How to enable FIPS on Windows 7

Have to test a C# application from a client that is to work on a machine that has FIPS enabled

First, be aware of what actually happens when you enforce FIPS 140-2 compliant encryption within Windows. Details are at http://technet.microsoft.com/en-us/library/cc750357.aspx. However, the main 'gotcha' (old SSL websites don't work in IE anymore) is detailed in the article linked below.
The official instructions to enable FIPS 140-2 compliance are at http://support.microsoft.com/kb/811833, but can be summarised as follows:
Using an account that has administrative credentials, log on to the computer.
Click Start, click Run, type gpedit.msc, and then press ENTER.
In the Local Group Policy Editor, under the Computer Configuration node, double-click Windows Settings, and then double-click Security Settings.
Under the Security Settings node, double-click Local Policies, and then click Security Options.
In the details pane, double-click System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing.
In the System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing dialog box, click Enabled, and then click OK to close the dialog box.
Close the Local Group Policy Editor.
If you wish to do this manually, you can also simply change the registry key HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled to 1
Finally, to repeat, it is very important that you read through the documentation before you enable this - it changes cryptography system-wide, including how the file system (both EFS and BitLocker) and network (IE, Remote Desktop and the main cryptographic libraries) are allowed to encrypt, as well as whether you are allowed to recover lost encryption keys.
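Before handing the C# application to the client, it helps to see what the policy does to .NET from the machine itself. The script below is an added example, not part of the original answers: it reads the registry value named above, compares it with what .NET reports, and probes which .NET hash implementations the policy still allows. It assumes Windows PowerShell on a machine with .NET Framework 3.5 or later.

```powershell
# Added example (not from the original answers): report whether the Windows FIPS
# policy is enforced, as seen both in the registry and by .NET, and probe which .NET
# hash implementations the policy lets a C# application use.
# Assumes Windows PowerShell on a machine with .NET Framework 3.5 or later.
Add-Type -AssemblyName System.Core   # SHA256CryptoServiceProvider lives here
$FipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy'

function Get-FipsPolicyState {
    # A missing key or value means the policy was never set, i.e. not enforced.
    $item = Get-ItemProperty -Path $FipsKey -Name Enabled -ErrorAction SilentlyContinue
    $fromRegistry = ($null -ne $item) -and ($item.Enabled -eq 1)
    # .NET reads the same policy; the value may be cached for the lifetime of a
    # process, so a process started before the change can disagree until restarted.
    $fromDotNet = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    New-Object PSObject -Property @{ RegistryEnabled = $fromRegistry; DotNetEnforcing = $fromDotNet }
}

function Test-HashImplementations {
    # Under FIPS policy .NET Framework refuses the non-validated implementations
    # (MD5 and the *Managed classes) with InvalidOperationException, while the
    # *CryptoServiceProvider wrappers over the validated Windows CAPI modules keep working.
    $types = 'MD5CryptoServiceProvider', 'SHA1Managed', 'SHA1CryptoServiceProvider',
             'SHA256Managed', 'SHA256CryptoServiceProvider'
    foreach ($t in $types) {
        try {
            $h = New-Object -TypeName "System.Security.Cryptography.$t"
            [void]$h.ComputeHash([byte[]](1, 2, 3))   # constructed sample input
            $h.Clear()
            $status = 'allowed'
        } catch {
            $status = 'BLOCKED: ' + $_.Exception.GetBaseException().Message
        }
        New-Object PSObject -Property @{ Algorithm = $t; Status = $status }
    }
}

Get-FipsPolicyState
Test-HashImplementations | Format-Table Algorithm, Status -AutoSize
```

Run it once before and once after enabling the policy: any algorithm that flips to BLOCKED is one the client's application must not construct when FIPS is enforced.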

As an alternative, for Windows 7 users (with admin rights), this is one of the "Network Properties". Step by step:
click on the "Network" icon on task bar.
right click > Properties on the specific Network connection
switch to the "Security" tab.
click on "Advanced Settings" button.
click the checkbox labeled "Enable Federal Information Processing Standards (FIPS) compliance for this network".
Also, keep in mind:
Recommended reading: http://technet.microsoft.com/en-us/magazine/ff847520.aspx
This setting depends on what you have selected as "Security Type" on the Security tab.
Your wireless network adapter card might be doing this encryption in hardware already. This checkbox will switch from that to rather performing AES encryption in software.

Related

AppleScript to add Application to Full Disk Access

To install Sophos Endpoint on macOS, it requires adding Sophos files to Full Disk Access.
I have a beginning script to open Security Preferences, go to Security & Privacy, go to the Privacy tab, Unlock, and the ability to put a check in existing applications in Full Disk Access. I however am stuck in "adding an application", where I can add the application to the existing list.
I would need to pull from /Library/ and from /Applications/Sophos/
The script I have gets me into Privacy\Full Disk Access and unlocked, but I can't get it to click the "Add an application".

Changing Local Policy "Prevent installation of removable devices" in CMD

How do I edit Group Policy Object "Prevent installation of removable devices" (https://technet.microsoft.com/en-us/library/cc753539(v=ws.10).aspx) in CMD?
I have a server (Windows Server 2008 R2) that is locked out, as I am unable to use the keyboard or mouse as input devices when the Windows login requires me to press Ctrl+Alt+Delete. This policy is the one causing this locked-out situation with the old keyboard and mouse, which I am trying to solve.
Current situation only allows me to use CMD to make changes to the system when I boot up with a bootable CD.
My server doesn't have PS2 port for the old type keyboard. Any other solution that can help me solve this locked out situation is also welcome :)
"Prevent installation of removable devices" is part of "Administrative Templates" and therefore corresponds to a Registry key.
To find out that registry key, I searched for "Prevent installation of removable devices" within C:\Windows\PolicyDefinitions\en-US\, found <string id="DeviceInstall_Removable_Deny">Prevent installation of removable devices</string> in C:\Windows\PolicyDefinitions\en-US\DeviceInstallation.adml. Then I searched for DeviceInstall_Removable_Deny in C:\Windows\PolicyDefinitions\ and found it in C:\Windows\PolicyDefinitions\DeviceInstallation.admx. The registry key is:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions
valueName: DenyRemovableDevices
enabled Value: decimal 1
disabled Value: decimal 0
If you change that value, it will be overridden when the group policy is applied the next time -- most likely at boot time.
According to http://learnthat.com/prevent-group-policy-from-applying-to-your-computer/ you can avoid this by denying write permissions to that specific registry key. (Note, I did not test this!)
To change the registry offline, you can boot from a Windows install CD, press Shift+F10 simultaneously to open cmd, type regedit, select the HKEY_LOCAL_MACHINE key, click Menu File -> Load Hive..., navigate to your installation's \Windows\System32\Config\ folder and select the file named SOFTWARE.
Choose any key name that doesn't already exist (e.g. Offline_Software) and then change the registry under that key (e.g. HKEY_LOCAL_MACHINE\Offline_Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions).
When you're done, select your loaded Hive (e.g. HKEY_LOCAL_MACHINE\Offline_Software) and click File -> Unload Hive...
To shutdown properly, just close all windows, including the setup window.
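The same Load Hive / edit / Unload Hive sequence can be done without the regedit GUI, which matters when only a command prompt is available. The function below is an added example, not part of the original answer; it wraps reg.exe, and the three reg.exe lines inside it can also be typed directly at the install-CD prompt. It assumes the offline installation's system drive is D: (a placeholder; drive letters often differ in the recovery environment).

```powershell
# Added example (not from the original answer): the reg.exe equivalent of the
# regedit "Load Hive" steps, so the policy value can be changed from the
# install-CD command prompt without a GUI.
# Assumes the offline installation lives at D:\Windows (placeholder letter).
$OfflineWindows = 'D:\Windows'
$HiveName = 'Offline_Software'   # any name that does not already exist under HKLM
$PolicyKey = "HKLM\$HiveName\Policies\Microsoft\Windows\DeviceInstall\Restrictions"

function Set-OfflineDenyRemovableDevices {
    param([ValidateSet(0, 1)][int]$Value = 0)   # 0 = Disabled, 1 = Enabled, as in the answer's table
    reg.exe load "HKLM\$HiveName" "$OfflineWindows\System32\Config\SOFTWARE" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load the SOFTWARE hive from $OfflineWindows" }
    try {
        # Show the value before and after; reg query prints an error if it does not exist yet.
        reg.exe query $PolicyKey /v DenyRemovableDevices
        reg.exe add $PolicyKey /v DenyRemovableDevices /t REG_DWORD /d $Value /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg add failed with exit code $LASTEXITCODE" }
        reg.exe query $PolicyKey /v DenyRemovableDevices
    } finally {
        # Always unload, so the hive is written back and the file is released before rebooting.
        reg.exe unload "HKLM\$HiveName" | Out-Null
    }
}

# The question traces the lockout to this policy, so Disabled (0) is the value wanted here.
# Remember the answer's caveat: Group Policy may reapply the old value the next time it runs.
Set-OfflineDenyRemovableDevices -Value 0
```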

Configure distributed DCOM

I'm trying to allow another computer in the same network to access a server I have locally on my computer.
As far as I know, this should be administered in Component Services (accessing it by running dcomcnfg.exe). I then right-click on My Computer and click on the Properties option. Then I click on the tab called Default Properties and then I check "Enable Distributed COM on this computer".
Then I go to COM Security and click on Edit. But Distributed COM is not in that list for me to administer.
What am I missing?

Authentication issues using simulated host via UNC

After modifying my "hosts" file I have appended the location for "testunc" to "127.0.0.1". When I type in the path "\\testunc\share" into "Run" (I have a shared folder on my C:\ drive called "share") I receive an authentication prompt. I am asked for the credentials to the "Guest" account on my local machine. Though the "Guest" account does not have a password, it always fails.
I am coding an application locally for use on a standalone network. I need to simulate the UNC path locally so that I can see if the application will work on the actual network.
\\127.0.0.1\share works great, \\localhost\share yields the following alert: "You were not connected because a duplicate name exists on the network."
Edit & Answer
Since I only have 9 rep at the moment I can't self answer for 6 more hours. I will self answer later on. Answer is as follows:
Ok, figured it out. I don't advise doing this if there are security concerns on the local PC that you will be using. I.E. undo this once you've done what you need.
Do all this after modifying your C:\windows\system32\drivers\etc\hosts file with the new hostname and IP.
Required Steps Overview
Install Loopback adapter from Microsoft (might not matter)
Modify registry to disable loopback authentication
Modify registry to disable strict name checking.
Step Breakdown
First install the loopback adapter following these instructions (this is on Windows XP mind you). Go into the properties for this adapter and change its static IP address and gateway if you like. It will work the same way as Localhost but use a different IP.
Follow the instructions in the technet post referenced in my comments above (enumerated below):
Click Start, click Run, type regedit, and then click OK.
Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Right-click Lsa, point to New, and then click DWORD Value.
Next open your registry (windows + r, 'regedit' in the run prompt).
Type DisableLoopbackCheck, and then press ENTER.
Right-click DisableLoopbackCheck, and then click Modify.
In the Value data box, type 1, and then click OK.
Exit Registry Editor.
Restart the computer.
After reboot you must now disable strict name checking following the instructions from this article (enumerated below):
Click Start, click Run, type regedit, and then click OK.
Locate and click the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
On the Edit menu, click Add Value, and then add the following registry DWORD value: DisableStrictNameChecking
Right-click DisableStrictNameChecking, and then click Modify.
In the Value data box, type 1, and then click OK.
Exit Registry Editor.
Restart the computer.
After the last restart you will be able to path to a "simulated" unc location on your localhost computer. This should help in testing network deployed applications / scripts on a standalone system.
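Because both values relax protections (the loopback check and strict server name checking), the steps above are best scripted with a matching rollback so the machine is returned to its defaults once testing is done. The following is an added example, not part of the original post; it assumes an elevated Windows PowerShell prompt and the hosts-file alias testunc from the question.

```powershell
# Added example (not from the original post): apply, inspect and roll back the two
# registry values the answer sets so that a hosts-file alias such as \\testunc\share
# resolves to the local machine. Assumes an elevated Windows PowerShell prompt.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$SrvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Enable-LocalUncAlias {
    # 1 = skip the loopback authentication check for host names that are not the computer name
    Set-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck -Value 1 -Type DWord
    # 1 = let the Server service answer to names other than its own computer name
    Set-ItemProperty -Path $SrvKey -Name DisableStrictNameChecking -Value 1 -Type DWord
    # The answer restarts the computer after each value; do that before testing the path.
}

function Disable-LocalUncAlias {
    # Deleting the values restores the default behaviour (both checks enforced),
    # which is cleaner than leaving an explicit 0 behind.
    Remove-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $SrvKey -Name DisableStrictNameChecking -ErrorAction SilentlyContinue
}

function Get-LocalUncAliasState {
    # Absent values count as "check enforced", the Windows default.
    $lsa = Get-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
    $srv = Get-ItemProperty -Path $SrvKey -Name DisableStrictNameChecking -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        LoopbackCheckDisabled      = ($null -ne $lsa) -and ($lsa.DisableLoopbackCheck -eq 1)
        StrictNameCheckingDisabled = ($null -ne $srv) -and ($srv.DisableStrictNameChecking -eq 1)
    }
}

Enable-LocalUncAlias
Get-LocalUncAliasState
# After the reboot: Test-Path '\\testunc\share'   # the alias from the question
# When finished testing:  Disable-LocalUncAlias
```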
Self answering this one. Answer is also included in original question text.

How to reliably check if AutoPlay is enabled in Windows 7?

I have an application that handles WM_DEVICECHANGE, and is interested in DBT_DEVICEARRIVAL.
When a new device is inserted, it needs to know if the AutoPlay dialog will pop-up. In order to find out, I am checking the values of NoDriveAutoRun and NoDriveTypeAutoRun in
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
under HKCU and HKLM.
However, if a user goes to the "Control Panel -> AutoPlay" and unchecks "Use AutoPlay for all media and devices", then the AutoPlay is effectively disabled, but those registry values are not set. On my test box they aren't even there by default. And I believe that most users would use the Control Panel approach to disable the AutoPlay, rather than the Local Group Policy Editor.
So, my question is, what is that check mark setting (a registry value somewhere, I suppose?). No matter what I try, I can't seem to (reliably) figure out if AutoPlay is enabled or not.
It seems like an "AutoPlay" verb appears on the CD-ROM drive context menu when AutoPlay is enabled. So you could test for that.
Get an interface pointer to the shell IContextMenu for your CD-ROM drive, using IShellFolder::GetUIObjectOf
Use GetCommandString to walk through the list of verbs, looking for "AutoPlay"