Monday, October 26, 2009

Windows 7 Administrator's Pocket Consultant

Last week I finished reading the first Windows 7 book, which I finally got from Amazon. I also made various notes on things I considered important, or that I already knew but had not written down for myself. If you want to know more about particular topics, the information is available either in the book or on Microsoft's website. It is a pity that this book did not cover Windows XP Mode and AppLocker. Direct Access and Branch Cache were covered very briefly: they were mentioned as new features and that was all. Most of the topics were fairly familiar, since last year I also read the Windows Vista Administrator's Pocket Consultant. I will also write up a summary of this book internally at my company. I recommend that everyone read it.


Here are the notes:

BitLocker and BitLocker To Go

Windows 7 supports TPM version 1.2 or later. Enabling BitLocker requires two partitions. BitLocker works on computers both with and without a TPM chip. With a TPM, BitLocker works in the following configurations:
• TPM only
• TPM and PIN
• TPM and Startup Key
• TPM and Smart Card Certificate
It can now also encrypt FAT and NTFS drives. If something goes wrong with the TPM, the number keys on the keyboard may not work. In that case, use the F1-F10 keys.

BitLocker To Go is intended for encrypting USB and external drives. When the user is logged on, he or she can unlock the encrypted media with a password and/or a card reader. If the user is not logged on, the external media cannot be accessed. For this reason you should not encrypt password reset media.
With BitLocker To Go it is possible to prohibit writing to external media. BitLocker To Go creates a virtual volume.

SuperFetch

Windows 7 has built-in prioritization, which should give better speed and responsiveness. Services are divided into low and high priority levels. SuperFetch performs the following tasks:
• Differentiating between user applications and background services running on the computer
• Optimizing memory for users after running background tasks
• Tracking the most frequently used applications and anticipating user needs
• Taking advantage of the low-priority I/O designation

When major changes are made to the computer (installing updates and so on), users may notice slow startup while SuperFetch restores its normal state.



Diagnostics and troubleshooting features

These are divided into 15 areas. They can be configured through Group Policy under Computer Configuration\System\Troubleshooting and Diagnostics:

1. Application Compatibility Diagnostics

Supports the Program Compatibility Assistant (PCA) for diagnosing drivers blocked due to compatibility issues. PCA can detect failures caused by applications trying to load legacy Windows DLLs or trying to create COM objects that have been removed by Microsoft. PCA can detect several types of application installation failures. These installation failures can be related to applications that do not have privileges to run as an administrator but must be installed with elevated privileges as well as applications that fail to launch child processes that require elevation. In this case, PCA provides you with the option to restart the installer or update process as an administrator.

2. Corrupted File Recovery

Supports automatic detection, troubleshooting, and recovery of corrupted files. If Windows detects that an important operating system file is corrupted, Windows attempts notification and recovery, which requires a restart in most cases for full resolution.

3. Disk Diagnostic

It is possible to configure various messages about hard disk failure.

4. Fault Tolerant Heap

Supports automatic detection and correction of common memory management issues related to the heap used by the operating system.

5. Microsoft Support Diagnostic Tool

Supports the MSDT for collecting and sending diagnostics data to a support professional to resolve a problem. MSDT.exe is stored in the %SystemRoot%\System32 folder and through policy settings can be configured for local and remote troubleshooting.

6. MSI Corrupted File Recovery

Supports automatic detection, troubleshooting, and recovery of corrupted MSI applications. If Windows detects that application files are corrupted, Windows attempts notification and recovery.

7. Scheduled Maintenance

Supports diagnostics that run periodically via the Task Scheduler to detect and resolve system problems.

8. Scripted Diagnostics

Supports Action Center and controls whether users can access troubleshooting content and troubleshooting tools.

9. Windows Boot Performance Diagnostic

Supports automatic detection and troubleshooting of issues that affect boot performance. Root causes of boot performance issues are logged to the event logs. Can also assist you in resolving related issues.

10. Windows Memory Leak Diagnosis

Supports automatic detection and troubleshooting of memory leak issues. A memory leak occurs if an application or system component doesn't completely free areas of physical memory after it is done with them.

11. Windows Performance PerfTrack

Supports automated tracking and reporting of responsiveness events to Microsoft's Software Quality Management (SQM) team.

12. Windows Resource Exhaustion Detection and Resolution

Supports automatic detection and troubleshooting to resolve issues related to running out of virtual memory. Can also alert you if the computer is running low on virtual memory and identify the processes consuming the largest amount of memory, allowing you to close any or all of these high-resource-consuming applications directly from the Close Programs To Prevent Information Loss dialog box. An alert is also logged in the event log.

13. Windows Shutdown Performance Diagnostics

Supports automatic detection and troubleshooting of issues that affect shutdown performance. Root causes of shutdown performance issues are logged to the event logs. Can also assist you in resolving related issues.

14. Windows Standby/Resume Performance Diagnostics

Supports automatic detection and troubleshooting of issues that affect Standby/Resume performance. Root causes of Standby/Resume performance issues are logged to the event logs. Can also assist you in resolving related issues.

15. Windows System Responsiveness Performance Diagnostics

Supports automatic detection and troubleshooting of issues that affect the overall responsiveness of the operating system. Root causes of responsiveness issues are logged to the event logs. Can also assist you in resolving related issues.

Windows Startup Repair tool

The Windows Startup Repair tool performs the following tests:
• Check for updates
• System disk test
• Disk failure diagnosis
• Disk Metadata test
• Target OS test
• Volume content check
• Boot manager diagnosis
• System boot log diagnosis
• Event log diagnosis
• Internal state check
• Boot status test
• Setup state check
• Registry hives test
• Windows boot log diagnosis
• Bug check analysis
• Access control test
• File system test
• Software install log diagnosis
• Fallback diagnosis

Tools

Sysprep

Both Windows Vista and 7 already include sysprep on the computer at %SystemRoot%\system32\sysprep

DISM

Deployment Image Servicing and Management (DISM.exe) installs, uninstalls, configures, and updates the features and packages in offline Windows® images and offline Windows Preinstallation Environment (Windows PE) images. The commands and options that are available for servicing an image depend on which Windows operating system you are servicing (Windows® 7, Windows Vista® with Service Pack 2 (SP2), Windows Vista® with Service Pack 1 (SP1), Windows Server® 2008 R2, Windows Server® 2008, or Windows PE), and whether the image is offline or a running operating system. All commands work on an offline Windows image. Subsets of the commands are available for servicing a running operating system. All the necessary commands:
http://technet.microsoft.com/en-us/library/dd744382(WS.10).aspx

Memory test

The memory test can be started in Windows with mdsched.exe.

ImageX

ImageX is a command-line tool that enables original equipment manufacturers (OEMs) and corporations to capture, to modify, and to apply file-based disk images for rapid deployment. ImageX works with Windows image (.wim) files for copying to a network, or it can work with other technologies that use .wim images, such as Windows Setup, Windows Deployment Services (Windows DS), and the System Management Server (SMS) Operating System Feature Deployment Pack.

Problem Steps Recorder

Windows 7 now has PSR, which lets you record the user's various problems along with immediate comments. PSR can be started simply by typing PSR.exe into the search box.

Remote Assistance

Remote Assistance now supports two simultaneous connections to the user's computer. Remote Assistance can be started with MSRA.exe.

MsConfig

In all the years I have been a Windows administrator, I did not know that it is possible in Windows to configure how much memory and how many processors the computer can use.




SIGVERIF

It lets you check whether files are signed or not. If the computer becomes unstable and you cannot tell what is going on with it, it is worth checking the system files.

PowerCFG

The computer's power configuration can be changed and configured from CMD.

Themes

If you want to quickly turn off visual elements, type net stop "Themes" in CMD.

ASSOC and FTYPE

In CMD and PowerShell it is possible to associate various file types and extensions.


Windows PE

Windows PE configuration files:
• BCD store – The boot configuration data (BCD) store file contains boot settings for Windows PE.
• Startnet.cmd – The startnet script configures network startup.
• Unattended.xml – The unattended installation file can be used to automate the installation process for Windows PE.
• Winpeshl.ini – The Windows PE shell initialization file contains the default interface for Windows PE. By modifying this file you can define a custom shell environment.

Windows Recovery Media

Windows RE is extended media based on Windows PE. You can customize it to your own needs. To do this, download WAIK, the Windows Automated Installation Kit, from the Microsoft site. Detailed instructions are here:
http://technet.microsoft.com/en-us/library/cc749147(WS.10).aspx

Group Policy

GP contains both managed and unmanaged settings. GP Preferences were first introduced with Windows Vista. Preferences let you configure, install and manage operating system and software settings. The difference between GP settings and preferences is that settings can be enforced, whereas preferences cannot be directly enforced. GP Preferences can be configured only through AD-based GP. These settings are not written to any special GP-related locations but directly to the location used by the software or operating system. Thanks to this, it is possible to configure things that simply cannot be configured with GP. GP Preferences do not disable software or operating system features in the user's environment that they cannot enter. GP Preferences overwrite the original setting, and the original setting can no longer be restored.

Looking at the picture, the question arises: what do these lines and circles mean?

• A solid green line/circle indicates that the setting will be delivered and processed on the client.
• A dashed red line/circle indicates that the setting will not be delivered or processed on the client.

GP processing order

1. Local policies
2. Site policies
3. Domain policies
4. OU policies
5. Child OU policies

Both Windows Vista and 7 support multi-layered local GP objects.

1. Local GPO
2. Administrator and Non-Administrator GPO
3. User-specific

Virtual Memory

Under \Local Policies\Security Options\ you can configure the VM pagefile to be cleared when the computer shuts down.

UAC

Admin Approval Mode is the key component that controls UAC behaviour when an administrator wants to run software. The default configuration of how Admin Approval Mode works:

• All administrators, including the built-in local administrator, run in and are subject to Admin Approval Mode
• Because they are running in and subject to Admin Approval Mode, all administrators, including the built-in administrator account, see the elevation prompt when they run administrative applications

UAC behaviour can be changed through a GPO under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\:

• User Account Control: Admin Approval Mode For The Built-In Administrator Account
• User Account Control: Allow UIAccess Applications To Prompt For Elevation Without Using The Secure Desktop
• User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode
• User Account Control: Behavior Of The Elevation Prompt For Standard Users
• User Account Control: Run All Administrators In Admin Approval Mode
• User Account Control: Only Elevate UIAccess Applications That Are Installed in Secure Location
• User Account Control: Only Elevate Executables That Are Signed and Validated

UAC installation prompts and virtualization

• User Account Control: Detect Application Installation And Prompt For Elevation
• User Account Control: Virtualize File And Registry Write Failures To Per-User Location
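
The policies listed above are stored as registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The following PowerShell check is an added example, not taken from the book or from these notes; it reads those values and compares them with an assumed baseline chosen for illustration, which you should replace with your own policy.

```powershell
# Added example: report the registry values behind the UAC policies listed above.
# The "expected" numbers are an ASSUMED baseline for illustration, not from the book.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Each row: registry value name, assumed expected value, policy name as listed above.
$baseline = @(
    @('FilterAdministratorToken',    1, 'Admin Approval Mode For The Built-In Administrator Account'),
    @('EnableUIADesktopToggle',      0, 'Allow UIAccess Applications To Prompt For Elevation Without Using The Secure Desktop'),
    # 2 = prompt for consent on the secure desktop; 0 = elevate without prompting
    @('ConsentPromptBehaviorAdmin',  2, 'Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode'),
    # 1 = prompt for credentials on the secure desktop; 0 = automatically deny
    @('ConsentPromptBehaviorUser',   1, 'Behavior Of The Elevation Prompt For Standard Users'),
    @('EnableLUA',                   1, 'Run All Administrators In Admin Approval Mode'),
    @('EnableSecureUIAPaths',        1, 'Only Elevate UIAccess Applications That Are Installed in Secure Location'),
    # 0 is the Windows default; 1 requires every elevated executable to be signed
    @('ValidateAdminCodeSignatures', 0, 'Only Elevate Executables That Are Signed and Validated'),
    @('EnableInstallerDetection',    1, 'Detect Application Installation And Prompt For Elevation'),
    @('EnableVirtualization',        1, 'Virtualize File And Registry Write Failures To Per-User Location')
)

# Read all values of the key once; stop if the key cannot be read.
$current = Get-ItemProperty -Path $key -ErrorAction Stop

$report = foreach ($row in $baseline) {
    $name, $expected, $policy = $row
    $prop = $current.PSObject.Properties[$name]

    if ($null -eq $prop) {
        # Value absent: no policy has written it, so the OS default applies.
        $actual = '(not set)'
        $status = 'DEFAULT'
    } elseif ([int]$prop.Value -eq $expected) {
        $actual = $prop.Value
        $status = 'OK'
    } else {
        $actual = $prop.Value
        $status = 'DIFFERS'
    }

    # New-Object keeps the script usable on PowerShell 2.0, which ships with Windows 7.
    New-Object PSObject -Property @{
        Status    = $status
        ValueName = $name
        Current   = $actual
        Expected  = $expected
        Policy    = $policy
    }
}

$report | Select-Object Status, ValueName, Current, Expected, Policy | Format-Table -AutoSize
```

Rows marked DIFFERS are the ones to compare against the GPO that is supposed to apply to the machine.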

UAC prompt colours

• If the application is from a blocked publisher or is blocked by Group Policy, the elevation prompt has a red background and displays the message "The application is blocked from running"
• If the application is administrative (such as Computer Management), the elevation prompt has a blue-green background and displays the message "Windows needs your permission to continue"
• If the application has been signed by Authenticode and is trusted by the local computer, the elevation prompt has a gray background and displays the message "A program needs your permission to continue"
• If the application is unsigned (or signed but not yet trusted), the elevation prompt has a yellow background and a red shield icon and displays the message "An unidentified program wants access to your computer"

User accounts and passwords

Only the User Account utility allows you to assign a password hint, which can be helpful in recovering a forgotten or lost password. It is important to note that these are only techniques you should use to recover passwords for local user accounts unless you want to risk data loss. Why? Although you can reset, create or remove a password from a user account, doing so deletes any personal certificates and stored passwords associated with this account. As a result, the user will no longer be able to access his or her encrypted files or private emails that have been encrypted with his or her personal key.

So what this says is that if you change a local user's password from another account, the user can no longer access his or her encrypted items.

Branch Cache

This is a feature that lets a computer in a branch office copy file(s) from the server into the local computer's cache and keep them there. When the same file is needed again, it is opened from the local cache instead of being copied from the server again. Branch Cache can be configured in two ways:

• Distributed Cache – In this mode, the user's desktop computer running Windows 7 or a later version hosts distributed file caches. A server running at the remote office is not needed because each local computer caches and sends out files.

• Host Cache – In this mode, a server running Windows Server 2008 R2 and located in the remote office hosts the local file cache. The server caches files and sends them to clients located in the remote office.

With Distributed Cache the local computer has to handle the whole process itself, which may affect the computer's performance somewhat.

Things to keep in mind:

• Branch Cache doesn’t prevent users from saving files locally – it works with read requests, such as when user requests a file from a file server
• Branch Caching works seamlessly with encryption and secure transfer technologies, such as SMB Signing and IPSec
• By default, network files are cached in the remote office only when the round trip network latency is more than 80 milliseconds
• Branch caching doesn’t need to be enabled in the central office; only enable branch caching in remote offices.

There are two GP settings with which Branch Cache usage can be optimized:

• Do Not Allow The BITS Client To Use Windows Branch Cache
• Hash Publication For Branch Cache – It controls whether and how Branch Cache creates hashes for cached files. By default, digital hashes are created, and they allow clients to quickly determine whether a file in the cache is the same as the file on a file server.

Direct Access

It is a client-server VPN application that requires IPv6 and IPSec. Requirements for Direct Access:
• Windows Server 2008 R2
• Windows 7 Enterprise
• PKI
• DNS server based on Windows 2008

Functionality:

• Always-on connectivity that requires no end-user steps to access corpnet.
• Remote management, updating, and health maintenance of remote computers even when the end user is not logged on.
• Granular policy controls for authorized access to corpnet resources and servers.
• Tight integration with policy-based network access approach.
• Support for multifactor authentication such as smart cards.
• IPsec authentication and encryption.
• Support for non-IPsec and non-IPv6 environments (e.g., using IPv6-over-IPv4 tunneling with 6to4 or Teredo).

Windows XP Mode

Functionality that allows old software to run in a Windows XP virtual machine. Hardware VT support is required. Microsoft also offers various deployment scripts, which can be downloaded. It is possible to create software exclusion rules so that the software is not visible in the user's Start menu. Software exclusion rules can be created under: Local Machine\Software\Microsoft\WindowNT\CurrentVersion\VirtualMachine

The deployment scripts are available here:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=9f142a1a-a7b7-4d0b-bd56-d9627f39c14f

The video is available here:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=f0ef9c63-2d2d-4f18-be39-57f8e794fe07#filelist

What can a standard user do in Windows 7?

1. Installing fonts, viewing the system clock and calendar, and changing the time zone
2. Changing the display settings and power management settings
3. Adding printers and other devices (if the required drivers are installed)
4. Downloading and installing updates
5. Creating and configuring VPN.
6. Installing Wired Equivalent Privacy to connect to secure wireless networks

Power Users group

In earlier Windows versions this group existed to grant additional rights. In Windows 7 it now exists only for compatibility with legacy applications.

Installation

When the Windows 7 installation is running, you can open CMD by pressing SHIFT+F10.

Logging on to the computer

If the computer is in a domain and you want to log on locally, type .\username as the user name.

WU updates

Windows 7 now also introduces prioritization of security update downloads.