Windows 7 Seminar - Acend Corporate Learning

Unlock Hidden Potential:

What’s New in Windows® 7

Clinic Outline

• Session 1: Security Features

• Session 2: Networking Functionality

• Session 3: Other New Features

Security Features

• User Account Control changes

• Windows BitLocker™ and Windows BitLocker To Go™

• Windows AppLocker™

User Account Control Changes

•What is User Account Control?

A bunch of functions that help make your computer remain secure.

•Note: Administrators should still have admin and user accounts.


Remember this???


• Many actions no longer require administrative privileges, so UAC doesn’t kick in:

- Changing time zone

- renewing IP address

- viewing firewall settings

- changing display dpi

User Account Control Changes (cont’d)

• More easily managed locally (with admin priv.)

• More options than before

User Account Control Changes (cont’d)

• More granular configuration available through Group Policy

BitLocker

• Available in Enterprise and Ultimate editions

• Same functionality as in Vista, but easier to implement

• Requires two partitions – 100MB hidden partition created at install

BitLocker (cont’d)

• Security provided through:• Trusted Platform Module (TPM)

• TPM + PIN

• TPM + PIN + USB Key

• TPM + USB Key

• USB Key


• With TPM, enabling is through Rt-Click

• Without TPM, Local Security Policy must be edited

• Windows 7 provides support for Data Recovery Agent(s)


• Recovery password created when BitLocker enabled

• Saved

• Printed

• Stored in Active Directory

• Computer goes into recovery mode if:

• The TPM is missing or changed

• There are changes to startup files

• Computer is booted from a CD or DVD

BitLocker To Go

• Available in Enterprise and Ultimate editions

• Allows you to encrypt removable drives

• USB/Firewire/SATA HDDs

• Solid state drives like USB thumb drives

• When you enable BTG, four things happen:

• You are prompted to create a password that will be used to unlock the drive

• You will choose to save or print your recovery password

• A “BitLocker to Go Reader” is copied to the drive (FAT drives only)

• The drive is encrypted

BitLocker To Go (cont’d)

• Using a BTG-encrypted drive in Windows 7

• Prompted for password

• Read/write access

• Using a BTG-encrypted drive in Vista or XP

• Autoplay displays a prompt to install the “BitLocker to Go Reader”

• You are prompted for the password

• You copy files to the local hard drive

• You cannot open files directly from the BTG-encrypted drive, and you only have read access

• To use BTG with Vista or XP, drive must be formatted with FAT file system

AppLocker

• New version of Software Restriction Policies

• Much simpler implementation• Rules define what *can* run – all others are blocked

• You can auto-create rules for all programs on a “reference machine”

• You can then manually create rules for new applications

AppLocker (cont’d)

• Three types of rules:• Executable rules (exe, com, etc)

• Windows Installer rules (msi, msp)

• Script rules (bat, cmd, vbs, etc)

• “Default Rules” allow:• Everyone access to programs in Program Files

• Everyone access to programs in Windows

• Administrators access to programs everywhere

AppLocker (cont’d)

• An “audit only” mode allows administrators to see what apps would be affected by an AppLocker rule before enforcing the rules

• Critical Points:• You must create the default rules first, because

one “allow” rule will deny all others

• The Application Identity service must be running on the client

• A user with administrative privileges can circumvent the rules

• Vista and XP clients ignore AppLocker

• Windows 7 clients ignore Software Restriction Policies if they are in the same GPO as an AppLocker rule

Networking Functionality

• Windows DirectAccess

• Windows BranchCache™

DirectAccess

• Technology that allows users to access the corporate network without a VPN connection

• Transparently connects whenever the user connects to the Internet

• Bi-Directional

o Users get access to the corporate network

o IT can manage the remote computer

NAP health policies

Patches

DirectAccess

DirectAccess (cont’d)

• Can be configured to be:

o Network wide

o Restricted to specific resources

• Communication is via IPv6 over IPSec (possibly tunneled through IPv4)

• Integrates with NAP to ensure computers are healthy before connecting

DirectAccess (cont’d)

• Hardware/Software requirements:• At least one DirectAccess server running 2008 R2

with two NICs

• At least one DC and DNS server running 2008 or 2008 R2

• A PKI

• Defined IPSec policies

• IPv6 transition technologies

• Windows 7 Enterprise or WS08R2 on the client

BranchCache

• Branches often connected via slow links – resource access can be slow

• BranchCache helps resolve issue by caching data in the branch office (encrypted)

• Can be implemented in two modes:• Distributed caching

• Hosted caching

BranchCache (cont’d)


• When accessing data for the first time the computer• Downloads the data from the corp site

• Copies the data (if necessary) to the hosted cache


• When a second user accesses the same data, the computer:

• Contacts server in corp site to confirm user is authorized and downloads an identifier and a hash of the data

• Checks the branch cache for the identifier and, if found, checks the hash against the cached copy

• If the identifier is not found or the hashes don’t match (file has changed), downloads the data from the main site


• Note: BranchCache only works for reads. Any writes are saved to the main site

• Requirements:• Content servers in main site must be 2008 R2 with

BranchCache enabled

• A 2008 R2 server in the branch site if using Hosted Cache, with BranchCache enabled

• Windows 7 Enterprise clients with BranchCache enabled

Other New Features

• Libraries

• Problem Steps Recorder

• Start/Search Button

• Interface Enhancements

Libraries

• Views that help users manage data in:• Shared folders

• Document repositories

• Web sites

• Adding web sites or document repositories to a Library requires a connector

• Libraries can be shared on the network

Problem Steps Recorder

• Helps administrators recreate the steps that led to a problem for the user

• Creates screen captures and descriptions of every action a user takes

• Saves the captures in a .zip file viewable in browser

• Great for documenting configurations

Start Search Button

• Super timesaver

• Lists files, folders, programs, email addresses, address book entries, calendar appointments, pictures, movies, .pdf documents, music files, browser bookmarks and MS Office documents

• Smart – not just a word search

• Results more complete and faster if indexing is enabled

Interface Enhancements

• Windows 7 provides dozens of obvious or subtle interface improvements that: Add functionality

Improve efficiency

Make working with Windows more pleasant

The End

• Questions?

Education

Windows 7 Seminar - Acend Corporate Learning