The Expert's Guide to Implementing Microsoft® Windows® Vista™
Chapter 2: Selected Vista Features
©2007 ScriptLogic

Contents

Chapter 2 Selected Vista Features
  Introduction
  Security
    Security Development Lifecycle
    Windows Services Hardening
    User Account Control
    Windows Defender
    Network Access Protection
    Data Protection and Encryption
    Other Security Enhancements
  Networking
    New TCP/IP Stack
    Simpler connectivity
    Higher security
    Improved Manageability
  Management and Control
    Microsoft Management Console (MMC)
    Windows Eventing Architecture
    Increased Automation
    New Group Policy Management
    Reliability and Performance Monitoring
  Feature Assessment
    Vista's new features
  Summary
Introduction

In the previous chapter, we reviewed and evaluated the features that are most visible to an end user. In this chapter, we delve deeper into Vista, uncovering features that are less visible but no less important. These "deeper" features matter most to the IT professional responsible for maintaining desktops and mobile systems in an enterprise setting. This chapter focuses on new and improved security, new networking features, and management and operations features.

Security

The new Aero user interface is entertaining, and the instant search feature is certainly helpful; ultimately, however, one of the primary reasons to implement Vista is its design for security. Windows XP Service Pack 2 made substantial progress, but Vista's security enhancements go further and are so fundamental to the architecture that they could only be implemented through extensive changes to core operating system functions.

Security Development Lifecycle

During the design and coding of Vista, Microsoft placed security as the number one priority [1]. Development methodologies were significantly revamped to conform to new processes, collectively known as the Security Development Lifecycle (SDL). Although not a feature per se, the SDL plays an important role in Vista security: it mandates that security reviews be built into every step of the development cycle. For example, during Vista development a review team (the Secure Windows Initiative Attack Team, SWIAT) was chartered to conduct extensive design reviews and testing, with the goal of identifying parts of the product's code or design that needed additional work. The in-house SWIAT analysts were supplemented by reviewers drawn from security research firms and penetration-testing companies. Their sole job was to ferret out potential security flaws, assess their impact, and pass the information back to the development teams.

[1] "Microsoft® Windows® Vista™ Security Advancements," June 2006
The SDL also enforces coding rules and testing scenarios that reduce opportunities for attack and streamline security management functions. It employs static analysis tools that look for defects a standard compiler will not report: buffer overruns caused by unchecked string copies, and unexpected combinations of conditions that drive execution down rarely exercised code paths. Finally, because Vista was developed concurrently with the deployment of Windows XP Service Pack 2, vulnerabilities being exposed in Windows XP were tested against Vista as well, and fixes were applied to both systems where appropriate.

Windows Services Hardening

Windows uses background processes called services, which are started, paused, and stopped through the Services snap-in of the Microsoft Management Console (MMC). In Windows XP, most services run with the highest possible privilege (LocalSystem), which makes them an attractive target: a flaw in one service yields full control of the machine. Windows Vista makes substantial changes to reduce this exposure, collectively referred to as services hardening.

The primary concept behind services hardening is least privilege: each service runs with only the privileges it needs. Services no longer run in the interactive user's session (Vista isolates them in Session 0); they have no access to the display and can neither request nor receive input from a user interface. This can affect existing applications that run as services or interact with services. A service that assumes it is running in a user session (for example, one that tries to display a dialog box) will not execute correctly, or will hang waiting for a user response that never arrives.

In addition to the change in how services run, each core Windows service has a profile that defines the privileges it needs. The service runs under its own per-service security identifier (SID) with a token restricted to those privileges, and the profile includes rules for the system resources and the inbound and outbound network ports the service may use, monitored and enforced through Windows Firewall. During execution, the service's activities are checked against this profile, and any attempt to perform an unassigned activity is denied.
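The script below is an added example, not code from the ScriptLogic guide, that shows the hardening from the administrator's side: it lists the running services still using the LocalSystem account, queries the privilege set, per-service SID and SID type the Service Control Manager assigns to each (the sc.exe qprivs, showsid and qsidtype subcommands that Vista added), and creates a Windows Firewall rule scoped to one service instead of to svchost.exe as a whole. The rule name, port and the use of the Windows Time service are illustrative; the script assumes an elevated PowerShell 2.0 prompt.

```powershell
# Added example: inventory service privileges and SIDs, and scope a firewall rule to one service.

function Get-ServicePrivilegeProfile {
    param([string]$Name)
    # 'sc qprivs' lists the privileges the SCM leaves in the service's token; everything
    # else is stripped. 'sc showsid' prints the per-service SID (S-1-5-80-...), and
    # 'sc qsidtype' reports whether that SID is added to the token (UNRESTRICTED/RESTRICTED)
    # or not at all (NONE).
    $privs = sc.exe qprivs $Name | ForEach-Object {
        $m = [regex]::Match($_, 'Se\w+Privilege'); if ($m.Success) { $m.Value }
    }
    $sid  = (sc.exe showsid $Name  | Where-Object { $_ -match 'SERVICE SID:' })      -replace '.*SERVICE SID:\s*', ''
    $type = (sc.exe qsidtype $Name | Where-Object { $_ -match 'SERVICE_SID_TYPE:' }) -replace '.*SERVICE_SID_TYPE:\s*', ''
    New-Object PSObject -Property @{
        Name       = $Name
        ServiceSid = $sid
        SidType    = $type
        Privileges = @($privs)
    }
}

function Get-LocalSystemServices {
    # Services that run as LocalSystem deserve the closest look: without a reduced privilege
    # set and a service SID, a flaw in one of them is still a full-system compromise.
    Get-WmiObject Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.StartName -eq 'LocalSystem' } |
        ForEach-Object { Get-ServicePrivilegeProfile $_.Name }
}

function Add-ServiceScopedFirewallRule {
    # Allow inbound traffic to one service only. Because the rule names the service,
    # Windows Firewall matches it against the service SID in the receiving process's token,
    # so another service hosted in the same svchost.exe instance gets nothing from this rule.
    param([string]$Service, [int]$Port, [string]$Protocol = 'udp')
    netsh.exe advfirewall firewall add rule "name=Svc_${Service}_$Port" dir=in action=allow `
        "protocol=$Protocol" "localport=$Port" `
        "program=%SystemRoot%\system32\svchost.exe" "service=$Service"
}

# Usage (illustrative: the Windows Time service on UDP 123)
Get-LocalSystemServices | Sort-Object Name |
    Format-Table Name, SidType, @{n='Privileges'; e={ $_.Privileges -join ',' }} -AutoSize
Add-ServiceScopedFirewallRule -Service W32Time -Port 123 -Protocol udp
```

A service that shows SidType NONE and a long privilege list has not been hardened; third-party services fall into this group unless their installer calls ChangeServiceConfig2 to set the SID type and required privileges.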
User Account Control

A significant security advance is the separation of administrator and user privileges through a new feature called User Account Control (UAC), briefly covered in Chapter 1. Let's examine it in more detail; additional information is available at http://www.microsoft.com/technet/windowsvista/security/uacppr.mspx

UAC is based on reducing the "normal" privilege level for both users and administrators. In past versions of Windows, any administrative function required administrator privileges, even routine tasks such as changing the system's time zone or power management settings. As a result, administrators simply gave all users administrative privileges. While convenient, this also let users install and configure applications, modify device drivers, and change system configuration parameters. Not only could users damage their own system configuration (which could propagate and damage systems on the network), but an administrator-level account can cause great damage when exploited by malware, since malicious code runs with whatever rights the logged-on user has.

UAC separates standard user privileges from those that require administrator access. A subset of administrative activities deemed to pose no security risk, such as changing the time zone or adding a printer, can be performed by a standard user. Should a user attempt a task that truly requires administrative access, Vista prompts for an administrator's credentials. The bottom line is that administrators can safely prevent users from executing tasks that require administrative privileges, while still giving them the convenience of making routine configuration changes.

A side effect of UAC is that older applications, often written on the assumption that users would always have administrator privileges, may not execute correctly because Vista does not grant them write access to protected locations such as %ProgramFiles%, %SystemRoot% and the HKEY_LOCAL_MACHINE\Software registry hive. To maximize compatibility, Vista includes file system and registry "virtualization": writes to these protected areas are redirected to a per-user virtual location (VirtualStore under the user's profile, and under HKEY_CURRENT_USER\Software\Classes for the registry). Subsequent reads consult the virtual location first, so the application appears to work while never actually touching resources that would require administrative access. Virtualization applies only to legacy 32-bit applications that carry no UAC manifest; it is a compatibility bridge, not a substitute for fixing the application. To help determine whether an existing application will run correctly as a standard user, Microsoft provides the Application Compatibility Toolkit (ACT) [2].

[2] See http://www.microsoft.com/downloads
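As an added example (not part of the guide), the script below checks which token the current PowerShell process holds under UAC, reads the registry values behind the UAC policy settings, and lists the files and registry keys that virtualization has redirected into the user's VirtualStore, which is the quickest way to find legacy applications that still write to protected locations. The policy value defaults quoted in the comments are assumed Vista defaults; the script is for PowerShell 2.0 or later.

```powershell
# Added example: see which token a process holds, read the UAC policy values, and list the
# writes that file and registry virtualization has redirected for legacy applications.

function Test-Elevated {
    # Under Admin Approval Mode the administrator's default (filtered) token carries the
    # Administrators group as 'deny only', so this returns $false until the process is elevated.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacPolicy {
    # Registry values behind the UAC Group Policy settings. Vista defaults (assumed here):
    # EnableLUA=1 (UAC on), ConsentPromptBehaviorAdmin=2 (prompt for consent),
    # ConsentPromptBehaviorUser=1 (prompt for credentials), EnableVirtualization=1.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Get-ItemProperty -Path $key |
        Select-Object EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, EnableVirtualization
}

function Get-VirtualizedWrites {
    # Every entry here is a write that a non-elevated legacy process attempted against
    # %ProgramFiles%, %SystemRoot% or HKLM\Software and that Vista silently redirected.
    # Each one identifies an application to fix (or to give a requestedExecutionLevel manifest).
    $fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    if (Test-Path $fileStore) {
        Get-ChildItem -Path $fileStore -Recurse |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { New-Object PSObject -Property @{ Kind = 'File'; Location = $_.FullName } }
    }
    $regStore = 'HKCU:\Software\Classes\VirtualStore'
    if (Test-Path $regStore) {
        Get-ChildItem -Path $regStore -Recurse |
            ForEach-Object { New-Object PSObject -Property @{ Kind = 'Registry'; Location = $_.Name } }
    }
}

if (Test-Elevated) {
    'Running with the full administrator token.'
} else {
    'Running with the filtered standard-user token; HKLM and Program Files are read-only.'
    # To elevate through the consent prompt, re-launch with the RunAs verb, for example:
    #   Start-Process powershell.exe -Verb RunAs -ArgumentList ('-File "' + $MyInvocation.MyCommand.Path + '"')
}
Get-UacPolicy | Format-List
Get-VirtualizedWrites | Format-Table Kind, Location -AutoSize
```

Note that PowerShell itself carries a manifest, so its own writes are never virtualized; the VirtualStore contents come from the unmanifested applications the user has run.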
A second aspect of UAC is that even processes started by administrators begin with standard user rights by default. When an administrative user logs on, Vista builds two tokens (a mode called Admin Approval Mode): a full administrator token and a filtered standard-user token, in which membership of the Administrators group is marked "deny only" and the sensitive privileges are removed. The standard-user token is the default for every process the administrator starts, reducing the opportunity for malware to obtain administrator privileges. Should the administrator attempt a task that truly requires administrative privileges, he or she is asked to approve the elevation; by default this is a consent prompt (Continue or Cancel) on the secure desktop, and Group Policy can change it to require the password instead.

UAC is highly configurable, and administrators can generally tailor it to their circumstances. However, as with all things Vista, the default is to protect the user and the operating system and provide the maximum practical protection against malware attacks.

Windows Defender

First introduced in 2005 as "Microsoft Windows AntiSpyware," Windows Defender provides anti-spyware capability for Windows XP and Windows Vista. It is based on a product from Giant Company Software, which Microsoft acquired in 2004. According to Microsoft, "Windows Defender helps protect against and remove spyware, adware, rootkits, bots, keystroke loggers, control utilities, and some other forms of so-called 'malware.' (Windows Defender does not provide preventive protection against malware that is classified solely as a worm or virus.)" [3] Note that Microsoft specifically states that Windows Defender is targeted at individual users and does not include enterprise management tools; an enterprise typically manages anti-spyware through its existing desktop management tools.

Windows Defender protects a Vista system through several methods: scheduled system scans for spyware, real-time monitoring, and a "Software Explorer" user interface. Scheduled scans rely on spyware definitions kept up to date by Vista's Automatic Updates. Scans can be scheduled or started manually. Vista enhancements beyond the Windows XP version improve both performance and security: the ability to scan only files that have changed, to run under a security-enhanced account, and to scan executables as they are invoked. Windows Defender also scans files as they are downloaded by Internet Explorer 7.

[3] See http://www.microsoft.com/athome/security/spyware/software/default.mspx
Real-time monitoring employs a set of agents that continually check for unauthorized access to file system elements, changes to system configuration, and the like. There is a long list of agents (Table 1); although each can be switched off in the Windows Defender Options dialog, Microsoft recommends that all agents be enabled.

Table 1. Real-time protection agents supported by Vista's Windows Defender [4]

Auto Start
    Monitors the lists of programs that are allowed to run automatically when the computer starts. Spyware and other potentially unwanted software can be set to run automatically when Windows starts, without the user's knowledge.

System Configuration (Settings)
    Monitors security-related settings in Windows. Spyware and other potentially unwanted software can change hardware and software security settings, and then collect information that can be used to further undermine the computer's security.

Internet Explorer Add-ons
    Monitors programs that automatically run when Internet Explorer is started.

Internet Explorer Configurations (Settings)
    Monitors browser security settings, which are the first line of defense against malicious content on the Internet.

Internet Explorer Downloads
    Monitors files and programs that are designed to work with Internet Explorer, such as ActiveX controls and software installation programs. These files can be downloaded, installed, or run by the browser itself. Spyware and other potentially unwanted software can be included with these files and installed without the user's knowledge.

Services and Drivers
    Monitors services and drivers as they interact with Windows and other programs. Because services and drivers perform essential computer functions, they have access to important software in the operating system. Spyware and other potentially unwanted software can use services and drivers to gain access to a computer or to try to run undetected, like normal operating system components.

Application Execution
    Monitors when programs start and any operations they perform while running. Spyware and other potentially unwanted software can use vulnerabilities in programs to run malicious or unwanted software; for example, spyware can run itself in the background when a program is started. Windows Defender monitors programs and alerts the user if suspicious activity is detected.

Application Registration
    Monitors tools and files in the operating system where programs can register to run at any time, not just when programs are started. Spyware and other potentially unwanted software can register a program to start without notice and run, for example, at a scheduled time each day, collecting information about the computer or gaining access to important software in the operating system without the user's knowledge.

Windows Add-ons
    Monitors add-on programs (also known as software utilities) for Windows. Add-ons are designed to enhance the user's computing experience in areas such as security, browsing, productivity, and multimedia. However, add-ons can also install programs that collect information that could expose sensitive, personal information, often to advertisers.

[4] Adapted from Windows Defender > Options Help

Software Explorer is a user interface that gives users visibility into a system's software and system state. It provides detailed information about currently running software that can affect system security or user privacy. For example, the user can view which programs run automatically when Windows is started, and how these programs interact with other Windows programs and services (Figure 1). Software Explorer helps the user monitor the following items:

  • Startup programs, which run automatically (with or without the user's knowledge) when Vista starts.
  • Currently running programs, whether running on screen or in the background.
  • Network-connected programs, which are programs or processes that can connect to the Internet or to the local area network.
  • Winsock service providers, which perform low-level networking and communication services for Windows and for programs that run on Windows. (A malicious Winsock provider sits in the path of every application's network traffic, which is why this list deserves attention.)

Figure 1. The Software Explorer UI of Windows Defender

Windows Defender is designed to augment third-party anti-malware products. Network administrators in an enterprise environment can use Group Policy to enable or disable Windows Defender; computer manufacturers can choose to have it turned off by default on new systems.
Network Access Protection

Network Access Protection (NAP) is a new platform that validates a computer's health against policy, enforces compliance with health policies, and optionally restricts the network access of computers that do not comply with system health requirements. NAP is a client-server architecture: the client-side agent ships in Windows Vista, while the server side arrives in the next Windows Server release (code-named "Longhorn," in Microsoft's inimitable fashion, and released as Windows Server 2008). NAP is both an infrastructure and an application programming interface (API) that lets vendors and software developers build their own health validation, ongoing compliance, and network isolation components.

NAP prevents a Vista client from connecting to a private network if the system lacks current security updates or virus signatures, or otherwise fails to meet defined health requirements. The NAP agent reports the system's health status (for example, whether current updates are installed) to the enforcement service on the server, which decides whether to grant the client access to the network. Bear in mind that NAP is a compliance control rather than an intrusion control: it evaluates what the client reports about itself, so a compromised client can still present itself as healthy. Client-side NAP is configured through the NAP Client Configuration snap-in to the MMC (Figure 2).

Figure 2. The NAP Client Configuration snap-in
Data Protection and Encryption

A major security issue is unauthorized access to data by someone who physically acquires a computer: lost, stolen, or decommissioned systems that contain critical data. Vista includes technologies that let users protect their data through encryption at the file, folder, or volume level.

Encrypting File System (EFS)

The Encrypting File System (EFS) in Vista is redesigned (from Windows XP) to support storing private keys on smart cards, a new user interface (Figure 3), and tighter integration with public key infrastructure [5]. The new EFS lets administrators store their domain recovery keys on a smart card. To recover a user's files, the administrator need only log on (locally or via Remote Desktop) and use the recovery card to access the files.

Figure 3. The new Certificates snap-in for the Microsoft Management Console (MMC)

The new Certificates snap-in provides tools to back up keys and migrate existing EFS files to new keys. Administrators can set requirements such as minimum encryption strength and the use of smart cards.

[5] See http://en.wikipedia.org/wiki/Public_key_infrastructure

Several new Group Policy options help administrators define and implement organizational EFS policy: requiring smart cards for EFS, enforcing page file encryption, stipulating minimum key lengths, and enforcing encryption of the user's Documents folder. Page file encryption matters because, without it, fragments of decrypted files can be paged to disk in the clear; remember also that EFS protects file contents, not file names or directory structure.

BitLocker Drive Encryption

BitLocker Drive Encryption encrypts an entire Windows volume, preventing access to its data even when the disk drive is physically in the hands of an unauthorized user. Additionally, BitLocker performs integrity checking on early boot components and refuses to release the volume key if it detects tampering with boot files or data. Note that BitLocker is available only in the Vista Ultimate and Vista Enterprise editions.

BitLocker uses version 1.2 TPM security hardware [6], available on most new systems, to help secure the encryption keys and to resist software-based attacks on system integrity and on the data, applications, DLL files, and other files stored on the operating system volume. Protection is achieved by encrypting the entire Windows system volume, including user files, system files, the page file, and the hibernation file. Once BitLocker has authenticated access to the protected operating system volume, a filter driver beneath the file system encrypts and decrypts disk sectors transparently as data is written to and read from the volume. When the computer hibernates, the hibernation file is likewise written encrypted to the protected volume. According to Microsoft, the performance penalty for encryption and decryption is minimal.

To provide system integrity protection, BitLocker uses the TPM to collect and store measurements (hashes) of components from several stages of the boot process, building up a system "fingerprint" in the TPM's platform configuration registers. The fingerprint stays the same from boot to boot unless a measured boot component is changed. BitLocker seals the volume key to the expected fingerprint; only when the measurements taken at boot match does the TPM release the key that unlocks the rest of the data.
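To make the sealing step concrete, the following PowerShell script is an added model, not Microsoft's code and not how BitLocker is implemented internally: it reproduces the TPM 1.2 PCR extend operation (SHA-1 over the previous register value concatenated with the hash of the measured component), derives a wrapping key from the final register value, and shows that a sealed volume key is recoverable after an unchanged boot but not after one boot stage has been altered. The four boot stage contents are constructed stand-ins, and SHA-256 plus AES in CBC mode stand in for the TPM's own key derivation and sealing.

```powershell
# Added example (a model, not Microsoft's code): how a key sealed to TPM boot measurements
# behaves. Each measured boot stage is hashed and 'extended' into a register exactly as a
# TPM 1.2 PCR is: PCR <- SHA1(PCR || SHA1(stage)). The volume key is then wrapped under a key
# derived from the final register value. Change any measured stage (or its order) and the
# register differs, so the wrapped key cannot be recovered. The stage contents are constructed
# stand-ins for the real MBR, boot sector, boot manager and OS loader images.

$sha1   = [System.Security.Cryptography.SHA1]::Create()
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$utf8   = [System.Text.Encoding]::UTF8

function Invoke-PcrExtend {
    param([byte[]]$Pcr, [byte[]]$Stage)
    $digest = $sha1.ComputeHash($Stage)
    $sha1.ComputeHash([byte[]]($Pcr + $digest))
}

function Get-BootFingerprint {
    param([object[]]$BootChain)
    $pcr = New-Object byte[] 20                   # a PCR is all zeros at power-on
    foreach ($stage in $BootChain) { $pcr = Invoke-PcrExtend $pcr ([byte[]]$stage) }
    $out = [byte[]]$pcr
    return ,$out
}

function ConvertTo-Hex { param([byte[]]$Bytes) ([BitConverter]::ToString($Bytes)) -replace '-', '' }

function New-AesFromFingerprint {
    param([byte[]]$Fingerprint)
    $aes = New-Object System.Security.Cryptography.RijndaelManaged
    $aes.Key = $sha256.ComputeHash($Fingerprint)   # stand-in KDF: AES-256 key = SHA-256(final PCR)
    $aes.IV  = New-Object byte[] 16                # fixed zero IV is acceptable for one wrap per key
    return $aes
}

function Protect-VolumeKey {
    param([byte[]]$VolumeKey, [byte[]]$Fingerprint)
    # Seal key || SHA-256(key); the hash lets Unprotect-VolumeKey verify before releasing anything.
    $blob = [byte[]]($VolumeKey + $sha256.ComputeHash($VolumeKey))
    $enc  = (New-AesFromFingerprint $Fingerprint).CreateEncryptor()
    $out  = [byte[]]$enc.TransformFinalBlock($blob, 0, $blob.Length)
    return ,$out
}

function Unprotect-VolumeKey {
    param([byte[]]$Sealed, [byte[]]$Fingerprint)
    $dec = (New-AesFromFingerprint $Fingerprint).CreateDecryptor()
    try   { $plain = $dec.TransformFinalBlock($Sealed, 0, $Sealed.Length) }
    catch { return $null }                         # a wrong key almost always breaks the padding
    if ($plain.Length -ne 64) { return $null }
    $key = [byte[]]$plain[0..31]; $check = [byte[]]$plain[32..63]
    if ((ConvertTo-Hex $check) -ne (ConvertTo-Hex ($sha256.ComputeHash($key)))) { return $null }
    return ,$key
}

# Constructed boot chain (firmware/MBR, boot sector, boot manager, OS loader) and a random volume key.
$cleanBoot = @($utf8.GetBytes('MBR'), $utf8.GetBytes('BOOTSECT'), $utf8.GetBytes('bootmgr 6.0'), $utf8.GetBytes('winload.exe 6.0'))
$volumeKey = New-Object byte[] 32
(New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($volumeKey)

$sealed = Protect-VolumeKey $volumeKey (Get-BootFingerprint $cleanBoot)
'Fingerprint:                ' + (ConvertTo-Hex (Get-BootFingerprint $cleanBoot))
'Clean boot releases key:    ' + ($null -ne (Unprotect-VolumeKey $sealed (Get-BootFingerprint $cleanBoot)))

# Replace the OS loader with a modified one (what a bootkit does) and try again.
$tamperedBoot = $cleanBoot.Clone(); $tamperedBoot[3] = $utf8.GetBytes('winload.exe 6.0 + bootkit')
'Tampered boot releases key: ' + ($null -ne (Unprotect-VolumeKey $sealed (Get-BootFingerprint $tamperedBoot)))
```

The same property explains the operational side of BitLocker: a legitimate boot manager update or firmware change alters the fingerprint just as a bootkit does, which is why the recovery password must be stored somewhere other than the protected machine.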
After the TPM releases the key, startup continues and protection is handed over to the running operating system. BitLocker can optionally be configured to halt the normal boot process until the user supplies a PIN or inserts a USB flash drive that contains key material. In TPM-only mode the volume unlocks with no user secret at all, so whoever boots the machine reaches the logon screen; where the threat model includes an attacker with physical possession of the machine, require the PIN or USB key as well.

[6] See http://www.trustedcomputinggroup.org/

Other Security Enhancements

Address Space Layout Randomization

To make attacks on operating system code harder, Vista introduces Address Space Layout Randomization (ASLR). ASLR loads system executables and DLLs at randomly chosen virtual base addresses (a new base is selected from 256 candidate locations at each boot) and randomizes the location of each process's stack and heap. Randomizing these locations reduces the likelihood that malicious code can exploit a known function or buffer by its address alone, since an exploit that hard-codes addresses must now guess. Two caveats apply: only images linked with the /DYNAMICBASE flag are relocated, so legacy third-party executables and DLLs still load at their preferred addresses and hand an attacker a fixed target; and ASLR is most effective in combination with Data Execution Prevention (DEP), which Vista also supports on capable processors.
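Whether a given binary benefits from ASLR and DEP can be read from its PE header. The script below is an added example, not from the guide: it checks the DYNAMIC_BASE and NX_COMPAT bits of the DllCharacteristics field for one file and then audits a directory (Program Files by default) for images that do not opt in. It assumes PowerShell 2.0 or later and handles both 32-bit (PE32) and 64-bit (PE32+) images.

```powershell
# Added example (not part of the guide): check whether an executable or DLL opts in to the
# Vista ASLR and DEP protections. Only images linked with /DYNAMICBASE get a randomized base;
# the flag lives in the PE optional header's DllCharacteristics field.

function Get-PeMitigations {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 64 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not a PE file (no MZ header)"
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)            # e_lfanew
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x4550) { # "PE\0\0"
        throw "$Path has no PE signature"
    }
    $optHeader = $peOffset + 4 + 20                               # after signature and COFF header
    $magic     = [BitConverter]::ToUInt16($bytes, $optHeader)     # 0x10B = PE32, 0x20B = PE32+
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    $dllChar   = [BitConverter]::ToUInt16($bytes, $optHeader + 70)
    New-Object PSObject -Property @{
        Path        = $Path
        Is64Bit     = ($magic -eq 0x20B)
        DynamicBase = (($dllChar -band 0x0040) -ne 0)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE -> ASLR
        NxCompat    = (($dllChar -band 0x0100) -ne 0)   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT -> DEP
    }
}

function Get-AslrAudit {
    # Lists every binary under the directory that will still load at its preferred base.
    # Legacy third-party code typically shows DynamicBase = False.
    param([string]$Directory = $env:ProgramFiles)
    Get-ChildItem -Path $Directory -Recurse -Include '*.exe','*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object { try { Get-PeMitigations $_.FullName } catch { } } |
        Where-Object { -not $_.DynamicBase }
}

Get-PeMitigations "$env:SystemRoot\system32\ntdll.dll" | Format-List Path, Is64Bit, DynamicBase, NxCompat
Get-AslrAudit | Format-Table Path, DynamicBase, NxCompat -AutoSize
```

A system DLL such as ntdll.dll reports both bits set; any application binary that reports DynamicBase False is one an exploit can target with fixed addresses regardless of the operating system's ASLR.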
Internet Explorer Enhancements

Internet Explorer 7 on Vista supports a new feature called Protected Mode. In Protected Mode, Internet Explorer 7 runs with reduced rights (at the "low" integrity level introduced with UAC) to help prevent user or system files and settings from being changed without the user's explicit permission. Even if a malicious site exploits a vulnerability in Internet Explorer, the site's code will not have enough privilege to install software, copy files to the user's Startup folder, or hijack browser settings. Protected Mode depends on UAC, so it is unavailable when UAC is turned off.

A new version of the Internet Explorer Administration Kit (IEAK) simplifies the creation of customized deployment packages. With Internet Explorer 7, administrators have centralized control over settings through Group Policy in the Active Directory® directory service.

Integrated Rights Management Services Client

Microsoft's Rights Management Services (RMS) helps protect the security and integrity of sensitive information in an enterprise. Vista includes an integrated RMS client, which reduces the number of additional components that must be installed on the desktop and the IT intervention required for deployment. The Vista implementation of RMS also includes smart card integration and longer encryption key lengths. With the Windows Server "Longhorn" release, RMS will integrate with Active Directory Federation Services, allowing companies to share sensitive information with partners in the same manner as they protect internal information. RMS also understands the new XML Paper Specification and has deeper integration with Microsoft SharePoint®, Microsoft's suite of content management software.
Networking

Microsoft Windows Vista includes significantly improved networking technology, including a new TCP/IP stack, improved wireless networking management, and multiple security enhancements. According to Microsoft, Vista's improvements represent the largest set of networking innovations since Windows 95 [7], and benefit users as well as administrators.

New TCP/IP Stack

The TCP/IP protocol stack has been completely rewritten for Vista, with redesigned implementations of both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). According to Microsoft, the redesign addresses connectivity, ease of use, management, reliability, and security [8].

IPv6 Support

Vista supports both IPv4 and IPv6 through a dual IP layer architecture. IPv6 is enabled by default, with no additional steps required of the administrator. The dual IP layer supports gradual migration using IPv6 transition technologies (6to4, ISATAP, and Teredo) that tunnel IPv6 traffic across private IPv4 networks or the IPv4 Internet. Applications and services that support both protocols will by default prefer IPv6 over IPv4, although the administrator can change this preference. Because the transition technologies are also enabled by default, a network that inspects or filters only IPv4 traffic can carry tunneled IPv6 connections it never sees; on networks that do not use IPv6, disable the tunnel interfaces or block them at the firewall.

Higher performance

The Vista networking stack includes multiple performance improvements. In a lossy environment such as streaming audio and video, throughput improves through enhanced loss recovery: the sender keeps transmitting new data while retransmitting the segments that a partial acknowledgement reports as missing, rather than stalling. Another significant change is automatic resizing of the TCP receive window. Receive Window Auto-Tuning continually monitors the bandwidth and latency of each TCP connection and adjusts the receive window size for that connection; for example, on a high-bandwidth, high-latency path the window grows so that more data is in flight at once, increasing overall throughput [9].

To further improve performance, Vista can distribute TCP processing across multiple processors (Receive-Side Scaling), and supports network cards that offload TCP/IP processing to hardware on the card (TCP Chimney Offload).

[7] See http://technet.microsoft.com/en-us/windowsvista/aa905086.aspx
[8] See http://www.microsoft.com/technet/network/evaluate/new_network.mspx
[9] See http://www.microsoft.com/technet/community/columns/cableguy/cg1105.mspx
Lastly, Windows Vista supports Microsoft's NetDMA architecture (Direct Memory Access), which reduces the number of data copies in the system by allowing transfers directly between a network card and users' buffers. It requires specific hardware DMA support, such as Intel I/O Acceleration Technology, to be present and enabled.

Simpler connectivity

The proliferation of mobile computers demands much more flexibility in acquiring network connectivity "on the fly," while maintaining a seamless workplace environment and its associated security. Vista contains a new Network and Sharing Center (discussed in Chapter 1), which provides a clear view of current connection status, available wireless networks, a network map of surrounding network resources, and easy ways to create or join ad-hoc wireless networks. Diagnostic tools built into the Network and Sharing Center simplify troubleshooting of connectivity problems, and users can browse network resources from it.

Higher security

Vista networking uses the updated Windows Firewall (discussed in Chapter 1) to create network filtering rules or to require authentication. Network data can be encrypted, and through Network Access Protection (see the "Security" section earlier in this chapter) clients that are deemed unhealthy can be kept off the network. Wireless security has been enhanced with support for more protocols and standards (including WPA2) and tight integration with related security features. For example, Vista examines the capabilities of the wireless network adapter and selects the most secure protocol it supports by default when connecting to or creating a wireless network.

Improved Manageability

Networking manageability has been improved in Vista, largely for managing wireless devices and through additional Group Policy settings. Vista includes a native wireless networking architecture (Native Wi-Fi) as part of its core networking support [10].
Native Wi-Fi provides many benefits, including consistent deployment across many hardware brands and models and more reliable third-party wireless adapter drivers. Vista's wireless features can be managed through Group Policy or command-line scripting (the netsh wlan context) to deploy configuration settings and security requirements across an entire organization.

[10] See http://www.microsoft.com/technet/technetmag/issues/2006/11/VistaNetworking
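The following PowerShell script is an added example, not part of the guide, that audits the stack settings described in this section using the netsh commands present on Vista (the interface tcp, teredo and ipv6 contexts) and wraps the commands that change them: disabling the IPv6 transition tunnels on IPv4-only networks and adjusting the receive window auto-tuning level. The output parsing assumes English netsh output.

```powershell
# Added example (not from the guide): read the new stack's auto-tuning and IPv6 transition
# settings, and expose the commands an administrator uses to change them.

function Get-VistaStackSettings {
    $tcp    = netsh.exe interface tcp show global
    $teredo = netsh.exe interface teredo show state
    $policy = netsh.exe interface ipv6 show prefixpolicies
    New-Object PSObject -Property @{
        AutoTuning   = ($tcp    | Where-Object { $_ -match 'Auto-Tuning Level' }) -replace '.*:\s*', ''
        TeredoState  = ($teredo | Where-Object { $_ -match '^State' })            -replace '.*:\s*', ''
        # Precedence/label/prefix rows; ::/0 ranked above ::ffff:0:0/96 means IPv6 is preferred.
        PrefixPolicy = @($policy | Where-Object { $_ -match '^\s*\d+\s+\d+\s+\S+' })
    }
}

function Disable-Ipv6Transition {
    # Stop tunneled IPv6 from leaving the host on IPv4-only networks. Native IPv6 stays enabled.
    netsh.exe interface teredo set state disabled
    netsh.exe interface 6to4 set state disabled
    netsh.exe interface isatap set state disabled
}

function Set-AutoTuning {
    # 'normal' is the Vista default; 'restricted' or 'disabled' helps behind older firewalls
    # and NAT devices that drop connections using TCP window scaling.
    param([ValidateSet('disabled','highlyrestricted','restricted','normal','experimental')]
          [string]$Level = 'normal')
    netsh.exe interface tcp set global "autotuninglevel=$Level"
}

Get-VistaStackSettings | Format-List AutoTuning, TeredoState, PrefixPolicy
```

Run Disable-Ipv6Transition and Set-AutoTuning from an elevated prompt; the settings persist across reboots, and the same netsh commands can be pushed through a Group Policy startup script.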
Management and Control

New management and control tools in Windows Vista aim to lower cost of ownership by increasing the efficiency of administration, reducing the number of administrative support incidents, and streamlining deployment.

Microsoft Management Console (MMC)

The Microsoft Management Console (MMC) is the main administrator interface for managing Windows-based environments. The new MMC (version 3.0) provides a simpler and more consistent user interface across a wider range of tasks. The new interface adds an Action pane listing every action available to the user for the items currently selected in the tree or results pane, which makes it easier for administrators to discover the capabilities of any management tool built on the MMC framework. The new MMC also provides an "Add or Remove Snap-ins" dialog (Figure 4) to make it easier to organize snap-ins.

Figure 4. The "Add or Remove Snap-ins" dialog for the MMC
Windows Eventing Architecture

The event log service and Event Viewer have been completely rewritten in Vista to improve event management in an enterprise setting [11]. The new eventing architecture offers increased security, performance, and scalability. Event tracing now publishes events asynchronously, greatly reducing the performance impact on instrumented processes. Some events, especially the high-volume analytic and debugging events, are written straight to a file with minimal processing to avoid affecting system performance. Admin and Operational events, which are less frequent, are tagged with information about the current user context and the publishing process, then delivered to their subscribers. Events are now stored and exposed as XML, and the new service supports subscriptions, so events from many machines can be forwarded to a central collector rather than pulled from each one.

The new Event Viewer is a snap-in for the revised Microsoft Management Console (MMC), described above. Its new features include:

New grouping of events for faster access. To improve reporting and analysis, Microsoft analyzed common event types and defined five event types (Table 2). Every event is assigned exactly one of these types, which narrows report queries quickly.

[11] See http://www.microsoft.com/technet/technetmag/issues/2006/11/EventManagement
• 17.

Table 2. New Windows Eventing Architecture event types and typical users

Admin
    Description: The Admin type will suffice for the majority of system administrators. These events are very high level and they often provide enough information to identify a problem and determine its solution. At the very least, Admin events should identify when an issue occurs or indicate when an application, a component, or the system as a whole is in or has recovered from an unhealthy state. Most Admin events are errors or warnings, and they are usually actionable.
    Used by: Administrators, support personnel, and monitoring and analysis programs

Operational
    Description: Like Admin events, Operational events enable problem diagnosis. Operational events consist of more than just errors and warnings; they also inform users about normal operation of an application or OS component. The volume of these events is kept quite low so Operational events can be enabled without affecting system performance. The Operational events, along with the Admin events, are used by support personnel, monitoring utilities, and administrators.
    Used by: Advanced administrators, support personnel, and monitoring and analysis programs

Audit
    Description: Audit events provide a historical record of any resource access or actions taken by the users. These events do not in themselves represent failure or success of the program, but indicate a failure or success of the action. Audit events can be completely disabled or selectively enabled with varying levels of granularity. Security auditing at the OS level is supported (the events can be found in the Security log of the Event Log).
    Used by: Advanced administrators, security auditors, and forensics specialists

Analytic
    Description: Analytic events, which are not very different from Operational events, are logged during normal operation of applications and components. But the volume and detail of Analytic events is much greater than that of Operational events, and therefore they can have a negative effect on system performance. Thus, Analytic events are normally disabled. To make use of Analytic events, enable them before a diagnostic session and then disable them before examining the trace.
    Used by: Support personnel, and monitoring and analysis programs

Debug
    Description: Debug events are also high-volume events that are normally disabled. They are used mainly by developers and are seldom viewed by IT professionals.
    Used by: Developers

New appearance. The event viewer has been improved to provide additional information (Figure 5) while retaining the structure of the Windows XP GUI, allowing administrators familiar with Windows XP to easily begin using it. The viewer provides a new preview pane that will display event information in a “friendly view” or as the raw XML.
• 18.

Figure 5. The redesigned event viewer snap-in for the MMC.

A new event structure based on XML. The standards-based event structure and the published schema simplify reporting and manipulation of events. The new structure also facilitates automation and integration with the Windows Task Scheduler.

New event query capability based on the XPath language, and a user interface for creating queries. An important related improvement is the ability to securely forward events, generally to a system that is dedicated to collecting them.

Additional event attributes for queries and reporting. Events now contain additional information, including the time at which the event occurred, the process ID, the thread ID, the computer name, and the Security Identifier (SID) of the user. The XML provides additional details, including the EventID, Level, Task, Opcode, and Keywords properties.

Increased Automation

The task scheduler is used to automate management and configuration tasks. Vista features a completely redesigned task scheduler interface and a snap-in for the MMC, which combines multiple UIs into a single and consistent interface (Figure 6).
• 19.

Figure 6. The redesigned task scheduler snap-in for the MMC.

Scheduling tasks is much more flexible and comprehensive than in Windows XP. Tasks can be scheduled to run at predefined times, or configured to run when specific events occur. In addition, multiple triggers may be configured to initiate one or more tasks, which may run simultaneously or in a predetermined sequence. Tasks can also be configured to run based on system status, such as being idle for a preconfigured amount of time, startup, logoff, or other triggers. The Task Scheduler supports new security features, including use of the new Credentials Manager for storing passwords, and running tasks at a reduced privilege level (by running the task in its own session instead of in the same session as the administrator).
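The XPath event query described in the Eventing Architecture section and the event-triggered task described in the Increased Automation section, as one added example that is not part of the guide or of ScriptLogic's tools. It assumes PowerShell 2.0 or later (Get-WinEvent is not in the PowerShell 1.0 that was available for Vista RTM), an elevated prompt (the Security log is otherwise unreadable), and placeholder values for the task name, script path and service account. Event ID 4625 is the Windows “An account failed to log on” audit event; timediff() is the Windows event-log extension to XPath.

```powershell
# Added example (not from the ScriptLogic guide): query the Security log with a
# Vista-style XPath filter, then register a Task Scheduler task that uses the same
# kind of event subscription as its trigger.
# Assumes: PowerShell 2.0 or later (Get-WinEvent), an elevated prompt; the task
# name, script path and account below are placeholders.

# XPath written against the Vista event schema: the <System> element carries
# Provider, EventID, Level, TimeCreated, Execution (PID/TID), Computer and Security (SID).
# timediff(@SystemTime) <= 86400000 means "within the last 24 hours".
$FailedLogonQuery = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] " +
                    "and EventID=4625 and TimeCreated[timediff(@SystemTime) <= 86400000]]]"

function Get-FailedLogonReport {
    param(
        [string]$XPath = $FailedLogonQuery,
        [int]$MaxEvents = 50
    )
    # The event log service evaluates the XPath, so only matching records come back;
    # SilentlyContinue avoids a terminating error when nothing matched.
    Get-WinEvent -LogName Security -FilterXPath $XPath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The raw XML shown in the event viewer's XML view is available via ToXml();
            # the provider-specific EventData fields are only reachable through it.
            [xml]$x = $_.ToXml()
            $ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
            $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
            New-Object PSObject -Property @{
                TimeCreated = $_.TimeCreated           # the attributes the chapter lists are
                EventID     = $_.Id                    # exposed directly on each record
                Level       = $_.LevelDisplayName
                Task        = $_.TaskDisplayName
                Opcode      = $_.OpcodeDisplayName
                Keywords    = ($_.KeywordsDisplayNames -join ',')
                ProcessId   = $_.ProcessId
                ThreadId    = $_.ThreadId
                Computer    = $_.MachineName
                UserSid     = $_.UserId
                TargetUser  = $x.SelectSingleNode("//e:Data[@Name='TargetUserName']", $ns).InnerText
                SourceIP    = $x.SelectSingleNode("//e:Data[@Name='IpAddress']", $ns).InnerText
            }
        }
}

function Register-FailedLogonTask {
    param(
        [string]$TaskName = 'Security\Report-FailedLogons',          # placeholder
        [string]$Script   = 'C:\Scripts\Report-FailedLogons.ps1',   # placeholder
        [string]$RunAs    = 'CONTOSO\svc-eventwatch'                 # placeholder account
    )
    # ONEVENT takes the channel (/EC) and an XPath subscription (/MO); the trigger fires
    # for each new matching event. /RL LIMITED runs the action with the account's
    # standard (non-elevated) token. /RU with /RP * prompts once for the password, which
    # the Task Scheduler keeps in the Credential Manager so the task can run whether or
    # not the account is logged on.
    $action = "powershell.exe -NonInteractive -File `"$Script`""
    schtasks.exe /Create /F /TN $TaskName /TR $action /SC ONEVENT /EC Security `
        /MO "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]" `
        /RL LIMITED /RU $RunAs /RP *
    # The stored task definition is XML as well; its EventTrigger/Subscription element
    # holds the query verbatim.
    schtasks.exe /Query /TN $TaskName /XML
}

# Usage (elevated prompt):
#   Get-FailedLogonReport | Sort-Object TimeCreated | Format-Table -AutoSize
#   Register-FailedLogonTask
```

The report function shows why the new attributes matter for operations: process and thread IDs, the computer name and the caller SID come straight off the record, while the fields a responder actually wants (target account, source address) sit in the provider-specific EventData and need the XML view. The same subscription syntax is what the event viewer's filter dialog, the forwarding subscriptions and the task trigger all consume, so one tested query can be reused in all three places.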
• 20.

New Group Policy Management

Vista expands the number of features and components that can be managed with Group Policy, from approximately 1,800 in Windows Server 2003 Service Pack 1 to approximately 2,500 in Vista and the forthcoming Windows Server “Longhorn.” The new policies, which are primarily security-related, are grouped by category as summarized in Table 3 [12]. Group Policy template files, previously known as ADM files, have a new format based on XML. The new template files have the ADMX suffix. For domain-based Group Policy objects (GPOs), the ADMX files can be centrally stored, and all computers on the domain use the File Replication Service to retrieve them and configure themselves. Group policies can be set and edited via the Group Policy Management Console (GPMC) MMC snap-in, or by using the Group Policy Object Editor.

Table 3. New or Expanded Group Policy Settings

Antivirus
    Manages behavior for evaluating high-risk attachments.
Background Intelligent Transfer Service (BITS)
    Configures the new BITS Neighbor Casting feature to facilitate peer-to-peer file transfer within a domain. This feature is supported in Windows Vista and Windows Server “Longhorn.”
Client Help
    Determines where users access Help systems that may include untrusted content.
Deployed Printer Connections
    Deploys printer connections to computers or users.
Device Installation
    Allows or denies a device installation, based upon the device class or ID.
Disk Failure Diagnostic
    Controls the level of information displayed by the disk failure diagnostics.
DVD Video Burning
    Customizes video disc authoring.
Enterprise Quality of Service (QoS)
    Alleviates network congestion issues by enabling central management of Windows Vista network traffic.
Hybrid Hard Disk
    Configures the hybrid hard disk (with non-volatile cache) properties.
Internet Explorer 7
    Replaces and expands the current settings in the Internet Explorer Maintenance extension to allow administrators the ability to read the current settings without affecting values.
Networking: Quarantine
    Manages three components: Health Registration Authority (HRA), Internet Authentication Service (IAS), and Network Access Protection (NAP).
Networking: Wired/Wireless
    Applies a generic architecture for centrally managing existing and future media types.
Power Management
    Configures any current power management options in the Control Panel.
Removable Storage
    Allows administrators to protect corporate data by limiting the data that can be read from and written to removable storage devices.
Security Protection
    Combines the management of both the Windows Firewall and IPsec technologies to reduce the possibility of creating conflicting rules.

[12] See http://technet2.microsoft.com/WindowsVista/en/library/a8366c42-6373-48cd-9d11-2510580e48171033.mspx
• 21.

Table 3. New or Expanded Group Policy Settings. Continued.

Shell Application Management
    Manages access to the toolbar, taskbar, Start menu, and icon displays.
Shell First Experience, Logon, and Privileges
    Configures the logon experience to include expanded Group Policy settings.
Shell Sharing, Sync, and Roaming
    Customizes selected schedules and behaviors.
Shell Visuals
    Configures desktop display attributes.
Tablet PC
    Configures Tablet PC.
Terminal Services
    Configures features to enhance security, ease-of-use, and manageability of Terminal Services remote connections.
Troubleshooting and Diagnostics
    Controls the diagnostic level from automatically detecting and fixing problems to indicating to the user that assisted resolution is available.
User Account Protection
    Configures selected properties of user accounts.
Windows Error Reporting
    Disables Windows Feedback only for Windows or for all components. By default, Windows Feedback is turned on for all Windows components.

Reliability and Performance Monitoring

The reliability and performance monitoring utilities have been substantially rewritten for Vista to make analysis more comprehensive, and to make it easier to pinpoint bottlenecks or misbehaving processes. New features have been added, and the performance and monitoring tools have been consolidated into the MMC [13]. Some of the major new reliability and performance features include those described below.

Data Collector Sets group data collectors into reusable elements, allowing scheduled collection of a Data Collector Set to create logs, loading it in Performance Monitor to see the data in real time, or saving it as a template to use on other computers.

The new Resource View screen provides a real-time overview of CPU, disk, network, and memory usage (Figure 7). Each of these metrics can be expanded upon, providing per-process information that can be sorted on multiple keys.
The detailed report provides at-a-glance usage by process.

[13] See http://technet2.microsoft.com/WindowsVista/en/library/ab3b2cfc-b177-43ec-8a4d-0bfac62d88961033.mspx
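Returning to the ADMX central store mentioned in the New Group Policy Management section above: the following is an added example, not code from the guide or from ScriptLogic, of building that store on SYSVOL and checking it is complete. It assumes a domain-joined Vista (or later) machine whose local %SystemRoot%\PolicyDefinitions holds the templates to publish, an account that can write to SYSVOL, and a placeholder domain name.

```powershell
# Added example (not from the ScriptLogic guide): create the Group Policy central store
# for ADMX/ADML templates on SYSVOL and verify that every local template made it there.
# Assumes: domain-joined machine, account with write access to SYSVOL; the domain
# name is a placeholder.

function New-AdmxCentralStore {
    param(
        [string]$Domain = 'contoso.local',                                  # placeholder
        [string]$Source = (Join-Path $env:SystemRoot 'PolicyDefinitions')   # local ADMX set
    )
    # GPMC and the Group Policy Object Editor look for
    # \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions. When that folder exists they
    # read templates from it instead of the local copy, and SYSVOL replication carries
    # it to every domain controller, so all editors see the same template set.
    $target = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    if (-not (Test-Path $Source)) { throw "No ADMX templates found at $Source" }

    # Copy .admx files and the per-language .adml resource subfolders (e.g. en-US).
    # /E keeps subfolders; /XO skips files that are already present and not older, so a
    # re-run only adds newer templates and never overwrites a customised one.
    robocopy.exe $Source $target *.admx *.adml /E /XO /NJH /NJS /NP | Out-Null
    # robocopy exit codes below 8 are success variants; 8 and above mean failures.
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

    # Verify: every local .admx must now exist in the central store.
    $missing = @(Get-ChildItem -Path $Source -Filter *.admx | Where-Object {
        -not (Test-Path (Join-Path $target $_.Name))
    } | ForEach-Object { $_.Name })

    New-Object PSObject -Property @{
        CentralStore = $target
        AdmxInStore  = @(Get-ChildItem -Path $target -Filter *.admx).Count
        AdmlInStore  = @(Get-ChildItem -Path $target -Recurse -Filter *.adml).Count
        MissingAdmx  = $missing
    }
}

# Usage:
#   $result = New-AdmxCentralStore -Domain 'contoso.local'
#   if ($result.MissingAdmx.Count -gt 0) { Write-Warning "Incomplete: $($result.MissingAdmx -join ', ')" }
```

Checking the copy matters because the editors silently fall back to whatever subset the store contains: a missing .admx simply hides its settings from the console, and a missing .adml for the editor's language produces errors when the GPO is opened.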
• 22.

Figure 7. The new at-a-glance resource view screen.

A new Reliability Monitor calculates a System Stability Index that reflects whether unexpected problems reduced the reliability of the system. See details in the Reliability Monitor section below.

Unified property configuration for data collection and scheduling consolidates the interface for creation and modification of Data Collector Sets. Sets that prove useful can be saved or propagated to other systems for analyzing the performance and reliability of user populations.

A new reporting interface, largely based on the Server Performance Advisor in Windows Server 2003. The new user interface is more flexible and thorough, allowing reports to be quickly generated from any Data Collector Set. Of course, Vista includes preconfigured performance and diagnosis reports for quick analysis and troubleshooting.

Performance Monitor

The performance monitoring tools for Vista combine multiple Windows XP utilities (Performance Logs and Alerts, Server Performance Advisor, Performance Monitor, and System Monitor) and wrap them in the new standard MMC GUI. Using the performance monitor, administrators can monitor nearly every aspect of system performance, presenting the information graphically or in report format. The performance monitor is a component of the Windows Performance Diagnostic Console, a snap-in for MMC (Figure 8). The console displays real-time information, allows for alerts and automatic actions, and supports report generation. It can also be used to recall historical data.
• 23.

Figure 8. A sample of the Vista Performance Monitor.

Configuring the performance monitor to sample selected metrics is a drag-and-drop operation. Multiple metrics can be combined and saved as custom Data Collector Sets, which can be recalled at any time.

Reliability Monitor

The reliability monitor offers a graph of the system’s stability over time, and generates a “stability index” that quickly quantifies the overall reliability of the system, its software, and applications (Figure 9). The user can quickly zoom in on each day and/or event and generate a snapshot stability report, which provides details on the incident. For example, a user can view a graphical log of changes to the system (installation or removal of applications, or updates to the operating system) side by side with a similar log of failures (application, operating system, or hardware failures). The comparison helps quickly pinpoint events that lead to reliability issues.
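The Data Collector Set workflow from the Reliability and Performance Monitoring sections above (create a set, log it, export it as a template for other computers, and read the log back), as an added example that is not code from the guide or from ScriptLogic. It uses logman.exe, the command-line counterpart of the Performance Monitor snap-in, and Import-Counter from PowerShell 2.0 or later; the set name and output folder are placeholders, and the counters chosen mirror the four Resource View panes.

```powershell
# Added example (not from the ScriptLogic guide): a baseline Data Collector Set built
# with logman.exe, exported as an XML template, and summarised from its binary log.
# Assumes: elevated prompt on Vista or later, PowerShell 2.0+ (Import-Counter);
# the set name and output folder are placeholders.

function New-BaselineCollectorSet {
    param(
        [string]$Name   = 'Baseline-CPU-Disk-Net-Mem',   # placeholder
        [string]$OutDir = 'C:\PerfLogs\Baseline',        # placeholder
        [int]$IntervalSeconds = 15
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    # One counter per Resource View pane. A 15 s interval keeps overhead negligible;
    # bincirc with -max 100 makes the log a 100 MB ring so a forgotten collector
    # cannot fill the disk.
    $counters = @(
        '\Processor(_Total)\% Processor Time',
        '\Memory\Available MBytes',
        '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
        '\Network Interface(*)\Bytes Total/sec'
    )
    logman.exe create counter $Name -c $counters -si $IntervalSeconds `
        -o (Join-Path $OutDir $Name) -f bincirc -max 100
    if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }

    # Save the definition as a template; on another machine:
    #   logman import -n <name> -xml <file>
    $template = Join-Path $OutDir "$Name.xml"
    logman.exe export -n $Name -xml $template
    return $template
}

function Start-BaselineCollector { param([string]$Name) logman.exe start $Name }
function Stop-BaselineCollector  { param([string]$Name) logman.exe stop  $Name }

function Get-BaselineSummary {
    param([string]$OutDir = 'C:\PerfLogs\Baseline')   # placeholder
    # Import-Counter reads the .blg files the collector wrote; each sample set carries
    # one PerformanceCounterSample per counter path with the cooked (display) value.
    Get-ChildItem -Path $OutDir -Recurse -Filter *.blg |
        ForEach-Object { Import-Counter -Path $_.FullName } |
        ForEach-Object { $_.CounterSamples } |
        Group-Object -Property Path |
        ForEach-Object {
            New-Object PSObject -Property @{
                Counter = $_.Name
                Samples = $_.Count
                Average = [math]::Round(($_.Group | Measure-Object -Property CookedValue -Average).Average, 2)
                Maximum = [math]::Round(($_.Group | Measure-Object -Property CookedValue -Maximum).Maximum, 2)
            }
        }
}

# Usage (elevated prompt):
#   New-BaselineCollectorSet
#   Start-BaselineCollector -Name 'Baseline-CPU-Disk-Net-Mem'
#   ... let it run during a representative period ...
#   Stop-BaselineCollector  -Name 'Baseline-CPU-Disk-Net-Mem'
#   Get-BaselineSummary | Format-Table Counter, Samples, Average, Maximum -AutoSize
```

The exported XML is the same template the snap-in produces with “Save Template”, so a set tuned in the GUI and one scripted this way are interchangeable. Keeping a baseline log from a known-good period is what makes the later comparison meaningful: a bottleneck or misbehaving process shows up as a departure from the recorded averages rather than as an absolute number that has to be interpreted on its own.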
• 24.

Figure 9. A view of the reliability monitor snap-in to the MMC.

Feature Assessment

We will wrap up this chapter with an admittedly subjective assessment of the impact the features discussed in this chapter might have on a typical enterprise. For this assessment, we will assume a hypothetical enterprise environment, specifically:

• Desktops are centrally managed, either with Microsoft’s Group Policy infrastructure, some sort of enterprise desktop management tool such as ScriptLogic’s Desktop Authority, or a combination of both.
• Most desktop users have a fairly static environment (a collection of corporate and third-party applications) and are continuously connected to the corporate network.
• The enterprise has a moderate number of mobile users that move about within the enterprise, with a subset that travels worldwide.

For each of the features described in the preceding sections, we make an assessment of the feature’s impact on the bottom line: the return on the investment in upgrading the desktop to Windows Vista.
• 25.

Table 4. An assessment of Vista’s new features on enterprise productivity. (Columns in the original: Feature; Impact on productivity/usefulness, rated -, neutral, or +; Comments.)

Security

Security Development Lifecycle
    The improved development methodologies won’t have a direct impact on productivity; however, in the long run SDL should produce higher-quality code.
Windows Services Hardening
    Hardening should go a long way in reducing malware-induced incidents; we expect a substantial impact. This could be offset by its effects on certain applications.
User Account Control
    The reduced privilege level of users should reduce malware-induced incidents; however, this could be offset by the sheer annoyance of UAC, and by its effects on applications that assumed administrator privileges.
Windows Defender
    Defender will probably not have a substantial impact on an enterprise since most environments already employ a third-party anti-spyware product.
Network Access Protection
    Properly implemented, NAP will improve overall security. However, we will have to wait for Vista Server “Longhorn” for implementation.
Data Protection and Encryption
    Data protection features, especially on mobile systems, should dramatically improve data security and reduce lawsuits.
Other Security Enhancements
    The miscellaneous security enhancements described in this chapter should benefit overall security.

Networking

New TCP/IP Stack
    The new TCP/IP stack won’t be outwardly noticeable, but should help migration to IPv6, improve performance, and improve mobility and security for mobile users.
Simpler connectivity
    For most administrators, simpler connectivity shouldn’t have much of an impact.
Higher security
    Higher-security networking will be beneficial for mobile users.
Improved Manageability
    Manageability options, especially new Group Policy settings, will provide administrators with additional control options.
• 26.

Table 4. An assessment of Vista’s new features on enterprise productivity. Continued.

Management and Control

Microsoft Management Console (MMC)
    The new MMC provides a consistent interface; however, most administrators are familiar with the old ones.
Windows Eventing Architecture
    The new Eventing Architecture will provide administrators with additional information when diagnosing performance or application problems.
Increased Automation
    Much-needed improvements to task scheduling will open up new ways of automating today’s manual chores.
New Group Policy Management
    For administrators that use GP, the new settings will provide additional ways of managing desktops; however, sorting through the 800-odd new settings will require research.
Reliability and Performance Monitoring
    The new reliability and performance monitoring tools will provide administrators with additional information when diagnosing performance or application problems.

Summary

In contrast to the user-visible features reviewed in Chapter 1, it is our opinion that the core improvements covered in this chapter have more of an impact on an enterprise. As might be expected, improvements in security, networking, and management tools should substantially improve an IT manager’s life. Features of particular note are Network Access Protection (once “Longhorn” is available and an enterprise is able to implement it), increased automation, and improved networking for mobile users. Group Policy improvements also enhance an administrator’s control over a large population of desktops, improving security and ostensibly reducing user incidents. That said, the deployment of Vista, and related activities, are not for the faint of heart, as we shall see in the next chapter, “Preparing for Vista Deployment.”