Clearos - ClearOS 7 is now available!

During these years I have installed a lot of ClearOS servers.

I find it very easy and useful for small companies.


So, if I have some free time, I will try to eviscerate this new release.


If you are interested in taking a look at all the ClearOS blog articles, you can follow the link below:


http://www.alessandromazzanti.com/search/label/ClearOS


ClearOS 7 Community edition:

https://www.clearos.com/clearfoundation/software/clearos-7-community


Compare editions

https://www.clearos.com/products/clearos-editions/clearos-7-compare-editions

Microsoft - ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability

There is an Important/Critical Microsoft font vulnerability (still unpatched) affecting the Adobe Type Manager Library.

There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or to view it in the Windows Preview pane in Explorer.


Here is the Microsoft Security Advisory (ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability):

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200006

The patch will most probably be released on Microsoft Update Tuesday (the second Tuesday of each month).

The affected operating systems are listed below. Note that Windows 10 is considered to have a low risk impact, due to mitigations that were put in place with the first version released in 2015.

Please see the mitigation section for details. Microsoft is not aware of any attacks against the Windows 10 platform. The possibility of remote code execution is negligible and elevation of privilege is not possible. We do not recommend that IT administrators running Windows 10 implement the workarounds described below.

Microsoft recommends upgrading to the Windows 10 family of clients and servers.


Here are the impacted operating systems, briefly:


Product | Impact | Severity
Windows 10 (all versions) | Remote Code Execution | Important
Windows 7 (all versions) | Remote Code Execution | Critical
Windows 8.1 (all versions) | Remote Code Execution | Critical
Windows RT 8.1 (all versions) | Remote Code Execution | Critical
Windows Server 2008 & R2 (all versions) | Remote Code Execution | Critical
Windows Server 2012 & R2 (all versions) | Remote Code Execution | Critical
Windows Server 2016 (all versions) | Remote Code Execution | Important
Windows Server 2019 (all versions) | Remote Code Execution | Important

Here are the applicable workarounds (be aware that for Windows 10 these are not recommended):


Workaround | Applicability
Disable the Preview Pane and Details Pane in Windows Explorer | Works on all systems but won't mitigate the issue if you open a document with the vulnerable font class
Disable the WebClient service | Works on all systems but won't mitigate the issue if you open a document with the vulnerable font class
Rename ATMFD.DLL | Only works on older systems (before Windows 10) but completely mitigates the issue, though it can introduce usability issues in rare cases

Microsoft Advisory ADV200006 explains how to disable the WebClient service to protect against the attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service.

Impact of workaround.

When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the WebClient service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.


The effects of the workaround and how to implement it are described in the Microsoft advisory.

Consider that Windows 7 and Windows 2008 are no longer supported; it is highly probable that the patch will not be available except for customers that subscribed to extended patch support:

- Microsoft Extended Security Update Program (ESU) Windows 7
Extended Security Updates (ESU) Licensing Preparation Package for Windows 7 SP1 and Windows Server 2008 R2 SP1
- Extended Security Updates (ESU) Windows 2008 and 2008 R2
Extended Security Updates (ESU) SQL 2008 and 2002 R2


[references articles]

https://www.cwi.it/cio/windows-server-2008-non-e-ancora-morto-ecco-perche_42124905 

https://www.hdblog.it/microsoft/articoli/n518582/windows-10-8-7-hacker-vulnerabilita-critica-patch/ 

https://www.hdblog.it/microsoft/articoli/n515774/windows-7-germania-costi-supporto/ 

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200006 


[Update 2020.04.15]


Microsoft released patches and new workarounds to mitigate the problem:



https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020


Be aware of this information:

"Do I need an ESU license to receive the update for Windows 7, Windows Server 2008 and Windows Server 2008 R2 for this vulnerability?
Yes, to receive the security update for this vulnerability for Windows 7, Windows Server 2008, or Windows Server 2008 R2 you must have an ESU license. See 4522133 for more information."

Antivirus - COVID-19 & FREE Sophos Home Commercial Edition for employees' personal PCs and Macs for Sophos Customers

I am taking note of the opportunity given by Sophos to all customers during the COVID-19 period.

Sophos customers can protect their employees' personal PCs and Macs with Sophos Home Commercial Edition for free.


Here are all the blog articles that relate to Sophos products, issues or technical information:
https://www.alessandromazzanti.com/search?q=SOPHOS

[UPDATE 2020.04.03]


Security - TLS 1.0 & 1.1 End of Life/support for several products

I would like to share the news that TLS 1.0 and 1.1 will no longer be supported after 31st March 2020.

Reading the whole article you will see that it will not be a sort of "Big Bang", but in any case I hope that this information will be useful to someone (*)


CISCO UMBRELLA


All endpoints with Cisco Umbrella will require TLS 1.2 after that date (*)


https://support.umbrella.com/hc/en-us/articles/360033350851-End-of-Life-for-TLS-1-0-1-1-


CISCO ANYCONNECT


"Cisco Umbrella will continue to support Cisco Any Connect and Cisco Umbrella Roaming Client versions that require TLS 1.0/1.1 until September 30th 2020. All other uses of TLS 1.0 and 1.1 will be discontinued as planned on March 31st."


https://support.umbrella.com/hc/en-us/articles/360033350851-End-of-Life-for-TLS-1-0-1-1-


TLS 1.0 & 1.1 - Deprecated


Protocols are deprecated



BROWSER MICROSOFT, APPLE, GOOGLE & MOZILLA


Microsoft, Apple, and Mozilla have all announced that their browsers will no longer support TLS 1.0 and 1.1 as of March 2020. 


TLS 1.2 #HOW TO VERIFY


You can use this website to verify your browser health:


https://www.ssllabs.com/ssltest/viewMyClient.html


Otherwise, if you want to verify a website by its FQDN, you can use the same website at the link below:

https://www.ssllabs.com/ssltest/


.NET (Note: AnyConnect requires .NET)


Native TLS 1.2 requires .NET framework 4.6.2+. Prior versions require registry edits (4.x) or Registry edits and manual hot fix patches (3.5).

More information can be found here:

https://support.umbrella.com/hc/en-us/articles/115005871543-Requirements-for-forcing-TLS-1-2-on-the-Connector-and-Roaming-Client.

This applies to Umbrella software running on .NET framework - currently AD Connector and Roaming client.


.NET #Check your version


Follow this article

https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed


DISABLE #TLS 1.0 and TLS 1.1 at #O.S. level


It can be disabled at the O.S. level (IIS): https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat


TLS 1.2 #HOW TO ENABLE on earlier versions .NET 3.5.1


The .NET framework version 3.5.1 and earlier versions did not provide support for applications to use Transport Layer Security (TLS) System Default Versions as a cryptographic protocol. This update enables the use of TLS v1.2 in the .NET Framework 3.5.1.


Check these registry tips


[whole article here]


TLS 1.2 #HOW TO ENABLE on NEWER versions .NET 4.6.2+


Apply these registry tips


[whole article here]
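
A read-only audit of the registry settings behind the O.S.-level protocol switch and the .NET registry edits mentioned above, as an added example that is not taken from the linked Microsoft or Umbrella articles. The SCHANNEL and .NETFramework key and value names are the standard Windows ones; the helper name Get-RegValue is hypothetical.

```powershell
# Added example: read-only audit, nothing is modified.
function Get-RegValue {            # hypothetical helper name
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, so the OS/.NET default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# 1. SCHANNEL protocol switches (the O.S.-level enable/disable).
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$schannel = foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') {
        $key = "$base\$proto\$role"
        $enabled = Get-RegValue $key 'Enabled'
        if ($null -eq $enabled) { $state = 'not set (OS default)' }
        elseif ($enabled -eq 0) { $state = 'disabled' }
        else                    { $state = 'enabled' }
        [pscustomobject]@{
            Protocol          = $proto
            Role              = $role
            State             = $state
            DisabledByDefault = Get-RegValue $key 'DisabledByDefault'
        }
    }
}

# 2. .NET Framework: installed 4.x release and the TLS-related registry edits.
$release = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' 'Release'
$nativeTls12 = ($null -ne $release) -and ($release -ge 394802)   # 394802 = 4.6.2

$dotnet = foreach ($ver in 'v4.0.30319', 'v2.0.50727') {          # 4.x and 3.5
    foreach ($hive in 'SOFTWARE', 'SOFTWARE\WOW6432Node') {       # 64- and 32-bit
        $key = "HKLM:\$hive\Microsoft\.NETFramework\$ver"
        [pscustomobject]@{
            Key                      = $key
            SchUseStrongCrypto       = Get-RegValue $key 'SchUseStrongCrypto'
            SystemDefaultTlsVersions = Get-RegValue $key 'SystemDefaultTlsVersions'
        }
    }
}

$schannel | Format-Table -AutoSize
"Installed .NET 4.x release: $release (4.6.2 or later: $nativeTls12)"
$dotnet | Format-Table -AutoSize
```

A protocol reported as "not set (OS default)" follows the default of that Windows version, so an empty row is not proof that TLS 1.0 or 1.1 is off.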


UMBRELLA #OLD clients #FORCE TLS 1.2


If you are unable to update the Umbrella/AnyConnect client to use TLS 1.2, you need to follow the steps in this article.


https://support.umbrella.com/hc/en-us/articles/115005871543-Requirements-for-forcing-TLS-1-2-on-the-Connector-and-Roaming-Client


MOZILLA FIREFOX 74


With the 74.0 release TLS 1.0 is disabled, but you can re-enable it in about:config --> Tls by changing the values below




https://www.trishtech.com/2020/03/how-to-enable-tls-1-0-and-tls-1-1-in-mozilla-firefox-74/



Pay attention to below advice:



GOOGLE CHROME 81


Google Chrome version 81 will remove TLS 1.0 and TLS 1.1 support:


https://developers.google.com/web/updates/2020/02/chrome-81-deps-rems



APPLE/SAFARI


Support for TLS 1.0 and 1.1 will be removed from Safari in March 2020 via updates to macOS and iOS.


INTERNET EXPLORER/EDGE


There are rumors that support will be removed in early 2020


SECURITY AWARENESS/WEAKNESS


These old protocols cannot be patched (NIST) against known vulnerabilities such as POODLE, BEAST and others.

- Checking client-side vulnerability:

   https://www.poodletest.com/


- Checking server-side vulnerability:


   http://www.poodlebleed.com


(*) I strongly believe in these assumptions but at the same time I am aware that I am too naive.



George Bernard Shaw

"If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas."


[Update 2020.03.27]

Here is a Microsoft article that explains whether and how to disable TLS 1.0 and 1.1, using Windows 2012 R2 as an example:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786418(v=ws.11)



[update 2020/04/06]

Due to Covid-19 there are more delays than expected; here is an interesting article that gives more explanation.

https://nakedsecurity.sophos.com/2020/04/02/covid-19-forces-browser-makers-to-continue-supporting-tls-1-0/ 

2012 - How to install .NET 3.5 Framework

Over the years I have needed to install the .NET 3.5 framework on Server 2012 R2/Windows 10.

One problem that I faced was that the DVD installation media was unable to locate the installation binaries, and the server/client pointed to a WSUS server (which did not have the binaries).

To bypass the WSUS server and force the binaries to be downloaded from the Internet, you need to change a registry key and use the proper command.

Here are some of the errors shown:



Windows couldn’t complete the requested changes.

The changes couldn’t be completed. Please reboot your computer and try again.

Error code: 0x800F0954

Executing this command

DISM /Online /Enable-Feature /FeatureName:NetFx3 /All

C:\Windows\system32>DISM /Online /Enable-Feature /FeatureName:NetFx3 /All

Deployment Image Servicing and Management tool
Version: 6.3.9600.19408

Image Version: 6.3.9600.19397

Enabling feature(s)
[===========================66.6%======                    ]

Error: 0x800f0906

The source files could not be downloaded.
Use the "source" option to specify the location of the files that are required t
o restore the feature. For more information on specifying a source location, see
 http://go.microsoft.com/fwlink/?LinkId=243077.

The DISM log file can be found at C:\Windows\Logs\DISM\dism.log

The fix is to:
  1. Execute regedit.exe with administrative rights.
  2. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
  3. Search for UseWUServer and set it to 0.
  4. Restart the PC/server.
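
The registry change above as a script, written as an added example rather than code from the original post. It assumes an elevated PowerShell session, restarts the Windows Update service (wuauserv) instead of rebooting, and puts UseWUServer back afterwards so the machine returns to WSUS-managed patching.

```powershell
#Requires -RunAsAdministrator
# Added example: temporarily bypass WSUS, install .NET 3.5, then restore the policy.

$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Remember the current value; $null means the policy is not configured at all.
$original = (Get-ItemProperty -Path $au -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer

try {
    if ($original -eq 1) {
        Set-ItemProperty -Path $au -Name UseWUServer -Value 0 -Type DWord
        # Assumption: restarting the service is used here in place of the reboot
        # described in the post, so the new value is picked up immediately.
        Restart-Service -Name wuauserv
    }

    # Same command as in the post; binaries now come from Windows Update.
    dism.exe /Online /Enable-Feature /FeatureName:NetFx3 /All

    # 0 = success, 3010 = success but a reboot is required.
    if ($LASTEXITCODE -notin 0, 3010) {
        throw "DISM failed with exit code $LASTEXITCODE (see C:\Windows\Logs\DISM\dism.log)"
    }
}
finally {
    # Always restore the WSUS policy, even when DISM fails, so the host
    # does not stay outside managed patching.
    if ($original -eq 1) {
        Set-ItemProperty -Path $au -Name UseWUServer -Value 1 -Type DWord
        Restart-Service -Name wuauserv
    }
}
```

On domain-joined machines Group Policy rewrites UseWUServer at the next policy refresh, so a manual change that is never reverted can mask a host that missed WSUS-approved updates in the meantime.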


More information can be found in the article below:

Extra IT - Corona Virus Self-certification web site #Italy Legislation only

A website was recently registered where you can fill in the self-certification of your movements (required by the Italian decree-laws on Corona Virus) and carry it on your smartphone.

The site offers two apps (Android and iOS) so that you always have the completed copy on your mobile phone, ready to present if requested.

You might be interested in these articles (mainly in Italian):


Windows 10 - Automatic metric & Change network adapters priority

On Windows 10 each network interface receives a different priority (network metric) that defines the primary connection your system will use.

Sometimes the configuration has to be done manually, especially when you have more than one network card connected at the same time.

start --> ncpa.cpl





Using PowerShell:

Get-NetIPInterface

Identify your network card in the previous output list (changing the -InterfaceIndex value accordingly) and assign the -InterfaceMetric nn value:

Set-NetIPInterface -InterfaceIndex 17 -InterfaceMetric 15

and later use this command to re-enable the automatic metric:

Set-NetIPInterface -InterfaceIndex 17 -AutomaticMetric Enabled