4 lug 2021

WindowServer.it Honor Community Member

Ringrazio la Community WindowServer.it, con la quale collaboro ormai da tempo, per il badge ricevuto. 




Il badge di Honor Community Member viene assegnato a coloro che fanno parte della community WindowServer.it da molti anni e che continuano a diffondere i valori di WindowServer.it, che vanno oltre il concetto di articolo, video o sessione durante gli eventi. I membri di questo club sono colonne portanti di questo sito e dei valori che rappresenta.

1 lug 2021

Configurazione del server NTP attraverso w32tm

Eseguire il seguente comando nel PDC Emulator sostituendo NTPSERVER con il server ntp geograficamente più vicino, ad esempio:

ntp1.inrim.it 193.204.114.232 NTP (RFC 5905)

ntp2.inrim.it 193.204.114.233 NTP (RFC 5905)

time.inrim.it 193.204.114.105 NTP (RFC 5905), TIME (RFC 868), DAYTIME (RFC 867)


w32tm /config /manualpeerlist:NTPSERVER /syncfromflags:manual /reliable:yes /update

net stop w32time && net start w32time


Per verificare che effettivamente sia stato configurato correttamente possiamo usare i seguenti comandi:

Forzare la sincronizzazione
w32tm /resync /nowait

Controllare la configurazione
w32tm /query /configuration

Visualizzare la sorgente time
w32tm /query /source 

Visualizzare l'elenco di tutti i server NTP configurati e il loro stato
w32tm /query /peers 

Visualizzare lo stato del servizio, ad esempio se sta ricevendo l'ora dall'orologio cmos locale/server NTP esterno
w32tm /query /status 

Monitor
w32tm /monitor


Configurazione del server NTP attraverso le GPO

Creare un filtro WMI e specificare la query:

Select * from Win32_ComputerSystem where DomainRole = 5

Creare una GPO da linkare ai DC e collegare il filtro in modo che sarà applicata solo al PDC Emulator

Editare la gpo e posizionarsi in “Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers

Abilitare “Enable Windows NTP Client” e “Enable Windows NTP Server

Impostare “Configure Windows NTP Client” 




3 mag 2021

Microsoft Security Compliance Toolkit

 



22 apr 2021

Send as SMTP alias ora disponibile in Exchange Online

Una delle richieste degli utenti più longeve è finalmente una realtà. Gli utenti possono finalmente inviare e-mail "come" uno dei propri indirizzi SMTP alias.

Gli amministratori di Exchange possono assegnare indirizzi email alternativi, o alias, alle cassette postali degli utenti. Gli utenti possono ricevere e-mail per uno qualsiasi dei loro alias, ma fino ad ora, e-mail e risposte possono essere inviate solo utilizzando il loro indirizzo e-mail SMTP principale. Con il nuovo comportamento, i messaggi di posta elettronica inviati utilizzando un alias, mostrano l'indirizzo del mittente e l'indirizzo di risposta come indirizzo SMTP dell'alias utilizzato.

E' possibile abilitate la funzionalità tramite il seguente cmdlet

Set-OrganizationConfig -SendFromAliasEnabled $true

Una volta impostato, gli utenti potranno inviare e-mail utilizzando uno dei loro indirizzi alias configurati, in Outlook o OWA. In Outlook, l'utente deve prima mostrare il campo Da per i nuovi messaggi di posta elettronica utilizzando il menu Opzioni, quindi scegliere un indirizzo alias o fare clic su Altro indirizzo email e digitare quello che si desidera utilizzare.

14 apr 2021

Poweroff Linux based NAS (Synology, ecc) remotely from Windows by command line

#Note - Updated 14/04/2021 
I had to turn off the NAS automatically after a Veeam backup copy process, but... it's not as simple as I thought.
The problem is that Linux SSH security permit executing of the "power off" command only as root and then root can not login to SSH

how do to do?

#Product affected / related 
NAS Linux based, Linux and Windows Server and Clients

#Solution 
1. Login to your NAS as admin user by SSH (PuTTY)

To enable ssh on Synology:
Control Panel > Terminal & SNMP > Terminal allows your Synology NAS to support Telnet and SSH command-line interface services. You can also change the security level of the SSH encryption algorithm.
To enable Telnet/SSH service:
Check the box next to the SSH protocol
Click Apply

2. Take permission as root
sudo su - or sudo -i

3.  Edit /etc/sudoers
vi /etc/sudoers

4: Add the following line 
 
## Admin user group is allowed to execute halt and reboot 
userOrGroup ALL=NOPASSWD: /sbin/halt, /sbin/reboot, /sbin/poweroff

6. Download plink (Now as part of putty)

On Windows, you have to download plink from PuTTY download page and save it in a folder.
This is the command that resolve the problem:

plink.exe -ssh -t -pw “yourpassword” admin@xxx.xxx.xxx.xxx "sudo poweroff"










7 apr 2021

11 mar 2021

Windows 10: Bluescreen Of Death on printing kb:5000802, kb:5000808

Latest Microsoft patch kb:5000802,  kb:5000808 produce BSOD on printing. 

We can resolve this issue with the two commands below:

In a command prompt with administrative rights

wusa /uninstall /kb:5000802

wusa /uninstall /kb:5000808


3 mar 2021

Servizi che possono essere disabilitati su un Domain Controller

Per ragioni di sicurezza si dovrebbe ridurre al minimo la superficie di attacco, soprattutto sui domain controller. Per cominciare potremmo disattivare una serie di servizi, magari tramite una GPO

  • ActiveX Installer (AxInstSV) (AxInstSV)
  • Bluetooth Support Service (bthserv)
  • CDPUserSvc (CDPUserSvc)
  • Contact Data (PimIndexMaintenancesvc)
  • dmwappushsvc (dmwappushsvc)
  • Downloaded Maps Manager (MapsBroker)
  • Geolocation Service (lfsvc)
  • Internet Connection Sharing (ICS) (SharedAccess)
  • Link-Layer Topology Discovery Mapper (lltdsvc)
  • Microsoft Account Sign-in Assistant (wlidsvc)
  • Microsoft Passport (NgcSvc)
  • Microsoft Passport Container (NgcCtnrSvc)
  • Network Connection Broker (NcbService)
  • Phone Service (PhoneSvc)
  • Print Spooler (Spooler)
  • Printer Extensions and Notifications (PrintNotify)
  • Program Compatibility Assistant Service (PcaSvc)
  • Quality Windows Audio Video Experience (QWAVE)
  • Radio Management Service (RmSvc)
  • Sensor Data Service (SensorDataService)
  • Sensor Monitoring Service (SensrSvc)
  • Sensor Service (SensorService)
  • Shell Hardware Detection (ShellHWDetection)
  • Smart Card Device Enumeration Service (ScDeviceEnum)
  • SSDP Discovery (SSDPSRV)
  • Still Image Acquisition Events (WiaRpc)
  • Sync Host (OneSyncSvc)
  • Touch Keyboard and Handwriting Panel (TabletInputService)
  • UPnP Device Host (upnphost)
  • User Data Access (UserDataSvc)
  • User Data Storage (UnistoreSvc)
  • WalletService (WalletService)
  • Windows Audio (Audiosrv)
  • Windows Audio Endpoint Builder (AudioEndpointBuilder)
  • Windows Camera Frame Server (FrameServer)
  • Windows Image Acquisition (WIA) (stisvc)
  • Windows Insider Service (wisvc)
  • Windows Mobile Hotspot Service (icssvc)
  • Windows Push Notifications System Service (WpnService)
  • Windows Push Notifications User Service (WpnUserService)
  • Xbox Live Auth Manager (XblAuthManager)
  • Xbox Live Game Save (XblGameSave)

Microsoft 365: How to force Modern authentication

Outlook App

In the newer versions of Outlook App, Modern Authentication is enabled by default.

In case of problems, that is the window in Outlook that continues to ask for the password, it is also recommended to force the use of Modern Authentication in Outlook, adding, through Regedit, the following registry key, setting the DWORD value to 1 

HKEY_CURRENT_USER\Software\Microsoft\Exchange\

AlwaysUseMSOAuthForAutoDiscover – DWORD=1


Tenant

Check to see if Modern Authentication is ENABLED for your Office 365 tenant

Run the command Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

If you see “False” listed next to your Office 365 tenant proceed to the next step to enable Modern Auth. If you see “True” then Modern Auth is already enabled; no further action is required. Skip to Disconnect your PowerShell session. 


Enable Modern Authentication for your Office 365 tenant

Run the command Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

Note: This command does not prevent connections via Basic Authentication. Desktop and mobile e-mail client applications which do not support Modern Authentication will still be able to connect to the Office 365 account using Basic Authentication until October 13, 2020.


Verify Modern Authentication is ENABLED for your Office 365 tenant

Run the command Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

You should now see “True” listed next to your Office 365 tenant indicating that Modern Authentication is enabled for your Office 365 tenant

27 feb 2021

Announcing Windows Server Preview Build 20298 aka Windows Server 2022

Announcing Windows Server Preview Build 20298 

 

Hello Windows Insiders!

Today we are pleased to release a new build of the Windows Server Long-Term Servicing Channel (LTSC) Preview that contains both the Desktop Experience and Server Core installation options for Datacenter and Standard editions.

 

 

 

Available Content

 

  • Windows Server Long-Term Servicing Channel Preview is available in ISO format in 18 languages, and in VHDX format in English only.  The following keys allow for unlimited activations:
    • Server Standard: MFY9F-XBN2F-TYFMP-CCV49-RMYVH
    • Datacenter: 2KNJJ-33Y9H-2GXGX-KMQWH-G6H67
  • Windows Server Language Pack/Core App Compatibility FoD Preview

 

Keys: Keys are valid for preview builds only. After activation for the preview keys is disabled, you may still install and use preview builds for development and testing purposes without activating.

Symbols:  available on the public symbol server – see Update on Microsoft’s Symbol Server blog post and Using the Microsoft Symbol Server

Expiration: This Windows Server Preview will expire October 31, 2021.

 

Known Issues

 

Shutdown Event Tracker is displayed every time a user logs on even when the user is a member of the administrators group and the user has closed the tracker window properly.

Auto Logon does not work correctly in some scenarios.

 

How to Download 

 

Registered Insiders may navigate directly to the Windows Server Insider Preview download page.  If you have not yet registered as an Insider, see GETTING STARTED WITH SERVER on the Windows Insiders for Business portal.


Original post
Announcing Windows Server Preview Build 20298 - Microsoft Tech Community

14 feb 2021

Microsoft 365: Dynamic Delivery in Safe Attachments policies

The Dynamic Delivery action in Safe Attachments policies seeks to eliminate any email delivery delays that might be caused by Safe Attachments scanning. The body of the email message is delivered to the recipient with a placeholder for each attachment. The placeholder remains until the attachment is found to be safe, and then the attachment becomes available to open or download.

If an attachment is found to be malicious, the message is quarantined. Only admins (not end-users) can review, release, or delete messages that were quarantined by Safe Attachments scanning. For more information, see Manage quarantined messages and files as an admin.

Most PDFs and Office documents can be previewed in safe mode while Safe Attachments scanning is underway. If an attachment is not compatible with the Dynamic Delivery previewer, the recipients will see a placeholder for the attachment until Safe Attachments scanning is complete.

If you're using a mobile device, and PDFs aren't rendering in the Dynamic Delivery previewer on your mobile device, try opening the message in Outlook on the web (formerly known as Outlook Web App) using your mobile browser.

Here are some considerations for Dynamic Delivery and forwarded messages:

  • If the forwarded recipient is protected by a Safe Attachments policy that uses the Dynamic Delivery option, then the recipient sees the placeholder, with the ability to preview compatible files.

  • If the forwarded recipient is not protected by a Safe Attachments policy, the message and attachments will be delivered without any Safe Attachments scanning or attachment placeholders.

There are scenarios where Dynamic Delivery is unable to replace attachments in messages. These scenarios include:

  • Messages in public folders.

  • Messages that are routed out of and then back into a user's mailbox using custom rules.

  • Messages that are moved (automatically or manually) out of cloud mailboxes to other locations, including archive folders.

  • Deleted messages.

  • The user's mailbox search folder is in an error state.

  • Exchange Online organizations where Exclaimer is enabled. To resolve this, see KB4014438.

  • S/MIME) encrypted messages.

  • You configured the Dynamic Delivery action in a Safe Attachments policy, but the recipient doesn't support Dynamic Delivery (for example, the recipient is a mailbox in an on-premises Exchange organization). However, Safe Links in Microsoft Defender for Office 365 is able to scan Office file attachments that contain URLs (depending on how the global settings for Safe Links are configured).