Microsoft and Symantec Endpoint Updates hit Internet Explorer

Posted by Ahmed Nabil In | 0 comments»
Microsoft Internet Explorer was heavily hit this week with the Latest Microsoft Endpoint Update as well as Symantec Endpoint updates. While Symantec released a fix, Microsoft is still working on updated version to fix this issue.



  1. The Latest Microsoft Protection breaks Internet Explorer downloads, for more details check the following article http://blogs.technet.com/b/configmgrteam/archive/2015/02/19/known-issue-endpoint-protection-blocks-internet-explorer-downloads.aspx                                                                                                                                                                                                                         
  2. Symantec Endpoint protection update crashes Microsoft Internet Explorer. For more details check the following article http://news.softpedia.com/news/Symantec-Confirms-Faulty-Antivirus-Update-That-Caused-Internet-Explorer-Crashes-473883.shtml





The Symantec update affected both Windows 7 and Windows 8 machines while the Microsoft Endpoint update was mainly observed on Windows 8.1 machines. Users should stay tuned for an expected quick fix from Microsoft.




How to Prevent users from changing EMET application settings by using Group Policy ?

Posted by Ahmed Nabil | 0 comments»
EMET is a very great tool for users seeking additional layer of security against Zero-day vulnerabilities. When configuring EMET for Enterprise it gets tricky as there are some gaps for deployment. The easiest way to control and push EMET settings on all users in your enterprise Active Directory is to use group policies however the EMET template is not covering all mitigation and has some limitations.


Problem/Scenario

We need to push the EMET configuration/settings for applications to all users in the network and prevent users from changing these settings (For Example: Removing ASR mitigation from the Internet Explorer). This issue gets worse with users who are admin on their machines and can open the EMET GUI and change any application setting.


Solution:

Users may change the EMET application GUI settings to disable a mitigation or remove specific application from the list. This change will result in an Event ID 11 written in the local application event log. We will use this Event as a trigger when its recorded to re-import/push back our EMET application settings on the client using Group policy.

  1. I am assuming EMET is already installed on all users (Can be done via SCCM or any other tool) which is another discussion.                                                                                                                
  2. We need to install EMET (Latest current version is 5.1) on a machine, add all popular applications (Located under EMET Installation folder - \EMET 5.1\Deployment\Protection Profiles) and company business applications if needed and apply/test different mitigation.                    
  3. After configuring and changing all wide system and application configuration and you are fully satisfied of deploying it on all clients, Export the settings (XML file) from the main EMET interface as shown below.                                                                                                                             
                                                                                                                                                                                                                                
  4. We need to create a GPO to import this XML file (exported in the previous step) on all computers in the domain. A very good article on TechNet that explains this step in details can be found at http://blogs.technet.com/b/kfalde/archive/2014/04/30/configuring-emet-via-gpo-gpp-w-o-using-the-admx-files.aspx                                                                                                                         
  5. Basically what we need to do as per the TechNet article is to create a new GPO, link it to your domain or computers OU and copy the XML file in the GPO folder.                                                      
  6. Create a Task scheduler using the group policy Preferences, for more details check this TechNet article http://blogs.technet.com/b/kfalde/archive/2014/03/13/automatically-refreshing-emet-gpo-s.aspx                                                                                                                                                            
  7. This scheduled task main action is to import the XML file to the machines as per the below screen shot. The program will be the EMET_Conf.exe and the path should reflect the current version of EMET used in your environment. The Arguments will be the Import of the XML command and it should be something like this:                                                                                                                                                                                                                                        --import \\domain.com\sysvol\domain.com\Policies\{2368E536-C9BA-41E6-A1D8-8AA1C7854275}\emetconfig.xml  (You need to replace the domain.com with your actual domain name, Unique ID of your policy and the XML name)                                                                                                                                                                                                                                                 
         
  8. The tricky part will be the trigger as when this import will occur (XML imported to the users). If any user changed, removed any application settings in the EMET GUI an EVENT ID 11 will be triggered in the application log of the user computer as shown below:                                                                        
                                                                                                                                                              So in this GPO we will use this Event ID as the trigger to re-import and push the settings back to the user.        

                                                                                            

This should do the trick and enforce the company EMET settings on all computers and ensure your users won't change them or actually if changed will be reverted back in the same second to ensure full protection.

Hopefully this article is helpful to anyone facing the same issue.





                  

Disable User Account Control in Server 2012/2012 R2 to run SQL Reporting URL

Posted by Ahmed Nabil In | 0 comments»
I was working on installing SQL2012 Server on a new machine as well as the reporting services, after configuring the reporting service i was trying to access the local reporting services URL when i got the attached below message






My account was an admin on the machine and SQL admin as well, i checked the UAC from Control panel and it was already turned off as shown below


Looks like in Server 2012 and 2012R2, even if you changed the setting "Never Notify" as shown above (which worked fine with 2008R2) the UAC is still active. In order to turn it completely you will need to edit registry as follows:


  1. Navigate  to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"
  2. Change the "EnableLUA" key value from 1 to 0                                                                                                                                      
                                                                       
  3. Restart the server/computer


Hopefully this can help anyone facing this issue.



Exchange 2013 Sign Out behavior on Microsoft UAG - To finish signing out, please close all open browser windows.

Posted by Ahmed Nabil In | 0 comments»
Recently we noticed with some Exchange 2013 customers having their OWA (Outlook Web access) published on Microsoft UAG (Latest SP4 Rollup update) that they can't sign out properly from their OWA session and instead they get the message "To finish signing out, Please close all open browser windows"




When the user hits OK, nothing happened and he is still logged in.

This issue is not related to the UAG OWA setup or the UAG authentication but rather the Exchange Virtual directories authentication. This behavior occurs because the Exchange OWA virtual directories are set to Windows Integrated Authentication.

In order to change this you will need to do the following:


  1. From Exchange Admin Center go to Servers - Virtual Directories (Pick your server if you have multiple servers.
  2. Edit the OWA (Default Web Site) Authentication.
  3. Uncheck "Use one or more standard authentication methods" and pick an option in the below FBA (Forms based authentication) as shown in the below image                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
  4. You will need to do the same for the ECP virtual directory (Actually it will display message with this)
  5. Reset/Restart the IIS and the logoff should be normal as expected.


Hopefully this can help anyone encountering this issue.





Your computer is not configured correctly for Directaccess. IPV6 is not enabled correctly

Posted by Ahmed Nabil In | 0 comments»
Few users reported recently that their DirectAccess is not working on their Laptops and its displaying the message "your computer is not configured correctly for directaccess. ipv6 is not enabled correctly"

I checked DirectAccess Group policy and the Machine certificate and they were all fine. Its mainly IPV6 in question. Microsoft added native support for IPV6 and its enabled by default starting from Windows Vista and Server 2008. Some users try to disable IPV6 by unchecking the IPV6 option/check box from the Network card properties however this won't disable IPV6.

Microsoft released several Fixit (One click file) to enable, disable or give preference for IPV6 on IPV4 or vice verse instead of digging deeply in the registry to enable or disable IPV6.

Please check these several Fixit on http://support.microsoft.com/kb/929852

In our case IPV6 was disabled and need to be enabled either by using one of the Fixit provided in the link above or by checking the registry as follows:

  1. Locate the following Registry key  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
  2. Check for  DisabledComponents under the above key.
  3. To Enable IPV6 make sure this key has value of Zero or just delete it. If it has any other value IPV6 won't work correctly.


Hopefully this can help anyone encountering the same issue.






Power/Shutdwon button missing from my Surface Pro 3 Start Screen

Posted by Ahmed Nabil | 0 comments»
I noticed on my Surface Pro 3 device that it doesn't have the Power/Shutdown Button on the Start Menu. This Surface is fully patched with Windows 8.1 Update 1 and all other subsequent updates.

My Surface device was upgraded from the Windows Professional version to the Enterprise version and I was suspecting that its a Windows issue till I came to a recent KB by Microsoft that its not enabled on Surface Pro 3 and it will mainly depend on the device Hardware not the Windows OS.

https://support.microsoft.com/kb/2959188?wa=wsignin1.0






Note: An entry of "Slate" in the Device Type column means that the hardware reported a Power Platform Role of PlatformRoleSlate. To determine what a system is reporting, run the powercfg /energy command and check the Platform Role in the output.


According to the above mentioned table Surface Pro 3 will not have a Power Button on the Start Screen.

To customize or change this behavior by adding the power button you will need to follow the following steps:


  1. Open the Registry (regedit)
  2. Navigate to HKEY_CURRENT_USER
  3. Create a new Key and name it "Launcher"
  4. In the Launcher key create new DWORD value named Launcher_ShowPowerButtonOnStartScreen
  5. Right click on the new DWORD - Properties
  6. Change the Decimal Value to 1 (0=default which means it won't appear)
  7. Reboot the machine


This issue was weird since Surface Pro 2 will get this Power button. Anyways hopefully this blog post can clear this issue.




Microsoft Minimal Server Interface tips, tricks and common tasks

Posted by Ahmed Nabil In | 0 comments»
Microsoft started back with Windows Server 2008 offering the server core interface versus the normal full GUI interface. Server core is server installation with No GUI and just normal command prompt as your interface. The main idea is to reduce the attack surface on Microsoft servers by removing all GUI options, Internet explorer..........etc which have been the target of several attacks during the last couple of years.

By default when you install the full blown server (Full GUI) you get the binaries and files of all features and services even if you are not using them. Server Core limits the roles and features installed (You can't install all roles on server core) and it strips any service or feature that is not needed by the core networking roles allowed on the Windows core version.

Starting with Windows server 2012 Microsoft introduced an intermediate solution which is the windows server  with minimal interface. Its an intermediate option between Full Windows GUI and Server core. Its not an option wen installing (you only get option for Windows server with GUI or Windows Core).

In order to configure your server with minimal interface you will either install server core then add features on it or install the Full GUI windows server then remove the Graphical Shell using the Remove Roles and Features Wizard as shown below.


This will remove the server graphical shell and Internet Explorer which will enhance the server safety and reduce the security attack surface and at the same time give you the command prompt (You get in server core) plus the Server Manager which is an added value for people who didn't like the pure server core with just bold command prompt.


Warning: You might have installed 3rd party software or special Microsoft application that depend on the server graphical shell. When you do the uninstall it will warn you. Also you may run Whatif option from the powershell if you are not sure what might be affected as shown below.

Uninstall-WindowsFeature Server-Gui-Shell -WhatIf


To check Windows Server Installation options, please refer to the following link

http://technet.microsoft.com/en-us/library/hh831786.aspx

Common Scenarios after you go for the server with minimal interface:

1. What if you mistakenly closed the CMD Prompt and/or Server Manager? How can you get them back ?

If you are connected physically on the server you can hit ALT+CTL+Del and then open Task Manager or if you are connected remotely (RDP/MSTSC) then you need to press CTL+ALT+END or Shift+CTL+ESC to open Task Manager then Click Run New Task under File Tab







Now you can type CMD or Server Manager to open them back.


2. How to run Windows Update on the server with minimal interface?

Since the control panel is not available in the windows with minimal interface we can use the sconfig.cmd from the command prompt as follows:


  • Type sconfig.cmd in the CMD prompt
  • When you get the below window, type 6 and press enter to search for updates then type "A" to download all updates and follow the next steps.



3. How to Log off, Reboot or Shutdown the Minimal Interface server ?

  • This can be done from the SCONFIG.CMD mentioned in the earlier Scenario. You have option "13" to Restart the Server and option "14" to Shutdown the server.
  • From a Normal Command Prompt you can shutdown or Reboot the server using the "Shutdown" Command. The below example will reboot the computer (/t switch) after 0 seconds.





Hopefully this post will be informative for the ones looking to tighten their servers security by moving to minimal interface.








Windows Media Player 12 Crash with EMET 5.0

Posted by Ahmed Nabil | 0 comments»
I am currently running Microsoft EMET (Enhanced Mitigation Experience Toolkit) version 5.0 (Latest Version) with the popular software list which protects other well known software as Google Chrome, Firefox, Windows Media Player............etc.

After upgrading EMET to the latest version 5.0, I noticed that the Windows Media Player (Latest Version 12) crashes and the below event log is reported.



My first suspect was EMET, I removed all mitigation for the Windows Media Player from the Apps Section as shown below.



Windows Media Player started working normal after removing all mitigation, I started checking them one by one till it crashes back again with the StackPivot Mitigation.

The StackPivot Mitigation is used to detect if the stack is pivoted and used to validate the stack register present in the context structure of certain APIs. For some reason its triggered with Windows Media player and you need to un-check it to work it out till Microsoft finds a solution since they are both Microsoft Products.



UAG Direct Access client Fail to connect. DA is configured and disabled.

Posted by Ahmed Nabil In , | 0 comments»
I got couple of users using Windows 7 reporting that they can't connect using Direct Access anymore whether its HTTPS or Teredo, DA just won't work. Upon further discussing the issue with them they mentioned that they enabled and disabled the Direct Access Connectivity assistant (DCA) Use Local DNS couple of times in an effort to work it out.

We started troubleshooting by checking the Name Resolution Policy table and we noticed that the NRPT was not getting applied on the DA client as shown below.





The next step was checking the DA resolution using the netsh dns show state command and it turned to be disabled.


Name Resolution Policy Table Options
--------------------------------------------------------------------

Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                        if the name does not exist in DNS or
                                        if the DNS servers are unreachable
                                        when on a private network

Query Resolution Behavior             : Resolve only IPv6 addresses for names

Network Location Behavior             : Never use Direct Access settings

Machine Location                      : Outside corporate network

Direct Access Settings                : Configured and Disabled

DNSSEC Settings                       : Not Configured


The DA client already has the correct group policies, certificates but its disabled.

The next step was checking the below registry key:

"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient EnableDAForAllNetworks"

The value of the key was set to 2 which means that DA is disabled !

Upon deleting the registry key, the DA started working normally without any problem.

For more information about the EnableDAForAllNetworks and its different values please check the below URL. 


On both cases that i have seen so far the reason was playing with the DCA settings (Use local DNS) which triggered the flipping of this registry key from Automatic to disabled.


Hopefully this could help someone with the same problem.