Upcoming change (March 2020) – Microsoft to disable use of unsigned LDAP port 389

In March 2020, Microsoft is going to release an update that will effectively disable the use of unsigned LDAP by default. This means you can no longer use bindings or services that bind to domain controllers over unsigned LDAP on port 389. You can use either LDAPS over port 636 or StartTLS on port 389, but both require that you add a certificate to your domain controllers. This hardening can be done manually ahead of the security update that will enable these settings by default.

How to add signed LDAPS to your domain controllers

You can read more about the specific change here: https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows and here: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-update-now/ba-p/921536

After the change the following features will be supported against Active Directory.


How will this affect my environment?

Clients that rely on unsigned SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds, or on LDAP simple binds over a non-SSL/TLS connection, stop working after you make this configuration change. This also applies to third-party solutions that rely on LDAP, such as Citrix NetScaler/ADC and other network appliances, Vault, and other authentication mechanisms that rely on LDAP. If you haven’t fixed this, it will stop working. This update applies to all versions:

  • Windows Server 2008 SP2
  • Windows 7 SP1
  • Windows Server 2008 R2 SP1
  • Windows Server 2012
  • Windows 8.1
  • Windows Server 2012 R2
  • Windows 10 1507
  • Windows Server 2016
  • Windows 10 1607
  • Windows 10 1703
  • Windows 10 1709
  • Windows 10 1803
  • Windows 10 1809
  • Windows Server 2019
  • Windows 10 1903
  • Windows 10 1909

How to check if something is using unsigned LDAP?

If the directory server is configured to reject unsigned SASL LDAP binds or LDAP simple binds over a non-SSL/TLS connection, it logs a summary under Event ID 2888 once every 24 hours when such bind attempts occur. Microsoft advises administrators to enable LDAP channel binding and LDAP signing as soon as possible, before March 2020, to find and fix any operating system, application or intermediate device compatibility issues in their environment.

You can also use this article to troubleshoot: https://docs.microsoft.com/en-us/archive/blogs/russellt/identifying-clear-text-ldap-binds-to-your-dcs
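The following script is an added example and not part of the original post: it audits a domain controller for the signing and channel binding state discussed above, switches on per-client logging, and lists the clients that still bind unsigned or in clear text so they can be fixed before the enforcement update lands. Assumptions not taken from the post: it runs elevated on a DC; the NTDS registry value names are the ones Microsoft's KB uses (LDAPServerIntegrity, LdapEnforceChannelBinding, 16 LDAP Interface Events); event 2889 carries the client address, identity and binding type as its first three properties; the function names are this example's own.

```powershell
# Added example (not from the original post): inventory unsigned LDAP binds on a DC.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-LdapHardeningState {
    $p = Get-ItemProperty -Path $ntdsParams -ErrorAction SilentlyContinue
    $d = Get-ItemProperty -Path $ntdsDiag   -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # 0 or absent = sign only if the client asks for it, 2 = signing required
        LDAPServerIntegrity       = $p.LDAPServerIntegrity
        # 0 = never, 1 = when the client supports it, 2 = always require channel binding tokens on LDAPS
        LdapEnforceChannelBinding = $p.LdapEnforceChannelBinding
        # 2 = log one event 2889 per unsigned/clear-text bind instead of only the 24h summary
        LdapInterfaceEvents       = $d.'16 LDAP Interface Events'
    }
}

function Enable-UnsignedBindLogging {
    # Switch on per-client logging; set the value back to 0 once the inventory is done.
    Set-ItemProperty -Path $ntdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-UnsignedBindSummary {
    # 2887 = daily count while the DC still accepts such binds, 2888 = daily count once it rejects them
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887, 2888 } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Get-UnsignedLdapClients {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Assumption: property 2 is the binding type, 0 = unsigned SASL, 1 = simple bind in clear text
        $type = if ([int]$e.Properties[2].Value -eq 0) { 'UnsignedSASL' } else { 'SimpleClearText' }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Client   = $e.Properties[0].Value   # IP:port of the binding client
            Identity = $e.Properties[1].Value   # account the client bound as
            BindType = $type
        }
    }
}

Get-LdapHardeningState
Get-UnsignedBindSummary
Get-UnsignedLdapClients -Hours 24 |
    Group-Object Client, Identity, BindType |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run Enable-UnsignedBindLogging first, wait a day or two so that scheduled jobs and appliances have had a chance to bind, then review the grouped output. Each client listed needs either LDAPS/StartTLS or a SASL bind that negotiates signing (Kerberos or NTLM); the SASL route needs no certificate on the DC, which matters for appliances that cannot validate one.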

Credits: https://msandbu.org/upcoming-change-microsoft-to-disable-use-of-unsigned-ldap-port-389/

Important information before upgrading to vSphere 6.7 (KB53704)

This article provides important documentation and upgrade information that must be reviewed before upgrading to vSphere 6.7.

Resolution

Compatibility considerations

TLS protocols

These products are not compatible with vSphere 6.7 at this time:

  • VMware NSX
  • VMware Integrated OpenStack (VIO)
  • VMware vSphere Integrated Containers (VIC)
  • VMware Horizon

Environments with these products should not be upgraded to vSphere 6.7 at this time. This article and the VMware Product Interoperability Matrixes will be updated when a compatible release is available.

Upgrade Considerations

Before upgrading your environment to vSphere 6.7, review these critical articles to ensure a successful upgrade:
For vSphere

Upgrades to vSphere 6.7 are only possible from vSphere 6.0 or vSphere 6.5. If you are currently running vSphere 5.5, you must first upgrade to either vSphere 6.0 or vSphere 6.5 before upgrading to vSphere 6.7.

For vCenter Server

For Distributed Virtual Switches

VMware OS Optimization Tool Version b1097 Released

On 2018-03-30, VMware announced a new version of the VMware OS Optimization Tool, so the latest and greatest version is now b1097.

Fixes and enhancements in this version include:

  • [Template] Issue fix – DELETEVALUE actions do not do anything
  • [Template] Issue fix – DISM commands missing /NoRestart switch
  • [Tool] Issue fix – Switching to another tab loses all unsaved changes
  • [Tool] Enhancement – Simplify user interaction in Template Editor. Now editing template no longer requires repeated Update button click. Mac style editing is applied (Automatically save changes along with edit)

For those of you not aware of this tool, it is used to optimise Windows 7/8/2008/2012/10 for Horizon View deployments, and it performs the following actions:

  • Local Analyze/Optimize
  • Remote Analyze
  • Optimization History and Rollback
  • Managing Templates

Read more and download VMware OS Optimization Tool Version b1097 here.

Install VMware PowerCli

1. Install the PowerShellGet module

Installing items from the Gallery requires the latest version of the PowerShellGet module, which is available in Windows 10, in Windows Management Framework (WMF) 5.0, or in the MSI-based installer (for PowerShell 3 and 4).

With the latest PowerShellGet module, you can:

Supported Operating Systems

The PowerShellGet module requires PowerShell 3.0 or newer.

Therefore, PowerShellGet requires one of the following operating systems:

  • Windows 10
  • Windows 8.1 Pro
  • Windows 8.1 Enterprise
  • Windows 7 SP1
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2008 R2 SP1

PowerShellGet also requires .NET Framework 4.5 or above. You can install .NET Framework 4.5 or above from here.

2. Find-Module -Name VMware.PowerCLI

3. Install-Module -Name VMware.PowerCLI -Scope CurrentUser

4. When you start PowerShell, the VMware.PowerCLI module is loaded automatically.
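The four steps above as one script, added here as an example rather than taken from the post or from VMware: it checks that PowerShellGet is present, installs VMware.PowerCLI for the current user only if it is missing, confirms the module loaded, and then tightens the default certificate policy so that a connection to a vCenter or ESXi host with an untrusted certificate fails instead of only warning. It assumes PowerShell 5.x (or WMF 5.0) and access to the PowerShell Gallery.

```powershell
# Added example (not from the original post): install and harden PowerCLI in one go.
if (-not (Get-Command Install-Module -ErrorAction SilentlyContinue)) {
    throw 'PowerShellGet is not available; install WMF 5.0 or newer (or PowerShell 5.x) first.'
}

# Step 2/3: look up and install the module for this user only (no admin rights needed).
# The Gallery is an untrusted repository by default; -Force answers the install prompt
# for this module only, without marking the whole repository trusted.
if (-not (Get-Module -ListAvailable -Name VMware.PowerCLI)) {
    Find-Module -Name VMware.PowerCLI | Select-Object Name, Version, Repository
    Install-Module -Name VMware.PowerCLI -Scope CurrentUser -Force
}

# Step 4: auto-loading would do this on first use; importing explicitly surfaces load errors now.
Import-Module VMware.PowerCLI -ErrorAction Stop

# Fail closed on invalid certificates (default is Warn, which lets the session continue)
# and opt out of the Customer Experience Improvement Program telemetry.
Set-PowerCLIConfiguration -Scope User -InvalidCertificateAction Fail -ParticipateInCEIP $false -Confirm:$false

Get-Module -Name VMware.PowerCLI | Select-Object Name, Version
Get-PowerCLIConfiguration -Scope User
```

If you need to talk to a host with a self-signed certificate, install that certificate in the trusted store of the admin workstation rather than relaxing InvalidCertificateAction, so the policy stays strict for every other host.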

Imported Hotfixes for Windows 2008 R2 Clustering


NTFS.sys

2814923 “0x0000009E” Stop error and disk volumes cannot be brought online on a Windows Server 2008 R2-based failover cluster
http://support.microsoft.com/kb/2814923/EN-US

MPIO

2754704 A hotfix is available that provides a mechanism for DSM to notify MPIO that a particular path is back online in Windows Server 2008 and Windows Server 2008 R2
http://support.microsoft.com/kb/2754704/EN-US

storport.sys

2780444 “0x0000012E” Stop error occurs when an application sends a 12-byte SCSI opcode to an iSCSI target in Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, and Windows Server 2008 R2 SP1
http://support.microsoft.com/kb/2780444/EN-US

msiscsi

2684681 Iscsicpl.exe process stops responding when you try to reconnect a storage device to a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2
http://support.microsoft.com/kb/2684681/EN-US

rdbss

2670567 “0x000000027” Stop error when you copy a file from a redirected folder in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/kb/2670567/EN-US

Kernel

2805853 “0x0000008E” Stop error on a computer that is running Windows 7 or Windows Server 2008 R2
http://support.microsoft.com/kb/2805853/EN-US

RPCSS

2756999 Handle leak occurs on a COM client that is running on a Windows 7 or Windows Server 2008 R2 computer
http://support.microsoft.com/kb/2756999/EN-US

Mrxsmb10

2727324 Computer stops responding after you connect to an SMB 1 server in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/kb/2727324/EN-US

Mrxsmb20

2778834 File becomes corrupted when you try to overwrite the file while it is opened by another user on a computer that is running Windows 7 or Windows Server 2008 R2
http://support.microsoft.com/kb/2778834/EN-US

TCPIP

2519644 Stop code in the tcpip.sys driver on a computer that is running Windows Server 2008 R2: 0x000000D1
http://support.microsoft.com/kb/2519644/EN-US

2524478 The network location profile changes from “Domain” to “Public” in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/kb/2524478/EN-US

IIS Crypto the best tool to configure SSL/TLS cipher suites

IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012 and 2016. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click, create custom templates and test your website.

Features

– Single click to secure your website using best practices
– Create custom templates that can be saved and run on multiple servers
– Stop DROWN, logjam, FREAK, POODLE and BEAST attacks
– Disable weak protocols and ciphers such as SSL 2.0, 3.0 and MD5
– Enable TLS 1.1 and 1.2
– Enable forward secrecy
– Reorder cipher suites
– Built in Best Practices, PCI, PCI 3.1 and FIPS 140-2 templates
– Site scanner to test your configuration
– Command line version
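IIS Crypto applies its templates by editing the Schannel registry keys, so the result can be verified, or drift detected later, from a script. The script below is an added example and not IIS Crypto's own code: it reads the per-protocol Schannel keys on the server side, reports which of the weak protocols the tool is meant to disable (SSL 2.0, SSL 3.0, TLS 1.0) are still on, and shows the Group Policy cipher suite order the Reorder feature writes. It assumes the standard Schannel key layout (Enabled / DisabledByDefault values under each protocol's Server subkey) and that an absent key means the OS default applies; the function names are this example's own.

```powershell
# Added example (not from the original post or IIS Crypto): audit Schannel protocol state.
$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$weak      = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0')

function Get-SchannelProtocolState {
    param([ValidateSet('Server', 'Client')][string]$Side = 'Server')
    foreach ($p in $protocols) {
        $v = Get-ItemProperty -Path (Join-Path $schannel "$p\$Side") -ErrorAction SilentlyContinue
        # Absent key: Windows falls back to its built-in default for that version, which
        # differs between 2008 and 2016, so report it as such instead of guessing.
        $state = if ($null -eq $v)                   { 'OS default (key absent)' }
                 elseif ($v.Enabled -eq 0)           { 'Disabled' }
                 elseif ($v.DisabledByDefault -eq 1) { 'Disabled by default' }
                 else                                { 'Enabled' }
        [pscustomobject]@{ Protocol = $p; Side = $Side; State = $state }
    }
}

function Get-WeakProtocolsStillOn {
    # Anything not explicitly disabled counts as "on"; empty output is the desired result.
    Get-SchannelProtocolState -Side Server |
        Where-Object { ($_.Protocol -in $weak) -and ($_.State -notlike 'Disabled*') }
}

function Get-CipherSuiteOrder {
    # The SSL Cipher Suite Order policy value that the Reorder feature writes; absent = OS default order.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $v = Get-ItemProperty -Path $policy -Name Functions -ErrorAction SilentlyContinue
    if ($v) { $v.Functions -split ',' } else { 'OS default order (no policy value set)' }
}

Get-SchannelProtocolState -Side Server | Format-Table -AutoSize
Get-WeakProtocolsStillOn
Get-CipherSuiteOrder
```

Run it before and after applying a template and diff the output; a protocol reported as "OS default (key absent)" on an older server is typically still enabled, which is exactly the case the Best Practices template closes by writing explicit Enabled=0 values.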


WMI Filters for OS version

DESKTOPS

ANY WINDOWS DESKTOP OS

  • Any Windows Desktop OS – 32-bit
    select * from Win32_OperatingSystem WHERE ProductType = "1" AND NOT OSArchitecture = "64-bit"
  • Any Windows Desktop OS – 64-bit
    select * from Win32_OperatingSystem WHERE ProductType = "1" AND OSArchitecture = "64-bit"

WINDOWS 7

  • Windows 7
    select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="1"
  • Windows 7 – 32-bit
    select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"
  • Windows 7 – 64-bit
    select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="1" AND OSArchitecture = "64-bit"

WINDOWS 8.1

  • Windows 8.1
    select * from Win32_OperatingSystem WHERE Version like "6.3%" AND ProductType="1"
  • Windows 8.1 – 32-bit
    select * from Win32_OperatingSystem WHERE Version like "6.3%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"
  • Windows 8.1 – 64-bit
    select * from Win32_OperatingSystem WHERE Version like "6.3%" AND ProductType="1" AND OSArchitecture = "64-bit"


WINDOWS 10

  • Windows 10
    select * from Win32_OperatingSystem WHERE Version like "10.0.%" AND ProductType="1"
  • Windows 10 – 32-bit
    select * from Win32_OperatingSystem WHERE Version like "10.0.%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"
  • Windows 10 – 64-bit
    select * from Win32_OperatingSystem WHERE Version like "10.0.%" AND ProductType="1" AND OSArchitecture = "64-bit"

SERVERS

ANY WINDOWS SERVER OS

  • Any Windows Server OS
    select * from Win32_OperatingSystem where (ProductType = "2") OR (ProductType = "3")
  • Any Windows Server OS – 32-bit
    select * from Win32_OperatingSystem where ((ProductType = "2") OR (ProductType = "3")) AND NOT OSArchitecture = "64-bit"
  • Any Windows Server OS – 64-bit
    select * from Win32_OperatingSystem where ((ProductType = "2") OR (ProductType = "3")) AND OSArchitecture = "64-bit"
  • Any Windows Server – Domain Controller
    select * from Win32_OperatingSystem where (ProductType = "2")
  • Any Windows Server – Domain Controller – 32-bit
    select * from Win32_OperatingSystem where (ProductType = "2") AND NOT OSArchitecture = "64-bit"
  • Any Windows Server – Domain Controller – 64-bit
    select * from Win32_OperatingSystem where (ProductType = "2") AND OSArchitecture = "64-bit"
  • Any Windows Server – Non-Domain Controller
    select * from Win32_OperatingSystem where (ProductType = "3")
  • Any Windows Server – Non-Domain Controller – 32-bit
    select * from Win32_OperatingSystem where (ProductType = "3") AND NOT OSArchitecture = "64-bit"
  • Any Windows Server – Non-Domain Controller – 64-bit
    select * from Win32_OperatingSystem where (ProductType = "3") AND OSArchitecture = "64-bit"

WINDOWS SERVER 2008 R2

  • Windows Server 2008 R2 – 64-bit – DC
    select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="2"
  • Windows Server 2008 R2 – 64-bit – non-DC
    select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="3"

WINDOWS SERVER 2012 R2

  • Windows Server 2012 R2 – 64-bit – DC
    select * from Win32_OperatingSystem WHERE Version like "6.3%" AND ProductType="2"
  • Windows Server 2012 R2 – 64-bit – non-DC
    select * from Win32_OperatingSystem WHERE Version like "6.3%" AND ProductType="3"
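A WMI filter that is mistyped or has the wrong operator precedence silently applies the GPO to the wrong machines, so it is worth evaluating the WQL on a test box before linking it. The script below is an added example, not part of the original list: it shows the three Win32_OperatingSystem properties the filters above test on, and runs a handful of filters through Get-CimInstance -Query, which evaluates WQL the same way the Group Policy client does (the filter applies when the query returns at least one instance). The function names and the sample filter set are this example's own; one deliberately unparenthesised server filter is included to show the AND-before-OR precedence trap.

```powershell
# Added example (not from the original post): evaluate Group Policy WMI filters locally.
function Get-OsFilterFacts {
    # Version "6.1%" = Windows 7 / 2008 R2, "6.3%" = 8.1 / 2012 R2, "10.0%" = 10 / 2016 / 2019.
    # ProductType: 1 = workstation, 2 = domain controller, 3 = member or standalone server.
    Get-CimInstance -ClassName Win32_OperatingSystem |
        Select-Object Caption, Version, ProductType, OSArchitecture
}

function Test-WmiFilter {
    param([Parameter(Mandatory)][string]$Query)
    # -ErrorAction Stop makes malformed WQL (unbalanced quotes, typos) throw instead of
    # quietly evaluating to "does not apply".
    $result = Get-CimInstance -Query $Query -ErrorAction Stop
    [bool]$result
}

$filters = [ordered]@{
    'Any desktop, 64-bit'         = 'select * from Win32_OperatingSystem WHERE ProductType = "1" AND OSArchitecture = "64-bit"'
    'Windows 10'                  = 'select * from Win32_OperatingSystem WHERE Version like "10.0.%" AND ProductType="1"'
    'Any server, 32-bit'          = 'select * from Win32_OperatingSystem WHERE ((ProductType = "2") OR (ProductType = "3")) AND NOT OSArchitecture = "64-bit"'
    # Precedence trap: AND binds tighter than OR, so this reads as
    # ProductType=2 OR (ProductType=3 AND NOT 64-bit) and matches every DC, 64-bit included.
    'Any server, 32-bit (buggy)'  = 'select * from Win32_OperatingSystem WHERE (ProductType = "2") OR (ProductType = "3") AND NOT OSArchitecture = "64-bit"'
}

Get-OsFilterFacts | Format-List
foreach ($name in $filters.Keys) {
    [pscustomobject]@{ Filter = $name; Applies = (Test-WmiFilter -Query $filters[$name]) }
}
```

Run it on a 64-bit domain controller: the corrected "Any server, 32-bit" filter returns False while the buggy form returns True, which is exactly the kind of mistake that would otherwise push a 32-bit-only policy onto every DC.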

WINDOWS SERVER 2016

Announcing Open Live Writer – An Open Source Fork of Windows Live Writer

Today is the day. An independent group of volunteers within Microsoft has successfully open sourced and forked Windows Live Writer. The fork is called Open Live Writer (also known as OLW) and it is part of the .NET Foundation and managed by this group of volunteers. Read the fantastic announcement at the .NET Foundation Blog! Download Open Live Writer now!

Windows Live Writer 2012 was the last version Microsoft released and can still be downloaded from http://www.windowslivewriter.com. If you’re not comfortable using Open Source Software, I recommend you stick with classic WLW.

If you’re willing to put up with some bugs, then join us in this brave new world, you can download Open Live Writer from http://www.openlivewriter.org. We’re calling today’s release version 0.5.

Here are some of the added features, the removed features, the stuff that doesn’t work, and our plans for the future:

  • REMOVED: Spell Checking. The implementation was super old and used a 3rd party spell checker we didn’t have a license to include in an open source release. Going forward we will add Spell Check using the built-in spell checker that was added in Windows 8. Open Live Writer on Windows 7 probably won’t have spell check.
  • REMOVED: The Blog This API. It was a plugin to Internet Explorer and Firefox and was a mess of old COM stuff.
  • REMOVED: The “Albums” feature. It uploaded photos to OneDrive but depended on a library that was packaged with Windows Live Mail and Live Messenger and we couldn’t easily get permission to distribute it in an open source project.
  • ADDING VERY SOON: Google runs the excellent Blogger blog service. We’ve worked with the Blogger Team within Google on this project, and they’ve been kind enough to keep an older authentication endpoint running for many months while we work on Open Live Writer. Soon, Google and Blogger will finally shut down this older authentication system. Blogger will use the more modern OAuth 2 and Open Live Writer will be updated to support OAuth 2. Windows Live Writer will never support this new OAuth 2 authentication system, so if you use Blogger, you’ll need to use Open Live Writer.
  • BROKEN/KNOWN ISSUES: We are actively working on supporting Plugins. We have a plan in place and we are looking for your feedback on the most popular plugins that you want brought over from the Windows Live Writer ecosystem.

Our roadmap for the future is published here on GitHub.

Windows Update KB3097877 crashes Outlook

A recent update for Windows may cause Outlook to crash.

The update that causes this is KB3097877, and it appears to be limited to only some Windows 7 installations when downloading online images for an HTML message. The version of Outlook that you are using doesn’t seem to matter, and other applications may also be affected.

Thanks to Howto-Outlook

MS15-122 Security Update for Kerberos to Address Security Feature Bypass (Bitlocker)

This security update resolves a security feature bypass in Microsoft Windows. An attacker could bypass Kerberos authentication on a target machine and decrypt drives protected by BitLocker. The bypass can be exploited only if the target system has BitLocker enabled without a PIN or USB key, the computer is domain-joined, and the attacker has physical access to the computer.

This security update is rated Important for all supported editions of Windows. For more information, see the Affected Software section.

The update addresses the bypass by adding an additional authentication check that will run prior to a password change. For more information about the vulnerability, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3105256.
