
Veeam Hardened Repository passes independent compliance assessment!


This is a must-have for everyone using a local storage server to hold the Veeam backups, even for the Community edition, GO FOR IT!!


Veeam Backup & Replication v11 introduces the Hardened Repository as a secure place where backups can be stored immutably for a configured amount of time. With the Hardened Repository, Veeam created a WORM (write once, read many) storage option for Veeam backups. And the best part, this new role can be deployed on ANY general-purpose Linux server, without locking you down to the special proprietary hardware.

Various regulations exist for WORM storage. To make sure the Hardened Repository meets the highest compliance standards, we engaged Cohasset Associates as an independent third party, who concluded that Hardened Repository meets the compliance requirements for the key U.S. financial industry regulations. When properly configured, the Hardened Repository meets the requirements for non-rewritable, non-erasable storage as specified by SEC 17a-4(f), FINRA 4511(c) and CFTC 1.31(c)-(d) regulations.

The compliance assessment report is available for download here. The assessment report was created for compliance officers and thus it might be hard to read for an IT professional. That’s why we created an additional whitepaper for Veeam administrators to make the requirements easier to understand. The chapter “Configuration for SEC Rule 17a-4(f), FINRA Rule 4511 and CFTC Rule 1.31 (c)-(d) compliance” covers the necessary Veeam configuration options. The whitepaper is available for download here.

In the report, you may note Cohasset determines that the Hardened Repository is only compliant with WORM regulations when used as standalone, but not a part of the Scale-out Backup Repository. This is because for the Capacity Tier Move policy to function, we cannot make GFS backup files immutable for longer than the Move policy window, while regulations require locking them for the entire duration of their retention policy. However, based on the input from Cohasset, we have implemented changes to ensure that hardened repositories, which are a part of Scale-out Backup Repositories, using the Copy policy remains compliant. This change is included in Veeam Backup & Replication v11 P20210319 and later builds.

This new functionality is a big step for Veeam customers working in regulated industries, such as financial services, broker dealers, healthcare, etc. They can now store backups on the Veeam Hardened Repository in compliance with mandatory regulations. But of course, even more importantly, every Veeam customer can now use the Hardened Repository to protect themselves against ransomware and other cyberthreats. And because of how important such protection is these days, we included this functionally in every Veeam Backup & Replication edition, including even the free Community Edition.

 

Get started here:

V11: Immutable Storage – Here’s What You Need to Know (veeam.com)

 

Source:

Veeam Hardened Repository passes independent compliance assessment

 


Exchange: Replacing certificate for Microsoft 365 hybrid connector’s


When certificates need to be renewed or changed on (on-premises) Exchange servers and you have a Microsoft 365 hybrid setup created through the Hybrid Configuration Wizard, the wizard has set up an Office 365 send connector and receive connector:

Receive:

Send:

If you try to delete the old certificate, without setting the new cert for the connectors, you will get this in ECP:

“A special Rpc error occurs on server EXCH01: These certificates are tagged with following Send Connectors : Outbound to Office 365. Removing and replacing certificates from Send Connector would break the mail flow. If you still want to proceed then replace or remove these certificates from Send Connector and then try this command.”

So we need to move into PowerShell (the Exchange Management Shell) and replace it there, because it cannot be done through the ECP:

  • Get the thumbprint for the new cert:
    Get-ExchangeCertificate

    So here it is, the top level cert, it's a wildcard cert, thus the "*." in the subject name, sorry for the maskings, this is from a non-lab environment 🙂
    Copy the thumbprint to notepad for the next command.
  • Read the certificate issuer and subject into a variable (the "<i>issuer<s>subject" format is what Exchange expects for TlsCertificateName, do not change anything in it):
    $cert = Get-ExchangeCertificate -Thumbprint <paste the thumbprint here from the previous command>
    $tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"
  • Then replace the certificate on the connectors:
    Send Connector:
    Set-SendConnector "Outbound to Office 365" -TlsCertificateName $tlscertificatename

    Receive Connector:

    Set-ReceiveConnector "EXCH01\Default Frontend EXCH01" -TlsCertificateName $tlscertificatename

    Note: replace "EXCH01" with the name of your Exchange server, like "MY-EXCH01\Default Frontend MY-EXCH01"

  • Run IISRESET
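The same procedure as one script, with the checks a practitioner would want before deleting the old certificate (that the new certificate is enabled for SMTP and not about to expire, and that both connectors really reference it afterwards). This is an added example, not code from the original post; it assumes the Exchange Management Shell on a server named EXCH01 and the connector names the Hybrid Configuration Wizard creates, so adjust $Server, $SendConnector, $ReceiveConnector and $NewThumbprint to your environment.

```powershell
# Added example, not code from the original post: replace the TLS certificate on the
# hybrid connectors in one go and verify the result before the old certificate is removed.
# Run in the Exchange Management Shell. Assumptions: the server is called EXCH01 and the
# connector names are the ones the Hybrid Configuration Wizard creates.

$Server           = 'EXCH01'
$SendConnector    = 'Outbound to Office 365'
$ReceiveConnector = "$Server\Default Frontend $Server"
$NewThumbprint    = 'PASTE-THE-NEW-THUMBPRINT-HERE'

# 1. Look the certificate up by thumbprint and check it is usable before touching anything.
$cert = Get-ExchangeCertificate -Server $Server -Thumbprint $NewThumbprint
if (-not $cert) { throw "No certificate with thumbprint $NewThumbprint on $Server" }
if ($cert.NotAfter -lt (Get-Date).AddDays(14)) {
    Write-Warning "Certificate expires $($cert.NotAfter); renew it instead of binding it"
}
if ("$($cert.Services)" -notmatch 'SMTP') {
    throw 'Certificate is not enabled for SMTP; run Enable-ExchangeCertificate -Services SMTP first'
}

# 2. Build the TlsCertificateName in the <I>issuer<S>subject form documented by Microsoft.
$tlsCertificateName = "<I>$($cert.Issuer)<S>$($cert.Subject)"

# 3. Record the current values so the change can be reverted if mail flow breaks.
$oldSend    = (Get-SendConnector    -Identity $SendConnector).TlsCertificateName
$oldReceive = (Get-ReceiveConnector -Identity $ReceiveConnector).TlsCertificateName
"Send connector was:    $oldSend"
"Receive connector was: $oldReceive"

# 4. Apply the new name to both connectors.
Set-SendConnector    -Identity $SendConnector    -TlsCertificateName $tlsCertificateName
Set-ReceiveConnector -Identity $ReceiveConnector -TlsCertificateName $tlsCertificateName

# 5. Verify: both connectors must now reference the new certificate (string comparison).
$connectors = @(
    Get-SendConnector    -Identity $SendConnector
    Get-ReceiveConnector -Identity $ReceiveConnector
)
foreach ($c in $connectors) {
    $state = if ("$($c.TlsCertificateName)" -eq $tlsCertificateName) { 'OK' } else { 'NOT UPDATED' }
    '{0,-45} {1}' -f $c.Identity, $state
}

# 6. Only when both show OK: remove the old certificate and restart IIS, for example
#    Remove-ExchangeCertificate -Server $Server -Thumbprint '<old thumbprint>' ; iisreset
```

Keep the "was" values from step 3: if Exchange Online stops accepting mail after the change, setting the connectors back to the old name restores mail flow while you investigate the certificate itself.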

Note that if you fail to replace your certificate before it expires (you forgot to), mail flow between on-premises Exchange and Exchange Online (365) will stop working and you will see this in the logs:

[Message=451 5.7.3 STARTTLS is required to send mail]

IMPORTANT:

After the certificate change you may also run into "You get a blank page after logging in EAC or OWA in Exchange 2013 or Exchange 2016".

Read more about the fix: Exchange: An error occurred while using SSL configuration for endpoint 0.0.0.0:444 – martinsblog.dk

Source:

Replace SSL Certificate in Send Connector in Exchange Server (azure365pro.com)

 

Exchange: An error occurred while using SSL configuration for endpoint 0.0.0.0:444


After changing the certificate on Exchange 2013 or 2016 (AND you have rebooted it, or it will happen eventually if you forget!), you may experience this when logging into ECP: you get the username and password prompt, you press login and, BAM:

You look in the event logs, and you see this:

EventID: 15021
An error occurred while using SSL configuration for endpoint 0.0.0.0:444. The error status code is contained within the returned data.

No need to be scared, this is not difficult to fix. What happens is that the IIS websites (the Default Web Site on 443 and the Exchange Back End site on 444) do not have the new certificate set, and the certificate dropdown under the binding in IIS is just empty:

Just click the dropdown menu, select the correct certificate you have imported, and run an IISRESET at the command prompt afterwards, or even better reboot the server if possible.

This issue occurs if the SSL binding on 0.0.0.0:444 has one or more of the following issues:

  • The binding is installed incorrectly
  • The binding doesn’t have a certificate assigned.
  • The binding contains incorrect information.

For example, this issue occurs if the certificate hash of the binding is different from that of other bindings for application ID 4dc3e181-e14b-4a21-b022-59fc669b0914.

You can also fix it via the command prompt:

Type netsh http show sslcert and compare the 0.0.0.0:444 binding with the 0.0.0.0:443 one:

Remove and replace the wrong certificate hash for 0.0.0.0:444 by running these:

netsh http delete sslcert ipport=0.0.0.0:444

netsh http add sslcert ipport=0.0.0.0:444 certhash=a1d2a8d3275634xxxxxxxxxxxxxxxxx appid="{4dc3e181-e14b-4a21-b022-59fc669b0914}"

Note: replace certhash with the full hash (thumbprint) of your cert, without spaces!

Reboot the server or do IISRESET command 🙂
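The netsh steps above, automated so the :444 binding is rebuilt from whatever certificate is on :443 and the hash is never typed by hand. This is an added example, not code from the original post or from Microsoft: it parses the netsh output, refuses to proceed if the :443 certificate is missing from the machine store or already expired, and only re-creates the :444 binding when its hash or application ID differs. It assumes Exchange 2013/2016 on the local server, an elevated PowerShell prompt, and that the :443 binding was already fixed in IIS Manager; the application ID is the IIS one quoted in the post.

```powershell
# Added example, not code from the original post: rebuild the 0.0.0.0:444 (Exchange Back End)
# HTTP.sys binding from the 0.0.0.0:443 (Default Web Site) one when it is missing or wrong.
# Run elevated on the Exchange server. Assumes the :443 binding is already correct.

$AppId = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'

function Get-HttpSslBinding {
    # Parse the "netsh http show sslcert" text into a hashtable keyed by IP:port.
    $bindings = @{}
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            $current = @{ IpPort = $Matches[1]; CertHash = $null; AppId = $null }
            $bindings[$Matches[1]] = $current
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]{40})') {
            $current.CertHash = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') {
            $current.AppId = $Matches[1]
        }
    }
    return $bindings
}

$bindings = Get-HttpSslBinding
$ref = $bindings['0.0.0.0:443']
$bad = $bindings['0.0.0.0:444']

if (-not $ref -or -not $ref.CertHash) {
    throw '0.0.0.0:443 has no certificate either; set it on the Default Web Site binding in IIS first.'
}

# The reference hash must point at a certificate that exists in LocalMachine\My and is still valid.
$refCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $ref.CertHash }
if (-not $refCert)                    { throw "Hash $($ref.CertHash) on :443 is not in LocalMachine\My" }
if ($refCert.NotAfter -lt (Get-Date)) { throw "Certificate $($refCert.Thumbprint) expired $($refCert.NotAfter)" }

if ($bad -and $bad.CertHash -eq $ref.CertHash -and $bad.AppId -eq $ref.AppId) {
    "0.0.0.0:444 already matches 0.0.0.0:443 ($($ref.CertHash)); nothing to do."
    return
}

if ($bad) {
    "Removing 0.0.0.0:444 binding (hash: $($bad.CertHash), appid: $($bad.AppId))"
    netsh http delete sslcert ipport=0.0.0.0:444 | Out-Null
}
"Binding 0.0.0.0:444 to $($ref.CertHash) with appid $AppId"
$netshArgs = 'http', 'add', 'sslcert', 'ipport=0.0.0.0:444', "certhash=$($ref.CertHash)", "appid=$AppId"
& netsh @netshArgs
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }

(Get-HttpSslBinding)['0.0.0.0:444']
'Now run iisreset (or reboot).'
```

The expiry check matters more than it looks: event 15021 also appears when the binding points at a hash that is still in the store but expired, which the IIS dropdown happily shows as a valid choice.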

Source:

You get a blank page after logging in EAC or OWA in Exchange 2013 or Exchange 2016 (microsoft.com)

Microsoft Exchange 2013 shows blank ECP & OWA after changes to SSL certificates | vcloudnine.de

 

Sophos Firewall v18.5 GA is now available and new XGS-hardware also!


Sophos has just released the new Sophos Firewall v18.5 (formerly known as Sophos XG Firewall), and this new version adds support for the new "XGS" hardware appliances (only XGS is supported at the moment; later on the XG appliances will also get v18.5):

The XGS hardware, from the Sophos community post (Introducing Sophos Firewall and the new XGS Series hardware – Release Notes & News – Sophos (XG) Firewall – Sophos Community):

Today, we’re launching the first of our new XGS Series next-gen firewall appliances with Sophos Firewall OS version 18.5.

For network admins, this completely re-engineered hardware platform finally takes a common dilemma off the table: how to scale up protection for today’s highly diverse, distributed, and encrypted networks without throttling network performance.

Coupled with a highly attractive price, the new XGS Series is guaranteed to reshuffle the pack in the network firewall space.

Here are just three key highlights of this new release.

Dual processor architecture – powered by Xstream

Every XGS Series appliance has two hearts beating at its core: a high-performance multi-core x86 CPU, and an Xstream Flow processor to intelligently accelerate applications by offloading security-verified and trusted traffic to the FastPath.

This architecture allows us to retain the same flexibility to extend and scale protection as purely x86-based firewalls while also providing a performance boost that’s unhampered by the limitations of some legacy platform designs.

For example, with the programmable Xstream Flow processors, we can extend the offload capabilities in future software releases, providing additional performance improvements without changing the hardware.

Protection and performance

As much as we like to talk about speeds and feeds in the firewall space, the additional performance headroom in the XGS Series is there for a purpose: protection.

With about 90% of network traffic encrypted (source: Google Transparency Report) and almost 50% of malware using TLS to avoid detection (source: SophosLabs), organizations are leaving huge blind spots in their network visibility by not activating TLS inspection.

Just going by our own telemetry, about 90% of organizations don’t have TLS inspection activated on their firewalls. Even if we take into account that some of those may have separate solutions doing TLS inspection, it’s likely to be the minority rather than the majority. And aside from the security risk that poses, it’s pretty hard to create a policy for traffic that shows as “general” or “unknown”.

Before you all scream, “but TLS inspection breaks the internet,” Sophos Firewall includes native support for TLS 1.3 and provides a user interface which clearly shows if traffic has caused issues and how many users were affected. With just a couple of clicks, you can exclude problematic sites and applications without reverting to a less-than-adequate level of protection.

We’ve got the edge

The XGS Series includes multiple form factors that beat the all-important price per protected Mbps of many competitive models.

XGS Series appliances are equipped with high-speed interfaces to meet the diverse connectivity requirements of businesses large and small. In addition to the built-in copper, fiber, and a range of other ports on every model, add-on modules provide the flexibility to tailor your device connectivity to your unique environment – both today and in the future.

The XGS Series integrates further with edge infrastructure devices such as APX access points and our SD-RED Remote Ethernet Devices. With cloud-managed Zero-Trust Network Access and access layer network switches coming later this year, we’re bringing your network security to every edge.

Sophos Firewall OS v18.5

The new appliances come with the latest v18.5 software release, which not only provides support for the new hardware but also includes all the 18.x maintenance releases – many new capabilities and security improvements – since the v18 release.

For further information about Sophos Firewall and the XGS Series or to request a quote visit Sophos.com/Firewall or Sophos.com/Compare-XGS.

For the latest SophosLabs research on TLS, check out this article.


So what's in the loop for 18.5?

All XGS Series next-generation firewalls have a dual-processor architecture, which combines a multi-core x86 CPU with a dedicated Xstream Flow Processor for hardware acceleration. The Xstream Flow Processor is a Network Processing Unit (NPU), which accelerates trusted traffic flows, freeing up resources on the host CPU for more resource-intensive tasks, such as TLS inspection and deep packet inspection.

What’s new in v18.5

Flexibility and performance enhancements

  • Version 18.0 delivered a data plane with a Virtual FastPath (VFP) to allow the offloading of trusted and previously security-verified traffic, using the same x86 CPU for the offloaded traffic. On the XGS Series, after inspecting the initial packets in a flow, the x86 CPU offloads trusted traffic to the Xstream FastPath, which runs on the Xstream Flow Processor and is specifically designed for FastPath operations.
  • The Xstream Flow Processor delivers and retrieves packets directly to and from the DPI engine’s main memory. These enhancements deliver a significant increase in the overall network performance with a 5x improvement in latency with the zero-copy operation and up to a 5x increase in SSL/TLS decryption performance versus the previous hardware models.
  • The Xstream architecture saves cycles of the x86 clock by lowering memory bandwidth usage and allowing both processors to update the cache.
  • Port density and diversity: XGS Series appliances offer an increased number of fixed ports and include some new port connectivity, such as Power over Ethernet (PoE), which is now built-in on some desktop models. They also offer a broad range of Flexi Port modules and add-on options to adapt and extend connectivity.

More information available here: v18.5 GA Release notes

 


The appliances can be compared here, I must say it’s promising, as I have seen it with my own eyes 🙂

XGS Next-Gen Firewall Appliances: Desktop, 1U and 2U Models (sophos.com)

 

Sophos Firewall: Checking FastPath Offloading


Sophos Firewall uses the FastPath to offload traffic that has already been inspected and found to be trusted onto a faster path; on the new XGS hardware models this traffic is pushed to the new Xstream Flow Processor:

“In the XG series we used a virtual FastPath that was processed by the CPU. The XGS series includes an Xstream Flow Processor that sits between the physical ports and the CPU, with a PCIe (PCI Express) interconnect between them. The Xstream Flow Processor handles the traffic that is offloaded to the FastPath reducing the load on the CPU for other tasks that cannot be offloaded. “


If you want to check if traffic is being offloaded to the FastPath on an XGS series device, you would start by checking if firewall acceleration is enabled on the console with the command:

console> system firewall-acceleration show

You can also use the system firewall-acceleration command to enable and disable the FastPath.


To check a specific connection, you can use conntrack on the advanced shell.


Note:

You can also review the counters that show how many packets are being offloaded to the FastPath. On the advanced shell use the command:

# usfp_table_print.sh worker_sys_cnt


Sophos UTM Up2Date 9.706 Released


Today Sophos released UTM 9.706. The release will be rolled out in phases.

  • In phase 1 you can download the update package from their download server.
  • In phase 2 they will make it available via their Up2Date servers in several stages.
  • In phase 3 they will make it available via their Up2Date servers to all remaining installations.

Up2Date Information

News

  • Maintenance Release
  • Strict TCP Session Handling enabled by default

    New installations of UTM 9.706 have strict TCP session handling enabled by default.
    When updating to 9.706 and strict TCP session handling is not enabled, admins can enable it under Network Protection > Firewall > Advanced.

  • Secure Up2Date

    Up2Date updates will be downloaded via HTTPS connections. In cases where UTM 9 is being used with an upstream proxy or behind a different firewall, it may be necessary to change the configuration on these devices to allow UTM 9 to retrieve Up2Date information via HTTPS.

  • Email Protection anti-spam engine changed to Sophos Anti-Spam Interface (SASI)

    Starting with this release, E-Mail Protection will use the Sophos Anti-Spam Interface (SASI) for anti-spam scanning. SASI is already being used as part of Sophos Email and will replace the currently used anti-spam engine in UTM 9.
    In case of false positive or false negative detections, please follow the instructions in this support article on how to submit a sample.

Remarks

  • System will be rebooted
  • Configuration will be upgraded
  • Connected REDs will perform firmware upgrade
  • Connected Wifi APs will perform firmware upgrade

Issues Resolved

  • NUTM-12050 [Access & Identity] IPv6 auto-firewall rules missing with IPsec S2S respond only
  • NUTM-12062 [Access & Identity] AD Group object not updated when user with an Umlaut in the username logs in
  • NUTM-12188 [Access & Identity] openl2tp service is dead and unable to start
  • NUTM-12198 [Basesystem, UI Framework] Webadmin host injection reported
  • NUTM-11753 [Basesystem] SG450 RAID status not alerting
  • NUTM-11988 [Basesystem] Interface goes down after re-assigning the hardware of an interface
  • NUTM-11989 [Basesystem] BGP issue causes long delay in UTM startup
  • NUTM-12064 [Basesystem] Perl – Vulnerabilities
  • NUTM-12112 [Basesystem] Libc Vulnerabilities
  • NUTM-12122 [Basesystem] net-snmp Vulnerability CVE-2019-20892
  • NUTM-12354 [Basesystem] Patch BIND (CVE-2020-8620 CVE-2020-8621 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624)
  • NUTM-12471 [Basesystem] OpenSSL: CVE-2020-1971 – DoS
  • NUTM-11941 [Email] unnecessary SMTP restarts due to a SSL VPN login
  • NUTM-12286 [Email] ECC Ciphers ECDH-ECDSA not supported by Exim SMTP
  • NUTM-12542 [Email] Arbitrary Config Object Deletion via User Portal
  • NUTM-11915 [Network] Ipsec routes will be removed if a wifi network will be added and the ipsec local networks overlap with an existing wifi network
  • NUTM-12045 [Network] INFO-122 Dhcpd not running
  • NUTM-12280 [RED] RED site-to-site tunnels reconnecting at random intervals (utm to utm)
  • NUTM-12253 [RED_Firmware] Split DNS doesn’t work with SD-RED
  • NUTM-12379 [RED_Firmware] RED doesn’t reboot after reconnect doesn’t work properly
  • NUTM-12098 [UI Framework] Remote crash of User Portal index.plx
  • NUTM-11950 [WAF] AH00051 child pid XXXX exit signal Segmentation fault (11), possible coredump in /tmp
  • NUTM-12148 [WAF] WAF not always sending SNI to backend
  • NUTM-12029 [Web] AWS https scanning connect timeout on some sites with chrome
  • NUTM-12204 [Web] High CPU with http proxy coredumps.
  • NUTM-12032 [Wireless] “&” sign in PSK cause issues after config change
  • NUTM-12127 [Wireless] wireless client list empty
  • NUTM-12254 [Wireless] Website not loading for wireless user due to large packets whose size is larger than the MTU of the link
  • NUTM-12362 [Wireless] AP55/55C/100X/320X : Communication issue for Clients which are connected to the same SSID but at different APs
  • NUTM-12383 All SSIDs disappears from AP and disconnects all connected clients

Source: UTM Up2Date 9.706 Released – Release Notes & News – UTM Firewall – Sophos Community

 

Sophos UTM: UTM Up2Date 9.705-7 Released (Security update)


Sophos has released an update that fixes the security flaw in Exim (used by Email Protection) for UTMs running 9.705. UTMs running 9.706 will have to wait for the same Exim fix, as it is yet to come 🙂

 

Changelog from Sophos:

Today we’ve released UTM 9.705-7. The release will be rolled out in phases.

  • In phase 1 you can download the update package from our download server.
  • In phase 2 we will make it available via our Up2Date servers to all installations.

Up2Date Information

News

  • Maintenance Release / Security Release

Remarks

  • System will be rebooted
  • Configuration will be upgraded

Issues Resolved

  • NUTM-12779 [Email] Upgrade Exim to v4.94.2 – 9.705

Source: UTM Up2Date 9.705-7 Released – Release Notes & News – UTM Firewall – Sophos Community

Sophos (XG) Firewall v18 MR5 (Build 586) is Now Available


For those still on XG (the product is now called just "Sophos Firewall" from SFOS 18.5, which as of now is only available for XGS hardware!), there is a small maintenance release:

Changelog from Sophos:


We have fixed 4 important issues in the earlier v18 MR5 build and have released another build for v18 MR5 (Build 586). We will continue calling this release v18 MR5, and we have added the build number to the release name on the web UI and SSH for easy identification: "v18 MR5-Build586".

Sophos Firewall devices that are already running the earlier v18 MR5 (Build 574) can upgrade to the new firmware (Build 586) with configuration migration supported.

Issues fixed in v18 MR5 Build 586:

  1. Fixed migration issue when multiple SNMP communities are configured (NC-71491)
  2. Fixed Sophos Connect Client download from user portal for MAC & Windows (NC-71456)
  3. Fixed Sophos Connect for the pre-shared key of length of 128 or more characters (NC-71582)
  4. Fixed Show pre-shared key on UI for IPSec remote access and L2TP (NC-72172)

Source: Sophos (XG) Firewall v18 MR5 (Build 586) is Now Available – Release Notes & News – Sophos (XG) Firewall – Sophos Community


Sophos UTM: Up2Date 9.706-9 Released


Sophos has released the Exim security update for the 9.706 branch. It is critical to get it installed: an unpatched UTM exposes the 21Nails remote code execution vulnerabilities in Exim!

Advisory: Multiple Vulnerabilities (AKA 21Nails) in Exim – Community Security Blog – Sophos Community – Sophos Community

Change log from Sophos:

Today we’ve released UTM 9.706-9. The release will be rolled out in phases.

  • In phase 1 you can download the update package from our download server.
  • In phase 2 we will make it available via our Up2Date servers in several stages.
  • In phase 3 we will make it available via our Up2Date servers to all remaining installations.

Up2Date Information

News

  • Maintenance Release/ Security Release

Remarks

  • System will be rebooted
  • Configuration will be upgraded

Issues Resolved

Source: UTM Up2Date 9.706-9 Released – Release Notes & News – UTM Firewall – Sophos Community

Sophos SUM Up2Date 4.310 Released


Sophos has released a security update for their UTM manager (SUM). Do not treat it as minor: it fixes a pre-authentication remote code execution vulnerability (CVE-2020-25223), so install it. Read the changes here:

 

Today we’ve released SUM 4.310. The release will be rolled out in phases.

  • In phase 1 you can download the update package from our download server.
  • In phase 2 we will make it available via our Up2Date servers to all installations.

Up2Date Information

News

  • Maintenance Release

Remarks

  • System will be rebooted

Bugfixes

  • NSU-341 : SUM Pre-auth RCE (CVE-2020-25223)
  • NSU-327 : Replace FTP Up2date Link in WebAdmin / Gateway Manager
  • NSU-320 : Remove weak algorithm arcfour from SSH

Source: SUM Up2Date 4.310 Released – Release Notes & News – UTM Firewall – Sophos Community

vSphere 7: Performing a Reconfigure for VMware HA operation on a primary node causes an unexpected virtual machine failover


When updating to vCenter Server 7.0 Update 1, you may see an error in Skyline Health telling you something like this:

"When you perform a Reconfigure for VMware HA operation on the primary node in an HA cluster, an unexpected virtual machine failover occurs for the virtual machines running on that primary node."

It's because the timeout setting in HA needs to be changed to support this; luckily VMware provides a KB article about how to fix it:

Performing a Reconfigure for VMware HA operation on a primary node causes an unexpected virtual machine failover (2017778)

So basically, edit the HA cluster's Advanced Options and add (or change) the option below. The name depends on the vCenter version:

For 7.0 U1 or greater:
das.config.fdm.unknownStateMonitorPeriod = 30
Pre 7.0 U1:
das.config.fdm.policy.unknownStateMonitorPeriod = 30

The previous default was 10.
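The same change applied to every HA-enabled cluster with PowerCLI, picking the key name from the vCenter version as described above. This is an added example, not code from the original post or from VMware; it assumes PowerCLI is installed, that Connect-VIServer has already been run, and that vCenter 7.0 Update 1 reports its version as 7.0.1 (an assumption to verify against $global:DefaultVIServer.Version in your environment).

```powershell
# Added example, not code from the original post: set the KB 2017778 HA option on all
# HA-enabled clusters, choosing the key name by vCenter version. Assumes PowerCLI and an
# existing Connect-VIServer session; the 7.0.1 threshold for 7.0 U1 is an assumption.

$vc = $global:DefaultVIServer
if (-not $vc) { throw 'Run Connect-VIServer first' }

# Key name changed in 7.0 U1; value 30 per the KB (previous default was 10).
$settingName = if ([version]$vc.Version -ge [version]'7.0.1') {
    'das.config.fdm.unknownStateMonitorPeriod'
} else {
    'das.config.fdm.policy.unknownStateMonitorPeriod'
}
$settingValue = 30

foreach ($cluster in (Get-Cluster | Where-Object { $_.HAEnabled })) {
    $existing = Get-AdvancedSetting -Entity $cluster -Name $settingName -ErrorAction SilentlyContinue
    if ($existing -and [int]$existing.Value -eq $settingValue) {
        "$($cluster.Name): $settingName already $settingValue"
    }
    elseif ($existing) {
        "$($cluster.Name): $settingName $($existing.Value) -> $settingValue"
        Set-AdvancedSetting -AdvancedSetting $existing -Value $settingValue -Confirm:$false | Out-Null
    }
    else {
        "$($cluster.Name): adding $settingName = $settingValue"
        New-AdvancedSetting -Entity $cluster -Type ClusterHA -Name $settingName -Value $settingValue -Confirm:$false | Out-Null
    }
}
```

Run it in a maintenance window: editing an HA advanced option itself triggers a Reconfigure for VMware HA on the cluster, which is exactly the operation the KB warns about until the new value is in place.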

 

Sophos Firewall: Licensing guide


Sophos is changing their licensing scheme for Sophos Firewall:

Figure 1: New XGS Series Firewall bundles and subscriptions

Figure 1b: Existing XG Series Firewall bundles and subscriptions

Read all about it here: Sophos Firewall: Licensing guide

Microsoft: Announcing the first Insider Preview for Windows 11


Finally we can get the new start menu and all the other nice things 🙂

The first build is for the Dev channel; beware, it's buggy, so it would be wise to wait for the Public Beta 🙂

Upgrade to the New Windows 11 OS | Microsoft

Announcing the first Insider Preview for Windows 11 | Windows Insider Blog

Known issues with Build 22000.51

  • When upgrading to Windows 11 from Windows 10 or when installing an update to Windows 11, some features may be deprecated or removed. See details here.
  • Taskbar:
    • Taskbar will not be shown across multiple monitors but will return in an upcoming build.
    • The preview window may not display the entire window when hovering over Task View on the taskbar.
  • Settings:
    • When upgrading a device with multiple user accounts to Windows 11, Settings will fail to launch.
    • A small set of Settings legacy pages as well as fit and finish bugs will be addressed in future releases.
    • The ‘Power mode’ setting does not show up on the Power & battery page.
    • When launching the Settings app, a brief green flash may appear.
    • When using Quick Settings to modify Accessibility settings, the settings UI may not save the selected state.
  • Start:
    • In some cases, you might be unable to enter text when using Search from Start or the taskbar. If you experience the issue, press Win + R on the keyboard to launch the Run dialog box, then close it.
    • We’re working on fixing an issue that’s preventing unpinning apps from Start, making the command bar in File Explorer disappear, or hiding snap. To work around these, restart your PC.
  • Search:
    • App icons in the Search panel may not load, and instead appear as gray squares.
    • When hovering your mouse over the Search icon on the taskbar, the third recent search does not load and remains blank.
    • After clicking the Search icon taskbar, the Search panel may not open. If this occurs, restart the “Windows Explorer” process, and open the search panel again.
    • When you hover your mouse over the Search icon on the taskbar, recent searches may not be displayed. To work around the issue, restart your device.
    • Search panel might appear as black and not display any content below the search box.
  • Widgets:
    • System text scaling will scale all widgets proportionally and may result in cropped widgets.
    • Launching links from the widgets board may not invoke apps to the foreground.
    • When using a screen reader/Narrator, widgets may not properly announce content.
    • Widgets board may appear empty. To work around the issue, you can sign out and then sign back in again.
    • When using the Outlook client with a Microsoft account, Calendar, and To Do changes may not sync to the widgets in real time.
    • Widgets may be displayed in the wrong size on external monitors. If you encounter this, you can launch the widgets via touch or WIN + W shortcut on your actual device monitor first and then launch on your secondary monitors.
    • After adding multiple widgets quickly from the widgets settings, some of the widgets may not be visible on the board.
  • Store:
    • The install button might not be functional yet in some limited scenarios.
    • Rating and reviews are not available for some apps.

Sophos UTM Up2Date 9.707 Released


Sophos has just soft-released 9.707 today, fixing these issues; here it is from the release notes:


We’ve just released UTM 9.707. As usual, the release will be rolled out in phases:

  • In phase 1 you can download the update package from our download server.
  • During phase 2 we will make it available via our Up2Date servers in several stages.
  • In phase 3 we will make it available via our Up2Date servers to all remaining installations.

Up2date information

News

  • Maintenance release
  • Security release

Remarks

  • System will be rebooted
  • Configuration will be upgraded

Issues resolved

  • NUTM-12550 [Access & Identity] Replace deprecated option in SSLVPN client config
  • NUTM-12310 [Email] SPF checks incorrectly occurring when multiple upstream hosts are configured in an availability group
  • NUTM-12672 [Logging] IPFIX does not switch source and destination ports between inbound and outbound side of flow
  • NUTM-12749 [Basesystem] Update bzip2 to address CVE-2019-12900
  • NUTM-12590 [Basesystem] Patch OpenSSL against CVE-2021-23840 & CVE-2021-23841

 


Remark: the "NUTM-12550 [Access & Identity] Replace deprecated option in SSLVPN client config" item contains this change:

They replaced the deprecated command-line option --tls-remote with the updated option --verify-x509-name in the OpenVPN client config files.

The updated option has been supported in OpenVPN since version 2.3, released in 2013. Continuing to use the older option generates warnings during connection, and OpenVPN 2.4 and later have removed it altogether, so client configs still carrying --tls-remote fail on current clients.

 

Source: UTM Up2Date 9.707 Released – Release Notes & News – UTM Firewall – Sophos Community

Exploit: PrintNightmare


Here we go again, a new PoC is in the wild and it’s attacking your print spooler!!

The latest update from Microsoft does not patch this, and everything from Windows 7 to Windows Server 2019 is vulnerable.

Mitigation:

Stop the spooler on all devices not needing it, especially DCs!

Restrict access to print servers with firewall rules.

Run these commands in your RMM or logon scripts (note the space after start= in the sc command; sc requires it):

Command prompt: net stop spooler && sc config spooler start= disabled
PowerShell prompt: Stop-Service -Name Spooler -Force; Set-Service -Name Spooler -StartupType Disabled

Source:

Zero day for every supported Windows OS version in the wild — PrintNightmare | by Kevin Beaumont | Jul, 2021 | DoublePulsar

PoC exploit accidentally leaks for dangerous Windows PrintNightmare bug – The Record by Recorded Future

PrintNightmare, Critical Windows Print Spooler Vulnerability | CISA



How to hide all users in a particular OU in the Global Address List


Had this case where a company bought a company, and they wanted all the users created in their environment to begin the migration of mails, but as they communicated over email with the company they bought, it was essential that the users created would not show up in Outlook, so nobody would choose the "wrong" user that had yet to be migrated and thus not be capable of reading the mails sent to the new account.

An easy way to accomplish this is to hide the users from the Global Address List (GAL). This can be done manually, but that is a foolish task when you have hundreds of users.

Here PowerShell comes into play:

Hide the users in the OU:
Get-ADUser -Filter * -SearchBase "OU=NEWGROUP,DC=MARTINSBLOG,DC=local" | Set-ADUser -Replace @{msExchHideFromAddressLists=$true}

Show the users in the OU:
Get-ADUser -Filter * -SearchBase "OU=NEWGROUP,DC=MARTINSBLOG,DC=local" | Set-ADUser -Replace @{msExchHideFromAddressLists=$false}

Remember that you may have to wait for users to vanish or show up again: Outlook in cached mode uses the Offline Address Book, which is generated once a day 🙂

PrintNightmare: Clarified Guidance for CVE-2021-34527 Windows Print Spooler Vulnerability


Microsoft has released Clarified Guidance for CVE-2021-34527 (the Windows Print Spooler vulnerability), explaining what has to be in place right now to mitigate exploitation. The important part is to check the registry keys:

 

Microsoft has focused its efforts on making customer protections available as quickly as possible and our guidance has been updated as our understanding of the issue has evolved. We recommend that customer follow these steps immediately:

  • In ALL cases, apply the CVE-2021-34527 security update. The update will not change existing registry settings
  • After applying the security update, review the registry settings documented in the CVE-2021-34527 advisory
  • If the registry keys documented do not exist, no further action is required
  • If the registry keys documented exist, in order to secure your system, you must confirm that the following registry keys are set to 0 (zero) or are not present:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
    • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

Read more here:

Clarified Guidance for CVE-2021-34527 Windows Print Spooler Vulnerability – Microsoft Security Response Center
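A script that audits one machine against both PrintNightmare mitigations described above: the spooler stop/disable from the first post and the Point and Print registry check from Microsoft's clarified guidance. This is an added example, not code from the original posts or from Microsoft; the -Disable switch is invented for this script, it must run elevated, and the domain-controller test uses the DomainRole values (4 and 5) of Win32_ComputerSystem.

```powershell
# Added example, not code from the original posts: audit the PrintNightmare mitigations
# (Point and Print values at 0 or absent; spooler disabled where not needed) and apply
# the spooler part when run with -Disable (a switch invented for this script). Run elevated.
param([switch]$Disable)

$PointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Point and Print values: must be 0 (DWORD) or not defined. Anything else weakens the patch.
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $item  = Get-ItemProperty -Path $PointAndPrint -Name $name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.$name } else { $null }
    if ($null -eq $value) {
        "$name : not defined (default, OK)"
    }
    elseif ($value -eq 0) {
        "$name : 0 (OK)"
    }
    else {
        "$name : $value (INSECURE)"
        $findings.Add("$name=$value")
    }
}

# 2. Spooler state. Domain controllers (DomainRole 4 = backup DC, 5 = primary DC) should never run it.
$isDC    = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
$spooler = Get-CimInstance Win32_Service -Filter "Name='Spooler'"
"Spooler: $($spooler.State), start mode $($spooler.StartMode), domain controller: $isDC"
if ($spooler.State -eq 'Running' -or $spooler.StartMode -ne 'Disabled') {
    if ($isDC) { $findings.Add('Spooler enabled on a domain controller') }
    else       { $findings.Add('Spooler enabled (disable unless this host must print)') }
}

# 3. Optionally apply the mitigation: same effect as "net stop spooler && sc config spooler start= disabled".
if ($Disable -and ($spooler.State -ne 'Stopped' -or $spooler.StartMode -ne 'Disabled')) {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    'Spooler stopped and disabled.'
}

if ($findings.Count -gt 0) { Write-Warning ('Findings: ' + ($findings -join '; ')) } else { 'No findings.' }
```

Run it without -Disable from your RMM first to get an inventory of which hosts still have the spooler enabled or carry non-zero Point and Print values, then push -Disable only to the groups (DCs, servers that never print) where stopping the spooler breaks nothing.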

Microsoft SQL Server: Locked out!


Sometimes you are a domain admin but do not have the correct rights in a SQL Server instance, quite annoying! This can be solved by restarting the instance in single-user mode, in which any member of the local Administrators group can connect as sysadmin:

Step by step instructions

The following step-by-step instructions describe how to grant system administrator permissions to a SQL Server login that mistakenly no longer has access.

These instructions assume,

  • SQL Server running on Windows 8 or higher. Slight adjustments for earlier versions of SQL Server or Windows are provided where applicable.
  • SQL Server Management Studio is installed on the computer.

Perform these instructions while logged in to Windows as a member of the local administrators group.

  1. From the Windows Start menu, right-click the icon for SQL Server Configuration Manager and choose Run as administrator to pass your administrator credentials to Configuration Manager.
  2. In SQL Server Configuration Manager, in the left pane, select SQL Server Services. In the right-pane, find your instance of SQL Server. (The default instance of SQL Server includes (MSSQLSERVER) after the computer name. Named instances appear in upper case with the same name that they have in Registered Servers.) Right-click the instance of SQL Server, and then click Properties.
  3. On the Startup Parameters tab, in the Specify a startup parameter box, type -m and then click Add. (That’s a dash then lower case letter m.)

     Note

    For some earlier versions of SQL Server there is no Startup Parameters tab. In that case, on the Advanced tab, double-click Startup Parameters. The parameters open up in a very small window. Be careful not to change any of the existing parameters. At the very end, add a new parameter ;-m and then click OK. (That’s a semi-colon then a dash then lower case letter m.)

  4. Click OK, and after the message to restart, right-click your server name, and then click Restart.
  5. After SQL Server has restarted, your server will be in single-user mode. Make sure that SQL Server Agent is not running. If started, it will take your only connection.
  6. From the Windows Start menu, right-click the icon for Management Studio and select Run as administrator. This will pass your administrator credentials to SSMS.

And that’s it 🙂

 

Read more about other solutions in the article the steps above were taken from:

Connect to SQL Server when system administrators are locked out – SQL Server | Microsoft Docs
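The same recovery from an elevated PowerShell prompt, including the step the instructions above stop short of: actually granting sysadmin once connected. This is an added example, not code from the original post or from Microsoft Docs. It assumes the default instance (service MSSQLSERVER, reached as sqlcmd -S .), sqlcmd.exe on the PATH, SQL Server 2012 or later for ALTER SERVER ROLE, and that you run it as a member of the local Administrators group; $Login is an assumed example account.

```powershell
# Added example, not code from the original post: regain sysadmin by restarting the
# instance in single-user mode from PowerShell. Assumes the default instance, sqlcmd on
# the PATH, SQL Server 2012+, and an elevated prompt run by a local administrator.
$Service = 'MSSQLSERVER'            # named instance: 'MSSQL$NAME' here and -S .\NAME below
$Login   = 'MARTINSBLOG\sqladmin'   # assumed example account that should get sysadmin

# 1. Stop Agent first (it would otherwise grab the single connection), then the engine.
Stop-Service -Name SQLSERVERAGENT -Force -ErrorAction SilentlyContinue
Stop-Service -Name $Service -Force

# 2. Start in single-user mode restricted to clients that identify as SQLCMD, so no other
#    application can steal the one connection. (Documented cmd form: net start MSSQLSERVER /m"SQLCMD";
#    PowerShell strips the quotes, and the unquoted form is accepted.)
net start $Service /mSQLCMD
if ($LASTEXITCODE -ne 0) { throw 'SQL Server did not start in single-user mode' }

# 3. Use the single connection (local admins are sysadmin in this mode) to grant the role.
$tsql = "IF SUSER_ID(N'$Login') IS NULL CREATE LOGIN [$Login] FROM WINDOWS; " +
        "ALTER SERVER ROLE sysadmin ADD MEMBER [$Login]; " +
        "SELECT IS_SRVROLEMEMBER('sysadmin', N'$Login') AS is_sysadmin;"
sqlcmd -S . -E -b -Q $tsql          # -b makes a T-SQL error set a non-zero exit code
$grantExit = $LASTEXITCODE

# 4. Always return to normal multi-user operation, even if the grant failed.
Stop-Service  -Name $Service -Force
Start-Service -Name $Service
Start-Service -Name SQLSERVERAGENT -ErrorAction SilentlyContinue
if ($grantExit -ne 0) { throw "sqlcmd exited with $grantExit; sysadmin was not granted" }
'Done: connect normally and verify with SELECT IS_SRVROLEMEMBER(''sysadmin'').'
```

The -mSQLCMD restriction is the part that removes the race in step 5 of the instructions: with plain -m, whichever client connects first (SQL Server Agent, a monitoring agent, an application pool) owns the only connection and you are locked out again until the next restart.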
