…well not so fast

Group Policy not working on SBS 2008, SBS 2011 and Windows Server 2008/2008R2 since MS16-072

Sigh.  I’ve seen this too.  Okay so my workaround isn’t so easy.  Hang tight.

After applying MS16-072


On SBS 2011 and 2008 certain preconfigured group policies provided by Microsoft no longer work.

Log into the server and drill down into the event logs, specifically the one for Group Policy. Look for Event 5313; it lists the Group Policies that are no longer being applied.


The three in particular that no longer work are:

  • Update Services Client Computers Policy
  • Windows SBS User Policy
  • Windows SBS CSE Policy

To fix this, open the Group Policy console and, in the Security Filtering section of the affected policy, add Domain Computers.

Literally click Add, type domain computers in the window and click OK.

Do the same for each Group Policy that Event 5313 reports as failing to process.
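For anyone who would rather audit all the GPOs at once than click through them one by one, here is the same check and fix from PowerShell. This is an added example, not from the original post: it assumes an elevated PowerShell on the SBS / 2008 R2 domain controller with the GroupPolicy module available. On Server 2008 R2 / SBS 2011 the permission cmdlets are spelled Get-GPPermissions / Set-GPPermissions (plural); Server 2012 and later accept the singular names used below and keep the plural as aliases.

```powershell
# Added example, not from the original post: find the GPOs hit by MS16-072 and
# grant Domain Computers Read on them. Run from an elevated PowerShell on the DC.
Import-Module GroupPolicy

# 1. Which GPOs is the Group Policy client refusing? Event 5313 in the Group
#    Policy operational log names them.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'
        Id      = 5313
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# 2. Find every GPO that neither Domain Computers nor Authenticated Users can
#    read. Since MS16-072 the client retrieves user-side GPOs in the computer's
#    security context, so one of those two groups needs at least Read.
$readers    = @('Domain Computers', 'Authenticated Users')
$readLevels = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

$missing = Get-GPO -All | Where-Object {
    $acl = Get-GPPermission -Guid $_.Id -All
    $ok  = $acl | Where-Object {
        ($readers -contains $_.Trustee.Name) -and
        ($readLevels -contains $_.Permission) -and
        (-not $_.Denied)
    }
    -not $ok
}
'GPOs with no Read for Domain Computers or Authenticated Users:'
$missing | Select-Object DisplayName, Id | Format-Table -AutoSize

# 3. Grant Domain Computers Read on each of them. Read alone is what the new
#    behaviour needs; the console's Security Filtering adds Apply as well,
#    which is harmless for a user-only GPO but more than is required.
$apply = $false   # set to $true once the list above looks right
if ($apply) {
    foreach ($gpo in $missing) {
        Set-GPPermission -Guid $gpo.Id -TargetName 'Domain Computers' `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
        "Granted Read on '$($gpo.DisplayName)' to Domain Computers"
    }
}
```

Leave `$apply` at `$false` for the first run so you only get the list; any GPO you deliberately restricted to a narrower group should be taken out of `$missing` before flipping it to `$true`. Run `gpupdate /force` on a client afterwards and check that Event 5313 no longer lists the policy.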



Heads up for impact to SBS 2011/2008 Group policies

The recent MS16-072 release makes changes in group policy.  As a result it now requires certain permissions that weren’t required before.  More info about the issue is here: http://www.gpanswers.com/never-a-dull-moment-with-group-policy-or-what-to-do-about-ms16-072/

The Windows SBS User Policy group policy does not have the right Authenticated Users rights in place. This impacts deploying IE favorites.

I will be also investigating impact to the Ransomware Prevention kit group policies and will make revisions as necessary.

In place in the 10 era

You know when you type something and mean something but it’s not what you meant?

Enterprise now allows you to do a change in version like this:

How to Upgrade to Windows 10 Enterprise (Without Reinstalling Windows)

Cool reason for Windows 10

This is a feature that I’m honestly excited about… but I wish it wasn’t gated behind the Enterprise SKU.


Credential Guard is one of the cool features of 10 that is limited to the Enterprise and Education SKUs.

The listing of what you need specifically to support this is here:

Windows 10 Enterprise Feature: Credential Guard

  • Windows 10 Enterprise
  • Active Directory (any forest or domain level)
  • Physical device (i.e. virtual machines are not supported)
  • UEFI firmware 2.3.1 or higher
  • Secure firmware update process and MOR implementation
  • Secure Boot
  • Intel VT-x or AMD-V
  • Intel VT-d or AMD-Vi I/O memory management unit
  • Second Level Address Translation
  • 64-bit CPU
  • TPM 2.0

The main thing Credential Guard does is protect domain credentials from pass-the-hash and other attacks that steal domain credentials inside the firm once an attacker has gained access to the network.
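Before you buy an Enterprise upgrade for a machine, it is worth knowing whether the hardware in that list is actually there. The script below is an added example, not from the original post or from Microsoft: a read-only readiness check run from an elevated PowerShell on the candidate Windows 10 machine. The WMI classes and the numeric property codes are Microsoft's (Win32_DeviceGuard, Win32_Processor, Win32_Tpm); the table of checks and the output format are my own.

```powershell
# Added example, not from the original post: report which Credential Guard
# prerequisites this Windows 10 machine meets. Read-only; run elevated.
$results = [ordered]@{}

# Edition and domain membership (Enterprise/Education SKU, any AD domain).
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['Enterprise or Education edition'] = ($os.Caption -match 'Enterprise|Education')
$results['Domain joined']                   = $cs.PartOfDomain

# Firmware type and Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS
# machines, which we report as "missing" rather than letting the script die.
$results['UEFI firmware'] = ($env:firmware_type -eq 'UEFI')
try   { $results['Secure Boot'] = [bool](Confirm-SecureBootUEFI) }
catch { $results['Secure Boot'] = $false }

# CPU: 64-bit, VT-x/AMD-V exposed by firmware, and SLAT (EPT/NPT).
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$results['64-bit CPU']                       = ($cpu.AddressWidth -eq 64)
$results['VT-x / AMD-V enabled in firmware'] = [bool]$cpu.VirtualizationFirmwareEnabled
$results['Second Level Address Translation'] = [bool]$cpu.SecondLevelAddressTranslationExtensions

# TPM 2.0: SpecVersion is a string such as "2.0, 0, 1.16".
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$results['TPM present'] = [bool]$tpm
$results['TPM 2.0']     = [bool]($tpm -and $tpm.SpecVersion -like '2.0*')

# What the OS itself says about virtualization-based security. Codes per
# Microsoft's Win32_DeviceGuard documentation:
#   AvailableSecurityProperties: 2 = Secure Boot, 3 = DMA protection (VT-d/AMD-Vi),
#                                4 = Secure Memory Overwrite (MOR)
#   SecurityServicesRunning:     1 = Credential Guard
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg) {
    $results['IOMMU / DMA protection (VT-d, AMD-Vi)'] = ($dg.AvailableSecurityProperties -contains 3)
    $results['MOR implementation']                   = ($dg.AvailableSecurityProperties -contains 4)
    $results['Credential Guard running now']         = ($dg.SecurityServicesRunning -contains 1)
} else {
    $results['Win32_DeviceGuard class available']    = $false   # class absent on this build
}

# Not checked here: physical vs. virtual hardware, UEFI 2.3.1 and the secure
# firmware update requirement, which WMI does not expose reliably.
$results.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

Anything reported as MISSING under the CPU or firmware lines is usually a BIOS/UEFI setting (virtualization and the IOMMU are often shipped disabled), so check the firmware setup before concluding the hardware cannot do it. "Credential Guard running now" will read MISSING on a Pro machine even when everything else passes; that line only turns OK after the Enterprise upgrade and the policy change that enables it.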

10 also allows you to in-place upgrade from Pro SKUs to Enterprise SKUs without having to reinstall the operating system.

Windows 10 and the forced release

Susan note: I need to get this off of my chest and then I’ll get on with going forward and dealing with the technology we need to deal with in SMB. One of which is handling Windows 10 in our networks.


First and foremost I think Microsoft is being a bully on the Internet. A big bully. The manner in which Windows 10 has been pushed out the patching channel has me seriously questioning if I want to be associated with this Company going forward. I certainly am naïve about the patching practices of this company. A few years ago I would have insisted that Microsoft would never ever allow a patch to be installed without express permission. I have and still do argue that Microsoft never changes your update settings when people claim that Microsoft has changed the WU settings. Often these settings are changed by third party software or Office installations which flip the Windows Update settings to automatic. Long term I think the cumulative updating model of Windows 10 will be good for the ecosystem as it gets rid of that long term issue befalling Windows 7 today with the long scan times when one goes to Microsoft Update, as it gets rid of the supersedence problem we have with updates on the 7 and 8.1 platforms. [Mind you I say this knowing that short term we are going to have bumps and bruises getting our vendors used to the all or nothing updates and watching for potential side effects].

But I really don’t appreciate the heavy handedness of the Windows 10 push that has gotten to the point now that Microsoft is scheduling the 10 update for you. No update should install without your explicit permission to do so. I don’t appreciate that it’s being done with the justification of “from feedback from Microsoft customers”. No, Microsoft, we asked you for an easier way to say no, thank you. No one asked you to schedule the upgrade for us.

The side effects of Microsoft not supplying an easy fixit to block the update is that I’m seeing folks turn off Microsoft update in order to not get the 10 upgrade again. Not good. Not good at all. Yes there are programs like GWX control panel and Steve Gibson’s blocking tool, but there is no easy consumer fixit from Microsoft.

But Susan… you ask…. Shouldn’t you be doing all you can to move folks up to Windows 10?

To that I answer… it’s not that plain and simple. Windows is a messy ecosystem and if you could assure me that EVERY application would still work, all printers, all devices, everything worked 100% with Windows 10 I would say that I should be shutting up and be glad this is happening as it puts people on a patching model that won’t have supersedence issues in the future. But here’s the thing, people have old stuff. People can’t always afford to buy a new printer at the drop of a hat or buy new software every time there’s a major release that causes it to no longer work. And unless Microsoft can guarantee that they will work with every vendor to make every application and printer and device and driver work, then they shouldn’t be so heavy handed in pushing out Windows 10 the way they are.

The technology world in which we live is not a dictatorship. And these actions that Microsoft is taking are damaging the brand of Microsoft in all of the IT pro communities I am in and in all the patching communities I am in. There is no more Windows loyalty, no more trust that Microsoft doesn’t have an ulterior motive in its actions.

I’m saddened that Microsoft has done this. It’s changed the attitudes in the communities and it’s obviously changed mine.

Microsoft, you want Windows 10 on people’s machines? Then how about you work on getting Edge to be a functional browser. How about you keep working on the continuing issues I see where the start menu breaks or the live tiles stop working? How about you stop removing the group policy ability to block the Windows Store in branch releases, impacting the small to medium customer base? How about you reach out to the HPs and the Canons and all the other printer vendors I see that are not releasing drivers for certain devices for Windows 10, leaving that user without their devices. How about you go about the old fashioned way of doing things that apparently isn’t good enough anymore: that of building a better mousetrap, as the old saying goes. Building something so cool, so wow, so fantastic, so solid that we will madly volunteer to get the Windows 10 install on every single last Windows 7 and 8.1 out here.

So Microsoft? How about you go back and review your latest policy and really ask yourself if you really delivered on what customers were asking you to do? I’ll bet you’ll find that no one really asked you to schedule a Windows 10 install for them. What they really wanted you to do was to be a bit more polite and give a clearer “No, thank you, I have a justifiable reason to stay on this platform” option.

No, this isn’t a plot to get people to Windows 10


I will be first in line to beat up Microsoft when I think they’ve done something stupid. Case in point: not making it dead easy to say no to the Windows 10 update when you don’t want it. But the tech media lately is getting ridiculous to the point of insanity in making a connection between one action and another. Case in point is the headlines and stories regarding a BitLocker update, an Asus BIOS setting that should never have been set in the first place and a Windows 7 patch.

To claim that Microsoft is purposely breaking Windows 7 to force people to Windows 10…. please. This is an optional, non-security update; the impact is not widespread at all; and to lay blame on Microsoft when it was a BIOS setting decision made by Asus is just a sad state of affairs for tech journalism, with headlines twisted this much.


Yeah I know…lame…no excuse

So I won’t even try to excuse myself for not blogging.

Stay tuned for more.

Are we drowning yet?

Too often in security there is a real issue that we need to address and then there is the headline theoretical issue. An issue where, yes, someone, somewhere can be attacked by the threat, but to actually attack someone with this threat would take many resources, would take a lot of time, and an attacker will only use such threats against a high value target, not against an SMB server.

But because the risk makes headlines we all run around and fix something that… while yes, I have to say there is a flaw, the reality is that we’re more likely to be attacked by some easier means. It reminds me of a caller on the Rick Steves travel radio show who was asking about the risk of traveling to Paris in light of the terrorist attacks. While the risk of terrorism is there, the reality is that we’re more likely to be killed in our good old USA than we are while vacationing overseas. Yet, because the terrorists have grabbed the headlines, they make us frightened and less likely to protect ourselves from the thing we really should be protecting ourselves from.

Take as an example the recent DROWN attack in the news.

Firstly yes, any SMB network with the defaults set on their IIS websites is at risk for this attack. Yes, given the increasing brokenness of SSL v1, 2 and 3, you should take action to disable SSL v1, 2 and 3 on your outward facing web server – or in the case of SBS and Essentials, that RWW/RWA web site (more on what to do in a bit). In fact you may want to kick it up one more notch and disable TLS 1.0, with the caveat that it will break RD Gateway/RWW if your remote clients are Windows 7 machines. If the remote workstations are Windows 8.1 or Windows 10, these will support the necessary TLS.

You can use the DROWN site to check if your server is vulnerable. Go to https://test.drownattack.com and run a scan (note: for me the site has been throwing off bad gateway reports, so you may need to try it at a later time).

But here is where the reality hits the theoretical: so are a lot of other sites. For example take https://test.drownattack.com/?site=microsoft.com which, at the time I am writing this, has a ton of subdomains that are vulnerable.

While you are testing out your domain, also have a look at https://www.ssllabs.com/ssltest/ as it’s time to make sure your SSL cert is also what it should be.

I then highly recommend using this tool – https://www.nartac.com/Products/IISCrypto/ – to disable SSL v1, 2 and 3. For disabling TLS 1.0, however, the story is a little bit different. As this blog points out, Exchange 2010 may have issues with TLS 1.0 disabled. However, I’ve found that the biggest issue comes from RD Gateway. As Robert points out on his blog, disabling TLS 1.0 really impacts RD Gateway.

So what’s a paranoid person to do?

First don’t panic. This attack needed cloud computing resources and time to succeed. An attacker is much more likely to throw ransomware at you than to use this attack against your server.

That said, taking the time to run the https://www.ssllabs.com/ssltest/ test on your site and use the https://www.nartac.com/Products/IISCrypto/ tool to AT LEAST disable SSL v1, 2 and 3 is a bare-minimum best practice. Disabling TLS 1.0 requires additional analysis of the site to see if all external clients have migrated off of Windows 7.
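If you want to see exactly what a tool like IIS Crypto changes, or you have a box where you cannot run it, the following does the SSL 2.0 / SSL 3.0 part by hand. It is an added example, not from the original post and not the IIS Crypto tool itself: it audits the Schannel server-side protocol settings and, once `$apply` is set to `$true`, writes the registry values Microsoft documents for turning a protocol off. The registry paths and value names are Microsoft's; the two wrapper functions are mine. It deliberately leaves TLS 1.0 alone, for the RD Gateway / Windows 7 reason above.

```powershell
# Added example, not from the original post: audit and (optionally) disable
# SSL 2.0 and SSL 3.0 on the server side of Schannel. Run elevated on the web
# server; Schannel reads these keys at boot, so reboot afterwards.
$apply     = $false
$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$toDisable = @('SSL 2.0', 'SSL 3.0')   # add 'TLS 1.0' only when no remote client is still on Windows 7

function Get-SchannelServerState {
    param([string]$Protocol)
    $key   = Join-Path (Join-Path $schannel $Protocol) 'Server'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # No key or no value means "OS default", which on 2008 R2 / SBS 2011 leaves
    # at least SSL 3.0 switched on, so "default" here is not a safe answer.
    $enabled  = if ($null -ne $props.Enabled)           { $props.Enabled }           else { 'default' }
    $disabled = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'default' }
    New-Object PSObject -Property @{
        Protocol          = $Protocol
        Enabled           = $enabled
        DisabledByDefault = $disabled
        ExplicitlyOff     = (($props.Enabled -eq 0) -and ($props.DisabledByDefault -eq 1))
    } | Select-Object Protocol, Enabled, DisabledByDefault, ExplicitlyOff
}

function Disable-SchannelServerProtocol {
    param([string]$Protocol)
    $key = Join-Path (Join-Path $schannel $Protocol) 'Server'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=0 stops Schannel offering the protocol at all; DisabledByDefault=1
    # stops it being picked when an application does not name its protocols.
    New-ItemProperty -Path $key -Name Enabled           -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
}

'Server-side protocol state before:'
$toDisable | ForEach-Object { Get-SchannelServerState $_ } | Format-Table -AutoSize

if ($apply) {
    $toDisable | ForEach-Object { Disable-SchannelServerProtocol $_ }
    'After (reboot, then re-test at ssllabs.com):'
    $toDisable | ForEach-Object { Get-SchannelServerState $_ } | Format-Table -AutoSize
}
```

Run it once with `$apply` left at `$false` to see the current state; a protocol showing `default` for both values is running on whatever the OS shipped with. After the change and a reboot, the SSL Labs test is the independent confirmation that the server really stopped offering SSL 3.0 and SSL 2.0.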

This is an example of the tool on a web site I have (not an SBS box). As you can see, you have Best Practices and PCI templates. If you want to play it safe, do Best Practices.

And while I’m here on my soapbox, if you ask me what specifically to do to get a SBS box to pass a PCI scan I’ll point you to Robert’s blog post above – with the strong opinion that if you really read through the PCI documentation, you’d know in a heartbeat that a SBS box cannot possibly pass true PCI concepts, and you are much better off and safer to move that credit card network traffic to its own network and not on the same network as a SBS box.

So bottom line. Don’t panic. Do disable SSL v1, 2 and 3; that won’t break anything. Really think about how you are processing credit cards. And then really think about what we all really should be worried about – better ransomware defenses. Because that’s where we are really getting our attacks on a daily basis.


So how do I?

Just got a question on how to run a powershell script in Windows 10.  Here’s how I do it.

In the search/Cortana box type in powershell. When the icon for PowerShell pops up, right-click it and choose Run as administrator.

Now copy and paste the script from wherever you’ve found it on the web and see what response you get.
