Archive for category Windows Vista

UAC – User Account Control ( and my ipconfig )

User Account Control – “The requested operation requires elevation”

Boy… even simple procedures get a couple of added steps when you are serious about security.

Note to self, sit down and do a little more reading on Vista!

LINKS

Administrators and Power Users who sometimes have to float around their department helping out with DNS, DHCP and the like have another step in the procedure chain when dealing with Windows Vista and ipconfig (or any other command-line or GUI-based administrative function).

IPCONFIG is an old tool at the command line that is responsible for utility type tasks in configuring IP (Internet Protocol) such as

  • release - releasing an IP address
  • renew - renewing an IP address
  • flushdns - flushing out the Domain Name System resolver
  • all - seeing all the data relating to a particular network adapter's current settings
  • etc…

In the old days, you would open up cmd.exe, type in your ipconfig command and voilà!!! You'd get your information, network happy faces all round. It's a little different in Vista, because of a new security feature called User Account Control.

User Account Control keeps functions, applications and executables on the Vista computer from being executed with ADMINISTRATOR privileges unless they are explicitly elevated. This is a common-sense approach and is practiced in most computing environments, whether Linux, Mac, Windows, whatever. Plainly put, this security practice says: DON'T log on as the administrator and run everything as the administrator! If the bad guys were to get in… then they get in as the administrator.

In Windows XP and prior, Microsoft suggested that you follow this practice of least privilege by setting up TWO ACCOUNTS: (1) an everyday regular computing account [a limited account] and (2) an account to use, only when needed, for the BIG BOY tasks (Administrator type stuff).

The difference today with Vista is that Microsoft is enforcing this practice in the Operating System itself. This addition to Windows Vista/Windows Server 2008 is called User Account Control.

Unless you turn off UAC "User Account Control" (yes, there is a switch to do this in Vista), least privilege is enforced even when you are logged on as the Administrator. Personally, I often elevate privilege by using runas to launch a command line window in the context of the Administrator account. There is one little hitch in the giddy-up though… the command line does not elevate privilege the way that it once did using runas in prior versions of Windows.

In Windows 2003 / Windows XP / Windows 2000 / keep going backward… you could be logged in as a LIMITED user, launch Start > Run > cmd.exe, re-launch another command window using runas with the Administrator account, and any program you ran from that command line was "run as" the Administrator. This does not work in Vista. You can specifically instruct the OS to open a command line as the Administrator (i.e. runas Administrator) and it still will not allow you to do simple things like release an IP address: under UAC the new window only gets the Administrator's filtered, non-elevated token. NO WAY buddy, sorry, not today :( .

The funny thing is that you can do it with the mouse! Yes… RIGHT CLICK – Run as administrator. But using the command line runas command no longer achieves the same result.

So… if you need to elevate privileges and you are old-school command line people, TRY USING YOUR MOUSE: right-click the program icon, choose Run as administrator, supply Administrator credentials if prompted, and get back to work.

I guess with Vista, that little cheese-eating, string-tailed input device is really getting the VIP treatment. Alas for my command windows. To read more, visit this excellent article (with pictures!): Administrative Privileges in Vista.
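To script the elevation step the article describes (an added example, not code from the original post): it checks whether the current PowerShell session already holds a full administrator token, and if not relaunches itself through the same Run as administrator verb the mouse uses, which raises the UAC prompt that a plain runas window never gets. It assumes Windows Vista or later with PowerShell installed; the ipconfig commands at the end are the ones the post lists.

```powershell
# Added example, not code from the original post. Checks whether this
# PowerShell session holds the full (elevated) administrator token that UAC
# withholds from a plain "runas" window, and if not relaunches itself through
# the "Run as administrator" verb before running the ipconfig commands.
# Assumes Windows Vista or later with PowerShell installed.
function Test-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # With UAC on, an administrator's normal session carries a filtered token
    # in which the Administrators group is marked deny-only, so IsInRole
    # returns $false until the process has actually been elevated.
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-Elevated)) {
    $self = $MyInvocation.MyCommand.Path
    Write-Host "Not elevated; requesting elevation through the RunAs verb..."
    # -Verb RunAs is the scripted equivalent of right-click > Run as administrator
    # and raises the UAC consent prompt. 'runas /user:Administrator' would only
    # open another filtered token and ipconfig /release would still fail.
    Start-Process -FilePath 'powershell.exe' `
        -ArgumentList @('-NoProfile', '-File', "`"$self`"") `
        -Verb RunAs
    exit
}

# Elevated from here on: the operations that fail with
# "The requested operation requires elevation" in an ordinary window.
ipconfig /release
ipconfig /renew
ipconfig /flushdns
```

Running whoami /groups in the elevated window shows the difference directly: the Administrators group is listed as an enabled group rather than "Group used for deny only".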

BTW… if this article is more of a headache then a help, and you’re looking for some relief, contact WIGITAL, that’s our company. We’re technology people and we do this stuff every day :) .

Oh… and (personal opinion): overall, be thankful for these little inconveniences. They are keeping our networks “a little bit more secure” and our personal info “a little bit more our own”. Cheers


Vista SP1 Release Candidate – RC1

Windows Vista has been running on my laptop in one way or another since Beta. After some time of using Vista on a day to day and task to task basis, I have hoped for performance gains, less CPU usage, less memory usage and wondered about what new features Microsoft would include in RC1. As of early December, Service Pack 1 (Release Candidate) is available:

Be sure to read the documentation included with the download info. Installing Service Pack 1 requires multiple steps and preparing your system by installing additional downloads prior to the Vista SP1 package. Please read the Windows Vista Service Pack 1 Before You Install.doc. Potential required preparations include:

  • KB935509
  • KB938371
  • KB937287

To understand more about Service Pack one, review these articles:

Personally, "I am pleased with the RC installation of Service Pack 1 at this point."

When Vista was first released, I had the typical experience with a major OS release of learning where to find the familiar tools and utilities. The heritage of Windows was there, but digging was necessary to find the stuff you use on a regular basis. What did not take any digging to discover was the bloat and lag associated with the user experience. A long wait for something great to happen was common. To be totally transparent, the user experience was frustrating for me, and the reason was that the processes and services churning away under the hood needed to be tuned up. Running Performance and Reliability Monitor (perfmon.exe) or Task Manager (taskmgmt.msc) trying to discover why system resources were so beleaguered by Vista led to various articles on the net. Fortunately, three processes in particular appear to be much improved:

  • TrustedInstaller.exe
  • MsMpEng.exe
  • slsvc.exe

Vista SP1 has finally made the simplest of user experiences (opening programs, closing programs, shutting down or hibernating) more like it should be.

The final version of Service Pack 1 will release around 2008-03-01. I encourage users to install it. RC1 of the Service Pack has dropped my CPU usage during inactivity (a metric that unbelievably could hover between 40-70% with Vista) down to less than 10% and often around 4%. Obviously this is a huge improvement. Memory usage is still high, so I suggest that anyone using Vista buy 2 gigs of RAM for their machine and/or upgrade to 2 GB if you can.

I will be attending the 2008 product launch (2008-02-27/28) for Windows Server 2008, SQL Server 2008 and Visual Studio 2008 in Los Angeles this year. It is this event that should truly herald the current 6.0 and 6.1 builds of the Microsoft operating system (this includes Vista). Since Vista SP1 has been developed in lock step with the development and release of Windows Server 2008, the Windows Server release is the date when you can plan on installing Vista SP1 on your computers. Windows Update can handle that for you.

As of today, Windows Vista SP1 gets 5 stars for improvement in performance. New features are minimal but the SP1 should help existing users of old hardware and corporate upgrade installations finally make the jump. Enjoy the improvements.

No Comments

Windows Vista SP1

With the release of Windows Server 2008 coming officially in February of 2008, it seems pertinent to begin application testing with Windows Vista Service Pack 1. (Note: Windows Vista SP1 final bits will most likely release with WS2008 release).

The first step is to install Vista SP1.

Here are some useful links:

Windows Vista Service Pack 1 (SP1) Release Candidate
http://technet.microsoft.com/en-us/windowsvista/bb738089.aspx

Microsoft Application Compatibility Toolkit 5.0
http://technet.microsoft.com/en-us/windowsvista/aa905102.aspx

Happy New Year :)


Vista Help and Support cannot download

Help and Support – Internet Explorer cannot download from Windows when Dreamweaver is the default XML editor

Adobe: KB400789
Microsoft:  KB937491

“for the fluff” …. read on:

Every once in a while I become amazed at how core OS features are affected by the use of applications on a computer. Today is one of those days.

Software

  • Windows Vista Business Edition
  • Macromedia Dreamweaver 8 (specifically 8.0.2)
  • Help and Support component of Windows Vista

Help and Support is not a feature of Windows that I use every day. Having first become familiar with Windows in the early 90's, I have found online articles, and specifically the Microsoft website (i.e. TechNet, Support, Knowledge Base), to be a far better place both to learn what Windows does and to troubleshoot Windows.

In Windows Vista however (and soon Windows Server 2008), it is apparent that Microsoft has made a considerable effort to make Help and Support a place a user would want to go "locally" to learn more about Windows.

Today I launched Help and Support and found (with bitten lip and rising blood pressure) that I could not update my local Help and Support on Windows Vista. Why?

(why 1) Adobe: KB400789
(why 1a) Microsoft: KB937491

Ironically my journey for a solution (i.e. a Google search) to KB937491 sort of reinforces why I ever searched the web for help in the first place. Look out registry, here we come. :)

Oh yeah… the reason I currently have Dreamweaver set as the default editor for XML files: for lightweight stuff I prefer the colors :) – kind of the same reason I choose a favorite football team – NOT!


Messenger fails to connect in Windows Vista

Windows Live Messenger fails to connect in Windows Vista

Quoting: http://michitsch.spaces.live.com/blog/cns!24F6FD85048B600D!107.entry

Michitsch

And here is a solution that worked perfectly for me, and several of my clients.

Drop to a command prompt and run: netsh interface tcp set global autotuninglevel=disabled

If the command returns this response, "Set global command failed on IPv4 The requested operation requires elevation", then you need to do this: Click start (windows symbol), Accessories, right click on "Command Prompt", then choose "Run as Administrator", then try the netsh command (above) again.

Because this command failed when I was logged on as Administrator, I say again…

If the command returns this response, "Set global command failed on IPv4 The requested operation requires elevation", then you need to do this: Click start (windows symbol), Accessories, right click on "Command Prompt", then choose "Run as Administrator", then try the netsh command (above) again.

EXPLANATION:

The Microsoft Windows Vista OS enables the TCP Window Scaling option by default (previous Windows OSes had this option disabled). The TCP Window Scaling option is described in RFC 1323 (TCP Extensions for High Performance), and allows the device to advertise a receive window larger than the 65 K that TCP originally specified. This is useful in the higher speed networks of today, where more data can be outstanding on the wire before it is acknowledged. This slow performance, or dropped TCP connections, is caused by some versions of Cisco IOS® Firewall software not supporting the TCP Window Scaling option. This causes it to have a much smaller TCP window than the endpoints actually have. This causes the Cisco IOS router that runs the IOS Firewall feature set to drop packets that it believes are outside the TCP window, but which really are not.

So, through many firewalls, many protocols fall apart.
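The mechanism the quoted explanation describes, modelled as an added PowerShell example that is not part of the original post: the same segment is judged against the scaled window by the endpoints and against the raw 16-bit window field by a scaling-blind firewall. The sequence numbers and window values are constructed; the scale factor of 8 is what Vista's default (normal) auto-tuning level negotiates.

```powershell
# Added example, not part of the quoted post. Models why a firewall that
# ignores the RFC 1323 window scale option drops valid segments: it judges
# them against the raw 16-bit window field, while the endpoints use the
# scaled window. Values are constructed; Vista's default auto-tuning level
# negotiates a shift of 8 (a receive window of up to 16 MB).
function Get-EffectiveWindow {
    param([long]$Advertised, [int]$Shift, [bool]$ScalingUnderstood)
    if ($Advertised -lt 0 -or $Advertised -gt 65535) { throw "window field is 16 bits" }
    if ($Shift -lt 0 -or $Shift -gt 14) { throw "RFC 1323 limits the shift count to 14" }
    # Scaling is negotiated once in the SYN; an observer that did not record
    # (or does not understand) the option sees only the unscaled field.
    if ($ScalingUnderstood) { return $Advertised * [long][math]::Pow(2, $Shift) }
    return $Advertised
}

function Test-InWindow {
    param([long]$Seq, [long]$Ack, [long]$Window)
    # TCP sequence space is 32-bit modular: a segment is acceptable when its
    # first byte lies in [Ack, Ack + Window).
    $offset = ($Seq - $Ack) -band 0xFFFFFFFF
    return ($offset -lt $Window)
}

function Compare-WindowView {
    param([long]$Seq, [long]$Ack, [long]$Advertised, [int]$Shift)
    $endpointWindow = Get-EffectiveWindow $Advertised $Shift $true
    $firewallWindow = Get-EffectiveWindow $Advertised $Shift $false
    New-Object PSObject -Property @{
        Seq             = $Seq
        EndpointWindow  = $endpointWindow
        FirewallWindow  = $firewallWindow
        EndpointAccepts = Test-InWindow $Seq $Ack $endpointWindow
        FirewallAccepts = Test-InWindow $Seq $Ack $firewallWindow
    }
}

# Constructed connection: the receiver advertises 65535 with shift 8, so the
# real window is 16776960 bytes. A segment 1000 bytes past the ACK point is
# fine for everyone; one 100000 bytes past it is valid to the endpoints but
# "out of window" to a firewall that never applied the scale factor.
$ack = 1000000
Compare-WindowView -Seq ($ack + 1000)   -Ack $ack -Advertised 65535 -Shift 8
Compare-WindowView -Seq ($ack + 100000) -Ack $ack -Advertised 65535 -Shift 8
```

Disabling auto-tuning removes the option from every connection on the host, so where the firewall in the path can be updated to support window scaling that is the less costly fix.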


Protocols and Ports in Windows – Domain Category

The following table and list describe services grouped into the Domain category by Microsoft in their latest Windows Operating System release. This set of headings, descriptions and images is taken from the Windows Firewall with Advanced Security settings in the Windows Vista client operating system.

Please use this reference for clarifying exactly which protocols and ports should be considered in "internal" firewall and security policies.

With Windows Vista and Longhorn, there is a strong emphasis on moving toward IPv6 architecture. Please note the many IPv6 entries in the Domain category for Vista client computing.

DESCRIPTION | PROTOCOL TYPE | PROTOCOL # | LOCAL PORT | REMOTE PORT | NOTE
Core Networking – Destination Unreachable (ICMPv6-In) | ICMPv6 | 58 | | |
Core Networking – Destination Unreachable Fragmentation Needed (ICMPv4-In) | ICMPv4 | 1 | | |
Core Networking – Dynamic Host Configuration Protocol (DHCP-In) | UDP | 17 | UDP 68 | UDP 67 |
Core Networking – Internet Group Management Protocol (IGMP-In) | IGMP | 2 | | |
Core Networking – IPv6 (IPv6-In) | IPv6 | 41 | | |
Core Networking – Multicast Listener Done (ICMPv6-In) | ICMPv6 | 58 | | |
Core Networking – Multicast Listener Query (ICMPv6-In) | ICMPv6 | 58 | | |
Core Networking – Multicast Listener Report (ICMPv6-In) | ICMPv6 | 58 | | |
Core Networking – Multicast Listener Report v2 (ICMPv6-In) | ICMPv6 | 58 | | |
Core Networking – Neighbor Discovery Advertisement (ICMPv6-In) | ICMPv6 | 58 | | |
Core Networking – Neighbor Discovery Solicitation (ICMPv6-In) | ICMPv6 | 58 | | |
Core Networking – Packet Too Big (ICMPv6-In) | ICMPv6 | 58 | | |
Core Networking – Parameter Problem (ICMPv6-In) | ICMPv6 | 58 | | |
Core Networking – Router Advertisement (ICMPv6-In) | ICMPv6 | 58 | | |
Core Networking – Teredo (UDP-In) | UDP | 17 | | | Edge traversal
Core Networking – Time Exceeded (ICMPv6-In) | ICMPv6 | 58 | | |
Internet Connection Sharing (DHCP Server-In) | UDP | 17 | UDP 67 | |
Internet Connection Sharing (DHCPv4-In) | UDP | 17 | UDP 68 | |
Internet Connection Sharing (DHCPv6-In) | UDP | 17 | UDP 547 | |
Internet Connection Sharing (DNS Server-In) | UDP | 17 | UDP 53 | |
Internet Connection Sharing (Router Solicitation-In) | ICMPv6 | 58 | | |
Internet Connection Sharing (SSDP-In) | UDP | 17 | UDP 1900 | |
Internet Connection Sharing (UPnP-In) | TCP | 6 | TCP 2869 | |
Windows Live Messenger 8.1 (program rule) | | | | | Allow this program through the firewall if needed

Core Networking – Destination Unreachable (ICMPv6-In)

Destination Unreachable error messages are sent from any node that a packet traverses which is unable to forward the packet for any reason except congestion.

PROTOCOL TYPE = ICMPv6, PROTOCOL # = 58

Core Networking – Destination Unreachable Fragmentation Needed (ICMPv4-In)

Destination Unreachable Fragmentation Needed error messages are sent from any node that a packet traverses which is unable to forward the packet because fragmentation was needed and the don't fragment bit was set.

PROTOCOL TYPE = ICMPv4, PROTOCOL # = 1

Core Networking – Dynamic Host Configuration Protocol (DHCP-In)

Allows DHCP (Dynamic Host Configuration Protocol) messages for stateful auto-configuration.

PROTOCOL TYPE = UDP, PROTOCOL # = 17

Local Port = UDP 68, Remote Port = UDP 67

Core Networking – Internet Group Management Protocol (IGMP-In)

IGMP messages are sent and received by nodes to create, join and depart multicast groups.

PROTOCOL TYPE = IGMP, PROTOCOL # = 2

Core Networking – IPv6 (IPv6-In)

Inbound rule required to permit IPv6 traffic for ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) and 6to4 tunneling services.

PROTOCOL TYPE = IPv6, PROTOCOL # = 41

Core Networking – Multicast Listener Done (ICMPv6-In)

Multicast Listener Done messages inform local routers that there are no longer any members remaining for a specific multicast address on the subnet.

PROTOCOL TYPE = ICMPv6, PROTOCOL # = 58

Core Networking – Multicast Listener Query (ICMPv6-In)

An IPv6 multicast-capable router uses the Multicast Listener Query message to query a link for multicast group membership.

PROTOCOL TYPE = ICMPv6, PROTOCOL # = 58

Core Networking – Multicast Listener Report (ICMPv6-In)

The Multicast Listener Report message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.

PROTOCOL TYPE = ICMPv6, PROTOCOL # = 58

Core Networking – Multicast Listener Report v2 (ICMPv6-In)

The Multicast Listener Report v2 message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.

PROTOCOL TYPE = ICMPv6, PROTOCOL # = 58

Core Networking – Neighbor Discovery Advertisement (ICMPv6-In)

Neighbor Discovery Advertisement messages are sent by nodes to notify other nodes of link-layer address changes or in response to a Neighbor Discovery Solicitation request.

PROTOCOL TYPE = ICMPv6, PROTOCOL # = 58

Core Networking – Neighbor Discovery Solicitation (ICMPv6-In)

Neighbor Discovery Solicitations are sent by nodes to discover the link-layer address of another on-link IPv6 node.

PROTOCOL TYPE = ICMPv6, PROTOCOL # = 58

Core Networking – Packet Too Big (ICMPv6-In)

Packet Too Big error messages are sent from any node that a packet traverses which is unable to forward the packet because the packet is too large for the next link.

PROTOCOL TYPE = ICMPv6, PROTOCOL # = 58

Core Networking – Parameter Problem (ICMPv6-In)

Parameter Problem error messages are sent by nodes as a result of incorrectly generated packets.

PROTOCOL TYPE = ICMPv6, PROTOCOL # = 58

Core Networking – Router Advertisement (ICMPv6-In)

Router Advertisements are sent by routers to other nodes for stateless auto-configuration.

PROTOCOL TYPE = ICMPv6, PROTOCOL # = 58

Core Networking – Teredo (UDP-In)

Inbound UDP rule to allow Teredo edge traversal, a technology that provides address assignment and automatic tunneling for unicast IPv6 traffic when an IPv6/IPv4 host is located behind an IPv4 network address translator.

PROTOCOL TYPE = UDP, PROTOCOL # = 17

Specific Ports – Edge Traversal

Core Networking – Time Exceeded (ICMPv6-In)

Time Exceeded error messages are generated from any node that a packet traverses if the Hop Limit value is decremented to zero at any point on the path.

PROTOCOL TYPE = ICMPv6, PROTOCOL # = 58

Internet Connection Sharing (DHCP Server-In)

Inbound rule for Internet Connection Sharing to allow use of the IPv4 DHCP Server. [UDP 67]

PROTOCOL TYPE = UDP, PROTOCOL # = 17

Local Port = UDP 67

Internet Connection Sharing (DHCPv4-In)

Inbound rule for Internet Connection Sharing to allow use of the IPv4 DHCP Server. [UDP 68]

PROTOCOL TYPE = UDP, PROTOCOL # = 17

Local Port = UDP 68

Internet Connection Sharing (DHCPv6-In)

Inbound rule for Internet Connection Sharing to allow use of the IPv6 DHCP Server. [UDP 547]

PROTOCOL TYPE = UDP, PROTOCOL # = 17

Local Port = UDP 547

Internet Connection Sharing (DNS Server-In)

Inbound rule for Internet Connection Sharing to allow use of the DNS Server. [UDP 53]

PROTOCOL TYPE = UDP, PROTOCOL # = 17

Local Port = UDP 53

Internet Connection Sharing (Router Solicitation-In)

Router Solicitation messages are sent by nodes seeking routers to provide stateless auto-configuration.

PROTOCOL TYPE = ICMPv6, PROTOCOL # = 58

Internet Connection Sharing (SSDP-In)

Inbound rule for Internet Connection Sharing to allow use of the Simple Service Discovery Protocol. [UDP 1900]

PROTOCOL TYPE = UDP, PROTOCOL # = 17

Local Port = UDP 1900

Internet Connection Sharing (UPnP-In)

Inbound rule for Internet Connection Sharing to allow use of Universal Plug and Play. [TCP 2869]

PROTOCOL TYPE = TCP, PROTOCOL # = 6

Local Port = TCP 2869

Windows Live Messenger 8.1

Allow this program through the firewall if needed.

Windows Live Messenger 8.1 (SSDP-In)

Allow this program through the firewall if needed.

Windows Live Messenger 8.1 (UPnP-In)

Allow this program through the firewall if needed.
