Vol. 19, #33 - August 18, 2014 - Issue #993
This week's newsletter is all about safeguarding the boot volume of your Windows servers and workstations. Unfortunately I searched in vain for a Dilbert comic that might have something humorous to say about the word "boot" so instead of the usual comic strip here's a joke about boots I found on JokeBuddha.com:
Awww, kids are so cute, aren't they?
In the previous Issue #992 Troubleshooting Strategies, a reader named Paul asked:
Does any reader use the 3CX Phone System? I have been unable to configure the Vipre firewall to allow 3CX software for UDP/TCP port forwarding. If anybody has succeeded doing this, I would appreciate some help.
A reader named JanChris from the Netherlands had the following suggestion:
Is he sure the port is available from his provider? I had a 4-month row with my provider because they keep the designated port for SIP for themselves and do not allow the user to use 5060. Remedy: configure SIP on 5061 and document well for all equipment.
In Issue #990 The Importance of Roadmaps, we included the following request from a reader named Marguerite:
Is there a newsletter for non-server ordinary win8.1 users?
In the two issues that followed that one several readers identified the following as useful resources:
This week a reader named Mark who is a Technical Architect in the UK suggested one additional resource:
We're in the middle of deploying 1300 Windows 8.1 Tablets and have found [this] invaluable:
Ask Our Readers: WServerNews has 100,000 subscribers worldwide. That's a lot of expertise to tap into. Do you need help with some issue or need advice on something IT-related? Got a question you'd like us to toss out to our readers to try and answer? Email us at firstname.lastname@example.org
In Issue #992 Troubleshooting Strategies, we talked about strategies for troubleshooting problems with PCs and servers running Windows. Several readers shared their feedback concerning this topic, and here's a short sampling:
And now on to the main topic of this issue...
There was a big discussion on tech forums around two years ago about Microsoft's inclusion of UEFI Secure Boot technology in Windows 8. Linux gurus complained that Secure Boot would prevent users who purchased Windows 8 pre-installed on OEM PCs from wiping their machines and installing Linux should they want to do so. In the end the reality was a bit more prosaic since it's only on Windows RT machines that Secure Boot can't be disabled as this TechNet article explains:
But this discussion does raise an important question: How can a PC be configured so it can only be booted from its boot volume?
There are lots of threat vectors in today's world where Windows PCs and other types of end-user computing devices are ubiquitous. One of those vectors is where an attacker who has access to a PC can boot it to a bootable Linux installation on CD or DVD media. Wikipedia has a good article on this topic:
There are zillions of kinds of such live CDs available:
Naturally, this can work with USB removable drives as well:
Windows To Go, a technology introduced in Windows 8 Enterprise that allows a portable Windows installation to be booted from a USB-connected external drive, has some of the capabilities of a live CD but in other ways it's different. For example, the internal hard disks of the host PC are left offline by default when you boot the host into Windows To Go (the workspace applies an offline SAN policy to them), so booting Windows To Go doesn't by itself expose the sensitive data on a PC's internal drives the way a live CD does. Note that this is a default that an administrator inside the workspace can override by bringing the disks online, not a hardware lock. See this TechNet article for a good description of what Windows To Go can and can't do:
But getting back to the live CD threat vector, it's tempting to say that if the PC isn't physically secured then of course it's vulnerable to this kind of attack, which circumvents the normal Windows boot process, and that physical security is therefore the answer. The reality, however, is that physical security isn't an absolute black-and-white form of protection. There is actually a spectrum of different levels of physical security ranging from not very secure to very secure indeed. For example:
The moral of course is that if you push physical security too hard you're simply going to end up weakening security instead of strengthening it, because people work around controls that get in the way of their work.
But let's get back to securing the boot volume to ensure that a PC can only be booted to its own Windows installation and can't be booted from other media or overwritten by installation of another operating system. This is a very big requirement in some environments. For example, an educational organization wants to prevent students from installing or booting from any other operating system on their PCs. How can they do this?
Basically, the good old two-step method is best: first, set the firmware (BIOS or UEFI setup) boot order so that the internal hard disk is the only permitted boot device, with booting from optical drives, USB devices and the network disabled; and second, set a BIOS/UEFI setup (supervisor) password so that nobody but an administrator can change that boot order or re-enable the other devices. On UEFI machines, leaving Secure Boot enabled adds a third layer, since unsigned boot media is then refused even if the boot order is somehow changed.
Keep in mind however that a firmware password only raises the bar. On most desktops it can be reset by anyone who can open the case and clear the CMOS or move a jumper, vendors publish reset procedures for their own machines, and an attacker who can remove the disk and attach it to another computer bypasses the firmware entirely. So the two-step method keeps honest users and casual tampering out, but the data on the boot volume is only safe against a determined attacker with physical access if the volume is also encrypted.
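As an added example (not part of the original newsletter), here is a PowerShell script that reports the evidence Windows itself can give you about a machine's boot-volume posture: firmware type, Secure Boot state, TPM status and whether the OS volume is BitLocker-protected. It uses the SecureBoot, TrustedPlatformModule and BitLocker modules that ship with Windows 8/Server 2012 and later and needs an elevated prompt; the function name Get-BootVolumePosture and the wording of the findings are my own. The firmware password and boot-order lock cannot be read from inside Windows, so this script audits what the two-step method leaves exposed rather than the two steps themselves, which remain a manual check in the BIOS/UEFI setup screens.

```powershell
# Boot-volume posture audit (added example, not the newsletter's own script).
# Run elevated on Windows 8 / Server 2012 or later. Reports in-OS evidence of
# whether a machine will only boot its own Windows installation and whether the
# boot volume is protected if someone boots other media or pulls the disk.

function Get-BootVolumePosture {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName  = $env:COMPUTERNAME
        FirmwareType  = $env:firmware_type   # 'UEFI' or 'Legacy' on Windows 8 and later
        SecureBoot    = $null
        TpmPresent    = $null
        TpmReady      = $null
        OsDriveLetter = $env:SystemDrive
        BitLockerOs   = $null
        Findings      = @()
    }

    # 1. Secure Boot: only meaningful on UEFI firmware; the cmdlet throws on legacy BIOS.
    try {
        $result.SecureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        $result.SecureBoot = $false
        $result.Findings += "Secure Boot unavailable ($($_.Exception.Message))"
    }
    if ($result.FirmwareType -eq 'UEFI' -and $result.SecureBoot -eq $false) {
        $result.Findings += 'UEFI firmware but Secure Boot is off: unsigned boot media will load'
    }
    if ($result.FirmwareType -eq 'Legacy') {
        $result.Findings += 'Legacy BIOS boot: no Secure Boot, only the boot order and setup password stand in the way'
    }

    # 2. TPM: needed for BitLocker to unlock the OS volume without a user-supplied key.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $result.TpmPresent = $tpm.TpmPresent
        $result.TpmReady   = $tpm.TpmReady
        if (-not $tpm.TpmReady) {
            $result.Findings += 'TPM absent or not ready: BitLocker would need a startup key or PIN'
        }
    } catch {
        $result.Findings += 'TPM query failed (no TPM, or TrustedPlatformModule module missing)'
    }

    # 3. BitLocker on the OS volume: a firmware password stops people *booting* other
    #    media, but only encryption protects the data if the disk is removed or the
    #    password is reset by clearing CMOS.
    try {
        $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $result.BitLockerOs = "$($bl.ProtectionStatus) ($($bl.VolumeStatus))"
        if ($bl.ProtectionStatus -ne 'On') {
            $result.Findings += 'OS volume is not BitLocker-protected: a live CD or a pulled disk can read it'
        }
    } catch {
        $result.Findings += 'BitLocker query failed (module missing or prompt not elevated)'
    }

    if ($result.Findings.Count -eq 0) {
        $result.Findings += 'No in-OS findings; verify boot order and setup password in firmware'
    }

    [pscustomobject]$result
}

Get-BootVolumePosture | Format-List
```

Run it from an elevated PowerShell prompt on the machine being checked, or wrap the function call in Invoke-Command to sweep a set of lab PCs; any line in Findings is something the firmware password alone does not cover.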
Send us feedback
Do you configure the BIOS password on your organization's PCs to secure their boot volumes? Or do you have some other solution you can recommend on this issue? Let us know at email@example.com
From time to time Microsoft releases "update rollups" that contain batches of fixes for some of their products. An example of this was the enterprise hotfix rollup available for Windows 7 SP1 and Windows Server 2008 R2 SP1 which is described in this KB article:
Note that while applying a rollup is supposed to fix multiple problems at once, as you can see from reading the above article, sometimes further fixes have to be released for new problems introduced by the earlier fix. Regardless, it's important to ensure that the Microsoft products in your environment are up to date with the updates and hotfixes released for them. A good place to find recent updates is the Microsoft Download Center, and this link lists update rollups by their date of availability:
GOT TIPS you'd like to share with other readers? Email us at firstname.lastname@example.org
Want to test-drive Microsoft software without having to commit hardware from your lab? Explore the TechNet Virtual Labs at:
Two announcements from the Microsoft Virtual Academy:
August 26: The Modern Web Platform Jump Start
"If you don't know where you are going, you'll end up someplace else." -- Yogi Berra
Until next week,
Note to subscribers: If for some reason you don’t receive your weekly issue of this newsletter, please notify us at email@example.com and we’ll try to troubleshoot things from our end.
Do you know which users have access to sensitive files or directories? Using Permissions Analyzer, you’ll be able to easily see what permissions a user or group of users has for an object and why.
Veeam Task Manager for Hyper-V is a portable, standalone performance monitoring tool. Improve troubleshooting in your Hyper-V environment by seeing what Windows Task Manager doesn’t show you.
Amazon Web Services and Metalogix Virtual Private Cloud provide organizations with a highly secure and scalable Exchange and Files archive solution. Take it for an Instant Test Drive Today.
The PUREX Technology tablet multi-flex tablet mount lets you adjust to any position you like and just enjoy using your tablet comfortably.
ExifToolGUI for Windows lets you view and edit metadata inside image files.
Microsoft SQL Server PASS Summit 2014 on November 4-7, 2014 in Seattle, Washington
TechEd Europe on October 27-31, 2014 in Barcelona, Spain
TechEd New Zealand on September 9-12, 2014 in Auckland, New Zealand
PLANNING A CONFERENCE OR OTHER EVENT you'd like to tell our 95,000 subscribers about? Contact firstname.lastname@example.org
Join our expert panel of Exchange MVPs to benefit from their insights into Office 365, Azure and other top issues and questions facing Exchange Administrators, as obtained by a July 2014 survey of the TechGenix audience.
This live online event, sponsored by Kemp Technologies and hosted by MSExchange.org, takes place on Wednesday, August 20, 2014, at 12N EDT | 9AM PDT. You'll hear a wide range of topics discussed by this panel of experts which includes MS Exchange MVP Steve Goodman, MS Exchange MVP Michael Van Horenbeeck, and MVP and MCM Bhargav Shukla of KEMP Technologies.
Just a few examples include:
You'll also be able to get your live questions answered by the experts. Don't miss this unique opportunity.
PLANNING A WEBCAST you'd like to tell our subscribers about? Contact email@example.com
Cloud Computing Guide for Legal (Microsoft Download Center)
Oracle Becomes Data-as-a-Service Provider (Data Center Knowledge)
Enabling Hybrid Cloud Today with Microsoft Technologies whitepaper (Microsoft Download Center)
Configuring AD users and managers with PowerShell (4sysops)
Explore enterprise social scenarios (Microsoft Download Center)
How to Register for Dell Firmware Updates (Dell TechCenter Blog)
Save and share files in the cloud by using OneDrive for Business (Microsoft Download Center)
Quick Start to Office 365 for Small to Medium Businesses (Microsoft Download Center)
Migrating Windows SBS 2003 to Windows SBS 2011 Essentials (Microsoft Download Center)
Easy Print Anomaly (Third Tier)
Cluster-Aware Update Runs: How Long? (Third Tier)
Allowing Expired or Forced Password Changes on RDWeb (Third Tier)
Windows Networking Tricks and Tips
Getting started with SaltStack
Planning Considerations for BYOD and Consumerization of IT (Part 1)
Managing mailbox features with corporate profiles (Part 1)
It’s easy to associate private cloud with security and privacy, but it’s not always the case. To ensure your private cloud is secure and really private, you need a well-crafted and carefully monitored plan to avoid a potential disaster. Find out what steps to take inside.
As surprising as it sounds, free VDI is not a joke. Though VDI has a costly reputation, free VDI products do exist for specific environments. Learn how to evaluate your options and choose the one that will best match your current and future needs by understanding and comparing their features, limitations, and capabilities.
In a perfect world, hardware failure wouldn’t be a concern, but unfortunately, planning for recovery is an absolute must. Learn about several different and easy-to-implement ways you can start to plan for hardware failure to ensure you’re prepared for unexpected interruptions.
With OVA and OVF files, you can deploy and create multiple complex and useful vApps, or a collection of VMs to make up an appliance group. Doing so can save you time and reduce a variety of potential problems. Learn how to start building VMware vApps today so you can ward off potential problems tomorrow.
This Week's Links We Like. Tips, Hints And Fun Stuff
GOT FUN VIDEOS or other fun links to suggest you'd like to recommend? Email us at firstname.lastname@example.org
Microsoft has developed a new way to condense long, often boring first-person videos into a ultra-smooth 'hyperlapse':
The 'Hot - Crazy Matrix' - a funny guide to dating women. Also includes the 'Cute vs Rich Matrix' for women dating men:
Highlights from the Budapest Airshow 2014 featuring planes flying through the beautiful city and taking off from and flying under the bridges of the Danube river:
Taking 'How to slice up a watermelon into bite-size chunks' to the next level:
Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit and has been author or series editor for almost fifty books mostly published by Microsoft Press. Mitch is also a ten-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com.
Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid also manages research and marketing for our content development business and has co-developed university-level courses in Information Security Management for a Master of Business Administration program.