• NetDef

    @netdef

    Viewing 15 replies - 1 through 15 (of 716 total)
    • in reply to: Beware — searching may lead to malicious ads #2510565

      Another mitigation layer to consider: Use a DNS service that attempts to delist all known malware addresses.

      https://blog.cloudflare.com/introducing-1-1-1-1-for-families/

      ~ Group "Weekend" ~

      2 users thanked author for this post.
    • in reply to: MS-DEFCON 3: Side effect with Domain patch #2506183

      Hey Susan!

      Wanted to thank you for posting this.  I was trying to conduct a live migration today to move several VMs over to a new Hyper-V host on an AD network that had taken the November patches.

      The Kerberos constrained delegation trust relationship between the old host and the new Hyper-V host was completely broken by the Nov 12th patch on the domain controller. Kept getting errors that one host could not connect to the other. (WinRM failures)

      I installed the hot fix listed (KB5021655 from the MS download catalog for Server 2019) on the MS Status page link you provided on the Domain Controller and also applied the LSASS memory leak mitigation reg-key mentioned on the same page – again on that same DC.

      It completely fixed the issue with my migration failures.

      Weirdly, this particular customer informed me that all their workstations had been popping up an odd notification since Nov 12th asking them to lock and unlock their computer to refresh a password change . . .  but none of them had recently changed their passwords.  If the user complied with the lock/unlock process, the popup would repeat anyway at some random time – several times a day.  That issue also went away once I installed this hotfix on the DC.

      ~ Group "Weekend" ~

    • in reply to: Ready to patch your car? #2473307

      Cheap, effective mitigation for the current highest risk on new cars with remote start key fobs:  a faraday box.

      I got one that actually works for about $20 . . .  tested by putting keys inside and trying to open a car that uses the near field to unlock doors when I touch the handle.

      faraday-box

      ~ Group "Weekend" ~

      3 users thanked author for this post.
    • in reply to: Rufus Updates #2465257

      That was a source of confusion for a long time, as the tool allowed an invalid combination by accident that would not work . . .  Glad they fixed it finally!

      ~ Group "Weekend" ~

    • in reply to: Rufus Updates #2457677

      I just had a chance to try this out for a new install of Windows 11 22H2, on a VM with networking disabled during setup, and am happy to report the bypass to allow creating a local account worked perfectly.

      ~ Group "Weekend" ~

      3 users thanked author for this post.
    • Just a quick visual aid for GPEdit.msc using PKCano’s settings above:

      windows10targetfeatureGPO

      ~ Group "Weekend" ~

      1 user thanked author for this post.
    • in reply to: Detect Drive Letter Of External Device in BAT File? #2451620

      In my past life I had a very clunky but effective way to do this.  Create a uniquely named txt file on the USB drive root, make sure it’s not on any other drive.

      Then in the BAT script use “if exist d:\someweirdfilename.txt then xxx” checks for that file on likely drive letters to find it.  I did this to manage a home brewed backup solution for spanning multiple external drives back in the day.

      ~ Group "Weekend" ~

    • in reply to: Zero day in office – but don’t panic #2450180

      If you have MS Office (any current version) on Windows – I might suggest taking some aggressively proactive prevention steps. (See Susan’s post above.)

      Two new factors:

      1) .LNK files are also able to call this vuln.

      2) Renaming a Word document to .RTF can cause this vuln to trigger on file preview in File Explorer. No file opening needed.

      ~ Group "Weekend" ~

    • I remember a certification class several years ago on AD where this topic came up.  The instructor was very adamant that we should never – ever – touch this account nor its properties.

      Does not surprise me at all that internal MS testing on patches would assume this account to be unmodified.  Although I am dismayed at the apparent lack of error handling around this issue.  An LSASS level system crash is difficult to recover from!  Most admins I know would want to restore a cold metal backup on this event, but with AD in the mix that’s fraught with additional challenges.

      ~ Group "Weekend" ~

    • in reply to: UPGRADE FROM OFFICE 2016 TO 2019 OR 2021? #2446902

      Honestly, unless there’s a new feature you must have?  I might wait until October 2025.

      Office 2016 for Windows will get security updates until October 14, 2025.
      The mainstream support end date is October 13, 2020, while the extended support end date is October 14, 2025.

      “What’s new in Office 2021” (but note some new features are missing in the Long Term license.)

      https://support.microsoft.com/en-us/office/what-s-new-in-office-2021-43848c29-665d-4b1b-bc12-acd2bfb3910a

      ~ Group "Weekend" ~

      1 user thanked author for this post.
    • in reply to: HP’s taking a turn at the new firmware game.. #2446867

      I feel this so much.  I took on a couple small storefront clients several years ago and the same pattern.  Plus, the inexpensive (relatively – it was not cheap in cost) software they used was  . . .  how to say it politely?  “Not well written.”

      ~ Group "Weekend" ~

    • in reply to: Windows 11 Slow File System #2446226

      I wonder if the USB port on the slow system is the older speed standard. Look at the ports and see if it’s black, or blue or yellow. If you can find a blue port, try that and see if the speed is better.

      USB 2 = typically black ports (sometimes white)

      USB 3 = typically blue ports (sometimes yellow)

      Speeds between the types are dramatically different.

      ~ Group "Weekend" ~

    • in reply to: Sneaky forced Microsoft Account #2446004

      I prefer to turn the following notification settings off during setup.

      Start >> Settings >> System >> Notifications

      (Yellow highlights = uncheck)

      win10notificationsprefs

      ~ Group "Weekend" ~

      1 user thanked author for this post.
    • in reply to: What is your favorite Microsoft boxed software? #2445138

      Well, I do have a special boxed software edition that I keep for the memories.  Part of a collection from years of working on certain projects.

      Blast from the past:

      win2000commenorativeteamswagcover

      win2000commenorativeteamswaginsidecover

      ~ Group "Weekend" ~

      1 user thanked author for this post.
    • in reply to: Things that annoy me – Windows 11 edition #2443708

      . . . and that’s worse. Now it’s dropping the required line feeds. Trying to edit and redo line feeds results in . . . no improvement.

      Bah. Some days I wish I didn’t feel the need to help.

      ~ Group "Weekend" ~
