From alert to driver vulnerability: Microsoft Defender ATP investigation unearths privilege escalation flaw – Microsoft Security

With Microsoft continuously improving kernel mitigations and raising the bar for exploiting native kernel components, third-party kernel drivers are becoming a more appealing target for attackers and an important area of research for security analysts. A vulnerability in a signed third-party driver could have a serious impact: it can be abused by attackers to escalate privileges or, more commonly, bypass driver signature enforcement—without the complexity of using a more expensive zero-day kernel exploit in the OS itself.

Computer manufacturers usually ship devices with software and tools that facilitate device management. These software and tools, including drivers, often contain components that run with ring-0 privileges in the kernel. With these components installed by default, each must be as secure as the kernel; even one flawed component could become the Achilles’ heel of the whole kernel security design.

We discovered such a driver while investigating an alert raised by Microsoft Defender Advanced Threat Protection’s kernel sensors. We traced the anomalous behavior to a device management driver developed by Huawei. Digging deeper, we found a lapse in the design that led to a vulnerability that could allow local privilege escalation.

We reported the vulnerability (assigned CVE-2019-5241) to Huawei, who responded and cooperated quickly and professionally. On January 9, 2019, Huawei released a fix. In this blog post, we’d like to share our journey from investigating one Microsoft Defender ATP alert to discovering a vulnerability, cooperating with the vendor, and protecting customers.

Detecting kernel-initiated code injections with Microsoft Defender ATP

Starting in Windows 10, version 1809, the kernel has been instrumented with new sensors designed to trace User APC code injection initiated by kernel code, providing better visibility into kernel threats like DOUBLEPULSAR. As described in our in-depth analysis, DOUBLEPULSAR is a kernel backdoor used by the WannaCry ransomware to inject the main payload into user space. DOUBLEPULSAR copied the user payload from the kernel into an executable memory region in lsass.exe and queued a User APC to a victim thread with a NormalRoutine pointing into this region.

figure-01-WannaCry-user-APC-injection-technique-schematic-diagram

Figure 1. WannaCry User APC injection technique schematic diagram

While the User APC code injection technique isn’t novel (see Conficker or Valerino’s earliest proof-of-concept), detecting threats running in the kernel is not trivial. Since PatchGuard was introduced, hooking NTOSKRNL is no longer allowed, and there’s no documented way for drivers to get a notification for any of the above operations. Hence, without proper optics, the only sustainable strategy would be memory forensics, which can be complicated.

The new set of kernel sensors aims to address this kind of kernel threat. Microsoft Defender ATP leverages these sensors to detect suspicious operations invoked by kernel code that might lead to code injection into user mode. One such suspicious operation triggered this investigation.

Investigating an anomalous code injection from the kernel

While monitoring alerts related to kernel-mode attacks, one alert drew our attention:

figure-02-2-Microsoft-Defender-ATP-kernel-initiating-code-injection-alert

Figure 2. Microsoft Defender ATP kernel-initiating code injection alert

The alert process tree showed an abnormal memory allocation and execution in the context of services.exe, performed by kernel code. Investigating further, we found that an identical alert had fired on another machine around the same time.

To get a better understanding of the observed anomaly, we looked at the raw signals we got from the kernel sensors. This analysis yielded the following findings:

  • A system thread called nt!NtAllocateVirtualMemory to allocate a single page (size = 0x1000) with the PAGE_EXECUTE_READWRITE protection mask in the services.exe address space
  • The system thread then called nt!KeInsertQueueApc to queue a User APC to an arbitrary services.exe thread, with NormalRoutine pointing to the beginning of the executable page and NormalContext pointing to offset 0x800 within it

The payload copied from kernel mode is divided into two portions: a shellcode (NormalRoutine) and a parameter block (NormalContext). At this point, the overall behavior looked suspicious enough for us to proceed with the hunting. Our goal was to incriminate the kernel code that triggered the alert.
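As an added example (not code from the blog post, nor from the Defender ATP sensors themselves), here is the correlation a SecOps analyst could run over raw kernel-sensor records to surface the pattern described above, for the DOUBLEPULSAR case as well as this one: an RWX allocation in a user process made by a system thread, followed by a User APC whose NormalRoutine lands inside that region. The record format, the `from_kernel` attribute and the sample events are constructed for illustration and are not the real sensor schema.

```python
"""Correlating kernel-sensor signals into a kernel-initiated User APC
injection finding. Added example; records and schema are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Page-protection constants as defined in winnt.h.
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
WRITABLE_AND_EXECUTABLE = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


@dataclass(frozen=True)
class Event:
    seq: int                 # monotonic sequence number assigned by the sensor
    op: str                  # "NtAllocateVirtualMemory" or "KeInsertQueueApc"
    from_kernel: bool        # True when the caller was a system thread (assumed attribute)
    target_pid: int
    target_image: str
    base: int = 0            # NtAllocateVirtualMemory: region base
    size: int = 0            # NtAllocateVirtualMemory: region size
    protect: int = 0         # NtAllocateVirtualMemory: protection mask
    apc_mode: str = ""       # KeInsertQueueApc: "User" or "Kernel"
    normal_routine: int = 0  # KeInsertQueueApc: NormalRoutine pointer
    normal_context: int = 0  # KeInsertQueueApc: NormalContext pointer


@dataclass(frozen=True)
class Finding:
    target_pid: int
    target_image: str
    region_base: int
    region_size: int
    routine_offset: int      # NormalRoutine relative to the region base
    context_offset: int      # NormalContext relative to the region base, -1 if outside
    alloc_seq: int
    apc_seq: int


def find_kernel_apc_injections(events: Iterable[Event]) -> List[Finding]:
    """Flag a User APC queued from kernel mode whose NormalRoutine points into a
    writable+executable region that kernel code allocated earlier in the same
    target process. User-mode JIT allocations, kernel-mode APCs and APCs whose
    routine lives in a legitimate image all fall through."""
    regions: Dict[int, List[Tuple[int, int, int]]] = {}  # pid -> [(seq, base, size)]
    findings: List[Finding] = []
    for ev in sorted(events, key=lambda e: e.seq):
        if not ev.from_kernel:
            continue
        if ev.op == "NtAllocateVirtualMemory" and ev.protect in WRITABLE_AND_EXECUTABLE:
            regions.setdefault(ev.target_pid, []).append((ev.seq, ev.base, ev.size))
        elif ev.op == "KeInsertQueueApc" and ev.apc_mode == "User":
            for alloc_seq, base, size in regions.get(ev.target_pid, []):
                if base <= ev.normal_routine < base + size:
                    ctx = ev.normal_context - base
                    findings.append(Finding(
                        target_pid=ev.target_pid,
                        target_image=ev.target_image,
                        region_base=base,
                        region_size=size,
                        routine_offset=ev.normal_routine - base,
                        context_offset=ctx if 0 <= ctx < size else -1,
                        alloc_seq=alloc_seq,
                        apc_seq=ev.seq,
                    ))
                    break
    return findings


# Constructed sample: the two signals from the investigation, plus two that
# must not fire (a user-mode JIT allocation and a kernel-mode APC).
SAMPLE_EVENTS = [
    Event(1, "NtAllocateVirtualMemory", True, 712, "services.exe",
          base=0x1D3A0000, size=0x1000, protect=PAGE_EXECUTE_READWRITE),
    Event(2, "KeInsertQueueApc", True, 712, "services.exe", apc_mode="User",
          normal_routine=0x1D3A0000, normal_context=0x1D3A0800),
    Event(3, "NtAllocateVirtualMemory", False, 4410, "chrome.exe",
          base=0x2000000, size=0x10000, protect=PAGE_EXECUTE_READWRITE),
    Event(4, "KeInsertQueueApc", True, 712, "services.exe", apc_mode="Kernel",
          normal_routine=0xFFFFF8001234ABCD),
]

if __name__ == "__main__":
    for f in find_kernel_apc_injections(SAMPLE_EVENTS):
        print(f"{f.target_image} (pid {f.target_pid}): RWX region {f.region_base:#x}/{f.region_size:#x} "
              f"allocated at seq {f.alloc_seq}; User APC at seq {f.apc_seq} with NormalRoutine "
              f"at +{f.routine_offset:#x} and NormalContext at +{f.context_offset:#x}")
```

The rule keys on the caller being a system thread, not on the target process: a user-mode process allocating RWX memory in itself is routine (JITs do it constantly), but kernel code doing it in someone else's address space and then queuing a User APC at that address is exactly the DOUBLEPULSAR-style primitive.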

Incriminating the source

In user-mode threats, the caller process context can shed light on the actor and link to other phases in the attack chain. With kernel-mode threats, the story is more complicated: the kernel is asynchronous by nature, and callbacks may run in an arbitrary process context, which makes process context meaningless for forensic purposes.

Therefore, we looked for indirect evidence of third-party code loaded into the kernel. By inspecting the machine timeline, we found that several third-party drivers had been loaded earlier that day.

Based on their file paths, we concluded that they were all related to an app from Huawei called PC Manager, device management software for Huawei MateBook laptops. The installer is available on Huawei’s website, so we downloaded it for inspection. For each Huawei driver, we used dumpbin.exe to examine its imported functions.

And then we had a hit:

figure-03-dumpbin-utility-used-to-detect-user-APC injection-primitives

Figure 3. dumpbin utility used to detect user APC injection primitives

HwOs2Ec10x64.sys: Unexpected behavior from a driver

Hunting led us to the kernel code that triggered the alert. One would expect device management software to perform mostly hardware-related tasks, with the supplied device drivers acting as the communication layer with the OEM-specific hardware. So why was this driver exhibiting unusual behavior? To answer this question, we reverse-engineered HwOs2Ec10x64.sys.

Our entry point was the function implementing the user APC injection. We found a code path that:

  1. allocates RWX page in some target process;
  2. resolves CreateProcessW and CloseHandle function pointers in the address space of the target process;
  3. copies a code area from the driver as well as what seemed to be a parameter block to the allocated page; and
  4. performs User APC injection targeting that page

The parameter block contains both the resolved function pointers as well as a string, which was found to be a command line.

figure-04-User-APC-injection-code

Figure 4. User APC injection code

The APC normal routine is a shellcode which calls CreateProcessW with the given process command line string. This implied that the purpose of the code injection to services.exe is to spawn a child process.

figure-05-User-shellcode-performing-process-creation

Figure 5. User shellcode performing process creation

Inspecting the xrefs, we noticed that the injection code originated from a create-process notify routine when Create = FALSE. Hence, the trigger was some process termination.

But what command does the shellcode execute? Attaching a kernel debugger and setting a breakpoint on the memcpy_s in charge of copying the parameters from kernel to user-mode revealed the created process: one of Huawei’s installed services, MateBookService.exe, invoked with “/startup” in its command line.

figure-06-2-Breakpoint-hit-on-the-call-to-memcpy_s-copying-shellcode-parameters

Figure 6. Breakpoint hit on the call to memcpy_s copying shellcode parameters

Why would a valid service be started that way? Inspecting MateBookService.exe!main revealed a “startup mode” that revived the service if it’s stopped – some sort of watchdog mechanism meant to keep the Huawei PC Manager main service running.

figure-07-MateBookService-exe-startup-code-path

Figure 7. MateBookService.exe /startup code path

At this point of the investigation, the only missing piece in the puzzle was making sure the terminated process triggering the injection is indeed MateBookService.exe.

figure-08-Validating-terminated-process-identity

Figure 8. Validating terminated process identity

The code path that decides whether to inject to services.exe uses a global list of watched process names. Hitting a breakpoint in the iteration loop revealed which process was registered: it was MateBookService.exe, as expected, and it was the only process on that list.

figure-09-Breakpoint-hit-during-process-name-comparison-against-global-list

Figure 9. Breakpoint hit during process name comparison against global list

HwOs2Ec10x64.sys also provided process protection against external tampering. Any attempt to force MateBookService.exe termination would fail with Access Denied.

Abusing HwOs2Ec10x64.sys process watch mechanism

The next step in our investigation was to determine whether an attacker can tamper with the global watched process list. We came across an IOCTL handler that adds an entry to that list; the MateBookService.exe process likely uses this IOCTL to register itself when the service starts. The IOCTL is sent to the driver’s control device, which is created in its DriverEntry.

figure-10-HwOs2Ec10x64.sys-control-device-creation-with-IoCreateDevice

Figure 10. HwOs2Ec10x64.sys control device creation with IoCreateDevice

Since the device object is created with IoCreateDevice, without a security descriptor of its own, it gets the default DACL, and Everyone has read/write access to it. Another important observation was that the device isn’t exclusive, so multiple handles can be opened to it at the same time.

Nevertheless, when we tried to open a handle to the device \\.\HwOs2EcX64, it failed with Last Error = 537, “Application verifier has found an error in the current process”. The driver was rejecting our request to open the device. How is access enforced? It must be on the CreateFile path; in other words, in the HwOs2Ec10x64.sys IRP_MJ_CREATE dispatch routine.

figure-11-IRP_MJ_CREATE-dispatch-routine

Figure 11. IRP_MJ_CREATE dispatch routine

This function validates the calling process by making sure that its main executable path belongs to a whitelist (e.g., C:\Program Files\Huawei\PCManager\MateBookService.exe). This simple check on the initiating process’s image path, however, doesn’t guarantee the integrity of the calling process: an attacker-controlled instance of MateBookService.exe is still granted access to the device \\.\HwOs2EcX64 and can call some of its IRP handlers, including the one that registers a watched executable of the attacker’s choice. Because a parent receives a full-access handle to the child process it creates, even code running with low privileges can spawn MateBookService.exe from its legitimate path and then replace the child’s in-memory image with its own. In our proof-of-concept, we used process hollowing.

figure-12-Procmon-utility-results-showing-POC-process-start-exit-IL

Figure 12. Procmon utility results showing POC process start/exit & IL

Because watched processes are blindly launched by the watchdog when they’re terminated, the attacker-controlled executable would be invoked as a child of services.exe, running as LocalSystem, hence with elevated privileges.

figure-13-Procexp-utility-process-tree-view-showing-LPE_POC-running-as-LocalSystem

Figure 13. Procexp utility process-tree view showing LPE_POC running as LocalSystem

Responsible disclosure and protecting customers

Once we had a working POC demonstrating the elevation of privilege from a low-integrity attacker-controlled process, we responsibly reported the bug to Huawei through the Microsoft Security Vulnerability Research (MSVR) program. The vulnerability was assigned CVE-2019-5241. Meanwhile, we kept our customers safe by building a detection mechanism that would raise an alert for any successful privilege escalation exploiting the HwOs2Ec10x64.sys watchdog vulnerability as we described.

figure-14-2-Microsoft-Defender-ATP-alerting-on-the-privilege-escalation-POC-code

Figure 14. Microsoft Defender ATP alerting on the privilege escalation POC code

Abusing a second IOCTL handler

Having been able to freely invoke the driver’s IOCTL handlers from user mode, we looked for other capabilities that could be abused. We found one: the driver provided a capability to map any physical page into user mode with read/write permissions. Invoking this handler allowed code running with low privileges to read and write memory beyond its own process boundaries, in other processes or even in kernel space. This, of course, means full machine compromise.

We also worked with Huawei to fix this second vulnerability, which was assigned CVE-2019-5242. Huawei addressed the flaw in the same security advisory.

We presented our research at the Blue Hat IL Conference in February. Watch the video recording here, and get the slide deck here.

Summary

The two vulnerabilities we discovered in this driver demonstrate the importance of designing software and products with security in mind. Security boundaries must be honored, and attack surface should be minimized as much as possible. In this case, the flaws could have been prevented with a few precautions:

  • The device object should have been created with a DACL granting only SYSTEM (and, if needed, Administrators) access, since only the vendor’s own services communicate directly with the driver; IoCreateDeviceSecure takes exactly such a DACL as an SDDL string, whereas IoCreateDevice leaves the default one in place
  • If a service needs to persist, developers should check whether the OS already provides that capability (the Service Control Manager’s recovery actions restart a service that terminates unexpectedly, without any kernel code) before implementing a complex mechanism of their own
  • User mode shouldn’t be allowed to perform privileged operations like writing to arbitrary physical pages; if needed, the driver should do the actual writing itself, for well-defined, hardware-related scenarios, and validate every address it touches
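To make the first precaution concrete, here is an added example (not code from the blog post or from the vendor’s driver) that evaluates who can open a device object under a given DACL, written out as an SDDL string the way it would be passed to IoCreateDeviceSecure. Both descriptors are constructed: the first mirrors what the article describes for the vulnerable device (Everyone has read/write access), the second is the recommended restriction to SYSTEM and Administrators. Only the SID aliases and rights abbreviations listed in the block are handled, and the token SID lists are made up for the demonstration.

```python
"""Access check on a device object's DACL, parsed from SDDL.
Added example; descriptors and tokens are constructed."""
import re
from typing import Iterable, List, Tuple

# Well-known SID abbreviations (subset) and their string SIDs.
SID_ALIASES = {
    "WD": "S-1-1-0",       # Everyone
    "AU": "S-1-5-11",      # Authenticated Users
    "SY": "S-1-5-18",      # Local System
    "BA": "S-1-5-32-544",  # Administrators
    "BU": "S-1-5-32-545",  # Users
}

# Generic access bits as laid out in ACCESS_MASK (winnt.h).
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
GENERIC_EXECUTE, GENERIC_ALL = 0x20000000, 0x10000000
RIGHT_ABBREV = {"GR": GENERIC_READ, "GW": GENERIC_WRITE,
                "GX": GENERIC_EXECUTE, "GA": GENERIC_ALL}

_DACL_RE = re.compile(r"D:(P?)((?:\([^)]*\))*)")
# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;sid)
_ACE_RE = re.compile(r"\(([AD]);([^;]*);([^;]*);[^;]*;[^;]*;([^)]+)\)")


def parse_dacl(sddl: str) -> Tuple[bool, List[Tuple[str, int, str]]]:
    """Return (has_dacl, [(ace_type, access_mask, sid)]). No D: component at
    all is a NULL DACL, which Windows treats as 'everyone gets everything';
    a D: with no ACEs is an empty DACL, which grants nobody anything."""
    m = _DACL_RE.search(sddl)
    if not m:
        return False, []
    aces = []
    for ace_type, _flags, rights, sid in _ACE_RE.findall(m.group(2)):
        if rights.startswith("0x"):
            mask = int(rights, 16)
        else:
            mask = 0
            for i in range(0, len(rights), 2):
                mask |= RIGHT_ABBREV[rights[i:i + 2]]
        aces.append((ace_type, mask, SID_ALIASES.get(sid, sid)))
    return True, aces


def _expand(mask: int) -> int:
    # GENERIC_ALL implies the other generic rights. The kernel would also map
    # generics onto the object's specific rights; not needed for this check.
    if mask & GENERIC_ALL:
        mask |= GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE
    return mask


def access_check(sddl: str, token_sids: Iterable[str], desired: int) -> bool:
    """Walk the ACEs in order, as the kernel does: the first matching deny ACE
    that covers any desired bit loses; allow ACEs accumulate until the whole
    desired mask is covered."""
    if not desired:
        return True
    has_dacl, aces = parse_dacl(sddl)
    if not has_dacl:
        return True
    sids = set(token_sids)
    granted = 0
    for ace_type, mask, sid in aces:
        if sid not in sids:
            continue
        mask = _expand(mask)
        if ace_type == "D" and mask & desired:
            return False
        if ace_type == "A":
            granted |= mask & desired
            if granted == desired:
                return True
    return False


# Constructed descriptors. WEAK mirrors the article: Everyone may read and write.
WEAK_DEVICE_SDDL = "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;WD)"
# HARDENED is the recommended shape: SYSTEM and Administrators only.
HARDENED_DEVICE_SDDL = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"

# Constructed tokens: a low-privilege user process and a LocalSystem service.
LOW_PRIV_TOKEN = ["S-1-5-21-1000-2000-3000-1001", "S-1-1-0", "S-1-5-11", "S-1-5-32-545"]
SYSTEM_TOKEN = ["S-1-5-18", "S-1-1-0", "S-1-5-11", "S-1-5-32-544"]
OPEN_RW = GENERIC_READ | GENERIC_WRITE

if __name__ == "__main__":
    for name, sddl in (("weak", WEAK_DEVICE_SDDL), ("hardened", HARDENED_DEVICE_SDDL)):
        print(f"{name}: low-priv open RW = {access_check(sddl, LOW_PRIV_TOKEN, OPEN_RW)}, "
              f"SYSTEM open RW = {access_check(sddl, SYSTEM_TOKEN, OPEN_RW)}")
```

With the hardened descriptor the IRP_MJ_CREATE path check becomes unnecessary: a low-privilege process never gets a handle in the first place, so hollowing a whitelisted executable gains nothing. Note the two edge cases the parser distinguishes, because they are easy to confuse when writing a descriptor by hand: omitting the D: component entirely yields a NULL DACL (all access to everyone), while "D:" with no ACEs denies everyone, including the vendor’s own service.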

Microsoft’s driver security checklist provides some guidelines for driver developers to help reduce the risk of drivers being compromised.

Our discovery of the driver vulnerabilities also highlights the strength of Microsoft Defender ATP’s sensors. These sensors expose anomalous behavior and give SecOps personnel the intelligence and tools to investigate threats, as we did.

Anomalous behaviors typically point to attack techniques perpetrated by adversaries. In this case, they pointed to a flawed design that could be abused. Either way, Microsoft Defender ATP exposed a security flaw and protected customers before it could be used in actual attacks.

Not yet reaping the benefits of Microsoft Defender ATP’s industry-leading optics and detection capabilities? Sign up for free trial today.

Amit Rapaport (@realAmitRap)
Microsoft Defender Research team

Go to Original Article
Author: Microsoft News Center

Announcing Windows Admin Center Preview 1903 | Windows Experience Blog

Hello Windows Insiders! Thank you for your continued interest in Windows Admin Center! In this release, we have added a few new tools and functionality, all based on our top user feedback.
Email notifications in Windows Admin Center is the #1 user request. We are enabling this with new Azure Monitor integration in Windows Admin Center. More details and setup instructions are below.
A new tool to manage Active Directory Users and Groups is the #2 user request. The #5 request is a new tool to manage DHCP, and the #7 request is a new tool to manage DNS. These three preview tools are not included in the Windows Admin Center installer; you must install them from the Extensions manager in Settings. With these tools on the extension feed, they can be easily updated more frequently. To make this easier, we’ve made improvements to the notifications you get regarding extensions, which are described below.
The #6 user request for Windows Admin Center is adding connections from Active Directory. In this release of Windows Admin Center, we added the option to search Active Directory when adding Servers or Windows 10 PCs to your connection list. Using wildcards in your search and adding multiple connections is supported.
Finally, the Dark UI theme that was first introduced in Windows Admin Center Insider Preview 1812 is no longer an experimental feature; if you haven’t tried it yet, check it out in the Personalization tab in Settings!
If you missed last month’s Windows Admin Center Insider preview release, you can check out the new shared connection list, and SDN features here.

To help make extension discovery and update easier, we’ve added the following features:

A notification will appear when you connect to a server or cluster and there is an extension available that supports the hardware manufacturer and model. Information for implementing this in the extension package will be provided to our extension developer partners, and you will start seeing these notifications as partners update their extensions in the future. In the next release, we plan to provide an option to turn off these notifications if the user chooses.

A notification will appear if you open a tool/extension and an update for the extension is available to install. (Known issue: In desktop mode, the notification will tell you to contact your gateway admin to install the update; this will be fixed in an upcoming release.)

After installing the Active Directory extension from the extension feed, the tool will appear when you connect to a server that is a domain controller. In this version of the tool, you can:

View domain details such as DNS root, forest, and domain mode
Create users, configure basic user properties, and group memberships
Create groups and manage membership
Search for users, computers, and groups (search limited to 10 of each type in this release)
View details pane for users, computers, and groups
Enable/disable, and remove user or computer objects
Reset user passwords
Configure resource-based constrained delegation on a computer object (use this to configure single sign-on for your Windows Admin Center gateway deployment!)

After installing from the extension feed, the DNS tool will appear when your server is configured as a DNS server. In this version of the DNS tool, you can:

View details of DNS Forward Lookup zones, Reverse Lookup zones and DNS records
Create Forward Lookup zones in different types (primary, secondary and stub), configure Forward lookup zone properties like master servers, dynamic update, zone file location, etc.
Create Host (A or AAAA), CNAME or MX type of DNS records, configure DNS records properties such as FQDN, TTL, etc.
Create IPV4 and IPV6 Reverse Lookup zones in different types (primary, secondary and stub), configure reverse lookup zone properties like Network ID, zone file name and location, Master Servers, etc.
Create PTR, CNAME type of DNS records under reverse lookup zone, configure DNS records properties such as HOST IP Address, FQDN, TTL, etc.

After installing from the extension feed, the DHCP tool will appear when your server is configured as a DHCP server. In this version of the tool, you can:

View IPV4 and IPV6 scope details such as IP distribution status, usage of IP addresses, address exclusions and address reservations.
Create IPV4 and IPV6 scopes, configure scopes properties such as IP address range, Router, lease duration of DHCP client and Activate/Deactivate IPV4/IPV6 scopes
Create address exclusions and configure start and end IP address
Create address reservations and configure client MAC address (IPV4), DUID and IAID (IPV6)

Our #1 UserVoice request was to enable email notifications from Windows Admin Center. Now, with the added integration with Azure Monitor, you can configure custom email notifications about your server health, using the robust alerting framework of Azure Monitor. With Azure Monitor’s free 5 GB of data per month/customer allowance, you can easily try this out for a server or two without worry of getting charged. Read on to see additional benefits of onboarding servers into Azure Monitor, such as getting a consolidated view of systems performance across the servers in your environment.
Set up your server for use with Azure Monitor, coming this week!
Note: We are releasing this feature with Windows Admin Center Preview 1903 to Windows Insiders today, however there is a pending API update in Azure that is not rolled out yet. The feature will not be functional end-to-end until the update in Azure is live by the end of the week, March 29th.
From the Overview page of a server connection, click the new button “Manage alerts”, or go to Server Settings > Monitoring and alerts. Within this page, onboard your server to Azure Monitor by clicking “Set up” and completing the setup pane. Admin Center takes care of provisioning the Azure Log Analytics workspace, installing the necessary agent, and ensuring the VM insights solution is configured. Once complete, your server will send performance counter data to Azure Monitor, enabling you to view and create email alerts based on this server, from the Azure portal.
Create email alerts
Once you’ve attached your server to Azure Monitor, you can use the intelligent hyperlinks within the Settings > Monitoring and alerts page to navigate to the Azure Portal. Admin Center automatically enables performance counters to be collected, so you can easily create a new alert by customizing one of many pre-defined queries, or writing your own.
Get a consolidated view across multiple servers
If you onboard multiple servers to a single Log Analytics workspace within Azure Monitor, you can get a consolidated view of all these servers from the Virtual Machines Insights solution within Azure Monitor (tackling another top 10 UserVoice request!) Note that only the Performance and Maps tabs of Virtual Machines Insights for Azure Monitor will work with on-premises servers – the health tab functions only with Azure VMs. To view this in the Azure portal, go to Azure Monitor > Virtual Machines (under Insights), and navigate to the “Performance” or “Maps” tabs.
Visualize apps, systems, and services connected to a given server
When Admin Center onboards a server into the VM insights solution within Azure Monitor, it also lights up a capability called Service Map. This capability automatically discovers application components and maps the communication between services so that you can easily visualize connections between servers with great detail from the Azure portal. You can find this by going to the Azure portal > Azure Monitor > Virtual Machines (under Insights), and navigating to the “Maps” tab.
Note: The visualizations for Virtual Machines Insights for Azure Monitor are currently supported for the following Azure regions only: East US, West Central US, West Europe, and Southeast Asia. You must deploy the Log Analytics workspace in one of these regions to get the additional benefits provided by the Virtual Machines Insights solution described above.

Known issues

Azure Monitor – If you try to set up Azure Monitor and get an error, then Azure has not finished rolling out a required API update. Please try again later; the update in Azure is scheduled to complete by the end of the week, March 29th.
Virtual Machine Settings – If you attempt to change a VM setting within a Hyper-Converged or Failover Cluster connection, you will receive an error notification and the setting change will fail. The workaround solution is to connect to the Hyper-V host that the VM resides on as a Server connection and make the VM setting change there. This bug will be fixed in the next release.
Network – If you have configured an Azure Network Adapter, the value under Microsoft Azure Virtual Network Gateway Address will be formatted as a hyperlink but leads to an invalid address. [20420185]
Extension update notification – In desktop mode, the notification will tell you to contact your gateway admin to install the update. This bug will be fixed in the next release. [20646984]
Azure Update Management onboarding – If you get an error setting up or using Azure Update Management, this is a known issue which will also be fixed by the Azure API change described in the Azure Monitor section above. If you have already installed the MMA agent, or install the agent using the new integration for Azure Monitor, you will not be able to onboard the server to Azure Update Management through the UI in Windows Admin Center. If Azure Update Management is already configured (whether through Admin Center or another way), you can still onboard the server to the Azure Monitor Virtual Machines Insights solution using the Windows Admin Center UI.
Chrome users may see a 403 Forbidden response from WAC after upgrading. The workaround is to close *all* open Chrome tabs (make sure there are no chrome.exe processes running). After restarting Chrome, everything will function normally. We have an error message that makes this clear, but Chrome users with multiple Windows Admin Center tabs open during upgrade will not see the message.

Registered Insiders may download Windows Admin Center Preview 1903 directly from the Windows Server Insider Preview download page, under the Additional Downloads dropdown. If you have not yet registered as an Insider, see Getting Started with Windows Server on the Windows Insiders for Business portal.

The most important part of a frequent release cycle is to hear what’s working and what needs to be improved, so your feedback is extremely valued. Send us feedback via UserVoice. We also encourage you to visit the Windows Admin Center space on the Microsoft Tech Communities forum to collaborate, share and learn from experts.

All pre-release software made available to you via the Windows Server Insider program is governed by the Insider Terms of Use.

No downtime for Hustle-As-A-Service,
Dona

Google Cloud taps into VMware vRealize for hybrid deployments

VMware shops now have a way to manage both on-premises virtualized workloads and Google Cloud Platform resources from the same console — a pairing that supports hybrid cloud scenarios and speaks to VMware’s still-critical influence on enterprise IT.

In July 2018, VMware and Google pledged to create a plug-in for VMware’s vRealize Automation software to tap into Google Cloud Platform (GCP). The plug-in, which is now generally available, connects to VMware vRealize Orchestrator, the workflow engine inside vRealize Automation, to provide a consistent experience for admins across vSphere and GCP environments, VMware said.

Google Cloud services are accessed and managed through vRealize Automation from the command line, an API or as blueprints published to the management suite’s service catalog.

Customer feedback during the project’s testing period prompted VMware and Google to add features outside the original scope. These include support for more Google Cloud services, including Google Kubernetes Engine, Cloud Spanner, Cloud Filestore, Cloud SQL and Cloud Pub/Sub. They also enhanced performance, reliability and usability, such as a workflow that captures errors and sends email reports to support teams.


The move helps Google Cloud keep pace with AWS and Microsoft Azure, which already had integration points with VMware vRealize. In the case of AWS, that relationship has even influenced vRealize’s design direction. Moreover, the Google Cloud plug-in for vRealize Automation is not as comprehensive as VMware Cloud on AWS, said Mary Johnston Turner, research vice president for cloud management at IDC. VMware Cloud on AWS, built on VMware’s Cloud Foundation software stack, is now available in 13 AWS regions.

Still to come is AWS Outposts, an AWS-managed system that will reside inside customers’ data centers. Outposts, planned for release later this year, will let customers manage workloads either with the VMware control plane or with a variant that uses AWS’ own tools.


Meanwhile, Google has introduced Cloud Services Platform, a software stack that is meant to run on a customer’s existing data center hardware and is dependent on VMware.

Still, the Google plug-in to vRealize Automation is a useful integration point for VMware customers and a good step forward for Google, Turner said.

“This underscores the value and role VMware is playing in multi-cloud and the continued interest in on-premises [deployments],” she said.

A couple of years ago, many IT observers believed the bulk of workloads would eventually move into the public cloud. That hasn’t played out for various reasons, such as a miscalculation of how quickly application architectures could transform and take advantage of the cloud model, concerns over latency and regulatory limitations, Turner said. As containers and microservices come into vogue for distributed application development, hybrid cloud makes more sense.

“Organizations have become much more savvy about how they make these multi-cloud decisions, what workloads go where,” Turner said.


Wanted – Cheap 1150 CPU and DDR3 laptop memory

Discussion in ‘Desktop Computer Classifieds‘ started by geordieboy25, Mar 13, 2019.

  1. geordieboy25

    Hi guys.

    Just bought a 2nd user laptop and a Lenovo M93P sff.

    Neither of which came with memory, and I’d like a few 4GB DDR3 sticks.

    Also the M93P was a barebones kit so would like a cheap cpu. Just wanted to get it up and running, nothing fancy please.

    Thanks

    Location: Newcastle


  2. maddy

    CEX are cheap for 4GB DDR3 – £8, or £9.50 posted. They’re the cheapest I’ve found.

    Is your Lenovo one of the tiny range? If it is, make sure you buy an Intel from their “T” series, as the tiny ones aren’t designed for the thermal load of a non-T CPU.

    Great little machines.

  3. Krooner

    I have 2 sticks of 4GB DDR3 at home. Do you need low voltage RAM in the SFF?

  4. geordieboy25

    Not too sure, is it SODIMMs that you have?

  5. Krooner

    Yes, I know the ultra small form factor units require PC3L, is all; not sure about the SFF. It was something I ran into on the m92p.

    I have Low voltage sticks, but if it will take standard PC3 then CEX will be 50p per stick cheaper than me.

  6. GIBSrUS


    Hiya. I have a Pentium G3258 if that’s of interest?

  7. geordieboy25


    Thanks, but I think I need a “T” series CPU.

Understand Azure Update Management basics

Keeping up with all of the patches an organization needs already takes careful and quick planning. Mixing the location of OSes in the cloud and on premises adds another challenge.

Microsoft created Azure Update Management to centralize and automate Windows and Linux patching, wherever the systems are located. The service promises to simplify the process, but IT administrators must decide if the tool fits their organization’s needs and understand how to integrate it with their existing systems.

How to use Azure Update Management

Administrators enable Azure Update Management through Azure Automation or Windows Admin Center, where they can review and schedule the available updates with the help of Azure Log Analytics. The service relies on several components to deploy updates: the Microsoft Monitoring Agent, PowerShell, and the Automation Hybrid Runbook Worker for Windows and Linux.

Azure Update Management keeps track of each system’s status with multiple scans throughout the day, which Azure Log Analytics processes. If a new update is available, each OS retrieves an update from its source, such as Windows Server Update Services (WSUS) for Windows or a local repository for Linux systems.

The service determines that a new update applies by comparing the logged status of each system. Once administrators schedule a deployment, Azure Automation creates a master runbook that checks each targeted system and confirms that it needs the update.

Confirm system compatibility

Before administrators dive into incorporating Azure Update Management into their tool set, they should confirm that their systems are compatible. Azure Update Management supports many Windows and Linux systems, both on premises and in the cloud, but with exceptions. Windows Server 2008 R2 SP1 and newer server versions meet the requirements because they have .NET Framework 4.5.1 or later and Windows PowerShell 4.0 or later; Windows agents connect to WSUS or Microsoft Update. Administrators cannot, however, use Azure Update Management to patch Windows client OSes or Nano Server deployments.

Many Linux distributions can use Azure Update Management, including CentOS 6 x86 and x64 versions, Red Hat Enterprise Linux 6 x86 and x64 versions, and Ubuntu Linux 14.04 LTS. Compatible Linux systems use agents with access to public or private repositories.

How to integrate management tools

Azure Update Management can lighten an administrator’s update workload in combination with other automation and reporting tools.

Security services can block some updates, but PowerShell runbooks work with Azure Update Management to automatically turn off security services with scripts before the deployment and turn them back on after. Administrators can schedule deployments with System Center Configuration Manager and get a report back from Azure’s update service or vice versa. This also requires configuration with Azure Log Analytics for the storage and analysis of reports.
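As an added example (not from the article or from Microsoft’s documentation), the scheduled deployment with pre- and post-task runbooks described above, expressed with the Az.Automation PowerShell cmdlets: a weekly Windows deployment limited to Critical and Security updates, with a pre-task runbook that stops a service before the window and a post-task runbook that restarts it afterwards. The resource group, Automation account, VM resource IDs, runbook names and service name are placeholders, and the two runbooks are assumed to already exist in the account.

```powershell
# Added example (not the article's code). Placeholders: $rg, $account, $vmIds,
# the two runbook names and the service name. Requires the Az.Automation module
# and an existing Az login context.
$rg      = 'rg-patching'   # placeholder resource group
$account = 'aa-updates'    # placeholder Automation account
$vmIds   = @(               # placeholder VM resource IDs
    '/subscriptions/<sub-id>/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/web01',
    '/subscriptions/<sub-id>/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/web02'
)
$preRunbook  = 'Stop-MaintenanceService'   # assumed to exist in $account
$postRunbook = 'Start-MaintenanceService'  # assumed to exist in $account
$taskParams  = @{ ServiceName = 'ExamplePlaceholderSvc' }  # passed to both runbooks

# Fail early if the post-task runbook is missing: a deployment that stops a
# service but never restarts it would leave the hosts in a weaker state.
foreach ($name in @($preRunbook, $postRunbook)) {
    $rb = Get-AzAutomationRunbook -ResourceGroupName $rg -AutomationAccountName $account `
        -Name $name -ErrorAction SilentlyContinue
    if (-not $rb) { throw "Runbook '$name' not found in Automation account '$account'" }
}

# Weekly maintenance window on Sundays; the schedule must start in the future.
$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
    -Name 'weekly-windows-patching' -StartTime (Get-Date).AddMinutes(10) `
    -WeekInterval 1 -DaysOfWeek Sunday -TimeZone 'UTC'

# Create the update deployment: Windows targets, Critical + Security only,
# a two-hour window, reboot only when the update requires it, and the
# pre/post runbooks wired in with their parameters.
$deployment = New-AzAutomationSoftwareUpdateConfiguration `
    -ResourceGroupName $rg -AutomationAccountName $account `
    -Schedule $schedule -Windows -AzureVMResourceId $vmIds `
    -IncludedUpdateClassification Critical, Security `
    -Duration (New-TimeSpan -Hours 2) `
    -RebootSetting IfRequired `
    -PreTaskRunbookName $preRunbook  -PreTaskRunbookParameter $taskParams `
    -PostTaskRunbookName $postRunbook -PostTaskRunbookParameter $taskParams

$deployment | Select-Object Name, ProvisioningState
```

The post-task runbook is the part worth reviewing after each run: if it fails, the service it was meant to restart stays stopped, so its job output should be checked alongside the deployment result in Log Analytics.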

Microsoft’s Operations Management Suite (OMS) requires some adjustment to shift to Azure Update Management; admins must recreate deployments in Azure. Azure Automation can rebuild update deployments using the OMS details.

Beware of additional fees

To use the basic functionality of Azure Update Management, such as system checks and deployment updates, organizations do not have to pay; however, using the advanced features comes with a price that increases with the size of the environment.

For example, Microsoft charges organizations for advanced features based on the gigabytes of ingested and stored data in Azure Log Analytics per month after they use up the free 5 GB of data ingestion and 31 days of storage per month.

Administrators should estimate the cost of the update service and keep track of charges throughout its use to make sure the charges match expectations.


Easily Choose Your Route with Bing Maps Traffic Coloring

There is an old saying that you don’t know where you are going until you get there. With Bing Maps new route coloring feature, you will know right away where the delays will be along your selected route so you can change your route, your plans or your destination based on the route ahead!

For example, if you are leaving Redmond Town Center for Westlake Center in Seattle, you can see the delays on WA-520 W and I-90 W before you decide which route to take. Also, with our new route labels showing the travel mode, distance and time of each route, you can easily compare and toggle between the different routes quickly on the map.

Bing Maps Traffic Coloring

While blue means no traffic delays, the orange and red colors highlight moderate to heavy traffic delays on the route. These are calculated based on a combination of current traffic updates and predictions from historic data depending on the length of the route.

Traffic coloring not only helps you select the best route for your trip, but can also be very useful when there are major traffic delays due to inclement weather, big events, accidents, or road construction nearby. For example, if there is an MLB or NFL game in town, you can avoid the most impacted roads near the event and choose an option that offers the least delays.

In addition, if you need to take a ferry as part of your route, Bing Maps visualizes the ferry segments using dashes to differentiate that part of the trip. The image below illustrates the route between Bellevue and Bainbridge Island in Washington State. Bing Maps highlights the ferry segment between Seattle and Bainbridge with a dashed line.

Bing Maps Traffic Coloring Ferry Route

The Bing Maps Routing and Traffic Team is constantly working to make navigation and route planning easier for our users. To try out the traffic coloring feature, go to https://www.bing.com/maps.

 – Bing Maps Team

Author: Microsoft News Center

Array Networks launches monitoring system for app performance

Array Networks Inc., a maker of network functions virtualization hardware, has introduced monitoring and reporting software for its virtual application delivery controllers, providing customers with a reporting option other than third-party products.

Array released this week its Monitoring and Reporting System (MARS), which can handle as many as 32 of the company’s virtual APV Series ADCs. Customers use the controller, which companies can buy as a component of Array’s AVX NFV appliance, to improve application performance and security.

Array customers access MARS through a console that can run on an AVX appliance or a VMware virtual machine. The console comprises five customizable dashboards for monitoring server behavior and traffic. Array designed the console as a tool to help network administrators spot trends that could lead to a deterioration of application performance.

Array released MARS as an alternative to third-party products that provided similar features by drawing data from the vendor’s ADCs through their RESTful APIs. “We did not have our own monitoring and reporting system that we could sell to a customer,” said Paul Andersen, head of sales at Array.

In general, universal monitoring tools from other vendors tend to be less useful than those built for a specific product, said Kevin Tolly, founder of The Tolly Group, an IT testing firm based in Boca Raton, Fla.

“Third-party tools, by definition, are more generic, less tightly coupled to the app and might not be able to provide the level of detail or the timeliness of an integrated solution,” said Tolly, whose customers include Array.

Array Networks MARS dashboards

Four of the MARS console’s five dashboards focus on monitoring a specific element of the network. The items include HTTP response codes, such as status, the URLs administrators should cache to improve application performance, server response times, and secure socket layer (SSL) traffic. The fifth dashboard alerts administrators to performance issues, such as a problematic IP address.

The alert dashboard in Array Networks’ new Monitoring and Reporting System.

Array plans to release more dashboards covering other application-related data in the future. Andersen said the company could offer three or four more panels next quarter.

The Array vAPV controllers feeding data into MARS provide Layer 4-7 server and network link load balancing, SSL acceleration, caching, compression, traffic shaping and protection against distributed denial-of-service attacks. Array claims its ADCs can deliver 99.999% application availability while significantly improving application response times. The software, which can also run as a virtual instance on a public cloud, acts as the first line of defense for web-enabled applications and cloud services, according to the vendor.

Array’s AVX network functions virtualization platform, launched in May 2017, comprises a series of virtualized servers for running Array and third-party software. The latter includes Fortinet’s FortiGate next-generation firewall and Positive Technologies’ PT AF web application firewall.

Companies can purchase MARS through Array resellers. A perpetual license starts at $7,995 for two units, while a yearly subscription license starts at $2,665 for an equal number of units.


For Sale – Inwin X99 980ti system

I suspect I’ll need to split this, but will try the whole system.

It has barely been used. I’ve played <50h on it.

It runs like a dream. Currently clocked at 4.5GHz. CPU never goes above 60C.

I’ve never mined on it or ran anything more taxing than a game.

Everything other than the CPU is boxed.

Edit: I’m keeping my SSD, but I’ll include a small ssd with a windows install to show it works.

5820k (no box)
X99 MSI MPower motherboard

MSI X99A MPOWER USB 3.1 ATX Motherboard

16GB (4x4GB) Corsair Dominator Platinum 3000MHz C15 quad channel kit

GTX 980ti Zotac Amp

Corsair H115i 280mm AIO (need to double check model)

Inwin 805c

Corsair RMI850 + white Corsair braided cables

Corsair white fans x3

Any questions, ask away

Price and currency: £725
Delivery: Delivery cost is not included
Payment method: BT / PPG / cash
Location: Glasgow
Advertised elsewhere?: Not advertised elsewhere
Prefer goods collected?: I have no preference
