
Are we drowning yet?

Too often in security there is a real issue that we need to address, and then there is the headline theoretical issue: an issue where, yes, someone, somewhere can be attacked by the threat, but actually attacking someone with it would take many resources and a lot of time, so an attacker will only use it against a high value target, not against an SMB server.

But because the risk makes headlines we all run around and fix something that, while yes, I have to say it is a flaw, is in reality far less likely to be used against us than some easier means of nailing us.  It reminds me of a caller on the Rick Steves travel radio show who was asking about the risk of traveling to Paris in light of the terrorist attacks.  While the risk of terrorism is there, the reality is that we’re more likely to be killed in our good old USA than while vacationing overseas.  Yet, because the terrorists have grabbed the headlines, they make us frightened and less likely to protect ourselves from the thing we really should be protecting ourselves from.

Take as an example the recent DROWN attack in the news.

Firstly, yes, any SMB network with the defaults set on its IIS websites is at risk for this attack.  Yes, given the increasing brokenness of SSL v1, 2 and 3, you should take action to disable SSL v1, 2 and 3 on your outward facing web server – or in the case of SBS and Essentials, that RWW/RWA web site (more on what to do in a bit).  In fact you may want to kick it up one more notch and disable TLS 1.0, with the caveat that it will break RD Gateway/RWW if your remote clients are Windows 7 machines.  If the remote workstations are Windows 8.1 or Windows 10, they support the necessary TLS.

You can use the DROWN site to check if your server is vulnerable.  Go to https://test.drownattack.com and run a scan (note that for me the site has been throwing bad gateway errors, so you may need to try it at a later time).

But here is where the reality hits the theoretical: so are a lot of other sites.  For example take https://test.drownattack.com/?site=microsoft.com which, at the time I am writing this, lists a ton of subdomains that are vulnerable.

While you are testing out your domain, also have a look at https://www.ssllabs.com/ssltest/ as it’s time to make sure your SSL cert is also what it should be.

I then highly recommend using this tool (https://www.nartac.com/Products/IISCrypto/) to disable SSL v1, 2 and 3.  For disabling TLS 1.0, however, the story is a little bit different.  As this blog points out, Exchange 2010 may have issues with TLS 1.0 disabled.  However, I’ve found that the biggest issue comes from RD Gateway.  As Robert points out on his blog, disabling TLS 1.0 really impacts RD Gateway.

So what’s a paranoid person to do?

First, don’t panic.  This attack needed cloud computing and time to be successful.  An attacker is much more likely to throw ransomware at you than to use this attack against your server.

That said, taking the time to run the https://www.ssllabs.com/ssltest/ test on your site and using the https://www.nartac.com/Products/IISCrypto/ tool to AT LEAST disable SSL v1, 2 and 3 is a bare minimum best practice.  Disabling TLS 1.0 requires additional analysis of the site to see if all external clients have migrated off of Windows 7.
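If you would rather see (and script) what IIS Crypto changes under the hood, here is an added example of my own, not from the post or from Nartac: it reads the Schannel protocol registry keys on the server, turns off the server side of SSL 2.0 and SSL 3.0, and deliberately leaves TLS 1.0 alone because of the RD Gateway/Windows 7 caveat above. The registry layout (Protocols subkeys with Enabled and DisabledByDefault DWORDs) is the documented Schannel one; the grouping into "disable" and "keep" lists is my own. Run it in an elevated PowerShell session and reboot afterwards.

```powershell
# Added example (not from the original post): inspect and harden the Schannel
# server-side protocol settings that IIS Crypto edits for you.
# Run elevated on the web server; Schannel reads these keys at boot, so reboot after.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Protocols the post says to turn off everywhere: no supported client still needs them.
$disable = @('SSL 2.0', 'SSL 3.0')
# Left alone on purpose: disabling TLS 1.0 breaks RD Gateway/RWW for Windows 7 clients.
$keep    = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2')

function Get-SchannelState {
    param([string]$Protocol, [string]$Side = 'Server')
    $key = Join-Path $base "$Protocol\$Side"
    if (-not (Test-Path $key)) { return "$Protocol/$Side : not configured (OS default applies)" }
    $p = Get-ItemProperty -Path $key
    "$Protocol/$Side : Enabled=$($p.Enabled) DisabledByDefault=$($p.DisabledByDefault)"
}

function Disable-SchannelProtocol {
    param([string]$Protocol, [string]$Side = 'Server')
    $key = Join-Path $base "$Protocol\$Side"
    New-Item -Path $key -Force | Out-Null
    # Enabled=0 switches the protocol off; DisabledByDefault=1 keeps applications
    # from opting back in unless they ask for the protocol explicitly.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
}

Write-Output 'Before:'
($disable + $keep) | ForEach-Object { Get-SchannelState -Protocol $_ }

$disable | ForEach-Object { Disable-SchannelProtocol -Protocol $_ }

Write-Output 'After (takes effect at next reboot):'
($disable + $keep) | ForEach-Object { Get-SchannelState -Protocol $_ }
```

A key that is "not configured" means the operating system default is in force, which on older server builds still includes SSL 3.0, so the absence of a key is not the same as the protocol being off. Re-run the SSL Labs or DROWN scan after the reboot to confirm the server no longer offers the old protocols from the outside.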

This is an example of the tool on a web site I have (not an SBS box):


As you can see, you have Best Practices and PCI options.  If you want to play it safe, do Best Practices.

And while I’m here on my soapbox: if you ask me what specifically to do to get an SBS box to pass a PCI scan I’ll point you to Robert’s blog post above, with the strong opinion that if you really read through the PCI documentation you’d know in a heartbeat that an SBS box cannot possibly pass true PCI concepts, and you are much better off and safer moving that credit card network traffic to its own network rather than the same network as an SBS box.

So, bottom line.  Don’t panic.  Do disable SSL v1, 2 and 3; that won’t break anything.  Really think about how you are processing credit cards.  And then really think about what we all really should be worried about: better ransomware defenses.  Because that’s where we are really getting our attacks on a daily basis.


So how do I?

Just got a question on how to run a PowerShell script in Windows 10.  Here’s how I do it.

In the search/Cortana box type in powershell.  When the icon for PowerShell pops up, right-click it and click Run as administrator.

Now copy and paste the script from wherever you’ve found it on the web and see what response you get.

Are we getting all of our updates?

Mark Berry brought this up in the partner forum and we’ve been discussing it on the patchmanagement.org listserv:

There are optional driver updates that Windows 10 does not show you or offer to you, and there’s no way in the Windows Update screen to see that these updates even exist.  The only way to know they are there is to either run a PowerShell script or use the KB tool to block drivers, which exposes the drivers that are hiding.

On a physical Windows 10 machine:

http://www.mcbsys.com/blog/2015/03/updated-powershell-script-to-show-windows-update-settings/

Use that, or:

# Ask the Windows Update agent directly (COM) instead of trusting the Settings page
$UpdateSession = New-Object -ComObject Microsoft.Update.Session
$UpdateSearcher = $UpdateSession.CreateUpdateSearcher()
# Everything the agent knows about that is not installed yet, optional drivers included
$SearchResult = $UpdateSearcher.Search("IsInstalled=0")
# Drop only the updates you have explicitly hidden yourself
$NotHiddenUpdates = $SearchResult.updates | Where-Object {$_.IsHidden -eq $false}
$NotHiddenUpdates | Format-List

You’ll see that there are updates that haven’t been installed.
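The short script above dumps every property of every pending update, which gets long fast. As an added example of my own (not Mark Berry's script and not from the post), the version below runs the same Microsoft.Update.Session search but reduces each result to the columns that answer the question in this post: is it a driver, is it hidden, and which KB is it. It uses the IUpdate properties Type (1 = software, 2 = driver), IsHidden, IsDownloaded, KBArticleIDs and Categories, all part of the Windows Update Agent COM interface. Run it in an elevated PowerShell session as described in the "So how do I?" post.

```powershell
# Added example (not from the original post): list every update the Windows Update
# agent knows is not installed, and flag which are drivers and which are hidden.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Same search as the short script, but hidden items are kept so nothing is missed;
# the Hidden column is what tells you the Settings page will never offer it.
$result = $searcher.Search("IsInstalled=0")

$pending = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        # IUpdate.Type: 1 = Software, 2 = Driver
        Kind       = if ($u.Type -eq 2) { 'Driver' } else { 'Software' }
        Hidden     = [bool]$u.IsHidden
        Downloaded = [bool]$u.IsDownloaded
        KB         = (@($u.KBArticleIDs) -join ', ')
        Categories = (@($u.Categories | ForEach-Object { $_.Name }) -join ', ')
        Title      = $u.Title
    }
}

# 'Driver' sorts before 'Software', so the quiet optional drivers come first
$pending | Sort-Object Kind, Title | Format-Table -AutoSize

# Optional: hide a driver you have decided you do not want (IsHidden is writable
# when elevated). The title pattern below is a constructed placeholder; use the
# exact title from the listing above.
# $result.Updates | Where-Object Title -like '*PLACEHOLDER VENDOR DRIVER*' |
#     ForEach-Object { $_.IsHidden = $true }
```

If the table shows a driver with Hidden = False that the Settings page still does not offer, that is exactly the behavior this post is about: the agent knows about it, the UI simply does not surface optional drivers.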


About that wmi filter

https://blogs.technet.microsoft.com/sbs/2016/01/22/wmi-group-policy-filter-issue-on-windows-10-breaks-folder-redirection-windows-server-2012-r2-essentials-windows-server-2012-essentials-and-windows-small-business-server-2011-essentials/

I think there’s a slight problem with the WMI filter on that post.

In fact it’s listed in the comments:

select * from Win32_OperatingSystem where (Version like "6.%" OR Version like "10.%") and ProductType = "1"

or you can do it like this:

select * from Win32_OperatingSystem where (Version >= "6.1%" or Version like "10.%") and ProductType = "1"

Survey on Essentials

Want to provide feedback to Microsoft regarding Essentials?

Check out this post and click on the survey link:

https://blogs.technet.microsoft.com/sbs/2016/02/23/survey-windows-server-essentials-features/

Not so fast, some of us need EMET

http://www.zdnet.com/article/microsoft-windows-10-edge-so-secure-they-dont-need-our-emet-anti-zero-day-shield/

Posts like these make me angry.  Don’t get me wrong, there are some key things I like about Windows 10.  The security enhancements are key.  But what makes me angry is that the key features they are pointing out here, Device Guard and AppLocker, are not available on the Pro or Home SKUs.  They are only available on the Enterprise SKU.  Then if you want to use group policy to limit access to the Windows Store, a feature that used to be controllable with Windows 8 Pro, you now have to have Enterprise in order for the group policy to be enforced.
https://support.microsoft.com/en-us/kb/3135657

These decisions disappoint me.

Three posts of interest to those managing SMB servers

The WSUS folks have finally published their WSUS 3.2 guidance; bottom line, you won’t be able to manage the “build to build” upgrades via WSUS.  You will have to do the update manually or point the workstations to Microsoft Update.

http://blogs.technet.com/b/wsus/archive/2016/01/22/what-to-do-if-you-re-on-wsus-3-0-sp2-or-sbs-2011.aspx

Then review this post about issues with the connector and how it has to be reinstalled after each build-to-build upgrade (for the time being):

http://blogs.technet.com/b/sbs/archive/2016/01/22/windows-10-feature-upgrade-breaks-client-connector-for-window-server-2012-r2-essentials-windows-server-2012-essentials-and-windows-small-business-server-2011-essentials.aspx

and finally check out:

http://blogs.technet.com/b/sbs/archive/2016/01/22/wmi-group-policy-filter-issue-on-windows-10-breaks-folder-redirection-windows-server-2012-r2-essentials-windows-server-2012-essentials-and-windows-small-business-server-2011-essentials.aspx


Windows 10 and CIFS/SMB/Samba issues

Found a couple of posts indicating that 1511 is having issues with network discovery:

Synology Forum • View topic – Windows 10 Version 1511 and SMB3:
http://forum.synology.com/enu/viewtopic.php?f=49&t=106924


https://social.technet.microsoft.com/Forums/en-US/2131750e-d589-41f0-b6a3-1c7dac2361d9/cannot-connect-to-cifs-smb-samba-network-shares-shared-folders-in-windows-10-after-update

Hi All,

I wanted to provide an update on this thread to let you know that we are currently investigating this issue and I am working with the product group to determine root cause. The issue we are investigating is in regards to ‘Network Discovery’ not locating devices on the network.

The issue appears to be that Windows 10 is not broadcasting out any NetBT or RAP requests when searching for devices on the network and only uses the WSD protocol. If you navigate to Explorer > Network, change to Details view and then add ‘Discovery Method’ to the column bar, you should see that any devices you are discovering are more than likely only being found via WSD.

So what about the other SBS’s with Windows 10?

I bet you are wondering what about the OTHER SBS releases and their interaction with windows 10, right?

Ah ha, I have them over on the Thirdtier.net blog:

Introducing Windows 10 into your SBS 2011 Standard Network

Introducing Windows 10 SBS 2011 Essentials Networks

Introducing Windows 10 into your Essentials 2012 Networks


Introducing Windows 10 into your SBS 2011 Essentials

NEEDED FIXES FOR SBS 2011 ESSENTIALS

Adjust the group policy wmi filter to fix the issue where folder redirection does not work:

Instead of the WMI filter included in Essentials R2, adjust it as follows:

Instead of: select * from Win32_OperatingSystem where (Version >= "6.1%") and ProductType = "1"

Change it to: select * from Win32_OperatingSystem where Version like "10.%" or Version >= "6.1"

Go to the Start box and type in gpedit.msc. Once you launch the Group Policy editor, scroll to the bottom where the WMI filters reside. Right-click the filter and click Edit to bring it up. Now click Edit and adjust the query as noted.


Alternatively, remember that if you want to set up a unique WMI filter just for Windows 10 you can use: select * from Win32_OperatingSystem where Version like "10.%"

Note that you may have to delete the quotes and retype them, as cutting and pasting from this document may not copy over the right characters.
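Before you change the filter in group policy, it is worth knowing what each query returns on each kind of machine, because a WMI filter applies only when its query returns at least one row. Here is an added example of my own (not from this post or the "About that wmi filter" post above) that runs the four queries from those two posts through Get-CimInstance, which evaluates the same WQL against the same root\cimv2 namespace that group policy uses. The labels for the queries are mine. Run it on a Windows 7 client, a Windows 10 client and the server itself and compare the results.

```powershell
# Added example (not from the original posts): evaluate the candidate WMI filter
# queries on this machine the way group policy would (a row back = filter applies).
$queries = [ordered]@{
    'Essentials original' = 'select * from Win32_OperatingSystem where (Version >= "6.1%") and ProductType = "1"'
    'Blog comment fix'    = 'select * from Win32_OperatingSystem where (Version like "6.%" OR Version like "10.%") and ProductType = "1"'
    'Post rewrite'        = 'select * from Win32_OperatingSystem where Version like "10.%" or Version >= "6.1"'
    'Windows 10 only'     = 'select * from Win32_OperatingSystem where Version like "10.%"'
}

$os = Get-CimInstance -ClassName Win32_OperatingSystem
# ProductType: 1 = workstation, 2 = domain controller, 3 = member server
"This machine: Caption='$($os.Caption)' Version=$($os.Version) ProductType=$($os.ProductType)"
''

foreach ($name in $queries.Keys) {
    # WQL string comparisons and LIKE patterns are evaluated exactly as GP would
    $rows  = @(Get-CimInstance -Query $queries[$name])
    $state = if ($rows.Count -gt 0) { 'APPLIES' } else { 'does not apply' }
    '{0,-22} {1}' -f $name, $state
}
```

Two things the output makes visible: Version is compared as a string, which is why "10.x" sorts below "6.1" and the original filter silently skips Windows 10; and the rewritten query in this post has no ProductType clause, so on the SBS/Essentials server itself it also reports APPLIES. If that is not what you want, keep the "and ProductType = "1"" part from the comment version.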


Adjust the group policy to allow RDP access to Windows 10 machines

As noted in http://windowsserveressentials.com/2015/08/06/sbs-2011-essentials-windows-10/ SBS 2011 Essentials (and Standard) need an adjustment to allow for remote desktop and also RWA into these workstations. To add this ability, create a new policy and ensure it has a WMI filter so that it applies to Windows 10. Go into the WMI section, right-click and click New to add a new WMI filter.  Call it Windows 10. For the filter value click Add and merely use select * from Win32_OperatingSystem where Version like "10.%"

Click to save the filter.


Now build a new policy. Go up to the policy settings and add a new policy. Right-click and click on Create a GPO in this domain, and Link it here. Name your policy Windows 10 computers (or something equally descriptive).

The policy setting is found at:

Computer Configuration > Policies> Administrative Templates > Windows components> Remote Desktop Services> Remote Desktop Session Host > Connections >

‘Allow users to connect remotely using Remote Desktop Services’


Also set

Computer Configuration > Policies> Administrative Templates > Windows components> Remote Desktop Services> Remote Desktop Session Host > Security >

‘Set Client Encryption Level’

To Enabled and High.


As the final step, change the WMI filter on the policy to the Windows 10 filter you set up before.

For more discussion and testing with SBS 2011 essentials see http://windowsserveressentials.com/2015/08/06/sbs-2011-essentials-windows-10/
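The two settings above are registry-backed policies, so the whole "Windows 10 computers" GPO can also be built from the server with the GroupPolicy module. This is an added example of my own, not from the post or from windowsserveressentials.com. It assumes the GPO name from the post and a placeholder OU distinguished name you must replace; the registry value names (fDenyTSConnections and MinEncryptionLevel under the Terminal Services policy key) are the ones the two Administrative Template settings write. The module has no cmdlet for creating or attaching WMI filters, so that part still happens in GPMC exactly as described above.

```powershell
# Added example (not from the original post): build the Windows 10 RDP/RWA policy
# with the GroupPolicy module. Run on the Essentials/SBS server or a box with RSAT.
Import-Module GroupPolicy

$gpoName  = 'Windows 10 computers'
# Placeholder: the OU (or domain DN) that holds your Windows 10 workstations
$linkPath = 'OU=PLACEHOLDER-COMPUTERS,DC=example,DC=local'
# Policy key behind both Administrative Template settings used in this post
$tsKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Create the policy once; reuse it on later runs
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Remote Desktop / RWA access for Windows 10 clients' }

# 'Allow users to connect remotely using Remote Desktop Services' = Enabled
Set-GPRegistryValue -Name $gpoName -Key $tsKey -ValueName 'fDenyTSConnections' -Type DWord -Value 0 | Out-Null
# 'Set Client Encryption Level' = Enabled, High (1 = Low, 2 = Client Compatible, 3 = High)
Set-GPRegistryValue -Name $gpoName -Key $tsKey -ValueName 'MinEncryptionLevel' -Type DWord -Value 3 | Out-Null

# Link it where the workstations live; New-GPLink errors if the link already exists
$existing = (Get-GPInheritance -Target $linkPath).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $existing) { New-GPLink -Name $gpoName -Target $linkPath -LinkEnabled Yes | Out-Null }

# Show what ended up in the policy. WmiFilter stays empty until you attach the
# "Windows 10" filter in GPMC, which is the last step of the procedure above.
Get-GPO -Name $gpoName | Select-Object DisplayName, GpoStatus, WmiFilter
Get-GPRegistryValue -Name $gpoName -Key $tsKey | Select-Object ValueName, Type, Value

# To confirm on a Windows 10 client after gpupdate /force, read the same key locally:
#   Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' |
#       Select-Object fDenyTSConnections, MinEncryptionLevel
```

Seeing fDenyTSConnections = 0 and MinEncryptionLevel = 3 on the client is the quickest way to tell that the WMI filter matched and the policy actually applied, which is exactly what goes wrong when the filter still only covers version 6.x.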

Changing Windows 10’s default printer behavior.

Due to a change in Windows 10 Build 1511, each time you select a new printer, Windows makes it the default printer. To adjust this, perform the following:

  1. Click on Windows icon (lower left) then click Settings
  2. From the Settings window, click Devices
  3. From the Devices window, click Printers & scanners
  4. From the Printers & scanners window, scroll down and locate the section Let Windows manage my default printer
  5. You can click on the toggle button to turn the option on or off, as desired.

See here for more details: http://kwsupport.com/2015/12/windows-10-new-feature-changes-your-default-printer-to-the-last-printer-used/

RWA functionality:

No issues reported with RWA. You can use the Edge browser to connect to the remote web access.

For a post regarding all tests made to ensure functionality see http://windowsserveressentials.com/2015/08/06/windows-server-2012-essentialswindows-10/
