The Expert’s Guide to Implementing Microsoft® Windows® Vista™

Contents

Chapter 2: Selected Vista Features
  Introduction
  Security
    Security Development Lifecycle
    Windows Services Hardening
    User Account Control
    Windows Defender
    Network Access Protection
    Data Protection and Encryption
    Other Security Enhancements
  Networking
    New TCP/IP Stack
    Simpler connectivity
    Higher security
    Improved Manageability
  Management and Control
    Microsoft Management Console (MMC)
    Windows Eventing Architecture
    Increased Automation
    New Group Policy Management
    Reliability and Performance Monitoring
  Feature Assessment
  Vista’s new features
  Summary

© 2007 ScriptLogic®


Chapter 2: Selected Vista Features

Introduction

In the previous chapter, we reviewed and evaluated the features that are most visible to an end user. In this chapter, we will delve deeper into Vista, uncovering features that are less visible but no less important. These “deeper” features are generally more important to, and have more of an impact on, an IT professional who is responsible for the maintenance of desktops and mobile systems in an enterprise setting.

This chapter will focus on new and improved security, new networking features, and management and operations features.

Security

The new Aero user interface is quite entertaining, and the instant search feature is certainly helpful; however, ultimately one of the primary reasons to implement Vista is its design for security. While Windows XP Service Pack 2 made substantial progress in increased security, Vista’s security enhancements go beyond that, and are so fundamental to the architecture that they could only be implemented through extensive changes to core operating system functions.

Security Development Lifecycle

During the design and coding of Vista, Microsoft placed security as the number one priority [1]. In fact, development methodologies were significantly revamped to conform to new processes, collectively known as the Security Development Lifecycle (SDL).

Although not a feature per se, the SDL plays an important role in increasing Vista security. It mandates that security reviews be built into every step of the development cycle. For example, during Vista development a review team (the Secure Windows Initiative Attack Team—SWIAT) was chartered with conducting extensive design reviews and testing, with the goal of identifying parts of the product’s code or design that needed additional work. The in-house SWIAT analysts were supplemented by reviewers drawn from security research firms and penetration-testing companies. Their sole job was to ferret out potential security flaws, assess their impact, and pass the information back to the development teams.

[1] “Microsoft® Windows® Vista™ Security Advancements,” June 2006

SDL also enforces coding design rules and testing scenarios that reduce opportunities for attacks and streamline security management functions. The SDL employs software development tools that analyze code for logic and code constructs that would not be detectable by standard compilers. The tools search for certain kinds of code vulnerabilities, such as overruns caused by string copies and unexpected combinations of conditions that result in the execution of obscure code paths.

Finally, since Vista was being developed concurrently with the deployment of Windows XP Service Pack 2, the SDL processes took vulnerabilities that were being exposed in Windows XP and tested them against Vista, with development implementing patches to both systems where appropriate.

Windows Services Hardening

The Windows operating systems utilize background processes called services. Services are managed through the Microsoft Management Console (MMC), which is used to start, pause, and stop them.

In Windows XP, services run with the highest possible system privileges (LocalSystem), and are an easy target for malicious attack. Windows Vista has made substantial changes to Windows services to reduce the opportunity for attack—generally referred to as services hardening.

The primary concept behind services hardening is that of restricting services to run under the least possible privilege level needed. To help accomplish this reduction in privilege level, services no longer run in a user session, and in fact they no longer have access to video drivers, nor can they request or receive input from any user interface.

Services hardening can affect some existing applications that run as services or interface with services. Any service that assumes it is running in a user session (e.g., one that attempts to create a user interface, such as a dialog box) will not execute correctly, or will hang, because it is waiting for a user response that will not occur.

In addition to changing how services run, core Windows services each have a profile that defines the necessary security privileges for that service. These profiles include rules for accessing system resources and the inbound/outbound network ports that the service is allowed to use (monitored and enforced via Windows Firewall). During execution, service activities are checked against this profile, and any attempt to perform an unassigned activity is disallowed.
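As an added example (not code from the e-book), the following PowerShell audit lists the services that still run as LocalSystem and have not declared the reduced privilege set and per-service SID that Vista’s services hardening introduced, which is exactly the exposure the least-privilege model above is meant to remove. It assumes PowerShell 3.0 or later on a Windows release that inherits these Vista mechanisms, and that sc.exe qsidtype and qprivs (both introduced with Vista) are available; it is read-only.

```powershell
# Added example (not from the e-book): report which services still run under
# the broad LocalSystem identity and which of those have not declared the
# reduced privilege set and restricted service SID that Vista's service
# hardening introduced.  Read-only; sc.exe qsidtype / qprivs exist from Vista on.

function Get-ServiceHardeningReport {
    param(
        # Account names treated as "highest privilege" for reporting purposes.
        [string[]]$HighPrivilegeAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM')
    )

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_

        # sc.exe qsidtype prints e.g. "SERVICE_SID_TYPE:  UNRESTRICTED"; NONE
        # means no per-service SID is added to the service's token.
        $sidType = & sc.exe qsidtype $svc.Name |
            Select-String 'SERVICE_SID_TYPE' |
            ForEach-Object { ($_.Line -split ':', 2)[1].Trim() } |
            Select-Object -First 1

        # sc.exe qprivs prints "PRIVILEGES : SeXxxPrivilege" plus continuation
        # lines; no matches means the service runs with every privilege its
        # account has, which for LocalSystem is all of them.
        $privs = @(& sc.exe qprivs $svc.Name |
            Select-String 'Se[A-Za-z]+Privilege' -AllMatches |
            ForEach-Object { $_.Matches | ForEach-Object { $_.Value } })

        [pscustomobject]@{
            Name              = $svc.Name
            Account           = $svc.StartName
            State             = $svc.State
            StartMode         = $svc.StartMode
            RunsAsSystem      = ($HighPrivilegeAccounts -contains $svc.StartName)
            DesktopInteract   = [bool]$svc.DesktopInteract   # pre-Vista "interactive service" flag
            ServiceSidType    = $(if ($sidType) { $sidType } else { 'NONE' })
            DeclaredPrivCount = $privs.Count
        }
    }
}

# Services that run as LocalSystem with no declared privilege set are the ones
# farthest from the least-privilege model; review them first.
Get-ServiceHardeningReport |
    Where-Object { $_.RunsAsSystem -and $_.DeclaredPrivCount -eq 0 } |
    Sort-Object Name |
    Format-Table Name, State, StartMode, DesktopInteract, ServiceSidType -AutoSize
```

Run from an elevated prompt for complete results; a service that sets DesktopInteract is one that still assumes the pre-Vista user-session behaviour described above.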


User Account Control

A significant advancement in security is the separation of administrator and user privileges through a new feature called User Account Control (UAC)—briefly covered in Chapter 1. Let’s examine this new feature in more detail—additional information is available at http://www.microsoft.com/technet/windowsvista/security/uacppr.mspx

UAC is based on reducing the “normal” privilege level for users and administrators. In past versions of Windows, performing any administrative function required administrator privileges—even for routine tasks such as changing the system’s time zone or power management settings. As a result, administrators simply allowed all users administrative privileges. While this situation is more convenient, it also allows users to perform administrative functions like installing and configuring applications, modifying device drivers, and changing system configuration parameters. Not only could users damage their system configuration (which potentially could propagate and damage systems on the network), but administrator-level user accounts can also cause great damage when exploited by malware.

Enter UAC, which separates standard user privileges from those that require administrator access. A subset of administrative activities that are deemed to pose no security risk, such as changing time zones or adding a printer, are allowed to execute in user mode. Should a user attempt a task that truly requires administrative access, the user is prompted for an administrator password. The bottom line is that administrators can safely prevent users from executing tasks that require administrative privileges, while still providing them with the convenience of making routine configuration changes.

A side effect of UAC is that older applications, which were often designed based on the assumption that users would always have administrator privileges, may not execute correctly because Vista does not allow them write access to critical system files (such as the registry). To maximize compatibility, Vista includes file system and registry “virtualization”—a process that redirects writes from protected areas to a virtual location within the user’s profile. Subsequent reads access the virtual location, allowing an application to function properly while eliminating access to resources that would otherwise require administrative access. To help determine whether an existing application will execute correctly when executed as a standard user, Microsoft provides the Application Compatibility Toolkit (ACT) [2].

[2] See http://www.microsoft.com/downloads

A second feature of UAC is that all processes with administrator privileges will by default start with standard user access. When logging in, an administrative user is granted two levels of access (called Administrator Approval Mode): full administrator and standard user. However, the standard user level is the default, reducing the opportunity for malware to obtain administrator privileges. Should the administrator attempt a task that truly requires administrative privileges, he or she is prompted for the administrator password.

UAC is highly configurable, and administrators are generally able to configure it to suit their unique circumstances. However, as with all things Vista, the default is to protect the user and the operating system, and to provide the maximum practical protection against malware attacks.
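An added example, not from the e-book, that reads the UAC policy values behind Admin Approval Mode and file/registry virtualization and classifies the current session’s token as full administrator, filtered administrator, or standard user. It assumes PowerShell 3.0 or later on a Windows release that inherits the Vista UAC model, and it uses whoami.exe /groups because that output labels the deny-only Administrators entry a filtered token carries; the value names are the real UAC policy names, the meaning comments summarise their documented values.

```powershell
# Added example (not from the e-book): read the UAC policy values behind Admin
# Approval Mode and file/registry virtualization, and classify the current
# token as full administrator, filtered administrator, or standard user.
# Read-only.  Value names are the real UAC policy names under the System
# policies key; the meaning comments summarise Microsoft's documented values.

function Get-UacStatus {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $policyKey

    # IsInRole() is false for the filtered (standard-user level) token that
    # Admin Approval Mode hands an administrator at logon.
    $id          = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal   = New-Object Security.Principal.WindowsPrincipal($id)
    $isFullAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups prints the Administrators SID with "Group used for deny only"
    # in a filtered token, and the integrity label (Medium for filtered, High
    # for elevated), which is how the two admin token levels are told apart.
    $groups    = & whoami.exe /groups
    $adminLine = ($groups | Select-String 'BUILTIN\\Administrators' | Select-Object -First 1).Line
    $labelLine = ($groups | Select-String 'Mandatory Label\\'      | Select-Object -First 1).Line
    $integrity = 'Unknown'
    if ($labelLine -match '(Low|Medium|High|System) Mandatory Level') { $integrity = $Matches[1] }

    $tokenKind = 'StandardUser'
    if ($isFullAdmin)                       { $tokenKind = 'FullAdministrator' }
    elseif ($adminLine -match 'deny only')  { $tokenKind = 'FilteredAdministrator' }

    [pscustomobject]@{
        UacEnabled                 = ($p.EnableLUA -eq 1)
        # 0 = elevate without prompting; 2 = prompt for consent on the secure
        # desktop (Vista default); 1/3 = prompt for credentials; 4 = consent;
        # 5 = consent only for non-Windows binaries (later Windows default).
        AdminPromptBehavior        = $p.ConsentPromptBehaviorAdmin
        # 0 = deny elevation requests outright; 1/3 = prompt for credentials.
        StandardUserPromptBehavior = $p.ConsentPromptBehaviorUser
        SecureDesktopPrompt        = ($p.PromptOnSecureDesktop -eq 1)
        VirtualizationEnabled      = ($p.EnableVirtualization -eq 1)
        TokenKind                  = $tokenKind
        IntegrityLevel             = $integrity
    }
}

$status = Get-UacStatus
$status | Format-List
# Settings that weaken the "default is to protect" posture described above.
if (-not $status.UacEnabled)            { Write-Warning 'UAC (EnableLUA) is disabled.' }
if ($status.AdminPromptBehavior -eq 0)  { Write-Warning 'Administrators elevate silently; Admin Approval Mode is not enforced.' }
if (-not $status.VirtualizationEnabled) { Write-Warning 'File and registry virtualization is off; legacy apps may need admin rights.' }
```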

Windows Defender

First introduced in 2005 as “Microsoft Windows AntiSpyware,” Windows Defender provides an anti-spyware capability to Windows XP and Windows Vista. Windows Defender is based upon a product from Giant Company Software, which Microsoft acquired in 2004. According to Microsoft, “Windows Defender helps protect against and remove spyware, adware, rootkits, bots, keystroke loggers, control utilities, and some other forms of so-called ‘malware.’ (Windows Defender does not provide preventive protection against malware that is classified solely as a worm or virus.)” [3] Note that Microsoft specifically states that Windows Defender is targeted at individual users and does not include enterprise management tools; typically an enterprise has other means or uses other third-party desktop management tools to manage anti-spyware.

Windows Defender protects a Vista system through several methods, including scheduled system scans for spyware, a real-time monitoring function, and a “software explorer” user interface.

Scheduled system scans are based upon spyware definitions kept up-to-date by the Automatic Updates capability of Vista. Scans can be scheduled or initiated manually. Enhancements in Vista (beyond the capabilities provided in Windows XP) provide additional performance and security enhancements, including the ability to scan only files that have changed, to run under a security-enhanced account, and to scan executables when invoked. Windows Defender also allows files to be scanned as they are downloaded by Internet Explorer 7.

[3] See http://www.microsoft.com/athome/security/spyware/software/default.mspx

Real-time monitoring employs a set of agents that continually check for unauthorized access to file system elements, changes to system configurations, and the like. There is a long list of agents available (Table 1); although configurable through the Windows Defender Options dialog, Microsoft recommends that all agents be enabled.

Table 1. Real-time protection agents supported by Vista’s Windows Defender [4]

Auto Start: Monitors lists of programs that are allowed to automatically run when the computer is started. Spyware and other potentially unwanted software can be set to run automatically when Windows starts, running without the user’s knowledge.

System Configuration (Settings): Monitors security-related settings in Windows. Spyware and other potentially unwanted software can change hardware and software security settings, and then collect information that can be used to further undermine the computer’s security.

Internet Explorer Add-ons: Monitors programs that automatically run when Internet Explorer is started.

Internet Explorer Configurations (Settings): Monitors browser security settings, which are the first line of defense against malicious content on the Internet.

Internet Explorer Downloads: Monitors files and programs that are designed to work with Internet Explorer, such as ActiveX controls and software installation programs. These files can be downloaded, installed, or run by the browser itself. Spyware and other potentially unwanted software can be included with these files and installed without the user’s knowledge.

Services and Drivers: Monitors services and drivers as they interact with Windows and other programs. Because services and drivers perform essential computer functions, they have access to important software in the operating system. Spyware and other potentially unwanted software can use services and drivers to gain access to a computer or to try to run undetected on a computer like normal operating system components.

Application Execution: Monitors when programs start and any operations they perform while running. Spyware and other potentially unwanted software can use vulnerabilities in programs to run malicious or unwanted software. For example, spyware can run itself in the background when a program is started. Windows Defender monitors programs and alerts the user if suspicious activity is detected.

Application Registration: Monitors tools and files in the operating system where programs can register to run at any time, not just when programs are started. Spyware and other potentially unwanted software can register a program to start without notice and run, for example, at a scheduled time each day. This allows the program to collect information about the computer or gain access to important software in the operating system without your knowledge.

Windows Add-ons: Monitors add-on programs (also known as software utilities) for Windows. Add-ons are designed to enhance the user’s computing experience in areas such as security, browsing, productivity, and multimedia. However, add-ons can also install programs that will collect information that could expose sensitive, personal information, often to advertisers.

[4] Adapted from Windows Defender > Options Help

Software Explorer is a user interface that provides users with visibility into a system’s software and system state. Software Explorer provides detailed information about currently running software that can affect system security or user privacy. For example, the user can view which programs run automatically when Windows is started, and information about how these programs interact with other Windows programs and services (Figure 1).

Software Explorer helps the user monitor the following items:

• Startup programs, which are programs that run automatically (with or without the user’s knowledge) when Vista starts.

• Currently running programs, which are programs that are running onscreen or in the background.

• Network-connected programs, which are programs or processes that can connect to the Internet or to the local area network.

• Winsock service providers, which are programs that perform low-level networking and communication services for Windows and programs that run on Windows.

Figure 1. The Software Explorer UI of Windows Defender

Windows Defender is designed to augment third-party anti-malware products. Network administrators in an enterprise environment can use Group Policy to enable or disable Windows Defender; computer manufacturers can choose to have it turned off by default on new systems.


Network Access Protection

Network Access Protection (NAP) is a new platform that performs computer health policy validation, ensures compliance with health policies, and optionally restricts the access of computers that do not comply with system health requirements. NAP is a client-server architecture; the client-side agent is provided on Windows Vista. The server side will be provided in the upcoming release of Windows Vista Server (in Microsoft’s inimitable fashion, also code-named “Longhorn”). NAP is an infrastructure and an application programming interface (API) that allows vendors and software developers to build their own network policy validation, ongoing network policy compliance, and network isolation components.

Figure 2. The NAP Client Configuration snap-in

NAP prevents Vista-based clients from connecting to a private network if the system lacks current security updates or virus signatures, or otherwise fails to meet defined health requirements. The NAP agent also reports system health status, such as having current updates installed, back to the enforcement service in the server. The server then determines whether to grant the client access to the network.

Client-side NAP is configurable through the NAP Client Configuration snap-in to the MMC (Figure 2).


Data Protection and Encryption

A major security issue relates to unauthorized access to data that could be obtained by physically acquiring a computer. Examples include lost, stolen, or decommissioned systems that contain critical data. Vista includes technologies that allow users to protect their data through encryption at the file, folder, or system level.

Encrypting File System (EFS)

The Encrypting File System (EFS) in Vista is redesigned (from Windows XP) to support storing private keys on smart cards, a new user interface (Figure 3), and tighter integration with Public Key Infrastructure [5]. The new EFS allows administrators to store their domain recovery keys on a smart card. To recover users’ files, the administrator need only log in (either locally or via Remote Desktop) and use the recovery card to access the files.

Figure 3. The new Certificates snap-in for the Microsoft Management Console (MMC)

The new Certificates snap-in for the Microsoft Management Console provides tools to back up keys and migrate existing EFS files to new keys. Administrators have the capability to set requirements such as minimum encryption strength and the use of smart cards.

[5] See http://en.wikipedia.org/wiki/Public_key_infrastructure

Several new Group Policy options have been added to help administrators define and implement organizational policies for EFS. These include the ability to require smart cards for EFS, enforce page file encryption, stipulate minimum key lengths for EFS, and enforce encryption of the user’s Documents folder.

BitLocker Drive Encryption

BitLocker Drive Encryption is a data protection feature that encrypts an entire Windows volume, preventing access to the data on the volume even if the disk drive is physically in the hands of an unauthorized user. Additionally, BitLocker enables integrity checking on early boot components, preventing the computer from booting if it detects tampering with system files or data. Note that BitLocker is only available on Vista Ultimate and Vista Enterprise editions.

BitLocker uses the v1.2 TPM security hardware [6]—available on most new systems—to help secure the encryption keys and to prevent software-based attacks on system integrity or the security of other data, applications, DLL files, and files stored on the operating system volume. Protection is achieved by encrypting the entire Windows system volume, including all user files, system files, swap, and hibernation files.

Once BitLocker authenticates access to the protected operating system volume, a driver in the Vista file system encrypts and decrypts disk sectors transparently as data is written to and read from the protected volume. When the computer hibernates, the hibernation file is also saved encrypted to the protected volume. According to Microsoft, the performance penalty for encryption and decryption is minimal.

To provide system integrity protection, BitLocker uses the TPM to collect and store measurements from multiple sources within the boot process to create a system “fingerprint.” This fingerprint remains the same unless the boot system is tampered with. Once the integrity of the boot process is proven, BitLocker uses the TPM to unlock the rest of the data. The system then continues startup and system protection is handed over to the running operating system.

BitLocker may optionally be configured to lock the normal boot process until the user supplies a PIN or inserts a USB flash drive that contains keys to unlock the system.
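An added example (not from the e-book, and not BitLocker’s actual on-disk format) that models the TPM 1.2 measurement chain the paragraphs above describe: each boot component is hashed and extended into a Platform Configuration Register, the volume key is sealed to the resulting fingerprint, and a changed boot manager yields a different fingerprint so the key is not released. The component names, the AES/HMAC sealing, and the in-script storage root key are stand-ins for what the TPM keeps inside the chip; SHA-1 is the digest TPM 1.2 PCRs use.

```powershell
# Added example (not from the e-book): a simplified model of the boot
# "fingerprint" BitLocker relies on.  A TPM 1.2 PCR starts as 20 zero bytes and
# can only be extended:  PCR_new = SHA1(PCR_old || SHA1(component)).
# The volume key is sealed to the final PCR value; a different or reordered
# component gives a different fingerprint and the seal stays closed.

$sha1 = [System.Security.Cryptography.SHA1]::Create()

function Measure-BootChain {
    param([string[]]$Components)   # stand-ins for the measured boot components
    $pcr = New-Object byte[] 20    # PCRs reset to zero at power-on
    foreach ($c in $Components) {
        $digest = $sha1.ComputeHash([Text.Encoding]::UTF8.GetBytes($c))
        $pcr    = $sha1.ComputeHash([byte[]]($pcr + $digest))   # TPM_Extend
    }
    [BitConverter]::ToString($pcr).Replace('-', '')
}

# Modelled TPM secret: a storage root key (SRK) that never leaves the "chip".
$srk = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($srk)

function Seal-Key {
    param([byte[]]$VolumeKey, [string]$ExpectedPcr)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $srk; $aes.GenerateIV()
    $cipher  = $aes.CreateEncryptor().TransformFinalBlock($VolumeKey, 0, $VolumeKey.Length)
    # The HMAC binds the PCR policy to the ciphertext so neither can be swapped.
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 (,$srk)
    $mac  = $hmac.ComputeHash([byte[]]([Text.Encoding]::ASCII.GetBytes($ExpectedPcr) + $aes.IV + $cipher))
    [pscustomobject]@{ ExpectedPcr = $ExpectedPcr; IV = $aes.IV; Cipher = $cipher; Mac = $mac }
}

function Unseal-Key {
    param($Blob, [string]$CurrentPcr)
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 (,$srk)
    $mac  = $hmac.ComputeHash([byte[]]([Text.Encoding]::ASCII.GetBytes($Blob.ExpectedPcr) + $Blob.IV + $Blob.Cipher))
    if ([BitConverter]::ToString($mac) -ne [BitConverter]::ToString($Blob.Mac)) { throw 'Sealed blob was altered.' }
    if ($Blob.ExpectedPcr -ne $CurrentPcr) { return $null }   # boot chain changed: key stays locked
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $srk; $aes.IV = $Blob.IV
    $aes.CreateDecryptor().TransformFinalBlock($Blob.Cipher, 0, $Blob.Cipher.Length)
}

# Constructed boot chain: stand-ins for firmware, MBR, boot sector, boot manager, OS loader.
$trusted     = 'firmware-v1', 'mbr', 'ntfs-boot-sector', 'bootmgr', 'winload.exe'
$fingerprint = Measure-BootChain $trusted
$volumeKey   = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($volumeKey)
$blob = Seal-Key -VolumeKey $volumeKey -ExpectedPcr $fingerprint

# Clean boot: same components, same fingerprint, key released.
$ok = Unseal-Key -Blob $blob -CurrentPcr (Measure-BootChain $trusted)
"Clean boot unseals key: $($null -ne $ok)"

# Tampered boot manager: fingerprint differs, key stays locked (recovery PIN/USB path).
$tampered = $trusted.Clone(); $tampered[3] = 'bootmgr-modified'
$locked = Unseal-Key -Blob $blob -CurrentPcr (Measure-BootChain $tampered)
"Tampered boot unseals key: $($null -ne $locked)"
```

The same mismatch is what a user sees as a BitLocker recovery prompt after a firmware update or boot-configuration change, which is why recovery keys must be escrowed before enabling the feature.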

Other Security Enhancements

Address Space Layout Randomization

To make it more difficult to attack operating system functions, Vista has a defense capability called Address Space Layout Randomization (ASLR). ASLR randomly assigns operating system executable pages to different physical memory locations at system boot time. Randomly assigning these locations reduces the likelihood that malicious code can exploit a specific system function based on location alone.

[6] See http://www.trustedcomputinggroup.org/

Internet Explorer Enhancements

Internet Explorer 7, when running on Vista, supports a new feature called Protected Mode. In Protected Mode, Internet Explorer 7 runs with reduced rights to help prevent user or system files or settings from being changed without the user’s explicit permission. Even if a malicious site attacks a vulnerability in Internet Explorer, the site’s code will not have enough privileges to install software, copy files to the user’s Startup folder, or hijack browser settings.

A new version of the Internet Explorer Administration Kit (IEAK) simplifies the creation of customized deployment packages. With Internet Explorer 7, administrators have centralized control over settings through Group Policy in the Active Directory® directory service.

Integrated Rights Management Services Client

Microsoft’s Rights Management Services (RMS) helps protect the security and integrity of sensitive information in an enterprise. Vista includes an integrated RMS client that reduces the number of additional components that must be installed on the desktop, reducing IT intervention for deployment.

The Vista implementation of RMS also includes smart card integration and longer encryption key lengths. When combined with the Windows Server Longhorn release, RMS will be integrated with Active Directory Federation Services, allowing companies to share sensitive information in the same manner as they would protected internal information.

RMS also supports the new XML Paper Specification, and has deeper integration with Microsoft SharePoint®—Microsoft’s suite of content management software.


Networking

Microsoft Windows Vista includes significantly improved networking technology, including a new TCP/IP stack, improved wireless networking management, and multiple security enhancements. According to Microsoft, Vista’s improvements represent the largest set of networking innovations since Windows 95 [7], and benefit users as well as administrators.

New TCP/IP Stack

The TCP/IP protocol stack has been completely rewritten for Vista, and includes redesigns of both the Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) stacks. According to Microsoft, the redesigns address connectivity, ease of use, management, reliability, and security [8].

IPv6 Support

Vista supports both IPv4 and IPv6 through a dual IP layer architecture. IPv6 is enabled by default without any additional steps necessary by the administrator. The dual IP layer support enables a gradual migration using IPv6 transition technologies that tunnel IPv6 traffic across private IPv4 networks or the IPv4 Internet. Applications and services that support both IPv4 and IPv6 will by default prefer the use of IPv6 to IPv4 (although this behavior can be configured by the administrator).

Higher performance

The Vista networking stack has multiple performance improvements. In a high-loss environment such as sending/receiving audio and video files, throughput is improved by a new algorithm that allows a sender to send more data while simultaneously retrying a partial acknowledgement.

Another significant change is the automatic resizing of the TCP receive window. Vista networking performs auto tuning by continually monitoring the bandwidth and latency of a TCP connection, and optimizing the receive window size for each connection. For example, in a high-bandwidth, high-latency situation the window size will be increased to allow more data to be transferred in each block, increasing overall throughput [9].

To improve overall performance, Vista is capable of distributing TCP traffic processing across multiple system processors, and supports certain network cards that have hardware-accelerated TCP/IP processing on the card.

[7] See http://technet.microsoft.com/en-us/windowsvista/aa905086.aspx
[8] See http://www.microsoft.com/technet/network/evaluate/new_network.mspx
[9] See http://www.microsoft.com/technet/community/columns/cableguy/cg1105.mspx

Lastly, Windows Vista supports Microsoft’s NetDMA architecture (Direct Memory Access), which reduces the number of data copies in the system by allowing data transfers directly to/from a network card to users’ buffers. It requires specific hardware DMA architectures, such as Intel I/O Acceleration, to be enabled.

Simpler connectivity

The proliferation of mobile computer systems requires much more flexibility in acquiring network connectivity “on the fly,” while maintaining a seamless workplace environment and its related security.

Vista contains a new Network Center (discussed in Chapter 1). The Network and Sharing Center provides a clear view of the current connection status, available wireless networks, a network map to show surrounding network resources, and easy methods to create or join ad-hoc wireless networks. Diagnostic tools built into Network Center simplify troubleshooting connectivity problems, and users can browse network resources.

Higher security

Vista networking uses the updated Windows Firewall (discussed in Chapter 1) to create network filtering rules or require authentication. Network data can be encrypted, and through Network Access Protection (see the “Security” section in this chapter) clients that are deemed unhealthy can be banned from the network.

Wireless security has been enhanced, with support for more protocols and standards, and tight integration with other related security features. For example, the capabilities of the wireless network adapter are examined by Vista, and the most secure protocol is chosen by default when connecting to or creating wireless networks.

Improved Manageability

Networking manageability has been improved in Vista, largely for the management of wireless devices and through the inclusion of additional Group Policy settings.

Vista includes a native wireless networking architecture (Native Wi-Fi) as part of its core networking support [10]. Native Wi-Fi provides many benefits, including deployment across many hardware brands and models and more reliable third-party wireless adapter drivers.

Vista’s wireless features can be managed via Group Policy or command-line scripting to deploy configuration settings and security requirements across an entire organization.

[10] See http://www.microsoft.com/technet/technetmag/issues/2006/11/VistaNetworking

Management and Control

New management and control tools in Windows Vista are aimed at lowering the cost of ownership by increasing the efficiency of administration, reducing the number of administrative support incidents, and streamlining deployment.

Microsoft Management Console (MMC)

The Microsoft Management Console (MMC) is the main administrator interface for managing Windows-based environments. The new MMC provides a simpler and more consistent user interface across a wider range of tasks. The new interface provides an Action pane—a list of all actions that are available to the user based on the currently selected items in the tree or results pane. This allows administrators to more easily discover the capabilities of any management tool that uses the MMC framework.

The new MMC interface also provides an “Add or Remove Snap-ins” dialog to make it easier to organize snap-ins.

Figure 4. The “add or remove snap-ins” dialog for the MMC.


Windows Eventing Architecture

The event log service and event viewer have been completely rewritten in Vista to improve event management in an enterprise setting [11]. The eventing architecture features increased security, increased performance, and increased scalability.

Event tracing now provides asynchronous publishing of events, greatly reducing the performance impact to instrumented processes. Some events, especially analytic and debugging events that are generally high volume, are immediately saved to a file with minimal processing to avoid affecting system performance. Administration and Operational events, which are less frequent, are tagged with information about the current user context and the publishing process, then delivered to their respective subscribers.

The new Event Viewer is a snap-in for the revised Microsoft Management Console (MMC), described above. New features include:

New grouping of events for faster access. To improve reporting and analysis, Microsoft analyzed common event types and defined five event types (Table 2). Every event is assigned one of these types so that report queries can be narrowed down quickly.

[11] See http://www.microsoft.com/technet/technetmag/issues/2006/11/EventManagement


Table 2. New Windows Eventing Architecture event types and typical users

Admin
  Description: The Admin type will suffice for the majority of system administrators. These events are very high level and they often provide enough information to identify a problem and determine its solution. At the very least, Admin events should identify when an issue occurs or indicate when an application, a component, or the system as a whole is in or has recovered from an unhealthy state. Most Admin events are errors or warnings, and they are usually actionable.
  Used by: Administrators, support personnel, and monitoring and analysis programs

Operational
  Description: Like Admin events, Operational events enable problem diagnosis. Operational events consist of more than just errors and warnings. They also inform users about normal operation of an application or OS component. The volume of these events is kept quite low so Operational events can be enabled without affecting system performance. The Operational events—along with the Admin events—are used by support personnel, monitoring utilities, and administrators.
  Used by: Advanced administrators, support personnel, and monitoring and analysis programs

Audit
  Description: Audit events provide a historical record of any resource access or actions taken by the users. These events do not in themselves represent failure or success of the program, but indicate a failure or success of the action. Audit events can be completely disabled or selectively enabled with varying levels of granularity. Security auditing at the OS level is supported (the events can be found in the Security log of the Event Log).
  Used by: Advanced administrators, security auditors, and forensics specialists

Analytic
  Description: Analytic events, which are not very different from Operational events, are logged during normal operation of applications and components. But the volume and detail of Analytic events is much greater than Operational events and therefore there is a potential of them having a negative effect on system performance. Thus, Analytic events are normally disabled. To make use of Analytic events, enable them before a diagnostic session and then disable them before examining the trace.
  Used by: Support personnel, and monitoring and analysis programs

Debug
  Description: Debug events are also high-volume events that are normally disabled. They are used mainly by developers and are seldom viewed by IT professionals.
  Used by: Developers

• New appearance. The event viewer has been improved to provide additional information (Figure 5) while retaining the structure of the Windows XP GUI, allowing administrators familiar with Windows XP to easily begin using it. The viewer provides a new preview pane that will display event information in a “friendly view” or the raw XML.


Figure 5. The redesigned event viewer snap-in for the MMC.

• A new event structure based on XML. The standards-based event structure and publishing of the schema simplify reporting and manipulation of events. The new structure also facilitates automation and integration with the Windows Task Scheduler.

• New event query capability based on the XPath language and a user interface for creating queries. An important query improvement is the ability to securely forward events, generally to a system that is dedicated to collecting them.

• Additional event attributes for queries and reporting. Events now contain additional information, including the time at which the event occurred, the process ID, the thread ID, the computer name, and the Security Identifier (SID) of the user. The XML provides additional details, including the EventID, Level, Task, Opcode, and Keywords properties.
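As an added example (not from the book or from Microsoft's documentation), the PowerShell function below combines two of the features just listed: an XPath query over the System log, and the XML event structure from which the new EventID, Level, Task, Opcode, Keywords, process/thread ID, computer name and SID attributes are read. It assumes PowerShell 2.0 or later for Get-WinEvent and an account allowed to read the System log; the 24-hour window and the critical/error levels are assumptions chosen for the example.

```powershell
# Added example: query Windows Eventing Architecture events with XPath and read
# the XML fields of each event. Assumes PowerShell 2.0+ (Get-WinEvent).
function Get-RecentCriticalSystemEvents {
    param(
        [int]$Hours = 24,      # constructed default: look back one day
        [int]$MaxEvents = 50
    )
    # timediff(@SystemTime) is the event log's XPath extension returning the
    # milliseconds elapsed since the event. Level 1 = Critical, 2 = Error.
    $window = $Hours * 60 * 60 * 1000
    $xpath  = "*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) <= $window]]]"

    # Get-WinEvent raises an error (not an empty result) when nothing matches,
    # hence SilentlyContinue.
    Get-WinEvent -LogName System -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # ToXml() exposes the standards-based event structure; the <System>
            # element carries the attributes described above.
            $x   = [xml]$_.ToXml()
            $sys = $x.Event.System

            # <EventID> becomes an XmlElement when it carries a Qualifiers
            # attribute and a plain string otherwise; handle both.
            $id = $sys.EventID
            if ($id -is [System.Xml.XmlElement]) { $id = $id.InnerText }

            New-Object PSObject -Property @{
                TimeCreated = [datetime]$sys.TimeCreated.SystemTime
                Computer    = $sys.Computer
                Provider    = $sys.Provider.Name
                EventID     = [int]$id
                Level       = [int]$sys.Level
                Task        = [int]$sys.Task
                Opcode      = [int]$sys.Opcode
                Keywords    = $sys.Keywords                 # hex bitmask string
                ProcessID   = [int]$sys.Execution.ProcessID
                ThreadID    = [int]$sys.Execution.ThreadID
                UserSid     = $sys.Security.UserID          # $null when the event carries no SID
            }
        }
}

# Example use: which providers produced the critical/error events, the quickest
# way to narrow a report query before reading individual events.
Get-RecentCriticalSystemEvents |
    Group-Object Provider |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The same XPath string can be pasted into the Event Viewer's custom view XML, so a query developed here can be saved as a view for other administrators.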

Increased Automation

The task scheduler is used to automate management and configuration tasks. Vista features a completely redesigned task scheduler interface and a snap-in for the MMC, which combines multiple UIs into a single and consistent interface (Figure 6).


Figure 6. The redesigned task scheduler snap-in for the MMC.

Scheduling tasks is much more flexible and comprehensive than in Windows XP. Tasks can be scheduled to run at predefined times, or configured to run when specific events occur. In addition, multiple triggers may be configured to initiate one or more tasks, which may run simultaneously or in a predetermined sequence. Tasks can also be configured to run based on a system status, such as being idle for a pre-configured amount of time, startup, logoff, or other triggers.

The Task Scheduler supports new security features, including employing the new Credentials Manager for storing passwords, and running tasks at a reduced privilege level (by running the task as its own session instead of in the same session as the administrator).
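The following is an added example, not from the book, of registering one of the event-triggered, reduced-privilege tasks just described with Vista's schtasks.exe from PowerShell. The task name, service account and script path are placeholders; the trigger uses the Eventing Architecture's XPath syntax (Event ID 6008 is the Event Log service's "unexpected shutdown" event), and the password is supplied once at registration and stored by the Task Scheduler rather than kept in the script.

```powershell
# Added example: register a task that fires on a specific event and runs under a
# dedicated non-administrative account. Assumes Vista's schtasks.exe; account,
# task name and command are constructed placeholders.
function Register-EventTriggeredTask {
    param(
        [string]$TaskName   = 'CollectDiagnosticsOnUnexpectedShutdown',   # placeholder
        [string]$Channel    = 'System',
        # XPath trigger: Event ID 6008 from the EventLog provider (unexpected shutdown)
        [string]$EventQuery = '*[System[Provider[@Name=''EventLog''] and (EventID=6008)]]',
        [string]$Command    = 'C:\Tools\collect-diagnostics.cmd',        # placeholder
        [string]$RunAs      = 'CONTOSO\svc-diag'                          # placeholder account
    )
    # /SC ONEVENT with /EC (channel) and /MO (XPath) is the event trigger.
    # /RL LIMITED keeps the task on the account's normal, non-elevated token.
    # /RP * makes schtasks prompt for the password once; the Task Scheduler
    # stores it, so no secret lives in this script.
    $schtasksArgs = @(
        '/Create', '/F',
        '/TN', $TaskName,
        '/SC', 'ONEVENT',
        '/EC', $Channel,
        '/MO', $EventQuery,
        '/TR', "`"$Command`"",
        '/RU', $RunAs, '/RP', '*',
        '/RL', 'LIMITED'
    )
    & schtasks.exe @schtasksArgs
    if ($LASTEXITCODE -ne 0) {
        throw "schtasks.exe failed with exit code $LASTEXITCODE"
    }
}

# Check the trigger, account and run level that were actually registered
# before relying on the task.
function Show-RegisteredTask {
    param([string]$TaskName = 'CollectDiagnosticsOnUnexpectedShutdown')
    schtasks.exe /Query /TN $TaskName /V /FO LIST
}

Register-EventTriggeredTask
Show-RegisteredTask
```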


New Group Policy Management

Vista expands the number of features and components that can be managed with Group Policies, from approximately 1,800 in Windows Server 2003 Service Pack 1 to approximately 2,500 in Vista and the forthcoming Windows Server “Longhorn.” New policies, which are primarily security-related, are grouped by category as summarized in Table 3 [12].

Group Policy template files, previously known as ADM files, have a new format based on XML. The new template files have the ADMX suffix. For domain-based Group Policy objects (GPOs), the ADMX files can be centrally stored, and all computers on the domain use the File Replication Service to retrieve and configure themselves.

Group policies can be set and edited via the Group Policy Management Console (GPMC) MMC snap-in, or by using the Group Policy Object Editor.

Table 3. New or Expanded Group Policy Settings

Group Policy Category: Description

Antivirus
  Manages behavior for evaluating high-risk attachments.

Background Intelligent Transfer Service (BITS)
  Configures the new BITS Neighbor Casting feature to facilitate peer-to-peer file transfer within a domain. This feature is supported in Windows Vista and Windows Server "Longhorn."

Client Help
  Determines where users access Help systems that may include untrusted content.

Deployed Printer Connections

Device Installation
  Allows or denies a device installation, based upon the device class or ID.

Disk Failure Diagnostic
  Controls the level of information displayed by the disk failure diagnostics.

DVD Video Burning
  Customizes video disc authoring.

Enterprise Quality of Service (QoS)
  Alleviates network congestion issues by enabling central management of Windows Vista network traffic.

Hybrid Hard Disk
  Configures the hybrid hard disk (with non-volatile cache) properties.

Internet Explorer 7
  Replaces and expands the current settings in the Internet Explorer Maintenance extension to allow administrators the ability to read the current settings without affecting values.

Networking: Quarantine
  Manages three components: Health Registration Authority (HRA), Internet Authentication Service (IAS), and Network Access Protection (NAP).

Networking: Wired Wireless
  Applies a generic architecture for centrally managing existing and future media types.

Power Management
  Configures any current power management options in the Control Panel.

Removable Storage
  Allows administrators to protect corporate data by limiting the data that can be read from and written to removable storage devices.

Security Protection
  Combines the management of both the Windows Firewall and IPsec technologies to reduce the possibility of creating conflicting rules.

[12] See http://technet2.microsoft.com/WindowsVista/en/library/a8366c42-6373-48cd-9d11-2510580e48171033.mspx


Table 3. New or Expanded Group Policy Settings. Continued.

Group Policy Category: Description

Shell Application Management
  Manages access to the toolbar, taskbar, Start menu, and icon displays.

Shell First Experience, Logon, and Privileges
  Configures the logon experience to include expanded Group Policy settings.

Shell Sharing, Sync, and Roaming
  Customizes selected schedules and behaviors.

Shell Visuals
  Configures desktop display attributes.

Tablet PC
  Configures Tablet PC.

Terminal Services
  Configures features to enhance security, ease-of-use, and manageability of Terminal Services remote connections.

Troubleshooting and Diagnostics
  Controls the diagnostic level from automatically detecting and fixing problems to indicating to the user that assisted resolution is available.

User Account Protection
  Configures selected properties of user accounts.

Windows Error Reporting
  Disables Windows Feedback only for Windows or for all components. By default, Windows Feedback is turned on for all Windows components.

Reliability and Performance Monitoring

The reliability and performance monitoring utilities have been substantially rewritten for Vista to make analysis more comprehensive, and to make it easier to pinpoint bottlenecks or misbehaving processes. New features have been added, and the performance and monitoring tools have been consolidated into the MMC [13]. Some of the major new reliability and performance features include those described below.

Data Collector Sets group data collectors into reusable elements, allowing an administrator to schedule collection of a Data Collector Set to create logs, load it in Performance Monitor to see the data in real time, or save it as a template to use on other computers.

The new Resource View screen provides a real-time overview of CPU, disk, network, and memory usage (Figure 7). Each of these metrics can be expanded upon, providing per-process information that can be sorted on multiple keys. The detailed report provides at-a-glance usage by process.

[13] See http://technet2.microsoft.com/WindowsVista/en/library/ab3b2cfc-b177-43ec-8a4d-0bfac62d88961033.mspx


Figure 7. The new at-a-glance resource view screen.

A new Reliability Monitor calculates a System Stability Index that reflects whether unexpected problems reduced the reliability of the system. See details in the Reliability section below.

Unified property configuration for data collection and scheduling consolidates the interface for creation and modification of data collector sets. Sets that are useful can be saved or propagated to other systems for analyzing performance and reliability of user populations.

A new reporting interface, largely based on the Server Performance Advisor in Windows Server 2003. The new user interface is more flexible and thorough, allowing reports to be quickly generated from any Data Collector Set. Of course, Vista includes preconfigured performance and diagnosis reports for quick analysis and troubleshooting.

Performance Monitor

The performance monitoring tools for Vista combine multiple Windows XP utilities (Performance Logs and Alerts, Server Performance Advisor, Performance Monitor, and System Monitor) and wrap them in the new standard MMC GUI. Using the performance monitor, administrators can monitor nearly every aspect of system performance, presenting the information graphically or in report format.

The performance monitor is a component of the Windows Performance Diagnostic Console, a snap-in for the MMC (Figure 8). The console displays real-time information, allows for alerts and automatic actions, and generates reports. It can also be used to recall historical data.


Figure 8. A sample of the Vista Performance monitor.

Configuring the performance monitor to sample selected metrics is a drag-and-drop operation. Multiple metrics can be combined and saved as custom data collector sets, which can be recalled at any time.

Reliability Monitor

The reliability monitor offers a graph of the system’s stability over time, and generates a “stability index” that quickly quantifies the overall reliability of the system, its software, and applications (Figure 9). The user can quickly zoom in on each day and/or event and generate a snapshot stability report, which provides details on the incident.

For example, a user can view a graphical log of changes to the system (installation or removal of applications or updates to the operating system) side by side with a similar log of failures (application, operating system, or hardware failures). The comparison helps quickly pinpoint events that lead to reliability issues.


Figure 9. A view of the reliability monitor snap-in to the MMC.

Feature Assessment

We will wrap up this chapter with an admittedly subjective assessment of the impact the features discussed in this chapter might have on a typical enterprise. For this assessment, we will assume a hypothetical enterprise environment, specifically:

• Desktops are centrally managed, either with Microsoft’s Group Policy infrastructure, some sort of enterprise desktop management tool such as ScriptLogic’s Desktop Authority, or a combination of both.

• Most desktop users have a fairly static environment—a collection of corporate and third-party applications—and are continuously connected to the corporate network.

• The enterprise has a moderate number of mobile users that move about within the enterprise, with a subset that travels worldwide.

For each of the features described in the preceding sections, we assess the feature’s impact on the bottom line, that is, the return on the investment in upgrading the desktop to Windows Vista.


Table 4. An assessment of Vista’s new features on enterprise productivity.

Columns: Feature; impact on productivity/usefulness (-, neutral, +); Comments

Security

  Security Development Lifecycle: The improved development methodologies won’t have a direct impact on productivity; however, in the long run SDL should produce higher-quality code.

  Windows Services Hardening: Hardening should go a long way in reducing malware-induced incidents; we expect a substantial impact. This could be offset by its effects on certain applications.

  User Account Control: The reduced privilege level of users should reduce malware-induced incidents; however, this could be offset by the sheer annoyance of UAC, and by its effects on applications that assumed administrator privileges.

  Windows Defender: Defender will probably not have a substantial impact on an enterprise since most environments already employ a third-party anti-spyware product.

  Network Access Protection: Properly implemented, NAP will improve overall security. However, we will have to wait for Vista Server “Longhorn” for implementation.

  Data Protection and Encryption: Data protection features, especially on mobile systems, should dramatically improve data security and reduce lawsuits.

  Other Security Enhancements: The miscellaneous security enhancements described in this chapter should benefit overall security.

Networking

  New TCP/IP Stack: The new TCP/IP stack won’t be outwardly noticeable, but should help migration to IPv6, improve performance, and improve mobility and security for mobile users.

  Simpler connectivity: For most administrators, simpler connectivity shouldn’t have much of an impact.

  Higher security: Higher security networking will be beneficial for mobile users.

  Improved Manageability: Manageability options, especially new Group Policy settings, will provide administrators with additional control options.


Table 4. An assessment of Vista’s new features on enterprise productivity. Continued.

Columns: Feature; impact on productivity/usefulness (-, neutral, +); Comments

Management and Control

  Microsoft Management Console (MMC): The new MMC provides a consistent interface; however, most administrators are familiar with the old ones.

  Windows Eventing Architecture: The new Eventing Architecture will provide administrators with additional information when diagnosing performance or application problems.

  Increased Automation: Much-needed improvements to task scheduling will open up new ways of automating today’s manual chores.

  New Group Policy Management: For administrators that use GP, the new settings will provide additional ways of managing desktops; however, sorting through the 800-odd new settings will require research.

  Reliability and Performance Monitoring: The new reliability and performance monitoring tools will provide administrators with additional information when diagnosing performance or application problems.

Summary

In contrast to the user-visible features reviewed in Chapter 1, it is our opinion that the core improvements covered in this chapter have more of an impact on an enterprise. As might be expected, improvements in security, networking, and management tools should substantially improve an IT manager’s life.

Features of particular note are Network Access Protection (once “Longhorn” is available and an enterprise is able to implement it), increased automation, and improved networking for mobile users. Group Policy improvements also enhance an administrator’s control over a large population of desktops, improving security and ostensibly reducing user incidents.

That said, the deployment of Vista, and related activities, are not for the faint of heart, as we shall see in the next chapter, “Preparing for Vista Deployment.”