Short takes: super-sized Windows desktop icons; LastPass multifactor authentication; MTP on Windows 10 1607

A collection of short posts that don’t justify their own blog post!

Fixing super-sized Windows desktop icons

Mostly, I don’t get on with track pads – there’s just something about them that I find awkward and before I know it the cursor is shooting off somewhere that I don’t want it to be, icons are being resized, or something equally annoying.

I recently found myself in a situation where an errant trackpad response to my hot hands hovering over it whilst typing had left me with super-sized desktop icons but I couldn’t work out how/why. Luckily this Lifehacker article helped me put things right – a simple Ctrl + mouse scroll got my icons back to the size they should be…

LastPass Multifactor Authentication

For many years, I’ve used LastPass as my Password Manager. I don’t normally reuse passwords and have gradually been increasing the complexity of my passwords but these days I don’t know the password for the majority of the sites I visit – LastPass fills it in for me. The one weakness in all of this though is my master password for LastPass. It’s a long and secure passphrase but what if it was compromised? Well, now I have multifactor authentication enabled for LastPass too. It’s really simple to set up (just a couple of minutes) and options include Google Authenticator as well as LastPass’ own Authenticator app.

MTP not working on Windows 10 anniversary update (1607)

My son has an Elephone P9000 smartphone, running Android Marshmallow.  He was struggling to get it working with our family PC to import his pictures until I found this forum post that explains the process. It seems that, on the Windows 10 Anniversary Update (1607), the Media Transfer Protocol (MTP) driver needs to be manually installed:

  1. Go to C:\Windows\INF
  2. Type “wpdmtp.inf” in search bar provided to the right of the address bar in Windows.
  3. Once you found it, just right click on it and select install. It will take a very few seconds.
  4. Connect your device to the PC.

Short takes: a password generator; cybercrime 101 and an HTML table generator

Some more browser tabs turned into mini-snippets of blog post…

Password generator and cybercrime advice

The Random number service (random.org) has a useful password generator (though I tend to let LastPass generate mine, this is useful when creating passwords in customer implementations).

And, whilst on the subject of security – Microsoft Researcher Shawn Loveland has written a useful introduction to understanding cybercrime.

HTML table generator

I know that HTML tables fell out of fashion when we started to use CSS but they do still have a place – for displaying tabular data on a web page – just not for controlling page layouts!

I needed to create a table for a blog post recently and I found this HTML Table Generator that did a fair chunk of the legwork for me…

A “Snooper’s Charter” for the postal system?

I spotted this on my Facebook feed today, from an old University friend, who now works as a Senior Cyber Security Consultant:

“I will shortly be writing to my MP urging him to push the Cabinet to extend it’s Investigatory Powers Bill to mandate that all mail carriers must open all letters they collect, scan their contents, and store those images in an archive for a given period in case law enforcement agencies needed to review their contents. Furthermore, I think it would be reasonable outlaw glue on envelopes altogether…with a recommendation to allow postcards only.

I urge the rest of the UK to do the same as a matter of priority due to concerns around National Security.”

He always had a wicked sense of humour but for those who think this is just banter, it really is the postal mail equivalent of what the UK Government is proposing for email in the Investigatory Powers Bill (nicknamed “The Snooper’s Charter”). The staggering thing is that the UK public is largely unaware – generally engagement with politics here is low and I’d wager that the combination of politics and technology has a particularly high “snooze factor”.

[Perhaps Parliament needs to be transformed to involve some kind of “bake-off” type element with MPs getting voted out each week based on their performance. The Westminster Factor. Britain’s Got Legal Talent. Would that get the public involved?]

Putting aside low social engagement in politics (or anything that’s not a big competition on TV) this quote highlights how out of touch our legislators are with the realities of digital life – and how ridiculous the new law would be if applied to analogue communications…

Short takes: calculating file transfer times; Internet breakout from cloud datacentres; and creating a VPN with a Synology NAS

Another collection of “not-quite-whole-blog-posts”…

File transfer time calculations

There are many bandwidth/file transfer time calculators out there on the ‘net but I found this one particularly easy to work with when trying to assess the likely time to sync some data recently…

Internet breakout from IaaS

Anyone thinking of using an Azure IaaS environment for Internet breakout (actually not such a bad idea if you have no on-site presence, though be ready to pay for egress data) just be aware that because the IP address is in Holland (or Ireland, or wherever) location-aware websites will present themselves accordingly.

One of my customers was recently caught out when Google defaulted to Dutch after they moved their client Internet traffic over to Azure in the West Europe region… just one to remember to flag up in design discussions.

Creating a VPN with a Synology NAS

I’ve been getting increasingly worried about the data I have on a plethora of USB hard disks of varying capacities and wanted to put it in one place, then sync/archive as appropriate to the cloud. To try and overcome this, I bought a NAS (and there are only really two vendors to consider – QNAP or Synology).  The nice thing is that my Synology DS916+ NAS can also operate many of the network services I currently run on my Raspberry Pi and a few I’ve never got around to setting up – like a VPN endpoint for access to my home network.

So, last night, I finally set up a VPN, following Scott Hanselman’s (@shanselman) article on Setting up a VPN and Remote Desktop back into your home. Scott’s article includes client advice for iPhone and Windows 8.1 (which also worked for me on Windows 10) and the whole process only took a few minutes.

The only point where I needed to differ from Scott’s article was the router configuration (the article is based on a Linksys router and I have a PlusNet Hub One, which I believe is a rebadged BT Home Hub). L2TP is not a pre-defined application to allow access, so I needed to create a new application (I called it L2TP) with UDP ports 500, 1701 and 4500 before I could allow access to my NAS on these ports.

Creating an L2TP application in the PlusNet Hub One router firewall

Port forwarding to L2TP in the PlusNet Hub One router firewall

Copy NTFS permissions from one folder/file to another

I’m working with a customer who is migrating from on-premises datacentres to the cloud – using a virtual datacentre in Microsoft Azure. One of the challenges we have is around the size of the volumes on a file server: Azure has a maximum disk size of 1023GB and the existing server has a LUN attached that exceeds this size.

We can use other technologies in Windows to expand volumes over multiple disks (breaking the <1TB limit) but the software we intend to use for the migration (Double Take Move) needs the source and target to match. That means that the large volume needs to be reduced in size, which means moving some of the data to a new volume (at least temporarily).

One of my colleagues moved the data (using a method that retained permissions) but the top level folders that he created were new and only had inherited permissions from their parent. After watching him getting more and more frustrated, manually configuring access control lists and comparing them in the Windows Explorer GUI, I thought there had to be a better way.

A spot of googling turned up some useful information from forums and this is what I did to copy NTFS permissions from the source to the target (thanks to Kalatzis Stefanos for his answer on Server Fault).

First of all, export the permissions from the source folder with the icacls.exe command:

icacls D:\data /save perms.txt [/t /c]

/c is continue on error; /t is to work through subfolders too

Then, apply these permissions to the target volume. They can be applied at volume level, because the export includes the file names and an associated ACL (i.e. it only applies to matching files)

icacls D:\ /restore perms.txt

But what if the source and destination folders/files have different names? That’s answered by Scott Chamberlain in another post, which tells me I can just edit my perms.txt file and change the file/folder name before each ACL.

By following this, I was able to export and re-apply permissions on several folders in a few minutes. Definitely a time saver!

Have I been pwned?

You’re probably aware that LinkedIn suffered a major security breach, in which something like 164,611,595 sets of user credentials were stolen. Surprisingly, you won’t find anything about this in LinkedIn’s press releases.

In less enlightened times (and before I started using LastPass), I may have re-used passwords. That’s why breaches like the one at LinkedIn are potentially bad. Re-using that identity means someone can potentially log in as me somewhere else – I could be pwned.

Microsoft Regional Director and MVP, Troy Hunt (@troyhunt) has set up an extremely useful site called HaveIBeenPwned. Entering your email address (yes, that means trusting the site) checks it against a number of known lists and yes, it seems mine was compromised in three hacks (at LinkedIn, Adobe and Gawker). In all of those cases, I’ve since changed my passwords and for popular sites – where they offer the option – I’ve started to use second factor authentication solutions (Azure MFA has been on my Office 365 subscription for a long time, I use Google two-step verification too and, since tonight, I’ve added LinkedIn’s two-step verification and Facebook Login Approvals).

So, I guess the two points of this post are:

  1. For heavens sake stop re-using passwords on multiple sites – you can’t rely on the security of others.
  2. Turn on 2FA where it’s available.

Hopefully one day soon, passwords will be consigned to the dustbin of technology past…

Windows 10 PC stuck in BitLocker loop (and recovering details of open tabs in the Edge browser)

I try not to reboot my PCs too often – frankly I thought I’d left the days of daily reboots behind with Windows 95 – but, faced with a display driver bug on my Surface Pro 3 (that seems to be triggered by the Azure Portal), a change of password that led to repeated authentication prompts (and OneDrive refusing to sync), together with some software updates pushed to my PC from SCCM, I had little choice this afternoon.

Unfortunately that “quick reboot to get things working again” turned into a disaster, with an hour long support call, followed by a desperate attempt to recover the last few hours’ work.

Stuck in a BitLocker loop

After rebooting, I found that a Windows 10 update hadn’t properly applied. Each time I entered my BitLocker PIN, I was faced with a message that invited me to use the BitLocker key to recover my PC. My IT support team gave me my key… and then after a restart we went round the loop again. We tried hard resets, turning the TPM on and off in the BIOS and more, until I found a TechNet wiki article that seemed to describe the issue (or at least something very like it).

To terminate this BitLocker recovery loop, I needed to suspend BitLocker from within the Windows Recovery Environment (WinRE). That’s OK, as long as you have the recovery key and, following the advice in the article linked above, I chose the “Skip this drive” link at the bottom of the page that requests entry of the recovery key, before selecting Advanced options/Troubleshoot/Advanced options/Command Prompt.

Next, I disarmed BitLocker using the following commands:

manage-bde -status c:
manage-bde -unlock c: -rp recoverypassword
manage-bde -protectors -disable c:

With BitLocker disabled, I hoped to be able to restart the PC and boot Windows, but unfortunately it was still not playing ball. I’ll be driving to the office on Monday for someone to take a look at my PC and I suspect a rebuild will be on the cards…

Work in progress

Despite the support team’s assurances that all of my data is on servers, I’m pretty sure it’s not. All of my data until I changed my password is on servers but anything since then has been failing to sync. If the sync engine can’t authenticate, I’m pretty sure I must be working from a local copy – which will be lost if the PC is rebuilt!

The items of most concern to me were some scripts I’d finally got working this afternoon; and any notes in OneNote.  I wrote last year about issues with OneNote and OneDrive (now overcome by doing it properly) but goodness knows where the unsynced changes are (again, I found a backup, but it doesn’t have the latest changes in it).

Again, using the WinRE Command Prompt, I backed up the files I thought were most likely to be missed. I tracked down the scripts that I’d finally completed and that had led to a few late nights this week (phew!) – and made a backup copy of my user profile, just in case.

The last worry for me was my browser. Forced by policy to use a Microsoft browser, I had lots of open tabs in Edge, as well as a few in Internet Explorer. The ones in Edge included the various posts I’d found that had helped me to complete my scripts – and I wanted to go back through them to blog about what I found…

Edge does recover sessions after a crash but, with a potential PC rebuild on the cards, I’m not sure I’ll ever get the chance so I tried tracking down the location of the recovery data.  Brent Muir’s fascinating look at Windows 10 – Microsoft Edge Browser Forensics told me where to find the recovery files (in %userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active) but they are binary. Gleb Derzkij’s answer to a Stack Overflow forum post looked useful but I couldn’t get it to work.  What I could do though was open each of the (115!) .dat files in the Active Recovery folder using Notepad and see enough information in there to identify the URIs, then manually copy and paste them to a text file (ready to open when I’m back at my PC).

So that’s recaptured my work and the PC is ready to be completely razed to the ground if necessary. And the moral of the story? Never apply updates on Friday the 13th!

Reset the password for a Windows virtual machine in Azure

Imagine the scenario: you have a virtual machine running in Azure but something’s gone wrong and you don’t have Administrative credentials to log in to Windows. That’s a more common occurrence than you might expect but there is a workaround: in Azure there an option to reset the local administrator password.

Unfortunately, that capability hasn’t been implemented yet in the management portal for Azure Resource Manager but it is available in Microsoft Azure PowerShell.

Reset Password - Coming Soon

I found the following commands worked for me (based on a blog post by Dan Patrick), resetting the built-in administrator account for the defined server in the defined Resource Group to be called DisabledAdmin (after which it won’t be disabled any more but after unlocking the server and creating an alternative administrator, the built in account can be disabled again) with a GUID for the password:

$rgName = "Example-Resource-Group"
$vmName = "SERVERxxx"
$extName = "VMAccessAgent"
$userName = "DisabledAdmin"
$password = [guid]::newguid()
$location = "westeurope"
Set-AzureRmVMAccessExtension -ResourceGroupName $rgName -VMName $vmName -Name $extName -UserName $userName -Password $password -Location $location

(of course, you’ll need to take a note of that GUID if you want to log in to the account!).

The VM Access Extension can be called anything you like (the MSDN reference for Set-AzureRmVMAccessExtension gives more information); however, as noted in the Microsoft Azure documentation (How to reset the Remote Desktop service or its login password in a Windows VM):

“You can reset remote access to your VM by using either Set-AzureRmVMExtension or Set-AzureRmVMAccessExtension

“Both commands add a new named VM access agent to the virtual machine. At any point, a VM can have only a single VM access agent. To set the VM access agent properties successfully, remove the access agent set previously by using either Remove-AzureRmVMAccessExtension or Remove-AzureRmVMExtension. Starting from Azure PowerShell version 1.2.2, you can avoid this step when using Set-AzureRmVMExtension with a -ForceRerun option. When using -ForceRerun, make sure to use the same name for the VM access agent as set by the previous command.”

So, by using a known name for the VM Access Extension (VMAccessAgent), I can avoid potential issues later.

Extending Azure network security with a Barracuda NextGeneration F-Series firewall

I’ve been working on a project to move a customer’s IT infrastructure and application services to the cloud – in this case Microsoft Azure and Office 365.

Azure allows the creation of sophisticated virtual networks with multiple virtual networks, subnets, load balancers, network security groups (NSGs), VPN connections over the public Internet or using a dedicated MPLS link. It also operates with high levels of security (more details in the Microsoft Trust Center).

My customer is a public sector organization and had some specific security requirements that needed a greater level of monitoring of traffic between subnets than we could provide with Network Security Groups alone – essentially the ability to perform logging and to provide application-level awareness. The customer’s security team were keen that it should be possible to identify malicious activity and we confirmed that NSGs have minimal monitoring without any deep packet inspection.

So, in this case, we needed to turn to a network virtual appliance (NVA) solution. The Azure Marketplace has a variety of NVAs, including products from major player like Checkpoint, Cisco, Fortinet, F5 networks, Sophos, etc. The one we selected though (partly from technical requirements, and partly based on advice from Microsoft) was the Barracuda NextGeneration F-Series firewall.

I’m no network architect, but from my position in the world of Microsoft technology, just needing a network solution that could provide the flexibility, reliability and security that my customer needed, the Barracuda solution looks pretty outstanding. We’ve got an advanced firewall with Intrusion Detection System, VPN concentrator and proxy server – all in a single appliance running in Azure under a bring your own licence arrangement.

There’s a great video from Microsoft Channel 9 and Barracuda, talking about the NextGeneration F-Series firewalls, including some of the capabilities available if we put another device on-premises for VPN failback, etc. Well worth a look if you’re considering implementing an IaaS (or indeed PaaS) solution on Azure.

Short takes: ADFS certificate expiry; Azure Authenticator setup on Windows Phone; checking if a MSOL tenant name exists

Some more snippets of randomness pulled together to make a blog post…

ADFS certificate expiry

One of my colleagues spotted this in a customer’s Office 365 tenant recently:

Office 365 - Renew your certificates

Thankfully, it wasn’t one we were managing… but I did feel the need to flag it to the incumbent service provider. If this happens to you, my colleague Gavin Morrison (@GavinMorrison) flagged a potentially useful blog post from Jack Stromberg about renewing ADFS Certificates.

Azure Authenticator Setup on Windows Phone

Whilst setting up additional authentication for Office 365 (in effect, Azure AD MFA) I found that I couldn’t add an account until the Windows Phone Azure Authentication app had enabled push notifications. Despite repeatedly enabling it in Settings, completing setup of the account needed a phone reboot, at which point it was ready for me to scan a QR code and continue.  Even then the option to allow notifications doesn’t seem to stick!

Checking if a Microsoft Online Services tenant name exists

My colleague Gareth Larter found a neat trick this week for checking if a Microsoft Online Services (MSOL) tenant exists (e.g. for Office 365).

Gareth’s advice is to browse to https://login.windows.net/tenantname.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml and, if you get an error, it should show “No service namespace named ‘tenantname.onmicrosoft.com’ was found in the data store” at the bottom right meaning that the tenant name is available:

On the other hand, if you get a bunch of XML data returned, then that tenant already exists.