What is DNSSEC and Why Is It Important?

If you’re like most companies, you probably leave your DNS resolution up to your ISP. But as employees bypass the VPN, and even more organizations adopt direct internet access, it’s more than likely that you have a DNS blind spot. So what steps can you take to ensure your visibility remains free and clear?

One simple and easy thing you can start doing right away is to mine your DNS data. Each time a browser contacts a domain name, it has to contact the DNS server first. Since DNS requests precede the IP connection, DNS resolvers log requested domains regardless of the connection’s protocol or port. That’s an information gold mine! Just by monitoring DNS requests and subsequent IP connections you will eliminate the blind spot and easily gain better accuracy and detection of compromised systems and improve your security visibility and network protection.

But what about those pesky cache poisoning attacks, also known as DNS spoofing?

DNS cache poisoning attacks locate and then exploit vulnerabilities that exist in the DNS, in order to draw organic traffic away from a legitimate server toward a fake one.This type of attack is dangerous because the client an be redirected, and since the attack is on the DNS server, it will impact a very large number of users.

Back in the early nineties, the era of the world-wide-web, Sony Discmans and beepers (we’ve come a long way kids!), the Internet Engineering Task Force, or IETF started thinking about ways to make DNS more secure. The task force proposed ways to harden DNS and in 2005, Domain Name System Security Extensions, aka DNSSEC, was formally introduced.

DNS Security Extensions, better known as DNSSEC, is a technology that was developed to, among other things, protect against [cache poisoning] attacks by digitally ‘signing’ data so you can be assured [the DNS answer] is valid. DNSSEC uses cryptographic signatures similar to using GPG to sign an email; it proves both the validity of the answer and the identity of the signer. Special records are published in the DNS allowing recursive resolvers or clients to validate signatures. There is no central certificate authority, instead parent zones provide certificate hash information in the delegation allowing for proof of validity.

Cisco Umbrella now supports DNSSEC by performing validation on queries sent from Umbrella resolvers to upstream authorities. Customers can have the confidence that Cisco Umbrella is protecting their organization from cache poisoning attacks, without having to perform validation locally.

Cisco Umbrella supports DNSSEC

Cisco Umbrella delivers the best, most reliable, and fastest internet experience to every single one of our more than 100 million users. We are the leading provider of network security and DNS services, enabling the world to connect to the internet with confidence on any device.

Get the details on how Cisco Umbrella supports DNSSEC.

Source :
https://umbrella.cisco.com/blog/2020/01/28/what-is-dnssec-and-why-is-it-important/

Emotet Malware Now Hacks Nearby Wi-Fi Networks to Infect New Victims

Emotet, the notorious trojan behind a number of botnet-driven spam campaigns and ransomware attacks, has found a new attack vector: using already infected devices to identify new victims that are connected to nearby Wi-Fi networks.

According to researchers at Binary Defense, the newly discovered Emotet sample leverages a "Wi-Fi spreader" module to scan Wi-Fi networks, and then attempts to infect devices that are connected to them.

The cybersecurity firm said the Wi-Fi spreader has a timestamp of April 16, 2018, indicating the spreading behavior has been running "unnoticed" for close to two years until it was detected for the first time last month.

The development marks an escalation of Emotet's capabilities, as networks in close physical proximity to the original victim are now susceptible to infection.

How Does Emotet's Wi-Fi Spreader Module Work?

The updated version of the malware works by leveraging an already compromised host to list all the nearby Wi-Fi networks. To do so, it makes use of the wlanAPI interface to extract the SSID, signal strength, the authentication method (WPA, WPA2, or WEP), and mode of encryption used to secure passwords.

On obtaining the information for each network this way, the worm attempts to connect to the networks by performing a brute-force attack using passwords obtained from one of two internal password lists. Provided the connection fails, it moves to the next password in the list. It's not immediately clear how this list of passwords was put together.

But if the operation succeeds, the malware connects the compromised system on the newly-accessed network and begins enumerating all non-hidden shares. It then carries out a second round of brute-force attack to guess the usernames and passwords of all users connected to the network resource.

After having successfully brute-forced users and their passwords, the worm moves to the next phase by installing malicious payloads — called "service.exe" — on the newly infected remote systems. To cloak its behavior, the payload is installed as a Windows Defender System Service (WinDefService).

In addition to communicating with a command-and-control (C2) server, the service acts as a dropper and executes the Emotet binary on the infected host.

The fact that Emotet can jump from one Wi-Fi network to the other puts onus on companies to secure their networks with strong passwords to prevent unauthorized access. The malware can also be detected by actively monitoring processes running from temporary folders and user profile application data folders.

Emotet: From Banking Trojan to Malware Loader

Emotet, which was first identified in 2014, has morphed from its original roots as a banking Trojan to a "Swiss Army knife" that can serve as a downloader, information stealer, and spambot depending on how it's deployed.

Over the years, it has also been an effective delivery mechanism for ransomware. Lake City's IT network was crippled last June after an employee inadvertently opened a suspicious email that downloaded the Emotet Trojan, which in turn downloaded TrickBot trojan and Ryuk ransomware.

Although Emotet-driven campaigns largely disappeared throughout the summer of 2019, it made a comeback in September via "geographically-targeted emails with local-language lures and brands, often financial in theme, and using malicious document attachments or links to similar documents, which, when users enabled macros, installed Emotet."

"With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet's capabilities," Binary Defense researchers concluded. "Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords."

Source :
https://thehackernews.com/2020/02/emotet-malware-wifi-hacking.html

Coronavirus Affecting Business as Remote Workforces Expand Beyond Expected Capacity

The novel coronavirus epidemic is a major global health concern. To help prevent the spread of the new virus, organizations, businesses and enterprises are protecting their workforce and allowing employees to work remotely. This practice helps limit individual contact with large groups or crowds (e.g., restaurants, offices, transit) where viruses can easily spread.

As such, ‘stay at home’ is a common phrase in many health-conscious regions this week. According to the BBC, the city of Suzhou said businesses would remain closed until Feb 8, if not longer. As of 2018, Suzhou had a population of more than 10.7 million people.

On Jan. 30, the World Health Organization labeled the outbreak as a global health emergency. In response, the U.S. Department of issued a Level 4 travel advisory to China (do not travel).

Precautions like these are causing unexpected increases in mobile workers; many organizations don’t have enough virtual private network (VPN) licenses to accommodate the increase of users. This is a serious risk as employees will either not have access to business resources or, worse, they will do so via non-secure connections.

Organizations and enterprises in affected areas should review their business continuity plans. The National Law Review published a useful primer for employers and organizations managing workforces susceptible to coronavirus outbreaks. In addition, leverage SonicWall’s ‘5 Core Practices to Ensure Business Continuity.”

FREE VPN SPIKE LICENSES

If you are a current SonicWall SMA 100 or 1000 series customer, or have Central Management Server (CMS) licenses, SonicWall will help implement complimentary 10-day spike licenses to help temporarily manage the increase in VPN capacity. Contact SonicWall or your SonicWall SecureFirst partner for assistance.

What is the coronavirus?

Coronavirus (2019-nCoV) is a respiratory illness first identified in Wuhan, China, but cases have since been reported in the U.S., Canada, Australia, Germany, France, Thailand, Japan, Hong Kong, and nine other countries. In an effort to contain the virus, the Chinese authorities have suspended air and rail travel in the area around Wuhan.

According to Centers for Disease Control and Prevention (CDC), early patients in the outbreak in China “reportedly had some link to a large seafood and animal market, suggesting animal-to-person spread. However, a growing number of patients reportedly have not had exposure to animal markets, indicating person-to-person spread is occurring. At this time, it’s unclear how easily or sustainably this virus is spreading between people.”

The latest situation summary updates are available via the CDC: 2019 Novel Coronavirus, Wuhan, China.

THE CLEAN VPN APPROACH FOR THE MOBILE WORKFORCE

To protect the corporate network, IT must recognize that no mobile device should be trusted and that all access outside the corporate network is beyond IT control.

A combined Clean VPN approach delivers all of the security and SSL VPN elements of an integrated Clean VPN deployment, plus the additional SonicWall SMA capability to perform device interrogation and enforce policy-based endpoint controls.

GET THE BRIEF

source :
https://blog.sonicwall.com/en-us/2020/02/coronavirus-affecting-business-as-remote-workforces-expand/

Smarter Cybersecurity: How SecOps Can Simplify Security Management, Oversight & Real-Time Decision-Making

Organizations continue to be alarmed by how easily cybercriminals can circumvent security defenses as malware, ransomware, cryptojacking and phishing attacks make headline news.

In addition, security operations lack visibility and awareness of unsafe network and user activities, network traffic irregularities, and unusual data access and utilization. This exacerbates the situation and creates a dangerous condition where security teams are too late or unable to:

Respond to security alerts or incidents at the speed and accuracy they need
Conduct thorough and effective investigations
Find answers fast enough to take corrective actions

Through close engagements with our top channel partners and key customers, SonicWall learned and understood these challenges first-hand. And through that collaboration, SonicWall developed and introduced the SonicWall Capture Security Center and two powerful risk management tools — Analytics and Risk Meters — to help customers solve these difficult problems.

Govern, comply and manage risk

The Capture Security Center is grounded on three core objectives:

‘Govern Centrally’ focuses on improving operational efficiencies and reducing overhead, while ‘Compliance’ and ‘Risk Management’ concentrate on the business value. These core objectives are interdependent as each leverages a common set of information, processes and technologies that help SecOps establish and deliver a strong, federated security defense and response services at the core of their security program.

Work faster and smarter — with less effort

Capture Security Center is a cloud solution organizations use to avoid operational overhead associated with software and hardware installation, upgrades and maintenance. This solution provides SecOps teams secure single sign-on (SSO) access to license, provision and manage their entire SonicWall security suite, including network, wireless, endpoint, email, mobile and cloud security products and services.

Think of it as a high-productivity tool that provides authorized users access to all available security services based on their role and access rules. The command console is assessible from any location and from any web-enabled PC. Once signed in, users are automatically granted access to everything — and are able do everything securely — using one cloud app.

The different tiles (shown below) are exactly what you’ll see when you log in to your Capture Security Center account. Users can easily navigate between tenants presented on the left panel and, on the right panel, manage any licensed cloud services registered to that tenant.

Available in January 2020, Capture Security Center version 1.8 adds capabilities for security teams to:

Access and manage SonicWall Email Security, Web Application Firewall (WAF) and Secure Mobile Access (SMA) products centrally
Push pre-defined configurations and security policies automatically to all zero-touch-enabled firewalls and wireless devices at scale to multiple sites globally

Study risks and threats in real time with real-world data

SonicWall Risk Meters is a threat monitoring and risk-rating tool we’ve integrated into the Capture Security Center. The tool is available to all SonicWall Capture Security Center customers at no additional cost.

Risk Meters, shown below, gives a direct line of sight into the cyberattacks affecting your security posture. Threat vectors are represented by colored arrows while threat types are shown as icons.

Clicking on an icon pops up an information panel that provides a detailed description of the threat. A tenant drop-down list allows you to view threat metrics at the tenant level. Visibility into the attacks targeting various defense layers helps guide your response to where immediate defensive actions are needed for a specific environment.

The first defense layer captures attacks blocked by the firewalls, Capture Advanced Threat Protection (ATP) sandbox and WAF.

The second defense layer reveals attacks targeting your SaaS appliances and email environments.

The third defense layer shows threats attacking your users’ devices. The DEFCON and Shield Level ratings displayed at the top-right corner provide the computed risk scores based on existing defense layers. Scores are adjusted as you toggle to activate or deactivate available services.

Taking this a step further, Risk Meters gains several important improvements in Capture Security Center 1.8. A new control panel presents users with customization functionalities to run analysis on a variety of threat data.

This new feature allows for experimenting “what-if” simulations at a more granular level to see how the risk score dynamically changes when sub-components of certain layer or multiple layers are added or removed.

Up until this release, risk scores were calculated based solely on security services from SonicWall. To give a more accurate account of customer security environments, CSC now factors in all security controls when calculating the risk scores, including non-SonicWall services.

The Risk Meters Control Panel allows users to configure and weigh third-party security controls into the calculated risk scores. Users can now review trends of different threat types and then compare them against regional and global averages to help identify which threat vectors to focus on and where to prepare their defenses.

Transforming threat data into decisions, decisions into actions

In conjunction with Capture Security Center 1.8, SonicWall releases Analytics 2.5 to introduce a new user-based analytics and reporting function to helps security teams visualize and conduct investigations into users’ actions and application and data usage.

Security teams can monitor or drill-down into the security data for more details about the user network traffic, access and connections, and what applications are being used and websites are frequently visited.

Also, security teams can investigate attacks that target a certain group of users and bandwidth costs associated with resource utilization to determine if policy-tuning or added configurations are needed to reduce their risk profile or optimize network performance.

About the SonicWall Capture Security Center

Capture Security Center is a scalable cloud security management system that’s a built-in and ready-to-use component of your SonicWall product or service. It features single-sign-on and ‘single-pane-of-glass’ management. It integrates the functionality of the Capture Cloud Platform to deliver robust security management, analytics and real-time threat intelligence for your entire portfolio of network, email, endpoint, mobile and cloud security resources.

Capture Security Center delivers a valuable team resource to help organizations control assets and defend entire networks from cyberattacks. Unify and synchronize updates and support, monitor security risks and fulfill regulatory compliance — all with greater clarity, precision and speed.

source :
https://blog.sonicwall.com/en-us/2019/12/smarter-cybersecurity-how-secops-can-simplify-security-management/

Amazon Echo Hacked at Pwn2Own Tokyo 2019 and Ransomware Attacks Hit Spanish Companies

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a ransomware that is attacking Spanish companies and how nearly 50 adware apps were found on Google Play. Also, read about how an Amazon Echo was hacked on the first day of Pwn2Own Tokyo 2019.

Read on:

Facebook Portal Survives Pwn2Own Hacking Contest, Amazon Echo Got Hacked

Amazon Echo speakers, Samsung and Sony smart TVs, the Xiaomi Mi9 phone, and Netgear and TP-Link routers were all hacked on the first day of ZDI’s Pwn2Own Tokyo 2019 hacking contest.

New Exploit Kit Capesand Reuses Old and New Public Exploits and Tools, Blockchain Ruse

In October 2019, Trend Micro discovered a new exploit kit named Capesand, which attempts to exploit recent vulnerabilities in Adobe Flash and Microsoft Internet Explorer. Based on our investigation, it also exploits a 2015 vulnerability for Internet Explorer.

Inside the Microsoft Team Tracking the World’s Most Dangerous Hackers

Microsoft’s latest win over cloud rival Amazon for the lucrative military contact means that an intelligence-gathering apparatus among the most important in the world is based in the woods outside Seattle. Now in this corner of Washington state, dozens of engineers and intelligence analysts are watching and stopping the government-sponsored hackers proliferating around the world.

Halloween Exploits Scare: BlueKeep, Chrome’s Zero-Days in the Wild

On October 31, Chrome posted that a stable channel security update for Windows, Mac, and Linux versions of Chrome will be rolled out in order to fix two use-after-free flaws in audio and PDFium. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a statement advising users and administrators to apply the updates.

A Stranger’s TV Went on Spending Spree with My Amazon Account – and Web Giant Did Nothing About it for Months

After a fraudster exploited a bizarre weakness in Amazon’s handling of customer devices to hijack an account and go on spending sprees with their bank cards, it was discovered that it is possible to add a non-Amazon device to your Amazon customer account and it won’t show up in the list of gadgets associated with the profile.

Ransomware Attacks Hit Spanish Companies, Paralyzes Government Services in Canadian Territory of Nunavut

A ransomware campaign recently hit companies in Spain, including Cadena Sociedad Española de Radiodifusión (SER), the country’s largest radio network. In another part of the globe, threat actors managed to infect government systems with ransomware in the Canadian territory of Nunavut.

Amazon’s Ring Video Doorbell Lets Attackers Steal Your Wi-Fi Password

Security researchers at Bitdefender have discovered a high-severity security vulnerability in Amazon’s Ring Video Doorbell Pro devices that could allow nearby attackers to steal your WiFi password and launch a variety of cyberattacks using MitM against other devices connected to the same network.

Unpatched Remote Code Execution rConfig Flaws Could Affect Millions of Servers and Network Devices

Details on the proof-of-concept (PoC) exploit for two unpatched, critical remote code execution (RCE) vulnerabilities in the network configuration management utility rConfig have recently been disclosed. At least one of the flaws could allow remote compromise of servers and connected network devices.

California DMV Data Breach Exposed Thousands of Drivers’ Information, Agency Says

A data breach at the California Department of Motor Vehicles may have exposed some drivers’ Social Security number information to seven government entities, according to the DMV. The breach affects about 3,200 individuals over at least the last four years, the agency said in a statement.

49 Disguised Adware Apps with Optimized Evasion Features Found on Google Play

Trend Micro recently found 49 new adware apps on Google Play, disguised as games and stylized cameras. These apps are no longer live, but before they were taken down by Google, the total number of downloads was more than 3 million. This Trend Micro blog discusses solutions and security recommendations for protecting against adware apps.

CVE-2019-2114: Patched Android Bug That Allows Possible Installation of Malicious Apps

An Android bug that could allow threat actors to bypass devices’ security mechanisms was discovered by Nightwatch Cybersecurity. Successful abuse of the bug can allow threat actors to transfer a malicious application to a nearby Near Field Communication (NFC)-enabled device via the Android Beam. The bug affects Android version 8 (Oreo) or higher.

Surprised by the devices that were hacked on the first day of Pwn2Own Tokyo 2019? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

Source :
https://blog.trendmicro.com/this-week-in-security-news-amazon-echo-hacked-at-pwn2own-tokyo-2019-and-ransomware-attacks-hit-spanish-companies/

WSUS synchronization fails with SoapException

Applies to: WSUS - All versionsWindows Server 2016Windows Server 2012 R2Windows Server 2012 Less

Symptoms

Windows Server Update Services (WSUS) synchronization fails, and you receive the following error message:

SoapException: Fault occurred
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetUpdateData(Cookie cookie, UpdateIdentity[] updateIds)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.WebserviceGetUpdateData(UpdateIdentity[] updateIds, List`1 allMetadata, List`1 allFileUrls, Boolean isForConfig)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.GetUpdateDataInChunksAndImport(List`1 neededUpdates, List`1 allMetadata, List`1 allFileUrls, Boolean isConfigData)
at Microsoft.UpdateServices.ServerSync.Cat

Additionally, an error message that resembles the following is logged in the WSUS log file (%ProgramFiles%\Update Services\LogFiles\SoftwareDistribution.log) on the WSUS server:

<Date> <Time> Error WsusService.25 SoapUtilities.LogException USS ThrowException: Actor = https://fe2.update.microsoft.com/v6/ServerSyncWebService/ServerSyncWebService.asmx, Method = "http://www.microsoft.com/SoftwareDistribution/GetUpdateData", ID=<ID>, ErrorCode=InternalServerError, Message=
at Microsoft.UpdateServices.Internal.SoapUtilities.LogException(SoapException e)
at Microsoft.UpdateServices.Internal.WebServiceCommunicationHelper.ProcessWebServiceProxyException(SoapHttpClientProtocol& webServiceObject, Exception exceptionInfo)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.WebserviceGetUpdateData(UpdateIdentity[] updateIds, List`1 allMetadata, List`1 allFileUrls, List`1& updatesWithSecureFileData, Boolean isForConfig)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.GetUpdateDataInChunksAndImport(List`1 neededUpdates, List`1 allMetadata, List`1 allFileUrls, Boolean isConfigData)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.GetAndSaveUpdateMetadata(List`1 updates)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.CatalogSyncThreadProcess()
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart()
<Date> <Time> Error WsusService.25 SoapUtilities.LogException USS ThrowException: Actor = https://fe2.update.microsoft.com/v6/ServerSyncWebService/ServerSyncWebService.asmx, Method = "http://www.microsoft.com/SoftwareDistribution/GetUpdateData", ID=<ID>, ErrorCode=InternalServerError, Message=
at Microsoft.UpdateServices.Internal.SoapUtilities.LogException(SoapException e)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.CatalogSyncThreadProcess()
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart()

Cause

This issue occurs if the WSUS servers are configured to use the old synchronization endpoint, https://fe2.update.microsoft.com/v6. This endpoint was fully decommissioned and is no longer reachable after July 8, 2019.

Resolution

To fix the issue, change the synchronization endpoint in WSUS configuration to https://sws.update.microsoft.com.

To do this, follow these steps on the topmost WSUS server that connects directly to Microsoft Update, such as the root WSUS server in a WSUS hierarchy:

Close all WSUS consoles.
At an elevated PowerShell command prompt, run the following PowerShell scripts.
Note Don't run the scripts on a WSUS server that’s not the topmost server. If the server isn’t connected to the Internet, synchronization may fail.
For WSUS version 3.x:
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") $server = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer() $config = $server.GetConfiguration() # Check current settings before you change them $config.MUUrl $config.RedirectorChangeNumber # Update the settings if MUUrl is https://fe2.update.microsoft.com/v6 $config.MUUrl = "https://sws.update.microsoft.com" $config.RedirectorChangeNumber = 4002 $config.Save(); iisreset Restart-Service *Wsus* -v
Note WSUS servers that are running Windows Server 2008 (without the latest update) or earlier versions may be using the https://update.microsoft.com/v6 or https://www.update.microsoft.com synchronization endpoints. Because these versions of Windows don’t support SHA256 certificate authentication, use the following settings in the PowerShell scripts:
$config.MUUrl = " https://sws1.update.microsoft.com"
$config.RedirectorChangeNumber = 3011
For WSUS on Windows Server 2012 and later versions:
$server = Get-WsusServer $config = $server.GetConfiguration() # Check current settings before you change them $config.MUUrl $config.RedirectorChangeNumber # Update the settings if MUUrl is https://fe2.update.microsoft.com/v6 $config.MUUrl = "https://sws.update.microsoft.com" $config.RedirectorChangeNumber = 4002 $config.Save() iisreset Restart-Service *Wsus* -v
Verify that WSUS synchronization succeeds.

More Information

For more information about how to run PowerShell scripts, see PowerShell Scripting.

Source:
https://support.microsoft.com/en-us/help/4482416/wsus-synchronization-fails-with-soapexception

Windows Server 2008 End of Support: Are you Prepared?

On July 14^th, 2015, Microsoft’s widely deployed Windows Server 2003 reached end of life after nearly 12 years of support. For millions of enterprise servers, this meant the end of security updates, leaving the door open to serious security risks. Now, we are fast approaching the end of life of another server operating system – Windows Server 2008 and Server 2008 R2, which will soon reach end of support on January 14, 2020.

Nevertheless, many enterprises still rely on Windows Server 2008 for core business functions such as Directory Server, File Server, DNS Server, and Email Server. Organizations depend on these workloads for critical business applications and to support their internal services like Active Directory, File Sharing, and hosting internal websites.

What does this mean for you?

End of support for an operating system like Windows Server 2008 introduces major challenges for organizations who are running their workloads on the platform. While a small number may be ready to fully migrate to a new system or to the cloud, the reality is that most organizations aren’t able to migrate this quickly due to time, budgetary, or technical constraints. Looking back at Windows Server 2003, even nine months after the official EOS, 42% of organizations indicated they would still be using Windows Server 2003 for 6 months or more, while the remaining 58% were still in the process of migrating off of Windows Server 2003 (Osterman Research, April 2016). The same is likely to occur with the Server 2008 EOS, meaning many critical applications will continue to reside on Windows Server 2008 for the next few years, despite the greatly increased security risks.

What are the risks?

The end of support means organizations must prepare to deal with missing security updates, compliance issues, defending against malware, as well as other non-security bugs. You will no longer receive patches for security issues, or notifications of new vulnerabilities affecting your systems. With constant discovery of new vulnerabilities and exploits – 1,450 0days disclosed by the ZDI in 2018 alone – it’s all but guaranteed that we will see additions to the more than 1300+ vulnerabilities faced by Windows Server 2008. The lack of notifications to help monitor and measure the risk associated with new vulnerabilities can leave a large security gap.

This was the case for many organizations in the wake of the 2017 global WannaCry ransomware attack, which affected over 230,000 systems worldwide, specifically leveraging the EternalBlue exploit present in older Windows operating systems. While Microsoft did provide a patch for this, many weren’t able to apply the patches in time due to the difficulty involved in patching older systems.

What can security and IT teams do?

The most obvious solution is to migrate to a newer platform, whether that’s on-premise or using a cloud infrastructure-as-a-service offering such as AWS, Azure, or Google Cloud.

However, we know many organizations will either delay migration or leave a portion of their workloads running in a Windows Server 2008 environment for the foreseeable future. Hackers are aware of this behavior, and often view out-of-support servers as an easy target for attacks. Security teams need to assess the risk involved with leaving company data on those servers, and whether or not the data is secure by itself. If not, you need to ensure you have the right protection in place to detect and stop attacks and meet compliance on your Windows Server 2008 environment.

How can Trend Micro help?

Trend Micro Deep Security delivers powerful, automated protection that can be used to secure applications and workloads across new and end of support systems. Deep Security’s capabilities include host-based intrusion prevention, which will automatically shield workloads from new vulnerabilities, applying an immediate ‘virtual patch’ to secure the system until an official patch is rolled out – or in the case of EOS systems – for the foreseeable future.

Deep Security also helps monitor for system changes with real-time integrity monitoring and application control, and will secure your workloads with anti-malware, powered by the Trend Micro Smart Protection Network’s global threat intelligence. Deep Security’s broad platform and infrastructure support allows you to seamlessly deploy security across your physical, virtualized, cloud, and containerized workloads, and protecting your end of life systems throughout and beyond your migration.

Learn how easy it is to deploy virtual patching to secure your enterprise and address patching issues.

Source
https://blog.trendmicro.com/windows-server-2008-end-of-support-are-you-prepared/

Use a Local Administrator Account for Remote Administration

Local administrator accounts are commonly configured with the same password across all devices in corporate environments, making it easy for attackers to own every device if the password is compromised. Microsoft’s security baseline templates block remote use of local accounts because until Local Administrator Password Solution (LAPS) was released in 2015, there was no mechanism for securely managing local administrator accounts. LAPS is a free tool from Microsoft that randomizes local admin passwords every 30 days and stores them securely in Active Directory for each computer account.

The risk posed by local administrator accounts can be managed by manually setting a random password on each device and then recording it in a spreadsheet. But that doesn’t address the issue of changing passwords periodically and requires you to make sure the spreadsheet isn’t accessed by malicious or unauthorized users. LAPS solves these problems, ensuring that local administrator accounts remain secure and can’t be used by hackers to laterally move around your network.

For more information on using LAPS, see Secure Local Administrator Accounts with the Local Administrator Password Solution (LAPS) Tool on Petri. Microsoft’s security baseline templates for Windows and Windows Server are available as part of the Security Compliance Toolkit.

Despite the convenience LAPS provides for managing local admin accounts, IT helpdesk staff often use a domain account that is granted administrator rights on each workstation in the domain. While this account doesn’t need to be a privileged domain account, i.e. not a member of Domain Admins or other privileged AD group, the account could still be used to compromise every workstation in the domain.

Local Accounts for Remote Administration

In a blog post by Aaron Margosis, Microsoft recommends that organizations consider unblocking remote use of local administrator accounts if LAPS or another password management solution in place, and if you want to use local accounts for remote administration. Otherwise you should continue to block remote use of local accounts.

Margosis says that if a helpdesk user wants to remotely access a workstation, it is more secure to retrieve the local administrator password from AD than to use a domain account. If the local admin password is compromised, any damage is limited to that device. Some remote access tools expose credentials when logging in to remote systems, so IT helpdesk account credentials could be compromised.

If you decide to unblock remote use of local accounts, there are three Group Policy settings that need to be changed:

Deny access to this computer from the network
Deny log on through Remote Desktop Services
Apply UAC restrictions to local accounts on network logon

The first two settings can be found under Windows Settings\Security Settings\Local Policies\User Rights Assignment and should be set to empty. The third is a custom setting that’s part of the baseline templates (SecGuide.admx). It can be found under Administrative Templates\MS Security Guide and should be set to Disabled.

As you can see, there are some definite advantages to using LAPS-managed local administrator accounts for remote access. The only drawbacks that I can see are that it requires some administrative effort for helpdesk staff to retrieve local admin passwords from AD every time they need to log in, as opposed to getting quick access with a domain account. Secondly, using an unnamed account to log in means we don’t have a record of who accessed the device with administrative privileges. You can work around this by enabling auditing of access to LAPS passwords in AD and resetting passwords after each use. Both these tasks can be accomplished using the PowerShell Set-AdmPwdAuditing and Reset-AdmPwdPassword cmdlets respectively.

Source
https://www.petri.com/use-a-local-administrator-account-for-remote-administration

How to disable SMBv1 Windows

How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server

Applies to: Windows 7 EnterpriseWindows 7 Home BasicWindows 7 Home Premium More

Summary

This article describes how to enable and disable Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3) on the SMB client and server components.

Warning

We recommend that you do not disable SMBv2 or SMBv3. Disable SMBv2 or SMBv3 only as a temporary troubleshooting measure. Do not leave SMBv2 or SMBv3 disabled.

In Windows 7 and Windows Server 2008 R2, disabling SMBv2 deactivates the following functionality:

Request compounding - allows for sending multiple SMB 2 requests as a single network request
Larger reads and writes - better use of faster networks
Caching of folder and file properties - clients keep local copies of folders and files
Durable handles - allow for connection to transparently reconnect to the server if there is a temporary disconnection
Improved message signing - HMAC SHA-256 replaces MD5 as hashing algorithm
Improved scalability for file sharing - number of users, shares, and open files per server greatly increased
Support for symbolic links
Client oplock leasing model - limits the data transferred between the client and server, improving performance on high-latency networks and increasing SMB server scalability
Large MTU support - for full use of 10-gigabye (GB) Ethernet
Improved energy efficiency - clients that have open files to a server can sleep

In Windows 8, Windows 8.1, Windows 10, Windows Server 2012, and Windows Server 2016, disabling SMBv3 deactivates the following functionality (and also the SMBv2 functionality that's described in the previous list):

Transparent Failover - clients reconnect without interruption to cluster nodes during maintenance or failover
Scale Out – concurrent access to shared data on all file cluster nodes
Multichannel - aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server
SMB Direct – adds RDMA networking support for very high performance, with low latency and low CPU utilization
Encryption – Provides end-to-end encryption and protects from eavesdropping on untrustworthy networks
Directory Leasing - Improves application response times in branch offices through caching
Performance Optimizations - optimizations for small random read/write I/O

More Information

The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008.

The SMBv3 protocol was introduced in Windows 8 and Windows Server 2012.

For more information about the capabilities of SMBv2 and SMBv3 capabilities, go to the following Microsoft TechNet websites:

Server Message Block overview

What's New in SMB

How to gracefully remove SMB v1 in Windows 8.1, Windows 10, Windows 2012 R2, and Windows Server 2016

Windows Server 2012 R2 & 2016: PowerShell methods

SMB v1

Detect:	Get-WindowsFeature FS-SMB1
Disable:	Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Enable:	Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol

SMB v2/v3

Detect:	Get-SmbServerConfiguration \| Select EnableSMB2Protocol
Disable:	Set-SmbServerConfiguration -EnableSMB2Protocol $false
Enable:	Set-SmbServerConfiguration -EnableSMB2Protocol $true

Windows Server 2012 R2 and Windows Server 2016: Server Manager method for disabling SMB

SMB v1

Windows 8.1 and Windows 10: PowerShell method

SMB v1 Protocol

Detect:	Get-WindowsOptionalFeature –Online –FeatureName SMB1Protocol
Disable:	Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Enable:	Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

SMB v2/v3 Protocol

Detect:	Get-SmbServerConfiguration \| Select EnableSMB2Protocol
Disable:	Set-SmbServerConfiguration –EnableSMB2Protocol $false
Enable:	Set-SmbServerConfiguration –EnableSMB2Protocol $true

Windows 8.1 and Windows 10: Add or Remove Programs method

How to detect status, enable, and disable SMB protocols on the SMB Server

For Windows 8 and Windows Server 2012

Windows 8 and Windows Server 2012 introduce the new Set-SMBServerConfiguration Windows PowerShell cmdlet. The cmdlet enables you to enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component.

Note

When you enable or disable SMBv2 in Windows 8 or Windows Server 2012, SMBv3 is also enabled or disabled. This behavior occurs because these protocols share the same stack.

You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet.

SMB v1 on SMB Server

Detect:	Get-SmbServerConfiguration \| Select EnableSMB1Protocol
Disable:	Set-SmbServerConfiguration -EnableSMB1Protocol $false
Enable:	Set-SmbServerConfiguration -EnableSMB1Protocol $true

For more information, see Server storage at Microsoft.

SMB v2/v3 on SMB Server

Detect:	Get-SmbServerConfiguration \| Select EnableSMB2Protocol
Disable:	Set-SmbServerConfiguration -EnableSMB2Protocol $false
Enable:	Set-SmbServerConfiguration -EnableSMB2Protocol $true

For Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008

To enable or disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor.

PowerShell methods

Note

This method requires PowerShell 2.0 or later version of PowerShell.

SMB v1 on SMB Server

Detect:

Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

Default configuration = Enabled (No registry key is created), so no SMB1 value will be returned

Disable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 –Force

Enable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 –Force

Note You must restart the computer after you make these changes.

For more information, see Server storage at Microsoft.

SMB v2/v3 on SMB Server

Detect:

Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

Disable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 –Force

Enable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 –Force

Note You must restart the computer after you make these changes.

Registry Editor

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

To enable or disable SMBv1 on the SMB server, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)

To enable or disable SMBv2 on the SMB server, configure the following registry key:

Registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)

Note You must restart the computer after you make these changes.

How to detect status, enable, and disable SMB protocols on the SMB Client

For Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012

Note When you enable or disable SMBv2 in Windows 8 or in Windows Server 2012, SMBv3 is also enabled or disabled. This behavior occurs because these protocols share the same stack.

SMB v1 on SMB Client

Detect:	sc.exe qc lanmanworkstation
Disable:	sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi sc.exe config mrxsmb10 start= disabled
Enable:	sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi sc.exe config mrxsmb10 start= auto

For more information, see Server storage at Microsoft

SMB v2/v3 on SMB Client

Detect:	sc.exe qc lanmanworkstation
Disable:	sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi sc.exe config mrxsmb20 start= disabled
Enable:	sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi sc.exe config mrxsmb20 start= auto

Notes

You must run these commands at an elevated command prompt.
You must restart the computer after you make these changes.

Disable SMBv1 Server with Group Policy

This procedure configures the following new item in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Registry entry: SMB1 REG_DWORD: 0 = Disabled

To configure this by using Group Policy:

Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
Right-click the Registry node, point to New, and select Registry Item.

In the New Registry Properties dialog box, select the following:

Action: Create
Hive: HKEY_LOCAL_MACHINE
Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value name: SMB1
Value type: REG_DWORD
Value data: 0

This disables the SMBv1 Server components. This Group Policy must be applied to all necessary workstations, servers, and domain controllers in the domain.

Note WMI filters can also be set to exclude unsupported operating systems or selected exclusions, such as Windows XP.

Caution

Be careful when you make these changes on domain controllers on which legacy Windows XP or older Linux and third-party systems (that do not support SMBv2 or SMBv3) require access to SYSVOL or other file shares where SMB v1 is being disabled.

Disable SMBv1 Client with Group Policy

To disable the SMBv1 client, the services registry key needs to be updated to disable the start of MRxSMB10 and then the dependency on MRxSMB10 needs to be removed from the entry for LanmanWorkstation so that it can start normally without requiring MRxSMB10 to first start.

This will update and replace the default values in the following 2 items in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10

Registry entry: Start REG_DWORD: 4 = Disabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation

Registry entry: DependOnService REG_MULTI_SZ: “Bowser”,”MRxSmb20″,”NSI”

Note The default included MRxSMB10 which is now removed as dependency

To configure this by using Group Policy:

Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
Right-click the Registry node, point to New, and select Registry Item.

In the New Registry Properties dialog box, select the following:

Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SYSTEM\CurrentControlSet\services\mrxsmb10
Value name: Start
Value type: REG_DWORD
Value data: 4

Then remove the dependency on the MRxSMB10 that was just disabled

In the New Registry Properties dialog box, select the following:

Action: Replace
Hive: HKEY_LOCAL_MACHINE
Key Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation
Value name: DependOnService
Value type REG_MULTI_SZ
Value data:
- Bowser
- MRxSmb20
- NSI

Note These three strings will not have bullets (see the following screen shot).

The default value includes MRxSMB10 in many versions of Windows, so by replacing them with this multi-value string, it is in effect removing MRxSMB10 as a dependency for LanmanServer and going from four default values down to just these three values above.

Note When you use Group Policy Management Console, you don't have to use quotation marks or commas. Just type the each entry on individual lines.

Restart required

After the policy has applied and the registry settings are in place, the targeted systems must be restarted before SMB v1 is disabled.

Summary

If all the settings are in the same Group Policy Object (GPO), Group Policy Management displays the following settings.

Group Policy Management Editor - Registry

Testing and validation

After these are configured, allow the policy to replicate and update. As necessary for testing, run gpupdate /force at a command prompt, and then review the target computers to make sure that the registry settings are applied correctly. Make sure SMB v2 and SMB v3 is functioning for all other systems in the environment.

Caution

Do not forget to restart the target systems.

Source
https://support.microsoft.com/en-us/help/2696547/detect-enable-disable-smbv1-smbv2-smbv3-in-windows-and-windows-server

Windows Start Run commands

Accessibility Options		utilman
				or
				control access.cpl

Add Hardware Wizard		hdwwiz
Programs and Features		appwiz.cpl
(Add New Programs)		control appwiz.cpl,,1
(Add Remove Windows Components)	control appwiz.cpl,,2
(Set Program Access & Defaults) control appwiz.cpl,,3


Administrative Tools	        control admintools
Advanced User Accounts 
Control Panel	                netplwiz
Authorization Manager	        azman.msc
Automatic Update control        wuaucpl.cpl
Backup and Restore Utility	sdclt
Bluetooth Transfer Wizard	fsquirt
Calculator	                calc
Certificate Manager	        certmgr.msc
Character Map	                charmap

Check Disk Utility	        chkdsk
Clear Type (tune or turn off)	cttune
Color Management	        colorcpl.exe
Command Prompt	                cmd
Component Services	        dcomcnfg
	                        or
	                        comexp.msc
Computer Management	        CompMgmtLauncher.exe
	                        or 
	                        compmgmt.msc
Control Panel	                control

Credential (passwords) Backup
and Restore Wizard	        credwiz
Data Execution Prevention	SystemPropertiesDataExecutionPrevention
Date and Time Properties	timedate.cpl
Device Manager	                hdwwiz
	                        or
	                       devmgmt.msc
Device Pairing Wizard	       DevicePairingWizard
Digitizer Calibration Tool
(Tablets/Touch screens)	       tabcal
Direct X Control Panel
(if installed)	              directx.cpl
Direct X Troubleshooter	      dxdiag
Disk Cleanup Utility	      cleanmgr
Disk Defragmenter	      dfrgui
	                      defrag
Disk Management	              diskmgmt.msc
Disk Partition Manager	      diskpart
Display Color Calibration     dccw
Display DPI / Text size	      dpiscaling
Display Properties (Themes,
Desktop, Screensaver)	      control desktop
Display Properties
(Resolution, Orientation)     desk.cpl
Display Properties
(Color & Appearance)	      control color
Documents (open
'My Documents' folder)	      documents
Downloads (open
'Downloads' folder)	     downloads
Driver Verifier Utility	     verifier
DVD Player	             dvdplay

Edit Environment Variables   rundll32.exe sysdm.cpl,EditEnvironmentVariables
Encrypting File
System Wizard (EFS)	     rekeywiz
Event Viewer	             eventvwr.msc
File Signature Verification
Tool (Device drivers)	     sigverif
Files and Settings
Transfer Tool	            %systemroot%\system32\migwiz\migwiz.exe
Firewall Control Panel	    firewall.cpl
Folders Properties	    control folders
Fonts list	            control fonts
Font preview	            fontview arial.ttf
Game Controllers	    joy.cpl
Local Group Policy Editor   gpedit.msc
Internet Properties	    inetcpl.cpl
IP Configuration	    ipconfig
iSCSI Initiator
configuration	            iscsicpl
Keyboard Properties	    control keyboard
Language Pack Installer	    lpksetup
Local Security Policy	    secpol.msc
Local Users and Groups	    lusrmgr.msc
Log out	                    logoff
Microsoft Malicious
Software Removal Tool	    mrt
Microsoft Management
Console	                   mmc
Access (Microsoft Office)  msaccess
Excel (Microsoft Office)   Excel
Powerpoint
(Microsoft Office)         powerpnt
Word (Microsoft Office)	   winword
Microsoft Paint            mspaint

Microsoft Support
Diagnostic Tool	          msdt
Mouse Properties	  control mouse
	                  or 
	                  main.cpl
Network Connections	  control netconnections
	                  or 
	                  ncpa.cpl
Projector:	          netproj
Connect to Network
Projector Switch
projector display	  displayswitch
Notepad	                  notepad
ODBC Data Source Admin	
Default ODBC driver:	  C:\windows\system32\odbcad32.exe
32-bit ODBC driver
under 64-bit platform:	  C:\windows\sysWOW64\odbcad32.exe
ODBC configuration
Install/configure MDAC
drivers	                 odbcconf
On Screen Keyboard	 osk
OOB Getting Started	 gettingstarted
Password - Create a
Windows Password Reset
Disk (USB)	        "C:\Windows\system32\rundll32.exe" keymgr.dll,PRShowSaveWizardExW


Pen and Touch
(Tablet/Pen input
configuration)	        tabletpc.cpl
Performance Monitor	perfmon.msc
Phone and Modem Options	telephon.cpl
Phone Dialer	        dialer
Power Configuration	powercfg.cpl and powercfg.exe
Presentation Settings	PresentationSettings
Problem Steps Recorder	psr
Program Access and
Computer Defaults 
browser / email / media	computerdefaults
Printers and Faxes	control printers
Print Management (.msc)	PrintManagement
Printer Migration
(backup/restore)	printbrmui and printbrm.exe
Printer user interface
(List all printui.dll
options)	        printui
Private Character
Editor	                eudcedit
Regional Settings
Language, Date/Time
format, keyboard	intl.cpl
Registry Editor	        regedit
Remote Assistance	msra

Remote Desktop	        mstsc
Resource Monitor	resmon
Resultant Set of Policy	rsop.msc
Settings (Windows 10)	ms-settings:
Scheduled Tasks	control schedtasks
Screenshot
Snipping Tool	        snippingtool
Security Center	        wscui.cpl
Services	        services.msc
Shared Folder Wizard	shrpubw
Shared Folders	        fsmgmt.msc
Shut Down Windows	shutdown
Software Licensing
Activation	        slui
Sounds and Audio	mmsys.cpl
Sound Recorder	        soundrecorder
Sound Volume	        sndvol
Syncronization Tool
(Offline files)	        mobsync
System Configuration
Utility	                msconfig
System File Checker
Utility (Scan/Purge)	sfc
System Information	msinfo32
System Properties	sysdm.cpl SystemProperties
	                or
	                sysdm.cpl DisplaySYSDMCPL

System Properties
Performance	        SystemPropertiesPerformance
System Properties
Hardware	        SystemPropertiesHardware
System Properties
Advanced	        SystemPropertiesAdvanced
System Repair
Create a System
Repair Disc	       recdisc
System Restore	       rstrui
Task Manager	       taskmgr
Task Scheduler	       taskschd.msc
Telnet Client	       telnet
Trusted Platform
Module Initialization
Wizard	               tpmInit
User Accounts
(Autologon)	       control userpasswords2
User Account
Control (UAC) Settings UserAccountControlSettings
User Profiles
Edit/Change type       C:\Windows\System32\rundll32.exe sysdm.cpl,EditUserProfiles
Windows Disc Image
Burning Tool	       isoburn C:\movies\madmax.iso
Windows Explorer       explorer
Windows Features       optionalfeatures
Windows Firewall       firewall.cpl
Windows Firewall with
Advanced Security      wf.msc
Windows Image
Acquisition (scanner)  wiaacmgr
Windows Magnifier      magnify
Windows Management
Infrastructure         wmimgmt.msc
Windows Memory
Diagnostic Scheduler   mdsched
Windows Mobility
Center (for notebook)  mblctr
Windows PowerShell     powershell
Windows PowerShell ISE powershell_ise
Windows Security
Action Center	       wscui.cpl
Windows Script Host
(VBScript)	       wscript NAME_OF_SCRIPT.VBS
Windows System
Security Tool
Encrypt the SAM database. syskey (boot password.)	
Windows Update         wuapp
Windows Update
Standalone Installer   wusa
Windows Version
(About Windows)	      winver
WordPad	              write




Unless indicated otherwise, all the commands above work in all versions of Windows from Vista upwards.	
Most of these utilities can be found in %systemroot%\System32\	

soruce

https://ss64.com/nt/run.html