February 2009 - Posts

Granted, Windows 7 will still be Windows 7. So, moving from Windows 7 Beta to Windows 7 RC will not fundamentally change your operating system. Still, the whole point of Beta testing is to identify problems and gather user feedback to incorporate changes into the final product. The Engineering Windows 7 blog posted a detailed look at 36 different changes we will see from Beta to RC once the Release Candidate becomes available.

You can read the post on the Engineering Windows 7 blog to get the complete details. But, here is a short list of some of my favorite updates:

  • the ability to hold down the 'Shift' key when doing a drag/drop action to the Taskbar in order to invoke 'open with' rather than adding the file or program to the Taskbar or pinning it to the Jumplist of an existing application
  • restricting the number of items automatically added to application Jumplists to 10 to keep the lists from being too long to provide any value
  • changes made to the behavior of UAC to reflect some of the feedback and backlash about potential security risks introduced by the default UAC configuration in the Windows 7 Beta
  • improving performance and speed from Beta to RC (although I have been happy with the Beta performance and speed- but faster is always better)

No word yet on when we might expect to see that RC, but at least we know when it is released it will have a number of compelling changes and updates.

The Microsoft Springboard program is leading the way in evangelizing for the Windows 7 operating system and providing the types of resources and information that IT pros and end-users need to understand the new features and capabilities and get the most out of the new OS. Toward that end, they have developed a series of screencast 'walkthroughs' providing in-depth looks at various features and functions of Windows 7. Currently the series includes the following instructional videos:

I am sure they will continue to expand the series to include more Windows 7 features, so check back on the Windows 7 Feature Walkthroughs site periodically.

On February 28 Stephen Rose and Joey Snow will be presenting an event in Irvine, CA kicking off Windows 7 and providing a comprehensive look at the new features and functions. You can check out the details of the session (titled TechNet and MSDN Unleashed: Windows Vista to Windows 7) below to see the topics that will be covered in this 5 1/2 hour event.

The live event is already maxed out, but the session will also be broadcast via LiveMeeting. You can register to attend the LiveMeeting event here: https://www.clicktoattend.com/invitation.aspx?code=135966

 

Event Code: 135966

2/28/2009

8:00 AM - 1:30 PM PST

 


SESSION TOPICS:

Better Together: Windows Server 2008 R2 and Windows 7

Overview of the Better Together story.

 

 

Is Vista Still Relevant? Windows Vista - The Path to 7

With Windows 7 on the horizon, is Vista still relevant? This presentation will cover why Vista is the best path to Windows 7 readiness as well as discuss the key underpinnings in the Windows 7 OS and product evolutions with Server 2008 R2, IPv6 and beyond. Focus will be around top 10 things IT Pros should know about Windows Vista and its evolution in Windows 7.


Welcome to Windows 7


This session will be an overview of the GUI and Feature improvements in Windows 7. This will include:
  • Task Bar/System Tray Improvements
  • Aero Features
  • System Improvements
  • Control Panels and Features
  • Desktop Improvements
  • IE 8
  • Under The Hood

Windows 7 Deep Dive

Deep Dive will dig into Windows 7 and the new or redesigned under the hood features in the product.

The topics covered will be:
  • Microsoft’s understanding of the needs of IT Pros when designing Windows 7
  • Hardware Readiness
  • Improved Applications
  • Application Compatibility
  • AIK
  • VHD Images and Imaging
  • DISM
  • Dynamic Driver Provisioning
  • Multicast Multiple Stream Transfer
  • Streamlined Installation and File Migration
  • USMT
  • DHCP Hint
  • Enterprise Application Compatibility
  • Windows Troubleshooting Platform

Don’t get too excited. These updates won’t add any new features or functionality to Windows 7. You’ll have to wait for the Windows 7 Release Candidate (RC) for those kinds of changes. However, Windows 7 will be getting updates next week, February 24, but they will just be test updates. It is a drill more or less just to make sure that Windows 7 is communicating properly with Windows Update and able to download and apply the updates. It is important to note though that these will not be automatically applied. You will have to manually visit Windows Update and select the updates.

If you are participating in the Windows 7 Beta, please read the information below and participate in this Windows 7 update drill when the updates become available next week.

 

Background

The updates will be clearly described as a test update in Windows Update, and they will not install automatically.

---------------------------------------------------------------------------

Rationale

The updates will be offered interactively. This means that users will be notified of available updates, but they won’t install automatically. Users will need to go to the Windows Update control panel, select the updates, and manually start installation.

 

These updates will simply replace system files with the same version of the file currently on the system, and will not deliver new features or fixes.

---------------------------------------------------------------------------

Effective dates

Tuesday, February 24, 2009

---------------------------------------------------------------------------

Location

Worldwide beta testers – all audiences

---------------------------------------------------------------------------

Who is affected

All Windows 7 Beta (build 7000) users

---------------------------------------------------------------------------

Actions Requested

Respond to beta tester inquiries as appropriate in Forums and Newsgroups.

Provide context for updates, this is for test purposes only. Inform and educate Windows 7 beta testers who are running build 7000.

 

Move over Sony and Apple. Microsoft is coming to a mall near you as they jump into the retail outlet chain market. Last year Microsoft dispatched an army of Microsoft experts to take up stations at stores like Best Buy and provide expert guidance for customers. The Microsoft 'Gurus' were more or less a response to the 'Genius Bar' found in Apple stores.

Apple has seen a boost in their image and their sales which they attribute to their standalone retail stores. However, with the current economy sales have been slowing. Holiday sales for 2008 were down an average of almost 18% per store from the same period in 2007. Circuit City, an electronics warehouse that also sells computers and computer equipment, is in the process of going out of business. People don't have the disposable and discretionary income they had a couple years ago.

That said- I think it is a good idea. The timing could be better (I will assume they had this idea and were already in the planning stages before the economy imploded). However, I think that customers will appreciate having a brick and mortar store they can go to for expert guidance on Microsoft products. Just as customers have enjoyed the one-on-one guidance and expert customer service in Apple stores, the Microsoft retail store can help customers make decisions about what software is right for them, help them to install the products, educate them on how to maximize the functionality and productivity of the software and more. This level of interaction and guidance will really help in my opinion- especially as they prepare to roll out Windows 7 later this year or early 2010.

Customers need this. Stores like Walmart that sell some computer hardware and software offer no guidance or support at all. Stores like Circuit City (R.I.P.) and Best Buy ostensibly have personnel with the appropriate knowledge to provide guidance, but I have never witnessed it. Most of the time you are lucky if you can get an employee at one of those stores to acknowledge your existence. When you do, finding one that actually knows something more than which model they are supposed to push this week and how to con customers into buying the in-store extended warranty is little short of a miracle.

Done right, this is a great idea. I look forward to checking out the local Microsoft store if and when it comes to my neighborhood.

Tomorrow, Thursday, February 12th Microsoft's Springboard program will be hosting another Virtual Roundtable broadcast. Windows 7: To the Beta and Beyond will start at 11am Pacific / 2pm Eastern time.

Join Mark Russinovich and a panel of subject matter experts for a live discussion of what's in store for IT pros with Windows® 7. Learn about the evolution of features like Group Policy, BitLocker To Go™, DirectAccess, BranchCache™, and AppLocker™ then get tips on troubleshooting, deployment, and application compatibility. Bring your questions—Mark and the panel will answer as many as they can during the hour-long event, then publish the rest in a Q&A after the event.

As part of the “virtual” experience, you may submit your questions about Windows 7 Beta to the panel live during the event—or submit questions in advance to vrtable@microsoft.com. Click here to add the event to your Outlook calendar.

While Microsoft has maintained that UAC (User Account Control) is not a security control, and that the behavior of UAC in Windows 7 is by design in response to the feedback and negative publicity that UAC has received in Windows Vista, they have now announced that there will be some modifications of UAC behavior between the Windows 7 Beta and Windows 7 Release Candidate versions. A follow-up post on the Engineering Windows 7 blog last week stated:

"With this feedback and a lot more we are going to deliver two changes to the Release Candidate that we’ll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation."

Many in the Windows 7 Beta community seem to be upset about the change of direction or consider it some sort of flaw or sign of weakness on the part of Microsoft that they have responded this way. It seems to me like Microsoft is held to an unreasonable standard by certain groups of users. It reminds me of how 'flip-flopping' becomes such an issue during election seasons. No company (or politician) is perfect. It is an unrealistic expectation to demand that they get it all right the first time. To take that lack of realism a step farther and also expect that the company (or politician) never alter or modify their position, even in the face of rational, logical evidence that counters the original position is ridiculous. Having conviction and a stubborn determination to stick to an initial decision regardless of evidence to the contrary is a huge character flaw and not a desirable characteristic for a company or a politician.

It creates a no-win situation for the company- they're damned if they leave things the way they are, and they're damned if they modify their course in response to feedback. For the record though, this is BETA software. The whole point is to elicit feedback from the user community and make modifications prior to the RC or final RTM versions of the operating system. If they weren't going to listen to and respond to user feedback, this would be RTM already.

Personally, I say 'Thank You' to Microsoft for listening and responding to the user feedback. I also reiterate my appreciation for the sense of community and the open dialogue being fostered by Microsoft with the Windows 7 Beta and the Engineering Windows 7 blog.

Do you use the Recent Items menu in Windows Vista? You may not even know what it is if you haven't poked around some. It is not enabled by default, but if you right-click on the taskbar and select Properties you can configure the way the Start Bar and Start Menu look and feel. One of the options in those settings is to enable the Recent Items menu which provides a quick access menu to the last 15 files you have worked with (whether they are Word docs, PDF files, JPG images, Virtual PC VMC images, etc.). I use it frequently to access the files I am working with rather than trying to use Windows Explorer or some other method to navigate to them. It is a great time saver.

With Windows 7, Microsoft adds a new dimension to this concept with Jump Lists. I mentioned them a little in my earlier post about the Windows 7 Taskbar. Perhaps you have used the Recent Documents from the File menu within programs like Microsoft Word. I rarely ever used this feature because I always use the Recent Items list from the Start Menu. Well, Windows 7 essentially combines the Recent Items from the Start Menu with the Recent Documents from the application to create application specific Jump Lists.

In the Start Menu some applications have an arrow next to them. That arrow is how you access the Jump List for that application. The Jump List is essentially the Recent Items list for that specific application. So- while the Recent Items (which is still available as a Start Menu option in Windows 7) includes the most recent 15 files you have accessed of any type, the Microsoft PowerPoint 2007 Jump List contains only the most recent PowerPoint files you have accessed. The application Jump Lists make it much easier and faster to navigate Windows 7 and work with files. In addition to the most recent files used for a given application, you can also 'pin' important or frequently used files to the Jump List for an application so that they are always quickly accessible.

Having been a fan of the Recent Items already, but sometimes frustrated by the files I want getting cycled off of the top 15 list, I am thoroughly enjoying the convenience and functionality of the Windows 7 Jump Lists.

That darn UAC function just can't stand to not be the center of attention. It has been one of the most talked about features of Windows Vista - good, bad, or indifferent as your point of view might be- and now it has more or less dominated the discussion of Windows 7 for the past week.

Windows 7 Beta testers have pointed out that the default setting for UAC in a Windows 7 installation leaves it 'vulnerable' to malware altering the UAC protection level or disabling it entirely without the user's knowledge or consent. They then also pointed out that the way UAC manages Microsoft-signed code by default could be potentially exploited by malware to cause malicious code to run without triggering any UAC warnings.

Microsoft has responded that the functionality of UAC in Windows 7 is by design in response to the mountains of feedback they have gotten on UAC from customers and from the field. They have also countered that while the claims mentioned above are true neither provides a plausible method for how said-malware would get on the system in the first place. Microsoft contends that the default UAC setting will alert or notify the user if such malware tries to run on the system and that only explicit acceptance of that UAC warning would make the other two issues mentioned above viable.

Rather than me blathering on further about UAC in Windows 7, I recommend that you read this post from the Engineering Windows 7 blog. Jon DeVaan does an excellent and eloquent job of explaining the reasons why UAC works the way it does, and the reasons why Microsoft does not feel that these issues are as critical as the blogosphere has made them out to be. DeVaan provides a detailed look at how UAC works, and an explanation of the purpose of UAC. In general, this is an excellent post. It clears up misconceptions. It shows that Microsoft is listening and responsive, even when they don't ask 'how high' and go re-engineer features.

Windows 7 represents a great new direction for the desktop operating system. But, as important, or even more so, to the success of Windows 7 and Microsoft in general is the shift in Microsoft's mentality toward its customers and the IT Pro community. The open communications and responsive dialogue will go a long way to strengthening their reputation and their relationships with customers.

Many users may not be aware of this, but in Windows XP and Windows Vista you can actually stretch the taskbar at the bottom of the screen up to gain more real estate. You can make it double or triple its normal height so you can fit more applications in the QuickLaunch menu if you want, and you can have more programs open simultaneously and still view them all separately rather than dealing with the annoying 'feature' where all of the instances of a program are collapsed to one taskbar entry and you have to sort of manually sift through the list that pops up to try and find the one you want. I have leveraged this feature to expand my taskbar for years, making it twice the normal height so I can have more applications in QuickLaunch and more programs opened simultaneously. I don't need to do that in Windows 7 (although it is still possible if you choose).

First of all, instead of the QuickLaunch toolbar, Windows 7 lets you 'pin' applications. You can pin them to either the Start Menu or to the Taskbar (or both). Items pinned to the taskbar appear as icons and the applications can be launched by simply clicking on the icon. Similarly, when applications are launched by other methods, they also appear as an icon rather than the wide tabs you are used to seeing in the Windows XP or Windows Vista taskbar. And, only one icon appears per application- similar to that annoying collapsed tab I mentioned above. However, with Windows 7 it is not annoying- it's brilliant! Simply hovering over the icon for the application brings up thumbnails of all instances currently running and hovering over the thumbnail instantly displays that instance full screen so you can quickly, easily, and visually find the application or instance you want to use.

The coolness doesn't end there though. For applications that are pinned to the taskbar you can right-click to bring up a history menu that lets you jump straight to specific instances. For example, I can right-click my Internet Explorer icon and view my web browsing history to find a specific site, or right-click the Microsoft Word icon to view the history and open a specific document. Applications pinned to the Start Menu behave the same way. There is an arrow next to the application that opens a menu of songs played recently in Windows Media Player or spreadsheets recently viewed in Excel. It is sort of like an application-specific edition of the Recent Items menu on the Start Menu (it is an option though and may not be displayed unless you have configured it to do so).

I know that people get comfortable with the way they do things and they are reluctant to change- even if the change in and of itself is good. With any new operating system or application there will be updates and modifications. If there weren't, why would they bother releasing a new one?? Often these changes have a learning curve before they become second-nature, but this Windows 7 taskbar is a change I find very intuitive and very smooth and I instantly fell in love with it.

Soon after identifying a controversial design decision related to the default implementation of UAC in Windows 7, Beta tester Long Zheng identified another issue with UAC in Windows 7 that is of greater concern. In a nutshell, because of the inherent trust that Windows 7 places in internal Microsoft code or code signed by Microsoft, the default setting of UAC in Windows 7 (at least in its current Beta form) allows a malicious application to autonomously elevate itself to full administrative privileges without UAC prompts or turning UAC off. You can read the full blog post from Zheng to get the nitty gritty details. This flowchart is from Zheng's blog post and illustrates the logic flow of how UAC processes decisions and how that decision process can be exploited to execute malicious code:

There has also been some debate about the ethics of disclosing these issues publicly. Some have argued that it is irresponsible to share this information publicly while others have defended Zheng and claimed that Microsoft has been unresponsive unless there is public backlash. I definitely think that issues should be shared with the vendor in secret rather than disclosed publicly in order to allow the vendor time to address the issue before letting the world know how to exploit it. However, I also know that many security researchers are frequently frustrated by the lack of response and some issues remain for months after the vendor has been notified.

Zheng addresses some of the comments related to the first UAC disclosure and his stance on vulnerability disclosure and on Windows 7 in this blog post:

"In Microsoft’s defense, some people have also argued UAC is not a “security boundary”, a vague term in my books. I argue because UAC is designed to enforce privileges (processes cannot jump to any privilege they want) and control privileges (prompts for privilege changes) it is a security feature. If a security feature can be maliciously and silently bypassed or turned off, I would consider that a security flaw.

Finally, to clarify my perspective on the whole issue, Windows 7 is a great operating system and these UAC issues are just two particular cases in a very small list of notable issues. I disagree with how Microsoft had handled the original issue but I’m sure with the wider public feedback it received we will end up with a more secure operating system as a result. In no part am I trying to “derail” Windows 7’s success run, but ensuring the default security policy is adequately safe for current and future users."

Microsoft today unveiled the various versions of Windows 7 that will be available when the new flagship desktop operating system launches. Here is a table of the versions and the features available in each:

Windows 7 versions

Some versions like the Starter version (aimed primarily at the emerging netbook market) and the Home Basic edition seem to have very limited, niche application. The Home Premium version is the main edition for the consumer market, and the Enterprise edition is the main edition for large corporate enterprises. The Professional edition is roughly equivalent to the Vista Business edition and is targeted at small and medium businesses.

Unfortunately, Windows 7 Professional lacks many of the best features that SMB's will be interested in. It does include a few additional features that businesses can use that aren't found in the Home Premium version, like the ability to join a Domain, and additional data backup and encryption options. I think Microsoft misses the mark though for the SMB market. They are smaller than their corporate enterprise cousins, but they have essentially the same needs.

Many SMB's are in the healthcare or financial services industries and are impacted by mandates such as HIPAA, GLBA, or PCI DSS. They have a need to protect data on mobile devices and portable media and they really need BitLocker as much as their enterprise counterparts. SMB's like small banks or real estate offices have roaming users and multiple office sites and can benefit from new Windows 7 functions like DirectAccess and BranchCache.

Both DirectAccess and BranchCache require Windows Server 2008 as a backbone. That may explain why Microsoft, which targets SMB's with other server offerings such as Windows Small Business Server (SBS 2008) and Windows Essential Business Server (EBS 2008) may have left those features out of the Professional version. Admittedly, the SMB would have to have or be willing to implement the Windows Server 2008 infrastructure necessary, but my feeling is that small and medium business owners/users who want to gain all of the advantages of Windows 7 should just go straight to Windows 7 Ultimate.

For that matter, as an information security professional I have never really appreciated the Home version of any of the operating systems from Microsoft. In their effort to make them simple or dummy-proof they leave out key functionality and remove components that users need to secure and protect their PC's. Arguably, with no IT department protecting the network and no Help Desk available to clean malware infections and restore system functionality the home user market needs more security than the corporate enterprise market, not less. So, my recommendation for home users is to skip Home Premium and go straight for Windows 7 Ultimate as well.

Bottom line, I would probably narrow this down to only three options: Windows 7 Starter (because the netbook market will continue to grow as users seek out cheap portable computer systems), Windows 7 Ultimate, and Windows 7 Enterprise. If you aren't using a netbook, and you aren't part of a corporate enterprise, you should be using Windows 7 Ultimate.

If you know that the computer is the box that the keyboard connects to and that the monitor is simply a display screen odds are good you are the technical guru among your friends and family. When I first began my role as family and friend computer expert it was mostly to work out IRQ and DMA conflicts so that the sound and video would work properly. There was no Internet and most people didn't have more than one computer in the home so personal networking was a foreign concept reserved for uber geeks.

Now, instead of one family computer it is common for each computer user to have their own. My wife has a laptop. My three older boys have their own laptops. I have a laptop, and a desktop that I use for testing purposes. My not-quite three year old daughter has a laptop as well- but since hers is a Barbie laptop running some proprietary pre-school operating system I won't count hers. So- our household of 6 has...1 plus 3, carry the 2, times the square root of the inverse....6 computers! Two of them are running Windows XP SP2 (I don't believe my boys have SP3 yet), two of them are running Windows Vista Ultimate SP1, and two of them (mine) are running Windows 7 Ultimate Beta (one is 32-bit and one is 64-bit). We won't count the other operating systems I have running in Virtual PC on my lab computer.

Those 6 computers all talk to each other and to the Internet through a wireless network. With Vista and Windows 7 you can specify that the network connection is a Home network (as opposed to Work or Public networks) and that establishes a certain degree of trust regarding the devices available on that network. For some reason though, actually connecting with other computers and sharing resources in a Workgroup (as opposed to a Domain) setting is always more difficult and complicated than it seems like it should be. Part of the issue is that in a Domain the usernames and passwords are authenticated against Active Directory on the domain controller allowing users to be authenticated across various machines. With a Workgroup, each computer maintains its own local database of usernames and passwords. I may be able to log on to my computer, but my username and password are meaningless on my son's computer unless I go add myself as a user with the same username and password on his computer. We only have 2 printers and only one computer with a decent quality speaker system so we need to connect to print documents and play music. Let's just say it's a more or less 50/50 proposition whether it will work and it generally requires some additional manual process. It is almost never easy.

So, you can imagine how impressed I might be with the HomeGroup concept in Windows 7. The Windows 7 HomeGroup promises to simplify this process. When you create a HomeGroup it is assigned a password. You can specify which Libraries to share (Libraries are another cool Windows 7 feature that work like Folders but provide easier access to and usage of data no matter where it resides on the computer or network, but we'll cover that in another post sometime). Other computers on your network can then join the HomeGroup as long as they have the password. The need for a password means that family members (or co-workers in a small business) can share resources without having to set the permissions for Everyone and allowing any friend or visitor to access those shared resources.

Here is my only real issue with HomeGroup so far- backward compatibility. It is a great concept and it seems to work as advertised....as long as you have Windows 7 PC's. Some members of my family are reluctant to jump on cutting edge operating systems. Some members of my family like their Windows XP because of its compatibility with their favorite games. Sure, they'll all upgrade eventually, but based on my home network right now HomeGroup only works for my two computers running Windows 7. Microsoft needs to create some sort of stand-alone application that can be installed on Vista and XP to let them play in the HomeGroup as well.

Last week a Windows 7 Beta tester posted a blog entry describing a flaw or weakness in the way UAC (User Account Control) is implemented in Windows 7. For starters, although I titled this post 'Security vs. Usability' I want to stress that UAC is not a security feature or control. It is a control in Windows Vista and Windows 7 designed to enforce least privileged access and enable users to operate as Standard Users rather than running as Administrator. There are security implications to UAC though. For example, security professionals generally recommend that users run as Standard User rather than Administrator because malware exploits generally operate with the same privileges as the logged in user. If someone running as Administrator is compromised, the malware has much more power to effect malicious change on the computer system than if a Standard User is compromised.

That said, UAC is largely perceived as a security function (I should say that security is 'blamed' for UAC), and it has been one of the most prominent complaints about Windows Vista. Users complain about the constant pop-up alerts asking for Administrator permission every time they want to open a console, install a program, or access an application. Truth be told- if they were running as Standard User, they wouldn't see those prompts. Those prompts are a result of running as Administrator and an attempt on the part of Windows Vista / Windows 7 to alert the user that the action they are about to initiate requires Administrator-level access to the system and could potentially affect or modify the system.

With Windows 7, Microsoft has seemingly caved to the UAC backlash and negative marketing from Windows Vista. UAC is still there, but now it has a slider that lets the user adjust what level they want UAC to operate at. Users can access the Windows 7 Action Center from the Control Panel and click on User Account Control Settings. The crux of the issue described in the blog mentioned above is that by default UAC is configured to not notify or alert when changes are made to Windows Settings. The operating system can not differentiate between a user clicking on options to change Windows Settings, or an application- malicious or otherwise- effecting changes to Windows Settings. Since the UAC Account Control Settings is a Windows Setting itself, a malware program can disable UAC entirely before doing more insidious actions to the PC and the user will not be notified.

The official Microsoft response so far has been that this is not a flaw or vulnerability. UAC operates the way it does by design and after much consideration and user feedback. The foundation of their defense also seems to rest on deflecting the blame to the malware itself. Basically, Microsoft has stated that in order for malware to modify UAC the malware first has to get onto the system and have permission to execute. Therefore, the issue is how to protect Windows 7 from malware, not how to modify the behavior of the UAC Control Settings. I can see where Microsoft is going with this logic. It does seem to make sense on some levels. But, it also seems like it would be a trivial adjustment to exclude UAC itself from the Windows Settings that are ignored so that there would be some sort of alert if UAC itself is modified.

Users may not ever notice or care (until some malware exploit compromises their system through this 'feature'), but the security world is all up in arms. The feeling is that Microsoft is back-pedalling on their commitment to be secure by design and secure by default in order to appease users. Being primarily a security guy- I tend to side with that line of thinking. I think that it makes more sense to alter the behavior of the UAC Control Settings before the RTM release of Windows 7. I think that rather than sacrificing security in the interest of marketing, Microsoft should invest more in marketing UAC and educating enterprises and users on how and why it does what it does, and how to use it properly.
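
Since the concern above is a UAC level that changes without any alert, here is one way to audit the setting and spot drift from a known-good state; this is an added example, not code from the post or from Microsoft. The function names are hypothetical, the sample states are constructed, and the mapping from slider level to registry values is an assumption based on commonly documented Windows 7 behaviour rather than anything stated in the post.

```powershell
# Added example: classify the UAC policy values and report drift from a baseline.
# ASSUMPTION: the level-to-value mapping follows commonly documented Windows 7
# behaviour; the post itself does not list these values.
$UacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacNames = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop'

function Get-UacPosture {
    param([Parameter(Mandatory = $true)] [hashtable] $Values)

    $lua      = $Values['EnableLUA']
    $consent  = $Values['ConsentPromptBehaviorAdmin']
    $secure   = $Values['PromptOnSecureDesktop']
    $findings = @()

    # Map the three values onto the slider positions; anything else is reported as-is.
    if     ($lua -eq 0)                        { $level = 'UAC disabled' }
    elseif ($consent -eq 0)                    { $level = 'Never notify' }
    elseif ($consent -eq 2 -and $secure -eq 1) { $level = 'Always notify' }
    elseif ($consent -eq 5 -and $secure -eq 1) { $level = 'Default (programs only)' }
    elseif ($consent -eq 5 -and $secure -eq 0) { $level = 'Default, no secure desktop' }
    else                                       { $level = 'Unrecognised combination' }

    if ($lua -eq 0)     { $findings += 'EnableLUA=0: elevation prompts are off entirely' }
    if ($consent -eq 0) { $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate silently' }
    if ($consent -eq 5) { $findings += 'Changes to Windows settings do not prompt at this level' }
    if ($secure -eq 0)  { $findings += 'PromptOnSecureDesktop=0: prompts are not shown on the secure desktop' }
    foreach ($n in $UacNames) {
        # A missing value is reported, never guessed.
        if ($null -eq $Values[$n]) { $findings += "$n is missing; policy state unknown" }
    }

    [pscustomobject]@{ Level = $level; Findings = $findings }
}

function Compare-UacBaseline {
    param(
        [Parameter(Mandatory = $true)] [hashtable] $Baseline,
        [Parameter(Mandatory = $true)] [hashtable] $Current
    )
    # Emit one record per value that differs from the recorded baseline.
    foreach ($n in $UacNames) {
        if ($Baseline[$n] -ne $Current[$n]) {
            [pscustomobject]@{ Name = $n; Was = $Baseline[$n]; Now = $Current[$n] }
        }
    }
}

function Read-UacValues {
    # Read the live values; a value that does not exist comes back as $null.
    $p = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    $v = @{}
    foreach ($n in $UacNames) { $v[$n] = $p.$n }
    $v
}

# Constructed sample states (not captured from a real machine).
$samples = [ordered]@{
    'Always notify' = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 }
    'Beta default'  = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }
    'After tamper'  = @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
}

foreach ($name in $samples.Keys) {
    $r = Get-UacPosture -Values $samples[$name]
    '{0,-14} -> {1}' -f $name, $r.Level
    $r.Findings | ForEach-Object { "    - $_" }
}

"Drift from 'Beta default' to 'After tamper':"
Compare-UacBaseline -Baseline $samples['Beta default'] -Current $samples['After tamper'] |
    ForEach-Object { '    {0}: {1} -> {2}' -f $_.Name, $_.Was, $_.Now }

# On a Windows machine, also classify the live configuration.
if ($env:OS -eq 'Windows_NT' -and (Test-Path $UacKey)) {
    $live = Get-UacPosture -Values (Read-UacValues)
    "This machine: $($live.Level)"
    $live.Findings | ForEach-Object { "    - $_" }
}
```

Recording the output of `Read-UacValues` as a baseline and re-running `Compare-UacBaseline` on a schedule gives the alert on UAC changes that the default prompt behaviour described above does not.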