
Thursday, May 31, 2012

Windows Optimized Desktop



The Windows Optimized Desktop offers client computing choices to enhance user productivity while meeting specific business and IT needs. Built on the Windows 7 Enterprise operating system, managed by Microsoft System Center, and secured by Microsoft Forefront Endpoint Protection, the Windows Optimized Desktop includes virtualization technologies with integrated management across physical and virtual machines (VMs), including virtual desktop infrastructures. Add Microsoft Office 2010, Windows Internet Explorer 9, and the Microsoft Desktop Optimization Pack (MDOP) to enable a workforce that is more productive, manageable, and secure.

This section focuses on specific technologies in the Windows Optimized Desktop that can help IT embrace consumerization on rich devices running Windows 7. These technologies can address challenges such as managing applications and user data, safeguarding data, defending the network, and protecting intellectual property in consumerization scenarios.

Application Management

In consumerization scenarios, application management is about provisioning applications and controlling which applications users can run on their computers. System Center Configuration Manager 2007 and Microsoft Application Virtualization (App-V) are key deployment technologies. Additionally, AppLocker is a Windows 7 Enterprise feature that you can use to control access to applications.

Configuration Manager provides a rich set of tools and resources that you can use to manage the complex task of creating, modifying, and distributing application packages to computers in your enterprise. Deploying applications by using an existing Configuration Manager infrastructure is remarkably straightforward. Administrator Workflows for Software Distribution on TechNet describes this process in detail:
  1. Create a software distribution package containing the application installation files.
  2. Create a program to include in the package. Among other options, the program defines the command necessary to install the application package.
  3. Distribute the package to distribution points.
  4. Advertise the package to computers in your organization.
Organizations using System Center Essentials can also use it to distribute applications. For more information about Essentials, see System Center Essentials. Technical guidance for deploying applications is available in the System Center Essentials 2010 Operations Guide.

To control access to physical or virtual applications, Windows 7 Enterprise offers AppLocker. AppLocker is a new feature that replaces the Software Restriction Policies feature in earlier Windows versions. It adds capabilities that reduce administrative overhead and help you control users’ access to program files, scripts, and Windows Installer files. By using AppLocker to control access to physical applications, you can prevent unlicensed, malicious, and unauthorized applications from running.

To use AppLocker, you create a Group Policy Object (GPO) and then define AppLocker rules inside it. Within a rule, you can allow or deny access to a program file, script, or Windows Installer file for a specific user or group. You identify the file based on file attributes—including the publisher, product name, file name, and file version—from the digital signature. For example, you can create rules based on product-name and file-version attributes that persist through updates, or you can create rules that target a specific version of a file. In addition to allowing or denying access to a file, you can define exceptions. For example, you can create a rule that allows all programs which ship as part of Windows 7 to run except for the Registry Editor (regedit.exe).

AppLocker is surprisingly easy to configure and deploy. It provides wizards that make defining rules for program files, scripts, and Windows Installer files straightforward. However, because AppLocker prevents users from opening or running files that are not defined explicitly in a rule, you should plan your AppLocker deployment after examining an inventory of applications used in your environment. More information about AppLocker is available in AppLocker on TechNet.
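The rule semantics described above (publisher attributes from the signature, allow or deny for a user or group, version-and-above matching that persists through updates, exceptions, and the blocking of any file no rule covers) can be illustrated with a small evaluator. The following is an added example written for this page, not AppLocker's own code or Microsoft's; the publisher strings, product names, group names and file versions are constructed sample data, and the precedence it encodes (explicit deny beats allow, a file matching no allow rule is blocked) is what the paragraph states.

```python
"""Model of AppLocker publisher-rule evaluation (added illustration, not AppLocker code).

Assumptions: publisher strings are simplified, and precedence follows the text:
an explicit Deny beats an Allow, exceptions carve files out of a rule, and a file
that no rule covers is blocked.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class SignedFile:
    """Attributes AppLocker reads from a file's digital signature (constructed sample data)."""
    file_name: str
    publisher: str          # "" for an unsigned file
    product: str
    version: Version


@dataclass
class PublisherRule:
    action: str                     # "Allow" or "Deny"
    group: str                      # user or group the rule is scoped to
    publisher: str
    product: str = "*"              # "*" matches any product from that publisher
    file_name: str = "*"
    min_version: Version = (0,)     # "this version and above", so the rule survives updates
    exceptions: List[str] = field(default_factory=list)   # file names excluded from the rule

    def matches(self, f: SignedFile) -> bool:
        """A publisher rule only matches a signed file whose attributes line up."""
        if not f.publisher or f.publisher != self.publisher:
            return False
        if self.product != "*" and f.product != self.product:
            return False
        if self.file_name != "*" and f.file_name.lower() != self.file_name.lower():
            return False
        if f.version < self.min_version:
            return False
        return f.file_name.lower() not in {e.lower() for e in self.exceptions}


def evaluate(rules: List[PublisherRule], f: SignedFile, user_groups: List[str]) -> Tuple[str, str]:
    """Return (decision, reason) for one file run by a user who is in the given groups."""
    applicable = [r for r in rules if r.group in user_groups and r.matches(f)]
    if any(r.action == "Deny" for r in applicable):
        return "Deny", "explicit deny rule"
    if any(r.action == "Allow" for r in applicable):
        return "Allow", "allow rule matched"
    return "Deny", "no rule covers this file (implicit deny)"


WINDOWS_PUBLISHER = "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"   # simplified sample
CONTOSO_PUBLISHER = "O=CONTOSO LTD, C=US"                                        # constructed sample

SAMPLE_RULES = [
    # Allow everything that ships as part of Windows, except the Registry Editor.
    PublisherRule("Allow", "Everyone", WINDOWS_PUBLISHER,
                  product="MICROSOFT WINDOWS OPERATING SYSTEM", exceptions=["regedit.exe"]),
    # Allow a line-of-business app from version 2.0 upward; older builds stay blocked.
    PublisherRule("Allow", "Finance", CONTOSO_PUBLISHER, product="CONTOSO LEDGER", min_version=(2, 0)),
    # Explicit deny for one signed tool from the same product that Finance machines should not run.
    PublisherRule("Deny", "Finance", CONTOSO_PUBLISHER, product="CONTOSO LEDGER", file_name="ledgerdbg.exe"),
]


def demo() -> Dict[str, str]:
    """Evaluate a handful of constructed files for a user in the Finance group."""
    groups = ["Everyone", "Finance"]
    files = [
        SignedFile("explorer.exe", WINDOWS_PUBLISHER, "MICROSOFT WINDOWS OPERATING SYSTEM", (6, 1, 7600, 16385)),
        SignedFile("regedit.exe", WINDOWS_PUBLISHER, "MICROSOFT WINDOWS OPERATING SYSTEM", (6, 1, 7600, 16385)),
        SignedFile("ledger.exe", CONTOSO_PUBLISHER, "CONTOSO LEDGER", (2, 1, 0, 0)),
        SignedFile("ledger.exe", CONTOSO_PUBLISHER, "CONTOSO LEDGER", (1, 9, 0, 0)),
        SignedFile("ledgerdbg.exe", CONTOSO_PUBLISHER, "CONTOSO LEDGER", (2, 1, 0, 0)),
        SignedFile("unknown.exe", "", "", (1, 0)),   # unsigned: no publisher rule can match it
    ]
    return {f"{f.file_name} {'.'.join(map(str, f.version))}": evaluate(SAMPLE_RULES, f, groups)[0]
            for f in files}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{decision:5} {name}")
```

The last case is the one the paragraph warns about: an unsigned file that appears in no rule is blocked, which is why an application inventory should precede the rollout.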

User State Virtualization

A specific challenge to embracing consumerization is people working on more than one computer. This scenario can be painful for both end users and IT pros. Users’ files and settings do not follow them when they roam from computer to computer. If a user creates a document on his or her work computer, for example, that document isn’t immediately available when he or she logs on to a slate or through a VM accessed by a non-Windows PC. For IT, decentralized storage of files and settings leads to even more challenges. Files are difficult to back up. They’re difficult to secure. And because they’re scattered across many PCs, availability of important files is difficult to manage.

User state virtualization addresses these challenges. It centralizes storage of users’ files and settings to make backing up and securing them easier. Managing the availability of important files is possible. Also, user-state virtualization enables users’ files and settings to follow them from PC to PC and even to VMs. In Windows 7, three technologies support user state virtualization:
  • Roaming user profiles give you the ability to store user profiles (i.e., files stored in C:\Users\Username, including the registry hive file) in a network share. Windows 7 synchronizes the local and remote user profiles when users log on to and off of the computer. For more information, see What's New in Folder Redirection and User Profiles.
  • Folder Redirection redirects folders such as Documents, Pictures, and Videos from a user profile to a network share. Redirecting folders reduces the size of roaming user profiles and can improve logon and logoff performance. You configure Folder Redirection by using Group Policy. The important distinction between roaming user profiles and Folder Redirection is that you use roaming user profiles primarily for settings and Folder Redirection for documents. For more information, see What's New in Folder Redirection and User Profiles.
  • Offline Files, a feature enabled by default in Windows 7, provide the ability to work with redirected folders and other shared network content when disconnected from the network by caching copies locally. Offline Files synchronizes changes the next time a connection is available. For more information, see What's New in Offline Files.
The Infrastructure Planning and Design: Windows User State Virtualization guide can help you implement user state virtualization.

Local Data Security

BitLocker Drive Encryption is an integral security feature in Windows 7 Enterprise that helps protect data stored on fixed drives and the operating system drive. BitLocker helps protect against offline attacks, which are attacks made by disabling or circumventing the installed operating system or by physically removing the hard drive to attack the data separately. BitLocker helps ensure that users can read data from the drive and write data to the drive only when they have the required password or smart card credentials, or are using the data drive on a BitLocker-protected computer that has the proper keys.

BitLocker protection on operating system drives supports two-factor authentication by using a Trusted Platform Module (TPM) along with a personal identification number (PIN) or startup key as well as single-factor authentication by storing a key on a USB flash drive or just using the TPM. Using BitLocker with a TPM provides enhanced data protection and helps assure early boot component integrity. This option requires that the computer have a compatible TPM microchip and BIOS:
  • A compatible TPM is defined as a version 1.2 TPM.
  • A compatible BIOS must support the TPM and the Static Root of Trust Measurement as defined by the Trusted Computing Group. For more information about TPM specifications, visit the TPM Specifications section of the Trusted Computing Group Web site.
The TPM interacts with BitLocker operating system drive protection to help provide protection at system startup. This is not visible to the user, and the user logon experience is unchanged. However, if the startup information has changed, BitLocker will enter recovery mode, and the user will need a recovery password or recovery key to regain access to the data.

The BitLocker Drive Encryption Deployment Guide for Windows 7 provides detailed guidance for deploying BitLocker. Additionally, numerous Group Policy settings are available for managing BitLocker. You can learn about these in the BitLocker Group Policy Reference. You can provision BitLocker during deployment by using the Microsoft Deployment Toolkit (MDT) 2010 or Configuration Manager. For more information, see the MDT 2010 documentation.

Windows 7 Home Premium and Windows 7 Professional do not include BitLocker. If you allow employees to use devices that are running these operating systems, you can use the Encrypting File System (EFS) to help protect corporate data on these computers. However, EFS does not provide full-volume encryption, as BitLocker does. Instead, users choose the folders and files they want to encrypt. For more information about EFS in Windows 7, see The Encrypting File System.

Note: Users who are running Windows 7 Home Premium or Windows 7 Professional can use Windows Anytime Upgrade to upgrade to Windows 7 Ultimate for a charge. Doing so would provide BitLocker. For more information about Windows Anytime Upgrade, see Windows Anytime Upgrade.

Removable Storage

In Windows 7 Enterprise, BitLocker To Go extends BitLocker to portable drives, such as USB flash drives. Users can encrypt portable drives by using a password or smart card. Authorized users can view the information on any PC that runs Windows 7, Windows Vista, or Windows XP by using the BitLocker To Go Reader. Also, by using Group Policy, you can require data protection for writing to any removable storage device but can enable unprotected storage devices to be used in read-only mode.

The BitLocker Drive Encryption Deployment Guide for Windows 7 provides detailed guidance for using BitLocker To Go. Additionally, numerous Group Policy settings are available for managing BitLocker To Go, which the BitLocker Group Policy Reference describes.

Backups

The Windows 7 Backup and Restore feature creates safety copies of users’ most important personal files. They can let Windows choose what to back up or pick individual folders, libraries, and drives to back up—on whatever schedule works best for them. Windows supports backing up to another drive or a DVD. Windows 7 Professional, Windows 7 Ultimate, and Windows 7 Enterprise also support backing up files to a network location.

Whereas Windows 7 provides a built-in backup feature that users can use on their own devices, System Center Data Protection Manager (DPM) 2010 enables an organization to create a two-tiered backup solution that combines the convenience and reliability of disk for short-term backup—where most recovery requests are concentrated—with the security of tape or other removable medium for long-term archiving. This two-tiered system helps to alleviate the problems associated with tape backup solutions while still allowing for the maintenance of long-term off-site archives.

Important to consumerization scenarios, DPM 2010 adds support for protecting client computers, such as laptop computers and slates, which are not always connected to the network. Additionally, users can recover their own data without waiting for the backup administrator. You can learn more about DPM 2010 at System Center Data Protection Manager 2010.

Network Access

Forefront Unified Access Gateway (UAG) provides remote client endpoints with access to corporate applications, networks, and internal resources via a Web site. Client endpoints include not only computers running Windows but also other non-Windows devices. It supports the following scenarios:
  • Forefront UAG as a publishing server. You can configure Forefront UAG to publish corporate applications and resources, and enable remote users to access those applications in a controlled manner from a diverse range of endpoints and locations.
  • Forefront UAG as a DirectAccess server. You can configure Forefront UAG as a DirectAccess server, extending the benefits of DirectAccess across your infrastructure to enhance scalability and simplify deployment and ongoing management. Forefront UAG DirectAccess provides a seamless connection experience to your internal network for users who have Internet access. Requests for internal resources are securely directed to the internal network without requiring a VPN connection.
  • Single and multiple server deployment. You can configure a single server as a publishing server and as a Forefront UAG DirectAccess server, or deploy an array of multiple servers for scalability and high availability.
Infrastructure Planning and Design: Forefront Unified Access Gateway on TechNet provides guidance for designing a Forefront UAG deployment. Additional detailed technical guidance is available in Forefront Unified Access Gateway (UAG) on TechNet.

Network Security

Network Access Protection (NAP) includes client and server components that allow you to create and enforce health requirement policies that define the required software and system configurations for computers that connect to your network. NAP enforces health requirements by inspecting and assessing the health of client computers, limiting network access when client computers are noncompliant, and remediating noncompliant client computers for unlimited network access. NAP enforces health requirements on client computers that are attempting to connect to a network. NAP can also provide ongoing health compliance enforcement while a compliant client computer is connected to a network.

NAP enforcement occurs at the moment client computers attempt to access the network through network access servers, such as a virtual private network (VPN) server running Routing and Remote Access (RRAS), or when clients attempt to communicate with other network resources. The way in which NAP is enforced depends on the enforcement method you choose. NAP enforces health requirements for the following:
  • Internet Protocol security (IPsec)-protected communications
  • Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated connections
  • VPN connections
  • Dynamic Host Configuration Protocol (DHCP) configuration
  • Terminal Services Gateway (TS Gateway) connections
The Network Access Protection Design Guide can help you design a NAP deployment. The Network Access Protection Deployment Guide provides detailed technical guidance for the above scenarios.

In Configuration Manager, NAP lets you include software updates in your system health requirements. Configuration Manager NAP policies define which software updates to include, and a Configuration Manager System Health Validator point passes the client's compliant or non-compliant health state to the Network Policy Server (NPS). The NPS then determines whether the client has full or restricted network access, and whether non-compliant clients will be brought into compliance through remediation. For more information about NAP in Configuration Manager, see Network Access Protection in Configuration Manager.

Information Protection

In addition to securing local data and network access, protecting access to business information—such as intellectual property—is an important consideration if you're embracing consumerization. Two technologies are available for protecting this information:
  • Rights Management Services. By using Active Directory Rights Management Services (AD RMS) and the AD RMS client, you can augment your organization's security strategy by protecting information through persistent usage policies, which remain with the information, no matter where it is moved. You can use AD RMS to help prevent sensitive information—such as financial reports, product specifications, customer data, and confidential e-mail messages—from intentionally or accidentally getting into the wrong hands. Microsoft Exchange Server 2010 and Microsoft Office SharePoint Server 2010 are examples of applications that integrate with AD RMS. You can learn more about AD RMS at Active Directory Rights Management Services.
  • File Classification Infrastructure. To reduce the cost and risk associated with this type of data management, the File Classification Infrastructure in Windows Server 2008 R2 offers a platform that allows you to classify files and apply policies based on that classification. The storage layout is unaffected by data-management requirements, and you can adapt more easily to a changing business and regulatory environment. Files can be classified in a variety of ways. Additionally, you can specify file-management policies, based on a file’s classification, and automatically apply corporate requirements for managing data, based on business value. You can easily modify the policies and use tools that support classification to manage their files. For example, you can automatically manage the rights to files that contain the word confidential. To learn more about the File Classification Infrastructure, see Working with File Classification.


Microsoft Technologies for Consumerization


The workplace is changing. The boundaries between people's professional and personal lives are blurring. Work is no longer confined to the office. Employees check work email at home during the night and update their social media at the office during the day. In addition to their desktop computers, they're using portable computers, slates, and smartphones.

Contributing to this trend is the increasing computing power that’s available on a wide range of devices. Consumer devices, including smartphones and media tablets, are becoming powerful enough to run applications that were previously restricted to desktop and portable computers. For many workers, these devices represent the future of computing and help them do their job more efficiently.

In a world in which highly managed information technology (IT) infrastructures can seem inflexible, workers prefer to use the many consumer devices available to them. For IT, the challenge is to embrace consumerization as appropriate while minimizing risks to the enterprise and its data. Many consumer devices were not initially designed for business use, so IT must plan carefully to enable the level of management and control they require.

As a leader in business and consumer technologies, Microsoft is in a unique position to understand and provide guidance on how to responsibly embrace consumerization within enterprises. In a previous white paper, Strategies for Embracing Consumerization, you'll find specific strategies for embracing the latest consumerization trends. This article explores specific technologies that the aforementioned white paper recommends in its various scenarios.

In this article:

Saturday, February 18, 2012

Virtual Private Networking with Windows Server 2003 :: Overview


Consider a business organization that has its facilities spread across the country or around the world. There is one thing that it will need: a way to maintain fast, secure and reliable communication amongst all its branches. There are also many organizations which require their employees to access the network remotely while they are doing on-site work elsewhere. This way, the employees are able to access the network resources as if they were connected to the company's network.
Until recently, the only choice available to the administrators was to use leased lines to maintain a WAN, which provides reliability, performance and security. However, this was not a very feasible solution, as maintaining a WAN is quite expensive. And the expenses increase with distance between the offices.
An alternative came in the form of Virtual Private Networks. A VPN is a private network that utilizes a public network (Internet) to connect remote sites or users together. Thus, instead of dedicated leased lines, a VPN uses a secure virtual connection, which is routed through the Internet, connecting remote sites or users to the network.

We can configure a Windows 2003 server to allow network access to remote clients either by configuring a dial-up remote access server or a VPN remote access server. Each method has its own advantages and disadvantages. However, the VPN technology is most widely used today, since it avoids additional costs that are associated with dial-up, in the form of long-distance phone services and hardware costs.
In order to configure a VPN server:
  • You have to select the network interface used to connect to the Internet
  • You need to assign an address pool. Every VPN client will need an IP address that is local to the VPN server (an address in the same range as the local network) so that it can access the resources of the local network.
  • Finally, you need to assign remote access permissions to the users who require the privilege.

Windows 2003 allows us to implement VPN using Microsoft proprietary PPTP and Cisco’s L2TP. PPTP is a very straightforward protocol and the implementation of VPN using it is very simple. Let me explain the basic steps required to configure a PPTP VPN remote access server.
  • Open RRAS MMC console - Select Start -> Administrative Tools -> Routing And Remote Access.
  • Select the server you want to configure - From the right pane of the MMC, right-click the server and choose the option “Configure And Enable Routing And Remote Access”. The RRAS Setup Wizard appears. Click the Next button.
  • Configuration page - Select the “Remote Access (Dial-Up Or VPN)” radio button, and then click Next.
  • Remote Access page - Select the VPN check box. Here, we are concentrating on configuring a VPN RAS.
  • Internet Connections page - It lists all the network interfaces that are available to the RRAS. Select the interface which you are using to connect to the Internet.
  • IP Address Assignment page - This page allows you to define a pool of IP addresses which will be assigned when a VPN client connects to the server. You can do this either using DHCP or by defining an explicit address range (the “From a specified range of addresses” option).
  • Managing Multiple Remote Access Servers - This page lets you set your RRAS server to work with RADIUS-capable servers. Here, you can also choose the option “No, Use Routing And Remote Access To Authenticate Connection Requests” if you do not want to use RADIUS.
  • Summary page - Click on the Finish button to start the RRAS service.
By default, the users are not granted permission to use the services provided by VPN. In the next step, we determine the users for whom we allow remote access to our network. For this, execute the following steps.
  • Open User Management console.
  • On the Properties page of the user for whom we need to grant access to the VPN, select the Dial-in tab.
  • Select “Allow access” under Remote Access Permissions.
Your VPN is now configured.
Conclusion
Using a VPN can have a large impact on your company by increasing sales. Prior to VPNs, the only options for you to manage this type of communication were expensive leased lines, Frame Relay or ATM access circuits. VPNs are the solution now. They essentially offer international business travelers significant cost savings compared to dial-up charges.

NAT Simplified : Configuring and Deploying Network Address Translation


NAT (Network Address Translation) is a term that comes up regularly in the production environment. Here, I would like to explain the steps that you need to follow in order to implement NAT on a Windows 2003 Server. The steps are fairly simple, and if you already have a public address, you can set it up in less than an hour.
Basically, there are two benefits in using NAT:
  • It allows us to secure our internal IP addressing scheme by hiding it from the outside.
  • It also saves costs, because we don’t need to purchase a public IP address for each host in the network. We can hide several machines behind a NAT server that is configured to use a single public IP address. If you had to purchase or reserve an IP address for each computer and host in the internal networks across the globe, there would practically be no IP addresses left.

Before going into the steps for implementing NAT, it will be useful to know how a NAT server modifies the outgoing and incoming packets.
  • The client machine generates a request and sends it to the NAT server. Let’s assume that the packet is intended to port 80 at 206.xx.xx.xx.
  • The NAT server scans the packet and creates an entry in the NAT table, which ties the real destination address and port number to the packet's origin and to a substitute port number that the server chooses at random. It also replaces the source IP address in the packet with its own address, so that replies from 206.xx.xx.xx will reach the NAT server.
The NAT table is the key to the whole process, because it associates the original source address and port with the destination address and port. When a packet arrives at the NAT server, it redirects it to the machine which actually generated the request, using the information in the NAT table.

Installing NAT Using the RRAS Console
In Windows, NAT is actually treated as another routing protocol that you install using the Routing and Remote Access Service (RRAS). You can open the RRAS snap-in by clicking: Start > Administrative Tools > Routing and Remote Access.
Note: You should have at least two network interfaces available on your computer for this: one for the public side and the other for the private side.
If you’ve already configured RRAS to handle some other feature, then you will need to configure NAT without deactivating RRAS, because deactivating it wipes out its configuration information.
Now, I’ll mention the steps that you need to follow if you have already configured RRAS to handle some other feature like IPX routing.
  1. In the RRAS snap-in, locate the server on which you want to enable NAT. If the icon has a small red downward arrow, right-click on it and choose the “Enable And Configure Routing and Remote Access Service” command. Also, choose the option for NAT/basic firewall in the RRAS Wizard to complete the NAT installation.
  2. Otherwise, right-click on the “General node” under IP Routing and select “New Routing Protocol“.
  3. In the “New Routing Protocol” dialog box, select the NAT/Basic Firewall option and click OK.
  4. You can see that a new node called NAT/Basic Firewall now appears under IP Routing.
Adding and Removing NAT Interfaces
Before you can use NAT on your local network, you have to add a NAT interface using the RRAS console.
Note: You have to distinguish between adapters that are connected to your local network and those connected (or that can connect) to the Internet, when adding a NAT interface.
Adding a NAT Interface
First, create an interface for your local network adapter.
Next, create the Internet adapter interface.
You can do this as follows.
  • Right-click on “NAT/Basic Firewall” and choose “New Interface”.
  • The “New Interface For Network Address Translation” dialog box comes up. Select the adapter that you want to use and click OK.
Setting NAT Interface Properties
Each NAT interface has its own set of properties. We can edit the properties by right-clicking an interface and choosing the Properties command on the context menu.
The relevant options to our discussion are: the NAT/Basic Firewall, Address Pool, Services And Ports tabs. Under each tab, I will explain the options that we need to be concerned about.

The NAT/Basic Firewall Tab:
The NAT/Basic Firewall tab allows you to designate what kind of NAT interface it is.
  • The “Private Interface Connected To Private Network” radio button, is what you use to specify that the interface is bound to the adapter on your local network.
  • The “Public Interface Connected To The Internet” button specifies that the adapter is connected to the Internet.
The Address Pool Tab:
It basically lists the configured range of public IP addresses assigned to you. The address range is typically obtained from your ISP. You can manage the pool using the Add, Edit, Remove, and Reservations buttons.
The Services And Ports Tab:
Suppose you need to run a web server on your local network, which should serve requests from around the globe. In this case, you can set it up in a machine with a private IP and configure NAT to forward the requests that it receives on port 80 in the public interface, to port 80 on your internal Web server.
You can specify the ports to which inbound traffic should be mapped to, using the Services And Ports tab.
The Services And Ports tab lists the port mappings you have in effect. You can manage the port mappings using the buttons at the bottom of the pane.
Configuring NAT Properties
You can also specify the properties that affect all NAT interfaces and connections on your NAT server. This can be accessed by right-clicking the NAT/Basic Firewall node in the RRAS console and using the Properties command.
The Properties dialog box has four tabs:
  1. General tab,
  2. Translation tab
  3. Address Assignment tab and
  4. Name Resolution tab.
Among these, we need to be concerned only about the General tab and the Translation tab. The Name Resolution tab and the Address Assignment tab allow us to decide whether to use the NAT addressing component and the NAT name resolution component. They are not commonly used, since almost all networks already have a DHCP server and a DNS server.
General Tab
The General tab allows you to change the amount of event logging information that the NAT software writes to the system event log.
Translation Tab:
The Translation tab lets us control how long entries remain in the NAT table after their last use.
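The three NAT behaviours this post describes (the NAT table that ties a client's original address and port to a randomly chosen substitute port, the Services And Ports mapping that forwards inbound port 80 to an internal web server, and the Translation tab timeout that expires idle entries) can be seen together in a small simulation. The following is an added example written for this page, not code from Windows RRAS or from the post's author; all addresses, ports and the 60-second timeout are constructed sample values, and the rule that a reply is only forwarded when it comes from the recorded destination is an assumption about the checks a real NAT makes.

```python
"""Simulation of a NAT table as described in the post (added example, not Windows code).

Constructed sample values throughout; the reply-source check in inbound() is an assumption.
"""
import random
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the header fields a NAT rewrites or inspects."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    """Substitute port -> (original source, real destination, last use)."""

    def __init__(self, public_ip: str, ttl: float = 60.0, seed: Optional[int] = None):
        self.public_ip = public_ip
        self.ttl = ttl                                   # idle lifetime, as set on the Translation tab
        self.entries: Dict[int, dict] = {}               # the NAT table itself
        self.port_mappings: Dict[int, Tuple[str, int]] = {}   # Services And Ports tab: public port -> internal server
        self._rng = random.Random(seed)

    def add_port_mapping(self, public_port: int, internal_ip: str, internal_port: int) -> None:
        """Publish an internal server: inbound traffic to public_port goes to internal_ip:internal_port."""
        self.port_mappings[public_port] = (internal_ip, internal_port)

    def _free_port(self) -> int:
        """Choose an unused substitute port at random, as the post describes."""
        while True:
            port = self._rng.randint(49152, 65535)
            if port not in self.entries and port not in self.port_mappings:
                return port

    def expire(self, now: float) -> int:
        """Remove entries idle longer than ttl; returns the number dropped."""
        stale = [p for p, e in self.entries.items() if now - e["last_used"] > self.ttl]
        for p in stale:
            del self.entries[p]
        return len(stale)

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Client -> Internet: record the flow and rewrite the source to the public address."""
        self.expire(now)
        # A reply leaving a published server keeps its public port so the remote peer sees one address.
        for pub_port, target in self.port_mappings.items():
            if target == (pkt.src_ip, pkt.src_port):
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for port, e in self.entries.items():             # existing flow: reuse its port, refresh timer
            if e["flow"] == flow:
                e["last_used"] = now
                return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)
        port = self._free_port()                         # new flow: create the table entry
        self.entries[port] = {"flow": flow, "last_used": now}
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Internet -> NAT server: return the packet to deliver inside, or None to drop it."""
        self.expire(now)
        e = self.entries.get(pkt.dst_port)
        if e is not None:
            src_ip, src_port, dst_ip, dst_port = e["flow"]
            if (dst_ip, dst_port) == (pkt.src_ip, pkt.src_port):   # reply from the recorded destination
                e["last_used"] = now
                return Packet(pkt.src_ip, pkt.src_port, src_ip, src_port)
        if pkt.dst_port in self.port_mappings:           # published service, e.g. the internal web server
            ip, port = self.port_mappings[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, ip, port)
        return None                                      # no entry and no mapping: unsolicited, dropped


def demo() -> Dict[str, Optional[Packet]]:
    """Walk one client request, one reply, and one inbound web request through the table."""
    nat = NatTable("203.0.113.10", ttl=60, seed=1)       # constructed public address
    nat.add_port_mapping(80, "192.168.1.20", 80)         # internal web server published on port 80
    request = Packet("192.168.1.5", 51000, "198.51.100.7", 80)
    translated = nat.outbound(request, now=0)
    reply = nat.inbound(Packet("198.51.100.7", 80, nat.public_ip, translated.src_port), now=1)
    web = nat.inbound(Packet("192.0.2.9", 4444, nat.public_ip, 80), now=2)
    late = nat.inbound(Packet("198.51.100.7", 80, nat.public_ip, translated.src_port), now=100)
    return {"translated": translated, "reply": reply, "web": web, "late_reply": late}


if __name__ == "__main__":
    for label, pkt in demo().items():
        print(f"{label:11} {pkt}")
```

The `late_reply` case shows the failure mode the conclusion mentions: once the entry has been idle longer than the Translation tab timeout, a reply to the old substitute port no longer maps to any client and is dropped.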
Conclusion
The translation tables in NAT are of short-lived nature, and it has been reported that devices on the internal network lose IP connectivity within short periods of time, unless there is a keep-alive mechanism by frequently accessing external hosts.
On the positive side, the greatest benefit of NAT is that it has been a practical solution to the exhaustion of IPv4 address space. Networks that previously required a block of network addresses can be connected to the Internet with a single dynamic or static IP address. :)