Showing posts with label Windows Server 2003. Show all posts

Monday, 15 May 2017

WannaCry Mitigation plus Windows XP and Server 2003 Patch

By now most of the world has heard about the WannaCry malware put together from purported NSA exploit "tools".

The simplest thing to do is to disable or remove SMBv1 on our networks: How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server (Microsoft Support).

Dealing with SMBv1

On Windows 7:

First, we need the following put into a text file:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
pause
shutdown -r -t 0 -f


In Notepad click File then Save As and name exactly as follows:

"Windows7 SMBv1 DISABLE.BAT"


NOTE: The quotes " are necessary

Right click on the resulting BATCH file and Run As Administrator:


An administrator's username and password will be required for this step. A local admin or domain account would work.

A status window will show:


NOTE: Windows 7 should show SUCCESS for both steps

As the message says, press any key to continue.

NOTE: The script automatically reboots the machine so make sure users save and close before running.

On Windows 10:

  1. Click Start and type PowerShell
  2. Right click on the result and Run as Administrator
  3. Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

That fully removes the problematic component in Windows.

Windows Server

Open an elevated PowerShell window:

Remove-WindowsFeature -Name FS-SMB1
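
A read-only check to run after the steps above, as an added example that is not from the original post. The Windows 7 batch file changes only the SMBv1 client driver (mrxsmb10); the SMBv1 server side is controlled separately (the LanmanServer SMB1 registry value on Windows 7, Get-SmbServerConfiguration on Windows 8 / Server 2012 and later), so the report covers both. The function name Get-Smb1State is an assumption made here, and the script assumes Windows PowerShell run elevated.

```powershell
# Added example: read-only report of SMBv1 state on the local machine.
function Get-Smb1State {
    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # Client side: the mrxsmb10 driver and the Workstation service dependency list,
    # which are the two things the Windows 7 batch file changes.
    $mrx = Get-ItemProperty -Path "$services\mrxsmb10" -ErrorAction SilentlyContinue
    $wks = Get-ItemProperty -Path "$services\LanmanWorkstation" -ErrorAction SilentlyContinue
    $clientStart = if ($mrx) { $mrx.Start } else { $null }   # 4 = disabled, $null = driver absent
    $wksDepends  = if ($wks) { @($wks.DependOnService) } else { @() }

    # Server side, Windows 7 / Server 2008 R2: LanmanServer\Parameters\SMB1 (0 = disabled).
    # The value does not exist by default, and a missing value means SMBv1 is enabled.
    $srv = Get-ItemProperty -Path "$services\LanmanServer\Parameters" -ErrorAction SilentlyContinue
    $serverReg = if ($srv -and $srv.PSObject.Properties['SMB1']) { $srv.SMB1 } else { $null }

    # Server side, Windows 8 / Server 2012 and later.
    $serverCfg = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $serverCfg = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Feature state: FS-SMB1 on Windows Server, SMB1Protocol on client Windows.
    $isServer = (Get-WmiObject Win32_OperatingSystem).ProductType -ne 1
    $feature = $null
    if ($isServer -and (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue)) {
        $f = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
        if ($f) { $feature = if ($f.Installed) { 'Installed' } else { 'NotInstalled' } }
    } elseif (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
        if ($f) { $feature = [string]$f.State }
    }

    # Verdicts. A feature that is disabled or not installed overrides the other settings;
    # pending states are left to the individual settings until the reboot has happened.
    $featureOff = $feature -match '^(Disabled|DisabledWithPayloadRemoved|NotInstalled)$'
    $clientOn = (-not $featureOff) -and ($null -ne $clientStart) -and ($clientStart -ne 4)
    if ($featureOff)              { $serverOn = $false }
    elseif ($null -ne $serverCfg) { $serverOn = [bool]$serverCfg }
    else                          { $serverOn = ($serverReg -ne 0) }

    New-Object PSObject -Property @{
        ClientDriverStart  = $clientStart
        WorkstationDepends = ($wksDepends -join '/')
        ServerRegistrySMB1 = $serverReg
        ServerConfigSMB1   = $serverCfg
        FeatureState       = $feature
        ClientSmb1Enabled  = $clientOn
        ServerSmb1Enabled  = $serverOn
    }
}

Get-Smb1State | Format-List
```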


Backup & Restore

For users that almost exclusively work from their computer over server or cloud based resources with no local backup it's important that they back up their machines daily! They should have at least three 2.5" USB3 fast disk drives in rotation.

We use ShadowProtect Desktop by StorageCraft to back up our clients' endpoints.

A critical component in the backup regime is an air-gap, just as it is for the entire organization's server infrastructure.

Windows XP and Server 2003

Get the Security Updates ASAP and install them!

The files may be able to be set up to be delivered via your favourite patching mechanism. Please check that out to get these patches out to as many systems as is possible.

Windows Firewall

One mitigation step would be to set up a Group Policy object that denies inbound File & Print (port 445) traffic from any system except the necessary ones, such as servers and/or domain controllers.

Malware Mitigation

As always, the best form of mitigation is a well trained user. Patch and train the human is the best methodology going.

As a small plug, our xD mail sanitation and continuity service flags and renders inert links that say one thing but point to another location. This has put link shortening services like Bit.Ly at a disadvantage but we're willing to pay that price to keep our users safe. Just ask us how!

Philip Elder
Microsoft High Availability MVP
MPECS Inc.
Co-Author: SBS 2008 Blueprint Book
Our Cloud Service

Wednesday, 9 May 2012

Group Policy Settings Reference for Windows and Windows Server Excel Spreadsheets

Microsoft downloads:


Note the new spreadsheet for Windows Server 2012 (8).


The spreadsheets support Pivot Tables, so it is fairly straightforward to find a specific setting or group of settings. The Excel Find feature allows for a quick search of the content.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*Our original iMac was stolen (previous blog post). We now have a new MacBook Pro courtesy of Vlad Mazek, owner of OWN.


Tuesday, 15 March 2011

AD DS Operation Failed – directory service is missing mandatory configuration – Event ID 2091 – FSMO Role Broken

We went to run a DCPromo on a temporary DC to remove it from a domain and received the following error:


Active Directory Domain Services Installation Wizard

The operation failed because:

Active Directory Domain Services could not transfer the remaining data in directory partition DC=ForestDNSZones,DC=DOMAIN,DC=LOCAL to Active Directory Domain Controller \\SBS.DOMAIN.LOCAL.

“The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.

In the temporary DC’s Event Logs we found the following:


Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          3/12/2011 12:29:37 PM
Event ID:      2091
Task Category: Replication
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      TempDC.DOMAIN.LOCAL
Description:

Ownership of the following FSMO role is set to a server which is deleted or does not exist.
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
 
FSMO Role: CN=Infrastructure,DC=ForestDnsZones,DC=DOMAIN,DC=LOCAL
FSMO Server DN: CN=NTDS Settings\0ADEL:b3541fc4-50cc-4c12-96be-e5239b314bea,CN=OLD-DC\0ADEL:da50a8ba-dbc7-4219-8d68-ffa03b38c030,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=LOCAL
 
User Action:
 
1. Determine which server should hold the role in question.
2. Configuration view may be out of date. If the server in question has been promoted recently, verify that the Configuration partition has replicated from the new server recently.  If the server in question has been demoted recently and the role transferred, verify that this server has replicated the partition (containing the latest role ownership) lately.
3. Determine whether the role is set properly on the FSMO role holder server. If the role is not set, utilize NTDSUTIL.EXE to transfer or seize the role. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
4. Verify that replication of the FSMO partition between the FSMO role holder server and this server is occurring successfully.
 
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

The referenced OLD-DC was an original Windows Server from eight years ago!

Long story short, make sure to open ADSIEdit _on the affected FSMO Role owner_ and make the necessary changes there. When we tried to change the required settings on TempDC we kept getting errors.

  1. Obtain the correct setting:
    1. On the affected role owner open ADSIEdit.
    2. Click on Default Naming Context [SBS.Domain.Local].
    3. Click on DC=Domain,DC=Local.
    4. Double click on CN=Infrastructure at the bottom of the list of folders.
    5. Locate the fSMORoleOwner attribute and click on it.
    6. Click the Edit button.
    7. CTRL+C to copy the contents of the attribute.
    8. Click CANCEL twice.
  2. Correct the problematic settings:
    1. Right click the ADSI Edit root and click on Connect to…
    2. Use the following connection point:
      1. DC=DomainDNSZones,DC=Domain,DC=Local
    3. Click on Default Naming Context [SBS.Domain.Local] to populate it.
    4. Click on DC=DomainDNSZones,DC=Domain,DC=Local folder.
    5. Double click on CN=Infrastructure.
    6. Locate the fSMORoleOwner attribute and click on it.
    7. Click the Edit button.
    8. CTRL+V to paste the correct setting.
    9. Click OK and then Apply.
    10. Repeat steps 2.1-2.9 to correct DC=ForestDNSZones,DC=Domain,DC=Local.

Once the above steps were completed on the FSMO Role owner for Infrastructure we were able to properly demote the temporary DC.

NOTE

The error we kept receiving when trying to edit the FSMO Role owner setting on TempDC was the following:


ADSIEdit

Operation failed. Error code: 0x20ae
The role owner attribute could not be read.

000020AE: SvcErr: DSID-03152965, problem 5003 (WILL_NOT_PERFORM), data 0

It took a while to decipher that the above message was telling us to move our FSMO editing operations over to the Role Owner!
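
A read-only way to see which partitions still carry a stale Infrastructure role owner before opening ADSIEdit, as an added example that is not part of the original post. The function names Test-RoleOwnerDeleted and Get-InfrastructureRoleOwner and the optional -Server parameter are assumptions made here; the script only reads fSMORoleOwner, so the correction itself is still made in ADSIEdit on the role owner as described above.

```powershell
# Added example: report the fSMORoleOwner of CN=Infrastructure on the domain,
# DomainDnsZones and ForestDnsZones partitions, and flag owners that were deleted.

# A deleted NTDS Settings object appears in the DN as "\0ADEL:<guid>",
# which is what the FSMO Server DN in Event ID 2091 shows.
function Test-RoleOwnerDeleted {
    param([string]$RoleOwnerDn)
    return ($RoleOwnerDn -match '\\0ADEL:')
}

function Get-InfrastructureRoleOwner {
    param([string]$Server)   # optional: name of the DC to query

    $prefix   = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDse  = [ADSI]($prefix + 'RootDSE')
    $domainNc = [string]$rootDse.defaultNamingContext
    $forestNc = [string]$rootDse.rootDomainNamingContext

    $partitions = @(
        $domainNc,
        "DC=DomainDnsZones,$domainNc",
        "DC=ForestDnsZones,$forestNc"
    )

    foreach ($nc in $partitions) {
        $entry = [ADSI]($prefix + "CN=Infrastructure,$nc")
        $owner = [string]$entry.Properties['fSMORoleOwner'].Value
        New-Object PSObject -Property @{
            Partition = $nc
            RoleOwner = $owner
            Deleted   = (Test-RoleOwnerDeleted $owner)
        }
    }
}

# Offline check of the matcher against the FSMO Server DN quoted in the event log above.
Test-RoleOwnerDeleted 'CN=NTDS Settings\0ADEL:b3541fc4-50cc-4c12-96be-e5239b314bea,CN=OLD-DC\0ADEL:da50a8ba-dbc7-4219-8d68-ffa03b38c030,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=LOCAL'

# On a domain-joined machine or DC:
Get-InfrastructureRoleOwner | Format-List Partition, RoleOwner, Deleted
```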

Further Reading

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*Our original iMac was stolen (previous blog post). We now have a new MacBook Pro courtesy of Vlad Mazek, owner of OWN.


Thursday, 30 July 2009

Recovering Server 2003 with Dynamic Disks via ShadowProtect

One of our non-profit clients needed to replace an aging server with new hardware. Since their licensing covered moving the OS to another box, and the legacy app on that box would not run on Server 2008, we used ShadowProtect to move the OS to new hardware.

Unfortunately, virtualizing the legacy setup was not an option or we would have taken that approach.

The source server was set up with a pair of dynamic disks that were mirrored via an OS software RAID.

When recovering a server that uses a set of Dynamic disks for an OS based software RAID, there is an extra step to the image recovery process.

If the server is a member server, as was the case for us, make sure to reset the local admin password on the server and have that change reflected in the SP image before the image is used for a restore.

Once the SP image has been placed on the new drives, or in our case on a new server, we needed to boot to the Windows Server 2003 CD and log onto the recovery console.

At the recovery console we needed to run the following commands:

  1. fixboot c: [Enter]
  2. fixmbr [Enter]

This will reset the dynamic disks to basic and allow the OS to boot.

Remember to follow the required post Hardware Independent Restore steps (previous blog post) if moving the OS to new hardware as we were doing here.

StorageCraft’s white paper on dynamic disks:

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*All Mac on SBS posts will not be written on a Mac until we replace our now missing iMac! (previous blog post)


Wednesday, 20 May 2009

Windows Server 2003 SP1? Hotfix or SP2 before ChkDsk /F or /X or /R

If SBS 2003 has not been service packed up to Windows Server 2003 SP2 (How to obtain the SP) yet, there is a cautionary tale to be had about running chkdsk /f on that server:

If the bug rears its head, then it is quite possible the server will not come back up if the system partition had chkdsk /f run on it. This goes for any other partition chkdsk was run on that may have critical data on it relevant to a proper OS boot too.

If the partition was client data oriented, there could be a need to either reset the permissions on the entire partition, or recover it from the most recent backup to save on all of the work resetting permissions.

This is another good reason to test those service packs and then deploy them on our client servers!

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*All Mac on SBS posts will not be written on a Mac until we replace our now missing iMac! (previous blog post)


Microsoft Licensing Briefs

One area we always seem to need to brush up on is Microsoft Licensing.

A site that has the necessary documentation:

The site:


We are looking to find out whether a client of ours can install Windows Server 2008 x64 Server Core with the Hyper-V role enabled and virtualize a Windows Server 2003 Standard server using the 1+1 virtualization rights plus downgrade ability with Open Licensing.

This is the site we were pointed to with the specific document:

Pages 24-25 explain the Server Standard 1+1 and Enterprise 1+4 licensing guidelines quite well.

So, the answer is yes we can run Server 2003 Standard with their Open Licensing server license.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*All Mac on SBS posts will not be written on a Mac until we replace our now missing iMac! (previous blog post)


Monday, 2 March 2009

WSUS Database at 61GB

Here is probably one of the largest WSUS directories we have seen to date:

09-03-02 WSUS Downloads at 60GB

WSUS Folder at 60.8GB

This particular server is a stand-alone Windows Server 2003 RTM Standard box that has been around for a long time.

Given the way the WSUS Server Cleanup Wizard tends to choke up the CPU cycles for a very good amount of time, we have not had any opportunity to run the cleanup wizard on this particular box.

The box is also running very slim on disk space on both the OS partition and the data partition. So, hopefully this particular organization will be able to replace the box … and soon.

Nonprofits struggle by default unless they are large and/or well funded by the government. This particular nonprofit is no exception to the rule: Broke all of the time.

Please remember to help out with your local nonprofits with talent time, hardware, and if possible cash donations. Giving a little back to the community we happen to find ourselves in is an important part of doing business.

Giving back is even more important today as folks around us tighten up their wallets.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts will not be written on a Mac until we replace our now missing iMac!


Tuesday, 29 July 2008

DNS Update is an absolute requirement

Lately, we have seen a lot of news on the wire and in the blogosphere about vulnerabilities in our DNS setup.

The news is such that Microsoft has reissued a Microsoft Security Advisory (956187).

The threat is imminent, and we should be patching all of our client systems.

From the above Security Advisory:
Microsoft released Microsoft Security Bulletin MS08-037 on July 8, 2008, offering security updates to protect customers against Windows Domain Name System (DNS) spoofing attacks. Microsoft released this update in coordination with other DNS vendors who were also similarly impacted. Since the coordinated release of these updates, the threat to DNS systems has increased due to a greater public understanding of the attacks, as well as detailed exploit code being published on the Internet.

Microsoft is not currently aware of active attacks utilizing this exploit code or of customer impact at this time. However, attacks are likely imminent due to the publicly posted proof of concept and Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

Microsoft’s investigation of this exploit code has verified that it does not affect Microsoft customers who have installed the updates detailed in Microsoft Security Bulletin MS08-037. Microsoft continues to recommend that customers apply the updates to the affected products by enabling the Automatic Updates feature in Windows.

Threat Level has some good background information on the who/what/where/when:

A little work is in store for those of us who have not patched yet. :)

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Thursday, 27 December 2007

SBS - QuickBooks 2008 - Problem with multi-user hosting setup

When installing QuickBooks 2008 with the intention of having multiple users access the same company file, you may receive the following error when opening QB and opening a company file located on a network share:

Problem with multi-user hosting setup

Problem
You are trying to work with a company file that is located on another computer, but that computer needs additional installation and setup. (H505)
In our case, the files are being hosted on the client's Small Business Server 2003 Premium box.

So, we need to run the QB setup disk on the server itself. Once we start the setup and accept the licensing agreement, we are greeted with:

Install QuickBooks Server 2008

Once the install has completed, we end up with a couple of new services on the server and an icon in the tray:

QuickBooks Services Icon - Far Left

Note the Simply Accounting 2008 server service is also running on this particular box.

Keep in mind for busy accounting offices whose SBS box is nearing its performance limits, these two server services may push the box over the edge when a number of company files are open at the same time.

We did run through the "Alternate Setup" process to configure the workstation as a host for the file and it seems to work okay. Users on a simple Internet Router setup may have issues with name resolution or changing IPs, but it will work. Note that any third party firewall software may interfere with connectivity too.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Thursday, 12 July 2007

Windows 2003 Service Pack 2 - Intel ProSet teaming broken.

We got called in to a client's location because they could not figure out why their server was no longer connected to anything after a bunch of updates. It turns out that one of the updates was Windows Server 2003 Service Pack 2.

After a bit of investigation it was discovered that the adapters were showing that they were part of an adapter team, but there was no team entry in the Network Connections folder.

This is how the setup should look for the Intel ProSet adapter teaming:
LAN Adapter 1 (Connected)
LAN Adapter 2 (Connected)
LANTeam 1 (Connected) in fault tolerance mode.

After Server 2003 SP 2 it looked like:
LAN Adapter 1 (Connected)
LAN Adapter 2 (Connected)

Because it is the LANTeam adapter that has all of the actual network bindings attached to it, the server was throwing all sorts of fits. Active Directory, DNS, WINS, and more were throwing codes left, right, and centre.

To fix it temporarily, we broke the adapter teaming by removing one of the physical adapters from the team, and then set the appropriate static IP settings to it.

We didn't do any updating of the ProSet software for now, as timing was critical for them. They had been down since early that morning when the service pack was applied.

There are no guarantees that when we go back to install the newest ProSet version that the adapter teaming will work as it should either. We will need to test that beforehand!

We are hesitant as far as installing the newest ProSet 11.x. This newest version has been giving us problems with the inability to set the adapters into teaming mode for fault tolerance. This is without W2K Server SP2 on the boxes as they all tend to be SBS based. So, there are no guarantees that this newest version will work with SP 2 either!

The investigation is ongoing! ;)

UPDATE 2007-07-16: We have a Windows Server 2003 Standard R2 box that had version 11.1 of the ProSet installed on it. The Service Pack did not kill the team in this case. However, it did kill access to any of the ProSet tabs when bringing up the NIC's properties via the physical NIC's Configure button.

We will reinstall the original ProSet 11.1 to see if that brings back the tabs and thus the ability to control the Teaming feature. If not, we will install the newest version of ProSet to see if that works.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Thursday, 24 May 2007

System Builder Tip: Keep that PS/2 Keyboard Around

We had an interesting situation come up recently.

When we slaved up a failing WD hard drive to our data mule machine running Windows XP Pro SP2, we were not able to cancel out the default disk scan Windows wants to run on the WD.

We had to reboot the system a number of times due to the poor condition of the drive.

The only way we could bypass the scan was to have a PS/2 keyboard plugged in so we could hit the "any key". Right at that point, Windows had disconnected the USB and thus the USB keyboard.

We have seen this on servers as well right at the 34 minute mark of a Windows Server 2003, 2003 SP1, and 2003 R2 install. The USB would get knocked out, and the system would ask for the RAID driver to be accepted right after it. With no PS/2 keyboard, we would have been stuck. The same would be true for the Disk 1 install of SBS.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

Wednesday, 21 March 2007

Windows Server 2003 - The attempt to retrieve account information for specified task failed

I had a member server running Windows Server 2003 R2 Standard that was promoted into an SBS domain that suddenly refused to run Shadow Copy.

A little research brought me to an MS Knowledgebase article that helped.

The following Microsoft KB 822904 had the fix in it: "The attempt to retrieve account information for the specified task failed" error message when you use Task Scheduler to schedule volume shadow copy to run in Windows Server 2003

From the article:

SYMPTOMS
You use Task Scheduler to schedule a shadow copy backup of a volume to run on a Microsoft Windows Server 2003-based computer. You enable the Volume Shadow Copy service and then run the Dcpromo.exe utility. However, the task does not run successfully, and you do not receive an error message.

Additionally, if you right-click the scheduled task and then click Properties, you receive the following error message:
The attempt to retrieve account information for the specified task failed; therefore, the task did not run. Either an error occurred, or no account information existed for the task.

The specific error is:
0x8007000d: The data is invalid.

If you then click OK in the error box to display the properties, the Run as line is blank and unavailable. The correct parameters appear in the Run line, but the Run line is also unavailable.

CAUSE
This problem occurs because you used a local computer account that is no longer available to create the task.

WORKAROUND
To work around this problem, run the Dcpromo.exe utility before you enable the Volume Shadow Copy service, and then use Task Scheduler to schedule volume shadow copy.

You can also work around this problem by re-creating the d42* files. To do this, follow these steps:
1. Log on as user who has administrative credentials.
2. Delete all scheduled tasks. To do this, follow these steps:
a. Click Start, Run, type control schedtasks, and then press ENTER.
b. Confirm the list of jobs that are registered in the Scheduled Tasks window.
c. Delete all registered tasks.
d. Close the Scheduled Tasks window.

3. Click Start, click Run, type cmd, and then click OK.
4. At the command prompt, type the following to move to the specified folder:
cd %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18
5. Delete all files that start with d42* by typing the follow command:
del d42*
6. At the command prompt, type exit.
7. Reschedule the volume shadow copy tasks. The files that start with d42* are re-created after the volume shadow copy tasks are rescheduled.
8. Make sure that the scheduled tasks function correctly on the domain controller

In our case, a DCPROMO was not possible. We needed to use the second suggestion to delete the d42* files to fix the problem.

You may need to attrib the directory first to find the files as they may be hidden and/or system files. You will then need to remove the hidden and system attributes with the attrib command.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

Friday, 16 March 2007

Windows XP x64 SP2 now available

Okay, I am a little behind on my WSUS monitoring.

With a couple of critical client situations taking up most of our week, now is the first time to go through our servers and approve updates that need to happen.

This gem caught my eye under the highlighted updates:


We don't really work with XP Pro x64 that much due to the lack of need in our client base.

I was surprised to see that XP x64 gets an SP2 along with Server 2003 x64 versions.

Go to the XP Pro site and then link on to the XP x64 SP site and we get the following:



One thing that pleasantly surprises me in the links: We can now download the Service Pack CD via an ISO download. No more ordering and waiting for that CD to come, waiting for the TechNet update disks, or Microsoft Action Pack.

That in my opinion is an excellent move on Microsoft's part.

Click on to the actual download:



And, lo and behold, the XP x64 version is the same as the Server 2003 x64 versions.

I am not a software architect by any means, but I do find it curious that the SP covers both server and desktop x64 editions.

Also, check out that download size: 475 MB!

This leads me to believe, given the size of the recent SQL 2005 service pack, that the Vista and eventual Longhorn service packs will approach 1 GB in download size. WOW!

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

Monday, 5 February 2007

SBS - Windows Server 2003 Access-based Enumeration

When there is a need to have folders in the general company share hidden from users with no permission to access them, we use Windows Server 2003 Access-based Enumeration.


This tool installs onto the server, and uses the Security ACL permissions to determine who is allowed to see the folder listed in their Windows Explorer or command line directory listing.


When installing the tool, one has the choice to enable enumeration on all shares, or choose to enable it on individual shares later on. I always choose the manual option.


Once installed, you will find a new tab in your folder properties window.




Once clicked on, you are presented with the option to enable enumeration on the folder.


Once enabled, only those users that have permission to access the folder will see it in their Explorer. This goes for folders listed in the Network Neighbourhood/My Network Places listings on the server.

The documentation can be found here on Microsoft's site.


The actual download can be found here. Note the different downloads for different processor architectures.

Happy SBSing!

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists