Lesson 2: Managing Disks CHAPTER 4 247 Practice Configuring Access Policy and Converting a Disk In this practice, you use the Local Group Policy Editor to configure a computer policy that denies write access to USB flash memory devices. You then use the Diskpart command-line utility to convert a basic disk to dynamic. exercise 1 Configuring Write Access to USB Flash Memory Devices In this exercise, you disable write access to USB flash memory devices. You then remove this configuration setting. 1. Ensure you have a USB flash memory device connected to your computer. 2. Log on to the Canberra computer with the Kim_Akers account. 3. Click Start, and in the Start Search box, enter gpedit.msc. This opens the Local Group Policy Editor. 4. In the left pane of the Local Group Policy Editor, expand Computer Configuration and then expand Administrative Templates. 5. Expand System and click Removable Storage Access. 6. Click Standard to select the Standard tab on the right pane. You see a screen similar to Figure 4-34. 7. In the right pane, double-click Removable Disks: Deny Write Access. 8. Select Enabled, as shown in Figure 4-39. Click OK. FIGURE 4-39 Enabling the Removable Disks: Deny Write Access policy 2 4 8 CHAPTER 4 Managing Devices and Disks 9. Check that you can no longer write to the USB flash memory device. You might have to remove the device and reinsert it to see it in the Computer console. 10. In the Local Group Policy Editor, double-click Removable Disks: Deny Write Access. 11. Select Not Configured. Click OK. 12. Check that you can now write to the USB flash memory device. As before, you might have to remove the device and reinsert it to see it in the Computer console. exercise 2 Converting a Basic Disk to Dynamic Converting a basic disk to dynamic is typically a safe procedure that does not affect the information on the disk. Nevertheless, before you attempt this procedure, it is a good idea to back up any important files on the disk. If you have two disks on your computer, choose the disk that does not contain your operating system. 1. If necessary, log on to the Canberra computer with the Kim_Akers account. 2. On the All Programs/Accessories menu, right-click Command Prompt and click Run As Administrator. If necessary, click OK to close the UAC dialog box. 3. Enter diskpart. 4. At the DISKPART> prompt, enter list disk and note the number of the disk you want to convert. 5. At the DISKPART> prompt, enter select disk <disknumber>. Your screen should look similar to Figure 4-40. FIGURE 4-40 Selecting a disk to convert 6. At the DISKPART> prompt, enter convert dynamic. Lesson Summary n You can use the Disk Management console or the Diskpart command-line tool to manage disks, partitions, and volumes on a computer running Windows 7. n You can use Group Policy to control access to removable devices. Lesson 2: Managing Disks CHAPTER 4 249 n Windows 7 supports basic disks, dynamic disks, the MBR partition type, and the GPT partition type and allows you to convert from one to the other. n Windows 7 offers software RAID-0, RAID-1, and RAID-5 volumes. You can also create simple and spanned volumes. You can shrink or expand a volume without needing to use third-party tools. Lesson Review You can use the following questions to test your knowledge of the information in Lesson 2, “Managing Disks.” The questions are also available on the companion DVD if you prefer to review them in electronic form. note ANSWERS Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the “Answers” section at the end of the book. 1. Which Diskpart command converts an MBR disk to a GPT disk? a. convert gpt B. convert mbr c. convert basic D. convert dynamic 2. You require fault tolerance for your operating system so that your computer running Windows 7 Home Premium can still boot up if a disk fails. You have two disks and unallocated space on your second disk. What do you do? a. Create a VHD and install an image of your computer on the VHD. Use BCDEdit to make the VHD bootable. B. Create a RAID-0 volume. c. Create a RAID-1 volume. D. Create a RAID-5 volume. 3. You want to prohibit read, write, and execute access to all types of external storage devices. What computer policy setting do you enable? a. All Removable Storage: Allow Direct Access In Remote Sessions B. All Removable Storage Classes: Deny All Access c. Removable Disks: Deny Read Access D. Removable Disks: Deny Write Access 4. You are using the Diskpart tool to create a RAID-0 volume from unallocated space on Disks 1, 2, and 3. You want the volume to be as large as possible. What command do you enter? a. create volume stripe size=0 disk=1,2,3 B. create volume stripe disk=1,2,3 2 5 0 CHAPTER 4 Managing Devices and Disks c. create volume raid size=0 disk=1,2,3 D. create volume raid disk=1,2,3 5. You are moving a dynamic volume from the Canberra computer running Windows 7 to the Aberdeen computer running Windows 7. The disk had been allocated drive letter H: on Canberra. Drives C:, D:, and E: already exist on Aberdeen. You have not config- ured Aberdeen to prevent new volumes from being added to the system. What drive letter is allocated to the disk on Aberdeen? a. The disk is not mounted, and no drive letter is allocated. B. F: c. G: D. H: Key Terms CHAPTER 4 251 Chapter Review To further practice and reinforce the skills you learned in this chapter, you can perform the following tasks: n Review the chapter summary. n Review the list of key terms introduced in this chapter. n Complete the case scenarios. These scenarios set up real-word situations involving the topics of this chapter and ask you to create a solution. n Complete the suggested practices. n Take a practice test. Chapter Summary n If a device is not PnP, you need to supply administrator credentials to install it. You can prestage a device driver and (if necessary) digitally sign it so non-administrators can install it. n You can prevent drivers downloading from Windows Update and installing automatically. You can also remove the Windows Update site from the search path for device drivers not in the device driver store. You can update, disable (or stop), uninstall, or roll back device drivers. n Windows 7 enables you to manage disks, partitions, and volumes and to control access to removable devices. You can convert one disk type to another and one partition type to another. You can shrink or expand volumes. n Windows 7 supports single, spanned, RAID-0, RAID-1, and RAID-5 volumes. Key Terms Do you know what these key terms mean? You can check your answers by looking up the terms in the glossary at the end of the book. n defragmentation n driver store n staging n Redundant Array of Independent Disks (RAID) n Trusted Publisher store 2 5 2 CHAPTER 4 Managing Devices and Disks Case Scenarios In the following case scenarios, you apply what you’ve learned about deploying system images. You can find answers to these questions in the “Answers” section at the end of this book. Case Scenario 1: Enforcing a Driver Signing Policy You are a senior systems administrator at the A. Datum Corporation. A. Datum’s written company policy states that only drivers that have been through the WHQL evaluation process and have been digitally signed by Microsoft should be installed on the production network. You have a test network completely separate from the production network on which you test software, including currently unsigned device drivers. You suspect that one of your assistants has installed an unsigned driver on a computer on the production network and as a result, the video card on that computer is not working properly. Answer the following questions: 1. How do you check the DirectX video card and discover whether the driver is not WHQL-approved and if there are any other problems? 2. How do you check there are no other unsigned drivers installed on the computer? 3. If the problem is not the driver, what tool can you use to determine if there is a resource clash with other hardware? 4. The unsigned driver in question worked fine on your test network. You want to test it again more thoroughly under stress conditions, such as low resources. What tool can you use to do this? Case Scenario 2: Managing Disks You have configured a computer running Windows 7 Enterprise and added three hard disks. Drive 0 is the original disk. It holds the operating system on the C: drive. It is a 200-GB disk and has no unallocated space. Drive 1 is a 200-GB drive, Drive 2 is a 400-GB drive, and Drive 3 is a 200-GB drive. Currently, all space on Disks 1, 2, and 3 is unallocated. You want to ensure fault tolerance for both your operating system and your data. You also want to reduce the time taken to access data. Answer the following questions: 1. What type of volume would you create to hold your operating system, and on which disks would you create it? 2. What type of volume would you create to hold your data, and on which disks would you create it? 3. Given the answer to question 2, what would be the size of the usable data storage on your data volume? Take a Practice Test CHAPTER 4 253 Suggested Practices To help you master the exam objectives presented in this chapter, complete the following tasks. Investigate the Group Policies Available for Managing Device Installation n Practice 1 Investigate the available policies in the Local Group Policy Editor. Double- clicking any policy enables you to read a detailed description. In particular, browse to Computer Management, Administrative Templates, System, and investigate the policies under Removable Storage Access, Driver Installation, Device Installation, and Device Installation Restrictions. Use the Driver Verifier Monitor Tool n Practice 1 Use the Driver Verifier Monitor to test a chosen driver under stress conditions. If you intend to install a third-party device that is not PnP, use the Driver Verifier Monitor to test the driver the manufacturer provides. Use Diskpart n Practice 1 The Diskpart tool is widely used for disk management. Use the tool until you are familiar with its parameters and processes, such as selecting (focusing) on a disk or volume before carrying out operations on it. Look at how you would create scripts using the tool and the use of the noerr parameter. Take a Practice Test The practice tests on this book’s companion DVD offer many options. For example, you can test yourself on just one exam objective, or you can test yourself on all the 70-680 certification exam content. You can set up the test so that it closely simulates the experience of taking a certification exam, or you can set it up in study mode so that you can look at the correct answers and explanations after you answer each question. More Info PRACTICE TESTS For details about all the practice test options available, see the section entitled “How to Use the Practice Tests,” in the Introduction to this book. CHAPTER 5 255 CHAPTER 5 Managing Applications O ne of the most important aspects of migrating to a new operating system is ensuring that all of the business-critical applications that functioned on the previous operating system function on computers running the new operating system. Organizations are understandably unwilling to migrate to a new operating system if it means that they will be unable to run the applications necessary to perform their important business activities. Compatibility is a big issue with the adoption of Windows 7 because many organizations will be migrating from Windows XP. Applications designed to run on Windows XP sometimes do not run on Windows 7 because of compatibility problems. Windows 7 includes several application compatibility features that allow administrators to configure the operating system in such a way so that these older applications can be run, which allows organizations that rely on these older applications to move their computers to Windows 7. Just as it is important to ensure that critical business applications function on a new operating system, it is also important to block users from executing unauthorized applications that may disrupt a business environment. There can be many reasons for only allowing a list of authorized applications to execute on a computer. These reasons range from securing your environment against malware to ensuring that users are not distracted by productivity- sapping diversionary applications. Allowing only authorized applications to execute automatically stops the execution of unauthorized applications, such as malware, games, and file sharing programs. In this chapter, you learn what steps you can take to resolve application compatibility issues, from configuring the built-in Windows 7 compatibility modes to using the Windows XP Mode virtualization option. You also learn how to use AppLocker and Software Restriction Policies to limit which applications that users can execute on the computers running Windows 7 in your organization. Exam objectives in this chapter: n Configure application compatibility. n Configure application restrictions. Lessons in this chapter: n Lesson 1: Application Compatibility 257 n Lesson 2: Managing AppLocker and Software Restriction Policies 271 2 5 6 CHAPTER 5 Managing Applications Before You Begin To complete the exercises in the practices in this chapter, you need to have done the following: n Install the Windows 7 operating system on a stand-alone client PC, as described in Chapter 1, “Install, Migrate, or Upgrade to Windows 7.” n Download Process Explorer from Microsoft’s Web site. You can find Process Explorer by navigating to http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx. real World Orin Thomas S oftware Restriction Policies are one of those things that are a great idea in theory but rather time consuming to implement in practice. The theory is that you can use Software Restriction Policies to enforce an allow list of applications that you let run on the computers that are in your organization. If the application is not on the list, it cannot execute. In practice, this means figuring out precisely which executable files on your computer you are going to allow. This is not a simple process because there are a lot of applications hidden in the Windows folder that are essential to the operation of the computer. The strongest sort of Software Restriction Policy is the hash rule, which uses a digital fingerprint for file identification. To use hash rules, you need to generate manually a separate digital fingerprint for every executable file on your allow list. Needless to say, this takes even longer than coming up with the list itself. To complicate matters further, every time you update your software with a patch, you need to recalculate the hash values for all executable files modified by the update process. This is because the original digital fingerprint no longer matches the updated files. The process of generating an allow list and then going out to calculate and recalculate hash values is one that even the most enthusiastic security administrators find a little tedious. It results in a very secure environment, but it takes a lot of effort to maintain that security. AppLocker, which debuts in Windows 7 and Windows Server 2008 R2, greatly reduces the workload involved in creating an application allow list. There are wizards that automate the process of creating hash rules. There are also improved publisher rules that give you the ability to allow-list a particular application and all later versions of that application. You can build a reference system and then automatically generate rules for every executable file on it. Needless to say, this improvement allows the great idea in theory to become a great idea in practice. [...]... shown in Figure 5-2 You can use the drop-down menu to select from one of the following compatibility modes: n Windows 98 / Windows Me n Windows NT 4. 0 (Service Pack 5) n Windows 2000 n 2 58 Windows 95 n Windows XP (Service Pack 2) CHAPTER 5 Managing Applications Figure 5-2   Available compatibility modes n Windows XP (Service Pack 3) n Windows Server 2003 (Service Pack 1) n Windows Vista n Windows Vista... warm reboot after configuring BIOS As 256 MB of RAM must be allocated to the Windows XP Mode client, the computer running Windows 7 on which you deploy Windows XP Mode requires a minimum of 2 GB of RAM, which is more than the 1 GB of RAM Windows 7 hardware requirement To install applications that are not compatible with Windows 7, you must start the ­ indows W XP Mode client from the Windows Virtual... on computers running Microsoft Windows 2000 Professional but does not work on computers running Windows XP? A Windows 98 / Windows Me B Windows NT 4. 0 (Service Pack 5) C Windows XP (Service Pack 2) D Windows 2000 3 Which of the following file types does the Windows 7 Program Compatibility t ­ roubleshooter application work with? A .cab files B .exe files C .msi files D .zip files 4 An application used... the problem causing the failure Windows XP Mode for Windows 7 Windows XP Mode is a downloadable compatibility option that is available for the ­ rofessional, P Enterprise, and Ultimate editions of Windows 7 Windows XP Mode uses the latest version of Microsoft Virtual PC to allow you to run an installation of Windows XP virtually under W ­ indows 7 The difference between Windows XP Mode and other operating... internal Web site displays correctly when you migrate all users to computers running Windows 7 Which of the following tools can you use to accomplish this goal? A Internet Explorer Administration Kit (IEAK) B Application Compatibility Toolkit (ACT) C Windows Automated Installation Kit (Windows AIK) 2 70 D Microsoft Deployment Toolkit (MDT) CHAPTER 5 Managing Applications Lesson 2: Managing AppLocker and Software... shown in Figure 5-8 Figure 5-8   Virtual XP shut down to run application Windows XP Mode provides an x86 version of Windows XP Professional SP3 Windows Virtual PC does not support x 64 virtual clients, which means that you cannot use Windows XP Mode or Virtual PC as a compatibility solution for x 64 applications Because the application is not executing natively within Windows 7, there will be some performance... irtualization ­ olutions is that all applications that you install on the Windows XP Mode client will s be ­ vailable automatically on the Windows 7 host computer For example, if you install Microsoft a Office 2000 on the Windows XP Mode client, the shortcuts for the Office 2000 applications b ­ ecome available on the Windows 7 Start menu When you run an application, it starts in its own separate window... using the Application Compatibility Toolkit (ACT) n Locate Windows Internet Explorer compatibility issues using the Internet E ­ xplorer Compatibility Test Tool Estimated lesson time: 40 minutes Configuring Compatibility Options Although many applications that work on Windows XP work without a problem on Windows 7, a small, but significant, number of mission-critical applications do not There are several... between Windows 7 and earlier Microsoft Windows client operating systems Improvements in the way that the operating system handles application security, with features such as Data Execution Protection and Mandatory Integrity Control, mean that applications that were able to perform certain functions in earlier versions of Windows are unable to perform the same functions when run on the Windows 7 platform... Restriction Policies Software Restriction Policies is a technology available to clients running Windows 7 that is available in Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008 You manage Software Restriction Policies through Group Policy You can find Software R ­ estriction Policies in the Computer Configuration \Windows Settings\Security Settings\­ Software Restriction Policies node . screen similar to Figure 4- 3 4. 7. In the right pane, double-click Removable Disks: Deny Write Access. 8. Select Enabled, as shown in Figure 4- 3 9. Click OK. FIGURE 4- 3 9 Enabling the Removable. 5-2 . You can use the drop-down menu to select from one of the following compatibility modes: n Windows 95 n Windows 98 / Windows Me n Windows NT 4. 0 (Service Pack 5) n Windows 2000 n Windows. of Windows 7 because many organizations will be migrating from Windows XP. Applications designed to run on Windows XP sometimes do not run on Windows 7 because of compatibility problems. Windows