Tuesday, 29 November 2016

Moving the WSUS Windows Internal Database

You can move WSUS content using the wsusutil.exe utility as per:

However, this doesn't move the SQL database.

Here's a quick guide to move the SQL database to another volume (from the default location in C drive to the same relative path on E drive).

First, stop the web server and WSUS services:

E:\>net stop W3SVC
E:\>net stop WsusService

Next, detach the database using sqlcmd.exe (the path may differ depending on the SQL Server version):

E:\>cd /d "%ProgramFiles%\Microsoft SQL Server\100\Tools\Binn"

C:\Program Files\Microsoft SQL Server\100\Tools\Binn>sqlcmd -S \\.\pipe\mssql$microsoft##ssee\sql\query -E
1> EXEC sp_detach_db @dbname = 'SUSDB'
2> GO

Leave the sqlcmd session open and move the database files to your desired destination. Once the move is complete, attach the database again:

1> EXEC sp_attach_db @dbname = 'SUSDB', @filename1 = 'e:\WSUS\UpdateServicesDbFiles\SUSDB.mdf', @filename2 = 'e:\WSUS\UpdateServicesDbFiles\SUSDB_log.ldf'
2> GO

All done!
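As an added example (not part of the original post), the same stop / detach / move / attach sequence as a single PowerShell script, with two checks the manual steps above skip: the files must exist before detaching, and the destination folder must grant the Windows Internal Database service account access before the files are moved, because a move across volumes makes them inherit the destination ACL and the attach then fails with access denied. The named pipe, the service account (NT AUTHORITY\NETWORK SERVICE) and the source/destination folders are assumptions for the 2008 R2 WID instance used in the post; on Server 2012 / 2012 R2 the WID pipe is \\.\pipe\MICROSOFT##WID\tsql\query and the service account is NT SERVICE\MSSQL$MICROSOFT##WID.

```powershell
# Added example, not part of the original post: automates the stop / detach /
# move / attach sequence for the WSUS Windows Internal Database.
# Assumptions: run elevated on the WSUS server; the pipe name and service
# account below are for the 2008 R2 WID instance (SQL 2005 Embedded); the
# folder paths are illustrative.
$ErrorActionPreference = 'Stop'

$Server     = '\\.\pipe\mssql$microsoft##ssee\sql\query'
$SqlCmd     = Join-Path $env:ProgramFiles 'Microsoft SQL Server\100\Tools\Binn\sqlcmd.exe'
$Source     = 'C:\WSUS\UpdateServicesDbFiles'
$Dest       = 'E:\WSUS\UpdateServicesDbFiles'
$WidAccount = 'NT AUTHORITY\NETWORK SERVICE'   # assumption: 2008 R2 WID service account

# Runs one T-SQL batch; -b makes sqlcmd return a non-zero exit code on any error.
function Invoke-WidQuery([string]$Query) {
    & $SqlCmd -S $Server -E -b -Q $Query
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed (exit $LASTEXITCODE): $Query" }
}

$mdf = Join-Path $Source 'SUSDB.mdf'
$ldf = Join-Path $Source 'SUSDB_log.ldf'
foreach ($f in $mdf, $ldf) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Database file not found: $f" }
}

# 1. Stop IIS and WSUS so nothing holds SUSDB open while it is detached.
Stop-Service -Name W3SVC, WsusService -Force

# 2. Detach. The database is offline until step 4, so keep the window short.
Invoke-WidQuery "EXEC sp_detach_db @dbname = N'SUSDB'"

# 3. Prepare the destination. A move across volumes makes the files inherit the
#    destination folder's ACL, so grant the WID service account access first.
New-Item -ItemType Directory -Path $Dest -Force | Out-Null
$acl  = Get-Acl -LiteralPath $Dest
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $WidAccount, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Dest -AclObject $acl
Move-Item -LiteralPath $mdf, $ldf -Destination $Dest

# 4. Attach from the new location. CREATE DATABASE ... FOR ATTACH is the
#    supported form; sp_attach_db as used in the post does the same job.
$newMdf = Join-Path $Dest 'SUSDB.mdf'
$newLdf = Join-Path $Dest 'SUSDB_log.ldf'
Invoke-WidQuery "CREATE DATABASE SUSDB ON (FILENAME = N'$newMdf'), (FILENAME = N'$newLdf') FOR ATTACH"

# 5. Confirm the instance now reports the E: paths before bringing WSUS back.
Invoke-WidQuery "SELECT name, physical_name FROM sys.master_files WHERE database_id = DB_ID(N'SUSDB')"
Start-Service -Name WsusService, W3SVC
```

The final SELECT is the check worth keeping even if you do the move by hand: if physical_name still shows the C: paths, the attach picked up stale file locations and WSUS will fail on start.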

Tuesday, 18 October 2016

Chrome not working after version 54 update?

We've come across an issue where Chrome will not work properly after updating itself to version 54. The process launches and stays running, but there's no visible window. It seems to affect machines running a Software Restriction Policy with certificate checking enabled:


Unfortunately the only workaround at this stage is to roll back to version 53 until a fixed version is released.

Tuesday, 7 June 2016

Do you use the same password across sites?

In 2012, LinkedIn had a security breach resulting in user credentials being stolen. In the last few days the media has reported a high volume of Twitter and Facebook accounts being compromised. In addition to this, services such as TeamViewer appear to be under attack.

You can search this online database to see if your email address is found in the leak. If you reuse your password across sites and your details have been leaked, you'll definitely want to change said password.

Tuesday, 29 March 2016

Early detection of CryptoLocker

In one of our previous posts we explained how to set up Software Restriction Policies - settings designed to stop unwanted software (such as CryptoLocker) from running. While extremely effective, they're not a one-stop solution, and they are not compatible with some poorly-written vendor software. Plus, malware/CryptoLocker can get a foothold another way - via software exploits in programs such as Flash Player and Java.

It's at this point that defence in depth becomes more compelling. Some document management systems leave their underlying file stores completely open to users - the infection of one person has the potential to encrypt the entire store. So what else can we do besides waiting until someone notices that they can't open any documents and your document management store full of thousands of files has become encrypted?

When a CryptoLocker-style program runs, it (generally) encrypts the files, and then drops another file that contains instructions on how the user can pay the ransom and obtain the decryption key. So if we keep a watch for those 'helpful' files, we can spot when an infection occurs, and respond to it before it spreads too far.

Windows Server 2008 R2 and newer have a feature that can detect and notify us when files matching certain criteria are created. If we tell it we want to know when the "helpful" ransom information files appear, then we can detect and hopefully terminate an active CryptoLocker infection.

All that is required to set this up is Windows Server 2008 R2 (or newer), with the File Server Resource Manager (FSRM) role installed. A great guide to setting this up can be found here:

If you are using Windows Server 2012 R2 we have uploaded a PowerShell command to assist in creating the file group; however, you may want to check the link above to see if any additions or changes need to be made.
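As an added example (this is not the script the post refers to, and not from the guide it links), the whole FSRM setup the post describes in one PowerShell script for Server 2012 R2: a file group of ransom-note names, an event notification a SIEM or scheduled task can pick up, an optional containment action, and a self-check that the screen actually refuses a matching file. The patterns, the share path (E:\Shares) and the containment switch are assumptions; take the real pattern list from the guide linked above and keep it current, as each ransomware family uses different note names.

```powershell
# Added example, not the post's uploaded script: FSRM file group + active file
# screen that detects ransom-note files on a file store.
# Assumptions: Server 2012 R2 with the FSRM role installed
# (Install-WindowsFeature FS-Resource-Manager); $SharePath is the root of the
# protected share; the patterns are illustrative examples of CryptoWall-style
# note names and must be maintained from an up-to-date list.
Import-Module FileServerResourceManager

$GroupName = 'Ransomware Note Files'
$SharePath = 'E:\Shares'
$Patterns  = @('*DECRYPT_INSTRUCTION*', 'HELP_DECRYPT*', 'HOW_TO_RESTORE_FILES*', '*.encrypted')
$ContainByStoppingShares = $false   # set $true once the patterns are tuned

# File group: the names the screen matches on. Idempotent so the list can be re-run.
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns `
        -Description 'Files dropped by CryptoLocker-style ransomware' | Out-Null
}

# Notification 1: an Application-log event. FSRM fills in the [ ] placeholders,
# so the event names the infected user and the file, which is what the responder needs.
$eventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransom note [Source File Path] written by [Source Io Owner] on [Server]'
$actions = @($eventAction)

# Notification 2 (optional): containment. Stopping the Server service takes the
# shares offline so the infected client cannot keep encrypting over SMB. It is an
# outage, so it is off by default; RunLimitInterval (minutes) stops it re-firing.
if ($ContainByStoppingShares) {
    $actions += New-FsrmAction -Type Command -SecurityLevel LocalSystem `
        -Command 'C:\Windows\System32\net.exe' -CommandParameters 'stop lanmanserver' `
        -RunLimitInterval 60
}

# Active screen: creating a matching file is refused AND the actions fire.
# Use -Active:$false for a detect-only (passive) screen while tuning patterns.
$screenArgs = @{ Path = $SharePath; IncludeGroup = $GroupName; Notification = $actions }
if (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue) {
    Set-FsrmFileScreen @screenArgs -Active
} else {
    New-FsrmFileScreen @screenArgs -Active -Description 'Ransom note detection' | Out-Null
}

# Self-check: a file matching the group must be refused on the screened path.
# Run it with the containment action off, or it will take the shares offline.
$probe = Join-Path $SharePath 'HELP_DECRYPT.txt'
try {
    New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
    Remove-Item -LiteralPath $probe
    Write-Warning 'Screen did NOT block the probe file; check the group patterns and path.'
} catch {
    Write-Output "Screen is active: $($_.Exception.Message)"
}
```

Two caveats a file screen does not solve by itself: it matches on file names at creation or rename, never on content, so a variant with a new note name walks straight past it until the list is updated; and notifications are rate-limited per action by the run limit interval, so a second infection inside that window produces no fresh event. Pair it with the Software Restriction Policies from the earlier post rather than relying on either alone.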

Friday, 11 March 2016

Cloud Computing - 50 Years Young?

With the passing of Ray Tomlinson - credited with inventing e-mail in its current form using the "@" symbol - there have been many articles published covering the history of e-mail.  I won't try a re-write when, using the power of hyperlinks, I can link to a good one:

Rather, I was reminded that my family had a very small part in the very early days.  When, in the mid 1960s, it became apparent that either a "time-share" terminal (i.e. a terminal remotely connected to one computer) or a file transfer between two remote computers was really all that was needed for a viable messaging system, the British Post Office decided to intervene.

It is hard to imagine today the importance of the Post Office in the days before e-mail and mobile phones.  In those pre-British Telecom times, the Post Office had a monopoly in both telephone and letter communications.  My father*, as a director of GE Information Services UK (part of General Electric), was summoned to a meeting with the Postmaster General, then a cabinet position, held by one Anthony Wedgwood Benn**.  During the meeting the issue of the Post Office's monopoly was raised, but no action was taken (I can't see, even looking back from today, what could have been done to stop messages being sent in this way).  GE were involved in a "time-share" joint venture with MIT and were, as I described above, using terminals to send "messages" across the Atlantic.

Where does the "Cloud" come in to this?  Well, what is "time-sharing" if not shared access to a centralised computer?  Cloud computing by another name.  What's new about it?

* It wasn't a case of following in father's footsteps working in ICT.  Dennis has done a lot of things in his life and was pretty much finished in time share by the time I came along.
** Tony Benn, who died in 2014, was for a long time one of the most well-known politicians in the UK.  Apparently, after the meeting he invited the GE visitors to attend a Post Office children's prize giving where he sat on the edge of the stage and spoke eloquently without notes, and seemingly without preparation, for 20 minutes to a group of children.

Monday, 1 February 2016

Zero Day Ransomware?

There was a major Ransomware incident at Lincolnshire County Council in the United Kingdom at the end of January.  Of interest because it is being reported as a "zero day exploit" - i.e. using a previously unknown security flaw.  The BBC report is here:

The register.co.uk website has a few more details:
quoting a council spokesperson as saying that 300 computers were hit by the ransomware.

The details are quite sketchy, but if this is a zero day ransomware exploit that has been able to impact 300 computers on the council's network, then the implications are scary.  The CryptoLocker/CryptoWall ransomware variants do not (yet) try to exploit vulnerabilities to attempt to replicate themselves.  Lincolnshire County Council will be doing CIOs the world over a favour by releasing details.