This week's lesson talks about security settings in Windows. These include using domain and local Group Policy to set software restriction policies; they can be set to block unwanted apps by file name or path, by a hash value, by the Internet zone location of the downloaded file, or by certificate for signed apps. Each of these methods has benefits and drawbacks associated with it that are covered in detail in the lesson.
Another approach is to use AppLocker, which is a more flexible tool available in enterprise versions of Windows 7 and Windows 8. It operates much like the software restriction policies do, but, unlike the generic software restriction policies used in the Group Policy editor, it offers the ability to restrict or allow by certain users or groups. AppLocker also allows policies to take effect for all past and future versions of an application, and its policies take precedence over software restriction policies.
Another issue that Microsoft has addressed in Windows 8 is the ability to disallow rootkits from running. This is done by requiring manufacturers to use a UEFI BIOS. This BIOS type ensures that boot code will not run unless it is signed with a trusted certificate, and since rootkits need to get in front of the OS in order to subvert it, this shuts down that angle of attack. One downside is that it is more difficult, if not impossible, to dual-boot systems with a different operating system such as Linux.
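As an added example, not from the lesson or this blog: building an AppLocker executable policy with PowerShell that uses the rule types described above (publisher certificate where a file is signed, hash otherwise), scoped to one group, tested against sample files and then merged in audit-only mode. The directory, group and user names are assumptions.

```powershell
# Added example (not the lesson's or the blog's code). Assumed values:
# the application directory, the CONTOSO group and user, and the output path.

# AppLocker is enforced by the Application Identity service; without it
# running, no rule (allow or deny) has any effect.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Inventory executables in a known-good directory. For signed files the
#    publisher (certificate) data is collected; a hash is collected for all.
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files\ExampleApp' -Recurse -FileType Exe

# 2. Generate allow rules: publisher rules where a signature exists, hash rules
#    otherwise. A publisher rule keeps matching future signed versions, which a
#    hash rule cannot. -User scopes the rules to one group (SRP cannot do this).
#    -Optimize merges rules sharing a publisher; -IgnoreMissingFileInformation
#    skips files whose hash or signature could not be read instead of failing.
$policyXml = $files |
    New-AppLockerPolicy -RuleType Publisher, Hash `
                        -User 'CONTOSO\Workstation Users' `
                        -RuleNamePrefix 'ExampleApp' `
                        -Optimize -IgnoreMissingFileInformation -Xml

# 3. Start in audit-only mode. The generated collection is NotConfigured;
#    AuditOnly logs what would be blocked (event 8003 in the
#    Microsoft-Windows-AppLocker/EXE and DLL log) without blocking anything.
$policyXml = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyPath = 'C:\Policies\ExampleApp-AppLocker.xml'
$policyXml | Out-File -FilePath $policyPath -Encoding UTF8

# 4. Dry run before deploying: what would the policy decide for these files
#    and this user? PolicyDecision is Allowed, Denied or DeniedByDefault.
Test-AppLockerPolicy -XmlPolicy $policyPath `
    -Path 'C:\Program Files\ExampleApp\app.exe', 'C:\Users\Public\Downloads\unknown.exe' `
    -User 'CONTOSO\jdoe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Merge into the local policy (add -Ldap '<GPO LDAP path>' to target a
#    domain GPO instead), then show the effective policy the client will use.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Get-AppLockerPolicy -Effective -Xml
```

Switch the collection to `EnforcementMode="Enabled"` only after the audit log shows no 8003 events for legitimate software.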
The balance of the lesson talked about security controls in Internet Explorer, and how to use the four security zones to classify internet traffic to best secure a system. There didn't seem to be a lot of difference in how security options have been treated since Windows XP. One thing I noticed is that Windows Defender is not built into the IE options interface in Windows 8 systems.
This has been a challenging look at managing Windows client systems. I've learned a lot, and can't wait to apply my new skills in the real world!
My Net-151 Blog
Sunday, November 30, 2014
Sunday, November 23, 2014
Lesson Ten: System Protection
This week’s lesson revolved around best practices in maintenance and fault recovery for Windows 7, 8 and 8.1 systems.
Even though Windows Update has been around for a long time, it doesn’t seem like there have been many changes in its look, feel and function. As I’ve been dealing with this process for over 15 years since the advent of Windows 98, there were few surprises about how the update function works. It seems like a mundane system item, but it really is vital as it is an axiom in the IT world that “Patch Tuesday” when Microsoft releases security updates is followed by “Exploit Wednesday” when previously unknown vulnerabilities are taken advantage of on unpatched systems.
One thing that was interesting was the information on how to connect to a local Windows Update server, although it would have been useful to learn how to set up such a server. Maybe that will come in a future certification class.
The other major items covered related to system backup and restore. Windows 7 and 8 have a robust backup and restore utility that is easy to use and works very well. Of course, when something is stable and works with a minimum of fuss, the geniuses in Redmond must change it up, so Windows 8.1 does not include the Windows 7 utility. Instead, there is a system called File History, which deals with personal files. This utility looks a lot like the Apple approach to backup tasks, and does seems to work well. System files and applications are backed up with System Restore, which looks a lot like the Windows 7 backup and restore console but with less user options available.
Modern Windows variants also contain tools for recovery of machines that won’t boot successfully for whatever reason. Windows 7 and 8 have the traditional F8 tools accessible after the BIOS boots, but Windows 8.1 no longer has that ability. Instead, one must use recovery media or a preconfigured flash drive to boot into a recovery environment. Once in this environment, there are options to repair data or reload the operating system. Windows 8.1 also contains a useful “Swiss Army knife” utility tool that combines many functions. This tool, called the Diagnostics and Recovery Toolset (DaRT) has utilities that will reset a user password, repair the master boot record, restore lost files and remove malware among other things. It looks to be a quick and easy tool to help solve many system recovery issues.
One more lesson – see you next week.
Sunday, November 16, 2014
Lesson Nine: System Monitoring and Maintenance
This week's lesson covered a very important role of the IT support professional, that of monitoring system performance and troubleshooting system failures.
Modern Windows versions have several methods to help discern points of failure or poor performance. They include the Windows Memory Diagnostic Tool, which is a neat tool that looks for defective memory. Bad RAM can be one of the most frustrating items to discover, and this tool helps to find bad RAM and mark it so that it is not used.
Another tool is the Windows Network Diagnostics Tool, used to check and verify network connectivity. This can help to find problems in your network infrastructure by looking at issues with network adapters, shared folders, internet connections, incoming connections, network printers and HomeGroups. This tool runs automatically when a problem is detected and displays possible solutions for the discovered problem.
Startup Repair is a tool that I have used several times to automatically fix a system that won't start successfully. If the tool can't automatically fix the problem preventing system boot, it will roll back the system to the last known good state.
The System Configuration tool (better known as msconfig.exe) has been around since at least Windows XP. It helps to troubleshoot system issues and optimize startup. Using this tool requires that the system be able to boot up normally.
The lesson went on to talk about system logs, and how to use them to gain understanding about a machine. It's possible to configure a machine to collect system logs from many different computers in order to manage problems from one central spot. This can be done either by having the collector machine go out and get logs from the various clients, or by configuring the clients to push logs to the collector computer; in general the second approach is better practice. This can be controlled by application of local system and group policies.
Another important aspect of computer management is discovering how well the system is capable of performing. This can be done by use of the Windows Performance Index, beginning with Windows Vista. This aggregates a system score from hardware component scores, with the overall score determined by the lowest component score. Using this tool helps to understand how best to upgrade a machine. In Windows 8.1, the graphical output has been eliminated but the data is still available through PowerShell commands.
The Windows Performance Monitor displays a real-time graph of system performance. You can use collector objects to track performance over time. It's also possible to generate a system health report using this tool.
The Windows Reliability Monitor is a neat tool that I was not aware of before this week's lesson. It tracks system faults and other performance issues and gives the administrator the option to look back at the previous year on a daily or weekly basis to discover trends and fault issues. This is a very useful tool that I will now be able to use to help in system troubleshooting.
They went on to talk about other system performance settings, including changing visual effects, changing the size and location of the system memory paging file, and processor scheduling to favor foreground or background processes. You can also increase system performance by using the ReadyBoost feature, which uses faster flash memory to decrease cache access times.
Remote access to a system is an important arrow in any sysadmin's quiver. It's now possible to use the Windows Remote Shell to gain command line control to run PowerShell commands or to remotely execute applications.
Windows Remote Desktop is another tool that has been around for a long time and remains useful for today's needs. It allows graphical control of a remote machine and complete control of that machine. This is a tool that is extremely useful for the busy sysadmin.
Windows Remote Assistance operates a lot like Remote Desktop, but has a few important differences. It does allow shadowing, so that a remote user and the local user can see and access the same things at the same time. Unlike a Remote Desktop connection, which can be interrupted and reconnected, a Remote Assistance session cannot be reconnected. It's possible for the remote user to control the length of time a helper is given access to the machine. It's very useful for connections that are only made once or a limited number of times.
Lots of useful stuff here this week -- I'm glad I learned it!
Sunday, November 9, 2014
Lesson Eight: Mobile Computing
This week's lesson focused on mobile computing. Microsoft has come a long way since I had my Windows smartphone back in 2007, which was basically useless. The modern suite of operating systems and apps that work with mobile devices includes the Windows RT operating system for mobile devices, and Microsoft Intune to help manage them in a corporate environment.
Since you can't join mobile devices to a domain, you therefore can't use Group Policy to help manage and secure them. Windows Intune is an app that works on Windows 8, 8.1 and RT devices as well as Apple iOS devices such as the iPhone. Intune can be used to encrypt the information on these devices as well as remotely wipe them in case of theft or loss. It can also be used to enforce firewall and other security policies such as malware and antivirus protection, and to ensure that Windows Updates are current.
BitLocker is another technology that can be used to encrypt hard drives so that even if they are removed and placed into a different machine they cannot be decrypted. This can be done by use of a hardware chip on the motherboard called a TPM, or Trusted Platform Module. If this is not present, then a USB stick could also be used. There are lots of safeguards in place to ensure that data does not fall into the wrong hands.
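As an added example, not from the lesson or this blog: enabling BitLocker on the operating system volume with PowerShell, using the TPM when one is present and usable and a USB startup key otherwise, exactly the two protector choices described above, plus a recovery password so a lost stick or a replaced board does not lock the owner out. The drive letters and the Active Directory escrow step are assumptions about the environment.

```powershell
# Added example (not the lesson's or the blog's code). Assumed values:
# the OS volume letter, the removable drive used for a startup key, and that
# the machine is domain-joined with AD configured to store recovery info.

$osVolume    = 'C:'
$usbKeyDrive = 'E:'   # assumed removable drive that will hold the startup key

# Add a recovery password first, so there is always a second way in.
# The returned volume object lists the protectors, including the new one.
$vol = Add-BitLockerKeyProtector -MountPoint $osVolume -RecoveryPasswordProtector
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

$tpm = Get-Tpm
if ($tpm.TpmPresent -and $tpm.TpmReady) {
    # The TPM seals the volume key to the boot measurements, so the disk will
    # not unlock if it is moved to another machine or the boot chain changes.
    Enable-BitLocker -MountPoint $osVolume -EncryptionMethod Aes256 `
                     -TpmProtector -SkipHardwareTest
}
else {
    # No usable TPM: the key is written to a USB stick that must be present at
    # boot. This path requires the Group Policy setting "Require additional
    # authentication at startup" with "Allow BitLocker without a compatible
    # TPM" enabled; otherwise Enable-BitLocker refuses the startup-key protector.
    Enable-BitLocker -MountPoint $osVolume -EncryptionMethod Aes256 `
                     -StartupKeyProtector -StartupKeyPath $usbKeyDrive -SkipHardwareTest
}

# Escrow the recovery password in Active Directory (assumed domain setup) so
# the help desk can recover the volume without the user's USB stick or TPM.
Backup-BitLockerKeyProtector -MountPoint $osVolume -KeyProtectorId $recovery.KeyProtectorId

# Verify: protection state, encryption progress and the protectors in place.
Get-BitLockerVolume -MountPoint $osVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
                  @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

ProtectionStatus reports On only once encryption has completed and at least one key protector is active; until then the volume is readable if removed.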
We also learned about power management for mobile devices, and how Windows works with offline files. This is pretty neat, as you can set up a share to cache and distribute changed files if a node goes offline for some reason.
There is a great deal of information here, Windows has come a long way in its handling of mobile device support.
Sunday, October 26, 2014
Lesson Seven: System Images
In this week's lesson, we learned about working with system images. Microsoft has included several useful tools to create and manage image files that can be used while unmounted. This can be handy for many tasks. One task that quickly comes to mind is to use these apps to keep an existing image up to date by adding updated system drivers.
Image files can be created with resources from the Windows Automated Install Kit (WAIK). This kit includes the Windows PE environment, which is a stripped down version of Windows that facilitates creating images as well as other installation tasks. You can also use the AIK to create an unattended answer file that provides Windows with responses to prompts in order to perform an automatic install.
Other tools include the Deployment Image Servicing and Management tool (DISM). DISM applies updates such as drivers, language packs or system updates to an existing image. This helps to keep images fresh and cuts down on the time needed to keep stored images current.
You can also use the Windows Deployment Services to load boot and install images onto a machine running Windows 2012 Server and then use those images to boot and install Windows from a PXE boot using the network card.
There is a great deal of extremely useful information here, keep it up, Microsoft!
Sunday, October 19, 2014
Lesson Six: Windows Installation
This week’s lesson focused on the various flavors of Windows 7 and 8, and the many new features that they contain.
Windows 7 has six different editions, ranging from a starter edition, through Home Premium, Professional, Enterprise and Ultimate editions. It’s necessary to use the Windows 7 Professional, Enterprise or Ultimate variants to join a domain and work in a corporate environment.
Windows 8 only has four different editions: Windows RT, which operates on the ARM architecture found in mobile devices, Windows 8 (base), Windows 8 Professional, and Windows 8 Enterprise. The Pro and Enterprise variants can be used in a corporate environment. Windows 8.1 has the same variants as Windows 8 and has much the same features and restrictions as Windows 8.
The lesson then went on to discuss user migration between the various flavors of Windows. The system administrator has a great deal of control over what is transferred and how that process is managed.
Another big part of this lesson was the use of virtualization, which is the process of running one or more virtual machines on a physical computer. This has many possible benefits, such as leveraging existing hardware to run tasks as if there were more than one machine available. It’s also possible to run a virtual machine with a different operating system than the one installed on the physical PC.
Another cool virtualization wrinkle is the use of virtual hard drives (VHDs), a special file type that fools the machine into thinking that the file is a separate hard drive. It’s possible to use a fixed size, or a dynamic size that gets larger as more space is needed. This virtualization operates in much the same fashion as the virtualization implemented in Windows Server 2012.
Another fascinating lesson that I will be able to put to good use in my career. Looking forward to more next week!
Sunday, September 28, 2014
Lesson Five: System Access
This week’s lesson focused on how Windows grants and manages system access to individual users.
They talked about the difference between authentication and authorization: authentication is the process of ensuring the user is who they say they are, and authorization is the process of granting them rights to access network resources. Users can be created and managed in the Users applet in Control Panel in Windows 7 and 8, and the PC Charms applet in Windows 8.1; users can also be managed through the Computer Management applet.
Windows contains a credential manager to store the different types of credentials held on the user’s system. It’s possible to run applications using a different user’s credentials using the Run As command, or by using shift-right click on an application icon. Windows 8 requires a local Group Policy setting change to allow this behavior.
In Windows 8, you can use alternative methods of authentication, including a Picture Password as well as a 4-digit PIN. You can also use a Microsoft Account to authenticate.
The material then talked about resource sharing. Windows 7 and 8 now have right-click sharing from the file explorer shell, as well as the more familiar advanced sharing available in prior versions.
Windows also allows network resources such as printers to be shared and managed by remote users. Windows 7 and 8 also have a built in sharing feature, called HomeGroup in Windows 7 and PrivateGroup in Windows 8. Windows 7 also provides for libraries, which allow files from different folders to be grouped in one place. The library can then be accessed with the same rights management available for standard folders.
The lesson continued by discussing auditing actions that are available to the system administrator. There are many different actions that can be audited for either success or failure. This week's large amount of content concluded with a look at the Windows Encrypting File System (EFS), which allows files and folders to be stored in an encrypted manner on the file system. This is enabled by issuing a user certificate that uses a public and private key pair to encrypt and decrypt the file.
The final lesson was on BranchCache, which is a method whereby content can be made available for a location with unreliable internet access. It can be used to improve speed on low bandwidth connections. Cached data is encrypted using IPSec and transmitted by HTTPS.
Another interesting if slightly overwhelming lesson, lots more good stuff anticipated next week!