Category Archives: Security
Congratulations. You have decided to implement a Folder Redirection policy on your domain. There are real advantages to this, not the least of which is that the redirected folders from all of your users’ profiles now live on a server share where they get backed up centrally… and that when users change computers their files and settings are just there.
You have created a Group Policy Object (GPO) in Active Directory that you have called Folder Redirection, and you have applied it to the Organizational Unit (OU) that your user account is in, and as is so often the case with Desktop Administrators, you have made yourself the guinea pig. From Windows you run the command gpupdate /force, and are informed that in order for the Folder Redirection policy to be applied, you will have to log off and then log on again. You do.
It must have worked! Why do I say that? Because unlike most of the time, when logging on takes a few seconds, it took a full ten minutes this time. As a seasoned Desktop Admin you understand that this is because all of the folders that you set to redirect – Documents, Pictures, Videos, Favorites, Downloads – are being copied to the server before you are actually allowed onto your desktop. Once you are logged on, you open Windows Explorer, right-click on Documents in the navigation pane, open its Properties, and see on the Location tab that the My Documents folder is no longer at c:\Users\Mitch, but at \\Sharename\Mitch.
Unfortunately you are now saying to yourself ‘Mitch, you missed one thing!’ Because you know that when you clicked on Windows Explorer in the task bar, you got a security warning (the original post showed a screenshot of the dialog here). The warning comes from Internet Explorer’s security zones: Windows evaluates the UNC path of the redirected share, and when that path is not mapped to the Local intranet zone (typically because the server is addressed by a fully qualified name or an IP address rather than a plain server name, which is normally treated as intranet automatically) it lands in the Internet zone, and opening content from the Internet zone is what triggers the prompt.
As a seasoned IT Pro you know that security warnings are a way of life, and it wouldn’t bother you if you had to accept this every time… but you know your end users are going to go ape, so you need a solution. No problem.
I should mention that while these steps will work for all versions of Windows since Windows Vista, the way you access the screens may be a little different.
1) Open Control Panel. Don’t be alarmed, you are going to get the same security warning when opening the CP.
2) In the Search window type Internet Options. When it comes up, click on it.
3) In the Internet Properties window select the Security tab.
4) On the Security tab click on Local Intranet. Then click on Sites. Note that the Sites button will be greyed out until you select Local Intranet.
5) In the Local Intranet window click the Advanced button.
6) In the Local Intranet (Advanced) window type the location of your folder redirection share into the box marked Add this website to the zone. Uncheck the box marked Require server verification (https:) for all sites in this zone; a file share is not an https site and cannot be added while that box is checked. Click Add. Then click Close.
7) Close the Internet Properties window.
Now try opening Windows Explorer again. It should open without the security warning.
If You’re Gonna Do IT Then Do IT Right…
Okay, so you know how to configure this setting for your individual desktop… but you don’t really want to have to go to every desktop/laptop/tablet in the organization and do this, do you? Of course not, that is what Group Policy is for!
We are going to make one change to your Folder Redirection policy.
1) Open Group Policy Management Console.
2) Right-click on your Folder Redirection policy and click Edit…
3) Navigate to: User Configuration – Policies – Administrative Templates – Windows Components – Internet Explorer – Internet Control Panel – Security Page.
4) Right-click on Site to Zone Assignment List and click Edit.
5) Enable the policy.
6) In the Options box click on Show…
7) In the Value name cell enter the UNC path of your file server (for example \\server or file://server; the mapping is keyed on the server name, so the share and folder names are not needed).
8) In the Value cell next to the UNC path you just entered enter the value 1. (Where 1=Intranet/Local Zone, 2=Trusted Sites, 3=Internet/Public Zone, and 4=Restricted Sites). Click OK then click OK in the Site to Zone Assignment List dialogue box.
9) Close Group Policy Management Editor.
That should be it… remember you will have to re-run gpupdate /force on your machine to see it straight away; if you don’t, it will still arrive with the next background Group Policy refresh (by default every 90 minutes, plus a random offset of up to 30 minutes) or the next logon.
**Thanks to Joseph Moody for the list of settings for the Zone Value list!
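Before you push the GPO to everyone, it is worth being able to prove on one machine that the share really is in the Local intranet zone now, whether it got there through the manual Internet Options steps above or through the Site to Zone Assignment List. The following script is an added example, not code from the original post; it reads the two registry locations those two methods write to and reports what maps your server where. The server name at the bottom is a placeholder you replace with your own.

```powershell
# Added example, not from the original post: find out which Internet Explorer
# security zone Windows maps a file-share host to, and what put it there, so you
# can confirm the manual Internet Options change or the Site to Zone Assignment
# List GPO actually took effect. Run it as the user who sees the warning.
# Zone numbers follow the policy: 1 = Local intranet, 2 = Trusted, 3 = Internet, 4 = Restricted.

function Get-FileShareZoneMapping {
    param([Parameter(Mandatory)][string]$Server)   # host part of \\server\share

    $zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
    $results = @()
    function New-ZoneResult {
        param($Source, $Zone)
        [pscustomobject]@{ Source = $Source; Zone = [int]$Zone; ZoneName = $zoneNames[[int]$Zone] }
    }

    # 1) Site to Zone Assignment List. Group Policy writes one string value per site under
    #    ZoneMapKey: the value name is the site, the data is the zone number. HKLM holds the
    #    Computer Configuration version, HKCU the User Configuration one used in the post.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        if (-not (Test-Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($site in $regKey.GetValueNames()) {
            # Entries may be written as \\server, file://server or plain server; keep the host part.
            $siteHost = ($site -replace '^(file://|\\\\)', '') -replace '[\\/].*$', ''
            if ($siteHost -ieq $Server) {
                $results += New-ZoneResult -Source "$hive Site to Zone Assignment List" -Zone ($regKey.GetValue($site))
            }
        }
    }

    # 2) Entries added by hand in Internet Options > Security > Local intranet > Sites.
    #    IE stores them under ZoneMap\Domains with a DWORD named after the scheme
    #    ('file' for UNC paths, '*' for all schemes). Plain names get their own key;
    #    dotted names are split into <last two labels>\<leading labels>.
    $domainsRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $candidates = @("$domainsRoot\$Server")
    $labels = $Server.Split('.')
    if ($labels.Count -ge 3) {
        $candidates += "$domainsRoot\$($labels[-2..-1] -join '.')\$($labels[0..($labels.Count - 3)] -join '.')"
    }
    foreach ($path in $candidates) {
        if (-not (Test-Path $path)) { continue }
        $regKey = Get-Item -Path $path
        foreach ($scheme in 'file', '*') {
            $value = $regKey.GetValue($scheme)
            if ($null -ne $value) { $results += New-ZoneResult -Source "Manual entry ($scheme) at $path" -Zone $value }
        }
    }

    if ($results.Count -eq 0) {
        Write-Warning "No explicit zone mapping for $Server; IE's own rules decide (undotted names are normally Local intranet, dotted names and IP addresses Internet)."
    }
    return $results
}

# Placeholder: the UNC path of your redirection share, exactly as users see it.
$share = '\\fileserver.corp.example.com\Users'
$serverName = ($share -replace '^\\\\', '') -split '\\' | Select-Object -First 1
$mapping = Get-FileShareZoneMapping -Server $serverName
$mapping | Format-Table -AutoSize
if (-not ($mapping | Where-Object { $_.Zone -eq 1 })) {
    Write-Warning "$serverName is not in the Local intranet zone; Explorer will keep showing the warning."
}
```

Two things to keep in mind when reading the output: once the Site to Zone Assignment List policy applies, it wins over anything users added by hand and the Sites button in Internet Options is disabled, so the policy entry is the one that matters; and servers referenced by IP address are stored under ZoneMap\Ranges rather than Domains, which this script does not walk.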
I was sitting in a planning meeting with a client recently in which we were discussing ways of protecting end-user machines, especially laptops that were in and out of the office. The previous convention relied on BIOS locks that were proprietary to the hardware manufacturer, and required the end user to either enter two passwords or swipe their fingerprint on a sensor. As the company planned to migrate away from the dedicated hardware provider and toward a CYOD (Choose Your Own Device) type of environment this would no longer be a viable solution.
As the discussion started about what they were planning to use to provide a second layer of protection from unauthorized access to systems, I asked if the company was still intending to use BitLocker to encrypt the hard drives for these machines. When it was confirmed that they would, I presented the hardware agnostic solution: adding a PIN (Personal Identification Number) to BitLocker.
BitLocker is a full-volume encryption feature that was introduced with Windows Vista, and has been greatly improved upon since. It ties in to the TPM (Trusted Platform Module) in your computer (included mostly in Enterprise-class systems), which holds the key that unlocks the drive so that a protected disk is unreadable if it is pulled out and read on another machine. Most people configure it and leave it there… which means that it is ‘married’ to the physical computer with the TPM chip: the TPM hands the key over automatically at boot as long as the boot environment has not been tampered with. However there are a few additions you can add.
Authentication has not changed much in the last few thousand years. It is usually based on a combination of something you have and something you know. Beyond that it is just levels of complexity and degrees of encryption. So our TPM chip is something we have… but assuming the hard drive is in the computer, they go together, and whoever walks off with the laptop has both. So we need another way of protecting our data. Smart cards and tokens are great, but they can be stolen or lost… and you have to implement the infrastructure at a cost (although with AuthAnvil from ScorpionSoft the cost is low and it is relatively easy to do).
Passwords work great… as long as you make them complex enough that they are difficult to crack, ensure people change them often enough to stymie attackers… and don’t write them down, and so on. However even with all of that, a TPM-only configuration has already unlocked the drive by the time Windows shows the logon screen, so an attacker holding the laptop is attacking the operating system logon, not the encryption. A pre-boot PIN is a different beast altogether: the TPM will not release the key until the PIN is entered, its anti-hammering logic slows down guessing, and the PIN never has to be stored on the disk it protects. The advent of TPM technology (and its inclusion in most enterprise-grade computer hardware) means that encryption tied to the TPM is already a big step up… and adding a PIN to it makes it better still. Even though the default setting in Windows is not to allow a startup PIN on operating system drives, it is easy enough to enable.
1. Open the Local Group Policy Editor (gpedit.msc).
2. Expand Computer Configuration – Administrative Templates– Windows Components – BitLocker Drive Encryption – Operating System Drives
3. Right-click the policy called Require additional authentication at startup and click Edit.
4. Select the Enabled radio button.
5. Select the drop-down Configure TPM startup PIN: and click Require startup PIN with TPM.
At this point, when you (or your user) enable BitLocker on the operating system drive, the wizard will require a startup PIN to be set before it will encrypt.
**NOTE: This policy will apply when enabling drives for the first time. A drive that is already encrypted will not fall into scope of this policy.
By the way, while I am demonstrating this on a local computer, it would be the same steps to apply to an Active Directory GPO. That is what my client will end up doing for their organization, thereby adding an extra layer of security to their mobile devices.
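Because of the note above, the laptops my client already encrypted with TPM-only protectors are the ones that need the most attention: the policy will not retrofit them. The script below is an added example, not the client’s procedure or code from the original post. It shows what the policy setting actually writes to the registry, lists the protectors on the operating system volume, and converts an already-encrypted TPM-only volume to TPM+PIN, taking care of the recovery password first. It assumes Windows 8 / Server 2012 or later (for the BitLocker PowerShell module), an elevated prompt, a ready TPM, and C: as the OS volume.

```powershell
# Added example, not from the original post: see what the policy above actually sets,
# check which protectors the OS volume has, and bring an already-encrypted TPM-only
# volume into scope by adding a TPM+PIN protector (the policy alone does not do that).
# Assumptions: Windows 8 / Server 2012 or later with the BitLocker PowerShell module,
# an elevated prompt, a TPM that is ready, and C: as the operating system volume.

function Show-StartupAuthPolicy {
    # Registry values written by "Require additional authentication at startup".
    # For the Use* values: 0 = do not allow, 1 = require, 2 = allow.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { Write-Warning 'No startup authentication policy is applied on this machine'; return }
    Get-ItemProperty -Path $fve |
        Select-Object UseAdvancedStartup, EnableBDEWithNoTPM, UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN
}

function Get-OsVolumeProtectors {
    param([string]$MountPoint = 'C:')
    # A TPM-only volume lists a 'Tpm' protector and no 'TpmPin' one.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorId, KeyProtectorType
}

function Set-TpmPinProtector {
    param([string]$MountPoint = 'C:', [Parameter(Mandatory)][securestring]$Pin)

    # Never touch protectors without a recovery password that is stored somewhere else.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($rp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        # Escrow to Active Directory; this only succeeds if the domain is set up for it.
        try { Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null }
        catch { Write-Warning "Could not escrow recovery password in AD: $($_.Exception.Message)" }
    }

    # Add TPM+PIN (fails unless the policy above allows or requires a PIN, and the PIN must meet the
    # minimum length policy, 6 by default), then remove the TPM-only protector; if it stays behind
    # the TPM still unlocks the volume at boot without any PIN at all.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    foreach ($tpmOnly in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $tpmOnly.KeyProtectorId | Out-Null
    }
    Get-OsVolumeProtectors -MountPoint $MountPoint
}

Show-StartupAuthPolicy
Get-OsVolumeProtectors
# This changes the volume's protectors; the PIN is typed at the prompt, not stored in the script.
$pin = Read-Host -Prompt 'Startup PIN for C:' -AsSecureString
Set-TpmPinProtector -MountPoint 'C:' -Pin $pin
```

On Windows 7 and Vista, which have no BitLocker module, the same change is made with manage-bde: manage-bde -protectors -add C: -TPMAndPIN, then manage-bde -protectors -delete C: -type TPM. Either way, confirm the recovery password is escrowed (or printed and locked away) before deleting the TPM-only protector, because a mistyped PIN policy or a firmware update is the sort of thing that sends a user to the recovery screen.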
Many of you know that I am a fanatic about changing passwords and password complexity. I have written time and again about the subject. (See Pass the Word…)
I am also a big hater of what my friend Dana Epp refers to as ‘Security Theatre.’ I have often berated people at Rogers, AT&T, and a plethora of other companies who ask me ‘and for security purposes can you please tell me your date of birth?’ REALLY? IT’S ON MY FACEBOOK PAGE! How about you ask me what colour tie I wore to the last Black Tie event I attended, or what colour was the hockey puck we used when I played ice hockey?
I came across an article written by fellow Microsoft MVP Bill Pytlovany. I have never met Bill but he makes some very good points about answering security questions (my mother’s maiden name is Brown by the way) that people should keep in mind when answering these questions. Bill’s MVP Award is in Consumer Security, and I can see why. Enjoy the article! –MDG
How often do you change your online passwords? If you are like the vast majority of us then the answer is not nearly often enough. Until recently I fell into the same category, and fixing that took a little bit of doing.
One day several months ago I looked at Theresa and said ‘I think I am going to change all of my on-line passwords today.’ Easier said than done.
The first problem that I encountered was not an easy one – what passwords do I have? I figured I must have dozens if not hundreds of on-line accounts. The not so simple task of creating a list of all of them was one I was not looking forward to.
Like so many other things that I discuss, the old truism applies: If you cannot measure it then you cannot manage it. I had to figure out a way to start tracking my on-line accounts. Where should I start?
Of course there are easy ones – the low-hanging fruit. My Microsoft Account (formerly Live ID) is tied to dozens of sites from Microsoft Learning to TechNet to Zune and Xbox and everything in between, not to mention my primary e-mail account. By changing that password I immediately changed nearly half of the sites that I log in to. Unfortunately the rest of them would not be that easy.
I decided to take a measured approach going forward. I opened a text document on my laptop and named it passwords.txt. Of course this file is not going to have any of my passwords in it – I have a pretty good memory, but some people like to use password vault software like AuthAnvil Password Server, which allows individuals and organizations to centrally organize, synchronize, and audit their passwords. The only thing that I am keeping in my password text file is a simple list of all of the sites that I either have to type my password into or, in many cases, that I have logged into previously and clicked the ‘Remember my Password’ option in Internet Explorer.
I kept this text file open for several days and was alarmed at how long it was getting. The obvious ones are sites like on-line banking, social networking sites, and of course my blogs. The next tier were sites like ebay (and PayPal), amazon.com, and YouTube. Sites for my travel rewards points accounts (Aeroplan, AirMiles) came next, followed by things like DNS sites and Prometric.com (where I take my Microsoft exams).
After a few days I thought I was done, but just in case I saved the file to my desktop. In the meantime the real work started. I logged on to each of these sites and started changing passwords. Of course I did not use the same password for each site, and for my own peace of mind I will not explain how I chose. However I did make sure that all of my passwords were long enough and complex enough to thwart the average hacker (and onlooker).
Next I watched my Inbox. Many sites will send you an e-mail confirming that you made changes to the account. I read through each one carefully for two items: 1) Do I need to take any action (click a link, etc…) to confirm that I actually did make the changes, and 2) Does it say ‘You changed your password to P@$$w0rd.’
The first wasn’t a problem – I took the necessary steps. However the second is more important; if any site sends you an e-mail with your password in clear text then at best it is handling your password carelessly, and at worst it is storing passwords in a recoverable form (rather than as a salted one-way hash that can verify a login but cannot be turned back into the password). I flagged these sites and made a notation to never use the same password on these as I do on any other site. In the event that their site gets hacked not only would my account there be compromised, but you could be sure that the hackers would then try the same password against my accounts on other sites. VERY DANGEROUS.
As I went from site to site I made notations on my text file list. A dash next to an entry meant that the password has been changed; an asterisk meant that the site e-mailed me in clear text. An ampersand meant that it is an account that I share with my wife (I don’t share any accounts with anyone else), and so before I change that password I should let her know what it is going to be, lest she get locked out of anything important.
While I thought I was done, I left the text file on my desktop. It does not take up a lot of real estate (especially since Windows 8 helps me to keep my desktop clean of shortcut icons), and I knew that as the weeks went on I would stumble upon the occasional site that did indeed slip my mind.
I dated the file and e-mailed it to myself; I set up a recurring calendar reminder telling me to change my passwords on a schedule. While not all of my credentials need to be changed as often as others, it is still important to change them all a few times per year. Now that I have the procedures in place, I will be able to do it without the anxiety that I faced the first time I went through it!
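For readers who run sites of their own, this is what the other kind of storage looks like: the kind that can tell you your password is right but can never e-mail it back to you. The script is an added example, not code from the original post; it stores a random salt and a PBKDF2-SHA256 hash, verifies a login against that record, and assumes Windows PowerShell 5.1 on .NET Framework 4.7.2 or later (or PowerShell 7), which have the Rfc2898DeriveBytes constructor that takes a hash algorithm name. The password in it is the one from the post, used as constructed sample input.

```powershell
# Added example, not from the original post: the storage a site uses when it can
# verify your password but can never e-mail it back to you. The record holds a
# random salt and a PBKDF2-SHA256 hash; the password itself is never written down.
# Assumption: Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, or PowerShell 7,
# which have the Rfc2898DeriveBytes constructor that takes a HashAlgorithmName.

$Iterations = 600000   # raise until one verification takes a noticeable fraction of a second

function New-PasswordRecord {
    param([Parameter(Mandatory)][string]$Password)
    $salt = New-Object byte[] 16                       # unique per record, so equal passwords hash differently
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($Password, $salt, $Iterations,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try { $hash = $kdf.GetBytes(32) } finally { $kdf.Dispose() }
    # Single-quoted, so the $ separators are literal and only {0},{1},{2} are substituted.
    'pbkdf2-sha256${0}${1}${2}' -f $Iterations, [Convert]::ToBase64String($salt), [Convert]::ToBase64String($hash)
}

function Test-Password {
    param([Parameter(Mandatory)][string]$Record, [Parameter(Mandatory)][string]$Password)
    $parts = $Record -split '\$'
    if ($parts.Count -ne 4 -or $parts[0] -ne 'pbkdf2-sha256') { throw 'Unrecognised record format' }
    $salt = [Convert]::FromBase64String($parts[2])
    $expected = [Convert]::FromBase64String($parts[3])
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($Password, $salt, [int]$parts[1],
        [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try { $actual = $kdf.GetBytes($expected.Length) } finally { $kdf.Dispose() }
    # Compare every byte whatever happens, so the time taken does not reveal where the first mismatch is.
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) { $diff = $diff -bor ($expected[$i] -bxor $actual[$i]) }
    return ($diff -eq 0)
}

# Constructed sample: the password from the post. The record can be displayed, or even
# leaked in a breach, without handing over the password; a clear-text e-mail cannot.
$record = New-PasswordRecord -Password 'P@$$w0rd'
$record
Test-Password -Record $record -Password 'P@$$w0rd'    # the correct password
Test-Password -Record $record -Password 'p@$$w0rd'    # one character changed
```

The point of the salt is that a leaked table of these records cannot be attacked with one precomputed list for everyone, and the point of the iteration count is that each guess costs the attacker as much work as it costs you to verify a login; a site that can quote your password back to you in an e-mail has neither protection.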
NOTE: I did not write this article; in fact, it is copied word for word from an e-mail I received from Scorpion Software. However it is a solution I do believe in. I am not selling for Scorpion Software, nor do I receive any benefit from their sales, nor are the links herein set to track you back to me. I am friends with the owner of the company and a couple of their developers, but have not been asked to post this (nor have I been promised any remuneration for doing so). –Mitch
You can now use AuthAnvil to protect and streamline access to the cloud. We’re offering the world’s first strong, fully independent two-factor authentication and single sign-on solution for Office 365.
- Available for all Microsoft’s Office 365 plans, including their P1 and P2 plans for small businesses.
- Doesn’t require ADFS or DirSync – Microsoft’s complex system that requires extra servers and can take days to implement.
Phone: 1-888-407-4285 ext. 701
Free webinar: Introducing AuthAnvil for Office 365
We invite you to attend our free webinar and get a hands-on look at how you can gain cloud-based trust with on-premise control.
September 24 at 10am PDT
Sign up for the free webinar.