Utilize Windows 7


Utilize Windows® 7 Operating System from Microsoft®. We cover common administration tasks in Windows® 7. Among other things, you will learn about user and group management, hardware management, network configuration, file system management, security including NTFS permissions, printer configuration, optimization tools, and recovery options. This e-book is a collection of articles originally published on the www.utilizewindows.com site, and offered for free.

  • This e-book is a collection of articles originally published on http://www.utilizewindows.com. Check for the

    latest version of this e-book: http://www.utilizewindows.com/e-books

    This e-book is published under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported

    License. To view a copy of this license: http://creativecommons.org/licenses/by-nc-sa/3.0

    If you would like to contact us: http://www.utilizewindows.com/contact-us

    If you would like to support us: http://www.utilizewindows.com/about-us

    Disclaimer: While we at Utilize Windows strive to make the information in this book as timely and accurate

    as possible, we make no claims, promises, or guarantees about the accuracy, completeness, or adequacy of the

    contents of this book, and expressly disclaim liability for errors and omissions in the contents of this book.

    Microsoft Windows 7 is a registered trademark of Microsoft Corporation in the United States and/or other

    countries.

  • Contents

    Basics
      Introduction to Windows 7
      Creating a Windows 7 USB Installation Source
      Upgrading to Windows 7 - Overview
      Migrating to Windows 7 using WET
      Migrating to Windows 7 using USMT

    Networking
      Configuring IPv4 in Windows 7
      Configuring IPv6 in Windows 7
      Internet Connection Sharing (ICS) Configuration in Windows 7
      Working With Wireless Network Connections in Windows 7
      Working with Windows Firewall in Windows 7
      Configuring Windows Firewall with Advanced Security in Windows 7
      Configuring BranchCache in Windows 7
      Creating a VPN Connection in Windows 7
      DirectAccess Feature in Windows 7

    Deployment
      Preparing for Windows 7 Image Capture
      Mounting and Unmounting Windows 7 Image Using ImageX and DISM
      Creating WinPE Using WAIK for Windows 7
      Windows 7 Image Capture Demonstration
      Windows 7 Image Deployment Demonstration
      Managing Existing Windows 7 Images
      Servicing Windows 7 Image Using DISM
      Applying Updates to Windows 7 Image Using DISM
      Creating Virtual Hard Disk (VHD) using Disk Management in Windows 7
      Creating Virtual Hard Disk (VHD) using Diskpart in Windows 7

    Management
      Advanced Driver Management in Windows 7
      Staging a Driver in Windows 7
      Using Disk Management and Diskpart to Manage Disks in Windows 7
      Disk Quotas in Windows 7
      Disk Defragmenter Tool in Windows 7
      Removable Storage and System Security in Windows 7
      Application Compatibility Issues in Windows 7
      UAC Configuration in Windows 7
      Configuring Security Zones in Windows 7
      Printer Configuration in Windows 7
      Configuring Power Options in Windows 7
      Configuring Offline Files in Windows 7
      Managing Services in Windows 7
      Using msconfig in Windows 7
      Event Viewer in Windows 7
      Monitoring Performance in Windows 7
      Using WinRS and PowerShell for Remote Management in Windows 7
      Configuring and Using Remote Desktop in Windows 7
      Remote Assistance in Windows 7
      System Recovery in Windows 7

    Security
      Credential Manager in Windows 7
      Running Apps as Different Users with Run As in Windows 7
      User Account Policies in Windows 7
      Editing NTFS Permissions in Windows 7
      Advanced Sharing Settings in Windows 7
      Working With Shared Folders in Windows 7
      HomeGroups in Windows 7
      Configuring Auditing in Windows 7
      Encrypting File System in Windows 7
      Configuring BitLocker in Windows 7
      Configuring BitLocker to Go in Windows 7
      Windows Defender in Windows 7

    Optimization
      Monitoring Resources in Windows 7
      Using Reliability Monitor in Windows 7
      Visual Effects and Paging File Options in Windows 7
      Configuring WSUS and Other Update Options in Windows 7
      Setting Up Backup in Windows 7
      Restoring Data from Backup in Windows 7

  • www.utilizewindows.com Basics Introduction to Windows 7

    1

    Basics

    Introduction to Windows 7

    Before you start

    Objectives: learn about the main features of each Windows 7 edition and the minimum hardware requirements.

    Prerequisites: no prerequisites.

    Key terms: windows 7 editions, starter, home basic, home premium, professional, enterprise, ultimate, hardware requirements, processor architecture.

    Windows 7 Editions

    There are six different Windows 7 editions:

      • Starter
      • Home Basic
      • Home Premium
      • Professional
      • Enterprise
      • Ultimate

    Starter

    Windows 7 Starter edition does not support DVD playback, Windows Aero user interface, IIS Web Server,

    Internet connection sharing, or Windows Media Center. It also does not support advanced, new features like

    AppLocker, Encrypting File System, DirectAccess, BitLocker, BranchCache, and Remote Desktop Host. It

    supports only one physical processor.

    Home Basic

    Windows 7 Home Basic does not support domains, Aero user interface, DVD playback, Windows Media

    Center, or IIS Web Server. It also does not support enterprise features such as EFS, AppLocker, DirectAccess,

    BitLocker, Remote Desktop Host, and BranchCache. It supports only one physical processor. The x86 version

    supports a maximum of 4 GB of RAM, whereas the x64 version supports a maximum of 8 GB of RAM.

    Home Premium

    Windows 7 Home Premium supports the Windows Aero UI, DVD playback, Windows Media Center, Internet

    connection sharing, and the IIS Web Server. It does not support domains and it does not support enterprise

    features such as EFS, AppLocker, DirectAccess, BitLocker, Remote Desktop Host, and BranchCache. The x86

    version of Windows 7 Home Premium supports a maximum of 4 GB of RAM, whereas the x64 version

    supports a maximum of 16 GB of RAM. Windows 7 Home Premium supports up to two physical processors.

    Professional

    Windows 7 Professional supports all the features available in Windows 7 Home Premium, and it also supports

    domains. It supports EFS and Remote Desktop Host but does not support enterprise features such as

    AppLocker, DirectAccess, BitLocker, and BranchCache.

    Enterprise

    Windows 7 Enterprise and Ultimate Editions support all the features available in all other Windows 7 editions

    but also support all the enterprise features such as EFS, Remote Desktop Host, AppLocker, DirectAccess,

    BitLocker, BranchCache, and Boot from VHD. Windows 7 Enterprise and Ultimate editions support up to

    two physical processors. Windows 7 Enterprise is available only to Microsoft's volume licensing customers, and

    Windows 7 Ultimate is available from retailers and on new computers installed by manufacturers.

    Although some editions support only one physical processor, they do support an unlimited number of cores on that processor. For example, all editions of Windows 7 support quad-core CPUs. We can use Remote Desktop to initiate a connection from any edition of Windows 7, but we can connect only to computers running Windows 7 Professional, Windows 7 Ultimate, or Windows 7 Enterprise. We can't use Remote Desktop Connection to connect to computers running Windows 7 Starter, Windows 7 Home Basic, or Windows 7 Home Premium.

    Hardware Requirements

    Windows 7 Starter and Windows 7 Home Basic have the following minimum hardware requirements:

      • 1 GHz 32-bit (x86) or 64-bit (x64) processor
      • 512 MB of system memory
      • 20-GB (x64) or 16-GB (x86) hard disk drive, traditional or Solid State Disk (SSD), with at least 15 GB of available space
      • Graphics adapter that supports DirectX 9 graphics and 32 MB of graphics memory

    Windows 7 Home Premium, Professional, Ultimate, and Enterprise editions have the following minimum hardware requirements:

      • 1 GHz 32-bit (x86) or 64-bit (x64) processor
      • 1 GB of system memory
      • 40-GB hard disk drive (traditional or SSD) with at least 15 GB of available space
      • Graphics adapter that supports DirectX 9 graphics, has a Windows Display Driver Model (WDDM) driver, Pixel Shader 2.0 hardware, and 32 bits per pixel and a minimum of 128 MB graphics memory

    32-bit versus 64-bit

    Windows 7 supports two different processor architectures: a 32-bit (x86) version and a 64-bit (x64) version. The

    main limitation of the x86 version of Windows 7 is that it does not support more than 4 GB of RAM. It is

    possible to install the x86 version of Windows 7 on computers that have x64 processors, but the operating

    system will be unable to utilize any RAM that the computer has beyond 4 GB. We can install the x64 version

    of Windows 7 only on computers that have x64-compatible processors. The x64 versions of Windows 7

    Professional, Enterprise, and Ultimate editions support up to 128 GB of RAM. The x64 version of Windows 7

    Home Basic edition supports 8 GB and the x64 edition of Home Premium supports a maximum of 16 GB.

    Creating a Windows 7 USB Installation Source

    Before you start

    Objectives: learn how to create a USB installation source by using tools available on your PC.

    Prerequisites: you have to have a Windows 7 installation DVD and a USB storage device with at least 4 GB of free space.

    Key terms: command prompt, elevated mode, usb drive preparation, diskpart, diskpart commands, bootable usb drive, windows 7 installation, source

    Procedure

    Before we begin, keep in mind that during this process the USB flash drive will be completely erased, so we have to make sure that we save any data that it contains. In our example we have a Windows 7 installation DVD present in our D drive, and a USB flash drive available through drive E, as shown in the picture.

    Figure 1 - Computer Drives

    1. Open Command Prompt (CMD)

    We will be working with Command Prompt in elevated mode. You can find CMD in: Start menu > All

    Programs > Accessories > Command Prompt. To open CMD in elevated mode, right-click on the

    Command Prompt and select 'Run as administrator'. Click Yes to confirm.

    Figure 2 - Run CMD as Administrator

    We know that we are running CMD in elevated mode because we have the 'Administrator' in the name of the

    CMD window.

    Figure 3 - Administrator: Command Prompt

    2. Prepare USB drive

    We will open the command line utility called diskpart, which is used to manage partitions and drives. To do that we will simply enter diskpart in CMD.

    Figure 4 - Diskpart

    Next, we will enter: list disk. With this command we can view all the available disks on our computer.

    Figure 5 - List Disk

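    In our example, Disk 0 is the hard drive. We know that because the size of our internal hard disk is 40 GB. The size of our USB flash drive is 4 GB (3875 MB to be more precise). Disk numbers differ from computer to computer, so we check the size column before selecting a disk, because the next command erases whichever disk is selected. To work with the USB drive we need to select it. To do that, in our case, we have to type in: select disk 1.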

    Figure 6 - Select Disk 1

    After the selection we will clean the USB drive. We have to wipe out any partition information and anything on

    it. To do that we will type in: clean.

    Figure 7 - Clean

    After the cleaning, notice that, if we browse to Computer, our USB drive has now changed. There is no info shown about the free space.

    Figure 8 - USB drive in Windows Explorer

    Now we need to create the partition on our USB drive. To do that, in Command Prompt we will enter: create

    partition primary.

    Figure 9 - Create Partition Primary

    After that we will format our new partition with the FAT32 as our file system. To do that we will enter: format

    fs=fat32 quick.

    Figure 10 - Format

    Now, we need to mark our new partition as active. To do that we will enter: active.

    Figure 11 - Active

    Now we have a USB drive with an active partition. To use it as the installation source we also have to make it

    bootable. As we will see, we will run the bootsect command to copy the boot manager information that

    Windows 7 requires to perform the install, to our USB drive. Then we will have to copy the entire content of

    the Windows 7 DVD to the USB drive. To do all that, first we need to exit from Diskpart. In CMD enter: exit.

    Figure 12 - Exit

    In our example, Windows 7 installation DVD is in the D drive. In the D drive, in the folder called 'Boot', there

    is a program called 'bootsect'. We will run it with the '/NT60' parameter and we will also specify the drive

    letter of our USB drive. This will copy the boot manager files to our USB drive. The command, in our case,

    looks like this: d:\boot\bootsect /NT60 e:.

    Figure 13 - Bootsect

    As we can see, our E drive was updated with all the necessary boot manager information that Windows 7 needs to boot off the USB drive.

    3. Copy DVD Content to USB Drive

    The last step is to copy all files from the Windows 7 DVD to our USB drive.

    Figure 14 - Copy Content from DVD to USB

    Once the copy is complete, our USB drive is ready for use. Of course, on the computer on which we want to

    perform the installation, we have to go to the BIOS and make sure that the USB device is selected to boot

    from. After that the installation will be the same as if we were installing from a DVD.
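
    The whole procedure above as one script, with checks added around the destructive clean step. This is an added example, not part of the original e-book; the script name, its three arguments and the temporary file name are assumptions, and xcopy is used here for the copy step, which the article performs in Windows Explorer.

```bat
@echo off
rem Added example, not from the e-book: the diskpart, bootsect and copy steps as one script.
rem Run from an elevated Command Prompt, as in step 1 of the article:
rem   make-usb.cmd 1 D E      (disk number, DVD letter and USB letter used in the article)
setlocal
set "DISK=%~1"
set "DVD=%~2"
set "USB=%~3"
if "%USB%"=="" (
    echo Usage: %~nx0 DISK_NUMBER DVD_LETTER USB_LETTER
    exit /b 1
)

rem Accept a plain number only, so nothing else can end up in the generated diskpart script.
set /a "N=DISK" 2>nul
if not "%N%"=="%DISK%" (
    echo The disk number must be numeric.
    exit /b 1
)
rem Disk 0 is the internal hard drive in the article; refuse to clean it.
if "%DISK%"=="0" (
    echo Refusing to clean disk 0.
    exit /b 1
)
if /i "%USB%:"=="%SystemDrive%" (
    echo %USB%: is the system drive.
    exit /b 1
)
if not exist "%DVD%:\boot\bootsect.exe" (
    echo bootsect.exe was not found in %DVD%:\boot. Check the DVD drive letter.
    exit /b 1
)

rem Show the disk table first, as in the "list disk" step, so the size can be checked.
set "DPS=%TEMP%\make-usb-diskpart.txt"
> "%DPS%" echo list disk
diskpart /s "%DPS%"
echo.
echo Disk %DISK% will be completely erased.
set "ANSWER="
set /p "ANSWER=Type the disk number again to continue: "
if not "%ANSWER%"=="%DISK%" (
    del "%DPS%"
    echo Confirmation did not match. Nothing was changed.
    exit /b 1
)

rem The same commands the article types at the DISKPART prompt.
(
    echo select disk %DISK%
    echo clean
    echo create partition primary
    echo format fs=fat32 quick
    echo active
    echo exit
) > "%DPS%"
diskpart /s "%DPS%"
set "RC=%errorlevel%"
del "%DPS%"
if not "%RC%"=="0" (
    echo diskpart failed with code %RC%.
    exit /b 1
)

rem The new volume must be reachable under the expected letter before bootsect writes to it.
if not exist %USB%:\ (
    echo Drive %USB%: is not available after formatting.
    exit /b 1
)
"%DVD%:\boot\bootsect.exe" /nt60 %USB%:
if errorlevel 1 exit /b 1

rem Copy the whole DVD, including empty folders (/e) and hidden or system files (/h).
xcopy %DVD%:\*.* %USB%:\ /e /h /f
if errorlevel 1 exit /b 1
echo %USB%: is ready to be used as a Windows 7 installation source.
```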

    Upgrading to Windows 7 - Overview

    Before you start

    Objectives: learn which Windows versions can be upgraded to Windows 7.

    Prerequisites: you should know about different ways to install Windows.

    Key terms: edition, version, upgrade, platform, hardware requirements

    Different Editions

    Edition upgrades can only be performed from a lower edition to a higher edition. An upgrade can be performed using installation media or using Windows Anytime Upgrade. Windows Anytime Upgrade was introduced in Windows Vista and it allows us to purchase an edition upgrade for the operating system over the Internet. Keep in mind that we cannot upgrade a 32-bit edition of Windows to a 64-bit edition and vice versa.

    Different Platforms

    To change or migrate to a different platform (32-bit or 64-bit) we can use the Wipe-and-Load or Side-by-side migration of Windows 7 or use multi boot. We will be required to migrate user data and application settings between the two installations. This is not an upgrade, but a migration.

    Previous Windows Versions

    Windows 7 only supports upgrades from computers running Windows Vista with Service Pack 1 installed.

    Windows XP installations cannot be upgraded to Windows 7. If we want to upgrade from Windows XP, first

    we need to upgrade to Windows Vista SP 1 and then to Windows 7.

    Hardware Requirements

    Before upgrading we need to have at least 15 GB of free hard drive space. Windows Vista and Windows 7 in

    general have the same hardware requirements. To check for hardware incompatibilities we can use Windows 7

    Upgrade Advisor tool that will inform us of any device or software incompatibilities that our computer might

    have. Before running Upgrade Advisor it is recommended to connect all devices to the computer, such as

    printers, scanners, cameras and other devices that we will be using on Windows 7.

    Recommendations

    It is recommended to perform a full backup of the existing installation in case the upgrade fails. We should also ensure that we have the proper product keys available for Windows and for any application or game that is installed on the existing installation.

    The biggest benefit in upgrading from an existing installation to Windows 7 is that the user's settings and applications are preserved.

    Migrating to Windows 7 using WET

    Before you start

    Objectives: learn where to find WET, how to run it and which options to use in different situations.

    Prerequisites: you have to be familiar with migration terms and utilities.

    Key terms: wet, migwiz, migration, user profile, example, location, transfer, account

    Running Windows Easy Transfer (WET)

    In Windows 7 we can run WET by going to Start > All Programs > Accessories > System Tools > Windows Easy Transfer. This will actually open the migwiz.exe file, which is located in the %windir%\system32\migwiz\ folder. We can also find migwiz.exe on every Windows 7 installation DVD. Just browse to the [DVDdrive]\support\migwiz\ folder and search for migwiz.exe. That is our Windows Easy Transfer tool. We can copy the migwiz folder to another location, for example, to a network share, to make it easily accessible from all computers on the network.

    The first thing we have to do is run WET on the source installation to gather all data. Although Vista already has a migration tool built in, we have to use the newer version of WET because we will migrate to a newer system, which is Windows 7. The same applies when migrating from XP. Because of that, we will use the Windows 7 installation DVD, which contains the newer WET, on our Vista machine and run migwiz.exe. We have to have administrative rights to run WET. The following window will appear:

    Figure 15 - WET Tool

    As we can see in the picture, we can use the WET utility to transfer user accounts, their documents, pictures, movies, videos etc. Notice that we cannot transfer applications. On the next screen we can choose where to save our data.

    Figure 16 - How to Transfer and Location

    We can use a special "type A to type A" USB cable, which is also called an Easy Transfer Cable. It is used to connect two computers together. We can also transfer data over the network by establishing a TCP/IP connection. The third option is to store data on removable media, a local hard disk, a network share or a mapped drive. In our example we will select the third available option. On the next screen we have to select which computer we are using.

    Figure 17 - Computer Selection

    This is our old computer. It is a Vista computer so we only have one option. When we select it, the tool will scan

    for all available user accounts on our machine.

    Figure 18 - Available Accounts

    Once the scan is complete we can see that it detected one profile (ivancic) and Shared Items. In our example

    we will only select "ivancic" account and click Next. On the next screen we can set the password for the data

    that will be exported.

    Figure 19 - Password

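    In our example we will leave the password empty and click Save. Without a password, anyone who can read the exported file can import its contents, so we should set one when the file will be stored on a network share or removable media. On the next screen we can choose where to save our files.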

    Figure 20 - Migration Location

    Remember that we could easily browse to a network location and save our migration data there. That way the

    data would be available for every computer on the network. In our example we will save our data on a local

    hard disk, to c:\migration folder.

    Figure 21 - Saving Data

    Our data will be exported with a MIG extension. Now we can copy it to a new Windows 7 computer and run it

    by double clicking it or by running migwiz and then importing it.

    Migrating to Windows 7 using USMT

    Before you start

    Objectives: learn where to find USMT and which commands you can use to gather user profiles from the source installation and then apply them to the destination installation. This is a demo of how to use USMT to migrate user profiles from an old to a new Windows installation (XP to 7 in this case). Although it shows all the steps required to complete a migration, for more advanced usage of the USMT options you will have to read the USMT documentation.

    Prerequisites: you have to be familiar with migration concepts in general and with tools which you can use.

    Key terms: usmt, user profile, scanstate, loadstate, command, account, cmd, syntax, source, destination

    Running USMT on Source Computer

    USMT is a part of Windows AIK, but it can also be downloaded from the Microsoft website as a standalone application. Since we will migrate users from XP, we have to have USMT on the XP machine. There are two ways to put USMT on XP. The first is to download USMT from the Microsoft site and install it. During the installation you can choose the installation folder, which you have to remember. The second way

    implies that you have Windows AIK installed on your Windows 7 machine. USMT will be located

    in C:\Program Files\Windows AIK\Tools\USMT\x86 folder (if you have x64 system you have to use x64

    version) which contains all the files needed for user migration. We can copy this folder to a network share to

    make it always available. For this demonstration we will simply copy USMT folder to the C: drive of our

    Windows XP machine. Tools that we are going to use (scanstate and loadstate) are command line tools, so

    the first thing we need to do is run Command Prompt (CMD) on our XP machine. In CMD we have to go to

    our newly created USMT folder, so we will enter the command: cd c:\usmt\x86

    Figure 22 - USMT Folder in CMD

    Now, we want to copy all users from Windows XP to Windows 7. To do that, first we need to

    run scanstate tool on the Windows XP. To check which parameters must be provided to the scanstate tool

    simply enter scanstate in CMD.

    Figure 23 - Scanstate Syntax

    We can see that the syntax is: scanstate [Options]. In this demo we will save all data locally

    in c:\usmt\users folder, so let's create a migration store by entering the following command: scanstate

    c:\usmt\users. This command will gather information about all user accounts on this machine and save it in

    the c:\usmt\users folder. It is possible to modify this command to select which account to include or exclude.

    In our case it gathered information about 8 users.

    Figure 24 - Scanstate Success

    Destination Computer Once the scanstate is complete we can switch to the destination computer which is Windows 7 in our case.

    Now, we need to remember where we saved users from the source machine. The best thing would be to use a

    network share so we can access those resources from any computer on the network. For the purpose of this

    demonstration we have copied the gathered user profiles, which were exported to the c:\usmt\users folder on the

    Windows XP machine, to the c:\usmt\users folder on the Windows 7 machine. Also, we have

    copied the x86 folder, which contains USMT, to the c:\usmt folder on the Windows 7 machine. The first thing we

    need to do on destination computer is to run elevated CMD. To do that, right-click CMD and select 'Run as

    administrator'. Next, we need to get to the c:\usmt\x86 folder, so we will enter the command: cd

    c:\usmt\x86. Next, to load users that we exported from Windows XP, we will use the loadstate tool. Let's

    enter loadstate in CMD.

    Figure 25 - Loadstate Syntax

    We can see that the syntax for the loadstate command is loadstate [options]. To load user

    accounts we will enter the command: loadstate c:\usmt\users /lac. The /lac option means that we want to

    create local accounts that do not exist on our destination computer. If accounts already existed we would not

    have to use the /lac switch because the information would be migrated to existing accounts. Now, because we

    did not provide passwords for accounts that were migrated, they will be created as disabled. Once all accounts

    are created, the migration data is copied.

    Figure 26 - Loadstate Success

    Some often used options for the scanstate and loadstate commands are:

    /i - includes the specified XML-formatted configuration file to control the migration
    /ui - migrates the specified user's data
    /ue - excludes the specified user's data from migration
    /lac - creates a user account if the user account is local and does not exist on the destination computer
    /lae - enables the user account created with the '/lac' option
    /p /nocompress - generates a space-estimate file called Usmtsize.txt

    Once the migration is complete we can go to the Computer Management to verify new accounts.

    Figure 27 - New Accounts

    As we can see, new accounts were created but they are disabled. Disabled accounts have an icon with an arrow

    pointing down. To enable an account right-click it, go to Properties, in General tab uncheck the 'Account is

    disabled' option and then click Apply.

    Networking

    Configuring IPv4 in Windows 7

    Before you start

    Objectives: Learn how to configure IPv4 settings on Windows 7 machine by using GUI and how to

    troubleshoot connectivity in command line.

    Prerequisites: you should know all about IPv4 addresses and about the different ways to apply network settings.

    Key terms: IPv4, network, address, connection, IP, settings, case, center, ping

    Network and Sharing Center

    To configure TCP/IP settings in Windows 7 we have to go to the Network and Sharing Center which is

    located in Control Panel. The shorter way to get to the Network Center is to click the networking icon in the

    Notification area and select the "Open Network and Sharing Center" option.

    Figure 28 - Network Center Shortcut

    The Network Center will show us many options, but the one section we are particularly interested in is "Active

    networks". In our case we already have our network connection configured, and we are connected to the "intranet"

    at our workplace.

    Figure 29 - Active Networks

    To see the details about that connection we can simply click its name, which is "Local Area Connection" in our

    case. To see the details about that specific connection we can click on the Details button.

    Figure 30 - Connection Details

    Notice that our connection currently uses DHCP to get the required information about the network

    connection. We already have our IPv4 address, subnet mask, DNS server. Notice that we can also see the

    "DHCP Enabled" option which is set to "Yes", and we can also see the IP address of the DHCP server. To

    change network settings we can click the Properties button. The new window will open on which we have to

    select which item we want to configure. In this case we will select the "Internet Protocol Version 4

    (TCP/IPv4)" protocol, since we want to change IPv4 address.

    Figure 31 - IPv4 Selected

    When we click the Properties button again, we will be able to enter new IPv4 settings. Notice that currently we

    have the "Obtain an IP address automatically" option selected.

    Figure 32 - IPv4 Properties

    This means that our computer will use DHCP to get the connection information. To enter the information

    manually we can simply select the "Use the following IP address" option. In our case we want our computer to

    always use the same IP address, so we will enter 192.168.1.145 as an IPv4 address, 255.255.255.0 as the subnet

    mask, 192.168.1.1 as our default gateway, and we will use the 10.10.1.2 as our DNS server. Our configuration

    now looks like this.

    Figure 33 - IPv4 Configured

    To check if our connection works we should try to communicate with another host on the network. To do that

    we can use the "ping" tool in command line. Let's try and communicate with the default gateway (192.168.1.1).

    Figure 34 - Ping

    In our case everything works fine. If we have trouble communicating with another host, we can try and ping

    our own IP address, which is 192.168.1.145 in our case. If that does not work, we should try and ping the local

    loopback address which is 127.0.0.1, which will check if the IPv4 stack is properly installed. To check our

    IP address and subnet mask we can use the "ipconfig /all" command. If everything seems OK, but the "ping"

    action still does not work when we try to communicate with another host on the network, we should check our

    firewall settings. In Windows Firewall with Advanced Security, in Inbound Rules section, we have to make

    sure that "File and Printer Sharing (Echo Request - ICMPv4-In)" rule allows communication.

    Configuring IPv6 in Windows 7

    Before you start

    Objectives: Learn where and how to configure IPv6 properties in Windows 7.

    Prerequisites: you should know what IPv6 is and about the different types of IPv6 addresses.

    Key terms: IPv6, address, network, configured, center, connection, link-local, bits, details, global-id

    Network and Sharing Center

    To configure TCP/IP settings in Windows 7 we have to go to the Network and Sharing Center which is

    located in Control Panel. The shorter way to get to the Network Center is to click the networking icon in the

    Notification area and select the "Open Network and Sharing Center" option.

    Figure 35 - Network Center Shortcut

    The Network Center will show us many options, but the one section we are particularly interested in is "Active

    networks". In our case we already have our network connection configured, and we are connected to the "intranet"

    at our workplace.

    Figure 36 - Active Networks

    To see the details about that connection we can simply click its name, which is "Local Area Connection" in our

    case. To see the details about that specific connection we can click on the Details button.

    Figure 37 - Connection Details

    Notice that we already have Link-local IPv6 Address configured. Link-Local address is similar to the APIPA

    address in IPv4. Link-local IPv6 address always starts with "fe8". If we see a Link-local address configured on

    our machine, that means that our computer was not able to contact the DHCPv6 server. To change our

    network settings we can click the Properties button. The new window will open on which we have to select

    which item we want to configure. In this case we will select the "Internet Protocol Version 6 (TCP/IPv6)"

    protocol, since we want to change the IPv6 address.

    Figure 38 - IPv6 Selected

    By default, our computer is configured to obtain the IPv6 address automatically. In this tutorial we will try to

    assign a Unique-Local IPv6 address to our host. Unique-Local addresses are similar to private addresses in

    IPv4. Unique-Local address always starts with "fc" or "fd" (first 8 bits). The next 40 bits represent the "global-

    id", and the next 16 bits represent the "subnet-id". The remaining 64 bits represent a host. The "global-id" part

    will represent our organization, while we can use the "subnet-id" to create multiple subnets. The "global-id"

    part should be randomly generated, but in our case we will simply choose some random "global-id" and the

    "subnet-id". So, our example Unique-Local address will be: FCAB:BEBC:ABAC:0100::1000. The default

    subnet prefix length is 64.

    Figure 39 - IPv6 Configured

    Let's now go to the command line and check our settings by using the "ipconfig" command.

    Figure 40 - ipconfig Command

    Notice that now we have our IPv6 address configured, but the Link-local address also remained intact. That

    means that our computer basically has two configured IPv6 addresses that can be used for communication.
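
    The Unique-Local layout described above (8-bit prefix, 40-bit global-id, 16-bit subnet-id, 64-bit host part), as an added Python example that is not part of the original article. The function names are hypothetical, and the generator takes the global-id from the operating system's random source instead of following the sample algorithm in RFC 4193.

```python
import ipaddress
import secrets

# fc00::/7 covers every address whose first 8 bits are "fc" or "fd".
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")


def split_unique_local(address):
    """Break a Unique-Local address into the fields the article describes."""
    addr = ipaddress.IPv6Address(address)
    if addr not in UNIQUE_LOCAL:
        raise ValueError(f"{addr} is not a Unique-Local address")
    value = int(addr)
    return {
        "prefix": f"{value >> 120:02x}",                      # first 8 bits
        "global_id": f"{(value >> 80) & (2**40 - 1):010x}",   # next 40 bits
        "subnet_id": f"{(value >> 64) & 0xFFFF:04x}",         # next 16 bits
        "host": f"{value & (2**64 - 1):016x}",                # last 64 bits
        "network": str(ipaddress.IPv6Network((value >> 64 << 64, 64))),
        # RFC 4193 defines only the "fd" half (eighth bit set) for prefixes
        # that an organization assigns to itself; the "fc" half is reserved.
        "locally_assigned": bool((value >> 120) & 1),
    }


def new_unique_local_network(subnet_id=0):
    """Return a /64 in the "fd" half with a randomly chosen 40-bit global-id."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet-id must fit in 16 bits")
    global_id = secrets.randbits(40)
    upper = (0xFD << 56) | (global_id << 16) | subnet_id
    return ipaddress.IPv6Network((upper << 64, 64))


def subnets_for(network, count):
    """List the first `count` /64 subnets that share the network's global-id."""
    site = network.supernet(new_prefix=48)        # prefix byte + global-id
    return [str(n) for _, n in zip(range(count), site.subnets(new_prefix=64))]


if __name__ == "__main__":
    # The address chosen in the article.
    for key, value in split_unique_local("FCAB:BEBC:ABAC:0100::1000").items():
        print(f"{key:17}{value}")
    fresh = new_unique_local_network(subnet_id=0x0100)
    print("generated network:", fresh)
    print("first subnets:   ", subnets_for(fresh, 3))
```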

    Internet Connection Sharing (ICS) Configuration in Windows 7

    Before you start

    Objectives: Learn how to enable and configure ICS in Windows 7.

    Prerequisites: you should already know what ICS is in general.

    Key terms: network, computer, ICS, connection, Internet, private, enable, server, address, IP, port, settings,

    Windows 7

    How to Enable ICS

    The computer on which we want to enable ICS has to have two network connections. One network

    connection has to be connected to the public network (Internet), and another connection has to be connected

    to our private network (LAN). To manage network connections on Windows 7, we can go to Control Panel >

    Network and Internet > Network Connections. In our case, on our computer we have two Network

    Interface Cards which provide two network connections. One connection is called "Internet", and another is

    called "Local Area Connection".

    Figure 41 - Connections

    So, we want to share our Internet connection from this computer with other computers which are located on

    our LAN. Internet connection is typically connected to a cable modem, a DSL modem, etc. Local Area

    Connection is typically connected to a Switch on our local (private) network. On that Switch we will typically

    have other computers connected.

    Figure 42 - Example Schema

    To enable ICS, we will select our Internet connection, go to its properties, and select the Sharing tab. Here we

    will select the "Allow other network users to connect through this computer's Internet connection" option. This

    will basically enable ICS on this computer. In our case we will uncheck the "Allow other network users to

    control or disable the shared Internet connection" option.

    Figure 43 - Sharing Tab

    If we click the Settings button, we will be able to control some basic firewall settings. This way we can quickly

    enable some basic services that we want to be accessible from the Internet through our ICS computer. As you

    can see, when we enable ICS, our computer starts to act as a router and a NAT device.

    Figure 44 - Advanced Settings

    For example, let's say that we have a web server on our private network and that we want to make it publicly

    accessible. The host name of the web server is "web-server". To configure this, we will select "Web Server

    (HTTP)" from the list of services and click the Edit button. We will enter the name of the computer "web-

    server". We could also enter the IP address of the computer.

    Figure 45 - Web Server Port Forwarding

    Notice that other settings can't be changed (port is 80). Note that we can only do this for one computer on the

    same port. This is considered port forwarding. We can add other or the same services, but they have to use

    different ports. With this configured, when someone on the public network tries to access our public IP

    address together with the port 80, that request will be forwarded to the "web-server" computer on our private

    network.

    When the ICS is enabled, our network connections will automatically be configured with some specific settings.

    First, the Local Area Connection will be configured with the 192.168.137.1 IP address. With ICS, our computer

    automatically becomes the gateway for computers on our private network, and the gateway address will be the

    address of the LAN interface of the ICS computer. ICS computer will also start to hand out IP addresses and

    other information to computers on our private network (it will become the DHCP server). This is why it is

    important that the computers on the private network are DHCP enabled. We can use commands "ipconfig

    /release" and "ipconfig /renew" to obtain new configuration from the ICS server. If we see an IP address

    which starts with "169.254.", this means that the computer was not able to contact the DHCP server.
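
    One way to read a private-network client's "ipconfig" output for the two outcomes described above (a lease from the ICS computer, or a 169.254 address), as an added Python example that is not part of the original article. Both outputs are constructed samples, the function names are hypothetical, and the /24 network around 192.168.137.1 is an assumption.

```python
import ipaddress
import re

APIPA = ipaddress.ip_network("169.254.0.0/16")        # addresses starting "169.254."
ICS_GATEWAY = "192.168.137.1"                         # LAN address of the ICS computer
ICS_LAN = ipaddress.ip_network("192.168.137.0/24")    # assumed mask around that gateway

# Constructed sample: a client that received its settings from the ICS computer.
CLIENT_WITH_LEASE = """
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.137.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.137.1
"""

# Constructed sample: a client that got no answer from any DHCP server.
CLIENT_WITHOUT_LEASE = """
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Autoconfiguration IPv4 Address. . : 169.254.77.12
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""

# "   Name . . . . : value" -> key is the name, value may be empty.
FIELD = re.compile(r"^\s+(?P<key>.+?)[ .]+:\s*(?P<value>.*?)\s*$")


def read_fields(ipconfig_text):
    """Collect the 'name : value' pairs of one adapter section."""
    fields = {}
    for line in ipconfig_text.splitlines():
        match = FIELD.match(line)
        if match:
            fields[match.group("key")] = match.group("value")
    return fields


def triage(ipconfig_text):
    """Classify the adapter's IPv4 configuration with respect to the ICS DHCP service."""
    fields = read_fields(ipconfig_text)
    raw = fields.get("Autoconfiguration IPv4 Address") or fields.get("IPv4 Address")
    if not raw:
        return "no-ipv4"
    address = ipaddress.ip_address(raw.split("(")[0])   # drop "(Preferred)" from /all
    if address in APIPA:
        return "apipa"        # no DHCP answer: ipconfig /release, then ipconfig /renew
    if address in ICS_LAN and fields.get("Default Gateway") == ICS_GATEWAY:
        return "ics-lease"    # address and gateway both come from the ICS computer
    return "other"            # static settings or a different DHCP server


if __name__ == "__main__":
    print("first client: ", triage(CLIENT_WITH_LEASE))
    print("second client:", triage(CLIENT_WITHOUT_LEASE))
```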

    Working With Wireless Network Connections in Windows 7

    Before you start

    Objectives: Learn how to create an Ad Hoc wireless network and how to work with infrastructure wireless

    networks in Windows 7.

    Prerequisites: you should have a basic understanding of wireless networks.

    Key terms: network, wireless, ad hoc, connect, security, connection, option, windows 7, SSID

    Ad Hoc Networks

    To create an Ad Hoc wireless network we have to go to the Network and Sharing Center in Control Panel. In

    the Network and Sharing Center we will click on the "Set up a new connection or network" option. On the

    next window we have to select the "Set up a wireless ad hoc (computer-to-computer) network" option.

    Figure 46 - Ad Hoc Network Option

    The next thing we need to do is to specify the name of our network and choose the security type. For ad hoc

    networks, the available security types are Open, WEP and WPA2-Personal. Remember that WPA2-Personal is

    a lot more secure than WEP, so we should always use WPA2 if all devices support it. In our case we will

    choose WPA2-Personal, so we also have to specify the security key.

    Figure 47 - Network Settings

    The purpose of the ad hoc network is to provide temporary wireless network access for devices in close

    proximity, without the need for a wireless access point. On the next screen we will also be able to turn on Internet

    connection sharing. This is because our computer is also connected to the wired network which has Internet

    connection, so we can share that Internet connection with the clients on the ad hoc network if we want.

    Figure 48 - Network Created

    At this point other devices will be able to find and connect to our wireless ad hoc network. If we click on the

    network icon in the System Tray, we can see that our ad hoc network is waiting for users.

    Figure 49 - Waiting for Users

    Note that the icon used for an ad hoc network has three computers connected in a triangle, while infrastructure

    networks have bars as the icon. One other thing that we should remember about ad hoc networks is that they

    will be removed once all users disconnect from them. Also, users who connect to the ad hoc network are not able

    to save it in the list of wireless networks.

    If we don't enable Internet connection sharing, users who connect to our ad hoc network will not get their IP

    address automatically from the DHCP. If you have experience with IP addressing, you will know that in this

    case the devices will automatically use some address from the APIPA range, and this will actually work. We can

    also specify the IP address on every device manually (this also includes the computer on which we set up the ad

    hoc network). However, if we enable Internet connection sharing in the first place, all devices will get their IP

    address from the DHCP server on the computer on which we have created the ad hoc network.

    Infrastructure Wireless Networks

    The process of connecting to wireless networks with access points is really simple in Windows 7. We simply

    click on the network icon in the System Tray, select the available wireless network and click on the Connect

    button.

    Figure 50 - Available Wireless Networks

    In our case we are connecting to a network which is using WPA2-Personal security standard, so we have to

    provide the password to gain access to the wireless network.

    Figure 51 - Network Security Key

    So, when we enter the correct security key we will connect to the network, and that's it. Now, sometimes the

    SSID of the wireless network is not being broadcast. To connect to that kind of network we have to create

    the wireless network profile manually. To do that we have to go to the Network and Sharing Center, and select

    the "Set up a new connection or network" option. In the window we have to select the "Manually connect to a

    wireless network" option.

    Figure 52 - Manual Configuration

    On the next screen we have to specify the SSID (network name), security type, encryption type and the security

    key. We also have to select the "Connect even if the network is not broadcasting" option. This will ensure that

    our computer will connect to the network which has SSID broadcasting disabled. Note that we have to know

    all those settings before we start connecting.

    Figure 53 - Network Profile

    Now, if we go to the Network and Sharing Center, and then select the "Manage wireless networks" option, we

    will see our newly created network listed.

    Figure 54 - Network Management

    Here we will also see any other network that we have previously connected to. Here we can delete all those

    wireless networks or modify them. Keep in mind that we can't modify the SSID of the existing network here. If

    the SSID is changed, we have to delete the old network and create a new one.

    One other thing that we should keep in mind is the Profile Type. If we click on the Profile Type button in the

    "Manage wireless networks" window, we will be able to choose the type of profile to assign to new wireless

    networks.

    Figure 55 - Profile Type

    Keep in mind that by default all wireless networks created on the computer can be used by all users. However,

    we can set up the per-user profile configuration. This way users can create connections that can only be

    accessed and modified by them (per-user).

    Troubleshooting

    A stronger wireless signal means better wireless performance. There are several things that we can do to

    ensure proper wireless signal in our network. First, we have to ensure that all clients are in the range of our

    wireless access point. To improve the range we can implement additional antennas or signal boosters in our

    wireless network. Also, some physical objects may cause obstructions and interference. Another option is to

    install additional access points. This will increase the coverage of our wireless network.

    Some devices will cause interference with our wireless network. Those devices are cordless phones,

    microwaves, Bluetooth devices, or any other device with radio signal. We should move those devices away

    from our AP. Also, we should always ensure that the wireless channel used in our network is not overlapping

    with another channel.

    Windows 7 includes many troubleshooting tools that can be used to troubleshoot wired and wireless networks.

    For example, we can use a Network Diagnostics tool to diagnose the connection issues. When troubleshooting

    wireless networks with this tool, the first thing we should do is try to connect to the AP, and then run the

    Network Diagnostics tool.

    The most common problem with wireless networks is the wrong configuration. So, the first thing we should do

    is to ensure that we have configured the correct SSID and WEP/WPA keys.

    Working with Windows Firewall in Windows 7

    Before you start

    Objectives: Learn where to find and how to work with Windows Firewall in Windows 7.

    Prerequisites: you should know what a firewall is in general.

    Key terms: firewall, Windows, network, program, allowed, configure, feature, location, service

    Firewall in Windows 7

    Windows 7 comes with two firewalls that work together. One is the Windows Firewall, and the other

    is Windows Firewall with Advanced Security (WFAS). The main difference between them is the complexity

    of the rules configuration. Windows Firewall uses simple rules that directly relate to a program or a service. The

    rules in WFAS can be configured based on protocols, ports, addresses and authentication. By default, both

    firewalls come with a predefined set of rules that allow us to utilize network resources. This includes things like

    browsing the web, receiving e-mails, etc. Other standard firewall exceptions are File and Printer

    Sharing, Network Discovery, Performance Logs and Alerts, Remote Administration, Windows Remote

    Management, Remote Assistance, Remote Desktop, Windows Media Player, Windows Media Player Network

    Sharing Service.

    With firewall in Windows 7 we can configure inbound and outbound rules. By default, all outbound traffic is

    allowed, and inbound responses to that traffic are also allowed. Inbound traffic initiated from external sources

    is automatically blocked.

    Sometimes we will see a notification about a blocked program which is trying to access network resources. In

    that case we will be able to add an exception to our firewall in order to allow traffic from the program in the

    future.

    Windows 7 comes with some new features when it comes to firewall. For example, "full-stealth" feature blocks

    other computers from performing operating system fingerprinting. OS fingerprinting is a malicious technique

    used to determine the operating system running on the host machine. Another feature is "boot-time filtering".

    This feature ensures that the firewall is working at the same time when the network interface becomes active,

    which was not the case in previous versions of Windows.

    When we first connect to some network, we are prompted to select a network location. This feature is known as

    Network Location Awareness (NLA). This feature enables us to assign a network profile to the connection

    based on the location. Different network profiles contain different collections of firewall rules. In Windows 7,

    different network profiles can be configured on different interfaces. For example, our wired interface can have

    a different profile than our wireless interface. There are three different network profiles available:

    Public
    Home/Work - private network
    Domain - used within a domain

    We choose those locations when we connect to a network. We can always change the location in the Network

    and Sharing Center, in Control Panel. The Domain profile can be automatically assigned by the NLA service

    when we log on to an Active Directory domain. Note that we must have administrative rights in order to

    configure the firewall in Windows 7.

    Configuring Windows Firewall

    To open Windows Firewall we can go to Start > Control Panel > Windows Firewall.

    Figure 56 - Windows Firewall

    By default, Windows Firewall is enabled for both private (home or work) and public networks. It is also

    configured to block all connections to programs that are not on the list of allowed programs. To configure

    exceptions we can go to the menu on the left and select "Allow a program or feature through Windows

    Firewall" option.

    Figure 57 - Exceptions

    To change settings in this window we have to click the "Change settings" button. As you can see, here we have

    a list of predefined programs and features that can be allowed to communicate on private or public networks.

    For example, notice that the Core Networking feature is allowed on both private and public networks, while

    the File and Printer Sharing is only allowed on private networks. We can also see the details of an item in the

    list by selecting it and then clicking the Details button.

    Figure 58 - Details

    If we have a program on our computer that is not in this list, we can manually add it by clicking on the "Allow

    another program" button.

    Figure 59 - Add a Program

    Here we have to browse to the executable of our program and then click the Add button. Notice that we can

    also choose location types on which this program will be allowed to communicate by clicking on the "Network

    location types" button.

    Figure 60 - Network Locations

    Many applications will automatically configure proper exceptions in Windows Firewall when we run them. For

    example, if we enable streaming from Media Player, it will automatically configure firewall settings to allow

    streaming. The same thing happens if we enable the Remote Desktop feature from the system properties window. By

    enabling the Remote Desktop feature we actually create an exception in Windows Firewall.

    Windows Firewall can be turned off completely. To do that we can select the "Turn Windows Firewall on or

    off" option from the menu on the left.

    Figure 61 - Firewall Customization

    Note that we can modify settings for each type of network location (private or public). An interesting thing here is

    that we can block all incoming connections, including those in the list of allowed programs.

    Windows Firewall is actually a Windows service. As you know, services can be stopped and started. If the

    Windows Firewall service is stopped, the Windows Firewall will not work.

    Figure 62 - Firewall Service

    In our case the service is running. If we stop it, we will get a warning that we should turn on our Windows

    Firewall.

    Figure 63 - Warning

    Remember that with Windows Firewall we can only configure basic firewall settings, and this is enough for

    most day-to-day users. However, we can't configure exceptions based on ports in Windows Firewall any more.

    For that we have to use Windows Firewall with Advanced Security, which will be covered in another article.

    Configuring Windows Firewall with Advanced Security in Windows 7

    Before you start

    Objectives: Learn how to create new rules in Windows Firewall with Advanced Security. We will create

    an outbound rule in this example, but the principle is the same for inbound rules.

    Prerequisites: you have to know what a firewall is in general.

    Key terms: rule, IP, address, firewall, port, remote, screen, WFAS, example, access, option, outbound

    Windows Firewall with Advanced Security (WFAS)

    As you should know, with WFAS we have more granular control when compared to ordinary Windows

    Firewall which is also available in Windows 7. To open WFAS, simply start entering "windows firewall" in

    search and select "Windows Firewall with Advanced Security" option.

    Figure 64 - Open WFAS

    Once we open WFAS we will see a list of rules. Rules are divided into Inbound, Outbound and Connection

    Security rules. Notice that there are a lot of predefined rules that we can use. Some of them are enabled, and

    some of them are disabled. Each rule can be disabled/enabled for different network profiles (domain,

    private, public). We can also see the application that the rule relates to, the action, the protocol that is used,

    local and remote address, the local and remote port, allowed users and allowed computers.

    Figure 65 - Rules

    To restrict access to our computer we would edit the Inbound rules. To restrict users from accessing remote

    resources, we would go to the Outbound rules section. This is what we will do in this example. For the purpose

    of this demo we will block users on our local computer from accessing the www.utilizewindows.com site. So, to add

    a new rule, we can right-click on the Outbound rules section, or click on the New Rule option from the menu

    on the right side of the window.

    Figure 66 - New Rule Option

    On the first screen we can choose to create rules based on programs, ports or use a predefined rule. We can

    also create a custom rule, which we will do in our example.

    Figure 67 - Custom Rule Option

    On the next screen we can specify if this rule applies to all programs or only to a specific program. For

    example, here we could choose only specific Web Browsers. We could also apply this rule to specific services

    only. For the purpose of this demo we will choose the "All programs" option and click Next.

    Figure 68 - Programs

    On the next screen we have to choose the right protocols and ports. For this, you have to know about different

    networking protocols and their specific ports. For example, to access web sites our Web Browsers use HTTP

    protocol. HTTP protocol uses TCP transport layer protocol, on port 80 by default. When configuring the

    Outbound rule, it is more important to configure the Remote port. The local port is actually auto-generated

    when the connection gets established, and it is used as a return path. Because of that, we don't have to enter it

    here. The remote port is the port we are connecting to. For the remote port we will use the specific port 80.

    Figure 69 - Protocols

    On the next screen we have to choose the IP addresses that this rule applies to. For the local IP address we can

    choose the "Any IP address" option or choose to enter a specific IP address. In this case this is not important

    since this rule will only be applied to the local machine. However, if we were to configure this rule through

    Group Policy and push it down to our machines, we would then have to specify the specific IP addresses that

    this rule should be applied to.

    Figure 70 - IP Address

    If we click on the Customize button we can also select which interfaces this rule applies to. By default it will be

    applied to all interfaces, but we can choose to only apply it to wired or wireless interfaces, or to remote access

    sessions.

    Figure 71 - Interface Types

    The important thing to configure is the remote IP addresses to which this rule applies. So, we have to know

    the IP address of the www.utilizewindows.com site. To get the IP address we will try and PING it in the

    command line.

    Figure 72 - Ping

    We got the reply and now we know that the IP address is 192.232.223.73. Let's click on the Add button and

    enter the IP address.

    Figure 73 - IP Address Specified

    Notice that in this window we can also enter the whole subnet, the range of IP addresses, or some predefined

    set of computers (WINS servers, DHCP servers, DNS servers, or local subnet computers). When we click OK,

    our screen now looks like this.

    Figure 74 - IP Address Entered

    On the next screen we choose the action we want to be performed for this rule. In our case we will block the

    connection.

    Figure 75 - Action

    On the next screen we have to choose the network profile that this rule applies to. The default is all profiles.

    Figure 76 - Profile

    On the next screen we enter the name of our rule and a brief description.

    Figure 77 - Name

    When we click Finish, we will see our new rule in the list.

    Figure 78 - Rule Created

    When we try to browse to www.utilizewindows.com now, we will see something like this.

    Figure 79 - Site Blocked

    Bigger organizations often use multiple IP addresses assigned to multiple servers which all serve the same web

    site. For example, facebook.com uses several ranges of IP addresses, and in order to block facebook.com we

    have to enter all those IP addresses (or ranges) in our outbound firewall rule.
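
    The outbound rule built in the wizard above can also be created from an elevated PowerShell prompt with netsh advfirewall, using every IPv4 address the site name currently resolves to rather than the single address taken from ping. This is an added example, not part of the original article; the rule name is an assumption.

```powershell
# Added example (not from the original article). Run from an elevated prompt.
# Written for PowerShell 2.0, which ships with Windows 7.
$HostName   = 'www.utilizewindows.com'      # site blocked in the walkthrough
$RemotePort = 80                            # HTTP only, as in the walkthrough
$RuleName   = 'Block-HTTP-utilizewindows'   # assumed rule name (no spaces)

# Resolve every IPv4 address the name maps to right now. Larger sites return
# several addresses, and all of them have to be listed in the rule.
$addresses = @([System.Net.Dns]::GetHostAddresses($HostName) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString } |
    Sort-Object -Unique)

if ($addresses.Count -eq 0) {
    throw "No IPv4 address found for $HostName; nothing to block."
}
$remoteIp = $addresses -join ','

# Delete an earlier copy of the rule so that re-running the script refreshes
# the address list instead of stacking duplicate rules.
netsh advfirewall firewall delete rule "name=$RuleName" | Out-Null

# Same choices as in the wizard: all programs, TCP, remote port 80,
# the resolved remote addresses, action Block, all profiles.
netsh advfirewall firewall add rule "name=$RuleName" dir=out action=block `
    protocol=TCP "remoteport=$RemotePort" "remoteip=$remoteIp" profile=any
if ($LASTEXITCODE -ne 0) {
    throw "netsh could not add the rule (is the prompt elevated?)."
}

# Show the rule as stored by the firewall
netsh advfirewall firewall show rule "name=$RuleName"

# Verify the effect: a TCP connection to a blocked address should now fail
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($addresses[0], $RemotePort)
    Write-Warning "Connected to $($addresses[0]):$RemotePort; the rule is not in effect."
} catch {
    Write-Output "Connection to $($addresses[0]):$RemotePort was blocked."
} finally {
    $client.Close()
}

# Limits of this kind of rule:
#  - it matches TCP port 80 only, so HTTPS (TCP 443) to the same site still works
#  - the address list is a snapshot; if the site's DNS records change,
#    the rule has to be refreshed by running the script again
```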

  • www.utilizewindows.com Networking Configuring BranchCache in Windows 7

    Configuring BranchCache in Windows 7

    Before you start

    Objectives: Learn how to enable and configure BranchCache using Group Policy or command line (netsh

    command).

    Prerequisites: you have to know what BranchCache is.

    Key terms: BranchCache, Windows, Group Policy, command line, netsh

    Prerequisites

    Remember, before we can use the BranchCache feature on our local computer, we have to have a

    BranchCache-enabled server. This means that the BranchCache feature has to be installed on the server. This can be done by

    using the Add Features Wizard.

    Figure 80 - Add Feature Wizard in Windows Server 2008 R2

    Also, we have to go to the properties of the shared folder on the server, go to the Sharing tab, click on the

    Advanced Sharing button, and then click on the Caching button. We will see a window like this.

    Figure 81 - Offline Settings for Shared Folder

    Note that the Enable BranchCache option is checked.

    BranchCache Configuration in Group Policy

    To configure our Windows 7 machine for BranchCache, we have to run a set of commands. We can either use

    Local Group Policy editor or the command line. To open Group Policy editor, we can enter gpedit.msc in

    search. In Group Policy editor, we can configure policies related to BranchCache in Computer Configuration >

    Administrative Tools > Network > BranchCache.

    Figure 82 - BranchCache Policies

    Keep in mind that if we configure BranchCache in Group Policy, we have to manually configure Windows

    Firewall with Advanced Security settings. This includes Inbound and Outbound rules.

    Figure 83 - Inbound Firewall Rules

    Figure 84 - Outbound Firewall Rules

    If we configure BranchCache from the command line, firewall rules will be automatically enabled for us.

    BranchCache Configuration in Command Line

    To configure BranchCache in command line (cmd), we will first run it as Administrator. For example, to enable

    BranchCache in distributed mode we would enter the "netsh branchcache set service mode=distributed"

    command.

    Figure 85 - netsh branchcache Command

    Notice that the firewall rules are enabled, and service start type is set to manual (which is the right type). To

    check the status of BranchCache on the computer we can enter the "netsh branchcache show status" command.

    Figure 86 - BranchCache Status

    We can also configure the cache size. For example, if we want to set the cache size to 10% of our disk space,

    we would enter the command "netsh branchcache set cachesize size=10 percent=true".

    Figure 87 - BranchCache Cache Size

    To see the local cache usage we can enter the "netsh branchcache show localcache" command.

    Figure 88 - BranchCache Local Cache

    Notice that here we can also see the location of the cache.

  • www.utilizewindows.com Networking Creating a VPN Connection in Windows 7

    Creating a VPN Connection in Windows 7

    Before you start

    Objectives: Learn how to create VPN connection in Windows 7.

    Prerequisites: you have to know what a VPN is in general.

    Key terms: VPN, connection, Windows 7

    Creating VPN Connection

    We can create a VPN connection in Network and Sharing Center in Control Panel. Here we can select the "Set

    up a new connection or network" option.

    Figure 89 - Set up a Connection

    On the next screen we have to select the "Connect to a workplace" option.

    Figure 90 - Connect to a Workplace

    On the next screen we will select the "Use my Internet connection (VPN)" option.

    Figure 91 - How to Connect

    On the next screen we have to enter the IP address of the VPN server (or the host name which points to that

    IP address). Here we can also choose the name of the connection, whether we want to use a smart card to

    authenticate, and whether we want to allow other people to use this connection.

    Figure 92 - IP Address

    On the next screen we have to enter our credentials.

    Figure 93 - Credentials

    If everything was entered correctly, we should be able to connect to the VPN server now. When we do that, we

    will be able to access resources on the remote network.

    We can always change properties of our VPN connection. To do that, simply right-click it and select the

    Properties option.

    Figure 94 - Properties

    On the General tab we can change the host name or IP address.

    Figure 95 - General Tab

    On the Options tab we can set dialing options, as well as redialing options (redial attempts, etc.). On the

    Security tab we can select the type of VPN and data encryption options.

    Figure 96 - Security Tab

    If we use IKEv2, our system will have the ability to reconnect automatically. However, if we select the

    Automatic type, the strongest available type of VPN will be used. On the Networking tab we can choose the

    version of IP protocol that is to be used (IPv4 or IPv6), and if we'll allow file and printer sharing over the VPN

    connection. On the Sharing tab we can specify if we want to allow other users to connect through this

    connection. So, we can use the Internet Connection Sharing feature to share a VPN connection.

  • www.utilizewindows.com Networking DirectAccess Feature in Windows 7

    DirectAccess Feature in Windows 7

    Before you start

    Objectives: Learn what DirectAccess is, why it is important, and what to consider when configuring clients to

    use DirectAccess.

    Prerequisites: you have to know what a VPN is.

    Key terms: DirectAccess, Windows 7, prerequisites

    What is DirectAccess

    DirectAccess is an always-on connection to our remote private network, regardless of where we are. Starting

    from Windows 7 and Windows Server 2008 R2, we can use the DirectAccess feature. DirectAccess in Windows 7

    uses IPv6 with an IPsec VPN connection which is always on. DirectAccess is different from a VPN protocol.

    The DirectAccess connection process doesn't require user intervention or logon (it is automatic) in contrast to a

    VPN solution. It starts from the moment we connect to the Internet and allows authorized users to access

    corporate network file server and intranet web sites.

    Since DirectAccess is automatic, we will always have access to the remote (corporate) intranet, regardless of

    where we are. DirectAccess is bidirectional, which means that servers on corporate network can access remote

    clients in the same fashion as if they were connected to the local network. In many VPN solutions, the client

    can access the server, but the server can't access the remote client.

    DirectAccess provides administrators the ability to control resources that are available to remote users and

    computers. Administrators can ensure that remote clients remain up to date with antivirus definitions and

    software updates. They can also apply security policies to isolate servers and hosts. Remote DirectAccess

    clients can still receive software and group policy updates from the server on the corporate network, even if the

    user hasn't logged on. This allows administrators to manage and maintain remote computers like never

    before. DirectAccess reduces unnecessary traffic on the corporate network by not sending traffic that is headed

    for the Internet to the DirectAccess server. Intranet communications are encrypted and sent to the

    DirectAccess server, and then on to the intranet. Internet communications are sent directly to the Internet

    hosts without encryption and without going through the DirectAccess server.

    DirectAccess Connection Methods

    DirectAccess clients can connect to the internal resources by either using the Selected server access (modified

    end-to-edge) or Full enterprise network access (end-to-edge) method. The connection method is configurable

    using the DirectAccess console or manually through IPsec policies.

    It is recommended to use IPv6 and IPsec throughout the organization, upgrade our application servers to

    Windows Server 2008 R2, and enable selected server access in order to provide the highest level of security. On

    the other hand, organizations can use full enterprise network access where the IPsec session is established

    between a DirectAccess client and the server.

    DirectAccess Connection Process

    The DirectAccess client first detects if there is a network connection available. Then it attempts to connect to the

    intranet site that was specified in the DirectAccess configuration. Then the client connects to the DirectAccess

    server using IPv6 and IPsec. In the case that a firewall or proxy server prevents the client computer from using

    either 6to4 or Teredo to connect to the DirectAccess server, the client automatically attempts to connect

    using the IP-HTTPS protocol, which uses an SSL (Secure Sockets Layer) connection to ensure connectivity.

    After that the client and server mutually authenticate using their certificates. Active Directory group

    memberships are checked so that the DirectAccess server can verify that the computer and user are authorized to

    connect using DirectAccess. If Network Access Protection (NAP) is enabled and configured for health

    validation, the DirectAccess client obtains a health certificate from a Health Registration Authority (HRA)

    located on the intranet prior to connecting to the DirectAccess server. Once the client is clear to connect to the

    network, DirectAccess begins forwarding traffic from the client to the intranet.

    DirectAccess Client Configuration

    If a client is connected to the network using a public IPv6 address, DirectAccess will also use a public IPv6 address to

    connect. If a client is using a public IPv4 address, DirectAccess will use the IPv6 6to4 method to connect to

    the client. If the client is using a private IPv4 address behind a NAT, DirectAccess will use the IPv6 Teredo

    method to connect to the client. If the client can't connect to the intranet, because they are being blocked by a

    firewall, but the client still has access to the Internet, DirectAccess will use the IP-HTTPS method (the least secure

    form) to connect to the client.

    Computers running Windows 7 Enterprise and Ultimate that have been joined to a domain can support

    DirectAccess. We can't use DirectAccess with any other edition of Windows 7, or earlier versions of Windows

    (Vista or XP). When configuring a client for DirectAccess we must add the client's domain computer account

    to a special security group. We specify this security group when we are creating a DirectAccess server. Group

    Policies are used to push down the DirectAccess client configuration, in contrast to traditional VPN

    connections where we have to manually set the VPN configuration or distribute it using the Connection Manager

    Administration Kit. Once we have added the computer's account to that designated security group, we also need

    to install the computer certificate to allow DirectAccess authentication. This can be done using Active

    Directory Certificate Services which will enable automatic enrollment of the appropriate certificate.

    When it comes to the server, we have to have a DirectAccess server running on Windows Server 2008 R2 with two

    network cards. Also, we have to have an Active Directory environment with at least one Domain Controller (DC)

    and a DNS server running Windows Server 2008 or 2008 R2. We also need to have a Public Key Infrastructure

    (PKI) with Active Directory Certificate Services (ADCS). We also need IPsec policies configured and IPv6

    Transition Technologies that are available for use on a DirectAccess server such as 6to4 and Teredo.

    When we first configure DirectAccess on a server, it creates a Group Policy Object (GPO) at the domain level

    and filters it for us for that specified security group that we create during the installation process. Only clients

    that are members of that group get DirectAccess policies and will be able to connect to the DirectAccess

    server. Through this Group Policy we can configure settings such as the 6to4 relay server name, the IP-HTTPS

    server to connect to if all other connection methods fail, whether Teredo is used for DirectAccess, and

    the Teredo server address.

    We can also configure DirectAccess from the command line using the netsh command. Keep in mind that

    all configurations made manually with the netsh utility will be overwritten by corresponding Group Policy

    settings.

    To determine if the client has made a successful DirectAccess connection, we can click on the network

    connection icon in the system tray. This will open the status of our connection, which will say "Internet and

    Corporate" access. In that case we know that we have successfully connected to the DirectAccess server. If the

    status is "Local and Internet", we know that there is no connection to the DirectAccess server.

    As we know, DirectAccess clients use certificates for authentication. If a computer doesn't have a valid

    computer certificate, which should be received from ADCS, it can't connect successfully. We can verify the client

    certificate using the Certificates snap-in.
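
    The certificate check described above can also be scripted on the client, together with the state of the transition technologies (6to4, Teredo, IP-HTTPS) that DirectAccess falls back through. This is an added example, not part of the original article; it assumes the computer certificate carries the Client Authentication EKU, as certificates issued from the default Computer template do.

```powershell
# Added example (not from the original article). Run from an elevated prompt
# on the DirectAccess client. Written for PowerShell 2.0 (Windows 7).
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (assumed requirement)
$now = Get-Date

# Inspect every certificate in the computer's Personal store, which is where
# a computer certificate enrolled from ADCS is placed.
$report = @(Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # Collect the EKU OIDs from the Enhanced Key Usage extension, if present
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        InDate        = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuthEku = ($ekus -contains $clientAuthOid)
        # Verify() builds the chain to a trusted root and checks revocation;
        # it can return False when the CRL location is unreachable.
        ChainValid    = $cert.Verify()
    }
})

$report | Format-Table Subject, NotAfter, InDate, HasPrivateKey, ClientAuthEku, ChainValid -AutoSize

$usable = @($report | Where-Object {
    $_.InDate -and $_.HasPrivateKey -and $_.ClientAuthEku -and $_.ChainValid
})
if ($usable.Count -eq 0) {
    Write-Warning 'No usable computer certificate found; DirectAccess authentication will fail.'
} else {
    Write-Output "$($usable.Count) usable computer certificate(s) found."
}

# State of the IPv6 transition technologies, in the order the client tries them
netsh interface 6to4 show state
netsh interface teredo show state
netsh interface httpstunnel show interfaces
```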

  • www.utilizewindows.com Deployment Preparing for Windows 7 Image Capture

    Deployment

    Preparing for Windows 7 Image Capture

    Before you start

    Objectives: learn what you have to do before you can capture and deploy Windows 7 images

    Prerequisites: you have to understand what automated Windows installation is, what Windows

    SIM is and what Sysprep is.

    Key terms: image, winpe, waik, imagex, capture, reference, installation, deployment

    Installing WAIK on Technician Computer

    WAIK contains all the tools we will need to prepare the WinPE CD which we will use to capture Windows images.

    The process of installing WAIK is really simple. Just download WAIK for Windows 7 from Microsoft web

    pages (it is an ISO image) and burn it to a DVD (or use a virtual CD/DVD-ROM to open the ISO). After that simply

    run the Windows AIK Setup.

    Figure 97 - WAIK Main Menu

    Note that you should not install WAIK on the reference computer. You should install WAIK on the

    Technician computer (the one on which you work as an administrator). Reference computer should be

    configured for end users. When the installation is complete we can run the Deployment Tools Command

    Prompt. To do that go to Start > All Programs > Microsoft Windows AIK > Deployment Tools

    Command Prompt.

    Figure 98 - Deployment Tools Command Prompt

    Preparing the Reference Installation

    A reference computer has a customized installation of Windows that you plan to duplicate onto one or more

    destination computers. You can create a reference installation by using the Windows installation DVD. You

    can also create an answer file which you will use during Windows installation on your reference computer. The

    answer file contains all of the settings that are required for an unattended installation. The answer file can be

    created using Windows SIM, which is contained in WAIK.

    Creating WinPE

    Now that we have WAIK installed and a reference computer prepared, we have to create a WinPE CD. WinPE

    is contained in WAIK, but we have to create the WinPE CD or DVD by running the 'copype' command within the

    PETools folder. Once the WinPE files and folders are created we can use the 'oscdimg' utility, which is also

    part of the WAIK, to create an ISO image from the created WinPE files and folders. Then we can use that ISO

    image to burn a bootable DVD and boot from it. Our WinPE has to contain the ImageX tool which we will use to

    capture and deploy Windows images. ImageX stores the image in the Windows Image file format (.wim

    format). To see how to prepare WinPE read the article Create WinPE Using WAIK for Windows 7.

    Capturing Windows Image

    To capture an image using ImageX, we must first boot our computer into a Windows PE environment. The

    Windows PE environment (Windows Preinstallation Environment) is a thin version of Windows 7 with limited

    services. We can boot our computer into Windows PE by using a WinPE CD, DVD or USB flash drive.

    Also, network PXE booting through Windows Deployment Services (WDS) will load WinPE

    automatically. Once we boot into WinPE and open a command prompt, we can run ImageX with the /capture

    parameter. We can set ImageX to store the captured image to a network share. If we are capturing Windows

    7 Ultimate or Enterprise, we can set ImageX to store the captured image into a VHD (Virtual Hard Disk) file and

    make that VHD bootable. To see an example of how to capture a Windows 7 installation, read the article Windows 7

    Image Capture Demonstration.

    Excluding Files

    We can also exclude certain files and folders from being captured. We can do that using configuration files. The

    'Wimscript.ini' file is the configuration file that ImageX will use. Within a 'Wimscript.ini' file we have three

    sections of configuration. Those sections are:

    ExclusionList

    ExclusionException

    CompressionExclusionList

    The ExclusionList section allows us to define what files and folders are to be excluded from the capture. The

    ExclusionException section allows us to override the default exclusion list during the capture process. The

    CompressionExclusionList allows us to define files, folders and file types that we want to exclude during the

    compression process. ImageX will look for the 'Wimscript.ini' within the same folder that stores the ImageX

    tool. Example of Wimscript.ini:

    [ExclusionList]

    ntfs.log

    hiberfil.sys

    pagefile.sys

    "System Volume Information"

    RECYCLER

    Windows\CSC

    [CompressionExclusionList]

    *.mp3

    *.zip

    *.cab

    \WINDOWS\inf\*.pnf

    As we see in our example, our wimscript.ini has an ExclusionList section. In that section we defined what files and

    folders are to be excluded during the ImageX process. We also defined what files, folders and types of files are

    to be excluded from compression process. In addition to manually creating an image, ImageX can help us

    modify an image without extracting it and also to deploy the captured image to a target computer.

  • www.utilizewindows.com Deployment Mounting and Unmounting Windows 7 Image Using ImageX and DISM

    Mounting and Unmounting Windows 7 Image Using ImageX and DISM

    Before you start

    Objectives: learn how to mount images, make changes, and commit changes by using the ImageX and DISM tools.

    Prerequisites: you have to have WAIK for Win 7 installed.

    Key terms: image, mount, dism, wim, imagex, unmount, commit

    Image Location

    We have our DVD in our DVD drive, so let's find our image. We will browse to the [DVD

    Drive]:\sources folder. There we can find 'install.wim' image.

    Figure 99 - install.wim Image Location

    Install.wim, which is a Windows image file, stores all five Windows 7 editions (we can see them below the

    install.wim image). Because of Single Instance Storage, if some fi