This week's lesson talks about security settings in Windows. These include using domain and local Group Policy to set software restriction policies, which can block unwanted apps by file name or path, by hash value, by the Internet zone the file was downloaded from, or by certificate for signed apps. Each of these methods has benefits and drawbacks, which are covered in detail in the lesson.
Another approach is to use AppLocker, a more flexible tool available in the Enterprise editions of Windows 7 and Windows 8. It operates much like software restriction policies do, but unlike the generic software restriction policies in the Group Policy editor it can restrict or allow by specific users or groups. AppLocker also allows a rule to take effect for all past and future versions of an application, and AppLocker rules take precedence over software restriction policies.
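As an added example (not from the lesson or this blog), here is how the three rule types and the per-group scoping described above look when AppLocker rules are built and tested with the AppLocker PowerShell module. The install directory, group name, test file paths and output file are assumptions for illustration.

```powershell
# Added example, not from the lesson or this blog: building and testing AppLocker
# rules with the AppLocker PowerShell module (Windows 7/8 Enterprise). The install
# directory, group name, test files and output path are assumptions for illustration.
Import-Module AppLocker
$PolicyFile = "$env:TEMP\ExampleApp-AppLocker.xml"

# 1. Inventory executables in a trusted install location. Each record carries the
#    publisher (if signed), hash and path: the same three rule types that software
#    restriction policies use.
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files\Example App' -Recurse -FileType Exe

# 2. Generate rules. -RuleType is an order of preference: a publisher rule for
#    signed files keeps applying to past and future versions of the product, a
#    hash rule is the fallback for unsigned files (and must be regenerated on every
#    update). -User scopes the rules to one group, which software restriction
#    policies cannot do.
$ruleParams = @{
    FileInformation = $files
    RuleType        = 'Publisher', 'Hash'
    User            = 'CONTOSO\Finance Users'    # assumed group name
    RuleNamePrefix  = 'ExampleApp'
    Optimize        = $true                      # merge overlapping rules
    Xml             = $true
}
$xml = New-AppLockerPolicy @ruleParams

# 3. Start in audit mode: would-be blocks are logged to the AppLocker event logs
#    but nothing is stopped, so the rule set can be tuned on real usage first.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$xml | Set-Content -Path $PolicyFile -Encoding UTF8

# 4. Dry-run the policy against sample files before applying it. The decision for
#    each path is Allowed, Denied, or DeniedByDefault (no rule matched, so the
#    default deny applies).
$testPaths = 'C:\Program Files\Example App\app.exe', 'C:\Users\Public\Downloads\unknown.exe'
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $testPaths -User 'CONTOSO\alice' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply locally, merging with whatever policy is already in place, and make sure
#    the Application Identity service that AppLocker depends on is running.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
```

In a domain the same XML would be imported into a GPO instead of applied with `Set-AppLockerPolicy`; the audit-first step is the part worth keeping either way, since the audit events show exactly which files users actually run before anything is blocked.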
Another issue that Microsoft has addressed in Windows 8 is the ability to stop rootkits from running. This is done by requiring manufacturers to use a UEFI BIOS. This BIOS type ensures that boot code will not run unless it is signed with a trusted certificate, and since rootkits need to get in front of the OS in order to subvert it, this shuts down that angle of attack. One downside is that it is more difficult, if not impossible, to dual-boot such systems with a different operating system such as Linux.
The rest of the lesson covered security controls in Internet Explorer, and how to use the four security zones to classify internet traffic to best secure a system. There didn't seem to be a lot of difference in how security options have been treated since Windows XP. One thing I noticed is that Windows Defender is not built into the IE options interface on Windows 8 systems.
This has been a challenging look at managing Windows client systems. I've learned a lot, and can't wait to apply my new skills in the real world!
Sunday, November 30, 2014
Sunday, November 23, 2014
Lesson Ten: System Protection
This week’s lesson revolved around best practices in maintenance and fault recovery for Windows 7, 8 and 8.1 systems.
Even though Windows Update has been around for a long time, it doesn’t seem like there have been many changes in its look, feel and function. As I’ve been dealing with this process for over 15 years, since the advent of Windows 98, there were few surprises about how the update function works. It seems like a mundane system item, but it really is vital: it is an axiom in the IT world that “Patch Tuesday”, when Microsoft releases security updates, is followed by “Exploit Wednesday”, when previously unknown vulnerabilities are taken advantage of on unpatched systems.
One thing that was interesting was the information on how to connect to a local Windows Update server, although it would have been useful to learn how to set up such a server. Maybe that will come in a future certification class.
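As an added example (not from the lesson or this blog), the following script reads the policy values that point a client at a local Windows Update server and checks them against the "Patch Tuesday / Exploit Wednesday" concern above: is the client actually using the local server, is the connection protected, and how long since an update last installed. The registry paths are the ones the intranet update location policy writes; the server name and the sample configuration at the bottom are constructed for illustration.

```powershell
# Added example, not from the lesson or this blog: checking how a client is pointed
# at a local Windows Update (WSUS) server. The sample configuration at the bottom
# is constructed; the server name in it is an assumption.
function Get-WsusClientConfig {
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
    $results = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UseWUServer     = [bool]$au.UseWUServer
        WUServer        = $wu.WUServer          # where updates are downloaded from
        WUStatusServer  = $wu.WUStatusServer    # where install status is reported to
        AUOptions       = $au.AUOptions         # 2 notify, 3 auto-download, 4 auto-install on schedule
        LastInstallTime = $results.LastSuccessTime
    }
}

function Test-WsusClientConfig {
    param([Parameter(Mandatory)]$Config, [int]$MaxDaysSinceInstall = 35)
    $findings = @()
    if (-not $Config.UseWUServer) {
        $findings += 'Client updates directly from Microsoft Update, not the local server'
    } elseif (-not $Config.WUServer) {
        $findings += 'UseWUServer is set but no WUServer URL is configured'
    } elseif ($Config.WUServer -notmatch '^https://') {
        $findings += "WSUS URL $($Config.WUServer) is plain HTTP; use HTTPS so the update catalogue cannot be altered on the way to the client"
    }
    if ($Config.AUOptions -ne 4) {
        $findings += 'Updates are not set to install automatically on a schedule'
    }
    if ($Config.LastInstallTime) {
        $age = (Get-Date) - [datetime]$Config.LastInstallTime
        if ($age.TotalDays -gt $MaxDaysSinceInstall) {
            $findings += "Last successful install was $([int]$age.TotalDays) days ago; at least one Patch Tuesday has been missed"
        }
    } else {
        $findings += 'No record of a successful update installation'
    }
    if ($findings.Count -eq 0) { 'OK' } else { $findings }
}

# Live check of this machine:
Test-WsusClientConfig (Get-WsusClientConfig)

# Constructed sample showing what a weak configuration reports (HTTP server,
# download-only, last install two months ago):
$sample = [pscustomobject]@{
    UseWUServer     = $true
    WUServer        = 'http://wsus.example.local:8530'
    WUStatusServer  = 'http://wsus.example.local:8530'
    AUOptions       = 3
    LastInstallTime = (Get-Date).AddDays(-60).ToString('yyyy-MM-dd HH:mm:ss')
}
Test-WsusClientConfig $sample

# After changing the policy, ask the client to check in with the server right away:
#   Windows 7/8:   wuauclt /detectnow
#   Windows 8.1+:  (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
```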
The other major items covered related to system backup and restore. Windows 7 and 8 have a robust backup and restore utility that is easy to use and works very well. Of course, when something is stable and works with a minimum of fuss, the geniuses in Redmond must change it up, so Windows 8.1 does not include the Windows 7 utility. Instead, there is a system called File History, which deals with personal files. This utility looks a lot like the Apple approach to backup tasks, and does seem to work well. System files and applications are backed up with System Restore, which looks a lot like the Windows 7 backup and restore console but with fewer user options available.
Modern Windows variants also contain tools for recovery of machines that won’t boot successfully for whatever reason. Windows 7 and 8 have the traditional F8 tools accessible after the BIOS boots, but Windows 8.1 no longer has that ability. Instead, one must use recovery media or a preconfigured flash drive to boot into a recovery environment. Once in this environment, there are options to repair data or reload the operating system. Windows 8.1 also contains a useful “Swiss Army knife” utility tool that combines many functions. This tool, called the Diagnostics and Recovery Toolset (DaRT), has utilities that will reset a user password, repair the master boot record, restore lost files and remove malware, among other things. It looks to be a quick and easy tool to help solve many system recovery issues.
One more lesson – see you next week.
Sunday, November 16, 2014
Lesson Nine: System Monitoring and Maintenance
This week's lesson covered a very important role of the IT support professional - that of monitoring system performance and troubleshooting system failures.
Modern Windows versions have several methods to help discern points of failure or poor performance.
They include the Windows Memory Diagnostic Tool, which is a neat tool that looks for defective memory. Bad RAM can be one of the most frustrating items to discover, and this tool helps to find bad RAM and mark it so that it is not used.
Another tool is the Windows Network Diagnostics Tool, which checks and verifies network connectivity. This can help to find problems in your network infrastructure by looking at issues with network adapters, shared folders, internet connections, incoming connections, network printers and HomeGroups. This tool runs automatically when a problem is detected and displays possible solutions for the discovered problem.
Startup Repair is a tool that I have used several times to automatically fix a system that won't start successfully. If the tool can't automatically fix the problem preventing system boot, it will roll back the system to the last known good state.
The System Configuration tool (better known as msconfig.exe) has been around since at least Windows XP. It helps to troubleshoot system issues and optimize startup. Using this tool requires that the system be able to boot up normally.
The lesson went on to talk about system logs, and how to use them to gain understanding about a machine.
It's possible to configure a machine to collect system logs from many different computers in order to manage problems from one central spot. This can be done by having the collector machine go out and pull logs from the various clients, but in general it is better practice to configure the clients to push their logs to the collector computer. This is controlled by applying local system and group policies.
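As an added example (not from the lesson or this blog), this is what the "clients push logs to a collector" setup looks like when done with the built-in Windows Event Collector and WinRM, with the client side set through the same policy value that the Group Policy setting writes. The collector name, subscription name, and the choice of logon success/failure events are assumptions for illustration.

```powershell
# Added example, not from the lesson or this blog: source-initiated ("push") event
# log collection. The collector host name, subscription name and the events chosen
# (4624 = logon success, 4625 = logon failure) are assumptions for illustration.

# --- On the collector (run elevated) ---
wecutil qc /q      # enable the Windows Event Collector service and its WinRM listener

$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wsmanagement/subscriptions">
  <SubscriptionId>LogonEvents</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Clients push logon success and failure events to the collector</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL: every member of Domain Computers (DC) may act as a source -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
'@
$subscription | Set-Content -Path "$env:TEMP\LogonEvents.xml" -Encoding UTF8
wecutil cs "$env:TEMP\LogonEvents.xml"   # create the subscription from the XML
wecutil gr LogonEvents                   # runtime status: which clients have checked in

# --- On each client (normally pushed by Group Policy: Computer Configuration >
#     Administrative Templates > Windows Components > Event Forwarding >
#     "Configure target Subscription Manager". This is the value that setting writes.) ---
winrm quickconfig -q
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $key -Force | Out-Null
$target = 'Server=http://collector.example.local:5985/wsman/SubscriptionManager/WEC,Refresh=60'
New-ItemProperty -Path $key -Name '1' -Value $target -PropertyType String -Force | Out-Null
# The forwarding plug-in reads logs as NETWORK SERVICE, which cannot read the
# Security log by default; membership in Event Log Readers grants that.
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add
gpupdate /force

# --- Back on the collector: confirm events are arriving ---
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 |
    Select-Object TimeCreated, MachineName, Id, LevelDisplayName
```

The point of the push model is visible in the last section: the collector never needs credentials on the clients, each client authenticates to the collector with its own machine account over Kerberos, and a client that is switched off simply delivers its backlog when it comes back.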
Another important aspect of computer management is determining how well the system is capable of performing. This can be done with the Windows Performance Index, available beginning with Windows Vista. It combines scores for the individual hardware components into a system score that is set by the lowest component score. Using this tool helps to understand how best to upgrade a machine. In Windows 8.1 the graphical output has been eliminated, but the data is still available through PowerShell commands.
The Windows Performance Monitor displays a real-time graph of system performance. You can use collector objects to track performance over time. It's also possible to generate a system health report using this tool.
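As an added example (not from the lesson or this blog) covering both of the last two paragraphs, the script below reads the performance index data that Windows 8.1 no longer shows in the GUI, applies the "base score is the lowest component score" rule to name the bottleneck, and then samples a few of the same counters Performance Monitor graphs. The counter set and sampling interval are choices made for illustration.

```powershell
# Added example, not from the lesson or this blog: the performance index via
# PowerShell (Win32_WinSAT) and a short counter sample like Performance Monitor's.
# The counters and intervals chosen are assumptions for illustration.

function Get-PerformanceIndex {
    # Win32_WinSAT holds the result of the last formal assessment. If
    # WinSATAssessmentState is not 1 (Valid), run `winsat formal` elevated first.
    $sat = Get-CimInstance -ClassName Win32_WinSAT
    $components = [ordered]@{
        Processor = $sat.CPUScore
        Memory    = $sat.MemoryScore
        Graphics  = $sat.GraphicsScore
        Gaming    = $sat.D3DScore
        Disk      = $sat.DiskScore
    }
    # The base score is the lowest component score, so the lowest component is
    # the one whose upgrade would actually raise the overall score.
    $lowest = $components.GetEnumerator() | Sort-Object Value | Select-Object -First 1
    [pscustomobject]@{
        AssessmentValid = ($sat.WinSATAssessmentState -eq 1)
        BaseScore       = $sat.WinSPRLevel
        Components      = $components
        Bottleneck      = $lowest.Key
    }
}

function Get-PerformanceSnapshot {
    param([int]$Samples = 5, [int]$IntervalSeconds = 2)
    $counters = '\Processor(_Total)\% Processor Time',
                '\Memory\Available MBytes',
                '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
    $data = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $Samples
    # Average each counter over the samples taken
    $data.CounterSamples | Group-Object Path | ForEach-Object {
        [pscustomobject]@{
            Counter = $_.Name
            Average = [math]::Round(($_.Group | Measure-Object CookedValue -Average).Average, 2)
        }
    }
}

Get-PerformanceIndex
Get-PerformanceSnapshot
# The GUI system health report mentioned above is still available with: perfmon /report
```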
The Windows Reliability Monitor is a neat tool that I was not aware of before this week's lesson. It tracks system faults and other performance issues and gives the administrator the option to look back at the previous year on a daily or weekly basis to discover trends and fault issues. This is a very useful tool that I will now be able to use to help in system troubleshooting.
The lesson went on to talk about other system performance settings, including changing visual effects, changing the size and location of the system memory paging file, and processor scheduling to favor foreground or background processes. You can also increase system performance with the ReadyBoost feature, which uses faster flash memory to decrease cache access times.
Remote access to a system is an important arrow in any sysadmin's quiver. It's now possible to use the Windows Remote Shell to gain command-line control to run PowerShell commands or to remotely execute applications.
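As an added example (not from the lesson or this blog), here is the kind of task Windows Remote Shell and PowerShell remoting are good for: running one script block on several machines over WinRM and collecting the results in one place. The computer names are assumptions; the check itself (uptime, newest hotfix, automatic services that are not running) is a plain health inventory.

```powershell
# Added example, not from the lesson or this blog: PowerShell remoting over WinRM,
# the same transport Windows Remote Shell (winrs) uses. Computer names are assumed.
$computers = 'ws01', 'ws02', 'ws03'

# One-time setup on each target, elevated (usually done through Group Policy):
#   Enable-PSRemoting -Force
# In a domain, authentication is Kerberos and nothing else is needed; avoid
# setting TrustedHosts to '*' on the management machine, since that disables
# server identity checking for every host you connect to.

$report = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ErrorVariable remoteErrors -ScriptBlock {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Automatic services that are not running are a common sign something failed at boot
    $stoppedAuto = Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto' AND State<>'Running'"
    $latest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        LastBoot        = $os.LastBootUpTime
        UptimeDays      = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalDays, 1)
        LatestHotFix    = $latest.HotFixID
        HotFixInstalled = $latest.InstalledOn
        StoppedAutoSvcs = ($stoppedAuto | Select-Object -ExpandProperty Name) -join ', '
    }
}

# PSComputerName is added by Invoke-Command, so the rows can be told apart
$report | Select-Object PSComputerName, UptimeDays, LatestHotFix, HotFixInstalled, StoppedAutoSvcs |
    Format-Table -AutoSize

# Hosts that could not be reached are reported rather than silently missing
foreach ($e in $remoteErrors) {
    Write-Warning "Could not reach $($e.TargetObject): $($e.Exception.Message)"
}

# Equivalents for a single machine:
#   winrs -r:ws01 ipconfig /all      (Windows Remote Shell, runs a command line remotely)
#   Enter-PSSession -ComputerName ws01   (interactive PowerShell prompt on the remote machine)
```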
Windows Remote Desktop is another tool that has been around for a long time and remains useful for today's needs. It allows complete graphical control of a remote machine. This is a tool that is extremely useful for the busy sysadmin.
Windows Remote Assistance operates a lot like Remote Desktop, but has a few important differences. It allows shadowing, so that the remote user and the local user can see and access the same things at the same time. Unlike a Remote Desktop connection, which can be interrupted and reconnected, a Remote Assistance session cannot be reconnected. It's possible for the remote user to control the length of time a helper is given access to the machine. It's very useful for connections that are only made once or a limited number of times.
Lots of useful stuff here this week -- I'm glad I learned it!
Sunday, November 9, 2014
Lesson Eight: Mobile Computing
This week's lesson focused on mobile computing. Microsoft has come a long way since I had my Windows smartphone back in 2007, which was basically useless. The modern suite of operating systems and apps that work with mobile devices includes the Windows RT operating system for mobile devices, and Microsoft Intune to help manage them in a corporate environment.
Since you can't join mobile devices to a domain, you can't use Group Policy to help manage and secure them. Windows Intune is an app that works on Windows 8, 8.1 and RT devices as well as Apple iOS devices such as the iPhone. Intune can be used to encrypt the information on these devices as well as remotely wipe them in case of theft or loss. It can also be used to enforce firewall and other security policies such as malware and antivirus protection, and to ensure that Windows Updates are current.
BitLocker is another technology that can be used to encrypt hard drives so that even if they are removed and placed into a different machine, the data cannot be decrypted. This can be done by use of a hardware chip on the motherboard called a TPM, or Trusted Platform Module. If a TPM is not present, a USB stick can be used instead. There are lots of safeguards in place to ensure that data does not fall into the wrong hands.
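As an added example (not from the lesson or this blog), the script below turns on BitLocker for the OS drive with the BitLocker PowerShell module that ships with Windows 8 and 8.1, using the TPM when one is present and a USB startup key otherwise, exactly the two options described above. It also adds and escrows a recovery password first, which is the safeguard that matters most in practice: without it, a failed TPM or lost USB stick makes the drive unreadable to its owner too. The USB drive letter is an assumption.

```powershell
# Added example, not from the lesson or this blog: enabling BitLocker on the OS
# drive with a TPM protector, or a USB startup key when no usable TPM exists, after
# escrowing a recovery password. Run elevated. The USB drive letter is an assumption.
Import-Module BitLocker
$Drive           = 'C:'
$StartupKeyDrive = 'E:'   # assumed: removable drive used only when no TPM is available

$tpm = Get-Tpm            # TpmPresent / TpmReady tell us whether the chip is usable
$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "$Drive is already protected"
    return
}

# 1. Add a numerical recovery password before encrypting, and keep a copy somewhere
#    other than the disk it unlocks.
$vol = Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
# In a domain, escrow it in Active Directory:
#   Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $recovery.KeyProtectorId
# Otherwise print or save $recovery.RecoveryPassword to a safe location off this machine.
Write-Host "Recovery password ID: $($recovery.KeyProtectorId)"

# 2. Pick the unlock method and start encryption. -UsedSpaceOnly is fast on a fresh
#    install; leave it out on a drive that has held data before.
if ($tpm.TpmPresent -and $tpm.TpmReady) {
    # The TPM releases the key only if the early boot chain is unchanged, which is
    # what stops the drive being read after it is moved to another machine.
    Enable-BitLocker -MountPoint $Drive -EncryptionMethod Aes256 -UsedSpaceOnly -TpmProtector
} else {
    # No usable TPM: the startup key on the USB stick must be present at every boot.
    # The "Require additional authentication at startup" policy must allow BitLocker
    # without a compatible TPM for this path to work on the OS drive.
    Enable-BitLocker -MountPoint $Drive -EncryptionMethod Aes256 -UsedSpaceOnly `
        -StartupKeyProtector -StartupKeyPath $StartupKeyDrive
}

# Encryption continues in the background; this shows progress and the protectors in place.
Get-BitLockerVolume -MountPoint $Drive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
        @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```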
We also learned about power management for mobile devices, and how Windows works with offline files. This is pretty neat, as you can set up a share to cache and distribute changed files if a node goes offline for some reason.
There is a great deal of information here; Windows has come a long way in its handling of mobile device support.