Lenovo Bios Updates for X1 Carbon


image

and on the details page…

image

there it is!

so PATCH, PATCH, PATCH!!!

Posted in Security

Intel Bug – Follow-up Post!


OK, so AWS and Azure are patched… GCP too. Windows, Linux and Mac OS have all acknowledged being vulnerable and are in the process of rolling out fixes.

Yet another brilliant illustration of Cloud security vs. On-Premise security: how long do you think it will take for all of our internal servers and PCs to be fully patched? Months or years, most likely!

Start pushing the patches from WSUS/SCCM right away, without even stopping to think?… Wait until you are sure that your antivirus does not end up blocked itself because it relies on Intel's famous prediction feature :)

If all goes well, go ahead and quickly patch everything that runs on Intel.

As for me, I know it's done on all my machines….

Don't forget that for Windows 7 and 2008 R2 you have to fetch them from the Windows Update catalog, because yes… there are starting to be delays between releases for legacy OSes and the latest versions… to be confirmed, but that does seem to be the case.

image

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056897

…and set up your emergency deployment rules for these KBs right away, because the PoC code for Meltdown and Spectre will soon be made public, and once that happens it will potentially be much simpler to rely on these flaws than it is today!

A very good post to help you assess the situation quickly: https://robertsmit.wordpress.com/2018/01/04/check-with-powershell-for-meltdown-and-spectre-exploit-critical-vulnerabilities-protection-meltdown-spectre-kb4056892/

Microsoft's guide on the subject: https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

And don't forget that updates to your microcode (BIOS) are also required to properly mitigate the flaws… so once patched, run the PowerShell to check the state, and run to ask your hardware vendor for the BIOS updates and the tools to deploy them! Then, once these BIOS updates are applied, re-check the health of your fleet and keep monitoring the news for the next alert :)

Come on, come on… let's patch all this. Remember: "We're better off On Premise than in the Cloud", they said…

Have a good day,

Pierre.

Posted in 2003, 2003R2, 2008R2, 2012R2, 2016, Azure, Cloud, Deployment, Security, Windows 7, Windows 8, Windows 8.1, Windows10, WSUS
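
The patch, check, BIOS update, re-check loop described in the post above, as an added PowerShell example (not from the original post or from Microsoft). It assumes the SpeculationControl module from the PowerShell Gallery is installed; the function name is hypothetical and the KB IDs are the ones in the links above.

```powershell
# Added example, not from the original post. KB IDs are the ones linked in the post.
function Get-SpeculationPatchFollowUp {
    param([string[]]$KbIds = @('KB4056897', 'KB4056892'))

    # Assumption: the SpeculationControl module is installed
    # (Install-Module SpeculationControl); it provides Get-SpeculationControlSettings.
    if (-not (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue)) {
        throw 'Get-SpeculationControlSettings not found: install the SpeculationControl module first.'
    }
    $s = Get-SpeculationControlSettings

    # Informational only: later cumulative updates supersede these KBs, so the
    # decision below uses the reported mitigation state, not the KB list.
    $kb = @(Get-HotFix | Where-Object { $KbIds -contains $_.HotFixID } |
            Select-Object -ExpandProperty HotFixID)

    $osPatched  = $s.BTIWindowsSupportPresent -and $s.KVAShadowWindowsSupportPresent
    $firmwareOk = $s.BTIHardwarePresent   # true once updated microcode is loaded
    $enabled    = $s.BTIWindowsSupportEnabled -and
                  (-not $s.KVAShadowRequired -or $s.KVAShadowWindowsSupportEnabled)

    # Map the raw flags to the next step of the procedure in the post
    $next = if (-not $osPatched) {
        'Deploy the OS security update, then re-run this check.'
    } elseif (-not $firmwareOk) {
        'OS patched: obtain and apply the BIOS/microcode update, then re-run.'
    } elseif (-not $enabled) {
        'Patch and microcode present but mitigations not enabled: review policy settings.'
    } else {
        'OS and firmware mitigations are present and enabled.'
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        MatchingKBs     = $kb -join ','
        OsPatched       = $osPatched
        FirmwareUpdated = $firmwareOk
        MitigationsOn   = $enabled
        NextStep        = $next
    }
}

Get-SpeculationPatchFollowUp | Format-List
```

Run it once after the OS update and again after the BIOS update; `FirmwareUpdated` staying false after patching is the signal that the hardware vendor's update is still missing.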

Big INTEL Bug: AWS and AZURE are patching all their hypervisors…


Well, the rumor is apparently confirmed: Intel has reportedly communicated about a security flaw in its processors that cannot be fixed at the microcode level. This flaw affects processors from the whole of the last decade… and would, if I have understood correctly, and I am not sure of it, allow user-mode instructions to access kernel-mode information.

Amazon and Microsoft (AWS and AZURE) are patching their data center hypervisors this week and next… which shows how important and urgent to patch the flaw seems to be.

The Windows 10 Insider builds of the last few weeks apparently include the official fix in "beta", which should very likely land on our machines by next month. Linux is likewise already on it, and a patch campaign is already being rolled out to work around, at the kernel level, the use of the problematic CPU feature. Mac OS will also have to update its builds, but I don't know whether that is under way… I don't use MacOS on a PC, only on my phone :)

The catch is that, according to the various sources commenting on the subject, the workaround implemented by the operating system would cost between 5 and 30% of performance, depending on the instructions and on how the machine under test is used.

Below you will find several posts about this problem, and I think you will see more appear in the coming hours/days!

http://www.aidanfinn.com/?p=20880

https://www.lemondeinformatique.fr/actualites/lire-enorme-faille-de-securite-au-sein-des-puces-intel-70419.html

https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

Have a good day, and patch quickly!

Posted in Apple, Azure, business, Cloud, Deployment, Hyper-V, Linux, Security

Happy new year everybody!!!


And thank you for your help, interest and following 🙂

Red kaffe passed 20,000 visits in 2018! Thank you & see you next year 😉

Happy new year!

Posted in Uncategorized

Configuration Manager Client Messaging SDK


And another good tip from Yvette:

The Configuration Manager team is pleased to announce that an updated version of the Configuration Manager Client Messaging SDK version 5.1710.1059.1000 is now available on NuGet.org.

Notable changes in this version:

  • Support for Cryptography Next Generation (CNG) certificates on Configuration Manager 1710 and newer
  • Bug fixes and improvements

For more information about CNG support in Configuration Manager, please see our blog post on this topic. No code changes are required to use CNG certificates.

We invite you to try out our new Client Messaging SDK package here and leave us some feedback on our User Voice site.

The Configuration Manager Team


Posted in Deployment, ENGLISH, Scripting, System Center

Very shiny post on Modern Management :)


A very nice little post on Modern Management of your Windows 10 devices!

Happy Monday! We are delighted to announce that we have released version 1710 for the Current Branch (CB) of System Center Configuration Manager that includes new features and product enhancements!

One of the key features in the 1710 release is co-management which enables a new and more practical path to transition the management of Windows 10 devices to a modern management approach. While there are a few paths to move to modern management, we heard from our customers that until now, it wasn't always easy to make the transition. Some customer scenarios require the ConfigMgr agent, and there are also Windows 7 devices that need to be managed. Customers also use deeply integrated partner or homegrown solutions for ConfigMgr, and not to mention the complexity of planning and switching from traditional to modern management with existing IT systems, organizational structures, and processes. Many organizations were looking for a more simplified and manageable way to transition from ConfigMgr and AD to a modern management approach with Intune and Azure AD. This is now possible with co-management.

Start a practical move to modern Windows 10 management with EMS

Starting with the Anniversary Update (June 2016), a Windows 10 device can be joined to on-premises Active Directory (AD) and cloud-based Azure AD at the same time. Co-management takes advantage of this improvement and enables the device to be managed by both ConfigMgr agent and Intune MDM. This allows organizations to move specific workloads of their management to the cloud making the transition in manageable chunks. For example, customers can transition device compliance check, resource access policies, or Windows 10 update management from ConfigMgr to Intune while continuing to use ConfigMgr for other workloads such as software distribution and deep device security configuration. Over time, it will be possible to transition more workloads through co-management. You can learn more from our Ignite presentation and technical documentation.

We are also excited to see the continued growth in adoption of the Current Branch of Configuration Manager by our customers. A little less than 2 years since the initial release, we now have more than 50,000 organizations managing more than 100 million devices using the Current Branch of Configuration Manager. And thanks to our active Technical Preview Branch community, the 1710 update includes feedback and usage data we have gathered from customers who have installed and road tested our monthly technical previews over the last few months. As always, 1710 has also been tested at scale by real customers, in real production environments.

Here are just few of the enhancements that are available in this update:

Microsoft 365 Adoption

  • OS Deployment support for Windows 10 version 1709 – You can now upgrade to the latest Windows 10 ADK version 1709 to deploy the latest Windows 10 build.
  • Configure and deploy Windows Defender Application Guard policies – You can now create and deploy Windows Defender Application Guard policies to Windows 10 clients that help protect your users by opening untrusted web sites in a virtualized browser.
  • Improvements to policies for Windows Defender Application Control – You can now authorize software that is trusted by the Intelligent Security Graph as part of Windows Defender Application Control (previously Device Guard).
  • Windows Defender Exploit Guard – You can now configure Windows Defender Exploit Guard policy that provides intrusion prevention rules and policies that make vulnerabilities more difficult to exploit in Windows 10.

Streamlined Infrastructure

  • Support for next generation certificates – Most client-facing site roles can now use next generation certificates (or CNG from version 3 templates).

Modern Management

  • Co-management – You can now enable co-management that helps you to streamline the journey to modern management in a controlled and iterative way. Windows 10 devices can be concurrently managed by Configuration Manager and Intune as well as joined to Active Directory (AD) and Azure Active Directory (Azure AD). This enables a practical way for you to transition the management to Intune and Azure AD over time.
  • Check compliance for co-managed devices from Software Center when device compliance is managed by Intune – Users can now use Software Center to check the compliance of their co-managed Windows 10 devices when device compliance is enforced by Intune.

Configuration Manager connected with Microsoft Intune

  • Device Health Attestation assessment for compliance policies for conditional access – Use Device Health Attestation status as a compliance policy rule for conditional access to company resources.
  • New compliance policy actions – You can now configure actions for compliance policies. These actions include setting a grace period for devices that are noncompliant before they lose access to company resources and creating emails to be sent to users with noncompliant devices.
  • App Protection settings to block printing and contact Sync – Additional settings have been added to block printing and contact sync on applications enlightened with Intune App Protection.
  • Improved VPN profile experience in Configuration Manager console – VPN profile settings are now filtered according to the platform. When creating new VPN profiles, each supported platform workflow contains only the settings appropriate for the platform. Existing VPN profiles are not affected.
  • Mobile device management support for ARM64 devices running Windows 10 – Windows 10 MDM scenarios will be supported for ARM64 devices once these devices are available.

Customer Feedback

  • Run Task Sequence step – This is a new step in the task sequence to run another task sequence, which creates a parent-child relationship between two task sequences.
  • Allow up to 512×512 pixel icons for application in Software Center – You can now deploy apps with up to 512×512 pixels icon to display in Software Center.
  • Software Center customization – You can now add enterprise branding elements and specify the visibility of tabs in Software Center. You can add a Software Center specific company name, set a color theme, set a company logo, and set the visibility of tabs for client devices.
  • Improved descriptions for pending computer restarts – The reason for a pending computer restart is posted.
  • Create and run PowerShell scripts – You can now create and run scripts with optional parameters, configure security scopes and monitor script results.

For more details and to view the full list of new features in this update check out our What's new in version 1710 of System Center Configuration Manager documentation.

Note: As the update is rolled out globally in the coming weeks, it will be automatically downloaded, and you will be notified when it is ready to install from the Updates and Servicing node in your Configuration Manager console. If you can't wait to try these new features, this PowerShell script can be used to ensure that you are in the first wave of customers getting the update. By running this script, you will see the update available in your console right away.

For assistance with the upgrade process please post your questions in the Site and Client Deployment forum. To provide feedback or report any issues with the functionality included in this release, please use Connect. If there's a new feature or enhancement you want us to consider including in future updates, please use the Configuration Manager UserVoice site.

Thank you,

The System Center Configuration Manager team


Posted in Azure, business, Cloud, Deployment, Intune, System Center, Windows10

Security Baselines for the Fall Update


Aaron Margosis has just published an interesting article:

Microsoft is pleased to announce the final release of the recommended security configuration baseline settings for Windows 10 “Fall Creators Update,” also known as version 1709, “Redstone 3,” or RS3. There are no changes from the draft release we published a few weeks ago.

The 1709 baseline package has been added to the Microsoft Security Compliance Toolkit. On that page, click the Download button, then select "Windows 10 Version 1709 Security Baseline.zip" and any other content you want to download.

The 1709 baseline package includes GPOs that can be imported in Active Directory, scripts for applying the GPOs to local policy, custom ADMX files for Group Policy settings, and all the recommended settings in spreadsheet form. The spreadsheet also includes the corresponding settings for configuring through Windows’ Mobile Device Management (MDM).

We’re also happy to announce the revamping of the Windows Security Baselines landing page.

The differences between the 1709 baseline and that for Windows 10 v1703 (a.k.a., “Creators Update,” “Redstone 2”, RS2) are:

  • Implementing Attack Surface Reduction rules within Windows Defender Exploit Guard. Exploit Guard is a new feature of v1709 that helps prevent a variety of actions often used by malware. You can read more about Exploit Guard here: Reduce attack surfaces with Windows Defender Exploit Guard. Note that for this draft, we are enabling “block” mode for all of these settings. We are taking a particularly careful look at the “Block office applications from injecting into other process;” if it creates compatibility problems then we might change the baseline recommendation to “audit” mode for that setting. Please let us know what you observe with this draft baseline.
  • Enabling Exploit Guard’s Network Protection feature to prevent any application from accessing web sites identified as dangerous, including those hosting phishing scams and malware. This extends the type of protection offered by SmartScreen to all programs, including third-party browsers.
  • Enabling a new setting that prevents users from making changes to the Exploit protection settings area in the Windows Defender Security Center.

We also recommend enabling Windows Defender Application Guard. Our testing has proven it to be a powerful defense. We would have included it in this baseline, but its configuration settings are organization-specific.

The old Enhanced Mitigation Experience Toolkit (EMET) add-on is not supported on Windows 10 v1709. Instead, we offer Windows Defender Exploit Guard’s Exploit Protection, which is now a built-in, fully-configurable feature of Windows 10. Exploit Protection brings the granular control you remember from EMET into a new, modern feature. Our download package includes a pre-configured, customizable XML file to help you add exploit mitigations to many common applications. You can use it as-is, or customize it for your own needs. Note that you configure the corresponding Group Policy setting by specifying the full local or server file path to the XML file. Because our baseline cannot specify a path that works for everyone, it is not included in the baseline package's GPOs – you must add it yourself.

Thank you to the Center for Internet Security (CIS) and to everyone else who gave us feedback.


Posted in Audit, Security, vNext, Windows10
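
To check a Windows 10 v1709 client against the two Exploit Guard changes listed in the baseline article above (Attack Surface Reduction rules in "block" mode, Network Protection enabled), here is an added PowerShell example; it is not part of Microsoft's baseline package. It reads the local Windows Defender preferences with `Get-MpPreference`; the function name is hypothetical.

```powershell
# Added example, not part of the baseline package: list Exploit Guard settings
# that are not in "block" mode on the local machine.
function Get-ExploitGuardBaselineGap {
    $mp    = Get-MpPreference
    $modes = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }
    $gaps  = @()

    # ASR rule IDs and their actions are returned as two parallel arrays
    $ids     = $mp.AttackSurfaceReductionRules_Ids
    $actions = $mp.AttackSurfaceReductionRules_Actions
    if (-not $ids) {
        $gaps += [pscustomobject]@{ Setting = 'ASR rules'; State = 'None configured' }
    } else {
        $ids = @($ids); $actions = @($actions)
        for ($i = 0; $i -lt $ids.Count; $i++) {
            $a = [int]$actions[$i]
            if ($a -ne 1) {
                $state = if ($modes.ContainsKey($a)) { $modes[$a] } else { "Other ($a)" }
                $gaps += [pscustomobject]@{ Setting = "ASR rule $($ids[$i])"; State = $state }
            }
        }
    }

    # Network Protection uses the same 0/1/2 encoding
    $np = [int]$mp.EnableNetworkProtection
    if ($np -ne 1) {
        $state = if ($modes.ContainsKey($np)) { $modes[$np] } else { "Other ($np)" }
        $gaps += [pscustomobject]@{ Setting = 'Network Protection'; State = $state }
    }

    $gaps   # empty output means every configured rule is in block mode
}

Get-ExploitGuardBaselineGap | Format-Table -AutoSize
```

A rule reported as `Audit` is not necessarily a finding: the article itself notes that the Office process-injection rule may be moved to audit mode if it causes compatibility problems.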