Archive for SBS – Page 5

Testing your CryptoLocker Group Policy

I posted previously on using Group Policy to establish rules to prevent executable files (.exe) stored in the Windows AppData directory from running, as a way to minimize or prevent the Cryptolocker-type ransomware from infecting your computers.

Someone asked me: “How do I know if the group policy rules are working?”

Good question … easy answer: copy a small, known-good executable into your local AppData directory and try to run it. I like to use notepad.exe for this test. Because the rules are path rules on *.exe, this test checks exactly what the policy claims to block: an .exe launched from under AppData.

Here are the steps if doing this from a Vista / Win7 / Win8 workstation:

  1. Open up an elevated command prompt window (right-click Command Prompt, Run as administrator).
    By default, it should put you into the C:\Windows\System32 folder.
  2. Enter the following commands, pressing Enter after each:
    copy notepad.exe %localappdata%
    cd %localappdata%
    notepad.exe
  3. If you receive the error message “This program is blocked by group policy.” then your group policy rules are working.
    Congratulations! (If Notepad opens instead, the policy has not applied yet: run gpupdate /force and try again.)
  4. Delete the test copy when you are done: del %localappdata%\notepad.exe
    On an XP workstation the rule targets %AppData% rather than %localappdata%, so there you copy to and run from %appdata% instead.
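The same check scripted in PowerShell, as an added example that is not part of the original post. It first lists the Disallowed path rules that actually reached the workstation (SRP stores them under the CodeIdentifiers\0\Paths registry key), then drops a copy of notepad.exe into %LOCALAPPDATA% and into a subfolder, matching the two rules from the Vista-and-higher policy, and tries to launch each. The file name srptest.exe and the subfolder name are assumptions for the test only; run it from an elevated prompt on Vista/Win7/Win8 after gpupdate /force.

```powershell
# Added example (not from the original post): verify the AppData SRP rules.
# Assumptions: the GPO has applied (gpupdate /force), notepad.exe is the harmless
# test binary as in the post, and srptest.exe / srptest\ are throwaway names.
$ErrorActionPreference = 'Stop'

# 1. Show the Disallowed path rules that reached this machine.
#    SRP keeps rules under one key per security level: 0 = Disallowed,
#    262144 = Unrestricted. Each rule is a GUID subkey whose ItemData is the path.
$disallowed = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
if (Test-Path $disallowed) {
    Get-ChildItem $disallowed | ForEach-Object {
        $r = Get-ItemProperty $_.PSPath
        '{0,-40} {1}' -f $r.ItemData, $r.Description
    }
} else {
    Write-Warning 'No Disallowed path rules found on this machine; did the GPO apply?'
}

# 2. Copy notepad.exe to %LOCALAPPDATA% and to one subfolder, so both the
#    %LocalAppData%\*.exe and %LocalAppData%\*\*.exe rules get exercised.
$src   = Join-Path $env:SystemRoot 'System32\notepad.exe'
$tests = @(
    (Join-Path $env:LOCALAPPDATA 'srptest.exe'),
    (Join-Path $env:LOCALAPPDATA 'srptest\srptest.exe')
)

foreach ($exe in $tests) {
    $dir = Split-Path $exe
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Copy-Item $src $exe -Force
    try {
        $p = Start-Process -FilePath $exe -PassThru -ErrorAction Stop
        # Reaching this line means the rule did NOT block it: close it and flag it.
        Start-Sleep -Seconds 1
        if (-not $p.HasExited) { $p.Kill() }
        Write-Warning "NOT BLOCKED: $exe"
    } catch {
        # CreateProcess fails with Win32 error 1260 (ERROR_ACCESS_DISABLED_BY_POLICY),
        # which is the "This program is blocked by group policy." message.
        Write-Host "Blocked as expected: $exe" -ForegroundColor Green
        Write-Host "  $($_.Exception.Message)"
    } finally {
        Remove-Item $exe -Force -ErrorAction SilentlyContinue
    }
}
Remove-Item (Join-Path $env:LOCALAPPDATA 'srptest') -Recurse -Force -ErrorAction SilentlyContinue
```

One caveat when testing from an elevated prompt: SRP enforcement defaults to "All users", which includes administrators, so the launch is blocked. If the policy's Enforcement setting was changed to "All users except local administrators", an elevated test will succeed and prove nothing; repeat it as a standard user in that case.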

image

Block Executables from AppData folder

The SMB Kitchen team from Third Tier has made available (for free) a CryptoLocker Prevention Kit, which includes a 20-page document with step-by-step instructions on how to lock down your servers and workstations using Group Policy settings to minimize future attacks.

The purpose of this post is to summarize those steps down to a single page. These steps are specific to SBS 2008/2011, but should be applicable to Windows 2008/2012 servers.

GOAL: create Software Restriction Policies within Group Policy to block executables (.exe) from running when they are located in the AppData folder or subfolders therein. Two policies are needed because the %LocalAppData% environment variable does not exist on Windows XP, so the XP policy keys on %AppData% instead, and each policy is scoped to its OS with a WMI filter.

CREATE POLICIES FOR XP

  1. Open up Group Policy Management and drill down to Domain –> Computers –> SBSComputers
  2. Right click on SBSComputers and select ‘Create a GPO in this domain and link it here…’
  3. Title this policy Prevent CryptoLocker XP and click OK
  4. Right click on this policy and select Edit
  5. Navigate to Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Software Restriction Policies
  6. Right click on Software Restriction Policies and click on ‘New Software Restriction Policies’
  7. Right click on Additional Rules and click on ‘New Path Rule…’, enter the following information and then click OK
    Path = %AppData%\*.exe
    Security Level = Disallowed
    Description: Don’t allow executables from AppData
  8. Repeat Step 7 for AppData subfolders
    Path = %AppData%\*\*.exe
    Security Level = Disallowed
    Description: Don’t allow executables from AppData subfolders
  9. Close this policy configuration window
  10. From the Prevent CryptoLocker XP policy locate WMI Filtering near the bottom of the middle frame and select ‘Windows SBS Client – Windows XP’

CREATE POLICIES FOR VISTA / WIN7 / WIN8

  1. Open up Group Policy Management and drill down to Domain –> Computers –> SBSComputers
  2. Right click on SBSComputers and select ‘Create a GPO in this domain and link it here…’
  3. Title this policy Prevent CryptoLocker Vista and higher and click OK
  4. Right click on this policy and select Edit
  5. Navigate to Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Software Restriction Policies
  6. Right click on Software Restriction Policies and click on ‘New Software Restriction Policies’
  7. Right click on Additional Rules and click on ‘New Path Rule…’, enter the following information and then click OK
    Path = %LocalAppData%\*.exe
    Security Level = Disallowed
    Description: Don’t allow executables from AppData
  8. Repeat Step 7 for AppData subfolders
    Path = %LocalAppData%\*\*.exe
    Security Level = Disallowed
    Description: Don’t allow executables from AppData subfolders
  9. Close this policy configuration window
  10. From the Prevent CryptoLocker Vista and higher policy locate WMI Filtering near the bottom of the middle frame and select ‘Windows SBS Client – Windows Vista’
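The same Disallowed path rules added from the GroupPolicy PowerShell module (SBS 2011 / Windows Server 2008 R2 and later) instead of clicking through the editor, as an added example that is neither the post's procedure nor the Third Tier kit's. It assumes the GPO named in the script already exists and that steps 1 to 6 above (creating the Software Restriction Policies container inside it) were done in the editor, so only the rules are written. It also goes one step beyond the post: on Vista and later, %AppData% resolves to AppData\Roaming, which the %LocalAppData% rules do not cover, so matching rules for %AppData% are added as well.

```powershell
# Added example (not from the original post or the Third Tier kit): write SRP
# "Disallowed" path rules into an existing GPO with Set-GPRegistryValue.
# Assumptions: the GPO exists and its Software Restriction Policies container
# was created in the editor (steps 1-6), so DefaultLevel etc. are in place.
Import-Module GroupPolicy

$gpoName = 'Prevent CryptoLocker Vista and higher'   # assumed name; match yours

# SRP keeps rules under one key per security level: 0 = Disallowed, 262144 = Unrestricted.
$disallowedPaths = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'

$rules = @(
    @{ Path = '%LocalAppData%\*.exe';   Description = "Don't allow executables from AppData" },
    @{ Path = '%LocalAppData%\*\*.exe'; Description = "Don't allow executables from AppData subfolders" },
    @{ Path = '%AppData%\*.exe';        Description = "Don't allow executables from AppData\Roaming" },
    @{ Path = '%AppData%\*\*.exe';      Description = "Don't allow executables from AppData\Roaming subfolders" }
)

function Get-RuleGuid([string]$path) {
    # The editor names each rule key with a random GUID. Deriving it from the
    # path instead makes re-runs update the same rule rather than add duplicates.
    $md5   = [System.Security.Cryptography.MD5]::Create()
    $bytes = $md5.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($path.ToLowerInvariant()))
    return (New-Object System.Guid (,$bytes)).ToString('B').ToUpperInvariant()
}

foreach ($rule in $rules) {
    $key = '{0}\{1}' -f $disallowedPaths, (Get-RuleGuid $rule.Path)
    # ItemData is the path pattern (REG_EXPAND_SZ so %...% expands on the client);
    # SaferFlags 0 is what the editor writes for a plain path rule.
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'ItemData'     -Type ExpandString -Value $rule.Path        | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'SaferFlags'   -Type DWord        -Value 0                 | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'Description'  -Type String       -Value $rule.Description | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'LastModified' -Type QWord        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) | Out-Null
}

# Read back what the GPO now carries, rule by rule.
foreach ($rule in $rules) {
    $key = '{0}\{1}' -f $disallowedPaths, (Get-RuleGuid $rule.Path)
    $v = Get-GPRegistryValue -Name $gpoName -Key $key -ValueName 'ItemData'
    'Disallowed: {0}' -f $v.Value
}
```

Run gpupdate /force on a client afterwards and confirm with the notepad.exe test from the other post. Keep in mind that a *.exe pattern matches only files named .exe; anything else in the SRP "Designated File Types" list (.scr, .com, .pif and so on) needs its own rule if you want it blocked from AppData too.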

Beware Cryptolocker Malware Madness

The past few weeks have been filled with reports of workstations and servers being infected with the Cryptolocker ransomware. It is being called one of the worst malware attacks ever seen. And these infections are occurring even when anti-virus and anti-spam filters are in place.

image

http://blog.emsisoft.com/2013/09/10/cryptolocker-a-new-ransomware-variant/

Please do not treat this lightly!

The result of this attack is that the files on your computer are encrypted with strong public-key cryptography (the samples analysed at the time used a 2048-bit RSA key pair, and the private key needed to decrypt never leaves the attackers' server). It also encrypts files on any mapped network drives or USB drives that are attached, so it does not stop at the infected PC. And even worse: there is no known tool to decrypt these files without that key.

This malware often comes in through rogue emails that appear to be from FedEx, UPS, Amazon or other similar purchasing sites. It may be a link in the email, or an attachment. But clicking on the link or the attachment is all that it takes.

DISCONNECT AND SHUT DOWN YOUR COMPUTER IMMEDIATELY

You will know if you have been infected with the Cryptolocker malware, because you will see a large message on your screen telling you to pay a ransom to get your data files back.

Do not stop to run anti-virus or anti-malware utilities first: every minute the machine stays up, it keeps encrypting files, including those on mapped drives. If you see the ransom message, pull the network cable (or disable Wi-Fi) so it can no longer reach shared folders, then power the computer off.

BACKUP – BACKUP – BACKUP!!!!

The best advice anyone will give you is to make sure you have an up-to-date backup of your servers, workstations and your data, because if you get caught by this malware you will need to restore your data from backup. And since it encrypts files on any mapped or attached drive it can reach, at least one copy of that backup needs to be offline or otherwise disconnected from the workstations, or the backup is encrypted along with everything else. It primarily seeks out office files (Word, Excel, etc.), but will also look for database files (Access, FoxPro, etc.).

Cryptolocker can be removed using well-known malware removal tools, such as MalwareBytes. But these tools CANNOT decrypt your encrypted files.

DO NOT PAY THE RANSOM!

The Cryptolocker malware will display a large warning message that your computer has been compromised, and that you can recover your files if you pay the required ransom (anywhere from $100 to $300). The message also says that you only have a limited amount of time to pay this ransom, generally 72 hours.

Even though there are some people who have reported paying the ransom and getting their files decrypted, I cannot condone such actions. Not only is there no assurance that the cleanup will take place if you pay the money, it still remains that your system has been compromised.

REFORMAT and RELOAD

I strongly advise reformatting infected systems and restoring Windows, either from backup or as a clean install.

Download certugr.asp file

Over the past many years, I often get a request for a missing certugr.asp file when installing Certificate Services on SBS 2003 (yes 2003!).

In the past, I’ve  handled these requests offline, but in the chance someone still needs the file in the future, I have provided instructions and a link to download the file from my site.

Instructions:

  1. Right click on this link: certugr.txt and select the “Save target as…” option.
  2. Save the file to your desktop
  3. Rename the file from certugr.txt to certugr.asp
  4. Copy the file to the ..\windows\system32\certsrv folder on your server

Good luck, and let me know if this helps you!

Exchange 2007 Rollup 11 SBS 2008

I generally like to wait a month before installing Exchange rollups. If you’re running SBS 2008 and Exchange 2007, you may have noticed that Rollup 11 for Exchange 2007 was released on August 13, 2013.

As with all previous Exchange rollups, you can install it via WSUS, or you can install it manually – which is my preference. There is a small trick you need to know to install the rollup manually, so let’s jump in:

  1. Go ahead and download the latest rollup. Rollup 11 can be found here.
  2. You will be asked to select whether to download the 32-bit (x86) or 64-bit (x64) version. For SBS 2008, you want the x64 version.
  3. Download and save the file to your preferred folder on your server.
  4. Now, if you simply double-click the downloaded file and try to install it, it’s not going to work; you will get the following error message: “The Installer has insufficient privileges to modify this file: C:\Program Files\Microsoft\Exchange server\RelNotes.htm”.
    image
  5. So you say to yourself, “Oh, I guess I need to right click on the file and ‘run as’ administrator”.
    Go ahead, and try it, and you will be in for a surprise – you won’t find a ‘run as’ option, because this is a .msp file.
    What are you going to do now?
  6. Kudos to my good friend and MVP buddy, Philip Elder, who discovered the following trick to get around this issue:

    Start up a command prompt window using the ‘run as’ administrator, and then within the command prompt window, navigate to the folder where the Rollup file was stored, and type in the full name of the file (including the .msp suffix)
    image

  7. You can now proceed to install the rollup. Be sure to reboot your computer after the installation is completed.
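The same trick from an elevated PowerShell session, as an added example that is not part of the original post: the .msp inherits the elevated token exactly as it does from the elevated command prompt, and handing it to msiexec explicitly lets you add a verbose log and read the exit code. The file path is a placeholder; substitute the name of the rollup file you actually downloaded.

```powershell
# Added example (not from the original post): install an Exchange 2007 rollup
# .msp from an elevated PowerShell session, with a log and an exit-code check.
# Assumption: the rollup was saved as C:\Updates\Exchange2007-Rollup11-x64.msp
# (placeholder; use the real file name you downloaded).
$msp = 'C:\Updates\Exchange2007-Rollup11-x64.msp'
$log = [System.IO.Path]::ChangeExtension($msp, '.log')

function Test-IsElevated {
    # True only when the session runs with the full administrator token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    throw 'Not elevated: start PowerShell with "Run as administrator" first, or msiexec hits the RelNotes.htm privilege error.'
}
if (-not (Test-Path $msp)) { throw "Rollup not found: $msp" }

# msiexec applies a patch package with /update; /l*v writes a verbose log to read if it fails.
$p = Start-Process -FilePath msiexec.exe -ArgumentList "/update `"$msp`" /l*v `"$log`"" -Wait -PassThru

switch ($p.ExitCode) {
    0    { 'Installed. Reboot the server before calling it done.' }
    1641 { 'Installed; Windows Installer has already started a reboot (1641).' }
    3010 { 'Installed; a reboot is required to finish (3010). Reboot now.' }
    default { throw "msiexec exited with $($p.ExitCode); see $log" }
}
```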

SMBNation 2003 – A Look Back

image

SMB Nation will be holding its 2013 fall conference in Las Vegas on Oct 10-12, 2013.


Harry Brelsford and his staff have come a long way from the very first SMB Nation, which was held in Indianapolis, Indiana in September, 2003.

I thought it would be fun to view some photos from that first conference (click here for photo gallery).


Enjoy!

New HP Microserver Gen8 available!

Hurrah! HP has released their next generation of the HP Microserver, properly labeled as: HP ProLiant MicroServer Gen8.

First, a quick look back …

HP MediaSmart Server / Data Vault Server

Nearly five years ago, HP released their HP MediaSmart Server for running Microsoft’s Windows Home Server solution. Although it was designed as a “home” solution, many of us immediately saw this as a great backup solution for small businesses. 

Sure enough, a year later, HP repackaged the MediaSmart Server and sold it as the HP StorageWorks Data Vault Server. Nearly every one of my customers has a MediaSmart/Data Vault server strictly for doing workstation backups.

All at a cost of less than $500!

image     image

HP MicroServer

Two and a half years ago, I purchased my first HP ProLiant MicroServer. I have one in my lab that I use for demos. It is currently running Windows Server 2012 Hyper-V, 2012 Essentials and Windows 8. At every I.T. seminar or conference I have spoken at in the past two years, showing off the HP MicroServer gets everyone’s attention.

I have the HP MicroServer installed at customer sites being used as a backup server (WHS 2011), as a member server running Windows Foundation/SharePoint, and as a development system for LOB web applications.

And now, presenting …

HP ProLiant MicroServer Gen 8

Last month HP released the next generation of the MicroServer – HP ProLiant MicroServer Gen 8. And it’s a beauty!

The improvements over the prior MicroServer include: support for up to 16GB of memory, up to 12TB (terabytes) of non-hot-plug SATA drives, HP iLO4 integrated with the gigabit NIC switch, add-on RAID 5, and easier internal access when adding memory.

It comes in two models: Intel Celeron G1610T (2 cores, 2.3GHz, $449) or Intel Pentium G2020T (2 cores, 2.5GHz, $529). Both models come standard with 2GB of memory.

image

But don’t take my word for it. Read what my good friend and MVP partner,  Robert Pearman has to say about the new Gen8 MicroServer!

Let me know what you think of it!

Cleanup Log Files (Batch vs PowerShell)

Back in Nov 2006 I wrote a blog post on creating a batch command file that could be used to cleanup old IIS log files. Then, in Dec 2007, I wrote an updated blog post with another solution. I thought I would update those posts for 2013 using PowerShell.

OLD SCHOOL (Batch command file)

Both of the above solutions were written in the SBS 2003 era, but will work with SBS 2008/2011. Both versions will let you identify the number of days to keep (I suggest 30 days), and will scan sub-folders under the specified folder.

As a quick review, here’s how to implement my Dec 2007 solution:

  1. Download the zip file from my web site which contains three files: .vbs, .bat, and .log files.
    image
  2. Extract and copy those three files to your desired directory. I normally use c:\scripts.
  3. Edit the .bat file to point to the appropriate parent folder of the log files to be cleaned up, and the number of days of log files to retain.
    For Windows 2008 R2, my .bat file looks like this:
    image
  4. NOTE: If running this for the first time, you may wish to test drive the script, without actually deleting any files. To do this, edit the deloldfiles.vbs file and comment out the ‘file.delete’ line in the script by adding a single quote (‘) to the start of the line. If all works, go back and remove the single quote.
  5. After testing the script manually, all that is left is  to schedule the script to run on a weekly or monthly basis, as desired.

NEW SCHOOL (PowerShell)

While batch files are still supported in the Windows 2008 R2/Windows 2012 era, we need to start getting comfortable with using PowerShell scripts. I found a handy PowerShell script that does this from the Microsoft forum.

This script uses the Start-Transcript / Stop-Transcript cmdlets to create a history log of the files deleted.

  1. Download the PowerShell script file (deloldfiles.ps1) from my web site.
  2. Edit the script, as necessary, to point to the appropriate parent folder and the number of days to retain, and save.
  3. NOTE: the script includes a “–whatif” option that allows us to run the script without actually deleting anything. If the script appears to work as expected, then simply remove the –whatif option from the script. Be sure to leave the trailing brace } in the script.
    image
  4. To run, right click on the .ps1 file and click ‘Run with PowerShell’
  5. After testing the script manually, don’t forget to schedule it to run on a weekly or monthly basis.

Finally, from the FWIW department: you should know that from a security point of view, deleting IIS log files or other similar system log files is not generally recommended. Those logs are often the only record of what hit the server when you are investigating an incident weeks later, so a better habit is to move old logs to an archive location (or compress them) with a retention period that matches your needs, and only delete what has aged out of that.
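A PowerShell version written for this page as an added example (it is not the deloldfiles.ps1 from the post). It keeps the two habits the post asks for, a dry run via -WhatIf and a transcript of everything touched, and adds the option of moving aged logs into a dated archive folder instead of deleting them. The IIS log path C:\inetpub\logs\LogFiles, the script folder C:\scripts and the archive folder D:\LogArchive are assumptions; the function avoids the PowerShell 3.0-only -File switch so it runs on the PowerShell 2.0 that ships with Windows Server 2008 R2 / SBS 2011.

```powershell
# Added example (not the post's deloldfiles.ps1): prune log files older than
# N days under a folder tree, with -WhatIf support, a transcript, and an
# optional archive step instead of deletion. PowerShell 2.0 compatible.
# Assumed paths: C:\inetpub\logs\LogFiles, C:\scripts\logs, D:\LogArchive\IIS.
function Remove-OldLogFiles {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [int]$DaysToKeep = 30,
        [string]$Include = '*.log',
        [string]$ArchiveTo          # if set, move into <ArchiveTo>\yyyy-MM instead of deleting
    )
    $cutoff = (Get-Date).AddDays(-$DaysToKeep)
    # -Include only filters when combined with -Recurse; PSIsContainer skips folders (no -File in PS 2.0).
    $old = @(Get-ChildItem -Path $Path -Recurse -Include $Include |
             Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt $cutoff })

    foreach ($f in $old) {
        if ($ArchiveTo) {
            $dest = Join-Path $ArchiveTo ($f.LastWriteTime.ToString('yyyy-MM'))
            # ShouldProcess is what makes -WhatIf print "What if: ..." instead of acting.
            if ($PSCmdlet.ShouldProcess($f.FullName, "Move to $dest")) {
                if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }
                Move-Item -Path $f.FullName -Destination $dest
            }
        } elseif ($PSCmdlet.ShouldProcess($f.FullName, 'Delete')) {
            Remove-Item -Path $f.FullName
        }
    }
    return $old.Count   # number of files older than the cutoff (also during -WhatIf)
}

# Transcript of every run, one file per day, so there is a record of what was removed.
$logDir = 'C:\scripts\logs'
if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }
Start-Transcript -Path ('{0}\cleanup-{1:yyyyMMdd}.txt' -f $logDir, (Get-Date)) -Append
try {
    # Dry run first: lists every candidate, touches nothing.
    $n = Remove-OldLogFiles -Path 'C:\inetpub\logs\LogFiles' -DaysToKeep 30 -WhatIf
    "$n file(s) older than 30 days"
    # Real run, archiving rather than deleting (drop -ArchiveTo to delete outright):
    # Remove-OldLogFiles -Path 'C:\inetpub\logs\LogFiles' -DaysToKeep 30 -ArchiveTo 'D:\LogArchive\IIS'
} finally {
    Stop-Transcript
}
```

To schedule it, point a Task Scheduler action at powershell.exe with the arguments -ExecutionPolicy RemoteSigned -File C:\scripts\cleanup.ps1 (assumed script name), running under an account that has write access to the log folders and, if you archive, to the archive share. Keep the archive on a volume ordinary users cannot write to, otherwise the moved logs lose the evidential value that was the point of keeping them.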

Not Enough Disk Space SBS 2008 Backup

My normal experience is that the built in backup for SBS 2008 generally just works … that is, until now. I returned from vacation to find backup errors on an SBS 2008 customer’s server. The error message was: “Failed – There is not enough space on the disk”

image

So, I hunted around for a solution to get things running, and here’s what I found that worked for me. What we will be doing is to manually delete the oldest shadow copies (the VSS snapshots on the backup disk that hold the older backup versions) from the USB drive, thus making room for newer backups. Here’s the process we will follow:

  1. Temporarily assign a drive letter to your USB drive being used for backup
  2. Use the DiskShadow utility to delete the oldest shadow copies to free up enough disk space
  3. Remove the temporary drive letter assignment
  4. Rerun the backup

So, let’s get started:

  1. Open up Disk Management (Start –> Run –> DiskMgmt.msc)
  2. Right click on the USB Drive being used for backups, then click Change Drive Letter and Paths

    Remember: by default, the USB drive being used for SBS Backups is generally hidden.
    We can, however, assign a drive letter temporarily to make room on the drive.
  3. I mounted my USB drive to X:
    image

    Keep the disk Management window open, as you will be needing it.

  4. Next, open up a command prompt with administrator rights
    1. Type: diskshadow and press Enter
    2. Type: delete shadows OLDEST x: and press Enter
    3. Repeat the delete shadows command several times until you have freed up enough disk space
    4. Then close the command prompt window
      image
  5. Return to the Disk Management window, click Change Drive Letter and Paths… and remove the drive letter assignment.
    Note: removing the drive letter may take a few minutes, so do not panic!
  6. Next, rerun your scheduled backup, and hopefully your backup will successfully complete!
    image

Finally, you will find some helpful information in this blog post from the Microsoft Storage Team on backups and space management for Windows Server 2008/2008R2.
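The DiskShadow step driven from PowerShell, as an added example that is not part of the original post. DiskShadow has no command-line verbs of its own, so the script feeds it a script file with /s; before deleting anything it lists the backup versions on the disk with wbadmin so you can see which ones are about to go, then removes the oldest shadow copy one at a time until the free space you want is available, with a hard cap on how many it will delete per run. It assumes the backup disk has already been given the temporary letter X: (steps 1 to 3 above), that the prompt is elevated, and that 25 GB free and a cap of five deletions are the numbers you want; change those to suit.

```powershell
# Added example (not from the original post): free space on the backup disk by
# deleting the oldest shadow copies until a threshold is reached.
# Assumptions: the backup disk is temporarily mounted as X:, the session is
# elevated, and 25 GB free / at most 5 deletions per run are the limits wanted.
$Volume     = 'X:'
$WantFreeGB = 25
$MaxDeletes = 5     # safety stop: never remove more than this many backup versions per run

function Get-FreeGB([string]$drive) {
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
    if (-not $disk) { throw "Volume $drive not found; assign the drive letter first (steps 1-3)." }
    return [math]::Round($disk.FreeSpace / 1GB, 1)
}

function Invoke-DiskShadow([string[]]$commands) {
    # DiskShadow only takes commands interactively or from a script file (/s).
    $script = Join-Path $env:TEMP 'diskshadow-cleanup.dsh'
    Set-Content -Path $script -Value $commands -Encoding ASCII
    & diskshadow.exe /s $script
    Remove-Item $script -Force
}

# Show which backup versions live on this disk before touching any of them.
& wbadmin get versions "-backupTarget:$Volume"

$deleted = 0
while ((Get-FreeGB $Volume) -lt $WantFreeGB -and $deleted -lt $MaxDeletes) {
    'Free on {0}: {1} GB, deleting the oldest shadow copy...' -f $Volume, (Get-FreeGB $Volume)
    Invoke-DiskShadow @("delete shadows oldest $Volume")
    $deleted++
}

if ((Get-FreeGB $Volume) -lt $WantFreeGB) {
    Write-Warning ('Still only {0} GB free after {1} deletions; raise the cap only once you are sure which backups you are giving up.' -f (Get-FreeGB $Volume), $deleted)
}
'Done: {0} shadow copies deleted, {1} GB now free on {2}' -f $deleted, (Get-FreeGB $Volume), $Volume
```

Each "delete shadows oldest" removes one backup version for good, which is why the script prints the version list first and stops at the cap rather than looping until the disk is empty. Remove the drive letter again afterwards (step 5) before rerunning the backup.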

Adjusting Exchange 2010 Memory Usage

The folks at ThirdTier have a great article on the how’s and why’s of adjusting Exchange 2010’s memory usage. I suggest you read their blog post first. My intent here is to highlight and clarify the process, as there are some steps that were not clearly obvious to me.

As always, before starting – make sure you have a recent backup of your server. And be aware that you will need to restart Exchange at the end of this process!

  • Log into your Exchange 2010 server (I’m running SBS 2011 Standard and Exchange 2010)
  • Click on Start, type adsiedit.msc and press enter.
    image
  • In most cases, ADSIEdit will start with the Configuration node already selected. If not, KB 266768 explains what you need to do.
    image
  • Now, drill down the Configuration container as follows: Services –> Microsoft Exchange –> Your organization –> Administrative Groups –> Your administrative group –> Servers –> Server name –> InformationStore
    image
  • Right click on the Information Store, then click Properties
  • Scroll Down and locate the two attributes: msExchESEParamCacheSizeMax and msExchESEParamCacheSizeMin
    image
  • You will want to double click on each of these two parameters, and enter your desired value.
    image   image
  • What value should you use? Thirdtier suggests using 10GB/5GB for your max/min values. Adjust accordingly.

Please note: the ThirdTier article incorrectly states a value of 326780 for 10GB. The correct value is 327680.
image

  • Click OK when finished.
  • Restart your Exchange services for the changes to be implemented.
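The same change made through ADSI from the Exchange Management Shell, as an added example that is not from the post or the ThirdTier article. It does the GB-to-pages arithmetic for you (the two attributes count 32 KB database pages, which is where 327680 for 10 GB comes from), shows the current values before writing, re-reads them from Active Directory afterwards, and restarts the Information Store, which is the service that actually reads these values at start-up. It assumes it runs on the SBS 2011 server itself (Get-ExchangeServer is used to find the server's distinguished name) and that 10 GB / 5 GB are the targets.

```powershell
# Added example (not from the post or the ThirdTier article): set the ESE
# cache max/min on the InformationStore object via ADSI.
# Assumptions: run in the Exchange Management Shell on the Exchange 2010 /
# SBS 2011 server; 10 GB max and 5 GB min are the desired values.
function ConvertTo-EsePages([double]$GB) {
    # Exchange 2010 databases use 32 KB pages; the attributes are page counts, not bytes.
    # 10 GB = 10 * 1024 * 1024 KB / 32 KB = 327680 pages (not 326780).
    return [int](($GB * 1024 * 1024) / 32)
}

$MaxGB = 10
$MinGB = 5
$maxPages = ConvertTo-EsePages $MaxGB
$minPages = ConvertTo-EsePages $MinGB
if ($minPages -gt $maxPages) { throw 'Min cache size must not exceed Max.' }

# Locate this server's InformationStore object under the Configuration partition.
$server = Get-ExchangeServer -Identity $env:COMPUTERNAME
$isDn   = 'CN=InformationStore,{0}' -f $server.DistinguishedName
$store  = [ADSI]"LDAP://$isDn"

'Before: Max={0} Min={1}' -f $store.msExchESEParamCacheSizeMax.Value, $store.msExchESEParamCacheSizeMin.Value

$store.Put('msExchESEParamCacheSizeMax', $maxPages)
$store.Put('msExchESEParamCacheSizeMin', $minPages)
$store.SetInfo()

# Re-read from AD rather than trusting the local object, to confirm what was written.
$store.RefreshCache()
'After:  Max={0} Min={1} (pages of 32 KB)' -f $store.msExchESEParamCacheSizeMax.Value, $store.msExchESEParamCacheSizeMin.Value

# The store only reads these at start-up; restarting it dismounts every mailbox
# database for the duration, so do this in a maintenance window.
Restart-Service MSExchangeIS
```

If the Exchange shell is not available, the same attributes can be set with Set-ADObject against the DN shown above; the page-count arithmetic is identical. Leave enough memory outside the cache for the rest of the SBS roles, which is the whole reason for capping it on a single-server box.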