Internet Security programs help prevent against attacks from the hacking community and minimizes the risk of getting hacked for corporate networks which are often a popular target. Remember when the Anonymous hackers syndicate came into action just after the MegaUpload site got taken offline by the FBI.

At the height of the Distributed Denial of Service (DDoS) attack against American government sites and several big music industry sites like EMI, RIAA and Warner the traffic compromised more than 10 % of all the internet traffic.

Internet Security risks for Android apps are also on the rise as Android is considered to be the Microsoft OS for the mobile platform. Thanks to its popularity it is therefore a greatly attractive target for scammers and malware developers.  The number of malicious Android apps is increasing day by day and are often found on third party sites.

There are really no internet security solutions to this problem as most users of mobile phones are completely oblivious to the threats that these apps can pose. Let’s also not forget that the developers of these apps have little or no experience regarding internet security issues.

Supervisory control or data acquisition (SCADA) refers to industrial computer systems that monitor things like water plants or nuclear facilities like was the case with Stuxnet. The Iranian program got attacked and infiltrated last year and got into the media.

Just imagine how many of these types of internet security attacks don’t make it to the news ans are kept a secret just so to not scare the general public. The weaknesses in SCADA systems make them relatively easy to exploit and therefore make them a popular target with hackers.

As computers are more and more omni-present they are slowly replacing the traditional ballot box making it easy for a skillful hacker to rig votes. Experienced fraudsters can easily compromise an e-voting system with the right software or hardware in place.

Most of us won’t realize that many internet security threats come from social media. Think about it, it is all very nice to share your music, pictures etc. with your friends. What goes on your wall in Facebook or gets tweeted on Twitter is also available to advertisers who just love to know your habits so they can target you with relevant ads.

Who cares, you might say. Think twice, would you like to go for a job interview knowing that the interviewer has just checked your online ramblings on Facebook or Twitter.

An internet security system starts with the way you use the internet. If you go around posting details about your private life all over the place then don’t be surprised that this might backfire one day as the Internet is a free for all place.

All information posted on the Internet is freely available to anybody so take some care next time you had a few drinks and want to post something funny on Facebook for example. Once it is out there, there is no way back.

The same goes for e-mail. It might be a very convenient way to communicate but in the old days of pen and paper people used to sit down and think about the message they were about to send unlike an e-mail where you can just start typing and hit the Send button.

Bottom line is that internet security starts with you. Realize that the Internet is a public place and although you might feel safe behind your computer all by yourself, there is a vicious world out there once you put private information online.

http://news.cnet.com/8301-27080_3-57347329-245/five-predictions-for-security-in-2012/

Ethernet Cable Installation

• Wave — energy or disturbance traveling from point A  to B
• Amplitude — height of the wave (V)
• Period — amount of time that it takes to complete 1 cycle or period between waves (s)
• Frequency — the number of complete cycles or waves per second (Hz)

Pulses and Sine Waves

A pulse is a disturbance that was deliberately created with a fixed or predictable duration. Pulses are an important part of electrical signals because they are the basis of digital transmission. The pattern of the pulses represents the value of the data being transmitted.

Sine waves, or sinusoids, are graphs of mathematical functions. Sine waves are periodic and display the same pattern at regular intervals. Sine waves also vary continuously meanings that no adjacent points on the graph have the same value.

Square waves are likewise periodic but unlike sine waves they do not continuously vary with time. Their value stays the same  to then suddenly change only to return to the original value at regular time periods. Square waves represent digital signals or pulses and can be measured in terms of amplitude, period, and frequency.

Installing Ethernet Cable and Noise

There are many possible sources of noise

• Data signal carrying cables in the vicinity
• Radio Frequency Interference or RFI from other signals that are transmitted nearby
• Electromagnetic Interference (EMI) or Radio Frequency Interference (RFI) due to electromagnetic induction or electromagnetic radiation coming from artificial or natural external sources such as motors, lights, the sun or even the Northern Light.

Similarly to white light, white noise is a random signal that affects all frequencies as opposed to narrowband interference which only affects a small range of frequencies. In ethernet cable data transmission white noise will completely disrupt data transmissions while narrowband interference would only affect some signals.

Bandwidth

Analog bandwidth refers to the range of frequency between the highest and the lowest frequency components and is measured in Hertz .

Digital bandwidth measures the throughput of data in a given amount of time. (bps) In general, media that will support higher analog bandwidths without high degrees of attenuation will also support higher digital bandwidths.

Make Your Own Ethernet Cable Considerations

Attenuation is the general loss in flux or signal amplitude over the length of an ethernet cable or other medium. The longer the ethernet cable and the higher the signal frequency the more signal attenuation will occur. The maximum length of ethernet cable should not exceed 100 m.

Attenuation on a cable is measured with a cable tester using the highest frequencies that the cable is rated to support. Attenuation is usually measured in negative units of decibels numbers. The lower the dB values the higher the ethernet cable speeds so 2 dB would be better than 4 dB.

In ethernet cabling the length of the cable and the frequency of the signal is a major factor in contributing to attenuation. Defective connectors, a bad ethernet cable patch, bad insulation or resistance of the wiring all have their influence on signal degradation, signal loss or attenuation.

http://en.wikipedia.org/wiki/Attenuation

Impedance relates to the resistance, capacitance, and inductance of the ethernet cable to the electrical current and is measured in ohms. Category 5 cable are typically rated at around 100 ohms. Improperly installed connectors will have a negative influence on the impedance on a Cat 5 ethernet cable causing an impedance discontinuity or an impedance mismatch.

Return loss or impedance discontinuities occur when  a portion of a transmitted signal is bounced back due to an incorrect connector or a cable fault. The higher the network speed the more pronounced the problem will be as the discontinuities cause additional portions of the signal to be reflected back to the transmitter.

Cross Talk

Cross talk is extreme noise generated by the signal traveling down the wire thereby creating an electrical field which interferes with any wires close by. The twists in ethernet cables are supposed to prevent this.

• Near-end Crosstalk (NEXT)
• Far-end Crosstalk (FEXT
• Power Sum Near-end Crosstalk (PSNEXT)

http://www.openxtra.co.uk/articles/network-cable-testing-causes-data-loss

Cable Testing Standards

The ten primary test parameters that must be verified for a cable link to meet TIA/EIA standards are

• Wire Map
• Insertion Loss
• Near-end Crosstalk (NEXT)
• Power Sum Near-end Crosstalk (PSNEXT)
• Equal-level far-end crosstalk (ELFEXT)
• Power sum equal-level far-end crosstalk (PSELFEXT)
• Return Loss
• Propagation Delay
• Cable Length
• Delay Skew

Cable Wire Map Problems

• Reversed-Pair Wiring Fault
• Split-Pair Wiring Fault
• Transposed-Pair Wiring Fault

Propagation delay in ethernet cable testing measures the amount of time it takes for the signal to travel from point A to point B or from the sender to the receiver end. The electrical properties, length and twist rate of the cable all contribute to the delay which is measured in hundredths of nanoseconds.

A Time Domain Reflectometry (TDR) test is not only used to measure the length of  a cable but also to locate faults and discontinuities  such as shorts and opens.

Delay skew refers to the difference in transmit speeds or propagation delay of the multiple twisted pairs that make up an ethernet cable. Delay skew is determined by measuring the difference between the wire with the highest delay against the wire with the lowest delay.

http://www.siemon.com/us/white_papers/97-06-03-delayskew.asp

Fiber Optic Ethernet Cable

Fiber optic ethernet cables send signals over hair thin strands of glass fiber and eliminate crosstalk or noise problems. Just like tradirional coper wire UTP cables, improperly installed connectors will greatly reduce the data transmission speed.

A fiber optic ethernet cable uses light to transmit data and as such is also susceptible to optical discontinuities that will reduce the speed of the data arriving at the receiver.

Power over Ethernet Cable

Power over Ethernet (PoE) is very much self explanatory in the sense that it consists of a technology which enables electrical power to safely use the same ethernet cable.

http://en.wikipedia.org/wiki/Power_over_Ethernet

Data Communication and Networking

Two examples of data communication networks that use token passing are Token Ring and Fiber Distributed Data Interface (FDDI).
A variation of Token Ring and FDDI is Arcnet. Arcnet is token passing on a bus topology.

Network Systems and Data Communication Include

• How the physical network is built
• How computers connect to the network
• How the data is formatted for transmission
• How that data is sent
• How to deal with errors

Data Communication Systems and WAN’s

• Operate over a large and geographically separated area
• Allow users to have real-time communication capabilities with other users
• Provide full-time remote resources connected to local services
• Provide e-mail, Internet, file transfer, and e-commerce services

Some Common WAN Technologies

• Modems
• Integrated Services Digital Network (ISDN)
• Digital subscriber line (DSL)
• Frame Relay
• T1, E1, T3, and E3
• Synchronous Optical Network (SONET)

SANs Offer the Following Features

• Performance – SANs allow concurrent access of disk or tape arrays by two or more servers at high speeds. This provides enhanced system performance.
• Availability – SANs have built-in disaster tolerance. Data can be duplicated on a SAN up to 10 km (6.2 miles) away.
• Scalability – A SAN can use a variety of technologies. This allows easy relocation of backup data, operations, file migration, and data replication between systems.

Secure Data Communication – VPN’s

• Access VPN – links small office and home (SOHO) users to the corporate network using a dedicated session over DSL, cable, ISDN or analog dial-up
• Intranet VPN – links regional and remote offices to the the internal company network using dedicated connections
• Extranet – link external business partners to the company’s internal network over a dedicated connection

Data Communication Protocol and Bandwith

• Limited by physics and technology
• Not Free
• Requirements growing at a rapid rate
• Critical to network performance
• Bandwidth is the measure of how many bits of information can flow from one place to another in a given amount of time

The actual bandwidth of a network is determined by a combination of the physical media and the technologies chosen for signaling and detecting network signals.

Thisl bandwidth is determined by the signaling methods, NICs, and other network equipment that is chosen.
Therefore, the bandwidth is not determined solely by the limitations of the medium.

Throughput refers to actual measured bandwidth, at a specific time of day, using specific Internet routes, and while a specific set of data is transmitted on the network.

Unfortunately, for many reasons, throughput is often far less than the maximum possible digital bandwidth of the medium that is being used.

Factors that Determine Throughput in Data Communication

• Internetworking devices
• type of data being transferred
• Network topology
• Number of users on the network
• User computer
• Server computer
• Power conditions

Analog bandwidth is measured by how much of the electromagnetic spectrum is occupied by each signal.
The analog video signal that requires a wide frequency range for transmission cannot be squeezed into a smaller band.

Therefore, if the necessary analog bandwidth is not available, the signal cannot be sent.
In digital signaling all information is sent as bits, regardless of the kind of information it is.

Unlimited amounts of information can be sent over the smallest or lowest bandwidth digital channel.

Open Systems Interconnection Model

Dividing the Network into Seven Layers Provides the Following Advantages

• It breaks network communication into smaller, more manageable parts.
• It standardizes network components to allow multiple vendor development and support.
• It allows different types of network hardware and software to communicate with each other.
• It prevents changes in one layer from affecting other layers.
• It divides network communication into smaller parts to make learning it easier to understand.

Networks Layers in Data Communication perform These 5 Conversion Steps to Encapsulate and Transmit Data

• Images and text are converted to data.
• The data is packaged into segments.
• The data segment is encapsulated in a packet with the source and destination addresses.
• The packet is encapsulated in a frame with the MAC address of the next directly connected device.
• The frame is converted to a pattern of ones and zeros (bits) for transmission on the media.

TCP/IP and OSI Model - http://homepages.uel.ac.uk/u0214757/tcpip.html

Network Interface Card & Internet Connection Requirements

• Physical connection – modem or network interface card (NIC) allow the local network to connect to the Internet
• Logical connection – standard protocols are a set of rules and conventions defining how the physical devices communicate. Transmission Control Protocol/Internet Protocol (TCP/IP) is the primary, most used protocol
• Application – applications translate the data transmitted to a form that can be read by humans such as a web browser or an  FTP program and the various plugins to display video and text or play sound.

Network Card – http://www.howstuffworks.com/home-network.htm

Network Interface Card Types Considerations

• Protocols – Ethernet, Token Ring or Fiber Distributed Data Interface (FDDI)
• Types of media – Twisted-pair, coaxial, wireless or fiber-optic
• Type of system bus – PCI or ISA

Install Network Interface Card Situations

• Installation of a NIC on a PC that does not already have one
• Replacement of a malfunctioning or damaged NIC
• Upgrade from a 10-Mbps NIC to a 100/1000-Mbps NIC
• Change to a different type of NIC, such as wireless
• Installation of a secondary, or backup, NIC for network security reasons

Network Interfaces – http://en.wikipedia.org/wiki/Network_interface

Network Interface Card Troubleshooting Requirements

• Knowledge of how the adapter, jumpers, and plug-and-play software are configured. Most modern day NICs are plug_and_play and only require the software or driver to be installed.
• Availability of diagnostic tools such as a loopback test
• Ability to resolve hardware resource conflicts such as IRQ, DMA or IO conflicts

Transmission Control Protocol/Internet Protocol (TCP/IP)

• TCP/IP is a set of protocols developed to allow computers to communicate with each other.
• TCP/IP can be configured using operating system tools
• TCP/IP requires the PC to be configured with an IP address, subnet mask, default gateway and Domain Name System (DNS) information

Network Interface Card Problems – Ping

• ping 127.0.0.1 – This is a unique ping and is called an internal loopback test. It is used to verify the basic TCP/IP network configuration.
• ping IP address of host computer – A ping to the local host PC verifies the TCP/IP address configuration for the local host and connectivity to the host.
• ping default-gateway IP address – A ping to the default gateway indicates if the router that connects the local network to other networks can be reached.
• ping remote destination IP address – A ping to a remote destination verifies connectivity to a remote host.

Bits and Bytes – Base 2 Numbering System

• Computers recognize and process data using the binary number system
• 1 bit represents a single address storage location for data such as an ASCII code
• 8 bits represent 1 byte leaving a combination of 256 or 2⁸ when adding all the possible combinations of the 8 bits turned off (0) or on (1)
• Most coding uses 1 byte to represent a number, symbol or character
• Do not confuse MegaBytes (MB) with MegaBits (Mb)

The above table shows approximate values as 1 Kb is really 1024 bytes when talking about data storage bits as opposed to data transfer bits or bytes.

Example

• 10110₂ = (1 x 2⁴ = 16) + (0 x 2³ = 0) + (1 x 2² = 4) + (1 x 2¹ = 2) + (0 x 2⁰ = 0) = 22
• 22₁₀ = 10110

Base 16 Numbering System – Hex

• The hexadecimal system is used when working with computers because it can be used to represent binary numbers in a more readable form (0123456789ABCDEF)
• Network adapter or NIC MAC addresses are represented by a string of 12 hexadecimal characters
• 55B1₁₆ = (5 x 16³ = 20480) + (5 x 16² = 1280) + (B x 16 = 176) + (1 x 16⁰ = 1) = (5 x 4096) + (5 x 256) + (11 x16) +(1 x 1) = 21937

IP Addresses and Network Masks

• The IP address 10.34.23.134 in binary form is 00001010.00100010.00010111.10000110
• IP addresses consist of 4 bytes or 4 8-bit octets which represent a 32-bit binary address
• A Boolean AND of the IP address 10.34.23.134 and the subnet mask 255.0.0.0 produces the network address of this host:

Enable Remote Access Windows 7

Remote access solutions usually incorporate the Routing and Remote Access  Service (RRAS)  to configure internet connections such as secure Virtual Private Network  (VPN) connections or even dial-up or ISDN connections to link computers together allowing the user to access files, folders applications and printers  pretty much like being connected to a corporate network.

Remote Desktop Software

Do not confuse remote access with remote control. Remote control creates a session on the remote computer through the use of remote desktop or remote assistance on Windows 7. The remote desktop command line syntax is mstc. Just do a Google search for “Windows 7 remote desktop setup” if you are not sure on how to configure remote desktop access or enable remote desktop n Windows 7.

There are also other 3rd party applications such as Citrix or PCAnywhere relying on remote desktop client software enabling  the remote computer’s desktop appear on your screen which is useful if you want to provide remote access assistance or remote access support.

Remote Assistance Windows 7 – http://technet.microsoft.com/en-us/library/bb457004.aspx

VPN Remote Access Connection Protocols

Data Integrity – protects against tampering with the data by a third party

Data Confidentiality – encrypts data so it is cannot be read by third parties

Replay Protection – data can only be sent once so an attacker cannot capture alter and resend data

Data Origin Authentication – sender and receiver are sure of origin of the transmitted data

Standard Remote Access Protocols

• Point to Point Protocol (PPP) – oldest dial-up protocol which supports TCP/IP, IPX/SPX allowing for compression and encryption.  Serial Line Interface Protocol (SLIP) is no longer supported in Windows7
• Point to Point Tunneling Protocol (PPTP) – used to transmit private data over a public network through VPN tunneling with built-in security for encryption and authentication. Provides data confidentiality but not data integrity
• Layer 2 Tunneling Protocol (L2TP) – More secure than PPTP as it creates a secure VPN connection when used in combination with IPSec. Uses digital certificates or a pre-shared key. Client and server must support IPSec NAT Traversal (NAT-T)
• Secure Socket Tunneling Protocol (SSTP) – SSTP uses enhanced key negotiation, encryption and integrity checking by encapsulating PPP traffic over  SSL using the HTTPS protocol thereby enabling network traffic across firewalls and proxy servers
• Internet Key Exchange version 2 (IKEv2) – new to Windows 7. Supports strong authentication and encryption methods by using an IPSec tunnel over UDP port 500

VPN Tunneling Protocols – http://technet.microsoft.com/en-us/library/dd469817(WS.10).aspx

Remote Access Authentication Protocols

EAP-MS-CHAPv2 is the strongest password-based authentication protocol, and it is the only password-based authentication protocol that can be used with IKEv2.

On a client computer you can configure remote access settings through group policy or secpol.msc. Jeep in mind that the default values for an account lockout or invalid password attempts are known to experienced hackers and therefore should be changed. This is also where you would configure IPSec settings you use in combination with VPN.

Windows Vista and Windows 7 computers use 128 bit encryption by default whereas Windows Server 2000 or 2003 use either 40 or 56 bit encryption. This will usually result in an error 741 meaning the encryption levels don’t match. Encryption levels can be changed by accessing the security tab of the VPN properties dialog box.

VPN Reconnect in Windows 7

A standard VPN client needs to authenticate every time the connection with the server is lost. IKEv2 in Windows 7 however enables a VPN client to automatically reestablish a VPN connection within 8 hours of connection loss

Remote Access with VPN Reconnect – http://www.microsoft.com/downloads/details.aspx?FamilyID=7e973087-3d2d-4cac-abdf-cc7bde298847&displaylang=en

Advanced Audit Policy in Windows 7

Windows 7 Professional, Ultimate and Enterprise group policy provides a much granular and comprehensive set of audit policies compared to previous Windows versions.

Windows Remote Access Advanced Security Auditing Settings – http://technet.microsoft.com/en-us/library/dd772712(WS.10).aspx

Netork Access Protection (NAP)

NAP requires that clients provide a health certificate proving that the authenticating client is up to date with regards to the latest security patches. NAP is available starting from Windows 7 Professional and up. It verifies whether:

• Software update are installed and configured
• Windows firewall and  automatic updates  are enabled
• The Anitivirus software is enabled and up-to-date

Through the use of multiple System Health Validators (SHVs) available in Windows 7 and Windows server 2008 you can apply different policies to be met according to whether the client is connecting through VPN or via the LAN.

A health validation server can redirect clients that are not compliant to a remediation network where they can freceive updates throught WSUS and antivirus updates after which they will be able to connect to the network.

• NAP Enforcement Options
• No Enforcement – used for monitoring only
• IPSec – compliant clients receive an X509 health certificate while others get rejected
• 802.1X – unhealthy wired or wireless clients get access to a restricted VLAN
• Terminal Services Gateway – clients have to be compliant to access terminal service applications
• VPN – routes unhealthy clients to remediation servers based on IP filters
• DirectAccess – only allows healthy clients to create an IPSec tunnel

NAP Client Configuration – http://technet.microsoft.com/en-us/library/cc754803.aspx

Network Access Protection – http://technet.microsoft.com/en-us/network/bb545879.aspx

Remote Desktop Gateway (RD Gateway)

Available in Windows 7 and Windows Server 2008 R2 and uses the Remote Desktop Protocol (RDP) in combination with HTTPS to allow for a secure an encrypted connection to corporate servers via TCP port 443 much like a remote access terminal server.

An RD Gateway server on the corporate network can allow access to any published applications on the internal network that have been granted access. Following are the advantages of employing an RD Gateway:

1. No need to establish a VPN connection
2. Connections across firewalls and proxy servers are facilitated
3. Applications running on the local client can be shared with applications running on the remote network using your ISP connection

RemoteApp programs are programs which can be accessed remotely through the RD Gateway and appear on the user’s desktop and start menu as if they were installed and running locally.

Remote Desktop Gateway http://www.microsoft.com/downloads/en/confirmation.aspx?familyId=6d146124-e850-4cec-9efa-33a5225e155d&displayLang=en

RemoteApp - http://technet.microsoft.com/en-us/library/dd560650(WS.10).aspx

DirectAccess

DirectAccess does not require user intervention or logon as it uses certificates for authentication. As soon as the client connects to a network a properly configured computer will automatically connect to the corporate network remote access services using IPv6 and an IPSec VPN connection. DirectAccess can be integrated with NAP to increase security. Only domain joined computers running Windows 7 Ultimate or Enterprise support DirectAccess.

A properly configured Windows 7 client will in most cases connect to the corporate network prior to the Windows logon. A specially configured intranet site is configured on the DirectAccess server allowing the client immediate connection as soon as it is identified on a network.

Should the client be unable to contact the intranet site it tries to establish an IPv6 directly across the Internet. If a native IPv6 connection is not available the client tries to connect using an IPv6 over IPv4 tunnel utilizing the 6to4 (direct IPv4 connection) and Teredo (NAT connection) tunneling technologies in order.

If the above is not possible due to a firewall or proxy server a connection is attempted over HTTPS using TCP port 443.

DirectAccess – Remote Access Servers Requirements

• Windows Server 2008 R2 that is a member of a AD DS domain with CA and DNS configured
• 2 network adapters of which the one connected to the Internet is configured with 2 IPv4 addresses
• Internal resources must support IPv6 as well as ISATAP and NAT-PT for clients that only support IPv4
• Digital certificates in place that include the fully qualified domain name (FQDN) assigned to the external NIC

DirectAccess – http://www.microsoft.com/downloads/details.aspx?FamilyID=D8EB248B-8BF7-4798-A1D1-04D37F2E013C&displaylang=en

Internet Explorer 8 Security Settings

Internet Explorer 8 which comes with Windows 7 offers a whole bunch of new security features some of which are discussed below.

• Information bar – alerts you to pop-ups, downloads or Active-X installs
• SmartScreen Filter – protects from known phishing sites masquerading as legitimate sites
• Protected Mode – protects against websites that try to install malicious software. Prompts for consent if system changes are required.
• Internet Explorer runs in protected mode by default.
• Add-on Manager – enable or disable active-X controls
• Secure Sockets Layer (SSL) – 128 encryption for creating secure connections

All websites by default get added to the Internet Zone.

Add-ons and Accelerators

Add-ons are optional features that can provide additional functionality to IE8 such as Acrobat Reader for example. Accelerators on the other hand are a special type of add-on that allow users to perform an action against selected text without leaving the website such as e-mailing, mapping or sending a snippet to a blog.

InPrivate Browsing and InPrivate Filtering

Internet Explorer 8 internet and security features include InPrivate Browsing mode which enables you to open a new browser window that is completely isolated and does not contain any browser history, cookies or temporary internet files.

InPrivate Filtering blocks the transmission of website information being sent to third party  sites such as advertisements on websites. InPrivate Filtering needs to be enabled manually each time you start a new browsing session.

Users will be able to navigate back and through the sites they were visiting during a session but all data will be deleted as soon as they close the browser. Be aware that on company websites your browsing history can still be traced and recorded.

To turn off Internet Explorer enhanced security configuration in Windows server 2008 you have to access the Security Information section which can be found in the root folder of server management.

Which Internet Explorer do I Have

If you are on Windows 7 you are more than likely at least running Windows Explorer v8. To verify, just start Windows Explorer and then click the cog wheel or Tools icon situated top right in the menu bar. A menu will drop down where clicking on ” About Internet Explorer” will reveal which Internet Explorer version your computer is running.

Internet Explorer Security Configuration – http://technet.microsoft.com/en-us/library/dd883248.aspx

Configuring Application Compatibility

Shim – temporary system compatibility fix allowing older applications to work with Windows 7

Application Compatibility Toolkit (ACT) – allows for testing the compatibility of applications with Windows 7

ACT – http://technet.microsoft.com/en-us/library/cc749034(WS.10).aspx
http://blogs.technet.com/springboard/archive/2009/04/03/windows-7-application-compatibility-toolkit-5-5-interview-with-Jeremy-Chapman.aspx

Windows XP Mode – provides a fully functional Windows XP SP3 copy running on top of Windows 7 in Windows Virtual PC so programs that are only XP compatible can be run directly from the start menu. Windows XP mode is only available if you are running Windows 7 Professional or higher while having at least 2 GB of RAM and 15 GB extra hard drive space.

Bear in mind that Windows XP mode is only meant to assist organizations in their move from XP to Windows 7 and that XP mode is not intended or optimized for resource hungry programs such as video games. Windows XP mode can be downloaded by accessing the following link www.microsoft.com/windows/virtual-pc/download.aspx

You can use ACT to check Internet Explorer compatibility data and issues.
http://technet.microsoft.com/en-us/library/cc766461(WS.10).aspx

Application Control Policies

New in Windows 7 is the ability of an administrator to restrict the install of applications according to an executable’s digital signature.

This basically means that you could allow the install of Office 2010 while disallowing the install of previous Office versions through AppLocker. You can configure AppLocker from the Application Control Policies node of Local Security Policy.

Full Control of Which Programs are Allowed to Run

• User-Specific Controls – specify rules for a given security group or individual user
• Stop E-mail attachments from executing
• Certificate Rules identify software based on the certificate
• Path Rule – Grant or deny access based on the Universal Naming Convention (UNC) path
• Network Zone Rule – can be used only for msi packages based on an Internet Explorer network zone
• Hash rule – checks a preset number of bytes to verify whether a program is allowed to execute

AppLocker Audit Only mode is useful to check which individuals in your company are executing what applications.

Windows 7 User Account Control

User account control, first introduced in Windows Vista is aimed at protecting your computer against viruses, Trojans, rootkits and other malware. It protects your PC against malicious programs trying to gain system privileges and thereby compromising your computer’s safety.

The user account control in Vista prompts came so often that most users turned it off simply because it was too annoying to have to enter administrator credentials to even perform the simplest of tasks like renaming a file. This of course completely annihilated the UAC computer protection purpose in Vista.

Windows 7 User Account Control Settings

UAC – User Account control has in this sense greatly improved in Windows 7 and is also easier to configure.

UAC basically uses two tokens to identify user rights in combination with 2 integrity levels for programs.

• Standard user token – used for all actions not requiring admin privileges
• Administrator token – when full admin privileges are require
• Low Integrity – Tasks that are less likely to compromise the OS
• High Integrity – Tasks that could compromise the OS like installing drivers or programs

Low integrity apps cannot modify data from high integrity applications

The shield icon is displayed when running a task requires administrative privileges. Unlike windows Vista an administrator can perform most critical tasks without receiving an user account control UAC prompt. When receiving a prompt Windows dims the desktop which means it is running in secure desktop mode which is similar to pressing ctrl alt del when logging on.

Users that are not part of the administrator group will have to provide admin credentials every time they want to run a program that requires elevated privileges.

Winfows User Account Control – Different Application Activation Prompts

• High-Risk Blocked Programs – red shield and title bar indicating that the program comes from a blocked publisher and cannot be run
• Programs Signed by Windows – yellow shield and blue title bar, provide admin credentials if required
• Unsigned Programs from Verified Publisher – simple prompt
• Unsigned Programs from Non-Verified Publisher – Depends on the presence of a digital signature including name and publisher of the program

You can configure a program’s shortcut to always require administrative privileges by checking the run as administrator checkbox in the advanced properties dialog box. Remember that the default administrator account created when installing Windows 7 account never gets any UAC prompts. It is therefore best practice to keep this account this account disabled like it is by default.

User account control can be configured through control panel system and security. Settings can be fine-tuned through group policy at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. Never disable the Run all administrators in Admin Approval Mode setting as this will completely disable UAC.

If you configure UAC to use Secure Desktop, an administrator has to respond to the prompts in order to keep on using the computer
I can be configured to prompt for credentials or just prompt for consent.

By default, Windows 7 does not prompt standard users so you must configure a policy for prompting if you want to allow these users to let programs run that require administrative privileges

User Account Control in Windows 7 -  Logging on Authentication and Authorization

The majority of users provide a username and password before they can log on to Windows. I an AD DS environment you will have to press ctrl alt del to get access to the secure desktop. Windows 7 also supports smart card login through including driver that support

Personal Identity Verification(PIV)

Credential Manager

Windows 7 uses the credential manager utility in group policy for user logon to resources that require authentication such as file servers, terminal services and web site credentials. These credentials are stored in the Windows vault and can be backed up to restore on other computers by choosing the Backup Vault and Restore Vault items in credential manger.

Keep in mind that EFS certificates are not stored in the Windows vault and require another method to be transferred or backed up. You can add credentials prior to accessing resources and at the same time all credentials get transferred to the Windows vault whenever you choose the “Remember my credentials” option.

 Run As command

You can use the run as command to run programs as another user with different credentials as long as the target user account is not configured to prompt for consent or prompt for credentials. Run as can be executed by right clicking a program shortcut and choosing run as from the drop down menu or from the command line
Runas /user:Domain\username “application.exe ”

If you need to access EFS encrypted files you can use the /profile switch which will load the target user’s profile enabling you to to have access to the EFS certificates stored in the user’s profile. The /savecred switch allows you to store the credentials in the Windows Vault for future use.

• Windows Credentials – standard Windows authentication using Kerberos or NTLM
• Certificate-Based Credentials
• Generic Credentials – customized credentials

User Account Control Settings – Certificate Console/Manager (certmgr.msc)

• Allows you to view and manage and configure different types of certificates
• You can use the Local Security Policy console or the Local Group Policy Editor to edit
  Security-related group policies
• You can use Certmgr.msc, Cipher.exe, or the Manage File Encryption Certificates tool to back up EFS
  certificates.

Windows 7 Device Drivers

Each device connected to a PC -internal or external- needs a software program called a driver which typically comes in the form of an .inf file stored in the hidden directory %systemroot%\inf containing all the device drivers and typically called the driver store. The easiest way to manage and troubleshoot device driver issues is by using Device Manager which as the name says acts as the device driver manager.

Device Manager works in read-only mode on a remote computer. A hidden Device is usually a device that is not attached but whose driver is installed because the device was attached at some time in the past.

If a device driver is not found in the Windows 7 driver store or through Windows Update Windows prompts you to enter the path to the installation media. Windows then checks that the user has administrator rights and whether the driver has a valid signature.

If you don’t want Windows to automatically download and install device drivers you can modify this behavior by accessing the hardware tab in advanced system settings and choosing No, let me choose what to do under Device Installation Settings.

Windows 7 Driver Signing

When the driver is signed and approved a copy of the driver is placed in the driver store and the installation begins. If the driver is unsigned or missing a certificate in the Trusted Publishers Store the user is prompted to let the install continue.

An administrator can approve or stage a driver that is not found in the driver store. Windows then performs all the checks mentioned before. After the driver has been staged any user can install the driver without any prompts or administrator rights required.

You can install legacy hardware by right clicking the my computer icon in Device manager.  Make sure the hardware is connected before running the manual install wizard.

You can use group policy to control the install or update of device drivers

• A policy preventing or restricting the install overrides a less restrictive policy
• Configure custom messages to be displayed to the user when they attempt to install a device and policy settings restrict this
• Prevent the install of devices that are not controlled by other policies
• Specify the devices by hardware ID or device setup class GUID

Device driver resource conflicts are usually related to I/O, DMA channels and/or IRQ conflicts of 2 or more devices trying to use the same resources. You can roll back all drivers except for printers.

When looking for conflicts you can view devices by type in device manger or by going to start -> run -> msinfo32 where you can view the conflicts/sharing section under Hardware Resources just as you can view Problem Devices under the Components section.

Device Manager Icons

• Disabled Device – Black downward pointing arrow
• Non Functioning Device – Red X mark
• Problem but Functioning Device – Yellow exclamation mark
• Forced Resources Device – Blue I Mark

Driver Verifier Monitor

In Windows 7 you can use the Driver Verifier Monitor – verifier.exe -command line tool to test and monitor device drivers that are already loaded without the need for a reboot. It is primarily a stress test tool which can tell you under which conditions a driver might fail.

Digital Certificates and Windows Driver Signing

Windows 7 requires drivers to be signed with trusted certificates that are stored in the trusted publisher store.  Driver Signing is an electronic security mark provided by Microsoft which indicates that the driver of a 3-rd party manufacturer has been validated for use on a Windows 7 PC.

An administrator however can authorize the install of an unsigned driver. You will need a certificate from a server in your organization that is running Windows CA services. This certificate is only valid within your organization. Only external CAs such as Veritas are trusted by other organizations.

The device driver needs to be signed with this certificate and the certificate installed on the client PC in order for other users to install these drivers within the organization. Certificates can be deployed to a large number of computers using group policy.
64-bits versions of Windows will not allow you to install a driver if it is not digitally signed or has been altered, even if you are an administrator.

Driver Signing and Staging- http://technet.microsoft.com/en-us/library/dd919230(WS.10).aspx

Device Driver Testing & Monitoring

For device driver testing of unsigned drivers you can always press F8 at start up and choose the option disable driver signature enforcement until the next reboot. You have to use this method if you are working on a Windows 64-bit PC which does not allow the install of unsigned drivers even when you are an administrator.

DXdiag can be used to check the digital signature of sound, display, connected USB and PS2 devices. You can use the File Signature Verification Tool (Sigverif) to view a list of other installed drivers. You can review the results of running  the program in the Sigverif.txt file.

To check whether any system files have been overwritten you can run the file system checker – sfce /scannow – from the command line or start run.

In Windows 7 you can also use Action Center in Control Panel to view problems related to device drivers.

Windows automatically creates a device driver backup as soon as you update device drivers giving you the option to roll back the driver to the previous version. To avoid windows 7 installation device driver missing error messages you should make sure to have the drivers from the manufacturer at hand for any device that is not recognized during Windows setup.

Windows Update

Windows update includes Important and Recommended updates as well as Optional Updates. Update Roll-Ups are a packaged set of updates that fix problems with specific Windows software or components.

As with most policies Windows Update can be configured through the Group Policy snap-in. Just like with rolling back drivers it is possible to roll back updates by using the Windows Update applet in Control Panel.

Backup and Restore Windows 7

Backup and Restore uses shadow copies which allows the copying of files while they are in use.

When using a hard drive as a backup location you should consider the following

• For safety reasons do not backup data to a separate partition on the same drive for if the drive fails your backup will be most likely unrecoverable as a result. The same is true when you backup to VHD. You can make a system image backup to VHD bootable on Windows 7 Ultimate and Enterprise only.
• Internal drives are usually faster than external drives although not so easy to move to another PC.
• System image backups cannot be saved to removable media such as DVD-ROMs, CD-ROMs, Tape Drives or a USB flash drive
• Tape drives are not supported as a backup medium in Windows 7 so restore backup from tape is not an option

To backup to a network location your computer needs to be running at least Windows 7 Professional so you can provide your credentials. You cannot backup to a PC that has BitLocker enabled.

The 2 kinds of backups included in backup and restore are full system images backed up to a compacted .vhd disk image file or Files and Folders which get backed up as compressed .zip files.

The latter backup and restore data option does not allow the inclusion of EFS files, temp files, recycle bin or user profile settings.

The first time you run Backup and Restore a full backup is performed Windows automatically creates a folder with the computer name where it stores a full backup set with the date the backup was taken.

After that all following backups are incremental with the oldest backup getting automatically deleted once you run out of disk space.

When you perform a restore using the Backup and Restore tool the original file permissions are retained. Restoring manually from the zip file will make the file inherit the permissions of the parent restore folder.

You can perform a system image backup from the backup and restore tool in control panel but if you want to schedule a system image backup you will have to use the wbadmin.exe command line tool and create a batch flie that you would ad to task scheduler. Just as with a normal backup, consequent backups are incremental.

System Restore or Windows Recovery Environment (Windows RE) to Restore Backup Data

Windows 7 creates automatic restore points every week and every time applications or drivers get updated or any other significant system changes. If you want to backup and restore registry settings ten system restore is the “place to be.”When the disk space allocated to system protection is used up, the oldest previous versions are overwritten.

A system restore differs from a system image restore in the snense that it leaves all the user files intact. It is important to remember that a system restore started from Safe Mode or by using the System Recovery Options cannot be undone.

Your only option to retry a failed system restor would be to try a different restore point. System restore can be performed while running Windows or by choosing the Last Known Good Configuration when booting the PC.

System restore as a  data backup restore method is enabled by default for drives that contain the system files or operating system and can optionally be enabled for other srives provided they are using the NTFS file system.

Advanced Recovery Mode – Windows Backup and Restore Center

Be aware that the advanced recovery mode found in Control Panel -> Recovery -> Advanced Recovery Methods can result in loss of data as the original Windows install gets overwritten.

When your PC doesn’t boot any more you can press F8 to enable Boot Logging. The results will be saved to a file named Nbtlog.txt which will enablel you to view the driver which filed to load during start up.

In case of a disk failure due to hardware problems these methods will of course not work.

Boot Configuration Data (BCD)

Windows 7 includes the following boot loader features to support Backup Restore Data:

• Windows boot manager (Bootmgr.exe)
• Windows operating system loader (Winload.exe)
• Windows resume loader (Winresume.exe)

BCD and the command line utility Bcedit allows administrators to manage and troubleshoot all phases of setup including resuming hibernation.

Restoring Files or Folders – Volume shadow Copy (VSS)

Shadow copies (available starting from Windows 7 Professional) are automatically enabled when system restore is active and are copies of files that have been modified since the last system restore point was created.

The shadow copy creates volumes that match the original volumes at the shadow copy point of time. As Windows 7 automatically creates restore points every week you can right click the file and choose the option “Restore Previous Versions.”

System Protection

• Restore System Settings And Previous Versions Of Files – typically used to restore an OS Only
• Restore Previous Versions Of Files – Used for drives that do not contain OS or system files

Windows backup file restore has been made very easy in Windows 7 providing you know what you are doing.

Configure IPv6 Windows 7

Since the introduction of IPv4 the Internet has slowly run out of 32-bit address spaces and that is why IPv6 which uses 128-bits came in to play.  There is no need to  enable IPv6 on Windows 7 as IPv4 and IPv6 Windows 7 are installed by default. Enable IPv6 Windows 7 Benefits:

• Efficient Hierarchical Addressing – useful for ISPs
• More Simple Routing Tables – Makes backbone routers easier to configure
• Stateful and Stateless Address Configuration – When no DHCP server is available (stateless) automatic configuration of the network is possible based on the addresses present in the available routers
• Improved Security – Ipv6 requires IPSec support making it more secure than IPv4
• Support for Link-Local Multicast Name Resolution (LNMR) – Ipv6 clients on a single subnet no longer require a DNS server for name resolution. Enabled by default in Windows Vista and Windows 7
• Improved Quality of Service (QoS) Support
• Extensibility – extension headers can be added to the IPv6 header enabling new features in future

IPv6 – http://technet.microsoft.com/en-us/library/bb726949.aspx

 Private IPv4 Addresses

• Private Class A 10.0.0.0 – 10.255.255.255
• Private Class B 172.16.0.0 – 172.31.255.255
• Private Class C 192.168.0.0 – 192.168.255.255

You use the Network and Sharing Center in Windows 7 to configure your network connection which will usually default be set to use DHCP.

If you are using more than one network like work and home you can enter an additional configuration to be used in the Alternate Configuration tab of the TCP/IP settings dialogue box.

Your primary network connection has to set to obtain an IP address automatically from DHCP to be able to view this tab.

The Advanced button allows you to specify multiple IP addresses for when you are hosting different websites for example. Bear in mind that you cannot configure more than one address if you are using DHCP.

The lower portion of the DNS tab lets you append DNS suffixes like for example home.local. What that means is that if a user tries to make a connection by just typing printer, home.local will automatically be added so that the query will look like printer.home.local.

Netsh Command – http://technet.microsoft.com/en-us/library/cc732279%28WS.10%29.aspx

When there is no DHCP server present the Automatic Private Internet Protocol Addressing (APIPA) provides an alternative way of distributing addresses to the network. APIPA addresses are in the 169.254.0.1 to 169.254.255.254 range with a subnet mask of 255.255.0.0.

Windows 7 and IPv6 – Configure IPv6

Unlike IPv4 addresses, IPv6 Windows 7 uses a 128-bit addressing scheme which consists of 16-bit blocks. Each block is represented by a four digit hexadecimal number separated by a colon and is referred to as colon-hexadecimal notation. In an IPv6 configuration any leading zeros can be replaced by a double colon.

Different Types of IPpv6 for Windows 7 Addresses – http://technet.microsoft.com/en-us/library/cc759208%28WS.10%29.aspx

• Unicast – packets are addressed to a single network interface

Global Addresses – equivalent to IPv4 public addresses and typically starts with a “2”
Link-local Addresses – equivalent to IPv4 APIPA addresses and typically starts with “fe8”
Site-local Addresses – equivalent to IPv4 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 and starts with “fec0”

• Special Addresses – unspecified address 0:0:0:0:0:0:0:0 or :: equivalent to IPv4 0.0.0.0 and loopback address 0:0:0:0:0:0:0:1 or ::1 equivalent to IPv4 127.0.0.1
• Multicast – packets are addressed to multiple interfaces and address starts with “ff”
• Anycast – A multicast address is used for one-to-many communication, with delivery to multiple interfaces. An anycast address is used for one-to-one-of-many communication, with delivery to a single interface. Only assigned to routers

Just like IPv4 private addresses Windows 7 IPv6 private addresses are not accessible from the internet. You can also not access Site-local IPv6 Addresses from the internet.

Ipv4/Ipv6 Compatibility

IPv4-compatible Addresses

• Represented by 0:0:0:0:0:0:w.x.y.z or ::w.x.y.z where w.x.y.z is the IPv4 address
• Used by dual stack nodes communicating with IPv6 over an IPv4 network

IPv4-mapped Address

• Represented by ::ffff:w.x.y.z
• Used to map IPv4 devices not compatible with IPv6 to IPv6 devices

Teredo Address

• Teredo allows for connectivity between IPv4/IPv6 nodes across NAT interfaces
• A Teredo address starts with 2001; a 6to4 address starts with 2002

6-to-4 Address

• Used by two nodes that are both running IPv4 and IPv6
• A 6to4 address enables IPv6 packets to be transmitted over an IPv4 network

IPv6 Teredo – http://technet.microsoft.com/en-us/library/ee126159%28WS.10%29.aspx

IPv6 can be disabled but not removed from a Windows 7 computer.

IPv6 Connectivity Windows 7  Troubleshooting Steps

When troubleshooting connectivity problems one might start by pinging the localhost loopback address 127.0.0.1 to check that the computer’s TCP/IP stack is functioning. The Ping6 command-line tool is not supported in Windows 7.

• Ping localhost (127.0.0.1) IPv6 equivalent is ping ::1
• Check hardware is OK
• Run Ipconfig /all or netsh interface ipv6 show address if you want to just display the IPv6 statistics
• Ping localhost
• Ping computer address
• Ping default gateway
• Ping host outside the network to verify router connectivity

Command Line Tools

• Netsh interface ip delete arpcache
• Ipconfig /flushdns

Network Discovery is enabled by default on Windows 7 computers

How to Enable IPv6 in Windows 7 – IPv6 Troubleshooting – http://technet.microsoft.com/en-us/library/bb878005.aspx

Clear the neighbor cache on the computer before pinging by typing netsh interface ipv6 delete neighbors
Zone ID can be obtained by typing Ipconfig /all or netsh interface ipv6 show interface. Supposing the zone Id is 10 you would append %10 to the IPv6 address when pinging. Install iIPv6 Windows 7 is a useless query as the feature is installed by default in Windows 7.

Should you wish to disable IPv6 in Windows 7 you can do so by unchecking the enable IPv6 option on the Local Area Connection properties tab.