windows vista - pennsylvania state university · windows vista a replacement for windows xp a long...

Windows VistaAll Staff Breakout Session

June 28, 2006

All features are subject to change. Confidential to ITS

Windows Vista Task ForceGroup formed to assess Vista impact on PSU

Co-chair: Connie Welch & Al WilliamsParticipants from all ITS Operating UnitsMeeting monthly since March 1Several Vista Beta subscribers – testing every buildSeveral MSDN subscribers – testing customer technology previews (ctp)

Logging experiences on a wiki

Have initiated a communication planOnline updates: http://its.psu.edu/headsup/VistaOS/Will publish in ITS news distributionsWill participate in ITS events

http://its.psu.edu/headsup/VistaOS


Windows VistaA replacement for Windows XPA long time coming (will be 5 years in October)Lacking in many of the promised featuresNot going to be available on a PC you buy in 2006Not a replacement for Server 2003

Windows Longhorn Server predicted for 2007 or 2008Very graphically intense GUIHas confusing hardware requirements


A single product with 5 versions

**MUI -All Languages

*Windows Ultimate Extras

Remote Desktop

Web Server

Fax & scanning utility

Domain Join

Offline folders

Group Policy

SUA (Unix Subsystem)

BitLocker (Full Volume Encryption)

**Virtual PC Express

Encrypted File System

Mobility (Tablet, Aux Display)

Network Projection

HD MovieMaker & DVD authoring

Media Center (incl. extender)

Aero glass, animations and visuals

Scheduled & Networked Backup

Join OnlyP2P Meeting Space

Search & Organize

Security & Perf. Enhancements

UltimateEnterpriseBusinessHomePremiumHome BasicDifferentiated Feature

*Available separately for free for these SKUs only


New FeaturesUser Account Control Changes

All users run in the context of a standard userStandard users can do moreRegistry and file system Virtualization

Bidirectional firewallBitLocker™

What is it?Who should use it?Recovery/ForensicsSecure Decommissioning

User Interface Changes


User Account ControlMany options are configured via Local Security MMC

Elevation prompt for admins – consent/credentials/no promptElevation prompt for standard users – credentials/no promptInstaller detection on/offAdmin approval mode on/offOnly allow signed/trusted admin apps on/offFile/registry virtualization on/off


Elevation ModelAdministrator Privileges

Standard User Privileges (Default)

AdministratorAccount

Standard UserAccount

Ways to Request ElevationApplication marking

Setup detectionCompatibility fix (shim)Compatibility assistantRun as administrator


Standard Users Can Do MoreView system clock and calendarChange time zoneConfigure secure wireless (WEP/WPA) connectionChange power management settingsCreate and configure a Virtual Private Network connectionAdd printers and other devices that have the required driversinstalled or allowed by group policyDisk defragmentation is a scheduled background process

Shield icons mark what actionsrequire administrative users


Registry and Personal Data Virtualization

Virtualization defaults to On for all standard users Off for administrators

Registry VirtualizationWrites: Redirect per-machine file and registry writes to equivalent per-userlocationsReads: Try the per-user location first, then the global location

Data RedirectionLegacy applications write to administrator locations

HLKM\Software%SystemDrive%\Program Files, etc

Redirection removes need for elevationWrites to HKLM go to HKCU redirected store

HKU->(user SID)_classes->VirtualStoreWrites to system directories redirected to per-user store

(%localappdata%\virtualstore)


Vista FirewallWindows XP SP2 Windows Vista

Direction Inbound Inbound, outboundDefault action Block Configurable for directionPacket types TCP, UDP, some ICMP AllRule types Application, global

ports, ICMP typesMultiple conditions from basic five-tuple to IPsec metadata

Rule actions Block Block, allow, bypass;with rule merge logic

UI and tools Control Panel, netsh C-Panel, more netsh, MMCAPIs Public COM, private C More COM to expose rules, more C

to expose featuresRemotemanagement

none Via hardened RPC interface

Group policy ADM file MMC, netshTerminology Exceptions; profiles Rules; categories=profiles


Trusted Platform Module (TPM)

Smartcard-like module on the motherboardTPM 1.2 offers the following features:

Performs cryptographic functionsRSA, SHA-1, RNGMeets encryption export requirements

Can create, store and manage keysHolds Platform MeasurementsAnchors chain of trust for keys and credentialsProtects itself against attacks


BitLocker™ Features Overview

BitLocker Drive Encryption – Windows VolumeAES-128 or AES-256

Integrity Checking of Windows Boot FilesPre-OS Multi-factor AuthenticationSecure DecommissionSingle Microsoft TPM driverTPM Base Services (TBS)0% - 15% Performance Decrease4 Implementation

USBTPMTPM + PinTPM + USB

22

33

1

StorageStorageRoot KeyRoot Key

Volume Volume Encryption Encryption

KeyKey

BootBoot300MB-1.5GB300MB-1.5GB

WindowsWindowsTPM orUSB Key

Not Encrypted

Encrypted


Who’s BitLocker™ for?“If I wrote Policy!”

REQUIRED:Anyone with Domain/Enterprise Administrator RightsAnyone who touches Confidential DataAnyone using a machine provided for the purpose of telecommuting

STRONGLY RECOMMENDED:Any workstation storing confidential informationAny laptop primarily used by staff who access confidential informationAny system (specifically laptops) containing test scores, course rosters orother information that may identify individual students

OPTIONAL:The desktops and laptops of anyone performing an IT function on campus

Confidential Data: Student Records, SSN’s or PSU-ID, HR / Salary Information, etc.


Recovery/ForensicsRecovery Keys

Can be stored at a specified file locations(USB Key/File Server)

Cannot be stored on the same USB key used to start a machineCan be automatically stored in AD(Windows 2003 SP1 or higher AD Schema Required)Group Policies can control all these settings

ForensicsEverything is encrypted with AES-128 or AES-256You’ll need the recovery keysDon’t implement this technology without having a good recoverykey strategy!


Secure Decommissioning

**************

Nothing

Reformatdrive

Admin wipes drive

Delete keys

Normal Secure DecommissionVs.


User Interface ChangesVista will be confusing because of new GUI

Everything looks and feels like you are running InternetExplorerThe menu is missingFamiliar things like File Explorer, Network Center and ControlPanel are sufficiently different to be disconcertingMouse actions are sometimes not clear as to when mouse-over does something vs mouse hover vs single click vsdouble click

How fast the system functions is directly proportional to howglitzy you want the UI to look

The more glitz, the more confusing at firstGlitzy UI features can be turned off for less powerful machines

We’ll document this in more detail


Some Things Don’t Work YetCisco VPNSymantec Anti-VirusWireless 802.**

Can access unsecuredSome WEP worksDoes not support 802.1x EAP-TTLS

Remember - it’s still Beta Code


Public Beta AvailableWindows Vista Beta 2 has been released.The Public Beta is available for everyone to

download and usehttp://www.microsoft.com/windowsvista/getready

http://www.microsoft.com/windowsvista/getready


Vista Reference SitesMicrosoft Marketing Site:

http://www.microsoft.com/windowsvista/Vista Versions :

http://www.microsoft.com/windowsvista/versions/Interesting Alternate Opinion (Paul Thurrott):

http://www.winsupersite.com/reviews/Where Vista Fails (Paul Thurrott):

http://www.winsupersite.com/reviews/winvista_5308_05.asp

http://www.microsoft.com/windowsvista

http://www.microsoft.com/windowsvista/versions

http://www.winsupersite.com/reviews

http://www.winsupersite.com/reviews/winvista_5308_05.asp

Let’s Take a Tour

windows vista - pennsylvania state university · windows vista a replacement for windows xp a long...

Documents