efficient than earlier file systems at handling disk fragmentation, this fragmentation still presents
a potential performance problem.

Defragmenting a Disk
When defragmenting a disk, files are optimally relocated. This ability to relocate files
benefits you when shrinking a volume, since it enables the system to free up space which can
be reclaimed as required. Disk Defragmenter is a tool included with Windows 7 that rearranges
fragmented data so that disks and drives can work more efficiently.
Disk Defragmenter runs automatically on a scheduled basis; however, you can perform
a manual defragmentation at any time. To manually defragment a volume or drive, or to change
the automatic defragmentation schedule, right-click a volume in Windows Explorer, click
Properties, click the Tools tab, and then click Defragment Now. You can then perform the
following tasks:
• Disable automatic defragmentation.
• Modify the defragmentation schedule.
• Select which volumes you want to defragment.
• Analyze the disk to determine whether it requires defragmentation.
• Launch a manual defragmentation.
To verify that a disk requires defragmentation, in Disk Defragmenter select the disk you
want to defragment and then click Analyze disk. Once Windows is finished analyzing the disk,
check the percentage of fragmentation on the disk in the Last Run column. If the number is
high, defragment the disk.
Disk Defragmenter might take from several minutes to a few hours to finish depending
on the size and degree of fragmentation of the disk or USB device, for example an external hard
drive. You can use the computer during the defragmentation process.
You can configure and run disk defragmentation from an elevated Command Prompt by
using the defrag command-line utility instead of the Disk Defragmenter tool.

What Are Disk Quotas?

A disk quota is a way for you to limit each person's use of disk space on a volume to
conserve disk space. Disk quotas enable you to proactively track and restrict disk consumption.
You can enable quotas on any NTFS-formatted volume, including local volumes, network
volumes, and removable storage.
You can use quotas to only track disk space consumption and determine who is
consuming available space; it is not required to restrict disk consumption at the same time.

You can also manage quotas by using the fsutil quota and fsutil behavior commands
from the Command Prompt. Once a quota is created, you can export it and then import it for a
different volume.
In addition to establishing quota settings on an individual computer by using the methods
outlined above, you can also use Group Policy settings to configure quotas. This enables
administrators to configure multiple computers with the same quota settings.
Over time, the amount of available disk space inevitably becomes less, so make sure
that you have a plan to increase storage capacity.

Note: Quotas are tracked for every volume.


Question: How do you increase free disk space after exceeding the quota allowance?

Demonstration: Configuring Disk Quotas (Optional)


This optional demonstration shows how to create and manage disk quotas.
Create Quotas on a Volume
1. Open the Striped (I:) Properties dialog box to access the Quota tab.
2. On the Quota tab, make selections to accomplish the following:
a. Enable quota management.
b. Deny disk space to users exceeding quota limit.
c. Limit disk space to 6 MB.
d. Set the warning level at 4 MB.
e. Log an event when a user exceeds their warning level.

Create Test Files


Open a Command Prompt and use the following commands to create test files on the I: drive.
• fsutil file createnew 2mb-file 2097152
• fsutil file createnew 1kb-file 1024

Test the Configured Quotas by using a Standard User Account to Create Files
• Create a new folder and copy the test files into the folder.
Review Quota Alerts and Event Log Messages
1. Open the Striped (I:) Properties dialog box to access the Quota tab and view Quota
Entries for Alan.
2. Open the Event Viewer to view the System entry for Event ID 36.
Question: Will Quota management be useful in your organizations?
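The quota management described in this lesson and the optional demonstration above can be scripted with the fsutil commands the lesson names. The following is an added example, not part of the course manual; it assumes an elevated PowerShell prompt, that I: is an NTFS volume, and that AMAES\Alan is an existing account (the volume, account name, and sizes are taken from the demonstration).

```powershell
# Added example (not part of the course manual): scripted version of the optional
# quota demonstration, run from an elevated PowerShell prompt. fsutil is the tool the
# lesson names; the volume letter, user name and sizes come from the demonstration.
# Assumptions: I: is an NTFS volume and AMAES\Alan is an existing account.

$Volume     = 'I:'
$User       = 'AMAES\Alan'
$WarnBytes  = 4MB            # "Set the warning level at 4 MB"
$LimitBytes = 6MB            # "Limit disk space to 6 MB"

# 1. Track and enforce quotas on the volume. "enforce" turns quota tracking on and
#    denies disk space to users who exceed their limit (the two check boxes on the
#    Quota tab in the demonstration).
fsutil quota enforce $Volume

# 2. Give the test account its own threshold and limit (both values in bytes).
fsutil quota modify $Volume $WarnBytes $LimitBytes $User

# 3. Create the same test files the demonstration uses (sizes in bytes).
fsutil file createnew "$Volume\2mb-file" 2097152
fsutil file createnew "$Volume\1kb-file" 1024

# 4. Show the per-user quota entries. fsutil prints plain text, so keep only the
#    lines that identify each account and its usage figures.
$quotaReport = fsutil quota query $Volume
$quotaReport | Where-Object { $_ -match 'SID Name|Quota Used|Quota Threshold|Quota Limit' }

# 5. Review what NTFS logged in the System log. Event ID 36 is the warning-level
#    event the demonstration asks you to find; 37 is written when the hard limit is hit.
Get-EventLog -LogName System -Newest 500 |
    Where-Object { $_.EventID -eq 36 -or $_.EventID -eq 37 } |
    Select-Object TimeGenerated, EventID, Message |
    Format-Table -Wrap -AutoSize
```

Quota usage is charged to the owner of each file, so the copy step of the demonstration must be performed while logged on as the standard user, not from the elevated session that ran this script.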

Lesson 4: Installing and Configuring Device Drivers


Devices have changed from being single-function peripherals to complex, multifunction
devices with a large amount of local storage and the ability to run applications. They have
evolved from a single type of connection, such as USB, to multi-transport devices that support
USB, Bluetooth, and WiFi.

Many of today’s devices are often integrated and sold with services that are delivered
over the Internet which has simplified a computer’s ability to recognize and use devices.
Microsoft has expanded the list of devices and peripherals that are being tested for compatibility
with Windows 7.

The device experience in Windows 7 is designed on existing connectivity protocols and
driver models to maximize compatibility with existing devices. Seamless user experiences begin
with the ability to connect devices efficiently. Additional drivers are retrieved automatically from
Windows Update, and when appropriate, users are given an option to download and install
additional applications for the device.

All of this helps reduce support calls and increase customer satisfaction.

Overview of Device Drivers in Windows 7

A driver is a small software program that allows the computer to communicate with
hardware or devices. It is also specific to an operating system. Without drivers, the hardware
you connect to the computer does not work properly.
In most cases, drivers come with Windows or can be found by going to Windows Update
and checking for updates. If Windows does not have the required driver, look for it on the disc
that came with the hardware or device, or on the manufacturer's Web site.

The following is an overview of device driver information:


• Windows 7 is available in 32-bit and 64-bit versions. Drivers developed for the 32-bit versions
do not work with the 64-bit versions, and vice versa. You must make sure that you obtain the
appropriate device driver before you install Windows 7.
• The device drivers that are included with Windows 7 have a Microsoft digital signature. The
digital signature indicates that a particular driver or file has met a certain level of testing and is
stable and reliable.
• The driver store is the driver repository. You can preload the driver store with drivers for
commonly used peripheral devices. The driver store is located in
systemroot\System32\DriverStore.
• During hardware installation, if the appropriate driver is not available, Windows 7 uses
Windows Error Reporting to report an unknown device.
• The Device Metadata System provides an end-to-end process for defining and distributing
device metadata packages. These packages contain device experience XML documents that
represent the properties of the device and its functions, together with applications and services
that support the device. Through these XML documents, the Devices and Printers folder and
Device Stage present users with an interface that is specific to the device as defined by
the device maker.

Installing Devices and Drivers

Windows has supported Plug and Play for device and driver installation since Windows
9x. To support Plug and Play, devices contain configuration and driver information and must
meet the following requirements:
• Be uniquely identified.
• State the services it provides and resources it requires.
• Identify the driver that supports it.
• Allow software to configure it.

Two key factors that impact the success of driver installation are when:
• The device is supported by a driver package included with Windows or available on Windows
Update.
• The user has media with the driver package provided by the vendor.

Windows 7 includes several features that help an administrator make device driver installation
more straightforward for users:
• Staging driver packages in the protected driver store.
• Configuring client computers to automatically search a list of folders, specified in the
DevicePath registry entry, when a new device is attached to the computer. These folders can be
hosted on a network share.
• Restarting the system is rarely necessary when installing Plug and Play devices.

Staging Drivers in the Driver Store


When a user inserts a device, Windows detects it and then signals the Plug and Play
service to make the device operational. Plug and Play queries the device for identification
strings and searches the driver store for a driver package that matches the identification strings.
If a matching package is found, Plug and Play copies the device driver files from the driver store
to their operational locations, and updates the registry as needed. Finally, Plug and Play starts
the newly installed device driver. During this process the digital signature of the driver package
is validated.
If a matching package is not found in the driver store, Windows searches for a matching
driver package by looking in the following locations:
• Folders specified by the DevicePath registry entry
• The Windows Update Web site
• Media or a manufacturer’s Web site provided after prompting the user

Staging the device driver packages in this manner provides significant benefit. After a driver
package has been successfully staged, any user that logs on to that computer can install the
drivers by simply plugging in the appropriate device.

Add a Driver to the Driver Store from a Command Prompt


You can use the Pnputil.exe tool in an elevated Command Prompt to add drivers to the
driver store manually. After the signed driver package is in the driver store, Windows considers
the package trusted.

Non-Plug and Play Devices


Non-Plug and Play devices are becoming increasingly rare as manufacturers stop
producing them in favor of Plug and Play devices. The term non-Plug and Play typically applies
to older pieces of equipment and these devices require manual configuration of hardware
settings before use. You can manually install non-Plug and Play devices in Device Manager.

Question: What are the steps to install a driver in the driver store by using the Pnputil.exe tool?

Device Driver Management Tools

There are several areas in which you can manage devices and their related drivers:
Device Manager, Devices and Printers, Device Stage™, and the Pnputil tool run from an
elevated Command Prompt.

Device Manager
Device Manager is accessible in the Hardware and Sound category in Control Panel and
helps you install and update the drivers for hardware devices, change the hardware settings for
those devices, and troubleshoot problems. You can perform the following tasks in Device
Manager:
• View a list of installed devices.
• Uninstall a device.
• Enable or disable devices.
• Troubleshoot devices.
• Update device drivers.
• Roll back drivers.

The status of a device shows whether the device has drivers installed and whether
Windows is able to communicate with the device. To view the status of a device:
1. Right-click the device and then click Properties.
2. Click the General tab and view the Device status area for a description of the current status.
You can use Device Manager to manage devices only on a local computer.

Devices and Printers


The Devices and Printers category provides an additional place to manage devices.
Wizards guide you through the setup process which reduces complex configuration tasks.
Windows 7 recognizes new devices and attempts to automatically download and install any
drivers required for that device. Devices that display in Devices and Printers are usually external
devices that you connect or disconnect from the computer through a port or network connection.
In Devices and Printers, a multifunction printer shows and can be managed as one device
instead of individual printer, scanner, or fax devices. In Device Manager, each individual
component of a multifunction printer is displayed and managed separately.

Device Stage
Device Stage provides users with a new way to access devices and advanced options
for managing them. Devices in use are shown with a photo-realistic icon. This icon can include
quick access to common device tasks; status indicators that let users quickly discern battery
status, device synchronization status, remaining storage capacity, links to product manuals,
additional applications, community information and help, or additional products and services.
The entire Device Stage experience remains current. Graphics, task definitions, status
information, and links to Web sites are distributed to computers by using the Windows Metadata
Information Service (WMIS).

Options for Updating Drivers

A newer version of a device driver often adds functionality and fixes problems that were
discovered in earlier versions; many hardware problems can be resolved by installing updated
device drivers. In addition, device driver updates often help resolve security problems and
improve performance.
Dynamic Update is a feature that works with Windows Update to download any critical
fixes and device drivers that are required for the setup process.

Dynamic Update downloads the following types of files:


• Critical Updates
• Device drivers

When updated device drivers are required, Microsoft is working to ensure that you can
get them directly from Windows Update or from device manufacturer Web sites.
You can manually update the driver used for a device in Device Manager by right-
clicking the device and then clicking Update Driver Software. Windows 7 includes several
enhancements to the upgrade experience. A “load driver” feature is provided so that you can
load a new or updated driver from the Compatibility Report and continue with the upgrade.

Managing Signed Drivers

A signed driver is a device driver that includes a digital signature. A digital signature is
an electronic security mark that indicates the publisher of the software and whether someone
has changed the original contents of the driver package. If a driver has been signed by a
publisher, you can be confident the driver comes from that publisher and has not been altered.

Benefits of using signed drivers include:


• Improved security.
• Reduced support costs.
• Better user experience.
On each computer, Windows maintains a store for digital certificates. As the computer
administrator, you can add certificates from trusted publishers. You can use Group Policy to
deploy the certificates to client computers. Group Policy allows you to have the certificate
automatically installed to all managed computers in a domain, organizational unit, or site.
If your organization has a Software Publishing Certificate, you can use that to add your
own digital signature to drivers that you have tested and that you trust. You can use Sigverif.exe
to check if unsigned device drivers are in the system area of a computer. You can obtain a basic
list of signed and unsigned device drivers from a command prompt by running the driverquery
command with the /si switch.

Discussion: Options for Recovering from a Driver Problem

If you have a hardware problem, it can be caused by hardware or a device driver.


Fortunately, the process to update device drivers to a newer version is straightforward.
Troubleshooting hardware problems often starts by troubleshooting device drivers. To identify a
device driver problem, answer the following questions:
• Did you recently upgrade the device driver or other software related to the hardware?
• Are you experiencing occasional problems, or is the driver not compatible with the current
version of Windows?
• Did the hardware suddenly stop working?
Present and discuss your ideas on this topic in the class.

Demonstration: Managing Drivers


This demonstration shows how to update a device driver and then roll back that driver
update. It also shows how to install a driver into the driver store. This demonstration requires
two machine restarts.

Update a Device Driver


1. Open Device Manager and locate the Standard PS/2 Keyboard.
2. Update the driver by browsing the computer for PC/AT Enhanced PS/2 Keyboard (101/102
Key).
3. Restart the computer.

Roll back a Device Driver


1. Open Device Manager and locate the PC/AT Enhanced PS/2 Keyboard (101/102 Key).
2. Roll back the driver and then restart the computer.
3. Log on to the AMA-CL1 virtual machine and verify that you have successfully rolled back the
driver.

Install a driver into the driver store


1. Open an elevated command prompt.
2. Change to the E: drive and then run the following command: pnputil -a
"E:\Labfiles\Mod02\HP Deskjet 960c series\hpf960k.inf"
3. Run pnputil -e to verify that the driver is installed into the driver store.

Question: If your computer does not start up normally due to a device driver issue, what options
are there for performing a driver roll back?

Module Review and Takeaways


Review Questions
1. You are implementing 64-bit Windows 7 and need to partition the disk to support 25 volumes,
some of which will be larger than 2 TB. Can you implement this configuration using a single
hard disk?

2. You have created a volume on a newly installed hard disk by using diskpart.exe. Now, you
want to continue using diskpart.exe to perform the following tasks:
• Format the volume for NTFS.
• Assign the next available drive letter.
• Assign a volume label of “sales-data”.
What two commands must you use for these tasks?

3. Your organization has recently configured Windows Update to automatically update the
Accounting department’s computers at 03:00. This conflicts with the weekly defragmentation of
the computers on Wednesday mornings. You must reconfigure the scheduled defragmentation
task to occur at midnight on Tuesdays instead. List the steps to modify the defragmentation
schedule.

4. You recently upgraded to Windows 7 and are experiencing occasional problems with the
shortcut keys on your keyboard. Describe the first action you might take to resolve the issue
and list the steps to perform the action.

Common Issues
Identify the causes for the following common issues and fill in the troubleshooting tips.
For answers, refer to relevant lessons in the module or the course companion CD content.

Best Practices
Supplement or modify the following best practices for your own work situations:
• Every time a change is made to a computer, record it. It can be recorded in a physical
notebook attached to the computer, or in a spreadsheet or database available on a centralized
share that is backed up nightly. If you keep a record of all changes made to a computer, you
can trace the changes to troubleshoot problems, and offer support professionals correct
configuration information. The Reliability Monitor can be used to track changes to the system
such as application installs or uninstalls.
• When deciding what type of volume to create, consider the following questions:
    • How critical is the data or information on the computer?
    • Can automatic replication be set up quickly and easily?
    • If the computer became unbootable, what might be the impact on your business?
    • Is the computer handling multiple functions?
    • Is the data on the computer being backed up on a regular basis?

Use the information in the following table to assist as needed:

Tools

Common Terms, Definitions, and Descriptions

Module 6: Configuring File Access and Printers on Windows 7 Clients


Module Overview
This module provides the information and tools needed to help you manage access to
shared folders and printers on a computer running the Windows® 7 operating system.
Specifically, the module describes how to share and protect folders, configure folder
compression, and how to install, configure, and administer printing.
To maintain network or local file and printer systems, it is essential to understand how to
safeguard these systems and make them operate as efficiently and effectively as possible. This
includes setting up NTFS folder permissions, compressing and managing shared folders and
files, and configuring printers.

Lesson 1: Overview of Authentication and Authorization


The Windows 7 operating system provides a new generation of security technologies for
the desktop. Some of these security technologies are aimed at strengthening the overall
Windows infrastructure, and others are aimed at helping to control both your system and your
data. Before effectively defining Windows 7 security measures such as NTFS permissions and
file and folder sharing properties, it is essential to understand the user account types that are
used during security configuration, and how the Kerberos protocol authenticates and authorizes
user logons. This lesson examines these features, which provide the foundation upon which the
Windows security infrastructure is built.

What Are Authentication and Authorization?

Authentication is the process used to confirm a user’s identity when he or she accesses
a computer system or an additional system resource. In private and public computer networks
(including the Internet), the most common authentication method used to control access to
resources involves verification of a user’s credentials; that is, a username and password.
However, for critical transaction types, such as payment processing,
username/password authentication has an inherent weakness: passwords can be stolen or
accidentally revealed. Because of this weakness, most Internet businesses, and many other
transaction systems, now implement digital certificates that are issued and verified by a
Certification Authority.
Authentication logically precedes authorization. Authorization allows a system to
determine whether an authenticated user can access and possibly update secured system
resources. Examples of authorized permissions include file and file directory access, hours of
access, amount of allocated storage space, and so on.

There are two components to authorization:


• The initial definition of permissions for system resources by a system administrator.
• The subsequent checking of permission values by the system or application when a user
attempts to access or update a system resource.

It is possible to have authorization and access without authentication. This is the case when
permissions are granted for anonymous users that are not authenticated. Typically, these
permissions are very limited.

Authentication and Authorization Process

Users must be authenticated to verify their identity when accessing files over the
network. This is done during the network logon process. The Windows 7 operating system
includes the following authentication methods for network logons:
• Kerberos version 5 protocol: The main logon authentication method used by clients and
servers running Microsoft Windows operating systems. It is used to authenticate both user
accounts and computer accounts.
• Windows NT LAN Manager (NTLM): Used for backward compatibility with pre-Windows 2000
operating systems and some applications. It is less flexible, efficient, and secure than the
Kerberos version 5 protocol.
• Certificate mapping: Typically used in conjunction with smart cards for logon authentication.
The certificate stored on a smart card is linked to a user account for authentication. A smart
card reader is used to read the smart cards and authenticate the user.

Question: Which authentication method is used when a client computer running the Windows 7
operating system logs on to Active Directory?

New Authentication Features in Windows 7


Windows Vista® included a number of improvements related to the Windows logon and
authentication processes. These enhancements extended a strong set of platform-based
authentication features to help provide better security, manageability, and user experience. In
Windows 7, Microsoft continues the efforts that began in Windows Vista by providing the
following new authentication features:
• Smartcards
• Biometrics
• Online Identity Integration

Smart Cards
Smart card use is expanding rapidly. To encourage more organizations and users to
adopt smart cards for enhanced security, Windows 7 includes new features that make smart
cards simpler to use and to deploy. These new features also make it possible to use smart
cards to complete a greater variety of tasks, and include the following:
• Smart card–related Plug and Play
• Personal Identity Verification (PIV) standard from the National Institute of Standards and
Technology (NIST)
• Kerberos support for smart card logon
• Encrypting drives with BitLocker™ Drive Encryption
• Document and e-mail signing
• Use with line-of-business applications

Biometrics
Biometrics is an increasingly popular technology that provides convenient access to
systems, services, and resources. Biometrics relies on measuring an unchanging physical
characteristic of a person to uniquely identify that person. Fingerprints are one of the most
frequently used biometric characteristics, with millions of fingerprint biometric devices
embedded in personal computers and peripherals.
Until now, there has been no standard support for biometric devices or for biometric-
enabled applications in Windows. To address this issue, Windows 7 introduces the Windows
Biometric Framework (WBF). The Windows Biometric Framework provides support for
fingerprint biometric devices through a new set of components. These components improve the
quality, reliability, and consistency of the user experience for customers who have fingerprint
biometric devices.
The Windows Biometric Framework makes biometric devices simpler for users and
administrators to configure and control on a local computer or in a domain.

Online Identity Integration


Account management is an important security strategy. Group Policy is used to allow or
prevent online IDs from authenticating to specific computers or all computers that you manage.
In Windows 7, users in a small network can elect to share data between selected
computers on an individual user basis. This feature complements the HomeGroup feature in
Windows 7 by using online IDs to identify individuals within the network. Users must explicitly
link their Windows user account to an online ID to allow this authentication. The inclusion of the
Public Key Cryptography Based User-to-User (PKU2U) protocol in Windows permits the
authentication to occur by using certificates.
Online Identity Integration can be managed through group policy. The policy setting titled
Network security: Allow PKU2U authentication requests to this computer to use online
IDs controls the ability of online IDs to authenticate to the computer by using the PKU2U
protocol. This policy setting does not affect the ability of domain accounts or local user accounts
to be used to log on to the computer.

Question: What are some of the ways that fingerprint biometric devices are used in
Windows 7?

Lesson 2: Managing File Access in Windows 7


The most common way that users access data is from file shares on the network.
Controlling access to file shares is done with share permissions and NTFS permissions.
Understanding how to determine effective permissions is essential to securing your files. NTFS
file system permissions enable you to define the level of access that users have to files that are
available on the network, or locally on your Windows 7 computer. This lesson explores NTFS
file system permissions and the effect of various file and folder activities on these permissions.

What Are NTFS Permissions?

Permission is the authorization to perform an operation on a specific object, such as a
file. Permissions can be granted by owners and by anyone with permission to grant
permissions. Normally, this includes administrators on the system. If you own an object, you can
grant any user or security group any permission on that object, including the permission to take
ownership. Every container and object on the network has a set of access control information
attached to it. Known as a security descriptor, this information controls the type of access
allowed to users and groups. Permissions, which are defined within an object’s security
descriptor, are associated with, or assigned to, specific users and groups.

File and folder permissions define the type of access that is granted to a user, group, or
computer on a file or folder. For example, you can let one user read the contents of a file, let
another user make changes to the file, or prevent all other users from accessing the file. You
can set similar permissions on folders.

There are two levels of permissions:


• Shared folder permissions: Allow security principals, such as users, to access shared
resources from across the network. Shared folder permissions are only in effect when a user
accesses a resource from the network. This topic is covered in greater detail in the next lesson.
• NTFS file system permissions: Are always in effect, whether connected across the network
or logged on to the local machine where the resource is located. You can grant NTFS
permissions to a file or folder for a named group or user.

There are two types of NTFS permissions:


• Standard: Standard file and folder permissions are the most commonly used permissions;
these include basic permissions such as Read, Write, Modify, and Full Control.
• Special: Special permissions provide a finer degree of control for assigning access to files and
folders; however, special permissions are more complex to manage than standard permissions.
These include such permissions as Read/Write Attributes and Extended Attributes, Delete
subfolders and files, Take Ownership, and Synchronize.

Question: Do you have to apply permissions to keep other people from accessing your files?

What Is Permission Inheritance?

There are two types of permissions:


• Explicit permissions: Permissions that are set by default on non-child objects when the
object is created, or by user action on non-child, parent, or child objects.
• Inherited permissions: Permissions that are propagated to an object from a parent object.
Inherited permissions ease the task of managing permissions and ensure consistency of
permissions among all objects within a given container.
Permission inheritance allows the NTFS permissions set on a folder to be applied
automatically to files created in that folder and its subfolders. This means that NTFS
permissions for an entire folder structure can be set at a single point, and if a change is
required, it needs to be made only at that single point.
Permissions can also be added to files and folders below the initial point of inheritance,
without modifying the original permissions assignment. This is done to grant a specific user or
group a different file access than the inherited permissions.

There are three ways to make changes to inherited permissions:


• Make the changes to the parent folder, and then the file or folder will inherit these permissions.
• Select the opposite permission (Allow or Deny) to override the inherited permission.
• Choose not to inherit permissions from the parent object, and then make changes to the
permissions or remove the user or group from the Permissions list of the file or folder.
In most cases, Deny overrides Allow unless a folder is inheriting conflicting settings
from different parents. In that case, the setting inherited from the parent closest to the object in
the sub-tree will have precedence.
Only inheritable permissions are inherited by child objects. When permissions are set on
the parent object, you need to decide whether folders or subfolders can inherit them by
configuring Advanced Security Settings.

Note: Inherited Deny permissions do not prevent access to an object if the object has an
explicit Allow permission entry. Explicit permissions take precedence over inherited
permissions, even inherited Deny permissions.

Blocking Permission Inheritance


After permissions are set on a parent folder, new files and subfolders that are created in
the folder inherit these permissions. Permission inheritance can be blocked to restrict access to
these files and subfolders. For example, all accounting users might be assigned Modify
permission to the ACCOUNTING folder. On the subfolder WAGES, inherited permissions can
be blocked with only a few specific users given access to the folder.

Note: When permissions inheritance is blocked, there is the option to copy existing permissions
or begin with blank permissions. Copying existing permissions simplifies the configuration
process to restrict a particular group or user.

Question: Why does permission inheritance reduce administration time?


Question: If NTFS permission is denied to a group for a particular resource while allowing the
same permission to another group for that resource, what will happen to the permissions of an
individual who is a member of both groups?

Demonstration: Configuring NTFS Permissions for Files and Folders


This demonstration shows how to safeguard files and folders by updating their NTFS
permissions. This demonstration also shows how to:
• Set permissions, such as a Read, Write, and Full Control to provide access for a specific user.
• Set the Deny permission for a user to restrict his or her ability to modify a file.
• Verify the set permissions.

Grant Selected Users Write Access to the File


1. Create a new file in the Project Documents folder.
2. Right-click the file and select Properties.
3. Select the Edit option in the Security tab, and then type AMAES\Adam as the user to assign
permissions to.
4. In the list of permissions, assign this user the Write permission.

Deny Selected Users the Ability to Modify the File

1. Add another user with special privileges for this same file; however, this time type
AMAES\Martin as the user to which you want permissions assigned.
2. In the list of permissions, deny this user the ability to Modify this file.

Verify the Deny Permissions on the File


1. Right-click the file and then click Properties.
2. On the Security tab, click Advanced.
3. On the Effective Permissions tab, select AMAES\Martin and verify configured permissions.
4. On the Effective Permissions tab, select AMAES\Adam and verify configured permissions.

Impact of Copying and Moving Files and Folders on Set Permissions

When a file or folder is copied or moved, its permissions can change depending on where
the file or folder is copied or moved to. It is important for you to understand the impact on
permissions when files are copied or moved.

Effects of Copying Files and Folders


When copying a file or folder from one folder to another folder, or from one partition to
another partition, permissions for the files or folders might change. Copying a file or folder has
the following effects on the NTFS file system permissions:
• When copying a file or folder within a single NTFS partition, the copy of the folder or file
inherits the permissions of the destination folder.
• When copying a file or folder to a different NTFS partition, the copy of the folder or file inherits
the permissions of the destination folder.
• When copying a file or folder to a non-NTFS partition, such as a FAT partition, the copy of the
folder or file loses its NTFS file system permissions because non-NTFS partitions do not
support NTFS file system permissions.

Note: When copying a file or folder within a single NTFS partition or between NTFS partitions,
you must have Read permission for the source folder and Write permission for the destination
folder.

Effects of Moving Files and Folders


When moving a file or folder, permissions might change, depending on the permissions
of the destination folder. Moving a file or folder has the following effects on NTFS file system
permissions:
• When moving a file or folder within an NTFS partition, the file or folder inherits the permissions
of the new parent folder. If the file or folder has explicitly assigned permissions, those
permissions are retained in addition to the newly inherited permissions.

Note: Most files do not have explicitly assigned permissions. Instead, they inherit permissions
from their parent folder. If files that have only inherited permissions are moved, they do not
retain these inherited permissions during the move.

• When moving a file or folder to a different NTFS partition, the folder or file inherits the
permissions of the destination folder. When moving a folder or file between partitions, Windows
7 copies the folder or file to the new location and then deletes it from the old location.
• When moving a file or folder to a non-NTFS partition, the folder or file loses its NTFS file
system permissions, because non-NTFS partitions do not support NTFS file system
permissions.

Note: When moving a file or folder within an NTFS partition or between NTFS partitions, you
must have both Write permission for the destination folder and Modify permission for the source
file or folder. Modify permission is required if moving a folder or file because Windows 7 deletes
the folder or file from the source folder after it copies it to the destination folder.

Question: Why is administration time reduced when files and folders are moved within the
same partition?

What Are Effective Permissions?

Each file and folder contains user and group permissions. Windows 7 determines a file or
folder’s effective permissions by combining its user and group permissions. For example, if a
user is assigned Read permission and a group the user is a member of is assigned Modify
permission, the effective permissions of the user are Modify.
When permissions are combined, Deny permission takes precedence and overrides
Allow permission. For example, if a group is assigned Modify permission to a folder and a user
that is a member of that group is denied Modify permission for the same folder, then the user is
denied the Modify permission for the folder.

Effective Permissions Feature


The Effective Permissions feature determines the permissions a user or group has on an
object by calculating the permissions that are granted to the user or group. The calculation
takes the permissions in effect from group membership into account and any of the permissions
inherited from the parent object. It looks up all domain and local groups in which the user or
group is a member.
The Effective Permissions feature only produces an approximation of the permissions
that a user has. The actual permissions the user has may be different, since permissions can be
granted or denied based on how a user logs on. This logon-specific information cannot be
determined by the Effective Permissions feature, since the user may not log on. Therefore, the
effective permissions it displays reflect only those permissions specified by the user or group
and not the permissions specified by the logon.
For example, if a user is connected to a computer through a file share, then the logon for
that user is marked as a Network Logon. Permissions can be granted or denied to the well-
known security ID (SID) Network which the connected user receives, so a user has different
permissions when logged on locally than when logged on over a network.

Question: If a group is assigned Modify permission to a folder and a user that is a member of
that group is denied Modify permission for the same folder, what is the user’s effective
permission for the folder?

Discussion: Determining Effective Permissions


This discussion includes a scenario and three underlying situations in which you are
asked to apply NTFS permissions. You and your classmates will discuss possible solutions to
each situation.

Scenario: User1 is a member of the Users group and the Sales group. The graphic on the slide,
which shows folders and files on the NTFS partition, includes three situations, each of which
has a corresponding discussion question.
Question 1: The Users group has Write permission, and the Sales group has Read permission
for Folder1. What permissions does User1 have for Folder1?
Answer: WRITE

Question 2: The Users group has Read permission for Folder1. The Sales group has Write
permission for Folder2. What permissions does User1 have for File2?
Answer: READ

Question 3: The Users group has Modify permission for Folder1. File2 is accessible only to the
Sales group, and they are only able to read File2. What do you do to ensure that the
Sales group has only Read permission for File2?
Answer: Prevent permissions inheritance for Folder2 or File2. Remove the permissions for
Folder2 or File2 that Folder2 has inherited from Folder1. Grant only Read permission to
the Sales group for Folder2 or File2.

Lesson 3: Managing Shared Folders


Collaboration is an important part of your job. Your team might create documents that
are only shared by its members, or you might work with a remote team member who needs
access to your team’s files. Because of collaboration requirements, you must understand how to
manage shared folders in a network environment.
Sharing folders gives users access to those folders over a network. Users can connect
to the shared folder over the network to access the folders and files that are contained in the
shared folder. It is important to understand the authorization implications when resources are
shared, especially network shared resources.
Shared folders can contain applications, public data, or a user’s personal data.
Managing shared folders helps you provide a central location for users to access common files
and simplifies your task of backing up data that is contained in those files.

What Are Shared Folders?

Sharing a folder makes it available to multiple users simultaneously over the network.
When sharing a folder, you can identify specific users to share the folder with or share it with all
the users on the network. Sharing is limited to folders and not to specific files within a folder.
When creating a shared folder by using the Provision a Shared Folder Wizard in the
Share and Storage Management console or by using the File Sharing Wizard, you can configure
the permissions assigned to each share as it is created.

In Windows 7, members of the Administrators, Power Users, and Server Operators
groups can share folders. Other users who have been granted the Create Permanent Shared
Objects user right can also share folders. If a folder resides on an NTFS volume, you must have
at least Read permission to share the folder.

There are several different ways to share folders with others on the network:
• In the Microsoft Management Console (MMC) snap-in titled Shares
• In Windows Explorer by right-clicking on a folder and selecting the Share with option
• Through the command line using the Net Share command
• Through Computer Management

Question: What is a benefit of sharing folders across a network?

Methods of Sharing Folders


Windows 7 provides two methods for sharing folders directly from your computer:
• Any folder sharing: Allows sharing of music, photos, and other files from any folder on your
computer without having to move them from their current location. There are two types of Any
Folder sharing - basic and advanced.

• Public folder sharing: Public folders serve as open drop boxes. Copying a file into a public
folder makes it immediately available to other users on your computer or network.

Any Folder Sharing - Basic


Basic folder sharing is the simplest form of Any Folder sharing because it enables
sharing a folder quickly and simply. To share a folder by using basic sharing, right-click the
folder and then click Share with.
Although Windows creates the share name automatically, you must manually define the
NTFS and Share permissions. Windows 7 allows you to choose not only who gets to view a file,
but what recipients can do with it. This is called sharing permissions.

Any Folder Sharing - Advanced


Advanced Sharing is used to exert more control over the Any Folder sharing process.
When Advanced Sharing is used to share a folder, you must specify the following information:
• A share name
• The maximum number of concurrent connections to the folder
• Shared folder permissions
• Caching options

To use Advanced Sharing, right-click the folder to share, click Properties, click the
Sharing tab, and then click Advanced Sharing.

Public Folder Sharing


When you turn on Public folder sharing in Windows 7, anyone with an account on your
computer, or a PC on your network, can access the contents of these folders. To share
something, copy or move it into one of these public folders.
You can see these folders by clicking the Start button, clicking your user account name,
and then clicking the arrow beside Libraries to expand the folders. By default, Public folder
sharing is not enabled. However, files stored in the Public folder hierarchy are available to all
users who have an account on a given computer and can log on to it locally. You can configure
Windows 7 to allow access to the Public folder from the network in two ways:
• Turn on sharing so anyone with network access can open files.
• Turn on sharing so anyone with network access can open, change, and create files.

When you turn on Public folder sharing, users who have an account on the computer or
network can connect to this folder both locally and remotely to access shared files.
Public folder sharing does not allow you to fine-tune sharing permissions, but it does
provide a simple way to make your files available to others. You can select one of these two
Public folder permission options through the Network and Sharing Center, which is a topic
discussed later in this lesson.

Question: When is it necessary to avoid using Public folder sharing?


Question: Do you have to apply permissions to share your files with other users on your
computer?

Discussion: Combining NTFS and Share Permissions

When a shared folder is created on a partition formatted with the NTFS file system, both
the shared folder permissions and the NTFS file system permissions are combined to protect
file resources. NTFS file system permissions apply whether the resource is accessed locally or
over a network; when access is over the network, they are filtered through the shared folder
permissions.
When shared folder permissions are granted on an NTFS volume, the following
rules apply:
• By default, the Everyone group is granted the shared folder permission Read.
• Users must have the appropriate NTFS file system permissions for each file and subfolder in a
shared folder, in addition to the appropriate shared folder permissions, to access those
resources.
• When NTFS file system permissions and shared folder permissions are combined, the
resulting permission is the more restrictive of the effective shared folder permissions and the
effective NTFS file system permissions.
• The share permissions on a folder apply to that folder, to all files in that folder, to its subfolders,
and to all files in those subfolders.
The following analogy can be helpful in understanding what happens when you combine
NTFS and share permissions. When dealing with a shared folder, you must always go through
the shared folder to access its files over the network. Therefore, you can think of the shared
folder permissions as a filter that only allows users to perform actions on its contents that are
acceptable to the share permissions. All NTFS permissions that are less restrictive than the
share permissions are filtered out so that only the share permission remains. For example, if the
share permission is set to Read, then the most you can do is read through the shared folder,
even if the individual NTFS file permission is set to Full Control. If you configure the share
permission to Modify, then you are allowed to read or modify the shared folder contents. If the
NTFS permission is set to Full Control, then the share permissions filter the effective permission
down to just Modify.
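The filtering rule described above, as an added Python example that is not part of this lecture manual: it models a user's effective permission on a file reached through a share as the more restrictive of the share level and the NTFS level, and shows that the share filter does not apply to local access. The group names, the sample share and NTFS access lists, and the three-level ranking are constructed for illustration; real ACLs also carry Deny entries and finer-grained rights, which this model leaves out.

```python
# Added example, not from the lecture manual: how Windows combines share and
# NTFS permissions into one effective permission. The ACLs below are constructed.
from enum import IntEnum


class Level(IntEnum):
    """Ranked access levels; a higher value is less restrictive."""
    NONE = 0
    READ = 1
    CHANGE = 2   # the share level "Change" (called Modify in the manual) and NTFS Modify
    FULL = 3     # Full Control


# Constructed sample: share ACL and NTFS ACL for a shared folder "Projects".
SHARE_ACL = {"Everyone": Level.READ, "IT": Level.CHANGE}
NTFS_ACL = {
    "Everyone": Level.READ,
    "IT": Level.FULL,
    "Managers": Level.FULL,
}


def granted_level(groups, acl):
    """Highest level any of the user's groups is granted by this ACL.

    Only Allow entries are modelled; an explicit Deny in a real ACL would
    override the Allow entries considered here.
    """
    return max((acl.get(g, Level.NONE) for g in groups), default=Level.NONE)


def effective_permission(groups, share_acl, ntfs_acl, over_network=True):
    """Effective permission on a file inside the share.

    Locally, only the NTFS permission applies. Over the network the share
    permission acts as a filter, so the result is the more restrictive of the two.
    """
    ntfs = granted_level(groups, ntfs_acl)
    if not over_network:
        return ntfs
    share = granted_level(groups, share_acl)
    return min(share, ntfs)


def explain(groups, share_acl, ntfs_acl):
    """Human-readable summary for one user (used by the demo below)."""
    local = effective_permission(groups, share_acl, ntfs_acl, over_network=False)
    remote = effective_permission(groups, share_acl, ntfs_acl)
    return f"{'+'.join(groups)}: local={local.name} via share={remote.name}"


if __name__ == "__main__":
    # A manager holds Full Control in NTFS but reaches the folder through a
    # share that grants Everyone only Read, so over the network Read wins.
    for member in (["Everyone", "Managers"], ["Everyone", "IT"], ["Contractors"]):
        print(explain(member, SHARE_ACL, NTFS_ACL))
```

Running the block shows the manager limited to Read through the share while keeping Full Control locally, the IT user filtered down to Change, and a group absent from both lists getting nothing, which is the outcome a practitioner should verify with Effective Access before relying on a share for protection.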

Discussion Question: If a user is assigned Full Control NTFS permission to a file but is
accessing the file through a share with Read permission, what will be the effective
permission the user will have on the file?

Discussion Question: If you want a user to be able to view all files in a shared folder but modify
only certain files in the folder, what permissions do you give the user?

Discussion Question: Identify a scenario at your organization where it might be necessary to
combine NTFS and Share permissions. What is the reason for combining permissions?

The Network and Sharing Center


With earlier versions of Windows, many different graphical interfaces and commands
were required to fully configure networking and network sharing. Windows 7 makes this
significantly simpler by providing all the required tools in one central location, the Network and
Sharing Center. The Network and Sharing Center is accessed through the Windows Control
Panel, or by typing “Network and Sharing Center” in the search box on the Start menu. It is
important to be familiar with all aspects of the Network and Sharing Center, and be able to use it
to configure all types of network connections. This topic focuses on the network sharing aspect
of the Center, while the network configuration topics are covered later in the Networking
module.

The Network and Sharing Center provides the following tools:


• View a Network Map
• Set Up a New Connection or Network
• Change Advanced Sharing Options
• Choose Homegroup and Sharing Options
• Fix a Network Problem

View a Network Map


The Network Map is a tool that graphically displays the computers and other network
devices that are present on your network.
The full map is viewed by clicking the See full map link. Because not all devices return
connectivity information, the topology map might not display every device correctly. These
devices are placed at the bottom of the map, and you can obtain more details about them by
switching to a list view. By default, the See full map option is disabled on domains for end
users; however, it is available for network administrators.

Note: The Network Map is not just a topology; it shows active network devices that you can
configure or troubleshoot.

Set Up a New Connection or Network


You can customize the currently active network connections in the section just under the
Network Map. If preferred, you can change the description and icon appearance to include more
information. View and change network connection properties by clicking View Status on the
right side of the connection listing.

You can maintain the following network connections in this section:


• Connect to the Internet: set up a wireless, broadband, or dial-up connection to the Internet.
• Set up a Network: configure a new router or access point.
• Set up a Dial-up Connection: connect to the Internet using a dial-up connection.
• Connect to a Workplace: set up a dial-up or VPN connection to your workplace.

Note: You can change the network location profile between private and public. This changes
firewall and visibility settings for that network connection.

Change Advanced Sharing Settings


The Network and Sharing Center includes a Change advanced sharing settings link
that is used to enable, disable, and change the way that various network services behave. This
behavior is configurable by network location. The first time you connect to a network, you must
choose a network location. This automatically sets the appropriate firewall, security, and sharing
settings for the type of network that you connect to.
If you connect to networks in different locations (for example, a network at your home, at
a local coffee shop, or at work), choosing a network location can help ensure that your computer
is always set to an appropriate security level.
When a user connects to a new network, Windows 7 allows the user to select one of the
following network locations:
• Home: In a trusted home network, all the computers on the network are at your home and you
recognize them. This network location must not be chosen for public places such as coffee
shops and airports.
Network discovery is turned on for home networks, which allows you to see other
computers and devices on the network and allows other network users to see your computer.

• Work: In a trusted work network, all computers on the network are at your workplace and you
recognize them. This network location must not be chosen for public places such as coffee
shops and airports. Network discovery is turned on by default.

• Public: If you do not recognize all the computers on the network (for example, you are in a
coffee shop or airport, or you have mobile broadband), then this is a public network and is not
trusted.
This location helps keep your computer from being visible to other computers around
you, and helps protect your computer from any malicious software from the Internet.
Also choose this option if you are connected directly to the Internet without using a
router, or if you have a mobile broadband connection. Network discovery is turned off.

• Domain: The domain network location is used for domain networks such as those at
enterprise workplaces. This type of network location is controlled by your network administrator
and cannot be selected or changed.
For each of these network locations, you can configure the following settings:
• Network Discovery
• File sharing
• Public folder sharing
• Printer sharing
• Media Sharing
You need to know how to enable Network Discovery and configure the features so that
your users can access available network resources and shared folders. Network Discovery
provides two key benefits:
• Once it is enabled, components on the computer allow it to map to the network and respond to
map requests.
• It is used to directly access each device on the network map by double-clicking on the device
icon.

Choose Homegroup and Sharing Options


This feature is available if a homegroup is defined on your network, or if you are
connected to a homegroup from a domain-joined computer. In either case, you can use this
feature to link computers on your home network to share pictures, music, video, documents,
and printers.

Fix a Network Problem


This feature is used to diagnose and repair network problems, and to get troubleshooting
information for the following network components:
• Internet connections
• Connection to a shared folder
• Homegroup
• Network adapter
• Incoming connections
• Printers

Lesson 4: Configuring File Compression


It is important for you to understand the benefits of file and folder compression, and how
to compress files and folders using the two methods available in Windows 7:
• NTFS file compression
• Compressed (zipped) Folders

This lesson explores and contrasts these two methods of compression. In addition, the lesson
examines the impact of various file and folder activities on compressed files and folders.

What Is NTFS File Compression?

The NTFS file system supports file compression on an individual file basis. NTFS
compression, which is available on volumes that use the NTFS file system, has the following
features and limitations:

• Compression is an attribute of a file or folder.
• Volumes, folders, and files on an NTFS volume are either compressed or uncompressed.
• New files created in a compressed folder are compressed by default.
• The compression state of a folder does not necessarily reflect the compression state of
the files within that folder.

For example, you can compress a folder without compressing its contents, and uncompress
some or all of the files in a compressed folder.

• You can work with NTFS-compressed files without decompressing them yourself, because
Windows decompresses and recompresses them without user intervention.
• When a compressed file is opened, Windows automatically decompresses it for you.
• When the file is closed, Windows compresses it again.
• NTFS-compressed file and folder names are displayed in a different color to make
them easier to identify.
• NTFS-compressed files and folders remain compressed only while they are stored on
an NTFS volume.
• An NTFS-compressed file cannot be encrypted.
• The compressed bytes of a file are not accessible to applications; they see only the
uncompressed data.
• Applications that open a compressed file can operate on it as if it were not
compressed.
• Because compression is an NTFS attribute, these files are stored uncompressed when
they are copied to another file system.

Discussion: Impact of Moving and Copying Compressed Files and Folders

Moving and copying compressed files and folders can change their compression state.
This discussion includes five situations in which you are asked to identify the impact of copying
and moving compressed files and folders. You and your classmates will discuss the possible
solutions to each situation.

Copy Within an NTFS Partition

What happens to the compression state of a file or folder when you copy it within an NTFS
partition?

Move Within an NTFS Partition

What happens to the compression state of a file or folder when you move it within an NTFS
partition?

Copy or Move Between NTFS Partitions

What happens to the compression state of a file or folder when you copy or move it between
NTFS partitions?

Copy or Move Between FAT and NTFS Volumes

What happens to the compression state of a file that you copy or move between FAT and NTFS
volumes?

What Are Compressed (Zipped) Folders?

In Windows 7, several files and folders can be combined into a single compressed folder
by using the Compressed (zipped) Folders feature. This feature can be used to share a group
of files and folders with others without being concerned about sending them individual files and
folders.
Files and folders that are compressed by using the Compressed (zipped) Folders
feature can be compressed on FAT and NTFS file system drives. A zipper icon identifies files
and folders that are compressed by using this feature.
Files can be opened directly from these compressed folders, and some programs can be
run directly from these compressed folders without uncompressing them. Files in the
compressed folders are compatible with other file-compression programs and files. These
compressed files and folders can also be moved to any drive or folder on your computer, the
Internet, or your network.
Compressing folders by using Compressed (zipped) Folders does not affect the overall
performance of your computer. CPU utilization increases only when Compressed (zipped)
Folders is used to compress a file. Compressed files take up less storage space and can be
transferred to other computers more quickly than uncompressed files. Work with compressed
files and folders the same way you work with uncompressed files and folders.

Send to Compressed (zipped) Folder

By using the Send To > Compressed (zipped) Folder command in Windows Explorer, you can
quickly:
• Create a compressed version of a file.
• Send a file to a compressed (zipped) folder.
Alternatively, if a compressed folder is already created and now a new file or folder needs to be
added to it, drag the desired file to the compressed folder instead of using the Send To >
Compressed (zipped) Folder command.

Note: Unlike NTFS compressed folders and files, Compressed (zipped) Folders can be moved
and copied without change between volumes, drives, and file systems.

Demonstration: Compressing Files and Folders

This demonstration shows how to compress a folder and a file, and it also shows the impact of
moving and copying a compressed file.

Compress a Folder/File by Using the NTFS Compression Feature

1. In the Project Documents folder, right-click the folder or file that you want to compress and
click Properties.
2. In the Advanced options, select the Compress contents to save disk space check box.

Compress a Folder by Using the Compressed (zipped) Folder Feature


1. Right-click the folder that you want to compress, click Send To, and then click Compressed
(zipped) Folder.
2. Type the name of the new zipped file and press ENTER.

Lesson 5: Managing Printing


To set up a shared printing strategy to meet your users’ needs, you must understand
what the Windows 7 printing components are and how to manage them.
This lesson examines the printing components in a Windows 7 environment, including
printer ports and drivers.

The instructor will demonstrate how to install and share a printer, and you will review
how to use the Print Management tool to administer multiple printers and print servers.

Printing Components in Windows 7

When a printer is installed and shared in Windows 7, you must define the relationship
between the printer and two printer components: the printer port and the printer driver.

Defining the Printer Port


Windows 7 detects printers that you connect to by using a USB port. However, Windows
might not detect printers that connect by using older ports, such as serial or parallel ports. In
such cases, you must manually configure the printer port.

Installing a Driver
The printer driver is a software interface that allows your computer to communicate with
the printer device. Without a printer driver, the printer that is connected to your computer will not
work properly. The printer driver is responsible for converting the print job into a page
description language (PDL) that the printer can use to print the job. The most common PDLs are
PostScript, printer control language (PCL), and XML Paper Specifications (XPS).
In most cases, drivers come with Windows, or you can find them by going to Windows
Update in Control Panel and checking for updates. If Windows does not have the driver needed,
you can find it on the disk that came with the printer, or on the manufacturer's Web site.
If the Windows operating system does not recognize your printer automatically, you must
configure the printer type during the installation process. The printer setup wizard presents you
with an extensive list of the printer drivers that are currently installed. However, if your printer is
not listed, you must obtain and install the necessary driver.
You can preinstall printer drivers into the driver store, thereby making them available in
the printer list, by using the pnputil.exe command-line tool. When you connect a new printer to
your computer, Windows tries to find and install a software driver for the printer.
Occasionally, you might see a notification that a driver is unsigned, that it has been altered since
it was signed, or that Windows cannot install it. You can choose whether to install a driver that is
unsigned or has been altered since it was signed.

XPS and GDI-Based Printing


The XML Paper Specification (XPS) is a new document description language that
provides users and developers with a robust, open, and trustworthy format for electronic paper.
XPS is platform independent, openly published, and is integrated into Microsoft Windows 7 and
the 2007 Microsoft Office system.
XPS is a single format for document presentation that can be used to display documents
and as a PDL for printing. XPS describes electronic paper in a way that can be read by
hardware, software, and people. XPS documents print better, can be shared more easily, are
better protected, and can be archived with confidence.
When XPS is used as a document description language, documents are saved in XPS
format. This is done as an alternative to sharing documents in Word or Rich Text Format (RTF).
The benefit of using XPS to distribute documents is that the exact page layout is defined. When
the document is viewed or printed, the layout does not vary depending on the printer driver that
is installed. XPS documents are not meant to be edited.
When XPS is used as a PDL, documents are converted to XPS during printing. The
printer accepts the XPS document and prints it. In this case, XPS is a replacement for PCL or
PostScript.

GDI-Based Printing
Graphical Device Interface (GDI) printing is a software API used by applications to
communicate with the drivers of graphical output devices, such as printers or graphics cards.

Graphical Device Interface (GDI) printing is used in versions of Windows before Windows Vista.
The set of application programming interfaces (APIs) used by applications to access operating
system resources is Microsoft Win32®. Win32 applications use GDI-based printing.
With GDI-based printing, the rendering of printed documents is performed by the printer
driver that is running on the PC. When a document is printed, the printer knows nothing about
how the text characters look or how color adjustment works. Instead, the printer driver that is
running on the PC renders the bitmap of each printed page, and the bitmap is sent to the printer.
GDI-based printing is also known as host-based printing because the rendering is done on the
host PC; this is why every printer comes with a driver CD containing a driver written specifically
for that printer model.

XPS-Based Printing
XPS-based printing uses only XPS as a single format for print jobs. Only newer
applications that use Windows Presentation Foundation (WPF) APIs use XPS based printing.
XPS-based printing results in better quality printed copies. The print quality of graphics is
superior because conversion is removed from the process and better color information is stored
in the XPS file. The XPS files are also smaller than the equivalent EMF files. The XPS printing
process also simplifies applications’ task of querying print job and printer configuration
information.

Interoperability of XPS and GDI-Based Printing


There is interoperability between XPS and GDI-based printing. This allows older GDI-
based printer drivers to be used with applications that use XPS-based printing. If it is necessary,
the printing subsystem converts an XPS file to EMF to support older printer drivers. Newer XPS-
based printers can also be used with older Win32 applications. If it is necessary, the printing
subsystem converts EMF files to XPS to support new XPS based printer drivers.

Demonstration: Installing and Sharing a Printer


The most common and simplest way to install a printer is to connect it directly to your
computer (known as a local printer). If your printer is a USB model, Windows automatically
detects and installs it when you plug it in. If your printer is an older model that connects using
the serial or parallel port, you might have to install it manually.
In the workplace, many printers are network printers. These connect directly to a
network as a stand-alone device. Network printers typically connect through an Ethernet cable
or wireless technologies such as Wi-Fi or Bluetooth.

Note: Available network printers can include all printers on a network, such as Bluetooth and
wireless printers, or printers that are plugged into another computer and shared on the network.
Ensure that you have permission to use these printers before adding them to the computer.

Demonstration: This demonstration shows how to install and share a printer through Devices
and Printers. It also sets several permissions, including Share the Printer permission. Advanced
options that can be set for the printer are also discussed.
Create and Share a Local Printer
1. In Control Panel, select View devices or printers.
2. Select Add a printer from the menu. This initiates the Add Printer Wizard.
3. Respond to each page in the wizard by selecting a printer port, the printer type, and
the printer name, and accept the default printer sharing options.
Set Permissions and Advanced Options for the Printer
1. Open the Control Panel and click View devices and printers.
2. Right-click on the printer and select Printer Properties.
3. Select the Edit option in the Security tab and then type AMAES\IT as the user to
assign permissions to.
4. In the list of permissions, assign the ability to Manage Printers and to Manage
Documents.
5. In the Advanced tab, select the Hold mismatched documents option. Review the
other print options available on this tab.
6. In the General tab, in the Location field, type the name of the location where the
printer resides.
7. Click Preferences, and in the Printing Shortcuts tab, set Print Quality to

Managing Client-Side Printing

Print Management provides a single interface to administer multiple printers and print
servers. Print Management (or the Printbrm.exe command-line tool) is also used to export
printers and settings from one computer and import them on another computer.
To open the Microsoft Management Console (MMC) snap-in for Print Management, click
Start, click Control Panel, click System and Maintenance, click Administrative Tools, and
then click Print Management.

The Print Management MMC snap-in is used to perform all the basic management tasks
for a printer; printers can also be managed from the Devices and Printers page in Control
Panel. These tasks include:
• Cancel print jobs.
• Pause or Resume a print job.
• Restart a print job.
• Reorder the print queue.

Once a print job is initiated, you can view, pause, and cancel your print job through the
print queue. The print queue shows what is printing or waiting to print. It also displays
information such as job status, who is printing what, and how many unprinted pages remain.
From the print queue, you can view and maintain the print jobs for each printer. The print queue
can be accessed from the Print Management MMC snap-in and through the See what’s
printing option on the Devices and Printers control panel page. This is used to view what is
printing and what is waiting to print for a specific printer. Documents that are listed first will be
the first to print.

Configuring Location-Aware Printing


Windows 7 offers the ability to automatically switch your laptop’s default printer when it
detects you have moved from one network location to another, such as from public to domain.
This feature, called location-aware printing, is only found on laptops and other portable devices
that use a battery.

Configure Location-Aware Printing


To configure location-aware printing, you must first set a printer as your default. That
printer then becomes the default for the network you are connected to.

Manage Location-Aware Printing Settings


Once the default printer is set for your computer, you must then perform the following
steps to manage the location-aware printing settings:
1. In Devices and Printers, click Manage default printers on the toolbar.
2. In the Manage Default Printers dialog box, click Change my default printer when I change
networks.
3. Click the Select network list and then choose a network.
4. Click the Select printer list, select a corresponding default network printer, and then click
Add.
5. Repeat steps 3 and 4 as necessary.
If you do not want Windows to change your default printer settings when moving from
place to place, click Always use the same printer as my default printer in the Manage
Default Printers dialog box. If you want a wireless network to appear in the Manage Default
Printers dialog box, it is necessary to have successfully connected to that wireless network at
least once.

Note: Location-aware printing does not work when you are connecting to a network through
Remote Desktop (Terminal Services).

Module Review and Takeaways

Review Questions
1. You decided to share a folder containing the Scoping Assessment document and other
planning files created for your upcoming Microsoft Dynamics CRM implementation at Fabrikam,
Inc. However, now you do not want any of these planning files available offline. Which advanced
sharing options must you configure to enforce this requirement?

2. AMAES is installing Microsoft Dynamics® GP and they have contracted with a vendor to
provide some custom programming work. AMAES asked Joseph, their senior IT desktop
specialist, to configure the NTFS permissions for the GP planning files it will be accumulating.
AMAES has asked that all IT users be assigned Modify permissions to the GP Implementation
Planning folder. However, AMAES only wants the subfolder titled Vendor Contracts to be
available for viewing by a select group of managers. How can Joseph accomplish this by taking
into account permission inheritance?

3. Peter is an IT professional working at Fabrikam. He is having trouble accessing a particular
file and suspects it has something to do with his NTFS permissions associated with the file. How
can he view his effective file permissions?

4. Robin recently created a spreadsheet in which she explicitly assigned it NTFS file
permissions that restricted file access to just herself. Following the system reorganization, the
file moved to a folder on another NTFS partition and Robin discovered that other users were
able to access the spreadsheet. What is the probable cause of this situation?

5. AMAES recently installed Windows 7 on its client computers. Because many of their sales
staff travel and work from various branch offices throughout any given month, AMAES decided
to take advantage of the location-aware printing functionality in Windows 7. Michael, a sales
representative, was pleased that he no longer had to configure printers each time he needed to
print a document at a branch office. However, to Michael’s dismay, on his last
trip he tried to connect to the company network using Terminal Services and found that he still
had to manually select the printer when he wanted to print a file. Why did the system not
automatically recognize the printer for Michael?

Best Practices Related to Authentication and Authorization


Supplement or modify the following best practices for your own work situations:
• When setting up a computer, you are required to create a user account. This account is
an administrator account used to set up your computer and install any programs required.
Once you are finished setting up the computer, it is recommended to use a standard user
account for your daily computing.
It is safer to use a standard user account instead of an administrator account because it can
prevent users from making changes that affect everyone who uses the computer, especially if
your user account logon credentials are stolen.
• Considerations when taking ownership of a file or folder include:
• An administrator can take ownership of any file on the computer.
• Assigning ownership of a file or folder might require elevating your permissions through
User Account Control.
• The Everyone group no longer includes the Anonymous Logon group.

Best Practices Related to NTFS Permissions


Supplement or modify the following best practices for your own work situations:
• To simplify the assignment of permissions, you can grant the Everyone group Full
Control share permission to all shares and use only NTFS permissions to control access.
Restrict share permissions to the minimum required to provide an extra layer of security in case
NTFS permissions are configured incorrectly.

• When permissions inheritance is blocked, you have the option to copy existing
permissions or begin with blank permissions. If you only want to restrict a particular group or
user, then copy existing permissions to simplify the configuration process.

Best Practices Related to Managing Shared Folders


Supplement or modify the following best practices for your own work situations:
• If the guest user account is enabled on your computer, the Everyone group includes
anyone. In practice, remove the Everyone group from any permission lists, and replace it with
the Authenticated Users group.

• Using a firewall other than that supplied with Windows 7 might interfere with
the Network Discovery and file-sharing features.

Tools
Use the following Command Prompt tools to manage file and printer sharing.

Module 4: Configuring Network Connectivity


Module Overview
Network connectivity is essential in today’s business environment and is also becoming
critical in home environments. Whether you are part of a business network infrastructure,
operate a home office, or need to share files and access the Internet, an increasing number of
computer users want to connect their computers to a network. The Windows® 7 operating
system provides enhanced networking functionality as compared to the previous Microsoft®
Windows desktop operating systems, and it introduces support for newer technologies.
Windows 7 has both TCP/IP version 4 and TCP/IP version 6 installed and enabled by default.
An understanding of both IPv4 and IPv6, and the operating system’s access capabilities help
you configure and troubleshoot Windows 7 networking features.

Lesson 1: Configuring IPv4 Network Connectivity


IPv4 uses a specific addressing scheme and name-resolution mechanism to transmit
data between connected systems. To connect computers running Windows 7 to a network, you
must understand the concepts of IPv4 addressing, Domain Name System (DNS), and Windows
Internet Naming Service (WINS) name resolution.

What Is an IPv4 Address?

An IPv4 address identifies a computer to other computers on a network. Assign a unique
IPv4 address to each networked computer. An IPv4 address is a 32-bit address divided into
four octets. To make IP addresses more readable, the binary representation is typically
shown in dotted-decimal form.

The address, in conjunction with a subnet mask, identifies:

• The unique identity of the computer, which is the host ID.
• The subnet on which the computer resides, which is the network ID. This enables a networked
computer to communicate with other networked computers in a routed environment.

The Internet Assigned Numbers Authority (IANA) organizes IPv4 addresses into classes. The
number of hosts that a network has determines the class of addresses that is required. IANA
has named the IPv4 address classes from Class A through Class E.

What Is a Subnet Mask?

A subnet mask specifies which part of an IPv4 address is the network ID and which part
of the IPv4 address is the host ID. A subnet mask has four octets, similar to an IPv4 address. To
understand subnet masks, you first must understand what a subnet is. A subnet is a segment
of a network. One or more routers separate the subnet from the rest of the network. You can
subdivide the network address range to match the network’s physical layout. When you
subdivide a network into subnets, create a unique ID for each subnet derived from the main
network ID. By using subnets, you can:
• Use a single Class A, B, or C network across multiple physical locations.
• Reduce network congestion by segmenting traffic and reducing broadcasts on each
segment.
• Overcome limitations of current technologies, such as exceeding the maximum number
of hosts that each segment can have.

Subnet Bits in the Mask


Before you define a subnet mask, estimate how many segments, and how many hosts on each
segment, are required. This enables you to use the appropriate number of bits for the subnet
mask. Calculate the number of subnets that the subnet bits provide by using the formula 2^n, where
n is the number of subnet bits.

Host Bits in the Mask


To determine the host bits in the mask, work out how many bits are required to support the hosts
on a subnet. Calculate the number of hosts that the host bits provide by using the formula 2^n - 2,
where n is the number of host bits. This result must be at least the number of hosts that you need on
the subnet. It is also the maximum number of hosts that you can configure on that subnet.

Calculating Subnet Addresses


To determine subnet addresses quickly, use the lowest-value bit in the subnet mask. For
example, if you choose to subnet the network 172.16.0.0 by using 3 bits, this means the subnet
mask is 255.255.224.0. The decimal 224 is 11100000 in binary, and the lowest set bit has a value
of 32, so that is the increment between each subnet address.

Calculating Host Addresses


You can calculate each subnet’s range of host addresses by using the following process:
• The first host address is one higher than the current subnet ID.
• The last host address is two lower than the next subnet ID.

Simple IPv4 Networks


In simple IPv4 networks, the subnet mask defines full octets as part of the network ID
and host ID. The following table lists the characteristics of each IP address class.

Complex IPv4 Networks


In complex networks, subnet masks might not be simple combinations of 255 and 0.
Classless addressing, or Classless Inter-Domain Routing (CIDR), is when you do not use full
octets for subnetting. This type of subnetting uses a different notation, which the following
example shows:
172.16.16.1/255.255.240.0

What Is a Default Gateway?

A default gateway is a device, usually a router, which forwards IP packets to other
subnets. It connects groups of subnets to create an intranet. You must configure one router as
the default gateway for local hosts. This enables the local hosts to communicate with hosts on remote
networks as follows:
• When a host delivers an IPv4 packet, it uses the subnet mask to determine whether the
destination host is on the same network or on a remote network.
• If the destination host is on the same network, the local host delivers the packet.
• If the destination host is on a different network, the host transmits the packet to a router
for delivery.
• If the routing table on the router does not contain routing information about the
destination subnet, IPv4 forwards the packet to the default gateway.

Use a Dynamic Host Configuration Protocol (DHCP) server to assign the default gateway
automatically to a DHCP client.
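The subnet and host calculations from the subnetting sections above, together with the same-subnet test a host makes before handing a packet to its default gateway, carried out on the page's 172.16.0.0 network in Python. This is an added example, not code from the lecture manual; the network and the 3-bit mask come from the text, and the function names are the example's own.

```python
"""
IPv4 subnet planning by the method in the subnetting sections: subnet bits,
host bits, the increment given by the lowest set mask bit, first and last host,
and the same-subnet test a host makes before sending to its default gateway.
Added example, not from the lecture manual; the 172.16.0.0 network and 3-bit
mask come from the text, the function names are the example's own.
"""
from __future__ import annotations

import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-decimal text -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 value: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-decimal text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix_len: int) -> int:
    """Prefix length -> mask, e.g. 19 -> 0xFFFFE000, which is 255.255.224.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def subnet_plan(network: str, network_bits: int, subnet_bits: int) -> dict:
    """Apply the page's formulas: 2^n subnets, 2^h - 2 hosts per subnet, and
    subnet IDs spaced by the value of the lowest set bit of the mask."""
    prefix_len = network_bits + subnet_bits
    if not 1 <= prefix_len <= 30:
        raise ValueError("prefix must be /1 to /30 to leave usable host addresses")
    host_bits = 32 - prefix_len
    mask = mask_from_prefix(prefix_len)
    increment = mask & -mask                     # lowest set bit of the mask
    octet_index = 3 - (increment.bit_length() - 1) // 8
    base = to_int(network) & mask_from_prefix(network_bits)
    subnets = []
    for i in range(2 ** subnet_bits):
        subnet_id = base + i * increment
        subnets.append({
            "subnet_id": to_dotted(subnet_id),
            "first_host": to_dotted(subnet_id + 1),             # one above the ID
            "last_host": to_dotted(subnet_id + increment - 2),  # two below next ID
            "broadcast": to_dotted(subnet_id + increment - 1),
        })
    return {
        "mask": to_dotted(mask),
        "prefix_len": prefix_len,
        "subnet_count": 2 ** subnet_bits,
        "hosts_per_subnet": 2 ** host_bits - 2,
        # The lowest mask bit's value within its own octet: 32 for 255.255.224.0.
        "increment_in_octet": increment >> (8 * (3 - octet_index)),
        "subnets": subnets,
    }


def is_local(src: str, dst: str, mask: str) -> bool:
    """The test a sending host applies: equal network IDs after ANDing both
    addresses with the mask mean direct delivery; otherwise use the router."""
    m = to_int(mask)
    return (to_int(src) & m) == (to_int(dst) & m)


def matches_stdlib(plan: dict) -> bool:
    """Cross-check every subnet of a plan against Python's ipaddress module."""
    for entry in plan["subnets"]:
        net = ipaddress.ip_network(f"{entry['subnet_id']}/{plan['prefix_len']}")
        if str(net.network_address + 1) != entry["first_host"]:
            return False
        if str(net.broadcast_address - 1) != entry["last_host"]:
            return False
        if str(net.broadcast_address) != entry["broadcast"]:
            return False
    return True


if __name__ == "__main__":
    # Class B network 172.16.0.0 (16 network bits) subnetted with 3 bits.
    plan = subnet_plan("172.16.0.0", 16, 3)
    print(f"mask {plan['mask']} (/{plan['prefix_len']}): {plan['subnet_count']} subnets, "
          f"{plan['hosts_per_subnet']} hosts each, increment {plan['increment_in_octet']}")
    for entry in plan["subnets"]:
        print(entry)
    print("172.16.16.1 -> 172.16.31.254 is local:",
          is_local("172.16.16.1", "172.16.31.254", plan["mask"]))
    print("172.16.16.1 -> 172.16.32.1 is local:",
          is_local("172.16.16.1", "172.16.32.1", plan["mask"]))
    print("ipaddress module agrees:", matches_stdlib(plan))
```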

What Are Public and Private IPv4 Addresses?

Devices and hosts that connect directly to the Internet require a public IPv4 address.
Hosts and devices that do not connect directly to the Internet do not require a public IPv4
address.
Public IPv4 addresses are assigned by IANA and must be unique. The number of
addresses allocated to you depends upon how many devices and hosts you have to connect to
the Internet.
The pool of IPv4 addresses is becoming smaller, so IANA is reluctant to allocate
superfluous IPv4 addresses. IANA defines address ranges as private so that Internet-based
routers do not forward packets originating from, or destined to, these ranges. Technologies such
as Network Address Translation (NAT) enable administrators to use a relatively small number of
public IPv4 addresses, and at the same time, enable local hosts to connect to remote hosts and
services on the Internet.

Question: Which of the following is not a private IP address?


a. 171.16.16.254
b. 192.16.18.5
c. 192.168.1.1
d. 10.255.255.254
Answer: a. 171.16.16.254

Demonstration: Configuring an IPv4 Address

This demonstration shows how to configure an IPv4 address manually.


1. Log on to the computer for which you are configuring the IPv4 address.
2. Open a command prompt and display all network connections for the computer by typing the
“ipconfig /all” command.
3. In Control Panel, open the Network and Sharing Center to view the details of Local Area
Connection 3. You will see the same configuration information as returned by the ipconfig /all
command. (Note: The local Area Connection number may be different in some cases)
4. Open the Local Area Connection 3 Properties window. This window allows you to configure
protocols.
5. Open the Internet Protocol Version 4 (TCP/IPv4) Properties window. You can configure the IP
address, subnet mask, default gateway, and DNS servers in this window.
6. Open the Advanced TCP/IP Settings window. Here you configure additional settings such as
additional IP addresses, DNS settings, and WINS servers for NetBIOS name resolution.
Question: When might you need to change a computer’s IPv4 address?

Lesson 2: Configuring IPv6 Network Connectivity

While most networks to which you connect Windows 7-based computers currently
provide IPv4 support, many also support IPv6. To connect computers that are running Windows
7 to IPv6-based networks, you must understand the IPv6 addressing scheme, and the
differences between IPv4 and IPv6.

Benefits of Using IPv6

The new features and functionality in IPv6 address many IPv4 limitations. IPv6
enhancements help enable secure communication on the Internet and over corporate networks.
Some IPv6 features include the following:
• Larger address space: IPv6 uses a 128-bit address space, which provides significantly more
addresses than IPv4.
• More efficient routing: IANA provisions global addresses for the Internet to support
hierarchical routing. This reduces how many routes that Internet backbone routers must process
and improves routing efficiency.
• Simpler host configuration: IPv6 supports dynamic client configuration by using DHCPv6.
IPv6 also enables routers to configure hosts dynamically.
• Built-in security: IPv6 includes native IPSec support. This ensures that all hosts encrypt data
in transit.
• Better prioritized delivery support: IPv6 includes a Flow Label in the packet header to
provide prioritized delivery support.
This designates the communication between computers with a priority level, rather than
relying on port numbers that applications use. It also assigns a priority to the packets in which
IPSec encrypts the data.
• Redesigned header: The design of the header for IPv6 packets is more efficient in processing
and extensibility.
IPv6 moves nonessential and optional fields to extension headers for more efficient
processing. Extension headers are limited only by the full size of the IPv6 packet, which
accommodates more information than possible in the 40 bytes that the IPv4 packet header
allocates.

Windows 7 Support for IPv6

Windows 7 uses IPv6 by default and includes several features that support IPv6. Both
IPv6 and IPv4 are supported in a dual stack configuration. The dual IP stack provides a shared
transport and framing layer, shared filtering for firewalls and IPSec, and consistent performance,
security, and support for both IPv6 and IPv4. These items help lower maintenance costs.
DirectAccess enables remote users to access the corporate network anytime they have an
Internet connection; it does not require virtual private networking (VPN).
DirectAccess provides a flexible corporate network infrastructure to help you remotely
manage and update user PCs both on and off the network. With DirectAccess, the end user
experience of accessing corporate resources over an Internet connection is almost
indistinguishable from the experience of accessing these resources from a computer at work.
DirectAccess uses IPv6 to provide globally routable IP addresses for remote access clients. The
Windows 7 operating system supports remote troubleshooting capabilities, such as Remote
Desktop. Remote Desktop uses the Remote Desktop Protocol (RDP) to allow users to access
files on their office computer from another computer, such as one located at their home.
Additionally, Remote Desktop allows administrators to connect to multiple Windows Server
sessions for remote administration purposes. IPv6 addresses can be used to make remote
desktop connections.

What Is the IPv6 Address Space?

The IPv6 address space uses 128 bits compared to the 32 bits that the IPv4 address
space uses. Therefore, a much larger number of addresses is possible with IPv6 than with IPv4. An
IPv6 address allocates 64 bits for the network ID and 64 bits for the host ID.
IPv6 does not use a dotted decimal notation to compress the addresses. Instead, IPv6
uses hexadecimal notation, with a colon between each set of four digits. Each hexadecimal digit
represents four bits. To shorten IPv6 addresses, drop leading zeros and use zero compression.
By using zero compression, you represent multiple contiguous groupings of zeros as a set of
double colons. Each IPv6 address uses a prefix to define the network ID. The prefix is a forward
slash followed by the number of bits that the network ID includes.
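The shortening rules described above (drop leading zeros, compress contiguous zero groups to a double colon) and the prefix that marks the network ID, implemented in Python as an added example that is not part of the lecture manual. It uses the demonstration's address 2001:0DB8:0000:0000:02AA:00FF:FE28:9C5A with a /64 prefix, cross-checks itself against Python's ipaddress module, and the function names are the example's own.

```python
"""
IPv6 text forms as described in "What Is the IPv6 Address Space?": expand a
written address to its eight 16-bit groups, shorten it by dropping leading
zeros and compressing the longest run of zero groups to "::", and take the
network ID from a prefix length. Added example, not from the lecture manual;
the address 2001:0DB8:0000:0000:02AA:00FF:FE28:9C5A and the /64 prefix come
from the demonstration, the function names are the example's own.
"""
from __future__ import annotations

import ipaddress
import string


def expand(address: str) -> list[int]:
    """Return the eight 16-bit groups, undoing '::' and leading-zero removal."""
    if address.count("::") > 1:
        raise ValueError("an address may contain '::' only once")
    if "::" in address:
        head, tail = address.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = left + ["0"] * missing + right
    else:
        groups = address.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, found {len(groups)}")
    values = []
    for g in groups:
        if not 1 <= len(g) <= 4 or any(c not in string.hexdigits for c in g):
            raise ValueError(f"bad group {g!r}")
        values.append(int(g, 16))
    return values


def compress_groups(groups: list[int]) -> str:
    """Shortest text form (RFC 5952): lowercase hex without leading zeros, and
    the longest run of two or more zero groups (the first on a tie) as '::'."""
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, g in enumerate(groups + [None]):  # the sentinel closes a final run
        if g == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0
    hexes = [f"{g:x}" for g in groups]
    if best_len < 2:  # a single zero group is written as '0', never as '::'
        return ":".join(hexes)
    left = ":".join(hexes[:best_start])
    right = ":".join(hexes[best_start + best_len:])
    return f"{left}::{right}"


def compress(address: str) -> str:
    """Zero compression applied to an address in any valid written form."""
    return compress_groups(expand(address))


def network_id(address: str, prefix_len: int) -> str:
    """Keep the first prefix_len bits, e.g. a /64 gives '2001:db8::/64'."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("prefix length must be between 0 and 128")
    value = 0
    for g in expand(address):
        value = (value << 16) | g
    mask = ((1 << prefix_len) - 1) << (128 - prefix_len)
    net = value & mask
    net_groups = [(net >> (16 * (7 - i))) & 0xFFFF for i in range(8)]
    return f"{compress_groups(net_groups)}/{prefix_len}"


def matches_stdlib(address: str) -> bool:
    """Cross-check the hand-written compression against the ipaddress module."""
    return compress(address) == str(ipaddress.IPv6Address(address))


if __name__ == "__main__":
    demo = "2001:0DB8:0000:0000:02AA:00FF:FE28:9C5A"
    print(compress(demo))          # 2001:db8::2aa:ff:fe28:9c5a
    print(network_id(demo, 64))    # 2001:db8::/64
    print(matches_stdlib(demo), matches_stdlib("fe80::1"), matches_stdlib("::"))
```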

IPv6 Address Types


The IPv6 address types are unicast, multicast, and anycast. Unicast is used for one-to-
one communication between hosts. Each IPv6 host has multiple unicast addresses. There are
three types of unicast address as follows:
• Global Unicast Address
These addresses are equivalent to IPv4 public addresses, so they are globally routable
and reachable on the IPv6 portion of the Internet.
• Link-Local Addresses
Hosts use link-local addresses when communicating with neighboring hosts on the same
link.
• Unique Local Unicast Addresses
These are the equivalent of IPv4 private address spaces.

Multicast is used for one-to-many communication between computers that you define as
using the same multicast address. An anycast address is an IPv6 unicast address that is assigned
to multiple computers. When a host sends communication to an anycast address, only the
closest host responds. You typically use this for locating services or the nearest router.

The last 64 bits of an IPv6 address are the interface identifier. This is equivalent to the host ID
in an IPv4 address. Each interface on an IPv6 network must have a unique interface identifier.
Because the interface identifier is unique to each interface, IPv6 uses it rather than media access
control (MAC) addresses to identify hosts uniquely. To preserve privacy in network communication,
generate an interface identifier rather than use the network adapter’s hardware address.

Demonstration: Configuring an IPv6 Address


This demonstration shows how to configure an IPv6 address manually.
1. Log on to the computer for which you are configuring the IPv6 address.
2. Open a command prompt and display all network connections for the computer by typing the
“ipconfig /all” command. Notice that a link-local IPv6 address has been assigned.
3. In Control Panel, open the Network and Sharing Center to view the details of Local Area
Connection 3. You will see the same configuration information as returned by the ipconfig /all
command.
4. Open the Local Area Connection 3 Properties dialog box. This window allows you to
configure protocols. (Note: The local Area Connection number may be different in some cases).
5. Open the Internet Protocol Version 6 (TCP/IPv6) Properties window. You can configure the IP
address, subnet mask, default gateway, and DNS servers in this dialog box.
6. Click Internet Protocol Version 6 (TCP/IPv6) and then click Properties. You can configure
the IPv6 address, subnet prefix length, default gateway, and DNS servers in this dialog box.
7. Use the following IP address information:
• IPv6 address: 2001:0DB8:0000:0000:02AA:00FF:FE28:9C5A
• Subnet prefix length: 64
8. Open the Advanced TCP/IP Settings window. Here you configure additional setting such as
additional IP addresses, DNS settings, and WINS servers for NetBIOS name resolution.
9. In the Local Area Connection 3 Status window, verify that the new IPv6 address has been
added.

Question: Do you typically manually assign IPv6 addresses to a computer?


Answer: Although you can use static IP addresses with workstations, most workstations use
dynamic addressing, alternative IP addressing, or both. You configure dynamic and alternative
addressing

Lesson 3: Implementing Automatic IP Address Allocation


Windows 7 enables both the IPv4 and IPv6 protocols to obtain configuration
automatically. This helps you deploy IP-based computers that are running Windows 7 in a fast,
straightforward manner.

Automatic IPv4 Configuration Process


You can assign static IP addresses manually or use DHCPv4 to assign IP addresses
dynamically. Static configuration requires that you visit each computer and input the IPv4
configuration. This method of computer management is time-consuming and heightens the risk
of mistakes.
DHCPv4 enables you to assign automatic IPv4 configurations for large numbers of
computers without having to assign each one individually. The DHCP service receives requests
for IPv4 configuration from computers that you configure to obtain an IPv4 address
automatically. It also assigns IPv4 information from scopes that you define for each of your
network’s subnets. The DHCP service identifies the subnet from which the request originated
and assigns IP configuration from the relevant scope. If you use DHCP to assign IPv4
information, you must do the following:
• Include resilience in the DHCP service.
• Configure the scopes on the DHCP server carefully.
If you use a laptop to connect to multiple networks, each network may require a different
IP configuration. Windows 7 supports the use of Automatic Private IP Addressing (APIPA) and
an alternate static IP address for this situation. With APIPA, a Windows computer can assign
itself an Internet Protocol (IP) address in the event that a DHCP server is not available or does
not exist on the network.
By default, Windows 7 uses APIPA to assign itself an IP address from the 169.254.0.0 to
169.254.255.255 address range. This enables you to use a DHCP server at work and the
APIPA address range at home without reconfiguring IP settings. Additionally, this is useful for
troubleshooting DHCP. If the computer has an address from the APIPA range, it is an indication
that the computer cannot communicate with a DHCP server.

Automatic IPv6 Configuration Process


IP Automatic Configuration is a method of assigning an IPv6 address to an interface
automatically. It can be stateful or stateless.
• Stateful addresses are assigned by a service on a server or other device. The service that
allocated the address to the client manages the stateful address. DHCPv6 performs stateful
automatic configuration.
• Stateless addresses are configured by the client and are not maintained by a service. The
record of the address assignment is not maintained. Router advertisements perform stateless
automatic configuration.
The first step in automatically configuring an IP address generates a link-local address.
The link-local address is used by the host to communicate with other hosts on the local network.
When the host generates the link-local address, the host also performs duplicate address
detection to ensure that it is unique. When a host obtains an IPv6 address from a DHCPv6
server, the following occurs:
• The client sends a message to locate DHCPv6 servers.
• The server sends a message to indicate that it offers IPv6 addresses and configuration
options.
• The client sends a message to a specific DHCPv6 server to request configuration information.
• The selected server sends a message to the client that contains the address and configuration
settings.

Demonstration: Configuring a Computer to Obtain an IPv4 Address Dynamically


This demonstration shows how to configure a computer to obtain an IPv4 address
dynamically.
1. Log on to the computer that you are configuring to receive an IPv4 address dynamically.
2. Open a command prompt and display all network connections for the computer by typing the
“ipconfig /all” command. Notice that a link-local IPv6 address has been assigned.
3. In Control Panel, open the Network and Sharing Center and then open the properties of the
Local Area Connection 3 Status window. This window allows you to configure protocols.
4. Open the Internet Protocol Version 4 (TCP/IPv4) Properties window to select to obtain an IP
address automatically. Notice that the Alternate Configuration tab becomes available when
you do this.
5. Select to automatically obtain the DNS server address.
6. On the Alternate Configuration tab, view configuration information on when no DHCP
server is available.
7. Save the changes.
8. Open the Local Area Connection 3 Status window to view the details of Local Area
Connection 3. Notice that DHCP is enabled and the IP address of the DHCP server is
displayed.

Troubleshooting Client-Side DHCP Issues


The IPConfig tool is the primary client-side DHCP troubleshooting tool and can be used
to determine the computer’s IP address. You use IPConfig at a Command Prompt. The
following IPv4 options are helpful when diagnosing problems.
• /all – displays all IP address configuration information
• /release – forces the computer to release its IP address
• /renew – forces the computer to renew its DHCP lease
You can use the IPConfig /release6 and /renew6 options to perform these same tasks
on IPv6-configured computers.
The following are some troubleshooting examples.

Lesson 4: Overview of Name Resolution


Computers can communicate over a network by using a name in place of an IP address.
Name resolution is used to find an IP address that corresponds to a name, such as a hostname.
This lesson focuses on different types of computer names and the methods to resolve them.

Types of Computer Names


Name resolution is the process of converting computer names to IP addresses. The
application developer determines which type of name an application uses. In Windows operating
systems, applications can request network services through Windows Sockets, Winsock Kernel, or
NetBIOS. If an application requests network services through Windows Sockets or Winsock
Kernel, it uses host names. If an application requests services through NetBIOS, it uses a
NetBIOS name.

A host name is associated with a host’s IP address and identifies it as a TCP/IP host. It
is no more than 255 characters in length and contains alphanumeric characters, periods, and
hyphens.
Applications use the 16-character NetBIOS name to identify a NetBIOS resource on a
network. A NetBIOS name represents a single computer or a group of computers. NetBIOS
uses the first 15 characters for a specific computer’s name and the final sixteenth character to
identify a resource or service on that computer.

Methods for Resolving Computer Names


The methods supported by Windows 7 for resolving computer names include Domain
Name System (DNS) and Windows Internet Naming Service (WINS). DNS is a service that
manages the resolution of host names to IP addresses. DNS assigns user-friendly names to the
computer’s IPv4 address. A host name is the most common name type that DNS uses.
Applications use DNS to do the following:
• Locate domain controllers and global catalog servers.
• Resolve IP addresses to host names.
• Locate mail servers for e-mail delivery.

WINS is a NetBIOS name server used to resolve NetBIOS names to IPv4 addresses.
WINS provides a centralized database for registering dynamic mappings of a network’s
NetBIOS names. WINS is built on a protocol that registers, resolves, and releases NetBIOS
names by using unicast transmissions rather than repeated transmissions of broadcast
messages. This protocol allows the system to work across routers and eliminates the need for
an LMHOSTS file. The protocol also restores the dynamic nature of NetBIOS name resolution
and enables the system to work seamlessly with DHCP.

Lesson 5: Troubleshooting Network Issues


The tools and utilities included in this lesson help IT professionals better manage
computers and troubleshoot problems, enabling them to keep users productive while working to
reduce costs, maintain compliance, and improve operational efficiency.

Tools for Troubleshooting Networks


As the complexity of the networking stack increases, it is becoming more important to
provide methods to quickly trace and diagnose issues. Windows 7 includes a number of utilities
that help you to diagnose network problems including:
• Event Viewer
• Windows Network Diagnostics
• IPConfig
• Ping
• Tracert
• NSlookup
• Pathping
• Unified tracing

Event Viewer
Event logs are files that record significant events on a computer, such as when a
process encounters an error. You can use Event Viewer to read the log. When you select a log
and then select an event, a preview pane under the event list contains details of the specified
event. To help diagnose network problems, look for errors or warnings in the System log related
to network services.

Windows Network Diagnostics


Use Windows Network Diagnostics to diagnose and correct networking problems. A
possible description of the problem and a potential remedy are presented. The solution may
need manual intervention from the user.

IPConfig
IPConfig displays the current TCP/IP network configuration. Additionally, you can use
IPConfig to refresh DHCP and DNS settings as discussed in the “Windows Network
Diagnostics” topic.

Ping
Ping verifies IP-level connectivity to another TCP/IP computer. Ping is the primary
TCP/IP command used to troubleshoot connectivity.

Tracert
Tracert determines the path taken to a destination computer by sending Internet
Control Message Protocol (ICMP) Echo Requests. The path displayed is the list of
router interfaces between a source and a destination.

Pathping
Pathping traces a route through the network in a manner similar to Tracert. However,
Pathping provides more detailed statistics on the individual steps, or hops, through the network.

NSlookup
NSlookup displays information that you can use to diagnose the DNS infrastructure. You
can use NSlookup to confirm connection to the DNS server and that the required records exist.

Unified Tracing
The unified tracing feature is intended to help you simplify the process of gathering
relevant data to assist in troubleshooting and debugging network connectivity problems. Data is
collected across all layers of the networking stack and grouped into activities across the
following individual components:
• Configuration information
• State information
• Event or Trace Logs
• Network traffic packets

Process for Troubleshooting Networks


If you experience network connectivity problems while using Windows 7, use Windows
Network Diagnostics to start the troubleshooting process. If Windows Network Diagnostics
cannot resolve the problem, follow a troubleshooting process using the available Windows 7
tools.
1. Consult Windows Network Diagnostics. Windows Network Diagnostics analyzes the problem
and, if possible, presents a solution or a list of possible causes. It either completes the solution
automatically or requires that the user perform steps to resolve the problem.
2. Check local IP configuration by using IPConfig. IPConfig with the /all switch displays the
computer’s IP configuration. Look for an invalid IP address, subnet mask, default gateway, and
DNS server.
3. Diagnose two-way communication by using Ping. Ping confirms two-way communication
between two computers. This means that if the Ping utility fails, the local computer’s
configuration may not be the cause of the problem.
4. Identify each hop, or router, between two systems by using Tracert. Tracert identifies each
hop between the source and destination systems. If communication fails, use Tracert to identify
how many hops are successful and at which hop system communication fails.
5. Verify DNS configuration by using NSlookup. NSlookup verifies that the DNS server is
available and contains a record for the computer with which you are attempting to transmit data.
If you suspect that name resolution is the problem, add an entry to the hosts file, and then retest
name resolution. You must purge the host-name resolution cache by using ipconfig /flushdns
before rerunning the name resolution test.
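Step 2 above, together with the earlier note that an address in the APIPA range means the computer could not reach a DHCP server, applied to `ipconfig /all` output in Python. This is an added example, not code from the lecture manual; the sample output is constructed for it (only the adapter name Local Area Connection 3 follows the text), and the function names are the example's own.

```python
"""
Client-side check of `ipconfig /all` output, as step 2 of the troubleshooting
process describes: an APIPA address (169.254.x.x) means no DHCP server
answered, and a missing or off-subnet default gateway, an invalid subnet mask
or a missing DNS server each explains a class of failure. Added example, not
from the lecture manual; the sample output below is constructed for this
example, and the function names are the example's own.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed sample: what a Windows 7 client reports after DHCP fails.
SAMPLE_IPCONFIG_ALL = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WIN7-CLIENT
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Example Gigabit Adapter
   Physical Address. . . . . . . . . : 00-15-5D-01-02-03
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::2aa:ff:fe28:9c5a%11(Preferred)
   Autoconfiguration IPv4 Address. . : 169.254.16.17(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

ADAPTER_RE = re.compile(r"^\S.* adapter (?P<name>.+):$")
KEY_RE = re.compile(r"^   (?P<key>\S.*?)[ .]*: ?(?P<val>.*)$")
APIPA = ipaddress.ip_network("169.254.0.0/16")


def parse_ipconfig(text: str) -> dict[str, dict[str, list[str]]]:
    """Map adapter name -> {field: [values]}; the leading global block is kept
    under 'Windows IP Configuration'. Deeper-indented lines extend the last field."""
    adapters: dict[str, dict[str, list[str]]] = {"Windows IP Configuration": {}}
    current, last_key = "Windows IP Configuration", None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current, last_key = m.group("name"), None
            adapters[current] = {}
            continue
        if line.startswith("    ") and last_key:  # continuation value line
            adapters[current][last_key].append(line.strip())
            continue
        m = KEY_RE.match(line)
        if m:
            last_key = m.group("key")
            # "(Preferred)" and similar state suffixes are not part of the value.
            val = re.sub(r"\(.*?\)$", "", m.group("val")).strip()
            adapters[current][last_key] = [val] if val else []
    return adapters


def _is_ipv4(value: str) -> bool:
    try:
        return ipaddress.ip_address(value).version == 4
    except ValueError:
        return False


def valid_mask(mask: int) -> bool:
    """Contiguous ones followed by zeros, and neither all-zero nor all-one."""
    if mask in (0, 0xFFFFFFFF):
        return False
    inverted = (~mask) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def diagnose(adapters: dict[str, dict[str, list[str]]]) -> list[str]:
    """One finding per problem, in the order the troubleshooting step lists them."""
    findings = []
    for name, fields in adapters.items():
        addrs = fields.get("IPv4 Address", []) + fields.get("Autoconfiguration IPv4 Address", [])
        if not addrs and "Subnet Mask" not in fields:
            continue  # global block, or an adapter with no IPv4 configuration
        for a in addrs:
            if ipaddress.ip_address(a) in APIPA:
                findings.append(f"{name}: APIPA address {a}; no DHCP server answered")
        if fields.get("DHCP Enabled") == ["Yes"] and not fields.get("DHCP Server"):
            findings.append(f"{name}: DHCP enabled but no lease from a DHCP server")
        masks = fields.get("Subnet Mask", [])
        mask_ok = bool(masks) and valid_mask(int(ipaddress.ip_address(masks[0])))
        if masks and not mask_ok:
            findings.append(f"{name}: invalid subnet mask {masks[0]}")
        gateways = [g for g in fields.get("Default Gateway", []) if _is_ipv4(g)]
        if not gateways:
            findings.append(f"{name}: no IPv4 default gateway; only the local subnet is reachable")
        elif mask_ok and addrs:
            net = ipaddress.ip_interface(f"{addrs[0]}/{masks[0]}").network
            for gw in gateways:
                if ipaddress.ip_address(gw) not in net:
                    findings.append(f"{name}: gateway {gw} is not on subnet {net}")
        if not any(_is_ipv4(s) for s in fields.get("DNS Servers", [])):
            findings.append(f"{name}: no IPv4 DNS server configured")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_ipconfig(SAMPLE_IPCONFIG_ALL)):
        print(finding)
```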

Demonstration: Troubleshooting Common Network Related Problems


This demonstration shows how to resolve common network related problems.
1. Log on to the computer where you will be resolving common network problems.
2. Open a command prompt and run the following commands:
• ipconfig /all - Displays all network connections for the computer and shows all network
adapter configurations.
• ipconfig /displaydns - Displays the contents of the DNS cache.
• ipconfig /flushdns - Clears the contents of the DNS cache.
• ping (local host) - Pings the local host.
• ping (domain controller IPv4 address) - Pings the domain controller by using its IPv4 address.
• ping (domain controller host name) - Verifies connectivity to the domain controller by using a
host name.
• nslookup -d1 (domain controller) - Provides detailed information about the host name
resolution. You can use the -d2 option for even more detail.
3. Close the command prompt.

Question: How is the ping command useful for troubleshooting?


Answer: The ping command helps to verify IP-level connectivity. When troubleshooting, you
can use ping to send an ICMP echo request to a target host name or IP address.

Module Review and Takeaways

Review Questions
1. After starting her computer, Amy notices that she is unable to access her normal Enterprise
Resources. What tool can she use to determine if she has a valid IP address?
Answer: In the command prompt type ipconfig to check the valid IP address.

2. When transmitting Accounts Receivable updates to the billing partner in China, Amy notices
that the files are being transmitted slowly. What tool can she use to determine the network path
and latency of the network?
Answer: In the command prompt type tracert (plus the IP address of the destination) to trace
the network path.

3. Amy notices that she cannot access normal Enterprise Web sites. She knows that she has a
valid IP address but wants to troubleshoot the DNS access of her computer. What tool must she
use?
Answer: In the command prompt, type nslookup (plus the domain controller name). This provides
detailed information about the host name resolution.

4. What is the IPv6 equivalent of an IPv4 APIPA address?

5. You are troubleshooting a network-related problem and you suspect a name resolution issue.
Before conducting tests, you want to purge the DNS resolver cache. How do you do that?
Answer: In the command prompt type ipconfig /flushdns to clear the content of the DNS
cache.

6. You are troubleshooting a network-related problem. The IP address of the host you are
troubleshooting is 169.254.16.17. What is a possible cause of the problem?
Answer: Unresponsive DHCP server

Common Issues Related to Network Connectivity


Identify the causes for the following common issues and fill in the troubleshooting tips.
• Windows 7 host cannot connect to a SharePoint Site
• Windows 7 host cannot access the database server
• Windows 7 host cannot connect to the Internet
• DNS Server is not resolving FQDNs correctly

Tools
You can use the following tools to troubleshoot network connectivity issues.

Module 5: Configuring Wireless Network Connections


Module Overview
The definition of a wireless network is broad. It can refer to any type of wireless devices
that are interconnected between nodes without the use of wires or cables. The wireless network
discussed in this module refers to wireless local area network (wireless LAN), which is a type of
wireless network that uses radio waves instead of cables to transmit and receive data between
computers. A wireless network enables you to access network resources from a computer that
is not physically attached to the network by cables.
Wireless network technologies have grown tremendously over the past few years. The
security and speed of wireless networks have become reliable, such that increasingly more
organizations prefer the use of wireless networks over the traditional wired networks. Windows®
7 provides a simple, intuitive, and straightforward user interface for connecting to wireless
networks.

Lesson 1: Overview of Wireless Networks


Increasingly more organizations prefer wireless networks over the traditional wired
networks. A wireless network gives users flexibility and mobility around the office. Users can
have internal meetings or presentations while maintaining connectivity and productivity. With a
wireless network, you can create a public network that enables your guests to have Internet
connection without creating security issues for your corporate network. The wireless network
technologies have evolved tremendously over the years. Many mobile computers have built-in
wireless network adapters, and numerous hardware devices exist that support wireless networks
with high stability and reliability.

What Is a Wireless Network?

A wireless network is a network of interconnected devices that are connected by radio
signals, instead of wires or cables.

Advantages and Disadvantages of Wireless Networks


Wireless networking provides the following benefits:

• Extends or replaces a wired infrastructure in situations where it is costly, inconvenient, or
impossible to lay cables.
• Increases productivity for mobile employees.
• Provides access to the Internet in public places.
Although wireless networks make roaming convenient and remove unsightly wires from
your network, they also have disadvantages, such as possible interference and increased
security costs, and they pose security risks that you may have to spend time mitigating.

Wireless Network Modes


There are two operating modes of wireless networks:
• Ad hoc mode: In an ad hoc network, a wireless network adapter connects directly to another
wireless network adapter. This mode enables peer-to-peer communication, where computers
and devices are connected directly to each other, instead of to a router or a wireless access
point (wireless AP).

• Infrastructure mode: In this mode, wireless network adapters connect only to special radio
bridges or a wireless AP that connect directly to the wired network.
Regardless of the operating mode, a Service Set Identifier (SSID), also known as the
wireless network name, identifies a specific wireless network by name. The SSID is configured
on the wireless AP for infrastructure mode or the initial wireless client for ad hoc mode. The
wireless AP or the initial wireless client periodically advertises the SSID so that other wireless
nodes can discover and join the wireless network.

Wireless Network Technologies


The following table summarizes the IEEE 802.11 standards for wireless network technology.

Note: Standard 802.11n is a proposed 802.11 standard. The operating frequency is in both the
5 GHz and 2.4 GHz bands, providing more scope that enables networks to avoid interference
with other wireless devices. This standard’s speed will be 600 Mbps, with a range of
approximately 300 meters. The IEEE likely will not finalize 802.11n until late 2009. Even so,
more organizations have begun migrating to 802.11n based on the Draft 2 proposal.

Windows 7 provides built-in support for all 802.11 wireless networks, but the wireless
components of Windows are dependent upon the following:
• Capabilities of the wireless network adapter: The installed wireless network adapter must
support the wireless network or wireless security standards that you require.

• Capabilities of the wireless network adapter driver: To enable you to configure wireless
network options, the driver for the wireless network adapter must support the reporting of all of
its capabilities to Windows.

Wireless Broadband
Wireless broadband is a wireless technology that provides high-speed wireless internet
and data network access. Wireless broadband has high internet speed that is comparable to
wired broadband, such as ADSL or cable modems. Windows 7 provides a driver-based model
for mobile broadband devices. With Windows 7, users can simply connect a mobile broadband
device and immediately begin using it. The interface in Windows 7 is the same regardless of the
mobile broadband provider. You can connect to a wireless broadband network just as you
connect to any other wireless network.

Security Protocols for a Wireless Network


To protect your wireless network, configure authentication and encryption options:
• Authentication: Computers must provide either valid account credentials (such as a user
name and password) or proof that they have been configured with an authentication key before
being allowed to send data frames on the wireless network.

• Encryption: The content of all wireless data frames is encrypted so that only the receiver can
interpret its contents.

Wireless LAN supports the following security standards:

• IEEE 802.11: The original IEEE 802.11 standard defined the open system and shared key
authentication methods for authentication and Wired Equivalent Privacy (WEP) for encryption.
WEP can use either 40-bit or 104-bit encryption keys. WEP has several security flaws, and the
IEEE has deprecated it because it fails to meet its security goals. Despite its weaknesses, WEP
is still widely used.

• IEEE 802.1X: IEEE 802.1X is a standard that was originally developed for Ethernet switches
and was adapted to wireless LANs to provide much stronger authentication than the original
802.11 standard. IEEE 802.1X authentication is designed for medium and large wireless LANs
that contain an authentication infrastructure consisting of Remote Authentication Dial-In User
Service (RADIUS) servers and account databases such as the Active Directory® directory
service.

• Wi-Fi Protected Access: While the IEEE 802.11i wireless LAN security standard was being
finalized, the Wi-Fi Alliance, an organization of wireless equipment vendors, created an interim
standard known as Wi-Fi Protected Access (WPA). WPA replaces WEP with a much stronger
encryption method known as the Temporal Key Integrity Protocol (TKIP). WPA also allows the
optional use of the Advanced Encryption Standard (AES) for encryption. WPA is available in two
different modes:

• WPA-Enterprise: In the Enterprise mode, an 802.1X authentication server distributes
individual keys to users that have a “wireless” designation. It is designed for medium and large
infrastructure mode networks.

• WPA-Personal: In the Personal mode, a pre-shared key (PSK) is used for authentication and
you provide the same key to each user. It is designed for small office/home office (SOHO)
infrastructure mode networks.

• Wi-Fi Protected Access 2: The IEEE 802.11i standard formally replaces WEP and the other
security features of the original IEEE 802.11 standard. Wi-Fi Protected Access 2 (WPA2) is a
product certification available through the Wi-Fi Alliance that certifies wireless equipment as
being compatible with the IEEE 802.11i standard. WPA2 requires support for both TKIP and
AES encryption. Similar to WPA, WPA2 is available in two different modes: WPA2-Enterprise
and WPA2-Personal.

Securing Wireless Networks


In addition to implementing authentication and encryption, you can use the following
methods to mitigate risks to your wireless network:
• Firewalls: One solution to address wireless AP vulnerability is to place the wireless
APs outside your network firewalls.
• Closed networks: Some wireless APs support a closed network mode in which the
wireless AP does not advertise its SSID.
• SSID spoofing: You can use special software that generates numerous wireless AP
packets that broadcast false SSIDs.
• Media access control (MAC) address filtering: Most wireless APs support MAC
address restrictions.

Lesson 2: Configuring a Wireless Network


In an organization that has a wireless network, users may choose to use the wireless
network as the main connectivity to network resources. You must understand how to create and
connect to a wireless network from a Windows 7 based computer. You also need to know how
to improve the wireless signal strength for your users and how to troubleshoot common wireless
connection problems. This troubleshooting process uses the new network diagnostics included
with Windows 7. You need to be familiar with the new network diagnostics so that you can
assist your users.

Configuring Hardware for Connecting to a Wireless Network


To configure a wireless network, you must have a wireless AP that physically connects
to your network and a wireless network adapter in your client computers. A wireless AP uses
radio waves to broadcast its SSID.
To configure a wireless AP, you must enter its SSID and configure a valid TCP/IP
address on your network. Typically, a wireless AP has an administrator page that can be
accessed by an internet browser, by using its default IP address. Depending on the
manufacturer, different wireless APs have different default IP addresses to start with. Some
wireless APs can also be configured from a command prompt by using the telnet command-line
tool.

Configuring Client Computers


To connect to a wireless network, attach a wireless network adapter to your computer
and install its driver. These adapters may be internal or external wireless adapters. Many mobile
computers have built-in adapters that you can enable by using a hardware switch. After
attaching the hardware and installing the appropriate hardware device driver, you can use the
following methods to configure a Windows 7-based client to connect to a wireless network:

• Connect to a Network dialog box: This dialog box is available from many locations in
Windows 7, such as from the Control Panel.

• Command line: The new netsh wlan commands in the netsh.exe tool enable you to configure
wireless networks and their settings manually.

• Group Policy: Network administrators in an Active Directory environment can use Group
Policy to configure and deploy wireless network settings centrally to domain member
computers.


Wireless Network Settings

With Windows 7, connecting to a wireless network has never been simpler. If the
Wireless Access Point (wireless AP) is configured to advertise its Service Set Identifier (SSID),
the Windows 7 client can detect the signal and automatically create a wireless network profile
and set the configuration to connect to the wireless network.
If you choose to add a wireless network manually, there are several settings that you
can configure in Windows 7 when creating a wireless network profile. You have to configure
these settings to match the wireless AP that you want to connect to.
The Manage Wireless Networks window is used to configure wireless network
connections. It can be accessed from the Network and Sharing Center. The Network and
Sharing Center tool can be accessed from the Control Panel or from the network icon on the
System Tray. To view the settings of a wireless network, from the Manage Wireless Networks
window, right-click the wireless network profile and then click Properties.

General Settings
The following settings are mandatory for every wireless network profile.
• SSID: Every wireless network has an SSID. If you are configuring the wireless network profile
manually, you must know the exact SSID of the wireless network that you want to connect to.

• Network Type: There are two options: Access point and Adhoc network. Select Access point
to connect to a wireless AP, which configures the wireless network to operate in infrastructure
mode, and select Adhoc network to connect to another wireless network adapter, which
configures the wireless network to operate in ad hoc mode.

Connection Settings
The following settings configure how the Windows 7 client connects to a wireless
network.
• Connect automatically when this network is in range: The computer will try to
connect to this particular wireless network whenever it is in range.

• Connect to a more preferred network if available: If this is selected, when multiple wireless
networks are in range, the computer will try to connect to a network that is higher in its list of
preferred networks instead of this particular wireless network.

• Connect even if the network is not broadcasting its name (SSID): Select this if the
wireless AP is configured to not advertise its SSID.

Security Types
The following settings determine what type of authentication and encryption are used to
connect to a wireless network.

• No authentication (open): If you select this security type, two options are available for the
encryption type: None and WEP.
• Shared: If you select this security type, only WEP is available for the encryption type.
• WPA (Personal and Enterprise): In the personal mode, you provide the same network
security key to each user. In the enterprise mode, an authentication server distributes individual
keys to the users. If you select this security type, two options are available for the encryption
type: TKIP and AES.
• WPA2 (Personal and Enterprise): Similar to WPA, it also has the Personal and Enterprise
mode and two options for the encryption type: TKIP and AES.
• 802.1X: If you select this security type, only WEP is available for the encryption type.
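As an added example (not code from the lecture manual), the following PowerShell script reads saved wireless profiles and rates each one against the security types just listed, and also reports the connection settings from the Wireless Network Settings section. It assumes PowerShell 3.0 or later and the profile XML layout that netsh wlan export profile writes; the sample profile embedded at the end is constructed, and the weak/legacy/OK thresholds are the example's own.

```powershell
# Added example (not from the lecture manual): audit saved Windows 7 wireless
# profiles against the security types described above. Assumes PowerShell 3.0
# or later and the WLANProfile XML layout written by "netsh wlan export profile".

# Rank of each authentication/encryption value the Windows 7 profile dialog
# can produce (0 = weak, 2 = legacy, 3 = current). These thresholds are this
# example's assumptions, not values the manual prescribes.
$AuthRank = @{
    'open'    = 0   # No authentication (open)
    'shared'  = 0   # Shared-key WEP authentication
    'WPA'     = 2   # WPA-Enterprise (802.1X)
    'WPAPSK'  = 2   # WPA-Personal (pre-shared key)
    'WPA2'    = 3   # WPA2-Enterprise
    'WPA2PSK' = 3   # WPA2-Personal
}
$EncRank = @{
    'none' = 0      # No encryption
    'WEP'  = 0      # Deprecated by the IEEE
    'TKIP' = 2      # WPA interim cipher
    'AES'  = 3      # AES (CCMP)
}

function Get-Rank([hashtable]$Table, [string]$Key) {
    # Unknown or missing values are treated as weak rather than ignored.
    if ($Table.ContainsKey($Key)) { $Table[$Key] } else { 0 }
}

function Test-WlanProfileXml {
    # Reads one WLAN profile document and reports the settings the
    # "Wireless Network Settings" section walks through, plus a verdict.
    param([Parameter(Mandatory = $true)][xml]$ProfileXml)

    $p     = $ProfileXml.WLANProfile
    $ae    = $p.MSM.security.authEncryption
    $auth  = [string]$ae.authentication
    $enc   = [string]$ae.encryption
    $score = [Math]::Min((Get-Rank $AuthRank $auth), (Get-Rank $EncRank $enc))

    $verdict = 'OK: WPA2 with AES'
    if ($score -lt 3) { $verdict = 'LEGACY: WPA/TKIP, plan migration to WPA2/AES' }
    if ($score -le 0) { $verdict = 'WEAK: open or WEP, no real protection' }

    # ESS = "Access point" (infrastructure mode), IBSS = "Adhoc network".
    $netType = 'Access point'
    if ($p.connectionType -eq 'IBSS') { $netType = 'Ad hoc' }

    [pscustomobject][ordered]@{
        Profile        = [string]$p.name
        SSID           = [string]$p.SSIDConfig.SSID.name
        NetworkType    = $netType
        ConnectAuto    = ($p.connectionMode -eq 'auto')            # "Connect automatically when in range"
        PreferOthers   = ($p.autoSwitch -eq 'true')                # "Connect to a more preferred network"
        HiddenSsid     = ($p.SSIDConfig.nonBroadcast -eq 'true')   # "Connect even if not broadcasting"
        Authentication = $auth
        Encryption     = $enc
        Verdict        = $verdict
    }
}

function Get-WlanProfileAudit {
    # Exports every saved profile (without key material) with the built-in
    # netsh wlan tool and audits each one. Run from an elevated prompt.
    $dir = Join-Path $env:TEMP ('wlan-audit-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        netsh wlan export profile folder="$dir" | Out-Null
        Get-ChildItem -Path $dir -Filter *.xml | ForEach-Object {
            Test-WlanProfileXml -ProfileXml ([xml](Get-Content -Path $_.FullName))
        }
    }
    finally {
        Remove-Item -Path $dir -Recurse -Force
    }
}

# Constructed sample profile: a hidden-SSID network still using open/WEP.
$SampleProfile = [xml]@'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Guest-Legacy</name>
  <SSIDConfig>
    <SSID><name>Guest-Legacy</name></SSID>
    <nonBroadcast>true</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <autoSwitch>false</autoSwitch>
  <MSM>
    <security>
      <authEncryption>
        <authentication>open</authentication>
        <encryption>WEP</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
    </security>
  </MSM>
</WLANProfile>
'@

Test-WlanProfileXml -ProfileXml $SampleProfile | Format-List
# Live audit of the profiles saved on this computer:
# Get-WlanProfileAudit | Format-Table -AutoSize
```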


Demonstration: Connecting to a Wireless Network


How to Configure a WAP
The following are the various steps in the demonstration:
1. Browse the network to view a list of devices available, including the wireless AP.
2. Open the administrator page of the device.
3. Enter the required credentials. These usually come from the device’s manufacturer. It is
recommended to change these credentials after the initial configuration of the wireless AP.
4. Open the Wireless Settings page.
5. Change the default SSID to something relevant to your organization.
6. You can change the channel to avoid interference from other devices.
7. Configure the 802.11 mode. If you have older 802.11b devices, you can enable support for
them.
8. You can establish wireless policies that enable users to connect their computers to the
wireless AP even if the SSID is not broadcast.
9. Configure the specific security settings. The particular options offered vary between
manufacturers, but typically include the ones offered here: WEP, WPA and WPA2, and support
for both PSK and Enterprise options.

Note: If you select an enterprise option, you must provide additional information about how
authentication is handled within your organization. For example, the name of a RADIUS server
and other settings.
10. Define the pre-shared key.
11. Save the settings. Most wireless APs have a separate persistent save, which means that the
device remembers the settings even after you power it down and start it again.
12. Most wireless APs also provide options for more advanced settings. These include MAC
address filtering and bridging and are out of the scope of this demonstration.

Question: What advanced wireless settings do you consider that improve security?

How to Connect to an Unlisted Wireless Network


The following are the various steps in the demonstration:
1. Open the Network and Sharing Center.
2. Open the Manage wireless networks.
3. Launch the wizard to guide you through the process of defining the properties of the network.
4. Configure an infrastructure network.
5. Define the appropriate SSID, the security settings that correspond to those defined on the
wireless AP (security type and encryption type), and the security key (pre-shared key).
wireless AP (security type and encryption type), and the security key (pre-shared key).

Note: The specifics of the settings vary from network to network. In addition, the options
available may be restricted by Group Policy. Your ability to create a network connection may be
restricted.

6. After defining the network settings, you can connect to the network.
7. You can view the network status through the Network and Sharing Center.
8. By default, all networks are placed in the Public network profile – which is the most restrictive.
Define a location profile for this network. Once you define a network location profile for a
network connection, Windows remembers it for subsequent connections to that network.

Question: Can a user connect a computer to an unlisted network if he or she does not know the
SSID?

How to Connect to a Public Wireless Network


The following are the various steps in the demonstration:
1. Open the Network and Sharing Center to view the available networks. You can view the
available networks from the System Tray as well.

2. Notice that there is a wireless network available; the shield icon next to the wireless signal
icon denotes that the wireless network is open. This can cause a security issue, so always be
careful when connecting to public networks.

3. Connect to the Wireless Network.


4. Define the network location profile.

Question: What are possible issues that arise when you connect to unsecured networks?


Improving the Wireless Signal Strength

Connecting to the wireless AP on a network with the strongest signal will provide the best
wireless performance. The following table shows several common problems and solutions
related to low signal strength.

In cases where you cannot see the wireless network, consider the following
troubleshooting steps:
• Check that your wireless network adapter has the correct driver and is working properly.
• Check your computer for an external switch for the wireless network adapter.
• Check that the wireless AP is turned on and working properly.
• Check whether the wireless AP is configured to advertise its SSID.

Question: What devices can interfere with a wireless network signal?

Process for Troubleshooting a Wireless Network Connection


Windows 7 includes the Network Diagnostic tool, which can be used to troubleshoot
network problems. Use this tool to diagnose the issues that might prevent you from connecting
to any network, including wireless networks. This tool can reduce the time you spend
diagnosing wireless network problems.

Troubleshooting Access to Wireless Networks


To troubleshoot access to wireless networks, perform the following steps:
1. Attempt to connect to a wireless network. Use the Connect to a network tool in Windows 7
to list each available wireless network and attempt network connections. The Connect to a
network tool can be accessed from the Network and Sharing Center or from the System Tray.

2. Run the Windows Network Diagnostics tool. You can run the tool by right-clicking the
Network icon in the taskbar’s notification area and then clicking Troubleshoot problems.

3. Review the diagnostic information. The Windows Network Diagnostics tool in Windows 7
will attempt to correct any problems. If this is not possible, the tool provides a list of possible
problems.

4. Identify the problem from the list of problems found. Use the list from the Windows Network
Diagnostic tool to help identify the problem.

5. Resolve the problem that was identified. Use the information in the previous step to
implement a resolution.

Module Review and Takeaways


Common Issues related to finding wireless networks and improving signal strength
Real-World Issues and Scenarios
1. You are implementing wireless networking in your organization. Which wireless network
technology standards and which type of security (authentication and encryption) will you
choose?

2. Your organization already has a wireless network in place. Your users are complaining that
the performance of the wireless network is not as good as the wired network. What can you do
to increase the performance of the wireless network?

Tools


Module 9: Securing Windows 7 Desktops


Module Overview
Users increasingly expect more from the technologies they use. They expect to be able
to work from home, from branch offices, and on the road without a decrease in productivity. With
Windows 7®, IT professionals can meet users’ diverse needs in a way that is more
manageable.
Security and control are enhanced, reducing the risk associated with data on lost
computers or external hard drives. Because Windows 7 is based on the Windows Vista®
foundation, companies that have already deployed Windows Vista will find that Windows 7 is
highly compatible with existing hardware, software, and tools.
This module describes how to make a computer more secure while ensuring that you do
not sacrifice usability in the process. Windows 7 helps make the system more usable and
manageable by using the following security features to combat the continually evolving threat
landscape:
• Fundamentally Secure Platform
• Helping Secure Anywhere Access
• Protecting Users and Infrastructure
• Protecting Data from Unauthorized Viewing

Lesson 1: Overview of Security Management in Windows 7
The Windows 7 operating system provides a robust, secure platform through the
provision of a number of programs that help simplify balancing security and usability. You need
to understand how the new Windows 7 security features work so that you can quickly and
effectively diagnose and fix any problems whenever there is the need to troubleshoot a security-
related issue.
This lesson introduces the security management topics covered in the remainder of the
module. It then introduces the Windows 7 Action Center, which provides a central location for
managing your security configuration.

Key Security Features in Windows 7


Windows 7 provides the following tools and features designed to maximize platform and
client security while balancing security and usability:


• Windows 7 Action Center: A central location for users to deal with messages about
their local computer and the starting point for diagnosing and solving issues with their
system.
• Encrypting File System (EFS): The built-in encryption tool for Windows file systems.
• Windows BitLocker™ and BitLocker To Go: Helps mitigate unauthorized data
access by rendering data inaccessible when BitLocker-protected computers are
decommissioned or recycled. BitLocker To Go provides similar protection to data on
removable data drives.
• Windows AppLocker: Allows administrators to specify exactly what is allowed to run
on user desktops.
• User Account Control: Simplifies the ability of users to run as standard users and
perform all necessary daily tasks.
• Windows® Firewall with Advanced Security: Helps provide protection from
malicious users and programs that rely on unsolicited incoming traffic to attack
computers.
• Windows Defender™: Helps protect you from spyware and other forms of malicious
software.

What Is Action Center?


Action Center is a central location for dealing with messages about your system and the
starting point for diagnosing and solving issues with your system. You can think of Action Center
as a message queue that displays the items that require your attention and need to be managed
according to your schedule.
Windows Action Center consolidates the Windows 7 security-related tools in one
location, simplifying your ability to access and use the specific tool that you need.
Windows Action Center includes access to the following four essential security features:
• Firewall
• Automatic updating
• Malware protection
• Other security settings

Demonstration: Configuring Action Center Settings
Action Center checks several security and maintenance-related items that help indicate
the computer's overall performance. When the status of a monitored item changes, Action
Center notifies you with a message in the notification area on the taskbar, the status of the item
in Action Center changes color to reflect the severity of the message, and an action is
recommended.
If you prefer to keep track of an item yourself, and you do not want to see status
notifications, turn off notifications for the item. When you clear the check box for an item on the
Change Action Center Settings page, you will not receive any messages, and you will not see
the item's status in Action Center. It is recommended that you check the status of all items
listed, since many help warn you about security issues. However, if you decide to turn off
messages for an item, you can always turn on messages again.
This demonstration shows how to configure the Action Center Settings and User Control
Settings in Windows 7.

Change Action Center Settings


• Open Action Center, and then in Change Action Center settings, turn messages off for
Windows Troubleshooting and Windows Backup.
Change User Control Settings
• In User Control Settings, change when to be notified about changes to your computer by
using the slide bar.
View Archived Messages
• Select View archived messages to view any archived messages about computer problems.

Lesson 2: Securing a Windows 7 Client Computer by Using Local Security Policy Settings
Group Policy provides an infrastructure for centralized configuration management of the
operating system and applications that run on the operating system. This lesson discusses
Group Policy fundamentals such as the difference between local and domain-based policy
settings and introduces you to how Group Policy can simplify managing computers and users in
an Active Directory environment. This lesson also discusses Group Policy features that are
included with the Windows Server® 2008 operating system and are available with the Windows
7 client.

What Is Group Policy?

Group Policy is a technology that allows you to efficiently manage a large number of
computer and user accounts through a centralized model. Group policy changes are configured
on the server and then propagate to client computers in the domain.
Group Policy in Windows 7 uses new XML-based templates to describe registry settings.
When you enable settings in these templates, Group Policy allows you to apply computer and
user settings either on a local computer or centrally through Active Directory.
IT professionals typically use Group Policy to:
• Apply standard configurations.
• Deploy software.
• Enforce security settings.
• Enforce a consistent desktop environment.

A collection of Group Policy settings is called a Group Policy object (GPO). One GPO
can be applied simultaneously to many different containers in Active Directory’s Directory
Service. Conversely, a container can have multiple GPOs simultaneously applied to it. In this
case, users and computers receive the cumulative effect of all policy settings applied to them.

Local Group Policy in Windows 7


In a non-networked environment or in a networked environment that does not
have a domain controller, the local Group Policy object's settings are more important because
they are not overwritten by other Group Policy objects. Standalone computers only use the local
GPO to control the environment. Each Windows 7 computer has one local GPO that contains
default computer and user settings, regardless of whether the computer is part of an Active
Directory environment or not. In addition to this default local GPO, you can create custom local
user group policy objects. You can maintain these local GPOs using the Group Policy Object
Editor snap-in. With Group Policy, you can define the state of users' work environments once
and rely on the system to enforce the policies that you define. With the Group Policy snap-in
you can specify policy settings for the following:
• Registry-based policies
• Security options
• Software installation and maintenance options
• Scripts options
How Are Group Policy Objects Applied?


Client components known as Group Policy client-side extensions (CSEs) initiate Group
Policy by requesting GPOs from the domain controller that authenticated them. The CSEs
interpret and apply the policy settings.
Windows 7 applies computer settings when the computer starts and user settings when
you log on to the computer. Both computer and user settings are refreshed at regular,
configurable intervals. The default refresh interval is every 90 minutes. Group Policy is
processed in the following order:
• Local computer policy settings
• Site-level policy settings
• Domain-level policy settings
• Organizational Unit (OU) policy settings

Policy settings applied to higher level containers pass through to all sub-containers in
that part of the Active Directory tree. For example, a policy setting applied to an OU also applies
to any child OUs below it.
If policy settings are applied at multiple levels, the user or computer receives the effects
of all policy settings. In case of a conflict between policy settings, the policy setting applied last
is the effective policy, though you can change this behavior as needed.

How Multiple Local Group Policies Work

The computing environment provides users with hundreds, if not thousands, of
configurable settings manageable by using Group Policy. IT professionals can manage the
many configurable settings through Multiple Local Group Policy objects (MLGPO).
MLGPO allows an administrator to apply different levels of Local Group Policy to local
users on a stand-alone computer. This technology is ideal for shared computing environments
where domain-based management is not available. MLGPO allows user settings targeted at the
following three layers of Local Group Policy objects:
• Local Group Policy
• Administrator and Non-Administrators Group Policy
• User specific Local Group Policy

Processing Order
The benefits of MLGPO come from the processing order of the three separate layers.
The layers are processed as follows:
• The Local Group Policy object is applied first.
• The Administrators and Non-Administrators Local Group Policy objects are applied next.
• User-specific Local Group Policy is applied last.

Conflict Resolution Between Policy Settings


Available user settings are the same between all Local Group Policy objects. It is
conceivable that a policy setting in one Local Group Policy object can contradict the same
setting in another Local Group Policy object. Windows 7 resolves these conflicts by using the
"Last Writer Wins" method. This method resolves the conflict by overwriting any previous setting
with the last read (most current) setting. The final setting is the one Windows uses.

Question: An administrator disables the setting titled “Disable the Security page” in the Local
Group Policy object. The administrator then enables the same setting in a user-specific Local
Group Policy object. The user logging on to the computer is not an administrator. Which policy
setting will be applied to this Local Group Policy object?

Demonstration: Creating Multiple Local Group Policies


This demonstration shows how to create and verify settings of multiple local group
policies in Windows 7.


Create a Custom Management Console


1. Open the Group Policy Object Editor in the Microsoft Management Console.
2. Browse for Administrators and Non-Administrators in the Local Users and Groups
compatible with Local Group Policy list.
3. Save the selections to the desktop as Multiple Local Group Policy Editor.

Configure the Local Computer Policy


1. In Multiple Local Group Policy Editor – [Console Root], locate the Logon script in the
Local Computer Policy node.
2. Open the Logon script and add a new script as a text document.
3. Edit the text document by typing msgbox “Default Computer Policy”.
4. Save the document as ComputerScript.vbs of type All Files.
5. Open the ComputerScript, click OK in the Add a Script and Logon Properties dialog
boxes.

Configure the Local Computer Administrators Policy


1. In Multiple Local Group Policy Editor – [Console Root], locate the Logon script in the
Local Computer\Administrators Policy node.
2. Expand User Configuration, Windows Settings nodes, and then select Scripts
(Logon/Logoff).
3. Open the Logon script, and add a new script as a text document.
4. Edit the text document by typing msgbox “Default Administrator’s Policy”.
5. Save the document as AdminScript.vbs of type All Files.
6. Open the AdminScript, click OK in the Add a Script and Logon Properties dialog boxes.

Configure the Local Computer Non-Administrators Policy


1. In Multiple Local Group Policy Editor – [Console Root], locate the Logon script in the
Local Computer\Non-Administrators Policy node.
2. Open the Logon script, and add a new script as a text document.
3. Edit the text document by typing msgbox “Default Administrator’s Policy”.
4. When adding a new text document (step 6 above), type msgbox “Default User’s Policy”.
5. Save the document as UserScript.vbs of type All Files.
6. Open the UserScript, click OK in the Add a Script and Logon Properties dialog boxes.


Test Multiple Local Group Policies


1. Log on to AMA-CL1 as AMAES\Adam.
2. Verify you receive the message box and respond to the prompt.
3. Log on to AMA-CL1 as AMAES\Administrator.
4. Verify you receive the message box and respond to the prompt.
5. Open the Multiple Local Group Policy Editor.
6. Remove the logon scripts that you previously added in the Logon Properties for the Non-
Administrators Policy, the Administrators Policy, and the Local Computer Policy.

Demonstration: Configuring Local Security Policy Settings


You can use the Local Group Policy Editor to configure the settings on a standalone
workstation that is running Windows 7. To configure local Group Policy, run gpedit.msc from the
Search box with elevated privileges. Use the security-related information in the following table to
configure the settings.

233

Principles of Operating System

This demonstration shows different security settings in Windows 7 Local Group Policy
Editor and then how to change some of these settings.
Review the Local Security Group Policy Settings
1. Open the Local Group Policy Editor. Under the Computer Configuration\Windows
Settings\Security Settings node, review the following Account Policies:
• Password Policy
• Account Lockout Policy


2. In the Local Policies node, review the Audit Policy.


3. Under Audit Policy, modify the Audit account management policy properties to audit both
success and failure attempts.
4. In the Local Policies node, review policies for User Rights Assignments and Security
Options.
5. Open the Windows Firewall with Advanced Security – Local Group Policy Object to view
firewall rules.
6. Review Network List Manager Policies.
7. In the Public Key Policies node, review policies for Encrypting File System and BitLocker
Drive Encryption.
8. Review Software Restriction Policies and Application Control Policies, including those
for AppLocker.
9. Review IP Security Policies on Local Computer and Advanced Audit Policy
Configuration, including those in the System Audit Policies – Local Group Policy Object.
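Step 3 above turns on success and failure auditing for account management; the following is an added example (not from the course manual) that verifies the result from PowerShell by parsing what auditpol.exe prints. The sample output is constructed; on a live machine feed it the real auditpol output from an elevated prompt.

```powershell
# Added example, not from the course manual: check that every Account Management audit
# subcategory is set to "Success and Failure", which is what step 3 above configures.
# Parses the text printed by auditpol.exe; the sample further down is constructed.

function Get-AuditPolicyRows {
    param([string[]] $AuditpolLines)
    $rows = @()
    foreach ($line in $AuditpolLines) {
        # auditpol indents each subcategory and separates the setting column with a run
        # of spaces; the header and category lines carry no indent and are skipped.
        if ($line -match '^\s{2,}(\S.*?)\s{2,}(Success and Failure|Success|Failure|No Auditing)\s*$') {
            $rows += New-Object PSObject -Property @{
                Subcategory = $matches[1]
                Setting     = $matches[2]
            }
        }
    }
    return ,$rows
}

function Find-WeakAuditSettings {
    # Rows whose setting is anything other than the required one.
    param([string[]] $AuditpolLines, [string] $Required = 'Success and Failure')
    Get-AuditPolicyRows $AuditpolLines | Where-Object { $_.Setting -ne $Required }
}

# Constructed sample of what  auditpol /get /category:"Account Management"  prints
# when only user-account auditing has been switched on.
$sample = @'
System audit policy
Category/Subcategory                      Setting
Account Management
  User Account Management                 Success and Failure
  Computer Account Management             No Auditing
  Security Group Management               Success
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
'@ -split "`r?`n"

# Lists the five subcategories that are not yet "Success and Failure".
Find-WeakAuditSettings $sample | Format-Table Subcategory, Setting -AutoSize

# On a live Windows 7 machine, from an elevated prompt, feed the real output instead:
#   Find-WeakAuditSettings (auditpol /get /category:"Account Management")
```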

Lesson 3: Securing Data by Using EFS and BitLocker


Laptops and desktop hard drives can be stolen, which poses a risk for confidential data.
You can secure data against these risks by using a two-phased defensive strategy, one that
incorporates both Encrypting File System (EFS) and Windows BitLocker™ Drive Encryption.
This lesson provides a brief overview of EFS. IT professionals interested in implementing EFS
must research this topic thoroughly before making a decision. If you implement EFS while
lacking proper recovery operations or misunderstanding how the feature works, you can cause
your data to be unnecessarily exposed. To implement a secure and recoverable EFS policy, you
must have a more comprehensive understanding of EFS.
Another defensive strategy that complements EFS is Windows BitLocker Drive
Encryption. BitLocker protects against data theft or exposure on computers, and offers secure
data deletion when computers are decommissioned. Data on a lost or stolen computer is
vulnerable to unauthorized access, either by running a software attack tool against it or by
transferring the computer's hard disk to a different computer. BitLocker helps mitigate
unauthorized data access by combining two major data-protection procedures: encrypting the
entire Windows operating system volume on the hard disk, and encrypting multiple fixed
volumes.


What Is EFS?

The EFS is the built-in encryption tool for Windows file systems. A component of the
NTFS file system, EFS enables transparent encryption and decryption of files by using
advanced, standard cryptographic algorithms. Any individual or program that does not possess
the appropriate cryptographic key cannot read the encrypted data. Encrypted files can be
protected from those who gain physical possession of the computer. Persons who are
authorized to access the computer and its file system cannot view the data without the
cryptographic key.

Obtaining Key Pairs


Users need asymmetric key pairs to encrypt data. They can obtain these keys as
follows:
• From a Certificate Authority (CA). An internal or third-party CA can issue EFS certificates. This
method allows keys to be centrally managed and backed up.
• By self-generating them. If a CA is unavailable, users can generate a key pair. These keys
have a lifespan of one hundred years.
This method is more cumbersome than using a CA because there is no centralized
management and users become responsible for managing their own keys (plus it is more
difficult to manage for recovery); however, it is still a popular method because no setup is
required.

Managing EFS Certificates


EFS uses public key cryptography to allow the encryption of files. The keys are obtained
from the user’s EFS certificate. Because the EFS certificates may also contain private key
information, they must be managed correctly. Users can make encrypted files accessible to
other users’ EFS certificates. If you grant access to another user’s EFS certificate, that user
can, in turn, make the file available to other user’s EFS certificates.

Note: EFS certificates are only issued to individual users, not to groups.

Backing Up Certificates

CA Administrators can archive and recover CA-issued EFS certificates. Users must manually
back up their self-generated EFS certificates and private keys. To do this, they can export the
certificate and private key to a Personal Information Exchange (PFX) file. These PFX files are
password protected during the export process. The password is then required to import the
certificate into a user’s certificate store. If you need to distribute only your public key, you can
export the client EFS certificate without the private key to Canonical Encoding Rules (CER)
files. A user’s private key is stored in the user’s profile in the RSA folder, which is accessed by
expanding AppData, expanding Roaming, expanding Microsoft, and then expanding Crypto.
Because there is only one instance of the key, it is vulnerable to hard disk failure or data
corruption.
The Certificate Manager MMC exports certificates and private keys. EFS certificates are
located in the Personal Certificates store.
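The backup described above can be scripted instead of using the Certificate Manager MMC. The following is an added example (not from the course manual) that locates EFS certificates in the current user's Personal store by their enhanced key usage and exports each to a CER (public key only) and a password-protected PFX; the backup folder is an assumption.

```powershell
# Added example, not from the course manual: back up the current user's EFS certificate(s)
# to a PFX (with private key) and a CER (public key only), as the text describes.
# The backup folder below is an assumption; keep it off the EFS-protected disk.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Microsoft "Encrypting File System" enhanced key usage

function Get-EfsCertificate {
    # EFS certificates live in the current user's Personal ("My") store.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] -and
                    ($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEkuOid })) {
                    $cert
                }
            }
        }
    } finally { $store.Close() }
}

function Backup-EfsCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [string] $OutputFolder,
        [string] $PfxPassword
    )
    $ct   = [System.Security.Cryptography.X509Certificates.X509ContentType]
    $base = Join-Path $OutputFolder ('efs-' + $Certificate.Thumbprint)
    # CER: certificate without the private key. Safe to hand to colleagues so they can
    # add you to their encrypted files.
    [IO.File]::WriteAllBytes("$base.cer", $Certificate.Export($ct::Cert))
    # PFX: certificate plus private key, protected by the password. Requires an exportable
    # key, which self-generated EFS keys are.
    if (-not $Certificate.HasPrivateKey) {
        throw "Certificate $($Certificate.Thumbprint) has no private key in this profile"
    }
    [IO.File]::WriteAllBytes("$base.pfx", $Certificate.Export($ct::Pfx, $PfxPassword))
    return "$base.pfx"
}

$backupDir = 'E:\EfsBackup'     # assumed: a removable drive, not the protected disk
$pfxPass   = Read-Host -Prompt 'Password to protect the PFX file'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

$certs = @(Get-EfsCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No EFS certificate yet: Windows creates one the first time you encrypt a file.'
}
foreach ($c in $certs) {
    $pfx = Backup-EfsCertificate -Certificate $c -OutputFolder $backupDir -PfxPassword $pfxPass
    Write-Host "Exported $($c.Subject) ($($c.Thumbprint)) to $pfx"
}
```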

EFS in Windows 7
Windows 7 includes a number of new EFS features, including:
• Support for Storing Private Keys on Smart Cards
• Encrypting File System Rekeying Wizard
• New Group Policy Settings for EFS
• Encryption of the System Page File
• Per-User Encryption of Offline Files


Sharing Encrypted Files


EFS users can share encrypted files with other users on file shares and in Web folders.
With this support, you can give individual users permission to access an encrypted file. The
ability to add users is restricted to individual files. After a file has been encrypted, file sharing is
enabled through the user interface. You must first encrypt a file and then save it before adding
more users. Users can be added either from the local computer or from the Active Directory
Domain Service if the user has a valid certificate for EFS.

Question: Explain why system folders cannot be marked for encryption.

Demonstration: Encrypting and Decrypting Files and Folders by Using EFS


This demonstration shows how to encrypt and decrypt files and folders by using EFS.

Encrypt Files and Folders


1. Create a new folder on the C drive in Windows Explorer.
2. Create a new Microsoft Office Word document file in this folder.
3. In Explorer, open the advanced properties of this file to select to encrypt the contents to
secure data.
4. Apply this change to the folder, subfolders, and files.

Confirm That the Files and Folders are Encrypted


1. Log on to the AMA-CL1 as AMAES\Adam.
2. In Windows Explorer, open the file you previously created to verify the encryption.

Decrypt Files and Folders


1. Log on to the AMA-CL1 as AMAES\Administrator.
2. Open the advanced properties of the folder you previously created.
3. Clear the encryption option.

Confirm That the Files and Folders are Decrypted


1. Log on to the AMA-CL1 as AMAES\Adam.
2. In Windows Explorer, open the file that you previously created.
3. Type decrypted into the file. Note that you are not prompted with a message.
4. Save and close the file.
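The encrypt, confirm and decrypt steps of this demonstration can also be run from PowerShell with cipher.exe, the EFS command-line tool. This is an added example (not from the course manual); it checks the Encrypted attribute after each step, and the folder path is an assumption.

```powershell
# Added example, not from the course manual: the demonstration's encrypt, confirm and
# decrypt steps done with cipher.exe, checking the Encrypted attribute after each step.
# The folder path is an assumption.

$folder = 'C:\EfsDemo'                      # assumed test folder
$file   = Join-Path $folder 'secret.txt'

function Test-EfsEncrypted {
    param([string] $Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return (([int]$attrs -band [int][IO.FileAttributes]::Encrypted) -ne 0)
}

function Get-UnencryptedItems {
    # Every file and subfolder under $Root that does NOT carry the Encrypted attribute.
    param([string] $Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force |
        Where-Object { -not (Test-EfsEncrypted $_.FullName) }
}

New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -Path $file -Value 'confidential'

# Steps 3-4: encrypt the folder, its subfolders and files (/e encrypts, /s: walks the tree).
cipher.exe /e "/s:$folder" | Out-Null
$missed = @(Get-UnencryptedItems $folder)
if ($missed.Count -gt 0) {
    Write-Warning ('Not encrypted: ' + (($missed | ForEach-Object { $_.FullName }) -join ', '))
} else {
    Write-Host 'Folder and contents carry the Encrypted attribute'
}

# Confirm step: cipher /c lists the certificate thumbprints of the users (and any recovery
# agent) whose keys can open the file. A user not listed, like Adam in the demonstration,
# is refused access even with full NTFS permissions.
cipher.exe /c $file

# Decrypt steps: /d clears the attribute; afterwards NTFS permissions alone control access.
cipher.exe /d "/s:$folder" | Out-Null
if (-not (Test-EfsEncrypted $file)) { Write-Host 'secret.txt is decrypted' }
```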


What Is BitLocker?
Data on a lost or stolen computer can become vulnerable to unauthorized access.
BitLocker helps mitigate unauthorized data access by enhancing Windows file and system
protections. BitLocker helps render data inaccessible when BitLocker-protected computers are
decommissioned or recycled.
BitLocker performs two functions to provide both offline data protection and system
integrity verification:
• Encrypts all data stored on the Windows operating system volume (and configured data
volumes).
• Is configured by default to use a Trusted Platform Module (TPM). A TPM is a specialized chip
that authenticates the computer rather than the user. The TPM stores information specific to the
host system, such as encryption keys, digital certificates, and passwords. Using a TPM helps
ensure the integrity of early startup components, and "locks" any BitLocker-protected volumes
so that they remain protected even if the computer is tampered with when the operating system
is not running.
During Windows 7 setup, a separate active system partition is created. This partition is
required for BitLocker to work on operating system drives. BitLocker is extended from operating
system drives and fixed data drives to include removable storage devices such as portable hard
drives and USB flash drives. This allows you to take protected data when traveling and use it on
computers running Windows 7.
BitLocker To Go is manageable through Group Policy. When you insert a BitLocker-
protected drive into your computer, Windows will automatically detect that the drive is encrypted
and prompt you to unlock it.

Question: BitLocker provides full volume encryption. What does this mean?

BitLocker Requirements
In Windows 7, drives are automatically prepared for use. Therefore, there is no need to
manually create separate partitions before enabling BitLocker. The system partition
automatically created by Windows 7 does not have a drive letter, so it is not visible in Windows
Explorer. This prevents inadvertently writing data files to it. In a default installation, a computer
will have a separate system partition and an operating system drive. The system partition in
Windows 7 requires 100 MB. Because BitLocker stores its own encryption and decryption key in
a hardware device that is separate from the hard disk, you must have one of the following:
• A computer with Trusted Platform Module (TPM) version 1.2.
• A removable Universal Serial Bus (USB) memory device, such as a USB flash drive.
On computers that do not have TPM version 1.2, you can still use BitLocker to encrypt
the Windows operating system volume. However, this implementation requires the user to insert
a USB startup key to start the computer or resume from hibernation. This implementation does
not provide the pre-startup system integrity verification offered by BitLocker using a TPM.
In addition, you can also require users to supply a personal identification number (PIN). This
security measure together with the USB option provide multifactor authentication and assurance
that the computer will not start or resume from hibernation until the correct PIN or startup key is
presented.

Hardware Requirements
To turn on BitLocker Drive Encryption, the computer's hard drive must meet the following
requirements:
• Have the space necessary for Windows 7 to create the two disk partitions – one for the system
volume and one for the operating system volume.
• Have a Basic Input/Output System (BIOS) that is compatible with TPM or supports USB
devices during computer startup.

BitLocker Modes
BitLocker can run on two types of computers:
• Those that are running Trusted Platform Module (TPM) version 1.2x.
• Those without TPM version 1.2, but that have a removable Universal Serial Bus (USB)
memory device.

Computers with TPM Version 1.2


The most secure implementation of BitLocker leverages the enhanced security
capabilities of TPM version 1.2. The TPM is a specialized chip installed on the motherboard of
many newer computers by the computer manufacturers. It works with BitLocker to help protect
user data and to ensure that a computer running Windows 7 has not been tampered with while
the system was offline.


If you enable BitLocker on a Windows 7 computer that has a TPM version 1.2, you can
add the following additional factors of authentication to the TPM protection:
• BitLocker offers the option to lock the normal boot process until the user supplies a personal
identification number (PIN) or inserts a USB device (such as a flash drive) that contains a
BitLocker startup key.
• Both the PIN and the USB device can be required.
Once a computer’s operating system volume is encrypted, the computer will switch to
recovery mode until the recovery password is supplied if any of the following conditions occur:
• The TPM changes or cannot be accessed.
• There are changes to key system files.
• Someone tries to start the computer from a product CD or DVD to circumvent the operating
system.

Computers Without TPM Version 1.2


By default, BitLocker is configured to look for and use a TPM. However, you can allow
BitLocker to work without a TPM by:
• Using Group Policy.
• Storing keys on an external USB flash drive.
• Having a BIOS that can read from a USB flash drive in the boot environment.
A drawback to using BitLocker on a computer without a TPM is that the computer will not
be able to implement the system integrity verification checks during startup that BitLocker can
also provide.
Question: What is a disadvantage of running BitLocker on a computer that does not contain
TPM 1.2?

Group Policy Settings for BitLocker

BitLocker in Windows 7 introduces several new Group Policy settings that permit
straightforward feature management. Group Policy settings that affect BitLocker are located in
Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive
Encryption. The BitLocker Drive Encryption folder contains the following sub-folders: Fixed Data
Drives, Operating System Drives, and Removable Data Drives.
The following table summarizes several of the key policy settings affecting Windows 7
client computers. Each setting includes the following options: Not Configured, Enabled, and
Disabled. The default setting for each setting is Not Configured.


Configuring BitLocker

Enable BitLocker from Control Panel or by right-clicking the volume to be encrypted. A
command-line management tool, manage-bde.wsf, is also available to perform scripting
functionality remotely. Enabling BitLocker initiates the BitLocker Setup Wizard. The BitLocker
Drive Preparation tool validates system requirements.

Turning on BitLocker with TPM Management


Control Panel displays BitLocker's status. If BitLocker is actively encrypting or decrypting
data due to a recent installation or uninstall request, the progress status appears.
Perform the following steps to turn on BitLocker:
1. BitLocker Drive Encryption is located in the Security section of Windows Control Panel.
2. Select the option to Turn On BitLocker, which initiates the BitLocker configuration wizard.
3. On the Save the recovery password page, select one of the options to save or print the
password.
4. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System
Check check box is selected.
5. Follow the steps to restart your computer, which initiates the encryption process.

Turning on BitLocker Without TPM Management


Use the following procedure to change your computer's Group Policy settings so that
you can turn on BitLocker Drive Encryption without a TPM. Instead of a TPM, you will use a
startup key for authentication. The startup key is located on a USB flash drive inserted into the
computer before the computer is started.
For this scenario, you must have a BIOS that will read USB flash drives in the pre-
operating system environment (at startup). The BIOS can be checked by the System Check in
the final step of the BitLocker Wizard.
To turn on BitLocker Drive Encryption on a computer without a compatible TPM:
1. Open the Local Group Policy Object Editor.
2. In the Local Group Policy Editor console tree, click Computer Configuration, click
Administrative Templates, click Windows Components, click BitLocker Drive Encryption,
and then click Operating System Drives.
3. Double-click the Require additional authentication at startup setting.
4. Select the Enabled option, select the Allow BitLocker without a compatible TPM check
box, and then click OK.
You have changed the policy setting so that you can use a startup key instead of a TPM.
5. Close the Local Group Policy Editor.
6. To force Group Policy to apply immediately, you can click Start, type gpupdate.exe /force in
the Start Search box, and then press ENTER.
7. Perform the same steps listed earlier to turn on BitLocker from within the Windows Control
Panel. The only difference is that on the Set BitLocker Startup Preferences page, select the
Require Startup USB Key at every startup option. This is the only option available for non-
TPM configurations. This key must be inserted each time before you start the computer.
8. At this point, insert your USB flash drive in the computer, if it is not already there, and
complete the remaining steps in the wizard.
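After completing the procedure above, an administrator will want to confirm both the policy change and the protectors actually in place. The following is an added example (not from the course manual) that reads the policy values step 4 writes and reports each volume's protection state and key protectors through the Win32_EncryptableVolume WMI class; run it from an elevated prompt.

```powershell
# Added example, not from the course manual: read back the policy that step 4 sets and
# report each volume's BitLocker protection state and key protectors through the
# Win32_EncryptableVolume WMI class (the interface manage-bde uses). Run elevated.

function Test-BitLockerNoTpmPolicy {
    # "Require additional authentication at startup" = Enabled, with "Allow BitLocker without
    # a compatible TPM" ticked, is stored under the FVE policy key as these two values.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty -Path $key
    return ($p.UseAdvancedStartup -eq 1 -and $p.EnableBDEWithNoTPM -eq 1)
}

# Codes returned by GetKeyProtectorType and GetProtectionStatus.
$ProtectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (USB startup key)'
    3 = 'Numerical password (recovery password)'; 4 = 'TPM and PIN'
    5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key'
    7 = 'Public key (certificate or data recovery agent)'; 8 = 'Passphrase'
}
$StatusNames = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }

function Get-BitLockerVolumeReport {
    $vols = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                          -Class Win32_EncryptableVolume
    foreach ($v in $vols) {
        $status = [int]$v.GetProtectionStatus().ProtectionStatus
        $ids    = @($v.GetKeyProtectors(0).VolumeKeyProtectorID)   # 0 = every protector type
        $types  = foreach ($id in $ids) {
            if ($id) { $ProtectorNames[[int]$v.GetKeyProtectorType($id).KeyProtectorType] }
        }
        New-Object PSObject -Property @{
            Drive      = $v.DriveLetter
            Protection = $StatusNames[$status]
            Protectors = (@($types) -join '; ')
        }
    }
}

if (Test-BitLockerNoTpmPolicy) {
    Write-Host 'Policy allows BitLocker without a compatible TPM'
} else {
    Write-Host 'Policy not set: a TPM is required, or gpupdate /force has not run yet'
}

# A volume protected on a non-TPM computer should show "External key" plus a recovery
# password; a volume covered by a data recovery agent adds "Public key".
Get-BitLockerVolumeReport | Format-Table Drive, Protection, Protectors -AutoSize
```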


Question: When turning on BitLocker on a computer with TPM version 1.2, what is the purpose
of saving the recovery password?

Configuring BitLocker To Go

BitLocker To Go protects data on removable data drives. A new Group Policy setting
enables you to configure removable drives as Read Only unless they are encrypted with
BitLocker To Go. This helps ensure that critical data is protected when a USB flash drive is
misplaced. Enable BitLocker protection on a removable device by right-clicking the drive in
Windows Explorer.

Configuring BitLocker To Go
When you turn on BitLocker To Go, the ensuing wizard requires that you specify how
you want to unlock the drive. Select one of the following methods:
• A Recovery Password or passphrase
• A Smart Card
• Always auto-unlock this device on this PC

Once the device is configured to use BitLocker, the user saves documents to the
external drive. When the user inserts the USB flash drive on a different PC, the computer
detects that the portable device is BitLocker protected; the user is prompted to specify the
passphrase. At this time, the user can specify to unlock this volume automatically on the second
PC. It is not required that the second PC be encrypted with BitLocker.
If a user forgets the passphrase, there is an option from the BitLocker Unlock Wizard, I
forgot my passphrase, to assist. Clicking this option displays a recovery Password ID that can
be supplied to an administrator. The administrator uses the Password ID to obtain the recovery
password for the device. This Recovery Password can be stored in Active Directory and
recovered with the BitLocker Recovery Password tool.

Question: How do you enable BitLocker To Go for a USB flash drive?

Recovering BitLocker Encrypted Drives

When a BitLocker-enabled computer starts, BitLocker checks the operating system for
conditions that may indicate a security risk. If a condition is detected, BitLocker does not unlock
the system drive and enters recovery mode. When a computer enters recovery mode, the user
must enter the correct recovery password to continue. The recovery password is tied to a
particular TPM or computer, not to individual users, and does not usually change.

The recovery information can be saved on a USB flash drive or in Active Directory
using one of these formats:
• A 48-digit number divided into eight groups. During recovery, use the function keys to type this
password into the BitLocker recovery console.
• A recovery key in a format that can be read directly by the BitLocker recovery console.
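The 48-digit recovery password carries a built-in check: each 6-digit group is a 16-bit value multiplied by 11, so a mistyped digit is detectable before the password is filed or read out to a user. The following is an added example (not from the course manual) implementing that format check; the two passwords are constructed samples, not real recovery passwords.

```powershell
# Added example, not from the course manual: check the format of a recorded 48-digit
# recovery password. Each of the eight 6-digit groups encodes a 16-bit value times 11, so
# every group must be divisible by 11 and below 720896 (65536 x 11). This catches typos;
# it does not prove the password belongs to any particular volume.

function Test-BitLockerRecoveryPassword {
    param([string] $Password)
    $groups = @(($Password -replace '\s', '') -split '-')
    if ($groups.Count -ne 8) {
        return New-Object PSObject -Property @{
            IsValid = $false; Reason = "expected 8 groups, got $($groups.Count)" }
    }
    for ($i = 0; $i -lt 8; $i++) {
        $g = $groups[$i]
        if ($g -notmatch '^\d{6}$') {
            return New-Object PSObject -Property @{
                IsValid = $false; Reason = "group $($i + 1) is not six digits" }
        }
        $n = [int]$g
        if (($n % 11) -ne 0 -or $n -ge 720896) {
            return New-Object PSObject -Property @{
                IsValid = $false; Reason = "group $($i + 1) ($g) fails the check" }
        }
    }
    return New-Object PSObject -Property @{ IsValid = $true; Reason = 'ok' }
}

# Constructed samples: the first is well formed, the second has a single-digit typo
# in its last group (550000 -> 550001).
$good = '135795-000066-720885-000000-123453-654313-011000-550000'
$bad  = '135795-000066-720885-000000-123453-654313-011000-550001'

foreach ($pw in $good, $bad) {
    $r = Test-BitLockerRecoveryPassword $pw
    Write-Host ('{0}  valid={1}  {2}' -f $pw, $r.IsValid, $r.Reason)
}
```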

Locating a BitLocker Recovery Password


The recovery password is unique to a particular BitLocker encryption and will be required
in the event the encrypted drive is moved to another computer, or changes are made to the
system startup information. It is recommended that you make additional copies of the password
and store them in safe places to ensure you can access your data.
A computer's password ID is a 32-character password unique to a computer name. Find
the password ID under the computer's properties. To locate a password, the following
conditions must be true:
• You must be a domain administrator or have delegate permissions.
• The client's BitLocker recovery information is configured to be stored in Active Directory.
• The client’s computer has been joined to the domain.
• BitLocker Drive Encryption must have been enabled on the client's computer.
Prior to searching for and providing a recovery password to a user, confirm that the person is the
account owner and is authorized to access data on the computer in question.
Search for the password in Active Directory Users and Computers by using either one of the
following:
• Drive Label
• Password ID

Examine the returned recovery password to ensure it matches the password ID that the
user provided. Performing this step helps to verify that you have obtained the unique recovery
password.

Data Recovery Agent Support


Windows 7 BitLocker adds Data Recovery Agent (DRA) support for all protected
volumes. This provides users with the ability to recover data from any BitLocker and BitLocker
To Go device when the data is inaccessible. This technology assists in the recovery of data on a
portable drive using the key created by the enterprise.
DRA support allows you to dictate that all BitLocker protected volumes are encrypted
with an appropriate DRA. The DRA is a new key protector that is written to each data volume so
that authorized IT administrators will always have access to BitLocker protected volumes.

Question: What is the difference between the recovery password and the
password ID?

Lesson 4: Configuring Application Restrictions


The ability to control which applications a user, or set of users, can run offers significant
increases in the reliability and security of enterprise desktops. Overall, an application lockdown
policy can lower the total cost of computer ownership in an enterprise. Windows 7 and Windows
Server 2008 R2 add Windows AppLocker™, a new feature that controls application execution
and simplifies the ability to author an enterprise application lockdown policy.
AppLocker reduces administrative overhead and helps administrators control how users
access and use files, such as .exe files, scripts, Windows Installer files (.msi and .msp files),
and .dll files. Because AppLocker replaces the software restriction policies (SRP) feature in prior
Windows versions, this lesson examines the benefits of AppLocker in comparison to SRP.


What Is AppLocker?

Users who run unauthorized software can experience a higher incidence of malware
infections and generate more help desk calls. However, it can be difficult for IT professionals to
ensure that user desktops are running only approved, licensed software.
Previous versions of Windows addressed this issue by supporting Software Restriction
Policy, which IT professionals used to define the list of applications that users were allowed to
run. Windows 7 builds upon this security layer with AppLocker, which provides administrators
the ability to control how users run multiple types of applications.

AppLocker Benefits
IT professionals can use AppLocker to specify exactly what is allowed to run on user
desktops. This allows users to run the applications, installation programs, and scripts they need
to be productive while still providing the security, operational, and compliance benefits of
application standardization.
AppLocker can help organizations that want to:
• Limit the number and type of files that are allowed to run by preventing unlicensed or malicious
software from running and by restricting the ActiveX controls that are installed.
• Reduce the total cost of ownership by ensuring that workstations are homogeneous across
their enterprise and that users are running only the software and applications that are approved
by the enterprise.
• Reduce the possibility of information leaks from unauthorized software.

Question: What are some of the applications that are good candidates for applying
an AppLocker rule?

AppLocker Rules

AppLocker is an MMC snap-in in the Group Policy Object Editor consisting of two
wizards. One wizard allows you to create a single rule, and another automatically generates
rules based on rule preferences and the selected folder. To access AppLocker, click Start and
type Gpedit.msc. Then navigate to Computer Configuration, Windows Settings, Security
Settings, and then Application Control Policies. Expand the Application Control Policies node
and highlight AppLocker.


Creating Default AppLocker Rules


With AppLocker, you can prevent users from installing and running per-user applications
by creating a set of default AppLocker rules. The default rules also ensure that the key
operating system files are allowed to run for all users.

Note: Before you manually create new rules or automatically generate rules for a specific folder,
you must create the default AppLocker rules.

Specifically, the default rules enable the following:


• All users to run files in the default Program Files directory.
• All users to run all files signed by the Windows operating system.
• Members of the built-in Administrators group to run all files.
By creating these rules, you have also automatically prevented all non-administrator users from
being able to run programs that are installed in their user profile directory. You can recreate the
rules at any time.

Automatically Generate AppLocker Rules


Once the default rules are created, you can create custom application rules. To facilitate
creating sets or collections of rules, AppLocker includes an Automatically Generate Rules
Wizard that is accessible from the Local Security Policy console.
This wizard simplifies the task of creating rules from a user-specified folder. When a rule
is manually created, you must choose whether it is an Allow or Deny rule. Allow rules enable
applications to run while Deny rules prevent applications from running. The Automatically
Generate Rules Wizard creates only Allow rules.
You can create exceptions for .exe files. For example, you can create a rule that allows
all Windows processes to run except regedit.exe, and then use audit-only mode to identify files
that will not be allowed to run if the policy is in effect.
You can automatically create rules by running the wizard and specifying a folder that
contains the .exe files for applications for which to create rules.

Note: Do not select a folder that contains one or more user profiles. Creating rules to allow .exe
files in user profiles might not be secure.

Question: When testing AppLocker, you must carefully consider how you will organize rules
between linked GPOs. What do you do if a GPO does not contain the default AppLocker rules?
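The same rule generation the wizard performs is available from the AppLocker PowerShell module that ships with Windows 7, which also lets you test the generated rules against specific files before they are applied. The following is an added example (not from the course manual); the application folder, output path and user name are assumptions.

```powershell
# Added example, not from the course manual: the "automatically generate rules" step done
# with the AppLocker PowerShell module, then the resulting rules tested against files
# without applying them. The folder, output path and user name are assumptions.

Import-Module AppLocker

# Scan the approved application folder (not a user profile folder, per the Note above) and
# build Allow rules: publisher rules for signed files, hash rules for unsigned ones.
# -Optimize collapses files from the same publisher and product into one rule.
$appFolder = 'C:\Program Files\Contoso App'      # assumed
$xmlPath   = 'C:\Policies\contoso-applocker.xml' # assumed
New-Item -ItemType Directory -Path (Split-Path $xmlPath) -Force | Out-Null

Get-AppLockerFileInformation -Directory $appFolder -Recurse -FileType Exe, Script |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'Contoso' -Optimize -Xml |
    Out-File -FilePath $xmlPath -Encoding UTF8

# Before enforcing anything: which of these files would the new rules allow for a given
# user? Test-AppLockerPolicy evaluates the XML without applying it. Only the generated
# rules are in this file, so a file outside $appFolder (regedit here) shows as denied
# until the policy is merged with the default rules.
Test-AppLockerPolicy -XmlPolicy $xmlPath -User 'AMAES\Adam' `
    -Path (Join-Path $appFolder 'app.exe'), 'C:\Windows\regedit.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# To apply: merge with the local policy (keeps the default rules), then refresh.
#   Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
#   gpupdate /force
```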


Demonstration: Configuring AppLocker Rules

This demonstration shows how to create a custom AppLocker rule and how to automatically
generate rules.
Create a New Executable Rule
1. Open AppLocker in the Local Group Policy Editor.
2. Create a new executable rule to deny the AMAES Marketing group access to regedit.

Create a New Windows Installer Rule


1. Create a new publisher rule to conditionally deny access to the Microsoft Article Authoring
Add-In.
2. Set the rule scope to Applies to all files signed by the specified publisher.
3. Create default rules when prompted.

Automatically Generate the Script Rules


Use the wizard to automatically generate script rules.

Demonstration: Enforcing AppLocker Rules

After you create new AppLocker rules, you must configure enforcement for the rule
collections and refresh the computer's policy. Enforcement is configured in the Local Security
Policy console in the Configure Rule Enforcement area. There are three enforcement options for
each rule type:
• Enforce rules with Group Policy inheritance
• Enforce rules
• Audit only
To view information about applications that are affected by AppLocker rules, use Event
Viewer. Review the entries in the log to determine if any applications were not included in the
rules.
This demonstration shows the different enforcement options, in addition to how to configure the
enforcement for the rule that was created in the previous demonstration. The demonstration will
then verify the enforcement with gpupdate.

Enforce AppLocker Rules


1. Open the AppLocker properties in the Local Group Policy Editor.
2. Configure executable rules to use the enforce rules option.
3. Configure Windows Installer rules to use the audit only option.

Confirm the Executable Rule Enforcement


1. In a Command Prompt, type gpupdate /force and wait for the computer policy to be updated.
2. Open Event Viewer to view the System logs.
3. In the result pane, view the event with Event ID 1502.
4. Review event message details.
5. Start the Application Identity service in Services and Applications.
6. Test the previously created rule by typing regedit.exe at a Command Prompt.
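Steps 2 to 5 above can be scripted so that the audit-only and enforced-block events are summarised per file before a collection is switched to Enforce rules. The following is an added example (not from the course manual) that reads the AppLocker event logs with Get-WinEvent and checks the Application Identity service the rules depend on.

```powershell
# Added example, not from the course manual: pull the AppLocker events that steps 2-4
# above look at in Event Viewer, so the files a policy would stop can be listed before
# switching a collection from Audit only to Enforce rules. Also checks the Application
# Identity service (step 5), without which no AppLocker rule is evaluated.

$AppLockerLogs = 'Microsoft-Windows-AppLocker/EXE and DLL',
                 'Microsoft-Windows-AppLocker/MSI and Script'
$EventIds = 8003, 8004   # 8003 = would have been blocked (Audit only); 8004 = blocked (Enforce)

function Get-AppLockerBlockEvents {
    param([int] $Hours = 24)
    foreach ($log in $AppLockerLogs) {
        Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = $log; Id = $EventIds; StartTime = (Get-Date).AddHours(-$Hours)
        } | ForEach-Object {
            $mode = if ($_.Id -eq 8003) { 'Audit: would block' } else { 'Blocked' }
            New-Object PSObject -Property @{
                Time = $_.TimeCreated
                Mode = $mode
                User = $_.UserId
                # The message starts with the file path, e.g. "%SYSTEM32%\REGEDIT.EXE was ..."
                File = ($_.Message -split ' was ')[0]
            }
        }
    }
}

$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    Write-Warning "Application Identity service is $($svc.Status); AppLocker rules are not applied"
}

$events = @(Get-AppLockerBlockEvents -Hours 48)
# Which files were hit, how often, and in which mode: anything unexpected here means a
# rule is missing and should be added before enforcement.
$events | Group-Object File, Mode | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```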

Question: What is the command to update the computer's policy and where is it
run?

What Are Software Restriction Policies?

It can be difficult to make safe choices about which software to run. To address this
situation, Software Restriction Policies (SRP) were included in previous Windows versions to
help organizations control not just hostile code, but any unknown code—malicious or otherwise.
With SRP, administrators were able to protect computers from non-trusted or unknown software
by identifying and specifying which software is allowed to run.

In Windows 7, AppLocker replaces the Software Restriction Policies feature found in
prior Windows versions (although the Software Restriction Policies snap-in is included in
Windows 7 computers for compatibility purposes).

AppLocker Enhancements Over SRP


AppLocker provides a number of enhancements beyond the functionality available with
SRP rules, including:
• The ability to define rules based on attributes derived from a file’s digital signature. SRP
supports certificate rules, but they are less granular and more difficult to define.
• A more intuitive enforcement model; only a file that is specified in an AppLocker rule is allowed
to run.
• A new, more accessible user interface that is accessed through the Local Policy snap-in and
Group Policy Management snap-in.
• An audit-only enforcement mode that allows administrators to determine which files will be
prevented from running if the policy were in effect.

AppLocker and SRP in Windows 7


In Windows 7, you can apply SRP or AppLocker rules, but not both. This allows you to
upgrade an existing implementation to Windows 7 and still take advantage of the SRP rules
defined in group policies. However, if Windows 7 has both AppLocker and SRP rules applied in
a group policy, then only the AppLocker rules are enforced and the SRP rules are ignored.

Question: Why must AppLocker rules be defined in a GPO separate from SRP rules?

Lesson 5: Configuring User Account Control


When logged in as a local administrator, a user can install and uninstall applications and
adjust system and security settings. As a result, IT departments often cannot gauge the holistic
health and security of their PC environments. In addition, every application that these users
launch can potentially use their accounts’ administrative-level access to write to system files, the
registry, and to modify system-wide data. Common tasks like browsing the Web and checking
email can become unsafe.
User Account Control provides resilience to attacks and is protective of data
confidentiality, integrity, and availability. User Account Control has been redesigned in Windows
7 to make running as a standard user more feasible.

What Is UAC (User Account Control)?

User Account Control (UAC) provides a way for each user to “elevate” his or her status
from a standard user account to an administrator account without logging off, switching users, or
using Run as. Windows 7 includes changes that enhance the user experience, increase user
control of the prompting experience, and increase security.
UAC is a collection of features rather than just a prompt. These features - which include
File and Registry Redirection, Installer Detection, the UAC prompt, and the ActiveX Installer
Service - allow Windows users to run with user accounts that are not members of the
Administrators group. These accounts are generally referred to as Standard Users and are
broadly described as “running with least privilege.” The key is that when users run with Standard
User accounts, the experience is typically much more secure and reliable.


UAC in Windows 7
Configuration settings provide users more control over the UAC prompt when running in
Administrator Approval Mode. In Windows 7, the number of operating system applications and
tasks that require elevation is reduced, so standard users can do more while experiencing fewer
elevation prompts.
When changes are going to be made to your computer that will require administrator-
level permission, UAC notifies you as follows:
• If you are an administrator, you can click Yes to continue.
• If you are not an administrator, someone with an administrator account on the computer will
have to enter his or her password for you to continue. If you are a standard user, providing
permission temporarily gives you administrator rights to complete the task and then your
permissions are returned back to standard user when you are finished. This makes it so that
even if you are using an administrator account, changes cannot be made to your computer
without you knowing about it, which can help prevent malicious software (malware) and spyware
from being installed on or making changes to your computer.

How UAC Works

There are two general types of user groups in Windows 7: standard users and
administrative users. UAC simplifies users’ ability to run as standard users and perform their
necessary daily tasks. Administrative users also benefit from UAC because administrative
privileges are available only after UAC requests permission from the user for that instance.

Standard Users
In previous Windows versions, many users were configured to use administrative
privileges rather than standard user permissions. This was done because previous Windows
versions required administrator permissions to perform basic system tasks such as adding a
printer, or configuring the time zone. In Windows 7, many of these tasks no longer require
administrative privileges.
When UAC is enabled and a user needs to perform a task that requires administrative
permissions, UAC prompts the user for the credentials of a user with administrative privileges.
The default UAC setting allows a standard user to perform the following tasks without
receiving a UAC prompt:
• Install updates from Windows Update.
• Install drivers from Windows Update or those that are included with the operating system.
• View Windows settings.
• Pair Bluetooth devices with the computer.
• Reset the network adapter and perform other network diagnostic and repair tasks.

Administrative Users
Administrative users automatically have:
• Read/Write/Execute permissions to all resources.
• All Windows privileges.

UAC Elevation Prompts


Many applications require users to be administrators by default, because they check
administrator group membership before running the application. With UAC enabled, members of
the local Administrators group run with the same access token as standard users. Only when a
member of the local Administrators group gives approval can a process use the administrator’s
full access token.

Question: What are the differences between a consent prompt and a credential prompt?

Demonstration: Configuring Group Policy Settings for UAC

Prior to the implementation of UAC, standard users working on a personal computer or
in a network setting often had the option of installing applications. Although administrators were
able to create Group Policy settings to limit application installations, they did not have access to
limit application installations for standard users by default.
UAC improves upon this experience by allowing administrators to define a default setting
that limits application installations for standard users. Additionally, administrators can use Group
Policy to define an approved list of devices and deployment.

The following Group Policy object (GPO) settings can be configured for UAC:
• Administrator Approval Mode for the built-in Administrator account
• Behavior of the elevation prompt for administrators in Admin Approval Mode
• Behavior of the elevation prompt for standard users
• Detect application installations and prompt for elevation
• Only elevate executables that are signed and validated
• Only elevate UIAccess applications that are installed in secure locations
• Run all administrators in Admin Approval Mode
• Switch to the secure desktop when prompting for elevation
• Virtualize file and registry write failures to per-user locations

Note: Modifying the "User Account Control: Run all administrators in Admin Approval Mode"
setting requires a computer restart before the setting becomes effective. All other UAC Group
Policy settings are dynamic and do not require a restart.

This demonstration shows the different UAC group policy settings in the Local Group Policy
Editor (gpedit.msc) snap-in and additionally shows how to configure some of them.
Create a UAC Group Policy Setting Preventing Access Elevation
1. Open the Local Group Policy Editor to access the Windows Setting\Security
Settings\Local Policies\Security Options node in Computer Configuration.
2. Configure the User Account Control: Behavior of the elevation prompt for standard users
policy to automatically deny elevation requests.

Test the UAC Settings


1. Log on to AMA-CL1 as AMAES\Adam.
2. Open Computer Management to see if you are prompted.

Create a UAC Group Policy Setting prompting for Credentials


1. Log on to AMA-CL1 as AMAES\Administrator.
2. Open the Local Group Policy Editor.
3. Access the Windows Setting\Security Settings\Local Policies\Security Options node in
Computer Configuration.
4. Configure the User Account Control: Behavior of the elevation prompt for standard users
policy to prompt for credentials.

Test the UAC Settings


1. Log on to AMA-CL1 as AMAES\Adam.
2. Open Computer Management.
3. Enter Administrator in the User name field and Pa$$w0rd in the Password field.
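The UAC Group Policy settings listed above, and the standard-user prompt behaviour set in the demonstration, are backed by registry values under the Policies\System key. The following added example (not code from the manual) reads those values and reports them under their policy names, then sets the standard-user behaviour the way the demonstration does. The value-to-meaning mapping is the documented Windows 7 one; the function names are this example's own.

```powershell
# Added example (not from the manual): audit the UAC Group Policy settings on a
# Windows 7 client by reading the registry values that the Security Options
# node writes, then change the standard-user prompt as in the demonstration.
# Run from an elevated PowerShell session.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Security Options policy name -> registry value -> meaning of the data
$uacPolicies = @(
    @{ Policy  = 'Admin Approval Mode for the built-in Administrator account'
       Value   = 'FilterAdministratorToken'
       Meaning = @{ 0 = 'Disabled'; 1 = 'Enabled' } },
    @{ Policy  = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'
       Value   = 'ConsentPromptBehaviorAdmin'
       Meaning = @{ 0 = 'Elevate without prompting'
                    1 = 'Prompt for credentials on the secure desktop'
                    2 = 'Prompt for consent on the secure desktop'
                    3 = 'Prompt for credentials'
                    4 = 'Prompt for consent'
                    5 = 'Prompt for consent for non-Windows binaries' } },
    @{ Policy  = 'Behavior of the elevation prompt for standard users'
       Value   = 'ConsentPromptBehaviorUser'
       Meaning = @{ 0 = 'Automatically deny elevation requests'
                    1 = 'Prompt for credentials on the secure desktop'
                    3 = 'Prompt for credentials' } },
    @{ Policy  = 'Detect application installations and prompt for elevation'
       Value   = 'EnableInstallerDetection'
       Meaning = @{ 0 = 'Disabled'; 1 = 'Enabled' } },
    @{ Policy  = 'Only elevate executables that are signed and validated'
       Value   = 'ValidateAdminCodeSignatures'
       Meaning = @{ 0 = 'Disabled'; 1 = 'Enabled' } },
    @{ Policy  = 'Only elevate UIAccess applications that are installed in secure locations'
       Value   = 'EnableSecureUIAPaths'
       Meaning = @{ 0 = 'Disabled'; 1 = 'Enabled' } },
    @{ Policy  = 'Run all administrators in Admin Approval Mode'   # change needs a restart
       Value   = 'EnableLUA'
       Meaning = @{ 0 = 'Disabled (UAC off)'; 1 = 'Enabled' } },
    @{ Policy  = 'Switch to the secure desktop when prompting for elevation'
       Value   = 'PromptOnSecureDesktop'
       Meaning = @{ 0 = 'Disabled'; 1 = 'Enabled' } },
    @{ Policy  = 'Virtualize file and registry write failures to per-user locations'
       Value   = 'EnableVirtualization'
       Meaning = @{ 0 = 'Disabled'; 1 = 'Enabled' } }
)

function Get-UacPolicy {
    $current = Get-ItemProperty -Path $uacKey
    foreach ($p in $uacPolicies) {
        $data = $current.($p.Value)          # $null when the value is absent
        if ($data -eq $null) {
            $meaning = 'Not set (Windows default applies)'
        } elseif ($p.Meaning.ContainsKey([int]$data)) {
            $meaning = $p.Meaning[[int]$data]
        } else {
            $meaning = "Unrecognised value $data"
        }
        New-Object PSObject -Property @{
            Policy = $p.Policy; Value = $p.Value; Data = $data; Meaning = $meaning
        }
    }
}

# Demonstration step: "Behavior of the elevation prompt for standard users".
# This writes the same registry value the Local Group Policy Editor sets;
# a domain GPO that defines the setting overwrites it at the next refresh.
function Set-UacStandardUserPrompt {
    param([ValidateSet(0, 1, 3)][int]$Behavior)   # 0 deny, 1 secure desktop, 3 credentials
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorUser -Value $Behavior -Type DWord
}

Get-UacPolicy | Format-Table Policy, Data, Meaning -AutoSize -Wrap

Set-UacStandardUserPrompt -Behavior 0     # AMAES\Adam is now denied instead of prompted
Get-UacPolicy | Where-Object { $_.Value -eq 'ConsentPromptBehaviorUser' }
```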

Question: Which User Account Control feature detects when an application is being
installed in Windows 7?

Configuring UAC Notification Settings

With Windows 7, the "on or off only" approach of UAC notifications is changed. The
following table identifies the four settings that enable customization of the elevation prompt
experience. These notification settings can be maintained through the Action Center.

Question: What two configuration options are combined to produce the end user
elevation experience?

Lesson 6: Configuring Windows Firewall


Windows Firewall is a host-based, stateful firewall included in Windows 7. It drops
incoming traffic that does not correspond to traffic sent in response to a request (solicited traffic)
or unsolicited traffic that has been specified as allowed (accepted traffic). Windows Firewall
helps provide protection from malicious users and programs that rely on unsolicited incoming
traffic to attack computers. Windows Firewall can also drop outgoing traffic and is configured
using the Windows Firewall with Advanced Security snap-in, which integrates rules for both
firewall behavior and traffic protection with Internet Protocol security (IPsec).


Discussion: What Is a Firewall?

A firewall is software or hardware that checks information coming from the Internet or a
network, and then either blocks it or allows it to pass through to a computer. Firewalls are the
equivalent of door locks, employee badges, and security systems. Just as you use locks to
secure a car and home, you use firewalls to protect computers and networks.
No firewall makes a computer impenetrable to an attack. Firewalls, like locks, create
barriers, and make it difficult for attackers to get into the computer. As a result, the computer
becomes less attractive to attackers. Firewalls effectively block most intrusions.
The two main firewall types are network firewalls and host-based firewalls. Network
firewalls are located at the network's perimeter, and host-based firewalls are located on
individual hosts within the network.
Present and discuss your ideas on this topic in the class.

Configuring the Basic Firewall Settings

In Windows 7, basic firewall information is centralized in Control Panel in the
Network and Sharing Center and System and Security.


The first time that a computer connects to a network, users must select a network
location. When users are connecting to networks in different locations, choosing a network
location helps ensure that the computer is always set to an appropriate security level. There are
three network locations:
• Home or work (private) networks
• Domain networks
• Public networks

Firewall Exceptions
When you add a program to the list of allowed programs, you are allowing that program to send
information to or from the computer. Continuing with the scenario from the previous topic,
allowing a program to communicate through a firewall is like unlocking a door in the firewall.
Each time the door is opened, the computer becomes less secure.
It is generally safer to add a program to the list of allowed programs than to open a port
in Windows Firewall with Advanced Security. If you open a port, the door is unlocked and open.
It stays open until you close it, whether a program is using it or not. If you add a program to the
list of allowed programs, you are unlocking the door, but not opening it. The door is open only
when required for communication.

Multiple Active Firewall Policies


Multiple active firewall policies enable computers to obtain and apply domain firewall
profile information regardless of the networks that are active on the computers. IT professionals
can maintain a single set of rules for remote clients and clients that are physically connected to
the corporate network.

Windows Firewall Notifications


In addition to the notification setting available when you turn Windows Firewall on or off,
you can display firewall notifications in the taskbar for three different behaviors:
• Show icon and notifications
• Hide icon and notifications
• Only show notifications
Notifications are also displayed in the Action Center in Control Panel.

Question: List the three network locations. Where do you modify them, and what feature of
Windows 7 allows you to use more than one?


Windows Firewall with Advanced Security Settings

Windows Firewall with Advanced Security is a host-based firewall that filters incoming
and outgoing connections based on its configuration. For example, you can allow incoming
traffic for a specific desktop management tool when the computer is on domain networks but
block traffic when the computer is connected to public or private networks.
In this way, network awareness provides flexibility on the internal network without
sacrificing security when users travel. A public network profile must have stricter firewall policies
to protect against unauthorized access. A private network profile might have less restrictive
firewall policies to allow file and print sharing or peer-to-peer discovery.

Windows Firewall with Advanced Security Properties


Use the Windows Firewall with Advanced Security Properties page to configure
basic firewall properties for domain, private, and public network profiles. The options that you
can configure for each of the three network profiles are:
• Firewall State

• Inbound Connections
• Outbound Connections
• Settings
• Logging

Windows Firewall with Advanced Security Rules


Rules are a collection of criteria that define which traffic you will allow, block, or secure
with the firewall. You can configure different types of rules:
• Inbound rules explicitly allow or block traffic that matches criteria in the rule.
For example, if you want to run a Web server, then you must create a rule that allows
unsolicited inbound network traffic on TCP port 80.
• Outbound rules explicitly allow or deny traffic originating from the computer that matches the
criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to a
computer (by IP address) through the firewall, but allow the same traffic for other computers.
• Connection Security Rules secure traffic by using IPsec while it crosses the network. You use
connection security rules to specify that connections between two computers must be
authenticated or encrypted.


Monitoring
Windows Firewall uses the monitoring interface to display information about current
firewall rules, connection security rules, and security associations. The Monitoring overview
page shows which profiles are active (domain, private, or public) and the settings for the active
profiles. The Windows Firewall with Advanced Security events are also available in Event
Viewer.

Question: There are three types of rules that can be created in Windows Firewall with
Advanced Security. List each type and the types of rules that can be created for each.

Well-Known Ports Used by Applications

Before you configure either inbound or outbound firewall rules, you must understand
how applications communicate on a TCP/IP network. At a high level, when an application wants
to establish communications with an application on a remote host, it creates a TCP or UDP
socket which is a combination of transport protocol, IP address, and a port. Ports are used in
TCP or UDP communications to name the ends of logical connections that transfer data.


Well-Known Ports
Well-known ports are assigned by the Internet Assigned Numbers Authority (IANA) and on most
systems can only be used by system processes or by programs executed by privileged users.
The following table identifies some well-known ports.

Question: What is the TCP port used by HTTP by a Web server?

Demonstration: Configuring Inbound, Outbound, and Connection Security Rules


This demonstration shows how to configure inbound and outbound rules, create a
connection security rule, and review monitoring in Windows Firewall with Advanced Security.

Configure an Inbound Rule


1. Open Windows Firewall in Control Panel and access the Advanced settings.
2. Create a new Inbound Rule that uses the Predefined rule type to block Remote Scheduled
Task Management (RPC).

Configure an Outbound Rule


1. Open Internet Explorer and attempt to access http://AMA-DC1. Were you able to connect to
the default Web site on AMA-DC1?
2. In the Windows Firewall with Advanced Security console, access Outbound Rules.
Create a new Outbound rule that uses the Port rule type to block the connection to port 80.


Test the Outbound Rule


• On AMA-CL1, open Internet Explorer and attempt to access http://AMA-DC1. Were you able
to connect to the default Web site on AMA-DC1?

Create a Connection Security Rule


1. Open Windows Firewall in Control Panel and access Connection Security Rules.
2. Create a new Connection Security Rule that uses the Server-to-Server rule type to require
Computer (Kerberos V5) and User (Kerberos V5) authentication.
Review Monitoring Settings in Windows Firewall
1. View monitoring information for connection security rules and security associations in
Windows Firewall with Advanced Security.
2. In the Outbound Rules, disable the HTTP – TCP 80 rule.
3. In the Connection Security Rules, disable the Kerberos Connection Security Rule.
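The same demonstration can be scripted with netsh advfirewall, which is built into Windows 7, and the effect of the outbound rule on the well-known HTTP port 80 checked with a plain TCP connect. This is an added example, not code from the manual: AMA-DC1, the rule names and the Kerberos V5 authentication choice come from the demonstration; the inbound rule's program, service and port mirror the predefined Remote Scheduled Task Management (RPC) rule and are this example's assumption.

```powershell
# Added example (not from the manual): the firewall demonstration as a script
# using netsh advfirewall plus a TCP connect test. Run elevated on AMA-CL1.
$target = 'AMA-DC1'

# Non-blocking TCP connect with a timeout; $true if the port accepts the connection.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Inbound rule: block what the predefined "Remote Scheduled Task Management (RPC)"
# rule allows (Task Scheduler service inside svchost.exe on the RPC dynamic ports).
netsh advfirewall firewall add rule name="Block Remote Scheduled Task Management (RPC)" `
    dir=in action=block protocol=TCP localport=RPC `
    program="%SystemRoot%\system32\svchost.exe" service=schedule

"Port 80 on $target reachable before the outbound rule: $(Test-TcpPort $target 80)"

# Outbound Port rule blocking TCP 80, named as in the demonstration.
netsh advfirewall firewall add rule name="HTTP - TCP 80" dir=out action=block protocol=TCP remoteport=80
"Port 80 on $target reachable after the outbound rule:  $(Test-TcpPort $target 80)"

# Connection security rule requiring Kerberos V5 computer and user authentication.
# endpoint2=any keeps it simple; the wizard's Server-to-Server type lets you
# narrow endpoint2 to the DC's address.
netsh advfirewall consec add rule name="Kerberos Connection Security Rule" `
    endpoint1=any endpoint2=any action=requireinrequireout `
    auth1=computerkerb auth2=userkerb

# Monitoring: the rule, active connection security rules and main mode SAs.
netsh advfirewall firewall show rule name="HTTP - TCP 80"
netsh advfirewall monitor show consec
netsh advfirewall monitor show mmsa

# Final demonstration steps: disable (not delete) the two rules.
netsh advfirewall firewall set rule name="HTTP - TCP 80" new enable=no
netsh advfirewall consec set rule name="Kerberos Connection Security Rule" new enable=no
```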

Lesson 7: Configuring Security Settings in Windows Internet Explorer 8


A browser is like any other application; it can be well managed and secure or poorly
managed. If a browser is poorly managed, IT professionals and enterprises risk spending more
time and money supporting users and dealing with security infiltrations, malware, and loss of
productivity.
Windows Internet Explorer® 8 helps users browse more safely, which in turn helps
maintain customer trust in the Internet and helps protect the IT environment from the evolving
threats presented on the Web.
Internet Explorer 8 specifically helps users maintain their privacy with features such as
InPrivate™ Browsing and InPrivate Filtering. The new SmartScreen® Filter provides protection
against social engineering attacks by identifying malicious Web sites trying to trick people into
providing personal information or installing malicious software, blocking the download of
malicious software, and providing enhanced anti-malware support.
Internet Explorer 8 helps prevent the browser from becoming an attack agent; it is built
with the Secure Development Lifecycle (SDL) and provides more granular control over the
installation of ActiveX® controls with per-site and per-user ActiveX features. The Cross Site
Scripting Filter protects against attacks against Web sites.


Discussion: Compatibility Features in Internet Explorer 8

Internet Explorer 8 includes advancements in compliance with Web standards, enabling
Web sites to be created more efficiently and to operate more predictably. Internet Explorer 8
provides a Compatibility View that uses the Internet Explorer 7 engine to display Web pages. In
addition, new events are added to the Application Compatibility Toolkit (ACT) to help IT
professionals detect and resolve issues between Internet Explorer 8 and custom internal
applications and Web sites.
The main features in Compatibility View are as follows:
• Internet Web sites display in Internet Explorer 8 Standards Mode by default. Use the
Compatibility View button to fix sites that render differently than expected.
• Internet Explorer 8 remembers sites that have been set to Compatibility View so that the
button only needs to be pressed once for a site. After that, the site is always rendered in
Compatibility View unless it is removed from the list.
• Internet Explorer 8 ships with a list of sites provided by Microsoft known to require the
Compatibility View. This list is periodically updated through Windows Update or Automatic
Updates.
• Intranet Web sites display in Internet Explorer 7 Standards Mode by default. This means that
internal Web sites created for Internet Explorer 7 will work.
• IT professionals can use Group Policy to set a list of Web sites to be rendered in Compatibility
View.
• Switching in and out of Compatibility View occurs without requiring the browser to be restarted.

A new entry on the Tools menu allows for advanced configuration of the Compatibility
View enabling IT professionals to customize the view to meet enterprise requirements.
The ACT is a set of tools to help IT professionals identify potential application compatibility
issues. The Internet Explorer Compatibility Evaluator component of ACT helps you identify
potential compatibility issues with Web sites. For Internet Explorer 8, new events have been
added to ACT to help detect and resolve potential issues between Internet Explorer 8 and
internal applications and Web sites. When ACT runs, a log of compatibility events is created and
an error message is displayed when there is a compatibility event. A link is provided to a white
paper that describes compatibility issues, mitigations, and fixes. Use the information from the
white paper to help resolve compatibility issues.
Present and discuss your ideas on this topic in the class.


Enhanced Privacy Features in Internet Explorer 8

One of the biggest concerns for users and organizations is the issue of security and
privacy when using the Internet. Internet Explorer 8 helps users maintain their security and
privacy.

InPrivate Browsing
InPrivate Browsing helps protect data and privacy by preventing browsing history,
temporary Internet files, form data, cookies, usernames, and passwords from being stored or
retained locally by the browser.

InPrivate Filtering
Most Web sites today contain content from several different sites; the combination of
these sites is sometimes referred to as a mashup. InPrivate Filtering monitors the frequency of
all third-party content as it appears across all Web sites visited by the user. An alert or
frequency level is configurable and is initially set to three. Third-party content that appears with
high incidence is blocked when the frequency level is reached.

Enhanced Delete Browsing History


Cookies and cookie protection are one aspect of online privacy. Enhanced Delete
Browsing History in Internet Explorer 8 enables users and organizations to selectively delete
browsing history. Administrators can configure Delete Browsing History options through Group
Policy or the Internet Explorer Administration Kit. Administrators can also configure which sites
are automatically included in favorites.

Question: Describe the difference between InPrivate Browsing and InPrivate
Filtering.


The SmartScreen Feature in Internet Explorer 8

Phishing attacks, otherwise known as social engineering attacks, can evade technical
protections and result in users giving up personal information. The majority of phishing scams
target individuals in an attempt to extort money or perform identity theft.
With the introduction of the SmartScreen Filter, Internet Explorer 8 builds on and
replaces the Phishing Filter technology introduced in Internet Explorer 7 by providing:
• An improved user interface.
• Faster performance.
• New heuristics and enhanced telemetry.
• Anti-Malware support.
• Improved Group Policy support.

How the SmartScreen Filter Works


The SmartScreen Filter relies on a Web service backed by a Microsoft-hosted URL
reputation database. With the filter enabled, Internet Explorer 8 performs a detailed examination
of the entire URL string and compares the string to a database of sites known to distribute
malware, then the browser checks with the Web service.
If the Web site is known to be unsafe, it is blocked and the user is notified with a bold
SmartScreen blocking page that offers clear language and guidance to help avoid known-
unsafe Web sites. Users can navigate away from the suspicious site, or choose to ignore the
warning. The ability to ignore the warning can be disabled by using Group Policy.


Configure the SmartScreen Filter


By default, the SmartScreen Filter is enabled in the Internet, Trusted, and Restricted
Zones, and disabled in the Intranet Zone. Zone checking can be turned off and users can create
a custom list of trusted sites. Administrators can also add a list of sites that the company has
decided are trusted.
Question: What Internet Explorer 7 feature does the SmartScreen Filter replace in Internet
Explorer 8?

Other Security Features in Internet Explorer 8

Additional security features in Internet Explorer 8 include the following:


• Changes in ActiveX controls
• The XSS Filter
• Data Execution Prevention (DEP) changes

ActiveX Controls and Management


Per-user ActiveX makes it possible for standard users to install ActiveX controls in their
own user profile, without requiring administrative privileges. This helps organizations realize the
full benefit of User Account Control by giving standard users the ability to install ActiveX controls
that are necessary in their daily browsing.
If a control is installed but is not permitted to run on a specific site (per-site ActiveX), an
Information Bar appears asking the user’s permission to run on the current Web site or on all
Web sites. Use Group Policy to preset allowed controls and their related domains.

Cross-Site Scripting Filter


Cross-site scripting attacks exploit vulnerabilities in Web applications and enable an
attacker to control the relationship between a user and a Web site or Web application that they
trust. Internet Explorer 8 includes a filter that helps protect against XSS attacks. When the filter
discovers likely XSS in a request, it identifies and neutralizes the attack if it is replayed in the
server’s response.
Data Execution Prevention
DEP or No-Execute (NX) helps thwart attacks by preventing code from running in
memory that is marked non-executable. DEP/NX also makes it harder for attackers to exploit
certain types of memory-related vulnerabilities, such as buffer overruns.


DEP/NX protection applies to both Internet Explorer and the add-ons it loads and is
enabled by default for Internet Explorer 8.

Question: Describe how the XSS Filter works.

Demonstration: Configuring Security in Internet Explorer 8


This demonstration shows how to configure security in Internet Explorer 8, including
enabling the compatibility view, configuring browsing history, InPrivate Browsing, and InPrivate
Filtering. The demonstration also shows the add-on management interface.

Enable Compatibility View for All Web Sites


Open Internet Explorer and configure it to display all Web sites in Compatibility
View.
Delete Browsing History
In Internet Options, delete Browsing history while retaining the Favorites Web site
data.

Configure InPrivate Browsing


1. Open Internet Explorer, browse to a known Web site and confirm that the address you typed
into the Address bar is stored.
2. Delete Browsing history for Temporary Internet Files, Cookies, and History. This time do not
retain the Favorites Web site data.
3. Confirm there are no addresses stored in the Address bar.
4. Set InPrivate Browsing, browse to a known Web site, and confirm the address you typed in is
not stored by clicking on the down arrow next to the Address bar.

Configure InPrivate Filtering


Open InPrivate Filtering in Internet Explorer and configure it to automatically block content.

View Add-on Management Interface


Use Manage Add-ons to view information about:
• Search Providers
• Bing
• Accelerators
• InPrivate Filtering


Lesson 8: Configuring Windows Defender


Windows Defender helps protect you from spyware and other forms of malicious
software. In Windows 7, Windows Defender is improved in several ways. It is integrated with
Action Center to provide a consistent means of alerting you when action is required, and
provides an improved user experience when you are scanning for spyware or manually
checking for updates. In addition, in Windows 7, Windows Defender has less impact on overall
system performance while continuing to deliver continuous, real-time monitoring.

What Is Malicious Software?

Malicious software, such as viruses, worms and Trojan horses, deliberately harms a
computer and is sometimes referred to as malware. Spyware is a general term used to describe
software that performs certain behaviors such as advertising, collecting personal information, or
changing the configuration of the computer, generally without appropriately obtaining consent
first. Other kinds of spyware make changes to the computer that are annoying and cause the
computer to slow down or stop responding.
Preventing the installation of malicious software requires that you understand the
purpose of the software you intend to install, and you have agreed to install the software on the
computer. When you perform an installation, read all disclosures, the license agreement, and
privacy statement.
Consider the following scenario: You are deploying Windows 7 throughout the
organization. To decide upon which operating system features to implement, you need to
understand security risks that might be relevant to the organization. Take part in a class
discussion about this scenario.

Question: What are common security risks that you must consider when deploying a new
operating system?
Question: How can you be sure that you have addressed the appropriate security risks before
and after a desktop deployment?

What Is Windows Defender?

Windows Defender helps protect you from spyware and malicious software; it is not anti-
virus software. Windows Defender uses definitions to determine if software it detects is
unwanted, and to alert you to potential risks. To help keep definitions up to date, Windows


Defender works with Windows Update to automatically install new definitions as they are
released.
In Windows Defender, run a quick, full, or custom scan. If you suspect spyware has
infected a specific area of the computer, customize a scan by selecting specific drives and
folders.
You can choose the software and settings that Windows Defender monitors, including
real-time protection options, called agents. When an agent detects potential spyware activity, it
stops the activity and raises an alert.
Alert levels help you determine how to respond to spyware and unwanted software. You
can configure Windows Defender behavior when a scan identifies unwanted software. You are
also alerted if software attempts to change important Windows settings.
To help prevent spyware and other unwanted software from running on the computer,
turn on Windows Defender real-time protection and select all real-time protection options.

Question: List the four Windows Defender alert levels. What are the possible
responses?

Scanning Options in Windows Defender

Windows Defender includes automatic scanning options that provide regular spyware
scanning and on-demand scanning:
• Quick scan
• Full scan
• Custom scan
It is recommended that you schedule a daily quick scan. At any time, if you suspect that
spyware has infected the computer, run a full scan.
When scanning the computer, you can choose from five additional advanced options:
• Scan archive files
• Scan e-mail
• Scan removable drives
• Use heuristics
• Create a restore point before applying actions to detected items


Once the scan is complete choose to remove or restore quarantined items and maintain
the allowed list. Do not restore software with severe or high alert ratings because it can put your
privacy and the security of the computer at risk.

Question: Why might you consider creating a restore point before applying actions to detected
items?

Demonstration: Configuring Windows Defender Settings

This demonstration shows how to configure Windows Defender settings, such as
scanning options, frequency, default actions, and quarantine settings. Also shown is the
Windows Defender Web site and the Microsoft SpyNet community.

Set Windows Defender Options


1. Open Windows Defender and access the Options to schedule automatic scanning by using
the following information:
• Frequency is Monday.
• Approximate time is 6:00 AM.
• Type is Quick scan.
• Update definitions before scanning.
2. Configure the scan to remove severe alert items and allow low alert items while applying
recommended actions.
3. Review real-time protection, excluded files, folders, and file type information.
4. Make sure to scan e-mail and removable drives, and then view administrator options.

View Quarantine Items


• In Tools and Settings, view Quarantined Items.

Microsoft SpyNet

• From Tools and Settings, join Microsoft SpyNet with basic membership.

Windows Defender Web Site


1. In Tools and Settings, point out the Windows Defender Website link.
2. Review and discuss the content of the Windows Defender Web site.

Module Review and Takeaways

Review Questions
1. When User Account Control is implemented, what happens to standard users and
administrative users when they perform a task requiring administrative privileges?
2. What are the requirements for Windows BitLocker to store its own encryption and decryption
key in a hardware device that is separate from the hard disk?
3. When implementing Windows AppLocker, what must you do before manually creating new
rules or automatically generating rules for a specific folder?
4. You decide to deploy a third-party messaging application on your company’s laptop
computers. This application uses POP3 to retrieve e-mail from the corporate mail server, and
SMTP to send mail to the corporate e-mail relay.
Which ports must you open in Windows Firewall?

5. Describe how the SmartScreen Filter works in Internet Explorer 8.


6. What does Windows Defender do to software that it quarantines?
7. What configuration options are available with Windows Defender, where do you set them,
and why?

Real-World Issues and Scenarios


1. An administrator configures Group Policy to require that data can only be saved on data
volumes protected by BitLocker. Specifically, the administrator enables the Deny write access to
removable drives not protected by BitLocker policy and deploys it to the domain. Meanwhile, an
end user inserts a USB flash drive that is not protected with BitLocker. What happens, and how
can the user resolve the situation?
2. Trevor has implemented Windows AppLocker. Before he created the default rules, he created
a custom rule that allowed all Windows processes to run except for Regedit.exe. Because he
did not create the default rules first, he is blocked from performing administrative tasks. What
does he need to do to resolve the issue?
3. A server has multiple network interface cards (NICs), but one of the NICs is not connected. In
Windows Vista, this caused the machine to be stuck in the Public profile (the most restrictive
profile). How is this issue resolved in Windows 7?

Common Issues Related to Internet Explorer 8 Security Settings


IT professionals must familiarize themselves with the common issues that are related to
Internet Explorer 8 security settings.

Diagnose Connection Problems Button


The Diagnose Connection Problems button helps users find and resolve issues, potentially
without involving the Helpdesk. When Internet Explorer 8 is unable to connect to a Web site, it
shows a Diagnose Connection Problems button. Clicking the button helps the user resolve the
problem by providing troubleshooting information. This option was available in Internet
Explorer 7 but is easier to find in Internet Explorer 8.

Resetting Internet Explorer 8 Settings


If Internet Explorer 8 on a user's computer is in an unstable state, you can use the Reset
Internet Explorer Settings (RIES) feature in Internet Explorer 8 to restore the default settings of
many browser features. These include the following:
• Search scopes
• Appearance settings
• Toolbars
• ActiveX controls (reset to opt-in state, unless they are pre-approved)
• Branding settings created by using IEAK 8

You can choose to reset personal settings by using the Delete Personal Settings option for the
following:
• Home pages
• Browsing history
• Form data
• Passwords

RIES disables all custom toolbars, browser extensions, and customizations that have
been installed with Internet Explorer 8. To use any of these disabled customizations, you must
selectively enable each customization through the Manage Add-ons dialog box. RIES does not
do the following:
• Clear the Favorites list.
• Clear the RSS Feeds.
• Clear the Web Slices.
• Reset connection or proxy settings.
• Affect Administrative Template Group Policy settings that you apply.

Note: Unless you enable the Group Policy setting titled “Internet Explorer Maintenance policy
processing”, Normal mode settings on the browser created by using IEM are lost after you use
RIES.

To use RIES in Internet Explorer 8, follow these steps:


1. Click the Tools menu and then click Internet Options.
2. On the Advanced tab, click Reset.
3. In the Reset Internet Explorer Settings dialog box, click Reset. To remove personal
settings, select the Delete Personal Settings check box. To remove branding, select the
Remove Branding check box.
4. When Internet Explorer 8 finishes restoring the default settings, click Close, and then click
OK twice.
5. Close Internet Explorer 8. The changes take effect the next time you open Internet Explorer 8

Note: To prevent users from using the RIES feature, enable the Do not allow resetting
Internet Explorer settings policy in Group Policy Administrative Templates.

Best Practices for User Account Control


• UAC Security Settings are configurable in the local Security Policy Manager (secpol.msc) or
the Local Group Policy Editor (gpedit.msc). However, in most corporate environments, Group
Policy is preferred because it can be centrally managed and controlled. There are nine Group
Policy object (GPO) settings that can be configured for UAC.
• Because the user experience can be configured with Group Policy, there can be different user
experiences, depending on policy settings. The configuration choices made in your environment
affect the prompts and dialog boxes that standard users, administrators, or both, can view.
For example, you may require administrative permissions to change the UAC setting to "Always
notify me" or "Always notify me and wait for my response." With this type of configuration, a
yellow notification appears at the bottom of the User Account Control Settings page indicating
the requirement.
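Whichever of those prompt behaviors you choose, the result ends up as a handful of registry values under the Policies\System key, and that is the quickest place to check whether a client actually has the UAC configuration the GPO intends. The following is an added example, not part of the lecture manual: it reads the values that the UAC Group Policy settings store and flags those that weaken elevation. The value names and their meanings are the documented UAC registry values; which ones count as "weak" is this example's own judgement, and values that are absent are shown with the Windows 7 defaults.

```powershell
# Added example, not from the lecture manual: audit the registry values behind the UAC
# Group Policy settings. Value names and meanings are the documented ones; the "weak"
# judgement and the Windows 7 defaults used for missing values are this example's.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey

$checks = @(
  @{ Name = 'EnableLUA'; Default = 1; Weak = @(0)
     Note = 'UAC is off: administrators always run with a full token' },
  @{ Name = 'ConsentPromptBehaviorAdmin'; Default = 5; Weak = @(0)
     Note = '0 elevates silently; 5 (default) prompts only for non-Windows binaries; 1/2 prompt on the secure desktop for every elevation' },
  @{ Name = 'ConsentPromptBehaviorUser'; Default = 3; Weak = @()
     Note = '0 = automatically deny, 1 = credentials on secure desktop, 3 = credentials on the normal desktop' },
  @{ Name = 'PromptOnSecureDesktop'; Default = 1; Weak = @(0)
     Note = 'prompt is drawn on the interactive desktop, where other programs can overlay or click it' },
  @{ Name = 'FilterAdministratorToken'; Default = 0; Weak = @(0)
     Note = 'built-in Administrator (disabled by default, but often enabled) is exempt from Admin Approval Mode' }
)

$report = $checks | ForEach-Object {
  $c = $_
  $value = $uac.($c.Name)
  $source = 'set in registry/policy'
  if ($value -eq $null) { $value = $c.Default; $source = 'not set (Windows 7 default)' }
  New-Object PSObject -Property @{
    Setting = $c.Name
    Value   = $value
    Source  = $source
    Finding = $(if ($c.Weak -contains $value) { 'WEAK: ' + $c.Note } else { 'ok' })
  }
}
$report | Format-Table Setting, Value, Source, Finding -AutoSize

# secpol.msc and gpedit.msc write to the same key, so a client whose values disagree with the
# domain GPO has either been changed locally or is not receiving policy at all.
```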

Best Practices for Windows BitLocker


• Because BitLocker stores the key that unlocks the volume in a hardware device that is
separate from the hard disk, you must have one of the following:
• A computer with Trusted Platform Module (TPM).

• A removable Universal Serial Bus (USB) memory device, such as a USB flash drive. If your
computer does not have TPM version 1.2 or higher, BitLocker stores its key on the memory
device.
• The most secure implementation of BitLocker leverages the enhanced security capabilities of
Trusted Platform Module (TPM) version 1.2.
• On computers that do not have a TPM version 1.2, you can still use BitLocker to encrypt the
Windows operating system volume. However, this implementation will require the user to insert
a USB startup key to start the computer or resume from hibernation and does not provide the
pre-startup system integrity verification offered by BitLocker that is working with a TPM.
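Before you plan a rollout it helps to know which of those two configurations a given computer will end up in. The following is an added example, not from the lecture manual: it queries the TPM through the Win32_Tpm WMI class that Windows 7 exposes, checks whether the BitLocker policy permits encryption without a TPM (the "Require additional authentication at startup" setting with "Allow BitLocker without a compatible TPM", stored under HKLM\SOFTWARE\Policies\Microsoft\FVE), and then prints the current protection state with manage-bde.exe. Run it from an elevated prompt; the TPM namespace is not readable by standard users.

```powershell
# Added example, not from the lecture manual. Win32_Tpm and the FVE policy key are real;
# the messages and the decision logic are this example's.
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue

if ($tpm -eq $null) {
  Write-Host 'No TPM visible to Windows.'
  # Without a TPM the OS volume can still be encrypted, but only if policy allows it. That policy
  # writes UseAdvancedStartup=1 and EnableBDEWithNoTPM=1 under the FVE key.
  $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
  if ($fve -ne $null -and $fve.UseAdvancedStartup -eq 1 -and $fve.EnableBDEWithNoTPM -eq 1) {
    Write-Host 'Policy allows a USB startup key. No pre-boot integrity check will be performed.'
  } else {
    Write-Host 'Policy does not allow BitLocker without a TPM; the wizard will refuse the OS volume.'
  }
} else {
  # SpecVersion reads like "1.2, 2, 3"; the first field is the TPM specification level.
  $spec = ($tpm.SpecVersion -split ',')[0].Trim()
  Write-Host "TPM found, specification $spec"
  Write-Host ("Enabled: {0}  Activated: {1}  Owned: {2}" -f $tpm.IsEnabled().IsEnabled, $tpm.IsActivated().IsActivated, $tpm.IsOwned().IsOwned)
  if ([version]$spec -lt [version]'1.2') {
    Write-Host 'TPM is older than 1.2: BitLocker treats this computer as having no TPM (startup key only).'
  }
}

# Protection state of the OS volume and the key protectors on it (TPM, TPM+PIN, startup key,
# recovery password). A volume with only a recovery password protector is not really protected.
manage-bde.exe -status $env:SystemDrive
manage-bde.exe -protectors -get $env:SystemDrive
```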

Best Practices for Windows AppLocker


• Before manually creating new rules or automatically generating rules for a specific folder,
create the default rules. The default rules ensure that the key operating system files are allowed
to run for all users.
• When testing AppLocker, carefully consider how you will organize rules between linked GPOs.
If a GPO does not contain the default rules, then either add the rules directly to the GPO or add
them to a GPO that links to it.
• After creating new rules, enforcement for the rule collections must be configured and the
computer's policy refreshed.
• By default, AppLocker rules do not allow users to open or run any files that are not specifically
allowed. Administrators must maintain a current list of allowed applications.
• If AppLocker rules are defined in a Group Policy Object (GPO), only those rules are applied.
To ensure interoperability between Software Restriction Policies rules and AppLocker rules,
define Software Restriction Policies rules and AppLocker rules in different GPOs.
• When an AppLocker rule is set to Audit only, the rule is not enforced. When a user runs an
application that is included in the rule, the application is opened and runs normally, and
information about that application is added to the AppLocker event log.
• At least one Windows Server 2008 R2 domain controller is required to host the AppLocker
rules.
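The practices above and the Trevor scenario in "Real-World Issues and Scenarios" come down to the same three checks, and Windows 7 ships an AppLocker PowerShell module that runs them without opening the Group Policy editor. The following is an added example, not from the lecture manual: it confirms the Application Identity service is running, lists each rule collection with its enforcement mode and rule count from the effective policy, tests a handful of administrative executables against that policy for Everyone (a Denied result for mmc.exe or cmd.exe is exactly the lockout Trevor caused by skipping the default rules), and finally summarizes what audit mode has logged so the allow list can be completed before enforcement. The sample file paths are this example's choices.

```powershell
# Added example, not from the lecture manual. Uses the AppLocker module that ships with
# Windows 7; the test paths and the Everyone principal are this example's choices.
Import-Module AppLocker

# 1. Nothing is evaluated unless the Application Identity service runs.
$appId = Get-Service -Name AppIDSvc
Write-Host "Application Identity service: $($appId.Status) (startup type must not be Disabled)"

# 2. Effective policy (local + linked GPOs): collections, enforcement mode, rule count.
#    EnforcementMode is NotConfigured, AuditOnly or Enabled.
[xml]$policyXml = Get-AppLockerPolicy -Effective -Xml
foreach ($rc in $policyXml.AppLockerPolicy.RuleCollection) {
  Write-Host ("{0,-7} mode={1,-14} rules={2}" -f $rc.Type, $rc.EnforcementMode, $rc.SelectNodes('*').Count)
}

# 3. Test what an administrator needs before enforcing. Denied or DeniedByDefault on mmc.exe
#    or cmd.exe means the default rules are missing and the policy will lock admins out.
$policy  = Get-AppLockerPolicy -Effective
$samples = @("$env:WINDIR\regedit.exe", "$env:WINDIR\System32\mmc.exe",
             "$env:WINDIR\System32\cmd.exe", "$env:ProgramFiles\Internet Explorer\iexplore.exe")
Test-AppLockerPolicy -PolicyObject $policy -Path $samples -User Everyone |
  Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# While a collection is in audit mode, every file that enforcement would have blocked is logged.
# Grouping those events by path tells you what still has to be added to the allow list.
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited |
  ForEach-Object { $_.Path.Path } | Group-Object | Sort-Object Count -Descending |
  Select-Object Count, Name | Format-Table -AutoSize
```

After changing a GPO, run gpupdate /force on the test client and repeat step 3; the effective policy only changes once the client has refreshed.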

Best Practices for Windows Defender


• When using Windows Defender, you must have current definitions.

• To help keep your definitions current, Windows Defender works with Windows Update to
automatically install new definitions as they are released. You can also set Windows Defender
to check online for updated definitions before scanning.
• When scanning your computer, it is recommended that you select the advanced option to
Create a restore point before applying actions to detected items. Because you can set Windows
Defender to automatically remove detected items, selecting this option allows you to restore
system settings in case you want to use software that you did not intend to remove.

Best Practices for the Encrypted File System (EFS)


The following is a list of standard best practices for EFS users:
• Users must export their certificates and private keys to removable media and store the media
securely when it is not in use. For the greatest possible security, the private key must be
removed from the computer whenever the computer is not in use. This protects against
attackers who physically obtain the computer and try to access the private key. When the
encrypted files must be accessed, the private key can easily be imported from the removable
media.

• Encrypt the My Documents folder for all users (User_profile\My Documents). This makes sure
that the personal folder, where most documents are stored, is encrypted by default.
• Users must encrypt folders rather than individual files. Programs work on files in various ways.
Encrypting files consistently at the folder level makes sure that files are not unexpectedly
decrypted.

• The private keys that are associated with recovery certificates are extremely sensitive. These
keys must be generated either on a computer that is physically secured, or their certificates
must be exported to a .pfx file, protected with a strong password, and saved on a disk that is
stored in a physically secure location.
• Recovery agent certificates must be assigned to special recovery agent accounts that are not
used for any other purpose.

• Do not destroy recovery certificates or private keys when recovery agents are changed.
(Agents are changed periodically). Keep them all, until all files that may have been encrypted
with them are updated.

• Designate two or more recovery agent accounts per organizational unit (OU), depending on
the size of the OU. Designate two or more computers for recovery, one for each designated
recovery agent account. Grant permissions to appropriate administrators to use the recovery
agent accounts. It is a good idea to have two recovery agent accounts to provide redundancy
for file recovery. Having two computers that hold these keys provides more redundancy to allow
recovery of lost data.

• Implement a recovery agent archive program to make sure that encrypted files can be
recovered by using obsolete recovery keys. Recovery certificates and private keys must be
exported and stored in a controlled and secure manner. Ideally, as with all secure data, archives
must be stored in a controlled access vault and you must have two archives: a master and a
backup. The master is kept on-site, while the backup is located in a secure off-site location.

• Avoid using print spool files in your print server architecture, or make sure that print spool files
are generated in an encrypted folder.

• The Encrypting File System does take some CPU overhead every time a user encrypts and
decrypts a file. Plan your server usage wisely. Load balance your servers when there are many
clients using Encrypting File System (EFS).
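The first three practices (encrypt at the folder level, encrypt the documents folder, back up the user's key) can be applied and verified from the command line with cipher.exe, which ships with Windows 7. The following is an added example, not from the lecture manual: it encrypts a folder recursively, lists anything that still lacks the Encrypted attribute, shows the recovery certificate registered on a file (so you know a lost user key would not mean a lost file), and shows the backup and free-space-wipe commands as comments because both are interactive or slow. The folder path is this example's choice.

```powershell
# Added example, not from the lecture manual. cipher.exe switches are the documented ones;
# the folder and the backup file name are this example's choices.
$folder = Join-Path $env:USERPROFILE 'Documents'

# /e encrypts the folder (new files inherit it); /s: recurses into existing subfolders and files.
cipher.exe /e /s:"$folder" | Out-Null

# Anything without the Encrypted attribute is still plain text: typically a file that was open
# for exclusive access while cipher ran, or a system file it skipped.
$notEncrypted = Get-ChildItem -Path $folder -Recurse -Force -ErrorAction SilentlyContinue |
  Where-Object { -not $_.PSIsContainer -and (($_.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0) }
if ($notEncrypted) {
  Write-Host 'Still unencrypted:'
  $notEncrypted | ForEach-Object { '  ' + $_.FullName }
} else {
  Write-Host "All files under $folder carry the Encrypted attribute."
}

# /c shows which user certificate and which recovery certificate(s) can decrypt a file.
# If no recovery certificate is listed, the recovery agent policy has not reached this file.
$first = Get-ChildItem -Path $folder -Recurse -Force -ErrorAction SilentlyContinue |
  Where-Object { -not $_.PSIsContainer } | Select-Object -First 1
if ($first) { cipher.exe /c "$($first.FullName)" }

# Key backup (first best practice). /x prompts for a password and writes a .pfx; move that file
# to removable media and delete it from the computer.
#   cipher.exe /x "$env:USERPROFILE\Desktop\efs-key-backup"

# Files that existed before encryption may still have plain-text remnants in unallocated space.
# Overwrite the volume's free space once after the first encryption run (slow, run off-hours).
#   cipher.exe /w:"$folder"
```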

Configuration Guidelines for Windows Firewall with Advanced Security


• You can configure Windows Firewall with Advanced Security in the following ways:
• Configure a local or remote computer by using either the Windows Firewall with Advanced
Security snap-in or the netsh advfirewall command.
• Configure Windows Firewall with Advanced Security settings by using the Group Policy
Management Console (GPMC) or using the Netsh advfirewall command.
• If you configure firewall logging by using Group Policy, ensure that the Windows Firewall
service has explicit write access, granted to its service security identifier (SID), to the log
file location that you specify; otherwise no log is written.
• If you deploy Windows Firewall with Advanced Security by using Group Policy and then block
outbound connections, ensure that you enable the Group Policy outbound rules and do full
testing in a test environment before deploying. Otherwise, you might prevent all of the
computers that receive the policy from updating the policy in the future, unless you manually
intervene.
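The review question about the POP3/SMTP mail client and the guidelines above meet in one script. The following is an added example, not from the lecture manual: it backs up the current policy, shows the per-profile default actions, creates the two outbound rules with netsh advfirewall (POP3 is TCP 110 and SMTP is TCP 25; the TLS variants are 995 and 587), scoped to the mail hosts and the client executable, and verifies them. The server addresses (from the TEST-NET-1 range) and the client path are placeholders. Note that Windows 7 allows all outbound traffic by default, so these rules only take effect once the outbound default is switched to Block, which is the step the last guideline warns about.

```powershell
# Added example, not from the lecture manual. netsh advfirewall syntax is the documented one;
# the addresses, program path, rule names and backup file are placeholders.
$popServer = '192.0.2.10'                                      # placeholder, TEST-NET-1
$smtpRelay = '192.0.2.25'                                      # placeholder, TEST-NET-1
$mailApp   = "$env:ProgramFiles\ContosoMail\mailclient.exe"    # placeholder path

# Keep a copy of the whole policy so the change can be reverted with "netsh advfirewall import".
$backup = "$env:SystemRoot\Temp\firewall-before-mail-rules.wfw"
netsh.exe advfirewall export $backup

# Default actions per profile. Outbound rules only matter when the outbound default is Block.
netsh.exe advfirewall show allprofiles | Select-String -Pattern 'Profile Settings', 'Firewall Policy'

# One rule per service, restricted to protocol, port, peer, program and the profiles in which the
# corporate servers are reachable.
netsh.exe advfirewall firewall add rule name="Mail client - POP3 to corporate server" `
    dir=out action=allow protocol=TCP remoteport=110 remoteip=$popServer `
    program="$mailApp" profile=domain,private
netsh.exe advfirewall firewall add rule name="Mail client - SMTP to corporate relay" `
    dir=out action=allow protocol=TCP remoteport=25 remoteip=$smtpRelay `
    program="$mailApp" profile=domain,private

# Verify what was actually created.
netsh.exe advfirewall firewall show rule name="Mail client - POP3 to corporate server" verbose
netsh.exe advfirewall firewall show rule name="Mail client - SMTP to corporate relay" verbose

# Switching the outbound default to Block is the risky step: do it on a test OU first, with the
# Group Policy client's own outbound rules enabled, or the clients will never receive the policy
# that corrects a mistake.
#   netsh.exe advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
```

Binding the rules to the program path rather than only to the ports keeps another process from reusing the opening; on the server side, prefer the TLS ports so credentials do not cross the network in clear text.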

Module 10: Optimizing and Maintaining Windows 7 Client Computers


Module Overview

For today’s computer users, system performance is a key issue. Therefore, it is important to
always optimize and manage your system performance. The Windows® 7 operating system
includes several monitoring and configuration tools that can be used to obtain information
about a system’s performance.

Lesson 1: Maintaining Performance by Using the Windows 7 Performance Tools

A computer system that performs at a low efficiency level can cause problems in the
work environment. It can lead to reduced productivity and increased user frustration. Windows 7
helps you determine the potential cause of poor performance and then provides the appropriate
tools to resolve the performance issues.

Discussion: What Are Performance and Reliability Problems?

Present and discuss your ideas on this topic in the class.

Performance Information and Tools

Performance Information and Tools combines many of the performance-related tools that
Windows 7 provides.
You can access Performance Information and Tools from Control Panel, where you can:
• Adjust visual effects
• Adjust indexing options
• Adjust power settings
• Open Disk Cleanup
From the Performance Information and Tools, you can also access the Advanced
tools.

The Advanced tools are mostly used to identify and show the following:
• Performance issues
• Performance-related events
• Graphs of system performance
• Real-time system resource usage

From the Performance Information and Tools, you can also access the Windows
Experience Index (WEI). The WEI provides information about each of your computer’s key
components.
• Processor
• Memory
• Graphics
• Gaming Graphics
• Primary hard disk

The WEI measures each key component and each hardware component receives an
individual subscore. The lowest subscore determines the computer’s base score. The base
scores range from 1 to 7.9. The base scores are defined as follows:
• Base score of 1 – 2: Can perform the most general computing tasks, such as run office
productivity applications and search the Internet.
• Base score of 3: Can run Windows Aero and many new features of Windows 7 at a basic
level.

• Base score of 4 – 5: Can run all new features of Windows 7 with full functionality, and it can
support high-end, graphics-intensive experiences, such as multiplayer and 3-D gaming and
recording and playback of HDTV content.
• Base score of 6 – 7.9: Excellent performance on high-end hardware.

Performance Monitor and Data Collector Sets

The Performance Monitor gives an overview of system performance and you can collect
detailed information for troubleshooting by using data collector sets.
The Performance Monitor includes the following features:
• Monitoring Tool
• Data Collector Sets
• Reports
You can also access Resource Monitor from Performance Monitor.

Monitoring Tool
Monitoring Tools contains Performance Monitor, which provides a graphical view of the
computer’s performance.
You can add Performance Counters to the Performance Monitor to measure the system
state or activity.

Performance Monitor data can be saved to a log file so that historical performance data is
always available for review.

Data Collector Sets


The data collector set is a custom set of performance counters, event traces, and
system configuration data.
After you have created a combination of data collectors that describe useful system
information, you can save them as a data-collector set and then run and view the
results.

A data collector set can be used to perform the following actions:


• To log performance counters, event traces, and system configuration data
• To run at a scheduled time
• To provide data for later analysis in Performance Monitor
• To generate reports
• To generate alerts

Reports
Use Reports to view the reports that are generated from the counters you collect by using Data
Collector Sets.

Resource Monitor
The Resource Monitor lists the use and real-time performance of:
• CPU: this tab has more detailed CPU information that you can filter, based on the process.
• Disk: this tab shows only the processes with current disk activity.

• Network: this tab provides information about all processes with current network activity.
• Memory: this tab provides detailed information about memory utilization for each process.

This enables you to identify which processes are using which resources.

Question: Which resources can cause performance problems if you have a shortage of them?

Demonstration: Using the Resource Monitor

This demonstration shows how to use Resource Monitor.


1. Log on to the computer by using the required credentials.
2. Open the Resource Monitor.
3. Expand the Disk section at the Overview tab.
4. Select Medium on Views. This controls the size of the graphs showing CPU utilization, disk
I/O, network utilization, and memory activity.
5. Open the CPU tab.
6. Select a process, in the Processes area.
7. Expand the Associated Handles area. This shows the files that are used by this process. It
also keeps the selected process at the top of the list for simpler monitoring.
8. Open the Memory tab. Notice that the previously selected process is still selected so that you
can review multiple types of information about a process as you switch between tabs.
9. Open the Disk tab. This tab shows processes with recent disk activity.
10. Expand the Disk Activity area and clear the Image check box to remove the filter and show
all processes with current disk activity. The Disk Activity area provides detailed information
about the files in use. The Storage area provides general information about each logical disk.
11. Open the Network tab.
12. Expand the TCP Connections area. This shows current TCP connections and information
about those connections.
13. Expand the Listening Ports area. This shows the processes that are listening for network
connections and the ports they are listening on. The firewall status for those ports is also shown.
14. Close the Resource Monitor.

Question: How can you simplify the task of monitoring the activity of a single
process when it spans different tabs?
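The Listening Ports view from step 13 is the one worth keeping a record of: a port that is open today and was not open when the machine was built is either a new service or something you want to investigate. The following is an added example, not from the lecture manual: it reproduces that view by parsing the output of netstat -ano (Windows 7 has no Get-NetTCPConnection cmdlet), joins each listener to its process name, saves the result as a baseline on the first run, and on later runs prints only what has appeared or disappeared. The baseline file location is this example's choice.

```powershell
# Added example, not from the lecture manual. netstat -ano output format is the real one;
# the baseline file path is this example's choice.
function Get-ListeningPort {
  $names = @{}
  Get-Process | ForEach-Object { $names[$_.Id] = $_.ProcessName }
  netstat.exe -ano | ForEach-Object {
    # TCP line:  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING    812
    # UDP line:  UDP    0.0.0.0:500     *:*                       812
    # \S+ is greedy, so "[::]:135" and "[fe80::1%12]:49152" split at the last colon.
    if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$' -or
        $_ -match '^\s*UDP\s+(\S+):(\d+)\s+\*:\*\s+(\d+)\s*$') {
      $owner = [int]$matches[3]
      New-Object PSObject -Property @{
        Proto        = $_.Trim().Split(' ')[0]
        LocalAddress = $matches[1]
        Port         = [int]$matches[2]
        OwnerPid     = $owner
        Process      = $names[$owner]     # PID 4 is System; 0 means the owner is unknown
      }
    }
  }
}

$current  = Get-ListeningPort | Sort-Object Proto, Port
$baseline = "$env:ProgramData\listening-baseline.xml"

if (-not (Test-Path $baseline)) {
  $current | Export-Clixml -Path $baseline
  Write-Host "Baseline saved to $baseline"
  $current | Format-Table Proto, LocalAddress, Port, OwnerPid, Process -AutoSize
} else {
  $old = Import-Clixml -Path $baseline
  # '=>' marks a listener present now but not at baseline time, '<=' one that has gone away.
  # Only an identical set prints nothing.
  Compare-Object -ReferenceObject $old -DifferenceObject $current -Property Proto, Port, Process |
    Sort-Object Port | Format-Table Proto, Port, Process, SideIndicator -AutoSize
}
```

Take the baseline on a freshly built client before it is handed to a user; a later run that shows a new TCP listener owned by a process you do not recognize is the cue to open Resource Monitor and look at that process's handles and modules.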

Demonstration: Analyzing System Performance by Using Data Collector Sets and Performance Monitor

This demonstration shows how to analyze system performance by using data collector sets and
Performance Monitor.

1. Log on to the computer by using the required credentials.
2. Open the Performance Monitor.

3. Open the Performance Monitor node. Notice that only % Processor Time is displayed by
default.
4. Open the Add Counters dialog box and add the % Idle Time counter from the PhysicalDisk
area for the system disk object.
5. Open the properties for the % Idle Time counter and set the color of the % Idle Time counter
to green.
6. Open the Create new Data Collector Set Wizard from the User Defined Options of the Data
Collector Sets node.
7. Enter a name for the data collector set, select Basic from the Template, and accept the
default storage location for the data.
8. Select to open properties for the data collector set and finish the wizard. The data collector
set is saved and the properties window is opened. On the General tab, you can configure
general information about the data collector set and the credentials that are used when it is
running.
9. Open the Directory tab. This tab lets you define information about how the collected data is
stored.
10. Open the Security tab. This tab lets you configure which users can change this data
collector set.
11. Open the Schedule tab. This tab lets you define when the data collector set is active and
gathering data.
12. Open the Stop Condition tab. This tab lets you define when data collection is stopped
based on time or data collected.
13. Open the Task tab. This tab lets you run a scheduled task when the data collector set stops.
This can be used to process the collected data.
14. Close the properties window.
15. Notice that there are three types of logs listed in the right pane.
• Performance Counter collects data that can be viewed in the Performance Monitor.
• Kernel Trace collects detailed information about system events and activities.
• Configuration records changes to registry keys.
16. Open Performance Counter. Notice that all Processor counters are collected by default.
17. Open the Add Counters dialog box and add all Physical Disk counters for the total object.
18. Start the CPU and Disk Activity.

19. Wait a few moments and the data collector set will stop automatically.

20. Open the Latest Report for the CPU and Disk Activity. This report shows the data
collected by the data collector set.
21. Close the Performance Monitor.

Question: How can you use Performance Monitor for troubleshooting?

Considerations for Monitoring System Performance in Windows 7

Resource Monitor shows what is happening on the Windows system right now. Use it as a starting
point for monitoring and troubleshooting performance issues. With Resource Monitor, you can
investigate which product, tool, or application is currently running and consuming CPU, disk,
network, and memory resources.
Set up a Baseline to evaluate the workload on your computer by using Performance
Monitor to:
• Monitor system resources.
• Observe changes and trends in resource use.
• Test configuration changes.
• Diagnose problems.

By using data collector sets, you can establish a baseline to use as a standard for
comparison:
• When you first configure the computer.
• At regular intervals of typical usage.
• When you make any changes to the computer’s hardware.
• When you make any changes to the computer’s software.
If you have appropriate baselines, you can always determine which resources are
affecting your computer’s performance.
Plan monitoring carefully to make sure that the data that you collect accurately
represents system performance.
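A baseline is only useful if it is captured the same way every time and kept somewhere you can find it after the change you want to evaluate. The following is an added example, not from the lecture manual: it collects the counters the demonstration added (processor time, disk idle time) plus disk queue length and available memory with Get-Counter, which ships with Windows PowerShell 2.0 on Windows 7, summarizes each counter, and writes the summary to a dated CSV file in C:\PerfLogs. The interval, sample count and file name are this example's choices; the logman commands at the end create the equivalent persistent data collector set.

```powershell
# Added example, not from the lecture manual. Counter paths are real Performance Monitor
# paths; interval, sample count and output location are this example's choices.
$counters = @(
  '\Processor(_Total)\% Processor Time',
  '\PhysicalDisk(_Total)\% Idle Time',
  '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
  '\Memory\Available MBytes'
)
# 12 samples five seconds apart is a smoke test; a real baseline runs for hours of typical use.
$samples = Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 12

$summary = $samples | ForEach-Object { $_.CounterSamples } | Group-Object -Property Path |
  ForEach-Object {
    $stats = $_.Group | Measure-Object -Property CookedValue -Average -Minimum -Maximum
    New-Object PSObject -Property @{
      Counter = $_.Name
      Average = [math]::Round($stats.Average, 1)
      Min     = [math]::Round($stats.Minimum, 1)
      Max     = [math]::Round($stats.Maximum, 1)
    }
  }
$summary | Format-Table Counter, Average, Min, Max -AutoSize

$logDir = "$env:SystemDrive\PerfLogs"
if (-not (Test-Path $logDir)) { New-Item -Path $logDir -ItemType Directory | Out-Null }
$file = Join-Path $logDir ("baseline-{0}.csv" -f (Get-Date -Format 'yyyyMMdd-HHmm'))
$summary | Select-Object Counter, Average, Min, Max | Export-Csv -Path $file -NoTypeInformation
Write-Host "Baseline written to $file. Re-run after a change and compare the two files."

# Equivalent unattended data collector set via logman: binary circular log capped at 100 MB.
#   logman.exe create counter Baseline -c $counters -si 5 -o "$logDir\Baseline" -f bincirc -max 100
#   logman.exe start Baseline
```

A sustained average below roughly 20 percent disk idle time, or a queue length that stays above the number of spindles, is the classic sign that the disk rather than the CPU is the bottleneck; the baseline tells you whether that was already true before the change you are evaluating.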

Lesson 2: Maintaining Reliability by Using the Windows 7 Diagnostic Tools


The Windows Diagnostic Infrastructure (WDI) is a set of diagnostic tools that performs
the following tasks:
• Identifies existing disk, memory, and network problems.
• Detects impending failures.

283

Principles of Operating System

• Alerts you to take corrective or mitigating action.

Problems That Windows Diagnostic Tools Can Help Solve

The Windows diagnostic tools show you information about the existing problems and
help you prevent future problems.
You can solve computer problems effectively and reliably by using the Windows
Diagnostic Tools.

The WDI includes diagnostic tools to troubleshoot:


• Unreliable memory
• Network-related problems
• Startup problems

Unreliable Memory
Failing memory can cause application failures, operating system faults, and stop errors.
Failing memory can be difficult to identify because problems can be intermittent.

Network-Related Problems
Network-related problems can be caused by incorrectly configured interfaces, incorrect IP
addresses, and various hardware failures that affect connectivity.
Operating-system features, such as cached credentials, enable users to log on as
domain users even when a network connection is not present. This feature can make it appear
as if the user has successfully logged on to the domain even when he or she has not.
Although this feature is useful, it does add an additional layer to the process of
troubleshooting network connections.

Startup Problems
Malfunctioning memory, incompatible or corrupted device drivers, missing or corrupt
startup files, or corrupt disk data can all cause startup failures.
Diagnosing startup problems is especially difficult because you do not have access to
Windows 7 troubleshooting and monitoring tools when your computer does not start.

284

Principles of Operating System

Windows Memory Diagnostics Tool

The Windows Memory Diagnostics Tool (WMDT) works with Microsoft Online Crash
Analysis to monitor computers for defective memory and determines whether defective physical
memory is causing program crashes. If the Windows Memory Diagnostics tool identifies a
memory problem, Windows 7 avoids using the affected part of physical memory so that the
operating system can start successfully and avoid application failures.
In most cases, Windows automatically detects possible problems with your computer’s
memory and displays a notification that asks whether you want to run the Memory Diagnostics
Tool.
You can also start the Windows Memory Diagnostics tool from the System and Security
location’s Administrative Tools option, which is in Control Panel.

How Does the Windows Memory Diagnostics Tool Run?


If the Windows Memory Diagnostics tool detects any problems with physical memory,
Microsoft Online Crash Analysis automatically prompts you to run the tool. You can decide
whether to restart your computer and check for problems immediately or to schedule the tool to
run when the computer next restarts.
When the computer restarts, Windows Memory Diagnostics tests the computer’s
memory. When the Memory Diagnostics Tool runs, it shows a progress bar that indicates the
test’s status. It may take several minutes for the tool to finish checking your computer's memory.
When the test is finished, Windows restarts again automatically. When the test is finished,
Windows Memory Diagnostics gives you a clear report detailing the problem. It also writes
information to the event log so that it can be analyzed.
You can also run the Windows Memory Diagnostics tool manually. You have the same
choices: to run the tool immediately or to schedule it to run when the computer restarts.
Additionally, you can start Windows Memory Diagnostics from the installation media.

Windows Network Diagnostics Tool

The Windows Network Diagnostics tool provides assistance in resolving network related
issues by using the Fix a Network Problem Feature.
You can access Windows Network Diagnostics tool from the Fix a Network Problem
page in the Network and Sharing Center.

285

Principles of Operating System

The Windows Network Diagnostics Tool can troubleshoot different network problems
such as the following:
• Internet Connections: Connections to the Internet or to a particular Web site.
• Connection to a Shared Folder: Access shared files and folders on other computers.
• HomeGroup: View the computers or shared files in a homegroup for workgroup configured
computers.
• Network Adapter: Troubleshoot Ethernet, Wireless, or other network adapters.
• Incoming Connections to This Computer: Allow for other computers to connect to your
computer.
• Printing: You can also troubleshoot problems on printer connections.
The Windows Network Diagnostics tool runs automatically when it detects a problem.

Reliability Monitor and Problem Reports and Solutions Tool

The Reliability Monitor provides a timeline of system changes and reports the system’s
reliability. It also provides detailed information that you can use to achieve optimal system
reliability. You can access the Reliability Monitor by clicking View System History on the
Maintenance tab in the Action Center. The Reliability Monitor provides a System Stability
Chart.
The System Stability Chart provides an overview of system stability, for the past year, in
daily increments. This chart indicates any information, error, or warning messages and
simplifies your ability to identify issues and the date on which they occurred.
The Reliability Monitor creates a detailed System Stability Report for each event. These
reports show the following events:
• Software Installs
• Software Uninstalls
• Application Failures
• Hardware Failures
• Windows Failures
• Miscellaneous Failures
The Reliability Monitor records the following key events in a timeline:
• Installation of new applications
• Operating-system patches
• Operating-system drivers

286

Principles of Operating System

Additionally, the Reliability Monitor tracks the following events that help you identify the reasons
for reliability issues:
• Memory problems
• Hard-disk problems
• Driver problems
• Application failures
• Operating system failures
The Problem Reports and Solutions Tool works together with Windows Error Reporting Services
to provide a history of the attempts made to diagnose your computer’s problems. You can start
the Problem Reports and Solutions tools from the Reliability Monitor. If you find a problem after
running the Windows Diagnostics Tool, use the Problem Reports and Solutions tool to:
• Save the Reliability history.
• View problems and responses.
• Check for solutions to all problems.
• Clear the solution and problem history.
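When you have to review many computers, or one whose desktop is no longer usable, the same data the Reliability Monitor charts can be read through WMI. The following is an added example, not from the lecture manual: it prints the last seven daily stability index values and the reliability records of the past 30 days grouped by source, using the Win32_ReliabilityStabilityMetrics and Win32_ReliabilityRecords classes that Windows 7 exposes, highlights unexpected shutdowns and stop errors, and finishes with the most recent Windows Memory Diagnostics results from the System event log (event ID 1201 reports the outcome). The 30-day window and the source-name filters are this example's choices.

```powershell
# Added example, not from the lecture manual. WMI classes, event provider and event ID are
# the real ones; the time window and filters are this example's choices.
$since  = (Get-Date).AddDays(-30)
$toDate = { [Management.ManagementDateTimeConverter]::ToDateTime($args[0]) }   # DMTF -> DateTime

# Daily stability index (1 to 10): the line the Reliability Monitor chart is drawn from.
Get-WmiObject -Class Win32_ReliabilityStabilityMetrics |
  Where-Object { (& $toDate $_.TimeGenerated) -ge $since } |
  Sort-Object TimeGenerated -Descending | Select-Object -First 7 |
  ForEach-Object { "{0:yyyy-MM-dd}  stability index {1}" -f (& $toDate $_.TimeGenerated), $_.SystemStabilityIndex }

# The events behind the System Stability Report (application failures, Windows Error Reporting,
# MsiInstaller, Windows Update, ...), grouped by their source.
$records = Get-WmiObject -Class Win32_ReliabilityRecords |
  Where-Object { (& $toDate $_.TimeGenerated) -ge $since }
$records | Group-Object -Property SourceName | Sort-Object Count -Descending |
  Select-Object Count, Name | Format-Table -AutoSize

# Unexpected shutdowns and stop errors deserve the first look; an unexplained run of them on one
# machine is a hardware or driver problem, across many machines it may be something else.
$records | Where-Object { $_.SourceName -like '*Kernel-Power*' -or $_.SourceName -like '*BugCheck*' } |
  ForEach-Object { "{0:yyyy-MM-dd HH:mm}  {1}  {2}" -f (& $toDate $_.TimeGenerated), $_.SourceName, $_.ProductName }

# Outcome of the last Windows Memory Diagnostics runs ("detected no errors" or the fault found).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-MemoryDiagnostics-Results' } `
    -MaxEvents 3 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message | Format-List

# To schedule a memory test for the next restart without the GUI, run mdsched.exe.
```

The reliability records are produced by a scheduled task (RacTask) that runs about once an hour, so a computer that has been off for a while shows no rows for the gap, not a clean bill of health.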

Windows Startup and Recovery

The Startup and Recovery option is accessed from the Advanced tab in the System
Properties. In the System startup, you can specify the default operating system for startup.
You also select the number of seconds that you want the list of recovery options to be
displayed before the default recovery option is automatically selected. Under System Failure,
you can specify what happens when the system stops unexpectedly:
• Write an event to the System log: Specifies that event information will be recorded in the
system log.

• Automatically restart: Specifies that Windows will automatically restart your computer.
Under Write debugging information, select the type of information that you want
Windows to record when the system stops unexpectedly. This information is stored in the folder
under Dump file.
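The System Failure settings in that dialog are stored under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl, which is where you change them when they have to reach many clients. The following is an added example, not from the lecture manual: it prints the current settings with their dialog labels, then sets a kernel memory dump, keeps the stop screen on the display instead of restarting, and makes sure the event is logged. The value names are the documented ones; the chosen settings are this example's recommendation for computers whose crashes you intend to analyze. Dumps contain whatever was in memory, including credentials and keys, so restrict access to the dump file location.

```powershell
# Added example, not from the lecture manual. Registry value names are the documented
# CrashControl values; the settings applied below are this example's choice.
$cc = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$dumpTypes = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'; 3 = 'Small memory dump (minidump)' }

function Show-CrashControl {
  $p = Get-ItemProperty -Path $cc
  "Write an event to the System log : {0}" -f ($p.LogEvent -eq 1)
  "Automatically restart             : {0}" -f ($p.AutoReboot -eq 1)
  "Write debugging information       : {0}" -f $dumpTypes[[int]$p.CrashDumpEnabled]
  "Dump file                         : {0}" -f $p.DumpFile
  "Overwrite any existing file       : {0}" -f ($p.Overwrite -eq 1)
}

'Before:'
Show-CrashControl

# Kernel dump: enough for driver and rootkit analysis, far smaller than a complete dump. Requires
# a page file on the system drive large enough to hold kernel memory. Disabling automatic
# restart leaves the stop code on screen for whoever looks at the machine first.
Set-ItemProperty -Path $cc -Name CrashDumpEnabled -Value 2 -Type DWord
Set-ItemProperty -Path $cc -Name AutoReboot       -Value 0 -Type DWord
Set-ItemProperty -Path $cc -Name LogEvent         -Value 1 -Type DWord

'After (takes effect at the next boot):'
Show-CrashControl

# The operating system list timeout from the same dialog lives in the BCD store, not here:
#   bcdedit.exe /timeout 10
```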
You can access the Advanced Boot Options for Troubleshooting Startup Problems. The
following options are used:
• Change the registry
• Load drivers

287

Principles of Operating System

• Remove drivers
The Startup Repair tool fixes many common problems automatically and quickly diagnoses and
repairs more complex startup problems. When you run the Startup Repair tool, it scans your
computer for the source of the problem and then tries to fix it so that your computer can start
correctly. When the system detects a startup failure, it launches the Startup Repair tool, which
runs diagnostics and analyzes startup log files to determine the cause of the failure. After the
Startup Repair tool determines the cause of the failure, it tries to fix the problem
automatically.
The Startup Repair tool can repair the following problems automatically:
• Incompatible drivers
• Missing or corrupted startup-configuration settings
• Corrupted disk metadata

After the Startup Repair tool repairs the operating system, Windows 7 notifies you of the repairs
and provides a log so that you can determine the steps the Startup Repair tool performed. If the
Startup Repair tool cannot resolve startup errors, Windows 7 rolls the system back to the last
known working state. If the Startup Repair tool cannot recover the system automatically, it
provides diagnostic information and support options to make additional troubleshooting simpler.
You can start the Startup Repair tool manually from the Windows 7 installation DVD. After you
start the computer from the DVD, you can access the manual repair tools from the menus that
are displayed.

Demonstration: Resolving Startup Related Problems

This demonstration shows how to resolve startup related problems.


1. Start the computer that has the ISO image of Windows 7 installation DVD.
2. Open the System Recovery Options window.
3. In the System Recovery Options window, read the list of operating systems found.
4. Read the options that are listed.
• Startup Repair attempts to automatically repair a Windows system that is not starting
correctly.
• System Restore is used to restore system configuration settings based on a restore
point.
• System Image Recovery is used to perform a full restore from Windows backup.
• Windows Memory Diagnostic is used to test physical memory for errors.
• Command Prompt lets you manually access the local hard disk and perform repairs.
5. Open the Command Prompt.
6. At the command prompt, type <first_drive_letter>: to go to the first drive.
7. At the command prompt, type dir and notice that there are no files on the first drive.
8. At the command prompt, type <second_drive_letter>: to go to the second drive.
9. At the command prompt, type dir and notice that this drive is the first drive when Windows 7
is running.
10. Close the Command Prompt and restart the computer.

Question: When do you use the command prompt to perform system repairs
manually?

Lesson 3: Backing Up and Restoring Data by Using Windows Backup


It is important to protect data on computer systems from accidental loss or corruption.
Additionally, to recover from a problem, it is often simpler to restore system settings than to
reinstall the operating system and applications. By using Windows Backup, you can perform
backups and when it is necessary, perform restores to recover damaged or lost files, or repair
corrupted system settings.

Discussion: Need for Backing Up Data; Present and discuss your ideas on this topic in the
class.

Backup and Restore Tool

The Backup and Restore options in Control Panel provide access to all backup related
setup procedures and tasks.

From the Backup and Restore Center, you can perform the following:
• Create a backup and schedule for regular backups.
• Restore a backup.
• Create a system Image.
• Create a system repair disc.

Windows Backup
To back up your files, locate the Backup and Restore Center, click Set up backup,
specify the destination drive to which you want to back up, and then select the file types that you
want to back up.
Windows Backup creates copies of the data files. You can let Windows select what to
back up or you can select the individual folders, libraries, and drives that you want to back up.
You can change the schedule and manually create a backup at any time.
You can back up files to the following:
• External hard drive
• Writeable DVD
• Network location

Restore a Backup
If something goes wrong that requires restoring data from a backup, you can select
whether to restore individual files, selected folders, or all personal files. Restoring a backup helps
you return your computer's files to an earlier point in time.

System Image
A system image backup is a copy of the drives required for Windows to run. It
can also include additional drives. A system image can be used to restore your computer if your
hard disk or computer stops working.

System Repair Disc


A system repair disc is used to start your computer if you must recover Windows from a
serious error, and it provides the tools to repair your computer.

Demonstration: Perform a Backup

This demonstration shows how to perform a backup.


1. Log on to the computer by using the required credentials.
2. Create a new text file that has some arbitrary text and save it in the Documents Library.
3. Open the Backup and Restore.
4. Open the Set up backup Wizard.
5. Select a volume for the backup to be saved.
6. Select the option to choose your own items to back up. Notice that by default, the libraries for all
users are selected, as well as a system image.
7. Select the libraries that contain the text file that was created earlier to be backed up and
exclude other items.
8. Open the Change schedule to review the backup schedule. The available options include
How Often, What day, and What time to run the backup.
9. Save the settings, run the backup, and wait for it to complete.
10. View the detailed progress.
11. Close the Backup and Restore.

Question: What files do you need to back up on a computer?

Demonstration: Restoring Data

This demonstration shows how to restore data.

1. Log on to the computer by using the required credentials.
2. Open the Backup and Restore.
3. Open the Restore Files Wizard.
4. Select a file to be restored and restore the file in the original location.
5. When you are prompted that the file already exists, select to copy and replace the file and
finish the wizard.
6. Close the Backup and Restore window.

Question: When do you need to restore to an alternate location?

Lesson 4: Restoring a Windows 7 System by Using System Restore Points


Windows 7 provides System Restore to monitor and record changes that are made
to the core Windows system files and to the registry. If your computer is not functioning
correctly, the System Restore tool can return your computer to a previous state by using System
Restore Points. System Restore is often quicker and simpler than using backup media.

How System Restore Works

System Restore enables you to restore your computer's system files to an earlier point in time.

All system files and folders are restored to the state they were in when you created the system
restore point.
System Restore points back up the following settings:
• Registry
• Dllcache folder
• User profile
• COM+ and WMI information
• IIS metabase
• Certain monitored system files

System Restore is different from a data backup. It is not intended for backing up personal
files. Therefore, it cannot help you recover a personal file that is deleted or damaged. Run
System Restore from the System Protection tab of System Properties. Each restore point
has a description to help you restore your computer to the correct point in time.
You can always undo a system restore if it does not fix the computer problem.

Question: What are the situations when you might need to use System Restore?
Question: When do you restore a file from a restore point rather than a backup?

What Are Previous Versions of Files?

Previous versions of files let you recover an earlier version of a data file, even if it has
never been backed up. This feature recovers the earlier version from a volume
Shadow Copy.

The Volume Shadow Copy Service (VSS) is available in Windows XP and later
versions.
VSS automatically creates a shadow copy when a restore point is taken. Shadow Copy is
automatically turned on in Windows 7 and creates copies of files that have changed on a
scheduled basis.
After you enable System Protection, you can use both the previous versions feature and
system restore points.
You can use previous versions to restore files and folders that you accidentally changed
or deleted or that were damaged. Depending on the type of file or folder, you can open, save to
a different location, or restore a previous version.

Question: What are the benefits of maintaining previous versions of files?

Configuring System Protection Settings

With the System Protection program, you can keep copies of the system settings and
previous versions of files. Access the System Protection tab in the System Properties window.
The window is accessed from System Menu in the System and Security page in Control Panel.
To restore the system, click Configure in the System Protection tab. The following
options are available:
• Restore system settings and previous versions of files. This creates a full System Restore.

• Only restore previous versions of files. With this, you cannot use System Restore to undo
unwanted system changes.
• Turn off system protection. This deletes existing restore points on the disk and new restore
points will not be created.

Disk Space Usage


You can adjust the maximum disk space that is used for system protection. As space fills
up, older restore points will be deleted to make room for new restore points.

Demonstration: Restoring a System

This demonstration shows how to restore a system.

Restore points are enabled by default in Windows 7. The process for enabling restore points
shown in this demonstration is not typically required.
1. Log on to the computer by using the required credentials.
2. Create a new text file that has some arbitrary text and save it in the Documents Library.
3. Open the Computer properties.
4. Open the System Protection.
5. Configure the system drive to be able to restore system settings and previous versions of
files.
6. Configure the second drive to be able to restore system settings and previous versions of
files.
7. Create a restore point.
8. Close the System window.
9. Select the file created earlier and attempt to restore the previous version of the file.
10. Open the System Restore Wizard from the System Tools menu.
11. Select a restore point and restore the system to that restore point. This restores only system
files, not data files.
12. Log on to the computer by using the required credentials.
13. Read the message in the System Restore window and close the window.
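Steps 5 to 7 and step 11 of this demonstration can also be performed with the System Restore cmdlets that ship with PowerShell 2.0 on Windows 7. The script below is an added example, not part of the lecture manual; the drive letters and the restore point description are assumptions for illustration, and it must run from an elevated prompt.

```powershell
# Added example (not from the lecture manual): the restore-point part of the
# demonstration above, using the Windows 7 System Restore cmdlets.
# Run from an elevated PowerShell prompt.

$drives      = 'C:\', 'D:\'           # assumed: system drive plus a second volume
$description = 'Before demo restore'  # assumed restore-point label

# Steps 5 and 6: turn on System Protection for the listed drives.
Enable-ComputerRestore -Drive $drives

# Step 7: create a restore point. MODIFY_SETTINGS is one of the documented
# restore point types; it only labels the point.
Checkpoint-Computer -Description $description -RestorePointType MODIFY_SETTINGS

# List the existing restore points. CreationTime is a WMI date string, so
# convert it; SequenceNumber is what Restore-Computer expects.
$points = Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ Name = 'Created'
           Expression = { [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } }
$points | Format-Table -AutoSize

# Step 11 (not run by default): roll system files and the registry back to the
# point just created. As the lesson notes, personal files are not touched, so a
# restore point is no substitute for the backup described in Lesson 3.
$latest = ($points | Sort-Object SequenceNumber | Select-Object -Last 1).SequenceNumber
# Restore-Computer -RestorePoint $latest -Confirm
```

Restoring the system restarts the computer, which is why the last line is left commented; uncomment it once the listed restore point is the one you intend to use.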

Question: When will the previous version of a file be unavailable?

Lesson 5: Configuring Windows Update


To ensure that Windows computers remain stable and protected, update them regularly
with the latest security updates and fixes. Windows Update enables you to download and install
important and recommended updates automatically instead of visiting the Windows Update Web
site.
As a Windows 7 Technology Specialist, you must be aware of the configuration options
that Windows Update has available, and you must be able to guide users on how to configure
these options.

What Is Windows Update?

Windows Update is a service that provides software updates to keep a computer up-to-
date and more protected. Windows Update scans the user’s computer and provides a tailored
selection of updates.
There are two types of Windows updates:
1. Important updates, including security updates and critical performance updates.
2. Recommended updates that help fix or prevent problems.
Windows Update downloads computer updates in the background while you are online.
If your Internet connection is interrupted before an update downloads fully, the download
process resumes when the connection is available.
Only important updates are installed automatically. Recommended and optional updates
have to be selected manually.

Question: How is the Automatic Updates feature useful?

Configuring Windows Update Settings

As a best practice, configure computers that are running Windows 7 to download and
install updates automatically. This ensures that the computer has the most up-to-date
and protected configuration possible.
You can turn on Automatic Updates during the initial Windows 7 setup, or you can
configure it later.

In the Windows Update page, you can configure how the updates will be installed, view
the important and optional updates that are available for your computer, view the history of
updates, and restore hidden updates.

The following settings are available for customizing how the updates will be installed:
• Install updates automatically (recommended)
• Download updates but let me choose whether to install them
• Check for updates but let me choose whether to download and install them

If you do not want updates to be installed or downloaded automatically, you can choose
to be notified when updates apply to your computer so that you can download and install them
yourself. For example, if you have a slow Internet connection or your work is interrupted, you can
have Windows check for updates but download and install them yourself.
You can use the View Update History page to review the update history. The status
column in this page will help you make sure that all important updates were installed
successfully. You can use the Restore Hidden Updates page if you want to restore an update
that you have asked Windows not to notify you about or install automatically.

Windows Update Group Policy Settings

Windows Group Policy is an administrative tool for managing user settings and computer
settings over a network.

There are several Group Policy settings for Windows Update:

• Do not display the Install Updates and Shut Down option in the Shut Down Windows
dialog box
This policy setting allows you to manage whether the Install Updates and Shut Down
option is displayed in the Shut Down Windows dialog box.

• Do not adjust the default option to Install Updates and Shut Down in the Shut Down
Windows dialog box
This policy setting allows you to manage whether the Install Updates and Shut Down
option is allowed to be the default choice in the Shut Down Windows dialog.

• Enabling Windows Update Power Management to automatically wake up the system to
install scheduled updates
Specifies whether Windows Update will use the Windows Power Management
features to automatically wake up the system from hibernation, if there are updates scheduled
for installation.

• Configure Automatic Updates
Specifies whether your computer will receive security updates and other important
downloads through the Windows automatic updating service.

• Specify intranet Microsoft update service location
Specifies an intranet server to host updates from Microsoft Update. You can then use
this update service to automatically update computers on your network.

• Automatic Updates detection frequency
Specifies the hours that Windows will use to determine how long to wait before checking
for available updates.

• Allow non-administrators to receive update notifications
This policy setting allows you to control whether non-administrative users will receive
update notifications based on the Configure Automatic Updates policy setting.

• Turn on Software Notifications
This policy setting allows you to control whether users see detailed enhanced notification
messages about featured software from the Microsoft Update service.

• Allow Automatic Updates immediate installation
Specifies whether Automatic Updates must automatically install certain updates that
neither interrupt Windows services nor restart Windows.

• Turn on recommended updates via Automatic Updates
Specifies whether Automatic Updates will deliver both important and recommended
updates from the Windows Update service.

• No auto-restart with logged on users for scheduled automatic updates installations
Specifies that to complete a scheduled installation, Automatic Updates will wait for the
computer to be restarted by any user who is logged on, instead of causing the computer to
restart automatically.

• Re-prompt for restart with scheduled installations
Specifies the amount of time for Automatic Updates to wait before prompting again with
a scheduled restart.

• Delay Restart for scheduled installations
Specifies the amount of time for Automatic Updates to wait before proceeding with a
scheduled restart.

• Reschedule Automatic Updates scheduled installations
Specifies the amount of time for Automatic Updates to wait, following system startup,
before proceeding with a scheduled installation that was missed previously.

• Enable client-side targeting
Specifies the target group name or names that must be used to receive updates from an
intranet Microsoft update service.

• Allow signed updates from an intranet Microsoft update service location
This policy setting allows you to manage whether Automatic Updates accepts updates
signed by entities other than Microsoft when the update is found on an intranet Microsoft update
service location.
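Group Policy applies the settings above by writing values under the Policies registry hive, so an administrator can check from a script which of them are in effect on a given computer and how they relate to the three choices on the Windows Update page described earlier. The following PowerShell script is an added example, not code from the lecture manual; it uses the documented Windows Update policy value names and works with PowerShell 2.0 on Windows 7.

```powershell
# Added example (not from the lecture manual): report which Windows Update
# Group Policy settings from the list above are applied on this computer.
# A missing value means "Not Configured", in which case the choice made on
# the Windows Update page in Control Panel applies instead.

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist (Not Configured).
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

# Meaning of AUOptions, the value behind "Configure Automatic Updates".
# Options 2, 3 and 4 are the three choices on the Windows Update page.
$auOptionNames = @{
    2 = 'Check for updates but let me choose whether to download and install them'
    3 = 'Download updates but let me choose whether to install them'
    4 = 'Install updates automatically'
    5 = 'Allow the local administrator to choose the setting'
}

# Policy name as listed above -> registry key and value name that stores it.
$rows = @(
    @{ Policy = 'Configure Automatic Updates (disabled)';             Key = $auKey; Name = 'NoAutoUpdate' },
    @{ Policy = 'Configure Automatic Updates (option)';               Key = $auKey; Name = 'AUOptions' },
    @{ Policy = 'Specify intranet Microsoft update service location'; Key = $wuKey; Name = 'WUServer' },
    @{ Policy = 'Use the intranet update service';                    Key = $auKey; Name = 'UseWUServer' },
    @{ Policy = 'Automatic Updates detection frequency (hours)';      Key = $auKey; Name = 'DetectionFrequency' },
    @{ Policy = 'Allow non-administrators to receive notifications';  Key = $wuKey; Name = 'ElevateNonAdmins' },
    @{ Policy = 'Allow Automatic Updates immediate installation';     Key = $auKey; Name = 'AutoInstallMinorUpdates' },
    @{ Policy = 'Turn on recommended updates';                        Key = $auKey; Name = 'IncludeRecommendedUpdates' },
    @{ Policy = 'No auto-restart with logged on users';               Key = $auKey; Name = 'NoAutoRebootWithLoggedOnUsers' },
    @{ Policy = 'Re-prompt for restart (minutes)';                    Key = $auKey; Name = 'RebootRelaunchTimeout' },
    @{ Policy = 'Delay Restart for scheduled installations (minutes)'; Key = $auKey; Name = 'RebootWarningTimeout' },
    @{ Policy = 'Reschedule scheduled installations (minutes)';       Key = $auKey; Name = 'RescheduleWaitTime' },
    @{ Policy = 'Enable client-side targeting (group name)';          Key = $wuKey; Name = 'TargetGroup' },
    @{ Policy = 'Allow signed updates from an intranet service';      Key = $wuKey; Name = 'AcceptTrustedPublisherCerts' }
)

$results = foreach ($row in $rows) {
    $value = Get-PolicyValue $row.Key $row.Name
    if ($value -eq $null) {
        $display = 'Not Configured'
    } elseif ($row.Name -eq 'AUOptions') {
        $display = "$value ($($auOptionNames[[int]$value]))"
    } else {
        $display = $value
    }
    New-Object PSObject -Property @{ Policy = $row.Policy; Value = $display }
}
$results | Format-Table Policy, Value -AutoSize

# Two settings deserve a second look when an intranet update server is used:
# the server address and whether non-Microsoft signatures are accepted.
$wuServer = Get-PolicyValue $wuKey 'WUServer'
if ($wuServer -and $wuServer -like 'http:*') {
    Write-Warning "Intranet update server $wuServer is reached over plain HTTP."
}
if ((Get-PolicyValue $wuKey 'AcceptTrustedPublisherCerts') -eq 1) {
    Write-Warning 'Updates signed by publishers other than Microsoft are accepted from the intranet server.'
}
```

Run the script before and after a Group Policy refresh (gpupdate /force) to confirm that the policy values listed in the Group Policy editor actually reached the client.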

Question: What is the benefit of configuring Windows update by using Group Policy rather than
by using Control Panel?

Module Review and Takeaways

Review Questions
1. You have problems with your computer's performance. How can you create a data collector
set to analyze a performance problem?

2. You have received an e-mail message from an unknown person and suddenly you have a
virus and must restore your computer.
a. What kind of system restore do you need to perform?
b. Will the computer restore to software that you installed two days ago?
c. How long are restore points saved?
d. What if System Restore does not fix the problem?

Tools

Module 11: Configuring Mobile Computing and Remote Access in Windows 7
Module Overview

Mobile computers are available in many types and configurations. This module helps
you to identify and configure the appropriate mobile computer for your needs. It describes
mobile devices, and how to synchronize them with a computer running the Windows® 7
operating system. Additionally, this module describes various power options that you can
configure in Windows 7. Windows 7 helps end users to be productive, regardless of where they
are or where the data they need resides. With Windows DirectAccess, mobile users can access
corporate resources when they are out of the office. IT professionals can administer updates
and patches remotely to help improve connectivity for remote users.
For those who want to use Virtual Private Networks (VPNs) to connect to enterprise
resources, the new features in the Windows 7 environment and Windows Server 2008 create a
seamless experience for the user, who does not need to log on to the VPN again if the
connection is temporarily lost.

Users in branch offices are more productive when they use Windows BranchCache™ to
cache frequently accessed files and Web pages. This helps reduce latency and bandwidth
traffic.

Lesson 1: Configuring Mobile Computer and Device Settings


This lesson defines common mobile computing terminology and provides an overview of
the related configuration settings that you can modify in Windows 7. It also provides guidelines
for applying these configuration settings to computers running Windows 7.

Discussion: Types of Mobile Computers and Devices

Computers play an important part in people’s daily lives, and the ability to carry out
computing tasks at any time and in any place has become a necessity for many users. A mobile
computer is a device that you can continue to use for work while
away from your office.
Discuss with the class the different mobile computers and devices you have used and
how you have benefited from them.

Tools for Configuring Mobile Computer and Device Settings


While selecting a mobile computer operating system, ensure that the mobile computer
can adapt to a variety of scenarios. Windows 7 provides you with the opportunity to change
configuration settings quickly and simply based on specific business requirements.
You can access and configure commonly used mobility settings by using the Windows
Mobility Center in Control Panel.

Power Management
Power management includes an updated battery meter that tells you how much battery
life is remaining and provides information about the current power plan. By using power plans,
you can adjust the performance and power consumption of the computer.
To access Power Plans in Windows 7, right-click the Battery Icon in the Taskbar and
select Power Options. You can also choose Battery Status in the Windows Mobility Center.

Windows Mobility Center


By using the Windows Mobility Center, you adapt the mobile computer to meet different
requirements as you change locations, networks, and activities. Windows Mobility Center
includes settings for:
• Display brightness
• Volume
• Battery status
• Wireless networking
• External display
• Sync Center
• Presentation settings

Computer manufacturers can customize the Windows Mobility Center to include other
hardware-specific settings, such as Bluetooth or auxiliary displays.

To access the Windows Mobility Center, in Control Panel, in the Hardware and Sound
category, choose Adjust commonly used mobility settings. Another way to access the
Windows Mobility Center is from the Start menu, by clicking All Programs and then clicking
Accessories.

Sync Center
Sync Center provides a single interface to manage data synchronization in several
scenarios: between multiple computers, between corporate network servers and computers,
and with devices connected to the computer, such as a personal digital assistant (PDA), a
mobile phone, or a music player.
A Sync Partnership is a set of rules that tells the Sync Center how and when to
synchronize files or other information between two or more locations. A Sync Partnership
typically controls how files are synchronized between the computer and mobile devices, network
servers, or compatible programs.
Access the Sync Center by choosing Sync Center from the Windows Mobility Center
screen, or from the Start menu, by clicking All Programs, clicking Accessories, and then
clicking Sync Center.

Windows Mobile Device Center


Windows Mobile Device Center is the new name for ActiveSync® in Windows 7.
ActiveSync is a data synchronization program for use with mobile devices. ActiveSync provides
users of Microsoft Windows a way to transport documents, calendars, contact lists, and email
between their desktop computer and a mobile device that supports the ActiveSync protocol.
Windows Mobile Device Center provides overall device management features for Windows
Mobile-based devices in Windows 7, including Smartphones and Pocket PCs.
To access the Windows Mobile Device Center, go to Control Panel.

Presentation Settings
Mobile users often have to reconfigure their computer settings for meeting or conference
presentations. For example, they may have to change screen saver timeouts or desktop
wallpaper. To improve the end-user experience and avoid this inconvenience, Windows 7
includes a group of presentation settings that are applied with a single click when you connect
to a display device.
To access the Presentation Settings, choose Presentation Settings in the Windows
Mobility Center.

Question: Aside from USB, how can you establish a connection for synchronizing a Windows
Mobile device?

What Are Mobile Device Sync Partnerships?

A mobile device Sync Partnership updates information about the mobile device and the
host computer. It typically synchronizes calendar information, clocks, and e-mail messages, in
addition to Microsoft Office documents and media files on supported devices.

Creating a Sync Partnership with a portable media player is straightforward:


1. Connect the device to a computer running Windows 7 and open Sync Center. Windows 7
includes drivers for many common devices, but you can obtain drivers from the CD that came
with the device or from Windows Update.
2. Set up a Sync Partnership by clicking Set up for a media device. Sync Partnership opens
Windows Media Player version 11.
3. Select some media files or a playlist to synchronize to the device. To select media, simply
drag it onto the sync dialog box on the right side of Windows Media Player.
4. Click Start Sync. After the selected media is transferred to the device, disconnect it from the
computer and close Windows Media Player. Windows Mobile Device Center is the name for
ActiveSync in Windows 7. This center provides overall device management features for
Windows Mobile-based devices, including Smartphones and Pocket PCs.

Demonstration: Creating a Sync Partnership

This demonstration shows how to configure Windows Mobile Device Center and
then synchronize a Windows Mobile device.

Create Appointments and Contacts in Outlook

1. Log on as an administrator to the computer, where you will be adding appointments and
contacts to Microsoft Office Outlook®.
2. Start Microsoft Outlook.
3. Open the calendar and create a meeting event.
4. Open contacts and create a contact.

Configure Windows Mobile Device Center

1. Start the Windows Mobile Device Center.
2. From the Windows Mobile Device Center dialog box, open the Connection Settings dialog
box by using the Mobile Device Settings option.
3. In the Connection Settings dialog box, allow connections from Direct Memory Access
(DMA). DMA allows connection to computer resources independent of the Central Processing
Unit (CPU).
4. Close the Windows Mobile Device Center.

Connect the Windows Mobile Device


1. Start the Windows Mobile 6 SDK and make the following selections:
• Standalone Emulator Images
• US English
• Professional
2. Once the emulator has started, from the Windows Mobile 6 SDK tools, open the Device
Emulator Manager.
3. In Device Emulator Manager, click the play symbol and then select Cradle from the
Actions menu.
4. Close Device Emulator Manager.

Synchronize the Windows Mobile Device


1. In the Windows Mobile Device Center, set up a device by starting the Set up Windows
Mobile Partnership Wizard.
2. In the Set up Windows Mobile Partnership Wizard, on the What kinds of items do you want
to sync? page, select the items to synchronize and then click Set Up on the Ready to set up
the Windows Mobile partnership page.
3. After synchronization is complete, close Windows Mobile Device Center.

Verify that Data has been Synchronized


1. Go to the Calendar on the Windows Mobile Device to view the appointments.
2. Review the contacts to view the new contact added.

Power Plans and Power Saving Options in Windows 7

In Windows 7, Power Plans help you maximize computer and battery performance. By
using power plans, with a single click, you can change a variety of system settings to optimize
power or battery usage, depending on the scenario.

There are three default power plans.


• Power saver: This plan saves power on a mobile computer by reducing system performance.
Its primary purpose is to maximize battery life.
• High performance: This plan provides the highest level of performance on a mobile computer
by adapting processor speed to your work or activity and by maximizing system performance.
• Balanced: This plan balances energy consumption and system performance by adapting the
computer’s processor speed to your activity.

The balanced plan provides the best balance between power and performance. The
power saver plan reduces power usage by lowering the performance. The high performance
plan consumes more power by increasing system performance. Each plan provides alternate
settings for AC or DC power.
In addition to considering power usage and performance for a computer, as a Windows
7 Technology Specialist, you must also consider the following three options for turning a
computer on and off:
• Shut down
• Hibernate
• Sleep

Shut Down
When you shut down the computer, Windows 7 saves all open files to the hard disk,
saves the memory contents to the hard disk or discards them as appropriate, clears the page
file, and closes all open applications. Windows 7 then logs out the active user, and turns off the
computer.

Hibernate
When you put the computer in hibernate mode, Windows 7 saves the system state,
along with the system memory contents to a file on the hard disk, and then shuts down the
computer. No power is required to maintain this state because the data is stored on the hard
disk.
Windows 7 supports hibernation at the operating system level without any additional
drivers from the hardware manufacturer. The hibernation data is stored in a hidden system file
called Hiberfil.sys. This file is the same size as the physical memory installed in the computer
and is normally located in the root of the system drive.

Sleep
Sleep is a power-saving state that saves work and open programs to memory. This
provides fast resume capability, which is typically within several seconds, but still consumes a
small amount of power.
Windows 7 automatically goes into Sleep mode when you push the power button on the
computer. If the computer’s battery power is low, Windows 7 puts the computer in hibernate
mode.
Alternatively, you can enable hybrid sleep. With hybrid sleep, data is saved to hard disk
and to memory. If a power failure occurs on a computer when it is in a hybrid sleep state, data is
not lost. Hybrid sleep can be used as an alternative to hibernation. Hybrid sleep uses the same
Hiberfil.sys hidden system file as hibernation.

Demonstration: Configuring Power Plans

This demonstration shows how to configure a power plan.


Create a Power Plan for a Laptop

1. Open Power Options by using the System and Security category of Control Panel.
2. Create a new power plan by using the Create a power plan option.
3. Provide a name for the new power plan.
4. Select the required duration for turning off the display and putting the computer to sleep.

Customize a Power Plan

1. Display the settings for the required power plan by using the Change plan settings option.
2. Change the selections for turning off the display and putting the computer to sleep.
3. Access the advanced power settings for the power plan by using the Change advanced
power settings option.
4. Change the advanced settings per your requirements.
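Both procedures in this demonstration can be scripted with powercfg, the command-line power plan tool in Windows 7, which is useful when the same plan has to be applied to many laptops. The script below is an added example, not code from the lecture manual; the plan name and the timeouts are assumptions for illustration, and the Balanced plan GUID is the built-in one that powercfg -list reports.

```powershell
# Added example (not from the lecture manual): create and customize a power
# plan with powercfg instead of the Power Options dialog. Run from an
# elevated PowerShell prompt on Windows 7.

$balanced = '381b4222-f694-41f0-9685-ff5bb260df2e'   # built-in Balanced plan
$newName  = 'Meeting room laptop'                     # assumed plan name

# "Create a power plan": a new plan is always a copy of an existing one.
# powercfg prints "Power Scheme GUID: <guid>  (Balanced)"; pick out the GUID.
$output  = powercfg -duplicatescheme $balanced
$newGuid = [regex]::Match($output, '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}').Value
if (-not $newGuid) { throw "Could not create a copy of the Balanced plan: $output" }
powercfg -changename $newGuid $newName
powercfg -setactive  $newGuid

# "Select the required duration for turning off the display and sleeping".
# -change edits the active plan; values are minutes, 0 means never.
# Battery (dc) and mains (ac) are set separately, as in the dialog.
powercfg -change -monitor-timeout-dc 5
powercfg -change -monitor-timeout-ac 15
powercfg -change -standby-timeout-dc 15
powercfg -change -standby-timeout-ac 30
# Hibernate after an hour on battery. Hiberfil.sys then holds a full copy of
# memory, so laptops that hibernate should use full-disk encryption.
powercfg -change -hibernate-timeout-dc 60

# Review the result: all plans, then the display settings of the new one.
powercfg -list
powercfg -query $newGuid SUB_VIDEO
```

The advanced settings reached through Change advanced power settings in the dialog are the same subgroup values that powercfg -query prints, so the output of the last command can be compared against the dialog directly.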

Question: Why are options such as what to do when I close the lid not configurable in the
Wireless Adapter Settings, Power Saving Mode?

Lesson 2: Configuring Remote Desktop and Remote Assistance for Remote Access

Many organizations use remote management to lessen the time that troubleshooting
takes and to reduce travel costs for support staff. Remote troubleshooting enables support staff
to operate effectively from a central location.

What Are Remote Desktop and Remote Assistance?

Remote Desktop uses the Remote Desktop Protocol (RDP) to enable users to access
files on their office computer from another computer, such as one at their home.
Additionally, Remote Desktop enables administrators to connect to multiple Windows
Server sessions for remote administration purposes. While a Remote Desktop session is active,
Remote Desktop locks the target computer, prohibiting interactive logons for the session’s
duration.
Remote Assistance enables a user to request help from a remote administrator. To
access Remote Assistance, run the Windows Remote Assistance tool. Using this tool, you can
do the following actions:
• Invite someone you trust to help you.
• Offer to help someone.
• View the remote user’s desktop.

• Chat with the remote user by using text chat.
• Send a file to the remote computer.
• If permissions allow, request to take remote control of the remote desktop.
Windows 7 prevents remote troubleshooting tools from connecting to the local computer by
using Windows Firewall. To enable support for remote troubleshooting tools, open Windows
Firewall in the System and Security category in Control Panel and allow a program or feature
through the firewall.

Configuring Remote Desktop

Remote Desktop is a standard Windows 7 feature and it is accessible from within the
Control Panel. Access the Remote Desktop options by launching Remote Desktop Connection. The
options are categorized into the following tabs:
• General - Enter the logon credentials to connect to the remote computer.
• Display - Allows you to choose the remote desktop display size. You have the option of
running the remote desktop in full screen mode.
• Local Resources - Lets you configure local resources for use by the remote computer,
such as clipboard and printer access.
• Programs - Lets you specify which programs you want to start when you connect to the
remote computer.
• Experience - Allows you to choose connection speeds and other visual options.
• Advanced - Provides server authentication and other security options.


To use Remote Desktop, you must enable it in Control Panel. In Control Panel, click System
and Security, click System, and then click Remote Settings. Select the Remote tab and then
select one of the following options:
• Don’t allow connections to this computer.
• Allow connections from computers running any version of Remote Desktop. This is a less
secure option.
• Allow connections only from computers running Remote Desktop with Network Level
Authentication. This is a more secure option.

The following are the steps to specify which computers can connect to your computer using
Remote Desktop:
1. In System Properties on the Remote tab under Remote Desktop, click Select Users. If you
are prompted for an administrator password or confirmation, type the password or provide
confirmation.
2. If you are an administrator on the computer, your current user account is automatically added
to the list of remote users and you can skip the next two steps.
3. In the Remote Desktop Users dialog box, click Add.
4. In the Select Users or Groups dialog box, do the following:
a. To specify the search location, click Locations and then select the location to search.
b. In Enter the object names to select, type the name of the user to add and then
click OK.

To access a computer using Remote Desktop, run Remote Desktop Connection and specify the
necessary connection details, which may include the following:
• Computer name or IP address
• User name
• Display settings
• How the remote computer can access local resources, such as sound, printer, and
clipboard
• Advanced settings, such as server authentication settings

The following steps outline how to use Remote Desktop:
1. Start Remote Desktop.
2. Before connecting, make desired changes to the Display, Local Resources, Programs,
Experience, and Advanced tabs.
3. Save these settings for future connections by clicking Save on the General tab.
4. Connect to the remote desktop.

Remote Desktop Connection supports high-resolution displays that can be spanned
across multiple monitors. The monitors must have the same resolution and be aligned side-by-
side. To have the remote computer's desktop span multiple monitors, open a Command Prompt,
and then type Mstsc /span. This feature is sometimes called continuous resolution. To toggle in
and out of full-screen spanned mode, press CTRL+ALT+Break.
For additional security, you can change the port that Remote Desktop Connection uses
(or "listens on"), instead of using the standard port, 3389. When you log on, type the remote
computer name, followed by a colon and the new port number, for example Computer1:3390.
For instructions about making the change permanent, go to How to change the listening port
for Remote Desktop on the Microsoft Help and Support Web site.
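The following PowerShell script is an added example, not part of the lecture manual, that audits the Remote Desktop settings discussed above on a Windows 7 computer: whether Remote Desktop is enabled, whether Network Level Authentication is required, which port it listens on, and who is in the Remote Desktop Users and Administrators groups. It reads the standard Terminal Server registry values and changes nothing; it assumes an elevated PowerShell prompt on the computer being checked.

```powershell
# Added example (not from the lecture manual): read-only audit of the
# Remote Desktop settings on a Windows 7 computer. Run from an elevated
# PowerShell prompt. Registry paths are the standard Terminal Server keys.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

$ts  = Get-ItemProperty -Path $tsKey
$rdp = Get-ItemProperty -Path $rdpKey

# fDenyTSConnections = 1 corresponds to "Don't allow connections to this
# computer" on the Remote tab; 0 means connections are allowed.
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

# UserAuthentication = 1 corresponds to "Allow connections only from
# computers running Remote Desktop with Network Level Authentication";
# 0 accepts any version of Remote Desktop (the less secure option).
$nlaRequired = ($rdp.UserAuthentication -eq 1)

# PortNumber is 3389 unless the listening port was changed as described
# above; a changed port must be supplied as ComputerName:Port.
$port = [int]$rdp.PortNumber

# Members of a local group, via the WinNT ADSI provider (works on
# Windows 7, where the LocalAccounts cmdlets are not available).
function Get-LocalGroupMember {
    param([string]$GroupName)
    $group = [ADSI]"WinNT://./$GroupName,group"
    foreach ($member in $group.Invoke('Members')) {
        $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
    }
}

# "Select Users" on the Remote tab edits the Remote Desktop Users group;
# members of Administrators can connect without being listed there.
$report = New-Object PSObject -Property @{
    RemoteDesktopEnabled = $rdpEnabled
    NLARequired          = $nlaRequired
    ListeningPort        = $port
    RemoteDesktopUsers   = (@(Get-LocalGroupMember 'Remote Desktop Users') -join ', ')
    Administrators       = (@(Get-LocalGroupMember 'Administrators') -join ', ')
}
$report | Format-List

if ($rdpEnabled -and -not $nlaRequired) {
    Write-Warning 'Remote Desktop is enabled without Network Level Authentication.'
}
if ($rdpEnabled -and $port -ne 3389) {
    Write-Host "Remote Desktop listens on port $port; connect using <computer>:$port."
}
```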

Demonstration: Configuring Remote Assistance

This demonstration shows how to request remote assistance from a Windows 7 computer,
configure Windows Firewall to enable remote administration, and provide remote assistance.

Request Remote Assistance from a Windows 7 Computer


1. On the Windows 7 computer, where a user needs assistance with a problem, start Windows
Remote Assistance and use the Windows Remote Assistance Wizard to invite someone you
trust to help you.
2. Save the remote assistance invitation as a file and share it with the helper. If an email client is
used, select the option to send the invitation by means of an email message.
3. Note the generated password and share it with the helper.

Provide Remote Assistance


1. On the helper’s computer from where the Remote Assistance will be provided, open the
invitation.
2. Provide the password that is shared.
3. On the remote Windows 7 computer, the user needs to accept the connection.
4. From the helper’s computer, control must be requested.
5. On the remote Windows 7 client computer, the user must allow control.
6. The helper can now access the remote Windows 7 computer and provide necessary support
to fix or resolve any problem.
7. The helper can also open a chat connection with the remote user to chat while providing help.

Question: Under what circumstances does one use Remote Desktop Connection rather than Remote
Assistance?

Lesson 3: Configuring DirectAccess for Remote Access


Advances in mobile computers and wireless broadband have enabled users to be more
productive while away from the office. As users become more mobile, IT professionals must
provide an infrastructure to allow them to remain productive. The changing structure of business
puts more pressure on IT professionals to provide a high-performance and protected
infrastructure for connecting remote users while managing remote users and minimizing costs.
VPN connections use the connectivity of the Internet plus a combination of tunneling and data
encryption technologies to connect remote clients and remote offices. VPN Reconnect
enhances the connectivity experience for those who rely on VPN connections.
DirectAccess, a new feature in Windows 7 and Windows Server 2008 R2, provides
remote users with seamless access to internal network resources whenever they are connected
to the Internet.

What Is a VPN Connection?

A virtual private network is an extension of a private network that encompasses links
across shared or public networks like the Internet. Virtual private networking is the act of
creating and configuring a virtual private network.

There are two key VPN scenarios:


• Remote access
• Site-to-site

With remote access, the communications are encrypted between a remote computer
(the VPN client) and the remote access VPN gateway (the VPN server). With site-to-site (or
router-to-router), the communications are encrypted between two routers.
Without VPN Reconnect, mobile workers must reconnect to the VPN after every network
outage. VPN Reconnect provides seamless and consistent VPN connectivity by using a single
VPN server for laptops, desktops, and mobile computers.
VPN Reconnect uses IKEv2 to supply constant VPN connectivity, automatically
re-establishing the VPN connection when users temporarily lose their Internet connection. IKEv2
is the protocol used to establish a security association in IPsec. While the reconnection might
take several seconds, it is completely transparent to the end user.

Creating a VPN Connection

Creating a VPN connection in a Windows 7 environment requires Windows Server 2008 on the
server side. The steps for creating the VPN connection from a Windows 7 computer are as follows:
1. From Control Panel, select Network and Internet.
2. Click Network and Sharing Center, and then choose Set up a new connection or network.
3. In the Set Up a Connection or Network wizard, choose Connect to a workplace.
4. On the Connect to a Workplace page, choose No, create a new connection.
5. On the next page, choose Use my Internet connection (VPN).
6. At the next screen, specify the Internet address of the VPN server and a destination
name. You can also select the options Use a smart card for authentication, Allow other
people to use this connection, and Don’t connect now; just set up so I can connect later.


What Is DirectAccess?

DirectAccess allows authorized users on Windows 7 computers to access corporate
shares, view intranet Web sites, and work with intranet applications without going through a
VPN. DirectAccess benefits IT professionals by enabling them to manage remote computers
outside of the office. Each time a remote computer connects to the Internet, before the user logs
on, DirectAccess establishes a bi-directional connection that enables the client computer to
remain current with company policies and to receive software updates.

Additional security and performance features of DirectAccess include the following:

• Support of multifactor authentication methods, such as smart card authentication.
• IPv6 to provide globally routable IP addresses for remote access clients.
• Encryption across the Internet using IPsec. Encryption methods include DES, which uses a
56-bit key, and 3DES, which uses three 56-bit keys.
• Integrating with Network Access Protection (NAP) to perform compliance checking on client
computers before allowing them to connect to internal resources.
• Configuring the DirectAccess server to restrict which servers, users, and individual
applications are accessible.

How DirectAccess Works

DirectAccess helps reduce unnecessary traffic on the corporate network by not sending
traffic destined for the Internet through the DirectAccess server. DirectAccess clients can
connect to internal resources by using one of the following methods:
• Selected server access
• Full enterprise network access
The connection method is configured using the DirectAccess console or it can be configured
manually by using IPsec policies. For the highest security level, deploy IPv6 and IPsec
throughout the organization, upgrade application servers to Windows Server 2008 R2, and
enable selected server access. Alternatively, organizations can use full enterprise network
access, where the IPsec session is established between the DirectAccess client and server.

DirectAccess clients use the following process to connect to intranet resources:
1. The DirectAccess client computer running Windows 7 detects that it is connected to a
network.
2. The DirectAccess client computer attempts to connect to an intranet Web site that an
administrator specified during DirectAccess configuration.
3. The DirectAccess client computer connects to the DirectAccess server using IPv6 and IPsec.
4. If a firewall or proxy server prevents the client computer using 6to4 or Teredo from
connecting to the DirectAccess server, the client automatically attempts to connect using the IP-
HTTPS protocol, which uses a Secure Sockets Layer (SSL) connection to ensure connectivity.
5. As part of establishing the IPsec session, the DirectAccess client and server authenticate
each other using computer certificates for authentication.
6. By validating Active Directory group memberships, the DirectAccess server verifies that the
computer and user are authorized to connect using DirectAccess.
7. If Network Access Protection (NAP) is enabled and configured for health validation, the
DirectAccess client obtains a health certificate from a Health Registration Authority (HRA)
located on the Internet prior to connecting to the DirectAccess server.
8. The DirectAccess server begins forwarding traffic from the DirectAccess client to the intranet
resources to which the user has been granted access.

DirectAccess Requirements

DirectAccess requires the following:


• One or more DirectAccess servers running Windows Server® 2008 R2 with two network
adapters
• At least one domain controller and DNS server that are running Windows Server 2008 or
Windows Server 2008 R2
• A Public Key Infrastructure (PKI)
• IPsec policies
• IPv6 transition technologies available for use on the DirectAccess server
• Windows 7 Enterprise on the client computers

Organizations not ready to fully deploy IPv6 can use IPv6 transition technologies such as
ISATAP, 6to4, and Teredo to enable clients to connect across the IPv4 Internet and to access
IPv4 resources on the enterprise network.

Question: What is the certificate used for in DirectAccess?


Question: List three ways to deploy DirectAccess.


Lesson 4: Configuring BranchCache for Remote Access


Branch offices are often connected to enterprises with a low-bandwidth link. Therefore,
accessing corporate data located in the enterprise is slow. Even in a smaller business, different
departments have unique needs.
Additionally, companies are investing in opening more branch offices to provide a work
environment for mobile employees and to reach more customers. This trend generates
challenges for end users and IT professionals.
BranchCache helps to resolve these challenges by caching content from remote file and
Web servers so that users in branch offices can access information more quickly.

What Is BranchCache?

There are two ways that content can be cached when using BranchCache. The cache
can be hosted centrally on a server in the branch location, or it can be distributed across user
computers. If the cache is distributed, the branch users' computer automatically checks the
cache pool to determine if the data has already been cached.
If the cache is hosted on a server, the branch users' computer checks the branch server
to access data. Each time a user tries to access a file, his or her access rights are authenticated
against the server in the data center to ensure that the user has access to the file and is
accessing the latest version.


Question: How does BranchCache prevent malicious users from accessing content?

How BranchCache Works

BranchCache can operate in one of two modes:


• Distributed Caching Mode
• Hosted Caching Mode

In the distributed caching mode, cache is distributed across client computers in the
branch. With this type of peer-to-peer architecture, content is cached on Windows 7 clients’
computers after it is retrieved from a Windows Server 2008 R2. Then, it is sent directly to other
Windows 7 clients, as they need it.
When you use the hosted caching mode, cache resides on a Windows Server 2008 R2
computer that is deployed in the branch office. Using this type of client/server architecture,
Windows 7 clients copy content to a local computer (Hosted Cache) running Windows Server
2008 R2 that has BranchCache enabled.
Compared to Distributed Cache, Hosted Cache increases cache availability because
content is available even when the client that originally requested the data is offline. A computer
must obtain the identifier that describes a piece of content to decrypt that content after
downloading. The identifiers, provided by the server, include a digest of the content. After
downloading from the cache, the client computer verifies that the content matches the digest in
the identifier. If a client downloads an identifier from the server, but cannot find the data cached
on any computers in the branch, the client returns to the server for a full download.
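The following PowerShell script is an added example, not part of the lecture manual, that models the integrity check just described: the content server publishes an identifier carrying a digest of the content, the branch client looks the content up in the branch cache, accepts the cached copy only if its digest matches, and otherwise falls back to a full download from the server. It simplifies the real protocol (a single SHA-256 digest per file rather than per-segment and per-block hashes) and uses constructed sample content with an in-memory hashtable standing in for the peers or Hosted Cache server.

```powershell
# Added example (not from the lecture manual): a model of the BranchCache
# content verification described above. Content is constructed; the cache
# is an in-memory hashtable keyed by digest, standing in for peers or a
# Hosted Cache server.
function Get-ContentDigest {
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { [BitConverter]::ToString($sha.ComputeHash($Bytes)) -replace '-', '' }
    finally { $sha.Clear() }
}

# Server side: the identifier the content server gives the client. The
# client must have rights to the file to obtain it; the digest lets the
# client check data that arrives from an untrusted peer.
function New-ContentIdentifier {
    param([string]$Name, [byte[]]$Content)
    @{ Name = $Name; Digest = (Get-ContentDigest $Content) }
}

# Branch side: ask the cache for the content matching the identifier,
# verify it, and fall back to the server when it is missing or mismatched.
function Resolve-BranchContent {
    param([hashtable]$Identifier, [hashtable]$BranchCache, [byte[]]$ServerCopy)
    if (-not $BranchCache.ContainsKey($Identifier.Digest)) {
        Write-Host "$($Identifier.Name): not cached in the branch, full download from server"
        return $ServerCopy
    }
    [byte[]]$cached = $BranchCache[$Identifier.Digest]
    if ((Get-ContentDigest $cached) -eq $Identifier.Digest) {
        Write-Host "$($Identifier.Name): cached copy verified against the server digest"
        return $cached
    }
    Write-Warning "$($Identifier.Name): cached copy does not match the digest, full download"
    $BranchCache.Remove($Identifier.Digest)   # discard the bad entry
    return $ServerCopy
}

# Constructed sample content and its identifier.
$serverCopy = [Text.Encoding]::UTF8.GetBytes('Q3 budget figures (constructed sample)')
$identifier = New-ContentIdentifier -Name 'budget.txt' -Content $serverCopy

# Case 1: empty branch cache -> full download from the server.
$cache = @{}
$null = Resolve-BranchContent $identifier $cache $serverCopy

# Case 2: a peer holds a correct copy -> served locally after verification.
$cache[$identifier.Digest] = $serverCopy
$null = Resolve-BranchContent $identifier $cache $serverCopy

# Case 3: a corrupted or tampered copy under the same key -> rejected.
$cache[$identifier.Digest] = [Text.Encoding]::UTF8.GetBytes('tampered content')
$null = Resolve-BranchContent $identifier $cache $serverCopy
```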

Question: Which BranchCache caching mode has a peer-to-peer architecture?

BranchCache Requirements

BranchCache supports the same network protocols that are commonly used in
enterprises, for example HTTP(S) and SMB. It also supports network security protocols (SSL
and IPsec), ensuring that only authorized clients can access requested data. Windows Server
2008 R2 is required either in the main server location or at the branch office, depending on the
type of caching being performed.
Windows 7 Enterprise is required on the client PC. On Windows 7 clients, BranchCache
is off by default. Client configurations can be performed through Group Policy or done manually.
After BranchCache is installed on Windows Server 2008 R2, you can configure BranchCache by
using Group Policy and by using the following guidelines:
• Enable for all file shares on a computer, or on a file share by file share basis.
• Enable on a Web server (it must be enabled for all Web sites).
• Equip Hosted Cache with a certificate trusted by client computers that is suitable for Transport
Layer Security (TLS).

Network Requirements
BranchCache supports Secure Sockets Layer (SSL) as available through HTTPS and
IPv6 IPsec. If client computers are configured to use Distributed Cache mode, the cached
content is distributed among client computers on the branch office network. No infrastructure or
services are required in the branch office beyond client computers that are running Windows 7.

Client Configuration
BranchCache is disabled by default on client computers. Take the following steps to
enable BranchCache on client computers:
1. Turn on BranchCache.
2. Enable either Distributed Cache mode or Hosted Cache mode.
3. Configure the client firewall to enable BranchCache protocols.

318

Principles of Operating System

Enabling Distributed Cache or Hosted Cache mode (step 2) without explicitly enabling
the overall BranchCache feature (step 1) will leave BranchCache disabled on a client computer.
It is possible to enable BranchCache on a client computer (step 1) without enabling Hosted
Cache mode or Distributed Cache mode (step 2). In this configuration, the client computer only
uses the local cache and will not attempt to download from peers or from a Hosted Cache
server. Multiple users of a single computer will benefit from a shared local cache in this local
caching mode.
Configuration can be automated using Group Policy or can be achieved manually by
using the netsh command.

Question: Which of the following operating systems is a requirement on client computers using
BranchCache?

Demonstration: Configuring BranchCache on a Windows 7 Client Computer

This demonstration shows how to enable and configure BranchCache.

Create and Secure a Shared Folder

1. Create a shared folder on a Windows Server 2008 R2 computer that the branch office users
will access.
2. In the properties of the shared folder, add the Authenticated Users group with Full Control
permissions.
3. In the Advanced Sharing properties of the shared folder, enable BranchCache caching and
then add the Authenticated Users group with Full Control permissions.

Configure BranchCache Group Policy Settings

1. In the Group Policy Management Console, edit the Group Policy object for the required
domain.
2. Display the BranchCache settings by expanding Computer Configuration, Policies,
Administrative Templates, and Network.
3. Enable the Turn on BranchCache setting.
4. Enable either the Set BranchCache Distributed Cache mode setting or the Set BranchCache
Hosted Cache mode setting, depending on the mode you want to use.
5. Enable the Configure BranchCache for network files setting and specify the round-trip
network latency value in milliseconds above which network files are cached in the branch
office.
6. Enable the Set percentage of disk space used for client computer cache setting and
specify the percentage of disk space that will be used for caching retrieved content on the client
computer.

Configure the Client

1. Log on to the Windows 7 branch office client computer.
2. Open Windows Firewall and allow the following applications through the firewall:
• BranchCache – Content Retrieval (Uses HTTP)
• BranchCache – Peer Discovery (Uses WSD)
3. Refresh the computer’s policies by typing gpupdate /force at a Command Prompt.
4. From the Command Prompt, set the client’s BranchCache instance to Distributed Cache
mode with the command netsh branchcache set service mode=DISTRIBUTED, or to Hosted
Cache mode with netsh branchcache set service mode=HOSTEDCLIENT
LOCATION=<Hosted Cache name>, where <Hosted Cache name> is the machine name or
fully qualified domain name of the computer serving as the Hosted Cache.

Test BranchCache
1. Restart the Windows 7 client computer and log on as the administrator.
2. At the Command Prompt, type netsh branchcache show status to verify that BranchCache
is working.

Question: What is the effect of having the Configure BranchCache for network files value set to
zero (0)?

Module Review and Takeaways

Review Questions
1. Don wants to connect to the network wirelessly but is unable to, so she checks the Windows
Mobility Center to turn on her wireless network adapter. She does not see it in the Windows
Mobility Center. Why is that?
2. You have purchased a computer with Windows 7 Home edition. When you choose to use
Remote Desktop to access another computer, you cannot find it in the OS. What is the
problem?


3. You have some important files on your desktop work computer that you need to retrieve when
you are at a client’s location with your laptop computer. What do you need to do on your
desktop computer to ensure that you can download your files when at a customer site?
4. Your company recently purchased a Windows Server 2008 computer. You have decided to
convert from a database server to a DirectAccess Server. What do you need to do before you
can configure this computer with DirectAccess?
5. Don needs to configure her Windows 7 client computer to take advantage of
BranchCache. How can Don configure the client to do this?
