Windows Management and Scripting

A wealth of tutorials Windows Operating Systems SQL Server and Azure

Archive for the ‘Windows 7’ Category

MDOP 2011 update is due this year which will be offered to a wider customer base

Posted by Alin D on September 9, 2011

Windows shops who subscribe to Microsoft’s Desktop Optimization Pack can expect a slew of updates and diagnostic tools when a new version of the bundle becomes available later this year.

Microsoft Desktop Optimization Pack (MDOP) 2011 will include the new BitLocker administration software, added improvements to other tools, and availability to more than just Software Assurance customers. In addition, Microsoft’s cloud-based desktop management console Windows Intune is available now.

Windows Intune is a Web-based console that gives IT pros a way to manage the desktop environment from anywhere with an Internet connection. The Intune console gives visibility into alerts, security policies and other information that’s typically available through Systems Center. It can be used to push patch updates and install anti-malware, but this first version can’t be used to deploy new software.

The concept of remote desktop management is nothing new because the services Intune provides have long been available through third-party software and managed service providers. Enterprise customers with concerns about handing their data to a cloud provider are not likely to be keen on Intune.

But customers already using some cloud services will be comfortable with the idea of accessing desktop data on the Internet, said Dave Sobel, CEO of the IT services firm Evolve Technologies in Fairfax, Va.

The Windows Intune client has to be installed on each PC being managed. It is available with a Windows 7 Enterprise upgrade subscription for $11 per PC per month. A free 30-day trial is available now.

MDOP 2011
In MDOP 2011, the Microsoft BitLocker Administration and Monitoring (MBAM), based on the BitLocker feature in Windows 7, gives administrators a simpler way to do BitLocker provisioning and deployment and helps keep track of machines for compliance and reporting. MBAM includes self-service recovery for end user keys, so IT help desk doesn’t have to spend time recovering keys for users anymore. The MBAM beta is available now.

An enhancement to the Diagnostic and Recovery Toolset (DaRT) lets IT pros initiate a remote session to do an offline network boot remotely. Prior to this enhancement, admins would have to go to an end user’s desk, do an offline boot of the machine using a USB stick to gather information, diagnose the issue, fix it, then bring the machine back online.

A beta of the new DaRT will be available in early April.

Earlier this month, Microsoft also updated MED-V with a 2.0 version that is 64-bit compatible and integrates with Microsoft Systems Center Configuration Manager (SCCM) and Systems Center Virtual Machine Manager (SCVMM). That means MED-V guests can be managed the same way as virtual machine hosts. MED-V 2.0 also supports running App-V within a MED-V environment.

The company also released Service Pack 1 for App-V 4.6 with Package Accelerators for much quicker application packaging.

Analysts say MDOP is a good value to SA customers, because the price of using even a few of the tools individually is far more expensive than the cost of MDOP. Now, it’s also available to customers with Virtual Desktop Access (VDA) licenses and to Windows Intune customers. For all of those customers, the MDOP subscription costs $10 per desktop per year.

Microsoft Desktop Optimization Pack (MDOP) 2010 was released in February 2010 and before that, MDOP 2009 for Windows 7 was released in October 2009.


Posted in Windows 7

How to optimize WAN bandwidth by using Windows 7 BranchCache

Posted by Alin D on June 29, 2011

BranchCache is a new technology in Windows 7 and Windows Server 2008 R2 designed to optimize network bandwidth over slow wide area network links. To reduce WAN use, BranchCache copies documents from the main office to secure repositories on the remote network. As a result, when users at the remote office access files from the home office, the files are served up from the remote network’s cache rather than from the home office across the WAN link.

In the past, users at remote sites frequently clogged their WAN links when accessing large files stored on file servers at the home office. A 5 MB PowerPoint presentation on the shared drive at the home office can become 100 MB of network traffic as 20 people at the remote office each try to view it. With BranchCache, the file is downloaded to the remote office and stored in a local “cache” the first time it’s accessed. Subsequent requests for the same file are served up from that local cache, reducing the network traffic to the home office.

BranchCache is seamless for the end user. A user would launch the file from the home office as usual. The request for the file is sent to the home office file server, where the BranchCache service takes over. If that file has not been previously sent to the remote office, it’s copied and stored in a local cache, but if it has been sent BranchCache redirects the remote office computer to download the file from the existing cache on the remote network. All cached files are automatically encrypted to prevent unauthorized access. (Content is decrypted and delivered to the end user after the New Technology File System’s access control lists have verified that they are allowed to see the data.)

To maintain integrity and ensure users are working from the latest documents, BranchCache maintains a list of the files that were sent to each remote cache. When a request for a previously cached file is received, the service compares a cryptographic hash of the current file on the server with a hash of the file that was sent to the remote cache. If the hashes don’t match, the document was modified after it was cached. As a result, a new version of the document is sent across the WAN to the remote location’s cache.

The cache location at the remote office can be configured in distributed mode or hosted mode.

The distributed mode is the simplest to set up and configure because it doesn’t require any special servers or software at the remote site. In distributed mode, documents are stored on individual Windows 7 computers at the remote office. The Windows 7 computer that downloads the document first becomes the cache for that document. Other Windows 7 machines that request that document will be referred to the Windows 7 system hosting the cached document. If that computer isn’t online, the new computer will download the file and will become the cache for that document.

Since BranchCache is installed on Windows 7 clients by default, to turn on distributed-mode simply enable the service through Group Policy and select four predefined firewall settings for inbound and outbound discovery and communication. Group Policy settings can also be used to specify the percentage of disk space allowed for the cache as well as the network latency time that defines a remote connection. (By default, connection requests with greater than 80 millisecond latency are considered remote requests and automatically trigger BranchCache functionality, if enabled.)

Distributed mode uses the WS-Discovery protocol to identify local cache locations.

In hosted mode, a Windows Server 2008 R2 system must be present in each remote office location. The specified server is the central cache repository for all documents obtained from the main office. This mode provides higher availability for the cached documents since it’s more likely to be “always on” than a Windows 7 computer in distributed mode. The hosted-mode BranchCache service can live side by side with other applications on a Windows Server 2008 R2 system.

BranchCache functionality helps reduce network traffic over slow WAN links and is intended to increase remote user satisfaction. However, the benefits of BranchCache are available only to Windows 7 Ultimate and Enterprise clients when accessing Server Message Block or HTTP content stored on Windows Server 2008 R2 systems. Perhaps it’s time to upgrade?

Posted in Windows 2008, Windows 7

Windows 7 compatibility issues not a problem with Windows XP mode

Posted by Alin D on June 29, 2011

Many IT managers are burdened with supporting old desktop operating systems and the hardware associated with them. While budgetary constraints sometimes prohibit the deployment of new , more often than not, older operating systems are kept in place because line-of-business applications function only on older OSes and hardware.

A new feature in Windows 7 — Windows XP Mode — eliminates this problem by virtually emulating the older operating system.

A history of compatibility problems
Compatibility issues have plagued Microsoft’s Windows operating systems for some time, making upgrades difficult. Many applications designed for Windows XP are not compatible with that OS’s replacement, Windows Vista, and there are still compatibility problems with the latest OS, Windows 7.

There are few options for those who want to migrate from Windows XP to Windows Vista and its hardware, including the following:

  1. Re-engineering legacy applications to run on Vista
  2. Deploying a virtual desktop infrastructure (VDI) to offer sessions that emulate an XP PC on the replacement PCs

Both solutions are expensive and, therefore, hard to justify.

But not upgrading creates a series of problems. By not moving to newer systems, IT departments do not have access to the latest advanced features, such as energy-saving capabilities, remote management, 64-bit capabilities, enhanced security, increased performance and enhanced reliability. Furthermore, older desktop hardware has a higher failure rate than newer hardware. All of this combined makes it expensive to support legacy OSes.

However, with Windows 7, IT managers may no longer have to settle for expensive compromises and limited options. Windows XP Mode (XPM) enables Windows 7 to emulate Windows XP and run applications compatible only with that older OS. This allows IT managers to eliminate an almost decade-old OS and similarly aged hardware.

What is Windows XP Mode?
XPM works with Windows Virtual PC, an application that creates a virtual PC on a physical Windows 7 PC.

XPM is a complete virtual machine package that includes a pre-installed licensed copy of Windows XP SP3 as its guest OS. In a Windows 7 environment, applications that need to run on Windows XP are installed into an XPM virtual session. When those applications are executed from the PC’s start menu, XPM automatically launches and uses pre-installed components to make those applications appear as if they are running on Windows 7. But the application is actually running under Windows XP. This solves the software-compatibility issue for older applications that require Windows XP. With XPM, IT managers can install a new Windows 7 PC and still offer access to line-of-business applications that work only with Windows XP, while providing support for newer apps that require the capabilities offered by Windows 7.

Furthermore, XPM not only imitates a Windows XP software environment; it also copies common hardware used by Windows XP. XPM creates a virtual PC that fully emulates a PC configured with an Intel Pentium II (32-bit) processor using an Intel 440BX chip set, with a standard SVGA VESA graphics card (S3 Trio 32 PCI with 4 MB video RAM), AMI System BIOS, Creative Labs Sound Blaster 16 ISA PnP and a DEC 21041 Ethernet network card.

By combining virtualized hardware with a virtualized version of Windows XP, XPM can offer the highest level of compatibility for Windows XP business applications. XPM offers full application compatibility, supports all original software features and allows the apps to be as stable as they were on a PC running Windows XP natively.

When deployed properly, XPM is completely hidden — the end user is none the wiser to its existence. All the Windows 7 user knows is that line-of-business applications are readily available, as they always were under Windows XP.

Posted in Windows 7

Use PowerShell to manage Windows 7

Posted by Alin D on June 17, 2011

When Microsoft first introduced Windows PowerShell in 2003, many IT administrators considered it just another method for scripting tasks and managing Windows servers. But over time, it has become the tool of choice for managing, monitoring and scripting different types of hardware and software. Many vendors have embedded PowerShell into their products, and Microsoft made it a core management platform for desktops in Windows 7.

The first version of PowerShell couldn’t run scripts or query against remote computers from a central workstation or server. However, in the latest release — installed by default in Windows 7 and Windows Server 2008 R2 — Windows Remote Management (WinRM) allows for centralized management with a “single pane of glass” architecture. (Note: The newest PowerShell version can also be downloaded for Windows XP and Vista.)

While some enterprises may have at least one third-party product that does what PowerShell can do, most of them require the installation of an agent. PowerShell, on the other hand, is native to the operating system and is a scripting language, so it can be a powerful asset even with other products.

Getting started using PowerShell for desktop management
The first step for overall management control is to make sure your desktops are running the latest version of PowerShell with WinRM enabled.

To enable WinRM, execute the following command as the local administrator from the local machine’s PowerShell prompt:

Enable-PSRemoting -Force

This also opens the appropriate firewall ports for communication with the central management workstation. The workstation is now ready for remote PowerShell commands and queries.

In addition, you should set the security of running scripts by entering the following as the local administrator:

Set-ExecutionPolicy Unrestricted

Unrestricted ensures that any scripts you run in an interactive session will be executed without error. Of course, depending on your security requirements, you may choose a different security level for script execution, such as RemoteSigned, which runs locally written scripts but requires scripts downloaded from the Internet to be signed by a trusted publisher. You can learn more details on the settings — and their ramifications — by running help Set-ExecutionPolicy -Detailed at the PowerShell prompt.

There are three ways to work with remote computers from a central workstation via PowerShell remoting. The first allows for one or more machines to be queried; the other two are more for one-to-one sessions. The "Invoke-Command" method is the one most commonly used. "Interactive" is similar to a Secure Shell or Telnet session to the remote machine, and "Implicit" imports a remote PowerShell session into the central session.

Working with native PowerShell cmdlets
The newest version of PowerShell has more than 30 cmdlets for sending remote commands to workstations. Almost all native cmdlets that accept the -ComputerName parameter will send remote commands to any desktop that has WinRM enabled.

For example, the command Get-EventLog -LogName Application -EntryType Error -ComputerName mypc retrieves the application event log entries that contain the event type of error from mypc. You can extend the -ComputerName parameter to include multiple targets, such as -ComputerName mypc, suzipc, tompc.

You could also use the scripting language power of PowerShell to turn the parameter into a dynamic variable. You could then run remote commands against hundreds or even thousands of desktops.

A native cmdlet I often use is Get-Counter, which lets you see, in almost real time, the performance measurements of the remote computer. Apply this cmdlet with an extended list of remote computers or via a dynamic variable to view the counters for all the machines in your organization. Type help Get-Counter -Full at a PowerShell prompt to find the syntax applicable to your situation.

In addition, you can perform inventory functions on the remote machine. For software inventories, query a WMI class for all .MSI installed software using the Get-WmiObject cmdlet. For software not installed via an .MSI installer, simply query the registry for all software entries. This TechNet article is an excellent resource for building your own software inventory tool.

For hardware inventories, you would use another WMI query that specifies the hardware classes. See this PowerShellPro article for a script that I have used several times.
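
The following script is an added example, not code from the original article or from the TechNet and PowerShellPro scripts it mentions. It fans a read-only query out to several desktops with Invoke-Command, collects the registry-based software inventory described above, and reports which machines were left at the Unrestricted execution policy; the computer names are the article's placeholders and the file names are hypothetical.

```powershell
# Added example: read-only inventory over PowerShell remoting (WinRM).
# mypc, suzipc and tompc are the article's placeholder names. A dynamic list works the
# same way, e.g. $computers = Get-Content .\desktops.txt  (hypothetical file, one name per line)
$computers = 'mypc', 'suzipc', 'tompc'

# One session per desktop; machines that refuse or time out simply yield no session.
$sessions = @(New-PSSession -ComputerName $computers -ErrorAction SilentlyContinue)
if ($sessions.Count -eq 0) { throw 'No desktop accepted a remoting session.' }

# Report the desktops that could not be reached instead of silently skipping them.
$connected = $sessions | ForEach-Object { $_.ComputerName }
$computers | Where-Object { $connected -notcontains $_ } |
    ForEach-Object { Write-Warning "No remoting session to $_ (WinRM disabled or host offline?)" }

# 1. Software inventory from the registry Uninstall keys (MSI and non-MSI installers).
#    The Wow6432Node key holds 32-bit software on 64-bit Windows and is absent on 32-bit systems.
$software = Invoke-Command -Session $sessions -ScriptBlock {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

# 2. Effective execution policy on each desktop, returned as a string so it survives serialization.
$policy = Invoke-Command -Session $sessions -ScriptBlock {
    New-Object PSObject -Property @{ ExecutionPolicy = (Get-ExecutionPolicy).ToString() }
}

# 3. The ten most recent application errors, read locally on each desktop.
$appErrors = Invoke-Command -Session $sessions -ScriptBlock {
    Get-EventLog -LogName Application -EntryType Error -Newest 10 -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, Source, EventID, Message
}

Remove-PSSession -Session $sessions

# Every returned object carries a PSComputerName property, so results group per machine.
$software | Sort-Object PSComputerName, DisplayName |
    Select-Object PSComputerName, DisplayName, DisplayVersion, Publisher |
    Export-Csv -Path .\software-inventory.csv -NoTypeInformation

# Desktops whose policy places no restriction on script execution.
$policy | Where-Object { 'Unrestricted', 'Bypass' -contains $_.ExecutionPolicy } |
    Select-Object PSComputerName, ExecutionPolicy

# Error count per desktop.
$appErrors | Group-Object PSComputerName | Select-Object Name, Count
```

Run it from the central management workstation with an account that has administrative rights on the target desktops.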

Free tools that help with PowerShell scripting
Using cmdlets from the command line is second nature to administrators who live in the scripting world. But for admins without a lot of experience with the command-line interface (CLI) — or for those who want to avoid extremely long “one-liners” — the free tool PowerGUI by Quest Software can be helpful.

This product is a graphical user interface (GUI) front end to PowerShell. One of its best features is its use of PowerPacks, which are created by scripting gurus and compiled into a single file. After you import these scripts, PowerGUI enters the PowerShell commands for you. You can see the actual scripts in the included ScriptEditor and use them to build your own.

Once you master the PowerShell environment for your remote desktops and start to feel brave in your scripting, I recommend looking at Sapien’s PrimalForms for incorporating your scripts into a GUI (it even has a free version). With PrimalForms, you can put a graphical front end on your scripts for yourself or for others who don’t feel comfortable in the command prompt. For example, the GUI front end to several scripts that I created has become a staple on the desktops of several help desk admins. An excellent step-by-step example of creating PowerShell GUI with PrimalForms is available at NTPRO.NL.

There are thousands of resources for PowerShell and PowerShell scripts. Be sure to check them out before creating your own script. Most of the time, someone has already written a script to do exactly what you need, or you can find a script that you can customize.

 

 

Posted in Windows 7

Microsoft Windows 7 DirectAccess to be used or not

Posted by Alin D on June 9, 2011

Virtual private networks (VPNs) have provided secure remote access to corporate network resources for more than a decade. Administrators have griped about time-consuming tasks, from client installs to policy configuration, and vendors have responded by offering everything from browser clients to role-based access controls. More recently, when wireless users grumbled about roaming disruption, vendors responded with persistently connected mobile VPNs.

Now, Microsoft claims to have a better answer: DirectAccess. With this Windows 7 feature, users can obtain secure remote end-to-edge and end-to-end access, tunneled through a Windows Server 2008 R2 DirectAccess Server. But is DirectAccess really a novel alternative? And more importantly: What are the advantages and limitations of DirectAccess for midmarket businesses?

WHAT DIRECT ACCESS IS

Microsoft Windows 7 DirectAccess uses auto-initiated, authenticated, encrypted IPv6/IPsec ESP tunnels to connect remote Windows 7 users to private network (intranet) resources. As in most IPsec VPNs, tunnels can connect the Windows 7 host (DirectAccess Client) to a gateway at the edge of the private network (DirectAccess Server). Alternatively, DirectAccess Clients can use IPsec transport mode, tunneled through a DirectAccess Server, for a secure end-to-end session with any IPv6 Windows Server 2008-based intranet server.

For starters, each DirectAccess client tries to reach a designated server on the corporate intranet. If reachable, the user must be locally connected to the intranet and DirectAccess is not used. Otherwise, the user must be remote, so DirectAccess tries to establish a bidirectional secure tunnel to the intranet over any available network connection.

  • First, the DirectAccess client and server authenticate each other by machine certificate. The server consults the intranet’s Active Directory to validate the client PC’s group memberships (and the intranet’s Health Registration Authority if a PC health check is required by NAP). If all goes well, the result is an IPsec ESP tunnel, maintained continuously whenever the client can reach the server.
  • At this point, the client can use that secure tunnel to reach the intranet’s DNS server and Windows Domain Controller. A Name Resolution Policy Table determines whether hostnames referenced by remote applications should be resolved by an intranet or Internet DNS server. All remote traffic destined for Internet servers is sent directly, in the clear.
  • When any remote application tries to send traffic to an intranet server, the DirectAccess Client automatically establishes a second IPsec ESP session. Depending on configured policy, this may involve end-to-edge tunnel mode IPsec or end-to-end transport mode IPsec. For both, authentication is based on machine certificate and user credentials (e.g., domain password, smart card). If all goes well, the user can now communicate securely with permitted intranet resource(s), just as if he or she were locally connected.

Note that DirectAccess depends on IPv6. DirectAccess clients always try to establish IPsec tunnels over native IPv6. If that fails (as it will in most home and public networks), the client tries encapsulating IPv6 inside IPv4 packets, using a transition technique like 6to4 or Teredo. If that fails (as it will behind many firewalls and proxies), the client falls back to stuffing IPv6 inside HTTPS packets, using Microsoft’s IP-HTTPS protocol. Because most networks, firewalls and proxies permit outbound HTTP over SSL, this usually works. However, in all cases, the intranet must support IPv6, including an IPv6 DNS namespace and IP address prefix for all intranet resources and a public-routable IPv6 IP address assigned to the DirectAccess client.
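
The client-side decisions described above (inside or outside the intranet, which transport carries the tunnel, and which DNS server resolves a name) can be traced with a small model. This is an added example, not Microsoft code: the host names, suffixes and addresses are constructed, the function names are hypothetical, and the "longest matching rule wins" behaviour is an assumption of the model.

```powershell
# Added example: simplified model of the DirectAccess client decisions described above.
# Host names, suffixes and addresses are constructed sample values.

# Constructed NRPT. A name starting with a dot is a suffix rule; anything else is an exact FQDN.
# A rule with no DnsServer is an exemption: the name is resolved by the normal (Internet) DNS.
$nrpt = @(
    (New-Object PSObject -Property @{ Name = '.corp.example.com';    DnsServer = '2001:db8:1::53' }),
    (New-Object PSObject -Property @{ Name = 'nls.corp.example.com'; DnsServer = $null })
)

function Get-DnsPath {
    param([string]$HostName, [object[]]$Table)
    $name = $HostName.ToLower().TrimEnd('.')
    # Assumption of this model: when several rules match, the longest one wins.
    $rule = $Table |
        Where-Object {
            $r = $_.Name.ToLower()
            if ($r.StartsWith('.')) { $name.EndsWith($r) } else { $name -eq $r }
        } |
        Sort-Object { $_.Name.Length } -Descending |
        Select-Object -First 1
    if (-not $rule)           { return 'Internet DNS (no NRPT match, traffic sent directly)' }
    if (-not $rule.DnsServer) { return 'Internet DNS (NRPT exemption)' }
    return "Intranet DNS $($rule.DnsServer) through the IPsec tunnel"
}

function Get-ClientAction {
    param([bool]$NlsReachable, [hashtable]$Usable)
    # Step 1: if the designated intranet server answers, the client is locally connected.
    if ($NlsReachable) { return 'On intranet: DirectAccess not used' }
    # Step 2: otherwise try the transports in the order the article gives.
    foreach ($t in 'Native IPv6', '6to4', 'Teredo', 'IP-HTTPS') {
        if ($Usable[$t]) { return "Remote: IPsec tunnel over $t" }
    }
    return 'Remote: no usable transport, intranet unreachable'
}

# Constructed scenario: a guest network that only lets outbound HTTPS through.
$guestNet = @{ 'Native IPv6' = $false; '6to4' = $false; 'Teredo' = $false; 'IP-HTTPS' = $true }
Get-ClientAction -NlsReachable $false -Usable $guestNet

# Which resolver handles each name once the tunnel is up.
'app.corp.example.com', 'nls.corp.example.com', 'www.example.org' |
    ForEach-Object { '{0,-22} -> {1}' -f $_, (Get-DnsPath -HostName $_ -Table $nrpt) }
```

The last name in the sample matches no rule, which is the case the article describes as traffic sent directly, in the clear, so it never passes the corporate gateway.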

WHAT DIRECTACCESS IS NOT

DirectAccess uses VPN protocols, including IPsec ESP and MOBIKE. When used for end-to-edge protection, DirectAccess delivers secure tunnels that are similar to those offered by any vanilla IPsec VPN.

Where DirectAccess differs is the degree to which tunnel management has been automated and integrated with other Microsoft infrastructures. Many other vendor VPNs provide fully automated tunnel establishment — even application persistence to hide brief connectivity losses. However, Microsoft’s VPN gateway — Routing and Remote Access (RRAS) in Windows Server 2008 — does not. RRAS users are typically required to launch their VPN connection and log in (via L2TP/IPsec or PPTP). If the underlying wireless or wired connection breaks, the VPN tunnel must be re-established. DirectAccess avoids this end-user involvement and inconvenience.

Another key difference is routing. Many other vendor VPNs — especially SSL VPNs — differentiate between intranet and Internet destinations and route traffic on remote clients. However, layer-two tunneling protocols (e.g., L2TP and PPTP) simply route all outbound traffic over a (non-split) tunnel to the VPN gateway, which must then forward traffic on to Internet or intranet destinations. By default, DirectAccess exploits IPv6 namespaces to operate more efficiently, without messy IPsec selectors or SSL URL maps. However, a DirectAccess Client can still tunnel non-intranet traffic if desired, based on Windows Firewall group policy.

Finally, although DirectAccess supports end-to-edge protection, Microsoft recommends end-to-end protection where possible (that is, when the destination is an IPv6 Windows Server 2008). As networks migrate to IPv6, DirectAccess can support the kind of security architecture needed as the lines between local and remote evaporate.

WHERE AND HOW TO USE DIRECT ACCESS

At first glance, DirectAccess might seem to be for large enterprises. However, many midmarket businesses which try to make the most of purchased hardware and software use Windows RRAS as their VPN platform. Those shops may well look at DirectAccess as an RRAS upgrade.

Furthermore, midmarket businesses that buy VPN concentrators have been slower to invest in more sophisticated SSL and Mobile VPNs. DirectAccess promises some of the benefits afforded by those third-party VPNs (e.g., always-on tunnels, firewall/proxy traversal), without hardware purchase or client installation.

But DirectAccess is no slam dunk. The DirectAccess client is embedded in Windows 7 Enterprise/Ultimate Editions and Windows Server 2008 R2 — but cannot currently be used to deliver access to any other kind of remote device. (Other VPN solutions, including RRAS, can still be used in tandem.)

Second, a DirectAccess server must be installed on a Windows Server 2008 R2 PC with at least two NICs. The Internet-facing adapter must be publicly routable through two IPv4 addresses (i.e., on a DMZ). Businesses worried about availability or scalability can install multiple DirectAccess servers.

Next, your intranet must be (at least to some degree) IPv6-capable. This includes an IPv6-connected domain controller and DNS server running Windows Server 2008 (SP2 or R2). IPv6-connected application servers that run any version of Windows Server 2008 can be reached in end-to-end or end-to-edge mode. All other intranet application servers (including IPv4 servers reached via NAT-PT) are limited to end-to-edge access only.

Finally, DirectAccess is clearly slated for intranets that rely on Windows infrastructure. For example, DirectAccess cannot be used to connect remote devices that have not been enrolled in Active Directory and issued machine certificates. Businesses that have adopted Microsoft Windows 7 authentication infrastructure will find DirectAccess more readily accessible. In fact, DirectAccess can help remote users tap other new Windows network features, including NAP, Windows 7 Federated Search and Windows 7 Folder Redirection.

Posted in Windows 7

Windows 7 Security Features explained

Posted by Alin D on June 8, 2011

Windows 7 Parental Controls

Begin setting up Windows 7 Parental Controls by configuring one or more user accounts as standard user accounts (accounts that your children will use). You can then configure Parental Controls from an administrator account. Do so by typing parental in Start Menu Search to locate and open the Parental Controls application. Select the user to which you would like to add Parental Controls. This opens the User Controls dialog. Parental Controls can be applied only to standard users and not to an administrator-class account. Another limitation is that while technically it is possible to configure Parental Controls on a system in which one or more administrators do not have passwords, it is not recommended. Parental Controls rely on controlled accounts (your kids’ accounts) not having access to administrator accounts. If one or more administrator-class accounts do not have passwords, your kids will be able to bypass any controls you set up. So be sure that any administrator-class accounts on the PC have passwords.
Parental Controls are not enabled for any standard user accounts by default. You can enable Parental Controls by checking the option titled On, enforce current settings, and you can configure features such as time limits, games restrictions, and allow and block specific programs.

Time Limits


Time Restrictions Parental Controls provides a graphical grid that allows you to configure exactly when your kids can use the computer. Windows 7 users can use the PC on any day at any time by default, but by dragging your mouse around the grid, you can prevent your children from using the computer at specific hours, such as late at night or during school hours.

Games Parental Controls


The Game Restrictions Parental Controls specifies whether your children can play games on the PC and which games they can access. Standard account holders can play all games by default. You can modify that setting using the screen that appears when you click Set game ratings. You can accept game ratings using the rating system enabled on your PC. The most common and default system is the Entertainment Software Ratings Board’s (ESRB). You can additionally block games based on content, using a range of content types, including unrated online games, alcohol and tobacco reference, alcohol reference, animated blood, blood, blood and gore, cartoon violence, comic mischief, crude humor, drug and alcohol reference, drug and tobacco reference, drug reference, edutainment, fantasy violence, and about 200 others.
Finally, you can also block or allow specific games, especially many Windows games that do not digitally identify their rating. The nice thing about this UI is that Parental Controls sees which games are already installed on the system and enables you to supply a Caesar-style yea or nay.

Allow and Block Specific Programs


This final setting lets you manually specify applications that you do or do not want your child to use. Standard users can access all of the applications installed on the system by default. Browse to find an application if you do not see it.

Simplest way to secure Windows 7

Out of the box, Windows 7 includes antispyware functionality in the form of Windows Defender; a two-way firewall in Windows Firewall; a hardened Web browser (Internet Explorer 8); and automatic updating features that keep the system up-to-date, every day, with the latest security patches. Also included are changes to the User Account Control (UAC) feature, covered in the next chapter, making it less annoying and less likely to be turned off, thus reducing your exposure to malware. It would seem that Windows 7 comes with everything you need to be secure. Sadly, that’s not quite the case. First, Microsoft makes it too easy for users to opt out of one of the most important security features available in the system. In addition, one glaring security feature is missing from Windows 7. You’ll want to make sure you correct both of these issues before using Windows 7 online. Fortunately, doing so takes just two steps:

1. Enable automatic updating:


If you set up Windows 7 yourself, one of the final Setup steps is configuration of Automatic Updates, the Windows Update feature that helps to ensure your system is always up-to-date. However, Automatic Updates can’t do its thing if you disable it, so make sure at the very least that you’ve configured this feature to install updates automatically. (Optionally, you can enable the installation of recommended updates as well, but these are rarely security oriented.) We can’t stress this enough: this feature needs to be enabled. If you’re not sure how it is configured, run Windows Update (Start Menu Search and then type windows update) and click Change Settings in the left side of the window. Make sure the option under Important updates, Install updates automatically (recommended), is selected.

2. Install an antivirus solution:


Many new PCs are preinstalled with security suites from companies such as McAfee and Symantec. While these suites are better than nothing, they’re also a bit bloated and perform poorly in our own tests. We prefer standalone antivirus solutions for this reason. There are many excellent options, including Symantec Antivirus, which in our own tests has proven to do an excellent job with minimal system impact. AVG free antivirus is another option for those on a budget. Security in Windows 7 starts with this simple rule: leave all the security settings on, at their defaults, and install an antivirus solution. That said, a full understanding of what’s available in Windows 7 from a security standpoint is, of course, beneficial. That’s what this chapter is all about.

 

Windows 7 Action Center explained

Windows 7 Action Center is a new version of the Vista Security Center. Action Center can be found at Control Panel > System and Security > Action Center. Action Center provides solutions to your PC problems.

Network firewall – Alerts you when Windows Firewall is off.
Windows Update – Ensures Windows updates are on.
Virus Protection – Ensures the system has antivirus software installed.
Spyware and unwanted software protection – Ensures Windows Defender is running.
Internet security settings – Ensures IE security settings are at their recommended levels.
User Account Control – Ensures UAC is on.
Network Access Protection – Ensures Network Access Control client is running.
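The two setup steps and most of the Action Center items above can be checked from a script as well as from Control Panel. The following is an added example, not part of the original post: it reads the effective firewall state, the Automatic Updates level, the products registered with Security Center, and the UAC switch. The function name is hypothetical, and the code is written for PowerShell 2.0, which ships with Windows 7.

```powershell
# Added example: reads the settings behind several Action Center security items.
# Get-ActionCenterBaseline is a hypothetical name, not a built-in cmdlet.

function Get-ActionCenterBaseline {
    $rows = @()

    # Network firewall: effective state per profile (1 = Domain, 2 = Private, 4 = Public).
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $names = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }
    foreach ($id in 1, 2, 4) {
        $enabled = [bool]$fw.FirewallEnabled($id)
        $rows += New-Object PSObject -Property @{
            Item = "Firewall ($($names[$id]) profile)"; State = "Enabled=$enabled"; Ok = $enabled }
    }

    # Windows Update: level 4 is "Install updates automatically (recommended)".
    $levels = @{ 0 = 'Not configured'; 1 = 'Never check for updates'
                 2 = 'Notify before download'; 3 = 'Notify before install'
                 4 = 'Install automatically' }
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    $level = [int]$au.Settings.NotificationLevel
    $rows += New-Object PSObject -Property @{
        Item = 'Windows Update'; State = $levels[$level]; Ok = ($level -eq 4) }

    # Virus and spyware protection: products registered with Security Center.
    # Registration shows that a product is present, not that its definitions are current.
    foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct') {
        $products = @(Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class `
                        -ErrorAction SilentlyContinue)
        $list = ($products | ForEach-Object { $_.displayName }) -join ', '
        if (-not $list) { $list = 'none registered' }
        $rows += New-Object PSObject -Property @{
            Item = $class; State = $list; Ok = ($products.Count -gt 0) }
    }

    # User Account Control: EnableLUA = 1 means UAC is on.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $uacKey).EnableLUA
    $rows += New-Object PSObject -Property @{
        Item = 'User Account Control'; State = "EnableLUA=$lua"; Ok = ($lua -eq 1) }

    $rows | Select-Object Item, State, Ok
}

Get-ActionCenterBaseline | Format-Table -AutoSize
```

Any row with Ok set to False corresponds to an item Action Center would flag.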

Built-in Windows 7 Security features

 

Windows Defender


Over the years, hackers have come up with new and inventive ways to attack PCs. Recently, spyware, one of the most pervasive and difficult forms of malware yet invented, has become a serious issue. For this reason, Windows 7 includes an integrated antispyware and anti-malware package called Windows Defender. Unlike some security products, you won’t typically see Windows Defender, as it’s designed to work in the background, keeping your system safe; but if you’d like to manually scan your system for malware or update your spyware definitions, you can do so by loading the Windows Defender application, available through the Start menu.

Windows Defender does occasionally show up as an icon in the taskbar notification area. This generally happens when the tool has been unable to download new definitions, the files it uses to ensure that its antispyware database is up-to-date. In such a case, you can click the Windows Defender icon and trigger a manual download of the latest updates.

Windows Firewall


When Microsoft first shipped Windows XP in 2001, it included a feature called Internet Connection Firewall (ICF) that could have potentially thwarted many of the electronic attacks that ultimately crippled that system over the ensuing several years. There was just one problem: ICF was disabled by default and enabling and configuring it correctly required a master’s degree in rocket science (or at least in computer security). Microsoft wised up and shipped an improved ICF version, renamed as Windows Firewall, with Windows XP SP2. Best of all, it was enabled by default. Sure, it broke many applications at first, but now, years later, virtually all Windows applications know how to live in a firewall-based world.

In Windows Vista, we were given an even better version of Windows Firewall. Unlike the XP SP2 version, the version in Windows Vista enabled monitoring both outbound and inbound network traffic. While Windows 7 doesn’t bring many Windows Firewall additions, it does feature a much more informative interface.

Windows Firewall is initially configured to block any unknown or untrusted connections to the PC that originate over the network. You can enable exceptions to this behavior via the Allowed Programs list, which you can access by clicking the link Allow a program or feature through Windows Firewall. Typically you just leave the settings as is, of course. Depending on the network type (Home, Work, or Public) chosen when Windows 7 connects to a network, some programs and features are automatically configured to communicate through the firewall.

Windows Update


With Windows 98 over a decade ago, Microsoft introduced a Web-based service called Windows Update that provided software updates to Windows users. That service has since been superseded by Microsoft Update, which also provides updates to many other Microsoft software products. In Windows Vista, Windows Update was moved into the operating system and made a client application, eliminating the Web browser hoops you had to jump through to keep your operating system up-to-date. Windows 7 continues to carry the Windows Update torch, making a few subtle changes for the good.

Windows Update remains a client application that you can access from the Start menu. From here, you can check for and install new updates, hide updates you don’t want to be alerted about anymore, and view the history of updates you’ve already installed. You can also click a link to enable Microsoft Update functionality, enabling Windows Update to download and install updates for other Microsoft applications, such as Microsoft Office and various Windows Live products.

Windows 7 User Account Control (UAC)

No Windows feature has proven as controversial and misunderstood as User Account Control, or UAC. When it debuted in Windows Vista, tech pundits screamed far and wide about this reviled feature, spreading mistruths and misunderstandings and generally raising a lot of ruckus about nothing. If these pundits had just calmed down long enough to actually use User Account Control for longer than a single afternoon, they’d have discovered something very simple: it’s not really that annoying, and it does in fact increase the security of the system. Indeed, we would argue that User Account Control is one of the few features that really differentiate modern Windows versions from the increasingly crusty XP, because there’s no way to add this kind of functionality to XP, even through third-party add-on software. User Account Control is effective, and as ongoing security assessments have proven, it really does work.

Great, but what is it exactly? In order to make the operating system more secure, Microsoft has architected Windows so that all of the tasks you can perform in the system are divided into two groups, those that require administrative privileges and those that don’t. This required a lot of thought and a lot of engineering work, naturally, because the company had to weigh the ramifications of each potential action and then code the system accordingly.
The first iteration of UAC was implemented in Windows Vista with what Microsoft thought to be a decent technical compromise. In response to overwhelming user feedback surrounding the frequency of prompts, however, Microsoft modified UAC in Windows 7 to make it “less noisy” (that is, less annoying) by default. They did this by implementing a pair of “Notify me only when. . .” options, letting users perform common configuration tasks, prompting only when something out of the ordinary is done (for example, changing important configuration settings). The result is that UAC in Windows 7 is more configurable and less irritating than it was in Vista. But it’s even more controversial, because it’s not clear that it’s as secure as it used to be.
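Because the quieter defaults are exactly what makes the Windows 7 setting contentious, it helps to be able to tell which notification level a machine is actually on. The following is an added example, not from the original text: it names the Windows 7 UAC level from the three registry values that store it. The function names and the sample rows are constructed for illustration.

```powershell
# Added example: name the Windows 7 UAC notification level from its registry values.
# Get-UacSliderLevel and Get-LocalUacLevel are hypothetical helper names.

function Get-UacSliderLevel {
    param(
        [int]$EnableLUA,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )
    # On Windows 7 the lowest level switches UAC off entirely.
    if ($EnableLUA -eq 0) {
        return 'Never notify (UAC disabled)'
    }
    # ConsentPromptBehaviorAdmin 2 = prompt for consent on every elevation.
    # ConsentPromptBehaviorAdmin 5 = prompt only for non-Windows binaries, so
    # the built-in auto-elevating Windows programs run without a prompt.
    switch ("$ConsentPromptBehaviorAdmin/$PromptOnSecureDesktop") {
        '2/1'   { return 'Always notify' }
        '5/1'   { return 'Notify only when programs try to make changes (default)' }
        '5/0'   { return 'Notify only when programs try to make changes (no desktop dimming)' }
        default { return "Custom combination $_ (set by policy or by hand)" }
    }
}

function Get-LocalUacLevel {
    # Reads the live values from the local machine.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    Get-UacSliderLevel -EnableLUA $p.EnableLUA `
        -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
        -PromptOnSecureDesktop $p.PromptOnSecureDesktop
}

# Constructed samples, one per level, followed by a policy-style combination.
$samples = @(
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 1; PromptOnSecureDesktop = 1 }
)
foreach ($s in $samples) { Get-UacSliderLevel @s }

"This machine: $(Get-LocalUacLevel)"
```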

How UAC Works under the hood

Every user, whether configured as a standard user or an administrator, can perform any of the tasks in Windows 7 that do not require administrator privileges, just as they did in Windows XP. (The problem with XP, from a security standpoint, of course, is that all tasks were denoted as not requiring administrative privileges.) You can launch applications, change time zone and power-management settings, add a printer, run Windows Update, and perform other similar tasks. However, when you attempt to run a task that does require administrative privileges, the system will force you to provide appropriate credentials in order to continue. The experiences vary a bit depending on the account type. Predictably, those who log on with administrator-class accounts experience a less annoying interruption.

Standard users receive a User Account Control credentials dialog, as in Figure 8-1. This dialog requires you to enter the password for an administrator account that is already configured on the system. Consider why this is useful. If you have configured your children with standard user accounts (as, frankly, you should if you’re going to allow them to share your PC), then they can let you know when they run into this dialog, giving you the option to allow or deny the task they are attempting to complete. Administrators receive a simpler dialog, called the User Account Control consent dialog. Because these users are already configured as administrators, they do not have to provide administrator credentials. Instead they can simply click Yes to keep going. The presentation of these User Account Control dialogs can be quite jarring if you’re not familiar with the feature or if you’ve just recently switched to Windows 7 from XP. (Vista users are very well accustomed to this effect.) If you attempt to complete an administrative task, the screen will flash, the background will darken, and the credentials or consent dialog will appear somewhere onscreen.
Most important, the dialogs are modal: you can’t continue doing anything else until you have dealt with these dialogs one way or the other.
There’s also a third type of User Account Control dialog that sometimes appears regardless of which type of user account you have configured. This dialog appears whenever you attempt to install an application that has not been digitally signed or validated by its creator. These types of applications are quite common, so you’re likely to see the dialog fairly frequently, especially when you’re initially configuring a new PC. Over time, these prompts will occur less and less because you won’t be regularly installing applications anymore.

By design, this dialog is more colorful and “in your face” than the other User Account Control dialogs. Microsoft wants to ensure that you really think about it before continuing. Rule of thumb: you’re going to see this one a lot, but if you just downloaded an installer from a place you trust, it’s probably okay to go ahead and install it.
When UAC is left at its default setting, Windows 7 automatically elevates a hand-picked list of applications, further reducing the UAC dialogs you see. These applications are referred to as being white-listed for auto-elevation. They include:
\Windows\ehome\Mcx2Prov.exe
\Windows\System32\AdapterTroubleshooter.exe
\Windows\System32\BitLockerWizardElev.exe
\Windows\System32\bthudtask.exe
\Windows\System32\chkntfs.exe
\Windows\System32\cleanmgr.exe
\Windows\System32\cliconfg.exe
\Windows\System32\CompMgmtLauncher.exe
\Windows\System32\ComputerDefaults.exe
\Windows\System32\dccw.exe
\Windows\System32\dcomcnfg.exe
\Windows\System32\DeviceEject.exe
\Windows\System32\DeviceProperties.exe
\Windows\System32\dfrgui.exe
\Windows\System32\djoin.exe
\Windows\System32\eudcedit.exe
\Windows\System32\eventvwr.exe
\Windows\System32\FXSUNATD.exe
\Windows\System32\hdwwiz.exe
\Windows\System32\ieUnatt.exe
\Windows\System32\iscsicli.exe
\Windows\System32\iscsicpl.exe
\Windows\System32\lpksetup.exe
\Windows\System32\MdSched.exe
\Windows\System32\msconfig.exe
\Windows\System32\msdt.exe
\Windows\System32\msra.exe
\Windows\System32\MultiDigiMon.exe
\Windows\System32\Netplwiz.exe
\Windows\System32\newdev.exe
\Windows\System32\ntprint.exe
\Windows\System32\ocsetup.exe
\Windows\System32\odbcad32.exe
\Windows\System32\OptionalFeatures.exe
\Windows\System32\perfmon.exe
\Windows\System32\printui.exe
\Windows\System32\rdpshell.exe
\Windows\System32\recdisc.exe
\Windows\System32\rrinstaller.exe
\Windows\System32\rstrui.exe
\Windows\System32\sdbinst.exe
\Windows\System32\sdclt.exe

How to configure Windows 7 firewall

Windows Firewall, included with Windows 7, helps prevent unauthorized users or malicious software from accessing your computer. It blocks unsolicited traffic, that is, traffic that was not sent in response to a request.
To configure Windows Firewall, select Start > Control Panel > Large Icons View > Windows Firewall. Click Turn Windows Firewall On Or Off. This opens the Windows Firewall Settings dialog box.

The Windows Firewall Settings dialog box enables you to turn Windows Firewall on or off for both private and public networks. The On setting blocks external sources except those indicated on the Exceptions tab. The Off setting allows external sources to connect. There is also a check box for Block All Incoming Connections, which is intended for when you connect to networks that are not secure. When Block All Incoming Connections is enabled, exceptions are ignored and you receive no notification when an application is blocked by Windows Firewall.

The exceptions section of the Windows Firewall Settings dialog box allows you to specify which programs and services are allowed to pass through Windows Firewall. There is a defined list of programs and services you can choose from, or you can use the Add Another Program button to add your own exceptions. It is important that you enable exceptions carefully. Each exception allows traffic to pass through the firewall, which exposes your computer to additional risk. Remember that the Block All Incoming Connections setting ignores all exceptions.

Windows Firewall with Advanced Security


There are more advanced settings to be configured in Windows Firewall with Advanced Security (WFAS). To access it, click Start > Control Panel > Large Icons View > Windows Firewall and then click the Advanced Settings link. The Windows Firewall with Advanced Security on Local Computer dialog box appears. The scope pane on the left shows that you can set up specific inbound and outbound rules, connection security rules, and monitoring rules. An overview of the firewall’s status and current profile settings is shown in the central area.

Inbound and Outbound Rules


Inbound and outbound rules have many preconfigured rules that can be enabled or disabled. Inbound rules monitor inbound traffic and outbound rules monitor outbound traffic. Many are disabled by default. Double-clicking a rule opens its Properties dialog box. The rules can be filtered for easier viewing: by the affected profile, by state (enabled or disabled), or by rule group. If you have trouble finding a rule that suits your needs, you can create a new rule by right-clicking Inbound Rules or Outbound Rules in the scope pane and selecting New Rule. This launches the New Inbound or Outbound Rule Wizard, which asks whether you want to create a rule based on a particular program, protocol or port, predefined category, or custom settings.

How to Create a New Inbound Rule Allowing for Only Encrypted TCP Traffic:


1. Select Start > Control Panel > Large Icon View > Windows Firewall.
2. Click Advanced Settings on the left-hand side.
3. Right-click Inbound Rules and select New Rule.
4. Choose a Rule Type. To see all available options, choose Custom and click Next.
5. Choose the programs or services affected by this rule and then click Next.
6. Choose the protocol type and the local and remote port numbers affected by this rule and click Next.
7. Choose the local and remote IP addresses affected by this rule and click Next.
8. Indicate if this rule will allow the connection, allow the connection only if it is secure, or block the connection and then click Next.
9. Indicate whether you want to allow connections from certain users only and click Next.
10. Indicate whether you want to allow connections from certain computers only and then click Next.
11. Choose which profiles will be affected by this rule. You can select more than one profile. Click Next.
12. Name your rule, type in a description and then click Finish. Your custom rule appears in the list of Inbound Rules and the rule is enabled.
13. Double-click the new rule you just created. Note that previously configured options can be changed.
14. You can disable the rule by deselecting the Enabled check box. Click OK.
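The wizard steps above can also be scripted with netsh advfirewall, the firewall command line on Windows 7. The following is an added example, not part of the original post: the rule name, port 8443 and the profile list are placeholder values, and the function names are hypothetical. The security=authenc setting corresponds to allowing the connection only if it is authenticated and encrypted, which depends on IPsec being negotiated through a connection security rule.

```powershell
# Added example: create, verify and disable an "allow only if encrypted" inbound TCP rule.
# Rule name, port and profiles are placeholders chosen for illustration.

$RuleName = 'Example-Encrypted-TCP-8443'
$Port     = 8443

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function New-EncryptedOnlyInboundRule {
    param(
        [string]$Name,
        [int]$LocalPort,
        [string]$Profiles = 'domain,private'
    )
    if (-not (Test-IsElevated)) {
        throw 'Changing firewall rules requires an elevated PowerShell session.'
    }

    # netsh returns a non-zero exit code when no rule matches the name.
    & netsh advfirewall firewall show rule "name=$Name" | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Warning "A rule named '$Name' already exists; nothing was added."
        return
    }

    # security=authenc: allow the connection only if it is authenticated and encrypted.
    # Without a matching connection security rule (IPsec) on both ends, traffic
    # never satisfies this rule and stays blocked by the default inbound policy.
    $ruleArgs = @(
        'advfirewall', 'firewall', 'add', 'rule',
        "name=$Name", 'dir=in', 'action=allow', 'protocol=TCP',
        "localport=$LocalPort", "profile=$Profiles",
        'security=authenc', 'enable=yes'
    )
    & netsh $ruleArgs
    if ($LASTEXITCODE -ne 0) {
        throw "netsh failed with exit code $LASTEXITCODE"
    }
}

function Disable-InboundRule {
    param([string]$Name)
    # Equivalent of clearing the Enabled check box in the rule's Properties.
    & netsh advfirewall firewall set rule "name=$Name" new enable=no
}

New-EncryptedOnlyInboundRule -Name $RuleName -LocalPort $Port

# Review what was created (same information as the rule's Properties dialog).
& netsh advfirewall firewall show rule "name=$RuleName" verbose

# Disable the rule again when it is no longer needed:
# Disable-InboundRule -Name $RuleName
```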

 

 

 

 

 

Posted in Windows 7 | 1 Comment »

Good to know about Windows 7 SP1 rollout

Posted by Alin D on June 6, 2011

When it comes to Microsoft operating systems, administrators are traditionally advised to wait until the first service pack comes along before upgrading from one release of Windows to another. As such, many companies have continued running Windows XP, skipping Vista and waiting for Windows 7 to mature even more.

That moment has arrived: in late February, Microsoft released the first service packs for Windows 7 and Windows Server 2008 R2. And nearly three months later, the few problems that popped up in the wild have been worked out, and it’s finally time to consider an upgrade path. This quick guide will break down rollout concerns and important considerations for Windows 7 Service Pack 1.

Inside Windows 7 SP1
Generally, a Microsoft service pack is a collection of hotfixes rolled up into a convenient, installable package. If enterprise systems have been receiving regular updates from Microsoft, Windows 7 SP1 doesn’t offer anything organizations don’t already have. To review, Windows Server 2008 R2 provides improved RemoteFX support and some other minor feature enhancements, but that’s limited to the server installation. Even though the distribution file is the same, the desktop client gets no additional new features — just previously-released updates and hotfixes.

A recent Patch Tuesday release featured a pair of updates that fix the most glaring problems with an SP1 installation on both Windows 7 and Windows Server 2008 R2:

  • KB 2534366 — This fixes a registry error corresponding to the number of language packs installed on a system.
  • KB 2533552 — This repairs a bug where Windows mistakenly tries to perform operations in a specific processor queue more than once, with the second operation failing since it has already been completed.

Note that the language-pack problem is much more common in production rollouts. Regardless, even if you’re not considering a service pack installation today, it’s important to deploy these updates immediately in order to pave the way for a future rollout.

Remote Server Administration Tools and SP1
SP1 doesn’t coexist well, at least when it comes to installation, with the Remote Server Administration Tools (RSAT), which bring the server administrative tools to a Windows desktop environment. If RSAT is already installed, the tools will update themselves to the correct version after the service pack installation.

If RSAT is being installed on a new Windows 7 SP1 machine, however, admins should download the updated version. This version will also work on pre-SP1 machines, so IT can just replace the binary in the tool library and call it a day.

Lastly, if an enterprise has a large fleet of desktops and some homegrown applications that haven’t been fully tested yet, Microsoft’s Windows Service Pack Blocker Tool Kit can be used to block SP1 from being delivered through Windows Update. Once installed, the toolkit will remain active until February 22, 2012. Note that this tool only blocks a service pack installation through Windows Update. It doesn’t work when users or administrators manually download the service pack or use a CD or DVD to install SP1.
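Before scheduling the rollout, each desktop can report whether it already has the two updates named above and whether SP1 delivery through Windows Update is blocked. The following is an added example, not part of the original article. The function name is hypothetical, and the DoNotAllowSP registry value is an assumption about what the Service Pack Blocker Tool Kit sets, so confirm it against the toolkit’s own documentation.

```powershell
# Added example: local pre-flight check before rolling out Windows 7 SP1.
# Get-Sp1Readiness is a hypothetical name; run it on the machine being assessed.

function Get-Sp1Readiness {
    # The two updates the article says to deploy ahead of SP1.
    $required = 'KB2534366', 'KB2533552'

    $os = Get-WmiObject -Class Win32_OperatingSystem
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
                    ForEach-Object { $_.HotFixID })
    $missing = @($required | Where-Object { $installed -notcontains $_ })

    # Assumption: the blocker toolkit sets DoNotAllowSP = 1 under this policy key.
    $wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $blocked = $false
    if (Test-Path $wuPolicy) {
        $value = (Get-ItemProperty -Path $wuPolicy).DoNotAllowSP
        $blocked = ($value -eq 1)
    }

    # The block only affects Windows Update delivery; a manual install still works.
    if ($os.ServicePackMajorVersion -ge 1) {
        $status = 'SP1 already installed'
    }
    elseif ($missing.Count -gt 0) {
        $status = 'Install the missing updates before SP1'
    }
    elseif ($blocked) {
        $status = 'Updates present; SP1 blocked in Windows Update'
    }
    else {
        $status = 'Ready for SP1'
    }

    New-Object PSObject -Property @{
        Computer       = $env:COMPUTERNAME
        OSVersion      = $os.Version
        ServicePack    = $os.ServicePackMajorVersion
        MissingUpdates = ($missing -join ', ')
        BlockedInWU    = $blocked
        Status         = $status
    } | Select-Object Computer, OSVersion, ServicePack, MissingUpdates, BlockedInWU, Status
}

Get-Sp1Readiness | Format-List
```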

Posted in Windows 7 | Leave a Comment »

Things you should know for Windows 7 Security

Posted by Alin D on May 30, 2011

Windows 7 is the most secure version of the Windows operating system ever developed, says Microsoft. I am pretty sure that Microsoft has made that claim for every new version of Microsoft Windows in the past 15 years, and that it is a valid claim.

What else would you expect? Is Microsoft going to come out with a new operating system and make it less secure than its predecessor? I think not. Still, while the marketing around Windows 7 security may be part hyperbole, there are actually a number of significant security improvements to be aware of, especially for Windows XP users making (or considering) the transition to Windows 7. Many of these security updates existed in Windows Vista as well, so Vista users should already be familiar with them.


1. Protecting the core
The kernel is the heart of the operating system, which also makes it a prime target for malware and other attacks. Basically, if an attacker can access or manipulate the operating system kernel, they can execute malicious code at a level that is undetectable by other applications or even by the operating system itself. Microsoft developed kernel-mode protection to protect the kernel and ensure there is no unauthorized access.

In addition to protecting the kernel, Microsoft has made some other fundamental improvements since Windows XP to protect the operating system. Many attacks rely on the attacker being able to know where a specific function or command resides within memory, or the ability to perform attacks on files that are supposed to contain only data.

Address Space Layout Randomization (ASLR) keeps attackers guessing about where to attack by randomizing the memory locations of key operating system functions. Microsoft also developed Data Execution Prevention (DEP) to prevent files that are supposed to contain data or that are stored in an area reserved for data from executing code of any type.

2. Safer Web browsing
Windows 7 comes with the latest and greatest version of Internet Explorer, IE8. You can download and use IE8 with other versions of Windows, so it’s not specific to Windows 7, but it does contain some security enhancements worth noting.

First, InPrivate Browsing provides the ability to surf the Web in private as the name implies. When you launch an InPrivate Browsing window, Internet Explorer does not save any information related to your Web surfing. That means that there is no cache containing information you typed and no history of the sites you visited. This is especially useful if you are using IE8 on a shared or public computer, like at a library.
The other IE8 security improvement is Protected Mode. Protected Mode relies on security components in Windows 7 to ensure that malicious or unauthorized code is not allowed to run within the browser. Protected Mode prevents things like drive-by downloads that install malicious software on your system just by visiting a compromised Web site.

3. Protection we love to hate
User Account Control (UAC) is the poster child for everything we love to hate about Windows Vista. With Windows 7, UAC is still there, but Microsoft has added a slider that enables you to control the level of protection UAC provides, and therefore the number of pop-ups asking for permission to access or execute files.

The pop-ups are just a small, but visible, aspect of what UAC does. Many users simply disabled UAC altogether in Windows Vista, but that also turns off Protected Mode IE and some other operating system protection. The slider in Windows 7 is set to the same protection as Windows Vista by default, but you can customize the setting in the Control Panel.

4. Security tools and apps
Because of the kernel-mode protection and the changes Microsoft made regarding how, or if, applications are allowed to interact with the core functionality of the operating system, older anti-virus and other security software is not compatible with Windows 7.

Vendors like McAfee, Symantec, Trend Micro, and others offer Windows 7-compatible versions of their security software products, but Microsoft also provides free security tools to protect you if you don’t want to invest the additional money.

The Windows Firewall and Windows Defender antispyware tools are included with the base installation of Windows 7. You can also download and install Microsoft Security Essentials, a free anti-virus product released recently by Microsoft.

5. Monitor the Action Center
The Security Center that Windows XP users are familiar with has been replaced by the Windows Action Center. The Action Center is a more comprehensive console for monitoring the Windows 7 system, including security.

The security section of the Action Center provides at-a-glance status regarding the security of your Windows 7 system. It includes information about firewall, spyware, and virus protection, as well as the state of Windows Updates, Internet security settings, and UAC.

There are plenty of good reasons to make the switch to Windows 7. If you are still running Windows XP, security is arguably the best reason to embrace the new operating system. It may or may not be the greatest operating system ever, but it is definitely the most secure Windows operating system ever.

Posted in Windows 7 | Leave a Comment »

Less Windows Features means Microsoft bugs unexploitable

Posted by Alin D on May 19, 2011

A study from eEye found that disabling two features in Microsoft products prevents attackers from exploiting 12% of vulnerabilities.

 

New data shows how proper software configuration can mean all the difference in whether a vulnerability can actually be exploited on your system.

eEye Digital Security today released a report with results from a study conducted by eEye founder and CTO Marc Maiffret and his team of how certain configuration changes in Microsoft software can mitigate attacks. The researchers used all of the Microsoft vulnerabilities reported and patched in 2010 and confirmed that disabling two well-known features in the software would prevent attackers from exploiting 12 percent of all of these bugs.

The report reveals that only half of the vulnerabilities patched in 2010 affected the newest versions of Microsoft software, namely Windows Server 2008 R2, Windows 7, Office 2007, and Office 2010.

“When you look at 2010 vulnerabilities, if you are running the latest [version of Microsoft software], that means that for 49 percent of all vulnerabilities, you don’t need to do anything. Nearly half of all vulns won’t be able to be used to leverage attacks against your systems. That’s a pretty amazing number,” Maiffret says. “That is time you get to put back into IT operational time.”

eEye focused on two basic configuration changes in its report: blocking Web-based Distributed Authoring and Versioning (WebDAV) connections and disabling Office file converters. “The most important thing you can do in security is take your time in how you configure your systems … to be as customized to your environment as possible. The reality is that the vast majority of businesses run a vanilla IT environment,” which makes them more vulnerable, according to Maiffret.

The WebDAV and Office file converter features were chosen for the study because they are both well known and often abused in exploits. Attackers send infected Excel files in older versions of the app, for example.

Among the configuration mistakes that can leave Windows systems vulnerable to attack is leaving WebDAV enabled, Maiffret says. WebDAV is a tool for collaborating among users in editing and managing documents and files stored on Web servers, and can be used for delivering malicious payloads in an attack. Merely disabling WebDAV cuts down the number of vulnerabilities that are exploitable by 4 percent, according to eEye’s findings.

“That is one of the things that could easily be disabled through Active Directory Group Policy Object settings or by filtering at the perimeter,” Maiffret says.

When an older binary file format is blocked, 8 percent of all of the 2010 reported Microsoft vulnerabilities would be nonexploitable, according to the report.

Microsoft, meanwhile, has long encouraged users to reduce the attack surface. Jerry Bryant, group manager for Trustworthy Computing at Microsoft, said in a statement about the eEye report: “At Microsoft, we have long stated that attack surface reduction is a key part of improving the security stance of any network or individual system. We not only recommend this as a best practice, but as a result of our ongoing efforts through the Security Development Lifecycle (SDL), have reduced the number of features and services enabled by default in the latest versions of our operating systems. As always, Microsoft encourages customers to upgrade to the latest product versions to ensure maximum protection against vulnerabilities.”

Bryant points to Microsoft’s free Security Compliance Manager Toolkit to help users “harden” their systems.

While eEye focused on the two specific features in Microsoft applications, Maiffret says there are plenty of other features that could be used to mitigate attacks. The concept applies to other vendors’ apps as well.

“I don’t think we really scratched the surface in what we could be doing from a configuration [standpoint],” he says. “We want to get the conversation going and make people start thinking about this and how they can customize and configure their environment.”

A copy of the full eEye report, “eEye Research Report: Working Toward Configuration Best Practices, Version 1.0,” is available here for download

Posted in Windows 7 | Leave a Comment »

Windows 7 – How to save your OS

Posted by Alin D on May 16, 2011

Every copy of Windows 7 includes a complete suite of backup tools. The suite contains everything you need to back up (and restore) your entire system.

What’s more, after you’ve set up your initial backup, future backups happen automatically.

In fact, Windows 7 makes it so easy to set up fully automated backups, it’s almost nutty not to do it.

But (you knew there had to be one) Windows 7’s backup tools are based on a different philosophy than previous versions of Windows and so do not operate exactly as you might expect. Until you understand what Microsoft is trying to do, the differences can be confusing.

Win7’s backup system has three major parts


The first component is designed to protect a system’s user data — and nothing else. User data includes each user’s locally stored library files plus the contents of the user folders and subfolders, such as AppData, Contacts, Desktop, Documents, Downloads, Favorites, Links, Music, Pictures, Saved Games, Searches, and Videos.

Those folders contain a system’s most valuable and rapidly changing data files — after all, your user files include all your documents, spreadsheets, e-mails, and so on. These are the files that need the most careful and frequent backups. As a result, the Windows 7 backup puts most of its emphasis on automatically protecting these files.

But the Windows 7 primary backup applet does not — repeat, does not — back up system folders or program files, even if you specifically select them or if they’re inside a folder that’s otherwise being backed up. The user-data backup process specifically excludes program files.

Win7 includes a second tool — a system-imaging app — to back up system folders, installed programs, and the like. Microsoft’s theory is that these less frequently changing files don’t need to be backed up as often as user data. That’s not unreasonable.

A system image is the gold standard of backups. It’s an exact digital copy of the complete contents and logical structure of your hard drive. You can use a system image to restore a PC to full running order, with all your software set up and ready for immediate use. When you restore a system image, you put your PC back to exactly the way it was at the moment the system image was made.

You need to make a new system image only when your system changes in some major way (a major new software update, or whatever). It’s a low-frequency task.

When you run a Win7 backup for the first time, you’ll automatically be prompted to make your first system image. It’s part of the initial backup process, built-in, and very easy to do.

The third and final component of the Win7 backup system is a bootable System Recovery Disk. With the recovery disk, you can restore your system even if the hard drive is otherwise completely unbootable. Making the System Recovery Disk is automatic; you’ll be prompted at the right time.

In a moment, I’ll walk you through a complete, three-part, Win7 initial backup.

Step one: Setting up your initial backup

Naturally, your backups will consume some disk space and/or blank CDs or DVDs. The exact amount depends entirely on your local setup, but you can use this ballpark guide:

Estimate the size of your initial User Data backup by right-clicking on a username folder — e.g., C:\Users\username. Select Properties and note the size. Your initial backup will be no larger than this amount and will most likely be somewhat smaller (because not everything gets copied). Future backups are smaller still because they’ll include only files that have changed since the previous backup.

The system-image tool backs up an entire drive — for example, your full C: drive. But it doesn’t back up empty space (what would be the point?), and it compresses what it does back up — typically by 30 percent to 50 percent. If you have a drive containing 50GB of actual data, a system image of that drive would probably end up being 25GB to 35GB in size.

Whatever device you back up to (typically, an external USB hard drive or network-attached drive), make sure it has plenty of free space for future incremental and image backups. (Win7’s backup tools will guide you toward storage locations with the right sizes and attributes. More on that below.)

The System Recovery Disc uses just a single CD or DVD.
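The ballpark sizing above can be checked with a short script before the first backup run. This is an added example, not part of the original article; the drive letters C: and E: and the use of the current user's profile as the user-data folder are assumptions to adjust for your system.

```powershell
# Added example: capacity check before the first Windows 7 backup.
# Assumptions (not from the article): C: is the drive to image, E: is the
# backup target, and the current user's profile holds the user data.
param(
    [string]$ProfilePath = $env:USERPROFILE,
    [string]$SourceDrive = 'C:',
    [string]$TargetDrive = 'E:'
)

function Get-FolderBytes([string]$Path) {
    # Windows 7 ships PowerShell 2.0, which has no -File switch, so
    # directories are filtered out by hand. Folders that cannot be read
    # are skipped, which makes the total a lower bound.
    $m = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Measure-Object -Property Length -Sum
    if ($m.Sum) { [int64]$m.Sum } else { [int64]0 }
}

function Get-LogicalDiskInfo([string]$Drive) {
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'"
    if (-not $disk) { throw "Drive $Drive not found" }
    $disk
}

$src = Get-LogicalDiskInfo $SourceDrive
$dst = Get-LogicalDiskInfo $TargetDrive

$userBytes = Get-FolderBytes $ProfilePath
$usedBytes = [int64]$src.Size - [int64]$src.FreeSpace

# Article's ballpark: the image is compressed by 30 to 50 percent,
# so it lands at 50 to 70 percent of the data actually on the drive.
$imageLow  = [int64]($usedBytes * 0.5)
$imageHigh = [int64]($usedBytes * 0.7)
$needed    = $userBytes + $imageHigh   # first user-data backup plus largest image

'User data in {0}: {1:N1} GB' -f $ProfilePath, ($userBytes / 1GB)
'Data on {0}: {1:N1} GB; estimated image: {2:N1} to {3:N1} GB' -f `
    $SourceDrive, ($usedBytes / 1GB), ($imageLow / 1GB), ($imageHigh / 1GB)
'Free on {0}: {1:N1} GB; needed for first run: {2:N1} GB' -f `
    $TargetDrive, ($dst.FreeSpace / 1GB), ($needed / 1GB)

if ([int64]$dst.FreeSpace -lt $needed) {
    Write-Warning "Target $TargetDrive is too small for the first backup plus image."
}
```

The figure it reports covers only the first run; leave extra room on the target for the incremental backups and later images that follow.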

Once you’re ready to get started, simply click the Start orb, type the word backup in the Search programs and files box, and press Enter. This works on any Win7 (or Vista) PC.

If you prefer the all-mouse approach: click the Start orb, open Control Panel, and (if in the Control Panel’s default view) select Backup and Restore from the System and Security category.

Whichever way you get there, the Backup or Restore your files applet initially opens a dialog box like that shown in Figure 1. This dialog box gives you centralized access to all of Win7’s major backup tools.

The first time through, click Set up backup. After a moment, you’ll see the dialog box shown in the figure below, and you’ll hear your mechanical drives buzz and chatter. Don’t worry; the backup has not started without you! The backup software is merely learning what drives are available for later access.


Windows places the word Recommended next to the location it thinks is best, but you’re free to select other locations. For more information, see Microsoft’s Win7 Help & How-to page, “Where should I save my backup?” On the system shown in the next image, Win7 offers to save backups to a D drive, a DVD burner, or an external 1-TB drive. Naturally, your PC’s options will be different.

When you’ve chosen a destination for your backup files, click Next.

► Now choose which files to back up. The What do you want to back up dialog box, shown in Figure 4, lets you accept Windows’ defaults for what to back up, or it allows you to make your own selections.

If you select Let Windows choose, Win7 backs up all user data folders and files, as listed earlier. This is usually a good choice. (See Microsoft’s article, “How does Windows choose which files to back up?”)

If you select Let me choose, you see the dialog box shown in Figure 5. (This option is most useful when you’ve set up your system in a nonstandard way, with user files in nondefault locations.)

But remember that the Windows 7 backup tool does not back up program files or system folders, even if you manually select them. There’s a separate tool for that, which we’re coming to.

Once you’ve made your choice, click Next.

► Review your settings; run the backup. Figure 6 shows the review dialog box for a typical Let Windows decide backup. (That’s the option I usually choose.) The Let me decide confirmation dialog box looks very similar.

Note the Schedule information in the middle of the dialog box shown in Figure 7. By default, Windows uses the settings you’re now establishing to perform a weekly backup of your system’s user data. You can modify the schedule via the Change schedule link; it opens a separate window, so you won’t lose your place on the main backup dialog box.

Similarly, you can explore any warnings displayed at the bottom of the dialog box by clicking on the More information links. They also open secondary windows, so you won’t lose your place.

If anything about the backup isn’t correct, click the dialog’s Cancel button and start over.

When everything is OK, click Save settings and run backup. Now the actual backup begins, as shown in Figures 7 and 8.

You can minimize the backup windows and continue to use your PC while the backup runs, but I don’t recommend it. Backups are inherently disk- and CPU-intensive and tend to bog a system down. It’s usually better to let the backup run when the PC would otherwise be idle.

Step two: Create a full-system image

When the first user-data backup completes, Windows normally offers to create a system image via a dialog box like the one shown in Figure 9, which is the first of several poorly worded dialog boxes; it refers to a backup when it should say image.

You can accept the default location or choose something different. In planning where to put the image files, note that they’re large and usually end up being around 50 percent to 70 percent of the size of the original, uncompressed data.

Once you’ve selected where the system image will be stored, you’ll be asked what to include in the image. (See Figure 10.) This dialog box repeats the backup-for-image error.

A confirmation dialog box lets you double-check your choices, as you can see in Figure 11. Windows shows you an uncompressed, worst-case, maximum-size estimate for the image files, so you can make sure there’s room in the selected destination or that you have a sufficient number of blank CDs or DVDs on hand.

Click the Start backup button to start the disc-imaging process. (Fortunately, that’s the last language-mangled dialog box in this series.)

Step three: Create a System Repair boot disc

When the system image completes, you’ll be offered the option to make a System Repair boot disc, which is the third and final piece of the Windows 7 backup strategy.

Just follow the prompts; it takes only a couple of minutes, tops.

You already paid for these tools. So use ‘em!

Yes, setting up backups takes some time — probably a few hours, the first time through. And yes, the tools aren’t elegant.

But they get the job done: all your data will be backed up, your program and system files will be safely and separately backed up, and you’ll have a bootable Recovery CD on hand.

From here on out, the Backup Scheduler takes over and safeguards your user data through automatic backups on whatever schedule you authorized.

You are now prepared for disaster recovery.
