BitLocker and BitLocker To Go
Windows 7 supports TPM version 1.2 or newer. Enabling BitLocker requires two partitions. BitLocker works on computers both with and without a TPM chip. Together with a TPM, BitLocker works in the following configurations:
• TPM only
• TPM and PIN
• TPM and Startup Key
• TPM and Smart Card Certificate
It can now also encrypt FAT and NTFS volumes. If something goes wrong with the TPM, the number keys on the keyboard may not work at the pre-boot prompt; in that case use the F1-F10 keys instead.
BitLocker To Go is intended for encrypting USB sticks and external drives. When the user is logged in, they can unlock the encrypted media with a password and/or a smart card reader. When the user is not logged in, the external media cannot be accessed. For this reason you should not encrypt the password reset media.
With BitLocker To Go, writing to external media can be disallowed. BitLocker To Go creates a virtual volume.
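An added example (not from the original notes) that inventories the TPM and every BitLocker volume through the WMI classes that exist on Windows 7, and reports which of the configurations listed above (TPM only, TPM and PIN, TPM and Startup Key) each volume actually uses. Assumes PowerShell 2.0 on Windows 7 in an elevated prompt; the class and namespace names are the documented ones, the protector-name table and the check against the system drive are mine.

```powershell
# Added example, not part of the original notes. Requires an elevated prompt.
$volNs = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$tpmNs = 'root\CIMV2\Security\MicrosoftTpm'

# Key protector type codes returned by Win32_EncryptableVolume.GetKeyProtectorType
$protectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword';
    4 = 'TPMAndPIN'; 5 = 'TPMAndStartupKey'; 6 = 'TPMAndPINAndStartupKey';
    7 = 'PublicKey'; 8 = 'Passphrase'; 9 = 'TPMCertificate'; 10 = 'CryptoAPING'
}
# Protector types that bind the volume to the TPM (the configurations listed above)
$tpmBacked = 1, 4, 5, 6, 9

function Get-TpmSummary {
    $tpm = Get-WmiObject -Namespace $tpmNs -Class Win32_Tpm
    if (-not $tpm) { return 'No TPM found; BitLocker would need a startup key or password' }
    $state = 'TPM spec {0}: enabled={1} activated={2} owned={3}'
    $state -f $tpm.SpecVersion, $tpm.IsEnabled().IsEnabled, `
        $tpm.IsActivated().IsActivated, $tpm.IsOwned().IsOwned
}

function Get-BitLockerInventory {
    foreach ($v in (Get-WmiObject -Namespace $volNs -Class Win32_EncryptableVolume)) {
        # ProtectionStatus: 0 = protection off, 1 = on, 2 = unknown
        $prot = $v.GetProtectionStatus().ProtectionStatus
        # ConversionStatus: 0 = fully decrypted, 1 = fully encrypted, 2/3 = in progress
        $conv = $v.GetConversionStatus().ConversionStatus
        # Type 0 asks for all key protectors; resolve each id to its type
        $types = @()
        foreach ($id in @($v.GetKeyProtectors(0).VolumeKeyProtectorID)) {
            $types += [int]$v.GetKeyProtectorType($id).KeyProtectorType
        }
        $names = ($types | ForEach-Object { $protectorNames[$_] }) -join ','
        $usesTpm = @($types | Where-Object { $tpmBacked -contains $_ }).Count -gt 0
        $isOs = ($v.DriveLetter -eq $env:SystemDrive)
        New-Object PSObject -Property @{
            Drive       = $v.DriveLetter
            Protection  = $prot
            Conversion  = $conv
            Protectors  = $names
            # An OS drive that is protected but has no TPM-bound protector does not
            # match any of the TPM configurations from the notes above
            TpmConfigOk = (-not $isOs) -or ($prot -ne 1) -or $usesTpm
        }
    }
}

Get-TpmSummary
Get-BitLockerInventory | Format-Table Drive, Protection, Conversion, Protectors, TpmConfigOk -AutoSize
```

A recovery password (type 3) alongside the TPM protector is normal; a volume that shows only a password or external key protector is relying on something other than the TPM.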
SuperFetch
Windows 7 has built-in prioritization, which should give better speed and responsiveness. Services are divided into low- and high-priority classes. SuperFetch performs the following tasks:
• Differentiating between user applications and background services running on the computer
• Optimizing memory for users after running background tasks
• Tracking the most frequently used applications and anticipating user needs
• Taking advantage of the low-priority I/O designation
When large changes are made to the computer, such as installing updates, users may notice slow startup while SuperFetch restores its normal state.
Diagnostics and troubleshooting functions
These are divided into 15 areas. They can be configured through Group Policy under Computer Configuration\System\Troubleshooting and Diagnostics:
1. Application Compatibility Diagnostics
Supports the Program Compatibility Assistant (PCA) for diagnosing drivers blocked due to compatibility issues. PCA can detect failures caused by applications trying to load legacy Windows DLLs or trying to create COM objects that have been removed by Microsoft. PCA can detect several types of application installation failures. These installation failures can be related to applications that do not have privileges to run as an administrator but must be installed with elevated privileges as well as applications that fail to launch child processes that require elevation. In this case, PCA provides you with the option to restart the installer or update process as an administrator.
2. Corrupted File Recovery
Supports automatic detection, troubleshooting, and recovery of corrupted files. If Windows detects that an important operating system file is corrupted, Windows attempts notification and recovery, which in most cases requires a restart for full resolution.
3. Disk Diagnostic
Allows configuring the various messages shown to the user about hard disk failures.
4. Fault Tolerant Heap
Supports automatic detection and correction of common memory management issues related to the heap used by the operating system.
5. Microsoft Support Diagnostic Tool
Supports the MSDT for collecting and sending diagnostics data to a support professional to resolve a problem. MSDT.exe is stored in the %SystemROOT%\System32 folder and through policy settings can be configured for local and remote troubleshooting.
6. MSI Corrupted File Recovery
Supports automatic detection, troubleshooting, and recovery of corrupted MSI applications. If Windows detects that application files are corrupted, Windows attempts notification and recovery.
7. Scheduled Maintenance
Supports diagnostics that run periodically via the Task Scheduler to detect and resolve system problems.
8. Scripted Diagnostics
Supports Action Center and controls whether users can access troubleshooting content and troubleshooting tools.
9. Windows Boot Performance Diagnostic
Supports automatic detection and troubleshooting of issues that affect boot performance. Root causes of boot performance issues are logged to the event logs. Can also assist you in resolving related issues.
10. Windows Memory Leak Diagnosis
Supports automatic detection and troubleshooting of memory leak issues. A memory leak occurs if an application or system component doesn't completely free areas of physical memory after it is done with them.
11. Windows Performance PerfTrack
Supports automated tracking and reporting of responsiveness events to Microsoft's Software Quality Management (SQM) team.
12. Windows Resource Exhaustion Detection and Resolution
Supports automatic detection and troubleshooting to resolve issues related to running out of virtual memory. Can also alert you if the computer is running low on virtual memory and identify the process consuming the largest amount of memory, allowing you to close any or all of these high-resource-consuming applications directly from the Close Programs To Prevent Information Loss dialog box. An alert is also logged in the event log.
13. Windows Shutdown Performance Diagnostics
Supports automatic detection and troubleshooting of issues that affect shutdown performance. Root causes of shutdown performance issues are logged to the event logs. Can also assist you in resolving related issues.
14. Windows Standby/Resume Performance Diagnostics
Supports automatic detection and troubleshooting of issues that affect Standby/Resume performance. Root causes of Standby/Resume performance issues are logged to the event logs. Can also assist you in resolving related issues.
15. Windows System Responsiveness Performance Diagnostics
Supports automatic detection and troubleshooting of issues that affect the overall responsiveness of the operating system. Root causes of responsiveness issues are logged to the event logs. Can also assist you in resolving related issues.
Windows Startup Repair tool
The Windows Startup Repair tool performs the following tests:
• Check for updates
• System disk test
• Disk failure diagnosis
• Disk Metadata test
• Target OS test
• Volume content check
• Boot manager diagnosis
• System boot log diagnosis
• Event log diagnosis
• Internal state check
• Boot status test
• Setup state check
• Registry hives test
• Windows boot log diagnosis
• Bug check analysis
• Access control test
• File system test
• Software install log diagnosis
• Fallback diagnosis
Tools
Sysprep
On both Windows Vista and Windows 7, sysprep is already present on the computer at %SystemROOT%\system32\sysprep
DISM
Deployment Image Servicing and Management (DISM.exe) installs, uninstalls, configures, and updates the features and packages in offline Windows images and offline Windows Preinstallation Environment (Windows PE) images. The commands and options that are available for servicing an image depend on which Windows operating system you are servicing (Windows 7, Windows Vista with Service Pack 2 (SP2), Windows Vista with Service Pack 1 (SP1), Windows Server 2008 R2, Windows Server 2008, or Windows PE), and whether the image is offline or a running operating system. All commands work on an offline Windows image. Subsets of the commands are available for servicing a running operating system. All the commands you need:
http://technet.microsoft.com/en-us/library/dd744382(WS.10).aspx
Memory test
The memory test can be started in Windows with mdsched.exe
ImageX
ImageX is a command-line tool that enables original equipment manufacturers (OEMs) and corporations to capture, to modify, and to apply file-based disk images for rapid deployment. ImageX works with Windows image (.wim) files for copying to a network, or it can work with other technologies that use .wim images, such as Windows Setup, Windows Deployment Services (Windows DS), and the System Management Server (SMS) Operating System Feature Deployment Pack.
Problem Steps Recorder
Windows 7 now has the PSR, which lets a user record the steps of a problem and add comments as they go. PSR can be started simply by typing PSR.exe into the search box.
Remote Assistance
Remote Assistance now supports two simultaneous connections to the user's computer. Remote Assistance can be started with MSRA.exe.
In all the years I have been a Windows administrator, I did not know that it is possible to configure in Windows how much memory and how many processors the computer can use.
SIGVERIF
This checks whether files are signed or not. When the computer becomes unstable and you cannot tell what is going on with it, it is worth checking the system files.
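An added example (not from the original notes) that answers the same question as sigverif from PowerShell: which executables, DLLs and drivers carry no valid Authenticode signature. Assumes PowerShell 2.0 on Windows 7; the function name and default paths are mine.

```powershell
# Added example, not part of the original notes.
function Find-UnsignedBinaries {
    param(
        [string[]]$Paths = @("$env:SystemRoot\System32\drivers", "$env:ProgramFiles"),
        [string[]]$Extensions = @('*.exe', '*.dll', '*.sys')
    )
    foreach ($p in $Paths) {
        Get-ChildItem -Path $p -Include $Extensions -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                # Valid = embedded signature verifies against a trusted chain.
                # HashMismatch = the file changed after it was signed: the strongest
                # signal here, since tampering with a signed binary breaks its hash.
                # NotSigned on Windows system files is often a catalog-signed file;
                # PowerShell 2.0 does not consult catalogs, so confirm those with
                # sigverif or sfc before treating them as unsigned.
                if ($sig.Status -ne 'Valid') {
                    $signer = ''
                    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                    New-Object PSObject -Property @{
                        Path   = $_.FullName
                        Status = $sig.Status
                        Signer = $signer
                    }
                }
            }
    }
}

# HashMismatch entries first, then everything else without a valid signature
Find-UnsignedBinaries | Sort-Object Status | Format-Table Status, Signer, Path -AutoSize
```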
PowerCFG
Through CMD it is possible to change and configure the computer's power configuration.
Themes
To quickly turn off the visual elements, type net stop "Themes" in CMD.
ASSOC ja FTYPE
In CMD and PowerShell it is possible to associate different file types and extensions.
Windows PE
Windows PE configuration files:
• BCD store – The boot configuration data BCD store file contains boot settings for Windows PE
• Startnet.cmd – The startnet script configures network startup.
• Unattended.xml – The unattended installation file can be used to automate the installation process for Windows PE.
• Winpeshl.ini – The Windows PE shell initialization file contains the default interface for Windows PE. By modifying this file you can define a custom shell environment.
Windows Recovery Media
Windows RE is an extended Windows PE medium. It can be customized to your own needs. To do so, download the WAIK (Windows Automated Installation Kit) from the Microsoft site. A detailed guide on how to do it is here:
http://technet.microsoft.com/en-us/library/cc749147(WS.10).aspx
Group Policy
GP contains both managed and unmanaged settings. GP Preferences were first introduced with Windows Vista. Preferences allow you to configure, install and manage operating system and software settings. The difference between GP settings and preferences is that settings can be enforced, whereas preferences cannot be directly enforced. GP Preferences can only be configured through AD-based GP. These settings are not written to any special GP-related location but directly to the place the software or operating system uses itself. Because of this it is possible to configure things that simply cannot be configured with GP. GP Preferences do not lock users out of the software or operating system functions in their environment. GP Preferences overwrite the original setting, and the original setting can no longer be restored.
Looking at the picture (a GP Preferences item), what do the lines and circles mean?
• A solid green line/circle indicates that the setting will be delivered and processed on the client
• A dashed red line/circle indicates that the setting will not be delivered or processed on the client
GP processing order
1. Local policies
2. Site policies
3. Domain policies
4. OU policies
5. Child OU policies
Both Windows Vista and Windows 7 support multiple layers of local GP objects:
1. Local GPO
2. Administrator and Non-Administrator GPO
3. User-specific
Virtual Memory
It is possible to configure under \Local Policies\Security Options\ that the VM pagefile is cleared when the computer shuts down.
UAC
Admin Approval Mode is the key component that controls UAC behaviour when an administrator wants to run software. By default, Admin Approval Mode works as follows:
• All administrators, including the built-in local administrator, run in and are subject to Admin Approval Mode
• Because they are running in and subject to Admin Approval Mode, all administrators, including the built-in administrator account, see the elevation prompt when they run administrative applications
UAC behaviour can be changed through GPO under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\:
• User Account Control: Admin Approval Mode For The Built-In Administrator Account
• User Account Control: Allow UIAccess Applications To Prompt For Elevation Without Using The Secure Desktop
• User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode
• User Account Control: Behavior Of The Elevation Prompt For Standard Users
• User Account Control: Run All Administrators In Admin Approval Mode
• User Account Control: Only Elevate UIAccess Applications That Are Installed in Secure Location
• User Account Control: Only Elevate Executables That Are Signed and Validated
UAC installation detection and virtualization
• User Account Control: Detect Application Installation And Prompt For Elevation
• User Account Control: Virtualize File And Registry Write Failures To Per-User Location
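An added example (not from the original notes) that audits the registry values behind the UAC security options listed above, plus the pagefile-clearing option from the Virtual Memory section, against a hardened baseline. The registry key and value names are the ones Windows uses for these policies; the baseline values and function name are my assumptions, not defaults or recommendations from the notes. Assumes PowerShell 2.0 on Windows 7.

```powershell
# Added example, not part of the original notes. The Expect column is an
# assumed hardened baseline, not the Windows 7 default (for instance the
# default ConsentPromptBehaviorAdmin is 5, and FilterAdministratorToken is 0).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$mmKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

$checks = @(
  @{ Policy = 'Run All Administrators In Admin Approval Mode';    Key = $uacKey; Name = 'EnableLUA';                  Expect = 1 },
  @{ Policy = 'Admin Approval Mode For Built-In Administrator';   Key = $uacKey; Name = 'FilterAdministratorToken';   Expect = 1 },
  # 2 = prompt for consent on the secure desktop
  @{ Policy = 'Elevation Prompt For Administrators';              Key = $uacKey; Name = 'ConsentPromptBehaviorAdmin'; Expect = 2 },
  # 1 = prompt for credentials on the secure desktop (0 would auto-deny)
  @{ Policy = 'Elevation Prompt For Standard Users';              Key = $uacKey; Name = 'ConsentPromptBehaviorUser';  Expect = 1 },
  @{ Policy = 'Detect Application Installation And Prompt';       Key = $uacKey; Name = 'EnableInstallerDetection';   Expect = 1 },
  @{ Policy = 'Only Elevate Executables Signed And Validated';    Key = $uacKey; Name = 'ValidateAdminCodeSignatures'; Expect = 1 },
  @{ Policy = 'Only Elevate UIAccess In Secure Locations';        Key = $uacKey; Name = 'EnableSecureUIAPaths';       Expect = 1 },
  @{ Policy = 'Allow UIAccess To Prompt Without Secure Desktop';  Key = $uacKey; Name = 'EnableUIADesktopToggle';     Expect = 0 },
  @{ Policy = 'Virtualize File And Registry Write Failures';      Key = $uacKey; Name = 'EnableVirtualization';       Expect = 1 },
  @{ Policy = 'Clear Virtual Memory Pagefile At Shutdown';        Key = $mmKey;  Name = 'ClearPageFileAtShutdown';    Expect = 1 }
)

function Test-UacBaseline {
    foreach ($c in $checks) {
        # A missing value means the policy was never set and the built-in default applies
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $actual = $null
        if ($item) { $actual = $item.($c.Name) }
        New-Object PSObject -Property @{
            Ok       = ($actual -eq $c.Expect)
            Policy   = $c.Policy
            Value    = $c.Name
            Actual   = $actual
            Expected = $c.Expect
        }
    }
}

# Failing checks first
Test-UacBaseline | Sort-Object Ok | Format-Table Ok, Policy, Value, Actual, Expected -AutoSize
```

Values pushed by a domain GPO land in the same key, so the audit reflects the effective setting whether it came from local policy or from AD.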
UAC prompt colours
• If the application is from a blocked publisher or is blocked by Group Policy, the elevation prompt has a red background and displays the message "The application is blocked from running"
• If the application is administrative (such as Computer Management), the elevation prompt has a blue-green background and displays the message "Windows needs your permission to continue"
• If the application has been signed by Authenticode and is trusted by the local computer, the elevation prompt has a gray background and displays the message "A program needs your permission to continue"
• If the application is unsigned (or signed but not yet trusted), the elevation prompt has a yellow background and a red shield icon and displays the message "An unidentified program wants access to your computer"
User accounts and passwords
Only the User Account utility allows you to assign a password hint, which can be helpful in recovering a forgotten or lost password. It is important to note that these are the only techniques you should use to recover passwords for local user accounts unless you want to risk data loss. Why? Although you can reset, create or remove a password from a user account, doing so deletes any personal certificates and stored passwords associated with this account. As a result, the user will no longer be able to access his or her encrypted files or private e-mails that have been encrypted with his or her personal key.
What this says is that if you change a local user's password from another account, the user can no longer access their encrypted data.
Branch Cache
This is a feature that allows a computer in a branch office to copy a file (or files) from the server into the local computer's cache and keep it there. When the same file is needed again, it is served from the local cache instead of being copied from the server again. Branch Cache can be configured in two modes:
• Distributed Cache – In this mode, the user's desktop computer running Windows 7 or a later version hosts distributed file caches. A server running at the remote office is not needed because each local computer caches and sends out files.
• Host Cache – In this mode, a server running Windows Server 2008 R2 and located in the remote office hosts the local file cache. The server caches files and sends them to clients located in the remote office.
In Distributed Cache mode the local computer has to handle the whole process itself, which may slightly affect its performance.
Things to keep in mind:
• Branch Cache doesn't prevent users from saving files locally – it works with read requests, such as when a user requests a file from a file server
• Branch Caching works seamlessly with encryption and secure transfer technologies, such as SMB Signing and IPSec
• By default, network files are cached in the remote office only when the round-trip network latency is more than 80 milliseconds
• Branch caching doesn’t need to be enabled in the central office; only enable branch caching in remote offices.
There are two GP settings for optimizing Branch Cache use:
• Do Not Allow The BITS Client To Use Windows Branch Cache
• Hash Publication For Branch Cache – It controls whether and how Branch Cache creates hashes for cached files. By default, digital hashes are created, and they allow clients to quickly determine whether a file in the cache is the same as the file on a file server.
Direct Access
It is a client-server VPN solution that requires IPv6 and IPsec. Requirements for DirectAccess:
• Windows Server 2008 R2
• Windows 7 Enterprise
• PKI
• DNS server based on Windows Server 2008
Functionality:
• Always-on connectivity that requires no end-user steps to access corpnet.
• Remote management, updating, and health maintenance of remote computers even when the end user is not logged on.
• Granular policy controls for authorized access to corpnet resources and servers.
• Tight integration with policy-based network access approach.
• Support for multifactor authentication such as smart cards.
• IPsec authentication and encryption.
• Support for non-IPsec and non-IPv6 environments (e.g., using IPv6-over-IPv4 tunneling with 6to4 or Teredo).
Windows XP Mode
A feature that allows old software to run in a Windows XP virtual machine. Hardware VT technology support is required. Microsoft also offers various deployment scripts that can be downloaded. It is possible to create software exclusion rules so that the programs are not shown in the user's Start menu. Software exclusion rules are created under: Local Machine\Software\Microsoft\WindowNT\CurrentVersion\VirtualMachine
The deployment scripts are available here:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=9f142a1a-a7b7-4d0b-bd56-d9627f39c14f
The video is available here:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=f0ef9c63-2d2d-4f18-be39-57f8e794fe07#filelist
What can a standard user do in Windows 7?
1. Installing fonts, viewing the system clock and calendar, and changing the time zone
2. Changing the display settings and power management settings
3. Adding printers and other devices (if the required drivers are already installed)
4. Downloading and installing updates
5. Creating and configuring VPN.
6. Installing Wired Equivalent Privacy to connect to secure wireless networks
Power Users group
In earlier Windows versions this group existed to grant extra rights. In Windows 7 it is now kept only for compatibility with legacy applications.
Installation
When the Windows 7 installation is running, you can open CMD by pressing SHIFT+F10.
Logging in to the computer
If the computer is in a domain and you want to log in locally, type .\username as the user name.
WU updates
Windows 7 now also introduces prioritization of security update downloads.
