Least Privilege Security for Windows 7, Vista and XP
About this ebook
Russell Smith
Least Privilege Security for Windows 7, Vista and XP - Russell Smith
Table of Contents
Least Privilege Security for Windows 7, Vista and XP
Credits
About the Author
About the Reviewers
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. An Overview of Least Privilege Security in Microsoft Windows
What is privilege?
What is Least Privilege Security?
Limiting the damage from accidental errors with Least Privilege Security
Reducing system access to the minimum with Least Privilege Security
Least Privilege Security in Windows
Windows 9.x
Windows NT (New Technology)
Windows 2000
Windows XP
Windows Vista
Windows 7
Advanced Least Privilege Security concepts
Discretionary Access Control
Mandatory Access Control
Mandatory Integrity Control
Role-based Access Control
Least Privilege Security in the real world
Benefits of Least Privilege Security on the desktop
Change and configuration management
Damage limitation
Regulatory compliance
Software licensing
What problems does Least Privilege Security not solve?
Common challenges of Least Privilege Security on the desktop
Application compatibility
System integrity
End user support
Least Privilege and your organization's bottom line
Determining the effect of Least Privilege Security on productivity
Reducing total cost of ownership
Improved security
Summary
2. Political and Cultural Challenges for Least Privilege Security
Company culture
Defining company culture
Culture shock
Culture case studies
Company A
Company B
Getting support from management
Selling Least Privilege Security
Using key performance indicators
Using key risk indicators
Mapping CSFs to KPIs
Security metrics
Threat modeling
Reducing costs
Security adds business value
Setting an example
User acceptance
Least Privilege Security terminology
Justifying the decision to implement Least Privilege Security
Applying Least Privilege Security throughout the enterprise
Deciding whom to exempt from running with a standard user account
What not to do
Managing expectations
Service catalog
Chargebacks
Maintaining flexibility
User education
Summary
3. Solving Least Privilege Problems with the Application Compatibility Toolkit
Quick compatibility fixes using the Program Compatibility Wizard
Applying compatibility modes to legacy applications
Program Compatibility Wizard
Program Compatibility Assistant
Disabling the Program Compatibility Assistant
Excluding executables from the Program Compatibility Assistant
Achieving application compatibility in enterprise environments
Compatibility fixes
Modifying applications using shims
Enhancing security using compatibility shims
Deciding whether to use a shim to solve a compatibility problem
Vendor support
In-house applications
Kernel-mode applications
Creating shims for your legacy applications
Solving compatibility problems with shims
LUA compatibility mode fixes in Windows XP
LUARedirectFS
LUARedirectFS_Cleanup
LUARedirectReg
LUARedirectReg_Cleanup
LUATrackFS
Creating your own custom database
Maxthon on Windows XP
Working with other commonly used compatibility fixes
ForceAdminAccess
CorrectFilePaths
VirtualRegistry
ADDREDIRECT
Working with custom databases
Adding new shims to your custom database (merging custom databases)
Temporarily disabling compatibility fixes
Installing a custom database from Compatibility Administrator
Deploying a database to multiple devices
Finding the GUID of custom database
SDBINST command-line switches
Distributing or updating a custom database using Group Policy
Summary
4. User Account Control
User Account Control components
Elevation prompts
Protected administrator (PA)
Windows Integrity Control and User Interface Privilege Isolation
Application Information Service
Filesystem and registry virtualization
Internet Explorer Protected Mode
The shield icon
User Account Control access token model
Standard user access token
Protected administrator access token
Conveniently elevating to admin privileges
Automatically launching applications with admin privileges
Consent and credential elevation prompts
Consent prompts
Credential prompts
Application-aware elevation prompts
Windows Vista
Publisher verified (signed)
Publisher not verified (unsigned)
Publisher blocked
Administrator accounts
Elevation prompt security
Securing the desktop
Providing extra security with the Secure Attention Sequence (SAS)
Securing elevated applications
Windows Integrity Mechanism
Integrity policies
Assigning integrity levels
User Interface Privilege Isolation
User Interface Privilege Level
UIPI and accessibility
Achieving application compatibility
Application manifest
Power Users
Windows Logo Program
Certification requirements
Filesystem and registry virtualization
Filesystem virtualization
Virtual root directory
Registry virtualization
Virtual root registry
Using Task Manager to determine whether a process is using UAC filesystem and registry virtualization
Windows Installer and User Account Control
Automatically detecting application installers
Controlling User Account Control through Group Policy
Admin Approval Mode for the built-in administrator account
Allowing UIAccess applications to prompt for elevation without using the secure desktop
Behavior of the elevation prompt for administrators in Admin Approval Mode
Behavior of the elevation prompt for standard users
Detect application installations and prompt for elevation
Only elevate executables that are signed and validated
Only elevate UIAccess applications that are installed in secure locations
Run all administrators in Admin Approval Mode
Switch to the secure desktop when prompting for elevation
Virtualize file and registry write failures to per-user locations
What's new in Windows 7 User Account Control
User Account Control slider
Auto-elevation for Windows binaries
Executables
Microsoft Management Console (MMC)
Component Object Model (COM) objects
More settings accessible to standard users
Summary
5. Tools and Techniques for Solving Least Privilege Security Problems
Granting temporary administrative privileges
Granting temporary administrative access using a separate logon (Vista and Windows 7 only)
Creating three support accounts
Creating a policy setting to automatically delete the support account at logoff
Testing the support accounts
Putting into practice
Granting temporary administrative access without a separate logon
Creating a batch file to elevate the privileges of the logged in user
Testing the procedure
Limitations of the procedure
Bypassing user account control for selected operations
Using Task Scheduler to run commands with elevated privileges
Running the Scheduled Task as a standard user
Configuring applications to run with elevated privileges on-the-fly
Solving LUA problems with Avecto Privilege Guard
Defining application groups
Defining access tokens
Configuring messages
Defining policies
Solving LUA problems with Privilege Manager
Defining Privilege Manager rules
Assigning permissions
Adding or removing individual privileges
Specifying integrity levels
Suppressing unwanted User Account Control prompts
Modifying application manifest files
Editing manifests using Resource Tuner
Modifying manifests using the RunAsInvoker shim
Setting permissions on files and registry keys
Identifying problems using Process Monitor
Modifying permissions on registry keys and files with Group Policy
Fixing problems with the HKey Classes Root registry hive
Using Registry Editor to copy keys from HKCR to HKCU
Mapping .ini files to the registry
Using LUA Buglight to identify file and registry access violations
Summary
6. Software Distribution using Group Policy
Installing software using Group Policy
Installing software using Windows Installer
Deploying software using Group Policy
Comparing Group Policy Software Installation with system images for software distribution
Choosing between thin and fat images
Preparing applications for deployment
Extracting .msi files from setup packages
Using WinRAR or 7-Zip to extract .msi files
Using command-line switches for silent installs and customization
Deploying system changes using Group Policy startup scripts
Creating an .msi wrapper
Repackaging an application with a legacy installer
Installing AdminStudio
Configuring AdminStudio's Repackager to run on a remote machine
Installing the remote repackager
Monitoring a legacy installation routine
Customizing an installation package
Customizing Acrobat Reader's MSI installer using Adobe Customization Wizard 9
Using the Distributed File System with GPSI
Creating a DFS namespace
Adding a folder to the namespace
Deploying software using GPSI
Configuring software installation settings
Targeting devices using WMI filters and security groups
Active Directory security groups
Creating a security group to filter a GPO
Windows Management Instrumentation filtering
Upgrading software with GPSI
Uninstalling software with GPSI
Removing software when it falls out of scope of management
Removing .msi packages from Group Policy Objects
Summary
7. Managing Internet Explorer Add-ons
ActiveX controls
Per-user ActiveX controls
Changing the installation scope to per-user
Best practices
Deploying commonly used ActiveX controls
Deploying Adobe Flash and Shockwave Player
Deploying Microsoft Silverlight
ActiveX Installer Service
Enabling the ActiveX Installer Service
Using the GUI to install the ActiveX Installer Service
Using the command line to install the ActiveX Installer Service
Determining the ActiveX control host URL in Windows 7
Determining the ActiveX control host URL in Windows Vista
Configuring the ActiveX Installer Service with Group Policy
Testing the ActiveX Installer Service
Managing add-ons
Administrator approved controls
Determining the Class Identifier CLSID of an installed ActiveX control
Adding ActiveX controls to the Add-on List
Summary
8. Supporting Users Running with Least Privilege
Providing support
Preparing to support least privilege
Troubleshooting using remote access
Troubleshooting for notebook users
The notebook challenge
Having the right tools in place
Notebook users who seldom visit the office
Setting out IT policy
Other functions the help desk might require
The last resort: An administrative backdoor for notebooks
Enabling and using command-line remote access tools
WS-Management
Configuring WS-Management with Group Policy
Connecting to remote machines using WS-Management
Running standard Windows commands as an administrator on remote computers
Enumerating information using Windows Management Instrumentation
Performing actions on remote computers as an administrator using WMI methods
Connecting to WS-Management 1.1 from Windows Server 2008 R2
Working with WS-Management security
Automating administration tasks using PowerShell Remoting
Enabling and using graphical remote access tools
Enabling Remote Assistance
Different types of Remote Assistance
Enabling Remote Assistance via Group Policy
Offering a computer unsolicited Remote Assistance: DCOM
Sending Remote Assistance invitations
Initiating Remote Assistance from the command line
Connecting to remote PCs using Easy Connect
Enabling Remote Assistance with Network Address Translation
Remote Desktop
Connecting to a remote computer using the Microsoft Management Console (MMC)
Configuring Windows Firewall to allow remote access
Creating a GPO for Windows Firewall in Windows 7
Importing Windows 7 Firewall rules to a GPO
Modifying the default Windows Firewall rules
Adding additional inbound exceptions for remote administration
Creating a WMI filter to restrict the scope of management to Windows 7
Linking the new GPO to the Client OU
Checking the GPO applies to Windows 7
Creating a GPO for Windows Firewall in Vista
Enabling the Remote Assistance and Remote Administration inbound exceptions for the Domain profile
Creating a WMI query for Windows Vista
Creating a GPO for Windows Firewall in Windows XP
Configuring GPO settings
Creating an exception for WS-Management
Creating an exception for Remote Desktop
Creating an exception for Remote Administration
Creating an exception for Remote Assistance
Creating a WMI filter to restrict the scope of management to Windows XP
Linking the new GPO to the Client OU
Summary
9. Deploying Software Restriction Policies and AppLocker
Controlling applications
Blocking portable applications
Securing Group Policy
Preventing users from circumventing Group Policy
Implementing Software Restriction Policy
Creating a whitelist with Software Restriction Policy
Defining hash rules
Defining path rules
Trusting software signed by a preferred publisher (Certificate Rules)
Making exceptions for IE zones (Network/Internet Zone Rule)
Creating a whitelist with Software Restriction Policy
Configuring applications to run as a standard user
AppLocker
Automatically generating AppLocker rules
Manually creating an AppLocker rule to blacklist an application
Importing and exporting AppLocker rules
Summary
10. Least Privilege in Windows XP
Installing Windows XP using the Microsoft Deployment Toolkit
Providing a Volume License product key for an MDT XP Task Sequence
Windows XP security model
Power users
Network Configuration Operators
Support_<1234>
User rights
Modifying logon rights and privileges
Logon rights
Privileges
CD burning
Third-party CD/DVD burning software
Nero Burning ROM
Installing Nero BurnRights
Configuring Nero BurnRights from the command line
Allowing non-administrative users to burn discs in CDBurnerXP
Additional security settings
Restricting access to removable media
ActiveX controls
Flash Player
Acrobat Reader
Silverlight
Other popular ActiveX controls
RealPlayer
QuickTime
Sun Java Runtime Environment
Alternatives to QuickTime and RealPlayer
Changing the system time and time zone
Changing the system time
Changing the time zone
Setting time zone registry permissions using a GPO
Power management
Managing power settings with Group Policy Preferences
Creating a GPO startup script to install GPP CSEs
Configuring power options using Group Policy Preferences
Configuring the registry for access to power settings
Managing network configuration
Configuring Restricted Groups
Identifying LUA problems using Standard User Analyzer
Summary
11. Preparing Vista and Windows 7 for Least Privilege Security
The Application Compatibility Toolkit
Application Compatibility Manager
Installing and configuring ACT
Creating a Data Collection Package
Analyzing data collected by ACT
The application attempted to store a file in a restricted location
The application attempted to store a file in a system location that was virtualized by Windows Vista
The application attempted to open a restricted registry key and write to a restricted registry location
The application attempted to store information under the HKEY_LOCAL_MACHINE\SOFTWARE registry hive
Printers and Least Privilege Security
Installing printers using Group Policy Preferences
Installing printers using Windows Server 2003 Print Management and Group Policy
Installing printers using a script
Logon scripts
Synchronizing the system time
Updating antivirus definitions
Changing protected system configuration
Mapping network drives and printers
Creating desktop shortcuts
Why do a desktop refresh from a technical perspective?
Different methods of reinstalling Windows
Manual, non-destructive install
Automated install
Reinstall Vista or Windows 7 with Least Privilege Security
Installing the Microsoft Deployment Toolkit
Creating a deployment share
Adding an operating system image
Adding core packages to our Lite Touch installation
Creating a Lite Touch task sequence
Updating our deployment share
Preserving default local group membership
Refreshing our OS with the Windows Deployment Wizard
Summary
12. Provisioning Applications on Secure Desktops with Remote Desktop Services
Introducing Remote Desktop Services
Installing Remote Desktop Session Host and Licensing roles
Controlling access to the Remote Desktop Server
Installing the Remote Desktop Gateway
Creating Connection (CAP) and Resource (RAP) Authorization Policies
Installing the RD Gateway SSL Certificate in Windows 7
Connecting to a Remote Desktop Server via an RD Gateway from Windows 7
Installing applications on Remote Desktop Servers
Publishing applications using Remote Desktop Services
Adding applications to the RemoteApp Manager
Managing Remote Desktop Services licenses
Understanding Remote Desktop Licensing
Revoking Per Device Remote Desktop Services Client Access Licences
Tracking Per User Remote Desktop Services Client Access Licences
Installing Remote Desktop Web Access
Configuring RSS for advertising RemoteApps in Windows 7
Understanding Remote Desktop and Virtual Desktop Infrastructures
Scaling with Remote Desktop Services
Summary
13. Balancing Flexibility and Security with Application Virtualization
Microsoft Application Virtualization 4.5 SP1 for Windows desktops
Isolating applications with SystemGuard
Deploying App-V
Deploying App-V using the standalone model
Deploying App-V using the streaming model
Deploying App-V using the full infrastructure
Creating a self-service system with App-V for standard users
Enforcing security descriptors
Emulating Application Programming Interface (API)
Solving App-V compatibility problems with shims
Sequencing an application for App-V
Installing the sequencer
Installing the client
Streaming applications with an App-V Server
Installing Microsoft System Center Application Virtualization Streaming Server
Deploying and managing applications for users who never connect to the corporate intranet
Updating applications and Differential Streaming
Active Update
Override URL
VMware ThinApp
Summary
14. Deploying XP Mode VMs with MED-V
Solving least privilege security problems using virtual machines
Virtual PC and Windows 7 XP Mode
Differentiating between App-V and XP Mode
Setting up Windows 7 XP Mode
Launching applications installed in XP Mode from the Windows 7 Start menu
Security concerns when running XP Mode
Microsoft Enterprise Desktop Virtualization (MED-V)
Installing MED-V 1.0 SP1
Installing the Image Repository
Installing the MED-V Server component
Installing the MED-V Management Console
Preparing a virtual machine for use with MED-V
Working with the MED-V Management Console
Importing a VM for testing
Creating a usage policy
Testing the workspace and usage policy
Packing the VM for use with the MED-V Server
Uploading the VM image to the MED-V Server
Testing the uploaded VM image
Summary
Index
Least Privilege Security for Windows 7, Vista and XP
Russell Smith
Copyright © 2010 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: July 2010
Production Reference: 1290610
Published by Packt Publishing Ltd. 32 Lincoln Road Olton Birmingham, B27 6PA, UK.
ISBN 978-1-849680-04-2
www.packtpub.com
Cover Image by Tina Negus (<tina_manthorpe@sky.com>)
Credits
Author
Russell Smith
Reviewers
Alun Jones
Stephen Lamb B.Sc (Hons)
Marco Shaw
Acquisition Editor
James Lumsden
Development Editors
Kerry George
Reshma Sundaresan
Technical Editors
Vinodhan Nair
Gaurav Datar
Copy Editor
Sanchari Mukherjee
Editorial Team Leader
Gagandeep Singh
Project Team Leader
Priya Mukherji
Project Coordinator
Ashwin Shetty
Proofreader
Chris Smith
Indexer
Rekha Nair
Graphics
Geetanjali Sawant
Production Coordinator
Adline Swetha Jesuthas
Cover Work
Adline Swetha Jesuthas
About the Author
Russell Smith specializes in management and security of Microsoft-based IT systems and is a Contributing Editor for CDW's Biztech magazine and writes regularly for industry journal Windows IT Professional. Russell is also contributing author to Supporting and Troubleshooting Applications on a Microsoft Windows Vista Client for Enterprise Support Technicians from Microsoft's Official Academic Course (MOAC) series of books published by Wiley and Sons.
An independent IT consultant and MCSE with more than ten years of experience, Russell's recent projects include Active Directory Security Consultant for the UK Health Service National Programme for Information Technology (NPfIT) and Exchange Architect for Wipro Technologies. Russell also has extensive experience as an IT trainer.
About the Reviewers
Alun Jones (MVP, MCP) is the President of Texas Imperial Software (http://www.wftpd.com). Texas Imperial Software develops secure networking software and provides security engineering consulting services. Texas Imperial Software's flagship product is WFTPD Pro, a secure FTP server for Windows, written entirely by Alun.
Alun entered the security field as more and more of WFTPD's support needs indicated that few companies were able to meet their needs for security on the Internet without help. His current day job is as a Security Engineer for an online retailer.
The Information Security-related blog, Tales from the Crypto (http://msmvps.com/blogs/alunj) carries Alun's occasional thoughts on the topic of Computer Security.
Alun has attended University at Corpus Christi College, Cambridge, and Bath University, and now lives near Seattle, Washington with his wife Debbie and son Colin, both of whom he now wishes to thank for their patience in allowing him to review this book.
Stephen Lamb has worked as an Information Security Professional for fifteen years, working with clients throughout Europe. Stephen is a firm believer that effective information security enables people and businesses to be more effective. He found from experience that a successful security strategy must encompass user awareness together with meaningful processes and procedures. During his career, Stephen has designed, developed, and implemented technical solutions to complex information security challenges. Stephen is fascinated by the challenges and opportunities social media bring to the security posture of organizations and individuals.
Marco Shaw is currently working as an independent contractor. He has been working in the IT industry for over 12 years. He was awarded the Microsoft Most Valuable Professional award for his contributions to the Windows PowerShell community in 2008, 2009, and again in 2010.
Marco spoke at TechMentor at San Francisco in 2008, where he provided two popular sessions on PowerShell. He also provided two popular sessions on Windows Server 2008 R2 and System Center Operations Manager 2007 at TechDays 2009 in Halifax, Canada.
His recent authoring activities have included writing PowerShell content for a Windows Server 2008 book by Microsoft Press, a PowerShell-related article on System Center Operations Manager 2007 for TechNet Magazine, providing PowerShell content for a SQL Server 2008 book by Sams, and also for a revised edition of System Center Operations Manager 2007 Unleashed by Sams. He has also co-authored the second edition of PowerShell Unleashed, published by Sams released early in 2009.
Marco has also been the technical reviewer for other books covering Microsoft technologies.
Blog: http://marcoshaw.blogspot.com
Twitter: http://twitter.com/marcoshaw
E-mail: <marco.shaw@gmail.com>
Dedicated to St. Petersburg, Russia - where this book was written.
Preface
In this, the first book to be entirely dedicated to the subject of running Least Privilege Security (or standard user accounts) on Windows operating systems in the enterprise, you will learn about the benefits Least Privilege brings organizations in terms of not only security, but regulatory compliance, improved manageability, and operational simplicity. The book provides a complete guide to implementing Least Privilege Security on the desktop, with step-by-step instructions and advice about how to overcome the most common technical and political challenges.
What this book covers
Chapter 1, An Overview of Least Privilege Security in Microsoft Windows, explores the principle of Least Privilege Security and shows how to implement it in different versions of Microsoft Windows. It also explains how to control and change system privileges, benefit from implementing Least Privilege Security on the desktop, and overcome the most common technical and political problems and challenges when implementing Least Privilege Security.
Chapter 2, Political and Cultural Challenges for Least Privilege Security, covers the reasons why users may not accept Least Privilege Security on the desktop. It also clearly explains and justifies the benefits of Least Privilege Security for your organization. The chapter also covers how to apply Least Privilege Security to different categories of users and get buy-in from management.
Chapter 3, Solving Least Privilege Problems with the Application Compatibility Toolkit, covers how to modify incompatible applications on the fly and achieve the best balance between compatibility and security by using Application Compatibility shims. It explains how to create shims using the Application Compatibility Toolkit 5.5 and distribute compatibility databases to devices across the enterprise.
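The chapter's last step, distributing a custom compatibility database, comes down to running sdbinst.exe on each client and confirming that the database registered. The script below is an added example written for this summary; it is not code from the book. The .sdb path and the database name are assumptions. It installs the database quietly, reads back the registration that sdbinst writes under the AppCompatFlags key, and lists every custom database on the machine, because the same mechanism that fixes a legacy application can redirect or persist in one you did not intend to shim.

```powershell
# Added example, not from the book. Deploys a Compatibility Administrator
# custom database with sdbinst.exe, verifies the registration, and lists
# all installed custom shim databases. Must run elevated.
$SdbPath      = 'C:\Deploy\LegacyApps.sdb'    # assumed: the .sdb built in Compatibility Administrator
$DatabaseName = 'LegacyApps LUA fixes'        # assumed: the name given to the database

$installedKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
$customKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom'
$sdbinst      = "$env:SystemRoot\System32\sdbinst.exe"

function Get-InstalledShimDatabase {
    # One object per registered custom .sdb: GUID, description, path,
    # plus the executables mapped to it under ...\AppCompatFlags\Custom,
    # where each exe is a subkey holding a value named "{GUID}.sdb".
    if (-not (Test-Path $installedKey)) { return @() }
    foreach ($key in Get-ChildItem $installedKey) {
        $guid  = $key.PSChildName
        $props = Get-ItemProperty $key.PSPath
        $exes  = @()
        if (Test-Path $customKey) {
            $exes = Get-ChildItem $customKey |
                Where-Object { $_.Property -contains "$guid.sdb" } |
                ForEach-Object { $_.PSChildName }
        }
        New-Object PSObject -Property @{
            Guid        = $guid
            Description = $props.DatabaseDescription
            Path        = $props.DatabasePath
            Executables = $exes
        }
    }
}

function Install-ShimDatabase {
    param([string]$Path)
    # -q suppresses the confirmation dialog, which a GPO startup script cannot answer.
    if (-not (Test-Path $Path)) { throw "Database not found: $Path" }
    & $sdbinst -q $Path
    if ($LASTEXITCODE -ne 0) { throw "sdbinst failed with exit code $LASTEXITCODE" }
}

function Uninstall-ShimDatabase {
    param([string]$Guid)
    # -u -g removes a database by GUID; this is the form an uninstall script uses.
    & $sdbinst -q -u -g $Guid
}

Install-ShimDatabase -Path $SdbPath

$db = Get-InstalledShimDatabase | Where-Object { $_.Description -eq $DatabaseName }
if (-not $db) { throw "Database '$DatabaseName' did not register under InstalledSDB" }
"Installed {0} as {1}; shimmed executables: {2}" -f $db.Path, $db.Guid, ($db.Executables -join ', ')

# Everything on the box, not just what you deployed. A database you do not
# recognise deserves a look: the shim engine will happily apply someone
# else's fixes to the executables named here.
Get-InstalledShimDatabase | Format-Table Guid, Description, Path -AutoSize
```

The GUID printed after installation is the one to keep with the deployment record; removing the database later by name with sdbinst -u -n works only while the name is unique, whereas -g is unambiguous.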
Chapter 4, User Account Control, covers how to achieve a seamless user experience by using the different components and compatibility features of User Account Control. It also explains how to configure User Account Control on multiple computers using Group Policy and the inner workings of User Account Control's core components.
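The ten User Account Control policies listed in the chapter (Admin Approval Mode for the built-in Administrator account through Virtualize file and registry write failures) are stored as DWORD values under one registry key, which makes them easy to audit on a client after Group Policy has applied. The script below is an added example written for this summary, not code from the book. The expected values are an assumed baseline for a domain where everyone runs as a standard user and support staff elevate with a separate credential; adjust them to your own policy.

```powershell
# Added example, not from the book. Compares this computer's UAC policy
# values with an assumed baseline and reports drift. Works on Vista and
# Windows 7 with PowerShell 2.0; reading the key needs no elevation.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value name, the Group Policy setting it backs, and the baseline value (assumed).
$baseline = @(
    @{ Name='EnableLUA';                   Expected=1; Policy='Run all administrators in Admin Approval Mode' }
    @{ Name='FilterAdministratorToken';    Expected=1; Policy='Admin Approval Mode for the built-in Administrator account' }
    @{ Name='ConsentPromptBehaviorAdmin';  Expected=2; Policy='Elevation prompt for administrators in Admin Approval Mode (2 = consent on the secure desktop)' }
    @{ Name='ConsentPromptBehaviorUser';   Expected=1; Policy='Elevation prompt for standard users (1 = credentials on the secure desktop)' }
    @{ Name='PromptOnSecureDesktop';       Expected=1; Policy='Switch to the secure desktop when prompting for elevation' }
    @{ Name='EnableInstallerDetection';    Expected=1; Policy='Detect application installations and prompt for elevation' }
    @{ Name='ValidateAdminCodeSignatures'; Expected=0; Policy='Only elevate executables that are signed and validated (1 blocks unsigned in-house tools)' }
    @{ Name='EnableSecureUIAPaths';        Expected=1; Policy='Only elevate UIAccess applications that are installed in secure locations' }
    @{ Name='EnableUIADesktopToggle';      Expected=0; Policy='Allow UIAccess applications to prompt for elevation without using the secure desktop' }
    @{ Name='EnableVirtualization';        Expected=1; Policy='Virtualize file and registry write failures to per-user locations' }
)

function Read-UacValues {
    # Returns a hashtable of value name -> current DWORD ($null when the value is absent).
    $props  = Get-ItemProperty -Path $uacKey
    $actual = @{}
    foreach ($b in $baseline) { $actual[$b.Name] = $props.($b.Name) }
    $actual
}

function Test-UacBaseline {
    param([hashtable]$Actual)
    foreach ($b in $baseline) {
        $current = $Actual[$b.Name]
        $shown   = '(not set)'
        if ($null -ne $current) { $shown = $current }
        $status  = 'DRIFT'
        if ($current -eq $b.Expected) { $status = 'OK' }
        New-Object PSObject -Property @{
            Setting  = $b.Policy
            Value    = $b.Name
            Current  = $shown
            Expected = $b.Expected
            Status   = $status
        }
    }
}

$report = Test-UacBaseline -Actual (Read-UacValues)
$report | Format-Table Value, Current, Expected, Status, Setting -AutoSize

# EnableLUA=0 switches the whole feature off: administrators get a full
# token at logon, there is no protected administrator, no filesystem and
# registry virtualization, and Internet Explorer Protected Mode is gone.
# That single row is the finding that matters; the others are moot.
if ($report | Where-Object { $_.Value -eq 'EnableLUA' -and $_.Current -eq 0 }) {
    Write-Warning 'UAC is disabled on this computer (EnableLUA=0); the remaining rows are not meaningful.'
}
```

A change to EnableLUA takes effect only after a restart, so a machine can report EnableLUA=1 while still running with UAC off until it reboots; if you are auditing right after a policy change, check the uptime too.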
Chapter 5, Tools and Techniques for Solving Least Privilege Security Problems, covers how to set up a system for temporarily granting administrative privileges to standard users for support purposes. It also covers how to use Task Scheduler to run common processes without the need to elevate privileges and how to install third-party solutions to configure administrative privileges for applications and Windows processes on-the-fly.
Chapter 6, Software Distribution using Group Policy, explains how to prepare applications for Group Policy Software Installation (GPSI) and Windows Installer deployment. It also explains how to repackage legacy setup programs in Windows Installer .msi format and how to make GPSI more scalable and flexible using the Distributed File System (DFS). It covers how to target client computers using Windows Management Instrumentation (WMI) filters and Group Policy Scope of Management.
Chapter 7, Managing Internet Explorer Add-ons, covers how to support per-user and per-machine ActiveX controls and manage Internet Explorer add-ons via Group Policy. It also explains how to install per-machine ActiveX controls using the ActiveX Installer Service (AxIS) and how to implement best practices for working with ActiveX controls in a managed environment.
Chapter 8, Supporting Users Running with Least-Privilege, explains how to support Least-Privilege user accounts using reliable remote access solutions, how to connect to remote systems with administrative privileges using different techniques and enable remote access using Group Policy and Windows Firewall.
Chapter 9, Deploying Software Restriction Policies and AppLocker, explains how to deploy default Software Restriction Policy (SRP) or AppLocker rules to ensure only programs installed in protected locations can run. It discusses how to force an application to launch with standard user privileges even if the user is an administrator and how to blacklist an application using SRP or AppLocker.
Chapter 10, Least Privilege in Windows XP, covers how to redeploy Windows XP with Least Privilege Security configured and identify problems with applications caused by Least Privilege Security using the Microsoft Deployment Toolkit. It also explains how to mitigate the problems and limitations users may face when running with a Least Privilege Security account and how to handle ActiveX controls in Windows XP.
Chapter 11, Preparing Vista and Windows 7 for Least Privilege Security, explains how to collect and analyze data to identify any potential compatibility problems with Least Privilege Security and software installed on networked PCs using Microsoft's Application Compatibility Toolkit (ACT). The reader will learn how to analyze logon scripts for Least Privilege compatibility, how to prepare a desktop image with Least Privilege Security enabled from the start and deploy the new image while preserving users' files and settings.
Chapter 12, Provisioning Applications on Secure Desktops with Remote Desktop Services, explains how to install the core server roles for Remote Desktop Services in Windows Server 2008 R2 using Windows PowerShell. It also explains how to set up and understand Remote Desktop Licensing and configure Remote Desktop Gateway for secure remote access to applications over HTTPS. This chapter also discusses how to advertise published Remote Applications on Windows 7’s Start menu using Remote Desktop Web Access.
Chapter 13, Balancing Flexibility and Security with Application Virtualization, covers how to sequence an application for streaming and virtualization, and how to set up the App-V Client to work with a server-less deployment model.
Chapter 14, Deploying XP Mode VMs with MED-V, explains how to deploy legacy applications that are not compatible with newer versions of Windows and how to set up Windows XP Mode for Windows 7. It also explains how to configure the different components of MED-V for managing and deploying VMs in a large corporate environment and how to prepare VMs for use with MED-V.
What you need for this book
The following software products are used in this book:
Windows Server 2008 R2 (any edition)
Windows XP Professional
Windows Vista (Business, Enterprise, or Ultimate)
Windows 7 (Professional, Enterprise, or Ultimate)
Microsoft Desktop Optimization Pack (MDOP) 2010
An application that is not compatible with a standard user account on Windows XP, Vista or 7
Who this book is for
This book is for System Administrators or desktop support staff who want to implement Least Privilege Security on Windows systems.
Conventions
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text are shown as follows: Now that we've got our machines configured with the WinRM service and listening on port 5985 (or port 80 for WinRM 1.1), we need to see if we can connect using the winrs command.
Any command-line input or output is written as follows:
net user Support1 ******** /expires:never /passwordchg:no /ADD
net localgroup Administrators Support1 /ADD
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: The Allow non-administrators to install drivers for these device setup classes setting under Computer Configuration | Policies | Administrative Templates | System | Driver Installation in Vista and Windows 7 Group Policy allows administrators to stipulate devices that can be installed by standard users according to the device GUID as specified in the driver.
Note
Warnings or important notes appear in a box like this.
Note
Tips and tricks appear like this.
Reader feedback
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an e-mail to <feedback@packtpub.com>, and mention the book title via the subject of your message.
If there is a book that you need and would like to see us publish, please send us a note in the SUGGEST A TITLE form on www.packtpub.com or e-mail
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Customer support
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Errata
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the let us know link, and entering the details of your errata. Once