Nice gift :)



Azure Made in France!!!! at last!!!!


Well, the wait has been long, but Azure will now have 2 datacenters in France!!! Many of my customers have been waiting for just that before starting to “play” with Microsoft's public cloud… It is finally becoming possible, well, very soon!


PierrE (Azure in France)…

Posted in Azure, AzureStack, business, Cloud

SCCM TP Update 1706 available


News from Yvette Smile

Hello everyone! We are happy to let you know that update 1706 for the Technical Preview Branch of System Center Configuration Manager has been released. Technical Preview Branch releases give you an opportunity to try out new Configuration Manager features in a test environment before they are made generally available. This month’s new preview features include:

Client
  • Include trust for specific file paths in Device Guard policies – Optionally, include trust for a specific local file or folder path on clients running a Device Guard policy. Any binaries at the locations specified in the policy can run on targeted clients when enforcement is enabled in the policy.
  • Register Windows 10 devices with Azure Active Directory – A new client setting (in Cloud Services group) is enabled by default to automatically register new Windows 10 domain joined devices with Azure AD.
Application Lifecycle and Content
  • Specify a different install content location and uninstall content location for a deployment type – You can now specify a different install content location and uninstall content location for a deployment type. Additionally, you can also leave the uninstall content location empty.
  • Improvements for Software Update Points in Boundary Groups – Boundary groups now support configuring the time for fallback for software update points.
Operating System Deployment
  • PXE network boot support for IPv6 – In an IPv6-only network, boot a device via PXE to start a task sequence OS deployment.
  • Hide task sequence progress – Easily toggle when the task sequence progress is or is not displayed to the end user, on a granular step-by-step basis.
Conditional Access
  • Device Health Attestation assessment for compliance policies for conditional access – Use Device Health Attestation status as a compliance policy rule for conditional access to company resources.
Software Updates
  • Manage Microsoft Surface driver updates – You can now use Configuration Manager to manage Microsoft Surface driver updates.
  • Windows Update for Business policy setting configuration – Use configuration items to configure deferral settings for Windows Update for Business.
Core Infrastructure
  • Site Server Role High Availability – You can now add a primary site server in ‘passive mode’ to your standalone site to increase availability.
  • Create and run scripts – Create and run scripts from Configuration Manager.
  • Upgrade Readiness added to Azure Services Wizard – You can now use Azure Services Wizard to connect ConfigMgr to Upgrade Readiness in Windows Analytics to synchronize data to assess device compatibility with Windows 10.
  • Accessibility improvements in the Configuration Manager console – This preview introduces several improvements to the accessibility features in the Configuration Manager console.

This release also includes the following improvement for customers using System Center Configuration Manager connected with Microsoft Intune to manage mobile devices:

  • Android and iOS Enrollment Restrictions – Admins can now specify that users cannot enroll personal Android or iOS devices in their hybrid environment, limiting enrollment to predeclared company-owned devices or DEP-enrolled devices only.
  • New options for compliance policies – You can now configure new options for compliance policies that were previously only available in Intune standalone.
  • New compliance policy actions – You can now configure actions for compliance policies. These actions include setting a grace period for devices that are noncompliant before they lose access to company resources, and creating emails to be sent to users with noncompliant devices.
  • New settings for Windows configuration items – You can now configure new Windows configuration item settings that were previously only available in Intune standalone.
  • Cisco (IPsec) support for iOS VPN Profiles – Admins can now use Cisco (IPsec) as a connection type for VPN profiles for iOS.
  • App Protection settings to block printing and contact sync – Additional settings have been added to block printing and contact sync on Intune-enlightened applications.
  • PFX certificate creation and distribution and S/MIME support – Admins can create and deploy PFX certificates to users utilizing an Entrust certification authority. These certificates can then be used for S/MIME encryption, decryption, and authentication by devices that the user has enrolled.

Update 1706 for Technical Preview Branch is available in the Configuration Manager console. For new installations please use the 1703 baseline version of Configuration Manager Technical Preview Branch available on TechNet Evaluation Center.

We would love to hear your thoughts about the latest Technical Preview! To provide feedback or report any issues with the functionality included in this Technical Preview, please use Connect. If there's a new feature or enhancement you want us to consider for future updates, please use the Configuration Manager UserVoice site.

Thanks,

The System Center Configuration Manager team

Configuration Manager Resources:

Documentation for System Center Configuration Manager Technical Previews

Try the System Center Configuration Manager Technical Preview Branch

Documentation for System Center Configuration Manager

System Center Configuration Manager Forums

System Center Configuration Manager Support

Download the Configuration Manager Support Center


Posted in Deployment, System Center, vNext

New downloads available on MSDN


Well, in addition to the migration to the new download platform for your MSDN ISOs and benefits, here are the new items available for the month of June:


The Windows 10 ISOs with the updates included, to make sure you deploy the UP TO DATE version in these ransomware times… even if Windows 10 is not that exposed!

Happy downloading,

PierrE.

Posted in Uncategorized | 2 comments

Disable SMBv1 and avoid ransomware!


The latest waves of ransomware exploit a known security flaw, normally patched by MS17-010, using “Eternal Blue”, leaked by The Shadow Brokers earlier this year… more info here: https://fr.wikipedia.org/wiki/WannaCry

So, in theory, keeping your systems up to date is enough to avoid it!

If you want to get ahead of it, you can also disable SMBv1, which is at the root of the vulnerability… and which, on top of that, has performance drawbacks compared to SMBv2…

To do so, I recommend following the guidance from Aaron Margosis of Microsoft given here: https://blogs.technet.microsoft.com/secguide/2017/06/15/disabling-smbv1-through-group-policy/ . It relies on the ADMX/ADML from the Windows Security Baseline (which every self-respecting admin should read regularly), available here: https://blogs.technet.microsoft.com/secguide/2017/06/15/security-baseline-for-windows-10-creators-update-v1703-draft/.

If you have SCCM, you can also use “Compliance Settings”. For the required steps, see the article by Cameron Cox (Microsoft PFE) here: https://blogs.technet.microsoft.com/systemcenterpfe/2017/05/22/disable-smbv1-in-your-environments-with-configuration-manager-compliance-settings/
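As an added example (not from the post or from Cameron Cox's article), here is the kind of discovery and remediation script pair a ConfigMgr script-based Configuration Item can use to check and disable SMBv1 on Windows 8.1/10 and Server 2012 R2/2016. It assumes the rule compares the discovery script's output against the string "Compliant"; the registry path and cmdlets are the standard Windows ones.

```powershell
# Added example: SMBv1 compliance check + remediation for a ConfigMgr CI.
# Assumption: the CI's compliance rule expects "Compliant" / "Non-Compliant"
# as the discovery script's output.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Smb1Disabled {
    # Server side: the SMB1 DWORD under LanmanServer\Parameters.
    # When the value is absent, the server still answers SMBv1, so treat
    # "missing" as non-compliant, not as disabled.
    $reg = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
    $serverOff = ($null -ne $reg) -and ($reg.SMB1 -eq 0)

    # Client side: the optional feature that ships the SMBv1 driver (mrxsmb10).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureOff = ($null -eq $feature) -or ($feature.State -ne 'Enabled')

    return ($serverOff -and $featureOff)
}

# Remediation: turn off the server protocol and remove the client feature.
# -NoRestart lets ConfigMgr schedule the reboot in its maintenance window.
function Disable-Smb1 {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# Discovery script body: emit the value the compliance rule compares against.
if (Test-Smb1Disabled) { 'Compliant' } else { 'Non-Compliant' }
```

Put the `Disable-Smb1` call in the CI's remediation script and keep the last line as the discovery script; the check deliberately treats an absent SMB1 value as non-compliant because the default on these versions is SMBv1 enabled.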

And here is a very good article by Mattias Benninge on using file screening on your file servers to quickly detect an infection that is spreading: https://deploymentresearch.com/Research/Post/634/Using-File-Screen-to-block-Ransomware-like-WannaCry-on-server-shares-Part-1

So don't wait for disaster to react; this second wave should never have had the consequences it did, given that it exploits the same flaws as WannaCry… learn or die (yes, I'm a trainer…) and it seems crazy that, a few weeks after such an attack, large groups still haven't applied the fixes or measures needed to protect themselves against a threat that was known, exploited and clearly identified more than 6 months ago.

Happy patching, everyone!

PierrE.

Posted in business, Ransomeware, Security, System Center, WSUS

Security alert! Patch your systems… Petya and Petrwrap are coming!!!


Second ransomware alert of the quarter… second wave! As a result, Microsoft is updating a good number of KBs ahead of Patch Tuesday… to your consoles, ready, patch!

********************************************************************
Title: Microsoft Security Update Releases
Issued: June 27, 2017
********************************************************************
Summary
=======
The following CVEs have undergone a major revision increment:
Revision Information:
=====================
– https://portal.msrc.microsoft.com/en-us/security-guidance
– Version: 4.0
– Reason for Revision: Microsoft is announcing the release of the
following updates to address a known issue customers may experience
when printing from Internet Explorer or Microsoft Edge: 4032782 for
Internet Explorer 10 on Windows Server 2012, Internet Explorer 9 on
Windows Server 2012; 4032695 for Internet Explorer 11 and Microsoft
Edge on Windows 10; 4032693 for Internet Explorer 11 and Microsoft
Edge on Windows 10 1511; 4022723 for Internet Explorer 11 and Microsoft
Edge on Windows 10 1607; 4022716 for Internet Explorer 11 and Microsoft
Edge on Windows 10 1703; 4022720 which is the monthly rollup preview for
Windows 8.1 and Windows Server 2012 R2; 4022721 which is the monthly
rollup preview for Windows Server 2012; 4022168 which is the monthly
rollup preview for Windows 7 Service Pack 1 and Windows Server 2008 R2
Service Pack 1. This update removes the protection from CVE-2017-8529.
All updates are available only on the Microsoft Update Catalog, with
the exceptions of 4022720, 4022721, 4022168, and 4022716, which are
also available through Windows Update.
– Originally posted: June 27, 2017
– Aggregate CVE Severity Rating: Critical

But also AzureADConnect if you have deployed it!

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: June 27, 2017
********************************************************************
Security Advisories Released or Updated Today
==============================================
* Microsoft Security Advisory 4033453
– Title: Vulnerability in Azure AD Connect Could Allow Elevation
of Privilege
https://technet.microsoft.com/library/security/4033453.aspx
– Reason for Revision: Microsoft is releasing this security advisory
to inform customers that a new version of Azure Active Directory
(AD) Connect is available that addresses an Important security
vulnerability.
– Originally posted: June 27, 2017
– Updated: N/A
– Version: 1.0

Be careful, this second wave is at least as serious as WannaCry's, so take the appropriate measures: backups and patches, urgently!

Oh, and here is some reading from Veeam:

While the WannaCry ransomware recently alerted the whole world by targeting all kinds of organizations, from hospitals to railway companies, and demanding more than 60 million dollars in ransoms for more than 200,000 locked computers, remember that these attacks are merciless: they can happen at any time and hit anyone.
So how do you prepare for a potentially inevitable ransomware infection, and if you are hit, how do you restore your critical data without paying the ransom?

Get the FREE e-book and its bonus webinar produced by Veeam® and Conversational Geek to learn more about (in English):

■ what makes ransomware so hard to prevent and stop;

■ how to prepare to face ransomware with frequent patching, quality backups and user awareness;

■ responding to ransomware attacks with Veeam's restore capabilities;

■ and much, much more!

DOWNLOAD NOW!

And a great video from Mark Russinovich on techniques for diagnosing and eradicating ransomware/malware/viruses… a must-see!

PierrE.

Posted in Ransomeware, Security, SysInternals, System Center, WSUS

[ENGLISH] Device Guard notes from the Field…



1. Hardware Prerequisite

Hyper-V and SLAT support + Secure Boot + UEFI

2. Software Prerequisite

Only for the Windows 10 Enterprise version!

HyperV (the platform, not necessarily the management tools)

Isolated user mode

3. Create GPO/GPO Pack

a. Create a GPO for Device Guard

Make the appropriate choices according to the hardware capabilities and the desired configuration. Confirm and link the GPO to a test OU, then run gpupdate /force.

In this case I used the local GPEDIT.MSC, but the principle is the same…

b. Creating a GPOPack

The GPO Pack mechanism lets you deploy exactly the same settings to non-domain-joined PCs, through a script or from an MDT/SCCM task sequence (TS).

In my case the purpose was to apply that GPO Pack automatically during MDT deployment.

To do so, export those settings with the LocalGPO tool (included in SCM 3.0):

Cscript localgpo.wsf /Path:D: /export /GPOPack

This creates a GPO Pack folder on D: containing the settings of the local GPO created above:

Exporting Local Policy… this process can take a few moments.

Local Policy Exported to D:\{5179D33A-64A1-4432-AD76-D5D1BAE898FE}

Rename it (for example to WINGPOPACK1), then copy it into your MDT deployment share

(C:\DeploymentShare\Templates\GPOPacks)

You're good to go! You just have to reference it in CS.INI:

ApplyGPOPack=YES

GPOPackPath=WINGPOPACK1

During the TS, a step called Apply Local GPO Packs applies your GPO Pack during deployment.

You can also run the command line directly, to manage and apply several GPO Packs in a much more granular way:

cscript localgpo.wsf /Path:D:\{5179D33A-64A1-4432-AD76-D5D1BAE898FE}

4. Create a basic rule (certificate based)

In an elevated (Administrator) Windows PowerShell session:

New-CIPolicy -Level PcaCertificate -FilePath C:\ScanDeBase.xml -userPEs 3> C:\ScanDeBaseLog.txt

Checking for Catalog Signers…

Generating Rules…

Unable to generate rules for all scanned files at the requested level. A list of files not covered by the current policy can be found at C:\Users\Administrateur\AppData\Local\Temp\tmp550C.tmp. A more complete policy may be created using the -fallback switch

5. Convert to binary format

ConvertFrom-CIPolicy C:\ScanDeBase.xml C:\CIPolicydeBase.bin

6. Copy to the CodeIntegrity folder

xcopy C:\CIPolicydeBase.bin C:\Windows\System32\CodeIntegrity\SIPolicy.p7b /y

7. Restart your computer and test

8. Audit Device Guard mode

Event Viewer: CodeIntegrity operational log, event ID 3076

9. Create the rule based on the audit (hash on detected exceptions)

New-CIPolicy -Audit -Level Hash -FilePath C:\ScanAuditBase.xml -UserPEs 3> CIAuditPolicylog.txt

10. Merge both rules

Merge-CIPolicy -PolicyPaths C:\ScanDeBase.xml, C:\ScanAuditBase.xml -OutputFilePath C:\ScanMerged.xml

11. Convert, copy…and restart

ConvertFrom-CIPolicy C:\ScanMerged.xml C:\ScanMerged.bin

xcopy C:\ScanMerged.bin C:\Windows\System32\CodeIntegrity\SIPolicy.p7b /y

Restart once again.

12. Second audit for verification

13. If conclusive: switch to production (enforced) mode.

To do so, remove the audit mode rule option (option 3) from the policy:

Set-RuleOption -FilePath C:\ScanMerged.xml -Option 3 -Delete

Compile and copy the file, then restart.

To deploy it with MDT/SCCM, just add a step that copies your SIPolicy.p7b into place in your MDT/SCCM TS, if necessary:

(ex : xcopy \\DC01\DeviceGuard\ScanMerged.bin C:\Windows\System32\CodeIntegrity\SIPolicy.p7b /y)
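As an added example (not code from the original post), steps 4 to 13 above as one script, split into one function per reboot cycle so each phase can be run after the previous restart. It assumes an elevated PowerShell on Windows 10 Enterprise with the ConfigCI module; the file paths are the ones used in the post, and the -Fallback Hash switch is the one the post's own warning message suggests.

```powershell
# Added example: audit-to-enforce workflow for a Device Guard code integrity
# policy, following the post's steps. Assumes Windows 10 Enterprise, an
# elevated session, and the ConfigCI module (New-CIPolicy & co.).
$Base   = 'C:\ScanDeBase.xml'
$Audit  = 'C:\ScanAuditBase.xml'
$Merged = 'C:\ScanMerged.xml'
$Target = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

# Steps 5-6 (and 11): compile the XML policy to binary and drop it where the
# Code Integrity engine picks it up at the next boot.
function Publish-CIPolicy {
    param([string]$XmlPath, [string]$BinPath)
    ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $BinPath | Out-Null
    Copy-Item -Path $BinPath -Destination $Target -Force
}

# Phase 1 (steps 4-6): certificate-level baseline. New-CIPolicy sets rule
# option 3 (Enabled:Audit Mode) by default, so nothing is blocked yet.
# -Fallback Hash adds hash rules for files the PcaCertificate level cannot
# cover (the "Unable to generate rules" warning in the post); the warning
# stream (3) is redirected to a log, as in the post.
function Invoke-CIBaseline {
    New-CIPolicy -Level PcaCertificate -Fallback Hash -FilePath $Base -UserPEs 3> 'C:\ScanDeBaseLog.txt'
    Publish-CIPolicy -XmlPath $Base -BinPath 'C:\CIPolicydeBase.bin'
    # Step 7: reboot, then run the machine's normal workload in audit mode.
}

# Phase 2 (steps 8-11), after the reboot: list what would have been blocked
# (event 3076), build hash rules from those audit events and merge them in.
function Get-CIAuditEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}
function Invoke-CIAuditMerge {
    New-CIPolicy -Audit -Level Hash -FilePath $Audit -UserPEs 3> 'C:\CIAuditPolicylog.txt'
    Merge-CIPolicy -PolicyPaths $Base, $Audit -OutputFilePath $Merged | Out-Null
    Publish-CIPolicy -XmlPath $Merged -BinPath 'C:\ScanMerged.bin'
    # Step 12: reboot and confirm Get-CIAuditEvents shows nothing unexpected.
}

# Phase 3 (step 13): remove audit mode so the merged policy is enforced.
function Set-CIEnforced {
    Set-RuleOption -FilePath $Merged -Option 3 -Delete
    Publish-CIPolicy -XmlPath $Merged -BinPath 'C:\ScanMerged.bin'
    # Reboot once more; from now on, user-mode binaries not covered by the
    # policy are blocked instead of merely logged.
}
```

Run `Invoke-CIBaseline`, reboot, `Invoke-CIAuditMerge`, reboot, review `Get-CIAuditEvents`, and only then `Set-CIEnforced`; keep the XML files, since they are what you edit and re-merge when the machine's software changes.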

14. Conclusions

Device Guard allows you to achieve optimum security for your sensitive machines. It is not a tool you would apply on all machines, only on those you really want to secure!

@RioJoubert


Posted in ENGLISH, Formation, Ransomeware, Security, Windows10