Multiple desktops in Windows 10

Multiple desktops are great for keeping unrelated, ongoing projects organized, or for quickly hiding from the boss that browser game you can't stop playing. To create multiple desktops: 

• On the taskbar, select Task view > New desktop .
• Open the apps you want to use on that desktop.
• To switch between desktops, select Task view again.

Meet the Man Who Keeps Microsoft Safe and Secure

As the chief security officer for Microsoft, Mike Howard has more than a passing interest in the things he sees on the nightly news. Whether it's an uprising in the Middle East, the ongoing threat of terrorism or a natural disaster somewhere in the world, the former CIA officer is prepared for the impact various events could have on his company and its employees.

"Cybersecurity is a big issue on everyone's mind as we've become more globalized as a society and businesses have expanded their footprints and everything is digital," Howard said. "But, traditional security issues of theft, violence against employees, terrorism and natural disasters are all still paramount in terms of being the big security challenges for businesses."

This is especially true when your company is so large and so much in the public eye. Howard's security team is ultimately responsible for the safety and security of Microsoft's entire executive team, its 90,000 employees, roughly 90,000 contractors, 700 facilities in more than 100 countries worldwide and all of the visitors to those facilities. He's also responsible, of course, for all of their computers and hardware and the information it they contain.

The Microsoft security teams deals with threats of violence against executives and employees, employee violence, kidnapping threats, terrorism, natural disasters, property theft and, peripherally, intellectualproperty protection (which also falls under the purview of a separate, cybersecurity group at Microsoft).

Security "evangelist"

In Howard's time at the company, the security team has had to evacuate employees from Beirut and the Ivory Coast, has contracted forensic psychologists to examine threatening letters and regularly provides emailed safety information and warnings to all employees who travel overseas.

But it may be his role as an "evangelist" for the company's physical security business group that looms the largest in Howard's job description. Finding ways to communicate and demonstrate the importance of security — both physical and cyber — to the company's executives is the linchpin of developing a security program that manages to keep such a large and public company running smoothly, he said.

"A lot of [Microsoft's commitment to security] has to do with the evangelizing of security on several fronts within the last decade," Howard said. "My IT securitycounterpart and I have worked diligently to really get the movers and shakers, the decision makers here to understand security and to support those security efforts and the pushing down of that message throughout the enterprise."

Howard believes that his work driving home the importance of both physical and cybersecurity is part of the reason that Microsoft's company culture has come to reflect those values.

"We brief all new corporate vice presidents on security, we bring senior executives to the Global Security Operations Center in Redmond, [Wash.] and show them what technologies we employ to keep the company safe," Howard said. "We're not just guys checking doors and responding to emergencies."

Howard believes that Microsoft has come to understand what many companies never do: That cyber and physical security is integral to the company's overall business, and even its marketing plan.

"Security is important to the entire company," he said. "Intellectual property could be compromised and it can affect the company's brand reputation or lead to lawsuits," Howard said. "This realization led to cultural shift with company becoming more security conscious."

Employee assistance

To facilitate the rollout of solid security plans throughout the company, Howard's team has had to essentially deputize every employee to be the eyes and the ears of the company. Microsoft does that with a formal training program.

"Having a training program in place is essential to any security program," Howard said. "Without it, you don’t have a well-rounded security program. We have a certain amount of full-time employees and vendors to cover Microsoft globally; we could never cover the world adequately without educating and creating awareness programs that teach people what to look for."

Today, regular Microsoft employees are instructed to stop a stranger entering a building and ask to see their badge.

"That never would have happened ten years ago," Howard said.

Howard said that good security also involves working with the company's human resources department, which offers employee assistance programs that can help workers in difficult times and potentially prevent an employee problem from becoming a security threat.

"A robust employee assistance program is very important to security issues," he said. A bad economy, problems at home, even dealing with a sick relative can be things that can trigger security issues at work and having a team in place to help solve those problems can prevent them from ever turning into an incident of violence or theft, he said.

Reference & Courtesy: http://www.ittechnewsdaily.com/153-microsoft-security-officer-keeping-company-safe.html

Microsoft: Financial Services: A Survey of the State of Secure Application Development Processes

The financial services industry is one of the world’s largest industries by monetary value, and an industry which has a direct impact on the lives of billions of people around the world. Organizations in the financial services industry handle trillions of transactions each year involving sensitive information about individuals,companies, and other third parties. To help protect this sensitive information it is important that financial services organizations are developing, procuring, and using software applications that have been developed with security in mind.

Microsoft commissioned an independent research and consultancy firm, The Edison Group, to examine the current state of application development in the financial services sector from a security perspective. Their report – Microsoft Security Development Lifecycle Adoption: Why and How – is available today.

The paper was developed following in-depth interviews with Chief Security Officers and senior executives representing some of the leading banks and financial services companies in the United States. Some highlights from the paper:

• The Edison Group examined the usage of the Microsoft Security Development Lifecycle (SDL) and how it has been integrated into the software design life cycles of financial services companies.
• The study describes the business benefits of using the SDL, along with adoption approaches and integration methods.
• The adoption maturity of the Security Development Lifecycle (SDL) in participating organizations ranged from highly refined through years of implementation, to a brand new adopter about to begin integrating the SDL into the development processes.
• The paper also includes two case studies, one illustrating the use if the SDL in a Microsoft Windows based environment, and one illustrating the adoption of the SDL in an open source development environment.

In addition to these highlights, the Edison Group found that using a software development process, such as the SDL, to help developers build more secure software can also help address security compliance requirements. For example, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) recognized the need for standards around security development processes and developed ISO/IEC 27034-1. This international standard is the first of its kind to focus on the processes and frameworks needed to build a comprehensive software security program. Earlier this year, Microsoft announced through its Declaration of Conformity that Microsoft’s SDL conforms to ISO 27034-1. Organizations using the Microsoft SDL to develop more secure software may already be conformant to the standard.

In the United States financial services sector, many of the largest companies came together in 1996 to form BITS, a division of the Financial Services Roundtable. BITS is an organization that addresses threats and opportunities relevant to the financial services sector, particularly those related to cyber-security. In 2012, the BITS Software Assurance Framework was created to document the importance of secure development practices and to provide guidelines that financial services organizations can use to implement these practices more fully.  The Software Assurance Framework was developed to help financial institutions better follow secure development practices and avoid the risks outlined above.

The Framework is rooted in education, integration of security in design using standards and threat modeling, best practices for coding, focused and comprehensive testing and followed with important implementation and response practices.  The Framework was developed in collaboration with Microsoft, and integrates the Microsoft Security Development Lifecycle at the foundation.

According to Paul Smocer, BITS president, “Building safe software is a necessity, a priority and a complex process for financial institutions.  The BITS Framework offers a practical approach to software security through strong design, implementation and testing processes.”
If you are responsible for the development or procurement of software for companies operating in the financial sector, then I strongly encourage you to check out this new whitepaper and the many free security development resources available at www.microsoft.com/sdl.

Wipe your Deleted Data Away: Using cipher.exe

Administrators can use Cipher.exe to encrypt and decrypt data on drives that use the NTFS file system and to view the encryption status of files and folders from a command prompt. An updated version of the Cipher tool has been released for Windows 2000, and is included with Windows XP. The updated version adds another security option. This new option is the ability to overwrite data that you have deleted so that it cannot be recovered and accessed.

When you delete files or folders, the data is not initially removed from the hard disk. Instead, the space on the disk that was occupied by the deleted data is "deallocated." After it is deallocated, the space is available for use when new data is written to the disk. Until the space is overwritten, it is possible to recover the deleted data by using a low-level disk editor or data-recovery software.

If you create files in plain text and then encrypt them, Encrypting File System (EFS) makes a backup copy of the file so that, if an error occurs during the encryption process, the data is not lost. After the encryption is complete, the backup copy is deleted. As with other deleted files, the data is not completely removed until it has been overwritten. The new version of the Cipher utility is designed to prevent unauthorized recovery of such data.

Most Windows 2000 and XP Professional users are aware of the ability to encrypt data at the file level, using the Encrypting File System (EFS). It’s easy to do through the graphical interface—as easy as checking a checkbox on the Advanced File Attributes property sheet. However, many IT pros aren’t aware that encryption can also be performed at the command line.

The cipher.exe utility is included with Microsoft’s most recent NT-based operating systems. It allows you to do the same tasks—encrypt and decrypt—that you can do through the GUI, but also allows you to do much more—all through the command line. Administrators and power users can take advantage of the cipher tool’s power to gather encryption information and more quickly perform encryption tasks.

This Daily Drill Down will introduce you to the cipher tool and walk you through the steps of using its various switches.

Why a command line encryption tool?
What’s the need for a command line encryption tool if it’s so easy to encrypt and decrypt files using the GUI (other than the fact that some of us just like the character-based interface)? While encryption and decryption are easy attributes to set through a file or folder’s property sheet, there are other encryption-related tasks that are difficult (or impossible) to accomplish through the GUI.

For example, what if a user wants to create a new file encryption key? You might think you could generate a new key pair by requesting a new EFS certificate. You would do this by invoking the Certificate Request Wizard via the Certificates MMC (if you’re in an Active Directory domain) or via the certification authority’s Web page. But the problem with this method is that the file encryption key that is generated by EFS is wrapped with the user’s public key during the encryption process. As a workaround, the cipher tool allows you to create a new encryption key by typing cipher /k.

What if you want to encrypt files that are already encrypted? There’s no way to do that through the graphical interface; you must first decrypt the file before you’re allowed to change its attribute back to encrypted. With the cipher tool, you can force encryption on all files and folders, including those that are already encrypted.

---

Tip
The original version of cipher.exe that was released with Windows 2000 does not include the data overwrite function. This was added in a version of the cipher tool that Microsoft released in June 2001 (and included in Windows 2000 SP3). The drive-wiping function is included in the cipher tool that comes with Windows XP.

---

The cipher.exe command is an external command that is available in the below Microsoft operating systems.

Windows 2000
Windows XP
Windows Vista
Windows 7

Syntax

Displays or alters the encryption of directories [files] on NTFS partitions.

CIPHER [/E | /D] [/S:dir] [/A] [/I] [/F] [/Q] [/H] [/K] [pathname [...]]

CIPHER /W:directory

CIPHER /X[:efsfile] [filename]

/E	Encrypts the specified directories. Directories will be marked so that files added afterward will be encrypted.
/D	Decrypts the specified directories. Directories will be marked so that files added afterward will not be encrypted.
/S	Performs the specified operation on directories in the given directory and all subdirectories.
/A	Operation for files as well as directories. The encrypted file could become decrypted when it is modified if the parent directory is not encrypted. It is recommended that you encrypt the file and the parent directory.
/I	Continues performing the specified operation even after errors have occurred. By default, CIPHER stops when an error is encountered.
/F	Forces the encryption operation on all specified objects, even those that are already encrypted. Already-encrypted objects are skipped by default.
/Q	Reports only the most essential information.
/H	Displays files with the hidden or system attributes. These files are omitted by default.
/K	Create new file encryption key for the user running CIPHER. If this option is chosen, all the other options will be ignored.
/W	Removes data from available unused disk space on the entire volume. If this option is chosen, all other options are ignored. The directory specified can be anywhere in a local volume. If it is a mount point or points to a directory in another volume, the data on that volume will be removed.
/X	Backup EFS certificate and keys into file filename. If efsfile is provided, the current user's certificate(s) used to encrypt the file will be backed up. Otherwise, the user's current EFS certificate and keys will be backed up.
dir	A directory path.
pathname	Specifies a pattern, file or directory.
efsfile	An encrypted file path.

Used without parameters, CIPHER displays the encryption state of the current directory and any files it contains. You may use multiple directory names and wildcards. You must put spaces between multiple parameters.

To overwrite deleted data on a volume by using Cipher.exe, use the /w switch with the cipher command. Use the following steps:

1. Quit all programs.
2. Click Start, click Run, type cmd, and then press ENTER.
3. Type cipher /w:driveletter:\foldername, and then press ENTER. Specify the drive and the folder that identifies the volume that contains the deleted data that you want to overwrite. Data that is not allocated to files or folders will be overwritten. This permanently removes the data. This can take a long time if you are overwriting a large space.

   The /w switch is used to overwrite data in unallocated space on the disk.

   Note With mount points in Windows 2000, you can mount a volume on any empty folder on an NTFS volume. When you do this, the mounted volume does not have a drive letter of its own. The only way to address that volume is by using the path where you created the mount point. Therefore, the /w switch requests a path of a folder, and from that, it determines the associated volume to wipe. Because of the way the file system works, the whole volume must be wiped. A file can be written anywhere on the volume at any time. A folder does not address a specific physical location on disk but is a logical container for file entries in the volume's table of contents (MFT or FAT). To make sure that there is no leftover data in unallocated space, all unallocated space on the volume must be wiped.

For more details, look into following links:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/cipher.mspx?mfr=true

http://support.microsoft.com/kb/315672

http://www.computerhope.com/cipher.htm

http://www.techrepublic.com/article/use-cipherexe-for-command-line-encryption/5030732

http://www.windowsecurity.com/articles/using-cipherexe.html

Windows Optimized Desktop

The Windows Optimized Desktop offers client computing choices to enhance user productivity while meeting specific business and IT needs. Built on the Windows 7 Enterprise operating system, managed by Microsoft System Center, and secured by Microsoft Forefront Endpoint Protection, the Windows Optimized Desktop includes virtualization technologies with integrated management across physical and virtual machines (VMs), including virtual desktop infrastructures. Add Microsoft Office 2010, Windows Internet Explorer 9, and the Microsoft Desktop Optimization Pack (MDOP) to enable a workforce that is more productive, manageable, and secure.

This section focuses on specific technologies in the Windows Optimized Desktop that can help IT embrace consumerization on rich devices running Windows 7. These technologies can address challenges such as managing applications and user data, safeguarding data, defending the network, and protecting intellectual property in consumerization scenarios.

Application Management

In consumerization scenarios, application management is about provisioning applications and controlling which applications users can run on their computers. System Center Configuration Manager 2007 and Microsoft Application Virtualization (App-V) are key deployment technologies. Additionally, AppLocker is a Windows 7 Enterprise feature that you can use to control access to applications.

Configuration Manager provides a rich set of tools and resources that you can use to manage the complex task of creating, modifying, and distributing application packages to computers in your enterprise. Deploying applications by using an existing Configuration Manager infrastructure is remarkably straightforward. Administrator Workflows for Software Distribution on TechNet describes this process in detail:

1. Create a software distribution package containing the application installation files.
2. Create a program to include in the package. Among other options, the program defines the command necessary to install the application package.
3. Distribute the package to distribution points.
4. Advertise the package to computers in your organization.

Organizations using System Center Essentials can also use it to distribute applications. For more information about Essentials, see System Center Essentials. Technical guidance for deploying applications is available in the System Center Essentials 2010 Operations Guide.

To control access to physical or virtual applications, Windows 7 Enterprise offers AppLocker. AppLocker is a new feature that replaces the Software Restriction Policies feature in earlier Windows versions. It adds capabilities that reduce administrative overhead and help you control users’ access to program files, scripts, and Windows Installer files. By using AppLocker to control access to physical applications, you can prevent unlicensed, malicious, and unauthorized applications from running.

To use AppLocker, you create a Group Policy Object (GPO) and then define AppLocker rules inside it. Within a rule, you can allow or deny access to a program file, script, or Windows Installer file for a specific user or group. You identify the file based on file attributes—including the publisher, product name, file name, and file version—from the digital signature. For example, you can create rules based on product-name and file-version attributes that persist through updates, or you can create rules that target a specific version of a file. In addition to allowing or denying access to a file, you can define exceptions. For example, you can create a rule that allows all programs which ship as part of Windows 7 to run except for the Registry Editor (regedit.exe).

AppLocker is surprisingly easy to configure and deploy. It provides wizards that make defining rules for program files, scripts, and Windows Installer files straightforward. However, because AppLocker prevents users from opening or running files that are not defined explicitly in a rule, you should plan your AppLocker deployment after examining an inventory of applications used in your environment. More information about AppLocker is available in AppLocker on TechNet.

User State Virtualization

A specific challenge to embracing consumerization is people working on more than one computer. This scenario can be painful for both end users and IT pros. Users’ files and settings do not follow them when they roam from computer to computer. If a user creates a document on his or her work computer, for example, that document isn’t immediately available when he or she logs on to a slate or through a VM accessed by a non-Windows PC. For IT, decentralized storage of files and settings leads to even more challenges. Files are difficult to back up. They’re difficult to secure. And because they’re scattered across many PCs, availability of important files is difficult to manage.

User state virtualization addresses these challenges. It centralizes storage of users’ files and settings to make backing up and securing them easier. Managing the availability of important files is possible. Also, user-state virtualization enables users’ files and settings to follow them from PC to PC and even to VMs. In Windows 7, three technologies support user state virtualization:

• Roaming user profiles give you the ability to store user profiles (i.e., files stored in C:\Users\Username, including the registry hive file) in a network share. Windows 7 synchronizes the local and remote user profiles when users log on to and off of the computer. For more information, see What's New in Folder Redirection and User Profiles.
• Folder Redirection redirects folders such as Documents, Pictures, and Videos from a user profile to a network share. Redirecting folders reduces the size of roaming user profiles and can improve logon and logoff performance. You configure Folder Redirection by using Group Policy. The important distinction between roaming user profiles and Folder Redirection is that you use roaming user profiles primarily for settings and Folder Redirection for documents. For more information, see What's New in Folder Redirection and User Profiles.
• Offline Files, a feature enabled by default in Windows 7, provide the ability to work with redirected folders and other shared network content when disconnected from the network by caching copies locally. Offline Files synchronizes changes the next time a connection is available. For more information, see What's New in Offline Files.

The Infrastructure Planning and Design: Windows User State Virtualization guide can help you implement user state virtualization.

Local Data Security

BitLocker Drive Encryption is an integral security feature in Windows 7 Enterprise that helps protect data stored on fixed drives and the operating system drive. BitLocker helps protect against offline attacks, which are attacks made by disabling or circumventing the installed operating system or by physically removing the hard drive to attack the data separately. BitLocker helps ensure that users can read the data on the drive and write data to the drive only when they have either the required password, smart card credentials, or are using the data drive on a BitLocker-protected computer that has the proper keys.

BitLocker protection on operating system drives supports two-factor authentication by using a Trusted Platform Module (TPM) along with a personal identification number (PIN) or startup key as well as single-factor authentication by storing a key on a USB flash drive or just using the TPM. Using BitLocker with a TPM provides enhanced data protection and helps assure early boot component integrity. This option requires that the computer have a compatible TPM microchip and BIOS:

• A compatible TPM is defined as a version 1.2 TPM.
• A compatible BIOS must support the TPM and the Static Root of Trust Measurement as defined by the Trusted Computing Group. For more information about TPM specifications, visit the TPM Specifications section of theTrusted Computing Group Web site.

The TPM interacts with BitLocker operating system drive protection to help provide protection at system startup. This is not visible to the user, and the user logon experience is unchanged. However, if the startup information has changed, BitLocker will enter recovery mode, and the user will need a recovery password or recovery key to regain access to the data.

The BitLocker Drive Encryption Deployment Guide for Windows 7 provides detailed guidance for deploying BitLocker. Additionally, numerous Group Policy settings are available for managing BitLocker. You can learn about these in theBitLocker Group Policy Reference. You can provision BitLocker during deployment by using the Microsoft Deployment Toolkit (MDT) 2010 or Configuration Manager. For more information, see the MDT 2010 documentation.

Windows 7 Home Premium and Windows 7 Professional do not include BitLocker. If you allow employees to use devices that are running these operating systems, you can use the Encrypting File System (EFS) to help protect corporate data on these computers. However, EFS does not provide full-volume encryption, as BitLocker does. Instead, users choose the folders and files they want to encrypt. For more information about EFS in Windows 7, see The Encrypting File System.

Note: Users who are running Windows 7 Home Premium or Windows 7 Professional can use Windows Anytime Upgrade to upgrade to Windows 7 Ultimate for a charge. Doing so would provide BitLocker. For more information about Windows Anytime Upgrade, see Windows Anytime Upgrade.

Removable Storage

In Windows 7 Enterprise, BitLocker To Go extends BitLocker to portable drives, such as USB flash drives. Users can encrypt portable drives by using a password or smart card. Authorized users can view the information on any PC that runs Windows 7, Windows Vista, or Windows XP by using the BitLocker To Go Reader. Also, by using Group Policy, you can require data protection for writing to any removable storage device but can enable unprotected storage devices to be used in read-only mode.

The BitLocker Drive Encryption Deployment Guide for Windows 7 provides detailed guidance for using BitLocker To Go. Additionally, numerous Group Policy settings are available for managing BitLocker To Go, which the BitLocker Group Policy Reference describes.

Backups

The Windows 7 Backup and Restore feature creates safety copies of users’ most important personal files. They can let Windows choose what to back up or pick individual folders, libraries, and drives to back up—on whatever schedule works best for them. Windows supports backing up to another drive or a DVD. Windows 7 Professional, Windows 7 Ultimate, and Windows 7 Enterprise also support backing up files to a network location.

Whereas Windows 7 provides a built-in backup feature that users can use on their own devices, System Center Data Protection Manager (DPM) 2010 enables an organization to create a two-tiered backup solution that combines the convenience and reliability of disk for short-term backup—where most recovery requests are concentrated—with the security of tape or other removable medium for long-term archiving. This two-tiered system helps to alleviate the problems associated with tape backup solutions while still allowing for the maintenance of long-term off-site archives.

Important to consumerization scenarios, DPM 2010 adds support for protecting client computers, such as laptop computers and slates, which are not always connected to the network. Additionally, users can recover their own data without waiting for the backup administrator. You can learn more about DPM 2010 at System Center Data Protection Manager 2010.

Network Access

Forefront Unified Access Gateway (UAG) provides remote client endpoints with access to corporate applications, networks, and internal resources via a Web site. Client endpoints include not only computers running Windows but also other non-Windows devices. It supports the following scenarios:

• Forefront UAG as a publishing server. You can configure Forefront UAG to publish corporate applications and resources, and enable remote users to access those applications in a controlled manner from a diverse range of endpoints and locations.
• Forefront UAG as a DirectAccess server. You can configure Forefront UAG as a DirectAccess server, extending the benefits of DirectAccess across your infrastructure to enhance scalability and simplify deployment and ongoing management. Forefront UAG DirectAccess provides a seamless connection experience to your internal network for users who have Internet access. Requests for internal resources are securely directed to the internal network without requiring a VPN connection.
• Single and multiple server deployment. You can configure a single server as a publishing server and as a Forefront UAG DirectAccess server, or deploy an array of multiple servers for scalability and high availability.

Infrastructure Planning and Design: Forefront Unified Access Gateway on TechNet provides guidance for designing a Forefront UAG deployment. Additional detailed technical guidance is available in Forefront Unified Access Gateway (UAG)on TechNet.

Network Security

Network Access Protection (NAP) includes client and server components that allow you to create and enforce health requirement policies that define the required software and system configurations for computers that connect to your network. NAP enforces health requirements by inspecting and assessing the health of client computers, limiting network access when client computers are noncompliant, and remediating noncompliant client computers for unlimited network access. NAP enforces health requirements on client computers that are attempting to connect to a network. NAP can also provide ongoing health compliance enforcement while a compliant client computer is connected to a network.

NAP enforcement occurs at the moment client computers attempt to access the network through network access servers, such as a virtual private network (VPN) server running Routing and Remote Access (RRAS), or when clients attempt to communicate with other network resources. The way in which NAP is enforced depends on the enforcement method you choose. NAP enforces health requirements for the following:

• Internet Protocol security (IPsec)-protected communications
• Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated connections
• VPN connections
• Dynamic Host Configuration Protocol (DHCP) configuration
• Terminal Services Gateway (TS Gateway) connections

The Network Access Protection Design Guide can help you design a NAP deployment. The Network Access Protection Deployment Guide provides detailed technical guidance for the above scenarios.

In Configuration Manager, NAP lets you include software updates in your system health requirements. Configuration Manager NAP policies define which software updates to include, and a Configuration Manager System Health Validator point passes the client's compliant or non-compliant health state to the Network Policy Server (NPS). The NPS then determines whether the client has full or restricted network access, and whether non-compliant clients will be brought into compliance through remediation. For more information about NAP in Configuration Manager, see Network Access Protection in Configuration Manager.

Information Protection

In addition to securing local data and network access, protecting access to business information—such as intellectual property—is an important consideration if you're embracing consumerization. Two technologies are available for protecting this information:

• Rights Management Services. By using Active Directory Rights Management Services (AD RMS) and the AD RMS client, you can augment your organization's security strategy by protecting information through persistent usage policies, which remain with the information, no matter where it is moved. You can use AD RMS to help prevent sensitive information—such as financial reports, product specifications, customer data, and confidential e-mail messages—from intentionally or accidentally getting into the wrong hands. Microsoft Exchange Server 2010 and Microsoft Office SharePoint Server 2010 are examples of applications that integrate with AD RMS. You can learn more about AD RMS at Active Directory Rights Management Services.
• File Classification Infrastructure. To reduce the cost and risk associated with this type of data management, the File Classification Infrastructure in Windows Server 2008 R2 offers a platform that allows you to classify files and apply policies based on that classification. The storage layout is unaffected by data-management requirements, and you can adapt more easily to a changing business and regulatory environment. Files can be classified in a variety of ways. Additionally, you can specify file-management policies, based on a file’s classification, and automatically apply corporate requirements for managing data, based on business value. You can easily modify the policies and use tools that support classification to manage their files. For example, you can automatically manage the rights to files that contain the word confidential. To learn more about the File Classification Infrastructure, see Working with File Classification.

Microsoft Technologies for Consumerization

The workplace is changing. The boundaries between peoples’ professional and personal lives are blurring. Work is no longer confined to the office. Employees check work email at home during the night and update their social media at the office during the day. In addition to their desktop computers, they're using portable computers, slates, and smartphones.

Contributing to this trend is the increasing computing power that’s available on a wide range of devices. Consumer devices, including smartphones and media tablets, are becoming powerful enough to run applications that were previously restricted to desktop and portable computers. For many workers, these devices represent the future of computing and help them do their job more efficiently.

In a world in which highly managed information technology (IT) infrastructures can seem inflexible, workers prefer to use the many consumer devices available to them. For IT, the challenge is to embrace consumerization as appropriate while minimizing risks to the enterprise and its data. Many consumer devices were not initially designed for business use, so IT must plan carefully to enable the level of management and control they require.

As a leader in business and consumer technologies, Microsoft is in a unique position to understand and provide guidance on how to responsibly embrace consumerization within enterprises. In a previous white paper, Strategies for Embracing Consumerization, you'll find specific strategies for embracing the latest consumerization trends. This article explores specific technologies that the aforementioned white paper recommends in its various scenarios.

In this article:

• Windows Optimized Desktop
• Windows Cloud Services
• Microsoft Application Virtualization
• Virtual Desktop Infrastructure
• Choosing the Right Technologies
• Smartphones and Mobile OS Support
• Conclusion

Using Batch Files to Automate Networking Tasks - PART3

How to Restart Services On All Domain Controllers Within a Domain

To restart service on all domain controllers within a domain, perform the following steps: 

1. Create the Restart.bat and Restart2.bat files listed below.
2. Run the Restart.bat Service Name from a computer running Windows NT using administrator privileges. The Restart.bat file issues the Windows NT Resource Kit utility NETDOM to create a file called Netdom.txt. The Netdom.txt file gets parsed using the FOR command (part of Windows NT command extensions). Each \\DomainControllerName gets passed to the Restart2.bat file where the Windows NT Resource Kit utility NETSVC command gets issued to stop and start the Service Name entered at the command prompt.

Filename: RESTART.BAT 

echo off
cls
if (%1)==() goto NoParams
netdom bdc > netdom.txt
for /F "skip=6 tokens=4" %%a in (netdom.txt) do call restart2.bat
%%a %1
echo ---------
echo - Done! -
echo ---------
goto bottom
:NoParams
echo usage: RESTART "Service Name"
echo.
echo. i.e.- RESTART "License Logging Service"
echo.
:bottom
    

Filename: RESTART2.BAT 

echo Restarting %2 on %1
netsvc %2 %1 /stop
netsvc %2 %1 /start
echo.
  

Using Batch Files to Automate Networking Tasks - PART2

How to Add Files to Many Users' Home Directories

To add files to many users' home directories, perform the following steps: 

1. Create the Addfile.bat and Addfile2.bat files listed below.
2. Run Addfile.bat <Parent Directory> <File to Add> with administrative privileges from a computer running Windows NT. The Addfile.bat file simply issues a DIR command and redirects the output to a file, which in turn gets parsed using the FOR command (part of Windows NT command extensions). The Addfile2.bat file gets called once for each directory name listed in the Dir.txt file. The Addfile2.bat file issues a copy command to copy the file to each user directories.

Filename: ADDFILE.BAT

v
echo off
cls
IF (%1)==() GOTO NoParams
IF (%2)==() GOTO NoParams
Echo Creating directory listing...
dir %1 > dir.txt
for /F "skip=7 tokens=4" %%a in (dir.txt) do call addfile2.bat %%a
%1 %2
echo ---------
echo - Done! -
echo ---------
GOTO Bottom
:NoParams
ECHO usage: ADDFILE [Parent Directory] [File to Add]
ECHO.
ECHO  i.e.- ADDFILE C:\PROFILES MyFile.lnk
ECHO.
:Bottom
    

Filename: ADDFILE2.BAT 

if (%1)==() goto bottom
if (%1)==(bytes) goto bottom
copy %3 %2\%1
:bottom