Transport Layer Security (TLS) – TLS protocol is used to provide privacy and data integrity between two communicating applications. SSL and TLS are both cryptographic protocols but because SSL protocols does not providers sufficient level of security compared to TLS, SSL 2.0 and SSL 3.0 have been deprecated. TLS 1.0 was released in 1999, TLS 1.1 was released in 2006, TLS 1.2 was released in 2008 and TLS 1.3 was released in 2018.
Most of the companies and Internet Browsers are now moving to TLS 1.2 which is having better security algorithms than TLS 1.0 and TLS 1.1. TLS is more secure than SSL. Mozilla Firefox, Google Chrome, Apple and Microsoft are all ending support for TLS 1.0/1.1 in 2020, so its better to plan ahead of time and test all the applications and create Policies to disable TLS 1.0 and TLS 1.1 on Windows devices.
If you are interested in learning more about these protocols, differences between these protocols and security improvements – you can check Protocols RFC’s (Request for Comments) at these links TLS1.0 RFC, TLS 1.1 RFC, TLS 1.2 RFC and TLS 1.3 RFC.
Create a GPO in Active Directory to disable TLS 1.0 and TLS 1.1
We will be creating a Group policy object in Active directory to disable TLS 1.0 and TLS 1.1. You will need to create given registry keys and registry entries to control TLS protocols. Please find below steps to disable TLS 1.0 and TLS 1.1 on windows servers.
How to create a GPO in Active Directory to disable TLS 1.0 and TLS 1.1
Login on a domain controller as a domain administrator.
Open Group policy management console (Go to Start -> Run and type gpmc.msc and press Enter)
Expand Group Policy Objects Folder. Right-click on it and Select New.
Provide a Name of the GPO. For Example: Disable TLS 1.0 and TLS 1.1 Windows servers
Right click on the Group policy “Disable TLS 1.0 and TLS 1.1 Windows Servers” and click on Edit.
Go to Computer Configuration -> Preferences -> Windows settings -> Registry.
Right click on Registry -> click on New -> click on Registry Item.
In the next step, we will create registry keys and registry entries to Disable TLS 1.0 and TLS 1.1. Its recommended to disable SSL 2.0 and SSL 3.0 as well. Most of the newer Windows operating systems have TLS 1.2 enabled by default. However, If you want to control TLS 1.2 and TLS 1.3 then you can use the given registry keys for TLS 1.2 and TLS 1.3.
After you click on Registry Item, A window will show where you can enter Information about the registry Item which you want to create. You need to provide below information about the registry Item:
Action: Select Update from the drop-down. Selecting Update will create the registry keys and registry entries if its not found on end users devices.
Hive: Select HKEY_LOCAL_MACHINE
Key Path: You can either browse to the registry path or provide a registry key to create / update.
Value Name: We will be creating two registry entries for each protocol. DisabledbyDefault and Enabled.
Value type: Select REG_DWORD.
Value type: Select 1 to Enable an 0 to disable.
Go through the process of creating an entry for each registry Item. Below screenshot shows that we have Disabled TLS 1.0, TLS 1.1 protocols and Enabled TLS 1.2 and TLS 1.3.
Once you create all the registry Items in the Group policy management console for Disable TLS 1.0 and TLS 1.1 Windows Servers GPO. You can link the GPO to the Organization Unit (OU) containing windows servers.
Please note that as this group policy object contains settings in Computer configuration which will target the Devices. A restart of the computer will be required so that registry entries can be created.
Disable TLS 1.0 and TLS 1.1 using IIS Crypto Tool
If your windows servers are not domain joined or you do not want to create group policy object in Active directory to disable deprecated SSL and TLS protocols. You can download and Install IIS Crypto tool on Windows server and manually select the checkboxes to Disable / Enable SSL / TLS protocols.
Please follow below steps to disable TLS 1.0 and TLS 1.1 using IIS Crypto Tool:
Login on Windows Server using administrator credentials.
Uncheck SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 from Server Protocols.
Uncheck SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 from Client Protocols.
Reboot the server.
Repeat Steps 1 to 6 on each server where you want to disable deprecated SSL and TLS protocols.
Disable deprecated SSL and TLS protocols using IIS Crypto Tool
Conclusion
In this blog post, we have seen how to disable TLS 1.0 and TLS 1.1 on windows servers. Its highly recommended to disable SSL 2.0 and SSL 3.0 as well. Newer Windows server operting systems have TLS 1.2 and TLS 1.3 enabled but you can still control these protocols using the given registry keys.
If you have only couple of servers and you do not want to create the Active directory group policy or your windows servers are standalone servers and not domain joined. You can use IIS Crypto tool to disable deprecated SSL and TLS protocols.
Transport Layer Security (TLS) – TLS protocol is used to provide privacy and data integrity between two communicating applications. SSL and TLS are both cryptographic protocols but because SSL protocols does not providers sufficient level of security compared to TLS, SSL 2.0 and SSL 3.0 have been deprecated. TLS 1.0 was released in 1999, TLS 1.1 was released in 2006, TLS 1.2 was released in 2008 and TLS 1.3 was released in 2018.
Most of the companies and Internet Browsers are now moving to TLS 1.2 which is having better security algorithms than TLS 1.0 and TLS 1.1. TLS is more secure than SSL. Mozilla Firefox, Google Chrome, Apple and Microsoft are all ending support for TLS 1.0/1.1 in 2020, so its better to plan ahead of time and test all the applications and create Policies to disable TLS 1.0 and TLS 1.1 on Windows machines.
If you are interested in learning more about these protocols, differences between these protocols and security improvements – you can check Protocols RFC’s (Request for Comments) at these links TLS1.0 RFC, TLS 1.1 RFC, TLS 1.2 RFC and TLS 1.3 RFC.
Disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 using Powershell
We can easily disable TLS 1.0 and TLS 1.1 using Powershell. However its recommended to also disable SSL 2.0, SSL 3.0 as well. We will be using below powershell code to create registry keys and registry entries. Once the registry keys are created, a reboot of that device will be required to complete the change.
Please note below Powershell Code needs to be run as an administrator as it needs to perform changes in Windows registry.
To run Powershell code on Windows 11 computer. Please use below steps:
Login on a Windows 11 PC as administrator.
Open Powershell Console as an administrator.
Run below piece of powershell code to enable / disable SSL / TLS Protocols.
In this blog post, we have checked the powershell codes to disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1. We have checked the Powershell code to enable TLS 1.2 and TLS 1.3. Its highly recommended to disable old unsupported protocols to reduce the security risk on your computer.
Transport Layer Security (TLS) – TLS protocol is used to provide privacy and data integrity between two communicating applications. SSL and TLS are both cryptographic protocols but because SSL protocols does not providers sufficient level of security compared to TLS, SSL 2.0 and SSL 3.0 have been deprecated. TLS 1.0 was released in 1999, TLS 1.1 was released in 2006, TLS 1.2 was released in 2008 and TLS 1.3 was released in 2018.
Most of the companies and Internet Browsers are now moving to TLS 1.2 which is having better security algorithms than TLS 1.0 and TLS 1.1. TLS is more secure than SSL. Mozilla Firefox, Google Chrome, Apple and Microsoft are all ending support for TLS 1.0/1.1 in 2020, so its better to plan ahead of time and test all the applications and create Policies to disable TLS 1.0 and TLS 1.1 on Windows machines.
If you are interested in learning more about these protocols, differences between these protocols and security improvements – you can check Protocols RFC’s (Request for Comments) at these links TLS1.0 RFC, TLS 1.1 RFC, TLS 1.2 RFC and TLS 1.3 RFC.
Disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 using Powershell
We can easily disable TLS 1.0 and TLS 1.1 using Powershell. However its recommended to also disable SSL 2.0, SSL 3.0 as well. We will be using below powershell code to create registry keys and registry entries. Once the registry keys are created, a reboot of that device will be required to complete the change.
Please note below Powershell Code needs to be run as an administrator as it needs to perform changes in Windows registry.
To run Powershell code on Windows 10 computer. Please use below steps:
Login on a Windows 10 PC as administrator.
Open Powershell Console as an administrator.
Run below piece of powershell code to enable / disable SSL / TLS Protocols.
In this blog post, we have checked the powershell codes to disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1. We have checked the Powershell code to enable TLS 1.2 and TLS 1.3. It’s highly recommended to disable old unsupported protocols to reduce the security risk on your computer.
There are two power models in Windows 10, S3 and S0 Low Power idle (Modern Standby). Modern Standby in Windows 10 provides Instant On/Off Experience like smartphones.
Modern Standby enables S0 low power idle power planwhich keeps your laptop or desktop in lowest power mode and also allow apps to receive the latest content such as incoming email, VoIP calls, Windows updates etc.
The system will enter Modern Standby when the user take any of below actions:
Presses the system power button.
Closes the lid of the laptop / desktop / tablet.
Selects Sleep from the power button from the Windows Start menu.
Waits for the system to idle and enter sleep automatically, according to the Power and sleep settings.
The amount of battery saving in Modern Standby is calculated by knowing how much time the system was in DRIPS (Deepest run-time idle platform state). DRIPS occurs when the system is consuming the lowest amount of power possible. If there is any background task (like receiving of email, windows update etc.) consumes power, the system is not considered to be in DRIPS mode.
Total Modern Standby session time = DRIPS time + non-DRIPS time
How to disable Modern Standby in Windows 10
There could be a scenario where you do not want to enable Modern Standby on windows 10 and want to use another available and supported power plan for example S3. In that case, you can simply disable Modern standby by following below steps. The steps given requires changes in the registry of the system which will require administrator rights.
Login on the Windows 10 device.
Click on Start and search for Registry Editor.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power
Right click on the right hand side pane and click on New -> DWORD (32-bit) Value
Provide the name of registry entry PlatformAoAcOverride and set its value to 0.
As this registry change is in HKEY_LOCAL_MACHINE, A restart of the PC would be required.
Disable Modern Standby on Windows 10 using Command line
In the previous section we have seen how to disable Modern standby using GUI Interface of registry editor. If you do not prefer GUI and want to use a command to disable Modern Standby then you can follow below steps:
Login on Windows 10 device.
Go to Start and search for Command prompt.
Right-click on Command prompt and click Run as administrator.
Type below command and press enter.
After this command is executed successfully, Restart your device.
How to check If Modern Standby is supported in Windows 10
Not all devices support Modern standby but the number of systems which support Modern standby are increasing. I have been using Microsoft Surface Pro 4 laptop which supports Modern standby. Here’s how you can check if your device supports Modern Standby.
Login on Windows 10 device.
Click on Start and search for Command Prompt.
Launch Command Prompt.
Type command powercfg -a to check if Modern standby is supported.
Powercfg -a lists the sleep states available on your computer.
In below screenshot, you can see that this Windows 10 device is on Standby (S0 Low Power Idle) Network Connected State which means that Modern Standby is supported and enabled on this device.
If you run powercfg -a command on your system and it shows that S0 Low power idle is not supported then this could be a a limitaton by system’s hardware to support Modern standby. There is nothing you can do to enable it. The alternative is to keep using Standby S3 or any other supported power plan.
Modern Standby (S0 Low power idle) can be in Network Connected mode or Network Disconnected mode.
Standby (S0 Low Power Idle) Network Connected: This means that Modern standby with network connectivity in sleep mode.
Standby (S0 Low Power Idle) Network Disconnected: This means that Modern standby without network connectivity while in sleep mode and the system spends most of the time in DRIPS.
FAQs on Modern Standby
Below are some of the frequently asked questions on Modern Standby:
1. Which versions of Windows supports Modern Standby ?
Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows 11 Operating system.
2. How to Re-enable Modern Standby after creating PlatformAoAcOverride reg entry ?
If your device supports Modern Standby and you have created PlatformAoAcOverride reg entry under HKLM\System\CurrentControlSet\Control\Power reg key. Simply delete this registry entry and restart your device to enable Modern Standby again.
You can delete PlatformAoAcOverride registry entry manually by using registry editor or launch powershell console as an administrator and run below command to delete it.
You can easily check this by running a command powercfg -a on the command prompt. If it says Standby (S0 Low Power Idle) Network Connected or Standby (S0 Low Power Idle) Network Disconnected then Modern Standby is supported and Enabled.
4. How to Identify and diagnose issues during a Modern Standby session ?
You can Identify and diagnose any issues related to Modern standby by running Powercfg /sleepstudy command on an elevated command prompt. You can then analyse the report which will be generated and saved at C:\WINDOWS\system32\sleepstudy-report.html location.
Please make sure to open command prompt as an administrator and then run powercfg /sleepstudy
5. How to find all the switches of powercfg command ?
To check the switches of powercfg command, you can run powercfg /? on the command prompt. This will list all available options with detailed information. I have run this command on my device which lists all the switches which can be used with powercfg command:
powercfg /?
C:\WINDOWS\system32>powercfg /?
POWERCFG /COMMAND [ARGUMENTS]
Description:
Enables users to control power settings on a local system.
For detailed command and option information, run "POWERCFG /? <COMMAND>"
Command List:
/LIST, /L Lists all power schemes.
/QUERY, /Q Displays the contents of a power scheme.
/CHANGE, /X Modifies a setting value in the current power scheme.
/CHANGENAME Modifies the name and description of a power scheme.
/DUPLICATESCHEME Duplicates a power scheme.
/DELETE, /D Deletes a power scheme.
/DELETESETTING Deletes a power setting.
/SETACTIVE, /S Makes a power scheme active on the system.
/GETACTIVESCHEME Retrieves the currently active power scheme.
/SETACVALUEINDEX Sets the value associated with a power setting
while the system is powered by AC power.
/SETDCVALUEINDEX Sets the value associated with a power setting
while the system is powered by DC power.
/IMPORT Imports all power settings from a file.
/EXPORT Exports a power scheme to a file.
/ALIASES Displays all aliases and their corresponding GUIDs.
/GETSECURITYDESCRIPTOR
Gets a security descriptor associated with a specified
power setting, power scheme, or action.
/SETSECURITYDESCRIPTOR
Sets a security descriptor associated with a
power setting, power scheme, or action.
/HIBERNATE, /H Enables and disables the hibernate feature.
/AVAILABLESLEEPSTATES, /A
Reports the sleep states available on the system.
/DEVICEQUERY Returns a list of devices that meet specified criteria.
/DEVICEENABLEWAKE Enables a device to wake the system from a sleep state.
/DEVICEDISABLEWAKE Disables a device from waking the system from a sleep
state.
/LASTWAKE Reports information about what woke the system from the
last sleep transition.
/WAKETIMERS Enumerates active wake timers.
/REQUESTS Enumerates application and driver Power Requests.
/REQUESTSOVERRIDE Sets a Power Request override for a particular Process,
Service, or Driver.
/ENERGY Analyzes the system for common energy-efficiency and
battery life problems.
/BATTERYREPORT Generates a report of battery usage.
/SLEEPSTUDY Generates a diagnostic system power transition report.
/SRUMUTIL Dumps Energy Estimation data from System Resource Usage
Monitor (SRUM).
/SYSTEMSLEEPDIAGNOSTICS
The system sleep diagnostics report has been deprecated and
replaced with the system power report. Please use the command
"powercfg /systempowerreport" instead.
/SYSTEMPOWERREPORT Generates a diagnostic system power transition report.
/POWERTHROTTLING Control power throttling for an application.
/PROVISIONINGXML, /PXML Generate an XML file containing power setting overrides.
Copy
Conclusion
Modern standby saves your laptop’s or desktop’s battery and keep your device active for longer. If you use your device intermittently or away from your device a lot then this can save a lot of energy. However, there could be a scenario where you do not want to enable Modern standby. In that case you can use the steps given in this blog post to create a registry entry and disable Modern standby.
If you haven’t patched CVE-2022-22954 yet, now would be an excellent time to do so.
Hackers have been exploiting a now-patched vulnerability in VMware Workspace ONE Access in campaigns to install various ransomware and cryptocurrency miners, a researcher at security firm Fortinet said on Thursday.
FURTHER READING
2 vulnerabilities with 9.8 severity ratings are under exploit. A 3rd loomsCVE-2022-22954 is a remote code execution vulnerability in VMware Workspace ONE Access that carries a severity rating of 9.8 out of a possible 10. VMware disclosed and patched the vulnerability on April 6. Within 48 hours, hackers reverse-engineered the update and developed a working exploit that they then used to compromise servers that had yet to install the fix. VMware Workspace ONE access helps administrators configure a suite of apps employees need in their work environments.
In August, researchers at Fortiguard Labs saw a sudden spike in exploit attempts and a major shift in tactics. Whereas before the hackers installed payloads that harvested passwords and collected other data, the new surge brought something else—specifically, ransomware known as RAR1ransom, a cryptocurrency miner known as GuardMiner, and Mirai, software that corrals Linux devices into a massive botnet for use in distributed denial-of-service attacks.
“Although the critical vulnerability CVE-2022-22954 is already patched in April, there are still multiple malware campaigns trying to exploit it,” Fortiguard Labs researcher Cara Lin wrote. Attackers, she added, were using it to inject a payload and achieve remote code execution on servers running the product.
The Mirai sample Lin saw getting installed was downloaded from http[:]//107[.]189[.]8[.]21/pedalcheta/cutie[.]x86_64 and relied on a command and control server at “cnc[.]goodpackets[.]cc. Besides delivering junk traffic used in DDoSes, the sample also attempted to infect other devices by guessing the administrative password they used. After decoding strings in the code, Lin found the following list of credentials the malware used:
hikvision
1234
win1dows
S2fGqNFs
root
tsgoingon
newsheen
12345
default
solokey
neworange88888888
guest
bin
user
neworang
system
059AnkJ
telnetadmin
tlJwpbo6
iwkb
141388
123456
20150602
00000000
adaptec
20080826
vstarcam2015
v2mprt
Administrator
1001chin
vhd1206
support
NULL
xc3511
QwestM0dem
7ujMko0admin
bbsd-client
vizxv
fidel123
dvr2580222
par0t
hg2x0
samsung
t0talc0ntr0l4!
cablecom
hunt5759
epicrouter
zlxx
pointofsale
nflection
admin@mimifi
xmhdipc
icatch99
password
daemon
netopia
3com
DOCSIS_APP
hagpolm1
klv123
OxhlwSG8
In what appears to be a separate campaign, attackers also exploited CVE-2022-22954 to download a payload from 67[.]205[.]145[.]142. The payload included seven files:
phpupdate.exe: Xmrig Monero mining software
config.json: Configuration file for mining pools
networkmanager.exe: Executable used to scan and spread infection
phpguard.exe: Executable used for guardian Xmrig miner to keep running
init.ps1: Script file itself to sustain persistence via creating scheduled task
clean.bat: Script file to remove other cryptominers on the compromised host
encrypt.exe: RAR1 ransomware
In the event RAR1ransom has never been installed before, the payload would first run the encrypt.exe executable file. The file drops the legitimate WinRAR data compression executable in a temporary Windows folder. The ransomware then uses WinRAR to compress user data into password-protected files.
The payload would then start the GuardMiner attack. GuardMiner is a cross-platform mining Trojan for the Monero currency. It has been active since 2020.
The attacks underscore the importance of installing security updates in a timely manner. Anyone who has yet to install VMware’s April 6 patch should do so at once.
Port Trunking, also known as LACP (Link Aggregation Control Protocol), allows you to combine multiple LAN interfaces for increased bandwidth and load balancing for multiple clients. It also provides failover capabilities to maintain network connectivity if a network port fails.
802.3ad (Dynamic Link Aggregation) is the No.5 mode according to the IEEE 802.3ad specification. It uses a complex algorithm to aggregate adapters by speed and duplex settings to provide load balancing and fault tolerance but requires a switch that supports IEEE 802.3ad with LACP mode properly configured.
Note: Your switch must support 802.3ad. Note: A NAS with multiple LAN ports is required.
Follow these steps to set up your NAS.
Log into the NAS as an administrator. Go to “Main Menu” > “Network & Virtual Switch” > “Interfaces”. Click “Port Trunking”.
Click “Add” from the pop-up window.
Select the network interfaces to use and select 802.3ad for the Port Trunking Mode.
Click the settings button beside 802.3ad.
Select a HASH policy for 802.3ad: The default setting is “layer 2 (MAC)“. This is compatible with every switch but only offers load balancing by MAC address. We recommend using “Layer 2+3 (MAC+IP)” for greater performance but you will need to check that your switch supports it.
Click “Apply” to finish.
Test Results:
The test results of before and after Port Trunking is as follows.
A Gigabit Ethernet Network
One user downloading a large video file from the NAS:
One user uploading a large video file to the NAS:
Two users downloading a large video file from the NAS at the same time: The throughput of the NAS reaches 108~110 MB/s (downloading):
Two users upload a large video file to the NAS at the same time: The throughput of NAS reaches 102~104 MB/s (uploading):
Aggregating two Gigabit Ethernet Networks on the NAS
One user downloads a large video file from the NAS:
One user uploads a large video file to the NAS:
Two users download a large video file from the NAS at the same time: The throughput of NAS reaches 210~223 MB/s (downloading):
Two users upload a large video file to the NAS at the same time: The throughput of NAS reaches 200~210 MB/s (uploading):
As displayed by the test results, Port Trunking can increase bandwidth on a QNAP NAS . But please note the following:
Port Trunking cannot break the speed limit of a single Ethernet device, but it offers a sufficient amount of bandwidth for multiple users connecting at the same time. For example, if two 1Gb NICs are used for Port Trunking, the aggregated network bandwidth will be increased to 2Gb, but the network speed will remain 1Gb.
Available system resources and the maximum read/write speeds of the storage devices on the NAS will greatly influence the overall bandwidth.
If you’re new to the world of virtualization, networking configuration can be one of the toughest concepts to grasp. Networking is also different in Hyper-V than in other hypervisors, so even those with years of experience can stumble a bit when meeting Hyper-V for the first time. This article will start by looking at the conceptual design of virtual networking in Hyper-V, configuration and then work through implementation best practices.
Networking Basics
Before beginning, it might be helpful to ensure that you have a solid grasp of the fundamentals of Ethernet and TCP/IP networking in general. Several articles that explain common aspects begin with this explanation of the OSI model.
The Hyper-V Virtual Switch
The single most important component of networking in Hyper-V is the virtual switch. There’s an in-depth article on the Hyper-V Virtual Switch on this blog, but for the sake of this article I’ll give you a basic introduction to the concept, within the bigger picture.
The key to understanding is realizing that it truly is a switch, just like a physical switch. It operates in layer 2 as the go-between for virtual switch ports. It directs packets to MAC addresses. It handles VLAN tagging. It can even perform some Quality of Service (QoS) tasks. It’s also responsible for isolating network traffic to the virtual adapter that is supposed to be receiving it. When visualized, the Hyper-V network switch should be thought of in the same way as a standard switch:
The next part of understanding the virtual switch is how it interacts with the host. To open that discussion, you must first become acquainted with the available types of virtual switches.
Virtual Switch Modes
There are three possible modes for the Hyper-V switch: private, internal, and public. Do not confuse these with IP addressing schemes or any other virtual networking configuration in a different technology.
Hyper-V’s Private Switch
The private switch allows communications among the virtual machines on its host and nothing else. Even the management operating system is not allowed to participate. This switch is purely logical and does not use any physical adapter in any way. “Private” in this sense is not related to private IP addressing. You can mentally think of this as a switch that has no ability to uplink to other switches.
Hyper-V’s Internal Switch
The internal switch is similar to the private switch with one exception: the management operating system can have a virtual adapter on this type of switch. This allows the management operating system to directly communicate with any virtual machines that also have virtual adapters on the same internal switch. Like the private switch, the internal switch does not have any relation to a physical adapter and therefore also cannot uplink to any another switch.
Hyper-V’s External Switch
The external switch type must be connected to a physical adapter. It allows communications between the physical network and the management operating system and the virtual adapters on virtual machines. Do not confuse this switch type with public IP addressing schemes or let its name suggest that it needs to be connected to an Internet-facing system. You can use the same private IP address range for the adapters on an external virtual switch that you’re using on the physical network it’s attached to. External in this usage means that it can connect to systems that are external to the Hyper-V host.
How to Conceptualize the External Virtual Switch
Part of what makes understanding the external virtual switch artificially difficult is the way that the related settings are worded. In the Hyper-V Manager GUI, it’s worded as Allow management operating system to share this network adapter. In PowerShell’s New-VMSwitch cmdlet, there’s an AllowManagementOS parameter which is no better, and its description — Specifies whether the parent partition (i.e. the management operating system) is to have access to the physical NIC bound to the virtual switch to be created. — makes it worse. What seems to happen far too often is that people read these and think of the virtual switch and the virtual adapters like this:
Unfortunately, this is not at all an accurate representation of Hyper-V’s virtual network stack. Once the virtual switch is bound to a physical adapter, that adapter is no longer used for anything else. TCP/IP, and most other items, are removed from it. The management operating system is quite simply unable to “share” it. If you attempt to bind anything else to the adapter, it’s quite probable that you’ll break the virtual switch.
In truth, the management operating system is getting a virtual network adapter of its own. That’s what gets connected to the virtual switch. That adapter isn’t exactly like the adapters attached to the virtual machines; it’s not quite as feature-rich. However, it’s nothing at all like actually sharing the physical adapter in the way that the controls imply. A better term would be, “Connect the management operating system to the virtual switch”. That’s what the settings really do. The following image is a much more accurate depiction of what is happening:
As you can see, the management operating system’s virtual adapter is treated the same way as that of the virtual machines’ adapters. Of course, you always have the option to take one or more physical adapters out of the virtual switch. Those will be used by the management operating system as normal. If you do that, then you don’t necessarily need to “share” the virtual switch’s adapter with the management operating system:
How to Use Physical NIC Teaming with the Hyper-V Virtual Switch
As of Windows Server 2012, network adapter teaming is now a native function of the Windows Server operating system. Teaming allows you combine two or more adapters into a single logical communications channel to distribute network traffic. Hyper-V Server can also team physical adapters.
When a teamed adapter is created, the individual adapters still appear in Windows but, in a fashion very similar to the virtual switch, can no longer be bound to anything except the teaming protocol. When the team is created, a new adapter is presented to the operating system. It would be correct to call this adapter “virtual”, since it doesn’t physically exist, but that can cause confusion with the virtual adapters used with the Hyper-V virtual switch. More common terms are team adapter or logical adapter, and sometimes the abbreviation tNIC is used.
Because teaming is not a central feature or requirement of Hyper-V, it won’t be discussed in detail here. Hyper-V does utilize native adapter teaming to great effect and, therefore, it should be used whenever possible. As a general rule, you should choose the Dynamic load balancing algorithm unless you have a clearly defined overriding need; it combines the best features of the Hyper-V Port and Transport Ports algorithms. As for whether or not to use the switch independent teaming mode or one of the switch dependent modes, that is a deeper discussion that involves balancing your goals against the capabilities of the hardware that is available to you. For a much deeper treatment of the subject of teaming with Hyper-V, consult the following articles in the Altaro blog:
How to Set Up a Native Team in Hyper-V Server 2012 – This article is mostly focused on the “how-to”. It was written too early to include a discussion of the new Dynamic algorithm. You can choose it as an alternative to the Hyper-V Port and hash algorithms.
Load-Balancing Algorithms – This article includes a complete discussion of all of the available load-balancing algorithms.
[thrive_leads id=’17165′]
Hyper-V and Network Convergence
Network convergence simply means that multiple traffic types are combined in a single communications channel. To a certain degree, Hyper-V always does this since several virtual machines use the same virtual switch, therefore the same network hardware. However, that could all technically be classified under a single heading of “virtual machine traffic”, so it’s not quite convergence.
In the Hyper-V space, true convergence would include at least one other role and it would include at least two physical network adapters. The simplest way to achieve this is by teaming two or more adapters as talked about in the preceding section and then creating a virtual switch atop the team adapter. When the virtual switch is created, use the “share” option or PowerShell to create a virtual adapter for the management operating system as well. If that adapter is used for anything in the management operating system, then that is considered convergence. Other possible roles will be discussed later on.
While the most common convergence typically binds all adapters of the same speed into a single channel, that’s not a requirement. You may use one team for virtual machine traffic and another for the management operating system if you wish.
Hyper-V and Networking within a Cluster
Failover Clustering has its own special networking needs, and Hyper-V extends those requirements further. Each node begins with the same requirements as a standalone Hyper-V system: one management adapter and a virtual switch. A cluster adds the need for cluster-related traffic and Live Migration.
In versions prior to 2012, the only supported configuration required that all of these roles be separated into unique gigabit connections. With the enhancements introduced in 2012 and 2012 R2, these requirements are much more relaxed. There aren’t any published requirements with the new versions (although it could be argued that the requirements for 2008 R2 were never officially superseded, so they are technically still enforced). In practice, it’s been observed that it is absolutely necessary for there to be at least two unique cluster paths, but the rest can be adjusted up or down depending on your workloads.
The following describes each role and gives a brief description of its traffic:
Management: This role will carry all traffic for host-level backups and any host-related file sharing activities, such as accessing or copying ISO images from a remote system. During other periods, this role usually does not experience a heavy traffic load. The typical usage is for remote management traffic, such as RDP and WS-Man (PowerShell), which are very light.
Cluster Communications: Each node in the cluster continually communicates with all the other nodes in a mesh pattern to ensure that the cluster is still in operation. This operation is commonly known as the “heartbeat”, although network configuration information is also traded. Heartbeat traffic is typically very light, but it is extremely sensitive to latency. If it does not have a dedicated network, it can easily be drowned out by other operations, such as large file copies, which will cause nodes to lose quorum and fail over virtual machines even though nothing is technically wrong.
Cluster Shared Volumes: CSV traffic is not a unique role; it travels as part of standard cluster communications. When all is well, CSV traffic is fairly minimal, only passing CSV metadata information between the nodes. If a CSV goes into Redirected Access mode, then all traffic to and from that CSV will be handled by the owner node. If any other node needs to access that CSV, it will do so over a cluster network. The cluster will ensure that the normal cluster communications, such as heartbeat, are not sacrificed, but any struggles for bandwidths will cause virtual machines to perform poorly – and possibly crash. If your cluster does not use CSVs, then this traffic is not a concern.
Live Migration: Without constraints, a Live Migration operation will use up as much bandwidth as it can. The typical configuration provides a dedicated adapter for this role. With converged networking, the requirement is not as strict.
Virtual Machine traffic: VM traffic is arguably the most important in the cluster, but it also tends to not be excessively heavy. The traditional approach is to dedicate at least one adapter to the virtual switch.
While legacy builds simply separated these onto unique, dedicated gigabit pipes, you now have more options at your disposal.
SMB Enhancements for Cluster Communications
Cluster communications have always used the SMB protocol. The SMB protocol was upgraded substantially in 2012 and now has the ability to multichannel. This feature will auto-negotiate between the source and destination host and will automatically spread SMB traffic across all available adapters.
Whereas it used to be necessary to set networks for cluster communications and then modify metric assignments to guide traffic, the preferred approach in 2012 R2 is to simply designate two or more networks as cluster networks. The hosts will automatically balance traffic loads.
SMB Enhancements for Live Migration
If the cluster’s nodes are all set to use SMB for Live Migration, then it will take advantage of the same SMB enhancements that the standard cluster communications use. In this way, management traffic, cluster communications traffic, and Live Migration could all be run across only two distinct networks instead of two. This is potentially risky, especially if Redirected Access mode is triggered.
Converged Networking Benefits for Clustering
By using converged networks, you gain substantially more options with less hardware. SMB multichannel divides traffic across distinct networks – that is, unique subnets. By using converged networks, you can create more subnets than you have physical adapters.
This is especially handy for 10GbE adapters since few hosts will have more than two. It also has its place on 1GbE networks. You can simply combine all physical adapters into one single large team and create the same number of logical networks that you would have for a traditional role, but enable each of them for cluster communications and Live Migration. This way, SMB multichannel will be able to automatically load balance its needs. Remember that even with converged networking, it’s best to not combine all roles onto a single virtual or teamed adapter. SMB multichannel requires distinct subnets to perform its role and teaming balances some traffic according to the virtual adapter.
Quality of Service Benefits for Clustering
While the concern is rarely manifested, it is technically possible for one traffic type to fully consume a converged team. There are a number of QoS (Quality of Service) options available to prevent this from occurring. You can specifically limit SMB and/or Live Migration traffic and set maximums and minimums on virtual adapters.
Before you spend much time investigating these options, be aware that most deployments do not require this degree of control and will perform perfectly well with defaults. Hyper-V will automatically work to maintain a balance of traffic that does not completely drown out any particular virtual network adapter. Because the complexity of configuring QoS outweighs its benefits in the typical environment, this topic will not be investigated in this series. The most definitive work on the subject is available on TechNet.
How to Design Cluster Networks for Hyper-V
The one critical concept is that cluster networks are defined by TCP/IP subnet. The cluster service will detect every IP address and subnet mask on each node. From those, it will create a network for each unique subnet that it finds. If any node has more than one IP address in a subnet, the cluster service will use one and ignore the rest unless the first is removed. If the service finds networks that only some nodes have IP addresses for, the network will be marked as partitioned. A network will also be marked as partitioned if cluster communications are allowed but there are problems with inter-node traffic flow. The following diagram shows some sample networks and how clustering will detect them.
In the illustration, the only valid network is Cluster Network 2. The worst is Cluster Network 4. Due to the way the subnet is configured, it overlaps with all of the other networks. The cluster service will automatically lock the node 2 adapter with IP address 192.168.5.11 out of cluster communications and mark the network as None to indicate that it is disallowed for cluster communications.
Before building your cluster, determine the IP subnets that you’ll be using. It’s perfectly acceptable to create all-new networks if necessary. For cluster communications, the nodes will not intentionally communicate with anything other than the nodes in the same cluster. The minimum number of unique networks is two. One must be marked to allow client and cluster communications; this is the management network. One must be marked to allow cluster communications (client communications optional but not recommended). Further networks are optional, but will grant the cluster the opportunity to create additional TCP streams which can help with load-balancing across teamed adapters.
Hyper-V Networking Best Practices – Configuration in Practice
There isn’t any single “correct” way to configure networking in Hyper-V any more than there is a single “correct” way to configure a physical network. This section is going to work through a number of best practices and procedures to show you how things are done and provide guidance where possible. The best advice that anyone can give you is to not overthink it. Very few virtual machines will demand a great deal of networking bandwidth.
There are a few best practices to help you make some basic configuration decisions:
A converged network results in the best overall bandwidth distribution. It is extremely rare to have any situation in which a single network role will be utilizing an entire gigabit connection constantly. By dedicating one or more adapters to a single role, you prevent any other role from using that adapter, even when its owning role is idle.
A single TCP/IP stream can only use a single physical link. One of the most confusing things about teaming that new-comers face is that combining multiple links into a single team does not automatically mean that all traffic will automatically use all available links. It means that different communications streams will be balanced across available. Or, to make that more clear, you need at least four different communications streams to fully utilize four adapters in a team.
Avoid using iSCSI or SMB 3 directly with teaming. It is supported for both, but it is less efficient than using MPIO (for iSCSI) or SMB multichannel. It is supported to have multiple virtual network adapters on a team that are configured for iSCSI or SMB multichannel. However, you will always get the best performance for network storage by using unteamed adapters that are not bound to a virtual switch. This article explains how to configure MPIO.
If iSCSI and/or SMB connections are made through virtual adapters on a converged team, they will establish only one connection per unique IP address. Create multiple virtual adapters in order to enable MPIO and/or SMB multichannel.
For Failover Clustering, plan in advance what IP range you want to use for each role. For example:
Management: 192.168.10.0/24
Cluster communications/CSV: 192.168.15.0/24
Live Migration: 192.168.20.0/24
SMB network 1: 192.168.30.0/24
SMB network 2: 192.168.31.0/24
The only adapter in the management operating system that should have a default gateway is the management adapter. Assigning default gateways to other adapters will cause the system unnecessary difficulty when choosing outbound connections.
If cluster nodes have adapters that will only be used to communicate with back-end storage (iSCSI or SMB), exclude their networks from participating in cluster communications.
Only the management adapter should register itself in DNS.
Except for the one created by checking Allow the management operating system to share this network adapter, you cannot use the GUI to create virtual network adapters for the management operating system’s use.
You cannot use the GUI to establish a QoS policy for the virtual switch. The only time this policy can be selected is during switch creation.
If desired, virtual machines can have their IP addresses in the same range as any of the cluster roles. Failover Clustering does not see the ranges in use by virtual machines and will not collide with them.
The management operating system will allow you to team network adapters with different feature sets and even different speeds, but it is highly recommended that you not do this. Different features can result in odd behaviors as communication are load balanced. The system balances loads in round-robin fashion, not based on adapter characteristics (for instance, it will not prioritize a 10GbE link over a 1GbE link).
Networking QoS only applies to outbound communications. Inbound traffic will flow as quickly as it is delivered and can be processed.
10GbE links have the ability to outpace the processing capabilities of the virtual switch. A single virtual adapter or communications stream may top out at speeds as low as 3.5 Gbps, depending upon the processing power of the CPU. Balanced loads will be able to consume the entire 10GbE link, especially when offloading technologies, primarily VMQ, are in place and functional.
When teaming, choose the Dynamic load balancing algorithm unless you have a definite, verifiable reason not to. Do not prefer the Hyper-V Port mode simply based on its name; Dynamic combines the best aspects of the Hyper-V Port and Hash modes.
You can use iSCSI on a virtual machine’s virtual adapter(s) to connect it/them directly to network storage. You will have better performance and access to more features by connecting from the host and exposing storage to the guests through a VHDX. Virtual machines can have multiple network adapters, which enables you to connect the same virtual machine to different VLANs and subnets.
Avoid the creation of multiple virtual switches. Some other hypervisors require the administrator to create multiple virtual switches and attach them to the same hardware. Hyper-V allows only a single virtual switch per physical adapter or team. Likewise, it is not advisable to segregate physical adapters, whether standalone or in separate teams, for the purpose of hosting multiple virtual switches. It is more efficient to combine them into a single large team. The most common exception to this guideline is in situations where physical isolation of networks is required.
If your system is running a GUI edition of Windows Server, you can configure TCP/IP for all adapters using the traditional graphical tools. For all versions, you can also use sconfig.cmd for a guided process. This section shows how to perform these tasks using PowerShell. To keep the material as concise as possible, not all possible options will be shown. Refer to the introductory PowerShell article for assistance on using discovering the capabilities of cmdlets using Get-Help and other tools.
See Adapter Status (and Names to Use in Other Cmdlets)
Get-NetAdapter
Rename a Physical or Team Adapter
Rename-NetAdapter Name CurrentName NewName NewName
One final option that you may wish to consider is setting Jumbo Frames on your virtual adapters. A Jumbo Frame is any TCP/IP packet that exceeds the base size of 1514 bytes. It’s most commonly used for iSCSI connections, but can also help a bit with SMB 3 and Live Migration traffic. It’s not useful at all for traffic crossing the Internet and most regular LAN traffic doesn’t benefit much from it either. If you’d like to use it, the following post explains it in detail: https://www.altaro.com/hyper-v/how-to-adjust-mtu-jumbo-frames-on-hyper-v-and-windows-server-2012/. That particular article was written for 2012. The virtual switch in 2012 R2 has Jumbo Frames enabled by default, so you only need to follow the portions that explain how to set it on your physical and virtual adapters.
Configuring Virtual Switches and Virtual Adapters
All of the graphical tools for creating a virtual switch and setting up a single virtual adapter for the management operating system were covered in this previous article in the series. You cannot use the graphical tools to create any further virtual adapters for use by the management operating system. You also must use PowerShell to create your virtual switch if you want to control its QoS policy. The following PowerShell commands deal with the virtual switch and its adapters.
There are several things to note about this particular cmdlet:
The “InterfaceAlias” parameter shown above is actually an alias for “NetAdapterName”. The alias was chosen here because it aligns with the parameter name and output of Get-NetAdapter.
The cmdlet was typed with “vSwitch” as the virtual switch’s name, but you’re allowed to use anything you like. If your chosen name has a space in it, you must enclose it in single or double quotes.
If you do not specify the “AllowManagementOS” parameter or if you set it to true, it will automatically create a virtual adapter for the management operating system with the same name as the virtual switch. Skipping this automatic creation gives you greater control over creating and setting your own virtual adapters.
If you do not wish to enable SR-IOV on your virtual switch, it is not necessary to specify that parameter at all. It is shown here as a reminder that if you’re going to set it, you must set it when the switch is created. You cannot change this later.
The help documentation for Get-VMSwitch indicates that the default for “MinimumBandwidthMode” is “Weight”. This is incorrect. The default mode is “Absolute”. As with SR-IOV support, you cannot modify this setting after the switch is created.
Create a Private Virtual Switch
New-VMSwitch Name Isolated SwitchType Private MinimumBandwidthMode Weight
Many of the notes from the creation of the external switch apply here as well. The “EnableIOV” switch is not applicable to a private or internal switch at all. The “AllowManagementOS” switch is redundant: if the switch type is “Private” then no virtual adapter is created; if the switch type is “Internal”, then one is created. Adding one virtual adapter to the management OS on a Private switch will convert it to internal; removing all management OS virtual adapters from an Internal switch will make it Private.
Permanently Remove a Virtual Switch
Remove-VMSwitch Name vSwitch
This operation is permanent. The entire switch and all of its settings are lost. All virtual adapters in the management operating system on this switch are permanently lost. Virtual adapters in virtual machines connected to this switch are disconnected.
Add a Virtual Adapter to the Management OS
Add-VMNetworkAdapter ManagementOS SwitchName vSwitch Name 'New vAdapter'
The first thing to note is that, for some reason, this cmdlet uses “Add” instead of the normal “New” verb for creating a new object. Be aware that this new adapter will show up in Get-NetAdapter entries as vEthernet (New vAdapter) and that is the name that you’ll use for all such non-Hyper-V cmdlets. Use the same cmdlets from the previous section to configure
Retrieve a List of Virtual Adapters in the Management OS
Get-VMNetworkAdapter –ManagementOS
Rename a Virtual Adapter in the Management OS
Rename-VMNetworkAdapter ManagementOS Name CurrentName NewName NewName
How to Set VLAN Information for Hyper-V Virtual Adapters
Adapters for the management operating system and virtual machines can be assigned to VLANs. When this occurs, the Hyper-V virtual switch will handle the 802.1q tagging process for communications across the virtual switches and for packets to and from physical switches. As shown in the article on Virtual Machine settings, you can use Hyper-V Manager to change the VLAN for any of the adapters attached to virtual machines. You can only use PowerShell to change the VLAN for virtual adapters in the management operating system.
Retrieve the VLAN Assignments for All Virtual Adapters on the Host
GetVMNetworkAdapterVlan
You can use the “ManagementOS” parameter to see only adapters in the management operating system. You can use the “VMName” parameter with an asterisk to see only adapters attached to virtual machines.
Set the VLAN for a Virtual Adapter in the Management Operating System
Remove VLAN Tagging from all of a Virtual Machine’s Adapters
Set-VMNetworkAdapterVlan -VMName svtest –Untagged
If a virtual machine has more than one virtual adapter and you’d like to operate on it separately, that might require a bit more work. When the GUI is used to create virtual adapters for a virtual machine, they are always named Network Adapter, even if there are several. So, you’ll have to use PowerShell to rename them as they are created or you won’t be able to use the “VMNetworkAdapterName” to distinguish them. Instead, you can use Get-VMNetworkAdapter to locate other distinguishing features and pipe the output to cmdlets that accept VMNetworkAdapter objects. For example, you want to change the VLAN of only one adapter attached to the virtual machine named “svtest”. By using the tools inside the guest operating system, you’ve determined that the MAC address of the adapter you want to change is “00-15-5D-19-0A-24”. With the MAC address, you can change the VLAN of only that adapter by using the following PowerShell construct:
It is possible to use PowerShell to configure networking for your Failover Cluster, but it’s very inelegant with the current status of those cmdlets. At this time, they are not well-configured, so you must directly manipulate object property values and registry settings in fashions that are risky and error-prone. It is much preferred that you use Failover Cluster Manager to make these settings as explained in this article earlier on in the series.
Continue Exploring Networking
There’s a lot to digest in Hyper-V virtual networking. What you’ve seen so far truly is only the fundamentals. For a relatively simplistic deployment with no more than a few dozen virtual machines, you might not ever need any more information. As densities start to climb, the need to more closely tune networking increases. With gigabit adapters, your best option is to scale out. 10GbE adapters allow you to overcome physical CPU limitations with a number of offloading techniques, chief among these being VMQ. Begin your research on that topic by starting with the definitive article series on the subject, VMQ Deep Dive.
Otherwise, your best next steps are to practice with the PowerShell cmdlets. For example, learn how to use Set-VMNetworkAdapter to modify virtual adapters in similar fashion to the procedures you saw in the earlier GUI articles. With a little effort, you’ll be able to change groups of adapters at once. Hyper-V’s networking may be multi-faceted and complicated, but the level of control granted to you is equally vast.
Microsoft says the Windows 11 2022 Update is breaking provisioning, leaving Windows 11 enterprise endpoints partially configured and failing to finish installing.
According to Microsoft, this known issue most likely affects provisioning packages (.PPKG files used to configure new endpoints on enterprise or school networks without imaging) during the initial setup phase.
“Using provisioning packages on Windows 11, version 22H2 (also called Windows 11 2022 Update) might not work as expected,” Redmond explained.
“Windows might only be partially configured, and the Out Of Box Experience might not finish or might restart unexpectedly.”
Microsoft added that this issue would not impact IT administrators provisioning Windows devices on their network. The list of unaffected devices also includes Windows systems used in home or small office networks.
Windows admins have been experiencing provisioning problems for more than a week, as confirmed by multiple reports on Microsoft’s Q&A platform.
“Sadly that is true, packages working fine on 21H2 but fail miserably on 22H2 with error 0x800700b7,” one report reads.
“Seems that the package gets indeed installed, just not processed and then errors out for whatever reason.”
Installing Windows 11 provisioning packages (Microsoft)
Workaround available
Microsoft says it’s currently investigating this newly acknowledged issue and will provide an update with an upcoming release.
Until an official fix for these provisioning problems is available, Redmond suggests provisioning end-user devices before the Windows 11 22H2 upgrade.
“If you can provision the Windows device before upgrading to Windows 11, version 22H2, this will prevent the issue,” Microsoft said.
The company is also investigating user reports of issues with Remote Desktop after installing the Windows 11 22H2 update, causing Remote Desktop clients not to connect, randomly disconnect, or freeze without warning.
Microsoft has also added compatibility holds to block the Windows 11 2022 Update on some systems due to printer issues or blue screens.
Since Tuesday, October 4, Windows 11 22H2 has entered a new deployment phase as it is now available to all seekers on eligible devices.
Actions to Help Protect Against APT Cyber Activity:
• Enforce multifactor authentication (MFA) on all user accounts. • Implement network segmentation to separate network segments based on role and functionality. • Update software, including operating systems, applications, and firmware, on network assets. • Audit account usage.
From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization’s enterprise network. During incident response activities, CISA uncovered that likely multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data.
This joint Cybersecurity Advisory (CSA) provides APT actors tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) identified during the incident response activities by CISA and a third-party incident response organization. The CSA includes detection and mitigation actions to help organizations detect and prevent related APT activity. CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) recommend DIB sector and other critical infrastructure organizations implement the mitigations in this CSA to ensure they are managing and reducing the impact of cyber threats to their networks.
Download the PDF version of this report: pdf, 692 KB
For a downloadable copy of IOCs, see the following files:
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 11. See the MITRE ATT&CK Tactics and Techniques section for a table of the APT cyber activity mapped to MITRE ATT&CK for Enterprise framework.
From November 2021 through January 2022, CISA conducted an incident response engagement on a DIB Sector organization’s enterprise network. The victim organization also engaged a third-party incident response organization for assistance. During incident response activities, CISA and the trusted –third-party identified APT activity on the victim’s network.
Some APT actors gained initial access to the organization’s Microsoft Exchange Server as early as mid-January 2021. The initial access vector is unknown. Based on log analysis, the actors gathered information about the exchange environment and performed mailbox searches within a four-hour period after gaining access. In the same period, these actors used a compromised administrator account (“Admin 1”) to access the EWS Application Programming Interface (API). In early February 2021, the actors returned to the network and used Admin 1 to access EWS API again. In both instances, the actors used a virtual private network (VPN).
Four days later, the APT actors used Windows Command Shell over a three-day period to interact with the victim’s network. The actors used Command Shell to learn about the organization’s environment and to collect sensitive data, including sensitive contract-related information from shared drives, for eventual exfiltration. The actors manually collected files using the command-line tool, WinRAR. These files were split into approximately 3MB chunks located on the Microsoft Exchange server within the CU2\he\debug directory. See Appendix: Windows Command Shell Activity for additional information, including specific commands used.
During the same period, APT actors implanted Impacket, a Python toolkit for programmatically constructing and manipulating network protocols, on another system. The actors used Impacket to attempt to move laterally to another system.
In early March 2021, APT actors exploited CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to install 17 China Chopper webshells on the Exchange Server. Later in March, APT actors installed HyperBro on the Exchange Server and two other systems. For more information on the HyperBro and webshell samples, see CISA MAR-10365227-2 and -3.
In April 2021, APT actors used Impacket for network exploitation activities. See the Use of Impacket section for additional information. From late July through mid-October 2021, APT actors employed a custom exfiltration tool, CovalentStealer, to exfiltrate the remaining sensitive files. See the Use of Custom Exfiltration Tool: CovalentStealer section for additional information.
APT actors maintained access through mid-January 2022, likely by relying on legitimate credentials.
Use of Impacket
CISA discovered activity indicating the use of two Impacket tools: wmiexec.py and smbexec.py. These tools use Windows Management Instrumentation (WMI) and Server Message Block (SMB) protocol, respectively, for creating a semi-interactive shell with the target device. Through the Command Shell, an Impacket user with credentials can run commands on the remote device using the Windows management protocols required to support an enterprise network.
The APT cyber actors used existing, compromised credentials with Impacket to access a higher privileged service account used by the organization’s multifunctional devices. The threat actors first used the service account to remotely access the organization’s Microsoft Exchange server via Outlook Web Access (OWA) from multiple external IP addresses; shortly afterwards, the actors assigned the Application Impersonation role to the service account by running the following PowerShell command for managing Exchange:
This command gave the service account the ability to access other users’ mailboxes.
The APT cyber actors used virtual private network (VPN) and virtual private server (VPS) providers, M247 and SurfShark, as part of their techniques to remotely access the Microsoft Exchange server. Use of these hosting providers, which serves to conceal interaction with victim networks, are common for these threat actors. According to CISA’s analysis of the victim’s Microsoft Exchange server Internet Information Services (IIS) logs, the actors used the account of a former employee to access the EWS. EWS enables access to mailbox items such as email messages, meetings, and contacts. The source IP address for these connections is mostly from the VPS hosting provider, M247.
Use of Custom Exfiltration Tool: CovalentStealer
The threat actors employed a custom exfiltration tool, CovalentStealer, to exfiltrate sensitive files.
CovalentStealer is designed to identify file shares on a system, categorize the files, and upload the files to a remote server. CovalentStealer includes two configurations that specifically target the victim’s documents using predetermined files paths and user credentials. CovalentStealer stores the collected files on a Microsoft OneDrive cloud folder, includes a configuration file to specify the types of files to collect at specified times and uses a 256-bit AES key for encryption. See CISA MAR-10365227-1 for additional technical details, including IOCs and detection signatures.
MITRE ATT&CK Tactics and Techniques
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. CISA uses the ATT&CK Framework as a foundation for the development of specific threat models and methodologies. Table 1 lists the ATT&CK techniques employed by the APT actors.
Actors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. In this case, they exploited an organization’s multifunctional device domain account used to access the organization’s Microsoft Exchange server via OWA.
Actors abused PowerShell commands and scripts to map shared drives by specifying a path to one location and retrieving the items from another. See Appendix: Windows Command Shell Activity for additional information.
Command and Scripting Interpreter: Windows Command Shell
Actors abused the Windows Command Shell to learn about the organization’s environment and to collect sensitive data. See Appendix: Windows Command Shell Activity for additional information, including specific commands used.The actors used Impacket tools, which enable a user with credentials to run commands on the remote device through the Command Shell.
Actors executed malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths.
Actors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Actors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. In this case, they exploited an organization’s multifunctional device domain account used to access the organization’s Microsoft Exchange server via OWA.
Actors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. In this case, they exploited an organization’s multifunctional device domain account used to access the organization’s Microsoft Exchange server via OWA.
Actors used Windows command shell commands to detect and avoid virtualization and analysis environments. See Appendix: Windows Command Shell Activity for additional information.
Actors used the taskkill command to probably disable security features. CISA was unable to determine which application was associated with the Process ID.
Actors used the systeminfo command to look for details about the network configurations and settings and determine if the system was a VMware virtual machine.The threat actor used route print to display the entries in the local IP routing table.
System Network Configuration Discovery: Internet Connection Discovery
Actors checked for internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways.
Actors attempted to identify the primary user, currently logged in user, set of users that commonly use a system, or whether a user is actively using the system.
Actors used the tasklist command to get information about running processes on a system and determine if the system was a VMware virtual machine.The actors used tasklist.exe and find.exe to display a list of applications and services with their PIDs for all tasks running on the computer matching the string “powers.”
Actors used the ipconfig command to get detailed information about the operating system and hardware and determine if the system was a VMware virtual machine.
Actors likely used net share command to display information about shared resources on the local computer and decide which directories to exploit, the powershell dircommand to map shared drives to a specified path and retrieve items from another, and the ntfsinfo command to search network shares on computers they have compromised to find files of interest.The actors used dir.exe to display a list of a directory’s files and subdirectories matching a certain text string.
Actors used a non-application layer protocol for communication between host and Command and Control (C2) server or among infected hosts within a network.
Actors used the certutil command with three switches to test if they could download files from the internet.The actors employed CovalentStealer to exfiltrate the files.
Actors scheduled data exfiltration to be performed only at certain times of day or at certain intervals and blend traffic patterns with normal activity.
Exfiltration Over Web Service: Exfiltration to Cloud Storage
The actor’s CovalentStealer tool stores collected files on a Microsoft OneDrive cloud folder.
DETECTION
Given the actors’ demonstrated capability to maintain persistent, long-term access in compromised enterprise environments, CISA, FBI, and NSA encourage organizations to:
Monitor logs for connections from unusual VPSs and VPNs. Examine connection logs for access from unexpected ranges, particularly from machines hosted by SurfShark and M247.
Monitor for suspicious account use (e.g., inappropriate or unauthorized use of administrator accounts, service accounts, or third-party accounts). To detect use of compromised credentials in combination with a VPS, follow the steps below:
Review logs for “impossible logins,” such as logins with changing username, user agent strings, and IP address combinations or logins where IP addresses do not align to the expected user’s geographic location.
Search for “impossible travel,” which occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses in the time between logins). Note: This detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting to networks.
Search for one IP used across multiple accounts, excluding expected logins.
Take note of any M247-associated IP addresses used along with VPN providers (e.g., SurfShark). Look for successful remote logins (e.g., VPN, OWA) for IPs coming from M247- or using SurfShark-registered IP addresses.
Identify suspicious privileged account use after resetting passwords or applying user account mitigations.
Search for unusual activity in typically dormant accounts.
Search for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity.
Review the YARA rules provided in MAR-10365227-1 to assist in determining whether malicious activity has been observed.
Monitor for the installation of unauthorized software, including Remote Server Administration Tools (e.g., psexec, RdClient, VNC, and ScreenConnect).
Monitor for anomalous and known malicious command-line use. See Appendix: Windows Command Shell Activity for commands used by the actors to interact with the victim’s environment.
Monitor for unauthorized changes to user accounts (e.g., creation, permission changes, and enabling a previously disabled account).
CONTAINMENT AND REMEDIATION
Organizations affected by active or recently active threat actors in their environment can take the following initial steps to aid in eviction efforts and prevent re-entry:
Report the incident. Report the incident to U.S. Government authorities and follow your organization’s incident response plan.
Report incidents to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870).
For DIB incident reporting, contact the Defense Cyber Crime Center (DC3) via DIBNET at dibnet.dod.mil/portal/intranet or (410) 981 0104.
Reset all login accounts. Reset all accounts used for authentication since it is possible that the threat actors have additional stolen credentials. Password resets should also include accounts outside of Microsoft Active Directory, such as network infrastructure devices and other non-domain joined devices (e.g., IoT devices).
Monitor SIEM logs and build detections. Create signatures based on the threat actor TTPs and use these signatures to monitor security logs for any signs of threat actor re-entry.
Enforce MFA on all user accounts. Enforce phishing-resistant MFA on all accounts without exception to the greatest extent possible.
Audit accounts and permissions. Audit all accounts to ensure all unused accounts are disabled or removed and active accounts do not have excessive privileges. Monitor SIEM logs for any changes to accounts, such as permission changes or enabling a previously disabled account, as this might indicate a threat actor using these accounts.
Mitigation recommendations are usually longer-term efforts that take place before a compromise as part of risk management efforts, or after the threat actors have been evicted from the environment and the immediate response actions are complete. While some may be tailored to the TTPs used by the threat actor, recovery recommendations are largely general best practices and industry standards aimed at bolstering overall cybersecurity posture.
Segment Networks Based on Function
Implement network segmentation to separate network segments based on role and functionality. Proper network segmentation significantly reduces the ability for ransomware and other threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. (See CISA’s Infographic on Layering Network Security Through Segmentation and NSA’s Segment Networks and Deploy Application-Aware Defenses.)
Isolate similar systems and implement micro-segmentation with granular access and policy restrictions to modernize cybersecurity and adopt Zero Trust (ZT) principles for both network perimeter and internal devices. Logical and physical segmentation are critical to limiting and preventing lateral movement, privilege escalation, and exfiltration.
Manage Vulnerabilities and Configurations
Update software, including operating systems, applications, and firmware, on network assets. Prioritize patching known exploited vulnerabilities and critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
Implement a configuration change control process that securely creates device configuration backups to detect unauthorized modifications. When a configuration change is needed, document the change, and include the authorization, purpose, and mission justification. Periodically verify that modifications have not been applied by comparing current device configurations with the most recent backups. If suspicious changes are observed, verify the change was authorized.
Search for Anomalous Behavior
Use cybersecurity visibility and analytics tools to improve detection of anomalous behavior and enable dynamic changes to policy and other response actions. Visibility tools include network monitoring tools and host-based logs and monitoring tools, such as an endpoint detection and response (EDR) tool. EDR tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
Monitor the use of scripting languages (e.g., Python, Powershell) by authorized and unauthorized users. Anomalous use by either group may be indicative of malicious activity, intentional or otherwise.
Restrict and Secure Use of Remote Admin Tools
Limit the number of remote access tools as well as who and what can be accessed using them. Reducing the number of remote admin tools and their allowed access will increase visibility of unauthorized use of these tools.
Use encrypted services to protect network communications and disable all clear text administration services(e.g., Telnet, HTTP, FTP, SNMP 1/2c). This ensures that sensitive information cannot be easily obtained by a threat actor capturing network traffic.
Implement a Mandatory Access Control Model
Implement stringent access controls to sensitive data and resources. Access should be restricted to those users who require access and to the minimal level of access needed.
Audit Account Usage
Monitor VPN logins to look for suspicious access (e.g., logins from unusual geo locations, remote logins from accounts not normally used for remote access, concurrent logins for the same account from different locations, unusual times of the day).
Closely monitor the use of administrative accounts. Admin accounts should be used sparingly and only when necessary, such as installing new software or patches. Any use of admin accounts should be reviewed to determine if the activity is legitimate.
Ensure standard user accounts do not have elevated privileges Any attempt to increase permissions on standard user accounts should be investigated as a potential compromise.
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, CISA, FBI, and NSA recommend exercising, testing, and validating your organization’s security program against threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA, FBI, and NSA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Table 1).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze the performance of your detection and prevention technologies.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
CISA, FBI, and NSA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
RESOURCES
CISA offers several no-cost scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See cisa.gov/cyber-hygiene-services.
U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.
ACKNOWLEDGEMENTS
CISA, FBI, and NSA acknowledge Mandiant for its contributions to this CSA.
APPENDIX: WINDOWS COMMAND SHELL ACTIVITY
Over a three-day period in February 2021, APT cyber actors used Windows Command Shell to interact with the victim’s environment. When interacting with the victim’s system and executing commands, the threat actors used /q and /c parameters to turn the echo off, carry out the command specified by a string, and stop its execution once completed.
On the first day, the threat actors consecutively executed many commands within the Windows Command Shell to learn about the organization’s environment and to collect sensitive data for eventual exfiltration (see Table 2).
Command
Description / Use
net share
Used to create, configure, and delete network shares from the command-line.[1] The threat actor likely used this command to display information about shared resources on the local computer and decide which directories to exploit.
powershell dir
An alias (shorthand) for the PowerShell Get-ChildItem cmdlet. This command maps shared drives by specifying a path to one location and retrieving the items from another.[2] The threat actor added additional switches (aka options, parameters, or flags) to form a “one liner,” an expression to describe commonly used commands used in exploitation: powershell dir -recurse -path e:\<redacted>|select fullname,length|export-csv c:\windows\temp\temp.txt. This particular command lists subdirectories of the target environment when.
systeminfo
Displays detailed configuration information [3], tasklist – lists currently running processes [4], and ipconfig – displays all current Transmission Control Protocol (TCP)/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings, respectively [5]. The threat actor used these commands with specific switches to determine if the system was a VMware virtual machine: systeminfo > vmware & date /T, tasklist /v > vmware & date /T, and ipconfig /all >> vmware & date /.
route print
Used to display and modify the entries in the local IP routing table. [6] The threat actor used this command to display the entries in the local IP routing table.
netstat
Used to display active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics, and IPv6 statistics.[7] The threat actor used this command with three switches to display TCP connections, prevent hostname determination of foreign IP addresses, and specify the protocol for TCP: netstat -anp tcp.
certutil
Used to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.[8] The threat actor used this command with three switches to test if they could download files from the internet: certutil -urlcache -split -f https://microsoft.com temp.html.
ping
Sends Internet Control Message Protocol (ICMP) echoes to verify connectivity to another TCP/IP computer.[9] The threat actor used ping -n 2 apple.com to either test their internet connection or to detect and avoid virtualization and analysis environments or network restrictions.
taskkill
Used to end tasks or processes.[10] The threat actor used taskkill /F /PID 8952 to probably disable security features. CISA was unable to determine what this process was as the process identifier (PID) numbers are dynamic.
PowerShell Compress-Archive cmdlet
Used to create a compressed archive or to zip files from specified files and directories.[11] The threat actor used parameters indicating shared drives as file and folder sources and the destination archive as zipped files. Specifically, they collected sensitive contract-related information from the shared drives.
On the second day, the APT cyber actors executed the commands in Table 3 to perform discovery as well as collect and archive data.
Command
Description / Use
ntfsinfo.exe
Used to obtain volume information from the New Technology File System (NTFS) and to print it along with a directory dump of NTFS meta-data files.[12]
WinRAR.exe
Used to compress files and subsequently masqueraded WinRAR.exe by renaming it VMware.exe.[13]
On the third day, the APT cyber actors returned to the organization’s network and executed the commands in Table 4.
Command
Description / Use
powershell -ep bypass import-module .\vmware.ps1;export-mft -volume e
Threat actors ran a PowerShell command with parameters to change the execution mode and bypass the Execution Policy to run the script from PowerShell and add a module to the current section: powershell -ep bypass import-module .\vmware.ps1;export-mft -volume e. This module appears to acquire and export the Master File Table (MFT) for volume E for further analysis by the cyber actor.[14]
set.exe
Used to display the current environment variable settings.[15] (An environment variable is a dynamic value pointing to system or user environments (folders) of the system. System environment variables are defined by the system and used globally by all users, while user environment variables are only used by the user who declared that variable and they override the system environment variables (even if the variables are named the same).
dir.exe
Used to display a list of a directory’s files and subdirectories matching the eagx* text string, likely to confirm the existence of such file.
tasklist.exe and find.exe
Used to display a list of applications and services with their PIDs for all tasks running on the computer matching the string “powers”.[16][17][18]
ping.exe
Used to send two ICMP echos to amazon.com. This could have been to detect or avoid virtualization and analysis environments, circumvent network restrictions, or test their internet connection.[19]
del.exe with the /f parameter
Used to force the deletion of read-only files with the *.rar and tempg* wildcards.[20]
In this article, we are going to start by describing what the Windows Firewall feature is and what it is used for. This information will then allow you to enable and manage the Windows Firewall on your Windows PC or laptop. We will cover all the different versions of the Windows operating system that are currently supported by the Secure Remote Worker Validation Tool.
Lets first describe what a firewall actually is.
What is a firewall?
A firewall can be either a physical hardware device, software-based application that you install on your PC, or in the case of the Windows Firewall, an integrated feature of the operating system that is designed to protect your PC against the attack of malicious files. The firewall checks information and data sent across the internet or other networks to your PC. If the firewall detects that the information may contain malicious files then it will block them from reaching your PC, therefore protecting your PC from that threat. Equally, it can prevent you PC sending malicious content to other PCs.
Windows Firewall is an integrated firewall solution that is part of the Windows operating system. In this article, we are going to configure the Windows Firewall to work with Secure Remote Worker. In the following sections, we are going to discuss the process for each of the different version of the Windows operating, starting with Windows 10.
Important configuration note:
You should only have one software firewall solution installed at any one time. If you install additional security software on your PC that also has its own software-based firewall solution, then you will need to disable this if you are to use the Windows Firewall solution.
Enabling the firewall on Windows 10 devices
In this section, we are going to describe the process for enabling the Windows Firewall feature on Windows 10. Follow the steps below to work through the process of enabling the firewall:
Press the Windows key on your keyboard and then start to type in “control panel” in the search box highlighted (1). You will then see the Control Panel App appear at the top of the list as the best match, highlighted (2). Click on the Control Panel App to launch it as shown in the following screenshot:
Click to Zoom
2. You will now see the Control Panel as shown in the following screenshot:
Click to Zoom
3. Now click on System and Security as highlighted (3) in the screenshot above.
4. You will now see the System and Security configuration options as shown in the following screenshot:
Click to Zoom
5. Click on Windows Defender Firewall as highlighted (4) in the above screenshot.
6. You will now see the Windows Defender Firewall configuration screen as shown in the following screenshot:
Click to Zoom
7. Click on Turn Windows Defender Firewall on or off as highlighted (5) in the above screenshot.
8. You will now see the Customize settings for each type of network as shown in the following screenshot:
Click to Zoom 9. First, enable the firewall for private networks. To do this click the radio button for Turn on Windows Defender Firewall under the Private network settings section as highlighted (6) in the previous screenshot.
10. Next, enable the firewall for public networks. To do this click the radio button for Turn on Windows Defender Firewallunder the Publicnetwork settings section as highlighted (7) in the previous screenshot.
11. The other thing to configure is to make sure that you check the box for Notify me when Windows Defender Firewall blocks a new app for both network settings, so Public and Private. This means that you will be notified when something potentially malicious is blocked.
12. Finally, once configured, click the OK button to close the configuration window, and then click the red X button in the top right-hand corner to close the control panel.
You have now successfully enabled the Windows Firewall for Windows 10 operating systems.
Enabling the firewall on Windows 8.1 devices
In this section, we are going to describe the process for enabling the Windows Firewall feature on Windows 10. Follow the steps below to work through the process of enabling the firewall:
1. Press the Windows key on your keyboard and then start to type in “control panel” in the search box highlighted (1). You will then see the Control Panel icon appear at the top left of the screen in the Results section, highlighted (2). Double click on the Control Panel icon to launch it as shown in the following screenshot:
Click to Zoom
2. You will now see the Control Panel as shown in the following screenshot:
Click to Zoom
3. Now click on System and Security as highlighted (3) in the screenshot above.
4. You will now see the System and Security configuration options as shown in the following screenshot:
Click to Zoom
5. Click on Windows Firewall as highlighted (4) in the above screenshot.
6. You will now see the Windows Firewall configuration screen as shown in the following screenshot:
Click to Zoom
7. Click on Turn Windows Firewall on or off as highlighted (5) in the above screenshot.
8. You will now see the Customize settings for each type of network as shown in the following screenshot:
Click to Zoom
9. First, enable the firewall for domain networks. To do this click the radio button for Turn on Windows Defender Firewall under the Domainnetwork settings section as highlighted (6) in the previous screenshot.
10. Next, enable the firewall for private networks. To do this click the radio button for Turn on Windows Defender Firewall under the Privatenetwork settings section as highlighted (7) in the previous screenshot.
11. The final one to enable is the firewall for public networks. To do this click the radio button for Turn on Windows Defender Firewall under the Publicnetwork settings section as highlighted (8) in the previous screenshot.
12. The other thing to configure is to make sure that you check the box for Notify me when Windows Firewall blocks a new app for domain settings, public settings, and private settings. This means that you will be notified when something potentially malicious is blocked.
13. Finally, once configured, click the OK button to close the configuration window, and then click the red X button in the top right-hand corner to close the control panel.
You have now successfully enabled the Windows Firewall for Windows 8.x operating systems.
Enabling the firewall on Windows 7 devices
In this section, we are going to describe the process for enabling the Windows Firewall feature on Windows 7. Follow the steps below to work through the process of enabling the firewall:
1. Press the Windows key on your keyboard and then start to type in “control panel” in the search box highlighted (1). You will then see the Control Panel icon appear at the top of the screen under Programs(1), highlighted (2). Double click on the Control Panel icon to launch it as shown in the following screenshot:
Click to Zoom
2. You will now see the Control Panel as shown in the following screenshot:
Click to Zoom
3. Now click on System and Security as highlighted (3) in the screenshot above.
4. You will now see the System and Security configuration options as shown in the following screenshot:
Click to Zoom
5. Click on Windows Firewall as highlighted (4) in the above screenshot.
6. You will now see the Windows Firewall configuration screen as shown in the following screenshot:
Click to Zoom
7. Click on Turn Windows Firewall on or off as highlighted (5) in the above screenshot.
8. You will now see the Customize settings for each type of network as shown in the following screenshot:
Click to Zoom
9. First, enable the firewall for domain networks. To do this click the radio button for Turn on Windows Defender Firewall under the Domainnetwork location settings section as highlighted (6) in the previous screenshot.
10. Next, enable the firewall for private networks. To do this click the radio button for Turn on Windows Defender Firewallunder the Home or work (private)network location settings section as highlighted (7) in the previous screenshot.
11. The final one to enable is the firewall for public networks. To do this click the radio button for Turn on Windows Defender Firewallunder the Publicnetwork location settings section as highlighted (8) in the previous screenshot.
12. The other thing to configure is to make sure that you check the box for Notify me when Windows Firewall blocks a new program for domain settings, public settings, and private settings. This means that you will be notified when something potentially malicious is blocked.
13. Finally, once configured, click the OK button to close the configuration window, and then click the red X button in the top right-hand corner to close the control panel.
You have now successfully enabled the Windows Firewall for Windows 7 operating systems.
