Lesson 2: Windows 7 Remote Management CHAPTER 7 413 FIGURE 7-27 Remote Desktop Client 14. When presented with the warning that the identity of the remote computer cannot be verified, shown in Figure 7-28, click Yes. FIGURE 7-28 Remote ID verification 15. When the connection has been established, click the Start menu and type PowerShell into the Search Programs And Files text box. Click the Windows PowerShell item. 16. At the PowerShell prompt, type the command $env:ComputerName;$env:UserName and press Enter. Verify that the command returns the values Aberdeen and Cassie Hicks. Close the PowerShell window and log off of computer Aberdeen. 4 1 4 CHAPTER 7 Windows Firewall and Remote Management exercise 2 Using Windows PowerShell and WinRS for Remote Management In this exercise, you configure a client running Windows 7 so that it can be managed remotely using Windows PowerShell and WinRS. You execute commands remotely to verify that this configuration is correct. 1. Log on to computer Aberdeen with the Kim_Akers computer account. 2. Open an elevated command prompt and issue the command WinRM Quickconfig. When prompted, press the Y key and press Enter twice, as shown in Figure 7-29. FIGURE 7-29 WinRM Quickconfig 3. Close the Command Prompt window and log off of computer Aberdeen while keeping computer Aberdeen turned on. 4. Log on to computer Canberra using the Kim_Akers user account. 5. Open an elevated command prompt. 6. Enter the command winrm quickconfig. Press Enter. Press the Y key and then press Enter when prompted. 7. Enter the command winrm set winrm/config/client @{TrustedHosts=”Aberdeen”} and press Enter. 8. Enter the command whoami. Verify that the result is Canberra\Kim_Akers. 9. Execute the command winrs –r:Aberdeen whoami. Verify that the result is Aberdeen\Kim_Akers. 10. Enter the command ipconfig. Note the IP address information. 11. Enter the command winrs –r:Aberdeen ipconfig. Note the different IP address information. 12. Enter the command PowerShell and press Enter. This starts Windows PowerShell. 13. Enter the command Get-Process | Sort-Object –Property CPU –Descending | Select –First 10 and press Enter. This displays a list of the top 10 processes by CPU usage on Canberra. Lesson 2: Windows 7 Remote Management CHAPTER 7 415 14. Enter the command icm Aberdeen { Get-Process | Sort-Object –Property CPU –Descending | Select –First 10 } and press Enter. This displays a list of the top 10 processes by CPU usage on Aberdeen. 15. Close Windows PowerShell and the command prompt, and then shut down the operating system and turn off the computer. Lesson Summary n Remote Desktop allows you to make a connection to a remote computer and view its desktop as though you were logged on directly. n When Remote Desktop with Network Level Authentication is enabled, only clients running Windows Vista and Windows 7 can connect. It is possible to connect using a client running Windows XP with SP3, but it requires special configuration and is not supported by default. n Standard users must be members of the Remote Desktop Users group before they can connect to a client running Windows 7 using Remote Desktop. n You need to run the command WinRM Quickconfig from an elevated command prompt on a client that you want to manage remotely using either WinRS or Windows PowerShell. WinRM Quickconfig configures the Windows Remote Management service and appropriate firewall rules and enables the WinRM listener. n You can use the winrs –r:hostname command to run a command-line command remotely on the host named hostname. n Only Windows PowerShell V2 and later support remote Windows PowerShell. Windows PowerShell V2 is the default version of Windows PowerShell included with Windows 7. n You can use the icm hostname command to run PowerShell Command on computer hostname remotely. Lesson Review You can use the following questions to test your knowledge of the information in Lesson 2, “Windows 7 Remote Management.” The questions are also available on the companion DVD if you prefer to review them in electronic form. note ANSWERS Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the “Answers” section at the end of the book. 1. You need to manage a computer running Windows 7 from a computer running Windows XP with SP2 when no user is logged on to the computer running Windows 7. 416 CHAPTER 7 Windows Firewall and Remote Management You want connections to be as secure as possible. Which of the following settings on the Remote tab of the System Properties dialog box should you configure? a. Remote Assistance: Enable The Allow Remote Assistance Connections To This Computer Option B. Remote Desktop: Don’t Allow Connections To This Computer c. Remote Desktop: Allow Connections From Computers Running Any Version Of Remote Desktop D. Remote Desktop: Allow Connections Only From Computers Running Remote Desktop With Network Level Authentication 2. You want to user Windows PowerShell on a client running Windows 7 named Alpha to manage a client running Windows 7 named Beta. Which of the following steps do you need to take to do this? a. Run the command WinRM Quickconfig from an elevated command prompt on client Alpha. B. Run the command WinRM Quickconfig from an elevated command prompt on client Beta. c. Create a WFAS rule for TCP port 80 on client Alpha. D. Create a WFAS rule for TCP port 80 on client Beta. 3. You are logged on to a client running Windows 7 named Canberra. You want to determine the media access control (MAC) address of a client running Windows 7 named Aberdeen, which is located on another subnet. Both computers are members of the same domain and your domain user account is a member of the local administrator group on both computers. The command WinRM Quickconfig has been executed on all clients running Windows 7 in your organization. Which of the following commands should you execute to accomplish your goal? a. nslookup Aberdeen B. winrs –r:Aberdeen ipconfig /all c. winrs –r:Canberra ipconfig /all D. arp -a 4. Which of the following Windows PowerShell commands can you issue on a client running Windows 7 named Canberra to get a list of processes, including CPU and memory usage, on a client running Windows 7 named Aberdeen? A. icm Canberra {Get-Process} B. icm Aberdeen {Get-Process} C. winrs –r:Aberdeen Get-Process D. winrs –r:Canberra Get-Process Lesson 2: Windows 7 Remote Management CHAPTER 7 417 5. Which of the following reasons might explain why a helper is unable to connect to a Remote Assistance session when two stand-alone clients running Windows 7 are located on the same LAN? a. The WinRM service is disabled on Aberdeen. B. Client Aberdeen is configured to accept only Remote Desktop sessions that use Network Level Authentication. c. The helper is not a member of the Remote Desktop Users local group on Aberdeen. D. The Remote Assistance panel has been closed on client Aberdeen. 4 1 8 CHAPTER 7 Windows Firewall and Remote Management Chapter Review To further practice and reinforce the skills you learned in this chapter, you can perform the following tasks: n Review the chapter summary. n Review the list of key terms introduced in this chapter. n Complete the case scenarios. These scenarios set up real-world situations involving the topics of this chapter and ask you to create a solution. n Complete the suggested practices. n Take a practice test. Chapter Summary n Windows Firewall can only be configured for applications and features. n WFAS can be configured for applications, features, services, and ports. It is possible to configure authentication and scope option for WFAS rules. n Remote Assistance allows a user to forward an invitation to a helper that enables that helper to view the user’s screen concurrently. There are several safeguards in place to stop the helper from overriding the user and taking control of the user’s computer. n Remote Desktop allows a user to connect to an existing session that the user has created on a remote client running Windows 7 or to initiate a new session. n The Windows Remote Management service allows command-line utilities and Windows PowerShell scripts to be run remotely against clients running Windows 7. Key Terms Do you know what these key terms mean? You can check your answers by looking up the terms in the glossary at the end of the book. n connection security rule n inbound rule n outbound rule n Windows Remote Shell Case Scenarios In the following case scenarios, you apply what you’ve learned about subjects of this chapter. You can find answers to these questions in the “Answers” section at the end of this book. Suggested Practices CHAPTER 7 419 Case Scenario 1: University Client Firewalls You work as a desktop support technician at a local university. All client computers at the university have Windows 7 Enterprise installed. You have several support tickets that you need to resolve. The first ticket involves an academic who wants to run a personal Web site off his laptop computer when he is presenting at conferences and is connected to an ad hoc network. Attendees at his presentations should be able to connect to download information from the site, but people from elsewhere should not be able to connect. The second ticket involves students in the undergraduate laboratory running a stand-alone file sharing application off USB flash drives. You know the port that this application uses, but the name of the application appears to vary. The third ticket involves a postgraduate computer laboratory that has 25 stand-alone clients running Windows 7. You want to ensure that each of these computers has the same WFAS configuration. With this information in mind, answer the following questions: 1. What steps would you take to resolve the first ticket? 2. What steps would you take to resolve the second ticket? 3. What steps would you take to resolve the third ticket? Case Scenario 2: Antarctic Desktop Support Your organization is responsible for supporting a small scientific research facility in Antarctica. The person responsible for IT support at the facility has come down with a serious illness and has been confined to the base medical facility for the next week. In her place, you are providing client operating system support to 30 scientists stationed at the facility. Your office in Tasmania is connected to the base by a high-speed Internet link. All clients running Windows 7 have Remote Desktop enabled. With these facts in mind, answer the following questions: 1. One of the scientists needs an application installed on their client running Windows 7 that you cannot deploy through Group Policy. You have the ability to elevate your privileges on the computer, but this scientist does not. How can you resolve this situation? 2. Another staff member at the Tasmanian office needs to connect to a client running Windows 7 at the Antarctic base to verify some scientific results but is unable to do so. You check and find that you are able to establish a Remote Desktop connection. What steps can you take to resolve this problem? 3. You need to be able to run Windows PowerShell scripts remotely against the clients running Windows 7. What steps do you need to take before you can do this? Suggested Practices To help you master the exam objectives presented in this chapter, complete the following tasks. 4 2 0 CHAPTER 7 Windows Firewall and Remote Management Configure Windows Firewall n Practice 1 Configure a WFAS incoming rule for port 1138 for the UDP protocol for IP addresses between 10.10.10.1 and 10.10.10.255. n Practice 2 Configure a WFAS incoming rule for the program Calc.exe in the C:\Windows\System32 folder. Configure Remote Management n Practice 1 Create and execute a WinRS command that provides a list of all local groups on a remote client running Windows 7. n Practice 2 Create a Windows PowerShell script that lists the free space left on the volumes on a remote computer. Take a Practice Test The practice tests on this book’s companion DVD offer many options. For example, you can test yourself on just one exam objective, or you can test yourself on all the 70-680 certification exam content. You can set up the test so that it closely simulates the experience of taking a certification exam, or you can set it up in study mode so that you can look at the correct answers and explanations after you answer each question. More Info PRACTICE TESTS For details about all the practice test options available, see the section entitled “How to Use the Practice Tests,” in the Introduction to this book. CHAPTER 8 421 CHAPTER 8 BranchCache and Resource Sharing P eople in the workplace rarely create documents that only they access. This is because organizational data is generally useful only when it is shared among people in the organization. People generally spend countless hours creating and formatting documents in Microsoft Office Word because they expect other people to read those documents. They write documents to explain ideas or to transmit data to other people because, generally, it is not necessary to write a document to explain something to yourself. The first part of this chapter looks at the methods you can use to share data stored on computers running Windows 7. This includes the simplified technique of sharing data through HomeGroups and the more complex technique of configuring shared folders. The second part of this chapter looks at how you can restrict the sharing of data, ensuring that only the people who should to be able to view that data are actually able to view it. You can do this by applying file and folder permissions restricting who can access the data and by using encryption to ensure that data is encoded so that only specific people can decode it. The final part of this chapter looks at how you can speed up data access for people that are located in small branch offices in larger organizations through a new Windows 7 feature named BranchCache. Exam objectives in this chapter: n Configure shared resources. n Configure file and folder access. n Configure BranchCache. Lessons in this chapter: n Lesson 1: Sharing Resources 423 n Lesson 2: Folder and File Access 442 n Lesson 3: Managing BranchCache 461 4 2 2 CHAPTER 8 BranchCache and Resource Sharing Before You Begin To complete the exercises in the practices in this chapter, you need to have done the following: n Installed Windows 7 on a stand-alone client PC named Canberra, as described in Chapter 1, “Install, Migrate, or Upgrade to Windows 7.” real World Orin Thomas A lthough file and folder sharing at the client rather than the server level can be quite useful for small businesses that do not have the resources to deploy a dedicated file server, I’ve found that if people are not paying attention, shared folders on client computers can cause a lot of problems. Perhaps this is because people think about shared folders on a server and shared folders on a client computer quite differently. When you have a file server, people are very aware that files saved in that location will be visible to other people in the organization. When you deploy file servers, it is relatively simple to set up file shares on the basis of group membership, and people remember that a file that should be visible only to managers gets put in the Managers shared folder. Sure, you can do this with client computers, but it generally takes more effort to configure different shares with specific permissions on each client computer. It takes even more effort to get the people that actually use these computers to remember how permissions actually work. A colleague of mine had to deal with a meltdown that occurred at one client he worked for because a manager had saved performance reviews to a local folder that was visible to everyone on the network. Although there had been a specific shared folder set up that did limit document access to the administrative assistant and the company director, the manager hadn’t paid attention when this was explained to him. He worked off the assumption that no one else would see the reviews because he told only his administrative assistant and the company’s director that the documents were present in the shared folder. Shared printers can cause similar problems. In many small businesses, the people who run the company get the best hardware. The person that ends up with the most fully featured printer gets it because she is the person who owns the company and signs the purchase orders. The printer ends up shared so that the people who might use features such as automatic double-sided printing and collation can actually do so. The downside to this is that these people have to keep going across to the senior staff member’s work space to retrieve their printing. At one organization I know, several people had to be given keys to the boss’s office so they could access their printing when he was away on business. Rather than move the printer to a more public location, the boss ended up authorizing the purchase of another printer. . running Windows 7 named Aberdeen? A. icm Canberra {Get-Process} B. icm Aberdeen {Get-Process} C. winrs –r:Aberdeen Get-Process D. winrs –r:Canberra Get-Process Lesson 2: Windows 7 Remote. to manage a computer running Windows 7 from a computer running Windows XP with SP2 when no user is logged on to the computer running Windows 7. 416 CHAPTER 7 Windows Firewall and Remote Management. Windows 7 Remote Management CHAPTER 7 413 FIGURE 7- 27 Remote Desktop Client 14. When presented with the warning that the identity of the remote computer cannot be verified, shown in Figure 7- 28,