Wednesday, October 7, 2015

Adminizer still beats LAPS

Microsoft nowadays offers a free Local Administrator Password Solution (LAPS) to randomize the local administrator passwords on computers and store them in Active Directory. So why am I still selling my Adminizer and, more importantly, why do people still keep buying it?

Here’s a short list of reasons:

  1. Adminizer not only randomizes your local passwords but makes them one-time as well. LAPS only randomizes the passwords: half the security and no way to give temporary access.
  2. Adminizer works without Active Directory, so workgroups, BYOD, CYOD, Azure AD joined Windows 10 machines etc. are easy to manage as well. LAPS requires AD.
  3. Adminizer works totally offline. LAPS will not change the password of a computer if it can’t reach AD or if GPOs don’t apply for some reason.


Of course you should test both, so here are the required links:




Wednesday, September 2, 2015

Hugely successful TechMentor!

I can’t help sharing this with you, as at TechMentor Redmond 2015 I had, in my opinion, the most fun security session I’ve ever had. I enjoyed it so much that I’m still excited about it. As I always try to share my tips on presentation skills as well as technical stuff, I will once more say that the most important thing in winning Best-in-Show awards at conferences is YOUR OWN EXCITEMENT ABOUT WHAT YOU ARE TALKING ABOUT!

My motto: Teach what you love and love what you teach or at least learn to fool yourself into believing that you love what you teach.

So how did it go? AWESOME! 40 people filled in the evals, which is great as there were about 400 people attending; for comparison, Ignite had 23,000 attendees and I got about 100 evals returned there.


Some stats (average score of all speakers at the conference / my score):

1. Speaker Effectiveness: (1-5, 5=Excellent; 1=Poor)

a. Style and delivery 4.57 / 4.88

b. Knowledge of subject 4.87 / 5.00

c. Speaker open to my specific problems/questions 4.66 / 4.74

2. Content Effectiveness: (1-5, 5=Excellent; 1=Poor)

a. Consistency with agenda description 4.71 / 4.95

b. New information/update/clarification 4.67 / 4.88

c. Met my expectations 4.50 / 4.98

3. Your overall rating of this session: (1-5, 5=Excellent; 1=Poor) 4.56 / 4.95

4. The level of the session was appropriate: (1. Yes 2. No) 1.03 / 1.00

5. Would you recommend the session to others? (1. Yes 2. No) 1.06 / 1.00

6. Did you feel this session was a product or corporate sales pitch? (1. Yes 2. No) 1.86 / 1.97


Unedited comments:

  • Sami is a great speaker, and I'm very impressed by his knowledge and delivery of the content.
  • Always entertaining, informative, and eye opening!
  • Was fun and educational!
  • Excellent speaker ‐ highly knowledgeable.
  • Very interesting, knowledgeable, relevant to my job, will save me time, make auditing easier and security
    setting more secure and less vulnerable. Excellent!
  • More time to go over even more; want more.
  • Great information!
  • Awesome!! And insightful!!
  • This could have been an all‐day session ‐ three hours was not enough. Excellent info.
  • Best presenter at the conference.
  • Sami was my favorite speaker at TechMentor. He taught very well, was very entertaining, and very
    informative. I will be taking back a lot of value to my company from what he taught me about Windows OS
    Internals and Security.
  • Great!
  • Captivated from start to finish. Sami delivered a homerun of a session. Knock out demos, engaging dialogue
    and lots of audience interaction. Even things going wrong were turned into opportunities to learn. #Amazing!
  • This was the best class all week. Sami did a fantastic job.
  • I appreciated the many examples on how to make things more secure and also what to look for and what
    not to do.
  • Definitely one of the best sessions so far. Sami's ability to show real time examples makes this session
    extremely valuable.
  • Great job. Great advice.
  • Great examples. I learned a lot.
  • The energy that Sami has and his depth of knowledge was amazing. I would watch his presentations any day.
  • Great information provided.
  • The best session! Fun and very informative! I wish I would have recorded the session.
  • Great session
  • Great job.
  • Again, subject matter perhaps better in shorter chunks.

Friday, August 7, 2015

“EFS” on FAT drives in Windows 10

Doesn’t this look weird to you?


It sure looks like there’s an encrypted file on a FAT volume, doesn’t it? EFS has always been described as a file system service available only on NTFS volumes…

Well, now it gets interesting, because EFS keeps its metadata in alternate data streams and only NTFS supports ADS. If we take a _really_ close look at that file, it actually isn’t EFS-encrypted, although it looks and behaves like one. It’s actually an encrypted PFILE, and Enterprise Data Protection takes care of storing the required metadata. The file system has been changed to present it like an EFS file to the rest of the OS.
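As an added example (not part of the original post), here is a PowerShell function that inventories files carrying the Encrypted attribute under a root and reports what file system the volume uses. On NTFS that attribute means EFS; on FAT or exFAT there is nowhere for EFS metadata to live, so a file that still reports the flag is one of the EDP-wrapped PFILEs described above. The drive letter in the usage line is an assumption.

```powershell
# Added example, not from the original post. Assumptions: the root path exists
# and is readable; E:\ below stands for a FAT-formatted USB stick.
function Find-EncryptedFile {
    param([Parameter(Mandatory)][string]$Root)

    # -Attributes Encrypted filters on FILE_ATTRIBUTE_ENCRYPTED, the same flag
    # Explorer colours green and attrib.exe lists as "E".
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -Attributes Encrypted -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rootPath = [System.IO.Path]::GetPathRoot($_.FullName)
            # DriveFormat is the volume's file system name: NTFS, FAT32, exFAT, ...
            $fs = (New-Object System.IO.DriveInfo $rootPath).DriveFormat

            # NTFS: the attribute is real EFS (metadata in the file's NTFS attributes).
            # Anything else: there is no place for EFS metadata, so this is a PFILE
            # that Enterprise Data Protection (Windows 10) presents as encrypted.
            [pscustomobject]@{
                Path       = $_.FullName
                FileSystem = $fs
                Mechanism  = if ($fs -eq 'NTFS') { 'EFS' } else { 'EDP PFILE (not EFS)' }
                Length     = $_.Length
            }
        }
}

# Usage (drive letter is an assumption):
Find-EncryptedFile -Root 'E:\' | Format-Table -AutoSize
```

The Mechanism column is what matters when such a stick is carried to another machine: a real EFS file needs the user's EFS certificate, while the PFILE needs the EDP policy and keys that wrapped it.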

Thursday, April 9, 2015

How to install the full version of TeamViewer on someone else’s computer so that it works with UAC

I get this question so often that I decided to document it. The problem is that if you ask someone to start the TeamViewer QuickSupport version, it won’t work with UAC: QuickSupport runs as a normal application, and TeamViewer needs to be installed as a service on the computer to handle UAC prompts. This isn’t always straightforward, so I’ll show here my version of how to do it, with a few gotchas to look at.

1. First ask your friend/customer to download TeamViewer QS from, for example:

2. Ask them to run it and allow elevation



3. Ask them to tell you the ID and password


4. Connect to the computer and upgrade to the full version


5. Choose the proper version, NOT the QS version!


6. Reconnect to the computer; the ID and password stay the same as for the QS version

7. Configure unattended access. Note that this leaves a persistent remote-admin path into the machine for anyone holding that password, so set a strong one and remove the unattended access once the job is done.


8. One thing I always do after this, because UAC prompts usually still don’t show up properly over the remote session at this point, is restart the TeamViewer service


9. Reconnect once more and now you have full control with UAC working properly

Sunday, November 9, 2014

TechEd Europe 2014 Barcelona Results are in!


GRANDSLAM! My second year as a TechEd speaker couldn’t have gone better! I am honored and more than thankful to everyone who joined my sessions and gave such overwhelming evaluations. Best session at both major TechEds in 2014, and I’m even happier that it wasn’t the same session at both events. My aim was to get all my sessions into the top 50 overall and the top 10 on my track, and I got it!

Overall results (410 sessions, 325 speakers)

Top 10 Sessions based on Overall Satisfaction (minimum 10 evals submitted):

  • #1 BlackBelt Security – Sami Laiho
  • #4 BlackBelt Troubleshooting – Sami Laiho
  • #9 Building a BulletProof BitLocker – Sami Laiho

Top 10 Sessions based on Presenter Effectiveness (minimum 10 evals submitted)

  • #3 BlackBelt Troubleshooting – Sami Laiho
  • #4 BlackBelt Security – Sami Laiho
  • #23 Building a BulletProof BitLocker – Sami Laiho

      WINDOWS-track results (45 sessions, 25 speakers)

      Top 10 Sessions based on Overall Satisfaction (minimum 10 evals submitted):

      • #1 BlackBelt Security – Sami Laiho
      • #2 BlackBelt Troubleshooting – Sami Laiho
      • #3 Building a BulletProof BitLocker – Sami Laiho

      Top 10 Sessions based on Presenter Effectiveness (minimum 10 evals submitted)

      • #2 BlackBelt Troubleshooting – Sami Laiho
      • #3 BlackBelt Security – Sami Laiho
      • #6 Building a BulletProof BitLocker – Sami Laiho

      You can see the sessions here:

      Thanks again to everyone! And big congratulations to all other speakers as well.


      Tuesday, October 28, 2014

      BitLocker Policies for TechEd Europe 2014 in Barcelona!

      I promised my viewers that I’d give the presented GPO settings as a prebuilt Group Policy object, so here you go!
      Download BitLocker-policy

      If you want the promised TPM flowchart as well, subscribe to my free newsletter at:

      Friday, August 29, 2014

      Proactive Security Beats Reactive Security (as seen on the Windows IT Pro Insider)


      I had the opportunity to write an article for the Windows IT Pro Insider newsletter (previously known as the Springboard Newsletter). Make sure you have subscribed to it, like more than a million of your colleagues. You can sign up here:

      Here’s my article:

      Community update


      Proactive Security Beats Reactive Security
      By Sami Laiho, Microsoft MVP – Windows Expert-IT Pro

      You have probably read interviews with major anti-malware company executives saying that the IT world is changing in a direction where reactive protection can’t defend the user and the computer anymore. Threats are changing and evolving so rapidly that systems which focus on finding something by fingerprints or heuristics just can’t do the job they used to do. My company specializes in getting rid of end user administrative rights, and I’ve always been a strong believer in proactive security. I hope you take the time to read through this article, where I try to give my five cents on how I believe we need to protect our environments in the future.


      I recently bought a new Dell Precision laptop with Windows 8.1 to work as my travelling data center. I travel more than 100 days a year and connect to hundreds of different networks and environments. To prove a point, I’m running a different OS configuration than I normally do. My laptop doesn’t have any anti-malware software installed and has all ports open in my firewall. (Windows 8.1 actually makes it quite hard to keep it this way; it tries its best to turn on anti-malware and Windows Firewall whenever it gets a chance.) Before you get ahead of yourself, I would like to remind you that this configuration is just to prove a point and is an experiment. I don’t recommend that anyone turn off their anti-malware solution or Windows Firewall. In fact, I recommend that you keep both enabled on top of the proactive security measures I’m going to talk about.

      With this current configuration, I manually scan my computer weekly with different anti-malware solutions to document how my experiment goes and how effective proactive security can be. Am I worried? I had to stop for a few seconds and actually think about it, but I have to say, "No, not at all."

      So what is my "shields up" defense if not an anti-malware solution and a firewall? Let’s first look at a list of my defensive measures:

      No end user administrator rights – This is the most fundamental and important part. Even Microsoft documentation states that if you run with local administrative rights, you can’t protect yourself.

      Current OS – I’m running a 64-bit version of Windows 8.1 Enterprise that is fully up to date.

      Unified Extensible Firmware Interface (UEFI) – I always run hardware that has UEFI and Secure Boot enabled.

      Trusted Platform Module (TPM) – I always run hardware that has a TPM, either as a physical chip or as part of the firmware.

      BitLocker – I always have hard disk encryption in place.

      AppLocker – I only run whitelisted software. You can do this with Windows 8.1 Pro and Software Restriction Policies, but AppLocker in Windows 8.1 Enterprise is easier to administer.

      IPsec – I only answer to devices I trust.

      So, if you ask about me being worried or scared, I would answer you like this, "I have a Windows machine that only runs code that I explicitly trust and only talks to other devices I explicitly trust and I have no way of mistakenly disabling or bypassing it." The whole thing is not a walk in the park; every part requires planning and some administrative overhead, as you can imagine. As a result, I’d like to walk you quickly through every feature I’m using and offer a short description on how I do it.

      No end user administrator rights

      During daily use, I never log on with an administrative account. When people have told me that they hate User Account Control (UAC), I have to say that I love it. I don’t need UAC for its protection, as I don’t have any administrator rights, but I love the extra power that UAC gives me by asking whether I would like to use an administrator account when I need one. In Windows XP, I had to press the SHIFT key and right-click icons to get an option to Run As a different user. With Windows Vista came UAC and I don’t have this overhead anymore. I have a local administrator account if I need it. It’s actually simply called "A" so I can quickly type in ".\a" and the password when prompted. (To be honest, I use a product called Privilege Guard that gives me the opportunity to grant administrative access to processes instead of only to users or computers.)

      Current OS and only x64

      People know that they need a 64-bit system to make use of 4 GB+ of memory, but they seem to forget that x64 versions of Windows can be more secure than x86. For example, an x86 Windows 8.1 system will load unsigned code into the kernel while the x64 version won’t – a fundamental difference when keeping a computer secure against malware.

      UEFI + Secure Boot + TPM + BitLocker

      I’m running BitLocker with TPM protection only – no PIN, no USB stick. This does, however, require Windows 8 and UEFI with Secure Boot to keep it secure. The reasons behind this are long enough that I can’t list them here, but check out my TechEd North America session, Building a Bulletproof Windows BitLocker, for more details.


      AppLocker

      Software restrictions come in two flavors: blacklisting and whitelisting. Blacklisting serves its purpose in certain cases, but it is a perfect example of the old, reactive way of protecting a computer. It’s basically impossible to use for securing your computer, as a blacklist would have to include all unwanted software: how would you make a list of all the software in the world you wouldn’t want to run on your computer? As a result, the only effective solution is whitelisting, which is a great example of a proactive measure: you list what you want to run.
      Now, many IT pros stop me here before I get started by saying, "My company has over a thousand applications with many more executables. How would I list those in AppLocker?" You wouldn’t. It’s time to stop thinking about objects and start thinking about containers. Instead of counting the executables, count the applications that run outside of the C:\Program Files or C:\Windows folders. I know my Windows image (WIM) file, so I start from a trusted environment. Then I tell AppLocker to allow everything for Administrators (not me) and to allow C:\Program Files, C:\Program Files (x86) and C:\Windows. As I don’t have administrator rights, I can’t add anything to those folders – it’s that simple. This prevents things like Chrome, Firefox, Spotify and TeamViewer from running in my environment, although (as you probably know) those can by default be installed and run without administrator rights, because they install under the user profile. You do need to tweak these rules and add some of your own, that’s for sure. I know a running environment with more than 30,000 workstations that has been using Software Restriction Policies since 2002, and they have 14 rules. Before Windows XP, they had a whitelist of a whopping 8,000 executables!
      AppLocker is my number one proactive measure in Windows and I have to say I just love it! However, even with AppLocker, you need to audit your installation. By default, C:\Windows should be a place that no limited user can write to, but sadly that is not the case: a limited user who can write into a folder that a path rule allows can drop an executable there and run it. You can check where limited users have write access with the free Windows Sysinternals tool AccessChk. Here is a screenshot of a default Windows folder on a Windows 8.1 Enterprise machine and, as you can see, you need to exclude at least three folders to make it bulletproof:

      Figure 1. AccessChk process
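
      The following PowerShell is an added example, not code from the article or from any product mentioned in it. It covers the two previous paragraphs in one piece: first it answers the AccessChk question (which folders under C:\Windows can a limited user write into, the equivalent of accesschk.exe -w -s -u -d Users C:\Windows), then it emits the container-style AppLocker policy described above (everything for Administrators, Program Files and Windows for everyone else) with those writable folders carved out as exceptions, and finally it tests the policy against an executable that exists and a copy of it placed in a user-writable location. Assumptions: it runs elevated on Windows 8.1 Enterprise or Server 2012 R2 with the AppLocker module present; the SIDs and path variables are standard AppLocker values; the rule names are made up.

```powershell
# Added example, not from the original article. Assumptions: elevated PowerShell
# on Windows 8.1 Enterprise / Server 2012 R2 with the AppLocker cmdlets; enforcing
# the policy later also needs the Application Identity (AppIDSvc) service running.

# 1. Audit: directories under %WINDIR% that a limited user can create files in.
#    Same question as: accesschk.exe -w -s -u -d Users C:\Windows
function Get-UserWritableDirectory {
    param([string]$Root = $env:WINDIR)

    # Identities that every non-admin token carries.
    $limited = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')
    # Either bit lets a user drop a file/folder here; Write, Modify and FullControl
    # all contain them, so one mask catches every write-capable ACE. (Generic
    # rights such as GENERIC_ALL are not expanded here; AccessChk does that.)
    $writeMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'

    # Walking all of C:\Windows takes a few minutes; unreadable dirs are skipped.
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            $hits    = $acl.Access | Where-Object { $limited -contains $_.IdentityReference.Value -and (($_.FileSystemRights -band $writeMask) -ne 0) }
            $denied  = $hits | Where-Object AccessControlType -eq 'Deny'
            $allowed = $hits | Where-Object AccessControlType -eq 'Allow'
            if ($allowed -and -not $denied) { $dir.FullName }
        }
}

# 2. The container policy: Administrators run anything, everyone else only what
#    lives in the two trusted folders, minus the folders found above. AuditOnly
#    first; switch to Enabled once the AppLocker event log shows no surprises.
function New-ContainerPolicyXml {
    param([string[]]$WritableDirs)

    # C:\Windows\Temp -> %WINDIR%\Temp\*  (AppLocker's path-variable form)
    $exceptions = foreach ($d in $WritableDirs) {
        $rel = $d.Substring($env:WINDIR.Length).TrimStart('\')
        "        <FilePathCondition Path=`"%WINDIR%\$rel\*`" />"
    }
    $exceptionBlock = if ($exceptions) { "      <Exceptions>`n$($exceptions -join "`n")`n      </Exceptions>" } else { '' }

    # %PROGRAMFILES% covers both Program Files and Program Files (x86) in AppLocker.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators: everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Everyone: Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Everyone: Windows minus user-writable folders" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
$exceptionBlock
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

# 3. Build, then test before deploying: the real notepad.exe under %WINDIR% and a
#    copy of it in the user's own %TEMP%, evaluated as Everyone.
$writable = Get-UserWritableDirectory
$xmlPath  = Join-Path $env:TEMP 'container-policy.xml'
New-ContainerPolicyXml -WritableDirs $writable | Set-Content -LiteralPath $xmlPath -Encoding UTF8

$probe = Join-Path $env:TEMP 'notepad-copy.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $probe -Force
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path "$env:WINDIR\System32\notepad.exe", $probe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally (still AuditOnly as written):  Set-AppLockerPolicy -XmlPolicy $xmlPath
```

      The PolicyDecision column tells you which of the two files would be allowed to run and by which rule; the copy sitting in the profile should match no allow rule at all. Run the audit again after every feature update, because the set of user-writable folders under C:\Windows is exactly what turns a path rule into a bypass.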


      IPsec

      Today, I would say that a firewall should be built inside port 443. I don’t really understand the reason behind blocking 65,534 ports when everything goes through the one that’s "always" open. IPsec has been around for ages and is almost always misunderstood (like AppLocker) to be something that requires huge overhead. IPsec consists of two protocols: Authentication Header (AH), which does authentication, and Encapsulating Security Payload (ESP), which does encryption (and can do authentication alone when used with a null cipher). Only when you start talking about encryption do you start to see any overhead, if even then. When I say I use IPsec 99% of the time, I am only referring to authentication. My IPsec policy is built so that I always try to authenticate when sending packets; if the other end can’t, I fall back to unauthenticated. If I required outbound authentication, I couldn’t browse the Internet or use a search engine. When someone starts talking to me (inbound), I’m stricter: I won’t reply if the device doesn’t belong to my domain or have a certificate from my certificate authority (CA). So I do have all my firewall ports open and I won’t block them when they are reported dangerous, but, on the other hand, I don’t let anyone in that I don’t trust – again an example of proactive versus reactive measures.
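
      As an added example (not from the article), here is that policy expressed as a local Windows Firewall connection security rule with the NetSecurity cmdlets (Windows 8 / Server 2012 and later): authentication only, requested outbound with fallback to clear text, required inbound, accepting either a domain (Kerberos) machine identity or a machine certificate from the organisation’s own CA. The CA subject name and the rule names are assumptions.

```powershell
# Added example, not from the original article. Run elevated; it changes the
# local IPsec policy. Assumption: 'CN=Corp Root CA, O=Example' is your own CA.

# Phase 1 (main mode) machine authentication. Proposals are tried in order:
# Kerberos for domain members, then a machine certificate chained to our CA.
$kerb = New-NetIPsecAuthProposal -Machine -Kerberos
$cert = New-NetIPsecAuthProposal -Machine -Cert -Authority 'CN=Corp Root CA, O=Example' -AuthorityType Root
$p1   = New-NetIPsecPhase1AuthSet -DisplayName 'Machine: Kerberos or Corp CA cert' -Proposal $kerb, $cert

# Quick mode: ESP with a null cipher = integrity/authentication only, no
# encryption cost. (AH would also do, but ESP-null survives NAT and AH does not.)
$qm  = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256 -Encryption None
$qms = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP-null SHA256' -Proposal $qm

# The rule itself: ask every peer to authenticate but carry on in clear text if
# it cannot (otherwise no Internet); refuse unauthenticated inbound traffic.
New-NetIPsecRule -DisplayName 'Authenticate: request outbound, require inbound' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $p1.Name -QuickModeCryptoSet $qms.Name `
    -Protocol Any -Profile Any

# Verify: which peers actually negotiated, and with what.
Get-NetIPsecRule -DisplayName 'Authenticate: request outbound, require inbound' | Format-List DisplayName, InboundSecurity, OutboundSecurity, Enabled
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
```

      Test this on one machine first: with InboundSecurity set to Require, anything that is neither domain-joined nor holding a certificate from that CA (printers, a colleague’s laptop, a remote-support tool) will get no reply at all, which is the point, but it should be a decision rather than a surprise.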

      That’s all for now, but I hope you follow me on Twitter for updates on how my experiment is going, and start being proactive instead of reactive when it comes to the security of your environment!

      Sami Laiho is one of the world’s leading Windows OS professionals. A Microsoft MVP (Windows Expert – IT Pro) and member of the Springboard Series Technical Expert Panel (STEP), Sami has been working with and teaching troubleshooting, management, and security for more than 15 years. His session was evaluated as the best session, and Sami as the best speaker, at TechEd North America 2014 and TechEd Australia 2013. Sami’s session at TechEd Europe 2013 was also rated the best session by an external speaker. Sami is globally known as the creator of a free Windows SteadyState replacement called Wioski and a one-time admin password creator called Adminizer. You can follow him on Twitter @samilaiho or visit his website at