Friday, August 7, 2015

“EFS” on FAT drives in Windows 10

Doesn’t this look weird to you?


It sure looks like there’s an encrypted file on a FAT volume, doesn’t it? EFS has always been said to be a file system service available only to the NTFS volumes…

Well now it gets interesting ‘cause EFS requires alternate data streams for the metadata and only NTFS supports ADS. If we take a _really_ close look at that file it actually isn’t EFS encrypted although it looks and behaves like one. It’s actually an encrypted PFILE and Enterprise Data Protection takes care of storing required metadata. The file system has been changed to present it like an EFS-file to the rest of the OS.

Thursday, April 9, 2015

How to install full version of Teamviewer on someone elses computer so that it works with UAC

I get this question so often that I decided to document it. The problem is that if you ask someone to start a Teamviewer Quick Support –version it won’t work with UAC. You need to get Teamviewer installed on the computer as a service to work with UAC. This isn’t always straightforward so I’ll show here my version on how to do it with a few gotchas to look at.

1. You first ask your friend/customer to download Teamviewer QS from for example:

2. Ask them to Run it and allow elevation



3. Ask them to tell you the ID and Password


4. Connect to the computer and upgrade to the full version


5. Choose the proper version, NOT THE QS-version!


6. Reconnect to the computer – the ID and Password stay the same as for the QS-version

7. Configure Unattended access


8. The one thing that I always do after this because UAC is still not usually really working at this phase is to restart the Teamviewer service


9. Once more reconnect and now you have Full Control with UAC working properly

Sunday, November 9, 2014

TechEd Europe 2014 Barcelona Results are in!


GRANDSLAM! My second year as a TechEd Speaker couldn’t have gone better! I am honored and more than thankful for everyone who joined my sessions and gave such overwhelming evaluations. Best session at both major TechEd’s in 2014 and even happier that they weren’t the same session at both events. My aim was to get all the sessions to the top 50 in the overall and top 10 on my track and I got it!

Overall results (410 sessions, 325 speakers)

Top 10 Sessions based on Overall Satisfaction (minimum 10 evals submitted):

  • #1 BlackBelt Security – Sami Laiho
  • #4 BlackBelt Troubleshooting – Sami Laiho
  • #9 Building a BulletProof BitLocker – Sami Laiho

Top 10 Sessions based on Presenter Effectiveness (minimum 10 evals submitted)

  • #3 BlackBelt Troubleshooting – Sami Laiho
  • #4 BlackBelt Security – Sami Laiho
  • #23 Building a BulletProof BitLocker – Sami Laiho

      WINDOWS-track results (45 sessions, 25 speakers)

      Top 10 Sessions based on Overall Satisfaction (minimum 10 evals submitted):

      • #1 BlackBelt Security – Sami Laiho
      • #2 BlackBelt Troubleshooting – Sami Laiho
      • #3 Building a BulletProof BitLocker – Sami Laiho

      Top 10 Sessions based on Presenter Effectiveness (minimum 10 evals submitted)

      • #2 BlackBelt Troubleshooting – Sami Laiho
      • #3 BlackBelt Security – Sami Laiho
      • #6 Building a BulletProof BitLocker – Sami Laiho

      You can see the sessions here:

      Thanks again to everyone! And big congratulations to all other speakers as well.


      Tuesday, October 28, 2014

      BitLocker Policies for TechEd Europe 2014 in Barcelona!

      I promised my viewers that I’d give the presented GPO-settings as a prebuilt Group Policy object so here you go!
      Download BitLocker-policy

      If you want to get the promised TPM Flowchart as well you should enroll to my free newsletter at:

      Friday, August 29, 2014

      Proactive Security Beats Reactive Security (as seen on the Windows IT Pro Insider)


      I had the opportunity to write an article to the Windows IT Pro Insider newsletter (previously known as Sprinboard Newsletter). Make sure you have subscribed to it like more than a million of your collegues. You can sign up here:

      Here’s my article:

      Community update


      Proactive Security Beats Reactive Security
      By Sami Laiho, Microsoft MVP – Windows Expert-IT Pro

      You have probably read interviews with major anti-malware company executives saying that the IT world is changing to direction where reactive protection can’t defend the user and the computer anymore. Threats are changing and evolving so rapidly that systems that focus on finding something according to fingerprints or heuristics just can’t do the job they used to do. My company specializes in getting rid of end user administrative rights and I’ve always been a strong believer in proactive security. I hope you take the time to read through this article where I try give my five cents on how I believe we need to protect our environment in the future.


      I recently bought a new Dell Precision laptop with Windows 8.1 to work as my travelling data center. I travel more than 100 days a year and connect to hundreds of different networks and environments. To prove a point, I’m running a different OS configuration than I normally do. My laptop doesn’t have any anti-malware software installed and has all ports opened in my firewall. (Windows 8.1 actually makes it quite hard to keep it this way; it tries its best to turn on anti-malware and Windows Firewall whenever it gets a chance.) Before you get ahead of yourself, I would like to remind you that this configuration is just to prove a point and is an experiment. I don’t recommend that anyone to turn off their anti-malware solution or Windows Firewall. In fact, I recommend that you keep both enabled to stay on top of the proactive security measures I’m going to talk about.

      With this current configuration, I manually scan my computer weekly with different anti-malware solutions to document how my experiment goes and how effective proactive security can be. Am I worried? I had to stop for a few seconds and actually think about it, but I have to say, "No, not at all."

      So what is my "shields up" defense if not an anti-malware solution and a firewall? Let’s first look at a list of my defensive measures:

      No end user administrator rights – This is the most fundamental and important part. Even Microsoft documentation states that if you are running local administrative rights you can’t protect yourself.

      Current OS – I’m running a 64-bit version of Windows 8.1 Enterprise that is fully up to date.

      Unified Extensible Firmware Interface (UEFI) – I always run hardware that has UEFI and Secure Boot enabled.

      Trusted Platform Module (TPM) – I always run hardware that has a TPM, either as a physical chip or as part of the firmware.

      BitLocker – I always have hard disk encryption in place.

      AppLocker – I only run whitelisted software. You can do this with Windows 8.1 Pro and Software Restriction Policies, but AppLocker in Windows 8.1 Enterprise is easier to administer.

      IPsec – I only answer to devices I trust.

      So, if you ask about me being worried or scared, I would answer you like this, "I have a Windows machine that only runs code that I explicitly trust and only talks to other devices I explicitly trust and I have no way of mistakenly disabling or bypassing it." The whole thing is not a walk in the park; every part requires planning and some administrative overhead, as you can imagine. As a result, I’d like to walk you quickly through every feature I’m using and offer a short description on how I do it.

      No end user administrator rights

      During daily use, I never log on with an administrative account. When people have told me that they hate User Account Control (UAC), I have to say that I love it. I don’t need UAC for its protection as I don’t have any administrator rights, but I love the extra power that UAC gives me by asking me if I would like to use an administrator account when I need one. In Windows XP, I had to press the SHIFT key and right-click icons to get an option to Run As a different user. With Windows Vista came UAC and I don’t have this overhead anymore. I have a local administrator account if I need it. It’s actually simply called "A" so I can quickly type in ".\a" and the password when prompted. (To be honest, I use a software called Privilege Guard that gives me the opportunity to give administrative access to processes instead of only users or computers.)

      Current OS and only x64

      People always know that they need a 64-bit system to get better use of their 4GB+ memory, but they seem to forget that x64 versions of Windows can be more secure than x86. For example, an x86 Windows 8.1 system will run unsigned code in the kernel while the x64 version won’t – a fundamental difference when keeping a computer secure against malware.

      UEFI + Secure Boot + TPM + BitLocker

      I’m running BitLocker with TPM protection only—no PIN, no USB stick. This does; however, require Windows 8 and UEFI with Secure Boot to keep it secure. The reasons behind this are long enough that I can’t list them here, but check out my TechEd North America session, Building a Bulletproof Windows BitLocker, for more details.


      Software restrictions come in two flavors: blacklisting and whitelisting, Blacklisting serve its purpose in certain cases, but it is a perfect example of an old, reactive way of protecting a computer. For example, it’s basically impossible to use for securing your computer as a blacklist includes all non-wanted software. How would you make a list of all the software in the world you wouldn’t want to run on your computer? As a result, the only effective solution is whitelisting, which is a great example of a proactive measure. You list what you want to run.
      Now, many IT pros stop me here before I get started by saying, "My company has over a thousand application with many more executables. How would I list those in AppLocker?" You wouldn’t. It’s time to stop thinking about objects and start thinking about containers. Instead of counting the executables, count the applications that run outside of c:\Program Files or c:\Windows folders. I know my Windows image (WIM) file so I start from a trusted environment. Then, I tell AppLocker to allow everything for Administrators (not me) and to allow C:\Program Files, C:\Program Files (x86)\ and C:\Windows. As I don’t have administrator rights, I can’t add anything to those folders – it’s simple. This prevents things like like Chrome, Firefox, Spotify, and TeamViewer from running in my environment, although (as you probably know) those can run without administrator rights by default. You do need to tweak these rules and add some of your own, that’s for sure. I have a running environment that has more than 30,000 workstations, and that has been running Software Restriction Policies since 2002, and they have 14 rules. Before Windows XP, they had a whitelist of a whopping 8,000 executables!
      AppLocker is my number one proactive measure in Windows and I have to say I just love it! However; even with AppLocker, you need to audit your installation. By default, C:\Windows should be a place that no limited user can write to, but sadly that is not the case. You can check where limited users have write access with a free Windows Sysinternals tool called AccessChk. Here is a screenshot of a default Windows folder on a Windows 8.1 Enterprise machine and, as you can see, you need to exclude at least three folders to make it bulletproof:

      Figure 1. AccessChk process


      Today, I would say that a firewall should be built inside of port 443. I don’t really understand the reason behind blocking 65,534 ports when everything goes through the one that’s "always" open. IPsec has been around for ages, and is almost always misunderstood (like AppLocker) to be something that requires huge overhead. IPsec consists of two protocols: Authentication Header (AH) which does authentication and Encapsulating Security Payload (ESP) which does encryption. Only when you start talking about encryption do you start to see any overhead, if even then. When I say I use IPsec 99% of the time, I am only referring to authentication. My IPsec policy is built in a way that I always try to authenticate when sending packets. If the other end can’t do it, I revert to unauthenticated. If I would require outbound authentication, I couldn’t browse the Internet or search with a search engine. When someone starts talking to me (inbound), I’m stricter and I won’t reply if the device doesn’t belong to my domain or have a certificate from my certificate authority (CA). So, I do have all my firewall ports open and I won’t block them when they are reported dangerous, but, on the other hand, I don’t let anyone in that I don’t trust—again an example of proactive versus reactive measures.

      That’s all for now, but I hope you follow me on Twitter to get updates on how my experiment is going, and start to be proactive instead of reactive when it comes to the security of your environment!

      Sami LaihoSami Laiho is one of the world’s leading Windows OS professionals. A Microsoft MVP (Windows Expert – IT Pro) and member of the Springboard Series Technical Expert Panel (STEP), Sami has been working with and teaching troubleshooting, management, and security for more than 15 years. His session was evaluated as the best session, and Sami as the best speaker, at TechEd North America 2014 and TechEd Australia 2013. Sami’s session at TechEd Europe 2013 was also rated the best session by an external speaker. Sami is globally known as the creator of a free Windows SteadyState replacement called Wioski and a one-time admin password creator called Adminizer. You can follow him on Twitter @samilaiho or visit his website at

      Thursday, July 17, 2014

      Server 2012 R2 Essentials shutting down from time to time

      Sometimes I seem to forget to look at the INFORMATION event log entries as I’m looking for errors. Many times the unwanted reboots are intentional and don’t show as Warnings or errors. Like here:


      I had mistaken and installed Server 2012 R2 Essentials as a Member server which is not allowed. It’s my Direct Access server so I meant it to be Standard but had used the wrong USB key for installation.  The pointed Event Log told it to me in plain English as soon as I remembered to look at the INFO events as well Winking smile


      I just changed from GoDaddy to Bluehost. This link helps when deciding where to host:

      On GoDaddy I was sharing the IP with thousands of websites and Bluehost with 16 Winking smile