Enable Reserved Storage Using DISM or PowerShell on Windows 10

How to Enable Reserved Storage on Windows 10

Laptop - @SeniorDBA

Windows Updates will fail to install if your PC doesn’t have enough free disk space. Before Reserved Storage, the only workaround was to free up some storage space before continuing with the update. With the May 2019 Update to Windows 10, Microsoft fixed this problem by reserving disk space for future updates.

With “reserved storage,” Microsoft sets aside at least 7 gigabytes of space on your hard drive to ensure updates can download—regardless of how much normal disk space you have.

When not being used by update files, Reserved Storage will be used for apps, temporary files, and system caches, improving the day-to-day function of your PC.

When enabled, it keeps some disk space for Windows Update, apps, temporary files, and system caches because without enough disk space Windows and applications may stop working properly.

Users installing a fresh copy of Windows 10 1903 or later, or receiving a device with the OS preinstalled, should see Reserved Storage enabled out-of-the-box. Some device manufacturers choose not to enable Reserved Storage because it reduces the available disk space to users.

Those upgrading from a previous version of Windows don’t get Reserved Storage, unless the ShippedWithReserves registry key is set to 1 before the upgrade. You can find the key under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager

Windows Update and Reserved Storage

Windows Update gives priority access to Reserved Storage. Before an update, temporary files that are no longer needed in Reserved Storage are deleted and the remaining space is then given exclusively to Windows Update. If Reserved Storage still doesn’t have enough space, Windows Update can also spill into free disk space that is available to the user. On systems where disk space is severely limited, Windows Update might also prompt to attach external storage to complete the update process.

DISM updated with new Reserved Storage options

Admins are able to query the amount of space reserved and even disable Reserved Storage. The state of Reserved Storage is preserved across OS upgrades once it has been enabled or disabled using DISM. The following DISM command enables Reserved Storage for the online Windows image:

Enable or Disable Reserved Storage using PowerShell

If you don’t want to mess around with DISM, Windows 10 version 2004 supports a new PowerShell cmdlet that will let you enable or disable Reserved Storage for online images.
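As an added example that is not from the original post, the script below audits the Reserved Storage state and the ShippedWithReserves value the post mentions, and enables Reserved Storage only when it is currently off. It assumes Windows 10 version 2004 or later (for the DISM module cmdlets Get-WindowsReservedStorageState and Set-WindowsReservedStorageState) and an elevated session; the function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post: report on Reserved Storage
# for the running (online) Windows image and enable it if it is disabled.
# Assumes Windows 10 version 2004+ and an elevated PowerShell session.
# DISM.exe equivalents: /Online /Get-ReservedStorageState and
# /Online /Set-ReservedStorageState /State:Enabled

$ReserveKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager'

function Get-ReservedStorageReport {
    # ShippedWithReserves = 1 is what lets an in-place upgrade keep Reserved Storage
    $shipped = (Get-ItemProperty -Path $ReserveKey -Name ShippedWithReserves `
                -ErrorAction SilentlyContinue).ShippedWithReserves

    # State of the online image; the ReservedStorageState property reads
    # Enabled or Disabled (property name per the DISM module docs; an assumption here)
    $state = (Get-WindowsReservedStorageState).ReservedStorageState

    # Free space on the system drive, since the reserve is carved out of it
    $sysDrive = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')

    [pscustomobject]@{
        ShippedWithReserves  = if ($null -eq $shipped) { 'not set' } else { $shipped }
        ReservedStorageState = $state
        SystemDriveFreeGB    = [math]::Round($sysDrive.Free / 1GB, 1)
    }
}

function Enable-ReservedStorageIfNeeded {
    param(
        # Also set the registry flag the post describes, so a later upgrade keeps the reserve
        [switch]$AlsoSetUpgradeFlag
    )

    $report = Get-ReservedStorageReport
    $report | Format-List | Out-String | Write-Host

    if ($report.ReservedStorageState -eq 'Enabled') {
        Write-Host 'Reserved Storage is already enabled; nothing to do.'
        return $report
    }

    # The state change is refused while an update is pending, so surface that clearly
    try {
        Set-WindowsReservedStorageState -State Enabled -ErrorAction Stop
        Write-Host 'Reserved Storage enabled for the online image.'
    } catch {
        Write-Warning "Could not enable Reserved Storage: $($_.Exception.Message)"
        Write-Warning 'Finish any pending Windows Update, reboot, and retry.'
    }

    if ($AlsoSetUpgradeFlag) {
        New-ItemProperty -Path $ReserveKey -Name ShippedWithReserves `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }

    Get-ReservedStorageReport
}

Enable-ReservedStorageIfNeeded
```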

Continue reading “Enable Reserved Storage Using DISM or PowerShell on Windows 10”

10 Steps to Stopping Lateral Movement Attacks

Lateral Movement - @SeniorDBA

It is estimated that over 75% of cyber attacks come from outside your network. While every attack is unique and tactics may vary, the basic stages of an outsider attack are similar. During the attack, an attacker uses four basic steps to gain a foothold in your environment.

  1. Attack the perimeter – Get past any perimeter protections to gain access to the internal resources of the network, like a user’s computer or a server-based resource on the internal network. This can be accomplished using a known vulnerability, or by convincing the user to run a program from an email link or attached file.
  2. Malware Drop – Once they have access to an internal resource, they drop malware onto the endpoint and begin communications with the compromised device, usually through a command and control system. Using the permissions of the current user, they gather intelligence about the network and attempt to elevate their permissions on that endpoint.
  3. Lateral Movement – They now start looking for resources on other systems on the same internal network. As new systems are discovered, they are also compromised and start communicating with the attacker’s command and control system. They gather more intelligence and try to elevate their permissions on all compromised systems.
  4. Trigger Payload – Once your network and systems are owned by the attacker, they start exfiltrating and/or encrypting the files on the compromised internal resources. Game Over.

There are some common mitigation strategies your organization can implement to help prevent lateral movement (step 3 shown above) during an attack. You won’t always detect the initial compromise of an internal resource, but you can limit the damage that can be inflicted by implementing some basic security steps.

Here are 10 steps to reducing lateral movement during an attack:

Continue reading “10 Steps to Stopping Lateral Movement Attacks”

Project Management: Cone of Uncertainty


If you are going to be any good at managing software projects, you have to learn more about what works, and what doesn’t, in project management. A research paper published by the Standish Group (available summarized here) indicates that in 2009, 44% of projects were delivered late, 24% failed, and only 32% of projects were delivered on time and within budget. The same report indicates that in 1994, the average project schedule overrun was about 120% and the average cost overrun was about 100%. No doubt estimating a software project accurately is a challenge for all organizations.

An accurate estimate not only helps with budgeting but also brings additional benefits. Referencing the book Software Estimation by Steve McConnell, there are some obvious pointers you should focus on to improve your project accuracy:

  • Better planning – A project plan is often set up based on the estimate. If the estimate is accurate and realistic, the project plan will be more useful for progress tracking. You will also have a more accurate view of resource availability.
  • Better task completion in terms of documentation, testing, training, etc. – If the estimate is not accurate, resources and time will be used up on programming and these other tasks’ schedules will slip or even be omitted.
  • Better quality – A more accurate estimate, a better schedule, and less pressure to finish things within an unrealistic time all produce higher quality.

One thing you have to understand to provide better project management is the “Cone of Uncertainty”.

Introduction to the Cone

Early in a software project, specific details of the nature of the software to be built, details of specific requirements, details of the proposed solution, the written project plan, personnel staffing including available resources, and other project variables are usually unclear. The variability in these factors contributes variability to project estimates — an accurate estimate of a variable phenomenon must include the variability in the phenomenon itself. As these sources of variability are further investigated and pinned down, the variability in the project diminishes, and so the variability in the project estimates can also diminish. This phenomenon is known as the “Cone of Uncertainty”, which is illustrated in the following figure. As the figure suggests, significant narrowing of the Cone occurs during the first 20-30% of the total calendar time for the project.

Figure 1: The Cone of Uncertainty

The horizontal axis contains common project milestones such as Initial Concept, Approved Product Definition, Requirements Complete, and so on. Because of its origins, this terminology sounds somewhat product oriented. “Product Definition” just refers to the agreed upon vision for the software, or “software concept,” and applies equally to web services, internal business systems, and most other kinds of software projects.

Continue reading “Project Management: Cone of Uncertainty”

Cloud Comparison: AWS vs. Azure vs. GCP

Cloud Computing - @SeniorDBA

Three vendors, Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), dominate the public cloud computing market. When it comes to infrastructure as a service (IaaS) and platform as a service (PaaS), these three huge vendors have a significant lead on other contenders in the field. Let’s talk about the services provided and compare the major features offered by each vendor.

Many IT experts recommend that enterprise teams evaluate their public cloud needs to match specific applications and workloads with the vendor that offers the best fit for their needs. Each vendor has particular strengths and weaknesses that make them a good choice for certain projects.

Compute

Compute is described as the processing power that the cloud service offers to support your business workloads. In general, the more compute power offered, the better it can be for your business. Since more compute can cost more money, the price also plays a significant role in understanding the offered compute power.

Startups can find the cloud-based compute model most beneficial because this approach allows them to order extra compute power anytime they want without worrying about long-term installation, maintenance, and hardware costs. You can start small and move to more compute power as required to keep compute costs as small as possible.

AWS – Elastic Compute Cloud: Amazon’s flagship compute service is Elastic Compute Cloud, or EC2. Amazon describes EC2 as “a web service that provides secure, resizable compute capacity in the cloud.” EC2 offers a wide variety of options, including a huge assortment of instances, support for both Windows and Linux, bare metal instances (currently a preview), GPU instances, high-performance computing, auto scaling and more. AWS offers a free tier for EC2 that includes 750 hours per month of t2.micro instances for up to twelve months.

Azure – Virtual Machines: Microsoft’s primary compute service is simply known as Virtual Machines. Azure supports Linux, Windows Server, SQL Server, Oracle, IBM, and SAP. Like AWS, Azure has an extremely large catalog of available instances, including GPU and high-performance computing options. Azure has also added instances optimized for artificial intelligence and machine learning. Azure has a free tier with 750 hours per month of Windows or Linux B1S virtual machines for a year.

GCP – Compute Engine: Google’s catalog of compute services is somewhat shorter than AWS or Azure. Their primary service is called Compute Engine, which includes both custom and predefined machine types, per-second billing, Linux and Windows support, automatic discounts, and carbon-neutral infrastructure that uses half the energy of typical data centers. GCP offers a free tier that includes one f1-micro instance per month for up to 12 months.

Continue reading “Cloud Comparison: AWS vs. Azure vs. GCP”

History of PowerShell

PowerShell is a tool developed by Microsoft to provide a powerful command-line interface that lets users automate a wide range of tasks. If you are familiar with the Linux and macOS command line, PowerShell is very similar in purpose. PowerShell version 1.0 was first released in 2006 to support Windows XP SP2, Windows Server 2003 SP1, and Windows Vista. The newest version is PowerShell 7, which replaces the PowerShell Core 6.x products as well as Windows PowerShell 5.1, the last supported Windows PowerShell version.

Development

Every version of Microsoft Windows has included a command line utility for basic scripting operations to help manage the operating system, basically an interface similar to the older MS-DOS interface. The user would create a batch file that included basic scripting language commands which could be used to automate various tasks. The automation abilities of this older interface were limited in scope and didn’t allow full automation of all Windows administrative operations. Microsoft addressed these concerns by introducing the Windows Script Host in 1998 with Windows 98, along with its command-line based host named cscript.exe. The problem was that the Windows Script Host still had limited abilities and was quickly seen by many as more helpful to hackers than to administrators.

By 2002, Microsoft was developing a new command-line management tool called Monad. Jeffrey Snover published a white paper in August 2002, called the “Monad Manifesto”, and this paper discussed the concept of translating Unix tools to the Windows platform. Since Windows is very different from Unix, this is much harder than it might seem.

Monad was first demonstrated at the Professional Development Conference (PDC) in 2003, later it was released to private beta, and was eventually published to public beta in June 2005. By April 2006, Microsoft had announced the initial Monad product had been renamed Windows PowerShell.

PowerShell v2.0 development began before PowerShell v1.0 was shipped. 

Initial Release

Release Candidate 2 of PowerShell version 1 was released in September 2006, with the formal release in November 2006 in Barcelona. PowerShell for earlier versions of Windows was released in January 2007. PowerShell v2.0 was completed and released to manufacturing in August 2009, and it was part of Windows 7 and Windows Server 2008 R2.

Release History

Windows PowerShell 1.0

PowerShell 1.0 was released in November 2006 for Windows XP SP2, Windows Server 2003 SP1 and Windows Vista. It is an optional component of Windows Server 2008.

Windows PowerShell 2.0

Windows PowerShell ISE v2.0 was released with Windows 7 as an integrated development environment for PowerShell scripts. The most remarkable feature introduced, built on WS-Management, allowed you to run your commands on a remote machine.

PowerShell 2.0 is integrated with Windows 7 and Windows Server 2008 R2 and was released for Windows XP with Service Pack 3, Windows Server 2003 with Service Pack 2, and Windows Vista with Service Pack 1.

PowerShell v2 includes changes to the scripting language and hosting API, in addition to including more than 240 new cmdlets.

New features of PowerShell 2.0 include:

  • PowerShell remoting: Using WS-Management, PowerShell 2.0 allows scripts and cmdlets to be invoked on a remote machine or a large set of remote machines.
  • Background jobs: Also called a PSJob, it allows a command sequence (script) or pipeline to be invoked asynchronously. Jobs can be run on the local machine or on multiple remote machines. An interactive cmdlet in a PSJob blocks the execution of the job until user input is provided.
  • Transactions: Enable cmdlets and developers to perform transactional operations. PowerShell 2.0 includes transaction cmdlets for starting, committing, and rolling back a PSTransaction as well as features to manage and direct the transaction to the participating cmdlet and provider operations. The PowerShell Registry provider supports transactions.
  • Advanced functions: These are cmdlets written using the PowerShell scripting language. Initially called “script cmdlets”, this feature was later renamed “advanced functions”.
  • Modules: This allows script developers and administrators to organize and partition PowerShell scripts in self-contained, reusable units. Code from a module executes in its own self-contained context and does not affect the state outside the module. Modules can define a restricted runspace environment by using a script. They have a persistent state as well as public and private members.
  • Script debugging: It allows breakpoints to be set in a PowerShell script or function. Breakpoints can be set on lines, line & columns, commands and read or write access of variables. It includes a set of cmdlets to control the breakpoints via script.
  • You can get more information about PowerShell v2 here.
  • Microsoft recommends you no longer support, install, or use PowerShell v2.

Windows PowerShell 3.0

PowerShell 3.0 is integrated with Windows 8 and with Windows Server 2012. Microsoft has also made PowerShell 3.0 available for Windows 7 with Service Pack 1, for Windows Server 2008 with Service Pack 1, and for Windows Server 2008 R2 with Service Pack 1.

PowerShell 3.0 is part of a larger package, Windows Management Framework 3.0 (WMF3), which also contains the WinRM service to support remoting. Microsoft made several Community Technology Preview releases of WMF3. An early community technology preview 2 (CTP 2) version of Windows Management Framework 3.0 was released on 2 December 2011. Windows Management Framework 3.0 was released for general availability in December 2012 and is included with Windows 8 and Windows Server 2012 by default.

New features in PowerShell 3.0 include:

  • Scheduled jobs: Jobs can be scheduled to run on a preset time and date using the Windows Task Scheduler infrastructure.
  • Session connectivity: Sessions can be disconnected and reconnected. Remote sessions have become more tolerant of temporary network failures.
  • Improved code writing: Code completion (IntelliSense) and snippets are added. PowerShell ISE allows users to use dialog boxes to fill in parameters for PowerShell cmdlets.
  • Delegation support: Administrative tasks can be delegated to users who do not have permissions for that type of task, without granting them perpetual additional permissions.
  • Help update: Help documentation can be updated via the Update-Help command.
  • Automatic module detection: Modules are loaded implicitly whenever a command from that module is invoked. Code completion works for unloaded modules as well.
  • You can get more information about PowerShell v3 here.

Windows PowerShell 4.0

PowerShell 4.0 is integrated with Windows 8.1 and with Windows Server 2012 R2. Microsoft has also made PowerShell 4.0 available for Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2012.

New features in PowerShell 4.0 include:

  • Desired State Configuration: Declarative language extensions and tools that enable the deployment and management of configuration data for systems using the DMTF management standards and WS-Management Protocol
  • New default execution policy: On Windows Servers, the default execution policy is now RemoteSigned.
  • Save-Help: Help can now be saved for modules that are installed on remote computers.
  • Enhanced debugging: The debugger now supports debugging workflows, remote script execution and preserving debugging sessions across PowerShell session reconnections.
  • -PipelineVariable switch: A new ubiquitous parameter to expose the current pipeline object as a variable for programming purposes
  • Network diagnostics to manage physical and Hyper-V’s virtualized network switches
  • Where and ForEach method syntax provides an alternate method of filtering and iterating over objects.
  • You can get more information about PowerShell v4 here.

Windows PowerShell 5.0

Windows Management Framework (WMF) 5.0 RTM, which includes PowerShell 5.0, was re-released to the web on 24 February 2016, following an initial release with a severe bug.

Key features included:

  • The new class keyword that creates classes for object-oriented programming.
  • The new enum keyword that creates enums.
  • Extending support for switch management to layer 2 network switches.
  • Debugging for PowerShell background jobs and instances of PowerShell hosted in other processes (each of which is called a “runspace”)
  • Desired State Configuration (DSC) Local Configuration Manager (LCM) version 2.0
  • DSC partial configurations
  • DSC Local Configuration Manager meta-configurations
  • Authoring of DSC resources using PowerShell classes
  • You can get more information about PowerShell v5 here.

Windows PowerShell 5.1

It was released along with the Windows 10 Anniversary Update in August 2016, and in Windows Server 2016. PackageManagement now supports proxies, PSReadLine now has ViMode support, and two new cmdlets were added: Get-TimeZone and Set-TimeZone. The LocalAccounts module allows for adding/removing local user accounts. A preview for PowerShell 5.1 was released for Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 in July 2016, and was formally released in January 2017.

PowerShell 5.1 is the first version to come in two editions, “Desktop” and “Core”. The “Desktop” edition is the continuation of the traditional Windows PowerShell that runs on the full .NET Framework stack. The “Core” edition runs on .NET Core and is bundled with Windows Server 2016 Nano Server. In exchange for a smaller footprint, the “Core” version lacks some features such as the cmdlets to manage the clipboard or join a computer to a domain, WMI version 1 cmdlets, Event Log cmdlets, and profiles. This was the final version of PowerShell made exclusively for Windows.

PowerShell Core 6

PowerShell Core 6.0 was first announced in August 2016, when Microsoft unveiled PowerShell Core and also announced the decision to make the product cross-platform, independent of Windows, free, and open source. It achieved general availability in January 2018 for Windows, macOS, and Linux. It has its own support lifecycle and adheres to the Microsoft lifecycle policy that is introduced with Windows 10: Only the latest version of PowerShell Core is formally supported. Microsoft expects to release one minor version for PowerShell Core 6.0 every six months.

The most significant change in this version of PowerShell is the expansion to the other platforms. For Windows administrators, this version of PowerShell did not include any major new features. In an interview with the community in January 2018, the PowerShell team was asked to list the top 10 most exciting things that would happen for a Windows IT professional who would migrate from Windows PowerShell 5.1 to PowerShell Core 6.0; in response, Angel Calvo of Microsoft could only name two: cross-platform and open-source.

According to Microsoft, one of the new features of PowerShell 6.1 is “Compatibility with 1900+ existing cmdlets in Windows 10 and Windows Server 2019.” Still, no details of these cmdlets can be found in the full version of the change log. Microsoft later conceded that this number was insufficient, as PowerShell Core failed to replace Windows PowerShell 5.1 and gain traction on Windows. It was, however, popular on Linux.

PowerShell Core 6.2 is focused primarily on performance improvements, bug fixes, and smaller cmdlet and language enhancements that improved developer productivity.

PowerShell 7

PowerShell 7 is the replacement for PowerShell Core 6.x products as well as Windows PowerShell 5.1, which was the last supported Windows PowerShell version. The focus in development was to make PowerShell 7 a viable replacement for Windows PowerShell 5.1, i.e. to have near parity with Windows PowerShell in terms of compatibility with modules that ship with Windows.

New features in PowerShell 7 include:

  • Near parity with Windows PowerShell in terms of compatibility with built-in Windows modules
  • A new error view
  • The Get-Error cmdlet
  • Pipeline chaining operators that allow conditional execution of the next cmdlet in the pipeline
  • You can get more information about PowerShell v7 here.

Use of PowerShell

PowerShell is a fully supported scripting language that is actively under development by Microsoft and it also has a strong user community. PowerShell is a modern command shell that includes the same features as other popular shells. PowerShell accepts and returns .NET objects, which makes it a very powerful tool. The shell includes the following features:

  • Robust command-line history
  • Tab completion and command prediction
  • Supports command and parameter aliases
  • Pipeline for chaining commands
  • In-console help system
  • Extensible through functions, classes, scripts, and modules
  • Extensible formatting system for easy output
  • Extensible type system for creating dynamic types
  • Built-in support for common data formats like CSV, JSON, and XML

There are multiple sources to help you get started with PowerShell. Starting PowerShell in Windows is really easy.

Resources

Wikipedia – PowerShell

Microsoft – PowerShell

SIEM Overview

SIEM - @SeniorDBA

Introduction

Security information and event management (SIEM) is a software solution that takes the event logs collected from all supported information technology (IT) infrastructure and applications and turns them into actionable security intelligence. These enterprise solutions provide real-time analysis of security alerts generated by applications and network hardware, offering an interface for research and analysis of the collected data and alarms, as well as an interface for deeper investigations and for tracking the full scope of an event.

SIEM solutions have been around for many years, with different degrees of functionality and features depending on the product or vendor you choose.

The SIEM also provides a collection point for all logs, since a common attack profile includes an intruder attempting to cover their tracks by deleting the event logs from a compromised system. A SIEM collects the event logs in real-time, so even if the logs are deleted from the compromised system later, the events are still available for review from the SIEM copy of the logs. This helps preserve evidence and allows for detailed analysis of events even during a successful attack.

At its core, a SIEM is a data aggregator, search tool, and reporting system. SIEM gathers immense amounts of data from your entire networked environment, consolidates all that data and makes it human accessible. With the data categorized and laid out at your fingertips, an analyst can research possible data security breaches with as much detail as needed.

Summary of Capabilities

In practice many products in this area will have a mix of log-related functions, so there will often be some overlap – and many commercial vendors also promote their own terminology. A full solution will include simple collection and storage of log messages and audit trails, long-term storage as well as analysis and reporting of collected log data, real-time monitoring of new log events, correlation of events, notifications as suspicious events are collected, and console views for graphical analysis and research.

A key focus of a solution is to monitor and help manage user and service privileges, directory services and other application or system-configuration changes; as well as providing log auditing and review, analysis of related events, and incident response.

Continue reading “SIEM Overview”

Free Download: SQL Server Management Studio 18.9.1

SQL Server - @SeniorDBA

SQL Server Management Studio (SSMS) is an integrated environment for accessing, configuring, managing, administering, and developing all components of SQL Server. SSMS combines a broad group of graphical tools with a number of rich script editors to provide developers and administrators of all skill levels access to SQL Server.

The SSMS 18.x installation doesn’t upgrade or replace SSMS versions 17.x or earlier. SSMS 18.x installs side by side with previous versions so both versions are available for use. If you have a previous GA version of SSMS 18 installed, installing SSMS 18.9.1 upgrades it to 18.9.1.

If a computer contains side-by-side installations of SSMS, verify you start the correct version for your specific needs. The latest version is labeled Microsoft SQL Server Management Studio 18.

Beginning with SQL Server Management Studio (SSMS) 18.7, Azure Data Studio is automatically installed alongside SSMS. Users of SQL Server Management Studio are now able to benefit from the innovations and features in Azure Data Studio.

Continue reading “Free Download: SQL Server Management Studio 18.9.1”

TIOBE Index for April 2021

Have you seen the latest TIOBE rankings report?

The TIOBE Programming Community index is an indicator of the popularity of programming languages. The index is updated once a month. The ratings are based on the number of skilled engineers world-wide, courses and third party vendors. Popular search engines such as Google, Bing, Yahoo!, Wikipedia, Amazon, YouTube and Baidu are used to calculate the ratings. Observe that the TIOBE index is not about the best programming language or the language in which most lines of code have been written.

Objective-C’s fame came to a sudden stop when, in 2014, Apple announced that there was a new language called Swift that should replace Objective-C. Remarkably, it took a long time before Swift was more popular than Objective-C. Only 7 years after its death sentence, Objective-C is now leaving the top 20. But there is still hope for Objective-C because old languages sometimes strike back. Take a look at Fortran! This dinosaur is back in the top 20 after more than 10 years. Fortran was the first commercial programming language ever, and is gaining popularity thanks to the massive need for (scientific) number crunching. Welcome back Fortran.

Continue reading “TIOBE Index for April 2021”

Tips for Leading IT Remotely

Work from Home - @SeniorDBA

As the remote workforce has become the “new normal”, IT leadership has had to adjust to the new requirements around how they must continue to lead an effective technology team from home. While things will continue to change as vaccines are administered and people are allowed more freedom to return to the workplace, things will probably never be the same as before a global pandemic forced millions of people away from the traditional office workspace and they began working full-time from their homes.

An effective leader must learn to identify changes and determine the best techniques for dealing with change. Successfully adapting to change is something leaders must do all the time, and the recent work-from-home mandates are just another change to navigate to keep the business moving forward.


When employees are unsure about procedures, processes, and requirements it is imperative that leaders step forward to provide guidance and instruction to help people successfully navigate changes with minimal stress and uncertainty. As a member of IT leadership, you must provide strong leadership in times of uncertainty and confusion.

Here are some tips to help your team stay productive in a remote work environment, even if working remotely is no longer temporary.

Continue reading “Tips for Leading IT Remotely”

Defending Against Mimikatz in Windows 10

Mimikatz @SeniorDBA

Mimikatz is an offensive security tool developed by Benjamin Delpy in 2011. It is a free tool that scrapes the memory of the target computer, looking for the process responsible for Windows authentication (LSASS), to reveal cleartext passwords and NTLM hashes that the attacker can then use to attack other computers on the same network. The attacker can then escalate their account privileges either by authenticating with the cleartext credentials they just stole or by simply passing the stolen hash.

Mimikatz has been used by nation-state attackers, the first known case being the 2011 hack of the now-defunct Dutch certificate authority DigiNotar. The attackers issued bogus certificates for Google and used them to spy on the Gmail accounts of several hundred thousand Iranian users. Mimikatz has since been used by many malware creators to automate the spread of their worms, including the NotPetya attack and the 2017 BadRabbit ransomware outbreak. Mimikatz will likely remain an effective offensive security tool on Windows platforms for many years to come.

Mimikatz exploits Windows single sign-on (SSO) functionality to harvest credentials. Until Windows 10, Windows by default used a feature called WDigest that loads encrypted passwords into memory, but also loads the secret key to decrypt them. WDigest has been a useful feature for authenticating large numbers of users on an enterprise or government network, but also let Mimikatz exploit this feature by dumping memory and extracting the passwords.

Solution

Microsoft has reacted (somewhat slowly) to Mimikatz by publishing changes to address the security vulnerabilities identified, but you must apply the patches and recommendations below to address this security issue.
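The WDigest behaviour described above is controlled by a registry value, UseLogonCredential, that Microsoft introduced with its KB2871997 hardening guidance; the following audit-and-harden script is an added example, not code from the original post, and the value name, its per-version defaults and the function names are taken from that guidance rather than from the post. It assumes an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: check whether WDigest still keeps
# logon credentials in LSASS memory in a decryptable form, and turn that off.
# UseLogonCredential semantics are from Microsoft's KB2871997 guidance (assumption
# stated in the lead-in). Assumes an elevated session on Windows 7 or later.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-WDigestStatus {
    $value = (Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential `
              -ErrorAction SilentlyContinue).UseLogonCredential

    # Windows 8.1 / Server 2012 R2 (6.3) and later ship with caching off when the
    # value is absent; older, patched systems keep caching on until it is set to 0.
    $osVersion    = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $offByDefault = $osVersion -ge [version]'6.3'

    $caching = if ($null -eq $value) { -not $offByDefault } else { $value -ne 0 }

    [pscustomobject]@{
        OSVersion          = $osVersion
        UseLogonCredential = if ($null -eq $value) { 'absent' } else { $value }
        CleartextCaching   = $caching
        Action             = if ($caching) { 'set UseLogonCredential to 0 (DWORD)' } else { 'none' }
    }
}

function Disable-WDigestCaching {
    $before = Get-WDigestStatus
    if (-not $before.CleartextCaching) {
        Write-Host 'WDigest cleartext caching is already off.'
        return $before
    }

    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    New-ItemProperty -Path $WDigestKey -Name UseLogonCredential `
        -PropertyType DWord -Value 0 -Force | Out-Null

    # Credentials already cached stay in memory until those sessions end, so a
    # reboot (or at least a logoff of every interactive session) completes the fix.
    Write-Host 'UseLogonCredential set to 0; reboot to flush credentials already in memory.'
    Get-WDigestStatus
}

Disable-WDigestCaching | Format-List
```

Because a value of 1 silently re-enables the caching, this key is worth re-auditing on a schedule or monitoring for changes rather than setting once and forgetting.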

Continue reading “Defending Against Mimikatz in Windows 10”

Deciding on Microsoft Intune

Many companies are trying to figure out how to handle mobile device management at their business. Many will buy a product that performs some or all of the functions they need, or at least think they need. As their needs mature or their requirements change, they may have to move to a different product. I think the full-featured product that many companies need is Microsoft Endpoint Manager, also known as Microsoft Intune. Intune is Microsoft’s answer to mobile device management for Windows-centric companies, and it is very simple to use.

Intune will allow you to enroll all your Windows 10, macOS, iPadOS, and Android devices. Once a device is enrolled, it can be configured, applications can be installed, and devices can be wiped when they no longer need to be managed.

As you can imagine, effective configuration and application management across all business devices, including advanced security settings on multiple operating systems, using one powerful and easy-to-use interface will make support and training much easier, and your business will save money and time.


It is a popular and cost-effective cloud-based tool that gives every employee access to corporate applications on their assigned endpoint, along with conditional access to corporate data, and it simplifies deploying those settings, applications, and data-access rules to hundreds or even thousands of employees with very little hands-on work by your technology team.

If your technology team is buying and manually building laptops as you hire new employees, you already know how difficult, time-consuming, and manual that process is, even if some of the steps are automated. Need to deploy a new application to all employees? Simple: send someone around to every user to install the software from a network share or flash drive. Maybe you have automated that step by deploying the software via GPO? Then how long does it take for your remote workforce to finally make a VPN connection to the corporate network and pick up the new software? How easily can you determine who is still missing the package or had installation errors?

  • How easy would it be to implement 10-20 new security settings to all your users laptops overnight?
  • How easy will it be to remove software they aren’t supposed to have installed, even if you can detect it exists on their laptop?
  • Do you have an accurate and up-to-date asset inventory of user laptops and what software is actually installed?
  • Are you able to detect missing patches to the OS and all the installed software for every user?
  • Can you make sure users are even trying to install patches on their laptops?

Remote workers that never connect to the corporate network make this management process even more difficult.

Do you have a solution to this issue? I think Microsoft Intune may be the solution to your problem, and it may already be included in your O365 licensing.

Let’s talk about some of the reasons I like Microsoft Intune.

Continue reading “Deciding on Microsoft Intune”

TempDB and Disk IO Tips and Tricks for SQL Server


One common issue with database performance is TempDB tuning. There are some basic tips and tricks to getting the best possible performance from your TempDB, but you need to understand that each instance will need tuning. There isn’t a checkbox in the server configuration that enables peak performance. You will need to investigate the specifics of your database instance and tune the server so that you get the best performance from your combination of hardware, software, and user load.

Proper configuration of the IO subsystem is critical to the performance and stable operation of any SQL Server system. Many of the most commonly recommended best practices are easiest to apply during instance installation and initial configuration, before the databases carry production load.

Continue reading “TempDB and Disk IO Tips and Tricks for SQL Server”

11 Things A New IT Manager Must Do On The First Day


Updated: Includes notes for COVID-19 Protocols for remote working

Congratulations, you have found a new job as an IT Manager. This new job could be leading a software development team, managing a group of system administrators, leading the cybersecurity team, or any other management position in the IT group. How you approach your first day at the new company will make a huge difference, putting you on the path to success or making your new role a struggle. You may not have held a management position at your last company, so you might not have any experience starting at a new company as a manager.

Don’t let your title go to your head. Don’t begin ordering people around and watching their every move. Act like a professional, observe how the team works, and strive to understand before you recommend any changes. Many people have made career-killing mistakes by failing to adapt to a different way of doing things at a new company. Even if you were with your previous company for a long time, you are now at a different organizational level in a new company, and you will need to learn the new management culture to be truly successful.

Continue reading “11 Things A New IT Manager Must Do On The First Day”

Cybersecurity Awareness Training

Photo by Katerina Holmes on Pexels.com

Every organization should have an employee cybersecurity awareness training program to help educate all employees about their responsibilities in keeping corporate assets secure, how to secure their computer systems, and help them develop a basic understanding of how to secure their internet accounts from compromise.

Most cyberattacks come from criminal hackers, organized crime, and state-sponsored attackers in the form of phishing emails, compromised attachments, and malicious links. Users have to be trained on their role in securing the environment. They must be given the training and awareness to identify threats and avoid the poor decision or simple mistake that could cost the business millions of dollars in lost revenue or ransomware payments.

The basics of user cybersecurity awareness training are specific coursework, usually video-based, that helps all employees understand the general threats in today’s internet-based workforce, how they fit into that threat landscape, how they become a target for attackers, and what they can do to keep corporate assets secure from attack. This type of information usually transfers easily to the employee’s personal life. Your personal Twitter or Facebook account isn’t a corporate asset, but the techniques and methods in the training can usually be applied to those online accounts to make them more secure as well.

Continue reading “Cybersecurity Awareness Training”

Using Microsoft Endpoint Manager (Intune) and Windows 10 templates to configure policy settings

Photo by Andrea Piacquadio on Pexels.com

Introduction

Configuring Group Policy settings has been routine for millions of domain-joined Windows devices for many years, and the configuration options have expanded now that many of those settings are available in Microsoft’s cloud endpoint management tool, Endpoint Manager (aka Intune).

Many of the same settings that businesses are accustomed to configuring today with traditional Group Policy are also available as Configuration Policy settings in the cloud management tool. They work in much the same way, using the new cloud interface in your browser.

The beauty of the new cloud interface is the ease with which Microsoft can add, change, and remove settings overnight. The worst part of the cloud interface is that Microsoft can add, change, and remove settings overnight. Gone are the days of writing a GPO that stays good for many years. Now you can easily create a new Configuration Policy that does exactly what you need, and it may last many years or it may be obsolete in a few months. That means your life is potentially just as easy, but you have to monitor the Microsoft news feed to keep apprised of changes before they impact your production systems.

Continue reading “Using Microsoft Endpoint Manager (Intune) and Windows 10 templates to configure policy settings”

Building a Successful Cybersecurity Strategy

Photo by Pixabay on Pexels.com

When thinking of a strategy to address cybersecurity, your strategy must be one that is driven by a top-down management emphasis to build cybersecurity into everything a company does and builds. Cybersecurity can not be an afterthought or something that is added later, but it must be designed and implemented from the first day. If you have gaps today, they must be fixed and a management system must be put into place to prevent this type of issue in the future.

The first thing you must accomplish when building a mature strategy to fix your imperfect cybersecurity status is to perform a formal risk assessment. This lets your team compare your existing controls against an established security framework, such as the NIST Cybersecurity Framework or the CIS Controls (formerly the SANS Top 20). A cybersecurity framework is a predefined set of controls, identified and defined by leading cybersecurity organizations, that helps you improve the security posture of your enterprise. The assessment documents which controls are already in place and how effective they are, and which controls are missing or ineffective. Once you have completed this step, you can focus your change effort on the controls that will have the most impact, incrementally improving security with each change to the existing environment.

Now that you have a written list of needs you have a better understanding of where your team currently stands, including what controls are currently effective and which controls are missing or poorly implemented. This will also help you determine if you have the budget and personnel to make the required changes. You’ll now have a much better idea of where the biggest security gaps exist and it helps you assign a priority and schedule to each required change.

This might also be a good time to decide if outsourcing the effort, either in part or in full, might be a better solution for your business. Do you have the time and budget to train internal resources for the effort required to resolve the items identified for remediation? If you must hire new personnel, will you have time to onboard and complete orientation or training before you can start remediation of identified security issues, or should you outsource the remediation to an external resource with the experience and skill to quickly resolve your issues?

Continue reading “Building a Successful Cybersecurity Strategy”

Understanding Base-2 vs. Base-10 Numeric Systems

The modern binary number system (base-2) dates back to an article by Gottfried Leibniz in 1679. Leibniz was able to interpret Chinese hexagrams as evidence of binary calculus. Binary systems are still used today, and that numeric system is exposed to average consumers every day, even though they probably don’t understand the system or why it is used with computer-related hardware and software.

In this article, Bruce Dawson asks why we should expose the base-2 numeric system to the average computer user at all:

It’s 2016 and Windows still displays drive and file sizes using base-2 size prefixes. My 1 TB SSD is shown as 916 GB, and a 449 million byte video file is shown as 428 MB. That is, Windows still insists that “MB” means 2^20 and “GB” means 2^30, even when dealing with non-technical customers.

  1. This makes no sense.
  2. Just because some parts of computers are base 2 doesn’t mean all parts are base 2.
  3. And, actually, most of the visible parts of computers are base-10.

So just stop it. Base 2 prefixes should only be used when there is a compelling advantage for the typical user, and for file and drive sizes in Windows explorer there are no such advantages. If you think I’m wrong (and I know that lots of people do) then be sure to explain exactly why base-2 size prefixes make sense in the context of file and drive sizes.

You might also find it useful trivia that the ancient Sumerians (circa 3100 B.C.) used a base-60 numbering system, which we still use today for time and for latitude and longitude. What distinguishes base-60 from base-10, which likely developed from people counting on both hands, is the number of divisors: 60 divides evenly by 1, 2, 3, 4, 5, 6, 10, 12, 15, 20, 30, and 60, while 10 divides evenly only by 1, 2, 5, and 10, so far more fractions come out as whole numbers in base-60.

Reset the Azure VM administrator password


To reset the local administrator password of an Azure virtual machine, you can use the Azure portal or Azure PowerShell. Both methods work by pushing the VMAccess extension into the VM, so anyone who can write extensions to the VM (Contributor or Virtual Machine Contributor on the resource) can reset its administrator password. Audit those role assignments as carefully as you audit the password itself.

Azure Portal

Log into the Azure portal (https://portal.azure.com) and go to the Azure VM you want to reset. Under the Support + Troubleshooting menu, click Reset password and follow the Reset password wizard to update the credentials.

Note: This is not supported for Active Directory Domain Controllers.

PowerShell

If you want to use Azure PowerShell (the Az module), edit the placeholders in this script and run the following commands:

# Fill in the subscription, resource group, VM name and region of the target VM.
$SubID = "<SUBSCRIPTION ID>" 
$RgName = "<RESOURCE GROUP NAME>" 
$VmName = "<VM NAME>" 
$Location = "<LOCATION>" 

# Sign in interactively and select the subscription that owns the VM.
Connect-AzAccount 
Set-AzContext -SubscriptionId $SubID 

# Get-Credential prompts for the admin user name and new password so the
# password never lands in the script or the shell history. The VMAccess
# extension (typeHandlerVersion 2.0 is the Windows version) is installed into
# the VM and resets the named local account; if the account does not exist
# it is created and added to the local Administrators group.
Set-AzVMAccessExtension -ResourceGroupName $RgName -Location $Location -VMName $VmName -Credential (Get-Credential) -TypeHandlerVersion "2.0" -Name VMAccessAgent

This information should help you to reset the password of an Azure virtual machine if you have lost access. If you want to know more, read the following troubleshooting article on Microsoft Docs.

Free Download: SQL Server Management Studio 18.8


SQL Server Management Studio (SSMS) is an integrated environment for accessing, configuring, managing, administering, and developing all components of SQL Server. SSMS combines a broad group of graphical tools with a number of rich script editors to provide developers and administrators of all skill levels access to SQL Server.

The SSMS 18.x installation doesn’t upgrade or replace SSMS versions 17.x or earlier. SSMS 18.x installs side by side with previous versions so both versions are available for use. If you have a previous GA version of SSMS 18 installed, installing SSMS 18.8 upgrades it to 18.8.

If a computer contains side-by-side installations of SSMS, verify you start the correct version for your specific needs. The latest version is labeled Microsoft SQL Server Management Studio 18.

Continue reading “Free Download: SQL Server Management Studio 18.8”

TIOBE Index for January 2021

Have you seen the latest TIOBE rankings report?

The TIOBE Programming Community index is an indicator of the popularity of programming languages. The index is updated once a month. The ratings are based on the number of skilled engineers world-wide, courses and third party vendors. Popular search engines such as Google, Bing, Yahoo!, Wikipedia, Amazon, YouTube and Baidu are used to calculate the ratings. Observe that the TIOBE index is not about the best programming language or the language in which most lines of code have been written.

C is still number one, but it is Python that claims the second position now. Some say that Python’s recent surge in popularity is due to booming fields such as data mining, AI and numerical computing. 

Continue reading “TIOBE Index for January 2021”

Using Microsoft Intune to Secure Windows 10

Happiness

Microsoft Endpoint Manager (Microsoft Intune) is a service included with many Microsoft 365 licenses that lets a business enroll its Windows 10 devices (as well as macOS, iOS, and Android devices), centrally manage those corporate devices, and verify that they meet your basic compliance requirements. You can read more about Microsoft Intune here.

The basic approach to cloud management of your Windows 10 devices is quite simple, but it can take a little work to get the pieces into place.

  1. Enroll new devices so that when a user takes a new laptop out of the box and logs in with their standard network account, the device is enrolled into Endpoint Manager. This is how your devices will be managed and configured, and it takes a little work to set up.
  2. Configure new devices so that your preferred settings are applied during the initial enrollment. This can be a few settings or hundreds of specific settings, depending on how detailed you want your configuration to be, and the settings applied can be scoped by Azure AD group, so some devices can be configured differently than others.
  3. Require specific settings to be in place before the device is considered “compliant”. Compliance status tells you how secure a device is or isn’t, and lets you target specific devices for remediation (or, with Conditional Access, block them from corporate data).
  4. Deploy software directly onto the device, which makes software deployment almost effortless, software inventory easier, and may significantly reduce user complaints.
  5. Configure Windows Update to automatically update the Windows 10 endpoint, which keeps a missing patch from causing security headaches later.

Configuration Policy – Endpoint Security

Click on the Devices option, then select Configuration Policies, then select Create new policy, for the platform, select Windows 10 and later, select Profile and select Endpoint Protection. Set a name for your policy, such as “Windows Security Configuration”.

Microsoft Defender Smart Screen

  • SmartScreen for apps and files: Enable

Interactive Logon

  • Minutes of lock screen inactivity until screen saver initiates: 15
  • Require CTRL + ALT + DEL to log on: Enable

Local device security options

 Accounts

  • Guest account: Block
  • Guest Account: Rename
  • Administrator Account: Rename

Network access and security

  • Anonymous access to Named Pipes and Shares: Block
  • Anonymous enumeration of SAM accounts: Block
  • Anonymous enumeration of SAM accounts and shares: Block
  • LAN Manager hash value stored on password change: Block
  • Insecure Guest logons: Block

User Account Control

  • Elevated prompt for app installations: Enabled

Compliance Policy

Click on the Devices option, then select Compliance Policies, then select Create new policy, and for the platform select Windows 10 and later. Set a name for your policy, such as “Windows Security Compliance”.

Device Health

  • Require BitLocker: Require

System Security

  • Require a password to unlock mobile devices: Require
  • Password type: Device default
  • Minimum password length: 8

Device Security

  • Firewall: Required
  • Trusted Platform Module (TPM): Required
  • Antivirus: Required
  • Antimalware: Required

Defender

  • Microsoft Defender Antimalware: Required
  • Microsoft Defender Antimalware security intelligence up-to-date: Required
  • Real-time protection: Required
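The compliance policy just described can also be created as code rather than by clicking through the portal, which makes it reviewable and repeatable across tenants. The script below is an added example, not code from the original post, and it uses the Microsoft Graph PowerShell SDK. Assumptions: the Microsoft.Graph module is installed, the signed-in account has the DeviceManagementConfiguration.ReadWrite.All permission, the Azure AD group ID is a placeholder you fill in, and the property names follow the windows10CompliancePolicy resource of the Graph beta schema (confirm them in Graph Explorer before relying on this in production, since beta properties can change).

```powershell
# Added example (not from the original post): create the "Windows Security
# Compliance" policy from the post through Microsoft Graph, assign it to a
# device group, and audit the tenant's Windows compliance policies.
# Assumptions: Microsoft.Graph module installed; DeviceManagementConfiguration.ReadWrite.All
# granted; property names per the Graph beta windows10CompliancePolicy resource.

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$policy = @{
    '@odata.type' = '#microsoft.graph.windows10CompliancePolicy'
    displayName   = 'Windows Security Compliance'
    description   = 'BitLocker, password, firewall, TPM and Defender baseline'

    # Device Health
    bitLockerEnabled = $true

    # System Security
    passwordRequired      = $true
    passwordRequiredType  = 'deviceDefault'
    passwordMinimumLength = 8

    # Device Security
    activeFirewallRequired = $true
    tpmRequired            = $true
    antivirusRequired      = $true
    antiSpywareRequired    = $true

    # Defender
    defenderEnabled    = $true
    signatureOutOfDate = $false   # $false means security intelligence must be current
    rtpEnabled         = $true

    # Graph rejects a compliance policy with no action for noncompliance.
    # Mark the device noncompliant immediately (grace period 0); Conditional
    # Access can then keep it away from corporate data until it is fixed.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0 }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies' `
    -Body ($policy | ConvertTo-Json -Depth 6) -ContentType 'application/json'

# A policy with no assignment evaluates nothing. $groupId is the object ID of
# the Azure AD group holding the managed Windows devices (placeholder).
$groupId = '<AZURE AD GROUP OBJECT ID>'
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 6) -ContentType 'application/json'

# Audit: list every Windows compliance policy in the tenant and show whether it
# still requires the controls above, so drift introduced in the portal is visible.
$all = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies'
$all.value |
    Where-Object { $_.'@odata.type' -eq '#microsoft.graph.windows10CompliancePolicy' } |
    ForEach-Object {
        [pscustomobject]@{
            Name      = $_.displayName
            BitLocker = $_.bitLockerEnabled
            Firewall  = $_.activeFirewallRequired
            TPM       = $_.tpmRequired
            RTP       = $_.rtpEnabled
        }
    } | Format-Table -AutoSize
```

Keep the hashtable in source control and run the script from a pipeline with an app registration instead of an interactive login once it is stable; the audit section at the end is the part worth scheduling, because a policy someone relaxes in the portal is otherwise invisible until a device that should have been blocked turns up in an incident.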

Windows 10 Update rings

Click on the Devices option, then select Windows 10 update rings, then select Create profile, set a name for your policy, such as “Windows Update Configuration”.

  • Servicing channel: Semi-annual
  • Microsoft product updates: Allow
  • Windows drivers: Allow
  • Quality update deferral period (days) : 3
  • Feature update deferral period (days): 3
  • Automatic update behavior: Auto install at maintenance time
  • Active hours start: 8 am
  • Active hours end: 8 pm
  • Restart checks: Allow
  • Option to pause Windows updates: Disable

You can also create other Configuration Profiles to enforce various policies that you may be using GPO policies to enforce today, like various network settings, Windows Defender Firewall settings, renaming the local administrator account, disabling the guest account, etc. You can also create Apps, which allows you to install various software directly to the enrolled device.

Once you start working with Endpoint Manager (Intune) you will see the enormous potential that cloud management brings to your environment.

Detailed SQL Server Version Information

SQL Server - SeniorDBA

Microsoft’s SQL Server database engine has gone through various versions over the many years it has been one of the most popular solutions for database design. Some of the versions also support databases created under the older versions of the engine. This table helps you understand what support is available from those various SQL Server versions.

Continue reading “Detailed SQL Server Version Information”

TIOBE Index for December 2020

Have you seen the latest TIOBE rankings report?

The TIOBE Programming Community index is an indicator of the popularity of programming languages. The index is updated once a month. The ratings are based on the number of skilled engineers world-wide, courses and third party vendors. Popular search engines such as Google, Bing, Yahoo!, Wikipedia, Amazon, YouTube and Baidu are used to calculate the ratings. Observe that the TIOBE index is not about the best programming language or the language in which most lines of code have been written.

C is still number one, but it is Python that claims the second position now. Some say that Python’s recent surge in popularity is due to booming fields such as data mining, AI and numerical computing. 

Continue reading “TIOBE Index for December 2020”