This section focuses on specific technologies in the Windows Optimized Desktop that can help IT embrace consumerization on rich devices running Windows 7. These technologies can address challenges such as managing applications and user data, safeguarding data, defending the network, and protecting intellectual property in consumerization scenarios.
Application Management
Configuration Manager provides a rich set of tools and resources that you can use to manage the complex task of creating, modifying, and distributing application packages to computers in your enterprise. Deploying applications by using an existing Configuration Manager infrastructure is remarkably straightforward. Administrator Workflows for Software Distribution on TechNet describes this process in detail:
- Create a software distribution package containing the application installation files.
- Create a program to include in the package. Among other options, the program defines the command necessary to install the application package.
- Distribute the package to distribution points.
- Advertise the package to computers in your organization.
To control access to physical or virtual applications, Windows 7 Enterprise offers AppLocker. AppLocker is a new feature that replaces the Software Restriction Policies feature in earlier Windows versions. It adds capabilities that reduce administrative overhead and help you control users’ access to program files, scripts, and Windows Installer files. By using AppLocker to control access to physical applications, you can prevent unlicensed, malicious, and unauthorized applications from running.
To use AppLocker, you create a Group Policy Object (GPO) and then define AppLocker rules inside it. Within a rule, you can allow or deny access to a program file, script, or Windows Installer file for a specific user or group. You identify the file based on file attributes—including the publisher, product name, file name, and file version—from the digital signature. For example, you can create rules based on product-name and file-version attributes that persist through updates, or you can create rules that target a specific version of a file. In addition to allowing or denying access to a file, you can define exceptions. For example, you can create a rule that allows all programs which ship as part of Windows 7 to run except for the Registry Editor (regedit.exe).
AppLocker is surprisingly easy to configure and deploy. It provides wizards that make defining rules for program files, scripts, and Windows Installer files straightforward. However, because AppLocker prevents users from opening or running files that are not defined explicitly in a rule, you should plan your AppLocker deployment after examining an inventory of applications used in your environment. More information about AppLocker is available in AppLocker on TechNet.
User State Virtualization
User state virtualization addresses these challenges. It centralizes storage of users’ files and settings to make backing up and securing them easier. Managing the availability of important files is possible. Also, user-state virtualization enables users’ files and settings to follow them from PC to PC and even to VMs. In Windows 7, three technologies support user state virtualization:
- Roaming user profiles give you the ability to store user profiles (i.e., files stored in C:\Users\Username, including the registry hive file) in a network share. Windows 7 synchronizes the local and remote user profiles when users log on to and off of the computer. For more information, see What's New in Folder Redirection and User Profiles.
- Folder Redirection redirects folders such as Documents, Pictures, and Videos from a user profile to a network share. Redirecting folders reduces the size of roaming user profiles and can improve logon and logoff performance. You configure Folder Redirection by using Group Policy. The important distinction between roaming user profiles and Folder Redirection is that you use roaming user profiles primarily for settings and Folder Redirection for documents. For more information, see What's New in Folder Redirection and User Profiles.
- Offline Files, a feature enabled by default in Windows 7, provide the ability to work with redirected folders and other shared network content when disconnected from the network by caching copies locally. Offline Files synchronizes changes the next time a connection is available. For more information, see What's New in Offline Files.
Local Data Security
BitLocker protection on operating system drives supports two-factor authentication by using a Trusted Platform Module (TPM) along with a personal identification number (PIN) or startup key as well as single-factor authentication by storing a key on a USB flash drive or just using the TPM. Using BitLocker with a TPM provides enhanced data protection and helps assure early boot component integrity. This option requires that the computer have a compatible TPM microchip and BIOS:
- A compatible TPM is defined as a version 1.2 TPM.
- A compatible BIOS must support the TPM and the Static Root of Trust Measurement as defined by the Trusted Computing Group. For more information about TPM specifications, visit the TPM Specifications section of theTrusted Computing Group Web site.
The BitLocker Drive Encryption Deployment Guide for Windows 7 provides detailed guidance for deploying BitLocker. Additionally, numerous Group Policy settings are available for managing BitLocker. You can learn about these in theBitLocker Group Policy Reference. You can provision BitLocker during deployment by using the Microsoft Deployment Toolkit (MDT) 2010 or Configuration Manager. For more information, see the MDT 2010 documentation.
Windows 7 Home Premium and Windows 7 Professional do not include BitLocker. If you allow employees to use devices that are running these operating systems, you can use the Encrypting File System (EFS) to help protect corporate data on these computers. However, EFS does not provide full-volume encryption, as BitLocker does. Instead, users choose the folders and files they want to encrypt. For more information about EFS in Windows 7, see The Encrypting File System.
Note: Users who are running Windows 7 Home Premium or Windows 7 Professional can use Windows Anytime Upgrade to upgrade to Windows 7 Ultimate for a charge. Doing so would provide BitLocker. For more information about Windows Anytime Upgrade, see Windows Anytime Upgrade.
Removable Storage
The BitLocker Drive Encryption Deployment Guide for Windows 7 provides detailed guidance for using BitLocker To Go. Additionally, numerous Group Policy settings are available for managing BitLocker To Go, which the BitLocker Group Policy Reference describes.
Backups
Whereas Windows 7 provides a built-in backup feature that users can use on their own devices, System Center Data Protection Manager (DPM) 2010 enables an organization to create a two-tiered backup solution that combines the convenience and reliability of disk for short-term backup—where most recovery requests are concentrated—with the security of tape or other removable medium for long-term archiving. This two-tiered system helps to alleviate the problems associated with tape backup solutions while still allowing for the maintenance of long-term off-site archives.
Important to consumerization scenarios, DPM 2010 adds support for protecting client computers, such as laptop computers and slates, which are not always connected to the network. Additionally, users can recover their own data without waiting for the backup administrator. You can learn more about DPM 2010 at System Center Data Protection Manager 2010.
Network Access
- Forefront UAG as a publishing server. You can configure Forefront UAG to publish corporate applications and resources, and enable remote users to access those applications in a controlled manner from a diverse range of endpoints and locations.
- Forefront UAG as a DirectAccess server. You can configure Forefront UAG as a DirectAccess server, extending the benefits of DirectAccess across your infrastructure to enhance scalability and simplify deployment and ongoing management. Forefront UAG DirectAccess provides a seamless connection experience to your internal network for users who have Internet access. Requests for internal resources are securely directed to the internal network without requiring a VPN connection.
- Single and multiple server deployment. You can configure a single server as a publishing server and as a Forefront UAG DirectAccess server, or deploy an array of multiple servers for scalability and high availability.
Network Security
NAP enforcement occurs at the moment client computers attempt to access the network through network access servers, such as a virtual private network (VPN) server running Routing and Remote Access (RRAS), or when clients attempt to communicate with other network resources. The way in which NAP is enforced depends on the enforcement method you choose. NAP enforces health requirements for the following:
- Internet Protocol security (IPsec)-protected communications
- Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated connections
- VPN connections
- Dynamic Host Configuration Protocol (DHCP) configuration
- Terminal Services Gateway (TS Gateway) connections
In Configuration Manager, NAP lets you include software updates in your system health requirements. Configuration Manager NAP policies define which software updates to include, and a Configuration Manager System Health Validator point passes the client's compliant or non-compliant health state to the Network Policy Server (NPS). The NPS then determines whether the client has full or restricted network access, and whether non-compliant clients will be brought into compliance through remediation. For more information about NAP in Configuration Manager, see Network Access Protection in Configuration Manager.
Information Protection
- Rights Management Services. By using Active Directory Rights Management Services (AD RMS) and the AD RMS client, you can augment your organization's security strategy by protecting information through persistent usage policies, which remain with the information, no matter where it is moved. You can use AD RMS to help prevent sensitive information—such as financial reports, product specifications, customer data, and confidential e-mail messages—from intentionally or accidentally getting into the wrong hands. Microsoft Exchange Server 2010 and Microsoft Office SharePoint Server 2010 are examples of applications that integrate with AD RMS. You can learn more about AD RMS at Active Directory Rights Management Services.
- File Classification Infrastructure. To reduce the cost and risk associated with this type of data management, the File Classification Infrastructure in Windows Server 2008 R2 offers a platform that allows you to classify files and apply policies based on that classification. The storage layout is unaffected by data-management requirements, and you can adapt more easily to a changing business and regulatory environment. Files can be classified in a variety of ways. Additionally, you can specify file-management policies, based on a file’s classification, and automatically apply corporate requirements for managing data, based on business value. You can easily modify the policies and use tools that support classification to manage their files. For example, you can automatically manage the rights to files that contain the word confidential. To learn more about the File Classification Infrastructure, see Working with File Classification.