Using debugging mode
Debugging mode is an option where Windows boots a special version of itself called the kernel debugger. A developer can use this mode to troubleshoot errant code either locally (when the system is generally working) or from a remote location. Unlike Remote Desktop or other methods of connecting remotely, debugging mode requires a serial connection, normally using COM2. Disabling the automatic restart on system failure Windows is set up to restart automatically during a major system failure. This behavior makes it possible to recover from a major failure without having to perform a hard boot (essentially pulling the plug or pressing the Reset button on the front of the system), which can cause damage to your hard drive. There are two problems with this feature:
✦ Windows can reboot before you can record all the information you need about the major failure.
✦ Some viruses rely on the reboot feature and can actually prevent you from using the server by causing the server to constantly crash
Disabling driver signature enforcement
Many of the virus, adware, security, and crash problems with Windows occur when someone installs a driver of dubious origin. The driver supposedly provides some special feature for Windows but in reality makes Windows unstable and can open doors for people of ill intent who want your system for themselves. Of course, Microsoft’s solution is to lock down Windows so that you can use only signed drivers. A signed driver is one in which the driver creator uses a special digital signature to “sign” the driver software. You can examine this signature (as can Windows) to ensure that the driver is legitimate.
Windows 2008 doesn’t load a driver that the vendor hasn’t signed. Unfortunately, you’ll find more unsigned than signed drivers on the market right now. Vendors haven’t signed their drivers, for the most part, because the process is incredibly expensive and difficult. Many vendors see the new Windows 2008 feature as Microsoft’s method of forcing them to spend money on something that they dispute as having value.
Theoretically, someone can forge a signature, which means that the signing process isn’t foolproof and may not actually make Windows more secure or reliable. Of course, the market will eventually decide whether Microsoft or the vendors are correct, but for now you have to worry about having signed drivers to use with Windows.
Using the boot method of permanently disabling signed driver checking An undocumented method of disabling the signed driver requirement for both 32-bit and 64-bit versions of Windows Server 2008 is to use the BCDEdit utility to make a change to the boot configuration. Because this feature isn’t documented, Microsoft could remove it at any time. This procedure isn’t something that a novice administrator should attempt to do, but it’s doable. The following steps describe the process:
1. Choose Start➪Programs➪Accessories. You see the Accessories menu.
2. Right-click Command Prompt and choose Run As Administrator from the context menu.
Windows opens a command line with elevated privileges. You can tell that the privileges are elevated because the title bar states that this is the administrator’s command prompt rather than a standard command prompt.
3. Type BCDEdit /Export C:\BCDBackup and press Enter.
BCDEdit displays the message This Operation Completed Successfully. This command saves a copy of your current boot configuration to the C:\BCDBackup file. Never change the boot configuration without making a backup.
4. Type BCDEdit /Set LoadOptions DDISABLE_INTEGRITY_CHECKS and press Enter.
BCDEdit displays the message This Operation Completed Successfully. Your command prompt should now look like the one shown in this fig.
5. Restart your system as normal to use the new configuration.
Using the group policy method of permanently disabling signed driver checking Users of the 32-bit version of Windows Server 2008 also have a documented and Microsoft-approved method of bypassing the signing requirement. (This technique will never work on the 64-bit version of the product.) In this case,you set a global policy that disables the requirement for the local machine (when made on the local machine) or the domain (when made on the domain controller). The following steps describe how to use the Global Policy Edit (GPEdit) console to perform this task.
1. Choose Start➪Run.
You see the Run dialog box.
2. Type GPEdit.MSC (for Group Policy Edit) in the Open field and click OK.
Windows displays the Local Group Policy Editor window.
3. Locate the Local Computer Policy\User Configuration\ Administrative Templates\System\Driver Installation folder.
4. Double-click the Code Signing for Device Drivers policy.
You see the Code Signing for Device Drivers Properties dialog box,shown below.....
5. Select Enabled.
6. Choose Ignore (installs unsigned drivers without asking), Warn (displays a message asking whether you want to install the unsigned driver), or Block (disallows unsigned driver installation automatically) from the drop-down list.
7. Click OK.
The Local Group Policy Editor console sets the new policy for installing device drivers.
8. Close the Local Group Policy Editor console.
9. Reboot the server.
Theoretically, the changes you made should take effect immediately after you log back in to the system. However, to make sure the policy takes effect for everyone, reboot the server.
Debugging mode is an option where Windows boots a special version of itself called the kernel debugger. A developer can use this mode to troubleshoot errant code either locally (when the system is generally working) or from a remote location. Unlike Remote Desktop or other methods of connecting remotely, debugging mode requires a serial connection, normally using COM2. Disabling the automatic restart on system failure Windows is set up to restart automatically during a major system failure. This behavior makes it possible to recover from a major failure without having to perform a hard boot (essentially pulling the plug or pressing the Reset button on the front of the system), which can cause damage to your hard drive. There are two problems with this feature:
✦ Windows can reboot before you can record all the information you need about the major failure.
✦ Some viruses rely on the reboot feature and can actually prevent you from using the server by causing the server to constantly crash
Disabling driver signature enforcement
Many of the virus, adware, security, and crash problems with Windows occur when someone installs a driver of dubious origin. The driver supposedly provides some special feature for Windows but in reality makes Windows unstable and can open doors for people of ill intent who want your system for themselves. Of course, Microsoft’s solution is to lock down Windows so that you can use only signed drivers. A signed driver is one in which the driver creator uses a special digital signature to “sign” the driver software. You can examine this signature (as can Windows) to ensure that the driver is legitimate.
Windows 2008 doesn’t load a driver that the vendor hasn’t signed. Unfortunately, you’ll find more unsigned than signed drivers on the market right now. Vendors haven’t signed their drivers, for the most part, because the process is incredibly expensive and difficult. Many vendors see the new Windows 2008 feature as Microsoft’s method of forcing them to spend money on something that they dispute as having value.
Theoretically, someone can forge a signature, which means that the signing process isn’t foolproof and may not actually make Windows more secure or reliable. Of course, the market will eventually decide whether Microsoft or the vendors are correct, but for now you have to worry about having signed drivers to use with Windows.
Using the boot method of permanently disabling signed driver checking An undocumented method of disabling the signed driver requirement for both 32-bit and 64-bit versions of Windows Server 2008 is to use the BCDEdit utility to make a change to the boot configuration. Because this feature isn’t documented, Microsoft could remove it at any time. This procedure isn’t something that a novice administrator should attempt to do, but it’s doable. The following steps describe the process:
1. Choose Start➪Programs➪Accessories. You see the Accessories menu.
2. Right-click Command Prompt and choose Run As Administrator from the context menu.
Windows opens a command line with elevated privileges. You can tell that the privileges are elevated because the title bar states that this is the administrator’s command prompt rather than a standard command prompt.
3. Type BCDEdit /Export C:\BCDBackup and press Enter.
BCDEdit displays the message This Operation Completed Successfully. This command saves a copy of your current boot configuration to the C:\BCDBackup file. Never change the boot configuration without making a backup.
4. Type BCDEdit /Set LoadOptions DDISABLE_INTEGRITY_CHECKS and press Enter.
BCDEdit displays the message This Operation Completed Successfully. Your command prompt should now look like the one shown in this fig.
5. Restart your system as normal to use the new configuration.
Using the group policy method of permanently disabling signed driver checking Users of the 32-bit version of Windows Server 2008 also have a documented and Microsoft-approved method of bypassing the signing requirement. (This technique will never work on the 64-bit version of the product.) In this case,you set a global policy that disables the requirement for the local machine (when made on the local machine) or the domain (when made on the domain controller). The following steps describe how to use the Global Policy Edit (GPEdit) console to perform this task.
1. Choose Start➪Run.
You see the Run dialog box.
2. Type GPEdit.MSC (for Group Policy Edit) in the Open field and click OK.
Windows displays the Local Group Policy Editor window.
3. Locate the Local Computer Policy\User Configuration\ Administrative Templates\System\Driver Installation folder.
4. Double-click the Code Signing for Device Drivers policy.
You see the Code Signing for Device Drivers Properties dialog box,shown below.....
5. Select Enabled.
6. Choose Ignore (installs unsigned drivers without asking), Warn (displays a message asking whether you want to install the unsigned driver), or Block (disallows unsigned driver installation automatically) from the drop-down list.
7. Click OK.
The Local Group Policy Editor console sets the new policy for installing device drivers.
8. Close the Local Group Policy Editor console.
9. Reboot the server.
Theoretically, the changes you made should take effect immediately after you log back in to the system. However, to make sure the policy takes effect for everyone, reboot the server.
0 comments on windows server 2008 working with Special Boot Mode.PART-II :
Post a Comment