Eric Cherng

There are a lot of blog posts and articles out there on the process of installing Vista on a brand new machine. However most people who actually have existing machines that want to move to Vista will likely upgrade rather than reinstall in order to save all their settings and files. In this post, I will go over my experience of upgrading an existing Windows XP machine to Vista RC2.

The machine I am upgrading is a Thinkpad T60 model 2623-D7U restored back to the original factory state. Yes this means all the junk normally installed on a new PC is all there. Not only that, but I installed a couple of other applications just to see how Vista handles software conflicts. My software includes:

• Firefox 1.5.0.8
• Office 2007 Beta 2 Technical Refresh
• Autohotkey
• foobar2000
• Activesync
• Internet Explorer 7

with some of the existing original factory software:

• Google Desktop
• Symantec Client Security
• Sonic DVD Burning
• Thinkvantage Stuff
• Diskeeper Lite
• Verizon Broadband
• Java 1.4
• Netwaiting
• PC-Doctor 5
• Adobe Reader 7

 

The first thing I did was pop in my RC2 DVD into the drive. Autorun started up immediately and loaded up the setup dialog.

 

If you click the "Check compatibility online" link, it just opens up your browser to this Microsoft site. Nothing special so just click "Install Now".

 

After a few seconds of waiting, I get this dialog to ask if I want to get the latest updates.

 

Once I confirmed the updates, I get the next dialog telling me setup is searching for updates.

 

Of course you have to enter in a key installing anything nowadays.

 

Not to mention agreeing to the EULA.

 

After 5 steps, I'm finally greeted with the meat of the upgrade: easy upgrade or advanced upgrade.

 

Being lazy, I went ahead and let the easy upgrade go. Before upgrading, Vista has to scan for any incompatabilities.

 

Which it does indeed find. The first time, setup told me that the Symantec security client installed is not compatible and that I had to uninstall it before proceeding. After doing that, I had to go through all the previous steps once again to come back to this screen. This time, it provided warnings about incompatibilities, but didn't quit setup.

 

Finally, I arrive at the copy file stage.

 

During this phase, setup will reboot a few times. Up to now, setup has been running on your existing Windows XP operating system. However, once your computer reboots, your computer will now boot into Windows PE setup mode.

Everything after this setup is exactly the same as the fresh installation as I blogged about here.

 

So reactions to my Vista upgrade.

First off, the time it takes to upgrade your operating system is no shorter than a fresh install. In fact I would say it took longer. I have yet to see a 20 minute installation that Vista marketing keeps saying. The only 20 minute setup of an OS that I have seen recently is for Ubuntu.

The setup program for upgrading to Vista versus installing a new Vista OS is nearly identical. The only difference is you don't have a formatting hard drive step. On the other hand, now you have to deal with any incompatabilities that setup might have detected.

Looking at my hard drive after the upgrade, some of the significant folders are gone. For example the notorious Documents and Settings folder is gone from the root. Only a symlink exists there. Instead this folder is now in the new Users folder.

After the upgrade, all of my files and settings were kept intact. Even all the junk applications were still around. The common drivers still worked in Vista except the Sonic Solutions DVD recording driver and the Thinkpad Trackpoint drivers. I don't have a Verizon Broadband account so I wasn't able to test that out. Also if you try to run any of the Thinkvantage software (security, backup, ...) Vista will tell you they are not compatible. Though the fingerprint scan tutorial worked, the fingerprint login was gone.

So now that I've tried the upgrade process with Vista, I still believe a clean install is the way to go for the majority of installations. If you really want to keep your settings around, go for the upgrade. However just remember that the UI for Vista is so different, it won't matter what settings you have in Windows XP. If you are doing an upgrade just because you are too lazy to back up your computer, you are putting a lot of faith that the upgrade won't end in disaster. And finally if you are doing an upgrade because you think your hardware will work better as opposed to a clean install, I can definitely say that is not the case. If the drivers you had for Windows XP works in Vista, you can always install a fresh copy of Vista and install those XP drivers as well. The only advantage of upgrading for this scenario is you don't have to go download the drivers again since they are already installed. 

Therefore, my recommendation is that a clean install of Vista is better than upgrades for the majority of cases. A clean install will not only get rid of all the "junk" on your computer, but it will make sure your new operating system will be performing at its peak without old applications bogging it down.

 

Whenever an application asks you to save a file somewhere, you get a window that looks something like this in Vista:

 

Notice the Favorite Links on the left hand side. This is similar to the Places Bar in the save dialog in Windows 2000/XP:

 

In Windows 2000/XP, it was difficult to customize this list of shortcuts. You would have to hack some registry settings or do it programmatically. Luckily in Vista, they made it much easier to customize this list.

All you have to do is add a shortcut to the C:\Users\[username]\Links folder!

 

I download files frequently, so i usually put them in a Downloads folder. So to make it easier to save files, I added a shortcut to the Downloads folder. Now whenever I need to save a downloaded file, I can click on my new shortcut!

 

This also customizes the Favorite Links in Windows Explorer as well. So when you browse for files on your computer, the shortcut will also appear there!

 

 

In the first part of this article, I discussed how to use the simple Blocked file types feature to provide some basic security protection. Although this feature makes it very simple to provide some security, in the long run it does not provide a complete solution to protecting your servers. In this post, I will focus on SharePoint's second line of defense: built in Antivirus support.

Setup

If you look in Operations, Security Configuration, you can find the Antivirus feature.

 

If you check the Scan options here without actually installing an antivirus program, SharePoint will do nothing. This is a very bad design. Instead of gladly accepting the changes, SharePoint should let the user know that no antivirus application is installed and that these options will not do anything. An unsuspecting SharePoint admin who does not know this behavior will get a false sense of security, leading to big problems down the road.

So what SharePoint actually provides is not built in antivirus scanning, but the support to plugin your own antivirus software. Luckily for us, Microsoft recently released a beta version of the Forefront product line for SharePoint called Forefront Security for SharePoint. You might recognize the Forefront name associated with Exchange server. Now there's a version for SharePoint. This software will not only allow us to scan for viruses using multiple scanning systems, but also scan for malware!

So to actually enable antivirus scanning on your SharePoint server, the first thing you will need to do is install Forefront for SharePoint (or any other antivirus program that supports SharePoint). As you can see, Forefront's setup is really simple:

 

Once you install Forefront, the next thing you want to do is make sure it is configured properly. Use the Forefront Server Security Administrator console to configure Forefront:

 

As you can see, Forefront provides many options so it may seem daunting at first. Still it is a good idea that you review all the options to make sure you didn't miss anything.

And finally, don't forget the last step: once you've installed your antivirus scanning program, in this case Forefront, make sure to enable the scan options in SharePoint to enable scanning.

That's all you'll need to do to setup your server for antivirus protection! Can't get any simpler than this!

 

Scanning

Now let's say you want to manually scan your SharePoint installation. In the Security Administrator console, just go to the Operate section and click on the Quick Scan option. Select the sites you want to scan and hit the Start button.

 

So on Monday, Bob from Sales gets a "contract" document from a potential customer. Being the awesome team player, Bob immediately uploads the file to SharePoint to get feedback from his other team members. Uh-oh... looks like there's something wrong with the file. SharePoint shows this page when a virus is detected with an uploaded file:

 

Note that I did not really upload a virus onto our SharePoint server. My virus is just a "test" virus.

While the benefits of installing an antivirus solution into SharePoint is clear, what tradeoffs exist with having antivirus enabled? After installing Forefront, I noticed the following behavior with SharePoint:

• Forefront takes a significant chunk of memory on the server.
• Downloading files will takes longer.

Hopefully some of these issues is because Forefront is still in beta. Whether these tradeoffs are acceptable or not depends on your organization and your security needs. Personally I feel the need for security and protection against a virus aftermath far outweighs these tradeoffs.

So that's a quick walkthrough of antivirus support with SharePoint, more specifically the Microsoft Forefront product. As you can see, adding antivirus support into SharePoint is fairly simple, and takes security on your server to a whole new level. Combining Blocked file types along with antivirus support provides a comprehensive security protection plan for your SharePoint server to protect against those miscreants out there.

 

Everyone can agree that SharePoint is a great platform to facilitate collaboration amongst team members. One of the main benefits of collaborating using SharePoint is working on documents together with your team. The workflow for collaborating on documents is something like this:

1. Create the document and edit initial draft.
2. Upload to SharePoint document library.
3. Send email to colleagues on document location.
4. Reviewers provide feedback and update the document as needed.

All this is great, but in the world that we live in, security is an important issue to consider, even amongst your team mates. Of course we all trust the people we work with, but sometimes there are just bad apples out there.

In the steps mentioned above, step 2 is where trouble can come in. Once a bad file is uploaded onto SharePoint, unknowing colleagues that download the document will catch the cold and spread the disease. This becomes an even bigger problem if SharePoint is configured for extranet access where people outside of the network without the same security restrictions can upload files.

So ignoring my dramatic example, what facilities does SharePoint provide to help prevent such security breaches? The good news is that SharePoint has 2 built in features that will help with this:

• Blocked file types
• Antivirus

These are 2 broad features, that I will split the discussion of into 2 posts: this post will discuss the Blocked file types while my next post will describe the Antivirus support.

Both of these are configured through the Operations tab in Central Administration.

 

If you click the Blocked file types link, this will bring you to the configuration page where you can edit the list of file types not allowed on your SharePoint server.

 

So what does Blocked file types do? Blocked file types is a simple method of allowing only certain file types to be uploaded onto SharePoint. While this doesn't completely prevent files with viruses from being uploaded, it makes it less likely that a user will unknowingly click on such files and infect his own machine. For example, EXE files are by default a part of the blocked file list and cannot be uploaded directly. SharePoint responds to EXE uploads with the following message:

 

If an EXE file named "2006 Budget.exe" was uploaded onto SharePoint, the company financial officer may not notice the EXE and accidentally click on the file, thus executing the rogue application causing havok on his machine.

However, a malicious user could simple rename the file "2006 Budget.exe.xls", which would bypass SharePoint's file extension check and allow the file to be uploaded. Although the file uploaded is actually an EXE, the file extension is what determines how a file is executed. So instead of running the EXE directly, Excel will attempt to open the file and thankfully fail since it is not a recognized format.

 

Still, having an EXE on your server is not something IT will like. Who knows, the next day, someone may find an exploit within SharePoint that lets any process to run. When that day comes, you don't want to be around!

So as you can see, Blocked file types allows for a simple way to mitigate some the risk of uploading rogue files. As I mentioned, even though the risk is somewhat less, rogue files can still be uploaded onto the server. If some other server-side security hole is found, the rogue file on the server can potentially cause problems on the server, leading to even more security problems and potentially loss of data. That is how the other security feature of SharePoint comes into play which I will elaborate more on in the second part of this post.