4 August 2017

IT PRO IDOL



IT PRO IDOL is a set of sessions by new speakers in the technical community IT Pro Portugal. I invite you to come to the Microsoft premises in Portugal on the 30th of this month and attend the sessions for free.


If you want to know more, you can watch the following video (the language is Portuguese).




If you have never presented a session, do not miss this opportunity: fill in the Call For IT Pro IDOL. The community itself helps you improve your session, including some coaching.

If you want to practice your presentation, in Portuguese or English, you are always welcome.

16 July 2017

Office 365 beware of choosing the domain name onmicrosoft.com

We can test the Microsoft Office 365 service at zero cost with almost all of its features, but there is a catch in the use of the chosen domain name.

At the end of the trial we might assume that the internal domain ID we chose, for example test365.onmicrosoft.com, expires when the trial ends and can be reused later in a new subscription. Well, it is not quite like that.

The chosen onmicrosoft.com domain never expires and can later be used by the global admin of the subscription to add monthly, annual or Open License subscriptions. This is documented in the Office 365 documentation. The following image shows the Office 365 subscription lifecycle and explains that administrators can still access the subscription even after we have received the notification that the subscription was deleted and its stage changed to deprovisioned.


Source: "What happens to my data and access when my Office 365 for business subscription ends?"

It is possible that another company acquires the domain name we had, but if we forget the password of the global admin user of the subscription, the only way to recover it is to speak with Office 365 technical support by telephone, and usually the language used is English.

If you attempt to activate a license through Open License on an account that expired some time ago, as in the following image,



activation will always inform you that the domain name is already in use and that you need to choose another domain.


So when testing the Office 365 trial, do not choose the names of the organizations where you are working.

5 July 2017

SMB V1 the Drama

Because of ransomware, SMB v1 is still much discussed, since most manufacturers continue to use SMB version 1. Equipment from NAS devices and printers to computer applications will not support SMB v2 or v3 because it implies a large financial cost to manufacturers, and some even close their eyes to it.

One of the examples I've had was with Hewlett-Packard (HP) Portugal, where not even enterprise support could give explanations on the subject: it is always the customer's fault for using Windows Server, since its printers and other devices only support Windows XP up to 10. Good move, HP.

Ned Pyle from Microsoft has made a publication with the title "SMB1 Product Clearinghouse", in which he publishes a list of products that require SMB v1 and are explicit about it in their documentation.

It is worth reading to get to know some of the products; you can consult the publication at https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/

2 July 2017

Azure Web App not found if a custom domain is used

When you add a custom domain to Azure, by default only the domain name and the TLD extension are added. The "www" is considered a subdomain, so when you access a web page in Azure with www.domain.com you are redirected to the 404 error page, as in the following image.




I'll show you how you can add any subdomain to a Web App in Azure.

First you have to access the DNS management of the domain and create a CNAME (Alias) record with the ID 'www' pointing to the URI of the Web App in Azure, for example:




Make sure the new setting has been accepted before you proceed with the Azure setup.

In Azure go to the Web App, select "Custom domains" and then select the "Add hostname".
 




In the hostname field enter the domain with the www subdomain, then select the record type "CNAME (www.example.com or any subdomain)" and click the Validate button.
 




If Azure can validate the "Domain ownership", the "Add hostname" option becomes active and you can continue with the process.






In the notifications you will receive the information that the new subdomain was added successfully.




You can now try accessing your web app with the www subdomain.






You can add any other subdomain to a Web App; it does not have to be "www". And that's how you add a subdomain in Azure Web Apps.
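As an added example (not from the original post), this PowerShell script automates the two checks of the procedure above: it confirms that the 'www' CNAME has propagated and points at the Web App before the hostname is added, and then adds the hostname with the Az module instead of the portal. The hostnames, resource group and app name are placeholders; Get-AzWebApp/Set-AzWebApp require the Az.Websites module and a prior Connect-AzAccount.

```powershell
# Added example, not the original post's code. Placeholder names throughout.
param(
    [string]$Hostname      = 'www.example.com',
    [string]$WebAppHost    = 'example-app.azurewebsites.net',
    [string]$ResourceGroup = 'example-rg',
    [string]$WebAppName    = 'example-app'
)

# 1. Resolve the CNAME against a public resolver, so we see what the
#    internet (and Azure's validation) sees rather than a cached local answer.
$cname = Resolve-DnsName -Name $Hostname -Type CNAME -Server 8.8.8.8 -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'CNAME' }

if (-not $cname) {
    Write-Warning "No CNAME record found for $Hostname; wait for DNS propagation and retry."
    return
}
if ($cname.NameHost.TrimEnd('.') -ne $WebAppHost) {
    Write-Warning "$Hostname points to $($cname.NameHost), expected $WebAppHost. Fix the DNS record first."
    return
}
Write-Host "CNAME OK: $Hostname -> $($cname.NameHost)"

# 2. Add the hostname to the Web App. Set-AzWebApp replaces the whole
#    hostname list, so keep the existing names and append the new one.
$app = Get-AzWebApp -ResourceGroupName $ResourceGroup -Name $WebAppName
if ($app.HostNames -notcontains $Hostname) {
    Set-AzWebApp -ResourceGroupName $ResourceGroup -Name $WebAppName `
                 -HostNames ($app.HostNames + $Hostname) | Out-Null
}

# Show the resulting hostname list; the new subdomain should now be present.
Get-AzWebApp -ResourceGroupName $ResourceGroup -Name $WebAppName |
    Select-Object -ExpandProperty HostNames
```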

There are Internet browsers, like Firefox ESR, that already compensate for this internally, but not all browsers do. For example, Firefox on Linux may be able to do it while on Windows it does not, and that is not an operating system problem. So in any cloud system or elsewhere it is always recommended to set up the www subdomain.

There are changes in the Nano server in the next version/update of Windows Server 2016


If you follow the news from Microsoft you already know that Microsoft published an article on 2017-06-19 stating that there will be changes to Nano Server (Windows Server 2016).


But what are these changes?

Windows Update will have two update options, the "Current Branch for Business (CBB)" model and the "Semi-Annual Channel"; with this setting Nano Server will be updated two to three times a year, starting from version 1709.

But that's not all: Nano Server will run as a container, like a Docker container, with the following changes:
  • It has been optimized for .NET Core applications.
  • Its size has been reduced by the move to a container, and it no longer includes Windows PowerShell, .NET Core and WMI, which already exist in containers.

Source: https://docs.microsoft.com/en-us/windows-server/get-started/nano-in-semi-annual-channel

28 June 2017

Petya or Petwrap ransomware (Update: Kill-switch)

The kill-switch for the Petya ransomware has already been found; the company Positive Technologies has published how to disable the ransomware here.


To detect the Petya attack in the infrastructure, the following indicators can be used:
   The file C:\Windows\perfc
   A task in Windows Scheduler with an empty name and the action (reboot) "%WINDIR%\system32\shutdown.exe /r /f"

IDS/IPS rule triggers:

   msg: "[PT Open] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool"; sid: 10001254; rev: 2;
   msg: "[PT Open] ETERNALBLUE (WannaCry, Petya) SMB MS Windows RCE"; sid: 10001255; rev: 3;
   msg: "[PT Open] Trans2 Sub-Command 0x0E. Likely ETERNALBLUE (WannaCry, Petya) tool"; sid: 10001256; rev: 2;
   msg: "[PT Open] Petya ransomware perfc.dat component"; sid: 10001443; rev: 1
   msg:"[PT Open] SMB2 Create PSEXESVC.EXE"; sid: 10001444; rev:1


Signatures:
https://github.com/ptresearch/AttackDetection/blob/master/eternalblue(WannaCry%2CPetya)/eternalblue(WannaCry%2CPetya).rules

Petya uses TCP ports 135, 139 and 445 through the SMB and WMI services.

How to activate the kill-switch?

Petya checks whether the perfc file exists in "C:\Windows"; the directory and the drive are hardcoded. The perfc file has no content: it is just an empty file without extension and with read-only permissions.

Source: www.ptsecurity.com

Again, it is not recommended to pay the ransom, and so far there is still no way to recover the encrypted files.
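As an added example (not from the original post or from Positive Technologies), this PowerShell script checks a host for the two indicators listed above (the perfc file and a scheduled task that runs shutdown.exe /r /f) and provides a function that creates the empty, read-only perfc file described as the kill-switch. Run it in an elevated session; the path is fixed by the malware, so it is not a parameter.

```powershell
# Added example, not the original post's code. Run elevated.
$KillSwitchPath = "$env:WINDIR\perfc"   # hardcoded by the malware: C:\Windows\perfc

function Test-PetyaIndicators {
    $findings = @()

    # Indicator 1: the perfc file. An empty read-only file means the kill-switch
    # was applied on purpose; anything else in that place deserves a closer look.
    if (Test-Path -LiteralPath $KillSwitchPath) {
        $item = Get-Item -LiteralPath $KillSwitchPath
        $kind = if ($item.Length -eq 0 -and $item.IsReadOnly) { 'empty read-only kill-switch' }
                else { 'non-empty or writable file, inspect it' }
        $findings += "perfc present: $kind ($($item.Length) bytes)"
    }

    # Indicator 2: a scheduled task whose action is shutdown.exe with /r and /f.
    # The task name is empty in the reported samples, so match on the action only.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if ($action.Execute -like '*shutdown.exe*' -and
                $action.Arguments -match '(^|\s)/r(\s|$)' -and
                $action.Arguments -match '(^|\s)/f(\s|$)') {
                $findings += "reboot task '$($task.TaskName)' in $($task.TaskPath): " +
                             "$($action.Execute) $($action.Arguments)"
            }
        }
    }
    return $findings
}

function Enable-PetyaKillSwitch {
    # The malware only tests for the file's existence, so an empty, extension-less,
    # read-only file is all that is needed.
    if (-not (Test-Path -LiteralPath $KillSwitchPath)) {
        New-Item -Path $KillSwitchPath -ItemType File | Out-Null
    }
    Set-ItemProperty -LiteralPath $KillSwitchPath -Name IsReadOnly -Value $true
    Get-Item -LiteralPath $KillSwitchPath | Select-Object FullName, Length, IsReadOnly
}

$results = Test-PetyaIndicators
if ($results) { $results | ForEach-Object { Write-Warning $_ } }
else          { Write-Host 'No Petya indicators found on this host.' }
```

Call Enable-PetyaKillSwitch explicitly on the hosts you want to protect; the script itself only reports, so it can be run repeatedly as a check.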

27 June 2017

Petya or Petwrap ransomware

There is one more ransomware that is taking advantage of the SMB v1 vulnerability and is spreading worldwide.

If you check the hashtag #ransomware you can see that it has already made some victims.

This is why it is extremely important to update the operating systems, not only Microsoft but also Linux and Apple. All systems have vulnerabilities, all systems have flaws, so all systems have ransomware. If you don't believe it, do a search.

But there's the following problem:

Petya uses NSA exploits: "Spreads in internal networks with WMIC and PSEXEC. That's why patched systems can get hit." Source: Mikko Hypponen

All recommendations say not to pay the ransom! The email address used is already blocked, and up to now there have already been 28 victims who made the payment. You can consult the transfers here.

How can you protect yourself?

The recommendations are:
  1. Disable SMB v1;
  2. Disable WMIC (Windows Management Instrumentation Command-line);
  3. Install all Microsoft patches.
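As an added example (not from the original post), this PowerShell script applies recommendation 1 on a Windows Server host: it first lists the clients still connected with an SMB1 dialect (the NAS boxes, printers and old systems that would break), then disables the SMB1 protocol and removes the FS-SMB1 feature, and finally reports the most recently installed update as a quick check for recommendation 3. It assumes Windows Server 2012 R2 or 2016 with the SmbShare and ServerManager modules; run it elevated.

```powershell
# Added example, not the original post's code. Windows Server, elevated session.
function Get-Smb1State {
    # Is the server still accepting SMB1 connections, and are the binaries installed?
    [pscustomobject]@{
        Smb1ProtocolEnabled  = (Get-SmbServerConfiguration).EnableSMB1Protocol
        Smb1FeatureInstalled = (Get-WindowsFeature -Name FS-SMB1).Installed
    }
}

function Get-Smb1Clients {
    # Sessions negotiated with a dialect below 2.0 are SMB1 clients. These are the
    # devices to fix or replace before SMB1 is switched off.
    Get-SmbSession | Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
        Select-Object ClientComputerName, ClientUserName, Dialect
}

function Disable-Smb1 {
    $state = Get-Smb1State
    if ($state.Smb1ProtocolEnabled) {
        # Stop accepting SMB1 client connections immediately.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($state.Smb1FeatureInstalled) {
        # Remove the SMB1 binaries entirely; a reboot may be requested.
        Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null
    }
    Get-Smb1State
}

# Recommendation 1: who still depends on SMB1, then disable it.
Write-Host 'SMB1 clients currently connected:'
Get-Smb1Clients | Format-Table -AutoSize
Write-Host 'SMB1 state after hardening:'
Disable-Smb1 | Format-List

# Recommendation 3: when was the last update installed on this host?
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 1 HotFixID, InstalledOn
```

Running Get-Smb1Clients for a few days before calling Disable-Smb1 gives the inventory of legacy devices that the SMB1 Product Clearinghouse post above warns about.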