najamtech-blog
Najam iTech
8 posts
Breaking computers since 1998; therefore, thought, I should save others' time and money by sharing what I have been learning.
najamtech-blog · 9 years ago
Do you know? Microsoft has the power to track every single word you type or say to its digital assistant Cortana while using its newest operating system, Windows 10. Last fall, we reported about a 'keylogger' that Microsoft openly put into its Windows 10 Technical Preview, saying the company 'may collect voice information' as well as 'typed characters.' It was thought that the company would include the keylogger only within the Technical Preview of Windows 10, just for testing purposes. But the thought was wrong! The keylogger made its way into the Windows 10 public release, which Microsoft offered for free and which gained millions of adopters in just a few days after its first roll-out back in July – but the free upgrade is not always free. Yes, besides various privacy issues, there is a software component that tracks your inputs from your keyboard, voice, screen, mouse, and stylus; however, it is a bit more complicated than you thought.
najamtech-blog · 9 years ago
If you have been a Windows user for a long time, I am sure you must have used the Command Prompt. Even today, CMD helps in performing many advanced administrative functions and in troubleshooting Windows-related issues. We have already covered some basic Command Prompt tips earlier. Today we will see some slightly more advanced CMD tricks for Windows 10 / 8 / 7.
najamtech-blog · 9 years ago
An anonymous reader writes with this bit of news from the Intercept. If you log in to Windows 10 using your Microsoft account, your computer automatically uploads a copy of your recovery key to Microsoft's servers. From the article: “The fact that new Windows devices require users to back up their recovery key on Microsoft’s servers is remarkably similar to a key escrow system, but with an important difference. Users can choose to delete recovery keys from their Microsoft accounts – something that people never had the option to do with the Clipper chip system. But they can only delete it after they’ve already uploaded it to the cloud… As soon as your recovery key leaves your computer, you have no way of knowing its fate. A hacker could have already hacked your Microsoft account and can make a copy of your recovery key before you have time to delete it. Or Microsoft itself could get hacked, or could have hired a rogue employee with access to user data. Or a law enforcement or spy agency could send Microsoft a request for all data in your account, which would legally compel them to hand over your recovery key, which they could do even if the first thing you do after setting up your computer is delete it. As Matthew Green, professor of cryptography at Johns Hopkins University, puts it, ‘Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft
najamtech-blog · 9 years ago
Online Self-service for Windows Troubleshooting Analysis
If you're having issues with a computer or server, Microsoft provides an online tool to help diagnose problems. In the past, working with Microsoft support, you would need to locate specific configuration and support information, find a way to deliver it to support personnel, and then wait for analysis and resolution.
The Machine Memory Dump Collector is run from a web page on the Microsoft diagnostics support site. Running the tool causes an executable to download and run on the local computer, which then uploads the last 5 memory dump files and processes them for analysis.
Go here: The Machine Memory Dump Collector
In addition, the tool collects system configuration information including event logs, hotfixes and updates, networking data, file versioning, specific registry keys, and information about virtualized environments.
najamtech-blog · 9 years ago
What should I know about security? The massive list of links post
I maintain a list of links I call "security stuff every Microsoft customer should know" that I send to every customer I visit. The list ranges from basic things to more in depth security knowledge, and is now available even if I haven't visited you. :) You might want to bookmark this page, as it will get updated periodically.
My links on security I send to every customer:
Best Practices for Securing Active Directory http://aka.ms/bpsadtrd This whitepaper also contains a large quantity of monitoring guidance including which optional logs to turn on. I highly recommend at least skimming through this whole whitepaper.
Pass the Hash Whitepapers
http://microsoft.com/pth (this URL also hosts ongoing content and discussions on the topic of Pass the Hash – there are two whitepapers here, I recommend reading both. )
Channel9 Presentation of SLAM and Lateral Movement:
http://aka.ms/toppopslam
POP-EMET Presentation:
https://channel9.msdn.com/Blogs/Taste-of-Premier/Taste-of-Premier-Protect-Your-Enterprise-with-the-Enhanced-Mitigation-Experience-Toolkit
LAPS Video:
https://channel9.msdn.com/Blogs/Taste-of-Premier/Taste-of-Premier-How-to-tackle-Local-Admin-Password-Problems-in-the-Enterprise-with-LAPS
Download LAPS:
https://aka.ms/laps
JIT-JEA (just in time, just enough admin – this is the future):
http://channel9.msdn.com/events/Ignite/2015/BRK2470
AGPM:
http://channel9.msdn.com/events/TechEd/NorthAmerica/2011/WCL308
Advanced Threat Analytics:
https://channel9.msdn.com/events/Ignite/2015/BRK3870
Ransomware Talk:
https://channel9.msdn.com/Blogs/Taste-of-Premier/Ransomware101
Windows Event Forwarding and monitoring what matters (centralized logging for free!)
http://blogs.technet.com/b/jepayne/archive/2015/11/24/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem.aspx
http://blogs.technet.com/b/jepayne/archive/2015/11/27/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts.aspx
http://blogs.technet.com/b/kfalde/archive/2015/11/18/laps-audit-reporting-via-wef-posh-and-powerbi.aspx
Blackbelt security from TechEd 2014
http://channel9.msdn.com/events/TechEd/Europe/2014/WIN-B318
KB2871997 Overview of the backported security features from 8.1/2012 to 7/2008R2. These features are critical for stopping lateral movement, especially the "Local Account" principal. (Highly recommend following the SRD blog in general, as it is one of the best sources from Microsoft):
http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx
How Cybersecurity investigations actually work - how real attacks happen, a little on what the Incident Response process looks like and a lot on what you could be doing to stop attackers
https://channel9.msdn.com/Events/Ignite/Australia-2015/WIN433
*the attack I show in this was based on this : http://carnal0wnage.attackresearch.com/2013/10/dumping-domains-worth-of-passwords-with.html I'm not linking this to show you how to hack - that's not why I am here, but to show you people who do want to attack you can find clever ways quite easily. You should learn how these work so you can defend against them.
My Boss talking about Microsoft Incident Response:
https://channel9.msdn.com/Blogs/Taste-of-Premier/Taste-of-Premier-Cybersecurity-Incident-Response
Information on the JASBug/GPO patch - this bug would allow you to trick a Windows workstation into getting group policy from the internet. It was patched, however there are steps that need to be configured post-patch to defend against it:
https://www.jasadvisors.com/additonal-jasbug-security-exploit-info/
https://www.jasadvisors.com/about-jas/jasbug-security-vulnerability-fact-sheet/
Blackhat talk on Golden Ticket and other attacks (which can be prevented by the controls we discussed)
https://www.youtube.com/watch?v=-IMrNGPZTl0 (PtH mitigations make all of this moot.)
SRD posts on some of the critical security issues in the last year:
http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx
http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx
Discussions on PowerShell persistence and logging - this is a very popular technique now and most 2008R2/Win7 customers don't have sufficient logging or preventions:
https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html
https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-lazanciyan-investigating-powershell-attacks.pdf
Pretty good writeup of some webshell behavior to maintain persistence on a network (I’ve encountered this group/webshell before and this is pretty spot on even if not written by Microsoft):
http://blog.crowdstrike.com/mo-shells-mo-problems-web-server-log-analysis/
Threatpost discussions of various attacks that can be used:
http://threatpost.com/tracking-malware-that-uses-dns-for-exfiltration/111147
http://threatpost.com/patched-windows-kernel-mode-driver-flaw-exploitable-with-one-bit-change/111020
http://threatpost.com/chinese-hackers-compromised-forbes-com-using-ie-flash-zero-days/110996 This one is really important, because this was targeted malware being deployed simply by visiting a website. This is why defense in depth/desktop hardening/credential hygiene/EMET are so key.
“Admin Free” Active Directory blog posts (anything Laura writes is gold):
http://blogs.technet.com/b/lrobins/archive/2011/06/23/quot-admin-free-quot-active-directory-and-windows-part-1-understanding-privileged-groups-in-ad.aspx
http://blogs.technet.com/b/lrobins/archive/2011/06/23/quot-admin-free-quot-active-directory-part-2-protected-accounts-and-groups-in-active-directory.aspx
Purging Legacy Authentication Protocols:
http://blogs.technet.com/b/askds/archive/2012/02/02/purging-old-nt-security-protocols.aspx
Building custom X-Path filters:
http://blogs.technet.com/b/kfalde/archive/2014/03/25/xpath-event-log-filtering.aspx
Spotting the Adversary with Windows Event Forwarding from our dear friends at the NSA, which is a good write-up of basic monitoring (including gathering crash dumps, as they can indicate compromise in many instances):
http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf
OCTAVE framework for threat modeling:
http://www.cert.org/resilience/products-services/octave/
http://www.sei.cmu.edu/reports/99tr017.pdf (this is the older version but still applicable!)
TechEd presentation on memory analysis which contains details on Pass the Hash and Golden Ticket:
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B350#fbid=
TechEd presentation on EMET to prevent zero days and other exploits (EMET is free!):
http://channel9.msdn.com/events/TechEd/Europe/2014/CDP-B348
Way more in-depth overview of EMET:
http://channel9.msdn.com/events/TechEd/NewZealand/2014/PCIT417
TrustedSec giving EMET an endorsement:
https://www.trustedsec.com/november-2014/emet-5-1-installation-guide/
Redirecting the default place computers joined to your domain go (remember Computers is a “Container” and can’t get policy such as randomized passwords and firewall.):
http://support.microsoft.com/kb/324949
Reducing the number of computers someone can join to the domain so any person with credentials can’t add random Macs to the domain:
http://support.microsoft.com/kb/243327
Using PowerShell to get local group membership like Admins:
http://blogs.technet.com/b/heyscriptingguy/archive/2012/12/15/weekend-scripter-use-powershell-to-find-local-administrators-on-a-computer.aspx
Blocking out of date ActiveX on the internet:
http://technet.microsoft.com/en-us/library/dn761713.aspx
Hope these help!
-Jessica @jepayneMSFT
najamtech-blog · 9 years ago
How to Install .NET Framework 3.5 on Windows Server 2012 R2
Most modern Windows applications require .NET Framework to work properly. The roles and features setup wizard in Server Manager on Windows Server 2012 R2 allows you to install two different versions of .NET Framework at a time – 3.5 and 4.5. The installation of .NET Framework 4.5 doesn’t usually cause any problems – it is all very simple; however, the same cannot be said of the installation of .NET 3.5.
Actually, when trying to install .NET Framework 3.5 on Windows Server 2012 R2 with the standard settings, the following error message appears: «Installation of one or more roles, role services or features failed. The source files could not be found…».
The reason for this behavior is that the .NET Framework 3.5 binary files are not part of the local cache of binary files that is saved to the server when the operating system is installed. This is done under the Features on Demand concept of Windows Server 2012 to reduce the amount of disk space the OS occupies for its own needs.
Check whether .NET Framework 3.5 is in the local repository using the PowerShell command:
Get-WindowsFeature *Framework*
As you can see, the required component has been removed (Install State: Removed).
By default, the system tries to download the necessary files from Windows Update (a local WSUS server is not suitable for this purpose), and if this is not possible, the user is prompted to specify the path to the OS distribution from which the missing component can be installed.
To install .NET Framework 3.5 manually, click Specify an alternative source path and enter the path to a folder containing the Windows Server 2012 R2 installation files.
As the path, you can specify either a local folder (in our example it is D:\sources\sxs, where D:\ is the letter of the local DVD drive with the Windows Server distribution) or a network folder.
After you click OK, the system finds the .NET Framework 3.5 binaries and installs the component.
The same operation can be performed from the command line by running the following command as an administrator:
dism /online /enable-feature /featurename:NetFX3 /all /Source:d:\sources\sxs /LimitAccess
/Online means that the currently running OS is serviced, not an offline image
/enable-feature /featurename:NetFX3 /all means that the .NET Framework 3.5 feature is enabled together with all of the parent features it requires
/Source is the path to the directory with the Windows distribution that contains the necessary components
/LimitAccess prevents DISM from contacting Windows Update
The same operation in PowerShell looks like this:
Add-WindowsFeature NET-Framework-Core -Source d:\sources\sxs
The path to the «original» Windows distribution can be set permanently in the system using:
a registry setting, RepairContentServerSource, located in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing key;
or the group policy Specify settings for optional component installation and component repair (the policy changes this setting in the registry).
Note. The group policy Specify settings for optional component installation and component repair is in the following GPO section: Computer Configuration -> Administrative Templates -> System. The policy should be enabled and the path to the directory with the OS distribution should be specified (Alternative source file path). To prevent the server from trying to update online, check the box Never attempt to download payload from Windows Update.
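The whole procedure above (check the install state, point the installer at the media's sources\sxs folder, install, verify) can be run unattended. The following PowerShell script is an added example written for this page, not code from the original post; it assumes the Windows Server 2012 R2 media is mounted as D: and that the session is elevated. The pre-check of the source folder is what avoids the «source files could not be found» error described above: it confirms the NetFx3 payload is actually present before calling the installer, and it falls back to DISM with /LimitAccess if the cmdlet fails, so the server never reaches out to Windows Update.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): install .NET Framework 3.5 on
# Windows Server 2012 R2 from local installation media without touching Windows Update.
Import-Module ServerManager

$SourcePath = 'D:\sources\sxs'   # assumption: the install media is mounted as D:

$feature = Get-WindowsFeature -Name NET-Framework-Core
if ($feature.Installed) {
    Write-Host '.NET Framework 3.5 (NET-Framework-Core) is already installed.'
    return
}
# 'Removed' means the payload is not in the local component store (Features on
# Demand), so an install without -Source would try Windows Update and then fail.
Write-Host "Current install state: $($feature.InstallState)"

# Pre-check: the side-by-side folder must exist and must contain the NetFx3
# on-demand package, otherwise the installer reports 'source files could not be found'.
if (-not (Test-Path -Path $SourcePath -PathType Container)) {
    throw "Source folder '$SourcePath' not found. Mount the Windows Server 2012 R2 media first."
}
$payload = Get-ChildItem -Path $SourcePath -Filter '*netfx3*' -ErrorAction SilentlyContinue
if (-not $payload) {
    throw "No NetFx3 payload found under '$SourcePath'. Check that this is the media's \sources\sxs folder."
}

# Install from the media only. Add-WindowsFeature returns a result object with
# Success, RestartNeeded and ExitCode that we can act on.
$result = Add-WindowsFeature -Name NET-Framework-Core -Source $SourcePath
if ($result.Success) {
    Write-Host "Installed: $($result.FeatureResult.DisplayName -join ', ')"
    if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required to finish the installation.' }
} else {
    Write-Warning "Add-WindowsFeature failed (exit code $($result.ExitCode)); retrying with DISM."
    # /LimitAccess keeps DISM off Windows Update, exactly as in the command shown above.
    & dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:$SourcePath /LimitAccess
    if ($LASTEXITCODE -ne 0) { throw "DISM failed with exit code $LASTEXITCODE" }
}

# Verify: the state should now read 'Installed' (or 'InstallPending' until the restart).
$after = Get-WindowsFeature -Name NET-Framework-Core
Write-Host "Install state after operation: $($after.InstallState)"
```

Run the script from an elevated PowerShell prompt; if the media lives on a file share instead of a DVD, change $SourcePath to the UNC path of its sources\sxs folder, which the installer accepts in the same way as a local drive.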
najamtech-blog · 9 years ago
If you are a mobile worker and use a portable Windows 10 based device between home, work or even different floors of your company, there is a new feature in the November update for Windows 10 that makes accessing your default printer more logical.
In previous versions of Windows your default printer never changed, and if you needed to use a different printer in a new location for a short period of time it always meant re-selecting it for each print job.
Now, in the November Update for Windows 10, you can allow Windows to manage your default printer so that the last printer you used will come up as your default for printing jobs.
najamtech-blog · 9 years ago
What the new Windows 10 servicing model means for businesses
From the Windows Server News newsletter
Despite all the new bells and whistles, probably the biggest change in Windows 10 as far as IT professionals are concerned is no more service packs. With previous versions of Windows, Microsoft would periodically release service packs that included all software updates since the initial release of that Windows version and which occasionally also included new features. Service packs were typically released every year or so. Windows 2000 actually had four service packs released during its product lifetime, while Windows XP Service Pack 2 included some major security improvements to the platform including a much-needed host firewall, a popup blocker and security zones for Internet Explorer, new Automatic Updates settings and mechanisms, and other much-needed features for XP. But on the whole service packs usually only included fixes--new features were delayed until the next major release of the product.
So why were service packs so loved by IT departments? Because they could delay installing a new version of Windows until the first service pack was released for that version. Like any other business these days, Microsoft often pushes its products out the door before they're ready, and rather than be unwitting beta testers, most organizations preferred to sit and wait for early adopters to take the heat. Then when Microsoft had fixed most of the issues with the initial release and had packaged all the fixes together as Service Pack 1, the IT department would download the new Windows image with SP1 baked into it from the Microsoft Volume Licensing website and begin serious piloting of the new Windows version with a view to deploying it.
Well, as I'm sure you are aware by now, service packs are now gone because Windows 10 has a completely different servicing model than that used for previous versions of Windows. Microsoft now offers Windows 10 in four different branches:
Windows Insider Program - Deploying from this branch basically lets you beta test new features before they are considered ready for prime time use.
Current Branch (CB) - This is the flavor of Windows 10 that Windows 10 Home Edition users are basically locked into (unless they want to take a chance and participate in the Windows Insider Program). New releases of Windows 10 are expected to be provided two or three times per year for machines on this branch. These releases will include new and updated features and core applications, and Windows 10 Home machines will automatically download and upgrade to each new release as it becomes available.
Current Branch for Business (CBB) - This branch is the default for Windows 10 Professional, Education and Enterprise editions and it differs from CB in two main ways. First, each CBB release will appear about four months after the corresponding CB release first appears. This probably means the CBB release will include all the patches that have appeared in the previous four months to address the complaints of Home Edition users who upgraded to the corresponding CB release. And second, administrators can configure Group Policy to defer upgrade of Professional, Education and Enterprise machines for an additional eight months so they can perform testing to ensure the new release won't break existing applications and systems. However, once the eight months are up the machines on the CBB will be automatically upgraded to the new release just like Home edition users on the CB, and there's no way of stopping this from happening with CBB.
Long-Term Servicing Branch (LTSB) - This branch basically follows a servicing model similar to the old service pack approach. The LTSB option is only available for Windows 10 Enterprise Edition, so you'll need a volume licensing agreement with Microsoft if you want to deploy it. And since Enterprise edition can support either the CBB or LTSB branches, there are two separate ISO images on the volume licensing site for you to choose from depending on whether you want to deploy machines from the CBB or LTSB branches. I suspect that new releases (ISOs) for LTSB will appear every couple of years or so, similar to how service packs were delivered except you might need to wipe and reinstall instead of upgrade (it's not clear at this point). One thing to note however is that these LTSB images don't include a number of Windows 10 features such as Cortana, Microsoft Edge, the Windows Store, or the Mail and Calendar apps. The reasoning behind this is probably that these features are constantly being tweaked by Microsoft, so including them would violate the raison d'etre of the LTSB. As a result, Microsoft is positioning LTSB as primarily for special use machines like point-of-sale systems, kiosk computers, and ATM machines, and they're basically pushing organizations to use CBB if they have volume licensing agreements.
You can read more about these different branches on TechNet:
http://www.wservernews.com/go/7hyuvj27/
So what does all this mean for businesses who are still running Windows 7 and have been waiting for a new version of Windows they feel comfortable about deploying (or businesses who deployed Windows 8/8.1 and can't wait to get rid of it)? For organizations that deploy anything from a handful of client computers to thousands or tens of thousands of them, I think it may mean several things:
Windows deployment will no longer be something you think about every five years or so. Instead, you'll need to pilot and test new Windows releases regularly as they appear every few months, because like it or not your systems will end up running them sooner (CB) or later (CBB).
Helpdesk support for Windows 10 may be a nightmare. CBB releases may overlap for some organizations if certain departments finish their testing before others have. And employees who have Windows 10 at home and are on the CB may have apps that function differently than how those same apps function at their workplace.
Training for Windows 10 will obviously be impacted as well. I mean, what's the point of developing courseware or writing a book for a Windows release that will be out of date in 4-6 months? HR departments will likely throw up their hands and just say "You'll just have to figure it out on your own" to users who are puzzled by how to accomplish certain tasks on their machines.
Users who are older and are therefore generally more resistant to change are going to be frustrated with using Windows 10 when they discover settings changing and apps moving around every few months when their machines are automatically upgraded to the latest release. Since I use an iPad for entertainment, I'm gradually becoming immune to such things since Apple does this type of thing regularly with their platform, but it annoys me when Windows which I use for business purposes decides to emulate Apple in this regard because I value productivity, and moving apps around or changing settings (or removing them entirely) impacts my productivity.
I'm sure many of you readers can think of some additional likely consequences of the new Windows 10 servicing model. Email me at [email protected] if you'd like to share your thoughts either positive or negative in this regard.
Of course I get the reasoning Microsoft has for making these changes to the Windows servicing model--it's about maintaining the code base, not about pleasing the customer. The obvious goal Microsoft has here is to gradually remove outdated Windows features and replace them with new features that are more secure and especially are easier for Microsoft to maintain and refine. An example is the Control Panel, which has been a key part of Windows since I don't know when and which has gradually become more and more bloated over the years as more and more CPL utilities keep getting added. Awhile back The Windows Club (TWC) posted a scary news item "Control Panel will be phased out in Windows 10" that set the Twittersphere afire:
http://www.wservernews.com/go/9704ewgo/
Numerous tweeters complained that the Settings app in Windows 10 was woefully inadequate as a replacement for Control Panel, but Microsoft later clarified that Control Panel will be *eventually* phased out, i.e. once the Settings app has full functional equivalency. It's obvious to me that the real reason Microsoft wants to eliminate Control Panel is simply to get rid of all that legacy code involved and replace it with nice shiny new code that is easier for them to maintain. Ultimately that will be a good thing. The problem however is that we'll all be experiencing several years of pain until Microsoft gets there.