Distant Desktop (Free Remote Desktop Software)

It was so utterly stupid, and damaging to Microsoft
Yes. But you have to agree they're still doing it with deceptive dialog boxes as I described (although with less serious ramifications). A simple user with local account and their choice of password complexity (e.g. no password), perhaps they use a Microsoft account for email or OneDrive or Solitaire, and they're deceived into changing their login to their hotmail account for no benefit to them. The benefit is to Microsoft hence the deceptive dialog that I described above.
 
I'm not about to disagree that Microsoft is trying to cajole, through some extraordinary means, people to go to using a Microsoft account linked Windows 10 user account. I don't know that I'd consider what's happening truly deceptive, though it certainly borders on it.

I'm one of the few here who will not, except under the most exceptional of circumstances, even set up a local account under Windows 10 anymore. I find the plusses of using a MS Account linked Win10 user account really outweigh any minuses, in many respects that I am not going to even try to list as what I consider plusses others will consider minuses (which is fine, but arguing it gets no one anywhere).
 
Oh, contraire, you absolutely can. You should be keeping any protected information only in encrypted folders (and, thus, the files in them are encrypted, too).

They cannot "prove" that you're telling the truth no matter what you tell them, absent the device in question being recovered.

You cannot prove end users don't randomly keep files ANYwhere on the drive..can't prove they ONLY were in the folder.

If the full disk is encrypted...there's nothing to prove...because, it's obvious...anything/anything/anywhere on that drive was encrypted, no ifs, ands, or buts! Frequent monitoring of the status of the BitLocker on each computer, logged by an RMM or a server via group policy, maintains that happiness for the audits. <===and there is that proof!!!

I've been through audits on the IT compliance side...alongside those who audit my clients...heard it from their mouths...hence my stance.
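
As an added illustration (not part of the original post, and not any RMM vendor's own script): one way to produce the per-machine BitLocker status log described above, using the built-in `Get-BitLockerVolume` cmdlet. The log folder is an assumed path, and "compliant" is defined here as fully encrypted with protection on, so a volume whose protection is suspended is flagged even though it still reports as encrypted.

```powershell
#Requires -RunAsAdministrator
# Added example: append one row per volume to a CSV that an RMM or server can collect.
# $LogDir is an assumed location, not a path from the thread.
$LogDir  = 'C:\ProgramData\BitLockerAudit'
$LogFile = Join-Path $LogDir ("{0}.csv" -f $env:COMPUTERNAME)
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

$stamp = (Get-Date).ToUniversalTime().ToString('o')

$rows = Get-BitLockerVolume | ForEach-Object {
    # Suspended protection shows VolumeStatus FullyEncrypted but ProtectionStatus Off,
    # so both conditions are required before a volume counts as compliant.
    $compliant = ($_.VolumeStatus -eq 'FullyEncrypted') -and
                 ($_.ProtectionStatus -eq 'On')
    [pscustomobject]@{
        TimestampUtc  = $stamp
        Computer      = $env:COMPUTERNAME
        MountPoint    = $_.MountPoint
        VolumeType    = $_.VolumeType
        VolumeStatus  = $_.VolumeStatus
        Protection    = $_.ProtectionStatus
        PercentDone   = $_.EncryptionPercentage
        Method        = $_.EncryptionMethod
        KeyProtectors = ($_.KeyProtector.KeyProtectorType -join ';')
        Compliant     = $compliant
    }
}

# Keep history: every run appends, giving a dated trail for the audit.
$rows | Export-Csv -Path $LogFile -Append -NoTypeInformation

# Non-zero exit lets a scheduler or RMM raise an alert on any non-compliant volume.
$bad = @($rows | Where-Object { -not $_.Compliant })
if ($bad.Count -gt 0) {
    $bad | Format-Table MountPoint, VolumeStatus, Protection -AutoSize |
        Out-String | Write-Warning
    exit 1
}
exit 0
```

Run on a schedule, the CSV shows when each volume was last confirmed encrypted, which is the record to pull if a device later goes missing.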
 
OneDrive backup is a good idea for many people, I suggest it and help people with it all the time. There are however some legitimate complaints about technical issues, e.g.

An outlook PST file in Documents\Outlook Files (the default place for them for the last 10 years) prevents OneDrive from backing up the Documents folder. It won't even skip the file and back up the rest!

Back when PST files were more popular, it was against Microsoft's recommendations to have PSTs across a network. Some amateur techs would think they were being smart by having end users' PSTs on a server's mapped drive...so they could get backed up. But..a PST is a busy database file, Outlook sinks so many fingers into it, it's brutal over a network. And unsupported. I think they just ignore it with OneDrive since...PSTs are pretty much a 1990's dial up days thing..POP email is residential email, not really used in business setups in the past 25+ years. Heck or even residential..since for residential email systems IMAP has pretty much taken over that.
 
You cannot prove end users don't randomly keep files ANYwhere on the drive..can't prove they ONLY were in the folder.

You cannot prove a negative. Unless a breach is clearly detected by data appearing where it shouldn't, you cannot say that there has been a breach.

I'm not going to argue with what you're saying as far as CYA, but it is simply not possible, legally, to prove a breach without evidence of a breach. And no court is going to find in favor of someone who attempts to do so.
 
And yet again...

Everyone is upset that Microsoft is doing what Google and Apple do every day...

You cannot use an iPhone or an Android device without the above accounts... It simply cannot be done!

So honestly, I'm shocked that Home edition even lets you get going without one! Pro is a different mess, because it has to be able to work as a light duty server with its own account database, connect to an Active Directory, or an Azure Active Directory. With three different supported authentication options out of the box, and buckets more available via 3rd party plugs... Windows Hello is a distraction at best, a catastrophic nightmare at worst.

Now, I'm rather glad of this separation. Because I despise that I don't actually own my phone. If you don't have root, it's not yours!
 
And yet again...

Everyone is upset that Microsoft is doing what Google and Apple do every day...

You cannot use an iPhone or an Android device without the above accounts... It simply cannot be done!

So honestly, I'm shocked that Home edition even lets you get going without one! Pro is a different mess, because it has to be able to work as a light duty server with its own account database, connect to an Active Directory, or an Azure Active Directory. With three different supported authentication options out of the box, and buckets more available via 3rd party plugs... Windows Hello is a distraction at best, a catastrophic nightmare at worst.

Now, I'm rather glad of this separation. Because I despise that I don't actually own my phone. If you don't have root, it's not yours!

Indeed.

And I'd say that even if you do have root, it's still not "yours" in any meaningful sense of the word. You still need to have a Google or Apple account in order to use it in any meaningful way that most people do. Root gives you a lot more control, but that's all.
 
You cannot prove a negative.
Every time I hear someone say this my knee-jerk reaction is to say "Prove it!".

"Among professional logicians, guess how many think that you can’t prove a negative? That’s right: zero. Yes, Virginia, you can prove a negative, and it’s easy, too. For one thing, a real, actual law of logic is a negative, namely the law of non-contradiction. This law states that a proposition cannot be both true and not true. Nothing is both true and false. Furthermore, you can prove this law. It can be formally derived from the empty set using provably valid rules of inference. (I’ll spare you the boring details). One of the laws of logic is a provable negative. Wait... this means we’ve just proven that it is not the case that one of the laws of logic is that you can’t prove a negative. So we’ve proven yet another negative! In fact, ‘you can’t prove a negative’ is a negative so if you could prove it true, it wouldn’t be true!"

-- Steven D. Hales

Or is this another of those "not true but I'm saying it for emphasis" things?
 
Indeed.

And I'd say that even if you do have root, it's still not "yours" in any meaningful sense of the word. You still need to have a Google or Apple account in order to use it in any meaningful way that most people do. Root gives you a lot more control, but that's all.

Yes but with that control, a proper audit can be performed. Without it... well the bad guys have better access than we do! I mean yeah it's still not "ours", but we can at least be relatively certain of what's actually running on it.
 
will not, except under the most exceptional of circumstances, even set up a local account under Windows 10 anymore.
Do you need to ask a customer for a Microsoft account, or help them set one up, if setting up a new computer for them?

I only need to do that with people who have later Office versions, the minority, and if they don't know at least they can still use their computer and LibreOffice! I also set up refurbished computers (and sometimes new ones) without knowing who the customer will be, local account is the only option here.
 
Every time I hear someone say this my knee-jerk reaction is to say "Prove it!".

And those who would say this, should get the response, "It's axiomatic!"

That being said, there's definite validity in the observation, "Absence of evidence does not mean evidence of absence."

Life, and the circumstances involved in it, are complicated.
 
@britechguy @Computer Bloke That exchange just makes my brain jump to "This statement is false"

@fincoder You don't! But with Home edition during initial setup the unit has to be offline for that to happen. And once it's online it'll nag... why? Because setup isn't "complete" without that account. An account we as technical providers are not supposed to have access to, or any involvement with! Which are the most famous of last words in our industry right now...
 
Do you need to ask a customer for a Microsoft account, or help them set one up, if setting up a new computer for them?

Yes.

Like I said earlier, there are rare exceptions. On the very rare occasion where I'm wiping a machine for later transfer to some unknown other, I will set up a local account with admin privileges.

Most of my work is with residential or small (very small) business customers who are either setting up entirely new machines or moving from an older one to a newer one. If they don't already have a Microsoft account then I do create one for them as part of that process. My main reason for doing so is that it has saved my (and their) bacon more than once when they can't remember what software they had or keys they had and I can get 'em straight out of their accounts. I've also had much better success with password resets when I can use the "Forgot Password" on a Microsoft Account that's linked to a Windows 10 account and have it propagate down to the machine.

I just don't see the point in choosing a local account except in atypical circumstances. Others, of course, feel differently. Each of us to his or her own practices.
 
I just don't see the point in choosing a local account except in atypical circumstances.
Agreed.

One of the nice things about Microsoft Accounts is that there are a lot of tools around that will forcibly downgrade them to local accounts if necessary. It doesn't solve the BitLocker problem but it's a useful trick otherwise.
 
You cannot prove a negative. Unless a breach is clearly detected by data appearing where it shouldn't, you cannot say that there has been a breach.

I don't need to prove a breach. I need to cover my client's arse....if a laptop is "lost". A home visiting nurse from a Hospice/VNA agency for example, if she goes to her car and finds the window was left open, and...OMG...her laptop is missing! Aside from her not being smart to lock her car (not my problem at all), the next problem for her employer is that a laptop went missing. And technically they have to report that, unless they are 100% positive that there is zero risk of data missing. FDE gives that 100% comfort in "I am not worried in the slightest degree that any information 'might be at risk'". You cannot say that if only a folder/couple of folders was encrypted. You can only say "Well I hope she kept all her files in the encrypted vault"...while in the back of your head, you know that some people plop files on the desktop, or you find some in the root of the user libraries, or even in the root of the C drive, and possibly saved credentials for websites in various browser folders, and possibly the emails OST file, etc. Partial encryption is only...partial security, you might get a 2 maybe 3 out of 5 on the score card. I'll go for a 5 out of 5 on the score card for the audit. I'm very deep in NIST 800-171/DFARS/CMMC stuff with quite a few clients this year so....what the auditors look for, and focus on with great details, I have very fresh in my mind. CMMC is like..a thousand times heavier than HIPAA....but the whole industry of compliance is picking up and following CMMC as their goal.

Granted, I don't do residential...so, eh, whatever is "partial" is probably fine based on whatever one's standards are. But for businesses, any service providers can get hauled into court if a breach happens...if you sign up to provide for them, you also sign up to put your butt on the line with them, so...I'm not crazy about being lax with "partial"...I'd rather go the full distance with the highest score I can get my client on the score card of the audit.
 
@YeOldeStonecat

In other words, you've laid out, in detail, what I already asserted back in #57:

What may be desirable for ease of coverage is a completely separate thing from what is required for compliance with the law, depending on with what law it is one is trying to comply. And full drive encryption is thought of as (and incorrectly, in my opinion) a way to "cover all bases."

In the instances you describe, and for good reason audit-wise, it is definitely a "cover all bases"/CYA thing, which makes perfect business sense. I've never asserted otherwise. Whether, depending on setting and sensitivity of data, it's required to meet the requirements of the law is a separate issue. And it really doesn't matter, as it only makes business sense to do what is a complete covering of one's posterior rather than partially.

But one should, and clearly, differentiate what one is doing for ease of covering all bases versus what one is doing for legal compliance reasons. CYA by overkill is a valid approach.
 
Or is this another of those "not true but I'm saying it for emphasis" things?

No.

If you can figure out a way to prove that something has not happened (a negative, in this case) using absence of evidence then have at it. This is the "negative" that most mean when, "You cannot prove a negative," is stated. Perhaps you cannot prove that something has not occurred would be a better phrasing.

Prove the statement, "there has not been a data breach." You can infer that it's true, and pretty darned well, but you can't prove it. Absolute proof requires evidence of occurrence, and if something has not occurred there is an absence of evidence.
 
So I know this fork of the thread derailed it quite a bit...I am curious, what is a single advantage to just encrypting a folder or three, versus FDE? What does it gain either the IT guy, and/or the end user? I can guess at one answer: For unmanaged, undocumented...residential users, who might lose their encryption key/ or never know it, if something needs repair, you can get to the whole drive (minus the encrypted vaults) since the entire drive isn't encrypted. But for a business, where things are managed, modern full disk encryption is not an issue, it's all documented, so we can always unlock things if needed.

I will say, years ago...pre SSD days, in the days of spindles, software full disk encryption wasn't fun, had a performance impact, and...spinner drives got beat on and easily corrupted...and encryption put so much load/stress on them they failed at higher rates. Back then we often used a centrally managed encryption product based on Checkpoint.

But these days, with BitLocker being a VERY light load on drives, and with SSDs being all we do, with rock solid reliability, I've not had corruption increases from encryption. Just...no problems. And of course...we manage storing the encryption keys, so nothing is lost "if" needed.
 