1-2-3-4-5 BitLocker 9-8-7-6-5

BitLocker Drive Encryption (Photo credit: Wikipedia)

I was sitting in a planning meeting with a client recently in which we were discussing ways of protecting end-user machines, especially laptops that were in and out of the office.  The previous convention relied on BIOS locks that were proprietary to the hardware manufacturer, and required the end user to either enter two passwords or swipe their fingerprint on a sensor.  As the company planned to migrate away from the dedicated hardware provider and toward a CYOD (Choose Your Own Device) type of environment this would no longer be a viable solution.

As the discussion started about what they were planning to use to provide a second layer of protection from unauthorized access to systems, I asked if the company was still intending to use BitLocker to encrypt the hard drives for these machines.  When it was confirmed that they would, I presented the hardware agnostic solution: adding a PIN (Personal Identification Number) to BitLocker.

BitLocker is a disk encryption tool that was introduced with Windows Vista, and has been greatly improved upon since.  It ties in to the TPM (Trusted Platform Module) in your computer (included mostly in Enterprise-class systems) and prevents the contents of protected hard drives from being read by anyone who does not have the key.  Most people configure it and leave it there… which means that it is ‘married’ to the physical computer with the TPM chip.  However, there are a few additional protections you can add.

Authentication has not changed much in the last few thousand years.  It is usually based on a combination of something you have and something you know.  Beyond that it is just levels of complexity and degrees of encryption.  So our TPM chip is something we have… but assuming the hard drive is in the computer, they go together.  So we need another way of protecting our data.  Smart cards and tokens are great, but they can be stolen or lost… and you have to implement the infrastructure, at a cost (although with AuthAnvil from ScorpionSoft the cost is low and it is relatively easy to do).

Passwords work great… as long as you make them complex enough that they are difficult to hack, ensure people change them often enough to stymie hackers… and don’t write them down, and so on.  However, even with all of that, operating system passwords are still going to be reasonably easy to crack – for the knowledgeable and determined.  Hardware-level passwords, on the other hand, are a different beast altogether.  The advent of TPM technology (and its inclusion in most enterprise-grade computer hardware) means that encryption tied to the TPM will be more secure… and adding a PIN to it makes it even more so.  Even though the default setting in Windows is to not allow passwords or PINs on local drives, it is easy enough to enable.

1. Open the Group Policy Editor (gpedit.msc).

2. Expand Computer Configuration – Administrative Templates – Windows Components – BitLocker Drive Encryption – Operating System Drives.

3. Right-click the policy called Require additional authentication at startup and click Edit.

4. Select the Enabled radio button.

5. In the Configure TPM startup PIN: drop-down, select Require startup PIN with TPM.

At this point, you (or your user) will be prompted to set a PIN when enabling BitLocker on a drive.

NOTE: This policy will apply when enabling drives for the first time.  A drive that is already encrypted will not fall into scope of this policy.

By the way, while I am demonstrating this on a local computer, it would be the same steps to apply to an Active Directory GPO.  That is what my client will end up doing for their organization, thereby adding an extra layer of security to their mobile devices.
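The same policy applied and verified from an elevated PowerShell prompt, as an added example that is not part of the original post.  It assumes the registry key that the Require additional authentication at startup policy writes to (HKLM\SOFTWARE\Policies\Microsoft\FVE and its Use* values, where 0 = Do not allow, 1 = Require, 2 = Allow), that manage-bde.exe is present, and that the operating system drive is C:.  It also covers the case the note above describes: a drive that was encrypted before the policy existed gets the TPM+PIN protector added explicitly, because the policy alone will not touch it.

```powershell
# Added example (not from the original post): set "Require additional authentication at startup"
# to Enabled with "Require startup PIN with TPM", then verify, then handle an already-encrypted drive.
# Assumptions: the policy maps to HKLM\SOFTWARE\Policies\Microsoft\FVE, manage-bde.exe is available,
# and the OS drive is C:. Run from an elevated prompt.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# Equivalent of the five gpedit.msc steps above.
# Use* values: 0 = Do not allow, 1 = Require, 2 = Allow.
$settings = @{
    UseAdvancedStartup = 1   # the policy itself is "Enabled"
    EnableBDEWithNoTPM = 0   # no password-only fallback on machines without a TPM
    UseTPM             = 0   # TPM alone is no longer acceptable
    UseTPMPIN          = 1   # TPM + startup PIN is required
    UseTPMKey          = 0   # TPM + startup key (USB) not allowed
    UseTPMKeyPIN       = 0   # TPM + key + PIN not allowed
}
foreach ($name in $settings.Keys) {
    New-ItemProperty -Path $fve -Name $name -PropertyType DWord -Value $settings[$name] -Force | Out-Null
}

# Read back what is now in effect, so a typo in a value name does not go unnoticed.
Get-ItemProperty -Path $fve |
    Select-Object UseAdvancedStartup, EnableBDEWithNoTPM, UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN

# The policy only governs drives encrypted from now on. For a drive that is already
# encrypted, add the TPM+PIN key protector explicitly; BitLocker then prompts for the PIN at boot.
$protectors = (manage-bde -protectors -get C:) -join "`n"
if ($protectors -match 'TPM And PIN') {
    Write-Output 'C: already has a TPM+PIN protector; nothing to do.'
} else {
    # Prompts interactively for the new PIN. Assumption: adding TPMAndPIN replaces the existing
    # TPM-only protector; if your build refuses, remove it first with
    #   manage-bde -protectors -delete C: -type TPM
    manage-bde -protectors -add C: -TPMAndPIN
}

# Final state: protection status, encryption percentage and the list of key protectors.
manage-bde -status C:
```

Pushing the same values through an Active Directory GPO (Computer Configuration, Administrative Templates, as in the steps above) is the preferred route for a fleet; the script is useful for a single machine, for checking that a GPO actually landed, and for retrofitting the PIN onto drives that were encrypted before the policy existed.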


Still on XP? There should be a reason…

For the past year or so I have been counting down (on Twitter) the days left until the #EndOfDaysXP… as of the date of this article it stands at 591 days.  Some of my followers think it is silly, others thank me for it.  Some want to know why it matters, and there are a few who not only understand why it matters, but have taken up the cause… to a degree.

John Marshall is a Microsoft MVP in Microsoft Office Visio, and is (usually) on the side of right – meaning that he thinks that companies should upgrade already.  He chides me about it of course… I am reasonably sure that following an accident as a child a doctor sutured his tongue into his cheek.  However, when it comes down to brass tacks, he knows that XP is the past, and it’s time to bury it… mostly.

Recently he sent me this e-mail about his position… why he still does have Windows XP running on one machine, and what companies who claim fiscal hardship (especially charities) can do to get off the old and onto… if not the new, then at least up to Windows 7.

During the Vista days, I was one of the MVPs who pushed for (and got) a five year extension to the XP end of life. At the time, the problem was that we were trying to protect those first time computer users on the trailing edge. They were first time users who could not afford new machines. The ones they had were donated. Parents, kids and charitable organizations. Now, the quality of donated computers is far superior and there is no longer as much a need. XP still has more than a year to go and even then, it does not mean that the machines will automatically stop, they just will not get the support.

I still have one machine running XP and it runs only one program that prints labels. The label printer I have uses the parallel port and the software has not been updated since the XP days. A few years back, my favourite store for PC support went into receivership. The store was very profitable, but they were a part of a group and the receivers refused to split the group. So I picked up a lifetime supply of labels when the company was dissolved and lost great support.

So if I do find anyone running XP I fervently recommend they upgrade. Most are unaware that there are newer versions of Windows. To them, it is a computer and it works. For charitable organizations I recommend that they investigate one of the local companies who can donate used machines that are far better.

So it will come as good news to the people that are running Windows XP that if they want to upgrade to Windows 8 when it comes out they will be able to… for $40.  Yes, that is ten x four… FORTY dollars.  Of course, if you have the means to invest in a new system I strongly recommend taking a look at some of the cool toys that are going to be released with Windows 8… but the newest Microsoft client OS works great on older hardware as well.  You can download it today to evaluate for 90 days.  See for yourself how fast it really is!

My Certification History, and the Importance of Multi-Vendor Certifications

In 2001 I had an intern working for me at IGS Security whose name I cannot recall, but she was a student at LaSalle College, and was working toward earning her Microsoft Certified Systems Engineer (MCSE) certification. She and I did not get along very well, and she left early with a bad attitude… although some of it was justified.

One of the conversations that we had was around certifications, and she was working on hers, but didn’t have any yet. I told her (stupidly) that I could get my MCSE if I wanted to, but didn’t have the time nor see the value in it. When she quit she wrote a letter to my boss and among other accusations (which were not true) she brought this one up (which was). I felt bad about it, but never contacted her to apologize. I did, however, make the decision to start working toward that credential, and with a little help from friends and family embarked upon an incredible journey that has changed my life.

Since I earned my first certification on March 31, 2003 I have been extremely proud to hold industry certifications. It was on that day that I passed exam 70-210 and was officially (and still am) a Microsoft Certified Professional (MCP). That afternoon I went out and downloaded the MCP logo (I may have had to wait a few days until I got the confirmation e-mail from Microsoft Learning), and went into the company where I worked and resigned my position as Director of M.I.S. I knew that I could now demand a much higher salary… and I was right, to a point.

I needed to pass a number of other exams in order to achieve my next certification, which was the Microsoft Certified Systems Administrator. I earned the one on Windows 2000 on May 27, 2005, and a year later (June 30, 2006) I passed the upgrade exam to be an MCSA on Windows Server 2003. I now had a senior certification, and was as proud as a peacock. Within the Microsoft world I was on my way!

With my senior certification under my belt, it did not take long before I was able to qualify as a Microsoft Certified Trainer (MCT). This took a little more work, because in those days I didn’t have a credit card, and unlike regular certifications, there is a $400/year fee to being an MCT. As well, I had not taken the Train the Trainer class, so I had to get proof from a Certified Partner for Learning Solutions (CPLS) that they wanted me to train for them. Versalys in Montreal provided the letter, and in August, 2006 I earned that right.

In the same month – August 29, 2006 to be exact – I earned my Microsoft Certified Desktop Support Technician (MCDST) cert. It was, to date, the easiest senior cert that I had achieved, but that is probably because it was two exams on Windows XP, a platform that I had been using and supporting for five years. That was the first time that I had passed two exams on consecutive days… the truth was I thought about taking one in the morning and the next in the afternoon, and do not remember why I didn’t… it was probably either because I was busy in the afternoon (or did not want to schedule a full day away from clients) or because I was simply afraid that if I failed the first exam I would never be able to pass the next. That achievement – multiple exams passed in a single day – would have to wait a little while longer!

I knew that with Windows Server 2008 and Windows Vista, Microsoft was evolving their certification model… there would no longer be an MCSE, MCSA, or MCP… rather most exams would earn the candidate an MCTS (Microsoft Certified Technology Specialist), and the PRO exams, in conjunction with the TS exams, would earn a senior cert. My first MCTS was on Windows Vista (Configuration). I believe that was the first exam that I ever took in beta (pre-release) and I took it the first morning that it was available, which was October 31, 2006. I would not get confirmation that I passed it until January of 2007, but according to my certification transcript I earned it on the day I took the test, making it the first (of many) certifications to which I had the honour of being a Charter Member. I don’t know how many become charter, but it means I was one of the first.


The only two certifications I would earn in 2007 were my first two senior certifications of the new model… My first Microsoft Certified IT Professional (MCITP) was MCITP: Consumer Support Technician, which I earned April 2, 2007. For reasons that I cannot recall it took two more months to be accredited as an MCITP: Enterprise Support Technician, which I was awarded on June 18th of that year. However I actually passed the qualifying exam for it several times – including once dating back to the first beta – December 22, 2006 – but I was never able to get Microsoft to change the date of the award on the transcript. I am, however, still a Charter Member of that cert.

Over the course of the next few years I earned several other Microsoft certifications – several MCTSes and a handful of MCITPs – but in December, 2010 I decided that I had put off my original goal for too long. I had always said that I wanted to be an MCSE, and despite that being an older certification on legacy technology, I think I knew deep down that it meant something, because it was my original goal. I think that it is important to set goals, and although there is nothing wrong with modifying them along the way, sometimes our goals have a significance other than the obvious.

I know that over the years I have lost contracts and jobs because I didn’t have the MCSE… even though by a certain point I DID know the material… at least most of it! I can think of two companies where I was told ‘Sorry, we really do need someone with the MCSE after their name.’ I mean, in 2010? Really? Ok, so be it. It may have been meaningless going forward as people started to understand that MCITP was the new MCSE, but I decided in December of 2010 to do it. I looked at my transcript, used the Certification Planner (which is a great tool on the MCP site that lets you know what requirements are left for any given certification), and realized I was short two exams… both of which I had failed once before.

I wouldn’t say that 70-293 (Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure) was the hardest exam I had ever taken, but it was the one I struggled with most. I had failed it not once but three times, twice dating back to 2008, and once earlier (February) in 2010. I decided to really dedicate myself to passing this time. I studied my butt off, and when the final screen showed ‘Congratulations you passed’ and that my score was 866, I was thrilled! Now all I had to do was…

I had failed 70-297 (Designing a Microsoft Server 2003 Active Directory and Network Infrastructure) before, in 2008. It was then that I learned about testlets… and how much I did not like them. I was worried because the format of the exam was so different, but again, I was a lot more experienced than I had been in 2008, and I wrote the exam the day after I passed the previous one… and for the first time in a very long time I took nearly all of the allowed time. I am generally a fast test writer, but I made sure I left nothing on the field for this one. When the screen said that I passed I was relieved… but when the score report showed that I scored a perfect 1000, I gasped! I had never done that before, and was shocked, thrilled, elated… and surprised! On December 15, 2010 I was finally able to proudly call myself a Microsoft Certified Systems Engineer (MCSE).

It would take a few more months for me to earn the last Microsoft certifications that I wanted… MCITP on Windows Server 2008 (there are two – Server Administrator and Enterprise Administrator). I had already earned the MCITP: Virtualization Administrator, but that was a specialty cert, while the SA and EA were essentially the 2008 versions of MCSA and MCSE. I wrote the three requisite MCTS exams in one day – the first and last time that I will ever try that again! I passed them all, but it was nerve wracking. The following month I went into the testing center prepared for exam 70-696 PRO: Windows Server 2008, Server Administrator. It was another bear – a testlet-type exam like the 297 Design exam, and although I was not prepared for that, I did know the material, and was glad that I was able to pass it. The following day I went back confidently to pass 70-697… and failed.

You should never underestimate or take a certification exam lightly… it is a recipe for failure, as I discovered that day. It was, in my humble opinion, one of the toughest exams I had ever written. As I wrote recently in an article, Wow that certification exam was TOUGH!, exams are not meant to be easy, and the more valued the certification the tougher the exam should be. It took me a few more months to both find the time and the energy to prepare for and re-take the exam, but on December 20, 2011 – a year after finally earning my MCSE – I became an MCITP: Enterprise Administrator on Windows Server 2008. Not since my early days of certifications had I been as proud of a credential as this one.

Of course, I have discussed my journey to Microsoft certifications, but I have not discussed the others… I am also certified in VMware – both by VMware themselves, and by VMTraining, a third party training company that has their own course called the vSphere Ultimate Bootcamp. Both of these companies have their own certification exams, and I am proud to have passed both of them for both vSphere 4 and the current vSphere 5. I have said for years that IT should never be about religion, it should be about the best tool for the job. Until recently Microsoft was a bit-player in the server virtualization space, and while that has changed and will change more with the release of Hyper-V 3.0 with Windows Server 8, VMware is still the industry leader in that space, and I could never represent and discuss Microsoft Virtualization properly without knowing the competition, and besides, the certification has helped me get a number of consulting gigs in VMware shops!

The point is I have never been hurt by certifications, and when people ask me if they are still relevant or important I point to both the gigs I have gotten because of them… and the ones I have not gotten. I tell them that when I am asked to consult on a hire (which I do from time to time) one of my first qualifiers is always ‘What certifications does the candidate have?’ I consider certifications proof that the professional has the respect for their field to not only do things the right way, but to prove it. So if you are not certified, I think it is time to seriously consider getting so… your career will thank me for it!