Configuring Security and Internet Explorer

Additional settings

28. On the Wizard Complete page, click Next. This creates a custom package for the installation of Internet Explorer 8 on the Windows Vista x86 and Windows Server 2008 x86 operating systems. Make note of the folder in which the package is installed.
29. Review the installation files in the build folder using Windows Explorer.

■ Internet Explorer Administration Kit allows you to create customized Windows Internet Explorer packages.
■ The Internet Explorer Administration Kit Profile Manager allows you to configure automatic configuration files for Windows Internet Explorer. These configuration files can be hosted at an accessible location.
■ Add sites that you suspect of containing malware to the Restricted Sites zone. Add sites that you trust but that are not located on your organizational network to the Trusted Sites zone.
■ You can allow specific add-ons while blocking all others by configuring Group Policy.

You can use the following questions to test your knowledge of the information in Lesson 2, “Configuring Windows Internet Explorer.” The questions are also available on the companion CD if you prefer to review them in electronic form.

Lesson 2: Configuring Windows Internet Explorer

1. You want to ensure that users in your organization are unable to add and remove Web site addresses from the Windows Internet Explorer Trusted Sites and Restricted Sites zones. Which of the following Group Policy items should you configure to accomplish this goal?
   A. Security Zones: Use Only Machine Settings
   B. Security Zones: Do Not Allow Users To Change Policies
   C. Security Zones: Do Not Allow Users To Add/Delete Sites
   D. Restrict Search Providers To A Specific List Of Providers

2. You want to limit Windows Internet Explorer accelerators to those that are configured through Group Policy. You do not want to add additional accelerators. Which of the following policies should you configure?
   A. Deploy Non-Default Accelerators
   B. Deploy Default Accelerators
   C. Turn Off Accelerators
   D. Use Policy Accelerators

3. You are in the process of creating a distribution plan for the deployment of Internet Explorer 8 using organization-specific configuration settings. Windows Internet Explorer must be deployed to 60 portable computers that are not part of your organization’s Active Directory environment. Which of the following methods allows you to deploy organizational settings consistently to these computers with a minimum of administrative effort?
   A. Local Group Policy
   B. Security Policy
   C. Domain-level Group Policy
   D. Internet Explorer Administration Kit

4. You want to ensure that users are not able to remove temporary Internet files and cookies when browsing using Internet Explorer 8. Which of the following policies should you configure to accomplish this goal?
   A. Prevent Deleting Passwords
   B. Prevent Deleting InPrivate Filtering Data
   C. Prevent Deleting Favorites Site Data
   D. Prevent The Deletion Of Temporary Internet Files And Cookies

5. You want to ensure that users of Internet Explorer 8 in your organization are not able to browse in a way that avoids automatic recording of cookies and browsing history. Which of the following policies should you configure to accomplish this goal?
   A. Turn Off InPrivate Filtering
   B. Turn Off InPrivate Browsing
   C. Do Not Collect InPrivate Filtering Data
   D. InPrivate Filtering Threshold

To further practice and reinforce the skills you learned in this chapter, you can perform the following tasks:
■ Review the chapter summary.
■ Review the list of key terms introduced in this chapter.
■ Complete the case scenarios. These scenarios set up real-world situations involving the topics of this chapter and ask you to create a solution.
■ Complete the suggested practices.
■ Take a practice test.

■ When defining a client security standard, select a technology that is appropriate to the outcome you want to accomplish.
■ Use BitLocker and EFS to encrypt data and AppLocker policies to restrict application execution.
■ Use account policies to set password policies and use user account control policies to determine how Windows treats requests for elevated privileges.
■ Windows Internet Explorer can be configured through the Internet Explorer Administration Kit, through Group Policy or through a combination of both technologies.

Do you know what these key terms mean? You can check your answers by looking up the terms in the glossary at the end of the book.
■ AppLocker
■ BitLocker
■ InPrivate Browsing
■ InPrivate Filtering

Chapter Review

In the following case scenarios, you apply what you’ve learned about subjects of this chapter. You can find answers to these questions in the “Answers” section at the end of this book.

You are in the process of developing a client security baseline policy for implementation on the computers running the Windows 7 operating system at Contoso Pharmaceuticals. You have recently installed the Windows 7 Enterprise edition operating system on all client computers at Contoso. Contoso has a policy of purchasing applications only from vendors who digitally sign the application binaries. As a part of its portable computer strategy, Contoso has just purchased 200 small form factor notebook computers. These netbook computers do not have a TPM (Trusted Platform Module) chip. You want to ensure that users are able to start their netbook computers without having to insert a USB key or use a startup PIN. You want to ensure that the contents of the C:\Documents folder on these netbook computers cannot be recovered by unauthorized third parties if the netbook computer is misplaced. With these facts in mind, answer the following questions:
1. What encryption solution should you deploy to protect the C:\Documents folder on the netbook computers?
2. What steps should you take to prevent users from running applications that are not digitally signed by an approved vendor?
3. How can you ensure that computers running Windows 7 accept inbound communication only from computers that are members of the Contoso domain?

The legal department at Contoso Pharmaceuticals is concerned that the browsing habits of users at the organization are being tracked by third parties. After a security incident where sensitive intranet data was forwarded to an untrusted third-party Web site, your manager has recommended that you configure Internet Explorer to block add-ons and accelerators. Several users in your organization connect to a partner organization’s internal network to interact with a Web application. They have noticed that some aspects of this Web application do not function with Internet Explorer 8. The partner organization reports that their users are able to fully utilize the Web application when it is accessed locally using Internet Explorer 8. With these facts in mind, answer the following questions:
1. What steps can you take to ensure that user browsing sessions at Contoso Pharmaceuticals are not tracked across multiple sites by third parties?
2. What steps can you take to ensure that users are unable to install additional accelerators or add-ons on computers that have Internet Explorer 8 installed?
3. What steps can you take to ensure that users that connect to the Web application hosted by Fabrikam are able to run it without problems?

To help you successfully master the exam objectives presented in this chapter, complete the following tasks.

In this practice, you will perform two configuration tasks that are critical for those interested in developing client security standards for computers running the Windows 7 operating system.
■ Configure security policy so that a user is locked out for a period of 20 minutes if they enter an incorrect password three times in a 5-minute period. Also configure security policy so that users must change their passwords every 21 days and are unable to use any of their previous five passwords.
■ Configure security policy so that administrators and standard users must respond to all user account control prompts by entering credentials on the secure desktop.

In this practice, you perform two configuration tasks related to the configuration of Internet Explorer.
■ Use the Internet Explorer Administration Kit to create custom Windows Internet Explorer deployment files for Windows XP x86 Service Pack 3. Install the resulting build in a Windows XP Mode deployment hosted on your computer running Windows 7.
■ Use Group Policy to configure browser history settings so that users are unable to delete their browsing history.

The practice tests on this book’s companion CD offer many options. For example, you can test yourself on just one exam objective, or you can test yourself on all the 70-686 certification exam content. You can set up the test so that it closely simulates the experience of taking a certification exam, or you can set it up in study mode so that you can look at the correct answers and explanations after you answer each question.

Chapter 3, “Creating and Managing System Images,” discusses various methods for creating customized Windows Imaging files for deployment on an enterprise network. This chapter introduces the deployment process itself and helps you to decide which of the available deployment methods is most suitable for a particular organization. Lesson 1 lists the basic steps of a Windows 7 deployment and describes the permutations of the process that occur when you use the various Microsoft deployment tools. Lesson 2 provides the criteria administrators should use to decide what deployment method is best for their organizations.

■ Analyze the environment and choose appropriate deployment methods.
■ Lesson 1: Understanding the Windows 7 Deployment Process
■ Lesson 2: Choosing a Deployment Method

To complete the practice exercises in this chapter, you must have the following:
■ A computer running Windows 7 or Windows Server 2008 R2 on which you have installed Windows 7 AIK and MDT 2010, as described in the Chapter 3, Lesson 1 practice: “Downloading and Installing the Windows 7 AIK.”
■ A Windows 7 installation DVD.

Contents
Before You Begin
Lesson 1: Understanding the Windows 7 Deployment Process
    Windows 7 Deployment Basics
    Using Windows Deployment Services
    Using Windows 7 Automated Installation Kit
    Using Microsoft Deployment Toolkit 2010
    Lesson Summary
    Lesson Review
Lesson 2: Choosing a Deployment Method
    Understanding Deployment Options
    Understanding Deployment Scenarios
    Evaluating the Infrastructure
    Scaling the Client Deployment Process
    Lesson Summary
    Lesson Review
Chapter Review
    Chapter Summary
    Key Terms
    Case Scenarios
    Suggested Practices
    Take a Practice Test

Designing a Windows 7 Client Deployment Strategy

Depending on the number of workstations you have to install, the requirements imposed by your organization, and the tools at your disposal, the process of deploying Windows 7 can be simple or extremely complex. This lesson explains the basic steps of the deployment process, and describes how the various Microsoft deployment tools implement those steps.

■ Understand the steps of a basic Windows 7 deployment and variations that result from the use of various deployment tools.
Lesson 1: Understanding the Windows 7 Deployment Process

In its simplest form, a Windows 7 deployment consists of a user starting a computer and inserting an installation disk into the DVD drive. After the user answers a few simple questions, the Windows 7 setup program takes over and installs the operating system. The process is completely automated until it is time for the user to provide an account name and log on for the first time. The user then configures various settings and installs various applications until the workstation has a working environment suitable for specific tasks.

Although much of it is transparent to the user, this interactive installation process is essentially the same as that performed in a complex Windows 7 deployment on an enterprise network. The computer starts, loads the Windows Preinstallation Environment (Windows PE), and applies a Windows Imaging file containing the operating system to the computer’s local disk.

The differences between an individual, interactive installation, and an enterprise deployment include the following:
■ How the computer obtains the Windows PE boot files
■ The configuration of the Windows Imaging file containing the operating system
■ How the computer interacts with the setup program
■ How the workstation receives the applications and configuration settings it needs

The main object of an enterprise deployment is to install Windows 7 in a standardized configuration on multiple computers with little or no interaction at the workstation site. At its most basic level, an enterprise workstation deployment consists of the following steps:
1. Build a deployment share.
2. Perform a reference computer installation.
3. Capture an image of the reference computer.
4. Boot the target computer by using Windows PE.
5. Apply the captured image containing Windows 7.

These steps are described in the following sections.
A deployment share, as described in Chapter 3, is simply a shared folder on a Windows server where you store the Windows Image files and other software components that computers on the network need to access during the various phases of the deployment process. Although in a mass deployment, you can burn your customized images to DVD-ROM discs and distribute them to the target workstations that way, as in an individual installation, having the workstations access the images over the network is far easier.

There are performance factors to consider when deploying images over the network, however. Windows Imaging files are usually large, and hundreds of workstations downloading them simultaneously can flood the network, slowing down the deployment process and negatively affecting other users. For more information on benchmarking your networking and factoring performance issues into your deployment planning, see Lesson 2, “Choosing a Deployment Method,” later in this chapter.

Windows Deployment Services (WDS), Windows 7 Automated Installation Kit (AIK), and Microsoft Deployment Toolkit (MDT) 2010 all provide mechanisms for creating deployment shares and populating them with image files and other software components. In WDS, you use the Windows Deployment Services console. In Windows 7 AIK, you use Windows System Image Manager (SIM), and in MDT 2010, you use Deployment Workbench. You can also create a share manually and use it to distribute your images, but these tools streamline the process considerably.

As described in Chapter 3, a reference computer is a workstation, installed and configured in a lab, which administrators use as a model for the workstations they plan to deploy on the production network. By creating a reference installation and then capturing an image of it, administrators can implement their own customized workstation configurations without having to configure each computer individually.
Windows 7 installation disks have image files on them, which contain the basic operating system files, but most administrators create their own customized images for mass deployments. You can use the Microsoft deployment tools to automate the process of installing and configuring a reference computer, but whether this is necessary for a particular deployment project is a decision each administrator must make individually.

For example, if you are planning a deployment of 500 workstations that are completely identical, you need only one reference computer, and you might find it easier to install and configure Windows 7 on the reference computer manually. If, however, you are deploying 500 workstations using 20 different configurations, you are not likely to want to perform 20 separate reference computer installations; automating the process can save a lot of time and effort.

The Microsoft deployment tools provide two ways of automating a reference computer installation. You can use the Windows SIM utility from Windows 7 AIK to create an answer file, which the Windows setup program uses to configure the installation process, or you can use Deployment Workbench from MDT 2010 to create a task sequence and a boot image. For more information on creating answer files and task sequences, see Chapter 3.

After you install and configure a reference computer, you capture an image of it in Windows Imaging format, complete with all of its applications and customized settings. This is the image that you will deploy to your target workstations. Each of the Microsoft deployment tools has its own way of creating images, as follows:
■ Windows 7 AIK includes the ImageX.exe utility, which you can use to create images from the command line.
■ MDT 2010 creates boot images that include the Windows Deployment Wizard. When you run the wizard on the reference computer, you select the task sequence you want to use, and the wizard performs the Windows 7 installation and automatically captures an image of the resulting workstation.
■ WDS enables you to create capture images, which when deployed on a reference computer, boot the system and capture an image of it.

Whichever method you choose, the program can upload the image it creates back to the deployment share for later distribution to the target workstations.

Your target computers are the production workstations on which you want to deploy Windows 7. To install an operating system on any computer, you have to boot the system first, and in the case of a new, bare-metal computer, there are no boot files on the local disk.

Windows PE is a stripped-down version of the Windows operating system that you can use to start a computer without installing an operating system to a local disk. During the default boot process, Windows PE loads the entire operating system from the boot disk into memory using a RAM disk, which is an area of memory to which the system assigns a drive letter and uses it like a disk. After Windows PE is loaded, you can remove, disconnect, or reformat the boot disk as needed to complete the installation.

The three Microsoft deployment tools support Windows PE in the following manner:
■ Windows 7 AIK includes the Windows PE boot files and a script called Copype.cmd that you can use to create a Windows PE build directory. Then, you use a program called Oscdimg.exe to create a boot-disk image that you can burn to a removable medium, such as a CD-ROM or USB flash drive, or deploy over the network.
■ MDT 2010 automates the process of creating a Windows PE boot image, which contains the Windows Deployment Wizard. As with the Windows 7 AIK boot image, you can deploy Windows PE on a removable medium or over the network.
■ WDS provides the ability to deploy Windows PE boot images over the network to computers that support the Pre-Boot Execution Environment (PXE) standard. Instead of reading the boot files from a local device, such as a disk drive, the workstation connects to the WDS server and downloads a boot image.

[...]

... Figure 6-14 Creating an answer file in Windows SIM
Exercise 2 Partitioning a Disk with an Answer File
When deploying Windows 7, you can use an answer file to automate the process of partitioning the disk on which you intend to install Windows 7.
1. In Windows SIM, in the Windows Image box, browse to the Microsoft-Windows-Setup_6.1.7600.16385_neutral\DiskConfiguration\Disk\CreatePartitions\CreatePartition...

... Images,” in MCTS Self-Paced Training Kit (Exam 70-680): Configuring Windows 7, by Ian MacLean and Orin Thomas (Microsoft Press, 2009).
Using WDS as a Complete Deployment Solution
Every Windows 7 installation disk contains, in the Sources folder, a boot image file called Boot.wim and an install image called Install.wim. These are the default images containing the Windows PE boot files and the Windows 7 operating...

... Image Manager (Windows SIM): A graphical tool that creates distribution shares and answer files that administrators can use to customize Windows 7 installations.
System Preparation (Sysprep.exe): A command-line program that prepares Windows 7 workstations for imaging, auditing, and deployment.
Because Windows 7 AIK is a set of free-standing tools,...

... the reference computer
More Info: Creating Answer Files
For more information on creating answer files, see Chapter 2, “Configuring System Images,” in MCTS Self-Paced Training Kit (Exam 70-680): Configuring Windows 7. For complete documentation of the answer file creation process, see the Windows System Image Manager Technical Reference help...

... newly installed workstation
Figure 6-9 The New Task Sequence Wizard in Deployment Workbench
More Info: Creating a task sequence
For more information on creating a task sequence, see Chapter 3, “Deploying System Images,” in MCTS Self-Paced Training Kit (Exam 70-680): Configuring Windows 7. For complete documentation of the task sequence creation...

... the Distribution Share box, as shown in Figure 6-12.
Figure 6-12 Creating a distribution share in Windows SIM
4. Right-click Select A Windows Image Or Catalog File, and from the context menu, choose Select Windows Image. The Select A Windows Image dialog box appears.
5. Insert the Windows 7 installation disk into the DVD drive, browse to...

... install images
Using Windows 7 Automated Installation Kit
The Windows 7 Automated Installation Kit is a collection of tools and documentation that enable you to perform all the tasks essential to a Windows 7 workstation deployment. The same can be said of Microsoft Deployment Toolkit 2010, except that Windows 7 AIK does not include the planning and coordination framework for complex, high-volume deployment...

... Figure 6-15. The exact folder name varies depending on the Windows 7 version you are using.
Figure 6-15 Locating Disk Configuration components
2. Right-click CreatePartition, and from the context menu, select Add Setting To Pass 1 WindowsPE. The CreatePartition setting appears in the Answer File box, as shown in Figure 6-16.
Figure 6-16 Adding...

... deployment of a bare-metal workstation using only the Windows 7 AIK tools can consist of the following steps:
1. Install Windows 7 AIK on a build computer. The build computer is where you will create your answer files by using Windows SIM and your Windows PE boot media.
2. Create a distribution share by using Windows SIM, as shown in Figure 6-6...

... complete documentation of all answer file component and package settings, see the Unattended Windows Setup Reference for Windows 7 help file. Both of these help files are supplied with the Windows 7 AIK.
5. Create a configuration set using Windows SIM, using the interface shown in Figure 6-7. A configuration set is a self-contained version of the files from the distribution share you referenced in the answer...