hochwald.net About DevOps, PowerShell and more
Exchange Server

Paul Cunningham wrote a very interesting article about that topic!
His key point: No, possibly not.

And I agree 100 percent!

What makes that so interesting: I had the same discussion with a customer last week!
They plan to move to the cloud (Office 365) soon. However, the customer's business needs the mail service available. Now!

Here is my approach for the customer:

  • Install a second Exchange 2013 server (virtual)
  • Establish an HAProxy-based load balancer
  • Configure a Database Availability Group (DAG)
  • Configure a witness server (the existing HA solution was used); this could be a cheap Azure service as well
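The DAG and witness steps of that approach, as they would be typed into the Exchange 2013 Management Shell. This is an added example and not part of the original post or the customer project; the server names (EX01/EX02), the witness host, the DAG IP address and the database name are hypothetical, and the HAProxy layer in front of the client access services is not shown.

```powershell
# Added example (not from the post): build a two-node Exchange 2013 DAG with a
# file share witness and seed a passive copy of an existing database.
# All names and addresses below are hypothetical.
function New-TwoNodeDag {
    param(
        [string]$DagName            = 'DAG01',
        [string[]]$MailboxServers   = @('EX01', 'EX02'),
        [string]$WitnessServer      = 'WITNESS01',     # existing HA box, or an Azure VM
        [string]$WitnessDirectory   = 'C:\DAG01-FSW',
        [string]$DagIp              = '192.168.10.50',
        [string]$DatabaseName       = 'DB01'           # currently mounted on EX01
    )

    # 1. Create the DAG together with its file share witness (FSW). In a
    #    two-node cluster the witness provides the tie-breaking vote; without
    #    it, losing either node takes the whole DAG down.
    New-DatabaseAvailabilityGroup -Name $DagName -WitnessServer $WitnessServer `
        -WitnessDirectory $WitnessDirectory -DatabaseAvailabilityGroupIpAddresses $DagIp

    # 2. Join both mailbox servers. Exchange installs the Failover Clustering
    #    feature on each member if it is not present yet.
    foreach ($srv in $MailboxServers) {
        Add-DatabaseAvailabilityGroupServer -Identity $DagName -MailboxServer $srv
    }

    # 3. Add a passive copy of the existing database on the second server.
    Add-MailboxDatabaseCopy -Identity $DatabaseName -MailboxServer $MailboxServers[1] `
        -ActivationPreference 2

    # 4. Wait for the copy to become Healthy, then run the replication health checks.
    $deadline = (Get-Date).AddMinutes(30)
    do {
        Start-Sleep -Seconds 30
        $copy = Get-MailboxDatabaseCopyStatus -Identity "$DatabaseName\$($MailboxServers[1])"
    } until ($copy.Status -eq 'Healthy' -or (Get-Date) -gt $deadline)

    if ($copy.Status -ne 'Healthy') {
        throw "Copy of $DatabaseName on $($MailboxServers[1]) is $($copy.Status), not Healthy"
    }
    # Anything that is not 'Passed' here needs attention before you rely on the DAG.
    Test-ReplicationHealth -Identity $MailboxServers[1] | Where-Object Result -ne 'Passed'
}

New-TwoNodeDag
```

Run it once from an elevated Exchange Management Shell on one of the two mailbox servers. The function returns only the failed replication checks, so an empty result means the DAG is ready for a switchover test (Move-ActiveMailboxDatabase) before you put it into production.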


I will remove the multi-language capabilities and change the AMP version within the next few days.
Back in April I decided to install a Piwik-based statistics tool, and based on what I found, the German version makes no sense.

I know that I missed a lot of visits because the statistics tool is configured to (strictly) respect the 'Do Not Track' setting of visitors. Compared to my old statistics, something between 30 and 40 percent is missing. However, if I compare the regular (English) and the German version, there seems to be almost no traffic left on the German part.

I also found some issues with the AMP version (which also has very low traffic, by the way). I will try to fix this by applying a few new/different settings.

I have to figure out how to merge all the data (the German posts) without messing up everything. Even so, I think this should be done by the end of the week.

A couple of days ago, I published a free tool that scans your Active Directory for all Windows-based systems and reports whether the EternalBlue (WannaCry) related hotfixes are installed.

Today, I published a new and extended version of the tool: the scan is much more accurate, and it also reports the EternalBlue (WannaCry) related SMBv1 information.
The tool now generates a CSV report instead of the simple text-based output of the old version. That makes it easy to use Excel (or any other tool that can do the job) to filter and reuse the reporting data.

The tool is available for free (freeware and public domain) on GitHub.
The source is still not published and never will be: parts of the Enabling Technology Framework are included, and that is not open source.
But the basic idea is based on the Gist files I published here and on GitHub.

Here is a quick overview of the changes:

  • Changed the output from plain ASCII text to CSV
  • Use some CIM calls to gather the needed information
  • Export to Excel, to support native Excel files instead of CSV (had some issues with that)
  • Gather more information (e.g. the SMBv1-related details)
  • Get all related hotfixes
  • UI improved
  • Elevation (admin) check
  • The scan now shows a bit more information while it runs
  • Installer is now 64-bit
  • Name of the installer has changed
  • Default location has changed (for the installer)
  • Now all Windows-based systems are reported (even newer Windows 10 based systems)

You will find the executable and an installer on the GitHub page for the tool. The old version of both is still available on the GitHub page.
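What such a scan looks like in plain PowerShell, as an added example that is not the hochwald.net tool and not the original Gist: it enumerates enabled Windows computers from Active Directory, connects to each one over CIM, collects the MS17-010 hotfix IDs that are installed, the SMBv1 server setting and the srv.sys driver version, and writes a CSV. The KB list is my own from the MS17-010 bulletin (verify it against Microsoft's current bulletin); the ActiveDirectory RSAT module, local admin rights on the targets and WinRM (or DCOM as a fallback) are assumed.

```powershell
# Added example (not the hochwald.net tool): MS17-010 / SMBv1 sweep of an AD
# domain with a CSV report. Assumptions: RSAT ActiveDirectory module here,
# local admin on the targets, WinRM or DCOM reachable, run elevated.
#Requires -Modules ActiveDirectory

# Hotfix IDs shipped with MS17-010 (list assumed here; verify against the
# bulletin). Later cumulative updates supersede these, so "none found" alone
# does not prove a host is unpatched. That is why srv.sys is recorded as well:
# compare its version with the patched build for that OS.
$Ms17010Hotfixes = 'KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
                   'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429'

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function New-TargetCimSession {
    param([string]$ComputerName)
    try { New-CimSession -ComputerName $ComputerName -ErrorAction Stop }
    catch {
        # Older hosts without WinRM (2003, 2008 without WMF) still answer DCOM.
        $dcom = New-CimSessionOption -Protocol Dcom
        New-CimSession -ComputerName $ComputerName -SessionOption $dcom -ErrorAction Stop
    }
}

function Get-Smb1State {
    param([Microsoft.Management.Infrastructure.CimSession]$Session)
    # HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1:
    # 0 = disabled, 1 = enabled, value missing = enabled (the default).
    $r = Invoke-CimMethod -CimSession $Session -Namespace 'root\default' `
            -ClassName StdRegProv -MethodName GetDWORDValue -Arguments @{
                hDefKey     = [uint32]2147483650   # HKEY_LOCAL_MACHINE
                sSubKeyName = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
                sValueName  = 'SMB1' }
    if ($r.ReturnValue -ne 0) { return 'Enabled (value not set)' }
    if ($r.uValue -eq 0) { 'Disabled' } else { 'Enabled' }
}

function Get-SrvSysVersion {
    param([Microsoft.Management.Infrastructure.CimSession]$Session)
    $f = Get-CimInstance -CimSession $Session -ClassName CIM_DataFile `
            -Filter "Name='C:\\Windows\\System32\\drivers\\srv.sys'"
    if ($f) { $f.Version } else { 'n/a' }
}

function Get-Ms17010Report {
    param([string]$OutFile = '.\MS17-010-report.csv')
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell.' }

    $computers = Get-ADComputer -Filter 'Enabled -eq $true -and OperatingSystem -like "*Windows*"' `
                    -Properties OperatingSystem, OperatingSystemVersion

    $report = foreach ($c in $computers) {
        $row = [ordered]@{
            Computer = $c.Name; OS = $c.OperatingSystem; OSVersion = $c.OperatingSystemVersion
            Reachable = $false; HotfixesFound = ''; SMBv1 = ''; SrvSys = ''; Error = ''
        }
        try {
            $s = New-TargetCimSession -ComputerName $c.DNSHostName
            $row.Reachable = $true
            $qfe = Get-CimInstance -CimSession $s -ClassName Win32_QuickFixEngineering
            $row.HotfixesFound = ($qfe.HotFixID | Where-Object { $_ -in $Ms17010Hotfixes }) -join ';'
            $row.SMBv1  = Get-Smb1State -Session $s
            $row.SrvSys = Get-SrvSysVersion -Session $s
            Remove-CimSession $s
        } catch { $row.Error = $_.Exception.Message }
        Write-Host ("{0,-25} reachable={1} smb1={2} hotfixes={3}" -f
            $row.Computer, $row.Reachable, $row.SMBv1, $row.HotfixesFound)
        [pscustomobject]$row
    }
    $report | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    $report
}

Get-Ms17010Report
```

Two caveats a practitioner should keep in mind when reading the CSV: Win32_QuickFixEngineering only lists updates that went through the component store, so a host that took a later monthly rollup can show an empty HotfixesFound column while being patched, and the SMB1 registry value only describes the server side. Sorting the report by SrvSys per OS version is the quickest way to find the real stragglers.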

A few days ago, I published an article about a script that scans all systems within an Active Directory for missing WannaCry-related Microsoft patches (hotfixes).

I was impressed by the traffic and the feedback! To be honest: when I started the script, it was just a quick hack!

Based upon several requests, I decided to create a small tool that does the same job! The tool is based on the script and provides just a simple UI.

The major difference is the reporting! Instead of dumping everything to the Terminal, the tool creates a (simple) report.

Please check the GitHub repository, where you will find the following:

The script, the tool, and the installer are freeware and public domain!

WannaCrypt ransomware appeared on May 12, 2017, and spreads like a typical worm. It uses well-known, already patched vulnerabilities in the SMBv1 implementation of Windows-based systems.

The exploit that the WannaCrypt ransomware uses is known as "EternalBlue". It targets the SMBv1 vulnerabilities fixed by Microsoft's bulletin MS17-010 (CVE-2017-0144, alongside CVE-2017-0145 and the other CVEs in that bulletin) by sending specially crafted packets to the target system's SMBv1 server.

Some engineers/analysts reported that the initial wave arrived via social-engineering emails that tricked users into downloading the malware. Others found that many companies didn't block NetBIOS/SMB traffic on their firewalls and/or Internet routers.

What kind of systems are at risk? All older Windows-based systems! According to Microsoft, Windows 10 systems are NOT at risk. But the patches are available, and it's always a good idea to remove SMBv1 from all of your systems (whenever this is possible).

And we are not talking about a PC-only problem! There are many functional devices (think about what happened to the Deutsche Bahn during the weekend) that use Windows as their operating system. Many of these embedded systems and functional devices run older Windows versions, so these could be the systems at the biggest risk!

Some researchers warned that there are many (>140, and counting) variants of the WannaCrypt ransomware! So be aware of that and apply all necessary patches as soon as possible.
If you need to scan your Active Directory and/or the systems you can reach: there is a script for that.

A researcher found a kind of kill switch: the WannaCrypt ransomware tries to contact the following domains/host names:

www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

The infected system tries to access these via the API call InternetOpenUrlA() on port 80 (HTTP).

If these domains/hosts are reachable, the initial variant of the WannaCrypt ransomware seems to stop: it doesn't encrypt any local data, and it looks like it doesn't try to spread any further.
You should not block these domains/hosts. The malware also doesn't seem to be proxy aware, so a system that can only reach the Internet through a proxy never reaches the kill switch. Admins should therefore whitelist these hosts for direct access or add an internal DNS record for them. For a customer, we decided to redirect these domains to a local web server, and the admins monitor any access to that server. I'm not 100% sure that this works, but it could be an option to find infected systems.
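The sinkhole variant of that idea, as an added example that is not the customer's setup and not code from the post: two internal DNS zones that resolve the kill-switch names to a local web server, and a small parser for that server's IIS W3C log that lists which internal clients asked for them. The sinkhole address 10.0.0.50, a Windows DNS server with the DnsServer module, and IIS logging with the cs-host field enabled are assumptions; the log lines at the end are constructed sample data.

```powershell
# Added example (not from the post): DNS sinkhole for the WannaCrypt kill-switch
# names plus a log parser that reports which clients hit it.
# Assumptions: Windows DNS Server with the DnsServer module on this host, an IIS
# sinkhole at 10.0.0.50 (hypothetical) that logs the cs-host field.
$KillSwitchHosts = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
                   'www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
$SinkholeIp = '10.0.0.50'

function New-KillSwitchSinkhole {
    # One internal authoritative zone per name; "www" points at the sinkhole.
    # A short TTL keeps the switch back to the real names quick if needed.
    foreach ($h in $KillSwitchHosts) {
        $zone = $h -replace '^www\.', ''
        if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
            Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns"
        }
        Add-DnsServerResourceRecordA -ZoneName $zone -Name 'www' -IPv4Address $SinkholeIp `
            -TimeToLive (New-TimeSpan -Minutes 5)
    }
    Get-DnsServerZone | Where-Object ZoneName -in ($KillSwitchHosts -replace '^www\.', '')
}

function Get-KillSwitchHits {
    # Parses IIS W3C log lines; the column layout is taken from the #Fields
    # header, so any field order works as long as c-ip and cs-host are logged.
    param([string[]]$LogLines)
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if (-not $fields -or $line.StartsWith('#') -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        if ($KillSwitchHosts -contains $rec['cs-host']) {
            # Any internal client that asks for these names is a candidate infection:
            # nothing legitimate resolves them.
            [pscustomobject]@{ Time = "$($rec['date']) $($rec['time'])"
                               Client = $rec['c-ip']; Host = $rec['cs-host'] }
        }
    }
}

# Constructed sample log lines (not real data) in IIS W3C format.
$sample = @'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-host sc-status
2017-05-15 08:12:03 10.0.0.50 GET / - 80 - 10.20.3.17 - www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 200
2017-05-15 08:12:09 10.0.0.50 GET /index.html - 80 - 10.20.7.4 Mozilla/5.0 intranet.example.local 200
2017-05-15 08:13:41 10.0.0.50 GET / - 80 - 10.20.3.22 - www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com 200
'@ -split "`r?`n"

Get-KillSwitchHits -LogLines $sample | Format-Table -AutoSize
# Expected: two rows, clients 10.20.3.17 and 10.20.3.22; the intranet request is ignored.
```

Run New-KillSwitchSinkhole once on the internal DNS server, then feed the sinkhole's daily log into Get-KillSwitchHits (Get-Content on the log file instead of $sample). The sinkhole has to answer on port 80 for the kill switch to work, so a default IIS site is enough; do not let it return connection errors, or you lose the protective effect the page describes.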

What could you do to protect your networks and systems?

  1. Install all necessary patches and hotfixes!
  2. Update your anti-virus product (all major vendors have published updates to detect and remove Win32/WannaCrypt)
  3. Block NetBIOS/SMB (at minimum TCP port 445) on your Internet routers and/or firewalls

Optional: block all NetBIOS/SMB-related ports on your Internet routers and/or firewalls!
You should block the following ports:

  • UDP/137 (netbios-ns)
  • TCP/137 (netbios-ns / unusual)
  • UDP/138 (netbios-dgm)
  • TCP/139 (netbios-ssn)
  • TCP/445 (microsoft-ds)

There should be no impact on anything! Why would you use NetBIOS over the unsecured Internet?
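The host-side counterpart to that advice, as an added example that is not code from the post: disable SMBv1 on the server and client side and block the five ports above at the Windows firewall, but only for the Public profile, which is the "unsecured network" case the argument is about. Assumptions: Windows 8.1 / Server 2012 R2 or newer (the Smb* cmdlets do not exist on older systems; there the SMB1 value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters does the same for the server side), an elevated shell, and that you have checked with Get-SmbSession and Get-SmbConnection that nothing still depends on SMBv1.

```powershell
# Added example (not from the post): disable SMBv1 and block NetBIOS/SMB
# inbound on the Public firewall profile. Requires Windows 8.1 / 2012 R2+.
# Assumption: run elevated; SMBv1 dependencies were checked beforehand.
#Requires -RunAsAdministrator

# The port list from the post.
$NetbiosPorts = @(
    @{ Proto = 'UDP'; Port = 137; Name = 'netbios-ns'   },
    @{ Proto = 'TCP'; Port = 137; Name = 'netbios-ns'   },
    @{ Proto = 'UDP'; Port = 138; Name = 'netbios-dgm'  },
    @{ Proto = 'TCP'; Port = 139; Name = 'netbios-ssn'  },
    @{ Proto = 'TCP'; Port = 445; Name = 'microsoft-ds' }
)

function Disable-Smb1 {
    # Server side: stop serving SMBv1, which is what EternalBlue talks to.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Client side (Microsoft KB2696547): remove the SMB1 redirector from the
    # workstation service dependencies and disable its driver. Needs a reboot.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    # Return the effective server setting so the caller can verify it (expect False).
    (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Block-NetbiosInbound {
    # Public profile only: blocking 445 on the Domain profile breaks file shares,
    # SYSVOL/GPO processing and remote management. The perimeter firewall is the
    # right place for the Internet-facing block the post recommends.
    param([string[]]$Profile = @('Public'))
    foreach ($p in $NetbiosPorts) {
        $name = "Block inbound $($p.Name) $($p.Proto)/$($p.Port) (WannaCrypt)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
                -Protocol $p.Proto -LocalPort $p.Port -Profile $Profile -Enabled True | Out-Null
        }
    }
    # Return the port filters now in place so the result can be checked.
    Get-NetFirewallRule -DisplayName 'Block inbound * (WannaCrypt)' |
        Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
}

Disable-Smb1
Block-NetbiosInbound
Write-Host 'Reboot required for the SMB1 client-side changes to take effect.'
```

Roll this out through a scheduled task or a GPO startup script rather than by hand, and keep the scan from the tool post running afterwards: the CSV column for SMBv1 is how you prove the change actually landed on every host.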

If you have any infected systems, contact your local law enforcement agencies!

I highly recommend talking to your users. I know, this is unusual for many IT guys, but good communication is the key to prevention. And your users should be informed by you and not via the mainstream media (or even guys like me)!

In short: This is far from over! Be aware of that and keep an eye on your systems!

The Microsoft Windows Security Team published a great article with more detailed information and a solid and very detailed wrap up.

The WannaCrypt ransomware is also known as WannaCry, WanaCrypt0r, WCrypt, or WCRY. The AV vendors' name for it is Win32/WannaCrypt.