I’m not one to panic. Overall, I keep a steady head in the face of the onslaught of IT demons out there.
Over the weekend the details of the latest world-wide ransomware attack have come to light. A lucky workaround was temporarily found to prevent propagation of the malicious application. The awful thing is – with all the news about that workaround being released – the creator(s) of said ransomware updated the files. With that workaround no longer relevant, *any* computer running Windows XP through Windows 10, and any server from Server 2003 through Server 2016, is vulnerable. Once infected, the ransomware immediately spreads itself to any computer on your local network (home, work, coffee shop…). I spent time on the weekend patching any back end machines that are accessible to myself on VPN etc. for your organization.
(NB: I’m writing this message once for all clients, so some of this email may not be relevant to your configuration. If you have questions, it is best to give me a quick call/email tomorrow to see if I have any quick instructions for you.)
The Coles Notes of this hack are as follows:
- The NSA had a bunch of information they kept to themselves about a known Windows flaw in the SMB protocol (file sharing)
- This and many other known vulnerabilities were hacked from the NSA and uploaded online by a team of people dedicated to leaking this type of information to help secure the world’s computers and reveal that the NSA isn’t such a great organization
- With the public knowledge of this information, the evil of the IT world made worms, ransomware etc. to take advantage of this flaw
- Microsoft had posted an update to all currently supported operating systems a few weeks ago
- The ransomware in question (mostly known and referred to as variants of ‘WannaCry’) spread like wildfire
- Someone found a workaround for stopping the spread of the ransomware by registering a specific domain that the ransomware looked for online
- The ransomware was updated by its creator and released again into the wild to continue infecting the planet’s computers
- Microsoft released critical patches for all operating systems (even ones that have been dropped for support – XP, Server 2003, Vista…)
- I’ve placed reference material at the foot of this message.
This is where I have some instructions for you Windows users. You can manually install the update for your operating system via links at the bottom of this message. It is recommended to immediately update any Windows system you use completely. Most of you are already familiar with running updates manually. Many of you get updates pushed out to your computer automatically by servers I have on site. Even in that situation, you still need to check for updates in case your computer wasn’t online recently, or if it needs to be rebooted manually. I believe in all the companies that I manage you are running Windows 7 and higher.
Windows 7 – Click the start button. Go to Control panel. Hit Windows update. Run all the updates and reboot until you are completely patched and no more updates are available. In some cases you should click on the blue text that states ‘check for updates online’ just in case you don’t get the latest ones from a server that may be on site at your organization.
Windows 10 – Click the start button. Click the gear. Hit the Update and Security button. Click check for updates and install/reboot until you are completely patched and no more updates are available.
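For anyone checking several machines, the "am I actually patched and rebooted" question can also be answered from a PowerShell prompt. This is an added example, not part of the original message; the 30-day staleness threshold is an assumption, and Get-HotFix only lists the updates Windows reports through its servicing records.

```powershell
# Added example: report how recent the last installed update is and whether
# a reboot is still outstanding on the local machine.
# $MaxAgeDays is an assumed threshold, not a value from the original message.
param([int]$MaxAgeDays = 30)

# InstalledOn can be empty for some entries, so filter those out before sorting.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

# These registry keys exist only while a restart is outstanding.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
$pending = @($rebootKeys | Where-Object { Test-Path $_ })

# Work out the age of the newest update; $null means nothing was reported.
$ageDays  = $null
$hotFixId = 'none reported'
$when     = $null
if ($latest) {
    $ageDays  = [int](((Get-Date) - $latest.InstalledOn).TotalDays)
    $hotFixId = $latest.HotFixID
    $when     = $latest.InstalledOn
}

# New-Object PSObject keeps this usable on the PowerShell 2.0 that ships with Windows 7.
New-Object PSObject -Property @{
    Computer       = $env:COMPUTERNAME
    LatestHotFix   = $hotFixId
    InstalledOn    = $when
    AgeDays        = $ageDays
    Stale          = ($null -eq $ageDays) -or ($ageDays -gt $MaxAgeDays)
    RebootPending  = ($pending.Count -gt 0)
    RebootEvidence = ($pending -join '; ')
} | Select-Object Computer, LatestHotFix, InstalledOn, AgeDays, Stale, RebootPending, RebootEvidence
```

A machine that shows Stale or RebootPending as True still needs the manual update-and-reboot pass described above.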
While this version of ransomware is specific to Windows flaws, that doesn’t mean there is no need for you to keep your machine patched. Please take this time to patch your machines as well. In most cases, you can click the Apple icon -> About This Mac. In the window that appears a link should exist that says ‘update’, ‘check for software updates’ etc. depending on your OS version. You should head over to the app on your device as well and update all the apps you have installed from there. Macs get viruses too – just as often as Windows PCs do. Updates aren’t meant to hinder your computers on purpose or cause you grief. Most of the time they will improve the experience and stability – and more importantly the security of the platform.
The importance of backups:
I’ll take this time again to point out the importance of backing up your data. Ransomware specifically targets the files on your machine and encrypts them to prevent any access to it indefinitely. If you don’t have a backup your files are gone forever. The only workaround to most ransomware is to wipe the disk (or destroy it), reinstall your OS and software (update it!), and recover files from backups.
Safe browsing and email:
I’ve had many security rants before. Let’s cover in a few short notes the basics to safe browsing online:
- Use a modern browser like Chrome/Firefox
- Use uBlock Origin or similar adblock extension for your browser
- Don’t click external links to sites from social media (Twitter, Facebook) – instead SEARCH THE TITLE OR THE CONTENTS OF THE ARTICLE ON GOOGLE AND CLICK THE LINK THERE
- NEVER open unexpected emails from PayPal, your bank etc. IF you didn’t initiate the process for the email, it’s probably spam.
- NEVER open attachments to emails unless you have verified the sender is legitimate, AND YOU WERE EXPECTING THE MESSAGE. I wrote a message on this recently, please refer to it for other email recommendations in catching spam.
Stay safe out there – and remember the wise words from The Hitchhiker’s Guide to the Galaxy.
If you want to simply install the critical patch, you can use the below links to save some time. You will need to know a little bit about your computer to use these links (but don’t worry if you pick the wrong one – it will just tell you that it doesn’t support your platform):
Windows XP SP3
Windows Vista x86 (32 bit)
Windows Vista x64 (64 bit)
Windows 7 x64 (64 bit)
Windows 7 x86 (32 bit)
Windows 2003 x86
Windows 2003 x64 (64 bit)
Alternatively, you can review the different platform versions available from the Microsoft update catalog, in case I made a mistake above:
There are some recent updates to Server 2012 and R2 that have been causing lots of people issues in deploying Windows 10 to client computers as an upgrade. The most common issue is a loss of connectivity from the client computers to the local WSUS deployed and a no longer functioning admin interface for WSUS. Microsoft in their great wisdom has outlined the steps to resolve this, but didn’t make it particularly obvious prior to install. You can find the steps at the following link.
Pretty simple overall – you launch an elevated command prompt and run this line:
"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing
Following that, launch the local Server Manager dashboard and hit 'Add roles and features'. Under the add features portion, open up the .NET Framework section and add 'HTTP Activation' to your server. This won't require a reboot, so follow through by hitting next and so on until it starts the task. Once completed, you can restart the server or simply restart the WSUS service. Like magic, you should be back in business. If you have SSL enabled on your WSUS server, you should review the above link for further details.
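The same three steps can be run from one elevated PowerShell session with a check after each. This is an added example, not taken from the original post or from Microsoft's instructions; it assumes the default WSUS install path, that the HTTP Activation feature meant here is the .NET 4.5 one (NET-WCF-HTTP-Activation45), and that the service is named WsusService.

```powershell
# Added example: the WSUS repair steps above with a check after each one.
# Assumptions: default install path, the .NET 4.5 HTTP Activation feature,
# and the WSUS service name WsusService.
$wsusutil    = 'C:\Program Files\Update Services\Tools\wsusutil.exe'
$featureName = 'NET-WCF-HTTP-Activation45'
$serviceName = 'WsusService'

# Stop early if the session is not elevated; every step below needs admin rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}
if (-not (Test-Path $wsusutil)) {
    throw "wsusutil.exe not found at $wsusutil"
}

# Step 1: re-run the WSUS post-install servicing task.
& $wsusutil postinstall /servicing
if ($LASTEXITCODE -ne 0) {
    throw "wsusutil exited with code $LASTEXITCODE"
}

# Step 2: add HTTP Activation only if it is not already installed.
$feature = Get-WindowsFeature -Name $featureName
if (-not $feature.Installed) {
    $result = Install-WindowsFeature -Name $featureName
    if (-not $result.Success) {
        throw "Installing $featureName failed."
    }
}

# Step 3: restart WSUS and show its state so a failed start is visible.
Restart-Service -Name $serviceName
Get-Service -Name $serviceName | Select-Object Name, Status
```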
Did you get shivers down your sysadmin spine? I did. Years of practice, and I still run into the most intricate and ridiculous problems when administering or deploying a SP install. 15 years in production from MSFT and they still don’t have it right. Here are some lessons I learned in the last 24 hours of trying to deploy a SP 2013 SP1 server to 2012 R2.
“The tool was unable to install Application Server Role, Web Server (IIS) Role.”
- Don’t patch your 2012 R2 server before you try to deploy it. Why? If you aren’t paying close attention to different security patches obtained from MS or from your local WSUS, you can run into this issue right here. I thought I was being a smart fellow having my server set up and patched before running the SP 2013 SP1 (this even happens with the SP1 media) disc and the prerequisite installer. A few hours of arguing with “Error: The tool was unable to install Application Server Role, Web Server (IIS) Role” will eventually lead you down to a few things. You may have forgotten to allow your local server install to call home to MSFT to get installation packages; you can edit the local group policy for that if you don’t have a GPO for it. The next is that you likely updated your .NET 4.5 installation to 4.6, which causes this behaviour in a SP rollout.
- It’s going to be more efficient use of your time to wipe out the virtual machine and start over than try to patch the endless issues you can run into when trying to resolve some of the errors, such as this one. The post linked is a great resource if you want to try to pull out of the nosedive and it’s relatively easy to perform. I gave it a shot; to no avail. The errors persisted. I even ran the MSFT .net clean up tools. No love.
- In reference to point 1: the SP install will run perfectly and reboot a few times if you aren’t up to date and have enabled appropriate package retrieval via GPO or security policy.
- Once you are all installed and running, you can safely patch the server and SP farm.
- Run the prerequisite installer first. It’s in the root folder of the ISO; and aptly named.
- If, after using the script from the post over at SomeShinyObject, your installation still hangs during the “Web Services IIS” portion of the preparation, close the ‘Server Manager’ window. That will allow your installation to complete.
- Now you can run the setup.exe from the ISO. Punch in your key, accept the notes on the requirements (SQL 2008 etc.)
- Note that you can’t have a licensed copy of SP installed, and then use a trial version of Project Server on top of that. There is no workaround for that error. Again, you will be put back to the point where you need to wipe and start over – install SP as a trial so that you can install Project Server as a trial too.
- Try not to shed too many tears doing the same work over and over.
- Real devs do it in production. Sysadmins test it on dev first.
Trend Micro has announced two critical security vulnerabilities in Apple’s Quicktime for Windows. At this time it would be wise to remove any version of Quicktime from computers in a Windows operating system environment until a patch is available. There appear to be rumours of Apple advising that support for Quicktime on the Windows platform has been dropped; but for now Apple has yet to comment on the matter.
If you would rather be safe than sorry, you can find the Quicktime uninstaller in the Programs and Features menu on current Windows platforms. Highlight the application and look for the ‘uninstall’ button near the top of the window.
Windows 10 has rolled out a new feature that allows you to group together tasks on virtual desktops. While the feature leaves a lot to be desired compared to other OSes – it’s not without merit for its usability. The purpose for most would be to separate open tabs in browsers and other applications by task, or by work and play.
Setting up the feature doesn’t take much effort – it’s already enabled for you, and pinned to the task bar in a default install of Windows 10. If you hover over all available icons in the task bar, look for the one labeled ‘Task view’, that has a picture of three rectangles with one centered in front of the other two. This task view will bring up two things – first being all the open applications arranged in a view for your currently selected desktop. The second will be below all this content – Desktop 1 and Desktop 2 (only one if you haven’t set up another yet). You can click the ‘New Desktop’ button on the far right to create extras as you please.
You can use the task view button to switch between your desktops – or the keyboard command of CTRL+WIN+ARROW (left or right). When you flip to another desktop you’ll note that there are no open applications. All your apps, files and settings are available to you from this virtual desktop. You can open up a set of tabs to work on a certain task for a while – and switch back to what you were doing on the other desktop instantly. Well implemented by MS, if simple.
The biggest missing feature from this service is the ability to map shortcuts and other files to the virtual desktop permanently. Unfortunately, MS missed the mark on this spot. If you remove a shortcut on the desktop from Desktop 1, it will be removed from all other Desktops you have opened. This hinders the ability for you to set up a desktop for yourself that is geared toward managing photos – with all those apps pinned to the desktop – and another with all your mail, office suite and personal links. Certainly not the end of the world, but it’s been available as a feature in Linux for a number of years.
Hopefully we will see this in an upcoming update soon – Windows 10 v 1511 and subsequent updates to it have yet to resolve the ‘problem’. I would suggest submitting feedback to Microsoft via the built in Windows 10 tools if you want this feature as much as I do. It requires that you sign into your MSFT account – but it’s well worth the effort to let the MSFT team know you want Virtual Desktops to work better. Click the start button, search for ‘Windows Feedback’ and click on the link. Follow the onscreen prompts to let them know what you think.
It’s been noted before that Windows 10 has been downloading in the background for users of Windows 7 and 8. Now it appears that the update is selected by default – allowing for accidental deployment of a massive update. The aggressive nature of the Windows 10 roll out is causing a lot of grief for users in all kinds of scenarios. It’s a large download – which would slow some networks and connections. This could also cause issues with available space on machines with little to spare (like some with smaller SSDs). It’s a really good idea to pay attention to the optional updates on the list as you run them.
Microsoft’s quote on the matter:
As part of our effort to bring Windows 10 to existing genuine Windows 7 and Windows 8.1 customers, the Windows 10 upgrade may appear as an optional update in the Windows Update (WU) control panel. This is an intuitive and trusted place people go to find Recommended and Optional updates to Windows. In the recent Windows update, this option was checked as default; this was a mistake and we are removing the check.