My Notes to Myself and Others...

Windows Server/Exchange Server/Music/Games/Rants

As time passes, computers become more of a commodity and less unusual. When I
started using computers, people regarded them with some suspicion. Nobody really
understood what that box and screen would be used for in the future, and some even thought
that we were wasting our time using it.

Today, everyone uses a computer. The computer has become a tool that helps you do
your work, watch TV, listen to music, pay your bills and play.

The user interface that turns a computer (essentially a heap of metal and plastic) into
a usable tool is the OS and the software running on top of it. Considering that the computer
has become a commodity (meaning that non-geeks are using it), the more intuitive the OS
and software are, the better; thus the OS that is more user friendly will prevail.

The big question is: how can we determine which OS is easier to use?

The answer is a simple experiment (which I always wanted to do but never got around
to...): provide a list of standard tasks to a "standard" person and assess the degree of success
in completing each task on each OS.

As I mentioned above, I never got around to doing this experiment, but a blogger (Content Consumer)
did, in a post called The Great Ubuntu-Girlfriend Experiment.

At this stage the experiment was conducted only with Ubuntu but it will be interesting to see
how this progresses.

Posted by Erik Rozman | with no comments

As a photographer in the past (and from time to time at present), this is a dream
come true for me. This tool from Microsoft enables the user to add metadata to
his photographs. At this stage you might say that it's no big deal, this was possible
in the past, yet with this application the amount of metadata that you can add to
a photograph is HUGE.

In addition to the standard metadata, you can also add location
information from a GPS and place the information on a Microsoft Virtual Earth
map, building your route and pictures.


Download: Microsoft Pro Photo Tools V1 (x86)

Posted by Erik Rozman

One of the major changes in Office 2007 is in the user interface. The old
user interface has been replaced by ribbons. Each ribbon represents a set
of commands, and to be honest, at first (and sometimes still) I found it annoying
since I couldn't find commands I previously could.


On the other hand, a very welcome change in the Vista user interface is the search
box in the Start menu. You type the first few letters of a command or a file name
and the interface presents possible options using a previously created index.


So why isn't there such a tool for Office, a tool that will enable me to find the commands
I am looking for by entering the first few letters of the command? Well, there is, and it's
called Search Commands from Microsoft Office Labs.

The tool adds a new ribbon to Word, Excel and PowerPoint that adapts to what you
type and displays the closest commands to what you typed:


Download it from here.

Posted by Erik Rozman

If you have been following my blog you know that I have a series of posts
about BitLocker. The third part is still missing in action, but a new tool
from Microsoft will be sure to make a guest appearance in that post:
BitLocker Repair Tool.

This tool helps access data encrypted with BitLocker if the hard disk has been
physically damaged. It attempts to reconstruct critical data from the drive
and salvage any recoverable data. To decrypt the data, a recovery password or
recovery key is required. In some cases, a backup of the key package is also required.
Use this command-line tool if the following conditions are true:
• A volume has been encrypted by using BitLocker Drive Encryption.
• Windows does not start, or you cannot start the BitLocker recovery console.
• You do not have a copy of the data that is contained on the encrypted volume.

Download it here.

Posted by Erik Rozman

Lately, everywhere I look everything is turning green. We are all becoming very aware
of how our actions affect our planet and how bad we are for not recycling and not buying
stuff that is green. Heck, there's even a whole new industry, with consulting firms
that will help you be greener!

Lately, I took part in a project to set up a new (small) office. Among other things we had
to provide the computer equipment to be used in that office. When we were finished installing it, we
were standing in front of a huge pile of cardboard boxes, plastic wrappers, warranty booklets and
CD-ROMs (for the drivers, of course...). At this point I asked myself: how does it help
to have all of these 'green' initiatives that are mainly focused on consumers (in some cases
to soothe their conscience) when the large conglomerates create huge amounts of junk
with excessive packaging?!?

Why can't these companies minimize the packaging? Why does a mouse or a webcam have to
come in a cardboard and plastic box that is twice (if not more) the size of the product itself?

Wouldn't reducing unnecessary packaging contribute more to our planet than
investing in campaigns saying how green you are?

[I do understand the importance of packaging for branding and sales, but still, so much junk for
one mouse/keyboard/webcam/phone?!?!?]

Posted by Erik Rozman

One of the most annoying things in the world (ok, I may be exaggerating a bit)
is to install a new server and forget to enable Remote Desktop (extra points for a
remote site).

If this happens you can either use some type of IP KVM to connect to the server and
enable Remote Desktop or, with some Registry editing, you can enable it remotely.

  1. Open the registry editor (Start>Run>REGEDIT)
  2. File>Connect Network Registry
  3. Enter the name of the computer you want to enable Remote Desktop on
  4. Navigate to: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
  5. Edit (or create) the DWORD value fDenyTSConnections
  6. Set its value to 0
  7. Restart the remote system (shutdown -m \\remoteserver -r)
  8. Connect to the server after it starts...
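The same change scripted in PowerShell, as an added example that is not from the original post. It assumes you are a local administrator on the target, that the Remote Registry service is running there (REGEDIT's "Connect Network Registry" depends on it too), that Get-Service -ComputerName is available (Windows PowerShell 5.1), and that the firewall already allows TCP 3389.

```powershell
# Added example (not from the original post): enable Remote Desktop on a remote
# server through the Remote Registry, the same change the REGEDIT steps make.
# Assumptions: local admin on the target, Remote Registry service running there,
# firewall already permits TCP 3389.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,
    [switch]$Restart
)

$keyPath   = 'SYSTEM\CurrentControlSet\Control\Terminal Server'
$valueName = 'fDenyTSConnections'

# Check the prerequisite first: without Remote Registry the remote hive cannot be opened.
$svc = Get-Service -ComputerName $ComputerName -Name RemoteRegistry -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    throw "Remote Registry service on $ComputerName is $($svc.Status); start it first."
}

$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
try {
    $key = $hklm.OpenSubKey($keyPath, $true)   # $true = open writable
    if ($null -eq $key) { throw "Key HKLM\$keyPath not found on $ComputerName" }

    $before = $key.GetValue($valueName, 'missing')
    Write-Host "$ComputerName : $valueName was '$before'"

    # 0 = allow Remote Desktop connections, 1 = deny. Only write when a change is needed.
    if ($before -ne 0) {
        $key.SetValue($valueName, 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        Write-Host "$ComputerName : $valueName set to 0 (Remote Desktop enabled)"
    }
    $key.Close()
} finally {
    $hklm.Close()
}

if ($Restart) {
    # Equivalent of "shutdown -m \\remoteserver -r" from the post.
    Restart-Computer -ComputerName $ComputerName -Force
}

# After the restart, confirm the listener is reachable before opening mstsc
# (Test-NetConnection needs Windows 8 / Server 2012 or later on the admin box):
# Test-NetConnection -ComputerName $ComputerName -Port 3389
```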
Posted by Erik Rozman

To me, the sidebar was an odd feature of Vista. It reminded me of the old Office
toolbar (which I never used), yet as time passes it is starting to grow on me,
mainly thanks to the useful gadgets people build for it.

One such useful gadget is the Control System gadget, which allows you to
shut down (including all variations: standby, hibernate etc.) your system from
the sidebar.


Download it here.

Posted by Erik Rozman

Continuing the BitLocker related posts, I wanted to reveal a tip I intend to discuss
in the third part of my BitLocker post series: accessing BitLocker encrypted volumes
by using WinPE.

If something went terribly wrong with your Windows installation you are in a bad
situation: not only can you not load Windows, but since you can't load Windows
you can't access your data either (it is protected by BitLocker, which is a feature of
Windows).

You may attempt to access your data by loading WinPE, yet obviously, since the
data is encrypted, you will see the drives as blank...an interesting bind.

Have no fear though: your data is safe, and if you have your recovery key or password
handy you will have access in no time. First of all you need to make sure that you
have the scripting package installed in your WinPE; once this is done you will use the
BitLocker command line interface to access the data:

cscript manage-bde.wsf -unlock <drive letter> -recoverykey <path to BEK file>

cscript manage-bde.wsf -unlock <drive letter> -recoverypassword <48 digit password>

Note that the drive letter you are looking for might be different than the one
you assume it is. The S: drive will most likely take the letter C: and the rest will use
consecutive letters.
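The WinPE unlock above, scripted so that the locked volume is found from manage-bde's own status output instead of guessing the shifted drive letter. This is an added example, not code from the original post; it assumes WinPE has the scripting and PowerShell packages, that manage-bde.wsf is on the path, and that the "Volume X:" / "Lock Status:" lines of manage-bde -status look as they do on Vista.

```powershell
# Added example (not from the original post): locate the locked BitLocker volume(s)
# from WinPE and unlock them with either the .BEK file or the 48-digit password.
# Assumptions: WinPE includes cscript and PowerShell, manage-bde.wsf is on the path.
param(
    [string]$RecoveryKeyPath,   # path to the .BEK file, e.g. on removable media
    [string]$RecoveryPassword   # 48 digits, dashes optional
)
if (-not $RecoveryKeyPath -and -not $RecoveryPassword) {
    throw 'Supply -RecoveryKeyPath or -RecoveryPassword.'
}

# Parses "manage-bde -status" output: each volume section starts with a
# "Volume X: [...]" line and contains a "Lock Status:" line. Returns locked letters.
function Get-LockedVolumes {
    param([string[]]$StatusLines)
    $locked  = @()
    $current = $null
    foreach ($line in $StatusLines) {
        if ($line -match '^Volume ([A-Z]):') {
            $current = $matches[1] + ':'
        } elseif ($current -and $line -match 'Lock Status:\s+Locked') {
            $locked += $current
        }
    }
    return $locked
}

$status = & cscript //nologo manage-bde.wsf -status
$locked = @(Get-LockedVolumes -StatusLines $status)
if ($locked.Count -eq 0) {
    throw 'No locked BitLocker volume found; it may already be unlocked.'
}

foreach ($drive in $locked) {
    Write-Host "Unlocking $drive (WinPE may have assigned the OS volume a different letter)"
    if ($RecoveryKeyPath) {
        & cscript //nologo manage-bde.wsf -unlock $drive -recoverykey $RecoveryKeyPath
    } else {
        $digits = $RecoveryPassword -replace '[^0-9]', ''
        if ($digits.Length -ne 48) { throw 'Recovery password must contain 48 digits.' }
        # manage-bde expects the password as 8 dash-separated groups of 6 digits.
        $grouped = $digits -replace '(\d{6})(?=\d)', '$1-'
        & cscript //nologo manage-bde.wsf -unlock $drive -recoverypassword $grouped
    }
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Unlock of $drive failed (exit code $LASTEXITCODE)"
    }
}
```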

Posted by Erik Rozman

It has been a while since I wrote the first part, much longer than I planned, but as
the saying goes: Man plans, God smiles...

In the first part of the series I described what BitLocker is and how it works;
now it's time to get your hands dirty and implement it. As with any process, planning/preparing
increases the chances of success, and in the case of BitLocker it doesn't really
matter whether you plan to implement it on one system or one thousand systems: some
planning is necessary.

Planning/preparing the process

The preparations for a BitLocker implementation concentrate on two major areas:

  1. Choosing the protector - in my previous post I pointed out that there are
    two types of protectors (I wouldn't count the recovery key/password as standard protectors).
    Before you begin the process you should choose the protector you plan to use.
    The decision depends on what your system(s) support.
  2. Facilitating recovery - If your protector is lost or damaged you should be ready to provide
    a recovery process; if you can't, you will be stuck with a very large and useless brick...
    Recovery can be provided either by saving the text file (which stores the 48-character
    recovery key) or by storing the same information in Active Directory. An additional option is to
    carry an additional key with you.

I will describe all options and their use later in this post.

Starting the process - Creating a new boot volume

The process for creating a new boot volume can be executed manually or with a tool provided by Microsoft
(found in Vista Ultimate). The description and methods of obtaining the tool can be found at:
http://support.microsoft.com/kb/930063

  1. Start the 'BitLocker Drive Preparation Tool'.
  2. Accept the license.
  3. Note the warnings described by the wizard. The last one is especially important: do not store any data
    on the newly created partition, as it will not be encrypted. Press 'Continue'.
  4. At this stage the wizard starts the actual work by shrinking drive C:, creating a new volume (S:, unless that letter is already
    in use, in which case it uses the next available letter - thanks Eli!), copying the necessary files and making the new volume
    the active drive.
  5. At this stage you will be asked to restart the system.

Starting the process - Configuring the local GPO

Unless you are in an enterprise environment you need to configure your local GPO settings to enable the usage
of BitLocker and to customize it.

  1. Start>Run>gpedit.msc [acknowledge the UAC prompt]
  2. Go to: Computer Configuration>Administrative Templates>Windows Components>BitLocker Drive Encryption
  3. Even though it may seem a bit daunting (not to mention that each of the options has a significant impact on the
    way BitLocker is implemented), the options are relatively straightforward:
    1. Turn on BitLocker backup to Active Directory Domain Services - As the name implies, this option
      controls whether a backup to AD should be made, whether it is mandatory and what should be backed
      up (the 48-digit key and/or the key packages, which enable the creation of keys later on).
    2. Control Panel Setup: Configure recovery folder - allows you to set the default path offered by the
      wizard when saving the recovery password.
    3. Control Panel Setup: Configure recovery options - enables you to specify the recovery key type. Note
      that since BitLocker must have a recovery method, if you disallow both key types (48 and 256) then AD
      recovery must be enabled (otherwise a policy error occurs).
    4. Control Panel Setup: Enable advanced startup options - Now this one is important. To enable BitLocker
      this setting must be enabled, as it determines which protector will be used and how:
      1. Allow BitLocker without a compatible TPM - if your system does not have a supported TPM (1.2).
      2. If the computer does have a TPM, then you can set the mechanism needed to access the information
        stored on the TPM (either a PIN code or a key; you can't have both).
    5. Configure Encryption Method - self explanatory.
    6. Prevent memory overwrite on restart - controls whether memory is overwritten before restarting. Overwriting
      destroys the key held in RAM for accessing encrypted material; in other words, it increases safety at the
      cost of performance.
    7. Configure TPM platform validation profile - one major advantage of using a system with a TPM is
      the added security a Trusted Platform Module provides. This added security comes in the form of
      verification of boot-time parameters; if those parameters change, the TPM will not allow access to the
      encryption keys and the system will enter recovery mode.

Starting the process - Enabling BitLocker

Up to this point no encryption mechanisms have been enabled. Your system has been changed, yet the changes did
not enable or apply any encryption to the system, so let's get to it:

  1. Once the settings have been configured we can finally start the encryption process. This is done by starting the
    BitLocker Drive Encryption tool.
  2. Choose 'Turn On BitLocker'. The screenshots were taken from a system that has a compatible
    TPM. If your system doesn't have one, the steps will be a bit different but the concept will be the same.
  3. If you haven't turned the TPM on yet you will receive a warning message about it. Vista turns it on, but it still
    needs some interaction from you: shut down the system and turn it on.
  4. After restarting, on the system I used (Lenovo X61) I received a message requesting me to acknowledge the
    request to turn the TPM on.
  5. After acknowledging the request, I logged into the system and could finally start the encryption process.
  6. Ownership of the TPM is taken.
  7. At this stage (if you configured the system to use a PIN to protect the TPM) you will be asked for that PIN.
    If you chose to use a key, you will be asked for a removable storage device on which to store the key.
  8. As you may remember, BitLocker needs a recovery mechanism. This is where you configure it.
    Note that you can create additional keys later on, but you need to create at least one at this stage
    to continue.
  9. Once the recovery key is saved, the encryption can start...well, almost. After creating the recovery
    key I would advise that you make sure it is tested by marking the checkbox 'Run BitLocker
    System Check'. This will restart your system and the recovery key you created will be tested.
    If the test fails, encryption will not commence.
  10. After the system starts up, you finally get to the promised land...or encryption.

A few observations about the process

  • The encryption process can be paused and continued at a later stage by different users of the same system.
    The process will continue over restarts from the point it left off, and the decryption key will be required after
    every restart and hibernation.
  • During the encryption process, the free space on the volume being encrypted drops dramatically, to approximately
    6 GB. This happens because of the way BitLocker balances security and performance while encrypting a volume. Free
    space on a hard drive is rarely empty: when you delete data on a volume you do not destroy the data, you simply
    hide it from plain view. In other words, free disk space may still hold valuable data and it too needs to be encrypted
    or destroyed. When deciding on a method (encrypting or destroying the data), encrypting the data stored in free space
    seems to be a waste of time and performance, so the logical solution is destroying it. This is achieved by creating
    a huge file (called the wipe file) that covers all free space except 6 GB (to avoid full-disk messages), which is encrypted.
  • The progress bar (percentage) doesn't seem to reflect the time left, so don't base your time calculations on it. It seems to
    start out at a slower pace and then pick up.

Managing BitLocker

Once BitLocker is applied there is not much to do; it's simply there. Nevertheless, there are a few additional tasks that
you should be aware of, all reachable by starting the 'BitLocker Drive Encryption Tool':

  1. Save additional copies of the recovery key.
  2. Reset the TPM PIN.
  3. Encrypt additional volumes - once the first volume (typically C:) is encrypted, additional volumes (except S:)
    can be encrypted.
  4. Turn off BitLocker - You may want to turn off BitLocker for two main reasons:
    1. Remove BitLocker from the system - This can be done by choosing 'Turn Off BitLocker'
      and then 'Decrypt the drive'. This is a lengthy process, as the drive needs to be fully decrypted.
    2. Disable BitLocker for driver installations and BIOS updates - In some cases you might be instructed to
      facilitate BIOS updates or driver installations by disabling BitLocker. When you disable BitLocker
      you do not remove the encryption, you simply put it on hold: the key needed to decrypt the data is freely
      available to the OS.


Managing BitLocker - Recovery

Recovery mode can be triggered by several factors:

  1. If you use TPM and the boot environment has been tampered with (automatically)
  2. You lost your TPM PIN or key (manually)
  3. On a TPM protected system, the system board needs to be replaced
  4. On a TPM protected system, the disk is moved to a different system

If recovery mode is triggered you will need to use either the recovery key you created or the recovery
password that is stored alongside that recovery key. Basically they are both protectors in different
forms: one provides the key as a file saved on removable storage, while the other provides the key by
entering a 48-digit password. The file can be used by you if you have access to the removable storage,
while the password can also be used by a helpdesk representative helping you remotely.

Let's take a closer look at these protectors:

  1. BEK (Backup Encryption Key?) file - This is an unreadable (to human eyes) file that stores the key needed
    by BitLocker to decrypt the volume in question.
  2. TXT (text) file - Holds the 48-digit password, which is the key to the volume.
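When the 48-digit password is read out over the phone by helpdesk, mistyped digits are the usual failure, so it helps to check the password's structure before trying it on the recovery screen. The check below is an added example, not from the original post; it relies on the documented format of the recovery password (8 groups of 6 digits, each group a 16-bit value multiplied by 11, hence divisible by 11 and below 720896), and the sample password is constructed, not a real key.

```powershell
# Added example (not from the original post): sanity-check a 48-digit BitLocker
# recovery password before it is typed into the recovery screen.
# Format facts used: 8 groups of 6 digits; every group is a 16-bit value times 11,
# so each group is divisible by 11 and less than 720896.
function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory = $true)][string]$Password)

    $digits = $Password -replace '[^0-9]', ''      # tolerate dashes and spaces
    if ($digits.Length -ne 48) {
        return [pscustomobject]@{ Valid = $false; Reason = "expected 48 digits, got $($digits.Length)" }
    }
    for ($i = 0; $i -lt 8; $i++) {
        $text  = $digits.Substring($i * 6, 6)
        $group = [int]$text
        if ($group -ge 720896 -or ($group % 11) -ne 0) {
            return [pscustomobject]@{ Valid = $false; Reason = "group $($i + 1) ($text) fails the divisibility check" }
        }
    }
    return [pscustomobject]@{ Valid = $true; Reason = 'all 8 groups pass' }
}

# Constructed sample (not a real key): eight 16-bit values, each multiplied by 11
# and zero-padded to 6 digits, joined with dashes like the recovery TXT file.
$sampleValues = 1234, 65535, 0, 4096, 777, 31337, 60000, 42
$sample = ($sampleValues | ForEach-Object { '{0:D6}' -f ($_ * 11) }) -join '-'

# A single mistyped digit breaks the divisibility rule of its group.
$typo = $sample.Substring(0, 3) + '9' + $sample.Substring(4)

Test-BitLockerRecoveryPassword $sample
Test-BitLockerRecoveryPassword $typo
```

A password that passes this check can still be the wrong password for the volume; the check only catches transcription errors, it does not prove the password matches the key.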

To use these recovery options, choose recovery mode (or reach it automatically) when your system boots,
by pressing ESC.

Note that once you reach recovery you are requested to provide the key (note the file name in the screenshot). If
you do not have the key with you, you can press Enter, which will bring up the user interface needed to
enter the 48-digit password.

Note that after booting through recovery mode you can continue working normally. As I mentioned in the first post
of this series, recovery mode is no different from a standard boot mode. Recovery mode simply uses different
protectors to provide the decryption.

Even though you can continue working normally by booting through recovery mode every time, you should recreate your
original method of booting the system, either by creating a new key (on a removable storage device) or on your
TPM (which may be a bit more complicated than it seems; more about this in part three).


2nd part conclusions

In this part of the series I tried to describe the hands-on process of configuring BitLocker and using it; we are not
done though. In part three, I plan to show you how to use the command line interface to control BitLocker,
plus a few additional tips and tricks.

As usual,any feedback/corrections are welcome.

Posted by Erik Rozman

...or saving yourself some embarrassment after making a mistake in an outgoing
message...

I am guessing that this has happened to all of you, and it has obviously happened
to me: you press the Send button on an e-mail and notice that [replace with your own
experience] you have placed an incorrect recipient in the To/CC/Bcc fields. You
feel your stomach sink, you rush to your Outbox folder (it has a tendency to hide
when this happens) and you find out that it's gone...Then you need to write a message
explaining/apologizing for the previous message...

By configuring a few rules in Outlook you can actually save yourself the hassle by
asking Outlook to delay an outgoing message. By delaying it, if you press the
Send button and then notice that you have made a mistake, you are given a chance to fix that
mistake by accessing the message in your Outbox. Granted, there is a one minute
delay before your message is actually sent, but that delay may be worth it.
If you have an urgent message that must leave you can configure an exception to the
delaying rule. So how is this done?

  1. Open Outlook.
  2. Tools>Rules and Alerts>New Rule.
  3. At the bottom, choose 'Start from a blank rule>Check messages after sending'.
  4. Press Next, and press Next again on the Conditions window.
  5. On the 'Actions' window choose 'defer delivery by a number of minutes'.
  6. At the bottom of the window click the 'a number of' link and choose the number
    of minutes you would like messages to be deferred for.
  7. Press Next.
  8. If you want to configure any exceptions, now is the time. As an example, you may
    want all messages marked with 'High Importance' to be sent immediately.
  9. Finish configuring the rule by finalizing and enabling it.

That's it: every message sent will be delayed for a minute (except the ones marked
with high importance)...Note that you can configure additional exceptions, basing them
on categories, or configure longer delays for specific messages...


P.S.

A message I sent by mistake on Wednesday triggered the writing of this post, and I noticed
that the Outlook team's blog has a post about this too...

A couple of days ago I had a long discussion about who I would trust to make correct
decisions: man or machine?

I held the opinion that a man should always make the decisions, since I sometimes
prefer decisions that are actually based on gut feelings or emotions. My
counterpart in the discussion claimed that machines have the ability to make rational
decisions since they are not affected by emotions and are driven by pure logic.

We never reached the point of discussing a hybrid system, but oddly enough I bumped
into the following piece of news that shows the result of a hybrid decision making system:

Stuck bus

Yet another GPS-induced mistake, where a man blindly follows a machine's recommendation even
though it defies logic.

For the full story, take a look at:

http://seattlepi.nwsource.com/local/359497_bus18.html?source=rss

So, who would you prefer to make the decisions?

Posted by Erik Rozman

Ever wondered what the status of the Windows Indexing service is? How many
items has it gone through, and what state is it in?
Well, now you can view its status by simply looking at a sidebar gadget created by
Brandon Paddock.

Download it from here.


Posted by Erik Rozman