Again about WSUS

Everybody knows about the free Windows System Update Service/WSUS. But I feel this service needs some extra explanation and recommendations for newbie sysadmins.

First, why do you need it? Briefly: for security and to fix software glitches. Proper and timely hotfixing/patching is of paramount importance for security (perhaps even more important than having a weak antivirus, IDS/IPS, firewall and other standard protection measures, which should also be updated regularly). If your health is bad, or even if you are close to dying, then merely screening yourself from hackers will not help you. The weaker you are, the more expensive protection, … Read the rest

How to enable mutual authentication using certificates for vPro/AMT computers.

In May 2017 Intel publicly confirmed the vulnerability in its own vPro/AMT firmware.

To download patches for such computers from Dell, use the links inside the PDF file at the following link.

But as I mentioned in my LinkedIn post, it’s possible to protect even no-name computers (without an updated BIOS) that have compromised ME firmware by implementing SSL/TLS certificates for mutual authentication. In this post I will show how it can be done.

First, let’s assume that

  • you know that your computer supports vPro/AMT, you know its ME version, and you know the AMT type (ISM or full AMT, and so on)
  • you already use intel
Read the rest

How to manually enable Let’s Encrypt SSL for a Windows IIS server.

Let’s Encrypt free certificates are very useful for Microsoft web servers, MS Dynamics NAV web client access, Exchange and Lync/Skype for Business external access, and so on (it is better to use them with Windows ACME clients for automatic certificate renewal).

But if you have problems publishing port 80/443 of your web server (a conflict with the router admin port, or perhaps the server is not reachable from the public Internet at all, and so on), maybe you should configure Let’s Encrypt SSL manually for your testing environment.

1. go to https://zerossl.com

2.

3.

Certbot/ACME clients use “HTTP verification”. In this post we will use … Read the rest

How to auto-renew a “Let’s Encrypt” free certificate beyond the 90-day limit.

In the previous post I recommended starting to use free certificates from “Let’s Encrypt” for non-critical web services.

Many people refuse to use this kind of certificate, thinking that it’s not good enough and, moreover, that it’s valid for only 3 months, so it would be annoying to prolong it manually every 3 months and not forget about it. As for “not good enough”: even if you don’t trust free SSL certificates for web server authentication, it’s always better to have SSL enabled than to go without SSL; at least the channel will be encrypted (unlike free self-signed certs which … Read the rest

WannaCry and XP

Microsoft stopped supporting XP, but for the WannaCry attack they made an exception:

If you have too many XP machines as POS stations, you can use a registry hack to re-enable Windows Update for an extra 5 years.

… Read the rest

If you need temporary VPS hosting (for testing, development, and so on)

Sometimes temporary, and moreover free, VPS hosting for 1 year is a great and generous opportunity. Usually it’s very handy for testing (for example to install Linux, configure LAMP, WordPress, 2FA, free SSL, plugins and so on), web development, personal blogs, short-term projects like election events, and so on.

Amazon Web Services offers it for a whole year. Just be VERY careful not to exceed the limits of the free tier (for example, AWS automatically created EBS snapshots during the import of my VMware OVA to an AWS AMI and later on to a free-tier instance, although the 09 cents were generously forgiven by AWS … Read the rest

Free Comodo SSL, free “Let’s Encrypt” certificates

It is strange that the main national domain registrar (http://manage.datacom.mn) still doesn’t use SSL for its own management console. Mobinet, the national cloud provider, doesn’t even have DNS records for its own services and asks customers to create hosts file entries for vps-mgnt.mobinet.mn. Mobinet, which resells Comodo SSL, doesn’t have a valid SSL certificate for https://vps-mgnt.mobinet.mn/ (and it looks like the self-signed certificate that was created conflicts with the VMware certificate namespace).

SSL providers offer DNS (email) validation for a certificate CSR, so a vulnerable web DNS manager (not protected by SSL) can compromise issued SSL certs and ultimately the web sites with online banking, payment systems, and so on. I suggest for

Read the rest

Facts about Active Directory to help you understand it and use it properly.

  1. AD is the foundation/heart/glue for all Microsoft (and not only Microsoft) server products. Almost any Microsoft solution requires AD as a prerequisite. Therefore it’s a common misunderstanding and misuse to consider AD only as a side effect (or even as a lesser unavoidable evil :)) of implementing other Microsoft systems like MS Dynamics NAV, Exchange, Lync, SharePoint. It means you cannot install Exchange without first installing and configuring AD. As a result of such a wrong approach to AD, many companies don’t use Active Directory appropriately, and some of them don’t understand at all what the main role of AD is
Read the rest

iMacs and MacBooks in a Windows environment: why you had better integrate them.

The main reason why you need to restrict end users on Windows and Mac computers is the same: much longer periods of stable, reliable operation with less maintenance overhead.

Recently I see more and more companies ignoring that principle. macOS is thoughtlessly considered more stable and protected by default, without any need for extra effort. But if you don’t take away end users’ rights to full system configuration, as you do for Windows computers, you can get really bad problems. The most unpleasant one is ending up with a locked computer with an unknown EFI firmware password. On modern models of

Read the rest