Sunday, November 9, 2014

TechEd Europe 2014 Barcelona Results are in!


GRANDSLAM! My second year as a TechEd Speaker couldn’t have gone better! I am honored and more than thankful for everyone who joined my sessions and gave such overwhelming evaluations. Best session at both major TechEd’s in 2014 and even happier that they weren’t the same session at both events. My aim was to get all the sessions to the top 50 in the overall and top 10 on my track and I got it!

Overall results (410 sessions, 325 speakers)

Top 10 Sessions based on Overall Satisfaction (minimum 10 evals submitted):

  • #1 BlackBelt Security – Sami Laiho
  • #4 BlackBelt Troubleshooting – Sami Laiho
  • #9 Building a BulletProof BitLocker – Sami Laiho

Top 10 Sessions based on Presenter Effectiveness (minimum 10 evals submitted)

  • #3 BlackBelt Troubleshooting – Sami Laiho
  • #4 BlackBelt Security – Sami Laiho
  • #23 Building a BulletProof BitLocker – Sami Laiho

      WINDOWS-track results (45 sessions, 25 speakers)

      Top 10 Sessions based on Overall Satisfaction (minimum 10 evals submitted):

      • #1 BlackBelt Security – Sami Laiho
      • #2 BlackBelt Troubleshooting – Sami Laiho
      • #3 Building a BulletProof BitLocker – Sami Laiho

      Top 10 Sessions based on Presenter Effectiveness (minimum 10 evals submitted)

      • #2 BlackBelt Troubleshooting – Sami Laiho
      • #3 BlackBelt Security – Sami Laiho
      • #6 Building a BulletProof BitLocker – Sami Laiho

      You can see the sessions here:

      Thanks again to everyone! And big congratulations to all other speakers as well.


      Tuesday, October 28, 2014

      BitLocker Policies for TechEd Europe 2014 in Barcelona!

      I promised my viewers that I’d give the presented GPO-settings as a prebuilt Group Policy object so here you go!
      Download BitLocker-policy

      If you want to get the promised TPM Flowchart as well you should enroll to my free newsletter at:

      Friday, August 29, 2014

      Proactive Security Beats Reactive Security (as seen on the Windows IT Pro Insider)


      I had the opportunity to write an article to the Windows IT Pro Insider newsletter (previously known as Sprinboard Newsletter). Make sure you have subscribed to it like more than a million of your collegues. You can sign up here:

      Here’s my article:

      Community update


      Proactive Security Beats Reactive Security
      By Sami Laiho, Microsoft MVP – Windows Expert-IT Pro

      You have probably read interviews with major anti-malware company executives saying that the IT world is changing to direction where reactive protection can’t defend the user and the computer anymore. Threats are changing and evolving so rapidly that systems that focus on finding something according to fingerprints or heuristics just can’t do the job they used to do. My company specializes in getting rid of end user administrative rights and I’ve always been a strong believer in proactive security. I hope you take the time to read through this article where I try give my five cents on how I believe we need to protect our environment in the future.


      I recently bought a new Dell Precision laptop with Windows 8.1 to work as my travelling data center. I travel more than 100 days a year and connect to hundreds of different networks and environments. To prove a point, I’m running a different OS configuration than I normally do. My laptop doesn’t have any anti-malware software installed and has all ports opened in my firewall. (Windows 8.1 actually makes it quite hard to keep it this way; it tries its best to turn on anti-malware and Windows Firewall whenever it gets a chance.) Before you get ahead of yourself, I would like to remind you that this configuration is just to prove a point and is an experiment. I don’t recommend that anyone to turn off their anti-malware solution or Windows Firewall. In fact, I recommend that you keep both enabled to stay on top of the proactive security measures I’m going to talk about.

      With this current configuration, I manually scan my computer weekly with different anti-malware solutions to document how my experiment goes and how effective proactive security can be. Am I worried? I had to stop for a few seconds and actually think about it, but I have to say, "No, not at all."

      So what is my "shields up" defense if not an anti-malware solution and a firewall? Let’s first look at a list of my defensive measures:

      No end user administrator rights – This is the most fundamental and important part. Even Microsoft documentation states that if you are running local administrative rights you can’t protect yourself.

      Current OS – I’m running a 64-bit version of Windows 8.1 Enterprise that is fully up to date.

      Unified Extensible Firmware Interface (UEFI) – I always run hardware that has UEFI and Secure Boot enabled.

      Trusted Platform Module (TPM) – I always run hardware that has a TPM, either as a physical chip or as part of the firmware.

      BitLocker – I always have hard disk encryption in place.

      AppLocker – I only run whitelisted software. You can do this with Windows 8.1 Pro and Software Restriction Policies, but AppLocker in Windows 8.1 Enterprise is easier to administer.

      IPsec – I only answer to devices I trust.

      So, if you ask about me being worried or scared, I would answer you like this, "I have a Windows machine that only runs code that I explicitly trust and only talks to other devices I explicitly trust and I have no way of mistakenly disabling or bypassing it." The whole thing is not a walk in the park; every part requires planning and some administrative overhead, as you can imagine. As a result, I’d like to walk you quickly through every feature I’m using and offer a short description on how I do it.

      No end user administrator rights

      During daily use, I never log on with an administrative account. When people have told me that they hate User Account Control (UAC), I have to say that I love it. I don’t need UAC for its protection as I don’t have any administrator rights, but I love the extra power that UAC gives me by asking me if I would like to use an administrator account when I need one. In Windows XP, I had to press the SHIFT key and right-click icons to get an option to Run As a different user. With Windows Vista came UAC and I don’t have this overhead anymore. I have a local administrator account if I need it. It’s actually simply called "A" so I can quickly type in ".\a" and the password when prompted. (To be honest, I use a software called Privilege Guard that gives me the opportunity to give administrative access to processes instead of only users or computers.)

      Current OS and only x64

      People always know that they need a 64-bit system to get better use of their 4GB+ memory, but they seem to forget that x64 versions of Windows can be more secure than x86. For example, an x86 Windows 8.1 system will run unsigned code in the kernel while the x64 version won’t – a fundamental difference when keeping a computer secure against malware.

      UEFI + Secure Boot + TPM + BitLocker

      I’m running BitLocker with TPM protection only—no PIN, no USB stick. This does; however, require Windows 8 and UEFI with Secure Boot to keep it secure. The reasons behind this are long enough that I can’t list them here, but check out my TechEd North America session, Building a Bulletproof Windows BitLocker, for more details.


      Software restrictions come in two flavors: blacklisting and whitelisting, Blacklisting serve its purpose in certain cases, but it is a perfect example of an old, reactive way of protecting a computer. For example, it’s basically impossible to use for securing your computer as a blacklist includes all non-wanted software. How would you make a list of all the software in the world you wouldn’t want to run on your computer? As a result, the only effective solution is whitelisting, which is a great example of a proactive measure. You list what you want to run.
      Now, many IT pros stop me here before I get started by saying, "My company has over a thousand application with many more executables. How would I list those in AppLocker?" You wouldn’t. It’s time to stop thinking about objects and start thinking about containers. Instead of counting the executables, count the applications that run outside of c:\Program Files or c:\Windows folders. I know my Windows image (WIM) file so I start from a trusted environment. Then, I tell AppLocker to allow everything for Administrators (not me) and to allow C:\Program Files, C:\Program Files (x86)\ and C:\Windows. As I don’t have administrator rights, I can’t add anything to those folders – it’s simple. This prevents things like like Chrome, Firefox, Spotify, and TeamViewer from running in my environment, although (as you probably know) those can run without administrator rights by default. You do need to tweak these rules and add some of your own, that’s for sure. I have a running environment that has more than 30,000 workstations, and that has been running Software Restriction Policies since 2002, and they have 14 rules. Before Windows XP, they had a whitelist of a whopping 8,000 executables!
      AppLocker is my number one proactive measure in Windows and I have to say I just love it! However; even with AppLocker, you need to audit your installation. By default, C:\Windows should be a place that no limited user can write to, but sadly that is not the case. You can check where limited users have write access with a free Windows Sysinternals tool called AccessChk. Here is a screenshot of a default Windows folder on a Windows 8.1 Enterprise machine and, as you can see, you need to exclude at least three folders to make it bulletproof:

      Figure 1. AccessChk process


      Today, I would say that a firewall should be built inside of port 443. I don’t really understand the reason behind blocking 65,534 ports when everything goes through the one that’s "always" open. IPsec has been around for ages, and is almost always misunderstood (like AppLocker) to be something that requires huge overhead. IPsec consists of two protocols: Authentication Header (AH) which does authentication and Encapsulating Security Payload (ESP) which does encryption. Only when you start talking about encryption do you start to see any overhead, if even then. When I say I use IPsec 99% of the time, I am only referring to authentication. My IPsec policy is built in a way that I always try to authenticate when sending packets. If the other end can’t do it, I revert to unauthenticated. If I would require outbound authentication, I couldn’t browse the Internet or search with a search engine. When someone starts talking to me (inbound), I’m stricter and I won’t reply if the device doesn’t belong to my domain or have a certificate from my certificate authority (CA). So, I do have all my firewall ports open and I won’t block them when they are reported dangerous, but, on the other hand, I don’t let anyone in that I don’t trust—again an example of proactive versus reactive measures.

      That’s all for now, but I hope you follow me on Twitter to get updates on how my experiment is going, and start to be proactive instead of reactive when it comes to the security of your environment!

      Sami LaihoSami Laiho is one of the world’s leading Windows OS professionals. A Microsoft MVP (Windows Expert – IT Pro) and member of the Springboard Series Technical Expert Panel (STEP), Sami has been working with and teaching troubleshooting, management, and security for more than 15 years. His session was evaluated as the best session, and Sami as the best speaker, at TechEd North America 2014 and TechEd Australia 2013. Sami’s session at TechEd Europe 2013 was also rated the best session by an external speaker. Sami is globally known as the creator of a free Windows SteadyState replacement called Wioski and a one-time admin password creator called Adminizer. You can follow him on Twitter @samilaiho or visit his website at

      Thursday, July 17, 2014

      Server 2012 R2 Essentials shutting down from time to time

      Sometimes I seem to forget to look at the INFORMATION event log entries as I’m looking for errors. Many times the unwanted reboots are intentional and don’t show as Warnings or errors. Like here:


      I had mistaken and installed Server 2012 R2 Essentials as a Member server which is not allowed. It’s my Direct Access server so I meant it to be Standard but had used the wrong USB key for installation.  The pointed Event Log told it to me in plain English as soon as I remembered to look at the INFO events as well Winking smile


      I just changed from GoDaddy to Bluehost. This link helps when deciding where to host:

      On GoDaddy I was sharing the IP with thousands of websites and Bluehost with 16 Winking smile


      Wednesday, July 16, 2014

      Uninstall MSI-packages in Safe Mode

      I dug this up from a 10 year old course material I wrote but it’s still very usableSmile

      One weird thing in Windows OS troubleshooting is that Microsoft wants software developers to use MSI as the installation method and at the same time says on their documentation that if you run into problems after installing some software you should boot into Safe Mode and uninstall it. The weird part is the fact that Safe Mode in Windows actually doesn’t allow the Windows Installer service to start thus preventing uninstallation of any software that was installed with an MSI!

      You can get around this by tweaking the Safe Mode registry key with following command:

      REG ADD "HKEY_LOCAL_MACHINE\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer" /VE /T REG_SZ /D "Service"

      After this you can start the service with the following command or do it graphically with Services.msc:

      NET START msiserver

      Now you can uninstall any software that was installed by an MSI!

      Tuesday, July 1, 2014

      Why you need to manage your GPO’s from a Windows 8.1 and not with an RDP session to a Server 2012 r2

      Inspired by Jeremy Moskowitz and his blog “RSAT is not Evil” I decided to give my 5 cents on this matter as well.

      Most of my customers have adopted a style of administering their GPO’s from a central Server by establishing an RDP connection to it instead of using RSAT from a Windows 8.1 machine. This is not the case with just 8.1 and Server 2012 R2 but I’ll use them as an example. There are positive sides to using a server of course:

      1. A centralized location which always has the right ADMX-files even if no CentralStore has been created
      2. No need to install RSAT on workstations

      But there are drawbacks as well which are the reasons why I on the other hand never do it but instead always use a management workstation for it:

      1. There are only 2 free RDP instances available on a server while infinite amount of RSAT’s can be used
      2. The most important: GPMC uses the underlying OS to gather settings you can administer even if you have a Central Store or the most up to date ADMX-files!

      Let’s dig in to the second one a bit more with an example. Let’s say I have a scenario where my Boss asks me to:

      1. Change the startup type of WebClient service to Disabled to make connections to unknown UNC paths quicker
      2. Only allow the “Weather” Modern App on our Windows 8.1 machines

      Here’s how the settings look from Windows Server 2012 R2 server:



      And here’s what it looks like from GPMC installed on a Windows 8.1 machine: