This is the fourth in a series about the concept of Zero Trust, which means in the IT sense that you trust nothing and always verify everything surrounding and connected to your network. Today’s discussion will be on secure remote access.
Secure Remote Access
Secure Remote Access is the ability to connect to company resources from anywhere in a manner that does not compromise security. This can be done by several means including remote access software, Virtual Private Network (VPN), or File Sync & Share (FSS). Here are some questions that you should be asking yourself:
Does anyone in your organization work from home or remotely?
How are they remotely connecting to the office?
Are you able to revoke access to the office if they leave the company?
If that connection is a modern VPN, what type of security does it use?
Is your VPN based on passwords or certificates?
Does the VPN log usage statistics?
If that connection is a remote access software, what type of security does it use?
Does the software limit who has access to which resource?
Does the software log who is logging in and for how long?
If that connection is via FSS, what type of security does it use?
Does your FSS have file versioning, backups, and ransomware protection?
Does the FSS limit who has access to which resource?
Do you use 2FA as part of your remote access?
Take time to think about these questions and decide where changes can be made to better protect your IT investments, or contact us to do the thinking for you.
This is the third in a series about the concept of Zero Trust, which means in the IT sense that you trust nothing and always verify everything surrounding and connected to your network. Today’s discussion will be on the backup of important data.
Backup
Backup is a way of creating multiple copies of your important data and the systems that house them. This has become a necessity thanks to acts of God (unforeseen physical disasters), acts of employees (accidental or purposeful destruction of data), and acts of malicious hackers (ransomware or malware). Here are some questions that you should be asking yourself:
What data or systems are being backed up?
How often are these backups being performed?
Are your backups protected from natural disasters (offsite and redundant)?
How long are backups being stored?
Once expired are they securely removed?
What is the process for recovering files, emails, workstations, servers, applications, databases?
Have you tested your recovery process lately?
Do you know how long it will take to recover?
How will business continue until systems are restored?
How will you merge new information into recovered data once restored?
How often do you test your recovery process?
Is the recovery test process automated?
Take time to think about these questions and decide where changes can be made to better protect your IT investments, or contact us to do the thinking for you.
This is the second in a series about the concept of Zero Trust, which means in the IT sense that you trust nothing and always verify everything surrounding and connected to your network. Today’s discussion will be on the vendors you purchase network equipment from.
Trusted Vendors
Trusted vendors are those who supply workstations, servers, routers, switches, power protection, software, and anything else connected to your network. Here are some questions that you should be asking yourself:
Do you know who makes your network equipment, servers, computers, and software?
Do you know the way to contact their support and have current account access information?
Do you have current warranties / support contracts on hardware and software?
Is the hardware able to perform at the level needed?
Are you purchasing software from vendors who meet industry standards?
If it is a subscription, how much are you paying and are you on the correct plan for your needs?
When was the last time you upgraded your software and hardware?
Have you budgeted for the next upgrade?
Take time to think about these questions and decide where changes can be made to better protect your IT investments, or contact us to do the thinking for you.
83% of employees continue accessing old employer’s accounts
Beyond Identity surveyed employees across the US, UK, and Ireland and found that 83% admitted to retaining access to accounts from a previous employer. Also, a shocking 56% admitted to using that access to harm their former employer.
The study also states that a professional and detailed offboarding process can prevent unauthorized access by former employees by eliminating their passwords and other authentication methods as soon as they leave. Strangely enough, this also creates a sense of goodwill in the company that lessens the motivation for departing employees to attempt this kind of malicious access. A process like this is vital given the current employment market and high turnover rates at almost all companies.
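As an added example (not part of the original article, and not a script from Beyond Identity), here is what the "eliminate their passwords" step of an offboarding process looks like for an on-premises Active Directory account. It assumes the RSAT ActiveDirectory module is installed, that the hypothetical OU "Disabled Users" exists, and that the script is saved as Offboard-User.ps1 and run by an account with rights over the user object:

```powershell
# Added example (not from the original article): minimal AD offboarding for a leaver.
# Assumes RSAT ActiveDirectory module; the OU below is hypothetical.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$DisabledOu = 'OU=Disabled Users,DC=corp,DC=example,DC=local'
)
Import-Module ActiveDirectory
$user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

# 1. Disable the account and replace the known password with 32 random bytes
#    so the old credential is dead even if the account is ever re-enabled by mistake.
Disable-ADAccount -Identity $user
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPw

# 2. Strip every group membership. MemberOf does not include the primary group
#    (Domain Users), which stays and is harmless on a disabled account.
foreach ($groupDn in $user.MemberOf) {
    Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
}

# 3. Record the leaver date and move the object out of the OUs where delegated
#    admins or GPOs still apply.
Set-ADUser -Identity $user -Description "Offboarded $(Get-Date -Format yyyy-MM-dd)"
Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu

# 4. Verify: the account should now show up as disabled.
Search-ADAccount -AccountDisabled |
    Where-Object SamAccountName -eq $SamAccountName |
    Select-Object SamAccountName, Enabled, LastLogonDate
```

Run it as `.\Offboard-User.ps1 -SamAccountName jdoe`. Cloud identities need the equivalent steps on that side too: revoking refresh tokens (Revoke-MgUserSignInSession in the Microsoft Graph module) and removing registered MFA methods, otherwise an already-signed-in phone keeps working until the token expires.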
If your company does not have a detailed and documented offboarding process, then contact us for assistance.
Security researchers performed penetration testing on the networks of 45 mid-sized companies and found that, in real-life scenarios, 93% of those networks could be compromised to the point of business disruption. Here are the details:
The Target
The 45 companies were polled to determine what would be an unacceptable business interruption. They decided that the following met those criteria:
Disruption of production processes
Disruption of service delivery processes
Compromise of the digital identity of top management
Theft of funds
Theft of sensitive information
Fraud against users
These became the target for the penetration testers.
The Process
To reach those targets, the testers followed this process:
Breach the network perimeter – This was done using compromised passwords found on the Dark Web and known vulnerabilities in devices directly connected to the internet
Obtain maximum privileges – In 100% of the networks, once an attacker was inside the network
Gain access to key systems – With maximum privileges, the testers were able to reach other areas of the network, including databases, executives' computers, and production servers
Develop attacks on target systems – Once key systems were compromised, the testers worked out how to cause the unacceptable business interruption. Although they could have caused these interruptions, they stopped at gathering proof that they could and presented that proof to the companies.
How to Defend
There are two main ways to defend against these kinds of attacks:
Security Controls / Segmentation – Applying least-privilege access to key systems and segmenting the network keeps attackers from moving laterally once they are inside
Enhanced Network Monitoring – Modern cyber security tools watch activity and traffic on the network for indicators of compromise. They pool this information into an attack history that can be used to remediate and further protect.
Your company is not as safe as you think, so contact us for a free initial cybersecurity evaluation and risk report.
Here is a quick bit of PowerShell that helped me track down a “shared calendar” in a Co-Managed IT / Tier3 client’s Office 365 tenant. After looking in Shared Mailboxes and Resources for the calendar with no luck, we tried to get into the Exchange Management Console (EMC). The loading circle of death went on for an eternity, so I switched to good old PowerShell. Found the commands as follows after connecting to Exchange Online in PowerShell:
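As an added example (these are not the commands from the original post), here is one way to hunt for a calendar folder across every mailbox in a tenant and then see who has been granted rights to it. It assumes the ExchangeOnlineManagement module is installed; the admin UPN and the calendar name are hypothetical.

```powershell
# Added example (not the original post's commands): find a calendar folder by name
# across the tenant and list its permissions. Admin UPN and calendar name are hypothetical.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

$CalendarName = 'Company Events'

# 1. Calendar-scope folder statistics for every mailbox type that can own a calendar.
#    "Shared calendars" are often just a subfolder under some user's Calendar.
$hits = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox,RoomMailbox,EquipmentMailbox |
    ForEach-Object {
        $mbx = $_
        Get-MailboxFolderStatistics -Identity $mbx.UserPrincipalName -FolderScope Calendar |
            Where-Object { $_.Name -like "*$CalendarName*" } |
            Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } }, Name, FolderPath, ItemsInFolder
    }
$hits | Format-Table -AutoSize

# 2. Folder permissions are addressed as "mailbox:\Calendar\Subfolder", while
#    FolderPath comes back as "/Calendar/Subfolder", so flip the slashes.
foreach ($hit in $hits) {
    $folderId = '{0}:{1}' -f $hit.Mailbox, ($hit.FolderPath -replace '/', '\')
    Get-MailboxFolderPermission -Identity $folderId |
        Select-Object @{ n = 'Folder'; e = { $folderId } }, User, AccessRights
}

Disconnect-ExchangeOnline -Confirm:$false
```

The permission listing is the part worth keeping: it shows which users (or Default / Anonymous) can see or edit the calendar, which is what you need to check before deciding whether it was "shared" deliberately.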
If your company is looking for local management of your Office 365 tenant or need advanced support for your IT team, then contact us to find out how much you can save with us.
While researching slow Windows roaming profile logins that several clients were having, I found that the common denominator was profiles being too large. Event Viewer showed nothing but Event ID 6005 – “The winlogon notification subscriber is taking long time to handle the notification event (Logon).” Their Group Policy settings pointed to the folder the profiles were being saved in. Running WinDirStat on the user.V6 folder turned up some interesting details: Downloads, Slack, Teams, and Zoom were taking up 13+ GB of data that was then being synced over the network at every logon and logoff. Time to update the Group Policy to exclude some folders:
GPO – Exclude directories in Roaming Profile
Open Group Policy Management
Edit the Roaming Profile policy
Open User Configuration > Policies > Administrative Templates > System > User Profiles
Enable – Exclude directories in roaming profiles
Add the following directories – Downloads;AppData\Roaming\Slack;AppData\Roaming\Microsoft\Teams;AppData\Roaming\Zoom
Click OK and close the editor
Open Windows Explorer and navigate to the user.v6 folder and delete the following folders:
Downloads
AppData\Roaming\Slack
AppData\Roaming\Microsoft\Teams
AppData\Roaming\Zoom
Wait 15 minutes for the policy to propagate (or run gpupdate /force), then reboot the affected machines and log in again.
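The same procedure scripted, as an added example rather than anything from the original post: it measures what is actually bloating the profiles on the share, writes the registry value that the "Exclude directories in roaming profiles" setting controls, and then clears the already-synced folders from the server copies. The profile share path and GPO name are hypothetical.

```powershell
# Added example (not from the original post). Hypothetical values: profile share
# \\fileserver\Profiles$ and a GPO named "Roaming Profiles". Run as a domain admin.
$ProfileShare = '\\fileserver\Profiles$'
$GpoName      = 'Roaming Profiles'
$Exclusions   = @('Downloads', 'AppData\Roaming\Slack', 'AppData\Roaming\Microsoft\Teams', 'AppData\Roaming\Zoom')

# 1. A quick WinDirStat substitute: size of the usual suspects in every .V6 profile on the share.
Get-ChildItem -Path $ProfileShare -Directory -Filter '*.V6' | ForEach-Object {
    $prof = $_
    foreach ($rel in @('Downloads', 'AppData\Roaming', 'AppData\Local')) {
        $path = Join-Path $prof.FullName $rel
        if (Test-Path $path) {
            $bytes = (Get-ChildItem -Path $path -Recurse -File -Force -ErrorAction SilentlyContinue |
                      Measure-Object -Property Length -Sum).Sum
            [pscustomobject]@{ Profile = $prof.Name; Folder = $rel; GB = [math]::Round($bytes / 1GB, 2) }
        }
    }
} | Sort-Object GB -Descending | Format-Table -AutoSize

# 2. The registry value behind "Exclude directories in roaming profiles":
#    HKCU\Software\Policies\Microsoft\Windows\System\ExcludeProfileDirs, a semicolon-separated REG_SZ.
Import-Module GroupPolicy
Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'ExcludeProfileDirs' -Type String -Value ($Exclusions -join ';') | Out-Null

# 3. Remove the now-excluded folders from the server-side profiles so they stop syncing.
#    Drop -WhatIf once the report above confirms these are the folders you expect to lose.
Get-ChildItem -Path $ProfileShare -Directory -Filter '*.V6' | ForEach-Object {
    foreach ($rel in $Exclusions) {
        $path = Join-Path $_.FullName $rel
        if (Test-Path $path) { Remove-Item -Path $path -Recurse -Force -WhatIf }
    }
}
```

Two caveats before removing -WhatIf: anything a user kept only in Downloads on a machine they no longer log into survives only in the server copy, so back the share up first; and excluding the AppData\Roaming subfolders means those apps' caches and settings become per-machine from then on, which is the point for Teams and Zoom caches but worth telling users.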
If your company is using roaming profiles to keep employees agile in the office, then contact us to setup a group policy evaluation.
Got an email from one of our co-managed IT / Tier3 / managed RMM clients that was having issues with DNS resolution. The network consists of a Synology NAS acting as Domain Controller / DNS server and a VM on the Synology that runs the client's main application. Several workstations could not browse to the application server by IP address (\\192.168.0.11\sharename) one day, and could not browse to its UNC path (\\servername\sharename) on another. We first tried setting the external forwarders to Google DNS and the Forward Policy to Forward First, but the problem resurfaced. So we dug deeper into the DNS settings and found the following:
If you look closely, the server's IP address is 192.168.0.11, but the name server records for the domain listed above and below it point to a server outside the application server's subnet (10.0.0.2). On further investigation, that address was blocked by the firewall because it belonged to an old IP addressing scheme that was no longer in use. The current DNS server addresses are 192.168.40.10 and 192.168.0.10.
Turns out the stale DNS records were the problem. Made the needed changes to the DNS records and things are working great.
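As an added example (not the commands from the original post), here is a PowerShell check that surfaces this kind of stale record without scrolling through the DNS console. It queries the NS records at the zone apex and the _ldap._tcp SRV targets that domain members use to find a domain controller, resolves each target, and flags any address that falls outside the subnets where DNS servers actually live. The domain name is hypothetical; the server address and the two good subnets are the ones from this case, and it works against any DNS server, the Synology included.

```powershell
# Added example (not from the original post): flag name-server records that point outside
# the subnets where DNS servers actually live. Domain name is hypothetical.
$Domain       = 'corp.example.local'
$DnsServer    = '192.168.0.10'
$GoodPrefixes = @('192.168.0.', '192.168.40.')

function Test-InGoodSubnet([string]$ip) {
    foreach ($prefix in $GoodPrefixes) { if ($ip.StartsWith($prefix)) { return $true } }
    return $false
}

# Name servers at the zone apex, plus the SRV targets clients use to locate a DC.
$targets  = @(Resolve-DnsName -Name $Domain -Type NS -Server $DnsServer -ErrorAction Stop |
              Where-Object QueryType -eq 'NS' | ForEach-Object NameHost)
$targets += @(Resolve-DnsName -Name "_ldap._tcp.$Domain" -Type SRV -Server $DnsServer -ErrorAction Stop |
              Where-Object QueryType -eq 'SRV' | ForEach-Object NameTarget)

foreach ($server in ($targets | Sort-Object -Unique)) {
    $addrs = @(Resolve-DnsName -Name $server -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
               Where-Object QueryType -eq 'A' | ForEach-Object IPAddress)
    if (-not $addrs) {
        [pscustomobject]@{ Host = $server; IP = $null; InGoodSubnet = $false; Reachable53 = $false; Verdict = 'NO A RECORD: dangling NS/SRV target' }
        continue
    }
    foreach ($ip in $addrs) {
        $inSubnet  = Test-InGoodSubnet $ip
        # Only probe addresses that could be right; the stale 10.0.0.2 is firewalled and would just time out.
        $reachable = if ($inSubnet) { (Test-NetConnection -ComputerName $ip -Port 53 -WarningAction SilentlyContinue).TcpTestSucceeded } else { $false }
        $verdict   = if (-not $inSubnet) { 'STALE: old addressing scheme, fix the record' } elseif (-not $reachable) { 'UNREACHABLE on tcp/53' } else { 'OK' }
        [pscustomobject]@{ Host = $server; IP = $ip; InGoodSubnet = $inSubnet; Reachable53 = $reachable; Verdict = $verdict }
    }
}
```

Anything marked STALE is a record to fix on the DNS server; anything UNREACHABLE is a firewall or service problem on a server that is otherwise correctly addressed. Running this against each DNS server in turn (192.168.0.10, then 192.168.40.10) also catches the case where the two servers disagree, which explains symptoms that come and go by day.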
If your company needs a little extra help running the IT department, then contact us to setup a co-managed IT evaluation.
A bill in Congress has been brewing since October 2020 and finally passed in December 2020. Representative David Scott introduced H.R.8620, whose stated purpose is:
“To permit payments for certain business software or cloud computing services as allowable uses of a loan made under the Paycheck Protection Program of the Small Business Administration.”
What PPP can do for you
This bill was an amendment to the Small Business Act that changes the definition of how PPP loan funds can be used. The changes are as follows:
“the term ‘covered operations expenditure’ means a payment for any business software or cloud computing service that facilitates business operations, product or service delivery, the processing, payment, or tracking of payroll expenses, human resources, sales and billing functions, or accounting or tracking of supplies, inventory, records and expenses”
So what does this mean for your business? That you can apply for the PPP funds then use them to upgrade your out-of-date software that runs your company or use the funds to move your business into the cloud. There has never been a better time or excuse to discuss the possibilities of moving your business to the cloud and implementing those upgrades that have waited so long. By doing so you will position your company better for the Work From Home trend and be prepared for business expansion once the pandemic is over.
Here are some lessons learned from a recent recovery of a server with the following error:
Lesson #1 – Blinking Hard Drives
When I got to the customer site, the Dell server had blinking hard drive lights on two of the drives. According to the support article, that pattern means “Identifying drive or preparing for removal,” and digging into the RAID controller confirmed the worst possible scenario for a RAID-5 array: two dead hard drives. RAID-5 survives the loss of only one drive, so the data on the array was gone and this became a restore from backup. I removed the two dead drives, cleared the configuration on the RAID controller, built a new RAID-5 array out of the remaining drives (4 out of 6), and did a fast initialize.
Lesson #2 – Drive letters on Windows Server Backup
Not sure if anyone else has noticed, but when Windows Server Backup is set up to use an external drive it hides the drive by not assigning it a drive letter. This caused a few issues with the restore from Windows Server 2012 R2 USB boot media, which could not find the backup drive. I had to connect the external drive to my laptop and give it a drive letter, then plug it back into the server and reboot.
Lesson #3 – Patience is a virtue in Scanning for System Image Disks
Following the basic instructions for a Windows Server Backup restore from Windows Server 2012 R2 USB boot media, you reach the point where it scans for System Image Disks. This can take hours depending on the speed of the drive plus the number and size of the backup versions stored on it. Just wait for the process to complete.
Lesson #4 – UEFI or Legacy BIOS matters
So you waited all that time for the scan to complete, and then the moment arrives when you realize the Windows Server 2012 R2 USB boot media you created is UEFI while the server boots legacy BIOS (or the other way around), and the restore fails telling you so. When you create the boot media, make sure its firmware mode matches the system you are trying to restore.
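Two checks that would have saved most of the time in Lessons 2 through 4, as an added example that is not part of the original post. Run from the server itself (or from the laptop the backup drive is plugged into, for the second half) before booting the restore media. It assumes the Windows Server Backup drive is attached over USB.

```powershell
# Added example (not from the original post): pre-flight checks before a Windows Server Backup restore.
# Assumes the backup drive is attached over USB. Run elevated.

# Lesson 4: is this machine booted UEFI or legacy BIOS? The restore media must match.
function Get-FirmwareType {
    if ($env:firmware_type) { return $env:firmware_type }   # 'UEFI' or 'Legacy' on Windows 8 / 2012 and later
    # Fallback for older builds: the boot loader name gives it away.
    if ((bcdedit /enum '{current}') -match 'winload\.efi') { return 'UEFI' } else { return 'Legacy' }
}
"Firmware: $(Get-FirmwareType)"

# Lesson 2: find the USB partition that Windows Server Backup left without a drive letter and give it one.
$usbDisks = Get-Disk | Where-Object { $_.BusType -eq 'USB' -and $_.PartitionStyle -ne 'RAW' }
foreach ($disk in $usbDisks) {
    Get-Partition -DiskNumber $disk.Number |
        Where-Object { $_.Type -in 'Basic', 'IFS' -and [int]$_.DriveLetter -eq 0 } |
        ForEach-Object {
            Add-PartitionAccessPath -DiskNumber $disk.Number -PartitionNumber $_.PartitionNumber -AssignDriveLetter
            $letter = (Get-Partition -DiskNumber $disk.Number -PartitionNumber $_.PartitionNumber).DriveLetter
            "Assigned ${letter}: to disk $($disk.Number) ($($disk.FriendlyName))"

            # Lesson 3: confirm the catalog is actually on this drive, and see how many versions the
            # System Image Disk scan is going to have to read, before committing hours to it.
            $target = "-backupTarget:${letter}:"
            wbadmin get versions $target
        }
}
```

If `wbadmin get versions` lists nothing, the scan in the restore wizard will not find anything either, and you have lost no time discovering that.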
Hope that these lessons help a few other Windows Server admins, who are trying to do a Windows Server Backup 2012 Restore, save some time and frustration. If you are looking for a better way to do backup and restore then contact us for details.