Force Replication of all Domain Controllers on all Sites

If you want to replicate all Domain Controllers, then you have to start replication on each of them separately. This may take a while. To save time there is an easier way to force replication on all Domain Controllers of all Active Directory Sites.

Log on to one of your Domain Controllers. Start Windows PowerShell with administrative privileges. Using the Get-ADDomain cmdlet we can get the domain name and the domain partition.

function Replicate-AllDomainControllers {
(Get-ADDomainController -Filter *).Name | Foreach-Object {repadmin /syncall $_ (Get-ADDomain).DistinguishedName /e /A | Out-Null}; Start-Sleep 10; Get-ADReplicationPartnerMetadata -Target "$env:userdnsdomain" -Scope Domain | Select-Object Server, LastReplicationSuccess
}

Replicate-AllDomainControllers

function Replicate-AllDomainControllers {

(Get-ADDomainController -Filter *).Name | Foreach-Object {repadmin /syncall $_ (Get-ADDomain).DistinguishedName /e /A | Out-Null}; Start-Sleep 10; Get-ADReplicationPartnerMetadata -Target "$env:userdnsdomain" -Scope Domain | Select-Object Server, LastReplicationSuccess

}

Replicate-AllDomainControllers

Now depending on the size of your environment the results may take some time to appear. The final output should be something like this:

Date September 14, 2018
Author mo wasay
Comments No Comments

Oracle to charge for Java Updates & how you can disable them

Prepare for 2019

Oracle has announced that, effective January 2019, Java SE 8 public updates will no longer be available for “Business, Commercial or Production use” without a commercial license.

End of Public Updates for Oracle JDK 8

Oracle will not post further updates of Java SE 8 to its public download sites for commercial use after January 2019. Customers who need continued access to critical bug fixes and security fixes as well as general maintenance for Java SE 8 or previous versions can get long term support through Oracle Java SE Advanced Desktop, or Oracle Java SE Suite. For more information, and details on how to receive longer term support for Oracle JDK 8, please see the Oracle Java SE Support Roadmap.

Is Oracle Java still free?

The current version of Java – Java SE 9 as well as Java SE 8 – is free and available for redistribution for general purpose computing. Java SE continues to be available under the Oracle Binary Code License (BCL) free of charge.

Java Runtime Environment (JRE) use for embedded devices or use of commercial features may require a license fee from Oracle. Read more about embedded use of Java SE, or contact your local Oracle sales representative to obtain a license.

What releases of Java technology are currently available?

The Java Platform, Standard Edition (Java SE) and Oracle Java SE Advanced and Suite products are currently shipping from Oracle in the form of the Java Development Kit (JDK), and Java Runtime Environment (JRE). The current releases of the software and links to older versions are available from the Java SE download page.

What are the Oracle Java licensing changes?

Due to the Oracle Java license cost changes, companies will need to collect and identify every application that is running Java SE 8 before the beginning of 2019. Doing so will ensure an accurate forecast of costs and potential non-compliance risk for future software audits in upcoming years.

What about the Java license costs?

The Oracle Technology Global Price List as of May 1, 2018 provides information about current pricing (in dollars):

Products & Metrics	Named User Plus (NUP)	Software Update (License & Support)	Processor (Proc)	Software Update (License & Support)	*Note
Java SE Advanced Desktop	$40	$8.80	–	–	A
Java SE Advanced	$100	$22.00	$5,000	$1,100	B
Java SE Suite	$300	$66.00	$15,000	$3,300	B

*Note:

A: The Named User Plus minimum for this program is 2,000 NUP licenses.

B: The Named User Plus minimum for this program is 10 NUP per Processor.

What should you do now?

In light of Oracle’s recent announcement, companies should begin considering:

How to anticipate the situation?
How many Java installations do we have, where and why?
Are there usages embedded?
Can we replace Java with another technology?
What will the cost be in January 2019?

Oracle suggests running a tool to ﬁnd Java installations using a Java package called Java Usage Tracker. This will report information like:

The Java versions
Application name
Type (applet, command line, etc).
Location and more

However, the Oracle Java Usage Tracker requires a commercial license 🙂 – even though it’s included in the installer that comes with the free components.

Disabling Java Updates

Small to Medium sized organizations may not want to pay and should consider disabling updates altogether.

Windows Server 2008R2/2012/2012R2/2016 (x64)

There’s a registry setting in HKEY_LOCAL_MACHINE that will allow you to completely disable both update notifications and the update functionality.

The full path of the key is HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy

The registry entry is named EnableJavaUpdate and is a DWORD value that defaults to 1 for the update functionality to be enabled. Setting the value to 0 disables updates.

When updates are enabled:

64-bit registry redirection:

There is a subkey located at HKLM\Software\Wow6432Node that contains the relevant settings for 32-bit applications, and within here, is the expected JavaSoft registry key. This is similar to the automatic system controlled C:\Windows\SysWOW64 directory for 32-bit compatiblity.

To disable updates, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy\

Create a new DWORD value called EnableAutoUpdateCheck , and set it to 0.

Change the key EnableJavaUpdate to 0; this stops any needing to install updates, and annoying prompts that non-admin users get for installing updates.

Windows Server 2003/2008 (x86)

Stop the update utility from running by deleting the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched

Reboot the server.

In rare cases the control panel needs to be opened as administrator. To do this follow the steps below:

Save this as Java32_Fix.reg and run and it will fix those javacpl.exe as Administrator/Control Panel issues once and for all:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\Program Files\Java\jre6\bin\javacpl.exe"="RUNASADMIN"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]

"C:\Program Files\Java\jre6\bin\javacpl.exe"="RUNASADMIN"

Alternately, this is for 64bit OS’s running 32bit Java:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\Program Files (x86)\Java\jre6\bin\javacpl.exe"="RUNASADMIN"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]

"C:\Program Files (x86)\Java\jre6\bin\javacpl.exe"="RUNASADMIN"

Date August 7, 2018
Author mo wasay
Comments No Comments

Windows (10 & 2016) Build 1709 & 1803 cannot connect to SMB Shares

Applies to: Windows 10, version 1803, Windows Server version 1803, Windows 10, version 1709, Windows Server Datacenter Core, and Windows Server Standard Core

As users and organizations are upgrading to Windows 10 Build 1709/1803 they should be aware that SMB 1.0 is no longer installed by default. Among other things, this is going to start a lot of problems especially for the networking and security departments where they might be trying to figure out if it is a firewall that is blocking or an AV program that is limiting the access to the share.

In Windows 10 Fall Creators Update (1709), and Windows Server, version 1709 (RS3) and later versions, the Server Message Block version 1 (SMBv1) network protocol is no longer installed by default. It was superseded by SMBv2 and later protocols starting in 2007. Microsoft publicly deprecated the SMBv1 protocol in 2014.

SMBv1 has the following behavior in Windows 10 Fall Creators Update and Windows Server, version 1709 (RS3):

SMBv1 now has both client and server sub-features that can be uninstalled separately.
Windows 10 Enterprise and Windows 10 Education no longer contain the SMBv1 client or server by default after a clean installation.
Windows Server 2016 no longer contains the SMBv1 client or server by default after a clean installation.
Windows 10 Home and Windows 10 Professional no longer contain the SMBv1 server by default after a clean installation.
Windows 10 Home and Windows 10 Professional still contain the SMBv1 client by default after a clean installation. If the SMBv1 client is not used for 15 days in total (excluding the computer being turned off), it automatically uninstalls itself.
In-place upgrades and Insider flights of Windows 10 Home and Windows 10 Professional do not automatically remove SMB1 initially. If the SMBv1 client or server is not used for 15 days in total (excluding the time during which the computer is off), they each automatically uninstall themselves.
In-place upgrades and Insider flights of Windows 10 Enterprise and Windows 10 Education do not automatically remove SMB1. An administrator must decide to uninstall SMB1 in these managed environments.
Automatic removal of SMB1 after 15 days is a one-time operation. If an administrator re-installs SMB1, no further attempts will be made to uninstall it.
The SMB version 2.02, 2.1, 3.0, 3.02, and 3.1.1 features are still fully supported and included by default as part of the SMBv2 binaries.
Because the Computer Browser service relies on SMBv1, the service is uninstalled if the SMBv1 client or server is uninstalled. This means that Explorer Network can no longer display Windows computers through the legacy NetBIOS datagram browsing method.
SMBv1 can still be reinstalled in all editions of Windows 10 and Windows Server 2016.

If you try to connect to devices that support only SMBv1, or if these devices try to connect to you, you may receive one of the following errors messages:

You can’t connect to the file share because it’s not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack. Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747

The specified network name is no longer available.

Unspecified error 0x80004005

System Error 64

The specified server cannot perform the requested operation.

Error 58

I don’t recommend using SMBv1 but businesses are using legacy hardware/software that might have SMBv1 as the only option. Please plan on upgrading as there are serious security vulnerabilities with SMB1

Work Around:

To work around this issue, contact the manufacturer of the product that supports only SMBv1, and request a software or firmware update that support SMBv2.02 or a later version. For a current list of known vendors and their SMBv1 requirements, see the following Windows and Windows Server Storage Engineering Team Blog article:

SMBv1 Product Clearinghouse

Leasing mode

If SMBv1 is required to provide application compatibility for legacy software behavior, such as a requirement to disable oplocks, Windows provides a new SMB share flag that’s known as Leasing mode. This flag specifies whether a share disables modern SMB semantics such as leases and oplocks.

You can specify a share without using oplocks or leasing to allow a legacy application to work with SMBv2 or a later version. To do this, use the New-SmbShare or Set-SmbShare PowerShell cmdlets together with the -LeasingMode None parameter.

Note You should use this option only on shares that are required by a third-party application for legacy support if the vendor states that it is required. Do not specify Leasing mode on user data shares or CA shares that are used by Scale-Out File Servers. This is because the removal of oplocks and leases causes instability and data corruption in most applications. Leasing mode works only in Share mode. It can be used by any client operating system.

Explorer Network Browsing

The Computer Browser service relies on the SMBv1 protocol to populate the Windows Explorer Network node (also known as “Network Neighborhood”). This legacy protocol is long deprecated, doesn’t route, and has limited security. Because the service cannot function without SMBv1, it is removed at the same time.

However, if you still have to use the Explorer Network in home and small business workgroup environments to locate Windows-based computers, you can follow these steps on your Windows-based computers that no longer use SMBv1:

Start the “Function Discovery Provider Host” and “Function Discovery Resource Publication” services, and then set them to Automatic (Delayed Start).
When you open Explorer Network, enable network discovery when you are prompted.

All Windows devices within that subnet that have these settings will now appear in Network for browsing. This uses the WS-DISCOVERY protocol. Contact your other vendors and manufacturers if their devices still don’t appear in this browse list after the Windows devices appear. It is possible they have this protocol disabled or that they support only SMBv1.

I recommend that you map drives and printers instead of enabling this feature, which still requires searching and browsing for their devices. Mapped resources are easier to locate, require less training, and are safer to use. This is especially true if these resources are provided automatically through Group Policy. An administrator can configure printers for location by methods other than the legacy Computer Browser service by using IP addresses, Active Directory Domain Services (AD DS), Bonjour, mDNS, uPnP, and so on.

If you cannot use any of these workarounds, or if the application manufacturer cannot provide supported versions of SMB, you can re-enable SMBv1 manually by following the steps in KB 2696547. I am listing the PowerShell and GUI steps below.

The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008.
The SMBv3 protocol was introduced in Windows 8 and Windows Server 2012.

Enabling/Disabling SMBv1 & SMBv2 – SMBv3

Windows Server 2012 R2 & 2016:

SMBv1

Detect: Get-WindowsFeature FS-SMB1
Enable: Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Disable: Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

SMB v2/v3 (listing these just in case)

Detect: Get-SmbServerConfiguration | Select EnableSMB2Protocol
Enabled: Set-SmbServerConfiguration -EnableSMB2Protocol $true
Disable: Set-SmbServerConfiguration -EnableSMB2Protocol $false

Windows 8.1 and Windows 10:

SMBv1

Detect: Get-WindowsOptionalFeature –Online –FeatureName SMB1Protocol
Enable: Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Disable: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

SMB v2/v3 (listing these just in case)

Detect: Get-SmbServerConfiguration | Select EnableSMB2Protocol
Enable: Set-SmbServerConfiguration –EnableSMB2Protocol $true
Disable: Set-SmbServerConfiguration –EnableSMB2Protocol $false

For Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008

SMBv1

Detect: Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

Default configuration = Enabled (No registry key is created), so no SMB1 value will be returned

Enable: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 –Force

You must restart the computer after you make these changes.

Disable: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 –Force

SMB v2/v3 (listing these just in case)

Detect: Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

Enable: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 –Force

You must restart the computer after you make these changes.

Disable: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 –Force

GUI:

Enabling SMBv1

Windows Server 2012 R2 and Windows Server 2016: Server Manager method for disabling SMB

Windows 8.1 and Windows 10: Add or Remove Programs method

Important: I strongly recommend that you do not reinstall SMBv1. This is because this older protocol has known security issues regarding ransomware and other malware.

Date August 2, 2018
Author mo wasay
Comments No Comments

All of Windows Cipher Suites

Working on a security project and I needed a reference guide as to what cipher suites are supported on what OS.

So I have documented a list of the default cipher suites and their preferred order for every Windows Server version. These were gathered from fully patched operating systems.

These are the server defaults for reference only. I do not recommend using the default cipher suites or the order listed.

Windows Server 2003

TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_WITH_NULL_MD5 TLS_RSA_WITH_NULL_SHA

Windows Server 2008

TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521 TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD5 SSL_CK_RC4_128_WITH_MD5 SSL_CK_DES_192_EDE3_CBC_WITH_MD5 TLS_RSA_WITH_NULL_MD5 TLS_RSA_WITH_NULL_SHA

Windows Server 2008 R2

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA SSL_CK_RC4_128_WITH_MD5 SSL_CK_DES_192_EDE3_CBC_WITH_MD5

Windows Server 2012

TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD5 SSL_CK_RC4_128_WITH_MD5 SSL_CK_DES_192_EDE3_CBC_WITH_MD5 TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA

Windows Server 2012 R2

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA SSL_CK_RC4_128_WITH_MD5 SSL_CK_DES_192_EDE3_CBC_WITH_MD5

Windows Server 2016

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA SSL_CK_DES_192_EDE3_CBC_WITH_MD5 SSL_CK_RC4_128_WITH_MD5

Date May 15, 2018
Author mo wasay
Comments No Comments

Deploying the SCCM Client with VMware Client Windows Guest Customization

Since SCCM is our configuration management tool of choice, the SCCM client needs to get installed on all of our newly provisioned VMs.

I created a service account that only has read permission to the \\sccmserver\sms_sitecode\client share on the SCCM server. The client is installed from this location to ensure that we are always using the latest version and get rid of any need to manually copy files or put it in the template.

1. Make sure that you have your customization spec configured to log in once as administrator:

2. Add the following lines to you customization spec.

cmd.exe /c net use i: \\sccmserver\SMS_sitecode\Client /user:username password
cmd.exe /c i:\ccmsetup.exe <options>
timeout 60
cmd.exe /c shutdown -r -t 00

cmd.exe /c net use i: \\sccmserver\SMS_sitecode\Client /user:username password

cmd.exe /c i:\ccmsetup.exe <options>

timeout 60

cmd.exe /c shutdown -r -t 00

This maps a drive to your SCCM share using the service account, installs the client, and then reboots the virtual machine. I put a timeout (sleep) for 60 seconds in there to make sure the install has time to do what it needs to do and it is working well at this point.

3. Once the VM is created and customized and rebooted you should have a service ‘SMS Agent’ started (Automatic Delayed Start).

Date April 19, 2018
Author mo wasay
Comments No Comments

List Domain Admins & Enterprise Admins in a domain

If you want to find out how many domain/ enterprise admins are active/inactive in domain you can use the following PowerShell command to figure out:

Get the list of domain admins and check if they are enabled.

Get-ADGroupMember -Identity "Domain Admins" -Recursive | %{Get-ADUser -Identity $_.distinguishedName} | Select Name, Enabled

1	Get-ADGroupMember -Identity "Domain Admins" -Recursive \| %{Get-ADUser -Identity $_.distinguishedName} \| Select Name, Enabled

Get the list of enterprise admins and check if they are enabled.

Get-ADGroupMember -Identity "Enterprise Admins" -Recursive | %{Get-ADUser -Identity $_.distinguishedName} | Select Name, Enabled

1	Get-ADGroupMember -Identity "Enterprise Admins" -Recursive \| %{Get-ADUser -Identity $_.distinguishedName} \| Select Name, Enabled

Date April 19, 2018
Author mo wasay
Comments No Comments

What version of SQL Server do I have?

Working with so many versions of SQL a quick reference list is always helpful that shows the versions numbers and service packs.

A downloadable version of an Excel workbook that contains all the build versions together with their current support lifecycle stage for 2005 through the current version is available. Click to download this Excel file now. (File name: SQL Server Builds V3.xlsx)

This unofficial build chart lists all of the known Service Packs (SP), Cumulative Updates (CU), patches, hotfixes and other builds of MS SQL Server 2017, 2016, 2014, 2012, 2008 R2, 2008, 2005, 2000, 7.0, 6.5 and 6.0 that have been released.

Useful articles:

Quick summary:

All SQLServer service packs are cumulative, meaning that each new service pack contains all the fixes that are included with previous service packs and any new fixes.

	RTM (no SP)	SP1	SP2	SP3	SP4
SQL Server 2017 codename vNext	14.0.1000.169 *new
SQL Server 2016	13.0.1601.5	13.0.4001.0 or 13.1.4001.0
SQL Server 2014	12.0.2000.8	12.0.4100.1 or 12.1.4100.1	12.0.5000.0 or 12.2.5000.0
SQL Server 2012 codename Denali	11.0.2100.60	11.0.3000.0 or 11.1.3000.0	11.0.5058.0 or 11.2.5058.0	11.0.6020.0 or 11.3.6020.0	11.0.7001.0 or 11.4.7001.0
SQL Server 2008 R2 codename Kilimanjaro	10.50.1600.1	10.50.2500.0 or 10.51.2500.0	10.50.4000.0 or 10.52.4000.0	10.50.6000.34 or 10.53.6000.34
SQL Server 2008 codename Katmai	10.0.1600.22	10.0.2531.0 or 10.1.2531.0	10.0.4000.0 or 10.2.4000.0	10.0.5500.0 or 10.3.5500.0	10.0.6000.29 or 10.4.6000.29
SQL Server 2005 codename Yukon	9.0.1399.06	9.0.2047	9.0.3042	9.0.4035	9.0.5000
SQL Server 2000 codename Shiloh	8.0.194	8.0.384	8.0.532	8.0.760	8.0.2039
SQL Server 7.0 codename Sphinx	7.0.623	7.0.699	7.0.842	7.0.961	7.0.1063

All SQLServer service packs are cumulative, meaning that each new service pack contains all the fixes that are included with previous service packs and any new fixes.

Date April 5, 2018
Author mo wasay
Comments No Comments

NSLookup still showing IP of demoted Domain Controller

So had an interesting issue today where a Domain Controller (DC) was demoted yet the IP of the demoted DC was still showing up when running nslookup internaldomain.local

Demoted DC: MWDC04 / IP: 10.14.111.111

I had done the metadata cleanup and tried many suggestions when googling the subject. To my surprise none of the solutions I found worked.

I had removed the IP address from the Primary DNS Server and saw entries for:

(same as parent folder) Host(A) 10.14.111.111
(same as parent folder) NameServer (NS) 10.14.111.111

I also looked under internaldomain.local > _msdcs and deleted entries from there.

After clearing the cache and waiting for replication, did a nslookup again and the IP was still there.

Well, there are some good and bad things about Microsoft DNS.

The BAD:

You cannot search DNS values in DNS Management. You are limited to searching just the names.

THE GOOD:

All DNS entries are stored in a flat file on the DNS Server “C:\WINDOWS\system32\dns\internaldomain.local.dns” (The default location). JACKPOT!

I opened it up in Notepad++, did a search for IP and DNS name of the demoted server(MWDC04-10.14.111.111) and started deleting matched entries. I was so surprised to find entries that were deeply buried under “domaindnszones” & “forestdnszones” and a few other subzones.

Cleared the cache again and waited for replication. Once replication completed I tried nslookup internaldomain.local and this time it didn’t list the demoted DC anymore.

I hope this saves others time, because finding a record in DNS might be like searching for a needle in a haystack!

Date March 23, 2018
Author mo wasay
Comments No Comments

ConfigMgr 2012 R2 – WSUS sync fails with HTTP 503 errors

Ran into this issue with ConfigMgr 2012 R2 where it was unable to synchronize Software Update Point with the WSUS server. A review of the component status messages for the SMS_WSUS_SYNC_MANAGER component on the primary site server reveals errors related to WSUS synchronization which are similar to the following:

Message ID: 6703 WSUS Synchronization failed. Message: The request failed with HTTP status 503: Service Unavailable. Source: Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer.

Got the following error when trying to open Update Services on the WSUS server

Error: Connection Error An error occurred trying to connect to the WSUS server. This error can happen for a number of reasons. Please contact your network administrator if the problem persists. Click the Reset Server Node to connect to the server again.

In addition to the above, attempts to access the URL for the WSUS Administration website (i.e., http://CMCASSERVER:8530) fails with the error:

HTTP Error 503. The service is unavailable

In this situation, the most likely cause is that the WsusPool Application Pool in IIS is in a stopped state, as shown below.

Also, the Private Memory Limit (KB) for the Application Pool is probably set to the default value of 1843200 KB.

If you encounter this problem, increase the Private Memory Limit to 4GB (4000000 KB) and restart the Application Pool. To increase the Private Memory Limit, select the WsusPool Application Pool and click Advanced Settings under Edit Application Pool. Then set the Private Memory Limit to 4GB (4000000 KB).

After the Application Pool has been restarted, monitor the SMS_WSUS_SYNC_MANAGER component status, wcm.log and wsyncmgr.log for failures. Please note that it may be necessary to increase the Private Memory Limit to 8GB (8000000 KB) or higher depending on the environment.

Now WSUS is back online!

Date March 19, 2018
Author mo wasay
Comments No Comments

Ways to Mitigate the Meltdown & Spectre Problem

To mitigate the flaws of the two large vulnerabilities vendors have been scrabbling to come out with updates to provide consumers with a fix.

If exploited, these vulnerabilities can give hackers unprecedented access to compromised systems and widespread liberty to steal a broad variety of confidential, sensitive data. Their severity, complexity and scope puts them among the most dangerous ever.

Namely, the vulnerabilities affect virtually all processors made by all big chip makers (Intel, AMD, Apple, etc.) dating back to 1995.

No Easy Fix as all of it is “Work in Progress”

There is a lot of confusion and compatibility issues that have been reported with the fixes that are coming out and vendors seem to be having a hard time working them out which is causing frustrations to a lot of consumers. I am listing the steps I have taken to mitigate the vulnerabilities.

The updates have been broken down by:

OS
- Windows
- macOS
- Linux
Browser
Firmware
Cloud Platforms

Meltdown and Spectre Overview

Meltdown (rogue data cache load — CVE-2017-5754)

Meltdown is a CPU vulnerability that allows a user mode program to access privileged kernel-mode memory. It affects all out-of-order Intel processors released since 1995 with the exception of Itanium and pre-2013 Atoms. A list of vulnerable ARM processors and mitigations is listed here. No AMD processors are affected by Meltdown.

Of the two bugs, Meltdown is the easier one to fix, and can largely be addressed with operating system updates.

Spectre variant 1 (bounds check bypass — CVE-2017-5753) &Spectre variant 2 (branch target injection CVE-2017-5715)

Spectre isn’t so much a specific vulnerability as it’s a new class of attack. It’s enabled by the unintended side effects of speculative execution (something processors do to speed things up by predicting what instructions they’re about to recieve and executing them ahead of time).

There are two flavors of Spectre — variant 1 (bounds check bypass, CVE-2017-5753) and variant 2 (branch target injection, CVE-2017-5715). Both can potentially allow attackers to extract information from other running processes (ex: stealing login cookies from browsers).

Intel, ARM, and AMD processors are all reportedly affected by Spectre to some degree, and it poses significant patching problems. While operating system and browser updates have helped mitigate the risk of Spectre to some degree, experts agree the only true fix is a hardware update. As such, Spectre is likely to remain an issue for years to come.

Source: SANS / Rendition Infosec. See the full presentation here

It’s important to note that both vulnerabilities put information disclosure at risk. Neither are remote execution vulnerabilities — in other words, they don’t allow attackers to run malware.

Updates:

Windows:

Microsoft’s process for releasing Windows updates addressing Meltdown and Spectre has been a bumpy road, marred by high-profile incompatibility issues with third-party antivirus (AV) software and AMD processors. In some cases, delivery of the latest security update has been restricted or suspended.

More details and direct download links to the updates below:

Windows 10

Windows 8 and Windows Server 2012
- Windows 8.1 and Server 2012 R2— KB4056898 (issued 1/3/18)
- Update that disables Intel’s Spectre variant 2 mitigation (which has caused issues) — KB4078130 (issued 1/27/18)
- No patches available for Windows Server 2012 non-R2 version
Windows 7 and Windows Server 2008
- Windows 7 SP1 and Server 2008 R2 SP1 — KB4056897 (Security only, issued 1/3/18)
- Windows 7 SP1 and Server 2008 R2 SP1 — KB4056894 (Monthly rollup, issued 1/4/18)
- Update that disables Intel’s Spectre variant 2 mitigation (which has caused issues) — KB4078130 (issued 1/27/18)
- No patches available for Windows Server 2008 non-R2 version

Windows Server 2000, 2003 & Windows XP, Vista
- Large enterprises may still be using systems that are over a decade old and they are still working! That said, there has been no official word from Microsoft on providing any security updates to older OS(s), because all of them have crossed their support lifecycle and are vulnerable.
- Looking at industry trends looks like vendors are only going back 5 years for hardware microcode update and not supporting older generations processors.
- Considering Microsoft did put out a security patch for Windows 2003 for WannaCry, it would be very surprising if they did not release a security update if there is an active exploit in the wild.

Microsoft has added capabilities to its free Windows Analytics service to help IT pros better track and manage their Meltdown and Spectre patching process. The new features include a dashboard that highlights the status of antivirus compatibility, Windows security updates, and firmware updates — all in one place for every Windows device you manage.

What the Windows updates address:

Spectre variant 1, bounds check bypass (CVE-2017-5753)

Meltdown, rogue data cache load (CVE-2017-5754)Windows patches for 32-bit systems (x86-based systems) do not provide Meltdown mitigations.
Per Microsoft:

The existing 32 bit update packages listed in this advisory fully address CVE-2017-5753 and CVE-2017-5715, but do not provide protections for CVE-2017-5754 at this time. Microsoft is continuing to work with affected chip manufacturers and investigate the best way to provide mitigations for x86 customers, which may be provided in a future update.

What they don’t address:

Spectre variant 2, branch target injection (CVE-2017-5715) — firmware updates are required to fully address Spectre variant 2.Microsoft has issued an emergency out of band update (KB4078130) that disables the mitigation for Spectre variant 2 (branch target injection) that was included in Intel’s buggy microcode updates. Microsoft justified the move by pointing to reports that Intel’s new microcode can cause higher than expected reboots which may result in data loss or corruption (confirmed in Intel’s Q4 2017 financial results statement).Microsoft’s update is available for Windows 7 (SP1), Windows 8.1, and all versions of Windows 10. In can be downloaded here. Alternatively, the company has also provided instructions for helping customers manually disable and enable Spectre variant 2 mitigation via registry setting changes. You can find the instructions for server customers here, and for all other customers here.

Known issues:

AV compatibility issues: During tests, Microsoft discovered that a compatibility issue with “a small number of antivirus software products” was causing system crashes. As a result, the company has made delivery of the Windows security updates linked to above contingent on the presence of a special registry key, which it has instructed all AV vendors to add to customer devices only after they’ve confirmed their products are compatible.
Microsoft will not deliver the Windows update unless the following registry key exists (more details here)

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD”
Data="0x00000000”

1 2	Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD” Data="0x00000000”

This has created a lot of confusion, especially since the response from AV vendors has varied, with some setting the registry key for their customers and others recommending users set it, themselves, manually. The situation only gets more complicated considering many organizations have more than one AV solution installed.

Update: Microsoft has clarified that Windows Defender Antivirus, System Center Endpoint Protection, and Microsoft Security Essentials are compatible with the update and do set the required registry key.

That means as long as you have one of these built-in Microsoft protections enabled the registry key should be set automatically — no further, manual action should be necessary.

Big caveat: If you are using third party software that Microsoft offically recognizes as AV, it is important to note that, by default, Windows Defender and Microsoft Security Essentials will turn themselves off. That means the registry key won’t be added unless you or your AV actively do it.

If you are unsure, set the registry keys. You will at least be current on all Windows Updates. Even if you have an AV Provider you are just duplicating the effect. Not fully protected until the microcode/firmware update from the chip provider is applied, but you are half way there.

All that said, here is a flow chart that can help you determine your situation:

Windows users who aren’t using a third party antivirus and don’t have Windows Defender or Microsoft Security Essentials enabled will need to set the registry key themselves, manually. To help, Bleeping Computer has put together a .reg file that automates that task here. Note: They also issue a warning to make absolutely sure you’re not running an AV that isn’t compatible with the update before using it.

If you are using an AV and haven’t received the Windows patch yet, you are advised to wait until your AV vendor either issues an update that sets the registry key for you or specifically recommends that you do so, yourself.

AMD compatibility issues: As first reported at the Verge, Microsoft has received numerous reports of PCs running AMD processors not booting after installing the latest Windows security update. After investigating, the company confirmed there were issues, and temporarily stopped delivering the update to AMD devices. Affected users needed to visit Microsoft’s support site for instructions on getting their machines back up and running.Update (1/18/18): Microsoft has announced it will resume rolling out patches for AMD devices running Windows 7 SP1 and Windows Server 2008 R2 SP1, Windows 8.1 and Windows Server 2012 R2, and Windows 10, version 1709. Updates for four versions of Windows 10 — 1511, 1607, and 1703 — are still paused. As are updates for Windows Server 2016 and Windows 10 Enterprise.
Group or MDM policy configuations may be disabling updates: According to Microsoft, if you have Group or MDM policy settings configured to disable preview builds, your machines may not be receiving updates (see what those settings are here). To fix that, Microsoft recommends temporarily changing Group/MDM policy settings to “Not Configured” and changing them back once the updates have been installed.
Performance impact: As with the other operating systems, patches addressing Meltdown and Spectre are expected to take a non-insignificant toll. In a blog post, Microsoft Executive VP Terry Myerson explains the impact of these fixes can vary depending on the version of Windows running and the age of the machine:
- Windows 10 on 2016-era PCs with Skylake, Kabylake, or newer CPU: Single-digit slowdowns, which most users won’t notice.
- Windows 10 on 2015-era PCs with Haswell or older CPU: Slowdown can be more significant. Some users may notice a decrease in performance.
- Windows 8 or Windows 7 on 2015-era PCs with Haswell or older CPU: Most users will likely notice a decrease in system performance.
- Windows Server (any CPU): Mitigations to isolate code within a Windows Server intance results in a more significant performance impact. According to Myerson, “This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.”

Enabling protections for Windows Server

Microsoft has also advised Windows Server customers that they need to take the additional step of adding the following registry keys in order to enable patch protections.

Keep in mind that the above registry key is also required.

To enable the fix:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host and the firmware updates have been applied: fully shutdown all Virtual Machines (to enable the firmware related mitigation for VMs you have to have the firmware update applied on the host before the VM starts).

Restart the server for changes to take effect.

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host and the firmware updates have been applied: fully shutdown all Virtual Machines (to enable the firmware related mitigation for VMs you have to have the firmware update applied on the host before the VM starts).

Restart the server for changes to take effect.

To disable this fix:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the server for the changes to take effect.

(There is no need to change MinVmVersionForCpuBasedMitigations.)

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the server for the changes to take effect.

(There is no need to change MinVmVersionForCpuBasedMitigations.)

Microsoft also notes that for Hyper-V hosts, live migration between patched and unpatched hosts may fail. The company also points to an alternative protection mechanism you can use on hosts that don’t have updated firmware yet.

Additional guidance from Microsoft:

Verifying new Windows protections are enabled:

To help confirm whether updates have been implemented correctly Microsoft has provided a PowerShell script that system administrators can run to test Meltdown and Spectre mitigations.

The following command will install the PowerShell module:

PS > Install-Module SpeculationControl

1	PS > Install-Module SpeculationControl

Note: There are a couple of requirements for running this command. First, you’ll need to be running PowerShell with admin privileges and may need to adjust execution policy. Also, the Install-Module command was introduced to PowerShell in version 5.0. Most Windows 7 machines will not have this version, due to the upgrades being optional and unrelated to security. Any machine with an outdated version of PowerShell can still run the Get-SpeculationControlSettings function below, however, as long as you can obtain the contents of the script and run it ad-hoc.

Once installed, the following command will run the test to check your system:

PS > Get-SpeculationControlSettings

1	PS > Get-SpeculationControlSettings

The output will look something like this:

Results for Spectre protections

The first grouping — “Speculation control settings for CVE-2017-5715 [branch target injection] — refer to protections in place for the Spectre vulneralbility. If the value for “Windows OS support for branch target injection mitigation is present” is “True” then the Windows Security update has been successfully installed.

The other red lines in that section simply confirm that more complete mitigation for Spectre requires firmware updates, which Intel says it’s in the process of rolling out. According to the company, updates for more than 90 percent of its processor products should be introduced by the end of next week.

Results for Meltdown protections

The second grouping — “Speculation control settings for CVE-2017-5754 [rogue data cache load] — refer to protections in place for the Meltdown vulneralbility. If you see the following results and no red lines then you’ve confirmed the Windows Security update has been successfully implemented and the machine is protected:

Hardware requires kernel VA shadowing: True

Windows OS support for kernel VA shadow is present: True

Windows OS support for kernel VA shadow is enabled: True

Windows OS support for PCID optimization is enabled: True

Hardware requires kernel VA shadowing: True

Windows OS support for kernel VA shadow is present: True

Windows OS support for kernel VA shadow is enabled: True

Windows OS support for PCID optimization is enabled: True

If you see any red lines in this section then that means the update has not been successfully applied. For more details on interpreting the PowerShell script output, Microsoft has a full results key here.

MacOS & iOS

Apple included mitigations to address Meltdown in its macOS 10.13.2 and iOS 11.2 updates released in December. It has since followed up with additional mitigations addressing Spectre with the just-issued macOS High Sierra 10.13.2 Supplemental Update and iOS 11.2.2 update.

What they address:

Meltdown (rogue data cache load — CVE-2017-5754)
Spectre variant 1 (bounds check bypass — CVE-2017-5753) to some degree
Spectre variant 2, (branch target injection — CVE-2017-5715) to some degree

What they dont’ address:

Spectre variants 1 and 2 — to some degree
While Apple says its latest updates to macOS, iOS, and Safari help mitigate the risk of Spectre being exploited, the company acknowleges it will be continuing to develop and test further mitigations.

No reported compatibility or performance issues

Linux:

After being left out of the loop, Linux developers are making significant progress on patches, even if they’re not particularly happy about being put in this position. The latest update of the stable Linux kernel (4.14.13) includes patches designed to mitigate Meltdown with Kernel Page Table Isolation (KPTI). More comprehensive patches (including fixes for ARM64 processors) will be available in 4.15, scheduled for release in two weeks.

Patches have also been added to the 4.4 and 4.9 stable kernel trees.

Canonical has released a second update for Ubuntu 16.04 LTS Xenial users after the first caused boot issues. You can find the new update with Linux kernel image 4.4.0-109 here.

What they address:

Meltdown (rogue data cache load — CVE-2017-5754), though not currently for 32bit (x86) machines
Spectre variant 1 (bounds check bypass — CVE-2017-5753) to some degree
Spectre variant 2, (branch target injection — CVE-2017-5715) to some degree

What they dont’ address:

Meltdown for 32bit (x86) machines
Spectre variants 1 and 2 — to some degree
Patches have now been released that mitigate both variants of Spectre, but variant 2 mitigation also requires firmware/microcode updates to be in place. Because those updates are still being (re)developed and rolled out — keep in mind the latest recommendation from Intel was not to apply its firmware patches — variant 2 mitigation is currently incomplete.Work is underway to implement Retpoline, a workaround mitigation technique introduced by Google specifically for dealing with Spectre variant 2. The big advantage of Retpoline appears to be that it results in less of a performance impact than the microcode fixes, but, that said, it does have limitations.For one thing, Retpoline does not work on Intel Skylake processors. More importantly, it requires that code be recompiled in order to “immunize” it. While recompiling the kernel with Retpoline is one thing, updating every userspace application is anything but a quick fix. As this FAQ on the Ubuntu Wiki puts it, “until every piece of code on a system is rebuilt with retpoline the kernel must use microcode-based mitigations to protect userspace.” In other words, Retpoline isn’t a complete substitution for applying microcode updates — yet.

Known issues:

Patches haven’t been released for machines running ARM64 processors: They are expected to be supported with the release of 4.15 in a couple of weeks.
Patches bricking Ubuntu 16.04 computers: According to Bleeping Computer, boot issues have been reported by a large number of Ubuntu users running the Xenial 16.04 series after updating to kernel image 4.4.0-108. New updates with kernel image 4.4.0-109 have since been released which address the issue.
No Meltdown fix is currently available for 32bit (x86): Moving to a 64-bit kernel is the only currently recommended mitigation.
Spectre version 2 mitigations still reliant on firmware updates: As Intel and AMD continue to work through update difficulties mitigation remains incomplete.
Performance impact: Based on initial testing, performance penalties for the patches are expected to range from single to double digits, depending primarily on how much interaction applications/workloads have with the kernel. You can find more details in benchmark studies conducted by Phoronix and Red Hat.

Checking Linux for Spectre and Meltdown vulnerability:

A simple script has been developed to help determine whether Linux kernel installations are still vulnerable to Meltdown and Spectre after applying patches. You can find it along with installation instructions here.

Browsers:

According to researchers, the most likely exploitation of Spectre appears to be web-based attacks using JavaScript (say in a malicious ad) to leak information, session keys, etc. cached in the browser. As such, Google, Mozilla, Apple, and Microsoft have all either issued or schedule new updates for their browsers to reduce that risk.

What browser updates address:

Spectre (CVE-2017-5753 and CVE-2017-5715) to some extent

What browser updates dont’ address:

Meltdown (CVE-2017-5754)
You’ll need to apply OS updates to mitigate Meltdown.

Chrome

Google Chrome users are advised to turn on site isolation, which can help prevent a site from stealing data from another site.

Google has officially released Chrome 64 for Windows, Mac, and Linux. The update does include a patch to address Spectre, although Google did not provide technical details, stating simply “this release contains additional mitigations against speculative side-channel attack techniques.” In addition to those mitigations, the update also addresses other flaws (there are a total of 53 security fixes in all).

Firefox

Mozilla has already issued Firefox version 57.0.4, which helps address Spectre by disabling or reducing Firefox’s internal timer functions and disabling the SharedArrayBuffer feature. Firefox users can take additional precaution by enabling site isolation, as well.

Safari

Apple has released Safari 11.0.2 to specifically mitigate the effects of Spectre.

IE and Edge

Microsoft has made changes to both Internet Explorer 11 and Microsoft Edge to mitigate Spectre. In addition to removing support for SharedArrayBuffer from Edge, it has made changes to reduce the precision of several time sources to make successful attacks more difficult.

Firmware

OS and browser updates only partially mitigate Meltdown and Spectre. Organizations need to be prepared for UEFI firmware and BIOS updates, as well. When and whether updates will be pushed out will vary from vendor to vendor, adding another layer of complexity and uncertainty to patching. In some cases, admins may have to proactively check for updates from their PC makers periodically over the next few days or weeks.

Intel

Note: The saga surrounding Intel updates is long and ongoing. For the lastest news, skip down to “Known issues” and scroll to the bottom of the list.

UPDATE 1/12/18: Intel has released new Linux Processor microcode data files that can be used to add Meltdown and Spectre mitigations without having to perform a BIOS update.

Intel went on record promising firmware updates for 90 percent of affected processors made in the past five years on January 15. So far, it looks as though these microcode fixes apply to a specific list of processors provided here.

The microcode updates can be downloaded directly from Intel, and Bleeping Computer has provided instructions and a video example to help walk admins through the install process here. It should be noted that some issues have already been reported with the updates, specifically around unwanted reboots. While Intel initially confirmed machines with Broadwell and Haswell CPUs were experiencing that issue, later the company said machines running newer processors were affected, too (more details below).

Windows users need to wait until Microsoft finishes testing the microcode and releases an additional update.

Known issues:

Performance impact: Statements regarding the potential performance impact of those updates have been inconsistent, but the company has most recently said the patches are slowing processors down by six percent in certain situations. Intel has shared more details on performance impact based on specific workloads in a chart you can find here.
Older Broadwell and Haswell CPUs experiencing sudden reboots: Intel is already confirming the company has received reports of glitches resulting from the firmware update on systems running Intel Broadwell and Haswell CPUs.
Machines with newer CPUs also experiencing sudden reboots: Intel has since confirmed the firmware update is causing machines with Ivy Bridge, Sandy Bridge, Skylake, and Kaby Lake processors to suffer unwanted reboots, too. Intel now recommending customers NOT apply firmware update: The company has reportedly discovered the root cause of the Broadwell and Haswell boot issues, and is testing an updated patch. In the meantime, it is recommending customers stop deployment of the current patch to avoid reboots and other “unpredictable system behavior.” Recently Intel has issued a new microcode update for Skylake processors that addresses Spectre variant 2. Skylake system owners should expect firmware updates soon. Fixes for other chips remain in beta testing.
HP and Dell have removed latest BIOS updates until Intel issues new stable firmware: Following Intel’s advice, both companies have halted deployment of Intel’s buggy microcode.
Microsoft has issued an emergency out of band update (KB4078130) that disables Intel’s mitigation for Spectre variant 2: Microsoft justified the move by pointing to reports that Intel’s new microcode can cause higher than expected reboots which may result in data loss or corruption (confirmed in Intel’s Q4 2017 financial results statement).
UPDATE 2/21/18: Additional microcode updates addressing Spectre variant 2 available: Intel reports its microcode update for Skylake processors is stable, and additional updates for Kaby Lake and Coffee Lake are being rolled out, as well. Considering the problems experienced with the initial firmware updates, many experts are advising caution and careful testing before installing the new updates, however. According to Intel, fixes for Sandy Bridge, Ivy Bridge, Broadwell, and Haswell processors are still in beta. You can find the micocode patch update schedules for all Intel chips here.

AMD

AMD has officially acknowledged that its processors are vulnerable to both variants of Spectre, but not Meltdown. While the company says OS patches are enough to mitigate Spectre variant 1, it will be rolling out optional microcode updates this week, starting with fixes for Ryzen and EPYC processors.

Known issues:

Windows OS update compatibility issues: As first reported at the Verge, Microsoft has received numerous reports of PCs running AMD processors not booting after installing the latest Windows security update. After investigating, the company confirmed there are issues — specifically with AMD Opteron, Athlon, and AMD Turion X2 Ultra families — and temporarily stopped delivering the update to AMD devices. AMD says it is working with Microsoft to resolve the issue. In the meantime, affected users need to visit Microsoft’s support site for instructions on getting their machines back up and running.Microsoft has announced it will resume rolling out patches for AMD devices running Windows 7 SP1 and Windows Server 2008 R2 SP1, Windows 8.1 and Windows Server 2012 R2, and Windows 10, version 1709. Updates for four versions of Windows 10 — 1511, 1607, and 1703 — are still paused. As are updates for Windows Server 2016 and Windows 10 Enterprise.

IBM

According to IBM, firmware patches for POWER7+, POWER8, and POWER9 platforms are all currently available via FixCentral. The company says Power7 patches will be available February 7. In addition, it estimates IBM i operating system patches (also available via FixCentral) will finish rolling out on February 12, and AIX patches are available since January 26.

Cloud

There is special worry about the cloud platforms that collectively host mission-critical workloads from millions of businesses, and data from hundreds of millions of consumers. First, the vulnerabilities can allow an attacker to bypass virtualized partitions, making it possible to steal data from all virtual machines on a single server. Second, there’s concern that in massive data center environments, the performance degradation from the patches would be exponentially replicated, leading to serious slowdowns of applications and web services.

As would be expected, cyber criminals have started to attempt to trick users into installing fake Spectre and Meltdown patches that are really malware, as Malwarebytes Labs recently warned.

What to do…What not to do?

Don’t Panic! The patches that have been issued so far by the OS vendors amount to mitigations and workarounds. The patches themselves are complex, and compatibility issues should be expected. For example, anti-virus software is deeply embedded in systems and kernels. A change in how kernel memory is stored will certainly affect anti-virus products.

Every company will have their own risks in terms of operational risk versus security risk. For that reason, I believe that it may be better for some organizations not to patch and instead use a different compensating control to mitigate exposure as much as possible.

Start and prepare for benchmark testing when patches come out to see how big of a performance impact it is going to make. Before you start, BACKUP, TEST YOUR BACKUP, and BACKUP AGAIN!

There’s a greater sense of urgency with Spectre, because exploiting Meltdown requires having a foothold on the targeted system. Spectre opens up certain types of remote attack scenarios, which could result in compromising credentials and session keys, allowing hackers to bypass many security protections.

Reading other blogs it is apparent that applying patches to migtigate the risk may slow down the systems performance. This is not the case with everyone. It will vary for each business and type of operation. For example, SQL is one of the most common type of database that are being used by businesses large and small. There is a significant I/O hit weather on-premise or in the Cloud. Read more about SQL Server performance with Spectre and Meltdown patches at SolidQ, but there are ways to address it.

For home users with newer Windows and Mac computers, the impact may be negligible. Systems with older processors are expected to see a bigger slowdown. Some servers could see a greater slowdown than PCs.

Over the next several months vendors will release and refine fixes. Only then can we be sure of the performance impact on various systems and configurations.

Keep in mind this is a Two-Part Solution

The specific solution for each system will vary by vendor and product. In most cases, two updates are needed to protect a system:

OS updates are coming fast from all major vendors.
Chipmaker microcode updates are being released as well. Most processors will need updates, but there are some exceptions.

Note that while Meltdown/Spectre can’t crash systems, some fixes can. Early problems have been reported with OS fixes in some scenarios. Also, some fixes require updates from app vendors, particularly antivirus solutions.

The Good News

There are no known exploits in the wild … yet! You still have time to get ahead of this thing.

Next Step

Secure your systems from Meltdown/Spectre vulnerabilities before sensitive data is exposed.

For even more info, Bleeping Computer has put together a good list of official advisories, notices, patches, and updates organized by vendor.

Date February 22, 2018
Author mo wasay
Comments No Comments

mo wasay

Force Replication of all Domain Controllers on all Sites

What releases of Java technology are currently available?

What are the Oracle Java licensing changes?

What about the Java license costs?

What should you do now?

Work Around:

Leasing mode

Explorer Network Browsing

Enabling/Disabling SMBv1 & SMBv2 – SMBv3

Windows Server 2012 R2 & 2016:

SMBv1

SMB v2/v3 (listing these just in case)

Windows 8.1 and Windows 10:

SMBv1

SMB v2/v3 (listing these just in case)

For Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008

SMBv1

SMB v2/v3 (listing these just in case)

GUI:

Enabling SMBv1

Windows Server 2012 R2 and Windows Server 2016: Server Manager method for disabling SMB

Windows 8.1 and Windows 10: Add or Remove Programs method

All of Windows Cipher Suites

Deploying the SCCM Client with VMware Client Windows Guest Customization

What version of SQL Server do I have?

Quick summary:

NSLookup still showing IP of demoted Domain Controller

ConfigMgr 2012 R2 – WSUS sync fails with HTTP 503 errors

Mohammed Wasay

Dallas based Design Technologist & Hybrid Developer

Categories

Archives

Meta