Cybersecurity Talk with Johan Arwidmark: How to secure your deployment & what can potentially go wrong (real cases)

Johan Arwidmark is the Chief Technology Officer with TrueSec, a consultant, author and all-around geek specializing in Systems Management and Enterprise Windows Deployment Solutions. He has been awarded Microsoft Most Valuable Professional (MVP) for more than 12 years.

If you want to see him in action, discussing deployment security, come on over here!

Welcome to another episode of Cybersecurity Talk, part of a content series where I’m absolutely proud to interview prominent personalities in the IT industry. Today I’ve got with me Johan Arwidmark. We’re going to cover subjects that are absolutely interesting because they’re related to deployment and security. If you want to get more wisdom, more knowledge, and learn that subject, make sure that you watch our interview.

Paula J:

Let’s start. I’m pretty sure, guys, that you’ve met Johan before because you are engaged so much in different kinds of social media. You’ve got a blog, right?

>> Blog of Johan Arwidmark <<

Johan:

Yeah. I have the deployment research blog. This is where I post most of my findings from my consulting work, and I’ve been doing deployment since I was 16, and that was a few years ago.

Paula J:

Okay. That’s quite a long time, yeah?

Johan:

Yeah. A lot of good stuff there. I used to have a blog, back in the days, called Deploy Vista. It wasn’t so good.

Paula J:

Oh yeah.

Johan:

This one is better.

Paula J:

The fame is still out there, yeah?

Johan:

Yeah.

Johan Arwidmark – well-known deployment specialist

Paula J:

Of the Vista. Anyway, you also have a Twitter account, yeah?

>> Johan’s Twitter <<

Johan:

Yes. I’ve been tweeting a lot since about 2010, give or take, and it’s been my absolute main source for information these days. If you’re not on Twitter, get on Twitter. I say that in basically every session I ever present.

Paula J:

Cool. Make sure that you’re going to follow Johan on Twitter because he posts so many different things that you guys want to know, regarding deployment.

Johan:

Not only follow me. Also check the people that I follow, because I do follow people that are industry experts in the field, doing a lot of good postings, a lot of good information.

Paula J:

Perfect. Johan, of course, is speaking at Microsoft Ignite, TechEd, different kinds of conferences, so if people want to see you, they can also see you over there, yeah?

Johan:

Yes. Absolutely. Absolutely.

Paula J:

Okay. Great. Time, I think, for a couple of disturbing questions.

Johan:

Okay.

Paula J:

If you don’t mind.

Johan:

Should I be worried?

Paula J:

No. It wouldn’t be that bad, actually, but there are a couple of things that I want to ask you since you do the deployments. One of those is that, from the security perspective, within MDT and ConfigMgr, when you do the deployment, you are able to, and that’s what people kind of do, have the file where you put your username and password for the deployment purpose.

Does this have to happen?

Johan:

The thing is, both solutions are using credentials in one way or another, both to make sure that Windows PE, when you start the deployment, can access remote file servers and things, and also for Windows to be able to join the domain and things. That information can absolutely be encrypted, and ConfigMgr does that by default.

But if you know the right tools, the right scripts to call in Windows PE, you can actually retrieve that information.

If you do have physical access to the machine, it’s kind of hard to prevent everything. That’s why you make a living.

Paula J:

It’s a full access, yeah?

Johan:

Yeah. But you can at least restrict those accounts, making sure that they, for example, cannot log in interactively to other machines. There are plenty of good articles out there on how to secure them, lock them down as much as you possibly can.

Paula J:

Okay. That’s cool. Another question that I have for you is that, well, it would be lovely to see security settings being deployed at the customer side.

Is this something that is happening from your perspective, in practice? Do customers actually ask for hardening of the image before the image is getting deployed?

Johan:

There is. It’s a bit of a mix. Some organizations are actually forced to do that because of regulations, like federal rules that allow them to, or they have to do that, so Microsoft is releasing new baselines for Windows 10. They released them just before Christmas. If you work in that type of environment, you have to use them.

You basically have two ways of dealing with it. Either you try to lock down your image. The downside is, it becomes very static. The good news is, it also works in a workgroup environment. It turns out it’s quite tricky to have a workgroup client getting policies from a domain that it is not a member of. You don’t have a choice.

But when you do have a domain join, then you can use central group policies from the directory, and that’s much easier from a deployment point of view.

Microsoft didn’t support in-place upgrades until now

Paula J:

That’s good to know. What about the machine that is steering the deployment? Are there any things to look at when the image is being deployed? There has recently been some news about what you can do to that particular machine. What do you think about that?

Johan:

Are you talking about In-Place upgrades and things?

Paula J:

Yeah.

Johan:

Certain Finnish person? Sami?

Paula J:

Yeah.

Johan:

Yeah. Okay. Yeah. He recently posted a pretty… not pretty, really heavily visited blog post about a security risk during the in-place upgrade, where an end user, anybody being in front of the machine, can press Shift+F10 during the entire in-place upgrade process.

Paula J:

But that has been there for a while, right?

Johan:

Almost since Vista.

Paula J:

Yeah.

Johan:

But the thing is, Microsoft didn’t support in-place upgrades until now.

Paula J:

Okay.

Johan:

It’s not been used much. But now they are pushing out upgrades, and the user is there, waiting. They’re having lunch. They want to get back as soon as possible. They might be, “Hmm, interesting.” Click. Able to access the system.

Paula J:

But that’s not that easy because that can be managed, right?

Johan:

It can be dealt with. On my blog, if you search for the word F10, you can find a PowerShell script that disables Shift+F10 permanently on that image. The only thing is, you have to do it before you start the deployment, obviously.

Paula J:

Could we summarize it this way? If the deployment is done well, you just won’t have issues like this?

Johan:

Exactly. If you use the sequence to drive the upgrade, you also have the opportunity to do things before you start the deployment, during the deployment, and after the deployment. That’s how I like to deploy upgrades.

Deployments are not an easy thing!

Paula J:

If you guys ever thought that deployments are easy, I don’t think that’s the case, actually.

Johan:

No. The challenge with deployments, in the end, is that they are touching so many different systems, so you need to know a little bit of everything to work with deployments. It’s a lot of things to know.

New feature within Windows 10 – Credential Guard

Paula J:

Cool. What about Credential Guard? Credential Guard is a new feature within Windows 10.

Johan:

It’s a very nice security feature. It can be enabled automatically throughout the deployment, so you can have a sequence, first of all, configure the machine for Secure Boot and all that TPM-enabled stuff. And then you can have the sequence installing Hyper-V, because it’s part of Hyper-V now, and enable it, and do the additional reboots that are required to deal with it.

Something that customers have run into that they weren’t prepared for, for example: I did a livestream event with two colleagues, Kent and Jergen, and we talked about security and Credential Guard in that session. He had just come back from a customer visit up north. Their apps work perfectly fine with Windows 10 as is, but after enabling Credential Guard, 10 of their most critical apps did not work.

Paula J:

That’s quite crazy.

Johan:

Yeah. We had another customer; they were using wireless with password access, and that also didn’t work anymore. They had to switch the certificate, just because of Credential Guard.

Credential Guard can be problematic

Paula J:

Oww.

Johan:

Yeah. I was like, oww.

Paula J:

It’s a good topic. We see customers that are asking about it: “Let’s implement Windows 10 because we’ve got all the hardware in place and Credential Guard. We can enable this. Let’s roll out all the operating systems out there.” Applications in general probably will not be that challenging, but if you enable Credential Guard, you can have a problem.

Johan:

Exactly. I usually say to customers, “Don’t worry too much about apps,” because in general if they do work in Windows 7, they will work in Windows 10. For this customer, they did work, just not with Credential Guard enabled. That’s like, oww.

Paula J:

But you figured it out; that’s out of the challenge.

Johan:

Yes.

Interesting vulnerability within the deployment: right click in the left hand corner and…

Paula J:

Yeah. Obviously. In our discussions, you also mentioned that there has been an interesting vulnerability within the deployment, where you were able to click in the corner and then get access somewhere. What is that about?

Johan:

I know what you’re looking for here. Normally in a ConfigMgr deployment, you have the ability to press F8 to get a command prompt and access the system. But a friend of mine, Jergen, the same guy as before, he and another Johan, there’s apparently a lot of them in Sweden, wrote a background thing for the deployment. You have to right-click in the left-hand corner, and you get a password prompt. You have to type in a password, and that password enables F8, so you cannot get access to the system without actually knowing that password.

Paula J:

But it could just be disabled, for example, within the deployment too? Can you turn it off?

Johan:

Yes, you can absolutely disable it completely, but then troubleshooting is a royal pain.

Paula J:

Oh. Okay. Hmm.

Johan:

You want to have it, but you don’t want to have it. You know this. Security, you give some, you lose some.

Paula J:

Absolutely. Comfort versus usability.

Johan:

Yeah.

If you want to jump into that deployment area, you need…

Paula J:

Okay. Cool. I’ve got two more questions for you. They are from a little bit softer area. The first question is related to young people. If they want to jump into that deployment area, what kind of stuff should they know? They are seeing their career starting right now, and they’re like, “We want to do deployments as you do,” and so on. They’re like, “What am I supposed to look at to get more information?” What do you think?

Johan:

First of all, I recommend, if you want to start working in the deployment field, you should start by learning things that are a little bit outside of it. Learn the connecting systems. Learn about servers and Hyper-V and Active Directory and group policies, and the things that deployments are connecting to, because that will give you a lot better understanding of the process, and once you know that, then you can start to focus more narrowly on the deployment stuff.

Obviously, you need to love change. You need to love automation. If you don’t like that, I don’t think deployment is for you.

Learn PowerShell!

Paula J:

Stuff like PowerShell?

Johan:

PowerShell is very shiny, yes. We should know that. Yes.

Paula J:

Okay. Do you find PowerShell is a useful tool in the deployments? I bet it absolutely is, yeah?

Johan:

It’s useful; I’d say it’s critical. It’s absolute, you need it.

If you want to go to the higher level in deployment…

Paula J:

It’s a good tip for the guys starting out, that PowerShell is definitely something that can be used everywhere in deployment too, and it’s very important, I think, to know. Okay. What about the guys that are within enterprises, and they’re super big, like, with some deployment already made, they manage their applications, and so on. They just want to be perfect. What kind of skills would you recommend for them?

Johan:

First of all, especially if you work on the ConfigMgr platform, I recommend you guys learn what’s going on behind the scenes. Learn the processes, because that allows you to troubleshoot things in the right location.

If Microsoft got, like, ten complex support calls for ConfigMgr, you can bet that five of them are related to OSD, because again, it’s touching so many different systems. Learn what’s going on. Learn the processes. Learn to debug efficiently, and typically life is a little bit easier in terms of deployment.

Paula J:

Okay. Perfect. Thank you so much. A couple of words for the summary. Today we have talked about the different types of interesting security issues and different useful tips that we can use within the deployment.

Johan:

Yes.

Paula J:

And basically, what is the key message: that within the deployment, obviously there is a lot of automation going on, and in order to do the deployment well, you have to really have a deep knowledge of what’s happening within the operating system.

Johan:

Yes, and also behind the scenes of the deployment solution. Absolutely.

Paula J:

That’s the basics. Then on top of that comes ConfigMgr, which, by the way, I’ve noticed that whoever has something to do with ConfigMgr must be a super patient person. Isn’t it like that?

Johan:

It kind of helps, because ConfigMgr is a little bit slow in doing things. If you are a little bit impatient, you can always open up all the log files, because they will be rolling in the background, so at least you can follow what’s going on. That helps.

Paula J:

It’s not like you do the deployment and then you’re reading the news. There is something to do during that time, right?

Johan:

If you really want to, you can absolutely review the log files.

Paula J:

Cool. Very cool. Yeah. Thank you so much for the great interview.


If you’ve got some questions, absolutely post them in the comment section. We hope you enjoyed it, and make sure that you follow Johan on Twitter and check out his blog, because there’s a lot of wisdom out there.
