Just when we had XP figured out .... there's a new version of the
Windows desktop, Windows Vista. But it's got some neat new features both
for users and for us support folks. Finding out about those
features can, however, be a bit time-consuming because not only is Vista
big, it's new, and by "new" we mean all new: you
see, one of the reasons why Vista took so long to deliver was that
Microsoft decided that the only way to make it more secure than XP would
be to start from scratch, and re-write extensive portions of Windows.
Again, that means some good news from the points of view of security and
central administration, but it also means that some very basic things
that we've become accustomed to in Windows as far back as Windows 2000
now behave somewhat differently. This course takes you through
Vista Business and Ultimate to show you how it works and how to make it
work better. And, of course, it's delivered in Mark's
distinctively entertaining style, with a plentitude of illuminating
Key Seminar Benefits
- Hear the good and bad about Vista from an independent source who's
been analyzing, supporting, writing and teaching about Windows for over
- Learn all of Vista's new security technologies so that you're ready
to solve application compatibility and "why doesn't this work any more?"
- Understand how the new Windows Integrity Control and Windows
Resource Protection affects your ability, even as an administrator, to
modify files, folders and Registry entries on a Vista system.
- Grasp the essentials of file and Registry virtualization to enable
legacy (that is, pre-October 2006) applications to run under Vista.
- Discover the new deployment tools in Vista's Windows Automated
Installation Kit (WAIK).
- Simplify your support tasks by exploiting CompletePC backup and
- Get the most out of Vista's changes to group policies.
- Find out what that annoying User Account Control feature is, how it
works... and why you shouldn't disable it!
- Get the details on how Vista lets you organize your files in
completely new ways.
- Ensure that when you lose a laptop, you lose only the hardware, not
the data, with BitLocker.
- See how to block users from installing particular types of hardware
through group policies.
Anyone taking this class should have at least a basic knowledge of
Windows support, Windows networking and security. For example, you'll get
the most out of this class if you know that Active Directory lets us
centrally administer user accounts and machine settings, if you know
what the Registry does, and have some familiarity with group policies.
And, of course, all attendees must have a solid knowledge of the .NET CLR, C# and APL programming. (Okay, we're just kidding on that
last point; no programming experience necessary!)
- Introduction: What is Vista?
In some senses, Vista is just "Windows NT 6.0 Workstation." But in
many senses it's a complete re-write of Microsoft's flagship desktop
operating system, and the first one built with as intense a focus on
security as Vista possesses. But that greater security comes with a
price, as Microsoft had to make a hard choice about security versus
application compatibility. This section lays out the range of Vista's
strengths and challenges, and explains why application compatibility is of
greater importance in Vista than it's been in any previous version of
- Vista Deployment: Almost Everything You Know Is Wrong, But That's
Microsoft has never really been successful in developing popular
tools for automating Windows. While scripted installs and Remote
Installation Service are good technologies, they've never really caught
on amongst support professionals, and in truth the most-used Microsoft
deployment tool in the XP world was Sysprep, and then only to facilitate
using Ghost or similar products. With Vista, Microsoft has
re-thought deployment and given us a whole new arsenal of deployment
tools. Are they the answer, or will they just be another case of
"nice try, Redmond?" In this section, you'll meet Vista's new
"rollout team" and decide for yourself.
- New concepts
- Windows image (WIM) files
- The Windows Automated Installation Kit (WAIK)
- The Business Desktop Deployment (BDD)
- WIMs versus Ghost
- Delivering patches
- Deployment tools
- WAIK/BDD Tools
- Windows System Image Manager
- Windows PE 2.0
- Windows Deployment Services
- Working With WIMs
- What's a WIM?
- Where's WIM?
- Peeking into WIMs with System Image Manager
- Working the WIM with imagex
- Using WimFS to mount and manage WIMs
- Deploying a WIM with WinPE and Imagex
- Aero: Vista's User Interface
This class most definitely does not spend much time on the
most visible aspect of Vista, the "eye candy" known as Aero Glass.
But this section briefly examines how it works, what you'll need to run
it, how to turn it off and, well, why you might want to.
- What exactly is "authentic, energetic, reflective and open" about
- The two kinds of Aero
- Components: Sidebar, translucency
- The price of Glass
- The other part of Aero: search
- Vista Storage
Pretty GUIs are nice, but computers are about computing, and
the grist for their mills is data. All of that data, though, is of
no value unless we can store it and find it. Storing large amounts
of data is easier because of the ever-growing capacity of drives that
are ever-shrinking in physical size. But the problem with having a
terabyte of disk space in your Vista palmtop is the "data black hole"
effect... "I know I put that file on the disk somewhere... but where?"
In the old days -- before the winter of 2006, that is -- we used folders
on a volume to organize our data. That paradigm worked well when
our hard disks were the equivalent of a shoebox in the closet, but
today's drives are by comparison mile-wide warehouses of data, so
folders really don't work all that well as a way of organizing things.
Vista offers us far more robust and powerful ways of organizing our data
on our disks than did previous Windows. Ah, but once we've gotten
that data organized, let's not forget that we're still not done:
we've got to back that stuff up! Vista offers some significant
help in that category as well, as you'll see in this section.
- Search folders
- Search is different in Vista
- How search folders are different from folders
- Powering search folders: the Vista Index Service
- Categorizing Data: Vista's Metadata
- New built-in metadata
- Home-made metadata: "tags" get easy to use
- Creating and managing tags
- Windows File System not needed... or available
- Other tools: stacks
- Protecting your data in Vista
- Windows Backup
- No tapes... but supports DVD and CD
- Data organization
- Windows Backup problems
- Recovering from catastrophic failure: CompletePC backup
- How CompletePC backup works
- Restoring CompletePC backups: the Windows Recovery Environment
- Getting Data Back
- Volume shadow copies
- Undelete comes to Vista: "Previous Versions"
- Configuring "Previous Versions"
- NTFS and Registry change: transactions
- How transaction-based changes work
- Implications for patches
- User Account Control
Once we've mastered storage, it's time to start working with
everyone's favorite Windows headache: security. You may not know of every new-to-Vista feature, but there's at least
one new Vista feature you probably know... User Account Control.
Known informally as "the Vista feature that everyone loves to hate," UAC
is actually an important part of Vista's multi-pronged attack on
malware. Additionally, UAC contains a very important and useful
patch that allows you to run older applications that would otherwise
fail when run as a standard user rather than an administrator. Yes,
UAC can be annoying, but to know it is to love it --
and in this section, we'll show you more about UAC than you can find
- UAC component overview
- Administrator Approval Mode
- "Standard user"
- Split token
- Deciding which token to offer
- File and Registry virtualization
- How UAC creates the split token: what are administrators made of,
- The Notorious Nine
- The Fearsome Four
- Integrity levels
- Controlling UAC and elevation
- UAC's seven rules to elevate
- How to override UAC's defaults
- Understanding manifests
- File and Registry virtualization
- What it is, how it works, seeing it in action
- Rules for virtualizing
- Fine-tuning Registry virtualization
- Monitoring virtualization: virtualization as an inventory tool
- Windows Integrity Levels
With Vista and 2008, Microsoft has quietly added
some plumbing that changes Windows security in profound ways. It's
odd, therefore, that almost no one seems to know about what was once
called Mandatory Integrity Control and is now called Windows Integrity
Levels. Put briefly, WIL is a concept intended to protect your
files from malware by identifying different levels of "trustworthiness"
on users, processes, and objects (files and folders, for example).
(Think of the government notions of people and documents having ratings
like Confidential, Secret, Top Secret and the like, and you're close to
integrity levels.) Once those levels of trustworthiness — "integrity" is Microsoft's
phrase — are established, then higher-integrity objects (like your
personal data) can be shielded from lower-integrity objects (like any
malware derived from the Internet). That sounds like file
permissions, yes, but it's more than that, as "integrity permissions"
always beat file permissions. The sad news is that Microsoft
implemented integrity levels, but didn't do much with it, nor did they
tell anyone about it. The bad news is that malware writers can, using
these integrity levels, create malware that cannot be deleted by an
administrator... yikes! But
after completing this section, you'll know how to control WILs so as to
combat those kinds of attacks, as well as get some ideas about how to use
this new tool to protect your data and applications.
- The basics: mandatory access controls and integrity levels
- How integrity levels affect object access in Windows
- Extending the integrity model
- chml, a tool to let you modify integrity levels
- Integrity levels versus permissions
- WIC Lite: Windows Resource Protection
At one point, Microsoft used Windows Integrity Control to secure the
system files on a Vista box, but feedback from beta testers changed
their mind. Instead, they've instituted a new set of permissions
and modified Windows File Protection to become "Windows Resource
- New Windows permission structure
- Overriding it with takeown, a neat tool
- Bringing files back with sfc's new options
- Vista Physical Security Improvements I: Plug and Play
Ever since the movie The Recruit, people have worried about data theft
from USB devices. What keeps an unhappy employee or a visitor from popping
a USB memory stick into a USB slot and siphoning off your company's data?
Vista, that's what, with a new set of group policies controlling hardware
- New hardware installation controls
- Creating whitelists or blacklists
- Understanding and finding hardware IDs, compatible IDs, and class GUIDs
- Steps to blocking a piece of hardware from installing
- Vista Physical Security II: BitLocker
Years back, Microsoft offered a set of ideas that they called the Next
Generation Secure Computing Base initiative, or you may recall its code name
"Palladium." About the only thing that's actually seen the light of day
from the Palladium ideas is a terrific anti-data-theft tool called BitLocker.
This section shows you what BitLocker does, but, better, it shows you how to do
the extra BitLocker stuff that Microsoft would prefer that you didn't know.
If you have laptops, then you need to understand BitLocker, as it's the
tool that ensures that when you lose a laptop, then you lose only the
hardware... not the data.
- BitLocker basics: full volume encryption
- How is it uncrackable? Is it uncrackable?
- Getting your system ready for BitLocker
- Setting up BitLocker with a "TPM" chip
- Setting up BitLocker without a TPM chip
- Choosing the level of encryption
- What to do when your laptop's toast and you need your data
- Configuring BitLocker with manage-bde.wsf
- Windows Service Architecture Changes Under Vista/2008
Windows services are an important pillar of Windows' architecture... but they've been a source of
security nightmares, as evidenced by Code Red, SQL Slammer, Nimda, Blaster, Sasser and others. In Vista
and Server 2008, Microsoft has completely re-engineered how services work under-the-hood to allow
developers to build services that are far more worm-resistant. But what about when those developers
are a bit lazy? With the right knowledge, a savvy admin can tighten up many Windows services... without
having to know how to write a line of C++!
- Review: why services offer vulnerabilities
- Service session isolation
- How it works
- Solving potential compatibility issues arising from it
- Reduced service privileges: "least privilege" and the new services
- How it works
- How to see if a service has been "least privileged"
- Dialing down a service's privileges without being a programmer
- Service isolation
- How it works: the new "restricted SID"
- Service SIDs
- How to restrict a service when the coders haven't bothered
- Short Vista Security Items
This section ends our look at Vista security with a roundup of short Vista
- Changes to group policy security default settings
- Potential incompatibilities
- Administrator account disabled
- Folders and groups eliminated
- Windows Firewall changes
- SMB version 2
- Windows Collaboration
Ever tried to share a file with a colleague, only to find that getting past
the firewalls, group policy settings, accounts, wireless setup and the like made
it easier to just say, "aw, the heck with it, let's just use a USB memory
stick?" Microsoft offers an alternative with their new Windows
Collaboration / Windows Meeting Space.
- WC capabilities
- WC setup
- Security considerations
- Networking Vista
What's a new version of Windows without networking changes? Well, it
wouldn't be Vista...
- Vista and IPv6
- Changes to the IP stack in Vista
- Remote desktop in Vista
- Internet Explorer 7 in Vista
- Group Policies in Vista
Group policies are a great idea, but ever since they appeared in
Windows 2000 they've been a bit clunky: useful, but hard to
administer and troubleshoot. To combat that, Microsoft has
completely rebuilt the group policy engine, added 700 new group policy
settings, changed how group policies are defined, and made a host of
other changes to make group policies more useful and more of a
"must-use" tool. And they did it all without sacrificing backward
compatibility, mostly. Find out about these changes in this
- What group policies needed, pre-Vista
- The group policy engine
- New service rather than part of Winlogon
- Hardened service
isolates third party client side extensions
- Improved GP refresh
- Multiple local GPOs
- Network Location Awareness service 2.0
- Completely revised group policy engine logging
- New administrative templates
- XML based
- Centralized store of admin templates reduces "Sysvol bloat"
- Implementing the Central Store
- Group Policy Management Console shipped with Vista
- New group policy settings areas
- Vista "SP1" features on the way
- Policy comments
- Vista's Event Viewer: "Crimson"
Who would have imagined that the Event Viewer would play a minor
starring role in Vista? While uprooting and rebuilding pieces of
Windows, Microsoft decided (rightly) that Event Viewer was way overdue
for a facelift. The new one, code-named "Crimson," bears very
little resemblance to the tool that changed very little between Windows
NT 3.1 and Windows Server 2003 R2. This section examines Crimson's
extensive set of new capabilities and focuses on the part of the new
Event Viewer that normally doesn't get much coverage, but should, as
it's the linchpin in troubleshooting Event Viewer issues -- the new
Windows Remote Management system. Without a good knowledge of
WinRM, you won't be able to use Crimson's best new feature: the
ability to centralize events from many systems to a single computer!
- New Vista Event Viewer features
- Completely restructured logs
- New urgency level "critical"
- Event triggers
- Events can be collected at a central system
- Log size limits gone
- Creating event triggers
- Centralizing events
- Configuration setup
- Security setup
- Special considerations for centralizing events in a workgroup
- Working with WinRM
- WinRM intro
- WinRM configuration
- WinRM security testing and troubleshooting
- Vista's New Task Scheduler
The changes to group policy and the Event
Viewer are the big stories in Vista administration, but that's not all that's
new and (usually) good. Ever tried to schedule a task to run on a regular
basis? Things have gotten better than NT 3.1, which introduced the at.exe
scheduler command, but not that much better, until Vista. In this section,
we'll consider Vista's Task Scheduler, which has received a facelift every bit
as interesting as the Event Viewer's.
- Creating a new task
- Command types and limitations
- Tracking a scheduled task
- Editing and resubmitting a task
- Boot.ini's Successor, BCDEDIT
Part of running any system involves
controlling how it starts up in the first place. Ever since NT 3.1, we've
controlled how the NT part of the Windows family boots through a simple text
file called boot.ini. Vista, however, retires boot.ini and replaces it
with a more flexible, architecture-independent tool: the boot
configuration database, or BCD. But don't reach for Notepad to edit BCD...
you'll need to learn a whole new tool: bcdedit.
- Talkin' BCD: new terminology
- The "store"
- Boot entries
- Entry options
- Global bcdedit settings
- Boot entries, GUIDs and well-known GUIDs
- A guide to the most useful entry options
- Vista Reliability and Stability Tools
Vista comes with a number
of tools intended to help you keep your system running in peak shape and,
given how hardware-intensive Vista is, that's a good thing! In
this section, we'll meet those tools.
- Vista performance rating tool
- Reliability Monitor
- "Problems and solutions"
- Service restart
Course Materials and Course Format
The class works from PowerPoint presentations. Every attendee
gets a printed copy of the PowerPoints. To make it possible to run
this course in just two days, this runs in mainly lecture format.
Arranging a Course At Your
We offer this class as a public seminar about a half-dozen times a
year; you can view the current schedule www.minasi.com/pubsems.htm.
But you needn't wait — Mark can come to your organization to teach it
on-site. On-site classes offer you the flexibility to lengthen or shorten
the class, add hands-on labs, modify the course's focus and zero in on
your group's specific needs.
Please contact our office at (757) 426-1431 between 12 Noon-5 Eastern
time or email Assistant@Minasi.com to discuss
scheduling and fees.