  • NetDef

    Forum Replies Created

    Viewing 15 posts - 1 through 15 (of 622 total)
    • in reply to: Easiest way to make it easy for attackers #2312892
      NetDef
      AskWoody_MVP

      Via https://xkcd.com/936/

      password_strength

      ~ Group "Weekend" ~

      1 user thanked author for this post.
      in reply to: Repeated Modem & Router Failures #2312549
      NetDef
      AskWoody_MVP

      When the network stack dies like this, it’s almost always a return ground loop through the ethernet cables.

      Some other piece of equipment is improperly or weakly grounded, using the network cable as an easier ground return back into the router.  I’ve seen this so many times.

      The part that will fool you is the self diagnostic light on your surge protectors is likely showing that you’re fine . . .

      Another cause is a split ground in the building wiring . . .

      ~ Group "Weekend" ~

      2 users thanked author for this post.
      in reply to: Why does Windows still generate registry junk? #2312174
      NetDef
      AskWoody_MVP

      netdefsscore11152020

      I am . . . disappointed.  That — or they are wrong on the correct answer for one question.

      Leaning towards the latter.

      ~ Group "Weekend" ~

      in reply to: A changing of the guard at AskWoody.com #2310418
      NetDef
      AskWoody_MVP

      So . . .  you’re coming to visit in Colorado post pandemic where the drinks are on me?

      (Seriously!)

      ~ Group "Weekend" ~

      3 users thanked author for this post.
      in reply to: The September 2020 Microsoft patches #2294986
      NetDef
      AskWoody_MVP

      Two articles about a month apart are — to me — revealing a serious (and so far unannounced) vuln in WSUS that’s being mitigated quietly.

      From August we got this post:

      ( Microsoft recommends using HTTPS with Windows Server Update Services (WSUS).)

      https://techcommunity.microsoft.com/t5/windows-it-pro-blog/security-best-practices-for-windows-server-update-services-wsus/ba-p/1587536

      It’s interesting because HTTPS internally has long been considered a best practice, but not enforced in any way should the sysadmins choose to use HTTP between the server and client machines.

      Now today we see:

      https://techcommunity.microsoft.com/t5/windows-it-pro-blog/changes-to-improve-security-for-windows-devices-scanning-wsus/ba-p/1645547

      Referring to this line:  “To ensure that your devices remain inherently secure, we are no longer allowing HTTP-based intranet servers to leverage user proxy by default to detect updates”

      My suspicion is high here.  This only makes sense on an internal environment where a bad actor could spoof updates via a software proxy.  And malware proxies are nothing new, but this indicates that perhaps the cert check on update packages is not as secure as we’ve assumed.

      ~ Group "Weekend" ~

      1 user thanked author for this post.
      in reply to: Does an Ethernet connection need to be Surge Protected? #2292577
      NetDef
      AskWoody_MVP

      If the equipment connected via the Ethernet cables is all grounded to a single common ground (which – if your building is up to code they should already be this way) then no. *

      * But this could change in future revisions of the NFPA code and standards.

      If there is an Ethernet cable that runs outdoors, then that cable should be using a grounded port system back to the building’s common ground – and all devices connected via that cable must also be grounded to that same ground. Example:  we install outdoor Wi-Fi APs and they MUST be grounded.

      If you have two buildings with Ethernet running between them, with two separate grounding systems – then yes.  Or better yet use a fiber link to prevent cross talk between the electrical systems on that shared connection.

      Of higher concern than traditional surge protection for low voltage wiring is static discharge arrest and mitigation.

      Plain English version: no static sparks please!

      ~ Group "Weekend" ~

      in reply to: ISP-provided nationwide wifi hotspots #2292523
      NetDef
      AskWoody_MVP

      Thoughts and facts:

      Facts:  for Xfinity and certain smaller providers that do this it’s important to remember their local hot spots are on separate networks from your home LAN. They are completely isolated.  So a person that connects to the hotspot being provided from your ISP’s router in your home does NOT have a way to scan or directly connect to devices on your LAN.

      For customers of that ISP this seems like a pretty great idea and has the potential to benefit everyone.

      Thoughts:  I don’t like using the ISP’s equipment – preferring control over my connection at a far greater level than their stuff allows.  And self-owned equipment cannot participate in the open Wi-Fi system from that ISP.  Additionally — in crowded Wi-Fi areas these hot spots make channel congestion much worse.

      ~ Group "Weekend" ~

      in reply to: How can a Win10 1903 user keep 2004 off their machine? #2285433
      NetDef
      AskWoody_MVP

      The REG key solution on Windows 10 Home to defer feature updates potentially works today.  But it might not keep working.

      I’m going to take a moment and translate Microsoft speak in their official documentation based on both experience and IT policy guidelines.

      First: when MS says something is not supported, it doesn’t mean it won’t work today.  It may very well work fine right now.  But it can (and often does) mean that the thing might break, or be changed, or be dropped without any warning.  Conversely when they say something is supported, we at least have some assurance that it “should work” on that platform, and that if it’s changed in the future we should in theory get some advance notification about the change.  (Yes I know, their track record on this last is somewhat lacking.)

      Second: this means that a REG key change that is “supported” in Pro, but marked as “NOT supported” in Home – may or may not work based on a bewildering set of combinations of patch status.   It might work on Joe’s machine on 1903 today, but maybe Joe’s been using other hacks to prevent patching.  At the same time it might NOT work on Cheryl’s machine, which is fully patched at 1903-current.  Or vice-versa!

      (Thanks for volunteering to be class examples Cheryl and Joe, a round of applause for our victims please!  You may return to your seats now . . . )

      Shorter version of this point:  You cannot rely on it long term.

      Third: Even though it works today, a future non-feature patch could (and very likely will) break the feature on W10-Home. And then you’ll be facing trying to block the feature update another way.  In Pro – because it’s supported as an official feature – we at least have some sort of commitment from Microsoft that the REG key or GP setting will work.  (It might still break from a buggy future patch, but hey – it’s still a stronger sense of trust than zero support.)

      TL;DR: Given that this specific REG key setting is for a feature deferral that may take place up to 18 months from now – I cannot conscientiously recommend that you trust this setting will work on Windows 10 Home for the entire time remaining until your current build expires.

      Cheers!

      ~ Group "Weekend" ~

      1 user thanked author for this post.
      in reply to: Time for a new router #2284402
      NetDef
      AskWoody_MVP

      If you have a larger home, you might want to check out https://store.amplifi.com/products/amplifi-mesh-wi-fi-system for a distributed solution.

      It can be managed locally only, or via a cloud account – so choices.

      ~ Group "Weekend" ~

      in reply to: How can a Win10 1903 user keep 2004 off their machine? #2284155
      NetDef
      AskWoody_MVP

      Not supported in Windows 10 Home Edition.

      See https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-targetreleaseversion

      ~ Group "Weekend" ~

      in reply to: Tales from the trenches #2283892
      NetDef
      AskWoody_MVP

      In support for what Paul said:

      https://www.techrepublic.com/article/disk-wiping-and-data-forensics-separating-myth-from-science/

      Key points:  For modern HDDs a single pass is enough.  Caveat, outdated regulations for certain industries still hold to the myths.  Follow their procedures as required and get a certification for each drive shredded.  (sigh)

      Modern SSDs on systems that implement TRIM are quite likely already secure.  I know in my business retrieving deleted files on SSDs is really hit or miss depending on when the last TRIM pass was conducted.

      ~ Group "Weekend" ~

      in reply to: Patch Lady – Use the domain of remotewebaccess.com? #2283015
      NetDef
      AskWoody_MVP

      SO glad that for all my clients that use RWA on Server 2012 R2 and 2016 Essentials we chose to use custom “vanity” domain names instead of the generic one offered by MS.

      We had zero problems today during this event.  Feel like I dodged a bullet.

      ~ Group "Weekend" ~

      NetDef
      AskWoody_MVP

      So I had a thought and went to spin that HyperV machine back up to check on something — and it’s a good thing I did!  It powered up on the second phase install of the July Rollup and presented me with this:

      failed

      Once it recovered, the Update history shows:

      failed2

      I suspect either a prerequisite patch after Jan 2020 is missing (in spite of the fact that roll-ups are supposed to include that stuff) OR this patch doesn’t check ESU status until the reboot – which is playing nasty since this is openly available on the Microsoft Catalog.

      If I have time will dig deeper in a few days.

      ~ Group "Weekend" ~

      NetDef
      AskWoody_MVP

      That was a fun ride.

      Spun up an orphaned HyperV image of an old Server 2008 R2 application server.  I want to emphasize this is a pretty plain-jane server config:  It does NOT have any advanced roles like Active Directory / Domain Controller installed.  It was a print and application server only.  Also of note is I let Windows Update catch it up to January 2020 before the following experiment.

      1) Downloaded the MSU via Catalog link for Server 2008 R2 listed at: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

      2) Tried to install it and failed with this message:

      prereqwarning

      Note: Clicking that blue link in the error took me to a VERY outdated Microsoft page, which subsequently led down a rabbit hole of obsolete downloads for Service Stack editions dating circa 2011 . . . (in other words, don’t bother!)

      3) Circled around and found the Server 2008 R2 July 2020 Service stack update for ESU customers at http://www.catalog.update.microsoft.com/Search.aspx?q=KB4565354 and successfully installed that. (Note: I do not have ESU on this machine, nor was ESU simulated per other sources available on this site.)

      4) After that step, I was able to successfully install the July 2020 Rollup on this machine.

      Might_work

      success
      (It did provide a success message, but that window didn’t include the KB number.)

      Remember class, this was NOT on a production server – after this test I shut it down and relegated the HyperV image back to storage. All disclaimers apply here.

      TL;DR – it appears Microsoft is not blocking this update for Server 2008 R2.

      But – it failed on reboot (see next message)

      ~ Group "Weekend" ~

      • This reply was modified 4 months, 1 week ago by NetDef.
      NetDef
      AskWoody_MVP

      I saw that too, and wish I had an old Server 2008 R2 to play with still.  My guess is that it would manually update from the download fine.  Uncertain I would want to test on a production server.  Then again, if you have a 2008 R2 production server, try it, and it fails . . . it might be the kick needed to upgrade.  😉

      Wait a minute . . . I have a HyperV image backup of an old 2008 R2 from a couple years ago from a retired machine.  Stand by.

      ~ Group "Weekend" ~
