thebigcow posted: What does it break? It's pending me finally rebooting.... http://www.infoworld.com/article/28...il-defende.html

It basically breaks all code signing verification and even makes built-in Windows components like cmd.exe and taskmgr.exe report that they come from an "untrusted publisher" on Windows 7 x64 and Server 2008 R2.

# ¿ Dec 10, 2014 23:15

Here's some more details on why KB3004394 might be busted: https://www.virtualbox.org/ticket/13677#comment:6

quote: From what I can tell, the KB3004394 update does not install a catalog file on 64-bit Windows 7. It does on Windows 8.1 (C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_1_for_KB3004394~31bf3856ad364e35~amd64~~6.3.1.0.cat), so VBox works fine there.

# ¿ Dec 10, 2014 23:32

CLAM DOWN posted: I love my job some days. This is not one of those days.

Thankfully I had only deployed and installed it on my pre-test stations. It was in the list going out to the update preview users but I managed to pull it back before it hit the install deadline. I can only imagine what this must be doing to places that don't have an update review process.

# ¿ Dec 11, 2014 18:41

It looks like the following updates are all bad this month:

KB3004394 - the root certificate one that breaks all code signing validation
KB3008923 - MS14-080 - this IE security update will make IE crash on some web pages that heavily use modal dialogs
KB3011970 - Silverlight update - breaks Silverlight's DRM
KB2553154 - MS14-082 - this security update for Excel 2007/2010/2013 will cause ActiveX macros to stop functioning
KB2986475 - CU8 for Exchange 2010 SP3 will prevent some (all?) Outlook clients from connecting

I'm guessing that a lot of people are going to be getting very drunk this week.

e: the Silverlight one was wrong

Number19 fucked around with this message at 19:45 on Dec 11, 2014

# ¿ Dec 11, 2014 19:01

Gyshall posted: I had a brand new 2008 R2 VM install yesterday that failed sfc /scannow after initial install of Windows Updates, which is just grand.

Yeah, sfc /scannow will fail after KB3004394 is installed because it can't verify the signatures on most if not all of the system files. I really can't believe this one actually got released as is.

# ¿ Dec 11, 2014 19:46

Do you have users with domain-attached laptops? If yes then this is very serious. If not, it's still possible for an attack but it would have to be inside your LAN, so you can just patch normally. An attacker would have to be able to compromise your network infrastructure and impersonate your domain controllers. If that's the case you probably have a lot more to worry about than this.

# ¿ Feb 11, 2015 19:11

I have been renaming AD-joined computers for years and have yet to have a trust issue occur. SCCM sometimes does strange things though...

# ¿ Feb 26, 2015 03:36

Thalagyrt posted: I've always done it with the system properties control panel, just rename the computer like you normally would. Never once had a problem, not even back in the Windows 2000 days.

This is what I'm doing and it has never caused a problem.

# ¿ Feb 26, 2015 04:14

I use the users and groups GP client extension along with item-level targeting to grant a single user local admin on specific workstations. It's a huge pain to set up the first time but once it's done it's pretty good.

# ¿ Jul 11, 2015 22:29

It's Patch Tuesday which means it's time to start drinking: https://technet.microsoft.com/library/security/MS15-080

quote: This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded TrueType or OpenType fonts.

# ¿ Aug 11, 2015 18:51

CLAM DOWN posted: I hate my life

At least there are no known exploits, but I suppose that doesn't mean much in this day and age.

# ¿ Aug 11, 2015 19:02

CLAM DOWN posted: MS15-081 (Office) and MS15-085 (Windows USB vuln) are under active attack according to Dustin Childs who I completely trust on this stuff

I'm shoving all the criticals out the door today. I guess I'll toss in 085 as well for good measure.

# ¿ Aug 11, 2015 19:28

A new out-of-band security bulletin has been published: https://technet.microsoft.com/en-us/library/security/ms15-093.aspx

It's an Internet Explorer RCE with active exploits but no public disclosure. Probably want to patch all workstations ASAP.

# ¿ Aug 18, 2015 22:12

2012 -> 2012 R2 was definitely not a free upgrade. They even raised the prices when R2 came out.

# ¿ Sep 11, 2015 04:16

I always try to detect Windows Installer versions as I find them to be more reliable overall. That way I don't have to keep track of file paths and can usually get my detection rule working without having to do a trial install of the software.

# ¿ Dec 2, 2015 00:19

If you're using Server 2012 R2 as your DHCP server you can follow this article to serve the correct PXE boot file to BIOS or UEFI computers using DHCP Policy and Vendor Class: https://wiki.fogproject.org/wiki/index.php?title=BIOS_and_UEFI_Co-Existence

# ¿ Feb 19, 2016 06:22

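An added example (not from the thread or the FOG wiki it links) of the same DHCP Policy and Vendor Class approach driven from the DhcpServer PowerShell module on a 2012 R2 DHCP server. The scope ID, the PXE server address and the WDS boot file names are placeholders.

```powershell
# Added example (not from the thread or the linked FOG wiki). Placeholder values:
# adjust the scope, the WDS/PXE server address and the boot file names for your site.
Import-Module DhcpServer

$ScopeId   = '10.0.0.0'   # placeholder DHCP scope
$PxeServer = '10.0.0.5'   # placeholder WDS / PXE server (option 66)

# Vendor classes keyed on the architecture string PXE firmware sends in option 60.
# A client sends e.g. "PXEClient:Arch:00007:UNDI:003016", so the policies below
# match the class with a trailing wildcard (the GUI's "Append wildcard" checkbox).
$Classes = @(
    @{ Name = 'PXEClient (BIOS x86 & x64)'; Data = 'PXEClient:Arch:00000'; BootFile = 'boot\x64\wdsnbp.com'  }
    @{ Name = 'PXEClient (UEFI x86)';       Data = 'PXEClient:Arch:00006'; BootFile = 'boot\x86\wdsmgfw.efi' }
    @{ Name = 'PXEClient (UEFI x64)';       Data = 'PXEClient:Arch:00007'; BootFile = 'boot\x64\wdsmgfw.efi' }
)

foreach ($c in $Classes) {
    # Define the vendor class once at server level (skip if it already exists).
    if (-not (Get-DhcpServerv4Class -Type Vendor | Where-Object Name -eq $c.Name)) {
        Add-DhcpServerv4Class -Name $c.Name -Type Vendor -Data $c.Data -Description "PXE $($c.Data)"
    }

    # One policy per firmware type inside the scope; the condition is the vendor class.
    $policy = "PXE $($c.Name)"
    if (-not (Get-DhcpServerv4Policy -ScopeId $ScopeId | Where-Object Name -eq $policy)) {
        Add-DhcpServerv4Policy -Name $policy -ScopeId $ScopeId -Condition OR `
            -VendorClass EQ, "$($c.Name)*"
    }

    # Policy-scoped options override the scope's own 66/67, so BIOS and UEFI clients
    # in the same VLAN each get the right network boot program without a second scope.
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -PolicyName $policy -OptionId 66 -Value $PxeServer
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -PolicyName $policy -OptionId 67 -Value $c.BootFile
}

# Verify: each PXE policy should carry its own option 67 value.
Get-DhcpServerv4Policy -ScopeId $ScopeId | Where-Object Name -like 'PXE *' | ForEach-Object {
    $bf = (Get-DhcpServerv4OptionValue -ScopeId $ScopeId -PolicyName $_.Name -OptionId 67).Value
    '{0,-32} {1}' -f $_.Name, ($bf -join ',')
}
```

Run it once from an elevated prompt on the DHCP server; re-running is safe because classes and policies are only created when missing and option values are simply overwritten.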
FISHMANPET posted: Two questions:

I offer, boot from and run OSD deploys using BIOS or UEFI with no issues. I've been doing it for a while too. Before I had a 2012 R2 DHCP server I had two VLANs for PXE boot with different DHCP scopes. It all worked perfectly.

# ¿ Feb 20, 2016 08:18

beepsandboops posted: We just started bringing our deployment methodology into this decade and I'm still learning the ropes. We bought a Windows volume license and are starting to use MDT/WDS.

8/8.1 share the same license.

e: so long as you are upgrading to the same version. Pro -> Pro is fine, Pro -> Enterprise is a new license.

# ¿ Mar 10, 2016 00:11

BadLock is coming and it looks horrendously bad. Here's the marketing BS site: http://badlock.org/

Here's some other links with impact analysis:
http://www.computerworld.com/article/3047227/security/prepare-to-patch-a-critical-flaw-in-windows-and-samba-file-sharing.html
https://www.riskbasedsecurity.com/2016/03/bad-luck-over-the-upcoming-badlock-vulnerability/

Hopefully we get to April 12th without this breaking embargo or someone making an exploit that targets it. Regardless, the next Patch Tuesday is going to be a crazy one.

# ¿ Mar 24, 2016 18:04

Happy Badlock day. Just a little over an hour until we know how much scotch we're going to need today.

# ¿ Apr 12, 2016 16:50

Walked posted: oh boy oh boy oh boy

Disclosure breaks when patches are released and the discloser is saying exploits will be easily reversed from the patch data. So if the exploit is truly awful it could be a patch-now thing.

# ¿ Apr 12, 2016 17:14

Yes. They are disclosing responsibly. The embargo ends when the patch is out.

# ¿ Apr 12, 2016 17:21

Here's Badlock: https://technet.microsoft.com/library/security/MS16-047

It doesn't look as bad as it was feared, but I think it still requires testing and patching quickly.

# ¿ Apr 12, 2016 18:14

Internet Explorer posted: Wait until you apply the patch and find all the nice Microsoft bugs that come with rushed patches!

It looks like someone can sit a computer passively in a network and MITM user logins to harvest credentials by forcing a security downgrade on the protocol. It is definitely exploitable but it also feels like if someone is already far enough into your network to do this then you have worse problems. It needs patching but it's not "holy poo poo the world is burning down" levels of bad.

# ¿ Apr 12, 2016 18:28

CLAM DOWN posted: Am I reading this correctly, or is this not even an SMB protocol problem as earlier hinted?

It looks like it's LSAD and SAMR. From the article:

quote: My application or product uses the SMB protocol, does this issue affect me?

So no, not SMB related at all.

# ¿ Apr 12, 2016 18:32

If you have any Server 2012/2012 R2 domain controllers (or DNS servers) you probably want to patch them now. There's an unauthenticated root-level RCE in Windows DNS Server on those platforms:

quote: https://technet.microsoft.com/library/security/MS16-071

# ¿ Jun 14, 2016 18:14

The problem appears to be that group policy is read by the computer account first. The computer then decides if the user's security group has the rights to apply the policy. The change to the GPO system involved the Kerberos system and preventing a MitM attack against the GPO authentication system that could result in privilege escalation. I'm guessing that the computer was impersonating the user for the purposes of reading the policy and this update changes that mechanism or causes it to no longer function as it once did, causing the processing of these policies to fail. Adding Read permissions to Authenticated Users on the GPOs gives the computer the ability to see the GPO again and perform the follow-up checks it needs to apply the policy if needed.

This doesn't affect computer-targeted GPOs with security filtering since you'd expect the computer to not need to read the GPO to see if it needs to process it. It can ignore it completely since it's clearly not applicable.

edit: Internet Explorer posted: Yeah, we were talking about this in the Small Shop thread, but Enterprise is probably a better place.

This just adds more fuel to the "maybe they shouldn't have fired all those QA people" fire. This update either clearly wasn't tested enough to find an obvious use case where it would fail, or this failure was found and a workaround was not added to the KB article. Either way, it's a pretty bad gently caress up by MS.

Number19 fucked around with this message at 21:28 on Jun 15, 2016

# ¿ Jun 15, 2016 21:25

Internet Explorer posted: That's all well and good, but again, Microsoft's communication on issues is awful. They know that people use this setting. Like I said, GPM shows that's... what you use the setting for. There's no other reason for it to even exist. If it is as you said, I would hope that Microsoft would have known that this was going to bite people, and they should have come out before the patch telling people to make the Delegation changes. Or you know, even after. We still get to rely on a lovely forum full of other users to play "figure it out."

This is bad communication for sure. It's also actually in some ways making environments less secure as well. In that Reddit thread, a user points out that in some higher security organizations, having every GPO readable by Authenticated Users is undesirable. It gives an attacker who gains a foothold on any domain-joined computer the ability to poke through all the policies in SYSVOL, looking for network drives and other potentially sensitive settings that you don't want everyone to see. I think MS is going to have to rethink this update since for many organizations the fix might be worse than the vulnerability.

# ¿ Jun 15, 2016 21:32

I've been designing an AD revamp lately and I decided to brush up on my best practices. I found some presentations at a MS conference and one of them by one of the top guys that designs complex ADs for a living outright said "GPO by OU is rigid and inflexible, stop doing it. Use security filtering instead and use OUs for administrative delegation only." Even the experts on this topic can't agree so how in the gently caress are the sysadmins in the field supposed to know how things should be done anymore? As you said, security filtering did exactly what it said on the box, until yesterday when suddenly it doesn't anymore and the silence from MS on the topic is very irritating.

# ¿ Jun 15, 2016 21:48

Update on the GPO thing: MS updated the KB to confirm that the machine account is now used to read user policies and that you need to add read permissions for either Authenticated Users or Domain Computers to each policy you remove the default security filtering from. The behaviour change in this update will not be revised and this is the new normal. Nice of them to let us know that one in advance.

# ¿ Jun 16, 2016 17:15

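An added PowerShell example (not the thread's or Microsoft's own script) of the check the post above describes: list every GPO whose security filtering no longer grants any read right to Authenticated Users or Domain Computers, and optionally add read-only (not Apply) permission for Domain Computers so the machine account can read the user policy again. It assumes the GroupPolicy RSAT module and an account allowed to edit GPO security.

```powershell
# Added example (not from the thread). -Fix is off by default, so a first run only reports.
Import-Module GroupPolicy

# Any of these levels includes the right to read the GPO.
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-GpoReadable {
    # True if the named group holds at least read on the GPO.
    param([guid]$Guid, [string]$Group)
    # Get-GPPermission errors when the trustee has no entry; treat that as "not readable".
    $p = Get-GPPermission -Guid $Guid -TargetName $Group -TargetType Group -ErrorAction SilentlyContinue
    return ($null -ne $p) -and ("$($p.Permission)" -in $ReadLevels)
}

function Repair-GpoComputerRead {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Fix)

    foreach ($gpo in Get-GPO -All) {
        $authUsers = Test-GpoReadable -Guid $gpo.Id -Group 'Authenticated Users'
        $domComp   = Test-GpoReadable -Guid $gpo.Id -Group 'Domain Computers'
        if ($authUsers -or $domComp) { continue }   # machine account can already read it

        [pscustomobject]@{ GPO = $gpo.DisplayName; Id = $gpo.Id; Status = 'no computer read' }

        # GpoRead only: the computer needs to *read* the GPO to evaluate the user's
        # security filtering. Granting Apply instead would make any computer settings
        # in the GPO apply to every computer and defeat the filtering.
        if ($Fix -and $PSCmdlet.ShouldProcess($gpo.DisplayName, 'Grant Domain Computers GpoRead')) {
            Set-GPPermission -Guid $gpo.Id -TargetName 'Domain Computers' -TargetType Group `
                -PermissionLevel GpoRead | Out-Null
        }
    }
}

# Report first; then apply with -Fix, or preview the changes with -Fix -WhatIf.
Repair-GpoComputerRead
```

Granting Domain Computers rather than Authenticated Users is the narrower of the two options the KB offers, which matters for the concern raised earlier in the thread about every domain user being able to read every policy in SYSVOL.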
Wrath of the Bitch King posted: I can tell you that in my organization we only own SCCM, nothing else. We didn't itemize for it either, it was part of the EA.

If WSUS, SCCM and SQL are all running on the same server you are allowed to use SQL for WSUS. Also for parts of MDT if it is also all hosted on the same server. It's really convoluted, but that's Microsoft.

# ¿ Oct 4, 2016 01:16

It's Patch Tuesday and it looks like we've got a root-level RCE in the font renderer again (surprise!!!) with an active exploit: https://technet.microsoft.com/en-us/library/security/MS16-132

Time to start patching.

# ¿ Nov 8, 2016 19:44

CLAM DOWN posted: ¯\_(ツ)_/¯

# ¿ Nov 8, 2016 19:51

A quick heads up for anyone with WSUS: you might not be able to sync with Microsoft Update right now if you have the Upgrades classification selected. Turning it off makes syncing function again. It must have something to do with the Creators Update.

# ¿ Apr 11, 2017 21:17

GreenNight posted: Also if you are on v1507 of Windows 10 and not Enterprise, welp..

We started our Windows 10 upgrade at v1511 thankfully due to all the initial problems with v1507. I'm just about to push through v1607 next week and I'm holding my breath that my successful deployment tests were a positive omen for the rest of the fleet...

# ¿ Apr 13, 2017 17:47

A CA will use either the expiry in the template or its own expiry date when issuing a cert, whichever is sooner. This prevents a cert from expiring after the CA cert and causing a cert chain validity issue.

# ¿ Sep 3, 2018 00:39

This Microsoft blog article explains it pretty well: https://blogs.technet.microsoft.com/kammertime/2018/07/13/servicing-channels-explained/

Windows Server SAC is basically for containers where you can redeploy containerized apps quickly, instead of using in-place upgrades. It also only comes in Server Core and Nano (if that's still alive). It's not a good Hyper-V host and MS says you shouldn't do it.

# ¿ Oct 22, 2018 19:09

Hey, if you still have Windows Server 2008 R2 (or earlier) in your networks, get to patching pretty much ASAP. There's a CVSS3 Base 9.8 score, pre-authentication, wormable attack against RDP:

quote: A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

# ¿ May 14, 2019 19:42

incoherent posted: yikes. what if you got RDP gateway? Same deal?

I just rolled it anyways even with NLA on. I only have a couple of 2008 R2s left anyways so why not get it over with.

# ¿ May 14, 2019 20:14

Sickening posted: Why on earth would anyone still have rdp gateway?

Why would anyone still have Windows XP/Server 2003? Enough must, given that MS pushed updates for a long-dead product.

# ¿ May 14, 2019 20:43