Preventing Petya ransomware with Group Policy

Leave a reply

This post and this twitter thread describe a mechanism to prevent the latest ransomware cyber attack from running. It involves creating 1 (or 3) files with a specific name(s) and with the Read-only attribute set. Although the instructions on the first post describe copying and renaming notepad.exe, any file, even an empty file, with the correct names and the Read-only attribute will suffice, if I read the twitter thread correctly.

There are numerous ways to accomplish this in a large organization, including an SCCM package that either deploys some files, or that runs a script to create the files. However, I decided to use Group Policy File Preferences to copy a small text file to the three filenames described, including setting the Read-only attribute.

Using Group Policy File Preferences to create the files that will block the Petya (NotPetya) Ransomware.

This should be executed on the affected computers at their next GP refresh, which might be sooner than a reboot for a start-up script.

Remote Desktop Gateway Service – register NPS

Leave a reply

I struggled with getting a new Server 2016 Remote Desktop Gateway Service running. I followed the official documentation from Microsoft, configuring two servers as a farm, and creating a single CAP and RAP identically on each server. But every time I tried to connect, I received an error message from the client that my account:

Remote Desktop can't connect to the remote computer "xxxxxxxx" for one of these reasons:

I love those error messages that say “Contact your network administrator for assistance.”

I found a corresponding entry in the Microsoft-Windows-TerminalServices-Gateway/Operational log with the following text:

The user “CAMPUS\[username]”, on client computer “132.198.xxx.yyy”, did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: “NTLM” and connection protocol used: “HTTP”. The following error occurred: “23003”.

I double-checked the groups I had added to the CAP and verified the account I was using should be authorized. I even removed everything and inserted “Domain Users”, which still failed.

I found different entries that also corresponded to each failure in the System log from the Network Policy Service (NPS) with Event ID 4402 claiming:

“There is no domain controller available for domain CAMPUS.”

I know the server has a valid connection to a domain controller (it logged me into the admin console). But I double-checked using NLTEST /SC_QUERY:CAMPUS. Yup; all good.

A few more Bingoogle searches and I found a forum post about this NPS failure. The marked solution just points to a description of the Event ID, but one of the comments contains the solution: the Network Policy Service on the gateway systems needs to be registered. This instruction is not part of the official documentation, though upon re-reading that doc, I now see that someone has mentioned this step in the comments.

In this case, registration simply means adding the computer objects to the RAS and IAS Servers AD group (requires Domain Admin privs). Once I made this change, I was able to successfully connect to a server using the new remote desktop gateway service.

Many thanks to TechNet forum user Herman Bonnie for posting the very helpful comment.

 

Moving OneNote notebooks to SharePoint

Leave a reply

You may have noticed that Microsoft OneNote displays a little warning for notebooks stored in your Documents folder.

OneNote notebook warning “may not sync correctly.”

This is because Windows computers that are part of UVM’s Active Directory domain use a feature called Offline Files to make your Documents folder available to you when you’re not on the campus network. (see my Offline Files post for more info.)

The warning shows up because OneNote has its own file sync process, and having another file sync process layer under that can mess up its syncing, theoretically. In my many years of using OneNote, I’ve only seen one (maybe two) situations where this may have created problems. That said, ignoring warnings is generally a bad idea; it makes it easier to miss an issue that really does need attention.

But there is another way: SharePoint. Continue reading

Windows 10 Wi-Fi – No Internet

1 Reply

SOS!! 22 hours with no wifi!!!!

In the past 48 hours, two different family members in different households have reported problems with their Windows 10 laptops’ Wi-Fi connections. Some basic troubleshooting — restarting the modem/router, verifying other devices could connect — demonstrated that the issue was with the laptops.

The laptop was connected to the Wi-Fi access point, with full signal strength, but there was no connectivity beyond that connection.

In the first troubleshooting effort, we did the standard things:

  1. Reboot. Of course.
  2. Disable/Enable the Wi-Fi adapter
  3. Checking adapter settings
  4. Running the Network Troubleshooter (didn’t fix things)

The Network Troubleshooter didn’t resolve anything, but it did mention something useful. It reported that the “Wi-Fi” adapter had an invalid configuration.

At this point, I turned to Google, and found a couple of sites suggesting using netsh to reset the IP configuration. We ran the following commands from an elevated command prompt (run as administrator, or it won’t work):

  1. netsh interface IPv4 reset
  2. ipconfig /flushdns

Then we rebooted, and the system came up and connected to Wi-Fi and the Internet was available again.

Subsequently, I found this Microsoft support article entitled Fix network connection issues in Windows 10, which covers may of the steps we tried as well as the steps that resolved our issues.

In Windows 10, if you run Netsh interactively, you see a notification that Netsh is deprecated, and to transition to the admittedly awesome PowerShell modules for managing TCP/IP. However, giving the specific behavior of the netsh interface ipv4 reset command (overwrites registry information; see the More Information section of https://support.microsoft.com/en-us/kb/299357), I’m not sure what PowerShell command would accomplish the same end. Something to look into.

Outlook MessageHeaderAnalyzer and Unsubscribe

Leave a reply

Microsoft and other providers have published add-ins that provide additional functionality within Outlook and Outlook for web. We have enabled two add-ins which you may find useful, the Message Header Analyzer and the Unsubscribe Add-on.

To make them available in your Outlook (Win/Mac/Web), you need to log into mail.uvm.edu and go the Manage add-ons option on the Options (gear) menu:

Image of the options menu in OUtlook for web, with the "manage add-ins" item highlighted.

Click the check-box in the Turned on column to make one or both add-ins available in Outlook:

Once this step is complete, the add-ins you have turned on should appear in the message window in your Outlook mail clients for Windows, Mac, and the web. It may take a little while (or maybe a restart of Outlook) before they appear in the Windows and Mac versions.

Outlook add-ins as they appear in Outlook for the Web.

Outlook add-ins as they appear in Outlook for Windows.

The Message Header Analyzer provides a convenient way to view detailed information (metadata) about an email message, including the message routing information.

The Message Header Analyzer in Outlook for Windows.

The Unsubscribe add-in appears when viewing bulk marketing messages, and depending on the content of the message, may unsubscribe your address from the a marketing list or may suggest simply blocking mail from that sender.

The Unsubscribe add-in within Outlook for Windows, suggesting that we block mail from this sender.

We hope that you will find these add-ins useful. Please let us know what you think.

Scheduled tasks, PowerShell’s -file parameter, and array values

Leave a reply

I wrote a script that accepts a comma-separated list of values, and the script worked just fine from the command-line. However, when I tried to configure a scheduled task to run the script, it always failed.

Why? Well, I started a cmd.exe session and then launched the script in the same way that the scheduled task did, using PowerShell’s -file parameter. And when I did that, the error message that I emit from the script showed me that the list was being parsed as a single string argument.

To confirm and experiment, I wrote a short little test script:

<# Cast-WizardSpell.ps1 
.SYNOPSIS 
Simple script to test parameter parsing when using -file invocation e.g.: 
powershell.exe -file .\Cast-WizardSpell -Spell 'Light','Magic Missile' 
#>
[cmdletbinding()]
param(
    [Parameter(Mandatory=$True,ValueFromPipeline=$True)]
    [string[]]
    $Spells
)
process {

    foreach ($spell in $spells ) {
        "Casting $spell"
    }
}

When run from within a PowerShell session, it works as expected:


PS C:\> .\Cast-WizardSpell.ps1 -SpellList 'Ray of Frost','Light','Detect Magic'
Casting Ray of Frost
Casting Light
Casting Detect Magic

When invoked using the PowerShell -file parameter, the comma-separated list is parsed as a single parameter (note: cmd.exe doesn’t like single quotes):


C:\>powershell -file .\Cast-WizardSpell.ps1 -SpellList "Ray of Frost","Light","Detect Magic"
Casting Ray of Frost,Light,Detect Magic

# Trying explicit array syntax, but no luck

C:\>powershell -file .\Cast-WizardSpell.ps1 -SpellList @("Ray of Frost","Light","Detect Magic")
Casting @(Ray of Frost,Light,Detect Magic)

What does work is to use the old-style -command syntax:


C:\>powershell -command "& .\Cast-WizardSpell.ps1 -SpellList 'Ray of Frost','Light','Detect Magic'"
Casting Ray of Frost
Casting Light
Casting Detect Magic

Alternatively, one can adjust the parameter syntax, adding the ValueFromRemainingArguments attribute. However, for this to work, you can’t specifiy the parameter name.


C:\>powershell -file .\Cast-WizardSpell.ps1  "Ray of Frost" "Light" "Detect Magic"
Casting Ray of Frost
Casting Light
Casting Detect Magic

C:\local\scripts>powershell -file .\Cast-WizardSpell.ps1 -SpellList "Ray of Frost" "Light" "Detect Magic"
C:\local\scripts\Cast-WizardSpell.ps1 : A positional parameter cannot be found that accepts argument 'Light'.
+ CategoryInfo          : InvalidArgument: (:) [Cast-WizardSpell.ps1], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Cast-WizardSpell.ps1

I’m not thrilled with either of these options, because some person like me may come along and, in an effort to be helpful, may twiddle the command line, thinking we’re normalizing or updating the syntax, when we’re really breaking things. However, I think using the -Command invocation is the least surprising, most consistent implementation. I’ll just make notes in the script help and in the description of the scheduled task about the reason I’ve used that method.

 

 

 

One-liner: duplicate a folder collection, without files

New fiscal year; new set of empty folders, but with the same structure and permissions as the previous year? Robocopy to the rescue:

robocopy "FY 2015" "FY 2016" /e /xf * /COPY:DATSO /log:c:\temp\new-year-folders.log /tee

/e = copy all subdirectories, even empty ones.
/xf * = Exclude filenames matching *, i.e., all of them
/COPY:DATSO = what to copy: Data, Attributes, Timestamp, Security, and Owner.

I like to log things, so I include that, too. If you’re really cautious, you could do a dry run with the /L switch, which makes robocopy just log what it would do, but not actually perform any actions. Kind of like the PowerShell -whatif switch.

Robocopy file classes

Leave a reply

This information comes from the Robocopy.exe documentation PDF file for Windows XP version, but it’s the best description I’ve been able to find. From page 15 of that document:

Using Robocopy File Classes

For each directory processed, Robocopy constructs a list of files in both the source
and destination directories. This list matches the files specified on the command line
for copying.

Robocopy then cross-references the lists, determining where files exist and comparing
file times and sizes. The program places each selected file in one of the following
classes.

File Class In source In destination Source/Dest file times Source/dest file sizes Source/dest attributes
Lonely Yes No n/a n/a n/a
Tweaked Yes Yes Equal Equal Different
Same Yes Yes Equal Equal Equal
Changed Yes Yes Equal Different n/a
Newer Yes Yes Source > Destination n/a n/a
Older Yes Yes Source < Destination n/a n/a
Extra No Yes n/a n/a n/a
Mismatched Yes (file) Yes (directory) n/a n/a n/a

By default, Changed, Newer, and Older files are candidates for copying (subject to
further filtering, as described later). Same files are not copied. Extra and Mismatched
files and directories are only reported in the output log.

Normally, Tweaked files are neither identified nor copied – they are usually identified
as Same files by default. Only when /IT is used will the distinction between Same and
Tweaked files be made, and only then will Tweaked files be copied.