Shell RunAs

The guys (specifically Mark Russinovich) at what was Sysinternals and is now Microsoft have
created a new goodie called ShellRunas. This small (50k) tool adds a GUI option to start an
application with a different user's credentials.

The download is a command-line tool that allows you to register the GUI shortcut
with the following options:
image

Simple registration process:
image

And voilà:

image

Group Policy Preferences – Client Side Extensions

If you want your clients to be able to process GPO Preferences then you will need the
following client-side extensions:

GPP CSEs for Windows Vista (KB943729)
GPP CSEs for Windows Vista x64 Edition (KB943729)
GPP CSEs for Windows Server 2003 (KB943729)
GPP CSEs for Windows Server 2003 x64 Edition (KB943729)
GPP CSEs for Windows XP (KB943729)
GPP CSEs for Windows XP x64 Edition (KB943729)

For an overview on Group Policy Preferences click here.

New user interfaces

Approximately a week ago, I wrote in a post that the next revolution in computing will
be in the way that we interact with computers. One of those major changes is already
under way: multi-touch devices. One such device is the Microsoft Surface.

Nothing new there, except a new demo given to ‘Sarcastic Gamer’ showing off the
multi-touch abilities in a small game of firefly gathering:

Tarantino Mashup – James Hyman

By chance I stumbled upon this masterpiece of music, which is actually made out of
55 pieces of music, commentary and original pieces from Tarantino's movies.

Anyway, what I am trying to say is that it has been a long time since something managed
to get a rise out of me; all I can say is WOW. This mashup/mix is quite old (circa 2004) but
if you are a Tarantino movie lover you have got to hear it.

It’s everything you like about Tarantino movies transferred into one continuous audio track.

image

http://www.discogs.com/release/618853

http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=37219738

And we can't really sign off this post without a link to the Muppet rendition of Pulp Fiction:
http://www.milkandcookies.com/link/61209/detail/

Bitlocker – The Theory (Part 1 of 3)

I will start with a disclaimer. I know, not a good way to start a post…
I intend to write a series of posts about Bitlocker, starting with the theory and turning
that theory into practical implementation. I am writing these posts based on my own personal
research and knowledge. I have no connection to the people that wrote Bitlocker so I may
make mistakes here… If I do, please send me a message or leave a comment pointing out
the mistakes and I will make sure to fix them.

I decided to write these posts since I couldn't find any documentation about how Bitlocker
is supposed to work, how it's implemented and how it behaves in different scenarios. The
majority of articles I found provided good background information, some usage tips and
that's it… Now it's my turn to give it a shot.


What is Bitlocker

Bitlocker is a technology released with Windows Vista (Enterprise and Ultimate) that enables
users to encrypt the contents of a volume. Bitlocker's role, in the pre-SP1 era, is to protect
the system volume of a system by encrypting it. Since the encryption is at the volume level,
the information is protected from a parallel installation attack.

The need for an encryption technology that protects a volume grew from the advent of mobile
computing and the threat of data theft (stealing a laptop is easier than stealing a desktop, and
the threats to a laptop are significantly higher considering that you use it in public places).

Bitlocker provides protection, yet you must remember that all encryption mechanisms can be
decrypted (otherwise we would be in a real bind); thus Bitlocker will slow down a potential data
thief, not stop him.

You may be asking yourself at this stage what the big deal is here. Bitlocker is not the first
encryption technology to be released for Windows. Previous encryption mechanisms include the
Encrypting File System (EFS). How is Bitlocker different?


Bitlocker vs EFS

  1. Bitlocker encrypts volumes (as one unit), EFS encrypts files and directories
  2. Bitlocker encrypts system files, EFS can not encrypt system files
  3. Bitlocker uses symmetric encryption while EFS uses asymmetric encryption
  4. Bitlocker does not protect your data while a system is turned on, EFS does

Looking at this comparison, I hope that it is obvious to you that Bitlocker and
EFS are not adversaries or substitutes. Bitlocker and EFS are two technologies that can provide a
layered defense against data theft. That is, if they are used correctly and together (hence the layering).

Since this post does not deal with data protection in general but with a specific part of it, namely
Bitlocker, let's continue by trying to understand what Bitlocker can do for you and what it can't.


What Bitlocker can do

Bitlocker can do the following things:

  1. It makes it very difficult to access data on a stolen disk or computer
  2. It can encrypt the entire contents of a volume, including OS files, paging files, hibernation files
    and temporary files
  3. Post SP1 it can also encrypt additional volumes, not only the system volume
  4. It can be deployed and removed without destroying the data on the volume

What Bitlocker can’t do

Bitlocker will not do the following things:

  1. It does not protect the system from a network attack
  2. It does not protect the data while a system is on (read: has power, including standby)


How does Bitlocker work – Booting an encrypted OS

OK, now that we have the formalities out of the way, let's try to understand how Bitlocker achieves
what it does. Once enabled, Bitlocker starts an encryption process that obscures the data on the volume
it is applied to. The first volume that must be encrypted is the system volume, and thus arises the
chicken-and-egg problem:
if Bitlocker is a mechanism used by the OS to encrypt data, then to decrypt (access) the data
the OS has to be loaded (or at least part of it), but since we encrypt its volume it can not load because
it is encrypted…

To solve this problem, an additional volume has to be created (which should not store user data). This volume will not
be encrypted and will provide enough OS code to decrypt the system volume. Since in this part of the post
we are only discussing theory, take this as a given: an additional volume is created, the system boots from there,
decrypts the encrypted volumes and allows the rest of the OS to boot.


How does Bitlocker work – Encrypting a Volume

Bitlocker encrypts a volume using a symmetric algorithm (the Advanced Encryption Standard (AES) with
128-bit keys). The key length is configurable and can be increased to 256 bits, yet that may cause performance
degradation.

The encryption process begins, and a key is created: this key is called the Full Volume Encryption Key (FVEK). The
FVEK is used to encrypt and decrypt the data. The FVEK is stored on the volume as part of the volume's metadata.
But wait: if the symmetric key that is used to encrypt/decrypt the data is stored on the volume it is meant to
protect, what prevents a thief from picking it up and decrypting it? This sounds like locking a door and leaving the key
in the lock, from the outside…

To be honest, the door analogy is quite close to what happens, with one small but major difference: instead of leaving
the key in the door, the key is placed inside a locked box that is welded to the door. In other words, the FVEK is
encrypted by an additional key called the Volume Master Key (VMK).

image

How does Bitlocker work – Decrypting a Volume

To decrypt a volume, you take the process used to encrypt it and reverse it (possible because a symmetric
algorithm is used): the OS boots, identifies the usage of Bitlocker, requests the VMK and uses it to access the FVEK,
which in turn provides access to the encrypted data.


How does Bitlocker work – protecting the VMK (The Protectors!)

As you can see, once you have access to the VMK the game is over. Due to its importance the VMK has to be
closely guarded. The measures used to protect the VMK are called ‘protectors’. The role of the protectors is to prevent
unauthorized access to the VMK, and it is assumed that if you have access to a protector you are authorized to use it
(this is a huge assumption, but as the saying goes: ”Who will guard the guards?”).

There are several protectors that can be used to store the VMK:

  1. Trusted Platform Module – Secure storage built into the system board that will store the VMK and release
    it for use only if an additional authenticator (such as a PIN) is provided and no major changes to the system
    have been identified.
  2. External media – This may be a disk-on-key (USB flash drive) upon which the startup key is stored.
  3. Recovery key – A manual process of entering 48 digits to release the VMK.

More about the protectors in the second part of the Bitlocker series posts that will deal with implementation.


How does Bitlocker work – Why two keys?

There is one major reason for this: in the case of moving a hard drive to a different system or losing a protector,
there is no need to re-encrypt the volume (a lengthy process). It is enough to re-key the FVEK by creating
a new VMK. In theory this is true, yet I have not found a way to do this.
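The key chain described in the encryption, decryption and protector sections above, together with the re-keying argument of this section, as an added Python model that is not the post's or Microsoft's own code: AES-128-GCM from the cryptography package stands in for BitLocker's AES, and the on-disk layout, the function names and the treatment of each protector as a plain 16-byte key are assumptions for illustration.

```python
import os
from dataclasses import dataclass, field
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

def seal(key: bytes, plaintext: bytes) -> bytes:
    """AES-128-GCM, fresh 12-byte nonce prepended; unseal raises InvalidTag under a wrong key."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, None)

def unseal(key: bytes, blob: bytes) -> bytes:
    return AESGCM(key).decrypt(blob[:12], blob[12:], None)

@dataclass
class Volume:
    """Assumed on-disk state: data under the FVEK, FVEK under the VMK, one VMK copy per protector."""
    data: bytes
    wrapped_fvek: bytes = b""
    wrapped_vmk: list = field(default_factory=list)

    def set_vmk(self, fvek: bytes, protectors: tuple) -> None:
        """A fresh VMK wraps the FVEK; each protector (TPM, startup key, recovery key ...) wraps the VMK."""
        vmk = os.urandom(16)  # 128-bit key; self.data is never touched, no key rests in the clear
        self.wrapped_fvek = seal(vmk, fvek)
        self.wrapped_vmk = [seal(p, vmk) for p in protectors]

def encrypt_volume(data: bytes, *protectors: bytes) -> Volume:
    """A fresh 128-bit FVEK seals the data, then the VMK chain is built on top of it."""
    fvek = os.urandom(16)
    volume = Volume(data=seal(fvek, data))
    volume.set_vmk(fvek, protectors)
    return volume

def release_fvek(volume: Volume, protector: bytes) -> bytes:
    """Boot-time step: a protector releases the VMK only if it opens a stored copy; the VMK releases the FVEK."""
    for wrapped in volume.wrapped_vmk:
        try:
            vmk = unseal(protector, wrapped)
        except InvalidTag:
            continue  # this copy belongs to a different protector
        return unseal(vmk, volume.wrapped_fvek)
    raise PermissionError("no protector releases the VMK")

def decrypt_volume(volume: Volume, protector: bytes) -> bytes:
    return unseal(release_fvek(volume, protector), volume.data)  # protector -> VMK -> FVEK -> data

def rekey_vmk(volume: Volume, old_protector: bytes, *new_protectors: bytes) -> None:
    """Lost or moved protector: re-wrap the FVEK under a new VMK; the data is not re-encrypted."""
    volume.set_vmk(release_fvek(volume, old_protector), new_protectors)
```

After rekey_vmk the bytes in volume.data are unchanged while every old protector stops working, which is the "no re-encryption" property argued above.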


Conclusion of part one

Bitlocker is part of a layered strategy to protect data from theft. The aim of this post was to lay down
foundations that will help with the implementation of Bitlocker. You should now be able to understand
the role of Bitlocker and its abilities and shortcomings.

The second part of the series will describe the methods to implement Bitlocker.

image

TCP/IP port range in Vista and Win2k8

According to KB929851 the dynamic range of TCP/UDP ports used by
applications on Vista or Win2k8 has changed from 1025 through 5000 to 49152 through
65535.

The port ranges can be viewed by using the following commands:

• netsh int ipv4 show dynamicport tcp
• netsh int ipv4 show dynamicport udp
• netsh int ipv6 show dynamicport tcp
• netsh int ipv6 show dynamicport udp


In addition to that the port ranges can be changed by using the following
commands:

• netsh int ipv4 set dynamicport tcp start=X num=Y
• netsh int ipv4 set dynamicport udp start=X num=Y
• netsh int ipv6 set dynamicport tcp start=X num=Y
• netsh int ipv6 set dynamicport udp start=X num=Y