Chocolatey and security

I decided to use Chocolatey to install applications to my freshly installed Windows 10 machine. My original idea was to use OneGet, which is the new package-manager manager introduced in Windows 10, and which has a preview Chocolatey provider, however I didn’t have much success with it, so I stepped back and used Chocolatey directly.

The first step is to install Chocolatey, which is very simple, just run the 1-line script from the chocolatey.org homepage in an admin command prompt:

C:\> @powershell -NoProfile -ExecutionPolicy Bypass -Command "iex ((new-object net.webclient).DownloadString(‘https://chocolatey.org/install.ps1’))" && SET PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin

With this single command you actually do three things:

1. You download a PowerShell script.
2. You run the downloaded script with administrative privileges.
3. You extend your PATH environment variable.

I don’t know about you, but step 2 freaks me out. And this can be a good time to take a deep breath and think through what you are going to do: you will install applications from unknown source to your machine! When you execute a command like

choco install adobereader

you have no idea what it will download and install to your computer.

So what can you do?

First, install only those choco packages that are approved by moderators. Moderation is a manual process, and it may have human errors, but it is a validation after all. In the detail page of a package that was approved by a moderator, for example the Adobe Reader package, you can see this in a green box:

This package was approved by moderator gep13 on 6/11/2015.

If a package was not checked by a moderator, for example Notepad2, you can see this in a red box:

This package was submitted prior to moderation and has not been approved. While it is likely safe for you, there is more risk involved.

If you already opened the detail page of a package, you better read everything you can find there. For example in the 7-zip package page you can find this warning:

NOTE: The installer for 7-Zip is known to close the explorer process. This means you may lose current work.

Here you can also find useful options too, for example the Firefox package allows you to specify the language of the application to install:

choco install Firefox -packageParameters "l=en-US"

If you scroll down, you can find references in the comments which may make you choose not to install a certain package. For example OpenCandy is mentioned in the comments of the CDBurnerXP package, and you can probably also recall installers that install unwanted software if you just blindly go through them with next-next-finish.

In the middle of the page you can find the installer PowerShell script as well, which might be worth to take a look at, because there you can see, what EXE or MSI is downloaded and from what server. In case of the Adobe Reader package this script is only 6 lines, you can clearly see the URL in the middle, and you can very easily understand what is actually happening. One cannot say the same about the 117-line script of the Firefox package, or the script of the Node.js package which is only 1 line, but refers to two other packages.

In summary, I don’t feel Chocolatey can be used securely, it is all about trust. You can do these manual checks, you can update your operating system, install antivirus and antimalware, deny access to unwanted hosts, but at the end of the day you will run code from an unknown source, which – at least from security perspective – doesn’t seem to be a good idea.

I installed these packages, and they didn’t burn down the house (yet):

adobereader
7zip
emet
fiddler
filezilla
firefox -packageParameters "l=en-US"
gitextensions
google-chrome-x64
join.me
keepass
nodejs
paint.net
silverlight
skype
sysinternals
vlc

So what do you think, do you use similar tools, are you brave enough to use Chocolatey, and if yes, what other packages do you install?

 

Technorati-címkék: Chocolatey,install,security

Use Bitlocker without TPM

Contrary to the popular belief, you can use Windows’ built-in Bitlocker to encrypt your hard disk content, even if you don’t have a TPM chip in your computer. You can easily encrypt your data disks; you just have to enter a password, and you have the option to save your recovery key to file, a USB drive or even to the cloud. However when you try to encrypt your OS volume with Bitlocker, you will see the following error message:

This device can’t use a Trusted Platform Module. Your administrator must set the “Allow BitLocker without a compatible TPM” option in the “Require additional authentication at startup” policy for OS volumes.

It is quite a good error message, because it not only states what the problem is, but also helps you to recover from it. If it would say exactly where you can find that setting, it would be perfect!

If you search for the word “policy”, you will find Local Security Policy, but it is not what you really want. What you need is the Group Policy Object Editor, even if your computer is not domain joined.

Start a Microsoft Management Console (mmc), and add the Group Policy Object Editor snap-in (click for the full image):

Then within then Local Computer Policy –> Computer Configuration –> Administrative Templates –> Windows Components –> BitLocker Drive Encryption –> Operating System Drives branch you can find the setting the error message referred to:

Open the setting, then first select Enabled, and then click the Allow Bitlocker without a compatible TPM checkbox below:

After you have closed all windows, you have to refresh your security policy, which you can do without restarting your computer by running gpupdate from the command prompt:

Now you can encrypt your OS volume just as you did with your data disks.

 

Technorati-címkék: Bitlocker,Windows 10,error

Windows 10 install: UEFI, secure boot, USB, GPT, error

I’ve tried to install Windows 10, so I have downloaded the ISO from MSDN, and used the Windows USB/DVD Download Tool to write it to a pendrive. However, my computer refused to recognize the installation media, so I didn’t have to option to boot from it. In my BIOS the boot options were set to UEFI boot ON, secure boot ON, which worked well for the previous Windows 8.1, but now these settings caused the problem. If I changed that setting to Legacy boot ON, secure boot OFF, the boot from USB option appeared, and the Windows installer successfully started. Unfortunately this is not the happy end of the story, because the installer later stopped with this error:

Windows cannot be installed to this disk. The selected disk is of the GPT partition style.

 

After some googling I’ve found several methods to convert a GPT partition to MBR (with loosing all data on the whole disk, or by using a 3rd party boot CD), but fortunately there is a much easier method.

 

The much easier method

The real issue is that UEFI boot does not work with NTFS pendrives (at least not in my machine), so the solution is to

use a FAT32 pendrive.

Unfortunately the Windows 7 USB/DVD Download Tool always reformats the pendrive to NTFS, even if it was formatted previously, so you need another tool to prepare the installer pendrive.

You can use diskpart for example, which is a built-in command line tool in Windows.

Let’s start it:

diskpart

Get a list of the available drives:

list disk

You will see the pendrive in the list (because hopefully you previously inserted it), you can recognize it from its size. Tell the tool that you want to work with that disk:

select disk 2 (use the correct number instead of 2)

Remove every content from the disk (you will lose your existing data on the pendrive!):

clean

Create a new FAT32 partition:

create partition primary
select partition 1
active
format quick fs=fat32
assign

Now you can quit from diskpart:

exit

The last step is to copy the installer to the pendrive. First, mount to ISO, and copy its content to the disk, for example with xcopy (in this example D: is the mounted ISO drive, F: is the target pendrive):

xcopy d:\* f:\ /s /e

With that your BIOS will hopefully recognize the pendrive, so you will be able to boot from it, and you will not have any problem with the GPT partition, even if UEFI and secure boot is turned on.

 

Technorati-címkék: Windows 10,install,USB