If you haven’t taken a look at the SystInternal utilities, it is high time that you did. Since mid of last year, Sysinternals is now a part of Microsoft. Anyone in the IT department or even the developers or DBAs should have some of these utilities in their arsenal to help you better manage and diagnose issues with your Windows Systems. Here is the link to the main site:

http://www.microsoft.com/technet/sysinternals/default.mspx

Some of the recent new additions are:

a) Handle v3.30: This utility can be used to display information about the open handles for any process in the system.

b) BgInfo v4.11: This can be used to automatically display relevant information (name, IP address, service pack information etc.) about a Windows PC on the desktop’s background. That way, when you get a help-desk request, you can just ask the user to state what they see on their desktop rather than going through msinfo32.exe or System Summary etc.

c) Process Explorer v11.03: This is my favorite utility - and one that has saved me enormous amount of time. Many a times while installing/un-installing applications on Windows, you would notice that the un-install sometime hangs because some process is holding on the resource. In order to troubleshoot it, you can use this utility to quickly find out which application it is.

d) ZoomIt v1.71: This is a zooming and annotation utility for technical presentations.

e) Process Monitor v1.23: This is an advanced monitoring tool for Windows that shows real time file system, registry and process/thread activity.

There are many others that might be of use to you. So, start playing with these utilities and see which one you can use in your development as well as production environment.

BitLocker is intended to  prevent the theft of data on computers that have either been lost, stolen, or prematurely/improperly discarded. This new security feature is available from Microsoft on the following operating systems: Windows Vista Enterprise and Ultimate, as well as Windows Server Longhorn.

BitLocker utilizes a feature known as a Trusted Platform Module (TPM) to protect system data and ensures that the system was not tampered with while it was offline.  It prevents malicious attackers from successfully running hacker tools in an attempt to either break the system’s file protections or perform offline viewing of data on an unprotected drive.

The two main tasks performed by BitLocker to achieve data protection is full encryption of the hard drive and checking the integrity of boot component upon startup. Drive encryption prevents unauthorized users from access the data stored on the drive, and the integrity checking validates that the protected hard drive is still in the original computer, and ensures that decryption is allowed only if the system appears not to have been tampered with.

BitLocker is a completely integrated part of the Windows Vista operating system , and even includes its own Recovery Console in the event that data needs to be retreived off a failing or failed hard drive.

In addition to the features mentioned above, BitLocker also offers the ability to lock the normal boot process. The boot process is actually interrupted, and the user is prompted to enter a PIN number, which must be entered correctly for the system to boot into the operating system. Bootup can also be protected via an external USB key that  contains a security key which BitLocker validates against while booting the system.

The use of BitLocker is transparent during day-to-day use, and is configured via its own wizard, and can be further configured via a Windows Managment Interface (WMI).

Microsoft has introduced an interesting new tool with the release of Windows Vista - the Windows System Assessment Tool, or WinSAT. This tool rates a computer on a scale of 1 thru 5, with 5 being the highest (or best) possible score. Some of the components WinSAT analyzes include a system’s processor, memory, hard disks, and graphics capabilities. It then uses an algorithm to calculate what is called a system’s ‘Windows System Performance Rating’. This is not merely an average of the performance of the various components. The algorithm provides a much more accurate picture of a system’s performance capabilities than other tools like PerfMon, for example, which is average-based. 

 To better understand this rating system, consider the following scenario: You have a desktop PC with 4 Gig of memory,  but a terribly inferior graphics card. A normal averaging rating system would rank the memory of the machine at a 5, and the graphics card would receive a 1, which would average out to be a 3.  Now, we all know that an operating system like Vista is much more dependent on excellent graphics capabilities than the excessive 4 Gig of memory, so in reality this machine will have terrible performance. In this example, the average rating of 3 is misleading, and not at all indicative as to how the system will actually perform.

So how do you run WinSAT? Go to Control Panel -> System and Maintenance -> Performance Information and Tools. The process will take a few minutes, and once completed the results will be displayed as shown in the screen-shot below:

WinSAT Screenshot

From here you can view and print the details of the report, or learn more about the scores by clicking on the “What do these numbers mean?” link.

In case you’re wondering about the low score of “1″ in the screen-shot, the machine was a VMWare virtual machine with 748MB of memory.

The more you work with Windows Vista, the more you will experience the many popup messages generated by the new User Access Control (UAC) feature.

What is UAC?

UAC is the new Microsoft watchdog that minimizes the amount of privileges a user has while logged in with their profile. Each time an activity is attempted that requires elevated privileges, like installing a piece of 3rd party software or accessing the Group Policy editor for example, a message appears informing the user that “Windows needs your permission to continue”. At this point the user has the option to either Continue or Cancel as shown below:

Can I Disable UAC?

It is safe to assume that 99% of us will always want to continue, and being constantly interrupted by messages that you have to take time to click past can be frustrating and a waste of time. So, this obviously begs the question of whether or not UAC can be disabled. Fortunately the answer is “Yes”.  UAC can be disabled via the User Accounts Control Panel. Simply navigate to Control Panel -> User Accounts, and then click on the User Accounts icon. This brings you to the ‘Make changes to your user account’ screen as shown below:

Then you need to select the bottom option - ‘Turn User Account Control on or off’, ironically, the next thing that you will see is a UAC pop-up message :). Once past the pop-up all that is left is to uncheck the checkbox in the following screen:

Lastly, you will need to reboot the system for the change to take affect….old habits are indeed very hard to break!

Now, the above solution is appropriate for experienced administrators, but not a good idea for the average user. A better option is to use the local security settings provided by the MMC Administrative Tools console. Under Local Policies -> Security Options there are numerous UAC configuration options. For example, administrators can specify that elevated privileges be automatically allowed. This does not turn UAC off completely, but it does prevent a majority of the UAC pop-up messages.

The release of Windows Vista presents a whole new set of challenges for IT administrators and end-users alike. The overall goal of the design and functionality of the operating system is to simplify the user experience, but Microsoft has changed enough of the ‘look and feel’ to make it difficult for seasoned Windows veterans to find their way around initially. In addition, there many new security features bundled with Vista, and it will take some time to become familiar with all of these. There will be many blogs posted here that will address various pieces of the Vista security stack. This initial posting will give a brief overview of some of the new security features, and subsequent entries will explore each in greater detail.

BitLocker

BitLocker encrypts files so that they are rendered unreadable if a laptop or PC is stolen. BitLocker also has built-in logic that prevents files from being encrypted if the system appears to have been stolen or tampered with. Users have the option to lock the boot process with a PIN number or by attaching a USB thumb drive with the key to decrypt files.

Windows Firewall

There are many new features and capabilities in the newest version of Windows Firewall. These have already been addressed in the following blog entry:

http://decipherinfosys.wordpress.com/2007/01/25/enhancements-in-windows-firewall

Network Access Protection

This security feature allows administrators to customize policies that relate to client machines on a shared network. These policies can included certain minimum requirements such as operating system patch levels, firewall settings, and antivirus software to name but a few. If the client machine requesting access does not meet these specified requirements, the machine is either denied network access, or is placed in a ‘quarantined’ area of the network isolated from other machines. Full network access is granted once the client machine has been updated with whatever is required to meet that particular network’s policy requirements.

Software Protection Platform

Microsoft is increasing their efforts to reduce the circulation of pirated copies of their operating system. If Microsoft discovers an illegal copy of Vista, which can be accomplished via something as simple as connecting to Microsoft’s website to download a patch or piece of software, the operating system switches over to a mode of significantly reduced functionality. Most services and features will be rendered inoperable, but basic security functionality, like the ability to download updates, is retained.

‘Forefront’ Security Protection

Forefront is Microsoft’s answer to antivirus and anti-spyware solutions in a all-inclusive package. Forefront is designed to us Active Directory and Windows Server Update services to distribute its security updates and virus definition files. Forefront will offer a number of sub-components that are intended to protect Microsoft applications. Two examples of these sub-components are:

· Forefront Security for Microsoft Exchange

· Forefront Security for Microsoft SharePoint

Forefront is currently still in testing, and is tentatively scheduled to be released later this year.

Vista User Account Control

User Account Control allows for highly granular control over user accounts, reducing the need to grant users Administrator or Power User privileges. Most applications and processes can be run with minimal privileges, but these permissions can be temporarily elevated so that certain administrative tasks and application functions can be performed. Once these have been completed the privileges level will revert back to its original state.

Another feature of User Account Control is that when a task requires elevated privileges, like installing an application, a pop-up box will appear advising the user of the issue and asks if it is okay to proceed. At this point the user can simply click “Allow”, and the task will continue as normal. You can expect to see a large number of these pop-up notifications during the initial installation and configuration of a machine running Vista. There are advantages to this control, the main one being that is that it helps to prevent users from accidentally making changes to their machines. It also helps to mitigate the damage done by malware.

As promised, here is the first of many entries regarding new and improved Windows features found in Microsoft Vista and Longhorn.

Both Windows Vista and Longhorn operating systems come bundled with the latest edition of Windows Firewall. Many of you are familiar with this firewall from Windows XP SP2 and Windows Server 2003 SP1, and the overall look and feel of the new version is quite similar. However, there are a number of enhancements that Microsoft has included to ensure not only better security of the operating system, but also to improve the ease with which the firewall can be managed.

Comprehensive Traffic Filtering

The new Firewall supports comprehensive filtering for both incoming and outgoing traffic, and has the ability to drop not only block traffic that does not correspond to any allowed access rule, but also blocks unsolicited traffic – even if that traffic has been earmarked as allowed or expected. This capability is extremely beneficial since it will help prevent the spread of viruses and worms that spread through unsolicited traffic. The default settings for the Firewall are to block all incoming traffic unless it is solicited or matches an Inbound access rule, and allow all outgoing traffic unless it matches an Outbound access rule.

Integrated Firewall and IPSec Configuration 

In Windows XP SP2 and Windows Server 2003 SP1, Windows Firewall and IPSec settings were configured separately. Since both of these security features can allow or block incoming traffic, it was far too easy to configure overlapping, or even worse contradictory, access rules. The new version of Windows Firewall does away with this by enabling the configuration of both Firewall and IPSec settings through the same GUI and command line commands.

In addition, for inbound and outbound traffic that must have IPSec protection, administrators can specify a list of computer, group, or user accounts that are authorized to initiate such communications.

Multiple Ways to Configure Rules 

The new Windows Firewall allows for rules to be configured any number of ways including but not limited to:

• Rules for source and destination IP addresses can now be configured for both inbound and outbound traffic. You can also specify certain predefined addresses for destination addresses, including DNS, DHCP, and WINS servers, as well as default gateways.
• In addition to creating rules based on TCP and UDP ports, you can now specify other types of traffic that do not use these protocols.
• Rules can be configured for both source and destination TCP and UDP ports
• In the past you could only configure port-based rules by specifying a single TCP or UDP port. The new version of the Firewall still allows single port configuration, but goes a step further by allowing users to also specify a range of ports or all ports.
• Rules can now be configured for certain interfaces, including LAN, wireless, or remote access.

New MMC Snap-In – In the past, Windows Firewall configuration has been limited to a section within Control Panel and some Group Policy settings that have to be accessed via the Group Policy snap-in. The new version can still be administered via Control Panel and Group Policies, but Microsoft has added a separate snap-in called Windows Firewall with Advanced Security. The snap-in has a nice yet simple GUI layout that allows administrators to configure such items as Inbound and Outbound Rules as well as the ability to monitor existing Firewall configurations.