GPO: WSUS Patches June 2016 disabled security filtered GPO

Important change for all GPO admins | Change in the way GPOs are applied and filtered.


The Windows updates of June 2016 change how Group Policy Objects (GPOs, German: Gruppenrichtlinien) must be filtered to Active Directory security groups. It is no longer enough to just remove "Authenticated Users" and add a security group under Security Filtering: the policy will not be applied any more, because Microsoft has changed the concept.

In short: GPOs that are filtered to user groups stop applying after these patches are installed if neither Authenticated Users nor Domain Computers has Read permission under Delegation.

June 2016 patches:

  • KB 3163018
  • KB 314913
  • KB 3159398

https://social.technet.microsoft.com/Forums/en-US/e2ebead9-b30d-4789-a151-5c7783dbbe34/patch-tuesday-kb3159398?forum=winserverGP

http://www.gruppenrichtlinien.de/artikel/sicherheitsfilterung-neu-erfunden-ms16-072-patchday-14062016/

This is a normal policy which is not affected by the patches:

Please make a backup of your GPO before changing anything:

Here you see one where we removed "Authenticated Users" ("Authentifizierte Benutzer" in a German AD); this one needs to be corrected. Leave the security filtering as it is; the place to change it is under Delegation.

First, how NOT to do it (adding Authenticated Users back under Security Filtering would make the policy apply to everyone!):

The correct way to make it June 2016 Patchday compatible:

Make a backup of the GPO before you even think about changing it!

PowerShell script as posted by Stepan Kokhanovskiy on Social MSDN.

I changed this to a read-only, list-only version so you can first check whether you have such GPOs:

```powershell
$DebugPreference = 'Continue'

Write-Debug "Get list of all group policy objects in the domain."
$AllGpo = Get-GPO -All | Sort-Object -Property 'DisplayName'

Write-Debug "Select group policies that would need a permission change."
$ProcessGpo = foreach ($Gpo in $AllGpo)
{
    Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."

    # Note: on a German AD the built-in groups are named "Authentifizierte Benutzer"
    # and "Domänencomputer"; adjust -TargetName accordingly, otherwise the lookup
    # silently returns nothing and every GPO is reported.
    Write-Debug "Get permission for the `"Authenticated Users`" group."
    $AuthUsersPermission = $Gpo | Get-GPPermissions -TargetName 'Authenticated Users' -TargetType Group -ErrorAction SilentlyContinue

    Write-Debug "Get permission for the `"Domain Computers`" group."
    $DomainComputersPermission = $Gpo | Get-GPPermissions -TargetName 'Domain Computers' -TargetType Group -ErrorAction SilentlyContinue

    if (-not ($AuthUsersPermission -or $DomainComputersPermission))
    {
        Write-Debug "No permissions found."
        $Gpo
    }
    else
    {
        Write-Debug "Permissions found. Skip group policy."
    }
}

if ($ProcessGpo)
{
    Write-Debug "List of the selected group policies."
    $ProcessGpo | Select-Object -ExpandProperty DisplayName | Write-Debug

    Write-Debug "Report the selected group policies (read-only version, nothing is changed)."
    foreach ($Gpo in $ProcessGpo)
    {
        try
        {
            Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."
            $Gpo
        }
        catch
        {
            $_ | Write-Error
        }
    }
}
else
{
    Write-Debug "No group policy found."
}
```


The version above only lists / reports (read-only, "nur lesen").

Below is the version that changes / corrects ("Aenderung").

This is the change version from the posting on Social MSDN, adapted to a German Active Directory with Domänencomputer:

```powershell
$DebugPreference = 'Continue'

Write-Debug "Get list of all group policy objects in the domain."
$AllGpo = Get-GPO -All | Sort-Object -Property 'DisplayName'

Write-Debug "Select group policies for permission changing."
$ProcessGpo = foreach ($Gpo in $AllGpo)
{
    Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."

    # German AD: the built-in group names are localized. The checks use the same
    # names as the Set-GPPermissions call below, otherwise the lookup silently
    # returns nothing and every GPO would be modified.
    Write-Debug "Get permission for the `"Authentifizierte Benutzer`" (Authenticated Users) group."
    $AuthUsersPermission = $Gpo | Get-GPPermissions -TargetName 'Authentifizierte Benutzer' -TargetType Group -ErrorAction SilentlyContinue

    Write-Debug "Get permission for the `"Domänencomputer`" (Domain Computers) group."
    $DomainComputersPermission = $Gpo | Get-GPPermissions -TargetName 'Domänencomputer' -TargetType Group -ErrorAction SilentlyContinue

    if (-not ($AuthUsersPermission -or $DomainComputersPermission))
    {
        Write-Debug "No permissions found."
        $Gpo
    }
    else
    {
        Write-Debug "Permissions found. Skip group policy."
    }
}

if ($ProcessGpo)
{
    Write-Debug "List of the selected group policies."
    $ProcessGpo | Select-Object -ExpandProperty DisplayName | Write-Debug

    Write-Debug "Change permissions for the selected group policies."
    foreach ($Gpo in $ProcessGpo)
    {
        try
        {
            Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."

            # GpoRead only: this adds Read under Delegation and does NOT add Apply,
            # so the security filtering of the GPO stays as it is.
            Write-Debug "Add the `"Read`" permission for the `"Domänencomputer`" group."
            Set-GPPermissions -Guid $Gpo.Id -PermissionLevel GpoRead -TargetName 'Domänencomputer' -TargetType Group -ErrorAction Stop | Out-Null
            Write-Debug "Permissions changed successfully."

            $Gpo
        }
        catch
        {
            $_ | Write-Error
        }
    }
}
else
{
    Write-Debug "No group policy found."
}
```
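As an added example (not from the original post and not Stepan Kokhanovskiy's script): a locale-independent version of the same check. The group names are resolved from their well-known SIDs (S-1-5-11 for Authenticated Users, domain RID 515 for Domain Computers), so it works on a German AD as well as an English one, and it looks at the actual permission level, so a GPO where the group only has a custom ACL is reported for manual review instead of being skipped. It assumes the GroupPolicy and ActiveDirectory modules; the `-Fix` switch is my own addition and adds Read only, never Apply, so security filtering stays untouched.

```powershell
# Added example: MS16-072 read-permission check, resolving group names from well-known SIDs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Resolve-AccountName([string]$Sid) {
    # Translate a SID into the localized account name and drop the domain prefix,
    # because Get-GPPermission expects the bare group name.
    $nt = ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount])
    return ($nt.Value -split '\\')[-1]
}

function Test-GpoReadAfterMs16072 {
    [CmdletBinding()]
    param([switch]$Fix)   # -Fix adds Read for Domain Computers where it is missing

    $authUsers    = Resolve-AccountName 'S-1-5-11'                                 # Authenticated Users
    $domComputers = Resolve-AccountName "$((Get-ADDomain).DomainSID.Value)-515"    # Domain Computers (RID 515)
    # Permission levels that include Read. GpoCustom may or may not, so it is reported for review.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All | Sort-Object DisplayName) {
        $perms = foreach ($name in $authUsers, $domComputers) {
            Get-GPPermission -Guid $gpo.Id -TargetName $name -TargetType Group -ErrorAction SilentlyContinue
        }
        $status = if ($perms | Where-Object { $_.Permission -in $readLevels }) { 'OK' }
                  elseif ($perms | Where-Object { $_.Permission -eq 'GpoCustom' }) { 'CHECK-CUSTOM' }
                  else { 'MISSING-READ' }

        if ($status -eq 'MISSING-READ' -and $Fix) {
            # Read only: does NOT add Apply, so the security filtering of the GPO stays as it is.
            Set-GPPermission -Guid $gpo.Id -PermissionLevel GpoRead -TargetName $domComputers -TargetType Group -ErrorAction Stop | Out-Null
            $status = 'FIXED'
        }
        [pscustomobject]@{ Name = $gpo.DisplayName; Id = $gpo.Id; Status = $status }
    }
}

# Report first; re-run with -Fix only after a backup (Backup-GPO -All -Path <backup folder>).
Test-GpoReadAfterMs16072 | Format-Table -AutoSize
```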

 

Ransomware Switzerland: McAfee TIE Threat Intelligence Exchange in use

Ransomware Schweiz, Switzerland, Suisse. Solutions.

Intelligent black/white-listing technology such as McAfee TIE is currently the only solution, apart from ATD sandboxes, to get ransomware (extortion trojans) under control (http://www.mcafee.com/de/products/threat-intelligence-exchange.aspx). Everything else is tinkering: you only chase the problems instead of solving them.

The proof of concept is meant to show how McAfee TIE detects unknown files, and that directories we exclude in the antivirus module VSE 8.x are not touched by TIE either. These exclusions ALSO apply to the TIE module.

Proof of concept with a test file that we modify

We take an executable, e.g. Superscan.exe, and open it in order to modify it.

We change a few irrelevant bytes in the EXE with a hex editor and save it under the new name TIE_superscan.exe (hex editor e.g. http://hxd-hex-editor.soft32.com). Simply edit the text portion "not be run in DOS".

The software superscan.exe is not present in McAfee TIE (even though Foundstone was bought by McAfee/Intel ;-). About 75-80% of all binaries are present in the GTI/TIE database, though (average Windows 7 64-bit client with about 80 applications, Switzerland).

Test client (virtual), VSE exclusions (normal antivirus)

The folder c:\Geheim_geheim is excluded because otherwise e.g. Internet Explorer IEAK9/11 setups, but also other software, cause problems during setup. Drivers for installing the OS itself are also located there. This folder is not scanned because it contains 100% trustworthy files. Users have no write permission there.

Not visible in McAfee TIE because it is in c:\geheim_geheim

Update McAfee > force sending info to ePO

Copy the file to c:\temp and execute it

Directory not excluded in VSE > therefore TIE scans it too

Alarm on the client and the file is blocked on opening.

Immediately visible in McAfee ePO TIE, even WITHOUT forcing the Framework Agent

New file unknown and rating 50 > THEREFORE blocked

The other values used to classify the reputation have not yet been determined. Since it is an installer, it is also weighted differently.

GTI (McAfee P2P/cloud database) does not yet know the file:

Adjusting the reputation

We adjust the reputation of the file because we know this file and have scanned it with the VIRUSTOTAL.COM plugin in TIE. This can be done automatically with a click on a button!

After changing the reputation from "Unknown" to "File Known Trusted" PLUS renaming the EXE (TIE_superscan.exe to superscan.exe), the file is executed. For TIE to classify the binary intelligently on its own, it must be present in the company for a longer time and in several versions, OR the TIE/GTI cloud knows it.

Display in the McAfee ePO console (Enforcement Events)

McAfee ePO console, DASHBOARD

More links from us:

http://www.butsch.ch/post/RansomwareDeutschlandSchweiz-Healthcare-Deutscher-Bund-warnt-und-reagiert.aspx

http://www.butsch.ch/post/Ransomware-Versions-who-spread-in-network-and-attack-locked-files-from-SQL-Servers-coming-up.aspx

 

Microsoft February 2016 Patchday, Upgrade to Windows 10 Patches

  • An RDP patch will do two reboots (this is normal)
  • DENY KB3114717 Office 2013: makes WinWord 2013 slow (problem patch)
  • The Windows 10 update packages have now appeared in WSUS (W7 product)

These updates have arrived at WSUS customers even when no Windows 10 product was selected; they appear under the W7 product category.

Windows 10 corporate support, McAfee VSE and WSUS status 05.08.2015

Windows 10, WSUS integration

If you support Server 2012 R2 and 8.1 and have their updates on the WSUS, you will see the new Windows 10 categories straight away.

Windows 10, McAfee VSE 8.8 with Patch 6, which should be released on 26 August 2015

https://kc.mcafee.com/corporate/index?page=content&id=KB51111

https://community.mcafee.com/community/business/blog/2015/08/02/windows-10-support-updates


Product Version: VSE 8.8 Patch 6 (under development)
Product Build: TBD
Release Notes: TBD
Known Issues: TBD
Release Date: Target July 30, 2015 for private release; target Aug 26, 2015 for full release
EOL Date: n/a
Comments: Adds support for the Windows 10 platform.

NOTE: Patch 6 is currently available in managed release. To obtain the patch and participate in the managed release program, contact your Support Account Manager.


31.08.2015: And here comes Patch 6, and you are already waiting for Patch 7 (DLP 9.4 does NOT work, Access Protection rules not visible).

McAfee VirusScan Enterprise (VSE) 8.8

Summary

This article contains important information about known issues of high or medium rating that are outstanding with this product release. This article will be updated if new issues are identified post-release or if additional information becomes available. To read the Release Notes, see: PD26069

Release to World (RTW): August 26, 2015

Known Issues

IMPORTANT NOTES:
  • Data Loss Prevention (DLP) customers: This release upgrades a common component used by DLP, which may cause the system to hang. Customers using DLP 9.4.0 are advised to delay installing VSE 8.8 Patch 6 until further notice. Development is in progress for updating the DLP 9.4 version to work with VSE 8.8 Patch 6. This updated release will be required prior to installing VSE 8.8 Patch 6. This article will be updated as more detail becomes available.
  • VirusScan Enterprise for Storage (VSES) customers: VSE 8.8 Patches 5 and 6 are not supported for use with VSES. Do not deploy VSE 8.8 Patch 5 or 6 to nodes running VSES. Instead, Intel Security recommends you deploy VSE 8.8 Patch 4 to nodes running VSES.

CRITICAL: There are currently no critical known issues.

Reference Number: 1090227 | Related Article: KB85551
Issue: VirusScan threat events do not parse to the ePO database with VirusScan Enterprise Reports Extension 1.2.0.263.
Workaround: Check in the Patch 5 Reporting Extension (1.2.0.250) until an updated extension becomes available.
Status: Intel Security is investigating this issue. See the related article for workaround steps.

Non-critical:

Reference Number: 966892 | Related Article: KB84913
Issue: Access Protection rules are not visible in the ePolicy Orchestrator console after checking in the Patch 5 or Patch 6 management extension.
Resolution: See the related article. This is tentatively planned to be resolved in VSE 8.8 Patch 7, which is not currently available.

Reference Number: 1074199 | Related Article: n/a
Issue: Environments using Lotus Notes mail, with the Lotus Notes mail scanner feature enabled, encounter Access Protection violations after installing Patch 6.
Resolution: Add the Lotus Notes process (NLNOTES.EXE) to the Processes to Exclude list for the Access Protection rule that is being violated (for example, Common Standard Protection: Prevent modification of McAfee files and settings).

Reference Number: n/a | Related Article: n/a
Issue: Detection count is inconsistent with detections displayed in the On-Demand Scan (ODS) progress window.
Resolution: The product is functioning as designed. If you require a change to this functionality in a future version of the product, you can submit a Product Enhancement Request (PER) by logging in at: https://mcafee.acceptondemand.com/. To register as a new user, click McAfee Customers Register Here at the top of the page. For additional information, see KB60021.

Reference Number: 1065335 | Related Article: KB84084
Issue: Modification to the Artemis FQDN field for the Network Heuristic Check feature requires a reboot on the client before the change takes effect.
Resolution: Restart the McShield service or reboot the system.

Reference Number: 1077854 | Related Article: n/a
Issue: Outlook closes unexpectedly (crashes) when sending mail after installing VSE 8.8 Patch 6 on systems with DLP 9.4.0 (RTW).
Resolution: Upgrade to DLP 9.4 Patch 1 (expected Q4 2015 release date) or later.

n/a = not available

W7 64-bit: WMI hotfixes to date, post SP1

WMI hotfixes to date 29.07.2015

During IE11 projects we have seen problems with some WMI and WUSA.EXE KB installations. It sometimes seems that the WMI provider that offers that info hangs or is out of date; even with some commands to refresh it, it stays stuck. This is a list of hotfixes we found in that direction, for existing Windows 7 64-bit deployments with SP1.

IE11 patch infos:

http://www.butsch.ch/post/IE11-IEAK-11-Setup-9-PRE-Deployment-Patches-2b-1-Hotfix.aspx

YES = installs on W7 SP1 64-bit with all updates from WSUS to date 29.07.2015

NO = does not install on the same system

001 (YES)
https://support.microsoft.com/en-us/kb/2705357
2705357
Windows6.1-KB2705357-v2-x64.msu

002 (YES)
http://support.microsoft.com/kb/2692929
2692929
Windows6.1-KB2692929-x64.msu

003 (YES, but choose 2617858)
Unexpectedly slow startup or logon process in Windows Server 2008 R2 or in Windows 7
http://support.microsoft.com/kb/2465990
2465990 > SUPERSEDED > replaced by 2617858 (https://support.microsoft.com/en-us/kb/2617858)
2465990 > Windows6.1-KB2465990-v3-x64.msu (older)
2617858 > Windows6.1-KB2617858-x64.msu (newer, supersedes the old one)

004 (YES)
https://support.microsoft.com/en-us/kb/2492536
2492536
Windows6.1-KB2492536-x64.msu

005 (NO)
https://support.microsoft.com/en-us/kb/982293
982293
Windows6.1-KB982293-x64.msu