Vol. 23, #34 - August 27, 2018 - Issue #1196

WServerNews Ask Our Readers: 2FA or not 2FA? 

Free Tool for Monitoring Exchange Server Status & Performance 

Image

SolarWinds® Exchange Monitor is a free tool that allows users to monitor Microsoft® Exchange™ Server 2013 and 2016. Get basic information about the server’s metrics, services, and database availability group (DAG) status. Add as many Exchange Servers as you wish. Simply click the “Add Server” button and fill IP address/domain name and credentials.

Download Free Tool


Editor's Corner

2FA or not 2FA?
That is the question.
Whether 'tis nobler in the mind to suffer
The slings and arrows of unauthorized access to your network…

OK so maybe I'm not The Bard reincarnate, but two-factor authentication is definitely a hot topic with our newsletter readers who are responsible for keeping their networks safe and secure from intrusion. Last week we included the following Ask Our Readers question from a reader named Albert from Ontario, Canada:

Hi Mitch, I read with interest a while back about RDP managers. Seems like the Devolutions product is the most popular. We have been toying with the idea of using 2FA to our most sensitive servers (maybe all of them) and am wondering if others have used this feature and if it works well. Also, what happens in the case of various failures if things are locked down with 2FA - if this is done via the cloud, what happens if the internet is down at a site? Also, has anyone else used something different for 2FA to their servers?

One of our readers, Kelvin Jones, who provides technical oversight for Cloud29, a cloud services distributor based in South Africa, wrote to us at some length to express his concerns about end-user use of 2FA, as illustrated by the following recent experience:

Hi Mitch and Team, these are my thoughts on the risks of using 2FA: I don't think it's ready for end user adoption. But I do believe guardians of the data galaxy, such as IT heroes and businesses that protect businesses, absolutely need to use it.

Real experience from last week. I was on holiday and got a message to please respond to an email to unlock one of the tech's accounts on a system that was locked down by 2FA. He had changed phones and 2FA was locked to his now-dead phone. Rinse, repeat for everyone who gets a new phone because it's upgraded, lost or stolen. What if the person who holds the final token is not reachable? Wait till they come back or stay locked out forever. Hmmm...

So, clearly IT companies and other guardians of the data need to have proper controls in place to deal with the above, but, they MUST protect the customers data and 2FA is an excellent way to do that in today's modern-hacker world. Based on the above however, 2FA is not ready for the end user. It will hamper productivity on so many levels.

Here's what I suggest for end user protection: long passwords. Simple, effective.

Kelvin then continued by giving us permission to reproduce the following article which he wrote and shared last year on LinkedIn.

 

Cloud - Only as Secure as the Weakest Password

Cloud security is, in my opinion, an over documented topic. There's just too much information out there on the subject and it's really, I mean really really, difficult to get through it in an effort to determine whether you're protecting your cloud properly or not.

I don't want to over simplify the topic and offend the truly technical crowd either but I do want to simplify the subject somewhat by boiling it down to comments on what I believe is the weakest link in your cloud security – your password.

*Your cloud is only as strong as the weakest password*. This is what I tell all my customers.

Let me expand on that a bit. In a business, multiple people will share the same cloud environment. The person with the weakest password becomes the highest security risk, the weakest link. If a person with ill intent, a hacker, manages to guess the password of a fellow staff member, they can use it to access all the information that staff member has access to. This is most likely to be done by a computer on the internet somewhere that keeps guessing day and night till it finds a weak enough password and gets into your cloud. This is otherwise known as a brute force attack or hack. Once the hacker gains access they can disrupt your cloud services in some way or steal customer data or worse, bank details and credit card information. The most common scenario in the last year is the disruption of services via ransomware. While ransomware is not normally transmitted by hackers that brute force their way into your cloud, it could be. As for ransomware itself, there's plenty of information out there but suffice it to say that it is a virus of sorts that locks your data so you can't use it till you pay the miscreants for a key that unlocks it – they hold your data for ransom. All the more reason to improve your cloud security any way you can.

What about other aspects of cloud security such as data isolation, firewalls, SSL certificates and such? I'll leave that for others to comment on because most cloud providers cover all these basic cloud security elements anyway. As I said, there's already too much information on these topics.

So, if your password is the weakest link, how can you ensure that the one you're using is secure enough? Does it need to be one of these passwords the IT guys give me that's nothing but a jumble of letters and numbers that I can't remember? Does that make it secure? *No.*

Let's illustrate how you can keep your cloud secure but still have a password that's easy for a human to remember. The super heroes of IT might have their own ideas about what a secure password is but here's another idea for mere mortals.

Most banks require that your online banking password be a minimum of 7 characters and include UPPER case, lower case, a number and a special character like an exclamation. Here's an example:

PASSWORD 1 EXAMPLE: BuXG7L~

Let's compare this with a password that is not considered secure:

PASSWORD 2 EXAMPLE: whitemencantjump

Just for fun, let's run these both through the online howsecureismypassword.net password checker. See the following slides for the results:

Image

and

Image

 

Now just for fun, let's make the "whitemencantjump" password compliant by adding an UPPER case "W" at the beginning and a number "1" and "!" at the end and see what happens (I love this part) :

Image

How's that! 10 minutes for a computer to crack the 7 character bank-grade password but 35,000 years to crack the non-compliant, so called non-secure password!

Actually, THIS is the part I love, pay attention to what you read next and I promise you the light-bulb will switch on as to how easy you can secure your cloud.

Close your eyes and try to remember the first password, don't cheat now. You probably can't remember all of it but now try the second, much longer password and, BINGO! You remember it! Now which one is more secure? I suppose we have all the geeks up in arms now defending their complex impossible-to-remember passwords saying "Yah but the methodology behind this password website is unknown!" or "That's not right! A dictionary attack would guess the long password." True, there's some merit in what they say, however, this fact remains – the longer your password the stronger it is, and it doesn't have to be impossible to remember.

So what's the bottom line? Make your passwords longer, use memorable easy to type word jumbles that work as easily on a cell phone keyboard as they do on a computer keyboard and your cloud is now secure.

Have fun securing your cloud and never forgetting another password again!

EDITOR: You can read this and other LinkedIn articles by Kelvin here:

http://www.wservernews.com/go/lowy6ms7/
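The comparison in Kelvin's article can be checked with a few lines of arithmetic instead of an online checker. The following script is an added example written for this issue, not code from Kelvin or from howsecureismypassword.net. It estimates the search space of the three example passwords two ways: the character-by-character brute-force model the online checker appears to use, and the word-list model behind the "a dictionary attack would guess the long password" objection the article mentions. The guess rate (10 billion per second, an offline attack against a fast hash) and the 20,000-word vocabulary are constructed assumptions for illustration, not figures from the article.

```python
"""Estimate password search space under two attacker models.

Added example for the WServerNews discussion of password length versus
complexity; the guess rate and vocabulary size below are assumptions.
"""
import math
import string

# Constructed assumption: an offline attacker testing 1e10 candidates per
# second against a fast, unsalted hash. Online guessing is far slower.
GUESSES_PER_SECOND = 10_000_000_000

# Constructed assumption: size of the common-word list a dictionary attack
# would draw from when guessing passphrases built from everyday words.
COMMON_WORDS = 20_000

# The three passwords from the article.
BANK_STYLE = "BuXG7L~"
PHRASE = "whitemencantjump"
PHRASE_COMPLIANT = "Whitemencantjump1!"


def charset_size(password: str) -> int:
    """Size of the smallest standard character pool that covers the password.

    Uses the same pools a typical strength checker assumes: 26 lowercase,
    26 uppercase, 10 digits and 32 printable ASCII punctuation characters.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)
    if any(c in string.digits for c in password):
        size += len(string.digits)
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def brute_force_bits(password: str) -> float:
    """Search-space size in bits for an exhaustive character-level search."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(num_words: int, vocabulary: int = COMMON_WORDS) -> float:
    """Search-space size in bits if the attacker guesses word concatenations."""
    return num_words * math.log2(vocabulary)


def seconds_to_crack(bits: float, rate: int = GUESSES_PER_SECOND) -> float:
    """Expected time to find the password: half the space at the given rate."""
    return (2 ** bits) / 2 / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def report() -> list:
    """Build the comparison table as (label, bits, time) rows."""
    rows = []
    for label, pw in (("bank-style", BANK_STYLE),
                      ("phrase", PHRASE),
                      ("phrase, made compliant", PHRASE_COMPLIANT)):
        bits = brute_force_bits(pw)
        rows.append((f"{label} brute force ({pw})", bits,
                     human_time(seconds_to_crack(bits))))
    # The caveat: "whitemencantjump" is four common words, so a word-list
    # attack sees a much smaller space than the character model suggests.
    bits = wordlist_bits(4)
    rows.append(("phrase as 4 dictionary words", bits,
                 human_time(seconds_to_crack(bits))))
    return rows


if __name__ == "__main__":
    for label, bits, when in report():
        print(f"{label:45s} {bits:6.1f} bits  {when}")
```

Under the character model the 16-letter phrase is roughly 30 bits stronger than the 7-character bank-style password, which is the article's point. The last row shows why the geeks' objection also has merit: treated as four common words, the phrase drops to about 57 bits, still better than the short password but far from the 35,000-year figure. Length helps most when the words are not a well-known quotation.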

 

What's your 2cents?

Kelvin finished off his email to us by saying:

The above is an article I published on LinkedIn and is something I've been preaching to my cloud channel partners now for 5 years. It is based on my experience over the last 20 years in the industry. I don't know everything about IT security but in my experience the password is the key to everything. I've had the same password for one of my 20 year old email accounts since 1999. Never been hacked. That's not a challenge to all hackers out there, I'm sure I can be hacked, but I haven't been when others were. So what's the secret? The length. Simple, effective, memorable. Fewer password resets for admins (because the password can be memorable) and more secure systems (because they are long, effective).

That's my 2cents.

What do our other readers think about using 2FA and what Kelvin says above? Share your own 2cents with us by emailing us at [email protected]

 

 

Tip of the Week

Got any IT pro tips you'd like to share with other readers of our newsletter? Email us at [email protected]

Blocking apps with Intune and AppLocker CSP

This post by Microsoft's Matt Hinson on his blog NinjaCat's ConfigMgr/Intune/EMS Adventure explores whether it's possible to create a policy that blocks certain applications from being opened on Windows 10 devices enrolled in Intune. It turns out such functionality is not available natively within Intune, but it is possible to deploy such a policy via a custom OMA-URI setting that targets the AppLocker CSP. Read the details here:

http://www.wservernews.com/go/3fu0b76l/

 

 

Admin Toolbox

Admin Tools We Think You Shouldn't Be Without 

GOT ADMIN TOOLS or other software/hardware you'd like to recommend? Email us at [email protected]

Altaro VM Backup removes the complexities of backing up Hyper-V & VMware. Easy to use, sets up within just 15 mins & comes with the best deduplication in the industry! Download your FOREVER FREE copy!

http://www.wservernews.com/go/foitpf5l/


Wireshark is the world's foremost and widely-used network protocol analyzer:

http://www.wservernews.com/go/sqk4xgjo/


WMI Diagnosis Utility can help system administrators diagnose and repair problems with the WMI service:

http://www.wservernews.com/go/n1jlqwq8/


Pssdiag/Sqldiag Manager is a graphic interface that provides customization capabilities to collect data for SQL Server using sqldiag collector engine:

http://www.wservernews.com/go/ggbf7khg/

 

 

Factoid - Name the bug

Last week's factoid and question was this:

Fact: Tuna House does the best sushi this side of the Sea of Japan.

Question: What's the best sushi place you've ever had occasion to dine in?

Pete from Australia responded to this challenge as follows:
Hi Mitch:

"Fact: Tuna House does the best sushi this side of the Sea of Japan."

Unless you are talking about the US being on the far, far, far west side of the Sea of Japan, are you really saying that Tuna House does better sushi than you can get in Tokyo?

[EDITOR'S NOTE: Actually I don't even know where the Sea of Japan is, I just heard that phrase somewhere]

The Sea of Japan is to the west (and north) of Japan.

[EDITOR BOWS AND SAYS: Thank you for enlightening me Pete-san]

Best I've had was at a little restaurant in Tokyo. Not sure of the name as it was chosen by Japanese work colleagues, but it made me look for sushi when I got back to Australia and now it's my regular lunch choice.

[EDITOR'S COMMENT: Not sure of the name of the restaurant? Thanks a lot!]

And despite the rules:

http://www.wservernews.com/go/jcyqnlju/

I do like to mix wasabi in with soy sauce.

Now let's move on to this week's factoid:

Fact: Bugs are weird. 

Source: See this photo I took recently of this strange-looking bug from one of our windows:

Image

Note how the bug's tail is bent 180 degrees with two right angles. I've never seen a bug like this but am glad it was on the outside of the window, not the inside!

Question: What kind of bug is this? 

Email your answer to [email protected]

 

Conference calendar

North America

>> Got an IT conference happening in North America that you'd like to promote in our newsletter? Email us at [email protected]

Microsoft Ignite -- September 24-28, 2018 in Orlando, Florida USA

http://www.wservernews.com/go/gazjf8nl/

IoT Security Summit -- Oct 15-18 in Dallas, Texas

http://www.wservernews.com/go/67iyqqdq/

IT/Dev Connections -- Oct 15-18 in Dallas, Texas USA

http://www.wservernews.com/go/gc41am7l/

 

Europe

>> Got an IT conference happening in Europe that you'd like to promote in our newsletter? Email us at [email protected]

Gartner Catalyst Conference -- Sept 26-27 in London, England

http://www.wservernews.com/go/c628e21j/

VMworld Europe -- Nov 5-8 in Barcelona, Spain

http://www.wservernews.com/go/o7th53ea/

Cybersecurity Leadership Summit -- Nov 12-14 in Berlin, Germany

http://www.wservernews.com/go/d5li13hw/

European SharePoint, Office 365 & Azure Conference -- Nov 26-29 in Copenhagen, Denmark

http://www.wservernews.com/go/qo5pp1z5/

 

Australia/Asia

>> Got an IT conference happening in Australia or Asia that you'd like to promote in our newsletter? Email us at [email protected]

No conferences listed at present.

 

New on TechGenix.com

Google Cloud Next 2018: Everything you need to know about this mega-event

Google Cloud Next 2018 brought together a diverse gathering of 23,000 tech leaders and tech enthusiasts. Here are the big announcements from the event.

http://www.wservernews.com/go/3e7tnsb5/


Warning! 5 GDPR mistakes you must avoid

Like it or not, GDPR is here, and noncompliance can cost your business big time. Avoid these common GDPR mistakes, and you should do all right.

http://www.wservernews.com/go/8s87kloa/


When Hyper-V virtual machines fail to import

While it's possible to import virtual machines into Hyper-V, sometimes the process fails. Let's do some troubleshooting and see if we can fix the problem.

http://www.wservernews.com/go/2mwkx9cv/


Azure Data Box Disk offers simple, low-capacity data transfers

Microsoft is rolling out "phone sign-in," an easier and more secure way to access your accounts without having to use passwords.

http://www.wservernews.com/go/yn1yykmv/


These BYOD best practices will boost productivity and reduce dangers

A BYOD program can boost employee productivity — or it can produce a disaster. These BYOD best practices will keep you in control.

http://www.wservernews.com/go/dpexkhit/

 

Fun videos from Flixxy

Grandpa Knows How To Park

Grandpa amazes everyone by parking his car in true stunt man fashion:

http://www.wservernews.com/go/lb0xzqt0/


New Wind-Powered Strandbeest by Theo Jansen - UMINAMI 2018

Dutch artist Theo Jansen has invented a new animal that can walk on the beach powered only by the wind. Here is his latest creation:

http://www.wservernews.com/go/er4wd5gc/


Aretha Franklin With The Blues Brothers: 'Think'

Aretha Franklin appeared in the 1980 blockbuster movie 'The Blues Brothers.' Her performance made the scene one of the film's most memorable moments:

http://www.wservernews.com/go/etrkyvt2/


Time Travel To 1911 - New York City

Travel back in time to 1911 and take a trip through New York City. Fascinating!

http://www.wservernews.com/go/zhvjnzws/

 

More articles of Interest

AWS Shield provides DDoS attack protection as threats mount

DDoS attacks continue to grow in sophistication, and enterprises need to be on alert. AWS Shield provides two tiers of automatic protection, but are they enough?

http://www.wservernews.com/go/t0dtf62e/


Azure PaaS strategy hones in on hybrid cloud, containers

Microsoft's PaaS offerings might have a leg-up in terms of support for hybrid deployments, but the vendor still faces tough competition in a quickly evolving app-dev market.

http://www.wservernews.com/go/swxh76mn/


The 5 basic Git commands every beginner needs to master

Just getting started with Git or GitHub? If so, there are five basic Git commands you need to master. This Git tutorial for beginners takes you through each.

http://www.wservernews.com/go/zzag6020/


Checklist for mobile app testing: 12 gaps to look out for

Emulators and automation tools are useful, but don't rely on them solely. Use this checklist for mobile app testing to ensure that software has no critical flaws.

http://www.wservernews.com/go/gp0gd3x2/

 

Need help from the IT pro community?

WServerNews goes out each week to more than 500,000 IT pro subscribers worldwide! That's a lot of expertise to tap into. Do you need help with some technical problem or are looking for expert advice on something IT-related? Ask Our Readers by emailing your problems and/or questions to us at [email protected]


Send us your feedback!

>> Got feedback about anything in this issue of WServerNews? Email us at [email protected]

 




WServerNews - Editors

Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit and has been author or series editor for almost fifty books mostly published by Microsoft Press. Mitch is also a ten-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com.

Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid also manages research and marketing for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.