Author Archives: ArmgaSys

Provision Samsung EVO SSD drives for BitLocker

Samsung EVO SSD drives (such as the 850 EVO and 850 PRO) now support Microsoft’s eDrive hardware encryption.  With a correctly provisioned device, you can now encrypt your entire drive without the ugly performance impact BitLocker normally exacts.

…And there was much rejoicing!  … Wait a second, he said “With a correctly provisioned device”…

It seems provisioning Samsung EVO SSDs is a non-trivial task.  The high-level steps to provision a Samsung EVO SSD are:
(We are conveniently ignoring things like UEFI BIOS settings, TPM, Drive Passwords, etc.)

  1. Create a Secure Erase bootable USB/DVD from the Samsung Magician software
  2. Soft install the SSD in your device (Don’t screw it in just yet… you’ll need to fiddle with it in step#6)
  3. Install a version of Windows which supports full drive BitLocker.  Keep this install simple and quick.  Don’t even bother to activate!
  4. Install Samsung Magician software
  5. Launch Samsung Magician software and set the Encrypted Drive (eDrive) to “Ready to Enable”
  6. Reboot into the Secure Erase bootable USB/DVD created in step#1 above and perform a Secure Erase
    1. This can require some fiddling with the BIOS to allow you to boot the USB/DVD
    2. You will almost always have to “reset” the SSD by powering it off / removing it during Secure Erase
  7. Reboot and install a version of Windows which supports full drive BitLocker
  8. Screw the SSD in and replace all device covers

Did you catch the fact you have to install Windows two separate times?  You caught that right, install Windows TWICE!

This is a nightmare made real if you have to provision, say, 10+ devices for your company.

Large Scale Provisioning Made (slightly) Easier
For users provisioning multiple devices within a corporate environment, there is a slightly easier way.  These steps will allow you to skip the second install of Windows!

Preparation Step#1: Create a bootable USB Drive
The goal is to create a Windows 7 install on a USB 3.0 Drive which we can perform initial provisioning on our hardware.

  1. Download and install WinToUSB
    http://www.easyuefi.com/wintousb/
  2. Locate a Windows 7 x64 ISO (Pro or better is recommended)
    Why Windows 7?  As of this writing, several features of the Samsung Magician do not work in Windows 8.
  3. Create a fully bootable Windows 7 install on your USB 3.0 drive using WinToUSB and your Windows 7 ISO
  4. Boot from your newly created Windows 7 install and install Samsung Magician software on the instance

Preparation Step#2: Create a bootable DVD/USB with Secure Erase installed

Provisioning Your Devices
(We are conveniently ignoring things like UEFI BIOS settings, TPM, Drive Passwords, etc.)

  1. Soft install the SSD in your device (Don’t screw it in just yet… you’ll need to fiddle with it in step#4)
  2. Boot from the USB 3.0 drive created in Preparation Step#1
  3. Launch the Samsung Magician software and set the Encrypted Drive (eDrive) to “Ready to Enable”
    NOTE: You may need to reset your resolution to 1024×764.  Magician is somewhat picky about resolutions
  4. Reboot into the Secure Erase bootable USB/DVD created in Preparation Step#2 above and perform a Secure Erase
    1. This can require some fiddling with the BIOS to allow you to boot the USB/DVD
    2. You will almost always have to “reset” the SSD by powering it off / removing it during Secure Erase
  5. Reboot and install a version of Windows which supports full drive BitLocker
  6. Screw the SSD in and replace all device covers
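An added check, not part of the original post, for the step the procedure leads up to: once you turn BitLocker on, confirm the volume really uses eDrive hardware encryption rather than silently falling back to software AES. It uses the built-in BitLocker PowerShell module (Windows 8 / Server 2012 and later) and must run elevated.

```powershell
# Added example, not from the original post. Requires the BitLocker module
# (Get-BitLockerVolume) and an elevated prompt.
function Test-EDriveEncryption {
    param([string]$MountPoint = $env:SystemDrive)   # OS volume by default

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # EncryptionMethod is 'Hardware' only when the eDrive path is in use; any
    # Aes*/XtsAes* value means BitLocker fell back to software encryption.
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus       # e.g. FullyEncrypted
        ProtectionStatus = $vol.ProtectionStatus   # On / Off
        EncryptionMethod = $vol.EncryptionMethod
        HardwareEDrive   = ($vol.EncryptionMethod -eq 'Hardware')
    }
}

$result = Test-EDriveEncryption
$result | Format-List

if ($result.VolumeStatus -eq 'FullyDecrypted') {
    Write-Warning "BitLocker is not enabled on $($result.MountPoint); enable it, then re-run."
}
elseif (-not $result.HardwareEDrive) {
    # Software fallback: the drive was not in 'Ready to Enable' state when
    # BitLocker was turned on (or a UEFI/policy prerequisite was missing).
    Write-Warning 'Software encryption in use. Decrypt, re-provision the SSD (Secure Erase) and enable BitLocker again.'
}
```

Run it on every provisioned machine before it leaves the bench; the eDrive provisioning is wasted if the volume reports a software method.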

Our recommendation to Samsung
The Secure Erase bootable USB/DVD needs to have an option to perform the “Ready to Enable” step as part of the Secure Erase procedure.
This simple change would allow provisioning of the SSD for eDrive functionality directly from the Secure Erase USB/DVD in one easy step!

Exchange UM Voice Auto-Attendant custom greeting and those pesky system prompts

Microsoft Exchange Unified Messaging is a very cool tool to put into your corporate telephony arsenal.  You get a very nice, voice activated auto-attendant with some very nice features.
One feature the Exchange UM team didn’t get fully right is customization of the initial greeting.

Out of the box, your voice enabled AA (auto-attendant) will say:

Thank you for calling [your company name] To reach a specific person, just tell me their name

If you are like ArmgaSys, you will want to customize your greeting via the ECP (Exchange Admin Center).  You hire voice talent and record a really nice greeting along the lines of “Thank you for calling my company, if you know your parties extension, you may dial it now or simply tell me their name”.  You then upload your greeting in the UM and are shocked to hear the following:

Thank you for calling my company, if you know your parties extension, you may dial it now or simply tell me their name. To reach a specific person, just tell me their name.

You just discovered a UM system prompt, specifically the Voice AA prompt which says (in a female voice) “To reach a specific person, just tell me their name”

At this point, you have only one option:  You must replace the system prompt with an audio file containing silence.*  Fortunately, this is very easy to do!

The solution:

  1. On your Exchange UM server, navigate to
    C:\Program Files\Microsoft\Exchange Server\V[#]\UnifiedMessaging\prompts\en\
  2. Delete the file vuiAADsearch_Yes_Custom_No_main.1.wav
  3. Make a copy of Silence-250ms.wav
    (This .wav file is also located in the prompts\en directory)
  4. Rename your copy of the silence file to vuiAADsearch_Yes_Custom_No_main.1.wav

That is it!

Warning! Warning! Warning!
Installing cumulative updates (CU) and service packs will revert this file back to its original state.  You will need to repeat these steps after each CU and Service Pack!

*Some of you will be asking “Why not just delete the file”.  Well, it is a system prompt which means Exchange UM pretty much requires the file to be there.  Deleting the file can (and will) cause your UM service to fail.
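The four steps above as a re-runnable script (added here, not part of the original post), written so it can be scheduled after every CU and service pack: it compares the prompt's hash with the silence file, re-applies the silence only when an update has reverted it, and keeps one backup of the original prompt instead of deleting it. It assumes Exchange setup's ExchangeInstallPath environment variable points at the V[#] directory the post refers to.

```powershell
# Added example, not from the original post. Assumes $env:ExchangeInstallPath
# (set by Exchange setup) points at the V[#] directory, so no version is hard-coded.
$PromptDir  = Join-Path $env:ExchangeInstallPath 'UnifiedMessaging\prompts\en'
$PromptFile = Join-Path $PromptDir 'vuiAADsearch_Yes_Custom_No_main.1.wav'
$Silence    = Join-Path $PromptDir 'Silence-250ms.wav'

# True when the system prompt is already byte-identical to the 250 ms silence file.
function Test-PromptSilenced {
    if (-not (Test-Path $PromptFile)) { return $false }
    $promptHash  = (Get-FileHash $PromptFile -Algorithm SHA256).Hash
    $silenceHash = (Get-FileHash $Silence    -Algorithm SHA256).Hash
    $promptHash -eq $silenceHash
}

# The post's steps 2-4. Keeping a .orig backup is an addition to the post's
# procedure; the prompt itself must keep its original name (see footnote).
function Set-PromptSilenced {
    if (-not (Test-Path $Silence)) { throw "Silence file not found: $Silence" }
    if (Test-PromptSilenced) { return 'already silenced' }

    $backup = "$PromptFile.orig"
    if (-not (Test-Path $backup)) { Copy-Item $PromptFile $backup }
    Copy-Item $Silence $PromptFile -Force
    'silenced'
}

# Run after every CU / service pack: report a reverted prompt and fix it.
if (Test-PromptSilenced) {
    Write-Host 'Voice AA system prompt is still silenced.'
}
else {
    Write-Warning 'System prompt has been reverted (likely by a CU); re-applying.'
    Set-PromptSilenced
}
```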

WordPress file and directory security for IIS 7.0 and greater

It seems when we set up a new WordPress site on IIS (for whatever reason) the question always arises: “What is the directory and file security again?”.  We haven’t pulled the actual metrics, but we suspect this is one of the top 100 most asked questions of all time.

To help our own rather leaky memories, we are putting together this blog entry on our own internal best practices.  Hopefully it helps you as well!

Our Best Practices Overview

  • Modify level security is only allowed on .\[WordPress]\wp-content\uploads
  • All other directories are read only
    Why?  This helps prevent malware from infecting your site.
  • During updates (plugin or WordPress itself), the entire WordPress site is set for Modify permissions.
    Important:  Manual updates (XCOPY) are safer but not necessarily easier.  That being said, if you are already on the box setting permissions, you are already in position for an XCOPY update!

Initial Setup Details

  • At the WordPress root directory (.\[WordPress])
    1. Remove all inheritance from the parent objects
      Why?  This prevents the parent directory objects from changing your security without you knowing about it!
    2. Replace all child object permissions with inheritable permissions from your WordPress root directory
      Why?  This guarantees that all WordPress directories get your explicit permissions!
    3. Grant the user IUSR the following permissions: Read & Execute, List folder contents, Read
    4. Grant the group IIS_IUSRS the following permissions: Read & Execute, List folder contents, Read
    5. Grant the group Administrators the following permissions: Full control
    6. Recommended:  Remove the group Users (I.E. grant the Users group no rights to the WordPress directory)
  • At the WordPress upload directory (.\[WordPress]\wp-content\uploads)
    1. Remove all inheritance from the parent objects
      Why?  This configures your upload directory for specific permissions to allow publishing of content!
    2. Replace all child object permissions with inheritable permissions from your \uploads directory
    3. Grant the user IUSR the following permissions: Modify, Read & Execute, List folder contents, Read, Write
    4. Grant the group IIS_IUSRS the following permissions: Read & Execute, List folder contents, Read
    5. Grant the group Administrators the following permissions: Full control
    6. Recommended:  Remove the group Users (I.E. grant the Users group no rights to the \uploads directory)

Update Time Details
When it becomes time to update your WordPress site, perform the following steps:

  • At the WordPress root directory (.\[WordPress])
    1. Grant the user IUSR the following permissions: Modify
      Why?  Permissions inheritance will automatically set all WordPress directories to allow modification by the IUSR account.  This will allow updates to be performed.

Important: Be sure to remove both the Modify and Write permissions from IUSR when you are done with your updates!
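One script (added here, not the post's own) that applies both procedures, the initial lockdown and the update-time Modify grant, using icacls, plus a check that lists any directory outside uploads where IUSR still holds write rights. The WordPress root path is an assumption; IUSR, IIS_IUSRS, Administrators and Users are the identities the post names. Run it elevated.

```powershell
# Added example, not from the original post. WpRoot is an assumed path.
param(
    [string]$WpRoot = 'C:\inetpub\wwwroot\wordpress',   # assumed path, adjust
    [ValidateSet('Lockdown', 'Update')] [string]$Mode = 'Lockdown'
)

# Post's steps 1, 2 and 6 for one directory: explicit (non-inherited) rights on
# the directory, no Users entry, then every child reset to inherit only those.
function Set-ExplicitAcl {
    param([string]$Path, [string[]]$Grants)
    icacls $Path /inheritance:r /grant:r $Grants /Q | Out-Null
    icacls $Path /remove 'Users' /Q | Out-Null
    icacls "$Path\*" /reset /T /C /Q | Out-Null
}

function Invoke-Lockdown {
    param([string]$Root)
    # Root: web identities read-only (RX), Administrators full control (F).
    Set-ExplicitAcl $Root @('IUSR:(OI)(CI)RX', 'IIS_IUSRS:(OI)(CI)RX', 'Administrators:(OI)(CI)F')
    # uploads: the only tree where IUSR gets Modify (M).
    Set-ExplicitAcl (Join-Path $Root 'wp-content\uploads') `
        @('IUSR:(OI)(CI)M', 'IIS_IUSRS:(OI)(CI)RX', 'Administrators:(OI)(CI)F')
}

# Update time: Modify at the root; inheritance carries it to every subdirectory.
function Invoke-UpdateMode {
    param([string]$Root)
    icacls $Root /grant:r 'IUSR:(OI)(CI)M' /Q | Out-Null
}

# Check: directories outside uploads where IUSR kept Modify/Write/Full control
# mean the lockdown was forgotten after an update.
function Get-IusrWritableDirs {
    param([string]$Root)
    $uploads = Join-Path $Root 'wp-content\uploads'
    Get-ChildItem $Root -Directory -Recurse | Where-Object {
        $_.FullName -notlike "$uploads*" -and
        ((icacls $_.FullName) -match '\bIUSR:.*\((M|W|F)\)')
    } | Select-Object -ExpandProperty FullName
}

switch ($Mode) {
    'Lockdown' { Invoke-Lockdown $WpRoot }
    'Update'   { Invoke-UpdateMode $WpRoot }
}
Get-IusrWritableDirs $WpRoot   # empty output is the expected state after Lockdown
```

Run with -Mode Update before an update and -Mode Lockdown afterwards; because /grant:r replaces IUSR's existing grant, the lockdown run also strips the Modify right, which is the post's closing reminder.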