Gmail will stop working in Chrome browser for Windows XP and Vista

The Gmail online service will show a message warning about the end of support for older Chrome versions. Because of significant security-related changes, you have to install Chrome version 55 to continue using the mail service.

Unfortunately, the above solution is not available to users of Windows XP and Vista, because Microsoft has ended support for these operating systems and Chrome updates for them stopped after version 49.

Gmail will keep working until the end of the year even if you do not update the OS and browser. However, the service will then begin to redirect Windows XP and Vista users to the basic HTML version of the interface, which has a lower level of functionality and protection.

Home Routers Under Attack via Malvertising on Windows, Android Devices

These days it is hard to surprise anyone with a malicious advertising campaign, but Proofpoint researchers have discovered a new trend in this area: the attackers now target not the users' browsers but their routers. The attackers' end goal is to inject ads into every page the infected victim visits. Interestingly, the campaign focuses not on IE users, as is often the case, but on Chrome users (both desktop and mobile versions).


Attack scheme

The attack works as follows. The attackers buy advertising space on legitimate sites, using the AdSupply, OutBrain, Popcash, Propellerads and Taboola ad networks. The ad contains malicious JavaScript that uses a WebRTC request to Mozilla's STUN server to discover the victim's local IP address. From this the malware determines whether the user is on a local network behind a home router. If so, the attack continues; if not, the user is shown an ordinary, harmless ad and is left alone.

Router owners are not shown the harmless ad. The advertisement takes them straight to the DNSChanger exploit kit, which continues the attack. Using steganography, the attacker sends the victim's browser an image that contains an AES key. The malicious advertisement uses this key to decrypt the further traffic received from DNSChanger, which hides the attackers' operations from the attention of information security professionals.

After receiving the AES key, DNSChanger sends the victim a list of fingerprints for 166 router models (including various Linksys, Netgear, D-Link, Comtrend, Zyxel and Pirelli models); the type of router is determined from these and then transmitted to the attackers' control server. The server holds a list of vulnerabilities and hard-coded credentials for the different devices, which are used to take over the victim's router. Proofpoint experts noted that in some cases (where the model allows it) the attackers also try to open an external connection to an administrative port on the router and take control directly.

Vulnerability Review 2016

New security vulnerability research has been released by Flexera: there were over 2,000 vulnerabilities across the top 20 software products, many of which you are using right now.

According to Flexera, the largest instances of vulnerabilities were attributed to Microsoft with 518 across its Windows 10, Windows Server 2012, Windows 8 and Windows RT operating systems.


How to enable BITLOCKER on EXCHANGE servers

The Exchange Architecture recommends enabling BitLocker on fixed data drives that store Exchange database files for Exchange Server 2013 and Exchange Server 2016.

What is BitLocker?

BitLocker is the built-in Microsoft Windows feature for full disk encryption that offers enhanced protection against data theft on stolen or lost computers or hard disks.

BitLocker first appeared in Windows Vista and Windows Server 2008. Since then, BitLocker functionality has expanded and now includes encrypting data volumes, encrypting only used disk space, and provisioning flexibility.

Windows BitLocker enables data protection on volumes with 128-bit (default) and 256-bit key using AES (Advanced Encryption Standard) encryption algorithm.

How to deploy BitLocker?

BitLocker can be deployed on Exchange servers using the following methods.

  1. Encrypting the operating system volume as well as the Exchange data volumes, either via TPM (recommended) or with the help of Network Unlock, a Data Recovery Agent and a PKI infrastructure.
  2. Only encrypting the Exchange data volumes.

To use BitLocker in a FIPS-compliant manner, note that:

If you are not using Windows Server 2012 R2 or later as the base OS, you cannot use recovery passwords for BitLocker. For more details, see What's New in BitLocker and KB 947249.

Volume Encryption Method

There are two approaches for volume encryption:

  1. Encrypting the entire volume. This option works best when you need to encrypt volumes which already comprise existing messaging data. With a 3TB disk, it will take more than 8 hours to encrypt the disk completely.
  2. Encrypting the used space only. This method works for new deployments or for new disks without existing data.

Prior to beginning the encryption of an entire volume, make sure to set the servers in maintenance mode to prevent impact to end users. Performance can significantly deteriorate (~90% CPU usage) and free OS volume space will be limited (less than ~2GB) while the volume is being encrypted. Remember to deploy BitLocker on one DAG server at a time to ensure availability.

OS Volume and Exchange Data Volume Encryption Scenario

BitLocker provides the most protection when used with a TPM. The TPM is a hardware component installed in the server and we recommend a TPM 2.0 chip. It works with BitLocker to help protect user data and to ensure that a server has not been tampered with while the system was offline.

Specifically, BitLocker can use a TPM to verify the integrity of early boot components and boot configuration data. This helps ensure that BitLocker makes the encrypted drive accessible only if those components have not been tampered with and the encrypted drive is located in the original server.

BitLocker helps ensure the integrity of the startup process by taking the following actions:

  • Checks that the early boot file integrity has been maintained, and helps ensure that there has been no malicious modification of those files, such as with boot sector viruses or rootkits.
  • Enhances protection to mitigate offline software-based attacks. Any alternative software that might start the system does not have access to the decryption keys for the Windows operating system drive.
  • Locks the system when it is tampered with. If any monitored files have been modified, the system does not start. This alerts the administrator to the tampering, because the system fails to start as usual. In the event that system lockout occurs, follow the BitLocker recovery process, which includes unlocking the system with a password or a USB key.

Important: A TPM can only be used in a physical server deployment. Virtualized servers are not capable of using a TPM. If you encrypt the guest operating system volume, a password or USB key must be used to allow the guest operating system to boot.

Setting up the Environment

The steps below assume the Exchange Server operating system is Windows Server 2012 R2 or later.

Important: When enabling BitLocker on existing Exchange servers, it is important to place the servers in maintenance mode to prevent the encryption process from affecting the end user experience.

  1. Create an Organizational Unit to contain the Exchange servers, if one does not already exist. Open PowerShell with the appropriate Active Directory permissions.

New-ADOrganizationalUnit "Exchange Servers" -Path "dc=contoso,dc=com"

$ExchangeOU = Get-ADOrganizationalUnit -Filter 'Name -like "Exchange Servers"'

Get-ADComputer "Exchange Server" | Move-ADObject -TargetPath $ExchangeOU.DistinguishedName

  2. Create a group policy object and link it to the Exchange Servers OU.

Import-Module GroupPolicy  # RSAT must be installed

New-GPO -Name "Exchange Server BitLocker Policy" -Domain contoso.com

New-GPLink -Name "Exchange Server BitLocker Policy" -Enforced "yes" -Target $ExchangeOU.DistinguishedName

  3. Install the BitLocker module on the Exchange servers.

  • Open PowerShell with local administrative privileges.
  • Execute Install-WindowsFeature BitLocker -Restart.
  • Reboot the server.

  4. Enable the TPM on the Exchange servers.

  • Refer to your hardware vendor's BIOS manual for details on how to enable/activate the TPM.
  • Verify the TPM state by using the Trusted Platform Module Management tool (tpm.msc).

  5. Allow TPM recovery information to be stored in Active Directory.

  • Open the Exchange Management Shell with an account that has the necessary permissions in Active Directory to apply access control entries.
  • Execute the following.


Add-ADPermission $ExchangeOU.DistinguishedName -User "NT AUTHORITY\SELF" -AccessRights ReadProperty,WriteProperty -Properties msTPM-OwnerInformation,msTPM-TpmInformationForComputer -InheritedObjectType Computer -InheritanceType Descendents

  6. Configure the BitLocker GPO settings.

  • Open the Group Policy Management Console (gpmc.msc).
  • Navigate the hierarchy to the Exchange Servers OU.
  • Right-click the Exchange Server BitLocker Policy and select Edit.
  • Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, and open BitLocker Drive Encryption.

In the right pane, double-click Choose drive encryption method and cipher strength. Select the Enabled option. If you want to use AES 256-bit encryption, select it and click OK.

Choose drive encryption method and cipher strength

  • Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, open BitLocker Drive Encryption, and finally, open Operating System Drives.
  • In the right pane, double-click Require additional authentication at startup. Select the Enabled option. If you want to disable or change any of the authentication methods, do so and click OK.

Require additional authentication at startup

  • In the right pane, double-click Choose how BitLocker-protected fixed drives can be recovered. Select the Enabled option. Select the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives option. Click OK.

Choose how BitLocker-protected fixed drives can be recovered

  • In the right pane, double-click Enforce drive encryption type on fixed drives. Select the Enabled option. Select the Used Space Only encryption option for the encryption type. Click OK.

Used Space Only encryption

  • Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, open BitLocker Drive Encryption, and finally, open Fixed Data Drives.
  • In the right pane, double-click Choose how BitLocker-protected fixed drives can be recovered. Select the Enabled option. Select the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives option. Click OK.

Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives

  • In the right pane, double-click Enforce drive encryption type on fixed drives. Select the Enabled option. Select the Used Space Only encryption option for the encryption type. Click OK.

Used Space Only encryption option

  • Open Computer Configuration, open Policies, open Administrative Templates, open System, and open Trusted Platform Module Services.
  • In the right pane, double-click Turn on TPM backup to Active Directory Domain Services. Select the Enabled option. Click OK.

Turn on TPM backup to Active Directory Domain Services

  • Ensure the group policy is applied to the Exchange servers.


$Servers = Get-ADComputer -SearchBase $ExchangeOU.DistinguishedName -Filter *

foreach ($Server in $Servers) { Invoke-GPUpdate -Computer $Server.Name -Force -Target Computer }

  • Enable OS encryption.
  • Create a recovery key: manage-bde -protectors -add C: -RecoveryPassword
  • Execute the following against the operating system drive: manage-bde -on C: -UsedSpaceOnly
  • Enable data volume encryption (C:\ExchangeVolumes\ExVol1 is the mount point of an Exchange data volume; replace it as appropriate).

Create a recovery key: manage-bde -protectors -add "C:\ExchangeVolumes\ExVol1" -RecoveryPassword

Execute the following for each Exchange database volume: manage-bde -on "C:\ExchangeVolumes\ExVol1" -UsedSpaceOnly

Execute the following for each Exchange database volume to enable automatic unlock: Enable-BitLockerAutoUnlock -MountPoint "C:\ExchangeVolumes\ExVol1"
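The same procedure carried out with the BitLocker PowerShell module instead of manage-bde, as an added example that is not part of the original post: for the OS volume it adds a recovery password, escrows it in AD DS and then enables encryption under the TPM; for each data volume it enables encryption under a recovery password, escrows that password, and turns on auto-unlock; finally it returns the status of every volume so the run can be checked. The mount points are the placeholders used on this page; the function names are this example's own.

```powershell
# Added example (not from the original post). Assumes the BitLocker module is
# installed (Install-WindowsFeature BitLocker) and the TPM is enabled in firmware.
# Mount points are the placeholders used on this page.

function Enable-ExchangeBitLockerVolume {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [switch] $OperatingSystemDrive
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Warning "$MountPoint is already $($vol.VolumeStatus); skipping"
        return $vol
    }

    if ($OperatingSystemDrive) {
        # Recovery password first (the manage-bde -protectors -add step) so it can be
        # escrowed before encryption starts; then the TPM seals the volume key so the
        # server boots without a password or USB key. -SkipHardwareTest starts
        # encryption now instead of after the next reboot.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        Backup-RecoveryPasswords -MountPoint $MountPoint
        Enable-BitLocker -MountPoint $MountPoint -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
    } else {
        # Data drive: encrypt under a new recovery password, escrow it, then let the
        # TPM-protected OS volume unlock the data volume automatically at boot.
        Enable-BitLocker -MountPoint $MountPoint -RecoveryPasswordProtector -UsedSpaceOnly | Out-Null
        Backup-RecoveryPasswords -MountPoint $MountPoint
        Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
    }
    return Get-BitLockerVolume -MountPoint $MountPoint
}

function Backup-RecoveryPasswords {
    # Escrow every recovery password protector of the volume in AD DS, so the key is
    # never held only on the server (matches the "Do not enable BitLocker until
    # recovery information is stored to AD DS" policy configured above).
    param([Parameter(Mandatory)] [string] $MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
}

function Enable-ExchangeServerBitLocker {
    param([string[]] $DataVolumes = @('C:\ExchangeVolumes\ExVol1'))

    $results = @()
    $results += Enable-ExchangeBitLockerVolume -MountPoint 'C:' -OperatingSystemDrive
    foreach ($dv in $DataVolumes) {
        $results += Enable-ExchangeBitLockerVolume -MountPoint $dv
    }

    # One row per volume: the things to check before leaving maintenance mode.
    $results | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        AutoUnlockEnabled,
        @{ n = 'RecoveryPasswords'; e = { @($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').Count } }
}

# Usage (server already in maintenance mode):
# Enable-ExchangeServerBitLocker -DataVolumes 'C:\ExchangeVolumes\ExVol1', 'C:\ExchangeVolumes\ExVol2'
```

Run it from an elevated PowerShell on the server itself; the OS volume is done first because Enable-BitLockerAutoUnlock for the data volumes requires the OS volume to be BitLocker-protected. Every volume should report one RecoveryPasswords entry and ProtectionStatus On (data volumes) or, for the OS volume, EncryptionInProgress until used space is encrypted.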

Note: Bad disk sectors can result in BitLocker volume encryption failure. For more information, please see Event ID 24588.

In the situation where a TPM cannot be used (e.g., the server does not have a TPM, or it is virtualized), encrypting the OS volume requires the use of a password or USB key to allow the operating system to boot. As that can be detrimental for a service like Exchange, you could choose not to encrypt the OS volume. Instead, you only encrypt the fixed data volumes. Since the OS volume is not encrypted, the operating system cannot automatically unlock the encrypted volumes on boot. Therefore, one of two things must happen:

  1. An administrator manually enters the recovery key and unlocks each drive after OS boot.
  2. A scheduled task is invoked to unlock the encrypted volumes during OS boot.

The following steps outline how to set up the scheduled task and assume the Exchange Server operating system is Windows Server 2012 R2 or later.

  • Create an Organizational Unit to contain the Exchange servers, if one does not already exist.

New-ADOrganizationalUnit "Exchange Servers" -Path "dc=contoso,dc=com"

$ExchangeOU = Get-ADOrganizationalUnit -Filter 'Name -like "Exchange Servers"'

Get-ADComputer "Exchange Server" | Move-ADObject -TargetPath $ExchangeOU.DistinguishedName

  • Create a group policy object and link it to the Exchange Servers OU.

Import-Module GroupPolicy  # RSAT must be installed

New-GPO -Name "Exchange Server BitLocker Policy" -Domain contoso.com

New-GPLink -Name "Exchange Server BitLocker Policy" -Enforced "yes" -Target $ExchangeOU.DistinguishedName

  • Create the BitLocker scheduled task service account (_bitlockersvc).
  • Create security group for BitLocker management, placing the security group in a protected container.


New-ADGroup -name "Exchange BitLocker Management" -groupscope Universal -path "cn=users,dc=coe,dc=local"

Add-ADGroupMember "Exchange BitLocker Management" -members "_bitlockersvc", "Organization Management"

  • Install the BitLocker module on the Exchange servers.


Install-WindowsFeature BitLocker

  • Reboot the server.
  • Add BitLocker security management group to local administrators group on the Exchange servers.
  • Grant the BitLocker security management group permissions to access the msFVE-RecoveryPassword AD object. This allows the accounts to access the recovery password.


$ExchangeOU = Get-ADOrganizationalUnit -Filter 'Name -like "Exchange Servers"'

DSACLS $ExchangeOu.DistinguishedName /I:T /G "contoso\Exchange BitLocker Management:CA;msFVE-RecoveryPassword"

  • Configure the BitLocker GPO settings.
  • Ensure the group policy is applied to the Exchange servers.


$Servers = Get-ADComputer -SearchBase $ExchangeOU.DistinguishedName -Filter *

foreach ($Server in $Servers) { Invoke-GPUpdate -Computer $Server.Name -Force -Target Computer }

Create the script that unlocks the volumes when the operating system boots.

Save the below file to your script directory (e.g., c:\bitlocker).



UnlockDrives.ps1

# Recovery passwords are stored as msFVE-RecoveryInformation objects under this
# computer's account in AD, so search the computer's own DN.
$computer = Get-ADComputer $env:COMPUTERNAME
$RecoveryInformations = Get-ADObject -LDAPFilter "(msFVE-RecoveryPassword=*)" -SearchBase $computer.DistinguishedName -Properties *

# Find the BitLocker volumes that are still locked after boot (LockStatus 1 = locked).
$vols = Get-WmiObject Win32_EncryptableVolume -Namespace "Root\CIMV2\Security\MicrosoftVolumeEncryption"
$lockedvols = $vols | Where-Object { $_.GetLockStatus().LockStatus -eq 1 }

# Try each stored recovery password against each locked volume.
foreach ($lockedvol in $lockedvols) {
    $RecoveryInformations | ForEach-Object { $lockedvol.UnlockWithNumericalPassword($_."msFVE-RecoveryPassword") }
}

  • Create the scheduled task to run at system start and unlock the volumes, replacing the placeholder items (service account name and paths) with your own values.

Save the below file to your script directory.

  • Execute schtasks /Create /S $env:computername /RU contoso\_svcexbitlocker /RP * /XML c:\Bitlocker\UnlockDrivesAtStart.xml /TN UnlockDrivesAtStart (with /RP *, schtasks prompts for the account password instead of taking it on the command line).
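An added example, not from the original post, that registers the same startup task with the ScheduledTasks module instead of an XML file, and then checks the registration together with the current lock state of the volumes so that a failed boot-time unlock is visible. The script path, account name and task name are the placeholders used on this page; the function names are this example's own.

```powershell
# Added example (not from the original post). Registers the boot-time unlock task
# with the ScheduledTasks cmdlets and verifies it. Script path, account and task
# name are the placeholders used on this page.

function Register-UnlockDrivesAtStart {
    param(
        [string] $ScriptPath     = 'C:\bitlocker\UnlockDrives.ps1',
        [string] $ServiceAccount = 'contoso\_bitlockersvc',
        [string] $TaskName       = 'UnlockDrivesAtStart'
    )
    if (-not (Test-Path $ScriptPath)) { throw "Unlock script not found: $ScriptPath" }

    # Prompt for the service account password rather than embedding it in a script.
    $cred = Get-Credential -UserName $ServiceAccount -Message 'Password for the BitLocker task account'

    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -AtStartup

    # Bound the run time and retry a few times in case AD is not reachable yet
    # during early boot.
    $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
                  -ExecutionTimeLimit (New-TimeSpan -Minutes 15) `
                  -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1)

    # -User/-Password registers a password-type logon, which is what lets the task
    # run at startup with no interactive session; Highest = elevated.
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Settings $settings `
        -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
        -RunLevel Highest -Force | Out-Null

    return Test-UnlockDrivesAtStart -TaskName $TaskName
}

function Test-UnlockDrivesAtStart {
    param([string] $TaskName = 'UnlockDrivesAtStart')

    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop
    $info = Get-ScheduledTaskInfo -TaskName $TaskName

    [pscustomobject]@{
        TaskName      = $task.TaskName
        RunsAs        = $task.Principal.UserId
        Elevated      = ($task.Principal.RunLevel -eq 'Highest')
        BootTrigger   = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger' }).Count -gt 0
        LastResult    = $info.LastTaskResult      # 0 after a successful boot-time run
        LastRunTime   = $info.LastRunTime
        # Volumes still locked right now: should be empty once the task has run.
        LockedVolumes = @(Get-BitLockerVolume | Where-Object LockStatus -eq 'Locked' | ForEach-Object MountPoint)
    }
}

# Usage:
# Register-UnlockDrivesAtStart -ServiceAccount 'contoso\_bitlockersvc'
# Test-UnlockDrivesAtStart       # after a reboot, expect LastResult 0 and no LockedVolumes
```

The service account needs the "Log on as a batch job" user right on the server for a password-type task to start, and it must be a member of the BitLocker management group granted access to msFVE-RecoveryPassword above, otherwise the AD query in UnlockDrives.ps1 returns nothing and the volumes stay locked.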

System Changes

It’s important to keep in mind that any of the following system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected volumes:

  • Moving the BitLocker-protected drive into a new computer.
  • Installing a new motherboard with a new TPM.
  • Turning off, disabling, or clearing the TPM.
  • Changing any boot configuration settings.
  • Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
  • Applying BIOS/UEFI firmware updates.

As part of your customary procedure, it’s best to suspend BitLocker encryption (via the Suspend-BitLocker cmdlet) before introducing any changes to the server. Additionally, make sure to test any hardware and software configuration changes in a lab setting (that has BitLocker enabled) before deploying in production.

Also, be sure to develop a standard operating procedure about how to recover in the event the BitLocker recovery must be performed. This will ensure that downtime is minimized. For more information, please see the BitLocker Recovery Guide.
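A pre-change check that puts the two recommendations above into a script, as an added example that is not part of the original post: it confirms that every recovery password on the server is escrowed in AD DS (comparing the protector IDs on the volumes with the msFVE-RecoveryInformation objects under the computer account), refuses to proceed if one is missing, and then suspends BitLocker on the OS volume for the number of reboots the change needs, so a changed TPM measurement does not force recovery. The data volumes are auto-unlocked by the OS volume, so they are not suspended. Requires the BitLocker and ActiveDirectory modules; the function names are this example's own.

```powershell
# Added example (not from the original post). Run before firmware/BIOS updates or the
# other changes listed above. Needs the BitLocker and ActiveDirectory modules and an
# account that can read msFVE-RecoveryInformation under the computer object.

function Test-BitLockerRecoveryEscrow {
    # Recovery passwords are escrowed as msFVE-RecoveryInformation child objects of
    # the computer account; msFVE-RecoveryGuid holds the protector ID as 16 bytes.
    $computer = Get-ADComputer $env:COMPUTERNAME
    $adGuids  = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                  -SearchBase $computer.DistinguishedName -Properties msFVE-RecoveryGuid |
                ForEach-Object { (New-Object System.Guid (, [byte[]]$_.'msFVE-RecoveryGuid')).Guid }

    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            [pscustomobject]@{
                MountPoint     = $vol.MountPoint
                KeyProtectorId = $kp.KeyProtectorId
                # -contains compares case-insensitively; IDs on the volume are "{GUID}".
                EscrowedInAD   = ($adGuids -contains $kp.KeyProtectorId.Trim('{}'))
            }
        }
    }
}

function Suspend-BitLockerForMaintenance {
    param([int] $RebootCount = 1)

    $missing = Test-BitLockerRecoveryEscrow | Where-Object { -not $_.EscrowedInAD }
    if ($missing) {
        throw "Recovery password not escrowed in AD DS for: $(($missing.MountPoint | Select-Object -Unique) -join ', '). " +
              "Run Backup-BitLockerKeyProtector for those volumes before changing the server."
    }

    # Suspend only OS volumes: the TPM measurements protect the OS volume, and the
    # data volumes are unlocked by keys stored on it. Data stays encrypted; only the
    # protectors are cleared, and protection resumes after $RebootCount reboots.
    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' -and $_.ProtectionStatus -eq 'On' }) {
        Suspend-BitLocker -MountPoint $vol.MountPoint -RebootCount $RebootCount | Out-Null
    }

    Get-BitLockerVolume | Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus
}

function Test-BitLockerProtectionResumed {
    # Run after the change and reboot: anything still Off needs Resume-BitLocker.
    @(Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' -and $_.ProtectionStatus -ne 'On' } |
        ForEach-Object MountPoint)
}

# Usage:
# Suspend-BitLockerForMaintenance -RebootCount 2   # e.g. a firmware update that reboots twice
# ... apply the change, reboot ...
# Test-BitLockerProtectionResumed                  # expect an empty result
```

If Test-BitLockerProtectionResumed still lists a volume after the planned reboots, the TPM did not release the key, and the escrow check earlier is what guarantees that the recovery password can be retrieved from AD DS rather than from the now-locked server.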

Disk Maintenance Activities

During the server’s lifecycle, disks will die. As part of your standard operating procedures, you need to ensure that when a disk is replaced the new volume is formatted and encrypted via BitLocker.

In the event you are using AutoReseed to recover from failed disks, you have two options: format and encrypt the disks prior to usage, or encrypt after failure.

Format and encrypt the disks prior to usage

In this scenario, your standard operating procedure will be to prevent Disk Reclaimer from formatting hot spare disks. Instead, you will format and encrypt all hot spare disks prior to usage.

  1. Disable Disk Reclaimer on the DAG: Set-DatabaseAvailabilityGroup -AutoDagDiskReclaimerEnabled $false
  2. Format and encrypt all hot spares. Do not assign mount points or drive letters.
  3. As disks fail, AutoReseed will assign the hot spare volumes, replacing the failed volumes, and reseed the afflicted database copies.
  4. Schedule a maintenance window. Replace the failed disks. Format and encrypt.

Encrypt after failure

In this scenario, your standard operating procedure will be to allow Disk Reclaimer to format hot spare disks (default behavior). After the spare is formatted and databases are reseeded, you will encrypt the disk.

  1. As disks fail, AutoReseed allocates, remaps and formats a spare disk.
  2. AutoReseed initiates reseed operations.
  3. Using SCOM, or another operations management tool, you will monitor for events 1127 (initiated reseed of a database) and 826 (completed reseed of a database) that are located in the Microsoft-Exchange-HighAvailability/Seeding crimson channel.
  4. Schedule a maintenance outage for the affected server and encrypt the new volume.

We hope this post helps you understand BitLocker encryption and configure BitLocker for Exchange servers. As demonstrated, the best approach is to use a TPM for storing the recovery data and to allow the operating system to unlock volumes automatically during boot. If your servers do not have access to a TPM, you can consider encrypting only the data volumes and building a mechanism to ensure that the data volumes are unlocked at OS boot.

Exchange Architecture recommends enabling BitLocker on fixed data drives that store Exchange database files, both for Exchange Server 2013 and Exchange Server 2016.
