How-To

CredSSP encryption oracle remediation

If you’re like me, you have encountered this error remoting into one of your servers.

An Authentication error has occurred. The function requested is not supported.
Remote computer: <servername> This could be due to CredSSP encryption oracle remediation

The quick solution is to patch your host from one of the patches here

If you are unable to patch and then issue the mandatory reboot of the remote server then you can apply the following registry fix

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
“AllowEncryptionOracle”=dword:00000002

You can even push this out via Group Policy if needed

 

 

 

CVE-2018-0886 – CredSSP Remote Code Execution Vulnerability

Description

A remote code execution vulnerability exists in the Credential Security Support Provider protocol (CredSSP). An attacker who successfully exploited this vulnerability could relay user credentials and use them to execute code on the target system. CredSSP is an authentication provider which processes authentication requests for other applications; any application which depends on CredSSP for authentication may be vulnerable to this type of attack. As an example of how an attacker could exploit this vulnerability against Remote Desktop Protocol, the attacker would need to run a specially crafted application and perform a man-in-the-middle attack against a Remote Desktop Protocol session. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting how Credential Security Support Provider protocol (CredSSP) validates requests during the authentication process.

The vulnerability impacts Windows 7, Windows 8.1, and Windows 10 systems, as well as Windows Server 2008, Windows Server 2012, and Windows Server 2016.

Download patches here

To address the issue, Microsoft released an update to correct the manner in which CredSSP validates requests during the authentication process. The update patches the CredSSP authentication protocol and the Remote Desktop clients for all affected platforms.

“Mitigation consists of installing the update on all client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers. We recommend that administrators apply the policy and set it to “Force updated clients” or “Mitigated” on client and server computers as soon as possible,” Microsoft says.

I have noticed that this patch has been disruptive to system owners who use remote desktop to access and manage servers.  Installing the patch on a client host w/o having it installed on the remote endpoint will end in an error preventing you from accessing them.

 

Its best to upgrade endpoints (servers) before client systems

Ref: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886

 

How to: Disable the Windows Store

 

One of the features of Windows 10, is the Windows Store.  The Windows Store is a digital distribution platform for Microsoft Windows. It started as an app store for Windows 8 and Windows Server 2012 as the primary means of distributing Universal Windows Platform apps.

Ref: https://en.wikipedia.org/wiki/Microsoft_Store_(digital)

As system configurators and administrators, this may be problematic as it introduces new configuration that was not expected or supported by the IT Staff.  To mitigate this the following steps can be used to disable the Windows Store.

This can be disabled via local group policy or via active directory domain services group policy.

Type gpedit in the search bar to find and start Group Policy Editor.

In the console tree of the snap-in, click Computer Configuration, click Administrative Templates, click Windows Components, and then click Store.

In the Setting pane, click Turn off Store application and then click Edit policy setting.

On the Turn off Store application setting page, click Enabled, and then click OK.

 

Considerations:

These policies are applicable to users of the Enterprise and Education editions only. ref: https://support.microsoft.com/en-us/help/3135657/can-t-disable-windows-store-in-windows-10-pro-through-group-policy

 

Configure preferred geo data location in Office 365

 

GDPR had me thinking about Multi-Geo in Office 365

By default, Office 365 resources for your users are located in the same geo as your Azure AD tenant. So, if your tenant is located in North America, then the users’ Exchange mailboxes, OneDrive is also located in North America. For a multinational organization, this might not be optimal for various reasons.

Reasons such as

  • Performance and
  • Data residency requirements for data-at-rest

Multi-Geo enables a single Office 365 tenant to span across multiple Office 365 data-center geographies (geos) and gives customers the ability to store their Exchange and OneDrive data, at-rest, on a per-user basis, in their chosen geos

By setting the attribute preferredDataLocation, you can define a user’s geo

A list of all geos for Office 365 can be found here or long URL format: https://products.office.com/en-us/where-is-your-data-located?geo=All

These values can be set in your Office 365 tenant via PowerShell or Azure AD Connect.

In PowerShell – 

# Connect to Office 365 – by Jermal Smith (@jermsmit)
Set-ExecutionPolicy RemoteSigned
# Get-Credential – You will be asked for username / password
$credential = Get-Credential
# Import-Module MsOnline
Import-Module MsOnline
# If this step fails in error – Install-Module MsOnline
# Connect to MsolService using supplied credentials
Connect-MsolService -Credential $credential

Then use the command: Set-MsolCompanyAllowedDataLocation followed by service type and location.

Ref: https://docs.microsoft.com/en-us/powershell/module/msonline/set-msolcompanyalloweddatalocation?view=azureadps-1.0

After you have assigned Data Locations you can then set users to the location by issue the following example command:

Set-MsolUser -UserPrincipalName jsmith@jermsmit.com -PreferredDataLocation EUR

Then confirming with:

Get-MsolUser -UserPrincipalName jsmith@jermsmit.com | Select PreferredDataLocation

The above works well for new users, but for existing user’s you will need to trigger a migration with the following command:

Start-SPOUserAndContentMove -UserPrincipalName jsmith@jermsmit.com -DestinationDataLocation EUR

Ref: https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/start-spouserandcontentmove?view=sharepoint-ps

Lastly… “To be eligible for Multi-Geo, you must have at least 5,000 seats in your Office 365 subscription” As this is just getting released I am confident more information will be known soon.

 

 

VMware Guest Customization Specification, Configure Domain Joining

I recently worked to correct an outstanding support issue of VMware Guest Customization Specification not joining guests to Active Directory Domains. I thought I’d share my setup so it might help others facing similar issues.

Log into the vSphere console, navigate to the Home page section

From the Home page click the Customization Specification Manager

Once in the Customization Specification Manager Click on “+” symbol to create VMware Guest Customization Specification.

Select the operating system either Windows or Linux from the drop-down on target VM operating system and Specify the name for the Customization Specification. Enter the description of the customization specification. Click on Next.

Provide your registration information and click Next.

I use the computer name of guest OS as same as the virtual machine name. It simplifies the identification of the virtual machine in the vCenter inventory. Select “Use the virtual machine name” to use the computer name as same as virtual machine name and click Next.

Enter the windows licensing information for this copy of the guest operating system; if you are using a KMS server for activation you don’t have to type a key here.

Specify the administrator password and auto-login option for the administrator account of Windows operating system. Click Next.

Select your time zone and continue.

If you need to run some commands on the first log on, put them here and when your done click Next.

On the Configure Network, you can specify the network settings for the guest operating system. Either you can use DHCP or specify the custom network settings.

To specify the custom network settings, Click on Edit “Pencil Icon”… In this section is where I specify the DNS suffix to add to the Windows operating system. Click on OK.

This allows me to communicate to a specific Active Directory Domain Service (ADDS), and include the domain suffix. Once Network settings are specified in customization specification. Click on Next.

Under Set Workgroup or Domain, choose “Windows Server Domain”, specify FQDN and specify the user account and credentials information that has permission to add a computer to the domain.
The user account is in the format of user@domain.tld
Click on Next.

Select the checkbox “Generate New Security ID (SID)” to generate a new security identity for the windows virtual machine. This option is important to generate the new SID from the source machine. Click Next.

Finally, review all the settings specified in VMware customization specification and click on Finish

Now you can Deploy Templates Using VMware Guest Customization Specification, and join the guest to your Active Directory Domain without issue.