Veeam 11 - CDP (RPO= 0) and immutable storage backup against ransomware

 Veeam 11 released new features, here they are two that, imo, are very interesting:


  1. Continuous Data Protection (CDP) with RPO equal to zero:

    https://community.veeam.com/blogs-and-podcasts-57/veeam-v11-continuous-data-protection-cdp-configuration-265

    Using vSphere APIs for IO Filtering (VAIO)

  2. Immutable primary backup storage with a hardware-agnostic touch: enables you to store your short-term retention backups locally onsite for fast recovery with the protection of immutability. In addition, you can now tier those backups into an immutable object storage offering offsite, giving you additional protection against unforeseen malicious activity or accidental deletion. (protecting you against ransomware and malicious acts)

    The new hardened repositories are compliant with the SEC 17a-4(f), FINRA 4511(c), and CFTC 1.31(c)-(d) regulations. They can effectively prevent ransomware encryption or accidental/malicious deletions. The great thing about the new feature is it is based on "bring your own" Linux, so there is no vendor hardware lock-in.

    The new hardened Linux-based repositories with immutable backups will take ransomware protection to the next level for on-premises backup storage. Businesses can ensure business-critical backups are protected for the time specified for the immutable backup repository.

    https://www.veeam.com/blog/v11-immutable-backup-storage.html

    https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository.html?ver=110



Other articles:



Pubblicato da
Link a questo post Etichette: , , ,

Tips - Network Configuration Operators Group

If you have normal user permissions and you need to change network adapters TCP/IP configuration you can do that without having administrative rights. 

Infact you need to simple add your user to below local group

Network Configuration Operators






For your reference: https://technet.microsoft.com/en-us/library/cc754921(v=ws.10).aspx

A Description of the Network Configuration Operators Group:
https://support.microsoft.com/en-us/help/297938/a-description-of-the-network-configuration-operators-group

Description of Group Policy Restricted Groups:
https://support.microsoft.com/en-us/help/279301/description-of-group-policy-restricted-groups


Pubblicato da
Link a questo post Etichette: , , ,

Software - FastStone Capture #Screenshots tool

There is an interesting tool that works fine taking desktop screenshots (a.e. using keyboard combinations)

https://www.faststone.org/FSCaptureDetail.htm

Normally I utilize 5.3 version picking up only .exe file (taken after a software fresh installation).

Furthermore I am coping, previously .exe file, on any other pcs where screenshots are necessary to be taken.


FastStone Capture 5.3

http://www.oldversion.com/windows/faststone-capture-5-3

Here they are older versions links:

http://www.oldversion.com/windows/faststone-capture/

P.S. I knew this tool during my pharmaceutical working experiences and it was a nice discovery, indispensable for GMP Validations and any other importants IT activities

Pubblicato da
Link a questo post Etichette: ,

DNS - Security

Some services can also block access to phishing or infected sites, and a few offer content filtering to keep your kids away from the worst of the web.

OpenDNS


Primary, secondary DNS servers: 208.67.222.222 and 208.67.220.220

With filtering or pre-configured protection, you can safeguard your family against adult content and more. It’s the easiest way to add parental and content filtering controls to every device in your home.

Cloudflare


Primary, secondary DNS servers: 1.1.1.1 and 1.0.0.1

Privacy is another major highlight. Cloudflare doesn't just promise that it won't use your browsing data to serve ads; it commits that it will never write the querying IP address (yours) to disk. Any logs that do exist will be deleted within 24 hours. And these claims aren't just reassuring words on a website. Cloudflare has retained KPMG to audit its practices annually and produce a public report to confirm the company is delivering on its promises

Google Public DNS
Primary, secondary DNS servers: 8.8.8.8 and 8.8.4.4


Quad9





<======================>

DNS Jumper is a portable freeware tool which tests multiple public DNS services to find out which delivers the best performance for you.

The program has a lot of options, but isn't difficult to use. Launch it, click Fastest DNS > Start DNS Test, and within a few seconds you'll be looking at a list of DNS services sorted by speed.

DNSPerf tests multiple DNS services every minute from 200+ locations around the world and makes the results freely available on its own website

[original Article]
Pubblicato da
Link a questo post Etichette: ,

Windows 10 - Activation overview

Here it is an interesting Microsoft article that give an overview about windows 10 activation approaches.

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-10-volume-activation-in-the-era-of-working-from-home/ba-p/1954768?ocid=AID3017125&MC=Windows&MC=EntMobile&MC=SecSys&MC=SysMagSof

Pubblicato da
Link a questo post Etichette:

Microsoft 365 - Apps activation on shared computer

About environments accessed by multiple users you can keep in mind below Microsoft article.

Be aware that shared computer activation is required for scenarios where multiple users share the same computer and the users are logging in with their own account. 

Infact, normally, users can install and activate Microsoft 365 Apps only on a limited number of devices, such as 5 PCs.

To enable Shared computer activation you should have Office 365 E3, E5 or business premium.

If you want to enable shared computer activation during the initial installation of Microsoft 365 Apps, you can instruct the Office Deployment Tool to do so during installation.

In case you already installed Miscrosoft 365 Apps there are 3 method to change activation ways (GPO, Register modify or download Microsoft Support and Recovery assistant)

more details can be found here:

https://docs.microsoft.com/en-us/deployoffice/overview-shared-computer-activation

In case you want to verify type of Microsoft 365 Apps activation are in plase you can review below article:

https://docs.microsoft.com/en-us/deployoffice/troubleshoot-shared-computer-activation#Enabled

Licensing token renewal The licensing token that is stored on the shared computer is valid only for 30 days. As the expiration date for the licensing token nears, Microsoft 365 Apps automatically attempts to renew the licensing token when the user is logged on to the computer and using Microsoft 365 Apps.

Activation limits Normally, users can install and activate Microsoft 365 Apps only on a limited number of devices, such as 5 PCs. Using Microsoft 365 Apps with shared computer activation enabled doesn't count against that limit.

Licensing token roaming Starting with Version 1704 of Microsoft 365 Apps, you can configure the licensing token to roam with the user's profile or be located on a shared folder on the network. Previously, the licensing token was always saved to a specific folder on the local computer and was associated with that specific computer. In those cases, if the user signed in to a different computer, the user would be prompted to activate Microsoft 365 Apps on that computer in order to get a new licensing token. The ability to roam the licensing token is especially helpful for non-persistent VDI scenarios.




Pubblicato da
Link a questo post Etichette: , ,

Security - Exchange Zero Date Vulnerability #CVE-2021-26855

These vulnerabilities permits to access, without any authentication, to all Exchange mailboxes contents.

This is possible on all Exchange servers that are published, on internet, through OWA (attacker need onlty to know user account name)

Afterward attackers created several backdoors, through aspx webshell, creating AD credentials dump. (having horizontal attacks possibility)

There are two scenarios:

  1. Standalone: require single user (SID) (more difficult)
  2. Cluster (DAG) only end user email name is required.

Attack is possibile only if you know server FQDN (but this is easy to be knwon sending an http post call to Exchange Web Services)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855

Patches are here available: (for Exchange 2010 too)

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b

Other articles:

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-2016-and-the-end-of-mainstream-support/ba-p/1574110

https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901

https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

https://docs.microsoft.com/en-us/exchange/troubleshoot/client-connectivity/exchange-security-update-issues

[original articles]

https://www.windowserver.it/2021/03/exchange-server-sotto-attacco-cosa-sta-succedendo/

https://www.wired.it/internet/web/2021/03/05/microsoft-exchange-hacker-cina/


[update 2021.03.19]

Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus

https://www.microsoft.com/security/blog/2021/03/18/automatic-on-premises-exchange-server-mitigation-now-in-microsoft-defender-antivirus/

[update 2021.03.24]

https://edge9.hwupgrade.it/news/security/attacco-ad-exchange-server-anche-tim-business-colpita-e-intanto-microsoft-teme-la-fuga-di-notizie-interna_96269.html

[update 2021.03.29]

How to Recover Exchange Server after Black KingDom Ransomware Attack?

https://www.stellarinfo.com/blog/recover-exchange-server-after-black-kingdom-ransomware-attack/


Pubblicato da
Link a questo post Etichette: , ,

Ransomware - QNAP affected #eCh0raix

Today I would like to mention Ransomware eCh0raix. 

Qnap devices are affected and need firmware updates.

Old QTS and Photo Station versions are affected.

https://www.qnap.com/it-it/security-advisory/qsa-20-02

It should be available on line a decryptor tool too.

Other than firmware upgrade it is highly suggested to use strenght passwords, enablbe NAP (Network Access Procection against brute force attacks, disable SSH and Telnet)

Evaluate Qnap snapshot tool too:

https://www.qnap.com/solution/snapshots/en/

More information are available here:

https://www.tomshw.it/hardware/nas-qnap-sotto-attacco-fate-attenzione/

Pubblicato da
Link a questo post Etichette: ,

Server - Active Directory Time syncronization problems

During these years I faced, on server and clients, several authentication problems due to wrong time and date.

Here they are some commands and tips useful for this troubleshottoing purpose:

 1. Command useful on DC to see any time differences in place and relative (offset)

 w32tm /monitor 

 2. Run the following command on the PDC emulator:  

 w32tm /config /manualpeerlist:timeserver /syncfromflags:manual /reliable:yes /update

 Once done, restart W32Time service.

 net stop w32time | net start w32time 

 3. Run the following command on all other DCs (that are not PDC):  

 w32tm /config /syncfromflags:domhier /update

 Once done, restart W32Time service:

 net stop w32time | net start w32time 

 I have often, in recent years, to solve problems of e-mail or authentication domain generated from misconfigurations time servers. 

 4. To check the source time server: 

 w32tm /query /status

5. You can check registry entries if the domain controller is using NTP (should be on PDC) or NT5DS (on non-PDC):
Find the value of Type under 

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

reg query 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

 6. re-sync the w32time service using the following command:

 w32tm /resync /rediscover

 <---------->
7. Execute the following command to actually perform a time synchronization with the external source

 w32tm.exe /config /update


 Some articles and tools

port query Tool GUI

 https://www.microsoft.com/en-us/download/details.aspx?id=24009

 Technet - Windows Time Service Tools and Settings

 https://technet.microsoft.com/en-us/library/cc773263(v=ws.10).aspx

 Time Configuration in Active Directory

 http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx

Configure DC to synchronize time with external NTP server

 https://community.spiceworks.com/how_to/65413-configure-dc-to-synchronize-time-with-external-ntp-server


[update 2021.03.04]

Here they are register keys related to date and time Windows services

Microsoft Registry
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer


Pubblicato da
Link a questo post Etichette: , , , , , , , , , , , ,

SQL - Dbatools SQL Server PowerShell module

Here it is an interesting Tutorial about SQL Server powershell module named Dbatools used primarly about disaster recovery. (it is free dbatools.io/download)

Estensive documentation:

dbatools.io/Test-DbaLastBackup

dbatools.io/Set-DbaSpn

Some videos:

dbatools.io/youtube

https://channel9.msdn.com/Shows/Data-Exposed/How-to-Automate-Disaster-Recovery-in-SQL-Server-On-Prem

<iframe src="https://channel9.msdn.com/Shows/Data-Exposed/How-to-Automate-Disaster-Recovery-in-SQL-Server-On-Prem/player" width="960" height="540" allowFullScreen frameBorder="0" title="How to Automate Disaster Recovery in SQL Server On-Prem - Microsoft Channel 9 Video"></iframe>

Have a look to below screenshots:









Pubblicato da
Link a questo post Etichette: , , ,
Iscriviti a: Post (Atom)