Sunday, February 08, 2009

Windows 7 News Roundup #7: SKU’s, UAC’s, and VHD’s

Lots of stuff going on with Windows 7 this week. 

Fortunately it has been concentrated in a few key areas: SKU’s for Windows 7 and more back-n-forth action with UAC than we saw during this year’s Super Bowl.

  • How well does Windows 7 handle 512MB? - Ed Bott’s Microsoft Report.  “Very well” apparently is the answer.  I’m not surprised and I suppose some real low-end systems might be used to run Windows 7 (along with “netbooks”) but I wouldn’t want to have to use a system with anything less than 2GB RAM now.  Call me spoiled but I like the extra headroom.

  • A closer look at the Windows 7 SKUs - Windows 7 Team Blog and Six of 7: Microsoft announces Windows 7 versions – Chron.com TechBlog.  Details emerge on the W7 levels for sale.  Do you want Windows 7 Home Premium or Windows 7 Professional?   A single DVD will contain all versions offered for Windows 7, so if you go cheap and regret it, you get instant upgrade satisfaction (with some extra greenbacks).  As you crawl up the SKU food-chain, you keep all the features of the lower versions, but get more. Then if you are in a “specific market” there is Windows 7 Starter, Windows 7 Home Basic, and Windows 7 Enterprise.  Then there is Windows 7 Ultimate which offers the whole kit-n-caboodle.   Yep.  Leave it to MS to make product selection still clear as mud.

  • Windows 7 DirectAccess – Features and Windows 7 DirectAccess – Experiences – 4sysops blog takes a look at this VPN-replacement feature for Windows 7 clients and Server 2008.  It has lots of features and supports automatic, VPN’ish connections between the user’s system and the remote server with no end-user interaction once set up.  However it does seem to have some high requirements to function on the server side.  Looks to be pretty cool but I’m not seeing it as a replacement for traditional VPN setups anytime soon.

And then there was that whole UAC fumble and recovery…

  • Engineering Windows 7 : Update on UAC – Engineering Windows 7 Blog – Microsoft goes in depth on why W7 UAC is so much better than Vista UAC. Not only that, they feel malware will have an even harder time getting on a W7 system than a Vista system.  And that people (sysadmins and security folks) just aren’t getting those facts correct.  Key takeaway quotes were “One important thing to know is that UAC is not a security boundary. UAC helps people be more secure, but it is not a cure all. UAC helps most by being the prompt before software is installed.” and “Recapping the discussion so far, we know that the recent feedback does not represent a security vulnerability because malicious software would already need to be running on the system.”  I know they are working hard at listening to test users, but they just weren’t also listening to the outcry from the security researchers and folks who have to clean up the messes users make on their systems, despite UAC.

  • Windows 7 auto-elevation mistake lets malware elevate freely, easily - Within Windows. R.Rivera then found that not only was the previous issue with UAC still bad, but there was a new weakness as well.  If code (malicious or otherwise) uses a “trusted” MS binary to launch other code (malicious or otherwise) in an elevated process, the UAC settings for notification/approval of the elevation are bypassed.  Oops.

  • Second Windows 7 beta UAC security flaw: malware can silently self-elevate with default UAC policy – istartedsomething – Long Zheng details R.Rivera’s findings a bit more and makes the danger they present easy and clear to see.  Even if “UAC is not a security boundary.”

  • List of Windows 7 (beta build 7000) auto-elevated binaries - Within Windows – R.Rivera then goes through the binaries in Windows 7 and identifies 68 selected binaries that could potentially be used (some more likely than others) to auto-elevate any code they are asked to execute on behalf of the application that has engaged them to do so.

  • Engineering Windows 7 : UAC Feedback and Follow-Up  – Engineering Windows 7 Blog – Windows developers finally listen to the outcry from its professional users and relent on UAC design and conceptualizations:

    With this feedback and a lot more we are going to deliver two changes to the Release Candidate that we’ll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation

    The first change was a bug fix and we actually have a couple of others similar to that—this is a beta still, even if many of us are running it full time. The second change is due directly to the feedback we’re seeing. This “inconsistency” in the model is exactly the path we’re taking. The way we’re going to think about this is that the UAC setting is something like a password, and to change your password you need to enter your old password.

    The feedback is that UAC is special, because it can be used to disable silently future warnings if that change is not elevated and so to change the UAC setting an elevation will be required.

Windows 7 and VHD Mounting

A lesser-known feature of Windows 7 is its native support for recognizing and accessing virtual hard drive files.  Now to be clear, this won’t be the same as actually virtually “running” any OS the virtual hard drive may have (a la Virtual PC 2007).  It is more like mounting an “off-line” version of the virtual hard drive so you can access the files contained within.

But how to do this is neither intuitive nor well documented.

Thank goodness for the Virtual PC Guy

In Windows 7 / Windows Server 2008 R2 VHD support is now part of the platform.  This means that you do not need to enable Hyper-V to mount and manipulate virtual hard disks.  You can mount virtual hard disks directly on your Windows 7 / Windows Server 2008 R2 system in two ways.  The first is to use the Disk Management UI:

  1. Open the Start menu
  2. Right click on Computer and select Manage
  3. Expand Storage and click on Disk Management
  4. Click on the Action menu and select Attach VHD
  5. Enter the Location and name of your virtual hard disk (there is a browse button you can use)
  6. Click OK

And you are done - simple!  To unmount the virtual hard disk you just need to right click on the Disk entry for the virtual hard disk and select Detach VHD.

The other option is to use diskpart.  To do this you will need to:

  1. Open up an administrative command prompt.
  2. Run diskpart
  3. Type in SELECT VDISK FILE=insert your VHD file path and name here
  4. Type in ATTACH VDISK

When you are done you can unmount the VHD using the DETACH VDISK command under diskpart.

Awesome work there Ben!

Though I personally think Microsoft should just go ahead and add it natively to the right-click shell context menu to instantly allow for right-click mounting/dismounting of the VHD’s.  I think it will only be a short matter of time before someone is clever enough to do so via a registry hack like the method Robert McLaws came up with for handling WIM file mounting/dismounting.
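Until then, the diskpart steps quoted above can be driven from a small command script. The following is an added example, not code from the Virtual PC Guy's post: it attaches the VHD with diskpart's READONLY option so that browsing an off-line image cannot change it. The script name `vhd.cmd` and the sample path are hypothetical.

```bat
@echo off
rem Added example (not from the original post): run the diskpart steps from a
rem script. The VHD is attached read-only so the image cannot be modified.
rem Usage, from an administrative command prompt (names are hypothetical):
rem   vhd.cmd attach C:\images\disk.vhd
rem   vhd.cmd detach C:\images\disk.vhd
setlocal
set "VERB="
if "%~2"=="" goto usage
if not exist "%~f2" goto missing
if /i "%~1"=="attach" set "VERB=attach vdisk readonly"
if /i "%~1"=="detach" set "VERB=detach vdisk"
if not defined VERB goto usage

rem diskpart reads its commands from a text file when started with /s
set "SCRIPT=%TEMP%\vhd-%RANDOM%.txt"
> "%SCRIPT%" echo select vdisk file="%~f2"
>> "%SCRIPT%" echo %VERB%

diskpart /s "%SCRIPT%"
set "RC=%ERRORLEVEL%"
del "%SCRIPT%"

rem Pass diskpart's exit code back to the caller (non-zero means it failed)
exit /b %RC%

:usage
echo Usage: %~nx0 attach^|detach ^<path-to-vhd^>
exit /b 1

:missing
echo VHD not found: %~f2
exit /b 1
```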

Cheers!

--Claus V.
