SSL 64-bit Block Size Cipher Suites Supported ( 3DES -CBCSHA Ciphers, RC4-MD5, RC4-SHA ) 

Legacy block ciphers having a block size of 64 bits are affected by a vulnerability, known as SWEET32. A man-in-the-middle attacker who has sufficient resources can exploit this
vulnerability via “birthday” attack By misusing the SWEET32 vulnerability, an attacker can send in a large volume of dummy data and get blocks of ciphertext that matches
that of the organisation.
Attack Process
1. The attacker sniffs all data sent to your customer (external user).
2. The attacker sends dummy data to your server until a key used for a customer matches the attacker’ssession key.
3. Once there’s a match, sensitive data can be decrypted by determining how the key was chosen.

Fix

 https://gallery.technet.microsoft.com/Solve-SWEET32-Birthday-d2df9cf1

And

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56

“Enabled”=dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168

“Enabled”=dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128

“Enabled”=dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128

“Enabled”=dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128

“Enabled”=dword:00000000

Server Version Disclosure

Default or misconfigured web servers often disclose the version at multiple locations like HTTP response headers, and at error pages. Attackers can perform banner-grabbing against the webserver by using netcat or telnet, which reveals the webserver, version, and operating system.

On IIS 7

Using the Registry key.

Create a DWORD entry called DisableServerHeader in the following Registry key and set the value to 1.

HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

On IIS 6 

2) 1. Install URLScan (this is a free tool available from Microsoft)
2. Open the URLScan.ini file with a text editor. The file is usually located in the
%WINDIR%System32InetsrvURLscan directory.
3. Search for the key RemoveServerHeader, which by default, is set to 0. Set the value to 1 in order to
remove the Server header.

SSLv3, TLS 1.0 protocols

If Poodle SSLv3 is enabled on any website, then it is vulnerable to a poodlebleed attack. The remote service accepts connections encrypted using SSL 3.0. These versions of SSL reportedly suffer from several cryptographic flaws.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]
“Enabled”=dword:00000000

Disable SSL V2

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]
“Enabled”=dword:00000000

Webserver HTTP Header Internal IP Disclosure

A string matching an internal IPv4 address was found on this page. This may disclose information about the IP addressing scheme of the internal network. This information can be used to conduct further targeted attacks. Internal IP addresses are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. This may also affect other web servers, web applications, web proxies, load balancers, and a variety of misconfigurations related to redirection.

IIS 7.0

appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:”remote.server.domain.com”  /commit:apphost

IIS 6.0

To prevent internal IP address disclosure, take the following steps.
1. Open a command prompt and change the current directory to c:\inetpub\adminscripts or to where the adminscripts can be found.
2. Run the commands
adsutil set w3svc/UseHostName True
net stop iisadmin /y
net start w3svc
This will cause the IIS server to use the machine’s hostname rather than its IP address.

If running the above on IIS 7 you will get : 

ErrNumber: -2147463162 (0x80005006)
Error Trying To SET the Property: UseHostName

SSL/TLS DiffieHellman Modulus <=1024 Bits (Logjam)

Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols, including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS. The current Modulus being used is a weak one and can be exploited by a determined hacker. Update to DHE-2048 Bits

Fix
Make sure that you have KB 3174644 installed on the affected server.
Run Regedit on the affected server
Navigate to the following Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\KeyExchangeAlgorithms
Create a new sub key named Diffie-Hellman (if it didn´t already exists)
Inside that create a new DWORD called “ServerMinKeyBitLength” with the value “00000800” (for 2048 bit)

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Problem Description:

  1. [FSM:FAILED]: Cap the power consumption of chassis 1(FSM:sam:dme:EquipmentChassisPowerCap). Remote-Invocation-Error: Error in setting power cap budget-MC Error(-5): Error Executing Command
  2. Warning: there are pending management I/O errors on one or more devices, failover may not complete.

UCS-FI-M-6324

UCSM:Package-Vers: 3.1(3a)A

Action Taken:

+ Tried changing the power cap policy from Chassis level to blade level and back to chassis level, fault did not clear.

 

Rebooted FI-IOM B, all faults are cleared.

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Server 2008 and prior domain controllers create two Domain Admin accounts with permissions on the GPOs.  We could not see both in the GUI but when we ran icacls {GPO UID} on the Server 2008 domain controller you see both Domain Admin accounts.

Server 2012 and newer domain controllers only create a single Domain Admin account with access.  In the 2018.6C (June 21 Rollup, links below) patch for 2016 and 2012R2, a new function was introduced to remove duplicate ACEs in order to reduce the NTFS Security Descriptor stream size. Machines with this patch will no longer write that duplicate ACE, thereby making them inconsistent with the unpatched ones.

To fix we logged into the Server 2008 domain controller and ran the following command against all the GPOs to remove both domain admin account

icacls “{GPO UID}” /remove:g “<localdomain>\Domain Admins”

Then the following command to add a single Domain Admin account back to the GPO

icacls “{GPO UID}” /grant “<localdomain>\Domain Admins”:(OI)(CI)(F)

We then we forced replication again with these two commands

repadmin /syncall

repadmin /syncall /AdePq

After that we re-ran the Detect Now on the server 2016 and all servers were green.

IMPORTANT NOTE:

If you create a new policy on Server 2008 it will get the second domain admin account again.  So to prevent it from happening going forward you should create the GPOs on Server 2016.

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

After enabling Mimecast for Inbound routing , Threat Protection Re-Writes the URLs for Safety. When this is enabled with the following 365 Spam Check : Image links to remote sites

Which : Messages that contain <Img> HTML tag links to remote sites (for example, using http) are marked as spam.

All Inbound emails with Images with Hyperlinks get marked as Spam by Office365. Make sure this is turned off!

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

The compact is the recommendation from iManage Support. Ideally, you can stop connector and the ingestion due to it not being used anymore and start the services after DRECOMPACT

You will need 30% free disk space to run DRECompact Successfully.

 

STEPS TO RESOLVE

  1. Stop Worksite Connector and Work Ingestion Server services
  2. Expand Content Engine disks to a point that there is more than 30% capacity free 
  3. Run a DRECOMPACT task against both engines

    http://127.0.0.1:11001/DRECOMPACT
    http://127.0.0.1:12001/DRECOMPACT

    Make a note of the INDEXID number returned to your browser.
  4. Wait until completed

    YOU CANNOT STOP THIS PROCESS AND IT MAY TAKE A CONSIDERABLE AMOUNT OF TIME


  5. You can monitor the status from the IndexerBrowser

    “The compaction is complete when the IndexerGetStatus action reports that the job (INDEXID number) is finished (status=-1, description = Finished).”

 

  1. Restart the Connector and Ingestion Server services once the job has completed and the content engine disks are looking a little emptier

 

To set up a schedule for compaction

  1. Open the Content server configuration file in a text editor.
  2. Find the [Schedule] section. If the configuration file does not contain a [Schedule] section, add one.
  3. Set the following parameters in the [Schedule] section:

 

Compact:                         

Type true to enable a compacting schedule.

 

CompactTime:                

The time (hh:mm) when you want the Compact operation to start.

 

CompactInterval:           

The number of hours between DRECOMPACT operations. Specify the time in the 24-hour clock and the format hh:mm. When you start WorkSite Indexer, the specified CompactInterval must elapse (after the specified CompactTime) before the first  DRECOMPACT

operation takes place. Type 0 to schedule daily compactions.

 

For example:

[Schedule]

Compact=true

CompactTime=01:00

CompactInterval=168

 

This configures a compaction every 168 hours (once a week) at 1:00 a.m.

 

      1. Save and close the configuration file.
      2. Restart the Content server for your changes to take effect.
      3. Repeat Step 1 to Step 5 for all your Content servers.

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Check these recommended Enterprise Cloud Resources and Neutral Resources network settings

Also : 

Exempting the App means the app will allow to be able to access and share company data 

Get-AppLockerFileInformation -Path "C:\Program Files\Windows NT\Accessories\wordpad.exe"

Name : Firefox

Product Name : O=MOZILLA CORPORATION, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US

Publisher : *

File : firefox.exe

Min Verison : *

Max Version : *

 

Name : Chrome

Product Name : O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US

Publisher : *

File : chrome.exe

Min Verison : *

Max Version : *

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Currently, there is no way to use the Regex filter to capture “Everything” is not allowed in Microsoft 365 environment. This is by design.

A bit annoying when you want to tag a sensitivity label to all files

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Something went wrong. Here are some possible reasons.
Device already connected to org
Couldnt auto discover a management endpoint assigned to username. If you know your endpoint please enter it.\
mdm server URL: blank     > https://wip.mam.manage.microsoft.com/Enroll didnt work

 

  1. Checked existing connections, if so disconnect and reconnect again.  There wasn’t.
  2. Backup and delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments
  3. Try again.. existing connection popped up, disconnect and reconnect working now
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)
  • Needs a specific PDF Reader

https://docs.microsoft.com/en-us/azure/information-protection/rms-client/protected-pdf-readers

Nitro PDF at the time of writing this does not work! Remember this will be for Internal and External People reading a protected document

  • Deployment of Microsoft Azure Information Protection Viewer ( There is no Mac OSX client for Azure Information Protection.)
    To read-protected Txt files and image files, think of files that will be protected without a reader.

  • Authorized Workflow or Users to Remove the Sensitivity Label
    If you want the send the document out of the organization to a user who is not setup in your company’s Azure AD ( e.g Guess Access ) you will need a Workflow that automates and logs this removal for Compliance/Auditing of a User with these permissions
  • Sensitivity Labelling
  1. Enable Sensitivity on a Teams or Sharepoint Library  Does not set Files underneath it
  2. You can set a Default Document Label however you will still need to encrypt old documents ( see below ) 
  3. Auto-Labelling Technology to do this needs License and is still in Preview License needed ( Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 E5/A5 Information Protection and Governance, Office 365 E5, Office 365 Advanced Compliance, Enterprise Mobility + Security E5, and AIP Plan 2 provide the rights for a user to benefit from automatic sensitivity labeling. ) 
  4. Use the Microsoft Cloud App Security dashboard with File Policy to Tag the files ( still needs above license ) 
  • Breaks CoAuthoring
    Can only use the web version of Office for Document CoAuthorign

  • Needs the latest version of Office 365 for Client-Side Labelling Modifications 
    Remember any external people you are sharing with will need this as well to open

 

 

 
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)