A recent briefing from the FBI’s Internet Internet Crime Complaint Center (IC3) detailed current best practices and industry standards for cyber defense. Here is a summation:
Cyber Defense Best Practices
Backups – Regularly back up data and verify its integrity. Backups are critical in ransomware; if you are infected, backups may be the only way to recover your critical data.
Training – Employees should be made aware of the threat of ransomware, how it is delivered, and trained on information security principles and techniques.
Patching – All endpoints should be patched as vulnerabilities are discovered. This can be made easier through a centralized patch management system.
Antivirus – Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted. Centrally managed is even better.
File Permissions – If a user only needs to read specific files, they should not have write-access to those files, directories, or shares. Configure access controls with least privilege in mind.
Macros – Disable macro scripts from Office files transmitted via email.
Program Execution Restrictions – Implement software restriction policies or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular internet browsers, and compression/decompression programs.
Remote Desktop Protocol – Employ best practices for use of RDP, including use of VPN, auditing your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts.
Software Whitelisting – Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy. This one takes careful planning.
Virtualization – Use virtualized environments to execute operating system environments or specific programs. No physical access to servers makes hacking harder.
Network Segmentation – Implement physical and logical separation of networks and data for different organizational units. Keep guest traffic out of your business network.
No Saved Passwords – Require users to type information or enter a password when their system communicates with a website. Better yet use a password management tool.
If your company is going to use full disk encryption or has compliance requirements that you need consulting for, then contact us for assistance.
This article came from the need of another local tech company to forward an Exacqvision Web Portal to something other than port 80, as it was already in use. I could not find a detail article on how to accomplish Sophos DNAT while changing the port number:
How to configure Sophos DNAT for an internal server
Navigate to Firewall then click +Add Firewall Rule and select Business Application Policy.
Select Application Template and choose DNAT/Full NAT/Load Balancing.
Fill out the settings as shown below:
Source Zones: WAN (and LAN if needed)
Allowed Client Networks: Any
Destination Host/Network: WAN Interface (#eth0-? whichever one you use)
Services: Either select the service you already created or create a new one for the external port to be used as below
Protected Servers: Select an existing or create a host entry for the internal server.
Protected Zone: Select the Zone in which the host resides (LAN or DMZ).
Change Destination Port(s): Check this then change the port to the internal port.
Click Save to save the configuration.
If your company is using a Sophos router and is unsure of how to configure it, then contact us for assistance in making the best use of your router.
In reviewing compliance documentation, we found it necessary to talk about Virtual Private Network (VPN) technology for both privacy and secure remote access. A VPN is a connection to a private network over the internet through an encrypted tunnel – think smuggling information across a secret passageway between two places.
Why use VPN?
Privacy: There has been a huge buzz lately about using VPN technology to help mask you browsing habits from the likes of the NSA or Google. VPN services offer connections that regularly change your external IP address so that a profile (marketing or otherwise) is harder to build. It also makes hacking of your information harder when these services providers offer anti-virus and anti-spam filtering as part of the VPN service.
What are the trade-offs? These VPN service providers will now be the sole owner of your browsing habits – they can sell targeted profiles to marketing companies – so read those terms of service. There will also be a performance hit to your internet speed, so if you are working from a slow network already this may not be an option. Then there is the added cost of an extra $5 to $15 per month for these services on top of your internet bill each month.
Secure Remote Access: This was the original intent of VPN technology and where it really shines. Either from remote workers using coffee shop wifi or remote offices connecting to the main office, VPN tunnels are used to securely access data, servers, and other network resources. This technology is required by all major compliance agencies so that all data transmitted is encrypted during transport. In the past servers would open ports to the internet to allow access, but it was found that this practice allowed hackers the same opportunity to gain access. With VPN tunnels there is another layer of protection from unexpected access. There is also the benefit that no outside provider gets access to your browsing habits.
What are the trade-offs? This will require a router at the main office that is business grade and capable of handling the traffic. It will then require setup of remote workers laptops or remote offices with similar business grade routers.
If your company is concerned about privacy on the internet or secure remote access, then contact us for assistance.
NIST is the National Institute of Standards and Technology. It acts as the defacto baseline that all other security and compliance organizations use to construct their standards. Reading their publications is like reading any other government document – extremely long and not interesting. Farmhouse Networking recently became aware of one such document called NISTIR 7621 aka Small Business Information Security: The Fundamentals. We took the time to distill out the main points here:
The Fundamentals aka Best Practices
Identify: Who has access to the network, who has access to the data, and what do they have access to. This includes background checking employees during the hiring process, taking an inventory of data to see who needs access to what, requiring that each user have their own login, and company policy creation.
Protect: Protection starts with separating data into shares then giving access only to those who really need it. It also includes protecting hardware with uninterruptible power supplies (UPS) and protecting software with regular updates. Protecting the network includes setting up a proper firewall, separate wireless for guest access, and VPN only access for remote users. Web filtering, SPAM filtering, file encryption, proper disposal of old equipment, and employee training are also mentioned.
Detect: Having a centrally managed antivirus software on each workstation is a must. This includes the ability to look back in time via log files or monitoring system to find the root of the security breach.
Respond: Have a disaster recovery plan and security incident response plan in place.
Recover: Need full backups of all important business data, invest in cyber insurance, and regularly access your technology to find timely improvements.
If your company does not meet these fundamentals, then contact us for assistance.
Give your business freedom from hardware constraints with the agility and functionality of cloud computing.
Cloud requires no upfront costs, which makes it an operating expense rather than a capital expense. Your business will benefit from predictable monthly payments that cover software licenses, updates, support and daily backups. Cloud technologies provide greater flexibility as your business only pays for what it uses and can easily scale up and down to meet demand.
Moving to the cloud enables your business to no longer pay to power on-premises servers or to maintain the environment. This significantly reduces energy bills.
Finally, for those concerned with security, cloud data centers employ security measures far beyond what most SMBs can afford. Your company data is much safer in the cloud than on a server in their office.
Move your business to the cloud ahead of Office 2010 and Windows 7 End of Support!
If your company is looking to make the move to cloud, then contact us for assistance.
According to the following Microsoft Support Post published in October 2018, the HomeGroup feature has now been removed from Windows 10. Most people won’t need to worry about this, but recently ran across a business that had relied on this feature to run their network. With HomeGroup removed from Windows 10 they were left without the ability to share properly with a new computer on the network. So here is how to fix the issue:
How to fix Windows Networking after HomeGroup Removal
Turn off all sharing:
Open Network & Sharing Center
Click on Advanced Sharing Settings
Turn off network discovery (Private & Public)
Turn off file and print sharing (Private & Public)
Turn off Public folder sharing (All Networks)
Turn off Password Protected Sharing (All Networks)
Remove old password:
Open Credentials Manager
Change to Windows Credentials
Remove all $HomeGroup users credentials from networked computers on all computers formerly in HomeGroup
Find Function Discovery Provider Host and set to Automatic Startup then Start service
Find Function Discovery Resource Publication and set to Automatic Startup then Start service
Find SSDP Discovery and set to Automatic Startup then Start service
Find UPnP Device Host and set to Automatic Startup then Start service
Get username and password for all computers on network
On each computer on the network, open command prompt
For each username, use the command – net user [username] [password] /add
Turn on all sharing:
Open Network & Sharing Center
Click on Advanced Sharing Settings
Turn on network discovery (Private)
Turn on file and print sharing (Private)
Turn on Public folder sharing (All Networks)
Use 128-bit encryption (All Networks)
Turn on Password Protected Sharing (All Networks)
Recreate Shares (if needed)
Right-click on folder and choose Properties
Click on Sharing tab
Click on Advanced Sharing
Check Share This Folder
Name the share
Click on Add
Select username and add Full Control then click OK
Repeat for each username
Click OK to return to Properties window
Click on Security Tab
Click on Advanced
Click on Add
Select username and add Full Permissions (or appropriate level) then click OK
Repeat for each username
Check Replace Child Permisssions and click OK
Click OK on all previous windows
Hope this post helps some other techs save the time in fixing Windows 10 networking when HomeGroup is removed.
If your company is still using HomeGroup or needs any help with advanced networking, then contact us for assistance.
It seems lately that the power company in the area has not been able to offer consistent service power to the city. This has left many businesses down without the technology they need to operate properly. These power outages cause data loss and damage computer components.
My own unexpected outage
Once upon a time, about two weeks ago, the unexpected happened at our offices. A semi-truck carrying a large backhoe on a trailer drove between two buildings in the area. The landlord had wired power between buildings and the truck driver did not lower the arm of the backhoe low enough. Sure enough the wire was snagged by the backhoe’s arm and pulled from the building. Needless to say the power was out to that part of the building until the landlord took care of the matter.
What can be done?
Farmhouse Networking recommends that all business workstations, servers, and networking equipment be protected by an uninterruptible power source aka UPS or battery backup. When the power goes out the right size battery backup will keeps things running for about 15-30 minutes to allow the last touches to be added to whatever was being worked on and things to be shutdown gracefully.
Strange to think that the current wireless security protocol has been in use for over a decade, but with the release of WPA3 certification today the Wi-Fi Alliance has made some serious strides towards a more secure wireless security standard.
Offline Password Guessing – Attackers will now only get one guess per offline packet instead of unlimited. This will force them to interact with the wireless device directly which will make their attacks easier to detect and easier to shut them out.
Forward Secrecy – Even if the attacker is able to record a data stream and crack the current password, they will not be able to read the recorded data – only new data flowing over the network.
192-bit Encryption: – Enterprise users and tech savvy small businesses will be able to take advantage of deeper encryption for more secure connections
Wi-Fi Easy Connect – Simple to use, secure way for home users to connect their devices by scanning a QR code instead of entering a complex password.
This new security protocol mixed with the latest 802.11ax (that could bring 10 Gigabit speeds to wireless) will make 2019 a banner year for wireless technology.
If your company is interested better wireless security or faster wireless speeds, then contact us for assistance.
Ran into an issue with Scan to Folder on Windows 10 Home from a Xerox Versalink C7025 via SMB. Contacted support and they stated that Xerox does not support this setup. Further digging found that Windows 10 Home folder shares need passwords in a [Computername]\[Username] format that the Xerox Versalink could not provide correctly. I found another option that works well in this situation:
Scan to Folder via FTP
Create a Scan folder in the Users directory
Download and install Filezilla FTP Server with the defaults (I prefer to set “start user interface: to manually)
Click on the Edit > Users menu item.
Click on the Add button and create a username (case sensitive)
Check the password box and create a password
Click on the Shared Folders tab on the left then click on the Add under Shared Folders
Browse to the Scan folder and click OK
Check all File & Directory permissions then click OK at bottom left
With this setup on the Windows 10 Home computer an Address Book entry can be created for Scan to Folder via FTP on the Xerox Versalink. The only thing that could be a problem after that is a software firewall link Windows Firewall or McAfee LiveSafe.
If your company wants to utilize more functionality from your multi-function device, then contact us for assistance.