
OpenDNS setup on iOS 11 devices

This Knowledge Base article shows you how to set up your iOS device to use OpenDNS.

 

Note:

These instructions only work for Wi-Fi connections because iOS does not allow you to change the DNS servers when connected to cellular networks. Also, the changes are network specific, so you'll need to change the DNS servers every time you connect to a new wireless network. The good news is that iOS remembers the settings, so you won't have to repeat these changes whenever you reconnect to a known network.

Also, this works the same on all iOS devices.

 

Changing your iOS device DNS settings:

  1. From the iOS device home screen, tap Settings.
  2. Tap Wi-Fi, make sure it is enabled and that your wireless network is connected.
  3. Tap the (i) symbol next to your wireless network.
  4. On the network details screen, tap Configure DNS.
  5. Make sure Manual is selected, then delete the current DNS servers by tapping the delete symbol next to each one.
  6. Tap Add Server and enter the first OpenDNS resolver, 208.67.222.222. Repeat to add the second resolver, 208.67.220.220.
  7. Tap Save to exit the menu.

That's it! You've updated your iOS device DNS servers.

 

source:
https://support.opendns.com/hc/en-us/articles/228008947-IOS-11-Configuration-for-OpenDNS

OpenDNS setup on Windows Server 2012 and 2012 R2

Setting up DNS Forwarding for Windows Server 2012 and 2012 R2

 

The basic instructions are as follows.

1. From the Start menu, start typing DNS, then select DNS from the search results.

2. Choose the server you want to edit, then select Forwarders.

3. Click the Edit button.

4. Add the OpenDNS addresses to the IP address list.

Please write down your current forwarder settings before switching to OpenDNS, in case you want to return to your old settings for any reason.

The OpenDNS addresses are:

  • 208.67.222.222
  • 208.67.220.220
  • 208.67.222.220
  • 208.67.220.222

5. Click OK.

6. Click OK once more to close the server properties.
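The same change made from PowerShell, as an added example that is not part of the OpenDNS article: it performs the "write down your current settings" step for you, replaces the forwarder list, and checks that the server still resolves names afterwards. It assumes Windows Server 2012/2012 R2 with the DNS Server role (the DnsServer module) and an elevated session on the DNS server itself; the backup path and the name used for the check are placeholders.

```powershell
# Added example (not from the OpenDNS article): switch a Windows Server 2012/2012 R2
# DNS server to the OpenDNS forwarders, keeping a copy of the previous configuration.
# Assumes the DnsServer module (DNS Server role) and an elevated session on the server.
# $BackupFile and the name queried in the check are placeholders.

$OpenDnsForwarders = @('208.67.222.222', '208.67.220.220', '208.67.222.220', '208.67.220.222')
$BackupFile        = 'C:\Admin\dns-forwarders-before-opendns.json'   # placeholder path

# 1. Record the current forwarder configuration so the change can be reverted.
$current  = Get-DnsServerForwarder
$snapshot = @{
    IPAddress   = @($current.IPAddress | ForEach-Object { $_.IPAddressToString })
    UseRootHint = $current.UseRootHint
    Timeout     = $current.Timeout
}
New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null
$snapshot | ConvertTo-Json | Set-Content -Path $BackupFile
Write-Host "Previous forwarders: $($snapshot.IPAddress -join ', ') (saved to $BackupFile)"

# 2. Replace the list. Set-DnsServerForwarder overwrites the whole forwarder list;
#    Add-DnsServerForwarder would append to it and leave the old servers in use.
Set-DnsServerForwarder -IPAddress $OpenDnsForwarders -PassThru

# 3. Verify that this server now answers through the new forwarders: query it
#    directly rather than the client's resolver cache, and fail if nothing comes back.
$answer = Resolve-DnsName -Name 'www.opendns.com' -Type A -Server 127.0.0.1 -DnsOnly -ErrorAction Stop
if (-not $answer) { throw 'No answer through the new forwarders; restore from the backup file' }
$answer | Select-Object Name, Type, IPAddress

# To revert:
#   $old = Get-Content $BackupFile | ConvertFrom-Json
#   Set-DnsServerForwarder -IPAddress $old.IPAddress -UseRootHint $old.UseRootHint
```

Forwarders apply to every query the server cannot answer from its own zones or cache, so this one change moves all client recursion for the server onto OpenDNS; the snapshot file is what lets you undo it if the filtering policy turns out to block something the business needs.
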

source:

https://support.opendns.com/hc/en-us/articles/228008907-Windows-Server-2012-and-2012-R2

SonicWall Zero-Touch Deployment (firewalls)

SonicWall® Zero-Touch
Deployment Guide
March 2019
SonicWall network security appliances are Zero-Touch enabled. Zero-Touch makes
it easy to register your unit and add it to SonicWall Capture Security Center or
SonicWall GMS On-Premise for management and reporting. This document
describes the Zero-Touch deployment process.
Topics:
• Deploying with Zero-Touch (CSC Management)
• Deploying with Zero-Touch (GMS On-Premise)
Deploying with Zero-Touch (CSC Management)
1) Register:
• Point your browser to https://cloud.sonicwall.com and log into your MySonicWall account or create an
account.
• In Capture Security Center, click the mySonicWall tile to launch the MySonicWall Dashboard.
• Click the Add Product button to launch the QUICK REGISTER dialog and then type in the serial
number of your SonicWall appliance. Click Confirm.
You can find the serial number and authentication code on the shipping box or appliance label.
• In the REGISTER A PRODUCT dialog, fill in the Friendly name and Authentication code, and select the
Tenant Name. By default, all products are placed under SonicWall Products Tenant.
• Click Register.
2) Enable Zero-Touch and CSC Management and Reporting:
• MySonicWall recognizes your appliance model and displays the Zero Touch option. Enable Zero Touch
and then click Register again. A success message is displayed to indicate Zero-Touch readiness.
• In MySonicWall, navigate to Product Management > My Products, select the appliance, and click the Try
button to enable the license for CSC Management and Reporting (if not enabled already). A success
message displays.
3) Connect and Power On:
• For a wireless appliance, connect the antennas.
NOTE: The appliance must be able to obtain an IP address via DHCP from the WAN connection or ISP
modem. If you need to use a static IP address, refer to the Quick Start Guide for your appliance.
• Connect the X1 interface to your WAN network.
• Power on the unit.
CSC Management automatically acquires the unit (it can take up to 30 minutes for initial acquisition). Once the
unit is acquired, you can begin management.
To view the status of your appliance:
• In MySonicWall, pull down the curtain for Capture Security Center.
• Using the same Tenant as you selected during registration, click the Management tile.
• Click the appliance serial number or friendly name under DEVICE MANAGER to display its status.
Getting the Latest Firmware for the Firewall
1 In Capture Security Center, click the mySonicWall tile.
2 Navigate to Resources & Support > My Downloads and select your product firmware from the Product
Type drop-down menu.
3 Click the link for the firmware you want and save the file to a location on your computer.
4 Pull down the curtain for Capture Security Center.
5 Using the same Tenant as you selected during registration, click the Management tile.
6 In DEVICE MANAGER, click on the appliance in the left pane.
7 In the center pane, go to the Register/Upgrades > Firmware Upgrade page.
8 Click the Choose File button to select the firmware you just downloaded, then click Upgrade from Local
File.
Deploying with Zero-Touch (GMS On-Premise)
PREREQUISITE: GMS 8.7 or higher is required. Be sure that your GMS system is Zero-Touch enabled. Refer
to the knowledge base article at:
https://www.sonicwall.com/support/knowledge-base/?sol_id=190205183052590
1) Register:
• Log into your MySonicWall account or create an account at www.mysonicwall.com.
• Click the Add Product button to launch the QUICK REGISTER dialog and then type in the serial
number of your SonicWall appliance. Click Confirm.
You can find the serial number and authentication code on the shipping box or appliance label.
• In the REGISTER A PRODUCT dialog, fill in the Friendly name and Authentication code, and select the
Tenant Name. By default, all products are placed under SonicWall Products Tenant.
• Click Register.
2) Enable Zero-Touch:
• MySonicWall recognizes your appliance model and displays the Zero Touch option. Enable Zero Touch.
• Select the desired GMS Public IP from the GMS Server Public IP/FQDN drop-down list. The ZeroTouch
Agent Public IP/FQDN field is populated with the associated IP address.
IMPORTANT: Verify that both of these IP addresses are the same as those you configured during
the prerequisite process.
• Click Register.
3) Connect and Power On:
• For a wireless appliance, connect the antennas.
NOTE: The appliance must be able to obtain an IP address via DHCP from the WAN connection or ISP
modem. If you need to use a static IP address, refer to the Quick Start Guide for your appliance.
• Connect the X1 interface to your WAN network.
• Power on the unit.
GMS automatically acquires the unit (it can take up to 30 minutes for initial acquisition). Once the unit is
acquired, you can begin management.
To view the status of your appliance:
• Log into GMS and navigate to the FIREWALL view.
• Click on the appliance in the left pane to display the status.
Getting the Latest Firmware for the Firewall
1 In a web browser, navigate to www.mysonicwall.com.
2 Navigate to Resources & Support > My Downloads and select your product firmware from the Product
Type drop-down menu.
3 Click the link for the firmware you want and save the file to a location on your computer.
4 In GMS, navigate to the FIREWALL view and click on the appliance in the left pane.
5 In the center pane, go to the Manage > Register/Upgrades > Firmware Upgrade page.
6 Click the Choose File button to select the firmware you just downloaded, then click Upgrade from Local
File.
SonicWall Support
Technical support is available to customers who have purchased SonicWall products with a valid maintenance
contract and to customers who have trial versions.
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a
day, 365 days a year. To access the Support Portal, go to https://www.sonicwall.com/support.
The Support Portal enables you to:
• View knowledge base articles and technical documentation
• View video tutorials
• Access MySonicWall
• Learn about SonicWall professional services
• Review SonicWall Support services and warranty information
• Register for training and certification
• Request technical support or customer service
To contact SonicWall Support, visit https://www.sonicwall.com/support/contact-support.

 

Source:
https://www.sonicwall.com/support/technical-documentation/zero-touch-deployment-guide.pdf

Configure Google Drive File Stream

Configure Drive File Stream

You can specify custom options for Drive File Stream, including the default drive letter on Windows, the mount point on macOS, the cache location, bandwidth limits, and proxy settings. These configurations can be set at the user or host level, and persist when Drive File Stream restarts.

Where to update settings

To set the Drive File Stream options, you update registry keys (Windows) or use the defaults command (macOS). If you’re not familiar with making these updates, contact your administrator or check your operating system documentation. Additionally, administrators can choose to set override values that end users can't change.

Windows

Host-wide HKEY_LOCAL_MACHINE\Software\Google\DriveFS
User only HKEY_CURRENT_USER\Software\Google\DriveFS
Override HKEY_LOCAL_MACHINE\Software\Policies\Google\DriveFS

macOS

Host-wide /Library/Preferences/com.google.drivefs.settings
User only ~/Library/Preferences/com.google.drivefs.settings
Override /Library/Managed Preferences/com.google.drivefs.settings.plist

macOS examples

Host-wide mount point:
sudo defaults write /Library/Preferences/com.google.drivefs.settings DefaultMountPoint '/Volumes/Google Drive File Stream'

Host-wide trusted certificates file:
sudo defaults write /Library/Preferences/com.google.drivefs.settings TrustedRootCertsFile /Library/MyCompany/DriveFileStream/MyProxyCert.pem

User maximum download bandwidth:
defaults write com.google.drivefs.settings BandwidthRxKBPS -int 100

User-enabled browser authentication:
defaults write com.google.drivefs.settings ForceBrowserAuth -bool true

Settings

Set these name/value pairs using the registry keys or the defaults command, as described above. On Windows, create the registry keys if they don't already exist. On macOS, the defaults command maintains a plist file for the settings; do not edit the plist file directly, as some changes might not be applied.

Value types: settings marked * are booleans (a DWORD on Windows, with 1 for true and 0 for false; a Bool on macOS, with true or false). Other numeric settings are a DWORD or QWORD on Windows and a Number on macOS, as noted below.

AutoStartOnLogin* (DWORD / Bool)
  Start Drive File Stream automatically on session login.

BandwidthRxKBPS (DWORD / Number)
  Maximum downstream kilobytes per second.

BandwidthTxKBPS (DWORD / Number)
  Maximum upstream kilobytes per second.

ContentCachePath (String)
  Path to the content cache on a connected APFS, HFS+, or NTFS file system. When Drive File Stream restarts, local data in the old content cache moves to the new location; if you delete the custom setting, the data moves back to the default location. The default cache location is %LOCALAPPDATA%\Google\DriveFS on Windows and ~/Library/Application Support/Google/DriveFS on macOS.

ContentCacheMaxKbytes (QWORD / Number)
  Limit on the content cache size in kilobytes. The limit is capped at 20% of the available space on the disk regardless of the setting value. It does not apply to files made available offline or to files that are still uploading. Only available to admins, as an override or host-wide setting.

DefaultMountPoint (String)
  Windows: the mounted drive letter; an environment variable may be used to specify it. macOS: the mount path; a tilde (~) or environment variables may be included.

DisableRealTimePresence* (DWORD / Bool)
  Disables real-time presence in Microsoft Office. This can also be disabled per organizational unit from the Admin console (see step 3 of Deploy Drive File Stream).

ForceBrowserAuth* (DWORD / Bool)
  Use browser authentication. If your organization uses security keys or SSO, this setting may resolve sign-in problems.

MinFreeDiskSpaceKBytes (QWORD / Number)
  Controls how much local space the Drive File Stream cache may use: the client stops writing content to disk when free disk space falls below this threshold, in kilobytes.

Proxy settings:

DisableSSLValidation* (DWORD / Bool)
  Disables validation of the servers' TLS (SSL) certificates. Traffic is still encrypted, but the client no longer checks that the certificate presented by the upstream server is valid, so anything able to intercept the connection can impersonate Google's servers and read or alter the data. Treat it as a troubleshooting switch of last resort; for a decrypting proxy, use TrustedRootCertsFile instead. Only settable host-wide.

TrustedRootCertsFile (String)
  Full path to an alternate file, in Privacy Enhanced Mail (PEM) format, used to validate host TLS certificates. Set this if your users are on networks with decrypting proxies. The file should contain the contents of the roots.pem shipped with Drive File Stream plus the certificates used to authenticate your proxy; these additions should correspond to the proxy-signing certificates you added to the certificate stores on your fleet of machines. roots.pem is found at \Program Files\Google\DriveFS\<version>\config\roots.pem (Windows) or /Applications/Google\ Drive\ File\ Stream.app/Contents/Resources/roots.pem (macOS). Only settable host-wide.

DisableCRLCheck* (DWORD / Bool)
  Disables checking the Certificate Revocation Lists (CRLs) published by certificate authorities. If not explicitly set, it defaults to true when TrustedRootCertsFile is provided and to false otherwise, because sites that use self-signed certificates for their content inspection proxies typically don't publish a CRL. Enterprises whose proxy certificate does specify a CRL can explicitly set DisableCRLCheck to 0 (Windows) or false (macOS) to keep the revocation check.
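The settings above applied on a Windows host, as an added example that is not Google's code: it builds the trust file for a decrypting proxy the way the TrustedRootCertsFile entry describes, writes the TLS-related values host-wide (the only place they are honoured) and the rest under the Policies override key so users cannot weaken them, and refuses to finish if certificate validation has been switched off anywhere. Assumptions: an elevated session, the proxy's signing CA already exported in PEM format to the $ProxyCaPem path, and that the proxy CA publishes a CRL (otherwise leave DisableCRLCheck unset, as the table says); the paths, drive letter, bandwidth figures and cache size are placeholders.

```powershell
# Added example (not Google's code): configure Drive File Stream on a Windows host
# behind a TLS-inspecting proxy while keeping certificate validation on.
# Assumes: elevated session; proxy CA exported to $ProxyCaPem (PEM); proxy CA publishes
# a CRL. Paths, drive letter and numeric limits are placeholders.

$HostKey    = 'HKLM:\SOFTWARE\Google\DriveFS'            # host-wide: required for the TLS settings
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Google\DriveFS'   # override: end users cannot change these
$ProxyCaPem = 'C:\ProgramData\MyCompany\proxy-ca.pem'    # placeholder: your proxy's signing CA
$TrustFile  = 'C:\ProgramData\MyCompany\drivefs-roots.pem'

# Trust file = Google's shipped roots.pem + the proxy CA. Shipping only the proxy CA
# would break Drive for laptops that leave the proxied network.
$shipped = Get-ChildItem -Path 'C:\Program Files\Google\DriveFS' -Recurse -Filter 'roots.pem' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $shipped) { throw 'roots.pem not found under Program Files\Google\DriveFS' }
if (-not (Test-Path $ProxyCaPem)) { throw "Proxy CA file $ProxyCaPem is missing" }
New-Item -ItemType Directory -Path (Split-Path $TrustFile) -Force | Out-Null
Get-Content -Path $shipped.FullName, $ProxyCaPem | Set-Content -Path $TrustFile -Encoding Ascii

# name = @(registry value type, value); the types follow the settings table.
$hostWide = @{
    TrustedRootCertsFile = @('String', $TrustFile)
    DisableSSLValidation = @('DWord',  0)   # never 1: that lets any on-path device impersonate Google
}
$override = @{
    DefaultMountPoint     = @('String', 'G:')
    BandwidthRxKBPS       = @('DWord',  2048)
    BandwidthTxKBPS       = @('DWord',  1024)
    ContentCacheMaxKbytes = @('QWord',  [int64](20GB / 1KB))   # 20 GB expressed in KB
    DisableCRLCheck       = @('DWord',  0)   # otherwise defaults to true once TrustedRootCertsFile is set
    ForceBrowserAuth      = @('DWord',  1)   # SSO / security-key sign-in
}

function Set-DriveFsSettings {
    param([string]$Key, [hashtable]$Settings)
    New-Item -Path $Key -Force | Out-Null
    foreach ($name in $Settings.Keys) {
        $type, $value = $Settings[$name]
        New-ItemProperty -Path $Key -Name $name -PropertyType $type -Value $value -Force | Out-Null
    }
}
Set-DriveFsSettings -Key $HostKey   -Settings $hostWide
Set-DriveFsSettings -Key $PolicyKey -Settings $override

# Read-back check: stop if validation is disabled in any key the client consults.
foreach ($key in @($HostKey, $PolicyKey, 'HKCU:\SOFTWARE\Google\DriveFS')) {
    $v = (Get-ItemProperty -Path $key -Name DisableSSLValidation -ErrorAction SilentlyContinue).DisableSSLValidation
    if ($v -eq 1) { throw "DisableSSLValidation=1 found under $key; remove it" }
}
Get-ItemProperty -Path $HostKey, $PolicyKey |
    Select-Object PSPath, TrustedRootCertsFile, DisableSSLValidation, DisableCRLCheck, DefaultMountPoint
```

The read-back loop is the part worth keeping even if you deploy the values through Group Policy instead of a script: a stray DisableSSLValidation=1 left over from a troubleshooting session quietly removes the only protection Drive traffic has against an interposed proxy.
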

Source:

https://support.google.com/a/answer/7644837

Attackers Use Legacy IMAP Protocol to Bypass Multifactor Authentication in Cloud Accounts, Leading to Internal Phishing and BEC


Threats to cloud-based applications have been growing, and passwords, the traditional method used to secure accounts, are often no longer enough to protect users from the dangers they face. The need for more comprehensive security in cloud-based applications has led vendors to offer multifactor authentication (MFA) as an integral feature of their products and services. With MFA, an attacker who learns the password still cannot sign in without the second factor, which is typically held on a separate device.

However, while MFA provides an additional layer of security for protecting account access, it’s not a fool-proof feature. For example, a recent study from Proofpoint examined brute-force attacks against user accounts in major cloud services. The attacks reportedly took advantage of legacy email protocols, phishing, and credential dumps to bypass MFA.

Notably, attackers were able to abuse legacy protocols, most commonly IMAP, to bypass even multifactor authentication. These protocols authenticate with a plain username and password (basic authentication) and have no way to prompt for a second factor, so wherever they remain enabled the MFA policy simply does not apply. The study noted that IMAP can be abused in particular when users employ third-party email clients that lack modern authentication support, when app passwords are not implemented, and against shared email accounts where IMAP is not blocked and/or MFA cannot be used. The report also said these attacks often go undetected because, in the logs, they look like ordinary failed logins rather than an external attack. Threat actors use the compromised accounts as entry points, after which they move laterally via internal phishing and BEC to expand their reach within the organization.

The six-month study saw over 72 percent of cloud tenants being targeted at least once by attackers, while 40 percent had at least one compromised account within their system. Even more concerning, 15 out of every 10,000 active user accounts were successfully breached. Hijacked servers and routers were used as the main attack platforms, with the network devices gaining access to approximately one new tenant every 2.5 days during a 50-day period.

Roughly 60 percent of the tenants involved in the study that were using Microsoft Office 365 and G Suite were targeted with the password-spraying attacks via IMAP, and 25 percent fell victim to a successful breach.

As more companies across industries adopt cloud-based services, it’s expected that cybercriminals will go after accounts for cloud-based platforms. Once an account has been compromised, whether through hacking or brute force, the account could be used to communicate with executives and their staff. Internal BEC emails could trick the targets into transferring funds and personal or corporate data or downloading malicious files. Compromised email accounts, for example, had been found replying to email threads to deliver malware. These BEC attempts can be difficult to detect given that they come from legitimate (though compromised) email accounts.

A feature such as MFA is only one part of an effective multilayered security implementation. Organizations looking to boost their security can start with these best practices:

  • Passwords still have a role to play as a component of multifactor authentication. Ensure that users have passwords that are strong and regularly changed to stay protected from brute-force attacks. This could mean using at least 12 characters with a mix of upper- and lowercase letters, numbers, and special characters. Ask users to avoid common or easily guessable passwords, or passwords built from obvious information such as names or birthdates.
  • Educate employees on how to identify phishing attacks. Common indicators that an email is a phishing attempt include suspicious-looking email addresses and the presence of misspellings and typographical errors.
  • Furthermore, attackers often try to make their phishing attempts as convincing as possible. Thus, users should avoid giving out personal and company information unless they are absolutely certain that the person or group they are communicating with is legitimate.

Given that cybercriminals use compromised accounts and internal BEC emails, organizations should also consider the use of security solutions designed to combat the growing threat. Trend Micro’s existing BEC protection uses AI, including expert rules and machine learning to analyze email behavior and intention. The new and innovative Writing Style DNA technology goes further by using machine learning to recognize the DNA of an executive’s writing style based on past written emails. Designed for high-profile users who are prone to being spoofed, Writing Style DNA technology can detect forged emails when the writing style of an email does not match that of the supposed sender. The technology is used by Trend Micro™ Cloud App Security™ and ScanMail™ Suite for Microsoft® Exchange™ solutions to cross-match the email content’s writing style to the sender’s by taking into account the following criteria: capital letters, short words, punctuation marks, function words, word repeats, distinct words, sentence length, and blank lines, among 7,000 other writing characteristics.
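Two things a practitioner wants after reading the above: a way to see the password-spraying pattern the study describes in sign-in data, and the control that removes the legacy path altogether. The following is an added example, not code from the Trend Micro or Proofpoint reports. The log lines are constructed for this example and their layout (time, user, source IP, client application, result) is an assumption rather than any real product's format; in the sample, the 203.0.113.7 entries are a spray over IMAP basic authentication against six accounts, and the 198.51.100.x entries are ordinary browser sign-ins. The hardening function uses Exchange Online PowerShell cmdlets and needs a connected session (Connect-ExchangeOnline), so it is defined but not run.

```powershell
# Added example (not from the Trend Micro article). Part 1 flags the pattern the
# study describes: one source IP, a legacy client that cannot do MFA, a few attempts
# against many different accounts. Part 2 is the Exchange Online policy that
# removes the path. Log lines and field layout are constructed for this example.

$log = @'
2019-03-10T02:11:05Z,alice@example.com,203.0.113.7,IMAP4,Failure
2019-03-10T02:11:09Z,bob@example.com,203.0.113.7,IMAP4,Failure
2019-03-10T02:11:14Z,carol@example.com,203.0.113.7,IMAP4,Failure
2019-03-10T02:11:20Z,dave@example.com,203.0.113.7,IMAP4,Failure
2019-03-10T02:11:27Z,erin@example.com,203.0.113.7,IMAP4,Success
2019-03-10T02:15:00Z,frank@example.com,203.0.113.7,IMAP4,Failure
2019-03-10T08:30:12Z,alice@example.com,198.51.100.20,Browser,Success
2019-03-10T08:31:40Z,bob@example.com,198.51.100.21,Browser,Failure
2019-03-10T08:31:52Z,bob@example.com,198.51.100.21,Browser,Success
'@

# Client applications that use basic authentication and therefore never see an MFA prompt.
$LegacyClients = @('IMAP4', 'POP3', 'SMTP', 'Other clients')
$records = $log | ConvertFrom-Csv -Header time, user, ip, clientApp, result

# A spray: one IP, legacy client, at least $MinAccounts distinct users, with failures.
# A success on such an IP after failures against other accounts is the MFA bypass itself.
function Find-LegacyAuthSpray {
    param($Records, [int]$MinAccounts = 3)
    $Records |
        Where-Object { $LegacyClients -contains $_.clientApp } |
        Group-Object ip |
        ForEach-Object {
            $users    = @($_.Group.user | Sort-Object -Unique)
            $failures = @($_.Group | Where-Object result -eq 'Failure').Count
            $hits     = @($_.Group | Where-Object result -eq 'Success').user
            if ($users.Count -ge $MinAccounts -and $failures -gt 0) {
                [pscustomobject]@{
                    SourceIp    = $_.Name
                    Accounts    = $users.Count
                    Failures    = $failures
                    Compromised = ($hits -join ', ')
                }
            }
        }
}

Find-LegacyAuthSpray -Records $records | Format-Table -AutoSize

# Part 2 (Exchange Online; requires Connect-ExchangeOnline, so not invoked here):
# an authentication policy that blocks basic auth for IMAP, POP and SMTP (the other
# AllowBasicAuth* switches default to off as well), set as the tenant default, plus
# IMAP/POP switched off entirely for mailboxes that never use them.
function Block-LegacyAuth {
    $policy = New-AuthenticationPolicy -Name 'Block Basic Auth' `
        -AllowBasicAuthImap:$false -AllowBasicAuthPop:$false -AllowBasicAuthSmtp:$false
    Set-OrganizationConfig -DefaultAuthenticationPolicy $policy.Identity
    Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -ImapEnabled $false -PopEnabled $false
}
```

The grouping key matters: grouping by user, which is what a lockout policy effectively does, hides a spray because each account sees only one or two failures; grouping by source IP and counting distinct accounts is what surfaces it. The policy in Part 2 is the durable fix, because once basic authentication is off the password alone is no longer a valid credential anywhere in the tenant, which is what MFA was meant to guarantee in the first place.
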

Source
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/attackers-use-legacy-imap-protocol-to-bypass-multifactor-authentication-in-cloud-accounts-leading-to-internal-phishing-and-bec

Easier Wi-Fi Planning, Security and Management from the Cloud

Wi-Fi access is ubiquitous, but it’s not always easy to plan, deploy, secure and manage, especially for distributed businesses and enterprises.

SonicWall believes there’s an easier approach. Our product teams have revamped our Wi-Fi management solutions with innovation at its foundation. Top-of-mind during the entire process, our focus was on evolving our Wi-Fi technology in four key areas: security, performance, simplicity and intuitiveness.

On paper, those sound obvious. But we wanted to be sure the execution matched the vision — to remove all the complexity without impacting the end-user experience. The outcome of this effort is four new SonicWall wireless solutions:

  • SonicWall WiFi Cloud Manager
  • SonicWall SonicWave 200 Series Wireless Access Points
  • SonicWiFi Mobile App
  • SonicWall WiFi Planner

Intuitive wireless management for the next era

One of the constant nightmares for network admins is an unmanageable network. As your network expands, policies change and threats increase, it is often difficult to keep pace.

Discovering an outage only after it has happened — or malware after it has creeped into your network — is disastrous. SonicWall arms you with the right tool to gain insights into your network to keep pace with changing network requirements.

SonicWall WiFi Cloud Manager is an intuitive, scalable and centralized Wi-Fi network management system suitable for networks of any size. With simplified management, wireless analytics is richer and easily accessible from anywhere with an internet connection. The cloud-based management solution is designed to be user-friendly and resilient while simplifying access, control and troubleshooting capabilities.

With a fresh UI, WiFi Cloud Manager can be accessed via SonicWall Capture Security Center to deliver powerful features and simplified onboarding via the cloud from a single pane of glass. Centralized visibility and control over SonicWall's wired and wireless networking hardware reduces complexity and the need for costly overlay management systems. It can also be deployed across multiple regions for greater network visibility into distributed enterprises.

For network admins on the go, SonicWall introduces the SonicWiFi mobile app to set up and monitor your network. Easily onboard your APs and set up mesh with this app. It is available on iOS and Android.

Advanced wireless security — with or without a firewall

Organizations, big and small, need secure wireless solutions for extending connectivity to employees, customers and guests. The new SonicWave 200 series wireless access points deliver enterprise-level performance and security with the range and reliability of 802.11ac Wave 2 technology at an affordable price.

Built on industry-leading next-gen security, these APs feature a dedicated third radio for security scanning. In fact, advanced security features like Content Filtering Service (CFS) and the Capture Advanced Threat Protection (ATP) sandbox service can be performed on the AP itself, enabling organizations to mitigate cyberattacks even where firewalls aren't deployed.

SonicWave 200 access points are available in three options, including 231c for indoor, 231o for outdoor and 224w for wall-mount requirements.

Manage dozens or even thousands of SonicWave wireless access points from anywhere you have an internet connection via the cloud or through the firewalls, providing you ultimate flexibility.

The SonicWall WiFi Cloud Manager provides you a single-pane-of-glass view of your entire wireless network. SonicWave access points also support SonicWall Zero-Touch Deployment, which allows the access points to be automatically identified and registered. SonicWiFi mobile app also lets you set up, manage and keep track of your network.

SonicWave access points leverage mesh technology to negate complexity from wireless expansion, especially at remote or distributed locations. Mesh networks are easy to set up, effortless to expand, and require fewer cables and less manpower to deploy, reducing installation costs. The new push-and-snap mounting bracket further adds to the ease of installation.

Easily plan, deploy your wireless networks

IT administrators often hear complaints about unreliable Wi-Fi connectivity leading to poor user experiences. This is mostly because Wi-Fi networks are not designed correctly to begin with. AP placements could be wrong, there may be radio frequency barriers or there simply isn’t enough capacity and coverage.

SonicWall WiFi Planner is a simple, easy-to-use, advanced wireless site survey tool that enables you to optimally design and deploy a wireless network for enhanced wireless user experience.

This tool lets you customize your settings per your surroundings and requirements to obtain maximum coverage with the fewest number of access points. You can prevent interference in your deployment on a best-effort basis through auto-channel assignment.

With a cloud-based UI, you also have the flexibility to collaborate with global teams. It is ideal for new access point deployments or to ensure excellent coverage in your wireless network. Available at no added cost, SonicWall WiFi Planner is accessible through WiFi Cloud Manager.
Together, these products deliver a powerful wireless solution, paving the way for the next era of wireless security. Welcome to the future of wireless security.

 

Source
https://blog.sonicwall.com/en-us/2019/02/easier-wi-fi-planning-security-management-from-the-cloud/

Use a Local Administrator Account for Remote Administration

Local administrator accounts are commonly configured with the same password across all devices in corporate environments, making it easy for attackers to own every device if the password is compromised. Microsoft’s security baseline templates block remote use of local accounts because until Local Administrator Password Solution (LAPS) was released in 2015, there was no mechanism for securely managing local administrator accounts. LAPS is a free tool from Microsoft that randomizes local admin passwords every 30 days and stores them securely in Active Directory for each computer account.

The risk posed by local administrator accounts can be managed by manually setting a random password on each device and then recording it in a spreadsheet. But that doesn’t address the issue of changing passwords periodically and requires you to make sure the spreadsheet isn’t accessed by malicious or unauthorized users. LAPS solves these problems, ensuring that local administrator accounts remain secure and can’t be used by hackers to laterally move around your network.

For more information on using LAPS, see Secure Local Administrator Accounts with the Local Administrator Password Solution (LAPS) Tool on Petri. Microsoft’s security baseline templates for Windows and Windows Server are available as part of the Security Compliance Toolkit.

Despite the convenience LAPS provides for managing local admin accounts, IT helpdesk staff often use a domain account that is granted administrator rights on each workstation in the domain. While this account doesn’t need to be a privileged domain account, i.e. not a member of Domain Admins or other privileged AD group, the account could still be used to compromise every workstation in the domain.

Local Accounts for Remote Administration

In a blog post by Aaron Margosis, Microsoft recommends that organizations consider unblocking remote use of local administrator accounts if LAPS or another password management solution is in place and you want to use local accounts for remote administration. Otherwise you should continue to block remote use of local accounts.

Margosis says that if a helpdesk user wants to remotely access a workstation, it is more secure to retrieve the local administrator password from AD than to use a domain account. If the local admin password is compromised, any damage is limited to that device. Some remote access tools expose credentials when logging in to remote systems, so IT helpdesk account credentials could be compromised.

If you decide to unblock remote use of local accounts, there are three Group Policy settings that need to be changed:

  • Deny access to this computer from the network
  • Deny log on through Remote Desktop Services
  • Apply UAC restrictions to local accounts on network logon

The first two settings are under Windows Settings\Security Settings\Local Policies\User Rights Assignment. The baselines populate them with the well-known local-account groups (Local account, S-1-5-113, and Local account and member of Administrators group, S-1-5-114) alongside Guests; remove the local-account entries so that LAPS-managed administrators may log on remotely, and leave any other principals the right lists in place. The third is a custom setting that ships with the baseline templates (SecGuide.admx) under Administrative Templates\MS Security Guide; set it to Disabled, which writes LocalAccountTokenFilterPolicy = 1 so that local administrators other than the built-in Administrator receive a full, unfiltered administrative token over the network. Make these changes only where LAPS already randomizes every local administrator password: with a shared password, they turn one compromised device into a foothold on every device.

As you can see, there are some definite advantages to using LAPS-managed local administrator accounts for remote access. The only drawbacks that I can see are that it requires some administrative effort for helpdesk staff to retrieve local admin passwords from AD every time they need to log in, as opposed to getting quick access with a domain account. Secondly, using a shared, non-personal account to log in means we don't have a record of who accessed the device with administrative privileges. You can work around this by enabling auditing of access to LAPS passwords in AD and resetting passwords after each use. Both tasks can be accomplished with the PowerShell Set-AdmPwdAuditing and Reset-AdmPwdPassword cmdlets respectively.
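The helpdesk workflow the article recommends, put together as an added example that is not code from the Petri article or from Microsoft: it turns on auditing of password reads for the helpdesk group, retrieves the workstation's current LAPS password, uses it for a remote session as the local account, and then expires the password so the value the technician saw stops working. It assumes LAPS is deployed with the AdmPwd.PS module installed, that the caller has been granted read rights with Set-AdmPwdReadPasswordPermission, and that the managed account is the built-in Administrator; the OU, computer and group names are placeholders.

```powershell
# Added example (not from the Petri article): the LAPS-based helpdesk workflow.
# Assumes the AdmPwd.PS module, read rights on ms-Mcs-AdmPwd for the caller, and
# the built-in Administrator as the managed account. Names below are placeholders.

Import-Module AdmPwd.PS

$Computer      = 'WKS-0421'                            # placeholder workstation
$WorkstationOu = 'OU=Workstations,DC=corp,DC=example'  # placeholder OU
$HelpdeskGroup = 'CORP\Helpdesk'                       # placeholder group allowed to read passwords

# One-time (run by an AD admin): audit every read of the password attribute by
# helpdesk. Reads then appear as event 4662 on the domain controllers, which
# supplies the "who used it" record a shared local account otherwise lacks.
Set-AdmPwdAuditing -OrgUnit $WorkstationOu -AuditedPrincipals $HelpdeskGroup

function Enter-LapsSession {
    param([Parameter(Mandatory)][string]$ComputerName)

    $entry = Get-AdmPwdPassword -ComputerName $ComputerName
    if (-not $entry.Password) { throw "No LAPS password stored in AD for $ComputerName" }

    # Credential for the LOCAL account: "<computer>\Administrator" keeps the logon
    # local even though it travels over the network. Swap the account name if your
    # LAPS policy manages a custom local administrator instead of the built-in one.
    $secure = ConvertTo-SecureString -String $entry.Password -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential("$ComputerName\Administrator", $secure)

    try {
        # Kerberos cannot be used for a local account, so WinRM authenticates with NTLM
        # inside the encrypted PowerShell Remoting channel.
        Invoke-Command -ComputerName $ComputerName -Credential $cred -ScriptBlock {
            "Connected to $env:COMPUTERNAME as $env:USERNAME"
        }
    }
    finally {
        # Expire the password now: the client generates a new one at its next Group
        # Policy refresh, so the value the technician saw is single-use in practice.
        Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date)
    }
}

Enter-LapsSession -ComputerName $Computer
```

Two caveats from the Group Policy discussion above apply directly to this script. The remote logon only succeeds once the "Deny access to this computer from the network" right no longer lists local administrators, and if the LAPS-managed account is a custom one rather than the built-in Administrator it also needs the UAC-restrictions setting Disabled, since otherwise the network logon gets a filtered token and administrative work fails. The reset in the finally block is what keeps the blast radius of a leaked password to one device for one session.
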

 

Source
https://www.petri.com/use-a-local-administrator-account-for-remote-administration

Multi-Cloud Disaster Recovery Benefits and Challenges

The cloud has definitely changed both operations and data protection requirements for almost all businesses today. Not only is the cloud the basis for popular SaaS applications like Office 365, it is also used as a backup and DR target by many organizations.

Using the cloud opens up new possibilities for DR. However, one growing complication for DR and the cloud is the use of multiple clouds. Today, many businesses have adopted multiple clouds; many use both Amazon AWS and Microsoft Azure, and in some cases Google Cloud or IBM Cloud. According to research by the IBM Institute for Business Value, 85% of today's enterprises operate in multi-cloud environments, and most of those that don't currently have a multi-cloud IT strategy plan to adopt one in the near future. The IBM research estimates that by 2021, 98% of businesses will move to multiple hybrid clouds. Similarly, an ESG study found that 81% of enterprises use more than one public cloud infrastructure service provider and only 15% use a single cloud provider.

Multi-Cloud Advantages

Using multiple clouds definitely has its advantages. Cost is one of the primary driving factors. The IBM study which consisted of 1016 executives from 19 different industries reported that 66% said multi-cloud is crucial to reducing costs. Using multiple clouds not only allows you to pick the most cost-effective options, it also allows you to pick the best cloud services to fill your own specific business needs. Adopting a multi-cloud strategy can also enable businesses to avoid vendor lock-in decreasing their dependence on a single cloud provider.

Multi-Cloud DR Planning

As a general rule, the big public cloud providers like AWS and Azure are more reliable than your own local data centers. Even so, a large-scale disaster could potentially impact both your organization and your cloud provider. Using multi-cloud disaster recovery enables you to replicate your resources to a second cloud provider in another geographic region. Typically, it’s best to use a second cloud provider that is within the same country. Crossing international boundaries can potentially bring up legal and regulatory constraints that you are probably better off without. Locating the second cloud provider in a different geographic region ensures that there is virtually no chance that both cloud providers will undergo a major outage at the same time. For instance, you could use one provider in the United States west coast region and then the east coast region with your other cloud provider.

There are challenges in using multi-cloud DR. Each cloud provider has its own management portal and different services, which require different skill sets. For IaaS implementations, you need to be aware that the different cloud providers each use different on-disk formats for their VMs. Microsoft Azure uses the VHD format while AWS uses the AMI format. As a general rule, each cloud provider's DR services are not designed to deal with multiple cloud providers. However, some third-party DR solutions are able to bridge multiple clouds, making it far easier to implement a multi-cloud DR strategy. If you're looking to implement your multi-cloud DR plan, it's best to begin with a smaller-scoped POC before expanding to the rest of your organization. And like all DR plans, regular testing is a must.

Source
https://www.petri.com/multi-cloud-disaster-recovery-benefits-and-challenges

Migration Tools for the Azure Hybrid Cloud


While the hybrid cloud offers a number of benefits, moving to the hybrid cloud isn’t the easiest of tasks. To get there, you need to perform an analysis of the workloads and services that you are considering moving to the hybrid cloud to ensure that they are suitable candidates for running in the cloud.

Next, you need to perform an initial cost analysis. Cost saving is one of the main benefits of moving to the hybrid cloud. However, accurately estimating the cost savings can be difficult. Sometimes you may not really know the real costs until you actually make the move. Finally, you need a way to move all or select parts of your on-premise workloads into the cloud. Fortunately, if you’re considering a move to the Azure hybrid cloud then Microsoft provides several tools that can help you with the different aspects of your hybrid cloud migration. Let’s take a closer look at some of Microsoft’s most important hybrid cloud migration tools.

Cloud Migration Assessment

Assessing your current environment is the first step in moving to the hybrid cloud, and the Microsoft Assessment and Planning toolkit (MAP) can help you discover the servers across your IT environment. MAP can automatically collect data and analyze your on-premise system hardware configuration. MAP primarily uses WMI to collect information from Windows- and Linux-based servers as well as Hyper-V and VMware environments. When it's finished it generates an Inventory Results Report that can be opened in Excel and passed on to other tools.

Estimating Costs

Understanding the impact of a move to the cloud is vital for both your company's operational efficiency and its bottom line. Cost is often the number one factor that prompts businesses to move into the cloud. To help evaluate the costs of moving to Azure, Microsoft provides the Azure Total Cost of Ownership Calculator (TCO Calculator). The TCO Calculator is a web-based tool that prompts you to enter the details of your on-premise server infrastructure. First, you tell it your workloads and their details, such as the type of servers they are running on. Next, you enter the details of your on-premises database and storage infrastructure. Finally, you supply the amount of network bandwidth you are currently consuming. The results of your MAP analysis can be fed into the TCO Calculator.

Azure Hybrid Use Benefit

Another tool that can help in your hybrid cloud migration is the Azure Hybrid Use Benefit. The Azure Hybrid Use Benefit allows customers with Software Assurance to run Windows VMs on Azure at a reduced rate, potentially providing significant cost savings. Azure Hybrid Use Benefit can be used with Windows Server Datacenter and Standard edition licenses that are covered by Software Assurance or Windows Server Subscriptions. Windows Server Datacenter Edition customers can use licenses both on-premises and in Azure. Windows Server Standard Edition customers can assign the Azure Hybrid Use Benefit for licenses on Azure. However, if they do, they cannot use the Standard Edition license on-premise. While the actual savings depend on the Azure usage and the size and type of VMs, one example Microsoft touts is that for every 100 Windows Server licenses you can run up to 200 virtual machines, with a potential savings of over $300,000 a year (based on the D3-V2 VM size).

Azure Migrate Service

The Azure Migrate service is a paid Azure service that assesses migrating on-premise VMware workloads to Azure. The Azure Migrate service can only work with on-premises VMware VMs, and those VMs must be managed by vCenter Server. To use the Azure Migrate service you must install a local virtual collector appliance that analyzes the on-premises VMware VMs. The service performs performance-based sizing as well as cost estimates for moving the VMs to Azure. If you want to analyze Hyper-V VMs or physical servers, you need to use the Azure Site Recovery Deployment Planner for Hyper-V. The Azure Migrate service has a free 180-day trial period.

Azure Site Recovery and Azure Database Migration

While its main purpose is disaster recovery, Azure Site Recovery (ASR) can also be used to migrate VMs to Azure. ASR is a paid service and it can migrate a number of different system types to Azure, including VMs on AWS, VMware, Hyper-V or physical servers. You can configure ASR to take advantage of your Azure Hybrid Use Benefit with PowerShell. If you want to migrate databases, you can use the Azure Database Migration Service, which is also a paid service and can migrate SQL Server, Amazon RDS SQL and Oracle to Azure SQL Database.

Source
https://www.petri.com/migration-tools-for-the-azure-hybrid-cloud

How to disable SMBv1 Windows

How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server

Applies to: Windows 7 Enterprise, Windows 7 Home Basic, Windows 7 Home Premium, and more

Summary


This article describes how to enable and disable Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3) on the SMB client and server components.

In Windows 7 and Windows Server 2008 R2, disabling SMBv2 deactivates the following functionality:

  • Request compounding - allows for sending multiple SMB 2 requests as a single network request
  • Larger reads and writes - better use of faster networks
  • Caching of folder and file properties - clients keep local copies of folders and files
  • Durable handles - allow for connection to transparently reconnect to the server if there is a temporary disconnection
  • Improved message signing - HMAC SHA-256 replaces MD5 as hashing algorithm
  • Improved scalability for file sharing - number of users, shares, and open files per server greatly increased
  • Support for symbolic links
  • Client oplock leasing model - limits the data transferred between the client and server, improving performance on high-latency networks and increasing SMB server scalability
  • Large MTU support - for full use of 10-gigabit Ethernet
  • Improved energy efficiency - clients that have open files to a server can sleep

In Windows 8, Windows 8.1, Windows 10, Windows Server 2012, and Windows Server 2016, disabling SMBv3 deactivates the following functionality (and also the SMBv2 functionality that's described in the previous list):

  • Transparent Failover - clients reconnect without interruption to cluster nodes during maintenance or failover
  • Scale Out - concurrent access to shared data on all file cluster nodes
  • Multichannel - aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server
  • SMB Direct - adds RDMA networking support for very high performance, with low latency and low CPU utilization
  • Encryption - provides end-to-end encryption and protects from eavesdropping on untrustworthy networks
  • Directory Leasing - improves application response times in branch offices through caching
  • Performance Optimizations - optimizations for small random read/write I/O

More Information


The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008.

The SMBv3 protocol was introduced in Windows 8 and Windows Server 2012.

For more information about SMBv2 and SMBv3 capabilities, refer to the Microsoft TechNet documentation.

How to gracefully remove SMB v1 in Windows 8.1, Windows 10, Windows 2012 R2, and Windows Server 2016


Windows Server 2012 R2 & 2016: PowerShell methods

SMB v1
Detect: Get-WindowsFeature FS-SMB1
Disable: Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Enable: Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol
SMB v2/v3
Detect: Get-SmbServerConfiguration | Select EnableSMB2Protocol
Disable: Set-SmbServerConfiguration -EnableSMB2Protocol $false
Enable: Set-SmbServerConfiguration -EnableSMB2Protocol $true
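Before removing SMB v1 from a Windows Server 2016 or Windows 10 host, it pays to find out which clients still use it, because disabling the protocol silently breaks them. The following is an added example, not code from the Microsoft article: it turns on the server-side SMB1 access audit that Set-SmbServerConfiguration exposes on those versions and summarises the client addresses it records. The audit log name, the event ID 3000 and the "Client Address:" field in the message text are assumptions about the audit event format, and the two function names are mine.

```powershell
# Added example (not from the Microsoft article): identify SMB1 clients before
# disabling SMB1 on a Windows Server 2016 / Windows 10 SMB server.
# Run from an elevated PowerShell session.

function Enable-Smb1AccessAudit {
    # Turns on server-side SMB1 auditing. No reboot is needed and SMB1 keeps
    # working; each SMB1 connection is simply logged.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Talkers {
    param([int]$Days = 7)

    $since = (Get-Date).AddDays(-$Days)

    # Assumption: SMB1 audit events land in Microsoft-Windows-SMBServer/Audit as
    # event ID 3000. -ErrorAction SilentlyContinue hides the "no events" error.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = $since
    } -ErrorAction SilentlyContinue

    # Assumption: the message text carries a "Client Address: <ip>" line.
    $addresses = foreach ($e in $events) {
        if ($e.Message -match 'Client Address:\s*(?<addr>[^\s,]+)') { $Matches['addr'] }
    }

    # One row per client, busiest first, so the owners can be chased down
    $addresses |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'ClientAddress'; e = { $_.Name } }, Count
}

Enable-Smb1AccessAudit
# Leave the audit running long enough to catch weekly jobs and backups, then:
Get-Smb1Talkers -Days 7 | Format-Table -AutoSize
```

Run the audit for at least one full business cycle before acting on the list; a client that only mounts a share from a weekend backup job will not show up in a one-hour sample.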

Windows Server 2012 R2 and Windows Server 2016: Server Manager method for disabling SMB

SMB v1
Server Manager - Dashboard method


Windows 8.1 and Windows 10: PowerShell method

SMB v1 Protocol

Windows 8.1 and Windows 10: Add or Remove Programs method

Add-Remove Programs client method

How to detect status, enable, and disable SMB protocols on the SMB Server


For Windows 8 and Windows Server 2012

Windows 8 and Windows Server 2012 introduce the new Set-SMBServerConfiguration Windows PowerShell cmdlet. The cmdlet lets you enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component.

You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet.

SMB v1 on SMB Server
Detect: Get-SmbServerConfiguration | Select EnableSMB1Protocol
Disable: Set-SmbServerConfiguration -EnableSMB1Protocol $false
Enable: Set-SmbServerConfiguration -EnableSMB1Protocol $true

For more information, see Server storage at Microsoft.

SMB v2/v3 on SMB Server
Detect: Get-SmbServerConfiguration | Select EnableSMB2Protocol
Disable: Set-SmbServerConfiguration -EnableSMB2Protocol $false
Enable: Set-SmbServerConfiguration -EnableSMB2Protocol $true

For Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008

To enable or disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor.

PowerShell methods

SMB v1 on SMB Server

Detect:

Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

Default configuration = Enabled (no registry value is created), so no SMB1 value is returned when the protocol has never been configured

Disable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force

Enable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 1 -Force

Note You must restart the computer after you make these changes.

For more information, see Server storage at Microsoft.

SMB v2/v3 on SMB Server

Detect:

Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

Disable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB2 -Type DWORD -Value 0 -Force

Enable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB2 -Type DWORD -Value 1 -Force

Note You must restart the computer after you make these changes.

Registry Editor

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

To enable or disable SMBv1 on the SMB server, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)

To enable or disable SMBv2 on the SMB server, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)

Note You must restart the computer after you make these changes.

How to detect status, enable, and disable SMB protocols on the SMB Client


For Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012

Note When you enable or disable SMBv2 in Windows 8 or in Windows Server 2012, SMBv3 is also enabled or disabled. This behavior occurs because these protocols share the same stack.

SMB v1 on SMB Client
Detect: sc.exe qc lanmanworkstation
Disable: sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Enable: sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb10 start= auto

For more information, see Server storage at Microsoft.

SMB v2/v3 on SMB Client
Detect: sc.exe qc lanmanworkstation
Disable: sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc.exe config mrxsmb20 start= disabled
Enable: sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb20 start= auto

Notes

  • You must run these commands at an elevated command prompt.
  • You must restart the computer after you make these changes.
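The server-side and client-side checks above are spread over several OS-specific methods. The following is an added example, not code from the Microsoft article, that gathers them into one report for the local host: it uses Get-SmbServerConfiguration where that cmdlet exists (Windows 8 / Server 2012 and later) and otherwise reads the LanmanServer registry values, treating an absent value as enabled exactly as the article's default notes say; for the client it reads the mrxsmb10 Start value and the LanmanWorkstation DependOnService list. The function name and the output property names are mine.

```powershell
# Added example (not from the Microsoft article): one-shot SMB1/SMB2 state
# audit for the local computer, covering both the SMB server and SMB client
# components. Run from an elevated PowerShell session.

function Get-SmbProtocolAudit {
    [CmdletBinding()]
    param()

    $serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
    $smb1Drv   = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

    # --- SMB server component ---------------------------------------------
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: ask the SMB server directly
        $cfg        = Get-SmbServerConfiguration
        $serverSmb1 = [bool]$cfg.EnableSMB1Protocol
        $serverSmb2 = [bool]$cfg.EnableSMB2Protocol
        $source     = 'Get-SmbServerConfiguration'
    } else {
        # Windows 7 / Server 2008 R2 and earlier: no SMB1/SMB2 value present
        # means the protocol is ENABLED, so only an explicit 0 counts as off.
        $p          = Get-ItemProperty -Path $serverKey
        $serverSmb1 = ($null -eq $p.SMB1) -or ($p.SMB1 -ne 0)
        $serverSmb2 = ($null -eq $p.SMB2) -or ($p.SMB2 -ne 0)
        $source     = 'LanmanServer registry (absent value = enabled)'
    }

    # --- SMB client component ---------------------------------------------
    # Start = 4 means the mrxsmb10 driver is disabled. A missing key means the
    # SMB1 client is not installed at all (feature removed on newer builds).
    $start = (Get-ItemProperty -Path $smb1Drv -ErrorAction SilentlyContinue).Start
    if ($null -eq $start)  { $clientSmb1Driver = 'NotInstalled' }
    elseif ($start -eq 4)  { $clientSmb1Driver = 'Disabled' }
    else                   { $clientSmb1Driver = 'Enabled' }

    # LanmanWorkstation still listing MRxSmb10 would block the client from
    # starting cleanly once the driver is disabled.
    $deps          = (Get-ItemProperty -Path $clientKey).DependOnService
    $dependsOnSmb1 = [bool]($deps | Where-Object { $_ -ieq 'MRxSmb10' })

    [PSCustomObject]@{
        ComputerName             = $env:COMPUTERNAME
        ServerSmb1Enabled        = $serverSmb1
        ServerSmb2Enabled        = $serverSmb2
        ServerSource             = $source
        ClientSmb1Driver         = $clientSmb1Driver
        WorkstationDependsOnSmb1 = $dependsOnSmb1
        Smb1FullyDisabled        = (-not $serverSmb1) -and
                                   ($clientSmb1Driver -ne 'Enabled') -and
                                   (-not $dependsOnSmb1)
    }
}

Get-SmbProtocolAudit | Format-List
```

Smb1FullyDisabled is only true when all three pieces line up (server protocol off, client driver not running, workstation dependency removed); a host that passes the server check but still has the client driver enabled is the case most often missed.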

Disable SMBv1 Server with Group Policy


This procedure configures the following new item in the registry:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Registry entry: SMB1
REG_DWORD: 0 = Disabled

To configure this by using Group Policy:

  1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
  2. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
  3. Right-click the Registry node, point to New, and select Registry Item.
    Registry - New - Registry Item

In the New Registry Properties dialog box, select the following:

  • Action: Create
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
  • Value name: SMB1
  • Value type: REG_DWORD
  • Value data: 0
New Registry Properties - General

This disables the SMBv1 Server components. This Group Policy must be applied to all necessary workstations, servers, and domain controllers in the domain.

Note WMI filters can also be set to exclude unsupported operating systems or selected exclusions, such as Windows XP.

Disable SMBv1 Client with Group Policy


To disable the SMBv1 client, the services registry key needs to be updated to disable the start of MRxSMB10 and then the dependency on MRxSMB10 needs to be removed from the entry for LanmanWorkstation so that it can start normally without requiring MRxSMB10 to first start.

This will update and replace the default values in the following 2 items in the registry:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10

Registry entry: Start
REG_DWORD: 4 = Disabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation

Registry entry: DependOnService
REG_MULTI_SZ: "Bowser", "MRxSmb20", "NSI"

Note The default value included MRxSMB10, which is now removed as a dependency.

To configure this by using Group Policy:

  1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
  2. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
  3. Right-click the Registry node, point to New, and select Registry Item.
Registry - New - Registry Item

In the New Registry Properties dialog box, select the following:

  • Action: Update
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\services\mrxsmb10
  • Value name: Start
  • Value type: REG_DWORD
  • Value data: 4
Start Properties - General

Then remove the dependency on the MRxSMB10 driver that was just disabled.

In the New Registry Properties dialog box, select the following:

  • Action: Replace
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation
  • Value name: DependOnService
  • Value type: REG_MULTI_SZ
  • Value data:
    • Bowser
    • MRxSmb20
    • NSI

Note These three strings will not have bullets (see the following screenshot).

DependOnService Properties

The default value includes MRxSMB10 in many versions of Windows, so replacing it with this multi-value string removes MRxSMB10 as a dependency of LanmanWorkstation, going from the four default values down to just the three values above.

Note When you use Group Policy Management Console, you don't have to use quotation marks or commas. Just type each entry on its own line.

Restart required

After the policy has applied and the registry settings are in place, the targeted systems must be restarted before SMB v1 is disabled.

Summary

If all the settings are in the same Group Policy Object (GPO), Group Policy Management displays the following settings.

Group Policy Management Editor - Registry

Testing and validation

After these are configured, allow the policy to replicate and update. As necessary for testing, run gpupdate /force at a command prompt, and then review the target computers to make sure that the registry settings are applied correctly. Make sure SMB v2 and SMB v3 are functioning for all other systems in the environment.
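Checking the registry on each target by hand does not scale, and it says nothing about whether the remaining SMB traffic actually negotiated v2/v3. The following is an added example, not code from the Microsoft article, for the validation step above: it uses PowerShell Remoting to ask each target for the three settings the GPO manages and for the dialects of its current SMB connections, then lists the hosts that still need attention. It assumes the targets run Windows 8 / Server 2012 or later (where Get-SmbServerConfiguration and Get-SmbConnection exist), that remoting is enabled, and that the computer names are placeholders for your own.

```powershell
# Added example (not from the Microsoft article): post-GPO validation across a
# set of targets. Computer names below are constructed placeholders.
# Run from an elevated PowerShell session with rights on the targets.

$targets = @('FS01', 'FS02', 'DC01')   # placeholder names

$results = Invoke-Command -ComputerName $targets -ErrorAction Continue -ScriptBlock {
    $cfg  = Get-SmbServerConfiguration
    $deps = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation').DependOnService

    # Start = 4 is what the GPO writes for the mrxsmb10 driver; a missing key
    # means the SMB1 client component is not installed on this build.
    $smb1Start = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -ErrorAction SilentlyContinue).Start
    if ($null -eq $smb1Start) { $driverState = 'NotInstalled' }
    elseif ($smb1Start -eq 4) { $driverState = 'Disabled' }
    else                      { $driverState = "Enabled(Start=$smb1Start)" }

    # Dialects of this host's outbound SMB connections, e.g. "2.10", "3.02",
    # "3.1.1". Anything starting with "1." would mean SMB1 is still in use.
    $dialects = Get-SmbConnection -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Dialect -Unique
    $smb1InUse = [bool]($dialects | Where-Object { $_ -like '1.*' })

    [PSCustomObject]@{
        ServerSmb1Enabled        = [bool]$cfg.EnableSMB1Protocol
        ServerSmb2Enabled        = [bool]$cfg.EnableSMB2Protocol
        Mrxsmb10Driver           = $driverState
        WorkstationDependsOnSmb1 = [bool]($deps -contains 'MRxSmb10')   # case-insensitive
        ActiveDialects           = ($dialects -join ',')
        Smb1DialectInUse         = $smb1InUse
    }
}

$results |
    Select-Object PSComputerName, ServerSmb1Enabled, ServerSmb2Enabled, Mrxsmb10Driver,
                  WorkstationDependsOnSmb1, ActiveDialects, Smb1DialectInUse |
    Format-Table -AutoSize

# Hosts that are not finished: SMB1 still on anywhere, SMB2 off, or a 1.x
# dialect in flight. An empty list here is the pass condition.
$needsWork = $results | Where-Object {
    $_.ServerSmb1Enabled -or $_.WorkstationDependsOnSmb1 -or
    $_.Smb1DialectInUse  -or (-not $_.ServerSmb2Enabled) -or
    $_.Mrxsmb10Driver -like 'Enabled*'
}
$needsWork | Select-Object PSComputerName, Mrxsmb10Driver, ActiveDialects
```

A target that is unreachable simply produces an error from Invoke-Command and is absent from $results, so compare the PSComputerName column against $targets before treating an empty $needsWork list as a clean pass. Run the check only after the targets have restarted, since the registry values are in place before the reboot but SMB v1 is not yet off.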