Vol. 19, #33 - August 18, 2014 - Issue #993
Securing Boot Volumes
This week's newsletter is all about safeguarding the boot volume of your Windows servers and workstations. Unfortunately I searched in vain for a Dilbert comic that might have something humorous to say about the word "boot" so instead of the usual comic strip here's a joke about boots I found on JokeBuddha.com:
Awww, kids are so cute, aren't they?
Ask our Readers - Vipre firewall and 3CX Phone System
In the previous Issue #992 Troubleshooting Strategies, a reader named Paul asked:
Does any reader use the 3CX Phone System? I have been unable to configure the Vipre firewall to allow 3CX software for UDP/TCP port forwarding. If anybody has succeeded doing this, I would appreciate some help.
A reader named JanChris from the Netherlands had the following suggestion:
Is he sure the port is available from his provider? I had a 4 month row with my provider because they keep the designated port for SIP for themselves and do not allow the user to use 5060. Remedy: configure sip on 5061 and document well for all equipment.
Ask Our Readers - Help for Windows 8.1 noobs
In Issue #990 The Importance of Roadmaps, we included the following request from a reader named Marguerite:
Is there a newsletter for non-server ordinary win8.1 users?
In the two issues that followed that one several readers identified the following as useful resources:
This week a reader named Mark who is a Technical Architect in the UK suggested one additional resource:
We're in the middle of deploying 1300 Windows 8.1 Tablets and have found [this] invaluable:
Ask Our Readers: WServerNews has 100,000 subscribers worldwide. That's a lot of expertise to tap into. Do you need help with some issue or need advice on something IT-related? Got a question you'd like us to toss out to our readers to try and answer? Email us at [email protected]
From the Mailbag
In Issue #992 Troubleshooting Strategies, we talked about strategies for troubleshooting problems with PCs and servers running Windows. Several readers shared their feedback concerning this topic, and here's a short sampling:
- The other strategy I would have tried in your situation would have been to see if the problem duplicated itself using a different logon. Sometimes the problem is isolated to a particular user profile rather than the OS or the application in question and rebuilding either the entire profile or a portion of it will fix the problem. --George, a System Administrator based in Tallahassee, Florida USA
- About Chrome certificate errors: Something we learned just on Friday was that Chrome does not have its own certificate store (like Firefox); it leverages the Windows system certificate store. So using Chrome or IE would have resulted in the same certificate error (if the error was caused by a certificate, or in this case, a date issue; the error occurred because the date preceded the valid on date in the certificate). Another way to resolve the timing error is to set up an NTP time source (we use 0.pool.ntp.org) so Windows automatically resets the time; ensure that you also set the Windows registry key to accept any time skew; otherwise, if the time difference exceeds the default limit, it will not reset the clock. --Jeffrey
And now on to the main topic of this issue...
Securing Boot Volumes
There was a big discussion on tech forums around two years ago about Microsoft's inclusion of UEFI Secure Boot technology in Windows 8. Linux gurus complained that Secure Boot would prevent users who purchased Windows 8 pre-installed on OEM PCs from wiping their machines and installing Linux should they want to do so. In the end the reality was a bit more prosaic since it's only on Windows RT machines that Secure Boot can't be disabled as this TechNet article explains:
But this discussion does raise an important question: How can a PC be configured so it can only be booted from its boot volume?
There are lots of threat vectors in today's world where Windows PCs and other types of end-user computing devices are ubiquitous. One of those vectors is where an attacker who has access to a PC can boot it to a bootable Linux installation on CD or DVD media. Wikipedia has a good article on this topic:
There are zillions of kinds of such live CDs available:
Naturally, this can work with USB removable drives as well:
Windows To Go, a technology introduced in Windows 8.1 that allows a portable Windows installation to be booted from a USB-connected external drive, has some of the capabilities of a live CD but in other ways it's different. For example, the internal hard disks of the host PC are offline when you boot the host into Windows To Go. This means you can't use Windows To Go to copy sensitive data from the internal drives of a PC. See this TechNet article for a good description of what Windows To Go can and can't do:
But getting back to the live CD threat vector, it's tempting to say that if the PC isn't physically secured then of course it's vulnerable to this kind of attack, which circumvents the normal Windows boot process. The reality, however, is that physical security isn't an absolute black-and-white form of protection. There is actually a spectrum of different levels of physical security ranging from not very secure to very secure indeed. For example:
- PC is in a locked room (not very secure if lock can be picked)
- PC is in a locked room and has no CD/DVD drive (a bit harder to boot from a live CD)
- PC is in a locked room, has no CD/DVD drive, and has had epoxy glue poured into all of its USB ports (but someone who picked the lock could still pick up the PC and walk out the door with it)
- PC is in a locked room, has no CD/DVD drive, has had epoxy glue poured into all of its USB ports, and is securely locked in a vault whenever its user isn't making use of the PC (the user got so frustrated with this that he opened up his PC during lunch hour and removed the hard drive so he could take it home to finish his project over the weekend)
The moral of course is that if you push too hard on ensuring security you're simply going to end up weakening security instead of strengthening it.
But let's get back to securing the boot volume to ensure that a PC can only be booted to its own Windows installation and can't be overwritten by the installation of another operating system. This is a very big requirement in some environments. For example, an educational organization wants to prevent students from installing or booting from any other operating system on their PCs. How can they do this?
Basically, the good old two-step method is best:
- Configure a password in the BIOS of the machine.
- Configure the BIOS so that it can only boot from (or boots first from) its internal hard drive.
Keep in mind however that:
- Keeping track of BIOS passwords of large numbers of PCs can be a pain.
- Using only one BIOS password for many PCs is a single point of vulnerability.
- Applying a BIOS update on some systems can reset all the BIOS settings to their defaults including resetting the BIOS password to null.
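The two steps and three caveats above can be checked across a fleet from an inventory export. The following is an added example, not part of the original newsletter; the record fields, host names, vault labels and finding names are assumptions, and the inventory data is constructed.

```python
from collections import Counter

INTERNAL = "internal-hdd"  # assumed label for the internal disk in the inventory

# Constructed inventory. "pw_id" is the label of the password-vault entry
# assigned to the PC, never the BIOS password itself.
FLEET = [
    {"host": "LAB-01", "pw_set": True, "pw_id": "vault-17",
     "boot": ["internal-hdd"], "bios": "A12"},
    {"host": "LAB-02", "pw_set": True, "pw_id": "vault-17",
     "boot": ["internal-hdd", "usb"], "bios": "A12"},
    {"host": "LAB-03", "pw_set": False, "pw_id": None,
     "boot": ["usb", "internal-hdd"], "bios": "A14"},
    {"host": "LAB-04", "pw_set": True, "pw_id": "vault-17",
     "boot": ["internal-hdd"], "bios": "A14"},
]
# BIOS versions recorded at the previous audit (constructed).
BASELINE = {"LAB-01": "A12", "LAB-02": "A12", "LAB-03": "A12", "LAB-04": "A12"}

def audit(fleet, baseline, max_shared=2):
    """Return {host: [finding, ...]} for the two-step method and its caveats."""
    # How many PCs share each vault entry (single point of vulnerability).
    shared = Counter(pc["pw_id"] for pc in fleet if pc["pw_set"])
    report = {}
    for pc in fleet:
        found = []
        if not pc["pw_set"]:
            found.append("NO_BIOS_PASSWORD")
        elif shared[pc["pw_id"]] > max_shared:
            found.append("SHARED_PASSWORD")
        boot = pc["boot"]
        if not boot or boot[0] != INTERNAL:
            found.append("BOOTS_EXTERNAL_FIRST")
        elif len(boot) > 1:
            # "Boots first from" rather than "only from" the internal disk.
            found.append("EXTERNAL_FALLBACK_ENABLED")
        # A BIOS update may have reset settings and password: verify again.
        if baseline.get(pc["host"]) != pc["bios"]:
            found.append("FIRMWARE_CHANGED_RECHECK")
        report[pc["host"]] = found
    return report

if __name__ == "__main__":
    for host, found in audit(FLEET, BASELINE).items():
        print(host, ", ".join(found) or "OK")
```
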
Send us feedback
Do you configure the BIOS password on your organization's PCs to secure their boot volumes? Or do you have some other solution you can recommend on this issue? Let us know at [email protected]
Tip of the Week - Update rollups for Microsoft products
From time to time Microsoft releases "update rollups" that contain batches of fixes for some of their products. An example of this was the enterprise hotfix rollup available for Windows 7 SP1 and Windows Server 2008 R2 SP1 which is described in this KB article:
Note that while applying a rollup is supposed to fix multiple problems at once, as you can see from reading the above article sometimes further fixes are released to fix new problems that were introduced by the earlier fix. Regardless of this, it's important to try to ensure that Microsoft products you're using in your environment are up to date with updates and hotfixes released for that product. A good place to find recent updates is on the Microsoft Download Center, and this link lists update rollups that have been released by their date of availability:
GOT TIPS you'd like to share with other readers? Email us at [email protected]
Want to test-drive Microsoft software without having to commit hardware from your lab? Explore the TechNet Virtual Labs at:
Microsoft Virtual Academy
Two announcements from the Microsoft Virtual Academy:
August 26: The Modern Web Platform Jump Start
Quote of the Week
"If you don't know where you are going, you'll end up someplace else." -- Yogi Berra
Until next week,
Note to subscribers: If for some reason you don’t receive your weekly issue of this newsletter, please notify us at [email protected] and we’ll try to troubleshoot things from our end.
Do you know which users have access to sensitive files or directories? Using Permissions Analyzer, you’ll be able to easily see what permissions a user or group of users has for an object and why.
Veeam Task Manager for Hyper-V is a portable, standalone performance monitoring tool. Improve troubleshooting in your Hyper-V environment by seeing what Windows Task Manager doesn’t show you.
Amazon Web Services and Metalogix Virtual Private Cloud provide organizations with a highly secure and scalable Exchange and Files archive solution. Take it for an Instant Test Drive Today.
The PUREX Technology tablet multi-flex tablet mount lets you adjust to any position you like and just enjoy using your tablet comfortably.
ExifToolGUI for Windows lets you view and edit metadata inside image files.
Microsoft SQL Server PASS Summit 2014 on November 4-7, 2014 in Seattle, Washington
TechEd Europe on October 27-31, 2014 in Barcelona, Spain
TechEd New Zealand on September 9-12, 2014 in Auckland, New Zealand
Add your event
PLANNING A CONFERENCE OR OTHER EVENT you'd like to tell our 95,000 subscribers about? Contact [email protected]
MSExchange.org Ask the Expert Webinar: MS Office 365, Azure, and More
Join our expert panel of Exchange MVPs to benefit from their insights into Office 365, Azure and other top issues and questions facing Exchange Administrators, as obtained by a July 2014 survey of the TechGenix audience.
This live online event, sponsored by Kemp Technologies and hosted by MSExchange.org, takes place on Wednesday, August 20, 2014, at 12N EDT | 9AM PDT. You'll hear a wide range of topics discussed by this panel of experts which includes MS Exchange MVP Steve Goodman, MS Exchange MVP Michael Van Horenbeeck, and MVP and MCM Bhargav Shukla of KEMP Technologies.
Just a few examples include:
- How does federation work in a hybrid environment?
- How do you deploy a Site Failover in Windows Azure?
- When do Office 365 and Azure make financial sense?
- How useful is DLP in Office 365?
You'll also be able to get your live questions answered by the experts. Don't miss this unique opportunity.
Register for Webcasts
Add your Webcast
PLANNING A WEBCAST you'd like to tell our subscribers about? Contact [email protected]
Cloud Computing Guide for Legal (Microsoft Download Center)
Oracle Becomes Data-as-a-Service Provider (Data Center Knowledge)
Enabling Hybrid Cloud Today with Microsoft Technologies whitepaper (Microsoft Download Center)
Configuring AD users and managers with PowerShell (4sysops)
Explore enterprise social scenarios (Microsoft Download Center)
How to Register for Dell Firmware Updates (Dell TechCenter Blog)
Small business IT
Save and share files in the cloud by using OneDrive for Business (Microsoft Download Center)
Quick Start to Office 365 for Small to Medium Businesses (Microsoft Download Center)
Migrating Windows SBS 2003 to Windows SBS 2011 Essentials (Microsoft Download Center)
Easy Print Anomaly (Third Tier)
Cluster-Aware Update Runs: How Long? (Third Tier)
Allowing Expired or Forced Password Changes on RDWeb (Third Tier)
Windows Networking Tricks and Tips
Getting started with SaltStack
Planning Considerations for BYOD and Consumerization of IT (Part 1)
Managing mailbox features with corporate profiles (Part 1)
Private cloud is private, but security is no guarantee
It’s easy to associate private cloud with security and privacy, but it’s not always the case. To ensure your private cloud is secure and really private, you need a well-crafted and carefully monitored plan to avoid a potential disaster. Find out what steps to take inside.
Get your VDI for free
As surprising as it sounds, free VDI is not a joke. Though VDI has a costly reputation, free VDI products do exist for specific environments. Learn how to evaluate your options and choose the one that will best match your current and future needs by understanding and comparing their features, limitations, and capabilities.
You can’t avoid hardware failure entirely, so plan for it
In a perfect world, hardware failure wouldn’t be a concern, but unfortunately, planning for recovery is an absolute must. Learn about several different and easy-to-implement ways you can start to plan for hardware failure to ensure you’re prepared for unexpected interruptions.
How to modify a vApp for smoother deployments
With OVA and OVF files, you can deploy and create multiple complex and useful vApps, or a collection of VMs to make up an appliance group. Doing so can save you time and reduce a variety of potential problems. Learn how to start building VMware vApps today so you can ward off potential problems tomorrow.
This Week's Links We Like. Tips, Hints And Fun Stuff
GOT FUN VIDEOS or other fun links to suggest you'd like to recommend? Email us at [email protected]
The Difference Between Time Lapse And Hyper-Lapse
Microsoft has developed a new way to condense long, often boring first-person videos into an ultra-smooth 'hyperlapse':
Hot Crazy Matrix - A Man's Guide to Women
The 'Hot - Crazy Matrix' - a funny guide to dating women. Also includes the 'Cute vs Rich Matrix' for women dating men:
Budapest Airshow 2014 Highlights
Highlights from the Budapest Airshow 2014 featuring planes flying through the beautiful city and taking off from and flying under the bridges of the Danube river:
A Different Way To Cut A Watermelon
Taking 'How to slice up a watermelon into bite-size chunks' to the next level:
WServerNews - Editors
Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit and has been author or series editor for almost fifty books mostly published by Microsoft Press. Mitch is also a ten-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com.
Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid also manages research and marketing for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.