In Windows 10, there are a few different ways to find and change your settings: Settings app, Control Panel, app settings, and search.
You can use Control Panel to change settings for Windows. These settings control nearly everything about how Windows looks and works, and you can use them to set up Windows so that it’s just right for you.
This tutorial will show you how to create or download a shortcut that will always open to the Control Panel in either category or icons view in Windows 10.
What is BackupGenie?
The Malwarebytes research team has determined that BackupGenie is nagware. This one typically gets bundled with other software or promoted heavily through dubious advertisers.
Once installed it keeps reminding the user to register the full version.
++ Ad.BetterBrowse + Ad.Linkular ++ Ad.Loffinam + BitAccelerator.DirectDownloader + bProtector + Firseria
++ Win32.Agent.jpn + Win32.Estiwir.gen ++ Win32.Powp.gen + Win32.VB.ik
Total: 2623275 fingerprints in 834413 rules for 7744 products.
All apps in the Start menu displays an alphabetical list of shortcuts to all installed Windows apps and desktop apps on your Windows 10 PC. Some of these shortcuts are grouped into folders with the folder name in the alphabetical list.
Internet Explorer allows you to add websites to Apps to be able to quickly open the site directly from your Start menu. When you open an added site from Apps, it will open in Internet Explorer and be the homepage.
This tutorial will show you how to add or remove websites from Internet Explorer to Apps in the Start menu for your account in Windows 10.
“MP Control Manager detected management point is not responding to HTTP requests. The HTTP status code and text is 401, Unauthorized”
I have a Management Point that, when I view it in Site Status in the Console (Monitoring\Overview\System Status\Site Status), has its Status showing as Critical. It is also reporting Error Status Message ID 5436.
If I look in mpcontrol.log I am seeing:
Call to HttpSendRequestSync failed for port 80 with status code 401, text: Unauthorized Http test request failed, status code is 401, 'Unauthorized'.
I have tried all kinds of things such as removing and reinstalling the MP, running the prerequisite check for the MP to make sure I haven’t missed anything there, and even a Site Reset all without success.
What is Driver Updater Plus?
The Malwarebytes research team has determined that Driver Updater Plus is a “system optimizer”. These so-called “system optimizers” sometimes use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.
Some of you may be aware that my new book for Packt Publishing is out! It is titled Entity Framework Core Cookbook – Second Edition because it was meant to be the second edition of Entity Framework 4.1: Expert’s Cookbook. In fact, it is mostly a full rewrite.
It is organized in chapters:
Chapter 1: Improving Entity Framework in the Real World
Chapter 2: Mapping Entities
Chapter 3: Validation and Changes
Chapter 4: Transactions and Concurrency Control
Chapter 5: Querying
Chapter 6: Advanced Scenarios
Chapter 7: Performance and Scalability
When I started writing it, .NET Core was still in early RC1. Things changed a lot from RC1 to RC2 and then again to RTM, so I had to revisit all chapters in the end. It was a pity that EF Core 1.1 was released shortly after the book was closed, because I could have talked about it too. Also, there are things that I could have covered, like extending Entity Framework Core, but there were so many of them! Maybe in a future time!
Those of you who are interested can get a copy from the Packt Publishing site or from other sellers, either as an e-book or in hardcopy.
The Groove app, on Xbox One, has restored music videos with a recent update. The feature is activated by turning on the video button, shown during the now playing screen. One thing to note is that when you activate music videos, the ability for background music is lost (most likely because wanting music videos is actively saying that you’re going to use Groove music as the primary application).
In real world use, the inclusion of music videos doesn’t slow much down. They load quickly and keep the momentum of the playlist going. It’s a great feature to have for a party (especially with the holidays coming up – you could have this running in the background).
There may be times when you may need to just reset Chrome settings to default, or completely reset Chrome to default like when first installed.
This tutorial will show you how to either reset Chrome settings to default or completely reset Chrome to default like when first installed for your account in Windows.
How do I run the “mplist” test to check my SCCM Client can connect to a Management Point?
In this post we explain how to run the mplist test to verify your ConfigMgr Client can connect to a Management Point.
What is the “mplist” test for SCCM Management Points?
Wondering what the “mplist” test for ConfigMgr Management Point troubleshooting/connectivity is for? Let us explain in the post.
What is PrivacyDr.?
The Malwarebytes research team has determined that PrivacyDr. is a “system optimizer”. These so-called “system optimizers” use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.
If you’re having problems with Firefox, refreshing it can help. The refresh feature fixes many issues by restoring Firefox to its default state while saving your essential information like bookmarks, passwords, and open tabs.
All of your Firefox settings and personal information are stored in a profile folder. The refresh feature works by creating a new profile folder for you while saving your important data.
Add-ons which are normally stored inside the Firefox profile folder, such as extensions and themes, will be removed. Add-ons stored in other locations, such as plugins, will not be removed but any modified preferences (such as plugins you have disabled) will be reset.
You can completely reset Firefox to default like when it was first installed. Resetting Firefox will include resetting all Firefox settings to default and deleting your profiles, themes, extensions, bookmarks, browsing history, passwords, cookies, and web form auto-fill information.
This tutorial will show you how to completely reset Mozilla Firefox back to default for your account in Windows.
- Browser updates for Pale Moon and 0-day for Firefox
- Linux updates; Microsoft changing command prompt in Windows 10
- General Security entries
Everyone uses a certificate when requiring authentication on an internet-facing site. However, it’s surprising how many folks don’t take the time to understand SSL/TLS. Securing SSL/TLS protocols is a pretty common thing to do on any Windows Server running IIS and web applications that use HTTPS, especially if they require some sort of compliance. It is a good idea to do this on all of the servers in your SharePoint farm, to ensure your secure connections really are secure. It’s also important to note that I have several SharePoint 2016 environments where I have removed both TLS 1.0/1.1. However, I have not removed TLS 1.1 from any of my SharePoint 2013 environments. However, all of my clients with SharePoint 2013 are using a HW Load Balancer like the F5 and have offloaded SSL and removed TLS 1.0/1.1 using the HW…
All Microsoft Windows devices using SSL/TLS protocols use SCHANNEL, whereas on Linux you have to install something like OpenSSL. You may also notice that while OpenSSL has more security vulnerabilities, they tend to respond quickly to them. However, Microsoft has been disappointingly slow in updating the cryptography stack in its OS and applications. Note: there may be flags when running SSL Labs scans against your servers that you may not be able to resolve at this time. This may also apply to the availability of the latest cipher suites.
All of the configuration changes to SCHANNEL are stored in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
The first time I created a GPO to configure SSL/TLS and deploy it to the farm, I spent a few days with Regedit and reading TechNet. I recommend using IISCrypto from Nartac to make the changes, to ensure the process goes as smoothly as possible on your first server; then, after reboot, export the SCHANNEL key for use with a GPO to automate the deployment for all additional servers in your farm.
You can use the following command to export the SCHANNEL registry settings prior to making the changes, and again afterwards for use with the GPO, should you need to restore it: reg export HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL SChannel-Export.reg
There are a few gotchas when making modifications to SCHANNEL on Windows; please QA as necessary in the lab prior to deploying to production:
- SQL Server used to require TLS 1.0; when you disabled it, your SharePoint servers would not be able to communicate with the SQL cluster. Please review the information about the SQL updates and additional known issues using the following link: TLS 1.2 support for Microsoft SQL Server, then download and install the appropriate SQL updates. All versions prior to SQL Server 2016 require the updates regardless of Service Pack or Cumulative Update.
- Please make sure you download and install KB3080079 if you are running a version of Windows Server prior to Windows Server 2012, or RDS/RDP will break after disabling TLS 1.0 and rebooting. Note: If you are using IISCrypto you may see a pop-up like the following screenshot after reviewing TLS 1.0/1.1.
- Older clients (Windows XP and earlier) may not be able to connect if they do not support the newer SSL/TLS technologies and you disable the older ones. Out of the box, Windows Server is configured to be relatively compatible with older clients, which in turn makes it less secure. You can find a complete browser compatibility list here: https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_browsers
- Qualys will ding you for supporting 1024 bit DHE groups, and will recommend DHE key exchanges be increased to 2048 bit or disabled, but 1024 is the limit on all versions of Windows prior to Windows 10 at this time.
- Be sure to thoroughly test your applications after making any changes, mainly looking for connection failures over HTTPS. The errors will be listed in the system event log with SCHANNEL as the source.
The following configuration works with most modern software (Windows Vista and newer) while providing a relatively robust SSL/TLS configuration, and earning an A ranking on Qualys’s SSL Labs tester.
- Download IISCrypto and apply the “Best Practices” template
- Use the Best Practice template: click Templates, choose Best Practice from the drop-down, then click Apply
- Disable TLS 1.0, assuming the SQL updates have been applied and KB3080079 for RDS/RDP has been applied
- Disable MD5 under Hashes enabled
- Click Apply
- Test your site with Qualys’s SSL Labs tester
QUALYS SSLLabs Ranking
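The file written by the reg export command above can be checked offline before it is turned into a GPO. The following is an added example, not part of the original post or of IISCrypto: it parses an export and reports whether TLS 1.0 and MD5, the two items the steps above disable, are still enabled or have no explicit setting. The sample export text is constructed, and the function names are illustrative.

```python
import re

BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

# Constructed sample in the format `reg export` writes (not from a real server).
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[" + BASE + r"\Hashes\MD5]",
    '"Enabled"=dword:00000000',
    "",
    "[" + BASE + r"\Protocols\TLS 1.0\Server]",
    '"Enabled"=dword:ffffffff',
    '"DisabledByDefault"=dword:00000000',
    "",
    "[" + BASE + r"\Protocols\TLS 1.2\Server]",
    '"Enabled"=dword:ffffffff',
    '"DisabledByDefault"=dword:00000000',
])

SECTION = re.compile(r"^\[(.+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def load_export(path):
    # Version 5.00 exports are UTF-16 with a byte order mark.
    with open(path, encoding="utf-16") as handle:
        return handle.read()

def parse_reg(text):
    """Return {lower-cased key path: {value name: int}} for DWORD values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            # Registry key names are case-insensitive, so normalise them.
            current = keys.setdefault(section.group(1).lower(), {})
            continue
        value = DWORD.match(line)
        if value and current is not None:
            current[value.group(1)] = int(value.group(2), 16)
    return keys

def audit(keys, weak_protocols=("TLS 1.0",), weak_hashes=("MD5",)):
    """List (subkey, status) for weak items that are enabled or not set."""
    subkeys = ["\\".join(("Protocols", p, "Server")) for p in weak_protocols]
    subkeys += ["\\".join(("Hashes", h)) for h in weak_hashes]
    findings = []
    for sub in subkeys:
        values = keys.get((BASE + "\\" + sub).lower())
        if values is None or "Enabled" not in values:
            findings.append((sub, "not set"))   # OS default applies
        elif values["Enabled"] != 0:
            findings.append((sub, "enabled"))
    return findings

if __name__ == "__main__":
    for subkey, status in audit(parse_reg(SAMPLE_EXPORT)):
        print(subkey, status)
```

Run it against the export taken before the change and again against the one taken after the reboot; an empty result for the second file means the exported key carries the intended settings.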
First, a quick recap:
Credentials include a Claim and a Proof (possibly many).
The Claim is what states one or more facts about your identity.
A Username is one example of a Claim. So is Group Membership, Age, Eye Colour, Operating System, Installed Software, etc…
The Proof is what allows someone to reliably trust the Claim is true.
A Password is one example of a Proof. So is a Signature, a Passport, etc…
Claims are generally public, or at least non-secret, and if not unique, are at least specific (e.g. membership of the group “Brown eyes” isn’t open to people with blue eyes).
Proofs are generally secret, and may be shared, but such sharing should not be discoverable except by brute force. (Which is why we salt passwords).
Now, the topic – password resets
Password resets can occur for a number of reasons – you’ve forgotten your password, or the password change functionality is more cumbersome than the password reset, or the owner of the account has changed (is that allowable?) – but the basic principle is that an account needs a new password, and there needs to be a way to achieve that without knowledge of the existing password.
Let’s talk as if it’s a forgotten password.
So we have a Claim – we want to assert that we possess an identity – but we have to prove this without using the primary Proof.
Which means we have to know of a secondary Proof. There are common ways to do this – alternate ID, issued by someone you trust (like a government authority, etc). It’s important in the days of parody accounts, or simply shared names (is that Bob Smith, his son, Bob Smith, or his unrelated neighbour, Bob Smith?) that you have associated this alternate ID with the account using the primary Proof, or as a part of the process of setting up the account with the primary Proof. Otherwise, you’re open to account takeover by people who share the same name as their target.
And you can legally change your name.
What’s the most common alternate ID / secondary Proof?
Pretty much every public web site relies on the use of email for password reset, and uses that email address to provide a secondary Proof.
It’s not enough to know the email address – that’s unique and public, and so it matches the properties of a Claim, not a Proof, of identity.
We have to prove that we own the email address.
It’s not enough to send email FROM the email address – email is known to be easily forged, and so there’s no actual proof embodied in being able to send an email.
That leaves the server with the prospect of sending something TO the email address, and the recipient having proved that they received it.
You could send a code-word, and then have the recipient give you the code-word back. A shared secret, if you like.
And if you want to do that without adding another page to the already-too-large security area of the site, you look for the first place that allows you to provide your Claim and Proof, and you find the logon page.
By reusing the logon page, you’re going to say that code-word is a new password.
[This is not to say that email is the only, or even the best, way to reset passwords. In an enterprise, you have more reliable proofs of identity than an email provider outside of your control. You know people who should be able to tell you with some surety that a particular person is who they claim to be. Another common secondary identification is the use of Security Questions. See my upcoming article, “Security Questions are Bullshit” for why this is a bad idea.]
So it’s your new password, yes?
Well, yes and no. No, actually. Pretty much definitely no, it’s not your new password.
Let’s imagine what can go wrong. If I don’t know your password, but I can guess your username (because it’s not secret), I can claim to be you wanting to reset your password. That not only creates opportunity for me to fill your mailbox with code-words, but it also prevents you from logging on while the code-words are your new password. A self-inflicted denial of service.
So your old password should continue working, and if you never use the code-word, because you’re busy ignoring and deleting the emails that come in, it should keep working for you.
I’ve frequently encountered situations in my own life where I’ve forgotten my password, gone through the reset process, and it’s only while typing in the new password, and being told what restrictions there are on characters allowed in the new password, that I remember what my password was, and I go back to using that one.
In a very real sense, the code-word sent to you is NOT your new password, it’s a code-word that indicates you’ve gone the password reset route, and should be given the opportunity to set a new password.
Try not to think of it as your “temporary password”, it’s a special flag in the logon process, just like a “duress password”. It doesn’t replace your actual password.
It’s a shared secret, so keep it short-lived
Shared secrets are fantastic, useful, and often necessary – TLS uses them to encrypt data, after the initial certificate exchange.
But the trouble with shared secrets is, you can’t really trust that the other party is going to keep them secret very long. So you have to expire them pretty quickly.
The same is true of your password reset code-word.
In most cases, a user will forget their password, click the reset link, wait for an email, and then immediately follow the password reset process.
Users are slow, in computing terms, and email systems aren’t always directly linked and always-connected. But I see no reason why the most usual automated password reset process should allow the code-word to continue working after an hour.
[If the process requires a manual step, you have to count that in, especially if the manual step is something like “contact a manager for approval”, because managers aren’t generally 24/7 workers, the code-word is going to need to last much longer. But start your discussion with an hour as the base-point, and make people fight for why it’ll take longer to follow the password reset process.]
It’s not a URL
You can absolutely supply a URL in the email that will take the user to the right page to enter the code-word. But you can’t carry the code-word in the URL.
Why? Check out these presentations from this year’s Black Hat and DefCon, showing the use of a malicious WPAD server on a local – or remote – network whose purpose is to trap and save URLs, EVEN HTTPS URLs, and their query strings.
Every URL you send in an email is an HTTP or HTTPS GET, meaning all the parameters are in the URL or in the query string portion of the URL.
This means the code-word can be sniffed and usurped if it’s in the URL. And the username is already assumed to be known, since it’s a non-secret. [Just because it’s assumed to be known, don’t give the attacker an even break – your message should simply say “you requested a password reset on an account at our website” – a valid request will come from someone who knows which account at your website they chose to request.]
So, don’t put the code-word in the URL that you send in the email.
Log it, and watch for repeats, errors, other bad signs
DON’T LOG THE PASSWORD
I have to say that, because otherwise people do that, as obviously wrong as it may seem.
But log the fact that you’ve changed a password for that user, along with when you did it, and what information you have about where the user reset their password from.
Multiple users resetting their password from the same IP address – that’s a bad sign.
The same user resetting their password multiple times – that’s a bad sign.
Multiple expired code-words – that’s a bad sign.
Some of the bad things being signaled include failures in your own design – for instance, multiple expired code-words could mean that your password reset function has stopped working and needs checking. You have code to measure how many abandoned shopping carts you have, so include code that measures how many abandoned password reset attempts you have.
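The three bad signs listed above can be checked mechanically over the reset log. This is an added example, not code from the original article: the log line format, event names, one-hour window and threshold of three are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed log format: <UTC timestamp> <event> user=<name> ip=<address>
LINE = re.compile(r"^(\S+) (\w+) user=(\S+) ip=(\S+)$")

# Constructed sample log; it holds no passwords or code-words.
SAMPLE_LOG = """\
2016-11-20T10:00:00Z reset_requested user=alice ip=198.51.100.7
2016-11-20T10:01:00Z reset_requested user=bob ip=198.51.100.7
2016-11-20T10:02:00Z reset_requested user=carol ip=198.51.100.7
2016-11-20T10:05:00Z reset_requested user=dave ip=203.0.113.9
2016-11-20T10:20:00Z reset_requested user=dave ip=203.0.113.9
2016-11-20T10:40:00Z reset_requested user=dave ip=203.0.113.9
2016-11-20T11:10:00Z code_expired user=alice ip=198.51.100.7
2016-11-20T11:11:00Z code_expired user=bob ip=198.51.100.7
2016-11-20T11:12:00Z code_expired user=carol ip=198.51.100.7
2016-11-20T12:00:00Z reset_requested user=erin ip=192.0.2.44
2016-11-20T12:05:00Z password_changed user=erin ip=192.0.2.44
""".splitlines()

def parse(line):
    stamp, event, user, ip = LINE.match(line.strip()).groups()
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return when.replace(tzinfo=timezone.utc).timestamp(), event, user, ip

def _trim(queue, now, window):
    # Drop entries that have fallen out of the sliding window.
    while queue and now - queue[0][0] > window:
        queue.popleft()

def bad_signs(lines, window=3600, threshold=3):
    """Return a set of (sign, subject) pairs seen within any one window."""
    findings = set()
    per_ip, per_user, expired = defaultdict(deque), defaultdict(deque), deque()
    for ts, event, user, ip in sorted(parse(l) for l in lines):
        if event == "reset_requested":
            per_ip[ip].append((ts, user))
            _trim(per_ip[ip], ts, window)
            per_user[user].append((ts, ip))
            _trim(per_user[user], ts, window)
            if len({u for _, u in per_ip[ip]}) >= threshold:
                findings.add(("many_users_one_ip", ip))
            if len(per_user[user]) >= threshold:
                findings.add(("repeated_resets", user))
        elif event == "code_expired":
            expired.append((ts, user))
            _trim(expired, ts, window)
            if len(expired) >= threshold:
                # May be an attack, or a reset function that has stopped working.
                findings.add(("many_expired_codes", "*"))
    return findings

if __name__ == "__main__":
    for sign in sorted(bad_signs(SAMPLE_LOG)):
        print(sign)
```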
In summary, here’s how to do email password reset properly
- Consider whether email is an appropriately reliable secondary proof of identification.
- A phone call from the user, to their manager, followed by the manager resetting the user’s password is trustworthy, and self-correcting. A little slow and awkward, but stronger.
- Other forms of identification are almost all stronger and more resistant to forgery and attack than email.
- Bear in mind that, by trusting to email, you’re trusting that someone who just forgot their password can remember their other password, and hasn’t shared it, or used an easily-guessed password.
- When an account is created, associate it with an email address, and allow & encourage the validated account holder to keep that updated.
- Allow anyone to begin a password reset process – but don’t allow them to repeatedly do so, for fear of allowing DoS attacks on your users.
- When someone has begun a password reset process, send the user a code-word in email. This should be a random sequence, of the same sort of entropy as your password requirements.
- Encoding a time-stamp in the code-word is useful.
- Do not put the code-word in a URL in the message.
- Do not specify the username in the message, not even in the URL.
- Do not change the user’s password for them yet. This code-word is NOT their new password.
- Wait for up to an hour (see item 4.1. – the time stamp) during which you’ll accept the code-word. Be very cautious about extending this period.
- The code-word, when entered at the password prompt for the associated user, is an indication to change the password, and that’s ALL it can be used for.
- Allow the user to cancel out of the password change, up to the point where they have entered a new password and its verification code and hit OK.
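The server-side rules in this summary can be modelled in a few dozen lines. This is an added example, not the author's code: it is an in-memory sketch with illustrative names, it assumes a limit of three requests per hour, and it records the issue time on the server rather than encoding a time-stamp in the code-word.

```python
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL = 3600            # one hour, the base-point argued for above
MAX_REQUESTS_PER_TTL = 3   # assumed throttle, not a figure from the article

def _verifier(password, salt):
    # Salted, slow hash so stored proofs cannot be compared directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ResetService:
    """In-memory model of the reset flow; all names are illustrative."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.passwords = {}   # user -> (salt, verifier)
        self.pending = {}     # user -> (sha256 of code-word, issued_at)
        self.requests = {}    # user -> recent request times
        self.events = []      # (time, event, user, source_ip); never secrets

    def _log(self, event, user, ip):
        self.events.append((self.clock(), event, user, ip))

    def set_password(self, user, password):
        salt = os.urandom(16)
        self.passwords[user] = (salt, _verifier(password, salt))

    def login(self, user, password):
        if user not in self.passwords:
            return False
        salt, stored = self.passwords[user]
        return hmac.compare_digest(stored, _verifier(password, salt))

    def request_reset(self, user, ip):
        now = self.clock()
        recent = [t for t in self.requests.get(user, []) if now - t < CODE_TTL]
        if user not in self.passwords or len(recent) >= MAX_REQUESTS_PER_TTL:
            self._log("reset_refused", user, ip)
            return None
        self.requests[user] = recent + [now]
        code = secrets.token_urlsafe(16)   # 128 bits from the OS CSPRNG
        self.pending[user] = (hashlib.sha256(code.encode()).digest(), now)
        self._log("reset_requested", user, ip)
        # The caller mails the code as plain text: not in a URL, no username.
        return code   # the existing password is left untouched

    def redeem(self, user, code, new_password, ip):
        entry = self.pending.get(user)
        if entry is None:
            self._log("reset_no_pending", user, ip)
            return False
        digest, issued = entry
        if self.clock() - issued > CODE_TTL:
            del self.pending[user]
            self._log("code_expired", user, ip)
            return False
        supplied = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(digest, supplied):
            self._log("code_rejected", user, ip)
            return False
        del self.pending[user]                  # single use
        self.set_password(user, new_password)   # only now does the password change
        self._log("password_changed", user, ip)
        return True
```

Note that `login` never accepts the code-word: it is only honoured by `redeem`, so an unused or unwanted reset leaves the account exactly as it was.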
And here’s how you’re going to screw it up (don’t do these!)
- You’ll use email for password resets on a high-security account. Email is relatively low-security.
- You’ll use email when there’s something more reliable and/or easier to use, because “it’s what everyone does”.
- You’ll use email to an external party with whom you don’t have a business relationship, as the foundation on which you build your corporate identity tower of cards.
- You won’t have a trail of email addresses associated with the user, so you don’t have reason to trust you’re emailing the right user, and you won’t be able to recover when an email address is hacked/stolen.
- You’ll think the code-word is a new password, leading to:
- Not expiring the code-word.
- Sending passwords in plain-text email (“because we already do it for password reset”).
- Invalidating the user’s current password, even though they didn’t want it reset.
- You’ll include the credentials (username and/or password) in a URL in the email message, so it can be picked up by malicious proxies.
- You’ll fail to notice that someone’s DoSing some or all of your users by repeatedly initiating a password reset.
- You’ll fail to notice that your password reset process is failing, leading to accounts being dropped as people can no longer get in.
- You won’t include enough randomness in your code-word, so an attacker can reset two accounts at once – their own, and a victim’s, and use the same code-word to unlock both.
- You’ll rely on security questions
- You’ll use a poor-quality generation on your code-words, leading to easy predictability, reuse, etc.
- You won’t think about other ways that your design will fail outside of this list here.
Let the corrections begin!
Did I miss something, or get something wrong? Let me know by posting a comment!
In Windows 10, having a camera as part of your device or system lets you make Skype video calls, take pictures, etc. Many apps and services request and use the camera, and Windows settings give you control over which apps can use your camera.
Some people worry about unknown apps, organizations, or malware using their camera. Whenever your camera is used, you should be in charge. That’s why you’re always told when your camera is turned on:
• If your device or camera comes with a camera light, the light will turn on when the camera is in use.
• If your system doesn’t have a camera light, you’ll get a notification to let you know when the camera turns on or off.
This tutorial will show you how to turn on or off to let apps use the PC camera for only your account or all accounts in Windows 10.