Tag Archives: Windows Vista
I was sitting in a planning meeting with a client recently in which we were discussing ways of protecting end-user machines, especially laptops that were in and out of the office. The previous convention relied on BIOS locks that were proprietary to the hardware manufacturer, and required the end user to either enter two passwords or swipe their fingerprint on a sensor. As the company planned to migrate away from the dedicated hardware provider and toward a CYOD (Choose Your Own Device) type of environment this would no longer be a viable solution.
As the discussion started about what they were planning to use to provide a second layer of protection from unauthorized access to systems, I asked if the company was still intending to use BitLocker to encrypt the hard drives for these machines. When it was confirmed that they would, I presented the hardware agnostic solution: adding a PIN (Personal Identification Number) to BitLocker.
BitLocker is a disk encryption tool that was introduced with Windows Vista, and has been greatly improved upon since. It ties in to the TPM (Trusted Platform Module) in your computer (included mostly in Enterprise-class systems) and prevents protected hard drives from being hacked. Most people configure it and leave it there… which means that it is ‘married’ to the physical computer with the TPM chip. However, there are a few additions you can make.
Authentication has not changed much in the last few thousand years. It is usually based on a combination of something you have and something you know. Beyond that it is just levels of complexity and degrees of encryption. So our TPM chip is something we have… but assuming the hard drive is in the computer, they go together. So we need another way of protecting our data. Smart cards and tokens are great, but they can be stolen or lost… and you have to implement the infrastructure, which comes with a cost (although with AuthAnvil from ScorpionSoft the cost is low and it is relatively easy to do).
Passwords work great… as long as you make them complex enough that they are difficult to hack, and ensure people change them often enough to stymie hackers… and don’t write them down, and so on. However, even with all of that, operating system passwords are still going to be reasonably easy to crack – to the knowledgeable and determined. Hardware level passwords, on the other hand, are a different beast altogether. The advent of TPM technology (and its inclusion in most enterprise-grade computer hardware) means that an encryption tied to the TPM will be more secure… and adding a PIN to it makes it even more so. Even though the default setting in Windows is to not allow passwords or PINs on local drives, it is easy enough to enable.
1. Open the Group Policy Editor (gpedit.msc).
2. Expand Computer Configuration – Administrative Templates – Windows Components – BitLocker Drive Encryption – Operating System Drives.
3. Right-click the policy called Require additional authentication at startup and click Edit.
4. Select the Enabled radio button.
5. Select the drop-down Configure TPM startup PIN: and click Require startup PIN with TPM.
At this point, when you enable BitLocker, you (or your user) will be prompted to enter a PIN.
NOTE: This policy will apply when enabling drives for the first time. A drive that is already encrypted will not fall into the scope of this policy.
By the way, while I am demonstrating this on a local computer, it would be the same steps to apply to an Active Directory GPO. That is what my client will end up doing for their organization, thereby adding an extra layer of security to their mobile devices.
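Because the policy only affects drives encrypted after it is set, a machine can have the policy applied and still boot on the TPM alone. The following PowerShell audit is an added example, not part of the original post: it compares the policy with the key protectors actually present on the operating system drive. It assumes an elevated session and the BitLocker PowerShell module (Windows 8 / Server 2012 or later); the registry value names are the ones this policy setting writes under the FVE policy key.

```powershell
# Added example: does the startup-PIN policy match what protects the OS drive?
# Run elevated; Get-BitLockerVolume requires administrator rights.

# The "Require additional authentication at startup" policy is stored here.
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $fveKey -ErrorAction SilentlyContinue

# UseAdvancedStartup = 1 -> the policy is Enabled
# UseTPMPIN: 0 = do not allow, 1 = require, 2 = allow startup PIN with TPM
$policyEnabled = [bool]($policy -and $policy.UseAdvancedStartup -eq 1)
$pinRequired   = [bool]($policyEnabled -and $policy.UseTPMPIN -eq 1)

# Key protectors actually configured on the operating system drive.
$volume     = Get-BitLockerVolume -MountPoint $env:SystemDrive
$protectors = @($volume.KeyProtector |
                ForEach-Object { $_.KeyProtectorType.ToString() })

# A startup PIN exists only if a TPM+PIN (or TPM+PIN+startup key) protector is present.
$hasPin = ($protectors -contains 'TpmPin') -or
          ($protectors -contains 'TpmPinStartupKey')

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    PolicyEnabled     = $policyEnabled
    PolicyRequiresPin = $pinRequired
    VolumeStatus      = $volume.VolumeStatus       # e.g. FullyEncrypted
    ProtectionStatus  = $volume.ProtectionStatus   # On / Off
    KeyProtectors     = $protectors -join ', '
    HasStartupPin     = $hasPin
    # True = policy demands a PIN but the drive was encrypted without one
    PinGap            = ($pinRequired -and -not $hasPin)
}

# For a drive that reports PinGap = True, a TPM+PIN protector can be added
# to the already-encrypted volume (prompts for the PIN as a SecureString):
#   $pin = Read-Host -AsSecureString 'New startup PIN'
#   Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin $pin
```

A result with `PinGap` set to `True` identifies exactly the drives the note above describes: encrypted before the policy arrived and still unlocked by the TPM alone.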
Unlike most people I was (and am) a big fan of User Account Control (UAC) in Windows 7 (and even Vista). I have often referred to it as the ‘Are you really sure you want to do something stupid?’ button; it let you know that you were about to do something that would affect your PC, and to proceed with caution.
In Windows 7 Microsoft improved the UAC experience by allowing us to control it beyond the simple O/I settings. Combine that with the fact that ISVs stopped programming their applications around security holes in Windows, and the UAC experience in Windows 7 was a much less annoying one than it had been in its first iteration.
Windows 8 introduces a new concept that is similar in nature, called SmartScreen. It monitors your system for software installations. If you try to install an unrecognized application it pops up a warning message. It is another way Windows helps to keep your computer secure.
Don’t misunderstand… this is not Big Brother. If you really want to install the application then it will still let you. SmartScreen is just another way Windows has to let you know that you should be careful. Of course there are people who would say ‘Let me do my thing, and stop pestering me!’ For those people you can simply turn off SmartScreen.
For the rest of us, there are two settings for ‘On’. The first, which those of us who administer systems for others will appreciate, is the ‘Get Admin approval’ setting. That way your users will not be able to install applications from shady developers.
The second ‘On’ setting is ‘Warn but proceed’. In other words it will let the user know that there may be rough roads ahead, but doesn’t prevent you from taking them. Those of us who administer systems for others will likely prefer this setting for our own computers.
SmartScreen is even configured from the same screen as User Account Control… or at least you access the settings from the same Action Center screen. Notice that both ‘Change User Account Control settings’ and ‘Change Windows SmartScreen settings’ have the little ‘shield’ icon next to them. That indicates that they are both protected by UAC, and that if you are not an administrator you will not be able to make changes to them. This is one more reason why you should not disable UAC… especially if you administer systems for others – even your family. Protecting your systems is easy, but it is a slippery slope to unsafe, and that slope is easy to avoid… but turning off UAC is akin to walking up to a cliff and tearing down the fence that prevents people from falling over.
We have come a long way from the days when running Windows required third-party add-ons to keep us safe. Today we only need to use a little common sense… or better yet, leave things the way they are, because most of these security features in Windows 8 are enabled out of the box, and you would have to actively reconfigure them to subject yourself to the malware and Trojans of the IT world.
In 2001 I had an intern working for me at IGS Security whose name I cannot recall, but she was a student at LaSalle College, and was working toward earning her Microsoft Certified Systems Engineer (MCSE) certification. She and I did not get along very well, and she left early with a bad attitude… although some of it was justified.
One of the conversations that we had was around certifications, and she was working on hers, but didn’t have any yet. I told her (stupidly) that I could get my MCSE if I wanted to, but didn’t have the time nor see the value in it. When she quit she wrote a letter to my boss and among other accusations (which were not true) she brought this one up (which was). I felt bad about it, but never contacted her to apologize. I did, however, make the decision to start working toward that credential, and with a little help from friends and family embarked upon an incredible journey that has changed my life.
Since I earned my first certification on March 31, 2003 I have been extremely proud to hold industry certifications. It was on that day that I passed exam 70-210 and was officially (and still am) a Microsoft Certified Professional (MCP). That afternoon I went out and downloaded the MCP logo (I may have had to wait a few days until I got the confirmation e-mail from Microsoft Learning), and went into the company where I worked and resigned my position as Director of M.I.S. I knew that I could now demand a much higher salary… and I was right, to a point.
I needed to pass a number of other exams in order to achieve my next certification, which was the Microsoft Certified Systems Administrator. I earned the one on Windows 2000 on May 27, 2005, and a year later (June 30, 2006) I passed the upgrade exam to be an MCSA on Windows Server 2003. I now had a senior certification, and was as proud as a peacock. Within the Microsoft world I was on my way!
With my senior certification under my belt, it did not take long before I was able to qualify as a Microsoft Certified Trainer (MCT). This took a little more work, because in those days I didn’t have a credit card, and unlike regular certifications, there is a $400/year fee to being an MCT. As well I had not taken the Train the Trainer class, so I had to get proof from a Certified Partner for Learning Solutions (CPLS) that they wanted me to train for them. Versalys in Montreal provided the letter, and in August, 2006 I earned that right.
In the same month – August 29, 2006 to be exact – I earned my Microsoft Certified Desktop Support Technician (MCDST) cert. It was, to date, the easiest senior cert that I had achieved, but that is probably because it was two exams on Windows XP, a platform that I had been using and supporting for five years. That was the first time that I had passed two exams on consecutive days… the truth was I thought about taking one in the morning and the next in the afternoon, and do not remember why I didn’t… it was probably either because I was busy in the afternoon (or did not want to schedule a full day away from clients) or because I was simply afraid that if I failed the first exam I would never be able to pass the next. That achievement – multiple exams passed in a single day – would have to wait a little while longer!
I knew that with Windows Server 2008 and Windows Vista Microsoft was evolving their certifications model… there would no longer be an MCSE, MCSA, or MCP… rather most exams would earn the candidate an MCTS (Microsoft Certified Technology Specialist), and the PRO exams, in conjunction with the TS exams, would earn a senior cert. My first MCTS was on Windows Vista (Configuration). I believe that was the first exam that I ever took in beta (pre-release) and I took it the first morning that it was available, which was October 31, 2006. I would not get confirmation that I passed it until January of 2007, but according to my certification transcript I earned it on the day I took the test, making it the first (of many) certifications to which I had the honour of being a Charter Member. I don’t know how many become charter, but it means I was one of the first.
The only two certifications I would earn in 2007 were my first two senior certifications of the new model… My first Microsoft Certified IT Professional (MCITP) was MCITP: Consumer Support Technician, which I earned April 2, 2007. For reasons that I cannot recall it took two more months to be accredited as an MCITP: Enterprise Support Technician, which I was awarded on June 18th of that year. However I actually passed the qualifying exam for it several times – including once dating back to the first beta – December 22, 2006 – but I was never able to get Microsoft to change the date of the award on the transcript. I am, however, still a Charter Member of that cert.
Over the course of the next few years I earned several other Microsoft certifications – several MCTSes and a handful of MCITPs – but in December, 2010 I decided that I had put off my original goal for too long. I had always said that I wanted to be an MCSE, and despite that being an older certification on legacy technology, I think I knew deep down that it meant something, because it was my original goal. I think that it is important to set goals, and although there is nothing wrong with modifying them along the way, sometimes our goals have a significance other than the obvious.
I know that over the years I have lost contracts and jobs because I didn’t have the MCSE… even though by a certain point I DID know the material… at least most of it! I can think of two companies where I was told ‘Sorry, we really do need someone with the MCSE after their name.’ I mean, in 2010? Really? Ok, so be it. It may have been meaningless going forward as people started to understand that MCITP was the new MCSE, but I decided in December of 2010 to do it. I looked at my transcript, used the Certification Planner (which is a great tool on the MCP site that lets you know what requirements are left for any given certification), and realized I was short two exams… both of which I had failed once before.
I wouldn’t say that 70-293 (Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure) was the hardest exam I had ever taken, but it was the one I struggled with most. I had failed it not once but three times, twice dating back to 2008, and once earlier (February) of 2010. I decided to really dedicate myself to passing this time. I studied my butt off, and when the final screen showed ‘Congratulations you passed’ and that my score was 866, I was thrilled! Now all I had to do was…
I had failed 70-297 (Designing a Microsoft Server 2003 Active Directory and Network Infrastructure) before, in 2008. It was then that I learned about testlets… and how much I did not like them. I was worried because the format of the exam was so different, but again, I was a lot more experienced than I had been in 2008, and I wrote the exam the day after I passed the previous one… and for the first time in a very long time I took nearly all of the allowed time. I am generally a fast test writer, but I made sure I left nothing on the field for this one. When the screen said that I passed I was relieved… but when the score report showed that I scored a perfect 1000, I gasped! I had never done that before, and was shocked, thrilled, elated… and surprised! On December 15, 2010 I was finally able to proudly call myself a Microsoft Certified Systems Engineer (MCSE).
It would take a few more months for me to earn the last Microsoft certifications that I wanted… MCITP on Windows Server 2008 (there are two – Server Administrator and Enterprise Administrator). I had already earned the MCITP: Virtualization Administrator, but that was a specialty cert, while the SA and EA were essentially the 2008 versions of MCSA and MCSE. I wrote the three requisite MCTS exams in one day – the first and last time that I will ever try that again! I passed them all, but it was nerve-wracking. The following month I went into the testing center prepared for exam 70-696 PRO: Windows Server 2008, Server Administrator. It was another bear – a testlet-type exam like the 297 Design exam, and although I was not prepared for that, I did know the material, and was glad that I was able to pass it. The following day I went back confidently to pass 70-697… and failed.
You should never underestimate or take a certification exam lightly… it is a recipe for failure, as I discovered that day. It was, in my humble opinion, one of the toughest exams I had ever written. As I wrote recently in an article, ‘Wow that certification exam was TOUGH!’, exams are not meant to be easy, and the more valued the certification the tougher the exam should be. It took me a few more months to both find the time and the energy to prepare for and re-take the exam, but on December 20, 2011 – a year after finally earning my MCSE – I became an MCITP: Enterprise Administrator on Windows Server 2008. Not since my early days of certifications had I been as proud of a credential as this one.
Of course, I have discussed my journey to Microsoft certifications, but I have not discussed the others… I am also certified in VMware – both by VMware themselves, and by VMTraining, a third party training company that has their own course called the vSphere Ultimate Bootcamp. Both of these companies have their own certification exams, and I am proud to have passed both of them for both vSphere 4 and the current vSphere 5. I have said for years that IT should never be about religion, it should be about the best tool for the job. Until recently Microsoft was a bit-player in the server virtualization space, and while that has changed and will change more with the release of Hyper-V 3.0 with Windows Server 8, VMware is still the industry leader in that space, and I could never represent and discuss Microsoft Virtualization properly without knowing the competition, and besides, the certification has helped me get a number of consulting gigs in VMware shops!
The point is I have never been hurt by certifications, and when people ask me if they are still relevant or important I point to both the gigs I have gotten because of them… and the ones I have not gotten. I tell them that when I am asked to consult on a hire (which I do from time to time) one of my first qualifiers is always ‘What certifications does the candidate have?’ I consider certifications proof that the professional has the respect for their field to not only do things the right way, but to prove it. So if you are not certified, I think it is time to seriously consider getting so… your career will thank me for it!