Course Objectives
Just when we had XP figured out... there's a new version of the
Windows desktop, Windows Vista. But it's got some neat new features both
for users and for us support folks. Finding out about those
features can, however, be a bit time-consuming, because not only is Vista
big, it's new, and by "new" we mean all new: you
see, one of the reasons why Vista took so long to deliver was that
Microsoft decided that the only way to make it more secure than XP would
be to start from scratch and re-write extensive portions of Windows.
Again, that means some good news from the points of view of security and
central administration, but it also means that some very basic things
that we've become accustomed to in Windows as far back as Windows 2000
now behave somewhat differently. This course takes you through
Vista Business and Ultimate to show you how it works and how to make it
work better. And, of course, it's delivered in Mark's
distinctively entertaining style, with a plenitude of illuminating
demonstrations!
Key Seminar Benefits
- Hear the good and bad about Vista from an independent source who's
been analyzing, supporting, writing and teaching about Windows for over
twenty years.
- Learn all of Vista's new security technologies so that you're ready
to solve application compatibility and "why doesn't this work any more?"
problems.
- Understand how the new Windows Integrity Control and Windows
Resource Protection affect your ability, even as an administrator, to
modify files, folders and Registry entries on a Vista system.
- Grasp the essentials of file and Registry virtualization to enable
legacy (that is, pre-October 2006) applications to run under Vista.
- Discover the new deployment tools in Vista's Windows Automated
Installation Kit (WAIK).
- Simplify your support tasks by exploiting CompletePC backup and
Previous Versions.
- Get the most out of Vista's changes to group policies.
- Find out what that annoying User Account Control feature is, how it
works... and why you shouldn't disable it!
- Get the details on how Vista lets you organize your files in
completely new ways.
- Ensure that when you lose a laptop, you lose only the hardware, not
the data, with BitLocker.
- See how to block users from installing particular types of hardware
through group policies.
Prerequisites
Anyone taking this class should have at least a basic knowledge of
Windows support, Windows networking and security. For example, you'll get
the most out of this class if you know that Active Directory lets us
centrally administer user accounts and machine settings, if you know
what the Registry does, and have some familiarity with group policies.
And, of course, all attendees must have a solid knowledge of the .NET CLR, C# and APL programming. (Okay, we're just kidding on that
last point; no programming experience necessary!)
Course Outline
- Introduction: What is Vista?
In some senses, Vista is just "Windows NT 6.0 Workstation." But in
many senses it's a complete re-write of Microsoft's flagship desktop
operating system, and the first one built with as intense a focus on
security as Vista possesses. But that greater security comes with a
price, as Microsoft had to make a hard choice about security versus
application compatibility. This section lays out the range of Vista's
strengths and challenges, and explains why application compatibility is of
greater importance in Vista than it's been in any previous version of
Windows.
- Vista Deployment: Almost Everything You Know Is Wrong, But That's
All Right
Microsoft has never really been successful in developing popular
tools for automating Windows. While scripted installs and Remote
Installation Service are good technologies, they've never really caught
on amongst support professionals, and in truth the most-used Microsoft
deployment tool in the XP world was Sysprep, and then only to facilitate
using Ghost or similar products. With Vista, Microsoft has
re-thought deployment and given us a whole new arsenal of deployment
tools. Are they the answer, or will they just be another case of
"nice try, Redmond?" In this section, you'll meet Vista's new
"rollout team" and decide for yourself.
- New concepts
- Windows image (WIM) files
- The Windows Automated Installation Kit (WAIK)
- Business Desktop Deployment (BDD)
- WIMs versus Ghost
- Mountable
- Delivering patches
- Deployment tools
- WAIK/BDD Tools
- Imagex
- Windows System Image Manager
- Windows PE 2.0
- Sysprep
- Windows Deployment Services
- Working With WIMs
- What's a WIM?
- Where's WIM?
- Peeking into WIMs with System Image Manager
- Working the WIM with imagex
- Using WimFS to mount and manage WIMs
- Deploying a WIM with WinPE and Imagex
- Aero: Vista's User Interface
This class most definitely does not spend much time on the
most visible aspect of Vista, the "eye candy" known as Aero Glass.
But this section briefly examines how it works, what you'll need to run
it, how to turn it off and, well, why you might want to.
- What exactly is "authentic, energetic, reflective and open" about
Aero?
- The two kinds of Aero
- Components: Sidebar, translucency
- The price of Glass
- The other part of Aero: search
- Vista Storage
Pretty GUIs are nice, but computers are about computing, and
the grist for their mills is data. All of that data, though, is of
no value unless we can store it and find it. Storing large amounts
of data is easier because of the ever-growing capacity of drives that
are ever-shrinking in physical size. But the problem with having a
terabyte of disk space in your Vista palmtop is the "data black hole"
effect... "I know I put that file on the disk somewhere... but where?"
In the old days -- before the winter of 2006, that is -- we used folders
on a volume to organize our data. That paradigm worked well when
our hard disks were the equivalent of a shoebox in the closet, but
today's drives are by comparison mile-wide warehouses of data, so
folders really don't work all that well as a way of organizing things.
Vista offers us far more robust and powerful ways of organizing our data
on our disks than previous versions of Windows did. Ah, but once we've gotten
that data organized, let's not forget that we're still not done:
we've got to back that stuff up! Vista offers some significant
help in that category as well, as you'll see in this section.
- Search folders
- Search is different in Vista
- How search folders are different from folders
- Powering search folders: the Vista Index Service
- Categorizing Data: Vista's Metadata
- New built-in metadata
- Home-made metadata: "tags" get easy to use
- Creating and managing tags
- Windows File System not needed... or available
- Other tools: stacks
- Protecting your data in Vista
- Windows Backup
- No tapes... but supports DVD and CD
- Data organization
- Windows Backup problems
- Recovering from catastrophic failure: CompletePC backup
- How CompletePC backup works
- Restoring CompletePC backups: the Windows Recovery Environment
- Getting Data Back
- Volume shadow copies
- Undelete comes to Vista: "Previous Versions"
- Configuring "Previous Versions"
- NTFS and Registry changes: transactions
- How transaction-based changes work
- Implications for patches
- User Account Control
Once we've mastered storage, it's time to start working with
everyone's favorite Windows headache: security. You may not know of every new-to-Vista feature, but there's at least
one new Vista feature you probably know... User Account Control.
Known informally as "the Vista feature that everyone loves to hate," UAC
is actually an important part of Vista's multi-pronged attack on
malware. UAC also includes an important and useful compatibility
mechanism, file and Registry virtualization, that lets many older
applications run that would otherwise fail when run as a standard user
rather than an administrator. Yes, UAC can be annoying, but to know it
is to love it, and in this section we'll show you more about UAC than
you can find anywhere!
- UAC component overview
- Administrator Approval Mode
- "Standard user"
- "Elevation"
- Split token
- Deciding which token to offer
- File and Registry virtualization
- How UAC creates the split token: what are administrators made of,
anyway?
- The Notorious Nine
- The Fearsome Four
- Integrity levels
- Controlling UAC and elevation
- UAC's seven rules to elevate
- How to override UAC's defaults
- Understanding manifests
- File and Registry virtualization
- What it is, how it works, seeing it in action
- Rules for virtualizing
- Fine-tuning Registry virtualization
- Monitoring virtualization: virtualization as an inventory tool
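As an added illustration (this is not course material and not one of Mark's tools), the following PowerShell 2.0 script reads the registry values behind the UAC policies, tells you whether the current session holds the full or the filtered half of the split token, inventories what file and Registry virtualization has quietly captured for the logged-on user, and shows the two non-programmer ways of telling UAC how a legacy program should run: the RUNASADMIN compatibility layer and an external manifest. The executable path passed to the last two functions is a placeholder.

```powershell
# Added example, not course material. Assumes PowerShell 2.0 or later on Vista.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    # Decodes the values the UAC group policies write (Vista meanings).
    $p = Get-ItemProperty -Path $uacKey
    $adminPrompt = @{ 0 = 'elevate without prompting'; 1 = 'prompt for credentials'; 2 = 'prompt for consent' }
    $userPrompt  = @{ 0 = 'automatically deny'; 1 = 'prompt for credentials' }
    New-Object PSObject -Property @{
        UacEnabled                 = [bool]$p.EnableLUA
        AdminApprovalMode          = $adminPrompt[[int]$p.ConsentPromptBehaviorAdmin]
        StandardUserElevation      = $userPrompt[[int]$p.ConsentPromptBehaviorUser]
        SecureDesktopPrompts       = [bool]$p.PromptOnSecureDesktop
        InstallerDetection         = [bool]$p.EnableInstallerDetection
        FileRegistryVirtualization = [bool]$p.EnableVirtualization
    }
}

function Test-Elevated {
    # Same account, two tokens: in the filtered (Medium-integrity) token the Administrators
    # group is marked deny-only, so this returns $false until the session is elevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-VirtualStoreInventory {
    # Writes that an unmanifested legacy app aimed at Program Files, Windows or HKLM\Software
    # were silently redirected here. The top-level names tell you which apps still need fixing.
    $fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    $files = @()
    if (Test-Path $fileStore) {
        $files = @(Get-ChildItem -Path $fileStore -Recurse | Where-Object { -not $_.PSIsContainer } |
                   ForEach-Object { $_.FullName.Substring($fileStore.Length + 1) })
    }
    $regStore = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
    $keys = @()
    if (Test-Path $regStore) { $keys = @(Get-ChildItem -Path $regStore | ForEach-Object { $_.PSChildName }) }
    New-Object PSObject -Property @{ VirtualizedFiles = $files; VirtualizedRegistryKeys = $keys }
}

function Set-RunAsAdminShim {
    # Quick fix for one machine: the same flag the 'Run this program as an administrator'
    # compatibility checkbox sets, so UAC elevates the program every time it starts.
    param([string]$ExePath)   # placeholder path supplied by the caller
    $layers = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    if (-not (Test-Path $layers)) { New-Item -Path $layers -Force | Out-Null }
    Set-ItemProperty -Path $layers -Name $ExePath -Value 'RUNASADMIN' -Type String
}

function New-ExternalManifest {
    # Proper fix: a manifest beside the exe declaring the level it needs. Declaring any
    # requestedExecutionLevel, even asInvoker, also switches virtualization off for that program.
    param([string]$ExePath, [string]$Level = 'asInvoker')   # asInvoker | highestAvailable | requireAdministrator
    $xml = @"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="$Level" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"@
    Set-Content -Path "$ExePath.manifest" -Value $xml -Encoding UTF8
}

Get-UacPolicy | Format-List
"Running with the full administrator token: $(Test-Elevated)"
Get-VirtualStoreInventory | Format-List
```

Two cautions: an external .manifest file is only honoured when the executable carries no embedded manifest, and the Layers entry written here lives in HKCU, so it follows the user rather than the machine (the HKLM copy of the same key applies to everyone).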
- Windows Integrity Levels
With Vista and Windows Server 2008, Microsoft has quietly added
some plumbing that changes Windows security in profound ways. It's
odd, therefore, that almost no one seems to know about what Microsoft's
documentation calls Mandatory Integrity Control and what we'll call Windows
Integrity Levels. Put briefly, WIL is a concept intended to protect your
files from malware by assigning different levels of "trustworthiness"
to users, processes, and objects (files, folders and Registry keys, for example).
(Think of the government notion of people and documents having ratings
like Confidential, Secret, Top Secret and the like, and you're close to
integrity levels, with one twist: a classification scheme keeps low-clearance
readers out of high-level documents, whereas integrity levels keep low-level
processes from modifying higher-level objects; reading is not blocked by default.)
Once those levels of trustworthiness ("integrity" is Microsoft's
phrase) are established, higher-integrity objects (like your
personal data) can be shielded from lower-integrity processes (like any
malware that arrived from the Internet). That sounds like file
permissions, yes, but it's more than that: the integrity check is made
before the permissions check, so a label can refuse a write that the
permissions would have allowed, and no permission can override it. The sad
news is that Microsoft implemented integrity levels but didn't do much with
them, nor did they tell anyone about them. The bad news is that malware
writers can, using these integrity levels, create malware that cannot be
deleted by an administrator... yikes! But
after completing this section, you'll know how to control WILs so as to
combat those kinds of attacks, as well as get some ideas about how to use
this new tool to protect your data and applications.
- The basics: mandatory access controls and integrity levels
- How integrity levels affect object access in Windows
- Extending the integrity model
- chml, a tool to let you modify integrity levels
- Integrity levels versus permissions
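The following is an added demonstration, not course material and not the chml tool the course uses; it relies on the in-box icacls, which can also read and set labels. It assumes PowerShell 2.0 on Vista and one administrator account with two open prompts: an elevated one (running at High integrity) for Protect-WithHighLabel and Remove-HighLabel, and an ordinary one (Medium integrity, filtered token) for Test-WriteUp. The demo file path is arbitrary.

```powershell
# Added example, not course material and not the chml tool. Uses in-box icacls.
# Assumes PowerShell 2.0 on Vista. Run Protect-WithHighLabel from an elevated prompt, then
# Test-WriteUp from an ordinary (non-elevated) prompt of the same administrator account.
$demo = Join-Path $env:PUBLIC 'il-demo.txt'   # a location both sessions can reach

function Get-ProcessIntegrity {
    # The token carries its level as a group: 'Mandatory Label\<Level> Mandatory Level'.
    $line = whoami /groups | Select-String 'Mandatory Level' | Select-Object -First 1
    if ($line) { [regex]::Match($line.Line, '(\w+) Mandatory Level').Groups[1].Value } else { 'unknown' }
}

function Protect-WithHighLabel {
    # A process can only assign a label at or below its own level (going higher needs
    # SeRelabelPrivilege), so labelling a file High has to be done from a High (elevated) process.
    Set-Content -Path $demo -Value 'only an elevated process may change this'
    icacls $demo /grant "${env:USERNAME}:F" | Out-Null   # the DACL says: Full Control
    icacls $demo /setintegritylevel High | Out-Null      # the label says: no write-up from below High
    icacls $demo   # shows a 'Mandatory Label\High Mandatory Level:(NW)' entry; NW = No-Write-Up
}

function Test-WriteUp {
    # The label check runs before the DACL check. From a Medium process the file is still
    # readable (labels do not block reads by default), but every write-class access, including
    # WRITE_DAC and WRITE_OWNER, is refused even though the DACL grants Full Control.
    "Running at $(Get-ProcessIntegrity) integrity"
    Get-Content -Path $demo
    try   { Add-Content -Path $demo -Value 'tampered' -ErrorAction Stop; 'write allowed' }
    catch { "write denied: $($_.Exception.Message)" }
    # Re-permissioning is a write-up too: from Medium, icacls reports 'Access is denied'.
    icacls $demo /grant "${env:USERNAME}:F"
}

function Remove-HighLabel {
    # The antidote to a High-labelled file you cannot touch from a normal session:
    # from an elevated (High) prompt, lower the label, or simply delete the file.
    icacls $demo /setintegritylevel Medium | Out-Null
    Remove-Item -Path $demo
}
```

The point to take away: a High label only stops processes below High, so an elevated prompt can always relabel or delete such a file; what it defeats is the administrator's everyday, non-elevated session. A label of System, which only a System-level process (a service, for instance) can assign, sits above even an elevated administrator, which is the case the section's warning about undeletable malware refers to.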
- WIC Lite: Windows Resource Protection
At one point, Microsoft used Windows Integrity Control to secure the
system files on a Vista box, but feedback from beta testers changed
their mind. Instead, they've instituted a new set of permissions
and modified Windows File Protection to become "Windows Resource
Protection."
- New Windows permission structure
- Overriding it with takeown, a neat tool
- Bringing files back with sfc's new options
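As an added example (not course material), here is the takeown/icacls override and the sfc options the section refers to, as PowerShell 2.0 run from an elevated prompt. The target file is an arbitrary WRP-protected system file chosen for illustration.

```powershell
# Added example, not course material. Assumes an elevated prompt and PowerShell 2.0;
# $target is an arbitrary WRP-protected file chosen for illustration.
$target = Join-Path $env:SystemRoot 'System32\notepad.exe'

function Show-WrpState {
    # WRP files are owned by NT SERVICE\TrustedInstaller; Administrators get only
    # read and execute, which is why even an elevated prompt sees 'Access is denied'.
    "Owner: $((Get-Acl -Path $target).Owner)"
    icacls $target
}

function Grant-WrpAccess {
    # The override: take ownership, then grant yourself rights. This is deliberate
    # tampering with a protected file, so do it only for a known reason and undo it after.
    takeown /f $target | Out-Null
    icacls $target /grant 'Administrators:F' | Out-Null
}

function Repair-WrpFile {
    # Vista's sfc can check or repair one file rather than the whole installation.
    sfc /verifyfile=$target
    sfc /scanfile=$target
    # Put WRP's defaults back: Administrators reduced to read/execute, owner TrustedInstaller.
    icacls $target /grant:r 'Administrators:RX' | Out-Null
    icacls $target /setowner 'NT SERVICE\TrustedInstaller' | Out-Null
}

Show-WrpState
```

sfc also gained /offbootdir and /offwindir in Vista, which let the same checks run against an installation that is not booted (from WinPE or the Windows Recovery Environment).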
- Vista Physical Security Improvements I: Plug and Play
Ever since the movie The Recruit, people have worried about data theft
from USB devices. What keeps an unhappy employee or a visitor from popping
a USB memory stick into a USB slot and siphoning off your company's data?
Vista, that's what, with a new set of group policies controlling hardware
installation.
- New hardware installation controls
- Creating whitelists or blacklists
- Understanding and finding hardware IDs, compatible IDs, and class GUIDs
- Steps to blocking a piece of hardware from installing
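As an added example (not course material), the following PowerShell 2.0 script performs the steps just listed on a single machine: it pulls a device's hardware IDs, compatible IDs and setup class GUID from the Enum branch of the Registry, then writes the local equivalents of the "Device Installation Restrictions" policies for a USB-storage blacklist and, alternatively, a whitelist. A domain GPO writes exactly these values and will overwrite them at the next refresh, so use the script to learn and test, and the GPO to deploy. The class GUIDs in the whitelist function are the standard keyboard and mouse setup classes.

```powershell
# Added example, not course material. Assumes PowerShell 2.0 on Vista and an elevated prompt.
# Writes the local policy values behind 'Device Installation Restrictions'; a domain GPO
# writes the same values and will overwrite these at the next refresh.
$restrict = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PnpIdentifiers {
    # Every installed device lists its identifiers under the Enum key: the hardware IDs
    # (most specific first), the compatible IDs and the setup class GUID. Any of the three
    # can be matched by the install policies.
    param([string]$NameLike = '*USB*')
    Get-WmiObject Win32_PnPEntity | Where-Object { $_.Name -like $NameLike } | ForEach-Object {
        $v = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Enum\$($_.DeviceID)" -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Name          = $_.Name
            InstanceId    = $_.DeviceID
            ClassGuid     = $v.ClassGUID
            HardwareIds   = @($v.HardwareID)
            CompatibleIds = @($v.CompatibleIDs)
        }
    }
}

function Block-UsbStorage {
    # Blacklist: deny installation of anything matching these IDs. The compatible IDs
    # below cover the USB mass-storage interface and the disks it presents.
    param([string[]]$Ids = @('USB\Class_08&SubClass_06&Prot_50', 'USBSTOR\Disk'))
    if (-not (Test-Path "$restrict\DenyDeviceIDs")) { New-Item -Path "$restrict\DenyDeviceIDs" -Force | Out-Null }
    Set-ItemProperty -Path $restrict -Name DenyDeviceIDs -Value 1 -Type DWord
    $n = 1
    foreach ($id in $Ids) { Set-ItemProperty -Path "$restrict\DenyDeviceIDs" -Name $n -Value $id -Type String; $n++ }
    # 0 = administrators are blocked too; 1 = they may override the deny lists.
    Set-ItemProperty -Path $restrict -Name AllowAdminInstall -Value 0 -Type DWord
}

function Enable-WhitelistMode {
    # Whitelist: refuse everything not explicitly allowed, then allow whole setup classes.
    # Defaults are the keyboard and mouse classes, so the machine stays usable.
    param([string[]]$ClassGuids = @('{4D36E96B-E325-11CE-BFC1-08002BE10318}', '{4D36E96F-E325-11CE-BFC1-08002BE10318}'))
    if (-not (Test-Path "$restrict\AllowDeviceClasses")) { New-Item -Path "$restrict\AllowDeviceClasses" -Force | Out-Null }
    Set-ItemProperty -Path $restrict -Name DenyUnspecified -Value 1 -Type DWord
    Set-ItemProperty -Path $restrict -Name AllowDeviceClasses -Value 1 -Type DWord
    $n = 1
    foreach ($g in $ClassGuids) { Set-ItemProperty -Path "$restrict\AllowDeviceClasses" -Name $n -Value $g -Type String; $n++ }
}

Get-PnpIdentifiers | Format-List Name, HardwareIds, CompatibleIds, ClassGuid
```

Two things to check before trusting the block: these policies govern installation, so a memory stick whose driver is already installed keeps working until it is uninstalled from Device Manager; and whitelist mode also refuses the machine's own new hardware, so try it on a lab box first.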
- Vista Physical Security II: BitLocker
Years back, Microsoft offered a set of ideas that they called the Next
Generation Secure Computing Base initiative, or you may recall its code name
"Palladium." About the only thing that's actually seen the light of day
from the Palladium ideas is a terrific anti-data-theft tool called BitLocker.
This section shows you what BitLocker does, but, better, it shows you how to do
the extra BitLocker stuff that Microsoft would prefer that you didn't know.
If you have laptops, then you need to understand BitLocker, as it's the
tool that ensures that when you lose a laptop, then you lose only the
hardware... not the data.
- BitLocker basics: full volume encryption
- How is it uncrackable? Is it uncrackable?
- Getting your system ready for BitLocker
- Setting up BitLocker with a "TPM" chip
- Setting up BitLocker without a TPM chip
- Choosing the level of encryption
- What to do when your laptop's toast and you need your data
- Configuring BitLocker with manage-bde.wsf
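As an added example (not course material), the script below drives Vista's manage-bde.wsf from PowerShell 2.0 for the tasks listed above: choosing the cipher, allowing BitLocker without a TPM, turning it on with either a TPM or a USB startup key, capturing the recovery password for escrow, and unlocking from recovery. It assumes an elevated prompt on Vista Enterprise or Ultimate and a removable drive F: for key files; both are assumptions, as is the example recovery password in the final comment.

```powershell
# Added example, not course material. Assumes PowerShell 2.0 on Vista Enterprise/Ultimate,
# an elevated prompt, and a removable drive F: for keys. On Vista manage-bde.wsf is a
# Windows Script Host script, hence cscript.
$mbde = Join-Path $env:SystemRoot 'System32\manage-bde.wsf'
function Invoke-ManageBde { param([string[]]$BdeArgs) cscript.exe //nologo $mbde @BdeArgs }

function Set-BitLockerCipher {
    # The cipher is chosen by policy before encryption starts, not by a manage-bde switch.
    # 1 = AES-128 + diffuser (default), 2 = AES-256 + diffuser, 3 = AES-128, 4 = AES-256
    param([int]$Method = 2)
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name EncryptionMethod -Value $Method -Type DWord
}

function Enable-BitLockerWithoutTpm {
    # Same policy key: allow a USB startup key to stand in for a TPM.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
}

function Start-BitLockerTpm {
    # TPM protector plus a 48-digit recovery password, with a copy of the recovery key on F:.
    Invoke-ManageBde -BdeArgs '-on', 'C:', '-RecoveryPassword', '-RecoveryKey', 'F:\'
}

function Start-BitLockerStartupKey {
    # No TPM: the startup key written to F: must be present at every boot.
    Invoke-ManageBde -BdeArgs '-on', 'C:', '-StartupKey', 'F:\', '-RecoveryPassword'
}

function Get-RecoveryPassword {
    # Escrow this before the laptop leaves the building; without it a dead TPM or a
    # motherboard swap means the data is gone for good.
    Invoke-ManageBde -BdeArgs '-protectors', '-get', 'C:' |
        Select-String -Pattern 'Numerical Password' -Context 0, 3
}

Invoke-ManageBde -BdeArgs '-status'
# Recovery, from WinRE or from another Vista machine the disk is attached to
# (the password below is a placeholder):
#   cscript manage-bde.wsf -unlock C: -RecoveryPassword 111111-222222-333333-444444-555555-666666-777777-888888
```

On the "is it uncrackable?" question: with the TPM alone, the TPM releases the volume key to anyone who boots the machine, so the encryption protects a powered-off laptop and the key is in memory whenever Windows is running. Adding a PIN (the -TPMAndPIN switch, with UseTPMPIN set under the same policy key) means the key is never released without something the thief does not have.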
- Windows Service Architecture Changes Under Vista/2008
Windows services are an important pillar of Windows' architecture... but they've been a source of
security nightmares, as evidenced by Code Red, SQL Slammer, Nimda, Blaster, Sasser and others. In Vista
and Server 2008, Microsoft has completely re-engineered how services work under-the-hood to allow
developers to build services that are far more worm-resistant. But what about when those developers
are a bit lazy? With the right knowledge, a savvy admin can tighten up many Windows services... without
having to know how to write a line of C++!
- Review: why services offer vulnerabilities
- Service session isolation
- How it works
- Solving potential compatibility issues arising from it
- Reduced service privileges: "least privilege" and the new services
- How it works
- How to see if a service has been "least privileged"
- Dialing down a service's privileges without being a programmer
- Service isolation
- How it works: the new "restricted SID"
- Service SIDs
- How to restrict a service when the coders haven't bothered
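As an added example (not course material), the PowerShell 2.0 script below does the "without being a programmer" part with the sc.exe verbs Vista introduced: it audits every service for declared privileges and a service SID type, then tightens one service. The service name ContosoAgent, its data folder and its privilege list are placeholders for a real service you have tested.

```powershell
# Added example, not course material. Assumes PowerShell 2.0 on Vista/Server 2008 and an
# elevated prompt. 'ContosoAgent' and its data folder are placeholders for a real service.
function Get-ServiceIsolation {
    # For every service: the account it runs as, the privileges it declared (none declared
    # means it keeps every privilege its account has) and whether it has a service SID.
    foreach ($svc in Get-WmiObject Win32_Service) {
        $privs = @(sc.exe qprivs $svc.Name 2>$null | ForEach-Object {
            if ($_ -match '(Se\w+Privilege)') { $Matches[1] } })
        $sidLine = sc.exe qsidtype $svc.Name 2>$null | Where-Object { $_ -match 'SERVICE_SID_TYPE' }
        $sidType = if ($sidLine) { ($sidLine -replace '.*:\s*', '').Trim() } else { 'unknown' }
        New-Object PSObject -Property @{
            Name       = $svc.Name
            Account    = $svc.StartName
            Process    = $svc.PathName
            SidType    = $sidType
            Privileges = ($privs -join ',')
            Declared   = ($privs.Count -gt 0)
        }
    }
}

function Restrict-Service {
    # Tighten a service whose developers did not: a minimal declared privilege list, a
    # restricted service SID, and an ACL that names that SID on the one folder it needs.
    param([string]$Name = 'ContosoAgent', [string]$DataDir = 'C:\ProgramData\ContosoAgent',
          [string]$Privileges = 'SeChangeNotifyPrivilege/SeImpersonatePrivilege')
    # 1. Run it in its own process. Privileges of services sharing one svchost are merged,
    #    so a per-service list only means something when the process is not shared.
    sc.exe config $Name type= own | Out-Null
    # 2. Declare the privilege set. Anything not listed is removed from the process token at
    #    start, so a service that later calls an API needing a missing privilege fails: test it.
    #    The list replaces whatever was declared before.
    sc.exe privs $Name $Privileges | Out-Null
    # 3. Restricted SID: the token becomes write-restricted. The service can still read what
    #    its account can read, but it can only write to objects whose ACL grants its own
    #    NT SERVICE\<name> SID (or Everyone / the logon SID).
    sc.exe sidtype $Name restricted | Out-Null
    icacls $DataDir /grant "NT SERVICE\${Name}:(OI)(CI)M" | Out-Null
    # 4. Show the SID Windows derives from the name, then the result.
    sc.exe showsid $Name
    sc.exe qprivs $Name
    sc.exe qsidtype $Name
    Restart-Service -Name $Name
}

Get-ServiceIsolation | Where-Object { -not $_.Declared -or $_.SidType -eq 'NONE' } |
    Sort-Object Name | Format-Table Name, Account, SidType, Privileges -AutoSize
```

The audit query at the end lists exactly the services the section is about: those still running with their account's full privilege set or without a SID of their own.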
- Short Vista Security Items
This section ends our look at Vista security with a roundup of short Vista
security topics.
- Changes to group policy security default settings
- Potential incompatibilities
- Administrator account disabled
- Folders and groups eliminated
- Windows Firewall changes
- SMB version 2
- Windows Collaboration
Ever tried to share a file with a colleague, only to find that getting past
the firewalls, group policy settings, accounts, wireless setup and the like made
it easier to just say, "aw, the heck with it, let's just use a USB memory
stick?" Microsoft offers an alternative with their new Windows
Collaboration / Windows Meeting Space.
- WC capabilities
- WC setup
- Security considerations
- Networking Vista
What's a new version of Windows without networking changes? Well, it
wouldn't be Vista...
- Vista and IPv6
- Changes to the IP stack in Vista
- Remote desktop in Vista
- Internet Explorer 7 in Vista
- Windows CardSpace (formerly "InfoCard")
- Group Policies in Vista
Group policies are a great idea, but ever since they appeared in
Windows 2000 they've been a bit clunky: useful, but hard to
administer and troubleshoot. To combat that, Microsoft has
completely rebuilt the group policy engine, added 700 new group policy
settings, changed how group policies are defined, and made a host of
other changes to make group policies more useful and more of a
"must-use" tool. And they did it all without sacrificing backward
compatibility, mostly. Find out about these changes in this
section.
- What group policies needed, pre-Vista
- The group policy engine
- New service rather than part of Winlogon
- Hardened service: isolates third-party client-side extensions
- Improved GP refresh methods
- Multiple local GPOs
- Network Location Awareness service 2.0
- Completely revised group policy engine logging
- New administrative templates
- XML based
- Centralized store of admin templates reduces "Sysvol bloat"
- Implementing the Central Store
- Group Policy Management Console shipped with Vista
- New group policy settings areas
- Vista "SP1" features on the way
- Search
- Templates
- Policy comments
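As an added example (not course material), here is the Central Store procedure from the outline above as a PowerShell 2.0 script: it copies a Vista box's ADMX and ADML files into the domain's SYSVOL and then checks whether the store has fallen behind the local templates. It assumes a domain-joined Vista machine and a logged-on user who can write to SYSVOL.

```powershell
# Added example, not course material. Assumes PowerShell 2.0 on a domain-joined Vista
# machine whose logged-on user may write to SYSVOL (a domain admin).
function Install-GpoCentralStore {
    # ADMX files (and their per-language ADML files) copied here are what every GPMC session
    # in the domain loads instead of the admin's local %SystemRoot%\PolicyDefinitions, and
    # templates are no longer copied into each GPO, which is what cures Sysvol bloat.
    param([string]$Domain = $env:USERDNSDOMAIN)
    $store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    robocopy (Join-Path $env:SystemRoot 'PolicyDefinitions') $store /E /XO | Out-Null
    $store
}

function Test-GpoCentralStore {
    # Compare what the store holds against the local copy; a difference means this Vista
    # box has templates (for example after a service pack) the store has not received.
    param([string]$Domain = $env:USERDNSDOMAIN)
    $store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    $local = Join-Path $env:SystemRoot 'PolicyDefinitions'
    if (-not (Test-Path $store)) { return 'no central store: GPMC is using local templates' }
    $missing = Compare-Object (Get-ChildItem $local -Filter *.admx | ForEach-Object { $_.Name }) `
                              (Get-ChildItem $store -Filter *.admx | ForEach-Object { $_.Name }) |
               Where-Object { $_.SideIndicator -eq '<=' } | ForEach-Object { $_.InputObject }
    if ($missing) { "local templates not yet in the store: $($missing -join ', ')" } else { 'central store is current' }
}

Install-GpoCentralStore
Test-GpoCentralStore
```

Once the store exists, GPMC reports "retrieved from the central store" in a GPO's Settings report; that line is the quickest confirmation that admins are all editing from the same templates.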
- Vista's Event Viewer: "Crimson"
Who would have imagined that the Event Viewer would play a minor
starring role in Vista? While uprooting and rebuilding pieces of
Windows, Microsoft decided (rightly) that Event Viewer was way overdue
for a facelift. The new one, code-named "Crimson," bears very
little resemblance to the tool that changed very little between Windows
NT 3.1 and Windows Server 2003 R2. This section examines Crimson's
extensive set of new capabilities and focuses on the part of the new
Event Viewer that normally doesn't get much coverage, but should, as
it's the linchpin in troubleshooting Event Viewer issues -- the new
Windows Remote Management system. Without a good knowledge of
WinRM, you won't be able to use Crimson's best new feature: the
ability to centralize events from many systems to a single computer!
- New Vista Event Viewer features
- Completely restructured logs
- New urgency level "critical"
- Event triggers
- Events can be collected at a central system
- Log size limits gone
- Creating event triggers
- Centralizing events
- Configuration setup
- Security setup
- Special considerations for centralizing events in a workgroup
- Working with WinRM
- WinRM intro
- WinRM configuration
- WinRM security testing and troubleshooting
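As an added example (not course material), the following PowerShell 2.0 script sets up the centralized event collection described above end to end: the WinRM listener on each forwarding machine, the collector service and a subscription on the collector, and the checks to run when events do not arrive. The collector COLLECTOR, the source LAPTOP1, the domain CONTOSO and the subscription's content are all placeholders; each function is meant to run from an elevated prompt on the machine named in its comment.

```powershell
# Added example, not course material. Assumes PowerShell 2.0 and an elevated prompt on each
# machine; COLLECTOR, LAPTOP1 and CONTOSO are placeholders. Run Enable-EventSource on the
# source and the other two functions on the collector.

function Enable-EventSource {
    # On each forwarding machine: open the WinRM HTTP listener (and its firewall rule) and
    # let the collector's computer account read the logs it will subscribe to.
    winrm quickconfig -q
    net localgroup 'Event Log Readers' 'CONTOSO\COLLECTOR$' /add
}

function Enable-EventCollector {
    # On the collector: configure the Windows Event Collector service, then define one
    # collector-initiated subscription pulling logon events from LAPTOP1 into ForwardedEvents.
    wecutil qc /q
    $subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>LaptopLogons</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Successful and failed logons from laptops</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>LAPTOP1.contoso.com</Address></EventSource>
  </EventSources>
</Subscription>
"@
    $file = Join-Path $env:TEMP 'LaptopLogons.xml'
    Set-Content -Path $file -Value $subscription -Encoding UTF8
    wecutil cs $file
    # Workgroup variant: there are no machine accounts, so the collector must trust the
    # source by name and the subscription needs a local account that exists on the source:
    #   winrm set winrm/config/client '@{TrustedHosts="LAPTOP1"}'
    #   wecutil cs $file /cun:LAPTOP1\admin /cup:<password>
}

function Test-EventForwarding {
    # Troubleshooting order: can the collector reach the source's WinRM at all? If so,
    # wecutil's runtime status says which sources are active and the last error per source.
    winrm id -r:LAPTOP1.contoso.com
    winrm enumerate winrm/config/listener
    wecutil gr LaptopLogons
}
```

The subscription above is collector-initiated, which is the mode that needs WinRM reachable on every source; the alternative, source-initiated subscriptions, reverses that so only the collector listens, which matters for laptops that are rarely on the LAN.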
- Vista's New Task Scheduler
The changes to group policy and the Event
Viewer are the big stories in Vista administration, but that's not all that's
new and (usually) good. Ever tried to schedule a task to run on a regular
basis? Things have gotten better than NT 3.1, which introduced the at.exe
scheduler command, but not that much better, until Vista. In this section,
we'll consider Vista's Task Scheduler, which has received a facelift every bit
as interesting as the Event Viewer's.
- Creating a new task
- Triggers
- Actions
- Command types and limitations
- Tracking a scheduled task
- Editing and resubmitting a task
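As an added example (not course material), here is the Task Scheduler outline above worked through with schtasks in PowerShell 2.0, using the Vista-only event trigger that the Event Viewer section also mentions: a task that fires on every failed logon. The task name, the XPath query and the script the task runs (C:\Scripts\On-FailedLogon.ps1) are placeholders; it assumes an elevated prompt.

```powershell
# Added example, not course material. Assumes PowerShell 2.0 on Vista, an elevated prompt,
# and a placeholder script C:\Scripts\On-FailedLogon.ps1 that the task will run.
$taskName = 'Alert-FailedLogon'
$query    = '*[System[(EventID=4625)]]'   # same XPath the Event Viewer's filter dialog produces

function Test-EventQuery {
    # Try the XPath against the live Security log before wiring a task to it.
    wevtutil qe Security "/q:$query" /c:3 /rd:true /f:text
}

function New-FailedLogonTask {
    # ONEVENT triggers exist only in the Vista scheduler: the task fires each time an event
    # matching /MO is written to the channel named by /EC. /RU SYSTEM and /RL HIGHEST give
    # the action a full (unfiltered) token, which a script that reads the Security log needs.
    schtasks /Create /TN $taskName /SC ONEVENT /EC Security /MO $query /RU SYSTEM /RL HIGHEST /F `
        /TR 'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\On-FailedLogon.ps1'
}

function Get-TaskHistory {
    # Last run time and last result code; the scheduler also writes its own log under
    # Applications and Services Logs > Microsoft > Windows > TaskScheduler > Operational.
    schtasks /Query /TN $taskName /V /FO LIST
}

function Set-TaskEnabled {
    # Edit-and-resubmit: disable while the script is being changed, then re-enable.
    param([bool]$Enabled)
    if ($Enabled) { schtasks /Change /TN $taskName /ENABLE } else { schtasks /Change /TN $taskName /DISABLE }
}

Test-EventQuery
New-FailedLogonTask
schtasks /Run /TN $taskName    # manual test run; after this the next 4625 runs it again
Get-TaskHistory
```

A caveat on command types: schtasks runs the /TR string through the scheduler's own launcher, not a shell, so built-in cmd commands need an explicit cmd.exe /c, and a task created with /RL HIGHEST from a non-elevated prompt is refused.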
- Boot.ini's Successor, BCDEDIT
Part of running any system involves
controlling how it starts up in the first place. Ever since NT 3.1, we've
controlled how the NT part of the Windows family boots through a simple text
file called boot.ini. Vista, however, retires boot.ini and replaces it
with a more flexible, architecture-independent tool: the boot
configuration database, or BCD. But don't reach for Notepad to edit BCD...
you'll need to learn a whole new tool: bcdedit.
- Talkin' BCD: new terminology
- The "store"
- Boot entries
- Entry options
- Global bcdedit settings
- Boot entries, GUIDs and well-known GUIDs
- A guide to the most useful entry options
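As an added example (not course material), the PowerShell 2.0 script below covers the bcdedit workflow from the outline above: back the store up, clone the current entry into a diagnostic one, parse the GUID bcdedit hands back, and then read the store back into objects so it can be audited. The audit looks for the two entry options that weaken kernel code-signing enforcement, which is the check a security-minded admin wants after any boot-configuration change. It assumes an elevated prompt; the description text of the new entry is arbitrary.

```powershell
# Added example, not course material. Assumes PowerShell 2.0 on Vista and an elevated prompt
# (bcdedit cannot open the store otherwise). Braces are quoted because PowerShell would
# otherwise read {current} as a script block.
function Backup-Bcd {
    # Always export the store first: 'bcdedit /import' puts it back if an edit leaves the box unbootable.
    $backup = Join-Path $env:TEMP ('bcd-' + (Get-Date -Format yyyyMMdd-HHmmss))
    bcdedit /export $backup | Out-Null
    $backup
}

function New-DiagnosticBootEntry {
    # Clone the running entry rather than editing it: the copy gets boot logging and the
    # driver-name display (sos) and goes at the end of the menu, with a 10-second timeout.
    $out = bcdedit /copy '{current}' /d 'Windows Vista (boot logging)'
    $guid = [regex]::Match(($out -join ' '), '\{[0-9a-fA-F-]{36}\}').Value
    if (-not $guid) { throw "bcdedit /copy did not return a GUID: $out" }
    bcdedit /set $guid bootlog yes       | Out-Null
    bcdedit /set $guid sos yes           | Out-Null
    bcdedit /displayorder $guid /addlast | Out-Null
    bcdedit /timeout 10                  | Out-Null
    $guid
}

function Get-BcdEntries {
    # Parse 'bcdedit /enum osloader' into one object per entry: identifier plus every option.
    $entries = @(); $cur = $null
    foreach ($line in (bcdedit /enum osloader)) {
        if ($line -match '^Windows ') { $cur = $null }            # section header, e.g. 'Windows Boot Loader'
        elseif ($line -match '^identifier\s+(\S+)') { $cur = @{ identifier = $Matches[1] }; $entries += $cur }
        elseif ($cur -and $line -match '^(\S+)\s+(.+?)\s*$') { $cur[$Matches[1]] = $Matches[2] }
    }
    $entries | ForEach-Object { New-Object PSObject -Property $_ }
}

function Get-WeakenedBootEntries {
    # The security check: an entry with testsigning or nointegritychecks set to Yes lets
    # unsigned kernel-mode code load on x64 Vista, which is what a rootkit installer wants;
    # the well-known identifiers {current} and {default} are where to look first.
    Get-BcdEntries | Where-Object { $_.testsigning -eq 'Yes' -or $_.nointegritychecks -eq 'Yes' }
}

Backup-Bcd
New-DiagnosticBootEntry
Get-WeakenedBootEntries | Format-List
```

Anything the audit turns up can be cleared with bcdedit /deletevalue followed by the entry's identifier and the option name; like every other bcdedit change, it takes effect at the next boot.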
- Vista Reliability and Stability Tools
Vista comes with a number
of tools intended to help you keep your system running in peak shape and,
given how hardware-intensive Vista is, that's a good thing! In
this section, we'll meet those tools.
- Vista performance rating tool
- Reliability Monitor
- "Problems and solutions"
- Service restart
- SuperFetch
- ReadyBoost
- ReadyDrive
Course Materials and Course Format
The class works from PowerPoint presentations. Every attendee
gets a printed copy of the PowerPoints. To make it possible to run
this course in just two days, this runs in mainly lecture format.
Arranging a Course At Your Location
We offer this class as a public seminar about a half-dozen times a
year; you can view the current schedule at www.minasi.com/pubsems.htm.
But you needn't wait — Mark can come to your organization to teach it
on-site. On-site classes offer you the flexibility to lengthen or shorten
the class, add hands-on labs, modify the course's focus and zero in on
your group's specific needs.
Please contact our office at (757) 426-1431 between 12 Noon-5 Eastern
time or email Assistant@Minasi.com to discuss
scheduling and fees.