"Small Business Susan" - 5 new articles

  1. Are we drowning yet?
  2. So how do I?
  3. Are we getting all of our updates?
  4. About that wmi filter
  5. Survey on Essentials

Are we drowning yet?

Too often in security there is a real issue that we need to address, and then there is the headline theoretical issue: an issue where, yes, someone, somewhere can be attacked by the threat, but actually attacking someone with it would take many resources and a lot of time, and an attacker will only use such threats against a high-value target, not against an SMB server.

But because the risk makes headlines, we all run around and fix something that, while yes, I have to say is a flaw, is not how we are most likely to be attacked; some easier means is far more likely to nail us.  It reminds me of a caller on the Rick Steves travel radio show who was asking about the risk of traveling to Paris in light of the terrorist attacks.  While the risk of terrorism is there, the reality is that we're more likely to be killed in our good old USA than we are while vacationing overseas.  Yet, because the terrorists have grabbed the headlines, they make us frightened and less likely to protect ourselves from the thing we really should be protecting ourselves from.

Take as an example the recent DROWN attack in the news.

First, yes: any SMB network running IIS websites with the default settings is at risk from this attack.  Given the increasing brokenness of SSL v1, 2 and 3, you should take action to disable SSL v1, 2 and 3 on your outward-facing web server – or in the case of SBS and Essentials, the RWW/RWA web site (more on what to do in a bit).  In fact you may want to kick it up one more notch and disable TLS 1.0, with the caveat that it will break RD Gateway/RWW if your remote clients are Windows 7 machines.  If the remote workstations are Windows 8.1 or Windows 10, they support the necessary TLS versions.

You can use the DROWN site to check if your server is vulnerable.  Go to https://test.drownattack.com and run a scan (note: for me the site has been throwing off bad gateway errors, so you may need to try it at a later time).

But here is where the reality hits the theoretical: so are a lot of other sites.  For example, take https://test.drownattack.com/?site=microsoft.com which, at the time I am writing this, has a ton of subdomains that are vulnerable.

While you are testing out your domain, also have a look at https://www.ssllabs.com/ssltest/ as it's time to make sure your SSL cert is also what it should be.

I then highly recommend using this tool – https://www.nartac.com/Products/IISCrypto/ – to disable SSL v1, 2 and 3.  For disabling TLS 1.0, however, the story is a little bit different.  As this blog points out, Exchange 2010 may have issues with TLS 1.0 disabled.  However, I've found that the biggest issue comes from RD Gateway; as Robert points out on his blog, disabling TLS 1.0 really impacts RD Gateway.

So what’s a paranoid person to do?

First, don't panic.  This attack needed cloud computing resources and time to be successful.  An attacker is much more likely to throw ransomware at you than to use this attack against your server.

That said, taking the time to run the https://www.ssllabs.com/ssltest/ test on your site and using the https://www.nartac.com/Products/IISCrypto/ tool to AT LEAST disable SSL v1, 2 and 3 is the bare-minimum best practice.  Disabling TLS 1.0 requires additional analysis of the site to see whether all external clients have migrated off Windows 7.
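The same "disable SSL 2.0 and 3.0, look before you touch TLS 1.0" decision can be made and applied without the GUI tool. The script below is an added example, not the post's own or IIS Crypto's code; it reads and writes the Schannel protocol keys under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, which is the same registry location IIS Crypto edits. It reports the current server-side state of each protocol, disables only SSL 2.0 and SSL 3.0 (with -WhatIf so you can preview first), and deliberately leaves TLS 1.0 alone for the reasons the post gives. Run it from an elevated PowerShell prompt; Schannel only re-reads these keys at boot.

```powershell
# Added example (not from the original post): audit Schannel server-side protocol
# settings and disable SSL 2.0 / SSL 3.0, the "bare minimum" step the post recommends.
$protocolsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param([Parameter(Mandatory)][string]$Protocol)
    $serverKey = Join-Path $protocolsRoot "$Protocol\Server"
    if (-not (Test-Path $serverKey)) {
        # No key at all means Windows applies its built-in default for this protocol
        return [pscustomobject]@{ Protocol = $Protocol; Enabled = 'default'; DisabledByDefault = 'default' }
    }
    $props = Get-ItemProperty -Path $serverKey
    [pscustomobject]@{
        Protocol          = $Protocol
        Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { 'default' }
        DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'default' }
    }
}

function Disable-SchannelServerProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Protocol)
    $serverKey = Join-Path $protocolsRoot "$Protocol\Server"
    if ($PSCmdlet.ShouldProcess($serverKey, "Disable $Protocol for incoming connections")) {
        New-Item -Path $serverKey -Force | Out-Null
        # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps it off even for
        # applications that do not explicitly pick a protocol list.
        New-ItemProperty -Path $serverKey -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $serverKey -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Before: what the server currently has configured for each protocol
'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2' |
    ForEach-Object { Get-SchannelProtocolState -Protocol $_ } |
    Format-Table -AutoSize

# Disable the two protocols the post says are safe to turn off.
# Remove -WhatIf once the preview looks right, then reboot for Schannel to pick it up.
'SSL 2.0', 'SSL 3.0' | ForEach-Object { Disable-SchannelServerProtocol -Protocol $_ -WhatIf }

# TLS 1.0 is intentionally not touched here: per the post it breaks RD Gateway / RWW
# for Windows 7 remote clients, so check which clients still connect before disabling it.
```

After rebooting, re-run the SSL Labs and DROWN scans the post links to confirm the server no longer offers SSLv2/SSLv3; the registry change alone is not proof until the scan agrees.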

This is an example of the tool on a web site I have (not an SBS box)

[Screenshot: the IIS Crypto tool, with its Best Practices and PCI template buttons]

As you can see, the tool offers Best Practices and PCI templates.  If you want to play it safe, apply Best Practices.

And while I'm here on my soapbox, if you ask me what specifically to do to get an SBS box to pass a PCI scan, I'll point you to Robert's blog post above – with the strong opinion that if you really read through the PCI documentation, you'd know in a heartbeat that an SBS box cannot possibly pass true PCI concepts, and you are much better off and safer moving that credit card network traffic to its own network rather than the same network as an SBS box.

So, bottom line.  Don't panic.  Do disable SSL v1, 2 and 3; that won't break anything.  Really think about how you are processing credit cards.  And then really think about what we all really should be worried about – better ransomware defenses.  Because that's where we are really getting our attacks on a daily basis.


So how do I?

Just got a question on how to run a PowerShell script in Windows 10.  Here's how I do it.

In the search/Cortana box, type powershell.  When the PowerShell icon pops up, right-click it and choose Run as administrator.

Now copy and paste the script from wherever you've found it on the web and see what response you get.


Are we getting all of our updates?

Mark Berry brought this up in the partner forum and we've been discussing it on the patchmanagement.org listserv:

There are optional driver updates that Windows 10 does not show you or offer to you, and there's no way in the software update screen to see that these updates even exist.  The only way to know they are there is either to run a PowerShell script or to use the KB tool for blocking drivers to expose that there are drivers hiding.

On a physical Windows 10 machine, use this script:

http://www.mcbsys.com/blog/2015/03/updated-powershell-script-to-show-windows-update-settings/

Use that, or:

# Open a Windows Update Agent session and search for updates not yet installed
$UpdateSession = New-Object -ComObject Microsoft.Update.Session
$UpdateSearcher = $UpdateSession.CreateUpdateSearcher()
$SearchResult = $UpdateSearcher.Search("IsInstalled=0")
# Keep only the updates that have not been hidden by an administrator
$NotHiddenUpdates = $SearchResult.Updates | Where-Object { $_.IsHidden -eq $false }
$NotHiddenUpdates | Format-List

You'll see that there are updates that haven't been installed.
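To make the driver updates the post is talking about stand out rather than reading through a Format-List dump, the added example below (mine, not the post's or Mark Berry's script) runs two Windows Update Agent searches, one with Type='Driver' and one with Type='Software', which are documented IUpdateSearcher criteria, and tabulates title, KB number, whether the update is hidden, and whether it is optional. The SMB-network case is exactly the Driver rows that the Settings app never surfaces.

```powershell
# Added example (not the original post's script): tabulate pending updates by type so
# optional driver updates that the Windows 10 Settings UI does not show become visible.
function Get-PendingUpdateReport {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    # IUpdateSearcher.Search accepts Type='Driver' and Type='Software' as criteria
    foreach ($type in 'Driver', 'Software') {
        $result = $searcher.Search("IsInstalled=0 and Type='$type'")
        foreach ($update in $result.Updates) {
            [pscustomobject]@{
                Type     = $type
                Title    = $update.Title
                KB       = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
                IsHidden = $update.IsHidden
                Optional = -not $update.IsMandatory
                SizeMB   = [math]::Round($update.MaxDownloadSize / 1MB, 1)
            }
        }
    }
}

# Drivers first, since those are the ones the UI hides
Get-PendingUpdateReport | Sort-Object Type, Title | Format-Table -AutoSize -Wrap
```

Run it in the elevated PowerShell window described in the previous post. An empty Driver section means the Windows Update Agent has no pending driver updates for this machine; a non-empty one with Optional = True is the "hidden" set, and from there you can decide per device whether to let it install or block it with the KB tool.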


About that wmi filter

https://blogs.technet.microsoft.com/sbs/2016/01/22/wmi-group-policy-filter-issue-on-windows-10-breaks-folder-redirection-windows-server-2012-r2-essentials-windows-server-2012-essentials-and-windows-small-business-server-2011-essentials/

I think there's a slight problem with the WMI filter in that post.

In fact, the fix is listed in the comments:

select * from Win32_OperatingSystem where (Version like "6.%" OR Version like "10.%") and ProductType = "1"

or you can do it like this:

select * from Win32_OperatingSystem where (Version >= "6.1%" or Version like "10.%") and ProductType = "1"
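Before pasting a WMI filter into Group Policy, it is worth checking on an actual Windows 10 client and on a server that the query matches (or does not match) where you expect, since a filter that silently excludes a client is exactly how folder redirection stops applying. The added example below is mine, not from the TechNet post or its comments; it runs a WQL query through Get-CimInstance in root\cimv2, which is the same namespace a GPO WMI filter queries, and compares a 6.%-only filter (constructed for contrast) with both corrected forms from the post.

```powershell
# Added example (not from the original post): evaluate WMI-filter WQL queries locally
# so you can confirm which machines a Group Policy WMI filter will and will not match.
function Test-WmiFilterQuery {
    param([Parameter(Mandatory)][string]$Query)
    # A GPO WMI filter passes when the query returns at least one instance
    $instances = @(Get-CimInstance -Namespace 'root\cimv2' -Query $Query -ErrorAction Stop)
    [pscustomobject]@{
        Matches = ($instances.Count -gt 0)
        Query   = $Query
    }
}

# What the filter actually sees on this machine
$os = Get-CimInstance -ClassName Win32_OperatingSystem
'Local OS: Version={0}  ProductType={1}  (1=workstation, 2=domain controller, 3=server)' -f $os.Version, $os.ProductType

$queries = @(
    # Constructed 6.x-only filter: matches Vista through 8.1 workstations but not Windows 10 (Version 10.0.x)
    'select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "1"',
    # The two corrected forms quoted in the post
    'select * from Win32_OperatingSystem where (Version like "6.%" OR Version like "10.%") and ProductType = "1"',
    'select * from Win32_OperatingSystem where (Version >= "6.1%" or Version like "10.%") and ProductType = "1"'
)

$queries | ForEach-Object { Test-WmiFilterQuery -Query $_ } | Format-Table -AutoSize -Wrap
```

On a Windows 10 workstation the first query should report Matches = False and the two corrected ones Matches = True; on the Essentials server itself all three should be False because ProductType is not 1, which is what you want for a client-only folder redirection policy. If a query throws instead of returning, the WQL is malformed and Group Policy would treat the filter as not matching.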


Survey on Essentials

Want to provide feedback to Microsoft regarding Essentials?

Check out this post and click on the survey link:

https://blogs.technet.microsoft.com/sbs/2016/02/23/survey-windows-server-essentials-features/
