To narrow the scope of GPO create OU with only WSUS server(s), or create security filter for sec.group with only computer accounts of WSUS server(s):
details:
result should be like:
Everybody knows about free Windows System Update Service/WSUS. But i feel this service needs some extra explanations, recommendations for newbie sysadmins.
At first why do you need it? – briefly: for security and to fix software glitches. Proper and in time hotfixing/patching has paramount importance for security (maybe even more important than to have weak antivirus, IDS/IPS, firewall and other standard protection measures, which also should be regularly updated) If your health is bad or even if you are close to die then just screening from hackers will not help you. The weaker you are the more expensive protection, … Read the rest
In May 2017 Intel publicly confirmed the vulnerability in own firmware for vPro/AMT.
To download and patch such computers from Dell use links inside the PDF file from following link.
But as i mentioned in my linkedin post it’s possible to protect even noname computers (without updated BIOS) with compromised ME firmware — implementing SSL/TLS certificates for mutual authentication. In this post i will show how it can be done.
At first let’s consider that
Let’s Encrypt free certificates are very useful for Microsoft web servers, MS Dynamics Nav web client access, Exchange and Lync/Skype for business external accesses and so on (better to use it with windows ACME clients for auto prolongation of certificate)
But if you have problems with publishing 80/443 port of your web server (conflict with router admin port, or maybe even server is not in public Internet access and so on, maybe you should configure manually Let’s encrypt SSL for your testing environment)
1. go to https://zerossl.com
2.
3.
Certbot/ACME clients use “HTTP verification”. We will in this post use … Read the rest
In the previous post i recommended for non-critical web services to start using free certificates from “Let’s encrypt”.
Many people refuse to use this kind of certificates thinking that it’s not good enough and moreover it’s only for 3 months and that it would be annoying to prolong it manually each 3 months and not forget about it. As for “not good enough” – even if you don’t trust free SSL certificates for web server authentication it’s always better to have enabled SSL than to go without SSL – at least channel will be encrypted (unlike free self-signed certs which … Read the rest
Microsoft stopped the support for XP, but for WannaCry attack they made exclusion:
If you have too many XP as a pos stations you can use registry hack to enable again Windows Update for extra 5 years.
Sometimes temporary, moreover free VPS hosing for 1 year is great and generous opportunity. Usually it’s very handy for testing (for example to install linux, configure lamp, wordpress, 2fa, freeSSL, plugins and so on ), web development, personal blogs, short-term projects like election events and so on.
Amazon Web service suggests it for whole 1 year. Just be VERY careful to not trespass limits of free tier (for example AWS automatically has done EBS snapshots during import of my vmware ova to AWS AMI and later on to free tier instance — although 09 cents were generously forgiven by AWS … Read the rest
Strange that the main national domain registrar (http://manage.datacom.mn) yet don’t use SSL for own management console. Mobinet, national cloud provider even don’t have DNS registration for own services asking to create hosts file records for vps-mgnt.mobinet.mn. Mobinet who resells Comodo SSL doesn’t have valid SSL for https://vps-mgnt.mobinet.mn/ (and looks like self-signed SSL is created to conflict with vmware cert namespace).
SSL providers suggest DNS (email) validation for certificate CSR, so vulnerable web DNS manager (not protected by SSL) can compromise issued SSL certs and finally web sites with online banking, payment systems and so on. I suggest for
The main reason why you need to limit end-users on Windows and Mac computers is the same – much longer periods of stable, guaranteed work with less maintenance overheads.
Recently i see more and more companies which ignores that principle. Mindlessly MacOS is considered as more stable and protected by default without any needs in extra efforts. But if you don’t deprive end-user rights for full system configuration as you do for Windows computers you can get really bad problems. The most unpleasant one is when you got a blocked computer with unknown EFI firmware password. On modern models of