Archive

Archive for March, 2013

Counterfeit software likely to contain viruses

March 28th, 2013 No comments

Results of a recent study conducted by the International Data Corporation (IDC) found that one in three consumers with counterfeit software installed on their home computer will be infected with malware in 2013. Additionally, consumers worldwide will spend 1.5 billion hours and $22 billion identifying, repairing and recovering from issues involving pirated software.

When you use counterfeit software instead of genuine Microsoft software, you face increased risks that cybercriminals have purposely added malware and that you won’t always have access to critically needed security updates. For more information about software piracy, read The Importance of Playing It Safe.

Download the IDC white paper (PDF)

Learn how to protect your computer from pirated software

Updates: Autoruns v11.5, Du (Disk Usage) v1.5, Procdump v5.14, Procmon v3.04, Ru (Registry Usage) v1.0

March 27th, 2013 No comments

Autoruns v11.5: This update to Autoruns, a utility for managing autostarting applications and components, now reports the image timestamp of executables and the last-modified timestamp of other file types and autostart locations to help with forensic analysis. The jump-to-entry feature is also improved to navigate directly to files rather than their parent directory.

Disk Usage (Du) v1.5: Du, a command-line utility for reporting the disk space consumed by directories and their files, has expanded CSV output that includes file and directory counts, as well as an option for tab-delimiting, which is a format more convenient for import into Excel than comma-delimited.

ProcDump v5.14: This release of Procdump, a command-line utility that enables the capture of process dumps based on numerous trigger types including on-demand, doesn’t report process exceptions unless the exception trigger is specified.

Process Monitor v3.04: Procmon, a powerful system activity monitor, now includes support for new Windows 8 file information query types and fixes a bug in the tooltip handling.

Registry Usage (RU) v1.0: Ru (Registry Usage) is a new command-line utility that reports the size, value and subkey counts of registry keys. Like its Sysinternals Du (Disk Usage) counterpart, Ru can help you find the keys that contribute to registry bloat.

There was a flash, and then my startpage was gone…

March 27th, 2013 No comments

We recently came across the file 1ac150ddb964722b6b7c96808763b3e4d0472daf during the course of regular research. We detect this file as Trojan:Win32/Preflayer.A.
 
The file had been distributed with the file name FlashPlayer.exe and not surprisingly, when executed, it shows the following GUI, partly written in Turkish:
 

Obviously, it’s disguised as an Adobe Flash Player 11 installer.
 
The text section of the agreement doesn’t have a scroll bar – which makes it kind of tricky to see all the conditions of installation. However, you can highlight the entire text using your mouse so you can see, right at the end, there’s a message describing a key condition:
 
* YOUR BROWSER HOMEPAGE WILL CHANGE WITH
<URL>
IF YOU ACCEPT THIS, PLEASE CONTINUE.
 
Note: <URL> is the page that this trojan sets your start page to.
 
Not having a scroll bar is a bit dodgy as most users won’t realize that the program is going to change their browser’s start page.
 
When the button is clicked, this fake Flash Player installer downloads and executes a legitimate Flash installer as FlashPlayer11.exe from the following URL:
hxxp://aihdownload.adobe.com/bin/install_flashplayer11x32ax_mssd_aih.exe
 
It then changes the user’s browser start page. It changes the start page for the following browsers:

  • Firefox
  • Chrome
  • Internet Explorer
  • Yandex

to one of the following pages: 

  • hxxp://www.anasayfada.net
  • hxxp://www.heydex.com

These sites appear to be a type of search engine, but there are pop-up advertisements displayed on the pages, and there was an instance where I was redirected to a different page not of my choosing.
 
A bit of research indicates that these sites were created fairly recently:

————————————————————————

Domain information – from domaintools.com:
 
hxxp://www.anasayfada.net
Created: 2013-02-15
IP address: 109.235.251.146
IP location: Manisa – Manisa – Dgn Teknoloji Bilisim Yayincilik Sanayi Ve Limited Sirketi
 
The file 1ac150ddb964722b6b7c96808763b3e4d0472daf is reported downloaded from: hxxps://flash-player-download.com/FlashPlayer.exe
Domain: flash-player-download.com
Created: 2013-03-04
IP address: 31.3.228.202
IP location: England – Gosport – Redstation Limited

The file 7b50ac5bbd21b945df128c2606402ef68533dc30 is reported downloaded from: hxxp://www.yonlen.net/flash_player.exe
Domain: yonlen.net
Created: 2012-10-29
IP address: 37.220.28.122
IP location: England – Gosport – Redstation Limited
 
hxxp://www.heydex.com
Created: 2013-01-22
IP address: 188.132.235.218
IP location: Istanbul – Istanbul – Hosting Internet Hizmetleri Ltd Sti

————————————————————————

Aside from the misleading GUI, the File Properties are also disguised as if the file was from Adobe:
 
File Version: 2.1.0.0
Description: Adobe Flash Downloader
Copyright: 2012 Ironion
 
Comments: Flash Downloader Acceletor
Company: Adobe Inc
File Version: 2.01
Internal Name: flash
Language English (United States)
Legal Trademarks: 2012 Ironion
Original Filename: flash.exe
Product Name: Flash Downloader
Product Version: 2.01
 
It’s a fairly simple ruse – misleading file name, misleading GUI, deliberately inaccessible EULA (why do they bother?), misleading file properties – and some of the files are even signed. And yet, we’ve received over 70,000 reports of this malware in the last week.
 
Social engineering doesn’t have to be particularly sophisticated to be successful. So the message today is be wary. If you think something ‘feels’ wrong (like that missing scrollbar in the EULA) it may well be. Listen to those feelings and use them to protect yourself by saying ‘no’ to content you don’t trust.
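The indicators in this post (the two start-page domains, the two download domains, the two SHA-1s and the bogus 'Adobe Inc' CompanyName) are enough for a quick host sweep. The script below is an added example, not code from the MMPC post; the registry value names and browser profile paths are the standard per-user locations and are assumed here (the Yandex path in particular), so adjust them to the host you are looking at. Run it as the affected user, since the IE start page and the browser profiles live in that user's profile.

```powershell
# Added example (not code from the original MMPC post): sweep one user profile
# for the Preflayer indicators the post lists. The domains, SHA-1s and the
# 'Adobe Inc' CompanyName come from the post; the registry value names and
# browser profile paths are standard locations assumed for this example.

$HijackDomains   = @('anasayfada.net', 'heydex.com')             # start pages set by the trojan
$DeliveryDomains = @('flash-player-download.com', 'yonlen.net')  # where the dropper was served
$KnownSha1       = @('1ac150ddb964722b6b7c96808763b3e4d0472daf',
                     '7b50ac5bbd21b945df128c2606402ef68533dc30')
$Findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Where, [string]$What) {
    [void]$Findings.Add([pscustomobject]@{ Where = $Where; What = $What })
}
function Test-Domain([string]$Text) {
    foreach ($d in ($HijackDomains + $DeliveryDomains)) {
        if ($Text -match [regex]::Escape($d)) { return $true }
    }
    return $false
}

# 1. Internet Explorer keeps the start page per user under HKCU, so run this
#    as the affected user (or load that user's hive under HKU first).
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
foreach ($name in 'Start Page', 'Secondary Start Pages') {
    $value = (Get-ItemProperty -Path $ieMain -Name $name -ErrorAction SilentlyContinue).$name
    if ($value -and (Test-Domain ($value -join ' '))) { Add-Finding "IE $name" ($value -join ' ') }
}

# 2. Firefox: browser.startup.homepage in each profile's prefs.js.
foreach ($prefs in Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue) {
    foreach ($line in Get-Content $prefs.FullName) {
        if ($line -match '^user_pref\("browser\.startup\.homepage",\s*"([^"]+)"\)') {
            $page = $Matches[1]
            if (Test-Domain $page) { Add-Finding "Firefox $($prefs.Directory.Name)" $page }
        }
    }
}

# 3. Chrome and Yandex (Chromium-based) keep 'homepage' and
#    'session.startup_urls' in a JSON Preferences file. The Yandex path is assumed.
$chromiumPrefs = @("$env:LOCALAPPDATA\Google\Chrome\User Data\*\Preferences",
                   "$env:LOCALAPPDATA\Yandex\YandexBrowser\User Data\*\Preferences")
foreach ($pattern in $chromiumPrefs) {
    foreach ($file in Get-ChildItem $pattern -ErrorAction SilentlyContinue) {
        try { $p = Get-Content $file.FullName -Raw | ConvertFrom-Json } catch { continue }
        foreach ($url in @($p.homepage) + @($p.session.startup_urls)) {
            if ($url -and (Test-Domain $url)) { Add-Finding "Chromium $($file.FullName)" $url }
        }
    }
}

# 4. Dropper check: any *flash*.exe in Downloads or Temp. A file whose version
#    info claims Adobe but whose Authenticode signer is not Adobe (or that is
#    unsigned) is exactly the ruse the post describes; a known SHA-1 is a direct hit.
$sha1 = [System.Security.Cryptography.SHA1]::Create()
$dirs = @("$env:USERPROFILE\Downloads", $env:TEMP)
foreach ($exe in Get-ChildItem -Path $dirs -Filter '*flash*.exe' -Recurse -ErrorAction SilentlyContinue) {
    $stream = $exe.OpenRead()
    try     { $hash = ($sha1.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
    $sig    = Get-AuthenticodeSignature -FilePath $exe.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $reasons = @()
    if ($KnownSha1 -contains $hash) { $reasons += "SHA-1 $hash is a known Preflayer sample" }
    if ($exe.VersionInfo.CompanyName -eq 'Adobe Inc' -and $signer -notmatch 'Adobe') {
        $reasons += "version info says 'Adobe Inc' but signer is '$signer' (status $($sig.Status))"
    }
    foreach ($r in $reasons) { Add-Finding $exe.FullName $r }
}

if ($Findings.Count) { $Findings | Format-Table -AutoSize } else { 'No Preflayer indicators found.' }
```

The file check deliberately does not trust a valid signature on its own: the post notes that some samples are signed, so the test is whether the signer matches the company the version info claims, not merely whether a signature chains.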
 
Jonathan San Jose

Categories: Uncategorized Tags:

KB: A Forefront Unified Access Gateway 2010 Direct Access client experiences repeated OTP prompts

March 26th, 2013 No comments

Here’s a new KB article we just published on Microsoft Forefront Unified Access Gateway 2010. This article talks about an issue where a Direct Access client experiences repeated One Time Password (OTP) prompts and the steps needed to fix it. You can read all the details here:

KB2797301 – A Forefront Unified Access Gateway 2010 Direct Access client experiences repeated OTP prompts (http://support.microsoft.com/kb/2797301/en-gb)

J.C. Hornbeck | Knowledge Engineer | Microsoft CTS Management and Security Division

Get the latest System Center news on Facebook and Twitter:


System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

Categories: Uncategorized Tags:


Outlook.com is officially launched

March 26th, 2013 No comments

Outlook.com (formerly Hotmail) is the newest version of free webmail from Microsoft. More than 60 million people have signed up for it since we released the beta version last summer.

Whether you make the transition from Hotmail to Outlook.com now or wait to be automatically upgraded, you can keep using your existing @hotmail.com, @live.com, or @msn.com address. Or you can get a new @outlook.com address. Get more answers to your general questions about why your Hotmail account was upgraded.

With Outlook.com, you’re in control of your data, and your personal conversations aren’t used for ads. We don’t scan your email content or attachments and we don’t sell this information to advertisers or any other company. You decide whether to connect your account to any social networks, and you’re in control of who you friend or follow.

Get more information about the security and privacy features of Outlook.com

Categories: email, hotmail, Microsoft, passwords, privacy, security Tags:

Microsoft Security Advisory (2819682): Security Updates for Microsoft Windows Store Applications – Version: 1.0

Revision Note: V1.0 (March 26, 2013): Announced availability of update 2832006 for Windows Modern Mail.
Summary: Microsoft is announcing the availability of security updates for Windows Store applications running on Windows 8, Windows RT, and Windows Server 2012 (Windows Server 2012 Server Core installations are not affected). The updates address vulnerabilities that are detailed in the Knowledge Base articles associated with each update.

Categories: Uncategorized Tags:


PKI Library (PKI Documentation and Reference Library Updated)

March 22nd, 2013 No comments

Tonight I spent a couple of hours reorganizing the PKI Documentation and Reference Library. I also created a vanity short URL to it http://aka.ms/pkilibrary. Finding all our different information on AD CS and PKI can be challenging, so this reorganization will hopefully help you.

If you see articles missing, broken links, or have suggestions – you can contact me about it. Better yet, login and fix the issue yourself. 🙂

Thank you!


Windows Server 2012 Active Directory Certificate Services System State Backup and Restore

March 22nd, 2013 No comments

Windows Server 2012 System State Backup allows an administrator to back up several operating system components, including those required for a successful restore of a Certification Authority. Any certification authority backup should include the private key, the certificate database, the logs and the certification authority’s registry configuration.

The Windows Server Backup feature should be installed on the certification authority to take a System State Backup. It has been enhanced in Windows Server 2012 to allow the administrator to take a System State Backup using the feature’s Graphical User Interface (GUI), the command line, or PowerShell. Furthermore, System State Backup in Windows Server 2012 backs up the certification authority’s private key without the need to install any hotfixes.

Note: Windows Server 2008 and 2008 R2 required installing a hotfix to back up the private key using System State Backup.

Steps Required to Back Up the Certification Authority Using System State Backup

There are two easy steps to prepare the certification authority for a System State Backup.

1.      Install Windows Server Backup Feature

2.      Schedule a System State Backup

Install Windows Server Backup Feature

Windows Server Backup is not installed by default on Windows Server 2012. The feature needs to be installed before taking or scheduling a System State Backup.

1.      Log on to the certification authority and select Manage in Server Manager

2.      Click Add Roles and Features

3.      Click Next in Before you begin screen

4.      Select Role-based or feature-based installation and then click Next

5.      Select the local server in Select destination server screen

6.      Click Next  in Select server roles screen

7.      Select Windows Server Backup in Select features  screen and then click Next

8.      Select Install in Confirm installation selections screen

9.      Click Close

Note: The Windows Server Backup feature can also be installed with the cmdlet Install-WindowsFeature -Name Windows-Server-Backup

Schedule a System State Backup

Windows Server Backup only allows backing up the system to a non-critical volume. Setting the registry key described in KB944530 works around this limitation, but it is not recommended in production because it can cause a critical volume to fill up quickly. In general, designate a volume, disk or network share other than your C: drive for the certification authority’s backup.

Using the Graphical User Interface (GUI)

1.   Log on to the certification authority and select Tools in Server Manager

2.   Click Windows Server Backup

3.   Select Local Backup

4.    Click Backup Schedule

5.    Click Next in Getting Started screen

6.    Click Custom – I want to choose custom volumes, files for backup and then click Next

7.    Click Add Items in Select Items for Backup screen

8.    Select System State and then click OK

9.    Click Next in Select Items for Backup screen

10.  Choose the backup run time frequency in Specify Backup Time and then click Next

11.  Select the backup destination in Specify Destination and then click Next

Note: The rest of this document assumes a dedicated volume to back up the certification authority to. The wording will be slightly different if you choose a network share as your backup location.

12.  Click Add in Select Destination, select the dedicated volume and then select OK

13.  Click Next

14.  Review the scheduled backup settings in the Confirmation screen and then click Finish

Using the Command Line

Windows Server Backup can be configured using the command line. The command line tool Wbadmin has many verbs that can identify backups, volumes, disks, create jobs and many more. The disk identifier has to be known before scheduling any backup job.

The disk identifier is retrieved by running Wbadmin get disks

 

Note the Volumes label in the output of wbadmin get disks. The scheduled backup should target a volume other than the System Reserved and system volumes. In this example the volume with the Disk Identifier {eb9c44d8-0000-0000-0000-000000000000} is the clear choice for the backup files.

The next step is creating a scheduled task to take a System State Backup to the volume specified. This is also achieved using the Wbadmin command line tool with the enable backup verb. For example, run the following command to set up a backup job that runs daily at 10:00 PM and includes the System State:

wbadmin enable backup -addtarget:{eb9c44d8-0000-0000-0000-000000000000} -schedule:22:00 -systemState

 

Note: If you prefer to take a one-time System State Backup, run wbadmin start systemstatebackup -backuptarget:<non-critical volume drive letter>

Using PowerShell

Scheduling a System State Backup from PowerShell might seem intimidating at first. The tasks involve creating a backup policy, a backup target, a schedule, and then tying all of that to the policy. Let us go through them one at a time.

The first command stores the result of the New-WBPolicy cmdlet in the variable named $Policy

PS C:\> $Policy = New-WBPolicy

Setting the volume as the System State Backup Path

This command creates a WBBackupTarget object that uses a volume with drive letter E: as the backup storage location. You can add multiple volumes for storage to the WBPolicy object that contains the backup policy.

PS C:\> $volumeBackupLocation = New-WBBackupTarget -VolumePath E:

This command adds the system state to the backup policy in the $Policy variable.

PS C:\> Add-WBSystemState -Policy $Policy

This command adds the backup location (volume E:) to the backup policy in the $Policy variable

PS C:\> Add-WBBackupTarget -Policy $Policy -Target $volumeBackupLocation

This command sets the backup schedule configured in the $Policy variable to run daily at 10 PM

PS C:\> Set-WBSchedule -Policy $Policy -Schedule 22:00:00

This is the last command; it commits the scheduled backup defined in the $Policy variable. Until Set-WBPolicy runs, nothing has been scheduled.

PS C:\> Set-WBPolicy -Policy $Policy
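The five cmdlets above, as one script with the checks an operator would want before committing a CA backup policy. This is an added example and not code from the original post: the target volume E:, the 22:00 schedule and the key-provider test are assumptions for the example. The CertSvc registry path it reads is the CA’s real configuration location, but treating any non-Microsoft provider name as “key is on an HSM” is a heuristic. The point of that check is that a System State backup only captures the CA private key when a Windows software provider holds it; an HSM-resident key is not on disk and needs the HSM vendor’s own backup procedure.

```powershell
# Added example, not from the original post: schedule a daily System State
# backup of a CA with the WindowsServerBackup cmdlets the post uses, plus the
# pre-checks an operator would want. $BackupVolume and $Schedule are assumed
# values for this example; adjust them to your environment.
param(
    [string]$BackupVolume = 'E:',     # dedicated, non-critical volume (assumed)
    [string]$Schedule     = '22:00'
)
$ErrorActionPreference = 'Stop'

# 1. The feature is not installed by default on Windows Server 2012.
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
}
Import-Module WindowsServerBackup

# 2. Refuse to write the backup onto the system volume. Windows Server Backup
#    only accepts a non-critical volume, and the KB944530 registry override
#    the post mentions risks filling the system drive.
if ($BackupVolume.TrimEnd('\') -ieq $env:SystemDrive) {
    throw "Backup target $BackupVolume is the system volume; use a dedicated volume or share."
}
if (-not (Test-Path $BackupVolume)) { throw "Backup target $BackupVolume is not present." }

# 3. Confirm the CA key is somewhere System State can see it. The Active value
#    names the CA; CSP\Provider names its key provider. A key held by an HSM
#    provider is not on disk, so the System State backup will not contain it.
#    (Heuristic: any provider not starting with "Microsoft " is treated as HSM.)
$certSvc  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName   = (Get-ItemProperty -Path $certSvc).Active
$provider = (Get-ItemProperty -Path "$certSvc\$caName\CSP").Provider
if ($provider -notmatch '^Microsoft ') {
    Write-Warning "CA '$caName' uses key provider '$provider'; its private key will not be in the System State backup."
}

# 4. Build the policy exactly as in the post, then commit it. Nothing is
#    scheduled until Set-WBPolicy runs; -Force suppresses the confirmation prompt.
$Policy = New-WBPolicy
Add-WBSystemState -Policy $Policy
Add-WBBackupTarget -Policy $Policy -Target (New-WBBackupTarget -VolumePath $BackupVolume)
Set-WBSchedule -Policy $Policy -Schedule $Schedule | Out-Null
Set-WBPolicy -Policy $Policy -Force

# 5. Read the committed policy back rather than trusting the cmdlets' silence.
$committed = Get-WBPolicy
[pscustomobject]@{
    CA          = $caName
    KeyProvider = $provider
    SystemState = $committed.SystemState
    Targets     = ($committed.BackupTargets | ForEach-Object { $_.Label }) -join ', '
    NextBackup  = (Get-WBSummary).NextBackupTime
}
```

Run it in an elevated PowerShell session on the CA. The final object is what you should see in Get-WBPolicy afterwards: SystemState set to True, the dedicated volume as the only target, and a NextBackupTime at the scheduled hour.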

  

Steps Required to Restore the Certification Authority from System State Backup

 The steps listed in this section detail three different approaches to restore the certification authority using Windows Server Backup Graphical User Interface (GUI), Windows Server Backup Command Line, and Windows Server Backup PowerShell.

General Steps Required to Restore the Certification Authority

The general steps to restore the certification authority are the preliminary steps required before attempting any other restore activity. These steps are:

1. Install Windows Server 2012 Standard or Datacenter Edition depending on the certification authority’s previously installed operating system version.

2. Join the server to the same domain or workgroup

3. Make sure the System State backup media is accessible from the server

4. Install Windows Server Backup Feature

Restore the Certification Authority Using Windows Server Backup GUI

1. Select Tools in Server Manager

2. Select Windows Server Backup

3. Select Local Backup

4. In Actions menu, select Recover

5. In Getting Started window select This Server (local Servername) and then select Next

6. In Select Backup Date window, choose the backup to restore from and then click Next

7. In Select Recovery Type window, select System State and then click Next

8. In Select Location for System State Recovery window, select Original Location and then click Next

9. Review your selections in the Confirmation window, make sure Automatically reboot the server to complete the recovery process is selected and then click Recover

10. Click Yes in the dialog warning you that a System State recovery cannot be paused or cancelled once the recovery operation is started

11. At this point, System State recovery will restore the certification authority and automatically reboot the server

12. After the server reboots and you log on, a command window reports the outcome of the System State recovery; press Enter to continue

 

 

Restore the Certification Authority Using Windows Server Backup Command Line

1. Start the Command Prompt (Admin)

2. List the backup history by running wbadmin get versions and note the version identifier of the latest backup. The backup’s Can recover value should clearly indicate System State is included in the backup.

 

3. Start System State recovery by typing wbadmin start systemstaterecovery -version:<version identifier value> -backuptarget:<backup location>

For example, the version identifier from my latest backup is 03/14/2013-04:03 and it is stored on C:, hence the command is wbadmin start systemstaterecovery -version:03/14/2013-04:03 -backuptarget:c:

 

4. Type Y and then hit Enter to start System State recovery

 

5. Type Y and then hit Enter to confirm. System State recovery will start restoring files

 

 6. Type Y and then hit Enter to restart the system to complete the System State restore

 

Restore the Certification Authority Using Windows Server Backup PowerShell Cmdlets

1. Start PowerShell as an Administrator

2. Set the $Backup variable using the Get-WBBackupSet cmdlet. Note that Get-WBBackupSet returns every backup set on the target; when more than one exists, pick the one you want (for example by BackupTime) before passing it on.

             PS C:\> $Backup = Get-WBBackupSet

3.  Start the system state recovery from the backup set in $Backup.

             PS C:\> Start-WBSystemStateRecovery -BackupSet $Backup

 4. Type Y when prompted to restore System State to the original location

  

 5. Type Y to confirm the required system restart
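Selecting the backup set explicitly before recovery, as an added example that is not part of the original post. It assumes the backup volume is attached to the rebuilt server with the same drive letter (E: here, an assumed value) and checks that the chosen set actually contains a System State before starting the recovery; the prompts that follow are the same Y/N confirmations described in the steps above.

```powershell
# Added example, not from the original post: pick the newest System State
# backup set on the backup volume and start recovery from it, instead of
# handing Start-WBSystemStateRecovery everything Get-WBBackupSet returns.
param([string]$BackupVolume = 'E:')   # assumed location of the backups
$ErrorActionPreference = 'Stop'
Import-Module WindowsServerBackup

$target = New-WBBackupTarget -VolumePath $BackupVolume
$sets   = @(Get-WBBackupSet -BackupTarget $target | Sort-Object BackupTime)
if ($sets.Count -eq 0) { throw "No backup sets found on $BackupVolume." }

# List what is available. VersionId is the same value wbadmin get versions
# prints, and RecoverableItems is the PowerShell counterpart of "Can recover".
$sets | Select-Object VersionId, BackupTime, RecoverableItems | Format-Table -AutoSize

$latest = $sets[-1]
if ("$($latest.RecoverableItems)" -notmatch 'SystemState') {
    throw "Newest backup $($latest.VersionId) does not contain a System State; choose another set."
}

Write-Host "Restoring System State from $($latest.VersionId) taken $($latest.BackupTime)"
# Same confirmations as the post's steps 4 and 5 follow; the server restarts
# when the recovery completes.
Start-WBSystemStateRecovery -BackupSet $latest -RestartComputer
```

If you need a specific older set rather than the newest, index into $sets by VersionId instead of taking the last element; the SystemState check applies to whichever set you choose.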

Amer F. Kamal

Sr. Premier Field Engineer

 

 


3. Select Local Backup

4. In Actions menu, select Recover

5. In Getting Started window Select This Server (local Servername) and then select Next

 

 

5. In Select Backup Date window, choose the backup to restore from and then click Next

 

6. In Select Recovery Type window, select System State and then then click Next

 

 

7. In Select Location for System State Recovery window, select Original Location and then click Next

 

8. Review your selections in the Confirmation window, make sure Automatically reboot the server to complete the recovery process is selected and then click Recover

 

9. Click Yes in the screen warning you about the ability to cancel, or pause System State backup once the recovery operation is started

 

10. At this point, System State recovery will restore the certification authority, and automatically reboot the server

 

11. Press Enter to continue after you log on the server after it reboots to confirm System State recovery

 

 

Restore the Certification Authority Using Windows Server Backup Command Line

1. Start the Command Prompt (Admin)

2. List the backup history by running wbadmin get versions and note the version identifier of the latest backup. The backup’s Can recover value should clearly indicate System State is included in the backup.

 

3. Start System State recovery by typing wbadmin start Systemstaterecvoery –version:<version identifier value> -backuptarget:<Backuplocation>

For example, the version identifier from my latest backup is 03/14/2013-04:03 and stored on C: , hence the command is wbadmin start systemstaterecovery –version:03/14/2013-04:03 –backuptarget:c:

 

4. Type Y and the then hit Enter to start System State recovery

 

5. Type Y and then hit Enter to confirm. System State recovery will start restoring files

 

 6. Type Y and then hit Enter to restart the system to complete the System State restore

 

Restore the Certification Authority Using Windows Server Backup PowerShell Cmdlets

1. Start PowerShell as an Administrator

2. Set the $Backup variable using Get-WBBackupset cmdlet

             PS C:\ $Backup = Get-Wbbackupset

3.  Start the system state recovery from the backup set in $Backup.

             PS C:\ Start-WbSystemStateRecovery –backupset $Backup

 4. Type Y when prompted to restore System State to the original location

  

 5. Type Y to confirm the required system restart

Amer F. Kamal

Sr. Premier Field Engineer

 

 

Windows Server 2012 Active Directory Certificate Services System State Backup and Restore

March 22nd, 2013 No comments

Windows Server 2012 System State Backup allows an administrator to back up several operating system components, including those required for a successful restore of a certification authority. Any certification authority backup should include the private key, the certificate database, the logs and the certification authority’s registry configuration.

The Windows Server Backup feature must be installed on the certification authority to take a System State Backup. It has been enhanced in Windows Server 2012 to let the administrator take a System State Backup from the feature’s Graphical User Interface (GUI) and from the command line. Furthermore, System State Backup in Windows Server 2012 backs up the certification authority’s private key without the need to install any hotfixes.

Note: Windows Server 2008 and 2008 R2 required installing a hotfix to back up the private key using System State Backup.

Steps Required to Back-up the Certification Authority Using System State Backup

There are two easy steps to prepare the certification authority for a System State Backup.

1. Install the Windows Server Backup feature

2. Schedule a System State Backup

Install Windows Server Backup Feature

 Windows Server Backup is not enabled by default on Windows Server 2012. The feature needs to be installed before taking or scheduling a System State Backup.

1. Log on to the certification authority and select Manage in Server Manager

2. Click Add Roles and Features

3. Click Next in the Before you begin screen

4. Select Role-based or feature-based installation and then click Next

5. Select the local server in the Select destination server screen

6. Click Next in the Select server roles screen

7. Select Windows Server Backup in the Select features screen and then click Next

8. Select Install in the Confirm installation selections screen

9. Click Close

Note: The Windows Server Backup feature can also be installed with the Install-WindowsFeature -Name Windows-Server-Backup cmdlet.

Schedule a System State Backup

Windows Server Backup allows administrators to back up the system to a non-critical volume only. Setting the registry key described in KB944530 provides a workaround to this limitation, but it is not recommended in production because it might cause a critical volume to fill up quickly. In general, make sure you have a volume, disk or network share designated for the certification authority’s backup other than your C: drive.

Using the Graphical User Interface (GUI)

1. Log on to the certification authority and select Tools in Server Manager

2. Click Windows Server Backup

3. Select Local Backup

4. Click Backup Schedule

5. Click Next in the Getting Started screen

6. Click Custom – I want to choose custom volumes, files for backup and then click Next

7. Click Add Items in the Select Items for Backup screen

8. Select System State and then click OK

9. Click Next in the Select Items for Backup screen

10. Choose the backup run time frequency in Specify Backup Time and then click Next

11. Select the backup destination in Specify Destination and then click Next

Note: The rest of this document assumes a dedicated volume to back up the certification authority to. The wording is slightly different if you chose a network share as your backup location.

12.  Click Add in Select Destination, select the dedicated volume and then select OK

13.  Click Next

14.  Review the scheduled backup settings in the Confirmation screen and then click Finish

Using the Command Line

Windows Server Backup can also be configured from the command line. The command-line tool Wbadmin has verbs that list backups, volumes and disks, create backup jobs, and more. The disk identifier of the backup target must be known before any backup job is scheduled.

The disk identifier is retrieved by running:

wbadmin get disks

Note the Volumes label in the command’s output. The scheduled backup should target non-System Reserved volumes. The volume that has the Disk Identifier {eb9c44d8-0000-0000-0000-000000000000} is the clear choice for the backup files.

The next step is creating a scheduled task that takes a System State Backup to the volume identified above. This is also done with the Wbadmin command-line tool, using the enable backup verb. For example, run the following command to set up a backup job that runs daily at 10:00 PM and includes System State:

wbadmin enable backup -addtarget:{eb9c44d8-0000-0000-0000-000000000000} -schedule:22:00 -systemState

Note: If you prefer to take a one-time System State Backup, run wbadmin start systemstatebackup -backuptarget:<non-critical volume DriveLetter> instead.

Using PowerShell

Scheduling a System State Backup with PowerShell might seem intimidating at first. The tasks involve creating a backup policy, a backup target, a schedule, and then tying all of that to the policy. Let us go through them one at a time.

The first command stores the result of the New-WBPolicy cmdlet in the variable named $Policy:

PS C:\> $Policy = New-WBPolicy

Setting the volume as the System State Backup path

This command creates a WBBackupTarget object that uses the volume with drive letter E: as the backup storage location. You can add multiple volumes for storage to the WBPolicy object that contains the backup policy.

PS C:\> $volumeBackupLocation = New-WBBackupTarget -VolumePath E:

This command adds the system state to the backup policy in the $Policy variable.

PS C:\> Add-WBSystemState -Policy $Policy

This command adds the backup location (volume E:) to the backup policy in the $Policy variable.

PS C:\> Add-WBBackupTarget -Policy $Policy -Target $volumeBackupLocation

This command sets the backup schedule in the $Policy variable to run daily at 10 PM.

PS C:\> Set-WBSchedule -Policy $Policy -Schedule 22:00:00

This is the last command; it applies the policy held in the $Policy variable as the server’s scheduled backup policy.

PS C:\> Set-WBPolicy -Policy $Policy
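Putting the PowerShell steps above together, as an added example that is not code from the original post: one function builds and applies the same policy (refusing the system drive as a target and installing the feature if it is missing) and then reads back what the server registered, and a second function picks the newest backup set that can recover System State, which is the set Start-WBSystemStateRecovery expects in the restore section. The E: target, the function names and the WBSummary/WBBackupSet/WBBackupTarget property names used in the checks are assumptions, not taken from the post.

```powershell
# Added example (not from the original post). Assumes E: is a non-critical
# volume and that the property names used in the checks (WBSummary.NextBackupTime,
# WBBackupSet.RecoverableItems/BackupTime, WBBackupTarget.Label) match the
# cmdlets' usual output; adjust them if your module version differs.
Import-Module WindowsServerBackup -ErrorAction Stop

function Register-CaSystemStateBackup {
    param(
        [string]$TargetVolume = 'E:',        # assumed non-critical volume
        [string]$BackupTime   = '22:00:00'   # daily at 10 PM, as in the post
    )
    # Windows Server Backup will not write to a critical volume, and a backup
    # landing on the system drive could fill it and take the CA down; fail early.
    if ($TargetVolume.TrimEnd('\') -ieq $env:SystemDrive) {
        throw "Backup target must not be the system volume $env:SystemDrive."
    }
    # Same cmdlet as the post's note; a no-op if the feature is already present.
    if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
        Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
    }
    # Policy -> target -> system state -> schedule -> apply (the post's sequence).
    $policy = New-WBPolicy
    $target = New-WBBackupTarget -VolumePath $TargetVolume
    Add-WBBackupTarget -Policy $policy -Target $target | Out-Null
    Add-WBSystemState  -Policy $policy
    Set-WBSchedule     -Policy $policy -Schedule $BackupTime | Out-Null
    Set-WBPolicy       -Policy $policy

    # Read back the registered policy instead of trusting the calls succeeded.
    $applied = Get-WBPolicy
    if (-not (Get-WBSystemState -Policy $applied)) {
        throw 'Applied policy does not include System State.'
    }
    $firstRun = Get-WBSchedule -Policy $applied | Select-Object -First 1
    [pscustomobject]@{
        Target     = (Get-WBBackupTarget -Policy $applied | Select-Object -First 1).Label
        Schedule   = $firstRun.ToString('HH:mm')
        NextBackup = (Get-WBSummary).NextBackupTime
    }
}

function Get-CaSystemStateBackupSet {
    # Newest backup set that can recover System State, or nothing if none exists.
    # Get-WBBackupSet returns every set on the target, so filter before restoring.
    Get-WBBackupSet |
        Where-Object { $_.RecoverableItems -match 'SystemState' } |
        Sort-Object BackupTime -Descending |
        Select-Object -First 1
}

# Usage: register the schedule, then show the set a restore would use.
Register-CaSystemStateBackup -TargetVolume 'E:'
Get-CaSystemStateBackupSet | Format-List VersionId, BackupTime, RecoverableItems
```

The backup set returned by Get-CaSystemStateBackupSet is what to pass to Start-WBSystemStateRecovery -BackupSet during a restore; if it returns nothing, no System State backup has completed yet.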

  

Steps Required to Restore the Certification Authority from System State Backup

 The steps listed in this section detail three different approaches to restore the certification authority using Windows Server Backup Graphical User Interface (GUI), Windows Server Backup Command Line, and Windows Server Backup PowerShell.

General Steps Required to Restore the Certification Authority

The general steps to restore the certification authority are the preliminary steps required before attempting any other restore activity. These steps are:

1. Install Windows Server 2012 Standard or Datacenter Edition depending on the certification authority’s previously installed operating system version.

2. Join the server to the same domain or workgroup

3. Ensure access to the System State backup media

4. Install Windows Server Backup Feature

Restore the Certification Authority Using Windows Server Backup GUI

1. Select Tools in Server Manager

2. Select Windows Server Backup

3. Select Local Backup

4. In Actions menu, select Recover

5. In the Getting Started window, select This Server (local Servername) and then select Next

6. In the Select Backup Date window, choose the backup to restore from and then click Next

7. In the Select Recovery Type window, select System State and then click Next

8. In the Select Location for System State Recovery window, select Original Location and then click Next

9. Review your selections in the Confirmation window, make sure Automatically reboot the server to complete the recovery process is selected and then click Recover

10. Click Yes in the screen that warns you about whether the System State recovery can be cancelled or paused once the operation has started

11. At this point, System State recovery restores the certification authority and automatically reboots the server

12. After the server reboots and you log on, press Enter to continue and confirm the System State recovery

 

 

Restore the Certification Authority Using Windows Server Backup Command Line

1. Start the Command Prompt (Admin)

2. List the backup history by running wbadmin get versions and note the version identifier of the latest backup. The backup’s Can recover value should clearly indicate System State is included in the backup.

 

3. Start System State recovery by typing wbadmin start systemstaterecovery -version:<version identifier value> -backuptarget:<Backuplocation>

For example, the version identifier from my latest backup is 03/14/2013-04:03 and it is stored on C:, hence the command is wbadmin start systemstaterecovery -version:03/14/2013-04:03 -backuptarget:c:

4. Type Y and then hit Enter to start System State recovery

 

5. Type Y and then hit Enter to confirm. System State recovery will start restoring files

 

 6. Type Y and then hit Enter to restart the system to complete the System State restore

 

Restore the Certification Authority Using Windows Server Backup PowerShell Cmdlets

1. Start PowerShell as an Administrator

2. Set the $Backup variable using Get-WBBackupset cmdlet

PS C:\> $Backup = Get-WBBackupSet

3. Start the system state recovery from the backup set in $Backup.

PS C:\> Start-WBSystemStateRecovery -BackupSet $Backup

 4. Type Y when prompted to restore System State to the original location

  

 5. Type Y to confirm the required system restart

Amer F. Kamal

Sr. Premier Field Engineer

 

 

“Cyber Crime Department” scam

March 21st, 2013 No comments

We’ve received increased reports of a new phishing scam email message that uses the name and official logo of the Microsoft Digital Crimes Unit (DCU). The wording varies, but it looks like a security measure and says you need to validate your account by confirming your user name and password or by opening a file attached to the message.  

This is a fake message, but DCU is a real worldwide team of lawyers, investigators, technical analysts, and other specialists working to transform the fight against digital crime through partnerships and legal and technical breakthroughs that destroy the way cybercriminals operate. The DCU is a unique team in the tech industry, focused on disrupting some of the most difficult cybercrime threats facing society today – including malicious software crimes fueled by the use of botnets and technology-facilitated child sexual exploitation.

DCU does not send email to individuals asking them to validate their account information.  If you get one of these email messages, it is a scam. 

There are legitimate times when, in the course of a botnet cleanup effort, DCU will work to inform known victims of a particular threat to help them remove the botnet malware and regain control of their computer. Sometimes Microsoft will work with Internet service providers (ISPs) and Computer Emergency Response Teams, who in turn will inform malware victims through their already-established relationship with their ISP customers. This lets ISPs reach victims in a way that botnet victims can clearly verify as legitimate. Other times, Microsoft may indeed notify victims directly – but not in email and not to verify account information, as the phishing scams claim.

When DCU does inform victims directly about a known malware infection on their computer, like in the recent case involving the Bamital botnet takedown, it will not ask people to click on a link or download an attachment.  Rather, DCU’s communication will be done over a secured connection and will be readily verifiable as legitimately coming from Microsoft.  These notifications will often also be accompanied by a high profile public information campaign that outlines the notification process, which will also help people independently verify that a warning is real and actually coming from Microsoft.

If you receive an email message claiming to be from the DCU, do not click on links or open any attachments.  Instead, you can either just delete it or you can report it.

Here’s a copy of the fake message:

This message contains three common signs of a scam:

  • Impersonation of a well-known company or organization
  • Time-sensitive threats to your account
  • Requests to click an attachment or link

Get more information on how to recognize phishing email messages, links, or phone calls.

Get automatic app updates

March 19th, 2013 No comments

If you have Windows Phone 8 you might be aware of our strong security stance of offering only digitally signed apps you can download from your phone or from the web in Windows Phone Store.

Now we’ve taken another step to help reduce risk and increase safety with your PC apps. Security updates for Windows 8 apps will be automatically installed as they are ready. This will include updates for programs that come pre-installed for Windows 8 (like Mail) and for apps that you download.

For more information, read the announcement at Microsoft Security Response Center or the official policy page.

Categories: apps, security updates