The Ten Things to Do First for Windows 7 – Part 2
The first part of this article is here.
6. Prepare for distributed security.
During your initial strategy meeting, set aside time to discuss how you want to handle the many distributed security features in Windows 7. You’ll want to determine a course of action early in the project because those decisions will have a substantial impact on your test matrix.
First, consider whether you want to turn on the desktop firewall. When OS-based desktop firewalls were first introduced in XP SP1, many organizations turned them off with a Group Policy and that was that. The firewall in Windows 7 is much more flexible and warrants reconsideration. You can turn off the firewall while the machine is connected to the domain and turn it on when the machine is connected to a home/work network or to the Internet. You can define granular exclusions, too. Try a mix of options with the first wave of pilot users; take their feedback, along with input from your security team, to make a final decision on firewall settings. All of these settings are configurable by Group Policy.
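The per-profile arrangement described above (off on the domain, on for home/work and public networks, plus one granular program exception), as an added example that is not from the article. It uses the `netsh advfirewall` context that ships with Windows 7 so the result can be seen on a single pilot machine; in production the same settings would come from the Windows Firewall with Advanced Security node in Group Policy. The program path is a placeholder, and the script must run from an elevated prompt.

```powershell
# Added example (not from the article): set the Windows 7 firewall state per
# network profile and add one granular program exception, then verify.
# Run elevated. The program path is a placeholder.

$exampleApp = 'C:\Program Files\ExampleVendor\lobclient.exe'   # placeholder path

# Domain profile: the article's scenario is "off while on the domain".
netsh advfirewall set domainprofile state off

# Private (home/work) and public profiles: on, block unsolicited inbound,
# allow outbound.
netsh advfirewall set privateprofile state on
netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound
netsh advfirewall set publicprofile  state on
netsh advfirewall set publicprofile  firewallpolicy blockinbound,allowoutbound

# A granular exclusion: one program, one profile, inbound only.
netsh advfirewall firewall add rule name="LOB client (inbound)" dir=in `
    action=allow program="$exampleApp" profile=private enable=yes

# Verify: parse 'show allprofiles' into a small table so a pilot technician
# can confirm the outcome at a glance.
function Get-FirewallProfileState {
    $text = netsh advfirewall show allprofiles
    $current = $null
    foreach ($line in $text) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            $current = $Matches[1]
        } elseif ($current -and $line -match '^State\s+(\w+)') {
            New-Object PSObject -Property @{ Profile = $current; State = $Matches[1] }
        }
    }
}

Get-FirewallProfileState | Format-Table Profile, State -AutoSize
```

The verification function is the part worth keeping: run it before and after the Group Policy refresh on pilot machines to confirm that the policy, not a leftover local setting, is what determines each profile's state.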
Second, do you want to use AppLocker to restrict applications permitted to run on your desktops? AppLocker allows you to put together a whitelist of approved executables that you can select individually by file hash, in groups by location or in groups by publisher (that is, signed by the publisher’s certificate). Once configured, these rules are downloaded by Windows 7 clients running the Application Identity service. From that point forward, only the whitelisted apps can execute. All other executables are forced to sit on the sidelines, kind of like me during my high-school athletic career.
Because AppLocker permissions are applied via Group Policy, you can tightly target the rules to computers based on OU, group membership or WMI filters.
Sifting through a mountain of applications trying to determine which should be on an AppLocker whitelist doesn’t sound like much fun, but the situation shouldn’t come to that. Most line-of-business machines have a fixed and limited suite of apps. Start there. After all, if you can keep the night crews from plugging flash drives into your factory kiosk machines to run games rather than build widgets, you’ve solved quite a few operational problems. Deal with the back-office machines later.
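The workflow the three paragraphs above describe (inventory a fixed suite of apps, generate publisher and hash rules, test before enforcing, rely on the Application Identity service), as an added example that is not from the article. It uses the AppLocker PowerShell module that ships with Windows 7 Enterprise/Ultimate; the reference directories, output path and candidate executables are placeholders and must exist on the pilot machine. Run elevated.

```powershell
# Added example (not from the article): build an AppLocker whitelist from the
# executables present on a reference line-of-business machine, dry-run it
# against candidate files, then enforce it locally on a pilot machine.
Import-Module AppLocker

$referenceDirs = 'C:\Program Files\ExampleVendor', 'C:\Windows\System32'   # placeholders
$policyXml     = 'C:\AppLockerPilot\lob-whitelist.xml'                     # placeholder
New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null

# 1. Inventory: collect publisher (signature) and hash data for every EXE.
$fileInfo = foreach ($dir in $referenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}

# 2. Generate rules: publisher rules where a binary is signed (they survive
#    patching), hash rules for unsigned binaries. -Optimize merges rules
#    that share a publisher.
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml | Out-File -Encoding UTF8 $policyXml

# 3. Dry run: what would the policy decide for a few candidate executables?
#    The second path is a placeholder standing in for an unapproved program.
$candidates = 'C:\Windows\System32\notepad.exe', 'C:\Temp\unapproved.exe'
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $candidates -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Enforce locally on the pilot machine (without -Merge, the XML replaces the
#    existing local policy). For the real rollout, import into a GPO instead:
#    Set-AppLockerPolicy -XmlPolicy $policyXml -Ldap "LDAP://<placeholder DN>"
Set-AppLockerPolicy -XmlPolicy $policyXml

# 5. Rules are only evaluated while the Application Identity service runs.
Set-Service   -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
```

Step 3 is the one that saves the help desk: running `Test-AppLockerPolicy` over the full inventory of a pilot group's machines before enforcement shows exactly which binaries would be blocked, so the list of exceptions is known before anyone is locked out.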
Finally, are you going to protect your laptops and flash drives with encryption? If your executives and managers and knowledge workers are out walking around with data drives filled with valuable intellectual property, then the answer should be a resounding yes. BitLocker allows you to encrypt the entire hard drive and all the data on it. BitLocker To Go extends this encryption to cover flash drives and other portable media. You really do need to deploy it.
Now, I’m not saying that you should simply flip on the BitLocker policy in Group Policy, encrypt a bunch of drives and walk away. As with any other encryption-based technology, you must carefully think through the options. Don’t be that person whom others tell stories about for years, as in “Remember when the CEO got locked out of her laptop an hour before the annual meeting and poor old hadn’t arranged for an enterprise recovery key?” It would be smart to engage a consultant who’s experienced with enterprise-level drive encryption and BitLocker implementations. The main thing is: Don’t let the complexity scare you. The alternative is even scarier. After all, the story people tell for years after the fact could be something like “Remember when we used to have a company before organized crime got its hands on the CFO’s laptop?”
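The "enterprise recovery key" point above in script form, as an added example that is not from the article: a recovery password protector is created and escrowed to Active Directory before encryption is turned on, and the script refuses to proceed if the backup fails. It uses the `manage-bde.exe` tool and the `Win32_Tpm` WMI class that ship with Windows 7, and assumes the Group Policy setting that stores BitLocker recovery information in AD DS has already been applied to the pilot machine. Run elevated.

```powershell
# Added example (not from the article): enable BitLocker on a pilot laptop only
# after a recovery password exists and has been backed up to AD DS.
# Assumes the AD DS recovery-backup Group Policy setting is in effect.

$drive = 'C:'

function Get-RecoveryProtectorIds([string]$Volume) {
    # manage-bde lists each protector's type, then its ID in braces on a
    # following line; collect the IDs that belong to Numerical Password
    # (recovery password) protectors.
    $out = manage-bde -protectors -get $Volume
    $ids = @()
    for ($i = 0; $i -lt $out.Count; $i++) {
        if ($out[$i] -match 'Numerical Password') {
            for ($j = $i + 1; $j -lt $out.Count; $j++) {
                if ($out[$j] -match '(\{[0-9A-Fa-f-]{36}\})') { $ids += $Matches[1]; break }
            }
        }
    }
    return $ids
}

# 1. Preflight: is there an enabled TPM? If not, this machine needs a
#    different protector design (USB startup key or PIN), not this script.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm -or -not $tpm.IsEnabled().IsEnabled) {
    throw 'No enabled TPM found; stop and plan a non-TPM protector design instead.'
}

# 2. Add a recovery password protector BEFORE encryption starts.
if ((Get-RecoveryProtectorIds $drive).Count -eq 0) {
    manage-bde -protectors -add $drive -RecoveryPassword | Out-Null
}

# 3. Escrow every recovery protector to AD and stop if any backup fails.
foreach ($id in Get-RecoveryProtectorIds $drive) {
    manage-bde -protectors -adbackup $drive -id $id
    if ($LASTEXITCODE -ne 0) { throw "AD backup failed for protector $id; do not encrypt yet." }
}

# 4. Only now add the TPM protector and start encrypting.
manage-bde -protectors -add $drive -TPM
manage-bde -on $drive
manage-bde -status $drive
```

The ordering is the whole point: `manage-bde -on` is the last command, so a laptop never reaches the encrypted state without a recovery password that the help desk can retrieve from AD.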
7. Virtualize your desktops.
Imagine this: You’ve spent a few weeks or months designing your standard Windows 7 desktop image. You’ve worked hard to resolve technical issues and you’ve found ways to quickly move applications and user data between machines, reducing the migration’s impact. (The User State Migration Tool, part of the Automated Installation Kit, is a good place to start for this kind of work. For a walkthrough demo, visit tinyurl.com/usmtwt.) Your field technicians are trained. The help-desk team is mollified with all the guidance you’ve posted on its SharePoint site. You’re finally ready to start the rollout.
But wait. Rather than putting the operating system directly on the hard drive of each new machine, Windows 7 makes it possible to install the OS into a Virtual Hard Drive (VHD) file on the hard drive. The OS boots from the contents of this VHD, which becomes Drive C, and then sees the actual hard drive as Drive D. With proper planning, an OS installed this way could become highly portable. If John moves from Cincinnati to Chicago, the field tech in Cincinnati could copy the VHD over the network to a field tech in Chicago, who would plunk it down onto a machine so that John could get to work in his familiar desktop environment as soon as he steps out of his U-Haul truck.
If you think performance in this lashup would be less than stellar, think again. Check out the disk I/O stats at the Virtualization team blog.
There are some caveats. The first one involves hibernation, which doesn’t work at all for VHD-boot machines. That means that you may not want to use VHD boot for laptops. Also, you can’t boot to VHD on a drive encrypted with BitLocker, which also reduces its attractiveness for laptops.
It could be that the complexity of dealing with VHD-based deployments isn’t worth the benefits, but you should at least include them in your test plan. The steps to perform the legerdemain are too long for this article, but here are some places to go for instructions: You can use Max Knor’s method, described here, which essentially boots to the Windows 7 Setup CD, finesses out to a command prompt, creates the VHD and then uses it as the target for the installer. Very slick. You can follow the walkthrough instructions on TechNet here; or you can view this TechNet video: here.
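The VHD-boot setup described in this section, carried out from a running Windows 7 host rather than from the Setup CD, as an added example that is not from the article or any of the linked walkthroughs. It creates the VHD with `diskpart`, applies a standard image into it with `imagex` from the Windows AIK, and adds a boot entry with `bcdedit`. The VHD path, WIM path, image index and AIK location are placeholders. Run elevated; remember the article's caveats (no hibernation, and the host volume must not be BitLocker-encrypted).

```powershell
# Added example (not from the article): install a Windows 7 image into a VHD
# and register a native-VHD boot entry for it. Paths are placeholders.

$vhdPath  = 'C:\VHD\Win7Std.vhd'                                   # placeholder
$wimPath  = 'D:\sources\install.wim'                               # placeholder: setup media
$imageIdx = 1                                                      # image index in install.wim
$imagex   = 'C:\Program Files\Windows AIK\Tools\amd64\imagex.exe'  # AIK install location

New-Item -ItemType Directory -Path (Split-Path $vhdPath) -Force | Out-Null

# 1. Create, attach, partition and format the VHD via a diskpart script.
@"
create vdisk file="$vhdPath" maximum=40000 type=expandable
select vdisk file="$vhdPath"
attach vdisk
create partition primary
format fs=ntfs label="Win7VHD" quick
assign letter=V
active
"@ | Out-File -Encoding ASCII "$env:TEMP\makevhd.txt"
diskpart /s "$env:TEMP\makevhd.txt"

# 2. Apply the standard image into the mounted VHD (drive V:).
& $imagex /apply $wimPath $imageIdx V:\

# 3. Detach the VHD so the boot loader can open it exclusively.
@"
select vdisk file="$vhdPath"
detach vdisk
"@ | Out-File -Encoding ASCII "$env:TEMP\detachvhd.txt"
diskpart /s "$env:TEMP\detachvhd.txt"

# 4. Clone the current boot entry and point it at the VHD. bcdedit /copy
#    prints the new entry's GUID in braces; capture it from the output.
$copyOut = (bcdedit /copy '{current}' /d 'Windows 7 (VHD boot)') -join ' '
if ($copyOut -match '(\{[0-9a-fA-F-]{36}\})') {
    $guid = $Matches[1]
} else {
    throw "bcdedit /copy failed: $copyOut"
}
$vhdRef = 'vhd=[C:]\' + $vhdPath.Substring(3)   # e.g. vhd=[C:]\VHD\Win7Std.vhd
bcdedit /set $guid device   $vhdRef
bcdedit /set $guid osdevice $vhdRef
bcdedit /set $guid detecthal on
bcdedit /enum $guid
```

The resulting VHD is the portable object the article describes: once the field technician in Chicago copies it onto a machine and runs only step 4 there, the user's familiar desktop boots from it.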
Once you get proficient with these techniques, take a look at what Kyle Rosenthal at the Vista PC Guy blog has to offer in the way of instructions for using WinPE tools to build images. For example, the steps at vistapcguy show how to create a bootable flash drive with the WinPE tools and an installation image on it. Armed with that tool, you can quickly install your standard image on a machine without touching a single piece of flat plastic.
8. Evaluate enterprise features.
VHD boot, along with BitLocker and AppLocker, falls into a class of features that require Windows 7 Enterprise or Ultimate. The Enterprise SKU can only be obtained via a volume license agreement. If you own Enterprise or Ultimate, you should consider deploying a few additional features to improve security and streamline operations.
BranchCache allows you to cache file transfers either at a central server in a branch office or as part of a peer network of desktops. When a client initiates a file transfer, it first checks to see whether the file is locally cached and whether the file hash matches the hash at the authoritative source. If so, it copies the file from the cache. This not only speeds things up for users, it also reduces network load across the WAN, a benefit that’s sure to put a smile on the face of the network folks. (They’ve been known to smile. I’ve seen it.) I urge you to try BranchCache in your pilot testing to evaluate whether your mix of apps and associated file traffic would benefit.
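The pilot-testing suggestion above, as an added example that is not from the article: it puts one Windows 7 client into BranchCache distributed (peer) mode with the `netsh branchcache` context that ships with Windows 7, caps the local cache, and parses the status output so the result can be checked. The hosted-cache server name is a placeholder, and the content must come from a Windows Server 2008 R2 server with BranchCache enabled; in production the mode would be set by the BranchCache Group Policy settings rather than by hand. Run elevated.

```powershell
# Added example (not from the article): configure a pilot client for
# BranchCache distributed mode and report its status.

netsh branchcache set service mode=distributed
netsh branchcache set cachesize size=5 percent=true    # cap the cache at 5% of the disk

# Hosted-cache alternative for a branch that has a local server
# (server name is a placeholder):
# netsh branchcache set service mode=hostedclient location=BRANCH-CACHE01.example.com

function Get-BranchCacheStatus {
    # 'show status all' prints "Name = Value" lines; keep the two that matter
    # for a pilot check.
    $out = netsh branchcache show status all
    $status = @{}
    foreach ($line in $out) {
        if ($line -match '^\s*(Service Mode|Current Status)\s*=\s*(.+)$') {
            $status[$Matches[1]] = $Matches[2].Trim()
        }
    }
    New-Object PSObject -Property $status
}

Get-BranchCacheStatus
```

Distributed mode is the cheaper one to pilot because it needs no branch server; if the status function reports the service stopped after a reboot, the firewall exceptions for peer discovery and retrieval (opened by the BranchCache Group Policy settings) are the first thing to check.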
Next, you could take the VHD-based quasi-virtualization I discussed in the last section to the next level—true virtualization—by deploying a Virtual Desktop Infrastructure, or VDI, on Windows Server 2008 R2 servers. In a VDI, each desktop session exists as a separate virtual machine and users connect via RDP. This setup contrasts with the more mainstream Terminal Services way of publishing a desktop, where all users swim in the same pool of application images. In Terminal Services, if somebody makes a boo-boo, then everyone else suffers. Have you seen “Caddyshack”? Enough said. (You can also avoid unfortunate interactions in a terminal server by virtualizing your applications. Check out the App-V tools in the Microsoft Desktop Optimization Pack.)
VDI can get a little expensive. The cost of supporting user virtual desktops with a full complement of memory and network access on a server can exceed the cost of the PCs. But for disaster recovery in a distributed desktop environment, you can’t ask for better protection.
Another Enterprise feature, DirectAccess, allows users to connect through a Windows Server 2008 R2 gateway to the corporate network without the use of a VPN. A user can flip open her EVDO-enabled netbook while sitting in an airport and immediately start working on documents stored on corporate servers. Selling this feature to your security team might take some time, though. (Now there’s a group that never smiles.)
9. Build compatibility safety nets.
One issue that you should definitely hash out at your meeting of big brains is whether your organization is ready to deploy 64-bit desktops. New machines deployed as part of a refresh cycle are virtually certain to be 64-bit capable. You’re probably putting at least 2GB of RAM into them at today’s RAM prices, more likely 4GB if you were able to convince Finance to approve the slightly higher unit costs. The machines are likely to have dual-core processors, possibly even quad-core, with enough video memory to support Aero. These machines will perform very well with a 64-bit OS.
Even if all your current line-of-business and commercial apps are still 32-bit, it makes sense to install the 64-bit version of Windows 7, if for no other reason than to help future-proof your investment. Clearly the world is moving toward a 64-bit standard, and you want to be ready when vendors decide to start jettisoning backward compatibility.
If you decide to roll out 64-bit desktops, test thoroughly for issues with device drivers, anti-virus suites, management agents and so forth. If you currently have 32-bit print servers, you’ll need to populate the print queues with 64-bit drivers. As an alternative, you could deploy new x64 Windows Server 2008 or R2 print servers and populate both sets of drivers as you build the queues. The printer-migration wizard in Windows Server 2008 R2 will help with this task. It’s worth the effort to deploy new R2 print servers because the print model has been improved to keep drivers in their own memory space so that a bad driver won’t take down the spooler.
The most significant potential show-stopper is the need to run legacy 16-bit applications, which won’t run at all on a 64-bit host. Your best option in this case is to use a trick that hothouse farmers in Minnesota have employed for generations to raise tomatoes: Build an environment that fools the plants into thinking they’re in Dallas instead of Duluth. That is: Use XP Mode to put an instance of x86 XP SP3 on your x64 Windows 7 desktop.
Applications installed in the XP Mode virtual machine can be launched from the Windows 7 Start menu just as if they were natively installed so that your users won’t get confused by living in two universes. (This trick actually comes from a special RAIL hotfix, not directly from XP Mode, so you can do the same Start Menu trick by installing the RAIL hotfix, then running Virtual PC with 32-bit Vista or Windows 7, if you like.)
By default, the XP Mode virtual machine runs under a local account inside the virtual machine. The account is called User. You set the password for this account during install time and the password is set to never expire. Alternatively, you can launch the virtual machine and join it to the domain and logon with your domain credentials. You can load Exchange 2003 ESM into XP Mode along with the older admin tools to have a fully compatible admin environment. And did I mention the seamless cut-and-paste between host and virtual machines? Sweet.
XP Mode requires hardware-based virtualization, either Intel VT or AMD-V. Steve Gibson at Laguna Hills, Calif.-based Gibson Research Corp. (famous for SpinRite and ShieldsUP!) offers a free utility called SecurAble (grc.com/securable.htm) that will quickly tell you whether a machine meets the criteria.
If you have hundreds or thousands of PCs, you’ll need a centralized management package to handle this alternate environment. This is Microsoft Enterprise Desktop Virtualization (MED-V), one element of the Microsoft Desktop Optimization Pack. At the client, MED-V 2.0 works similarly to XP Mode by installing a virtual machine that requires virtualization support in hardware. On the back end, MED-V offers a variety of tools for building and deploying packages to the virtual machines. For more information, see this Windows team blog posting at tinyurl.com/medvblog.
10. Remove your users’ local-admin rights.
If you haven’t already pried away your users’ local-admin rights, now is the time. Yes, I know it’s hard. Laptop users are especially difficult to wean because the help desk can’t walk them through complicated fixes over the phone. But there’s also that “shadow” IT organization—department gurus and admin wannabes who find applications that meet certain tactical needs, then scurry around with thumb drives installing the apps with no regard for interoperability testing. And don’t even get me started on the kind of trash that average users install on their machines when they have local-admin rights. It’s amazing how the most unsophisticated user, incapable of so much as a password reset without help-desk support, can find a way to install complex multi-tiered client-server front-end applications if the reward involves shopping or sports.
Even if you muster the political strength to deny local-admin rights to the majority of users, as soon as you take those rights away, apps start to break. An astounding number of applications insist on writing to protected portions of the file system and Registry.
Windows 7 simplifies the switch to standard-user operation. Background processes redirect changes away from protected areas into user-controlled areas. That alone should resolve many issues that you might have encountered with standard-user operation with XP. There are also some simple but critical improvements that help standard users, such as the ability to change time zones, a task that required local-admin rights in XP and Vista. Ditto for changing screen resolution, doing an ipconfig /renew to get a new DHCP address and installing optional updates.
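A way to see that redirection in action on a pilot machine, as an added example that is not from the article. Windows 7 redirects a standard user's writes to Program Files, Windows and HKLM\Software into the per-user VirtualStore locations; anything found there is an application that still writes to protected areas and belongs on the remediation list. The script runs as the standard user being examined (no elevation needed) and assumes only the VirtualStore file and registry locations that Windows uses.

```powershell
# Added example (not from the article): list which applications are having
# their writes redirected by file and registry virtualization, grouped by app.

$fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
$regStore  = 'HKCU:\Software\Classes\VirtualStore'

function Get-VirtualizedWrites {
    $results = @()
    if (Test-Path $fileStore) {
        # Folders under VirtualStore mirror 'Program Files', 'Windows', etc.
        Get-ChildItem $fileStore -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } | ForEach-Object {
                $rel = $_.FullName.Substring($fileStore.Length + 1)
                # The first two components usually identify the app,
                # e.g. "Program Files\Vendor".
                $app = ($rel -split '\\')[0..1] -join '\'
                $results += New-Object PSObject -Property @{
                    Kind = 'File'; App = $app; Item = $rel; LastWrite = $_.LastWriteTime }
            }
    }
    if (Test-Path $regStore) {
        Get-ChildItem $regStore -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $rel = $_.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\', ''
            # e.g. "MACHINE\SOFTWARE\Vendor"
            $app = ($rel -split '\\')[0..2] -join '\'
            $results += New-Object PSObject -Property @{
                Kind = 'Registry'; App = $app; Item = $rel; LastWrite = $null }
        }
    }
    return $results
}

$writes = Get-VirtualizedWrites

# Which apps are being redirected, and how much?
$writes | Group-Object Kind, App | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Most recent file redirections: evidence of what users ran this week.
$writes | Where-Object { $_.Kind -eq 'File' } | Sort-Object LastWrite -Descending |
    Select-Object -First 20 | Format-Table App, Item, LastWrite -AutoSize
```

Collecting this listing from a handful of pilot machines gives the ACT team a short, evidence-based queue of applications to run through the Standard User Analyzer, rather than the whole inventory.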
The Application Compatibility Toolkit (ACT) contains a Standard User Analyzer (SUA) Wizard to help with vetting your apps. SUA provides an elevated-privilege launch platform for an application. Then, while the app installs and runs, SUA ferrets around inside looking for subtle issues that could keep it from running as a standard user. When it’s done, you receive either a clean bill of health for the app or a list of items that need remediation.
Pingback: The Ten Things to Do First for Windows 7 | PC Tips, 28 Oct 2009 at 3:56 pm