application compatibility final
Post on 02-Nov-2014
618 Views
Preview:
DESCRIPTION
TRANSCRIPT
Everything You Want to Know About Application Compatibility But Were Afraid to Ask
Harold Wong
blogs.technet.com/haroldwong
TechNet goes virtual
Click to edit Master title style
TechNet goes virtual
How much is this app compat thing going to cost me?
Should I just stay on Windows XP?
Why did you break half of my software?
Why cant my company afford a chair for me?
Can I just stroke a check and have this problem go away?
Doesnt App-V just fix it all for me?
All I need to do is run ACT long enough, and its fixed, right?
No, seriously, can I have a chair, please?
The MED-V brochure said just virtualize it all and migrate.
The tool brochure said it fixes 90% of the problems.
The Internets said to just turn off UAC.
Listen, Im not talking about App Compat until I get a chair.
Click to edit Master title style
TechNet goes virtual
2
http://www.microsoft.com/technet
ITPROSRV-202
App-V
Beyond Trust
ACT 5.5
Win XP Mode
ACF Partners
MED-V
AppDNA
ChangeBase
Shims
Disable UAC
There Are No Silver Bullets
Click to edit Master title style
TechNet goes virtual
3
http://www.microsoft.com/technet
ITPROSRV-202
Session Objectives and Takeaways
Session Objectives:
Understand that app compat isnt easy
Understand that app compat is not impossible
Key Takeaway:
Chris home number is a 900 number. Check the bathroom wall for details.
Click to edit Master title style
TechNet goes virtual
4
2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
9/15/2010
http://www.microsoft.com/technet
ITPROSRV-202
Things I Heard on the Internets About
Were going to be speaking mainly the truth today
but well also be confronting some mistruths along the way
Mistruths and misconceptions will be identified with the headingThings I Heard on the Internet About:
For those who are not familiar with The Internets, its a series of tubes
Click to edit Master title style
TechNet goes virtual
Why Is App-Compat Hard?
It never used to be this hard!
Backward-compatibility used to win
Shell Folders
p:\\products\public
CON, PRN, NUL
Starting with XP SP2, not anymore
Customers demanded better security
Vista was the first major desktop OS release after TWC memo
Starting with Windows 7, were winning again
Click to edit Master title style
TechNet goes virtual
6
http://www.microsoft.com/technet
ITPROSRV-202
How Do I Run an App-Compat Project?
Planning, Planning, Planning!!!
Click to edit Master title style
TechNet goes virtual
Automated Analysis Assessment
start
end
ACT Inventory
Rationalize
Install Manual Test
Ready to Deploy
Remediate
InitialBudget
Refine Budget
Refine Budget
App Install Green?
Runtime
Manual Test
User
Manual Test
Detailed Automated Analysis
Yes
No
App Run Green?
Yes
No
App Compat Project Plan
Click to edit Master title style
TechNet goes virtual
8
http://www.microsoft.com/technet
ITPROSRV-202
Planning an App Compat Project
TechNet Magazine
June 2009
Articles by:
Chris Jackson and Chris Corio
http://technet.microsoft.com/en-us/magazine/dd799202.aspx
Click to edit Master title style
TechNet goes virtual
9
http://www.microsoft.com/technet
ITPROSRV-202
What Breaks in Windows 7?
features
Click to edit Master title style
TechNet goes virtual
10
Tech Ed North America 2010
9/15/2010 4:26 PM
2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
http://www.microsoft.com/technet
ITPROSRV-202
Some things that had to changeMicrosoft Agent had to go
Productivity killer
Users hypnotized by agents antics
More popular than YouTube
Made computers too easy to use
Killed market for instructional videos
The single biggest app-compat hit, ever
Click to edit Master title style
TechNet goes virtual
11
http://www.microsoft.com/technet
ITPROSRV-202
Nobody uses the Agent control!Do they?
Actual screenshot from a real customer engagement.
No consultants were (seriously) harmed in the capture of this screenshot.
Click to edit Master title style
TechNet goes virtual
12
http://www.microsoft.com/technet
ITPROSRV-202
Some things that had to changeEveryone runs as standard user
The infamous User Account Control
Even admins run as standard user
The single biggest app-compat hit, ever
Click to edit Master title style
TechNet goes virtual
13
http://www.microsoft.com/technet
ITPROSRV-202
Things I Heard on the Internet About: User Account Control
UAC is
Windows asking me Are you sure? over and over and over again
A useless pain in the @$$
Stupid, and smart people disable it
Especially smart developers
UAC breaks everything
Its OK to say, We recommend turning off UAC to run this software.
Wrong!
Click to edit Master title style
TechNet goes virtual
14
http://www.microsoft.com/technet
ITPROSRV-202
The Truth About UAC
The first step toward Standard User
Required to improve security and TCO
Suite of technologies to fix stuff, not break it
Running as standard user breaks stuff
Thats why no one did it before UAC!
Admin-Approval Mode enables legit admins to run as standard user
And then perform admin actions using the same account
Your end users shouldnt be admins to begin with
And cant approve elevation prompts
Disabling UAC turns off IE Protected Mode
Click to edit Master title style
TechNet goes virtual
15
http://www.microsoft.com/technet
ITPROSRV-202
We break we fixUACs file and registry virtualization
Redirects access attempts from protected areas to non-roaming parts of user profile
Not related to App-Vs bubble
This is per-user, not per-application
Click to edit Master title style
TechNet goes virtual
16
http://www.microsoft.com/technet
ITPROSRV-202
Virtual overloadIts the new .NET!
Virtual memory
Virtual address space
Virtual communities
NT Virtual DOS Machine (NTVDM)
Java Virtual Machine (JVM)
MS Visual Basic Virtual Machine (MSVBVM)
Virtual processors (hyperthreading)
Virtual reality
Virtual teams
Virtual private network (VPN)
UAC file and registry virtualization
Application virtualization
Machine virtualization (Virtual PC, Virtual Server, Hyper-V)
Virtual Earth
MS Enterprise Desktop Virtualization (MED-V)
Virtual pets
Virtual Desktop Infrastructure (VDI)
virtual keyword (C++, C#)
Virtual directory (IIS)
Virtual device driver (VxD obsolete!)
Click to edit Master title style
TechNet goes virtual
17
http://www.microsoft.com/technet
ITPROSRV-202
We break we fixUACs file and registry virtualization
Redirects access attempts from protected areas to non-roaming parts of user profile
Transparent to the app
Fixes many permissions-related issues
Does not apply to all apps or all file types
New in Win7: Writing to root of C:\ redirects
Click to edit Master title style
TechNet goes virtual
18
http://www.microsoft.com/technet
ITPROSRV-202
Things I Heard on the Internet about:Internet Explorer 8 Standards Compliance
IE8 breaks the web and makes little girls cry
If your site works on IE6, but breaks on IE8, the fix is easy use Firefox!
Wrong!
Click to edit Master title style
TechNet goes virtual
19
http://www.microsoft.com/technet
ITPROSRV-202
Some things that had to changeInternet Explorer 8 Standards Compliance
Meets customer demand, good for the web
App compat > 80%
Compatibility View is extremely helpful
On by default for Intranet
Quirks mode also helpful, but no admin UI!
Many tools available for troubleshooting
Fixes either super easy or require devs
Hardest problem: server apps for IE6 only
E.g., Oracle, SAP
MED-V a great solution
Click to edit Master title style
TechNet goes virtual
20
http://www.microsoft.com/technet
ITPROSRV-202
Things I Heard on the Internet About:Internet Explorer Protected Mode
Almost like running a secure browser!
Like Safari!
More Microsoft security theater
Breaks all my Java
Breaks all my ActiveX controls
Wrong!
Click to edit Master title style
TechNet goes virtual
21
http://www.microsoft.com/technet
ITPROSRV-202
Some things that had to changeInternet Explorer Protected Mode
IEPM has protected you from exploits
if you left UAC enabled
With IE8, off by default for Intranet zone
May need to configure to recognize Intranet
External sites can be added to Trusted Sites
E.g., sites that require Java
Other products like the idea!
Google Chrome
Office 2010
Click to edit Master title style
TechNet goes virtual
22
http://www.microsoft.com/technet
ITPROSRV-202
Things I Heard on the Internet About:Windows version number changed
No earthly reason for doing that!
Couldnt possibly cause any problems!
Windows 7 is version 7.0, right?
No, Windows 7 is version 6.1 because its just a minor upgrade, and therefore probably should be free so go ahead and steal it
Wrong!
Click to edit Master title style
TechNet goes virtual
23
http://www.microsoft.com/technet
ITPROSRV-202
Some things that just changedWindows version number changed
The most common bugs we find
Making it 6.1 keeps more apps working!
Version lie shims are easy to apply
And now easier to lie to MSIs
Still dont think it can be that common?
Click to edit Master title style
TechNet goes virtual
24
http://www.microsoft.com/technet
ITPROSRV-202
Check the Windows version!
// This program requires WinXP or newer.
// Windows XP is version 5.1
// This is easy!
If Not (vMajor >= 5 AND vMinor >= 1) Then
{
DisplayMessage(This program requires Windows XP or newer);
LayDownAndDie;
}
Win7 as Windows 7.0?
vMajor: 7 >= 5
vMinor: 0 >= 1? Crap!
Vista is Windows 6.0:
vMajor: 6 >= 5
vMinor: 0 >= 1? Oops!
Win7 as Windows 6.1?
vMajor: 6 >= 5
vMinor: 1 >= 1! It works!
Click to edit Master title style
TechNet goes virtual
25
http://www.microsoft.com/technet
ITPROSRV-202
More things that just changedFolder locations
We moved the profiles again!
Myth: We did this for no good reason
Truth: There was probably a good reason
And we changed where files need to go!
Myth: No guidance about where to put stuff
Truth: Well, yeah, but were fixing that
Myth: Everything breaks, apps actually cry
Truth 1: Correctly-written apps still work
Truth 2: Junctions fix many bad apps
Click to edit Master title style
TechNet goes virtual
26
http://www.microsoft.com/technet
ITPROSRV-202
Directory Junctions
Some support for old folder names
Can traverse, but cannot list
Can directly access files through old names
Cannot list contents of these junctions
Click to edit Master title style
TechNet goes virtual
27
http://www.microsoft.com/technet
ITPROSRV-202
Where Should I Store Files?
Per-User FilesLocation (Symbolic Constant and Examples)Visible to user in ExplorerWindows 7 example:Windows XP equivalent:FOLDERID_Documents / CSIDL_MYDOCUMENTSC:\Users\username\DocumentsC:\Documents and Settings\username\My DocumentsHidden from user, LocalWindows 7 example:Windows XP equivalent:FOLDERID_LocalAppData / CSIDL_LOCAL_APPDATAC:\Users\username\AppData\LocalC:\Documents and Settings\username\Local Settings\Application Data Hidden from user, RoamingWindows 7 example:Windows XP equivalent:FOLDERID_RoamingAppData / CSIDL_APPDATAC:\Users\username\AppData\RoamingC:\Documents and Settings\username\Application DataShared FilesLocation (Symbolic Constant and Examples)Visible to user in ExplorerWindows 7 example:Windows XP equivalent:FOLDERID_PublicDocuments / CSIDL_COMMON_DOCUMENTSC:\Users\Public\DocumentsC:\Documents and Settings\All Users\DocumentsHidden from user, LocalWindows 7 example:Windows XP equivalent:FOLDERID_ProgramData / CSIDL_COMMON_APPDATAC:\ProgramDataC:\Documents and Settings\All Users\Application DataClick to edit Master title style
TechNet goes virtual
28
http://www.microsoft.com/technet
ITPROSRV-202
More things that just changedDefault color scheme
Question:
What happens when a VB6 dev modernizes the dialog background using the first white color he/she finds (Active Title Bar Text)?
Click to edit Master title style
TechNet goes virtual
29
http://www.microsoft.com/technet
ITPROSRV-202
More things that just changedDefault color scheme
Occasional mistake by VB6 devs
Easy to fix (if you have the source)
.NET WinForms made themes easy to use
Oops: everyone tested only on Luna
Fortunately, we have FakeLunaTheme shim
Note: apps that work only with one theme probably violate accessibility laws
You WILL go to jail!
Push back if developer or vendor insists on Windows Classic Theme
Click to edit Master title style
TechNet goes virtual
30
http://www.microsoft.com/technet
ITPROSRV-202
How Good are the Tools to Find Problems?
tools
Click to edit Master title style
TechNet goes virtual
31
Tech Ed North America 2010
9/15/2010 4:26 PM
2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
http://www.microsoft.com/technet
ITPROSRV-202
Things I Heard on the Internet About:Application Compatibility Toolkit
Its all you need for app compat!
It must be! Look at the name!
If ACT hasnt found all of your issues, you just havent run it long enough
We compete directly with the static analysis tools venders, and its critical that we WIN!
Wrong!
Click to edit Master title style
TechNet goes virtual
32
http://www.microsoft.com/technet
ITPROSRV-202
Application Compatibility Toolkit
Great at inventory
Some agent data can be useful
at the right time
Standard User Analyzer makes folks happy
(LUA Buglight makes engineers happy)
IE Compatibility Test Tool makes some AJAX devs happy
Setup Analysis Tool makes very few people happy
Compatibility Administrator makes people with a lot of free time happy
Click to edit Master title style
TechNet goes virtual
33
http://www.microsoft.com/technet
ITPROSRV-202
Automated Analysis Assessment
start
end
ACT Inventory
Rationalize
Install Manual Test
Ready to Deploy
Remediate
InitialBudget
Refine Budget
Refine Budget
App Install Green?
Runtime
Manual Test
User
Manual Test
Detailed Automated Analysis
Yes
No
App Run Green?
Yes
No
ACT & App Compat Project Plan
Click to edit Master title style
TechNet goes virtual
34
http://www.microsoft.com/technet
ITPROSRV-202
Things I Heard on the Internet About:Static Analysis
Finds and fixes 95% of all problems with all software ever made by anyone anywhere!
Humans are no longer a necessary part of the process
Static analysis is expensive and not worth the money unless it does all of the above
Wrong!
Click to edit Master title style
TechNet goes virtual
35
http://www.microsoft.com/technet
ITPROSRV-202
Static Analysis Reality
These tools average 90 95% at telling you if the app as a whole will work
False green the primary accuracy issue
Will not detect every issue
More impact on setup, less on runtime
Complementary to ACT
ACT does inventory
ACT does runtime analysis
ACT does no better than chance at predicting application breakage for the app as a whole
Click to edit Master title style
TechNet goes virtual
36
http://www.microsoft.com/technet
ITPROSRV-202
Static Analysis The Ugly
Can be hard to set up and configure
Setup has to follow written instructions or it doesnt work
Failure of any other component typically results in the app crashing or just vanishing
Never, ever use without experienced services accompanying the tools
NOT a substitute for knowledge/training!
Ensure you tune so that Red actually means broken and not could be better in an ideal world
Click to edit Master title style
TechNet goes virtual
37
http://www.microsoft.com/technet
ITPROSRV-202
Static Analysis Value Proposition
Can give you the data you need to start a project with a reasonable budget
Can save millions of dollars in install testing and a percentage reduction in runtime testing
Run the numbers!
Click to edit Master title style
TechNet goes virtual
38
http://www.microsoft.com/technet
ITPROSRV-202
Automated Analysis Assessment
start
end
ACT Inventory
Rationalize
Install Manual Test
Ready to Deploy
Remediate
InitialBudget
Refine Budget
Refine Budget
App Install Green?
Runtime
Manual Test
User
Manual Test
Detailed Automated Analysis
Yes
No
App Run Green?
Yes
No
Static Analysis & App Compat Project Plan
Click to edit Master title style
TechNet goes virtual
39
http://www.microsoft.com/technet
ITPROSRV-202
How Good are the Tools to Fix Problems
tools
Click to edit Master title style
TechNet goes virtual
40
Tech Ed North America 2010
9/15/2010 4:26 PM
2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
http://www.microsoft.com/technet
ITPROSRV-202
Things I Heard on the Internet About:Shims
Shims are scary and unpredictable
Shims reduce the security of the system
Shims are unsupported
Shims fix everything
Shims are useful only in the hands of ShimFreaks
SHIMS is an acronym for ?
Software Happens to Implode Magically Solve?
See How Ive Misdirected Sneakily?
Wrong!
Click to edit Master title style
TechNet goes virtual
41
http://www.microsoft.com/technet
ITPROSRV-202
What Are Shims?
Applied to specific apps
Configured with ACT tools
Deployable to enterprise
Changes what the app thinks it sees
Does not change what app is allowed to do
Click to edit Master title style
TechNet goes virtual
42
http://www.microsoft.com/technet
ITPROSRV-202
What Are Shims Good For?
Great for many kinds of bugs:
Bad Windows version checks
Writing to HKCU at runtime
Unnecessary checks for am I admin?
Writing to WRP-protected keys and files
Windows thinks your app is an installer
Some file/registry redirections
Click to edit Master title style
TechNet goes virtual
43
http://www.microsoft.com/technet
ITPROSRV-202
Shims The Rest of the Story
Some considerations
Not all general purpose shims have the same customer love applied in their creation
The tools are primitive
Shims management not integrated into other management tools (e.g. Group Policy)
You can do a lot with just the Top 10 shims
But to becoming a shim ninja takes time and much practice
Click to edit Master title style
TechNet goes virtual
44
http://www.microsoft.com/technet
ITPROSRV-202
Virtualization
the V word
Click to edit Master title style
TechNet goes virtual
45
Tech Ed North America 2010
9/15/2010 4:26 PM
2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
http://www.microsoft.com/technet
ITPROSRV-202
Things I Heard on the Internet About:Application Virtualization
If you cant fix it with shims, you can just use App-V and sequence it on XP!
App-V fixes app-to-OS bugs
You cant shim App-V applications
Wrong!
Click to edit Master title style
TechNet goes virtual
46
http://www.microsoft.com/technet
ITPROSRV-202
Application Virtualization
Formerly SoftGrid; now part of MDOP
Isolates apps from one another
Does not isolate it from the OS
Side effects (not really advertised):
Apps can write anywhere in the registry
Apps can be allowed to write to specific files in protected locations
Apps actually write to private copies
NOTE: May not be true in future versions of App-V
Yes, you can shim sequenced apps
Click to edit Master title style
TechNet goes virtual
47
http://www.microsoft.com/technet
ITPROSRV-202
Application Virtualization
Lots of goodness beyond app-compat
Licensing, deployment
Key part of larger virtualization vision
Click to edit Master title style
TechNet goes virtual
48
http://www.microsoft.com/technet
ITPROSRV-202
Things I Heard on the Internets About:MED-V
Migrate to Windows 7 today
Put all of your apps in MED-V
No need to worry about app compat!
Wrong!
Click to edit Master title style
TechNet goes virtual
49
http://www.microsoft.com/technet
ITPROSRV-202
What is MED-V?Microsoft Enterprise Desktop Virtualization
Machine virtualization solution
App actually runs on an XP OS
User sees only the app window
Centrally managed
Part of MDOP
Compelling IE6 app compat story
Seamless redirection of the browser
Click to edit Master title style
TechNet goes virtual
50
http://www.microsoft.com/technet
ITPROSRV-202
MED-VMicrosoft Enterprise Desktop Virtualization
Please, use it as a backstop, not as the plan of record
Requires an exit strategy
How and when to lose XP dependency
Once a VM is deployed, it needs to be managed like any physical machine
Makes a great if all else fails strategy
v1 SP1 coming soon; v2 dates not set yet
Neither v1 nor v2 requires Hardware Assisted Virtualization (HAV)
MED-V v2 TAP starting soon! Email medvtap@microsoft.com if you are interested in participating!
Click to edit Master title style
TechNet goes virtual
51
http://www.microsoft.com/technet
ITPROSRV-202
Things I Heard on the Internet About:XP Mode
If the app fails, just run it in XP Mode!
XP Mode fixes everything!
As long as you maintain your Windows 7 host, XP Mode requires no maintenance or anti-malware.
XP Mode will be supported as long as Windows 7.
XP Mode is as safe as Windows 7.
People dont notice when their XP Mode My Documents is different than their Windows 7 My Documents!
XP Mode is a silver bullet! Its magic!
Wrong!
Click to edit Master title style
TechNet goes virtual
52
http://www.microsoft.com/technet
ITPROSRV-202
Things I Heard on the Internet About:How To Use XP Mode
Wrong!
Click to edit Master title style
TechNet goes virtual
53
http://www.microsoft.com/technet
ITPROSRV-202
What is Windows XP Mode?
Windows XP SP3 virtual machine
It is not a mode within Windows 7
Similar to MED-V, without manageability
License included with certain Windows 7 SKUs
Designed only for Small Business market
Install apps in the XP VM; shortcuts in the All Users Start Menu get copied to the host
Click on shortcut in host Start menu, app appears in a window
eventually
Click to edit Master title style
TechNet goes virtual
54
http://www.microsoft.com/technet
ITPROSRV-202
Windows XP Mode the Good
App designed for XP actually runs on XP
Windows 7 deployment not held hostage by one app that resists other compat solutions
What its good for:
Web apps that require IE6
Running 16-bit apps on x64
Some types of desktop apps
Microsoft Agent
Click to edit Master title style
TechNet goes virtual
55
http://www.microsoft.com/technet
ITPROSRV-202
Windows XP ModeThe rest of the story
You must have an explicit exit strategy
XP is out of mainstream support
Extended support ends in 2014
Resource requirements
Need RAM, CPU to support guest VM
Out of the box, requires HAV (hotfix available to support non-HAV)
Management requirements
It is a separate computer
AV, patches, policies, domain not inherited from host
VM is hibernated when not running an app
Click to edit Master title style
TechNet goes virtual
56
http://www.microsoft.com/technet
ITPROSRV-202
Windows XP ModeMore of that story
Apps cant interact with host desktop apps
E.g., app wants to send email
Does not have MED-Vs IE6 redirection
Default XP Mode user is admin
Might conflict with enterprise policies
Click to edit Master title style
TechNet goes virtual
57
http://www.microsoft.com/technet
ITPROSRV-202
Things I Heard on the Internet About:Changing Security
Running as standard user on XP? Youre probably modifying ACLs. Theres nothing wrong with doing that forever
Security settings that break stuff cant be turned off
If I have given the Users group SeBackup, SeRestore, and SeLoadDriver, oh, and write access to Program Files, its OK, because theyre standard users
Wrong!
Click to edit Master title style
TechNet goes virtual
58
http://www.microsoft.com/technet
ITPROSRV-202
Changing Security
Only if other options dont work
Loosen file or registry permissions
Allow interactive user to start/stop a particular service or driver
Disable an IE security feature (e.g. DEP)
Must be done surgically
Least amount of additional privilege on the smallest number of objects
Click to edit Master title style
TechNet goes virtual
59
http://www.microsoft.com/technet
ITPROSRV-202
Changing Security
Benefits:
Results often more predictable than with shims
Drawbacks:
Risk of elevation of privilege
Risk of system instability
Requires threat modeling hard to do right
Click to edit Master title style
TechNet goes virtual
60
http://www.microsoft.com/technet
ITPROSRV-202
Changing SecurityHow some did standard user on XP
ACL loosening scripts
Most required fixes are now automatic
Installing apps to writable folders
Exposes EoP and infection risks
Granting admin-equivalent rights
(What could possibly go wrong?)
We can help
Click to edit Master title style
TechNet goes virtual
61
http://www.microsoft.com/technet
ITPROSRV-202
App doesnt work now what?What are those geeks doing?
Make sure they dont debug what they dont plan to fix (support required)
Layer debugging and remediation
Tier 1: get the repro, run scripted tests of common solutions
Tier 2: leverage tools, configure basic fixes
Tier 3: deep debugging, complex remediation (typically just a few per customer)
Important: efficient handoff between IT Pros and Developers
Click to edit Master title style
TechNet goes virtual
62
http://www.microsoft.com/technet
ITPROSRV-202
Who Is There to Help Me?
Click to edit Master title style
TechNet goes virtual
63
http://www.microsoft.com/technet
ITPROSRV-202
Plan
MCS Desktop Application Compatibility Strategy
Collect
MCS Desktop Application Compatibility Remediation
ACF Engagement
Analyze
MCS Desktop Application Compatibility Remediation
ACF Engagement
Test and Remediate
MCS Desktop Application Compatibility Remediation
ACF Engagement
AE SWAT Workshop
Premiere App Compat for the Enterprise / Developers
CSS CAST
What can you do?
Turn UAC back on
No, really, turn UAC back on
STOP building Microsoft Agent applications!!!
Come on, you just turned UAC back off I saw that!
Click to edit Master title style
TechNet goes virtual
64
http://www.microsoft.com/technet
ITPROSRV-202
What can you do?
Dont seek silver bullets
Make sure youre not writing apps today which will become incompatible
Start thinking about the problem today
Get your developers running your future platform early
Click to edit Master title style
TechNet goes virtual
65
http://www.microsoft.com/technet
ITPROSRV-202
Additional Resources
Application compatibility portal: http://technet.com/appcompat
Find whether apps/hardware are compatible:http://www.microsoft.com/windows/compatibility
Click to edit Master title style
TechNet goes virtual
66
http://www.microsoft.com/technet
ITPROSRV-202
top related