Network locations and the Windows 7 Firewall

It would be easy to underestimate the importance of a good firewall in protecting your computer when it is connected to the Internet. Studies have found that a computer could be compromised by a trojan, worm, or network attack in a matter of a few minutes if it did not have a firewall installed. Windows XP has a built-in firewall that is enabled by default. The Service Pack 1 version of the firewall gave fairly good protection against attack, but the Service Pack 2 version was much improved. If you are running Windows XP you should update your system to Service Pack 2, or preferably Service Pack 3, to secure your data.

Windows Vista included an updated security model for Internet communication. As new Vista network connections are created (wireless, dial-up, VPN), each connection must be classified as a Public, Private or Domain network location. A network location designation changes networking and firewall settings to reflect the possible threats on that network. A network at a public location such as a restaurant, hotel or airport poses the greatest risk and should be designated as a Public network. Windows Vista launches a dialog window whenever a new connection is established and prompts the user to choose a location. Windows Vista allows fine-tuning of the firewall settings for each network location by using the Windows Firewall with Advanced Security snap-in. The Advanced firewall includes inbound and outbound firewall rules that can precisely control what traffic is allowed through the firewall. Each rule can apply to one, two or all of the network locations.

Windows 7 builds on the firewall capabilities introduced by Windows Vista with new features for the Standard Firewall. The Windows 7 Standard Firewall allows enabling or disabling the firewall and the setting of notifications on a per-location basis. The Standard Firewall also permits the granting of inbound exceptions on individual network locations, a feature previously only available in the Advanced Firewall. Managing the Standard Firewall is easier on Windows 7 than on any previous version of Windows. Windows 7 also includes Internet Explorer 8, which runs in Protected Mode and has a phishing filter, as well as User Account Control, making it the safest Windows OS yet.
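
The per-location behaviour described above can be audited and set from the command line as well as from the snap-in. The following script is an added example, not code from the original post: it uses netsh advfirewall (the command-line interface to Windows Firewall with Advanced Security on Windows 7) to turn the firewall on for every location, make the Public profile block unsolicited inbound traffic, set notifications per location, and grant one inbound exception that applies only to the Domain and Private locations. The rule name and the Remote Desktop port 3389 are illustrative choices; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): audit and harden the three
# Windows 7 firewall profiles (Domain, Private, Public) with netsh advfirewall.
# Assumptions: elevated PowerShell on Windows 7; the rule name and TCP port 3389
# (Remote Desktop) are illustrative.

# 1. Show the current state and policy of all three profiles.
netsh advfirewall show allprofiles

# 2. Firewall on for every location; Public blocks all unsolicited inbound
#    traffic while still allowing outbound connections.
netsh advfirewall set allprofiles state on
netsh advfirewall set publicprofile firewallpolicy blockinbound,allowoutbound

# 3. Per-location notifications: prompt the user when a program is blocked on
#    Private and Public networks, stay quiet on the Domain network where
#    Group Policy is expected to manage exceptions.
netsh advfirewall set privateprofile settings inboundusernotification enable
netsh advfirewall set publicprofile  settings inboundusernotification enable
netsh advfirewall set domainprofile  settings inboundusernotification disable

# 4. An inbound exception scoped to two of the three locations: allow Remote
#    Desktop only while on the Domain or Private network, never on Public.
netsh advfirewall firewall add rule name="Remote Desktop (TCP-In, Domain/Private)" `
    dir=in action=allow protocol=TCP localport=3389 profile=domain,private

# 5. Log dropped packets on the active profile so blocked attempts can be
#    reviewed later (default log: %systemroot%\system32\LogFiles\Firewall\pfirewall.log).
netsh advfirewall set currentprofile logging droppedconnections enable

# 6. Verify the rule and the profiles it applies to.
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In, Domain/Private)"
```

Step 4 is the point of the example: the same exception can be granted on the Domain and Private locations while the Public location keeps refusing the traffic, so a laptop that roams between the office and a hotel network carries the right exposure in each place.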

-Mark

iPad: Enterprise Launch Pad

SharePoint and Exchange integration for the iPhone and iPod Touch is one thing, but consider for a moment the iPad (Wi-Fi only) and iPad "3G" (Wi-Fi + 3G), with their 132 pixel-per-inch XGA displays, for use with SharePoint, Exchange, and other enterprise applications. While these new devices' merits for personal use may be interesting from a consumer electronics perspective (on a lap, wall, tabletop, or dashboard), their utility as mobile workstations in business environments large and small, public and private, has humongous potential.

I'm not suggesting that every forklift operator in a warehouse, or every delivery person around the globe, any instructor with a projector, or every disk with a high definition workstation should abandon what's currently working for them and jump on a new iPad. Well, it's not a shipping product for another month or two (Wi-Fi first, then the Wi-Fi + 3G model), pending US FCC approvals. Also, with just an XGA display of 9.7" (approx. 246 mm) there would be a lot of scrolling (swiping/panning) around to see everything in a big virtual display; there are just some times when a bigger display is good. These first models have no integrated front and back cameras for using video chat (e.g. iChat) wherever you go without a laptop/notebook.

However, with updated versions of the Calendar, Contacts, Mail, and other built-in applications which are targeted at the iPad’s 1024×768 (XGA) display instead of the classic 480×320 (half-VGA) of the iPhone and iPodTouch, the usability of Microsoft Exchange Server hosted features in this size device is far more fluid than in its smaller cousins. With updated versions of Safari and other built-in apps, using SharePoint could be far more productive than with a small display.

Indeed, authoring emails, notes, meetings, and other text input can use the landscape or portrait mode on-screen multi-touch, multi-lingual, context-sensitive keyboards. If you're addicted to external physical keyboards, such an animal could be used as well, such as the recently announced optional keyboard, dock, and stand combination accessory. There are customary viewers for viewing Word, PowerPoint, and more kinds of documents. But what about authoring documents in SharePoint? Along with most of the 140,000 or so iPhone/iPod Touch applications which can run unmodified on the device in black-box or pixel-double modes, new applications can be (and are being) developed using the iPad SDK. Apple is releasing iPad-specific versions of Pages, Keynote, and Numbers (like their Mac OS X iWork versions) which are highly compatible with Microsoft Word, PowerPoint, and Excel. These are add-on paid apps.

Remote Desktop into your servers and less portable workstations for running native Windows apps with this portable display and mobile touch access on either Wi-Fi or (with the Wi-Fi + 3G model) 3G networks. If you've ever used Remote Desktop apps on the iPhone or iPod Touch, you likely appreciate not having to scroll as much, or at all, on such a light, highly mobile device.

Apple's finally-announced, soon-to-be-shipping iPad is different enough from most NetBooks and Touch PCs in many ways I shall not bore you with here. Once I've had a chance to integrate some into enterprise customers' networks, I hope to post a detailed review. Until then, let me know what you think the likelihood is that any of these devices will be either allowed onto your networks, into your facilities, or perhaps designed into your networks to run SharePoint apps, remote Windows apps, or device-local native apps. It's not just about running games on an accelerometer touch tablet.

-Brad

Scrapbooks anyone? Using the Windows 7 Snipping Tool

Years ago, back in the golden age of Life and Look magazines, many people enjoyed the simple pastime of keeping a scrapbook. This was in a period when people had time in their day for something called a "hobby" because they did not have 200 TV channels to watch and a two-hour daily commute to work. Clipping and pasting pictures and news articles into a book was a strangely satisfying way to put current events into a semblance of order and to create a memory book of the time.

Windows 7 has a great little program called the Snipping Tool. The Snipping Tool can cut any size piece of text, a drawing or a picture and then paste the piece into a Word document, PowerPoint slide or even an email. It is just like making a scrapbook page or a collage, except that the paste doesn't make your fingers stick together.

The snipping tool can save your “snips” as a Portable Network Graphic file (PNG), a GIF, a JPEG or an MHT. Snips are saved to the Clipboard and are easily imported into another file type. Snips can be edited further with a highlighter, colored pen or eraser in the Snipping Tool window and then pasted. I made a Word document that included snips from photos, text from a PDF document, and a portion of a graphic from a web page.

The Snipping Tool is simple but fun to use and could easily become addictive. Use it to liven up your emails, presentations, journal entries, etc. Or perhaps you could start that scrapbook you never had time to keep.

-Mark

Key Tools for Enterprise Deployment of Windows 7

Excited about replacing your aging Windows XP desktops with Windows 7? It can be an intimidating prospect to contemplate the possible pitfalls you may encounter as you develop your own build of Windows 7, add in-house applications and look for the best method to deploy that build. Microsoft has done a very good job of creating tools that make it easier to deploy Windows to the desktop.

A key technology is the Windows Automated Installation Kit (WAIK 2.0), available from the Microsoft Download Center at http://www.microsoft.com/downloads. The WAIK includes the System Image Manager (SIM), a tool that can create XML-based answer files that automate the installation of Windows 7 in all types of scenarios. An unattend.xml file created by the SIM can be used in a simple unattended installation of Windows 7 from a DVD, an over-the-network install from a network share, or to complete an image-based install using WDS.

A list of new or updated Windows 7 deployment utilities should include the following:

  1. Windows PE 3.0 for Windows 7 - Windows Preinstallation Environment 3.0 is a small operating system that is used to install Windows 7. It has been updated for Windows 7 and can be used with the latest versions of WDS, SCCM and the MDT 2010.
  2. Deployment Image Servicing and Management (DISM) - New for Windows 7, DISM has the ability to service existing Windows 7 WIM image files, adding drivers, service packs, Windows features, even Regional Settings, without the necessity of creating a new WIM.
  3. USMT 4.0 - The User State Migration Tool 4.0 can now store the migrated user state (documents, Windows settings, favorites, etc.) on the local computer's hard drive rather than a network share. USMT 4.0 can also capture a user state from a computer that is offline using Windows PE.
  4. The System Preparation Tool (Sysprep) is now built into Windows 7. Sysprep can prepare a computer for mass duplication by imaging software. Sysprep can also check the soundness of a Windows 7 installation and add device drivers that might be needed on some PCs.
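
As an added example of the DISM servicing described in item 2 (this is not code from the original post or from Microsoft's documentation), the script below mounts one image from a Windows 7 install.wim, adds drivers and a staged update package, lists the features, sets the regional settings, and commits the result back into the same WIM. Every path, the image index and the update file name are constructed placeholders; the script assumes an elevated PowerShell prompt on a machine with the WAIK 2.0 deployment tools installed.

```powershell
# Added example (not from the original post): offline servicing of a Windows 7
# image with DISM without rebuilding the WIM. All paths below are constructed
# placeholders; run from an elevated PowerShell prompt with WAIK 2.0 installed.

$Wim       = 'D:\Images\install.wim'             # WIM to service (assumption)
$Index     = 1                                   # image index inside the WIM (assumption)
$MountDir  = 'C:\Mount'                          # must be empty before mounting
$DriverDir = 'D:\Drivers\Win7'                   # folder tree of extracted .inf drivers
$UpdateCab = 'D:\Updates\Update-PLACEHOLDER.cab' # a staged hotfix or service pack .cab

function Invoke-Dism {
    # Run dism.exe with the given arguments and stop the script on any failure.
    param([string[]] $Arguments)
    & dism.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "dism $($Arguments[0]) failed with exit code $LASTEXITCODE" }
}

# 1. List the images in the WIM so the correct index is chosen.
Invoke-Dism @('/Get-WimInfo', "/WimFile:$Wim")

# 2. Mount the selected image read/write.
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Invoke-Dism @('/Mount-Wim', "/WimFile:$Wim", "/Index:$Index", "/MountDir:$MountDir")

try {
    # 3. Add drivers. DISM rejects unsigned drivers unless /ForceUnsigned is given;
    #    this example deliberately leaves that switch out.
    Invoke-Dism @("/Image:$MountDir", '/Add-Driver', "/Driver:$DriverDir", '/Recurse')

    # 4. Add an update or service pack package if one has been staged.
    if (Test-Path $UpdateCab) {
        Invoke-Dism @("/Image:$MountDir", '/Add-Package', "/PackagePath:$UpdateCab")
    }

    # 5. List the Windows features in the image and their state; a feature can
    #    then be switched with /Enable-Feature or /Disable-Feature /FeatureName:<name>.
    Invoke-Dism @("/Image:$MountDir", '/Get-Features')

    # 6. Regional settings for the image (UI language, locale, input method).
    Invoke-Dism @("/Image:$MountDir", '/Set-AllIntl:en-US')

    # 7. Review what is now in the image before committing.
    Invoke-Dism @("/Image:$MountDir", '/Get-Drivers')
    Invoke-Dism @("/Image:$MountDir", '/Get-Packages')

    # 8. Commit the changes back into the WIM.
    Invoke-Dism @('/Unmount-Wim', "/MountDir:$MountDir", '/Commit')
}
catch {
    # Any failure: discard the mounted changes so the WIM stays in its original state.
    Write-Warning $_
    & dism.exe /Unmount-Wim /MountDir:$MountDir /Discard
    throw
}
```

The try/catch matters more than it looks: a WIM left mounted after a failed step cannot be mounted again until it is unmounted, and committing a half-serviced image is how a bad driver ends up in every deployed desktop.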

Guidance for creating a complete Windows 7 deployment plan at the enterprise level is also available from Microsoft. For deployments of Windows XP and Vista the BDD 2007 (Business Desktop Deployment) tool has been a good resource. The latest version of the BDD is now called the MDT 2010 (Microsoft Deployment Toolkit), which includes support for Windows 7.

I will be releasing a Global Knowledge White Paper on Windows 7/Windows 2008 R2 deployment at the end of February 2010. It and other White papers can be found at:

http://www.globalknowledge.com/training/whitepaperlist.asp?pageid=502&country=United+States

-Mark

Related Courses

Implementing and Administering Windows 7 in the Enterprise (M50292)

Planning and Managing Windows 7 Desktop Deployments and Environments (M6294)

Back to Basics – Anyone? Anyone?

User account management is, for many administrators, technicians, and help desk people, an everyday activity. Today some of my students suggested names for user accounts and an organizational unit as I was demonstrating some Active Directory administration in PowerShell version 2.0 on Windows Server 2008 R2. Evidently, several of my students are either John Hughes fans, or perhaps Ben Stein fans? Regardless, here are a few tips on Active Directory management in PowerShell version 2.0. Yes, one of the user accounts is named "Ferris Bueller" after the movie which is ingrained in the brains of these students.

One of the great features of PowerShell version 2.0 is that if you have imported the Active Directory module (Import-Module ActiveDirectory), there are several cmdlets available for working with AD DS or AD LDS directly, and an AD: provider allows easy navigation through the directory.

For example, to navigate into the directory at the domain 777.wernerconsulting.com, you could use:

cd AD:\dc=777,dc=wernerconsulting,dc=com

Within that context, creating a new object such as an organizational unit can be done relative to that location. Note that I had misspelled the last name of the titular character from the aforementioned film. We’ll fix that later.

new-adorganizationalunit "beuler"

cd "ou=beuler"

The New-ADOrganizationalUnit cmdlet can accept just the name part of the relative distinguished name of the OU, without the need for the OU= tag. The Set-Location cmdlet (aliased as cd), however, does need the actual RDN "ou=beuler". Now, within this OU, other cmdlets can refer to that OU implicitly. For example, we could create a user account as follows.

new-aduser "Ferris Bueller"

Note that this basic user account does not have a password assigned, it is not enabled, and most of the exciting attributes which could be assigned have been left alone. Although this cmdlet accepts a few dozen parameters to specify attribute values at the time of creation, including the -OtherAttributes parameter which takes an associative array (hashtable) value, we have used the simple form here.

Before using subsequent cmdlets to make that user account useable and productive, let’s go up a level and fix the name of the OU.

cd ..

rename-adobject "ou=Beuler,dc=777,dc=wernerconsulting,dc=com" -NewName Bueller

cd ou=bueller

The “cd ..” navigates up a level in the directory just as it would in the registry, a certificate store, the file system, or via other hierarchical providers. The Rename-ADObject cmdlet is the one which does the real work of renaming the OU. Once that’s done we used cd again to get back into the cozy OU where the user account hangs out. Note that there is no need for quotation marks around the ou=bueller because there are no spaces or other crazy punctuation in that name.

Next, let’s make this user account useful by resetting its password and enabling the account.

Set-ADAccountPassword "Ferris Bueller" -reset

Set-ADAccountControl 'Ferris Bueller' -enabled $true

In the form used above, Set-ADAccountPassword was given only the name of the user account and the -Reset parameter, so the cmdlet prompted for the new password. The -NewPassword parameter could be used with a SecureString value instead. If you are changing the password rather than resetting it, the -OldPassword parameter must also be included.

The Set-ADAccountControl cmdlet allows management of a number of account control aspects of accounts, however we simply used the -Enabled parameter to make the account usable.
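
The same walk-through as one script, added here as an example rather than taken from the original post: it uses the ActiveDirectory module cmdlets with full distinguished names instead of the AD: drive, so it works from any location, and it fills in the pieces the interactive version left out (an explicit sAMAccountName, the -OtherAttributes hashtable, a SecureString for -NewPassword, and a forced password change at first logon). The domain 777.wernerconsulting.com comes from the post; the logon name fbueller and the attribute values are illustrative, and the script assumes an account permitted to create objects in the domain.

```powershell
# Added example (not the original post's commands): create an OU and a user,
# rename the OU, reset the password from a SecureString, enable the account.
# Assumptions: domain from the post; logon name and attribute values are illustrative.

Import-Module ActiveDirectory

$DomainDN = 'dc=777,dc=wernerconsulting,dc=com'
$OuName   = 'beuler'                      # deliberately misspelled, fixed below
$UserName = 'Ferris Bueller'
$Logon    = 'fbueller'                    # illustrative sAMAccountName

# 1. Create the OU. Only the name part is needed; -Path supplies the parent.
New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
$OuDN = "ou=$OuName,$DomainDN"

# 2. Create the user. Set the logon name explicitly rather than relying on the
#    value derived from -Name; -OtherAttributes takes a hashtable of LDAP attributes.
New-ADUser -Name $UserName -SamAccountName $Logon `
    -UserPrincipalName "$Logon@777.wernerconsulting.com" `
    -GivenName 'Ferris' -Surname 'Bueller' -Path $OuDN `
    -OtherAttributes @{ description = 'Created by script example'; department = 'Sales' }

# 3. Rename the OU. Rename-ADObject needs the full DN of the object; the DN
#    comparison is case-insensitive, so the capitalisation of the old name does not matter.
Rename-ADObject -Identity $OuDN -NewName 'Bueller'
$OuDN = "ou=Bueller,$DomainDN"

# 4. Reset the password from a SecureString instead of an interactive prompt.
#    Read-Host -AsSecureString keeps the value out of the command history.
$NewPassword = Read-Host -Prompt "New password for $Logon" -AsSecureString
Set-ADAccountPassword -Identity $Logon -Reset -NewPassword $NewPassword

# 5. Enable the account and force a password change at first logon so the
#    initial password set by the administrator is never the long-term one.
Set-ADAccountControl -Identity $Logon -Enabled $true
Set-ADUser -Identity $Logon -ChangePasswordAtLogon $true

# 6. Verify: enabled, living in the renamed OU, password set.
Get-ADUser -Identity $Logon -Properties Enabled, PasswordLastSet, DistinguishedName |
    Select-Object Name, SamAccountName, Enabled, PasswordLastSet, DistinguishedName
```

The order of steps 4 and 5 is deliberate: the account is enabled only after it has a password, so there is no window in which an enabled account exists with a blank one.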

There is so much more that is possible with PowerShell version 2.0 and its various modules. If you can’t take a day off like our fictitious friend Ferris, at least spend some time getting to know this new flavor of the shell which comes with Windows Server 2008 R2 and Windows 7 and is downloadable for several older versions of Windows.

-Brad

Related Courses

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services (M6425)

Configuring, Managing, and Maintaining Server 2008 R2 (M6419)

Implementing and Administering Windows 7 in the Enterprise (M50292)

We Got the Prints Off Your Trackpad/Mouse…

Every time I come across fingerprint, fingervein, retina, iris, and other sorts of biometric scanners, I think of various science-fiction movie characters Arnold Schwarzenegger and others have played, and numerous scenes in which some bad guy borrows someone else’s body part to gain biometric access to a secure area or system. But I assure you, biometrics are real and they are good. For computers of all shapes and sizes, for telephones, building, office, laboratory, and data center access, can biometrics with Mac, Linux, Solaris, Windows and such operating systems be effectively utilized?

Let's focus on a smaller question: what support do Microsoft Windows 7 and Windows Server 2008 R2 offer in terms of biometrics? Having authentication and subsequent authorization based on biometrics is not new in Windows if you consider third-party hardware and software, yet now Microsoft is making fingerprint devices and has included significant support for such devices from many vendors in these recent versions of Windows.

Be careful. Even Microsoft lists some of their own fingerprint readers as neither 32-bit nor 64-bit compatible with Windows 7. And there's a note on another Microsoft site which states "The Fingerprint Reader should not be used for protecting sensitive data such as financial information, or for accessing corporate networks. We continue to recommend that you use a strong password for these types of activities." Clearly, if you're not careful, there could be some concerns aside from how to authenticate people who have no fingers, certain cancer patients, and other people whose fingerprints aren't reliably readable. I hope you don't have to worry about someone borrowing a finger to gain access to your systems.

Yet there are many positive aspects to this huge step down the road to integrated biometric security which Microsoft has just taken. Windows Server 2008 R2 and Windows 7 both support the Windows Biometric Framework (WBF) which not only allows intrinsic security features such as interactive logon and user account control (UAC) to use fingerprint authentication, but also allows third-party applications to utilize such benefits.

Note that the new biometric features support both stand-alone computers and those in domain environments, as clearly stated more than once in TechNet’s “What’s New in Biometrics” article. Still, multi-factor authentication such as adequately secure passphrases (not simple passwords) along with fingerprint scanners can provide greater security. Better still, smartcards plus biometrics offer a potentially more secure combination.

Am I suggesting that everyone dive into the fingerprint scanning pool and abandon passwords altogether? No, not yet and not without smartcards, and not without a good system lifecycle design which includes recovery and remediation options for all scenarios. This step Microsoft has taken to reduce the dependence on third-party hardware and software for such an integral facet of the operating system as authentication is of immense significance. Please keep two things in mind as you evaluate such technologies. First, Microsoft refers to the control panel, group policy, framework, and driver aspects generically as biometrics rather than just specifically fingerprints, so expect more options in the near future. Second, be sure to involve help desk, network security, and directory personnel in the design of the pilot project(s) for evaluation and broader deployment. Although smartcards and biometrics can both offer significant advantages over the woes of password insecurity, they each have their own costs in the operational and support infrastructure.

Oh, and one more thing. Don’t forget to stock up on alcohol wipes and have all users wipe their fingerprints off their laptops each time they’re done using them, or ask them to wear gloves except when they’re authenticating.

-Brad

When worlds collide – run Windows 7 on a Mac

My daughter is getting a MacBook Pro on her 21st birthday. It is one small step short of heresy to have such an event in a household headed by a Microsoft Trainer and MCITP-EA professional! I have done some research and have found that there is indeed SOTM (Something Other Than Microsoft) available to unsuspecting consumers (many of them young people) that can be purchased without even so much as a warning label. After numerous discussions/arguments in which I was unable to change my first-born's decision ("Dad, I want to run graphics programs on my laptop and everybody knows Macs are the best for that!"), I decided to concede that her choice was final.

I have been told by some of my students that they can run Windows on their Macs. In fact many people buy Mac laptops with the intention of running a dual boot configuration of Windows and Snow Leopard (Apple's latest OS). Apple provides a program called Boot Camp on the OS's DVD to facilitate this. Many unlikely people have Macs, such as Paul Thurrott, a prominent blogger and Microsoft wonk. Thurrott has two Macs: http://community.winsupersite.com/blogs/paul/archive/2008/06/16/i-bought-a-new-macbook-to-run-windows-why.aspx

Windows 7 will run well on the laptop because the MacBook Pro has some decent hardware. Included are a 2.26 GHz Intel Core 2 Duo processor, 1066 MHz DDR3 SDRAM memory and good graphics hardware. The keyboard feel is excellent. My daughter is getting the 3 year AppleCare extended warranty. Apple has a good reputation for service with this plan.

We expect the laptop to ship in the next few days. Once it arrives it will be a challenge to get my daughter to give up control long enough to get Windows 7 installed.  To be continued…

-Mark

How to update to the Enterprise Desktop Support Technician (EDST) Certification

At one point, Microsoft and the Help Desk Institute (www.ThinkHDI.com) had combined forces to develop and deliver the MCITP: Enterprise Desktop Support Technician 7 certification.  The MCITP: Enterprise Support Technician 7 was developed to identify quality help desk support professionals who had deep technical expertise (validated by Microsoft) and also possessed strong customer service skills (validated by HDI, an industry-recognized standards body that promotes best practices).

Well, the news now is that the Help Desk Institute (HDI) certification is NOT required to earn the new MCITP: Enterprise Desktop Support Technician 7 credential. Previously, this had been a requirement; now it is not. The requirements for you to earn the MCITP: Enterprise Desktop Support Technician 7 credential are:

• 70-680: TS: Windows 7, Configuring

• 70-685: Pro: Windows 7, Enterprise Desktop Support Technician

Good news: these tests are available at any Prometric testing site.

Now, if you want to upgrade to the Enterprise Desktop Support Technician certification, you must hold at least one of the two certifications:

• MCITP: Enterprise Support Technician (Windows Vista)

• MCDST (Windows XP)

In this case, you will need to take but one exam: 70-682: Pro: Upgrading to Windows 7 MCITP Enterprise Desktop Support Technician. This upgrade exam is not available yet, as it has a planned release in the February/March time frame. Keep reading here and I will keep you posted when more details are available.

All is not lost here though (well, not really lost – just not established) – Microsoft is looking to explore new partnership opportunities with other certification programs (including HDI), they just don’t have any new certifications to report at this time.

Keep reading here for more information on the EDST Certification and for more news on other MS certifications.

-Randy

Related Courses

MCITP: Windows 7 Enterprise Desktop Administrator Boot Camp

MCTS: Windows 7 Certification Boot Camp

Implementing and Administering Windows 7 in the Enterprise (M50292)

Smartcards in Windows 7 and Windows Server 2008 R2

One of my favorite features of Windows 2000 was its built-in support for smartcards. As Windows has evolved since then, through XP and Server 2003, to Vista and Server 2008, and now with Seven and Server 2008 R2, we have greater and more solid support for smart cards. In this article, I’d like to describe the current support in Windows 7 and Server 2008 R2 for smartcards; a later article will delve into fingerprint reader (biometrics) support.

One of the Windows 7 and Windows Server 2008 R2 changes is support for the United States Federal Government's Personal Identity Verification (PIV) standard for employee and contractor smartcards, which extends the Common Access Card (CAC) use of smartcards. A vendor of biometrics or other identity verification hardware which is compliant with the PIV standards can issue specialized drivers through Windows Update. When an end user inserts their PIV-compliant smartcard for authentication, the appropriate device drivers can potentially be downloaded to the Windows 7 workstation automatically. This extends the basic smartcard plug and play functionality with support for PIV-compliant systems. There is even a generic driver included with Windows 7 in support of scenarios where a specific driver is not available.

But what if you don’t work for the U.S. Federal government – is there anything else new in the way Windows 7 supports smartcards which could be useful to you?

Since Windows 2000, there has been support for using smartcard public key (PK) authentication for the initial Active Directory-based Kerberos authentication at user logon. As the standards for this have evolved, newer versions of Windows have kept up. Windows 7 and Windows Server 2008 R2 implement RFC 4556, PKINIT, which describes public key cryptography for initial authentication in Kerberos as an open specification.

Windows Vista introduced an update to the Cryptographic Application Programming Interface (CryptoAPI) used in Windows 2000 and XP – this update is called the Cryptography API: Next Generation (CNG). This CNG has been further enhanced in Windows 7 and Windows Server 2008 R2 for additional plug and play capabilities similar to the PIV driver update ability via Windows Update, but for supporting smartcards in any application software that implements the CNG. Therefore, any line-of-business (LOB) applications which are properly developed could integrate with basic and enhanced smartcard functionality.

Let's go back to the updates to PKINIT support and smartcard logon. Diffie-Hellman (DH) and Rivest-Shamir-Adleman (RSA) forms of public key cryptography and the classic forms of shared secret key cryptography (e.g. DES, 3DES, RC4) have been supported in Windows for many years. But when combined with the CNG support of elliptic curve algorithms for public key cryptography (e.g. ECDH, ECDSA), more modern shared secret key algorithms (e.g. AES128 and AES256) and longer hash lengths (e.g. SHA384), the modern versions of Kerberos and PKINIT in Windows 7 and Windows Server 2008 R2 can provide a solid foundation in your security infrastructure that supports PIV extensions as well.
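
Smartcard logon through PKINIT depends on the certificate on the card, so a practical check is which certificates in a user's store are actually usable for it and whether they still rely on the older algorithms named above. The function below is an added example, not code from the original post: it scans a certificate store for the Smart Card Logon enhanced key usage (OID 1.3.6.1.4.1.311.20.2.2), reports the public key algorithm, key size and signature hash, and flags RSA keys below a chosen minimum, MD5/SHA-1 signatures and expired certificates. It is read-only and assumes PowerShell 2.0 on Windows 7; the 2048-bit threshold is a policy choice, not something the post states.

```powershell
# Added example (not from the original post): report certificates usable for
# smartcard logon and flag legacy key sizes and signature hashes. Read-only.
# Assumptions: PowerShell 2.0 on Windows 7; the 2048-bit RSA minimum is a policy choice.

$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU

function Get-SmartCardLogonCertificateReport {
    param(
        [string] $StorePath     = 'Cert:\CurrentUser\My',
        [int]    $MinimumRsaBits = 2048
    )
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Collect the enhanced key usage OIDs; skip certificates without Smart Card Logon.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuOids = @()
        if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        if ($ekuOids -notcontains $SmartCardLogonOid) { return }

        $algorithm = $cert.PublicKey.Oid.FriendlyName       # e.g. RSA or ECC
        $keySize   = $null
        try { $keySize = $cert.PublicKey.Key.KeySize }      # legacy key object; ECC keys may not expose one
        catch { $keySize = $null }
        $sigAlg    = $cert.SignatureAlgorithm.FriendlyName  # e.g. sha1RSA, sha256RSA, sha384ECDSA

        # Findings a reviewer would want to see next to each certificate.
        $findings = @()
        if ($algorithm -eq 'RSA' -and $keySize -ne $null -and $keySize -lt $MinimumRsaBits) {
            $findings += "RSA key shorter than $MinimumRsaBits bits"
        }
        if ($sigAlg -match '^(md5|sha1)') { $findings += "signature hash is $sigAlg" }
        if ($cert.NotAfter -lt (Get-Date)) { $findings += 'expired' }

        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            Algorithm  = $algorithm
            KeySize    = $keySize
            Signature  = $sigAlg
            NotAfter   = $cert.NotAfter
            Findings   = ($findings -join '; ')
        }
    }
}

# Usage: the current user's store, then the machine store for auto-enrolled certificates.
Get-SmartCardLogonCertificateReport | Format-Table Subject, Algorithm, KeySize, Signature, NotAfter, Findings -AutoSize
Get-SmartCardLogonCertificateReport -StorePath 'Cert:\LocalMachine\My' |
    Format-Table Subject, Algorithm, KeySize, Signature, NotAfter, Findings -AutoSize
```

The function never touches the private key, so it will not trigger a PIN prompt on an inserted card; it only reads the public certificate that PKINIT presents to the KDC.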

For securing documents, email, and other network traffic, the combination of CNG, PKINIT, and PIV can be extended to IPsec, S/MIME, and XPS for a powerful array of features targeted at deployments requiring defense in depth strategies. What if you want to encrypt whole disk volumes? If you’re using the Enterprise or Ultimate editions of Windows 7, smartcards can be used to unlock BitLocker encrypted disk volumes. Again, if you need PIV support, any specialized device drivers can be downloaded via Windows Update.

It’s a matter of evolution rather than earth-shatteringly new features, however Windows 7 and Windows Server 2008 R2 strongly continue the tradition of Windows support for smartcards which began with Windows 2000. What has changed is the ease of deployment and management of smartcards in Windows, enhancements to security with newer protocols and algorithms, and support for newer multi-factor authentication standards in an authentication, authorization, auditing system. Are you using smartcards yet? Or are you still trusting your systems to password/passphrase security?

-Brad

Virtual Business Cards

Now here is something very cool from Microsoft Learning: the Virtual Business Card. Now what, you may ask, is a Virtual Business Card? It is a tool that you can use to create, customize, and share your credentials online in a visually striking manner. Everyone who has an MCP or MCT profile can now create their own cards. Virtual Business Cards (VBC) are now live and exclusively available to all Born to Learn readers and MCTs.

This card is intended for use on online properties like your email signature, blog, forum signature, etc. You can share this card via a simple link, an embeddable JavaScript card, or as an image (PNG). You can choose to download the image or link it off Microsoft's server. As long as it's hosted on their server (i.e. you didn't download it), they can even push updates or changes to your card to all of the places where you've used it.

Each Virtual Business Card will have its own associated profile page. The profile page can act as your online resume. You can select what certifications appear on this page and you have open space to enter whatever information you like, such as your resume or recent accomplishments. You can even include a link to your official transcript. Since this page is hosted from a Microsoft-owned URL, this is your way to show that it's official information.

You create and customize your Virtual Business Card through a step-by-step process. All of your personal information is optional and you can enter whatever you like; after all, it is your business card.

I think this is a great idea with lots of potential; we just need more certified individuals to take advantage of this!

-Randy
