Attackers Use Legacy IMAP Protocol to Bypass Multifactor Authentication in Cloud Accounts, Leading to Internal Phishing and BEC


Threats to cloud-based applications have been growing, and passwords — the traditional method used to secure accounts — are often no longer enough to protect users from the dangers that they potentially face. The need for more comprehensive security in cloud-based applications has led to vendors offering multifactor authentication (MFA) as an integral feature of their products and services. By using MFA, users limit the risk that an attacker will gain control of their accounts by spreading authentication across multiple devices.

However, while MFA provides an additional layer of security for protecting account access, it’s not a fool-proof feature. For example, a recent study from Proofpoint examined brute-force attacks against user accounts in major cloud services. The attacks reportedly took advantage of legacy email protocols, phishing, and credential dumps to bypass MFA.

Notably, attackers were able to abuse legacy protocols — most commonly the IMAP authentication protocol — to bypass even multifactor authentication. The study noted that the IMAP protocol can be abused under certain situations, such as when users employ third-party email clients that do not have modern authentication support. IMAP abuse can also be performed in two other cases: when the targets do not implement application passwords, and when it is done against shared email accounts where IMAP is not blocked and/or MFA cannot be used. The report also said these attacks can often go undetected, looking like failed logins rather than external attempts. Threat actors use these accounts as entry points into the system, after which lateral movement is carried out via internal phishing and BEC to expand their reach within the organization.

The six-month study saw over 72 percent of cloud tenants being targeted at least once by attackers, while 40 percent had at least one compromised account within their system. Even more concerning, 15 out of every 10,000 active user accounts were successfully breached. Hijacked servers and routers were used as the main attack platforms, with the network devices gaining access to approximately one new tenant every 2.5 days during a 50-day period.

Roughly 60 percent of the tenants involved in the study that were using Microsoft Office 365 and G Suite were targeted with the password-spraying attacks via IMAP, and 25 percent fell victim to a successful breach.

As more companies across industries adopt cloud-based services, it’s expected that cybercriminals will go after accounts for cloud-based platforms. Once an account has been compromised, whether through hacking or brute force, the account could be used to communicate with executives and their staff. Internal BEC emails could trick the targets into transferring funds and personal or corporate data or downloading malicious files. Compromised email accounts, for example, have been found replying to existing email threads to deliver malware. These BEC attempts can be difficult to detect given that they come from legitimate (though compromised) email accounts.

A feature such as MFA is only one part of an effective multilayered security implementation. Organizations looking to boost their security can start with these best practices:

  • Passwords still have a role to play as a component of multifactor authentication. Ensure that users have passwords that are strong and regularly changed to stay protected from brute-force attacks. This could include using at least 12 characters with a mix of upper- and lowercase letters, numbers, and special characters. Ask users to avoid common or easily guessable passwords, or passwords that contain obvious information such as names or birthdates.
  • Educate employees on how to identify phishing attacks. Common indicators that an email is a phishing attempt include suspicious-looking email addresses and the presence of misspellings and typographical errors.
  • Furthermore, attackers often try to make their phishing attempts as convincing as possible. Thus, users should avoid giving out personal and company information unless they are absolutely certain that the person or group they are communicating with is legitimate.

Given that cybercriminals use compromised accounts and internal BEC emails, organizations should also consider the use of security solutions designed to combat the growing threat. Trend Micro’s existing BEC protection uses AI, including expert rules and machine learning to analyze email behavior and intention. The new and innovative Writing Style DNA technology goes further by using machine learning to recognize the DNA of an executive’s writing style based on past written emails. Designed for high-profile users who are prone to being spoofed, Writing Style DNA technology can detect forged emails when the writing style of an email does not match that of the supposed sender. The technology is used by Trend Micro™ Cloud App Security™ and ScanMail™ Suite for Microsoft® Exchange™ solutions to cross-match the email content’s writing style to the sender’s by taking into account the following criteria: capital letters, short words, punctuation marks, function words, word repeats, distinct words, sentence length, and blank lines, among 7,000 other writing characteristics.

Source
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/attackers-use-legacy-imap-protocol-to-bypass-multifactor-authentication-in-cloud-accounts-leading-to-internal-phishing-and-bec

Easier Wi-Fi Planning, Security and Management from the Cloud

Wi-Fi access is ubiquitous, but it’s not always easy to plan, deploy, secure and manage, especially for distributed businesses and enterprises.

SonicWall believes there’s an easier approach. Our product teams have revamped our Wi-Fi management solutions with innovation at its foundation. Top-of-mind during the entire process, our focus was on evolving our Wi-Fi technology in four key areas: security, performance, simplicity and intuitiveness.

On paper, those sound obvious. But we wanted to be sure the execution matched the vision — to remove all the complexity without impacting the end-user experience. The outcome of this effort is four new SonicWall wireless solutions:

  • SonicWall WiFi Cloud Manager
  • SonicWall SonicWave 200 Series Wireless Access Points
  • SonicWiFi Mobile App
  • SonicWall WiFi Planner

Intuitive wireless management for the next era

One of the constant nightmares for network admins is an unmanageable network. As your network expands, policies change and threats increase, it is often difficult to keep pace.

Discovering an outage only after it has happened — or malware after it has creeped into your network — is disastrous. SonicWall arms you with the right tool to gain insights into your network to keep pace with changing network requirements.

SonicWall WiFi Cloud Manager is an intuitive, scalable and centralized Wi-Fi network management system suitable for networks of any size. With simplified management, wireless analytics is richer and easily accessible from anywhere with an internet connection. The cloud-based management solution is designed to be user-friendly and resilient while simplifying access, control and troubleshooting capabilities.

With a fresh UI, WiFi Cloud Manager can be accessed via SonicWall Capture Security Center to deliver powerful features and simplified onboarding via the cloud from a single pane of glass. Centralized visibility and control over SonicWall’s wired and wireless networking hardware reduces complexity and the need for costly overlay management systems. It can also be deployed across multiple regions for greater network visibility into distributed enterprises.

For network admins on the go, SonicWall introduces the SonicWiFi mobile app to set up and monitor your network. Easily onboard your APs and set up mesh with this app. It is available on iOS and Android.

Advanced wireless security — with or without a firewall

Organizations, big and small, need secure wireless solutions for extending connectivity to employees, customers and guests. The new SonicWave 200 series wireless access points deliver enterprise-level performance and security with the range and reliability of 802.11ac Wave 2 technology at an affordable price.

Built on industry-leading next-gen security, these APs feature a dedicated third radio for security scanning. In fact, advanced security features like Content Filtering Service (CFS) and the Capture Advanced Threat Protection (ATP) sandbox service can be performed on the AP itself, enabling organizations to mitigate cyberattacks even where firewalls aren’t deployed.

SonicWave 200 access points are available in three options, including 231c for indoor, 231o for outdoor and 224w for wall-mount requirements.

Manage dozens or even thousands of SonicWave wireless access points from anywhere you have an internet connection via the cloud or through the firewalls, providing you ultimate flexibility.

The SonicWall WiFi Cloud Manager provides you a single-pane-of-glass view of your entire wireless network. SonicWave access points also support SonicWall Zero-Touch Deployment, which allows the access points to be automatically identified and registered. SonicWiFi mobile app also lets you set up, manage and keep track of your network.

SonicWave access points leverage mesh technology to negate complexity from wireless expansion, especially at remote or distributed locations. Mesh networks are easy to set up, effortless to expand, and require fewer cables and less manpower to deploy, reducing installation costs. The new push-and-snap mounting bracket further adds to the ease of installation.

Easily plan and deploy your wireless networks

IT administrators often hear complaints about unreliable Wi-Fi connectivity leading to poor user experiences. This is mostly because Wi-Fi networks are not designed correctly to begin with. AP placements could be wrong, there may be radio frequency barriers or there simply isn’t enough capacity and coverage.

SonicWall WiFi Planner is a simple, easy-to-use, advanced wireless site survey tool that enables you to optimally design and deploy a wireless network for enhanced wireless user experience.

This tool lets you customize your settings per your surroundings and requirements to obtain maximum coverage with the fewest number of access points. You can prevent interference in your deployment on a best-effort basis through auto-channel assignment.

With a cloud-based UI, you also have the flexibility to collaborate with global teams. It is ideal for new access point deployments or to ensure excellent coverage in your wireless network. Available at no added cost, SonicWall WiFi Planner is accessible through WiFi Cloud Manager.

Together, these products deliver a powerful wireless solution, paving the way for the next era of wireless security. Welcome to the future of wireless security.


Source
https://blog.sonicwall.com/en-us/2019/02/easier-wi-fi-planning-security-management-from-the-cloud/

Use a Local Administrator Account for Remote Administration

Local administrator accounts are commonly configured with the same password across all devices in corporate environments, making it easy for attackers to own every device if the password is compromised. Microsoft’s security baseline templates block remote use of local accounts because until Local Administrator Password Solution (LAPS) was released in 2015, there was no mechanism for securely managing local administrator accounts. LAPS is a free tool from Microsoft that randomizes local admin passwords every 30 days and stores them securely in Active Directory for each computer account.

The risk posed by local administrator accounts can be managed by manually setting a random password on each device and then recording it in a spreadsheet. But that doesn’t address the issue of changing passwords periodically and requires you to make sure the spreadsheet isn’t accessed by malicious or unauthorized users. LAPS solves these problems, ensuring that local administrator accounts remain secure and can’t be used by hackers to laterally move around your network.

For more information on using LAPS, see Secure Local Administrator Accounts with the Local Administrator Password Solution (LAPS) Tool on Petri. Microsoft’s security baseline templates for Windows and Windows Server are available as part of the Security Compliance Toolkit.

Despite the convenience LAPS provides for managing local admin accounts, IT helpdesk staff often use a domain account that is granted administrator rights on each workstation in the domain. While this account doesn’t need to be a privileged domain account, i.e. not a member of Domain Admins or other privileged AD group, the account could still be used to compromise every workstation in the domain.

Local Accounts for Remote Administration

In a blog post by Aaron Margosis, Microsoft recommends that organizations consider unblocking remote use of local administrator accounts if LAPS or another password management solution is in place, and if you want to use local accounts for remote administration. Otherwise you should continue to block remote use of local accounts.

Margosis says that if a helpdesk user wants to remotely access a workstation, it is more secure to retrieve the local administrator password from AD than to use a domain account. If the local admin password is compromised, any damage is limited to that device. Some remote access tools expose credentials when logging in to remote systems, so IT helpdesk account credentials could be compromised.

If you decide to unblock remote use of local accounts, there are three Group Policy settings that need to be changed:

  • Deny access to this computer from the network
  • Deny log on through Remote Desktop Services
  • Apply UAC restrictions to local accounts on network logon

The first two settings can be found under Windows Settings\Security Settings\Local Policies\User Rights Assignment and should be set to empty. The third is a custom setting that’s part of the baseline templates (SecGuide.admx). It can be found under Administrative Templates\MS Security Guide and should be set to Disabled.

As you can see, there are some definite advantages to using LAPS-managed local administrator accounts for remote access. The only drawbacks that I can see are that it requires some administrative effort for helpdesk staff to retrieve local admin passwords from AD every time they need to log in, as opposed to getting quick access with a domain account. Secondly, using an unnamed account to log in means we don’t have a record of who accessed the device with administrative privileges. You can work around this by enabling auditing of access to LAPS passwords in AD and resetting passwords after each use. Both these tasks can be accomplished using the PowerShell Set-AdmPwdAuditing and Reset-AdmPwdPassword cmdlets respectively.
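The retrieve-use-reset workflow described above, as an added PowerShell example (not code from the Petri article or from Microsoft). It assumes the AdmPwd.PS module shipped with LAPS is installed, that the caller has been delegated read access to the ms-Mcs-AdmPwd attribute, and that the three Group Policy changes listed above have been applied so local accounts can log on remotely; the function names are this example's own.

```powershell
# Added example, not from the Petri article: make a retrieved LAPS password
# single-use. Reads the LAPS-managed local administrator password for one
# computer, runs a command there with the local account, and then expires the
# password so the LAPS client extension rotates it at its next Group Policy
# refresh. Assumes the AdmPwd.PS module (LAPS) and delegated read access to
# ms-Mcs-AdmPwd. Function names are this example's own.

Import-Module AdmPwd.PS

function Invoke-LapsAdminCommand {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][scriptblock]$ScriptBlock,
        [string]$AdminAccount = 'Administrator'     # assumption: name of the LAPS-managed local account
    )
    $entry = Get-AdmPwdPassword -ComputerName $ComputerName
    if ([string]::IsNullOrEmpty($entry.Password)) {
        throw "No LAPS password readable for $ComputerName (not LAPS-managed, or no read permission)."
    }
    $secure = ConvertTo-SecureString -String $entry.Password -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential ("$ComputerName\$AdminAccount", $secure)
    try {
        # Local-account logon over WinRM: if this password leaks, the damage is limited to this one device
        Invoke-Command -ComputerName $ComputerName -Credential $cred -ScriptBlock $ScriptBlock -ErrorAction Stop
    }
    finally {
        # Expire the password immediately so the value that was just read cannot be reused later
        if ($PSCmdlet.ShouldProcess($ComputerName, 'Reset LAPS password after use')) {
            Reset-AdmPwdPassword -ComputerName $ComputerName
        }
    }
}

function Enable-LapsPasswordReadAuditing {
    # One-time setup per OU: password reads then surface as Directory Service Access events (ID 4662)
    # on the domain controllers, giving the per-user audit trail the article says is otherwise missing.
    param(
        [Parameter(Mandatory)][string]$OrgUnit,   # OU distinguished name, e.g. 'OU=Workstations,DC=example,DC=test' (placeholder)
        [string[]]$AuditedPrincipals = @('Everyone')
    )
    Set-AdmPwdAuditing -OrgUnit $OrgUnit -AuditedPrincipals $AuditedPrincipals
}

# Example use (placeholder computer name):
# Invoke-LapsAdminCommand -ComputerName 'WKS-0001' -ScriptBlock { Get-Service -Name Spooler }
```

The reset takes effect when the LAPS client extension next runs on the target, so the password retrieved here is valid only until that refresh.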


Source
https://www.petri.com/use-a-local-administrator-account-for-remote-administration

Multi-Cloud Disaster Recovery Benefits and Challenges

The cloud has definitely changed both operations and data protection requirements for almost all businesses today. Not only is the cloud the basis for popular SaaS applications like Office 365, it is also used as a backup and DR target by many organizations.

Using the cloud opens up new possibilities for DR. However, one growing complication for DR and the cloud is the use of multiple clouds. Today, many businesses have adopted multiple clouds – many use both Amazon AWS and Microsoft Azure or, in some cases, Google Cloud or IBM Cloud. According to research done by the IBM Institute for Business Value, 85% of today’s enterprises operate in multi-cloud environments. Further, most of those organizations that don’t currently have a multi-cloud IT strategy plan to adopt one in the near future. The IBM research estimates that by 2021, 98% of businesses will move to multiple hybrid clouds. Similarly, an ESG study found that 81% of enterprises are utilizing more than one public cloud infrastructure service provider and only 15% were using a single cloud provider.

Multi-Cloud Advantages

Using multiple clouds definitely has its advantages. Cost is one of the primary driving factors. The IBM study, which surveyed 1016 executives from 19 different industries, reported that 66% said multi-cloud is crucial to reducing costs. Using multiple clouds not only allows you to pick the most cost-effective options, it also allows you to pick the best cloud services to fill your own specific business needs. Adopting a multi-cloud strategy can also enable businesses to avoid vendor lock-in, decreasing their dependence on a single cloud provider.

Multi-Cloud DR Planning

As a general rule, the big public cloud providers like AWS and Azure are more reliable than your own local data centers. Even so, a large-scale disaster could potentially impact both your organization and your cloud provider. Using multi-cloud disaster recovery enables you to replicate your resources to a second cloud provider in another geographic region. Typically, it’s best to use a second cloud provider that is within the same country. Crossing international boundaries can potentially bring up legal and regulatory constraints that you are probably better off without. Locating the second cloud provider in a different geographic region ensures that there is virtually no chance that both cloud providers will undergo a major outage at the same time. For instance, you could use one provider in the United States west coast region and then the east coast region with your other cloud provider.

There are challenges in using multi-cloud DR. Each cloud provider has its own management portal and different services, which require different skill sets. For IaaS implementations, you need to be aware that the different cloud providers each use different on-disk formats for their VMs. Microsoft Azure uses the VHD format while AWS uses the AMI format. As a general rule, each cloud provider’s DR services are not designed to deal with multiple cloud providers. However, some third-party DR solutions are able to bridge multiple clouds, making it far easier to implement a multi-cloud DR strategy. If you’re looking to implement your multi-cloud DR plan, it’s best to begin with a smaller-scoped POC before expanding to the rest of your organization. And like all DR plans, regular testing is a must.

Source
https://www.petri.com/multi-cloud-disaster-recovery-benefits-and-challenges

Migration Tools for the Azure Hybrid Cloud


While the hybrid cloud offers a number of benefits, moving to the hybrid cloud isn’t the easiest of tasks. To get there, you need to perform an analysis of the workloads and services that you are considering moving to the hybrid cloud to ensure that they are suitable candidates for running in the cloud.

Next, you need to perform an initial cost analysis. Cost saving is one of the main benefits of moving to the hybrid cloud. However, accurately estimating the cost savings can be difficult. Sometimes you may not really know the real costs until you actually make the move. Finally, you need a way to move all or selected parts of your on-premises workloads into the cloud. Fortunately, if you’re considering a move to the Azure hybrid cloud, Microsoft provides several tools that can help you with the different aspects of your hybrid cloud migration. Let’s take a closer look at some of Microsoft’s most important hybrid cloud migration tools.

Cloud Migration Assessment

Assessing your current environment is the first step in moving to the hybrid cloud, and the Microsoft Assessment and Planning toolkit (MAPs) can help you discover the servers across your IT environment. MAPs can automatically collect data and analyze your on-premises system hardware configuration. MAPs primarily uses WMI to collect information from Windows and Linux based servers as well as Hyper-V and VMware environments. When it’s finished it generates an Inventory Results Report that can be opened in Excel and passed on to other tools.

Estimating Costs

Understanding the impact of a move to the cloud is vital for both your company’s operational efficiencies and its bottom line. Cost is often the number one factor that will prompt businesses to move into the cloud. To help evaluate the costs of moving to Azure, Microsoft provides the Azure Total Cost of Ownership Calculator (TCO Calculator). The TCO Calculator is a web-based tool that prompts you to enter the details of your on-premises server infrastructure. First, you tell it your workloads and their details, like the type of servers they are running on. Next, you enter the details of your on-premises database and storage infrastructure. Finally, you supply the amount of network bandwidth you are currently consuming. The results of your MAPs analysis can be fed into the TCO Calculator.

Azure Hybrid Use Benefit

Another tool that can help in your hybrid cloud migration is the Azure Hybrid Use Benefit. The Azure Hybrid Use Benefit allows customers with Software Assurance to run Windows VMs on Azure at a reduced rate, potentially providing significant cost savings. Azure Hybrid Use Benefit can be used with Windows Server Datacenter and Standard edition licenses that are covered by Software Assurance or Windows Server Subscriptions. Windows Server Datacenter Edition customers can use licenses both on-premises and in Azure. Windows Server Standard Edition customers can assign the Azure Hybrid Use Benefit for licenses on Azure. However, if they do, they cannot use the Standard Edition license on-premises. While the actual savings depend on the Azure usage and the size and type of VMs, one example Microsoft touts is that for every 100 Windows Server licenses you can run up to 200 virtual machines with a potential savings of over $300,000 a year (based on the D3-V2 VM size).

Azure Migrate Service

The Azure Migrate service is a paid Azure service that assesses migrating on-premises VMware workloads to Azure. The Azure Migrate service can only work with on-premises VMware VMs. The VMware VMs must be managed by vCenter Server. To use the Azure Migrate service you must install a local virtual collector appliance that analyzes on-premises VMware VMs. The service performs performance-based sizing as well as cost estimates for moving the VMs to Azure. If you want to analyze Hyper-V VMs or physical servers, you need to use the Azure Site Recovery Deployment Planner for Hyper-V. The Azure Migrate service has a free 180-day trial period.

Azure Site Recovery and Azure Database Migration

While its main purpose is disaster recovery, Azure Site Recovery (ASR) can also be used to migrate VMs to Azure. ASR is a paid service and it can migrate a number of different system types to Azure, including VMs on AWS, VMware, Hyper-V or physical servers. You can configure ASR to take advantage of your Azure Hybrid Use Benefit with PowerShell. If you want to migrate databases, you can use the Azure Database Migration Service, which is also a paid service that can migrate SQL Server, Amazon RDS SQL and Oracle to Azure SQL Database.

Source
https://www.petri.com/migration-tools-for-the-azure-hybrid-cloud

How to disable SMBv1 Windows

How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server

Applies to: Windows 7 Enterprise, Windows 7 Home Basic, Windows 7 Home Premium, and more

Summary


This article describes how to enable and disable Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3) on the SMB client and server components.

In Windows 7 and Windows Server 2008 R2, disabling SMBv2 deactivates the following functionality:

  • Request compounding - allows for sending multiple SMB 2 requests as a single network request
  • Larger reads and writes - better use of faster networks
  • Caching of folder and file properties - clients keep local copies of folders and files
  • Durable handles - allow for connection to transparently reconnect to the server if there is a temporary disconnection
  • Improved message signing - HMAC SHA-256 replaces MD5 as hashing algorithm
  • Improved scalability for file sharing - number of users, shares, and open files per server greatly increased
  • Support for symbolic links
  • Client oplock leasing model - limits the data transferred between the client and server, improving performance on high-latency networks and increasing SMB server scalability
  • Large MTU support - for full use of 10-gigabit Ethernet
  • Improved energy efficiency - clients that have open files to a server can sleep

In Windows 8, Windows 8.1, Windows 10, Windows Server 2012, and Windows Server 2016, disabling SMBv3 deactivates the following functionality (and also the SMBv2 functionality that's described in the previous list):

  • Transparent Failover - clients reconnect without interruption to cluster nodes during maintenance or failover
  • Scale Out – concurrent access to shared data on all file cluster nodes
  • Multichannel - aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server
  • SMB Direct – adds RDMA networking support for very high performance, with low latency and low CPU utilization
  • Encryption – Provides end-to-end encryption and protects from eavesdropping on untrustworthy networks
  • Directory Leasing - Improves application response times in branch offices through caching
  • Performance Optimizations - optimizations for small random read/write I/O

More Information


The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008.

The SMBv3 protocol was introduced in Windows 8 and Windows Server 2012.

For more information about the capabilities of SMBv2 and SMBv3, go to the following Microsoft TechNet websites:

How to gracefully remove SMB v1 in Windows 8.1, Windows 10, Windows 2012 R2, and Windows Server 2016


Windows Server 2012 R2 & 2016: PowerShell methods

SMB v1
Detect: Get-WindowsFeature FS-SMB1
Disable: Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Enable: Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol

SMB v2/v3
Detect: Get-SmbServerConfiguration | Select EnableSMB2Protocol
Disable: Set-SmbServerConfiguration -EnableSMB2Protocol $false
Enable: Set-SmbServerConfiguration -EnableSMB2Protocol $true

Windows Server 2012 R2 and Windows Server 2016: Server Manager method for disabling SMB

SMB v1
[Figure: Server Manager - Dashboard method]

Windows 8.1 and Windows 10: PowerShell method

SMB v1 Protocol

Windows 8.1 and Windows 10: Add or Remove Programs method

[Figure: Add-Remove Programs client method]

How to detect status, enable, and disable SMB protocols on the SMB Server


For Windows 8 and Windows Server 2012

Windows 8 and Windows Server 2012 introduce the new Set-SMBServerConfiguration Windows PowerShell cmdlet. The cmdlet enables you to enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component.

You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet.

SMB v1 on SMB Server
Detect: Get-SmbServerConfiguration | Select EnableSMB1Protocol
Disable: Set-SmbServerConfiguration -EnableSMB1Protocol $false
Enable: Set-SmbServerConfiguration -EnableSMB1Protocol $true

For more information, see Server storage at Microsoft.

SMB v2/v3 on SMB Server
Detect: Get-SmbServerConfiguration | Select EnableSMB2Protocol
Disable: Set-SmbServerConfiguration -EnableSMB2Protocol $false
Enable: Set-SmbServerConfiguration -EnableSMB2Protocol $true

For Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008

To enable or disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor.

PowerShell methods

SMB v1 on SMB Server

Detect:

Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

Default configuration = Enabled (No registry key is created), so no SMB1 value will be returned

Disable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Enable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force

Note You must restart the computer after you make these changes.

For more information, see Server storage at Microsoft.

SMB v2/v3 on SMB Server

Detect:

Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

Disable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force

Enable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force

Note You must restart the computer after you make these changes.

Registry Editor

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

To enable or disable SMBv1 on the SMB server, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)

To enable or disable SMBv2 on the SMB server, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)

Note You must restart the computer after you make these changes.

How to detect status, enable, and disable SMB protocols on the SMB Client


For Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012

Note When you enable or disable SMBv2 in Windows 8 or in Windows Server 2012, SMBv3 is also enabled or disabled. This behavior occurs because these protocols share the same stack.

SMB v1 on SMB Client
Detect: sc.exe qc lanmanworkstation
Disable:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Enable:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb10 start= auto

For more information, see Server storage at Microsoft

SMB v2/v3 on SMB Client
Detect: sc.exe qc lanmanworkstation
Disable:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc.exe config mrxsmb20 start= disabled
Enable:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb20 start= auto

Notes

  • You must run these commands at an elevated command prompt.
  • You must restart the computer after you make these changes.
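The server-side and client-side checks above, combined into one added PowerShell example (not code from the Microsoft article). It inventories the SMB1 state of the local machine with the article's own methods, looks for clients that still negotiate SMB1 before the protocol is turned off, and then disables SMB1 on both server and client; it assumes Windows 8.1 / Windows Server 2012 R2 or later, an elevated session, and the function names are this example's own.

```powershell
# Added example, not from the Microsoft article: inventory SMB1, find remaining
# SMB1 clients, then disable SMB1 server and client. Assumes Windows 8.1 /
# Server 2012 R2 or later and an elevated PowerShell session.

function Get-Smb1Status {
    $server  = Get-SmbServerConfiguration
    $client  = (sc.exe qc lanmanworkstation) -join "`n"     # the article's client "Detect" check
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Smb1ServerEnabled    = $server.EnableSMB1Protocol
        Smb2ServerEnabled    = $server.EnableSMB2Protocol          # v2 and v3 share this switch
        Smb1ClientDependency = [bool]($client -match 'mrxsmb10')   # LanmanWorkstation still depends on the SMB1 redirector
        Smb1OptionalFeature  = if ($feature) { $feature.State } else { 'NotPresent' }
        ActiveSmb1Sessions   = @(Get-SmbSession | Where-Object { $_.Dialect -like '1.*' }).Count
    }
}

function Enable-Smb1AccessAudit {
    # Windows 10 / Server 2016 and later: each SMB1 connection is then logged as Event ID 3000
    # in Microsoft-Windows-SMBServer/Audit, so the clients that still need SMB1 can be fixed first.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1AuditEvents {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Force)    # proceed even if SMB1 sessions are still open
    $status = Get-Smb1Status
    if ($status.ActiveSmb1Sessions -gt 0 -and -not $Force) {
        throw "$($status.ActiveSmb1Sessions) client(s) still connected over SMB1; run Enable-Smb1AccessAudit, fix them, or use -Force."
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB1 server and client')) {
        # Server side, no restart needed (the article's Set-SmbServerConfiguration method)
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Client side: drop the SMB1 redirector dependency and stop it from starting (the article's sc.exe method)
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
        # Optional feature: removes the SMB1 binaries entirely; this part needs a restart
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Warning 'Restart the computer to complete removal of the SMB1 client.'
    }
}

Get-Smb1Status
```

Run Disable-Smb1 -WhatIf first to see what would change; the ActiveSmb1Sessions check only covers the server role, so a file server should also have auditing enabled for a few days before the switch.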

Disable SMBv1 Server with Group Policy


This procedure configures the following new item in the registry:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled

To configure this by using Group Policy:

  1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
  2. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
  3. Right-click the Registry node, point to New, and select Registry Item.
Registry - New - Registry Item

In the New Registry Properties dialog box, select the following:

  • Action: Create
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
  • Value name: SMB1
  • Value type: REG_DWORD
  • Value data: 0
New Registry Properties - General

This disables the SMBv1 Server components. This Group Policy must be applied to all necessary workstations, servers, and domain controllers in the domain.

Note WMI filters can also be set to exclude unsupported operating systems or selected exclusions, such as Windows XP.

Disable SMBv1 Client with Group Policy


To disable the SMBv1 client, first update the services registry key so that MRxSMB10 no longer starts, and then remove the dependency on MRxSMB10 from the LanmanWorkstation entry so that LanmanWorkstation can start normally without requiring MRxSMB10 to start first.

This will update and replace the default values in the following two items in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10

Registry entry: Start
REG_DWORD: 4 = Disabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation

Registry entry: DependOnService
REG_MULTI_SZ: "Bowser","MRxSmb20","NSI"

Note The default value included MRxSMB10, which is now removed as a dependency.

To configure this by using Group Policy:

  1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
  2. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
  3. Right-click the Registry node, point to New, and select Registry Item.
Registry - New - Registry Item

In the New Registry Properties dialog box, select the following:

  • Action: Update
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\services\mrxsmb10
  • Value name: Start
  • Value type: REG_DWORD
  • Value data: 4
Start Properties - General

Then remove the dependency on MRxSMB10, which was just disabled.

In the New Registry Properties dialog box, select the following:

  • Action: Replace
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation
  • Value name: DependOnService
  • Value type: REG_MULTI_SZ
  • Value data:
    • Bowser
    • MRxSmb20
    • NSI

Note These three strings will not have bullets (see the following screen shot).

DependOnService Properties

The default value includes MRxSMB10 in many versions of Windows, so replacing it with this multi-value string in effect removes MRxSMB10 as a dependency of LanmanWorkstation, going from the four default values down to just the three values above.

Note When you use Group Policy Management Console, you don't have to use quotation marks or commas. Just type each entry on its own line.

Restart required

After the policy has applied and the registry settings are in place, the targeted systems must be restarted before SMB v1 is disabled.

Summary

If all the settings are in the same Group Policy Object (GPO), Group Policy Management displays the following settings.

Group Policy Management Editor - Registry

Testing and validation

After these are configured, allow the policy to replicate and update. As necessary for testing, run gpupdate /force at a command prompt, and then review the target computers to make sure that the registry settings are applied correctly. Make sure SMB v2 and SMB v3 are functioning for all other systems in the environment.
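As an added example (not from the original article) of the validation step above, the following PowerShell reads the registry values this section describes, on both the server side (LanmanServer\Parameters SMB1 and SMB2) and the client side (mrxsmb10 Start and the LanmanWorkstation DependOnService list), and warns when SMBv1 is still active or SMBv2/v3 has been turned off by mistake. It assumes an elevated PowerShell session on the target computer.

```powershell
# Added example, not part of the original article: audit the SMBv1/SMBv2
# registry state after the GPO has applied. Run elevated on the target host.

function Get-SmbLegacyStatus {
    [CmdletBinding()]
    param()

    $serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
    $wsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'

    # Server side: SMB1 / SMB2 values. A missing value means the default (1 = enabled).
    $srv  = Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue
    $smb1 = if ($null -ne $srv.SMB1) { [int]$srv.SMB1 } else { 1 }
    $smb2 = if ($null -ne $srv.SMB2) { [int]$srv.SMB2 } else { 1 }

    # Client side: mrxsmb10 Start (4 = disabled) and the LanmanWorkstation
    # DependOnService list, which must no longer contain MRxSmb10.
    $start  = (Get-ItemProperty -Path $clientKey -Name Start -ErrorAction SilentlyContinue).Start
    $depend = (Get-ItemProperty -Path $wsKey -Name DependOnService -ErrorAction SilentlyContinue).DependOnService

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        ServerSmb1Enabled        = ($smb1 -ne 0)
        ServerSmb2Enabled        = ($smb2 -ne 0)
        ClientMrxSmb10Start      = $start
        ClientMrxSmb10Disabled   = ($start -eq 4)
        WorkstationDependOn      = ($depend -join ',')
        WorkstationDependsOnSmb1 = [bool]($depend | Where-Object { $_ -ieq 'MRxSmb10' })
    }
}

$status = Get-SmbLegacyStatus
$status | Format-List

# Flag the states that should not remain once the policy from this section is in place.
if ($status.ServerSmb1Enabled) {
    Write-Warning 'SMBv1 server component is still enabled (LanmanServer\Parameters\SMB1 is not 0).'
}
if (-not $status.ClientMrxSmb10Disabled -or $status.WorkstationDependsOnSmb1) {
    Write-Warning 'SMBv1 client is still active: mrxsmb10 Start is not 4 or LanmanWorkstation still depends on MRxSmb10.'
}
if (-not $status.ServerSmb2Enabled) {
    Write-Warning 'SMBv2/v3 server is disabled; other systems will lose access to shares on this host.'
}
```

Because a restart is required after the registry changes, run this after the reboot that follows gpupdate /force, not immediately after it.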

Windows Start Run commands

Accessibility Options: utilman or control access.cpl
Add Hardware Wizard: hdwwiz
Programs and Features: appwiz.cpl
Programs and Features (Add New Programs): control appwiz.cpl,,1
Programs and Features (Add Remove Windows Components): control appwiz.cpl,,2
Programs and Features (Set Program Access & Defaults): control appwiz.cpl,,3
Administrative Tools: control admintools
Advanced User Accounts Control Panel: netplwiz
Authorization Manager: azman.msc
Automatic Update control: wuaucpl.cpl
Backup and Restore Utility: sdclt
Bluetooth Transfer Wizard: fsquirt
Calculator: calc
Certificate Manager: certmgr.msc
Character Map: charmap
Check Disk Utility: chkdsk
Clear Type (tune or turn off): cttune
Color Management: colorcpl.exe
Command Prompt: cmd
Component Services: dcomcnfg or comexp.msc
Computer Management: CompMgmtLauncher.exe or compmgmt.msc
Control Panel: control
Credential (passwords) Backup and Restore Wizard: credwiz
Data Execution Prevention: SystemPropertiesDataExecutionPrevention
Date and Time Properties: timedate.cpl
Device Manager: hdwwiz or devmgmt.msc
Device Pairing Wizard: DevicePairingWizard
Digitizer Calibration Tool (Tablets/Touch screens): tabcal
Direct X Control Panel (if installed): directx.cpl
Direct X Troubleshooter: dxdiag
Disk Cleanup Utility: cleanmgr
Disk Defragmenter: dfrgui or defrag
Disk Management: diskmgmt.msc
Disk Partition Manager: diskpart
Display Color Calibration: dccw
Display DPI / Text size: dpiscaling
Display Properties (Themes, Desktop, Screensaver): control desktop
Display Properties (Resolution, Orientation): desk.cpl
Display Properties (Color & Appearance): control color
Documents (open 'My Documents' folder): documents
Downloads (open 'Downloads' folder): downloads
Driver Verifier Utility: verifier
DVD Player: dvdplay
Edit Environment Variables: rundll32.exe sysdm.cpl,EditEnvironmentVariables
Encrypting File System Wizard (EFS): rekeywiz
Event Viewer: eventvwr.msc
File Signature Verification Tool (Device drivers): sigverif
Files and Settings Transfer Tool: %systemroot%\system32\migwiz\migwiz.exe
Firewall Control Panel: firewall.cpl
Folders Properties: control folders
Fonts list: control fonts
Font preview: fontview arial.ttf
Game Controllers: joy.cpl
Local Group Policy Editor: gpedit.msc
Internet Properties: inetcpl.cpl
IP Configuration: ipconfig
iSCSI Initiator configuration: iscsicpl
Keyboard Properties: control keyboard
Language Pack Installer: lpksetup
Local Security Policy: secpol.msc
Local Users and Groups: lusrmgr.msc
Log out: logoff
Microsoft Malicious Software Removal Tool: mrt
Microsoft Management Console: mmc
Access (Microsoft Office): msaccess
Excel (Microsoft Office): Excel
Powerpoint (Microsoft Office): powerpnt
Word (Microsoft Office): winword
Microsoft Paint: mspaint
Microsoft Support Diagnostic Tool: msdt
Mouse Properties: control mouse or main.cpl
Network Connections: control netconnections or ncpa.cpl
Network Projector (Connect to): netproj
Switch projector display: displayswitch
Notepad: notepad
ODBC Data Source Admin (default ODBC driver): C:\windows\system32\odbcad32.exe
ODBC Data Source Admin (32-bit ODBC driver under 64-bit platform): C:\windows\sysWOW64\odbcad32.exe
ODBC configuration (install/configure MDAC drivers): odbcconf
On Screen Keyboard: osk
OOB Getting Started: gettingstarted
Password - Create a Windows Password Reset Disk (USB): "C:\Windows\system32\rundll32.exe" keymgr.dll,PRShowSaveWizardExW
Pen and Touch (Tablet/Pen input configuration): tabletpc.cpl
Performance Monitor: perfmon.msc
Phone and Modem Options: telephon.cpl
Phone Dialer: dialer
Power Configuration: powercfg.cpl and powercfg.exe
Presentation Settings: PresentationSettings
Problem Steps Recorder: psr
Program Access and Computer Defaults (browser / email / media): computerdefaults
Printers and Faxes: control printers
Print Management (.msc): PrintManagement
Printer Migration (backup/restore): printbrmui and printbrm.exe
Printer user interface (list all printui.dll options): printui
Private Character Editor: eudcedit
Regional Settings (Language, Date/Time format, keyboard): intl.cpl
Registry Editor: regedit
Remote Assistance: msra
Remote Desktop: mstsc
Resource Monitor: resmon
Resultant Set of Policy: rsop.msc
Settings (Windows 10): ms-settings:
Scheduled Tasks: control schedtasks
Screenshot Snipping Tool: snippingtool
Security Center: wscui.cpl
Services: services.msc
Shared Folder Wizard: shrpubw
Shared Folders: fsmgmt.msc
Shut Down Windows: shutdown
Software Licensing Activation: slui
Sounds and Audio: mmsys.cpl
Sound Recorder: soundrecorder
Sound Volume: sndvol
Synchronization Tool (Offline files): mobsync
System Configuration Utility: msconfig
System File Checker Utility (Scan/Purge): sfc
System Information: msinfo32
System Properties: sysdm.cpl SystemProperties or sysdm.cpl DisplaySYSDMCPL
System Properties Performance: SystemPropertiesPerformance
System Properties Hardware: SystemPropertiesHardware
System Properties Advanced: SystemPropertiesAdvanced
System Repair (Create a System Repair Disc): recdisc
System Restore: rstrui
Task Manager: taskmgr
Task Scheduler: taskschd.msc
Telnet Client: telnet
Trusted Platform Module Initialization Wizard: tpmInit
User Accounts (Autologon): control userpasswords2
User Account Control (UAC) Settings: UserAccountControlSettings
User Profiles (Edit/Change type): C:\Windows\System32\rundll32.exe sysdm.cpl,EditUserProfiles
Windows Disc Image Burning Tool: isoburn C:\movies\madmax.iso
Windows Explorer: explorer
Windows Features: optionalfeatures
Windows Firewall: firewall.cpl
Windows Firewall with Advanced Security: wf.msc
Windows Image Acquisition (scanner): wiaacmgr
Windows Magnifier: magnify
Windows Management Infrastructure: wmimgmt.msc
Windows Memory Diagnostic Scheduler: mdsched
Windows Mobility Center (for notebook): mblctr
Windows PowerShell: powershell
Windows PowerShell ISE: powershell_ise
Windows Security Action Center: wscui.cpl
Windows Script Host (VBScript): wscript NAME_OF_SCRIPT.VBS
Windows System Security Tool (encrypt the SAM database, boot password): syskey
Windows Update: wuapp
Windows Update Standalone Installer: wusa
Windows Version (About Windows): winver
WordPad: write

Unless indicated otherwise, all the commands above work in all versions of Windows from Vista upwards.
Most of these utilities can be found in %systemroot%\System32\

Source: https://ss64.com/nt/run.html

Microsoft Office Customization Tool

The Office Customization Tool creates the configuration files that are used to deploy Office in large organizations. These configuration files give you more control over an Office installation: you can define which applications and languages are installed, how those applications should be updated, and application preferences. After creating the configuration files, you can use them with the Office Deployment Tool to deploy a customized version of Office.

Note

The Office Customization Tool is part of the deployment process for installing Office on hundreds or thousands of computers. To follow this process end-to-end, we recommend completing the assessment and planning phases for your Office deployment. If you're not an enterprise administrator and are looking to install Office 365 in your home or business, see Install Office with Office 365.

Get started

To work with the service, go to Office Customization Tool and choose the products, languages, and application settings you want to configure. For example, you can create a configuration file that downloads the 64-bit English version of Office 365 ProPlus, or you can create a file that installs the 64-bit English and German version of Office without Access and Publisher and with the EULA automatically accepted. When you're done, you export the configuration file, which you can then use with the Office Deployment Tool or another software distribution solution to deploy Office in your organization.

Note

If you use System Center Configuration Manager (Current Branch) to deploy Office, we recommend using the Office 365 Installer wizard in the Configuration Manager console. That wizard includes a customized version of the Office Customization Tool. For more details, see Deploy Office 365 ProPlus with System Center Configuration Manager (Current Branch).

Create a configuration file

Follow these steps to create a configuration file that can be used by the Office Deployment Tool or another software distribution solution to install Office. Note that a product and language must be selected before you can export the configuration file.

  1. Go to Office Customization Tool.
  2. In the General section, type your organization name and a description for this particular configuration. For example, you might want to use this file to install the 64-bit version of Office for your finance department.
  3. In the Product and releases section, choose the architecture you want to deploy. Each configuration file can only deploy one architecture. For details on which architecture to choose, see Choose the 32-bit or 64-bit version of Office.
  4. Choose the products and applications you want to deploy, and then click Add. Note that you can create a package that includes Office, Visio, and Project by selecting each and adding them separately.
  5. Choose the update channel you want to deploy. The update channel determines how frequently your client devices are updated with new features. For best practice recommendations, see Step 3 - Choose your update channels.
  6. Choose which version you want to deploy. Unless you require a particular version, we recommend choosing the latest. For details on previous versions, see Update history for Office 365 ProPlus.
  7. In the Language section, choose which languages to include. You can include multiple languages and you can select Match operating system to automatically install the same languages that are in use on the client device. For more details, see Overview of deploying languages in Office 365 ProPlus.
  8. In the Installation section, choose whether to install the Office files directly from the cloud or from a local source on your network. For more details, see Choose how to deploy.
  9. Choose whether to display the installation from your end users and whether to pin the Office icons to the taskbar. For more details on these options, see Display element and PinIconsToTaskBar property.
  10. In the Update and upgrade section, choose whether to install updates directly from the cloud, from a local source on your network, or with Configuration Manager. If you want to update your client devices automatically, choose CDN and Automatically check for updates. For best practice recommendations, see Choose your update channels.
  11. Choose whether to automatically upgrade from 2013 versions of Click-to-Run versions of Office, whether to automatically remove all MSI-versions of Office, and whether to automatically install the same language as the removed MSI-version of Office. For more details, see Install the same languages from a previous MSI installation.
  12. If you are deploying a volume-licensed version of Office, Visio, or Project, specify the appropriate license key in Licensing and activation settings. Note that Office 365 ProPlus is not volume licensed and does not require a KMS or MAK activation. For more details, see Overview of volume activation of Office.
  13. Choose whether to automatically accept the EULA.
  14. In the Application preferences section, choose what settings to apply when deploying Office. You can search for a setting, filter the settings by Office app, and learn more about each setting by clicking it and reviewing the detailed description.
  15. Click Finish, review the configured settings in the righthand pane, and then click Export.
  16. Accept the terms in the license agreement, name the configuration file, and then click Export.
  17. You can now use the configuration file in your deployment workflow with the Office Deployment Tool or another software distribution solution.
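As an added example (not from the Office documentation, and not the tool's actual export), the deployment described above (64-bit, English and German, without Access and Publisher, EULA accepted) written out in the configuration XML that the Office Deployment Tool consumes, with a small PowerShell check of the two rules the steps state: one architecture per file, and a product with at least one language. The Configuration ID is a placeholder; the tool generates its own value.

```powershell
# Added example, not the Office Customization Tool's own output. The Configuration
# ID below is a placeholder; the tool fills in its own value on export.
$configurationXml = @'
<Configuration ID="PLACEHOLDER-ID-GENERATED-BY-THE-TOOL">
  <!-- Product and releases: exactly one architecture per configuration file -->
  <Add OfficeClientEdition="64" Channel="Broad">
    <Product ID="O365ProPlusRetail">
      <!-- Language section: English and German -->
      <Language ID="en-us" />
      <Language ID="de-de" />
      <!-- Applications deselected in the tool -->
      <ExcludeApp ID="Access" />
      <ExcludeApp ID="Publisher" />
    </Product>
  </Add>
  <!-- Update and upgrade section: update from the CDN, remove MSI-based Office -->
  <Updates Enabled="TRUE" />
  <RemoveMSI />
  <!-- Installation section: hide the installer UI, accept the EULA, pin icons -->
  <Display Level="None" AcceptEULA="TRUE" />
  <Property Name="PinIconsToTaskbar" Value="TRUE" />
</Configuration>
'@

function Test-OdtConfiguration {
    param([Parameter(Mandatory)][string]$Xml)

    # Parse as XML so a malformed file is caught before setup.exe ever sees it.
    $doc = [xml]$Xml
    $cfg = $doc.Configuration

    # Rule from step 3: each configuration file can deploy only one architecture.
    $editions = @($cfg.Add | ForEach-Object { $_.OfficeClientEdition } | Sort-Object -Unique)
    if ($editions.Count -ne 1) {
        throw "Exactly one OfficeClientEdition is expected, found: $($editions -join ',')"
    }

    # Rule from the intro: a product and a language must be selected before export.
    $products = @($cfg.Add.Product)
    if ($products.Count -eq 0) { throw 'No Product element in the configuration.' }
    foreach ($p in $products) {
        if (@($p.Language).Count -eq 0) { throw "Product $($p.ID) has no Language element." }
    }

    [pscustomobject]@{
        Edition    = $editions[0]
        Channel    = $cfg.Add.Channel
        Products   = $products.ID -join ','
        Languages  = ($products.Language.ID | Sort-Object -Unique) -join ','
        Excluded   = ($products.ExcludeApp.ID) -join ','
        AcceptEula = $cfg.Display.AcceptEULA
    }
}

Test-OdtConfiguration -Xml $configurationXml
Set-Content -Path '.\configuration.xml' -Value $configurationXml -Encoding UTF8
# Deploy afterwards with the Office Deployment Tool: setup.exe /configure configuration.xml
```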

Edit an existing configuration file

Follow these steps to import and edit an existing configuration file.

  1. Go to Office Customization Tool.
  2. Click Import, and then select the configuration file you want to edit.
  3. Change the settings you want, and then export the updated file.

Define application preferences

As part of the Office Customization Tool, you can define application preferences for Office 365 ProPlus, including VBA macro notifications, default file locations, and default file formats. When you define these preferences, you can apply them as part of deploying Office or you can apply them to an existing installation of Office without changing any other deployment settings. For more details, see Apply application preferences and Apply application preferences to an existing installation of Office.

Notes

When creating a configuration file, the Office Customization Tool includes two attributes for the Configuration element: The ID attribute, which identifies the deployment method, and the Host attribute, which identifies the deployment options that have been selected. These attributes don't contain any personally identifiable information (PII), but Click-to-Run sends the attribute values to Microsoft so that we can better understand what configurations customers use and make customization even easier. Because of these insights, we recommend keeping the attributes. They are optional, however, and can be removed without affecting your deployment.

 

Source: https://docs.microsoft.com/en-us/DeployOffice/overview-of-the-office-customization-tool-for-click-to-run

Microsoft Office default installation folders for Windows

Installation Paths

All the applications provided by the Office suite (Word, Excel, Outlook, Access, PowerPoint), if installed, can be found within the given folder(s). The executable files have kept the same names since Office XP, which are the following:

  • Word:
  • Excel:
  • PowerPoint:
  • Access:
  • Outlook:
  • Visio:
  • Project:

Office XP

  • Windows 64-bit:
  • Windows 32-bit:

Office 2003

  • Windows 64-bit:
  • Windows 32-bit:

Office 2007

  • Windows 64-bit:
  • Windows 32-bit:

Office 2010

  • Windows 64-bit:
  • Windows 32-bit:

Click-To-Run

  • Windows 64-bit:
  • Windows 32-bit:

Office 2013

  • Windows 64-bit:
  • Windows 32-bit:

Click-To-Run

  • Windows 64-bit:
  • Windows 32-bit:

Office 2016

  • Windows 64-bit:
  • Windows 32-bit:

Click-To-Run

  • Windows 64-bit:
  • Windows 32-bit:

If you have never heard of the Click-To-Run installation mode, read here.

GUID

In case you also need the installation GUIDs, for example to retrieve some Office-related installation data from Windows Installer and/or Registry Editor, I’m also enumerating those (source: https://support.microsoft.com/en-us/kb/234788):

Office XP

  • Word: {8E46FEFA-D973-6294-B305-E968CEDFFCB9}
  • Excel: {5572D282-F5E5-11D3-A8E8-0060083FD8D3}
  • PowerPoint: {FC780C4C-F066-40E0-B720-DA0F779B81A9}
  • Access: {CC29E967-7BC2-11D1-A921-00A0C91E2AA3}
  • Office: {20280409-6000-11D3-8CFE-0050048383C9}

Office 2003

  • Word: {1EBDE4BC-9A51-4630-B541-2561FA45CCC5}
  • Excel: {A2B280D4-20FB-4720-99F7-40C09FBCE10A}
  • PowerPoint: {C86C0B92-63C0-4E35-8605-281275C21F97}
  • Access: {F2D782F8-6B14-4FA4-8FBA-565CDDB9B2A8}
  • Office: {90110409-6000-11D3-8CFE-0150048383C9}

Office 2007

  • Word: {0638C49D-BB8B-4CD1-B191-051E8F325736}
  • Excel: {0638C49D-BB8B-4CD1-B191-052E8F325736}
  • PowerPoint: {0638C49D-BB8B-4CD1-B191-053E8F325736}
  • Access: {0638C49D-BB8B-4CD1-B191-054E8F325736}
  • Office: {0638C49D-BB8B-4CD1-B191-050E8F325736}

Office 2010

32-bit

  • Word: {019C826E-445A-4649-A5B0-0BF08FCC4EEE}
  • Excel: {538F6C89-2AD5-4006-8154-C6670774E980}
  • PowerPoint: {E72E0D20-0D63-438B-BC71-92AB9F9E8B54}
  • Access: {AE393348-E564-4894-B8C5-EBBC5E72EFC6}
  • Office: {398E906A-826B-48DD-9791-549C649CACE5}

64-bit

  • Word: {C0AC079D-A84B-4CBD-8DBA-F1BB44146899}
  • Excel: {8B1BF0B4-A1CA-4656-AA46-D11C50BC55A4}
  • PowerPoint: {EE8D8E0A-D905-401D-9BC3-0D20156D5E30}
  • Access: {02F5CBEC-E7B5-4FC1-BD72-6043152BD1D4}
  • Office: {E6AC97ED-6651-4C00-A8FE-790DB0485859}

Source: https://www.ryadel.com/en/microsoft-office-default-installation-folders-versions/

How to increase maximum size Microsoft Outlook pst files and ost files

In Outlook 2003 and 2007, the maximum recommended size of a Unicode pst-file and ost-file is limited to 20 GB.

In Outlook 2010, 2013 and 2016, the maximum recommended limit is set to 50 GB.

You can increase the limit with Group Policy or the registry.

Registry

Outlook 2003: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\PST
Outlook 2007: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\PST
Outlook 2010: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\PST
Outlook 2013: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\PST
Outlook 2016: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\PST

Create a new DWORD value named MaxLargeFileSize.
Don't set it higher than 4294967295 (decimal) or ffffffff (hexadecimal).

Group Policy
User Configuration-> Administrative Templates-> Microsoft Outlook <version>-> Miscellaneous-> PST Settings
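As an added example (not from the original article), the registry route above as a PowerShell function: it maps the Outlook release to the per-version PST key listed, refuses anything that will not fit in a REG_DWORD, and writes MaxLargeFileSize for the current user. Outlook interprets the value in megabytes (Outlook 2010's default of 51200 corresponds to the 50 GB limit mentioned above); the function name and parameters are my own.

```powershell
# Added example, not part of the original article: create MaxLargeFileSize under
# the per-version Outlook PST key for the current user (HKCU).

function Set-OutlookPstLimit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('2003', '2007', '2010', '2013', '2016')]
        [string]$OutlookVersion,

        # Size in megabytes (Outlook 2010's default 51200 MB = 50 GB).
        [Parameter(Mandatory)]
        [uint64]$MaxLargeFileSizeMB
    )

    # Office release -> registry version number, as listed in the article.
    $versionMap = @{
        '2003' = '11.0'; '2007' = '12.0'; '2010' = '14.0'; '2013' = '15.0'; '2016' = '16.0'
    }

    # The entry is a REG_DWORD, so anything above 0xFFFFFFFF cannot be stored.
    if ($MaxLargeFileSizeMB -gt [uint32]::MaxValue) {
        throw "MaxLargeFileSize must not exceed $([uint32]::MaxValue) (0xFFFFFFFF)."
    }

    # Windows PowerShell stores DWord values through Int32, so reinterpret the
    # unsigned value bit-for-bit to allow the full 0..0xFFFFFFFF range.
    $dword = [BitConverter]::ToInt32([BitConverter]::GetBytes([uint32]$MaxLargeFileSizeMB), 0)

    $key = "HKCU:\Software\Microsoft\Office\$($versionMap[$OutlookVersion])\Outlook\PST"

    if ($PSCmdlet.ShouldProcess($key, "Set MaxLargeFileSize=$MaxLargeFileSizeMB")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name MaxLargeFileSize -PropertyType DWord `
            -Value $dword -Force | Out-Null
        # Return the stored value so the caller can confirm what was written.
        Get-ItemProperty -Path $key -Name MaxLargeFileSize
    }
}

# Example: allow 80 GB (81920 MB) files for Outlook 2016; -WhatIf previews the change.
Set-OutlookPstLimit -OutlookVersion '2016' -MaxLargeFileSizeMB 81920 -WhatIf
```

Outlook reads the key at start-up, so restart Outlook after the value is written.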