Windows 10

From Segfault

Bitlocker

For some reason Windows BitLocker would not prompt for the decryption password that was set when BitLocker was initialized. This may be related to the TPM: the key is apparently handed off to the TPM chip, so the user is no longer prompted for a password[1]. To prevent that and to restore the password prompt:

  1. Open gpedit.msc
  2. Open Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
  3. Select and enable Require additional authentication at startup
    1. Allow BitLocker without a compatible TPM: Yes
    2. Configure TPM startup: Do not allow TPM
    3. Configure TPM startup PIN: Require startup PIN with TPM
    4. Configure TPM startup key: Do not allow startup key with TPM
    5. Configure TPM startup key and PIN: Do not allow startup key and PIN with TPM
    6. Allow enhanced PINs for startup: Enabled
    7. Configure use of passwords for operating system drives: Enabled
    8. Configure password complexity for operating system drives: Allow password complexity
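
As an added check (not part of the wiki page), the PowerShell below lists the key protectors on the system drive; a Tpm-type protector with no Password protector is exactly the situation described above. It assumes the BitLocker PowerShell module is present and is run from an elevated prompt.

```powershell
# Added example: show why BitLocker unlocks the OS drive without asking.
# Assumes the BitLocker module (Get-BitLockerVolume etc.) and an elevated shell.
$mount = $env:SystemDrive        # usually "C:"
$vol   = Get-BitLockerVolume -MountPoint $mount

"{0}: {1}, protection {2}" -f $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus
foreach ($kp in $vol.KeyProtector) {
    "  {0,-18} {1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId
}

# Tpm, TpmPin, TpmStartupKey and TpmPinStartupKey all unlock via the chip.
$tpm = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
$pw  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Password' }

if ($tpm -and -not $pw) {
    Write-Warning "OS volume is unlocked by the TPM only; no password prompt will appear."

    # The group policy settings above only govern which protectors may be
    # added; an existing TPM protector keeps unlocking the drive until it
    # is removed. Print the recovery password first so the volume stays
    # reachable if the switch goes wrong, then add a password protector
    # before removing the TPM one (commands left commented on purpose):
    $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { "  recovery password: {0}" -f $_.RecoveryPassword }

    #   Add-BitLockerKeyProtector -MountPoint $mount -PasswordProtector `
    #       -Password (Read-Host -AsSecureString 'New BitLocker password')
    #   Remove-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $tpm.KeyProtectorId
}
```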

For non-system drives, the following needs to be set:

  1. Open Fixed Data Drives
  2. Enable Configure use of passwords for fixed data drives
    1. Require password for fixed data drive: Checked

Miscellaneous

Cygwin & SSH Keys

Unsolved as of yet:

$ ssh -i .ssh/key 10.0.0.2
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for '.ssh/key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key ".ssh/key": bad permissions

$ ls -ld /home{,/dummy{,/.ssh{,/key}}}
drwxr-xr-x+ 1 admin None    0 Oct 12 00:00 /home
drwx------+ 1 dummy None    0 Oct 17 01:31 /home/dummy
drwx------+ 1 dummy Users   0 Oct 13 19:04 /home/dummy/.ssh
-rwx------  1 dummy None  444 Oct 13 19:04 /home/dummy/.ssh/key

And getfacl is of no help here, because it's some weird Windows ACL[2] that needs to be corrected here.[3]

Disable 3D Objects

Remove the key {0DB7E03F-FC29-4DC6-9020-FF41B59E513A} from the following registry locations to disable that useless 3D Objects directory:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace

Disable Web Search

Disable the (Bing) Web Search[4] in the start menu:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search]
"CortanaConsent"=dword:00000000
"BingSearchEnabled"=dword:00000000

Import Certificates

Root certificates, and intermediates:

Get-ChildItem -Path "*crt" | Foreach-Object { certutil.exe -addstore -user root $_.FullName }
Get-ChildItem -Path "*crt" | Foreach-Object { certutil.exe -addstore -user CA   $_.FullName }

If there are subdirectories involved:

Get-ChildItem -Path "." -Recurse -Filter *.crt | Foreach-Object { echo $_.Name }

Generate a Java keystore from the certificates:

Get-ChildItem -Path "*crt" | Foreach-Object {  keytool -import -alias $_.Name -keystore ..\keystore.pfx -file $_.FullName -storepass XXX -noprompt }

List the certificates in the keystore:

keytool -v -list -keystore .\keystore.pfx -storepass XXX | Select-String "Alias"

Samba Guest Logins

To connect to SMB2 shares as a guest from Windows 10, we may need to enable "insecure guest logons" in the Group Policy[5]:

  • Start gpedit.msc
  • Enter Computer Configuration > Administrative Templates > Network > Lanman Workstation
  • Enable "Enable insecure guest logons"

Startup Items

According to their support site[6]:

  • Open shell:startup via Windows+R to open the Startup items directory.
  • Place whatever is needed here, for example pageant shortcuts[7]:
    1. Create a shortcut to pageant.exe
    2. Right-click the shortcut and open 'Properties'
    3. Target: "<path to>/pageant.exe" key.ppk
    4. Start in: "<path to key.ppk>"

Verbose Boot

To enable verbose boot[8], via the Windows Registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DWORD32:VerboseStatus=1

Or via a Group Policy:

  1. Open gpedit.msc
  2. Select Computer Configuration > Administrative Templates > System
  3. Select and enable Display highly detailed status messages

WinSxS

Clean up the WinSxS folder, from an elevated command prompt:

dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase

Add /SPSuperseded to remove old service pack remnants.