Professor Messer’s
Microsoft 70-680 Configuring Windows 7 Study Guide
http://www.ProfessorMesser.com

Windows 7 Editions
Windows 7 Hardware Requirements

Windows 7 Installation Sources
DVD-ROM
• Available as an ISO file
• Doesn’t scale very well
USB Drive
• Faster than a DVD-ROM
• Need at least 4 GB of space for OS files
• Doesn’t scale well
Network Share
• Copy Windows 7 Installation Media to a share
• Boot with Windows PE
• Still has scaling problems, but the installation media can be easily updated
Windows Deployment Services (WDS)
• Automated deployment
• Requires a network, Server 2008, Active Directory
• Uses multicast
• Install on many computers simultaneously
• Scales extremely well
© 2014 Messer Studios, LLC http://www.ProfessorMesser.com Professor Messer’s 70-680 Windows 7 Study Guide - Page 1
Preparing a USB Drive
Booting Windows 7
Dual-Booting
• More than one operating system on one computer
• Each OS generally needs a separate partition
  • Can be on the same drive or different drives
  • Windows 7 needs 15 GB
• May need to resize partitions
  • Disk Management in Windows Vista and Windows 7
  • Windows XP can’t do this without 3rd-party utilities
• If you install to VHD, you won’t need another partition
The Windows Hidden Partition
• Contains boot information
• Runs the Windows Recovery Environment (WinRE)
Managing the Windows Startup Menu with bcdedit
• Boot Configuration Data Store Editor
• Edits /boot/bcd
  • In the Windows 7 hidden partition
• Backup and restore
  • bcdedit /export c:\save-bcd
  • bcdedit /import c:\save-bcd
• Create a new entry
  • bcdedit /copy {current} /d "New entry"
• Other commands
  • bcdedit /set {current} description "New Entry Description"
  • bcdedit /displayorder {ntldr} /addfirst
  • bcdedit /default {ntldr}
  • bcdedit /displayorder {12345678-1234-1234567890-1234} /addlast
Windows 7 Upgrade Paths
Windows 7 Anytime Upgrades
Microsoft Assessment and Planning Toolkit
• Large-scale upgrade assessment
• Integrates with Active Directory
• Scans the network to find computers
• Inventories computers, servers, and virtual machines
• Many different operating systems
• Doesn’t require any agent software
Windows 7 Migration
Side-by-side
• Two computers
• Move information from one to the other
Wipe-and-load
• Export data, nuke and install, and import
• Exported data can be deleted afterwards
• Profiles copied to external device
  • USB storage, network share
Windows Easy Transfer
• Migrate from Windows XP, Windows Vista, or Windows 7
• Useful when moving to a new computer
• Supports both side-by-side and wipe-and-load
User State Migration Tool (USMT)
• Included with the Windows Automated Installation Kit (AIK)
• Very scalable
  • Built for large enterprises
  • Works at the command line
• Migrate from Windows XP and Windows Vista to Windows 7
• Migrate from Windows 7 to Windows Vista
Two-step process
• Can be completely automated
  • Take advantage of the command line
• ScanState
  • Compiles and stores the migration data
  • Must run in an elevated prompt (Vista, 7) or as a Local Administrator (XP)
• LoadState
  • Loads profile onto the destination computer
Configuration settings
• MigApp.xml - Migrate application settings
  • Folder options, fonts, wallpaper settings, etc.
• MigUser.xml - Migrate user folders, files, and file types
• MigDocs.xml - Location of user documents
• Config.xml - Exclude migration features
Storing the migrated data
• Uncompressed
  • Stored in folders, view using Windows Explorer
• Compressed
  • Uses less space, can’t be viewed in Windows Explorer
• Hardlink
  • Creates links to the user data
  • Links are followed when performing wipe-and-load
  • Doesn’t duplicate files
  • Can save a lot of time
  • You’ll need a minimum of 250 MB free
Windows Automated Installation Kit
• Windows SIM (System Image Manager)
  • Manages image distribution
• ImageX
  • Create and modify Windows images (WIM)
• DISM (Deployment Image Servicing and Management)
  • Modify an image with updates and drivers
• Windows PE (Preinstallation Environment)
  • A minimal boot OS
• OSCDIMG
  • Command line creation of ISO files
• USMT (User State Migration Tool)
  • Migrate user information between OS versions
Building and distributing a Windows 7 image
• Run audit mode (Shift-Ctrl-F3)
  • Bypass Windows Welcome
  • Tweak your reference image, load apps and drivers
• Sysprep
  • Clear unique names
  • Set Windows Welcome - Out-of-box-experience (OOBE)
  • c:\windows\system32\sysprep\sysprep.exe /oobe /generalize /shutdown
  • Reset the 30-day activation up to three times
• Plan Windows 7 installation on reference PC
  • Build an answer file
  • Validate and save the answer file
  • Save Autounattend.xml to the root
• Perform Windows 7 installation
• Use Sysprep to generalize and set oobe (out of box experience)
• Create bootable Windows PE disk or USB flash drive
• Create image and store on network share
• Deploy the image
Capturing an image
Sysprep and other prep
• Create a Windows PE boot disk
  • You’ll want to add ImageX to the disk
  • It doesn’t come in the default configuration
• Boot to PE and create an image
  • This is why you added ImageX
  • Have a destination ready for the image
  • Have your computer Sysprep’d prior to the imaging
  • Your image should be ready for the first user
  • The final image is a WIM file
Deployment Image Servicing and Management (DISM)
Working with images
• Get image information
  • DISM.exe /Get-WimInfo /WimFile:<WIM_file> [/Index:<image_index> | /Name:<image_name>]
  • IMAGEX [FLAGS] /INFO img_file [img_number | img_name] [new_name] [new_desc]
• Mount an image
  • DISM.exe /Mount-Wim /WimFile:<path_to_WIM_file> {/Index:<image_index> | /Name:<image_name>} /MountDir:<target_mount_directory> [/readonly]
  • IMAGEX [FLAGS] /MOUNTRW [image_file image_number | image_name image_path]
• Get information on mounted image
  • DISM.exe /Get-MountedWimInfo
  • Clean an “Invalid” state with dism /Cleanup-Wim
• Manage .inf drivers on an active (online) or offline system
  • dism /online /get-drivers /all
  • dism /image:<imageDir> /get-drivers /all
• Adding and removing drivers
  • dism /image:<imageDir> /add-driver
  • dism /image:<imageDir> /remove-driver
  • On x64, drivers must have a digital signature, unless you use /forceunsigned
Managing applications
• View, add, or remove packages or features
• Work with cabinet (.cab) files or Windows Update (.msu) files
• Administratively disable features
• dism /image:<image directory> [/get-packages | /get-packageinfo | /add-package | /remove-package] [/get-features | /get-featureinfo | /enable-feature | /disable-feature]
• Packages are “pending” until the system is booted
Managing patches
• Don’t manage patches manually
  • Reimage again, then patch after it comes online
• dism /image:<imageDir> [/check-apppatch | /get-apppatchinfo | /get-apppatches | /get-appinfo | /get-apps]
• Do you know the GUID? Then include…
  • /productcode:{GUID}
• Can only check for .msp (patches) and .msi (installation) packages
Saving changes with a commit
• To save your changes, you must commit!
• You can always discard and start over
• Commit or Discard
  • DISM.exe /Commit-Wim /MountDir:<target_mount_directory>
  • DISM.exe /Unmount-Wim /MountDir:<target_mount_directory> {/Commit | /Discard}
Post-deployment tasks
• Configure package installation order or tasks to run after deployment
  • Use Unattend.xml file
  • DISM /Image:<path_to_mounted_image> /Apply-Unattend:<Path_To_unattend.xml>
• Create your Unattend.xml files using Windows System Image Manager (SIM)
Deployment options
• Microsoft Deployment Toolkit (MDT) 2010
  • Make the process easier
• Deploying with Windows Deployment Services (WDS)
  • Image many systems at one time
• System Center Configuration Manager (SCCM) 2007
  • Enterprise change and configuration management
Deployment types
• Lite Touch Installation (LTI)
  • Deploy without a large management infrastructure
  • Great for small and medium companies
• Zero Touch Installation (ZTI)
  • Integrates Systems Management Server (SMS) 2003 or System Center Configuration Manager (SCCM) 2007 for complete automation
  • Common in very large organizations
Microsoft Deployment Toolkit 2010
• Manage and distribute your WIMs
  • Everything you need to deploy an operating system
  • OS, drivers, apps, etc.
• Uses the Windows Automated Installation Kit
  • It’s required
• All that stuff we did manually? This automates it.
  • Install, automate, capture, image
• Requirements
  • Active Directory Domain Services
  • NTFS file system
  • Local Administrator rights
  • DHCP server (for PXE)
Windows Deployment Services
• WDS is graphical
• WDSUTIL is command line
WDS images
• Boot image
  • Boots the system (via PXE)
• Discover image
  • If you can’t PXE, you can discover the WDS server
• Install image
  • The big image that gets installed
• Capture image
  • A special image that captures an image from a system
SCCM
• System Center Configuration Manager (SCCM) 2007
  • Enterprise change and configuration management
  • Software deployment
  • Software metering
  • Inventory
  • Remote administration
• Can be integrated with Microsoft Deployment Toolkit (MDT) 2010 for ZTI
SCCM features and capabilities
• Command line control
• Software installation and updates
• Domain management
• Restart computers
• Partition disks
• Manage user state information
• Image computers
• Driver management
Make a VHD
• Use Disk Management to attach and detach
• Use diskpart to create vdisk
• Ideally, the VHD would be in a separate disk
  • Or at least a different partition
• Apply an existing WIM with ImageX
Boot from the VHD
• bcdedit
  • Modify your boot entries
• Can only boot to a Windows 7 or Windows 2008 R2 VHD
• Change the “device” and “osdevice” to the VHD
• Enable the hardware abstraction layer (HAL)
• Can’t use BitLocker or hibernation
  • Not a great choice for laptops
Service your VHD
• Microsoft System Center Virtual Machine Manager
  • MSCVMM 2007 or MSCVMM 2008
  • Manage many VHDs and virtual machines
• Windows Hyper-V Server
  • Physical to virtual migrations
  • Manage virtual workloads
• Update and maintain VHDs
  • Integrate with System Center Configuration Manager (SCCM) or Windows Server Update Services (WSUS)
Configuring Devices
Adding new drivers
• Change device installation settings
• Drivers can only be installed by Administrators or modified by Group Policy
Plug and Play (PnP)
• Automatic installation
  • Checks the driver store
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\DevicePath
  • Copies the driver for use into C:\Windows\System32\drivers
• New drivers must be staged with pnputil
Signed drivers
• Cryptographic “signature”
  • Verifies the driver publisher and file integrity
• Must be Administrator to install unsigned drivers
• Sign the driver yourself to deploy for user installation
  • Certificate Authority can be very useful
• Windows Hardware Quality Labs (WHQL)
  • Check with directx
• File Signature Verification (sigverif)
• Control Panel / Device Manager (icon view)
• Start / right-click Computer / Manage / Device Manager
• Run “devmgmt.msc”
Application compatibility
Application Compatibility Toolkit
• Application Compatibility Manager
• Compatibility Administrator
  • View compatibility fixes for 3rd-party apps
  • Analyze your applications, create your own shim
• Internet Explorer Compatibility Test Tool
Testing IE8 (Demo/Lab)
• Internet Explorer Compatibility Test Tool
• Start the tool / Start IE8
• Surf and watch
App Compatibility Group Policies
• Recover from problems or block issues when they occur
• Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics
Windows XP Mode
• Run Windows XP as a virtual machine
• Windows 7 Professional, Windows 7 Ultimate, Windows 7 Enterprise
• Integrates with the Windows 7 desktop
• Uses a lot of disk space and memory resources
Software Restriction Policies
Group Policy
• Use Group Policy to restrict application use - gpedit.msc
• A bit of overlap with AppLocker
• Works for Windows XP, Windows Vista, and Windows 7
• Computer Configuration \ Windows Settings \ Security Settings \ Software Restriction Policies
Enforcement properties
• Include/exclude DLLs
• Include/exclude local administrators
• Enforce/ignore certificates
Which policy wins?
• Most specific first, then more general
• If AppLocker is in use, AppLocker always wins
• Hash Rules (most specific)
• Certificate Rules
• Path Rules
• Network Zone Rules
• Default Rules (most general)
Hash rules
• Unique identifier - You can’t fool the hash
• Advantages
  • Control very specific applications
  • Down to the version number
• Disadvantages
  • Must be created for every executable
  • Must be updated for each version
Certificate rules
• Control application usage by publisher
• Advantages
  • Cryptographically improbable to beat
• Disadvantages
  • One certificate rule can affect many applications from the same publisher
  • Application must be signed
  • Resource intensive
Path rules
• Control application use based on files or folders
• Advantages
  • Can control specific areas or files
• Disadvantages
  • Can be circumvented by moving the file
Network zone rules
• Control applications based on download location
• Advantages
  • Limits security risk from the outside
• Disadvantages
  • Only applies to .msi (installer) files
  • Not .exe files
  • Only applies to downloads from Internet Explorer
Configuring software restriction policies in Group Policy Editor
AppLocker
AppLocker overview
• Available in Windows 7 Ultimate and Windows 7 Enterprise
• Control users or groups
• Requires Application Identity Service
  • Defaults to “Manual”
• Block rules always override Allow rules
  • Except the implied Block
Rule categories
• Executable Rules
  • Control .exe and .com files
• Windows Installer Rules
  • Control .msi and .msp files
  • Doesn’t change the administrative permissions
• Script Rules - Control .bat, .cmd, .js, .ps1, and .vbs files
• Build some default rules
AppLocker rule enforcement
• Enforce rule types
• Audit rules
• Enable DLL rule collection
  • Can impact performance
Rule conditions
• Publisher rules
  • Pulled from the file information
  • Existing file and all future versions
• Path rules
  • Similar to Software Restriction Policies
• File hash rules
  • Also similar to Software Restriction Policies
  • There are no exceptions for file hash conditions
AppLocker rules
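The two precedence models above (Software Restriction Policies: most specific rule type wins; AppLocker: an explicit Block beats Allow, with the implied Block only when nothing matches) worked through in code. This is an added example in a simplified model, not Windows code or anything from the study guide; the rules, paths and hashes are constructed.

```python
"""Rule precedence in the two application-control mechanisms this guide covers.
Software Restriction Policies: the most specific matching rule type decides
(hash > certificate > path > network zone > default). AppLocker: an explicit
Block always beats Allow, and the implied block applies only when no rule
matches at all. Simplified model; the sample rules and hashes are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SRP_PRECEDENCE = ["hash", "certificate", "path", "zone", "default"]


@dataclass
class FileInfo:
    path: str
    sha256: str                       # constructed, not a real file hash
    publisher: Optional[str] = None   # signing publisher, None when unsigned
    zone: Optional[str] = None        # Internet Explorer download zone, if any


@dataclass
class Rule:
    kind: str        # one of SRP_PRECEDENCE ("certificate" is AppLocker's publisher rule)
    action: str      # "allow" or "deny"
    value: str = ""  # hash, publisher name, path prefix or zone name


def matches(rule: Rule, f: FileInfo) -> bool:
    if rule.kind == "hash":
        return rule.value.lower() == f.sha256.lower()
    if rule.kind == "certificate":
        return f.publisher is not None and rule.value == f.publisher
    if rule.kind == "path":
        return f.path.lower().startswith(rule.value.lower())
    if rule.kind == "zone":
        # Zone rules only cover .msi packages downloaded through Internet Explorer
        return f.path.lower().endswith(".msi") and f.zone == rule.value
    return rule.kind == "default"


def srp_decide(rules: List[Rule], f: FileInfo) -> str:
    """Most specific matching rule type wins; the Default rule is the fallback."""
    hits = sorted((r for r in rules if matches(r, f)),
                  key=lambda r: SRP_PRECEDENCE.index(r.kind))
    return hits[0].action if hits else "allow"   # no Default rule: unrestricted


def applocker_decide(rules: List[Rule], f: FileInfo) -> str:
    """Explicit deny beats allow; with no matching rule the implied block applies."""
    hits = [r for r in rules
            if r.kind in ("hash", "certificate", "path") and matches(r, f)]
    if any(r.action == "deny" for r in hits):
        return "deny"
    if any(r.action == "allow" for r in hits):
        return "allow"
    return "deny"


# Constructed policy: trust Program Files, distrust user profiles, block one
# known-bad build by hash, approve one tool by hash, block Internet .msi files.
RULES = [
    Rule("default", "allow"),
    Rule("path", "allow", "C:\\Program Files\\"),
    Rule("path", "deny", "C:\\Users\\"),
    Rule("hash", "deny", "1111" * 16),
    Rule("hash", "allow", "2222" * 16),
    Rule("zone", "deny", "Internet"),
]

SAMPLES = {
    "bad_build":    FileInfo("C:\\Program Files\\Tool\\tool.exe", "1111" * 16, "Contoso"),
    "approved":     FileInfo("C:\\Users\\alice\\tool.exe", "2222" * 16, "Contoso"),
    "unknown":      FileInfo("D:\\scratch\\random.exe", "3333" * 16),
    "internet_msi": FileInfo("C:\\Temp\\setup.msi", "4444" * 16, zone="Internet"),
    "internet_exe": FileInfo("C:\\Temp\\setup.exe", "5555" * 16, zone="Internet"),
}


def decisions() -> Dict[str, Tuple[str, str]]:
    """(SRP decision, AppLocker decision) for each sample file."""
    return {name: (srp_decide(RULES, f), applocker_decide(RULES, f))
            for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, (srp, al) in decisions().items():
        print(f"{name:13} SRP={srp:5} AppLocker={al}")
```

The "approved" and "unknown" rows show the practical difference: SRP lets the hash rule override the path deny and falls through to the Default rule, while AppLocker denies on any matching Block and blocks anything no rule covers.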
Configuring Internet Explorer
Compatibility view
• The browser is the new application environment
• Browser versions are very different
  • Can dramatically impact applications
• Compatibility View turns back the clock
  • Run Internet Explorer as an “older” version
• Tools / Compatibility View Settings
• Configured in Group Policy
  • Administrative Templates \ Windows Components \ Internet Explorer \ Compatibility View
Security Settings
• Categorize web sites into zones
  • Internet
  • Local intranet
  • Trusted sites
  • Restricted sites
• Tools / Internet Options / Security
Search providers and add-ons
• Configure in Tools / Manage Add-ons
InPrivate policies
• Administrative Templates \ Windows Components \ Internet Explorer \ InPrivate
Managing certificates
• Validate the source
  • Trust the site
• Encrypt the data
  • Surf safely
Certificate problems
• This website’s security certificate has been revoked
  • Don’t trust this website
• This website’s address doesn’t match the address in the security certificate
  • Website is using a digital certificate that was issued to a different web address
• This website’s security certificate is out of date
  • Current date is either before or after the time period of the certificate
• This website’s security certificate isn’t from a trusted source
  • Certificate has been issued by a CA that isn’t recognized by Internet Explorer
• Internet Explorer has found a problem with this website’s certificate
  • There’s a problem with a certificate that doesn’t fit any other error conditions.
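The checks behind each of the certificate warnings listed above, run against constructed certificate records. This is an added example, not from the study guide; it does not parse real X.509, and the issuer names, serial numbers and hostnames are invented.

```python
"""Checks behind the certificate warnings Internet Explorer shows, as listed in
this section. Works on a constructed certificate record rather than real X.509;
the trust store, revocation list, issuers and hostnames are all invented."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple

# Constructed trust store and revocation list of (issuer, serial) pairs
TRUSTED_ISSUERS: Set[str] = {"Example Root CA"}
REVOKED: Set[Tuple[str, str]] = {("Example Root CA", "0x1002")}


@dataclass
class Cert:
    names: List[str]       # subject CN plus DNS subjectAltName entries
    issuer: str
    serial: str
    not_before: datetime
    not_after: datetime


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a '*.example.com' wildcard covering exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def ie_warning(cert: Cert, host: str, now: datetime) -> Optional[str]:
    """Return the warning IE would show, or None when the certificate checks out.
    Order used here: issuer trust, validity period, hostname, revocation."""
    try:
        if cert.not_before > cert.not_after:
            raise ValueError("validity period is inverted")
        if cert.issuer not in TRUSTED_ISSUERS:
            return "This website's security certificate isn't from a trusted source"
        if not cert.not_before <= now <= cert.not_after:
            return "This website's security certificate is out of date"
        if not any(name_matches(n, host) for n in cert.names):
            return ("This website's address doesn't match the address "
                    "in the security certificate")
        if (cert.issuer, cert.serial) in REVOKED:
            return "This website's security certificate has been revoked"
        return None
    except ValueError:
        # Anything that fits none of the specific conditions above
        return "Internet Explorer has found a problem with this website's certificate"


def check_samples() -> List[Tuple[str, Optional[str]]]:
    """Constructed certificates exercising each warning."""
    now = datetime(2014, 6, 1)
    good = Cert(["*.example.com"], "Example Root CA", "0x1001",
                datetime(2014, 1, 1), datetime(2015, 1, 1))
    revoked = Cert(["shop.example.com"], "Example Root CA", "0x1002",
                   datetime(2014, 1, 1), datetime(2015, 1, 1))
    expired = Cert(["www.example.com"], "Example Root CA", "0x1003",
                   datetime(2012, 1, 1), datetime(2013, 1, 1))
    selfsigned = Cert(["www.example.com"], "www.example.com", "0x1",
                      datetime(2014, 1, 1), datetime(2015, 1, 1))
    return [
        ("good", ie_warning(good, "www.example.com", now)),
        ("wildcard too deep", ie_warning(good, "a.b.example.com", now)),
        ("revoked", ie_warning(revoked, "shop.example.com", now)),
        ("expired", ie_warning(expired, "www.example.com", now)),
        ("self-signed", ie_warning(selfsigned, "www.example.com", now)),
    ]


if __name__ == "__main__":
    for label, warning in check_samples():
        print(f"{label:18} -> {warning or 'no warning'}")
```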
IPv4 and IPv6
IPv4 Addressing
• 192.168.1.131 = 11000000.10101000.00000001.10000011
• 8 bits = 1 byte = 1 octet
• 32 bits = 4 bytes
RFC 1918 Private Addresses
DNS
• Domain Name System
• Converts names to IP addresses
• www.professormesser.com = 74.208.221.234
DHCP
• Dynamic Host Configuration Protocol
• Automatically assign IP address, subnet mask, gateway, and more
APIPA
• Automatic Private IP Addressing
• Connect an entire network without any configuration
• 169.254.0.1 through 169.254.255.254 (subnet mask of 255.255.0.0)
IPv6 Addressing
• fe80::5d18:652:cffd:8f52 = fe80:0000:0000:0000:5d18:0652:cffd:8f52
• 16 bits = 2 bytes = 2 octets
• 128 bits = 16 bytes
Address types
• Unicast – one to one
• Multicast – one to many
• Broadcast – one to all (IPv4)
• Anycast – one to nearest (IPv6)
IPv6 Unicast Addresses
• Global – Routable everywhere
• Local – Used in the local network (no Internet) – fc00::/7
• Link-local – Used in the local network segment only – fe80::/10
Integrating IPv4 and IPv6
Teredo
• Tunnel IPv6 through NATed IPv4
• End-to-end IPv6 through an IPv4 network
• No special IPv6 router needed
• Addresses start with 2001::/32
ISATAP (Intra-Site Automatic Tunnel Addressing Protocol)
• Automatically configures addressing to connect two IPv6 devices over a local IPv4 network
• Not designed for site-to-site communication
• fe80::5efe:192.168.0.16
Network Address Translation (NAT)
• Convert from one IP address to another
• Commonly used to convert private internal addresses to be routed across the Internet
• Also used to advertise services with an external address, but the server actually resides on the inside of the network with a private address
Configuring IPv4
GUI configuration
• Local Area Connection Properties
  • Control Panel / Network and Sharing Center / Change Adapter Settings / Right-Click on adapter / Properties
  • Internet Protocol Version 4 (TCP/IPv4)
Command-line configuration
• netsh interface ipv4 set …
Confirming IPv4 connectivity
• Confirm physical connectivity
  • Are the lights blinking?
• View your configuration
  • ipconfig /all
  • Did you get an IP address from the DHCP server?
  • Is it an APIPA address (169.254.0.1 – 169.254.255.254)?
  • Try to ipconfig /release and ipconfig /renew
• Connect to everything
  • ping your address, your gateway, a remote device
  • tracert to an external address
Configuring IPv6
Connecting to an IPv6 network
• Local Area Connection Properties
  • Control Panel / Network and Sharing Center / Change Adapter Settings / Right-Click on adapter / Properties
• netsh interface ipv6 set address
• netsh interface ipv6 show address
• DNS
  • IPv4 – A records
  • IPv6 – AAAA records
Confirming IPv6 connectivity
• Confirm physical connectivity
  • Are the lights blinking?
  • netsh interface ipv6 show neighbors
• View your configuration
  • ipconfig /all
  • netsh interface ipv6 show address
• Connect to everything
  • Windows 7 network utilities are IPv6 aware (with the -6 flag)
  • ping your address, your gateway, a remote device
  • tracert to an external address
Adding a network device
• Control Panel / Network and Sharing Center / Set up a connection or network
• Change advanced sharing settings
  • Network discovery
  • File and printer sharing
  • Public folder sharing
Professor Messer Exam Tip
Microsoft has a reputation for tough certification exams. Make sure you know your material very well before booking your exam!
802.11 wireless networking
• IEEE standards for wireless networking
• 802.11a, 802.11b, 802.11g, and 802.11n
• Differences in speeds, distance, channels, and frequencies
802.11a
• One of the initial wireless standards - October 1999
• Operates in the 5 GHz range
• 54 megabits per second (Mbit/s)
• Smaller range than 802.11b
  • Higher frequency is absorbed by objects in the way
• Today, only seen in very specific cases
802.11b
• Also an original 802.11 standard - October 1999
• Operates in the 2.4 GHz range
• 11 megabits per second (Mbit/s)
• Better range than 802.11a
  • Fewer absorption problems
• More frequency conflict
  • Baby monitors, cordless phones, microwave ovens, Bluetooth
802.11g
• An “upgrade” to 802.11b - June 2003
• Operates in the 2.4 GHz range
• 54 megabits per second (Mbit/s)
  • Same as 802.11a (but a little bit less throughput)
• Backwards-compatible with 802.11b
• Same frequency conflict problems as 802.11b
802.11n
• Standardized in 2009
• Operates at 5 GHz and/or 2.4 GHz
• 600 megabits per second (Mbit/s)
• New standard has MIMO
  • Multiple-input multiple-output
Security types
• No authentication (open)
• WPA-Personal, WPA2-Personal
• WPA-Enterprise, WPA2-Enterprise
• 802.1x (certificate or smart card)
Encryption types
• WEP (Wired Equivalent Privacy)
• TKIP (Temporal Key Integrity Protocol)
• AES (Advanced Encryption Standard)
Wireless security and encryption
• Control Panel / Network and Sharing Center / Connect to a network
• Icon in System Tray
• netsh wlan show interfaces
• netsh wlan show networks mode=[ssid|bssid]
• netsh wlan add profile filename="filename"
• netsh wlan connect name=<profile> ssid=<ssid>
• netsh wlan disconnect interface="interface"
Preferred wireless networks
• Configured in the network profile
  • Automatically connect
  • Connect to a more preferred network
  • Connect even if not broadcasting SSID
Configuring network adapters
• Configure all adapter types
  • Wired and wireless
• Networking tab
  • Protocols
• Configure… button
  • Hardware configuration
Location aware printing
• New Windows 7 feature
• Based on wireless network connection
• Can also lock down the default
Connecting to a wireless network
Windows Firewall
• Integrated into the operating system
• Control Panel / Windows Firewall
• Windows Firewall with Advanced Security
  • Click “Advanced settings”
Windows Firewall features
• Fundamental firewall rules
• Based on applications
  • No detailed control
• No scope
  • All traffic applies
• No connection security rules
Windows Firewall with Advanced Security
• Inbound rules
• Outbound rules
• Connection security rules
• Granular
  • Program, port, predefined services, custom
• Custom
  • Program, protocol/port, scope, action, profile
Remote Management
Remote Assistance
• User-initiated help
  • End-user is in control
• Send a file, an email, or Easy Connect
• Control Panel / System / Remote Tab
  • Advanced tab
• Start / All Programs / Maintenance / Windows Remote Assistance
Remote Desktop
• Initiated by the remote user
  • Host computer is always waiting for a connection
• Start / All Programs / Accessories / Remote Desktop Connection
• Only available in Windows 7 Professional, Ultimate, and Enterprise
• Control Panel / System / Remote tab
  • Automatically configures Windows Firewall rules
• Host user cannot see desktop
  • You are logging on as a user
Windows PowerShell
• Super-awesome powerful scripting
• Run PowerShell instead of your normal shell
• Extends Windows functionality into the shell
• Windows 7 includes PowerShell 2.0
  • Over 240 cmdlets (command-lets)
  • Extensive use of pipelines
Executing remote commands
• Windows Remote Shell (WinRS)
  • Run shell command on a remote computer
  • Remote desktop not required
  • This is why we’ve been learning all those command line options
• Requires the Windows Remote Management Service
  • Set it up: WinRM quickconfig
  • Starts the service and configures the firewall
Remote Assistance
Resource access
Folder virtualization / Libraries
• Build “folders” that reference files in other locations
  • Local and network
• Redirect user files to a network server
  • Uses Offline Files technology
  • Synchronizes in the background
  • Allows a user to be anywhere
• Roaming user profile
Sharing folders
• Basic sharing and advanced sharing
• Central share management
• Command line sharing
  • net share
Printers and queues
• Share your printer with others
  • Leverage expensive resources
• Set access
  • Who can print in color?
HomeGroup settings
• Old-school resource sharing
  • Separate accounts, separate passwords
• Connect computers in a HomeGroup
  • Easy access to files and printers
• Can only create a HomeGroup in Windows 7 Home Premium, Professional, Ultimate, or Enterprise editions
Using the net share command
Windows HomeGroup
File and folder access
Encrypting File System (EFS)
• OS-level file encryption
  • Requires NTFS
• Encrypt for multiple users
  • Regardless of NTFS permissions
• Create a Recovery Agent before encrypting any files
  • cipher /R:filename
NTFS and share permissions
• NTFS
  • icacls
• Share
  • net share
• NTFS permissions apply to local and network connections
• Share permissions only apply to connections over the network
• The most restrictive setting wins
• Allow / Deny
• Copy vs. Move
  • Permissions are inherited from the parent object (copy)
  • Unless you move to a different folder on the same volume (move)
• Built-in Effective Permissions tool
NTFS permissions / Share permissions
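The rules just listed (NTFS applies locally and over the network, share permissions only over the network, Deny beats Allow, most restrictive wins, and copy-versus-move inheritance) computed over a sample folder. This is an added example in a simplified model, not Windows code or the study guide's own material; the permission levels are the basic ones from the Security tab and the share dialog, and the ACLs, users and groups are constructed.

```python
"""Effective access through NTFS and share permissions, as this section states
it. Simplified model of the basic permission levels; sample ACLs constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Rights bundled into the basic NTFS permission levels on the Security tab
NTFS_LEVELS: Dict[str, FrozenSet[str]] = {
    "Read": frozenset({"read"}),
    "Read & Execute": frozenset({"read", "execute"}),
    "Write": frozenset({"write"}),
    "Modify": frozenset({"read", "execute", "write", "delete"}),
    "Full Control": frozenset({"read", "execute", "write", "delete", "change_permissions"}),
}
# Share permissions only know three levels
SHARE_LEVELS: Dict[str, FrozenSet[str]] = {
    "Read": frozenset({"read", "execute"}),
    "Change": frozenset({"read", "execute", "write", "delete"}),
    "Full Control": frozenset({"read", "execute", "write", "delete", "change_permissions"}),
}


@dataclass(frozen=True)
class Ace:
    principal: str   # user or group name
    allow: bool      # True for Allow, False for Deny
    level: str       # key of the level table the ACL belongs to


def effective(acl: List[Ace], levels: Dict[str, FrozenSet[str]],
              user: str, groups: Set[str]) -> FrozenSet[str]:
    """Union of Allow entries for the user and their groups, minus any Deny."""
    mine = [a for a in acl if a.principal == user or a.principal in groups]
    allowed = frozenset().union(*(levels[a.level] for a in mine if a.allow))
    denied = frozenset().union(*(levels[a.level] for a in mine if not a.allow))
    return allowed - denied


def effective_access(ntfs_acl: List[Ace], share_acl: List[Ace],
                     user: str, groups: Set[str], over_network: bool) -> FrozenSet[str]:
    """NTFS always applies; over the network the share ACL applies too, and the
    intersection (the most restrictive setting) is what the user actually gets."""
    rights = effective(ntfs_acl, NTFS_LEVELS, user, groups)
    if over_network:
        rights &= effective(share_acl, SHARE_LEVELS, user, groups)
    return rights


def acl_after_transfer(op: str, same_volume: bool,
                       source_acl: List[Ace], dest_parent_acl: List[Ace]) -> List[Ace]:
    """Copy, or move to another volume: the object inherits from its new parent.
    Move within the same volume: the object keeps its own permissions."""
    if op == "move" and same_volume:
        return list(source_acl)
    return list(dest_parent_acl)


# Constructed sample: a Finance folder that is shared read-only to Users
FINANCE_NTFS = [
    Ace("Users", True, "Read & Execute"),
    Ace("Finance", True, "Modify"),
    Ace("Interns", False, "Write"),     # explicit Deny: interns may not write
]
FINANCE_SHARE = [Ace("Users", True, "Read")]


if __name__ == "__main__":
    for who, grp in (("alice", {"Users", "Finance"}),
                     ("bob", {"Users", "Finance", "Interns"}),
                     ("carol", {"Users"})):
        local = sorted(effective_access(FINANCE_NTFS, FINANCE_SHARE, who, grp, False))
        remote = sorted(effective_access(FINANCE_NTFS, FINANCE_SHARE, who, grp, True))
        print(f"{who:6} local={local} over share={remote}")
```

alice has Modify when logged on locally but only Read over the share; bob loses write from the explicit Deny even though Finance grants Modify.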
Professor Messer Exam Tip
Get your hands on as many study materials as possible. Books, videos, and Q&A guides can all provide a different perspective of the same information.
User Account Control (UAC)
Account Control activity
• Limit software access
• Protect your computer
• Inform you when important changes are made
  • New device drivers
  • Windows Firewall changes
  • Modifying user accounts
• Secure Desktop
  • Limits automated access
Local Security Policy
• Control Panel / Administrative Tools / Local Security Policy
• secpol.msc
• Subset of Group Policy
  • Computer Configuration\Windows Settings\Security Settings
User Account Control
• Keep the good programs working, keep the bad programs out
• Privilege elevation
  • Allow an application to run with administrator privileges
• Admin approval mode
  • Prompts the user for approval
• Secure Desktop
  • Locks the computer down until the UAC prompt is answered
UAC Prompt Behavior
• Control Panel / User Accounts
  • Change User Account Control settings
• Group Policy
  • Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Authentication and Authorization
Configuring rights
• Group Policy
  • Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment
• Different than NTFS or Share permissions
• Control the use of the operating system
  • Log on locally, create symbolic links, change the time zone, shut down the system, etc.
Managing credentials
• Control Panel / Credential Manager
• Keeps your usernames and passwords in the Windows Vault
• Include your own - Add a Windows Credential
• Backup and restore the Windows Vault
  • Uses the secure desktop for additional security
Managing certificates
• “Manage file encryption certificates”
  • Search from the start menu
• Certificates Console - certmgr.msc
• Command line - cipher.exe
Smart cards with PIV
• Personal Identity Verification
  • Biometric capture and storage, cryptographic algorithms, key sizes
  • http://csrc.nist.gov/groups/SNS/piv/index.html
• Carry your certificate with you
• Multifactor authentication
  • Username, password, smart card, fingerprint
• PIV is built-in to Windows 7
• Group Policy
  • Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
  • Interactive logon: Require smart card
  • Interactive logon: Smart card removal behavior
Elevating user privileges
• Use rights and permissions of another user
  • Without logging out
• GUI: Hold down Shift and right-click
  • Run as different user
• Command line: Use the “runas” command
  • RUNAS [ [/noprofile] [/profile] [/env] [/savecred | /netconly] ] /user:<UserName> program
Resolving authentication issues
• Password reset disk or USB key
  • Create this before you forget your password
• Domain users are reset from the domain administration
  • User Accounts / Manage Accounts
• Access to EFS-encrypted information is lost
  • Unless you restore the EFS certificate
BranchCache
BranchCache overview
• Caching for branch offices
  • Without additional hardware or external services
• Conserve bandwidth over slower links
• Windows 7 / Windows Server 2008 R2
  • Won’t work with older operating systems
• Seamless to the end-user
  • Same protocols
  • Same network connection
  • Same authentication methods
• Activates when round-trip latency exceeds 80 milliseconds
Network infrastructure requirements
• Hosted Cache Server
  • Required at each remote location
  • Run distributed mode if cache server not local
  • Windows Server 2008 R2
  • Create SSL Certificate
  • Clients must trust the Certificate Authority
• Clients
  • Windows 7 Ultimate or Enterprise
  • May need to import the Certificate Authority
  • Use Group Policy
Configuring client settings
• Group Policy
  • Computer Configuration\Policies\Administrative Templates\Network\BranchCache
• Command line
  • netsh Branchcache set service mode=distributed
  • netsh Branchcache set service mode=hostedclient location=hostedserver
  • Enables BranchCache and configures Windows Firewall rules
• Check the PeerDistSvc
  • Service status: Started
  • Startup type: Manual
BitLocker and BitLocker To Go
BitLocker overview
• Encrypt an entire volume
• Protects all of your data and the operating system
• Lose your laptop? Your data is safe.
• Data is always protected
  • Even if the physical drive is moved to another computer
• Windows 7 Ultimate and Enterprise
TPM (Trusted Platform Module)
• Securely generates and stores cryptographic keys
• Hardware-based pseudo-random number generator
• Hash-key summary of the hardware and software
• Platform authentication
BitLocker modes
• BitLocker with a TPM
  • No additional authentication factors
• BitLocker with a TPM and a PIN
  • Input your PIN during startup
• BitLocker with a TPM and a USB startup key
  • Where’s your USB key?
• BitLocker without a TPM
  • Must boot with a startup key on a USB flash drive
• BitLocker with a TPM, a USB startup key, and a PIN
  • Very secure. Used in high-security environments
Troubleshooting BitLocker
• Don’t forget your password!
• Recovery Mode
  • Use your USB drive with the recovery key
  • manage-bde -status c:
  • manage-bde -unlock c: -cert -ct <certificate_thumbprint>
• There is no “backdoor” or recovery process
Data Recovery Agents
• Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption
• Configure the different drive recovery options
  • Include the Data Recovery Agent for each
• Configure the unique identifiers
  • Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
• What if a computer is already using BitLocker?
  • manage-bde -setidentifier
  • manage-bde -protectors -get
Enabling BitLocker
• Backup your computer
• Control Panel / BitLocker - must be a local Administrator
• Pick a startup process - Choose a PIN, create a startup key
• No TPM? No problem! - Remember to configure the policy
BitLocker To Go
• Encrypt portable drives
• Set Group Policies on “Removable Data Drives”
Professor Messer Exam Tip
The Microsoft 70-680 exam expects you to have a solid understanding of the command line. Get as much hands-on work as you can!
DirectAccess

DirectAccess overview
• Automated VPN connectivity
• Always-on, regardless of location
• Windows 7 Ultimate and Windows 7 Enterprise
• Seamless authentication
• IPv6
  • Unless you use Microsoft Forefront Unified Access Gateway
• Requires Windows Server 2008 R2
• Must be in the Windows Domain
• Two NICs
  • One inside, one outside (Internet link needs two consecutive IP addresses)
• Digital certificates for authentication

DirectAccess client configuration
• Clients are determined by the DirectAccess security group
• Group Policy Object is created during the DirectAccess setup process
• Lots of encryption
• Client must have a certificate that can properly authenticate to the DirectAccess server
• “Currently connected to: Internet and Corporate access”

Certificate management
• Microsoft Management Console
  • mmc
• Certificates snap-in
  • Local Computer
  • Certificates (Local Computer)\Personal\Certificates
  • Client Authentication, Server Authentication

Command-line configuration and testing
• Use netsh
  • netsh interface ipv6 set teredo enterpriseclient <ip address>
  • netsh interface 6to4 set relay <ip address>
  • netsh interface httpstunnel add interface client https://myserver/IPHTTPS
• Did the Group Policy take?
  • netsh interface 6to4 show relay
  • netsh interface ipv6 show teredo
  • netsh interface httpstunnel show interfaces
Windows 7 mobility

Mobility overview
• Optimize your time on battery power
• Offline file access and synchronization
  • Access files on a network share and cache locally
• Power optimization

Offline files
• Make files available, even when you’re not online
  • Automatically sync when back online
  • Built-in sync conflict management
• Mark files
  • “Always available offline”
• Online mode
  • Write to the server, read from the cache
• Auto offline mode
  • If the server goes away, converts to local cache operations
  • When the server returns (checked every 2 minutes), revert to online mode
• Manual offline mode
  • Force yourself into offline mode - “Work offline”
• Slow-link mode
  • Kicks in when speeds drop below 64 kbps
  • Uses the file cache, auto sync doesn’t run

Offline file Group Policy
• Computer Configuration\Administrative Templates\Network\Offline Files
• Administratively configure offline files, set slow-link speeds, change sync processes

Enabling Transparent caching
• Increase file performance across WAN links - caching only; no sync
• More flexible than BranchCache
  • Works with Windows 7 Professional; no Domain Services required; files are not distributed across multiple systems or on Windows Server 2008 R2
• Kicks in when round-trip exceeds a configured latency
• “Enable Transparent Caching” Group Policy

Managing Power
• Control Panel / Power Options
• Power down modes
  • Sleep
    • Processor is turned off, memory is still active
    • Mouse and keyboard remain powered
  • Hybrid Sleep
    • Processor is turned off, memory is active, a copy is written to disk
    • Similar to Sleep mode
  • Hibernate
    • All devices are turned off, memory is written to disk
Remote Connections

VPNs (Virtual Private Networks)

Authentication protocols
• PAP (Password Authentication Protocol)
  • Unencrypted passwords
  • Don’t use this one unless you have to
• CHAP (Challenge Handshake Authentication Protocol)
  • Send the password as a hash
  • Still not a very secure authentication protocol
• MS-CHAPv2
  • Microsoft version of CHAP
  • Integrates the Windows username and password
  • Some brute-force weaknesses
• PEAP/PEAP-TLS
  • Protected Extensible Authentication Protocol
  • Sends EAP authentication over TLS (Transport Layer Security)
  • Certificate-based, quite secure
• EAP-MS-CHAPv2/PEAP-MS-CHAPv2
  • The security of PEAP with Windows integration
• Smart card or certificate
  • Need a certificate on both the client and the server

VPN objectives
• Data encryption
  • Scramble the data
• Data integrity
  • Verify the received data
• Data authentication
  • Verify the source
• Replay protection
  • Prevent man-in-the-middle capture and resend
• Automatic
  • Windows figures out which is the most secure

IKEv2 (Internet Key Exchange v2)
• New in Windows 7
• IPv6, VPN reconnect support
• Authentication options
  • EAP and certificates
  • PEAP, EAP-MSCHAP v2, smart cards, other certs
  • No support for PAP, CHAP, or MS-CHAPv2
• Uses udp/500

VPN protocols
• SSTP (Secure Socket Tunneling Protocol)
  • Uses tcp/443
  • Very compatible with existing firewalls
  • Doesn’t work through proxies
• L2TP/IPsec (Layer 2 Tunneling Protocol)
  • L2TP tunnels, IPsec to encrypt
  • Compatible with 3rd-party VPNs
• PPTP (Point-to-Point Tunneling Protocol)
  • Least-secure VPN protocol
  • Encryption but no data integrity or authentication

VPN reconnection
• Move between networks
  • VPN reconnects itself automatically without re-authentication
• Uses the IKEv2 tunneling protocol
  • MOBIKE extension
  • IKEv2 Mobility and Multihoming
• Maximum timeout of 8 hours
  • Timeout is configurable
  • After 8 hours, you’ll have to reconnect manually

Dial-up connections
• What are those?
  • Very much in use, actually
• Network and Sharing Center
  • Set up a New Connection or Network
  • You’ll need to have a modem and a telephone line
Professor Messer Exam Tip
Not all exam centers provide the same quality of testing experience. Stop by and
do your own research before booking your exam!
Remote Connections (continued)

NAP (Network Access Protection)
• Firewall
  • Is the firewall registered with Windows Security Center and enabled?
• Virus protection
  • Is an anti-virus application installed, registered, and turned on? Is it up-to-date?
• Spyware protection
  • Is an anti-spyware application installed, registered, and turned on? Is it up-to-date?
• Automatic updating
  • Is the client computer configured to check for updates from Windows Update?
  • Should the client download and install them?
• Security updates
  • Does the client computer have security updates installed based on one of four security severity ratings in the Microsoft Security Response Center (MSRC)?

NAP Remediation
• Users not matching the policy get a time-out
• The remediation network should have the tools to fix the issue
  • Windows Server Update Services
  • Updated signatures
• No remediation network?
  • Smaller organizations may not have the resources
  • Time to be your own help desk

Security Auditing
• Get insight into connections from remote users
• Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit Logon Events
• Event Viewer / Security Log
• Centralized logging

Remote Desktop
• Remote Desktop Gateway Server
  • Formerly known as Terminal Services Gateway
  • Manage with Group Policy
    • User Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Gateway
• RemoteApp
  • Run applications remotely
  • But they look like they’re running locally
  • The icon looks and works exactly the same to the end user
[Screenshot: Windows Event Viewer / Security Log]

[Screenshot: Windows Security Health Validator]
Updating Windows 7

Configuring update settings
• Control Panel / Windows Update
  • Need Administrator permissions
  • Works in conjunction with the Windows Update Service
• Anyone can manually check for new updates
  • From the GUI
  • Windows Update AutoUpdate Client
    • wuauclt /detectnow

Windows Update categories
• Important updates
  • You really want to install these
  • Security updates
• Recommended updates
  • Not as critical, but still very useful
  • Corrects minor (but still annoying) application bugs
• Optional updates
  • New languages
  • New drivers

Update options
• Install Updates Automatically (recommended)
  • This is the default for a good reason
• Download Updates But Let Me Choose Whether To Install Them
  • They’re waiting for you to push the button
• Check For Updates But Let Me Choose Whether To Download & Install Them
  • Save bandwidth until you need the updates.
• Never Check For Updates (Not recommended)
  • A bad idea, unless you have a really, really good reason.
• Give Me Recommended Updates the Same Way I Receive Important Updates
  • Elevate the value of the recommendations
• Allow All Users to Install Updates On This Computer
  • This is the default, but this is best left for Administrators to decide
Updating Windows 7 (continued)

Hidden updates, history, and uninstall
• Hide an update
  • You won’t be asked to install that patch again
  • You can unhide it later, if necessary
  • Standard users can’t hide updates
• View update history
  • What was that update, again?
• Uninstall any of your updates
  • Control Panel / Programs and Features
  • Standard users can’t uninstall updates

Proxies and manual updates
• Windows Update does NOT use Internet Explorer settings
  • Use Web Proxy Auto Detect (WPAD) through DHCP or DNS
  • Import the proxy settings from Internet Explorer using netsh
    • netsh winhttp import proxy source=ie
• Install manually if you have the .msu files
  • Windows Update Stand-alone Installer (Wusa.exe)
  • Standard users can install updates
  • Wusa.exe d:\windows6.1-kb7654321-x64.msu /quiet /norestart

Windows Server Update Services (WSUS)
• Central configuration
  • Save bandwidth
  • Administrators determine the rollout schedule
  • Group computers together for logical organization
• Central rollback management
  • Whoops. Can we take that back?
• Managed through Group Policy

Windows Update policies
• Computer Configuration\Administrative Templates\Windows Components\Windows Update
• Specify Intranet Microsoft Update Service Location
  • Your internal update server
• Enable Client-Side Targeting
  • Group computers together for coordinated updates
• Allow Signed Updates From an Intranet Microsoft Update Service Location
  • Roll out your own updates
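An added example (not from the study guide) that applies the three Windows Update policies above, plus the Automatic Updates behaviour, by writing the registry values those Group Policy settings set, with the “Never check for updates” setting shown beside the automatic-install default. The WSUS URL `http://wsus.corp.example:8530` and the target group `Laptops-Pilot` are hypothetical.

```powershell
# Added example, not from the study guide: apply the Windows Update policies
# above as the registry values the Group Policy settings write, contrasting the
# "Never check for updates" setting with the automatic-install default.
# WSUS server URL and target group name are hypothetical.

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = "$wuPolicy\AU"

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # -Force overwrites an existing value; works on the PowerShell 2.0 that ships with Windows 7
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# "Specify Intranet Microsoft Update Service Location"
$wsus = 'http://wsus.corp.example:8530'
Set-PolicyValue $wuPolicy 'WUServer'       $wsus 'String'
Set-PolicyValue $wuPolicy 'WUStatusServer' $wsus 'String'
Set-PolicyValue $auPolicy 'UseWUServer'    1     'DWord'

# "Enable Client-Side Targeting": the WSUS computer group this client reports into
Set-PolicyValue $wuPolicy 'TargetGroupEnabled' 1 'DWord'
Set-PolicyValue $wuPolicy 'TargetGroup' 'Laptops-Pilot' 'String'

# "Allow Signed Updates From an Intranet Microsoft Update Service Location"
Set-PolicyValue $wuPolicy 'AcceptTrustedPublisherCerts' 1 'DWord'

# The weak setting: "Never Check For Updates" is NoAutoUpdate = 1
#   Set-PolicyValue $auPolicy 'NoAutoUpdate' 1 'DWord'
# The corrected setting: check, download and install on a schedule.
# AUOptions: 2 = notify before download, 3 = download then let me choose,
#            4 = install automatically (the default), 5 = let the local admin choose
Set-PolicyValue $auPolicy 'NoAutoUpdate'         0 'DWord'
Set-PolicyValue $auPolicy 'AUOptions'            4 'DWord'
Set-PolicyValue $auPolicy 'ScheduledInstallDay'  0 'DWord'   # 0 = every day
Set-PolicyValue $auPolicy 'ScheduledInstallTime' 3 'DWord'   # 03:00 local time

# Make the client re-read its policy and scan against the WSUS server now
wuauclt /resetauthorization /detectnow
```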
Managing Disks

Managing disk volumes
• Two partition types
• MBR (Master Boot Record)
  • Four partitions per disk
  • Maximum 2 TB disk size
• GPT (GUID Partition Table)
  • 128 partitions per disk
  • Maximum 256 TB disk size
• Convert using Disk Manager or diskpart
  • DISKPART> convert gpt

Basic and dynamic disks
• Basic disks
  • MBR partitioned disks
• Dynamic disks
  • Logical Disk Manager (LDM) database instead of an MBR
  • LDM is replicated to other dynamic disks
• Moving disks between computers
  • Basic disks are independent
    • No problem!
  • Dynamic disks should all be moved at the same time
  • You may not be able to move the disks back
    • The disk group name might be duplicated

Moving disks
• Is everyone healthy?
  • Don’t move disks with a non-healthy status
• Uninstall the disks you want to move
  • You’ll have to confirm this
  • For dynamic disks, Remove Disk
• Move the disks to the new computer
  • Move all disks in an array at the same time
• Disk Management / Rescan Disks
  • Import the Foreign Disks

Dynamic disk advantages
• Simple
  • Single disk
• Spanned volumes
  • Many disks look like one big disk
• RAID in Windows 7 software
  • Redundant Array of Independent Disks
  • RAID 0 - Striping
  • RAID 1 - Mirroring
• RAID supported in Microsoft Windows 7 Professional, Ultimate, and Enterprise

Converting disks
• Basic to Dynamic
  • Easy-peasy
  • Data remains intact
  • Partitions are converted to simple volumes
• Dynamic to Basic
  • Destructive process
  • Back up your data, delete the dynamic volumes, convert to basic
  • diskpart
    • DISKPART> select disk <number>
    • DISKPART> convert basic

Managing disk volumes
• Simple volumes
• Spanned volumes
• Striped volumes - RAID 0
• Mirrored volumes - RAID 1
• Resize volumes
• RAID 5 is NOT supported in Windows 7!
Disk tools

Disk cleanup
• Right-click a volume / Properties
• Administrators get additional system file options

Disk defragmenter
• Analyze your disk to determine the fragmentation rate
  • Over 10% fragmentation is a candidate for a defrag
  • This can take a LONG time
• Set a schedule
  • Watch the fragmentation rate over time and adjust accordingly
• Run from the command line
  • defrag c:
  • defrag /c /h /u /v

Error Checking
• Right-click volume / Properties / Tools tab / Error-Checking
• Automatically fix file system errors
  • This box must be checked to repair any file system problems
  • This is the default
• Scan for and attempt recovery of bad sectors
  • Scans the entire drive; this could take some time

Removable device policies
• Computer Configuration\Administrative Templates\System\Removable Storage Access
  • Time (In Seconds) To Force Reboot
  • CD And DVD: Deny Execute, Read, or Write Access
  • Custom Classes: Deny Read or Write Access
  • Floppy Drives: Deny Execute, Read, or Write Access
  • Removable Disks: Deny Execute, Read, or Write Access
    • Does not include CD, DVD, or Floppy disks
  • All Removable Storage Classes: Deny All Access
  • All Removable Storage: Allow Direct Access In Remote Sessions
  • Tape Drives: Deny Execute, Read, or Write Access
  • WPD Devices: Deny Execute, Read, or Write Access
    • Windows Portable Device
[Screenshot: The results of an Error-Checking scan]

Monitoring Windows 7
Event Viewer
• Control Panel / Administrative Tools / Event Viewer
• View log information
  • Application, Security, Setup, System, Forwarded Events
• Create custom views
  • Focus on the information you often need

Event subscriptions
• Centralize your event logs on a collector
  • Instead of looking at every workstation manually
• Collector-initiated subscriptions
  • The collector asks for the event log information
  • Doesn’t scale very well
  • Every computer is listening for instructions
• Source-initiated subscriptions
  • The collector is always listening
  • Used in large environments
  • Much more flexible

Collector-initiated setup
• Uses the Windows Remote Management Service on the source computer
  • winrm quickconfig
• Add the collector computer to the source computer’s “Event Log Readers” group
  • The Security Log must be read by a Local Administrator
• On the collector computer, run the Windows Event Collector utility
  • wecutil quick-config

Source-initiated setup - collector computer
• Configure the Windows Remote Management Service on the collector
  • winrm quickconfig
• On the collector computer, run the Windows Event Collector utility
  • wecutil quick-config
• Create a subscription to forward events from the event log of a remote computer
  • This is easy in Event Viewer
  • wecutil create-subscription subscription.xml
• Computer Configuration\Administrative Templates\Windows Components\Event Forwarding\Configure...
  • Add the Windows Remote Management Service on the source computer
  • winrm quickconfig
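An added example (not from the study guide) covering the collector side of the source-initiated setup above and the Security Auditing section’s “Audit Logon Events”: it runs the two prerequisite commands, writes a subscription.xml that collects logon successes and failures (Security events 4624 and 4625) from every domain computer into Forwarded Events, and registers it with wecutil. The subscription name, description and the choice of event IDs are mine; the XML layout is the wecutil subscription format.

```powershell
# Added example, not from the study guide: source-initiated subscription on
# the collector that gathers logon events from all domain computers.
# Subscription name, description and event IDs are my choices.

# 1. Collector prerequisites, the same two commands the guide lists
winrm quickconfig -q
wecutil quick-config /q:true

# 2. Subscription definition. The SDDL in AllowedSourceDomainComputers grants
#    the Domain Computers group (DC) permission to forward to this collector.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Logon-Events</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon successes (4624) and failures (4625) from domain computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
'@
$xmlPath = Join-Path $env:TEMP 'subscription.xml'
[System.IO.File]::WriteAllText($xmlPath, $subscription, [System.Text.Encoding]::UTF8)

# 3. Register it and confirm the collector now lists it
wecutil create-subscription $xmlPath
wecutil get-subscription Logon-Events
```

The source computers still need the Event Forwarding policy shown above pointing at this collector, `winrm quickconfig`, and, to forward the Security log, the NETWORK SERVICE account in their Event Log Readers group.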
Performance Monitor
• Control Panel / Performance Information and Tools / Advanced Tools / Open Performance Monitor
  • perfmon
• Real-time performance information
  • Many different metrics
• Data Collector Sets
  • Store performance information to disk
• Create reports
  • Compile long-term information into a concise view
• System Diagnostics Report
  • perfmon /report
Performance settings

Configuring page files
• Expand your memory
  • Temporarily store non-executing files out of active memory
• Control Panel / System / Advanced System Settings / Performance section; Settings button

Configuring hard drive write cache
• Hard drives are slow, memory is fast
  • Use the memory to speed your performance
• USB drive write caching
  • Quick removal (no caching) is the default
  • You can enable caching, but you have to be careful!
• Hard drive write caching
  • Enabled by default
  • What if you lose power?
  • Windows write-cache buffer flushing

Updated drivers
• Can provide significant performance increases
  • Drivers should be relatively current
• Can provide significant performance decreases
  • New is not necessarily better
• Always have a backout plan
  • The Roll Back Driver button can be useful

Configuring networking performance
• Control Panel / Internet Options / Advanced tab
  • Manage the user experience
• Accessibility
  • More to process
• Browsing
  • Additional notification and error screens
• Multimedia
  • Automatically play animations and download pictures
• Security
  • Warning messages are extremely important

Configuring your desktop environment
• Wallpaper
  • Or should it be called “deskpaper?”
• Start Menu
  • Configure what you see
  • Get to your Administrative Tools faster
• Gadgets
  • Make your desktop work for you
• Icons
  • Enable/disable desktop icons

Configuring services and programs
• Resolve performance issues
  • Check the Event Log and Task Manager
• Control Panel / Administrative Tools / Services
  • Recovery tab
  • Dependencies tab

Mobile computing performance issues
• Power
  • Power configuration has a remarkable effect on performance
  • Check your power source
  • Control Panel / Power Options
• Heat / CPU
  • Many laptops will slow down when hot
    • This generally isn’t configurable
  • Always have good airflow

Configuring processor scheduling
• Task Manager
  • Control your processes
• Set priority
  • Realtime, High, Above Normal, Normal, Below Normal, Low
• Set Affinity
  • Assign an application to a CPU
[Screenshot: Internet Options / Advanced tab]

[Screenshot: Control Panel / Power Options]
Configuring power
• Control Panel / Power Options
  • Modify based on situation
  • Battery-powered devices have more options

[Screenshot: Control Panel / Power Options / Advanced settings]
Windows 7 backup

Backup options
• Control Panel / Backup and Restore
  • Configure everything from the GUI
• Files and folders
  • Save files, and versions of files
  • Use Shadow Copy technology to copy open files
  • No system files, profile settings, Recycle Bin files, EFS files, temporary files

System images
• Back up the entire volume
  • It makes a VHD
  • You could boot from it (Ultimate and Enterprise)
• Must back up to an NTFS partition
  • FAT won’t work
• Initiate from the command line
  • wbadmin start backup -backuptarget:d: -include:c: -quiet
• Schedule with Windows Task Scheduler
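An added example (not from the study guide) of the last two bullets: it checks the NTFS requirement on the target volume with WMI, then schedules the guide’s wbadmin command as a nightly task running as SYSTEM and verifies the task and the image catalog. The drive letters and the task name `Nightly-SystemImage` are hypothetical.

```powershell
# Added example, not from the study guide: nightly system image via Task
# Scheduler, after checking the guide's rule that the target must be NTFS.
# Drive letters and task name are hypothetical; run from an elevated prompt.

function Test-NtfsTarget {
    param([string]$Drive)    # e.g. 'D:'
    # Win32_LogicalDisk reports the file system of a mounted volume
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'"
    return ($disk -ne $null -and $disk.FileSystem -eq 'NTFS')
}

$target = 'D:'
$source = 'C:'
if (-not (Test-NtfsTarget $target)) {
    throw "$target is not an NTFS volume; wbadmin will not write a system image to FAT"
}

# The same command the guide shows, run unattended by Task Scheduler as SYSTEM
$cmd = "wbadmin start backup -backuptarget:$target -include:$source -quiet"
schtasks /create /tn 'Nightly-SystemImage' /tr $cmd /sc DAILY /st 02:00 /ru SYSTEM /rl HIGHEST /f

# Confirm the task exists and, after the first run, that wbadmin sees the image
schtasks /query /tn 'Nightly-SystemImage' /v /fo LIST
wbadmin get versions -backuptarget:$target
```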
Backup locations
• CD-ROM and DVD-ROM
  • No re-writable DVDs
• Hard disk - External and Internal
• Network location
  • Windows 7 Professional, Ultimate, and Enterprise
• No tape drives
• No flash drives

Backup structure
• Files and folders
  • Folder with the computer name
  • Full backups into a folder with multiple ZIP files for versions
• Catalog
  • What files are in the backup? Ask GlobalCatalog.wbcat.
• System Image backups
  • Stored in \WindowsImageBackup
  • Only one system image
    • Updated each time
Windows 7 system recovery options

System Restore
• Restore points are created automatically
  • And you can also create them manually
• Control Panel / System / System protection
• System restore when booted or from System Recovery
  • Is your installation media available?
• Make sure you have enough disk space allocated
  • You’ll probably want to adjust this

Last Known Good configuration
• Can’t log in?
  • This can be an issue
• System Recovery (F8)
• Each time you log on, the Last Known Good configuration is saved
  • Don’t log on unless you’re sure everything is ok!
• Your configuration is staged in HKLM\System\CurrentControlSet
  • Copied from ControlSet001 to CurrentControlSet when you log on

Complete restore
• Remember those images you made?
  • These can recover your entire system
  • Shadow copy FTW
• Boot from the Windows installation media
  • Choose “Repair Your Computer”

Driver rollback
• Easy to do from the Device Manager
  • Built-in button
  • How did they know I would mess this up?
• Choose “Roll Back Driver”
  • Only available if there’s something to roll back to

Windows 7 file recovery options

File restore points
• Two file backup storage locations
  • Backup and Restore
  • Shadow copy
• Backup and Restore
  • Search from the Backup and Restore console
• Shadow copy
  • Created during a restore point
  • Right-click file / Restore previous versions

Restoring damaged or deleted files
• What if the file is missing or renamed?
  • And no Windows backup!
  • Hopefully, you know where it WAS
• Restore from shadow copy
  • You’ll need to restore the entire folder
  • Copy everything else to a safe place to avoid overwriting

Restoring user profiles
• Similar to restoring individual folders
• Just choose the entire \User\Username folder