Various cool software and more
Quad9 the free secure DNS service is in trouble and need our help.
https://www.quad9.net/letter-of-support-for-quad9-and-freedom-of-dns-resolution/
Explainer
If you dont know what Quad9 is, then here is a short explainer. Quad9 is a free DNS services much like Googles well known 8.8.8.8 and 8.8.4.4, Quad9 (9.9.9.9 and 149.112.112.112) however add a very cool FREE security layer to the solution (a bit like Ciscos Umbrella, just not quite as customizable). If you use Quad9s DNS as your DNS service and you get infected by malware (eg. ransomware etc.) then chances are that the malware will try to “phone home” to its command and control server – Quad9 will blocks communication to known command and control DNS addresses thus disrupting many botnets or ransomware “providers”.
Anyhow, Sony has in Germany started a court case to force Quad9 to censor DNS resolution, Sony want Quad9 to block access to pages that Sony claim contain copyright protected content. In Denmark (where I live) we have a similar DNS blocking mandatory for national DNS services, it was originally introduced to block access to child phonography (something all of us could support) – but quickly the music industry and other rights owners/lobbyists saw this as a golden opportunity to block whatever they did not like and succeeded in convincing courts to add to the blocklist.
I support working against crime and child phonography however I do not think DNS blocking is the solution (perhaps against terrorism, pedophilia and violent crimes – but not for immaterial rights), experiences have shown, that what starts as a noble initiative quickly become a tool for lobbyists and huge enterprises to suppress whatever they dont like on the internet.
In general I think that more police, and more crossborder police collaboration is the way forth – not letting Sony and other dictate what is on the internet.
I supported the DNS blocking back in the days when the goal was to protect children against misuse, but now when it is a tool for mega companies and lobbyists my respect is gone.
Did you know:
Quad 9 offers free DNS services with malware filtering – to use just set your DNS (and or DNS servers) to query 9.9.9.9 and 149.112.112.112, then block all other DNS traffic outbound and presto you added a free additional security layer to your setup (company or personal). It is important to add the blocking for other DNS queries in your firewall as malware otherwise could easily bypass your protection. Read more here: https://www.quad9.net/service/service-addresses-and-features
Backblaze has something similar – here you use 1.1.1.2 (blocks malware like Quad9) and 1.1.1.3 (blocks both malware and pornography).
Read more here; https://blog.cloudflare.com/introducing-1-1-1-1-for-families/
To whom it may concern:
We believe that the act of recursive DNS resolution is not within the justifiable legal boundaries of control by rightsholders during infringement litigation. In order for the DNS to remain a stable, secure, and trusted platform, we would urge policymakers and regulators to clarify and reiterate the long-standing understanding that recursive resolution is a neutral technical function that should not be subject to blocking demands imposed by private parties based on data that has not been ruled upon by a suitable and fair court process.
Further, we believe that systems that are designed for providing cybersecurity (be they DNS-based or otherwise) should not be made available to be repurposed for other goals against the interest and intent of the service operator or the end user. This type of corruption of core internet infrastructure risks eroding the trust in both the operators and a technology that is core to the continued well-being of the internet and that of the citizens who use it.
We support Quad9 in their objection to the ruling of the Hamburg Court of (Case 310 O 99/21), and hope that the court finds in favor of the defendant.
So, you recieve this text from someone which they for some reason or other has written in ALL CAPS – *sigh*, what to do – well if it is just a few words then its easy enough, just rewrite the darn thing. But what if it is several pages :-O
Well, there likely is some function in word or notepad++ I dont know about, but there is ALSO a site (there is almost always a site)..
https://convertcase.net/
I mean, who would not LOVE to get their text back in “Morse Code” 😉
Enjoy
#BlockAutoUpgradeToWindows11
So, at long last someone did something smart with Winwows 10 update.. Not exactly breaking news as it happened a year or so ago, but hey -now I needed it…
Anyhow, it is now possible to freeze a Windows 10 build – you COULD (to some degree) do this before also, but it was anything but trivial.
Anyhow, what you need to do is to upgrade your ADMX (Group policy templates) to 21H1, you do this by downloading them from here;
https://www.microsoft.com/en-us/download/details.aspx?id=103124
after unpacking (installing) them, copy them to your DC (most likely here);
c:\Windows\SYSVOL\domain\Policies\PolicyDefinitions
And now we are ready to rock’n roll.
Open: “Group Policy Management Editor”.
Navigate to: Computer Configuration – Policies – Administrative Templates – Windows Components – Windows Update – Windows Update for Business
Here you select: “Select the target Feature Update version”
Now you can set the “Target Version”:
I would expect this to freeze Windows 10 at the 21H1 version and hopefully block automatic upgrades to Windows 11 – but after the Windows 10 bonanza, who knows.
The above settings will trigger these registry settings on the target machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
I am not quite sure how these new settings work with existing Windows Update (and or wsus) settings, as you may see we have some WSUS settings below.
One question you may ask yourself, with Windows 11 comming why bother? Well, there is a reason I am looking at this now, and that is precisely Windows 11 – as you may have heard Windows 11 is about to hit-the-fan around October 2021, and we DONT want company machines going berserk upgrading left and right.. So looking for ways to combat automatic upgrades (you may remember the horrific Windows 10 upgrade circus – where Microsoft did anything but to put a gun to your face to trick you into clicking upgrade-now). The above policy ought to help block this (if Microsoft is true to the spirit of the policies).
So what does these new settings mean?
TargetReleaseVersion DWORD
Well the “TargetReleaseVersion” is more or less a toggle switch that tell Windows you wish to control the Windows Version/build. Whereas the “TargetReleaseVersionInfo” tell Windows WHICH version you are aiming at.
TargetReleaseVersionInfo STRING
If you enter a “TargetReleaseVersionInfo” that is higher than the currently installed build, windows will attempt to upgrade to this build. If you set a version number that is NOT the latest, Windows will attempt to upgrade to this and will stay there at least until “end of service” – it is unclear if Windows will autoupgrade to a later build after “end of service” is reached, but I would not suspect so.
Where can I read about Windows builds available and their status (end of service dates)?
aka.ms/ReleaseInformationPage
or this link: https://docs.microsoft.com/en-us/windows/release-health/release-information
Anyhow, dont take my word for it alone, here are links to a few other sites on the subject..
https://www.ghacks.net/2020/06/27/you-can-now-set-the-target-windows-10-release-in-professional-versions
Bad news for the Windows server admins, it would appear that at zero day exploit has surfaced that is extraordinary bad if you have Domain Controllers with the print-spooler service running (eg. printer role). The exploit allow an attacker to execute code as system via a normal domain user account. As of this post there is no patch available.
Potential Mitigation
Stop and disable the “Printer Spooler” service on servers where it is not required (especially DC’s).
Read more here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675
Do you use Cisco AnyConnect VPN? You may want to check up on your build :-O you need at least Release 4.9.00086
Download fixed build here;
https://software.cisco.com/download/home/286281283/type/282364313/release/4.9.00086
So we had this problem, several of our Windows 2008 R2 fileservers were running full and due to technical issues (old hardware) replacing the disks became VERY expensive.
So alternatives, I started to thing – hey, lets create an “ISCSI drive” on a remote datacenter server, mount the ISCSI drive into the directory structure as a mountpoint named “Archive” or something. Now users could put “old” archival data here, thus removing it from the server but still being available – clever 😀 A few issues crept up however, when creating an ISCSI target on a Windows 2008 R2 server this is “terminated” as a VHD file – this proved annoying (eg for backup etc), besides a friend of mine pointed out that they had tried something similar once – sadly if connectivity was sketchy this could cause the fileserver to hang as it was unable to connect to the iscsi target.
My friend however pointed out that he had had success with using “Links”, right – I have heard of these Junction points and symbolic links, but never really found any real good use for it. But it turn out you can create a symbolic link from the directory structure on one server, pointing to a share on a different server.
So eg. O:\ could have a lot of directories, however we also make a Symbolic Link there named “Archive” – if you now perform a dir you will find all the subdirectories, however you will also find O:\Archive which looks just like a directory (the icon gets a screwy arrow but thats all) however it’s not, it is instead a “pointer” to a share on a different server (this share we can easily backup and maintain).
So the command to use is;
MKLINK /D <NAME> \\<SERVERNAME>\Sharename
eg, MKLINK /D HyperVisor5 \\SECRETSERVER\aarhus
HyperVisor5 is the name the directory will get locally the /D indicate it is a directory junction, and the link will point to \\SECRETSERVER\aarhus (aarhus is the share name on the SECRETSERVER)..
Ohh that was easy you say, yeah – well – it did not work 🙁
When a workstation attempted to access a mapped drive (eg. O:\Archive) it would get the above error.
A bit of googleing let to;
https://blogs.msdn.microsoft.com/junfeng/2012/05/07/the-symbolic-link-cannot-be-followed-because-its-type-is-disabled/
And the solution was simple enough, you need to execute this command on the workstation that has the problem;
(the command above the yellow one show the state of your computer)
And now your workstation can browse the directory (which is actually a pointer to a share on a different server) just like it was on the local server.
This should also be controllable via Group Policy, however I have not had the chance to test it yet;
https://technet.microsoft.com/en-us/library/5c7ffdb9-7066-4bdf-bc7d-eded8db2ce82
The symlink evaluation settings can also be controlled via Group Policy. Go to Computer Configuration > Administrative Templates > System > Filesystem and configure “Selectively allow the evaluation of a symbolic link”.
BeamGun – So what is it all about, and do I need it?
Well, to answer the latter first – “maybe”, if you could ever see yourself inserting a USB key you found somewhere, or if other people have access to your computer….
Background;
All modern computers have USB ports, you can attach all sorts of wonderful devices to USB ports – like mouse and keyboards, well imagine if someone made a device that looked like a USB key, however it actually emulated a keyboard – when you would plug this into your USB port it would tell your computer “Hey, I am totally a USB keyboard, honestly..”, and your computer would say “Hey that is cool, go ahead and be my second keyboard…”. So far so good, however, now this totally honest “keyboard” would start typing commands and your computer not knowing any better would think that it was you typing. So, long story short – any device looking like a USB key that is inserted into your computer has a chance to be an evil “Rubber Ducky USB” (that is the name under which many of these are actually sold), so someone either hands you a USB device and convince you to insert it (hey can you look at the report I just made) – or distracts you for a second and insert the USB device to your computer – BOOM and you are owned – in benign cases it just adds some practical joke (like switch your desktop background etc), but if evil it steals passwords etc. and it is very likely your Antivirus will not pick it up as it will look like commands issued from the local keyboard.
Sadly “no”, this is not Sci-Fi nor expensive, the script kiddie version of USB keys like this cost around 50$ but if you have real coding skills you can do it for 1-3$ 🙁
Ok, so anyone inserting a foreign USB device to your machine could be “hacking you”, or if you find an abandoned/lost USB key and insert it you may cause yourself to be hacked/compromised.
The tool;
https://github.com/JLospinoso/beamgun
BeamGun to the rescue – BeamGun is actually rather nifty, it will monitor your computer – and the moment a new “keyboard” (or something emulating a keyboard) is inserted, it will lock your computer and block the device, it will also show anything this device was trying to do in a popup window.
Mind you, it is an early version and seem a bit rough around the edges, but if you are in the “risk” group this may be a tool you would want to install. But it works (yes I tested it, however it is difficult to show screenshots as the software does a great job of protecting your computer while it display its warning).
Want to see more about these “Rubber Ducky USB” devices, take a look at this video;
https://youtu.be/4kX90HzA0FM
Something similar is also shown in the popular tv-show “Mr Robot”
Want to aspire as an evil hacker (or totally own your friends), buy your own “USB Rubber Ducky” here (yes its actually that simple);
https://hakshop.com/products/usb-rubber-ducky-deluxe
Links;
https://github.com/JLospinoso/beamgun
https://hakshop.com/products/usb-rubber-ducky-deluxe
MDM or Mobile Device Management has become increasingly popular over the last few years. I was surprised to find, that when we implemented it in the company I work for we discovered that there actually was a few users without a pin or password on their mobile device (to be expected out of a few thousand users I guess, but still – NO PIN on your phone, REALLY!!!)!?
Anyhow, there are several reasons to dive into this area – AND the good news is that (depending on the size of your setup) you can actually do much for ZERO $ (Free).
Create Policies;
- Require that users (or family) have a PIN
- Deploy APPS to phones or tablets
- Keep track of installed APPS
- Create geo-fencing – be warned if the device leave a defined area (sadly this does not work well in Denmark as the matching of IP’s to addresses is very limited due to privacy legislation)
You can even choose to implement it in your household to keep track of what apps etc are installed be the kids etc.
So are there great skills required? no not really, perhaps a little in setting it up initially – and there are some minor challenges, especially with the certificate part (which need to maintained/updated yearly), but in general – if you have experience with IT operations it’s more or less a breeze.
To get started here are a few links.
Several free or cheap services exist, to name a few;
The first one “Meraki” I actually tried and is still using (free for up to 100 devices as I recall)
https://account.meraki.com/login/new_account
You can even get a free cloud managed WiFi Access Point if you attend one of their online seminars.
Additionally you can install Windows Clients on Windows PC’s and thus now also have free inventory of your Windows PC’s.
You can see a demo of a related Meraki mobile management pack, it’s not quite the same as the free MDM solution – but it can give you some idea of what is possible.
https://youtu.be/fa95GJZQ0fQ
Another one is Spiceworks, I have not tried their MDM solution – but the “Spiceworks framework” (free IT operations software) in general is quite good and capable.
https://www.spiceworks.com/free-mobile-device-management-mdm-software/
Let’s imagine you need to turn over your old computer to friends or family, you for some reason do not wish to re-install Windows all over – well there is a middelground that I imagine could be used in case it’s close friends or relatives. Remove all your personal stuff, documents, mails etc. from the computer, remember to empty the recycle bin, clear all browser caches and clear restore points – if possible create a new user and from this delete your old user profile. Final step is to run the command below, this will wipe all free space on the disk – the command is a buildin Windows command that was introduced back in WinXP, so no need for additional software etc. Is it safe enough? Well as I say, if it is close relatives or friends it may be ok as long as you are sure that all sensetive data is removed, but I would likely not advice this for a computer you sell etc. Again, it all depends.
Command to issue;
Cipher /w:c:
(for the C: drive, replace C: with other drivelettes as you need).