Windows 7 will include many user interface improvements and security enhancements over Windows Vista. It is scheduled for release in early 2010 but past delays mean the date may slip. Windows 7 will offer improved performance and compatibility with existing hardware and drivers compared to Vista. New features include enhanced desktop navigation using libraries, improved remote access using DirectAccess, and enhanced security tools like AppLocker. Windows 7 also expands support for virtualization, networking, and Active Directory administration using PowerShell.

1. The Next Windows:
quot;Lucky Seven?quot;
presented by Mark Minasi
help@minasi.com
tech forum, newsletters at
www.minasi.com
1

2. Topics
 Um, what do I do… Vista, Win 7, roll back to
Windows 98?
 New UI stuff, networking changes
 Rolling it out, securing it, storing things
 Virtuality!!!
 Active Directory
 Saving Money
2

3. Okay, First Thing…
 What are they going to call it
 (Like anybody cares)
 Desktop = Windows 7 (unless it changes)
 Server=Windows Server 2008 R2
 Server only comes in x64, no x86
 Desktop still offers x86
 NOTE: when I say quot;Windows 7,quot; I'm usually
speaking generically of both OSes
3

4. quot;When? When? When?quot;
quot;can I skip Vista? Can I can I can I? Pleeze?quot;
 The plan is the first half of 2010
 But, um, that's the plan…
– 2000 shipped two years late
– 2003 shipped two years late
– 2008 shipped three years late
– So when exactly will 7 ship?
 And XP's losing support this year, so many of
us will think, quot;hey, I gotta do something!quot;
4

5. The Vista/Win 7 Choice is Easy
 Microsoft knows you hate Vista
 (I don't work for Microsoft, and you guys tell
me anyway!)
 Vista's main problem was that it came out too
early – many 2005 machines couldn't handle
its needs, drivers didn't exist yet, nor did SP1
 Which means that even if you think you hate
Vista, the chances are good that if you took a
fresh look at it today, it'd look pretty good
5

6. Vista or Win 7 = You're Fine
Either Way
 And so…
– Speed is about equal between the two
– quot;If it's a Vista driver, it's a Win 7 driverquot;
– quot;If it runs Vista well, it'll run Win 7 wellquot;
– Windows 7 includes nearly 400 quot;fixes,quot; built-in shims
that solve compatibility problems
– Any SDB-type patches created in Vista work on W7
 Bottom line: you can use the same hardware
for Vista or Win 7, so Win 7 will cause you no
more planning needs than Vista would
6

7. UI Stuff
 SideBar's gone, now gadgets go right on the
desktop
 UI does an interesting job of being more
document-centric than app-centric: you can
have MRU lists for as many apps as you like
on the taskbar, as if the app were running
 You can control system tray behavior for
each app
7

8. More UI Stuff
 Easy adjustment to make two windows share
the screen side-by-side, half apiece
 Some tablet users will be able to run their
Win 7 boxes as they were iPhones, all finger
pushes (of course, most tablets currently
don't respond to fingers…)
 ONE right-click on the Desktop gets you to
video resolution
 Paint and WordPad get the Ribbon!
8

9. More UI: Libraries
 New way to show files, sort of an evolution of
how (for example) Vista shows tunes
differently than videos or pictures
 Extends to downloaded files (shows their
URL), contacts (shows their essential values)
 Essentially it's a meta-view of a bunch of
folders
 Includes and extends the notion of search
folders
9

10. The Blue UI: PowerShell
 You'll see PowerShell support in a lot of
things – it was a design goal
 Win 7 has Powershell 2.0, which does neat
remote stuff
 Remoting atop WinRM, not RPC
 .NET's now on Server Core, so PowerShell's
on Server Core
10

11. Remote Access News
 You've heard about PowerShell and WinRM
 Terminal services has new name: Remote
Desktop Services
 Not exactly a Win 7 topic, but MS is now
pushing Hyper-V for virtual desktops (quot;MED-
Vquot;)
 Server Manager now works remotely for
role/feature control, even on Server Core
11

12. Networking
 Mobile broadband support makes mobile
broadband look like a NIC, not dialup
 Different NICs can have different firewall
profiles
 DHCP now has support for scope failover
from one DHCP server to another and lets
you block/allow MAC addresses
12

13. Deployment
 How will we get this thing out?
 Same quot;Pantherquot; engine as Vista/08
– Asks questions up front, you go away, come
back, you've got a system running
– Very easy to script with Windows System Image
Manager, free download from Microsoft
 Unpopular news for some: you can upgrade
from Vista, but not XP
13

14. Deployment
 Multicasting
– Important new changes in WDS multicasting: three
different quot;speed lanesquot; for multicasting images
 Dynamic driver provisioning: deploys an image,
and removes unneeded drivers
 New tool: DISM replaces peimg, pkgmgr, and
some of ImageX's features
 … and DISM patches offline virtual machines
 USMT quot;hard linksquot; lets you wipe a disk but
retain whatever files you choose
14

15. Security in Win 7
 Some big stuff:
– DirectAccess
– Applocker
– Bitlocker to go
– No more LM
– DNSSEC
 And some odds 'n' ends
15

16. DirectAccess
 Call it quot;seamless VPNquot;
 Microsoft has used a process for years now whereby
employees log onto the network, get an IPv6 address
and tunnel (via Teredo) into MS's corpnet, using
IPsec
 Local inside-corpnet-only addresses and names now
look local (quot;Name Resolution Policy Tablequot;
accomplishes it)
 Difference: it's seamless
 Requires IPv6, IPsec, R2 RRAS servers – set up with
a wizard
16

17. DirectAccess
 Benefits:
– Seamless remote access to internal resources
– VPN that doesn't force your Internet traffic to be
encrypted
– Machine/machine connection means that central
IT staff can patch/examine system even when
user's not connected
17

18. AppLocker: SAFER, but Safer
 (SAFER= the beta name of Software
Restriction Policies)
 Basically an improved Software Restrictions
 But it's a lot smarter about handling signed
applications
 Includes a wizard that will look at a system
and create an AppLocker policy for it
automatically
18

19. BitLocker To Go
 Removable devices can now be bitlockered
 You can even create a group policy requiring
it
 Or say, quot;we won't write data to this USB stick
unless it's Bitlockeredquot;
 As before, you can store keys in AD, or in
external 48-digit keys
19

20. Security
 UAC now has a slider with four ticks on it to
control how intrusive it is
 Windows Solution Center (which contains the
old Security Center) gives you more control over
what sort of notifications the system gives you,
reducing its irritation factor
 Workgroups can now be quot;HomeGroups,quot; a
password-protected group that lets you connect
to resources in your home's network with your
company's PC without your company's security
settings getting in the way
20

21. More Security
 Neat new quot;global security access control listquot;
makes object access auditing more useful
 Just point to a user and an object and it'll tell
you, quot;user A tried to access object B and
failed/succeeded because of X group
membershipquot;
 Multihomed systems can now have different
firewall settings
 Read-Only DFS for branch office security
21

22. And Even More…
 New group policies let you block NTLM logons
 LM can't happen
 Windows now has in-the-box support for biometrics
(fingerprint readers etc)
 BitLocker To Go encrypts portable devices like
USB sticks… and a group policy lets you mandate
quot;if you want to use a USB stick, it must be
encryptedquot;
 quot;VPN reconnectquot; aims to keep you connected even
when the VPN's spotty, as it's smart enough to retry
at multiple VPN junction points
22

23. DNSSEC
 Relatively old protocol-wise (2001-ish), but
topical now
 Does not secure dynamic DNS updates
 Does secure responses to queries, with the
result that it makes a DNS cache poisoning
of the type recently discussed very unlikely
 For full effect, it'll require at least all R2 DNS
servers on the forwarders/masters, and
possibly on all DNS servers
23

24. Storage
 VHDs are becoming the new quot;containerquot;
standard, and have less and less to do with
VMs
– You can put one on your system, install an OS to
it… and tell bcdedit to boot that OS
– Mounting a VHD in Win7 is called quot;surfacingquot; it
– Diskpart is the basic tool of choice to work with it
– Of course, Vista & 2008 use them for backups
now
24

25. Storage
 Consider the idea of a VHD-ed system; it has only
– A C: drive with a boot record, basically
– An E: drive with one file named something like
quot;mywindows.vhdquot;
– Some BCDEDIT commands to point to
e:mywindows.vhd
 On drives larger than about 30 GB, Windows
automatically creates a small, un-lettered partition
(whether or not you mess with VHDs)
 Makes BitLocker easier to set up and makes for a
quot;cleanerquot; looking C: drive
25

26. BranchCache Lite (quot;Distributedquot;)
 So you're in a remote site, and you're using a
file accessed across the WAN…
 Someone else on your subnet needs that file…
 And you supply it (without knowing)
 You advertise your files using a Network
Discovery protocol (the thing that's replaced
Computer Browser in Vista/2008)
 Uses multicasts, not broadcasts
26

27. BranchCache Lite
 Caches SMB and HTTP/HTTPS traffic
 Security integrated so you can't look at things
in the cache that you don't have access to
 Only Windows 7 systems can participate
 Extra: the SMB client does more caching…
reopen a file and it's as quick as if you've
already opened it
27

28. Hosted BranchCache
 What's that you say, you have more than one
subnet?
 Enable BranchCaching on a local server
 Caches on the basis of hashed 64K blocks
 Server is obviously faster and can dedicate
more resources
 It's a quot;rolequot; in 2008 R2
 Windows 7 clients know to use it because group
policy tells it to
28

29. Virtual Machines/Hyper-V
 Live Migration (like VMotion), shifts in ~10 ms
range
 New NIC hardware supports separate queues
for different virtual NICs, Hyper-V supports it
 Ditto NICs with embedded network switches
 Second level address translation on CPUs now
supported – solves a problem (flushing VM
page tables) that can take up to 10% of CPU
time
 256 cores supported
29

30. Active Directory Changes
 New domain functional level
 New task-oriented UI: AD Administration Center
 PowerShell cmdlets
 AD Recycle Bin
 Automatically maintained domain-based service
accounts, new type of account
 Best Practice Analyzer
 Offline Domain Join
30

31. AD and PS
 We get 70+ PowerShell cmdlets for AD
 New AD Administration Center is the new AD
GUI tool but, interestingly enough, it's really
just a PowerShell application – PowerShell
2.0 supports GUI forms, so
 … but under the hood, it's nothing more than
a GUI front end to PowerShell commands
 No quot;reflectivity,quot; though… bummer!
31

32. Saving Money
performance, less power, easier
hardware updates…
32

33. Misc Good Things
 Problem Steps Recorder
 The way that the OS gives RAM to apps
changes (with Vista, it's pretty generous in an
attempt to make it faster), and so W7 should
use less memory
 Non-miniport print drivers mean no (well,
fewer) printer driver blue screens
33

34. Power Management
 Big push on this
 New quot;AQquot; logo program
 Three PM defaults all yield 10% better power
use
 quot;Core Parkingquot; shuts down particular cores
or entire sockets when not needed on Hyper-
V systems
34

35. Hardware
 Device Stage also contains links to vendor
things like supplies and accessories and,
with hope, PDFs of the manual
 Wake-on-wireless LAN
35

36. Thanks for coming!
 I'm doing talks on Hyper-V, new Active
Directory features in 2008 R2 and quot;12 Tips to
Secure Your Networkquot; tomorrow and
Wednesday
 I am teaching my two-day techie seminar on
Server 2008 next week in Philadelphia and
the end of April in Chicago
 Info at www.minasi.com
36