Microsoft stitches up Windows Server 2003 on busy June Patch Tuesday

Organizations that still use Windows Server 2003 got a surprise on June Patch Tuesday, with a Microsoft security…

“;
}
});

/**
* remove unnecessary class from ul
*/
$(“#inlineregform”).find( “ul” ).removeClass(“default-list”);

/**
* Replace “errorMessageInput” class with “sign-up-error-msg” class
*/
function renameErrorMsgClass() {
$(“.errorMessageInput”).each(function() {
if ($(this).hasClass(“hidden”)) {
$(this).removeClass(“errorMessageInput hidden”).addClass(“sign-up-error-msg hidden”);
} else {
$(this).removeClass(“errorMessageInput”).addClass(“sign-up-error-msg”);
}
});
}

/**
* when validation function is called, replace “errorMessageInput” with “sign-up-error-msg”
* before return
*/
function validateThis(v, form) {
var validateReturn = urValidation.validate(v, form);
renameErrorMsgClass();
return validateReturn;
}

/**
* DoC pop-up window js – included in moScripts.js which is not included in responsive page
*/
$(“#inlineRegistration”).on(“click”,”a.consentWindow”, function(e) {
window.open(this.href, “Consent”, “width=500,height=600,scrollbars=1”);
e.preventDefault();
});

update for the unsupported server operating system.

A month after the company issued patches for legacy systems to ward off the WannaCry ransomware attacks that affected thousands of computers, Microsoft released a free patch for Windows Server 2003, which has been unsupported since 2015. Microsoft addressed the exploit used in the WannaCry attacks in its March Patch Tuesday, but that only applied to supported Windows systems. The company later issued updates to protect unsupported Windows XP, Windows 8 and Windows Server 2003 operating systems.

This most recent course reversal — which also applies to other unsupported systems, such as Windows XP — comes alongside June Patch Tuesday updates that addressed an eye-opening 94 vulnerabilities.

“In reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyberattacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations,” Adrienne Hall, general manager of Microsoft’s Cyber Defense Operations Center, wrote in a blog post. Hall indicated Microsoft chose to issue these additional security updates to protect unsupported systems from threats that may be similar to WannaCry.

Microsoft encourages businesses to migrate from legacy systems, such as Windows Server 2003, through end-of-life support deadlines. By releasing a security update for an unsupported product, Microsoft risks setting a precedent that businesses can stay with legacy products and still receive critical security updates.

In a separate blog post, Eric Doerr, general manager of the Microsoft Security Response Center, cautioned that this “should not be viewed as a departure from our standard servicing policies,” and businesses will be best-served by staying on Microsoft’s roadmap with supported Windows systems.

“It’s sort of a double-edged sword,” said Amol Sarwate, director of vulnerability labs for Qualys Inc., based in Redwood City, Calif. “For things like WannaCry, when the exploitation is so high and everyone and anyone is affected, Microsoft did the right thing by releasing patches for an end-of-life operating system.”

At the same time, “if they do this more often, people will start thinking the patches will be there, and that takes them away from the goal of moving away from the old operating systems,” he said.

Patch for in-the-wild vulnerability

Of the 94 vulnerabilities Microsoft identified for June Patch Tuesday, 27 are remote code execution (RCE) exploits that could allow an attacker to take control of a machine.

Sarwate said the top priority for Windows Server administrators should be CVE-2017-8543, which affects Windows Server 2008 and above, and is currently exploited in the wild. On an unpatched system, attackers can send a specially crafted Server Message Block request to the Windows Search service to gain control of a computer.

Administrators should give prompt attention to address CVE-2017-8507, an RCE vulnerability in Microsoft Outlook an attacker could use to gain control of a system when a user views an email message, Sarwate said.

For more information about the remaining security vulnerabilities released on June Patch Tuesday, visit Microsoft’s Security Update Guide.

Dan Cagen is the associate site editor for SearchWindowsServer.com. Write to him at dcagen@techtarget.com.

Next Steps

How to adapt to Microsoft’s patching changes

New patching process may mean less control

Security Update Guide brings growing pains


Essential Guide

Catch up on the Windows Server patches of 2017

Powered by WPeMatico

Announcing Windows 10 Insider Preview Build 15223 for Mobile

Hello Windows Insiders!

We have released Windows 10 Mobile Insider Preview Build 15223 to in the Fast ring. This build is just one builder newer than last week’s Mobile build and includes the following fixes and improvements:

  • We fixed an issue where only the first VPN profile was being displayed in the VPN settings page via Settings > Network & wireless > VPN.
  • We fixed an issue where a meeting Time Zone was garbled in Chinese or Japanese.
  • Based on Insider feedback, we have changed “Phone Update” to “Windows Update” under Settings > Update & security.

Known issues for Mobile

  • In some cases, the WeChat app may crash on launch.

Keep hustling team,
Dona <3

Hop on board an Express Migration for Exchange Online

Exchange administrators have more important things to worry about than migration tools. A complex project — such…

“;
}
});

/**
* remove unnecessary class from ul
*/
$(“#inlineregform”).find( “ul” ).removeClass(“default-list”);

/**
* Replace “errorMessageInput” class with “sign-up-error-msg” class
*/
function renameErrorMsgClass() {
$(“.errorMessageInput”).each(function() {
if ($(this).hasClass(“hidden”)) {
$(this).removeClass(“errorMessageInput hidden”).addClass(“sign-up-error-msg hidden”);
} else {
$(this).removeClass(“errorMessageInput”).addClass(“sign-up-error-msg”);
}
});
}

/**
* when validation function is called, replace “errorMessageInput” with “sign-up-error-msg”
* before return
*/
function validateThis(v, form) {
var validateReturn = urValidation.validate(v, form);
renameErrorMsgClass();
return validateReturn;
}

/**
* DoC pop-up window js – included in moScripts.js which is not included in responsive page
*/
$(“#inlineRegistration”).on(“click”,”a.consentWindow”, function(e) {
window.open(this.href, “Consent”, “width=500,height=600,scrollbars=1”);
e.preventDefault();
});

as a migration from Exchange 2010 or higher to Office 365 — takes more time and thought than a busy admin can afford.

Microsoft’s Express Migration option, available for Exchange 2010 or higher organizations, lets admins move mailboxes to Exchange Online and Office 365 quickly and without expert knowledge of tools. A typical Exchange Online migration, even a small one, requires a choice. Some admins want new features, such as automatic client reconfiguration, retention of offline caches and password synchronization; other businesses simply want to give end users new passwords and reconfigure every client.

Without Express Migration, administrators who want a high-fidelity migration with those advanced features must understand how to set up Azure AD Connect and configure a full Exchange hybrid setup. They also need to learn Exchange admin center functionality so they can manage mailbox migrations.

The Express Migration route automates the setup of these features, such as automatic client reconfiguration, and provides a single dashboard within the main Office 365 portal to manage the migration. Admins avoid the work that comes with a hybrid migration and get users onto Office 365 faster. The hybrid configuration offers several administrative benefits, including automatic client reconfiguration, retention of offline caches and one-time password synchronization — none of which are possible with the alternative cutover migration.

Assess the environment before the Express Migration

For the purpose of this article, we will move Goodman Industries, a fictitious, small manufacturing company that employs 40 people, to Office 365. The business has a Windows Server 2012 R2 domain controller and two Exchange 2010 servers — one runs the client access and hub transport role and the other runs the mailbox role.

The company uses Office 2013 installed via a Windows Installer package (.msi file), which is patched and up-to-date. Clients have direct connectivity and access to all internet locations, including Office 365. They also have 100 Mbps bandwidth with low utilization.

Exchange is set up correctly, and autodiscover is working; the environment has valid external Secure Sockets Layer certificates. The client access server role publishes to the internet with a direct firewall rule that allows HTTPS traffic. The hub transport role sends and receives mail via the internet.

Goodman Industries has a new Office 365 subscription that it doesn’t use yet, but it has purchased licenses for users. In addition, Goodman Industries doesn’t want to rely on any on-premises infrastructure to support Office 365, which eliminates long-term directory synchronization. However, it wants to synchronize accounts before they migrate and wants to ensure a quick and simple client switchover.

Prep the Office 365 environment

Goodman Industries is typical of many small businesses. It has no heavy restrictions on its internet connection and uses a simple Exchange Server configuration to minimize complexity. To prep the Office 365 environment in such a scenario, go through the validation process and ensure the bandwidth and firewall configurations are suitable for a full adoption of Office 365 services. For the purposes of this article, assume the company meets all requirements.

However, there are key areas to check and configure. Within the new Office 365 tenant, add custom domains for each email domain in use. Log into the Office 365 portal, and select Setup > Domains in the administration center. The wizard will ask to add records after it adds the TXT record; choose Skip. Once domains are configured, they should be listed within the portal, as shown in Figure 1.

Office 365 custom domains
Figure 1. Before an Express Migration to Office 365, set up the custom domains for each email domain in the Office 365 admin center.

Resolve any errors with invalid Active Directory user data. To do this, update the user principal name attribute in Active Directory so it matches end users’ email addresses and remove duplicate addresses, as shown in Figure 2. This ensures the administrator can make a copy of user accounts in Office 365. Use Microsoft’s IdFix tool to find and fix accounts with errors.

Office 365 IdFix
Figure 2. Use Office 365 IdFix to correct accounts with invalid Active Directory user data.

Use the Hybrid Configuration wizard

To begin the Express Migration, go to the data migration page in the Office 365 admin portal from a domain-joined Windows computer. This installs the AD synchronization tool set, so it might make sense to run this from an Exchange Server or Active Directory domain controller.

Once logged in, select Users > Data Migration to select the type of data source to migrate. For this scenario, choose Exchange (Figure 3).

Data migration page
Figure 3. Choose the data source to migrate to Office 365.

Office 365 asks if you want to run the Office 365 Hybrid Configuration wizard, which performs the Express Migration configuration. Choose Download Application to launch the wizard. Select the Exchange Server to use. In this case, select the Exchange 2010 client access and hub transport server. Enter the credentials to connect to the Exchange Server and Office 365 and then select the type of hybrid configuration.

For the wizard to create necessary Office 365 settings and migrate mailboxes, unselect the Use current Windows credentials option and manually enter credentials. When the wizard asks which hybrid features to use, select Minimal Hybrid Configuration (Figure 4).

Minimal Hybrid Configuration
Figure 4. Choose Minimal Hybrid Configuration to streamline the mailbox migration process.

On the next page, select the Update button to configure the basic features in both Exchange Server 2010 and Office 365 and to assist the mailbox migration. On the next page, select the option to Synchronize my users and passwords one time, as shown in Figure 5, and follow the prompts to install Azure AD Connect and perform the synchronization.

User and password synchronization
Figure 5. Select the option to perform a one-time synchronization of users and passwords.

This completes the Office 365 hybrid configuration wizard portion. Next, a prompt gives the option to visit the Data migration page. To select the page manual, navigate to Users > Data migration and select Exchange.

The Data migration page should show user accounts in the Office 365 tenant. Select a few test users, assign a license if necessary and then click Start migration to ensure the migration works properly (Figure 6).

Office 365 data migration page
Figure 6. Select a few test users to make sure the Office 365 migration process works as expected.

Exchange Online will simultaneously connect to the on-premises Exchange Server, via HTTPS, to the client access server. It then will attempt to natively migrate selected mailboxes. Refresh the page for progress updates, as shown in Figure 7.

Successful migration
Figure 7. An Office 365 message indicates the test migration succeeded.

Once mailbox migration completes, the status will change to Completed. At this point, the on-premises mailboxes convert into Remote Mailboxes. The next time a client launches Outlook 2013, the autodiscover process reads the Remote Mailbox user objects and redirects the connection to the mailbox in Office 365. Outlook will ask for the end user’s password, and then it will receive email messages.

When the rest of the users are migrated, uninstall Azure AD Connect from the Windows machine that ran the hybrid configuration wizard. The organization can then decide if it wants to remove Exchange Server from the environment.

Next Steps

Hybrid wizard configures deployment

Prepare for an Office 365 migration

Make an Office 365 migration pay off

Powered by WPeMatico

Microsoft releases additional updates to protect against potential nation-state activity

On May 12, 2017, the WannaCrypt ransomware served as an all too real example of the danger of cyber attacks to individuals and businesses globally.

In reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyber attacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations. To address this risk, today we are providing additional security updates along with our regular Update Tuesday service. These security updates are being made available to all customers, including those using older versions of Windows. Due to the elevated risk for destructive cyber attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt. For more technical information and links to related articles, visit our Microsoft Security Response Center blog.

It is important to note that if you’re running a supported version of Windows, such as Windows 10 or Windows 8.1, and you have Windows Update enabled, you don’t need to take any action. As always, we recommend customers upgrade to the latest platforms. The best protection is to be on a modern, up-to-date system that incorporates the latest innovations. Older systems, even if fully up-to-date, lack the latest security features and advancements.

If you’re unsure what version of Windows you’re running, or whether you have Windows Update enabled, there are links at the bottom of this page to help you check.

We appreciate your business and are committed to delivering the most secure and trusted technology possible in today’s complex and interconnected world.

Additional Resources:

Visit this link for help determining which Windows operating system you’re running.  

Visit this link if you’re running a version of Windows that no longer receives extended support.

Visit this link for help enabling Windows Update.

For more technical information and links to updates for products no longer in extended support see our Microsoft Security Response Center blog.

OneDrive Files On-Demand now available for Windows Insiders

Hello Windows Insiders!

At Build 2017, Joe Belfiore announced that the new OneDrive Files On-Demand feature will be delivered with the Windows 10 Fall Creators Update. And today, we are excited to announce that OneDrive Files On-Demand is rolling out to Windows Insiders in the Fast ring who are on Build 16215. The updated OneDrive client will be rolling out over the next few days but can also be installed from here.

OneDrive Files On-Demand

With Files On-Demand, you can access all your files in the cloud without having to download them and use storage space on your device. All your files—even online-only files—can be seen in File Explorer and work just like every other file on your device. You’ll be able to open online-only files from within any desktop or Windows Store apps using the Windows file picker. And you’re covered in both your home and professional life since it works with your personal and work OneDrive, as well as your SharePoint Online team sites.

After enabling Files On-Demand in OneDrive, your files will have these statuses in File Explorer:

Online-only files

Online-only files

Online-only files don’t take up space on your computer. You see a cloud icon for each online-only file in File Explorer, but the file doesn’t download to your device until you open it. You can only open online-only files when your device is connected to the internet. However, you online files will always be visible in File Explorer even if you are offline.

 Locally available files

Locally-available files

When you open an online-only file, it downloads to your device and becomes a locally available file. You can open a locally available file anytime, even without Internet access. If you need more space, you can change the file back to online-only. Just right-click the file and select “Free up space.”

Always available files

Always available files

Only files that you mark as “Always keep on this device” have the green circle with the white check mark. These files will always be available even when you’re offline. They are downloaded to your device and take up space.

To read up on everything you need to know about OneDrive Files On-Demand, click here.

And here are a few things we recommend you try out!

  • Setup your personal MSA and Office 365 accounts with OneDrive Files On-Demand.
  • Right-click on a file or folder in OneDrive and select “Free up space” or “Always keep on this device”.
  • Double click an online-only file with a cloud on it. It will download on-demand.
  • Navigate into a folder in OneDrive that is full of pictures, and you can watch the thumbnails populate.
  • Access an online-only file through your favorite apps.
  • Mount a SharePoint Online team site.
  • Work with all your files as you normally do!

This has been the #1 requested feature for OneDrive on UserVoice, so we’re excited to get this out to Windows Insiders. Tell us what you think!

Educate users to avert email phishing attacks

Cybercriminals use more sophisticated and efficient email phishing methods to attack businesses, forcing IT teams…

“;
}
});

/**
* remove unnecessary class from ul
*/
$(“#inlineregform”).find( “ul” ).removeClass(“default-list”);

/**
* Replace “errorMessageInput” class with “sign-up-error-msg” class
*/
function renameErrorMsgClass() {
$(“.errorMessageInput”).each(function() {
if ($(this).hasClass(“hidden”)) {
$(this).removeClass(“errorMessageInput hidden”).addClass(“sign-up-error-msg hidden”);
} else {
$(this).removeClass(“errorMessageInput”).addClass(“sign-up-error-msg”);
}
});
}

/**
* when validation function is called, replace “errorMessageInput” with “sign-up-error-msg”
* before return
*/
function validateThis(v, form) {
var validateReturn = urValidation.validate(v, form);
renameErrorMsgClass();
return validateReturn;
}

/**
* DoC pop-up window js – included in moScripts.js which is not included in responsive page
*/
$(“#inlineRegistration”).on(“click”,”a.consentWindow”, function(e) {
window.open(this.href, “Consent”, “width=500,height=600,scrollbars=1”);
e.preventDefault();
});

to protect systems from frequent and costly data breaches and infections. But security tools aren’t enough to stop advanced threats.

Ransomware and other malicious code often slip through the IT defensive perimeter — despite IT’s best efforts. Several recent attacks occurred when unsuspecting users clicked on a link or opened an email attachment that ran malicious code and infected the computer. IT departments use several tools to reduce these threats, but attackers shift tactics constantly and not all security components can block every threat.

Don’t rely on technology; take a more human approach to defend the business and educate users. These four critical steps will build a successful security culture and awareness within an organization.

Create a human security layer

To bolster protection, train and educate employees of lurking threats, which come in different flavors and different approaches.

Chief information security officers recognize that no single security initiative or measure will block every threat; those tactics exist to diminish the risks associated with an attack. Even with security tools, unsuspecting users could inadvertently give away credentials and cause a data breach.

To bolster protection, train and educate employees of lurking threats, which come in different flavors and different approaches. To prepare employees, must teach them what to look for in phishing attempts and what to avoid in email messages. Some organizations make it mandatory or part of a yearly review to address security.

Perform regular security audits

IT performs audits to uncover security gaps within the environment. In addition to performing a technical audit, use a third-party service, such as KnowBe4, to send a fake spear phishing attempt via email to all users. The service then reports back to IT on who responded or clicked on the links. IT can give those employees additional training.

Open up feedback to collect and document new threats

With email attacks, cybercriminals pose as an employee or encourage the end user to open a document or link. As attack strategies continuously evolve, IT must keep up to date on new methods before it can devise a strategy to defend against them. Encourage users to self-report some email messages with a designated IT resource. This helps the organization catalog attack methods.

Provide frequent security reminders

Create regular reminders and routinely schedule lessons to ensure security remains top of mind for all end users. Build different security campaigns — periodically send out newsletters and post videos that warn of recent threats and provide email security tips. This reminds users to be proactive to protect themselves from attacks.

Organizations implement security awareness to mitigate the risks of infections or data breaches that come with email attacks. No single security system will block all threats that arrive via email; end users that know what to look for are less likely to fall victim to an attack.

Cybercriminals use more sophisticated and efficient email phishing methods to attack businesses, forcing IT teams to protect systems from frequent and costly data breaches and infections. But security tools aren’t enough to stop advanced threats.

Ransomware and other malicious code often slip through the IT defensive perimeter — despite IT’s best efforts. Several recent attacks occurred when unsuspecting users clicked on a link or opened an email attachment that ran malicious code and infected the computer. IT departments use several tools to reduce these threats, but attackers shift tactics constantly and not all security components can block every threat.

Don’t rely on technology; take a more human approach to defend the business and educate users. These four critical steps will build a successful security culture and awareness within an organization.

Create a human security layer

Chief information security officers recognize that no single security initiative or measure will block every threat; those tactics exist to diminish the risks associated with an attack. Even with security tools, unsuspecting users could inadvertently give away credentials and cause a data breach.

To bolster protection, train and educate employees of lurking threats, which come in different flavors and different approaches. To prepare employees, must teach them what to look for in phishing attempts and what to avoid in email messages. Some organizations make it mandatory or part of a yearly review to address security.

Perform regular security audits

IT performs audits to uncover security gaps within the environment. In addition to performing a technical audit, use a third-party service, such as KnowBe4, to send a fake spear phishing attempt via email to all users. The service then reports back to IT on who responded or clicked on the links. IT can give those employees additional training.

Open up feedback to collect and document new threats

With email attacks, cybercriminals pose as an employee or encourage the end user to open a document or link. As attack strategies continuously evolve, IT must keep up to date on new methods before it can devise a strategy to defend against them. Encourage users to self-report some email messages with a designated IT resource. This helps the organization catalog attack methods.

Provide frequent security reminders

Create regular reminders and routinely schedule lessons to ensure security remains top of mind for all end users. Build different security campaigns — periodically send out newsletters and post videos that warn of recent threats and provide email security tips. This reminds users to be proactive to protect themselves from attacks.

Organizations implement security awareness to mitigate the risks of infections or data breaches that come with email attacks. No single security system will block all threats that arrive via email; end users that know what to look for are less likely to fall victim to an attack.

Next Steps

Train employees to ward off attacks

Test your Office 365 Advanced Threat Protection knowledge

Respond quickly to a malware attack

Powered by WPeMatico