Vol. 22, #16 - April 17, 2017 - Issue #1127

Reconsidering biometric security


Deep Packet Inspection for Quality of Experience Monitoring

Read this whitepaper to get a detailed description of packet analysis techniques to measure high network response times, network delay, server processing times, client processing time, traffic distribution, and overall quality of experience.

Download Now>>


Editor's Corner

This week's newsletter is all about whether biometric security is in fact secure. We also have some responses to Ask Our Readers items from previous issues, plus the usual tips, tools, and other stuff. Enjoy!

Speaking of biometric security, here's one from Dilbert that is guaranteed to work:


Ask Our Readers - Dealing with GLOBE ransomware (a response)

Back in Issue #1125 Windows Server 2016 resources a reader named Eduardo emailed us with the following request:

2 weeks ago my Word files (and some other from Microsoft Office 2013) were encrypted and they are demanding ransom. The "program" was GLOBE. Any software available to "open" and read my files? Thanks.

Mark, a Network Administrator working in the UK sent us the following comment:

Emsisoft has a Globe3 decrypter here:


Hope that helps!

Ask Our Readers - Mac automation in the enterprise (some responses)

In last week's issue of WServerNews we fielded a question from Kevin who is an IT Director for a company that supplies contamination monitoring systems and airborne particle counters. Kevin had previously offered his own thoughts on this subject in Issue #1122 Reader feedback: Mac vs PC TCO and he wanted us to ask our readers whether they had any additional wisdom or insights they could share regarding automating the management of Apple Mac computers in the enterprise:

I would like to find out how other companies manage Macs on a corporate network with lots of VLANs and lots of identical printers. I'd also like to find out how Apple manages Macs and sharing of files & printers, as I don't see them having Windows servers, and there are probably no PC's outside QA testing.

Mark who works in IT at a university in the USA responded to Kevin's inquiry as follows:

The short answer to Kevin's question is to use JAMF, formerly Casper, to manage Macs:


 The slightly longer answer, is to use CIFS file shares for sharing and JAMF should be able to manage the printers as well. We must have over 100 VLANS on campus and use JAMF for nearly all management of over 1,000 Macs. Apple's Deploy Studio is still utilized to lay down the initial image. Finally, we use a Linux tool that works under BSD to join our Macs to the Active Directory to allow the Macs to use the common Activate Directory for Kerberos authentication. The Active Directory authentication also helps with having common tokens for connecting to files shares on either SANs, Windows file servers, or Linux file servers. Universities tend to be seriously heterogeneous environments.

Another Mark who works as an Infrastructure Solution Specialist in the UK and who previously shared some thoughts on this subject in the Mailbag section of Issue #1124 Value dilution in IT provided me with some additional details of how they manage Macs in their Windows environment:

We currently use Absolute DDS (ex-Computrace) on our MacBooks and Tablets:


Touch wood we haven't had any go missing but we did trial one and bricked it. We've around 100 MacBooks in the estate and 1350 Windows 8 tablets. We're now looking at using it on our Windows laptop estate (around 800). No real point in using it on desktops (Mac or Win). Only downside is there's no agent for iOS but we've very few of those and the only new project I'm aware of may end up with Android (costs as much as anything) as it's a simple web browser app for workforce management.

As far as Casper [JAMF] is concerned we probably don't use it to its fullest extent. Basically it sits on 3 Windows servers (2012R2), 1 primary point and 2 software distribution points. We do actually have an OS X server that we were going to 'PXE' boot (not called that in Apple terminology) from but we found it quicker to build from a bootable USB. Basically that pulls down an OS X image (10.11 in our case) and then does a task sequence (customisable) of app installs. It also adds the Mac into AD and puts it into the correct OU (we use FileVault on MacBooks (equivalent of BitLocker) but not on Mac Pros/iMacs. We also use it for custom login screens/messages and then primarily as a self-service portal so users can select the correct printers, install apps that aren't common across the board etc.

We used a 3rd party to do it all so that's about my depth of knowledge. One thing I could have added (we haven't actually used it) is that there is an SCCM plugin for JAMF:


Ask Our Readers - Windows Server Essentials in the cloud? (new question)

Bob, the Directory for Information Services of a company in Colorado, USA sent us the following:

I am frustrated that I cannot find anywhere a "How To" on adding a Windows Server 2016 Essentials Server to either AWS or Azure, with precise details:

There are a lot of companies out there that would benefit from knowing how to do this and the costs involved.

Can any readers out there help Bob with this? Or maybe someone who works at Microsoft Azure or Amazon AWS and is reading this? Email us at [email protected]

Ask Our Readers: WServerNews has almost 100,000 subscribers worldwide. That's a lot of expertise to tap into. Do you need help with some issue or need advice on something IT-related? Got a question you'd like us to toss out to our readers to try and answer? Email us at [email protected]

Reconsidering biometric security

My wife and I recently enjoyed watching a six episode mini-series called The Night Manager which stars Hugh Laurie and Tom Hiddleston and is based on a book by John Le Carre:


In one episode Tom Hiddleston's character uses his cellphone to perform biometric authentication (iris scanning) for transferring $300,000,000 to a bank in Luxembourg. This got me thinking. Would I trust an iris scan alone for authenticating the transfer an amount anywhere near that large from my own bank account? How secure is iris scan authentication, really?

Are iris scanners secure?

As this article from The Hacker News a couple of years ago demonstrates, iris scanners certainly can be fooled if you have a suitable photo showing the person's eyes:


Then I remembered another movie (maybe by Tom Cruise?) where the character used a device that displayed a collection of different iris patterns in rapid succession to defeat an iris scanner. The character simply held the device up against the scanner and turned in on, and in about 10 seconds the scanner responded with positive authentication and let the character into the secure facility to do whatever he was planning to do--steal something, I imagine. I wondered, could this actually work? Could one create a catalog or database of "base iris patterns" that would have a high probability of fooling an iris scanner in a reasonable amount of time?

Are fingerprint scanners secure?

I filed away the above question in the depths of my brain somewhere, and it remained there until a few days ago when I came across the paper "MasterPrint: Exploring the Vulnerability of Partial Fingerprint-based Authentication Systems" on the IEEE website:


The above article is paywalled but there's a good summary of it here on the MSU Today website of Michigan State University:


The interesting part is this:

With MasterPrints derived from real human fingerprints, the team reported successfully matching between 26 and 65 percent of users, depending on how many partial fingerprint impressions were stored for each user and assuming a maximum number of five attempts per authentication.

In other words, by creating a database of base partial fingerprint patterns, the researchers were able to fool cellphone fingerprint readers a good chunk of the time. So if it can be done with fingerprints, it can probably be done with iris scanners too.

Are voiceprint authenticators secure?

Now let's bring it home. Rod Trent's site myITforum recently informed us that "One of the promised updates to Cortana in Windows 10 Creators Update is the ability to manage the shutdown, restart and locking of your device."


Okay, now let's pretend I'm Tom Cruise or whoever and I'm faced with the impossible mission of trying to unlock a Windows 10 computer so I can abort the launch of a missile that is likely to start World War Three. Leaning over the screen I shout, "Hey, Cortana, unlock my computer!" Nothing happens. "Cortana! Please unlock my computer! Unlock my computer now!!" No response, the clock is ticking. Then Ving Rhames sidles over and says, "Here, let me try." He then presses a button on his cellphone and from phone's tiny speaker comes a rapid-fire stream of "base voiceprint patterns" repeating the words "Hey Cortana unlock my computer" in rapid succession, each voice sounding different from the rest in terms of gender, age, ethnicity, etc. Tom stares on anxiously while Ving seems almost relaxed. Then just before the missile launch sequence activates, the Windows 10 computer responds with "Unlocking your computer" and once again Tom (or actually Ving) saves the world.

Could it be possible to hack a voiceprint authentication system like this? Could it be possible to collect or generate a set of "base voiceprint patterns" such that one of them would have a good chance of defeating a voiceprint authentication system that has been "trained" to identify a certain individual? I think, why not? After all, there must be a lot of variables and assumptions that go into how a real-world voice authenticator works since people don't always speak a phrase with the same clarity or tonality or speed etc. I haven't studied the actual mechanics of how voice authentication systems work but I imagine they work with some set of partial identifiers like how sibilant consonants are articulated or the tonal range and length of certain vowel sounds, so compiling a catalog of all possible permutations of a subset of such partial identifiers could have a good probability of fooling how voice authentication systems work, especially ones implemented in personal computing devices that have relatively limited processing capabilities.

Final thoughts

My point in all this is simply this: Does your organization or business currently use any biometric systems for authentication purposes? How much do trust them? What safeguards do you have in place for using them? Are they used in conjunction with passwords or smartcards for multi-factor authentication? And would you ever consider using biometric authentication alone without a second factor being involved? Why or why not? We'd be interested in hearing our readers' thoughts and experiences on this subject--email us at [email protected]

Send us your feedback

Got feedback about anything in this issue of WServerNews? Email us at [email protected]

Recommended for Learning

Hybrid and Networking Cloud Architecture posters updated for the SharePoint Server 2016 in Azure scenario

With the recent publication of the SharePoint Server 2016 in Microsoft Azure content set, we have updated two posters in the Microsoft Cloud for Enterprise Architects Series. Microsoft Cloud Networking for Enterprise Architects: Includes a new section at the end of the Designing networking for Azure IaaS topic that describes the 9-server high availability SharePoint Server 2016 farm as an example IT workload running in Azure IaaS. You can download the posters in PDF and Visio form from this post on the Cloud Adoption Advisory Board blog:



Microsoft Virtual Academy

Microsoft Azure for IT Pros Content Series: Web & Mobile Apps

Need help with managing, monitoring and maintaining web and mobile apps in Microsoft Azure? Watch this course to learn the basics of Azure websites and mobile services, and how to manage them using the UI, PowerShell and external tools. With our expert instructor, Corey Hynes, you'll compare and contrast infrastructure as a service (IaaS) and platform as a service (PaaS), explore app deployment options with Azure App Service, and get an overview of Azure mobile apps in Azure.


Factoid of the Week

Last week's factoid and question was this:

Peter Ackerman wrote a children's book in 2010 called "The Lonely Phonebooth" about one of only four remaining outdoor phone booths in all of Manhattan. When was the last time you saw a phonebooth? And when was the last time you *used* a phonebooth?

Best answer we received was this one from Don Hill:

The one in Kelly Iowa. I was there couple of years ago. I used it just to take pictures.


Now let's move on to this week's factoid:

Fact: The appropriate response to 'How are you?' in Luxembourgish is 'Tip-Top'.

Source: http://www.wservernews.com/go/cpo9cb3c/

Question: How do *you* usually respond when someone asks "How are you"? Why do you respond that way? Hint: I usually feel uncomfortable when someone asks me how I am as it throws me into a moral dilemma i.e. should I answer honestly or just return a meaningless pleasantry?

Email your answer to us at: [email protected]

Until next week, 

Mitch Tulloch


Admin Toolbox

Admin Tools We Think You Shouldn't Be Without

GOT ADMIN TOOLS or other software/hardware you'd like to recommend? Email us at [email protected]

The Expert Guide to VMware Disaster Recovery and Data Protection by Mike Preston. Enable always-on operations shifting from backup and recovery to Availability.


Dashlane helps you never forget another password:


NirSoft Wireless Network Watcher is a small utility that scans your wireless network and displays the list of all computers and devices that are currently connected to your network:


Netwrix Change Notifier for Group Policy tracks every change made to your group policy objects (GPOs), including GPO links, audit policy, password policy, and software deployment changes, and fills major gaps found in native auditing tools:



This Week's Tips

GOT TIPS you'd like to share with other readers? Email us at [email protected]

Azure - Azure Automation DSC

Anthony Watherston has a great how-to tutorial showing how create a compiled DSC configuration in Azure Automation DSC released via Visual Studio Team Services:


Internet Explorer - Launch IE in Private Mode with PowerShell

The OneScript Team Blog has a link to a script you can download from the TechNet Script Gallery that shows how you can create a shortcut to start IE in private mode by PowerShell:


Windows - Remove all network computers

The OneScript Team Blog has created some sample VBScript code you can use to remove all network printers on a computer:


Events Calendar

Microsoft Build in May 10-12, 2017 in Seattle, Washington.


Microsoft Worldwide Partner Conference (WPC) on July 9-13, 2017 in Washington, D.C.


Microsoft Ignite on September 25-29, 2017 in Orlando, Florida


Add Your Event

PLANNING A CONFERENCE OR OTHER EVENT you'd like to tell our 100,000 subscribers about? Contact [email protected]

New on TechGenix.com

Parallels RAS: A solution for all your application-virtualization needs

IT managers looking for an all-purpose solution to implement application virtualization would be wise to check out the offering from Parallels:


Microsoft: How to monitor the use of cloud applications without violating user privacy

Cloud App Security by Microsoft gives IT administrators a secure way to see what cloud apps are being used while anonymizing the data:


Despite problems, is Microsoft retiring its EMET security tool too soon?

According to WikiLeaks, the CIA and others can bypass Microsoft's soon-to-be-retired EMET security tool. Does this leave you vulnerable to attackers?


Start to finish guide: Migrating from VMware to Hyper-V

Migrating from VMware to Hyper-V is becoming common. But common doesn't mean easy. Follow this guide and you can accomplish the task without too much pain.


Revisiting Server Manager

With some help from a Senior Premiere Field Engineer (PFE) at Microsoft we re-examine Server Manager in this article and learn why sysadmins may want to give this tool another look.



Tech Briefing


4 ways of adding your application to Azure Active Directory (Azure Development Community)


How to Secure an ARM-based Windows Virtual Machine RDP access in Azure (Ask PFE Platforms)



The five most common mistakes approaching DevOps (TechNet UK Blog)


Book Excerpt: Introducing DevOps chapter from DevOps with Windows Server 2016 book (All Things Geeky)


Office 365

EMAT 3.0 is here (EMAT 3.0)


New Test Lab Guide shows the integration of Dynamics 365 within an Exchange Online mailbox (Cloud Adoption Advisory Board)



GDPR: Data Protection Impact Assessment (WindowsSecurity.com)


Windows 10 & HIPAA Compliance (Chris Jones)



Step-by-Step: Deploy Windows Server 2016 Storage Spaces Direct (S2D) Cluster in Microsoft Azure (Keith Mayer)


To RDMA, or not to RDMA – that is the question (Server Storage at Microsoft)


WServerNews FAVE Links

This Week's Links We Like. Tips, Hints And Fun Stuff

GOT FUN VIDEOS or other fun links to suggest you'd like to recommend? Email us at [email protected]

Would You Qualify To Drive The President's Limo? This Driver Certainly Would!

Do you think you are a good driver? Check out this guy doing a backward drift with a presidential limo:


The Futuristic Flyboard Air

is now the main sponsor of the amazing flying machine that hat allows a man in an upright position to whizz through the air powered by jet engines:


Gravity Illusions On The Streets Of San Francisco

San Francisco's steep hills inspired a gravity-bending dance tribute to the music: 'I Don't Feel Like Dancing' by the Scissor Sisters:


Second Oldest Trick in Sleight of Hand

Magician and comedian Chris Hannibal is proud to perform the second oldest trick in sleight of hand:



WServerNews - Product of the Week

Deep Packet Inspection for Quality of Experience Monitoring

Read this whitepaper to get a detailed description of packet analysis techniques to measure high network response times, network delay, server processing times, client processing time, traffic distribution, and overall quality of experience.

Download Now>>


WServerNews - Editors

Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit and has been author or series editor for almost fifty books mostly published by Microsoft Press. Mitch is also a ten-time recipient of Microsoft's Most Valuable Professional (MVP) award for his  outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com.

Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid is also manages research and marketing for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.