Windows Deployment Platform Components - Answer Files

An answer file is an XML-based file that contains settings to use during a Windows 7 installation. An answer file can fully automate all or part of the installation process. In an answer file, you provide settings such as how to partition disks, the location of the Windows 7 image to install, and the product key to apply. You can also customize the Windows 7 installation, including adding user accounts, changing display settings, and updating Windows Internet Explorer favorites. Windows 7 answer files are commonly called Unattend.xml.

You use Windows SIM (see the section titled “Windows SIM” later in this chapter) to create an answer file and associate it with a particular Windows 7 image. This association allows you to validate the settings in the answer file against the settings available in the Windows 7 image. However, because you can use any answer file to install any Windows 7 image, Windows Setup ignores settings in the answer file for features that do not exist in the Windows image.

The features section of an answer file contains all the feature settings that Windows
Setup applies. Answer files organize features into different configuration passes: windowsPE, offlineServicing, generalize, specialize, auditSystem, auditUser, and oobeSystem. Each configuration pass represents a different installation phase, and not all passes run during the normal Windows 7 setup process. You can apply settings during one or more passes. If a setting is available in more than one configuration pass, you can choose the pass in which to apply the setting.

Microsoft uses packages to distribute software updates, service packs, and language packs. Packages can also contain Windows features. By using Windows SIM, you can add packages to a Windows 7 image, remove them from a Windows 7 image, or change the settings for features within a package.

The Windows Foundation Package, included in all Windows 7 images, includes all core
Windows 7 features such as Media Player, Games, and Windows Backup. Features are either enabled or disabled in Windows 7. If a Windows 7 feature is enabled, the resources, executable files, and settings for that feature are available to users on the system. If a Windows 7 feature is disabled, the package resources are not available, but the resources are not removed from the system.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press

Windows Deployment Platform Components

Understanding the new deployment tools and how they interconnect is the first step in beginning a Windows 7 deployment project. At the lowest tier are Windows Imaging (.wim) files, which are highly compressed, file-based operating system images.

At the second tier are answer files. Versions of Windows earlier than Windows Vista had numerous answer files, including Unattend.txt and Sysprep.inf, to drive the deployment process. Windows 7 uses a single XML-based answer file, Unattend.xml, to drive all its configuration passes. (A configuration pass is an installation phase.) This improvement makes configuration more consistent and simplifies engineering.

At the third tier are the various deployment tools for Windows 7. The Windows 7 distribution media includes some of these tools, including Sysprep, DISM, and other command-line tools—they aren’t on the media in a separate file such as The Windows AIK 2.0 includes the bigger tools, such as Windows SIM, Windows PE, and ImageX. These are the basic tools necessary to create, customize, and deploy Windows 7 images. They are standalone tools that don’t provide a deployment framework or add business intelligence and best practice to the process.

The fourth tier, MDT 2010, provides the framework, business intelligence, and best practices. MDT 2010 is a process and technology framework that uses all the tools in the third tier, potentially saving your organization hundreds of hours of planning, developing, testing, and deployment. MDT 2010 is based on best practices developed by Microsoft, its customers, and its partners. It includes time-proven management and technology guidance as well as thousands of lines of thoroughly tested script code that you can use as is or customize to suit your organization’s requirements.

Using MDT 2010, you can perform both Lite Touch Installation (LTI) and Zero Touch Installation (ZTI) deployment. LTI requires very little infrastructure and is suitable for most small and medium businesses. ZTI requires a System Center Configuration Manager 2007 R2 infrastructure and is suitable for organizations that already have the infrastructure in place.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press

Windows 7 Deployment Terminology

The following terms are unique to Windows 7 deployment and MDT 2010. Understanding this terminology will help you better understand the deployment content.

• Answer file. An XML file that scripts the setup experience and installation settings for Windows 7. The answer file for Windows Setup is usually Unattend.xml or Autounattend.xml. You can use Windows SIM to create and modify this answer file. MDT 2010 builds answer files automatically, which you can customize if necessary.

• Catalog file. A binary file that contains the state of all the settings and packages in a Windows 7 image. When you use Windows SIM to create a catalog file, it enumerates the Windows 7 image for a list of all settings in that image as well as the current list of features and their current states. Because the contents of a Windows 7 image can change over time, it is important that you re-create the catalog file whenever you update an image.

• Feature. A part of the Windows 7 operating system that specifies the files, resources, and settings for a specific Windows 7 feature or part of a Windows 7 feature. Some features include unattended installation settings, which you can customize by using Windows SIM.

• Configuration pass. A phase of Windows 7 installation. Windows Setup installs and configures different parts of the operating system in different configuration passes. You can apply Windows 7 unattended installation settings in one or more configuration passes. For more information about configuration passes, see the Windows Automated Installation Kit User’s Guide in the Windows AIK 2.0.

• Configuration set. A file and folder structure that contains files that control the preinstallation process and define customizations for the Windows 7 installation.

• Destination computer. The computer on which you install Windows 7 during deployment. You can either run Windows Setup on the destination computer or copy a master installation onto a destination computer. The term target computer is also commonly used to refer to this.

• Deployment share. A folder that contains the source files for Windows products that you install. It may also contain additional device drivers and application files. You can create this folder manually or by using Windows SIM. In MDT 2010, the deployment share, called a distribution share in previous versions of MDT, contains operating system, device driver, application, and other source files that you configure with task sequences.

• Image-based setup. A setup process based on applying an image of an operating system to the computer.

• Master computer. A fully assembled computer containing a master installation of Windows 7 that you capture to a master image and deploy to destination computers. The term source computer is also commonly used to refer to this.

• Master image. A collection of files and folders (usually compressed into one file) captured from a master installation. This image contains the base operating system as well as additional applications, configurations, and files.

• Master installation. A Windows 7 installation on a master computer that you can capture as a master image. You can create the master installation using automation to ensure a consistent and repeatable configuration each time.

• Package. A group of files that Microsoft provides to modify Windows 7 features. Package types include service packs, security updates, language packs, and hotfixes.

• Task sequence. A sequence of tasks that runs on a destination computer to install Windows 7 and applications and then configures the destination computer. In MDT 2010, task sequences drive the installation routine.

• Task Sequencer. The MDT 2010 component that runs the task sequence when installing a build.

• Technician computer. The computer on which you install and use MDT 2010 or
Windows AIK 2.0. This computer is typically located in a lab environment, separate from the production network. It can be a workstation- or a server-class computer.

• Unattend.xml. The generic name for the Windows 7 answer file. Unattend.xml replaces all the answer files in earlier versions of Windows, including Unattend.txt, Winbom.ini, and others.

• .wim. A file name extension that identifies Windows image files created by ImageX.

• Windows 7 feature. An optional feature of Windows 7 that you can enable or disable by using Unattend.xml or DISM.

• Windows image file. A single compressed file containing a collection of files and folders that duplicate a Windows installation on a disk volume. Windows image files have the .wim file extension.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press

Windows 7 deployment

Compared to Windows XP, Windows 7 introduces numerous changes to the technology you use for deployment. Additionally, Windows 7 improves and consolidates many of the tools you used for Windows Vista deployment. The Windows AIK 2.0 includes most of these tools. Others are built into the operating system. The Windows AIK 2.0 fully documents all of the tools this chapter describes, including command-line options for using them, how they work on a detailed level, and so on.

The Windows AIK 2.0 is not included in the Windows 7 media. (By comparison, Windows XP has a file called that includes its deployment tools.) Instead, the Windows AIK 2.0 is a free download from the Microsoft Download Center at

The following features are new for Windows 7 deployment:

• Windows System Image Manager. Windows System Image Manager (Windows SIM) is a tool for creating distribution shares and editing answer files (Unattend.xml). It exposes all configurable settings in Windows 7; you use it to save customizations in Unattend.xml. The Windows AIK 2.0 includes the Windows SIM.

• Windows Setup. Setup for Windows 7 installs the Windows image (.wim) file and uses the new Unattend.xml answer file to automate installation. Unattend.xml replaces the set of answer files used in earlier versions of Windows (Unattend.txt, Sysprep.inf, and so on). Because image-based setup (IBS) is faster, you can use it in high-volume deployments and for automating image maintenance. Microsoft made numerous improvements to Windows Setup (now called Setup.exe instead of Winnt.exe or Winnt32.exe), such as a completely graphical user interface, use of a single answer file (Unattend.xml) for configuration, and support for configuration passes (phases).

• Sysprep. The System Preparation (Sysprep) tool prepares an installation of Windows 7 for imaging, auditing, and deployment. You use imaging to capture a customized Windows 7 image that you can deploy throughout your organization. You use audit mode to add additional device drivers and applications to a Windows 7 installation and test the integrity of the installation before handing off the computer to the end user. You can also use Sysprep to prepare an image for deployment. When the end user starts Windows 7, Windows Welcome starts. Unlike earlier versions of Windows, Windows 7 includes Sysprep natively—you no longer have to download the current version.

• Windows Preinstallation Environment. Windows Preinstallation Environment 3.0 (Windows PE 3.0) provides operating system features for installing, troubleshooting, and recovering Windows 7. Windows PE 3.0 is the latest release of Windows PE based on Windows 7. With Windows PE, you can start a computer from a network or removable media. Windows PE provides the network and other resources necessary to install and troubleshoot Windows 7. Windows Setup, Windows Deployment Services, Microsoft System Center Configuration Manager 2007 R2, and Microsoft Deployment Toolkit 2010 (MDT 2010) all use Windows PE to start computers. The Windows AIK 2.0 includes Windows PE 3.0.

• Deployment Image Servicing and Management. Deployment Image Servicing and Management (DISM) is a new command-line tool that you can use to service a Windows 7 image or prepare a Windows PE image. DISM consolidates the functionality of the Package Manager (Pkgmgr.exe), PEImg, and Intlcfg tools from Windows Vista. You can use DISM to service packages, device drivers, Windows 7 features, and international settings in Windows 7 images. Additionally, DISM provides rich enumeration features that you can use to determine the contents of Windows 7 images.

• ImageX. ImageX is a command-line tool that you can use to capture, modify, and apply file-based images for deployment. Windows Setup, Windows Deployment Services, System Center Configuration Manager 2007, and MDT 2010 all use ImageX to capture, edit, and deploy Windows 7 images. Windows 7 improves ImageX over Windows Vista by enabling it to mount multiple images simultaneously and support interim saves (you must still service each mounted image individually by using DISM). Additionally, the Windows 7 version of ImageX has a new architecture for mounting and servicing images that is more robust than in Windows Vista. The Windows AIK 2.0 includes ImageX. You can also mount images in Windows PE, and Windows 7 includes the device driver inbox.

• Windows Imaging. Microsoft delivers Windows 7 on product media as a highly compressed Windows Imaging (.wim) file. You can install Windows 7 directly from the Windows 7 media or customize the image for deployment. Windows 7 images are file based, allowing you to edit them nondestructively. You can also store multiple operating system images in a single .wim file.

• DiskPart. Using DiskPart, you can mount a virtual hard disk (.vhd) file offline and service it just like a Windows image file.

• User State Migration Tool. You can use the User State Migration Tool 4.0 (USMT 4.0) to migrate user settings from the previous operating system to Windows 7. Preserving user settings helps ensure that users can get back to work quickly after deployment. USMT 4.0 provides new features that improve its flexibility and performance over USMT 3.0. Hard-link migration improves performance in refresh scenarios, offline migration enables you to capture user state from within Windows PE, and the document finder reduces the need for you to create custom migration Extensible Markup Language (XML) files when capturing all user documents. The Windows AIK 2.0 includes USMT 4.0.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press

Service Accounts

Services are background processes. For example, the Server service accepts incoming filesharing connections, and the Workstation service manages outgoing file-sharing connections.

Each service must run in the context of a service account. The permissions of the service account largely define what the service can and cannot do, just like a user account defines what a user can do. In early versions of Windows, security vulnerabilities in services were often exploited to make changes to the computer. To minimize this risk, service accounts should have the most restrictive permissions possible.

Windows Vista provided three types of service accounts: Local Service, Network Service, and Local System. These accounts were simple for administrators to configure, but they were often shared between multiple services and could not be managed at the domain level. Administrators can also create domain user accounts and configure them to act as a service account. This gives administrators complete control over the permissions assigned to the service, but it requires administrators to manually manage passwords and service principal names (SPNs). This management overhead can become very time consuming in an enterprise environment.

Windows 7 introduces two new types of service accounts:

• Managed service accounts provide services with the isolation of a domain account while eliminating the need for administrators to manage the account credentials.

• Virtual service accounts act like managed service accounts, but they operate at the local computer level rather than at the domain level. Virtual service accounts can use a computer’s credentials to access network resources.

Both types of accounts have passwords that reset automatically so that administrators do not need to manually reset the passwords. Either type of account can be used for multiple services on a single computer. However, they cannot be used for services on different computers, including computers in a cluster.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press

Smart Cards

For many organizations, the risk that a password will be stolen or guessed is not acceptable. To supplement password security, organizations implement multifactor authentication that requires both a password and a second form of identification. Often, that second form of identification is a smart card, which contains a digital certificate that uniquely identifies the card holder and a private key for use in authentication.

Like fingerprint biometric devices, previous versions of Windows lacked a standardized framework for smart cards. In Windows 7, smart cards can use conventional drivers. This means that users can access smart cards from vendors who have published their drivers through Windows Update without requiring additional software. Users simply insert a Personal Identity Verification (PIV)–compliant smart card, and Windows 7 attempts to download a driver from Windows Update or use the PIV-compliant minidriver that is included with Windows 7.

The new smart card support options in Windows 7 include the following, all of which can be accomplished without additional software:

• Unlocking BitLocker-encrypted drives with a smart card.
• Logging on to the domain with a smart card.
• Signing XPS documents and e-mail messages.
• Using smart cards with custom applications that use CNG or Crypto API to enable the application to use certificates.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press

Windows Biometric Framework

Before Windows 7, fingerprint biometric device manufacturers had to provide their own technology stack, including drivers, software development kits (SDKs), and applications. Unfortunately, because different manufacturers created their own solutions, they lacked a consistent user interface and management platform.

The Windows Biometric Framework (WBF) enables biometric manufacturers to better integrate fingerprint scanners, iris scanners, and other biometric devices into Windows. Now, biometric devices can use the same Control Panel tools for configuration, regardless of the hardware vendor. Users can search for biometric capabilities by clicking Start and then typing biometrics, fingerprint or other related phrases to start the Biometric Devices Control Panel. IT professionals benefit because they no longer need to manage different software for each type of biometric device. Additionally, fingerprint scanners can now be used to respond to UAC credential prompts and to log on to AD DS domains.

Applications can use an API built into Windows 7 to interface with any type of biometric device. In the past, applications needed to use device-specific APIs, making it difficult for developers to integrate different types of biometric devices. Therefore, application developers also benefit because they can use a well-defined API and support biometric devices from any vendor.

Administrators can use Group Policy settings to prevent biometric devices from being used to log on to the local computer or domain, or they can completely disable biometrics. In Windows 7, fingerprint scanners are the only supported biometric device type.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press

Safe Unlinking in the Kernel Pool

Windows 7 includes low-level integrity checks not included with earlier versions of Windows to reduce the risk of overruns. Malware frequently uses different types of overruns to run elevated privileges and code without the user’s consent. Essentially, Windows 7 double-checks the contents of memory in the pool—a portion of memory that applications use temporarily but which is managed by the operating system. If the pool has been modified or corrupted, Windows 7 initiates a bug check that prevents more code from running.

According to internal Microsoft testing, the additional memory checking does not have a measurable performance impact. For more information, read “Safe Unlinking in the Kernel Pool” at

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press

Auditing Enhancements

Auditing in Windows Vista and Windows 7 is very granular, allowing you to enable auditing for very specific events. This reduces the number of irrelevant events, potentially reducing the “noise” generated by false-positive auditing events. This, in turn, can enable operations staff to more easily detect significant events. Combined with the new Windows Event Collector service, you can build a system to aggregate only the most important security events in your organization.

To view the new categories, run the following command from an administrative command prompt. Lines in bold show categories that are new in Windows 7 and thus are not included in Windows Vista.

Auditpol /get /category:*
System audit policy
Category/Subcategory Setting
Security System Extension No Auditing
System Integrity Success and Failure
IPsec Driver No Auditing
Other System Events Success and Failure
Security State Change Success
Logon Success
Logoff Success
Account Lockout Success
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon Success
Other Logon/Logoff Events No Auditing
Network Policy Server Success and Failure
Object Access
File System No Auditing
Registry No Auditing
Kernel Object No Auditing
SAM No Auditing
Certification Services No Auditing
Application Generated No Auditing
Handle Manipulation No Auditing
File Share No Auditing
Filtering Platform Packet Drop No Auditing
Filtering Platform Connection No Auditing
Other Object Access Events No Auditing
Detailed File Share No Auditing
Privilege Use
Sensitive Privilege Use No Auditing
Non Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing
Detailed Tracking
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Process Creation No Auditing
Policy Change
Audit Policy Change Success
Authentication Policy Change Success
Authorization Policy Change No Auditing
MPSSVC Rule-Level Policy Change No Auditing
Filtering Platform Policy Change No Auditing
Other Policy Change Events No Auditing
Account Management
User Account Management Success
Computer Account Management No Auditing
Security Group Management Success
Distribution Group Management No Auditing
Application Group Management No Auditing
Other Account Management Events No Auditing
DS Access
Directory Service Changes No Auditing
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access No Auditing
Account Logon
Kerberos Service Ticket Operations No Auditing
Other Account Logon Events No Auditing
Kerberos Authentication Service No Auditing
Credential Validation No Auditing

Similarly, you can use the Auditpol /set command to enable granular auditing. The most straightforward way to enable granular auditing is to enable or disable the Group Policy settings located in Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration. Managing granular auditing using Group Policy is a feature new to Windows 7 and Windows Server 2008 R2.

Windows 7 also supports Global Object Access Auditing, which you can use to configure file or registry auditing on computers using Group Policy settings. To do this, define the File System or Registry policies in Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Global Object Access Auditing. Then click the Configure button to specify the objects to audit.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press

Internet Explorer Security Features

Windows Internet Explorer 8, included with Windows 7, offers incremental security improvements over Internet Explorer 7. These improvements provide dynamic protection against data theft, fraudulent Web sites, and malicious and hidden software. Microsoft made architectural enhancements to Internet Explorer 7, and has carried those enhancements over to Internet Explorer 8, to make the Web browser less of a target for attackers and other malicious people, which will help users browse with better peace of mind. However, as security is tightened, compatibility and extensibility tend to suffer. With Internet Explorer 8, Microsoft is working hard to ensure that this balance is met effectively so that users can have the safest and best possible browsing experience.

Internet Explorer 8 includes the following security features (some of which are also included with Internet Explorer 7):

• SmartScreen filter. Internet Explorer 8 uses an Internet service to check Uniform Resource Locators (URLs) that a user visits and warns users when they attempt to visit a site that might be unsafe. The SmartScreen filter can also warn users when they attempt to download software that is potentially unsafe. Users still have the ability to complete an action, even if SmartScreen warns them of a risk. In this way, SmartScreen reduces the risk of users visiting phishing sites or downloading malware without limiting what a user can do.

• Cross-Site Scripting (XSS) filter. Sometimes attackers exploit vulnerabilities in a Web site and then use the Web site to extract private information from users who visit the site. This can make a site that is normally safe a security risk—without the site owner’s knowledge. Internet Explorer 8 can detect malicious code running on compromised Web sites, helping to protect users from exploits that can lead to information disclosure, cookie stealing, identity theft, and other risks.

• Domain Highlighting. Attackers often use carefully structured URLs to trick users into thinking they are visiting a legitimate Web site. For example, a Web site owner might use the hostname to make a user think they are visiting the site—even though controls the domain. Domain Highlighting helps users more easily interpret URLs to avoid deceptive Web sites that attempt to trick users with misleading addresses. It does this by highlighting the domain name in the address bar in black, with the remainder of the URL string in gray, making for easier identification of the site’s true identity.

• Data Execution Prevention. DEP is a security feature that can help prevent compromises from viruses and other security threats by preventing certain types of code from writing to executable memory space. Although DEP is an operating system feature included with Windows Vista and Windows 7, Internet Explorer 8 makes use of it to minimize the risk of exploits for Web sites in the Internet zone. DEP is not enabled for Web sites in the intranet zone.

• Internet Explorer Protected Mode. In Protected Mode, Internet Explorer 8 runs with reduced permissions to help prevent user or system files or settings from changing without the user’s explicit permission. The new browser architecture, introduced with Internet Explorer 7, users a “broker” process that helps to enable existing applications to elevate out of Protected Mode in a more secure way. This additional defense helps verify that scripted actions or automatic processes are prevented from downloading data outside of the low-rights directories, such as the Temporary Internet Files folder. Protected Mode is available only when using Internet Explorer 8 with Windows Vista or Windows 7 when UAC is enabled. Protected Mode is not available in Windows XP.

• ActiveX Opt-In ActiveX Opt-In automatically disables all controls that the developer has not explicitly identified for use on the Internet. This mitigates the potential misuse of preinstalled controls. In Windows Vista and Windows 7, users are prompted by the Information Bar before they can access a previously installed ActiveX control that has not yet been used on the Internet but has been designed to be used on the Internet. This notification mechanism enables the user to permit or deny access on a controlby-control basis, further reducing available surface area for attacks. Web sites that attempt automated attacks can no longer secretly attempt to exploit ActiveX controls that were never intended to be used on the Internet.

• Fix My Settings. Most users install and operate applications using the default configuration, so Internet Explorer 7 and Internet Explorer 8 ship with security settings that provide the maximum level of usability while maintaining controlled security. In rare instances, a custom application might legitimately require a user to lower security settings from the default, but it is critical that the user reverse those changes when the custom settings are no longer needed. The Fix My Settings feature warns users with an Information Bar when current security settings might put them at risk. Clicking the
Fix My Settings option in the Information Bar instantly resets Internet Explorer security settings to the Medium-High default level. In AD DS environments, you can configure the required permissions for internal applications so that security restrictions do not need to be a concern.

• Security Status Bar. The Security Status Bar in Internet Explorer 7 and Internet Explorer 8 helps users quickly differentiate authentic Web sites from suspicious or malicious ones by enhancing access to digital certificate information that helps validate the trustworthiness of e-commerce sites. The new Security Status Bar also provides users with clearer, more prominent visual cues indicating the safety and trustworthiness of a site, and it supports information about High Assurance certificates for stronger identification of secure sites (such as banking sites).

• URL handling protections Internet Explorer 7 and Internet Explorer 8 have a single function to process URL data, significantly reducing the internal attack surface. This new data handler ensures greater reliability while providing more features and increased flexibility to address the changing nature of the Internet as well as the globalization of URLs, international character sets, and domain names.

Additionally, each of these features is configurable by using Group Policy, enabling centralized control over Internet Explorer security. Windows 7 includes Internet Explorer 8, which includes all of these features. Internet Explorer 8 can also be installed on Windows Vista.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press

UAC Improvements in Windows 7

Windows 7 and Windows Server 2008 R2 reduce the number of UAC prompts that local administrators and standard users must respond to:
• File operation prompts are merged.
• Internet Explorer prompts for running application installers are merged.
• Internet Explorer prompts for installing ActiveX controls are merged.

The default UAC setting allows a standard user to perform the following tasks without receiving a UAC prompt:
• Install updates from Windows Update.
• Install drivers that are downloaded from Windows Update or included with the operating system.
• View Windows settings. Changing settings still requires a UAC prompt.
• Pair Bluetooth devices to the computer.
• Reset the network adapter and perform other network diagnostic and repair tasks.

Additionally, the default UAC setting allows administrators to perform administrative tasks using operating system features without a UAC prompt. For example, an administrator can change the system time or restart a service without receiving a UAC prompt. However, administrators will still receive a UAC prompt if an application requires administrative privileges.

Windows Vista offers two levels of UAC protection to the user: on or off. Additionally, an administrator can change a Group Policy setting to prevent the screen from being dimmed (a feature known as the secure desktop) when prompting the user for consent.

Windows 7 and Windows Server 2008 R2 introduce two additional UAC prompt levels. If you are logged on as a local administrator, you can enable or disable UAC prompts, or you can choose when to be notified about changes to the computer. Administrators can choose from three levels of notification, with an additional option to disable the secure desktop:

• Always Notify Me Users are notified when they make changes to Windows settings and when programs attempt to make changes to the computer. This is the default setting for standard users.

• Notify Me Only When Programs Try To Make Changes To My Computer Users are not notified when they make changes to Windows settings, but they do receive notification when a program attempts to make changes to the computer. This is the default setting for administrators.

• Never Notify Me Users are not notified of any changes made to Windows settings or when software is installed.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press

Enabling Non-Administrators to Make Configuration Changes

Standard user accounts in Windows Vista can make configuration changes that don’t compromisevthe computer’s security. For example, standard user accounts in Windows Vista have thevright to change the time zone on their computers, an important setting for users who travel.vIn Windows XP, ordinary user accounts do not have this right by default, an inconveniencevthat causes many IT professionals to deploy accounts for mobile users as administrators and sacrifice the security benefits of using ordinary user accounts. Additionally, standard users can now connect to encrypted wireless networks and add VPN connections—two tasks commonly required by enterprises.

However, standard user accounts in Windows Vista do not have the right to change the system time because many applications and services rely on an accurate system clock. A user who attempts to change the time is prompted for administrative credentials.

Some applications do not run in Windows XP without administrative privileges because these applications attempt to make changes to file and registry locations that affect the entire computer (for example, C:\Program Files, C:\Windows, HKEY_LOCAL_MACHINE), and standard user accounts lack the necessary privileges. Registry and file virtualization in Windows Vista redirects many of these per-machine file and registry writes to per-user locations. This feature enables applications to be run by a standard user, whereas on previous operating systems, these applications would have failed as standard user. Ultimately, this will enable more organizations to use standard user accounts because applications that would otherwise require administrative privileges can run successfully without any changes to the application.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press

Admin Approval Mode

With Windows XP and earlier versions of Windows, any process started by a user logged on as an administrator would be run with administrative privileges. This situation was troublesome because malware could make system-wide changes, such as installing software, without confirmation from the user. In Windows Vista and Windows 7, members of the Administrators group run in Admin Approval Mode, which (by default) prompts administrators to confirm actions that require more than Standard privileges. For example, even though a user might log on as an administrator, Windows Messenger and Windows Mail will run only with standard user privileges.

To do this, Admin Approval Mode creates two access tokens when a member of the Administrators local group logs on: one token with full permissions and a second, restricted token that mimics the token of a standard user. The lower-privilege token is used for nonadministrative tasks, and the privileged token is used only after the user’s explicit consent. Windows Vista prompts the user for consent before allowing an application to complete an action that requires administrative privileges.

Many organizations use the benefits of UAC to create Standard, rather than Administrator, user accounts. Admin Approval Mode offers some protection for those users who need administrator privileges—such as developers—by requiring confirmation before an application makes any potentially malicious changes. Like most Windows 7 security improvements, the consent prompt is enabled by default but can be disabled using Group Policy settings. Additionally, the consent prompt can require users to type an administrative password or, for standard users, simply inform them that access is not permitted.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press

User Account Control

Over the years, the most common security threats have changed from viruses to worms and, most recently, to spyware and Trojan horses. To help protect users from these types of malicious software, Microsoft recommends using accounts with limited privileges (known as standard user accounts in Windows Vista or Limited user accounts in Windows XP). Standard user accounts help prevent malware from making system-wide changes, such as installing software that affects multiple users—if a user lacks permission to install a new application to a shared location, such as %SystemRoot%\Program Files, any malware the user accidentally runs is also prevented from making those changes. In other words, malware run in the context of the user account has the same security restrictions as the user.

Although standard user accounts do improve security, using standard user accounts with Windows XP and earlier versions of Windows results in two major problems:

• Users cannot install software, change the system time or time zone, install printers, change power settings, add a WEP key for wireless settings, or perform other common tasks that require elevated privileges.

• Many poorly written applications require administrative privileges and do not run correctly with limited privileges.

Although logging on to your computer as a standard user offers better protection from malware, working with this type of account has been so difficult in the past that many organizations choose to give users administrative privileges on their computers. User Account Control (UAC) is a set of features first introduced in Windows Vista that offers the benefits of standard user accounts without the unnecessary limitations. First, all users (including administrators) run with limited privileges by default. Second, Windows Vista allows standard user accounts to change the time zone (but not the time) and perform other common tasks without providing administrative credentials, which enables organizations to configure more users with Standard accounts. Third, UAC enables most applications—even those that require administrative privileges on Windows XP—to run correctly in standard user accounts.

When Windows Vista was first released, many users struggled with the application compatibility and with the frequency of UAC prompts generated by applications. Over time, application developers have modified their applications so that they run correctly with standard user privileges and thus do not require a UAC prompt. This was one of the original goals of UAC—to motivate application developers to comply with security best practices.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press

Multiple Active Firewall Profiles

Many computers, especially portable computers, have multiple network adapters. For example, a laptop computer might have a wired Ethernet connection and a wireless WiFi connection. This can lead to computers being connected to private and public networks simultaneously—for example, a portable computer might be docked at the user’s desk and connected to the private LAN, while the WiFi network adapter maintains a connection to the public WiFi network at the coffee shop next door. Even with only a single network adapter, a user might connect to a corporate VPN across a public wireless network.

In Windows Vista and earlier versions of Windows, a single firewall profile was applied to all network adapters. In the previous example, this would lead to the portable computer applying a public firewall profile to the private LAN or VPN connection, which might block important management traffic. Windows 7 supports multiple active firewall profiles, which allows it to apply a public firewall profile to the WiFi network while applying a private or domain firewall profile to the VPN connection.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press


AppLocker is a new feature in Windows 7 and Windows Server 2008 R2 that replaces Software Restriction Policies in earlier versions of Windows. Like Software Restriction Policies, AppLocker gives administrators control over which applications standard users can run. Restricting the applications that users can run not only gives greater control over the desktop environment, but it is one of the best ways to reduce the risk of malware infections, limit the possibility of running unlicensed software, and prevent users from running software that IT has not verified as meeting security compliance requirements.

Compared with Software Restriction Policies, AppLocker provides the following benefits:

• Defines rules based on attributes in the digital signature, such as the publisher, filename, and version. This is a tremendously useful feature because it can allow administrators to let users run any version of a signed application, including future versions. For example, consider an IT department that develops and signs a custom application that users should be able to run. In earlier versions of Windows, administrators could create a rule based on the hash of the file, allowing users to run that specific version of the application. If the IT department released an update to the executable file, administrators would need to create a new rule for the update. With Windows 7, administrators can create a rule that applies to current and future versions, allowing updates to be quickly deployed without waiting for rule changes.

• Assigns rules to security groups or individual users.

• Creates exceptions for .exe files. For example, administrators can create a rule that
allows any application to run except a specific .exe file.

• Imports and exports rules, which allow administrators to copy and edit rules easily.

• Identifies files that cannot be allowed to run if a policy is applied by using the auditonly mode.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press

Why IM

Online chat, also called instant messaging (IM for short), is a very simple concept. You open a chat program, choose a person you want to communicate with, and then type a text message. That message goes across the Internet to a chat server and from there to the other person’s computer, where it appears on his screen in his chat program. Then, he types a response and sends it back to you to respond to if you choose. A chat conversation could comprise a few messages or it could go on for hours, the same as any conversation.

Why IM? I admit that for a long time I really didn’t see the usefulness of it, and it was often an annoyance more than anything else. For one, I type about 80 words a minute, and many of the other people I chatted with type much more slowly. So, I spent a lot of time waiting for responses to what I typed. What’s more, I usually focused on the chat session to the exclusion of whatever else I was doing at the time, which added to my frustration — it was much easier to me to pick up the phone, have a short conversation, and be done.

I have a much better appreciation for online chat now because I use it extensively in my day job. As an IT manager, I spend at least four or five hours each day on the phone in conference calls. If the phone were my only source of communication, I’d get very little done. Throw e-mail and chat into the mix, however, and I can get a lot done. So, when I’m on a call, I’m also writing and receiving e-mail, chatting online with others, and, occasionally, talking on yet another phone call. In fact, quite often I’m chatting with other people who are on the same conference call while someone else is speaking. This behind-the-scenes communication is particularly useful when customers are on the call and you need to share some internal-only information.

Following are the benefits that IM brings to a typical work environment:
• Easy access to others: A chat conversation is just a couple of clicks away, and I can tell from the chat program (in this case, Messenger) that the other person is online.

• Quick conversations: If I just have a quick question, I can ask it in a chat session and get a response back usually fairly quickly.

•Multitasking: Usually, a one-on-one phone call consumes the majority of your attention.
With a chat session, you can send a message and then focus on other tasks while you wait for a response.

• Instant notes: I routinely use IM to send or receive information about servers, applications, and the like. I can copy that information right from the IM program and use it in other programs. The phrase ‘‘IM that to me’’ is pretty common these days.

IM is much the same for a home user, except that the conversations are generally personal in nature, such as you might have over the phone. The difference is that, unlike with a phone, you might be carrying on several IM conversations at the same time.

Programs such as Windows Live Messenger enable you to communicate with people in real time, whether they are in the next room or on the other side of the planet. In general, IM is free, other than the cost of having your Internet connection. To use IM, you need only an IM program (such as Messenger) and an online account, which are generally free.

Source of Information : Windows 7 Bible

Introducing Windows Live Mail

Although Windows 7 doesn’t come with an e-mail client, you can download and use the Windows Live Mail program for the Windows Live Web site. If Windows Live Mail is your default e-mail client (the main program you use for sending and receiving e-mail), you can start Windows Live Mail by clicking the Start button and choosing Windows Live Mail.

The first time you open Windows Live Mail, you might be taken to a wizard for setting up your e-mail account. If you have all the factual information you need about your account, you can proceed through the wizard to set up the account. Otherwise, you can click the Cancel button, open Windows Live Mail, and set up your account later. Don’t be alarmed if you’re missing some components. Many are optional and easily turned on and off with a mouse click or two.

If Windows Live Mail isn’t an option on your Start menu, you can still open it. Click the Start button and then click All Programs -> Windows Live -> Windows Live Mail. Whether you can use Windows Live Mail is an altogether different matter, which I tackle in a moment. The title bar and toolbar appear near the top of the program window and work the same as in other programs. The other components are as follows:

• Folder pane: Shows folders into which you can organize e-mail messages, as well as selected search folders that are virtual folders used to display specific types of messages, such as all unread e-mail.

• Folder Shortcuts: These icons give you quick access to your primary folders, including Mail, Calendar, Contacts, Feeds, and Newsgroups.

• Message list: Every e-mail message displays a header showing who sent the message, the Subject of the message, and the date you received it.

• Preview pane header: Shows the message header information in a large and more detailed format.

• Preview pane: Shows a portion of the e-mail message whose message header is selected in the message list.

• Status bar: Tells you the status of various program facts and operations.

As with most programs, you can customize the appearance of Windows Live Mail to your liking. Choose View -> Layout from its menu bar to display the dialog box Or, click the Menus button on the toolbar and choose Layout. Items that have checkmarks are currently ‘‘on’’ and visible in the program window. Items without checkmarks are ‘‘off.’’

The Layout dialog box contains four groups of settings:

• Reading pane (Mail): Turn on or off the reading pane and, if on, specify whether it is at the bottom or to the right of the message list.

• Message list: Specify whether the message list shows one line or two lines, or decides on this number based on the width of the message list.

• Folder pane: Specify how the various folders appear in the folder pane. Options include:
- Use Compact View For Folder Pane: Uses small icons instead of words to represent the folders and other items in the folder pane.
- Use Compact Shortcuts: Displays only small icons for the folder shortcuts, rather than icon and name.
- Show Storage Folders: Shows Drafts, Sent Items, and Deleted Items folders in the folder pane.
- Show Quick views: Displays the quick view search folders Unread E-Mail, Unread from Contacts, and Unread Feeds.

• Message header (Mail): Shows in the reading pane the message header of the selected message.

To change an option, select check boxes as appropriate and then click Apply. If you don’t like the results, click that same check box again and click Apply again. When you’re happy with how things look, click OK to save your current settings and close the dialog box.

Before you can use Windows Live Mail to send and receive e-mail, you have to configure it to work with your e-mail account. Your company, ISP (Internet service provider), or e-mail provider (such as Hotmail) supplies your e-mail account. Windows Live Mail is just the e-mail client (program) that lets you send and receive messages through that e-mail account.

Source of Information : Windows 7 Bible

Blocking Pop-Ups in IE

A pop-up is any Web page that opens in its own separate browser window. Some pop-ups are OK. For example, a pop-up might open to display a larger copy of a small picture. Or it might open so that you can still see the page that contains the link that opened the page. Other pop-ups, such as advertisements, aren’t so great. These are often referred to as automatic pop-ups because they appear on their own, without your clicking a link.

Microsoft Internet Explorer has a built-in pop-up blocker to help you deal with pop-ups. To activate or deactivate the pop-up blocker:
1. Click Tools and choose Internet Options or choose Tools -> Internet Options from Internet Explorer’s menu.
2. Click the Privacy tab.
3. To block pop-ups, select (check) Turn on Pop-up Blocker. To allow all pop-ups through, deselect that check box.

If you opt to use the pop-up blocker, you can click the Settings button to configure it to your own tastes. When you click the Settings button.

First you can choose how aggressively you want to block pop-ups (remember, they’re not all ads). Use the Blocking Level drop-down list at the bottom of the dialog box to choose one of the following blocking levels:
• High: Blocks all pop-ups, even when you click a link to open the pop-up. If you choose this setting, you have to hold down the Ctrl and Alt keys while clicking a link to allow a legitimate pop-up page to open.
• Medium: Blocks most automatic pop-ups, but not pop-ups that open when you click a link.
• Low: Blocks relatively few pop-ups. Always allows pop-ups from secure and trusted Web sites.

The Notification options let you hear a sound and display the Information bar when a pop-up is blocked. It’s a good idea to select both those options so that you know when a page has been blocked. That way, you can decide whether you want to allow a Web site to show pop-ups. (Remember, not all pop-ups are bad.)

If you already know that you want to allow pop-ups from a specific site, you can type the site’s URL under Address of Website to Allow and then click the Add button. Doing so is not really necessary, however; if you choose the Show Information Bar when a pop-up is blocked option, you can allow sites as you go. Click the Close button at the bottom of the Pop-up Settings dialog box after making your selections. Then click OK to close the Internet Options dialog box.

Source of Information : Windows 7 Bible

Personalizing IE tabbed browsing

You can enable or disable tabbed browsing, or tweak how tabs work. Click Tools and choose Internet Options or choose Tools -> Internet Options from Internet Explorer’s menu. Then click the Settings button under the Tabs group. Here’s what each option offers:

• Enable Tabbed Browsing: If you deselect this check box, tabbed browsing is disabled and all options that apply to tabbed browsing are disabled. Select this option to allow tabbed browsing. If you change this setting, you need to click OK. Then close and reopen Internet Explorer.

• Warn Me When Closing Multiple Tabs: Deselect this option to get rid of the warning that appears when closing Internet Explorer. Select this check box to bring the warning back.

• Always Switch to New Tabs When They Are Created: Choose this option to have new tabs open in the foreground automatically. For example, if this option is enabled and you right-click a link and choose Open in New Tab, the link opens in the new tab and that new tab appears in the foreground.

• Show Previews for Individual Tabs in the Taskbar: Select this option to have Windows display a preview for each tab when you hover over the Internet Explorer icon in the taskbar.

• Enable Quick Tabs: Deselecting this option removes the Quick Tabs button. The Quick Tabs button won’t be visible to the left of the tabs. The Quick Tabs option on the View menu is disabled, and pressing Ctrl+Q has no effect. Select this option to enable Quick Tabs. After you change this option, click OK, close Internet Explorer, and then reopen Internet Explorer.

• Enable Tab Groups: When this option is enabled, Internet Explorer places new tabs that are opened from an existing page next to the original page, and color-codes the tabs the same, providing a logical and visual grouping for the related tabs.

• Open Only the First Home Page When Internet Explorer Starts: Select this option to allow for quicker startup. Only the first tabbed home page opens when you open Internet Explorer. To bring up other home pages, use the Home drop-down button on the toolbar.

• When a New Tab Is Opened, Open: Choose what you want Internet Explorer to display when you open a new tab.

• When a Pop-Up Is Encountered: A pop-up is any Web page that tries to open in a new Web browser. You learn more about pop-ups later in this chapter. But in the Tabbed Browsing Settings dialog box, your options are as follows:

- Let Internet Explorer Decide How Pop-Ups Should Open: Choose this option to let Internet Explorer decide how to open pop-ups based on your pop-up blocker settings and the URL of the pop-up.
- Always Open Pop-Ups in a NewWindow: Choose this option to have acceptable pop-ups open in a new, separate instance of Internet Explorer.
- Always Open Pop-Ups in a New Tab: Choose this option to have acceptable pop-ups open in a new tab rather than in a new instance of Internet Explorer.

• Open Links from Other Programs In: These settings apply to other programs that can open Web pages, such as Windows Live Mail. They apply only if Internet Explorer is already open when you click a link in that other program:
- A New Window: Pages you open from outside Internet Explorer open in a separate program window.
- A New Tab in the Current Window: Keeps current tabs intact by opening the new page in a new, separate tab.
- The current tab or window: The new page opens in the current Internet Explorer window, replacing what was showing before. Clicking Internet Explorer’s Back button takes you back to the page that was showing before.

• Restore Defaults: Click this button to restore all Tabbed Browsing Settings.

Don’t forget to click OK after making your choices. If you chose an option that requires restart, close Internet Explorer and restart it.

Source of Information : Windows 7 Bible

Windows Explorer Versus Internet Explorer

People often confuse Windows Explorer and Internet Explorer because of their similar names, but there is a big difference between them. Windows Explorer (often called Explorer for short) is a program for exploring things inside your computer — things like disk drives, folders, and files that you can use without being online. Its program file is named Explore.exe. If your computer is part of a local network, you use Windows Explorer to access shared resources on those nearby computers as well.

Internet Explorer is typically for exploring stuff outside your computer, mainly World Wide Web pages on the Internet. Its program file name is Iexplore.exe. You have to be online (connected to the Internet) to explore those outside resources. The items outside your computer are mostly Web pages, rather than drives, folders, and files. Web pages have longer names, usually in the form of, rather than short, simple names such as Computer, Documents, Pictures, and such. Finally, note that you can open a Web page from a Windows Explorer window by typing the Web page’s URL in the Windows Explorer address bar and pressing Enter. However, the Web page doesn’t open in Windows Explorer. Instead, Windows Explorer passes the URL to your default Web browser to open the page; it then closes itself.

Source of Information : Windows 7 Bible

When Windows won’t start at all

If Windows won’t start at all, try to start Windows 7 in Safe Mode. This is a special mode in which Windows 7 loads only the minimum services, drivers, and programs it needs to get going. Getting to Safe Mode isn’t always easy. You have to restart the computer and then press the F8 key after the POST (Power on Self Test) but before Windows starts to load. If your keyboard has a Function Lock (F Lock) key, you have to make sure that it’s on before you press F8. In a pinch, you can restart the computer and then press F8 repeatedly for the first few seconds. But again, keep an eye on the Function Lock key because it might go off once or twice during the restart.

When you’ve pressed the F8 key at just the right time, you’ll see a screen that shows several options for starting Windows, as summarized here:

• Safe Mode: Starts Windows with a minimal set of drivers and services so that you can use other tools such as System Restore, Device Manager, Installed Programs, and others to try to fix the problems. For example, you could uninstall known faulty programs and devices and then return to an earlier restore point.

• Safe Mode with Networking: Same as previous, but provides access to the Internet and a private network.

• Safe Mode with Command Prompt: Starts windows without the GUI (graphical user interface).

• Enable Boot Logging: Creates a log file named ntbtlog.txt that lists all drivers that were loaded during startup.

• Enable Low-Resolution Video (640x480): Starts with low resolution and refresh rates to reset display settings.

• Last Known Good Configuration: Starts Windows with the last successful configuration (an easy fix for many problems!).

• Directory Services Restore Mode: Starts a domain control running Active Directory so that directory services can be restored.

• Debugging Mode: Starts in an advanced troubleshooting mode for professionals.

• Disable Automatic Restart on System Failure: Prevents Windows from automatically restarting during a failed startup. This gets you out of the endless loop of crashing and restarting.

• Start Windows Normally: Starts normally with all drivers and services.

• Disable Driver Signature Enforcement: Allows improperly signed drivers to be loaded at startup.

• Repair Your Computer: Use this option to repair your installation of Windows 7.

Often, choosing the Last Known Good Configuration option will get you back to the desktop. Or you can go into Safe Mode to get to a minimal desktop. Either way, when you’re at the desktop, you may be able to fix the problem. For example, if the problem started right after you installed new hardware, use Device Manager to uninstall the device driver. Then shut down the computer, physically remove the device, and restart.

Source of Information : Windows 7 Bible

Cloud storage is for blocks too, not just files

One of the misconceptions about cloud storage is that it is only useful for storing files. This assumption comes from the popularity of file...