Vol. 21, #44 - October 31, 2016 - Issue #1104


Revisiting Win7 updating, Win10 annoyances, and DDoS mitigation


Editor's Corner

This week's newsletter looks back at several topics we've covered in recent issues, including Windows 7 updating problems, Windows 10 annoyances, and mitigating DDoS attacks involving swarms of IoT devices like so-called "smart" refrigerators and their ilk. Of course, as this Dilbert comic strip illustrates, refrigerators have been smart since the day people started dieting:

http://www.wservernews.com/go/rbpbv4dg/

Ask Our Readers - Two-factor authentication and Windows Server Essentials with Azure/Office 365 integration

Tony from the UK sent us the following scenario that he's been wrestling with:

I run Windows Server Essentials 2012 R2 (WSE) and it has a couple of users -- one of whom is the admin. Office 365 is integrated into it. I recently decided that as one company I work with had forced me to use two factor authentication for Office 365, I would move over to two factor authentication (2FA) for my own account, especially as it is the administrator account. I know about authorizing applications -- my phone (Android), laptop and desktop all set up; 2FA using the Microsoft Azure app (really neat the way it just photos the QR code to set it up).
All going well and then I find errors on WSE -- it cannot authenticate. The Office 365 plan had been changed (Microsoft forget that this causes other issues every time they force us to change plans -- it may be good marketing, but it is not pain and side effect free). So I removed the integration, turned off 2FA and re-set up the integration, which then worked (but gives a critical error about the old Office 365 plan that has expired because it was forcibly changed to a new one and there is no obvious way of telling it to ignore the old expired plan because it really is not an error). Of course, the pain is that if you turn off 2FA you then have to recreate all the app authorizations when you turn it back on.
I could find no way of "authorizing" my server, and clearly the WSE does not support 2FA -- or at least I could not find anything about how to do this. So unless there is a method, then the only way integration works for Office 365 etc on WSE is if you don't have a more secure 2FA on the admin account -- the very account you WANT most to secure.
So the question is:
1) Is there a way of using 2FA with Windows Essential Server for Azure/Office 365 services integration?
2) If not, then having integrated services force the lowest level of security is surely a security risk in itself?

If any readers out there can offer any suggestions for Tony, please email us at wsn@mtit.com


Ask Our Readers: WServerNews has almost 100,000 subscribers worldwide. That's a lot of expertise to tap into. Do you need help with some issue or need advice on something IT-related? Got a question you'd like us to toss out to our readers to try and answer? Email us at wsn@mtit.com
 

From the Mailbag

Our mailbag for Issue #1102 Ask Our Readers: Attack of the refrigerators! included a comment from a reader named Felix concerning Issue #1099 Malware and cloud backup: a bedtime story where Bill Bach shared how he helped a client recover data from their mission-critical PSQL database which had been rendered useless by a Cryptolocker-style, data-encrypting malware attack:

An interesting story from Bill Bach. I wonder if the end user had a VSS aware version of PSQL. We use and recommend backup solutions like the one Bill describes, but you must make sure that all software used is VSS aware and has a VSS writer, so that a proper backup is taken. It appears that in Bill's client's case this was not happening. Checking the PSQL site, I note that PSQL has only supported VSS with V11 SP2:

http://www.wservernews.com/go/12u03jtl/

Of course best practice is to always do a test restore of your backup once implemented and do these tests every few months to make sure your backups are actually usable.

Bill responds to Felix's comment as follows:

The user has PSQLv12, the most recent version, which DOES have the VSS Writer, and it is correctly configured.  This is why they were surprised when the problem arose.  What most administrators don't realize (until it is too late) is that the timestamps on PSQL data files do NOT get updated when the VSS Writer is used without the System Cache, so an incremental or differential backup based solely on the file timestamps will not be complete.  The complete paper (on our web site) does provide this additional detail, as well as how to check that your backup system is working properly.

More on Windows 7 updating problems

In Issue #1098 Windows 7 updating pain we described how painful it's become for some users running Windows 7 to keep their machines up to date with the latest software patches made available on Windows Update. While I offered my own solution to the problem in that issue, many readers responded with solutions of their own and we published many of them in Issue #1100 Reader Feedback: Windows 7 updating pain. Comments keep pouring in, however, so we thought we'd publish a few more in case they can help some of our readers facing this problem.

Robin, who works for an Information, Communications and Technology service provider based in the UK, recommended the following procedure for resolving Windows 7 updating issues:

Having just had the "pleasure" of deploying 12 laptops for a client I found the following procedure worked to speed up updating. Download the following KB updates:
1. KB3138612
2. KB3145739
3. KB3020369
4. KB3172605

Installation procedure:

1. Disconnect the PC from the internet & reboot to ensure all internal update processes are terminated
2. Install the 1st KB in the list & reboot
3. Install the 2nd KB in the list & reboot
4. Install the 3rd KB in the list & reboot (even though it won't ask you to)
5. Install the 4th KB in the list & reboot
6. Connect to the internet & reboot
7. Run Windows Update from Control Panel -- updates should list in 20 -- 30 minutes

Another reader named Steven who works in IT Customer Services for a professional business services company based in the UK shared the following procedure which worked for him:

I have read your article on the problem people are having updating Windows 7. After a lot of stopping and starting services and restarting the PC, here is what I did to get it working.

1. Stop Background Intelligent Transfer Service
2. Stop Windows Update Service
3. Install KB3020369
https://support.microsoft.com/en-us/kb/3020369
4. Install KB3075851
https://support.microsoft.com/en-us/kb/3075851
5. Install KB3102810
https://support.microsoft.com/en-us/kb/3102810
6. Install KB3112343
https://support.microsoft.com/en-us/kb/3112343
7. Install KB3125574
https://support.microsoft.com/en-us/kb/3125574
8. Install KB3135445
https://support.microsoft.com/en-us/kb/3135445
9. Install KB3138612
https://support.microsoft.com/en-us/kb/3138612
10. Install KB3172605
https://support.microsoft.com/en-us/kb/3172605

*NOTE* ONLY RESTART COMPUTER WHEN ASKED -- IF SO REMEMBER TO STOP THE 2 SERVICES AGAIN.

11. Start Background Intelligent Transfer Service
12. Start Windows Update Service
13. Run Windows Update and leave approx. 5 mins… If it is working, when you click the Start Menu there should be a Yellow Shield next to Shut Down.
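
The manual sequence above can be scripted. The following PowerShell script is an added example, not code from the newsletter or from the readers quoted here; it assumes an elevated session and that the .msu packages were downloaded beforehand into a local folder (the `C:\Updates` path and the parameter names are hypothetical). It goes slightly beyond the listed steps by skipping KBs that are already installed and by stopping when a reboot is requested, so it can be run again after each restart.

```powershell
# Added example: scripted version of the reader's manual KB sequence.
# Assumptions: elevated PowerShell session; the .msu files are already
# in $MsuDir (hypothetical folder); file names contain the KB number.
param(
    [string]$MsuDir = 'C:\Updates',
    # Default order is the one given in the reader's procedure.
    [string[]]$KbOrder = @('KB3020369', 'KB3075851', 'KB3102810', 'KB3112343',
                           'KB3125574', 'KB3135445', 'KB3138612', 'KB3172605')
)

$services = 'BITS', 'wuauserv'   # Background Intelligent Transfer, Windows Update
$wusa     = Join-Path $env:SystemRoot 'System32\wusa.exe'

foreach ($kb in $KbOrder) {
    # Skip packages that are already present, so a re-run after a
    # reboot resumes where the previous run stopped.
    if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
        Write-Host "$kb is already installed, skipping"
        continue
    }

    $msu = Get-ChildItem -Path $MsuDir -Filter "*$kb*.msu" | Select-Object -First 1
    if (-not $msu) {
        Write-Warning "No package for $kb found in $MsuDir"
        continue
    }

    # Stop both services before each package so no background scan is
    # running while the standalone installer works.
    Stop-Service -Name $services -Force -ErrorAction SilentlyContinue

    $p = Start-Process -FilePath $wusa `
            -ArgumentList "`"$($msu.FullName)`"", '/quiet', '/norestart' `
            -Wait -PassThru

    switch ($p.ExitCode) {
        0           { Write-Host "$kb installed" }
        3010        {   # installer asks for a restart
                        Write-Host "$kb installed, reboot required. Reboot, then run this script again."
                        exit 3010
                    }
        2359302     { Write-Host "$kb reported as already installed" }      # 0x00240006
        -2145124329 { Write-Warning "$kb is not applicable to this system" } # 0x80240017
        default     {
                        Write-Warning "$kb failed with exit code $($p.ExitCode)"
                        Start-Service -Name $services
                        exit 1
                    }
    }
}

# All packages handled: bring the services back and let Windows Update scan.
Start-Service -Name $services
Write-Host 'Done. Run Windows Update from Control Panel to check for remaining updates.'
```

To follow Robin's shorter list instead, pass it with `-KbOrder KB3138612,KB3145739,KB3020369,KB3172605` and reboot after each package as that procedure says.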


Next, a reader named Ed sent us the following note of thanks which we greatly appreciated:


Many thanks for the two issues which have addressed the problem of Windows 7 Updates.  We have to get new PCs out to users and can't wait around for hours (or days). So far we've gotten things to work!

You're welcome!

Finally, here's another note of thanks we received, this time from a reader named Lee, which includes an alert for businesses that have older HP laptops:

Thanks for the stories about Windows 7 update issues. As a repair shop that will see two or three formats during a week, it has been a tremendous time sink.
 
I had been experiencing the same problems, and did not know it was widespread until your article.  I followed the advice about manually installing specific updates in order to fix the issue.  Sadly, a fix for one machine does not seem to work on the next.  Your October 17th issue suggested using WSUS Offline Update.  What a great tool.  I deployed it this morning with great results.

EDITOR'S NOTE: Here's a link for the WSUS Offline Update tool:

http://www.wservernews.com/go/56eqdtj5/

On a possibly related note, about the same time Windows update broke, HP seems to have removed all drivers from its website for older laptops.  This is a major issue for those of us maintaining old systems.  I hate conspiracy theories, but who knows.

Do any readers who have contacts with HP Support have any further insight into what Lee is referring to here? Email us at wsn@mtit.com

 

More on Windows 10 annoyances

Some of our readers are clearly still wrestling with issues concerning Windows 10 which we caught up on recently in Issue #1101 Catching up on Windows 10. For example, a reader named Tom has been experiencing an annoyance we hadn't previously heard about:

I have an issue when I have a File Explorer window open on drives in Windows 10 when telling it to create a new folder (and sometimes when re-naming) -- Explorer will hang for 1 to 4 minutes while trying to create it -- It says Non-Responding in the title bar -- then eventually it creates it. Sometimes it creates a "New Folder" folder name and not the name I told it to use. Does not matter how many Explorer windows are open -- the one being used to create a new folder just hangs for some reason. I have each Explorer in its own process.

Have any other readers been experiencing this or a similar problem? Have you found a solution? Email us at wsn@mtit.com

Greg who works in IT for a manufacturing company in Illinois, USA explains why he's still holding off moving his users to Windows 10:

I've been running Win 10 on 2 out of 50 machines (rest are Win 7). No way I'd move to this OS. I've had stalls, video freezes, really high disc I/O just sapping the 2 machines that are on it. Unannounced updates killing the usability of the machines. One of the worst experiences I had is when Microsoft was doing the forced upgrades to Win 10 in which one of my machines absolutely needed Windows 7 to operate an industrial piece of equipment which after the upgrade downed the equipment. I was beyond livid with this. This had a ripple effect in our plant costing us thousands of dollars in down time until I could get the PC set back to Win 7 along with the software needed. I certainly don't need 50 more headaches.
Microsoft says it listens to customers but they never do. They listen to the big players who have several thousand seats, the rest of us suffer with their BS. Microsoft needs to change their arrogant attitude with the very people that pay them, US! I've dropped most licensing agreements with them. Microsoft wonders why companies move away from them? It's pretty clear to me. Can you hear me now?

Maybe send Microsoft a bill for the amount of money your company lost because of the borked upgrade?

On the slightly brighter side, a reader named Dan pointed us to a TechTarget article that describes a new Windows 10 feature that will hopefully reduce the number of reboots required after updates are installed:

In re irritating auto reboots after Win10 updating, it looks like the Spring update fixes the problem, according to TechTarget.com:

 "IT pros dealing with interruptions from Windows 10 crashes look forward to updates coming this spring. If a PC restarts automatically after an update or crashes suddenly, that can be a big detriment to user productivity. Employees who are on a deadline or giving a presentation lose valuable time, for instance, and some workers could even lose information they didn't save. Some IT departments have update and patch management software to prevent this problem, but a few new Windows 10 features could help companies that don't have those tools."

http://www.wservernews.com/go/vefl41qi/

Ungrouping of service processes does sound like a step forward, as I've always been a bit annoyed by how hard it is to track down the exact cause of a problem when it appears to be associated with a Svchost.exe process that's hosting a half dozen or more Windows services. On the other hand, I fear what may be the unintended consequences of ungrouping services that were formerly bundled into Svchost processes.

Finally, here's a golden comment from a reader named Peter from Australia:

I have to agree with all the comments I have read regarding this. The word "annoyance" is not strong enough to describe my experience. As a result of the recent debacle, I am reverting a number of machines for clients who I support, back to Win 7. In other cases I have used gpedit to get some control over the updates.
The "Wake/sleep problems" that others encountered are a little different to my experience -- mine is all about the lack of sleep I have had to endure trying to sort out numerous systems stuffed up by the recent "automatic" upgrades!!!!!!!

Got more Windows 10 frustrations or annoyances? Found a solution to a particular Windows 10 problem that's been bugging you? Email us at wsn@mtit.com

Mitigating DDoS attacks from IoT devices

In Issue #1102 Ask Our Readers: Attack of the refrigerators! we asked readers for their advice about how online businesses can protect themselves against the latest threat: distributed denial of service (DDoS) attacks by botnets of Internet of Things (IoT) devices like Internet-connected refrigerators, television sets, washing machines, and so on. Several of our readers weighed in on this topic by offering helpful tips and insights. To start off, Pat who is President of a company based in Wisconsin, USA said:

As much as a wireless printer can be an open door to your network, other IoT devices are just as available.  It has been noted that some appliances are being shipped with a standard default password … it is necessary to change the password on each device you install.

I almost think there should be a law of some kind saying that any "smart" device when first turned on should display a screen that forces the owner of the device to change the default password for the device.

Tony from the UK went into some detail concerning his thoughts on the subject as follows:

Whilst this is potentially a problem, it is fairly simple to at least provide a significant amount of mitigation. The majority of these devices use a router in the property/home they are in to gain their access into the wider Internet. These routers have firewalls, and it is not difficult to start to filter outgoing traffic. DDOS attacks are usually high level and concentrated on a target domain. Thus a certain amount of monitoring of traffic patterns and when it is clear a DDOS attack is underway, the routers can have their routing modified (they are mostly going to get their DNS from an ISP, Google or OpenDNS) to redirect e.g. to a non-publicly routable address to at least snuff out the major traffic. It needs a bit more thought as to how to separate out legitimate traffic.
If nothing else, then most of these types of devices have no need for high data rates, and so designers/developers should design in the minimum interval between data transmissions. For example, a normal room temperature sensor has no need to transmit more than once every 10-30 seconds. Many years ago, the Slammer worm was so effective because they managed to code it into a single packet, thus reducing the latency by several orders of magnitude over a multiple packet worm, and hence it spread so quickly.
But I expect that as IoT progresses, we will see responsible router manufacturers starting to mitigate outgoing malicious traffic, and maybe it may even become a requirement.
I think that DDOS attacks will end up having to be tackled at least partly at source, or close to the source, and the router would seem to be the obvious starting point. Since ISPs often bear the brunt of the DDOS traffic as well, it will be in their interests, and you may well see ISPs charging customers less if they supply a secure router (possibly managed by the ISP to mitigate DDOS etc) than they charge customers who don't have a secure router.
ISPs have to collaborate to reduce this to a manageable level -- after all a few thousand ISPs control the access the majority of IoT devices have to the Internet.

Thanks for some insightful comments. I agree that DDoS is a complex problem whose solution likely involves network device manufacturers, ISPs, and customers. On the other hand, finding a solution that involves coordinating the efforts of so many parties might simply be an exercise in futility.

A reader named Russell who works for a company offering managed datacenter and cloud hosting says:

This is just my personal view, but it used to be in the early days that you had to prove yourself worthy of joining the Internet. Most universities got connections, but had to prove they understood IP and DNS. They were governed by 'netiquette' and could be taken off the net if they misbehaved.
Fast forward to when normal people started joining. We do that via an 'ISP' who already has a connection and *should* know what they are doing. The Internet used to be free, but the ISPs charge you for allowing access to the Internet through their connections.
The way I see it is that they are charging people for the 'free' Internet and should shoulder some responsibility for keeping it clean. They are the only ones that really know which subscriber is at the end of their changing DHCP IP address. They collect the money, so they definitely know who is connecting.
I would like to see them send an email to infected subscribers warning them. If the subscriber does not fix their issue, they should be disconnected. I believe most people would welcome an email telling them they are infected as they almost certainly do not know they are infected, are part of a bot-net and potentially have their personal information being stolen. I would then go one step further and if a particular ISP does not comply and 'clean up their act' then the ISP should be cut off. Surely if this was done, then within a few months, the bot-net problem would be largely over. Also, I would like to think that the bad hackers would be more easily detected and reported to the authorities.

Cutting off an ISP may sound draconian but Russell has a good point here. Maybe it's time to play hardball to keep the Internet running smoothly since so many individuals, businesses, and even governments depend upon it for providing/purchasing goods and services.
However, what I was actually driving at in my original editorial on this topic is what kind of steps *your* company can take to defend against DDoS attacks involving IoT botnets. It's one thing to suggest connected-refrigerator owners should change their default passwords or careless ISPs should have their pipe shut down, but it's another thing to ask what can *I* do to protect *my* company given that default passwords won't get changed and bad ISPs won't even get their wrists slapped.
Not being an expert on DDoS prevention, I searched around and found the following resource which seemed helpful:

How do major sites prevent DDoS? (StackExchange)

http://www.wservernews.com/go/v7owiodr/

The top answer for this thread suggests the following DDoS prevention/mitigation steps your company can perform:
• Bandwidth Oversubscription
• Automated Mitigation
• Upstream Blackholing
• Third Party Provider
• System Hardening

My question for readers, especially those of you working in enterprise environments or datacenters, is this: Which of these (or any other) techniques does your company use to guard against or mitigate DDoS attacks? Email us at wsn@mtit.com if you would like to share any thoughts on this matter for the benefit of other readers of this newsletter. Thanks!
 

Send us your feedback

Got feedback about anything in this issue of WServerNews? Email us at wsn@mtit.com

Recommended for Learning

Microsoft Tech Community


Share tips and best practices with Microsoft experts on the Microsoft Tech Community:

http://www.wservernews.com/go/pxz8zazp/
 

Microsoft Virtual Academy

Azure for IT Pros Content Series

IT Pros, if you’re ready to dive into Azure--from fundamentals to deployment, security, and management, along with scale and agility, this series of courses is for you! Get an authoritative and comprehensive look at Azure and its components. And come back for more, as this series will eventually include as many as 12 courses, with topics ranging from Azure Storage, Azure Data Services, Azure Web Apps and Mobile Apps, and much more--basically, all you need to know about Azure.

http://www.wservernews.com/go/9snhkpqg/

NEW! Factoid of the Week 

We're getting tired of trying to find inspiring/entertaining quotes each week so we're going to try out something new: Factoid of the Week. FWIW Merriam-Webster defines "factoid" as originally meaning "a non-established piece of information commonly believed to be a fact, but which may not actually be true" so we aren't guaranteeing that any of these "facts" that we're presenting are actually true--though we *think* they are. But our point is more to entertain than inform, and also to stimulate some interesting feedback from our readers. So here goes...

Fact: In 2010, the BBC spent nearly £230,000 on tea, but only £2,000 on biscuits.

Question: What could account for this startling discrepancy? Email us your answer: wsn@mtit.com

Until next week,
Mitch Tulloch


Admin Toolbox

Admin Tools We Think You Shouldn't Be Without

GOT ADMIN TOOLS or other software/hardware you'd like to recommend? Email us at wsn@mtit.com

RoboForm is a password manager and one-click web form filler with some serious Artificial Intelligence inside:

http://www.wservernews.com/go/20duej25/

Real Temp is a temperature monitoring program designed for all Intel single Core, Dual Core, Quad Core and Core i7 processors:

http://www.wservernews.com/go/n9rud2fe/

AdwCleaner is a tool that searches for and deletes Adware, Toolbars, PUP (Potentially Unwanted Programs), Hijackers, and more:

http://www.wservernews.com/go/o6944rbz/

 

This Week's Tips

GOT TIPS you'd like to share with other readers? Email us at wsn@mtit.com

WSUS - Cleanup script

Windows Management Experts (WME) has a tip about how you can write a script that uses a PowerShell cmdlet in Server 2012 R2 to perform a WSUS cleanup:

http://www.wservernews.com/go/w3524gqq/

Windows Intune - Enrolling Windows 10 PCs as mobile devices

Jeff Gilbert has a post on his blog that examines different ways of enrolling Windows 10 PCs in Windows Intune:

http://www.wservernews.com/go/c39o1107/

Microsoft Azure - Some helpful shortcuts

Want to quickly find or learn about some aspect of Microsoft Azure? Check out this list of more than 200 shortcut links:

http://www.wservernews.com/go/1nz9n7n5/

 

Events Calendar

North America

Microsoft Ignite Australia on February 14-17, 2017 at the Gold Coast Convention & Exhibition Centre, Broadbeach, QLD

http://www.wservernews.com/go/zzb8ckyb/

Microsoft Worldwide Partner Conference (WPC) on July 9-13, 2017 in Washington, D.C.

http://www.wservernews.com/go/8819wfmp/

Add Your Event

PLANNING A CONFERENCE OR OTHER EVENT you'd like to tell our 100,000 subscribers about? Contact info@techgenix.com

New on TechGenix.com

Know before you go: Understanding cloud computing services

When it comes to cloud computing, the hard part isn’t deciding if you should make use of the cloud but rather which service to use. Here are some tips:

http://www.wservernews.com/go/m3eacj7h/

‘BadTunnel’ flaw could mean a scary Windows trip

A flaw in the Windows operating system affects all versions from the past 20 years, from Windows 95 to Windows 10. Learn what you can do to fix it:

http://www.wservernews.com/go/ulgxkbc3/

Tips from the pros: How to succeed as an IT consultant

Some tips from experienced consultants that can help you succeed with your own IT consulting business by winning new customers and earning their trust:

http://www.wservernews.com/go/06xd5iog/

IoT adoption slows down as consumers look for real solutions

Is IoT going to continue its growth trajectory? Perhaps not since your WiFi bandwidth will be throttled:

http://www.wservernews.com/go/xas5cils/

AWS and Microchip team for IoT security

Along with the great conveniences promised by the Internet of Things, there are lurking threats. Two companies hope to avert a potential nightmare scenario:

http://www.wservernews.com/go/uvgmeiys/

 

Tech Briefing

Azure

Use Azure DNS Service (preview) from Azure VMs (Cloud Solution Architect)

http://www.wservernews.com/go/6q2jarya/

Getting started Azure Networking (WindowsNetworking.com)

http://www.wservernews.com/go/y8o69k53/

Cloud computing

Getting Started with Containers (Part 7) (VirtualizationAdmin.com)

http://www.wservernews.com/go/rjlrend9/

DevOps in the Cloud (WindowsNetworking.com)

http://www.wservernews.com/go/3semcacn/

Hyper-V

What you need to know about using Disk2VHD (VirtualizationAdmin.com)

http://www.wservernews.com/go/899ddhc3/

Why Are My Virtual Machines Slow? (myITforum)

http://www.wservernews.com/go/4u4eascn/

Office 365

What you need to consider with multiple Office 365 tenants (Part 1) (MSExchange.org)

http://www.wservernews.com/go/4a5ok0ag/

Measuring and validating network bandwidth to support Office 365 and Unified Communications (MSExchange.org)

http://www.wservernews.com/go/p9rmk3iy/

Security

Most Vulnerable Computers Online is September’s Free ConfigMgr Report (myITforum)

http://www.wservernews.com/go/lzk9xp1k/

Drones - Another threat to security (WindowsSecurity.com)

http://www.wservernews.com/go/rekrnogy/

 

Other Articles of Interest

How to deliver Linux desktops using VMware Horizon

VMware added support for Linux VDI in Horizon View 6.1 – though it is clear it still has some work to do to match the functionality of Windows desktop virtualization. Find out more:

http://www.wservernews.com/go/ojqfro7f/

Evaluate log management tools from top cloud providers

Log management tools should be an integral part of your cloud computing plan. Compare top provider tools, such as CloudWatch, Stackdriver and Operations in this complimentary tip from our editors:

http://www.wservernews.com/go/s7wnmkrn/

Master microservices management on IT resources

Deploying and managing microservices is a hard, continuous process. Proper resource planning and automation tools help realize the benefits of cloud and virtualization. Find out what four elements for resource binding and elasticity in apps are needed to retain the benefits of virtualization and cloud.

http://www.wservernews.com/go/zasurmna/


Make the right move with the Active Directory Migration Tool

Migrating Active Directory to a new version can be complicated – unless of course you use Microsoft's Active Directory Migration Tool and follow these best practices that can help make the switch relatively painless.

http://www.wservernews.com/go/temyplm2/

 

WServerNews FAVE Links

This Week's Links We Like. Tips, Hints And Fun Stuff

GOT FUN VIDEOS or other fun links to suggest you'd like to recommend? Email us at wsn@mtit.com

Since we recently talked about "smart" appliances like the network-connected refrigerator, we thought we'd point you to some classic Flixxy videos on the topic of "home" for your enjoyment:

Hidden Secret Passages For Your Home

Creative Home Engineering can build Hollywood-style secret passages for your home or office:

http://www.wservernews.com/go/g64apy3c/

$41,000 Home Built In 4 Days Using Screwdrivers

Four days, an electric screwdriver, $41,000 and a piece of land is all you need to build the structure of this beautifully designed pop-up house:

http://www.wservernews.com/go/pbfr094k/

A Tiny Home Tour: Living In 89 Square Feet

Jay Shafer of the Tumbleweed Tiny House Company gives us a tour of his 89-square-foot home on wheels:

http://www.wservernews.com/go/qy5i3n54/

The Future of Home Construction

It can take from six weeks to six months to build a house. Within the next five years, we may be able to upload design specifications to a massive 3D Printer, press print, and watch as it spits out a house in less than a day:

http://www.wservernews.com/go/blb4dvxy/

 

WServerNews - Product of the Week

 

WServerNews - Editors

Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit and has been author or series editor for almost fifty books mostly published by Microsoft Press. Mitch is also a ten-time recipient of Microsoft's Most Valuable Professional (MVP) award for his  outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com.

Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid also manages research and marketing for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.