Microsoft Press Windows Vista Administrator's Pocket Consultant ebook
Page 5
The taskbar displays a button for each program running interactively. Clicking the button enables you to display the program window in front of all other windows. When you are running multiple similar programs, these programs are grouped automatically under one taskbar button. Clicking the taskbar button then displays a dialog box with an entry for each folder window, enabling you to select which item to display.
With Windows Aero, when you move the mouse pointer over a taskbar button, Windows Vista displays a live thumbnail of the window, showing the content of that window. For grouped taskbar buttons, Windows displays a thumbnail of the most recently opened window and the thumbnail appears to include a group of windows.
Beyond this, you can work with running programs in several different ways:
If you press Alt+Tab, Windows Vista displays a view window containing live thumbnails of all open windows. This view is called a flip view. Holding down the Alt key keeps the flip view open. Pressing Tab while holding down the Alt key allows you to cycle through the windows. When you release the Alt key, the currently selected window is brought to the front. You can also select a window and bring it to the front by clicking the thumbnail.
If you press the Windows logo key and Tab, Windows Vista displays a skewed 3D view of all open windows. This view is called a 3D flip view. Holding down the Windows logo key keeps the 3D flip view open. Pressing the Tab key while holding down the Windows logo key enables you to cycle through the windows. When you release the Windows logo key, the currently selected window is brought to the front. You can also select a window and bring it to the front by clicking the 3D window view.
The notification area, on the far right on the taskbar, is divided into an area for standard notification icons, such as those used by programs you've installed, and an area for system notification icons, such as those for the clock, volume, network, and power. To manage the notification area settings, right-click the Start button and then select Properties. In the Taskbar And Start Menu Properties dialog box, click the Notification Area tab and then use the options provided to configure notification.
Working with the Start Menu
The Start menu is the gateway to all the programs installed on a computer running Windows Vista. As shown in Figure 2-2, when you click the Start button, you see a list of recently used programs and programs that have been pinned to the Start menu. By default, Internet Explorer and Windows Mail (previously called Microsoft Outlook Express) are pinned to the Start menu, and up to eight recent programs are displayed as well.
Figure 2-2: The Start menu.
The Search box on the Start menu enables you to search a computer for files, folders, or programs that match the search text you've entered. Working with the Search box is easy. To do so, follow these steps:
Begin a search by typing your search text into the Search box. Search results are displayed in the left pane of the Start menu.
Click an item in the results list to open that item.
Click the Clear button to the right of the Search box, or press the Esc key, to clear the search results and return to normal view.
Tip
If you're already at the Start menu, you don't need to click in the Search box before you begin typing. Just type your search text.
The system feature that performs the search is the Windows Search service. Windows Search service is the next generation of the Indexing service included in earlier versions of Windows. Windows Search service searches the entire computer for the search text you've specified. The search service returns any related results after performing the following tasks.
Matching the search text to words that appear in the title of any program, file, or folder
Matching the search text to properties of programs, files, and folders as well as the contents of text-based documents
Matching the search text to entries in the Favorites and History folders
By default, the service indexes the documents contained in the %SystemDrive%Users folders and the %SystemDrive%ProgramDataMicrosoftWindowsStartMenu folders, enabling it to quickly identify matches with items stored in these folders. You can use the Indexing Options utility in Control Panel to view indexing status and to configure indexing options. By default, index data is stored in the %SystemRoot% ProgramDataMicrosoftSearch folder.
Note
When you install and configure Microsoft Office Outlook 2007, user mailboxes stored or locally cached on the computer are indexed automatically. Any locally cached public folders are indexed as well.
Tip
You can perform local folder and Internet searches as well. When you open a folder, you'll find a Search text box in the upper-right corner of the Windows Explorer window. By default, typing search text in this text box and pressing Enter results in localized searches of the currently open folder and its subfolders. To perform an Internet search, click the Start button and then enter your search text. Afterward, click the Options button to the right of the Search box and then select the Search The Internet option. Search The Internet uses the computer's default search provider to search the Internet using the search text that you've provided. The default search provider is MSN Search. You can use the Internet Options utility in Control Panel to set the default search provider.
The right pane of the Start menu provides options buttons that you can use to access commonly used folders and features. From top to bottom, the option buttons appear as follows:
Current user Shows the name of the currently logged-on user. Clicking this option opens the user's personal folder in Windows Explorer.
Documents Displays the current user's Documents folder in Windows Explorer.
Pictures Displays the current user's Pictures folder in Windows Explorer.
Music Displays the current user's Music folder in Windows Explorer.
Games Displays the Microsoft Games folder in Windows Explorer. The Games button is not listed in the Start menu for business editions of Windows Vista.
Search Displays Windows Explorer, which you can use to search the computer.
Recent Items Displays a menu that lists recently opened files.
Computer Displays a window in which you can access hard disk drives and devices with removable storage. In the Computer window, double-click a disk to browse its contents.
Network Displays a window in which you can access the computers and devices on your network.
Connect To Displays the Connect To A Network dialog box for connecting to wireless networks.
Control Panel Displays Control Panel, which provides access to system configuration and management tools.
Default Programs Displays the Default Programs window, which lets you choose the programs that Windows Vista uses by default for documents, pictures, and more. You can also associate file types with programs and configure AutoPlay settings.
Help And Support Displays the Windows Help And Support console, which you can use to browse or search help topics.
Several additional options can be added to the right pane, including:
Administrative Tools Displays a list of system administration tools.
Printers Displays a Printers window, which lists and provides access to currently configured printers.
Run Displays the Run dialog box, which can be used to run commands.
To display these additional options, follow these steps:
Right-click the Start button and then select Properties. This displays the Taskbar And Start Menu Properties dialog box.
On the Start Menu tab, click the Customize button. In the Customize Start Menu dialog box, scroll down through the options.
To display the Printers option, select the Printers check box.
To display the Run option, select the Run Command check box.
To Display the Administrative Tools option, select Display On The All Programs Menu And The Start Menu option under System Administrative Tools.
Click OK.
Working with Control Panel
&nbs
p; Most of the tools you use to manage computers running Windows Vista are accessible from Control Panel. You can access Control Panel by clicking the Start button on the taskbar and then clicking Control Panel. You can also display Control Panel in any Windows Explorer view by clicking the leftmost option button in the Address bar and then selecting Control Panel.
Control Panel in Windows Vista has two views:
Category Control Panel, or simply Control Panel, is the default view. This view provides access to system utilities by category and task.
Classic Control Panel is an alternative view. This view provides the look and functionality of Control Panel in Windows 2000 and earlier versions of Windows.
Unlike Classic Control Panel, which lists each individual utility available, Category Control Panel is a console window in which 10 categories of utilities are listed. As shown in Figure 2-3, each category includes a top-level link, and under this link are some of the most frequently performed tasks for the category. If you click a category link, Control Panel displays a list of utilities in that category. Each utility has a link that opens the utility, and under this link are several of the most frequently performed tasks for the utility.
Figure 2-3: Control Panel.
Managing User Account Control and Elevation Prompts
User Account Control (UAC) represents a significant change in the way user accounts are used and configured. It affects which privileges standard users and administrator users have, how applications are installed and run, and much more. In this section, I'll extend the discussion provided in Chapter 1 and provide a comprehensive look at how UAC affects user and administrator accounts. This is essential information to know when managing Windows Vista systems.
Note
Learning how UAC works will help you be a better administrator. To support UAC, many aspects of the Windows operating system had to be reworked. Some of the most extensive changes have to do with how applications are installed and run. In Chapter 5, "Installing and Maintaining Programs," you'll find a complete discussion of how the architecture changes affect programs running on Windows Vista.
Redefining Standard User and Administrator User Accounts
In Windows XP and earlier versions of Windows, malicious software programs can exploit the fact that most user accounts are configured as members of the local computer's administrators group. Not only does this allow malicious software to install itself, but it also allows malicious software to use these elevated privileges to wreak havoc on the computer, because programs installed by administrators can write to otherwise secure areas of the registry and file system.
To combat the growing threat of malicious software, organizations have locked down computers, required users to log on using standard user accounts, and required administrators to use Run As for performing administrative tasks. Unfortunately, these procedural changes can have serious negative consequences on productivity. A person logged on as a standard user under Windows XP can't perform some of the most basic tasks, such as changing the system clock and calendar, changing the computer's time zone, or changing the computer's power management settings. Many software programs designed for Windows XP simply will not function properly without local administrator rights–these programs use local administrative rights to write to system locations during installation and during normal operations. Additionally, Windows XP doesn't let you know beforehand when a task you are performing requires administrator privileges.
User Account Control seeks to improve usability while at the same time enhancing security by redefining how standard user and administrator user accounts are used. User Account Control represents a fundamental shift in computing by providing a framework that limits the scope of administrator-level access privileges and that requires all applications to run in a specific user mode. In this way, UAC prevents users from making inadvertent changes to system settings and locks down the computer to prevent unauthorized applications from installing or performing malicious actions.
Because of UAC, Windows Vista defines two levels of user accounts: standard and administrator. Windows Vista also defines two modes (run levels) for applications: standard user mode and administrator mode. Although standard user accounts can use most software and can change system settings that do not affect other users or the security of the computer, administrator user accounts have complete access to the computer and can make any desired changes. When an administrator user starts an application, her access token and its associated administrator privileges are applied to the application, giving her all the rights and privileges of a local computer administrator for that application. When a standard user starts an application, her access token and its associated privileges are applied to the application at run time, limiting her to the rights and privileges of a standard user for that application. Further, all applications are configured to run in a specific mode during installation. Any tasks run by standard mode applications that require administrator privileges are not only identified during setup but also require user approval to run.
In Windows Vista, the set of privileges assigned to standard user accounts has changed. Standard user accounts can perform the following tasks:
Install fonts, view the system clock and calendar, and change the time zone.
Change the display settings and the power management settings.
Add printers and other devices (when the required drivers are installed on the computer or are provided by an IT administrator).
Download and install updates (when the updates use UAC-compatible installers).
Create and configure virtual private network (VPN) connections. VPN connections are used to establish secure connections to private networks over the public Internet.
Install Wired Equivalent Privacy (WEP) to connect to secure wireless networks. The WEP security protocol provides wireless networks with improved security.
Windows Vista also defines two run levels for applications: standard and administrator. Windows Vista determines whether a user needs elevated privileges to run a program by supplying most applications and processes with a security token. If an application has a standard token, or an application cannot be identified as an administrator application, elevated privileges are not required to run the application, and Windows Vista starts it as a standard application by default. If an application has an administrator token, elevated privileges are required to run the application, and Windows Vista prompts the user for permission or confirmation prior to running the application.
The process of getting approval prior to running an application in administrator mode and prior to performing tasks that change system configuration is known as elevation. Elevation enhances security and reduces the impact of malicious software by notifying users prior to performing any action that could impact system settings and by preventing applications from using administrator privileges without first notifying users. Elevation also protects administrator applications from attacks by standard applications. For more information on elevation and how UAC works with applications, see Chapter 5.
Optimizing User Account Control and Admin Approval Mode
Admin Approval Mode is the key component of UAC that determines whether and how administrators are prompted when running administrator applications. The default way that Admin Approval Mode works is as follows:
All administrators, including the built-in local administrator account, run in, and are subject to, Admin Approval Mode.
Because they are running in and subject to Admin Approval Mode, all administrators, including the built-in local administrator account, see the elevation prompt whenever they run administrator applications.
In Group Policy under Local PoliciesSecurity Options, five security settings determine how Admin Approval Mode and elevation prompting work. These security settings are:
User Account Control: Behavior Of The Elevation Prompt For Standard Users Determines whether users logged on with a standard user account see an elevation prompt when running administrator
applications. By default, users logged on with a standard user account are prompted for the credentials of an administrator when running administrator applications. You can also configure this option so users are not prompted, in which case, the users will not be able to elevate privileges by supplying administrator credentials. This doesn't prevent users from right-clicking an application shortcut and selecting Run As Administrator.
User Account Control: Switch To The Secure Desktop When Prompting For Elevation Determines whether Windows Vista switches to the secure desktop before prompting for elevation. As the name implies, the secure desktop restricts the programs and processes that have application to the desktop environment and in this way reduces the possibility that a malicious program or user could gain access to the process being elevated. By default, this security option is enabled. If you don't want Windows Vista to switch to the secure desktop prior to prompting for elevation, you can disable this setting. However, this makes the computer more susceptible to malware and attack.
User Account Control: Run All Administrators In Admin Approval Mode Determines whether users logged on with an administrator account are subject to Admin Approval Mode. By default, this feature is enabled, which means administrators are subject to Admin Approval Mode and further subject to the elevation prompt behavior stipulated for administrators in Admin Approval Mode. If you disable this setting, users logged on with an administrator account are not subject to Admin Approval and therefore are not subject to the elevation prompt behavior stipulated for administrators in Admin Approval Mode.
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode Determines whether administrators subject to Admin Approval Mode see an elevation prompt when running administrator applications and also determines how the elevation prompt works. By default, administrators are prompted for consent when running administrator applications. You can configure this option so administrators are prompted for credentials, as is the case with standard users. You can also configure this option so administrators are not prompted at all, in which case, the administrator will not be able to elevate privileges. This doesn't prevent administrators from right-clicking an application shortcut and selecting Run As Administrator.