Disabling or Uninstalling Unnecessary Services and Apps in Windows 10

Windows 10 is a powerful and versatile operating system that offers many features and functionalities. However, not all of them are necessary or useful for every user. In fact, some of the services and apps that come preinstalled or run in the background can pose security risks or slow down your system performance.

In this blog post, we will describe which unnecessary services and apps you should disable or remove from Windows 10 for security reasons. We will also explain how to do it safely and easily.

What Are Windows Services?

Windows services are programs that run in the background and provide essential functions for the operating system, such as networking, security, printing, etc. They usually start automatically when you boot up your computer and run until you shut it down.

What Are Windows Apps?

Windows apps are applications that you can install from the Microsoft Store or other sources. They are designed to work with the modern user interface of Windows 10 and offer various functionalities, such as games, productivity tools, social media, etc.

Why Should You Disable or Remove Unnecessary Services and Apps?

There are several reasons why you may want to disable or remove unnecessary services and apps from Windows 10:

  • Security – Some services and apps may have vulnerabilities that can be exploited by hackers or malware. For example, the Remote Desktop service can allow remote access to your computer if it is not configured properly. The Bluetooth service can expose your device to wireless attacks if you don’t use it. Some apps may also collect your personal data or display unwanted ads.
  • Performance – Some services and apps may consume a lot of system resources, such as CPU, RAM, disk space, etc. This can affect your system speed and responsiveness, especially if you have a low-end device or multiple programs running at the same time.
  • Privacy – Some services and apps may send your data to Microsoft or other third-party servers for various purposes, such as diagnostics, feedback, advertising, etc. This can compromise your privacy and expose your online activities to others.
  • Storage – Some services and apps may take up a lot of disk space on your device, especially if they are rarely used or updated. This can limit your available storage space for other files and programs.

Which Services and Apps Should You Disable or Remove?

10 Steps to Securely Configuring Windows 10

Windows 10 is the most popular operating system in the world, but it also comes with some security risks. If you want to protect your data and privacy, you need to configure Windows 10 for security. Here are 10 steps you can follow to make your Windows 10 more secure.

  1. Update Windows 10 regularly – Windows 10 updates often include security patches and bug fixes that can prevent hackers from exploiting vulnerabilities in your system. To check for updates, go to Settings > Update & Security > Windows Update and click on Check for updates. If there are any available updates, install them as soon as possible.
  2. Use a strong password and a PIN – A strong password is one that is long, complex, and unique. It should include a mix of uppercase and lowercase letters, numbers, and symbols. A PIN is a four-digit code that you can use to unlock your device instead of typing your password. To set up a password and a PIN, go to Settings > Accounts > Sign-in options and choose Password and PIN. Make sure you don’t use the same password or PIN for other accounts or devices.
  3. Enable BitLocker encryption – BitLocker is a feature that encrypts your hard drive, making it unreadable to anyone who doesn’t have the right key. This can protect your data in case your device is lost, stolen, or hacked. To enable BitLocker, go to Settings > System > About and click on Device encryption. If your device supports BitLocker, you will see a Turn on button. Click on it and follow the instructions.
  4. Use Windows Defender Firewall and antivirus – Windows Defender Firewall is a feature that blocks unauthorized network connections, preventing hackers from accessing your device or data. Windows Defender antivirus is a feature that scans your device for malware and removes any threats. To use Windows Defender Firewall and antivirus, go to Settings > Update & Security > Windows Security and click on Firewall & network protection and Virus & threat protection. Make sure they are both turned on and up to date.
  5. Enable two-factor authentication – Two-factor authentication is a feature that adds an extra layer of security to your online accounts. It requires you to enter a code or use an app on your phone after entering your password, verifying your identity. To enable two-factor authentication, go to Settings > Accounts > Sign-in options and click on Security key or Windows Hello. Follow the instructions to set up your preferred method of two-factor authentication.
  6. Use a VPN service – A VPN service is a feature that encrypts your internet traffic, hiding your IP address and location from prying eyes. This can protect your privacy and security when you use public Wi-Fi or access geo-restricted content. To use a VPN service, you need to download and install a VPN app from the Microsoft Store or a trusted website. Then, launch the app and connect to a server of your choice.
  7. Disable unnecessary services and apps – Some services and apps that come with Windows 10 may not be essential for your needs, but they can consume resources and pose security risks. To disable unnecessary services and apps, go to Settings > Apps > Apps & features and click on the service or app you want to uninstall or modify. You can also go to Settings > Privacy and review the permissions that each app has access to.
  8. Use a secure browser and extensions – A secure browser is one that protects your online activity from trackers, ads, and malicious websites. A secure extension is one that enhances the functionality of your browser without compromising your security or privacy. To use a secure browser and extensions, you can choose one of the following options:
    • Use Microsoft Edge, which is the default browser for Windows 10. It has features like SmartScreen, Tracking Prevention, InPrivate mode, and Password Monitor that can improve your security and privacy.
    • Use Google Chrome, which is the most popular browser in the world. It has features like Safe Browsing, Incognito mode, Password Checkup, and Sync that can improve your security and privacy.
    • Use Mozilla Firefox, which is the most privacy-focused browser in the world. It has features like Enhanced Tracking Protection, Private Browsing mode, Lockwise, and Monitor that can improve your security and privacy.
  9. Back up your data regularly – Backing up your data copies your files to another location, such as an external hard drive or a cloud service. This can protect your data from accidental deletion, corruption, or ransomware attacks. To back up your data regularly, go to Settings > Update & Security > Backup and click on Add a drive or Backup options. Choose where you want to store your backup files and how often you want to back up.
  10. Educate yourself on cyber threats and best practices – The most important feature for securing your Windows 10 is your own knowledge and awareness. You need to learn how to recognize and avoid common cyber threats, such as phishing, malware, or social engineering. You also need to follow best practices, such as using strong passwords, updating your software, and locking your device when not in use. You can find more information and tips on how to secure your Windows 10 on the Microsoft website or other reputable sources.
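The following script is an added example, not part of the original post: a read-only PowerShell check of the settings that steps 1, 3 and 4 above tell you to turn on. It assumes an elevated PowerShell window on the Windows 10 machine being checked, the built-in Defender, NetSecurity and BitLocker modules, and a 30-day update threshold that you can change.

```powershell
# Added example (not from the original post): a read-only check of the
# settings that steps 1, 3 and 4 of the list above tell you to turn on.
# Assumes an elevated PowerShell window and the built-in Defender,
# NetSecurity and BitLocker modules. The 30-day and 7-day thresholds are
# assumptions; adjust them to your own policy.

$findings = @()

# Step 1: has a Windows update been installed recently?
$lastHotfix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastHotfix -or $lastHotfix.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += "Updates: no hotfix installed in the last 30 days (last: $($lastHotfix.InstalledOn))"
}

# Step 3: is the OS drive protected by BitLocker? (The cmdlet is missing on
# editions without BitLocker, so treat an error as 'not protected'.)
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $osVolume) {
    $findings += "BitLocker: not available on this edition or volume $env:SystemDrive not found"
} elseif ($osVolume.ProtectionStatus -ne 'On') {
    $findings += "BitLocker: protection on $env:SystemDrive is $($osVolume.ProtectionStatus) (volume status $($osVolume.VolumeStatus))"
}

# Step 4: Windows Defender antivirus running with recent signatures?
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings += 'Defender: antivirus is disabled' }
if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender: real-time protection is off' }
if ($mp.AntivirusSignatureAge -gt 7)    { $findings += "Defender: signatures are $($mp.AntivirusSignatureAge) days old" }

# Step 4: Windows Defender Firewall enabled for every network profile?
Get-NetFirewallProfile | ForEach-Object {
    if ($_.Enabled -ne 'True') { $findings += "Firewall: $($_.Name) profile is disabled" }
}

if ($findings.Count -eq 0) {
    Write-Host 'All checked settings match the recommendations.'
} else {
    Write-Host 'Items to fix:'
    $findings | ForEach-Object { Write-Host " - $_" }
}
```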

Check Email Addresses Listed in Active Directory

One of the tasks that administrators often need to perform is to verify that each Active Directory user account has a valid email address. This is important for ensuring that users can receive notifications, access online services, and communicate with other users. There are different ways to verify the email addresses of Active Directory users, but in this article, we will focus on one method that uses PowerShell.

PowerShell is a scripting language that allows administrators to automate tasks and manage systems. PowerShell can interact with Active Directory through the ActiveDirectory module, which provides cmdlets for querying and modifying objects in the directory. To use PowerShell to verify the email addresses of Active Directory users, we need to follow these steps:
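As an added example (these are not the article's own steps), the script below uses the ActiveDirectory module to list enabled user accounts whose mail attribute is missing, malformed, outside the expected domain, or shared by more than one account. It assumes RSAT is installed and that the placeholder domain "contoso.com" is replaced with your own mail domain.

```powershell
# Added example, not the article's own steps: audit the mail attribute of
# enabled Active Directory users. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$expectedDomain = 'contoso.com'   # placeholder: your organisation's mail domain
# Deliberately simple shape check: one local part, one @, a dotted domain.
$addressPattern = '^[^@\s]+@[^@\s]+\.[^@\s]+$'

# Only enabled accounts need notifications; fetch mail in the same query.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail |
    Select-Object SamAccountName, Name, mail

$noMail  = @($users | Where-Object { [string]::IsNullOrWhiteSpace($_.mail) })
$badMail = @($users | Where-Object { $_.mail -and $_.mail -notmatch $addressPattern })
$offSite = @($users | Where-Object { $_.mail -match $addressPattern -and $_.mail -notlike "*@$expectedDomain" })
# Group case-insensitively so Alice@... and alice@... count as one address.
$dupMail = @($users | Where-Object { $_.mail } |
    Group-Object { $_.mail.ToLowerInvariant() } | Where-Object Count -gt 1)

"{0} enabled users checked" -f @($users).Count
"Missing mail address: {0}" -f $noMail.Count
$noMail | Format-Table SamAccountName, Name -AutoSize
"Malformed mail address: {0}" -f $badMail.Count
$badMail | Format-Table SamAccountName, mail -AutoSize
"Address outside ${expectedDomain}: {0}" -f $offSite.Count
$offSite | Format-Table SamAccountName, mail -AutoSize
"Addresses shared by several accounts: {0}" -f $dupMail.Count
$dupMail | ForEach-Object { "{0} -> {1}" -f $_.Name, ($_.Group.SamAccountName -join ', ') }
```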

Different Ways to Reboot Windows 10 Computer

Rebooting a Windows 10 computer is a common and simple operation that can help you fix some software issues or apply the changes you have made to your computer. However, do you know how to reboot Windows 10 properly? In this blog post, I will show you four different ways to restart your Windows 10 computer in a professional and safe manner.

Many might find these instructions too simple or too well known to even list, but some users are just learning how to use Windows 10 and might find these instructions useful.

Method 1: Reboot in a Normal Way

This is the conventional and most widely used method. You can follow these steps to reboot your Windows 10 computer in a normal way:

  1. Open Start on Windows 10.
  2. Press the Power button and select Restart from the popup menu.
  3. Wait for your computer to restart.

Alternatively, you can also use the Power User Menu to perform a normal restart of Windows 10. Here are the steps:

  1. Right-click on the Start button or press the Windows key and the X key at the same time to open the Power User Menu.
  2. Go to Shut down or sign out.
  3. Select Restart from the popup sub-menu of Shut down or sign out.
  4. Wait for your computer to restart.

Method 2: Reboot using Ctrl+Alt+Del

You can also use the keyboard shortcut Ctrl+Alt+Del to restart your Windows 10 computer. This method works on all Windows 10 computers. Here is how to do it:

  1. Press Ctrl+Alt+Del at the same time on your keyboard to open the shutdown dialog box.
  2. Click on the Power button that is on the lower-right side of your computer screen.
  3. Select Restart from the pop-out menu.
  4. Wait for your computer to restart.

Method 3: Restart from Command Prompt

The third method is to restart your Windows 10 computer from Command Prompt. This method requires you to use the shutdown command to reboot Windows 10. You can follow these steps to do it:

  1. Open Command Prompt as an administrator. You can do this by typing cmd in the Start menu, right-clicking on Command Prompt, and selecting Run as Administrator.
  2. In the Command Prompt window, type “shutdown /r” (without the quotes) and press Enter. This will initiate a restart of your computer.
  3. Wait for your computer to restart.

How to Create a Secure Windows 10 Workstation for Beginners

If you are new to Windows 10 and want to create a secure workstation for your personal or professional use, this blog post is for you. In this post, I will show you how to set up a Windows 10 workstation with some basic security features that will help you protect your data and privacy. Here are the steps you need to follow:

How to Detect a New Domain Controller in Your Network

Some malware can create a Domain Controller to infect your network and steal data. DCShadow is a late-stage kill chain attack that allows an attacker with compromised privileged credentials to register a rogue Active Directory (AD) domain controller (DC). Then the adversary can push any changes they like via replication — including changes that grant them elevated rights and create persistence. It can be extremely difficult to detect a new Domain Controller, so you need to know how to find one if you suspect an infection.

Overview

A domain controller is a server that manages the security and authentication of users and computers in a domain. A domain is a logical grouping of network resources that share a common name and directory database. A new domain controller can be added to a domain for various reasons, such as increasing redundancy, improving performance, or expanding the network.

However, a new domain controller can also pose a security risk if it is not authorized or configured properly. An unauthorized domain controller can compromise the security of the entire domain by granting access to unauthorized users or computers, or by intercepting and modifying network traffic. Therefore, it is important to detect and monitor any new domain controllers in your network.

In this blog post, we will show you how to detect a new domain controller in your network using some simple tools and techniques. We will assume that you have administrative privileges on your network and that you are familiar with basic Windows commands and PowerShell.

Use the Netdom Command

The netdom command is a Windows command-line tool that can be used to manage domains and trust relationships. One of the functions of the netdom command is to list all the domain controllers in a domain. To use the netdom command, you need to open a command prompt as an administrator and type the following command:

netdom query dc

This command will display all the domain controllers in your current domain. You can also specify a different domain name after the dc parameter if you want to query another domain. For example:

netdom query dc example.com

The output of this command will look something like this:

List of domain controllers with accounts in the domain:

DC1
DC2
DC3
The command completed successfully.

You can compare this output with your previous records or expectations to see if there is any new or unexpected domain controller in your domain. If you find one, you should investigate further to determine its origin and purpose.

Use the Get-ADDomainController PowerShell Cmdlet

The Get-ADDomainController PowerShell cmdlet is another tool that can be used to retrieve information about domain controllers in a domain. To use this cmdlet, you need to open a PowerShell window as an administrator and type the following command:

Get-ADDomainController -Filter *

This command will display all the domain controllers in your current domain along with some additional information, such as their name, site, operating system, IP address, and roles. You can also specify a different domain name after the -Server parameter if you want to query another domain. For example:

Get-ADDomainController -Filter * -Server example.com

The output of this command will look something like this:

DistinguishedName : CN=DC1,OU=Domain Controllers,DC=example,DC=com
DNSHostName : DC1.example.com
Enabled : True
Name : DC1
ObjectClass : computer
ObjectGUID : 12345678-1234-1234-1234-123456789012
SamAccountName : DC1$
SID : S-1-5-21-1234567890-1234567890-1234567890-1000
Site : Default-First-Site-Name
OperatingSystem : Windows Server 2019
OperatingSystemVersion : 10.0 (17763)
Forest : example.com
Domain : example.com
IPv4Address : 192.168.1.1
IPv6Address : fe80::1234:5678:90ab:cdef%12
IsGlobalCatalog : True
IsReadOnly : False
IsSeized : False
Roles : {PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster...}

DistinguishedName : CN=DC2,OU=Domain Controllers,DC=example,DC=com
DNSHostName : DC2.example.com
Enabled : True
Name : DC2
ObjectClass : computer
ObjectGUID : 23456789-2345-2345-2345-234567890123
SamAccountName : DC2$
SID : S-1-5-21-2345678901-2345678901-2345678901-1000
Site : Default-First-Site-Name
OperatingSystem : Windows Server 2019
OperatingSystemVersion : 10.0 (17763)
Forest : example.com
Domain : example.com
IPv4Address : 192.168.1.2
IPv6Address : fe80::1235:5678:90ac:cdef%12
IsGlobalCatalog : True
IsReadOnly : False
IsSeized : False
Roles : {PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster...}

You can also use Event ID 4742 (A computer account was changed) in your Security log to monitor changes to your registered Domain Controllers. This event shows which user initiated the change, so you know which Domain Administrator account is being used to perform the attack.
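The script below is an added example, not part of the original post: it combines the two checks above by comparing the current Get-ADDomainController list against a saved baseline, cross-checking computer accounts that carry the domain-controller flag in userAccountControl, and pulling the recent Event ID 4742 entries for those accounts. It assumes the ActiveDirectory module (RSAT), rights to read the Security log, and a baseline file path that is a placeholder you choose.

```powershell
# Added example (not from the original post): detect domain controllers that
# are not in a known-good baseline and show who changed their accounts.
# Assumes the ActiveDirectory module (RSAT) and read access to the Security
# log of the DC you run this on. The baseline path is a placeholder.
Import-Module ActiveDirectory

$BaselinePath = 'C:\Baseline\domain-controllers.json'   # placeholder path

# 1. Current DCs as the domain reports them (same data as
#    "Get-ADDomainController -Filter *", trimmed to what we compare on).
$current = Get-ADDomainController -Filter * |
    Select-Object Name, HostName, IPv4Address, Site, IsGlobalCatalog, IsReadOnly |
    Sort-Object Name

if (-not (Test-Path $BaselinePath)) {
    # First run: record what is there now and stop. Review this list by hand
    # before trusting it as the known-good set.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath; review it before relying on it."
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json

# 2. Anything present now but absent from the baseline is a DC nobody recorded.
$newDCs = Compare-Object -ReferenceObject @($baseline.Name) -DifferenceObject @($current.Name) |
    Where-Object SideIndicator -eq '=>' |
    Select-Object -ExpandProperty InputObject

# 3. Cross-check: computer accounts with SERVER_TRUST_ACCOUNT (0x2000) set in
#    userAccountControl that the DC list does not report.
$flaggedDCs = Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=8192)' |
    Select-Object -ExpandProperty Name
$unlisted = @($flaggedDCs | Where-Object { $_ -notin $current.Name })

# 4. Security log: Event ID 4742 records who changed a computer account.
#    Look at the DC accounts (names end in $) from steps 1 and 3 over 7 days.
$watch = (@($current.Name) + $unlisted) | ForEach-Object { "$_`$" }
$changes = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4742; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Changed   = $d['TargetUserName']
            ChangedBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        }
    } |
    Where-Object { $_.Changed -in $watch }

if ($newDCs)   { Write-Warning "DCs not in baseline: $($newDCs -join ', ')" }
if ($unlisted) { Write-Warning "Accounts flagged as DC but not listed as DC: $($unlisted -join ', ')" }
$changes | Format-Table -AutoSize
```

Event 4742 is written only on the DC that processed the change and only when the Audit Computer Account Management subcategory is enabled, so run the script on each DC or against a central log collector.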

Active Directory Security Overview

Active Directory (AD) is a directory service that manages the identities and access rights of users and devices in a network. AD security settings are the policies and configurations that define how AD objects, such as users, groups, computers, and organizational units, are protected from unauthorized access or modification.

AD security settings are essential for any organization that uses AD as their directory service. They help protect the network from internal and external threats, comply with various regulations and standards, and optimize the network performance and management. However, not all AD security settings are equally important. Some settings have a greater impact on the security posture and compliance status of the network than others.

In this post, I will discuss the importance of the top 5 security settings in AD, namely:

  • Password policy
  • Account lockout policy
  • Group policy
  • Permissions and auditing
  • Kerberos policy

Password Policy

Password policy is the set of rules that govern how passwords are created, changed, and stored in AD. Password policy affects the security of user accounts and the authentication process. A strong password policy should enforce the following requirements:

  • Minimum password length
  • Password complexity
  • Password history
  • Password expiration
  • Password encryption

A strong password policy helps prevent password cracking, guessing, or phishing attacks by making passwords harder to break or steal. It also reduces the risk of password reuse or sharing by requiring users to change their passwords regularly and use different passwords for different accounts. You should look at a minimum password length of 10-12 characters with complexity requirements enabled, remembering at least the last 5 passwords, and so on.

Account Lockout Policy

Account lockout policy is the set of rules that govern how AD responds to failed logon attempts. Account lockout policy affects the security of user accounts and the authentication process. A reasonable account lockout policy should enforce the following requirements:

  • Account lockout threshold
  • Account lockout duration
  • Account lockout reset

A reasonable account lockout policy helps prevent brute force attacks by locking out accounts after a certain number of failed logon attempts. It also reduces the risk of denial-of-service attacks by unlocking accounts after a certain period of time or by allowing administrators to manually reset them. You should look at disabling a user account if they guess their password incorrectly 10 times in 30 minutes, and automatically enabling their account after it has been locked for 30 minutes.

Group Policy

Group policy is the set of rules that govern how AD objects are configured and managed. Group policy affects the security of users, devices, and data. A comprehensive group policy should enforce the following requirements:

  • Security settings
  • Software settings
  • Administrative templates
  • Preferences

A comprehensive group policy helps enforce consistent and secure configurations across the network by applying security settings to users, devices, and data. It also helps automate and simplify the deployment and management of software, policies, and preferences across the network.

You should minimize any GPOs linked at the root domain level as these policies will apply to all users and computers in the domain. You should also avoid blocking policy inheritance and policy enforcement.

Permissions and Auditing

Permissions and auditing are the set of rules that govern how AD objects are accessed and monitored. Permissions and auditing affect the security of users, devices, and data. A granular permissions and auditing policy should enforce the following requirements:

  • Least privilege principle
  • Role-based access control
  • Object ownership
  • Inheritance and propagation
  • Audit policy

A granular permissions and auditing policy helps ensure the confidentiality, integrity, and availability of AD objects by granting only the necessary access rights to authorized users or groups based on their roles and responsibilities. It also helps detect and deter unauthorized access or modification by recording and reporting any changes or activities on AD objects.

Kerberos Policy

Kerberos policy is the set of rules that govern how AD uses Kerberos as its primary authentication protocol. Kerberos policy affects the security of user accounts and the authentication process. A secure Kerberos policy should enforce the following requirements:

  • Ticket lifetime
  • Ticket renewal
  • Maximum tolerance for computer clock synchronization

A secure Kerberos policy helps prevent replay attacks by limiting the validity and renewability of Kerberos tickets. It also helps prevent man-in-the-middle attacks by requiring a close synchronization of computer clocks within the network. It’s advisable to set Maximum lifetime for service ticket to 600 minutes and Maximum lifetime for user ticket renewal to 7 days.

In conclusion, AD security settings are vital for any organization that uses AD as their directory service. Among them, password policy, account lockout policy, group policy, permissions and auditing, and Kerberos policy are the most important ones. They help protect the network from internal and external threats, comply with various regulations and standards, and optimize the network performance and management.
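As an added example (not from the original post), this script compares the domain's current password, lockout and Kerberos settings with the values recommended in the Password Policy, Account Lockout Policy and Kerberos Policy sections above. It assumes the ActiveDirectory module (RSAT), read access to SYSVOL, and that Kerberos policy is set in the Default Domain Policy, whose well-known GUID is 31B2F340-016D-11D2-945F-00C04FB984F9.

```powershell
# Added example (not from the original post): compare the domain's password,
# lockout and Kerberos settings with the values the post recommends.
# Assumes the ActiveDirectory module (RSAT), read access to SYSVOL, and that
# Kerberos policy is defined in the Default Domain Policy (its well-known
# GUID is 31B2F340-016D-11D2-945F-00C04FB984F9).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pw     = Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser

$checks = @(
    @{ Name = 'Minimum password length >= 10';   Actual = $pw.MinPasswordLength;                     Ok = $pw.MinPasswordLength -ge 10 }
    @{ Name = 'Password complexity enabled';     Actual = $pw.ComplexityEnabled;                     Ok = $pw.ComplexityEnabled }
    @{ Name = 'Password history >= 5';           Actual = $pw.PasswordHistoryCount;                  Ok = $pw.PasswordHistoryCount -ge 5 }
    @{ Name = 'Reversible encryption disabled';  Actual = $pw.ReversibleEncryptionEnabled;           Ok = -not $pw.ReversibleEncryptionEnabled }
    @{ Name = 'Lockout after <= 10 bad attempts'; Actual = $pw.LockoutThreshold;                     Ok = ($pw.LockoutThreshold -gt 0) -and ($pw.LockoutThreshold -le 10) }
    @{ Name = 'Lockout window 30 min';           Actual = $pw.LockoutObservationWindow.TotalMinutes; Ok = $pw.LockoutObservationWindow.TotalMinutes -eq 30 }
    @{ Name = 'Lockout duration 30 min';         Actual = $pw.LockoutDuration.TotalMinutes;          Ok = $pw.LockoutDuration.TotalMinutes -eq 30 }
)

# Kerberos policy is not exposed by Get-ADDefaultDomainPasswordPolicy; read it
# from the security template of the Default Domain Policy in SYSVOL.
$policyDir = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}"
$inf = Join-Path $policyDir 'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
$kerb = @{}
$inSection = $false
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Kerberos Policy'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(\d+)') { $kerb[$Matches[1]] = [int]$Matches[2] }
}
# In GptTmpl.inf, MaxServiceAge is in minutes and MaxRenewAge in days.
$checks += @{ Name = 'Service ticket lifetime 600 min'; Actual = $kerb['MaxServiceAge']; Ok = $kerb['MaxServiceAge'] -eq 600 }
$checks += @{ Name = 'User ticket renewal 7 days';      Actual = $kerb['MaxRenewAge'];   Ok = $kerb['MaxRenewAge'] -eq 7 }

$checks | ForEach-Object { [pscustomobject]$_ } | Format-Table Name, Actual, Ok -AutoSize
```

Fine-grained password policies (PSOs) override the domain defaults for the groups they target, so check Get-ADFineGrainedPasswordPolicy separately if you use them.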

Top 10 Ways to Prevent Active Directory Attacks

Active Directory is a Microsoft solution for providing on-premises identity management in an enterprise environment. It is also one of the primary targets of most modern cyber-attacks. Fortunately, there are a few things you can do to help protect your Active Directory environment.

With a few actions, an organization can significantly reduce their attack surface and help protect the Active Directory environment from attack. Since attackers want to steal Active Directory credentials or compromise Active Directory with malicious software, you have to structure your defenses to match their attack strategy.

Understanding VSS and SQL Server

In the early days of SQL Server and Windows, backups weren’t always easy to create. Sometimes you had to completely stop the SQL Server services to get full backups. It could be difficult to back up everything without a pre-backup script to stop required services and post-backup scripts to get everything running again. In the last 10 years, however, a lot has changed. Microsoft has included a few technologies in Windows Server that facilitate the conversation between these different components to allow them to work better together. The main component behind all this success is the Volume Shadow Copy Service (VSS) introduced in Windows Server 2003. The idea is actually quite simple: create a Windows service that is able to coordinate the actions required to create a consistent shadow copy (also known as a snapshot or a point-in-time copy) of the data you want to back up. VSS operates at the block level of the file system. You can then use those shadow copies as your backup or you can take them to another disk or to tape as required, without affecting the running application at that point.

Enable Windows Defender Application Guard in Windows 10

Windows Defender Application Guard is an extra security feature of Windows 10 that rolled out several years ago. When enabled, it implements a sandbox for the Microsoft Edge browser, including Internet Explorer supported sites opened through Edge. Windows Defender Application Guard for Microsoft Edge is a lightweight virtual machine that helps isolate potentially malicious website activity from reaching your operating system, apps, and data.

Three core features of Windows Defender Application Guard:

  • Isolated Browsing – Windows Defender Application Guard uses the latest virtualization technology to help protect your operating system by creating an isolated environment for your Microsoft Edge session.
  • Help Safeguard your PC – Windows Defender Application Guard starts up every time you visit a website that isn’t work-related to help keep potentially malicious attacks away from your PC.
  • Malware Removal – Any websites you visit, files you download, or settings you change while in this isolated environment are deleted when you sign out of Windows, wiping out any potential malware.

Windows Defender Application Guard uses Hyper-V virtualization technology to provide protection against targeted threats. It adds a special virtual layer between the browser and the OS, preventing web apps and the browser from accessing the actual data stored on the disk drive and in memory.

Prior to Windows 10 build 17063, the feature was exclusively available to Enterprise editions of Windows 10. Now, the feature is available to Windows 10 Pro users.

If you are running Windows 10 Pro build 17063 and above, you can try it in action.

10 Steps to Stopping Lateral Movement Attacks

It is estimated that over 75% of cyber attacks come from outside your network. While every attack is unique and tactics may vary, the basic stages of an outsider attack are similar. During the attack, an attacker uses four basic steps to gain a foothold in your environment.

  1. Attack the perimeter – Gain access through any perimeter protections to gain access to the internal resources of the network, like a user’s computer or a server-based resource on the internal network. This can be accomplished using a known vulnerability, or by convincing the user to run a program from an email link or attached file.
  2. Malware Drop – Once they have access to an internal resource, they drop malware onto the endpoint and begin communications to the compromised device, usually through a command and control system. Using the permissions of the current user, they gather intelligence about the network and attempt to elevate their permissions on that endpoint.
  3. Lateral Movement – They now start looking for resources on other systems on the same internal network. As new systems are discovered, they are also compromised and start communicating with the attacker’s command and control system. They gather more intelligence and try to elevate their permissions on all compromised systems.
  4. Trigger Payload – Once your network and systems are owned by the attacker, they start exfiltrating and/or encrypting the files on the compromised internal resources. Game Over.

There are some common mitigation strategies your organization can implement to help prevent lateral movement (step 3 shown above) during an attack. You won’t always detect the initial compromise of an internal resource, but you can limit the damage that can be inflicted by implementing some basic security steps.

Here are 10 steps to reducing the impact of a lateral movement attack:

Windows Security Checklist for Home Systems

While your IT Department may have a handle on enterprise security, not everyone is technical enough to feel confident that their home computer systems are secure from attack. Many people wonder where is the best place to start, what steps they can take that will make the most impact, and which systems are most likely to need attention.

While there are literally hundreds of settings you can alter and fine tune to adjust your specific system settings, we are going to focus on general security actions you can look into, each helping build a general security mindset that will hopefully get you started without feeling overwhelmed. As you begin with general security changes, you will become more confident in your abilities and less worried that you are breaking anything.

General Considerations

  1. Router – All the devices on your home network communicate with the router. This is the device, usually supplied by your internet provider, that allows your home computers to access the internet. This is the access point where most attacks are going to come from, so you want to start here to make sure you have a secure connection to the internet.
    • The router has an administrator-level account, and you must change the default password so that an attacker can’t access your router and disable any security settings.
    • You’ll also want to check if the router is updated with the latest firmware. As vulnerabilities are discovered, the router vendor will provide updated software and you want to make sure your router is patched. This can usually be configured so the router will automatically install new patches, but sometimes this must be manually performed. You’ll want to make sure you investigate these settings and configure them appropriately.
    • You should also disable remote administrator access to your router. This will prevent an attacker from logging into your router unless they are directly connected to the router from your home network. If you need help from your internet provider, they will contact you anyway, so you can grant them access if you need their remote help.
    • You can search the internet with the specific make and model of your router to get the user’s manual or recommended settings.
  2. Wi-Fi Security Settings – Many routers include Wi-Fi, which allows your home computers to connect to the router wirelessly so you can easily access the internet. You’ll need to check the security on your wireless network to enable the basic security features.
    • In Security Settings, create a name for the Wi-Fi network (SSID) and a complex password, and then select a type of encryption, like WPA2. Do not name your Wi-Fi network something that can easily be associated with you, such as your last name or address.
    • When possible, you’ll want to use AES on top of WPA2. Advanced Encryption Standard is a newer encryption standard that should be available on routers built after 2006.
    • Wi-Fi Protected Setup (WPS) was created with the intention of making the user experience easier and quicker when connecting new devices to the network. It works on the idea that you press a button on the router and a button on the device. This makes both devices attempt to pair automatically. You’ll want to disable this feature, if possible, because it has a history of security issues.
    • You can also sometimes create a separate guest Wi-Fi network, if supported by your router. A separate guest network has some advantages, like not having access between the two networks. It not only provides your guests with a unique SSID and password, but it also restricts guests from accessing your primary network where your connected devices live. You never have to disclose your main Wi-Fi network password to guests or visitors since they only need to know the guest Wi-Fi password. You can easily change the guest Wi-Fi password when your guest leaves without having to log all your other devices back into the network.
    • You might also want to consider the Wi-Fi signal power. If people can detect your Wi-Fi from across the street or in a nearby home, there is a risk that they will also attempt to log into your network. You can sometimes adjust the router signal strength or physical placement of the hardware to reduce that risk.
  3. System Update – Now that you have a relatively secure network, you can start looking at the devices connected to that network. A home network used to serve just a laptop or desktop computer, but today you can have a multitude of devices that are connected for internet access. You can have a smart thermostat, doorbell camera, video game console, cellphone, coffeemaker, etc.
    • For each system involved, you’ll need to log into the device and make sure you understand how to check for firmware and operating system updates and attempt to configure the device to automatically check for and apply vendor updates, if possible.
    • For each system involved, review the available security and privacy settings to make sure the device meets recommended settings. Vendor websites are a good resource to help you complete this step.
    • This might also be a good time to determine if the device really needs internet access. If the device is using internet access just to allow you to remotely access the device from the internet, for example, you need to ask yourself if you ever plan on using this feature. If you don’t need the feature, you may be able to disconnect the device from your network and reduce your overall risk profile.
  4. Security Suite – For your major devices like laptops and desktops, you should install and properly configure anti-malware and anti-virus software. There are various free versions available, so research a few vendors and find a solution that meets your needs. Make sure you use a vendor that you can trust.
    • Installing an anti-virus solution with default settings is rarely enough to really protect your computer. You’ll want to look at the available settings and properly configure the solution to provide the security you are expecting. Many vendors will guide you to using the best settings.
  5. Installed Programs – Review each program installed on the computers on your network and determine if those programs are still needed.
    • Maybe you installed a game a few years ago and haven’t used it since that one boring weekend. Now is a good time to uninstall or delete all the unneeded programs that are not essential.
    • If the program doesn’t look like something you need, and an internet search doesn’t answer the question around why it is installed, now is a good time to remove the program. It can be difficult to research something you don’t recognize, but a good internet search should answer your questions.
    • Now that you know what should be installed, a periodic check would help you quickly recognize when something new and unauthorized has been installed. If you do a periodic visual scan of installed applications every couple of months, this will be an easy security check to keep the device as clean and secure as possible.
  6. Program Updates – On your computer, you probably have several programs installed that you may not use very frequently. This could include word processing or spreadsheet suites, but it might also include specialized utilities or even games. All of these need to be patched because vendors periodically update their software to add new features and remove security vulnerabilities.
    • Check each application to see if patching can be automated. There should be a way to manually check for updates, but an automated check will make this process much easier.
    • If the program is older or doesn’t support regular updates, you should consider uninstalling or deleting the application. Each situation is unique, but you need to evaluate the risk if that one old program were compromised and allowed remote access to your computer.
  7. Password Hygiene – Now is also a good time to determine if you need to change your passwords. Easy to remember passwords are usually easy to guess passwords. You should really think about what makes a good password and make sure you change all your passwords to meet current best practice guidelines.
    • You can read more about selecting a better password here. You’ll want to select a really good and unique password for every account. You may need a password manager to store all your passwords, which can encourage longer and more random password selection.
    • Never use the same password for two different accounts. If you are using the same password for LinkedIn as you use for Netflix, if one account is compromised the attacker can use that same password to log into potentially sensitive information from a different account.
    • If you haven’t changed the password recently (within the last 90 days) then change the password now. That will make sure that starting today you are following best practice with your password selection.
    • If you hear one of your online accounts may have been compromised, don’t wait for the service to contact you with the bad news. It takes only a couple of minutes to change a password.
    • If you no longer use the online service, see if the online account allows you to delete or disable the account to reduce your online risk profile.
  8. Firewall Rules – Each computer you use probably has a firewall installed. The Windows Firewall is rarely used, but it can be a great tool for limiting online access to your computer. You can essentially use the Windows Firewall to block remote access to your computer on specific ports and protocols, which can make a remote attack very difficult. Configuring the Windows Firewall correctly can be a little technical, so make sure you do your research and take notes on any changes you make so you can undo them if you find something has stopped working.
    • You can read more about how to get started with the Windows Firewall here. Don’t be afraid to do some internet searches to find some recommended settings.
  9. File Backup – So you have your home network secured, and the devices on that network are also more secure, and the accounts used to log into those devices are more secure. That is all great news, and you can continue to improve on that security as you learn more and have more technical confidence. But you are not completely safe, because a determined attacker is probably more technical than you and knows more tricks to successfully attack your systems. All is not lost, because you can create a fail-safe plan for recovery even if your files are deleted, scrambled, or encrypted to prevent your immediate access.
    • Back up your important files to a safe location. You can manually back up your files to an external disk drive or thumb drive. While not perfect, it can be a cheap and effective way to keep an external copy of important files where an attacker can’t find them. Just be sure to remove the external drive every time you finish the manual backup. Some people store the external drive in a fireproof safe.
    • An online backup service can make automated backups to a secure folder on the internet fast, easy, and low cost. While the amount of space available and cost can vary widely, a little shopping around can allow your entire family to back up their computers for about $100 a year. That is an inexpensive insurance policy if things go sideways.
  10. New Devices – While all the above steps will take some time and energy, you have to remember that this isn’t a one-time effort. As you add new devices to your home network, you have to review these steps again to make sure the new device isn’t the weakest link in your home network.
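The periodic check of installed programs from step 5 is easy to automate. The following PowerShell script is an added example (not from the original post): it snapshots the programs registered in the Windows uninstall registry keys and reports anything that appeared, disappeared or changed version since the last snapshot. The baseline file location is an assumption.

```powershell
# Added example: baseline-and-diff check of installed programs.
# Run in a normal PowerShell window; the first run writes the baseline, later runs compare.
$BaselinePath = Join-Path $env:USERPROFILE 'installed-programs-baseline.json'   # assumed location

# Registry locations where installers register themselves (64-bit, 32-bit and per-user).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledProgramSnapshot {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [PSCustomObject]@{
                Name      = $_.DisplayName
                Version   = [string]$_.DisplayVersion
                Publisher = [string]$_.Publisher
                Installed = [string]$_.InstallDate   # yyyyMMdd when the installer recorded it
            }
        } |
        Sort-Object Name, Version -Unique
}

$current = Get-InstalledProgramSnapshot

if (-not (Test-Path $BaselinePath)) {
    # First run: record what is installed today. Review this list by hand (this is the
    # "uninstall what you don't need" step), then keep it as the baseline.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline written to $BaselinePath ($($current.Count) programs). Review it and re-run later."
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json

# Compare on name and version so silent version changes show up as well as new programs.
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Name, Version

if (-not $diff) {
    Write-Host 'No changes since the baseline.'
} else {
    foreach ($entry in $diff) {
        $label = if ($entry.SideIndicator -eq '=>') { 'NEW/CHANGED' } else { 'REMOVED' }
        Write-Host ('{0,-12} {1} {2}' -f $label, $entry.Name, $entry.Version)
    }
    # Anything labelled NEW/CHANGED that you did not install yourself deserves a closer look.
}
```

Delete the baseline file after you have reviewed and accepted a set of changes so the next run starts from the current state.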

Protecting your family starts with taking responsibility for your home security, and that includes your home network. If you perform all these steps, you are well on your way to a safer and more reliable home network.

Common Active Directory Mistakes

Because of the need for Windows-based security, we commonly use Active Directory (AD) to manage user privileges. This also presents numerous challenges for administrators tasked with managing that environment and keeping critical business files safe and secure. Damage can be done by accounts with elevated privileges, but sometimes vulnerabilities are introduced by administrators poorly managing AD. The best practices outlined by Sarbanes-Oxley and PCI audit requirements can help prevent some security issues, if you follow them consistently and reliably all the time. Sometimes people make mistakes, and we have listed the common ones:

  1. Users as domain administrators. Non-administrative users should not have administrative rights. Even administrative users should have a normal account that they use all the time, and a separate administrative account they only use when actually performing functions requiring elevated privileges. Ignoring the concept of least privilege is a major security issue.
  2. Accounts with elevated credentials. Most security-aware organizations avoid this common mistake by giving users with elevated privileges, such as domain administrators, a normal account to log onto their machine and a separate privileged account for elevated access. The main reason for the separation is to limit the damage from a simple drive-by download or email attack, which runs with the privileges of whichever account is logged on. This also includes keeping everyday user accounts out of the local Administrators group.
  3. Disable Object Protection. Do not turn off the simple warning that asks whether you are sure you want to delete objects in AD. You don’t want to accidentally delete an object if it can be avoided, so the better option is to never turn off object protection.
  4. Keep obsolete accounts. Enabled user accounts that aren’t actively being used are one of the biggest security threats in any organization. Develop a plan to disable and ultimately delete obsolete accounts within 60-90 days of inactivity. This can be accomplished with an automation script or third-party tools.
  5. Single Expert. A mistake many small organizations make when it comes to mission critical operations is having all their eggs in the basket of a single expert who is the only one that can make changes to AD. You need to make sure at least two people understand, have access to, and can create and modify any AD settings in your environment. This prevents the single point of failure in case the person who is the expert leaves the organization or is out of town for a few days and can’t be reached in an emergency.
  6. Poor Active Directory Design. Create a simple to understand and simple to maintain AD structure that is difficult to use incorrectly. Complexity breeds mistakes, so keep the structure and objects as simple as possible.
  7. No Incident Recovery plans. If someone deletes 10,000 directory objects today, how quickly can you recover AD back to normal? If an automated script improperly disables thousands of users, how do you plan to recover? Planning and testing recovery options are a must for all organizations to quickly recover from mistakes. Plan for the worst possible scenarios, and hope for the best. Have a written plan, and test different scenarios at least once per calendar year.
  8. Don’t modernize. Do not allow your core of network security to fall behind on technology. You may not want to upgrade your users to the latest version of Windows, but you should keep your AD environment up to date and never allow your environment to fall behind with the latest security improvements and features. Each and every security patch and Windows update needs to be tested and applied as a top priority.
  9. Share Accounts. Each and every user should have their own network account. Users should never share accounts.
  10. No Password Changes. Users will never change their password if you don’t force them to change their passwords. You should force your users to change their password at least every 90 days, especially if your compliance rules require this setting.

You can get more information about Active Directory here.

History of SQL Server

Have you seen the video on the history of SQL Server?

Microsoft released its first version of SQL Server in 1988. It was designed for the OS/2 platform and was jointly developed by Microsoft and Sybase. During the early 1990s, Microsoft began to develop a new version of SQL Server for the NT platform.

This post has really useful information on the subject of SQL Server history, written by Euan Garden.

The SAF (SQL Admin Facility) interface from SQL Server 1.1:

This article lists some early notes about the development:

“While it was under development, Microsoft decided that SQL Server should be tightly coupled with the NT operating system. In 1992, Microsoft assumed core responsibility for the future of SQL Server for NT. In 1993, Windows NT 3.1 and SQL Server 4.2 for NT were released. Microsoft’s philosophy of combining a high-performance database with an easy-to-use interface proved to be very successful. Microsoft quickly became the second most popular vendor of high-end relational database software. In 1994, Microsoft and Sybase formally ended their partnership. In 1995, Microsoft released version 6.0 of SQL Server. This release was a major rewrite of SQL Server’s core technology. Version 6.0 substantially improved performance, provided built-in replication, and delivered centralized administration. In 1996, Microsoft released version 6.5 of SQL Server. This version brought significant enhancements to the existing technology and provided several new features. In 1997, Microsoft released version 6.5 Enterprise Edition. In 1998, Microsoft released version 7.0 of SQL Server, which was a complete rewrite of the database engine. In 2000, Microsoft released SQL Server 2000. SQL Server version 2000 is Microsoft’s most significant release of SQL Server to date. This version further builds upon the SQL Server 7.0 framework. According to the SQL Server development team, the changes to the database engine are designed to provide an architecture that will last for the next 10 years.”

If you are just interested in the sequence of events the following timeline by Raksh Mishra summarizes the development history of SQL Server:

  • 1987 Sybase releases SQL Server for UNIX
  • 1988 Microsoft, Sybase, and Aston-Tate port SQL Server to OS/2
  • 1989 Microsoft, Sybase, and Aston-Tate release SQL Server 1.0 for OS/2
  • 1990 SQL Server 1.1 is released with support for Windows 3.0 clients. Aston-Tate drops out of SQL Server development
  • 1991 Microsoft and IBM end joint development of OS/2
  • 1992 Microsoft SQL Server 4.2 for 16-bit OS/2 1.3 is released
  • 1992 Microsoft and Sybase port SQL Server to Windows NT
  • 1993 Windows NT 3.1 is released
  • 1993 Microsoft and Sybase release version 4.2 of SQL Server for Windows NT
  • 1994 Microsoft and Sybase co-development of SQL Server officially ends
  • Microsoft continues to develop the Windows version of SQL Server
  • Sybase continues to develop the UNIX version of SQL Server
  • 1995 Microsoft releases version 6.0 of SQL Server
  • 1996 Microsoft releases version 6.5 of SQL Server
  • 1998 Microsoft releases version 7.0 of SQL Server
  • 2000 Microsoft releases SQL Server 2000
  • SQL Server 2000 Service Pack 1 – Release date: June 12, 2001
  • SQL Server 2000 Service Pack 2 – Release date: November 30, 2001
  • SQL Server 2000 Service Pack 3 – Release date: January 17, 2003
  • SQL Server 2000 Service Pack 3a – Release date: May 19, 2003
  • SQL Server 2000 Service Pack 4 – Release date: May 6, 2005
  • 2005 Microsoft releases SQL Server 2005 on November 7th, 2005
  • SQL Server 2005 Service Pack 1 – Release date: March 18, 2006
  • SQL Server 2005 Service Pack 2 – Release date: March 5, 2007
  • SQL Server 2005 Service Pack 3 – Release date: December 15, 2008
  • 2008 Microsoft releases SQL Server 2008 RTM in August 2008
  • SQL Server 2008 Service Pack 1 – Release date: August 27, 2009
  • SQL Azure
  • Microsoft released SQL Server 2008 R2 RTM on April 21, 2010
  • SQL Server 2008 Service Pack 2 – Release date: September 29, 2010
  • SQL Server 2011 (code name Denali) CTP1 – Release date: November 8, 2010
  • SQL Server 2005 Service Pack 4 – Release date: December 17, 2010

These are also some (humorous) details from Kevin Kline at this site.

Scripts for listing all SQL Server Databases and Objects using PowerShell

This powerful script lists all objects in an instance and scripts them into a network folder, by date and instance, so you can keep a record of the objects.

Installing PowerShell the SqlServer module:

Install-Module -Name SqlServer

If there are previous versions of the SqlServer module on the computer, you may be able to use Update-Module, or provide the -AllowClobber parameter:

Install-Module -Name SqlServer -AllowClobber

This article by Angel Gomez gives you the script and some information on how to use it.

Continue reading “Scripts for listing all SQL Server Databases and Objects using PowerShell”

Windows Sandbox in Windows 10

Microsoft introduced the Windows Sandbox feature in Windows 10 version 1903 (May 2019 Update). Windows Sandbox lets you run programs in isolation without affecting your Windows 10 host. It is designed to let you test unknown or suspicious programs in an environment that cannot make changes to the Windows 10 host or the data on that host machine.

Using the Sandbox

Step 1: Launch it by typing “Windows Sandbox” in the Start/Taskbar search field and then pressing the Enter key.

Step 2: After the Sandbox is launched, copy and paste the program setup file that you want to run into Sandbox. You can also use the Edge browser in the Sandbox to download the program you want to test.

Step 3: Run the setup file and install any program. Use the Start menu in the Sandbox to launch any program. Use any program like you would do in the regular desktop environment.

Step 4: Once you are done testing the program, just close the Sandbox to delete any program installed in the Sandbox. This will also delete any data from the Sandbox. Any program or file that you downloaded during the Sandbox session will be removed permanently.

Note: If you cannot find the Windows Sandbox, it’s likely because the feature is turned off or you don’t have a version of Windows 10 that includes this feature.
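Windows Sandbox can also be started from a configuration file (.wsb), which lets you cut the sandbox off from the network before an unknown installer runs. The PowerShell below is an added example, not from the original post: it writes a .wsb that disables networking and vGPU sharing, maps a host folder read-only so the setup file is visible inside the sandbox without copy-and-paste, and launches it. The sample folder path is an assumption.

```powershell
# Added example: launch Windows Sandbox offline with a read-only folder of samples.
$SampleFolder = 'C:\SandboxSamples'                    # assumed host folder holding the setup file
$ConfigPath   = Join-Path $env:TEMP 'offline-test.wsb'

# The feature behind Windows Sandbox is "Containers-DisposableClientVM" (matches the Note above).
# Get-WindowsOptionalFeature needs an elevated prompt; from a normal prompt it just returns nothing.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM -ErrorAction SilentlyContinue
if ($feature -and $feature.State -ne 'Enabled') {
    Write-Warning 'Windows Sandbox is not enabled. From an elevated prompt run:'
    Write-Warning '  Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM'
    return
}

if (-not (Test-Path $SampleFolder)) { New-Item -ItemType Directory -Path $SampleFolder | Out-Null }

# Networking Disable: a malicious installer cannot phone home or scan your LAN.
# ReadOnly true: the sandbox can read the sample but never write back to the host folder.
# Mapped folders appear on the sandbox desktop under the host folder's name.
$folderName = Split-Path $SampleFolder -Leaf
$config = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$SampleFolder</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Desktop\$folderName</Command>
  </LogonCommand>
</Configuration>
"@

Set-Content -Path $ConfigPath -Value $config
# A .wsb file is associated with Windows Sandbox, so opening it starts the sandbox with this configuration.
Start-Process -FilePath $ConfigPath
```

Everything installed or downloaded inside the sandbox is still discarded when you close it, exactly as in Step 4; only the read-only mapped folder survives, because it lives on the host.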

Outlook Mistakes that May Disrupt Your Life

Helpful tips for getting more out of Outlook.

Just about everyone I know uses Microsoft Outlook for business email, and just about everyone I know uses about 5% of what Outlook can do to help with email. There is an article by Eric Simson that lists some steps you can take to reduce the headaches caused by email when using Outlook.

  1. Regretting after Sending the Email
  2. Verifying the Recipient
  3. Set up MailTips Alerts for Common Mistakes

There are also some helpful tips here.

How to disable macros in Microsoft Office

Not everyone has the level of technical expertise to understand why macros are dangerous, or how to disable them. Macros are a really powerful feature in Microsoft Office, allowing you to do many difficult things with the click of a button. These complicated tasks might be formatting a spreadsheet, inserting a standard block of text in Word documents, etc. The problem is that malicious code, like a macro virus, can be executed automatically as a standard macro when the user opens a document from an untrusted source.

The creators of these malicious code segments try to keep users from catching on by disguising their malicious document (usually sent as an email attachment) as something seemingly routine. Malware campaigns are actively infecting user computers right now, with examples like PowerSniff and others that have been around in one form or another for many years.

There are three things that will prevent about 90% of all infection attempts:

  • Disable macros in Microsoft Office. This is fairly easy for even non-technical users to accomplish.
  • Another great way to prevent infections is to never open an attachment from an untrusted source.
  • You should also be running anti-virus and anti-malware software on your computer.

These three simple things will prevent almost 90% of infection attempts, and they are easy and inexpensive solutions to a growing problem.

Disabling Macros in Microsoft Office

  1. Click File > Options.
  2. Click Trust Center, and then click Trust Center Settings.
  3. In the Trust Center, click Macro Settings, where you can now make the change you want, and save them by clicking OK.

Enterprise Efforts

As a technical person, there are several things you can do at your company to help prevent a successful malware attack. These steps will get you closer to stopping about 100% of attack efforts.

  • Security Training – Make sure you create a policy that outlines user responsibilities for cybersecurity. This includes being aware of potential cyber threats, not opening attachments from untrusted sources, selecting strong passwords, etc., as well as the potential risks of opening macro-enabled Office documents.
  • Anti-Malware and Anti-Virus – While software will never be 100% effective in detecting and blocking infections, it can be more effective than nothing.
  • Anti-Spam – Build rules in your spam tool to automatically restrict email attachments with a .zip or other file extensions used for compressing files.
  • Default Microsoft Office Security – Use the default setting of “High” for Macro security on all Microsoft Office applications.
  • PowerShell – Publish a Group Policy Object that restricts the use of PowerShell for most users. Allow PowerShell for specific power users on a case-by-case basis.
  • Monitor Activity – Look for unexpected pings from internal computers and keep an eye on unusual network activity. Only by understanding normal network activity can you detect and stop unusual activity.
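The Trust Center setting from the steps above, and the “High” macro security the enterprise list calls for, can be enforced rather than left to each user: the Office Group Policy templates write their choices under the Policies registry hive, which the Trust Center then shows as locked. The PowerShell below is an added example (not from the original post) that writes those values for the current user; the 16.0 version key covers Office 2016, 2019 and Microsoft 365 and is an assumption you should adjust for other releases.

```powershell
# Added example: enforce "disable all macros without notification" for Word, Excel and PowerPoint.
$OfficeVersion = '16.0'                         # assumption: Office 2016/2019/365 key
$Apps          = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 1 = enable all, 2 = disable with notification, 3 = disable all except
# digitally signed, 4 = disable all without notification (the safest choice).
# BlockContentExecutionFromInternet = 1 blocks macros in files carrying the Mark of the Web
# (downloads and email attachments), even when a user would otherwise be allowed to enable them.
$Settings = @{ VBAWarnings = 4; BlockContentExecutionFromInternet = 1 }

foreach ($app in $Apps) {
    $key = "HKCU:\SOFTWARE\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $Settings.Keys) {
        New-ItemProperty -Path $key -Name $name -Value $Settings[$name] -PropertyType DWord -Force | Out-Null
    }
}

# Verify what is now enforced. Values under the Policies hive are greyed out in Trust Center,
# so a user cannot click them back to "Enable all macros".
foreach ($app in $Apps) {
    Get-ItemProperty -Path "HKCU:\SOFTWARE\Policies\Microsoft\Office\$OfficeVersion\$app\Security" |
        Select-Object @{ n = 'App'; e = { $app } }, VBAWarnings, BlockContentExecutionFromInternet
}
```

For a whole domain, set the same two policies in a Group Policy Object instead, so they survive a user re-creating their profile and apply to every machine at once.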

Limit SMB Traffic in Windows Environments

Microsoft recently posted an article talking about reducing your SMB traffic, and thereby reducing the risk of compromise on your systems. Before you think we’re saying this one change is the solution to all network security issues, even Microsoft states “We are not trying to make the entire network impervious to all threats. We are trying to make your network so irritating to an attacker that they just lose interest and go after some other target.”

Many times we know a security change doesn’t completely fix an issue; we are just making another small change in a series of small changes to make things slightly more secure. A group of small changes often works together to create an overall more secure environment.

If nothing else you’ll have a better understanding of what systems need SMB enabled and where SMB traffic is common on your network.

Server Message Block (SMB) Traffic

Reducing your SMB traffic can really help your risk profile. Server Message Block (SMB) traffic is a communication protocol for providing shared access to files, printers, and serial ports between devices on your network. It also provides an authenticated inter-process communication (IPC) mechanism. There are also security issues in Microsoft’s implementation of the protocol. Many vendors have security vulnerabilities in their solutions because of their lack of support for newer authentication protocols like NTLMv2 and Kerberos. Recent attacks show that SMB is one of the primary attack vectors for many intrusion attempts. Recently two SMB high-severity vulnerabilities were disclosed which can provide RCE (Remote Code Execution) privileges to systems that allow SMB traffic.

Recommendations

  1. Block inbound SMB access at the corporate firewalls – This means block inbound SMB traffic at the corporate firewall before it is on your LAN. This is usually the easiest way to block unauthorized traffic to your network and corporate systems. This will not work for remote systems that aren’t behind a managed firewall, but you can use this to help protect servers and other devices on the corporate network.
  2. Block outbound SMB access at the corporate firewall with exceptions for specific IP ranges – Sometimes, rarely, you need outbound SMB traffic. If you don’t know, block the traffic and monitor logs for anything that might break.
  3. Inventory for SMB usage and shares – It is understandable that employees need to connect to file servers to access file shares, as one example. Great, then allow inbound SMB traffic to just those servers, and block inbound SMB traffic to all Windows 10 clients or other servers. Start looking at your environment and begin blocking traffic unless it is required.
  4. Configure Windows Defender Firewall to block inbound and outbound traffic on the workstations – Use the client firewall to block traffic except to required devices. There are several references to how to make this work, but it is past the time to start working out the details.
  5. Disable SMB Server if unused – If you know the device doesn’t require SMB services, you may be able to stop the SMB Server service on Windows clients and even many of your Windows Servers.
  6. Test at a small scale – Test the changes and make sure you understand the impact before you just deploy changes into production and break everything. As always, test twice and make sure you understand the changes (and have a rollback plan) before you deploy any changes into production.
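Recommendations 4 and 5 on a single workstation look like the following PowerShell, which is an added example (not from Microsoft's article or the original post). It assumes the machine only ever needs SMB to reach a short list of file servers and domain controllers; $FileServers holds placeholder addresses, and with $Apply left at $false every change runs with -WhatIf so you can preview it (recommendation 6) before applying. Run it from an elevated prompt.

```powershell
# Added example: block SMB on a workstation except to known servers, then stop the SMB Server service.
$FileServers = @('10.0.5.10', '10.0.5.11')   # placeholder: your file servers / domain controllers
$Apply       = $false                        # $true applies the changes; $false only previews them
$common      = @{ WhatIf = (-not $Apply) }

# Windows Firewall has no "everything except these hosts" address, so the outbound block
# rule gets the complement of the allowed list as a set of IPv4 ranges ("a.b.c.d-w.x.y.z").
function Get-ComplementRanges {
    param([string[]]$AllowedHosts)
    $toInt = { param([string]$ip)
        $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes(); [Array]::Reverse($b)
        [BitConverter]::ToUInt32($b, 0) }
    $toIp = { param([uint32]$n)
        $b = [BitConverter]::GetBytes($n); [Array]::Reverse($b)
        [System.Net.IPAddress]::new($b).ToString() }
    $ranges = @()
    [uint64]$next = 0
    foreach ($h in ($AllowedHosts | ForEach-Object { & $toInt $_ } | Sort-Object -Unique)) {
        if ([uint64]$h -gt $next) {
            $ranges += '{0}-{1}' -f (& $toIp $next), (& $toIp ([uint32]($h - 1)))
        }
        $next = [uint64]$h + 1
    }
    if ($next -le [uint32]::MaxValue) { $ranges += '{0}-255.255.255.255' -f (& $toIp $next) }
    return $ranges
}

# 1. Inbound: a workstation should never serve SMB. Block rules win over allow rules in
#    Windows Firewall, so this also overrides the built-in "File and Printer Sharing (SMB-In)" allows.
New-NetFirewallRule @common -DisplayName 'Block inbound SMB (TCP 445)' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any

# 2. Outbound: allow SMB only to the listed servers by blocking every other destination.
#    This stops workstation-to-workstation lateral movement and SMB (and NTLM) to the Internet.
New-NetFirewallRule @common -DisplayName 'Block outbound SMB (TCP 445) except file servers' `
    -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block -Profile Any `
    -RemoteAddress (Get-ComplementRanges $FileServers)

# 3. If the machine hosts no shares, stop and disable the SMB Server service (LanmanServer) too.
Stop-Service -Name LanmanServer -Force @common
Set-Service -Name LanmanServer -StartupType Disabled @common

# Review the result before rolling the same rules out through Group Policy.
Get-NetFirewallRule -DisplayName '*SMB*' |
    Format-Table DisplayName, Direction, Action, Enabled, Profile -AutoSize
```

Expect anything that relied on the workstation's admin shares (remote software deployment, PsExec-style tools) to stop working, and check whether a domain GPO disables local rule merging, in which case these local rules are ignored and must be delivered by GPO.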

Finding Last Login Date for an Active Directory User Account

You can check the Last Login Date information for a user account in Active Directory. The information for last login date is stored in an attribute called “lastLogonTimestamp”. You can check the value of “lastLogonTimestamp” using the Microsoft “ADSI Edit” tool.

  Continue reading “Finding Last Login Date for an Active Directory User Account”
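Checking lastLogonTimestamp one account at a time in ADSI Edit does not scale, and the obsolete-account clean-up in the Active Directory mistakes list above is the same job done in bulk. The PowerShell below is an added example (not from either post): it reads lastLogonTimestamp for every enabled user, converts the 64-bit FILETIME into a date, reports accounts past an inactivity threshold and can disable them. It assumes the ActiveDirectory module (RSAT) and an account permitted to read and, if enabled, modify user objects; $InactiveDays, $SearchBase and $ReportPath are assumptions.

```powershell
# Added example: find (and optionally disable) accounts inactive for more than N days.
Import-Module ActiveDirectory

$InactiveDays = 90
$SearchBase   = 'OU=Users,DC=example,DC=com'              # placeholder OU
$ReportPath   = Join-Path $env:USERPROFILE 'stale-accounts.csv'
$Disable      = $false                                    # set to $true only after reviewing the report

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# lastLogonTimestamp is a 64-bit FILETIME (100-ns ticks since 1601-01-01 UTC). It replicates
# between domain controllers, but is only refreshed when the stored value is older than
# msDS-LogonTimeSyncInterval (14 days by default), so treat it as accurate to about two weeks.
# lastLogon is exact but is NOT replicated, so using it means querying every DC.
$stale = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
            -Properties lastLogonTimestamp, whenCreated, description |
    ForEach-Object {
        $lastLogon = if ($_.lastLogonTimestamp) {
            [DateTime]::FromFileTime($_.lastLogonTimestamp)   # FILETIME -> local DateTime
        } else {
            $null   # never logged on since the attribute existed (or never at all)
        }
        [PSCustomObject]@{
            SamAccountName    = $_.SamAccountName
            DistinguishedName = $_.DistinguishedName
            Created           = $_.whenCreated
            LastLogon         = $lastLogon
            Description       = $_.description
        }
    } |
    Where-Object {
        # Stale if the last logon is before the cutoff, or the account has never logged on
        # and was created before the cutoff (brand-new accounts get a grace period).
        ($_.LastLogon -and $_.LastLogon -lt $cutoff) -or
        (-not $_.LastLogon -and $_.Created -lt $cutoff)
    }

$stale | Sort-Object LastLogon | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$(@($stale).Count) stale account(s) written to $ReportPath"

if ($Disable) {
    foreach ($account in $stale) {
        # Disable first and delete later (after the 60-90 day window), so the SID, group
        # memberships and description survive for review and for an easy rollback.
        Disable-ADAccount -Identity $account.DistinguishedName
        Set-ADUser -Identity $account.DistinguishedName `
            -Description "Disabled for inactivity $(Get-Date -Format yyyy-MM-dd); was: $($account.Description)"
    }
}
```

Service accounts that authenticate without an interactive logon can still show a recent lastLogonTimestamp, and accounts used only through certain federated sign-ins may not, so review the CSV against what you know before flipping $Disable.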

Windows 11 Alpha-Themed Malware Attacks

With the newest version of Windows, named Windows 11, just a few months away, criminals have started distributing malware with content targeting a user’s interest in the newest version of Microsoft’s desktop operating system.

Using the same tactics that work (asking users to perform tasks they should know are dangerous), these criminals are attempting to get users interested in Windows 11 information to willingly disable security features on their current computer to view what they assume is Windows 11 themed content.

Security researchers at Anomali, who observed a recent malware campaign from the group that used six different Word documents in an attempt to attack employees at a point-of-sale provider called Clearmind, say the cyber criminals attempted to get users to disable their workstation security so they could view content supposedly showing Windows 11 content.

The attack was attributed to FIN7, an Eastern European threat group, that primarily targets US-based companies that operate on a global scale. Anomali says the infection chain began with a Microsoft Word document (.doc) containing a decoy image claiming to have been made with Windows 11 Alpha. The image asks the user to Enable Editing and Enable Content to begin the next stage of malicious activity.

It’s interesting how the VBA code is stored to make analysis difficult; it attempts to drop a JavaScript backdoor that appears to have similar functionality to other backdoors reportedly used by FIN7. It is also interesting that if the script finds Eastern European languages in use (Russian, Ukrainian, etc.) or detects a virtual machine, it doesn’t drop its payload and immediately stops executing.

While it might be mildly interesting that they used Windows 11 as a hook to grab the user’s attention, it is still the same basic methods that are used every day to convince users to do something (disable security or violate procedures) to allow the attacker into the user’s workstation. Users have to be educated on what not to do, and the basic security controls have to be in place, to help block this type of attack from being successful.

Responding to Ransomware Attacks

In the event that your personal computer or even the computers on your corporate network fall victim to a successful ransomware attack, an effective response plan can make the difference between disaster and successful recovery. If you are impacted by a company-wide malware infection that takes down multiple endpoints, it could mean a permanent business closure if you are unable to recover critical data.

We will discuss how you might respond in the beginning of an attack to help remediate any issues before you make some wrong decisions.

How to respond to a ransomware attack

If preventative measures fail, such as hardening your systems against Mimikatz attacks (links here and here), making users more cybersecurity aware with Security Awareness Training tips, and all the Windows 10 hardening tips, then your organization should take the following actions immediately after identifying a successful ransomware infection.

If you have an Incident Recovery Plan, execute the notification process and get all the teams required started communicating and remediating the systems impacted by the attack.

1. Quarantine Infected Systems

The majority of ransomware attacks will include a function to scan the target network, identify other systems on the same network that can also be attacked, and then encrypt all the files stored on network shares or other computers as the attacker moves laterally across the network. To help contain the infection and prevent the ransomware from spreading to other systems, the infected systems must be removed from the network as soon as possible. This will significantly slow the spread and buy you time for analysis and troubleshooting before everything is rendered useless.

Note: This includes blocking them from wired and wireless network access.

This will also help prevent infected systems from accessing resources like internal email, backup systems, employee record systems, critical databases, etc.

2. Block Internet Access

Every system on the network may already have the malware copied to the system and it just might not have started the encryption process yet because it hasn’t been able to access the command and control server on the internet. Disconnect all systems from the internet. Those that are still working will not start encrypting the drives, and those already encrypting have been removed from their ability to communicate to the safe systems by the step listed above.

Note: This includes blocking internet access from wired and wireless networks.

Now you have known bad systems (they are actively encrypting the user files or have already encrypted all the user files) isolated from the network (can’t see other systems on your network) and blocked from the internet (can’t see other systems on the internet). You also have suspected good systems that are blocked from accessing the internet and are disconnected from the bad systems. You can now verify that those clean-looking systems are definitely clean and return them to normal once you are sure they are not infected. More about that in Step 5 below.
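On a Windows host, Steps 1 and 2 come down to a few commands, and the order matters: once the cable is pulled, the list of remote addresses the machine was talking to is gone. The PowerShell below is an added example (not from the original post) that records that volatile state to a local folder first and then isolates the machine through both the host firewall and its network adapters, wired and wireless alike. It assumes an elevated prompt at the console of the suspect machine (not over RDP or WinRM, which the isolation would cut off) and an evidence path on a drive that is not being encrypted.

```powershell
# Added example: capture volatile evidence, then isolate the host (Steps 1 and 2).
$EvidenceRoot = 'C:\IR'                                                    # assumed local path
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $EvidenceRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Capture BEFORE isolating: who the host is talking to (command-and-control and lateral
#    SMB/RDP sessions show up here), what is running, and which scheduled tasks are live
#    (Step 4 will need that list, and ransomware often adds its own persistence task).
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name } } |
    Export-Csv -Path (Join-Path $outDir 'connections.csv') -NoTypeInformation
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
    Export-Csv -Path (Join-Path $outDir 'processes.csv') -NoTypeInformation
Get-ScheduledTask | Where-Object State -ne 'Disabled' |
    Select-Object TaskPath, TaskName, State |
    Export-Csv -Path (Join-Path $outDir 'scheduled-tasks.csv') -NoTypeInformation

# 2. Isolate. First the host firewall: turn every profile on, block all inbound including the
#    existing allow rules (AllowInboundRules False), and default outbound to block. Then disable
#    every adapter that is up, which also covers anything the firewall would not (VPN, Wi-Fi).
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block `
    -DefaultOutboundAction Block -AllowInboundRules False
Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Disable-NetAdapter -Confirm:$false

# Leave the machine powered on: memory still holds the unpacked malware and possibly key
# material, and the forensic team will want both. Copy $outDir off via removable media.
Write-Host "Host isolated. Evidence written to $outDir. Do not power off or reboot."
```

Reversing the isolation later is Enable-NetAdapter on the disabled adapters and Set-NetFirewallProfile back to your normal settings, but only once Step 5 has confirmed the machine is clean.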

3. Identify Ransomware

Identify the “brand” of ransomware that has infected your systems. While this might seem strange, there are many types of ransomware from many different malware groups. Knowing which one has infected your systems could help you better identify the methods used in the attack, how to stop the spread, and how you might be able to get your data back without paying a ransom.

There have been instances of law enforcement agencies shutting down a ransomware author’s “business” and releasing the decryption keys. Also, groups whose older ransomware is no longer actively infecting new systems have sometimes released their decryption keys.

You can visit a website like this to help identify which malware has infected your systems so you can get help stopping, removing, and decrypting your locked files. To get a better understanding of the volume of internet threats that exist today, a visual threat map can be helpful. This threat map from Fortinet helps visualize the threats in a more “real-time” visual presentation.

4. Disable Scheduled Tasks

You should immediately disable any automated or system-scheduled maintenance tasks, such as user or system clean-up routines, log deletion tasks, deletion of old backup files, etc. These automated tasks can remove files you might wish you had later or that your forensic team might need, or perform an action that could prevent a successful remediation of the ransomware attack.

5. Remove Ransomware from Infected Systems

You can use available antivirus tools to identify and successfully remove the ransomware from your computer. If you are already using antivirus software and it didn’t stop the infection, this is probably a good time to investigate your current configuration issues or get a better solution. Once you have scanned and cleaned the system, it is ready for you to restore your files.

Once you find the right software to scan for and detect the malware, run the scanner on all your systems, not just the infected ones. You might think you know which systems are infected, but the scanner can help you determine which systems are actually infected. You want to do the clean-up and remediation just one time, so do it right the first time.

6. Don’t Pay the Ransom

I realize you may not have an option if your critical business files are encrypted, you don’t have good backups you can recover from, and you can’t find a free decryption tool. If backups are unavailable or damaged and there is no free decryption tool available, you will be tempted to pay the ransom and recover your files. Just remember that you may pay the ransom and still not get your files back. These people are criminals looking for easy money; they are not in the business of being your friend.

While paying the ransom may seem like an easy answer, only consider paying the ransom if all other options have been exhausted and the loss of data will likely result in your company going out of business. Paying the ransom might also get you into trouble with the law, so be very careful and consult an attorney.

7. Restore Your Backups

Note: Only restore your files to systems that you know are clean.

Hopefully you were able to jump right past Step 6 (Don’t Pay the Ransom) because you know not to pay a ransom to a criminal because it only encourages them and finances their next attack. You don’t need to pay the ransom because you either don’t need the files that were encrypted, you were able to find a free decryption tool, or you had good backups ready for you to use.

Restoring backups can take a long time, be difficult to perform, and you still might lose some data. If you have been verifying your backups, practicing the restore process at least once a year, and have a well-documented process, the effort will be less likely to fail.

If your user files are also backed up to the cloud using a tool like OneDrive, this might also be useful and a quick way to restore a user’s personal files including documents, music, and pictures.

8. Restore Network

Now that you know which systems are clean, the cleaned machines can be given access to the internet and other network resources. The infected machines can be cleaned one at a time, their files restored, and then the systems returned to the proper network.

Don’t forget to restore internet access for the clean systems. Once you have verified that your backup files won’t be overwritten, that the log files are intact, and that the files required by the audit and forensics teams have been saved, you can re-enable the scheduled tasks that you have reviewed and know are safe to enable.
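Steps 4 and 8 above, as an added PowerShell example that is not part of the original post: snapshot every scheduled task and its state, disable the ones whose name or command line looks like a clean-up routine, and later re-enable only the tasks an operator has reviewed and approved. The clean-up patterns and the snapshot path are assumptions chosen for this example.

```powershell
# Added example, not from the original post. Uses the built-in ScheduledTasks
# module and must run elevated. The patterns and snapshot path are assumptions
# for this example; review the returned list before disabling anything.
$SnapshotPath    = 'C:\IR\tasks-before-incident.csv'
$CleanupPatterns = 'cleanup', 'clean-up', 'purge', 'wevtutil', 'Clear-EventLog', 'forfiles', 'Remove-Item', 'SilentCleanup'

function Get-TaskCommandLine {
    # Flatten a task's actions into one string so they can be matched and recorded.
    param($Task)
    ($Task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' | '
}

function Save-TaskSnapshot {
    # Step 4: record every task and its state before touching anything, so that
    # step 8 can restore exactly what was enabled before the incident.
    param([string]$Path = $SnapshotPath)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    Get-ScheduledTask |
        Select-Object TaskName, TaskPath, State, @{ n = 'CommandLine'; e = { Get-TaskCommandLine $_ } } |
        Export-Csv -Path $Path -NoTypeInformation
}

function Disable-CleanupTasks {
    # Step 4: disable enabled tasks whose name or command line matches a clean-up
    # pattern, and return what was disabled for the incident log.
    $regex = ($CleanupPatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $targets = Get-ScheduledTask | Where-Object {
        $_.State -ne 'Disabled' -and
        ($_.TaskName -match $regex -or (Get-TaskCommandLine $_) -match $regex)
    }
    foreach ($t in $targets) {
        Disable-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath | Out-Null
    }
    $targets | Select-Object TaskPath, TaskName
}

function Restore-ReviewedTasks {
    # Step 8: re-enable only tasks that were enabled before the incident AND that
    # an operator has explicitly approved by name after reviewing them.
    param([string]$Path = $SnapshotPath, [string[]]$Approved)
    Import-Csv -Path $Path |
        Where-Object { $_.State -ne 'Disabled' -and $Approved -contains $_.TaskName } |
        ForEach-Object {
            Enable-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath | Out-Null
            $_.TaskName
        }
}

Save-TaskSnapshot
Disable-CleanupTasks
```

Keep the snapshot CSV with the other incident evidence; it is also the record of which tasks were touched and when.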

9. Change Passwords

Now that you know someone has had access to your systems, you can’t be sure they did not steal your user and system passwords. Have all users reset their passwords. Reset the passwords for all service accounts, accounts used to run scheduled tasks, the KRBTGT account (used by Active Directory), and any enabled accounts used by your systems. Make sure all administrator-level users also change their passwords. Do a full inventory of accounts, looking at the last time the password was changed, and either change the password or disable the account.
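The account inventory described in step 9, as an added PowerShell example that is not part of the original post: list every enabled account (plus krbtgt) whose password predates the intrusion, flag service and privileged accounts, and recommend a reset action for each. The incident date is a placeholder; the 90-day staleness threshold is an assumption for this example.

```powershell
# Added example, not from the original post. Needs the RSAT ActiveDirectory module
# and an account allowed to read user attributes (and to reset passwords).
# $IncidentStart is a placeholder: the earliest time the attacker is believed to
# have had access. Any password set before it is treated as potentially stolen.
Import-Module ActiveDirectory
$IncidentStart = Get-Date '2024-01-15'   # placeholder date for this example

function Get-AccountsNeedingReset {
    param([datetime]$Since = $IncidentStart)
    $props = 'PasswordLastSet', 'PasswordNeverExpires', 'ServicePrincipalName', 'LastLogonDate', 'AdminCount'
    # krbtgt is disabled by default but must still be reset, so it is included explicitly.
    Get-ADUser -Filter * -Properties $props |
        Where-Object { ($_.Enabled -or $_.SamAccountName -eq 'krbtgt') -and
                       (-not $_.PasswordLastSet -or $_.PasswordLastSet -lt $Since) } |
        ForEach-Object {
            $isService = $_.ServicePrincipalName.Count -gt 0
            $isStale   = -not $_.LastLogonDate -or $_.LastLogonDate -lt $Since.AddDays(-90)
            if ($_.SamAccountName -eq 'krbtgt') {
                # AD keeps the previous krbtgt key, so one reset leaves tickets issued
                # under it valid; reset twice with a replication wait in between.
                $action = 'Reset twice, waiting for AD replication between resets'
            } elseif ($isService) {
                $action = 'Reset, then update every service or scheduled task that uses it'
            } elseif ($isStale) {
                $action = 'Disable (no logon in the 90 days before the incident)'
            } else {
                $action = 'Force change at next logon'
            }
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                PasswordLastSet      = $_.PasswordLastSet
                LastLogonDate        = $_.LastLogonDate
                IsServiceAccount     = $isService
                IsPrivileged         = ($_.AdminCount -eq 1)  # set on members of protected groups
                PasswordNeverExpires = $_.PasswordNeverExpires
                Action               = $action
            }
        }
}

function Set-ChangeAtNextLogon {
    # Force a change for the named users without choosing their new password for them.
    param([string[]]$SamAccountName)
    foreach ($name in $SamAccountName) { Set-ADUser -Identity $name -ChangePasswordAtLogon $true }
}

# Review the report before acting on it; privileged and service accounts come first.
Get-AccountsNeedingReset | Sort-Object IsPrivileged, IsServiceAccount -Descending | Format-Table -AutoSize
```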

10. Investigate Intrusion

Things are now back to normal. Users are back onto their computers, the files are all back where they should be, and users are back to work and not on the telephone with you. That doesn’t mean you are done.

You have to look at what happened so you can make sure it doesn’t happen again.

  • How was the ransomware able to get past your computer controls and be easily installed onto a user’s computer without being detected? Was it a user bypassing a control (authorized or unauthorized), or did the ransomware just not get stopped by any existing security control?
  • Are there changes required to your anti-virus software to make it a stronger defense against ransomware? Is it time to remove the existing solution and replace it with something more powerful or can you just change the configuration of the solution you already own to make it work better?
  • Do you need to make changes to the hardening of your Windows 10 devices to make it harder to bypass your security controls and encrypt the users’ files?
  • Do you need to alter or improve your corporate firewall controls? What about the security of your remote users and the way they connect to the Virtual Private Network (VPN)?
  • Do you need to make changes to your network to make it harder for software running on the user’s computer to get access to systems like Domain Controllers, Database Servers, File Servers, Web Servers, etc.?
  • Do you need to change the way you perform (or don’t perform) backups of user and system files? How about changes to the way you restore files? Do you have adequate documentation of the procedures used for backing up and restoring files?
  • Do user accounts have the correct level of authorization? Maybe now is a good time to remove elevated permissions from normal users, limit who has elevated permissions, and lock down the use of all admin-level accounts.

Summary

If you need help, now is the time to really get some help figuring out the changes that can help prevent a repeat of the security event. A ransomware incident can stop a company from doing normal business for days, weeks, or forever. It can chase away customers, compromise business-critical data, and cost you a lot of money to remediate.

Looking at the steps required now can help you practice and plan for a future incident. Careful planning, remediation of security gaps, and technical training can help prevent a successful ransomware attack, shorten the remediation timeline, and help promote confidence in your Information Technology team.

Enable Reserved Storage Using DISM or PowerShell on Windows 10

How to Enable Reserved Storage on Windows 10

Windows updates will fail to install if your PC doesn’t have enough free disk space. Before reserved space existed, the only workaround was to free up some storage space before continuing with your update effort. With the May 2019 Update to Windows 10, Microsoft fixed this problem by reserving disk space for future updates.

With “reserved storage,” Microsoft sets aside at least 7 gigabytes of space on your hard drive to ensure updates can download—regardless of how much normal disk space you have.

When not being used by update files, Reserved Storage will be used for apps, temporary files, and system caches, improving the day-to-day function of your PC.

When enabled, it keeps some disk space for Windows Update, apps, temporary files, and system caches because without enough disk space Windows and applications may stop working properly.

Users installing a fresh copy of Windows 10 1903 or later, or receiving a device with the OS preinstalled, should see Reserved Storage enabled out-of-the-box. Some device manufacturers choose not to enable Reserved Storage because it reduces the available disk space to users.

Those upgrading from a previous version of Windows don’t get Reserved Storage unless the ShippedWithReserves registry value is set to 1 before the upgrade. You can find the value under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager

Windows Update and Reserved Storage

Windows Update gives priority access to Reserved Storage. Before an update, temporary files that are no longer needed in Reserved Storage are deleted and the remaining space is then given exclusively to Windows Update. If Reserved Storage still doesn’t have enough space, Windows Update can also spill into free disk space that is available to the user. On systems where disk space is severely limited, Windows Update might also prompt to attach external storage to complete the update process.

DISM updated with new Reserved Storage options

Admins are able to query the amount of space reserved and even disable Reserved Storage. The state of Reserved Storage is preserved across OS upgrades once it has been enabled or disabled using DISM. The following DISM command enables Reserved Storage for the online Windows image:

Enable or Disable Reserved Storage using PowerShell

If you don’t want to mess around with DISM, Windows 10 version 2004 supports a new PowerShell cmdlet that will let you enable or disable Reserved Storage for online images.
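Both the DISM route and the PowerShell cmdlet route, as an added example that is not part of the original post: report the ShippedWithReserves flag from the ReserveManager key quoted above together with the live reserved-storage state, and enable the reserve on the running image. Get-/Set-WindowsReservedStorageState are the Windows 10 2004 cmdlets; DISM.exe's /Get-ReservedStorageState and /Set-ReservedStorageState switches are the fallback on earlier builds; the property name read from the cmdlet's output is an assumption.

```powershell
# Added example, not from the original post. Run it in an elevated PowerShell.
# Get-/Set-WindowsReservedStorageState exist from Windows 10 2004; on 1903/1909
# the DISM.exe switches are used instead. The ReserveManager key is the one
# quoted in the post; the property name read from the cmdlet output is assumed.
$ReserveKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager'

function Get-ReservedStorageReport {
    # Combine the pre-upgrade registry flag with the live reserved-storage state.
    $shipped = (Get-ItemProperty -Path $ReserveKey -ErrorAction SilentlyContinue).ShippedWithReserves
    if (Get-Command Get-WindowsReservedStorageState -ErrorAction SilentlyContinue) {
        $state = (Get-WindowsReservedStorageState).ReservedStorageState   # assumed property name
    } else {
        # DISM.exe prints a human-readable status line; keep it rather than parsing it.
        $state = (& dism.exe /Online /Get-ReservedStorageState | Where-Object { $_ -match 'storage' }) -join ' '
    }
    [pscustomobject]@{
        ShippedWithReserves  = $shipped   # 1 = the next feature upgrade creates the reserve
        ReservedStorageState = $state
    }
}

function Enable-ReservedStorage {
    # Enable the reserve on the running (online) image, then set the flag from the
    # post so an in-place upgrade keeps it.
    if (Get-Command Set-WindowsReservedStorageState -ErrorAction SilentlyContinue) {
        Set-WindowsReservedStorageState -State Enabled | Out-Null
    } else {
        & dism.exe /Online /Set-ReservedStorageState /State:Enabled | Out-Null
    }
    if (-not (Test-Path $ReserveKey)) { New-Item -Path $ReserveKey -Force | Out-Null }
    Set-ItemProperty -Path $ReserveKey -Name ShippedWithReserves -Value 1 -Type DWord
    Get-ReservedStorageReport
}

Get-ReservedStorageReport
```

Reserved Storage cannot shrink below what Windows Update needs, so on a nearly full disk expect the enable step to report that space must be freed first.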
