<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Global Knowledge Training Blog &#187; Windows Server</title>
	<atom:link href="http://globalknowledgeblog.com/category/technology/microsoft/windows-server/feed/" rel="self" type="application/rss+xml" />
	<link>http://globalknowledgeblog.com</link>
	<description>Your Source for Technical, Professional, &#38; Leadership Training</description>
	<lastBuildDate>Thu, 17 May 2012 17:34:48 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Sysinternals: Free Windows Server 2008 Utilities You Should Know About</title>
		<link>http://globalknowledgeblog.com/technology/microsoft/sysinternals-free-windows-server-2008-utilities-you-should-know-about/</link>
		<comments>http://globalknowledgeblog.com/technology/microsoft/sysinternals-free-windows-server-2008-utilities-you-should-know-about/#comments</comments>
		<pubDate>Fri, 02 Mar 2012 13:21:59 +0000</pubDate>
		<dc:creator>Guest Authors</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Windows Server]]></category>
		<category><![CDATA[sysinternal]]></category>
		<category><![CDATA[Windows Server 2008]]></category>
		<category><![CDATA[windows server utilities]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=5222</guid>
		<description><![CDATA[Several years ago, Microsoft bought Sysinternals and, well, “internalized” it. The good news is that many of the old tools are still available. The bad news is that you can’t even buy the old ERD Commander tools; they’ve morphed into part of the Microsoft Desktop Optimization Pack or MDOP, which is only available to Software Assurance customers.]]></description>
<content:encoded><![CDATA[<p><a href="http://globalknowledgeblog.com/wp-content/uploads/2012/01/laptopleader1654004.jpg"><img class="alignright size-full wp-image-5241" title="laptopleader1654004" src="http://globalknowledgeblog.com/wp-content/uploads/2012/01/laptopleader1654004.jpg" alt="" width="300" height="300" /></a>Several years ago, Microsoft bought Sysinternals and, well, “internalized” it. The good news is that many of the old tools are still available. The bad news is that you can’t even buy the old ERD Commander tools; they’ve morphed into part of the Microsoft Desktop Optimization Pack or MDOP, which is only available to Software Assurance customers.</p>
<p>For those of you who don’t already know about Sysinternals, I will introduce you to a few of the utilities that proved popular with server and Active Directory administrators. These are:</p>
<ul>
<li>AD Explorer</li>
<li>AccessChk</li>
<li>BGInfo</li>
<li>AutoRuns</li>
<li>Disk2VHD</li>
</ul>
<h4>AD Explorer</h4>
<p>Tools for viewing and navigating the Active Directory database — which, as we know, isn’t really one monolithic database, any more than there is such a thing as one Windows Registry — have not been the most user-friendly utilities Microsoft ever designed. There’s LDP, formally the “Active Directory Administration Tool,” which is pretty much the picture of an uninformative interface, and there’s ADSI Edit, which is better, but it’s still almost as user-hostile as REGEDIT. To make matters worse, many Active Directory operations require NTDSUTIL, a command-line tool with as many levels as an M. C. Escher staircase. For something as important as managing AD, one would think that Microsoft could do better.</p>
<p>Microsoft’s prehistoric-feeling AD database utilities created a void in the marketplace that has been filled by a variety of third-party vendors with products that make Active Directory administration a task fit for humans.</p>
<p>However, many of these third-party tools cost fairly big bucks. The Sysinternals ADExplorer tool is more intuitive than LDP, ADSI Edit, and NTDSUTIL, and it has the virtue of being free. With AD Explorer, you can browse the database. Click on an object in the navigation pane at left and see its attributes populate the details pane at right. You can even copy the object’s attributes to the Windows clipboard, although the process is implemented a little bit strangely. Instead of right-clicking the object itself, you have to right-click one of its attributes, then choose Copy attributes from the context menu. All the attributes will be copied, not just the one you right-clicked.</p>
<p>If you want to see an object’s permissions, right-click the object, choose Properties, and click the Security tab. Domain Administrators have full rights to the Win7 Restricted Organizational Unit.</p>
<p>One of the handy things about AD Explorer is that it has back and forward buttons, much like a Web browser, which are useful as you navigate around the database. In another design touch borrowed from the world of browsers, you can create a “favorites” list of places in the database, which can be a nice timesaver and is something ADSI Edit doesn’t have.</p>
<p>Another nice advantage AD Explorer has over ADSI Edit is the ability to save, view, and even compare AD snapshots. This is normally an operation that requires the NTDSUTIL command-line tool, but AD Explorer makes it very easy.</p>
<p>With AD Explorer, you can also change attributes, delete objects, create new objects, and change permissions. This of course can be hugely dangerous. So, if you can perform a desired operation with one of the “normal” Active Directory tools — AD Users and Computers, AD Sites and Services, AD Domains and Trusts — then, in general, you should do so. These management consoles have some (not enough, but some) built-in safeguards to prevent you from doing something stupid. AD Explorer has virtually no such safeguards, and it’s possible to do Very Bad Things in AD Explorer if you’re not paying attention.</p>
<h4>AccessChk</h4>
<p>AccessChk does ICACLS one better in that it isn’t limited to displaying file system permissions. AccessChk can display Registry key permissions, local file permissions, network share permissions, process permissions — basically permissions for any securable object. This tool can also display “effective” permissions based on multiple group memberships.</p>
<p>AccessChk’s unique capabilities can be useful when you’re trying to accomplish a task on a system (such as installing software), and you don’t know whether the account you’re planning to use has the necessary user rights. Run AccessChk with full administrative rights for the most useful results. And if you don’t require permission information on processes, services, or user rights, the alternative tool AccessEnum (also in the Sysinternals Suite) is graphical and possibly more convenient.</p>
<h4>BGInfo</h4>
<p>BGInfo is a very handy utility for support technicians because it puts a lot of system configuration information right on the user’s wallpaper, where the user can read it off to a Help Desk troubleshooter. It’s also handy for IT professionals who have so many virtual machines whirling around that they sometimes forget what system they’re on, and who they’re logged in as (of course that never happens to me. Yeah, right!)</p>
<p>There are 24 “canned” display fields in all, and you can even go beyond them and create custom fields, based on WMI queries (WMI, or Windows Management Instrumentation, is a repository of data about Windows systems that can be queried in much the same manner as a SQL database.)</p>
<p>When you get a configuration set up that you like, you can save it to a file (*.BGI). You can also specify that you’d like BGInfo to integrate with your existing wallpaper. All told, this is a very useful tool to have in your hip pocket.</p>
<h4>Autoruns</h4>
<p>The excellent Autoruns tool shows you every program that is set to automatically run in Windows. Doesn’t MSCONFIG already do that? Well, yes, but not as well as Autoruns.</p>
<ul>
<li>MSCONFIG doesn’t show you per-user autostart entry points. Autoruns does.</li>
<li>You don’t need administrator privileges to invoke Autoruns (although you will need privileges to make changes).</li>
<li>Autoruns lets you analyze a system that isn’t even running. You can boot to WinPE, for example, and display the autostart entries for your unbooted Windows hard drive.</li>
</ul>
<p>It’s amazing how many programs and services start in a normal Windows environment — some of which are unnecessary, others of which might even be malicious. You can simplify things significantly by hiding the Windows entries, on the supposition that they’re more likely to be OK. You can right-click Registry entries and jump to REGEDIT.</p>
<p>This tool is great for server administrators but also for help desk technicians, troubleshooters, and security administrators as well. A little pruning of your autoruns, either by clearing the checkboxes next to undesired items or by deleting the entries altogether (which requires elevated permissions), might not be a bad idea. Also helpful is the ability to save results to a file. For example, you might “baseline” a normal, clean, healthy PC and then compare its Autoruns results with a system that is having problems.</p>
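<p>The baseline-and-compare workflow described above, as an added example that is not part of the original post: it diffs an Autoruns baseline export against a later export from the same machine and flags the entries a responder should look at first. It assumes both exports came from <code>autorunsc -a * -c -s -nobanner</code> (CSV output with signatures verified) and that the column names used below match that CSV layout; the two CSV strings are constructed sample data so the script runs offline without real exports.</p>

```powershell
# Added example, not from the original post: diff an Autoruns baseline export against a
# later export and flag entries that are new, unsigned/unverified, running from a
# user-writable path, or missing since the baseline.
# Assumptions: exports produced by "autorunsc -a * -c -s -nobanner"; column names below
# are assumed to match that CSV layout. Both CSV strings are constructed sample data.

$baselineCsv = @'
"Entry Location","Entry","Enabled","Category","Profile","Description","Signer","Image Path"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","enabled","Logon","System-wide","Security notification icon","(Verified) Microsoft Windows","c:\windows\system32\securityhealthsystray.exe"
"Task Scheduler","\Microsoft\Windows\Defrag\ScheduledDefrag","enabled","Tasks","System-wide","Disk Defragmenter Module","(Verified) Microsoft Windows","c:\windows\system32\defrag.exe"
"HKLM\System\CurrentControlSet\Services","Spooler","enabled","Services","System-wide","Print Spooler","(Verified) Microsoft Windows","c:\windows\system32\spoolsv.exe"
'@

$currentCsv = @'
"Entry Location","Entry","Enabled","Category","Profile","Description","Signer","Image Path"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","enabled","Logon","System-wide","Security notification icon","(Verified) Microsoft Windows","c:\windows\system32\securityhealthsystray.exe"
"HKLM\System\CurrentControlSet\Services","Spooler","enabled","Services","System-wide","Print Spooler","(Verified) Microsoft Windows","c:\windows\system32\spoolsv.exe"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run","Updater","enabled","Logon","EXAMPLE\alice","","(Not verified) Contoso Ltd","c:\users\alice\appdata\roaming\updater\updater.exe"
'@

function Compare-AutorunsExport {
    param([string]$BaselineCsv, [string]$CurrentCsv)

    $baseline = ConvertFrom-Csv $BaselineCsv
    $current  = ConvertFrom-Csv $CurrentCsv

    # Key each entry by location, name and image path, so a changed image path
    # shows up as a new entry rather than being masked by a familiar name
    $keyOf = { param($e) '{0}|{1}|{2}' -f $e.'Entry Location', $e.Entry, $e.'Image Path' }

    $known = @{}
    foreach ($e in $baseline) { $known[(& $keyOf $e)] = $e }
    $seen = @{}

    foreach ($e in $current) {
        $k = & $keyOf $e
        $seen[$k] = $true
        $reasons = @()
        if (-not $known.ContainsKey($k))        { $reasons += 'not in baseline' }
        if ($e.Signer -notlike '(Verified)*')   { $reasons += 'signature not verified' }
        if ($e.'Image Path' -like '*\appdata\*' -or $e.'Image Path' -like '*\temp\*') {
            $reasons += 'runs from user-writable path'
        }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Location = $e.'Entry Location'
                Entry    = $e.Entry
                Image    = $e.'Image Path'
                Signer   = $e.Signer
                Reasons  = ($reasons -join '; ')
            }
        }
    }

    # Entries that vanished since the baseline deserve a look too (disabled
    # protection, removed maintenance tasks)
    foreach ($k in $known.Keys) {
        if (-not $seen.ContainsKey($k)) {
            $e = $known[$k]
            New-Object PSObject -Property @{
                Location = $e.'Entry Location'
                Entry    = $e.Entry
                Image    = $e.'Image Path'
                Signer   = $e.Signer
                Reasons  = 'missing since baseline'
            }
        }
    }
}

# On the sample data this reports the unverified "Updater" entry (three reasons)
# and the ScheduledDefrag task as missing since the baseline
Compare-AutorunsExport -BaselineCsv $baselineCsv -CurrentCsv $currentCsv |
    Format-Table Entry, Reasons, Image -AutoSize
```

<p>To run it against real hosts, read the two exports with <code>Get-Content -Raw</code> (or <code>[System.IO.File]::ReadAllText</code> on PowerShell 2.0) and pass the strings in; everything that is not verified-signed or that appeared since the clean baseline ends up in the table.</p>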
<h4>Disk2VHD</h4>
<p>You’ve probably heard of “P-to-V” (or “P2V”) migrations — Physical to Virtual. If you’re looking at migrating some of your servers to virtual, it’s often easier to do a P-to-V migration than to go through a backup/restore cycle. However, among the various tools that are available, not all are free and not all can capture a live, running system. Disk2VHD can. It can also save your shiny new VHD file to the same volume you’re capturing.</p>
<p>The Disk2VHD user interface is about as clean as it gets. Select the volumes you want, and click Create. Files that don’t need to be copied (page file, hibernation file) aren’t. If you are a System Center licensee, then you will probably want to use the System Center Virtual Machine Manager (SCVMM) for P-to-V migrations, but if not, Disk2VHD is nice to have. Just realize that you’ll probably have some device updating to do, considering that the old drivers for your physical hardware won’t be optimal for the virtual environment. Also, remember that you’ll have to install integration components too.</p>
<h4>Conclusion</h4>
<p>If you haven’t looked at the Sysinternals tools — ever or lately — I recommend doing so. Some are more useful than others of course, but I guarantee at least a handful that you will find helpful. Get the whole collection by downloading the <a href="http://www.sysinternals.com" target="_blank">“Sysinternals Suite”</a> or pick and choose just the ones you want to try. You can <a href="http://live.sysinternals.com" target="_blank">run most of the tools directly</a>. And to get the most out of these utilities, check out the 2011 book, Windows Sysinternals Administrator’s Reference, from Microsoft Press. You can also visit the <a href="http://blogs.technet.com/Sysinternals" target="_blank">Sysinternals blog site</a>.</p>
<p><strong>Related Courses</strong><br />
<a href="http://www.globalknowledge.com/training/olm/go.asp?find=0222blog6123&amp;country=United+States" target="_blank">Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services</a><br />
<a href="http://www.globalknowledge.com/training/olm/go.asp?find=0222blog6121&amp;country=United+States" target="_blank">Configuring, Managing, and Maintaining Server 2008 R2</a><br />
<a href="http://www.globalknowledge.com/training/olm/go.asp?find=0222blog6113&amp;country=United+States" target="_blank">MCITP: Server Administrator Boot Camp</a></p>
<p><em>Excerpted from <a href="http://www.globalknowledge.com/training/olm/go.asp?find=0222blogwp&amp;country=United+States" target="_blank">Global Knowledge White Paper: Sysinternals: Free Windows Server 2008 Utilities You Should Know About</a> by Glenn Weadock</em></p>
]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/microsoft/sysinternals-free-windows-server-2008-utilities-you-should-know-about/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Map Network Drives with Group Policy Preferences</title>
		<link>http://globalknowledgeblog.com/technology/microsoft/use-item-level-targeting-of-group-policy-preferences-to-map-network-drives/</link>
		<comments>http://globalknowledgeblog.com/technology/microsoft/use-item-level-targeting-of-group-policy-preferences-to-map-network-drives/#comments</comments>
		<pubDate>Tue, 01 Feb 2011 18:13:15 +0000</pubDate>
		<dc:creator>Mark Menges</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Windows Server]]></category>
		<category><![CDATA[active directory]]></category>
		<category><![CDATA[Group Policy Preferences]]></category>
		<category><![CDATA[map network drives]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=3016</guid>
<description><![CDATA[One of Windows 2008 Active Directory's most under-utilized features is the ability to precisely target computers with Group Policy Preferences. Group Policy Preferences are different from traditional policy settings because they can be reversed by a user and not reapplied when Group Policy is refreshed. Windows 2008, Vista, and Windows 7 all have special Client Side Extensions (CSEs) for preference settings. You can download KB943729 from the Microsoft Download Center to retrofit Windows XP.]]></description>
			<content:encoded><![CDATA[<div id="attachment_3026" class="wp-caption alignleft" style="width: 218px"><a href="http://globalknowledgeblog.com/wp-content/uploads/2011/02/mgyTC4g.jpg"><img class="size-full wp-image-3026" title="mgyTC4g" src="http://globalknowledgeblog.com/wp-content/uploads/2011/02/mgyTC4g.jpg" alt="" width="208" height="159" /></a><p class="wp-caption-text">Courtesy of lusi at rgbstock.com</p></div>
<p>One of Windows 2008 Active Directory’s most under-utilized features is the ability to precisely target computers with Group Policy Preferences. Group Policy Preferences are different from traditional policy settings because they can be reversed by a user and not reapplied when Group Policy is refreshed. Windows 2008, Vista, and Windows 7 all have special Client Side Extensions (CSEs) for preference settings. You can <a href="http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e60b5c8f-d7dc-4b27-a261-247ce3f6c4f8&amp;displaylang=en">download KB943729 from the Microsoft Download Center</a> to retrofit Windows XP.</p>
<p>There are many preference settings available. One of the most widely used maps network drives for users, which is usually done by scripts that run when a user logs on. The Group Policy Drive Maps Preference with item-level targeting is easier to create than a script and has more configurable options.</p>
<p>To create a Group Policy with a Drive Map Preference:</p>
<ul>
<li>Open the Group Policy Management Console and expand the Forest and Domain nodes</li>
<li>Expand the Computer Configuration\Preferences\Windows Settings node</li>
<li>Select Drive Maps then “New”&gt;“Mapped Drive”, and a New Drive Properties window will open</li>
<li>In the window’s General tab, select “Create” from the drop down menu next to the “Action” label</li>
<li>In the “Location” text box, type the UNC path to the network share location using the <em>\\Servername\Sharename</em> format. You can specify a drive letter or allow Windows to use the next available letter, and you can enter alternate user account credentials to connect the drive</li>
<li>Now that the basic drive map is complete, select the “Common” tab, and check the box for Item-Level targeting</li>
<li>Click on the “Targeting” button, and a new Targeting Editor window will appear</li>
<li>In the “New Item” drop down list, select “User”, and a text box will appear</li>
<li>Enter the user’s name for the drive mapping. The * wildcard character can be used to specify multiple users</li>
</ul>
<p>Link the Group Policy to the location of the user accounts in Active Directory, and the drive will be mapped at the next logon. You can map multiple drives for multiple users in a single GPO, and the same GPO can also carry other Preferences, such as Network Printers.</p>
<p><a href="http://www.microsoft.com/downloads/en/details.aspx?FamilyID=42E30E3F-6F01-4610-9D6E-F6E0FB7A0790">Check out Microsoft’s white paper on Preferences here.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/microsoft/use-item-level-targeting-of-group-policy-preferences-to-map-network-drives/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Server 2008 R2 Introduces FTP Server 7.5</title>
		<link>http://globalknowledgeblog.com/technology/microsoft/server-2008-r2-introduces-ftp-server-7-5/</link>
		<comments>http://globalknowledgeblog.com/technology/microsoft/server-2008-r2-introduces-ftp-server-7-5/#comments</comments>
		<pubDate>Wed, 26 Jan 2011 18:12:02 +0000</pubDate>
		<dc:creator>Mark Menges</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Windows 7]]></category>
		<category><![CDATA[Windows Server]]></category>
		<category><![CDATA[FTP server 7.5]]></category>
		<category><![CDATA[FTP Servers]]></category>
		<category><![CDATA[Internet Information Server]]></category>
		<category><![CDATA[Internet Information Services]]></category>
		<category><![CDATA[Server 2008 R2]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=2835</guid>
		<description><![CDATA[FTP Servers are an extremely useful way to store and transfer large files efficiently over any network including the Internet. Microsoft has featured an FTP Server in Windows Server for over a decade. Finally Microsoft added an updated and vastly improved FTP Server with enhanced security and manageability to Windows Server 2008 R2 and Windows 7. ]]></description>
			<content:encoded><![CDATA[<div id="attachment_2836" class="wp-caption alignleft" style="width: 310px"><a href="http://globalknowledgeblog.com/wp-content/uploads/2010/01/Photoxpress_2931863.jpg"><img class="size-medium wp-image-2836" title="work (over)flow" src="http://globalknowledgeblog.com/wp-content/uploads/2010/01/Photoxpress_2931863-300x200.jpg" alt="" width="300" height="200" /></a><p class="wp-caption-text">courtesy of photoxpress.com</p></div>
<p>FTP Servers are an extremely useful way to store and transfer large files efficiently over any network including the Internet. Microsoft featured an FTP Server in Windows Server for over a decade. But while Microsoft lavished attention on Internet Information Server’s World Wide Web services and created the tools to build a new generation of .NET web applications, the FTP server was virtually unchanged. Even Windows Server 2008, which shipped with a brand-new Internet Information Services 7.0, still has the FTP server from Windows Server 2003.</p>
<p>Finally Microsoft added an updated and vastly improved FTP Server with enhanced security and manageability to Windows Server 2008 R2 and Windows 7. Here is a partial list of the terrific new features:</p>
<ul>
<li><strong>FTP over Secure Sockets Layer (SSL):</strong> Uses SSL-based security for secure authentication and data encryption. This corrects the most glaring fault of previous versions of Windows FTP Servers, which was that they could not satisfactorily protect data</li>
<li><strong>Host Header Support:</strong> Multiple FTP sites on the same server can be differentiated by IP, port number, or host header value, just as web sites are in IIS</li>
<li><strong>FTP and Web Site Integration:</strong> An IIS site can easily accept both HTTP and FTP client connections</li>
<li><strong>XML file based configuration store:</strong> Just like IIS websites, FTP site configuration settings are stored in simple, robust XML files. Moving FTP sites to a different server has never been easier</li>
<li><strong>FTP Extensibility:</strong> Developers can create managed code to extend the FTP Server’s functionality with customized authentication, authorization, and logging capabilities</li>
<li><strong>FTP Request Filtering:</strong> Control client requests using file name extensions, hidden segments, denied URL sequences, and restricted commands</li>
</ul>
<p>I created a test installation of Windows Server 2008 and found FTP Server 7.5 to be easy to install and simple to configure. And, the good news is, Microsoft has made FTP Server 7.5 available at no charge for Windows Server 2008 and Vista. You can download it <a href="http://www.microsoft.com/downloads/en/details.aspx?FamilyID=b7f5b652-8c5c-447a-88b8-8cfc5c13f571">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/microsoft/server-2008-r2-introduces-ftp-server-7-5/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Create a VDI on Windows Server 2008 R2</title>
		<link>http://globalknowledgeblog.com/technology/microsoft/create-a-vdi-on-windows-server-2008-r2/</link>
		<comments>http://globalknowledgeblog.com/technology/microsoft/create-a-vdi-on-windows-server-2008-r2/#comments</comments>
		<pubDate>Fri, 21 Jan 2011 13:25:01 +0000</pubDate>
		<dc:creator>Mark Menges</dc:creator>
				<category><![CDATA[Hyper-V]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[Windows Server]]></category>
		<category><![CDATA[Remote Desktop]]></category>
		<category><![CDATA[vdi]]></category>
		<category><![CDATA[virtual desktop]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=2933</guid>
		<description><![CDATA[Virtual desktop infrastructure (VDI) is a very hot topic right now. A VDI can deliver a pre-configured Windows virtual machine with all of the necessary applications on demand. This benefits highly regulated environments like banking and healthcare because they can configure their virtual desktop with precise security settings to comply with current laws. Also, legacy applications that won't run on Windows 7 can run on a virtual desktop using an older version of Windows.]]></description>
<content:encoded><![CDATA[<div id="attachment_2934" class="wp-caption alignleft" style="width: 287px"><a href="http://globalknowledgeblog.com/wp-content/uploads/2011/01/mhgnVuO.jpg"><img class="size-medium wp-image-2934 " title="mhgnVuO" src="http://globalknowledgeblog.com/wp-content/uploads/2011/01/mhgnVuO-300x208.jpg" alt="" width="277" height="193" /></a><p class="wp-caption-text">By arinas74 via RGBstock</p></div>
<p>Virtual desktop infrastructure (VDI) is a very hot topic right now. A VDI can deliver a pre-configured Windows virtual machine with all of the necessary applications on demand. This benefits highly regulated environments like banking and healthcare because they can configure their virtual desktop with precise security settings to comply with current laws. Also, legacy applications that won’t run on Windows 7 can run on a virtual desktop using an older version of Windows.</p>
<p>To implement a VDI with Windows Server 2008 R2 you need an Active Directory Domain, Hyper-V, and the Remote Desktop Services Role. A VDI requires the following:</p>
<ul>
<li><strong>Remote Desktop Session Host </strong>makes applications and virtual desktops available to clients running the Remote Desktop Connection Client (RDC) using the RDP protocol</li>
<li><strong>Remote Desktop Virtualization Host </strong>integrates Hyper-V based virtual machines with the Remote Desktop Session Host to make them available to RDC clients</li>
<li><strong>Remote Desktop Connection Broker </strong>works with the Virtualization Host to direct RDC clients to a virtual desktop. Connection Broker also reconnects users to their desktops if their connection momentarily drops out</li>
<li><strong>Remote Desktop Web Access </strong>allows Windows 7 users to connect to their virtual desktop from the start menu. Users with older versions of Windows can connect from their web browser</li>
<li><strong>Remote Desktop Licensing </strong>issues and manages Remote Desktop Services client access licenses (RDS CALs) which are required to use Remote Desktop Services</li>
</ul>
<p>All virtual machines in Hyper-V that are available as Virtual Desktops must be joined to the Active Directory Domain, and the name of each virtual machine in the Hyper-V console must be its fully qualified domain name. The Remote Desktop Connection Manager console configures Virtual Desktops. A Virtual Desktop can be placed in a pool of identical desktops that are available when clients connect. A single Virtual Desktop can also be assigned to a user account in Connection Manager so that the user can reconnect to the same desktop.</p>
<p>A Remote Desktop-based VDI is available from anywhere in the world over a low-bandwidth connection. Any computer that can run RDC, including thin clients, can reach a virtual desktop, which puts new technology within reach of older hardware. Security updates and software management are centralized, and administration is simplified with VDI, making it a low-cost alternative to conventional networks.</p>
]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/microsoft/create-a-vdi-on-windows-server-2008-r2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Save Yourself the Trouble  —  Enable Active Directory Recycle Bin</title>
		<link>http://globalknowledgeblog.com/technology/microsoft/save-yourself-the-trouble-enable-active-directory-recycle-bin/</link>
		<comments>http://globalknowledgeblog.com/technology/microsoft/save-yourself-the-trouble-enable-active-directory-recycle-bin/#comments</comments>
		<pubDate>Thu, 13 Jan 2011 20:52:15 +0000</pubDate>
		<dc:creator>Mark Menges</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Windows Server]]></category>
		<category><![CDATA[active directory]]></category>
		<category><![CDATA[Windows Server 2008 R2]]></category>
		<category><![CDATA[Windows Server 2008 Remote Server Administration Tools (RSAT)]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=2844</guid>
		<description><![CDATA[Ever delete a user account accidentally from your domain? If you have, then you know how much trouble it can be to restore a deleted account. If an Active Directory forest has been upgraded to Windows Server 2008 R2 forest functional level (FFL), the Active Directory Recycle Bin can be enabled. The Recycle Bin uses [...]]]></description>
<content:encoded><![CDATA[<p>Ever delete a user account accidentally from your domain? If you have, then you know how much trouble it can be to restore a deleted account. If an Active Directory forest has been upgraded to Windows Server 2008 R2 forest functional level (FFL), the Active Directory Recycle Bin can be enabled. The Recycle Bin uses PowerShell cmdlets to restore deleted objects with all attributes intact. Since many enterprise networks will not be at R2 FFL in the near future, a different strategy can be followed to prevent accounts from accidental deletion.</p>
<div id="attachment_2846" class="wp-caption alignleft" style="width: 210px"><a href="http://globalknowledgeblog.com/wp-content/uploads/2010/12/Photoxpress_54093982.jpg"><img class="size-medium wp-image-2846" title="businesswoman in red..." src="http://globalknowledgeblog.com/wp-content/uploads/2010/12/Photoxpress_54093982-200x300.jpg" alt="" width="200" height="300" /></a><p class="wp-caption-text">courtesy of photoxpress.com</p></div>
<p>Windows Server 2008 Remote Server Administration Tools (RSAT) includes a new check box in Active Directory Users and Computers (ADUC) that can save administrators from fumble-fingering and deleting important accounts.</p>
<p>The new check box can be viewed in ADUC by going to its View Menu and selecting Advanced Features. The Advanced Features view reveals many new tabs in the properties of an account. The Object tab has a check box with the text “Protect object from accidental deletion”. User Accounts, Computer Accounts, Contacts, Groups, InetOrgPerson Accounts, and Organizational Units all have the checkbox, but only Organizational Units have the checkbox enabled by default. All other object types must have the check box enabled in a separate action by an administrator. Enabling the checkbox adds the Everyone group to the Discretionary Access Control List (DACL) for the account. The special permissions of Deny — Delete and Deny — Delete subtree are enabled in the Security tab of the account. While the checkbox is enabled, even an Enterprise Administrator cannot delete the account. A dialogue box will appear proclaiming that “You do not have sufficient privileges to delete <em>accountname</em>” or “this object is protected from accidental deletion.”</p>
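<p>The check box described above is the ProtectedFromAccidentalDeletion attribute, so the same protection can be audited and applied in bulk. The script below is an added example, not part of the original post: it lists objects in an OU that lack the flag, sets it, and then reads each object’s DACL to confirm the two Deny entries for Everyone (Delete and Delete subtree) are present. It assumes the ActiveDirectory module from the Windows Server 2008 R2 RSAT and the <code>AD:</code> drive it creates; the OU distinguished name is a placeholder.</p>

```powershell
# Added example, not from the original post: audit, apply and verify
# "Protect object from accidental deletion" for the accounts in one OU.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT); the OU
# distinguished name below is a placeholder.

Import-Module ActiveDirectory

function Get-UnprotectedAdObject {
    param([string]$SearchBase)
    # ProtectedFromAccidentalDeletion is the attribute behind the ADUC check box;
    # users and computers (objectClass user), groups and contacts are all covered
    Get-ADObject -SearchBase $SearchBase `
        -LDAPFilter '(|(objectClass=user)(objectClass=group)(objectClass=contact))' `
        -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

function Protect-AdObject {
    param([string]$DistinguishedName)
    # Same effect as ticking the check box on the Object tab in ADUC
    Set-ADObject -Identity $DistinguishedName -ProtectedFromAccidentalDeletion $true
}

function Test-DenyDeleteAce {
    param([string]$DistinguishedName)
    # The flag is implemented as Deny ACEs for Everyone on the object itself; OR the
    # rights of all such ACEs together and require both Delete and DeleteTree
    $acl  = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone'
    }
    $denied = 0
    foreach ($ace in $deny) { $denied = $denied -bor [int]$ace.ActiveDirectoryRights }
    $needed = [int][System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'
    return (($denied -band $needed) -eq $needed)
}

# Usage: protect everything that is still unprotected under the OU, then report
# whether the expected Deny ACEs are now on each object's DACL
$ou = 'OU=Staff,DC=example,DC=com'   # placeholder; replace with a real OU
Get-UnprotectedAdObject -SearchBase $ou | ForEach-Object {
    Protect-AdObject -DistinguishedName $_.DistinguishedName
    New-Object PSObject -Property @{
        Name            = $_.Name
        Class           = $_.ObjectClass
        DenyAcesPresent = (Test-DenyDeleteAce -DistinguishedName $_.DistinguishedName)
    }
} | Format-Table Name, Class, DenyAcesPresent -AutoSize
```

<p>Running only <code>Get-UnprotectedAdObject</code> on a schedule is a cheap detective control as well: a protected account that turns up in the list again means somebody cleared the flag, which is the step that has to precede a deletion.</p>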
<p>Accidents will happen, but a little prevention can save you a lot of time and trouble.</p>
]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/microsoft/save-yourself-the-trouble-enable-active-directory-recycle-bin/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Spelunking Group Policy</title>
		<link>http://globalknowledgeblog.com/technology/microsoft/spelunking-group-policy/</link>
		<comments>http://globalknowledgeblog.com/technology/microsoft/spelunking-group-policy/#comments</comments>
		<pubDate>Wed, 05 Jan 2011 21:23:58 +0000</pubDate>
		<dc:creator>Brad Werner</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[PowerShell]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Windows Server]]></category>
		<category><![CDATA[active directory]]></category>
		<category><![CDATA[GPO]]></category>
		<category><![CDATA[Group Policy]]></category>
		<category><![CDATA[Windows Server 2008 R2]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=2852</guid>
		<description><![CDATA[Windows Server 2008 R2, with PowerShell 2.0 and the GroupPolicy management module allows for powerful administration of Active Directory Domain Services (AD DS) based Group Policy. A question came up during a recent session of the Group Policy course, and then again the following week during a session of a PowerShell course. The distilled-down question [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_2853" class="wp-caption alignleft" style="width: 235px"><a href="http://globalknowledgeblog.com/wp-content/uploads/2010/12/Photoxpress_8566976.jpg"><img class="size-medium wp-image-2853" title="embarcadère de guangnan" src="http://globalknowledgeblog.com/wp-content/uploads/2010/12/Photoxpress_8566976-225x300.jpg" alt="" width="225" height="300" /></a><p class="wp-caption-text">courtesy of photoxpress.com</p></div>
<p>Windows Server 2008 R2, with PowerShell 2.0 and the GroupPolicy management module allows for powerful administration of Active Directory Domain Services (AD DS) based Group Policy. A question came up during a recent session of the Group Policy course, and then again the following week during a session of a PowerShell course. The distilled-down question is essentially: Scripting the GPMC is good for linking GPOs and other such activities, and the W2K8R2 cmdlets let us examine values if we know the particular registry value we’re looking for, but how can we search, peruse, or report on the settings in one or more GPOs without running either a GPO report of resultant set of policy (RSoP) report?</p>
<p>Have you ever wanted to find out which registry values a group policy object (GPO) contains? You can get a report of one GPO using Get-GPOReport, or of all GPOs in a domain by adding the -All parameter to that cmdlet, but in either case the output is in HTML or XML format. There is also a useful Get-GPResultantSetOfPolicy cmdlet, which gets the effective policy settings, again only as HTML or XML. A text search or parse of the HTML gives decent results, and reading the XML output is far better, especially with the built-in XML tools in PowerShell; there is, however, an alternative that is easier to work with and more powerful.</p>
<p>Consider the following functions, which use the Get-GPRegistryValue cmdlet to do the actual work. One caveat before relying on them for an audit: Get-GPRegistryValue returns only registry-based policy settings, that is, the Administrative Templates portion of a GPO that is stored in registry.pol. Settings made through the Security Settings extension (account policies, user rights, security options) or through Group Policy Preferences are not returned, so the Get-GPOReport output remains the place to look for those.</p>
<pre>
# Trap the terminating error Get-GPRegistryValue raises for a key the GPO does not contain
# (the cmdlet reports a missing key as an ArgumentException)
trap [System.ArgumentException] {
    # placeholder for processing bad key errors
}

# Load the GroupPolicy module (Windows Server 2008 R2 / RSAT) if it is not already loaded
if( @(Get-Module GroupPolicy).Count -eq 0 ){
    Import-Module GroupPolicy
}

# Recursively enumerate every registry-based policy setting under $key in the named GPO.
# Get-GPRegistryValue -Key (with no -ValueName) returns the values configured directly under
# the key plus one object per subkey; a subkey is recognised by a FullKeyPath that differs
# from the key we asked for, and is descended into.
function global:Get-GPRegistrySubKey( $gpo, $key ){
    $val = @(Get-GPRegistryValue $gpo -Key $key)
    $val | %{
        $_
        if( $_.FullKeyPath -ne $key ){
            Get-GPRegistrySubKey $gpo $_.FullKeyPath
        }
    }
}

# Wrapper with defaults (Default Domain Policy, HKLM\Software) that formats the result as a table
function global:Get-GPRegistryKey( $gpo = "Default Domain Policy", $key = "HKLM\Software" ){
    Get-GPRegistrySubKey $gpo $key | FT ValueName,PolicyState,HasValue,Type,FullKeyPath,Value -Auto
}
</pre>
<p>That’s it. The trap handler and the conditional Import-Module block may be optional, depending on the environment in which you’re using the functions. The first function, Get-GPRegistrySubKey, does the actual work, and the second one, Get-GPRegistryKey, formats the results to be more dense and human readable. With these functions defined in your profile or another appropriate script, dealing with the output is more convenient than using the parsed XML output from Get-GPOReport or Get-GPResultantSetOfPolicy.</p>
<p>In its simplest form, Get-GPRegistryKey can be called with no parameters, in which case it assumes the Default Domain Policy as the GPO and HKLM\Software (the Policies portion of the Computer Configuration side of the GPO) as the base key for the search or report. This function simply calls the other function, Get-GPRegistrySubKey, with the same values, and then formats the output as a table. Get-GPRegistrySubKey fetches everything directly under that key by calling the Get-GPRegistryValue cmdlet with just the GPO name and the base key, and no specific value name; the cmdlet returns one object per configured value and one object per subkey. Although the variable $val could be optimized out by sending the Get-GPRegistryValue results directly into the ForEach-Object loop (used with its % alias here), the intermediate step of storing the results in a variable and then passing them down the pipeline was retained for troubleshooting purposes. Within the body of the loop, each result is emitted, and if its FullKeyPath is not the same as the key that was queried it is a subkey, so Get-GPRegistrySubKey calls itself recursively to traverse down into that subkey’s values and subkeys.</p>
<p>Specific values for the GPO name and registry key can be supplied to these functions for more focused results. Additionally, all GPOs in the domain can be reported on, for both the computer and the user side, using a technique such as:</p>
<pre>
Get-GPO -All | %{
    Get-GPRegistryKey $_.DisplayName "HKLM\Software"
    Get-GPRegistryKey $_.DisplayName "HKCU\Software"
}
</pre>
<p>The results of Get-GPRegistryKey, or of a loop like this that invokes it, can be filtered with mechanisms such as Where-Object (filter the objects from Get-GPRegistrySubKey rather than the Format-Table output of Get-GPRegistryKey if you want to act on the results instead of reading them). These fairly simple functions not only provide a straightforward way to enumerate and list the settings within a GPO, but can also serve as the starting point for more elaborate searching and reporting tools and automation for bringing sanity to GPO management.</p>
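<p>As an added example that builds on the approach above (it is not code from the original post): a self-contained recursive walk over the registry-based settings of every GPO in the domain, fed into Where-Object to report which GPOs configure a value matching a pattern. It uses the same Get-GPRegistryValue cmdlet and the same object properties (FullKeyPath, ValueName, PolicyState, Type, Value) as the functions above. The search target is an illustrative choice: the Windows Installer “Always install with elevated privileges” policy (value AlwaysInstallElevated under Policies\Microsoft\Windows\Installer), which, when enabled in both the computer and user branches, lets a standard user run MSI packages with SYSTEM privileges. Replace the pattern with whatever setting you are auditing.</p>

```powershell
# Added example (not from the original post). Walks the registry-based policy settings of
# every GPO in the domain and reports the GPOs that configure a value matching $pattern.
# Requires the GroupPolicy module (Windows Server 2008 R2 / RSAT) and read access to the GPOs.
Import-Module GroupPolicy

function Get-GPRegistrySetting {
    # Recursively list the registry-based settings under $Key in one GPO as flat objects.
    param(
        [Parameter(Mandatory=$true)][string]$GpoName,
        [string]$Key = 'HKLM\Software'
    )
    try {
        # With -Key only, Get-GPRegistryValue returns the values under the key plus one object
        # per subkey; it raises a terminating error when the GPO has nothing under the key,
        # which this function treats as "no settings here".
        $items = @(Get-GPRegistryValue -Name $GpoName -Key $Key -ErrorAction Stop)
    } catch {
        return
    }
    foreach ($item in $items) {
        if ($item.FullKeyPath -ne $Key) {
            # A subkey: descend into it
            Get-GPRegistrySetting -GpoName $GpoName -Key $item.FullKeyPath
        } else {
            # A value configured directly under $Key (PolicyState tells Set from Delete)
            New-Object PSObject -Property @{
                Gpo         = $GpoName
                KeyPath     = $item.FullKeyPath
                ValueName   = $item.ValueName
                PolicyState = $item.PolicyState
                Type        = $item.Type
                Value       = $item.Value
            }
        }
    }
}

function Find-GPRegistrySetting {
    # Search every GPO, computer and user side, for key paths or value names matching a regex.
    param([Parameter(Mandatory=$true)][string]$Pattern)
    Get-GPO -All | ForEach-Object {
        $name = $_.DisplayName
        foreach ($root in 'HKLM\Software', 'HKCU\Software') {
            Get-GPRegistrySetting -GpoName $name -Key $root
        }
    } | Where-Object { $_.KeyPath -match $Pattern -or $_.ValueName -match $Pattern }
}

# Illustrative target (assumption for this example): the Windows Installer
# "Always install with elevated privileges" policy. Any GPO that sets it to 1 in both the
# HKLM and HKCU branches lets a standard user install MSI packages as SYSTEM, so it is
# worth knowing exactly which GPOs touch it.
$pattern = 'AlwaysInstallElevated'

Find-GPRegistrySetting -Pattern $pattern |
    Sort-Object Gpo, KeyPath, ValueName |
    Format-Table Gpo, KeyPath, ValueName, PolicyState, Value -AutoSize
```

<p>Because Find-GPRegistrySetting emits objects rather than a formatted table, the same pipeline can be redirected to Export-Csv for a periodic baseline, or compared against a previous export to spot GPO changes. As noted above, only Administrative Template (registry.pol) settings are visible this way; security template settings and preferences are not.</p>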
<p><strong>Related Courses</strong></p>
<p><a title="Automating Administration with Windows PowerShell 2.0 " href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=15729&amp;catid=184&amp;country=United+States">Automating Administration with Windows PowerShell 2.0  (M10325) </a></p>
<p><a title="Automating Windows Server 2008 Administration with Windows Powershell" href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=11107&amp;catid=184&amp;country=United+States">Automating Windows Server 2008 Administration with Windows Powershell (M6434) </a></p>
<p><a title="Managing Windows Environments with Group Policy " href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=11134&amp;catid=184&amp;country=United+States">Managing Windows Environments with Group Policy  (M50255) </a></p>
]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/microsoft/spelunking-group-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Remote Desktop IP Virtualization on Server 2008 R2</title>
		<link>http://globalknowledgeblog.com/technology/microsoft/remote-desktop-ip-virtualization-on-server-2008-r2/</link>
		<comments>http://globalknowledgeblog.com/technology/microsoft/remote-desktop-ip-virtualization-on-server-2008-r2/#comments</comments>
		<pubDate>Tue, 04 Jan 2011 19:54:57 +0000</pubDate>
		<dc:creator>Mark Menges</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[Windows Server]]></category>
		<category><![CDATA[Remote Desktop]]></category>
		<category><![CDATA[Windows Server 2008 R2]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=2887</guid>
		<description><![CDATA[The introduction of Windows Server 2008 includes powerful new features for terminal services. The Terminal Services Gateway allows RDP clients to connect to Terminal Servers on an organization’s network using SSL-based encryption from the Internet without first creating a VPN connection. A Terminal Services Remote Application (TS RemoteApp) is delivered to the client computer in [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://globalknowledgeblog.com/wp-content/uploads/2010/12/remote.jpg"><img class="alignleft size-full wp-image-2889" title="remote" src="http://globalknowledgeblog.com/wp-content/uploads/2010/12/remote.jpg" alt="" width="300" height="224" /></a>The introduction of Windows Server 2008 includes powerful new features for terminal services. The Terminal Services Gateway allows RDP clients to connect to Terminal Servers on an organization’s network using SSL-based encryption from the Internet without first creating a VPN connection. A Terminal Services Remote Application (TS RemoteApp) is delivered to the client computer in its own window without a desktop, taskbar or start menu.</p>
<p>With Windows Server 2008 R2 Microsoft has changed the name of Terminal Services to Remote Desktop Services and calls it a “Presentation Virtualization” technology. TS RemoteApp programs are now called RD RemoteApps, and the TS Terminal Server is now known as an RD Session Host server. On Windows Server 2008 and earlier Terminal Servers, some applications could not function properly because every session shared the server’s IP address, whereas each instance of such an application needs its own. Server 2008 R2 has an important new feature, Remote Desktop IP Virtualization, that lets Winsock and other applications that need a unique IP address run properly under Remote Desktop Services.</p>
<p>To enable Remote Desktop IP Virtualization you must create a DHCP scope large enough to provide virtual IPs for all of the RD RemoteApp programs (or sessions) that require them. Instead of DHCP it is also possible to define a static pool of addresses using Regedit on the RD Session Host: navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\TSAppSrv\VirtualIP and create a new key holding the IP addresses you want assigned as virtual IPs.</p>
<p>The RD Session Host server must then be configured to hand out virtual IPs to RemoteApps by opening the Remote Desktop Session Host Configuration console, editing the server’s settings and selecting RD IP Virtualization. Check the Enable IP virtualization box and select the network adapter to be used for IP virtualization. Under IP virtualization mode, select the Per program option to ensure that each listed program receives its own IP (Per session instead assigns one address to the whole session), and add the programs that need a virtual address to the list.</p>
<p>You can download Microsoft’s Step by Step guide <a href="http://www.microsoft.com/downloads/en/details.aspx?FamilyID=11a2145c-0b61-4b98-848e-3c8e80ee736f">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/microsoft/remote-desktop-ip-virtualization-on-server-2008-r2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Deploying Group Policy Preferences in a Server 2003 Active Directory Network</title>
		<link>http://globalknowledgeblog.com/technology/microsoft/deploying-group-policy-preferences-in-a-server-2003-active-directory-network/</link>
		<comments>http://globalknowledgeblog.com/technology/microsoft/deploying-group-policy-preferences-in-a-server-2003-active-directory-network/#comments</comments>
		<pubDate>Wed, 22 Dec 2010 20:15:10 +0000</pubDate>
		<dc:creator>Mark Menges</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Windows 7]]></category>
		<category><![CDATA[Windows Server]]></category>
		<category><![CDATA[Windows Vista]]></category>
		<category><![CDATA[Group Policy Preferences]]></category>
		<category><![CDATA[Group Policy Settings]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=2842</guid>
		<description><![CDATA[Group Policy preferences, introduced with Windows Vista and Server 2008, gave network administrators new ways to use group policy to manage Windows computers.  Preference settings can replace scripts for mapping drives, configuring printers, managing registry settings, files and local users and groups. Some items that are difficult to impossible to set using scripts such as [...]]]></description>
			<content:encoded><![CDATA[<p>Group Policy preferences, introduced with Windows Vista and Server 2008, gave network administrators new ways to use group policy to manage Windows computers.  Preference settings can replace scripts for mapping drives, configuring printers, managing registry settings, files and local users and groups. Some items that are difficult to impossible to set using scripts such as Power Options, Internet Explorer settings and scheduled tasks can be configured with preferences. Preference settings can be targeted more precisely to users or computers than previous methods. With the introduction of Windows Vista and Server 2008 twenty preference settings became available. Windows Server 2008 R2 and Windows 7 have recently added more, including settings for Internet Explorer 8.</p>
<p>Unlike traditional Group Policy settings, changes applied by preferences can be undone by the user of a computer and can be configured to not be reapplied when the Policy is refreshed. This flexibility makes it more practical to apply many settings to specialize a computer for a specific purpose and still allow users to adapt it to their personal needs.</p>
<p>Even though Group Policy preferences were developed after Windows XP and Server 2003 were created, those operating systems can be updated with Client Side Extensions (CSEs) that allow them to process some preference settings. Windows Server 2003 domain controllers can also host a Central Store of ADMX and ADML files in SYSVOL that defines old and new GPO settings. Using the Remote Server Administration Tools (RSAT) installed on a Windows 7 computer, an administrator can then create and edit GPOs with preferences. This allows existing Active Directory domains that have yet to be upgraded from Server 2003 to support the very latest policy options for their Windows 7 and Vista clients.</p>
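<p>As an added example of the Central Store step described above (this is not code from the original post): a PowerShell script, run from the Windows 7 RSAT workstation, that creates or refreshes the ADMX/ADML Central Store in SYSVOL from that machine’s local PolicyDefinitions folder, then checks that every ADMX template has a matching ADML language file. The domain name contoso.com is an assumption; the Central Store path format \\domain\SYSVOL\domain\Policies\PolicyDefinitions is the one GPMC looks for.</p>

```powershell
# Added example (not from the original post): build or refresh the Group Policy Central Store
# from a Windows 7 / RSAT workstation. Needs write access to SYSVOL (normally Domain Admins).
$domain       = 'contoso.com'                                    # assumption: adjust to your domain
$source       = Join-Path $env:SystemRoot 'PolicyDefinitions'    # local ADMX/ADML files
$centralStore = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

if (-not (Test-Path $source)) { throw "No local PolicyDefinitions folder at $source" }

# Create the store on first run; later runs only copy files that are newer than the store's copy.
if (-not (Test-Path $centralStore)) {
    New-Item -Path $centralStore -ItemType Directory | Out-Null
}

$copied = 0
# Language-neutral .admx files sit at the top level; .adml files sit in per-language folders (e.g. en-US).
Get-ChildItem -Path $source -Recurse -Include *.admx, *.adml | ForEach-Object {
    $relative  = $_.FullName.Substring($source.Length).TrimStart('\')
    $target    = Join-Path $centralStore $relative
    $targetDir = Split-Path -Path $target -Parent
    if (-not (Test-Path $targetDir)) { New-Item -Path $targetDir -ItemType Directory | Out-Null }
    if (-not (Test-Path $target) -or ($_.LastWriteTime -gt (Get-Item $target).LastWriteTime)) {
        Copy-Item -Path $_.FullName -Destination $target -Force
        $copied++
    }
}
"Copied $copied file(s) to $centralStore"

# Sanity check: an .admx without a matching .adml in any language folder makes GPMC report an
# error for that template, so flag those before anyone opens the Group Policy editor.
$admx = Get-ChildItem -Path $centralStore -Filter *.admx | ForEach-Object { $_.BaseName }
$adml = Get-ChildItem -Path $centralStore -Recurse -Filter *.adml | ForEach-Object { $_.BaseName } | Sort-Object -Unique
$missing = @($admx | Where-Object { $adml -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ("ADMX templates without an ADML file: " + ($missing -join ', '))
} else {
    "Central Store is consistent: $($admx.Count) templates, each with a language file."
}
```

<p>Once the store exists, GPMC on any Vista or later machine reads templates from it instead of the local folder, so keep it updated from whichever workstation has the newest ADMX set, and treat SYSVOL write access to it with the same care as the GPOs themselves.</p>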
<p>So, don’t wait until you deploy Windows Server 2008 R2 to enjoy the benefits of Group Policy Preferences. Get started now by checking out Microsoft’s official white paper on preferences <a href="http://www.microsoft.com/downloads/en/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790&amp;DisplayLang=en">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/microsoft/deploying-group-policy-preferences-in-a-server-2003-active-directory-network/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DirectAccess: A VPN, but Not</title>
		<link>http://globalknowledgeblog.com/technology/microsoft/directaccess-vpn-but-not-a-vpn/</link>
		<comments>http://globalknowledgeblog.com/technology/microsoft/directaccess-vpn-but-not-a-vpn/#comments</comments>
		<pubDate>Wed, 15 Dec 2010 15:13:12 +0000</pubDate>
		<dc:creator>Brad Werner</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Windows Server]]></category>
		<category><![CDATA[Direct Access]]></category>
		<category><![CDATA[Network Infrastructure]]></category>
		<category><![CDATA[vpn]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=2815</guid>
		<description><![CDATA[Windows NT 4.0 included an implementation of the Point to Point Tunneling Protocol (PPTP) for both the NT4 Workstation and NT4 Server products, with a client for Windows 95 OSR2, and PPTP is still supported in Windows and other operating systems. Virtual Private Networking (VPN) technologies have evolved since then. In fact, could they have [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_2816" class="wp-caption alignleft" style="width: 310px"><a href="http://globalknowledgeblog.com/wp-content/uploads/2010/12/Photoxpress_1905918.jpg"><img class="size-medium wp-image-2816" title="various keys isolated on the white background" src="http://globalknowledgeblog.com/wp-content/uploads/2010/12/Photoxpress_1905918-300x199.jpg" alt="" width="300" height="199" /></a><p class="wp-caption-text">courtesy of photoxpress.com</p></div>
<p>Windows NT 4.0 included an implementation of the Point to Point Tunneling Protocol (PPTP) for both the NT4 Workstation and NT4 Server products, with a client for Windows 95 OSR2, and PPTP is still supported in Windows and other operating systems. Virtual Private Networking (VPN) technologies have evolved since then. In fact, could they have perhaps evolved so much that they don’t exist any more?</p>
<p>While one of the great synergistic co-features of using Windows 7 in a Windows Server 2008 R2 network infrastructure is DirectAccess, which Microsoft claims is not a VPN technology, these operating systems still support PPTP, as well as VPN cousins L2TP (as of Windows 2000) and SSTP (as of Vista SP1 and Windows Server 2008). Just how does DirectAccess compare to those other technologies, and how can it be useful as an alternative to those older VPN technology choices?</p>
<p>Why does Microsoft claim that DirectAccess is not a VPN technology? To understand this, let us first look at what some of the other VPN technologies are, then the similarities and differences between these and DirectAccess, and the distinction should become clear.</p>
<p>Many hardware and software vendors offer VPN implementations, yet from a Microsoft perspective, the PPTP, L2TP, and SSTP VPN solutions in Microsoft Windows are coupled with Routing and Remote Access Services (RRAS) on the server side, and dial-up networking (DUN) on the client side. The way most people use these VPN technologies in Windows, the end-user on the client machine either explicitly “dials” into the VPN server after they have logged on, or perhaps as a part of the logon process. The first real distinction between these technologies and DirectAccess is that this supposedly non-VPN DirectAccess technology is always on. In other words, DirectAccess clients connect into their DirectAccess server as soon as the client machine starts up and the underlying physical network connection(s) become available.</p>
<p>The ramifications of this, if we merely focus on the benefits for a moment, are significant with respect to applying Active Directory Domain Services (AD DS) based Group Policies to such client machines, applying updates via Windows Update Automatic Updates (WUAU) and Windows Server Update Services (WSUS), and the ability to perform other forms of remote administration of these client systems at any time. We do not have to wait for a user to log on and dial into the VPN in order to have centralized management ability and control over the constituent systems. To Microsoft, perhaps this is construed as a key distinction which casts DirectAccess as a non-VPN technology, however from my humble perspective, as it has always been possible to have a startup script dial into a VPN connection using particular user credentials, I’m not 100% clear why they would consider that a distinction other than a variation from the average end-user expectation of how VPNs are typically used. To me it doesn’t make DirectAccess a non-VPN technology, but that’s just my opinion. If Microsoft wants to use the always-on distinction to market DirectAccess’s advantages over how people classically use other VPN technologies, that’s fine.</p>
<p>Although, as with many new technologies, there are requirements specific to DirectAccess that are not needed for other VPN technologies, establishing a DirectAccess server on Windows Server 2008 R2, the necessary infrastructure, and as many DirectAccess clients as you need, running Windows 7 Ultimate or Enterprise, is a fairly straightforward endeavor. The benefits of this always-on VPN technology are many, primarily the ability to support always-manageable systems in remote offices, home offices, and mobile Windows 7 machines in the field. DirectAccess allows private, controlled access, over tunneled virtual network interfaces, for Windows 7 machines that need to be connected to their main office whenever they have public Internet access available. To VPN or not to VPN is not really a relevant question anymore. What’s in a name? Beside the fact that you might be used to dialing up your VPN connection after you log on, whereas DirectAccess is always on, does it really matter whether you call it a VPN technology or not?</p>
]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/microsoft/directaccess-vpn-but-not-a-vpn/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Who’s “NAPping” on Your Network? (Part II)</title>
		<link>http://globalknowledgeblog.com/technology/microsoft/whos-napping-on-your-network-part-ii/</link>
		<comments>http://globalknowledgeblog.com/technology/microsoft/whos-napping-on-your-network-part-ii/#comments</comments>
		<pubDate>Tue, 30 Nov 2010 20:35:45 +0000</pubDate>
		<dc:creator>Brad Werner</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Windows Server]]></category>
		<category><![CDATA[Network Access Protection]]></category>
		<category><![CDATA[Server 2008 R2]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=2754</guid>
		<description><![CDATA[In a recent post, I described a high-level overview of 802.1x authentication. Now, let’s dive a bit deeper into the use of 802.1x as a foundation for Network Access Protection (NAP) enforcement of health policies in a Windows Server 2008 network infrastructure. Recall that 802.1x can be used with Ethernet switches and Wireless Access Points [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_2755" class="wp-caption alignleft" style="width: 310px"><a href="http://globalknowledgeblog.com/wp-content/uploads/2010/11/Photoxpress_2386518.jpg"><img class="size-medium wp-image-2755" title="weariness" src="http://globalknowledgeblog.com/wp-content/uploads/2010/11/Photoxpress_2386518-300x225.jpg" alt="" width="300" height="225" /></a><p class="wp-caption-text">courtesy photoxpress</p></div>
<p>In a <a href="http://globalknowledgeblog.com/headline/whos-%E2%80%9Cnapping%E2%80%9D-on-your-network/" target="_blank">recent post</a>, I described a high-level overview of 802.1x authentication. Now, let’s dive a bit deeper into the use of 802.1x as a foundation for Network Access Protection (NAP) enforcement of health policies in a Windows Server 2008 network infrastructure.</p>
<p>Recall that 802.1x can be used with Ethernet switches and Wireless Access Points (WAPs) that support the feature, with the purpose of authenticating the devices connected to them (e.g., servers, workstations, tablets, phones, etc.). Generically, we could refer to Ethernet switches, wireless APs (i.e., 802.11), VPN servers, and dial-in servers as Network Access Points (NAPs) or Network Access Servers (NASs). Yet, because Microsoft uses the term NAP for their access protection mechanism, which we will discuss shortly, let’s use the term “NAS” when referring to an Ethernet switch, WAP, VPN server, or dial-up host.</p>
<p>Whether the NAS supports 802.1x or some other authentication scheme, it can be configured to relay such authentication using the RADIUS protocol. <em>There are actually separate RADIUS authentication and accounting protocols</em>! Thus, each NAS is configured as a RADIUS client, whereas a Windows Server running Microsoft’s Network Policy Server (NPS) performs the role of RADIUS server. Several NPS servers can be used for redundancy and load distribution. Additionally, in larger environments, NPS servers can act as RADIUS proxy servers, a front end between regional NAS points of presence and more centralized NPS RADIUS servers.</p>
<p>Connection request policies and network policies on the NPS servers determine whether the end-station client devices ought to be allowed on the network via the NAS to which they are connecting. Thus, centralized, policy-based access control of Ethernet, wireless, VPN, and dial-in clients is supported by proper integration of these elements. But what we just described was already somewhat supported in Windows 2000 Server and, with a couple of name changes, in Windows Server 2003.</p>
<p>Now we have an established foundation that Network Access Protection (NAP) can build upon. Beyond mere authentication checks to determine whether to allow a client on the network, NAP’s advantage is its support of <em>health policies</em>. With respect to health policies, NAP offers an elaborate, extensible framework that computer vendors, like HP or Dell, and security vendors such as Symantec or McAfee (Intel) could leverage to provide NAP system health agents (SHAs) and system health validators (SHVs).</p>
<p>Included with NAP is one default Windows Security Health Validator (WSHV), which runs in the NPS on Windows Server 2008 or 2008 R2, and one default Windows Security Health Agent (WSHA), which runs in NAP clients on Windows XP SP3, Vista, and Windows 7. This built-in SHV/SHA pair can be configured to check whether the client’s firewall is enabled, antivirus is enabled and up to date, and antispyware is enabled and up to date. It can also check whether critical (or other severity) updates have been applied, e.g., from WSUS.</p>
<p>Microsoft also offers a System Center Configuration Manager SHA (SCCM SHA) and a ForeFront Client Security SHA (FCS SHA). Other vendors such as Avenda Systems, Computer Associates, McAfee, and Symantec offer their own extensions including SHA/SHV pairs that can extend NAP health-checking capabilities beyond the built-in WSHA/WSHV pair. For example, the Avenda Windows Universal System Health Validator can scan for specific registry values that you configure. You can configure this validator to check for particular registry values that must be present, and if they are not, the Avenda Universal SHV will command the corresponding Universal SHA to create or update the proper registry values you have indicated.</p>
<p>Additionally, this Universal SHV can confirm that another list of registry values is <em>not</em> present (“must be <em>absent</em>,” for example) and request the Universal SHA to delete such keys from the offending client if they are present. In other words, third-party, Microsoft (second-party), and your own custom (first-party) extensions to NAP can offer remediation to enforce a particular client configuration as a part of authorizing such client machines to be allowed on the network, or not.</p>
<p>One of the great benefits of the Windows Server 2008 R2 version of NAP, beyond the first version in Windows Server 2008, is that multiple configurations of a single SHV can be defined and referenced by different health policies. It’s not super exciting that W2K8R2’s NAP lets the WSHV require different update criticality levels for different sets of machines. But it can be <span style="text-decoration: underline;">very</span> exciting if differentiated SHV configuration allows you to specify different sets of registry parameters or updates that must be part of the compliance specification for sets of machines with unique security and compatibility requirements.</p>
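<p>As an added example (not part of the original post): before a Windows 7 or Vista client can take part in the 802.1x-based NAP enforcement described above, its NAP Agent service must be running, the Wired AutoConfig service must be running so the 802.1x supplicant is active, and the EAP quarantine enforcement client must be enabled. The PowerShell check below, run in an elevated session on the client, verifies those three things. The service names (napagent, dot3svc), the enforcement client ID 79623 and the netsh nap client commands are real; the way the netsh output is parsed (Name / ID / Admin lines per enforcement client) is an assumption about that output’s layout.</p>

```powershell
# Added example (not from the original post): verify that a Windows 7 / Vista client is ready
# for 802.1x NAP enforcement. Run in an elevated PowerShell on the client.

function Get-ServiceReadiness {
    # Report whether a Windows service exists and is running
    param([string]$Name, [string]$Display)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Check  = $Display
        Status = $(if ($svc) { $svc.Status.ToString() } else { 'missing' })
        Ok     = ($svc -ne $null -and $svc.Status -eq 'Running')
    }
}

function Get-NapEnforcementClient {
    # Parse "netsh nap client show config" into one object per enforcement client.
    # Assumption: each client appears as consecutive "Name = ...", "ID = ...", "Admin = Enabled|Disabled" lines.
    $block   = @{}
    $clients = @()
    netsh nap client show config | ForEach-Object {
        if ($_ -match '^\s*(Name|ID|Admin)\s*=\s*(.+?)\s*$') {
            $block[$matches[1]] = $matches[2]
            if ($block.ContainsKey('Name') -and $block.ContainsKey('ID') -and $block.ContainsKey('Admin')) {
                $clients += New-Object PSObject -Property $block
                $block = @{}
            }
        }
    }
    $clients
}

function Test-NapClientReady {
    $results = @()
    $results += Get-ServiceReadiness -Name 'napagent' -Display 'Network Access Protection Agent service'
    $results += Get-ServiceReadiness -Name 'dot3svc'  -Display 'Wired AutoConfig (802.1x on Ethernet) service'

    # 79623 is the EAP Quarantine Enforcement Client, the one used for 802.1x (wired and wireless) NAP
    $eap = Get-NapEnforcementClient | Where-Object { $_.ID -eq '79623' }
    $results += New-Object PSObject -Property @{
        Check  = 'EAP quarantine enforcement client (ID 79623)'
        Status = $(if ($eap) { $eap.Admin } else { 'not listed' })
        Ok     = ($eap -ne $null -and $eap.Admin -eq 'Enabled')
    }
    $results | Select-Object Check, Status, Ok
}

$report = Test-NapClientReady
$report | Format-Table -AutoSize
if (@($report | Where-Object { -not $_.Ok }).Count -gt 0) {
    Write-Warning 'Client is not ready for 802.1x NAP enforcement; fix the failed checks ' +
                  '(e.g. Start-Service napagent, or: netsh nap client set enforcement id = 79623 admin = "enable").'
}
```

<p>If NAP client settings are delivered through Group Policy (Computer Configuration, Windows Settings, Security Settings, Network Access Protection), the local configuration shown by netsh nap client show config is overridden; use netsh nap client show grouppolicy to see the effective enforcement client settings in that case.</p>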
<p><strong>Related Courses</strong></p>
<p><a title="Configuring and Troubleshooting a Windows Server 2008 Network Infrastructure" href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=10841&amp;catid=184&amp;country=United+States">Configuring and Troubleshooting a Windows Server 2008 Network Infrastructure (M6421) </a></p>
<p><a title="Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services" href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=10733&amp;catid=184&amp;country=United+States">Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services (M6425) </a></p>
<p><a title="Configuring, Managing, and Maintaining Server 2008 R2" href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=10662&amp;catid=184&amp;country=United+States">Configuring, Managing, and Maintaining Server 2008 R2 (M6419) </a></p>
]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/microsoft/whos-napping-on-your-network-part-ii/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

