Remote Symbolic Links – Redirecting fileserver data

So we had this problem, several of our Windows 2008 R2 fileservers were running full and due to technical issues (old hardware) replacing the disks became VERY expensive.

So alternatives, I started to thing – hey, lets create an “ISCSI drive” on a remote datacenter server, mount the ISCSI drive into the directory structure as a mountpoint named “Archive” or something.  Now users could put “old” archival data here, thus removing it from the server but still being available – clever 😀  A few issues crept up however, when creating an ISCSI target on a Windows 2008 R2 server this is “terminated” as a VHD file – this proved annoying (eg for backup etc), besides a friend of mine pointed out that they had tried something similar once – sadly if connectivity was sketchy this could cause the fileserver to hang as it was unable to connect to the iscsi target.

My friend however pointed out that he had had success with using “Links”, right – I have heard of these Junction points and symbolic links, but never really found any real good use for it.  But it turn out you can create a symbolic link from the directory structure on one server, pointing to a share on a different server.

So eg. O:\ could have a lot of directories, however we also make a Symbolic Link there named “Archive” – if you now perform a dir you will find all the subdirectories, however you will also find O:\Archive which looks just like a directory (the icon gets a screwy arrow but thats all) however it’s not, it is instead a “pointer” to a share on a different server (this share we can easily backup and maintain).

So the command to use is;

MKLINK /D <NAME> \\<SERVERNAME>\Sharename

2017-02-04 23_22_50-mRemoteNG - confCons.xml

eg,  MKLINK /D HyperVisor5 \\SECRETSERVER\aarhus

HyperVisor5 is the name the directory will get locally the /D indicate it is a directory junction, and the link will point to \\SECRETSERVER\aarhus (aarhus is the share name on the SECRETSERVER)..

2017-02-04 23_23_46-mRemoteNG - confCons.xml

Ohh that was easy you say, yeah – well – it did not work 🙁

2017-02-04 23_18_39-mRemoteNG - confCons.xml

When a workstation attempted to access a mapped drive (eg. O:\Archive) it would get the above error.

A bit of googleing let to;
https://blogs.msdn.microsoft.com/junfeng/2012/05/07/the-symbolic-link-cannot-be-followed-because-its-type-is-disabled/

And the solution was simple enough, you need to execute this command on the workstation that has the problem;

2017-02-04 23_46_00-mRemoteNG - confCons.xml

(the command above the yellow one show the state of your computer)

And now your workstation can browse the directory (which is actually a pointer to a share on a different server) just like it was on the local server.

This should also be controllable via Group Policy, however I have not had the chance to test it yet;

https://technet.microsoft.com/en-us/library/5c7ffdb9-7066-4bdf-bc7d-eded8db2ce82
The symlink evaluation settings can also be controlled via Group Policy. Go to Computer Configuration > Administrative Templates > System > Filesystem and configure “Selectively allow the evaluation of a symbolic link”.

 

 

New USB security tool, BeamGun..

USB SecurityBeamGun – So what is it all about, and do I need it?

Well, to answer the latter first – “maybe”,  if you could ever see yourself inserting a USB key you found somewhere, or if other people have access to your computer….

Background;

All modern computers have USB ports, you can attach all sorts of wonderful devices to USB ports – like mouse and keyboards, well imagine if someone made a device that looked like a USB key, however it actually emulated a keyboard – when you would plug this into your USB port it would tell your computer “Hey, I am totally a USB keyboard, honestly..”, and your computer would say “Hey that is cool, go ahead and be my second keyboard…”. So far so good, however, now this totally honest “keyboard” would start typing commands and your computer not knowing any better would think that it was you typing. So, long story short – any device looking like a USB key that is inserted into your computer has a chance to be an evil “Rubber Ducky USB” (that is the name under which many of these are actually sold), so someone either hands you a USB device and convince you to insert it (hey can you look at the report I just made) – or distracts you for a second and insert the USB device to your computer – BOOM and you are owned – in benign cases it just adds some practical joke (like switch your desktop background etc), but if evil it steals passwords etc. and it is very likely your Antivirus will not pick it up as it will look like commands issued from the local keyboard.

Sadly “no”, this is not Sci-Fi nor expensive, the script kiddie version of USB keys like this cost around 50$ but if you have real coding skills you can do it for 1-3$ 🙁

Ok, so anyone inserting a foreign USB device to your machine could be “hacking you”, or if you find an abandoned/lost USB key and insert it you may cause yourself to be hacked/compromised.

The tool;

https://github.com/JLospinoso/beamgun

2017-01-25 22_49_04-Greenshot

BeamGun to the rescue – BeamGun is actually rather nifty, it will monitor your computer – and the moment a new “keyboard” (or something emulating a keyboard) is inserted, it will lock your computer and block the device, it will also show anything this device was trying to do in a popup window.

Mind you, it is an early version and seem a bit rough around the edges, but if you are in the “risk” group this may be a tool you would want to install.  But it works (yes I tested it, however it is difficult to show screenshots as the software does a great job of protecting your computer while it display its warning).

Want to see more about these “Rubber Ducky USB” devices, take a look at this video;
https://youtu.be/4kX90HzA0FM
Something similar is also shown in the popular tv-show “Mr Robot”

Want to aspire as an evil hacker (or totally own your friends), buy your own “USB Rubber Ducky” here (yes its actually that simple);
https://hakshop.com/products/usb-rubber-ducky-deluxe

 

Links;

https://youtu.be/4kX90HzA0FM

https://github.com/JLospinoso/beamgun

https://hakshop.com/products/usb-rubber-ducky-deluxe

 

 

FREE – Mobile Device Management (MDM)

MDM1MDM or Mobile Device Management has become increasingly popular over the last few years. I was surprised to find, that when we implemented it in the company I work for we discovered that there actually was a few users without a pin or password on their mobile device (to be expected out of a few thousand users I guess, but still – NO PIN on your phone, REALLY!!!)!?

Anyhow, there are several reasons to dive into this area – AND the good news is that (depending on the size of your setup) you can actually do much for ZERO $ (Free).

Create Policies;

  • Require that users (or family) have a PIN
  • Deploy APPS to phones or tablets
  • Keep track of installed APPS
  • Create geo-fencing – be warned if the device leave a defined area (sadly this does not work well in Denmark as the matching of IP’s to addresses is very limited due to privacy legislation)

You can even choose to implement it in your household to keep track of what apps etc are installed be the kids etc.

So are there great skills required? no not really, perhaps a little in setting it up initially – and there are some minor challenges, especially with the certificate part (which need to maintained/updated yearly), but in general – if you have experience with IT operations it’s more or less a breeze.

To get started here are a few links.

Several free or cheap services exist, to name a few;

The first one “Meraki” I actually tried and is still using (free for up to 100 devices as I recall)
https://account.meraki.com/login/new_account
You can even get a free cloud managed WiFi Access Point if you attend one of their online seminars.
Additionally you can install Windows Clients on Windows PC’s and thus now also have free inventory of your Windows PC’s.
You can see a demo of a related Meraki mobile management pack, it’s not quite the same as the free MDM solution – but it can give you some idea of what is possible.
https://youtu.be/fa95GJZQ0fQ

Another one is Spiceworks, I have not tried their MDM solution – but the “Spiceworks framework” (free IT operations software) in general is quite good and capable.
https://www.spiceworks.com/free-mobile-device-management-mdm-software/

 

Wipe free space

cipher

Let’s imagine you need to turn over your old computer to friends or family, you for some reason do not wish to re-install Windows all over – well there is a middelground that I imagine could be used in case it’s close friends or relatives.  Remove all your personal stuff, documents, mails etc. from the computer, remember to empty the recycle bin, clear all browser caches and clear restore points – if possible create a new user and from this delete your old user profile.  Final step is to run the command below, this will wipe all free space on the disk – the command is a buildin Windows command that was introduced back in WinXP, so no need for additional software etc.  Is it safe enough?  Well as I say, if it is close relatives or friends it may be ok as long as you are sure that all sensetive data is removed, but I would likely not advice this for a computer you sell etc.  Again, it all depends.

Command to issue;

Cipher /w:c:

(for the C: drive, replace C: with other drivelettes as you need).

Free security for Aunt Mathilda or other family members

securityAs many of you may have experienced the Internet is not just filled with wonderful “things” and cute kittens, its equally filled with malware as well.  Just over the past 6 months, I in my professional capacity, have experienced Cryptolocker like malware more than 5 times, in the professional scene this was mainly a nuisance as we could “just” revert to backups – however in many private homes this could often mean “pay up” or loose your family photos etc. – seeing that many home users do not have a good backup strategy.

Sure antivirus may detect and protect against many of these things, however why rely solely on that – why not add an extra and free layer of protection to the internet of your friends/family and kids?  A protection that is not only free but also auto-updating thus maintenance free.

It is actually REALLY simple, all you do is to configure your DNS to use the DNS servers of Norton (and yes, it is totally free for home use).  Instructions for configuration is on their site https://connectsafe.norton.com/configurePC.html – on the top right you can even select the level of protection – three levels are available, may I suggest level 3 for Aunt Mathilda.

“Advanced” use

if you administer your own network and or router (or that of family and friends), then you can setup the DHCP to hand out these Norton DNS addresses and protect each and every device in the network (even that Internet of things ;-))..

Word of caution..

If you configure this setting manually (like shown below) and have a laptop you carry with you, then you MAY run into problems at schools/workplaces – in my company we ONLY allow our own DNS servers access to the internet and subsequently if you set your own DNS addresses these requests are blocked in the firewall.  This is not a problem for Aunt Mathilda or the toddlers using the home desktop computer, but keep it in mind if using laptops – the VERY best solution is to setup your DHCP to hand out the Norton DNS addresses..

2015-07-23 14_23_46-Internet Protocol Version 4 (TCP_IPv4) Properties

How good is it?

That is a difficult question to answer, as you get no statistics it would be pure guesswork – but seeing it is free and MIGHT protect you and your loved ones, why not just go with it.

Alternatives

This sounds really cool, but are there no alternatives?
Well sure there are alternatives, not sure if they are better but to mention a few;

https://www.comodo.com/secure-dns/ – Equally free, but give you adds for non-existing domains.

https://www.opendns.com/enterprise-security/threat-enforcement/packages/ – OpenDNS is a great and old player in this field, you can customize things and it even works in corporate environments – however it’s not free, you will need the “Umbrella Prosumer uses” license which is a bit hard to find on their site, however it will give you 3 devices for 20US$.

http://www.securly.com/parent-signup   – This one I just read about, it sounds cool though even though the purpose seem more parental control than security – by using Google accounts you keep track of your loved ones internet use and you get to see cool graphs etc.  But this one is equally not free.

Cleaning up after ransomware (Cryptolocker etc.).

2015-06-10 15_59_50-cryptolocker - Google Search - Internet ExplorerAfter experiencing Ransomware a few times during the past months in our corporate setup I decided to scribble down some cleanup notes and things you can do to combat this.

This guide is seen from the point of a sysadmins and thus not from an enduser, however some tricks may apply even so (depending on various factors). In addition, this guide focuses on the cleanup of the server and not the client computer, which in my opinion always should be reinstalled after an incident like this.

This guide also assume that you have Shadowcopy enabled on your server; if not then you will need to go for a restore from backup (this however also loosely covered in the guide).  See the good thing about Shadowcopy is, that as the server is not infected nor is the servers shadowcopy – you thus have quick access to non-corrupted data from here quite easily and quickly.  Client wise things are different as most ransomeware clears the shadowcopy locally to ensure against easy cleanup locally, I heard that this may fail if the user is not a local administrator on his/her pc, so you may still have a straw to cling to if this is the case for recovering the local data easily.

Background.

First, let me sum up what this ransomware is all about.

Ransomware is a special type of malware, opposed to a regular virus it is not as much aimed at spreading but more focuses on its area of business (to extort users to pay to regain access to their data).  Ransomware is often spread via phishing mails, you may receive a mail stating that you have a package at the post office (just one example) and that you need to download and open the linked file to get the details.  Once you download and run the file from the phishing mail, it will execute the ransomware software, which will run in the background encrypting your files without you noticing it (to begin with).

It is very hard protecting against malware like this, as the makers of this type of malware keep changing the software to avoid detection.  Furthermore, antivirus is only of limited help as it cannot restore files that has been encrypted.

Ransomware usually starts by encrypting local files first and then move on to server shares.

Ransomware is actually not a new thing; it has existed since the MS-dos days in some form or other. I recall a very old virus that infected your boot sector, and upon the trigger event (could be a date or a number of boots) it would delete your fat table and bring up a slot machine, if you won the game you would get your FAT table back if not everything was lost.  Same but different.

How to get your data back after it being encrypted?  Well best bet is backups, hopefully you have either backups on some USB disk or in the cloud, if not you are likely in serious problems.  You can also choose to pay the ransom and have your data de-crypted, the price for this is usually around 100€ or 100$ depending, and from what I have heard it should work quite well and reliable to get your data back this way – some of the ransomware vendors should even have kind of customer support to assist you if you have problems – but supporting organized crime hardly seem like a good idea in the long run.

Anyhow, let us move on to the “fun” part, how to clean-up a file server after a visit from a client infected with ransomware.

So you have been struck by Ransomware (Cryptolocker, Cryptowall, Cryptodefence etc etc etc), “congratulations” and welcome to the club 🙁

Let us go through some steps to get things back on the road.

Important tip;

If you are using Shadowcopy on your server, DO NOT START CLEANUP BEFORE DATA HAS BEEN RESTORED – you may just waste storage space from your shadowcopy pool and thus be able to restore less data.

 

Step 1 – Stop the disaster from escalating.

You need to figure out which user is infected and stop this users pc from encrypting more files on your servers, if you are not fast to react your server will quickly look like this (the white is the infected files, it’s a mess).

Step 1.1 – how to identify the user

There are obviously different tactics for this, but two obvious once are;

1) look at an encrypted file and determine the owner – now to my surprise this did not work on the last server I looked at, here all the files for some reason was set to be owned by the local administrator group.

2) Look at the home folder for your users – most ransomware drop files on how to decrypt your data and these may serve as tell tail signs of “infection”.

2015-06-10 15_33_47-mRemoteNG - confCons.xml2015-06-10 15_29_46-mRemoteNG - confCons.xml

Thus, the user with all the “decrypt” files in his homedrive will be the user you are after.  Simply search the user’s folder for files with the word “decrypt” in it. The ransomware normally also targets the users local drives first, thus you may catch a lucky break if you like us have redirected the “My Documents” folder to the users home directory on the server, in our cases this meant that the infected users had tons of these files on his home share.

Step 1.2 – Shutdown the user’s computer

Shutdown the user’s computer and change the password of the user (as the user has malware on his/her computer his/her passwords (all of them) are likely now compromised.

 

Step 2 – Assess the damage

You now need to look at the server to determine how much data have been encrypted. How to determine the “infection” rate, well that depends – different ransomware uses different tactics, however at least for now they seem to share these tactics.

1) The ransomware will encrypt files, then add some extension to the file to show that it is encrypted (the extension may vary, but could be .encrypted or .iufasee or something totally different/random – but still the same for all encrypted files).

2) After encrypting a complete folder ransomware will often add 2-4 files that pertain to how to decrypt data, these files could be named “HELP_DECRYPT.TXT” / “HELP_DECRYPT.BMP” / “HOW_DECRYPT.TXT” / “!Decrypt-All-Files-iufasee.bmp” or anything like that.

2015-06-10 15_29_46-mRemoteNG - confCons.xml

NOTE: the ransomware is quite clever as not to change the creationdata/last modified date as this makes it hard to just look for files changed in the past 24h – however, as I mentioned in step two then the ransomware often creates “how to decrypt” files/pictures/links in the folders and these may be used to spot the “infection”.

My suggestion is;

  1. Try to determine the file extension using the tips above.
  2. Use Windirstat to get an idea of the scope of the incident (you can see an example below) http://windirstat.info/
  3. See screenshoot (the white is the encrypted/infected data).

cryptolocker

 

Step 3 – Restoring data (the non-encrypted files)

See we had a special challenge with restoring data as we use online backup, and the restore hence will take a LONG time seeing that the data need to come from the WAN restoring gigabytes of data would take a LONG time, so we had to get creative to make the cleanup as fast as possible.

You first need to determine the time for the last backup/shadowcopy snapshot before the “infection” occurred.

If you have shadow copy, then go back through the snapshots to find the time where files had their original extension. You may get best results if you look at the infected users home folder, this is likely the first folder to be “infected” (you can also look at the creation date/time of the “how to decrypt” files which may give you a lead).

2015-06-10 15_29_46-mRemoteNG - confCons.xml

If you have local backup it is quite easy I guess, just restore more or less all data (with the do not overwrite newer/changed versions option set) and then proceed to delete the encrypted data and the “help files” (the once on how to decrypt) – see section below on how to cleanup.

If however you cannot easily restore data from backup (like e.g. if you use “online backup” like we did), then move to shadowcopy (which you hopefully have enabled on the server).

You could of cause restore one file/folder at the time from shadowcopy, this will take forever especially if users have worked on the folder structure meanwhile. So why not make it fast and easy by using robocopy (yes it is actually possible to use Robocopy, we found a cool way to do this).

Restoring non encrypted data via ShadowCopy and Robocopy.

  • Determine the “last good” shadowcopy, the one just before files started to be encrypted.

 

    1. On the server list the shadowcopy snapshots using the dos command, you do this to get the “identifier” which we will need in a moment.Start an administrative command prompt and issue the command;
      vssadmin list shadows
      (you may need to change drive to the drive you want to see)This will give you a long list of available snapshots, see screenshot.
      2015-06-10 15_00_00-mRemoteNG - confCons.xmlLook for the creation time and find the block just before the incident occurred.

      In this block “Contents of shadow copy set ID {…….}” look for the line “Shadow Copy Volume”, copy this line to a notepad starting with \\

      In this example;
      2015-06-10 14_56_13-mRemoteNG - confCons.xml

      \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy107
      NOTE: the number at the end will be different for you.

      IMPORTANT! Now add a “\” to the line in notepad: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy107\

      Finally add a prefix of “mklink /d c:\restore ” to the line in notepad.
      So the final line should look like this;
      2015-06-10 15_12_14-mRemoteNG - confCons.xml

      mklink /d c:\restore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy107\
      (note: the c:\restore is a folder/name YOU choose, it can basically be anything you choose, the name must NOT exist before you run the command)Now run this command from the administrative command prompt.
      2015-06-10 15_09_35-mRemoteNG - confCons.xml

      It should give you a feedback much like;
      symbolic link created for c:\restore <<===>> \\?\GLOBALROOT\Device\HarddiskVolum eShadowCopy107\

      2015-06-10 15_13_13-mRemoteNG - confCons.xml

      Now if you write;
      dir c:\restore
      you will have a historic view of how the disk looked at the time of the shadowcopy snapshot, you could get the same via properties “previous version”… but this is much neater as you can access and script it.

  • Now we have the snapshot mounted we can run a robocopy job restoring any data that is not more recent or changed.In this example the command would be something like;ROBOCOPY C:\restore D:\ *.* /XC /XO /E /LOG:d:\restore.log
    2015-06-10 15_18_12-mRemoteNG - confCons.xmlYou will need to suit it to your environment.

    Things to make a note of are the /XC /XO command switches which ensures that we do not overwrite files modified after the “infection”. As the encrypted “infected” files have a different extinction this is not a problem.

    After the restore you can review the restore.log file to see if anything went wrong and see how much data was restored.

    Note, you MAY run into the problem that not everything was in shadowcopy in which case you have to revert to backups, in the incidents we have had “only” 10-20 gb of data was “infected” and our shadowcopy could easily accommodate this.

 

 

Step 4 – CleanUp

Final step is to clean up the encrypted files and the decrypt instructions.

Also remove the “directory link” to the shadowcopy snapshot if you used that (see previous section), you can just use “RD <directory name>”.

2015-06-10 15_13_13-mRemoteNG - confCons.xml

I used SearchMyFiles from http://www.nirsoft.net/ as it is easy and very customizable to use to find files, I suggest you take not more than 10.000 files at the time as deleting many files takes quite some time.

2015-06-10 16_41_29-2015-06-10 10_41_17-mRemoteNG - confCons.xml.png - Windows Photo Viewer

 

Mitigation strategy

  • On fileservers, try to limit access as much as possible – if nothing more than look at making data read-only wherever possible as this alone will protect you greatly.
  • FSRM – File Server Resources Monitor, set this up to detect and trigger alarms on new files where the word decrypt is part of the name – decrypt as part of a filename is uncommon enough to give only limited false alarms – I will create a separate article on the configuration of this later.
  • Supporters / super users – instruct them to react FAST to tell tail signs of ransomware, the faster you manage to stop the “infection” the less to clean up.

 

Tools that may be useful;

Decrypt Cryptolocker (this most likely will not work, but give it a go anyhow just in case).
https://www.decryptcryptolocker.com/

Windirstat                                     http://windirstat.info/
SearchMyFiles                              http://www.nirsoft.net/

Read more about Cryptolocker; http://en.wikipedia.org/wiki/CryptoLocker

Thanks to:

Torben Slaikjer for finding that link on how to mount shadowcopy snapshot as a directory, this made the job vastly easier.

Bitlocker – free diskspace

bitlockericonhero-100301743-largeWe recently enabled Bitlocker in the install process of all laptops in the company I work for, and everything seem to work fine..

However one of our local IT supporters had a problem preparing a new pc, the thing is that Bitlocker encrypts in the background so the installation continue even while bitlocker is encrypting – and here the problem arose, see Bitlocker is clever – it know that it is a waste to encrypt empty space so what it does is to start by reserving all but 6gb of diskspace (as seen below), Bitlocker now encrypts the USED part of the disk and then proceed to write garbage on the reserved portion of the disk (the “free” part) – once done it again free the reserved part and the entire free disk space is again available to the user.

bitlocker2

Well it so happens that our IT Supporters sometime need to install additional software after the initial installation of windows, and then it may become a problem with the only 6gb free space.

What to do, well it is actually quite easy you just pause the encryption process which will free up the reserved part, and once done preparing the pc you restart the encryption process.

To pause the Bitlocker encryption you goto an elevated command prompt and type;

manage-bde –pause driveletter :

once done with whatever you needed done you restart the process with this command;

manage-bde –resume driveletter :

https://technet.microsoft.com/de-de/library/ee449438(v=ws.10).aspx#BKMK_FreeSpace

 

KMS – increase count manually

So you have installed a Microsoft KMS server, but it tell you that it cant serve your clients as the count is too little!?

See the thing is that Microsoft has decided, that in order to make a KMS server only work for corporations, a KMS server need to recieve a certain number of activation requests before starting to issue licenses.  The idea is (from my understanding) that if some home user got his/her hands on a KMS server key he/she could not make the KMS server work as he/she did not have 25 machines (25 being the number of Windows 7 requests needed to jumpstart the KMS server for Winows 7), and hence a KMS server would only work for companies.

Well, in a perfect world (like the one Microsoft dream up) you would just wait, and eventually the count on your KMS servers would go up and the KMS would start activating clients – however if you like us have 2 kms servers and want to be sure both are working, well the wait approac was not my first choise as I would then need to revisit the process later to check up on it.

So what to do, well I googled it and found;
http://blog.thinkdigitalsolutions.com/manually-increase-kms-count/

They have a neat tool that seem to take care of this problem.
http://thinkdigitalsolutions.com/blog/files/IncreaseCount.zip
http://www.readmydamnblog.com/downloads/IncreaseCount.zip (Mirrored file)

The tool will actually submit enough key-activation requests to your server that it will start the activation process.

Now a cautious person may thing uhhh do I want to run some third party tool on my KMS server, hmm I would not – so I ofcause ran the tool on a non-admin workstation after checking on VirusTotal.com (it had a few hits on VirusTotal but I would expect this from a tool like this and no direct links to any know malware was found, so I my stomack said ok as long as it was run on a test machine as a non-admin).
https://www.virustotal.com/en/file/3b3eea879b5a35ac78afebb70406b6a95c42256d237ca49c5f7892ec73ecbd60/analysis/1430123999/

KMS01 KMS02

 

 

 

 

Worked like a charm, I could test both our KMS servers instead of having to wait.

Furthermore, check this site for some valuable debugging tips;

https://technet.microsoft.com/en-us/library/ee939272.aspx

Alternate solution (Script);

I afterwards found a different approach, a script that does more or less the same – quite clever if it works (I did not test this), but I dont see why it should not..

http://woshub.com/how-to-increase-kms-server-current-count/

Script below;

In the place where you run the script place two empty files;

7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

 

— <SCRIPT – You need to modify it so it reflects your KMS server and the directory run in> —

@echo off
set skms=kmssrv1.woshub.com
for %%i in (. . . . . . . . . . . . . . . . . . . . . . . . . .) do call :Act %skms%
slmgr /ato
sc stop sppsvc
goto :end
:Act
sc stop sppsvc
xcopy “7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0” “%systemroot%\system32\*” /H /R /K /Y
xcopy “7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0” “%systemroot%\system32\*” /H /R /K /Y
sc start sppsvc
cscript.exe “%systemroot%\system32\slmgr.vbs” /skms %1
cscript.exe “%systemroot%\system32\slmgr.vbs” /ipk FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4
cscript.exe “%systemroot%\system32\slmgr.vbs” /ato
sc stop sppsvc
:end

Lync 2013 to become Skype for Business this month.

Lync 2013 to become Skype for Business this month.

The Windows client for Lync will presumable be updated this month to Skype for Business as part of the regular Office 2013 updates.  The update will add new functionality to Lync (Skype for Business) but will more importantly come with a slightly updated (and more Skype like) interface, acording to this blogpost.  You may want to considder if you wish to control the deployment of this new client/layout as to not totally confuse your users in a corporate environment.

You should also be able to force a “Lync 2013” look-a-like look for Skype for Business, read more here;
https://technet.microsoft.com/library/dn954919.aspx
You can basically create a new “GroupPolicy Preference” that blocks the SkypeUI, and this sounds like the right approach as this would work from first launch where as the server patch will “only” display a user dialog offering users to switch back to the LyncUI.

SkypeForBusiness

Blogposting;
http://blogs.office.com/2015/04/01/whats-new-in-skype-for-business-and-how-you-can-take-control-of-updates/

YouTube video;

Live view of ongoing DDOS attacks

attackmapSo if you like me have an interest in Internet security you may find this interesting, a live map of ongoing DDOS attacks.

http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=16486&view=map