Office 365 - TLS 1.0 and 1.1 no longer supported from 11th January 2021 #Windows 7 #Outlook 2010 #Windows 2008 R2 server

Microsoft announced (MC229914) that TLS 1.0 and 1.1 will no longer be supported by Exchange Online beginning January 11th 2021.

This change will impact endpoints too.


Final Notice for disabling of TLS1.0 and TLS 1.1 Support for Exchange Online Mail Flow

We will no longer support TLS 1.0 and TLS 1.1 from Exchange Online mail flow endpoints beginning January 11th 2021. As those versions of TLS are already retired (most recently communicated in MC218794, July '20), Exchange Online customers and their partners should already be using TLS1.2 to protect SMTP connections between their email servers or devices and Exchange Online.

https://admin.microsoft.com/AdminPortal/Home?ref=MessageCenter&id=MC229914

On the client side you should verify that devices are connecting to Exchange Online using TLS 1.2.

For Outlook 2010, Windows 7 and Windows Server 2008 R2, be aware that TLS 1.2 is not enabled by default; these are the registry changes you should apply to work around the problem:

Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows

https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi
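As an added example (not code from the original post or from the Microsoft KB), the following PowerShell script audits, and with -Apply sets, the WinHTTP DefaultSecureProtocols value that KB3140245 describes (0x0A00 = TLS 1.1 + TLS 1.2) together with the standard Schannel TLS 1.2 client keys on Windows 7 / Server 2008 R2. It assumes an elevated prompt and that KB3140245 is installed (it only warns if not); the Wow6432Node path applies to x64 systems.

```powershell
# Added example: audit (default) or set (-Apply) the TLS 1.2 client settings
# for Windows 7 / Windows Server 2008 R2. Assumes KB3140245 is installed,
# because without it WinHTTP ignores DefaultSecureProtocols.
param([switch]$Apply)

# KB3140245 bit values: 0x0800 = TLS 1.2, 0x0200 = TLS 1.1, so 0x0A00 = both
$desired = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
       Name = 'DefaultSecureProtocols'; Value = 0x0A00 },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
       Name = 'DefaultSecureProtocols'; Value = 0x0A00 },   # x64 systems only
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
       Name = 'Enabled'; Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
       Name = 'DisabledByDefault'; Value = 0 }
)

if (-not (Get-HotFix -Id KB3140245 -ErrorAction SilentlyContinue)) {
    Write-Warning 'KB3140245 is not installed: install it first, DefaultSecureProtocols has no effect without it.'
}

foreach ($d in $desired) {
    # Read the current value; $null means the key or value does not exist yet
    $current = (Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
    $state = if ($current -eq $d.Value) { 'OK' } elseif ($null -eq $current) { 'MISSING' } else { 'WRONG' }
    '{0,-8} {1}\{2} = {3}' -f $state, $d.Path, $d.Name, $current

    if ($Apply -and $state -ne 'OK') {
        if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        New-ItemProperty -Path $d.Path -Name $d.Name -PropertyType DWord -Value $d.Value -Force | Out-Null
    }
}
# Outlook must be restarted (a reboot is safest) before the new protocol settings are used.
```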

More details can be found in the blog article below:

Security - TLS 1.0 & 1.1 End of Life/support for several products

https://www.alessandromazzanti.com/2020/03/security-tls-10-11-end-of-lifesupport.html


BTW, be aware of this other deadline (1st November 2021):

Effective November 1, 2021, the following versions of Outlook for Windows, as part of Office and Microsoft 365 Apps, will not be able to connect with Office 365 and Microsoft 365 services.


https://community.spiceworks.com/topic/2299344-update-to-microsoft-365-and-outlook-for-windows-connectivity-mc229143


[Other related articles]

https://jaapwesselius.com/2018/09/23/outlook-2010-disconnected-with-tls-1-2/

https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#security-updates

Server - DHCP Relay #Network #Windows Server side

During these months we worked on a network redesign project and on the replacement of the ESX servers.

The two projects converged because of a complete infrastructure renewal (a fresh start for our company).

DHCP relay is the ability to lease IP addresses to clients on different VLANs from a single DHCP server; here are the theoretical and the operational parts:

  1. On your L3 router or switch you must configure the VLAN interface with this line:
    ip helper-address Server_IP

    In this way all DHCP requests received on that VLAN interface are forwarded to Server_IP.

    https://blog.udemy.com/ip-helper-address/

    https://www.ciscopress.com/articles/article.asp?p=330807&seqNum=9

  2. Configure the DHCP server (which is usually on a separate server VLAN) to accept the relayed DHCP requests.

    The key point is to set, in the DHCP scope window, the VLAN gateway IP as the router of that scope.
    This information is how the DHCP server understands from which VLAN a relayed request is arriving.

    http://gborgese.wikidot.com/dhcp-relay

    https://www.itechguides.com/dhcp-relay-agent-configuration-in-windows-server-2016/

    https://thesolving.com/server-room/how-to-configure-a-multiscope-dhcp-server-to-work-with-vlans-on-windows-server-2012/
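As an added example of the Windows side of this procedure (not code from the original post or from the linked articles), the following PowerShell creates one scope per VLAN on a Windows Server DHCP server and then checks that each scope's router option lies inside the scope's own subnet, which is what makes the relayed requests match. VLAN numbers, subnets and DNS addresses are constructed sample values.

```powershell
# Added example: one DHCP scope per VLAN behind an ip helper-address relay.
# The relay puts the VLAN interface address in the request (giaddr) and the
# server chooses the scope whose subnet contains it, so the router option
# of every scope must be the VLAN interface IP. All addresses are constructed.
Import-Module DhcpServer

$dns = '10.10.1.10', '10.10.1.11'   # constructed: DNS servers on the server VLAN
$vlans = @(
    @{ Name = 'VLAN20-Office'; Net = '10.10.20.0'; Gw = '10.10.20.1'; Start = '10.10.20.50'; End = '10.10.20.250' },
    @{ Name = 'VLAN30-VoIP';   Net = '10.10.30.0'; Gw = '10.10.30.1'; Start = '10.10.30.50'; End = '10.10.30.250' }
)

foreach ($v in $vlans) {
    if (-not (Get-DhcpServerv4Scope -ScopeId $v.Net -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4Scope -Name $v.Name -StartRange $v.Start -EndRange $v.End `
            -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 1) -State Active
    }
    # Option 3 (router) = the VLAN interface that relays the request; option 6 = DNS
    Set-DhcpServerv4OptionValue -ScopeId $v.Net -Router $v.Gw -DnsServer $dns
}

# Check every scope: a router outside the scope subnet means relayed requests
# from that VLAN will never be answered from this scope.
foreach ($s in Get-DhcpServerv4Scope) {
    $gw = (Get-DhcpServerv4OptionValue -ScopeId $s.ScopeId -OptionId 3 -ErrorAction SilentlyContinue).Value |
          Select-Object -First 1
    if (-not $gw) { "$($s.Name): no router option, relayed clients would get no gateway"; continue }
    $mask = ([ipaddress]$s.SubnetMask).Address
    $ok = (([ipaddress]$gw).Address -band $mask) -eq (([ipaddress]$s.ScopeId).Address -band $mask)
    '{0,-16} router {1,-15} {2}' -f $s.Name, $gw, $(if ($ok) { 'OK' } else { 'NOT IN SCOPE SUBNET' })
}
```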

Antivirus - Endpoint Console with error code a049001e - 'Deadlock detected while asynchronously scanning...'

During these weeks, on Sophos Enterprise Console, we faced the error below on several computers and servers:

Error code a049001e: 'Deadlock detected while asynchronously scanning...'

This issue affected clients and servers with Citrix installed (client or server components):

Symptoms or Error

While logging in or launching an ICA session, the UPM profile takes a long time to load due to Sophos Anti-Virus

Solution

Create a registry change to disable asynchronous scanning for Sophos Anti-Virus:

Instructions: 

Under: 

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SavService\Application 

Create a new REG_DWORD called: DisableAsyncScans with a value of: 1 

DisableAsyncScans registry fix (https://support.citrix.com/article/CTX241246)


[original article]

https://community.sophos.com/on-premise-endpoint/f/sophos-enterprise-console/122257/deadlock-detected-scanning#pi2151=2


Office 2010 - Support Ended (like Office 2016 for Mac)

Be aware of the end of support for Office 2010 and Office 2016 for Mac. Microsoft will no longer provide technical support, bug fixes or security updates for these products, and organizations that continue to use them may face increased security risks (and, over time, compliance issues).

Here is a Microsoft article with more details:

https://www.microsoft.com/en-us/microsoft-365/blog/2020/10/13/support-for-office-2010-and-office-2016-for-mac-has-ended-heres-what-you-need-to-know/

Tips - Event Viewer Error on Server Windows 2008 R2 #hotfix KB4503277

During this time period we faced the error below when trying to browse Event Viewer:

MMC has detected an error in a snap-in and will unload it

This problem occurred on a Windows 2008 R2 server.

The MS article https://support.microsoft.com/en-us/help/4508640/event-viewer-may-close-or-you-may-receive-an-error-when-using-custom-v suggests hotfix KB4503277 (Preview of Monthly Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1).

Furthermore, newer hotfix versions were released:

2019-07 Preview of Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems (KB4507437)

2019-07 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems (KB4507449)

Microsoft - Microsoft Edge Browser: Security, Compatibility, and Update Management

Here is an interesting video that gives you an idea of Edge advantages, features and update management.

Network - Iperf tool & Speed test

During this time period I needed to stress and measure MPLS network connectivity without using the internet connectivity available on the line.

In this case Speedtest or any other internet website tool was not useful.

The solution was to use iperf in command-line mode, launching a server session at the remote site and a client session at another site.

In this way it was possible to stress the network and measure its relative performance.

Here are some video examples:

http://www.iperfwindows.com/screencasts.html

Meanwhile I am taking note of a good website dedicated to testing internet performance.


[update 2022.08.31]

ESX - How to enable SNMP on VMware 6.7

During these days I needed to enable an SNMP community on an ESXi 6.7 U2 server cluster.

Here are the steps I followed for each host:

  1. Enable SSH on each server.

  2. From the command line, run these commands:

    esxcli system snmp set --communities ruffinoro
    esxcli system snmp set --enable true

  3. Check the firewall rules and allow the traffic:

    esxcli network firewall ruleset set --ruleset-id snmp --allowed-all true
    esxcli network firewall ruleset set --ruleset-id snmp --enabled true

  4. To restrict access to the SNMP community to a specific IP range, use the commands below instead:

    esxcli network firewall ruleset set --ruleset-id snmp --allowed-all false
    esxcli network firewall ruleset allowedip add --ruleset-id snmp --ip-address 10.155.0.0/16
    esxcli network firewall ruleset set --ruleset-id snmp --enabled true

  5. Start the SNMP service via the GUI or from the command line:

    /etc/init.d/snmpd restart

  6. Be aware that the SNMP community string is case sensitive.

  7. Disable SSH on each server.


Cisco - How to enable custom SNMP community on SF200

Here is a simple and straightforward article that guides you through custom SNMP community configuration on the Cisco SF200 and other Cisco Small Business devices:

https://support.auvik.com/hc/en-us/articles/204310474-How-to-enable-SNMP-and-login-on-Cisco-Small-Business-devices

Cloud - Microsoft Tutorial

Today I would like to share this Microsoft training module that explains cloud concepts and principles:

https://docs.microsoft.com/en-us/learn/modules/principles-cloud-computing/

SCCM - Video Tutorial about Microsoft Edge pushing to Hundreds/Thousands of Devices

Here is an interesting tutorial that explains how to mass-deploy Edge to many devices.

The consumer Edge download is at the link below:

https://www.microsoft.com/it-it/edge/ 

But for enterprise mass deployment the correct download link is:

https://www.microsoft.com/it-it/edge/business/download

Server - USB Anywhere

Today I would like to focus on AnywhereUSB devices, which allow connecting USB devices over the network in virtualized environments such as VMware.


This solution is ideal for connecting USB devices over the network in virtualized environments such as VMware.
  • AnywhereUSB 24 Plus is rack mountable with two power supplies and Ethernet connections for failover redundancy (2x Ethernet and 2 x SFP+).
  • Access and monitor USB and serial devices over TCP/IP connection.
  • Supports multi-host connectivity for each USB port or group independently.
  • USB 3.1 Gen 1 Type A.
  • Charging ability.
  • Connection encrypted with TLS 1.2.

Videos, documentation, the datasheet and screenshots are available at the original link:

https://www.digi.com/products/networking/usb-connectivity/usb-over-ip/anywhereusb

NETWORK - CISCO how to open a case #TAC

If you need to open a Cisco TAC case you need to:

1.) Log on here:

https://www.cisco.com/c/en/us/index.html

Support --> Contact Support --> Open New Case

Or use the link below:

https://mycase.cloudapps.cisco.com/case 

2.) Open a new case
3.) Insert Serial Number, click on search button and then Next


4.) On the final page you need to fill in the required case fields (title, problem description, email contacts, etc.)

SERVER - How to enable printed documents logs (PRINT SERVER)

The Print Server role, installed on Windows Server, does not automatically log each printed document in Event Viewer.

You need to proceed as below to keep track of this information in Event Viewer (the PrintService Operational log is toggled with Disable Log/Enable Log):
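As an added example (not code from the original post), this PowerShell enables the PrintService Operational log from the command line, which is the same as "Enable Log" in Event Viewer, and then reports who printed what from event ID 307, the event written once per printed document. The 64 MB log size is an assumption; adjust it to your print volume.

```powershell
# Added example: enable the PrintService Operational log (disabled by default)
# and build a per-user report from event ID 307 ("Document N, <name> owned by
# <user> on <client> was printed on <printer> through port <port>. Size in
# bytes: <bytes>. Pages printed: <pages>."). Run elevated on the print server.
$log = 'Microsoft-Windows-PrintService/Operational'

& wevtutil.exe set-log $log /enabled:true
# The default 1 MB fills quickly on a busy print server (64 MB is an assumption)
& wevtutil.exe set-log $log /maxsize:67108864

function Get-PrintedDocument {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 307; StartTime = $Since } -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Properties follow the message placeholders %1..%8 in order
        $p = $_.Properties
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = $p[2].Value
            Client   = $p[3].Value
            Document = $p[1].Value
            Printer  = $p[4].Value
            Bytes    = [int64]$p[6].Value
            Pages    = [int]$p[7].Value
        }
      }
}

# Report: documents and pages per user in the last 24 hours, heaviest first.
# Unusually large page counts or off-hours jobs are worth a second look.
Get-PrintedDocument | Group-Object User | ForEach-Object {
    [pscustomobject]@{
        User      = $_.Name
        Documents = $_.Count
        Pages     = ($_.Group | Measure-Object Pages -Sum).Sum
    }
} | Sort-Object Pages -Descending | Format-Table -AutoSize
```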

Windows 10 - How to increase Jump list number (pinned items)


Please review the article below if you want to increase the number of items shown in the jump list:

Windows 10 - How to increase Jump list items number

Vmware - Installing Cisco ISE VM on ESX farm using OVF tool

Cisco ISE is an excellent product in conjunction with Cisco devices (switches, core switches, WLC, APs and so on).

Regarding the VM installation, we faced a situation where the Cisco ISE 2.6 .OVA file had to be imported into an ESX 6.x (6.7 U3) VMware farm.

We used OVF Tool to do that; here are the actions performed for the ISE 2.6.0 .OVA:
  1. Download Cisco ISE:

    https://software.cisco.com/download/home/283801620/type/283802505/release/2.6.0
  2. Follow the Cisco articles below:

    https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20/Installing_ISE_on_a_VMware_Virtual_Machine.html#task_326DAB6CBB544238B05768EAB3C18C6E

    https://www.lookingpoint.com/blog/ise-getting-started
  3. You must download and install OVF Tool:

    https://my.vmware.com/web/vmware/details?downloadGroup=OVFTOOL400&productId=353

    https://code.vmware.com/web/tool/4.4.0/ovf
  4. Start --> Command Prompt with administrative rights, then:

    C:\WINDOWS\system32>CD C:\Program Files\VMware\VMware OVF Tool

    C:\Program Files\VMware\VMware OVF Tool\ovftool.exe --acceptAllEulas -ds=

  5. To view the .OVA content:

    C:\Program Files\VMware\VMware OVF Tool>ovftool.exe C:\=UTILITY\=NETWORK\ISE\ISE-2.6.0.156-virtual-SNS3615-SNS3655-600.ova
    OVF version:   1.0
    VirtualApp:    false
    Name:          ISE-2.6.0.156-virtual-SNS3615-SNS3655-600
    Operating System:   rhel7_64guest
    Virtual Hardware:
    Families:         vmx-09
    Number of CPUs:   16
        Cores per socket: 4
        Memory:           32.00 GB
        Disks:
          Index:          0
          Instance ID:    9
          Capacity:       600.00 GB
          Disk Types:     SCSI-VirtualSCSI
        NICs:
          Adapter Type:   E1000
          Connection:     VM Network

          Adapter Type:   E1000
          Connection:     VM Network

          Adapter Type:   E1000
          Connection:     VM Network

          Adapter Type:   E1000
          Connection:     VM Network

          Adapter Type:   E1000
          Connection:     VM Network

          Adapter Type:   E1000
          Connection:     VM Network

    Deployment Options:
      Id:          small
      Label:       Small
      Description: Use this configuration for small deployments. This deployment
                   will need 16 vCPUs and 32768 Memory for the vApp.

      Id:          medium
      Label:       Medium
      Description: Use this configuration for small deployments. This deployment
                   will need 24 vCPUs and 98304 Memory for the vApp.

  6. To deploy the .OVA to the ESX host (ip_esx is the host address; datastore and network mapping are the ones used in our case):

    C:\Program Files\VMware\VMware OVF Tool>ovftool.exe --acceptAllEulas -ds="datastore1" --net:"VM Network"="VM Network" C:\=UTILITY\=NETWORK\ISE\ISE-2.6.0.156-virtual-SNS3615-SNS3655-600.ova vi://ip_esx
    Opening OVA source: C:\=UTILITY\=NETWORK\ISE\ISE-2.6.0.156-virtual-SNS3615-SNS3655-600.ova
    The manifest validates
    Accept SSL fingerprint (xxxxxx) for host ip_esx as target type.
    Fingerprint will be added to the known host file
    Write 'yes' or 'no'
    yes
    Enter login information for target vi://ip_esx/
    Username: root
    Password: ********
    Opening VI target: vi://root@ip_esx:443/
    Warning:
     - Line 109: Unable to parse 'enableMPTSupport' for attribute 'key' on element 'Config'.
    Deploying to VI: vi://root@ip_esx:443/
    Transfer Completed
    Completed successfully

  7. After this operation the VM is available on the ESX farm.

Server - Domain Users can join computers to domain (up to 10) #It is a default domain policy

A few months ago I discovered that normal AD users are able to join computers to the domain (up to 10) without any particular grants or settings.

It was very unexpected news for me.

Default limit to number of workstations a user can join to the domain

"By default, Windows 2000 allows authenticated users to join ten machine accounts to the domain.

This default was implemented to prevent misuse, but can be overridden by an administrator by making a change to an object in Active Directory.

Note that users in the Administrators or Domain Administrators groups, and those users who have delegated permissions on containers in Active Directory to create and delete computer accounts, are not restricted by this limitation."

Here is the AD attribute that defines the maximum of 10 joins (you need to use ADSIEdit.msc to see it):

MS-DS-Machine-Account-Quota

https://docs.microsoft.com/en-us/windows/win32/adschema/a-ms-ds-machineaccountquota?redirectedfrom=MSDN

It is highly recommended to disable this feature, for obvious security reasons:

https://docs.microsoft.com/en-us/archive/blogs/dubaisec/who-can-add-workstation-to-the-domain

REMEDIATION:

For security reasons it is preferable that Authenticated Users cannot join computers to the domain.

You must modify the "Default Domain Policy" so that domain joins are permitted only to specific users or groups.

Rafal Sosnowski (a member of the Microsoft Dubai Security PFE team) says:

During my numerous Security Audits and Assessments I deliver to customers, I usually discover too wide permissions and user rights configured in Active Directory. One of them is “Add Workstation to the Domain”

It is important to control who can add new machines to our AD environment. Although we can enforce various security settings via GPO on newly added machines, a user could join a machine which is not configured according to our security standards, at the same time having ownership of various objects in the system (local admin account, ACLs on file system etc.).

<==================>

Here is the full article:

https://www.devadmin.it/2017/07/25/consentire-ad-utenti-non-amministratori-di-aggiungere-computer-a-dominio/
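As an added example (not code from the original post or from the linked articles), this PowerShell script audits the quota described above: it reads ms-DS-MachineAccountQuota, lists the computer objects that were joined under the quota (they keep the joining user's SID in mS-DS-CreatorSID, which admin-created or delegated joins do not), and sets the quota to 0. It assumes the ActiveDirectory RSAT module and an account allowed to modify the domain object; the "Add workstations to domain" user right in Default Domain Policy still has to be restricted separately in GPMC.

```powershell
# Added example: audit and remediate ms-DS-MachineAccountQuota.
# Assumes the ActiveDirectory module (RSAT) and rights to modify the domain object.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"Current ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"

# Computers joined through the quota carry the creator's SID in mS-DS-CreatorSID;
# computers created by administrators or delegated accounts leave it empty.
$quotaJoined = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'            # returned as a byte[] by Get-ADComputer
        $sid = if ($raw -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
               else { [System.Security.Principal.SecurityIdentifier]$raw }
        $creator = $sid.Value                     # fall back to the raw SID if the account is gone
        try { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ Computer = $_.Name; Creator = $creator; Created = $_.whenCreated }
    }

$quotaJoined | Sort-Object Creator, Created | Format-Table -AutoSize

# Ordinary users rarely need more than a couple of joins; larger counts deserve a review
$quotaJoined | Group-Object Creator | Where-Object { $_.Count -ge 5 } |
    ForEach-Object { "Review: $($_.Name) joined $($_.Count) computers under the quota" }

if ($quota -ne 0) {
    # 0 means: only accounts with explicit Create Computer Objects permission
    # or the "Add workstations to domain" user right can join machines
    Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    'ms-DS-MachineAccountQuota set to 0.'
}
```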


[update 2022.11.02]

KB5020276—Netjoin: Domain join hardening changes


Extra IT - Legnovivo #carpentry company


Today I would like to endorse the website and carpentry company below:

www.falegnamefirenze.it

High-quality wood products and professionalism are the company's two key strengths.

I already purchased several products from them in previous years, with excellent satisfaction, and I strongly recommend them.

201X - Print Server migration/fault/DR management

If you want to manage a Windows 200X/201X print server fault and the related DR (without having to reconfigure all clients) you have to proceed this way:

  1. Create a DNS alias (CNAME, on the DC) pointing to the old print server,
    for example: PrintersMilan

  2. Configure a new print server (201X).

  3. Export all printers from the old print server:

    2003 migration - How to migrate print server from 2003 server to 2008/2008 R2/2012

  4. Import the printer queues on the new server:

    2003 migration - How to migrate print server from 2003 server to 2008/2008 R2/2012

  5. Adding printers through the DNS alias fails with an error until the next step is done:

    \\PrintersMilan\

  6. On both the old and the new server you must add this registry key:

    reg add HKLM\SYSTEM\CurrentControlSet\Control\Print /v DnsOnWire /t REG_DWORD /d 1

  7. Restart the Print Spooler service.

  8. On your PC add the new printers through the alias and check that it works properly (you are still pointing to the old print server):
    \\PrintersMilan\

  9. Change the DNS alias PrintersMilan (on your DC) to point to the new print server.

  10. If everything works fine, DR and print server fault management has been successfully done.
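As an added example (not code from the original post), the procedure above done from PowerShell on a DC with the DnsServer and PrintManagement modules: alias creation, the DnsOnWire key and spooler restart on both servers, a check through the alias, and the final CNAME cutover. The alias PrintersMilan comes from the post; the zone corp.example and the server names prt-old/prt-new are assumptions, and the remote step needs WinRM enabled on both print servers.

```powershell
# Added example: print server alias cutover. Names are assumptions except the
# alias PrintersMilan; run on a DC (or with DNS RSAT) as a domain admin.
$zone  = 'corp.example'
$alias = 'PrintersMilan'
$old   = 'prt-old.corp.example'
$new   = 'prt-new.corp.example'

# Step 1: CNAME pointing at the old server (skipped if it already exists)
if (-not (Get-DnsServerResourceRecord -ZoneName $zone -Name $alias -RRType CName -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordCName -ZoneName $zone -Name $alias -HostNameAlias $old
}

# Steps 6 and 7: DnsOnWire on BOTH servers so the spooler accepts the alias
# name, then restart the spooler (Invoke-Command requires WinRM on the servers)
Invoke-Command -ComputerName $old, $new -ScriptBlock {
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Print' -Name DnsOnWire `
        -PropertyType DWord -Value 1 -Force | Out-Null
    Restart-Service Spooler
    "$env:COMPUTERNAME: DnsOnWire set, spooler restarted"
}

# Step 8: the alias must answer and list the queues (still the old server here)
Get-Printer -ComputerName $alias | Select-Object Name, DriverName, PortName | Format-Table -AutoSize

# Step 9: cutover. A short TTL (assumption: 5 minutes) keeps the client-side
# switch quick and makes a rollback to $old just as fast.
Get-DnsServerResourceRecord -ZoneName $zone -Name $alias -RRType CName | ForEach-Object {
    $r = $_.Clone()
    $r.RecordData.HostNameAlias = "$new."
    $r.TimeToLive = [TimeSpan]::FromMinutes(5)
    Set-DnsServerResourceRecord -ZoneName $zone -OldInputObject $_ -NewInputObject $r
}

# Step 10: after the TTL expires, the same check must now show the new server's queues
Get-Printer -ComputerName $alias | Select-Object Name, ComputerName | Format-Table -AutoSize
```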

[Original Article]


Tuning - Patch My PC

In previous years I used several tools to check for non-OS software updates.

Unfortunately FileHippo App Manager no longer works as well as it did in the past.

So I found that Patch My PC Updater works excellently; the user interface is not so easy, but after you configure it properly it works very well.

For enterprise companies, Patch My PC can easily extend Microsoft Configuration Manager to deploy and patch an extensive list of third-party applications.

About SCCM, here are some old blog articles:

https://www.alessandromazzanti.com/search/label/SCCM%202012


Here is a Lifewire article listing similar software:

11 Best Free Software Updater Programs

https://www.lifewire.com/free-software-updater-programs-2625200