Posts made by Mike Davis

Not sure what your environment looks like, but if there was a chance it was an iSCSI drive that went down, you would have the iSCSI initiator running on that server. If you launch it and it says it's not running, you probably weren't using it.

Can someone recommend a package that works on Microsoft Server 2012 R2 servers that bans IPs if they try to RDP using certain account names, or fail multiple times in a certain time frame?

Some of the older tools don't work because the event log doesn't seem to keep track of IPs in server 2012.

I'd lean towards application trapping the print screen key the way green shot does. I think you're right.

Welcome @WrCombs and @Romo!

@WrCombs said in Intrusion Detection System experience - Snort or others?:

@Mike-Davis new to IT ; what is "IDS" ?
and what is "Snort"?

Welcome to IT. You can get quick answers about what acronyms are and other stuff by googling it. IDS = Intrusion Detection System. It's a system that looks at what normal network traffic looks like and tries to find out of the ordinary traffic to indicate that you might have unauthorized access going on in your network among other things.

Does anyone run an IDS? I'm working with a SonicWall firewall and primarily concerned with the traffic hitting the remote desktop server since it's the only incoming port. I'm also interested in looking for suspicious traffic leaving our network in the even that a computer on the inside got hacked and was calling home/providing remote access.

Is anyone running Snort that can comment on it? I'm not against a commercial product if there is something that works well.

It was set up by internal staff. The sad thing is, it doesn't even look like it was still in use. Lesson for all admins out there.

Figured out how it happened. Shut it down and started on the ugly analysis. In this case there was no ransom note file. Therefore there was no .txt file to check the permissions on. In the filename that got changed, the hacker put his email address.... Restores should be done in 2 hours. The infection bypassed cryptolocker group policies because a hacker launched it. It was not picked up by Microsoft Endpoint Protection (no surprise there) or MalwareBytes. Webroot detected it. It looks like a weak password on a service account that was allowed to log in to remote desktop caused all this.

I'm working on a network that is getting cryptolockered. How do I figure out which machine it's running on? I can't find one of those .txt files with the removal instructions to check the owner. All the encrypted files have maintained their ownership from the original creator.

@BRRABill said in Getting Windows 10 License Upgrade on Linux Mint Laptop:

@Mike-Davis said

Well that worked. I also removed a stick of RAM and put in a SSD in place of the spinning disk of rust and it activated as well. Unfortunately with all hardware integrated in to the motherboard, that's about all I can swap out on this system. Oh well, it answers a couple questions.

When you did this, did it say it wasn't activated?

Or were you hoping it WAS activated?

I am still trying to figure out a way to "upgrade" all my Windows 8 FPP licenses to Windows 10, just so I have them when the time is right.

It did activate. I could try the key on a totally different hardware platform, but I think others have done that and it failed.

Thanks to those of you that offered a suggestion. I built a second RDS server and applied my group policy and browsing was fine. I then started to think about what I needed to do to move it in to production and replace the one that had the browsing issue. Then it hit me.... I have load balancing on my SonicWall. RDS is mapped through the firewall on https. Therefore requests that went out over https could go out over either interface, but always came back on one. This is why it would sometimes work. This is also why most other sites would work, but https (in this case Office 365 which always goes over https) would only work once in a while. Adding a route to force all traffic from the RDS server out over the interface that traffic will come in on fixed the problem.

@BRRABill said in Getting Windows 10 License Upgrade on Linux Mint Laptop:

@Mike-Davis said in Getting Windows 10 License Upgrade on Linux Mint Laptop:

@BRRABill I was more concerned with if it would give you a hard time if you originally activated it with 32bit Windows and then tried to activate after installing 64 bit. I figured with so many of the drivers changing it might detect it was running on different hardware.

Yeah, who knows what it is going to do...

Well that worked. I also removed a stick of RAM and put in a SSD in place of the spinning disk of rust and it activated as well. Unfortunately with all hardware integrated in to the motherboard, that's about all I can swap out on this system. Oh well, it answers a couple questions.

@BRRABill I was more concerned with if it would give you a hard time if you originally activated it with 32bit Windows and then tried to activate after installing 64 bit. I figured with so many of the drivers changing it might detect it was running on different hardware.

For my other 7 machines I think I'm going to take a spare SSD and install 10 on them and then put my 7 drive back in once it has activated.

I upgraded 7 32bit to 10 and then wiped the machine and installed 64 bit Windows 10 and it prompted for the original Windows 7 key and installed and activated.

@Mike-Davis discovered there is a documented problem where if you don't disable automatic updates, this can happen.

I think @JaredBusch is right from what this page says:

https://www.microsoft.com/en-us/software-download/windows10
Note

If you’ve already successful activated Windows 10 on this PC, including if you upgraded by taking advantage of the free upgrade offer you won't need to enter a Windows 10 product key. You can skip the product key page by selecting the Skip button. Your PC will automatically activate later.

If I had to take a guess from previous versions, if one of three main components changes it will go ahead, and anything else will requires a phone activation or something. I have a Windows 7 machine with 32 bit windows on it and decided to test this theory. That was 18 hours ago and it's at 99% now... To be fair, this is on a 2.2GHz Core 2 Duo.

Some of you have a point. I probably should have said "more secure than sending them across the internet unencrypted." Dropbox is using SSL and AES and has a security team monitoring everything. If there is a breach, they have a lot to lose as a company. If I stood up my own server, I wouldn't have those kinds or resources, so I think it is more secure than something I could put together myself. As @JaredBusch said, DropBox is about as secure as your password.

I just added a user to a Office 365 Plan E1 non for profit and it changed all my users to E2. What is E2? I can't even find E2 on their website.

Thanks for the help. It looks like the website guy is using Wix and it has a plug in for dropbox, so it made it dead simple to implement.