Application Whitelisting Using Software Restriction Policies

Software Restriction Policies (SRP) allow administrators to control which applications are permitted to run on Microsoft Windows. SRP is a Windows feature that can be configured as a local computer policy or as a domain policy through Group Policy in Windows Server 2003 domains and above. Using SRP as a white-listing technique improves the security posture of the domain by preventing malicious programs from running, since administrators decide which software is allowed to run on client PCs.

Blacklisting is a reactive technique that does not scale to the increasing number and variety of malware. Many attacks cannot be blocked by blacklisting because they exploit undiscovered vulnerabilities, known as zero-day vulnerabilities.

Application white-listing, on the other hand, is a practical technique in which only a limited set of programs is allowed to run and everything else is blocked by default. It makes it harder for attackers to get into the network, since they must exploit one of the allowed programs on the user’s computer or bypass the white-listing mechanism for an attack to succeed. This approach should not be seen as a replacement for standard security software such as antivirus or firewalls; it is best used in conjunction with them.

Since Microsoft Windows operating systems have SRP functionality built in, administrators can readily configure an application white-listing solution that only allows specific executable files to run. Software Restriction Policies can also restrict which application libraries (DLLs) executables are permitted to load.

The NSA Information Assurance Directorate’s (IAD) Systems and Network Analysis Center (SNAC) has published recommended SRP settings. Test any configuration change on a test network or on a small set of test computers to make sure the settings are correct before rolling the change out to the whole domain.

There are known issues on certain Windows versions to consider. One is a minor usability issue: double-clicking a document may not open its associated viewer application. Another is that software update mechanisms which let users apply patches manually may stop working once SRP is enforced. These issues may be addressed by a hotfix from Microsoft. Automatic updates are not affected by SRP white-listing and continue to function correctly. Because of issues like these, SRP settings should be tested thoroughly to avoid causing a widespread problem in your production environment.

Path-based SRP rules are recommended, since extensive testing has shown they have no noticeable performance impact on the host. Other rule types may provide greater security benefit than path rules but have a larger impact on host performance. File hash rules are also harder to manage, since they need updating every time a file is installed or updated, and certificate rules are of limited use because not all applications’ files are digitally signed by their publishers.

Implementing SRP in an Active Directory domain follows these steps:

1. Review the domain to find out which applications are operating on domain computers.

2. Configure SRP to operate in white-listing mode.

3. Choose which applications must be permitted to run and create extra SRP rules as required.

4. Test the SRP rules and create additional rules as needed.

5. Deploy SRP to successively larger Organizational Units until it is enforced across the entire network.

6. Monitor SRP continuously and adjust the rules when needed.

SRP configured as described above can drastically improve a domain’s security posture while still letting users run the applications they need to stay productive.
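As an added example that is not part of the original article, the PowerShell script below configures a local SRP whitelist using the path-based approach described above and then lists the resulting rules for review. It writes the documented SRP registry layout directly; the chosen allow and deny paths, the rule descriptions and the function names are this example’s own choices, and it assumes it is run elevated on a test machine.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): local SRP whitelist via
# the registry layout SRP reads from. Paths and descriptions are example choices.
$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level: nothing runs
$Unrestricted = 262144   # 0x40000: runs with the user's full rights

function New-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$Level,          # $Disallowed or $Unrestricted
        [string]$Description = ''
    )
    # Each path rule is its own GUID-named subkey under <level>\Paths.
    $key = Join-Path $Safer "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    # ExpandString so %SystemRoot% etc. are resolved at evaluation time.
    New-ItemProperty -Path $key -Name ItemData     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value ((Get-Date).ToFileTime()) -PropertyType QWord -Force | Out-Null
    return $key
}

function Set-SrpWhitelist {
    # Whitelist mode: the default level is Disallowed, so only paths with a
    # more specific Unrestricted rule may run.
    New-Item -Path $Safer -Force | Out-Null
    New-ItemProperty -Path $Safer -Name DefaultLevel        -Value $Disallowed -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Safer -Name TransparentEnabled  -Value 1 -PropertyType DWord -Force | Out-Null  # 1 = executables only; 2 also checks DLLs
    New-ItemProperty -Path $Safer -Name PolicyScope         -Value 0 -PropertyType DWord -Force | Out-Null  # 0 = all users, including local admins
    New-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Value 0 -PropertyType DWord -Force | Out-Null  # no certificate rules (see article)

    # Allow the OS and installed software...
    New-SrpPathRule -Path '%SystemRoot%'        -Level $Unrestricted -Description 'Windows directory'       | Out-Null
    New-SrpPathRule -Path '%ProgramFiles%'      -Level $Unrestricted -Description 'Program Files'           | Out-Null
    New-SrpPathRule -Path '%ProgramFiles(x86)%' -Level $Unrestricted -Description 'Program Files (x86)'     | Out-Null
    # ...but not user-writable folders inside %SystemRoot%: the most specific
    # matching rule wins, so these Disallowed rules override the allow above.
    New-SrpPathRule -Path '%SystemRoot%\Temp'   -Level $Disallowed   -Description 'User-writable exception' | Out-Null
    New-SrpPathRule -Path '%SystemRoot%\Tasks'  -Level $Disallowed   -Description 'User-writable exception' | Out-Null
}

function Get-SrpPathRule {
    # Review helper: every path rule together with the level it is registered under.
    foreach ($level in $Disallowed, $Unrestricted) {
        $paths = Join-Path $Safer "$level\Paths"
        if (-not (Test-Path $paths)) { continue }
        Get-ChildItem $paths | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Level       = if ($level -eq $Disallowed) { 'Disallowed' } else { 'Unrestricted' }
                Path        = $p.ItemData
                Description = $p.Description
            }
        }
    }
}

Set-SrpWhitelist
Get-SrpPathRule | Sort-Object Level, Path | Format-Table -AutoSize
# The policy is evaluated when a new process starts; sign out and back in if a
# shell that was already running does not seem to pick it up.
```

For step 1 above (finding out what actually runs), the same CodeIdentifiers key accepts a REG_SZ LogFileName value that makes SRP write each evaluation to that file; collecting those logs while DefaultLevel is still Unrestricted shows which paths need rules before switching to Disallowed.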

A note on Group Policy and gpupdate

When I first started learning about Active Directory, Group Policy always seemed very fickle. Sometimes I could run GPUpdate; other times I had to append the /force option.


As it turned out, Group Policy was always working; I just didn’t understand it. So what’s the difference between GPUpdate and GPUpdate /force? Well:

GPUpdate: Applies any policies that are new or modified.

GPUpdate /force: Reapplies every policy, new and old.

So which one should I use? 99% of the time, you should only run gpupdate. If you just edited a GPO and want to see results immediately, running gpupdate will do the trick. In fact, running GPUpdate /force on a large number of computers could adversely affect network resources. This is because these machines will hit a domain controller and reevaluate every GPO applicable to them.

Notice the Group Policy Update option for OUs:



Windows 10 – To Upgrade or Not to Upgrade

Since last year, we’ve been telling our clients to hold off on upgrading.  We even used Group Policy and our Management Agents to disable the upgrade patch.  It’s been a long and treacherous journey, but we finally believe Windows 10 is ready for Prime Time.  We’ve even seen it increase performance in some older machines.  We are now recommending our clients to upgrade to Windows 10 to take advantage of the free licensing and extended support for the OS.  With all the major bugs fixed, we’re confident you will find it to be stable and useful.  Applications are also compatible more often than not.  In fact, all of NetCal’s employees are now on Windows 10.  We did all the testing so our clients don’t have to worry.

Contact us so we can evaluate your environment.


Q: If I upgrade, can I use Windows 7/8/8.1 again?

A: You can always reinstall using existing media or downgrade using the built-in Windows 10 recovery process (only works for 1 month after upgrade).

Q: What if I don’t upgrade in time?  How much would a Windows 10 license cost then?

A: Although Microsoft has been rather vague thus far, the general consensus would be that the license would cost $120 for Win10Home and $200 for Win10Pro.

Q: How would I upgrade after the expiration date?

A: For those that fail to upgrade in time or simply chose not to, Windows 10 can be purchased via the Microsoft Store or through Retail Partners.

Q: If I need to reinstall Windows 10, what key can I use?

A: All Windows 7 and Windows 8/8.1 keys will work with the latest Windows 10 installation media.

Q: If I upgrade, will I be charged a subscription service fee after that?

A: According to Microsoft, if you upgrade before July 29th, Windows 10 will continue to be free and supported for the rest of the life of the device.  This is also similar to how your OEM Windows licenses work.

Microsoft on Upcoming SQL Server 2016; Goes After Oracle

Data professionals might have been expecting a launch date for SQL Server 2016 at the Data Driven event held today in New York City, but what they got was a recap of the flagship database system’s capabilities and a full-out assault on rival Oracle Corp.

Exec Judson Althoff detailed a SQL Server 2016/Oracle comparison involving a scenario where various capabilities built into SQL Server 2016 were matched up against the Oracle database. “When we say everything’s built in, everything’s built in,” he said. When the built-in capabilities were pitted against similar functionality offered by Oracle products, “Oracle is nearly 12 times more expensive,” he said.

That specific scenario was envisioned with a project starting from scratch. Althoff said not everybody does that, as they have invested in “other technologies.”

Free Licenses for Oracle Switchers
“So if you are willing to migrate off of Oracle, we will actually give you free SQL Server licenses to do so,” Althoff said in his presentation. “For every instance of Oracle you have, free SQL Server licenses. All you have to do is have a Software Assurance agreement with Microsoft. If you’re willing to take this journey with us before the end of June, we’ll actually help and invest in the migration costs, put engineers on the ground to help you migrate off of Oracle.”

He noted that in the wake of some newspaper ads about the offer, he received e-mails asking just who was eligible. “Everyone is eligible for this,” Althoff said. “We’re super excited to help you migrate off of Oracle technology, lower your overall data processing costs and actually really be enabled and empowered to build the data estate that we’ve been talking about.”

More details on the offer were unveiled in a “Break free from Oracle” page on the Microsoft site. “This offer includes support services to kick-start your migration, and access to our SQL Server Essentials for the Oracle Database Administrator training,” the site says. “Dive into key features of SQL Server through hands-on labs and instructor-led demos, and learn how to deploy your applications — on-premises or in the cloud.”

Microsoft also went after Oracle on the security front, citing information published by the National Institute of Standards and Technology that lists databases and their vulnerabilities. On average, over the past few years, exec Joseph Sirosh said in his presentation, SQL Server was found to have 1/10th the vulnerabilities of Oracle.

Always Encrypted
Sirosh also highlighted new security capabilities of SQL Server 2016. “In SQL Server 2016, for the first time, you will hear about a capability that we call Always Encrypted,” he said. “This is about securing data all the way from the client, into the database and keeping it secure even when query processing is being done. At the database site, the data is never decrypted, even in memory, and you can still do queries over it.”

He explained that data is encrypted at the client, and sent to the database in its encrypted form, in which it remains even during query processing. No one can decrypt credit card data, for example, while it’s in the database, not even a DBA. “That’s what you want,” Sirosh said of the functionality enabled by homomorphic encryption.

During today’s event, Microsoft CEO Satya Nadella and other presenters focused on a series of customer success videos and live presentations, reflecting Nadella’s belief that Microsoft “shouldn’t have launch events, but customer success events.”

Those success stories leveraged new ground-breaking capabilities of SQL Server 2016, including in-memory performance across all workloads, mission-critical high availability, business intelligence (BI) and advanced analytics tools.

“We are building this broad, deep, digital data platform,” Nadella said. “This platform is going to help every business become a software business, a data business, an intelligence business. That’s our vision.”

Exec Scott Guthrie took the stage to discuss the new support for in-memory advanced analytics and noted that for these kinds of workloads, data pros can use the R programming language, which he described as the leading open source data science language in the industry. Coincidentally, Microsoft yesterday announced R Tools for Visual Studio for machine learning scenarios.

SQL Server on Linux
Providing one of the few real news announcements during the presentation, Guthrie also noted that a private preview of SQL Server on Linux is available today, following up on surprising news earlier in the week that SQL Server was being ported to the open source Linux OS, which is expected to be completed in mid-2017. Guthrie said that unexpected move was part of the company’s strategy of bringing its products and services to a broader set of users and “to meet customers where they’re at.”

Another focus of the event was the new “Stretch Database” capability, exemplifying SQL Server 2016’s close connection to the Microsoft Azure cloud.

“SQL Server is also perhaps the world’s first cloud-bound database,” Sirosh said. “That means we build the features of SQL Server in the cloud first, ship them with Azure SQL DB, and customers have been experiencing it for six to nine months and a very large number of queries have been run against them.”

Sirosh expounded more on this notion in a companion blog post published during the event. “We built SQL Server 2016 for this new world, and to help businesses get ahead of today’s disruptions,” he said. “It supports hybrid transactional/analytical processing, advanced analytics and machine learning, mobile BI, data integration, always encrypted query processing capabilities and in-memory transactions with persistence. It is also perhaps the world’s only relational database to be ‘born cloud-first,’ with the majority of features first deployed and tested in Azure, across 22 global datacenters and billions of requests per day. It is customer tested and battle ready.”

Stretch Database
Features shipped with SQL Server, Sirosh said, “allow you to have wonderful hybrid capabilities, allowing your workload to span both on-premises and the cloud. So Stretch Database is one of them. Data in a SQL Server, cold data, can be seamlessly migrated into databases in the cloud. So you have in effect a database of very large capacity, but it’s always queryable. It’s not just a backup. That data that’s migrated over is living in a database in the cloud, and when you issue queries to the on-premises database, that query is just transported to the cloud and the data comes back — perhaps a little slower, but all your data is still queryable.”

The new capabilities for querying data of all kinds in various stages and forms were a focal point for Sirosh.

“We have brought the ability to analyze data at incredible speed into the transactional database so you can do not only mission-critical transactional processing, but mission-critical analytic processing as well,” Sirosh said. “It is the database for building mission-critical intelligent applications without extracting and moving the data, and all the slowness that comes with doing so. So you can now build real-time applications that have sophisticated analytical intelligence behind them. That is the one thing that I would love all of you to take away from this presentation.”

On-Demand Videos for More
At the Data Driven Web site, Microsoft has provided a comprehensive series of videos that explore various separate aspects of SQL Server, with topics ranging from “AlwaysOn Availability Groups enhancements in SQL Server 2016” to others on R services, in-memory OLTP, PolyBase, the Stretch Database, Always Encrypted and many more.

Still some attendees — virtual or otherwise — were disappointed by the lack of real significant news.

“Did this whole thing just finish without so much as a release date?” asked one viewer in a Tweet. “Sigh.”





Microsoft Is Killing Support for Internet Explorer 8, 9 and 10 On January 12th

Microsoft is ending support for Internet Explorer 8, 9, and 10 on January 12th. This news has come as a breath of fresh air, as these versions were considered a bane for many web developers thanks to the endless security holes in the software.

On Tuesday, a new “End of Life” patch will go live that will ping the Internet Explorer users asking them to upgrade their browsers. This End of Life patch will mean that these older Internet Explorer versions will no longer get regular technical support and security fixes.

This step also means that Internet Explorer 11 is the last version of Microsoft’s vintage browser that’ll be supported. This patch will be delivered as a cumulative security update for these versions:

On Windows 7 Service Pack 1 and Windows 7 Service Pack 1 x64 Edition

  • Internet Explorer 10
  • Internet Explorer 9
  • Internet Explorer 8

On Windows Server 2008 R2 Service Pack 1 and Windows Server 2008 R2 Service Pack 1 x64 Edition

  • Internet Explorer 10
  • Internet Explorer 9
  • Internet Explorer 8

However, if you want to disable this update notification, follow these steps mentioned on Microsoft’s support page.

It’s expected that millions of users will choose to avoid these upgrade notifications and thus remain exposed to security risks. So you are advised to either upgrade your browser or switch to another web browser altogether.

Windows 10 Major Update Highlights

  • Windows Update for Business enables control over the deployment of updates within organizations while ensuring devices are kept current and security needs are met, at reduced management cost. Features include setting up device groups with staggered deployments and scaling deployments with network optimizations.
  • Windows Store for Business provides a flexible way to find, acquire, manage and distribute both Windows Store apps and custom line of business apps to Windows 10 devices. Organizations can choose their preferred distribution method by directly assigning apps, publishing apps to a private store, or connecting with management solutions.
  • Mobile Device Management gives IT access to the full power of Enterprise Mobility Management to manage the entire family of Windows devices, including PCs, tablets, phones, and IoT. Windows 10 is the only platform that can manage BYOD scenarios from the device to the apps to the data on those devices – safely and securely. And of course, Windows 10 is fully compatible with the existing management infrastructure used with PCs, giving IT control over how they bridge between the two capabilities.
  • Azure Active Directory Join allows IT to maintain one directory, enabling people to have one login and securely roam their Windows settings and data across all of their Windows 10 devices. AAD Join also enables any machine to become enterprise-ready with a few simple clicks by anyone in the organization.

Windows 10 Upgrade Path

Now that Windows 10 Version 1511 (first major patch) is out, we can look at potential upgrade paths for the OS.  For those of you that didn’t know, this version allows for the use of keys from Windows 7/8 during the installation of Windows 10.



Office 2013 Activation error of death solved!

O365 Office 2013 Activation error code 0x8004FC12

This is something that has been annoying me for a while.  It only happens on my home computer and will not go away.  I’ve tried reinstalling, setting up new profiles, un-associating my personal O365 account, and repairing Office.  I even gave up and started using Office 2010.

The problem doesn’t occur on any of my other Windows 10 machines, yet a search on the Internet shows I’m not alone.  All the forums show frustrated people trying everything, only to end up being told to reinstall a clean copy of Windows 10 (uhh…no).

Luckily, on a tangent day, I decided to check up on the error messages.  To my surprise, I found a promising Microsoft article:

Are you ready for Windows 10?

Recently we started disabling the Windows 10 pop-ups for our MSP clients. We just feel that Windows 10 isn’t ready for the corporate environment. There are a few troubling things about it.

  • The interface. Most people can get used to it relatively quickly, but the desktop environment is more of a touch interface than prior versions.
  • Compatibility. A few days ago I saw a statement from our bank saying not to install Windows 10 for use with their software and products. This totally made sense, as from past experience getting banking and payroll software to work is very tricky.

Home users appear to be enjoying Windows 10, but they aren’t worried about making money based on their computer working. Check back soon for more to come on this topic!

Remote Desktop Services

With businesses attaining more WAN bandwidth and businesses’ trust in hosted services increasing, Microsoft is investing heavily in Remote Desktop Services.  Renamed from Terminal Services to Remote Desktop Services, it encompasses multiple ways to deliver application access from any location.  Below, you will find information on some of the features and requirements in an RDS deployment.

WAN Optimization
RDP Client / Server features cross reference

Why RDS?

  1. Local-lan connectivity when using applications (e.g. Quickbooks) and when accessing the LAN resources (i.e. loading large files)
  2. Improved security for remote users
    1. Data is stored on the servers, not on laptops. This also means data is backed up consistently.
  3. New user setup is quickly done and without the need to “reimage” existing computers
  4. Portability for remote work
  5. Thin Client support
  6. Business Continuity and Disaster Recovery
  7. Green computing (more effective use of resources)
  8. Non-compliant PCs can connect with minimal security compromises
  9. Encrypted connectivity and application-level access limitation for compliance purposes or restricted access for external partners
  10. Centralize application management (updates, configuration is done in one place)


On the surface, RDS can be broken down into 2 Functions: Session Hosts and Virtual Desktop Infrastructure (VDI).  When breaking down the session hosts function further, we can include features such as RemoteApps and Remote Session Host (Terminal Services).  Similarly, VDI provides us with Personal Virtual Desktops and Pooled Virtual Desktops.

Virtual Desktop Infrastructure

Personal Desktops
This is geared for full desktop replacement deployments. The user will treat this as their own personal computer in a VM.

Pooled Desktops
Pooled desktops are similar to deploying VMs in an academic environment. This usually means the VMs are preinstalled with generic applications and users have full administrative access to install their custom applications.  Of course, after they log off, the VM is reverted to its original state for the next user. An example usage would be to provide a pool of 10 Windows XP VMs for users to use intermittently due to legacy software incompatibilities.

Remote Session Host (aka Terminal Services)

Web Access – Single sign-on web portal showing RemoteApps

RemoteApp  – A more seamless integration between remote applications and local desktop

    1. Does not require Windows 7 computer to be joined to domain
    2. Updates automatically when the feeds are updated by administrators
    3. Users have to log on only once to create the connection
    4. XML – so can be used in other ways

Capacity Planning

It’s better to purchase 2 servers than 1 server loaded with more memory. The reason is that you can load balance between 2 RDS servers, and the cost of smaller memory modules is a lot less than that of larger ones. Scaling OUT instead of UP is more cost effective, increases disk I/O paths, and creates redundancy.

Unfortunately, adding processors isn’t a 1:1 improvement. Usually, going from 1 to 2 processors achieves about a 1.8:1 gain, while going from 2 to 4 processors achieves about a 1.65:1 improvement.
If each user session takes up 10% of the CPU, then a single-CPU server can handle up to 10 users at full load. If you add CPUs for a total of 4, the capacity is 10 * 1.8 (1 => 2 CPUs) * 1.65 (2 => 4 CPUs) = 30 users total, not 40.

  • Use a processor with SLAT support

Usually, allocate about 500MB per session for a 64-bit OS. Of course, the best thing to do is to find the working set of a user’s session.

Hardware Integration


This feature in Windows Server 2008 and Vista+ coordinates actions with the hypervisor to make sure the guest is interacting with the hardware as efficiently as possible.  The kernel only asks for instructions to be carried out within the confines of its own child partition instead of all the partitions, which reduces wasted CPU usage.

VM integration components

These components accelerate VM access to devices.  Without them, the VM will configure hardware device drivers against the emulated devices that the hypervisor presents to it.


AMD-V Rapid Virtualization Indexing (RVI) and Intel VT Extended Page Tables (EPT)

Although running RDS in a VM isn’t a problem, it does take up additional CPU cycles to maintain a “shadow” page table.  When the page table is updated in the VM, the hypervisor has to update its “shadow” page table as well.  This takes away precious CPU cycles and slows down your server.  This is where SLAT-enabled processors mitigate the issue: they maintain the address mappings in hardware, not software.  Just as hardware RAID handles disk management in hardware, SLAT provides memory address management in hardware.  In the end, both memory usage and processor overhead decrease.  This enables you to host more VM sessions by a factor of 1.6-2.5 times.  It’s highly recommended to have this for memory intensive workloads like RDS, SQL, IIS, Exchange, etc.

Improved Application Compatibility

  1. MSI package installation – Prevention of simultaneous first-time uses of applications based on MSI installs from blocking each other
  2. Dynamic Fair Share Scheduling – A better way of preventing a single session from starving other sessions for processor cycles
  3. IP Virtualization – Allows a session or application within a session to have a unique IP.  Applications that require a discrete IP address can be used.

High-Fidelity User Experience

  1. True multi-monitor support, including varying layouts and landscape/portrait orientations
  2. Aero remoting for single-monitor sessions on Windows 7
  3. Client-side rendering of multimedia and audio Windows Media Player files
  4. Improved display of video from Silverlight and Windows Media Foundation
  5. Bi-directional audio remoting, including sound recording to a remote session