
70-685 Notes

Identifying Cause of and Resolving Desktop Application Issues
AppLocker
Provides simple and powerful control through two rule actions: Allow and Deny (and exceptions)
Allow action: Only applications on the allowed list can run
Deny action: Every application can run except for ones on the denied list
Using exceptions with allowed actions allows more fine-grained control over files and apps access
Publisher rules are useful because they apply to updated versions of any given app
New policies can be placed into audit-only mode, allowing you to test rules before they are turned on
Rules can be applied to individual users or groups in Group Policy
IT admins can generate rules on a test computer and then import them for widespread deployment
Or just configure it in Group Policy in domain settings
AppLocker is only available in Win7 Enterprise and Ultimate (and Server 2008 R2 and above)
Must use Software Restriction Policies instead if on another version of Windows
Professor Messer Notes:
Requires the Application Identity service to be running automatically on the client
Block rules always override allow rules
Local GP > Windows Settings > Security Settings > Application Control Policies > AppLocker
Can either enable new rules or put them in audit mode and view results in Event Viewer
In Event Viewer, look in the AppLocker logs
Event Viewer > Microsoft > Windows > AppLocker folder
Executable rules: EXE and COM files
Windows Installer rules: MSI and MSP
Doesn't change the admin permissions
Script rules: BAT, CMD, JS, PS1, and VBS
Also some built-in default rules (default is to block everything)
To make Windows usable, right-click > Create default rules.
Can automatically generate executable rules by folder
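
Added example (not part of the original notes): a small Python model of how the rule actions above combine for path rules, covering exceptions, block-overrides-allow, the implicit block once a collection has rules, and audit-only mode. The policy XML is a constructed sample; publisher and hash rules and per-user scoping are left out.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample policy (not from the notes): Exe collection in audit-only mode.
POLICY_XML = r"""
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="r1" Name="Allow Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions>
      <Exceptions><FilePathCondition Path="%PROGRAMFILES%\Games\*"/></Exceptions>
    </FilePathRule>
    <FilePathRule Id="r2" Name="Allow Windows" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="r3" Name="Deny temp under Windows" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*"/></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"""


def _paths(rule, section):
    """Lower-cased path patterns under <Conditions> or <Exceptions>."""
    return [c.get("Path").lower() for c in rule.findall(f"./{section}/FilePathCondition")]


def _rule_matches(rule, path):
    """A rule applies if a condition matches and no exception carves the file out."""
    p = path.lower()
    hit = any(fnmatch.fnmatchcase(p, c) for c in _paths(rule, "Conditions"))
    carved_out = any(fnmatch.fnmatchcase(p, e) for e in _paths(rule, "Exceptions"))
    return hit and not carved_out


def evaluate(policy_xml, collection, path):
    """Return (verdict, rule_name) for one file path in one rule collection."""
    coll = ET.fromstring(policy_xml).find(f"./RuleCollection[@Type='{collection}']")
    rules = [] if coll is None else coll.findall("FilePathRule")
    if not rules:
        return ("allow", None)  # a collection with no rules is not enforced
    matched = [r for r in rules if _rule_matches(r, path)]
    deny = next((r for r in matched if r.get("Action") == "Deny"), None)
    allow = next((r for r in matched if r.get("Action") == "Allow"), None)
    if deny is None and allow is not None:
        return ("allow", allow.get("Name"))
    # A deny rule matched, or nothing allowed the file (implicit block).
    # In audit-only mode the file still runs and the event is only logged.
    verdict = "would-block" if coll.get("EnforcementMode") == "AuditOnly" else "block"
    return (verdict, deny.get("Name") if deny is not None else None)


if __name__ == "__main__":
    for sample in (r"%WINDIR%\notepad.exe", r"%WINDIR%\Temp\setup.exe",
                   r"%PROGRAMFILES%\Games\game.exe", r"C:\Users\a\Downloads\tool.exe"):
        print(sample, "->", evaluate(POLICY_XML, "Exe", sample))
```

Switching EnforcementMode from AuditOnly to Enabled in the sample turns every "would-block" verdict into "block", which is the step the notes describe as turning the rules on after testing.
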
Compatibility Tools
Application Compatibility Toolkit (ACT):
Can use Compatibility Evaluators to collect compat. data from client computers
Inventory Collector: Identifies installed apps and system info on client comps
UAC Compat. Evaluator: Identifies issues due to running under a non-admin account
Windows Compat. Eval. (WCE): Issues due to deprecated components in the new OS
Update Compat. Eval. (UCE): Identifies impact of a new Windows update
Assessment Ratings:
Function as expected on 32-bit OS
Function as expected on 64-bit OS
Minor issues or known solutions on 32-bit OS
Minor issues or known solutions on 64-bit OS
Major issues such as data loss or impaired functionality
Apps, devices, or sites that don't have any app assessment data
Can add labels to inventoried applications to help organize into groups
Windows Virtual PC and XP Mode:
Seamless app integration with Win7. Can launch XP-installed apps on the Win7 desktop.
USB support. Virtual PC supports flash drives plugged into host machine.
Clipboard sharing and printer redirection.
To have a shortcut to XP programs in Win7, copy shortcut to All Users\Start Menu\Programs
Exclude list in registry within XP Mode prevents certain programs from also showing up in Win7
Programs that have updated Win7 components go in here, for example
Can remove an app from the exclude list to have it show up.
Deploying a custom virtual environment:
Locate Program Files\Windows XP Mode\Windows XP Mode base.vhd
Copy the VHD to a separate folder
Go to Properties > Security tab > Advanced. Assign appropriate ownership to the file.
Install XP and install updates, configure settings... etc. Then run sysprep on the image.
In sysprep, select the Fully Automate option and set the admin password.
Set admin password to auto-logon one time after computer starts.
Once VHD file is all configured, copy to a shared drive for the client to access.
cscript CreateVirtualMachine.wsf -p:PathToVHDFile -vm:VMName
This script needs to be downloaded from somewhere online
This will create a VM and then start it. It will go through the sysprep process.

Identifying Cause of and Resolving Networking Issues
Network Troubleshooting from Control Panel
Control Panel > Troubleshooting
Select Network and Internet
Choose whichever appropriate option, and follow the wizard.
Generates an Event Tracing Log (ETL). If problem not resolved, you can forward the log.
Network Tracing with Netsh.exe
netsh trace: Enabling tracing for specific scenarios. Generates an ETL file.
Size of the ETL file can be reduced by using filters to omit irrelevant info.
Can open up the ETL file in Network Monitor 3.3 to analyze data
By default, ETL file is stored as Nettrace.etl in %TEMP%\NetTraces
You can specify elsewhere with the tracefile= parameter
An optional CAB file with more troubleshooting data can be generated.
Saved in %TEMP%\NetTraces folder as Nettrace.cab
Example: netsh trace start scenario=internetclient report=yes
Must be run from an elevated command prompt
If you want to include network traffic in the report, use capture=yes flag
To properly view the ETL file in Network Monitor, disable Stubs in Tools > Options > Parsers.
Network Troubleshooting Tools
Ping:
Verifies IP-level connectivity by sending an Echo Request message
Echo Reply messages are displayed, along with round-trip times
If pinging IP address is successful but computer name is not, it's a DNS issue.
Parameters:
-t: Continue sending Echo Request messages until interrupted by CTRL+BREAK.
-n #: Specifies the number of Echo Request messages to be sent.
-w Timeout: Specifies amount of time in milliseconds to wait for Echo response.
Pathping:
Route-tracing tool that combines features of Ping and Tracert with additional info
Sends packets to each router on the way to a final destination
Computes results based on packets returned from each hop
Shows degree of packet loss for each router or link, helping pinpoint problems
Switches:
-n: Does not resolve addresses to host names
-h <maxhops>: Set maximum number of hops to search for target
-p <milliseconds>: Number of milliseconds to wait between pings
-q <numberqueries>: Number of queries per hop
-w <milliseconds>: Configure timeout setting in milliseconds
Default number of hops is 30, and default timeout is three seconds (3000)
Sample results:
  1   41ms     0/100 =  0%     0/100 =  0%   172.16.87.218
                              13/100 = 13%     |
  2   22ms    16/100 = 16%     3/100 =  3%   192.168.52.1
                               0/100 =  0%     |
In sample above, link between hop 1 and 2 is dropping 13 percent of packets
Portqry:
Queries the status of ports on a target computer
Can query an individual port, series of ports, or a range of ports
Statuses for ports are:
Listening: Open
Not listening: Closed
Filtered: Eh?
Example: portqry /n 10.193.36.210
Returns: TCP port 80 (http service): LISTENING
Nslookup:
Syntax: nslookup [-SubCommand ...] [{ComputerToFind | [-Server]}]
Example: nslookup -querytype=hinfo -timeout=10
Error Messages:
Timed out, no response from server, no records, non-existent domain
Connection refused or network is unreachable, Server failure, refused, format error
Netsh command for IPv4 and IPv6
Enter netsh LAN by typing netsh, Enter, then lan, and Enter again.
LAN Commands:
add profile: Adds wired connection profile to the target computer
add profile filename=PathAndProfileName [[interface=]InterfaceName]
filename = XML file containing profile data (required)
InterfaceName = Name of interface as displayed in Network Connections
delete profile: Self-explanatory
export profile: Saves LAN profiles as XML to a specified location
export profile folder=PathAndFileName [[interface=]InterfaceName]
folder = Full path including file name for XML file
InterfaceName = Name as it will appear in Network Connections
Example: export profile folder=c:\Users\ interface="Local Area Connection"
reconnect: Attempts to reauthenticate to a wired network using the specified interface
reconnect [[interface=]InterfaceName]
Example: reconnect interface="Local Area Connection"
set autoconfig: Enables or disables Wired AutoConfig service on an interface
set autoconfig enabled={yes|no} interface=InterfaceName
By default, AutoConfig is enabled in Vista and above
show interfaces: Displays list of current wired interfaces on the computer
show profiles: Displays list of wired profiles that are configured on the computer

Netsh Command for WLAN
Set into WLAN mode by entering netsh, Enter, wlan, Enter.
To install Wireless LAN Service on Server 2008 R2 computer:
In Initial Configuration Tasks, in Customize This Server, click Add Features. The Add Features Wizard opens.
In Select Features, in Features, scroll down the list, select Wireless LAN Service, and then click Next.
In Confirm installation selections, click Install.
Commands:
add filter: Adds a wireless network by SSID and network type to the allowed or blocked list
add filter permission={allow|block|denyall} ssid=WirelessNetworkName networktype={infrastructure|adhoc}
If using denyall, SSID doesn't need to be specified.
add profile: Adds a WLAN profile to the target computer
add profile filename=PathAndFileName [[interface=]InterfaceName] [[user=]{all|current}]
User is optional. Specifies which user this is applied to.
Supports wildcards. Wildcard example:
add profile filename=C:\Users\WirelessUser\Documents\profile1.xml interface="Wireless Network Connection"
add profile filename="C:\WirelessProfiles\WiFiProfile.xml" interface=w*
connect: Connects to a wireless network by SSID
connect name=ProfileName [[ssid=]WirelessNetworkName] interface=InterfaceName
interface= is only needed if there is more than one wireless interface
Wireless interface = name under Network Connections. "Wireless Network Connection"
delete filter: Removes a wireless network from the allowed or blocked list
Syntax same as add filter
delete profile: Dur.
Syntax same as add profile
disconnect: Disconnects the specified interface from a wireless network
disconnect interface=InterfaceName
export profile: Saves WLAN profiles as XML to specified location
export profile folder=PathAndFileName [[name=]ProfileName] [[interface=]InterfaceName] [[key=]clear]
Example: export profile folder=c:\profiles name="Profile1" interface="Wireless Network Connection"
reportissues: Generates a WLAN smart trace report
set allowexplicitcreds: Specifies whether to allow or disallow using shared credentials for network authentication
set allowexplicitcreds allow={yes|no}
This command requires 2008 R2 to work. Won't work in 2008.
set autoconfig: Enables or disables WLAN auto-configuration on an interface
set autoconfig enabled={yes|no} interface=InterfaceName
Enabled by default. Disabled = Windows will not auto-connect to any wireless networks.
set profileorder: Sets order of preferred wireless connections on an interface
set profileorder name=ProfileName interface=InterfaceName priority=integer
Setting to 0 or 1 makes it first on the list. Lower = higher priority.
show all: Display all info on wireless network adapters, profiles, and networks
show autoconfig: Shows whether WLAN AutoConfig is enabled/disabled
show filters: Display list of blocked/allowed wireless networks
show filters [[permission=]{allow|block}]
Optional: Can specify to show only blocked or allowed.
show interfaces: Show wireless interfaces on a computer
show networks: Show wireless networks that are available on the computer
Can show all or specify one interface
Example: show networks interface="Wireless Network Connection"
Setting up a Wireless Network in Windows 7
Put router in a central location. Signal goes out radially.
Put router off the floor and away from walls and metal objects.
802.11g networking uses 2.4 GHz frequency, which can be interrupted by microwaves and cordless phones.
Sharing Files:
Easiest way is sharing with a homegroup.
If no homegroup, all files placed in Public folder will be available to people on network.
To turn on public folder sharing:
Network and Sharing Center > Change advanced sharing options
Expand the current network profile.
Under Public folder sharing, enable Turn on sharing so anyone can... etc.
Save changes.
Sharing a Printer:
Check Printers checkbox when setting up the homegroup.
Or Network and Sharing Center > Advanced sharing settings.
Expand current profile.
Under File and printer sharing, click Turn on file and printer sharing.
Then go to printer properties and set up sharing.

Managing and Maintaining Systems that run Windows 7 client
Action Center
One-stop notification center for managing Security and Maintenance functions
Security Options:
Network Firewall
Windows Update
Virus Protection
Spyware and unwanted software protection
Internet security settings
User Account Control
Network Access Protection
Windows Defender
Maintenance Options:
Solutions to problem reports
Windows Backup
Check for updates
Troubleshooting: System Maintenance: Subcategories within (programs, hardware, Internet...)
Device Manager
Control Panel > System and Security > Device Manager
Already know all about this
Reliability Monitor
Collects 24 hours of data before it displays any results and calculates the stability index of 1 to 10.
1 = least stable and 10 = most stable
Open up Action Center > Under Maintenance > View reliability history
View all problem reports link on the bottom = only show problems, not installations... etc.
Save reliability history link on the bottom = Export report to an XML file
Performance Monitor
Use data collector sets to organize and schedule collection of specific performance data
Can generate easy-to-read reports from data collected using Data Collector Sets
Launch using perfmon.msc
To monitor specific system activity in PerfMon, you need Server 2008 R2 or Win7 and admin rights
Click the Add button on top of the PerfMon window to add counters.
Sample counters:
Memory: % Committed Bytes In Use
Memory: Page Faults/sec
PhysicalDisk: Disk Read Bytes/sec
PhysicalDisk: Disk Write Bytes/sec
PhysicalDisk: Disk Writes/sec
Processor: % Idle Time
Processor: Interrupts/sec
System: Threads
Create a Data Collector Set:
Add counters that you want to be collected
Right-click anywhere on the graph, click New > Data Collector Set.
The Data Collector Set Wizard will open, and all of your counters will be selected
Name the Data Collector Set
Root Directory field = Change where DCS data is saved
Next > Define a user for the DCS to run as. Click Change to enter user's name/password.
Click Finish.
Can start DCS by right-clicking and selecting Start.
Create and Schedule Logs from a Data Collector Set:
In Windows Performance Monitor, expand Data Collector Sets and click User Defined.
Right-click > Properties.
Click the Schedule tab.
Click Add to create a start date, time, or day for data collection.
Can set Expiration date for when you want to stop collecting new data
View log data in Performance Monitor:
Expand Reports, expand User Defined, and expand the desired DCS
DCS needs to be stopped to view report
Click the Performance Monitor View button to view as graph
View a diagnosis report:
Diagnostics report comes built into PerfMon
Data Collector Sets > System > System Diagnostics.
Right-click and Start.
Runs for 60 seconds. When done, expand Reports > System > System Diagnostics to view.
Event Viewer
Used for managing event logs.
Event types include Application, Security, Setup, System, Forwarded Events.
Can look up Event ID online for further information
Application events:
Information = Minor events.
Warning = Application crashing or doing something unexpected. For example, not being able to connect to network.
Setup events:
Warning = Updates or programs failing to install.
System events:
Warning = Computer not starting up or power plug being pulled... etc.
Custom Views:
Right-click on Custom Views > Create Custom View.
Select duration for logging, event level (critical, warning... etc.), filter by users and computers
Give the filter a name
Set the log file save location in Properties
Collector-initiated Event Forwarding:
Setting up the collector computer: wecutil quick-config or wecutil qc
Setting up a source/forwarding computer: winrm quickconfig
Add the collector computer account to local Event Log Readers group on forwarding computer
Collector computer having Domain Admin account would work as well
On collector computer, right-click on Subscriptions and Create Subscription.
Destination Log = Forwarded Events
Select Events button > Edit...
Choose whichever events and event types you want
Collector-initiated will occasionally poll computers for event logs
Source-initiated is harder to configure but scales better.
Source-initiated event forwarding:
Local Group Policy > Admin Templates\Windows Components\Event Forwarding
Select Configure server address
Select Enable.
SubscriptionManagers > Click the Show button.
Enter the address of the collector. Server=<Address of collector>
Run wecutil qc on the collector computer
Create subscription, name it.
Select Source computer initiated.
Select Computer Groups > Add domain group or specific computers
Exporting subscription to another computer:
wecutil gs "Events from Desktop Computers" /f:XML > SourceConfig.xml
System Recovery Options
Option 1: OEM Recovery
Option 2: Windows 7 Installation or System Repair Disc:
Startup Repair:
Can repair unbootable computer for the following reasons:
Registry corruption
Missing or damaged system and driver files
Disk metadata corruption (MBR, partition table, boot sector)
File system metadata corruption
Installation of problematic or incompatible drivers
Corrupt boot config
Bad memory and hard disk (detection only)
Will NOT repair the following:
Malfunctioning firmware/hardware
Windows logon errors
Virus and malicious software
Sometimes it may take running a startup repair 3 times to fully fix an issue
System Restore:
Uses a feature called System Protection to regularly create and save restore points.
System Restore will also uninstall programs and drivers from after the restore point
Can't undo a restore if done in safe mode, but can restore from another point
rstrui.exe will launch System Restore window
Show affected programs and drivers button will do just that
System Image Recovery:
All self-explanatory. Can exclude certain disks when repartitioning using an image file.
Memory Diagnostics:
Self-explanatory.
Command Prompt:
Self-explanatory
Chkdsk
Similar to scandisk from previous Windows versions
chkdsk C: /F /R will attempt a full scan (including bad sectors) and attempt to fix them
Switches:
/F: Fixes errors on the disk
/R: Locates bad sectors and recovers readable information (implies /F).
/I: NTFS only: Performs a less vigorous check of index entries.
Disk Defragmenter
Network locations cannot be defragged.
SSD and USB drives with flash memory do not need to be defragmented (no moving parts)
dfrgui: Launch Defragmenter from command prompt
Can defrag more than one drive with defrag C: E: H: F: /F
Switches:
/A: Perform analysis on selected volumes
/R: Perform a partial defrag. Only fragments smaller than 64 MB.
/U: Print the progress of the operation on the screen
/X: Perform free space consolidation on the specified volumes

Supporting Mobile Users
Troubleshooting Wireless Connections
Run netsh wlan command to gather info about wireless config settings and devices
SOHO Network (small office/home office) = workgroups and Homegroups
802.1X authentication = Wireless authentication. Use with WPA2-Enterprise or WPA-Enterprise.
WEP has weak encryption. Use WPA2 instead.
Wireless Diagnostics Wizard:
Network and Sharing Center > Diagnose and Repair
netsh wlan show all to get a sense of what's what. Look for problems.
Check Event Viewer logs for WLAN AutoConfig starting and stopping (look for error icon)
Use Wireless data collector set under System in Computer Manager.
Virtual Private Networks (VPN)
Types of VPN Protocols:
SSTP:
Secure Socket Tunneling Protocol
Allows traffic through the SSL port 443.
IKEv2:
Internet Key Exchange version 2
Tolerates interruptions in the underlying network connection
Uses VPN Reconnect to automatically re-establish a connection
Requires a VPN server running Server 2008 R2
L2TP:
L2TP/IPSec VPN Client is a free web download
Compatible with older versions of Windows
Supports NAT traversal
PPTP:
Point-to-Point Tunneling Protocol
Oldest of the four. Not as secure.
DirectAccess
Access network resources without establishing a VPN
Based on IPv6 tech (required)
Improved security by using IPSec for authentication and encryption
Requires Enterprise or Ultimate and Windows Server 2008 R2 server

Identify and resolve Windows Internet Explorer security issues
Credential Manager
Windows Vault stores credentials for servers, websites, and other programs
Can add certificate-based credentials via Certificate Manager
Back up Vault / Restore Vault to transfer stored credentials to another computer
User Account Control (UAC)
Disable Admin Approval mode:
Local Group Policy > Security Options > UAC: Run all administrators in Admin Approval mode.
Select the Disabled option and click OK.
Disable UAC from prompting for credentials when installing applications:
Local Group Policy > Security Options > UAC: Detect application installations and prompt for elevation.
Select Disabled and click OK.
Change the elevation prompt behavior for admins:
Local Group Policy > Security Options > Behavior of the elevation prompt for administrators.
Select one of the following:
Elevate without prompting
Prompt for credentials: Prompts for username and password
Prompt for consent (default)
Change the elevation prompt behavior for standard users:
Same as above, but for standard users
Prompt for credentials is the default option.
Internet Explorer Add-ons and Other Features
Tools > Manage Add-ons
Or Internet Options > Manage Add-ons
Add-on types = Toolbars and Extensions
IE Certificates
ActiveX applets can install SSL certificates for certain sites in IE
Encrypting the File System in Windows 7
Requires Windows 7 Professional or higher
Properties > Advanced > Encrypt
Can encrypt the file only or the entire parent folder
Can't compress and encrypt. Only one or the other.
Encrypted files have green file names in Explorer
Blue = Compressed
Can adjust those colors in the Folder Options window
To add other users' permission > Properties > Advanced > Details.
They need to have logged on to the local computer before in order to have generated a cert
This goes above and beyond simple NTFS permissions
Ensure that they have NTFS permission as well
When using EFS, make sure you export out your user certificate
Control Panel > User Accounts > Manage your file encryption certs
Select cert > Back up the certificate and key to removable disc or network folder
Put a password on the resultant PFX file. Will need it to import it later.
Select all files that are attached to that cert.
BitLocker
Encrypts an entire drive, whether it be hard drives or removable storage
Integrity checking of early boot components to ensure that system has not been tampered with
Makes sure drive is still in the original computer
Protection against cold boot attacks by requiring a startup PIN or USB key
Active Directory integration to remotely escrow recovery keys when user forgets PIN or loses USB key
When enabling BitLocker on a drive, it automatically creates the hidden partition
BitLocker To Go gives control over how removable storage devices can be utilized
Read-only mode, require a PIN or cert.. etc.
Only included in Win7 Ultimate and Enterprise editions
Using BitLocker To Go on a removable drive:
Right-click > Turn on BitLocker.
Choose unlock method: Password or Smart Card
After that, user will be asked to print or save their recovery password
This is a 48-digit password
All versions of Win7 can unlock BitLocker-protected drives. Only Ult. and Ent. can encrypt.
In addition to recovery passwords, the admin can use GP to configure a Data Recovery Agent.
This is a public key that works domain-wide
New Group Policy Settings:
Require all removable drives be BitLocker-protected before data can be saved on them.
Require or disallow specific methods for unlocking BitLocker-protected drives.
Configure methods to recover data from BitLocker-protected drives if the user's unlock credentials are not available.
If the computer doesn't have a Trusted Platform Module (TPM), you must enable the Require additional authentication at startup GP settings, and then within that setting select Allow BitLocker without a compatible TPM.
Windows Defender
Part of the Action Center in Windows 7
Antispyware that auto-updates definitions via Windows Update
Windows Update
Already know all of this
Baseline Security Analyzer
Download from Microsoft to identify missing security updates and common security misconfigurations

Group Policy Refresher
Administrative Tools > Group Policy Management
GPO = Group Policy Object: contains policy settings
Use GP Management Console to create, move, and delete GPOs
Top level of AD is sites and domains. Below that are organizational units (OUs)
OUs contain computers, users, and other objects
GPOs need to be linked to OUs. For example, linking one GPO to the Teachers OU for schools.
Inheritance = All OUs within a domain inherit its settings. Parent-child inheritance.
When GPO settings conflict, precedence is given to the child folder over the parent
GPOs are applied from the top down, overwriting settings along the way
This can be overridden in more advanced scenarios
GPMC is to GPOs and OUs as Explorer is to files and folders.
In GPMC under Windows Settings, there are Policies and Preferences.
Policies: Contain policy settings that GP enforces
Preferences: Contain preference settings that can change almost any registry entry, file, folder, or other item. Users can change these preference settings in between Group Policy refreshes.
When you edit a policy setting, you are usually given these choices:
Enabled: writes the policy to the registry with a value that enables it
Disabled: writes the policy to the registry with a value that disables it
Not configured: leaves the policy setting undefined. No impact on users or computers.
Careful with the policy names. Some policies say "Disable this feature". Setting this to disabled will actually enable the feature in question. Ya dig?
GP applies settings when Windows starts and when a user logs on to the computer
GP also refreshes GPOs on a regular basis. Every 90 minutes or so, to ensure that policies are updated.
You can manually update GP at any time by using gpupdate.exe from the command prompt.
Can force it to update all settings by using the flag /force
Assigning a GPO to an OU is referred to as linking the GPO. Can also be unlinked.
Be careful knowing the difference between deleting GPOs and deleting links.
Right-click and select Back Up to back up GPOs to a specified location.
This is good in case you make erroneous changes to GPOs down the line.
To restore a backup GPO, right-click and select Manage Backups.
Navigate to the saved directory, Backed up GPOs list, Restore.
GPMC is auto-installed when a 2008 or 2008 R2 server is running the AD DS role.
Otherwise, you can download the Remote Server Admin Tools for Win7 with SP1 package
Then just enable it from Programs and Features
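
Added example (not part of the original notes): a Python sketch of the precedence rules above, computing which GPO wins each setting when links are applied top-down, and decoding the "Disable this feature" naming trap. It goes one step past the notes by modelling the Enforced link option as the way the child-wins order is overridden; the GPO names, policy names and OU layout are made up, and the name-prefix check is a heuristic.

```python
# Constructed sample: GPO names, policy names and OU layout are hypothetical.
# Each link is (GPO name, where it is linked, enforced link?, settings),
# listed from the top of the hierarchy down to the OU that holds the object.
LINKS = [
    ("Domain Baseline", "domain", False,
     {"Disable removable storage": "Enabled", "Require screen lock": "Enabled"}),
    ("Staff GPO", "OU=Staff", False,
     {"Require screen lock": "Disabled"}),
    ("Teachers GPO", "OU=Teachers,OU=Staff", False,
     {"Disable removable storage": "Disabled", "Require screen lock": "Not configured"}),
]

NEGATIVE_PREFIXES = ("disable", "turn off", "prevent", "prohibit", "do not")


def resultant_policy(links):
    """Return {policy: (state, winning GPO)} for links ordered parent -> child."""
    normal = [l for l in links if not l[2]]
    enforced = [l for l in links if l[2]]
    result = {}
    # Normal links apply top-down, so a child overwrites its parent.
    # Enforced links are applied afterwards, bottom-up, so the highest
    # enforced link has the last word.
    for name, _where, _enf, settings in normal + enforced[::-1]:
        for policy, state in settings.items():
            if state in ("Enabled", "Disabled"):  # Not configured changes nothing
                result[policy] = (state, name)
    return result


def feature_is_on(policy_name, state):
    """Negatively named policies invert: 'Disable X' set to Disabled leaves X on."""
    negative = policy_name.lower().startswith(NEGATIVE_PREFIXES)
    return (state == "Enabled") != negative


if __name__ == "__main__":
    for policy, (state, gpo) in resultant_policy(LINKS).items():
        print(f"{policy}: {state} (from {gpo}), feature on: {feature_is_on(policy, state)}")
```

In the sample, the Teachers GPO sets "Disable removable storage" to Disabled, so removable storage is usable again for that OU even though the domain baseline turned it off; marking the domain link as enforced reverses that.
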
