How to protect your computer from the ransomware that is spreading

Malicious software has been spreading recently that disables your computer or encrypts your important files and then demands a ransom (a sum of money) before they are given back to you; this is what is known as ransomware. The most widespread example is the one that appeared on 12 May 2017 and is known as WannaCry (also WannaCrypt). It has infected a great many Windows computers at companies, institutions and homes all over the world. So what should you do to protect your computers from this kind of malware?

  • Do not open any link or attachment that arrives by e-mail until you have confirmed that it comes from a trusted source and that it really was sent by the person who appears as the sender (most of this malware spreads through e-mail).
  • If you receive a message from a friend with a link in it, ask them before you open it whether they really sent it themselves, because some of these messages spread on their own and are sent automatically from an infected computer or smartphone.
  • Do not open unfamiliar links on web pages, especially advertisements; they can be malicious links that download malware onto your machine the moment you click them.
  • Make sure an antivirus program is installed on your machine and that its virus definitions are always up to date.
  • Do not use old versions of programs, since they are more exposed to attacks; always update the software on your machine, and do not use old versions of Windows either (Windows 8 is better than Windows 7, Windows 10 is better than Windows 8, and so on). WannaCry in particular moves from one machine to the next over SMBv1, using a flaw that Microsoft fixed in March 2017 with update MS17-010, so make sure that update is installed on every Windows machine and disable SMBv1 wherever nothing still needs it.
  • Back up your data and important files to an external disk or to a cloud storage service such as OneDrive (never keep important information in only one place), so that you can restore them if the copy on the machine is encrypted or destroyed. Keep the external disk disconnected when you are not backing up: ransomware encrypts attached drives and mapped network shares as well.
  • If a message appears saying that your files have been encrypted and can be recovered by sending a sum of money to a certain account or in the electronic currency Bitcoin, disconnect the machine from any Wi-Fi or from the local network at your workplace and notify technical support.
  • Do not consider paying the ransom; it does not guarantee that you get your files back, and a larger amount may be demanded once you have paid.

Delegate Permissions to add more than 10 Computers to Domain

We all know that by default any Active Directory domain grants the "Add workstations to domain" user right (a Group Policy setting under User Rights Assignment) to Authenticated Users, in the Default Domain Controllers Policy only. Right? Piece of cake :)
That makes any user in the domain able to join machines to the domain, but with a hard limit of 10 machines per user. The limit does not come from the user right itself: it is the ms-DS-MachineAccountQuota attribute on the domain object, which Microsoft set to 10 by default, and it only counts machines joined through that user right.
But what if you want to give a specific user or group the right to join any number of PCs to the domain, without giving them Domain Admin permissions, and also to rejoin old machines (which needs the Reset Password permission on the computer objects)? Then you must delegate a specific set of permissions to that user or group, as in the following steps:

 
1- Locate and right-click the OU that will hold the computer accounts, and then click Delegate Control.
2- In the Delegation of Control Wizard, click Next.
3- Click Add, add the specific user or group to the selected users and groups list, and then click Next.
4- On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
5- Click Only the following objects in the folder, and then select the Computer objects check box in the list. Below the list, also select Create selected objects in this folder and Delete selected objects in this folder.
6- Click Next.
7- In the Permissions list, select the following check boxes:
a. Reset Password
b. Read and write Account Restrictions
c. Validated write to DNS host name
d. Validated write to service principal name
DON'T just add the group or user to the "Add workstations to domain" user right: that still leaves them limited to 10 machines. The delegated permissions above are not subject to the quota, because the join is then authorised by the ACL on the OU rather than by the user right. Note that this group can now also reset the password of every computer account in that OU, which is enough to authenticate as those machines, so keep its membership small and audited.

If you want to go further and stop ordinary users from joining any workstation at all, remove "Authenticated Users" from the "Add workstations to domain" setting in the Default Domain Controllers Policy and add only the users or groups you want to allow. Setting ms-DS-MachineAccountQuota to 0 on the domain has the same effect and is simpler to audit; your delegated group keeps working either way, because it joins through the OU permissions. :)
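The same delegation done from the command line, as an added example that is not part of the original post, using dsacls.exe for the ACL and the ActiveDirectory module for the quota. The OU distinguished name and the group name are placeholders you replace with your own.

```powershell
# Added example (not from the original post): delegate computer-join rights on an OU
# with dsacls.exe and close the default quota. Placeholders: $OU and $Group.
Import-Module ActiveDirectory

$OU    = 'OU=Workstations,DC=domain,DC=local'   # assumption: the OU that will hold the machines
$Group = 'DOMAIN\Workstation-Joiners'           # assumption: a dedicated group, never Domain Admins

# Create and delete computer objects in the OU (/I:T = this object and all descendants).
# This replaces the "Add workstations to domain" user right for the group, and the quota
# does not apply to objects created through an explicit Create Child permission.
dsacls $OU /I:T /G "${Group}:CCDC;computer"

# The four permissions ticked in step 7, inherited by every computer object in the OU
# (/I:S = sub-objects only). Reset Password is what makes re-joining old machines work.
dsacls $OU /I:S /G "${Group}:CA;Reset Password;computer"
dsacls $OU /I:S /G "${Group}:RPWP;Account Restrictions;computer"
dsacls $OU /I:S /G "${Group}:WS;Validated write to DNS host name;computer"
dsacls $OU /I:S /G "${Group}:WS;Validated write to service principal name;computer"

# Show the ACL entries that now mention the group, so you can confirm what was granted
dsacls $OU | Select-String -SimpleMatch ($Group.Split('\')[-1])

# Quota hardening: read the current value (10 by default) and set it to 0, after which
# nobody can join a machine through the user right alone. The group above is unaffected.
$DomainDN = (Get-ADDomain).DistinguishedName
$Quota = (Get-ADObject -Identity $DomainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota is currently $Quota"
Set-ADDomain -Identity $DomainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

Run it once from an elevated PowerShell on a domain controller as a user who may modify the OU's ACL. The dsacls lines map one-to-one onto the wizard: CCDC on the OU with /I:T gives create and delete of computer objects, and the four /I:S entries are the permissions ticked in step 7, inherited by every computer object beneath the OU. A member of the group can then join any number of machines regardless of the quota.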

Auto Organize new Computer Accounts in Active Directory by PowerShell

We all know that we can change the default container for computer accounts in AD from the default 'Computers' container (CN=Computers,DC=domain,DC=local) to a custom OU of our choice, using the redircmp command. After that, every new computer joined to the domain lands in that OU.

But what do you do if you have a well-organised AD structure with specific OUs for servers and workstations, and you want new computers moved automatically from the default container to the correct OU based on some criteria such as the OS or the machine name, and you also want to be notified by e-mail whenever new computers show up in the domain? I hear you say scripting? No. SIEM solutions? No. Old black magic? Also no :) ... the answer is PowerShell. You can do all of this with a single .ps1 file holding a few commands, and I'll show you how.

We will use two main commands: one to find the new computers and move them to a specific OU, and one to send an e-mail listing them:

Open a new Notepad file and type the commands into it; when we are done we will save it as a .ps1 file and schedule it to run every 10 or 15 minutes on a domain controller.

1- First command: there are two cmdlets you can use to get computers from AD:

Get-ADComputer

Get-ADObject (aimed at the Computers container only)

We will use the first one (Get-ADComputer) because its properties (operating system, IP address and so on) are handy as filter criteria.

Now we need to retrieve only the computers in the Computers container, not every computer in the domain, so we use the -SearchBase parameter to search a single location in AD (Get-ADComputer also needs a -Filter, and * means everything):


Get-ADComputer -Filter * -SearchBase "CN=Computers,DC=domain,DC=local"


This returns all the computers in the Computers container. But let's say you need only workstations, meaning client operating systems (Windows 7, 8 or 10) and not Windows Server editions, so we filter on the operatingSystem attribute:


Get-ADComputer -Filter {OperatingSystem -notlike 'Windows Server*'} -SearchBase "CN=Computers,DC=domain,DC=local"


Keep in mind that the computer itself writes its operatingSystem attribute after the join completes, so an object created seconds ago may still have it empty, and an empty attribute matches -notlike 'Windows Server*' as well. A brand-new server can therefore be picked up as a workstation if the script runs in that window; if that matters, require the attribute to be populated before moving anything.

Or, if you need all Windows 8.1 machines for example, make the filter like this (the attribute holds the full edition name, e.g. "Windows 8.1 Pro", so keep the trailing wildcard):

{OperatingSystem -like 'Windows 8.1*'}         and so on.

Now we need to move those machines to the correct OU (for example 'WORKSTATIONS'), so we pipe the previous command into Move-ADObject:


Get-ADComputer -Filter {OperatingSystem -notlike 'Windows Server*'} -SearchBase "CN=Computers,DC=domain,DC=local" | Move-ADObject -TargetPath "OU=WORKSTATIONS,DC=domain,DC=local"


This command gets all client-OS machines from the Computers container and moves them to the OU called WORKSTATIONS.

2- Second command: this has two parts. First, get the machines and their properties, choose friendly names for the columns, and store the result in a variable for the second part (store the objects themselves rather than Format-Table output, so the variable can be tested and formatted later):


$Workstations = Get-ADComputer -Filter {OperatingSystem -notlike 'Windows Server*'} -Properties Name, Created, IPv4Address -SearchBase "CN=Computers,DC=domain,DC=local" | Select-Object @{N='Computer Name';E={$_.SamAccountName}}, @{N='Creation Time';E={$_.Created}}, @{N='IP Address';E={$_.IPv4Address}}


Second, send an e-mail to a specific address IF the variable ($Workstations) is not empty, with a table of those new machines in the body:


if ($Workstations) { Send-MailMessage -From "Active Directory <AD@domain.com>" -SmtpServer xx.xx.xx.xx -Subject "New Workstations have been added to Domain" -To xxxxx@domain.com -Body ($Workstations | Format-Table -Wrap | Out-String) }


By grouping these commands together in one file (attached to this article) you get a PowerShell script that you can run as a scheduled task on the domain controller. Mind the order: the e-mail part must run before the move, or both must share a single query result, because once the move has emptied the Computers container a second query finds nothing and no mail goes out.

NOTE: the script or task must run under an account that has permission to move computers in Active Directory and to send messages through your SMTP server. Give it only that: delegate the move rights on the Computers container and the target OU to a dedicated service account (a group managed service account is ideal, since nobody needs to know its password), and do not run a scheduled task on a domain controller as a Domain Admin.
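Here is the whole job assembled into one script, as an added example rather than the file attached to the article. It avoids the ordering problem by querying once and using the same objects for the e-mail and the move, and it skips objects whose operatingSystem attribute the client has not written yet. The domain DN, target OU, SMTP host and addresses are placeholders.

```powershell
# Added example (not the file attached to the article): one run of the
# "move new workstations and notify" job. Placeholders: domain DN, target OU,
# SMTP server, sender and recipient.
Import-Module ActiveDirectory

$DomainDN   = 'DC=domain,DC=local'                   # assumption
$Source     = "CN=Computers,$DomainDN"               # default computer container
$TargetOU   = "OU=WORKSTATIONS,$DomainDN"            # assumption
$SmtpServer = 'smtp.domain.local'                    # assumption
$MailFrom   = 'Active Directory <AD@domain.com>'     # assumption
$MailTo     = 'sysadmins@domain.com'                 # assumption

# Query once and keep the objects: the same list feeds the e-mail and the move.
# Querying again after the move would find an empty container and send nothing.
# OperatingSystem -like '*' requires the attribute to be populated: the client writes
# it after the join completes, and an empty attribute would otherwise satisfy the
# -notlike clause and let a brand-new server through as a workstation.
$New = Get-ADComputer -SearchBase $Source -SearchScope OneLevel `
    -Filter { (OperatingSystem -like '*') -and (OperatingSystem -notlike 'Windows Server*') } `
    -Properties OperatingSystem, Created, IPv4Address

if (-not $New) { return }   # nothing new on this run

# Build the table from the raw objects; Format-Table is applied only at send time
$Report = $New |
    Select-Object @{N='Computer Name';    E={ $_.SamAccountName }},
                  @{N='Operating System'; E={ $_.OperatingSystem }},
                  @{N='Creation Time';    E={ $_.Created }},
                  @{N='IP Address';       E={ $_.IPv4Address }} |
    Format-Table -AutoSize -Wrap | Out-String

Send-MailMessage -From $MailFrom -To $MailTo -SmtpServer $SmtpServer `
    -Subject "New workstations have been added to the domain ($(@($New).Count))" -Body $Report

# Move one object at a time so a single failure does not abort the rest
foreach ($Computer in $New) {
    try {
        Move-ADObject -Identity $Computer.DistinguishedName -TargetPath $TargetOU -ErrorAction Stop
        Write-Output "Moved $($Computer.Name) to $TargetOU"
    }
    catch {
        Write-Warning "Could not move $($Computer.Name): $($_.Exception.Message)"
    }
}
```

Write-Output and Write-Warning lines end up in the task's console output, which Task Scheduler does not keep; if you want a record, redirect them to a log file from the task arguments or add Start-Transcript at the top of the script.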

In Task Scheduler, create a new task, set the trigger to "On a schedule" repeating every 10 or 15 minutes indefinitely, set the action to "Start a program" with the program name powershell.exe, and in the "Add arguments" field point at the script file on disk, like this (note that -ExecutionPolicy Bypass only affects this process; it is not a security control, the account's rights are):


-NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File "D:\Scripts\move computers.ps1"


Then save the task and monitor its behaviour in the History tab of the Task Scheduler console :)
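The same scheduled task created from PowerShell, as an added example that is not part of the original post. It assumes a group managed service account named gMSA-ADMove that already exists (New-ADServiceAccount), is installed on this DC (Install-ADServiceAccount) and holds the delegated move rights from the NOTE above; the script path is the one from the article.

```powershell
# Added example (not from the original post): register the scheduled task from
# PowerShell. Assumptions: a gMSA named gMSA-ADMove exists and is installed on this DC
# and holds the delegated move rights; the script path is the article's.
Import-Module ScheduledTasks

$ScriptPath = 'D:\Scripts\move computers.ps1'
$Account    = 'DOMAIN\gMSA-ADMove$'     # assumption: gMSA names end with $; Windows manages its password

# Same arguments as in the Task Scheduler GUI
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

# Repeat every 15 minutes; ten years is as good as indefinitely
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
    -RepetitionInterval (New-TimeSpan -Minutes 15) -RepetitionDuration (New-TimeSpan -Days 3650)

# LogonType Password with a gMSA: the task runs whether or not anyone is logged on,
# and no password is stored in the task
$Principal = New-ScheduledTaskPrincipal -UserId $Account -LogonType Password -RunLevel Limited

# Kill a hung run before the next one and never start a second instance in parallel
$Settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 10) `
    -MultipleInstances IgnoreNew -StartWhenAvailable

Register-ScheduledTask -TaskName 'AD - Move new workstations' `
    -Description 'Moves new client computers from CN=Computers to the WORKSTATIONS OU and mails a report' `
    -Action $Action -Trigger $Trigger -Principal $Principal -Settings $Settings

# After the first interval, check that it ran and with what result
Get-ScheduledTask -TaskName 'AD - Move new workstations' | Get-ScheduledTaskInfo
```

Get-ScheduledTaskInfo shows LastRunTime and LastTaskResult (0 means success), which is the same information as the History tab without opening the console.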

Every time the script runs you get an e-mail with the workstations newly added to the domain, and they are moved to the OU that fits your enterprise structure. You can add more commands to move servers or other machines based on other criteria (you can filter on any property in PowerShell).

The script file follows (just change the file extension back to .ps1 after editing it with your domain names and SMTP server IP address):

Move Computers with Email

A Configuration Manager gift from Cireson …..”Remote Manage app”

There is a very powerful and easy-to-use GUI tool out there from Cireson, a company that builds asset and service management products on top of Microsoft Service Manager and Configuration Manager. You must try it as an SCCM admin, or even as an AD admin, in any company; I thought I should share it with everyone because not a lot of people know about it ... and IT IS FREE:

Remote Manage app: this free tool is a WMI and SCCM client tool that gives you a lot of information about any PC in your SCCM client environment, helps you troubleshoot its problems, and can run actions or open admin consoles against the machine. It is very useful and I use it a lot in my work.

It works through PowerShell cmdlets, so make sure the WinRM service is running on the client machines and that the PowerShell execution policy allows these cmdlets to run. Everything the tool does runs with your own credentials and needs local administrator rights on the target, so the same care applies as to any remote admin session: use an account that is an admin on workstations only, not a Domain Admin.

How to use: just type the name or IP of the client and the name or IP of the site server (see the first image below) and click ... CONNECT :)

With this tool you can:

  • Run client actions, just like the action cycles in the Configuration Manager control panel applet.
  • Review the collections the machine is a member of and add it to any other collection.
  • Open the C$ share directly from the tool.
  • Open the ConfigMgr client logs folder directly from the tool.
  • Repair the ConfigMgr client from the tool.
  • Reset the SCCM client machine policy (this resets all policies on the machine, not just fetching new policy from the MP).
  • Uninstall the ConfigMgr client.
  • Check client info such as OS, IP, system model, CPU, RAM, top console user, uptime and so on.
  • See real-time logging of the PowerShell commands the tool runs against the machine to collect all this information and perform the actions.
Actions and Tools Tab

  • Review the software installed on the client, with filtering of the results:
Installed Software Tab

  • See the software available to this client in Software Center and install or uninstall any item:
Software Center Tab

  • Check and deploy the available or required Windows updates that SCCM has published to the client:
Available Updates Tab

  • Review the updates installed on the machine and the MISSING ones (very useful for comparing the missing updates here against the updates your SCCM ADRs are configured to deploy, to confirm that your rules deliver the right updates to the right machines ... and that you are going to the right party :) ):
Installed Updates Tab

  • Review the processes running on the machine, with the owner and path of each one, just like in Task Manager, and KILL any process from the tool:
Processes Tab

  • Review the installed printers, cancel print jobs, or pause the print queue of any printer:
Printers Tab

  • Review all system services and start or stop any of them (as in the Services.msc console):
Services Tab

  • The last tab is the most useful and exciting one ... the OTHER tab, where you will find tools to do the following:
  1. Shut down or reboot the machine
  2. Open the Computer Management, User Management and Event Viewer consoles directly from the tool
  3. Get more info about the agent: last logon user, last reboot, uptime and whether a reboot is pending ... GREAT, right?
  4. Verify, repair or reset WMI on the target machine
  5. Run PowerShell remotely on the machine
  6. Launch Remote Desktop or Remote Control and connect directly to the machine ... also GREAT, right?
  7. THE GREATEST: run and display Group Policy Results directly from the tool against the target machine (very useful for troubleshooting the GPOs applied to any machine and the winning GPO for every single setting); this is like running the RSOP.msc console, but faster
The beautiful OTHER Tab

The Group Policy Results Tab with the option to select any user :)

Thanks to Cireson for such a great FREE tool that makes SCCM client administration easier :)

Finally, you can DOWNLOAD the tool from the Cireson website:

http://cireson.com/apps/remote-manage/

See ya in a next post …

Free AD Tools that made my day

Today I will show you three free tools from SolarWinds that handle common Active Directory maintenance tasks:

1- Delete obsolete user accounts:

This gives you a report of all inactive user accounts, based on the last-logon time attribute of the object in AD, for an inactivity period you choose (for example all accounts that have not logged on to the domain for 30 or 90 days). You can delete them directly from AD, or export them to a CSV file and use PowerShell to delete or disable them as you prefer. Remember that the replicated attribute behind such reports (lastLogonTimestamp) is only refreshed when the stored value is about 14 days old, so the "last logon" shown can lag the real last logon by up to two weeks; choose your threshold with that margin in mind.

2- Delete obsolete computer accounts

This gives you the same report for computer accounts: all computers that have not logged on to the domain for 30 or 90 days. You can delete them directly from AD, or export them to a CSV file and use PowerShell to delete or disable them, or move them to a dedicated OU for obsolete objects. Disabling first and deleting only after a review period is the safer sequence, because deleting a computer object that is still in use breaks that machine's trust with the domain, and objects that are still referenced (cluster names, for instance) are easy to miss in a long list.

3- Import user accounts:

This bulk-creates user accounts from a list in a CSV file, and you can choose whether to create mailboxes for them as well.

 

Although these tasks can be done with PowerShell, the tools make them easier if you are not familiar with PowerShell.
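For the PowerShell route the article mentions, here is the obsolete-computer clean-up done with the ActiveDirectory module, as an added example that is neither the article's nor SolarWinds' code. It assumes a 90-day window and an OU named Obsolete for quarantined objects, excludes domain controllers, and keeps -WhatIf on the commands that change anything, so the first run is a dry run.

```powershell
# Added example (not from the article or SolarWinds): obsolete-computer clean-up with
# the ActiveDirectory module. Assumptions: 90-day window, an OU named Obsolete, and
# -WhatIf on the changing commands for a dry run; remove -WhatIf to apply.
Import-Module ActiveDirectory

$Days       = 90
$ObsoleteOU = 'OU=Obsolete,DC=domain,DC=local'   # assumption
$CsvPath    = "stale-computers-$(Get-Date -Format yyyyMMdd).csv"

# Search-ADAccount works from lastLogonTimestamp, which is replicated but is only
# refreshed when the stored value is roughly 14 days old, so the real last logon can be
# up to two weeks later than reported. Keep the window well above that.
$Stale = Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan (New-TimeSpan -Days $Days) |
    Where-Object {
        $_.Enabled -and                                             # already-disabled ones are done
        $_.DistinguishedName -notlike '*OU=Domain Controllers,*'    # never touch DCs from a bulk job
    } |
    ForEach-Object {
        Get-ADComputer -Identity $_.DistinguishedName -Properties LastLogonDate, OperatingSystem, Description
    }

# Report first: the CSV is both the review list and the audit trail of what was changed
$Stale | Select-Object Name, OperatingSystem, LastLogonDate, DistinguishedName |
    Export-Csv -Path $CsvPath -NoTypeInformation
"$(@($Stale).Count) computers inactive for $Days days written to $CsvPath"

foreach ($Computer in $Stale) {
    # Disable and move rather than delete: a mistake stays reversible, and the
    # description records why and when it happened
    $Note = "Disabled $(Get-Date -Format yyyy-MM-dd): no logon for $Days days. Was: $($Computer.Description)"
    Set-ADComputer -Identity $Computer -Enabled $false -Description $Note -WhatIf
    Move-ADObject -Identity $Computer.DistinguishedName -TargetPath $ObsoleteOU -WhatIf
}
```

Swap -ComputersOnly for -UsersOnly and Get-ADComputer for Get-ADUser and the same script produces the user report from tool 1. Deletion of the quarantined objects is a separate, later step over the contents of the Obsolete OU, once nobody has complained.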

you can download them from this link:

http://www.solarwinds.com/products/freetools/ad_admin_tools.aspx

 

WSUS BITS Issue

If you see Event ID 364 in the Application event log from Windows Server Update Services (WSUS), saying that it cannot download some updates, like this one:

WSUS Event 364

then you are lucky to be reading this article, because there is a workaround for this nightmare:

The error happens when a proxy or router somewhere on the path to the Microsoft Update servers (it may be outside your own network, at the ISP or anywhere in between) does not handle the HTTP 1.1 features that the BITS service relies on for background downloads. The workaround is to make WSUS download through BITS at foreground priority, which avoids the problem, by changing one value in the WSUS database with the sqlcmd.exe tool. Note that the named pipe of the Windows Internal Database changed with Windows Server 2012: use \\.\pipe\MICROSOFT##WID\tsql\query on 2012 and later, and \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query on 2008 / 2008 R2 (the capture below comes from the older version). The sqlcmd.exe folder also depends on which version of the SQL tools you installed (...\90\Tools\Binn for the 2005 tools, ...\110\Tools\Binn for 2012). The steps:

  • Install the SQL Server command-line utilities (sqlcmd.exe) and their native client prerequisite on the WSUS server.
  • Back up SUSDB first: you are editing the WSUS database directly, and the backup is your only undo.
  • In an elevated command prompt, go to the folder that holds sqlcmd.exe (for example C:\Program Files\Microsoft SQL Server\90\Tools\Binn\) and run the following command:
    sqlcmd.exe -S \\.\pipe\MICROSOFT##WID\tsql\query -E -b -Q "USE SUSDB update tbConfigurationC set BitsDownloadPriorityForeground=1"
  • If everything works, you will see a result like this (taken on a 2008-era server, hence the older pipe name):

    C:\Program Files\Microsoft SQL Server\90\Tools\Binn>SQLCMD.exe -S \\.\pipe\mssql$microsoft##ssee\sql\query -E -b -Q "USE SUSDB update tbConfigurationC set BitsDownloadPriorityForeground=1"
    Changed database context to 'SUSDB'.

    (1 rows affected)

  • Restart the WSUS service and start a synchronization from Configuration Manager (or from the WSUS console if you don't have SCCM).
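The same workaround as a PowerShell script, added here as an example that is not from the article or the TechNet page. It reads the current value first, changes it only when needed, and takes a SUSDB backup before the update. It assumes WSUS runs on the Windows Internal Database, tries both WID pipe names, and uses a placeholder path for the backup file; run it elevated on the WSUS server.

```powershell
# Added example (not from the article): apply the BITS workaround with a check before
# and after, and a backup of SUSDB first. Assumptions: WSUS runs on the Windows Internal
# Database (the two pipe names are its names on Server 2008 and on Server 2012 and later);
# the backup path is a placeholder.
$Pipes = @(
    '\\.\pipe\MICROSOFT##WID\tsql\query',        # Windows Server 2012 and later
    '\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query'   # Windows Server 2008 / 2008 R2
)
$BackupFile = 'C:\Backup\SUSDB-before-bits.bak'  # assumption

# Locate sqlcmd.exe wherever the command-line utilities put it (90, 110, ... tools folders)
$SqlCmd = Get-ChildItem 'C:\Program Files\Microsoft SQL Server' -Recurse -Filter sqlcmd.exe -ErrorAction SilentlyContinue |
    Select-Object -First 1 -ExpandProperty FullName
if (-not $SqlCmd) { throw 'sqlcmd.exe not found; install the SQL Server command-line utilities first' }

function Invoke-SusDb {
    param([string]$Server, [string]$Query)
    # -E: Windows authentication (WID only admits local administrators, hence run elevated),
    # -b: non-zero exit code on error, -h -1 -W: no header row and no padding, so a single
    # value comes back as a single line
    $out = & $SqlCmd -S $Server -E -b -h -1 -W -Q $Query 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed on $Server`: $out" }
    $out.Trim()
}

function Get-BitsForeground([string]$Server) {
    Invoke-SusDb $Server 'SET NOCOUNT ON; SELECT BitsDownloadPriorityForeground FROM SUSDB.dbo.tbConfigurationC'
}

# Use whichever pipe answers; the other belongs to a different Windows version
$Server = $Pipes | Where-Object { try { Invoke-SusDb $_ 'SELECT 1' | Out-Null; $true } catch { $false } } |
    Select-Object -First 1
if (-not $Server) { throw 'Could not reach the WSUS database on either WID pipe' }

$Before = Get-BitsForeground $Server
"BitsDownloadPriorityForeground on $Server is $Before"

if ($Before -ne '1') {
    # A direct edit of SUSDB is a last resort: keep a backup you can restore
    Invoke-SusDb $Server "BACKUP DATABASE SUSDB TO DISK = N'$BackupFile' WITH INIT" | Out-Null
    Invoke-SusDb $Server 'UPDATE SUSDB.dbo.tbConfigurationC SET BitsDownloadPriorityForeground = 1' | Out-Null
    Restart-Service -Name WsusService
    "Changed; value is now $(Get-BitsForeground $Server)"
}
```

The value only takes effect for downloads that start after the WSUS service restart, so trigger a synchronization afterwards and watch the Application log for a fresh event 364 (or its absence).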

This solution is described by Microsoft in this TechNet article (with another tool, osql.exe, that didn't work with the new WSUS version):

https://technet.microsoft.com/en-us/library/cc708426(v=ws.10).aspx

Configuration Manager Remote Desktop Tools

Hi all, today I'll share a ConfigMgr 2012 behind-the-scenes setting that can affect your whole infrastructure and productivity: the Remote Control settings in the SCCM client settings.

We all know that by default the Administrators and Remote Desktop Users groups have the right to log on remotely through Remote Desktop (on domain controllers it is Administrators only) ... but Configuration Manager 2012 has another opinion once you give it the controller stick :)

To permit users to control machines remotely with Remote Desktop or the Remote Control tool, follow these steps:

  1. In the SCCM console go to the Administration workspace and click Client Settings in the list on the left:
SCCM Console Administration Tab

2. Open the Default Client Settings, or your custom client settings if you created one for remote settings, and click Remote Tools in the list on the left:

Default Client Settings

3. Under Permitted viewers of Remote Control and Remote Assistance, click Set Viewers ...:

Set Permitted Viewers

4. A list opens to which you can add domain users or groups as permitted viewers (I recommend a dedicated group for the users who need remote access permissions):

Permitted Viewers Window

NOW, what happens when you add accounts to this list (Permitted Viewers)?

To answer that, let's see what ConfigMgr does when you enable Remote Control on clients:

Configuration Manager creates a local group called "ConfigMgr Remote Control Users" on every machine and gives this group the local security policy user right "Allow log on through Remote Desktop Services". So whenever you add an account to the Permitted Viewers list, the ConfigMgr client adds it to this group on every client in scope. If you want, for example, Domain Admins to use Remote Control to share a user's desktop in a shared session, put the Domain Admins group in the Permitted Viewers list; but think twice before doing that, because the list grants interactive remote logon on every client that receives the settings, and Domain Admin credentials do not belong on workstations, so a dedicated helpdesk group is the better choice. Microsoft does not recommend adding users to this group (ConfigMgr Remote Control Users) directly; add them to the Permitted Viewers list instead.
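An added example, not from the original post, to check what the Permitted Viewers setting actually produced on clients: it reads the two local groups that carry remote logon rights on a few machines and warns when a tier-0 group shows up in them. The client names are constructed placeholders; it assumes WinRM is enabled and that you are a local administrator on those clients (Get-LocalGroupMember needs PowerShell 5.1 on the client).

```powershell
# Added example (not from the original post): audit which accounts hold remote logon
# on clients after Permitted Viewers has been applied. Assumptions: constructed client
# names, WinRM enabled, you are a local admin on them, PowerShell 5.1 on the clients.
$Clients = 'PC-0001', 'PC-0002'                       # assumption: constructed names
$Groups  = 'ConfigMgr Remote Control Users', 'Remote Desktop Users'
$Tier0   = 'Domain Admins', 'Enterprise Admins'       # should never appear on workstations

$Audit = Invoke-Command -ComputerName $Clients -ArgumentList (,$Groups) -ScriptBlock {
    param([string[]]$Groups)
    foreach ($g in $Groups) {
        # The ConfigMgr group only exists where the client has Remote Tools enabled
        $exists = try { Get-LocalGroup -Name $g -ErrorAction Stop | Out-Null; $true } catch { $false }
        if (-not $exists) { continue }
        Get-LocalGroupMember -Group $g | ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Group    = $g
                Member   = $_.Name          # DOMAIN\name or MACHINE\name
                Type     = $_.ObjectClass   # User or Group
            }
        }
    }
}

$Audit | Sort-Object Computer, Group, Member | Format-Table Computer, Group, Member, Type -AutoSize

# Flag tier-0 groups that now have interactive logon on ordinary clients
$Audit | Where-Object { $Tier0 -contains $_.Member.Split('\')[-1] } |
    ForEach-Object { Write-Warning "$($_.Computer): $($_.Member) is in '$($_.Group)'" }
```

Feed it the members of a collection (exported from the console) instead of two names and you have a quick check that the Permitted Viewers list and the local groups agree across the estate, and that nobody added a privileged group by hand.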

Thanks for reading

Hossam

Hello world!

Hi, I'm Hossam Almosallamy.
I'm a Systems Engineer focused on Microsoft products and solutions (SCCM 2012, SCSM 2012, Active Directory, Group Policy, Windows Server, PowerShell).
I have worked for many companies since 2007, and now I'm working at Najran University in Saudi Arabia.
This is my new BLOG, which I consider my official site for sharing my technical skills and knowledge with other IT professionals around the world.
I hope this helps you work easier or smarter, and I'll be happy to see your comments or questions.