Vol. 23, #39 - October 1, 2018 - Issue #1201
WServerNews Spotlight: Ask Our Readers about bloatware, small SSDs, and password crackers
- Editor's Corner
- HOT!! - Interview with Rick Vanover of Veeam
- Ask Our Readers - Dealing with bloatware (responses and a follow-up question)
- Ask Our Readers - Small SSDs and Windows/Office (some responses)
- Ask Our Readers - Why are brute force crackers still used? (a follow up question)
- Tip of the Week
- How Healthy is your LAPS Environment?
- Admin Toolbox
- Admin Tools We Think You Shouldn't Be Without
- Beware of the dragon's breath!
- Conference calendar
- North America
- New on Techgenix.com
- Step-by-step guide: Digging deep into Azure Service Map
- Top in-demand tech jobs for the present and near future
- How to get a handle on Microsoft Windows patch management
- PowerShell quick hits: Cmdlets and scripts for managing Windows Failover
- AI technology will change how you go about these everyday activities
- Fun videos from Flixxy
- Will Smith Bungee Jumps Out Of A Helicopter
- Laser Projection Keyboard
- Airbus Trying To Land During Gusty Winds
- Tribute To Elon Musk And Tesla By A Fan
- More articles of interest
- Not sure how to start with DevOps? Here's one option
- AWS development services push apps from code to production
- Optimize load balancing for a hybrid cloud architecture
- Checklist for mobile app testing: 12 gaps to look out for
- Need help from the IT pro community?
- Send us your feedback
- WServerNews - Product of the Week
- 100% Freeware: Tool for Active Directory Monitoring
- SAVE THIS NEWSLETTER so you can refer back to it later for helpful tips, tools and resources!
- SEND YOUR FEEDBACK to [email protected] if you have any comments or suggestions!
This week's newsletter focuses on three Ask Our Readers items we published last week and which have garnered a number of responses and some follow-up questions from our readers. Feel free to email us at [email protected] if you have any further insight or recommendations on any of these topics. Remember, we're all in it together as IT pros so cast your bread upon the waters and someday maybe it'll come back at ya :-)
But before we here from our readers on these three topics we have a HOT ITEM for you to read about below!
I recently had a chance to talk with Rick Vanover of Veeam Software about what businesses need to do these days to ensure their availability strategy fully addresses their needs. Rick is the director of product strategy at Veeam, where he leads a team of technologists and analysts that brings Veeam solutions to market and works with customers, partners, and R&D teams around the world, and you can read my interview with Rick here on our TechGenix website:
Free Altaro Webinar - What's New in Windows Server 2019?
On Wenesday, October 3rd, Microsoft MVPs Andy Syrewicze and Rob Corradini, alongside former Microsoft Senior Technical Evangelist Symon Perriman will be presenting a free to attend webinar covering some of the most interesting new features in Windows Server 2019. For those that have questions about this latest release from Microsoft, you'll have the opportunity to get answers from these experts during the webinar Q&A. Only 1,000 seats are available so be sure to book your seat here:
Anya from Tennessee asked us the following question last week:
Hi! I've recently been asked to take on doing part-time IT for the small business where I work in administration. We recently decided to hire new staff and I'm going to need to buy a few new desktops and laptops from them from our local Office Depot. I have a question about bloatware (crapware?) that maybe some of your readers can help me out with please. When you buy a new computer for your business is it really important to remove any preinstalled software you don't need before you give the computer to an employee for doing work? What kind of bloatware should be removed and which is OK to leave on the computer?? What's the best way to find and remove bloatware from a computer? Is there a tool available for doing this?? Or is all this a non-issue waste of time? Please help, I'm proficient in using Windows but not much else! Thanks!
Several of our readers responded to Anya's question. For example, a reader named Vlade says:
Hi Mitch, I can share only my limited experience which consist in two parts:
- Working as network/system admin or manager on variety of jobs with small companies usually less then 50 employees - after receiving any new computer I rebuild system with only company used apps and trimming startup processes and etc. Then creating a custom image of it and distribute to the rest of computers.
- As a field/remote tech with large organization - work individually with each computer, trimming processes, power setting, updating/upgrading software.
Mike from New Mexico, USA offered this two-step solution for dealing with the bloatware problem:
I always do a clean install. Windows 10 is really good at automatically installing drivers so it's very rare to need to go driver hunting.Then run the decrapifier script listed below which removes all of the Microsoft Store junk:
Note: the script can be edited to leave things you need to keep.
Super clean fresh build we make.
Another reader (anonymous) agrees about fresh installs being the best way to go:
The best option is to always do a fresh install of windows using either:
- Your corporate microsoft product code
- The one on the machine.
This of course, leads to the topic of imaging. This is where you build a single generic windows image, capture it and deploy it to all PC's. Plenty of opensource utilities like drbl or clonezilla, and you can also using imagex from Microsoft in a windows PE environment. Depending on how many GB your image is you might be able to get away with 8,16,32, or 64gb USB stick.
While these are all great suggestions (and the best way to proceed, really) I'm wondering still whether anyone might have any recommendations for Anya the original questioner who seems to be implying that she's not ready or not savvy enough IT-wise to follow a wipe-and-reimage approach to removing bloatware from the OEM PCs she purchases retail. Does anyone have anything more to say about this that might help her out? Like which commonly preinstalled third-party software one should remove and which can simply be left in place with no overarching business concerns. Email me at [email protected]
This question comes to us from Robert who works in IT for a company in Toronto, Canada:
What's the minimum disk size needed for a laptop with SSD that has Windows 10 and Office 2016 installed? Reason I ask is because we have two Lenovos with 128 gb drives that came with Office 2016 preinstalled and we're having trouble updating them because of low disk space. My boss wants to buy more of these machines because they're a cheap but IME upgrading/upgrading them is a nightmare even when I try to follow this support article:
What do other WServerNews subscribers do and recommend on this matter? Thanks.
A number of readers responded to this question. Mike from New Mexico, USA offered the following suggestion:
I start by running TFC. If that doesn't do the trick then boot from USB and flush out the C:\Windows\SoftwareDistribution. Have seen it accumulate 60g of crud which makes space tight. on a 128 SSD. The reason we have to do it from bootable USB is Windows permissions prevent us from touching the folder while Windows is running.
TFC stands for Temp File Cleaner, a Windows application from Addpcs that is designed to rid your PC of the temporary files that accumulate on your hard drive because other applications leave them behind. You can download the latest version free for personal use or purchase a license for one dollar (!) that activates some additional features:
Another reader named Vlade had a simple and practical suggestion for Robert:
Keep all multimedia data off hard drive, remove c:\Old Windows (typically 20-30gb)
Several readers responded however that they thought installing Windows with Office on a 128 GB SSD shouldn't really be that much of a problem. Glen for example who works at a university said:
In my experience, a 120gig ssd should be more than adequate for windows 10 and office 16.
Two suggestions for Robert:
- Make sure he is seeing all the files and folders. In file explorer, View, Options, View tab, check Show hidden files and folders and un check Hide protected operation system files. Look in the root of the system drive, usually C: for a windows.old folder. This would be a leftover from previous windows upgrades/updates. Win 7 or 8 to 10 or 10 1609 to 1703 or any other major updates.
- If that isn't it, then get one of the free programs, windirstat, treesize, diskhog or some such tool to see what is taking up all the space. Windows and office can be installed on a 40gig SSD although there wont be much free space, it can be done, so 120 should be plenty. If he finds that documents, pictures, music or some such is eating all the space, then temporarily move them off the system drive while doing the update.
And another reader named Bill responded by saying:
A Windows 10 and Office 365 installation requires 35-40 GB disk space. Leaving more than useful room for data files on an 128GB drive (unless they are video files, tsk!). Data file storage can be extended with an external USB drive (Have you seen the Samsung USB 3.0 Flash Drive Fit? ).
Windows 10 update problems can usually be repaired with the Update Troubleshooter. I remember there was an article in the newsletter 2 or 3 issues ago about a program, run from a CMD prompt, to repair Windows update. Some times Windows update does not tidy after update and previous version are left behind. Disk Cleanup, including system files may help. Storage Sense and Disk Maintenance in the background may help keep the system efficient. Finally, if update fails because of disk space, move the data files to an external drive.
If any other readers would like to add their suggestions on this topic, please email me at [email protected]
The original question received from a reader named Michael was this:
Something that I do not understand, why brute force password crackers are still a thing. All that a website needs to do is institute a small time out between unsuccessful logins. As an example, for the first 5 login attempts, there is a 15 second delay between each attempt. After that, for the next five attempts, a 30 second delay between each attempt. You don't need to lock down the account, just keep increasing the time out delay until one is waiting a couple of minutes or more between each attempt. This gives the true owner of the account time to figure out what was miss typed, support does not need to use time to unlock accounts, and people with nefarious intentions will give up because the wait time just keeps getting longer and longer between single attempts at guessing a password. Maybe I'm naive, but perhaps some one in the security field would know why this time out strategy is not used.
Last week a reader named Jeffrey responded to Michael's question by saying:
I have several responses to the question of password crackers:
- Michael is correct if he is only worried about casual attackers. But the toolkits out there are adaptive to such controls, and can throttle their attacks to work around those time delays, often by connecting from multiple sources that make it appear each one is a separate client making a different request.
- If the site's password hash store is compromised, then an attacker can identify passwords without fear of any such application controls.
- Once one site's password hash is cracked, the attackers can attempt to access other sites for password reuse using the recovered passwords that were brute-forced.
Here is a fascinating article about how Tesla keyfobs were hacked using a brute force attack:
After reading this Michael sent us another email asking if any readers might have any further insight into why simply inserting a login time delay might not solve a lot of security issues faced by network admins and website operators. Here is what Michael asks concerning this subject:
Thank Jeffrey for taking the time to respond to my question. Fortunately, September 28th is both "Ask a Stupid Question" day AND is "International Right to Know" day, so here are some more thoughts on the topic. Jeffrey's 2nd and 3rd points - if a site's password hash store is compromised, well… all bets are off and all that one can do is send out the SOS signal and deploy the lifeboats. The crown jewels have been stolen.
However, the first point is brilliant if security is seen from a normal, average, human behavioral viewpoint. There's a lot of people, out there, who do not use password managers. At a site's login page, they type, rather slowly so no mistakes are made, their username and password, then click enter. If they made a mistake, the process is repeated. At best, there might be 2 attempts made in a minute. A brute force attack would be a huge multiple of that. If a small time delay is also imposed, and the attacker connects from multiple sources to get around the delay, is that normal behavior? Not in any sense of the word, and both scenarios should be raising red flags all over the place. The site could then lock the account, but only for 30 seconds, displaying a message that says "account is temporarily locked, please try again in : " and display a countdown timer from thirty to zero seconds, at which time the page refreshes and another password could be tried. If the hammering continues, it gets immediately detected and another 30 secondlock down, rinse and repeat. IP addresses get logged every where one goes on the internet, and targeted advertising follows you around every where, so I would find it hard to believe that web site software is incapable of detecting abnormal behavior on login pages. Once detected, a small, temporary locThe small time delay could also be used for other things. People with iPhones type in a passphrase to unlock their phones. With fat fingers, and going between the letter keyboard and the number keyboard, it easily takes 10 to 15 seconds to successfully type in the passphrase. Let's say that Apple decided to introduce a 5 second time delay between unsuccessful attempts. Apple's thinking here would be that the input field is always active because typing on a phone takes forever, just the Go button would be inactive for the 5 seconds. Shoot, most people would not even notice the inactive Go button because typing in their passphrase takes much longer than 5 seconds. Then let's say that the iPhone gets stolen and the bad guys have it hooked up to the MABFPCM, Magnificently Awesome Brute Force Password Cracker Machine. But with the 5 second delay, the bad guys get 12 attempts per minute instead of 1000. k down should be all that is needed, and can be immediately imposed as many times as necessary.
The small time delay could also be used for other things. People with iPhones type in a passphrase to unlock their phones. With fat fingers, and going between the letter keyboard and the number keyboard, it easily takes 10 to 15 seconds to successfully type in the passphrase. Let's say that Apple decided to introduce a 5 second time delay between unsuccessful attempts. Apple's thinking here would be that the input field is always active because typing on a phone takes forever, just the Go button would be inactive for the 5 seconds. Shoot, most people would not even notice the inactive Go button because typing in their passphrase takes much longer than 5 seconds. Then let's say that the iPhone gets stolen and the bad guys have it hooked up to the MABFPCM, Magnificently Awesome Brute Force Password Cracker Machine. But with the 5 second delay, the bad guys get 12 attempts per minute instead of 1000.
Look, I'm sure there is a magical black box out there that can unlock any iPhone, even one encased in a block of cement. This day and age, every one talks about having multiple layers of defense, because, you know, those bad guys are always one step ahead. I would think that a small time delay would have value in any line of defense. These days, it's all iris scanners, fingerprint scanners, facial recognition, and I'm willing to bet that blood type is not far behind. All very private and unique features for each of us. If I was truly paranoid, I would just assume that the government is pushing the security companies to recommend and implement these security measures just so they could collect all of this private and unique information on its citizens. But I tend to believe that a small time delay between unsuccessful login attempts, be it web sites, smart phones, operating systems, it's just not glamorous or sophisticated, and never given a second thought. But what do I know. I'm just a normal, average guy, who types slowly, and feels that coding login pages to detect obvious abnormal human behavior should not be all that difficult.
Are there any security experts among our newsletter readership who would like to carry this conversation further? I think Michael has an interesting point here, what do other readers think? Email me at [email protected]
Got any IT pro tips you'd like to share with other readers of our newsletter? Email us at [email protected]
How Healthy is your LAPS Environment?
This blog post by Microsoft PFE Michael Rendino examines the topic of securing the local administrator password on your servers using a free tool from Microsoft. It's definitely worth a read for sysadmins concerned about the security their environments.
Admin Tools We Think You Shouldn't Be Without
GOT ADMIN TOOLS or other software/hardware you'd like to recommend? Email us at [email protected]
This free tool reports on all accounts that have been inactive for more than a specified number of days and can even automatically deactivate those accounts.
Put your mind at rest with Altaro VM Backup. Excellent performance & powerful features to meet your disaster recovery needs. Download a 30-day trial now for unlimited VMs & get 2 FOREVER FREE VMs!
Last week's factoid and question was this:
Fact: Physicists recently found a way to implement a version of Maxwell's famous thought experiment for reducing entropy.
Question: Assuming that it might be possible to construct a device that could reduce the entropy of a system, and that you could buy such a device from Amazon, what would be the first thing you would do with it once it arrived on your doorstep?
No one tried to answer that question so let me answer it myself: I'd build or buy a machine that could change poop back into tasty, nourishing food.
For more on reversing entropy see this short story by Isaac Asimov called The Last Question:
And speaking of tasty food, last week we published some reader responses to this factoid from a previous issue:
Fact: New study reveals that mice hate cheese.
Question: If mice hate cheese then what do mice love to eat?
Most of these readers recommended peanut butter for attracting mice to a mouse trap. But another reader named Susann who works for a company that supplies chemical feeding equipment and instrumentation used by industries requiring water and wastewater treatment offered a different take on a mouse's last meal based on what a pest control expert taught her:
My pest control man always uses dry dog food on bait traps. (doesn't matter if it's the cheap brand or expensive brand!!!)
Fascinating, gotta try that some time. Or maybe run an experiment to test whether mice prefer cat or dog food…
Now let's move on to this week's factoid:
Fact: The U.S. Food and Drug Administration alerts consumers and retailers of the potential for serious injury from eating, drinking, or handling food products prepared by adding liquid nitrogen at the point of sale, immediately before consumption.
Question: Have any readers ever used or played with liquid nitrogen? As an undergraduate Honors Physics student back in my university days I had the fun of pouring a small amount of liquid nitrogen into my hand and swishing it around as it quickly evaporated. Do any other readers have fun stories about doing crazy stuff like this when they were young?
Email your answer to [email protected]
>> Got an IT conference happening in North America that you'd like to promote in our newsletter? Email us at [email protected]
Microsoft Ignite -- September 24-28, 2018 in Orlando, Florida USA
IoT Security Summit -- Oct 15-18 in Dallas, Texas
IT/Dev Connections -- Oct 15-18 in Dallas, Texas USA
>> Got an IT conference happening in North America that you'd like to promote in our newsletter? Email us at [email protected]
Gartner Catalyst Conference -- Sept 26-27 in London, England
VMworld Europe -- Nov 5-8 in Barcelona, Spain
Cybersecurity Leadership Summit -- Nov 12-14 in Berlin, Germany
European SharePoint, Office 365 & Azure Conference -- Nov 26-29 in Copenhagen, Denmark
>> Got an IT conference happening in Australia or Asia that you'd like to promote in our newsletter? Email us at [email protected]
No conferences listed at present.
Step-by-step guide: Digging deep into Azure Service Map
Continuing our in-depth look at Microsoft Azure Service Map, here we explore the functionalities available in this excellent service.
Top in-demand tech jobs for the present and near future
Every business wants to transform itself digitally, creating an opportunity for IT pros in an array of industries. Which tech jobs should you target?
Can't keep up with updating your Windows servers and clients? Is patching spinning out of control? Here's how you can get a handle on patch management.
PowerShell quick hits: Cmdlets and scripts for managing Windows Failover
Here's an overview of Windows Failover Cluster modules and a few PowerShell cmdlets and scripts to get you started and make your life easier.
AI technology will change how you go about these everyday activities
AI technology is at an early stage but we are seeing how it will be life-changing for humans. Let's peer into this amazing future, which will soon be here.
Will Smith Bungee Jumps Out Of A Helicopter
Laser Projection Keyboard
A laser projection keyboard that can turn any flat surface into a keyboard or piano within seconds:
Airbus Trying To Land During Gusty Winds
An Air France Airbus A319 trying to land during gusty winds at Birmingham Airport in England:
Tribute To Elon Musk And Tesla By A Fan
An emotional tribute to Elon Musk, SpaceX and Tesla by Chris Collins. Never give up in life!
Not sure how to start with DevOps? Here's one option
A new consulting firm with roots in Netflix and Amazon aims to help even legacy-heavy companies ship software faster. It starts with 15 metrics and small wins. Learn more here.
AWS development services push apps from code to production
To create an AWS deployment pipeline, developers use various tools, including CodeCommit and CodeDeploy, to build and rigorously test their applications.
Optimize load balancing for a hybrid cloud architecture
Load balancing plays a critical role in ensuring application availability and high performance in hybrid cloud. Follow these general rules to get it right.
Checklist for mobile app testing: 12 gaps to look out for
One of the most commonly misunderstood version control commands is git cherry-pick, and that's a real shame because the ability to git cherry-pick a commit is one of the most useful skills a developer can employ when trying to isolate a software bug or fix a broken build.
WServerNews goes out each week to more than 500,000 IT pro subscribers worldwide! That's a lot of expertise to tap into. Do you need help with some technical problem or are looking for expert advice on something IT-related? Ask Our Readers by emailing your problems and/or questions to us at [email protected]
>> Got feedback about anything in this issue of WServerNews? Email us at [email protected]
WServerNews - Editors
Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7www.mtit.com.Resource Kit and has been author or series editor for almost fifty books mostly published by Microsoft Press. Mitch is also a ten-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see
Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid is also manages research and marketing for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.