How to disable curve25519 / x25519 key exchange on Windows Server 2016

If you are using a Palo Alto firewall to do inbound SSL decryption, you might have run into issues with decryption on Windows Server 2016 running IIS.

For us, this was due to the server using a key exchange not supported for SSL decryption in PANOS 8.1.

You probably don’t want to disable all ECDH key exchanges, so this command only disables x25519, which is enough to let your Palo Alto firewall do the decryption.

Open up PowerShell and type the following command:

Disable-TlsEccCurve -Name curve25519

If you run Get-TlsEccCurve before and after running the command, you can confirm whether the curve has actually been disabled.

After a reboot, IIS should no longer offer x25519 for key exchange.
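The same change wrapped in a small verification routine, added here as an example and not part of the original post: it assumes an elevated PowerShell session on Windows Server 2016 with the TLS module cmdlets Get-TlsEccCurve and Disable-TlsEccCurve, and checks that only curve25519 was removed while the other ECDH curves remain enabled.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# session on Windows Server 2016, where the TLS module provides
# Get-TlsEccCurve and Disable-TlsEccCurve.
function Disable-Curve25519Only {
    $before = @(Get-TlsEccCurve)
    if ($before -notcontains 'curve25519') {
        Write-Host 'curve25519 is not in the enabled list; nothing to do.'
        return $before
    }

    Disable-TlsEccCurve -Name curve25519
    $after = @(Get-TlsEccCurve)

    # The goal is to remove only x25519, so every other curve (NistP256,
    # NistP384, ...) that was enabled before must still be enabled after.
    if ($after -contains 'curve25519') {
        throw 'curve25519 is still enabled; check that the session is elevated.'
    }
    foreach ($curve in ($before | Where-Object { $_ -ne 'curve25519' })) {
        if ($after -notcontains $curve) {
            Write-Warning "Curve $curve unexpectedly disappeared from the enabled list."
        }
    }

    Write-Host 'Enabled curves now:' ($after -join ', ')
    Write-Host 'Reboot the server so IIS/SChannel stop offering x25519.'
    return $after
}

Disable-Curve25519Only
```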

For a complete list of supported ciphers in PANOS 8.1, see Palo Alto’s documentation.

How to stop the «Posten» virus

In the last few days there has again been an increase in the «Posten virus», that is, e-mails that appear to be sent with Posten (the Norwegian postal service) as the sender.
VG has written an article about this here.

The e-mail sends you on to an external page and asks you to download a pickup slip, which turns out to be a compressed file (.zip) containing a JavaScript file (.js).
If you open and run the JavaScript, it will encrypt the data on your machine, and for a large pile of money you may perhaps get your files back.

If you have been unlucky enough to be hit by the virus, this guide is unfortunately not going to help you now. Go instead to Kaspersky’s «No Ransom» page with ransomware decryption tools.

In addition to having antivirus, a healthy dose of paranoia and the latest updates for your operating system installed, there are a couple of ways to get the better of exactly this type of malware.

This solution means that .js files will no longer run automatically on your computer, and as long as they are only opened in Notepad they cannot do any harm.

For home users with Windows:

Note: The screenshots are from Windows 10, but the procedure is fairly similar on Windows 7.

  1. Open Notepad (Notisblokk).
  2. Choose Save As, and save the file on the desktop as Test.js.
  3. Go to the desktop, right-click «Test.js» and choose «Open with» and «Choose another app».
  4. Choose «Notepad», and tick «Always use this app to open .js files».

For system administrators with Windows systems:

  1. Enable SPF on your domain, and hard-block incoming e-mail that fails the SPF check. This will also help you against CEO fraud. Postnorge.no, one of the domains used in the latest mailing, had no SPF record at the time the e-mails went out, but fortunately this has now been enabled.
  2. Create a group policy for all users that sets Notepad.exe as the default application for .js files. The policy is found under «User Configuration – Preferences – Control Panel Settings – Folder Options».
  • Action: Update
  • Name: js
  • Associated Program: %WindowsDir%\System32\notepad.exe
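To verify on a client that the Notepad association (set manually or via the policy above) actually took effect, here is an added example that is not part of the original post. It assumes the standard Windows registry locations: the per-user UserChoice key under Explorer\FileExts and the machine-wide ProgId under HKEY_CLASSES_ROOT, and reports whether double-clicking a .js file would still launch Windows Script Host.

```powershell
# Added example, not part of the original post. Reads the registry locations
# Windows uses for file associations (assumed to be the standard ones) and
# resolves which program a .js file would open with for the current user.
function Get-JsHandler {
    $userChoice = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\UserChoice'
    $progId = (Get-ItemProperty -Path $userChoice -Name ProgId -ErrorAction SilentlyContinue).ProgId
    if (-not $progId) {
        # No per-user choice recorded: fall back to the machine default (normally JSFile)
        $progId = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.js' -ErrorAction SilentlyContinue).'(default)'
    }

    $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'

    [pscustomobject]@{
        ProgId   = $progId
        Command  = $command
        # WScript/CScript execute the script; Notepad or another viewer only displays it.
        # An empty Command means the ProgId is a Store/app handler: inspect it by hand.
        Executes = [bool]($command -match '(?i)\\(w|c)script\.exe')
    }
}

$handler = Get-JsHandler
$handler
if ($handler.Executes) {
    Write-Warning '.js files still execute via Windows Script Host for this user profile.'
} else {
    Write-Host '.js files open in a viewer; a double-click will not run the script.'
}
```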

Remove KB3101496 for Skype for Business client

Microsoft recently released a security update for the Skype for Business client, which seems to be causing issues for people.

The one I noticed first was the lack of missed-call emails being delivered to users.
This script will remove the 32-bit version of the update:

@ECHO OFF
taskkill /IM lync.exe /F
msiexec /package {90150000-0011-0000-0000-0000000FF1CE} /uninstall {6A0E6442-2FD5-499F-9E97-51E3375FF53C} /quiet /qb /norestart
msiexec /package {90150000-002A-0000-1000-0000000FF1CE} /uninstall {6A0E6442-2FD5-499F-9E97-51E3375FF53C} /quiet /qb /norestart
msiexec /package {90150000-012B-0414-0000-0000000FF1CE} /uninstall {6A0E6442-2FD5-499F-9E97-51E3375FF53C} /quiet /qb /norestart
EXIT /B 0

UPDATE: This issue was resolved in KB3114732, which was released in February.

Move media subfolders out of «My Documents» with ease

At work, we are in the process of moving all our users’ «My Documents» folder to a new file server, and we also thought that we’d do some changes to the Folder Redirection GPO.

[Screenshot: Supermove2000-FollowGPO]

Several applications like to save to the dedicated media folders by default, which can eat up a lot of space if you set the media folders (My Pictures, My Music and My Videos) to simply follow the «My Documents» folder in your GPO (which they do by default).

This means that you can easily end up backing up your users’ private iTunes libraries, family photos and whatever else they might have stored in the «My Videos» folder.

So before enabling the new GPO, where these media folders are redirected to each user’s local profile, I wanted to move these files out of the way.

[Screenshot: Supermove2000-LocalGPO]

So I give you…

Supermove 2000.

It’s fairly simple: enter the current location of the root Documents folder (source) and where you would like the media folders and their content copied or moved to (destination).

Since the «My Documents» folder is often named based on local region, you will also be prompted for the name used in your environment.

Robocopy will now take care of the rest, and leave you logs for each folder moved for each user.

[Screenshot: Supermove2000-IMG]

It’s currently set up to handle the localized (Norwegian) names of the media folders as well, but this can easily be edited in the batch file to suit your own needs.

If everything is in English and/or Norwegian, you are good to go. The file will check to see if the folders exist before doing anything.

High fives to Morten for helping out!

Download the batch file here (.zip).

Or copy this text into your favorite text editor, and save as either .bat or .cmd:

Source code for Supermove2000.cmd:

@ECHO OFF
IF /I "%1"=="/c" (
SET MODE=
SET MODEDESC=/C specified, Supermove2000 will copy files.
SET MODEDESC2=copy media folders.
SET MODEACTION=Copying
GOTO START
)
IF /I "%1"=="/m" (
SET MODE=/MOVE
SET MODEDESC=/M specified, Supermove2000 will move files.
SET MODEDESC2=move media folders.
SET MODEACTION=Moving
GOTO START
)
REM No recognised switch: fall through to list-only mode (Robocopy /L changes nothing)
SET MODE=/L
SET MODEDESC=No switch specified, will only create logs.
SET MODEDESC2=only generate Robocopy logs.
SET MODEACTION=Logging
:START
CLS
ECHO THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
ECHO IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
ECHO FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
ECHO AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
ECHO LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
ECHO OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
ECHO THE SOFTWARE.
PAUSE
CLS
ECHO --------------------------------------------
ECHO Supermove 2000 - 20©14 FISK Crew/NSGP by
ECHO DJ Helskjegg and Hevneren - www.nsgp.net
ECHO --------------------------------------------
ECHO %MODEDESC%
ECHO --------------------------------------------
ECHO To move files, launch with /M switch
ECHO To copy files, launch with /C switch
ECHO --------------------------------------------
PAUSE
SET /P SRC=Enter source folder (no trailing slash):
SET /P DEST=Enter destination folder (no trailing slash):
SET /P DOCS=Enter name of "My Documents" folder:
CLS
ECHO ----WARNING----
ECHO If you proceed, Supermove2000 will %MODEDESC2%
ECHO From: %SRC%\Username\%DOCS%\
ECHO To: %DEST%\Username\%DOCS%\
PAUSE
REM One user folder per line; quoted so a source path with spaces still works
DIR "%SRC%" /B /A:D > Supermove-Folders.txt

IF NOT EXIST "Supermove-Logs" (
MD Supermove-Logs
)
REM "delims=" keeps the whole line, so user folder names containing spaces are not split
FOR /F "delims=" %%A IN (Supermove-Folders.txt) DO (
REM Pictures!
IF EXIST "%SRC%\%%A\%DOCS%\Mine bilder" (
ECHO %MODEACTION% "Mine bilder" for %%A
ROBOCOPY "%SRC%\%%A\%DOCS%\Mine bilder" "%DEST%\%%A\%DOCS%\Mine bilder" /COPY:DAT /DCOPY:T /TIMFIX /E %MODE% > "Supermove-Logs\%%A-MineBilder.log"
)
IF EXIST "%SRC%\%%A\%DOCS%\My Pictures" (
ECHO %MODEACTION% "My Pictures" for %%A
ROBOCOPY "%SRC%\%%A\%DOCS%\My Pictures" "%DEST%\%%A\%DOCS%\My Pictures" /COPY:DAT /DCOPY:T /TIMFIX /E %MODE% > "Supermove-Logs\%%A-MyPictures.log"
)
REM Music!
IF EXIST "%SRC%\%%A\%DOCS%\Min musikk" (
ECHO %MODEACTION% "Min musikk" for %%A
ROBOCOPY "%SRC%\%%A\%DOCS%\Min musikk" "%DEST%\%%A\%DOCS%\Min musikk" /COPY:DAT /DCOPY:T /TIMFIX /E %MODE% > "Supermove-Logs\%%A-MinMusikk.log"
)
IF EXIST "%SRC%\%%A\%DOCS%\My Music" (
ECHO %MODEACTION% "My Music" for %%A
ROBOCOPY "%SRC%\%%A\%DOCS%\My Music" "%DEST%\%%A\%DOCS%\My Music" /COPY:DAT /DCOPY:T /TIMFIX /E %MODE% > "Supermove-Logs\%%A-MyMusic.log"
)
REM Videos!
IF EXIST "%SRC%\%%A\%DOCS%\Intern video" (
ECHO %MODEACTION% "Intern video" for %%A
ROBOCOPY "%SRC%\%%A\%DOCS%\Intern video" "%DEST%\%%A\%DOCS%\Intern video" /COPY:DAT /DCOPY:T /TIMFIX /E %MODE% > "Supermove-Logs\%%A-InternVideo.log"
)
IF EXIST "%SRC%\%%A\%DOCS%\My Videos" (
ECHO %MODEACTION% "My Videos" for %%A
ROBOCOPY "%SRC%\%%A\%DOCS%\My Videos" "%DEST%\%%A\%DOCS%\My Videos" /COPY:DAT /DCOPY:T /TIMFIX /E %MODE% > "Supermove-Logs\%%A-MyVideos.log"
)
)
DEL Supermove-Folders.txt
ECHO --------------------------------------------
ECHO All done, check the Supermove-Logs folder
ECHO for the job logs.
ECHO --------------------------------------------
ECHO w w w . n s g p . n e t
ECHO --------------------------------------------
PAUSE