Blog Archives

• Patch Lady – are you safe online?

  Posted on April 5th, 2020 at 12:13 Susan Bradley Comment on the AskWoody Lounge

  Just spotted this…

  It’s a series of 30 minute webinars next week put on by a company that normally does security assessments for companies.  Their https://s2me.io site walks you through a series of questions to review your personal computer risk.

  Some of the questions…… I never log into websites from links in emails. True or False? …. I never open a file attachment in an email unless I am specifically expecting one. True or False?

  So how secure are you?

  (edit:  I received a score of 812 – it was lowered because I have too many Windows devices (well duh), and I don’t encrypt all devices.  To be fair some of them are laptops I use for streaming needs and thus I don’t use them for sensitive tasks nor keep sensitive info on them)

  Windows Security Patch Lady Posts

• Patch Lady – Office 365 pushes off disabling Basic Auth

  Posted on April 3rd, 2020 at 21:32 Susan Bradley Comment on the AskWoody Lounge

  https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-april-2020-update/ba-p/1275508

  While I totally understand why Microsoft is pushing off the due date for disabling basic authentication in their Office 365 platform/Exchange online I would recommend anyone using any sort of email platform these days (or online banking or anything online these days) to add multi factor authentication to anything you use online.  The attackers go after the weak links, weak passwords, reused passwords and you need to be aware of the attacks out there.

  Clearly COVID-19 is having a big impact.

  Windows Security Patch Lady Posts

• Patch Lady – should we be concerned about Zoom?

  Posted on April 1st, 2020 at 22:49 Susan Bradley Comment on the AskWoody Lounge

  I’ve seen several comments on various venues about the risk of Zoom meetings.  Some of them are valid, others are….. hang on … who in their RIGHT MINDS posts the URL to a non password protected zoom meeting on a social location?

  I was listening to a presentation today and the gentlemen presenting was talking about how in times like these one has to balance risk with making sure the business survived.

  Here’s another person I respect … Dave Kennedy on the topic of Zoom and security:  https://threadreaderapp.com/thread/1245536000819986432.html

  First off as Lawrence Abrams writes … make sure you put a password on the Zoom meeting.    Next Zoom is working on the issue whereby NTLM hash values can be exposed, and Lawrence gives the workaround in the blog, but I have a better workaround.  Be EXTREMELY careful of clicking on ANYTHING right now.  I am seeing a huge uptick of COVID related emails and scams.  I’m seeing these kinds of scams come into my inbox (well, the notifications that they are being cleaned out of my inbox anyway)

  Subject: MUST READ-TRUTH ABOUT COVID-19
  Sender: valeria.flores@ambiente.gob.ec

  Time received: 4/1/2020 11:41:20 PM
  Message ID:<1870826593.23469281.1585784413797.JavaMail.zimbra@ambiente.gob.ec>
  Detections found:
  Virologyfiles.doc RTF/CVE-2017-11882.C.gen!Camelot

  So… be careful and remember right now this is about balancing the needs of the business and the users.  Absolute security doesn’t exist.

  Windows Security Patch Lady Posts

• Patch Lady – Office 365 ATP this shouldn’t be missed

  Posted on March 25th, 2020 at 11:07 Susan Bradley Comment on the AskWoody Lounge

  

  Dear Office 365 Advanced Threat Protection.  You aren’t being that advanced today.

  1. that’s not my email address
  2. Short message and email attachment screams malware

  When I run it through virustotal.com and reverse.it sure enough

  

  Come on Microsoft (and all the other vendors who are missing this) we don’t need stupid stuff like this missed.  Not now.  Only Fortinet flags it right now 9:09 pacific time)

  https://www.hybrid-analysis.com/sample/ce7f61824f9b99ce1e96615b790f8e53e29d9e920cf1acb97956dfabf7031482?environmentId=100

  Windows Security Patch Lady Posts

• Patch Lady – remoting into a desktop without VPN

  Posted on March 21st, 2020 at 22:41 Susan Bradley Comment on the AskWoody Lounge

  If you are a small or medium business – or an IT consultant who helps small or medium businesses here’s a thought of a way to temporarily allow folks to remote into their desktops at the office without introducing more risk.  Many IT consultants are setting up Virtual Private Network connections from potentially insecure home pcs that are not secure to the firm network and may introduce more risk.  Especially if you have an unpatched Windows 7, this could introduce MORE risk to the network.

  Here’s an alternative:

  First off you’ll need either a spare server or spare room in a HyperV server.  You’ll need a domain with workstations joined to that domain.   Next download a trial version of either Windows Server 2016 or 2019.  Download an ISO to that hyperV Server.  Then follow these instructions (*)to set up a RDServer on that trial version.  That trial version – and the Remote desktop cals – will work for 180 days.

  Now from a home pc – even a Mac computer – launch the remote desktop connection program.  In the computer name section put in the name of the computer you want to remote into.  Click on show options.  Click on the advanced tab.  Click on the connect from anywhere settings box.  Click on use these RDgateway settings and put in the url of the server name you’ve created from the instructions above.

  

  Now click on “Use my RDGateway credentials for the remote computer.  Click on the experience tab and change the performance setting to modem (this will thin down the remote connection so that you get the best experience).

  

  Back on the first tab

  

  Back on the first tab you put in the actual workstation/computer name you want to get to and for the user name you put in DOMAINNAME\user name.  The remote user can now get to his or her exact workstation and remotely print.

  Note to anyone using SBS 2011, SBS 2008, Essentials Server 2012, Essential Server 2016 those servers all have RDgateway set up by default and you can use the same process above to bypass the RWA portal and go directly to the workstations.  Note this also works for Mac workstations as long as you download the new RDP client

  

  PC name would be the PC you’ll want to remote into.  In the Gateway setting, you’ll click on that blue icon on the right and put in the rdgateway url just like you do for the Windows machines.

  Again, this will work to let workers remote straight into the exact desktop they use, so it’s best for office workers and those have have a single computer assigned to them.

  Note if you have excess server computing power on that HyperV you can also use this to set up RDweb apps.  Put the date on your calendar as this will only work for 180 days or be prepared to license it before then.  But bottom line – this temporary solution can give your smaller clients a secure way to remote back into their offices with the Work from Home orders.

  Also remember if you are like me where you are suddenly putting an ancient Windows 7 back into remote service, you can still buy ESUs from Amy.

  (*) Huge thanks to Richard Kokoski for allowing me to post his step by step instructions.

  Note that this only works with “normal” GUI server 2019 not Essentials 2019.  Microsoft removed the RDgateway bits from Essentials 2019 so do not attempt to do this with that version.

  If you need a good VPN solution check out using OPENVPN.

  Windows Security Patch Lady Posts

• Patch Lady – we have an out of band on that SMBv3

  Posted on March 12th, 2020 at 10:48 Susan Bradley Comment on the AskWoody Lounge

  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

  https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762

   

  At this time I”m not seeing active attacks and NO ONE should be STUPID enough to have port 445 a SMB file sharing port open to the web.  So I’m still in don’t panic, don’t install and let’s test mode.

  Windows Security

• Patch Lady – forget that crypto one, worry about this one

  Posted on January 14th, 2020 at 21:41 Susan Bradley Comment on the AskWoody Lounge

  If you are a IT consultant or admin with an Essentials 2012 (or later) server, or use the RDgateway role and expose it over port 443 to allow users to gain access to RDweb or their desktops, forget that crypt32.dll bug.  This one is one to worry about.

  Impacts 2012 and above – so no impact to SBS 2011 or SBS 2008, yes to Essentials 2012 and higher.

  Essentials 2012 exposes RDgateway over port 443 and 3389 is not open to the web (well, not normally) but given that this is a pre-authentication exploit, all an attacker has to do is to throw that crafted request to port 443 rather than 3389 (assuming I’m reading this right).

  So if you patch SMB servers that use RDgateway, worry about patching those servers this time faster than you would normally do.

  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609

  A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

  To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems RD Gateway via RDP.

  (edit:  for anyone asking, 2008 R2 is not vulnerable and thus SBS 2011 is not vulnerable.  It’s only vulnerable on Server 2012 and later, remember SBS 2011’s base operating system drops out of support today)

  Small Business Computing, Windows Patches/Security, Windows Security Patch Lady Posts

• Patch Lady – need a way for a device to email?

  Posted on January 1st, 2020 at 19:56 Susan Bradley Comment on the AskWoody Lounge

  With the demise of the Small Business Server platform, one of the changes I’ve made to my network is not using the same mail server that I use for the firm for the devices such as multi function printers in my office.  Too often these multi function devices only support basic authentication and having basic authentication still enabled in your Office 365 setup is not wise.

  Microsoft knows this as well and will be making changes in the new year to make 365 more secure.  One of the things they recommend is to disable basic authentication and enable multi-factor authentication.

  So if you have multi function devices that scan print and can send things to email, but clearly can’t support multi-factor authentication what’s a small business to do?  One solution I’m using in my business is a solution called SMTP2Go.  There’s a free plan and a silver plan that allows you to send 2,000 emails a month for $5 a month.  I then use the email address and (long strong) password I’ve set up in the service inside the printer.  This then allows me to still use the device to send to email but not risk opening up insecurity in my email setup for the rest of my firm.

  Bottom line if you are a small business, if you use Office 365 for your email hosting (and not just that you purchased Office to use, but actually use Microsoft to host your email), make sure you disable basic authentication and look for ways to make yourself more secure.   If you use a consultant make sure that they have enabled multi factor authentication or plan to in the near future.

  So if you migrated off of Small Business Server to another platform, what alternatives have you found to give you similar functionalities?

  Windows Security Patch Lady Posts
• « Older Entries