Mark Minasi's Windows Networking Tech Page
Issue #58 November 2006
Visit the Archives at http://www.minasi.com/archive.htm.
Please do not reply to this mail; for comments, please link to www.minasi.com/gethelp. Document
copyright 2006 Mark Minasi.
- New Two-Day Seminar "Supporting Vista" Comes to DC, NY, Dallas,
Seattle in a Few Weeks
- Spring Vista Sessions in Atlanta, San Jose, Philadelphia,
- Tech Section
- Vista RTMs, We'll See it Soon
- Vista Setup for BitLocker
- How to Modify HOSTS on a Vista System
- Letting Vista Respond to Pings
- Bring a Seminar to Your Site
Hi all --
Well, the 25 October RTM of Vista didn't happen, but the 8 November
RTM did, which means that we'll all be living with Vista in a
while. But I've found that there are a few Vista questions that come
up over and over... things I call "Vysteries." In this newsletter,
I'll cover these Vista problems and solutions in the hopes of making
your early Vista exploration easier. But, first, a word from our sponsor...
New Two-Day Seminar "Supporting Vista" Comes to DC, NY, Dallas,
Seattle in a Few Weeks
My two-day "Supporting Vista" seminar is coming
to the New York area (Mahwah, actually, I got yelled at about that last
time), Dallas, Seattle, and then the DC area (near Dulles). In
two days of lecture and demonstrations, I'll show you how installing,
configuring, managing, securing and troubleshooting Vista is different
from doing the same things for XP... and you'll learn all that without
You can see a course outline for the new Vista class at
www.minasi.com/vista/vsupport.htm and you can find the links to sign
up for Mahwah (November 30/December 1), Dallas (December 4-5), Seattle
(December 7-8), or DC (December 11-12). Even if you're not
planning on rolling out Vista any time soon, come to this seminar to
find out about the pains and gains of Vista! (I mean, it's a great
time to go to a seminar, nothing happens in the office between
Thanksgiving and New Years, right?)
Next Year's Seminars: Vista in Atlanta and San Jose in
February, Philadelphia and Chicago in March
Some folks have asked about our spring schedule, so here's what we've
got so far: we've scheduled classes in Atlanta and San Jose the
first week of February, and classes in Philadelphia and Chicago the
first week in March. I hope one of those cities is convenient and
that we'll see a lot of you folks!
This month, we attack some questions about making Vista work that
I've been asked at least a few times. But first a bit of news:
Vista RTMs, We'll See it Soon
Last Wednesday, Microsoft released about three dozen -- okay, small
exaggeration -- versions of Windows Vista to manufacturing.
What's that mean? Well, I wrote about that a couple of weeks
ago in my newsletter at
www.minasi.com/newsletters/nws0610a.htm, and I invite you to give
that a peek to read what I thought were the biggest strengths and
weaknesses of Vista. Overall, it's a good OS that is more secure in
many ways but that offers a number of challenges -- in other words, it's
about the same as previous Windowses.
So should you run out and buy it today? Well, you can't.
"Release to manufacturing" or "RTM" just means that Microsoft has
essentially created one "golden DVD" containing the seven or eight
versions of Vista. It then gives that DVD to some firm that
creates a bazillion copies of that DVD and creates as many cardboard boxes
to contain those DVDs on store shelves. The process of copying
DVDs, boxing them, shipping them and selling them usually takes about
two months, so in fact we probably wouldn't be able to actually buy a
copy of Vista from, say, Amazon and receive it before the end of
Large companies already have a copy of that DVD, so some
non-Microsoft folks have been playing with it for a week. When
will the rest of us see it? Again, anybody will be able to
get it by late January. Or if you've got access to MSDN on Microsoft's
site, then you can probably get ahold of
the ISO image of that golden DVD by this Friday. With that, you
can burn your own DVD and install it on a
test machine or two. If you have the time, then give Vista a
try... if for no other reason than that while your company may not move to
Vista before 2008, you can be sure that many of your users will
move to Vista earlier than that. (And don't you hate having a user
explain some Vista thing to you!<g>)
Meanwhile, here's a few of the most common things that seem to annoy
new Vista users.
Vista Setup for BitLocker
I really like Vista Ultimate's BitLocker feature. BitLocker's a pretty
neat way to set up a laptop with a C: drive that's entirely encrypted
and, even better, in my experience the cryptographic overhead isn't all
that bad performance-wise.
The thing that drives people crazy about BitLocker, however, is the
odd setup that it requires in order to work. Despite being called
"BitLocker Drive Encryption," BitLocker actually encrypts just
the C: volume, and can't work unless your system's first hard disk is
chopped up into two partitions. One partition must be 1.5 GB in
size, and it contains some basic boot code. You can use the rest
of the drive for C:. To make BitLocker work, then, your system's
first hard disk must be arranged so that
- One partition is 1.5 GB in size and is marked "active," and
- One other partition is at least 16 GB in size, and Vista is
installed to that partition.
This requirement presents two problems. First, no one seems to
know about it, and so people just set up their laptop's entire disk as
C: and install Vista. Then, once Vista's installed, they want to
turn on BitLocker... only to find that it refuses to install because of
the lack of the 1.5 GB partition. Second, even if you do
know beforehand about the 1.5 GB partition requirement, there isn't any
way in Vista's Setup GUI that would let you create a 1.5 GB partition
and mark it active.
As is so often the case, however, there's an answer... the command
Installing BitLocker on clean
1) Boot Vista install disk.
2) When you get to the screen that says Windows Vista / Install Now,
click "Repair Your Computer."
3) In the subsequent dialog, choose "Command Prompt"
4) From command prompt, do this:
select disk 0
create partition primary
create partition primary
format c: /y /q /fs:NTFS
format p: /y /q /fs:NTFS
5) Once out of the command prompt, press ESC to return
to the "Install Now" screen.
Install Vista as
usual. When Vista asks which partition to install Windows
to, direct it to C:.
At that point you'll have a copy of Vista that works fine either with or
without BitLocker, and that lets you add BitLocker whenever you'd like.
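The full command sequence for step 4, as an added example rather than the newsletter's own listing: it combines the commands shown above with the "shrink minimum=1500" command and the "active" marking that the text describes. The order of the assign and active lines and the closing "list volume" check are assumptions, and the sequence assumes disk 0 holds no partitions yet.

```batch
rem Added example: type these at the Setup "Command Prompt" from step 3.
rem Assumes disk 0 is empty; letters C: and P: follow the format lines above.
diskpart
select disk 0
rem The first partition takes the whole disk and becomes C:
create partition primary
assign letter=c
rem Shrink C: so that at least 1500 MB is freed at the end of the disk
shrink minimum=1500
rem The second partition fills the freed space; it is the small boot partition
create partition primary
rem The newly created partition has focus, so "active" applies to it, not to C:
active
assign letter=p
rem Check before leaving diskpart: P: about 1.5 GB, C: at least 16 GB
list volume
exit
format c: /y /q /fs:NTFS
format p: /y /q /fs:NTFS
```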
Notice also the command "shrink minimum=1500." This is a
neat diskpart command that actually lets you shrink an existing
partition. The documentation says it only works on basic disks,
and I've not tried it on a dynamic disk, so I can't comment, but in any
case it's a pretty neat feature, given that I used to have to buy a
moderately expensive third-party utility to resize a partition without
Having dealt with that BitLocker annoyance, though, I should
explain a BitLocker annoyance that I can't fix (or understand) -- you
need either Vista Ultimate or Enterprise to use BitLocker.
It's kind of sad to consider that as far as Vista's concerned, security
is clearly a profit center.
How to Modify HOSTS on a Vista System
A few months ago, a friend beta testing Vista asked if I'd figured
out how to modify Vista's HOSTS files. I figured it out because
I'd been playing with Vista's very new and different default security
settings, and since then I've been asked the question a number of
times, I include this tip here.
The HOSTS file is in the same place that it's always been in Windows:
\windows\system32\drivers\etc. But that directory has a different
set of NTFS permissions than Windows has ever seen, as by default
administrators can't delete files, nor do they own those files.
You can give yourself enough control of HOSTS to modify it by first
taking ownership of it, then granting yourself full control to HOSTS.
That's most easily done from an elevated command prompt.
(Note: an "elevated command prompt" means that you right-click
the Command Prompt icon and choose "Run as administrator," and then
click "Confirm" when you get the User Account Control prompt.)
From the elevated command prompt, type
these two lines:
takeown /f c:\windows\system32\drivers\etc\hosts
icacls c:\windows\system32\drivers\etc\hosts /grant yourusername:f
Those are two new Vista command-line tools. The first lets you
take ownership of a file or folder, as its name suggests. That
line that you typed is the simplest form of takeown: just add a
"/f" and the name of the file or folder to take ownership of. (Takeown
even lets you take ownership of things on remote systems, which can be
convenient.) The second command lets you adjust NTFS permissions
and file/folder integrity levels -- it's intended to be the replacement
for cacls, which has been around since NT 3.1, and its syntax closely
mirrors cacls's. In that command, I'm using the /grant option to
allow me to give the account "yourusername" full control; that's what
the "F" stands for.
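A narrower variant of the two commands above, added here as an example and not part of the original newsletter: it grants Modify (M) rather than Full control, shows the ACL before and after, and removes the grant once the edit is done. "yourusername" is the page's placeholder; the HOSTS variable and the choice of M over F are this example's assumptions.

```batch
rem Added example; run from an elevated command prompt.
set HOSTS=c:\windows\system32\drivers\etc\hosts

rem Show the ACL as shipped, so there is something to compare against later
icacls %HOSTS%

rem Take ownership (the file is then owned by the account running takeown)
takeown /f %HOSTS%

rem Grant Modify only: enough to edit and save the file, without Full control
icacls %HOSTS% /grant yourusername:M
icacls %HOSTS%

rem Make the edit, then save and close the editor
notepad %HOSTS%

rem Remove the explicit grant again and confirm the entry is gone
icacls %HOSTS% /remove:g yourusername
icacls %HOSTS%
```

The ownership change made by takeown is not undone by the last step; only the added permission entry is removed.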
Letting Vista Respond to Pings
Like XP SP2, Vista includes Windows Firewall, and Vista enables that
firewall by default. The firewall's defaults do not include
responding to pings, something that irritates me immensely. Worse
yet, XP SP2's GUI included a way to allow ping responses, but for some
reason Microsoft removed that part of the GUI from Vista's firewall.
How, then, to let a Vista box respond to pings without disabling the
Simple: use the command line. Open an elevated command
prompt and type
netsh firewall set icmpsetting 8 enable
Or, alternatively, you can use the Windows Firewall group policy
settings, which are basically identical to Windows Firewall settings.
(Remember that you can learn Windows Firewall a-to-z from my free
download of the Windows Firewall chapter of the 2003 Upgrade book at
http://www.minasi.com/sp1r2book.) Vista's firewall
additionally has another, more powerful group policy interface as well,
but the standard group policy one will do for this simple exception.