Win-Fu Official Blog, by Sami Laiho (http://www.blogger.com/profile/16288541861736043371). Feed last updated 2024-03-05.
<p><b>Glory to Ukraine!</b> Published 2022-03-02T19:03:00+02:00, updated 2022-03-19T18:00:56+02:00.</p>
<p><span lang="EN-US">Because of the current state of cybersecurity, and to protect <u>company</u> networks in Ukraine, I have decided to publish free, easy-to-implement instructions for protecting Windows environments against an invader. Read the whole thread and, if you find it useful → Retweet!</span></p>
<p class="MsoNormal"><span lang="EN-US">I could tell you to remove end-user admin rights, deploy AppLocker and so on, but in reality those are not done in a matter of days. These instructions are meant to give fast gains and a real-life effect in defending against cyber-attacks.</span></p>
<p class="MsoNormal"><span lang="EN-US">At the end of the day, security is simple. It is more about correct ways of operating, about concepts, than about expensive products. In this thread I go through what I would personally do if I were at war and protections had to be raised to the next level within hours, without disconnecting the systems from the Internet.</span></p>
<p class="MsoNormal"><span lang="EN-US">The instructions are meant to prevent losing your biggest treasure – the Directory Service. A few soldiers might be lost, but the directory service will not be compromised. Companies don’t get on the news by having ransomware on one computer, but by someone controlling the whole infrastructure and holding their operations hostage.</span></p>
<p class="MsoNormal"><span lang="EN-US">These instructions are simple and apply to any company that uses a Directory Service (AD/AAD). They could be better if I took time with each customer and tailored them – but right now I aim to build instructions that work for most, if not all.</span></p>
<p class="MsoNormal"><span lang="EN-US">You can always build something better, but remember that “in security, don’t let perfect be the enemy of good”. Now we need to DEPLOY things FAST so that innocent companies stay safe! There’s no time for “This is only 99% secure” or “There is probably a way around this”.</span></p>
<p class="MsoNormal"><span lang="EN-US">We need to make things BETTER, NOW! We can tweak and harden later, when we have the basics deployed.</span></p>
<p class="MsoNormal"><span lang="EN-US">1. Tier 0 isolation. The holy grail of every attacker is a Domain Admin account. So that DAs can’t be stolen, we block them from being used anywhere other than where they are needed: in practice the policy assigns the “Deny log on …” user rights (locally, through Remote Desktop Services, from the network, as a batch job and as a service) to the Tier 0 groups. Link the following policy to every computer except your DCs. Never link it to the DC OU, or you lock the DAs out of the only place they should work; apply it to one test OU first and keep a break-glass account whose use you monitor.</span></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjMkCtzBzb4yAmhYTrazWTD_yg3eW2-HgSG3XU12x_QnhXKk7joOJW0SQBjbJBJeNa-KHpsegsjcMz-7wtTpy3BqIxf63A4Gza5R5F2Sj5xaJ1DTWbLMWP2x-04oiCtAQ0-ibz1MFyHdd8VVODy1l56V_MKk8iz23nzsol5K9Lo-SjXbZhhRBWyhzI3=s1002" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="589" data-original-width="1002" height="188" src="https://blogger.googleusercontent.com/img/a/AVvXsEjMkCtzBzb4yAmhYTrazWTD_yg3eW2-HgSG3XU12x_QnhXKk7joOJW0SQBjbJBJeNa-KHpsegsjcMz-7wtTpy3BqIxf63A4Gza5R5F2Sj5xaJ1DTWbLMWP2x-04oiCtAQ0-ibz1MFyHdd8VVODy1l56V_MKk8iz23nzsol5K9Lo-SjXbZhhRBWyhzI3=s320" width="320" /></a></div>
<p class="MsoNormal"><span lang="EN-US">Since you can no longer use DA to manage anything but DCs, add the following Restricted Groups setting to the same policy so that members of ComputerAdmins can manage the other computers. Note that the “Members of this group” list replaces the current membership of the local Administrators group on every machine the policy hits (anything not listed is removed), whereas “This group is a member of” only adds ComputerAdmins without touching the existing members.</span></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaXnjq0V1e8-IJJFvCXSzdbqQvaI-q80dahKXEKeURo7P_WJI5MbDmS92L9GR_j0KRpz9VG-avKFeTnKBYh9vqK_5NJir6gAd1BNjYXg9d5kdmtA5y6-92X5DSZTVXrZ2y3StxNcCXZ9v25YkqBTO8MJolYHSZveuxnzan9rLr5BPBu8AjVSAiIAW_/s787/RestrictedGroups.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="459" data-original-width="787" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaXnjq0V1e8-IJJFvCXSzdbqQvaI-q80dahKXEKeURo7P_WJI5MbDmS92L9GR_j0KRpz9VG-avKFeTnKBYh9vqK_5NJir6gAd1BNjYXg9d5kdmtA5y6-92X5DSZTVXrZ2y3StxNcCXZ9v25YkqBTO8MJolYHSZveuxnzan9rLr5BPBu8AjVSAiIAW_/s320/RestrictedGroups.png" width="320" /></a></div>
<p class="MsoNormal"><span lang="EN-US">The same goes for Azure AD: the settings are not identical, but you can achieve the same result. These pics show how I do it with the Intune local user group membership policy, and how I block limited users from accessing the portal. <a href="https://techcommunity.microsoft.com/t5/intune-customer-success/new-settings-available-to-configure-local-user-group-membership/ba-p/3093207">https://techcommunity.microsoft.com/t5/intune-customer-success/new-settings-available-to-configure-local-user-group-membership/ba-p/3093207</a></span></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjRgO_riQxlGXvL_PxtfaKOW5c3YygRJG4Zkr9qh8Qc7ys-rctQ53ePlmUpduS5Mf3mMUsUzhuDvv1LStPvrmpT490vVICkNpEZTH5wVaS51zCx6cbIHQ0EuG8aiy8x0JYO6SqxApwRyEkTb9HNvvjf3kiv1W8dpP3jevSYn5Sc136LNWYUMtQDxAqx=s1920" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1920" height="180" src="https://blogger.googleusercontent.com/img/a/AVvXsEjRgO_riQxlGXvL_PxtfaKOW5c3YygRJG4Zkr9qh8Qc7ys-rctQ53ePlmUpduS5Mf3mMUsUzhuDvv1LStPvrmpT490vVICkNpEZTH5wVaS51zCx6cbIHQ0EuG8aiy8x0JYO6SqxApwRyEkTb9HNvvjf3kiv1W8dpP3jevSYn5Sc136LNWYUMtQDxAqx=s320" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjDiT2rDHlXofc4LHiuPD0-o0UsNKz-xnv-EE7rg69scZoJyzNdLAirzOpJaFsXlckapq7TJf0czJ0VTnfFsgmAS-yHk9SbedWmUDyVgepixk382LgX0tRGGJU6TJ0JRx7NjN4b1-zn-pUTL95mLfuhqDWP8GpxpAvlVA6rV-1TVqtZZ0XucYYo6E82=s994" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="432" data-original-width="994" height="139" src="https://blogger.googleusercontent.com/img/a/AVvXsEjDiT2rDHlXofc4LHiuPD0-o0UsNKz-xnv-EE7rg69scZoJyzNdLAirzOpJaFsXlckapq7TJf0czJ0VTnfFsgmAS-yHk9SbedWmUDyVgepixk382LgX0tRGGJU6TJ0JRx7NjN4b1-zn-pUTL95mLfuhqDWP8GpxpAvlVA6rV-1TVqtZZ0XucYYo6E82=s320" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiBzKQRbBoVfrFpWOSOWe07z5ImGd-lqskNzwecuSNLg9R4GfyInCVX0nfOZODiRyewqamWIFudBLARcfFMR6lvIYcTCnYknCY1IKaHw_ArXEcwmsE19AuhLv9gyQqbIZF9TIexNd8cNQGKFpL_YtNUq6zWKgkjN9R-vDTi6iotxwpmO75yv_xATt9w=s642" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="642" height="240" src="https://blogger.googleusercontent.com/img/a/AVvXsEiBzKQRbBoVfrFpWOSOWe07z5ImGd-lqskNzwecuSNLg9R4GfyInCVX0nfOZODiRyewqamWIFudBLARcfFMR6lvIYcTCnYknCY1IKaHw_ArXEcwmsE19AuhLv9gyQqbIZF9TIexNd8cNQGKFpL_YtNUq6zWKgkjN9R-vDTi6iotxwpmO75yv_xATt9w=s320" width="320" /></a></div>
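<p>To check that the Tier 0 policy and the Restricted Groups setting actually landed on a machine, here is a verification script added by the editor; it is not code from the post. It assumes a single-domain forest (so Enterprise Admins resolves from the same domain SID as Domain Admins), a delegated group named DOMAIN\ComputerAdmins as in the post, and that the policy denies Domain Admins and Enterprise Admins all five logon rights. Run it elevated on a workstation or member server after <code>gpupdate /force</code>, never on a DC.</p>

```powershell
# Added example, not code from the post. Run elevated on a domain-joined workstation or member
# server (never on a DC) after the Tier 0 GPO has applied, to confirm that Tier 0 groups can no
# longer log on here and that local Administrators contains only what Restricted Groups put in it.
# Assumptions not stated in the post: a single-domain forest (Enterprise Admins lives in the same
# domain as Domain Admins) and a delegated group named DOMAIN\ComputerAdmins.

# The five logon types a Tier 0 group must be denied on every non-DC machine.
$DenyRights = @(
    'SeDenyNetworkLogonRight',            # Deny access to this computer from the network
    'SeDenyBatchLogonRight',              # Deny log on as a batch job
    'SeDenyServiceLogonRight',            # Deny log on as a service
    'SeDenyInteractiveLogonRight',        # Deny log on locally
    'SeDenyRemoteInteractiveLogonRight'   # Deny log on through Remote Desktop Services
)

function ConvertTo-Sid([string] $Account) {
    # secedit writes resolvable entries as *S-1-... and unresolved ones as names; normalise to SIDs.
    if ($Account -like 'S-1-*') { return $Account }
    try { ([Security.Principal.NTAccount] $Account).Translate([Security.Principal.SecurityIdentifier]).Value }
    catch { $Account }
}

function Get-DenyLogonRights {
    # secedit is the built-in way to read the *effective* user-rights assignments (local + GPO).
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content -Path $cfg) {
        # e.g.  SeDenyNetworkLogonRight = *S-1-5-21-...-512,*S-1-5-21-...-519
        if ($line -match '^(SeDeny\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { ConvertTo-Sid $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $rights
}

function Test-Tier0Isolation {
    # The domain SID comes from resolving Domain Admins; RID 512 = Domain Admins, 519 = Enterprise Admins.
    $daSid     = ConvertTo-Sid "$env:USERDOMAIN\Domain Admins"
    $domainSid = $daSid -replace '-512$', ''
    $tier0     = [ordered]@{ 'Domain Admins' = $daSid; 'Enterprise Admins' = "$domainSid-519" }

    $effective = Get-DenyLogonRights
    foreach ($right in $DenyRights) {
        foreach ($group in $tier0.Keys) {
            [pscustomobject]@{
                Right  = $right
                Group  = $group
                Denied = @($effective[$right]) -contains $tier0[$group]   # $null when the right has no entries
            }
        }
    }
}

function Test-LocalAdministrators {
    param(
        # What Restricted Groups should have left in place; adjust to your own naming.
        [string[]] $Expected = @("$env:USERDOMAIN\ComputerAdmins", "$env:COMPUTERNAME\Administrator")
    )
    $members = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
    [pscustomobject]@{
        Members    = $members -join ', '
        Unexpected = @($members | Where-Object { $_ -notin $Expected }) -join ', '
    }
}

# Any Denied = False row means the GPO has not applied here (check gpresult /r) or the group is missing.
Test-Tier0Isolation | Format-Table -AutoSize
Test-LocalAdministrators | Format-List
```

<p>If every row reports Denied = True and Unexpected is empty, a stolen DA credential cannot be used on that machine and only ComputerAdmins can administer it. If Get-LocalGroupMember fails on a machine that has orphaned SIDs in the group, <code>net localgroup Administrators</code> shows the same list.</p>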
<p class="MsoNormal"><span lang="EN-US">You can later tweak and split your AD into more tiers, deploy PAWs and so on. Right now, Tier 0 isolation is the one thing you MUST DO NOW!</span></p>
<p class="MsoNormal"><span lang="EN-US">2. Containing PowerShell. PowerShell is used by almost all malware: it runs the attack, takes orders from the attacker and sends your precious information out. So let’s cut that channel by adding outbound firewall rules for the PowerShell executables to the policy, as seen in the pic. The rules match on the program path, so cover powershell.exe and powershell_ise.exe in both System32 and SysWOW64, plus pwsh.exe if PowerShell 7 is installed. Admin scripts that legitimately need the network from these hosts (remoting from your management workstations, scripts that download content) will be blocked too, so exclude those machines or add exceptions for them. This stops the stock PowerShell hosts, not an attacker who loads the PowerShell engine into another process; that is a later-hardening item (AppLocker), not a reason to skip this now.</span></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhXsQNzCaHgVkYR3kyuW1mPIV7lqrvOb763JV_-52ZpmTvSxEgYnkZxYkGLOlINYm6_q4qPGdOPSK4FQPDL7A2wOryRQZ5jN_-1Jo-EkzfvcTz-NO5Mgq7N7SQu4_NGkb7Awhsl8uLYnPJaTDnEZT5xXIUQGn46VmXoqIv4vOnARKuYEnMzsKBcz9nB=s996" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="266" data-original-width="996" height="85" src="https://blogger.googleusercontent.com/img/a/AVvXsEhXsQNzCaHgVkYR3kyuW1mPIV7lqrvOb763JV_-52ZpmTvSxEgYnkZxYkGLOlINYm6_q4qPGdOPSK4FQPDL7A2wOryRQZ5jN_-1Jo-EkzfvcTz-NO5Mgq7N7SQu4_NGkb7Awhsl8uLYnPJaTDnEZT5xXIUQGn46VmXoqIv4vOnARKuYEnMzsKBcz9nB=s320" width="320" /></a></div>
<p class="MsoNormal"><span lang="EN-US">3. UAC settings in order. If you have computers that admins log on to, add this UAC setting to the policy. If you don’t, GREAT: not running as admin already mitigates the large majority of attacks (the often-quoted figure is around 80%)!</span></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj2mbzyzG6RHf5OLdVVWkXeoyc12oTPLLMEvrLhBvsgYt52SmTwCR4pxos7pv__5FrnWAYjjcdpZU3SDv0KDP7xvlohI2q040T-QB-MPd5UPBNvGfNunPKwZ7DuqzsAjLbwG-NHih6PJ8ziYKNpo10OVv7dtl7v0TnpMMF5VENJSTIuidleJgzGCUd7=s722" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="722" data-original-width="589" height="320" src="https://blogger.googleusercontent.com/img/a/AVvXsEj2mbzyzG6RHf5OLdVVWkXeoyc12oTPLLMEvrLhBvsgYt52SmTwCR4pxos7pv__5FrnWAYjjcdpZU3SDv0KDP7xvlohI2q040T-QB-MPd5UPBNvGfNunPKwZ7DuqzsAjLbwG-NHih6PJ8ziYKNpo10OVv7dtl7v0TnpMMF5VENJSTIuidleJgzGCUd7=s320" width="261" /></a></div>
<p class="MsoNormal"><span lang="EN-US">4. Least privilege. If you log on to your computer with an admin account, at home or at work, STOP RIGHT NOW! Your computer will work better, last longer and need fewer reinstallations. Even your SSD will last longer!</span></p>
<p class="MsoNormal"><span lang="EN-US">Create yourself a separate admin account and drop your current one to a limited user. If you have a fingerprint reader, register your index finger for the limited user and your middle finger for the admin. <b>From now on you use your admin finger only when UAC requests elevation, or to wave at Putin!</b></span></p>
<p class="MsoNormal"><span lang="EN-US">5. Start to deploy the Privileged Access Workstation concept. Don’t surf the web or read email on a computer that can take down your network, for example one you use to RDP into your DCs. Later you’ll do it properly with VMs, but for now just operate safely.</span></p>
<p class="MsoNormal"><span lang="EN-US">6. Use MFA everywhere. If you have servers that accept RDP, protect them with, for example, Cisco DUO. Do the same for the computers you use to manage your services. If you don’t need RDP, block it!</span></p>
<p class="MsoNormal"><span lang="EN-US"><b>REMEMBER</b> “In security, don’t let perfect be the enemy of good”. We can tweak, harden and play smart later. Let’s DO THIS NOW!</span></p>
<p class="MsoNormal"><span lang="EN-US">I would recommend everyone to read Mikko Hyppönen’s book “Internet”, but it’s currently encrypted in Elvish: <a href="https://www.wsoy.fi/kirja/mikko-hypponen/internet/9789510464410">https://www.wsoy.fi/kirja/mikko-hypponen/internet/9789510464410</a></span></p>
<div><span style="text-indent: -24px;">I originally wrote this for the Finnish audience, to protect my own country in wartime, but the real aim was to publish it for Ukrainian companies, which I did earlier today. 
Against my usual practice, English was the last language I translated this into. My future content will be in one of these languages; let’s see ;)</span></div>
<div><span style="text-indent: -24px;">Thanks for reading, stay safe – Glory to Ukraine!</span></div>
<p>Posted by Sami Laiho (http://www.blogger.com/profile/16288541861736043371).</p>
<p><b>Kunnia Ukrainalle</b> (Finnish original, translated to English here). Published 2022-03-02T15:59:00+02:00, updated 2022-03-19T18:01:55+02:00.</p>
<p class="MsoNormal"><span lang="EN-US">Because of the changed cyber-security situation, and in the spirit of national defence, I decided to publish the simplest possible instructions for defending a Windows environment against an external attacker. READ THE WHOLE THREAD, and if you think it is useful → Retweet!</span></p>
<p class="MsoNormal"><span lang="EN-US">For all my English followers: normally I would tweet in English, but this is a matter of protecting my own country. I’ll translate ASAP; until then → Google.</span></p>
<p class="MsoNormal"><span lang="EN-US">I could instruct you to remove admin rights, deploy AppLocker and so on, but the fact is that those are not done in a day or two. So here are quick instructions that genuinely matter and take effect immediately against cyber-attacks.</span></p>
<p class="MsoNormal"><span lang="EN-US">In the end, security is simple. It is more about correct ways of working, about concepts, than about expensive products. Below I go through what I would do if I were in a war situation and the level of protection had to be squared in a hurry, without disconnecting the network from the Internet.</span></p>
<p class="MsoNormal"><span lang="EN-US">The instructions are designed to prevent the loss of the entire environment. A couple of soldiers may be lost here, but we stop an outside party from taking over the whole company. Companies don’t end up in the news because one of their users gets ransomware, but because the operations of the whole company can be paralysed.</span></p>
<p class="MsoNormal"><span lang="EN-US">The instructions are simple and help every company that has a directory service (AD/AAD). They can be made better if we do them together, tailored for you – but right now the aim is to write instructions that fit everyone.</span></p>
<p class="MsoNormal"><span lang="EN-US">You can always improve, but remember that in security you must not let perfect be the enemy of good. Now we have to DO these things so that the country’s companies stay safe! There is no time for “This isn’t 100% secure” or “This leaks anyway”.</span></p>
<p class="MsoNormal"><span lang="EN-US">Now we improve what already exists. We can make it more complete once the basic protections are switched on!</span></p>
<p class="MsoNormal"><span lang="EN-US">1. Tier 0 protection. The holy grail of every attack is a Domain Admin account. So that it cannot be stolen, its use is blocked wherever it is not needed. Apply the following policy to all computers except the DCs.</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjl77T0szLa50lMgy1BXEGHvlxmw0WZrH-bVPMJDPhDL5WqLy84ZBn2bu6gPp82KQ255HlDhvV9gikE4QTZeLeZPnT-JuehpvGnVAWGi9fZDATZr6xQAEqvvxFRnVz9JrmUs0c3Sx1vU833MMOocGLNMGcvJ9b2Ww_pKJdCoUKY0JDjuIJZjqHHyI_n=s1002" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="589" data-original-width="1002" height="188" src="https://blogger.googleusercontent.com/img/a/AVvXsEjl77T0szLa50lMgy1BXEGHvlxmw0WZrH-bVPMJDPhDL5WqLy84ZBn2bu6gPp82KQ255HlDhvV9gikE4QTZeLeZPnT-JuehpvGnVAWGi9fZDATZr6xQAEqvvxFRnVz9JrmUs0c3Sx1vU833MMOocGLNMGcvJ9b2Ww_pKJdCoUKY0JDjuIJZjqHHyI_n=s320" width="320" /></a></div><br />
<p class="MsoNormal"><span lang="EN-US">2. Because you can now manage only the DCs with Domain Admin accounts, the following policy setting is added so that from now on a user who belongs to the ComputerAdmins group can manage the other computers.</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbgtzHUXkKsjq8-Z1BeixmN-_fCdAawDRuSj3YNKu1aVCVBoa1vqHSHTLqcJdXMxWk5FitVjjCjJjl_mIQfNQkZ2VtDGV1AyWnOuqWzh-7_fwm64DK406U1QxfzLLde5fkxC8-1oomAyEMumnmQgiVC0Y6CtZYvszhyCU4uNSHgZQ106m17x0rm02w/s787/RestrictedGroups.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="459" data-original-width="787" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbgtzHUXkKsjq8-Z1BeixmN-_fCdAawDRuSj3YNKu1aVCVBoa1vqHSHTLqcJdXMxWk5FitVjjCjJjl_mIQfNQkZ2VtDGV1AyWnOuqWzh-7_fwm64DK406U1QxfzLLde5fkxC8-1oomAyEMumnmQgiVC0Y6CtZYvszhyCU4uNSHgZQ106m17x0rm02w/s320/RestrictedGroups.png" width="320" /></a></div><br />
<p class="MsoNormal"><span lang="EN-US">3. The same in Azure. You can achieve the same thing, in a slightly different way. These pictures give a hint of how I do it in Azure, and the other one shows how to stop users from signing in to the portal. <a href="https://techcommunity.microsoft.com/t5/intune-customer-success/new-settings-available-to-configure-local-user-group-membership/ba-p/3093207">https://techcommunity.microsoft.com/t5/intune-customer-success/new-settings-available-to-configure-local-user-group-membership/ba-p/3093207</a></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgur4wmTMc3cvLHouCVM7UI0Brgd8P08FqjT4D4B-QHVR-RKF53sQQxSMaOgEVaNttw2h_o1a2nLJ6uwnwKmTLZYxaD5ee1rRQCYUyGBKCBU2E_XDbV-97vHcVMSemMUfqz_rPFMExB7s62KhHlk9BKTVt_2_dFlnnML8ornauDtVoKw9_1MVZ33PR5=s1920" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1920" height="180" src="https://blogger.googleusercontent.com/img/a/AVvXsEgur4wmTMc3cvLHouCVM7UI0Brgd8P08FqjT4D4B-QHVR-RKF53sQQxSMaOgEVaNttw2h_o1a2nLJ6uwnwKmTLZYxaD5ee1rRQCYUyGBKCBU2E_XDbV-97vHcVMSemMUfqz_rPFMExB7s62KhHlk9BKTVt_2_dFlnnML8ornauDtVoKw9_1MVZ33PR5=s320" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhKC1nnU4cyeTzNTkom_ghlxvmvPdINgnY_Ru6RhWfuu9eO-qxVGvbQSyYb-Hxs-W_Ph9i4zUIkEJTwZAwDq8fdRXIL2Phq-xXjPmGcdpdGR0YLREHgXH9v3GFTgTxkx78nqQ_iHFdaFYRW-GBDNC3P3el_xLJAwZLV4_DCqiVkUTIHwm_m3uZEjK66=s994" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="432" data-original-width="994" height="139" src="https://blogger.googleusercontent.com/img/a/AVvXsEhKC1nnU4cyeTzNTkom_ghlxvmvPdINgnY_Ru6RhWfuu9eO-qxVGvbQSyYb-Hxs-W_Ph9i4zUIkEJTwZAwDq8fdRXIL2Phq-xXjPmGcdpdGR0YLREHgXH9v3GFTgTxkx78nqQ_iHFdaFYRW-GBDNC3P3el_xLJAwZLV4_DCqiVkUTIHwm_m3uZEjK66=s320" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEjK12K9KD19uOX9XsWfjEjoY8L6faZojIzH6eD3jbePOb9UoNWhCamFkOiI0DeBr0CY6S3Nh3ps2bjJjD0xMr7PmOUNmfGln7m8_vZqB56bhcwKdBa99Ed1ahaRczM3NWocqYB8RXAUPH_cjcsCoj__lJgikIuZqp0rpXxunuCBAnvwWz03TgVYyW2p=s642" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="642" height="240" src="https://blogger.googleusercontent.com/img/a/AVvXsEjK12K9KD19uOX9XsWfjEjoY8L6faZojIzH6eD3jbePOb9UoNWhCamFkOiI0DeBr0CY6S3Nh3ps2bjJjD0xMr7PmOUNmfGln7m8_vZqB56bhcwKdBa99Ed1ahaRczM3NWocqYB8RXAUPH_cjcsCoj__lJgikIuZqp0rpXxunuCBAnvwWz03TgVYyW2p=s320" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><br /></div>
<p class="MsoNormal"><span lang="EN-US">Once these are done, you can later handle this more elegantly and split administration even further, deploy PAWs and so on. Right now, though, protecting the DCs is the important thing!</span></p>
<p class="MsoNormal"><span lang="EN-US">4. Blocking PowerShell’s communication. PowerShell is used in practically every attack: it attacks, fetches commands and sends vital data to the attacker. Let’s stop that by adding outbound firewall rules to the same policy, as in the picture:</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEghawZcaBWhU8oiITIS-r63buZHm9e335MmnksOK3JpmdE6-Ok1GdmaQ75MW6EfhL_5ImW-h4LwbahoUBIc_E4pWsxi7AOYLUYNvKLK5SIWDxA9KrPvaX_cYwoEGqOsI9SmTEi8XgWmC_Hd7GB_-pldE-8N-fcvNwBbPV5MviXiUGcbISHo5OXAq3wD=s996" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="266" data-original-width="996" height="85" src="https://blogger.googleusercontent.com/img/a/AVvXsEghawZcaBWhU8oiITIS-r63buZHm9e335MmnksOK3JpmdE6-Ok1GdmaQ75MW6EfhL_5ImW-h4LwbahoUBIc_E4pWsxi7AOYLUYNvKLK5SIWDxA9KrPvaX_cYwoEGqOsI9SmTEi8XgWmC_Hd7GB_-pldE-8N-fcvNwBbPV5MviXiUGcbISHo5OXAq3wD=s320" width="320" /></a></div>
<p class="MsoNormal"><span lang="EN-US">5. Get the UAC settings in order. If you have computers that someone logs on to with an admin account, add this UAC setting to that policy. If not, great, 80% of attacks don’t work against you!</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjMNWlS3Vv5Be-pz_02sC6HlxwRF0b1Fetrny7lYAiOa3u1e8cl5tTx5gJhflo9SZll8SYajkJsRjloSrGAYmclbMwt1LKiVtwKoCeZKFb0XbwjRzA1JaYHrL8qNhU4dbo1tG_YRY6cIg7rqTlfv0cwkaCGXNR5kMClM1N5XLdf5PnybOJ7HbTLlwGp=s722" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="722" data-original-width="589" height="320" src="https://blogger.googleusercontent.com/img/a/AVvXsEjMNWlS3Vv5Be-pz_02sC6HlxwRF0b1Fetrny7lYAiOa3u1e8cl5tTx5gJhflo9SZll8SYajkJsRjloSrGAYmclbMwt1LKiVtwKoCeZKFb0XbwjRzA1JaYHrL8qNhU4dbo1tG_YRY6cIg7rqTlfv0cwkaCGXNR5kMClM1N5XLdf5PnybOJ7HbTLlwGp=s320" width="261" /></a></div><br />
<p class="MsoNormal"><span lang="EN-US">6. Admin accounts. If you log on to your own computer with an admin account, at home or at work, STOP IT! Your computer will work better, you will reinstall it less often and your SSD will live longer.</span></p>
<p class="MsoNormal"><span lang="EN-US">7. Create a second account for yourself that is an admin, and drop your current one to a standard user. If you have a fingerprint reader, register your index finger for the standard user and your middle finger for the admin user. From now on you use the admin finger only when the UAC prompt asks, or when waving at Putin.</span></p>
<p class="MsoNormal"><span lang="EN-US">8. Move to PAW thinking (Privileged Access Workstation): don’t surf the web from the computers that can bring your company to its knees, for example by opening an RDP connection to a DC. At some point you will do this properly with a virtual machine, but to start with, just operate correctly.</span></p>
<p class="MsoNormal"><span lang="EN-US">9. Enable MFA everywhere. If you have servers with RDP open, protect them with, for example, Cisco DUO. Do the same for the computers you use for administration. If you don’t use RDP, close it.</span></p>
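<p>The outbound PowerShell firewall rules above and the “if you don’t use RDP, close it” advice can both be pushed into the same GPO from PowerShell. The script below is an added example written for this page, not code from the post. It assumes the domain contoso.com, a GPO named Wartime-Baseline already linked to the non-DC OUs, and PowerShell 7 installed under %ProgramFiles%\PowerShell\7 where present; writing to a domain store needs the Group Policy Management tools on the machine you run it from, and <code>-PolicyStore PersistentStore</code> writes the same rules to the local firewall for a test first.</p>

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the post. Puts the outbound block for the PowerShell hosts and an
# inbound block for RDP into a domain GPO with the NetSecurity cmdlets.
# Assumptions: domain contoso.com, a GPO named Wartime-Baseline already linked to the non-DC OUs.
# Pass -PolicyStore PersistentStore to write the same rules to this machine's local firewall first.

param(
    [string] $PolicyStore = 'contoso.com\Wartime-Baseline',
    [string] $RuleGroup   = 'Wartime-Baseline'   # lets the rules be listed or removed together
)

# Firewall rules match on program path, so a rule for System32\powershell.exe alone leaves the
# 32-bit copy, the ISE and PowerShell 7 free to connect.
$PowerShellHosts = @(
    '%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe',
    '%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell_ise.exe',
    '%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe',
    '%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe',
    '%ProgramFiles%\PowerShell\7\pwsh.exe'     # assumed install path; the rule is inert where PS 7 is absent
)

function New-BlockRule {
    param([string] $Name, [string] $DisplayName, [hashtable] $Filter)
    # Re-create an existing rule of the same name so the script can be re-run safely.
    $existing = Get-NetFirewallRule -Name $Name -PolicyStore $PolicyStore -ErrorAction SilentlyContinue
    if ($existing) { $existing | Remove-NetFirewallRule }
    New-NetFirewallRule -Name $Name -DisplayName $DisplayName -Group $RuleGroup -PolicyStore $PolicyStore `
        -Action Block -Profile Any -Enabled True @Filter | Out-Null
}

function Add-PowerShellEgressBlock {
    $n = 0
    foreach ($exe in $PowerShellHosts) {
        $n++
        New-BlockRule -Name "Block-PS-Out-$n" -DisplayName "Block outbound: $exe" `
            -Filter @{ Direction = 'Outbound'; Program = $exe }
    }
}

function Add-RdpIngressBlock {
    # A block rule wins over the built-in "Remote Desktop" allow rules, so this holds even where
    # Remote Desktop is switched on. Do not apply it to hosts that must keep RDP; put MFA in front of those.
    New-BlockRule -Name 'Block-RDP-In-TCP' -DisplayName 'Block inbound RDP (TCP 3389)' `
        -Filter @{ Direction = 'Inbound'; Protocol = 'TCP'; LocalPort = 3389 }
    New-BlockRule -Name 'Block-RDP-In-UDP' -DisplayName 'Block inbound RDP (UDP 3389)' `
        -Filter @{ Direction = 'Inbound'; Protocol = 'UDP'; LocalPort = 3389 }
}

function Get-BaselineRules {
    # Read back what is in the store, joining each rule to its program filter.
    Get-NetFirewallRule -PolicyStore $PolicyStore -Group $RuleGroup | ForEach-Object {
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Direction = $_.Direction
            Action    = $_.Action
            Program   = ($_ | Get-NetFirewallApplicationFilter).Program
        }
    }
}

Add-PowerShellEgressBlock
Add-RdpIngressBlock
Get-BaselineRules | Format-Table -AutoSize
```

<p>Two caveats worth knowing before you link the GPO: the rules key on the executable, so anything else that hosts the PowerShell engine is not covered, and anything legitimate that needs the network from these hosts (remoting from your management workstations, scripts that download content) is blocked too, so keep those machines in an OU the policy does not reach or scope the rules with <code>-RemoteAddress</code>.</p>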
<p class="MsoNormal"><span lang="EN-US">10. And remember: “In security, don’t let perfect be the enemy of good”. Do these now; we can refine and get clever later.</span></p>
<p class="MsoNormal"><span lang="EN-US">11. On top of these, read Mikko Hyppönen’s book “Internet”: <a href="https://www.wsoy.fi/kirja/mikko-hypponen/internet/9789510464410">https://www.wsoy.fi/kirja/mikko-hypponen/internet/9789510464410</a></span></p>
<p class="MsoNormal"><span lang="EN-US">12. I will next have these translated into Ukrainian, then publish them in English as well. Thank you.</span></p>
<p>Posted by Sami Laiho (http://www.blogger.com/profile/16288541861736043371).</p>
<p><b>Glory to Ukraine</b> (Ukrainian original, translated to English here). Published 2022-03-02T15:49:00+02:00, updated 2022-03-19T18:02:37+02:00.</p>
<p style="margin: 0cm;"><span style="color: black;">Because of the current state of cybersecurity, and to protect CORPORATE networks in Ukraine, I have decided to publish simple and free instructions for protecting Windows environments from attackers. Read the whole thread and, if you find it useful, retweet it!</span></p>
<p style="margin: 0cm;"><span style="color: black;">I could say that you should remove end users’ administrator rights, set up AppLocker and so on, but that is not done in a few days. So these instructions are meant to give a fast and real protective effect against cyber-attacks.</span></p>
<p style="margin: 0cm;"><span style="color: black;">Security can be simple. It is more about correct ways of working and concepts than about expensive products. In this thread I will describe what I personally would do if I were working in wartime conditions and protection had to be improved within a few hours without disconnecting the systems from the Internet.</span></p>
<p style="margin: 0cm;"><span style="color: black;">The instructions are meant to prevent the loss of your greatest treasure, the Directory Service. Losses are possible, but the DS will not be compromised. Companies get into the news not because one computer has ransomware, but because someone controls the whole infrastructure.</span></p>
<p style="margin: 0cm;"><span style="color: black;">These instructions are simple and can be applied to any company that uses a DS (AD/AAD). They could be better if they were tailored to a specific client, but I want to create instructions that will work for most, if not all.</span></p>
<p style="margin: 0cm;"><span style="color: black;">You can always do better, but
remember that "in security, perfect is the enemy of good". So we need to SET
things UP FAST so that innocent companies stay protected. </span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin: 0cm;"><span style="color: black;">There is no time for "It is only
99% secure" or "There is probably a way around it". We need to do BETTER, and NOW!
We can improve later, once we have the basics deployed!</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin: 0cm;"><span style="color: black;">1. Tier0 isolation. The Holy
Grail of every attacker is a Domain Admin account. So that DAs cannot be stolen,
we block their use anywhere except where they are needed. Apply this rule on all
computers except your Domain Controller.</span></p><p style="margin: 0cm;"><span style="color: black;"><br /></span></p><p style="margin: 0cm;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjzBpF-ILFo0RD31QALn9gB3k6DmHUHIung6UzNfJGc6OKWgijagenJXpDCDJUFX7e1pL9XP67z2WF7opOpVkSDYlWRCTUE45mCjlveVIdn3mXBvdi_TqHOkscsLjDL1iNQ1VUs7MAEzosTsQcN2iiYVN0IFdDkKrUpbPT_LObJQUhBRVds_BxzhfaK=s1002" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="589" data-original-width="1002" height="188" src="https://blogger.googleusercontent.com/img/a/AVvXsEjzBpF-ILFo0RD31QALn9gB3k6DmHUHIung6UzNfJGc6OKWgijagenJXpDCDJUFX7e1pL9XP67z2WF7opOpVkSDYlWRCTUE45mCjlveVIdn3mXBvdi_TqHOkscsLjDL1iNQ1VUs7MAEzosTsQcN2iiYVN0IFdDkKrUpbPT_LObJQUhBRVds_BxzhfaK=s320" width="320" /></a></div><br /><span style="color: black;"><br /></span><p></p>
<p style="margin: 0cm; vertical-align: baseline;"><span style="color: black;"><o:p> </o:p></span></p>
<p style="margin: 0cm;"><span style="color: black;">2. Since you can use DA only
to manage DCs, you need to add the following setting to the policy so that
members of ComputerAdmins can manage the other computers.</span></p><p style="margin: 0cm;"><span style="color: black;"><br /></span></p><p style="margin: 0cm;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1LbVyDZ4qoI4ACWDgBIN1zJ5x2x75b6JnmAcQptiZW22MwnNfYSbGld_VyJhhdT9xcKahQO4mrLmAJlp9h_D1E-B2KzLVIRIwKnqO3u4SxyO3eVpliYm0TOe7F_ib3HpdVb9eF8eH2zD_gkTXq6XN38ussl8vC5vBg0K9Ohd6kZ5pO_kIQMbhCHs3/s787/RestrictedGroups.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="459" data-original-width="787" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1LbVyDZ4qoI4ACWDgBIN1zJ5x2x75b6JnmAcQptiZW22MwnNfYSbGld_VyJhhdT9xcKahQO4mrLmAJlp9h_D1E-B2KzLVIRIwKnqO3u4SxyO3eVpliYm0TOe7F_ib3HpdVb9eF8eH2zD_gkTXq6XN38ussl8vC5vBg0K9Ohd6kZ5pO_kIQMbhCHs3/s320/RestrictedGroups.png" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><br /></div>
<p style="margin: 0cm;"><span style="color: black;">3. The same for Azure. You can
do it similarly, even though the settings differ a little. These screenshots
show how I do it and how I block restricted users from accessing the
portal.</span><o:p></o:p></p>
<p style="margin: 0cm;"><a href="https://techcommunity.microsoft.com/t5/intune-customer-success/new-settings-available-to-configure-local-user-group-membership/ba-p/3093207">https://techcommunity.microsoft.com/t5/intune-customer-success/new-settings-available-to-configure-local-user-group-membership/ba-p/3093207</a><o:p></o:p></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhh0dUEAovRGRwoc1oocrShZF9K_zBowFk09lbUOIIQsiq0diE5gPOIBYOxj-ekmjKqzh7KEdlDYP2suhn1GDdjCs3A4pAN4ZRBEhkHHCwrAI2eZSqPG938o4QW-vJklkgTZzun-UvUzuS7d7bYqS-ItBrmx0RgG06H9iq3OyUFXvZGphVekW47Xnab=s1920" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1920" height="180" src="https://blogger.googleusercontent.com/img/a/AVvXsEhh0dUEAovRGRwoc1oocrShZF9K_zBowFk09lbUOIIQsiq0diE5gPOIBYOxj-ekmjKqzh7KEdlDYP2suhn1GDdjCs3A4pAN4ZRBEhkHHCwrAI2eZSqPG938o4QW-vJklkgTZzun-UvUzuS7d7bYqS-ItBrmx0RgG06H9iq3OyUFXvZGphVekW47Xnab=s320" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjQ7Vrsmzpa_zfPvernGG-Fx-1IHji-0Ub3-wxekTVY8loFpdGoQPbAvZ4sqMsCwcd1jIkZP9fphHbYD4icxMwcqMO0SrgYyY98boFXLa0wSHA6lMNHNwxnd_GHWTVSeDEDuwXknOG08cXd6d8Vo7ufljERUe5RRV4jdp2kusCRXx1YHIIL7BnXK8GS=s994" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="432" data-original-width="994" height="139" src="https://blogger.googleusercontent.com/img/a/AVvXsEjQ7Vrsmzpa_zfPvernGG-Fx-1IHji-0Ub3-wxekTVY8loFpdGoQPbAvZ4sqMsCwcd1jIkZP9fphHbYD4icxMwcqMO0SrgYyY98boFXLa0wSHA6lMNHNwxnd_GHWTVSeDEDuwXknOG08cXd6d8Vo7ufljERUe5RRV4jdp2kusCRXx1YHIIL7BnXK8GS=s320" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiwprVChKWEunivg5lsAUGB6TQaRQT7FdoKBoWqVH07_acikOe0sTWQD3AhY01YlU6-csKy8WpczsnPQ4X4-kToUyDh-LpGmqq3jhj_V1cN6csS_QEivYjbcWBUG6iJIYTXat4BEVifX4A1VTNfsraJZ2647AO9hrBvZEPQ8V4opkrcE7njCippt1T-=s642" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="642" height="240" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEiwprVChKWEunivg5lsAUGB6TQaRQT7FdoKBoWqVH07_acikOe0sTWQD3AhY01YlU6-csKy8WpczsnPQ4X4-kToUyDh-LpGmqq3jhj_V1cN6csS_QEivYjbcWBUG6iJIYTXat4BEVifX4A1VTNfsraJZ2647AO9hrBvZEPQ8V4opkrcE7njCippt1T-=s320" width="320" /></a></div><br /><p class="MsoNormal"><br /></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin: 0cm;"><span style="color: black;">4. Later you can refine this and
split AD into more tiers, deploy PAWs, and so on. But right now Tier0 isolation
is what you MUST DO RIGHT NOW!</span><o:p></o:p></p>
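<p style="margin: 0cm;">An added example, not part of the original thread: a local check for the Tier0 isolation rule in step 1. It assumes that the policy in the step 1 screenshot assigns the five "Deny ... log on" user rights to Domain Admins on every computer that is not a DC, and it reports which of those rights are missing on the machine it runs on. It needs an elevated session on a domain-joined Windows host and uses only the built-in secedit tool, so it runs on member servers and workstations without RSAT.</p>

```powershell
# Added example (not from the original thread). Assumption: Tier0 isolation
# means Domain Admins carry all five deny-logon user rights on non-DC hosts.
# Run elevated on a domain-joined member computer, never on a DC.

$DenyRights = @(
    'SeDenyNetworkLogonRight',            # Deny access to this computer from the network
    'SeDenyInteractiveLogonRight',        # Deny log on locally
    'SeDenyBatchLogonRight',              # Deny log on as a batch job
    'SeDenyServiceLogonRight',            # Deny log on as a service
    'SeDenyRemoteInteractiveLogonRight'   # Deny log on through Remote Desktop Services
)

# Resolve the Domain Admins SID (RID 512) of the computer's own domain.
$domainAdmins = ([System.Security.Principal.NTAccount]"$env:USERDOMAIN\Domain Admins").
    Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the effective user rights assignment; secedit writes a UTF-16 INI file.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $cfg
Remove-Item -Path $cfg -Force

$missing = foreach ($right in $DenyRights) {
    # Lines look like: SeDenyNetworkLogonRight = *S-1-5-21-...-512,*S-1-5-...
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $sids = @()
    if ($line) {
        $sids = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
    if ($sids -notcontains $domainAdmins) { $right }
}

if ($missing) {
    Write-Warning "Tier0 isolation incomplete on $env:COMPUTERNAME; Domain Admins not denied: $($missing -join ', ')"
} else {
    Write-Output "Tier0 isolation in place on $env:COMPUTERNAME: Domain Admins denied all five logon types."
}
```

<p style="margin: 0cm;">Run it on a handful of member servers and workstations after the GPO has applied (gpupdate /force first); any host that still reports a missing right is one where a Domain Admin logon, and therefore a DA credential in memory, is still possible.</p>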
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin: 0cm;"><span style="color: black;">5. Then PowerShell. PS is used
by almost all malware. It can attack, take orders and send valuable information
to the attacker. So let's block it by adding an Outbound Firewall Rule to the
policy, as shown in the picture:</span></p><p style="margin: 0cm;"><span style="color: black;"><br /></span></p><p style="margin: 0cm;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhZadMDNLeeMkt4t5iDbLXYEPBvyOIB4HupjDS9XbCtLT71ZB3_Z3dzL_2jrPEhexqHQlxVY1Ys-Lp4ZrYdm2ZC1nPQBLA2sKXW6npQrAtUI9sjq8LFVC-_fPuqO14BqcwJo14D0gSoO71cvw_Oe7M_0lTp0dAY7raqDip3iLl44cXgnkLV16aI_Rnl=s996" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="266" data-original-width="996" height="85" src="https://blogger.googleusercontent.com/img/a/AVvXsEhZadMDNLeeMkt4t5iDbLXYEPBvyOIB4HupjDS9XbCtLT71ZB3_Z3dzL_2jrPEhexqHQlxVY1Ys-Lp4ZrYdm2ZC1nPQBLA2sKXW6npQrAtUI9sjq8LFVC-_fPuqO14BqcwJo14D0gSoO71cvw_Oe7M_0lTp0dAY7raqDip3iLl44cXgnkLV16aI_Rnl=s320" width="320" /></a></div><br /><span style="color: black;"><br /></span><p></p>
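<p style="margin: 0cm;">An added example, not taken from the thread or its screenshot: the same outbound block created locally with the NetSecurity cmdlets, so one machine can be tested before the rule is pushed through Group Policy. It assumes the standard install paths for 64-bit and 32-bit Windows PowerShell and for PowerShell 7 (pwsh.exe), and an elevated session on Windows 8 / Server 2012 or later.</p>

```powershell
# Added example (not the GPO from the original thread): local equivalent of the
# step 5 outbound firewall rule. Assumes default install paths; run elevated.

$PowerShellBinaries = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",   # 64-bit
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",   # 32-bit
    "$env:ProgramFiles\PowerShell\7\pwsh.exe"                          # PowerShell 7, if installed
)

foreach ($exe in $PowerShellBinaries) {
    if (-not (Test-Path -Path $exe)) { continue }

    $name = "Block outbound PowerShell ($exe)"
    # Idempotent: a rule with this name already exists, so skip it on re-runs.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }

    New-NetFirewallRule -DisplayName $name `
        -Direction Outbound `
        -Program $exe `
        -Action Block `
        -Profile Any `
        -Enabled True | Out-Null
}

# Verify which program paths are now blocked outbound.
Get-NetFirewallRule -DisplayName "Block outbound PowerShell*" |
    Get-NetFirewallApplicationFilter |
    Select-Object -ExpandProperty Program
```

<p style="margin: 0cm;">Block rules win over allow rules in Windows Firewall, so this also stops legitimate use of PowerShell remoting and module downloads from the host; when the rule goes into a domain policy, the management machines (the DCs and the admin workstations from steps 1 and 9) need to be left out of its scope. It matches on the image path of the process, so it is the fast win the thread asks for, not a replacement for the application whitelisting the author postpones.</p>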
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin: 0cm;"><span style="color: black;">6. UAC settings are next on the
list. If you have computers on which administrators log in, add this UAC
setting to the policy. If you have none, GREAT, you are lowering the
likelihood of 80% of attacks!</span></p><p style="margin: 0cm;"><span style="color: black;"><br /></span></p><p style="margin: 0cm;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgkBOy2u7mZssYUl-HdqJUzaRUhgcGyUPEdmfHCGWG3AqWmRwS6VYhmXQzFoH1KD3j3GqNKg4GVOnyzuMWYGjxQKQTzBfLGn-4RD7mG1ZrtgsYLbc4WGyzNmbfQP_ZL-AYhcp6cDZZzZYw0kPeO_184l4AOX9qlOq3YfkLD6eFQlE38zmEFclMLrjSn=s722" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="722" data-original-width="589" height="320" src="https://blogger.googleusercontent.com/img/a/AVvXsEgkBOy2u7mZssYUl-HdqJUzaRUhgcGyUPEdmfHCGWG3AqWmRwS6VYhmXQzFoH1KD3j3GqNKg4GVOnyzuMWYGjxQKQTzBfLGn-4RD7mG1ZrtgsYLbc4WGyzNmbfQP_ZL-AYhcp6cDZZzZYw0kPeO_184l4AOX9qlOq3YfkLD6eFQlE38zmEFclMLrjSn=s320" width="261" /></a></div><br /><span style="color: black;"><br /></span><p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin: 0cm;"><span style="color: black;">7. The principle of least privilege.
If you log in to your computer with an administrator account, at home or at work,
STOP RIGHT NOW! Your computer will work better, last longer and need fewer
reinstalls. Even your SSD will last longer!</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin: 0cm;"><span style="color: black;">8. Create a separate administrator
account for yourself and turn your current one into a restricted account. If you
have a fingerprint reader, enroll your index finger for the restricted user and
your middle finger for the administrator. <o:p></o:p></span></p>
<p style="margin: 0cm;"><span style="color: black;"><o:p> </o:p></span></p>
<p style="margin: 0cm;"><span style="color: black;">From now on you use the
"admin finger" only when you need admin rights, or to wave at
Putin!<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin: 0cm;"><span style="color: black;">9. Adopt the Privileged Access
Workstation concept. Do not browse the web or read email from a computer that
can destroy your network, such as one that connects over RDP to your DCs. Later
you will do this properly, with virtual machines, but for now let's just work
safely.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin: 0cm;"><span style="color: black;">10. Use MFA everywhere.
If you have servers that support RDP, protect them, for example with
Cisco DUO. Do the same for the computers you use to manage your services.
If you do not need RDP, block it!</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin: 0cm;"><span style="color: black;">11. REMEMBER: "in security,
perfect is the enemy of good". We can improve the settings later. So let's do
the basic steps NOW!</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin: 0cm;"><span style="color: black;">12. I would recommend that everyone
read Mikko Hyppönen's book "Internet", but for now it is encrypted in
Elvish: </span><a href="https://www.wsoy.fi/kirja/mikko-hypponen/internet/9789510464410">https://www.wsoy.fi/kirja/mikko-hypponen/internet/9789510464410</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color: black; font-size: 11pt;">13. This was translated
by @svitlanaExe and @FraktalCyber from my thread in Finnish. Soon I will publish it
in English. Thanks for reading, stay safe!</span><span style="font-size: 11pt;"><o:p></o:p></span></p>
<p style="margin: 0cm;"><span style="color: black;">Glory to Ukraine!</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="background: white; color: #252324; font-family: Merriweather; font-size: 10.5pt;">#UkrainiansWillResist<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="background: white; color: #252324; font-family: Merriweather; font-size: 10.5pt; mso-ansi-language: EN-GB;">#StandWithUkraine<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="background: white; color: #252324; font-family: Merriweather; font-size: 10.5pt; mso-ansi-language: EN-GB;">#StopPutin</span><span lang="EN-GB" style="mso-ansi-language: EN-GB;"><o:p></o:p></span></p>Sami Laihohttp://www.blogger.com/profile/16288541861736043371noreply@blogger.com0tag:blogger.com,1999:blog-1328571454955435883.post-53995643636944951522020-02-18T17:08:00.002+02:002020-05-15T10:00:50.336+03:00Future of my Blog<br />
Hello all my followers!<br />
<br />
I have started blogging on another platform: <a href="https://4sysops.com/archives/author/sami-laiho/"><span style="font-size: large;">https://4sysops.com/archives/author/sami-laiho/</span></a><br />
<br />
<span style="color: red; font-size: large;">PLEASE CHECK IT OUT! :)</span><br />
<br />
There are many reasons for this:<br />
<br />
<br />
<ul>
<li>Better reach and exposure</li>
<li>Requirements of how much I need to blog:</li>
<ul>
<li>More deadlines for me --> More content to you</li>
<li>More structure for my content</li>
</ul>
<li>Better platform for me to do post-post commenting and answering questions</li>
<li>Some income for me for blogging --> More incentive for me to keep producing content for you</li>
</ul>
<div>
I started with the following weekly articles that I hope you find useful:</div>
<div>
<ul>
<li><a href="https://4sysops.com/archives/hacking-admin-rights-on-an-autopilot-installed-windows-device-return-of-the-shift-f10/">https://4sysops.com/archives/hacking-admin-rights-on-an-autopilot-installed-windows-device-return-of-the-shift-f10/</a></li>
<li><a href="https://4sysops.com/archives/how-to-access-a-users-windows-desktop-without-knowing-their-password/">https://4sysops.com/archives/how-to-access-a-users-windows-desktop-without-knowing-their-password/</a></li>
</ul>
<div>
<br /></div>
</div>
<div>
All content is still free to you as before but there will be a lot more of it so I hope you keep following me on the new platform. I will keep writing the newsletter for more personal content and notifications. You can subscribe to my newsletter here: <a href="http://eepurl.com/F-GOj">http://eepurl.com/F-GOj</a></div>
<div>
<br /></div>
<div>
Thanks,</div>
<div>
<br /></div>
<div>
Sami</div>
<div>
<br /></div>
<div>
<br /></div>
Sami Laihohttp://www.blogger.com/profile/16288541861736043371noreply@blogger.com0tag:blogger.com,1999:blog-1328571454955435883.post-42641636290588597582019-11-08T16:18:00.001+02:002019-11-08T16:18:55.607+02:00Viewing file activity on a Remote fileshare without permissions<br />At Ignite 2019 in Orlando I demonstrated how you can view file activity on a remote share with no permissions. This demo is made against a "Home folder share", which normally allows only very limited rights to the share's root and then NO PERMISSIONS for anything under it. In Microsoft's opinion this is not a problem and not a security issue, because I can't see the content of the files but only the file names. I don't agree at all, as the file names, and all metadata whatsoever, are in my opinion "data" as well. The weakness is deep inside the filesystem and you can abuse it with different languages. I will use PowerShell.<br />
<br />
Does this mean that I can read other peoples email as long as I only read the Subject?<br />
<br />
What you need is very simple. Start by downloading this PS Module from this article here: <a href="https://mcpmag.com/articles/2015/09/24/changes-to-a-folder-using-powershell.aspx">https://mcpmag.com/articles/2015/09/24/changes-to-a-folder-using-powershell.aspx</a><br />
<br />
Then load the module and allow it to run; depending on your environment you might need Set-ExecutionPolicy first.<br />
<br />
Run Start-FileSystemWatcher -Path "\\server\yourhomeshare" -Recurse<br />
<br />
Now you can see all file activity, even if you don't have permissions to do so ;)<br />
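An added example, not the module from the mcpmag article: the underlying .NET change-notification API, which that module is assumed to wrap, run against a constructed local temporary folder so the shape of what a watcher receives can be inspected offline, with no share or server involved. The point it makes is the one in the post: a change notification carries only the change type and the name or path of the entry, never its contents, and that is exactly the "metadata" the author argues is data too.<br />

```powershell
# Added example (not from the original post): System.IO.FileSystemWatcher on a
# local temp folder. Activity is generated by this script itself so the demo
# is self-contained; file names below are constructed sample values.

$root = Join-Path $env:TEMP ("fsw-demo-" + [guid]::NewGuid().ToString("N"))
New-Item -ItemType Directory -Path $root | Out-Null

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $root
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]::FileName -bor [System.IO.NotifyFilters]::DirectoryName
$watcher.EnableRaisingEvents = $true

# Subscribe without an -Action block so the events queue in this session and
# can be read back afterwards with Get-Event.
$subscriptions = foreach ($evt in 'Created', 'Renamed', 'Deleted') {
    Register-ObjectEvent -InputObject $watcher -EventName $evt -SourceIdentifier "Fsw$evt"
}

# Constructed activity standing in for other users' work on a share.
$draft = Join-Path $root 'report-draft.docx'
$final = Join-Path $root 'report-final.docx'
New-Item -ItemType File -Path $draft | Out-Null
Rename-Item -Path $draft -NewName 'report-final.docx'
Remove-Item -Path $final
Start-Sleep -Milliseconds 500   # let the notifications arrive

# Everything the watcher knows: a change type and a name (plus OldName on renames).
Get-Event | Where-Object { $_.SourceIdentifier -like 'Fsw*' } | ForEach-Object {
    $ea = $_.SourceEventArgs
    if ($ea.ChangeType -eq 'Renamed') {
        "{0,-8} {1} -> {2}" -f $ea.ChangeType, $ea.OldName, $ea.Name
    } else {
        "{0,-8} {1}" -f $ea.ChangeType, $ea.Name
    }
    Remove-Event -EventIdentifier $_.EventIdentifier
}

# Clean up the subscriptions, the watcher and the temp folder.
foreach ($sub in $subscriptions) { Unregister-Event -SourceIdentifier $sub.Name }
$watcher.Dispose()
Remove-Item -Path $root -Recurse -Force
```

For a defender the useful observation is which side of the boundary the data sits on: NTFS permissions on the files decide who can open them, but the directory change notifications that this API builds on are delivered to whoever can hold the parent directory open, so file-name confidentiality has to be enforced at the share and folder level rather than on the files themselves.<br />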
<br />
Cheers from Orlando,<br />
<br />
Sami<br />
<br />
PS. A lot of credit for helping me find this has to go to Mr. "T" from Finland.Sami Laihohttp://www.blogger.com/profile/16288541861736043371noreply@blogger.com0tag:blogger.com,1999:blog-1328571454955435883.post-20642420406034152472018-04-28T10:50:00.000+03:002018-04-28T10:50:21.589+03:00TechMentor 2018 Redmond - Better price with my chairman's code!<br />
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm;">
<span lang="EN-US" style="mso-ansi-language: EN-US;">I’ll be speaking at
TechMentor, August 6-10 at Microsoft HQ in Redmond. Surrounded by your fellow
IT professionals, TechMentor provides you with in-depth, immediately usable
training that will keep you relevant in the workforce.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm;">
<br /></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm;">
<span lang="EN-US" style="mso-ansi-language: EN-US;">I’ll be presenting the
following sessions:<o:p></o:p></span></div>
<ul style="margin-top: 0cm;" type="disc">
<li class="MsoListParagraphCxSpFirst" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm; margin-left: 0cm; mso-add-space: auto; mso-list: l0 level1 lfo1;"><span lang="EN-US" style="mso-ansi-language: EN-US;">M01 - Workshop: How to Prevent
all Ransomware / Malware in 2018 <o:p></o:p></span></li>
<li class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm; margin-left: 0cm; mso-add-space: auto; mso-list: l0 level1 lfo1;"><span lang="EN-US" style="mso-ansi-language: EN-US;">W02
- Troubleshooting Sysinternals Tools 2018 Edition <o:p></o:p></span></li>
<li class="MsoListParagraphCxSpLast" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm; margin-left: 0cm; mso-add-space: auto; mso-list: l0 level1 lfo1;"><span lang="EN-US" style="mso-ansi-language: EN-US;">W10 - Deploying Application
Whitelisting on Windows Pro or Enterprise<o:p></o:p></span></li>
</ul>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm;">
<br /></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm;">
<span lang="EN-US" style="mso-ansi-language: EN-US;">SPECIAL OFFER: As a
speaker/chair, I can extend $500 savings on the 5-day package. Register here: <b><span style="color: red;"><a href="http://bit.ly/RDSPK12_reg">http://bit.ly/RDSPK12_reg</a><o:p></o:p></span></b></span></div>
<br />Sami Laihohttp://www.blogger.com/profile/16288541861736043371noreply@blogger.com0tag:blogger.com,1999:blog-1328571454955435883.post-24854160554575576922017-08-22T17:55:00.000+03:002017-08-22T17:55:22.537+03:00Stored passwords found all over the place after installing Windows in company networks :(Hi everyone!<br />
<br />
It's been a while as I had a nice summer and a busy Techmentor conference after my holiday, and hence I haven't really had the chance to blog :/<br />
<br />
Now many of you have seen me point out how hacking into company computers is many times a lot easier than banging on every door with Kali Linux and an armada of different exploits. I'm what I call a conceptual hacker more than a shooting hacker. I like to use deep knowledge of the OS for my benefit and try to find weaknesses based on that. And... I also luckily know a lot of smart people, and networking is your core skill for all matters IT.<br />
<br />
When I start to look into an environment one of the first things is to PXE boot a machine and hunt for MDT etc. that store passwords in all the wrong places. Now MS has gotten better on this and you know that they remove those quite well... I'll take that back... Not that well it seems.<br />
<br />
A good friend of mine and a fellow MVP, Mikko Järvinen (@mikko_jarvinen) sent me a great summary of so many passwords stored in so many wrong places :) Most installation systems should use an account that is just a limited account with delegated privileges to join computers to a domain etc. BUT... We've all seen it, many just put in the Domain Admin accounts and passwords.<br />
<br />
Here is Mikko's quote:<br />
<br />
<span style="font-family: "Times New Roman",serif; font-size: 10.0pt; mso-ansi-language: FI; mso-bidi-language: AR-SA; mso-fareast-font-family: Calibri; mso-fareast-language: FI;"><i>I discovered that username, domain and password of the
user account used in installation of Windows from <b>Windows Deployment Server</b>
will be left on the disk after Windows installation is finished and are
readable by any user.<br />
<br />
In Windows PE phase, Windows Setup creates a file "setupinfo" in
"X:\Windows\Panther" (X: is the WinPE RAM disk). The username,
password and domain of the user account which has authenticated to the Windows
Setup (WDS mode) will be written in to this file in a readable format
immediately after authentication. The information can be easily found by
searching the following strings inside "setupinfo":<br />
<br />
C r e d U s e r <br />
C r e d D o m a i n <br />
C r e d P a s s w o r d <br />
<br />
After Windows installation has restarted from Windows PE to the Windows itself
there is a new "setupinfo" file in "%systemroot%\Panther"
folder, but there is also the original WinPE-phase "setupinfo" file
which has been renamed to "setupinfo.bak". It is fully accessible and
still contains username, domain and password information.</i>
<!--[if !supportLineBreakNewLine]--><br />
<!--[endif]--></span><br />
We know that MS cleans things like Unattend.xml to say <span style="font-family: "Times New Roman", serif; font-size: 10pt;">*SENSITIVE*DATA*DELETED* </span>so why don't they just do this all the way and clear these out as well... :(<br />
<br />
There's a fix for this: just add a deletion of that file to setupcomplete.cmd, for example, and for previously installed machines you could add a GPP like Mikko shows here:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhigtlXVXFk4xtNAEhyz5FckxG1c38TQk1uThEve1ZpmjWd8xY0DNjquXKM37Ha2egrfBjPuZ1ODF3LtScVmaFNwZW4XU3eDL_EgDU9017mk-CvboVjbofGd2ZNxihTkGd2frFni2eiblA/s1600/Mikko.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="483" data-original-width="532" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhigtlXVXFk4xtNAEhyz5FckxG1c38TQk1uThEve1ZpmjWd8xY0DNjquXKM37Ha2egrfBjPuZ1ODF3LtScVmaFNwZW4XU3eDL_EgDU9017mk-CvboVjbofGd2ZNxihTkGd2frFni2eiblA/s320/Mikko.png" width="320" /></a></div>
<br />
This was for WDS, but many use MDT instead and just the WDS engine to PXE boot. Mikko also asked me to remind you about something that I've used as well: MDT also saves the credentials in <span style="color: #1f497d; font-size: 11pt;"><span style="font-family: inherit;">C:\MININT\SMSOSD\OSDLOGS\VARIABLES.DAT</span></span>, although not in clear text but Base64-encoded. Well, that's sadly easy to decode, so if you lose that file the password is bye-bye, captured by the enemy.<br />
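An added example, neither Sami's nor Mikko's code: a cleanup script for the leftovers the post describes, usable from setupcomplete.cmd at the end of a WDS or MDT installation (call it with powershell.exe -ExecutionPolicy Bypass -File) or, for machines installed earlier, from a scheduled task or a GPO startup script instead of the GPP shown in the screenshot. The paths are the ones named in the post; the detection looks only for the field names "CredUser", "CredDomain" and "CredPassword", decoded from the UTF-16 that makes them appear as "C r e d U s e r" in a plain-text search, and never reads or displays the values.<br />

```powershell
# Added example (not from the original post). Removes the setup files that
# the post reports as carrying deployment credentials. Run elevated.

$Leftovers = @(
    "$env:SystemRoot\Panther\setupinfo",          # current file, kept unless it carries the fields
    "$env:SystemRoot\Panther\setupinfo.bak",      # WinPE-phase copy, always removed
    "C:\MININT\SMSOSD\OSDLOGS\VARIABLES.DAT"      # MDT variables (Base64), always removed
)

function Test-ContainsCredentialMarker {
    param([Parameter(Mandatory)][string]$Path)
    # setupinfo stores its strings as UTF-16LE; decode as Unicode and match the
    # field names only. The credential values are neither captured nor printed.
    $text = [System.IO.File]::ReadAllText($Path, [System.Text.Encoding]::Unicode)
    return ($text -match 'CredUser|CredDomain|CredPassword')
}

foreach ($file in $Leftovers) {
    if (-not (Test-Path -LiteralPath $file)) { continue }

    $hasMarker = $false
    if ($file -like '*\Panther\setupinfo*') {
        $hasMarker = Test-ContainsCredentialMarker -Path $file
    }

    # The live setupinfo is useful for setup troubleshooting; only drop it when
    # it actually contains the WDS credential fields.
    if ($file -like '*\Panther\setupinfo' -and -not $hasMarker) {
        Write-Output "Keeping $file (no credential fields found)"
        continue
    }

    $why = if ($hasMarker) { ' (credential fields present)' } else { '' }
    Write-Output "Removing $file$why"
    Remove-Item -LiteralPath $file -Force
}
```

The deletion only limits how long the secret stays on disk; the account whose password was written there should still be treated as exposed on every machine that was installed before the cleanup ran, which is the reason the post's closing advice about a delegated, least-privilege join account matters more than the cleanup itself.<br />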
<br />
These were all reported to Microsoft, but as they require physical access Microsoft doesn't really bother to fix them, as these break the immutable laws of security anyway. The truth at the end of the day is still that in many networks these allow an easy-to-achieve privilege elevation attack, so I would strongly encourage you to make sure you are not affected and that the user accounts used in installation don't have more than the bare minimum privileges.<br />
<br />
Cheers,<br />
<br />
SamiSami Laihohttp://www.blogger.com/profile/16288541861736043371noreply@blogger.com5tag:blogger.com,1999:blog-1328571454955435883.post-92086714728793864532017-04-18T15:22:00.003+03:002017-04-19T17:22:59.786+03:00Is Group Policy Gonna Die? Do I have to use MDM in the Future? Interview with Jeremy MoskowitzHi everyone!<br />
<br />
I believe most of my followers are wondering if Group Policy is going to be replaced by MDM or not. I am too, and I have my own opinions on this which I am not afraid to share. In my last newsletter (<a href="http://eepurl.com/cJ2pqL">link</a>) I touched on this topic a bit. I was honored to have Mr. Group Policy - Jeremy Moskowitz - himself contacting me and giving me his opinions on this. As he must know this better than most on this planet, I asked him if he would do an interview on this topic. Oh boy was I happy when he said "Yes!"<br />
<br />
<div style="margin: 0px 0px 13px;">
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>Full Disclosure: Jeremy Moskowitz is a
personal friend of mine, a 14-year Group Policy MVP and heck of an awesome guy.
He teaches THE WORLD’S BEST Group Policy training (with MDM tips and tricks
too!). He also runs PolicyPak software, which plugs into Group Policy/SCCM/MDM while
doing amazing things. And because there is no way to shy away from it, I gave
him permission to mention PolicyPak in this interview. </i></span></span></div>
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>If you’re interested in his training and/or
some insanely great Windows 10 management software, check out </i></span><a href="http://www.gpanswers.com/"><span style="color: blue; font-family: "calibri";"><i>www.GPanswers.com</i></span></a><span style="font-family: "calibri";"><i> and </i></span><a href="http://www.policypak.com/"><span style="color: blue; font-family: "calibri";"><i>www.PolicyPak.com</i></span></a><span style="font-family: "calibri";"><i>.</i></span></span></div>
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>Now, on with the interview . . . </i></span></span></div>
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<span lang="EN-US" style="margin: 0px;"><span style="color: #444444; font-family: "calibri";"><i><b>Q: What is MDM, and how is it different
than traditional in-the-box management (Group Policy and SCCM)?</b></i></span></span></div>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>A: MDM stands for Mobile Device Management.
It’s a new built-in agent-like “receiver,” similar to other agent-like
“receivers” in Windows such as Group Policy, PowerShell, and RemoteRM, not to
mention other “receivers” you might add on after the fact—SCCM, Altiris, or a
zillion others. </i></span></span><br />
<div style="margin: 0px 0px 13px;">
<br />
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>MDM support actually started with Windows
8.1 but really wasn’t “ready” until Windows 10. </i></span></span><br />
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i><br /></i></span></span>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>MDM requires a third-party server to be
available to give MDM directives (policies) to endpoints; this occurs over XML
using a thing called the “OMA-DM protocol.” The most popular MDM servers are
Windows Intune, VMware Airwatch, and MobileIron. Plus, there are dozens more.</i></span></span><br />
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>What’s special about MDM is that the
protocol and “receiver” can work across a multitude of devices like iPhones,
Androids, and Windows 10. </i></span></span><br />
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i><br /></i></span></span>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>So the dream is “make one policy and apply
it everywhere.” Then boom, you’re done!</i></span></span></div>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>It’s a nice dream, but it still has a ways
to go. </i></span></span><br />
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<br /></div>
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i><b>Q: How do you feel about MDM in general?</b></i></span></span><span style="color: #444444;"><br /></span></div>
<div style="margin: 0px 0px 13px;">
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>A: I’m glad you asked that question. Sometimes
people secretly ask me, “Hey, Jeremy, as one of the Group Policy MVPs, do you secretly
hate MDM?” I tell them, “No, I don’t hate MDM; it’s not ‘hate-able.’” </i></span><span style="margin: 0px;"><span style="font-family: "calibri";"><i> </i></span></span><span style="font-family: "calibri";"><i>In fact, MDM does a reasonable job in one key
scenario: enabling users to </i></span><span style="font-family: "calibri";"><i>bring</i></span><span style="font-family: "calibri";"><i> or </i></span><span style="font-family: "calibri";"><i>choose</i></span><span style="font-family: "calibri";"><i> their own device when the IT
admin doesn’t care how the machine ends up configured.</i></span></span></div>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>Actually, this is not only my opinion, but
also Microsoft's official opinion. They've articulated MDM's strengths in this
(recently updated) article about their modern management thinking:</i></span></span><br />
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i><a href="https://technet.microsoft.com/itpro/windows/manage/manage-windows-10-in-your-organization-modern-management">https://technet.microsoft.com/itpro/windows/manage/manage-windows-10-in-your-organization-modern-management</a></i></span></span></b></div>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>Microsoft calls the new MDM way “modern
management.” Who knows, maybe you’ll decide to trade in Group Policy for MDM to
be more modern.</i></span></span><br />
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>That sounds pretty cool, but, okay, here’s
my analogy.</i></span></span></div>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>Let’s say you want to save money and trade
in your old gasoline car (Group Policy) for a more efficient scooter (MDM). Great!
On the plus side, you’ll have less payment of overhead (scooter insurance vs.
car insurance), and there’ll be less to go wrong (a scooter is far simpler than
a car.)</i></span></span><br />
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>But after you do your trade-in, there are
tradeoffs. As such, with your scooter, you’re not allowed to complain about not
having enough horsepower or getting caught in the rain with no protection. </i></span></span></div>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>Remember, the scooter ISN’T meant to have a
lot of horsepower or keep you out of the rain. The car is. On the other hand, the
car isn’t meant to be a nimble, lightweight machine to navigate twisty
sidewalks. The scooter is.</i></span><span style="margin: 0px;"><span style="font-family: "calibri";"><i> </i></span></span><span style="font-family: "calibri";"><i>Oh, and neither
a scooter (MDM) nor a car (Group Policy) is meant to do complex tasks or take you
to the battlefield like a tank (SCCM) would.</i></span><span style="margin: 0px;"><span style="font-family: "calibri";"><i>
</i></span></span><span style="font-family: "calibri";"><i>These are simply different tools for different scenarios. </i></span></span><br />
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>So if you trade in your car or tank for a
scooter, you will likely save money. But there is a hidden cost: you (the
admin) cannot care how the machine is configured or managed. In the MDM world,
we call this “intent.” That is, you have to give up knowing what is happening
end to end from a configuration perspective. Yes, there is some logging when
MDM settings are actually applied, but it’s not a slam dunk to configure or
troubleshoot.</i></span></span></div>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>As a company, and as an IT team, you have
to decide if you want your Windows unmanaged (nothing at all), lightly managed
(with MDM), managed (with Group Policy), and/or fully managed (with SCCM and/or
SCCM alternatives). Each has pros and cons with different costs as well as
security implications and pitfalls.</i></span></span><br />
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i><br /></i></span></span>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>And, for the record, I own two cars and one
scooter. (And zero tanks.)</i></span></span><br />
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<br /></div>
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<span lang="EN-US" style="margin: 0px;"><span style="color: #444444; font-family: "calibri";"><i><b>Q: How do you see the future when it comes
to GP vs MDM? On servers or clients?</b></i></span></span><span style="color: #444444;"><br /></span></div>
<div style="margin: 0px 0px 13px;">
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>A: I think you can think of Group Policy
and MDM as you would IPv4 and IPv6.</i></span></span></div>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>Some people will have an immediate need for
the new thing. Others will have no need at all. And others will have some mixed
need. </i></span></span><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>If clients are domain joined, Group Policy
is going to be able to manage them. On this matter, Microsoft has been pretty
clear: if they enable a new setting (say for Microsoft Edge or a security
setting), Microsoft will encourage the team in charge of the setting to light
it for use with the Group Policy channel and the MDM channel at the same time. Sometimes
(and usually), the teams will do it correctly. Sometimes, there is some lag. I
know, Sami, that you found an interesting setting that would fix a security
hole, and the fix was ONLY MDM enabled. But with Windows 10, 1703 edition, they
did what they said they were going to do, and they backported that setting to Group
Policy. </i></span></span><br />
<i><br /></i><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>So to me, Microsoft is basically keeping
their promise: when they make a new setting, they will Group Policy-enable and
MDM-enable those new settings. </i></span></span><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>It’s a good strategy, and it is one I
really agree with.</i></span></span><br />
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i><br /></i></span></span>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>Servers will either be domain joined or
they won’t be. And they can either be “traditional” servers or Nano server.
Nano has no Group Policy support. (See my take on this below.) For traditional
servers, Group Policy will continue to work as expected if you want them to, or
you can leverage DSC. (This is also explained below.)</i></span></span><br />
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<br /></div>
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i><b>Q: Is Microsoft going to give up on Group
Policy?</b></i></span></span></div>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>A: I think this is the key question on
people’s mind, and I have a pretty direct answer: Microsoft is not giving up on
(also known as deprecating) Group Policy. They simply aren’t.</i></span></span><br />
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>In order for Microsoft to give up on Group
Policy, Microsoft has to first give up on the idea of on-prem domain controllers
AND the idea of domain-joined machines—not just one idea but both.</i></span></span><br />
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i><br /></i></span></span>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>When there are no more on-prem domain controllers,
and IT admins start to say, “I won’t domain join a machine again!” only then
can Microsoft think about giving up on Group Policy.</i></span></span><br />
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i><br /></i></span></span>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>But don’t take it from me. Take it from
Jeffrey Snover, who is a technical fellow at Microsoft and the person largely
in charge of Windows as you know it. Here’s one of his tweets I suggest reading:
</i></span><a href="https://twitter.com/jsnover/status/730104387591274496"><span style="color: blue; font-family: "calibri";"><i>https://twitter.com/jsnover/status/730104387591274496</i></span></a><span style="font-family: "calibri";"><i>
</i></span></span><br />
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i><br /></i></span></span>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>With that being said, Group Policy for Nano
is a different story when there is no Group Policy support. To address this
issue, we refer to this tweet </i></span><a href="https://twitter.com/jsnover/status/730008240361103360"><span style="color: blue; font-family: "calibri";"><i>https://twitter.com/jsnover/status/730008240361103360</i></span></a><span style="font-family: "calibri";"><i>,
where Jeffrey Snover explains that on servers (especially Nano server) DSC is
the replacement for Group Policy. </i></span></span><br />
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i><br /></i></span></span>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>I do have one quibble with the current
Group Policy world as it sits though. While the core is stable and not changing
much except for bug fixes and minor updates, there are some areas in Group
Policy Preferences that worked perfectly in Windows 7, but when Windows 8.1
(and later) came around, </i></span><span style="font-family: "calibri";"><i>boom!</i></span><span style="font-family: "calibri";"><i>, they stopped
working. We call this a “breaking change.” The key areas that broke were Group Policy
Preferences File Associations and Group Policy Preferences Start Menu settings.
I’ll mention how these breaking changes can be worked around a bit later.</i></span></span><br />
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<br /></div>
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i><span style="color: #444444;"><b>Q: How do you feel about Nano server not
having the ability to get Group Policy directives at all?</b></span> </i></span></span></div>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>A: After some deep soul searching—about
five minutes—I agreed this was totally the correct decision. Nano doesn't need the
Group Policy engine, and Group Policy isn’t the best for Nano.</i></span></span><br />
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>On the one hand, you could argue, “If we could
use Group Policy everywhere, we (IT admins) would only need to learn one thing,
and it would work everywhere!” </i></span></span><br />
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i><br /></i></span></span>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>Yep, that’s true. But it cannot be that way.</i></span></span><br />
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i><br /></i></span></span>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>But in the same way there are different
programming languages for different types of workloads (VisualBasic vs C++),
there must be different management technologies for the right job (Group Policy
vs. DSC).</i></span></span><br />
<i><br /></i><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>For those who aren’t familiar with DSC, it
stands for Desired State Configuration and is a toolkit built upon PowerShell
to bring new servers (yes, only servers!) into the world very quickly to a
desired end-all configuration. DSC does an amazing job at what it's meant to
do: bring up 1 or 1000 servers and keep them configured. </i></span></span><br />
<i><br /></i><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>Group Policy isn't trying to do that. It is
the best way to manage and provide the end-user experience (look and feel
settings, drive maps, shortcuts, and user-based restrictions to control panel, etc.)
and client-computer security configuration.</i></span></span><br />
<i><br /></i><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>That being said, if you have existing Group
Policy settings, you’ll want to convert into DSCland, where Microsoft has some
PowerShell converter tools. But again, for 100000% clarity, supporting DSC on
clients SHOULD NOT be attempted. DSC is for servers, servers and only servers. </i></span></span><br />
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<br /></div>
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<span lang="EN-US" style="margin: 0px;"><span style="color: #444444; font-family: "calibri";"><i><b>Q: In your opinion, what are the biggest benefits
and drawbacks when it comes to MDM?</b></i></span></span></div>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>A: On the plus side, MDM is interesting
because it's the same protocol (OMA-DM) across operating systems as in Windows,
devices such as Apple and Android, or whatever comes next (wireless
brain-implants?!). This is similar to what Microsoft says about MDM, “It's
great for devices that are constantly on the go” (e.g., phones and tablety
things).</i></span></span><br />
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>But on the flipside, when you say, in MDM, "Force
password policy to be strong," it could have different interpretations on
the final device.</i></span></span><br />
<i><br /></i><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>It's up to the MDM vendor to bring clarity
to each setting and demonstrate on what device it's going to apply as well as what
the ultimate experience is going to be.</i></span></span><br />
<i><br /></i><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>Since MDM implementation is up to each
vendor, there are a variety of items that you might or might not get, such as change
management, reporting, backup/restore/rollback, inventory, and other
things you, your IT team, and managers have become accustomed to.</i></span></span><br />
<i><br /></i><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>By design, MDM isn’t trying to do
EVERYTHING that Group Policy is trying to do. This can lead to a disconnect
when people try an MDM pilot, where they will find that the things they are trying
to do aren’t possible in MDMland. </i></span></span><br />
<i><br /></i><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>In fact, people often ask us about PolicyPak
Cloud AFTER a failed MDM pilot attempt because PolicyPak Cloud can literally
deliver ALL of Group Policy TODAY over the Internet the way IT admins expect it
to—which is expressly NOT a goal of MDM.</i></span></span><br />
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<br /></div>
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<span lang="EN-US" style="margin: 0px;"><span style="color: #444444; font-family: "calibri";"><i><b>Q: I know PolicyPak On-Prem and PolicyPak
Cloud add to what is “in the box” with Group Policy. Have you seen a change in
what people ask for because of Windows 10?</b></i></span></span></div>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>A: First, thanks for the questions about
PolicyPak. Here’s your beer. </i></span></span><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>☺</i></span></span><br />
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>For people who don’t know what PolicyPak
is, we’re an add-on for Windows 7, 8.1, and 10, which improves on the
management of applications, browsers, Java, and operating systems. In other
words, think new Group Policy Preferences items but for 21</i></span><sup><span style="font-family: "calibri"; font-size: x-small;"><i>st</i></span></sup><span style="font-family: "calibri";"><i> century
needs. We have seven components and a zillion demos on our website.</i></span></span></div>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>First thing’s first, PolicyPak’s policies are
agnostic. That is, we work with what IT admins are already using. You can
deliver PolicyPak directives using </i></span></span><br />
<i><br /></i>
<br />
<div style="margin: 0px 0px 0px 48px; text-indent: -18pt;">
<span lang="EN-US" style="margin: 0px;"><span style="margin: 0px;"><span style="font-family: "calibri";"><i>-</i></span><span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;"><i>
</i></span></span></span><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>Group Policy (which is
typically what I show in the demos on the website); </i></span></span><i><br /></i></div>
<div style="margin: 0px 0px 0px 48px; text-indent: -18pt;">
<span lang="EN-US" style="margin: 0px;"><span style="margin: 0px;"><span style="font-family: "calibri";"><i>-</i></span><span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;"><i>
</i></span></span></span><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>SCCM, Altiris, KACE, or similar;</i></span></span><i><br /></i></div>
<div style="margin: 0px 0px 0px 48px; text-indent: -18pt;">
<span lang="EN-US" style="margin: 0px;"><span style="margin: 0px;"><span style="font-family: "calibri";"><i>-</i></span><span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;"><i>
</i></span></span></span><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>Windows Intune, Airwatch, and Mobile
Iron . . . if someone has already decided to use an MDM service; </i></span><span style="margin: 0px;"><span style="font-family: "calibri";"><i> </i></span></span></span><i><br /></i></div>
<div style="margin: 0px 0px 13px 48px; text-indent: -18pt;">
<span lang="EN-US" style="margin: 0px;"><span style="margin: 0px;"><span style="font-family: "calibri";"><i>-</i></span><span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;"><i>
</i></span></span></span><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>Or with PolicyPak Cloud if the
IT team wants no infrastructure at all (or are MSPs).</i></span></span></div>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>Like I said, since Group Policy’s core is staying
the same but isn’t updating some areas of Group Policy Preferences to
accommodate Windows 8.1/10’s changes, then we step in to fix this. </i></span></span><br />
<i><br /></i><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>As such, we’re days away from shipping our
newest component, PolicyPak File Associations Manager, which fixes this problem
thoroughly. And after the summer, we plan to release PolicyPak Start Menu
Manager. We have more surprises, but those are the two I’m ready to talk about
before they ship.</i></span></span><br />
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<br /></div>
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i><b>Q: Like me, you teach a lot of people
around the world. Do you see people using MDM, Intune, and BYOD?</b> </i></span></span></div>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>A: In my classes, when I ask, “Are you
using Intune, Airwatch, MobileIron, . . . or something similar,” on average,
two hands go up every class. Then I ask them, “Are you using it for Phones,
Windows, or both?” Their answer every time is “only phones.”</i></span></span><br />
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>I'm not trying to be a naysayer or bad guy
or "pooh-pooh-er." This is just what I am seeing when I ask the
question. You could argue, "Well, Jeremy, you ARE teaching a Group Policy
class!" Well, actually, my class covers Group Policy and MDM in case people
want information on both.</i></span></span><br />
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i><br /></i></span></span>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>Also, it should be noted that Intune is a
special case and has </i></span><u><span style="font-family: "calibri";"><i>three</i></span></u><span style="font-family: "calibri";"><i> ways it can be used. You can do a straight
MDM join; you can get the SCCM client delivered through it and manage it using
SCCM console; or you can install the “fat” Windows Intune MSI client. Even with
these three different ways to use it, I simply don’t get people who are
actively using it to manage Windows PCs. </i></span></span><br />
<i><br /></i><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>Again, maybe I’m talking to the wrong
population, or maybe I’m somehow in my own self-made bubble and thousands of
happy customers are using it. But they don’t seem to be at my classes or at
special events I do with larger audiences.</i></span></span><br />
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<br /></div>
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<span lang="EN-US" style="margin: 0px;"><span style="color: #444444; font-family: "calibri";"><i><b>Q: So what is the future of MDM and Group
Policy?</b></i></span></span></div>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>A: I cannot be sure of MDM, but I can be
sure of Group Policy.</i></span></span><br />
<div style="margin: 0px 0px 13px;">
<br />
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>By which, I mean Group Policy is a known
entity, which likely won’t change much more. This is both a pro and a con. It’s
a pro because it means it’s not constantly changing under your feet, requiring
you to learn a new thing every 6-10 months or guess where the wind is going to blow.
It’s a con because Microsoft knows about the rough edges in Group Policy/Group
Policy Preferences and likely won’t fix them. But that’s okay too. Because for
every rough edge I know about in Group Policy, we’re going</i></span><span style="margin: 0px;"><span style="font-family: "calibri";"><i> </i></span></span><span style="font-family: "calibri";"><i>to smooth it out using PolicyPak. And,
technically, other companies are welcome to do this too. Group Policy is and
was very extensible from day one. MDM actually isn’t extensible today at all.
If Microsoft doesn’t make and then ship the moving part (called the CSP), then
there’s simply no way to do it using MDM. That could change in the future. But
right now, what Microsoft ships is all that you get.</i></span></span></div>
<span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>MDM, however, is a moving target. Because
it’s getting active development, it’s hard to know where it might go. Again,
the stated goal is NOT to bring over the Group Policy “baggage” from the past,
yet when you ask IT admins what they want in modern management, they actually tend
to explain scenarios and settings that are almost exactly like what we already
have with on-prem Group Policy.</i></span></span><br />
<i><br /></i><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>Maybe it’s because that’s what they already
know; or maybe it’s because that management style works, or maybe some other
reason.</i></span></span><br />
<i><br /></i><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>In Windows 10, 1703 (Creators Update), they
enabled a lot more policy settings in MDMland. But it’s still only a few
hundred. </i></span></span><br />
<i><br /></i><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>Again, if that’s all you need, then MDM is
a fine choice. But if admins really want full control of the device, then
I don’t think MDM can dislodge Group Policy’s place in the IT world in the
foreseeable future. </i></span></span><br />
<i><br /></i><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>If you’re not sick of this subject yet or if
you want more detail from a different level, I would recommend checking out my “Why
Group Policy Is Not Dead Manifesto” at </i></span><a href="https://www.gpanswers.com/the-why-group-policy-is-not-dead-manifesto/"><span style="color: blue; font-family: "calibri";"><i>https://www.gpanswers.com/the-why-group-policy-is-not-dead-manifesto/</i></span></a><span style="font-family: "calibri";"><i>
.</i></span></span><br />
<i><br /></i><span lang="EN-US" style="margin: 0px;"><span style="font-family: "calibri";"><i>Thanks for the Q&A, Sami. This was fun.
If people want to sign up for Group Policy (and sometimes MDM tips) at </i></span><a href="http://www.gpanswers.com/"><span style="color: blue; font-family: "calibri";"><i>www.GPanswers.com</i></span></a><span style="font-family: "calibri";"><i>, we’d love to have them.
And if people want to learn more about PolicyPak, watch our daily webinar at </i></span><a href="http://www.policypak.com/"><span style="color: blue; font-family: "calibri";"><i>www.PolicyPak.com</i></span></a><span style="font-family: "calibri";"><i>; it is the best first step.</i></span></span><br />
<i><br /></i>
<br />
<div style="margin: 0px 0px 13px;">
<br /></div>
Sami Laiho, 2017-03-21: Prevent interactive logon of Local Admins - Only allow UAC elevation<br />
<br />
Hi again!<br />
<br />
I've been asked this many times: "How can I block interactive logon of an admin account so they would just be able to use UAC?"<br />
<br />
This is a good point as this will:<br />
<br />
<ul>
<li>Allow a user to use UAC-prompt to authorize admin procedures</li>
<li>Not allow the user to actually start logging on as that user (as a convenience for themselves)</li>
</ul>
<div>
Windows has no separate "UAC-only logon" right, which is annoying because it would be exactly what is needed here. If I deny interactive logon to the account, UAC elevation with that account stops working too; and if I allow UAC elevation, the account can always log on interactively as well.</div>
<div>
<br /></div>
<div>
My trick for making this happen is to use AppLocker/SRP to block those accounts from running Explorer.exe or Task Manager. When they log on, they get an empty screen with no ability to do anything. You could also replace the shell with a custom one that just shows a note: "You are not allowed to log on interactively with this user!!"</div>
<div>
<br /></div>
<div>
So these are the rules I use:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3lpYRM16yFOwh9Xo9NHoHv9U8pcS6xLfCtJrLXKVKbKOsnRS1TCjKZQDZs1nmokbmAnGUm0dmVW1V2Bb0Jljl8RmBym9F4RSq2k6pBgAH_uidb6XUCEtHFf-9YVIrlbUP0ACppreVOV4/s1600/Capture.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="16" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3lpYRM16yFOwh9Xo9NHoHv9U8pcS6xLfCtJrLXKVKbKOsnRS1TCjKZQDZs1nmokbmAnGUm0dmVW1V2Bb0Jljl8RmBym9F4RSq2k6pBgAH_uidb6XUCEtHFf-9YVIrlbUP0ACppreVOV4/s320/Capture.JPG" width="320" /></a></div>
<div>
<br /></div>
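The screenshot of the rules is not readable in this copy, so here is an added example (my own, not the rules from the post) of the same approach as an AppLocker policy built and applied with PowerShell: Deny rules for explorer.exe and Task Manager scoped to a group that holds the admin accounts. The group SID, the test account name and the temp file path are placeholders I assumed.

```powershell
# Added example (not the rules from the post): an AppLocker policy that denies
# explorer.exe and Taskmgr.exe to a group holding the admin accounts, so an
# interactive logon with such an account lands on an empty desktop while UAC
# elevation of other programs keeps working. Assumptions / placeholders:
#   - $AdminGroupSid: SID of the group that contains the admin accounts
#   - 'CONTOSO\srv-admin': a test account that is a member of that group
# Run elevated. AppLocker Deny rules always win over Allow rules, and enforcing
# the Exe collection without the default Allow rules blocks everything else,
# so create the default rules first if the machine has no Exe rules yet.

$AdminGroupSid = 'S-1-5-21-0000000000-0000000000-0000000000-9999'   # PLACEHOLDER
$PolicyPath    = Join-Path $env:TEMP 'NoInteractiveAdminLogon.xml'

function New-DenyPathRule {
    param([string]$Name, [string]$Path, [string]$Sid)
    $id = [guid]::NewGuid().ToString()
    # One FilePathRule element; the caller stitches them into a RuleCollection.
    return @"
    <FilePathRule Id="$id" Name="$Name" Description="Interactive desktop blocked for admin accounts" UserOrGroupSid="$Sid" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$Path" />
      </Conditions>
    </FilePathRule>
"@
}

# %WINDIR% and %SYSTEM32% are AppLocker's own path variables, not env vars.
$rules = @(
    (New-DenyPathRule -Name 'Deny Explorer for admin accounts'      -Path '%WINDIR%\explorer.exe'   -Sid $AdminGroupSid),
    (New-DenyPathRule -Name 'Deny Task Manager for admin accounts' -Path '%SYSTEM32%\Taskmgr.exe' -Sid $AdminGroupSid)
) -join "`n"

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$rules
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $PolicyPath -Value $policyXml -Encoding UTF8

# Dry run before enforcing: the admin account should show PolicyDecision Denied
# with one of the rules above in MatchingRule. Any other user matches none of
# these rules; the Allow rules that let them run come from the existing policy
# this file is merged into, not from this file.
$targets = @("$env:WINDIR\explorer.exe", "$env:WINDIR\System32\Taskmgr.exe")
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $targets -User 'CONTOSO\srv-admin' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy (use -Ldap with a GPO path for domain-wide use)
# and make sure the Application Identity service runs, or nothing is enforced.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
```

Because only these two binaries are denied, a standard user's "Run as" or UAC prompt using the admin account still elevates mmc.exe, installers and the like as before.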
Sami Laiho, 2017-03-19: The Fuzz about Terminal Services Session Hijacking<br />
<br />
Hi!<br />
<br />
I just wanted to take a short moment and tell everyone on my blog about the latest news about TS Session hijacking. Mainly noted here: http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html<br />
<br />
My two cents on this: "Calm down, Spread out, nothing to see here!"<br />
<br />
This is a normal feature of the OS that I use daily on my lab server where my students use VMs. The OS is the same for the server and the client below the surface, so you can do this on a client or a server for that reason. This "feature" is known as shadowing.<br />
<br />
Here are a few screenshots where I "HIJACK" a session and do "PRIVILEGE ELEVATION!!"<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEmcJPzDW61cxu0Yh1WPX495pYkCBH2UZ-bbDT1oNqYjbQEHxz7CcumJN-1V0I2WdDKqUBLEB5fIQzn_YONG4AOitsGV6u5biJr1kTN67BPvbKIQa-AN1CX7bynUv-S5_RtZzHyRy_31Q/s1600/Capture1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEmcJPzDW61cxu0Yh1WPX495pYkCBH2UZ-bbDT1oNqYjbQEHxz7CcumJN-1V0I2WdDKqUBLEB5fIQzn_YONG4AOitsGV6u5biJr1kTN67BPvbKIQa-AN1CX7bynUv-S5_RtZzHyRy_31Q/s320/Capture1.JPG" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6OCibwU2pZGphqQuyV1VyZEJZ7IC9nsEIi2hi4pwACgJD7U3YsPX4MsHWgTqTE9a00dN33IvCGD6f5nwf-_GKAT2Qm9bE-hU7UchYZJOdVGkIhgKg2uqOQEMBefrNBwjhd2MFvuimZa8/s1600/Capture2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="221" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6OCibwU2pZGphqQuyV1VyZEJZ7IC9nsEIi2hi4pwACgJD7U3YsPX4MsHWgTqTE9a00dN33IvCGD6f5nwf-_GKAT2Qm9bE-hU7UchYZJOdVGkIhgKg2uqOQEMBefrNBwjhd2MFvuimZa8/s320/Capture2.JPG" width="320" /></a></div>
<div>
<br /></div>
<div>
So any <u>Admin</u> can do this, not just SYSTEM and not just with a service.<br />
<br />
With SYSTEM you get the privilege of attaching to <u>disconnected</u> sessions - that is a nice bonus. Just remember, if you want to show the session hijack thing, it's a lot easier by running <b>PSEXEC -SID TASKMGR.exe</b> <br />Then go to the Users tab and choose who you want to be. No service needed, and it works on all OSes.<br />
<br />
Also a good point once again: you can't allow Domain Admins to log on to normal workstations, as those could be compromised and someone could use this trick against them.</div>
<div>
<br /></div>
<div>
Cheers,</div>
<div>
<br /></div>
<div>
Sami</div>
<br />
Sami Laiho, 2017-03-19: Found a BUG in Windows Defender Anti-Tampering<br />
<br />
Hi!<br />
<br />
You should never log on to your Windows 10 as an Admin - you know I think so. Now it was just so amazingly funny when Avecto called me and asked me to do a webinar on this, which I delivered this week on Thursday. Like I (sadly) often do, I just looked at what I was supposed to talk about a few days before primetime :) I then realized it said "Sami will show how to disable anti-malware"... Oops... I didn't really know exactly how to do it, as I hadn't tried to block Windows Defender in a long time. Microsoft has done a good job with the anti-tampering anyway, so I was honestly a bit worried... <br />
<br />
Then I told myself what I keep telling you: "If you are an Admin, you can do whatever you want anyway". And for sure it took me like 5 minutes to come up with a way to totally block Defender. No, not just make it silent in the background, I mean really block it :)<br />
<br />
Here is a video on how to do it:<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="361" mozallowfullscreen="" src="https://player.vimeo.com/video/208799592" webkitallowfullscreen="" width="640"></iframe>
<br />
How to mitigate? <b>Don't run as an admin!</b><br />
<br />
Sami Laiho, 2017-03-09: How I Choose Speakers and Sessions<br />
<br />
A bit different topic this time. If you are not interested in how a topic gets on your conference agenda catalog or how I evaluate potential speakers, then this post is probably not for you.<br />
<br />
I am writing this because I get to choose sessions and speakers for the TechMentor conference, which I am honored to have been given the responsibility of chairing. Here is the link for proposals - so after reading, it's time to head over here: <a href="https://live360events.com/pages/call-for-presentations.aspx">https://live360events.com/pages/call-for-presentations.aspx</a><br />
<br />
<br />
This is a list of things that came to my head just now and might not be that well organized:<br />
<br />
<br />
What I look for when choosing speakers/sessions:<br />
<br />
<ul>
<li>Videos. Videos. Videos. If you need to prove you can speak at my conference, you are best off if you can point to a video of you presenting (or I have seen you speak). If you need a tool to get into conferences, it's this! Speak at a user group meeting and have a friend record it - I need to see you and hear you, that's all. Written material like books and blogs is important, but it usually won't get you in as the only proof, as I need to know if I can put you in front of an audience. Without a book, on the other hand, you can easily get in (I've never written one - yet)</li>
<li>Bio. I want to know what you've done both as a speaker and in practice. If you've done big projects that you are proud of, tell me. This bio needs to be easy to sell to attendees as well, not just to convince me. And I do need a picture. Every speaker needs to start somewhere, so go to user groups and present, then come back to me with a video. I've got a soft spot for new speakers, as TechMentor was the first global conference I ever spoke at (thanks to Greg Shields for betting on me). </li>
<li>Topic. I read the names of the sessions, hundreds of them, and make up my mind whether I'm going to read the description more closely. I need the topic to be sexy but also tell what it is about. The topic doesn't need to be about Windows 10 or Server 2016 in my case. I build conferences that teach how to do things right, in practice. So I'd be happy to know how you've done a successful IPv6 implementation, as it is something people need and it's actually doable, but I don't want to hear you guess on how you pretend to know how Windows 10 can be better managed without Group Policy using only MDM. Give me facts, not fiction. General sessions like "What's new in Windows 10 build 17540" will always get a few slots - not my favorite, but I need them as well. When I know you can't know in practice how these work, I need to pick these more based on the speaker. That said, it does mean you can get in by being a good speaker or just by posting a great topic - either might work.</li>
<ul>
<li>In TechMentor the stuff you show (not regarding the What's new sessions) NEEDS TO WORK AND BE APPLICABLE NOW! I want to know how to do things in practice (read: NO MARKETING SLIDES). 50% of people use Windows 7, so I'm fine if you want to talk about that as long as you are not one of those who say they are not planning to move to Windows 10. So I look for real-life experience with a willingness to change and evolve.</li>
<li>If you think your session would be great but it's too old a topic - try your luck as I'm very willing to get stuff in that's not brand new. </li>
</ul>
<li>I like soft skills as well, but they need to be inspiring and entertaining to an even greater extent</li>
<li>Presentation itself needs to be interesting and hopefully entertaining. I have a few golden rules I follow on sessions:</li>
<ul>
<li>The session needs to give something to the attendees that they will take to their office and start telling people: "Did you know this?", "Did you know this can be done with this?", "This is now so much faster since I learned this!", "Everyone, I just learned this!"</li>
<li>If you are aiming for great evals, I always add something personal as well. Something that's not required at the office but will benefit the attendee in their personal life. A small tip about how I do backups at home for free, or such.</li>
<li>The most important thing about any successful session, and the one that is almost impossible to teach or cheat against - passion and enthusiasm. You need to present things you like and are passionate about. If you are not, it shows, and it's harder to get in next time...</li>
<li>My golden rule is that you can get into the top 100 sessions by just being extremely good at what you teach. To get into the top 10 - it needs to be a show. So go and watch more standup comedy and remember to add some jokes to your sessions as well. As a chair I can easily say I'd rather have an entertaining teacher who is not the most technical in the world than a technical speaker who can't keep me awake. Don't get me wrong here, I am sure we are aiming for the same goal. I've been teaching people for most of my life and I'll bet people learn more when they are enjoying their time, and even more important: awake. I, as a chair, need to make sure people get a return for their investment, which in this case is learning. If you kept them awake and interested and managed to teach them ONE important concept, that's way better than them walking out of the session "well rested" but only looking for me to ask where they can get your slides from, to learn what you were talking about while they were sleeping. People don't come to conferences for written material but for people. They can read more than enough on the Internet for free.</li>
</ul>
</ul>
<div>
If you want to talk more you are free to join my Slack channel and discuss more: <a href="https://winfuslackautomate.herokuapp.com/">https://winfuslackautomate.herokuapp.com/</a></div>
<div>
<br />
And the CFP itself, once more: <a href="https://live360events.com/pages/call-for-presentations.aspx">https://live360events.com/pages/call-for-presentations.aspx</a><br />
<br /></div>
<div>
Hope to get you on board a fun journey :)</div>
<div>
<br /></div>
<div>
Cheers,</div>
<div>
<br /></div>
<div>
Sami</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<b>The True Story of Windows 10 and the DMA-protection</b> (Sami Laiho, 2017-02-01)<br />
<br />
This blog post will tell you if and how Windows 10 protects against DMA (Direct Memory Access) based attacks, which are used against BitLocker and other encryption mechanisms by stealing the encryption key from the memory of a running computer. The story might be long(ish), but rest assured you want to read it through.<br />
<br />
It all actually started when I was delivering a session on Windows 8.1 at TechEd. I believed what the documentation said and told people that in Windows 8.1, never-before-seen DMA-enabled devices would not be usable on the logon screen. So if no one was logged on or the computer was locked, we would not need to worry about DMA attacks anymore. As I soon learned, this did not actually work in Windows 8.1, and Microsoft told me that it had "skipped" from the RTM build without the people I was interacting with knowing about it. I felt horrible that I had given misinformation, but more that I had "skipped" my vital "Always test - Don't just trust" policy.<br />
<br />
Now the story continued when things like this showed up:<br />
<br />
Quote from: <a href="https://technet.microsoft.com/en-us/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511">https://technet.microsoft.com/en-us/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511</a><br />
<h4 id="new-bitlocker-features-in-windows-10-version-1507">
New Bitlocker features in Windows 10, version 1507</h4>
<ul>
<li><strong>DMA port protection</strong>. You can use the <a href="https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess">DataProtection/AllowDirectMemoryAccess</a> MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.</li>
</ul>
So I decided that I would this time show how it finally worked, at Microsoft Ignite. Nowadays the need for this is much bigger: before, we could just block FireWire and Thunderbolt, as no one used them, but now most of my customers have Thunderbolt 3 docking stations, so we can't just disable the bus anymore. I started experimenting with this and soon found out something that I showed in my Ignite session for 3000 people (<a href="https://myignite.microsoft.com/videos/15848">https://myignite.microsoft.com/videos/15848</a>). It still didn't work! At least by default. <br />
<br />
So the problem with Windows 10 was that Microsoft gave misinformation to my customers and on their websites that Windows 10 would now protect them from DMA attacks, which wasn't the case by default. Now the bigger problem is that MS only supports setting this ON via MDM. Honestly, how many of my customers have MDM? Almost none :( There is no support to set it via SCCM (as it doesn't support custom URIs), a provisioning package, or most of all Group Policy...<br />
<br />
I got a friend of mine (thanks to Petri Paavola @petripaavola) to help me and build me a PowerShell script so I could experiment without Intune. <br />
<br />
I set the setting, but DMA still worked. I thought maybe I really needed Intune, so I installed Intune and set the setting from there... Still nothing... Now I got really worried. Was the setting done wrong, or was this yet again a "skipped" feature? Now I needed to get secure@microsoft.com and the product group on board with this, as this seemed.. well.. fishy...<br />
<br />
I would like to thank Microsoft for working with me on this. It took a long time, but now finally we have some results. First of all, the DMA protection is not FULL. Quote from MS:<br />
<div class="O1" style="margin-left: .81in;">
”This mitigation only protects PCI-based buses, for example, ExpressCard, Thunderbolt, &amp; some docking stations (PCIe based). Older, non-PCI busses such as 1394 and CardBus are still vulnerable.”</div>
<br />
That is why I got it working all the time as I was using FireWire to steal the memory.<br />
<br />
So the story continues with Microsoft providing me instructions to deal with this:<br />
<br />
<ol>
<li>Set the DMA protection on: <a href="https://msdn.microsoft.com/en-us/library/dn904962(v=vs.85).aspx">https://msdn.microsoft.com/en-us/library/dn904962(v=vs.85).aspx#DataProtection_AllowDirectMemoryAccess</a></li>
<li>Use Group Policy to block FireWire like we have done for years: <a href="https://support.microsoft.com/en-us/kb/2516445">Blocking the SBP-2 driver …</a></li>
</ol>
<div>
So I started to experiment again. Sadly this information is not complete either, and I know most of my customers have it deployed incompletely as well, and have had for many years :( When I used the instructions as such, the TB3 devices didn't work (as I expected). When I used the recommended GP settings to block just FireWire, my TB3 devices and dock now worked, but so did <b>PassWare Memory Imager</b>... This is in turn because the instructions don't include all 1394 devices, which you can find here: <a href="https://msdn.microsoft.com/en-us/library/windows/hardware/ff553426(v=vs.85).aspx">https://msdn.microsoft.com/en-us/library/windows/hardware/ff553426(v=vs.85).aspx</a></div>
<div>
<br /></div>
<div>
I have reported this to Microsoft as well and I hope the instructions are fixed soon.</div>
<div>
<br /></div>
<div>
Now to give you what you are probably here for :) First, how to set the DMA protection on without Intune:</div>
<div>
<br /></div>
<ul>
<li>In a few days/weeks you will get an Insider Build that has a Group Policy setting to set this! Thanks to a lot of feedback from MVPs and customers.</li>
<li><b>Until then the registry key you can set with any method you want is this:</b>
<ul>
<li><b>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\PnP\Pci</b>
<ul>
<li><b>DisableExternalDMAUnderLock (DWORD) = 1</b></li>
</ul>
</li>
</ul>
</li>
</ul>
<div>
Second, here is my recommendation from now on to my customers to block DMA but still allow the use of Thunderbolt 3 devices:</div>
<div>
<br /></div>
<ol type="a">
<li>Have UEFI+SecureBoot+TPM+NoAdminRights</li>
<li>Block DMA for Thunderbolt by using the registry key until we get the GPO
<ol type="i">
<li>Or MDM of course if you have one…</li>
</ol>
</li>
<li>Use Group Policy to disable FireWire
<ol type="i">
<li>See the old article: <a href="https://support.microsoft.com/en-us/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-dma-and-thunderbolt-dma-threats-to-bitlocker">https://support.microsoft.com/en-us/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-dma-and-thunderbolt-dma-threats-to-bitlocker</a></li>
<li><b>But block these ClassIDs:</b>
<ul>
<li><b>{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}</b></li>
<li><b>{c06ff265-ae09-48f0-812c-16753d7cba83}</b></li>
<li><b>{d48179be-ec20-11d1-b6b8-00c04fa372a7}</b></li>
<li><b>{6bdd1fc1-810f-11d0-bec7-08002be2092f}</b></li>
</ul>
</li>
</ol>
</li>
</ol>
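<div>
Added example, not code from the post, from Microsoft or from the linked KB article: a PowerShell script that audits, and with -Apply writes, the two settings recommended above, the DisableExternalDMAUnderLock value from the registry key list and the four device setup class GUIDs in the Device Installation Restrictions deny list. It assumes the deny list lives under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions (the location Group Policy writes for the "Prevent installation of devices using drivers that match these device setup classes" setting); the function names are this example's own.</div>

```powershell
# Added example, not code from the original post or from Microsoft.
# Audits (and with -Apply, writes) the two settings the post recommends:
#   1. DisableExternalDMAUnderLock = 1 under HKLM\SYSTEM\CurrentControlSet\Control\PnP\Pci
#   2. the four device setup class GUIDs in the "Prevent installation of devices using
#      drivers that match these device setup classes" deny list.
# Assumption: the deny list is stored at the DeviceInstall\Restrictions policy key below
# (the location Group Policy writes for that setting). Run in an elevated shell.
[CmdletBinding()]
param(
    [switch]$Apply
)

$PciKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\PnP\Pci'
$PciValue = 'DisableExternalDMAUnderLock'

$DenyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$DenyList = "$DenyKey\DenyDeviceClasses"

# Class GUIDs exactly as listed in the post.
$ClassIds = @(
    '{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}',
    '{c06ff265-ae09-48f0-812c-16753d7cba83}',
    '{d48179be-ec20-11d1-b6b8-00c04fa372a7}',
    '{6bdd1fc1-810f-11d0-bec7-08002be2092f}'
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-DmaUnderLock {
    # True only when the DWORD exists and is exactly 1; a missing value means "not protected".
    $v = Get-RegValue -Path $PciKey -Name $PciValue
    return ($null -ne $v) -and ([int]$v -eq 1)
}

function Get-DenyListEntries {
    # Returns a hashtable index -> GUID (lower-cased) for the numbered values ("1", "2", ...)
    # that the policy stores under the DenyDeviceClasses subkey.
    $entries = @{}
    if (-not (Test-Path -LiteralPath $DenyList)) { return $entries }
    $props = Get-ItemProperty -LiteralPath $DenyList
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^\d+$') {
            $entries[[int]$p.Name] = ([string]$p.Value).ToLowerInvariant()
        }
    }
    return $entries
}

function Test-ClassDenyList {
    # The policy only takes effect when the enable flag is 1 AND every GUID is listed;
    # a partial list is the incomplete deployment the post warns about.
    $enabled = Get-RegValue -Path $DenyKey -Name 'DenyDeviceClasses'
    $present = @((Get-DenyListEntries).Values)
    $missing = @($ClassIds | Where-Object { $present -notcontains $_.ToLowerInvariant() })
    return [pscustomobject]@{
        Enabled = ($null -ne $enabled) -and ([int]$enabled -eq 1)
        Missing = $missing
    }
}

function Set-DmaHardening {
    # Writes both settings. Existing deny-list entries are kept; missing GUIDs are
    # appended after the highest existing index so nothing already blocked is dropped.
    New-Item -Path $PciKey -Force | Out-Null
    Set-ItemProperty -LiteralPath $PciKey -Name $PciValue -Value 1 -Type DWord

    New-Item -Path $DenyList -Force | Out-Null
    Set-ItemProperty -LiteralPath $DenyKey -Name 'DenyDeviceClasses' -Value 1 -Type DWord
    $entries = Get-DenyListEntries
    $present = @($entries.Values)
    $next = 1
    if ($entries.Count -gt 0) {
        $next = [int]($entries.Keys | Measure-Object -Maximum).Maximum + 1
    }
    foreach ($id in $ClassIds) {
        if ($present -notcontains $id.ToLowerInvariant()) {
            Set-ItemProperty -LiteralPath $DenyList -Name ([string]$next) -Value $id -Type String
            $next++
        }
    }
}

if ($Apply) { Set-DmaHardening }

$deny = Test-ClassDenyList
"DisableExternalDMAUnderLock = 1 : $(Test-DmaUnderLock)"
"Device class deny list enabled  : $($deny.Enabled)"
if ($deny.Missing.Count -eq 0) {
    "All four class IDs from the post are in the deny list."
} else {
    "Class IDs still missing from the deny list:"
    $deny.Missing | ForEach-Object { "  $_" }
}
```

Without -Apply the script only reports; a Group Policy refresh will overwrite these values on domain-joined machines, which is what you want once the GPO carries the same settings.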
<div>
For some cases, if the customer really requires it: add a PIN code protector and disable standby.</div>
<div>
<br /></div>
<div>
Hope this clears things up, and sorry it took a while, but there is a coordinated disclosure procedure I want to respect. If you found this helpful please enrol to my newsletter at: <a href="http://eepurl.com/F-GOj">http://eepurl.com/F-GOj</a></div>
<div>
<br /></div>
<div>
And remember my training videos on <a href="https://www.pluralsight.com/search?q=laiho&clm_id=58386d888c0fa00f000c9ff5&CLM_Id__c=58386d888c0fa00f000c9ff5">PluralSight</a> and my Dojo at <a href="https://win-fu.com/dojo/">https://win-fu.com/dojo/</a></div>
<div>
<br /></div>
<div>
<br />Sami</div>
<div>
<br />
</div>
Sami Laiho (http://www.blogger.com/profile/16288541861736043371)<br />
<br />
Published 2016-12-06T22:48:00.000+02:00, updated 2016-12-07T00:12:24.553+02:00: Every Windows 10 in-place Upgrade (even with SCCM) is a SEVERE Security risk PART II<br />
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
So, 127000 blog
reads and a week later I believe it's a good time to publish the episode II of
this story. Please read these few points and then see how to apply this on SCCM
managed machines as well.</div>
<br />
<br />
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
First a few things:</div>
<br />
<ol style="direction: ltr; font-family: Calibri; font-size: 11.0pt; font-style: normal; font-weight: normal; margin-bottom: 0in; margin-left: .375in; margin-top: 0in; unicode-bidi: embed;" type="1">
<li style="margin-bottom: 0; margin-top: 0; vertical-align: middle;" value="1"><span style="font-family: "calibri"; font-size: 11.0pt; font-style: normal; font-weight: normal;">My bad, I used the wrong term
that was used in previous Windows versions. The BitLocker is SUSPENDED not
DISABLED like I said. The end result is of course the same but I do want
to use the correct terms.</span></li>
<li style="margin-bottom: 0; margin-top: 0; vertical-align: middle;"><span style="font-family: "calibri"; font-size: 11.0pt;">Most comments say this is an
old thing that was in Windows decades ago. Yes, the Shift+F10 feature has
been there for ages and I've used it for troubleshooting for ages. That is
why I knew to look for it. I found it first in the beta-version of Windows
10. After finding it I knew the first time it really was an issue was the
time when people upgraded from Windows 8 to 8.1 as that was the first time
the in-place upgrade was recommended and we had BitLocker. So in XP you
could press Shift+F10 but so what, we didn't use it to bypass BitLocker (I actually played Solitaire with it just for fun) -
so I don't think this is the same thing at all…</span></li>
<li style="margin-bottom: 0; margin-top: 0; vertical-align: middle;"><span style="font-family: "calibri"; font-size: 11.0pt;">What makes this a
"bug" (again you have to give me some slack, I'm Finnish and
English is not my first language. I speak a language where we log on to
Windows using the local Administrator account name of
JÄRJESTELMÄNVALVOJA). So let me rephrase: this is a "mistake" in that Microsoft
forgot this in the upgrade sequence, as they know how to block it and have
a feature for that.</span></li>
<li style="margin-bottom: 0; margin-top: 0; vertical-align: middle;"><span style="font-family: "calibri"; font-size: 11.0pt;">I categorize myself as a
conceptual hacker. This means that I find and use holes that are not Zeroday
attacks or 3rd party application issues but holes based on principles that I know to look for because I've
studied the OS for over 20 years. I teach Windows Internals and always
tell my students that the base knowledge on the OS is a requirement for
both creative troubleshooting and taking care of security. How would you
know what's bad if you don't know what's normal?</span></li>
<ol style="direction: ltr; font-family: Calibri; font-size: 11.0pt; font-style: normal; font-weight: normal; margin-bottom: 0in; margin-left: .375in; margin-top: 0in; unicode-bidi: embed;" type="a">
<li style="margin-bottom: 0; margin-top: 0; vertical-align: middle;" value="1"><span style="font-family: "calibri"; font-size: 11.0pt; font-style: normal; font-weight: normal;">You can find my
training on <a href="http://pluralsight.com/">http://PluralSight.com/</a> and </span><a href="http://win-fu.com/"><span style="font-family: "calibri"; font-size: 11.0pt;">http://win-fu.com/</span></a><span style="font-family: "calibri"; font-size: 11.0pt; font-style: normal; font-weight: normal;"> Let me teach you to find this stuff as well :)</span></li>
</ol>
<li style="margin-bottom: 0; margin-top: 0; vertical-align: middle;"><span style="font-family: "calibri"; font-size: 11.0pt;">LTSB. You don't have to agree
with me on this. This was just my personal opinion. I did offer other
choices as well like the not leaving computers unattended when they are
upgrading. I currently plan on staying on LTSB until 2018 and then do an easy upgrade to CBB - if things are worked out to the level I want by then.</span></li>
<li style="margin-bottom: 0; margin-top: 0; vertical-align: middle;">Will there be a time when this all will be put to a test? Yes, Microsoft just declared 1607 as Current Branch for Business. This means that 1507 release will be out of support in a few months and we will get to test this in action ;) You can read more about this here: <a href="https://blogs.technet.microsoft.com/windowsitpro/2016/11/29/windows-10-1607-is-now-a-current-branch-for-business-cbb-release/">https://blogs.technet.microsoft.com/windowsitpro/2016/11/29/windows-10-1607-is-now-a-current-branch-for-business-cbb-release/</a></li>
<li style="margin-bottom: 0; margin-top: 0; vertical-align: middle;"><span style="font-family: "calibri"; font-size: 11.0pt;">I know the Immutable laws of
security and I know the computer is not your computer anymore if someone
has physical access to it. If it wasn't a case like this trust me I would
have gotten a bounty on this from Microsoft ages ago. I still believe that
this is an issue as if I don't do inplace upgrades I don't have this
issue… Some people got upset that I called it "SEVERE"… Well if
you ask me, when a computer's integrity protection and data protection fail
by pressing two keys… Sorry, I just believe it's SEVERE - I will agree to
disagree with you on this if you don't.</span></li>
<li style="margin-bottom: 0; margin-top: 0; vertical-align: middle;"><span style="font-family: "calibri"; font-size: 11.0pt;">I also saw some
recommendations on using Linux to hack the box - Although Linux is Finnish
and I like to promote it, you don't need Linux to hack Windows - It does
so itself just fine as I show in the next video.</span></li>
</ol>
<br />
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<br />
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Now let's talk about
the next "issue" here. My good friend Johan Arwidmark did an amazing
job building a bandage that blocks Shift+F10. It can be used by
SCCM/MDT or any manual upgrade. Here is the link: <a href="http://deploymentresearch.com/Research/Post/567/Using-ConfigMgr-to-fix-the-Shift-F10-security-issue-for-Windows-10-inplace-upgrades">http://deploymentresearch.com/Research/Post/567/Using-ConfigMgr-to-fix-the-Shift-F10-security-issue-for-Windows-10-inplace-upgrades</a> This is what Microsoft will probably use to fix the hole in the first place as well.</div>
<br />
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Although this is
great I guess some people didn't see the real problem in this whole issue. If
the Shift+F10 is a "bug" or a "mistake" it can be easily fixed as we
see. The real security issue is the suspending of BitLocker. The next video
shows you how to use this against any system including SCCM/WSUS controlled
machines. Again it uses the knowledge gained on Windows Internals classes. I
also do Security Audits (hire me ;) ) and you can bet I will take this into my
toolbox for myself when I have the next bank to break into ;) And yes, it does still require physical access, and yes, I boot the machine from bootable media, so you can just glue the USB ports. I will then take the disk out at the correct point and move it to another machine or start playing with Linux. Anyway, at the end of the day you are fighting against windmills.</div>
<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="542" mozallowfullscreen="" src="https://player.vimeo.com/video/194063890" webkitallowfullscreen="" width="640"></iframe>
<br />
<br />
<div style="margin: 0in;">
<span style="font-family: "calibri"; font-size: 11.0pt;">And
BTW I have a big issue to disclose that's totally unrelated to this and needs
Microsoft's actions before I can talk about it so do enroll to my newsletter -
like thousands of you already have: </span><a href="http://adminize.us7.list-manage.com/track/click?u=e13c84c9564fa4b2cb6afcb15&id=3cc79adc8d&e=32e9f80416"><span style="font-family: "arial"; font-size: 12.0pt;">http://eepurl.com/F-GOj</span></a></div>
<br />
And be sure to follow me on Twitter @samilaiho<br />
<br />
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Thanks for all the
great feedback,</div>
<br />
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Sami</div>
Sami Laiho (http://www.blogger.com/profile/16288541861736043371)<br />
<br />
Published 2016-11-28T18:14:00.000+02:00, updated 2016-12-06T23:41:54.722+02:00: Every Windows 10 in-place Upgrade is a SEVERE Security risk<br />
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
This is a big issue
and it has been there for a long time. Just a month ago I finally got
verification that the Microsoft Product Groups not only know about this but that
they have begun working on a fix. As I want to be known as a white hat I had to
wait for this to happen before I blog this.</div>
<br />
<br />
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
There is a small but
CRAZY bug in the way the "Feature Update" (previously known as
"Upgrade") is installed. The installation of a new build is done by
reimaging the machine, and the image is installed by a small version of Windows
called Windows PE (Preinstallation Environment). This has a feature for
troubleshooting that allows you to press <b>SHIFT+F10</b> to get a Command Prompt.
This sadly allows for access to the hard disk as during the upgrade Microsoft
disables BitLocker. I demonstrate this in the following video. This would take
place when you take the following update paths:</div>
<br />
<br />
<ul style="direction: ltr; margin-bottom: 0in; margin-left: .375in; margin-top: 0in; unicode-bidi: embed;" type="disc">
<li style="margin-bottom: 0; margin-top: 0; vertical-align: middle;"><span style="font-family: "calibri"; font-size: 11.0pt;">Windows 10 RTM --> 1511 or
1607 release (November Update or Anniversary Update)</span></li>
<li style="margin-bottom: 0; margin-top: 0; vertical-align: middle;"><span style="font-family: "calibri"; font-size: 11.0pt;">Any build to a newer Insider
Build (up to end of October 2016 at least)</span></li>
</ul>
<br />
<br />
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<b>The real issue here
is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of
Windows) even on a BitLocker (Microsoft's hard disk encryption) protected
machine</b>. And of course that this doesn't require any external hardware or
additional software. It's just a crazy bug I would say :(</div>
<br />
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Here's the video: </div>
<iframe allowfullscreen="" frameborder="0" height="480" mozallowfullscreen="" src="https://player.vimeo.com/video/193386195" webkitallowfullscreen="" width="640"></iframe>
<br />
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Why would a bad guy
do this:</div>
<br />
<ol style="direction: ltr; font-family: Calibri; font-size: 11.0pt; font-style: normal; font-weight: normal; margin-bottom: 0in; margin-left: .375in; margin-top: 0in; unicode-bidi: embed;" type="1">
<li style="margin-bottom: 0; margin-top: 0; vertical-align: middle;" value="1"><span style="font-family: "calibri"; font-size: 11.0pt; font-style: normal; font-weight: normal;">An internal threat who wants
to get admin access just has to wait for the next upgrade or convince someone it's
OK for him to be an Insider</span></li>
<li style="margin-bottom: 0; margin-top: 0; vertical-align: middle;"><span style="font-family: "calibri"; font-size: 11.0pt;">An external threat having
access to a computer waits for it to start an upgrade to get into the
system</span></li>
</ol>
<br />
<br />
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
I sadly can't offer
solutions better than:</div>
<br />
<ul style="direction: ltr; margin-bottom: 0in; margin-left: .375in; margin-top: 0in; unicode-bidi: embed;" type="disc">
<li style="margin-bottom: 0; margin-top: 0; vertical-align: middle;"><span style="font-family: "calibri"; font-size: 11.0pt;">Don't allow unattended
upgrades</span></li>
<li style="margin-bottom: 0; margin-top: 0; vertical-align: middle;"><span style="font-family: "calibri"; font-size: 11.0pt;">Keep very tight watch on the
Insiders</span></li>
<li style="margin-bottom: 0; margin-top: 0; vertical-align: middle;"><span style="font-family: "calibri"; font-size: 11.0pt;">Stick to LTSB version of
Windows 10 for now</span></li>
</ul>
<br />
<i>(Update 6.12.2016: Read the next blog as well: </i><a href="http://blog.win-fu.com/2016/12/every-windows-10-in-place-upgrade-even.html"><i>http://blog.win-fu.com/2016/12/every-windows-10-in-place-upgrade-even.html</i></a><i> )</i><br /><br />
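<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Added example, not code from this post, from the Part II post above, or from Johan Arwidmark's ConfigMgr fix: a PowerShell check a defender can run before letting an upgrade proceed unattended, covering the mitigations listed here and the Shift+F10 bandage discussed in Part II. It reports whether the Shift+F10 command prompt is disabled for Windows Setup and whether any encrypted volume currently has BitLocker protection suspended. The DisableCMDRequest.tag marker file under %WINDIR%\Setup\Scripts is the mechanism Microsoft documents for disabling that prompt; relying on it, and the function names, are this example's assumptions.</div>

```powershell
# Added example, not code from the original posts or from Microsoft.
# Reports the two conditions the posts describe:
#   1. whether the Shift+F10 command prompt is disabled for Windows Setup via the
#      DisableCMDRequest.tag marker file (assumption: Microsoft's documented mechanism);
#   2. whether any encrypted volume currently has BitLocker protection suspended,
#      which is the state an in-place upgrade leaves the OS drive in.
# Run in an elevated shell; pass -CreateTag to create the marker file.
[CmdletBinding()]
param([switch]$CreateTag)

$TagDir  = Join-Path $env:WINDIR 'Setup\Scripts'
$TagFile = Join-Path $TagDir 'DisableCMDRequest.tag'

function Test-ShiftF10Disabled {
    return (Test-Path -LiteralPath $TagFile -PathType Leaf)
}

function Set-ShiftF10Disabled {
    # The file only needs to exist; its content is irrelevant.
    if (-not (Test-Path -LiteralPath $TagDir)) {
        New-Item -Path $TagDir -ItemType Directory -Force | Out-Null
    }
    if (-not (Test-ShiftF10Disabled)) {
        New-Item -Path $TagFile -ItemType File -Force | Out-Null
    }
}

function Get-SuspendedBitLockerVolumes {
    # A volume whose data is encrypted but whose ProtectionStatus is Off has its
    # key protectors suspended: the volume opens without any authentication.
    # That is the "suspended, not disabled" state the Part II post corrects itself on.
    Get-BitLockerVolume | Where-Object {
        $_.VolumeStatus -ne 'FullyDecrypted' -and $_.ProtectionStatus -eq 'Off'
    }
}

if ($CreateTag) { Set-ShiftF10Disabled }

"Shift+F10 disabled for Setup ($TagFile): $(Test-ShiftF10Disabled)"

$suspended = @(Get-SuspendedBitLockerVolumes)
if ($suspended.Count -eq 0) {
    "No encrypted volume has BitLocker protection suspended."
} else {
    foreach ($v in $suspended) {
        "WARNING: BitLocker suspended on $($v.MountPoint) (VolumeStatus=$($v.VolumeStatus))"
    }
}
```

A suspended volume outside a known maintenance window is worth an alert on its own, independent of the Shift+F10 question.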
<br />
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
I am known to share
how I do things myself and I'm happy to say I have instructed my customers to
stay on the Long-Term Servicing Branch for now. At least they can wait until
this is fixed and move to a more current branch then. I meet people all the time
who say that LTSB is a legacy way but when I say I'm going to wait a year or
two to get the worst bugs out of this new "Just upgrade" model - this
is what I meant…</div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Remember to subscribe to my newsletter as I will disclose more like this very soon! <a href="http://eepurl.com/F-GOj">Subscribe here!</a></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
And you can learn how to find these by yourself by letting me teach you some Windows Internals!</div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<ul>
<li><a href="http://win-fu.com/ilt/">http://win-fu.com/ilt/</a></li>
<li><a href="http://dojo.win-fu.com/">http://dojo.win-fu.com/</a></li>
<li><a href="http://pluralsight.com/">http://pluralsight.com/</a></li>
<li>I also offer Security Auditing for companies just send me an email: sales@adminize.com</li>
</ul>
</div>
Sami Laiho (http://www.blogger.com/profile/16288541861736043371)<br />
<br />
Published 2016-11-02T10:44:00.000+02:00, updated 2016-11-02T11:17:05.198+02:00: We have a winner - Bye Bye SurfaceBook!<br />
<br />
So it's time to talk about my new best friend :) I wanted to wait a month to write this so I've had the opportunity to try the new device in all environments and tasks that I actually need. The new Best Friend, my company, my everything in business life, is now the Lenovo X1 Yoga. And I have to start by saying that I almost couldn't be happier with a laptop. In the last month I've done: <br />
<br />
<ul>
<li>Microsoft Ignite - Demos for thousands of attendees</li>
<li>Consulting - Smaller part of my business</li>
<li>Taught many classes - 75% of my business</li>
<li>Broken into a few banks - My pentest business</li>
<li>Flown 22 flights - My life</li>
</ul>
So now I feel like I'm ready to give some sort of a verdict on this machine: IT'S AWESOME!!<br />
Let's be more specific. I have the i7 with 16GB of RAM and a 512GB SSD (I'm waiting for my 1TB NVMe disk as we speak). As before, remember this is only my personal opinion based on what I do. I need 4 VMs, that's it, and I need to present and travel a lot.<br />
<br />
Now let's do this the other way than usual and let me start by the cons:<br />
<ul>
<li>Fn-button is in the totally wrong place for me as I've never had a Lenovo before</li>
<li>Battery life wasn't that good first but reverting to an older version of the graphics driver fixed it</li>
<ul>
<li>With the newest Microsoft provided driver the screen wouldn't change brightness at all but was stuck on max setting</li>
<li>Now I'm mostly getting around 6h of battery life which could be better as I fly so much</li>
</ul>
<li>The Pen is small and not good for serious artists but works for me well enough</li>
<li>I can't seem to flip it to tablet mode and have the flight attendants believe it's a tablet... They ask me to put it away when landing, whereas my SurfaceBook was allowed without the keyboard. Well, I watch videos mainly on my iPhone 6s Plus anyway.</li>
<li>The worst is easy... My device has totally lost its sex appeal and hotness :( I'm not kidding.. With my SurfaceBook I would sit in the airport lounge and Mac-people would talk to me... They would ask questions and mostly wonder how it was possible that my device cost more than their Macbook... But that's not the point - we were communicating for the first time in this way that they made the first move. Now with the X1 I'm all alone again - No one asks anything about my laptop :( It's a dull business machine with nothing of interest to Cool people... Lenovo X1 works like a perfect 100% proof contraception...</li>
</ul>
<br />
But now for the GREAT stuff:<br />
<ul>
<li>It just works! After the year with the SurfaceBook I had almost forgotten how it feels when, every time you plug your laptop into the docking station, you actually get a working mouse and a bigger screen. USB3 disks work like they're supposed to, as does Wi-Fi, not to mention 2.4GHz PowerPoint clickers! When you close the lid the computer actually goes to sleep; after the SB it's really hard to believe, so I still check many times whether the computer has actually stopped humming by placing it next to my ear.</li>
<li>The Pen is tucked into the laptop and charges automatically. This is Great! Now it's always ready and available. Although not as good as SB's Pen I'd still choose this.</li>
<li>The size is a lot better than SurfaceBook. More sleek and lighter.</li>
<ul>
<li>On the plane it fits on my lap even in economy, when the guy in front of me has reclined to the max setting and his head is against my X1</li>
<li>The screen allows for minimal backlight, so it's good for the battery</li>
<li>The touchpad could be better, but when things get really tight on a plane I actually like the small nub on the keyboard, although I really thought I would never use it for anything. I was wondering why Lenovo still has two different mouse replacements, but now I'm happy they do.</li>
</ul>
<li>Keyboard is a lot better than SB's (except the Fn-key placement)</li>
<li>The screen is phenomenal!! As I've now learned you haven't seen black as black on a laptop before you get an OLED screen! It's crazy how black can get so...well...black...</li>
<ul>
<li>This is not a joke.. The battery lasts longer when you have no content for the pixels so your screen background is better as black than anything else. I thought it was funny when I did my first demos on Dark Web as surfing there would save me battery life for the first time ;)</li>
</ul>
<li>I have enough ports :) Full HDMI and three USB3 ports which is just perfect for me. I realized I've been carrying a hub with me all the time but haven't used it at all.</li>
<li>The killer feature compared to SB is the mechanism so traditional to the Yoga lineup that it seems so BORING compared to the cool hinge of the Book. But it works. It just works. When I need to draw I can without breaking the connection to my devices and my Skype session. It works for all situations and never fails! </li>
</ul>
So while all the sexiness of my laptop is gone, and I still have to say the SurfaceBook is the most beautiful and coolest device I've ever owned, it's time to admit that a working device might still be more important to me. But hey, that's just me. <br />
<br />
Waiting to see what SurfaceBook 2 brings to the picture and what they've done with the hinge.<br />
<br />
Cheers,<br />
<br />
Sami<br />
<br />
Sami Laiho, http://www.blogger.com/profile/16288541861736043371<br />
<br />
<b>SurfaceBook's 1st Birthday approaching - How's it Really Been?</b><br />
Published 2016-08-26T13:30:00.001+03:00, updated 2016-08-26T13:30:16.105+03:00 (tag:blogger.com,1999:blog-1328571454955435883.post-8085448079935505158)<br />
<br />
Hi all,<br />
<br />
I've had lots of requests to update my judgement on the SurfaceBook. In this short update I try to go through my experiences and thoughts about the future.<br />
<br />
At the beginning of November my 1-year guarantee will end, and before that I'm luckily going to the US, as I have to return the device. The thing that amazed me the most (not that surprisingly, now that I think about it) is actually the reason for taking it back: the hinge. For a few months now the problem has been that when I grab the tablet part of the Book, the connection between the tablet and the keyboard breaks. At home this means that for an annoyingly long 1 minute or so I lose my external monitor, LAN, keyboard and mouse. While training on Skype for Business or doing webinars this is much more dramatic, as I lose the connection to my headset, which then disconnects me from the call. If I'm presenting at a big conference I lose my connection to the projector, so this is one of the biggest game stoppers for me.<br />
<br />
Now, a hinge can probably be repaired, but it's time to think about what I really need from the Book and why I would keep using it. This does not include the reason of having paid a crazy amount of money for it, of course.<br />
<br />
What I need or don't need from the Book compared to others:<br />
<br />
<ul>
<li>The Pen. This is what made me choose it over the Dell XPS 13.</li>
<ul>
<li>I've just bought this as I can't touch my touchscreen currently (see above): <a href="http://www.bestbuy.com/site/wacom-intuos-draw-creative-small-pen-tablet-white/4359302.p?id=1219736632620">http://www.bestbuy.com/site/wacom-intuos-draw-creative-small-pen-tablet-white/4359302.p?id=1219736632620</a></li>
<li>After training for just one day I'm actually just as fluent with it as I am with the Book and the Pen. I love to see where I draw so I would love to have a tablet to do it but this has proven to be super portable and easy to just attach to any device I happen to have. So I'm starting to say this is not a game stopper anymore.</li>
</ul>
<li>The camera</li>
<ul>
<li>I just can't live with the XPS's camera pointing at my fatter and fatter chin... That's just a looks issue, but the technical one is more important: compatibility with Windows Hello facial recognition. Now I just realized I really need it only maybe four times a year, as a fingerprint reader is more convenient for my use anyway. I now have an Intel RealSense R200 for my demos, which is a lot smaller than the previous one I had, the F200. The feature is FUN, that's for sure, but when thinking about my primary machine - not a game stopper anymore.</li>
</ul>
<li>The Tablettability (I just came up with the term)</li>
<ul>
<li>Adults honestly?? I only detach the tablet from the keyboard for the short amount of time when my plane takes off or lands. The time when you need to put your laptop away. Now with the iPhone 6s Plus I actually use that to watch videos for that short time so for the past two months I haven't detached it once except to brag to friends about the cool mechanics (that don't work anymore...). When I detach I lose all connections to projectors, all USB-devices, more than half of my battery, my external SSD and all the juice of the GPU in the keyboard base. The connection-thingy looks very neat but when I need to fold my laptop to a tent to draw for my students I need to detach and turn the tablet around which again means I lose all the connections for a while. So if you compare this to HP's devices or Lenovo's Yoga series, this is a really big disadvantage :(</li>
</ul>
</ul>
<div>
So from the previous perspective I can probably live without the Book. Now what's still wrong with the Book after almost a year of ownership:</div>
<div>
<br /></div>
<div>
<ul>
<li>The USB-issue is still there :( So after every build upgrade of Windows 10 I need to install a false USB Controller and a USB Hub driver. That is to keep my external SSD's working.</li>
<li>The wireless issue is still there. SurfaceBook is still the only one of my machines that doesn't work with my wireless presenter from Logitech. That's not a game stopper as I have the Kensington BlueTooth one that works perfectly.</li>
</ul>
<div>
What do I now want:</div>
</div>
<div>
<br /></div>
<div>
<ol>
<li>I still believe that the Book has huge potential and it is easily the coolest and best device from Microsoft that I have ever had. I can't wait to get the next one (I guesstimate it's 2017 spring) to see how it will be and will it make me a SurfaceBook lover again.</li>
<li>I am going to buy something else... If not before, then at least after writing all of this down in this blog post I realize I can make my life easier. I need a highly portable UltraBook with an i7, 16GB of RAM, 8 hours of battery life, a 1TB SSD, a normal camera and at least a DisplayPort connection and a USB3 or 3.1 port. I don't need a tablet, I don't need a pen or a touch screen, I don't need a Windows Hello camera, I don't need a USB-C only option for network/screens and I absolutely don't need a US keyboard...</li>
<li>I think I'm going to get my hands on a Lenovo X1 Carbon and an X1 Yoga to start testing how my relationship after the honeymoon will be with either one.</li>
</ol>
<div>
Cheers,</div>
</div>
<div>
<br /></div>
<div>
Sami</div>
Sami Laiho, http://www.blogger.com/profile/16288541861736043371<br />
<br />
<b>Biometrics – Have your fingers been pwned?</b><br />
Published 2016-08-11T11:24:00.003+03:00, updated 2016-08-11T11:24:52.857+03:00 (tag:blogger.com,1999:blog-1328571454955435883.post-2160585243761367921)
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><span style="font-family: Calibri;">First, to start with, I believe biometrics are in many
ways the future of authentication, but sometimes people forget to think about
the bad sides as well – when they get too excited. I wanted to take some time
and write down my thoughts on this and related topics. I’m talking about
Security Internals in Estonia this year (</span><a href="http://koolitus.ee/blackbelt/"><span style="color: #0563c1; font-family: Calibri;">http://koolitus.ee/blackbelt/</span></a><span style="font-family: Calibri;">)
and I started to gather my thoughts on current trends in security, which gave
me the inspiration to write this article. One important trend in my life also
changed dramatically this summer, as my family and I moved to iPhones. I still
think that Windows is the best OS there is for mobile phones, but at
some point the lack of stability and apps just threw me over the Edge. “Over
the Edge” in this context is actually just funny if you ask me ;) The iPhone
introduced me to the simplicity of using my fingerprint to authenticate to my
phone, and boy did I welcome this ease! After the honeymoon with my new iPhone I
started to think about this seriously. In the next few paragraphs I’m going
to talk about some common questions/comments I get and some points that I don’t
believe all people totally understand.<o:p></o:p></span></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><o:p><span style="font-family: Calibri;"> </span></o:p></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<u><span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><span style="font-family: Calibri;">#1 Ease of changing a password<o:p></o:p></span></span></u></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><o:p><span style="font-family: Calibri;"> </span></o:p></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><span style="font-family: Calibri;">I hope all of you know the best website out there
for monitoring system breaches, </span><a href="http://haveibeenpwned.com/"><span style="color: #0563c1; font-family: Calibri;">http://haveibeenpwned.com/</span></a><span style="font-family: Calibri;">.
It’s run by a fellow PluralSight author and highly appreciated security expert,
Troy Hunt. So what if you lose a password? You just need to change it,
right? Right. So now what happens if your biometrics get stolen? Do you change
your finger? Or, even worse, your face or your retina? So, to cut corners a bit,
you can only be pwned ten times when it comes to your fingerprints.<o:p></o:p></span></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><o:p><span style="font-family: Calibri;"> </span></o:p></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<u><span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><span style="font-family: Calibri;">#2 Lack of true biometric data in Windows<o:p></o:p></span></span></u></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><o:p><span style="font-family: Calibri;"> </span></o:p></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><span style="font-family: Calibri;">This is what I hear quite often: “Why do we still need
to use a password in Windows, which is then protected by a PIN or by biometrics?
Why can’t we yet, in 2016, save the biometric data to Active Directory and
just use that?” Think about the previous point and what is bad about not
using a password at all. If your fingerprint is value 400 and your password is value
400, we can calculate a value of 160000 by multiplying them. If I lose my
biometric data to someone I just need to change the password to invalidate the
result. So from this perspective I am happy that my true biometric data is not
stored in my AD, as it would make it more probable for someone to steal my true
identity and a lot harder for me to recover when it happens – and it will.<o:p></o:p></span></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><o:p><span style="font-family: Calibri;"> </span></o:p></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<u><span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><span style="font-family: Calibri;">#3 Difference between physical and mental proof of
ownership<o:p></o:p></span></span></u></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><o:p><span style="font-family: Calibri;"> </span></o:p></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><span style="font-family: Calibri;">By law in the US you can be forced to use your finger or
your “face” to open your device. By law you cannot be forced to give up your PIN
code to open your device. I would say I have nothing to hide and I’m not a
criminal, so it doesn’t really matter, but many people don’t like the fact that a
device with biometric protection can be used to incriminate you and one with
a PIN code can’t.<o:p></o:p></span></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><o:p><span style="font-family: Calibri;"> </span></o:p></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<u><span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><span style="font-family: Calibri;">#4 Why does Windows want me to use a 4-digit PIN code when
I have a 16-character password?<o:p></o:p></span></span></u></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><o:p><span style="font-family: Calibri;"> </span></o:p></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><span style="font-family: Calibri;">When you install Windows 10 and start using any cloud-related
features, it will ask you to switch to using a PIN code even if your
password would be a lot stronger mathematically. This is because the PIN code
protects your password on that particular device. If your real password is stolen,
all of your physical devices can be used to access your data, but with the PIN
code only that one device is compromised. That is, if you use a different PIN on
different devices – as this has always been the suggested best practice I’m
sure all of you adhere to it ;) BTW, if your computer has a TPM then that is
used to store the PIN, making it very secure, but if you don’t have one then the
PIN is actually just saved in the registry, making it a lot less secure.<o:p></o:p></span></span></div>
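<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
As an added illustration of this point (example code written for this edit, not from the post and not Microsoft's Windows Hello implementation), here is a small Python model of a device-bound credential: each device holds its own random secret that stands in for the TPM-held key, the PIN only unlocks the sealed blob on that one device, wrong guesses are budgeted the way a TPM's anti-hammering budgets them, and the real directory password can be rotated on its own. The class name Device, the methods enroll and unlock, the PINs, the attempt limit and the PBKDF2 round count are all hypothetical choices made for the example.</div>

```python
import hashlib
import hmac
import secrets

# Simplified model of a device-bound credential, written for this edit.
# It is NOT how Windows Hello is implemented; names and numbers are
# hypothetical. The property it shows: the PIN (or a biometric that releases
# the same key) only unlocks the credential on one device, because the unlock
# key is derived from a secret that never leaves that device, and the real
# password can be rotated without re-enrolling fingers or faces.

MAX_ATTEMPTS = 5        # wrong-PIN budget; a TPM enforces this in hardware
PBKDF2_ROUNDS = 50_000  # illustrative work factor


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (enough for short secrets)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


class Device:
    """One physical device. device_secret stands in for the TPM-held secret:
    generated on the device, never exported, so a blob copied elsewhere is useless."""

    def __init__(self, name: str):
        self.name = name
        self.device_secret = secrets.token_bytes(32)
        self.blob = None            # (ciphertext, tag) of the sealed password
        self.failed_attempts = 0

    def _unlock_key(self, pin: str) -> bytes:
        # A 4-digit PIN alone is trivially enumerable; mixing in the device
        # secret is what binds the blob to this hardware.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.device_secret, PBKDF2_ROUNDS)

    def enroll(self, pin: str, password: str) -> None:
        """Seal the real (directory) password under this device's PIN."""
        key = self._unlock_key(pin)
        ciphertext = _xor(password.encode(), key)
        tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
        self.blob = (ciphertext, tag)
        self.failed_attempts = 0

    def unlock(self, pin: str):
        """Return the password if the PIN is right for THIS device, else None."""
        if self.blob is None or self.failed_attempts >= MAX_ATTEMPTS:
            return None                      # nothing enrolled, or locked out
        ciphertext, tag = self.blob
        key = self._unlock_key(pin)
        expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.failed_attempts += 1
            return None
        self.failed_attempts = 0
        return _xor(ciphertext, key).decode()


def demo() -> dict:
    """Walk through the scenarios from the post and return what each one yields."""
    password = "Jakedrank16beers!"           # the passphrase used as an example in the post
    laptop, tablet = Device("laptop"), Device("tablet")
    laptop.enroll("1357", password)          # constructed PINs, different per device
    tablet.enroll("2468", password)
    r = {}
    r["right_pin_right_device"] = laptop.unlock("1357") == password
    r["laptop_pin_on_tablet"] = tablet.unlock("1357")          # None: other device secret
    attacker_box = Device("attacker-box")
    attacker_box.blob = laptop.blob                            # blob copied, secret not
    r["copied_blob_elsewhere"] = attacker_box.unlock("1357")   # None
    r["bruteforce_hit"] = None                                 # lockout stops the sweep
    for guess in range(10_000):
        if laptop.unlock(f"{guess:04d}") is not None:
            r["bruteforce_hit"] = guess
            break
    laptop.enroll("1357", "Jakedrank17beers!")                 # password rotated, PIN kept
    r["after_rotation"] = laptop.unlock("1357")
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
Running it, demo() walks the scenarios above: the right PIN on the right device yields the password; the same PIN on another device, or the copied blob on a machine without the original device secret, yields nothing; sweeping all 10,000 PINs is cut off by the attempt budget after five misses; and after the password is rotated the same PIN hands back the new one. That is the property the paragraph describes: losing a PIN (or the biometric that releases the same key) costs you one device, losing the password costs you all of them.</div>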
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><o:p><span style="font-family: Calibri;"> </span></o:p></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<u><span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><span style="font-family: Calibri;">#5 How do I do it?<o:p></o:p></span></span></u></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><o:p><span style="font-family: Calibri;"> </span></o:p></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><span style="font-family: Calibri;">To finalize, I believe it’s fair to share how I do it
personally. So here are some of my best practices that I know I use and also
really, I mean REALLY, have the strength to follow.<o:p></o:p></span></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><o:p><span style="font-family: Calibri;"> </span></o:p></span></div>
<br />
<div class="MsoListParagraph" style="margin: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1; text-indent: -18pt;">
<!--[if !supportLists]--><span lang="EN-US" style="mso-ansi-language: EN-US; mso-fareast-font-family: Calibri;"><span style="mso-list: Ignore;"><span style="font-family: Calibri;">-</span><span style="font-size-adjust: none; font-stretch: normal; font: 7pt/normal "Times New Roman";">
</span></span></span><!--[endif]--><span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><span style="font-family: Calibri;">My Windows passwords
are always passphrases that have at least 15 characters, contain characters
from at least three different character sets and have the numbers in the middle.
So for example Jakedrank16beers! is a very good password but easy to remember.
Most people put numbers at the beginning or the end, and that’s also programmatically
a lot easier to break, so put them in the middle. I’m not trying to play Mother
Teresa here, so next time Jake might have drunk 17 beers ;)<o:p></o:p></span></span></div>
<br />
<div class="MsoListParagraph" style="margin: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1; text-indent: -18pt;">
<!--[if !supportLists]--><span lang="EN-US" style="mso-ansi-language: EN-US; mso-fareast-font-family: Calibri;"><span style="mso-list: Ignore;"><span style="font-family: Calibri;">-</span><span style="font-size-adjust: none; font-stretch: normal; font: 7pt/normal "Times New Roman";">
</span></span></span><!--[endif]--><span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><span style="font-family: Calibri;">I protect that password
with facial detection on my SurfaceBook and with different PINs on my tablets
that don’t have a keyboard.<o:p></o:p></span></span></div>
<br />
<div class="MsoListParagraph" style="margin: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1; text-indent: -18pt;">
<!--[if !supportLists]--><span lang="EN-US" style="mso-ansi-language: EN-US; mso-fareast-font-family: Calibri;"><span style="mso-list: Ignore;"><span style="font-family: Calibri;">-</span><span style="font-size-adjust: none; font-stretch: normal; font: 7pt/normal "Times New Roman";">
</span></span></span><!--[endif]--><span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><span style="font-family: Calibri;">I will never buy a
device that doesn’t have a TPM, and I’d prefer them to have an IOMMU for
future features.<o:p></o:p></span></span></div>
<br />
<div class="MsoListParagraph" style="margin: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1; text-indent: -18pt;">
<!--[if !supportLists]--><span lang="EN-US" style="mso-ansi-language: EN-US; mso-fareast-font-family: Calibri;"><span style="mso-list: Ignore;"><span style="font-family: Calibri;">-</span><span style="font-size-adjust: none; font-stretch: normal; font: 7pt/normal "Times New Roman";">
</span></span></span><!--[endif]--><span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><span style="font-family: Calibri;">When signing in to
websites I have a strong base password, but I use the first two letters of the
website’s top-level domain name to make it more unique.<o:p></o:p></span></span></div>
<br />
<div class="MsoListParagraph" style="margin: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1; text-indent: -18pt;">
<!--[if !supportLists]--><span lang="EN-US" style="mso-ansi-language: EN-US; mso-fareast-font-family: Calibri;"><span style="mso-list: Ignore;"><span style="font-family: Calibri;">-</span><span style="font-size-adjust: none; font-stretch: normal; font: 7pt/normal "Times New Roman";">
</span></span></span><!--[endif]--><span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><span style="font-family: Calibri;">I always use a password
manager. I prefer LastPass, although I hate that they were acquired by LogMeIn
and I know they have had their break-ins. It is still the only tool that does
everything I need.<o:p></o:p></span></span></div>
<br />
<div class="MsoListParagraph" style="margin: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1; text-indent: -18pt;">
<!--[if !supportLists]--><span lang="EN-US" style="mso-ansi-language: EN-US; mso-fareast-font-family: Calibri;"><span style="mso-list: Ignore;"><span style="font-family: Calibri;">-</span><span style="font-size-adjust: none; font-stretch: normal; font: 7pt/normal "Times New Roman";">
</span></span></span><!--[endif]--><span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><span style="font-family: Calibri;">I never log on as an
Admin to my workstations! And my Domain Admins are always prevented by policy from
logging on to any computer except Domain Controllers.<o:p></o:p></span></span></div>
<br />
<div class="MsoListParagraph" style="margin: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1; text-indent: -18pt;">
<!--[if !supportLists]--><span lang="EN-US" style="mso-ansi-language: EN-US; mso-fareast-font-family: Calibri;"><span style="mso-list: Ignore;"><span style="font-family: Calibri;">-</span><span style="font-size-adjust: none; font-stretch: normal; font: 7pt/normal "Times New Roman";">
</span></span></span><!--[endif]--><span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><span style="font-family: Calibri;">And YES, on my iPhone I
use a fingerprint – the ease of use wins in my case – at least with my personal
phone.<o:p></o:p></span></span></div>
<br />
<div class="MsoListParagraph" style="margin: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1; text-indent: -18pt;">
<!--[if !supportLists]--><span lang="EN-US" style="mso-ansi-language: EN-US; mso-fareast-font-family: Calibri;"><span style="mso-list: Ignore;"><span style="font-family: Calibri;">-</span><span style="font-size-adjust: none; font-stretch: normal; font: 7pt/normal "Times New Roman";">
</span></span></span><!--[endif]--><span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><span style="font-family: Calibri;">If you asked me
what my secure authentication of choice would be, I would like it to be
PIN+Biometrics, so I could have strong protection, easily change the password,
not forget my dongles and not have too complicated a method to use.<o:p></o:p></span></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><o:p><span style="font-family: Calibri;"> </span></o:p></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><span style="font-family: Calibri;">Stay safe,<o:p></o:p></span></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><o:p><span style="font-family: Calibri;"> </span></o:p></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"><span style="font-family: Calibri;">Sami<o:p></o:p></span></span></div>
Sami Laiho, http://www.blogger.com/profile/16288541861736043371<br />
<br />
<b>First PluralSight Course Published!</b><br />
Published 2016-04-06T19:16:00.001+03:00, updated 2016-04-06T19:16:07.189+03:00 (tag:blogger.com,1999:blog-1328571454955435883.post-4628427263489111005)<br />
<br />
I am so proud/happy/excited to tell you that my first ever PluralSight course was published today!<br />
<br />
You can find it here: <a href="https://www.pluralsight.com/courses/windows-how-its-hacked-how-to-protect">https://www.pluralsight.com/courses/windows-how-its-hacked-how-to-protect</a><br />
<br />
It's about how to hack the OS, so it's my favorite topic :)<br />
<br />
Hope you have already gotten your license to PluralSight, as it is the best VOD training site out there with thousands of courses at an easy-to-handle price!<br />
<br />
Hope you can view and enjoy my video.<br />
<br />
Sami<br />
Sami Laiho http://www.blogger.com/profile/16288541861736043371 noreply@blogger.com 0<br />
tag:blogger.com,1999:blog-1328571454955435883.post-7126694703901736814 2016-02-17T12:02:00.000+02:00 2016-02-17T12:05:20.722+02:00<br />
<b>Best Speaker at Nordic Infrastructure Conference 2016! YES!!</b><br />
Today Nicconf organizers had this to say:<br />
<br />
<b><span style="background-color: black; color: red; font-family: "calibri" , sans-serif;">We are proud to announce Best Speaker of NIC 2016:</span></b><br />
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial;">
<span style="background-color: black;"><span style="color: red;"><br /></span></span></div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial;">
<b><span style="background-color: black; color: red; font-family: "calibri" , sans-serif;">Congratulations to SAMI LAIHO for outstanding feedback and
performance! Your sessions rated extremely high with a large number of votes,
and you also manage to combine a great sense of humor with deep technical and
practical knowledge, which make your sessions highly appreciated.</span></b></div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial;">
<b><span style="background-color: black; color: red; font-family: "calibri" , sans-serif;"><br /></span></b></div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial;">
<br /></div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial;">
<span style="background-color: black; color: white; font-family: "calibri" , sans-serif;">YES, YES, YES - I'm super happy about this because I was in a crowd of so many of the Best speakers in the world and even honored to just get invited :) </span></div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial;">
<span style="background-color: black; color: white;"><span style="font-family: "calibri" , sans-serif;"><br /></span>
<span style="font-family: "calibri" , sans-serif;">Here are the results (censored other than mine):</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8Tuh2XMWYtQ4ve4oiJOhLTn2291ylY1rIQ5VNw7V8tcV0e4S3JZV6oiRKe-dHDqe2akiYdzeCejZHlS80bzYvAybum2HjgpiyuWmZ26jZKKtawY7rn2CCZFFlnEGJg2VHREMCQKl4RhE/s1600/NICCONF+Results.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8Tuh2XMWYtQ4ve4oiJOhLTn2291ylY1rIQ5VNw7V8tcV0e4S3JZV6oiRKe-dHDqe2akiYdzeCejZHlS80bzYvAybum2HjgpiyuWmZ26jZKKtawY7rn2CCZFFlnEGJg2VHREMCQKl4RhE/s320/NICCONF+Results.png" width="247" /></a></div>
Sami Laiho http://www.blogger.com/profile/16288541861736043371 noreply@blogger.com 0<br />
tag:blogger.com,1999:blog-1328571454955435883.post-7881336841046171281 2016-02-16T10:22:00.000+02:00 2016-02-17T12:09:01.780+02:00<br />
<b>Sysinternals 20th Birthday Party this summer in Helsinki!</b><br />
<span style="background-color: black; color: white; font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 22.5px;">This is a short one, I know, but I need you to be in the front row to get this news! I have been given permission from Mark Russinovich himself to host the SYSINTERNALS 20th BIRTHDAY PARTY in Helsinki this summer! Seats are limited and there's an EarlyBird price, so head to: </span><a href="http://www.sysinternals20.com/" style="line-height: 22.5px;" target="_blank">http://www.sysinternals20.com/</a><span style="line-height: 22.5px;"> We'll update the speaker list asap, but already now we have both of the official Sysinternals Admin Guide authors:</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="background-color: black; color: white;"><br /></span>
<span style="background-color: black; color: white; line-height: 22.5px;">WelcomeNote by Mark Russinovich</span></span><br />
<span style="background-color: black; color: white; font-family: Arial, Helvetica, sans-serif; line-height: 22.5px;">Keynote by Aaron Margosis</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="background-color: black; color: white; line-height: 22.5px;">Session on Sysmon by </span><span style="background-color: black; color: white; line-height: 22.5px;">Pa</span><span style="background-color: black; color: white; line-height: 22.5px;">ula</span><span style="background-color: black;"><span style="color: white; line-height: 22.5px;"> </span><span style="color: white; font-family: Arial, Helvetica, sans-serif;">Januszkiewicz</span></span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="background-color: black; color: white;"><br /></span>
<span style="background-color: black; color: white; line-height: 22.5px;">I have never been this honored and excited to host an event :) JIIHAA!!!</span></span><br />
<h2 class="null" style="letter-spacing: -0.75px; line-height: 32.5px; margin: 0px; padding: 0px;">
<span style="background-color: black;"><span style="color: white; font-family: Arial, Helvetica, sans-serif; font-size: small; line-height: 1.6;"></span></span></h2>
<span style="background-color: black; color: white; font-family: Arial, Helvetica, sans-serif; line-height: 22.5px;">Sami</span><br />
<span style="background-color: black; color: white; font-family: Arial, Helvetica, sans-serif; line-height: 22.5px;">Twitter: @samilaiho</span>Sami Laihohttp://www.blogger.com/profile/16288541861736043371noreply@blogger.com2tag:blogger.com,1999:blog-1328571454955435883.post-71928718432320962142016-02-10T21:05:00.002+02:002016-02-10T21:05:57.799+02:00Quick and Dirty Reinstall of Windows 10 on XPS 13I just wanted to share this super easy and dirty way to do a clean reinstall on an OEM-installed XPS 13 (in this case it was the XPS but can be any OEM Windows 10).<br />
<br />
<ol>
<li>Use Johan's instructions on creating a fresh ISO of newest Windows 10: <a href="http://deploymentresearch.com/Research/Post/399/How-to-REALLY-create-a-Windows-10-ISO-no-3rd-party-tools-needed">http://deploymentresearch.com/Research/Post/399/How-to-REALLY-create-a-Windows-10-ISO-no-3rd-party-tools-needed</a></li>
<li>Create a bootable USB key</li>
<ol>
<li><b>Diskpart</b></li>
<ol>
<li><b>list disk</b></li>
<li><b>select disk 1</b></li>
<li><b>clean</b></li>
<li><b>cre part pri</b></li>
<li><b>format fs=fat32 quick</b></li>
<li><b>assign</b></li>
<li><b>active</b></li>
</ol>
<li>Mount the ISO (in this case shows up as e:\)</li>
<li><b>xcopy e:\*.* f:\ /cherkyi</b></li>
</ol>
<li>On the OEM-installed XPS 13, run in PowerShell "<b>Export-WindowsDriver -Online -Destination d:\drivers</b>" while the USB key is mounted as D:\</li>
<ol>
<li>This exports all 3rd party drivers to the USB</li>
</ol>
<li>Mount the install.wim with dism to add the drivers to the Windows image itself</li>
<ol>
<li><b>copy d:\sources\install.wim c:\temp</b> (the image lives under the key's <b>sources</b> folder; run the following commands from C:\temp with an empty C:\temp\mount folder created first, as they use relative paths)</li>
<li><b>dism /mount-wim /wimfile:install.wim /index:1 /mountdir:mount</b></li>
<li><b>Dism /Image:C:\temp\mount /Add-Driver /Driver:d:\drivers /Recurse</b></li>
<li><b>dism /unmount-wim /mountdir:mount /commit</b></li>
<li><b>copy /y install.wim d:\sources\ </b>(or replace with other means)</li>
</ol>
<li>(You can repeat the previous for the D:\Sources\Boot.wim if you want to skip steps 7 & 8) </li>
<li>Boot the new machine with the USB</li>
<li>If you can't find the disk, do the following</li>
<ol>
<li>Hit Shift+F10 to get to the command prompt</li>
<li>Change to your drivers folder like c:\Drivers</li>
<li>Run "for /r %i in (*.inf) do drvload "%i"</li>
</ol>
<li>Refresh the disk view</li>
<li>Clean the disks and install Windows 10</li>
</ol>
<div>
So what this does is take all needed drivers from the preinstalled OS and make sure your new OS (and WinPE, if you did step 5) has the same drivers :) Your Device Manager should look quite nice without any additional steps!</div>
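<div>
As an added example (not code from the original post), the PowerShell script below automates steps 3 to 5 of the list above on the OEM-installed machine: it exports the third-party drivers with Export-WindowsDriver and injects them into install.wim, and optionally boot.wim, using the DISM PowerShell cmdlets (Mount-WindowsImage, Add-WindowsDriver, Dismount-WindowsImage) instead of dism.exe. It assumes the USB key is D:, that the ISO contents were already copied onto it (so the images are at D:\sources\install.wim and D:\sources\boot.wim), and that C:\temp is free to use as a working folder; the parameter names and the -IncludeBootWim switch are my own.</div>

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Automates steps 3-5 of the
# list above: export the OEM machine's third-party drivers and inject them into
# the Windows image(s) on the USB key. Assumptions (constructed for this example):
# the USB key is D:, the ISO contents are already on it (D:\sources\install.wim,
# D:\sources\boot.wim) and C:\temp can be used as scratch space.
param(
    [string]$UsbRoot = 'D:',
    [string]$WorkDir = 'C:\temp',
    # Also patch boot.wim so WinPE/Setup can see the disk (lets you skip steps 7 and 8)
    [switch]$IncludeBootWim
)

$ErrorActionPreference = 'Stop'
$driverDir = Join-Path $UsbRoot 'drivers'
$mountDir  = Join-Path $WorkDir 'mount'
New-Item -ItemType Directory -Force -Path $driverDir, $mountDir | Out-Null

# Step 3: dump every non-inbox (third-party) driver package of the running OS.
Export-WindowsDriver -Online -Destination $driverDir | Out-Null
$infCount = (Get-ChildItem -Path $driverDir -Recurse -Filter '*.inf').Count
Write-Host "Exported $infCount driver packages to $driverDir"

function Add-DriversToWim {
    param([Parameter(Mandatory)][string]$WimOnUsb)

    # Service a local copy: DISM on a FAT32 key is slow and the key may be read-only.
    $localWim = Join-Path $WorkDir (Split-Path -Path $WimOnUsb -Leaf)
    Copy-Item -Path $WimOnUsb -Destination $localWim -Force

    # A WIM can hold several images (boot.wim: index 1 = WinPE, index 2 = Setup);
    # patch every index rather than assuming index 1 as the manual steps do.
    foreach ($img in Get-WindowsImage -ImagePath $localWim) {
        Write-Host ("Injecting drivers into {0} index {1} ({2})" -f $localWim, $img.ImageIndex, $img.ImageName)
        Mount-WindowsImage -ImagePath $localWim -Index $img.ImageIndex -Path $mountDir | Out-Null
        try {
            # Signature checking stays on: a package whose catalog does not verify
            # is rejected, which is what you want for drivers pulled off a machine
            # you are about to wipe. Do not add -ForceUnsigned here.
            Add-WindowsDriver -Path $mountDir -Driver $driverDir -Recurse | Out-Null
            Dismount-WindowsImage -Path $mountDir -Save | Out-Null
        } catch {
            # If any package fails, throw the index away instead of committing a
            # half-patched image, then surface the error.
            Dismount-WindowsImage -Path $mountDir -Discard | Out-Null
            throw
        }
    }

    # End of step 4: put the patched image back on the key (this fails if the WIM
    # grew past the FAT32 4 GB limit; see the note below the script for that case).
    Copy-Item -Path $localWim -Destination $WimOnUsb -Force
}

Add-DriversToWim -WimOnUsb (Join-Path $UsbRoot 'sources\install.wim')
if ($IncludeBootWim) {
    Add-DriversToWim -WimOnUsb (Join-Path $UsbRoot 'sources\boot.wim')
}
Write-Host 'Done. Boot the target from the USB key and continue with step 6.'
```

<div>
Run it from an elevated PowerShell on the preinstalled OS. A boot.wim patched with -IncludeBootWim lets Setup see the disk without the drvload loop in steps 7 and 8. If install.wim grows past 4 GB after injection it no longer fits on a FAT32 key; that is the "other means" of step 4, for which Split-WindowsImage -ImagePath C:\temp\install.wim -SplitImagePath D:\sources\install.swm -FileSize 4000 produces .swm parts that Setup reads natively (delete the original install.wim from the key afterwards).</div>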
<div>
<br /></div>
<div>
Cheers,</div>
<div>
<br /></div>
<div>
Sami</div>
Sami Laiho http://www.blogger.com/profile/16288541861736043371 noreply@blogger.com 1<br />
tag:blogger.com,1999:blog-1328571454955435883.post-1536343312535341507 2016-02-10T17:16:00.003+02:00 2016-02-10T17:16:27.874+02:00<br />
<b>Judgement day: SurfaceBook vs Dell XPS 13</b><br />
Now it's time for the verdict :) Remember this is purely from my point of view as someone who travels 200 days a year and does presentations for a living. This is just my opinion.<br />
<br />
I'm trying to review features that really matter to me. It's easy to say that both are superb devices compared to many others as the 3000$ price tag would suggest.<br />
<br />
For more specific figures and values read this: <a href="http://www.notebookcheck.net/Dell-XPS-13-9350-InfinityEdge-Ultrabook-Review.153376.0.html">http://www.notebookcheck.net/Dell-XPS-13-9350-InfinityEdge-Ultrabook-Review.153376.0.html</a><br />
<br />
I totally agree with it and it gives the common performance numbers that I've verified with the great (Finnish) PCMark tests.<br />
<br />
<b><u>Size with Accessories = What I need to carry</u></b><br />
<br />
The Dell XPS is way more beautiful and compact. Seeing them next to each other I would easily choose the Dell. That's not the whole story anyway when it comes to what I need to carry with me. I sit in the airplane and I'm usually first in the plane because I'm a priority passenger and I want to get a place for my trolley. This means I sit in the airplane more than others and have more time to watch series before the seat belt light goes off. At this time I need a tablet and the Dell XPS won't do. This means it doesn't work by itself, but I need to carry my Surface 3 etc. with me to be able to use it while the flight ascends or descends. With the SurfaceBook I'm good. I'll turn the keyboard under the screen and if someone still complains I just put the keyboard away. It's a very big screen so I am missing my kickstand, to be honest. That's something I'll live with or buy a kickstand.<br />
<br />
That's for the device itself, but that's not all. I need a USB hub and wired network. That goes for both and the external devices for this are the same size. I need a DisplayPort adapter for the SurfaceBook. The one I have is from StarTech with VGA, DVI and HDMI. With the Dell I need the USB 3.1 extender, but it has VGA, HDMI and Ethernet. It only has one USB port so I need the hub anyway. So both require two devices which are of equal size and weight in total.<br />
<br />
I need biometric readers to authenticate. With the Dell XPS this only means a thumb-size USB fingerprint reader for my personal use. It doesn't take space but looks ugly. And it only allows me to authenticate but not to demo Windows Hello's facial detection. For this I need an external camera. With the SurfaceBook I'm good to go as it has the needed camera for both my personal use and demos. The SurfaceBook's battery lasts twice as long for me as the XPS's does. With the XPS I can get through flights but only with the Power Companion from Dell. So the SurfaceBook is bigger, but with the Dell I need these extra things to carry with me: powerbank, RealSense camera, fingerprint reader. The ones that I need to carry for both or that are of equal size are not listed, like external SSD, power supply, mouse and a wireless presenter.<br />
<br />
<b><u>Working with the computer = What can I do with it and how well</u></b><br />
<br />
Keyboard and touchpad on both are good. The only problem I have is the US keyboard on the Surface, which really does bug me heavily. Performance is good enough on both, though the SurfaceBook beats the XPS in basically every aspect and the SSD and GPU performance is WAY better on the Book. Now when it comes to presenting there are a few things that differ. The SurfaceBook with the DisplayPort adapter has never failed me - it just works. The only thing I need to do sometimes is change resolutions. The XPS on the other hand only fails me :( The HDMI adapter hasn't worked on any of my external screens without using Intel's application to set frequencies etc... The VGA I haven't tried on either one. For me the quick and easy use of external monitors and projectors is of huge importance. The next thing I need to do is draw on the screen while presenting. I bought this to be able to work with the touch screen of the XPS at all: <a href="http://www.adonit.net/jot/pro/">http://www.adonit.net/jot/pro/</a> I highly recommend it if you don't have an active digitizer - it's very good compared to any other I've tried. Now I can't rest my hand on the screen, I can't erase, I can't select and I don't get pressure sensitivity. All of these I get with the SurfaceBook. This is honestly one of the biggest differences for me between these two. To do my work the way I like to do it I need the Surface 3 as a companion for my Dell. Well, I need it for the travelling time as well on the other hand. But getting the picture to show from two devices during a presentation - that's not always that easy. Next I need to run VMs. If you've read my previous blog post you know how it works on the SurfaceBook, and I can say both run just as fine with nice SSDs and 16GB of RAM.<br />
<br />
<b><u>Fun and spare time = Which one I like if I don't need to worry about work</u></b><br />
<br />
The Dell is awesome on the lap! Both have equally good speakers and screens. I'd rather have the XPS on my lap, but honestly the battery runs out too soon for my liking... I like to sketch and draw sometimes, so the Dell won't do it for that either. And OH BOY do I hate the webcam placement on the XPS!! I knew I wasn't in perfect shape and have gained a few pounds, but the XPS really makes sure I understand the seriousness of the situation... The webcam is situated in the lower left corner of the screen, so it looks up at you from below your chin and you have no eye contact whatsoever with your family while on Skype...<br />
<br />
<b><u>The verdict</u></b><br />
<br />
I know the SurfaceBook has its faults and I do hate the wrong keyboard layout, but for my work the choice is actually quite easy at the end of the day: The XPS has to go! The SurfaceBook is a keeper :)<br />
<br />
Cheers,<br />
<br />Sami<br />
Sami Laiho http://www.blogger.com/profile/16288541861736043371 noreply@blogger.com 0<br />
tag:blogger.com,1999:blog-1328571454955435883.post-7546530680398836060 2016-01-27T11:12:00.002+02:00 2016-01-27T19:19:53.331+02:00<br />
<b>Review #2 of the SurfaceBook - The Honeymoon is Over</b><br />
It's now been about two months of full workdays with my SurfaceBook. It's taken me this long to write this blog post as I strongly believe in this product and I want to keep using it so much that I wanted to give Microsoft some heads-up and time to figure out if they can fix the biggest problems I've faced. Trust me, I'll tell you the whole story and everything there is to it. Sometimes it's just more important for the big picture to help rather than create headlines. We all know this from the security vulnerabilities point of view.<br />
<br />
The first month with my SurfaceBook I call the "Honeymoon". I was so happy and amazed about the product that I could spend my nights at the hotel just Attaching and Detaching the screen from the base and marveling the engineering behind that mechanism.<br />
<br />
Now the Honeymoon is over and it's time to give an update on how we're doing together today. Yesterday was a breaking point in some way. Next week I need to have a working demo machine to present at NIC in Oslo, so I decided to call a friend of mine to fix me a Dell XPS 13 for Friday - just in case. So as one can imagine, this SurfaceBook hobby of mine and its cost to me is starting to make me a bit sad. I wish we were back in the Honeymoon paradise. By Murphy's law, last night, after making plan B, I finally fixed the biggest issue.<br />
<br />
There are two major issues for me that are deal breakers. I speak at big events and I need to have Hyper-V machines running on my local box, as I can't put my machines on Azure. I need to be able to boot my demo machines with ISO images and I can't trust the Internet. At TechEd EU 2012 the Internet connection was down for 36 hours, and even at Ignite the connections were down all the time. If you want to be in the top positions as a speaker YOU DO NOT HAVE YOUR VMs BEHIND THE INTERNET CONNECTION without a backup at least - my rule for success #1. I don't want to show screenshots like the Azure-demoing speakers need to, or be left without working demos at all. So now back to the SurfaceBook.<br />
<br />
<b>ISSUE 1: Wireless presenters don't work</b><br />
<br />
There's some sort of a shielding issue with the Book's USB 3. This only happens on the Book and not on any other laptops I have. None of my 2.4GHz presenters work properly when there is a USB 3 device plugged in next to the receiver. I thought it was because of the magnesium shell, but it's not. USB 3 uses frequencies that collide with the 2.4GHz range. People are experiencing bad wireless performance because of this as well. Intel actually has a document on this that everyone should take a look at: <a href="http://www.intel.it/content/dam/www/public/us/en/documents/white-papers/usb3-frequency-interference-paper.pdf" style="font-family: Calibri, sans-serif; font-size: 11pt;">http://www.intel.it/content/dam/www/public/us/en/documents/white-papers/usb3-frequency-interference-paper.pdf</a> The reason why your home wireless is bad might be that you plugged a USB 3 disk or printer into your access point. I've uploaded a video showing this: <a href="https://youtu.be/lHA-QAjNZfs">https://youtu.be/lHA-QAjNZfs</a><br />
<br />
I've fixed this in two ways. I have a BlueTooth device that works quite well - Again 100$ more spent on this project. And I have a fix which is cheaper but looks unprofessional as you can see below:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidjb6QfyQTHTwcYtQBl0ZeR7ptHR3eviw_PJjggpbh0jq4mp4sC8of7LwS-4WL8BmxOU2QAy4OAj3RFDBrfcYeSMZWN-HHxrm5XsnwhQkJWwCc877FDyiegld7FQu3BWSzB06lurMTocs/s1600/WP_20151210_002.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidjb6QfyQTHTwcYtQBl0ZeR7ptHR3eviw_PJjggpbh0jq4mp4sC8of7LwS-4WL8BmxOU2QAy4OAj3RFDBrfcYeSMZWN-HHxrm5XsnwhQkJWwCc877FDyiegld7FQu3BWSzB06lurMTocs/s320/WP_20151210_002.jpg" width="180" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Microsoft is aware and I hope there is something they can do about it. It might be a physical issue, so if it's not fixed for my Surface I hope it will be for future patches.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>ISSUE 2: USB 3 external disks work only for a few minutes</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This is the biggest one and the one I fixed yesterday. Whenever my USB 3 devices are under load they get to 100% usage level and then they just disappear! I can't run Hyper-V and I can't for example create Windows To Go sticks. I've tried this with many external enclosures, USB keys and now lately with Samsung's AWESOME 1TB external SSD (size of a credit card!!). 500$ more on the project as I thought I had a broken disk :( I struggled with this and spent time almost every day for two months trying to troubleshoot it. I can't use the Book if I can't run Hyper-V with an external SSD - that's just it! I tried different cables, different powered USB hubs, USB 2, all the possible power management settings... No success. Yesterday I finally went to measures I don't recommend to anyone. I figured out the Intel devices that are used, tweaked the INF files to cheat Windows into thinking it's OK to use them, digitally signed the drivers myself and cheated the Book into trusting my signatures. To get this working I needed help from another famous Finn called Kim Dotcom. He runs the Mega download site in New Zealand, where I found the first hacked Intel drivers to experiment with before creating my own. Last night I finally got the tweaked USB drivers installed for the USB 3 controller and the internal hub. And to my amazement... IT WORKS!! Now Hyper-V is running with multiple VMs and has been stable for hours and hours! Not only does it run, but it's actually lightning fast :)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
So I'm going to NIC with my SurfaceBook that finally does what I need! :) I couldn't be happier! The ISSUE 1 still exists and ISSUE 2 is only a temporary fix by me so I hope Microsoft reacts fast and gets me permanent solutions :)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I have some issues with the tablet disconnecting from time to time from the base and from the docking station, but even these seem to be fixed now. That kind of adds up, as the "Power/Dock connector" of the Book is just a weird-shaped USB 3 connection. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I love the design, keyboard, performance, battery life, screen, airplane usability and the Pen - So don't get me wrong, this product is awesome in so many ways and with these "minor" issues fixed it will hopefully become the Best.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
And... I guess in a few weeks you'll get to read an "XPS 13 vs SurfaceBook" blog post ;)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Cheers,</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Sami and the Book </div>
Sami Laiho http://www.blogger.com/profile/16288541861736043371 noreply@blogger.com 0<br />
tag:blogger.com,1999:blog-1328571454955435883.post-2549011840136324787 2016-01-25T15:54:00.002+02:00 2016-01-25T15:54:34.054+02:00<br />
<b>My new Applixure Blog Post</b><br />
I'm more than proud of the startup company that I work for as a mentor: Applixure!<br />
<br />
I've written a blog post for them that I would like to share with you as Applixure is getting features I'm super excited about: <a href="http://www.applixure.com/blog/security-starts-with-choosing-the-correct-devices/">http://www.applixure.com/blog/security-starts-with-choosing-the-correct-devices/</a><br />
<br />
Applixure can now collect security information that I have requested, and they also announced a really cool new tool to collect user satisfaction data, so read the newest additions to their blog as well at: <a href="http://www.applixure.com/blog/">http://www.applixure.com/blog/</a><br />
<br />
Cheers,<br />
<br />Sami<br />
<br />Sami Laihohttp://www.blogger.com/profile/16288541861736043371noreply@blogger.com0