Microsoft 70-685: PRO: Windows 7 Enterprise Desktop Support Technician


Microsoft 70-685

PRO: Windows 7 Enterprise Desktop Support Technician

About the Exam


Five major topic areas make up the Microsoft MCITP PRO 70-685 certification exam:

- Identifying Cause of and Resolving Desktop Application Issues
- Identifying Cause of and Resolving Networking Issues
- Managing and Maintaining Systems That Run Windows 7 Client
- Supporting Mobile Users
- Identifying Cause of and Resolving Security Issues

This guide will walk you through all the skills measured by the exam, as published by
Microsoft.

Objectives

Chapter 1: Identifying Cause of and Resolving Desktop Application Issues.
- Identify and resolve new software installation issues.
- Identify and resolve software configuration issues.
- Identify causes of and resolve software failure issues.

Chapter 2: Identifying Cause of and Resolving Networking Issues.
- Identify and resolve logon issues.
- Identify and resolve network connectivity issues.
- Identify and resolve name resolution issues.
- Identify and resolve network printer issues.

Chapter 3: Managing and Maintaining Systems That Run Windows 7 Client.
- Identify and resolve performance issues.
- Identify and resolve hardware failure issues.

Chapter 4: Supporting Mobile Users.
- Identify and resolve wireless connectivity issues.
- Identify and resolve remote access issues.

Chapter 5: Identifying Cause of and Resolving Security Issues.
- Identify and resolve Windows Internet Explorer security issues.
- Identify and resolve issues due to malicious software.
- Identify and resolve encryption issues.
- Identify and resolve software update issues.

Chapter 1 Identifying Causes of and Resolving Desktop Application Issues.
Identify and resolve new software installation issues.
All software is not created equal, and neither are all users. While some software may sit benignly on the computer, doing whatever it is programmed to do, other software can cause conflicts with other systems in the network. To keep this from happening, you need to ensure that not everyone can freely download software to the network. This is where user permissions come into play.
Permissions are settings that you establish for a resource to control which users and groups can access the resource and what degree of access they have. Permissions are implemented at several levels in Microsoft Windows operating systems and other Microsoft BackOffice applications. Microsoft systems implement permissions using discretionary access control lists (DACLs): internal lists attached to an object, such as an object in Active Directory, that specify which users and groups are authorized to access the object and what kinds of operations they can perform on it. The kinds of access that can be assigned to an object depend on the type of object under consideration.
Different users need different levels of access. A clean way to grant access is at the
group level, rather than at the user level. This makes it easier to administer: when
you give a group a privilege level, all users in the group are granted that same
privilege. Group policies are created and assigned using Group Policy, a snap-in for
the Microsoft Management Console (MMC). Group policies are typically used to
simultaneously configure the desktop working environments of a group of users,
but they have many other uses as well.
Group policies can be used to:

- Manage applications: for example, by configuring policies to allow users to install applications published in Active Directory, or to automatically install or upgrade applications on their machines.
- Redirect folders from the Documents and Settings folder on a user's local machine to a share on the network.
- Assign scripts for startup, shutdown, logon, and logoff events.
- Manage security: for example, to control users' access to files and folders, control user logon rights, and configure account lockout restrictions.
- Manage software: for example, to configure user profiles such as desktop settings, Start menu, and other common settings.

Each combination of Group Policy settings that you configure is called a Group Policy Object
(GPO). You can link GPOs to computers and users based on their location in an Active Directory
structure. That is, you can link a GPO to a site, domain, or organizational unit (OU). Each GPO
is applied as part of the startup process or when a user logs on to a workstation. The settings
within the GPOs are evaluated by the affected clients, using the hierarchical nature of Active
Directory.

- Computer Configuration: All computer-related Group Policy settings that specify operating system behavior, desktop behavior, security settings, computer startup and shutdown scripts, computer-assigned applications, and any settings provided by applications. These settings can affect what software can or cannot be loaded on the computer.

Windows permissions come in several types:

1. Shared folder permissions: Can be applied to shared folders on Windows systems to control access to network shares by users.
2. NTFS permissions: Can be applied to files and folders on NTFS volumes for both local and network control of access to the resources.
3. Print permissions: Can be assigned to printers to control who can manage printers, manage documents, or print documents.
4. Active Directory permissions: Can be assigned to objects within Active Directory of Windows 2000 using Active Directory Users and Computers.
5. Exchange permissions: Can be assigned to objects in the Microsoft Exchange Server directory hierarchy to control who can administer different parts of an Exchange organization using the Exchange Administrator program.
6. Public folder permissions: Can be assigned using Microsoft Outlook to files in public folders to control who can read, edit, or delete those files.

All of these permissions and DACLs determine:

1) whether or not a user is allowed to install software, and
2) where on the network they might be able to run this software.

By knowing the hierarchical permissions a user or device has, you can understand what might cause a software installation to fail, and at what level of administrative permissions the software is allowed to be installed.
Another issue you can have with new software loads is licensing requirements. Merely purchasing software does not legally authorize you to use this software in a given networking scenario; you must also have the appropriate licenses. The hallmark of proprietary software licensing is that the software publisher grants a license to use one or more copies of the software, but ownership of those copies remains with the software publisher (hence the term proprietary).
One consequence of this proprietary software licensing design is that practically all rights regarding the software are reserved by the software publisher. Only a very limited set of well-defined rights is given to the end user. As a result, it is typical of proprietary software license agreements to include many terms which specifically prohibit certain uses of the software, often including uses which would otherwise be allowed under copyright law.
The most significant effect of this licensing design is that, if ownership of the software remains with the software publisher, then the end user must accept the software license. In other words, without acceptance of the licensing agreement, the end user will not even be able to complete the software installation.
You generally obtain a server license for each server and a client access license (CAL) for each client that will access the server. The two client access licensing modes are Per-Server and Per-Seat. Microsoft's License Manager is an administrative tool used to manage licenses for Microsoft BackOffice products on the network. You can use License Manager to do the following:

- Add or delete client access licenses (CALs) for BackOffice products
- Create license groups
- Display licensing information
- Change licensing from Per Server to Per Seat (one-time conversion)

One item to note: if you are using per-server licensing and log on to two servers using the same user name, you consume two license counts, one per server. Take this into account when determining the license types and counts you need for your end users' access to software.
A digital signature is an electronic signature that you can use to sign a document being transmitted by electronic means. Digital signatures validate the identity of the sender and ensure that the document they are attached to has not been altered by unauthorized parties during transmission. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit.
Digital signatures are commonly used for software distribution. A mathematical summary (hash) of the software is created using special software, and that hash forms the digital signature. The hash is encrypted and sent along with the software to the end user. If the hash does not match when the end user processes the signature using the public key, then you know the software has either been changed by an outside entity or may have been corrupted in transit to your network, and it should not be used in either case. If the hash matches, the software is complete and should be safe to load and run.
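
The verification described above, as an added example that is not part of the original guide: a PowerShell function that reads the Authenticode signature embedded in an installer and compares the file's SHA-256 hash with the value a vendor published. The file path, publisher name and expected hash are placeholders, and the function names are chosen here, not taken from any Microsoft tool.

```powershell
# Added example (not from the original guide): decide whether a downloaded installer may be
# deployed. Two independent checks: (1) the Authenticode signature embedded in the file, and
# (2) the file's hash against the value published by the vendor. Paths/values are placeholders.

function Get-FileSha256 {
    param([Parameter(Mandatory=$true)][string]$Path)
    # The .NET class is used directly so this also works on Windows 7's PowerShell 2.0,
    # which has no Get-FileHash cmdlet.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Test-InstallerIntegrity {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string]$ExpectedSha256,        # hash published by the vendor (optional)
        [string]$ExpectedPublisher      # CN expected in the signer certificate (optional)
    )
    $result = New-Object PSObject -Property @{
        Path        = $Path
        Signature   = $null      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer      = $null
        Detail      = $null
        HashMatches = $null      # $null when no expected hash was supplied
        Deploy      = $false
    }
    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Signature = 'FileNotFound'
        return $result
    }

    # Check 1: the embedded signature. HashMismatch means the file changed after it was
    # signed; NotTrusted means the signer's certificate chain is not trusted on this machine.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.Signature = $sig.Status.ToString()
    $result.Detail    = $sig.StatusMessage
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
    }

    # Check 2: the hash of the file as received against the vendor's published value.
    # PowerShell's -eq on strings is case-insensitive, so upper/lower hex both compare.
    if ($ExpectedSha256) {
        $actual = Get-FileSha256 -Path $Path
        $result.HashMatches = ($actual -eq $ExpectedSha256.Replace(':', '').Replace(' ', ''))
    }

    # Deploy only if the signature verifies, the signer is the expected publisher (when one
    # was given) and the published hash (when one was given) matches.
    $signerOk = (-not $ExpectedPublisher) -or ($result.Signer -like "*CN=$ExpectedPublisher*")
    $hashOk   = ($null -eq $result.HashMatches) -or $result.HashMatches
    $result.Deploy = ($sig.Status -eq 'Valid') -and $signerOk -and $hashOk
    return $result
}

# Usage with placeholder values; replace with the real installer, publisher and published hash.
Test-InstallerIntegrity -Path 'C:\Downloads\setup.exe' `
                        -ExpectedPublisher 'Contoso Ltd' `
                        -ExpectedSha256 '<SHA-256 from the vendor download page>' | Format-List
```

A HashMismatch status or a false HashMatches is the "changed or corrupted in transit" case the text describes; NotTrusted with a plausible signer name points at a missing root certificate on the client rather than at the file.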

Identify and resolve software configuration issues.


If you are going to have any software configuration issues, they will most likely be due to compatibility problems: the software was designed for a previous version of Windows, such as Windows XP or Windows 2000, and the Windows 7 operating system was released after your third-party software.
Fortunately, there are several tools and resources available in Windows 7 to ensure that legacy
software applications can run properly:
1. Microsoft Windows 7 Compatibility Center
http://www.microsoft.com/windows/compatibility/windows-7/enus/Default.aspx

At the Windows 7 Compatibility Center website, you can search through many types of personal
and business software. You can also browse various types of hardware, including cameras,
printers, scanners, media players, graphics cards, and storage devices.
The website also offers the Windows 7 Upgrade Advisor, which is freely downloadable. This
tool will analyze your system and let you know if any existing software or hardware components
will not be supported in Windows 7 or will need to be upgraded or replaced.

2. Program Compatibility Troubleshooter

This tool is accessible via the Start button and is a wizard-based utility that scans your system for currently installed applications and lets you select the program that you are having compatibility issues with.
After selecting the incompatible application, the wizard offers the following
compatibility modes:
1. Windows 95
2. Windows 98/ME
3. Windows NT 4.0 SP5
4. Windows 2000
5. Windows XP SP2
6. Windows XP SP3
7. Windows Vista
8. Windows Vista SP1
9. Windows Vista SP2
An additional problem that many older applications will have is not being
compatible with the newer, more advanced graphical features of Windows 7,
including the Aero interface. With the Program Compatibility Troubleshooter,
you can set the following graphical settings for specific applications:
1. 256 colors
2. 640x480 screen resolution
3. Force application to Run as Administrator

3. Windows 7 Local Group Policy Editor

Application compatibility can be configured via the Local Group Policy editor, as
follows:
1. Either navigate to the Local Group Policy editor via the Start menu, or
open a command prompt and type gpedit.msc.
2. Navigate to Computer Configuration -> Administrative Templates ->
System -> Troubleshooting and Diagnostics\Application Compatibility
Diagnostics.

NOTE:
The ability to edit application compatibility via the Local Group
Policy is available on the Windows 7 and Windows 2008 R2
platforms.
4. Windows XP Mode

This is a new feature available in Windows 7 and runs as a Virtual Hard Drive
(VHD) guest Operating System on your host Windows 7 system.
The guest OS included with XP Mode is a Windows XP SP3 system.
XP Mode can be downloaded for free from http://go.microsoft.com/fwlink/?LinkID=149077
The requirements for XP Mode are:
1. 1 GHz 32-bit / 64-bit processor required
2. 2GB memory or higher recommended
3. 15 GB hard drive space per virtual Windows environment.
4. Windows Professional, Enterprise or Ultimate edition as the host OS

When using XP Mode, an administrator can use the virtual XP SP3 system for running legacy applications that cannot otherwise run correctly on Windows 7. When XP Mode is installed, the administrator configures the XP VM with the legacy applications that need to be hosted on the VM.
Applications installed on the XP VM with shortcuts in the Programs folder of the All Users Start menu folder in the Windows XP image are automatically published to the host's Start menu. A Windows 7 user launches the application as they would any other application, without knowing that they are running an application on a VM.
XP Mode includes Integration components which are a set of low-level software,
such as device drivers, that allow seamless integration between the guest
operating system and the host. These components are installed by default in the
preconfigured Windows XP guest provided for Windows XP Mode.
5. Application Compatibility Toolkit
The Application Compatibility Toolkit (ACT) is a free set of tools that enable IT
administrators who work in a corporate environment as well as software vendors
to determine, before deployment, whether applications are compatible with a new
version of the Windows operating system such as Windows 7. ACT also
enables such individuals to determine how an update to the new version will
affect their applications.
ACT can help to identify and potentially solve compatibility issues that come from the implementation of new technologies such as:
1. User Account Control (UAC): Adds security to Windows by limiting
administrator-level access to the computer, restricting most users to run as
Standard Users.
2. Windows Resource Protection (WRP): Enables applications to function
properly even if they attempt to write to protected system files or registry
locations. WRP creates a temporary work area and redirects write actions
for the application session.
3. Internet Explorer Protected Mode: Helps to defend against elevation-of-privilege attacks by restricting the ability to write to any local computer zone resources other than temporary Internet files.
4. Deprecations: The Windows operating system has deprecated many
objects from previous versions of the operating system. The deprecation
has occurred for .dll files, executable (.exe) files, COM objects, registry
keys, application-programming interfaces (APIs), and various other files.
5. Graphical Identification and Authentication (GINA) DLL: Prior to the
release of the Windows Vista operating system, independent software
vendors (ISVs) were able to modify authentication, by installing a GINA
DLL.
6. Session 0: Prior to the release of the Windows Vista operating system, the first user who logged on to a computer ran in Session 0, which is the same session that is used for all system services. Windows Vista and Windows 7 require all users to run in Session 1 or later so that no user runs in the same session as the system services.


7. Windows Filtering Platform (WFP): WFP is an application programming interface (API) that enables developers to create code that interacts with the filtering that occurs at several layers in the networking stack and throughout the operating system.
8. Operating System Version Changes: The operating system version
number changes with each operating system release. For Windows Vista,
the version number is 6, while for Windows 7, the version number is 6.1.
9. Windows 7 64-bit: The 64-bit version of Windows 7 uses the Windows
on Windows 64 (WOW64) emulator. This emulator enables Windows 7 to
run 32-bit applications. The use of this emulator might cause an
application or a component that uses 16-bit executables or installers, or
32-bit kernel drivers, to fail to start or to function incorrectly.
ACT can be used to:
1. Verify your applications', devices', and computers' compatibility with a new version of the Windows operating system, including determining your risk assessment.
2. Verify a Windows update's compatibility, including determining your risk
assessment.
3. Become involved in the ACT Community, including sharing your risk
assessment with other ACT users.
4. Test your Web applications and Web sites for compatibility with new
releases and security updates to Internet Explorer, by using the Internet
Explorer Compatibility Test Tool.

Identify causes of and resolve software failure issues.


A log is any file that contains records corresponding to application or operating system events or
conditions, usually arranged sequentially by time. Log files are usually delimited text files (such
as .csv files) in which each line represents a transaction or logged event, with individual data
fields separated by delimiting characters such as commas. Delimited text files can be imported
into spreadsheet programs such as Microsoft Excel, database programs such as Microsoft
Access, and report and analysis tools such as Crystal Reports for further analysis and graphical
display of trends and usage patterns.
"Relogging" is the process of taking a log file and sampling it at larger time intervals to reduce the size of the file for archiving purposes while maintaining the overall trend of data within the log. Logs can be used for:

- Keeping track of transactions performed on an information store or database (as in Microsoft SQL Server or Microsoft Exchange Server).
- Monitoring server or network performance over time when Performance Monitor is used on a Windows NT-based or Windows 2000-based network.
- Recording details of visitors to Web sites when you use Internet Information Services (IIS).
- Recording the details of modem commands or Point-to-Point Protocol (PPP) transmissions when you use Network and Dial-up Connections to connect to an Internet service provider (ISP).

By checking the logs, you can see when a change was made to the operating system, whether it was new software being downloaded or changes made to registry settings of existing code. Knowing when issues occurred on the computer, and marrying that data to the log files, can give you a better indication of what might have caused the problem.
The registry is a hierarchical database in which newer Microsoft Windows operating systems
store their hardware and software configuration information such as user profiles, the hardware
and software installed on the system, registered document types, property settings for icons, ports
being used, and so on. The registry in Windows 2000, Windows NT, Windows 95, and Windows
98 replaces the INI files, such as win.ini and system.ini, that were used in the legacy Windows
3.1 and Windows for Workgroups 3.11 operating systems. You can use the registry editor
(REGEDIT) to change the settings back to their original values when it is determined a new
software load made a change that caused issues.
Safe mode is a process of starting Microsoft Windows that bypasses startup files and runs a basic set of files and drivers including mouse, keyboard, video, mass storage, and basic system services. This mode is used for troubleshooting when your system fails to boot properly, for example due to a corrupt device driver or after you make an erroneous change to the registry. Safe mode bypasses the system startup files to allow you to start with a "clean" configuration. To access safe mode while booting Windows 2000, press the F8 key when you see the message "Please select the operating system to start." You will then be presented with a list of options that includes three safe mode options: standard, networking-enabled, and safe mode with command prompt. Use the arrow keys to navigate the list. Press the Enter key to make your selection.


Once the system is running in safe mode, you can then attempt to open and run the software in
question. Since you are using a clean version of the registry, if the software still fails, you
know it is an issue with that code. If the software runs as expected in safe mode, then a change
was made to the registry that is affecting its performance in standard mode, and it will have to be
corrected.


Chapter 2 Identifying Causes of and Resolving Networking Issues.
Identify and resolve logon issues.
A password can be used to log on to a network and access personal files. Passwords
are a part of a user's credentials, which include, at a minimum, the username and
password, and in a multi-domain enterprise also include the user's domain.
Passwords are generally known only to users themselves and possibly to members
of the Administrators or Account Operators group on Windows based networks.
Logons that require the domain to be included should be checked first when a user reports a logon issue. If they are attempting to log on to the incorrect domain, then their user name and password combination will not work, even if they are entering the correct password.
When establishing a password policy for your company, you should determine:

- Who will control passwords: the administrators or the users. Giving users control over their own passwords makes them completely responsible for their systems and personal folders. You can configure systems so that the first time users log on to the network they must change their initial password to one that only they know. This is usually the best solution.

- How complex passwords should be and how often they should be changed. If you make passwords too complex, such as random scrambles of letters, numbers, and symbols, the network might be less secure instead of more, because users are likely to write down a difficult-to-remember password and tape it under their keyboard or in some other handy location. Also, if passwords must be changed frequently, users will typically make simple changes such as adding an incremental number to the end of each new password. The best policy is usually to require a password of six to eight characters that doesn't change and to teach users to select passwords that do not include family names, addresses, postal codes, and so on. Passwords should usually be simple combinations of letters and numbers, such as "hat5920" or "0p3ns2ysm3".

- If you require a password to be changed after a certain amount of time (for example, every 45 or 60 days), it must be decided whether users can recycle passwords: can they reuse a password used previously, and if so, how long must they wait before it can be reused? Or are they required to create a new password every time?


Logons can be one of two types:

1. Interactive logons: Occur when users sit at the console of the computer they want to access and enter their credentials in the logon dialog box (hardware logon).

2. Remote logons: Occur when a user has already logged on interactively to a machine but wants to establish a network connection with a remote computer. For example, if the user tries to map a drive letter to a shared folder on the remote computer, a remote logon must take place during the process so that the remote computer can be sure that the user has the right to perform the action (network logon).

Logons can be stored:

- On the local machine itself, such as a computer running Microsoft Windows that is configured as part of a workgroup. In the workgroup security model, each machine maintains its own separate list of valid user accounts in its local security database. When a user performs an interactive logon to a stand-alone machine running Windows that is not part of a domain, the machine itself validates the user's credentials.

- On a designated machine or group of machines on the network. For example, in a Windows NT-based network that is based on the domain security model, special machines called domain controllers store and maintain the list of valid user accounts for all users on the network in the domain directory database or Security Account Manager (SAM) database. These domain controllers are used for validating attempts by users logging on to computers in the domain. When the user attempts to log on interactively to a local machine that is part of a domain, the local machine forwards the user's credentials to a domain controller on the network by using a mechanism called pass-through authentication, and the domain controller authenticates the user's credentials and informs the user's local machine that it should allow the user access to the network.

Logon hours are the hours during which a user has access to the network. In Microsoft
Windows NT, administrators use User Manager for Domains to establish logon hours and other
restrictions for each user account. In Windows 2000, administrators use Active Directory Users
and Computers, which is implemented as a snap-in for Microsoft Management Console (MMC).
Logon hours can be applied on either a permit or deny basis. If a user attempts to login outside
allowed hours, the login will fail. This is not an issue of the system failing, but rather the system
is working as programmed and there is an issue of end-user training.


NOTE: For security reasons, you might want to restrict logon hours for
ordinary users to company working hours. This reduces the chance
of accounts being used for unauthorized access during off hours.

Trust relationships allow users in one domain to access resources in another domain. Trusts
work by having one domain trust the authority of the other domain to authenticate its user
accounts. If you want to establish a two-way trust between two domains, you must create two
trusts, one in each direction. Administrators can set up trust relationships between domains by
using the Policies menu in User Manager for Domains. The administrator on the accounts
domain should permit the trust first, and then the administrator on the resource domain should
complete the trust. Only global accounts (global users and global groups) can cross trusts.
By using trusts, you can join Windows NT domains into a variety of domain models, including
the complete trust model, the master domain model, and the multiple master domain model. You
can join domains to support 100,000 or more users for enterprise-level networks.
You must know your trust settings when troubleshooting logon issues. If the trust is one way, and the end user is on the receiving-only end, then the logon will fail going back the other direction. Most end users are not going to know anything about trusts; they will just know they can't log into machine C, while they can always log into machine A.


Identify and resolve network connectivity issues.


Connectivity issues should always be handled using the OSI stack model, physical layer first. If using a cabled connection, is the cable all the way in? Is there a link light? If wireless, do you have a full connection to your access point? You won't be able to access anything in the network if the computer is acting as a stand-alone entity.
Once you have established that your physical layer is correct, check your NIC settings: does it have an IP address, and is it valid for the network? If it doesn't have a hardcoded IP but is using DHCP, verify it has received an IP by opening a command prompt (cmd) and typing ipconfig. All adapters will show, along with the IPs assigned. If the IP is 169.x.x.x, your system is not pulling a valid IP from its DHCP server. You will then need to verify the network connection is complete at the device your computer is attached to. If your system is assigned a static IP address, double-check that the default gateway address falls within the address scheme permitted by the subnet mask. The ping command is one of the first commands to use to troubleshoot communication problems on a TCP/IP network.
The usual procedure for using ping to troubleshoot a TCP/IP network follows:

1. Verify that TCP/IP is installed and running by pinging the local loopback address using ping 127.0.0.1.
2. Ping your own IP address and host name.
3. Ping the IP address of the default gateway for your local network.
4. Ping the IP address of a host on a remote network.
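
The layered check above (adapter address and APIPA, gateway inside the subnet, then the four ping steps), as an added PowerShell example that is not part of the original guide. It uses only cmdlets present on Windows 7; the remote host name and the function names are placeholders chosen here.

```powershell
# Added example (not from the original guide): automates the bottom-up connectivity triage the
# text describes. Checks run in layer order and the first failure is reported separately, so
# the lowest failing layer stands out. 'www.example.com' is a placeholder remote target.

function Get-IpEnabledAdapters {
    # WMI is available on Windows 7's PowerShell 2.0; Get-NetIPConfiguration is not.
    @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
}

function Test-SameSubnet {
    # True when (ip AND mask) equals (gateway AND mask) for all four octets, i.e. the gateway
    # lies inside the address scheme the subnet mask permits.
    param([string]$Ip, [string]$Gateway, [string]$Mask)
    $i = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $g = [System.Net.IPAddress]::Parse($Gateway).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    for ($k = 0; $k -lt 4; $k++) {
        if (($i[$k] -band $m[$k]) -ne ($g[$k] -band $m[$k])) { return $false }
    }
    return $true
}

function New-Check {
    param([string]$Step, [string]$Target, [bool]$Ok, [string]$Note)
    New-Object PSObject -Property @{ Step = $Step; Target = $Target; Ok = $Ok; Note = $Note }
}

function Test-Reachable {
    param([string]$Address)
    # -Quiet returns $true/$false instead of reply objects; two echoes keep the run short.
    [bool](Test-Connection -ComputerName $Address -Count 2 -Quiet -ErrorAction SilentlyContinue)
}

function Invoke-ConnectivityTriage {
    param([string]$RemoteHost = 'www.example.com')   # placeholder: use a host known to be up
    $checks = @()
    $ipv4Re = '^\d{1,3}(\.\d{1,3}){3}$'
    $nics = Get-IpEnabledAdapters
    if ($nics.Count -eq 0) {
        # Nothing at layer 1/2: cable, link light or wireless association is the place to look.
        $checks += New-Check 'Link' '(none)' $false 'No IP-enabled adapter: check cable, link light or wireless association'
        return $checks
    }
    $pingTargets = @('127.0.0.1')                       # step 1: the TCP/IP stack itself
    foreach ($nic in $nics) {
        $addrs = @($nic.IPAddress)
        $masks = @($nic.IPSubnet)                        # same index positions as IPAddress
        $gws   = @($nic.DefaultIPGateway | Where-Object { $_ -match $ipv4Re })
        for ($n = 0; $n -lt $addrs.Count; $n++) {
            $ip = $addrs[$n]
            if ($ip -notmatch $ipv4Re) { continue }      # IPv6 entries are not part of this check
            # 169.254.0.0/16 is the APIPA range Windows self-assigns when no DHCP server answers.
            $apipa = $ip -like '169.254.*'
            $note = 'static address'
            if ($nic.DHCPEnabled) { $note = 'DHCP lease' }
            if ($apipa) { $note = 'APIPA address: no DHCP lease, check the link to the DHCP server' }
            $checks += New-Check "Address ($($nic.Description))" $ip (-not $apipa) $note
            $pingTargets += $ip                          # step 2: own address
            if ($masks.Count -gt $n -and $masks[$n] -match $ipv4Re) {
                foreach ($gw in $gws) {
                    # A gateway outside the local subnet can never be reached directly.
                    $inSubnet = Test-SameSubnet -Ip $ip -Gateway $gw -Mask $masks[$n]
                    $checks += New-Check 'Gateway in subnet' "$gw mask $($masks[$n])" $inSubnet 'gateway must share the subnet of the address'
                }
            }
        }
        $pingTargets += $gws                             # step 3: default gateway
    }
    $pingTargets += $RemoteHost                          # step 4: a host on a remote network
    foreach ($t in $pingTargets) {
        $checks += New-Check 'Ping' $t (Test-Reachable $t) ''
    }
    $firstFail = $checks | Where-Object { -not $_.Ok } | Select-Object -First 1
    if ($firstFail) {
        Write-Host ("First failure: {0} {1} {2}" -f $firstFail.Step, $firstFail.Target, $firstFail.Note)
    }
    return $checks
}

Invoke-ConnectivityTriage | Format-Table Step, Target, Ok, Note -AutoSize
```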

The default gateway is a device on a TCP/IP internetwork that can forward IP packets to another
network, usually a router. In an internetwork, a given subnet might have several router interfaces
that connect it to other, remote subnets. One of these router interfaces is usually selected as the
default gateway of the local subnet. When a host on the network wants to send a packet to a
destination subnet, it consults its internal routing table to determine whether it knows which
router to forward the packet to in order to have it reach the destination subnet.
If the routing table does not contain any routing information about the destination subnet, the
packet is forwarded to the default gateway (one of the routers with an interface on the local
subnet). The host assumes that the default gateway knows what to do with any packets that the
host itself does not know how to forward.


Determine if there are any proxy servers on the network. A proxy server is a computer that can act on behalf of other computers to request content from the Internet or an intranet. Proxy servers
can be used to secure private networks connected to unsecured public networks such as the
Internet. They have greater functionality than packet-filtering routers because they operate at a
higher level of the protocol stack and afford greater control over monitoring and managing
network access.
A proxy server functioning as a security agent for a private network is generally called a firewall.
An application-level gateway can implement security policies for analyzing packets that reach
the external (public) interface of the proxy server from distrusted public networks. These security
policies can examine packet addresses and other header information, permit or deny packets on
the basis of their contents, and modify the address, header, or contents of packets that they
monitor in order to hide key information about the internal network's applications and services.
Application-level gateways provide proxy services only for specifically configured applications
and protocols such as HTTP, File Transfer Protocol (FTP), Simple Mail Transfer Protocol
(SMTP), and Telnet. For each type of application for which you want to regulate access through
the firewall, you must install and configure a related proxy service on the proxy server.
Applications and protocols for which a proxy service is not installed cannot be accessed through
the firewall. If the end-user computer resides on one side of a proxy, and the network device you
are trying to access is on the other, you must validate that you can pass your required traffic
through the proxy.

Identify and resolve name resolution issues.


If you have issues when attempting to access web sites within and outside your company
network, you may need to check your DNS settings.


A hierarchical system for identifying hosts on the Internet or on a private, corporate TCP/IP internetwork, the Domain Name System (DNS) provides:

- A method for identifying hosts with friendly names instead of IP addresses.
- A distributed mechanism for storing and maintaining lists of names and IP addresses of hosts.
- A method for locating hosts by resolving their names into their associated IP addresses so that network communication can be initiated with the host.

A DNS client is a machine configured to send name resolution queries to a DNS server. A DNS
client is also called a resolver. When a client needs to resolve a remote host's name into its IP
address, it sends a request to the DNS server, which returns the IP address of the remote host.
DNS client software, which is built into most machines that have TCP/IP installed, enables the
machines to issue DNS queries to name servers. For example, on Microsoft Windows platforms,
the DNS client software makes possible the use of DNS names for browsing the Internet using
Microsoft Internet Explorer.
The collection of database files, or zone files, and associated files that contain resource records
for a domain is the DNS database. These files are stored on a name server. DNS database files
are typically flat-file database files in the form of simple ASCII files. They contain:

• The zone file, which has the extension .dns and contains the resource records that the
DNS server manages.
• The reverse lookup file, which resolves IP addresses into host names.
• The cache file, which has the names and IP addresses of the root name servers for DNS.
• The boot file, which is used for startup configuration of the DNS server and is needed
only for resolving the names of hosts that are located outside the zones for which the
DNS server is authoritative.

When dealing with DNS issues, a good idea is to flush the local DNS cache so we are starting
with a clean sheet. To do this, simply enter the following in a command prompt:
ipconfig /flushdns
Now that we have a clean DNS cache, we can proceed with making a couple of changes to the
registry:
1. Block negative entries
To force Windows NOT to cache negative entries (cached failed lookups), we need to add a new
DWORD to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
DWORD: MaxNegativeCacheTtl
Value: 0
This will now ensure NO negative entries are stored.
2. Cache TTL
To force Windows to keep positive entries in the DNS cache for only 4 hours instead of the default
24 hours, we need to apply the following change to the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
DWORD: MaxCacheTtl
Value: 14400

WARNING: Make sure you enter the 14400 (seconds) as Decimal Base and NOT Hexadecimal Base!

Now your registry key should look similar to this:
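An added example, not from the study guide, that applies and verifies the two Dnscache values described above from an elevated PowerShell prompt on the Windows 7 client. The registry path and value names are the ones given above; the host name used in the resolution check is a placeholder.

```powershell
# Added example: apply, verify and exercise the Dnscache\Parameters values above.
# Run from an elevated PowerShell prompt on the Windows 7 client.
$DnsCacheKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'

function Set-DnsCacheTtl {
    param(
        [int]$MaxCacheTtl = 14400,       # positive entries: 4 hours, in seconds
        [int]$MaxNegativeCacheTtl = 0    # 0 = do not cache failed lookups
    )
    # Passing an [int] with -Type DWord stores the decimal number directly, so the
    # decimal-vs-hexadecimal mistake that is possible in regedit cannot happen here.
    # Set-ItemProperty creates the value if it does not exist yet.
    Set-ItemProperty -Path $DnsCacheKey -Name 'MaxCacheTtl' -Value $MaxCacheTtl -Type DWord
    Set-ItemProperty -Path $DnsCacheKey -Name 'MaxNegativeCacheTtl' -Value $MaxNegativeCacheTtl -Type DWord
    # The DNS Client service picks the new values up when it restarts.
    Restart-Service -Name Dnscache
}

function Test-DnsCacheTtl {
    # Read the values back and flag the classic "typed 14400 as hex" mistake:
    # 0x14400 is 82944 decimal, i.e. a cache lifetime of about 23 hours.
    $p = Get-ItemProperty -Path $DnsCacheKey
    if ($p.MaxCacheTtl -eq 82944) {
        Write-Warning 'MaxCacheTtl is 0x14400 (82944 s): 14400 was entered as hexadecimal.'
    }
    New-Object PSObject -Property @{
        MaxCacheTtl         = $p.MaxCacheTtl
        MaxNegativeCacheTtl = $p.MaxNegativeCacheTtl
    }
}

function Test-NameResolution {
    param([string]$HostName = 'intranet.example.local')  # placeholder host name
    # Start from a clean cache, exactly as the text recommends, then resolve
    # through the client's configured DNS servers.
    ipconfig /flushdns | Out-Null
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString }
        Write-Host "$HostName resolved to: $($addresses -join ', ')"
        # The fresh answer should now be visible in the local cache.
        ipconfig /displaydns | Select-String -Pattern $HostName -SimpleMatch
    } catch [System.Net.Sockets.SocketException] {
        # With MaxNegativeCacheTtl = 0 this failure is not cached, so a retry after
        # the DNS server is fixed goes straight to the network.
        Write-Warning "Name resolution failed for ${HostName}: $($_.Exception.Message)"
    }
}

Set-DnsCacheTtl
Test-DnsCacheTtl
Test-NameResolution
```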

DNS console is a snap-in for the Microsoft Management Console (MMC) in Microsoft Windows
2000 that enables administrators to manage Windows 2000 Servers running as DNS servers. You
can use the DNS console to:

• Create and maintain the DNS database of host name to IP address mappings.
• Create and manage zones of authority.
• Create start of authority (SOA), name server (NS), address (A), CNAME, and other
resource records in the DNS database.
• View DNS server statistics.
• Control how zones are stored and replicated between DNS servers.
• Configure how DNS servers will process DNS queries and handle dynamic updates.
• Configure security for specific zones and resource records.

NSLOOKUP is a built-in DNS diagnostic utility. When you use the NSLOOKUP command, it
assumes that you are querying a local domain on your private network. You can query an
external domain, but NSLOOKUP will try to search for the domain internally first. Once the
NSLOOKUP shell is open, you will need to tell NSLOOKUP which DNS server you want to
query. To do so, enter the SERVER command, followed by the DNS server's IP address, as
shown here:

You can also enter the server's fully qualified domain name (assuming that it can be resolved) as
an alternative to the server's IP address.
The DHCP scope is a range of IP addresses that a DHCP server can lease out to DHCP clients.
You configure the DHCP scope using the Windows Server MMC snap-in DHCP console. The IP
addresses are leased for a specific Time to Live (TTL), usually three days. Information about
scopes and leased IP addresses is stored in the DHCP database on the DHCP server. The values
for IP address scopes created on DHCP servers must be taken from the available pool of IP
addresses allocated to the network. Errors in configuring the DHCP scope are a common reason
for problems in establishing communication on TCP/IP networks.

• DHCP servers do not share their database of leased IP addresses, so if your network has
more than one DHCP server, be sure that their DHCP scopes do not overlap.
• Assign DHCP options to the DHCP server if clients need them.
• Assign static IP addresses to non-DHCP clients, and exclude these addresses from the
scope on the DHCP server if necessary.
• Assign static IP addresses to all servers on your network or assign them DHCP client
reservations on the DHCP server to ensure that they always lease the same IP address.
• Configure DHCP relay agents if one DHCP server must serve hosts on several subnets.

Identify and resolve network printer issues.


One of the first steps in troubleshooting a network (or local) printing issue is to become familiar
with the terminology that Microsoft uses for printing technology. This terminology may be
different from what you use; however, it is critical to understand.
• Print device - the hardware device that produces the printed output (such as your HP
LaserJet device)
• Printer - the software, driver and metadata that is used to manage and communicate with
the print device and print queue.
o When you install or map to a print device, you are creating a printer. Many find
it helpful to think of the printer as the icon that represents the connection to the
device.
• Print Spooler - this is a directory on the computer where the data to be printed is
temporarily stored until it is moved to the print device. The default directory is
%SystemRoot%\System32\Spool\Printers. The default directory can be changed.

Troubleshooting network printer issues can involve several steps. The first step is to eliminate
the potential variables and to narrow down the possible causes of the issue. Several items to
consider include:
• Check for physical problems with the print device. Physical problems can include:
o Paper jams on the print device
o Print device out of paper
o Print device taken off-line
o Print device out of ink or toner
• Check for network connectivity problems:
o Can you ping the IP address of the machine hosting the shared printer or the IP
address of the print device itself (if you are using TCP/IP-based printing)?
o Is name resolution working for the host name of the print server hosting the shared
printer? This can be tested with the NSLOOKUP command-line tool.
o Can you open the print queue of the shared printer (this will verify network
connectivity)? If you can open the print queue, is the print job in question
paused? If so, attempt to resume the print job.

• Issues with drivers
o If you are printing to a shared printer on a Windows-based server, the driver for
the printer should have been downloaded and installed when you mapped to the
shared printer. The driver that is installed is based upon the drivers available on
the print server. An incorrect driver on the print server can cause problems for
the client machines that have mapped to that shared printer. One tell-tale sign of
an incorrect driver being used is that the printed output will be garbled or
unreadable.
o Drivers on Windows 7 systems are architecture specific, meaning that an x86
host must use an x86 driver and an x64 host must use an x64 driver. x86 and x64
drivers are not interchangeable!
o Drivers can become corrupt. A corrupted driver will cause printing issues or print
failures. If a driver becomes corrupt, the best method to replace the driver for a
shared printer on a print server is to delete the shared printer, manually delete the
driver from the system and then reconnect (re-map) to the shared printer. This
will cause the driver to be downloaded from the print server to the client. Failure
to remove the corrupted/old driver before reconnecting to the shared printer can
cause the problem to remain since Windows 7 will use the existing driver on the
local system if it is available.
o On a Windows 7 machine, the easiest place to view and manage all installed print
drivers is the Print Management snap-in. To open Print Management, click
Start, point to Administrative Tools, and then click Print Management.

o Improvements to the Print Management snap-in enable you to better manage print
servers, print queues, and print drivers. In Windows 7, the Print Management
snap-in includes better support for driver management and the ability to view all
print drivers installed on the network. You can now examine driver versions,
driver package information, and manage driver isolation.
• Printer Driver Isolation
o Prior to Windows 7, the failure of printer driver components was a main print
server support issue: the failure of a printer driver loaded into the print spooler
process would cause the process to fail, which would lead to an outage of the
entire printing system. The impact of a spooler failure on a print server is
particularly significant because of the large number of users and printers that are
typically affected.
o In Windows 7, you can now configure printer driver components to run in an
isolated process separate from the printer spooler process. By isolating the printer
driver, you can prevent a faulty printer driver from stopping all print operations
on a print server, which results in a significant increase in server reliability.
o In addition to the benefit of improving overall printing system stability, this new
feature provides a means to isolate new drivers for testing and debugging, and to
identify which printer drivers have been causing spooler failures.
o Printer driver isolation is enabled by default and can be disabled via the following
group policy setting: Computer Configuration / Administrative Templates /
Printers / Execute print drivers in isolated processes

o This policy setting determines whether the print spooler will execute print drivers
in an isolated or separate process. When print drivers are loaded in an isolated
process (or isolated processes), a print driver failure will not cause the print
spooler service to fail.
o If you enable or do not configure this policy setting, the print spooler will execute
print drivers in an isolated process by default.
o If you disable this policy setting, the print spooler will execute print drivers in the
print spooler process.
• Location Aware Printing
o In Windows 7, the Default Printer setting is now location aware. A mobile or
laptop user can set a different default printer for each network that they connect
to. They may have a default printer set for home, and a different default printer
set for office use. Their laptop can now automatically select the correct default
printer, depending on where the user is currently located.
o One potential troubleshooting item related to network printing and location aware
printing is that location aware printing does not work via a terminal services
connection. If a user connects via a terminal services connection, they will have
to set the default printer appropriately for the location they are at; it will not
change dynamically.
• XPS-based printing
o The XPS Document Writer (installed by default on Windows 7) allows you to
create .xps files using any program that you run on Windows.
o XPS documents look the same in print as they do on the screen. They are
portable, like any other file that you can email or transfer using a CD, DVD,
universal serial bus (USB) drive, or network connection.
o They are also easy to share because you can view them on any computer where an
XPS viewer is installed, even if the computer does not have the same programs
that you used to create the original documents.
o After printing to the .xps file format, you can view an XPS document by browsing
to it and opening it. You can print a paper copy, share the XPS document, or send
it to a commercial printer or other people in any way that you prefer.
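An added example, not part of the study guide, that runs the connectivity and driver checks listed under "Troubleshooting network printer issues" above against one shared printer, with PowerShell on the Windows 7 client. The print server and share names are placeholders; the WMI classes used (Win32_Printer, Win32_PrinterDriver, Win32_PrintJob) are the standard Windows classes.

```powershell
# Added example: connectivity and driver checks for one shared printer, run on
# the Windows 7 client. Server and share names are constructed placeholders.
function Test-SharedPrinter {
    param(
        [string]$PrintServer = 'PRINTSRV01',      # placeholder print server
        [string]$ShareName   = 'Floor2-LaserJet'  # placeholder share name
    )
    $report = @{}

    # 1. Name resolution of the print server (the check NSLOOKUP does interactively).
    try {
        $ip = [System.Net.Dns]::GetHostAddresses($PrintServer)[0].IPAddressToString
        $report.NameResolution = "OK ($ip)"
    } catch {
        $report.NameResolution = 'FAILED: fix DNS before checking anything else'
        return $report
    }

    # 2. Can the host that shares the printer be pinged?
    $report.Ping = if (Test-Connection -ComputerName $ip -Count 2 -Quiet) { 'OK' } else { 'FAILED' }

    # 3. The local Print Spooler service must be running to open any queue.
    $report.LocalSpooler = (Get-Service -Name Spooler).Status

    # 4. The mapped printer object: is it marked offline, and which driver does it use?
    $printerName = "\\$PrintServer\$ShareName"
    $printer = Get-WmiObject Win32_Printer | Where-Object { $_.Name -eq $printerName }
    if ($printer -eq $null) {
        $report.Printer = 'not mapped on this client'
        return $report
    }
    $report.WorkOffline = $printer.WorkOffline
    $report.Driver      = $printer.DriverName

    # 5. Driver architecture must match the client; x86 and x64 drivers are not interchangeable.
    $clientArch = if ([IntPtr]::Size -eq 8) { 'x64' } else { 'x86' }
    $driver = Get-WmiObject Win32_PrinterDriver |
        Where-Object { $_.Name -like "$($printer.DriverName),*" } | Select-Object -First 1
    # Win32_PrinterDriver.SupportedPlatform reads "Windows x64" or "Windows NT x86".
    $driverArch = if ($driver.SupportedPlatform -match 'x64') { 'x64' } else { 'x86' }
    $report.DriverArchitecture = "$driverArch (client is $clientArch)"

    # 6. Paused jobs in this queue (StatusMask bit 0x1 = paused); the text says to resume them.
    $paused = Get-WmiObject Win32_PrintJob |
        Where-Object { $_.Name -like "$printerName,*" -and ($_.StatusMask -band 1) }
    $report.PausedJobs = @($paused).Count

    return $report
}

Test-SharedPrinter | Format-Table -AutoSize
```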

Chapter 3 Managing and Maintaining Systems that Run Windows 7 Client.
Identify and resolve performance issues.

The first step in diagnosing performance issues on any system is to be able to define
what is normal or expected behavior versus what is abnormal or unexpected
behavior for a system. Quite simply, you cannot diagnose abnormal behavior until
you know what is normal!

Identifying performance related issues can start from many different types of
events:
• Reports from end-users regarding slow performance
• Error messages reported
• System crashes


Tools for performance monitoring


Several tools exist natively within the Windows 7 operating system that will assist
in profiling system performance as well as diagnosing abnormal performance.

Event Viewer
o Event Viewer is a tool that displays detailed information about
significant events on your computer. Event Viewer is particularly
useful for troubleshooting problems with the Windows OS as well as
with other programs.
o Event Viewer tracks information in several different logs. Windows
Logs include:
- Application or program events. Events are classified as
error, warning, or information, depending on the seriousness
of the event. An error is a significant problem, such as loss of
data. A warning is an event that isn't necessarily significant,
but might indicate a possible future problem. An information
event describes the successful operation of a program, driver,
or service.
- Security-related events. These events are called audits and
are described as successful or failed depending on the event,
such as whether a user trying to log on to Windows was
successful.
- Setup events. Computers that are configured as domain
controllers will have additional logs displayed here.
- System events. System events are logged by Windows and
Windows system services, and are classified as error,
warning, or information.
- Forwarded events. These events are forwarded to this log by other
computers.


Event Viewer in Windows 7 includes several new and improved tools including
forwarded events, custom views and attaching a task to an event:
o Forwarded Events - Windows 7 can be configured as both an event forwarder as
well as an event collector. The event log collecting and forwarding feature allows
an administrator to centralize the process of reviewing event logs. This can
significantly reduce the amount of time required when troubleshooting several
computers as you can do all analysis from one machine.
Configured as a forwarder, Windows 7 will forward the designated events
to the collector computer. Configured as a collector, the designated
machine will be the target (repository) of forwarded events from other
(forwarder) machines.
The process for configuring forwarding is as follows:
- Log on to all collector and source computers. It is a best practice to
use a domain account with administrative privileges.
- On each source computer, run the command: winrm quickconfig
NOTE: If you intend to specify an event delivery optimization of
Minimize Bandwidth or Minimize Latency, then you must also
run the above command on the collector computer.
- On the collector computer, type the following at an elevated
command prompt: wecutil qc
- Add the computer account of the collector computer to the local
Administrators group on each of the source computers.
The process for creating event subscriptions is as follows:
On the collector computer, run Event Viewer as an administrator.
Click Subscriptions in the console tree.

NOTE: If the Windows Event Collector service is not started, you will be
prompted to confirm that you want to start it. This service must be
started to create subscriptions and collect events. You must be a
member of the Administrators group to start this service.

On the Actions menu, click Create Subscription.


In the Subscription Name box, type a name for the subscription.
In the Description box, enter an optional description.
In the Destination Log box, select the log file where collected
events are to be stored. By default, collected events are stored in
the ForwardedEvents log.
Click Add and select the computers from which events are to be
collected.
Click Select Events to display the Query Filter dialog box. Use
the controls in the Query Filter dialog box to specify the criteria
that events must meet to be collected.
Click OK on the Subscription Properties dialog box. The
subscription will be added to the Subscriptions pane and, if the
operation was successful, the Status of the subscription will be
Active.
You can configure how collected events are delivered and specify the
account used to manage the process of collecting events. Event Viewer
provides three event delivery optimization options: Normal, Minimize
Bandwidth and Minimize Latency.
- Normal - This option ensures reliable delivery of events and does
not attempt to conserve bandwidth. It is the appropriate choice
unless you need tighter control over bandwidth usage or need
forwarded events delivered as quickly as possible. It uses pull
delivery mode, batches 5 items at a time and sets a batch timeout
of 15 minutes.
- Minimize Bandwidth - This option ensures that the use of
network bandwidth for event delivery is strictly controlled. It is an
appropriate choice if you want to limit the frequency of network
connections made to deliver events. It uses push delivery mode and
sets a batch timeout of 6 hours. In addition, it uses a heartbeat
interval of 6 hours.
- Minimize Latency - This option ensures that events are delivered
with minimal delay. It is an appropriate choice if you are collecting
alerts or critical events. It uses push delivery mode and sets a batch
timeout of 30 seconds.
Minimize Latency - This option ensures that events are delivered
with minimal delay. It is an appropriate choice if you are collecting
alerts or critical events. It uses push delivery mode and sets a batch
timeout of 30 seconds.
The Minimize Bandwidth and Minimize Latency options both
batch a default number of items at a time. You can determine the
value of this default by typing the following command at a
command prompt:
o winrm get winrm/config
You can change the default number of items in a batch by typing
the following command at a command prompt:
o winrm set winrm/config @{MaxBatchItems=<NumberOfItems>}
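An added example, not part of the study guide, that scripts the forwarding set-up and the collector-initiated subscription described above with wecutil instead of the Event Viewer dialog. The computer names, domain and subscription name are placeholders; the subscription XML follows Microsoft's documented subscription schema.

```powershell
# Added example: script the forwarding set-up and the subscription described above.
# All names are constructed placeholders. Run as an administrator.
$Collector = 'COLLECTOR01'                                       # placeholder collector
$Domain    = 'CONTOSO'                                           # placeholder domain
$Sources   = 'WKS-0001.contoso.local', 'WKS-0002.contoso.local'  # placeholder sources

# --- On each SOURCE computer (run there) ---
# winrm quickconfig -q
# net localgroup Administrators "$Domain\$Collector`$" /add   # collector's computer account

# --- On the COLLECTOR ---
# wecutil qc /q

function New-SubscriptionXml {
    param(
        [string]$Name,
        [string[]]$SourceHosts,
        [ValidateSet('Normal', 'MinBandwidth', 'MinLatency')]
        [string]$Mode = 'Normal'   # the three delivery optimizations described above
    )
    $sourceXml = ($SourceHosts | ForEach-Object {
        "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>" }) -join "`n"
    # The Query element carries the same XML that the Query Filter dialog builds;
    # here: Security log, logon-related events 4624 through 4634.
@"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$Name</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Logon events from workstations</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>$Mode</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID &gt;= 4624 and EventID &lt;= 4634)]]</Select>
  </Query>
</QueryList>
]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sourceXml
  </EventSources>
</Subscription>
"@
}

function Register-EventSubscription {
    param([string]$Name = 'Workstation-Logons', [string[]]$SourceHosts = $Sources)
    $file = Join-Path $env:TEMP "$Name.xml"
    New-SubscriptionXml -Name $Name -SourceHosts $SourceHosts |
        Set-Content -Path $file -Encoding UTF8
    wecutil cs $file     # create the subscription from the XML file
    wecutil gr $Name     # runtime status: each source should report Active
}

# Batch size used by the MinBandwidth/MinLatency modes. From PowerShell the
# @{...} argument must be quoted, or PowerShell parses it as a hashtable.
# winrm get winrm/config
# winrm set winrm/config '@{MaxBatchItems="20"}'

Register-EventSubscription
```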


o Custom Views - Custom views are like filters that have been named and
saved. After creating and saving a custom view, you will be able to reuse it
without re-creating its underlying filter.
The process for creating custom views is as follows:
Start Event Viewer
On the Action menu, click Create Custom View.
To filter events based upon when they occurred, select the
corresponding time period from the Logged drop-down list
NOTE: If none of the options are acceptable, choose Custom range. In the
Custom range dialog box, specify the earliest date and time from
which you want events and the latest date and time from which
you want events. Click OK.

In Event level, select the check boxes next to the event levels
that you want included in the custom view.
You can either specify the event logs or the event sources of
the events that will appear in the custom view.
To specify the event logs: Select the Event Log option
and, in the Event log drop-down list, select the check
boxes next to the event logs from which you want to
include events.
To specify the event sources: Select the Event Source
option and, in the Event source drop-down list, select
the check boxes next to the event sources that you want to include in the custom view.
In Event IDs, type the event IDs that you want your custom
view to display. Separate multiple event IDs by commas. If you
want to include a range of IDs, say 4624 through 4634
inclusive, type 4624-4634. If you want your filter to display
events with all IDs except certain ones, type the IDs of those
exceptions, preceded by a minus sign.
In Task Category, select the check boxes next to the task
categories in the drop-down list that you want included in the
custom view.
In Keywords, select the check boxes next to the keywords in
the drop-down list that you want included in the custom view.
In User, enter the name of the user accounts you want to
display. Enter multiple users by separating them with a comma
(,).
In Computer(s), enter the name of the computers that you
want your custom view to display. Enter multiple computers by
separating them with a comma (,).
Click OK.
On the Save Filter to Custom View dialog box, in Name, type
a name for the custom view.
In Description, type an optional description of the custom
view.
Select the folder in which you want to store the custom view.
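An added example, not part of the study guide: the XML query that the Create Custom View fields above produce, evaluated with Get-WinEvent so a filter can be tried before it is saved. The ID range, exclusion and time window are sample values; reading the Security log requires an elevated prompt.

```powershell
# Added example: evaluate the query behind a custom view before saving it.
# Sample values: Security log, IDs 4624-4634 except 4634, logged in the last 24 hours.
function Get-CustomViewEvents {
    param(
        [int[]]$IdRange  = @(4624, 4634),  # "4624-4634" in the Event IDs box
        [int[]]$Exclude  = @(4634),        # "-4634": drop the logoff events
        [int]$HoursBack  = 24,             # Logged: last 24 hours
        [int]$MaxEvents  = 25
    )
    # timediff() works in milliseconds relative to now.
    $ms = $HoursBack * 3600 * 1000
    $exclusions = ($Exclude | ForEach-Object { "(EventID != $_)" }) -join ' and '
    # The Event level check boxes would add e.g. (Level=2 or Level=3); Security
    # audits carry Level 0, so no level test is included for that log.
    $xpath = "*[System[(EventID >= $($IdRange[0]) and EventID <= $($IdRange[1])) and $exclusions" +
             " and TimeCreated[timediff(@SystemTime) <= $ms]]]"
    $xml = [xml]@"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">$xpath</Select>
  </Query>
</QueryList>
"@
    try {
        Get-WinEvent -FilterXml $xml -MaxEvents $MaxEvents -ErrorAction Stop |
            Select-Object TimeCreated, Id, TaskDisplayName, MachineName
    } catch {
        # Get-WinEvent raises "No events were found ..." when the filter matches nothing.
        Write-Warning $_.Exception.Message
    }
}

Get-CustomViewEvents | Format-Table -AutoSize
```

The same QueryList XML can be pasted into the XML tab of the Create Custom View dialog ("Edit query manually") to save it as a view.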
o Attach a task to an event - You can configure a task to run when an event
meeting specified criteria is logged. Using this option, an administrator can
configure event viewer to do the following when a specific event is raised:
Run a Program
Display a message (interactively on the machine where the event is
raised)
Send an email
The process for attaching a task to an event is as follows:
Start Event Viewer.
In the console tree, navigate to the log that contains the event
you want to associate with a task.
Right-click the event and select Attach Task to This Event.
Perform each step presented by the Create Basic Task
Wizard.

Task Manager
o Task Manager shows you the programs, processes, and services that are currently
running on your computer. You can use Task Manager to monitor your computer's
performance or to close a program that is not responding.
Task Manager allows you to view, monitor and manage:
- Applications that the user has started
- All running processes (executable files) on the machine
- Windows Services
- Performance information (including graphical representations of
processor utilization and memory utilization)
- Network information
- Users logged on to the system
o Task Manager contains a detailed help file. To access the Task Manager
help file, in Task Manager, click Help, and then click Task Manager Help Topics.

Performance Monitor
o You can use Windows Performance Monitor to examine how programs you run
affect your computer's performance, both in real time and by collecting log data
for later analysis. Windows Performance Monitor uses performance counters,
event trace data, and configuration information, which can be combined into Data
Collector Sets.
Performance counters are measurements of system state or activity. They
can be included in the operating system or can be part of individual
applications. Windows Performance Monitor requests the current value of
performance counters at specified time intervals.
Event trace data is collected from trace providers, which are components
of the operating system or of individual applications that report actions or
events. Output from multiple trace providers can be combined into a trace
session.
Configuration information is collected from key values in the Windows
registry. Windows Performance Monitor can record the value of a registry
key at a specified time or interval as part of a log file.
o Real-time data can be collected with Performance Monitor. In order to do this,
the logged-on user must be a member of the Performance Log Users group, or
equivalent.
o One particularly helpful capability of Performance Monitor is to establish a
baseline for system performance (a representation of system performance over
time). When creating a baseline, the four primary physical subsystems of a
computer should be monitored; these include:
- CPU
- Memory
- Disk
- Network
o Windows Performance Monitor combines the functionality of previous standalone tools including Performance Logs and Alerts (PLA), Server Performance
Advisor (SPA), and System Monitor. It provides a graphical interface for the
customization of Data Collector Sets and Event Trace Sessions.
o Data Collector sets are particularly helpful in creating a baseline of performance.
Data Collector sets organize multiple data collection points into a single
component that can be used to review or log performance. A Data Collector Set
can be created and then recorded individually, grouped with other Data Collector
Set and incorporated into logs, viewed in Performance Monitor, configured to
generate alerts when thresholds are reached, or used by other non-Microsoft
applications. It can be associated with rules of scheduling for data collection at
specific times.

Power Management
o The power management technologies in Windows 7 provide platform and
processor efficiencies that reduce power consumption and can help lower energy
costs. Features of the Windows 7 Power Management tools include:
Reduced Power Consumption
Enhanced end-user experience
Better management tools
o Windows 7 includes a command line tool, Powercfg.exe, that you can use to
configure power management settings. Windows 7 introduces a new switch,
-energy, to provide a comprehensive report of those settings.
o Powercfg.exe also offers diagnostics that can indicate which applications or
devices might be causing power management issues (such as a USB driver not
entering suspend) and what power management settings you can configure
differently for better results. At an elevated command prompt, simply enter:
powercfg -energy -output <path\filename>
o The tool will observe your computer for 60 seconds, and then create an HTML
report (ENERGY-REPORT.HTML by default) at the path you specified. Simply
double-click on this file to see what's going on.

Optimizing Virtual Memory


o When your computer's physically installed random-access memory (RAM) is
running low, Windows adds available memory by using a paging file, generally
known as virtual memory, on the hard disk to simulate physical RAM.
o You can manually change the size of the paging file to make it larger or smaller.
You can also optimize virtual memory use by dividing the file space between
multiple drives and by removing allocated space from slow or heavily accessed
drives.
o In order to optimize the placement of the page file, use the following guidelines:
- Try to avoid having a paging file on the same drive as the system files,
usually drive C.
- Avoid putting a paging file on a fault-tolerant drive such as a mirrored
volume or a RAID-5 volume.
- Do not put multiple paging files on different partitions on the same
physical disk drive.

ReadyBoost
o ReadyBoost is a feature that was introduced in Windows Vista, allowing a
flash memory device (such as a USB flash drive or SD card) to act as a
memory cache.
o Windows 7 includes several important feature improvements for ReadyBoost
over Windows Vista:
- Maximum cache size has been increased from 4GB to 32GB. Note
that to utilize a memory cache of greater than 4GB, the flash drive
needs to be formatted with either an exFAT or NTFS file system.
- Support for up to 8 ReadyBoost devices simultaneously on the PC.
Windows Vista only supported a single ReadyBoost device per PC.
- The ReadyBoost cache can be used during boot to improve startup
performance.


Identify and resolve hardware failure issues.


The tools used for troubleshooting hardware failure issues will sometimes be the same tools that
were used to troubleshoot performance issues. These common tools are such things as the
Windows Event Viewer and the Performance Monitor tools.
Windows 7 includes several tools specifically designed to assist in the diagnosis of hardware
issues. Tools well-suited for hardware troubleshooting include:
• Alternate Boot Modes such as Safe Mode
• Device Manager
• Hardware Compatibility List (HCL)
• Memory Diagnostic Tools
Device Manager
• Device Manager provides an interface for viewing the configuration of hardware
devices, and the wizards help you install and configure the correct driver for a device.
• In Device Manager, hardware wizards simplify the process of obtaining the correct
device driver for a particular device.
• Administrators can access Device Manager through Control Panel\System and
Maintenance\System.
• Device Manager can work in conjunction with hardware wizards and the Windows
Update Web site to deliver updated drivers for installed hardware.

Driver Verifier
• You can use the Driver Verifier tool to troubleshoot driver issues.
• You can run Driver Verifier from the command prompt by using verifier.exe.
• See http://support.microsoft.com/kb/244617 for a complete description of this tool.
Memory Diagnostics
• If Windows detects possible problems with your computer's memory, it will prompt
you to run the Memory Diagnostics Tool.
• You can adjust the following settings:
o Test mix - choose what type of test you want to run: Basic, Standard, or
Extended. The choices are described in the tool.
o Cache - choose the cache setting you want for each test: Default, On, or Off.
o Pass count - type the number of times you want to repeat the test.

Startup Repair Tool
• The Windows Recovery Environment (Windows RE) is an extensible recovery
platform based on Windows Preinstallation Environment (Windows PE).
• When a computer fails to start, Windows automatically fails over into this
environment, and the Startup Repair tool in Windows RE automates the diagnosis and
repair of an unbootable Windows 7 installation.
• Startup Repair will try to repair computers that are unbootable because of the
following reasons:
o Registry corruption
o Missing or damaged system and driver files
o Disk metadata corruption (MBR, partition table, and boot sector)
o File system metadata corruption
o Installation of problematic or incompatible drivers
o Installation of incompatible Windows service packs and patches
o Corrupt boot configuration data
o Bad memory and hard disk hardware (detection only)
• Startup Repair will not repair unbootable systems caused by the following issues:
o Malfunctioning firmware and other hardware components
o Problems with clean Windows installations or Windows upgrades (for
example, from Windows XP to Windows Vista)
o Windows logon errors
o Viruses and malicious software
• After Startup Repair has run, a text log with diagnostic information and repair results
is generated. This log file is located at
%WINDIR%\System32\LogFiles\Srt\SrtTrail.txt.

Chapter 4 Supporting Mobile Users.
Identify and resolve Wireless Connectivity Issues.

If Windows ever notifies you about a weak signal, it probably means your
connection isn't as fast or as reliable as it could be. Worse, you might lose your
connection entirely in some parts of your home. If you're looking to improve the
signal for your wireless network, try some of these tips for extending your wireless
range and improving your wireless network performance.
1. Position your wireless router (or wireless access point) in a central location
When possible, place your wireless router in a central location in your home. If your
wireless router is against an outside wall of your home, the signal will be weak on
the other side of your home. Don't worry if you can't move your wireless router,
because there are many other ways to improve your connection.

2. Replace your router's antenna


The antennas supplied with your router are designed to be omni-directional, meaning
they broadcast in all directions around the router. If your router is near an outside
wall, half of the wireless signals will be sent outside your home, and much of your
router's power will be wasted. Most routers don't allow you to increase the power
output, but you can make better use of the power. Upgrade to a hi-gain antenna that
focuses the wireless signals only one direction. You can aim the signal in the
direction you need it most.

3. Replace your computer's wireless network adapter
Although Windows provides built-in support for 802.11 wireless LAN networking, the wireless
components of Windows are dependent upon the following:
The capabilities of the wireless network adapter
The capabilities of the wireless network adapter driver
Wireless network signals must be sent both to and from your computer. Sometimes, your router
can broadcast strongly enough to reach your computer, but your computer can't send signals back
to your router. To improve this, replace your laptop's PC card-based wireless network adapter
with a USB network adapter that uses an external antenna. In particular, consider the Hawking
Hi-Gain Wireless USB network adapter, which adds an external, hi-gain antenna to your
computer and can significantly improve your range.
Laptops with built-in wireless typically have excellent antennas and don't need to have their
network adapters upgraded.
4. Update your firmware or your network adapter driver
Router manufacturers regularly make free improvements to their routers. Sometimes, these
improvements increase performance. To get the latest firmware updates for your router, visit
your router manufacturer's Web site.
Similarly, network adapter vendors occasionally update the software that Windows uses to
communicate with your network adapter, known as the driver. These updates typically improve
performance and reliability. To get the driver updates, do the following:

Click Start menu, click All Programs, and then click Windows Update.
In the left pane, click Check for updates, and then wait while Windows Vista looks for
the latest updates for your computer.
Install any updates relating to your wireless network adapter

5. Change your wireless channel

Wireless routers can broadcast on several different channels, similar to the way radio stations use
different channels. In the United States and Canada, these channels are 1, 6, and 11. Just like
you'll sometimes hear interference on one radio station while another is perfectly clear,
sometimes one wireless channel is clearer than others. Try changing your wireless router's
channel through your router's configuration page to see if your signal strength improves. You
don't need to change your computer's configuration, because it'll automatically detect the new
channel.

6. Upgrade 802.11b devices to 802.11g


802.11b is the most common type of wireless network, but 802.11g is about five times faster.
802.11g is backward-compatible with 802.11b, so you can still use any 802.11b equipment that
you have. If you're using 802.11b and you're unhappy with the performance, consider replacing
your router and network adapters with 802.11g-compatible equipment. If you're buying new
equipment, definitely choose 802.11g.
Encryption and decryption require the use of some secret information, referred to as a key. There
are two types of encryption: secret key and public key. In secret-key encryption, also referred to
as symmetric encryption, the same key is used for both encryption and decryption. In public-key encryption, also referred to as asymmetric encryption, each user has a public key and a private
key. Encryption is performed with the public key while decryption is done with the private key.
A secret key is, in essence, a sequence of numbers each of which has value from 0 to 255 (such
numbers are called bytes). The required length of secret key is determined by the algorithm
which is used for encryption. The required length of key for algorithms used in this program
varies from 16 bytes (IDEA algorithm) to 255 bytes (RC-6 algorithm). If you do not know the
correct key, you will not be able to access the data.
WEP stands for Wired Equivalent Privacy. This encryption standard was the original encryption
standard for wireless. As its name implies, this standard was intended to make wireless networks
as secure as wired networks. Unfortunately, this never happened as flaws were quickly
discovered and exploited. WEP encryption is better than nothing when it comes to protecting
your wireless network, but other standards are preferred.
Wi-Fi Protected Access (WPA) is a software/firmware improvement over WEP. All regular
WLAN equipment that worked with WEP can simply be upgraded, so no new equipment
needs to be bought. WPA is a trimmed-down version of the 802.11i security standard that was
developed by the Wi-Fi Alliance to replace WEP. WPA Enterprise provides RADIUS-based
authentication using 802.1X. WPA Personal uses a Pre-Shared Key (PSK) to establish the
security using an 8 to 63 character passphrase. The PSK may also be entered as a 64 character
hexadecimal string.
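As an added example (not code from the study guide), the following PowerShell script derives the WPA/WPA2 Personal PSK from a passphrase and SSID the way 802.11i specifies it (PBKDF2 with HMAC-SHA1, 4096 iterations, 256-bit output), enforces the 8 to 63 character passphrase rule, and accepts the 64-character hexadecimal form directly. The PBKDF2 loop is written out because .NET's Rfc2898DeriveBytes rejects salts shorter than 8 bytes, which a short SSID would trigger. It assumes Windows PowerShell 2.0 or later; the self-test uses the 802.11i Annex H vector (passphrase "password", SSID "IEEE").

```powershell
# Added example: WPA/WPA2-PSK derivation (PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes).
# Assumes Windows PowerShell 2.0+; not part of the study guide.

function Invoke-Pbkdf2Sha1 {
    param([byte[]]$Password, [byte[]]$Salt, [int]$Iterations, [int]$Length)
    $hmac  = New-Object System.Security.Cryptography.HMACSHA1 -ArgumentList (,$Password)
    $out   = New-Object byte[] $Length
    $pos   = 0
    $block = 1
    while ($pos -lt $Length) {
        # U1 = HMAC(P, S || INT_32_BE(block)); T = U1 xor U2 xor ... xor Uc
        $seed = New-Object byte[] ($Salt.Length + 4)
        [Array]::Copy($Salt, $seed, $Salt.Length)
        $seed[$Salt.Length]     = [byte](($block -shr 24) -band 0xFF)
        $seed[$Salt.Length + 1] = [byte](($block -shr 16) -band 0xFF)
        $seed[$Salt.Length + 2] = [byte](($block -shr 8)  -band 0xFF)
        $seed[$Salt.Length + 3] = [byte]($block -band 0xFF)
        $u = $hmac.ComputeHash($seed)
        $t = [byte[]]$u.Clone()
        for ($i = 1; $i -lt $Iterations; $i++) {
            $u = $hmac.ComputeHash($u)
            for ($j = 0; $j -lt $t.Length; $j++) { $t[$j] = $t[$j] -bxor $u[$j] }
        }
        $take = [Math]::Min($t.Length, $Length - $pos)
        [Array]::Copy($t, 0, $out, $pos, $take)
        $pos += $take
        $block++
    }
    $hmac.Clear()
    return ,$out
}

function Get-WpaPsk {
    param(
        [Parameter(Mandatory = $true)][string]$Ssid,
        [Parameter(Mandatory = $true)][string]$Secret   # passphrase, or the PSK as 64 hex chars
    )
    # A 64-character hex string is already the raw 256-bit PSK: validate and pass it through.
    if ($Secret -match '^[0-9A-Fa-f]{64}$') { return $Secret.ToLower() }

    # Otherwise it must be a passphrase of 8 to 63 printable ASCII characters.
    if ($Secret.Length -lt 8 -or $Secret.Length -gt 63) {
        throw "Passphrase must be 8-63 characters (got $($Secret.Length))."
    }
    if ($Secret -notmatch '^[\x20-\x7E]+$') {
        throw 'Passphrase must contain only printable ASCII characters.'
    }
    $passBytes = [System.Text.Encoding]::ASCII.GetBytes($Secret)
    $saltBytes = [System.Text.Encoding]::ASCII.GetBytes($Ssid)   # the SSID is the PBKDF2 salt
    $psk = Invoke-Pbkdf2Sha1 -Password $passBytes -Salt $saltBytes -Iterations 4096 -Length 32
    return ([System.BitConverter]::ToString($psk) -replace '-', '').ToLower()
}

# Self-test with the IEEE 802.11i Annex H vector: "password" / "IEEE".
$expected = 'f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e'
$derived  = Get-WpaPsk -Ssid 'IEEE' -Secret 'password'
if ($derived -ne $expected) { throw "PBKDF2 self-test failed: $derived" }
"PSK for SSID 'IEEE' from passphrase: $derived"

# Entering the same value as 64 hex characters is equivalent to the passphrase.
"PSK entered as hex:                  $(Get-WpaPsk -Ssid 'IEEE' -Secret $expected)"
```

Because the SSID is the salt, the same passphrase yields a different PSK on every network name; that is why a captured PSK for one SSID is of no use on another, and why changing the SSID forces every client to re-derive the key.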
WPA also builds on the IEEE 802.1X standard, which had already improved authentication and
authorization for access to wireless and wired LANs. In addition, extra measures such as
the Extensible Authentication Protocol (EAP) have added further security, because EAP uses
a central authentication server. Unfortunately, users discovered some shortcomings. Over the
next few years these shortcomings were addressed with the use of TLS and other enhancements.
This new version of EAP is now called Extended EAP and is available in several versions.
Lightweight Extensible Authentication Protocol (LEAP) is based on 802.1X and helps minimize
the original security flaws by using WEP and a sophisticated key management system. This
EAP-version is safer than EAP-MD5. This also uses MAC address authentication.

WPA2 is a WiFi Alliance branded version of the final 802.11i standard. The primary
enhancement over WPA is the inclusion of the AES-CCMP algorithm as a mandatory feature.
Both WPA and WPA2 support EAP authentication methods using RADIUS servers and
preshared key (PSK).
With an increasing number of mobile devices with 802.1x interfaces, security of these mobile
devices becomes a concern. While open standards such as Kismet are targeted towards securing
laptops, access point solutions should extend towards covering mobile devices as well. Security
methodologies within mobile devices fall under the following three categories:
1. Protecting against ad-hoc networks
2. Connecting to rogue access points
3. Mutual authentication schemes such as WPA2.

Identify and resolve remote access issues.


Remote Desktop Protocol
Troubleshooting Remote Desktop Protocol (RDP) connection issues typically falls into one of
three areas:
Diagnosing connectivity issues. Connectivity problems can be diagnosed using the
following tools:
o IPConfig (/all /release /renew /flushdns)
o NSLookup checking name resolution problems
o PING
o PathPing
o Tracert
o Windows Firewall configuration
Diagnosing permission issues. Determining if the user attempting to make an RDP
connection is allowed to connect.
o Permission to connect to a machine via RDP is defined in the System Properties

Diagnosing configuration issues. Ensure that the RDP connection capability is enabled
via the System Properties
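The three troubleshooting areas above, as an added PowerShell checklist script (not code from the study guide): the first function runs on the client that cannot connect and covers name resolution, ICMP and a TCP connect to the RDP port; the second runs elevated on the target machine and reads the System Properties setting, the listener configuration, the Windows Firewall rule and the Remote Desktop Users membership. It assumes Windows PowerShell 2.0 or later on Windows 7; the host name WS-TARGET and the user CONTOSO\jdoe are placeholders.

```powershell
# Added example: RDP troubleshooting helpers (connectivity, configuration, permissions).
# Assumes Windows PowerShell 2.0+ on Windows 7; names are placeholders. Not from the guide.

# --- Connectivity: run on the CLIENT that cannot connect ---
function Test-RdpConnectivity {
    param([string]$TargetHost = 'WS-TARGET', [int]$Port = 3389)
    $report = @{}
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($TargetHost) | ForEach-Object { $_.IPAddressToString }
        $report.Resolved = $addrs -join ', '
    } catch {
        $report.Resolved = "FAILED: $($_.Exception.Message) (try ipconfig /flushdns, nslookup $TargetHost)"
    }
    # ICMP can be filtered even when RDP works, so treat it only as a hint.
    $report.IcmpReachable = [bool](Test-Connection -ComputerName $TargetHost -Count 2 -Quiet -ErrorAction SilentlyContinue)
    # A TCP connect to the RDP port is the decisive test: a timeout points at routing or a
    # firewall, an immediate refusal at a listener that is disabled or on another port.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $tcp.BeginConnect($TargetHost, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne(3000, $false)) {
            $tcp.EndConnect($ar)
            $report.RdpPort = "open (TCP $Port)"
        } else {
            $report.RdpPort = "timeout (TCP $Port)"
        }
    } catch {
        $report.RdpPort = "refused: $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }
    New-Object PSObject -Property $report
}

# --- Configuration and permissions: run ELEVATED on the TARGET machine ---
function Test-RdpTargetConfig {
    param([string]$User = 'CONTOSO\jdoe')
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    # fDenyTSConnections = 1 is the "Don't allow connections" option in System Properties.
    $enabled = ($ts.fDenyTSConnections -eq 0)
    # UserAuthentication = 1 means only clients with Network Level Authentication may connect.
    $nla = ($rdp.UserAuthentication -eq 1)
    # The inbound firewall rule must be enabled for the active profile.
    $rule = netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
    $fwOk = [bool]($rule | Select-String -Pattern 'Enabled:\s+Yes' -Quiet)
    # Administrators may always connect; everyone else must be in Remote Desktop Users.
    # (Membership through a nested domain group is not resolved by 'net localgroup'.)
    $skip = '^(Alias name|Comment|Members|The command|-{5,})'
    $rdu  = @(net localgroup "Remote Desktop Users" | Where-Object { $_ -and $_ -notmatch $skip })
    $adm  = @(net localgroup Administrators        | Where-Object { $_ -and $_ -notmatch $skip })
    New-Object PSObject -Property @{
        RemoteDesktopEnabled = $enabled
        NlaRequired          = $nla
        ListeningPort        = $rdp.PortNumber
        FirewallRuleEnabled  = $fwOk
        UserMayConnect       = (($rdu + $adm) -contains $User)
        RemoteDesktopUsers   = ($rdu -join ', ')
    }
}

Test-RdpConnectivity -TargetHost 'WS-TARGET' | Format-List
Test-RdpTargetConfig -User 'CONTOSO\jdoe'    | Format-List
```

Read the two reports together: name resolution failing means DNS before anything else; the port open but UserMayConnect false is a permission problem; the port refused with RemoteDesktopEnabled false is the System Properties configuration issue.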

VPN
Windows 7 introduces VPN Reconnect technology to the existing support for VPN
connections from Windows XP and Windows Vista.
o VPN Reconnect uses IKEv2 technology to provide seamless and consistent VPN
connectivity, automatically re-establishing a VPN when users temporarily lose
their Internet connections.
o VPN Reconnect refers to the support in Routing and Remote Access service
(RRAS) for a new tunneling protocol, IPsec Tunnel Mode with Internet Key
Exchange version 2 (IKEv2)
o When using other VPN protocols, and the network connection is interrupted for
any reason, the user typically loses the VPN tunnel completely and must manually
reestablish the VPN tunnel. VPN Reconnect allows the underlying network
connection to be interrupted for a configurable amount of time, without losing the
tunnel. As soon as network connectivity is reestablished, even through a different
network interface, the tunnel is automatically restored with no interaction required
from the user.
NOTE: If your laptop hibernates when you close the lid, then the
connection is lost and you will have to manually reinitiate the
connection.

o When configuring a VPN connection, care must be taken to specify the correct
parameters for such items as:
IP address or FQDN to connect to

Use of a Smart Card for authentication
User credentials and domain name
Advanced properties such as:
Use of a pre-shared key for authentication
Use of a certificate for authentication
VPN Type
Authentication protocols (PAP, CHAP, MS CHAPv2)
Network settings including how to obtain an IP Address for the
connection

Direct Access
Direct Access enables remote users to access the corporate network anytime they have an
Internet connection, without the extra step of initiating a virtual private networking
(VPN) connection.
Direct Access requirements include:
o One or more Direct Access servers running Windows Server 2008 R2 (with or
without UAG) with two network adapters: one that is connected directly to the
Internet and one that is connected to the intranet. Direct Access servers must be a
member of an AD DS domain.
o On the Direct Access server, at least two consecutive, public IPv4 addresses
assigned to the network adapter that is connected to the Internet.
o Direct Access client computers that are running Windows 7 Enterprise or
Windows 7 Ultimate. Direct Access clients must be members of an AD DS
domain.
o At least one domain controller and DNS server that is running
Windows Server 2008 SP2 or Windows Server 2008 R2. When UAG is used,
Direct Access can be deployed in some scenarios with DNS servers and domain
controllers that are running Windows Server 2003 R2.
o A public key infrastructure (PKI) to issue computer certificates, and optionally,
smart card certificates for smart card authentication and health certificates for
NAP.
o Without UAG, an optional NAT64 device to provide access to IPv4-only
resources for Direct Access clients. Direct Access with UAG provides a built-in
NAT64.
Troubleshooting a Direct Access connection involves the following steps:
o Determining if the remote user can access Internet resources
o Running the Network Troubleshooter by right-clicking the network icon in the
notification area of the desktop, and then clicking Troubleshoot problems
o Testing name resolution by using ping to a highly available intranet server by its
name.
o From a Windows command prompt, run netsh dns show status. The Machine
Location field indicates the location of the computer (inside corporate network or
outside corporate network). The Direct Access Settings field indicates whether
the Direct Access NRPT rules have been configured and whether they are enabled
or disabled.

o Perform computer certificate troubleshooting, including ensuring that an appropriate
computer certificate exists in the Direct Access client's computer certificate store
o To correctly determine that it is located on the intranet, a Direct Access client
must be able to successfully connect to the HTTPS-based URL of the network
location server and verify the server certificate offered by the network location
server. Certificate verification includes validating the SSL certificate and
verifying that it has not been revoked. The certificate offered by the network
location server must have a certificate revocation list (CRL) distribution point that
is accessible by the Direct Access client and with an FQDN that is resolvable by
using the DNS servers configured in the client's TCP/IP settings (intranet DNS
servers)
o To successfully create an IP-HTTPS-based connection, a Direct Access client
must be able to successfully connect to the HTTPS-based URL of the IP-HTTPS
server (typically the Direct Access server) and verify the server certificate offered
by the IP-HTTPS server. Certificate verification includes validating the SSL
certificate and verifying that it has not been revoked. The certificate offered by
the IP-HTTPS server must have a certificate revocation list (CRL) distribution
point that is accessible by the Direct Access client through the DNS servers
configured in the client's TCP/IP settings (Internet DNS servers)
o To use IP-HTTPS diagnostics to troubleshoot IP-HTTPS connectivity problems,
you must configure the appropriate firewall rules to allow the IP-HTTPS server to
respond to Echo Request messages
NOTE: When troubleshooting Direct Access issues, do not use the
Nslookup.exe tool without the s parameter that specifies the IPv6
address of an intranet DNS server.
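The client-side Direct Access checks listed above, automated as an added PowerShell script (not code from the study guide): it parses the two fields of netsh dns show status that the guide names, tests intranet name resolution, lists computer certificates that carry the Client Authentication EKU, and then does what the client itself does against the network location server: an HTTPS request followed by a chain build with an online revocation check, printing the CRL distribution points so their FQDNs can be checked against the intranet DNS servers. It assumes Windows PowerShell 2.0 or later run elevated on a Windows 7 Enterprise client; app1.corp.example.com and the NLS URL are placeholders.

```powershell
# Added example: client-side Direct Access checks (NRPT status, intranet name resolution,
# computer certificate, network location server HTTPS + CRL check). Assumes Windows
# PowerShell 2.0+ run elevated on Windows 7; host names are placeholders. Not from the guide.
param(
    [string]$IntranetHost = 'app1.corp.example.com',
    [string]$NlsUrl       = 'https://nls.corp.example.com/'
)

function Get-DirectAccessStatus {
    # Parse the two fields the guide names out of 'netsh dns show status'.
    $result = @{ MachineLocation = 'unknown'; DirectAccessSettings = 'unknown' }
    foreach ($line in (netsh dns show status)) {
        if ($line -match '^\s*Machine Location\s*:\s*(.+)$')       { $result.MachineLocation      = $Matches[1].Trim() }
        if ($line -match '^\s*Direct Access Settings\s*:\s*(.+)$') { $result.DirectAccessSettings = $Matches[1].Trim() }
    }
    New-Object PSObject -Property $result
}

function Test-IntranetName {
    param([string]$Name)
    try   { ([System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }) -join ', ' }
    catch { "FAILED: $($_.Exception.Message)" }
}

function Get-ClientAuthComputerCerts {
    # Direct Access needs a computer certificate with a private key and the
    # Client Authentication EKU (1.3.6.1.5.5.7.3.2) in the machine's Personal store.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $eku -and
        ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
    } | Select-Object Subject, Issuer, NotAfter, Thumbprint
}

function Test-NetworkLocationServer {
    param([string]$Url)
    # The client decides it is "inside" only if this HTTPS URL answers AND the server
    # certificate chains to a trusted CA with a reachable CRL, so test both, not just reachability.
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Timeout = 5000
    $http = 'no response'
    try   { $resp = $req.GetResponse(); $http = "HTTP $([int]$resp.StatusCode)"; $resp.Close() }
    catch { $http = "request failed: $($_.Exception.Message)" }
    $cert = $req.ServicePoint.Certificate
    if (-not $cert) {
        return New-Object PSObject -Property @{ Url = $Url; Http = $http; Chain = 'no certificate received' }
    }
    $x509  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cert
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'        # actually fetch the CRL from the CDP
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    if ($chain.Build($x509)) { $status = 'valid (revocation checked)' }
    else { $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }
    $cdp = $x509.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
    if ($cdp) { $cdpText = $cdp.Format($true) } else { $cdpText = 'none' }
    New-Object PSObject -Property @{
        Url = $Url; Http = $http; Subject = $x509.Subject; Expires = $x509.NotAfter
        Chain = $status; CrlDistributionPoints = $cdpText
    }
}

Get-DirectAccessStatus | Format-List
"Intranet name test: $IntranetHost -> $(Test-IntranetName $IntranetHost)"
Get-ClientAuthComputerCerts | Format-Table -AutoSize
Test-NetworkLocationServer -Url $NlsUrl | Format-List
```

A chain status of RevocationStatusUnknown or OfflineRevocation with an otherwise valid certificate is the classic symptom of the CRL distribution point not being resolvable or reachable from where the client currently is, which is exactly the case the two certificate bullets above describe.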

The Direct Access server also requires significant configuration. Typically,
verification of this configuration is outside the scope of the desktop support engineer.
Steps detailing the configuration of the Direct Access server can be found here: http://technet.microsoft.com/en-us/library/dd637813%28WS.10%29.aspx

Connection Manager Administration Kit (CMAK)


Connection Manager in Windows is connection management software that simplifies
and enhances the management of remote connections.
Connection Manager uses profiles made of connection settings that allow connections
from the local computer to a remote network.
You can use the Connection Manager Administration Kit (CMAK) to create profiles
for Connection Manager and distribute them to your users. The profile contains all of
the settings required for the user to connect. The user does not have to know the
phone number of a dial-up server, or the IP address of a VPN server.

Chapter 5 Identifying Causes of and Resolving Security Issues.


Identify and resolve Windows Internet Explorer security issues


Internet Explorer troubleshooting involves several steps and areas:
Determining if the failure is due to connectivity issues
Determining if the failure is due to configuration issues within Internet
Explorer
Determining if the failure is due to web server issues that the IE client is
connecting to
Internet Explorer 8 contains several significant security features that enhance the
security of Internet Explorer, the Windows operating system as well as the privacy of
the user.
Internet Explorer Security Zones
Internet Explorer includes five predefined zones: Internet, Local Intranet,
Trusted Sites, Restricted Sites, and My Computer
Configuration of the security settings for each one of these zones will affect
the functionality of Internet Explorer
o Internet Zone - The level of security set for the Internet zone is
applied to all websites by default. The security level for this zone is
set to Medium High (but you can change it to either Medium or
High). The only websites for which this security setting is not used are
those in the Local intranet zone or sites that you specifically entered
into the Trusted or Restricted site zones.
o Local Intranet Zone - The level of security set for the Local intranet
zone is applied to websites and content that is stored on a corporate or
business network. The security level for the Local intranet zone is set
to Medium (but you can change it to any level)
o Trusted sites - The level of security set for Trusted sites is applied to
sites that you have specifically indicated to be ones that you trust not
to damage your computer or information. The security level for
Trusted sites is set to Medium (but you can change it to any level).
o Restricted sites - The level of security set for Restricted sites is
applied to sites that might potentially damage your computer or your
information. Adding sites to the Restricted zone does not block them,
but it prevents them from using scripting or any active content. The
security level for Restricted sites is set to High and can't be changed.

Protected Mode
Internet Explorer's protected mode is a feature that makes it more difficult for
malicious software to be installed on your computer
In addition to helping protect your computer from malicious software, protected mode
allows you to install wanted ActiveX controls or add-ons when you are logged in as
an administrator
When IE runs in protected mode, it ties the IE process into the User Account Control
(UAC) process
Protected mode is turned on by default in the Internet, intranet, and Restricted sites
zones and an icon appears on the status bar to let you know that it's running.

InPrivate Browsing and InPrivate Filtering


InPrivate Browsing allows you to browse the web without recording a history in the
browser.
o When you start InPrivate Browsing, Internet Explorer opens a new browser
window. The protection that InPrivate Browsing provides is only in effect during
the time that you use that window
o InPrivate Browsing changes the behavior of the following items:
Cookies - Kept in memory so pages work correctly, but cleared when you
close the browser.
Temporary Internet Files - Stored on disk so pages work correctly, but
deleted when you close the browser.
Webpage history not stored
Form data and passwords not stored

Anti-phishing cache - Temporary information is encrypted and stored so
pages work correctly.
Address bar and search AutoComplete not stored
Automatic Crash Restore (ACR) - ACR can restore when a tab crashes in
a session, but if the whole window crashes, data is deleted and the window
cannot be restored.
Document Object Model (DOM) storage - The DOM storage is a kind of
"super cookie" web developers can use to retain information. Like regular
cookies, they are not kept after the window is closed
InPrivate doesn't clear any history or information about toolbars or
browser extensions that is stored on your computer

InPrivate Filtering helps prevent website content providers from collecting information
about sites you visit.
o InPrivate Filtering works by analyzing web content on the web pages you visit,
and if it sees the same content being used on a number of websites, it will give
you the option to allow or block that content.

o By default, InPrivate Filtering analyzes the websites you visit and the content
providers they use, but does not automatically block them. You can choose to
allow or block any content provider that InPrivate Filtering identifies as receiving
information about your browsing.
SmartScreen Filter
SmartScreen Filter is a feature in Internet Explorer 8 that helps you avoid socially
engineered malware, phishing Web sites and online fraud when you browse the Web
o Checks Web sites against a dynamically updated list of reported phishing sites
o Checks software downloads against a dynamically updated list of reported
malicious software sites
o Helps prevent you from visiting phishing Web sites and other Web sites that
contain malware that can lead to identity theft

Compatibility Views
Internet sites that were written specifically for previous versions of Internet Explorer may
not display correctly in Internet Explorer 8
When a site does not display correctly, click the Compatibility View toolbar button to
display the website as viewed in Internet Explorer 7, which will correct display problems
like misaligned text, images, or text boxes
This option is on a per site basis and all other sites will continue to display with Internet
Explorer 8 functionality. When you click on the Compatibility View button for a site, you
don't need to do it again, as the next time you visit that site the browser will show it in
compatibility mode
You can maintain a list within Internet Explorer 8 for sites that should be displayed in
Compatibility View. From the Command Bar, select Tools, and then select
Compatibility View Settings to add and remove sites from this list. There are also
options for viewing all websites and intranet sites in Compatibility View.

Run IE with no add-ins


Running Internet Explorer 8 without add-ons can assist in isolating issues that may have
been caused by an installed add-on
One way to open IE without add-ons is to navigate to start menu-> All Programs->
Accessories-> System Tools-> Internet Explorer (no Add-ons). This opens up IE without
ActiveX controls and browser extensions
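The Security Zones, Protected Mode and no-add-ons material above, as one added PowerShell script (not code from the study guide) a support technician can run on a Windows 7 client: it reads each zone's CurrentLevel and the Protected Mode value (2500) from both the per-user and the machine hive, lists every site that has been placed in a zone either by the user (ZoneMap\Domains) or by the Site to Zone Assignment List policy (ZoneMapKey), and optionally starts IE with add-ons disabled, which is what the "Internet Explorer (No Add-ons)" shortcut does with the -extoff switch. It assumes Windows PowerShell 2.0 or later; the registry value names and level constants are the ones IE uses for its Zones key.

```powershell
# Added example: inspect IE8 zone levels, Protected Mode and site-to-zone mappings on a
# Windows 7 client, and optionally launch IE with add-ons disabled. Assumes Windows
# PowerShell 2.0+; not part of the study guide.
param([switch]$LaunchNoAddons)

$zoneNames  = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
# CurrentLevel values IE writes for the preset levels; anything else means "Custom".
$levelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-Low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-High'; 0x12000 = 'High' }
$zonesKey   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-IeZoneSettings {
    # HKCU holds the user's settings; HKLM applies to all users when the value
    # Security_HKLM_only is set under HKLM\...\Internet Settings.
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($z in 0..4) {
            $p = Get-ItemProperty -Path "${hive}:\$zonesKey\$z" -ErrorAction SilentlyContinue
            if (-not $p) { continue }
            $lvl = $p.CurrentLevel
            if ($lvl -eq $null) { $level = 'not set' }
            elseif ($levelNames.ContainsKey([int]$lvl)) { $level = $levelNames[[int]$lvl] }
            else { $level = 'Custom (0x{0:X})' -f $lvl }
            # Value 2500 = "Turn on Protected Mode": 0 = enabled, 3 = disabled.
            $pm = switch ($p.'2500') { 0 { 'On' } 3 { 'Off' } default { 'not set' } }
            New-Object PSObject -Property @{ Hive = $hive; Zone = $zoneNames[$z]; Level = $level; ProtectedMode = $pm }
        }
    }
}

function Get-IeSiteZoneMappings {
    $out = @()
    foreach ($hive in 'HKCU', 'HKLM') {
        # User-entered sites: key path Domains\example.com\www holds values named by
        # scheme ('http', 'https' or '*') whose data is the zone number.
        $domains = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
        if (Test-Path $domains) {
            foreach ($key in (Get-ChildItem $domains -Recurse)) {
                $parts = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9) -split '\\'
                [Array]::Reverse($parts)
                $hostName = $parts -join '.'
                foreach ($scheme in $key.GetValueNames()) {
                    $out += New-Object PSObject -Property @{
                        Hive = $hive; Site = "${scheme}://$hostName"; Zone = $zoneNames[[int]$key.GetValue($scheme)]
                    }
                }
            }
        }
        # Group Policy "Site to Zone Assignment List": value name = URL, data = zone number.
        $policy = "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        if (Test-Path $policy) {
            $pk = Get-Item $policy
            foreach ($url in $pk.GetValueNames()) {
                $out += New-Object PSObject -Property @{
                    Hive = "$hive (policy)"; Site = $url; Zone = $zoneNames[[int]$pk.GetValue($url)]
                }
            }
        }
    }
    $out
}

Get-IeZoneSettings     | Format-Table Hive, Zone, Level, ProtectedMode -AutoSize
Get-IeSiteZoneMappings | Format-Table Hive, Site, Zone -AutoSize

if ($LaunchNoAddons) {
    # Same effect as Start > All Programs > Accessories > System Tools > Internet Explorer (No Add-ons).
    Start-Process "$env:ProgramFiles\Internet Explorer\iexplore.exe" -ArgumentList '-extoff'
}
```

Two things to look for in the output: a Restricted Sites level that is not High (the page says it cannot be changed through the UI, so anything else was set directly in the registry), and Trusted Sites entries the user does not recognise, since a site in that zone runs with Medium settings and Protected Mode off.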

Identify and resolve issues due to malicious software.


Defining malicious software
Malware is any software written with malicious intent. Often the software is installed
without the user's consent. It is often helpful to understand the different variants or types
of malware when attempting to troubleshoot issues.
o Viruses - malicious software that typically needs some form of user interaction (such as
executing a file) to trigger the virus
o Rootkits - a type of malware that allows an attacker undetected or hidden
administrative access to a compromised system
o Bots - a compromised system becomes a slave or zombie machine
A botnet can be comprised of thousands of machines working in
cooperation to carry out an attack. Each bot can carry out a very small
part of the attack with the cumulative effect being devastating
o Worms - spread from machine to machine without user interaction
o Spyware - computer software that obtains information from a user's computer
without the user's knowledge or consent
o Trojan horse - malicious code embedded in an otherwise legitimate application

Removing Malware
The first step in removing malware is to attempt to determine the effect that the malware
is having on the system
o Reviewing machine behavior, log files, Event Viewer logs and user reported
information can be helpful
o Consult your antivirus vendor for removal instructions
o If removal is not possible, reinstalling the OS may be necessary. Before
reinstalling the OS, be sure to backup all user data. Before restoring the user data,
be sure to run antivirus/malware scans on the saved data

Malware Protection Tools


Malware protection technologies available in Windows 7 or from Microsoft include:
o Action Center - consolidates message traffic from key Windows maintenance and
security features, including Windows Defender and User Account Control
If Windows requires your attention, the Action Center icon appears in the taskbar. Click
it and you'll see both alerts and suggested fixes for any problems.

Windows Defender - Windows Defender is software that helps protect your computer
against pop-ups, slow performance, and security threats caused by spyware and other
unwanted software by detecting and removing known spyware from your computer

o Windows Defender features real-time protection, a monitoring system that
recommends actions against spyware when it's detected, minimizes interruptions,
and helps you stay productive.

Microsoft Baseline Security Analyzer (MBSA) - is an easy-to-use tool designed to help
determine the security state of a machine in accordance with Microsoft security
recommendations and offers specific remediation guidance
Malicious Software Removal Tool - checks computers running Windows 7, Windows
Vista, Windows XP, Windows 2000, and Windows Server 2003 for infections by
specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and
helps remove any infection found
o When the detection and removal process is complete, the tool displays a report
describing the outcome, including which, if any, malicious software was detected
and removed.
o Microsoft releases an updated version of this tool on the second Tuesday of each
month, and as needed to respond to security incidents. The tool is available from
Microsoft Update, Windows Update and the Microsoft Download Center
o The version of the tool delivered by Microsoft Update and Windows Update runs
in the background and then reports if an infection is found. To run this tool more
than once a month, use the version on this Web page or install the version that is
available in the Download Center
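The first removal step above (reviewing machine behaviour and Event Viewer logs to see what the malware is doing) rarely has a tool behind it on a Windows 7 desk, so here is an added read-only triage script in PowerShell (not code from the study guide). It pulls recent errors and warnings from the System and Application logs, enumerates the common auto-start locations (Run/RunOnce keys and automatic services), and verifies the Authenticode signature of each auto-started executable, flagging unsigned, tampered or missing binaries for a closer look. It assumes Windows PowerShell 2.0 or later run elevated on Windows 7; nothing is changed on the machine.

```powershell
# Added example: first-look malware triage (event log errors, auto-start entries and
# their signatures). Read-only. Assumes Windows PowerShell 2.0+ run elevated on Windows 7;
# not part of the study guide.

function Get-RecentSystemErrors {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($log in 'System', 'Application') {
        Get-EventLog -LogName $log -EntryType Error, Warning -After $since -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Log'; e = { $log } }, TimeGenerated, Source, EventID,
                          @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Substring(0, [Math]::Min(90, $_.Message.Length)) } }
    }
}

# Pull the executable path out of a command line such as
#   "C:\Program Files\App\app.exe" /silent     or     C:\Windows\system32\svchost.exe -k netsvcs
function Get-ExecutablePath {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.exe)') { return $Matches[1] }   # lazy: stops at the first .exe
    return $Command.Trim()
}

function Get-AutoStartEntries {
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            New-Object PSObject -Property @{ Location = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
    # Automatically started services are another persistence point.
    Get-WmiObject Win32_Service | Where-Object { $_.PathName -and $_.StartMode -eq 'Auto' } | ForEach-Object {
        New-Object PSObject -Property @{ Location = 'Service'; Name = $_.Name; Command = $_.PathName }
    }
}

function Test-AutoStartSignatures {
    Get-AutoStartEntries | ForEach-Object {
        $path = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $_.Command))
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            if ($sig) { $status = "$($sig.Status)" } else { $status = 'Unknown' }
        } else {
            $status = 'FileMissing'
        }
        New-Object PSObject -Property @{ Location = $_.Location; Name = $_.Name; Path = $path; Signature = $status }
    }
}

"== Errors and warnings in the last 24 hours (newest first) =="
Get-RecentSystemErrors | Sort-Object TimeGenerated -Descending | Select-Object -First 20 | Format-Table -AutoSize
"== Auto-start entries that are unsigned, tampered with, or point at a missing file =="
Test-AutoStartSignatures | Where-Object { $_.Signature -ne 'Valid' } | Format-Table Location, Name, Signature, Path -AutoSize
# For an on-demand scan with the Malicious Software Removal Tool rather than the monthly
# background run:  mrt.exe /F:Y   (full scan, clean automatically; /N = detect only)
```

An unsigned auto-start entry is not proof of malware (plenty of legitimate software ships unsigned), but HashMismatch on a binary that claims a Microsoft signature, or a Run value whose file no longer exists, is worth pursuing before consulting the antivirus vendor's removal instructions.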

Identify and resolve encryption issues.


Encrypted File System
Encrypting File System (EFS) is a feature of Windows that you can use to store
information on your hard disk in an encrypted format.

o EFS is available for Windows 7 Professional, Enterprise and Ultimate editions.
EFS is not fully supported on Windows 7 Starter, Windows 7 Home Basic, and
Windows 7 Home Premium
o For enterprise deployments, an Active Directory Certificate Server (ADCS) is
recommended for deployment of the digital certificates used in EFS
If you don't have this, Windows 7 will generate a self-signed digital
certificate and issue it to the user. This can be problematic if the user
encrypts files on multiple systems: there will be multiple keys involved
that will be difficult to maintain
Loss of the user's key will render the data unusable, as without the user's
private key, the file encryption key cannot be accessed
A method for backing up users' keys should be developed
A Digital Recovery Agent (DRA) should be defined so that in the
event that a user's private key is lost, the file can still be accessed and
decrypted by the DRA
Additional DRAs can be defined via Group Policy

o Since EFS technology is implemented by an end user who may not have the
knowledge necessary to manage the technology, thought should be given to
disabling EFS.
o EFS can be disabled on a specific system or domain-wide via Group Policy
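The EFS points above (self-signed versus CA-issued certificates, key backup, recovery agents, and disabling EFS), as one added PowerShell script (not code from the study guide). It lists the current user's EFS certificates and whether each is self-signed, uses cipher.exe to show which users and recovery agents can decrypt a given file, backs the user's EFS certificate and private key up with cipher /x, and reads the EfsConfiguration registry value that the "disable EFS" setting writes. It assumes Windows PowerShell 2.0 or later on Windows 7; the file path is a placeholder, the EFS and File Recovery EKU OIDs and EfsConfiguration are Microsoft's, and the cipher /c heading strings matched below are assumed to be those printed by the Windows 7 build of cipher.exe.

```powershell
# Added example: EFS certificate inventory, per-file decryptor list, key backup and the
# "EFS disabled" check. Assumes Windows PowerShell 2.0+ on Windows 7; not from the guide.
param([string]$SampleFile = "$env:USERPROFILE\Documents\secret.txt")   # placeholder path

function Get-EfsUserCertificates {
    # EFS user certificates carry the Encrypting File System EKU 1.3.6.1.4.1.311.10.3.4.
    # Subject equal to Issuer means Windows generated it itself (no enterprise CA involved).
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.4.1.311.10.3.4' })
    } | ForEach-Object {
        New-Object PSObject -Property @{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Expires    = $_.NotAfter
            SelfSigned = ($_.Subject -eq $_.Issuer)
            HasKey     = $_.HasPrivateKey
        }
    }
}

function Get-EfsFileAccess {
    # 'cipher /c' prints the users and the recovery agents able to decrypt a file.
    param([string]$Path)
    $section = ''
    foreach ($l in (cipher /c $Path 2>&1)) {
        if ($l -match 'Users who can decrypt')    { $section = 'User';     continue }
        if ($l -match 'Recovery Certificates')    { $section = 'Recovery'; continue }
        if ($l -match 'No recovery certificate')  { New-Object PSObject -Property @{ Role = 'Recovery'; Entry = '(none defined)' }; $section = ''; continue }
        if ($l -match 'Key Information')          { $section = ''; continue }
        if ($section -and "$l".Trim()) { New-Object PSObject -Property @{ Role = $section; Entry = "$l".Trim() } }
    }
}

function Backup-EfsUserKey {
    # cipher /x writes the current user's EFS certificate(s) and private key(s) to
    # <name>.pfx and prompts for a password. Keep the file off the encrypted volume.
    param([string]$Name = "$env:USERPROFILE\efs-backup")
    cipher /x $Name
}

function Get-EfsDisabledState {
    # The machine-wide "disable EFS" switch: EfsConfiguration = 1 means EFS is turned off.
    $efs = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS' -ErrorAction SilentlyContinue
    return ($efs -ne $null -and $efs.EfsConfiguration -eq 1)
}

"== EFS certificates for $env:USERNAME =="
Get-EfsUserCertificates | Format-Table Thumbprint, SelfSigned, HasKey, Expires, Issuer -AutoSize
if (Test-Path -LiteralPath $SampleFile) {
    "== Who can decrypt $SampleFile =="
    Get-EfsFileAccess -Path $SampleFile | Format-Table Role, Entry -AutoSize
}
"EFS disabled on this machine: $(Get-EfsDisabledState)"
# Backup-EfsUserKey            # uncomment to create efs-backup.pfx (you will be prompted for a password)
# cipher /r:efsdra             # creates the certificate and key pair for a recovery agent to be imported into Group Policy
```

A file whose Recovery entry reads "(none defined)" is the situation the guide warns about: if the user's private key is lost, nobody can recover it. Files encrypted before a DRA was added to policy do not pick it up until they are touched again (cipher /u re-applies the current recovery policy to all encrypted files).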

BitLocker
BitLocker Drive Encryption is a data protection feature available in Windows Enterprise
and Ultimate
BitLocker is full-volume encryption providing protection against theft, since the entire
HDD volume is encrypted, unlike EFS, which only provides file-level encryption.
To encrypt the drive that Windows is installed on, your computer must have two
partitions: a system partition (which contains the files needed to start your computer) and
an operating system partition (which contains Windows). The operating system partition
will be encrypted and the system partition will remain unencrypted so your computer can
start.

BitLocker Modes
o TPM Only
o TPM with Startup Key
Small plain-text file stored on external drive.
Computer will not be able to be booted without the USB thumb drive
inserted, thus providing additional security.
Dependent on not losing the thumb drive.
o TPM with PIN
Doesn't require the thumb drive to be present.
User has to remember their PIN
o TPM with PIN and Startup Key
Most secure combination
But, least convenient
o Without TPM
Via Group Policy
If your computer's motherboard doesn't have the required chip.
BitLocker Recovery - in the event that a BitLocker-encrypted drive must be recovered,
several methods can be used
o Via password

o Via USB stick with recovery key
o Active Directory Escrow
Specified in Group Policy - Store BitLocker recovery information
in Active Directory Domain Services
BitLocker-to-Go
BitLocker to Go extends BitLocker data protection to USB storage devices, enabling
them to be restricted with a passphrase.
o In addition to having control over passphrase length and complexity, IT
administrators can set a policy that requires users to apply BitLocker protection to
removable drives before being able to write to them
o BitLocker-to-Go drives are not readable by legacy versions of Windows if you
encrypt an NTFS formatted drive
If you encrypt a FAT (or exFAT, FAT32) formatted drive, you will see the
BitLocker to Go Reader when you plug it into a down level machine,
which will allow read access to your files.
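The BitLocker modes, recovery methods and policies above, as one added PowerShell report (not code from the study guide): for every volume it shows protection status, encryption percentage and which key-protector combination is in use (TPM, TPM and PIN, TPM and startup key, external key, recovery password, or passphrase for BitLocker To Go drives), reports whether a TPM is present and ready, and reads the Group Policy values behind "Without TPM" and Active Directory escrow. It assumes Windows PowerShell 2.0 or later run elevated on Windows 7 Enterprise or Ultimate; the WMI classes, their methods and the FVE policy value names are Microsoft's. The command-line equivalent is manage-bde -status.

```powershell
# Added example: BitLocker volume, TPM and policy report for a Windows 7 client.
# Assumes Windows PowerShell 2.0+ run elevated; not part of the study guide.

# KeyProtectorType values returned by Win32_EncryptableVolume.GetKeyProtectorType
$protectorNames = @{
    0 = 'Unknown'; 1 = 'TPM only'; 2 = 'External key (startup or recovery key on USB)'
    3 = 'Numerical password (48-digit recovery password)'; 4 = 'TPM and PIN'
    5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key'; 7 = 'Public key'; 8 = 'Passphrase'
}

function Get-BitLockerVolumeReport {
    $ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
    foreach ($v in (Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume)) {
        $prot = [int]$v.GetProtectionStatus().ProtectionStatus      # 0 = off, 1 = on, 2 = unknown
        $conv = $v.GetConversionStatus()                             # EncryptionPercentage 0..100
        $types = @()
        foreach ($id in @($v.GetKeyProtectors(0).VolumeKeyProtectorID)) {   # 0 = every protector type
            if ($id) { $types += $protectorNames[[int]$v.GetKeyProtectorType($id).KeyProtectorType] }
        }
        if ($types) { $protectors = $types -join '; ' } else { $protectors = 'none' }
        New-Object PSObject -Property @{
            Drive      = $v.DriveLetter
            Protection = @('Off', 'On', 'Unknown')[$prot]
            Encrypted  = "$($conv.EncryptionPercentage)%"
            Protectors = $protectors
        }
    }
}

function Get-TpmReport {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return 'No TPM found: BitLocker needs the "Without TPM" policy and a startup key on USB' }
    "TPM present: enabled=$($tpm.IsEnabled().IsEnabled) activated=$($tpm.IsActivated().IsActivated) owned=$($tpm.IsOwned().IsOwned)"
}

function Get-BitLockerPolicy {
    # Values written by the BitLocker Group Policy templates under HKLM\SOFTWARE\Policies\Microsoft\FVE.
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        AdvancedStartupPolicySet = ($fve.UseAdvancedStartup -eq 1)          # "Require additional authentication at startup"
        AllowWithoutTpm          = ($fve.EnableBDEWithNoTPM -eq 1)          # the "Without TPM" mode described above
        OsDriveAdBackup          = ($fve.OSActiveDirectoryBackup -eq 1)     # store OS-drive recovery info in AD DS
        OsDriveAdBackupRequired  = ($fve.OSRequireActiveDirectoryBackup -eq 1)
        LegacyAdBackup           = ($fve.ActiveDirectoryBackup -eq 1)       # Vista-era single setting for all drives
    }
}

Get-BitLockerVolumeReport | Format-Table Drive, Protection, Encrypted, Protectors -AutoSize
Get-TpmReport
Get-BitLockerPolicy | Format-List
# To escrow an existing recovery password into AD DS after the policy is turned on:
#   manage-bde -protectors -get C:            (lists protector IDs)
#   manage-bde -protectors -adbackup C: -id {numerical-password-protector-id}
```

A volume that shows Encrypted 100% but Protection Off is "suspended", for example after a firmware update, and is readable without any key until protection is resumed with manage-bde -protectors -enable.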

Identify and resolve software update issues.


Having a plan to evaluate and deploy necessary updates to a Windows system is critical for the
health of the system
Configuring Automatic Updates
Automating the Windows Update process can be achieved through several mechanisms:
o Manual
o Automatic Update
o Local
o WSUS 3.0
o SCCM
MS Update versus Windows Update - as of Windows Vista, you'll hit Windows Update first
(for only OS updates), then you'll be given the option to upgrade to Microsoft Update
(including other MS software, such as Office, SQL, SharePoint, etc.).
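The update mechanisms above, as an added PowerShell script (not code from the study guide) that shows a Windows 7 client's update source and state: it reads the Automatic Updates and WSUS policy values, checks whether the client has opted in to Microsoft Update (the Windows Update versus Microsoft Update distinction above), and uses the Windows Update Agent COM API to search for updates not yet installed and to list recent update history with each result. It assumes Windows PowerShell 2.0 or later run elevated; the policy value names are those of the WindowsUpdate policy keys, and the Microsoft Update service ID is the well-known one registered on the client.

```powershell
# Added example: Windows Update source, policy, opt-in state, missing updates and history.
# Assumes Windows PowerShell 2.0+ run elevated on Windows 7; not part of the study guide.

$auOptions = @{ 1 = 'Never check'; 2 = 'Notify before download'; 3 = 'Download, notify before install'
                4 = 'Download and schedule install'; 5 = 'Let the local administrator choose' }

function Get-WindowsUpdateConfig {
    $wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    if ($au.UseWUServer -eq 1 -and $wu.WUServer) { $source = "WSUS: $($wu.WUServer)" }
    else { $source = 'Windows Update / Microsoft Update (internet)' }
    if ($au.NoAutoUpdate -eq 1) { $mode = 'Disabled by policy' }
    elseif ($au.AUOptions) { $mode = $auOptions[[int]$au.AUOptions] }
    else { $mode = 'Not set by policy (local Control Panel setting applies)' }
    # Opt-in to Microsoft Update shows up as the Microsoft Update service being the default AU service.
    $muId = '7971f918-a847-4430-9279-4a52d1efe18d'
    $svc  = (New-Object -ComObject Microsoft.Update.ServiceManager).Services | Where-Object { $_.ServiceID -eq $muId }
    New-Object PSObject -Property @{
        Source               = $source
        AutomaticUpdates     = $mode
        WsusTargetGroup      = $wu.TargetGroup
        MicrosoftUpdateOptIn = [bool]($svc -and $svc.IsDefaultAUService)
    }
}

function Get-MissingUpdates {
    # Queries the configured source (WSUS or the internet); this can take a few minutes.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        New-Object PSObject -Property @{
            Title      = $u.Title
            KB         = (@($u.KBArticleIDs) -join ',')
            Severity   = $u.MsrcSeverity          # empty for non-security updates
            Downloaded = $u.IsDownloaded
        }
    }
}

function Get-UpdateHistory {
    param([int]$Last = 20)
    $resultNames = @('NotStarted', 'InProgress', 'Succeeded', 'SucceededWithErrors', 'Failed', 'Aborted')
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $count = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return }
    $searcher.QueryHistory(0, [Math]::Min($Last, $count)) | ForEach-Object {
        New-Object PSObject -Property @{ Date = $_.Date; Result = $resultNames[$_.ResultCode]; Title = $_.Title }
    }
}

Get-WindowsUpdateConfig | Format-List
"== Updates not yet installed =="
Get-MissingUpdates | Format-Table KB, Severity, Downloaded, Title -AutoSize
"== Recent update history =="
Get-UpdateHistory | Format-Table Date, Result, Title -AutoSize
# To force a detection cycle against the configured source right away:  wuauclt /detectnow
```

When the Source line says WSUS but the missing-updates list is empty while the WSUS console shows the machine as needing updates, the usual cause is that the client has not reported in; the history Result column (Failed entries with the same title repeating) tells you whether installs, rather than detection, are what is failing.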
