Want to see ransomware in action?

This is an analysis of an email that I got….

Check it out here: https://www.reverse.it/sample/0adc7a9b3173d6db061d1c354864cecd9e43bd2b8cc25f977783921448349e95?environmentId=100#

Or a shorter link to it is here:

http://tinyurl.com/igniteransomware

Packing the geek stuff

Getting ready to get on a plane tomorrow for Atlanta.  Philip Elder is heading there as well and I’m looking forward to getting his SMB and cluster views first hand.

By the way have you seen the upcoming SMB virtual sessions with the new technology heading our way?

SMB Tech Jumpstart: Hybrid Identity:
https://www.microsoftevents.com/profile/form/index.cfm?PKformID=0x645146868f

Date: Oct 03, 2016  |  Time: 10:00 AM – 11:00 AM  |  Location: Skype Meeting

SMB Tech Jumpstart: Hybrid Identity

Are you interested in EMS and Azure, but you aren’t sure where to start? Do you feel like you don’t quite know the technologies you’re selling? Maybe you just don’t know where to begin to understand all of the Microsoft tools?

 

Our new SMB JumpStart: Hybrid Identity program kicks off on October 3rd, and you won’t want to miss this great opportunity designed to help your team comprehend, adopt, and deploy Microsoft Technologies to expand your business opportunities.

This four-week program includes weekly webinars focused on a new aspect of the chosen technology, as well as hands-on independent learning assignments and Office Hours sessions, to help ensure engagement and individual comprehension. If you have additional questions, there will be a members-only Yammer group where you can consult technical experts. At the end of the series, you will be your company’s Identity technical champion, ready to identify, pitch, and implement new customer services.

Benefits to you:

In this 4-week program on Hybrid Identity, you’ll receive step-by-step guidance and resources each week on the following topics:

  • Choosing a Champion and Activating Your Internal Use Rights
  • Connecting your On Premises Active Directory with Office 365 and Azure
  • Using Multi-Factor Authentication and Single Sign-on for other Software as a Service solutions
  • Custom Portal Branding, Password Writeback, and other enhanced Azure Active Directory Premium benefits

Who should participate: This program is best-suited for companies who are ready to commit to starting an EMS or Azure practice today. We recommend your company’s Office 365 technical lead attend the sessions.

 

Ready to get started?

The program kicks off on Monday, October 3rd.

Register for the program and you will receive access to the webinars, private Yammer group, and resources webpage.

 

Webinar (10-11am PST)     Office Hours (10-11am PST)
October 3                 October 7
October 10                October 14
October 17                October 21
October 24                October 28

Come and talk with me about Ransomware

I’ll be in two locations in September and October talking about Ransomware

The first is at Microsoft’s Ignite – https://myignite.microsoft.com/sessions/20567

The second is a birds of a feather session on Ransomware at ITDEV connections in Las Vegas.  http://www.itdevconnections.com/dc16/Public/SessionDetails.aspx?FromPage=Sessions.aspx&SessionID=1016761&SessionDateID=1000992

Ignite is sold out and ITDEV is almost sold out… so hurry fast

A new updating model

Further simplifying servicing models for Windows 7 and Windows 8.1

Get ready for a big change to how we install updates for Windows 7 and 8.1.  If you receive updates via Windows Update, your Windows 7 and 8.1 updates are moving to a cumulative model like Windows 10’s.

If you are managing updates with WSUS and/or SCCM, you’ll see one security update bundle and one non-security update bundle each month.

Just a reminder – if you are adding Windows 10

Adding Windows 10 to SBS 2008

Adding Windows 10 to SBS 2011

Adding Windows 10 to SBS 2011 Essentials

Adding Windows 10 to Windows Server 2012 Essentials

Adding Windows 10 to Windows Server 2012 R2 Essentials

There are some edits you need to make to get all of this to work.

 

Windows 10 anniversary update and Essentials R2

Steps to take (assuming you haven’t upgraded to Anniversary edition yet)

Step one on your Essentials R2 machine:  Ensure https://support.microsoft.com/en-us/kb/3172614 is installed.  It’s the July non-security update rollup.

On your clients, uninstall the OLD connector (it will be listed as a Windows update) and then go to http://servername/connect and manually reinstall/reconnect your workstations to the server.  This will install the NEW connector as a program, not as an update.

Install the anniversary update.  You may (you will) find that the newly revised connector appears to be gone.  It really isn’t; it’s just an issue with the notification area cache.  Thanks to Mike (The Office Maven) we have a fix:

EssentialsTrayApp.exe doesn’t work after KB3172614:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/2c21527e-4f91-4513-98d3-6db8d3f83a9b/essentialstrayappexe-doesnt-work-after-kb3172614?forum=winserveressentials

Hi All,

Apparently the “Notification Area Icons” cache becomes (somewhat???) corrupted when installing the Windows 10 Anniversary Update (1607), and this in turn is causing EssentialsTrayApp.exe to error out when it attempts to reset the Essentials notification area icon (as is indicated by the errors that are shown in the EssentialsTrayApp.<SID>.log file).

In order to correct the issue, you simply need to reset the Notification Area Icons cache for each user who is missing the Essentials notification area icon on their Windows 10 client computer. I have tested this on three separate Windows 10 client computers (Pro and Home), and it has corrected the problem on all of them.

To reset the Notification Area Icon cache, simply download the “Reset_Notification_Area_Icons_Cache.bat” file from the following web page (props go out to Shawn Brink and the Windows Ten Forums for their excellent tutorial!):

How to Reset Notification Area Icons in Windows 10

After the client computer has restarted, you will find the Essentials notification area icon has returned to the notification area of your Windows 10 client computer.

I hope this helps everyone out that is currently experiencing the problem on their Windows 10 client computers.

— MIKE (The Office Maven)

Now here’s step two:


Hi All,

While you’re at it you might also want to fix the “Alert Evaluations” task in the Task Scheduler as it is also messed up by the new client connector that gets installed by KB3172614.

To do so, open the Task Scheduler (on the client computer), and go to:

Task Scheduler Library -> Microsoft -> Windows -> Windows Server Essentials

Double-click on the “Alert Evaluations” task and click on the “Actions” tab in the Properties window that appears.

Double-click on the “Start a program” action and change the “Program/script” value to:

C:\Program Files\Windows Server\Bin\RunTask.exe

And change the “Add arguments (optional)” value to:

/asm:"C:\Program Files\Windows Server\Bin\AlertFramework.dll" /class:Microsoft.WindowsServerSolutions.NetworkHealth.AlertFramework.HealthScheduledTask /method:EvaluateAlertsByTriggerTaskAction /task:"Alert Evaluations"

NOTE: Adjust the location of your client computer’s “C:\Program Files” folder as required (for locales other than English, etc.).

Click OK, answer Yes to the confirmation message that appears, and then click OK again to close the Properties window.

After that, you can manually run the task to make sure that it now works properly (note that you may need to hit Refresh in order to see the updated run result).

— MIKE (The Office Maven)
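
The Task Scheduler change described in the post above, as an added PowerShell example that is not part of the original forum post or this blog. It assumes an elevated 64-bit PowerShell session on the Windows 10 client; the task path, program and arguments are the ones quoted above, and the $binDir variable is introduced here for illustration.

```powershell
# Added example, not from the original post. Run elevated on the client.
# Task name, program and arguments are the values quoted in the post above.
# $binDir is an assumption: adjust it if the connector is installed elsewhere.
$binDir   = Join-Path $env:ProgramFiles 'Windows Server\Bin'
$taskPath = '\Microsoft\Windows\Windows Server Essentials\'
$taskName = 'Alert Evaluations'

$program   = Join-Path $binDir 'RunTask.exe'
$assembly  = Join-Path $binDir 'AlertFramework.dll'
$arguments = '/asm:"{0}" ' -f $assembly
$arguments += '/class:Microsoft.WindowsServerSolutions.NetworkHealth.AlertFramework.HealthScheduledTask '
$arguments += '/method:EvaluateAlertsByTriggerTaskAction /task:"{0}"' -f $taskName

# Stop early if the connector binaries are not where we expect them.
foreach ($file in $program, $assembly) {
    if (-not (Test-Path -LiteralPath $file)) { throw "Not found: $file" }
}

$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction Stop

# Print the existing action first so the change can be reviewed or reverted.
$task.Actions | Format-List Execute, Arguments

$current = $task.Actions | Select-Object -First 1
if ($current.Execute -eq $program -and $current.Arguments -eq $arguments) {
    Write-Output 'Action already matches the corrected values; nothing changed.'
} else {
    $action = New-ScheduledTaskAction -Execute $program -Argument $arguments
    Set-ScheduledTask -TaskPath $taskPath -TaskName $taskName -Action $action | Out-Null
    Write-Output 'Action updated.'
}

# Run the task once and show the result (LastTaskResult 0 means success).
Start-ScheduledTask -TaskPath $taskPath -TaskName $taskName
Start-Sleep -Seconds 10
Get-ScheduledTaskInfo -TaskPath $taskPath -TaskName $taskName |
    Select-Object LastRunTime, LastTaskResult
```

Because the script prints the previous Execute and Arguments values before changing them, keep that output if you need to restore the task later.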

Susan note:  I realize that all of this is extremely confusing and requires way too many manual steps.  I too wish that Microsoft could release an update that didn’t require a manual uninstall and reinstall.  I find this discouraging (to say the least).

Windows 10 anniversary update and SMB server impact

The R2 problem is being investigated at this time – will keep you posted

Issues seen with:

Essentials R2:

I think the old connector isn’t being uninstalled and we’re getting two connectors installed.  I think.  Under investigation.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/36a1e1bc-5948-4058-9372-07e9e96a9fa4/windows-10-clients-and-server-2012r2-essentials?forum=winserveressentials

Bottom line, the symptom: if the connector was installed before and you went through the AU release, the connector is lost.  You go to reinstall the connector and it won’t find the server.

See the resolution here:

Windows 10 anniversary update and Essentials R2

SBS 2008:

https://social.technet.microsoft.com/Forums/en-US/1932302f-b31c-4c8b-8dec-d0554852800b/windows-10-version-1607-build-1439310-rww-error-50331656?forum=smallbusinessserver

RWW doesn’t work.  The error points to a mismatch in RDP protocol.  In the past the only way I’ve seen to fix that is to roll back an RDP update, which obviously we can’t do in Windows 10.

Bypassing RWW with Rdgateway works.  Given that SBS 2008 is no longer under a support window….

Bottom line: use the bypass until we can figure out a workaround.

Working:

SBS 2011 Standard

RWA still works

Unknown:

SBS 2011 Essentials:

No reports yet

Tilting at windmills again

https://technet.microsoft.com/en-us/itpro/windows/manage/group-policies-for-enterprise-and-education-editions

If you look at that list, it pretty much means that group policy doesn’t allow you to block consumerish apps or to customize the start menu.

And be aware that if you go into the group policy editor, some of these aren’t documented there, nor are they listed as needing a certain version in the spreadsheet.

Yes, this change.org is tilting at windmills, but one should at least try.

 

Making lemonade out of ransomware

http://www.thirdtier.net/women-in-it-scholarship-program/

When life gives you lemons, you make lemonade.  Or in the case of Amy Babinchak, when attackers go after your clients, you get this brainy idea to take the ransomware protection kit project and use it as a fundraiser to get women into technology.

Kudos to Amy for taking the kit and making it pay off for others – but in a good way.

Look for new content soon about blocking JavaScript files.

Essentials connector update for Windows 10

Windows 8.1 and Windows Server 2012 R2 update history:
https://support.microsoft.com/en-us/help/24717/windows-8-1-windows-server-2012-r2-update-history

Updated the inbox component in Windows Server 2012 R2 Essentials to use
the new client connector, so that the inbox component won’t get
uninstalled during Windows 10 upgrades.

July 2016 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2:
https://support.microsoft.com/en-us/kb/3172614

It’s in that update rollup just out today.

And may I say… finally!

Note that the fix gets installed ON THE SERVER, not on the clients/Windows 10.