Windows 7 Gets you What You Expected

Windows 7, Microsoft's next client release, will be available in 32-bit and 64-bit versions.

Here are some things that you asked for in your Desktop OS:

For end users

1. Faster - Your system starts up, shuts down and resumes from standby faster, and your laptop’s battery lasts longer!

2. Touch - Multi-touch, ink and gesture support along with handwriting recognition allow you to create exciting new input capabilities. Managing a large number of windows is much easier, with intuitive touch gestures to view multiple windows at once and remove unwanted windows.

3. Faster Browsing - Build for the web with IE8, add rich media with Silverlight and extend to a rich client with WPF, using the same platform and tools.

4. Explore and Share - With Windows 7 and Windows Live, you can easily manage your documents, pictures, movies and music, regardless of which PC they are stored on, and share them with your friends and family.

5. Search - Windows 7 includes all performance improvements from Windows Search 4.0, so search and indexing are much faster.

6. Fewer Crashes - A new feature in Windows 7, the Fault Tolerant Heap, mitigates the most common causes of heap corruption, significantly reducing the number of crashes you will experience!

7. Power Saving - Windows 7 easily adapts to your activity. To save battery power, Windows 7 automatically reduces display brightness after a period of inactivity, much like mobile phones do today.

8. Watch a complete DVD on battery - Windows 7 will use less power playing a standard-definition DVD than all earlier versions of Windows, so you are more likely to watch a complete movie on a single battery charge.

Features for IT Pros

1. App Compatibility - Windows 7 will run most, if not all, applications that run on Windows Vista, making Windows Vista to Windows 7 deployment easier.

2. PowerShell v2 - Customers will be able to keep their PCs running smoothly with PowerShell and Group Policy management.

3. BitLocker To Go - In Windows 7, BitLocker To Go will protect data stored on portable media (e.g., USB flash drives, USB portable hard drives) such that only authorized users can read the data, even if the media is lost, stolen, or misused.

4. Work from Anywhere - With the capabilities Windows 7 enables, users who have internet access will be automatically connected to their corporate network. A user sitting in a coffee shop can open his laptop, connect to the internet using the coffee shop’s wireless access and start working as if he were in the office. The user in this case will be able not only to use Outlook, but also to work with intranet sites, open corporate shares, use LOB applications, and basically have full access to corporate resources.

5. “Branch office caching” - The idea is to cache the corporate data downloaded by users locally in the branch office so it can be quickly accessed by others in the branch. With branch office caching, opening a document can take seconds instead of minutes.

6. “Enterprise Search Scopes” enables IT, using Group Policy, to deploy links that appear on the user’s Start menu or in Explorer.

7. AppLocker provides a flexible mechanism that allows administrators to specify exactly what is allowed to run on their systems and gives users the ability to run applications, installation programs, and scripts that administrators have explicitly granted permission to execute. For example, a rule could be written that says “allow all versions greater than 8.1 of the program Photoshop to run if it is signed by the software publisher Adobe.”
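The Photoshop rule quoted above, written out as an AppLocker publisher rule and tested in audit mode before it is enforced. This is an added example, not code from the original post or from Microsoft; the publisher string, product name and file path are placeholders (take the real values from Get-AppLockerFileInformation on a genuinely signed binary), and it needs the AppLocker PowerShell module that ships with Windows 7.

```powershell
# Added example (not from the original post): an AppLocker publisher rule that
# says "allow Photoshop 8.1 and later when signed by Adobe", applied in audit
# mode first. PublisherName, ProductName and the sample path are PLACEHOLDERS.
$ruleId = [guid]::NewGuid().ToString()
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$ruleId" Name="Allow Photoshop 8.1 and later signed by Adobe"
                       Description="Added example rule" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=PLACEHOLDER PUBLISHER, L=CITY, S=STATE, C=US"
                                ProductName="PLACEHOLDER PRODUCT" BinaryName="*">
          <BinaryVersionRange LowSection="8.1.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-example.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

Import-Module AppLocker

# 1. Learn the exact publisher values from a signed binary (placeholder path);
#    these are what go into PublisherName / ProductName above.
Get-AppLockerFileInformation -Path 'C:\PLACEHOLDER\Photoshop.exe' |
    Select-Object -ExpandProperty Publisher

# 2. Dry run: which executables under the folder would this policy allow or deny?
Get-ChildItem 'C:\PLACEHOLDER' -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 3. Apply in audit mode. Review the AppLocker event log for blocked-if-enforced
#    events, then change EnforcementMode to "Enabled" in the XML and re-apply.
Set-AppLockerPolicy -XmlPolicy $policyPath
```

The UserOrGroupSid S-1-1-0 is the Everyone group, and the version range `8.1.0.0` to `*` is how AppLocker expresses "8.1 and above"; keeping the collection in AuditOnly until the test run and event log look clean is what prevents an allow-list rollout from locking users out of the tools they actually need.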

To get your infrastructure ready for Windows 7, the best step is to start deploying Windows Vista and MDOP today.

Download Windows 7 Beta today and learn more about it at:

http://technet.microsoft.com/en-us/windows/default.aspx 

Talking about Windows 7 Beta Installation

Did you know how to edit Multiple Local Group Policy Objects (MLGPO) in Windows Vista?

Most of us (Windows administrators) are used to the idea of Windows client computers (Windows XP etc.) having one Local Group Policy Object that contains the policy settings for the local computer and those that apply to the local users.

Well, welcome to Multiple Local Group Policy Objects (MLGPO) in Windows Vista.

Windows Vista SP1 contains 3 different types of Local Group Policy Objects (hence called Multiple LGPOs):

1. Local Computer Policy – This is the most familiar type of Local GPO and is the same as in earlier versions of Windows. It contains settings that apply to the local computer and to all local users on the computer, including local administrators. This is the only GPO that contains settings that can be applied to the local computer, and is thus mostly used as a GPO for local computer settings. You can create and edit the Local Computer Policy in the following way:

   1. Open MMC (mmc.exe) with the rights of a local administrator.
   2. Select File -> Add/Remove Snap-in.
   3. Select Group Policy Object from the list of available snap-ins and click Add.
   4. Select Local Computer (selected by default).
   5. Click Finish.


2. Administrators and Non-Administrators Local Group Policy – This policy contains only user settings for groups of users, i.e. it divides the users into two groups: Administrators (members of the local Administrators group) and non-administrators (all other users). It has two MLGPOs (one for the Administrators group and one for non-administrators). These GPOs do not contain any computer settings. You can create and edit the MLGPO for Administrators or Non-Administrators in the following way:

   1. Open MMC (mmc.exe) with the rights of a local administrator.
   2. Select File -> Add/Remove Snap-in.
   3. Select Group Policy Object from the list of available snap-ins and click Add.
   4. Click Browse.
   5. Select the Users tab.
   6. Select Administrators or Non-Administrators from the list and click OK.
   7. Click Finish.


3. User-specific Local Group Policy – So here is the news!! You can now apply a GPO to a specific user only! This GPO contains only user settings that can be applied to a specific user on the local computer. It does not contain any computer settings. However, you still cannot apply a GPO to a security group other than the local Administrators (as discussed above). This means that you cannot create a local group (of certain specific users) and apply a GPO to it. You can create and edit a Local GPO for a specific user on the local computer in the following way:

   1. Open MMC (mmc.exe) with the rights of a local administrator.
   2. Select File -> Add/Remove Snap-in.
   3. Select Group Policy Object from the list of available snap-ins and click Add.
   4. Click Browse.
   5. Select the Users tab.
   6. Select the name of the user you wish to apply the GPO to from the list and click OK.
   7. Click Finish.


MLGPOs Processing Order

We all know that the Group Policy processing is traditionally done in the following order for a particular user (member of a domain):

  1. Local Computer Policy
  2. Site GPOs
  3. Domain GPOs
  4. OU GPOs

Now that Multiple Local Group Policy objects exist on the local computer, the following order is applied to the GPO processing:

  1. Local Computer Policy
  2. Administrators and non-administrators Local Group Policy (user settings only)
  3. User-Specific Local Group Policy (user settings only)
  4. Site GPOs
  5. Domain GPOs
  6. OU GPOs
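The three kinds of Local GPO created through the MMC steps above each live in their own store on disk, so an administrator can inventory which per-group and per-user MLGPOs exist on a machine without opening MMC, and then confirm with gpresult which policies actually applied to the logged-on user. The script below is an added example, not from the original post; it assumes the usual layout of `%SystemRoot%\System32\GroupPolicy` for the Local Computer Policy and `%SystemRoot%\System32\GroupPolicyUsers\<SID>` for the group and user-specific MLGPOs, with the Administrators and Users well-known SIDs backing the two group MLGPOs. It is written for PowerShell 2.0 so it runs on Vista and Windows 7.

```powershell
# Added example, not from the original post. Lists the on-disk stores behind the
# three kinds of Local GPO so the MLGPOs on a machine can be audited.
# Assumed layout (Windows Vista and later):
#   %SystemRoot%\System32\GroupPolicy            - Local Computer Policy
#   %SystemRoot%\System32\GroupPolicyUsers\<SID> - Administrators, Non-Administrators
#                                                  and user-specific MLGPOs
function Get-LocalGpoStore {
    $base   = Join-Path $env:SystemRoot 'System32'
    $stores = @()

    $computerPolicy = Join-Path $base 'GroupPolicy'
    if (Test-Path $computerPolicy) {
        $stores += New-Object PSObject -Property @{
            Kind      = 'Local Computer Policy'
            Principal = '(computer + all local users)'
            Path      = $computerPolicy
        }
    }

    $usersRoot = Join-Path $base 'GroupPolicyUsers'
    if (Test-Path $usersRoot) {
        foreach ($dir in (Get-ChildItem -Path $usersRoot | Where-Object { $_.PSIsContainer })) {
            $sidText = $dir.Name
            # Well-known SIDs: Administrators = S-1-5-32-544; Users = S-1-5-32-545 is
            # assumed to back the Non-Administrators MLGPO. Any other SID is a
            # user-specific MLGPO keyed by that user's SID.
            switch ($sidText) {
                'S-1-5-32-544' { $kind = 'Administrators MLGPO' }
                'S-1-5-32-545' { $kind = 'Non-Administrators MLGPO' }
                default        { $kind = 'User-specific MLGPO' }
            }
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($sidText)
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name = $sidText   # unresolvable (e.g. a deleted account): keep the raw SID
            }
            $stores += New-Object PSObject -Property @{
                Kind      = $kind
                Principal = $name
                Path      = $dir.FullName
            }
        }
    }
    $stores
}

# Inventory the stores, then show which GPOs applied to the current user.
Get-LocalGpoStore | Format-Table Kind, Principal, Path -AutoSize
gpresult /r /scope user
```

A user-specific store whose SID no longer resolves to an account is worth a second look: it is policy that nobody owns any more, and because local GPOs are processed before site, domain and OU GPOs it still takes effect for any user with that SID.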

What should be done? Tackling the problem proactively

So now that we know the problems in letting the users work with default administrative accounts, here are some simple guidelines that should be followed in order to avoid these issues.

All users and developers should work as standard users

In-house developed software is written to work for standard users. If developers themselves are given the privileges of a standard user, then the applications they develop will be tested and validated on standard-user systems from the very start.

Minimize the number of administrators

You can't completely eliminate the local administrator account, and even the title "Least Privileged User" tends to make users feel controlled. So it is better to educate users on what it means to be a standard user and the benefits of it.

All application binaries (.exe, .com, .dll, .ocx) should be written to protected folders

The above-mentioned application files should be written to the "Program Files" folder only, in the same way that operating system files are protected in the C:\Windows folder. Other operating system files should be written to C:\Windows or its subfolders only.

Deployment and management of computers should be centrally controlled and automated

Routine tasks like applying software updates and distributing software applications should be done from a central location. This helps in maintaining a known and consistent state of all the computers in the environment and makes testing, deployment and troubleshooting easier and helps in reducing helpdesk calls.

Implement an operating system with an automated process for running software as standard users.

Windows Vista and Windows Server® 2008 both have the ability to run software even if it was not written for standard users. Through UAC, file and registry virtualization, applications can run in the context of a standard user even if they were designed with administrative privilege requirements.

Computer hardware should be as uniform as possible.

In order to simplify deployment and management, it is ideal to have an established standard hardware specification or list of approved models. This helps reduce costs associated with migrations, eases troubleshooting and simplifies any necessary re-imaging.

Anti-malware signature files should be installed automatically and promptly.

When administrator accounts are used by most users, they often install multiple engines for detecting malware elements such as spyware. It is a good idea to have a single, standard anti-malware solution and to ensure that the solution is up-to-date using centrally controlled mechanisms.

Operating system updates and hotfixes should be installed quickly and automatically.

Updates can be critical to system security, performance, and reliability. If user accounts are default administrators and users can change their systems in an unmanaged way, it is very difficult to test and know which conflicts may be present on end-user desktops or determine in advance whether software updates will be successful on all computers.

If you follow these recommendations, it can be easier to implement standard user accounts and ultimately manage your desktop infrastructure more efficiently.

In my next blog we will see how Windows Vista can help us do most of these tasks easily and thus help us manage the desktop infrastructure in an easy manner.

How to change the boot sequence in Vista/XP dual boot scenario


Note: In case you want to dual boot your system with Windows XP and Windows Vista, install Windows XP first.

The primary tool to edit the Windows Vista boot configuration is BCDEdit.exe, a tool which is included in the Windows Vista distribution in the C:\Windows\System32 folder (C: being the Windows Vista system drive). BCDEdit.exe allows you to change and configure boot application data (files) in the BCD (Boot Configuration Data) stores, which replace the settings in the boot.ini file of earlier versions of Windows.

BCDEdit basically replaces the BootCfg.exe tool that was used with earlier versions of Windows. BCDEdit provides much better and wider command line options and can perform many more tasks than BootCfg.

Here’s how you can use BCDedit to change the boot sequence and display order in the boot menu.

1. Start > Cmd > Right-click cmd > Run as Administrator

2. At the command prompt:

a. C:\> cd windows/system32

b. C:\Windows\System32> bcdedit /?

c. C:\Windows\System32> bcdedit /enum all

d.      The output displays the boot configuration data of all the operating systems on the computer:

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Microsoft Windows Vista
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {572bcd56-ffa7-11d9-aae0-007e994107d}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {89b97029-9609-11db-bbfe-cfc7153012f0}
nx                      OptIn

e. Note the 128-bit GUID of the Windows XP system. You will have a similar entry for it.

f. C:\Windows\System32> bcdedit /default <GUID of Windows XP>

   E.g. bcdedit /default {cbd971bf-b7b8-4885-951a-fa03044f5d71}

   where {cbd971bf-b7b8-4885-951a-fa03044f5d71} is the GUID of the Windows XP system.

In case you wish to delete the Windows XP entry from the boot menu:

g. C:\Windows\System32> bcdedit /delete <GUID of Windows XP>

You can also change the description of an entry using the following command:

h. bcdedit /set ID description "The new description"

For example:

bcdedit /set {802d5e32-0784-11da-bd33-000476eba25f} description "My Favorite OS"

You can change the display order of the boot options using the following command:

i. bcdedit /displayorder ID1 [ID2] [ID3] [...]

For example:

bcdedit /displayorder {802d5e32-0784-11da-bd33-000476eba25f} {cbd971bf-b7b8-4885-951a-fa03044f5d71}

This will change the display order of the entries the next time the system is turned on only.

In order to make permanent changes to the boot order you can use the following command:

j. bcdedit /bootsequence ID1 [ID2] [ID3] ...

For example:

bcdedit /bootsequence {802d5e32-0784-11da-bd33-000476eba25f} {cbd971bf-b7b8-4885-951a-fa03044f5d71}

The following command sets the boot manager’s timeout to 30 seconds:

k. bcdedit /timeout 30
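Copying a 128-bit GUID out of the `bcdedit /enum all` listing by eye is where dual-boot edits usually go wrong, so here is the same procedure driven from PowerShell: the listing is parsed into objects, the entry is looked up by its description, and the identifier that comes back is fed to the `/default`, `/displayorder` and `/timeout` commands shown above. This is an added example, not code from the original post; the two description strings are assumed values that you should check against your own listing, and the prompt must be elevated.

```powershell
# Added example, not from the original post: parses "bcdedit /enum all" into
# objects so an entry can be found by description instead of by copying its GUID
# by hand, then applies the default / display order / timeout changes.
function Get-BcdEntry {
    $entries = @()
    $current = $null
    foreach ($line in (bcdedit /enum all)) {
        if ($line -match '^-{5,}\s*$') {           # separator line: a new entry begins
            $current = New-Object PSObject
            $entries += $current
            continue
        }
        if ($current -eq $null -or $line.Trim() -eq '') { continue }
        # Property lines are "key<two or more spaces>value". The title line
        # ("Windows Boot Loader") and wrapped continuation lines do not match.
        if ($line -match '^(\S+)\s{2,}(\S.*)$') {
            Add-Member -InputObject $current -MemberType NoteProperty `
                       -Name $Matches[1] -Value $Matches[2].Trim() -ErrorAction SilentlyContinue
        }
    }
    $entries
}

function Find-BcdIdentifier {
    param([string]$Description)
    $hit = Get-BcdEntry | Where-Object { $_.description -eq $Description } | Select-Object -First 1
    if (-not $hit) { throw "No BCD entry with description '$Description'" }
    $hit.identifier    # e.g. {current}, {ntldr} or a {GUID}
}

# Worked usage. Both descriptions are ASSUMED values; take yours from the listing.
$vistaId = Find-BcdIdentifier 'Microsoft Windows Vista'
$xpId    = Find-BcdIdentifier 'Earlier Version of Windows'

bcdedit /default      $xpId              # boot XP unless the user picks otherwise
bcdedit /displayorder $vistaId $xpId     # Vista listed first in the menu, XP second
bcdedit /timeout      30                 # wait 30 seconds before booting the default
```

Because `Find-BcdIdentifier` throws when the description is not found, a typo stops the script before any `bcdedit` write happens, which matters on a store where a wrong `/default` or `/delete` leaves the machine unbootable until a recovery prompt.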

 

References: You can download a complete guide to BCDEdit at:

http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/BCDedit_reff.docx

How LUA is implemented in Windows Vista

According to the Biba model of integrity, any subject who has the clearance of a particular integrity level must not be able to "read down" from that level, and must not be able to "write up" from that level.

Meaning that if my clearance level is ‘Confidential’, then I must not be able to read any data classified as ‘Unclassified’ or ‘Classified’.

On the other hand, while I can read ‘Secret’ and ‘Top Secret’ data, I must not be able to go and modify it (so as not to compromise its integrity).

In Windows XP, the entire session in which the administrator worked ran in a privileged mode, i.e. anything running in that session had admin privileges: much greater and unrestricted access to system resources than a normal user’s session.

So in Windows XP, while an administrator is logged in to his session, anything running in the background, like a service, assumes admin privileges and can easily be compromised to perform any task that requires privileged access.

Also, when an admin-privileged user surfs a website in Internet Explorer (while logged in as admin), the Internet Explorer application works in a privileged mode!
So what? In this mode, any website that the user surfs can download or save any file into system folders like C:\Windows or System32, or can even install anything it wants in the background without the user’s permission, or the user even coming to know about it! This is because, as administrator, you have full permission to modify the system folders or the system registry in any way possible. So when an application or a service assumes admin privileges, it too can make any changes to the system it wants without any restrictions, just like the administrator can!

However, in Windows Vista, even the admin-privileged user’s session normally runs in user mode (a low privilege mode), just like a normal user’s session! Now you must be wondering: Oh! Then how will I install all the drivers and applications I want? Where are my admin privileges?
Since Windows follows a Discretionary Access Control model, the administrator is still given full privileges to make all the changes to the system as desired. The only difference is that, while working normally on the computer, the admin user’s session works in a low privilege mode, so that anything that runs in the background and all the applications he uses also work in a low privilege mode. But when this user double-clicks an .exe file to install an application, or tries to open the Computer Management MMC to create a user account, or tries to change the Local Security Policy settings, or performs any task that actually requires enhanced privileges, the user is prompted with a message that that particular program requires his permission to run and will change the system settings. The user is supposed to either allow or deny the action based upon his own decision. If he allows, the application executes; otherwise it fails.

What is the advantage? The advantage is that, now even Internet Explorer runs in a user mode. So in case any website tries to store a file in any system folder or tries to make any change to the system settings by installing any program (which requires enhanced privileges) the user is prompted for his permission. If the user did not intend to make this change, he can easily deny his permission and the program exits. This finally eliminates a lot of attack surface for the attacker!
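The "low privilege mode" of an administrator’s session described above is a filtered token: the Administrators group is still in it, but marked deny-only, and the process runs at Medium integrity until it is elevated through the consent prompt. The script below is an added example, not from the original post, that makes this visible from inside a PowerShell session using only the built-in `whoami` tool and .NET; the `S-1-16-*` SIDs are the standard integrity-level labels and `S-1-5-32-544` is the Administrators group.

```powershell
# Added example, not from the original post: inspects the current token to show
# the split-token behaviour of UAC. In a non-elevated session of an administrator
# the Administrators group shows "Group used for deny only" and IsInRole() is
# False; run the same script from an elevated prompt and both change.
function Get-SessionPrivilegeInfo {
    # "whoami /groups /fo csv" yields the columns: Group Name, Type, SID, Attributes
    $rows   = whoami /groups /fo csv | ConvertFrom-Csv
    $label  = $rows | Where-Object { $_.SID -like 'S-1-16-*' }   | Select-Object -First 1
    $admins = $rows | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    New-Object PSObject -Property @{
        User                = $identity.Name
        IntegrityLevel      = $(if ($label)  { $label.'Group Name' } else { 'unknown' })
        AdministratorsGroup = $(if ($admins) { $admins.Attributes }  else { 'not a member' })
        EffectiveAdmin      = $principal.IsInRole($adminRole)   # True only when elevated
    }
}

$info = Get-SessionPrivilegeInfo
$info | Format-List User, IntegrityLevel, AdministratorsGroup, EffectiveAdmin

# A script that changes system state should test the effective token and fail
# closed, rather than assume "the user is an administrator" means elevated.
if (-not $info.EffectiveAdmin) {
    Write-Warning 'Running with a filtered (standard user) token; elevation is required for system changes.'
}
```

`IsInRole(Administrator)` is the check to build automation around: it answers whether this particular process can actually write to the system folders and HKLM right now, which is the property UAC changed, whereas group membership alone describes only what the user could do after consenting to a prompt.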

Windows Vista - Understanding BitLocker Drive Encryption

A very common threat to the security of Windows-based systems has been offline attacks. Attacks that happen in order to steal data from a system while the system is offline, or in the shut-down state, are termed offline attacks.

The most likely victims of offline attacks are stolen laptops, or physically insecure systems. If a laptop with the Windows XP operating system, protected with good password protection, is stolen, an offline attack can be performed on it in any of the following ways:

1. By detaching the hard disk from the system and attaching it as a slave disk to another system on whose primary disk the attacker has administrative access.

2. By installing a fresh copy of another operating system on the available space on the existing hard disk, gaining administrative control of the new operating system (on drive D:), and thereby gaining administrative access to drive C:, on which the original operating system with the data is.

3. By booting the system with Linux or other bootable disks (floppies or CDs) and running tools in order to change the administrative password on the C: partition.

Notice that in every one of the above scenarios, the attacker needs to change the boot configuration of the hard disk on which the operating system with the data resides.

To combat all the above common threats to information security, Microsoft has introduced a new security feature in the upcoming Windows Vista operating system. This feature is basically a hardware-provided feature that is enabled through the operating system.

The Trusted Computing Group (TCG) (https://www.trustedcomputinggroup.org) now ships various certified laptops with a hardware chip installed on the motherboard, known as the TPM (Trusted Platform Module). TPM version 1.2 enabled systems provide the ability to store keys, passwords and even cryptographic keys in the form of certificates on the installed TPM chip.

In a Windows Vista system, the administrator has the ability to turn on ‘BitLocker Drive Encryption’ from the Security section in the Control Panel.

BitLocker Drive Encryption consists of two parts:

1. Secure Startup

   a. Is used to protect the boot configuration of the system volume from any changes.

   b. When turned on, the process generates two types of keys:

      i. Startup Key – This key is created after encrypting the existing boot configuration of the system volume. It is created and stored on the TPM chip on the motherboard, and is used to match the key generated after checking the boot configuration every time the system starts up. If the boot configuration remains unchanged, the key generated at every start matches the key stored inside the TPM, and the system starts without any prompts; the process is transparent to the user.

      ii. Recovery Key – This key is generated for the administrator to store at another location, which may be a USB flash disk, a network drive or the Active Directory profile of the user. This key is used when the boot configuration of the system volume is accidentally changed after enabling Secure Startup. When the system starts up and generates the key for the new boot configuration, it will not match the key stored in the TPM chip, as the boot configuration was changed. In this case, the system enters ‘Recovery Mode’, where it prompts the user for a recovery key. If the user is an authorized one (and has not stolen this laptop), he must have the recovery key provided to him at the time of enabling Secure Startup. This is a long numerical key that can be entered on the system by using the F1-F10 keys (for 1-0 respectively) at this time, or can be provided through the USB disk on which the recovery key was stored.

2. Full Volume Encryption – This feature ensures that if the attacker tries to mount this system as another volume using the Linux operating system, tries to access the system drive by making it a slave volume of another system, or boots from another operating system volume in a dual boot system, he is not able to extract the data from this volume. Once Full Volume Encryption is enabled on the Windows Vista volume, it renders the volume incapable of being mounted through any other OS volume. Even in the case of a dual boot system with Windows XP installed on drive C: and Windows Vista (with FVE enabled) on drive D:, if the attacker gains admin access to Windows XP on drive C:, he will not be able to gain any access to the data on drive D:. This happens because as soon as the attacker double-clicks drive D: to browse through it, he only gets a message box telling him that the “drive is inaccessible. Do you want to format it now?” So the only option he is left with is to format and reuse the drive, which keeps the data inside the Windows Vista system confidential.
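Before relying on the two parts described above to cover the offline-attack scenarios, an administrator wants to confirm on each machine that the system volume is actually protected, which key protectors exist (TPM for Secure Startup, a numerical recovery password for Recovery Mode) and that the TPM is enabled and activated. The script below is an added example, not code from the original post; it uses the `Win32_EncryptableVolume` and `Win32_Tpm` WMI classes that Windows Vista exposes, with the numeric status and protector-type codes being those classes’ documented values, and it must be run from an elevated prompt.

```powershell
# Added example, not from the original post: reports the BitLocker state of the
# system volume through WMI (Win32_EncryptableVolume, present from Vista), plus
# the TPM state. Run elevated. No drive letters, keys or machine values assumed.
function Get-OsVolumeBitLockerState {
    $ns  = 'root\cimv2\Security\MicrosoftVolumeEncryption'
    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
               -Filter "DriveLetter='$env:SystemDrive'"
    if (-not $vol) { throw "No Win32_EncryptableVolume for $env:SystemDrive (BitLocker unavailable?)" }

    # Documented codes of the WMI class
    $statusNames    = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }
    $protectorNames = @{ 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword';
                         4 = 'TPMAndPIN'; 5 = 'TPMAndStartupKey'; 6 = 'TPMAndPINAndStartupKey';
                         7 = 'PublicKey'; 8 = 'Passphrase' }

    $status     = $vol.GetProtectionStatus()          # out parameter: ProtectionStatus
    $protectors = @()
    $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID   # 0 = all protector types
    if ($ids) {
        foreach ($id in @($ids)) {
            $type = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
            if ($protectorNames.ContainsKey($type)) { $protectors += $protectorNames[$type] }
            else                                    { $protectors += "Type$type" }
        }
    }

    $tpmState = 'no TPM found'
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm `
               -ErrorAction SilentlyContinue
    if ($tpm) {
        $tpmState = "enabled=$($tpm.IsEnabled().IsEnabled) activated=$($tpm.IsActivated().IsActivated)"
    }

    New-Object PSObject -Property @{
        Drive               = $vol.DriveLetter
        ProtectionStatus    = $statusNames[[int]$status.ProtectionStatus]
        KeyProtectors       = ($protectors -join ', ')
        HasRecoveryPassword = ($protectors -contains 'NumericalPassword')
        Tpm                 = $tpmState
    }
}

Get-OsVolumeBitLockerState | Format-List Drive, ProtectionStatus, KeyProtectors, HasRecoveryPassword, Tpm
```

A volume that reports `Protected` but has no `NumericalPassword` protector is the case to flag: Secure Startup will still detect a changed boot configuration, but without the recovery key stored somewhere else the legitimate owner has no way back in, which is exactly the situation the Recovery Key described above exists for.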

 

Understanding Least Privilege User Account (LUA)

According to the Orange Book (Trusted Computer System Evaluation Criteria), the Principle of Least Privilege states that:

A subject must be given the minimum possible set of privileges that it requires to execute just the assigned task on an object, and only for the minimum amount of time those privileges are required.
It is important for secure systems to comply with this principle. Typically in Windows XP systems, at least one user account is created at the time of installing the system, which is given administrative privileges on the system so that a user logging in with that account has the maximum privileges to perform any task on the system, like:
a) Installing device drivers
b) Installing software applications
c) Changing the system date/time
d) Installing printer drivers
e) Connecting to WEP-enabled wireless networks
f) Saving files inside system folders like C:\Windows or C:\Windows\System32
g) Making registry changes
 
Although an administrative user account is not required to perform normal user activities like – creating and saving files inside user profile folders like ‘Desktop’ or ‘My Documents’ etc., using Internet explorer, Installing user mode applications etc., most of the home users and many corporate users continue to work with administrative accounts even when not required to.
 
Question: What is the harm in working as an administrative user on my computer?
Answer: When you are logged in as an administrator on a Windows XP computer, most of the services and applications running in the background also run with administrative privileges. Since these services run in the background and have admin access to the system folders and registry, they can make any change they desire to these folders and the registry, just like an administrator can.
Also, when you surf the internet in Internet Explorer while logged in as an administrator, the Internet Explorer application itself runs with administrative privileges. What this means is that during this time, if you surf any site that attempts to download and save a file in system folders like C:\Windows, System32 etc., it will be able to do that just like an administrator, without even prompting for any permission from the user or informing him. This happens because the application saving the file inside the system folders is the "administrator" itself, who does not require anyone else’s permission to make this change. Hence if this file is a virus, worm or any other infected file, it can make any changes it wishes to the system. All this happens in the background, and the logged-in admin user has no idea!!
 

Vista User Account Control – A Deep Dive

User Account Control focuses on using a Low-privilege user account, or LUA, so that changes are not accidentally made to the system files.
This feature is enabled by default and allows even the administrator to perform normal tasks with the permissions of a standard user only.
How it actually works is like this:
Let’s take a scenario in which a normal standard user, say Amit, logs on to his local system and wishes to view the system time. So he double-clicks the Date and Time icon in the system tray.
Now, if he were working with Windows XP, he would have got the message that he does not have permission to view or change the time and date settings.
But now that he is working on Windows Vista, he can easily go ahead and view the system date and time without any prompts! Not only that: even if he wishes to change the time zone of the system, that’s an administrative task, so when he clicks the Change time zone button, he gets a box asking him for the administrator password. He can go and take the administrator’s permission to make this change!
Similarly, a normal user is now allowed to do a number of tasks that only administrators could do earlier, like changing the power settings of the computer, installing printers whose drivers are already installed on the system, and many others.
Let’s take a look at another scenario: now Amit, logged on to the system with his own standard user account, tries to install some legacy application. Installing an application is still an admin task. So as soon as he clicks setup.exe, he is prompted to enter the admin password of the system. So instead of getting the access denied message in the middle of the installation, as used to happen in Windows XP, a normal user can go ahead and install an application if he has the admin password, without having to log off and log back on as an administrator.
Now in another scenario, Amit creates a file which contains some of his VBScript code, for example, and tries to save it in the Program Files folder. Program Files is a system folder, which is meant to be modified only with administrative privileges. So when Amit tries to store a file inside this folder, his file actually gets stored in his profile under his Virtual Folders directory, even though it will be visible in the Program Files directory. This feature is called Registry or File System Virtualization (or Redirection), whereby any user files stored inside the system folders get redirected to the user’s profile.
So now even when Amit uses a dir command from the command prompt to list all the files and directories in the Program Files folder, his file does get listed there. Not only that: even when he uses a delete command from there to delete his file from Program Files, the physical file stored in his profile gets deleted as well!
This feature actually prevents users from damaging the system and registry files.

Last but not least, let’s see what happens now when the administrator himself logs on to the system. The administrator can go around and work on anything in the system as long as he isn’t performing an administrative task. Now let’s say he needs to install an application on the system: he is prompted for his consent! So even if he is the administrator himself, Vista still prompts the administrator that he is trying to change the system settings and asks whether he is sure about doing it.
So all these features combined give quite a good level of security to the system and prevent unwanted changes to a great extent.
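The redirection that caught Amit’s file above leaves a trace that an administrator can read directly: the virtualized copies sit under the user’s profile, and the registry equivalent sits under a VirtualStore key in HKCU. The script below is an added example, not from the original post, that lists both, mapping each virtualized file back to the protected path the application believed it wrote to; it assumes only the standard VirtualStore locations (`%LOCALAPPDATA%\VirtualStore` and `HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE`) and names no particular application.

```powershell
# Added example, not from the original post: finds what UAC file and registry
# virtualization has redirected for the current user, i.e. writes that a legacy
# application aimed at Program Files or HKLM\Software but which landed in the
# user's profile. Only the standard VirtualStore locations are assumed.
function Get-VirtualizedFiles {
    $store = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    if (-not (Test-Path $store)) { return @() }
    Get-ChildItem -Path $store -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            # VirtualStore mirrors paths relative to the system drive root, e.g.
            #   ...\VirtualStore\Program Files\App\x.ini  ->  C:\Program Files\App\x.ini
            $relative = $_.FullName.Substring($store.Length).TrimStart('\')
            $realPath = Join-Path $env:SystemDrive $relative
            New-Object PSObject -Property @{
                VirtualCopy     = $_.FullName
                RealPath        = $realPath
                ShadowsRealFile = (Test-Path -LiteralPath $realPath)   # True: the user sees a different file than admins do
            }
        }
}

function Get-VirtualizedRegistryKeys {
    $key = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
    if (-not (Test-Path $key)) { return @() }
    Get-ChildItem -Path $key -Recurse | ForEach-Object {
        # Strip the VirtualStore prefix to show the HKLM path the application believed it wrote to
        $_.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\MACHINE', 'HKEY_LOCAL_MACHINE'
    }
}

Get-VirtualizedFiles | Format-Table RealPath, ShadowsRealFile, VirtualCopy -AutoSize
Get-VirtualizedRegistryKeys
```

An entry with `ShadowsRealFile` set to True is the one to investigate first: the user’s copy of a configuration file differs from the one administrators and other users see, which is the classic cause of "works on my account only" bugs and is a sign the application still needs to be fixed to write to the user profile rather than to Program Files.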

Vista Imaging Tool

Do you remember deploying operating systems on computers by creating one test computer for each hardware make, installing all the applications on it, imaging it using Ghost-like utilities and then deploying it onto a hundred other computers?
Each time you needed to deploy a different set of applications on certain computers, you needed to prepare a separate test computer, install the applications manually, image it and then deploy it to the selected computers.

Phew! Tedious!
Wasn’t it?
Imagine if you could have an imaging tool that allowed you to create images independent of the hardware make of the system. On top of that, imagine having images that you could just rip open and modify whatever way you liked. What if you could take one image, add or delete applications or folders, and save it as another image, instead of having to create a whole new computer with little differences?

Ximage is your answer!
Yes, Ximage is the new imaging tool introduced by Microsoft in Windows Vista that allows you to do just all this!

Hey! Excited to see how it works? You must be!
So let’s take a look at this tool!

It comes in the Windows Automated Installation Kit (WAIK) shipped with Windows Vista.
Ximage.exe is a command line tool that allows you to image an entire directory tree or an entire running operating system, and save it in the form of a .wim file. WIM is the Windows Imaging format; a .wim file can be mounted on a folder to open and see its contents, or can even be modified!
Not only that, you can even store more than one image in the same .wim file, yet keep the size of the file almost the same!
Though it is a command line tool, it has a number of arguments or parameters that allow easy operation of this tool.
The .wim images created using Ximage are platform independent, and can be modified by mounting them on an existing Windows folder, just as you could add or delete files from a Windows folder!
The /capture option can be used to capture an image, /info can be used to obtain info on the file, while /mount and /unmount can be used to mount and unmount the image respectively.

So does this idea rock you?
I am sure it would!
So go start using Ximage!
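A worked capture / inspect / modify / append cycle with the WAIK imaging tool, added here as an example and not taken from the original post. The tool ships in the WAIK as imagex.exe (the post calls it Ximage); the options used below are /capture, /info, /mountrw, /unmount /commit and /append. All paths, image names and the copied file are placeholders, the mount folder must be empty, and imagex.exe must be on the path in an elevated Deployment Tools command prompt.

```powershell
# Added example, not from the original post: one full round trip with the WAIK
# imaging tool (imagex.exe). Every path and image name here is a PLACEHOLDER.
$wim     = 'D:\images\base.wim'    # placeholder: the .wim file to create
$source  = 'C:\reference'          # placeholder: directory tree to capture
$variant = 'C:\variant'            # placeholder: second tree for the appended image
$mount   = 'C:\mount'              # placeholder: empty folder used as mount point

# 1. Capture the tree into a new .wim. The name and description are stored in
#    the file's metadata and are what /info lists later.
imagex /capture $source $wim "Base Vista" "Reference image (added example)" /compress maximum

# 2. Inspect: image index, name, description, size and file count per image.
imagex /info $wim

# 3. Mount image 1 read/write, change it, and commit the change on unmount.
#    (Without /commit the unmount discards the edits, which is the safe default.)
New-Item -ItemType Directory -Path $mount -Force | Out-Null
imagex /mountrw $wim 1 $mount
New-Item -ItemType Directory -Path (Join-Path $mount 'Deploy') -Force | Out-Null
Copy-Item 'D:\tools\agent.msi' (Join-Path $mount 'Deploy')       # placeholder payload
imagex /unmount /commit $mount

# 4. Append a second image to the same .wim. Files identical to image 1 are
#    stored once (single-instancing), which is why the file barely grows.
imagex /append $variant $wim "Base Vista + Finance apps" "Variant image (added example)"

# 5. Confirm both images are now listed.
imagex /info $wim
```

Because a committed mount rewrites the image in place, keep a copy of a known-good .wim before step 3, and treat the mount folder as part of the image: anything written there between /mountrw and /unmount /commit ends up on every machine the image is deployed to.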