Windows 10 Lifecycle

You may have noticed that Windows 10 is designated with different version numbers like 1611, 1703, 1709, etc. For the most part we think of these incremental updates as feature enhancements that are not that important, simply because Microsoft categorizes them as “Feature Updates”. These updates are more than that and have much larger ramifications in your environment: what Microsoft calls a feature update is really a full in-place OS upgrade. Like any other OS upgrade, you need to test your applications and hardware to be sure that everything will work after deployment. These updates can also take a considerable amount of time; more on that later in the article.

Microsoft’s shift to this new “Semi-Annual Channel” model also comes with a shelf life. At the time of this writing, Microsoft has promised to “service” these operating systems for 18 months or 30 months, depending on the edition; see the chart below. There is an exception to this rule, the Long Term Servicing Branch (LTSB), but that is beyond the scope of this article.

[Chart: Windows 10 servicing lifecycle by version and edition (image: win10 Lifecycle blog insert.png)]

https://support.microsoft.com/en-us/help/4462896

What exactly does “service” mean? You know the monthly updates that Microsoft releases to keep us all safe? Those are considered part of servicing. In some cases Microsoft will make an exception for major security issues, as we have seen with Windows XP security updates, but for the most part consider your OS as no longer receiving monthly updates once it passes the dates in the chart above. If your Windows 10 computers are running version 1511 (Enterprise or Education) or earlier, you are not receiving the monthly updates and you are putting your environment at risk. The chart below lists the end-of-service dates for each Windows 10 version as of this writing.

https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet

These feature update packs are deployed through the standard Windows Update mechanism as well as the Windows Upgrade Assistant. They can also be deployed as stand-alone installations through System Center Configuration Manager or other software deployment tools. These alternative methods become important because they bring advanced validation steps and logging, which matter when troubleshooting deployment issues. An important thing to note is that these installations can take 2 hours or more on a computer with a spinning disk, or 30 – 45 minutes on a computer with a Solid-State Drive (SSD). When choosing replacement PCs and laptops for your environment, it will be important to select models with SSDs.

If you would like more information on Microsoft’s Lifecycle Policy including Windows 10 LTSB, Office 365, SQL Server and Windows Server feel free to reach out to me or visit the Microsoft Lifecycle Homepage.

ZAG is experienced in Windows 10 deployments. Our mission is to “enable our clients to succeed”. To know more about ZAG Technical Services and the services we offer, contact us at 408-383-2000.

Major Exchange Server Security Vulnerability Discovered

Situation

Security researcher Dirk-jan Mollema has recently blogged about a newly disclosed vulnerability in Exchange and how it can be exploited to allow an attacker to obtain escalated privileges. Microsoft Exchange supports an API called Exchange Web Services (EWS). One of the EWS API functions is called PushSubscription, which can be used to cause the Exchange server to connect to an arbitrary website. Connections made using the PushSubscription feature attempt to negotiate with that web server using NTLM authentication. Starting with Microsoft Exchange 2013, NTLM authentication over HTTP fails to set the NTLM Sign and Seal flags. The lack of signing makes this authentication attempt vulnerable to NTLM relay attacks.

Microsoft Exchange is by default configured with extensive privileges on the Domain object in Active Directory. Because the Exchange Windows Permissions group has WriteDacl access to the Domain object, the Exchange server privileges obtained through this vulnerability can be used to gain Domain Admin privileges for the domain that contains the vulnerable Exchange server.
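A defender-side check for the flag condition described above, as an added example written for this page (not code from the researcher's post or from Microsoft): it parses the NegotiateFlags of an NTLM type 1 message carried in an HTTP Authorization header, such as one logged by a web server or proxy that receives the Exchange callback, and reports whether signing and sealing were requested. The flag values follow MS-NLMP; the two sample headers are constructed.

```python
import base64
import struct

# NTLM NegotiateFlags bits as defined in MS-NLMP (only the ones used here).
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000

def parse_negotiate_flags(authorization_header):
    """Return NegotiateFlags from an NTLM NEGOTIATE_MESSAGE (type 1) carried in an
    HTTP Authorization header, or None if the header is not such a message."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    raw = base64.b64decode(token)
    # Signature (8 bytes) + MessageType (4) + NegotiateFlags (4) = 16 bytes minimum.
    if len(raw) < 16 or raw[:8] != b"NTLMSSP\x00":
        return None
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    return flags if msg_type == 1 else None

def relay_prone(flags):
    """True when the client did not request both signing and sealing, the condition
    the article describes for Exchange's PushSubscription callback."""
    return not (flags & NTLMSSP_NEGOTIATE_SIGN and flags & NTLMSSP_NEGOTIATE_SEAL)

def build_negotiate(flags):
    """Constructed sample: a minimal type 1 message with empty domain/workstation fields."""
    body = b"NTLMSSP\x00" + struct.pack("<II", 1, flags)
    body += struct.pack("<HHI", 0, 0, 32)  # DomainNameFields: Len, MaxLen, BufferOffset
    body += struct.pack("<HHI", 0, 0, 32)  # WorkstationFields: same layout
    return "NTLM " + base64.b64encode(body).decode("ascii")

# Constructed headers: one requesting sign+seal, one omitting them as the article describes.
COMMON = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_NTLM
          | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
HARDENED = build_negotiate(COMMON | NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL)
UNSIGNED = build_negotiate(COMMON)

if __name__ == "__main__":
    for label, header in (("hardened", HARDENED), ("unsigned", UNSIGNED)):
        flags = parse_negotiate_flags(header)
        print(f"{label}: flags=0x{flags:08x} relay_prone={relay_prone(flags)}")
```

Run over real proxy or IIS logs, any outbound NTLM negotiate from the Exchange server that reports relay_prone is worth investigating alongside the mitigations discussed below.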

Impact

  • Exchange 2013

  • Exchange 2016

  • Exchange 2019

  • There is no word on whether Exchange Online is impacted.

An attacker who has credentials for an Exchange mailbox and can communicate with both a Microsoft Exchange server and a Windows domain controller may be able to gain domain administrator privileges. It is also reported that an attacker without knowledge of an Exchange user's password may be able to perform the same attack using an SMB-to-HTTP relay, as long as they are on the same network segment as the Exchange server.

Response

Microsoft is currently working on a solution for the exploit, but it is not released yet and still has no ETA. Additionally, Microsoft is not recommending many of the solutions suggested in the original article by Mollema, who was recommending actions such as removing Exchange's permissions on the domain objects in AD.

The current recommendation is to implement the registry modification explained in CVE-2018-8581 and to consider securing or disabling EWS Push/Pull Subscriptions to Exchange until the hotfix is released.

Contact us now if you need help: 408-383-2000

More Information:

Original article by the person who published the flaw - https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/

Article by Practical 365 with Microsoft’s stance - https://practical365.com/exchange-server/serious-exchange-server-vulnerability-reported/

Microsoft Security Response Center CVE-2018-8581 - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8581

CERT Vulnerability 465632 - https://kb.cert.org/vuls/id/465632/

User Training... Security's First Line of Defense

"Hi Linda, this is Rob in IT. We are troubleshooting an issue on the back-end. I need your password to test functionality."

  • 60% of small to medium businesses are out of business within 6 months of a cyber-attack

  • 52% of data security breaches are caused by human error

Regularly occurring employee security training is a key first step in turning your company's greatest security liability into its greatest security asset.

Internet usage policies, data handling and labeling policies, security violation reporting, proper password creation and usage, and environmental awareness are just a fraction of the security holes that can be filled by training users in proper security hygiene.

Basic security training does not need to be presented as an overwhelming flood of information. Depending on your company’s business sector and internal culture, it should start as small as possible and be delivered in a simple manner to all users, becoming increasingly specific for smaller groups and departments as needed. Small bites are easier to digest.

A baseline for all users should include a few basic steps:

  • Never write down your password

  • Never give your password to anyone, including IT

    o   Your boss and the IT department should not need your password for access or testing

  • Utilize Multi Factor Authentication (MFA)

  • Be aware of your environment

    o   Do not enter usernames and passwords over unsecured networks (airports and hotels)

    o   Do not enter usernames and passwords in view of other people

  • Confirm all attachments with the sender before opening

    o   Unless specifically expecting an attachment, double check, even if the sender’s address is known

  • Never plug unknown devices into your computer

    o   Found devices, such as USB drives (thumb drives), may contain viruses from someone with bad security hygiene, or may have been planted purposely by bad actors

  • Report any antivirus or workstation update issues to IT as soon as possible

  • Avoid shared login accounts

  • Report strange information requests or odd behavior

  • Do not follow emailed web links to external sites

    o   Redirected or spoofed web links can easily lead to malicious sites

ZAG is experienced in security training and can assist you in evaluating the best options that meet your business needs. Our mission is to “enable our clients to succeed”.

Contact us now to schedule staff security training: 408-383-2000