Re: [NTSysADM] Password expiring debate on patch management

2016-04-26 Thread Richard Stovall
That was a little bit too easy.

(Thanks!)

On Tue, Apr 26, 2016 at 8:49 PM, Susan Bradley <sbrad...@pacbell.net> wrote:

> http://www.patchmanagement.org/
>
> Go there and sign up.
>
>
> On 4/26/2016 5:31 PM, Richard Stovall wrote:
>
>> 
>>
>> How does one subscribe to the fabled patch management list?
>>
>> 
>>

Re: [NTSysADM] Password expiring debate on patch management

2016-04-26 Thread Richard Stovall


How does one subscribe to the fabled patch management list?



On Tue, Apr 26, 2016 at 7:59 PM, Andrew S. Baker  wrote:

> From the article:
>
>
> *>>For instance, we recommend using system monitoring tools that present
> users with information about the last login attempt, so they can see if
> they’re responsible for failed login attempts. <<*
> Do they really believe that if users are inconvenienced by password
> changes every 30 or 60 or 90 days, that they'll actually bother to match up
> their activities with information that indicates last login of the system?
>
> The fact that they could not point to an improved security posture by
> their new stance indicates its weakness.  Let's see if they feel the same
> way about it in 5 or 6 months.
>
> The fact is, we are at a good point in computing history to go with
> changing passwords, since so many online services are doing it.  Back when
> people only had an eternal bankcard pin and a changing corporate password,
> it would be easy to see how the changing password would be a huge annoyance.
>
> Today?  Let's see how many users feel that identity theft is a worthwhile
> trade-off for password changing convenience, after they experience the
> former.
>
> If user convenience is the paramount consideration for information
> security, then it's hard to see what other authentication and authorization
> options will be deemed acceptable.
> -- Two-factor?  Inconvenient.
> -- Digital certificates? Inconvenient.
>
> Reducing the scope of exposure is the primary purpose of changing
> passwords.
>
> *>>The new password may have been used elsewhere, and attackers can
> exploit this too.<< *
> A. Pure Speculation.
> B. There's nothing to prevent the current password from being used
> somewhere else, too.  Frankly, if the next password a user selects is used
> somewhere else, then there is an equal chance that they will use their
> current password on the next service that they sign up for. They are just
> employing poor password hygiene and they are not only going to do so if the
> corporate password changes.
>
>
> *>>The new password is also more likely to be written down, which
> represents another  vulnerability. <<*
> For any user that is likely to write down their next password, they are
> also likely to be reusing passwords across sites.  See previous point.
>
> This means that their poor password practices are *already* endangering
> the current environment.
>
>
> *>>New passwords are also more likely to be forgotten, and this carries
> the productivity costs of users being locked out of their accounts, and
> service desks having to reset passwords.<<*
>
> Whine, whine, whine.  The deployment of a self-service password portal
> eliminates this risk, and is not an uncommon solution.
>
>
> What has been offered here is not a reason or a set of reasons, but a set
> of ill-considered excuses.
>
> Anyhoo, it will be interesting what their guidance is next year...
>
>
>
> Regards,
>
>  ASB
>  http://XeeMe.com/AndrewBaker
>
>  Providing Expert Technology Consulting Services for the SMB market…
>
>  GPG: 1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A
>
>
>
> On Mon, Apr 25, 2016 at 6:56 PM, Dave Lum  wrote:
>
>> Anyone see the debate on the Patch management list, driven by this:
>> https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry
>>
>>
>>
>> I don’t even know how it’s a debate other than the desired frequency (no
>> one-size-fits-all on that IMO). Even six months is far better than never.
>> With expiring passwords you at bare minimum mitigate employees that leave.
>>
>>
>>
>> David Lum
>>
>> Systems Administrator III
>> P: 503.943.2500
>> E: l...@ochin.org
>> A: 1881 SW Naito Parkway, Portland, OR 97201
>>  www.ochin.org
>>
>
>



Re: [NTSysADM] Drobo b1200i

2016-04-08 Thread Richard Stovall
Just say no.

On Fri, Apr 8, 2016 at 5:28 PM, CSSU NetAdmin  wrote:

> Hi,
>
> We are looking to replace our EMC VNXe.  It currently hosts about 40 VMs
> for three schools and total network storage of about 1 TB.  A friend
> mentioned looking at the Drobo b1200i.  It looks pretty good and the price
> is great.
>
> Anyone have any thoughts about this comparison or experience with it?
>
> Thanks!
>



Re: [NTSysADM] users prompted for credentials after MS patching

2016-01-27 Thread Richard Stovall
So what application is actually asking for credentials?  Sounds like it may
not actually be the viewer application.  Did anything change on the
server/application side?





On Wed, Jan 27, 2016 at 2:44 PM, Todd Lemmiksoo 
wrote:

> The PDF is pulled from the medical records application and opened by the
> published application on the Citrix server. I think.
>
> On Wed, Jan 27, 2016 at 12:19 PM, Webster  wrote:
>
>> The Citrix issue is an issue with Windows 10 and the January 2016
>> security updates. I have not heard of any issues like what you are
>> reporting.
>>
>>
>>
>> How are they getting to the PDFs? Browser, file explorer?
>>
>>
>>
>> Thanks
>>
>>
>>
>>
>>
>> Webster
>>
>>
>>
>> *From:* listsadmin@lists.myitforum.com [mailto:
>> listsadmin@lists.myitforum.com] *On Behalf Of *Todd Lemmiksoo
>> *Sent:* Wednesday, January 27, 2016 11:44 AM
>> *To:* ntsys...@lists.myitforum.com
>> *Subject:* Re: [NTSysADM] users prompted for credentials after MS
>> patching
>>
>>
>>
>> 6.5 Receiver 4.2.0.10 users are on Win 7
>>
>>
>>
>> On Wed, Jan 27, 2016 at 11:34 AM, Webster 
>> wrote:
>>
>> What Citrix product? What Receiver version? What OS are the users on?
>>
>>
>>
>> Thanks
>>
>>
>>
>>
>>
>> Webster
>>
>>
>>
>> *From:* listsadmin@lists.myitforum.com [mailto:
>> listsadmin@lists.myitforum.com] *On Behalf Of *Todd Lemmiksoo
>> *Sent:* Wednesday, January 27, 2016 11:33 AM
>> *To:* ntsys...@lists.myitforum.com
>> *Subject:* [NTSysADM] users prompted for credentials after MS patching
>>
>>
>>
>> I have some users (in one dept) that are being prompted for login when
>> opening a PDF file. Have any of you had this occur after MS patching? The
>> users are Citrix users.
>>
>> I have checked main DC and seeing some NETLOGON 5805 errors but nothing
>> else.
>>
>>
>>
>> --
>>
>> T. Todd Lemmiksoo
>>
>>
>>
>>
>>
>> --
>>
>> T. Todd Lemmiksoo
>>
>
>
>
> --
> T. Todd Lemmiksoo
>



Re: [NTSysADM] Very, very weird

2016-01-22 Thread Richard Stovall
Did you get hashes of the files and run them through your favorite Google
search engine?

On Fri, Jan 22, 2016 at 3:49 PM, Kurt Buff  wrote:

> All,
>
> I logged into our file server to do some work on it, and noticed a new
> directory - C:\780A76EB-C496-4C3D-B653-F2AF085FA643\
>
> It contained the following files zero-length, marked as Read-only,
> Hidden, System:
>  0湶甭敳獲琮穧
>  1㍄ᄢ
>  2㍄ᄢ
>  3虯戱❮耀
>
> The dates on the files and directory is 2016-01-04 18:28. Perms on the
> files/directory are innocuous. One thing that's very weird is that the
> filenames are in two different character sets - they show as Chinese
> and Korean in Google Translate's autodetection.
>
> I did a lot of searching, and finally found reference to the
> directory/files in the PFRO.log:
> 1/10/2016 17:59:27 - PFRO Error:
>
> \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\0湶甭敳獲琮穧,
> !\??\湶甭敳獲琮穧, 0xc034
> 1/10/2016 17:59:27 - PFRO Error:
>
> \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\1㍄ᄢ,
> !\??\㍄ᄢ, 0xc034
> 1/10/2016 17:59:27 - PFRO Error:
>
> \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\2㍄ᄢ,
> !\??\㍄ᄢ, 0xc034
> 1/10/2016 17:59:27 - PFRO Error:
>
> \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\3虯戱❮耀,
> !\??\虯戱❮耀, 0xc034
> 1/10/2016 17:59:27 - PFRO Error:
>
> \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643,
> |delete operation|, 0xc101
> 1/10/2016 17:59:27 - 0 Successful PFRO operations
>
>
> The GUID that begins '3ec25' refers to the C: drive. I have no idea
> what is referenced by the GUID that begins '780A' - it doesn't show in
> the registry, and I can't find reference to it anywhere else on the
> machine.
>
> I checked the eventlogs, and see that the machine rebooted at the time
> noted in PFRO.log. However, the PFRO log shows that whatever it was
> failed to install.
>
> The reboot was initiated by one of our team members as we were
> completing moving some VMs around and reconfiguring VMDKs, etc.
>
> There were no patches pending, and no software installs recently.
>
> I've run a scan with ESET against the C: drive, and haven't found
> anything untoward, and used ProcessExplorer's VirusTotal capability to
> check memory, and it came back clean also.
>
> I'm really baffled - if anyone has thoughts on this, I'd surely like
> to hear them.
>
> Kurt
>
>
>
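Added example (my code, not part of Kurt's post or of any tool it mentions): one check an analyst would run on names like these before going further. NTFS stores file names as UTF-16 code units, and a name made of CJK, Hangul and symbol characters is often what you see when 8-bit data has been packed into those units two bytes at a time. Encoding each name back to UTF-16LE recovers the underlying byte pairs. The four names from the post are the input; the first one unpacks to the ASCII string vn-users.tgz (after the plain-ASCII leading digit and its NUL high byte), while the others contain non-printable bytes, which the code shows as \xNN rather than hiding them.

```python
"""Re-interpret CJK-looking file names as the raw bytes they occupy.

Added example; not part of Kurt Buff's post or of any tool it mentions.
NTFS keeps names as UTF-16 code units. When 8-bit data is packed into those
units two bytes at a time, an ASCII name surfaces as a run of CJK, Hangul or
symbol characters. Encoding the name back to UTF-16LE undoes that packing.
"""

# Names copied from the post; the leading digit is an ordinary ASCII character.
NAMES = ["0湶甭敳獲琮穧", "1㍄ᄢ", "2㍄ᄢ", "3虯戱❮耀"]


def reinterpret(name):
    """Bytes of the name's UTF-16 code units in little-endian order (Windows native)."""
    return name.encode("utf-16-le")


def render(raw):
    """Keep printable ASCII; show every other byte as \\xNN so nothing is hidden."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in raw)


def decode_names(names=NAMES):
    """Map each odd-looking name to its rendered byte view."""
    return {name: render(reinterpret(name)) for name in names}


if __name__ == "__main__":
    for name, shown in decode_names().items():
        print(f"{name!r}: {shown}")
```

The rename target in the PFRO.log lines (the part after "!\??\") is the same string without the leading digit, so the log and the directory listing agree. The recovered byte view tells you only that whatever wrote these entries did not treat the names as text; it does not tell you what that was. The practical next step is to search install logs, software inventory and backup catalogs for the recovered ASCII form rather than for the mojibake, and to note that the second and fourth names are not clean text at all.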



Re: [NTSysADM] Very, very weird

2016-01-22 Thread Richard Stovall
Doh!  I neglected to register the zero length part of your original post.
Sorry about that.

On Fri, Jan 22, 2016 at 4:27 PM, Kurt Buff <kurt.b...@gmail.com> wrote:

> A zero-length file always returns the same hash...
>
> Kurt
>
> On Fri, Jan 22, 2016 at 1:18 PM, Richard Stovall <rich...@gmail.com>
> wrote:
> > Did you get hashes of the files and run them through your favorite Google
> > search engine?
> >
>
>
>



Re: [NTSysADM] Very, very weird

2016-01-22 Thread Richard Stovall
Who owns them?

On Fri, Jan 22, 2016 at 4:39 PM, Kurt Buff <kurt.b...@gmail.com> wrote:

> But, you sparked a memory, and I marked down another possibility as
> negative.
>
> Alternate Data Streams.
>
> I used the Sysinternals streams utility - that came up negative
> against the directory and the files.
>
> Kurt
>
> On Fri, Jan 22, 2016 at 1:18 PM, Richard Stovall <rich...@gmail.com>
> wrote:
> > Did you get hashes of the files and run them through your favorite Google
> > search engine?
> >
>
>
>



Re: [NTSysADM] HughesNet and AWS

2016-01-22 Thread Richard Stovall
I was actually thinking of suggesting a VPN, then I realized that the OP is
probably dealing with multiple end users, each on satellite, and would
actually add complexity by going this route.

On Fri, Jan 22, 2016 at 3:41 PM, James M. Pulver <jmp...@cornell.edu> wrote:

> Use a VPN maybe? Would that actually be able to hold a connection over the
> satellite latencies?
>
> James Pulver
> CLASSE Computer Group
> Cornell University
>
> On 01/22/2016 03:21 PM, Charles F Sullivan wrote:
>
>> DNS Acceleration = Ignore TTL
>>
>> Brilliant concept!
>>
>> *From:*listsadmin@lists.myitforum.com
>> <mailto:listsadmin@lists.myitforum.com>
>> [mailto:listsadmin@lists.myitforum.com
>> <mailto:listsadmin@lists.myitforum.com>] *On Behalf Of *Damien Solodow
>> *Sent:* Friday, January 22, 2016 1:44 PM
>> *To:* ntsys...@lists.myitforum.com <mailto:ntsys...@lists.myitforum.com>
>> *Subject:* RE: [NTSysADM] HughesNet and AWS
>>
>> Yeah, I’d thought (and hoped) it was their DNS server doing it, but when
>> even ‘nslookup saasapp.com <http://saasapp.com> 8.8.8.8’ came back wrong
>> (and different from the results on my PC) I knew something was rotten. J
>>
>> DAMIEN SOLODOW
>>
>> Senior Systems Engineer
>>
>> 317.447.6033 (office)
>>
>> 317.447.6014 (fax)
>>
>> HARRISON COLLEGE
>>
>> *From:*listsadmin@lists.myitforum.com
>> <mailto:listsadmin@lists.myitforum.com>
>> [mailto:listsadmin@lists.myitforum.com] *On Behalf Of *Richard Stovall
>> *Sent:* Friday, January 22, 2016 1:40 PM
>> *To:* ntsys...@lists.myitforum.com <mailto:ntsys...@lists.myitforum.com>
>> *Subject:* Re: [NTSysADM] HughesNet and AWS
>>
>> That's friggin awesome, but it doesn't hurt.  :-)
>>
>>
>>
>
>



Re: [NTSysADM] HughesNet and AWS

2016-01-22 Thread Richard Stovall
That's friggin awesome, but it doesn't hurt.  :-)

On Fri, Jan 22, 2016 at 1:33 PM, Michael B. Smith <mich...@smithcons.com>
wrote:

> Both Comcast and CenturyLink have similar “features” if you use their DNS
> servers. But they don’t override you if you choose another DNS server…
>
>
>
> *From:* listsadmin@lists.myitforum.com [mailto:
> listsadmin@lists.myitforum.com] *On Behalf Of *Richard Stovall
> *Sent:* Friday, January 22, 2016 12:48 PM
> *To:* ntsys...@lists.myitforum.com
> *Subject:* Re: [NTSysADM] HughesNet and AWS
>
>
>
> That is so friggin' awesome it hurts.
>
>
>
>
>
>
>
>
>
>
>
>



Re: [NTSysADM] HughesNet and AWS

2016-01-22 Thread Richard Stovall
That is so friggin' awesome it hurts.



On Fri, Jan 22, 2016 at 12:19 PM, Damien Solodow <
damien.solo...@harrison.edu> wrote:

> Having a fun issue, and figured I’d see if anyone else has run into
> something like it and has a solution. J
>
>
>
> One of our SaaS apps is hosted on AWS, and AWS has the lovely habit of
> using very short DNS TTLs and changing IPs frequently. Normally not that
> big a deal.
>
> However, it looks like a satellite provider used by a number of our users
> (HughesNet) has a wonderful little “feature” called DNS Acceleration.
>
>
>
> This looks to be a local DNS caching server (which ignores the provided
> TTL) that runs on their modem. This means that the user almost always gets
> outdated information from DNS for this SaaS app, which prevents them from
> accessing it.
>
>
>
> There doesn’t appear to be a way in the modem UI to turn off this
> “feature”, and it looks to intercept **all** outbound DNS traffic, so
> even if I set the client or their router to use a different DNS server it
> still gets intercepted.
>
>
>
> Anyone run into this or have a useful contact at HughesNet to sort this
> out?
>
>
>
> DAMIEN SOLODOW
>
> Senior Systems Engineer
>
> 317.447.6033 (office)
>
> 317.447.6014 (fax)
>
> HARRISON COLLEGE
>
> 500 North Meridian St
>
> Suite 500
>
> Indianapolis, IN 46204-1213
>
> www.harrison.edu
>
>
>



Re: [NTSysADM] Source of DNS queries

2016-01-07 Thread Richard Stovall
In this instance I don't know the original source of the query, be it an
iPhone, PC, server, or whatever.  Trying to find a way to make discovering
that device as easy as possible.

On Thu, Jan 7, 2016 at 2:44 PM, Ed Ziots <eziot...@gmail.com> wrote:

> I agree the malicious iPhone should be blocked; then you can parse firewall
> logs to see who the connections are and just put that on an egress filter,
> the last firewall block rule.
>
> Ed
> On Jan 7, 2016 2:42 PM, "Michael B. Smith" <mich...@smithcons.com> wrote:
>
>> Why are you averse to scanning the logs?
>>
>>
>>
>> *From:* listsadmin@lists.myitforum.com [mailto:
>> listsadmin@lists.myitforum.com] *On Behalf Of *Richard Stovall
>> *Sent:* Thursday, January 7, 2016 1:49 PM
>> *To:* ntsys...@lists.myitforum.com
>> *Subject:* [NTSysADM] Source of DNS queries
>>
>>
>>
>> I am in the early stages of deploying a SIEM solution and one of the
>> things that pop up occasionally are alarms for when a DNS query is
>> conducted and the response contains a known-malicious ip.  What I'm trying
>> to do is figure out which machine queried the DNS server because the alert
>> just shows that a query response with the malicious ip went back to the DNS
>> server.
>>
>>
>>
>> Short of enabling DNS debug logging on my MS DNS servers and picking
>> through them to find the source of the query, is there another solution
>> that's more permanent?
>>
>>
>>
>> I'm thinking that if I had something like a "DNS proxy" that does the
>> kind of logging I'm looking for, that would be great.  Essentially a DNS
>> server that forwards everything on to the 'regular' servers.
>>
>>
>>
>> client  <-->  proxy  <-->  internal DNS server  <-->  external DNS servers
>>
>>
>>
>> Just messing around with ideas.  Anyone have a solution to this already
>> in place?  (Preferably one that's affordable for the little guys.  :-)
>>
>>
>>
>> Thanks,
>> RS
>>
>
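Added example of the "DNS proxy" idea from the original question (my code, not something from the list or any product): a small UDP forwarder that sits in front of the existing internal DNS server, relays every query unchanged, and writes one log line per response with the client address, the queried name and the answer addresses with their TTLs, so an alarm on a bad answer can be traced back to the device that asked. The listen port 5353, the upstream address 192.0.2.53 and the blocklist entry 203.0.113.7 are constructed placeholders. Recording the TTL also makes a cache that ignores TTLs, like the one described in the HughesNet thread, visible in the same log.

```python
"""Logging DNS forwarder: client <--> this proxy <--> internal DNS server.

Added example for the question above; not code from the list or any product.
Every UDP query is relayed unchanged, and each response produces one log line
naming the client that asked, so a SIEM alarm on a bad answer can be traced
back to the querying device.
"""
import datetime
import socket
import struct

LISTEN = ("0.0.0.0", 5353)     # assumption: spare port for testing, 53 in production
UPSTREAM = ("192.0.2.53", 53)  # assumption: the existing internal DNS server
BLOCKLIST = {"203.0.113.7"}    # constructed sample indicator, not a real IoC


def read_name(packet, offset):
    """Decode a DNS name at offset, following compression pointers.

    Returns (dotted name, offset just past the name as it appears in place).
    """
    labels = []
    end = None
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(packet):
    """Return (qname, [(ip, ttl), ...]) for the A records in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!6H", packet[:12])
    offset = 12
    qname = ""
    for _ in range(qd):
        qname, offset = read_name(packet, offset)
        offset += 4                        # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        _owner, offset = read_name(packet, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:      # A record
            answers.append((socket.inet_ntoa(packet[offset:offset + 4]), ttl))
        offset += rdlen
    return qname, answers


def format_log(client_ip, qname, answers, when=None, blocklist=BLOCKLIST):
    """One line per response; flagged=yes when any answer is on the blocklist."""
    if when is None:
        when = datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
    rendered = " ".join(f"{ip}/ttl={ttl}" for ip, ttl in answers) or "-"
    flagged = "yes" if any(ip in blocklist for ip, _ in answers) else "no"
    return f"{when} client={client_ip} qname={qname} answers={rendered} flagged={flagged}"


def build_response(txid, qname, ip, ttl):
    """Constructed single-A-record response, used to exercise the parser offline."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    question = name + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def run_proxy(listen=LISTEN, upstream=UPSTREAM):
    """Relay loop: one upstream round trip per client query, then log and reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        query, client = sock.recvfrom(4096)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
            up.settimeout(3)
            up.sendto(query, upstream)
            try:
                response, _ = up.recvfrom(4096)
            except socket.timeout:
                continue                   # client will retry; nothing to log
        try:
            qname, answers = parse_response(response)
            print(format_log(client[0], qname, answers))
        except (IndexError, struct.error, UnicodeDecodeError):
            print(format_log(client[0], "<unparseable>", []))
        sock.sendto(response, client)


if __name__ == "__main__":
    run_proxy()
```

Run it with python3, point the clients (or the DHCP-handed resolver address) at it, and ship its stdout to the SIEM. Two caveats a practitioner would want: once the proxy is in the path, the real DNS server only ever sees the proxy's address, so this log becomes the single place that preserves the client IP, and the proxy is a new single point of failure; and the example handles UDP only, so TCP fallbacks and oversized EDNS responses pass it by. Newer Windows Server releases add an analytic event log for the DNS role that records the client address, which is the built-in alternative to putting anything in front of the server.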



Re: [NTSysADM] Source of DNS queries

2016-01-07 Thread Richard Stovall
Got it.  At the moment, I've only got the capability to capture LAN <-->
Internet.

On Thu, Jan 7, 2016 at 3:25 PM, Kennedy, Jim <kennedy...@elyriaschools.org>
wrote:

>
>
>
>
> It all depends on what you are using, what it is monitoring and where it
> monitoring. In my case I do a traffic capture on all traffic to and from my
> servers.  So I too see the server make the request, and also the client.
> Then the box analyzes all the traffic. A second monitoring point to and
> from the internet is in the works.
>
>
>
>
>
> *From:* listsadmin@lists.myitforum.com [mailto:
> listsadmin@lists.myitforum.com] *On Behalf Of *Richard Stovall
> *Sent:* Thursday, January 7, 2016 3:19 PM
> *To:* ntsys...@lists.myitforum.com
> *Subject:* Re: [NTSysADM] Source of DNS queries
>
>
>
> In this instance I don't know the original source of the query, be it an
> iPhone, PC, server, or whatever.  Trying to find a way to make discovering
> that device as easy as possible.
>
>
>
>
>
>



Re: [NTSysADM] Source of DNS queries

2016-01-07 Thread Richard Stovall
The SIEM can do it, but I guess I'm missing how to get it in there using
the default tools in Windows Server.

On Thu, Jan 7, 2016 at 3:48 PM, Michael B. Smith <mich...@smithcons.com>
wrote:

> Well, if your SIEM can’t parse it, it’s pretty easy to do with
> WMI/PowerShell.
>
>
>
> *From:* listsadmin@lists.myitforum.com [mailto:
> listsadmin@lists.myitforum.com] *On Behalf Of *Richard Stovall
> *Sent:* Thursday, January 7, 2016 3:16 PM
> *To:* ntsys...@lists.myitforum.com
> *Subject:* Re: [NTSysADM] Source of DNS queries
>
>
>
> Not averse to it, per se.  They just get pretty big pretty quickly, and
> are temporal because they wrap as well.
>
>
>
> Just thinking out loud about how it would be nice to have the relevant
> info in a single, non-expiring repository.
>
>
>
> On Thu, Jan 7, 2016 at 2:41 PM, Michael B. Smith <mich...@smithcons.com>
> wrote:
>
> Why are you averse to scanning the logs?
>
>
>
> *From:* listsadmin@lists.myitforum.com [mailto:
> listsadmin@lists.myitforum.com] *On Behalf Of *Richard Stovall
> *Sent:* Thursday, January 7, 2016 1:49 PM
> *To:* ntsys...@lists.myitforum.com
> *Subject:* [NTSysADM] Source of DNS queries
>
>
>
> I am in the early stages of deploying a SIEM solution and one of the
> things that pop up occasionally are alarms for when a DNS query is
> conducted and the response contains a known-malicious ip.  What I'm trying
> to do is figure out which machine queried the DNS server because the alert
> just shows that a query response with the malicious ip went back to the DNS
> server.
>
>
>
> Short of enabling DNS debug logging on my MS DNS servers and picking
> through them to find the source of the query, is there another solution
> that's more permanent?
>
>
>
> I'm thinking that if I had something like a "DNS proxy" that does the kind
> of logging I'm looking for, that would be great.  Essentially a DNS server
> that forwards everything on to the 'regular' servers.
>
>
>
> client  <-->  proxy  <-->  internal DNS server  <-->  external DNS servers
>
>
>
> Just messing around with ideas.  Anyone have a solution to this already in
> place?  (Preferably one that's affordable for the little guys.  :-)
>
>
>
> Thanks,
> RS
>
>
>



Re: [NTSysADM] Source of DNS queries

2016-01-07 Thread Richard Stovall
And, thanks to y'all for helping me talk it out, here's the general
direction for what I'm trying to do.

https://www.alienvault.com/forums/discussion/4564/how-to-get-my-dns-logs-into-usm

Woot!

On Thu, Jan 7, 2016 at 3:55 PM, Richard Stovall <rich...@gmail.com> wrote:

> The SIEM can do it, but I guess I'm missing how to get it in there using
> the default tools in Windows Server.
>
> On Thu, Jan 7, 2016 at 3:48 PM, Michael B. Smith <mich...@smithcons.com>
> wrote:
>
>> Well, if your SIEM can’t parse it, it’s pretty easy to do with
>> WMI/PowerShell.
>>
>>
>>
>> *From:* listsadmin@lists.myitforum.com [mailto:
>> listsadmin@lists.myitforum.com] *On Behalf Of *Richard Stovall
>> *Sent:* Thursday, January 7, 2016 3:16 PM
>> *To:* ntsys...@lists.myitforum.com
>> *Subject:* Re: [NTSysADM] Source of DNS queries
>>
>>
>>
>> Not averse to it, per se.  They just get pretty big pretty quickly, and
>> are temporal because they wrap as well.
>>
>>
>>
>> Just thinking out loud about how it would be nice to have the relevant
>> info in a single, non-expiring repository.
>>
>>
>>
>> On Thu, Jan 7, 2016 at 2:41 PM, Michael B. Smith <mich...@smithcons.com>
>> wrote:
>>
>> Why are you averse to scanning the logs?
>>
>>
>>
>> *From:* listsadmin@lists.myitforum.com [mailto:
>> listsadmin@lists.myitforum.com] *On Behalf Of *Richard Stovall
>> *Sent:* Thursday, January 7, 2016 1:49 PM
>> *To:* ntsys...@lists.myitforum.com
>> *Subject:* [NTSysADM] Source of DNS queries
>>
>>
>>
>> I am in the early stages of deploying a SIEM solution and one of the
>> things that pop up occasionally are alarms for when a DNS query is
>> conducted and the response contains a known-malicious ip.  What I'm trying
>> to do is figure out which machine queried the DNS server because the alert
>> just shows that a query response with the malicious ip went back to the DNS
>> server.
>>
>>
>>
>> Short of enabling DNS debug logging on my MS DNS servers and picking
>> through them to find the source of the query, is there another solution
>> that's more permanent?
>>
>>
>>
>> I'm thinking that if I had something like a "DNS proxy" that does the
>> kind of logging I'm looking for, that would be great.  Essentially a DNS
>> server that forwards everything on to the 'regular' servers.
>>
>>
>>
>> client  <-->  proxy  <-->  internal DNS server  <-->  external DNS servers
>>
>>
>>
>> Just messing around with ideas.  Anyone have a solution to this already
>> in place?  (Preferably one that's affordable for the little guys.  :-)
>>
>>
>>
>> Thanks,
>> RS
>>
>>
>>
>
>
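The thread lands on feeding the DNS Server debug log into the SIEM. The attribution step itself, which the alert leaves out, is matching the queried name from the alert against incoming client queries in that log. Below is an added example of that correlation (not code from the thread or from the linked AlienVault post). The log lines are constructed to approximate the Windows DNS debug log layout; the exact column positions encoded in LINE_RE are an assumption to verify against a real log before relying on it.

```python
"""Attribute a "malicious IP in DNS response" SIEM alert to the internal
client that asked for the name, using the Windows DNS Server debug log.

Added example, not code from the list thread.  SAMPLE_LOG is constructed
to approximate the debug-log layout (date, time, thread id, context,
packet pointer, protocol, Snd/Rcv, remote IP, XID, 'R' on responses,
opcode, [flags], qtype, name as length-prefixed labels).  Column layout
is an assumption; check LINE_RE against a real log first.
"""
import re
from datetime import datetime, timedelta

# Constructed sample.  192.0.2.53 stands in for the upstream forwarder,
# 10.1.x.x for internal clients; the last query has no response yet.
SAMPLE_LOG = """\
DNS Server log file creation at 1/7/2016 2:00:00 PM
1/7/2016 2:30:01 PM 0B2C PACKET  00000000004A1F10 UDP Rcv 10.1.20.55      0a3c   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
1/7/2016 2:30:01 PM 0B2C PACKET  00000000004A1F10 UDP Snd 192.0.2.53      7c11   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
1/7/2016 2:30:01 PM 0B2C PACKET  00000000004A1F10 UDP Rcv 192.0.2.53      7c11 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
1/7/2016 2:30:01 PM 0B2C PACKET  00000000004A1F10 UDP Snd 10.1.20.55      0a3c R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
1/7/2016 2:31:17 PM 0B2C PACKET  00000000004A2240 UDP Rcv 10.1.20.77      1b44   Q [0001   D   NOERROR] A      (6)update(8)evil-cdn(4)test(0)
1/7/2016 2:31:17 PM 0B2C PACKET  00000000004A2240 UDP Snd 192.0.2.53      9e02   Q [0001   D   NOERROR] A      (6)update(8)evil-cdn(4)test(0)
1/7/2016 2:31:17 PM 0B2C PACKET  00000000004A2240 UDP Rcv 192.0.2.53      9e02 R Q [8081   DR  NOERROR] A      (6)update(8)evil-cdn(4)test(0)
1/7/2016 2:31:17 PM 0B2C PACKET  00000000004A2240 UDP Snd 10.1.20.77      1b44 R Q [8081   DR  NOERROR] A      (6)update(8)evil-cdn(4)test(0)
1/7/2016 2:45:03 PM 0B2C PACKET  00000000004A3300 UDP Rcv 10.1.30.12      5d10   Q [0001   D   NOERROR] A      (6)update(8)evil-cdn(4)test(0)
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"\S+ PACKET\s+\S+ (?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<ip>\S+)\s+"
    r"(?P<xid>[0-9a-fA-F]{4}) (?P<resp>[R ]) (?P<op>[A-Z]) \[[^\]]*\] "
    r"(?P<qtype>\S+)\s+(?P<name>\S+)"
)


def decode_name(packed: str) -> str:
    """'(3)www(7)example(3)com(0)' -> 'www.example.com'."""
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^(]*)", packed):
        if len(label) != int(length):
            raise ValueError(f"label length mismatch in {packed!r}")
        if label:
            labels.append(label)
    return ".".join(labels)


def parse_debug_log(text):
    """Yield one dict per packet line; header and detail lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        yield {
            "ts": datetime.strptime(f"{d['date']} {d['time']}",
                                    "%m/%d/%Y %I:%M:%S %p"),
            "direction": d["dir"],
            "remote_ip": d["ip"],
            "is_response": d["resp"] == "R",
            "qtype": d["qtype"],
            "name": decode_name(d["name"]),
        }


def clients_that_asked(text, name, alert_time=None, window_minutes=5):
    """Internal clients that queried `name`: incoming (Rcv) non-response
    packets only, so the forwarder's answers and our own replies are not
    mistaken for askers.  `alert_time` ('YYYY-MM-DD HH:MM:SS') narrows the
    search to +/- window_minutes around the SIEM alert."""
    target = name.lower().rstrip(".")
    centre = (datetime.strptime(alert_time, "%Y-%m-%d %H:%M:%S")
              if alert_time else None)
    window = timedelta(minutes=window_minutes)
    hits = set()
    for rec in parse_debug_log(text):
        if rec["direction"] != "Rcv" or rec["is_response"]:
            continue
        if rec["name"].lower() != target:
            continue
        if centre is not None and abs(rec["ts"] - centre) > window:
            continue
        hits.add((rec["ts"].strftime("%Y-%m-%d %H:%M:%S"), rec["remote_ip"]))
    return sorted(hits)


if __name__ == "__main__":
    # The name would come from the SIEM alert that fired on the response.
    for ts, ip in clients_that_asked(SAMPLE_LOG, "update.evil-cdn.test"):
        print(ts, ip)
```

Because the debug log wraps, as noted in the thread, this only works for alerts that are still inside the retained window; shipping the parsed (timestamp, client, name) tuples to the SIEM as they are produced is what turns it into the "single, non-expiring repository" the original post was after.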



[NTSysADM] Is there an off-the-shelf way to completely block macros in Office files

2016-01-06 Thread Richard Stovall
By off-the-shelf I mean GPO, etc.  Any in-built functionality in a modern
network with AD.



Re: [NTSysADM] New Firewall

2015-12-23 Thread Richard Stovall
Why replace them if they're doing what you need?

On Wed, Dec 23, 2015 at 1:31 PM, David McSpadden  wrote:

> Well I guess my requirements would be to continue to do what the ASA 5500
> does and what the Ironport WSA does.  (The ASA also does our VPN
> connections, very limited to a few personnel and they use the AnyConnect
> client.)
>
>
>
>
>
> *From:* listsadmin@lists.myitforum.com [mailto:
> listsadmin@lists.myitforum.com] *On Behalf Of *Andrew S. Baker
> *Sent:* Wednesday, December 23, 2015 1:27 PM
> *To:* ntsysadm 
> *Subject:* Re: [NTSysADM] New Firewall
>
>
>
> The Palo Alto devices are quite stellar, but do require a shift in how you
> think about device configuration.
>
>
>
> I'm still more inclined to recommend Fortinet devices, from a
> bang-for-the-buck perspective.
>
>
>
> Of course, you haven't actually told us what your requirements are, so
> this is just another name-your-preferred-vendor exercise.
>
>
>
> Regards,
>
>
>
>
>
>
>
> *ASB **http://XeeMe.com/AndrewBaker* 
> *Providing Virtual CIO Services (IT Operations & Information Security) for
> the SMB market…*
>
> * GPG: *1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A
>
>
>
> On Wed, Dec 23, 2015 at 8:13 AM, David McSpadden  wrote:
>
> We are looking to replace our ASA 5500 and Ironport WSA.
>
> What is the leader in firewalls currently?
>
> (NextGen type firewall.)
>
> We have some that are saying Palo Alto is the only way to go but just
> wondering from the list what everybody else is feeling good about these
> days.
>
>
>
>
>
> *David McSpadden*
>
> System Administrator
>
> Indiana Members Credit Union
>
> P: 317.554.8190
>
>
>
>
> This e-mail and any files transmitted with it are property of Indiana
> Members Credit Union, are confidential, and are intended solely for the use
> of the individual or entity to whom this e-mail is addressed. If you are
> not one of the named recipient(s) or otherwise have reason to believe that
> you have received this message in error, please notify the sender and
> delete this message immediately from your computer. Any other use,
> retention, dissemination, forwarding, printing, or copying of this email is
> strictly prohibited.
>
>
>
> Please consider the environment before printing this email.
>
>



[NTSysADM] Juniper ScreenOS backdoors

2015-12-22 Thread Richard Stovall
I don't believe I've seen these discussed on this forum.

There are two major vulnerabilities with Juniper's ScreenOS in the wild
that are pretty scary for both their immediate ramifications and their
long-term implications.

Have a look at the following to see if you're affected.  (And even if
you're not, consider the implications of what happened and how it could
affect you in the future.)

https://kb.juniper.net/InfoCenter/index?page=content=JSA10713=SIRT_1=LIST


Note that there are two different CVEs.  Don't stop reading after the first
few paragraphs.

Happy Christmas,

RS



Re: [NTSysADM] Barracuda Spam fw appliance

2015-12-18 Thread Richard Stovall
I have one that does a pretty good job with everything but friggin' macro
viruses in Office documents.  We have had one in place for about 11 years,
so it is highly tuned for our environment.  I also do a lot to block .ru,
.cn, .in, etc straight out of the gate before the Barracuda's inspection
even begins.

Shoot some specific questions about configuration settings to the list if
you like, and I can check how I've got mine setup.

Also, primarily for the macro virus issue, we're adding Proofpoint to the
mix in the next few weeks.  I'm still going to keep the Barracuda, but
everything inbound will go through Proofpoint first.


On Fri, Dec 18, 2015 at 9:37 AM, Jake Gardner  wrote:

> Does anyone here use one?  We have a model 300 and lately we are getting
> absolutely hammered with SPAM that the ‘cuda just won’t catch.
>
>
>
> I have opened a few tickets with them about the issue and all they say is
> that my firewall is blocking the ‘cuda from checking websites.  I’ve
> checked my firewall and I don’t see any blocks and the ‘cuda is in a policy
> with no  outbound restrictions.
>
>
>
> The only thing that seems to slow it down is rate control.  I turned it
> down to 20/30mins.   In the last 9 hours it controlled 3700 and only
> outright blocked 1450.  We see about 17k messages a day on average.  A
> couple months ago we were averaging 12k.
>
>
>
>
>
> Thanks,
>
>
>
> Jake Gardner
>
> IT Administrator
>
> 267-352-2020 Ext. 246
>
> www.ttcdas.com
>
>
>
> ***Teletronics Technology Corporation***
> This e-mail is confidential and may also be privileged. If you are not the
> addressee or authorized by the addressee to receive this e-mail, you may
> not disclose, copy, distribute, or use this e-mail. If you have received
> this e-mail in error, please notify the sender immediately by reply e-mail
> or by telephone at 267-352-2020 and destroy this message and any copies.
>
> Thank you.
>
> ***
>



Re: [NTSysADM] Barracuda Spam fw appliance

2015-12-18 Thread Richard Stovall
I am using the following:

BRBL - Block
Zen.spamhaus.org - Quarantine
bl.spamcop.net - Tag

On Fri, Dec 18, 2015 at 11:18 AM, Jake Gardner  wrote:

> Thanks guys.  I used to use them years ago and removed them for some
> reason.  I don't remember the reason so I'll add them back.
>
>
> Thanks,
>
> Jake Gardner
> IT Administrator
> 267-352-2020 Ext. 246
> www.ttcdas.com
>
>
> -Original Message-
> From: listsadmin@lists.myitforum.com [mailto:
> listsadmin@lists.myitforum.com] On Behalf Of Kurt Buff
> Sent: Friday, December 18, 2015 11:07 AM
> To: ntsysadm
> Subject: Re: [NTSysADM] Barracuda Spam fw appliance
>
> +10 - rbls help massively.
>
> Kurt
>
> On Fri, Dec 18, 2015 at 7:55 AM, Kennedy, Jim <
> kennedy...@elyriaschools.org> wrote:
> > Take a look at adding some external RBL’s to augment Cuda’s.
> >
> >
> >
> > https://www.spamhaus.org/sbl/  and
> > https://www.spamcop.net/fom-serve/cache/290.html
> >
> >
> >
> >
> >
> >
> >
> > From: listsadmin@lists.myitforum.com
> > [mailto:listsadmin@lists.myitforum.com]
> > On Behalf Of Jake Gardner
> > Sent: Friday, December 18, 2015 10:54 AM
> > To: 'ntsys...@lists.myitforum.com'
> > Subject: RE: [NTSysADM] Barracuda Spam fw appliance
> >
> >
> >
> > I guess my question was if anyone else is seeing this type of increase.
> >
> >
> >
> > Is there a list of common regex’s that I could use?
> >
> >
> >
> > Thanks,
> >
> >
> >
> > Jake Gardner
> >
> > IT Administrator
> >
> > 267-352-2020 Ext. 246
> >
> > www.ttcdas.com
> >
> >
> >
> > From: listsadmin@lists.myitforum.com
> > [mailto:listsadmin@lists.myitforum.com]
> > On Behalf Of Todd Lemmiksoo
> > Sent: Friday, December 18, 2015 10:14 AM
> > To: ntsys...@lists.myitforum.com
> > Subject: Re: [NTSysADM] Barracuda Spam fw appliance
> >
> >
> >
> > I have a physical 400 and a virtual 300 in a cluster config. I also
> > block .ru, .cn, .cz
> >
> > Ask your questions.
> >
> >
> >
> > On Fri, Dec 18, 2015 at 9:08 AM, Sean Martin 
> wrote:
> >
> > We have a couple of 800s, but they're second tier behind ProofPoint,
> > so they don't see a lot of malicious traffic. What does slip through
> > ProofPoint does appear to get caught by the Barracuda's in most cases.
> >
> >
> >
> > - Sean
> >
> >
> >
> > On Fri, Dec 18, 2015 at 5:37 AM, Jake Gardner 
> wrote:
> >
> > Does anyone here use one?  We have a model 300 and lately we are
> > getting absolutely hammered with SPAM that the ‘cuda just won’t catch.
> >
> >
> >
> > I have opened a few tickets with them about the issue and all they say
> > is that my firewall is blocking the ‘cuda from checking websites.
> > I’ve checked my firewall and I don’t see any blocks and the ‘cuda is
> > in a policy with no outbound restrictions.
> >
> >
> >
> > The only thing that seems to slow it down is rate control.  I turned it
> > down to 20/30mins.   In the last 9 hours it controlled 3700 and only
> > outright blocked 1450.  We see about 17k messages a day on average.  A
> > couple months ago we were averaging 12k.
> >
> >
> >
> >
> >
> > Thanks,
> >
> >
> >
> > Jake Gardner
> >
> > IT Administrator
> >
> > 267-352-2020 Ext. 246
> >
> > www.ttcdas.com
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > --
> >
> > T. Todd Lemmiksoo
> >
> >
> >
>
>
>
>



Re: [NTSysADM] Encrypting File Attachments

2015-12-09 Thread Richard Stovall
I would love to quarantine only the ones with Macros.  That would be
eee.  Our current on-prem Barracuda can't do that (or if it
can, I sure don't know about it.)  How do you do it?

On Wed, Dec 9, 2015 at 1:31 PM, Mark Gottschalk <mgo...@2roads.com> wrote:

> I quarantine only Office attachments that contain macros.  I have the
> option of stripping all macros from office docs, but 99%+ of all Word/Excel
> files we receive with macros are trojans anyway.  I've had to release from
> quarantine maybe half a dozen legitimate office docs with macros this year.
>
>
>
>
> From:Richard Stovall <rich...@gmail.com>
> To:ntsys...@lists.myitforum.com
> Date:12/09/2015 10:23 AM
> Subject:Re: [NTSysADM] Encrypting File Attachments
> Sent by:listsadmin@lists.myitforum.com
> --
>
>
>
> Not surprising at all.  I do the same thing.  I am also manually triaging
> all Office attachments (though that is a major pain and will go away pretty
> soon when we add another layer of automated defense).
>
> On Wed, Dec 9, 2015 at 1:08 PM, Mark Gottschalk <*mgo...@2roads.com*
> <mgo...@2roads.com>> wrote:
> We quarantine all emails with html attachments (such as the secure Cisco
> email), since the majority (90%+) we see are trojans or phishing.  Same for
> zip files in email, believe it or not.  Those are easily topping 99.9%
> trojans (thousands received in the past week).  Same for dozens of more
> obscure attachment types.  Recipients get a quarantine notification if the
> originating mail server is not also a known spam source.  If the email is
> legit and needed, they request it being released.  I see zero to two zip
> file recovery requests a week, tops.
>
> I don't trust an antivirus system enough to allow users to decide whether
> or not to open attachment types that are overwhelmingly used maliciously in
> email.  But, I get the need for occasional, easy-to-use secure messaging
> and the tradeoff between irritation and security.
>
> -- Mark
>
>
>
>
> From:David McSpadden <*dav...@imcu.com* <dav...@imcu.com>>
> To:"*ntsys...@lists.myitforum.com* <ntsys...@lists.myitforum.com>"
> <*ntsys...@lists.myitforum.com* <ntsys...@lists.myitforum.com>>
> Date:12/09/2015 09:04 AM
> Subject:RE: [NTSysADM] Encrypting File Attachments
> Sent by:*listsadmin@lists.myitforum.com*
> <listsadmin@lists.myitforum.com>
> --
>
>
>
>
> Well,
> It is better than seeing my members data on FoxNews I suppose.
> But yeah, hate it from time to time.
>
>
> * From:* *listsadmin@lists.myitforum.com* <listsadmin@lists.myitforum.com>
> [*mailto:listsadmin@lists.myitforum.com* <listsadmin@lists.myitforum.com>]
> *On Behalf Of *Gavin Wilby
> * Sent:* Wednesday, December 9, 2015 12:01 PM
> * To:* '*ntsys...@lists.myitforum.com* <ntsys...@lists.myitforum.com>' <
> *ntsys...@lists.myitforum.com* <ntsys...@lists.myitforum.com>>
> * Subject:* RE: [NTSysADM] Encrypting File Attachments
>
> J
>
> That’s a very annoying feature you have.
>
> * Gavin Wilby*
> * IT Support Engineer*
>
>
>
>



Re: [NTSysADM] Encrypting File Attachments

2015-12-09 Thread Richard Stovall
Not surprising at all.  I do the same thing.  I am also manually triaging
all Office attachments (though that is a major pain and will go away pretty
soon when we add another layer of automated defense).

On Wed, Dec 9, 2015 at 1:08 PM, Mark Gottschalk  wrote:

> We quarantine all emails with html attachments (such as the secure Cisco
> email), since the majority (90%+) we see are trojans or phishing.  Same for
> zip files in email, believe it or not.  Those are easily topping 99.9%
> trojans (thousands received in the past week).  Same for dozens of more
> obscure attachment types.  Recipients get a quarantine notification if the
> originating mail server is not also a known spam source.  If the email is
> legit and needed, they request it being released.  I see zero to two zip
> file recovery requests a week, tops.
>
> I don't trust an antivirus system enough to allow users to decide whether
> or not to open attachment types that are overwhelmingly used maliciously in
> email.  But, I get the need for occasional, easy-to-use secure messaging
> and the tradeoff between irritation and security.
>
> -- Mark
>
>
>
>
> From:David McSpadden 
> To:"ntsys...@lists.myitforum.com" 
> Date:12/09/2015 09:04 AM
> Subject:RE: [NTSysADM] Encrypting File Attachments
> Sent by:listsadmin@lists.myitforum.com
> --
>
>
>
> Well,
> It is better than seeing my members data on FoxNews I suppose.
> But yeah, hate it from time to time.
>
>
> *From:* listsadmin@lists.myitforum.com [
> mailto:listsadmin@lists.myitforum.com ] *On
> Behalf Of *Gavin Wilby
> * Sent:* Wednesday, December 9, 2015 12:01 PM
> * To:* 'ntsys...@lists.myitforum.com' 
> * Subject:* RE: [NTSysADM] Encrypting File Attachments
>
> J
>
> That’s a very annoying feature you have.
>
> *Gavin Wilby*
> *IT Support Engineer*
>
>
>
>



Re: [NTSysADM] Urgent DNS server patch

2015-12-08 Thread Richard Stovall
There's actually 8 criticals this month...

https://technet.microsoft.com/library/security/ms15-Dec

On Tue, Dec 8, 2015 at 1:50 PM, Wolf, Daniel  wrote:

> *Security Update for Microsoft Windows DNS to Address Remote Code
> Execution (3100465)*
>
>
>
> https://technet.microsoft.com/en-us/library/security/ms15-127.aspx
>



Re: [NTSysADM] dns propagation errors

2015-12-08 Thread Richard Stovall
If I was in the financial services industry, or any other key
infrastructure business, I would seriously consider this.

http://krebsonsecurity.com/2015/12/dhs-giving-firms-free-penetration-tests/

On Tue, Dec 8, 2015 at 5:03 PM, Don Ely  wrote:

> To be fair, it was a short break from working on a Cisco ACI deployment in
> 2 new datacenters.  Though it did seem some folks might want to brush up on
> their DNS skills...  :)
>
>
>
> On Tue, Dec 8, 2015 at 10:37 AM Jeff Steward  wrote:
>
>> The list will return to normal snark levels after the holidays :)
>>
>> -Jeff
>>
>>
>> On Tue, Dec 8, 2015 at 1:17 PM David McSpadden  wrote:
>>
>>> Ended up being several issues.
>>>
>>> Arin did not have an SOA pointing to ultradns.
>>>
>>> Old ISP had PTR’s of their own pointing to old IP addresses.
>>>
>>> ISP routing email to old firewall not new firewall.
>>>
>>> Ironport didn’t have new IPs from new firewall or DNS.
>>>
>>> All in all a complete breakdown.
>>>
>>> Almost back to 100% now though.
>>>
>>> Thanks all for the direction and less flame acidic responses.
>>>
>>> From:David McSpadden 
>>> To:"ntsys...@lists.myitforum.com" 
>>> Date:12/04/2015 11:38 AM
>>> Subject:[NTSysADM] dns propagation errors
>>> Sent by:listsadmin@lists.myitforum.com
>>>
>>>
>>>
>>>
>>> My DNS servicer is stating my PTR issue is a DNS propagation error?
>>> This is my zone currently:
>>> ;File created: 12/04/2015 16:23
>>> ;Record count: 25
>>> $ORIGIN imcu.com.
>>> @                           86400  IN  SOA  pdns206.ultradns.com. bill\.krause.fiserv.com. (
>>>                             2014081268  ;Serial
>>>                             10800       ;Refresh
>>>                             3600        ;Retry
>>>                             2592000     ;Expire
>>>                             86400       ;Minimum
>>>                             )
>>> @                           86400  IN  NS   pdns206.ultradns.org.
>>> @                           86400  IN  NS   pdns206.ultradns.com.
>>> @                           86400  IN  NS   pdns206.ultradns.net.
>>> @                           86400  IN  NS   pdns206.ultradns.biz.
>>> autodiscover                600    IN  A    192.171.14.74
>>> legacymail                  600    IN  A    192.171.14.74
>>> mail                        600    IN  A    192.171.14.74
>>> outlook                     600    IN  A    192.171.14.74
>>> 74.14.171.192.in-addr.arpa  86400  IN  PTR  mail.imcu.com.
>>>
>>> @                           86400  IN  MX   10 mail.imcu.com.
>>>
>>> @                           86400  IN  TXT  "v=spf1 ip4:184.72.242.195 ip4:192.171.14.74 ~all"
>>> @                           86400  IN  TXT  "\"v=spf1 ip4:184.72.242.195 ip4:192.171.14.74 ~all\""
>>>
>>>
>>>
>>> Am I missing an SOA?
>>>
>>>
>>>
>>



Re: [NTSysADM] RE: Windows 10 limited wireless and no network.

2015-12-02 Thread Richard Stovall
Adobe?

On Wed, Dec 2, 2015 at 12:25 PM, David McSpadden  wrote:

> Freaking ADOBE
>
> They have the adware of AVG included.
>
> AVG network filter driver was select in the properties of the Ethernet and
> Wireless adapters!
>
> FUBAR
>
> Yes all caps.
>
> 5 hours of my life I feel I can only charge her for ½ an hour.
>
> Looked right at it for hours upon hours.
>
> Found it here:
>
>
> http://answers.microsoft.com/en-us/windows/forum/windows_7-hardware/windows-couldnt-automatically-bind-the-ip-protocol/a2f074cf-be62-435e-b951-42dfbb9351c2?auth=1
>
> Under most helpful reply, cretaceousfiligree, October 26, 2013.
>
>
>
> Not even a windows 10 issue.
>
>
>
>
>
> *From:* listsadmin@lists.myitforum.com [mailto:
> listsadmin@lists.myitforum.com] *On Behalf Of *David McSpadden
> *Sent:* Wednesday, December 2, 2015 11:01 AM
> *To:* ntsys...@lists.myitforum.com
> *Subject:* [NTSysADM] RE: Windows 10 limited wireless and no network.
>
>
>
> Last update they took was on the 18th, 3103688.
>
> They are not on 1511.
>
>
>
>
>
> *From:* listsadmin@lists.myitforum.com [mailto:
> listsadmin@lists.myitforum.com] *On Behalf Of *James Rankin
> *Sent:* Wednesday, December 2, 2015 10:54 AM
> *To:* ntsys...@lists.myitforum.com
> *Subject:* [NTSysADM] RE: Windows 10 limited wireless and no network.
>
>
>
> It’s possible that the 1511 update may introduce other issues apart from
> wireless – it’s near enough a new OS. Is it on?
>
>
>
> *From:* listsadmin@lists.myitforum.com [mailto:
> listsadmin@lists.myitforum.com] *On Behalf Of *David McSpadden
> *Sent:* 02 December 2015 15:52
> *To:* ntsys...@lists.myitforum.com
> *Subject:* [NTSysADM] RE: Windows 10 limited wireless and no network.
>
>
>
> Won’t even connect to the Cat5 cable.
>
>
>
>
>
> *From:* listsadmin@lists.myitforum.com [
> mailto:listsadmin@lists.myitforum.com ] *On
> Behalf Of *James Rankin
> *Sent:* Wednesday, December 2, 2015 10:40 AM
> *To:* ntsys...@lists.myitforum.com
> *Subject:* [NTSysADM] RE: Windows 10 limited wireless and no network.
>
>
>
> Yes, that’s the 1511 update – it causes problems with some wireless cards
> (maybe need a driver update), authentication to RADIUS servers in some
> situations, all sorts of good fun.
>
>
>
> Who said a constant release schedule wasn’t fun? We will have
> approximately 3000 new student laptops after Xmas all running the latest
> version of Windows 10 – let’s hope they’ve fixed the issues by then.
>
>
>
> *From:* listsadmin@lists.myitforum.com [
> mailto:listsadmin@lists.myitforum.com ] *On
> Behalf Of *Damien Solodow
> *Sent:* 02 December 2015 15:36
> *To:* ntsys...@lists.myitforum.com
> *Subject:* [NTSysADM] RE: Windows 10 limited wireless and no network.
>
>
>
> There is a KB article about issues in wireless with a November Windows 10
> update having to do with certain 802.11x/WPA2 types.
>
>
>
> DAMIEN SOLODOW
>
> Senior Systems Engineer
>
> 317.447.6033 (office)
>
> 317.447.6014 (fax)
>
> HARRISON COLLEGE
>
>
>
> *From:* listsadmin@lists.myitforum.com [
> mailto:listsadmin@lists.myitforum.com ] *On
> Behalf Of *David McSpadden
> *Sent:* Wednesday, December 2, 2015 10:33 AM
> *To:* ntsys...@lists.myitforum.com
> *Subject:* [NTSysADM] Windows 10 limited wireless and no network.
>
>
>
> Friends home laptop.  Upgraded to Windows 10 back in September running
> fine.
>
> Now all of a sudden any wifi access comes back limited with 0 bytes in or
> out.
>
> And I have it here at work connected to a sandbox Ethernet connection
> with no ip or anything.
>
> Has Mcafee Total protection on it.  I have disabled the firewall and
> rebooted with no access still?
>
>
>

Re: [NTSysADM] Windows 7+ command line auditing

2015-11-19 Thread Richard Stovall
Pretty much what I thought...

On Thu, Nov 19, 2015 at 5:20 PM, Kurt Buff <kurt.b...@gmail.com> wrote:

> That's very cool. I wonder how I missed that?
>
> Kurt
>
> On Thu, Nov 19, 2015 at 1:55 PM, Richard Stovall <rich...@gmail.com>
> wrote:
> > I did not know about this until today.  Pretty great addition to the
> Windows
> > auditing lineup.
> >
> >
> https://dirteam.com/sander/2015/02/17/security-thoughts-include-command-line-in-process-creation-events/
> >
> > Win 8.1, Server 2012 R2 (and presumably 10) already have the kb3004375
> bits
> > baked in.
> >
> > Enjoy!
>
>
>



[NTSysADM] Windows 7+ command line auditing

2015-11-19 Thread Richard Stovall
I did not know about this until today.  Pretty great addition to the
Windows auditing lineup.

https://dirteam.com/sander/2015/02/17/security-thoughts-include-command-line-in-process-creation-events/

Win 8.1, Server 2012 R2 (and presumably 10) already have the kb3004375 bits
baked in.

Enjoy!



Re: [NTSysADM] Blocking Java, Google, Adobe automagic updaters

2015-11-16 Thread Richard Stovall
Amen.

On Mon, Nov 16, 2015 at 11:08 AM, Kennedy, Jim <kennedy...@elyriaschools.org
> wrote:

> Putting on my PDQ Deploy advocate hat again.
>
>
>
> The OP can solve the bandwidth issues and the control issues and the
> update issue for 500 bucks.  This thread and the prior work on all those
> GPO’s and the ongoing work every month costs his org more than that.
>
>
>
> *From:* listsadmin@lists.myitforum.com [mailto:
> listsadmin@lists.myitforum.com] *On Behalf Of *Richard Stovall
> *Sent:* Monday, November 16, 2015 11:06 AM
> *To:* ntsys...@lists.myitforum.com
> *Subject:* Re: [NTSysADM] Blocking Java, Google, Adobe automagic updaters
>
>
>
> 
>
>
>
> Totally understood.  This does not appear to be that sort of environment.
> If I read the thread correctly, things appear to be working well for the OP
> with auto-updating enabled, except for Internet bandwidth saturation at
> inopportune times.  Purposefully disabling updates to vulnerable
> applications that are not bound to specific versions without a plan to
> immediately assume a managed plan to patch them is not wise at best. At
> worst it's potentially career limiting.
>
>
>
> 
>
>
>
> On Mon, Nov 16, 2015 at 10:23 AM, Mark Liechty <m...@mliechty.com> wrote:
>
> On Nov 16, 2015, at 6:33 AM, Richard Stovall <rich...@gmail.com> wrote:
> >
> > Understood.  I totally get that there are valid reasons to retain old
> versions of Java for some very specific use cases.  But Reader/Acrobat?
> Chrome?  And heaven forbid, Flash?
> > #
>
>
> I worked with a medical device company a few years ago that was very
> specific about the Adobe Reader version.   They have very complex QA around
> any changes to the processes of any kind.  Rules come from the FDA, Legal
> Department and lots of other strangeness that IT cannot, and should not,
> control.
>
> It seems that at one point the PDF documents that were generated by some
> other process did not display properly when looked at by the newest version
> ##.### of Adobe but were perfect when using version YY.YYY.  Since opening
> these documents was required for each device as it came from assembly (had
> testing results) we could not use the latest versions.
>
> Added to that ANY change at any point in the process required a complete
> end-to-end revalidation\certification that was a very detailed process.
>
> So we stayed with the old versions and moved on.  My last contact was 5
> years later and they still had not been able to change.  What they had
> worked and there was no motivation to upgrade for the sake of being “new
> and shiny”
>
>
>
>
>



Re: [NTSysADM] Blocking Java, Google, Adobe automagic updaters

2015-11-16 Thread Richard Stovall


Totally understood.  This does not appear to be that sort of environment.
If I read the thread correctly, things appear to be working well for the OP
with auto-updating enabled, except for Internet bandwidth saturation at
inopportune times.  Purposefully disabling updates to vulnerable
applications that are not bound to specific versions without a plan to
immediately assume a managed plan to patch them is not wise at best. At
worst it's potentially career limiting.



On Mon, Nov 16, 2015 at 10:23 AM, Mark Liechty <m...@mliechty.com> wrote:

> On Nov 16, 2015, at 6:33 AM, Richard Stovall <rich...@gmail.com> wrote:
> >
> > Understood.  I totally get that there are valid reasons to retain old
> versions of Java for some very specific use cases.  But Reader/Acrobat?
> Chrome?  And heaven forbid, Flash?
> > #
>
>
> I worked with a medical device company a few years ago that was very
> specific about the Adobe Reader version.   They have very complex QA around
> any changes to the processes of any kind.  Rules come from the FDA, Legal
> Department and lots of other strangeness that IT cannot, and should not,
> control.
>
> It seems that at one point the PDF documents that were generated by some
> other process did not display properly when looked at by the newest version
> ##.### of Adobe but were perfect when using version YY.YYY.  Since opening
> these documents was required for each device as it came from assembly (had
> testing results) we could not use the latest versions.
>
> Added to that ANY change at any point in the process required a complete
> end-to-end revalidation\certification that was a very detailed process.
>
> So we stayed with the old versions and moved on.  My last contact was 5
> years later and they still had not been able to change.  What they had
> worked and there was no motivation to upgrade for the sake of being “new
> and shiny”
>
>
>
>
>



Re: [NTSysADM] Blocking Java, Google, Adobe automagic updaters

2015-11-16 Thread Richard Stovall


If you don't have a robust strategy for keeping these applications updated,
you might be better off letting them auto-update.  If you've got
Internet-connected PCs running these applications, you're just asking to
get bitten if you don't keep them up to date.  A managed strategy with
reporting is best, but auto-updating is better than nothing (and certainly
better than willfully keeping them out of date.)



On Mon, Nov 16, 2015 at 8:57 AM, David McSpadden  wrote:

> I have put in place the GPO’s for these but apparently I don’t have the
> right settings.
>
> Adobe DC Reader and Java update 6v8whatever are trying to update to my
> internet PC’s.
>
> What should the settings be on the GPO’s to stop these autoupdaters from
> even running?
>
> This e-mail and any files transmitted with it are property of Indiana
> Members Credit Union, are confidential, and are intended solely for the use
> of the individual or entity to whom this e-mail is addressed. If you are
> not one of the named recipient(s) or otherwise have reason to believe that
> you have received this message in error, please notify the sender and
> delete this message immediately from your computer. Any other use,
> retention, dissemination, forwarding, printing, or copying of this email is
> strictly prohibited.
>
> Please consider the environment before printing this email.
>



Re: [NTSysADM] Blocking Java, Google, Adobe automagic updaters

2015-11-16 Thread Richard Stovall
Understood.  I totally get that there are valid reasons to retain old
versions of Java for some very specific use cases.  But Reader/Acrobat?
Chrome?  And heaven forbid, Flash?

On Mon, Nov 16, 2015 at 9:26 AM, James Rankin <ja...@htguk.com> wrote:

> Unfortunately there are myriad apps out there that either a) won’t work,
> or b) won’t be supported by their half-assed vendors on the latest
> version of Java
>
>
>
> Browsium and FSLogix both have solutions that can run specific Java
> versions for specific URLs or web apps. Neither of these products would
> exist if the vendors of these awful Java apps got their collective fingers
> out.
>
>
>
> *From:* listsadmin@lists.myitforum.com [mailto:
> listsadmin@lists.myitforum.com] *On Behalf Of *Richard Stovall
> *Sent:* 16 November 2015 14:24
> *To:* ntsys...@lists.myitforum.com
> *Cc:* Patch Management Mailing List (
> patchmanagem...@listserv.patchmanagement.org) <
> patchmanagem...@listserv.patchmanagement.org>
> *Subject:* Re: [NTSysADM] Blocking Java, Google, Adobe automagic updaters
>
>
>
> <Devil's advocate>
>
>
>
> If you don't have a robust strategy for keeping these applications
> updated, you might be better off letting them auto-update.  If you've got
> Internet-connected PCs running these applications, you're just asking to
> get bitten if you don't keep them up to date.  A managed strategy with
> reporting is best, but auto-updating is better than nothing (and certainly
> better than willfully keeping them out of date.)
>
>
>
> 
>
>
>
> On Mon, Nov 16, 2015 at 8:57 AM, David McSpadden <dav...@imcu.com> wrote:
>
> I have put in place the GPO’s for these but apparently I don’t have the
> right settings.
>
> Adobe DC Reader and Java update 6v8whatever are trying to update to my
> internet PC’s.
>
> What should the settings be on the GPO’s to stop these autoupdaters from
> even running?
>
> This e-mail and any files transmitted with it are property of Indiana
> Members Credit Union, are confidential, and are intended solely for the use
> of the individual or entity to whom this e-mail is addressed. If you are
> not one of the named recipient(s) or otherwise have reason to believe that
> you have received this message in error, please notify the sender and
> delete this message immediately from your computer. Any other use,
> retention, dissemination, forwarding, printing, or copying of this email is
> strictly prohibited.
>
>
>
> Please consider the environment before printing this email.
>
>
>



[NTSysADM] Re: Known drive by malware URLs, etc.

2015-10-26 Thread Richard Stovall
Thanks, Z.

On Monday, October 26, 2015, Ed Ziots <eziot...@gmail.com> wrote:

> Check out urlquery.net, malware-traffic-analysis.net,
> malwaredontneedcoffee.com and malwaredomains.com
>
> Should give you plenty to test against
> On Oct 23, 2015 12:25 PM, "Richard Stovall" <rich...@gmail.com
> <javascript:_e(%7B%7D,'cvml','rich...@gmail.com');>> wrote:
>
>> Is there a publicly available repository of such things?  I am kicking
>> the tires of a new AV product and I want to try to break it.  Please e-mail
>> off list if that is appropriate for this kind of thing.
>>
>> Thanks
>> RS
>>
>



Re: [NTSysADM] Known drive by malware URLs, etc.

2015-10-23 Thread Richard Stovall
The real kind.

On Fri, Oct 23, 2015 at 1:02 PM, Micheal Espinola Jr <
michealespin...@gmail.com> wrote:

> Do you want a "test virus" or real viruses to test with?
>
>
> On Friday, October 23, 2015, Richard Stovall <rich...@gmail.com> wrote:
>
>> Is there a publicly available repository of such things?  I am kicking
>> the tires of a new AV product and I want to try to break it.  Please e-mail
>> off list if that is appropriate for this kind of thing.
>>
>> Thanks
>> RS
>>
>
>
> --
> --
> Espi (via mobile)
>



Re: [NTSysADM] Known drive by malware URLs, etc.

2015-10-23 Thread Richard Stovall
Already got a sandbox.  Looking for real-world items to put in it.

On Fri, Oct 23, 2015 at 1:23 PM, Robert Cato <cato.rob...@gmail.com> wrote:

>
> Find an eicar file, that is a good "test virus". During your search, you
> will likely find others. It's a dangerous game to play, find a sandbox
> first.
>
> On Fri, Oct 23, 2015 at 12:23 PM, Richard Stovall <rich...@gmail.com>
> wrote:
>
>> Is there a publicly available repository of such things?  I am kicking
>> the tires of a new AV product and I want to try to break it.  Please e-mail
>> off list if that is appropriate for this kind of thing.
>>
>> Thanks
>> RS
>>
>
>



[NTSysADM] Known drive by malware URLs, etc.

2015-10-23 Thread Richard Stovall
Is there a publicly available repository of such things?  I am kicking the
tires of a new AV product and I want to try to break it.  Please e-mail off
list if that is appropriate for this kind of thing.

Thanks
RS



Re: [NTSysADM] Known drive by malware URLs, etc.

2015-10-23 Thread Richard Stovall
Thanks, guys.  I also just realized you can download samples from reverse.it.


On Fri, Oct 23, 2015 at 3:31 PM, Micheal Espinola Jr <
michealespin...@gmail.com> wrote:

> Its been a few years since I've looked at anything I would consider
> up-to-date.  Many of my past bookmarks are dead, but you could start off
> with this:
>
> https://vxheaven.org/vl.php
>
>
>
> --
> Espi
>
>
> On Fri, Oct 23, 2015 at 11:17 AM, Richard Stovall <rich...@gmail.com>
> wrote:
>
>> The real kind.
>>
>> On Fri, Oct 23, 2015 at 1:02 PM, Micheal Espinola Jr <
>> michealespin...@gmail.com> wrote:
>>
>>> Do you want a "test virus" or real viruses to test with?
>>>
>>>
>>> On Friday, October 23, 2015, Richard Stovall <rich...@gmail.com> wrote:
>>>
>>>> Is there a publicly available repository of such things?  I am kicking
>>>> the tires of a new AV product and I want to try to break it.  Please e-mail
>>>> off list if that is appropriate for this kind of thing.
>>>>
>>>> Thanks
>>>> RS
>>>>
>>>
>>>
>>> --
>>> --
>>> Espi (via mobile)
>>>
>>
>>
>



Re: [NTSysADM] Synology NAS Recommendations

2015-10-22 Thread Richard Stovall
+1 on dumping Drobo.  I had one.  I won't have another.

We have some QNAPs that are as good as the Synology devices.

On Thu, Oct 22, 2015 at 10:02 AM, Micheal Espinola Jr <
michealespin...@gmail.com> wrote:

> Just seeing this post now...
>
> I am a former/current Drobo admin/user as well as a Synology admin/user
> for a few years now.  My opinion is pretty plain and simple:  Drobos are
> crap.  Synologys are good.
>
> I was initially impressed with Drobos until I started to deploy and
> maintain them in large environments.  The bigger/busier the environment,
> the worse they are.  Performance goes exponentially in the toilet to the
> point of literal unavailability - aka, it kills them.  I've had Drobo
> support replace quite a few of them, only to experience the same problems
> after prolonged use.  I was primarily using them as backup devices.  Very
> large/long backup jobs can kill them.  I seriously recommend removing
> any/all at your first opportunity.
>
> Synology is my current go-to for these types of devices.  I haven't
> experienced any issues of note.
>
>
>
>
> --
> Espi
>
>
> On Wed, Oct 7, 2015 at 1:25 PM, Gordon Pegue  wrote:
>
>> I currently have a DroboPro unit populated with 8 – Seagate Constellation
>> ES 2GB drives connected to a server via iSCSI.
>>
>> The unit is used to store backup sets and other file/folder content for
>> my modest Windows network.
>>
>> The hardware is robust and very stable but using Drobo Dashboard to do
>> anything beyond checking device status is painful….
>>
>>
>>
>> I’ve lurked here for some time and see repeated recommendations for and
>> kudos given to Synology NAS units.
>>
>>
>>
>> Before I can pitch to management my thoughts on replacing the Drobo unit,
>> I was wondering if anyone on this list was a former Drobo user and now a
>> Synology user who might comment on the transition.
>>
>>
>>
>> Inviting any other commentary/recommendations as seen fit.
>>
>>
>>
>> TIA
>>
>> Gordon
>>
>
>



Re: [NTSysADM] RE: Outlook 2016 Calendar OT

2015-10-16 Thread Richard Stovall
"I'll give you my Outlook 2010 when you pry it from my cold, dead hands."

On Fri, Oct 16, 2015 at 2:45 PM, Andrew S. Baker  wrote:

> I'm still on 2010 as well. I'll change just before it goes bust...
>
>
>
>
>
>
> *ASB **http://XeeMe.com/AndrewBaker* 
> *Providing Virtual CIO Services (IT Operations & Information Security) for
> the SMB market…*
>
> * GPG: *1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A
>
>
> On Fri, Oct 16, 2015 at 1:02 PM, Michael B. Smith 
> wrote:
>
>> I'm still on 2010. But after 2016 has been around for a while (and had a
>> few months of patch releases), I'll make the switch.
>>
>> At this point, I've got clients making fun of me because I'm running
>> 2010. :-)
>>
>> -Original Message-
>> From: listsadmin@lists.myitforum.com [mailto:
>> listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
>> Sent: Friday, October 16, 2015 11:12 AM
>> To: ntsys...@lists.myitforum.com
>> Subject: [NTSysADM] RE: Outlook 2016 Calendar OT
>>
>> I am hating Outlook 2016.  It forgets view settings, PITA to propagate
>> those settings to other folders...it just doesn't work that well or
>> consistently.  Slow as dirt switching folders. Reminds me why I rolled back
>> from 2013. I will probably roll this one back also.
>>
>> But it looks cool, that is all that matters right.
>>
>> -Original Message-
>> From: listsadmin@lists.myitforum.com [mailto:
>> listsadmin@lists.myitforum.com] On Behalf Of James Rankin
>> Sent: Friday, October 16, 2015 8:52 AM
>> To: ntsys...@lists.myitforum.com
>> Subject: [NTSysADM] RE: Outlook 2016 Calendar OT
>>
>> Me neither. Rather annoying now you've brought it to my attention. Looks
>> like it's another change Microsoft have made for us that isn't very
>> helpful...
>>
>> -Original Message-
>> From: listsadmin@lists.myitforum.com [mailto:
>> listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
>> Sent: 16 October 2015 13:44
>> To: 'ntsys...@lists.myitforum.com' 
>> Subject: [NTSysADM] Outlook 2016 Calendar OT
>>
>> This is really bugging me, I just stare at it all day and get nothing
>> done.
>>
>> Since upgrading to Office 2016 the To Do Bar Calendar is not showing the
>> dates I have appointments with a bold font.  I know they won't show bold
>> unless the appointment is flagged as 'busy'.  They are, in fact I have
>> tried every type to be sure.  Ran all the outlook switches, reset
>> views...googled my fingers until they hurt.
>>
>> Anyone else seeing this? Maybe it is working as intended now?
>>
>
>



[NTSysADM] Cylance Protect

2015-10-16 Thread Richard Stovall
Anyone using it?  If so, any thoughts or experiences to share?



Re: [NTSysADM] C2 tunneling over DNS

2015-10-16 Thread Richard Stovall
Yup.  I already restrict outbound DNS queries to authorized internal DNS
servers.  But what the article makes clear is that strategy isn't
sufficient to protect against this kind of communication.

Oy.

On Fri, Oct 16, 2015 at 11:21 PM, Kurt Buff <kurt.b...@gmail.com> wrote:

> The problem is that the domain being queried will be reached with a
> recursive query, and will include in the response (especially in TXT
> items) the C2 data. That won't be mitigated by choosing specific DNS
> servers for your queries, unless your specific DNS servers have some
> way to scrub the query results, or to deny them for known bad domains.
>
> Kurt
>
> On Fri, Oct 16, 2015 at 8:17 PM, Micheal Espinola Jr
> <michealespin...@gmail.com> wrote:
> > Anything can be "tunneled".   In this case, restrict DNS to specific
> servers
> > (internal and/or external) to prevent rogue connections.
> >
> > --
> > Espi
> >
> >
> > On Fri, Oct 16, 2015 at 7:59 PM, Richard Stovall <rich...@gmail.com>
> wrote:
> >>
> >> I had not heard of this before.
> >>
> >> https://zeltser.com/c2-dns-tunneling/
> >>
> >> How in the world can most SMBs ever begin to beat back this kind of
> stuff?
> >
> >
>
>
>

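Added example, not from the thread or from the zeltser.com article it links: Kurt's point is that pinning clients to your own resolvers does not help, because the resolver itself walks the recursion out to the attacker's domain and hands the TXT payload back. What the resolver does give you is a single choke point whose query log you can watch. The script below runs a few simple tunneling heuristics over resolver log lines (per registered domain: query count, unique subdomain count, share of TXT/NULL queries, length and entropy of the encoded labels) and returns the domains worth blocking or investigating. The log format is a constructed, simplified one ("<timestamp> <client_ip> <qtype> <qname>"), the sample lines are constructed, and the registered-domain split is the naive last-two-labels rule (no public suffix list), which is an assumption.

```python
"""Flag DNS tunneling candidates in resolver query logs.

Added example, not from the thread or the linked article. Log format is a
constructed, simplified one: "<timestamp> <client_ip> <qtype> <qname>".
"""
import math
import re
from collections import Counter

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")
BULKY_TYPES = ("TXT", "NULL")   # record types that can carry a large answer payload

# Constructed sample: a few ordinary lookups and a burst of long hex
# subdomain TXT queries against one domain, the shape a tunnel leaves behind.
SAMPLE_LOG = """\
2015-10-16T20:00:01 10.0.0.12 A www.example.com
2015-10-16T20:00:02 10.0.0.12 AAAA mail.example.com
2015-10-16T20:00:02 10.0.0.15 A update.vendor.example
2015-10-16T20:00:03 10.0.0.12 TXT 6a7b3c9d0e1f2a3b4c5d6e7f8091a2b3.c2-example.test
2015-10-16T20:00:03 10.0.0.12 TXT f0e1d2c3b4a5968778695a4b3c2d1e0f.c2-example.test
2015-10-16T20:00:04 10.0.0.12 TXT 1122aabb33cc44dd55ee66ff778899aa.c2-example.test
2015-10-16T20:00:04 10.0.0.12 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0.c2-example.test
2015-10-16T20:00:05 10.0.0.12 TXT 0a1b2c3d4e5f60718293a4b5c6d7e8f9.c2-example.test
2015-10-16T20:00:05 10.0.0.15 A www.example.com
"""


def parse_line(line):
    """Return (timestamp, client, qtype, qname) or None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return ts, client, qtype, qname.rstrip(".").lower()


def shannon_entropy(text):
    """Bits per character: hex/base32 payload labels score near 4, dictionary words lower."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_domain(qname):
    """Naive last-two-labels rule (assumption: no public suffix handling)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def domain_stats(lines):
    """Aggregate per-registered-domain features from the log lines."""
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, _, qtype, qname = rec
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".") if qname != dom else ""
        s = stats.setdefault(dom, {"queries": 0, "bulky": 0, "subdomains": set(),
                                   "label_len": [], "entropy": []})
        s["queries"] += 1
        if qtype in BULKY_TYPES:
            s["bulky"] += 1
        if sub:
            s["subdomains"].add(sub)
            s["label_len"].append(max(len(label) for label in sub.split(".")))
            s["entropy"].append(shannon_entropy(sub.replace(".", "")))
    return stats


def suspicious_domains(lines, min_queries=3, min_label_len=20,
                       min_entropy=3.0, min_bulky_ratio=0.5):
    """Domains whose labels look encoded, or that pull mostly TXT/NULL answers."""
    flagged = []
    for dom, s in domain_stats(lines).items():
        if s["queries"] < min_queries:
            continue
        bulky_ratio = s["bulky"] / s["queries"]
        avg_len = sum(s["label_len"]) / len(s["label_len"]) if s["label_len"] else 0.0
        avg_ent = sum(s["entropy"]) / len(s["entropy"]) if s["entropy"] else 0.0
        encoded_labels = avg_len >= min_label_len and avg_ent >= min_entropy
        bulky_answers = bulky_ratio >= min_bulky_ratio and len(s["subdomains"]) >= min_queries
        if encoded_labels or bulky_answers:
            flagged.append({"domain": dom, "queries": s["queries"],
                            "unique_subdomains": len(s["subdomains"]),
                            "bulky_ratio": round(bulky_ratio, 2),
                            "avg_label_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2)})
    return sorted(flagged, key=lambda r: -r["queries"])


if __name__ == "__main__":
    for row in suspicious_domains(SAMPLE_LOG.splitlines()):
        print(row)
```

The thresholds are starting points, not tuned values: CDNs and some anti-spam services also produce long labels, so in practice you run this over a day of real resolver logs, look at what it flags, and feed confirmed domains into the resolver's block list (the "deny them for known bad domains" option Kurt mentions).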


[NTSysADM] C2 tunneling over DNS

2015-10-16 Thread Richard Stovall
I had not heard of this before.

https://zeltser.com/c2-dns-tunneling/

How in the world can most SMBs ever begin to beat back this kind of stuff?



Re: [NTSysADM] Power company vs fiber company. (OT)

2015-10-14 Thread Richard Stovall
Ha!

(I hope the guy that backhoed the power lines didn't get zapped.)

On Wed, Oct 14, 2015 at 1:37 PM, Kennedy, Jim 
wrote:

>
>
> So the other day the power company was working on the lines to one of our
> buildings and back hoe’d our fiber line.  Today the fiber company is out
> fixing it, they just back hoe’d the power lines.
>



Re: [NTSysADM] E-mail threat protection service for SMBs

2015-10-06 Thread Richard Stovall
Thanks for the replies, everyone.  We are on-premise Exchange, and I don't
see that changing anytime soon.  The Exchange ATP service appears to be the
type of thing I'm looking for, but it's only for hosted customers.  AFAICT,
MX Guarddog only uses signature-based AV, so they're out.  Mimecast and
Proofpoint look worth pursuing.  Thanks again.

On Mon, Oct 5, 2015 at 6:59 PM, Michael Tavares <m...@miketavares.me> wrote:

> Having used EOP for several months, my recommendation would be to look at
> another product.  I have had a lot of malware get through EOP.  Submitted
> samples to MS and they are baffled as to why they get through.   Not sure
> having to pay extra for Exchange Advanced Threat Protection is worth it.
> I have moved on to proofpoint, much better filtering results with them.
>
>
>
> Mike
>
>
>
>
>
> *From:* listsadmin@lists.myitforum.com [mailto:
> listsadmin@lists.myitforum.com] *On Behalf Of *Brian Desmond
> *Sent:* Monday, October 05, 2015 4:47 PM
> *To:* ntsys...@lists.myitforum.com
> *Subject:* RE: [NTSysADM] E-mail threat protection service for SMBs
>
>
>
> *Have you looked at the Exchange Online Protection and Exchange Advanced
> Threat Protection offerings? *
>
>
> *Thanks, Brian*
>
>
>
>
>
> *From:* listsadmin@lists.myitforum.com [
> mailto:listsadmin@lists.myitforum.com <listsadmin@lists.myitforum.com>] *On
> Behalf Of *Richard Stovall
> *Sent:* Monday, October 5, 2015 1:16 PM
> *To:* ntsys...@lists.myitforum.com
> *Subject:* [NTSysADM] E-mail threat protection service for SMBs
>
>
>
> I am looking to add another layer of anti-malware/anti-phishing/anti-spam
> protection to our company's e-mail and am thinking about adding a hosted
> service to the mix.  We have an on-premise Barracuda (which I like and plan
> to keep) and its native abilities combined with some pretty restrictive
> filtering policies have worked well for us.  We've been lucky so far, but
> it requires a lot of manual work to triage quarantined items.
>
>
>
> Ideally I'm looking for a service that actually opens and detonates all
> types of allowed attachments and linked URLs with a view to looking for
> signs of malicious activity.
>
>
>
> Proofpoint Essentials looks interesting.  Are there any others out there I
> should be looking at?
>
>
>
> Also, for those that haven't seen it, there is a very interesting site at
> https://www.reverse.it/ that does fascinating work analyzing uploaded
> files for signs of malware.  Similar to virustotal.com but much more
> analysis rather than just AV results.  They have a solution that I'm
> looking at as well.
>



[NTSysADM] E-mail threat protection service for SMBs

2015-10-05 Thread Richard Stovall
I am looking to add another layer of anti-malware/anti-phishing/anti-spam
protection to our company's e-mail and am thinking about adding a hosted
service to the mix.  We have an on-premise Barracuda (which I like and plan
to keep) and its native abilities combined with some pretty restrictive
filtering policies have worked well for us.  We've been lucky so far, but
it requires a lot of manual work to triage quarantined items.

Ideally I'm looking for a service that actually opens and detonates all
types of allowed attachments and linked URLs with a view to looking for
signs of malicious activity.

Proofpoint Essentials looks interesting.  Are there any others out there I
should be looking at?

Also, for those that haven't seen it, there is a very interesting site at
https://www.reverse.it/ that does fascinating work analyzing uploaded files
for signs of malware.  Similar to virustotal.com but much more analysis
rather than just AV results.  They have a solution that I'm looking at as
well.



Re: [NTSysADM] One hell of a read

2015-10-01 Thread Richard Stovall
Kindle version ordered!

On Thu, Oct 1, 2015 at 12:44 PM, Steven M. Caesare 
wrote:

> Indeed.
>
>
>
> Makes me want to read Cliff Stoll’s “The Cuckoo’s Egg” again…
>
>
>
> -sc
>
>
>
> *From:* listsadmin@lists.myitforum.com [mailto:
> listsadmin@lists.myitforum.com] *On Behalf Of *Andrew S. Baker
> *Sent:* Thursday, October 1, 2015 12:32 PM
> *To:* ntsysadm
> *Cc:* Kurt Buff
> *Subject:* Re: [NTSysADM] One hell of a read
>
>
>
> Very interesting...
>
>
>
> Thanks, Kurt
>
>
>
>
>
>
>
> *ASB**http://XeeMe.com/AndrewBaker* 
> *Providing Virtual CIO Services (IT Operations & Information Security) for
> the SMB market…*
>
> * GPG: *1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A
>
>
>
> On Thu, Oct 1, 2015 at 12:17 PM, Kurt Buff  wrote:
>
> What happened before conficker:
>
> http://blogs.technet.com/b/johnla/archive/2015/09/26/the-inside-story-behind-ms08-067.aspx
>
>
>



Re: [NTSysADM] WSUS settings seem to be repointed to 127.0.0.1 - found the culprit

2015-09-23 Thread Richard Stovall
Excellent.  Good catch.
On Sep 23, 2015 11:16 AM, "Michael Leone"  wrote:

> On Wed, Sep 23, 2015 at 10:21 AM, Michael Leone 
> wrote:
>
> >> Can you throw some security auditing on the key and scour the event
> logs for what is changing it?
>
> Meet the smoking gun ... In the Kaspersky specific event log:
>
> Log Name:  Kaspersky Event Log
> Source:klnagent
> Date:  9/22/2015 10:03:27 AM
> Event ID:  1
> Task Category: None
> Level: Information
> Keywords:  Classic
> User:  N/A
> Computer:  DCTRAPP009.wrk.ads.pha.phila.gov
> Description:
> Switching Windows Update Agent to Kaspersky Security Center mode!
> Event Xml:
> http://schemas.microsoft.com/win/2004/08/events/event;>
>   
> 
> 1
> 4
> 0
> 0x80
> 
> 9792
> Kaspersky Event Log
> DCTRAPP009.wrk.ads.pha.phila.gov
> 
>   
>   
> Switching Windows Update Agent to Kaspersky Security Center
> mode!
>   
> 
>
> Log Name:  Kaspersky Event Log
> Source:klnagent
> Date:  9/22/2015 10:03:27 AM
> Event ID:  1
> Task Category: None
> Level: Information
> Keywords:  Classic
> User:  N/A
> Computer:  DCTRAPP009.wrk.ads.pha.phila.gov
> Description:
> Web address for Windows Update Agent: http://127.0.0.1:1550
> Event Xml:
> http://schemas.microsoft.com/win/2004/08/events/event;>
>   
> 
> 1
> 4
> 0
> 0x80
> 
> 9793
> Kaspersky Event Log
> DCTRAPP009.wrk.ads.pha.phila.gov
> 
>   
>   
> Web address for Windows Update Agent: http://127.0.0.1:1550
> 
>   
> 
>
>
> Log Name:  Kaspersky Event Log
> Source:klnagent
> Date:  9/22/2015 4:29:51 PM
> Event ID:  1
> Task Category: None
> Level: Information
> Keywords:  Classic
> User:  N/A
> Computer:  DCTRAPP009.wrk.ads.pha.phila.gov
> Description:
> Windows Update Agent has been switched out of Security Center mode.
> Default settings of Windows Update Agent have been restored.
> Event Xml:
> http://schemas.microsoft.com/win/2004/08/events/event;>
>   
> 
> 1
> 4
> 0
> 0x80
> 
> 9807
> Kaspersky Event Log
> DCTRAPP009.wrk.ads.pha.phila.gov
> 
>   
>   
> Windows Update Agent has been switched out of Security
> Center mode. Default settings of Windows Update Agent have been
> restored.
>   
> 
>
> So I still don't know WHY it did it, but I have proof as to WHO (well,
> WHAT) did it ... it was Kaspersky AV ...
>
>
>



Re: [NTSysADM] IE10, Intranet Zone and SSO

2015-09-22 Thread Richard Stovall
Is there anything else like ADFS in the mix?
On Sep 22, 2015 9:42 PM, "Webster"  wrote:

> Helping a customer with the last issues in moving from old Citrix XenApp 5
> on Server 2003 to XenApp 7.6 running on Server 2012 (not R2). Their
> consultant quit on them after 3 weeks on the project and I was asked to
> help get the project completed. They have a web app that requires IE10 that
> is why Server 2012.
>
>
>
> They want to use SSO so I have created a User GPO that puts the site in
> the Intranet zone (Value = 1) with http://*.appsite.com. The policy also
> has logon with username and password and I have also tried just logon in
> intranet zone. I have also tried setting a preference for turning off
> integrated windows auth (as suggested by a couple of google hits).
>
>
>
> So far, no combination of settings is allowing SSO to work. The site does
> appear in the intranet zone and if I right-click, Properties on the page,
> it shows as Intranet zone.
>
>
>
> If I have "enable integrated windows auth" unselected, I get "The server
> xxx at SSO requires a username and password. Warning: This server is
> requesting that your username and password be sent in an insecure manner".
>
>
>
> If I have "enable integrated windows auth" selected, I get the app's login
> dialog.
>
>
>
> When I google "ie 10 intranet zone auto logon", I have tried the first 20
> suggestions and no combination of GPO settings has worked yet. What am I
> missing?
>
>
>
> Thanks
>
>
>
>
>
> Webster
>
>
>



Re: [NTSysADM] WSUS settings seem to be repointed to 127.0.0.1

2015-09-22 Thread Richard Stovall
Are you seeing the behavior where at
HKLM\Software\Policies\Microsoft\Windows\ you have more than one
WindowsUpdate key?  (One just WindowsUpdate and one WindowsUpdate-{GUID}?)

On Tue, Sep 22, 2015 at 4:17 PM, Michael Leone <oozerd...@gmail.com> wrote:

> On Tue, Sep 22, 2015 at 4:11 PM, Richard Stovall <rich...@gmail.com>
> wrote:
> > If you Google for http://127.0.0.1:1550 you'll see that you're not the
> first
> > person to see this exact behavior.  Scanning some of the results didn't
> > point to an exact cause (that I saw, anyway), but it may be useful in
> your
> > search.
>
> Oh, yes, I've been Googling most of the afternoon. :-) I found no
> cause, I found no cure ...
>
>
> >
> > On Tue, Sep 22, 2015 at 3:55 PM, Michael Leone <oozerd...@gmail.com>
> wrote:
> >>
> >> This is weird. I am noticing that a number of my clients of my WSUS
> >> 3.0 SP 2 server seem to be having their registry settings for the WSUS
> >> server to use, being reset.
> >>
> >> I assign the WSUS server via GPO, and this has been working fine for
> >> years. Now, however, I noticed the WSUS console indicates that some
> >> clients need a lot more updates than they should. Examining the
> >> clients, and looking at the reg key
> >>
> >> HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
> >>
> >> that "WUServer" and "WUStatusServer" are both set to
> >> "http://127.0.0.1:1550".
> >>
> >> Additionally, there is a new key
> >>
> >>
> >>
> HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate-{601C5C5E-2C8F-4507-B11C-CE0EC46C42F4}
> >>
> >> with the correct settings that point to my WSUS server.
> >>
> >> I tried changing the key back to my server name, and in a few seconds,
> >> it reverts back to "http://127.0.0.1:1550".
> >>
> >> The GPO is set correctly. DNS is resolving for that name. Doing a
> >>
> >> http://wsus-server/selfupdate/wuident.cab
> >>
> >> does give me the wuident.txt file.
> >>
> >> So what's going on here? It seems weird to be malware, and I got no
> >> alerts from our AV. On the affected clients, doing a check for windows
> >> updates does come back and say that there are updates waiting ...
> >>
> >> Going to http://127.0.0.1:1550 gives me this:
> >>
> >> 
> >> - >>
> >> xmlns:wusWebServiceSoap12="
> http://www.microsoft.com/SoftwareDistribution/WebServiceSoap12;
> >>
> >> xmlns:wusWebServiceSoap="
> http://www.microsoft.com/SoftwareDistribution/WebServiceSoap;
> >>
> >> xmlns:wusSoftwareDistribution="
> http://www.microsoft.com/SoftwareDistribution;
> >>
> >> xmlns:wusSimpleAuthSoap12="
> http://www.microsoft.com/SoftwareDistribution/Server/SimpleAuthWebService/SimpleAuthSoap12
> "
> >>
> >> xmlns:wusSimpleAuthWebService="
> http://www.microsoft.com/SoftwareDistribution/Server/SimpleAuthWebService;
> >>
> >> xmlns:wusSimpleAuthSoap="
> http://www.microsoft.com/SoftwareDistribution/Server/SimpleAuthWebService/SimpleAuthSoap
> "
> >>
> >> xmlns:wusServerSyncProxySoap12="
> http://www.microsoft.com/SoftwareDistribution/ServerSyncProxySoap12;
> >>
> >> xmlns:wusServerSyncProxySoap="
> http://www.microsoft.com/SoftwareDistribution/ServerSyncProxySoap;
> >>
> >> xmlns:wusDssAuthWebServiceSoap12="
> http://www.microsoft.com/SoftwareDistribution/Server/DssAuthWebService/DssAuthWebServiceSoap12
> "
> >>
> >> xmlns:wusIMonitorable="
> http://www.microsoft.com/SoftwareDistribution/Server/IMonitorable;
> >>
> >> xmlns:wusDssAuthWebServiceSoap="
> http://www.microsoft.com/SoftwareDistribution/Server/DssAuthWebService/DssAuthWebServiceSoap
> "
> >>
> >> xmlns:wusDssAuthWebService="
> http://www.microsoft.com/SoftwareDistribution/Server/DssAuthWebService;
> >>
> >> xmlns:wusClientSoap12="
> http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/ClientSoap12
> "
> >>
> >> xmlns:wusClientWebService="
> http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService;
> >>
> >> xmlns:wusClientSoap="
> http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/ClientSoap
> "
> >> xmlns:wusTypes="http://microsoft.com/wsdl/types/;
> >> xmlns:aklwngt="http://tempuri.org/aklwngt.xsd;
> >> xmlns:param="http://tempuri; xmlns:ns="urn:person"
> >> xmlns:xsd="http://www.w3.org/2001/XMLSchema;
> >> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;
> >> xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/;
> >>
> >> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/
> ">-- >>
> >> SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/
> ">SOAP-ENV:ClientHTTP
> >> Error: 404 Not
> >> Found
> >>
> >>
> >> And that all looks like legit Microsoft sites, to me.
> >>
> >>
> >
>
>
>
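Added example (not from the thread): the symptom described above, the WindowsUpdate policy key holding WUServer/WUStatusServer of http://127.0.0.1:1550 while a WindowsUpdate-{GUID} sibling carries the real WSUS settings, is what a third-party agent leaves behind when it swaps the Windows Update Agent to its own local proxy (the follow-up in this thread traced it to klnagent). The script below audits those keys: on Windows, read_policy_keys() pulls them live via winreg; check_policy_keys() is a pure function so it can be tried against the constructed sample mapping, which mirrors the values quoted in the thread. The expected WSUS host name is a parameter you supply.

```python
"""Audit the Windows Update policy keys for hijacked WUServer values.

Added example, not from the thread. On Windows it reads the live registry via
winreg; check_policy_keys() is pure so it can be exercised with constructed data.
"""
import re
import sys
from urllib.parse import urlsplit

POLICY_PATH = r"SOFTWARE\Policies\Microsoft\Windows"
GUID_SUFFIX = re.compile(r"^WindowsUpdate-\{[0-9A-Fa-f-]{36}\}$")
LOOPBACK = ("127.0.0.1", "localhost", "::1")

# Constructed sample mirroring the thread: the policy key hijacked to a local
# port, and a GUID-suffixed sibling still holding the GPO-assigned server.
SAMPLE_KEYS = {
    "WindowsUpdate": {
        "WUServer": "http://127.0.0.1:1550",
        "WUStatusServer": "http://127.0.0.1:1550",
    },
    "WindowsUpdate-{601C5C5E-2C8F-4507-B11C-CE0EC46C42F4}": {
        "WUServer": "http://wsus-server",
        "WUStatusServer": "http://wsus-server",
    },
}


def read_policy_keys():
    """Collect every WindowsUpdate* key under the policy path as {key: {value: data}} (Windows only)."""
    import winreg  # standard library on Windows, absent elsewhere
    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_PATH) as base:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(base, i)
            except OSError:            # no more subkeys
                break
            i += 1
            if name != "WindowsUpdate" and not GUID_SUFFIX.match(name):
                continue
            values = {}
            with winreg.OpenKey(base, name) as key:
                j = 0
                while True:
                    try:
                        vname, vdata, _ = winreg.EnumValue(key, j)
                    except OSError:    # no more values
                        break
                    j += 1
                    values[vname] = vdata
            found[name] = values
    return found


def check_policy_keys(keys, expected_host):
    """Return a list of human-readable findings; an empty list means the keys look right."""
    findings = []
    if "WindowsUpdate" not in keys:
        findings.append("no WindowsUpdate policy key: GPO-assigned WSUS server is not applied")
    for name, values in keys.items():
        if GUID_SUFFIX.match(name):
            findings.append(f"{name}: extra GUID-suffixed policy key "
                            "(a third-party agent may have swapped the policy)")
        for vname in ("WUServer", "WUStatusServer"):
            url = values.get(vname)
            if url is None:
                if name == "WindowsUpdate":
                    findings.append(f"{name}\\{vname}: missing")
                continue
            host = (urlsplit(str(url)).hostname or "").lower()
            if host in LOOPBACK:
                findings.append(f"{name}\\{vname}: points at loopback ({url})")
            elif host != expected_host.lower():
                findings.append(f"{name}\\{vname}: unexpected server {host} (expected {expected_host})")
    return findings


if __name__ == "__main__":
    expected = sys.argv[1] if len(sys.argv) > 1 else "wsus-server"   # hypothetical host name
    keys = read_policy_keys() if sys.platform == "win32" else SAMPLE_KEYS
    for finding in check_policy_keys(keys, expected) or ["no findings"]:
        print(finding)
```

Run it from the WSUS console's point of view: a client that keeps reporting the wrong server, or drops off the console, gets this check alongside a look at whichever agent (here klnagent) logs a "switching Windows Update Agent" event at the same timestamp the key changed.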



Re: [NTSysADM] Meraki speed problems

2015-08-24 Thread Richard Stovall
My experience with a free Meraki AP was not good.

On Mon, Aug 24, 2015 at 2:51 PM, John Gwinner jgwin...@dazsi.com wrote:

> Folks:
>
>
> The owners are NOT happy about our Meraki wireless. I had the splash page
> turned on for a while and this seemed to confuse them, but I disabled that
> and they still complain about “it doesn’t work”. I haven’t been able to get
> my tech support guy on their laptops (Mac’s) to take a look, but I went on
> the wireless (my office is next door to one owner) and it worked OK
>
>
>
> I did notice a few sporadic slow-downs occasionally.
>
>
>
> I’m wondering if the cloud management stuff means if the Meraki web site
> is busy, the user workstation gets a slowdown
>
>
>
> Has anyone else noticed that?
>
>
>
> Wireless strength and connectivity is fine, but I do notice a lot of
> ‘disconnect’ events from their laptops. I opened a Meraki ticket and they
> basically thought it was the laptop – but their laptops are fine (they work
> well at their home apparently).
>
> == John ==




Re: [NTSysADM] Fwd: Win 2012 client registration problems to WSUS v3 Win 2008 server

2015-08-05 Thread Richard Stovall
Are these new machines from a cloned image?

On Wed, Aug 5, 2015 at 10:35 AM, Michael Leone oozerd...@gmail.com wrote:

 I have a WSUS v3.2.7600.226 server, running on Win 2008 R2. It has
 150+ clients, including some Win 2012 R2 clients. All has been working
 fine for a few years. Now I am seeing an odd problem.

 Yesterday I created 2 new Win 2012 R2 clients, and Group Policy set
 them to use the WSUS server, as usual. But the odd thing: Only 1
 client at a time shows up, they both won't show at the same time.

 Here's what I mean: 2 clients, SERVER8 and SERVER9. Neither was
 showing up in the All Computers group, so I went to each, restarted
 the BITS and Windows Update service, and issued a wuauclt
 /resetauthorization /detectnow. This is what I usually do for Win
 2008 R2 clients, who are having problems communicating with the WSUS
 server.

 So I did that on SERVER8, and it then showed up in WSUS. I then did
 the same on SERVER9. Oddly, SERVER8 then disappeared from WSUS, and
 SERVER9 showed up.

 It's like I can have one or the other, but not both at the same time. :-)

 DNS is correct, each shows the proper IP address (when it does show
 up). I see nothing in the Windows Event Logs of the WSUS server. I
 don't see any errors in the WindowsUpdate.log file of the server. And
 I see no errors in that file on the clients - in fact, I see things
 like 4 updates detected, but nothing after to indicate why it's
 dropping off the list.

 Ideas? Where to go next?
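
Richard's question is the right first check. WSUS identifies a client by the SusClientId value in its registry, and machines deployed from an image that was not generalized all carry the same one, so the console only ever shows whichever of them reported last. The script below is an added example, not something posted in the thread. It assumes WinRM access to the clients as a local administrator; SERVER8 and SERVER9 are the names from Michael's post. It compares the IDs first, so the reset is only run on machines that actually collide.

```powershell
# Added example, not from the thread. Assumes WinRM is enabled on the clients and that the
# account running it is a local administrator on each of them.

function Get-WsusClientId {
    # One row per computer: the identity WSUS keys on, plus the server and target group it was told to use.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $id  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' -ErrorAction SilentlyContinue
        $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            SusClientId = $id.SusClientId
            WUServer    = $pol.WUServer
            TargetGroup = $pol.TargetGroup
        }
    } | Select-Object Computer, SusClientId, WUServer, TargetGroup
}

function Find-DuplicateWsusClientId {
    # Groups the inventory by SusClientId and returns only the IDs shared by more than one computer.
    param([Parameter(Mandatory)][object[]]$Inventory)
    $Inventory | Where-Object { $_.SusClientId } |
        Group-Object -Property SusClientId |
        Where-Object { $_.Count -gt 1 }
}

function Reset-WsusClientId {
    # Stops the update services, removes the identity values, restarts them and forces a new check-in.
    # A fresh SusClientId is generated on that check-in, so each machine registers as itself.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
        Stop-Service -Name wuauserv, bits -Force
        foreach ($name in 'SusClientId', 'SusClientIdValidation', 'PingID', 'AccountDomainSid') {
            Remove-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        }
        Start-Service -Name bits, wuauserv
        # Same two switches Michael already runs by hand.
        & wuauclt.exe /resetauthorization /detectnow
        "$($env:COMPUTERNAME): identity cleared, waiting for next detection cycle"
    }
}

# Usage: inventory first, reset only the machines that share an ID.
$inventory = Get-WsusClientId -ComputerName 'SERVER8', 'SERVER9'
$inventory | Format-Table -AutoSize
foreach ($dupe in Find-DuplicateWsusClientId -Inventory $inventory) {
    $machines = $dupe.Group | ForEach-Object { $_.Computer }
    "SusClientId $($dupe.Name) is shared by: $($machines -join ', ')"
    Reset-WsusClientId -ComputerName $machines
}
```

If the inventory shows two different SusClientId values, the cloned-image explanation is ruled out and the next place to look is the WSUS server's SoftwareDistribution.log rather than the clients.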






RE: [NTSysADM] Happy SysAdmin day!

2015-07-31 Thread Richard Stovall
That doesn't start with B.
On Jul 31, 2015 6:25 PM, John Matteson john.matte...@gmail.com wrote:

 Pay Raise.



 *From:* listsadmin@lists.myitforum.com [mailto:
 listsadmin@lists.myitforum.com] *On Behalf Of *Richard Stovall
 *Sent:* Friday, July 31, 2015 1:11 PM
 *To:* ntsys...@lists.myitforum.com
 *Subject:* Re: [NTSysADM] Happy SysAdmin day!



 There is a GLARING omission in the list of proper things to do.



 ---



 Proper observation of SysAdmin Day includes (but is not limited to):

    - Cake & Ice cream
- Pizza
- Cards
- Gifts
- Words of gratitude
- Custom t-shirts celebrating the epic greatness of your SysAdmin(s)
- Balloons
- Streamers
- Confetti



 On Fri, Jul 31, 2015 at 9:55 AM, Maglinger, Paul pmaglin...@scvl.com
 wrote:

  http://sysadminday.com/

 -Paul






Re: [NTSysADM] Happy SysAdmin day!

2015-07-31 Thread Richard Stovall
There is a GLARING omission in the list of proper things to do.

---

Proper observation of SysAdmin Day includes (but is not limited to):

   - Cake & Ice cream
   - Pizza
   - Cards
   - Gifts
   - Words of gratitude
   - Custom t-shirts celebrating the epic greatness of your SysAdmin(s)
   - Balloons
   - Streamers
   - Confetti


On Fri, Jul 31, 2015 at 9:55 AM, Maglinger, Paul pmaglin...@scvl.com
wrote:

  http://sysadminday.com/

 -Paul






Re: [NTSysADM] Windows Server 2012 keeps crashing intermittently

2015-07-15 Thread Richard Stovall
What about his DriverView utility?  Have you looked at the loaded drivers?
There shouldn't be too much other than MS stuff on a VM.

http://www.nirsoft.net/utils/driverview.html


On Wed, Jul 15, 2015 at 3:35 PM, Pierre-Marie Camilleri 
pmcamill...@laferla.com.mt wrote:

  The problem is that no dmp file is being generated when the BSOD occurs.
  --
 *From:* listsadmin@lists.myitforum.com [listsadmin@lists.myitforum.com]
 on behalf of Susan Bradley [sbrad...@pacbell.net]
 *Sent:* 15 July 2015 19:06
 *To:* ntsys...@lists.myitforum.com
 *Subject:* Re: [NTSysADM] Windows Server 2012 keeps crashing
 intermittently

  http://www.nirsoft.net/utils/blue_screen_view.html
 Used that?

  On 7/15/2015 10:00 AM, Pierre-Marie Camilleri wrote:

 Hi Peter. All I see in the BSOD is CRITICAL_PROCESS_DIED but what that
 process is, I have no idea.
 The server is still running (6+ hrs). Hope it remains so during the night.
  --
 *From:* listsadmin@lists.myitforum.com [listsadmin@lists.myitforum.com]
 on behalf of Boyles, Peter J {BIS} [peter.j.boy...@pepsico.com]
 *Sent:* 15 July 2015 17:59
 *To:* ntsys...@lists.myitforum.com
 *Subject:* RE: [NTSysADM] Windows Server 2012 keeps crashing
 intermittently

   Depending on the process, disk writing may have stopped and no dump or
 event log entry created.  Are there any clues on the STOP screen as to
 which process stopped?





 *Peter Boyles *

 *BIS Engineering Analyst *

 *PepsiCo Inc. | Global End User Services | GEUS Deploy *

 *SM:  Issues:  **GEUS DEVICE L2 SUPPORT*

 *  Requests:  **MIGRATION AND DISTRIBUTION*

 *Office: (972) 963-6578* | E-Mail: *peter.j.boy...@pepsico.com*



 *From:* listsadmin@lists.myitforum.com [
 mailto:listsadmin@lists.myitforum.com listsadmin@lists.myitforum.com] *On
 Behalf Of *Pierre-Marie Camilleri
 *Sent:* Wednesday, July 15, 2015 10:10 AM
 *To:* ntsys...@lists.myitforum.com
 *Subject:* RE: [NTSysADM] Windows Server 2012 keeps crashing
 intermittently



 Yes, because the Write debugging information is set to Automatic memory
 dump.
  --

 *From:* listsadmin@lists.myitforum.com [listsadmin@lists.myitforum.com]
 on behalf of James Rankin [james.ran...@talosys.co.uk]
 *Sent:* 15 July 2015 16:49
 *To:* ntsys...@lists.myitforum.com
 *Subject:* RE: [NTSysADM] Windows Server 2012 keeps crashing
 intermittently

 Is the system configured to write a dump file?



 *From:* listsadmin@lists.myitforum.com [
 mailto:listsadmin@lists.myitforum.com listsadmin@lists.myitforum.com] *On
 Behalf Of *Pierre-Marie Camilleri
 *Sent:* 15 July 2015 15:45
 *To:* ntsys...@lists.myitforum.com
 *Subject:* RE: [NTSysADM] Windows Server 2012 keeps crashing
 intermittently



 Tried looking for a dmp file but found nothing which is strange.
  --

 *From:* listsadmin@lists.myitforum.com [listsadmin@lists.myitforum.com]
 on behalf of Susan Bradley [sbrad...@pacbell.net]
 *Sent:* 15 July 2015 15:42
 *To:* ntsys...@lists.myitforum.com
 *Subject:* Re: [NTSysADM] Windows Server 2012 keeps crashing
 intermittently

 Is there a dmp file on the system and have you run it through nirsoft's
 bsod tool?

  On 7/15/2015 6:13 AM, Pierre-Marie Camilleri wrote:

  Hi Andrew

 Thanks for replying.  It's Hyper 2008 R2 and the VM is Windows 2012
 Standard Edition. When looking at the Event log I see reference to Kernel
 Power. But not very informative as to what is causing it.





 Sent from Samsung Mobile



  Original message 
 From: Andrew S. Baker
 Date:15/07/2015 14:43 (GMT+01:00)
 To: ntsysadm
 Subject: Re: [NTSysADM] Windows Server 2012 keeps crashing intermittently

 Is the host running Hyper-V 2012-R2 or 2008-R2?



 And is the VM running 2012 or 2012-R2?



 Any other event log messages?








 *ASB* http://XeeMe.com/AndrewBaker
 *Providing Virtual CIO Services (IT Operations & Information Security) for
 the SMB market…*





 On Wed, Jul 15, 2015 at 6:44 AM, Pierre-Marie Camilleri 
 pmcamill...@laferla.com.mt wrote:



 Hi all



 Lately we have been experiencing a strange issue with one of our Windows
 servers. It keeps crashing intermittently with a BSOD reporting
 CRITICAL_PROCESS_DIED. This seems to be a very generic error message and
 have tried researching it on the net to see what could be causing this.

 But no success. This Windows 2012 server is running as a VM under Hyper-V
 R2. I’ve excluded hardware issues because all our other VMs are working
 well without any issues at all. The only difference is that they are
 running Windows Server 2008 R2. I cannot understand why this is happening.
 Could it be that the OS has become corrupted due to a MS update? Has anyone
 encountered this before? Any further help on this would be appreciated.



 TIA

 Pierre
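
Two things in this thread can be checked from the shell rather than by eye: whether the VM is actually in a position to write the dump it is configured for (Peter's point that disk writes may already have stopped when the critical process dies), and which non-Microsoft drivers are loaded (Richard's DriverView suggestion). The script below is an added example and is not part of the thread; run it elevated on the crashing guest. The registry values and event IDs are the standard Windows ones and nothing in it is specific to Pierre's environment.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the crashing VM.

function Get-CrashDumpConfig {
    # CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small, 7 = automatic.
    # Kernel and automatic dumps are written through the pagefile on the system drive, so a missing or
    # undersized pagefile there, or a full drive, gives exactly the symptom in the thread: BSOD, no .dmp.
    $cc    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $pf    = Get-CimInstance -ClassName Win32_PageFileUsage
    $sys   = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $dumps = @(Get-ChildItem -Path $env:SystemRoot, "$env:SystemRoot\Minidump" -Filter '*.dmp' -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        CrashDumpEnabled         = $cc.CrashDumpEnabled
        DumpFile                 = $cc.DumpFile
        DedicatedDumpFile        = $cc.DedicatedDumpFile   # setting this forces a dump even with a tiny pagefile
        AutomaticManagedPagefile = $cs.AutomaticManagedPagefile
        PageFiles                = ($pf | ForEach-Object { "$($_.Name) $($_.AllocatedBaseSize)MB" }) -join '; '
        SystemDriveFreeGB        = [math]::Round($sys.FreeSpace / 1GB, 1)
        DumpsFound               = ($dumps | ForEach-Object { "$($_.FullName) ($($_.LastWriteTime))" }) -join '; '
    }
}

function Get-RecentCrashEvents {
    # Kernel-Power 41 is logged on every unclean restart; its BugcheckCode is 0 when Windows never got to
    # record a bugcheck, which is what "BSOD on screen, nothing on disk" looks like in the System log.
    # BugCheck 1001 appears only after a dump was actually saved and carries the stop code and dump path.
    param([int]$Days = 7)
    $since  = (Get-Date).AddDays(-$Days)
    $events = @()
    $events += Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Power'; Id = 41; StartTime = $since } -ErrorAction SilentlyContinue
    $events += Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'; Id = 1001; StartTime = $since } -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time         = $e.TimeCreated
            Id           = $e.Id
            BugcheckCode = $data['BugcheckCode']          # 41 only; 239 (0xEF) is CRITICAL_PROCESS_DIED
            Summary      = ($e.Message -split "`r?`n")[0]
        }
    }
    $rows | Sort-Object Time
}

function Get-NonMicrosoftDrivers {
    # What Richard suggested checking with DriverView, from the shell: every running kernel driver whose
    # file is not signed by Microsoft. On a Hyper-V guest the remainder should be a very short list.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
        # PathName comes back as \??\C:\..., \SystemRoot\..., or a path relative to the Windows directory.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($path -and -not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
        $sig    = if ($path -and (Test-Path -LiteralPath $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $status = if ($sig) { $sig.Status } else { 'FileNotFound' }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        [pscustomobject]@{ Name = $_.Name; Path = $path; Status = $status; Signer = $signer }
    } | Where-Object { $_.Signer -notmatch 'O=Microsoft Corporation' } | Sort-Object Name
}

Get-CrashDumpConfig | Format-List
Get-RecentCrashEvents -Days 14 | Format-Table -AutoSize
Get-NonMicrosoftDrivers | Format-Table Name, Status, Signer, Path -AutoSize
```

If CrashDumpEnabled is 7 but the pagefile is not on the system drive, or the drive is nearly full, fix that before chasing the stop code; until a .dmp is written, BlueScreenView has nothing to show.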












Re: [NTSysADM] Flash update and WSUS

2015-07-11 Thread Richard Stovall
Wow.  I have been updating Flash, Java, etc. with a Kace K1000, which is,
to say the least, a PITA.  I just did it with Ninite Pro in a few minutes
and saved a boatload of time.  I am absolutely going to subscribe.  Thank
you for the tip.

On Thu, Jul 9, 2015 at 7:55 AM, Kennedy, Jim kennedy...@elyriaschools.org
wrote:

  Ninite is very good, used it for a long time. Switched recently to
 PDQDeploy, take a look at that one too. I am loving it.



 http://www.adminarsenal.com/pdq-deploy



 When Flash dropped I went in, right clicked it and hit deploy. Minutes
 later any computer that was on had the new Flash.



 *From:* listsadmin@lists.myitforum.com [mailto:
 listsadmin@lists.myitforum.com] *On Behalf Of *Gavin Wilby
 *Sent:* Thursday, July 9, 2015 6:29 AM

 *To:* 'ntsys...@lists.myitforum.com'
 *Subject:* RE: [NTSysADM] Flash update and WSUS



 Check out Ninite Pro (http://www.ninite.com)



 I’m trialling it right now and works as advertised.



 *Gavin Wilby*

 *IT Support Engineer*



 *From:* listsadmin@lists.myitforum.com [
 mailto:listsadmin@lists.myitforum.com listsadmin@lists.myitforum.com] *On
 Behalf Of *Damien Solodow
 *Sent:* 08 July 2015 23:08
 *To:* ntsys...@lists.myitforum.com
 *Subject:* RE: [NTSysADM] Flash update and WSUS



 SCUP does. :)



 DAMIEN SOLODOW

 Senior Systems Engineer

 317.447.6033 (office)

 317.447.6014 (fax)

 HARRISON COLLEGE



 *From:* listsadmin@lists.myitforum.com [
 mailto:listsadmin@lists.myitforum.com listsadmin@lists.myitforum.com] *On
 Behalf Of *Daniel Chenault
 *Sent:* Wednesday, July 8, 2015 6:06 PM
 *To:* ntsys...@lists.myitforum.com
 *Subject:* RE: [NTSysADM] Flash update and WSUS



 Local Update Publisher does not run on 64b 2012 w/.NET 4.0. :(
  --

 From: dani...@hotmail.com
 To: ntsys...@lists.myitforum.com
 Subject: [NTSysADM] Flash update and WSUS
 Date: Wed, 8 Jul 2015 14:46:52 -0700

 I was looking for a way to push the latest Flash update to my workstations
 and found the below:


 http://windowsitpro.com/article/patch-management/Secure-non-Microsoft-applications-by-publishing-3rd-party-updates-to-WSUS-129241

 Installing it now. Seems pretty straightforward.

 SMP Partners Limited, SMP Trustees Limited and SMP Fund Services Limited
 are licensed by the Isle of Man Financial Supervision Commission. SMP
 Accounting & Tax Limited is a member of the ICAEW Practice Assurance Scheme.

 SMP Partners Limited registered in the Isle of Man, Company Registration
 No: 000908V
 Directors: M.W. Denton, M.J. Derbyshire, S.E McGowan, O. Peck, J.J. Scott,
 S.J. Turner

 SMP Trustees Limited registered in the Isle of Man, Company Registration
 No: 068396C
 Directors: A.C. Baggesen, M.W. Denton, O. Peck, J.J. Scott, J. Watterson,
 J. Cubbon

 SMP Fund Services Limited registered in the Isle of Man, Company
 Registration No: 120288C
 Directors: V. Campbell, M.W. Denton, D.A. Manser, S.E McGowan,  J.J.
 Scott, R.K. Corkill

 SMP Accounting & Tax Limited registered in the Isle of Man, Company
 Registration No: 001316V
 Directors: I.F. Begley,  A.J. Dowling, P. Duchars, J.J. Scott, S.J. Turner

 SMP Capital Markets Limited registered in the Isle of Man, Company
 Registration No: 002438V
 Directors: M.W. Denton, M.J. Derbyshire, D.F Hudson, S.E McGowan, O. Peck,
 J.J. Scott.

 SMP Partners Limited, SMP Trustees Limited, SMP Fund Services Limited, SMP
 Accounting & Tax Limited and SMP Capital Markets Limited are members of the
 SMP Partners Group of Companies.



 This email is confidential and is subject to disclaimers. Details can be
 found at: http://www.smppartners.com/disclaimer.html
 __
 This email has been scanned by the Symantec Email Security.cloud service.
 For more information please visit http://www.symanteccloud.com
 __




Re: [NTSysADM] Opinions on the Best wireless - Meraki | Ruckus | Cisco | Aruba | other?

2015-07-01 Thread Richard Stovall
I have installed Ubiquiti Unifi APs at home and at a club I belong to.
Been great so far.  I absolutely recommend trying them out.  The 802.11n
devices are dirt cheap ($70 for one or $195 for three at Amazon).  Well
worth testing in a lab.  You also don't have a hardware controller with
Ubiquiti.  It's a software application that doesn't even have to be running
all the time.  The only thing to remember about Ubiquiti's Unifi APs is
that they do not use standard PoE.  It's a lower power protocol that
requires special PoE switches.

And definitely don't fear Ruckus.  I have a friend in Richmond (where I
also live) who is a Ruckus reseller and he loves them.  Very good gear from
what I understand.  Nova Swimming has Ruckus, and I believe they handle all
the guest devices at a big swim meet with no problem.

On Wed, Jul 1, 2015 at 7:40 PM, Derrenbacker, L. Jonathan 
jderrenbac...@keitercpa.com wrote:

  Some really great thoughts here. Thanks everyone!
 Keep it coming if anyone has more input.
 Also, for those running 802.11ac(both APs and clients), what speed are you
 seeing?

 Just to reply to some of the questions and comments:

 Two strikes, and Meraki is out.
 They have the ability to shut down your infrastructure.
 They host the web site that controls your infrastructure.

 I agree, that does bother me.


 Doesn't Meraki automatically update units, without any real reporting
 behind it?

 One thing that bothers me about auto-firmware updates is what if someone
 hacked Meraki, planted 'special' firmware and set APs to upgrade to it. Is
 that not possible? From a hackers point of view, they hack 1 company and
 then get access to 10's of thousands of companies. In the traditional
 world, if someone hacked Cisco and uploaded some bad ios images, they might
 get 50 guys upgrading that day who don't already have the code downloaded.
 But if all Meraki APs call home every day? I'm sure it's extremely unlikely
 though.


 What are the features that you're looking for?

 #1 is security. I want something that's as secure as wireless can be. I'm
 thinking it will at a minimum tie into Radius with AD authentication and
 certificates. I'm still learning wireless security(have AD/Radius/PKI setup
 in the lab right now), so any insight is more than welcome.
 #2 is speed. Most of our apps are written to be used on high speed
 LANs(bandwidth hogs), so the faster the better.
 Related to that, about 1/3rd of end-user laptops will be 802.11ac this
 year, and 100% within 2 years.


 Take a look at Ubiquiti https://www.ubnt.com/enterprise/
 We are replacing Cisco at %dayjob% with this. I have used this elsewhere
 as well with good results.

 Looks like a lot of people are saying to try Ubiquiti. Are there any
 features missing in Ubiquiti that you had with Cisco?


 I have experience with Ruckus, Cisco, and HP – Ruckus does its job very
 well at a good price point, it has a lot of features, and easy to use.
 Cisco is absolutely rock solid (you could stake your job on its
 reliability) but you do pay for it up front and with SmartNET.
 I’d recommend getting some demo equipment, play with it, see what you
 like and what you don’t.  Some like it more technical, others more
 point-and-click easy.

 Thanks, that's good to hear. I had never heard of Ruckus until yesterday.
 Seems like almost no one has heard of them which makes me nervous.
 Speaking of demo gear, I’m collecting it now. I just got a demo Ruckus AP
 and controller in the mail today and I have a Meraki M34 on its way. We'll
 see…




 Thanks everyone,
 Jon



 *Jon Derrenbacker | CISSP | Sr. Systems Engineer | Manager | Keiter *4401
 Dominion Boulevard, 2nd Floor, Glen Allen, VA 23060
 phone: 804-273-6221 | fax: 804-747-3632 | *keitercpa.com*
 http://www.keitercpa.com/
 *Encrypted File Upload*
 https://keitercpa.sharefile.com/r/rff820ebe11a43e38

 *Experience* |  *Knowledge* | *Relationships** |* *Insight*
 *Unless the above message (“this message”) expressly provides that the
 statements contained therein and in any attachments thereto (“the
 statements”) are intended to constitute written tax advice within the
 meaning of IRS Circular 230 § 10.37, the sender intends by this message  to
 communicate general information for discussion purposes only, and you
 should not, therefore, interpret the statements to be written tax advice or
 rely on the statements for any purpose.  The sender will conclude that you
 have understood and acknowledged this important cautionary notice unless
 you communicate to the sender any questions you may have in a direct
 electronic reply to this message.*
 Note: This communication, including any attachments, may contain
 privileged or other confidential information.  If you are not the intended
 recipient, or believe you have received this communication in error, do not
 print, copy, retransmit, disseminate, or otherwise use the information
 contained within.  Any unauthorized review, use, disclosure, or
 distribution is prohibited.  If 

Re: [NTSysADM] RE: Script to fine Group policies referencing a topic

2015-06-26 Thread Richard Stovall
It hurts in your A, not your chest?

That's so weird...

On Fri, Jun 26, 2015 at 1:39 PM, Kurt Buff kurt.b...@gmail.com wrote:

 :)

 I've actually been looking at that article for a couple of days, but
 haven't gotten far with it.

 --

 Still kinda weak after being out of work for 3 days with some kinda
 upper respiratory infection. Coughing, etc. - Major PITA...

 Kurt

 On Fri, Jun 26, 2015 at 10:04 AM, David McSpadden dav...@imcu.com wrote:
  Ok, I didn't get the pebble from your hand, master, your Google-Fu is
 great and mine is weak..
  I will strive to be better...
  :-)
 
 
  -Original Message-
  From: listsadmin@lists.myitforum.com [mailto:
 listsadmin@lists.myitforum.com] On Behalf Of Kurt Buff
  Sent: Friday, June 26, 2015 1:03 PM
  To: ntsysadm
  Subject: Re: [NTSysADM] RE: Script to fine Group policies referencing a
 topic
 
 
  https://duckduckgo.com/?q=powershell+search+group+policy+for+a+particular+setting&t=ffab
 
  On Fri, Jun 26, 2015 at 9:48 AM, David McSpadden dav...@imcu.com
 wrote:
  Kurt you are joking right.
  That is exactly what I need.
 
 
  -Original Message-
  From: listsadmin@lists.myitforum.com
  [mailto:listsadmin@lists.myitforum.com] On Behalf Of Kurt Buff
  Sent: Friday, June 26, 2015 12:43 PM
  To: ntsysadm
  Subject: Re: [NTSysADM] RE: Script to fine Group policies referencing
  a topic
 
  http://deployhappiness.com/searching-gpos-for-that-specific-setting/
 
  On Fri, Jun 26, 2015 at 8:56 AM, David McSpadden dav...@imcu.com
 wrote:
  I'll look at that.
  We moved from an old html linked iis site to a new share point site
  and after a month of testing we want to make the new site our default
 home page.
  I wanted to find all the old policies and 'fix' them.
 
  Sent from my iPhone
 
  On Jun 26, 2015, at 11:53 AM, Gavin Wilby
  gavin.wi...@smppartners.com
  wrote:
 
  In IE at least that is a registry entry.
 
 
 
  Rather than GPO’ing it out I normally just use a reg add  command to
  push it.
 
 
 
  Gavin Wilby
 
  IT Support Engineer
 
 
 
  From: listsadmin@lists.myitforum.com
  [mailto:listsadmin@lists.myitforum.com]
  On Behalf Of David McSpadden
  Sent: 26 June 2015 16:43
  To: 'ntsys...@lists.myitforum.com'
  Subject: [NTSysADM] Script to fine Group policies referencing a topic
 
 
 
  Is there a powershell to find home page URL’s referenced in Group
 Policy??
 
 
 
  David McSpadden
 
  Systems Administrator
 
  Indiana Members Credit Union
 
  P: 317.554.8190 | F: 317.554.8106
 
 
 
 
 
 
 
  This e-mail and any files transmitted with it are property of Indiana
  Members Credit Union, are confidential, and are intended solely for
  the use of the individual or entity to whom this e-mail is addressed.
  If you are not one of the named recipient(s) or otherwise have reason
  to believe that you have received this message in error, please
  notify the sender and delete this message immediately from your
  computer. Any other use, retention, dissemination, forwarding,
  printing, or copying of this email is strictly prohibited.
 
 
 
  Please consider the environment before printing this email.
 
 
 
  This e-mail and any files transmitted with it are property of Indiana
  Members 
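
Kurt's links describe the general approach; here is a worked version as an added example, not something posted in the thread. It renders each GPO to its XML report and searches that text, which catches the home page however it was set (Administrative Template policy, Registry preference, or the legacy IE Maintenance settings), since all of them end up in the report. It assumes the GroupPolicy RSAT module on the machine running it; `oldintranet.example.com` is a placeholder for David's old IIS site name.

```powershell
# Added example, not from the thread. Needs the GroupPolicy RSAT module; run as an account that can read all GPOs.
Import-Module GroupPolicy

function Find-GpoSetting {
    # Renders each GPO to its XML report and returns the GPOs whose report matches the pattern, together
    # with the matching lines and the OUs the GPO is linked to. Administrative Template policies, Registry
    # preferences and legacy IE Maintenance settings all appear in the report, so one search covers every
    # way a home page can have been pushed.
    param(
        [Parameter(Mandatory)][string]$Pattern,          # regex matched against the report text
        [string]$Domain = $env:USERDNSDOMAIN
    )
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $Domain
        $hits = $report -split "`r?`n" |
            Where-Object { $_ -match $Pattern } |
            ForEach-Object { $_.Trim() } |
            Select-Object -Unique
        if ($hits) {
            $links = ([xml]$report).GPO.LinksTo | ForEach-Object { $_.SOMPath }
            [pscustomobject]@{
                GpoName  = $gpo.DisplayName
                Id       = $gpo.Id
                Modified = $gpo.ModificationTime
                LinkedTo = ($links -join '; ')
                Matches  = ($hits -join ' | ')
            }
        }
    }
}

# Every GPO that still references the old IIS site (placeholder hostname):
Find-GpoSetting -Pattern 'oldintranet\.example\.com' | Format-Table GpoName, LinkedTo, Matches -AutoSize

# Every GPO that sets a home page by any mechanism. 'Start Page' is the registry value name IE reads
# (the one Gavin pushes with reg add); 'Home Page' is the label the Administrative Template uses in the report.
Find-GpoSetting -Pattern 'Start Page|Home Page' | Format-List
```

The LinkedTo column is what makes the result actionable: a GPO that matches but is linked nowhere can simply be cleaned up, while one linked at the domain root is the one users are actually getting.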

Re: [NTSysADM] RE: User lock out

2015-06-23 Thread Richard Stovall
Good call.  BTDT.  I wound up having to block the employee's home IP at the
firewall because he wouldn't delete the account from the old device.

On Tue, Jun 23, 2015 at 10:37 AM, Jack Kramer tari...@mac.com wrote:

 Any chance they got a new phone? I had a user who had this going on a few
 years ago and it turns out they got a new phone, gave their old phone to
 their kids, and thought they had wiped all the settings—but it was still
 set to sync contacts. After the next password change they started getting
 lockouts and I traced it back to her home IP, had her bring the phone in,
 and hard reset it. Problem solved.


 On Jun 23, 2015, at 10:22 AM, David McSpadden dav...@imcu.com wrote:

 Tonight if it doesn’t clear up I will.

 *From:* listsadmin@lists.myitforum.com [
 mailto:listsadmin@lists.myitforum.com listsadmin@lists.myitforum.com] *On
 Behalf Of *Kennedy, Jim
 *Sent:* Tuesday, June 23, 2015 10:20 AM
 *To:* ntsys...@lists.myitforum.com
 *Subject:* [NTSysADM] RE: User lock out

 +1

 IIS reset with a force if you can.

 *From:* listsadmin@lists.myitforum.com [
 mailto:listsadmin@lists.myitforum.com listsadmin@lists.myitforum.com] *On
 Behalf Of *Michael B. Smith
 *Sent:* Tuesday, June 23, 2015 10:17 AM
 *To:* ntsys...@lists.myitforum.com
 *Subject:* [NTSysADM] RE: User lock out

 Iis caches usernames/passwords for 4 – 24 hours. Seems likely that they
 have more than one device attempting to connect.

 I personally have 3 devices plus Outlook. When I change my password I
 expect to get locked out a couple of times until I get all the passwords
 updated.

 *From:* listsadmin@lists.myitforum.com [
 mailto:listsadmin@lists.myitforum.com listsadmin@lists.myitforum.com] *On
 Behalf Of *David McSpadden
 *Sent:* Tuesday, June 23, 2015 10:07 AM
 *To:* 'ntsys...@lists.myitforum.com'
 *Subject:* [NTSysADM] User lock out

 User changed password.
 Keeps getting locked out.
 Removes email from phone.
 Resets password.
 Keeps getting locked out.
 Logs or events show attempts from the exchange server.
 What tool can I use to determine exactly what is causing the bad attempts
 that are locking her out?


 *David McSpadden*
 Systems Administrator
 Indiana Members Credit Union
 P: 317.554.8190 | F: 317.554.8106


 This e-mail and any files transmitted with it are property of Indiana
 Members Credit Union, are confidential, and are intended solely for the use
 of the individual or entity to whom this e-mail is addressed. If you are
 not one of the named recipient(s) or otherwise have reason to believe that
 you have received this message in error, please notify the sender and
 delete this message immediately from your computer. Any other use,
 retention, dissemination, forwarding, printing, or copying of this email is
 strictly prohibited.


 Please consider the environment before printing this email.
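
The tool question in David's post has a two-step answer that the replies sketch but do not spell out: event 4740 on the PDC emulator names the computer that forwarded the bad credentials (here, the Exchange server), and that server's IIS logs then show which client IP and User-Agent, and for ActiveSync which DeviceId, keeps sending the old password. The script below is an added example, not code anyone posted. It assumes the RSAT ActiveDirectory module, read access to the PDC emulator's Security log, and default W3C logging on the Exchange CAS; the log lines embedded in it are constructed for illustration and `jdoe` is a placeholder account.

```powershell
# Added example, not posted in the thread. Assumes the RSAT ActiveDirectory module, read access to the
# PDC emulator's Security log, and default W3C logging on the Exchange CAS. 'jdoe' is a placeholder.
Import-Module ActiveDirectory

function Get-LockoutSource {
    # Every lockout is recorded as event 4740 on the PDC emulator. Its "Caller Computer Name" is the
    # machine that submitted the bad credentials; when that is the Exchange server, the next stop is IIS.
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Hours = 24)
    $pdc    = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            User           = $d['TargetUserName']
            CallerComputer = $d['TargetDomainName']   # in 4740 this field carries the caller computer name
            LockoutDC      = $_.MachineName
        }
    } | Where-Object { $_.User -eq $SamAccountName }
}

function Get-FailedIisAuth {
    # Parses W3C log lines using their own #Fields header, keeps the 401s that belong to the user
    # (Basic-auth username, or the User= query string ActiveSync sends), and groups them by client IP
    # and User-Agent. Each row is one device that still has the old password; DeviceId pins it down.
    param([Parameter(Mandatory)][string[]]$LogLines, [Parameter(Mandatory)][string]$UserPattern)
    $fields = $null
    $rows = foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split ' '; continue }
        if ($line -like '#*' -or -not $fields -or -not $line.Trim()) { continue }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
    $rows |
        Where-Object { $_.'sc-status' -eq '401' -and ($_.'cs-username' -match $UserPattern -or $_.'cs-uri-query' -match "User=$UserPattern") } |
        Group-Object -Property 'c-ip', 'cs(User-Agent)' |
        ForEach-Object {
            $first    = $_.Group[0]
            $deviceId = if ($first.'cs-uri-query' -match 'DeviceId=([^&]+)') { $Matches[1] } else { '-' }
            [pscustomobject]@{
                ClientIP  = $first.'c-ip'
                UserAgent = $first.'cs(User-Agent)'
                DeviceId  = $deviceId
                Failures  = $_.Count
                LastSeen  = ($_.Group | ForEach-Object { "$($_.date) $($_.time)" } | Sort-Object | Select-Object -Last 1)
            }
        } | Sort-Object Failures -Descending
}

# Constructed sample in the Exchange CAS log format (not real log data):
$sample = @'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-06-23 13:58:01 10.0.0.25 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ABC123&DeviceType=iPhone&Cmd=Ping 443 - 198.51.100.77 Apple-iPhone4C1/1202.466 401 1 0 15
2015-06-23 13:58:31 10.0.0.25 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ABC123&DeviceType=iPhone&Cmd=Ping 443 - 198.51.100.77 Apple-iPhone4C1/1202.466 401 1 0 12
2015-06-23 13:58:40 10.0.0.25 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=XYZ789&DeviceType=iPhone&Cmd=Sync 443 CORP\jdoe 192.0.2.10 Apple-iPhone7C2/1208.321 200 0 0 230
2015-06-23 13:59:02 10.0.0.25 GET /owa/ - 443 - 203.0.113.5 Mozilla/5.0 401 2 5 3
'@ -split "`r?`n"

Get-LockoutSource -SamAccountName 'jdoe' | Format-Table -AutoSize
Get-FailedIisAuth -LogLines $sample -UserPattern 'jdoe' | Format-Table -AutoSize
# Against the real server (IIS default path; adjust site ID and date):
# Get-FailedIisAuth -LogLines (Get-Content '\\EXCH01\C$\inetpub\logs\LogFiles\W3SVC1\u_ex150623.log') -UserPattern 'jdoe'
```

On the sample, the old iPhone (DeviceId ABC123 at 198.51.100.77) is the only row with failures; the current phone authenticates fine and the unrelated OWA 401 is filtered out because it carries neither the username nor a User= query. With real logs, the ClientIP column is the address Richard ended up blocking, and DeviceId is what you would use to wipe or block just that device in Exchange instead.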






Re: [NTSysADM] RE: User lock out

2015-06-23 Thread Richard Stovall
It's a sad fact, but in some regards not all employees are equal under the
laws of who gets the big clue-by-4 and who doesn't.

On Tue, Jun 23, 2015 at 11:21 AM, Jonathan Raper jra...@nwnit.com wrote:

  Thats ridiculous! The user cannot dictate what I do on my firewall,
 period. If they do not want to delete or shut down what I tell them is
 causing the problem then I tell them that they will continue to have said
 problem until they comply.

 Jonathan

 Sent by Outlook for Android



 On Tue, Jun 23, 2015 at 7:42 AM -0700, Richard Stovall 
 rich...@gmail.com wrote:

  Good call.  BTDT.  I wound up having to block the employee's home IP at
 the firewall because he wouldn't delete the account from the old device.

 On Tue, Jun 23, 2015 at 10:37 AM, Jack Kramer tari...@mac.com wrote:

 Any chance they got a new phone? I had a user who had this going on a few
 years ago and it turns out they got a new phone, gave their old phone to
 their kids, and thought they had wiped all the settings—but it was still
 set to sync contacts. After the next password change they started getting
 lockouts and I traced it back to her home IP, had her bring the phone in,
 and hard reset it. Problem solved.


  On Jun 23, 2015, at 10:22 AM, David McSpadden dav...@imcu.com wrote:

   Tonight if it doesn’t clear up I will.

   *From:* listsadmin@lists.myitforum.com [
 mailto:listsadmin@lists.myitforum.com listsadmin@lists.myitforum.com] *On
 Behalf Of *Kennedy, Jim
 *Sent:* Tuesday, June 23, 2015 10:20 AM
 *To:* ntsys...@lists.myitforum.com
 *Subject:* [NTSysADM] RE: User lock out

  +1

  IIS reset with a force if you can.

   *From:* listsadmin@lists.myitforum.com [
 mailto:listsadmin@lists.myitforum.com listsadmin@lists.myitforum.com] *On
 Behalf Of *Michael B. Smith
 *Sent:* Tuesday, June 23, 2015 10:17 AM
 *To:* ntsys...@lists.myitforum.com
 *Subject:* [NTSysADM] RE: User lock out

  Iis caches usernames/passwords for 4 – 24 hours. Seems likely that they
 have more than one device attempting to connect.

  I personally have 3 devices plus Outlook. When I change my password I
 expect to get locked out a couple of times until I get all the passwords
 updated.

   *From:* listsadmin@lists.myitforum.com [
 mailto:listsadmin@lists.myitforum.com listsadmin@lists.myitforum.com] *On
 Behalf Of *David McSpadden
 *Sent:* Tuesday, June 23, 2015 10:07 AM
 *To:* 'ntsys...@lists.myitforum.com'
 *Subject:* [NTSysADM] User lock out

  User changed password.
  Keeps getting locked out.
  Removes email from phone.
  Resets password.
  Keeps getting locked out.
  Logs or events show attempts from the exchange server.
  What tool can I use to determine exactly what is causing the bad
 attempts that are locking her out?


  *David McSpadden*
  Systems Administrator
  Indiana Members Credit Union
  P: 317.554.8190 | F: 317.554.8106









[NTSysADM] Don't re-use your passwords, folks

2015-06-16 Thread Richard Stovall
St. Louis Cardinals employees apparently used known passwords of a former
executive to access records of his new employer, the Houston Astros.

http://www.nytimes.com/2015/06/17/sports/baseball/st-louis-cardinals-hack-astros-fbi.html

It'll be interesting to see how hard the FBI and DoJ come down on the
perpetrators.  I'm guessing what they did is felonious and violated any
number of different laws.



Re: [NTSysADM] Zxyel Routers

2015-05-12 Thread Richard Stovall
What's the model number?

On Tue, May 12, 2015 at 4:39 AM, Gavin Wilby gavin.wi...@smppartners.com
wrote:

  Hi,



 I have a Zyxel router at a small remote site and need to set up some rules
 to allow/ deny access to services behind it.



 The manual for the router is shocking and although describes where the
 firewall is, doesn’t explain the way that it should be configured.



 Does anyone have any experience of these at all and can confirm the
 following:



 This only allows PPTP from a single IP address to the VPN server on the
 other side.





 And this allows SMTP traffic in from anywhere.





 Or, should the “anywhere rule” be notated as 0.0.0.0 / 0.0.0.0?



 *Gavin Wilby*

 *IT Support Engineer*



 SMP Partners Ltd

 Clinch’s House, Lord Street,

 Douglas, Isle of Man IM99 1RZ

 Tel +44 1624 682214

 Mob +44 7624 480575
 *gavin.wi...@smppartners.com*
 www.smppartners.com



 A member of the SMP Partners Group of Companies






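The question in the quoted post comes down to how a Zyxel-style address/mask pair in a rule table is matched. The following is an added example, not code from the thread or from Zyxel: a first-match, deny-by-default matcher for the two rules described (PPTP from one host, SMTP from anywhere), plus a check for the easy misconfiguration where a specific address is paired with mask 0.0.0.0 and silently becomes "anywhere". The addresses and rule names are constructed.

```python
# Added example: address/mask matching as used in router firewall rule tables.
# Not from the thread or the vendor; addresses below are constructed (RFC 5737 ranges).
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # source address as entered in the rule
    src_mask: str       # source netmask, dotted quad as the router UI shows it
    proto: str          # "tcp" or "gre"
    dport: Optional[int]  # None = any port (GRE has no ports)
    action: str         # "allow" or "deny"


def in_range(addr: str, base: str, mask: str) -> bool:
    """True when addr falls inside base/mask. Mask 0.0.0.0 matches everything,
    mask 255.255.255.255 matches exactly one host."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (b & m)


def evaluate(rules, src: str, proto: str, dport: Optional[int] = None, default: str = "deny"):
    """First matching rule wins; nothing matches -> default deny."""
    for r in rules:
        if r.proto == proto and (r.dport is None or r.dport == dport) and in_range(src, r.src, r.src_mask):
            return r.action, r.name
    return default, "default"


def suspicious(rules):
    """Rules with mask 0.0.0.0 but a specific address match everyone; flag them,
    since a single-host rule almost never intends that."""
    return [r.name for r in rules if r.src_mask == "0.0.0.0" and r.src != "0.0.0.0"]


VPN_PEER = "203.0.113.10"  # constructed: the one remote VPN host allowed in
# Constructed rule set mirroring the two rules asked about in the thread.
# PPTP needs TCP/1723 plus GRE (IP protocol 47), so the peer gets two rules.
RULES = [
    Rule("pptp-from-peer", VPN_PEER, "255.255.255.255", "tcp", 1723, "allow"),
    Rule("gre-from-peer", VPN_PEER, "255.255.255.255", "gre", None, "allow"),
    Rule("smtp-anywhere", "0.0.0.0", "0.0.0.0", "tcp", 25, "allow"),
]
```

So 0.0.0.0 with mask 0.0.0.0 is indeed the "anywhere" rule, and the single-host PPTP rule must carry mask 255.255.255.255; the same address with mask 0.0.0.0 would admit any source.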

Re: [NTSysADM] Mounting an ISO

2015-05-07 Thread Richard Stovall
That's what I have always used for this when the OS doesn't do it
natively.  Just make sure you get it from elby.ch.

On Thu, May 7, 2015 at 2:28 PM, Richard McClary richard.mccl...@aspca.org
wrote:

 I am trying Virtual CloneDrive at the moment (recommended by co-workers in
 my department).

 Thanks!

 -Original Message-
 From: listsadmin@lists.myitforum.com [mailto:
 listsadmin@lists.myitforum.com] On Behalf Of Susan Bradley
 Sent: Thursday, May 07, 2015 1:26 PM
 To: ntsys...@lists.myitforum.com
 Subject: Re: [NTSysADM] Mounting an ISO

 If the server is 2012 r2 you click on the ISO and it will mount it as a
 drive letter.

 If you have lower OSes, I install a virtual ISO (MagicDisc); you then
 install that, browse to the ISO, and it's now a drive letter.

 If you have Hyper-V, you go into the parent, mount the ISO as a SCSI hard
 drive, and then it will be a drive letter in your virtual machine.

 So what's your OS?

 On 5/7/2015 11:14 AM, Richard McClary wrote:
 
  Greetings!
 
  Our telephony vendor is now distributing updates as ISOs.  I do not
  know how to use these.  I cannot burn them onto a disk as they
  approach 13 Gb.
 
  Instructions say to put it onto a file server, then mount it as a
  drive. End of instructions.
 
  Currently, I have them on a NetApp CIFS volume, and I can “see” them
  from the server needing the updates.
 
  Aside from finding an actual server and using an application to dump
  the ISO contents to a folder there (that is, the server needing the
  updates does not read the ISO but rather the opened contents), might
  anyone be able to tell me how this is done?
 
  Thank you…
 
  --
 
  *Richard D. McClary*
 
  Jr Infrastructure Architect, Information Technology Group
 
  *American Society for the Prevention of Cruelty to Animals*
 
  1717 S. Philo Rd, Ste 36
 
  Urbana, IL 61802
 
  Email: richard.mccl...@aspca.org
 
  Phone: 217-337-9761
 
  Cell: 217-417-1182
 
  Fax: 217-337-9761
 
  URL: www.aspca.org http://www.aspca.org/
 




Re: [NTSysADM] POS software

2015-04-20 Thread Richard Stovall
Quickbooks?

On Mon, Apr 20, 2015 at 1:27 PM, J- P jnat...@hotmail.com wrote:

 Has to be supported though; can't expect a pharmacist or cashier to
 troubleshoot open source.






 --
 Date: Mon, 20 Apr 2015 12:21:24 -0500
 Subject: Re: [NTSysADM] POS software
 From: drod...@gmail.com
 To: ntsys...@lists.myitforum.com


 I think that there is some Open Source, Linux based software that will do
 what you want.

 Daniel Rodriguez
 On Apr 20, 2015 11:55 AM, J- P jnat...@hotmail.com wrote:

 Hi all,

 I have a client that's looking for a POS for their store; my distributor
 only carries PCAmerica POS software.

 From what I have been reading, I wouldn't recommend or sell it to my
 worst enemy. Can anyone with POS experience share some opinions, and/or
 guide me in the right direction?

 It's a small pharmacy; it will require 2 terminals.

 thanks







Re: [NTSysADM] Some good news regarding MS15-034

2015-04-16 Thread Richard Stovall
Server 2003 not affected!  W00t!

On Thu, Apr 16, 2015 at 7:09 PM, Kurt Buff kurt.b...@gmail.com wrote:

 I attended the SANS webinar, and we were told that if your IIS
 installation requires authentication, it's not vulnerable. By auth, I
 don't mean SSL/TLS.

 That doesn't help those whose infrastructure is public facing without
 auth (basic web presence, ecommerce, etc.), but for
 Exchange/Lync/etc., it seems to be a small relief.

 Another small note of relief, for those who have them, is that
 Palo Alto's firewalls are supposed to have a signature for this. I'm
 sure other brands either have it or will soon.

 Of course, patching is still a good thing.

 If anyone hears anything different on any of the above, I'm all ears.

 Kurt