-
In UK there actually a decision already made that these white/blacklisting terms are being deprecated. So yes, in the future this will be changed.
-
Sami Laiho wrote a new post 2 years, 11 months ago
In this last part of my AppLocker series, I explain how you can harden AppLocker. Although AppLocker can dramatically reduce the amount of work required to secure your network, it doesn’t mean that AppLocker doesn’t need maintenance. Your job is not just adding rules but also keeping AppLocker safe against found weaknesses; that is, you have to harden AppLocker.
-
Sami Laiho wrote a new post 2 years, 11 months ago
If you haven’t done so already, you should first read my previous AppLocker article, where we created our AppLocker rules from event log data. We can now move from AppLocker Audit mode to AppLocker Enforced mode.
-
Sami Laiho wrote a new post 2 years, 11 months ago
In my last post, I discussed some AppLocker best practices and concluded that you have to start with gathering event log data first. After 3–4 weeks, it’s time to start creating the first rules.
-
Sami Laiho wrote a new post 2 years, 11 months ago
In my last post, I explained why I prefer AppLocker whitelisting over blacklisting. In this article, I will describe the best practices I’ve learned from deploying AppLocker in a few-man company to an organization with 500,000+ seats, both military-grade and not.
-
For me that sounds like not running Anti-Malware and just educating to not touch bad things. Of course it's more important not to let them use admin rights – Surely hope you are not doing that.
For parental advice – I'd rather leave that to another forum.
-
There's five posts that will drop one by one in the future. I've written all already so just in the publishing queue.
-
Absolutely! I use family safety on Windows for screentime and it only works with Edge and IE. So AppLocker blocks the others.
-
Sami Laiho wrote a new post 2 years, 12 months ago
I have deployed AppLocker for hundreds of thousands of computers and customers ranging from a nuclear plant and military-level establishments to cloud-only startups. I wrote this series of five posts to share my most important tips and realities learned from the field. Today, I am writing about my take on the AppLocker whitelisting and blacklisting discussion.
-
I will try to do that!
The answer is to always use the _NT_SYMBOL_PATH variable.
-
Sami Laiho wrote a new post 3 years, 1 month ago
When an error is escalated, one of the most common requests is to get a full memory dump of the computer. This can be achieved easily by blue-screening the computer; however, that is not always possible. Sometimes you also don’t have a big enough pagefile or a dedicated dump file configured. Let me show you how to do this without booting the computer and without tweaking the pagefile.
-
Sami Laiho commented on Reset Windows 10 password by disabling Windows Defender 3 years, 1 month ago
And you copied the cmd.exe on top of sethc.exe just like in the blog post? I’m just asking cause you refer to ”renaming”
-
Sami Laiho commented on Reset Windows 10 password by disabling Windows Defender 3 years, 1 month ago
I’ve been able to do this even with a new insider build… Maybe he has another anti-malware installed? Or a policy to block this.
-
Sami Laiho wrote a new post 3 years, 1 month ago
Many people think the built-in Administrator account is the most powerful account in Windows, which is not true. If you wanted to find something in Windows like root is for Linux, it would be the SYSTEM user account. This account can see and do things an admin can’t. This makes it essential for all troubleshooting, like when you want to access the SAM and SECURITY hives in the Registry.
-
Sami Laiho wrote a new post 3 years, 1 month ago
Before troubleshooting anything, we need to know what the problem is. However, we often don’t really speak the same language as our end users. We need end users to send us good, descriptive messages about the problems they have.
-
Sami Laiho wrote a new post 3 years, 2 months ago
To start any troubleshooting case, I always ask for two things. I ask for a Process Monitor trace, which you can get remotely by following this blog post, and a network trace. In this article, I will show you how to get a network trace from a remote computer without installing Wireshark or something similar on it.
-
Thanks! Fixed it!
-
Sami Laiho wrote a new post 3 years, 2 months ago
When I need to troubleshoot a problem in Windows, the first things I ask my customer to provide are a Process Monitor trace and a network trace. Process Monitor is the second most downloaded tool from the Sysinternals toolkit. You can download it as part of the Sysinternals Suite. Sometimes you don’t have access to the computer to run the tool interactively, or you don’t want the end user seeing Procmon running on the computer. In the next post, I will show how you can acquire a Process Monitor trace from a remote computer.
- Load More