These are notes that I took while watching Professor Messer's 70-680 videos on YouTube. I figured I would share them. Please also visit professormesser.com and search for his 70-680 videos on YouTube.
System requirements:
1 gigahertz (GHz) or faster 32-bit (x86) or 64-bit (x64) processor
1 gigabyte (GB) RAM (32-bit) or 2 GB RAM (64-bit)
16 GB available hard disk space (32-bit) or 20 GB (64-bit)
DirectX 9 graphics device with WDDM 1.0 or higher driver
Upgrading:
Cannot upgrade from x86 to x64 or x64 to x86
Windows 7 Upgrade Advisor tells you if the computer can run Windows 7. Included on installation media
Use MAP for large scale upgrade planning
Make sure that the OS is completely up-to-date (service packs etc)
Need 10 GB of free space
When upgrading from Vista to 7, you can decide to roll back up until the point you login to Windows 7
Installing from USB:
Need at least 4 GB of space
Must initialize the drive through diskpart utility:
Cmd prompt > type diskpart (get into diskpart) > list disk (shows available disks) > select disk 6 (select the usb drive) > clean (wipe it) > create partition primary > format fs=fat32 quick > active (make it bootable) > exit (back to cmd prompt). Now copy the contents of the Windows DVD to the USB drive
Not scalable
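The same diskpart sequence, wrapped in a PowerShell script (this is an added example, not part of the notes or Professor Messer's material). It feeds the commands to diskpart as a script file and, because "clean" wipes whichever disk number you select, first checks that the chosen disk reports a USB interface and is at least 4 GB. The disk number, DVD path and drive letter are assumptions passed in as parameters.

```powershell
# Added example (not from the notes): build a bootable Windows 7 USB installer
# with diskpart, verifying first that the chosen disk really is a USB device,
# because "clean" wipes whichever disk number you select.
param(
    [Parameter(Mandatory=$true)][int]$DiskNumber,     # e.g. 6, as shown by "list disk"
    [Parameter(Mandatory=$true)][string]$DvdRoot,     # e.g. 'D:\' (Windows 7 DVD)
    [Parameter(Mandatory=$true)][string]$UsbLetter    # e.g. 'J' (letter assigned below)
)

# Safety check: refuse to run unless the disk reports a USB interface.
$disk = Get-WmiObject Win32_DiskDrive | Where-Object { $_.Index -eq $DiskNumber }
if (-not $disk) { throw "Disk $DiskNumber not found" }
if ($disk.InterfaceType -ne 'USB') {
    throw "Disk $DiskNumber ($($disk.Model)) is $($disk.InterfaceType), not USB; aborting"
}
if ($disk.Size -lt 4GB) { throw "Disk is smaller than the 4 GB the installer needs" }

# Same command sequence as the notes, fed to diskpart as a script file.
$script = @"
select disk $DiskNumber
clean
create partition primary
format fs=fat32 quick
active
assign letter=$UsbLetter
exit
"@
$scriptPath = Join-Path $env:TEMP 'make-usb.txt'
Set-Content -Path $scriptPath -Value $script -Encoding ASCII
diskpart /s $scriptPath
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# Copy the whole DVD (including the \boot folder and bootmgr) to the USB drive.
robocopy $DvdRoot "${UsbLetter}:\" /E /NFL /NDL
# robocopy exit codes below 8 mean success.
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
Write-Host "Bootable USB ready on ${UsbLetter}:"
```

Run it from an elevated PowerShell prompt; diskpart needs administrator rights.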
Windows Deployment Services (WDS):
Must have Windows Server 2008 and Active Directory
Clients need a network adapter supporting Preboot Execution Environment (PXE) and DHCP server
Clients can also boot from a discover image
Must have NTFS file system
Uses multicast – install on many computers simultaneously
Highly scalable
Start > Administrative Tools > Windows Deployment Services
Windows PE and installing from a share:
Deployment tools cmd prompt > copype x86 c:\windowspe-x86 (take the files used to build the PE .iso and put them in the specified directory) > copy c:\windowspe-x86\winpe.wim c:\windowspe-x86\ISO\sources\boot.wim (copy the winpe image file and rename it to boot.wim, it will boot from this image) > oscdimg -n -bc:\windowspe-x86\etfsboot.com c:\windowspe-x86\ISO c:\windowspe-x86\windowspe-x86.iso (create the iso image)
Get it from Windows Automated Installation Kit (Windows AIK)
Useful for diagnostics, installing from network share
Can customize through winpe.wim (add third party utilities etc)
Not scalable
Microsoft Application Compatibility Toolkit (ACT):
Includes Application Compatibility Manager – can scan hundreds of computers, must have SQL server
Includes Compatibility Administrator – make your own shims
Includes Internet Explorer Compatibility Test Tool – debug mode as you browse
Includes Demo Application – gives you a lab environment to test stuff
Includes Standard User Analyzer – simulate how a program reacts to a normal user instead of admin
Microsoft Deployment Toolkit (MDT) 2010:
Requires the Windows AIK
Basically dism, imagex, etc with a GUI instead of CLI
Microsoft Assessment and Planning Toolkit (MAP):
Large scale upgrade planning
Integrates and requires Active Directory
Scans the network to find computers
Inventories computers, servers, and virtual machines
Automatically retrieves information from machines
Works with many different operating systems – not just Windows
Doesn’t require any agent software (no software on client computers)
Windows Automated Installation Kit (Windows AIK):
Deployment tools command prompt: dism, oscdimg, imagex
Windows System Image Manager (Windows SIM)
Windows PE
User State Migration Tool (USMT)
OSCDIMG:
Included with Windows AIK
Command line creation of ISO files
Usage: OSCDIMG [options] sourceroot targetfile
Option b is used to specify the file that will be written in the boot sector of the disk
Option n is used to allow long file names
Automation:
Unattend.xml
Autounattend.xml – contains destructive information (disk partitioning, etc)
Made with Windows System Image Manager (Windows SIM)
Always save to the root
Managing the startup menu (dual booting)
Bcdedit allows you to configure the boot menu from the command line
Cmd prompt > bcdedit (show all boot options)
Backup and restore:
Bcdedit /export c:\save-bcd
Bcdedit /import c:\save-bcd
Create a new entry:
Bcdedit /copy {current} /d "New entry"
Other commands:
Bcdedit /set {current} description "New Entry Description"
Bcdedit /displayorder {ntldr} /addfirst
Bcdedit /default {ntldr}
Bcdedit /displayorder {1234567} /addlast
Migrating with Windows Easy Transfer:
Migrate from XP or Vista to 7
Comes with Windows 7, it will ask you if you want to install Windows Easy Transfer on other computer
Easy Transfer cable (USB), network, an external hard disk or USB drive
Side-by-side > move info from one to another
Wipe-and-load > move data > nuke > load data
Not scalable, GUI
Migrating with User State Migration Tool (USMT):
Included with the Windows Automated Installation Kit (AIK)
Migrate from XP or Vista to 7. Migrate from Windows 7 to Vista
ScanState compiles and stores the migration data
Cmd prompt > scanstate [where-to-store] /i:c:migapp.xml /i:c:migdocs.xml /o (/o overwrites the xml files instead of adding to them). Produces a file named USMT.mig
LoadState loads the profiles on to the destination computer
Cmd prompt > loadstate [where-you-stored-it]
MigApp.xml – Migrate application settings (folder options, fonts, wallpaper settings, etc)
MigUser.xml – Migrate user folders, files, and file types
MigDocs.xml – Location of user documents
Config.xml – Exclude migration features
Storing the migrated data:
Uncompressed – Stored in folders, view using Windows Explorer
Compressed – Uses less space, can’t be viewed in Windows Explorer
Hardlink – Creates links to the user data (links are followed when performing wipe-and-load), doesn’t duplicate files
Highly scalable, CLI
Windows SIM (System Image Manager):
Included in Windows AIK
Manages image distribution
Used to edit answer files (xml), will validate them
Insert Windows 7 DVD and open d:\sources\install.wim to create answer file for it
ImageX:
Included in Windows AIK
Create and modify Windows images (WIM)
Add imagex to Windows PE
Capture the image on drive d, save to h, compress fast, verify wim file:
Cmd prompt > navigate to imagex.exe > imagex /capture d: h:\win7ult-lab.wim /compress fast /verify
DISM (Deployment Image Servicing and Management):
Included in Windows AIK, comes with Windows 7
Modify an image with updates, drivers, etc. View, add, or remove packages or features
Work with .cab files or Windows update (.msu) file, administratively disable features like freecell
Basically it unpacks a wim file when you mount it so that you can make changes to it
Get image information: dism.exe /get-wiminfo /wimfile: /index:<#>
Mount image: dism.exe /mount-wim /wimfile: /index:<#> /mountdir:<..>
Manage .inf drivers on an active (online) or offline system (online=running) (offline=wim file):
Dism /online /get-drivers /all
Dism /image: /get-drivers /all (show all drivers)
If you’re online, you can only view drivers
Dism /image: /add-driver or /remove-driver
On x64, drivers must have digital signature unless you use /forceunsigned
Dism /image:<mount dir> /add-driver /driver:<drivers dir> /recurse (add all drivers in the drivers dir to the image in the mount dir)
All third party drivers are given the names oem0.inf oem1.inf oem2.inf etc
Packages are “pending” until system is booted
Manage patches for .msp and .msi packages
Must always commit to save:
Dism.exe /commit-wim /mountdir:
Dism.exe /unmount-wim /mountdir: {/commit | /discard}
Can use unattend.xml , apply it via:
Dism /image: /apply-unattend:
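The mount, add-driver, commit sequence from the DISM notes as one PowerShell script (an added example, not from the notes or from Microsoft's documentation). The point it demonstrates is the "must always commit to save" caveat: every dism call is checked for a non-zero exit code, the image is unmounted with /commit only if all steps succeeded, and otherwise the mount is discarded so a half-modified WIM is never written back. The WIM path, index, mount directory and driver directory are assumptions.

```powershell
# Added example (not from the notes): inject a folder of .inf drivers into an
# offline Windows 7 image with DISM, committing only if every step succeeded
# and discarding the mount otherwise. Paths are assumptions for this example.
param(
    [string]$WimFile   = 'C:\images\install.wim',
    [int]   $Index     = 1,
    [string]$MountDir  = 'C:\mount',
    [string]$DriverDir = 'C:\drivers'
)

function Invoke-Dism {
    # Run dism.exe with the given arguments and fail loudly on a non-zero exit code.
    param([string[]]$Arguments)
    & dism.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "dism $($Arguments[0]) failed ($LASTEXITCODE)" }
}

if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }

# Show what is in the WIM so the index is the one we think it is.
Invoke-Dism @("/Get-WimInfo", "/WimFile:$WimFile")

Invoke-Dism @("/Mount-Wim", "/WimFile:$WimFile", "/Index:$Index", "/MountDir:$MountDir")
try {
    # /Recurse walks subfolders; unsigned drivers on x64 would need /ForceUnsigned (not used here).
    Invoke-Dism @("/Image:$MountDir", "/Add-Driver", "/Driver:$DriverDir", "/Recurse")
    # Third-party drivers now show up as oem0.inf, oem1.inf, ... in this listing.
    Invoke-Dism @("/Image:$MountDir", "/Get-Drivers")
    # Unmount with /Commit so the change is written back to the WIM.
    Invoke-Dism @("/Unmount-Wim", "/MountDir:$MountDir", "/Commit")
    Write-Host "Drivers committed to $WimFile index $Index"
}
catch {
    Write-Warning "Failed: $_ ; discarding changes"
    & dism.exe /Unmount-Wim /MountDir:$MountDir /Discard
    throw
}
```

Run it from the Deployment Tools command prompt (or any elevated prompt where dism.exe from the AIK is on the path).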
Sysprep:
Run audit mode (Shift-Ctrl-F3) if you want to still have oobe but add more to image
Clear unique names and set oobe:
C:\windows\system32\sysprep\sysprep.exe /oobe /generalize /shutdown
Comes with Windows 7 in the aforementioned directory
/generalize resets activation – maximum of three times (can be changed in autounattend.xml)
WIM file:
Doesn’t include partition information
Can include many images in a single WIM file
Virtual Hard Disk (VHD):
Ultimate and Enterprise only, no additional software required, they’re hard disk aware
Use Disk Management to attach and detach
Use diskpart to create vdisk:
Cmd prompt > diskpart > create vdisk file=c:\vhd\win7lab2.vhd maximum=20000 type=fixed
Now attach it to computer through diskpart:
select vdisk file=c:\vhd\win7lab2.vhd > attach vdisk (or detach)
Now create partition and file system:
Create partition primary > format fs=ntfs quick label=Win7Lab2
Now assign a drive letter to it:
Assign letter=j
You can use imagex to apply a wim image to a vhd:
Cmd prompt > imagex /apply z:\wim\win7ult-lab.wim 1 j:\ (specify image, then index, then dest (vhd))
You can only boot to a VHD that is Windows 7 or Windows Server 2008 R2 – can’t use bitlocker on boot on a VHD, can’t use hibernation
Use bcdedit to make a VHD bootable (remember to do device then osdevice):
Cmd prompt > bcdedit /copy {current} > bcdedit /set {new-guid} device vhd=[c:]\vhd\win7lab2.vhd > bcdedit /set {new-guid} osdevice vhd=[c:]\vhd\win7lab2.vhd > bcdedit /set {new-guid} detecthal on
(The last step is to set the Hardware Abstraction Layer to on – it’s a necessity)
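The whole VHD procedure (create, attach, format, apply the WIM, add the boot entry) as one PowerShell script. This is an added example, not from the notes; file paths, the image index and the entry name are assumptions. One detail the command chain above leaves to the reader is how to get {new-guid}: bcdedit /copy prints it in its output, so the script captures it with a regular expression and then sets device, osdevice and detecthal on that entry, in that order.

```powershell
# Added example (not from the notes): create a fixed VHD with diskpart, apply a
# WIM image to it with imagex, and add a native-boot entry with bcdedit.
# The GUID that bcdedit /copy prints is captured with a regex so the
# device/osdevice settings target the new entry and not {current}.
param(
    [string]$VhdPath   = 'C:\vhd\win7lab2.vhd',   # must be a drive-letter path
    [int]   $SizeMB    = 20000,
    [string]$WimFile   = 'Z:\wim\win7ult-lab.wim',
    [int]   $Index     = 1,
    [string]$Letter    = 'J',
    [string]$EntryName = 'Windows 7 VHD lab'
)

$vhdDir = Split-Path -Parent $VhdPath
if (-not (Test-Path $vhdDir)) { New-Item -ItemType Directory -Path $vhdDir | Out-Null }

$diskpartScript = @"
create vdisk file=$VhdPath maximum=$SizeMB type=fixed
select vdisk file=$VhdPath
attach vdisk
create partition primary
format fs=ntfs quick label=Win7Lab2
assign letter=$Letter
exit
"@
$tmp = Join-Path $env:TEMP 'make-vhd.txt'
Set-Content -Path $tmp -Value $diskpartScript -Encoding ASCII
diskpart /s $tmp
if ($LASTEXITCODE -ne 0) { throw "diskpart failed ($LASTEXITCODE)" }

# Apply image number $Index from the WIM onto the attached VHD.
imagex /apply $WimFile $Index "${Letter}:\"
if ($LASTEXITCODE -ne 0) { throw "imagex failed ($LASTEXITCODE)" }

# bcdedit /copy prints e.g. "The entry was successfully copied to {guid}."
$copyOutput = bcdedit /copy '{current}' /d $EntryName
$guid = [regex]::Match(($copyOutput -join ' '), '\{[0-9a-fA-F-]{36}\}').Value
if (-not $guid) { throw "Could not parse new entry GUID from: $copyOutput" }

# Order matters, as the notes say: device first, then osdevice, then detecthal.
# [C:] tells the boot loader which volume holds the VHD file.
$vhdRef = "vhd=[C:]$($VhdPath.Substring(2))"
bcdedit /set $guid device   $vhdRef
bcdedit /set $guid osdevice $vhdRef
bcdedit /set $guid detecthal on
bcdedit /displayorder $guid /addlast

# Detach so the file is not left attached; the loader mounts it at boot.
Set-Content -Path $tmp -Value "select vdisk file=$VhdPath`ndetach vdisk`nexit" -Encoding ASCII
diskpart /s $tmp
Write-Host "Boot entry $guid added for $VhdPath"
```

Before relying on it, run bcdedit /export to back up the store, as the notes recommend, so a wrong entry can be rolled back with bcdedit /import.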
Drivers:
Device Manager:
Adjust and see power performance for devices
See bandwidth consumed by USB devices
Use group policies if you want someone other than admin to install drivers
Use group policies to allow/deny adding of drivers to different GUIDs
Driver Verifier Manager
Use Certificate Authorities to sign unsigned drivers yourself
Use sigverif to scan for signed and unsigned drivers on your computer, says who signed by
Run msinfo32 to give you a consolidated view of resource conflicts
Application Compatibility:
Can modify group policy to tell Windows how to react when an application doesn’t perform correctly
Example: Set "if Windows detects a problem with installing, ask the user if they want to use compatibility mode"
Windows XP mode (download from Microsoft) (only use in Professional, Enterprise, Ultimate)
Software Restriction Policies:
Gpedit.msc
Using Group Policy works for XP, Vista, and 7
AppLocker always overrides Group Policy
Hash rules (unique fingerprint), Certificate rules (signed-by rules), Path rules, Network Zone rules (based on download location (trusted zone, internet zone, etc)), Default rules (have to explicitly allow a program to run)
AppLocker:
Windows 7 Ultimate, Enterprise, Server 2008 R2
Control by user or group (can't do this in group policies)
Requires the Application Identity Service turned on
Executable rules, Windows Installer rules, Script rules
Exceptions – such as deny all from this publisher except this one program
Test AppLocker configuration in audit mode (and use event viewer)
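One way to do that audit-mode review from PowerShell instead of clicking through Event Viewer (an added example, not part of the notes). It checks that the Application Identity service is running, then reads the AppLocker event logs for the audit-only events (ID 8003, "would have been blocked") and the enforced blocks (ID 8004) and groups them by file, which is the list of things that need an allow rule before switching the policy to "Enforce rules". The 24-hour lookback is an assumption.

```powershell
# Added example (not from the notes): review what AppLocker would have blocked
# while a policy is still in audit-only mode, using the AppLocker event logs.
# Event IDs: 8002 = allowed, 8003 = audit-only ("would have been blocked"),
# 8004 = blocked (enforce mode). The lookback window is an assumption.
param([int]$Hours = 24)

# AppLocker rules are only evaluated while the Application Identity service runs.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    Write-Warning "AppIDSvc is $($svc.Status); AppLocker rules are not being evaluated"
}

$logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
        'Microsoft-Windows-AppLocker/MSI and Script'
$since = (Get-Date).AddHours(-$Hours)

$events = foreach ($log in $logs) {
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8003, 8004; StartTime = $since } -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when a log has no matching events; treat that as empty.
        @()
    }
}

# Summarise by file so you can see which rules need an allow entry before
# switching from "Audit only" to "Enforce rules".
$rows = foreach ($e in $events) {
    # The message starts with the file path, e.g.
    # "%OSDRIVE%\TOOLS\FOO.EXE was allowed to run but would have been prevented ..."
    $file = ($e.Message -split ' was ')[0]
    if ($e.Id -eq 8003) { $result = 'audit-only (would block)' } else { $result = 'blocked' }
    New-Object PSObject -Property @{ File = $file; Result = $result; Time = $e.TimeCreated }
}

$rows |
    Group-Object File, Result |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Reading the Security log is not enough here: AppLocker writes to its own "Microsoft-Windows-AppLocker" logs under Applications and Services Logs in Event Viewer, which is where the script looks.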
Configuring Internet Explorer:
Compatibility View
Zones: Internet, Local intranet, Trusted sites, Restricted sites
Go to Manage Add-ons to configure: Toolbars and Extensions, Search Providers, Accelerators, InPrivate Filtering
InPrivate Browsing – Limit information saved in browser
InPrivate Filtering – Limit the information a website can learn about you
Networking and Security:
WPA(2) Enterprise – Uses authentication server, have to use your own credentials
802.1x – Uses certificate or smart card
Netsh wlan – cmd to configure wireless settings
Netsh interface ipv4 – configure ipv4 (or ipv6) interface
Location Aware Printing – Windows 7 knows which printer to default print to depending on network
Remote Management:
Remote Assistance – end user initiates and requests for help – can be initiated through a file, email, or easy connect
Remote Desktop – remote user initiates – host computer is always waiting for connection
Windows 7 Pro, Ultimate, Enterprise support Remote Desktop incoming connections
Windows Remote Shell – Use cmd prompt to issue remote commands
Windows PowerShell – A shell with a lot of features used to issue remote commands
Make a remote computer allow someone to run scripts remotely on it with PowerShell:
(on remote computer) cmd prompt > winrm quickconfig
Connect to remote computer so you can use PowerShell to issue commands:
(on the host computer) cmd prompt > winrs [options]
Or in PowerShell
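The PowerShell form of the remote command workflow above, as an added example that is not part of the notes. On the managed computer, Enable-PSRemoting does what winrm quickconfig does (starts WinRM, adds an HTTP listener, opens the firewall) and additionally registers the PowerShell session endpoint. On the admin workstation, Test-WSMan checks that the listener answers before Invoke-Command runs a script block there and returns objects rather than text. The computer and account names are assumptions.

```powershell
# Added example (not from the notes): run a command on a remote Windows 7
# computer over WinRM from PowerShell. Names below are assumptions.

# --- on the remote (managed) computer, from an elevated prompt ---
# Enable-PSRemoting -Force        # equivalent of "winrm quickconfig" plus the PS endpoint

# --- on the admin workstation ---
param(
    [string]$Computer = 'LAB-PC01',
    [string]$User     = 'CONTOSO\admin'
)

# Fails fast if WinRM is not listening (or name resolution / firewall is wrong).
Test-WSMan -ComputerName $Computer | Out-Null

$cred = Get-Credential $User

# Run a script block remotely and get objects (not text) back: here, services
# set to start automatically that are not running on the remote machine.
$stopped = Invoke-Command -ComputerName $Computer -Credential $cred -ScriptBlock {
    Get-WmiObject Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
        Select-Object Name, State, StartMode
}
$stopped | Format-Table -AutoSize

# Interactive equivalent of winrs: a live session on the remote host.
# Enter-PSSession -ComputerName $Computer -Credential $cred
```

Inside a domain, authentication is Kerberos and nothing else is needed. Between workgroup machines there is no Kerberos, so the client will refuse the connection until the target is listed in WSMan:\localhost\Client\TrustedHosts on the admin workstation, and credentials then go over NTLM; keep that list short rather than setting it to "*".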
Shared Resources:
Libraries – Build “folders” that reference files in other location – local and network
Libraries are pointers to sub-directories
Redirect user files to a network server – uses offline files technology – syncs in background
Allows a user to be anywhere – roaming user profile (profile is stored on a server so that they see the same thing no matter what computer they log on to)
Configure shares at command line with net share:
Cmd prompt > net share ["name"]=[location] /grant:[username],[full|read|change]
Can’t CREATE a homegroup if the computer is a member of a domain
Share permissions only apply to connections over the network
NTFS permissions:
Icacls – cmd line tool for setting NTFS permissions:
Icacls "Folder name" /grant [username]:[permissions]
NTFS permissions apply to local and network connections
Copy vs. Move:
Permissions are inherited from the parent object when you put a file/folder in a folder
If you move a folder somewhere else, the permissions stay the same
NTFS permissions vs. Shared permissions:
NTFS:
Security tab
Full control, modify, read & execute, list folder contents, read, write, special permissions
Shared:
Sharing tab
Full control, change, read
Most restrictive setting is always going to win
Use the built-in Effective Permissions Tool to see what the permissions really are
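An added example (not from the notes) that puts the net share and icacls commands together and then shows "most restrictive wins" as arithmetic: a share level maps to an NTFS rights mask (full = FullControl, change = Modify, read = ReadAndExecute), and what a network user ends up with is the bitwise AND of that mask and their NTFS rights. The share name, path and account are assumptions.

```powershell
# Added example (not from the notes): set up a share and NTFS rights for one
# account, then compute what that account gets over the network as the
# intersection of the share level and its NTFS rights ("most restrictive wins").
# Share name, path and account are assumptions for this example.
param(
    [string]$Path  = 'C:\LabData',
    [string]$Share = 'LabData',
    [string]$User  = 'CONTOSO\alice'
)

if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

# Share: read only (net share syntax as in the notes).
net share "$Share=$Path" /grant:"$User,read"
# NTFS: Modify, inherited by subfolders (OI) and files (CI).
icacls $Path /grant "${User}:(OI)(CI)M"

function Get-EffectiveNetworkRights {
    # Returns the rights that survive both the share filter and the NTFS filter.
    param(
        [ValidateSet('full','change','read')][string]$ShareLevel,
        [System.Security.AccessControl.FileSystemRights]$NtfsRights
    )
    $shareMask = switch ($ShareLevel) {
        'full'   { [System.Security.AccessControl.FileSystemRights]::FullControl }
        'change' { [System.Security.AccessControl.FileSystemRights]::Modify }
        'read'   { [System.Security.AccessControl.FileSystemRights]::ReadAndExecute }
    }
    # Only rights present in BOTH masks survive.
    [System.Security.AccessControl.FileSystemRights]([int]$NtfsRights -band [int]$shareMask)
}

# Collect the explicit Allow ACEs for this account from the folder's ACL.
# Caveat: this ignores group membership and Deny entries; the Effective
# Permissions tab (or "icacls $Path") is the authoritative answer.
$ntfs = 0
foreach ($ace in (Get-Acl -Path $Path).Access) {
    if ($ace.IdentityReference.Value -eq $User -and $ace.AccessControlType -eq 'Allow') {
        $ntfs = $ntfs -bor [int]$ace.FileSystemRights
    }
}

$effective = Get-EffectiveNetworkRights -ShareLevel 'read' -NtfsRights $ntfs
"NTFS rights for ${User}: $([System.Security.AccessControl.FileSystemRights]$ntfs)"
"Over the share (read): $effective"   # Modify AND ReadAndExecute -> ReadAndExecute
```

Logged on locally, the account keeps Modify because share permissions do not apply; over the share it is limited to ReadAndExecute. Swapping the arguments (share = change, NTFS = read) gives the same answer from the other direction, which is the point of the rule.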
Encrypting File System (EFS):
Built into OS, requires NTFS
Encryption keys for each user are different - each user logging in can't see the other's encrypted files
Create a Recovery Agent before encrypting any files – cipher /R:filename
It will create a .CER file and .PFX file and will ask for a password
Folders that are encrypted appear green
Managing credentials:
Keeps your usernames and passwords in the Windows Vault
“Remember my credentials”
Include your own
Backup and restore the Windows Vault – Uses Secure Desktop for additional security
Managing certificates:
“Manage file encryption certificates”
Can save a certificate by right clicking the certificate and clicking export
Smart cards with PIV (Personal Identity Verification):
Carry your certificate with you
Multifactor authentication – username, password, smart card, fingerprint
PIV is built into Windows 7 Group Policy:
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
Resolving authentication issues:
Password reset disk or USB key
On user account section – “Create a password reset disk”
Need to backup EFS certificate separate because changing the password changes the certificate
BranchCache:
Only Windows 7 and Server 2008 R2
Can configure through Group Policy or netsh
Activates when round-trip latency exceeds 80 milliseconds
Hosted Cache Server:
Required at each remote location
A caching server does all the caching – acts as central repository for all cached files
The server must be Server 2008 R2
Must create SSL certificate – clients must trust the Certificate Authority
Must be using Windows 7 Ultimate or Enterprise – might need to import the Certificate Authority through Group Policy
Traffic is encrypted
Distributed Cache Mode:
Client computers cache files and share them locally with the other clients on LAN
BitLocker:
Windows 7 Ultimate and Enterprise
Encrypt an entire volume – not just a single file
Protects all of your data as well as the operating system
TPM (Trusted Platform Module) – a chip on the motherboard of computer that securely generates and stores cryptographic keys
It is also a hardware based pseudo random number generator
Can create hash key summary of the hardware and software (find out if something changes)
Platform authentication (is that really your computer?)
BitLocker modes:
BitLocker with TPM (no additional authentication factors)
BitLocker with TPM and PIN (input your PIN during startup)
BitLocker with TPM and USB startup key
BitLocker without TPM – must boot with a startup key on a USB flash drive
BitLocker with TPM, USB startup key, and PIN (most secure setting)
Data Recovery Agent is used to produce a recovery in case a user loses their startup key
Configure unique identifiers to have certain folders encrypted for only certain users
DirectAccess:
Windows 7 Ultimate and Enterprise – seamless authentication
Windows Server 2008, must be in Windows Domain, must have two NICs (one inside, one outside, internet link needs two consecutive IP addresses), *digital certificates for authentication*
Automated VPN connectivity – always on, regardless of location
Uses IPv6 unless you use Microsoft Forefront Unified Access Gateway (UAG)
Uses IPsec tunneling
Offline Files:
Automatically sync when back online, built-in sync conflict management
Mark files “Always available offline”
Online mode – write to the server, read from the cache
Auto offline mode – if server goes away, converts to local cache operations
When server returns (check every 2 minutes), reverts to online mode
Manual offline mode – force yourself into offline mode – “Work offline”
Slow-link mode – kicks in when speeds drop below 64 kbps, uses file cache, auto sync doesn’t run
Transparent caching:
Increase file performance across WAN links, caching only, does not sync
More flexible than BranchCache – works with Professional, no Domain Services required, and files are not distributed across multiple systems or stored on Server 2008 R2. It just caches a local copy.
Kicks in when round-trip exceeds a configured latency – “Enable Transparent Caching” in Group Policy
Managing power:
Sleep – processor is turned off, memory is still active
Hybrid sleep – processor is turned off, memory is active and a copy is written to disk, similar to sleep
Hibernate – all devices turned off, memory is written to disk
Configurable at the command line – powercfg, examples:
Powercfg -change -monitor-timeout-ac 5
Powercfg -duplicatescheme
VPN authentication protocols:
PAP (Password Authentication Protocol) – unencrypted passwords, don’t use it
CHAP (Challenge Authentication Protocol) – send password as a hash, still sucks
MS-CHAPv2 – Microsoft version of CHAP, integrates Windows username and password – still some security concerns
PEAP/PEAP-TLS (Protected Extensible Authentication Protocol) – sends EAP authentication over TLS – certificate-based, very secure, not just Microsoft uses it
EAP-MS-CHAPv2/PEAP-MS-CHAPv2 – the security of PEAP with Windows integration
Smart card or certificate – need them on both the client and the server
VPN protocols:
Data encryption (scramble the data), data integrity (verify the received data) data authentication (verify the source) (prevent man in the middle attacks)
IKEv2 (Internet Key Exchange v2) – the most secure option, can use IPv6 and VPN reconnect
Can’t use less secure protocols such as PAP, CHAP, MS-CHAPv2. Uses udp/500
SSTP (Secure Socket Tunneling Protocol) – tcp/443
L2TP / IPsec (Layer 2 Tunneling Protocol)
PPTP (Point to Point Tunneling Protocol) – Least secure, no integrity or authentication
VPN reconnection:
VPN reconnects itself automatically without re-authentication
Uses IKEv2 tunneling protocol – MOBIKE extension (IKEv2 Mobility and Multihoming)
Maximum timeout is 8 hours before re-authentication, can be configured
NAP (Network Access Protection):
Will check to make sure a connecting client's firewall is enabled, along with virus and spyware protection
Will check if operating system is up to date, make sure they have security updates
NAP Remediation – users not matching the policy get a time-out
Remediation network should have the tools to fix the issue
Windows Server Update Services, Updated signatures
Remote Desktop:
Remote Desktop Gateway Server – allows many people to remote desktop into a PC
Formerly known as Terminal Services Gateway
RemoteApp – run applications remotely, looks like the app is running locally, seamless to end user
Event Viewer:
Event Viewer logs: Application, Security, Setup, System, Forwarded Events
Create custom views – focus only on the information you need
Event Subscriptions:
Centralize your event logs on a collector computer instead of looking at every workstation manually
Collector-initiated subscriptions – the collector asks for the event log information, doesn't scale well
Uses the Windows Remote Management Service on source computer – winrm quickconfig
Source-initiated subscriptions – collector is always listening, waiting for information to be sent, scalable
Uploaded 7/17/2011
Contact me via email: admin@tr1x.com