NEW ADDRESS

Published: September 18, 2011 in Projects

FOLKS, WE ARE AT A NEW ADDRESS, WHICH IS:

WWW.TECNOINFOBSB.BLOGSPOT.COM

WE HAVE SEVERAL ACTIVITIES GOING ON, WITH UPDATES EVERY WEEKEND !!!

WE ARE AT ANOTHER ADDRESS

DON'T MISS OUR PROMOTIONS !!!

How to extract zip, rar, tar.gz, bz2 and tar.bz2 files from the terminal

Extracting these file formats takes a single command each (nomedoarquivo stands for the file name):

zip:

unzip nomedoarquivo.zip

rar:

unrar x nomedoarquivo.rar

tar:

tar -xvf nomedoarquivo.tar

tar.gz:

tar -vzxf nomedoarquivo.tar.gz

bz2:

bunzip2 nomedoarquivo.bz2

tar.bz2:

tar -jxvf nomedoarquivo.tar.bz2

Installing Redmine

Published: November 7, 2010 in Projects

Introduction

Contents:

  1. About Redmine
  2. Preparing the environment for Redmine
  3. Installing and configuring Redmine
  4. Downloading Redmine
  5. Getting to know the directory structure
  6. Configuring the application
  7. Creating the Redmine database
  8. Installing Redmine
  9. Automatic startup script
  10. About the author

About Redmine

Redmine is free and open-source software licensed under the terms of the GNU General Public License v2 (GPL). It is written in Ruby using the Ruby on Rails framework.

Redmine is a cross-platform tool that supports several databases, plugin extensions and version control systems. Its main strengths are listed below:

  • Multiple project support
  • Flexible role-based access control
  • Flexible issue tracking system
  • Charts and calendars
  • News, file and document management
  • Per-project forums and wiki
  • Time tracking (per project and per user)
  • Integration with version control systems (svn, git, cvs)
  • LDAP authentication support
  • Multi-language support
  • Multiple database support

Preparing the environment for Redmine

Preparing a production environment for Redmine requires several pieces of software: a web server, a database server, and support for the Ruby language and the Rails framework. The following packages are required for the installation.

  • build-essential – informational list of "build-essential" packages
  • ssh – Secure Shell (SSH)
  • openssh-server – for remote access
  • mysql-server – database server
  • phpmyadmin – web tool for administering MySQL databases
  • rails – web application development framework
  • rubygems – package management infrastructure for Ruby applications/libraries
  • mongrel – HTTP library and server for Ruby
  • ruby1.8-dev – development files for the Ruby 1.8 object-oriented scripting interpreter
  • libmysql-ruby – MySQL module for Ruby
  • subversion – advanced version control system
  • apache2 – web server
  • ruby – programming language
  • irb – interactive Ruby
  • rdoc – documentation generator for Ruby files
  • rake – make-like build tool for programs written in Ruby
  • libapache2-mod-fastcgi – Apache module for running FastCGI scripts

Use the commands below to install the programs.

Installation commands:

# aptitude install build-essential
# apt-get install ssh openssh-server mysql-server phpmyadmin rails rubygems mongrel ruby1.8-dev libmysql-ruby subversion apache2 ruby irb rdoc rake libapache2-mod-fastcgi

Library and program dependencies are installed together with the software.

Installing and configuring Redmine

Downloading Redmine

The software has to be downloaded from the project site and the databases configured in the application. Although this is simple and there are several ways to download it, we will use svn to obtain the most recent version in the Redmine repository. So enter your chosen installation directory and start the download.

Create a folder under /; in my case it became /rails:

# cd /
# mkdir rails

Start the download:

http://rubyforge.org/frs/download.php/73140/redmine-1.0.3.tar.gz

Once downloaded, extract it into /rails:

tar -vzxf redmine-1.0.3.tar.gz

To begin the configuration we will set up access to the databases. They have not been created yet, but keep in mind the database name, user and password. You can enter the /rails/redmine directory and inspect its directory structure; use the ls command to list it.

# ls
app
config
db
doc
extra
files
lib
log
public
Rakefile
README.rdoc
script
test
tmp
vendor

Getting to know the directory structure:

  • app – Holds the application's control flow: the view, controller and model layers.
  • config – Directory containing the application's configuration files.
  • db – Directory containing the application's persistence classes.
  • doc – Contains installation references and application documentation.
  • extra – Directory for shared material.
  • files – Directory for files of various extensions.
  • lib – Application libraries and extensions (plugins).
  • log – Stores the application log.
  • public – Contains the public files that may be made available to users.
  • script – Contains scripts used by the application.
  • test – Contains examples and classes for the application's help.
  • tmp – Used to store temporary files.
  • vendor – Contains gem packages and other plugins; if other programs need to be installed for Redmine's use, this directory can be used.

Configuring the application

As the quick tour of the directories above showed, the config directory stores the application's configuration files. The configuration directives cover several areas, such as general application settings, environment, application startup and databases, the last of which is the only configuration we will change.

First, notice that this directory contains several example files, so we need to copy the one we will use to its original name. Copy the file database.yml.example to database.yml, as the command below shows:

# cp config/database.yml.example config/database.yml

Open the file and set the configuration directives as follows.

# MySQL (default setup).
# Configure only if you are using MySQL
production:
  adapter: mysql
  database: redmine
  host: localhost
  # a dedicated account (such as the redmine user created in the next section) can be used here instead of root
  username: root
  password: senha_de_root
  encoding: utf8

development:
  adapter: mysql
  database: redmine_development
  host: localhost
  username: root
  password: senha_de_root
  encoding: utf8

# Warning: The database defined as "test" will be erased and
# re-generated from your development database when you run "rake".
# Do not set this db to the same as development or production.
test:
  adapter: mysql
  database: redmine_test
  host: localhost
  username: root
  password:
  encoding: utf8

# Configure only if you are using PostgreSQL
test_pgsql:
  adapter: postgresql
  database: redmine_test
  host: localhost
  username: postgres
  password: "postgres"

# Configure only if you are using sqlite3
test_sqlite3:
  adapter: sqlite3
  database: db/test.db
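
As an added check that is not part of the original tutorial, the following Python script parses a database.yml in the simple two-level layout shown above (no YAML library needed) and reports the mistake the file's own comment warns about, a test database that shares its name with development or production, together with use of the root account or an empty password. The sample file embedded in it is constructed to mirror the tutorial's settings; pass a path as the first argument to check a real file.

```python
# Added example (not part of the original tutorial): sanity checks for a
# Redmine config/database.yml, run before db:migrate.
import sys

# Constructed sample that mirrors the tutorial's file (not read from disk).
SAMPLE_DATABASE_YML = """\
# MySQL (default setup).
production:
  adapter: mysql
  database: redmine
  host: localhost
  username: root
  password: senha_de_root
  encoding: utf8

development:
  adapter: mysql
  database: redmine_development
  host: localhost
  username: root
  password: senha_de_root
  encoding: utf8

test:
  adapter: mysql
  database: redmine_test
  host: localhost
  username: root
  password:
  encoding: utf8
"""


def parse_database_yml(text):
    """Parse the two-level subset Redmine's database.yml uses: a top-level
    environment name followed by indented "key: value" lines. Comments and
    blank lines are ignored, quotes are stripped, an empty value becomes None."""
    config, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                                   # blank line or comment
        line = raw.split(" #", 1)[0].rstrip()          # drop a trailing comment
        if not raw.startswith((" ", "\t")):            # environment name, e.g. "production:"
            current = line.rstrip(":").strip()
            config[current] = {}
            continue
        if current is None or ":" not in line:
            raise ValueError("unexpected line: %r" % raw)
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        config[current][key.strip()] = value or None   # "password:" -> None
    return config


def check_database_config(text):
    """Return a list of findings; an empty list means the file passes."""
    config = parse_database_yml(text)
    findings = []
    for env, db in config.items():
        if db.get("adapter") == "sqlite3":
            continue                                   # file-based, no account to check
        if db.get("username") == "root":
            findings.append("%s: connects as the database root account; use a dedicated user" % env)
        if not db.get("password"):
            findings.append("%s: empty password" % env)
        if db.get("encoding") != "utf8":
            findings.append("%s: encoding is not utf8" % env)
    # The file's own warning: rake erases and regenerates the test database,
    # so it must not be the same database as development or production.
    test_db = config.get("test", {}).get("database")
    for env in ("production", "development"):
        if test_db and config.get(env, {}).get("database") == test_db:
            findings.append("test: shares database '%s' with %s; rake would erase it" % (test_db, env))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DATABASE_YML
    for finding in check_database_config(text) or ["no findings"]:
        print(finding)
```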

Creating the Redmine database

We will create the database the application will use. It must be named "redmine" and use the utf8 charset. Use the commands below to create the database and define the user:

# mysql -u root -p
mysql> create database redmine character set utf8;
mysql> create user redmine@localhost;
mysql> grant all privileges on redmine.* to redmine@localhost;
mysql> flush privileges;
mysql> exit

Installing Redmine

With the environment fully prepared, the application has to be built. Follow the commands below:

# gem install -v=2.3.5 rails
# rake generate_session_store
# RAILS_ENV=production rake db:migrate
# RAILS_ENV=production rake redmine:load_default_data

The owner and permissions of some directories have to be changed. Follow the commands below (felix is the author's user; use the account that will run Redmine):

# chown -R felix.felix files/
# chown -R felix.felix log/
# chown -R felix.felix tmp/
# chown -R felix.felix public/plugin_assets/
# chmod -R 755 files/
# chmod -R 755 log/
# chmod -R 755 tmp/
# chmod -R 755 public/plugin_assets/

At this point we can test the server by running the WEBrick server.

# ruby script/server webrick -e production

Go to localhost:3000; the default credentials are:

  • login: admin
  • password: admin

Initial screen:

Automatic startup script

By default Redmine does not start the WEBrick server, so a script is needed to start it whenever the operating system boots. Inside the /etc/init.d directory create a file named redmine, make it executable and add the content below:

# cd /etc/init.d
# touch redmine
# chmod +x redmine
# vim redmine

#!/bin/sh
# change to the directory where Redmine was unpacked (/rails/redmine in this tutorial)
cd /rails/redmine
ruby script/server webrick -e production

Then add the script to the startup directories with the following command:

# update-rc.d redmine defaults 99

Sharing Folders in VBOX

Published: November 7, 2010 in Tutorials

1st case (Linux host and Windows guest)

Before powering on your virtual machine, go to "Settings" -> "Shared Folders" and choose the folders you want to share.

(Screenshot: Linux: Sharing folders in VirtualBox)

Power on the virtual machine and go to "Devices" -> "Install Guest Additions".

Note that in "My Computer" inside the virtual machine an extra CD-ROM drive will appear with the Guest Additions image. Run it and proceed with the installation.

When warned that the software did not pass the compatibility test, click "Continue Anyway", finish the installation and reboot the virtual machine.

After the reboot, go to "Start Menu" -> "All Programs" -> "Accessories" -> "Windows Explorer" -> "My Network Places" -> "Entire Network" -> "VirtualBox Shared Folders", and you will see the folders you chose to share earlier.

If you also want to map the shared folders for quicker access later, right-click "My Computer", go to "Map Network Drive" and type \\VBOXSVR\ followed by the name of the shared folder you created.

Example:

\\VBOXSVR\arquivos

If you want the Guest Additions installer to disappear from the devices listed in My Computer, right-click it and choose eject.

Done, folders shared!

2nd case (Windows host and Linux guest)

The steps are almost the same as in the previous case: choose the folders to share in "Settings" -> "Shared Folders".

Power on the machine and go to "Devices" -> "Install Guest Additions".

Open the CD drive that was created and run the file:

$ sh ./VBoxLinuxAdditions*.run

Create the folder to mount on:

$ sudo mkdir /mnt/nome_pasta

Mount it:

$ sudo mount -t vboxsf nome_pasta_compartilhada /mnt/nome_pasta

Remember: "nome_pasta_compartilhada" is the name of the shared folder created in the first step.

Done: the folder is created and available under /mnt with the name you gave it.

Installing Win7 from a USB Stick

Published: November 2, 2010 in Tutorials

Preparing the USB stick
Before starting, plug your USB stick into a USB port.

1 – Open the command prompt (Start >> All Programs >> Accessories >> Command Prompt).

2 – Type the commands below, pressing Enter after each one:

1. Diskpart (a new window will open; wait until the cursor appears)

2. List Disk

3. Select Disk 1 (replace 1 with the number List Disk shows for your USB stick; the Clean command that follows wipes whichever disk is selected)

4. Clean

5. Create partition primary

6. Active

7. Format fs=ntfs quick

8. Assign

9. Exit

Copying the files
Now insert the Windows 7 DVD in the drive and copy its entire contents to the USB stick.

Done: reboot your computer and check in the BIOS that the boot order puts USB devices first.

Introduction

This KB collects some exam notes for 70-680 TS: Windows 7, Configuring. All notes are written by John Bryntze.

Important! This is NOT a braindump or anything of the kind.

The 070-680 Exam objectives are the following:

  • Installing, Upgrading, and Migrating to Windows 7
  • Deploying Windows 7
  • Configuring Hardware and Applications
  • Configuring Network Connectivity
  • Configuring Access to Resources
  • Configuring Mobile Computing
  • Monitoring and Maintaining Systems that Run Windows 7
  • Configuring Backup and Recovery Options

Installing, Upgrading, and Migrating to Windows 7 (14%)

Perform a clean installation

Identifying hardware requirements
The minimum hardware requirements for Windows 7 are:

  • 1 GHz or faster 32-bit (x86) or 64-bit (x64) CPU
  • 1 GB of RAM (32-bit)/2 GB of RAM (64-bit) (recommended 2GB of RAM in 32 bit if running Virtual PC in XP Mode)
  • 16 GB of available disk space (32-bit)/20 GB (64-bit) (15GB extra if running Virtual PC in XP mode)
  • DirectX 9 graphics device with Windows Display Driver Model 1.0 or higher driver

Setting up as dual boot
You can dual boot with other Windows operating systems, but as always you need to install the oldest OS first. If you for example install Windows XP after Windows 7, the newer boot system (BCD, Boot Configuration Data) will be overwritten by XP's boot loader (boot.ini), which cannot handle Vista/Windows 7.
So install XP first, then Vista, then Windows 7 to be able to dual (well, in this case triple) boot.

Install with answer files
When Windows 7 starts to install it looks in the root of all removable media for a file named Autounattend.xml, and if it finds one it tries to do a silent installation using the answers in that file. Autounattend.xml can easily be created with Windows SIM.
If the answer file is in another location (not in a root) you can specify its path when launching the installation with setup.exe:

setup.exe /unattend:f:\jbkb\jbkb-standard.xml

Upgrade to Windows 7 from previous versions of Windows

You can only do an in-place upgrade to Windows 7 from Vista with Service Pack 1 or later; all other versions require a clean installation.
Check with the Windows 7 Upgrade Advisor for known compatibility problems, such as lack of disk space, programs that will stop working, and drivers that need to be upgraded.
Image:Certification-kb12-Windows7-Upgrade-Advisor.png

Upgrading from Windows Vista

Upgrade paths per edition are:
Windows Vista Home Premium -> Windows 7 Home Premium
Windows Vista Business -> Windows 7 Professional
Windows Vista Ultimate -> Windows 7 Ultimate

If you have Vista Home Premium you cannot upgrade to Windows 7 Ultimate, only to Windows 7 Home Premium (haven't tried it myself, but I cannot see any problem doing this in 2 steps: first upgrade Vista Home Premium to Windows 7 Home Premium and then use Windows Anytime Upgrade from Windows 7 Home Premium to Windows 7 Ultimate).
Know that if you for example have a French Windows Vista Business and want to upgrade to a Swedish Windows 7 Professional, that is not possible; you cannot go from one language to another.
Upgrade media comes in DVD format.

Migrating from Windows XP
There is no direct in-place upgrade from XP to Windows 7. Nothing stops you from upgrading Windows XP to Windows Vista and then upgrading Vista to Windows 7 with an in-place upgrade. Otherwise you will need to do a clean installation.

Upgrading from one edition of Windows 7 to another edition of Windows 7
As with Vista, it should work to upgrade from a lower edition to a higher one but not the other way around (Starter edition not included; it is not upgradable).
Windows 7 continues Windows Anytime Upgrade: since all editions (except Starter) include all features even if they are not active (depending on the version/edition), no disc/DVD is needed to upgrade from one edition to another.

  • Windows 7 Starter Edition – in XP/Vista this edition could only have 3 programs open at the same time; this limit is gone with Windows 7 Starter Edition. Comes only as OEM and supports no extra features such as multiple monitors, fast user switching, Aero, Windows Mobility Center etc.
  • Windows 7 Home Basic – For emerging markets. Support: join (only) a Home Group, maximum 8GB of RAM, Windows Mobility Center, Multiple Monitors, Fast User Switching, Desktop Windows Manager, Windows AERO (partial).
  • Windows 7 Home Premium – For home users. Support: same as Home Basic plus; Multi-Touch, Premium Games, Windows Media Center, Windows Media Player Remote Media Experience.
  • Windows 7 Professional – For business use. Support: same as Home Premium plus; join a domain, EFS, Location Aware Printing, Remote Desktop Host, Presentation Mode and Windows XP Mode.
  • Windows 7 Enterprise – For business only. Support: Same as Professional plus; AppLocker, BitLocker Drive Encryption, BranchCache, Distributed Cache, DirectAccess, Subsystem for Unix-based Applications, MUI pack and Virtual Hard Disk Booting.
  • Windows 7 Ultimate – For home and business use. Support: same as Enterprise.

Unclear if this will be on the exam but it can be good to know anyway that E edition of Windows 7 is shipped without Internet Explorer and the N edition of Windows 7 is shipped without Windows Media Player (these versions can only be bought in Europe).

Migrate user profiles

Migrating user profiles is done either with USMT 4.0 (User State Migration Tool) or with Windows Easy Transfer (migwiz).
For better control and multiple users USMT is preferred; for home users or single-profile migration Windows Easy Transfer can be used.
Windows Easy Transfer exists on Windows XP and newer and should be run first on the machine that holds the profile to transfer ("This is my old computer"); choose the media (special USB transfer cable/network/external disk) and the wizard scans what can be transferred (you have no control over what is transferred). You get an option to password protect the file (.mig). Then go to the new machine that needs the profile and run the Windows Easy Transfer wizard again, this time choosing "This is my new computer".
Image:Certification-kb12-WindowsEasyTransfer.png

USMT works the same as Windows Easy Transfer, but you can control what to transfer and what not to transfer, along with other more advanced features. USMT uses scanstate to collect profile data and loadstate to apply it.
Scanstate and Loadstate are command-line tools and include many different switches; here are some important ones:

  • /all – Migrates all users
  • /v – Verbose logging with 16 different levels
  • /i – specifies XML files, example /i:MigDocs.xml
  • /ue – Users not to migrate (think User Exclude); /ue:*\* excludes ALL users except those specified in /ui
  • /ui – Users to migrate (think User Include)
  • /lac – specifies non-admin local user accounts
  • /lae – Enables the accounts specified with /lac; otherwise the account is enabled on the target machine.

Exam Tips: Know Scanstate and Loadstate and some of the common switches for the exam.

Migration store types

  1. Compressed – saves space and saves all migration data into one image file. This is the default.
  2. Uncompressed – needed for hard-links; you can use explorer.exe to browse and modify the migration data. Switch: /nocompress
  3. Hard-Link – new feature in USMT 4.0. Files are not duplicated but stay on the disk, and once the old OS has been removed and the new OS installed, loadstate finds this data. This of course only works when reusing the same machine (wipe and load/PC refresh scenario). Switch: /hardlink

You can migrate profile data from a 32-bit OS to a 64-bit OS but not the other way around. It does not work if the source and target machines have different OS languages. Starter editions are not supported.

Migrating from one machine to another
1. Run Scanstate on the source client machine, for example with this command:

scanstate \\jbkb-server01\USMT /i:migdocs.xml /i:migapp.xml /ui:JBKB\john /v:14 /l:scanresult.log

where \\jbkb-server01\USMT is the path where the profile data is saved, migdocs.xml specifies which documents to save, migapp.xml which application settings to save, /ui:JBKB\john takes data only from user JBKB\john, and the last two, /v:14 /l:scanresult.log, set the verbosity level and the log file name.
2. On the target machine make sure Windows 7 and all programs are installed.
3. Run Loadstate on the target client machine, for example with this command:

loadstate \\jbkb-server01\USMT /i:migdocs.xml /ui:JBKB\john /i:migapp.xml /v:14 /l:loadresult.log

where \\jbkb-server01\USMT is the path to read the profile data from, migdocs.xml specifies which documents to transfer, migapp.xml which application settings to transfer, /ui:JBKB\john transfers data only for user JBKB\john, and the last two, /v:14 /l:loadresult.log, set the verbosity level and the log file name.

Migrating from previous version of windows
If the source machine is running Windows XP it must have Service Pack 2 or later for USMT to run scanstate on it (you cannot run loadstate on a Windows XP machine with USMT v4.0), and you must run scanstate as a local administrator on the machine.
If the source machine is running Windows Vista with UAC you must run scanstate in Administrator mode. (Not needed for the exam, but if the target machine will be Vista then you need to specify /targetvista.)

Side-by-side vs. wipe and load
Side-by-side refers to having 2 machines, an old source machine and a newer target machine.
The user migration data must be collected from the source machine with scanstate and then loaded onto the target machine with loadstate.
Wipe and load refers to having 1 machine: the machine might run Windows XP but meets the hardware requirements for Windows 7, so you run scanstate to save the migration data and then run loadstate on the same machine after Windows 7 has been installed.
It is important to know a new feature in USMT 4.0, the hard-link migration store. It is stored on the machine itself, so no extra disk space is needed; this is only possible if you reuse a machine (wipe and load). To use hard-links you specify that when running scanstate with the switch /hardlink, which always uses the Uncompressed migration store type (switch /nocompress).

Deploying Windows 7 (13%)

Capture a system image

Sysprep
When you have a reference machine (sometimes called a master machine), prepared with all configuration and software, and want to prepare the system to be imaged, you can strip away "not needed" info by using sysprep.

c:\windows\system32\sysprep\sysprep.exe /oobe /generalize /shutdown

ImageX already strips away unneeded folders and files by default; sysprep removes machine-unique settings such as the computer SID, which must be unique for each machine in a domain.

Creating a WIM file
After a machine has been prepared (maybe with sysprep), boot the reference machine with WinPE to capture a WIM image.
Once booted with a WinPE that includes the ImageX tool, create a WIM image on external disk E: by running the following command:

ImageX /Capture C: E:\WIMImages\JBKB.wim "Windows 7" /verify

With the command above a JBKB.wim will be created with the content of disk C:

Prepare a system for image deployment

In Vista and earlier, Pkgmgr.exe was used to add drivers and applications to WIM images, which was pretty tricky. With the latest WAIK you can use DISM.exe instead, which is more powerful and easier to use.

Insert a driver into a system image
To insert a driver into a WIM image you need DISM.exe (from WAIK 2.0).
First mount the WIM image file, then add the driver with the /Add-Driver switch.

DISM.exe /Mount-Wim /wimfile:C:\WIMimages\JBKB.wim /index:1 /mountdir:c:\jbkbmount
DISM.exe /Image:C:\jbkbmount /Add-Driver /Driver:C:\Drivers\NetworkDriver\oem01.inf
DISM.exe /Unmount-Wim /MountDir:C:\jbkbmount /commit

Insert an application into a system image
To insert an application into a WIM image you need DISM.exe (from WAIK 2.0)

DISM.exe /Mount-Wim /wimfile:C:\WIMimages\JBKB.wim /index:1 /mountdir:c:\jbkbmount
DISM.exe /image:c:\jbkbmount /Add-Package /PackagePath:"C:\JBKBcabs\jbkb.cab"
DISM.exe /Unmount-Wim /MountDir:C:\jbkbmount /commit

Deploy a system image

You can deploy a WIM image with zero touch using SCCM/WDS/WDT and other tools, but you can also deploy manually with ImageX.
Boot the target machine with, for example, a WinPE prepared with ImageX.
Prepare the disk with Diskpart; for example, to prepare a C: disk run these commands (if the disk already has an OS from before):

diskpart
select disk 0
select partition 1
format fs=ntfs quick override label="windows"
assign letter=c
active
exit

Where quick does a quick format (takes about 3 seconds) and override continues even if the partition is in use/locked.

Run the following command to deploy (apply) a WIM image located on an external disk e: to a machine

ImageX /apply e:\JBKB.WIM 1 c:

The "1" tells ImageX to use the first image in the file, since it is possible to have multiple images in the same WIM file (shared files reduce the size).

Exam Tips: Remember that ImageX uses /Apply to deploy a WIM image and /Capture to create a WIM image.

Configure a VHD

VHD (Virtual Hard Disk) is the disk format used by Microsoft Virtual Server and Windows Virtual PC. Windows 7 itself can create, configure/edit and, with the right edition, boot from VHDs. Only Windows 7 Enterprise and Ultimate can boot from a VHD.

Creating VHD
1. GUI: Use Disk Management: start Computer Management, go to Disk Management and in the menu choose Action -> Create VHD
Image:Certification-kb12-Action-CreateVHD.png

Then the Create and Attach Virtual Hard Disk window comes up. Here specify the location of the physical file (.vhd) and set the size and VHD format: Dynamically expanding or Fixed Size (Dynamically expanding does not verify that enough disk space exists; Fixed Size does, and gives an error if disk space is insufficient). Press OK when finished and the disk shows up in Disk Management.
Image:Certification-kb12-Create-fixed-sizeVHD.png

The disk shows up but is not initialized or formatted, so to initialize it right-click the disk and choose Initialize Disk
Image:Certification-kb12-Initialize-DiskVHD.png

Now this disk can be treated like a normal one: formatted and assigned a drive letter.

2. Command line: start CMD and type the following:
diskpart
create vdisk file=d:\JBKB\JBKBdisk.vhd type=fixed maximum=50000
select vdisk file=d:\JBKB\JBKBdisk.vhd
attach vdisk
Image:Certification-kb12-DiskpartVHD.png
First create the vhd disk with type and size (given in MB by default). Then select the disk and attach it. As with Disk Management, if you want to format it and assign a letter you continue in Diskpart with: create partition primary / assign letter=y / format fs=NTFS label=JBKBVHD quick

Deploying VHD
You can deploy a VHD either with Xcopy or with WDS (Windows Deployment Services).
With Xcopy you boot the installer and configure the disks, then press SHIFT + F10 to get a command line during the installation, use xcopy to copy in the VHD file, then use diskpart to attach the VHD.
With WDS (on Windows Server 2008 R2) you can deploy bootable VHDs.

Booting VHD
Only Windows 7 Enterprise and Ultimate can boot from a VHD.
You can use either Windows PowerShell (Install-WindowsImage.ps1) or ImageX to put a bootable WIM image into a VHD. You can also use a command-line tool called WIM2VHD to automate this step: http://code.msdn.microsoft.com/InstallWindowsImage/Wiki/View.aspx?title=http%3a%2f%2fcode.msdn.microsoft.com%2fwim2vhd&referringTitle=Home (that is outside the scope of this KB).

Using Install-WindowsImage.ps1 (first download it here: http://code.msdn.microsoft.com/InstallWindowsImage/Release/ProjectReleases.aspx?ReleaseId=2662; I needed to run the command set-executionpolicy unrestricted to let PowerShell run unsigned ps1 scripts).
Run these commands:

.\Install-WindowsImage.ps1 -WIM e:\sources\install.wim

This lists all indexes in the WIM; to use Windows 7 Ultimate we choose index 4 (see image below)

.\Install-WindowsImage.ps1 -WIM e:\sources\install.wim -Apply -Index 4 -Destination Y:

Destination is to the mounted VHD file assigned letter Y: in this case.
Image:Certification-kb12-PowerShell-Apply-WIM2VHD.png

Using ImageX (first install WAIK)

ImageX /info e:\sources\install.wim

This gives image data in XML format, where you can read out <IMAGE INDEX="number"> for the image you want to use.

ImageX /Apply E:\sources\install.wim 4 Y:

This will copy in the Index 4 image of install.wim into the VHD file mounted/assigned to Y:
Image:Certification-kb12-ImageX-Apply-WIM2VHD.png

Once you have the VHD file you need to decide whether to prepare it for VHD native boot (on Windows 7 Enterprise/Ultimate) or for booting inside a virtual machine.
VHD native boot: Y:\Windows\System32\bcdboot y:\windows (if you want to change the boot order or make more advanced changes use BCDedit; that is out of the scope of this KB)
VHD virtual machine boot: Y:\Windows\System32\bcdboot y:\windows /s y:

Mounting VHD
Either use Disk Management or diskpart explained above to mount a VHD.

Updating VHD
After a VHD file is mounted you can update the VHD using Windows Explorer.
For the exam and real life you need to know a command-line tool named DISM.EXE (Deployment Image Servicing and Management) that can update a VHD image’s drivers and add Windows Features.
Examples:

Dism /image:y: /Add-Driver /driver:c:\drivers\jbkb-nic.inf

Image:Certification-kb12-dism-VHD.png
Would add driver for JBKB-NIC into the VHD image

Dism /image:y:\ /Enable-Feature /FeatureName:TelnetClient

Would enable the Telnet Client in Windows 7 (disabled by default)

Exam Tips: Know that offline update/servicing of VHD images can be done with DISM.exe

Configuring Hardware and Applications (14%)

Configure application compatibility

Application Compatibility Toolkit 5.5 (ACT) is a tool that collects information about the applications installed on the network. Running it is an important and critical step when planning a migration to Windows 7: will my applications work? Better to know before deploying Windows 7 across the organization.

Implementing shims
Shim = an application compatibility workaround.
Shims can be seen as an API layer that corrects compatibility issues. You need to know that most vendors do not support their applications if they have been modified with a shim, so shims should be used in these cases:

  • Vendor of the product is no longer in business.
  • The application is developed internally
  • The vendor will release a new supported version for Windows 7 but the current isn’t supported for Windows 7.

Shims included in Windows 7 Out of the box are updated through Windows Update. So you have the same support terms as the rest of the Windows operating system.

Configure application restriction

Windows 7 still supports Software Restriction Policies (SRP for the rest of this KB) for compatibility purposes. Windows 7 also has the next version of SRP, called AppLocker. The two do not work together; they are separate.
This KB will cover both AppLocker and SRP.

Setting software restriction policies
There are 3 default security levels:
Disallow: Block all applications except those explicitly set to allow (unrestricted).
Unrestricted: Allow all applications except those you explicitly block (disallow).
Basic User: Allows programs to execute as a user that does not have Administrator access rights, but can still access resources accessible by normal users.

The 4 ways to explicitly define a Disallow/Unrestricted application are the following:

  1. Network Zone rule
  2. Path rule (supports wildcards; if multiple path rules match, the most specific one "wins")
  3. Hash rule (supports SHA256 hashes)
  4. Certificate rule

Image:Certification-kb3-SSR-Rules.png
The 4 different Software Restriction Rules

For each of these rules you set a security level that overrides the default security level:
Unrestricted: Useful when the default security level is set to Disallowed
Disallowed: Useful when the default security level is set to Unrestricted
Basic User: Runs the application with a standard-user token even when the user is an administrator, in the same way UAC filters the token.
This new option applies to all 4 rule types above except certificate rules and is very useful for stopping an application from making system-wide changes.
Image:Certification-kb3-SSR-Path-Rule.png
Example of a Path Rule to set c:\jbkb\adminstools\QoS.exe to run as Basic User
If several rules match the same program, the more specific rule type takes precedence. From weakest to strongest:

  • Default rule (weakest)
  • Network Zone rule
  • Path rule
  • Certificate rule
  • Hash rule (strongest, always wins)

Example: if the default rule is set to Disallowed and a Path rule for c:\jbkb\jbkb.exe is set to Unrestricted, then even though the default rule disallows running c:\jbkb\jbkb.exe, the Path rule takes precedence and c:\jbkb\jbkb.exe is allowed to run. Among path rules the more specific path wins: a rule for c:\jbkb\jbkb.exe beats a rule for c:\jbkb\*.

Blocked applications are logged to the Application event log with event IDs 865 to 868 (865 = blocked by the default level, 866 = blocked by a path rule, 867 = blocked by a certificate rule, 868 = blocked by another rule type), so search the Application log for those IDs.
The Application log only shows entries for applications that are blocked. If you also want to see allowed (unrestricted) executions, enable advanced logging by adding a string value named LogFileName, containing the path of the log file, under the following registry key:
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

If you lock yourself out with too restrictive policies, restart, press F8 during boot to enter Safe Mode and log on as a local administrator: Windows 7 does not apply Software Restriction Policies to local administrators in Safe Mode.
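An added example (not from the original KB) for reviewing an SRP configuration from PowerShell rather than the GUI. It reads the rules that the local policy stores under the registry key above, enables the advanced log and pulls the block events from the Application log. The log file path is an assumption, and the script must run elevated because the Safer key lives under HKLM\Software\Policies.

```powershell
# Added example, not part of the original KB. Run from an elevated PowerShell:
# the Safer key lives under HKLM\Software\Policies and needs admin rights to write.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as SRP stores them in the registry
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Enable-SrpAdvancedLogging {
    # LogFileName (REG_SZ) switches on the verbose log that also records allowed executions.
    # The path is an assumption; pick a folder standard users cannot tamper with.
    param([string]$LogFile = 'C:\Windows\Temp\srp-advanced.log')
    Set-ItemProperty -Path $safer -Name LogFileName -Value $LogFile
}

function Get-SrpRules {
    # Lists every path and hash rule together with the level it assigns
    $default = (Get-ItemProperty -Path $safer -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    if ($default -eq $null) { Write-Host 'No SRP policy found in the local registry'; return }
    Write-Host ("Default security level: {0}" -f $levelNames[[int]$default])
    foreach ($level in 0, 131072, 262144) {
        $pathKey = Join-Path $safer "$level\Paths"
        if (Test-Path $pathKey) {
            foreach ($rule in Get-ChildItem $pathKey) {
                $p = Get-ItemProperty $rule.PSPath
                New-Object PSObject -Property @{
                    Type = 'Path'; Level = $levelNames[$level]
                    Rule = $p.ItemData; Description = $p.Description
                }
            }
        }
        $hashKey = Join-Path $safer "$level\Hashes"
        if (Test-Path $hashKey) {
            foreach ($rule in Get-ChildItem $hashKey) {
                $h = Get-ItemProperty $rule.PSPath
                New-Object PSObject -Property @{
                    Type = 'Hash'; Level = $levelNames[$level]
                    Rule = $h.FriendlyName; Description = $h.Description
                }
            }
        }
    }
}

function Get-SrpBlockEvents {
    # SRP writes blocks to the Application log as events 865-868 (866 = path rule)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 865, 866, 867, 868 } `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-SrpRules | Format-Table Type, Level, Rule, Description -AutoSize
Get-SrpBlockEvents | Format-Table TimeCreated, Id, Message -Wrap
```

Call Enable-SrpAdvancedLogging only while troubleshooting: the advanced log records every execution on the machine and grows quickly, and a path writable by standard users would let them overwrite the evidence.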

Setting application control
AppLocker is only enforced on the Windows 7 Enterprise and Ultimate editions (and on Windows Server 2008 R2) and needs the Application Identity service to be running. Windows 7 Professional can be used to create AppLocker rules, but the rules are not enforced on it.

AppLocker has the following new enhancements:

  • You can define rules based on attributes from a file's digital signature (publisher, product name, file name, file version).
  • AppLocker PowerShell cmdlets to manage AppLocker from PowerShell.
  • Implicit deny: once a rule collection contains any rules, a file in that collection runs only if a rule allows it.
  • "What if" mode (Audit only): configure all the rules without enforcing them and just log what would have been blocked if the rules were in place.
  • MMC snap-in accessible from GPMC or Local Group Policy editor.

AppLocker doesn't include the SRP rule types Internet Zone rules, per-machine rules and registry path rules.

To configure AppLocker you can use either a domain GPO or Local Security Policy (secpol.msc); this KB uses Local Security Policy. Navigate: Security Settings -> Application Control Policies -> AppLocker.
There are several scenarios, but this KB takes the most common one.
1. You have a reference computer (remember, this machine can be Windows 7 Professional) with all the company's standard software installed at the correct versions.
2. Create the default rules. This ensures that administrators can still manage the machine and that users can run files in %WinDir% (normally c:\windows) and the %ProgramFiles% folder. Remember that an application installed as c:\JBKBApps\design2010.exe will not run, since it is not under c:\program files (you can later create a manual rule for applications that don't install into the default Program Files folder). To do this, right-click Executable Rules and choose Create Default Rules.
This creates these 3 default rules:

    • Allow all users (everyone) to run All files located in the Program Files Folder (%ProgramFiles%)
    • Allow all users (everyone) to run All files located in the Windows Folder (%WinDir%)
    • Allow Administrators (BUILTIN\Administrators) to run All files

Image:Certification-kb12-AppLocker-Create-Default-Rules.png
3. Automatically generate rules: if your reference machine has all the software and updates you require, right-click Executable Rules and choose Automatically Generate Rules…
Here you specify which folder (default c:\Program Files) will be analyzed, which users/groups the rules will apply to (default Everyone) and finally a name to identify the rules.
Image:Certification-kb12-AppLocker-Automatically-Generate-Rules.png

Next is the Rule Preferences with 2 choices:

  • Create publisher rules for files that are digitally signed – you also get the option if a file isn’t signed it can create a File hash or path rule.
  • Create file hash rules for all files

Image:Certification-kb12-AppLocker-Rule-Preferences.png
Next it scans the specified folder and proposes a set of rules; this can take some minutes depending on the number of files. In Review Rules you can check that the proposed rules are what you expect before they are created (either way you can change them manually afterwards). Press Create to create the rules.
Image:Certification-kb12-AppLocker-Review-Rules.png
Now you have a lot of extra rules. Files that were digitally signed show up with the condition Publisher (if chosen), the others with the condition Path or File hash (whichever you chose for unsigned files).
Image:Certification-kb12-AppLocker-Result.png
Now modify/delete/add extra rules manually.

The good thing about this is that a user who keeps a stand-alone program (just an .exe) in their Documents folder cannot run it unless a specific rule allows it: everything not covered by an allow rule is denied.

Apply this either with a GPO at domain/site/OU level or with Local Security Policy, and make sure the machines refresh their Group Policy settings.
Enforcement can be set to Enforce rules or Audit only. With Enforce rules the rules are active; with Audit only the rules only write to the Event Viewer (the AppLocker logs under Applications and Services Logs) and never block anything.
Image:Certification-kb12-AppLocker-Enforce-AuditOnly.png

With digitally signed files and the Publisher condition you have much more freedom: a rule can for example check the file version and allow a certain version And above, Exactly that version or, in rare cases, that version And below.
Image:Certification-kb12-AppLocker-Publisher-Settings.png
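The same reference-machine procedure, done with the AppLocker PowerShell cmdlets so it can be repeated and version-controlled. This is an added example, not code from the original KB. It assumes C:\Program Files as the reference folder, that C:\Temp exists for the policy file, and that the AppLocker module is present (it ships with Windows 7); C:\JBKBApps\design2010.exe is the KB's own example of an application outside Program Files.

```powershell
# Added example, not part of the original KB. Run elevated on the reference machine.
# Assumed paths: C:\Program Files as the reference folder and C:\Temp for the policy file;
# the C:\JBKBApps path is the KB's own example of an application outside Program Files.
Import-Module AppLocker

$referenceDir = 'C:\Program Files'
$policyFile   = 'C:\Temp\AppLocker-Exe-Audit.xml'

# 1. Collect publisher, hash and path information for every .exe under the reference folder
$fileInfo = Get-AppLockerFileInformation -Directory $referenceDir -Recurse -FileType Exe

# 2. Build rules for Everyone: a Publisher rule where the file is signed, a Hash rule
#    otherwise (the order of -RuleType is the fallback order). -Optimize collapses files
#    from the same publisher/product into one rule so the policy stays readable.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix RefMachine -Optimize -Xml

# 3. Start in Audit Only: the cmdlet leaves EnforcementMode as NotConfigured, so set it
#    on every rule collection before the policy is applied anywhere
$doc = [xml]$policyXml
foreach ($collection in @($doc.AppLockerPolicy.RuleCollection)) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($policyFile)

# 4. Merge into the local policy. -Merge keeps the three default rules created in the
#    GUI (Program Files, Windows, Administrators); without them the administrators'
#    own tools would be blocked once the policy is enforced.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# 5. Check a file that lives outside Program Files before enforcing (the file must exist)
Test-AppLockerPolicy -XmlPolicy $policyFile -Path 'C:\JBKBApps\design2010.exe' -User Everyone

# 6. After running in Audit Only for a while, summarize what would have been blocked
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' `
    -EventType Audited -Statistics
```

Step 6 is the payoff of Audit only: the audited events list every executable that would have been denied, and the ones that are legitimate become the manual rules mentioned in step 2 before the switch to Enforce rules.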

Configure Internet Explorer

Windows 7 (except the E edition) ships with Internet Explorer 8 as its native web browser, which includes many extra security features.
Remember that all the settings here can be configured with GPO and IEAK8; the difference is that GPO sets values the end user cannot change, while IEAK8 only sets defaults that the end user can change.

Configuring compatibility view
Internet Explorer 8 has a new rendering engine that can cause compatibility problems for web sites designed for Internet Explorer 7's rendering engine. The Compatibility View function includes the Internet Explorer 7 rendering engine and can switch to that engine for specific sites (those that don't render satisfactorily with the Internet Explorer 8 engine).
If you go to Tools -> Compatibility View Settings you can change the default settings:

  • Include updated website lists from Microsoft – checked by default; gets an updated list from Microsoft of sites that need to run in Compatibility View.
  • Display intranet sites in Compatibility View – checked by default; all sites in the Local intranet zone are displayed in Compatibility View so that, for example, a company intranet written for Internet Explorer 7 still works.
  • Display all websites in Compatibility View – not checked by default; if checked, all web pages are rendered with the Internet Explorer 7 engine (Compatibility View).

Image:Certification-kb12-IE8-Compatibility-View-Settings.png

Internet Explorer 8 remembers which sites have been viewed in Compatibility View for future visits.

Configuring security settings
There are several new or updated security functions/settings; here they are in short format:

  • Enhanced Delete Browsing History – you can now keep cookies and temporary files for the sites in your Favorites and delete all the others. You also have the option to delete InPrivate Filtering data.
  • SmartScreen Filter – the new name; in Internet Explorer 7 it was called the Phishing Filter (I didn't like that name either, too hard to pronounce). Not only a new name: it has new features such as anti-malware support (known malware downloads and sites are blocked, not just phishing pages), improved Group Policy support, faster performance and an improved user interface.

Image:Certification-kb12-IE8-SmartScreenFilter.png

  • Cross-Site Scripting Filter – cross-site scripting (XSS) attacks are common. The filter detects reflected XSS, where script sent in the request is echoed back in the page, and neutralizes that script; it does not cover stored XSS or flaws in the site's own code.
  • Domain Name Highlighting – some try to fool end users with names that look like they come from a trusted source; for example http://www.ebay.onlinejbkb.com might look like it is from eBay, while the real domain is onlinejbkb.com. Domain Name Highlighting simply highlights the registered domain name in the address bar.

Image:Certification-kb12-IE8-DomainNameHiglighting.png

  • Tab Isolation – LCIE (Loosely-Coupled Internet Explorer) runs tabs in separate processes, so if one tab crashes it doesn't take down the other tabs or browser windows.

Configuring providers
Search providers are configured under Manage Add-ons – Search Providers, where you can add/remove search providers, set their order and the default, and tick Prevent programs from suggesting changes to my default search provider (not checked by default).

Managing add-ons
Toolbars and add-ons are the usual cause of Internet Explorer crashes, and Internet Explorer 8 gives you better control over add-ons and toolbars.
Toolbars now come with a cross/x on the right side so users can close toolbars more easily.
Image:Certification-kb12-IE8-Close-Toolbar-x.png
In the image above (Live Toolbar) you can close it just by pressing the "X", and you get the dialog below:
Image:Certification-kb12-IE8-Disable-Add-on.png

Managing Add-ons windows let you manage Toolbars and extensions, Search Providers, Accelerators and InPrivate Filtering.
Image:Certification-kb12-IE8-Manage-Add-ons.png

Controlling InPrivate mode
InPrivate mode has two functions: InPrivate Browsing and InPrivate Filtering.
InPrivate Browsing: this function exists in other browsers under other names; it is called Private Browsing in Firefox and Incognito in Chrome. When browsing InPrivate, the user's browsing history, temporary Internet files, form data, cookies and usernames/passwords are not stored or retained by the browser after the session ends. It does not hide the traffic from the network or from the web sites visited.
Image:Certification-kb12-IE8-InPrivate.png
InPrivate Filtering: this function tracks third-party content on web sites and gives the user control over which third-party content is downloaded and displayed. If the same third-party content appears frequently across web pages it can be blocked.
You set it to Automatically block, Choose content to block or allow, or Off (the default). When you enable InPrivate Filtering the default threshold is 10 sites using the same third-party content before it triggers; the user can change it (3 to 30). With Automatically block, all content that hits the threshold is blocked. With Choose content to block or allow, all content is Allowed by default but listed so you can set it to Blocked.
Image:Certification-kb12-IE8-InPrivate-filtering.png
Certificates for secure Web sites
If a site has a valid Extended Validation (EV) certificate the address bar turns green; a site with an ordinary valid certificate only shows the padlock.
Image:Certification-kb12-IE8-Certificate-https.png

If the site has an invalid certificate (expired, untrusted issuer or a name that doesn't match the site) you are shown a warning page and must click Continue to this website (not recommended) to reach the site.
Image:Certification-kb12-IE8-Certificate-https-problem.png

Configuring Network Connectivity (14%)

Configure IPv4 network settings

Not much has changed here in many years, so it is still the old material you need to know:
IPv4 addresses are 32 bits long, and the (sub)net mask decides which bits are network and which bits are host. APIPA addresses are not routed but give access to other APIPA clients on the same segment; the range is 169.254.0.0/16. Keep in mind that if an ipconfig output shows a 169.254.0.0/16 address, that machine is a DHCP client that failed to get a lease.
Know ping/tracert/pathping/arp.
Know the private address ranges and that those addresses are not routable on the Internet:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16
  • (APIPA: 169.254.0.0/16)

Remember that when you calculate how many hosts a subnet holds you must remove 2 "reserved" addresses: all host bits set to 1 is the broadcast address and all host bits set to 0 is the network address. Example: 10.46.0.0/28 leaves 4 bits for hosts, which is 16 addresses, but because 1111 = broadcast and 0000 = network only 16 - 2 = 14 are left for clients/servers/routers etc. The exam will certainly play on this: you need a range for a certain number of servers/clients/printers and it tests that you understand the calculation.

Know that with subnetting you split one assigned network ID into smaller broadcast domains (255.255.0.0 to 255.255.128.0) and that supernetting is the opposite, merging two smaller networks into a bigger one (255.255.0.0 to 255.254.0.0).
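The subnet arithmetic above, written out as an added example (not from the original KB) so the network/broadcast/usable-host calculation and the private-range check can be run against any address. It is written for Windows PowerShell 2.0, the version that ships with Windows 7, which is why it avoids the shift operators; the 10.46.0.0/28 block and the private ranges are the ones the text uses.

```powershell
# Added example (not part of the original KB). Works on Windows PowerShell 2.0, the
# version that ships with Windows 7, so it avoids the -shl/-shr operators.

function ConvertTo-UInt32 {
    # Dotted-quad string -> 32-bit integer
    param([string]$DottedQuad)
    $bytes = [System.Net.IPAddress]::Parse($DottedQuad).GetAddressBytes()
    [array]::Reverse($bytes)        # network byte order -> little endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-UInt32 {
    # 32-bit integer -> dotted-quad string
    param([uint32]$Value)
    $bytes = [BitConverter]::GetBytes($Value)
    [array]::Reverse($bytes)
    return ($bytes -join '.')
}

function Get-SubnetInfo {
    # Network address, broadcast address, mask and usable host count for a CIDR block
    param([string]$Cidr)                             # e.g. '10.46.0.0/28'
    $addr, $prefix = $Cidr -split '/'
    $prefix = [int]$prefix
    $ip   = ConvertTo-UInt32 $addr
    # The mask has the top $prefix bits set: 2^32 - 2^(32-prefix)
    $mask = [uint32]([Math]::Pow(2, 32) - [Math]::Pow(2, 32 - $prefix))
    $network   = [uint32]($ip -band $mask)           # host bits all 0
    $hostBits  = (-bnot [int64]$mask) -band 0xFFFFFFFF
    $broadcast = [uint32]($network -bor $hostBits)   # host bits all 1
    # /31 and /32 have no network/broadcast pair; everything else loses those two addresses
    $total  = [int64][Math]::Pow(2, 32 - $prefix)
    $usable = if ($prefix -ge 31) { $total } else { $total - 2 }
    New-Object PSObject -Property @{
        Cidr        = $Cidr
        Network     = ConvertFrom-UInt32 $network
        Broadcast   = ConvertFrom-UInt32 $broadcast
        Mask        = ConvertFrom-UInt32 $mask
        UsableHosts = $usable
    }
}

function Test-PrivateIPv4 {
    # Returns the RFC 1918 or APIPA block the address falls in, or $null if it is public
    param([string]$Address)
    $ip = ConvertTo-UInt32 $Address
    foreach ($block in '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '169.254.0.0/16') {
        $info = Get-SubnetInfo $block
        $mask = ConvertTo-UInt32 $info.Mask
        if ([uint32]($ip -band $mask) -eq (ConvertTo-UInt32 $info.Network)) { return $block }
    }
    return $null
}

# The KB's example block: 4 host bits, two of them reserved
Get-SubnetInfo '10.46.0.0/28' | Format-List Cidr, Network, Broadcast, Mask, UsableHosts
# Supernet: two /16 networks merged into one /15 (mask 255.254.0.0)
Get-SubnetInfo '10.46.0.0/15' | Format-List Cidr, Network, Broadcast, Mask, UsableHosts
# A 169.254.x.x address on a DHCP client means the lease failed
Test-PrivateIPv4 '169.254.12.7'
Test-PrivateIPv4 '8.8.8.8'
```

Test-PrivateIPv4 is the check to run over a list of addresses pulled from ipconfig output or a firewall log: anything that comes back as 169.254.0.0/16 is a machine without a DHCP lease, and anything that comes back $null on an internal interface is worth a second look.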

Configure IPv6 network settings

Even if the exam will probably test mostly IPv4, you should know that IPv6 is fully supported by Windows 7.
IPv6 addresses are 128 bits long and therefore much longer to write, so know that :: is shorthand for a single run of zero groups. 2001:AA12::A3D1:7AAE is the short form of 2001:AA12:0000:0000:0000:0000:A3D1:7AAE (only the hex digits 0-9 and A-F are valid in an address).
Unicast IPv6 addresses use the first 64 bits for the network prefix and the last 64 bits for the interface ID. The interface ID can be derived from the 48-bit MAC address (EUI-64), but Windows 7 generates random interface IDs by default.

  • Global addresses: start with 2000-3FFF (2000::/3); example 3ABA::1 is a global address.
  • Link-local addresses: start with FE80; example FE80::AA12:231E:FFFF:12BC%2, where %2 is the zone ID (the interface index, unique on the host). Think of a link-local address as the IPv4 APIPA address, self-configured, except that an interface always gets a link-local address.
  • Unique local addresses: start with FD (FC00::/7); example FD46::1. Think of these as the IPv4 private addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

Know that IPv6 doesn't use ARP as IPv4 does; IPv6 uses Neighbor Discovery (ND). ND is not immune to spoofing: a rogue Neighbor Advertisement or Router Advertisement on the local link poisons neighbor caches much like ARP poisoning does, and the protection that exists for it (SEND, RFC 3971, and RA Guard on switches) is not implemented in Windows 7 itself.

Configure network settings

Configuring location-aware printing
Windows 7 supports Location-Aware Printing, a new feature available only in the Professional/Ultimate/Enterprise editions. On a stand-alone (or domain-joined) Windows 7 machine you can set a different default printer depending on which network you are connected to, for example one default printer at home and another at work.
Image:Certification-kb12-Printer-change-default-location.png

Configure Windows Firewall

Windows Firewall is enabled by default for all connections. By default:

  • The firewall drops all inbound traffic except traffic sent in response to a request from your computer and traffic allowed by an exception (an allow rule).
  • All outbound traffic is allowed unless it matches a block rule.
  • Windows Firewall filters both inbound and outbound traffic (as it did in Vista; the XP SP2 firewall was inbound only).

Windows Firewall has 3 network location types, and different firewall rules apply depending on the type:

  • Domain – used when your computer is joined to an Active Directory domain and can reach a domain controller
  • Private – used when your computer is connected to a Home or Work network in a workgroup
  • Public – used for untrusted networks such as wireless hotspots; the most restrictive profile, with network discovery and file sharing off
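The defaults and profiles above, checked and changed from the command line as an added example (not from the original KB). On Windows 7 the scriptable interface is netsh advfirewall (the NetSecurity PowerShell cmdlets only arrived in Windows 8); the telnet.exe outbound block is an illustration of a profile-bound rule, not a recommendation from the KB.

```powershell
# Added example, not part of the original KB. Run elevated. netsh advfirewall is the
# scriptable interface on Windows 7 (the NetSecurity cmdlets only arrived in Windows 8).

# Per-profile defaults: expect "Firewall Policy  BlockInbound,AllowOutbound" for all three
netsh advfirewall show allprofiles

# Which profile (Domain / Private / Public) the active connection is using right now
netsh advfirewall show currentprofile

# Log dropped packets on every profile; the log is the first place to look when
# "the app works at the office but not on the hotspot"
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"

# Outbound is allow-by-default, so an outbound restriction needs an explicit block rule.
# This one only applies on Public networks; telnet.exe is just an example program.
$ruleName = 'Block telnet on public networks'
netsh advfirewall firewall add rule "name=$ruleName" dir=out action=block `
    "program=$env:SystemRoot\System32\telnet.exe" profile=public enable=yes

# Confirm the rule and the profile it is bound to, then remove it again
netsh advfirewall firewall show rule "name=$ruleName" verbose
netsh advfirewall firewall delete rule "name=$ruleName"
```

Because an outbound block is the exception rather than the default, keep the profile= scope on such rules: a rule without it applies on the domain network as well, which is usually not what was intended.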

Configuring Access to Resources (13%)

Configure shared resources

Configuring HomeGroup settings
HomeGroup is a new concept and, as the name implies, it is used at home (in contrast to a domain/workgroup). It works on all editions of Windows 7, but the Starter and Home Basic editions cannot create a HomeGroup; they can only join an existing one.
When you set up a new computer a HomeGroup is created automatically if one doesn't already exist on your home network. To join an existing HomeGroup your network location must be set to Home network (not Work network, Public network or Domain) and you must enter the correct password (created when the HomeGroup was set up).
Image:Certification-kb12-HomeGroup-Create-PWD.png

Control Panel -> Network and Internet -> HomeGroup
Image:Certification-kb12-HomeGroup-settings.png
Here you choose what to share and can also change the HomeGroup password.

If you want to share other folders (beyond the Pictures/Music/Videos/Printers/Documents libraries), select a folder in Explorer, open the Share with menu and choose:

  1. Nobody
  2. Homegroup (Read)
  3. Homegroup (Read/Write)
  4. Specific people…

Image:Certification-kb12-HomeGroup-SharePermission.png

Configure user account control (UAC)

User Account Control (UAC for the rest of this KB) is nothing new; it has existed in Windows Vista and Windows Server 2008 for some years now.
Basically UAC works like this: when a user who is a member of the local Administrators group logs on, Windows creates 2 access tokens: a filtered standard-user token (the admin group SIDs are marked deny-only and the admin privileges are removed) and the full token with admin rights. Explorer.exe (the desktop) runs with the filtered token and every child process inherits it. When more rights/permissions are needed, UAC prompts and, depending on the settings, the process is started with the full admin token.
Windows 7 also includes UAC and it works as before, with some improvements:

  • An increased number of tasks that a standard user can perform without being prompted for admin approval.
  • Administrators can configure the UAC experience with a slider (changing the level requires a restart to take effect).

Image:Certification-kb12-UAC-settings.png

  • Local Security Policy settings to change the behavior of UAC prompts for administrators in Admin Approval Mode and for standard users.

 

Configuring local security policy
Local Computer Policy settings change the behavior of UAC; they are found under: Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options
Image:Certification-kb12-Local-Computer-Policy-UAC.jpg

Here are the 10 different settings; the important ones for the exam are in bold:

  1. User Account Control: Admin Approval Mode for the built-in Administrator account – Disabled by default, which means the built-in Administrator account bypasses UAC; if enabled it is treated like any other administrator account.
  2. User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop – Disabled by default; if enabled, UIAccess applications such as Remote Assistance can prompt for elevation without being blocked by the Secure Desktop.
  3. User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode – Set to Prompt for consent for non-Windows binaries by default (more about this setting further below in this KB).
  4. User Account Control: Behavior of the elevation prompt for standard users – Set to Prompt for credentials on the secure desktop by default (more about this setting further below in this KB).
  5. User Account Control: Detect application installations and prompt for elevation – Enabled by default on the Home editions and disabled by default on the Enterprise edition, since in an enterprise you may deploy applications with SMS/SCCM/GPO and want them to install silently.
  6. User Account Control: Only elevate executables that are signed and validated – Disabled by default; even though it is good for security it is not practical, since not all executables are signed.
  7. User Account Control: Only elevate UIAccess applications that are installed in secure locations – Enabled by default; only UIAccess applications installed under %SystemDrive%\Program Files (including sub-folders), %SystemDrive%\Program Files (x86) (including sub-folders, on 64-bit editions) and %SystemDrive%\Windows\System32 are elevated.
  8. User Account Control: Run all administrators in Admin Approval Mode – Enabled by default, and if it is disabled the whole of UAC is disabled! Know this for the exam, as they will try to trick you on this one.
  9. User Account Control: Switch to the secure desktop when prompting for elevation – Enabled by default; all elevation requests go to the Secure Desktop, which dims the screen until you answer.
  10. User Account Control: Virtualize file and registry write failures to per-user locations – Enabled by default; if a non-elevated program tries to write to HKLM in the registry or to, for example, c:\program files or c:\windows\system32 and fails, this setting redirects the write to the user profile instead so the program keeps working. A good example is http://triplea.sourceforge.net/, a game that wants saved games in a sub folder of the game installation (by default under c:\program files); they end up under %UserProfile%\AppData\Local\VirtualStore instead.

Configuring admin vs. standard UAC prompt behaviors
For administrators in Admin Approval Mode, Behavior of the elevation prompt for administrators in Admin Approval Mode has 6 different settings, from not notifying at all when elevating, to prompting for a password on the secure desktop, and everything in between. Prompt for consent means the user just accepts/denies the elevation of a program/process without entering a password.
Image:Certification-kb12-UAC-GPO-AdminApproval.png

For normal users (with no administrator rights/privileges) there are 3 different settings:

  1. Automatically deny elevation requests – gives an error each time admin rights/privileges are needed.
  2. Prompt for credentials on the secure desktop (default) – prompts for administrator credentials on the secure desktop.
  3. Prompt for credentials – same as above but without the Secure Desktop.

Image:Certification-kb12-UAC-GPO-ElevateUser.png

Configuring Secure Desktop
Secure Desktop is an extra layer of security that is enabled by default but can be turned off with Local Security Policy/GPO. When an executable requests elevation the user's desktop is switched to the Secure Desktop (the user desktop is dimmed) and the user gets the question to elevate (Yes or No). Only Windows processes running as SYSTEM can draw on the Secure Desktop, which is why malware running in the user session cannot spoof the prompt or click through it.
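The ten policies and the prompt behaviors above are backed by registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The following added example (not from the original KB) audits those values against the Windows 7 defaults listed above, decodes the two prompt-behavior settings, flags the EnableLUA = 0 case the exam likes, and shows the filtered token in action: with UAC on, an administrator's normal session reports that it is not in the Administrators role.

```powershell
# Added example, not part of the original KB. Reads the registry values behind the ten
# policies above and compares them with the Windows 7 defaults listed in the KB.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Value name -> Windows 7 default (number = policy in the list above)
$expected = @{
    FilterAdministratorToken    = 0   # 1. Admin Approval Mode for the built-in Administrator
    EnableUIADesktopToggle      = 0   # 2. UIAccess apps may prompt without the secure desktop
    ConsentPromptBehaviorAdmin  = 5   # 3. Prompt for consent for non-Windows binaries
    ConsentPromptBehaviorUser   = 1   # 4. Prompt for credentials on the secure desktop
    ValidateAdminCodeSignatures = 0   # 6. Only elevate signed and validated executables
    EnableSecureUIAPaths        = 1   # 7. Only elevate UIAccess apps in secure locations
    EnableLUA                   = 1   # 8. Run all administrators in Admin Approval Mode
    PromptOnSecureDesktop       = 1   # 9. Switch to the secure desktop when prompting
    EnableVirtualization        = 1   # 10. Virtualize file and registry write failures
}
# 5. EnableInstallerDetection is left out on purpose: its default depends on the edition
$adminPrompt = @{ 0 = 'Elevate without prompting'; 1 = 'Prompt for credentials on the secure desktop'
                  2 = 'Prompt for consent on the secure desktop'; 3 = 'Prompt for credentials'
                  4 = 'Prompt for consent'; 5 = 'Prompt for consent for non-Windows binaries' }
$userPrompt  = @{ 0 = 'Automatically deny elevation requests'
                  1 = 'Prompt for credentials on the secure desktop'; 3 = 'Prompt for credentials' }

function Get-UacAudit {
    $current = Get-ItemProperty -Path $uacKey
    foreach ($name in $expected.Keys) {
        $value = $current.$name
        if ($value -eq $null) { $value = $expected[$name] }   # absent value = OS default
        New-Object PSObject -Property @{
            Setting  = $name
            Value    = [int]$value
            Default  = $expected[$name]
            Deviates = ([int]$value -ne $expected[$name])
        }
    }
}

function Test-ElevatedSession {
    # With UAC on, an administrator's normal session holds the filtered token, so this
    # returns $false even though the account is in the Administrators group
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$audit = Get-UacAudit
$audit | Sort-Object Setting | Format-Table Setting, Value, Default, Deviates -AutoSize

$current = Get-ItemProperty -Path $uacKey
if ([int]$current.EnableLUA -eq 0) {
    Write-Warning 'EnableLUA = 0: UAC is completely disabled, every other setting is moot'
}
'Admin prompt : ' + $adminPrompt[[int]$current.ConsentPromptBehaviorAdmin]
'User prompt  : ' + $userPrompt[[int]$current.ConsentPromptBehaviorUser]
'Secure desktop for prompts: ' + ([int]$current.PromptOnSecureDesktop -eq 1)
'This session is elevated  : ' + (Test-ElevatedSession)
```

Run it twice, once from a normal PowerShell window and once from one started with Run as administrator: the audit table is the same, but Test-ElevatedSession flips from False to True, which is exactly the two-token behavior described at the start of this section.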

Configure BranchCache

BranchCache is a new feature that reduces WAN link utilization: the first client in a branch office downloads a file from the Main Office, and when a second client in the branch requests the same file it doesn't go over the WAN link but asks the first client for a copy.


Exam tip: know that only the Windows 7 Enterprise and Ultimate editions support BranchCache.


In short, the client requests a file from a BranchCache-enabled server over the WAN link via HTTP/SMB/BITS (optionally protected with IPsec). The client then checks, using the BranchCache discovery protocol (WS-Discovery), whether the file is already cached locally on the LAN, either on other Windows 7 clients or on a local Windows Server 2008 R2. If the file is found locally it is fetched from there; if not, the client takes the file from the remote Main Office server and caches it locally so the next client doesn't have to cross the WAN for it. The Main Office server still authorizes every request and only hands out the content hashes, which the client uses to verify what a peer serves, so a peer cannot feed altered data or content the user isn't allowed to read.

Network infrastructure requirements
You will need at least one Windows Server 2008 R2 with the BranchCache feature installed (a second server for Hosted Cache mode) and Windows 7 Enterprise/Ultimate clients (BranchCache is installed by default but not enabled). Hosted Cache mode needs a server certificate on the Hosted Cache server that the clients trust, so a certificate infrastructure is required for that mode; IPsec is optional.

Distributed cache mode vs. hosted mode
Know these 2 modes and that only one can be active on a client at a time:

  1. Distributed Cache Mode – the branch office needs no servers, just Windows 7 clients; files requested from the Main Office are cached on the clients and shared between them.
  2. Hosted Cache Mode – the branch office has one (or more) Windows Server 2008 R2 machines that host the files cached from the Main Office file server. The advantage is that clients that aren't always online can still get the cached file from the local server.

Regardless of mode, the first access of a file goes to the Main Office; thereafter the file is served locally.

Configuration settings
By default BranchCache is installed but not enabled. The first step is to enable BranchCache on the clients and choose either Distributed Cache mode or Hosted Cache mode; this is done either with GPO or with netsh (GPO overrides netsh).

  • GPO: Local Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> BranchCache; set Turn on BranchCache to Enabled and then set one of Set BranchCache Distributed Cache mode or Set BranchCache Hosted Cache mode to Enabled.

Image:Certification-kb12-GPO-BranchCache-enable.png

Image:Certification-kb12-GPO-BranchCache-Hosted-Cache.png

  • Netsh: netsh branchcache set service mode=DISTRIBUTED (for Distributed Cache mode) or netsh branchcache set service mode=HOSTEDCLIENT LOCATION=jbkbserver01.jbkb.local (for Hosted Cache mode)

Certificate management
If you use Hosted Cache mode, the Hosted Cache server must have a server certificate that the BranchCache clients trust (the clients talk to it over HTTPS). If the issuing CA isn't trusted by the clients, export the CA certificate from the server and import it into the Trusted Root Certification Authorities store of the local computer account on the clients.
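The netsh configuration, the firewall rule groups each mode depends on, and the certificate trust check for Hosted Cache mode, as an added example that is not part of the original KB. jbkbserver01.jbkb.local is the KB's example server name; the Test-HostedCacheCertificate function is an assumption about how to verify trust and simply fetches the server's HTTPS certificate and builds the chain with the client's own stores.

```powershell
# Added example, not part of the original KB. Run elevated on a Windows 7 Enterprise/
# Ultimate client. jbkbserver01.jbkb.local is the KB's example Hosted Cache server name.
$mode   = 'hostedclient'      # 'distributed' or 'hostedclient'
$server = 'jbkbserver01.jbkb.local'

# 1. Mode selection (a GPO setting, if present, overrides what netsh sets here)
if ($mode -eq 'distributed') {
    netsh branchcache set service mode=distributed
    $groups = 'BranchCache - Content Retrieval (Uses HTTP)', 'BranchCache - Peer Discovery (Uses WSD)'
} else {
    netsh branchcache set service "mode=hostedclient" "location=$server"
    $groups = 'BranchCache - Content Retrieval (Uses HTTP)', 'BranchCache - Hosted Cache Client (Uses HTTPS)'
}

# 2. Enable the built-in firewall rule groups that mode needs (TCP 80 for content, UDP 3702
#    for WS-Discovery between peers, TCP 443 towards the Hosted Cache server)
foreach ($g in $groups) { netsh advfirewall firewall set rule "group=$g" new enable=yes }

# 3. Verify mode, cache size and, in hosted mode, the configured server
netsh branchcache show status all

# 4. Hosted Cache clients talk HTTPS to the server, so its certificate must chain to a CA
#    the client trusts. Fetch the certificate and build the chain with the local stores.
function Test-HostedCacheCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any certificate during the handshake; the trust decision is made with X509Chain below
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList ($tcp.GetStream()), $false, $accept
    $ssl.AuthenticateAsClient($HostName)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'        # keep the check offline
    $trusted = $chain.Build($cert)
    $tcp.Close()
    New-Object PSObject -Property @{
        Subject             = $cert.Subject
        Issuer              = $cert.Issuer
        NotAfter            = $cert.NotAfter
        TrustedByThisClient = $trusted
        NameMatches         = ($cert.GetNameInfo('DnsName', $false) -eq $HostName)
    }
}
if ($mode -eq 'hostedclient') { Test-HostedCacheCertificate -HostName $server }
```

If TrustedByThisClient comes back False, the Issuer field tells you which CA certificate has to be imported into the computer's Trusted Root Certification Authorities store; if NameMatches is False, the clients are pointing at a name the certificate was not issued for and a new certificate is needed rather than a trust change.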

Configuring Mobile Computing (10%)

Configure BitLocker and BitLocker To Go

Know the 2 ways to use BitLocker:
1. Trusted Platform Module (TPM) 1.2 chip: the key that unlocks the drive is sealed in the TPM (preferred option).
2. Store the key on a USB flash drive (this option must be enabled in Group Policy and is not enabled by default); the USB flash drive must be present at every startup.
If any of the following changes, BitLocker will lock the drive and it goes into recovery mode, so the recovery password/key is needed before it can be read:

  • Disable TPM in BIOS
  • Clear TPM
  • The BitLocker-encrypted disk is moved to another computer
  • Changes in boot files
  • Boot without the TPM, PIN or USB flash drive.

BitLocker To Go is used for removable storage and includes a discovery volume, hidden on Windows 7 but visible on XP and Vista, that contains the BitLocker To Go Reader used to unlock the drive (read-only) with the password.
When you enable BitLocker on a removable disk you choose how to unlock the drive: with a password you specify or with a smart card.
Image:Certification-kb12-BitLocker-RemovableDrive.png
You then get 2 options for storing the recovery key: save it to a file or print it.

Configuring BitLocker and BitLocker To Go policies
Here are some of the most important "BitLocker To Go" GPOs:

  • Allow access to BitLocker-protected removable data drives from earlier versions of Windows – If this is not configured or enabled, earlier versions such as Vista and XP SP2 and later can unlock the drive (read-only) with BitLocker To Go Reader. There is also a checkbox Do not install BitLocker To Go Reader on FAT formatted removable drives.
  • Deny write access to removable drives not protected by BitLocker – If this policy is enabled, removable disks that aren't protected with BitLocker are mounted read-only.
  • Control use of BitLocker on removable drives – If this policy is enabled or not configured, users can run the BitLocker wizard to protect removable drives.

Here are some of the most important BitLocker GPOs:

  • Require additional authentication at startup – If the checkbox "Allow BitLocker without a compatible TPM" is checked, you can boot with a startup key on a removable USB flash drive. This is not checked by default, so by default only machines with a TPM chip can use BitLocker. This policy also sets how the TPM can be combined with a startup key and/or PIN.

Image:Certification-kb12-BitLocker-GPO-Require-additional-authentication-at-startup.png

  • Configure minimum PIN length for startup – If this is disabled or not configured the minimum length is 4 (and the maximum 20); if enabled you can set a value from 4 to 20.

Image:Certification-kb12-GPO-BitLocker-MinPIN.png

  • Choose drive encryption method and cipher strength – The default is AES 128-bit with Diffuser, but it can be changed to AES 256-bit with Diffuser, AES 128-bit or AES 256-bit.

If you have a TPM 1.2 chip you can use the TPM alone, or together with a PIN, a startup key, or both. Without a TPM you can only specify a startup key.
Image:Certification-kb12-BitLocker-Startup-Preferences.png
The image above shows only the startup key options, because that computer has no TPM 1.2 chip.

If BitLocker is enabled and you need to change BIOS settings, upgrade hardware or update the OS, suspend protection first and then make the changes. You could turn off BitLocker, but then you would need to encrypt the drive again from scratch to get protection back (and new keys are created).
Image:Certification-kb12-BitLocker-Panel.png

Data recovery agent support
When enabling BitLocker you get the option to save or print the recovery key; saving means either to a file or to a USB flash drive.
Image:Certification-kb12-BitLocker-Recovery-Key.png
The Data Recovery Agent must be configured with a proper certificate, and you add it under Add Data Recovery Agent in Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> BitLocker Drive Encryption (nearly the same path in GPMC).
Image:Certification-kb12-BitLocker-AddDataRecoveryAgent.png

In the wizard either add a user who has the correct certificate or add a certificate file (.cer) directly.

Know that the command line tool for all of this is manage-bde.
For example, on a BitLocker-enabled machine that is decrypting (disabling BitLocker), you can run this command to see the status:

manage-bde -Status

Image:Certification-kb12-BitLocker-manage-bde.png

In a domain environment the recommendation is to store BitLocker recovery information for system drives in AD DS; the BitLocker GPOs can also require that the backup to AD DS succeeds before encryption starts.
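The status, cipher and key-protector checks above, as an added example that is not part of the original KB. It uses the Win32_EncryptableVolume WMI class that manage-bde itself sits on top of, so it answers the questions the section raises for every volume at once: is protection on, which cipher is in use, is there a recovery password or DRA, and what to do before a firmware change. The numeric-to-name tables are the documented values of that class.

```powershell
# Added example, not part of the original KB. Run elevated; it uses the Win32_EncryptableVolume
# WMI class that manage-bde itself sits on top of.
$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

$conversion = @{ 0 = 'Fully decrypted'; 1 = 'Fully encrypted'; 2 = 'Encryption in progress'
                 3 = 'Decryption in progress'; 4 = 'Encryption paused'; 5 = 'Decryption paused' }
$method     = @{ 0 = 'None'; 1 = 'AES-128 with Diffuser'; 2 = 'AES-256 with Diffuser'; 3 = 'AES-128'; 4 = 'AES-256' }
$protector  = @{ 1 = 'TPM'; 2 = 'External key (startup key)'; 3 = 'Numerical password (recovery password)'
                 4 = 'TPM and PIN'; 5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key'
                 7 = 'Public key (certificate / data recovery agent)'; 8 = 'Passphrase' }

function Get-BitLockerAudit {
    foreach ($vol in Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume) {
        $types = @()
        $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID     # 0 = every protector type
        foreach ($id in @($ids)) {
            if ($id) { $types += $protector[[int]$vol.GetKeyProtectorType($id).KeyProtectorType] }
        }
        New-Object PSObject -Property @{
            Drive               = $vol.DriveLetter
            ProtectionOn        = ($vol.ProtectionStatus -eq 1)
            Conversion          = $conversion[[int]$vol.GetConversionStatus().ConversionStatus]
            Method              = $method[[int]$vol.GetEncryptionMethod().EncryptionMethod]
            Protectors          = ($types -join ', ')
            HasRecoveryPassword = ($types -contains $protector[3])
            HasRecoveryAgent    = ($types -contains $protector[7])
        }
    }
}

$report = Get-BitLockerAudit
$report | Format-Table Drive, ProtectionOn, Conversion, Method, Protectors -AutoSize

# A protected drive with no recovery password and no DRA is one firmware update away from
# being unreadable (see the list of changes that lock the drive above)
$report | Where-Object { $_.ProtectionOn -and -not ($_.HasRecoveryPassword -or $_.HasRecoveryAgent) } |
    ForEach-Object { Write-Warning "$($_.Drive) is BitLocker-protected but has no recovery password or DRA" }

# Before BIOS/firmware or boot-file changes: suspend rather than turn off. The data stays
# encrypted, the volume key is temporarily stored in the clear on the disk, and -enable
# re-seals it afterwards.
#   manage-bde -protectors -disable C:
#   ... apply the update and reboot ...
#   manage-bde -protectors -enable C:
```

Suspension is the step the section recommends for BIOS and hardware changes; the WMI report run before and after it confirms that the protectors are back and that ProtectionOn is True again, which is the part people forget after the reboot.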

Configure DirectAccess

DirectAccess is the latest technology to replace the need for a VPN. It is always on and needs no user action: the client detects whether it is on the internal network (then DirectAccess is not used) and, when it is outside, connects to the DirectAccess server even before a user logs on, so files and intranet resources are reachable wherever you are. The solution requires the latest technology on servers (Windows Server 2008 R2), clients (Windows 7 Ultimate/Enterprise) and network (IPv6/IPsec).

Configuring client side
First of all, the Windows 7 edition must be Enterprise or Ultimate. Second, the machine must be joined to an Active Directory domain.
I have had problems finding any special local GPO or client settings on Windows 7; it might all be managed from Windows Server 2008 R2.

Configuring authentication
The DirectAccess client establishes 2 IPsec tunnels (a NAP check of the computer's security health can be done first, but it is optional and out of scope for this KB).

  1. Infrastructure tunnel: IPsec ESP, authenticated with the computer certificate and the computer account, used to reach the intranet DNS servers and domain controllers so that Group Policy and authentication work before logon.
  2. Intranet tunnel: IPsec ESP, authenticated with the computer certificate plus the user's Kerberos credentials, used when reaching resources on the intranet.
    1. End-to-end protection – a separate IPsec connection to each resource/server; more secure, but requires the applications/servers to run IPv6 and IPsec.
    2. End-to-edge protection – one IPsec connection to an IPsec gateway (which can be the DirectAccess server); the gateway forwards all requests to the intranet without IPsec protection.

By default username and password (Kerberos) are used for user authentication; a smart card can be required as an extra layer of security.
After the IPsec connections are established with certificates, the DirectAccess server verifies that the client computer and the user are members of the AD groups authorized for DirectAccess.

Network infrastructure requirements

  • At least one DirectAccess server running Windows Server 2008 R2 with two NICs: one connected directly to the Internet and a second connected to the intranet.
  • At least 2 consecutive public IPv4 addresses assigned to the NIC on the DirectAccess server that is connected to the Internet.
  • DirectAccess clients running Windows 7 (Enterprise/Ultimate edition) or Windows Server 2008 R2.
  • Active Directory domain, DNS and Group Policy
  • PKI and IPsec
  • IPv6 transition technologies on the DirectAccess server: ISATAP, Teredo, 6to4 and IP-HTTPS.

Monitoring and Maintaining Systems that Run Windows 7 (11%)

Monitor systems

Event subscriptions
Event subscriptions work more or less the same as they did in Vista, with some smaller changes. One change is that Windows Remote Management has moved from TCP port 80/443 to 5985/5986 (where 5985 is set up by default and 5986, the encrypted listener, needs extra actions).
Event subscriptions work so that one machine forwards its Event Viewer entries to a collecting computer.
To enable a Windows 7 machine to forward Event Viewer entries you need to run the following command:

winrm quickconfig

If you answer Yes to all questions, a listener will be created on port TCP/5985.
Image:Certification-kb12-WinRM-QuickConfig.jpg

To give a remote machine named JBKB-Desktop245 (in domain jbkb.local) permission to collect Event Viewer entries from the local forwarding machine, the machine account needs to be added to the local group named Event Log Readers, for example:

net localgroup "Event Log Readers" JBKB-Desktop245$@jbkb.local /add

Notice the $ after the machine name.

Now the forwarding machine has been configured to listen for incoming requests from the collecting machine (in this case JBKB-Desktop245).

To enable a Windows 7 machine to collect Event Viewer entries from a forwarding machine you need to start the Windows Event Collector service by running the following command:

wecutil qc

Image:Certification-kb12-Wecutil-qc.png

Now you can create a subscription in Event Viewer and decide which entries you want to collect.

Configuring Backup and Recovery Options (11%)

Configure Backup

The new updated backup in Windows 7 is a big improvement over Vista's built-in backup, which couldn't specify a single file or folder to back up; now you can do that again :-).
Start the Backup wizard and choose where to save the backup; possible choices are writable CD/DVD or external hard disks. It is also possible to "Save on a network…", where you specify a UNC path together with a username and password with permission on the share.
If you later want the possibility to do a system image (VHD) you must specify an NTFS disk.
Image:Certification-kb12-BackUp-Media.png

What do you want to back up? Either you let Microsoft choose, getting all documents/music/video/e-mails/compressed files/data in libraries and the desktop, or you pick Let me choose, which lets you choose extra folders outside the user profile such as c:\jbkb\important data.
Image:Certification-kb12-BackUp-WhatToBackUp.png

If you choose Let me choose you can browse the disk and add folders of your choice. If the disk you choose for the backup is large enough and has the NTFS file system you can do a system image by checking Include a system image (it will be saved under WindowsImagesBackup\%ComputerName%\xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.vhd as a virtual hard disk!)
Image:Certification-kb12-BackUp-WhatToBackUp2.png

Then you get a Review page and can change the default schedule time (always back up on a Sunday?)
Image:Certification-kb12-BackUp-Review.png

Links

http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-680&locale=en-us#tab1 Certification 70-680 Windows 7, Configuration.
http://technet.microsoft.com/en-us/library/dd349342(WS.10).aspx – TechNet info on Windows 7; a lot of this KB is based on this information.
http://en.wikipedia.org/wiki/Windows_7_editions#Comparison_chart – Compare different Windows 7 versions
http://www.microsoft.com/downloads/details.aspx?FamilyID=A9A1ED8A-71AB-468E-A7E0-470FD46E46B3&displaylang=en – BranchCache Early Adopter’s Guide
http://www.microsoft.com/downloads/details.aspx?familyid=64966e88-1377-4d1a-be86-ab77014495f4&displaylang=en – DirectAccess
http://www.microsoft.com/downloads/details.aspx?FamilyID=19d2fc2b-a7f2-4aad-a1e2-6bbb773fb78b&displaylang=en – Internet Explorer 8 Technology Overview for IT Pros
http://www.windowsnetworking.com/articles_tutorials/Deploying-Windows-7-Part2.html – good DISM.exe examples.

http://www.john.bryntze.net/jbkb/index.php?title=Certification-kb12_070-680_TS_Windows_7_Configuring_-_Exam_Notes#Configuring_Access_to_Resources_.2813.25.29


Installing Firescrum

Published: October 5, 2010 in Projects
FireScrum 1.0 Beta 3 Release Notes
1. Overview
FireScrum 1.0 Beta delivers the third public beta release package.
2. Installation Prerequisites
Before installing FireScrum, make sure the following products, with the specified versions, are installed on your system:
* Java 6 Development Kit (JDK)  -> http://java.sun.com/javase/downloads/index.jsp
* Tomcat 6.x -> http://tomcat.apache.org/download-60.cgi
* Red5 Server 0.7.0   -> http://osflash.org/red5/070final
* PostgreSQL 8.x -> http://www.postgresql.org/download/
After installing the JDK, set or modify the following environment variables:
* JAVA_HOME — set this environment variable
to point at the root directory of the JDK installation.
* PATH — make sure that your PATH includes:
%JAVA_HOME%\bin  (Windows)
$JAVA_HOME/bin   (UNIX)
3. New Installation
3.1 Create target database (Ex. firescrum) in PostgreSQL.
3.2 Copy firescrum.war to Tomcat webapps folder.
3.3 Start Tomcat.
3.4 Edit the webapps\firescrum\WEB-INF\applicationContext.xml file:
– Configure the database connection in the following section
<bean id="dataSource">
<property name="driverClassName" value="org.postgresql.Driver" />
<property name="url" value="jdbc:postgresql://<your host name>/firescrum" />
<property name="username" value="<your database username>" />
<property name="password" value="<your database password>" />
</bean>
– Configure Hibernate to generate the FireScrum database by setting the "hibernate.hbm2ddl.auto" property to "create"
<prop key="hibernate.hbm2ddl.auto">create</prop>
3.5 Restart Tomcat; the tables and data will be created in the database.
3.6 Edit webapps\firescrum\WEB-INF\applicationContext.xml again and remove the following line, or change its value to "update", and save.
<prop key="hibernate.hbm2ddl.auto">create</prop>
3.7 Copy the firescrumServer folder to the Red5 webapps folder.
3.8 Start Red5.
3.9 Update the RTMP_CONNECTION_STRING row of the config table in the database, setting your hostname or IP in the value field.
Ex: rtmp://<your hostname>/firescrumServer/
3.10 Open http://<your hostname>:8080/firescrum in your browser to reach the project main page.
3.11 Log in with user name "admin" and password "admin".
3.12 Enjoy!
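A pre-flight check for the steps above, added here as an example (it is not part of the FireScrum release notes): it scans applicationContext.xml for the two things step 3.6 tells you to fix before the system goes live, a hibernate.hbm2ddl.auto still set to "create" (every Tomcat restart would recreate the tables and wipe the data) and dataSource placeholders that were never replaced. The sample XML is constructed from the fragment in step 3.4; the host, user and password used in the fix-up are made-up values.

```python
import re

# Constructed sample: the dataSource bean and Hibernate property from steps 3.4
# and 3.6 of the notes, exactly as a fresh install leaves them before editing.
SAMPLE_CONTEXT = """
<bean id="dataSource">
<property name="driverClassName" value="org.postgresql.Driver" />
<property name="url" value="jdbc:postgresql://<your host name>/firescrum" />
<property name="username" value="<your database username>" />
<property name="password" value="<your database password>" />
</bean>
<prop key="hibernate.hbm2ddl.auto">create</prop>
"""

# Plain regexes rather than an XML parser: the placeholders in the notes put a
# literal "<" inside an attribute value, which a strict XML parser rejects.
HBM2DDL_RE = re.compile(r'<prop\s+key="hibernate\.hbm2ddl\.auto"\s*>\s*([^<]*?)\s*</prop>')
PROPERTY_RE = re.compile(r'<property\s+name="([^"]+)"\s+value="([^"]*)"')
PLACEHOLDER_RE = re.compile(r'<your [^>]*>')
# Hibernate values that drop and rebuild the schema on every Tomcat start.
DESTRUCTIVE_DDL = {"create", "create-drop"}


def check_context(text):
    """Return a list of findings for applicationContext.xml; [] means ready to go live."""
    findings = []
    for match in HBM2DDL_RE.finditer(text):
        value = match.group(1)
        if value in DESTRUCTIVE_DDL:
            findings.append(
                f"hibernate.hbm2ddl.auto={value}: every restart recreates the tables "
                "and wipes existing data; set it to update or remove the line (step 3.6)"
            )
    for name, value in PROPERTY_RE.findall(text):
        if PLACEHOLDER_RE.search(value):
            findings.append(f"dataSource property {name!r} still holds the placeholder {value!r}")
        elif name == "password" and not value:
            findings.append("dataSource password is empty")
    return findings


def set_hbm2ddl_auto(text, value):
    """Rewrite the hbm2ddl.auto property, e.g. 'create' -> 'update' as step 3.6 asks."""
    return HBM2DDL_RE.sub(f'<prop key="hibernate.hbm2ddl.auto">{value}</prop>', text)


def fill_placeholders(text, host, username, password):
    """Replace the three <your ...> placeholders from the notes with real values."""
    return (text.replace("<your host name>", host)
                .replace("<your database username>", username)
                .replace("<your database password>", password))


if __name__ == "__main__":
    for finding in check_context(SAMPLE_CONTEXT):
        print("FINDING:", finding)
    # Made-up values standing in for a real deployment.
    ready = fill_placeholders(set_hbm2ddl_auto(SAMPLE_CONTEXT, "update"),
                              "db.example.internal", "firescrum", "example-password")
    print("after fixes:", check_context(ready) or "no findings")
```

The file ends up holding the database password in clear text, so keep its filesystem permissions limited to the account Tomcat runs as.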


How to design a network

Published: September 21, 2010 in Projects

Network documentation

A very important point, and one that is frequently relegated to second place, is the documentation of a communication network.

Particularly in older networks, not designed according to structured cabling standards, it is not always easy to find information of sufficient quantity and quality for the network administrator to be replaced without a shiver running down someone's spine.

Yes, that would be the ideal: being able to replace your network administrator without spending weeks, or months, afraid that the network might collapse and stop working from one moment to the next.

With ever greater adherence to structured cabling standards, this problem tends to shrink, since the standard itself prescribes a documentation standard for the network, at least for the cabling.

But documenting the cabling alone is not enough. What about the network's users? How many are there? What do they expect from the network? Which services are offered? Which services must be available 24 hours a day, 7 days a week? What performance is expected of those services?

These, and many other questions, should be answered by good network documentation. Obviously, producing such documentation, and above all keeping it up to date, is not simple.

Several proposals exist that try to define what, where and how to document a network. This document is one such proposal. It does not claim to be complete or conclusive. It is a composition of several proposals already analysed and used by the author, with a little of the experience gained over the years.

Roadmap for network documentation

The roadmap proposed here aims to make the procedure for documenting a network more methodical. Not all of its steps necessarily have to be followed, although that is what is recommended.

What matters is that some kind of network documentation exists, so that the administrator and assistants can restore the network's functionality in the shortest possible time when a problem occurs in it.

In other words, besides, obviously, the monitoring and management tools, good documentation is a fundamental factor in minimizing network downtime.

Identifying corporate needs and objectives

As the starting point of network documentation, it is important to have a description of what the customer needs and what its objectives are. The word customer is used here in its broadest sense, meaning the corporation itself.

Ideally the network is seen as a tool that helps the corporation reach its business objectives, and in return the corporation expects the network to serve its needs well.
It is important to set out the business objectives and constraints, the technical objectives and constraints, and to characterize the traffic projected for the network, including the main flows (where data flows come from and where they go: intranet applications, extranet applications, Internet use, traffic between headquarters and branches), load (aggregation of flows) and QoS (Quality of Service) requirements.

Technical requirements such as scalability, availability, performance, security, manageability, usability, adaptability and cost-effectiveness must be described.

The scope of the network, that is, its coverage within the corporation, both physical and in terms of services, must be well defined. Ideally, the locations and services that should and should not be served and offered by the network are clearly identified.

Architectural and environmental constraints that may affect the implementation and/or expansion of the network must be described.

In addition, we must describe the user community, possibly divided into classes, with its service needs, and the applications, with their specific attributes and needs.

Training and support requirements must be defined.

Logical design

The logical design documents the logical organization of the network. Logical organization is usually understood to mean:

  • The logical topology of the network;
  • A description of the layer 2 (switching) and layer 3 (routing) protocols, including any recommendation on the use of those protocols;
  • An addressing and naming scheme;
  • A routing scheme;
  • The recommended security mechanisms and products, including a summary of the security policies and associated procedures (a complete security plan may be included as an appendix);
  • Recommendations on management architecture and products;
  • Explanations of why the various decisions were taken, relating the decisions to the customer's objectives.

It is important to include diagrams and drawings in the logical design that make it easier to understand. In the next subsection we will see a complete example to better illustrate the recommendations described.

Logical Topology

Consider a network with the topology shown in Figure 1.


Figure 1: Logical topology.
Note that the logical topology gives an overview of the network's organization without, however, specifying any information about cabling, transmission technologies used, physical placement of cables and equipment, etc.

Layer 2 and Layer 3 Protocols

In this proposal, the company's various departments are interconnected through layer 2 switches and one layer 3 switch (also known as a switch-router), equipped with routing and packet-filtering capability.

Redundant access from any department of the company to the servers is provided by layer 2 switching, using the Spanning Tree Protocol (STP).

The whole network will use the TCP/IP architecture; the layer 3 switch with packet-filtering capability will allow the use of virtual networks (Virtual LANs, VLANs) and more refined traffic control between the company's departments.

Since the redundancy capability is implemented with a layer 2 protocol (STP), static routing can be used.

Addressing and Naming Scheme

For this network, one possible addressing scheme is shown in Table 1.


TABLE 1: Addressing scheme.

To name the network elements, adopt some simple convention and use it consistently at all times.

For servers, for example, one can use Sv-X[-Y], where X indicates the service offered by the server and [-Y] optionally indicates an index number. Examples: Sv-DNS-1, Sv-DNS-2, Sv-MAIL.

For servers that host several services, a simpler convention such as Sv-N can be adopted, where N is a sequential index. Examples: Sv-1, Sv-2.

For client workstations and the corresponding outlets in the work areas, one can use ppSSS-ee-tt, where pp is the floor, SSS is the room, ee is the faceplate and tt is the outlet on the faceplate. Example: 01S10-01-02, machine/outlet 02 on the first faceplate of room 10 on the first floor.

For routers, one can use Rt-N, where N is a sequential index. Examples: Rt-1, Rt-2.

For switches, one can use CnX-Y-Z, where X is the switch layer (2 or 3), Y is the floor and Z is a sequential index. Examples: Cn2-2-1, Cn2-2-2, Cn3-3-1.

For telecommunications closets, patch panels and patch-panel outlets, one can use ppA-qq-tt, where pp is the floor, A is a closet on that floor, qq is the patch panel, numbered from top to bottom in the closet starting at 01, and tt is the outlet on the patch panel. Examples: 03C, closet C on floor 03; 03C-02, patch panel 02 of closet 03C; 91D-04-02, outlet 02 of patch panel 91D-04.

Cross-connect and work-area cables must be labelled at both ends with sequential integers.
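A validator for the naming convention above, added here as an example (it is not part of the original article): it encodes the patterns Sv-X[-Y], Sv-N, ppSSS-ee-tt, Rt-N, CnX-Y-Z and ppA[-qq[-tt]] so that an inventory can be audited for names that break the convention before they land in DNS or in the management tool. Two details are assumptions: the room code SSS is taken as the letter S followed by a two-digit room number (as in the article's 01S10-01-02), and Sv-N is told apart from Sv-X by being all digits; the inventory list is constructed.

```python
import re

# One anchored pattern per element class, in the order they are tried. The
# workstation pattern comes before the closet pattern because a closet letter
# may also be S; the trailing room digits keep the two from overlapping.
PATTERNS = {
    "server": re.compile(r"^Sv-(?P<service>[A-Z]+)(?:-(?P<index>\d+))?$"),
    "multi_server": re.compile(r"^Sv-(?P<index>\d+)$"),
    "router": re.compile(r"^Rt-(?P<index>\d+)$"),
    "switch": re.compile(r"^Cn(?P<layer>[23])-(?P<floor>\d+)-(?P<index>\d+)$"),
    "workstation": re.compile(
        r"^(?P<floor>\d{2})S(?P<room>\d{2})-(?P<faceplate>\d{2})-(?P<outlet>\d{2})$"),
    "closet": re.compile(
        r"^(?P<floor>\d{2})(?P<closet>[A-Z])(?:-(?P<panel>\d{2})(?:-(?P<outlet>\d{2}))?)?$"),
}


def parse_name(name):
    """Return (element_kind, fields) for a conforming name; raise ValueError otherwise."""
    for kind, pattern in PATTERNS.items():
        match = pattern.match(name)
        if not match:
            continue
        fields = {k: v for k, v in match.groupdict().items() if v is not None}
        # Patch panels are numbered from 01 (top of the closet), so 00 is invalid.
        if kind == "closet" and fields.get("panel") == "00":
            raise ValueError(f"{name}: patch panels are numbered from 01")
        return kind, fields
    raise ValueError(f"{name}: does not follow the naming convention")


def audit(names):
    """Map each non-conforming inventory name to the reason it was rejected."""
    problems = {}
    for name in names:
        try:
            parse_name(name)
        except ValueError as exc:
            problems[name] = str(exc)
    return problems


# Constructed inventory: the article's own examples plus three deliberate mistakes.
SAMPLE_INVENTORY = [
    "Sv-DNS-1", "Sv-DNS-2", "Sv-MAIL", "Sv-1", "Sv-2",
    "Rt-1", "Rt-2", "Cn2-2-1", "Cn2-2-2", "Cn3-3-1",
    "01S10-01-02", "03C", "03C-02", "91D-04-02",
    "Cn4-1-1",    # there is no layer 4 switch in the scheme
    "srv-dns",    # wrong prefix and lower case
    "03C-00-01",  # patch panel numbering starts at 01
]

if __name__ == "__main__":
    for name in SAMPLE_INVENTORY:
        try:
            print(name, "->", parse_name(name))
        except ValueError as exc:
            print("REJECTED", exc)
```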

Routing Scheme

Given static routing and the use of virtual networks, the routing scheme becomes simple. Basically:

  • Each server has the layer 3 switch, on its respective VLAN, as its default route;
  • Each client in Management, Supervision and Production has the layer 3 switch, on its respective VLAN, as its default route;
  • The layer 3 switch has the internal firewall as its default route;
  • The internal firewall has the external router/firewall as its default route;
  • The internal firewall must be configured to perform NAT (Network Address Translation) or to act as a proxy server.
Security Mechanisms and Products

As a basic security standard, two levels of firewall (external and internal) were adopted, with private addressing implemented for the internal network.

The internal firewall should ideally be configured to provide a proxy service, on which the services that network users may or may not use are defined.

The standard procedures for identifying and authenticating users, as well as for granting each user (or class of users) rights to use services, must be described in the "Security Policy" document drawn up by the company.

Recommendations on Management Architecture and Products

Considering the need to keep the network operating at full capacity with the highest possible quality of service, even though it is not a large network, a centralized network management architecture based on the SNMP (Simple Network Management Protocol) standard is adopted, using the network management tool XYZ, version KLM, developed by the company RST. This tool runs on an IBM PC-compatible microcomputer platform with at least 256 MBytes of memory and at least 40 GBytes of disk storage.

Physical design

The physical design documents the physical organization of the network. Physical organization is usually understood to mean:

  • The physical topology of the network, highlighting interconnection points, wiring centers, etc.;
  • The specification of the cabling and transmission technologies used, with justification for each choice;
  • The specification of the equipment used (client machines, server machines, data storage machines (data stores), backup machines, interconnection devices (hubs, switches, routers, etc.)), with justification for each choice;
  • The choice of Internet service provider and the form of connection to it;
  • The monthly (or annual) maintenance costs of equipment and services.

Let us look at a complete example to better illustrate the recommendations above.

Physical Topology

The network is installed in a 3-floor building, with the following occupancy:

Each floor has a telecommunications closet that serves as the wiring center for the floor and as the installation point for the network's interconnection equipment. On floor 3/Management is the equipment room containing the network's servers.

Figure A5-2 shows the physical topology of the network.


FIGURE A5-2: Physical topology.

Cabling and Transmission Technologies

Considering the adoption of structured cabling standards and the network's coverage of all 3 floors, single-mode optical fiber with SC connectors was adopted for the vertical cabling, supporting traffic at 1000 Mbits per second (Mbps).

For the horizontal cabling, Category 5e twisted-pair cable with RJ45/568A connectors was adopted, supporting traffic at 100 Mbps.

For the connection to the ISP, we use the Frame Relay service offered by the local telephone operator, with a nominal speed of 512 Mbps and a CIR (Committed Information Rate) of 256 Mbps, which offers the best cost/benefit ratio for the company.

Specification of Equipment Used

The following equipment is used in the network. For each item, the product make and model, hardware and software versions, basic characteristics, name and address of the technical support service, and network identification (according to the adopted naming rules) are given.

Internet Service Provider

Information about the Internet service providers used must also be documented. For this example, we could document that the company Sdrubs&Sdrubs is used as the Internet service provider, with a Frame Relay link at 512/256 Kbps.

Maintenance cost

The network's monthly maintenance costs are divided into Internet service provision costs, preventive maintenance contract costs and general expenses (small miscellaneous expenses), as shown in Table 2 below.


Table 2: Maintenance cost

Equipment Configuration

An important part of managing a network is the configuration of the equipment that makes it up.
With or without a management tool, it is of the utmost importance that documentation exists on the configuration of the network equipment.

This documentation can take the form of printed scripts (less advisable) or of parameterizable procedures that can be run from a workstation.

For many interconnection devices there are configuration programs that allow a device's configuration to be saved to a file on disk, so that the device can be reconfigured later if its configuration is lost.

Servers and client workstations must have their installation and configuration procedures well defined and printed, so that they can be found and used quickly.

Additional documentation

Besides the items already listed, it is important to attach the following elements to the network documentation:

  • Infrastructure floor plan, indicating the dimensions of the conduits and/or cable trays used;
  • Floor plan with the cable routing, indicating the number of UTP and/or fiber cables per conduit segment;
  • Certification test report for all installed outlets;
  • Test report for the optical fiber segments;
  • Layout of the telecommunications closets;
  • Interconnection map of the active and passive components, that is, a list of all RJ45 outlets on each patch panel and of the equipment ports;
  • Warranty terms for the network's active and passive elements.

The building floor plans with the network design should ideally be supplied in an appropriate format (for example, AutoCAD), following these layer conventions:

  • Layer 0: building and architecture with legend, containing the drawing scale, unit identification, building name, floor, designer's name and execution date;
  • Layer 1: pre-existing and newly built conduits;
  • Layer 2: UTP cabling;
  • Layer 3: optical cabling;
  • Layer 4: active components such as workstations, servers, hubs, switches, routers, etc.;
  • Layer 5: passive components, telecommunications closets, patch panels and telecommunications outlets;
  • Layer 6: room identification and remarks;
  • Layer 7: furniture or other objects.

The warranty terms obtained at the end of a network's implementation must clearly describe the limits and duration of the warranty for each component of the installed system. Even if the service provider has subcontracted third parties, the final warranty is given and maintained by the provider. The minimum recommended warranty requirements for each component are:

  • Active equipment: 1 year after installation (ideally 3 years for interconnection equipment);
  • Cables and accessory components: 5 years against manufacturing defects;
  • Infrastructure: 3 years against rust, with a guarantee of mechanical strength;
  • Functionality and performance: 5 years.

A declaration of assured performance for the applications for which the physical network was proposed must also be supplied, indicating possible restrictions for other applications or for applications introduced in the future by the main international bodies (IEEE, TIA/EIA, ISO/IEC, ATM Forum, etc.).
  • http://www.malima.com.br/article_read.asp?id=53