August 10 2015

Windows 10 peer-to-peer (P2P) patching

Reviewing Windows 10 over the last week, I am very happy with the approach that Microsoft are taking with their ‘Windows Update Delivery Optimization’ (WUDO). In short, this is peer-to-peer (P2P) sharing of Microsoft updates and Apps instead of content delivery directly from Microsoft servers. I like the concept behind this and I believe that this is a delivery method that we’ll start to see more of from other Internet-based software and service providers in the coming years.

The main concepts behind this are:

  • WUDO lets you get Windows updates and Windows Store apps from sources in addition to Microsoft.
  • Windows doesn’t download the entire file from one place. Instead, the download is broken down into smaller parts. Windows uses the fastest, most reliable download source for each part of the file.
  • WUDO creates a local cache, and stores files that it has downloaded in that cache for a short period of time. Depending on the settings, Windows then sends parts of those files to other PCs on the local network or PCs on the Internet that are downloading the same files.
  • Delivery Optimization is turned on by default for all editions of Windows 10 (an opt-out scenario as opposed to opt-in), with the following differences:
    • Windows 10 Enterprise and Windows 10 Education: The PCs on your local network option is turned on by default.
    • All other editions of Windows 10: The PCs on your local network and PCs on the Internet option is turned on by default.
  • Users can turn this feature on and off, and can also set whether they can get and send updates to either just PCs on their local network or to PCs on the Internet as well.

There isn’t any detailed technical information available from Microsoft on how this works so one can only assume that it may be a larger implementation of Microsoft’s SCCM BranchCache concept.

 

June 22 2015

System Center Endpoint Protection (SCEP) support for Windows Server 2003

As we all know, as of July 14 2015, Windows Server 2003 will no longer be a supported operating system. This means that customers using Windows Server 2003 will no longer receive new security updates, non-security updates, free or paid assisted support options or online technical content updates from Microsoft.

However, it isn’t that well publicised that on this same date, customers using System Center Endpoint Protection on Windows Server 2003 will stop receiving updates to antimalware definitions and the engine for Windows Server 2003.

As a result, the SCEP agent will stop functioning.  Starting on July 14 2015, systems running Windows XP and Windows Server 2003 that have the System Center 2012 Endpoint Protection client installed will receive the following system tray notification:

SCEP notification


Time to get off Windows 2003!

June 18 2015

Why we need to keep Domain Controllers physically secure

The purpose of this post is to highlight another reason we need to keep Domain Controllers physically secure – in fact the principle here also applies to standard Windows Servers too.

My home test lab had been powered down for a few months and I’d forgotten my Domain Administrator password. I knew there was a method to log onto a Windows Server without a username and password back in Windows Server 2003 and I thought that surely this still wouldn’t work with Windows Server 2012 R2 – however to my horror it still did. Here is how I reset my Domain Administrator account password – scary stuff!

Forgotten password


So I’d forgotten my Domain Administrator password. Time to attach the Windows Server 2012 R2 ISO to the VM.

Attach ISO


Adjust the boot order to force booting from ISO first.

Boot to DVD/ISO

Restart the VM and boot to the DVD/ISO. Click Next on the first setup screen. On the following screen make sure you select “Repair your computer”.

Next


Repair your computer


Then click on “Troubleshoot” followed by “Command Prompt”

Troubleshoot


Command Prompt


You will now be presented with a Command Prompt.  Change your directory to c:\Windows\System32.  Then rename the Utilman.exe executable by running the command “ren Utilman.exe Utilman.exe.old”.  Then make a copy of cmd.exe named Utilman.exe using the command “copy cmd.exe Utilman.exe”.  See below screenshot.

Replace Utilman


Close the command prompt and restart the machine, booting back into the regular Windows logon screen. Once the logon screen is presented, press the “Windows Key” and “U”. Much to your horror you will see a Command Prompt appear. If you check Task Manager, you will see that the Command Prompt (executable called Utilman.exe) is running in the SYSTEM context. Given that this is a Domain Controller, effectively this means the commands run within the Command Prompt are executed with the Domain Admin permission level.

SYSTEM context


To reset the Domain Administrator account password, we simply need to run the “net user Administrator password” command.

Reset password

You can now close the Command Prompt and log onto the domain with the Administrator account and the newly set password.

I have also seen this work with the Sticky Keys executable (sethc.exe) being replaced instead of Utilman.exe.

 

Once again this highlights why we need to keep our Domain Controllers physically secure – from this demo you can see that anyone with physical access to the server can have control over your entire Active Directory domain in a very short amount of time!
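A defender-side check for the swap described above, as an added example rather than code from the original post: it compares the SHA-256 of each logon-screen accessibility binary with the shells in the same System32 folder and reports any match, plus a leftover `.old` copy like the one the rename step leaves behind. It assumes PowerShell 4.0 or later (for `Get-FileHash`); the `$System32` parameter and the status labels are illustrative, and the target list goes beyond Utilman.exe and sethc.exe to the other accessibility tools as a generalization.

```powershell
# Added example, not from the original post. Run elevated on the server, or
# point -System32 at the System32 folder of an offline-mounted volume.
param([string]$System32 = (Join-Path $env:SystemRoot 'System32'))

# Utilman.exe and sethc.exe are named in the post; the remaining entries are
# other accessibility tools, added here as a generalization.
$targets = 'Utilman.exe', 'sethc.exe', 'osk.exe', 'Magnify.exe', 'Narrator.exe', 'DisplaySwitch.exe'

# Shells that could be copied over a target (the post uses cmd.exe).
$shells = 'cmd.exe', 'WindowsPowerShell\v1.0\powershell.exe'

# Build a lookup of SHA-256 hash -> shell name for the shells that exist.
$shellHashes = @{}
foreach ($s in $shells) {
    $p = Join-Path $System32 $s
    if (Test-Path -LiteralPath $p) {
        $shellHashes[(Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash] = $s
    }
}

$findings = foreach ($t in $targets) {
    $path = Join-Path $System32 $t
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ File = $t; Status = 'MISSING'; Detail = 'binary not found' }
        continue
    }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    if ($shellHashes.ContainsKey($hash)) {
        # Byte-for-byte copy of a shell sitting under an accessibility name.
        [pscustomobject]@{ File = $t; Status = 'REPLACED'; Detail = "identical to $($shellHashes[$hash])" }
    }
    elseif (Test-Path -LiteralPath ($path + '.old')) {
        # Renamed original left beside the binary, as in the post's "ren" step.
        [pscustomobject]@{ File = $t; Status = 'SUSPECT'; Detail = "$t.old present" }
    }
    else {
        [pscustomobject]@{ File = $t; Status = 'OK'; Detail = '' }
    }
}

$findings | Format-Table -AutoSize
# Non-zero exit code lets a scheduled task or monitoring agent alert on a hit.
if ($findings.Status -contains 'REPLACED') { exit 1 }
```

A hash match only catches an unmodified copy of a shell from the same folder, so treat `OK` as "no exact copy found" and pair the check with full-disk encryption and boot-order lockdown on the host.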

 

May 13 2015

Turn off Tools Pane in Adobe Acrobat Reader DC

I was frustrated with the Tools Pane being displayed every time I opened Adobe Acrobat Reader DC.  Surprisingly, there is no option/preference within the application to permanently turn this off.  Here is a nice trick to get the Tools Pane to not be displayed at all:

  1. Go to the install directory and head to the AcroApp\ENU subfolder, usually “C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU”.
  2. Create a new subfolder, the name doesn’t matter – for example “Disabled”
  3. Move the following 3 files from the “ENU” folder into the new “Disabled” folder: AppCenter_R.aapp, Home.aapp & Viewer.aapp
  4. Open Adobe Acrobat Reader and the Tools Pane is no more!

If you are looking to customize Adobe Acrobat Reader DC for a mass deployment, it is recommended to use the customization tool rather than a hack like this – see http://www.adobe.com/devnet-docs/acrobatetk/tools/PrefRef/Windows/AcroApps.html

 

 

May 4 2015

Microsoft Local Administrator Password Solution


Microsoft have released a new tool to manage local Administrator account passwords for domain joined machines. The solution automatically creates and manages the password on each managed computer so that it is unique, randomly generated and securely stored in Active Directory. ACLs are then used to allow access to view the password.

More info:

The tool is free!

Microsoft Security Advisory 3062591 – Local Administrator Password Solution (LAPS) Now Available

May 4 2015

Optus Cable Premium Speed Pack testing…

In the last few years, Optus has upgraded its HFC (cable internet) network in Melbourne to the DOCSIS 3.0 standard. I decided it was time to take advantage of this and upgrade to the “Optus Cable Premium Speed Pack”. The first thing I required was a new cable modem, so Optus sent me a Netgear cg3000v2. I did some before and after speed tests – tests were done via Ookla Speedtest (http://www.speedtest.net/) and used the ‘Yes’ Optus Melbourne server. Multiple tests were done at each point, however I have picked the “average” test screenshot to use below.

“Normal” Optus cable with old Motorola “surfboard” modem. As expected, the normal cable download speed was about 18Mbps, 500Kbps upload speed and ping is 14ms.


Optus cable “standard” speed

I then tested with the new Netgear modem while still on the “Normal” Optus cable plan.  Similar results to before – 19Mbps download, 500Kbps upload and 11ms ping.


Optus cable “standard” speed with Netgear cg3000v2 modem

Once the “Premium Speed Pack” plan was applied to my account I retested.  Almost 100Mbps download, 900Kbps upload and 11ms ping.


Optus cable speed after adding the “Premium Speed Pack”

I’m pretty happy with this and have constantly been getting download rates in the range of 75-100Mbps depending on the time of day.
