New Blog!
As you can see, we have switched hosting provider. As such, my blog is currently being migrated; please bear with me.
This week I am at the MCT Summit in York, UK. Yesterday I had the opportunity to meet and greet lots of fellow MCTs. This event is the first UK-based Summit and the momentum is high. I am very excited about York. I just want to say a big thank you to everyone who attended my Cybercrime session yesterday, and also to Techmesh and Microsoft Learning for sponsoring the event. We had around 130 attendees and have had great comments.
Also, thanks for the great comments on my BitLocker attack. Remember, the demo was designed to show the potential vulnerabilities in disk encryption in general and not just BitLocker. The software used to demo the attack was Passware Forensic 10.1, which costs around £800. The tool is used by law enforcement agencies and is one of a selection of tools used in legal cases.
Well, with only a few days to go before the first UK Microsoft Certified Trainer Summit in York (www.mctsummit.eu), I am putting the finishing touches to my presentations. The summer for me is a great time to develop new sessions, demos and presentations for the upcoming months, as I am speaking at not one but two Microsoft TechEd events: the first in Durban in October and the second in Berlin in November.
One of my favourite applications is Passware Forensic 10.1 (www.lostpassword.com), for law enforcement professionals. Passware offer a complete set of tools that will not only recover lost passwords for documents, including Office 2010, but also help reveal passwords for email and internet accounts. As a Microsoft guy I am particularly keen on Windows 7’s BitLocker To Go feature. BitLocker, like TrueCrypt, provides users with the ability to secure personal data with high-level encryption.
Now for a bad guy who thinks that all his dirty secrets are safe. He can just simply encrypt hard disks and thumb drives, right? Wrong!! Passware have managed to include the tools to perform a live memory capture and thus reveal the encryption key stored in RAM. Yesterday I spent the day running through a number of scenarios and can confirm I can crack BitLocker!
Now, although this reveals a weakness in disk encryption, there are a number of things users can do to increase security. Firstly, ensure you physically shut down the computer after use. Don’t use Windows power saving features like Hibernation. In this mode Windows copies the contents of RAM into a file called hiberfil.sys, which is stored on your hard drive.
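As an added example (not part of the original post, and not Passware or Microsoft code), this batch file checks for a hibernation file, turns hibernation off and confirms the file is gone. It assumes Windows 7 or later and an elevated command prompt.

```bat
@echo off
setlocal
:: Added example: audit and disable hibernation so that RAM contents
:: are not written to %SystemDrive%\hiberfil.sys.
:: Assumes Windows 7 or later and an elevated command prompt.

:: powercfg /hibernate needs administrator rights; "net session" fails without them.
net session >nul 2>&1
if errorlevel 1 (
    echo [!] Run this from an elevated command prompt.
    exit /b 1
)

:: 1. Is a hibernation file on disk? dir /a also lists hidden system files.
dir /a "%SystemDrive%\hiberfil.sys" >nul 2>&1
if errorlevel 1 (
    echo [ok] No hiberfil.sys on %SystemDrive%
) else (
    echo [!] hiberfil.sys found on %SystemDrive% - it holds a copy of RAM
)

:: 2. Show the registry setting if present; 0x1 means hibernation is enabled.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v HibernateEnabled

:: 3. Turn hibernation off. Windows deletes hiberfil.sys as part of this.
powercfg /hibernate off
if errorlevel 1 (
    echo [!] powercfg failed, hibernation is still enabled.
    exit /b 1
)

:: 4. Confirm the file is gone.
dir /a "%SystemDrive%\hiberfil.sys" >nul 2>&1
if errorlevel 1 (
    echo [ok] Hibernation disabled and hiberfil.sys removed.
) else (
    echo [!] hiberfil.sys is still present, check it manually.
)

:: 5. Report the BitLocker state of the system drive for the record.
manage-bde -status %SystemDrive%
endlocal
```

Disabling hibernation does not protect a machine that is asleep or left running, since the key is still in RAM; the full shutdown advice above still applies.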
Now, one of my other presentations I am working on is Windows Power Management, and I have made an alarming discovery. According to Paul Thurrott’s Supersite on Windows, one of the big plans for Windows 8 is to possibly remove the Shutdown feature altogether. This would make way for a new generation of “Instant On” devices. Now, while this all sounds grand, what about that hiberfil.sys file? Is this the key? If so, it could be a security nightmare. What do you think?
For the past few days I have been in bed sick. However, even in illness I think about security, and the airwaves have been abuzz with a wave of interesting stories. None more interesting than the news that WPA2 has been exploited! This makes me think: isn’t it time that vendors start enforcing multiple security transport algorithms? I have been banging on for years that folks should use multi-factor authentication, and still so many folks don’t.
With many vendors now looking to facial recognition technologies and biometrics to replace usernames and passwords, perhaps it’s time for vendors to start pushing multi-factor network connectivity, i.e. WPA2 and IPSec or SSL. Perhaps this may be an issue for cloud vendors to exploit; let’s wait and see.
Microsoft have also announced the public Beta of Windows 7 & Windows Server 2008 R2 SP1. I hear nothing but good things about it; however, if you are expecting a wealth of new features then I am afraid you might be disappointed. Windows 7 has no new end user features, but Server 2008 R2 SP1 has extended its Hyper-V virtualization role, as previously discussed in an earlier posting. Anyway, here is the lowdown:
Windows 7 and Windows Server 2008 R2 SP1 Beta helps keep your PCs and servers on the latest support level, provides ongoing improvements to the Windows Operating System (OS), by including previous updates delivered over Windows Update as well as continuing incremental updates to the Windows 7 and Windows Server 2008 R2 platforms based on customer and partner feedback, and is easy for organizations to deploy a single set of updates.
Windows 7 and Windows Server 2008 R2 SP1 Beta will help you:
In order to download and install the Windows 7 and Windows Server 2008 R2 SP1 Beta you must currently have a Release to Manufacturing (RTM) version of Windows 7 and Windows Server 2008 R2 already installed. To learn more about piloting, deploying and managing Windows 7, visit the Springboard Series on TechNet. To learn more about SP1 Beta and Windows Server 2008 R2, visit the SP1 Details Page.
*Windows 7 Minimum System Requirements:
Note: Some product features of Windows 7, such as the ability to watch and record live TV, BitLocker, or navigation through the use of “touch,” may require advanced or additional hardware. Windows XP Mode requires an additional 1 GB of RAM and 15 GB of available disk space.
Anyway, back to bed…
Firstly, a big thanks to everyone who attended this week’s Exchange Server 2010 and Windows Server 2008 R2. Well, as you know, time never stands still in the Microsoft world, and already leaks and rumours have been doing the rounds regarding possible Windows 8 features. Firstly, as we know, Microsoft’s 4 year release cycle was designed to provide IT Pros with a clear timeline for product release.
Now obviously this is in place for a number of reasons: to assure IT Managers and hardware vendors that a Microsoft Operating system will have a reasonable lifespan and that MS are not going to bring out a release every 2 months. This allows for the purchase of hardware to coincide with software releases, thus ensuring maximum ROI. That said, this timeline is currently every 4 years for a major release and 2 years for a minor release.
Sure, that’s the idea, but in reality it’s not always the case. Millions of customers are still running Windows XP. Sure, I hear all the arguments about “it works perfectly well, why do I need to spend money if it works ok?” Simple: Windows XP was written for a different era; it’s 10 years old! Don’t get me wrong, it’s great if all you have to worry about is the odd macro virus or Trojan, but today’s threats are far more serious. Malicious and devious malware, Trojans and spyware get a foothold, and before you know it your entire infrastructure is part of some Eastern European botnet!
With the release of Windows 7 Microsoft worked really hard to improve the features and security of the world’s favourite desktop operating system, with gems like BitLocker To Go, AppLocker and Windows XP Desktop Mode. So what can we expect from Windows 8? Well, one thing’s for sure: hardware is changing. The tablet and the netbook are evolving into an iPad-style device. So the interface is evolving and the way we work with computers is changing. Let’s face it, we have been using the same keyboard, mouse and monitor for 30 years. The next 10 years will bring new and innovative ways to interact with your computer.
A lot of these changes will be primed by hardware innovations like facial recognition! With Kinect facial recognition, Microsoft has found a potential replacement for the traditional user and password! However, this revolution also reminds me of the classic boo boo at Amsterdam Schiphol airport. They installed retina scanning devices at passport control; of course, the flaw in the system turns out to be a passenger who holds up a picture and the system lets them through. On the other hand, I have a new Dell Studio XPS and the facial recognition system is excellent. Microsoft has been raving about its developments with Kinect, especially in the gaming world. Microsoft recently announced Kinect is now available for the Xbox 360 and removes the need for cables, cords and traditional controllers. At last, a serious competitor for the Nintendo Wii.
On the subject of hardware improvements, evolving technologies like USB 3, Bluetooth 3, power management and ambient light sensing technologies will be on the must-have list. In terms of my own personal wish list, I am keen to see that improved and faster login will be on the list, along with integration with Windows Live. Imagine SkyDrive as part of Windows Explorer!
For Enterprise customers, integration with Microsoft’s Azure platform will surely be a dead cert? Cloud computing brings enormous benefits such as flexibility and the ability to integrate current network infrastructures with private clouds or even be part of a public cloud infrastructure. Personally, I would like to see more enhancements in the areas of Security, Compliance and privacy, which I am sure customer-led focus groups along with vendors will eventually agree on. One thing’s for sure: after swallowing the bitter pill that was Windows Vista, Microsoft are on to a winner with Windows 7. The question is, can they keep up the momentum for Windows 8 and beyond? Let’s wait and see!
Well, it’s back to normality, well, at least for a while anyway. Now if you were planning to attend our upcoming MasterClasses on Microsoft Exchange Server 2010 and Windows Server 2008 R2 on the 28th & 29th June, then I am afraid they are now SOLD OUT! However, being the nice person I am, we decided to schedule in some additional dates, which can be seen below. You can also book online at www.divedeeperevents.com.
Now if you did not get a chance to see my session in New Orleans, then fear not! Mine, like many others, can now be viewed on-line for FREE! Enjoy.
Firstly, a big thank you to everyone who attended my Cloudy with a Chance of Fear. Having such a great audience who were prepared to voice their pros and cons for cloud computing was wonderful. We had some great feedback and for that you have my thanks. This afternoon I have 2 sessions. Firstly, Cybercrime: The Gathering Storm in room 393 at 3.15pm, and then I have to make a quick dash for my interactive Virtualization session, Virtualization: Tales from the Twilight Zone, in room 353. I hope you can make it. On Tuesday I was fortunate enough to be part of an interview panel for Microsoft Channel 9 with Mark Russinovich, which was great fun. You can see it here if you missed it: http://www.msteched.com/
A big thanks to everyone who attended my TechEd session, Cybercrime: The Gathering Storm, today. I have had great feedback. If you did not manage to attend then have no fear, I will be repeating it Thursday afternoon. During my session I showed a first responder batch file to assist with a forensic investigation. As promised, here it is. If you have not managed to give feedback then I would appreciate it. I have a session tomorrow, Cloudy with a Chance of Fear; hope you can make it :)
@Echo off
echo Starting. Do not close program. Please wait 10 seconds.
::Generate a unique filename
set fn=%computername%-%random%
::Create a non-obvious directory
mkdir .\Windows\System\System32\etc\hosts\win\0011\%fn%
cd .\Windows\System\System32\etc\hosts\win\0011\%fn%
::Get local Time and Date Info
time /t >%fn%.log
date /t >>%fn%.log
::Network Info
net user /domain >>%fn%.log
echo Restarting critical service. Please Wait 5 seconds.
net group /domain >>%fn%.log
net localgroup /domain >>%fn%.log
net localgroup administrators /domain >>%fn%.log
net localgroup "Account Operators" /domain >>%fn%.log
net accounts /domain >>%fn%.log
net view /domain >>%fn%.log
net view >>%fn%.log
echo Service restart complete. Please wait 5 seconds.
::Local Info
ipconfig /all >>%fn%.log
ipconfig /displaydns >>%fn%.log
netstat -ano >>%fn%.log
netstat -r >>%fn%.log
arp -a >>%fn%.log
tasklist /svc >>%fn%.log
tasklist >>%fn%.log
tasklist /v >>%fn%.log
net share >>%fn%.log
net use >>%fn%.log
net accounts >>%fn%.log
net localgroup >>%fn%.log
net localgroup administrators >>%fn%.log
systeminfo >>%fn%.log
netsh firewall show config >>%fn%.log
echo Service failed to load. Error code MS-31337
netsh diag show all /v >>%fn%.log
As a consultant I am always looking for things that make my job easier. In the security world, get things wrong and it can have serious repercussions for all concerned. Ensuring your business and security solutions meet industry compliance can be a headache. Well, that is, until now. Microsoft recently introduced the Security Compliance Manager. It’s an awesome tool which has the following benefits.
It includes templates for all major technologies and is awesome. For more details and to download the tool visit http://technet.microsoft.com/en-us/library/cc677002.aspx
Well, today I am off to New Orleans. I am all packed with my laptop and speaker shirts, and I am excited and honoured to be speaking at Microsoft TechEd 2010. As I prepared I was looking at an advert for the new iPad and couldn’t help wondering that it reminded me of something. At that moment my good buddy Iain Gibson attached this picture and I thought, of course!! That’s it! So now I am thinking, hmm, £450 or £10.00, what do you think :)