February 2008 - Posts
Ok, so it seems that I am in that mood today... one more marketing website
I found (and liked) is serverunleashed.com. It showcases Windows 2008
in a very original way...
[once a week it helps out in HR...] good one...
The guys (specifically Mark Russinovich) at what was Sysinternals and is now Microsoft have
created a new goodie called ShellRunas. What this small (50k) tool does is add an option
to start an application with a different user's credentials from the GUI (an Explorer context-menu entry).
The download is a command-line tool that lets you register the GUI shortcut
with the following options:
Simple registration process:
Approximately a week ago, I wrote in a post that the next revolution in computing will
be in the way we interact with computers. One of those major changes is already
under way: multi-touch devices. One such device is the Microsoft Surface.
Nothing new there, except a new demo given to 'Sarcastic Gamer' showing off the
multi-touch abilities in a small game of firefly gathering:
Yes, I am a fan of Maccabi Tel-Aviv (basketball), so their new commercial with Nike
made me laugh... take a look:
By chance I stumbled upon this masterpiece of music, which is actually made out of
55 pieces of music, commentary and original pieces from Tarantino's movies.
Anyway, what I am trying to say is that it has been a long time since something managed
to get a rise out of me; all I can say is WOW. This mashup/mix is quite old (circa 2004) but
if you are a Tarantino movie lover you have got to hear it.
It's everything you like about Tarantino movies transferred into one continuous audio track.
And we can't really sign off this post without a link to the Muppet rendition of Pulp Fiction:
If you ever wondered what the process is, Microsoft (Israel) created a new website
called apointofu.com that describes the work and people at the R&D center. On the
website they have a short (but funny) movie about the process:
Since the website is targeted at the Israeli market the movie is in Hebrew...
Found this on the web... made me smile:
I will start with a disclaimer. I know, not a good way to start a post...
I intend to write a series of posts about Bitlocker, starting with the theory and turning
that theory into practical implementation. I am writing these posts based on my own personal
research and knowledge. I have no connection to the people that wrote Bitlocker so I may
make mistakes here... If I do, please send me a message or leave a comment pointing out
the mistakes and I will make sure to fix them.
I decided to write these posts since I couldn't find any documentation about how Bitlocker
is supposed to work, how it's implemented and how it behaves in different scenarios. The
majority of articles I found provided good background information, some usage tips and
that's it... Now it's my turn to give it a shot.
What is Bitlocker
Bitlocker is a technology released with Windows Vista (Enterprise and Ultimate) that enables the
user to encrypt the contents of a whole volume. Bitlocker's role, in the pre-SP1 era, is to protect
the volume Windows is installed on by encrypting it. Since the encryption is applied to the volume as
one unit (not per file, as with EFS), the data is protected from a parallel installation attack: booting
a second OS or a live CD on the same machine and reading the disk from there, which bypasses NTFS
permissions entirely.
The need for an encryption technology that protects a whole volume grew out of mobile
computing and the threat of data theft (stealing a laptop is easier than stealing a desktop, and
the threats to a laptop are significantly higher considering that you use it in public places).
Bitlocker provides protection, yet you must remember that encryption only moves the problem to
the key: whoever obtains the key, or reaches the machine while the key is loaded, gets the data.
Bitlocker therefore raises the cost for a potential data thief rather than making theft impossible.
You may be asking yourself at this stage: what is the big deal here? Bitlocker is not the first
encryption technology to be released for Windows. Previous encryption mechanisms include the
Encrypting File System (EFS). How is Bitlocker different?
Bitlocker vs EFS
- Bitlocker encrypts volumes (as one unit), EFS encrypts individual files and directories
- Bitlocker encrypts system files, EFS cannot encrypt system files (anything under the Windows directory or marked with the system attribute)
- Bitlocker's keys are tied to the machine (TPM, startup key or recovery password), while EFS encrypts each file with a symmetric file key that is itself protected by the user's asymmetric certificate key, so EFS is tied to a user identity
- Bitlocker is transparent once the system is running, so it does not protect your data from other users on a booted system; EFS does, because each file stays encrypted to its owner
Looking at this comparison, I hope it is obvious that Bitlocker and
EFS are not adversaries or substitutes. Bitlocker and EFS are two technologies that together can provide a
layered defense against data theft, if they are used correctly and together (hence the layering).
Since this post does not deal with data protection in general but with a specific part of it, namely
Bitlocker, let's continue by trying to understand what Bitlocker can do for you and what it can't.
What Bitlocker can do
Bitlocker can do the following things:
- It makes it very difficult to access data on a stolen disk or computer
- It can encrypt the entire contents of a volume, including OS files, the paging file, the hibernation file
and temporary files
- Post SP1 it can also encrypt additional (data) volumes, not only the system volume
- It can be enabled and later removed in place, without destroying the data on the volume
What Bitlocker can't do
Bitlocker will not do the following things:
- It does not protect the system from a network attack
- It does not protect the data while a system is on (read: has power, including standby/sleep, where the keys stay in RAM)
How does Bitlocker work - Booting an encrypted OS
Ok, now that we have the formalities out of the way, let's try to understand how Bitlocker achieves
what it does. Once enabled, Bitlocker starts an encryption process that obscures the data on the volume
it is applied to. The first volume that must be encrypted is the volume Windows is installed on, and thus
arises the chicken-and-egg problem:
If Bitlocker is a mechanism used by the OS to encrypt data, then to decrypt (access) the data
the OS has to be loaded (or at least part of it), but since we encrypt its volume it cannot load because
it is encrypted...
To solve this problem, an additional small volume has to be created (which should not store user data). This
volume is not encrypted and holds just enough boot code (the boot manager) to obtain the key and decrypt the
Windows volume. A note on terminology: Microsoft's documentation calls this small unencrypted boot partition the
'system volume' and the encrypted Windows volume the 'operating system volume'; in these posts 'system volume'
refers to the encrypted Windows volume. Since in this part of the post we are only discussing theory, take this
as a given: an additional volume is created, the system boots from there, decrypts the encrypted volume and
allows the rest of the OS to boot.
How does Bitlocker work - Encrypting a Volume
Bitlocker encrypts a volume using a symmetric algorithm: the Advanced Encryption Standard (AES) with
128-bit keys by default (in CBC mode, combined in Vista with an additional 'diffuser' stage). The key length is
controllable through Group Policy and can be increased to 256 bits, yet that may cost some performance.
The encryption process begins and a key is created; this key is called the Full Volume Encryption Key (FVEK). The
FVEK is used to encrypt and decrypt the data. The FVEK is stored on the volume as part of the volume's metadata.
But wait: if the symmetric key that is used to encrypt/decrypt the data is stored on the volume it is meant to
protect, what prevents a thief from picking it up and decrypting it? This sounds like locking a door and leaving
the key in the lock, from the outside...
To be honest, the door analogy is quite close to what happens, with one small but major difference: instead of
leaving the key in the door, the key is placed inside a locked box that is welded to the door. In other words,
the FVEK is stored encrypted under an additional key called the Volume Master Key (VMK).
How does Bitlocker work - Decrypting a Volume
To decrypt a volume you reverse the encryption process (possible because a symmetric algorithm is used):
the OS boots, identifies that Bitlocker is in use, obtains the VMK from one of the protectors (next section),
uses it to decrypt the FVEK, and the FVEK in turn provides access to the encrypted data.
How does Bitlocker work - protecting the VMK (The Protectors!)
As you can see, once you have access to the VMK the game is over. Due to its importance the VMK has to be
closely guarded. The measures used to protect the VMK are called 'protectors'. The role of the protectors is to prevent
unauthorized access to the VMK, and it is assumed that if you have access to a protector you are authorized to use it
(this is a huge assumption, but as the saying goes: "Who will guard the guards?").
There are several protectors that can be used to guard the VMK (each stores its own encrypted copy of the VMK in
the volume metadata):
- Trusted Platform Module (TPM) - a chip on the system board that seals the VMK to measurements of the boot
components and will unseal it only if those measurements match, i.e. no major changes to the boot path have
been identified. Optionally the TPM is combined with an additional authenticator such as a PIN or a startup key on USB.
- External media - a USB flash drive ('disk on key') on which the startup key is stored; on systems without a TPM
this is the only way to protect the OS volume.
- Recovery password - a manual process of entering a 48-digit number to release the VMK (a recovery key, a small
file saved to removable media, serves the same purpose).
More about the protectors in the second part of the Bitlocker series, which will deal with implementation.
How does Bitlocker work - Why two keys?
There is one major reason for this: if you move a hard drive to a different system, or lose (or no longer trust)
a protector, there is no need to re-encrypt the volume (a lengthy process). It is enough to create a new VMK and
re-encrypt only the small FVEK under it; the data, encrypted under the unchanged FVEK, stays exactly as it is.
In theory this is true, yet I have not found a way to do this.
Conclusion of part one
Bitlocker is part of a layered strategy to protect data from theft. The aim of this post was to lay down
the foundations that will help with the implementation of Bitlocker. You should now understand
the role of Bitlocker and its abilities and shortcomings.
The second part of the series will describe the methods to implement Bitlocker.
According to KB929851 the dynamic range of TCP/UDP ports used by applications on Vista or Win2k8
has changed from 1025-5000 to 49152-65535 (the IANA-recommended ephemeral range). This matters if a
firewall between hosts was configured for the old range.
The port ranges can be viewed by using the following commands:
•netsh int ipv4 show dynamicport tcp
•netsh int ipv4 show dynamicport udp
•netsh int ipv6 show dynamicport tcp
•netsh int ipv6 show dynamicport udp
In addition to that, the port ranges can be changed by using the following commands (start=X is the
first port of the range, num=Y the number of ports in it):
•netsh int ipv4 set dynamicport tcp start=X num=Y
•netsh int ipv4 set dynamicport udp start=X num=Y
•netsh int ipv6 set dynamicport tcp start=X num=Y
•netsh int ipv6 set dynamicport udp start=X num=Y
This has been floating around for some time now, but since Windows 2008 and Vista share the
same core, Windows 2008 ships with SP1 already integrated.
So, all those people that want to wait for SP1 will have to find a new mantra...
Found this relatively useful tool from Microsoft (still in beta) that allows you to share
your desktop in a virtual meeting with friends, colleagues or anyone else for that matter.
The installation is simple (very lightweight, 4MB), it is easy to set up with a Windows Live ID
and you can start creating sessions (check out the feature that adds a name tag to a mouse
pointer, so you know who is who...):
Download it at:
A lot has changed in the world of computers: systems have evolved from very
basic to very complex, the communication revolution and other less notable changes.
One thing that has stayed relatively stable is the way we interact with computers: keyboard,
mouse, joystick... nothing too exciting.
Lately several new technologies that threaten to change the way we interact with
computers have appeared: touch screens and now mind control (!?!).
A company called Emotiv Systems is working on a headset (Epoc) that will enable the user to
control games by thought... I have got to get me one of those!
This came as no surprise to me, yet when you see something theoretical being applied
it always manages to give you a jolt...especially if you consider the timing.
During the last week I was (and still am) planning a series of posts about Bitlocker.
In (very) short, Bitlocker is a Windows Vista technology that encrypts your hard drive
as a unit. To access the data you need to provide some type of key that releases into RAM the
key used to decrypt (and encrypt) your data.
The main advantage of Bitlocker is its ability to protect your data even if someone manages
to gain physical access to your system (by stealing it) and boots the system from a parallel
In the past I have read a research paper (still looking for it) stating that, contrary to popular
belief, when you cut power to a RAM module the data it has stored is not lost. In addition to that,
the data inside RAM can be preserved by cooling the RAM modules.
Considering that your encryption/decryption keys are kept in RAM, if someone gains access to
your system while it is still turned on (or shortly after you have cut power to it) they may be able
to access your encryption/decryption keys and additional sensitive information such as documents
you had open.
This concept has been demonstrated (to some extent, in a video and a research paper) by a group of
people mainly from Princeton, at their website:
In my opinion, it is extremely important to point out that Bitlocker protects your data only
if the computer is turned off or hibernated (if your system is on, the data is not protected).
I am humbled to correct people from Princeton but it is something that I must do in this case: during the
video, the narrator mentions that in some cases Bitlocker can be attacked even if a system is turned off, and
the way to discern between such cases is whether a system asks for a key/PIN (you are protected) or a password (you are
The first part is very inaccurate and may cause unnecessary confusion.
There is only one way for a system to be off: there is no power running to it. Either it is shut down
or it is hibernated; all the other methods do not shut a system down.
Anyway- it is still a cool concept to demonstrate...
Not the clearest of titles, yet I am guessing that most of you understand where I am
going with this... Outlook has a very useful feature that caches the e-mail addresses you have used
to enable fast access to them.
In other words, once you use an address it is cached by Outlook. When you start typing
a new address Outlook will provide you with a list of cached addresses based on the partial
information you provide (hence the autocomplete part).
So, hopefully at this stage you must be asking yourself where this cache is stored??
Enter NK2: the cache is actually saved in a file called Outlook.NK2 (Outlook 2007; the part before the
extension is the name of the mail profile) located at the following path:
Controlling the cache
The simplest way to control the cache is to manually delete entries: highlight the address in the
autocomplete list and press 'Delete'.
You can clear the cache altogether by deleting the aforementioned file; it will be recreated and
repopulated as new addresses are used.
Migrating the cache
If you want to continue using the cache when you move to a new system all you need to do is copy the file...
Getting additional power
We all love power, so getting more is a no-brainer...
Nirsoft has a very useful tool called NK2View, which will allow you to edit the file, add entries to it and a
few additional goodies...
Schnitzel Dcat rulez!
Most of us have had to kill explorer.exe (the Windows shell) once in a while. At times
you have to kill it because it misbehaves, and at others you simply want to see the results
of a customization you have applied (many shell settings are only read when Explorer starts).
The most familiar way to do it is to open the Task Manager and end the explorer.exe process.
Yesterday I found a new way: press the Start button (orb), hold Control+Shift down
and right-click on an empty area in the Start Menu... Presto! You have an option called
'Exit Explorer' (personally I would have preferred Kill Explorer, but hey...). Unlike ending the
process, this lets Explorer shut down cleanly and save its settings; to get the shell back, start
explorer.exe from Task Manager (File > New Task).
Credit should be given where credit is due: I "discovered" this neat option by chance when I
stumbled upon a blog/site (can't really tell the difference these days) called 'the How-To Geek'
that has a large number of very cool tips for the computer user; check it out!
I wrote about this approximately a week ago, saying that I could not understand why
SP1 cannot be slipstreamed. Well, a week passed and I noticed a post from Kevin Remde
that explains why it can't be done (Thanks Kevin!).
In essence what Kevin is saying is that since the mechanism that facilitates seamless integration
of updates into offline WIM images is itself being updated by SP1, you can't apply SP1 to an offline WIM image.
In other words you can't replace a broken pipe while the water is still flowing... trust me, I tried it.
To be honest, I understand the logic; am I happy about it? Nope... It might not be "as big a set-back
as some of you seem to think it is" (quoted from Kevin's comments) but it is still very annoying if you
have a large number of customized images that you need to deploy SP1 to...
Let me rephrase that: not annoying but costly. Rebuilding each image takes approximately three to five
hours; now consider this in the light of having almost every IT department work under the mantra of "do
more with less..." and you have a lot of work to be handled by teams that are already overworked...
Since most of us use RSS feeds, we always look for enhancements in the way we read them.
The RSS team at Microsoft released a nice tool that provides additional features for the IE7 built-in
reader. My favorite is the ability to receive alerts about new items in a specific feed.
You can get the add-in here.
Based on a post from the TechNet Plus team, SP1 for Vista is available for subscribers. In addition,
it is also available to MSDN subscribers:
This was an annoying one. In Windows 2003 you have Remote Desktop for Administration (the 'administrative
mode' of Terminal Services), which allows two standard connections and one "console" connection using RDP
(a total of three (3) concurrent connections).
Well, that is true if the server has not decided to misbehave.
In my case it did. After two connections to the server (in any combination of console and standard)
the server would not allow a third. Not only would it not allow a third connection, but the client also
produced the oddest error message:
Once one of the two connected sessions disconnected, all of a sudden the server was found again...
So, at this stage I ruled out a concurrency violation, since if it were a concurrency limitation
I would have expected the following error message:
At first, I thought that this might be a networking/security issue limiting RDP connections to this specific
server (no more than 2)...
After some continued digging, researching and registry comparing (with a well-behaved server) I noticed a difference
between the two:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MaxInstanceCount was set
to "2" instead of "ffffffff" (the default, meaning no per-listener limit)
Once I changed the value I had no problem connecting, and thus the mystery of only two administrative connections
(instead of three) was solved...
[Now comes the question of how or why this value was changed. The server was a clean installation with SP2 on it.]