WannaCrypt Malware

Of course you have heard about the new malware, which yesterday created a lot of problems in industry. Unfortunately it is not an unknown problem.
Microsoft released a patch for this type of vulnerability already in March, but it seems once again that administrators are not patching their systems.
So, if you haven’t patched your systems at least every month, if you haven’t patched your system from March, is time to do it. And don’t forget to have a good defense system (antivirus and other prevention mechanisms). Update them to!
You can find additional information in this link.

Here is a link to post how was neutralized and who did this.
Anyway, we have already a version 2.0; you can read about this version here.
Again, please patch your systems! This update will solve a vulnerability. And don’t forget: this is not the first malware who was written on known vulnerability – patch your systems constantly!
Additionally, please disable SMB1 protocol – it is not new that it is not secure. Here and here are some guidelines how to do it via GPO.

Export and import DHCP settings with netsh

Sometimes you will have to transfer DHCP settings via netsh command. This could be useful for a couple of reasons and it is fine to know how to approach it. Anyway, this is the quickest way to do a DHCP migration.
First you have to login to source server (it could be also a failover clustered DHCP service) and open CMD as Administrator. Then you have to enter in netsh mode with typing:
netsh
Now you have to select server with typing:
dns server \\servername
Where servername is the name of the old DHCP server or clustered service name. This will connect you to DHCP server and you are ready to export settings with this command:
export filename all        to export the entire configuration or
export filename 192.168.222.0    to export only a scope configuration (in my case 192.168.222.0)
Of course, you have to replace the filename with full path and name of the file where you want to save exported data. This file now must be transferred to target – new server and we are ready to import the configuration. Of course, priory you import the configuration, the new server has to be authorized in AD. To begin an import procedure, we have to do the same steps as on the old server; open command prompt, enter into netsh mode and select DHCP server. After this, we have just a step to import settings with this command:
Import filename all        to import all settings or
Import filename 192.168.222.0    to import just a scope
That’s all. Just be sure to double-check if the import did its job, disable and unautorize the old server (you can do it also with netsh: netsh dhcp delete server ServerIP). Of course, don’t forget to uninstall the service on the old computer.
You have finished. Good work!

Using FSRM against Ransomware

Every administrator is afraid about Ransomware software. We want to protect our systems with so many different approaches and at many layers, but almost always we try to use complicate techniques to archive basic objectives. I found on TechNet an article, which sounds good for me and I am also confidential using Windows embedded functionalities for trying to prevent an attack.
Are there positive and negative sides? Of course they are, the most important negative thing I recognize is that we are using technology based on file type. Actually we are trying to prevent to write all known file extensions that can be written on our system. This will work if we know the extension and we have to search for new used file extensions and add them as blocked file types. But there are also positive things: we don’t need to buy anything, we have all we need ready on our server – we have just to use it! It is very simple to configure and maintain and it works!
When I read this article, I was surprised why I have to do all those steps thru GUI? We can simply use PowerShell that is quicker and it will do exactly the same things every time we will start it. Well, I made a script that you can run on every server you have to protect and for every share or partition you want to protect. There is only one think that you cannot protect: system drive if you try to prevent whole drive. In this case, the protection will be passive and not active and there is no way to change it (but I hope that you don’t share system drive).
Things that you have to know are basic, just few data:
  • Path to protect
  • SMTP server for sending mail (and be careful with authentication! Test it!)
  • Mail address form which mail will be sent
  • Mail address from administrator
  • Script that you want to run after detection (if you want)
You can run it as many times you want, on every server you want (version 2008 and newer) and you will be able to protect your data. It is a secure way to do it because you just prevent to change the data transformation and not the malware itself. I recommend also to use a script published on TechNet article for disabling the AD user or deny user access to server (It is also zipped into my file; including subinacl.msi).
To prevent malware, you can use an additional build in function: AppLocker and also this is explained here. And by the way, the approach is tested on Server 2016 TP5 – it’s working!
Enjoy!

Forgot ILO Password?

No problem. You can reset it via software from your operating system. It is possible to do it from almost any Windows server system and from Linux (from Linux I didn’t try).
To do this, you have to install HP Lights-Out Online Configuration Utility for the system that you are using. You can download it form HP web page, where the drivers are located.
After you have installed this software, you will need a XML file with this content:

<ribcl VERSION=”2.0″>
 <login USER_LOGIN=”Administrator” PASSWORD=”boguspassword”>
   <user_INFO MODE=”write”>
    <mod_USER USER_LOGIN=”Administrator”>
     <password value=”YourNewPassword”/>
    </mod_USER>
   </user_INFO>
 </login>
 </ribcl>

I know, that the login password (the old one) is not correct, but you don’t need to know it (scary…), it will work.
Save this file into the folder C:\Progam Files\HP\hponcfg and launch the command prompt as Administrator. Navigate to the folder and type:
Hponcfg /f YourFile.xml /l YourLogFile.txt
You will be noticed that script worked correctly. Now you have just to login into ILO with the new password.
Easy to do it. Maybe too easy.

More reading:
Export ILO configuration

ILO Scripting guide.

Step-by-step DC migration from SBS 2003 to Essentials 2012R2

Almost all of us, administrators of SBS servers, did a migration from one version to another several times. But in this moment we have at least two problems: SBS doesn’t exist anymore (and we have to do a hybrid deployment) and the new situation – the Essentials server 2012R2 doesn’t have a migration mode. So, I decided to write a blog how to migrate the SBS 2003 AD to the Essentials Server 2012R2 step by step.

Maybe in this steps there is a restart that is not really necessary, but please, do it. This is the only way that grants you success to migrate the AD and finally install the Essentials role successfully. Take your time and go through this steps:

 

  • Start with uninstalling or disabling features of the SBS 2003. The first thing to do is to uninstall the ISA server (if it is installed – not covered in this article) and run the Connect to internet wizard again.
  • Restart the SBS Server. If you have enabled the VPN, run the Configure Remote Access Wizard and disable the VPN access. Don’t forget it! You will not be able to disable it later!SBS_Mig1
  • Shutdown the SBS Server and remove the second NIC (the NIC that is connected to Internet).
  • Add the router to the network and configure the port redirection (for now to the SBS server – you need this step because you must receive E-Mails, grant remote access,…Do not forget to forward ports 80, 443, 25 and 987 – not covered in this article).
  • Start the SBS Server and run the Connect to Internet Wizard again:
    • Select the Broadband connection.SBS_Mig2
    • From the dropdown menu select I have a router device with an IP address.SBS_Mig3
    • Add DNS names from your ISP and the gateway address (the IP of the router).SBS_Mig4
    • Finish the wizard with defaults settings.SBS_Mig5
  • From C:\Windows\Sysvol\Sysvol\DomainName\scripts delete the SBS_LOGIN_SCRIPT.bat file. This file is present in any SBS user as logon script and you have to delete it from all of the users as well.
  • Form the Start Menu > Administrative tools, start the Active Directory Domains and Trusts. In the left panel, right click on Active Directory Domains and Trusts and select Raise Forest Functional Level. Raise the forest level to the Windows Server 2003 version.SBS_Mig6
  • Restart the SBS Server.
  • On the Essentials server, on the Configure Windows Server Essentials wizard, press Cancel.SBS_Mig8
  • Open the Control Panel > System and Security > System and change Computer name. Leave the compute member of workgroup. Be careful: you have to rename the computer in this step, you cannot rename it after the Configure Windows Server Essentials wizard is finished.SBS_Mig9
  • My suggestion: From Start > Run type ncpa.cpl, right click on the network connection. Select properties and configure the static IPv4 address. As a DNS server, add a SBS Server IP address.SBS_Mig10
  • Restart the Essentials Server.
  • Open the Server Manager (not Dashboard!) and select Add roles and features. In the Add Roles and Features Wizard, install the Active Directory Domain Services role.
  • Restart the Essentials server.
  • On the Configure Windows Server Essentials wizard, press Cancel again and start the Server Manager again.
  • From Server Manager > Notifications (up right corner) run Promote this server to a domain controller task.
  • When the wizard is open, on the first page select Add a domain controller to an existing domain and enter the SBS admin credentials. When you will confirm this credentials, the Domain field will fill automatically. Click Next.SBS_Mig11
  • The next step is to enter the DSRM password (complex, 8 or more characters) and be careful to check the checkbox of the DNS server! Click Next.SBS_Mig12
  • Clear the checkbox on Update DNS delegation and click Next.SBS_Mig13
  • In the next few steps click Next. In the Review Options check that all options are OK and click Next once again. SBS_Mig14
  • In the Prerequisites Check step, you will receive some warnings. This is nothing serious and you are ready to promote this server as an additional DC in the SBS domain. Click Install.SBS_Mig15
  • During the installation, the domain schema and the forest schema will be automatically upgraded. The process could take a while. After the installation is finished, the server will restart.
  • Logon to the server with the SBS administrator domain credentials.
  • Complete the Configure Windows Server Essentials wizard.SBS_Mig16SBS_Mig17
  • My suggestion: Install the DHCP server on the Essentials Server. Do not use the router as DHCP server. Check forwarders in the DNS server. You have to use only the ISP DNS servers as forwarders or, if you prefer, you could not use any forwarder.

At this point, the Essentials Server 2012R2 is added as an additional DC in the SBS domain. Be careful, because you have only 21 days to complete the migration and you still have a lot of work. You have to transfer all the shared folders data, the Exchange mailboxes, the SharePoint data,… Please do not forget to control and change some settings on the GPO. Remove some GPO (some are set strictly for the SBS).

Be aware, that all workstations have to be added to the “new” domain once again true the connect site.

Be careful also when you will turn off your old server. You cannot just turn it off. You have to uninstall at least the Exchange and the DC role, but I prefer to uninstall all the installed roles, remove the server from the domain (make it part of a workgroup) and after this I turn it off.

Please let me know if you want me to write additional blog posts on migrating other functionalities of SBS..