Cloud Archives - Page 31 of 76 - Appunti dalla rete

How to disable TLS 1.0 and TLS 1.1 using Powershell on Windows 10

Transport Layer Security (TLS) – TLS protocol is used to provide privacy and data integrity between two communicating applications. SSL and TLS are both cryptographic protocols but because SSL protocols does not providers sufficient level of security compared to TLS, SSL 2.0 and SSL 3.0 have been deprecated. TLS 1.0 was released in 1999, TLS 1.1 was released in 2006, TLS 1.2 was released in 2008 and TLS 1.3 was released in 2018.

Most of the companies and Internet Browsers are now moving to TLS 1.2 which is having better security algorithms than TLS 1.0 and TLS 1.1. TLS is more secure than SSL. Mozilla Firefox, Google Chrome, Apple and Microsoft are all ending support for TLS 1.0/1.1 in 2020, so its better to plan ahead of time and test all the applications and create Policies to disable TLS 1.0 and TLS 1.1 on Windows machines.

If you are interested in learning more about these protocols, differences between these protocols and security improvements – you can check Protocols RFC’s (Request for Comments) at these links TLS1.0 RFC, TLS 1.1 RFC, TLS 1.2 RFC and TLS 1.3 RFC.

Similar other Blog posts:

Disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 using Powershell

We can easily disable TLS 1.0 and TLS 1.1 using Powershell. However its recommended to also disable SSL 2.0, SSL 3.0 as well. We will be using below powershell code to create registry keys and registry entries. Once the registry keys are created, a reboot of that device will be required to complete the change.

Please note below Powershell Code needs to be run as an administrator as it needs to perform changes in Windows registry.

To run Powershell code on Windows 10 computer. Please use below steps:

Login on a Windows 10 PC as administrator.
Open Powershell Console as an administrator.
Run below piece of powershell code to enable / disable SSL / TLS Protocols.

Powershell code to disable SSL 2.0

 New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force
 New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force    
 Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Name 'Enabled'           -Value '0' -Type 'DWORD'
 Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Name 'DisabledByDefault' -value '1' -Type 'DWORD'
 Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'Enabled'           -value '0' –Type 'DWORD'
 Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'DisabledByDefault' -value '1' –Type 'DWORD'

Copy

Powershell code to disable SSL 3.0

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force  
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'Enabled'           -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'DisabledByDefault' -value '1' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'Enabled'           -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'DisabledByDefault' -value '1' –Type 'DWORD'

Copy

Powershell code to disable TLS 1.0

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force                                                                                                                                                            
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled'           -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value '1' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled'           -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value '1' –Type 'DWORD'

Copy

Powershell code to disable TLS 1.1

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force                                                                                                                                                                                 
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled'           -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value '1' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled'           -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value '1' –Type 'DWORD'

Copy

Powershell code to Enable TLS 1.2

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force  
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force                                       
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled'           -value '1' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled'           -value '1' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value '0' –Type 'DWORD'

Copy

Powershell code to Enable TLS 1.3

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -name 'Enabled'           -value '1' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -name 'DisabledByDefault' -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server'-name 'Enabled'            -value '1' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -name 'DisabledByDefault' -value '0' –Type 'DWORD'

Copy

How to verify if TLS 1.0 and TLS 1.1 has been disabled on Windows 10

Please follow below steps to verify if SSL / TLS protocols are disabled or enabled.

Login on Windows 10 PC as an administrator.
Click on Windows Icon / Start Menu -> Search for Registry Editor.
Launch Registry Editor.
Browse to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols

You should find below registry keys / registry entries:

Disable TLS 1.0 and TLS 1.1 registry key — *HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols*

Registry Keys to check if SSL 2.0 is disabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "DisabledByDefault"=dword:00000001

Copy

Registry Keys to check if SSL 3.0 is disabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "DisabledByDefault"=dword:00000001

Copy

Registry Keys to check if TLS 1.0 is disabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "DisabledByDefault"=dword:00000001

Copy

Registry Keys to check if TLS 1.1 is disabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "DisabledByDefault"=dword:00000000

Copy

Registry Keys to check if TLS 1.2 is Enabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000

Copy

Registry Keys to check if TLS 1.3 is Enabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client] "DisabledByDefault"=dword:00000000

Copy

Conclusion

In this blog post, we have checked the powershell codes to disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1. We have checked the Powershell code to enable TLS 1.2 and TLS 1.3. It’s highly recommended to disable old unsupported protocols to reduce the security risk on your computer.

Source :
https://techpress.net/how-to-disable-tls-1-0-and-tls-1-1-using-powershell-on-windows-10/

Disable Modern Standby in Windows 10

There are two power models in Windows 10, S3 and S0 Low Power idle (Modern Standby). Modern Standby in Windows 10 provides Instant On/Off Experience like smartphones.

Modern Standby enables S0 low power idle power plan which keeps your laptop or desktop in lowest power mode and also allow apps to receive the latest content such as incoming email, VoIP calls, Windows updates etc.

The system will enter Modern Standby when the user take any of below actions:

Presses the system power button.
Closes the lid of the laptop / desktop / tablet.
Selects Sleep from the power button from the Windows Start menu.
Waits for the system to idle and enter sleep automatically, according to the Power and sleep settings.

The amount of battery saving in Modern Standby is calculated by knowing how much time the system was in DRIPS (Deepest run-time idle platform state). DRIPS occurs when the system is consuming the lowest amount of power possible. If there is any background task (like receiving of email, windows update etc.) consumes power, the system is not considered to be in DRIPS mode.

Total Modern Standby session time = DRIPS time + non-DRIPS time

How to disable Modern Standby in Windows 10

There could be a scenario where you do not want to enable Modern Standby on windows 10 and want to use another available and supported power plan for example S3. In that case, you can simply disable Modern standby by following below steps. The steps given requires changes in the registry of the system which will require administrator rights.

Login on the Windows 10 device.
Click on Start and search for Registry Editor.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power
Right click on the right hand side pane and click on New -> DWORD (32-bit) Value

Provide the name of registry entry PlatformAoAcOverride and set its value to 0.
As this registry change is in HKEY_LOCAL_MACHINE, A restart of the PC would be required.

PlatformAoAcOverride registry entry to disable Modern Standby

Disable Modern Standby on Windows 10 using Command line

In the previous section we have seen how to disable Modern standby using GUI Interface of registry editor. If you do not prefer GUI and want to use a command to disable Modern Standby then you can follow below steps:

Login on Windows 10 device.
Go to Start and search for Command prompt.
Right-click on Command prompt and click Run as administrator.
Type below command and press enter.
After this command is executed successfully, Restart your device.

reg add HKLM\System\CurrentControlSet\Control\Power /v PlatformAoAcOverride /t REG_DWORD /d 0

Disable Modern Standby on Windows 10 using Command line

How to check If Modern Standby is supported in Windows 10

Not all devices support Modern standby but the number of systems which support Modern standby are increasing. I have been using Microsoft Surface Pro 4 laptop which supports Modern standby. Here’s how you can check if your device supports Modern Standby.

Login on Windows 10 device.
Click on Start and search for Command Prompt.
Launch Command Prompt.
Type command powercfg -a to check if Modern standby is supported.

Powercfg -a lists the sleep states available on your computer.

In below screenshot, you can see that this Windows 10 device is on Standby (S0 Low Power Idle) Network Connected State which means that Modern Standby is supported and enabled on this device.

If you run powercfg -a command on your system and it shows that S0 Low power idle is not supported then this could be a a limitaton by system’s hardware to support Modern standby. There is nothing you can do to enable it. The alternative is to keep using Standby S3 or any other supported power plan.

powercfg -a to check if modern standby is supported

Modern Standby (S0 Low power idle) can be in Network Connected mode or Network Disconnected mode.

Standby (S0 Low Power Idle) Network Connected: This means that Modern standby with network connectivity in sleep mode.
Standby (S0 Low Power Idle) Network Disconnected: This means that Modern standby without network connectivity while in sleep mode and the system spends most of the time in DRIPS.

FAQs on Modern Standby

Below are some of the frequently asked questions on Modern Standby:

1. Which versions of Windows supports Modern Standby ?

Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows 11 Operating system.

2. How to Re-enable Modern Standby after creating `PlatformAoAcOverride` reg entry ?

If your device supports Modern Standby and you have created PlatformAoAcOverride reg entry under HKLM\System\CurrentControlSet\Control\Power reg key. Simply delete this registry entry and restart your device to enable Modern Standby again.

You can delete PlatformAoAcOverride registry entry manually by using registry editor or launch powershell console as an administrator and run below command to delete it.

Remove-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Power' -Name PlatformAoAcOverride

3. Does my computer support Modern Standby ?

You can easily check this by running a command powercfg -a on the command prompt. If it says Standby (S0 Low Power Idle) Network Connected or Standby (S0 Low Power Idle) Network Disconnected then Modern Standby is supported and Enabled.

4. How to Identify and diagnose issues during a Modern Standby session ?

You can Identify and diagnose any issues related to Modern standby by running Powercfg /sleepstudy command on an elevated command prompt. You can then analyse the report which will be generated and saved at C:\WINDOWS\system32\sleepstudy-report.html location.

Please make sure to open command prompt as an administrator and then run powercfg /sleepstudy

5. How to find all the switches of powercfg command ?

To check the switches of powercfg command, you can run powercfg /? on the command prompt. This will list all available options with detailed information. I have run this command on my device which lists all the switches which can be used with powercfg command:

powercfg /?

C:\WINDOWS\system32>powercfg /?

POWERCFG /COMMAND [ARGUMENTS]

Description:
  Enables users to control power settings on a local system.

  For detailed command and option information, run "POWERCFG /? <COMMAND>"

Command List:
  /LIST, /L          Lists all power schemes.

  /QUERY, /Q         Displays the contents of a power scheme.

  /CHANGE, /X        Modifies a setting value in the current power scheme.

  /CHANGENAME        Modifies the name and description of a power scheme.

  /DUPLICATESCHEME   Duplicates a power scheme.

  /DELETE, /D        Deletes a power scheme.

  /DELETESETTING     Deletes a power setting.

  /SETACTIVE, /S     Makes a power scheme active on the system.

  /GETACTIVESCHEME   Retrieves the currently active power scheme.

  /SETACVALUEINDEX   Sets the value associated with a power setting
                     while the system is powered by AC power.

  /SETDCVALUEINDEX   Sets the value associated with a power setting
                     while the system is powered by DC power.

  /IMPORT            Imports all power settings from a file.

  /EXPORT            Exports a power scheme to a file.

  /ALIASES           Displays all aliases and their corresponding GUIDs.

  /GETSECURITYDESCRIPTOR
                     Gets a security descriptor associated with a specified
                     power setting, power scheme, or action.

  /SETSECURITYDESCRIPTOR
                     Sets a security descriptor associated with a
                     power setting, power scheme, or action.

  /HIBERNATE, /H     Enables and disables the hibernate feature.

  /AVAILABLESLEEPSTATES, /A
                     Reports the sleep states available on the system.

  /DEVICEQUERY       Returns a list of devices that meet specified criteria.

  /DEVICEENABLEWAKE  Enables a device to wake the system from a sleep state.

  /DEVICEDISABLEWAKE Disables a device from waking the system from a sleep
                     state.

  /LASTWAKE          Reports information about what woke the system from the
                     last sleep transition.

  /WAKETIMERS        Enumerates active wake timers.

  /REQUESTS          Enumerates application and driver Power Requests.

  /REQUESTSOVERRIDE  Sets a Power Request override for a particular Process,
                     Service, or Driver.

  /ENERGY            Analyzes the system for common energy-efficiency and
                     battery life problems.

  /BATTERYREPORT     Generates a report of battery usage.

  /SLEEPSTUDY        Generates a diagnostic system power transition report.

  /SRUMUTIL          Dumps Energy Estimation data from System Resource Usage
                     Monitor (SRUM).

  /SYSTEMSLEEPDIAGNOSTICS
                     The system sleep diagnostics report has been deprecated and
                     replaced with the system power report. Please use the command
                     "powercfg /systempowerreport" instead.

  /SYSTEMPOWERREPORT Generates a diagnostic system power transition report.

  /POWERTHROTTLING   Control power throttling for an application.

  /PROVISIONINGXML, /PXML    Generate an XML file containing power setting overrides.

Copy

Conclusion

Modern standby saves your laptop’s or desktop’s battery and keep your device active for longer. If you use your device intermittently or away from your device a lot then this can save a lot of energy. However, there could be a scenario where you do not want to enable Modern standby. In that case you can use the steps given in this blog post to create a registry entry and disable Modern standby.

Source :
https://techpress.net/disable-modern-standby-in-windows-10/

How to troubleshoot Volume shadow Copies on Windows

Vssadmin command

A quite useful built-in command which you can use as a starting point while troubleshooting the Shadow Copies is Vssadmin. Lets run this command with different parameters and check the results.

There are different switches / commands which can be used with vssadmin. To show / list the different commands, Open Powershell as Administrator or Command prompt as an Administrator and type vssadmin

Command	Description	Availability
Vssadmin add shadowstorage	Adds a volume shadow copy storage association.	Server only
Vssadmin create shadow	Creates a new volume shadow copy.	Server only
Vssadmin delete shadows	Deletes volume shadow copies.	Client and Server
Vssadmin delete shadowstorage	Deletes volume shadow copy storage associations.	Server only
Vssadmin list providers	Lists registered volume shadow copy providers.	Client and Server
Vssadmin list shadows	Lists existing volume shadow copies.	Client and Server
Vssadmin list shadowstorage	Lists all shadow copy storage associations on the system.	Client and Server
Vssadmin list volumes	Lists volumes that are eligible for shadow copies.	Client and Server
Vssadmin list writers	Lists all subscribed volume shadow copy writers on the system.	Client and Server
Vssadmin resize shadowstorage	Resizes the maximum size for a shadow copy storage association.	Client and Server
Source:Microsoft

Vssadmin commands

Ensure that the VSS writers are in Stable State

Run the Command vssadmin list writers and make sure that all the VSS writers are in [1] stable state. you may see different vss writers depending upon application server you are running this command e.g. If you are running this command on Microsoft Exchange Server, you will see [Writer name: ‘Microsoft Exchange Writer‘] in addition to the other vss writers. If Microsoft Exchange Writer status is not stable, Restart the Microsoft Exchange Information Store Service or restart Exchange Server and check the writer state again before re-starting the backup job.

Ensure that you can see Registered Shadow Copy Providers

To list the currently registered shadow copy providers, Run the command vssadmin list providers

If you do not see providers listed after running the above command it could be OS related issue or the Volume Shadow Copy Service is not running.

List existing Volume Shadow Copies

To list existing shadow Copies use the command vssadmin list shadows

Lists all shadow copy storage associations on the system.

Run below command to see all storage associations for the existing shadow copies. The default storage allocates 10% of the volume to the shadow copies.

You can also check the Shadow Copy Storage Association on the volume using GUI Method by Right Clicking the Volume -> Properties -> click Shadow Copies Tab.

Run the command vssadmin list shadowstorage /? to get more parameters which you can use with this command. For example you can use /for parameter to list all associations for a specified volume.

Delete Shadow Copies using command line

There are few options or commands you can use to delete the shadow copies. Shadow Copies data is stored in a folder called System Volume information which is a hidden system folder. If you see that the System volume information folder is quite big in size and consuming a lot of space then you can check if you got any stale shadow copies which might be stored in this system folder and which you may want to delete to free up the space. If you decided to get rid of shadow copies from the volume then follow below command line options to complete your task.

wmic command

Use wmic command to delete the shadow copies. When you run this command, you will be on the wmic:\root\cli> prompt. Type shadowcopy delete to delete the the shadow copies one by one. type Y to delete the shadow copy or N to skip to next shadow copy.

Note: To find the shadow copy ID use the command vssadmin list shadows. After using wmic command if you find that the shadow copies are not deleted or you get an error message as shown in the below screenshot, you can either use Vssadmin delete shadows command or Diskshadow command as shown in the next sections.

Vssadmin delete shadows

vssadmin delete shadows command can be used to delete all shadow copies or specific shadow copies from the volume. Use the /? in the end of the command to list parameters which you can use with this command. To delete all shadow copies using vssadmin delete shadows command, you can use below command.

Vssadmin delete shadows /all

diskshadow Command

You can also use diskshadow command to delete all the shadow copies from the system. Open command prompt as administrator -> Type diskshadow -> then on the DISKSHADOW> prompt type delete shadows all to delete / remove all shadow copies from the server.

Diskshadow command reference

Best Practices

Best Practice when configuring the Shadow Copy is to use a disk which will not be shadow copied and have enough free space to store the shadow copies as per the configuration. You get below message when setting it up which suggest the same.

More Information

Volume Shadow Copy Service | Microsoft Docs

Conclusion

In this blog post, we have seen how you can troubleshoot issues related to shadow copies. Vssadmin command is very handy to use on windows devices when you are working on windows devices. You can also find examples of the commands with screenshots.

Source :
https://techpress.net/how-to-troubleshoot-volume-shadow-copies-on-windows/

Exploited Windows zero-day lets JavaScript files bypass security warnings

An update was added to the end of the article explaining that any Authenticode-signed file, including executables, can be modified to bypass warnings.

A new Windows zero-day allows threat actors to use malicious stand-alone JavaScript files to bypass Mark-of-the-Web security warnings. Threat actors are already seen using the zero-day bug in ransomware attacks.

Windows includes a security feature called Mark-of-the-Web (MoTW) that flags a file as having been downloaded from the Internet and, therefore, should be treated with caution as it could be malicious.

The MoTW flag is added to a downloaded file or email attachment as a special Alternate Data Stream called ‘Zone.Identifier,’ which can be viewed using the ‘dir /R’ command and opened directly in Notepad, as shown below.

**The Mark-of-the-Web alternate data stream**
*Source: BleepingComputer*

This ‘Zone.Identifier’ alternate data stream includes what URL security zone the file is from (three equals the Internet), the referrer, and the URL to the file.

When a user attempts to open a file with the Mark-of-the-Web flag, Windows will display a warning that the file should be treated with caution.

“While files from the Internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software,” reads the warning from Windows.

**Windows security warning when opening files with MoTW flags**
*Source: BleepingComputer*

Microsoft Office also utilizes the MoTW flag to determine if the file should be opened in Protected View, causing macros to be disabled.

Windows MoTW bypass zero-day flaw

The HP threat intelligence team recently reported that threat actors are infecting devices with Magniber ransomware using JavaScript files.

To be clear, we are not talking about JavaScript files commonly used on almost all websites, but .JS files distributed by threat actors as attachments or downloads that can run outside of a web browser.

The JavaScript files seen distributed by the Magniber threat actors are digitally signed using an embedded base64 encoded signature block as described in this Microsoft support article.

**JavaScript file used to install the Magniber Ransomware**
*Source: BleepingComputer*

https://560aeee9b5a62b70c68af2cae4baaec2.safeframe.googlesyndication.com/safeframe/1-0-38/html/container.html?upapi=true

After being analyzed by Will Dormann, a senior vulnerability analyst at ANALYGENCE, he discovered that the attackers signed these files with a malformed key.

**Malformed signature in malicious JavaScript file**
*Source: BleepingComputer*

When signed in this manner, even though the JS file was downloaded from the Internet and received a MoTW flag, Microsoft would not display the security warning, and the script would automatically execute to install the Magniber ransomware.

Dormann further tested the use of this malformed signature in JavaScript files and was able to create proof-of-concept JavaScript files that would bypass the MoTW warning.

Both of these JavaScript (.JS) files were shared with BleepingComputer, and as you can see below, they both received a Mark-of-the-Web, as indicated by the red boxes, when downloaded from a website.

Mark-of-the-Web on Dormann's PoC exploits — **Mark-of-the-Web on Dormann’s PoC exploits**
*Source: BleepingComputer*

The difference between the two files is that one is signed using the same malformed key from the Magniber files, and the other contains no signature at all.

Dormann's PoC Exploits — **Dormann’s PoC Exploits**
*Source: BleepingComputer*

When the unsigned file is opened in Windows 10, a MoTW security warning is properly displayed.

However, when double-clicking the ‘calc-othersig.js,’ which is signed with a malformed key, Windows does not display a security warning and simply executes the JavaSript code, as demonstrated below.

**Demonstration of the Windows zero-day bypassing security warnings**
*Source: BleepingComputer*

Using this technique, threat actors can bypass the normal security warnings shown when opening downloaded JS files and automatically execute the script.

BleepingComputer was able to reproduce the bug in Windows 10. However, for Windows 11, the bug would only trigger when running the JS file directly from an archive.

Dormann told BleepingComputer that he believes this bug was first introduced with the release of Windows 10, as a fully patched Windows 8.1 device displays the MoTW security warning as expected.

https://platform.twitter.com/embed/Tweet.html?creatorScreenName=BleepinComputer&dnt=false&embedId=twitter-widget-0&features=eyJ0ZndfdGltZWxpbmVfbGlzdCI6eyJidWNrZXQiOlsibGlua3RyLmVlIiwidHIuZWUiLCJ0ZXJyYS5jb20uYnIiLCJ3d3cubGlua3RyLmVlIiwid3d3LnRyLmVlIiwid3d3LnRlcnJhLmNvbS5iciJdLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X2hvcml6b25fdGltZWxpbmVfMTIwMzQiOnsiYnVja2V0IjoidHJlYXRtZW50IiwidmVyc2lvbiI6bnVsbH0sInRmd190d2VldF9lZGl0X2JhY2tlbmQiOnsiYnVja2V0Ijoib24iLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X3JlZnNyY19zZXNzaW9uIjp7ImJ1Y2tldCI6Im9uIiwidmVyc2lvbiI6bnVsbH0sInRmd19jaGluX3BpbGxzXzE0NzQxIjp7ImJ1Y2tldCI6ImNvbG9yX2ljb25zIiwidmVyc2lvbiI6bnVsbH0sInRmd190d2VldF9yZXN1bHRfbWlncmF0aW9uXzEzOTc5Ijp7ImJ1Y2tldCI6InR3ZWV0X3Jlc3VsdCIsInZlcnNpb24iOm51bGx9LCJ0Zndfc2Vuc2l0aXZlX21lZGlhX2ludGVyc3RpdGlhbF8xMzk2MyI6eyJidWNrZXQiOiJpbnRlcnN0aXRpYWwiLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X2V4cGVyaW1lbnRzX2Nvb2tpZV9leHBpcmF0aW9uIjp7ImJ1Y2tldCI6MTIwOTYwMCwidmVyc2lvbiI6bnVsbH0sInRmd19kdXBsaWNhdGVfc2NyaWJlc190b19zZXR0aW5ncyI6eyJidWNrZXQiOiJvbiIsInZlcnNpb24iOm51bGx9LCJ0ZndfdmlkZW9faGxzX2R5bmFtaWNfbWFuaWZlc3RzXzE1MDgyIjp7ImJ1Y2tldCI6InRydWVfYml0cmF0ZSIsInZlcnNpb24iOm51bGx9LCJ0ZndfdHdlZXRfZWRpdF9mcm9udGVuZCI6eyJidWNrZXQiOiJvbiIsInZlcnNpb24iOm51bGx9fQ%3D%3D&frame=false&hideCard=false&hideThread=false&id=1583055972280324097&lang=en&origin=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fexploited-windows-zero-day-lets-javascript-files-bypass-security-warnings%2F&sessionId=ad0d187be79e9f0d5b7b04498fef77964be23c7f&siteScreenName=BleepinComputer&theme=light&widgetsVersion=1c23387b1f70c%3A1664388199485&width=550px

According to Dormann, the bug stems from Windows 10’s new ‘Check apps and files’ SmartScreen feature under Windows Security > App & Browser Control > Reputation-based protection settings.

“This issue is in the new-as-of-Win10 SmartScreen feature. And disabling “Check apps and files” reverts Windows to the legacy behavior, where MotW prompts are unrelated to Authenticode signatures,” Dormann told BleepingComputer.

https://560aeee9b5a62b70c68af2cae4baaec2.safeframe.googlesyndication.com/safeframe/1-0-38/html/container.html?upapi=true

“So that whole setting is unfortunately currently a tradeoff. On one hand, it does scan for baddies that are downloaded.”

“On the other, baddies that take advantage of this bug can get a LESS-SECURE behavior from Windows compared to when the feature is disabled.”

The zero-day vulnerability is particularly concerning as we know threat actors are actively exploiting it in ransomware attacks.

Dormann shared the proof-of-concept with Microsoft, who said they could not reproduce the MoTW security warning bypass.

However, Microsoft told BleepingComputer that they are aware of the reported issue and are investigating it.

Update 10/22/22

After the publication of this article, Dormann told BleepingComputer that threat actors could modify any Authenticode-signed file, including executables (.EXE), to bypass the MoTW security warnings.

To do this, Dormann says that a signed executable can be modified using a hex editor to change some of the bytes in the signature portion of the file and thus corrupt the signature.

https://platform.twitter.com/embed/Tweet.html?creatorScreenName=BleepinComputer&dnt=false&embedId=twitter-widget-1&features=eyJ0ZndfdGltZWxpbmVfbGlzdCI6eyJidWNrZXQiOlsibGlua3RyLmVlIiwidHIuZWUiLCJ0ZXJyYS5jb20uYnIiLCJ3d3cubGlua3RyLmVlIiwid3d3LnRyLmVlIiwid3d3LnRlcnJhLmNvbS5iciJdLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X2hvcml6b25fdGltZWxpbmVfMTIwMzQiOnsiYnVja2V0IjoidHJlYXRtZW50IiwidmVyc2lvbiI6bnVsbH0sInRmd190d2VldF9lZGl0X2JhY2tlbmQiOnsiYnVja2V0Ijoib24iLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X3JlZnNyY19zZXNzaW9uIjp7ImJ1Y2tldCI6Im9uIiwidmVyc2lvbiI6bnVsbH0sInRmd19jaGluX3BpbGxzXzE0NzQxIjp7ImJ1Y2tldCI6ImNvbG9yX2ljb25zIiwidmVyc2lvbiI6bnVsbH0sInRmd190d2VldF9yZXN1bHRfbWlncmF0aW9uXzEzOTc5Ijp7ImJ1Y2tldCI6InR3ZWV0X3Jlc3VsdCIsInZlcnNpb24iOm51bGx9LCJ0Zndfc2Vuc2l0aXZlX21lZGlhX2ludGVyc3RpdGlhbF8xMzk2MyI6eyJidWNrZXQiOiJpbnRlcnN0aXRpYWwiLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X2V4cGVyaW1lbnRzX2Nvb2tpZV9leHBpcmF0aW9uIjp7ImJ1Y2tldCI6MTIwOTYwMCwidmVyc2lvbiI6bnVsbH0sInRmd19kdXBsaWNhdGVfc2NyaWJlc190b19zZXR0aW5ncyI6eyJidWNrZXQiOiJvbiIsInZlcnNpb24iOm51bGx9LCJ0ZndfdmlkZW9faGxzX2R5bmFtaWNfbWFuaWZlc3RzXzE1MDgyIjp7ImJ1Y2tldCI6InRydWVfYml0cmF0ZSIsInZlcnNpb24iOm51bGx9LCJ0ZndfdHdlZXRfZWRpdF9mcm9udGVuZCI6eyJidWNrZXQiOiJvbiIsInZlcnNpb24iOm51bGx9fQ%3D%3D&frame=false&hideCard=false&hideThread=true&id=1582493426494636032&lang=en&origin=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fexploited-windows-zero-day-lets-javascript-files-bypass-security-warnings%2F&sessionId=ad0d187be79e9f0d5b7b04498fef77964be23c7f&siteScreenName=BleepinComputer&theme=light&widgetsVersion=1c23387b1f70c%3A1664388199485&width=550px

Once the signature is corrupted, Windows will not check the file using SmartScreen, as if a MoTW flag was not present, and allow it to run.

“Files that have a MotW are treated as if there were no MotW if the signature is corrupt. What real-world difference that makes depends on what type of file it is,” explained Dormann.

Magniber ransomware now infects Windows users via JavaScript files

Microsoft finally releases tabbed File Explorer for Windows 11

Windows Mark of the Web bypass zero-day gets unofficial patch

Microsoft: New Prestige ransomware targets orgs in Ukraine, Poland

Microsoft Exchange servers hacked to deploy LockBit ransomware

Source :
https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/

VMware bug with 9.8 severity rating exploited to install witch’s brew of malware

If you haven’t patched CVE-2022-22954 yet, now would be an excellent time to do so.

Hackers have been exploiting a now-patched vulnerability in VMware Workspace ONE Access in campaigns to install various ransomware and cryptocurrency miners, a researcher at security firm Fortinet said on Thursday.

SSL/TLS connection issue fix: out-of-band update status and affected applications (Oct. 21, 2022)

[German]As of October 17, 2022, Microsoft has released several unscheduled updates for Windows. These updates fix a connection problem that can occur with SSL and TLS connections. Affected by this problem are probably all Windows client and server. Below I have listed all available updates and also give some hints where problems occur without these updates.

Advertising

Out-of-band updates with TLS fix

Microsoft made a mistake with the last updates for Windows (preview updates from September, security updates from October). As a result, various problems with SSL and TLS connections can occur. Microsoft has therefore released some : out-of-band updates on October 17, 2022 to fix the problem.

I had reportedthat in the blog post Out-of-band updates for Windows fixes SSL-/TLS connection issues (also with Citrix) – October 17, 2022. However, Microsoft had not linked all the updates in its status pages (thanks to EP for pointing out the links), so that I could complete the list of updates for the affected Windows versions below:

KB5020387: Windows 11 21H2
KB5020435: Windows 10 22H2
KB5020435: Windows 10 20H2 – 21H2
KB5020438: Windows 10 Enterprise 2019 LTSC, Windows Server 2019
KB5020436: Windows Server 2022
KB5020439: Windows 10 1607 (LTSC) und Windows Server 2016
KB5020440: Windows 10 1507 (LTSC)
KB5020447: Windows 8.1, Windows Server 2012 R2
KB5020449: Windows Server 2012
KB5020448: Windows 7 SP1, Windows Server 2008 R2

The out-of-band updates KB5020439 and KB5020440 were added on October 18th. These updates are only available for download in the Microsoft Update Catalog and have to be installed manually (just search for the KB numbers). Details about these updates can be found in the linked KB articles.

So only Windows 11 22H2 is missing the corresponding fix update. EP writes here that this fix will be added with the upcoming update KB5018496. This is currently released in the Windows Insider program as a pre-release version in the Release Preview channel (see).

Problems fixed with the updates

People have asked in comments which applications are actually affected by the TLS bugs. I don’t have a complete list, but would like to give some hints below as to what has come to my attention as a fix. Thanks to blog readers for the pointers.

Advertising

Citrix connectivity issue

With the October 2022 updates, administrators found that Citrix clients could no longer communicate with Citrix netscalers. I had reported on this in the blog postCitrix connections broken after Windows update KB5018410 (October 2022) (TLS problem). Affected people who installed the above updates reported that this fixed the connection problem.

KB5020387 fixes TLS 1.3 problem on Windows 10

On Windows, there was also the issue that there TLS 1.3 implementation was buggy on Windows 10 (it only works in Windows 11). I had raised a conflict case in the blog post Bug: Outlook no longer connects to the mail server (October 2022). Microsoft suggested disabling TLS 1.3 via registry intervention as a workaround. In this comment, someone suggests uninstalling updates KB5018410 (Windows 10) and KB5018427 (Windows 11).

Blog reader Harvester asked here, whether TLS 1.3 works with Windows 10 after installing the special updates, and then followed up with the results of his own tests.

Self-reply after tests : Schannel is working properly after having applied KB5020387 on a LTSC 2021 IoT Enterprise image (21H2), where Schannel was previously broken (on build 19044.2130, from October 11 2022)
We initially guessed that the IoT Enterprise SKU wasn’t supporting TLS 1.3, but now we confirmed that we hit the bug mentioned in the post.
“Fun” fact : while it as initially reported that TLS 1.3 was available starting from Windows 10 1903, the Schannel documentation was changed recently, and now state that only Windows 11 and Server 2022 support TLS 1.3: Protocols in TLS/SSL (Schannel SSP)

VPN and WebEx Meetings App

Within this German comment blog reader Marten reported, that the WebEx Meetings App could no longer connect to the WebEx Server (OnPrem) via VPN. The issue has been fixed via update.

Quest Migration Manager for Exchange

On Twitter, enno0815de has sent the following tweet, which refers to my message about the out-of-band updates with TLS fix. It says, anyone planning a domain migration using Quest Migration Manager for Exchange should also install the updates. Otherwise, the account will be locked out for the migration.

In a follow up tweet he adds: By some circumstance the Atelia class (Quest component) is deleted from the registry. Without the TLS fix, you lock the user out of AD completely.

Confirmed: Metro Group victim of cyber attack

[German]Since Monday, October 17, 2022, many Metro stores worldwide have been struggling with severe IT problems. I had already suspected a cyber attack on the Metro Group in a post and I had reports from Austria, from France as well as comments from German Metro customers as well as employees. However, a cyber attack remained unconfirmed so far. Now Metro AG has confirmed such an attack to heise – and on its website.

Advertising

Metro Group with IT problems

I had already reported about the IT problems at Metro Group in the blog post Cyber attack on Metro AG or just a IT break down? Austria, France, German (and more countries?) affected. Since Monday, October 17, 2022, Metro wholesales stores have been struggling with massive IT problems. No invoices or daily passes could be issued and online orders had also disappeared, Metro customers reported. A blog reader had provided me with the following photo of a Metro notice board.

IT-Störung bei Metro
Notification about IT disruption at a Metro wholesale store

The suspicion of a cyber attack has not been confirmed by company spokespersons till today (October 21, 2022). But I have had reports from German blog readers, reporting IT issues since days and some people told me, it’s a cyber attack as a root cause.

Not only Austria and France are affected, but Metro AG worldwide. In Germany, too, the same problem has existed since last Monday. No more stock or prices can be updated or checked in the store. The checkout system is still working but also sluggishly, resulting in long lines. If you want to reserve something digitally, that doesn’t work either.

One reader noted that from what he observed, the IT problems have been going on since Friday afternoon (October 14, 2022). A reader informed me on Facebook that their email systems had delivered a 442 connection Failed-Error when communicating with the Metro mail system last Monday. By the afternoon of October 19, 2022, communication with the Metro Group email system was working again – so something is happening.

Advertising

Metro confirms cyber attack

First a speaker from Metro AG confired to German IT magazine heise a cyber attack on it’s IT systems. After searching the Metro AG site today, I finally found the following statement. It says (translated in English):

Metro cyber attack confirmation (addenum: here is an English version)

T-Security Incident at METRO
METRO/MAKRO is currently experiencing a partial IT infrastructure outage for several technical services. METRO’s IT team, together with external experts, immediately launched a thorough investigation to determine the cause of the service disruption. The latest results of the analysis confirm a cyber attack on METRO systems as the cause of the IT infrastructure outage. METRO AG has informed all relevant authorities about the incident and will of course cooperate with them in every possible way.
During the operation of METRO stores and the regular availability of services, disruptions and delays may occur. The teams in the stores have quickly set up offline systems to process payments. Online orders via the web app and online store are being processed, but there may be individual delays here as well.
We will continue to analyze and monitor the situation intensively and provide updates if necessary.
METRO sincerely apologizes for any inconvenience this incident may cause to customers and business partners.

So they confirmed just a cyber attack, but stay tight lipped about the details. No information, whether it’s a ransomware infection nor about a possible attack vector.

Metro AG is a listed group of wholesale companies (for purchases in the gastronomy sector). Headquartered in Düsseldorf, the group employs more than 95,000 people in 681 stores worldwide, most of them in Germany. In Germany, the company mainly operates the Metro wholesale stores. Sales are 24.8 billion euros (2020).

Over 45,000 VMware ESXi servers just reached end-of-life

Over 45,000 VMware ESXi servers inventoried by Lansweeper just reached end-of-life (EOL), with VMware no longer providing software and security updates unless companies purchase an extended support contract.

Lansweeper develops asset management and discovery software that allows customers to track what hardware and software they are running on their network.

As of October 15, 2022, VMware ESXi 6.5 and VMware ESXi 6.7 reached end-of-life and will only receive technical support but no security updates, putting the software at risk of vulnerabilities.

The company analyzed data from 6,000 customers and found 79,000 installed VMware ESXi servers.

Of those servers, 36.5% (28,835) run version 6.7.0, released in April 2018, and 21.3% (16,830) are on version 6.5.0, released in November 2016. In total, there are 45,654 VMware ESXi servers reaching End of Life as of today

The findings of Lansweeper are alarming because apart from the 57% that enter a period of elevated risk, there are also another 15.8% installations that run even older versions, ranging from 3.5.0 to 5.5.0, which reached EOL quite some time ago.

In summary, right now, only about one out of four ESXi servers (26.4%) inventoried by Lansweeper are still supported and will continue to receive regular security updates until April 02, 2025.

However, in reality, the number of VMware servers reaching EOL today, is likely far greater, as this report is based only on Lansweeper’s customers.

**VMWare versions detected on net scans** *(Lansweeper)*

The technical guidance for ESXi 6.5 and 6.7 will carry on until November 15, 2023, but this concerns implementation issues, not including security risk mitigation.

The only way to ensure you can continue to use older versions securely is to apply for the two-year extended support, which needs to be purchased separately. However, this does not include updates for third-party software packages.

For more details about EOL dates on all VMware software products, check out this webpage.

What does this mean?

When a software product reaches the end-of-life date, it stops receiving regular security updates. This means that admins should have already planned ahead and upgraded all deployments to a newer release.

While it’s not unlikely that VMware will still offer some critical security patches for these older versions, it’s not guaranteed and certainly won’t release patches for all new vulnerabilities that are discovered.

Once an unsupported ESXi server has carried on for long enough without patches, it will have accumulated so many security vulnerabilities that attackers would have multiple ways to breach it.

Due to ESXi hosting virtual machines, attacking the server can potentially cause severe and wide-scale disruption to business operations, which is why ransomware gangs are so focused on targeting it.

This year, ESXi VMs were targeted by the likes of Black Basta, RedAlert, GwisinLocker, Hive, and the Cheers ransomware gangs.

More recently, Mandiant discovered that hackers found a new method to establish persistence on VMware ESXi hypervisors that lets them control the server and hosted VMs without being detected.

All that said, ESXi already enjoys ample attention from threat actors, so running outdated and vulnerable versions of the software would no doubt be a terrible idea.

VMware: 70% drop in Linux ESXi VM performance with Retbleed fixes

Microsoft October 2022 Patch Tuesday fixes zero-day used in attacks, 84 flaws

Microsoft adds new RSS feed for security update notifications

VMware vCenter Server bug disclosed last year still not patched

Windows 11 KB5018427 update released with 30 bug fixes, improvements

Source :
https://www.bleepingcomputer.com/news/security/over-45-000-vmware-esxi-servers-just-reached-end-of-life/

Set Port Trunking on your QNAP NAS to increase the bandwidth via 802.3ad protocol

Port Trunking, also known as LACP (Link Aggregation Control Protocol), allows you to combine multiple LAN interfaces for increased bandwidth and load balancing for multiple clients. It also provides failover capabilities to maintain network connectivity if a network port fails.

802.3ad (Dynamic Link Aggregation) is the No.5 mode according to the IEEE 802.3ad specification. It uses a complex algorithm to aggregate adapters by speed and duplex settings to provide load balancing and fault tolerance but requires a switch that supports IEEE 802.3ad with LACP mode properly configured.

Note: Your switch must support 802.3ad.
Note: A NAS with multiple LAN ports is required.

Follow these steps to set up your NAS.

Log into the NAS as an administrator. Go to “Main Menu” > “Network & Virtual Switch” > “Interfaces”. Click “Port Trunking”.
Click “Add” from the pop-up window.
Select the network interfaces to use and select 802.3ad for the Port Trunking Mode.
Click the settings button beside 802.3ad.
Select a HASH policy for 802.3ad:
The default setting is “layer 2 (MAC)“. This is compatible with every switch but only offers load balancing by MAC address. We recommend using “Layer 2+3 (MAC+IP)” for greater performance but you will need to check that your switch supports it.
Click “Apply” to finish.

Test Results:

The test results of before and after Port Trunking is as follows.

A Gigabit Ethernet Network
1. One user downloading a large video file from the NAS:
2. One user uploading a large video file to the NAS:
3. Two users downloading a large video file from the NAS at the same time:
  
  The throughput of the NAS reaches 108~110 MB/s (downloading):
4. Two users upload a large video file to the NAS at the same time:
  
  The throughput of NAS reaches 102~104 MB/s (uploading):
Aggregating two Gigabit Ethernet Networks on the NAS
1. One user downloads a large video file from the NAS:
2. One user uploads a large video file to the NAS:
3. Two users download a large video file from the NAS at the same time:
  
  The throughput of NAS reaches 210~223 MB/s (downloading):
4. Two users upload a large video file to the NAS at the same time:
  
  The throughput of NAS reaches 200~210 MB/s (uploading):

As displayed by the test results, Port Trunking can increase bandwidth on a QNAP NAS . But please note the following:

Port Trunking cannot break the speed limit of a single Ethernet device, but it offers a sufficient amount of bandwidth for multiple users connecting at the same time. For example, if two 1Gb NICs are used for Port Trunking, the aggregated network bandwidth will be increased to 2Gb, but the network speed will remain 1Gb.
Available system resources and the maximum read/write speeds of the storage devices on the NAS will greatly influence the overall bandwidth.

Source :
https://www.qnap.com/en/how-to/tutorial/article/set-port-trunking-on-your-qnap-nas-to-increase-the-bandwidth-via-802-3ad-protocol

Venus Ransomware targets publicly exposed Remote Desktop services

Threat actors behind the relatively new Venus Ransomware are hacking into publicly-exposed Remote Desktop services to encrypt Windows devices.

Venus Ransomware appears to have begun operating in the middle of August 2022 and has since encrypted victims worldwide. However, there was another ransomware using the same encrypted file extension since 2021, but it is unclear if they are related.

BleepingComputer first learned of the ransomware from MalwareHunterTeam, who was contacted by security analyst linuxct looking for information on it.

Linuxct told BleepingComputer that the threat actors gained access to a victim’s corporate network through the Windows Remote Desktop protocol.

Another victim in the BleepingComputer forums also reported RDP being used for initial access to their network, even when using a non-standard port number for the service.

How Venus encrypts Windows devices

When executed, the Venus ransomware will attempt to terminate thirty-nine processes associated with database servers and Microsoft Office applications.

taskkill, msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, mydesktopqos.exe, agntsvc.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, sqlservr.exe, thebat64.exe, thunderbird.exe, winword.exe, wordpad.exe

The ransomware will also delete event logs, Shadow Copy Volumes, and disable Data Execution Prevention using the following command:

wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE

When encrypting files, the ransomware will append the .venus extension, as shown below. For example, a file called test.jpg would be encrypted and renamed test.jpg.venus.

**Files encrypted by the Venus Ransomware**
*Source: BleepingComputer*

In each encrypted file, the ransomware will add a ‘goodgamer’ filemarker and other information to the end of the file. It is unclear what this additional information is at this time.

**Goodgamer file marker in an encrypted file**
*Source: BleepingComputer*

The ransomware will create an HTA ransom note in the %Temp% folder that will automatically be displayed when the ransomware is finished encrypting the device.

As you can see below, this ransomware calls itself “Venus” and shares a TOX address and email address that can be used to contact the attacker to negotiate a ransom payment. At the end of the ransom note is a base64 encoded blob, which is likely the encrypted decryption key.

**Venus Ransomware ransom note**
*Source: BleepingComputer*

https://6c29118eeb90b493fc8cae82084958c7.safeframe.googlesyndication.com/safeframe/1-0-38/html/container.html?upapi=true

At this time, the Venus ransomware is fairly active, with new submissions uploaded to ID Ransomware daily.

As the ransomware appears to be targeting publicly-exposed Remote Desktop services, even those running on non-standard TCP ports, it is vital to put these services behind a firewall.

Ideally, no Remote Desktop Services should be publicly exposed on the Internet and only be accessible via a VPN

Magniber ransomware now infects Windows users via JavaScript files

Microsoft: Iranian hackers encrypt Windows systems using BitLocker

Ransom Cartel linked to notorious REvil ransomware operation

REvil ransomware returns: New malware sample confirms gang is back

Windows 10 22H2 is released, here’s what we know

Source :
https://www.bleepingcomputer.com/news/security/venus-ransomware-targets-publicly-exposed-remote-desktop-services/

hikvision	1234	win1dows	S2fGqNFs
root	tsgoingon	newsheen	12345
default	solokey	neworange88888888	guest
bin	user	neworang	system
059AnkJ	telnetadmin	tlJwpbo6	iwkb
141388	123456	20150602	00000000
adaptec	20080826	vstarcam2015	v2mprt
Administrator	1001chin	vhd1206	support
NULL	xc3511	QwestM0dem	7ujMko0admin
bbsd-client	vizxv	fidel123	dvr2580222
par0t	hg2x0	samsung	t0talc0ntr0l4!
cablecom	hunt5759	epicrouter	zlxx
pointofsale	nflection	admin@mimifi	xmhdipc
icatch99	password	daemon	netopia
3com	DOCSIS_APP	hagpolm1	klv123
OxhlwSG8

Disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 using Powershell

Powershell code to disable SSL 2.0

Powershell code to disable SSL 3.0

Powershell code to disable TLS 1.0

Powershell code to disable TLS 1.1

Powershell code to Enable TLS 1.2

Powershell code to Enable TLS 1.3

How to verify if TLS 1.0 and TLS 1.1 has been disabled on Windows 10

Registry Keys to check if SSL 2.0 is disabled

Registry Keys to check if SSL 3.0 is disabled

Registry Keys to check if TLS 1.0 is disabled

Registry Keys to check if TLS 1.1 is disabled

Registry Keys to check if TLS 1.2 is Enabled

Registry Keys to check if TLS 1.3 is Enabled

Conclusion

How to disable Modern Standby in Windows 10

Disable Modern Standby on Windows 10 using Command line

How to check If Modern Standby is supported in Windows 10

FAQs on Modern Standby

1. Which versions of Windows supports Modern Standby ?

2. How to Re-enable Modern Standby after creating PlatformAoAcOverride reg entry ?

3. Does my computer support Modern Standby ?

4. How to Identify and diagnose issues during a Modern Standby session ?

5. How to find all the switches of powercfg command ?

powercfg /?

Conclusion

Vssadmin command

Ensure that the VSS writers are in Stable State

Ensure that you can see Registered Shadow Copy Providers

List existing Volume Shadow Copies

Lists all shadow copy storage associations on the system.

Delete Shadow Copies using command line

wmic command

Vssadmin delete shadows

diskshadow Command

Best Practices

More Information

Conclusion

Windows MoTW bypass zero-day flaw

Related Articles:

FURTHER READING

Out-of-band updates with TLS fix

Problems fixed with the updates

Citrix connectivity issue

KB5020387 fixes TLS 1.3 problem on Windows 10

VPN and WebEx Meetings App

Quest Migration Manager for Exchange

Metro Group with IT problems

Metro confirms cyber attack

What does this mean?

Related Articles:

Test Results:

How Venus encrypts Windows devices

Related Articles:

2. How to Re-enable Modern Standby after creating `PlatformAoAcOverride` reg entry ?