Big thanks go out to the folks at SANS Institute for this write-up on Detecting Security Incidents Using Windows Workstation Event Logs that gave the guidance for this article on Windows Event Logs Intrusion Detection. These are the basics of creating Custom Views in Event Viewer on Microsoft Windows 2012, but the actual monitoring for these events should be done by more complex log parsing software that is beyond the scope of this article. Here are the basic steps towards finding these events:
Create Windows Event Logs Intrusion Detection Custom View
Open Event Viewer
Right click on Custom Views then choose “Create Custom View…”
Make sure to select all event levels and all Windows Logs
Add the following event id numbers into the space provided:
Click OK. Give the Custom View a name, then click OK again.
Right click on the newly created Custom View and select “Attach Task To This Custom View…”
Work through the wizard-based interface and select the desired task. Email is a nice one but is deprecated and will require the setup of an SMTP relay unless there is an onsite Exchange server or a dedicated email account set up for this purpose with your email provider.
These are just the basics; the SANS article goes into greater depth on how to configure event log monitoring software to parse these for you. Better yet, contact us to set up remote monitoring and maintenance to do the heavy lifting for you.
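The Custom View created above is stored by Event Viewer as an XML filter, and the same filter can be built and run from PowerShell to confirm the view returns what you expect before a task or a log-parsing product is attached to it. The following is an added example and is not code from the original article or from the SANS paper; the two Event IDs in it are placeholders (a failed logon and an account lockout), and the list from the SANS paper should be substituted. It assumes an elevated PowerShell session on the workstation being checked.

```powershell
# Added example, not part of the original article or the SANS paper.
# Builds the XML filter Event Viewer stores for a Custom View (all levels,
# all Windows Logs, a list of Event IDs) and runs it with Get-WinEvent.
# ASSUMPTION: the Event IDs are placeholders; substitute the SANS list.

$EventIds    = @(4625, 4740)   # placeholder IDs: failed logon, account lockout
$WindowsLogs = @('Application', 'Security', 'Setup', 'System', 'ForwardedEvents')

function New-CustomViewXml {
    param([int[]]$Ids, [string[]]$Logs)
    # Event Viewer joins the IDs with "or" inside one XPath predicate
    $idFilter = ($Ids | ForEach-Object { "EventID=$_" }) -join ' or '
    # one <Select> per log so the view spans every Windows Log
    $selects = foreach ($log in $Logs) {
        "    <Select Path=`"$log`">*[System[($idFilter)]]</Select>"
    }
    @"
<QueryList>
  <Query Id="0" Path="$($Logs[0])">
$($selects -join "`n")
  </Query>
</QueryList>
"@
}

$xml = New-CustomViewXml -Ids $EventIds -Logs $WindowsLogs

# Save it; the file can be pasted into the XML tab of "Create Custom View..."
$xml | Set-Content -Path "$env:TEMP\IntrusionView.xml"

# Run the identical filter from the console. SilentlyContinue covers the
# "No events were found" error and logs that do not exist on this host.
$events = Get-WinEvent -FilterXml $xml -MaxEvents 500 -ErrorAction SilentlyContinue

# Quick triage: how many of each ID, per machine (matters for forwarded events)
$events |
    Group-Object Id, MachineName |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

The same `$xml` string can be handed to `Get-WinEvent -ComputerName` to check a remote workstation, which is a quick way to confirm the view works on several hosts before any monitoring software is configured.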
There are many reasons your business needs to use a branded email address using a customized domain name. Let’s look at what the top ones are:
Branded Email Establishes Legitimacy
Customers want to trust a company before they choose to give it their business. This is the number one reason businesses should use branded email – not only does it give your business a deeper level of branding, but it establishes the business' legitimacy. This is because your email is often the customer’s first impression of you, especially if email or print marketing listed an email address for contact. It makes your business look professional and can set it apart from the competition. Phishing schemes are a very real concern these days and many of these fake emails come from people trying to pose as a legitimate business. The best way for your customer to know whether the email is really from you or from a potentially dangerous source is the email address' domain name. If the customer can look at the sender address and see your business’ domain, they will feel more confident clicking links or replying back with sensitive information.
Branded Email Builds Your Brand
A business can never have too much company branding. From business cards to bumper stickers to coffee mugs, there are branding opportunities everywhere. This should include your business email too. Every time your employees send an email, it reinforces your business brand to the customer. It not only reminds the customer that you have a website, but gives them a peek into what your company is all about.
Branded Email Separates Company Departments
Having a branded email allows you to create multiple email addresses or email aliases for different departments and company objectives. This is a huge benefit, as firstname.lastname@example.org may not always be the best address to email, or your business may not want the customer to contact your employees directly. It helps compartmentalize the work and makes sure that the right person or department receives the correct emails. You can create emails like email@example.com, firstname.lastname@example.org, email@example.com and many others that can point to one or more members of the organization. It also helps the customer, by pointing them to the right email address for the issue they need addressed.
Branded Email Isn’t Expensive
With Office 365’s Hosted Exchange service your business can add as many individual email addresses and email aliases to your company's branded domain as needed, access email from anywhere across all major platforms, get industry-leading anti-malware / anti-spam filtering built in, send email attachments up to 150MB in size and get 50GB of storage per mailbox. Prices start at just $4 per user per month. Microsoft manages the email server and Farmhouse Networking handles the setup / administration of the rest, making it simple for you to have a professional branded customized business email address.
If you don’t have a branded email address, now is the perfect time to get one. Small businesses often think they don’t need one or can’t afford it, but that is simply not true. Help your business by setting up a branded email today by giving us a call or email to let our Office 365 experts get your business started on the path to better branding.
It is astounding to think that many servers in small businesses are plugged directly into the wall for power without any protection from outages or dirty electric current. It is easy to mitigate up to 44% of data loss incidents that are due to hardware failure by providing clean and consistent power to servers on the network. Installing a server battery backup is quite easy to do, and the return on investment is hard to see only because the problems it prevents never turn into incidents. Here is a basic list of best practices for purchasing and setting up the monitoring software that comes with the unit:
Server Battery Backup Purchasing:
Budget to purchase new battery backup devices every 5-6 years
Replace internal battery on unit at the 3 year mark
Based on maximum load (think power supply total watts), select an Uninterruptible Power Supply (UPS) that will not be loaded over 80%, which protects the unit from undue wear and allows for some growth
Consider redundant UPS configuration for larger servers with multiple power supplies
In high production environments, consider adding a UPS for each workstation to allow for file saves before the file server shutdown occurs.
Server Battery Backup Setup:
Make sure the building's electrical breakers are rated to handle the 80-100% load of the UPS
If a single UPS is used with a server that has multiple power supplies, then put one plug into the wall and the other into the UPS, but please consider redundant UPS units.
Plug in the serial, USB or network management connection and install the management software that comes with it
Configure the management software to gracefully shutdown the Operating System (OS) of all connected servers
If using sequential shutdown of servers, then shut down database servers first, file servers second and domain controllers last.
Configure either SNMP alerting or email alerting to get status updates from the device
Configure regular self-test of the battery to make sure there is no failure of the internal battery before the replacement period
Taking the time to do this right the first time will save headaches later when things go wrong. Call or email us to do an evaluation of your power infrastructure.
Shared calendars for the use of shared meeting space reservation is becoming a thing of the past. Office 365 has a better type of calendar specifically made for rooms. This guide will show you how to set up these Office 365 Meeting Rooms in Microsoft’s Office 365 admin portal. Login to the Office 365 Portal with an administrator account and do the following:
Setup Office 365 Meeting Rooms
Click on the Meeting Rooms tab on the left of the Office 365 admin center.
Click on the + symbol to begin the creation of the meeting room object.
Fill in the needed information (Name, Email Address and Room Capacity) then click Create.
Now users can access these meeting rooms when creating a new Meeting in Outlook by clicking on the Rooms button and selecting them.
Once selected, that room is marked off on its associated calendar for that date and time. There are also color-coded indicators of each meeting room's availability on the selected date in the calendar.
The meeting room will also now appear in their Calendar tab of Outlook and can be used similarly to other calendars. If you have any issues setting things up for your site, please feel free to contact our Office 365 experts to guide you through the process.
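The three portal steps above can also be done from PowerShell, which is handy when many rooms have to be created at once. The following is an added example, not code from the original post or from Microsoft; the room name, address and capacity are sample values, and it assumes the ExchangeOnlineManagement module and an Office 365 administrator account.

```powershell
# Added example, not part of the original post. Creates a room mailbox the
# way the admin portal's Meeting Rooms tab does, then lists the rooms that
# Outlook's Rooms button will offer. Sample values throughout.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # prompts for the admin account

# Name, Email Address and Room Capacity from the portal form
$room = New-Mailbox -Name 'Conference Room A' -Room `
    -PrimarySmtpAddress 'room-a@example.com' -ResourceCapacity 10

# Make the room answer booking requests itself so the calendar gets marked
# off when a user selects it; do not rely on the tenant default for this.
Set-CalendarProcessing -Identity $room.Identity -AutomateProcessing AutoAccept

# Verification: every room mailbox, as Outlook's room picker will see them
Get-Mailbox -RecipientTypeDetails RoomMailbox |
    Select-Object DisplayName, PrimarySmtpAddress, ResourceCapacity |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Running `Get-CalendarProcessing -Identity $room.Identity` afterwards shows the booking policy (working hours, recurring meetings, who may book), which the portal form does not expose at creation time.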
This one scares me to read about. A new variant of ransomware called UmbreCrypt RansomWare is out there that is getting into business networks via hacking of terminal servers. This is even more reason to use the best practice of connecting to a Virtual Private Network (VPN) before connecting to your company terminal server. Please take the time to read this article from BleepingComputer.com to find out the frightening details. Feel free to call or email us to discuss how to proactively protect your business computer network with managed antivirus and offsite backups. Schedule a full network security audit to determine just how vulnerable your systems are and to determine what can be done to mitigate the risks.
We undertook the task of complying with Google's HTTPS Everywhere web standard, which incentivises the move to HTTPS by increasing search rankings for those that comply. The first step in this process was acquiring an SSL certificate for our website's domain name from a provider. We went the cheap route and went with StartSSL using their Level 1 certificate that is good for one year and FREE. The process was not for the faint of heart as it included encryption keys, decryption of public keys, downloading several certificates and importing them properly into our webhost. As you can see it is just a basic certificate with no verification information, so no green bar in the browser as some other sites have:
If you need to acquire an SSL certificate (especially those with wildcards or extended validation) or are looking for help getting your SSL certificate configured on your website, just drop an email and I would be happy to help.
The next step in the process was to change the .htaccess file in the public_html folder on the webserver (this is for Linux hosts and is different for Windows IIS users, as they will be editing the web.config file). Once this is done the server will start automatically sending people to the same pages you already have on the server, but will use https:// instead of http:// to display them. This is universal if you put it in the public_html folder, so be careful. I had some non-relative, absolute links on my pages that were causing issues with displaying them – I had to go through each link to my own pages and update them to either be relative or the correct absolute values (this does not apply to any external links). As you can see things are running great now in SSL mode on our site.
Recently going through the HIPAA compliance standards and dealing with “accidentally” deleted items on a file share has led to a need for a standard file server audit logging policy that can be deployed to all servers via Group Policy Object (GPO). Here is the summation of my research:
File Server Audit Logging Policy GPO
1. Create a GPO and name it File Server Audit Policy
2. Set the following settings to enable advanced features and disable shutdown:
[Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\]
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings – Enabled
Audit: Shut down system immediately if unable to log security audits – Disabled
3. Move down the tree structure to the following and edit these various auditing settings:
[Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\]
Account Logon: Credential Validation – Success and Failure
Account Management: Computer Account Management – Success
Account Management: Other Account Management Events – Success and Failure
Account Management: Security Group Management – Success and Failure
Account Management: User Account Management – Success and Failure
Detailed Tracking: Process Creation – Success
Logon-Logoff: Logoff – Success
Logon-Logoff: Logon – Success and Failure
Logon-Logoff: Special Logon – Success
Object Access: File System – Success
Policy Change: Audit Policy Change – Success and Failure
Policy Change: Authentication Policy Change – Success
Privilege Use: Sensitive Privilege Use – Success and Failure
System: IPsec Driver – Success and Failure
System: Security State Change – Success and Failure
System: Security System Extension – Success and Failure
System: System Integrity – Success and Failure
5. Open the Properties of the shared folder needing Auditing, click on Security tab and then on the Advanced button
6. Click on the Auditing tab, if there is UAC prompt then click Continue and then click on the Add button
7. Click on Select Principal, search for the Everyone security group and then click on the OK button
8. Change the Type to All, click on Show advanced permissions, check the boxes next to “Delete subfolders and files” and “Delete” and then click on the OK button
9. Put a check next to “Replace all child object auditing with inheritable auditing from this object” then click on the OK button
If your company is using a Windows Server for network file access and needs help getting the File Server Audit Logging set up properly for HIPAA compliance, then contact us for assistance.
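For a standalone server, or to confirm on one file server exactly what the GPO above should produce, the same settings can be applied and checked locally. The following is an added example and not code from the original post: step 2 maps to two LSA registry values, step 3 to auditpol.exe subcategory names (which match the policy names listed above), and steps 5 to 9 to a file system SACL. It assumes an elevated session on the file server; the share path is a placeholder.

```powershell
# Added example, not part of the original post. Applies the audit policy and
# the share SACL described above locally, then verifies them.
# ASSUMPTIONS: run elevated on the file server; $SharePath is a placeholder.

$SharePath = 'D:\Shares\Finance'   # placeholder, replace with the audited share

# Step 2: the two Security Options are these LSA registry values
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord  # subcategories override categories
Set-ItemProperty -Path $lsa -Name CrashOnAuditFail -Value 0 -Type DWord              # never halt the server when the log fills

# Step 3: subcategory -> (success, failure), exactly as in the list above
$policy = [ordered]@{
    'Credential Validation'           = 'enable', 'enable'
    'Computer Account Management'     = 'enable', 'disable'
    'Other Account Management Events' = 'enable', 'enable'
    'Security Group Management'       = 'enable', 'enable'
    'User Account Management'         = 'enable', 'enable'
    'Process Creation'                = 'enable', 'disable'
    'Logoff'                          = 'enable', 'disable'
    'Logon'                           = 'enable', 'enable'
    'Special Logon'                   = 'enable', 'disable'
    'File System'                     = 'enable', 'disable'
    'Audit Policy Change'             = 'enable', 'enable'
    'Authentication Policy Change'    = 'enable', 'disable'
    'Sensitive Privilege Use'         = 'enable', 'enable'
    'IPsec Driver'                    = 'enable', 'enable'
    'Security State Change'           = 'enable', 'enable'
    'Security System Extension'       = 'enable', 'enable'
    'System Integrity'                = 'enable', 'enable'
}
foreach ($sub in $policy.Keys) {
    $success, $failure = $policy[$sub]
    & auditpol.exe /set /subcategory:"$sub" /success:$success /failure:$failure | Out-Null
}

# Steps 5-8: audit Everyone for "Delete" and "Delete subfolders and files",
# Type "All" = Success and Failure, inherited by child folders and files
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $SharePath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Step 9: children drop their own explicit audit entries and inherit this SACL
Get-ChildItem -Path $SharePath -Recurse -Force | ForEach-Object {
    $child = Get-Acl -Path $_.FullName -Audit
    foreach ($explicit in $child.GetAuditRules($true, $false, [System.Security.Principal.NTAccount])) {
        [void]$child.RemoveAuditRule($explicit)
    }
    $child.SetAuditRuleProtection($false, $false)   # re-enable inheritance from the share root
    Set-Acl -Path $_.FullName -AclObject $child
}

# Checks: effective policy, the SACL, and the deletion events it now produces
auditpol.exe /get /subcategory:"File System"
(Get-Acl -Path $SharePath -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660, 4663; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'User'; e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize
```

Deleting a test file on the share after running this should produce a 4663 (access attempt with DELETE) followed by a 4660 (object deleted) naming the account; if nothing appears, the usual cause is that the Security log is full and overwriting is disabled, which is exactly why step 2 turns off the shutdown-on-audit-failure option. The step 9 loop touches every object under the share and can take a long time on a large tree.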
Recently have had to setup a couple terminal servers and wanted to create a list of standard lock downs that can be added via a Terminal Server lockdown Group Policy Object (GPO).
Terminal Server Lockdown Preparation
1. Open Active Directory Users & Computers
2. Create Organizational Unit (OU) for Terminal Server.
3. Move all terminal servers to this OU.
4. Create Security Group in this OU for users who will use Remote Desktop Host (i.e. Terminal Server Users).
5. Add all users who will use the terminal server as members of this security group.
6. Open Group Policy Management, right click the new Terminal Server OU and “Create a GPO in this domain, and Link it here” (i.e. Terminal Server Lock Down).
7. In Security Filtering delete Authenticated Users, add Terminal Server Users security group created in previous step.
Configure users who can connect to the server remotely:
1. Log into the terminal Server
2. Open Control Panel, open System, click on Remote Settings then click on the Remote tab.
3. Click on Select Users, Remove any groups/users and then Add the Terminal Server Users security group.
Disable Server Manager Pop Up at user log on:
1. On Terminal Server open Task Scheduler.
2. Navigate to Task Scheduler Library\Microsoft\Windows\Server Manager.
3. Disable task “ServerManager” which triggers at log on of any user.
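The preparation, remote-user and Server Manager steps above can be scripted so every terminal server is built the same way. The following is an added example and not code from the original post; the domain, server names (TS01, TS02), user names and the OU, group and GPO names are sample values. It assumes the ActiveDirectory and GroupPolicy RSAT modules on a management host for the directory part, and a local elevated session on each terminal server for the rest.

```powershell
# Added example, not part of the original post. Sample names throughout.
# --- Part 1: run on a management host as a domain admin (RSAT modules) ---
Import-Module ActiveDirectory, GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'Terminal Servers'
$ouDn     = "OU=$ouName,$domainDn"
$group    = 'Terminal Server Users'
$gpoName  = 'Terminal Server Lock Down'

# Steps 2-3: OU, then move the terminal servers into it
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}
foreach ($srv in 'TS01', 'TS02') {                      # sample server names
    Get-ADComputer -Identity $srv | Move-ADObject -TargetPath $ouDn
}

# Steps 4-5: security group in that OU with the users who may log on
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ouDn
}
Add-ADGroupMember -Identity $group -Members 'alice', 'bob'   # sample users

# Steps 6-7: GPO linked to the OU, filtered to the group. Authenticated Users
# are reduced to Read rather than removed outright: since MS16-072 the computer
# account must still be able to read the GPO or the user settings never apply.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $ouDn | Out-Null
}
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Check: only the group should hold GpoApply
Get-GPPermission -Name $gpoName -All | Format-Table Trustee, Permission -AutoSize

# --- Part 2: run elevated on each terminal server ---
$group = 'Terminal Server Users'
# "Configure users who can connect": the Remote tab edits this local group
net localgroup "Remote Desktop Users" "$env:USERDOMAIN\$group" /add

# "Disable Server Manager Pop Up": the logon-triggered task
Disable-ScheduledTask -TaskPath '\Microsoft\Windows\Server Manager\' -TaskName 'ServerManager' | Out-Null

# Checks
net localgroup "Remote Desktop Users"
Get-ScheduledTask -TaskPath '\Microsoft\Windows\Server Manager\' -TaskName 'ServerManager' |
    Select-Object TaskName, State
```

`net localgroup` is used instead of the newer `Add-LocalGroupMember` so the second part works unchanged on the Server 2012 hosts this post was written for. The Remote tab's "Remove any groups/users" step is left to the operator, since what is already in that group varies from server to server.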
Configure Group Policy for Terminal Server Lock Down:
I have had the privilege of using a new remote support tool called ScreenConnect which was recently acquired. This tool has all the major features of other remote support tools including a built in screen annotation feature and OCR capability that feeds into the built in research tool. Looking forward to training and trying all the features of this wonderful new software.
To understand the need to transfer FSMO roles it is necessary to understand FSMO. As per Wikipedia – “Flexible Single Master Operations (FSMO) is a specialized domain controller (DC) set of tasks, used where standard data transfer and update methods are inadequate. Active Directory (AD) normally relies on multiple peer Domain Controllers, each with a copy of the AD database, being synchronized by multi-master replication. The tasks which are not suited to multi-master replication, and are viable only with a single-master database, are the FSMOs.”
When adding a new DC to a domain it often becomes the primary DC, which means the FSMO roles will need to be transferred to it. There are several ways to get this done, but this is by far the easiest I have found. Run the following PowerShell command from the new DC:
Move-ADDirectoryServerOperationMasterRole -Identity "[New DC Computer Name]" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster
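Because the command above reports nothing on success, it helps to record the five role holders before and after so the transfer can be confirmed. The following is an added example wrapping the same command, not code from the original post; the DC name is a placeholder, and it assumes the ActiveDirectory module on the new DC.

```powershell
# Added example, not part of the original post. $newDc is a placeholder.
Import-Module ActiveDirectory
$newDc = 'NEWDC01'

function Get-FsmoHolder {
    # The three domain roles come from Get-ADDomain, the two forest roles
    # from Get-ADForest; all values are fully qualified DC names.
    $d = Get-ADDomain
    $f = Get-ADForest
    [pscustomobject]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

'Before:'
Get-FsmoHolder | Format-List

# The transfer itself (same command as the post, all five roles at once)
Move-ADDirectoryServerOperationMasterRole -Identity $newDc `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster `
    -Confirm:$false

'After:'
$after = Get-FsmoHolder
$after | Format-List

# Every role should now name the new DC; compare the host part of the FQDN
$notMoved = $after.PSObject.Properties | Where-Object { ($_.Value -split '\.')[0] -ne $newDc }
if ($notMoved) {
    Write-Warning "Roles still held elsewhere: $($notMoved.Name -join ', ')"
} else {
    "All five FSMO roles are now on $newDc"
}
```

If the "After" list still shows the old holder for a role, the usual reasons are that the old DC is unreachable (a transfer needs both sides online; otherwise a seizure with `-Force` is required, which should only be done when the old DC is never coming back) or that the account lacks Schema Admins / Enterprise Admins membership for the two forest roles.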