1. Trang chủ
  2. » Công Nghệ Thông Tin

Configuring Windows 7 (Training Kit) - Part 30 pptx

10 217 0

Đang tải... (xem toàn văn)

THÔNG TIN TÀI LIỆU

Thông tin cơ bản

Định dạng
Số trang 10
Dung lượng 260,24 KB

Nội dung

Lesson 1: Application Compatibility CHAPTER 5 263 FIGURE 5-5 The Internet Explorer Compatibility Test Tool Setup Analysis Tool The Setup Analysis Tool monitors the actions taken by application installers and can detect the following compatibility issues: n Installation of kernel mode drivers n Installation of 16-bit components n Installation of Graphical Identification and Authentication dynamic-link libraries (DLLs) n Modification of files or registry keys that are guarded by Windows Resource Protection (WRP) To perform an analysis, open the Setup Analysis Tool and type in the location of the setup file that you want to analyze. The Setup Analysis Tool runs the setup command and profiles the installation procedure to determine what issues might exist. Standard User Analyzer The Standard User Analyzer, shown in Figure 5-6, allows you to test applications to determine if they might have compatibility issues caused by User Account Control. The Standard User Analyzer provides data about problematic files and APIs, registry keys, .ini files, tokens, privileges, namespaces, processes, and other related items that the application uses that might cause problems when running on a computer with Windows 7 installed. To use the Standard User Analyzer, start the tool, specify the target application, and then click Launch. 2 6 4 CHAPTER 5 Managing Applications The application attempts to start, and the Standard User Analyzer profiles how it interacts with the Windows 7 environment. FIGURE 5-6 Standard User Analyzer More Info ACT For more information about the ACT, consult the following TechNet Magazine article: http://technet.microsoft.com/en-us/magazine/dd797545.aspx. Application Compatibility Diagnostics Policies There are six application compatibility related group policies that influence how Windows 7 responds when it encounters an application compatibility problem. These policies are located in the Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics node of a Group Policy Object (GPO). These policies are shown in Figure 5-7. FIGURE 5-7 Application compatibility diagnostics policies Lesson 1: Application Compatibility CHAPTER 5 265 The policies have the following functions: n Notify Blocked Drivers When enabled, Windows notifies the user when a driver is blocked due to compatibility issues. n Detect Application Failures Caused By Deprecated COM Objects When enabled, Windows notifies the user if a program attempts to create a COM object that is not supported by Windows 7. n Detect Application Failures Caused By Deprecated Windows DLLs When enabled, Windows notifies the user if a program tries to load Windows DLLs that are not supported by Windows 7. n Detect Application Install Failures When enabled, application installer failures are detected and the user is presented with the option to restart the installation process using application compatibility mode. n Detect Application Installers That Need To Be Run As Administrator When enabled, application installations that fail because they need to be run as an administrator can be restarted with the Run As Administrator option. n Detect Applications Unable To Launch Installers Under UAC This setting is similar to the previous one except that instead of running as an administrator, the user receives a User Account Control prompt to elevate privileges when the installation of an application fails. If you do not configure these policies, the default Windows 7 setting is to notify the user that the failure has occurred and, in some instances, to start the Program Compatibility Troubleshooter. In environments where users are not able to resolve application compatibility issues by themselves, administrators often disable these notifications because there is little reason to notify a user of the reason for the failure if the user is unable to resolve the problem causing the failure. Windows XP Mode for Windows 7 Windows XP Mode is a downloadable compatibility option that is available for the Professional, Enterprise, and Ultimate editions of Windows 7. Windows XP Mode uses the latest version of Microsoft Virtual PC to allow you to run an installation of Windows XP virtually under Windows 7. The difference between Windows XP Mode and other operating system virtualization solutions is that all applications that you install on the Windows XP Mode client will be available automatically on the Windows 7 host computer. For example, if you install Microsoft Office 2000 on the Windows XP Mode client, the shortcuts for the Office 2000 applications become available on the Windows 7 Start menu. When you run an application, it starts in its own separate window as any other application does. From the perspective of the user, this means that applications appear as though they are executing directly within Windows 7. Windows XP Mode requires a processor that supports hardware virtualization using either the AMD-V or Intel VT options. Most processors have this option disabled by default; to enable it, you must do so from the computer’s BIOS. After the setting has been configured, 2 6 6 CHAPTER 5 Managing Applications it is necessary to turn the computer off completely. The setting is not enabled if you perform a warm reboot after configuring BIOS. As 256 MB of RAM must be allocated to the Windows XP Mode client, the computer running Windows 7 on which you deploy Windows XP Mode requires a minimum of 2 GB of RAM, which is more than the 1 GB of RAM Windows 7 hardware requirement. To install applications that are not compatible with Windows 7, you must start the Windows XP Mode client from the Windows Virtual PC folder of the Start menu. After you have installed the application, you can then start it from the Virtual Windows XP Applications folder of the Start menu. You can also copy items from this folder to the desktop or to the Taskbar to start them directly as you would any other program installed on a computer running Windows 7. When you start an application installed on Virtual XP directly from the Start menu in Windows 7, the Virtual Windows XP operating system is shut down, as shown in Figure 5-8. FIGURE 5-8 Virtual XP shut down to run application Windows XP Mode provides an x86 version of Windows XP Professional SP3. Windows Virtual PC does not support x64 virtual clients, which means that you cannot use Windows XP Mode or Virtual PC as a compatibility solution for x64 applications. Because the application is not executing natively within Windows 7, there will be some performance overhead to using an application through Windows XP Mode. You should consider Windows XP Mode as a compatibility option of last resort. This is because it requires significantly more system resources to use than the built-in or custom compatibility modes. Another drawback to Windows XP Mode is that it requires administrators to manage and maintain the Windows XP virtual client as they would any other client desktop computer in their organization. This means that you need to keep the Windows XP virtual client up to date with updates even though the people using the computer will not be accessing the Windows XP operating system directly. eXaM tIP An application that functions well on a computer that has Windows XP SP3 installed, but which does not run normally on Windows 7, might run without a problem if you configure it to use the Windows XP SP3 compatibility mode. Lesson 1: Application Compatibility CHAPTER 5 267 Practice Windows 7 Compatibility In this practice, you investigate Windows 7 compatibility options for an application that you have downloaded from the Internet. exercise Configuring Compatibility Options for Process Explorer In this exercise, you explore the compatibility options for an application and verify that an application is digitally signed. Although Process Explorer functions without problems in Windows 7, you need to obtain an application that is not included with Windows 7 to configure compatibility options. It is not possible to configure compatibility options for an application that is included within Windows 7, such as Calc.exe or Solitaire.exe. 1. If you are not logged on already, log on to computer Canberra using the Kim_Akers user account. If you have not already downloaded the file ProcessExplorer.zip to the desktop from Microsoft’s Web site, do so now. 2. Right-click ProcessExplorer.zip and then choose Extract All. This opens the Extract Compressed (Zipped) Folders Wizard. Accept the default folder location and settings and then click Extract. 3. Right-click the Procexp.exe application and then choose Properties. Click the Digital Signatures, select Microsoft Corporation, and then click Details. Verify that the application is digitally signed by Microsoft, as shown in Figure 5-9. Click OK to close the Digital Signature Details dialog box. FIGURE 5-9 Verify the digital signature 4. Click the Compatibility tab. Under Compatibility Mode, select the Run This Program In Compatibility Mode For check box and use the drop-down menu to select Windows Vista (Service Pack 2). 2 6 8 CHAPTER 5 Managing Applications 5. Select the Disable Desktop Composition check box and then select the Run This program As An Administrator check box, as shown in Figure 5-10. Click OK. FIGURE 5-10 Configuring application compatibility 6. Double-click procexp.exe. You should be confronted by a User Account Control dialog box that warns you that the following program may make changes to your computer, the program name, and the origin of the file, as shown in Figure 5-11. Click Yes. FIGURE 5-11 User Account Control prompt for Process Explorer Lesson 1: Application Compatibility CHAPTER 5 269 7. In the Process Explorer License Agreement dialog box, click Agree. Process Explorer does not execute with these compatibility settings. Click Close The Program. 8. Right-click Procexp.exe and choose Properties. Click the Compatibility tab and then clear the Run This Program In Compatibility Mode, Disable Desktop Composition, and Run This Program As An Administrator check boxes. Click OK. 9. Double-click Procexp.exe. Click Run if prompted by the Open File–Security Warning dialog box. 10. Verify that the application executes properly and then close the application. Lesson Summary n You can run the Program Compatibility troubleshooter to diagnose common application compatibility issues. n Windows 7 has several compatibility modes that allow the majority of existing software to execute on it. n The ACT contains several tools that allow you to analyze potential compatibility problems prior to deploying Windows 7 in your organization. n You can use the Compatibility Administrator to search for existing compatibility fixes and compatibility modes that have already been developed for popular applications. n You can use the Internet Explorer Compatibility Test Tool to check existing Web sites and applications for compatibility problems that might exist when Internet Explorer 8 is used as a browser. n Windows XP Mode allows you to run applications through a virtualized instance of Windows XP that runs on Windows 7 Professional, Ultimate, or Enterprise edition. Lesson Review You can use the following questions to test your knowledge of the information in Lesson 1, “Application Compatibility.” The questions are also available on the companion DVD if you prefer to review them in electronic form. note ANSWERS Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the “Answers” section at the end of the book. 1. You are planning to migrate all the computers in your organization to Windows 7 Professional. Your organization has several applications that are installed on computers running Windows XP Professional. You are unable to install these applications on computers running Windows 7 due to compatibility problems. You are unable to configure a custom compatibility mode to support these applications using the ACT. 2 7 0 CHAPTER 5 Managing Applications Which of the following solutions could you implement to deploy these mission-critical applications on the computers running Windows 7? a. Install the Window XP Mode feature. Install the application under Windows XP. B. Create a custom compatibility fix for the application using the ACT. c. Create a shim for the application using the ACT. D. Configure the application installer to run in Windows XP Professional SP2 compatibility mode. 2. Which of the following compatibility modes would you configure for an application that works on computers running Microsoft Windows 2000 Professional but does not work on computers running Windows XP? a. Windows 98 / Windows Me B. Windows NT 4.0 (Service Pack 5) c. Windows XP (Service Pack 2) D. Windows 2000 3. Which of the following file types does the Windows 7 Program Compatibility troubleshooter application work with? a. .cab files B. .exe files c. .msi files D. .zip files 4. An application used by the administrators in your organization is not configured to prompt for elevation when it is run. Which of the following compatibility options could you configure for the application to ensure that users with administrative privileges are always prompted when they execute the application? a. Configure the application to run in Windows XP (Service Pack 3) compatibility mode. B. Enable the Run In 256 Colors compatibility option. c. Enable the Run This Program As An Administrator compatibility option. D. Enable the Disable Desktop Composition compatibility option. 5. Your organization’s internal Web site was designed several years ago, when all client computers were running Windows XP and Microsoft Internet Explorer 6. You want to verify that your organization’s internal Web site displays correctly when you migrate all users to computers running Windows 7. Which of the following tools can you use to accomplish this goal? a. Internet Explorer Administration Kit (IEAK) B. Application Compatibility Toolkit (ACT) c. Windows Automated Installation Kit (Windows AIK) D. Microsoft Deployment Toolkit (MDT) Lesson 2: Managing AppLocker and Software Restriction Policies CHAPTER 5 271 Lesson 2: Managing AppLocker and Software Restriction Policies Occasionally it might be necessary to limit the applications that users can run on a computer. You might want to block a specific application from running, or you might want to ensure that only applications that are on an approved list function on your organization’s network. There are two different technologies that you can use with computers running Windows 7 to restrict the execution of applications: AppLocker and Software Restriction Policies. You manage AppLocker and Software Restriction Policies through Group Policy. You can use these technologies to restrict programs, installation files, scripts, and even DLL libraries. In this lesson, you learn the differences between the two technologies and the situations in which you would choose to deploy one technology over the other. After this lesson, you will be able to: n Configure Software Restriction Policies to restrict the execution of applications. n Configure AppLocker policies to restrict the execution of applications, installers, and scripts. Estimated lesson time: 50 minutes Software Restriction Policies Software Restriction Policies is a technology available to clients running Windows 7 that is available in Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. You manage Software Restriction Policies through Group Policy. You can find Software Restriction Policies in the Computer Configuration\Windows Settings\Security Settings\ Software Restriction Policies node of a group policy. When you use Software Restriction Policies, you use the Unrestricted setting to allow an application to execute and the Disallowed setting to block an application from executing. note CONTROLLING APPLICATIONS THROUGH PERMISSIONS Although it is possible to restrict the execution of an application on the basis of NTFS permissions, configuring the NTFS permissions for a large number of applications on a large number of computers requires significant administrative effort. You can achieve many of the same application restriction objectives with Software Restriction Policies that you can with AppLocker policies. The advantage of Software Restriction Policies over AppLocker policies is that Software Restriction Policies can apply to computers running Windows XP and Windows Vista, as well as to computers running Windows 7 editions that do not support AppLocker. The disadvantage of Software Restriction Policies is that all rules must be created manually because there are no built-in wizards to 2 7 2 CHAPTER 5 Managing Applications simplify the process of rule creation. You learn more about AppLocker policies later in this lesson. Software Restriction Policies are applied in a particular order, with the more explicit rule types overriding more general rule types. The order of precedence from most specific (hash) to least specific (default) is as follows: 1. Hash rules 2. Certificate rules 3. Path rules 4. Zone rules 5. Default rules If two conflicting rules with different security levels are established for the same program, the most specific rule takes precedence. For example, a hash rule that sets a particular application to Unrestricted overrides a path rule that sets a particular application to Disallowed. This is different from AppLocker policies, which do not use precedence rules and where a block in any rule type always overrides any allow rule. note APPLOCKER OVERRIDES SOFTWARE RESTRICTION POLICIES In environments that use both Software Restriction Policies and AppLocker, AppLocker policies take precedence. If you have an AppLocker policy that specifically allows an application that is blocked by a Software Restriction Policy, the application executes. Security Levels and Default Rules The Security Levels node allows you to set the Software Restriction Policies default rule. The default rule applies when no other Software Restriction Policy matches an application. You can enable only one default rule at a time. The three default rules, shown in Figure 5-12, are: n Disallowed When this rule is set, users are unable to execute an application if the application is not allowed by an existing Software Restriction Policy. n Basic User When this rule is set, users are able to execute applications so long as those applications do not require administrative access rights. Users are able to access applications that require administrative access rights only if a rule has been created that covers that application. n Unrestricted When this rule is set as the default rule, a user is able to execute an application unless an existing Software Restriction Policy blocks that application. If you are working on an allow list of applications, you would configure the disallowed default rule. This ensures that any application that is not specifically allowed cannot run. If you just want to block a couple of troublesome applications but do not want to go to the trouble of creating a rule for all the applications used in your environment, you should set the Unrestricted default rule. This allows any application to run unless you explicitly block it. . running Windows XP? a. Windows 98 / Windows Me B. Windows NT 4.0 (Service Pack 5) c. Windows XP (Service Pack 2) D. Windows 2000 3. Which of the following file types does the Windows 7 Program. failure. Windows XP Mode for Windows 7 Windows XP Mode is a downloadable compatibility option that is available for the Professional, Enterprise, and Ultimate editions of Windows 7. Windows XP. allocated to the Windows XP Mode client, the computer running Windows 7 on which you deploy Windows XP Mode requires a minimum of 2 GB of RAM, which is more than the 1 GB of RAM Windows 7 hardware

Ngày đăng: 02/07/2014, 10:21