Channel: Symantec Connect - Blog Entries

WinRAR affected by new zero-day vulnerability

A new remote code execution vulnerability affecting the compression utility is less dangerous than first believed.

Read more

Mac OS X "Gatekeeper" has an easily bypassed vulnerability

According to a detailed write-up by security researcher Patrick Wardle, "Gatekeeper", used in Apple's Mac OS X, has a vulnerability that lets an attacker run unverified, unsigned code.

Read more

Script to patch Install.wim


In order to maintain a sustainable OS image I like to fully automate the image creation process, starting with a known, untouched OS DVD image and ending with a fully formed, sysprepped image. That way it is easy to tell exactly what has gone into the image and to update any element of it.

However, installing all the patches and updates each time can be time consuming, so I prefer to slipstream them into install.wim. I still want to be able to trace back to a known, untouched install.wim, however.

So I start by manually copying the DVD image to a custom folder ('aaa') in the eXpress share, making it read-only, and then creating a Scripted OS install job from that source. I then create a job with a "Run Script" task, run locally on the DS, that copies the untouched install.wim from the source to the WINOSnnn directory, mounts it, patches it and unmounts it. The scripted OS install then uses the patched install.wim. I copied the DISM folder from the relevant Windows ADK and created an empty d:\mount directory. Download any patches as extracted CAB files to an OfflineCAB directory under your OS directory in your folder.

REM Run on DS; paths are relative to the eXpress share

set myco=aaa
set os=win10x64
set dvd=SW_DVD5_WIN_ENT_10_64BIT_Eng_Intl_MLF_X20-26306
set dism=%os%\DISM
set winos=WinOS008
REM No trailing space after the path: "set" keeps it and it would break the file name
set wim=.\deploy\%winos%\sources\sources\install.wim
set mount=d:\mount

REM Always start from the untouched install.wim so the result stays traceable
copy /Y ".\%myco%\%os%\%dvd%\sources\install.wim" "%wim%"

REM Mount image index 1 of the WIM read-write
".\%myco%\%dism%\dism.exe" /mount-wim /wimfile:"%wim%" /mountdir:%mount% /index:1

REM Inject every extracted CAB found under OfflineCab into the mounted image
FOR /F "delims=" %%A IN ('dir ".\%myco%\%os%\OfflineCab\*.cab" /s /b') DO (".\%myco%\%dism%\dism.exe" /image:%mount% /Add-Package /PackagePath:"%%A" /NoRestart /quiet)

REM Write the changes back into install.wim
".\%myco%\%dism%\dism.exe" /unmount-wim /mountdir:%mount% /commit

Misc Scripted OS install tweaks


As part of our standard scripted install I have a number of simple scripts to help with tasks such as patching and hardening the image.

Quite a few of you will have your images subject to security scans, so I now run these scripts to close minor security holes:

REM Set local passwords to expire after 30 days
REM This may not survive sysprep

net accounts /MAXPWAGE:30

REM Rename Local Administrator and Guest accounts
REM This may not survive sysprep
set admin=mooney
set guest=hunt

wmic UserAccount where name="Administrator" call Rename Name="%admin%"
wmic UserAccount where name="Guest" call Rename Name="%guest%"

REM Turn off CDROM Autorun

reg add HKLM\SYSTEM\CurrentControlSet\services\cdrom /v AutoRun /t REG_DWORD /d 0 /f

REM Disable saving Dial up passwords

reg add HKLM\System\CurrentControlSet\Services\Rasman\Parameters /v DisableSavePassword /t REG_DWORD /d 1 /f

Then there are various other settings you may want:

REM powercfg.exe High power no hibernate

powercfg -setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
powercfg.exe /hibernate off

REM Disable Windows Media Player auto-update (/f overwrites an existing value without prompting)

reg add HKLM\SOFTWARE\Policies\Microsoft\WindowsMediaPlayer /v DisableAutoUpdate /t REG_DWORD /d 00000001 /f

You might have a variety of OS and core app updates to install, CAB, EXE and MSU files:

REM To install exe updates
REM Copy executable patches locally to c:\support\Patches\exe first
REM Paths are quoted so that folder or file names containing spaces do not break the call

FOR /F "delims=" %%A IN ('dir c:\support\patches\exe\*.exe /s /b') DO ("%%A" /quiet /norestart)

REM To DISM Windows updates from CAB
REM Copy cab files locally to c:\support\Patches\cab first

FOR /F "delims=" %%A IN ('dir c:\support\patches\cab\*.cab /s /b') DO (dism.exe /online /Add-Package /PackagePath:"%%A" /NoRestart /quiet)

REM To WUSA Windows updates from MSU
REM Copy msu files locally to c:\support\Patches\msu first

FOR /F "delims=" %%A IN ('dir c:\support\patches\msu\*.msu /s /b') DO (wusa.exe "%%A" /NoRestart /quiet)

And for Windows 7 I like to get rid of the Event ID 10 errors:

'KB2545227 Event ID 10 error fix
'vbscript
' Removes the leftover WMI event filter "BVTFilter", the consumers bound to it
' and the filter-to-consumer bindings that cause the Event ID 10 errors.

strComputer = "."

Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\subscription")

Set obj1 = objWMIService.ExecQuery("select * from __eventfilter where name='BVTFilter' and query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA ""Win32_Processor"" AND TargetInstance.LoadPercentage > 99'")

For Each obj1elem In obj1
    ' Consumers associated with this filter, and the binding objects themselves
    Set obj2set = obj1elem.Associators_("__FilterToConsumerBinding")
    Set obj3set = obj1elem.References_("__FilterToConsumerBinding")

    For Each obj2 In obj2set
        WScript.Echo "Deleting the object"
        WScript.Echo obj2.GetObjectText_
        obj2.Delete_
    Next

    For Each obj3 In obj3set
        WScript.Echo "Deleting the object"
        WScript.Echo obj3.GetObjectText_
        obj3.Delete_
    Next

    ' Finally delete the filter itself
    WScript.Echo "Deleting the object"
    WScript.Echo obj1elem.GetObjectText_
    obj1elem.Delete_
Next

Information security: questions and answers about targeted attacks

Spear-phishing and watering hole attacks use social engineering to break into specific corporate systems. See how to protect yourself

by Vladimir Amarante

Targeted attacks based on social engineering, a technique that seeks to learn the habits of a company's employees in order to ease the delivery of malware, are a growing strategy worldwide. They are built with a focus on specific companies, concentrating effort on particular groups of users, and rely on those users' web browsing and communication behaviour to facilitate the intrusion. Two very common kinds are spear-phishing and watering hole attacks.

Preventing this type of action is complex work, because the intruder invests time and focus in crafting a precise and discreet strategy based on extensive research. But that does not mean it is an impossible task. It is important, then, to know the enemy well in order to fight it.

What is spear-phishing?

Spear-phishing works like spam: the user receives an e-mail inviting them to click a malicious link. The difference from mass campaigns is that in spear-phishing both the message and the offer are tailored to the recipient's role in the company. A Human Resources department, for example, will rarely refuse to open a résumé attached to an e-mail, just as a salesperson will see nothing strange in downloading a corporate presentation from a potential customer. In 2014, the world dealt with an average of 73 spear-phishing attacks per day, according to the Internet Security Threat Report produced by Symantec with data for 2014.

What is a watering hole?

In watering hole attacks, cybercriminals learn the web browsing behaviour of a group of users and infect the sites they visit most with malicious links. The chance of success increases, since the malware stays "hidden" in an apparently safe environment.

What motivates the intrusions?

There are two major motivations behind a targeted attack: either financial gain, obtained through the theft of banking information, marketing campaigns, customer bases and intellectual property in general, or cyberactivism, whether because the intruder wants to harm the company or wants to gain visibility.

Who are the targets?

Symantec's study shows that individual contributors (27%), interns (26%), directors (19%) and managers (6%) were the target of at least one spear-phishing attack last year. By sector, manufacturing (20%); non-traditional services (20%); finance, insurance and real estate (18%); professional services (11%); and wholesale (10%) are the industries most targeted by intruders.

What are the most common entry points?

They can enter the corporate infrastructure through conventional security flaws left uncorrected for lack of updates to tools such as antivirus, for example, but they tend to be built to slip through zero-day holes: those completely unknown to the market and not yet catalogued by the software's makers or by security companies. Symantec identified 24 such vulnerabilities in 2014, and the top five took an average of 59 days to be resolved.

How to prevent them?

Obviously, there is security software developed to protect companies and raise alerts in cases of suspicious behaviour, but the question remains: is the information security team trained and staffed with enough people to meet all these demands? Given that the target of the attack is the employees, are they aware of the risks and prepared to avoid the risks of these two types of targeted attack?

Information security: questions and answers about targeted attacks

Spear-phishing and watering hole attacks use the concept of social engineering to break into corporate targets. See how to protect yourself

by Vladimir Amarante

Targeted attacks based on social engineering, a technique that seeks to learn the habits of employees in order to ease the delivery of malware or gain privileged access, are a growing practice worldwide. They are built with a focus on specific companies, concentrating effort on particular groups of users, and rely on those users' web browsing and communication behaviour to facilitate the intrusion. Two very common kinds are spear-phishing and watering hole attacks.

Preventing this type of action is complex work, because the intruder invests time and focus in crafting a precise and discreet strategy, based on extensive research and persistence. However, that does not mean it is an impossible task. It is important, then, to know the enemy well in order to fight it.

What is spear-phishing?

In spear-phishing, the user receives an e-mail inviting them to click a malicious link. The difference from mass campaigns is that in spear-phishing both the message and the offer are tailored to the recipient's role in the company. A Human Resources department, for example, will hardly refuse to open a résumé attached to an e-mail, just as a salesperson will see nothing odd in downloading a corporate presentation from a potential customer. In 2014, the world dealt with an average of 73 spear-phishing attacks per day, according to the Internet Security Threat Report produced by Symantec with data for 2014.

What is a watering hole?

In watering hole attacks, cybercriminals learn the web browsing behaviour of a group of users and infect the websites they visit most with malicious links or content. The likelihood of success increases, since the threats stay "hidden" in an apparently safe environment.

What motivates the intrusions?

There are two major motivations behind a targeted attack: either financial gain, obtained through the theft of accounting information, marketing campaigns, customer bases and intellectual property in general, or cyberactivism, whether because the intruder wants to harm the company or wants to gain visibility.

Who are the targets?

Symantec's study shows that individual contributors (27%), interns (26%), directors (19%) and managers (6%) were the target of at least one spear-phishing attack last year. By sector, manufacturing (20%); non-traditional services (20%); finance, insurance and real estate (18%); professional services (11%); and wholesale (10%) are the industries most targeted by intruders.

What are the most common entry points?

The corporate infrastructure can be entered through conventional security flaws left uncorrected for lack of updates or proper configuration, for example, but we are seeing growing use of zero-day vulnerabilities: those completely unknown to the market and not yet catalogued by the software's makers or by security companies. Symantec identified 24 vulnerabilities of this type in 2014, and the top five took an average of 59 days to be resolved by the vendors, and perhaps even longer by the vulnerable companies.

How to prevent them?

Obviously, there is security software developed to protect companies and raise alerts in cases of suspicious behaviour or vulnerabilities, but the question remains: is the information security team trained and staffed with enough people to meet all these demands? Considering that the target of the attack is the employees, are they aware of the risks and prepared to avoid the risks of these two types of targeted attack?

Stagefright 2.0: New vulnerabilities leave a billion Android devices at risk

Attackers can use .mp3 and .mp4 files to gain access to affected Android devices and install malware or steal information.

Read more

Announcing Day One support for Microsoft Exchange 2016

NetBackup is Ready When You Are

Congratulations to Microsoft for releasing Exchange 2016 today. We are very pleased to announce that NetBackup supports Microsoft Exchange 2016 today as well, on its first day of general availability. This announcement is a further demonstration of our commitment to protect the data, applications, and platforms you depend on to run your businesses, without delay.

What does it mean to be agile in today’s business environment? One of the most important enablers of business agility is the IT organization. Rapidly taking advantage of new technologies can open up new opportunities and sharpen business processes to a fine point. Those who can most effectively leverage the latest market innovations will be one step ahead of the competition.

Any seasoned IT professional knows how difficult it can be to roll out new technology. Many elements need to be planned for and tested together. One of the most important requirements is to ensure data will not be lost during the roll out. It is for this reason that a sound backup and recovery strategy is firmly in place before new technology can be rolled into production. Until the backup strategy is there, new technologies remain idle and business opportunities are squandered.

For this reason, Veritas has placed a heavy emphasis on rapid support for new application platforms that are fundamental to IT. As Senior VP Ana Pinczuk said when we announced Day One support for VMware vSphere 6, “our team is committed to helping you move faster and take bigger risks knowing your information will be safe.”

Click here for more information on support for Microsoft Exchange 2016 with NetBackup 7.7.1.


Symantec Endpoint Protection 12.1.6 MP2 released

The evolution of Android and the changing history of mobile malware

The Android mobile OS has greatly changed how it works many times over the years, and that history has in turn shaped how malware attacks devices that have not been rooted.

Read more

New zero-day vulnerability affecting WinRAR

A new remote code execution vulnerability affecting the compression utility has been found, but it appears to be less dangerous than first thought.

Read more

Stagefright 2.0: New vulnerabilities found, putting a billion devices at risk

By using MP3 and MP4 files, an attacker could gain access to affected Android devices, install malware, or steal information.

Read more

A vigilante for the "Internet of Things"?

Linux.Wifatch infects routers and other IoT devices, but, oddly, it appears to work at strengthening the security of the devices it breaks into.

Read more

SEP 12.1 RU6 MP2 (12.1.6465.6200) Enterprise Edition has been released and is available to download on Flexnet.


Hello Everyone,

SEP 12.1 RU6 MP2 (12.1.6465.6200) is now available on Flexnet to download.


This version of Symantec Endpoint Protection adds the following platform support.

System Requirements:

  • The Symantec Endpoint Protection client adds support for Mac OS X 10.11
  • Symantec Endpoint Protection Manager adds browser support for Google Chrome through 45.0.2454.99, and for Firefox through 40.0.3

Release Notes: http://www.symantec.com/docs/DOC9101

Fix notes: http://www.symantec.com/docs/INFO2883

System requirements: http://www.symantec.com/docs/TECH231877

Ensuring compatibility without compromising security: the case of ECC/RSA hybrid certificates


We have talked a lot about ECC (Elliptic Curve Cryptography) over the past year. Although the use of elliptic curves is not exactly new, their use in our industry is fairly recent: ECC is a relatively new cryptographic algorithm used for key exchange and authentication in the SSL/TLS protocols (see this previous blog article for more details).

It is expected that RSA, the current standard, will be replaced by ECC as its scalability becomes an issue with the arrival of the IoT (Internet of Things): an explosion in the number of devices, machine-to-machine (M2M) communications, ever-growing volumes of data transfer, and so on.

We expected this change to happen. This is why Symantec's ECC roots were added to all major root stores back in 2007. Most CAs followed years later.

ECC, RSA and compatibility

The reliability and performance of ECC no longer need to be demonstrated. However, a significant obstacle to the adoption of ECC lies in the lack of support for this relatively new algorithm in legacy products. While all modern servers and browsers fully support ECC, some legacy systems will not trust ECC roots, or will not be able to support ECC at all.

Browser compatibility (root ubiquity) as of today

Client    | ECC Support            | Pure ECC                           | ECC & RSA Hybrid
PC        | Windows XP or older    | Not supported                      | Not supported
PC        | Windows Vista or newer | Supported                          | Supported
PC        | Mac OS X               | V10.9 or newer                     | V10.6 or newer
Mobile    | Android                | Android 3.x or newer               | Android 4.0 or newer
Mobile    | iOS                    | iOS 7.x or newer                   | iOS 3.x or newer
Ecosystem | Server to Server       | Depends on the customer environment | Depends on the customer environment

Current server compatibility as of today

Vendor        | Product                            | ECC CSR       | ECC cert install
Microsoft     | Win Server 2008 (IIS 7.0) or newer | Supported     | Supported
Apache, nginx | OpenSSL 1.0.1e                     | Supported     | Supported
Oracle        | Sun Java System Web Server 7.0     | Supported     | Supported
F5            | 11.5 or newer                      | Supported     | Supported
IBM           | HTTP Server 8.0 + PM80235          | Supported     | Supported
Citrix        | Netscaler                          | Not Supported | Not Supported

There are devices and systems that cannot proceed with ECC because the trusted ECC root certificate is missing from their trust store, and it is not always possible to upgrade, change servers or switch to another application easily. To overcome this, Symantec has created a solution for devices and systems that can support ECC but do not have ECC roots in their trust stores: hybrid ECC/RSA SSL certificates.

Hybrid certificates use ECC for encryption and authentication but are chained to a well-trusted RSA root. Hybrid ECC/RSA certificates let you benefit from the best protection for your current infrastructure and mitigate potential compatibility issues at the same time.

How does it work?

It's fairly simple: when you enroll, we give you the choice between a full ECC certification chain (fig. 1) and a hybrid ECC/RSA certification chain (fig. 2). The full ECC chain comprises your ECC SSL certificate, signed by an ECC intermediate, which is in turn signed by an ECC root.


Fig. 1: full ECC chain

In order to offer hybrid RSA/ECC certificates, we have created a new ECC intermediate signed by an RSA root. This intermediate can be installed as a direct intermediate, or as a cross certificate to a full ECC chain.

The direct intermediate is the solution we recommend. You benefit from ECC encryption for your infrastructure, while using a globally trusted RSA root.


Fig. 2: hybrid ECC/RSA chain

If you are unsure which certification path is made for you, or if you have questions or concerns, please contact us! We are happy to help and to advise.


Update on SHA-1 Based On New Research


Yesterday, on October 8, 2015, a team of international cryptography researchers announced a significant improvement in practical attacks against the SHA-1 hash function, which is used in many contexts including the TLS protocol and TLS certificate signatures. SHA-1 became the most commonly used hash algorithm in certificates of all kinds when the industry moved away from the MD5 hash algorithm several years ago.

The risk is that with enough computing power, an attacker can exploit practical attacks against the SHA-1 hash function to craft a fake certificate that in all key respects appears to be signed by a public Certification Authority (it cryptographically chains up to a Certification Authority’s root certificate). These researchers estimate that it would cost between $75K USD and $120K USD to acquire the necessary computing power to launch such an attack – a dollar figure considered very low for many of today’s advanced cyber-criminals. This doesn’t mean that your website is suddenly insecure, but it certainly is a wake-up call.

For the past several years, Symantec has been migrating customers to certificates using the SHA-2 algorithm (which the researchers pointed out is not vulnerable to this type of attack). The vast majority of our customers have already migrated to SHA-2 certificates and are not at risk from this type of attack announced by the researchers.

However, some of Symantec’s largest enterprise customers recently told us that due to the sheer number of certificates to upgrade, they would not be able to complete the transition to SHA-2 before the CA/Browser Forum SHA-1 issuance deadline of January 1, 2016. To assist these customers, Symantec recently proposed a ballot to relax the issuance requirement, moving the issuance deadline back to January 1, 2017. However, in light of this new research detailing that the risk is much higher than previously believed, we plan to withdraw the ballot. We will continue to work with these customers to find alternatives that might work for them.

The researchers urged everyone to migrate to SHA-2 certificates as soon as possible. The current policy of most browsers stipulates that they will completely reject SHA-1 TLS certificates on January 1, 2017. However, in light of these new findings, it’s highly possible that deadline may be accelerated. If you’re still using SHA-1 certificates, you should accelerate your plans to replace them with SHA-2 certificates. All modern browsers, mobile devices and desktop operating systems support SHA-2, so the transition should be straightforward for nearly everyone.

We recommend the following:

  1. Check to see if your certificate uses SHA-1 with the free Symantec CryptoReport: https://cryptoreport.websecurity.symantec.com
  2. Log in to your account, identify any SHA-1 certificates and replace them with SHA-256. Symantec customers can always replace their certificates for free.
  3. Install your new certificate on your server and check your installation with CryptoReport.

If you need help, Symantec certificates and Complete Website Security products come with 24/7 technical support included. 
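The two certificate topics above, the hybrid ECC/RSA chain from the "Ensuring compatibility without compromising security" post and step 1 of the SHA-1 checklist, can both be exercised with Go's standard crypto/x509 package. The program below is an added example written for this page, not Symantec's or any CA's code. It issues a throwaway RSA root, an ECC intermediate signed by that RSA root and an ECC server certificate (the recommended "direct intermediate" layout), validates the server certificate against a trust store that holds only the RSA root (the legacy-client case the hybrid chain exists for), shows that the same chain fails against a store holding an unrelated root, and then reports the signature hash algorithm of each certificate the way a SHA-1 migration inventory would. All common names, serial numbers and the hostname www.example.test are constructed values.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a minimal certificate template. Common names, serial numbers
// and the hostname www.example.test are constructed values for this demo.
func template(cn string, serial int64, isCA bool, alg x509.SignatureAlgorithm) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		SignatureAlgorithm:    alg, // hash and key type the issuer signs with
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{"www.example.test"}
	}
	return t
}

// issue signs tmpl with the parent's private key (self-signed when parent == tmpl).
func issue(tmpl, parent *x509.Certificate, pub crypto.PublicKey, signer crypto.Signer) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// must keeps the demo short: any issuance failure is fatal.
func must(c *x509.Certificate, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	return c
}

// Chain is a hybrid path: RSA root -> ECC intermediate -> ECC server certificate.
type Chain struct{ Root, Intermediate, Leaf *x509.Certificate }

// BuildHybridChain issues the chain. The intermediate holds an ECC key but is
// signed by the RSA root, so a client that trusts only RSA roots can still
// validate the ECC server certificate.
func BuildHybridChain() Chain {
	rootKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	icaKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	rootTmpl := template("Demo RSA Root", 1, true, x509.SHA256WithRSA)
	root := must(issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))
	ica := must(issue(template("Demo ECC Intermediate", 2, true, x509.SHA256WithRSA), root, &icaKey.PublicKey, rootKey))
	leaf := must(issue(template("www.example.test", 3, false, x509.ECDSAWithSHA256), ica, &leafKey.PublicKey, icaKey))
	return Chain{root, ica, leaf}
}

// VerifyAgainst validates the server certificate with a trust store that holds
// only root, i.e. a legacy client whose store has no ECC roots at all.
func VerifyAgainst(c Chain, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{DNSName: "www.example.test", Roots: roots, Intermediates: inters})
	return err
}

// IssueLegacySHA1 self-signs an RSA certificate with SHA1WithRSA, standing in for
// an old certificate found during an inventory. A Go release that refuses to
// produce SHA-1 signatures returns the error instead.
func IssueLegacySHA1() (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	t := template("Legacy SHA-1 Server", 9, false, x509.SHA1WithRSA)
	return issue(t, t, &key.PublicKey, key)
}

// UsesSHA1 reports whether the certificate's own signature was made with SHA-1,
// the property step 1 of the migration checklist asks you to establish.
func UsesSHA1(c *x509.Certificate) bool {
	switch c.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1:
		return true
	}
	return false
}

// SHA1Signed returns the subjects of the certificates still carrying a SHA-1
// signature, which is the list a migration has to replace.
func SHA1Signed(certs ...*x509.Certificate) []string {
	var found []string
	for _, c := range certs {
		if UsesSHA1(c) {
			found = append(found, c.Subject.CommonName)
		}
	}
	return found
}

func main() {
	h := BuildHybridChain()
	fmt.Println("hybrid leaf, RSA-only trust store:", VerifyAgainst(h, h.Root))
	fmt.Println("hybrid leaf, unrelated root only:", VerifyAgainst(h, BuildHybridChain().Root))
	fmt.Println("SHA-1 signatures in hybrid chain:", SHA1Signed(h.Root, h.Intermediate, h.Leaf))
	if old, err := IssueLegacySHA1(); err == nil {
		fmt.Println("SHA-1 signatures in legacy cert:", SHA1Signed(old))
	}
}
```

Run it with go run. The same SHA1Signed check can be pointed at the certificates a live server presents (the PeerCertificates of a tls.Conn's ConnectionState) to inventory what still needs replacing; the SignatureAlgorithm field of each certificate in the chain is the authoritative answer, independent of whether a given client still accepts the chain. Note that the root's own signature does not matter for trust (a root is trusted by presence in the store, not by its signature), so the migration work is in the intermediate and end-entity certificates.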

Advanced Technician Feeder Form has Incorrect AdLoginName variable mapped when searching and Adding a Primary Contact


The Problem

When using ServiceDesk, I wanted to add some primary contact information to the Advanced Tech Feeder form, in some open space on the form. The form does not by default render info such as "Domain/Username". When I attempted to place and retrieve the correct data, the form displayed the selected AD contact info as "NOT FOUND".

The Why

I was attempting to retrieve the data contained in the FullContactInfo variable, but within that variable the ADLoginname field was blank. That is because it was not mapped to the correct variable: instead of being mapped to "SelectedUser.ActiveDirectoryLoginname", it was mapped to "GetUserDetailsComponentResults.Adloginname".

The How - to make it all better:

To resolve this issue, the data mapping must be changed:

1. Open the Advanced Tech Feeder form
2. Open the Create Incident form
3. Next to the Select User field, choose the magnifying glass option
4. Open the User Interaction tab, and click the ellipsis to open the model
5. Find the Single Value Mapping component named Full Contact Info and double-click it
6. Click the ellipsis to open the data mapping
7. The right-side User.ActiveDirectoryLoginname variable is currently mapped to GetUserDetailsComponentResults.Adloginname
8. Change that mapping from GetUserDetailsComponentResults.Adloginname to SelectedUser.ActiveDirectoryLoginname

This captures the AD information for the Primary User contact correctly.

Android ransomware uses Material Design to scare users into paying ransom

Android.Lockdroid.E uses Google’s design principles and a popular open-source project to trick users into paying its ransom.

Read more

Malware spam attacks targeting Japanese companies on the rise

Fake emails posing as order confirmations from Japanese sellers of printers and other equipment are spreading Infostealer.Shiz. Be very wary of emails you were not expecting.

Read more

Android ransomware uses Material Design to pressure users into paying

Android.Lockdroid.E uses Google's design language and an open-source project to trick users into paying the ransom.

Read more