Blog: Networking

I have encountered issues on PCs that cannot access CDs or flash drives when removable media access had previously been restricted by either Group Policy or Symantec Endpoint device control. After the restrictions were removed, trying to read from the CD or flash drive still gave an "Access Denied" error.

The only way I've been able to resolve this issue is to go to Device Manager, uninstall the CD-ROM drive/flash drive, and then scan for hardware changes to add it back.

My assumption is that some registry settings aren't being changed correctly when the policies are removed, so re-adding the device recreates the registry settings for the hardware.
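
The script below is an added example, not part of the original post. It lists any leftover values under the RemovableStorageDevices policy key (what Group Policy writes for "Removable Disks", "CD and DVD" and the other classes), so you can see whether policy residue is still denying access, and with -Reset it removes the present optical and USB drives and rescans, which is what the Device Manager fix above does by hand. It assumes an elevated session and Windows 10 2004 or later (for pnputil /remove-device and /scan-devices). Symantec Endpoint Protection keeps its device-control state elsewhere and is not covered.

```powershell
# Added example; not part of the original post. Lists leftover RemovableStorageDevices
# policy values and, with -Reset, removes present optical/USB drives and rescans so
# Plug and Play rebuilds their registry state.
# Assumptions: elevated session; Windows 10 2004+ (pnputil /remove-device, /scan-devices).
param([switch]$Reset)

$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
)

function Get-RemovableStoragePolicy {
    foreach ($root in $policyRoots) {
        if (-not (Test-Path $root)) { continue }
        # Deny_All sits on the root key; per-class subkeys (named by device interface GUID)
        # carry Deny_Read / Deny_Write / Deny_Execute. Any of these still present after the
        # policy was lifted is a candidate cause of "Access Denied".
        foreach ($key in @(Get-Item $root) + @(Get-ChildItem $root)) {
            foreach ($name in ($key.GetValueNames() | Where-Object { $_ -like 'Deny_*' })) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = $name
                    Data  = $key.GetValue($name)
                }
            }
        }
    }
}

$leftovers = @(Get-RemovableStoragePolicy)
if ($leftovers.Count -eq 0) {
    'No RemovableStorageDevices policy values present.'
} else {
    $leftovers | Format-Table -AutoSize
}

if ($Reset) {
    # Present optical drives and USB-attached disks only; fixed SATA/NVMe disks are skipped.
    $targets = Get-PnpDevice -PresentOnly -Class CDROM, DiskDrive |
        Where-Object { $_.Class -eq 'CDROM' -or $_.InstanceId -like 'USBSTOR\*' }
    foreach ($dev in $targets) {
        "Removing $($dev.FriendlyName) [$($dev.InstanceId)]"
        pnputil /remove-device "$($dev.InstanceId)" | Out-Null
    }
    # Re-enumerate so the devices come back with freshly created registry entries.
    pnputil /scan-devices
}
```

Run it once without -Reset first: if Deny_* values are still listed, the policy was never actually lifted (a GPO still applies, or the key was left behind), and removing the device will only help until the next policy refresh.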

One of our Technology customers recently migrated to a new AT&T WAN offering called AT&T Switched Ethernet – Network on Demand (ASE NoD). This is the most recent evolution of their metro Ethernet service with the addition of long-distance layer 2 connections.

What makes this "network on demand" is the ability to change bandwidth as needed through a web portal, up to the physical Ethernet hand-off limit, typically 10Mb/s, 100Mb/s, or 1Gb/s. The default rate for each of this customer's locations was set to 20, 50, or 100Mb/s.

Since this is a relatively new product, we ran into several gotchas in the implementation:

  • The customer ordered 1Gb/s hand-offs delivered over single-mode fiber. This required new optics or media converters for sites with routers that had only UTP ports. We later learned that AT&T can also provide the 1Gb/s hand-off over multi-mode fiber or UTP. Changing from single-mode would have required modifying the order and delaying the implementation, so we stayed with what was ordered.
  • The bandwidth actually billed is based on the Committed Information Rate (CIR). Initially this was set to 20Mb/s for most sites, which matched the price quoted by AT&T. We wanted to increase the bandwidth for one location, but the portal did not allow any changes above the default CIR. After several calls to AT&T we discovered there was an internal maximum set at 20Mb/s. We had them change the maximum to the hand-off speed of 1Gb/s to fix this problem.
  • After fixing the issue above, the Ethernet Virtual Connection (EVC) for each site changed to 1Mb/s, but thankfully only in the portal; the actual EVC did not change. It took another series of calls with AT&T to fix this issue.


After installing each Windows 10 Creators Update, I get the following error message when I try to click on any link in any email message or click on a table of contents link in a Word document:

It's not an entirely bad thing to have email links require a copy and paste, but it's a real problem with other links, like the table of contents in a long Word document.

There is a KB article at https://support.microsoft.com/en-us/kb/310049 that discusses this issue. The solution for Windows 10 is to find a system that doesn't have the problem, export the registry key below from it, and import it into the offending system. The key it references gets deleted each time a new Creators Update is installed.

HKEY_LOCAL_MACHINE\Software\Classes\htmlfile\shell\open\command

Then you export the subkey to a file, copy the file to the system having the problem, and import it into that system's registry (either by double-clicking the .reg file or by importing it via regedit). The last step is to verify that the (Default) string value of the HKEY_CLASSES_ROOT\.html key is "htmlfile".

That was several steps it took to make my system less secure. It's usually the other way around!
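
The script below is an added example, not from the original post or the KB article. It reports the two values the fix depends on, exports the key on a healthy machine, and inspects the resulting .reg file before it is imported on a broken one. That key holds the command Windows runs to open any HTML link, so a tampered or mislabelled .reg file here is a code-execution path; read it before importing. The file name link-fix.reg is an assumption.

```powershell
# Added example; not from the original post or the KB article. Checks the htmlfile open
# command and the .html association, exports the key, and vets a .reg file before import.
# 'link-fix.reg' is an assumed file name.

$OpenCommandKey = 'HKLM\SOFTWARE\Classes\htmlfile\shell\open\command'

function Get-HtmlOpenState {
    $cmd = Get-Item 'HKLM:\SOFTWARE\Classes\htmlfile\shell\open\command' -ErrorAction SilentlyContinue
    # HKCR: is not a default PowerShell drive, hence the Registry:: provider path.
    $ext = Get-Item 'Registry::HKEY_CLASSES_ROOT\.html' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OpenCommand = if ($cmd) { $cmd.GetValue('') } else { '<key missing>' }
        HtmlProgId  = if ($ext) { $ext.GetValue('') } else { '<key missing>' }   # should read htmlfile
    }
}

function Export-HtmlOpenCommand {
    param([string]$Path = 'link-fix.reg')
    # Run this on the machine that still works.
    reg export $OpenCommandKey $Path /y | Out-Null
    Get-Item $Path
}

function Test-RegFile {
    param([Parameter(Mandatory)][string]$Path)
    # reg export writes UTF-16 with a BOM, which Get-Content detects on its own.
    $text = Get-Content -Raw -Path $Path
    $keys = @([regex]::Matches($text, '^\[([^\]]+)\]\s*$', 'Multiline') |
              ForEach-Object { $_.Groups[1].Value })
    # @="..." is the key's (Default) value; undo reg's escaping of quotes and backslashes.
    $cmds = @([regex]::Matches($text, '^@="(.*)"\s*$', 'Multiline') |
              ForEach-Object { $_.Groups[1].Value -replace '\\"', '"' -replace '\\\\', '\' })
    $exe  = @(foreach ($c in $cmds) { if ($c -match '^"?([^"]+?\.exe)"?') { $Matches[1] } })
    $trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) | Where-Object { $_ }
    [pscustomobject]@{
        Keys        = $keys
        Commands    = $cmds
        Executables = $exe
        # Exactly the one expected key, and its executable exists under a system-owned root.
        LooksSafe   = [bool](($keys.Count -eq 1) -and
                      ($keys[0] -ieq 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command') -and
                      ($exe.Count -eq 1) -and (Test-Path $exe[0]) -and
                      ($trustedRoots | Where-Object { $exe[0].StartsWith($_, 'OrdinalIgnoreCase') }))
    }
}

Get-HtmlOpenState
# On the broken machine, after copying the file over:
#   if ((Test-RegFile .\link-fix.reg).LooksSafe) { reg import .\link-fix.reg }
```

Test-RegFile deliberately fails a file that carries more than the one expected key or points the open command at an executable outside Program Files or the Windows directory; either is a sign the file is not what it claims to be.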

Recently, Microsoft released the production version of a new management interface called Windows Admin Center, formerly known as Project Honolulu. Its purpose is to provide a centralized or locally deployed, browser-based management interface that will (eventually, hopefully) replace Server Manager. It manages servers using PowerShell remoting and WMI over WinRM, and client systems through similar methods.

Simply add your machines to the list, assign credentials to connect with (they can be your own; it doesn't appear credentials are shared between administrators), and connect. The main requirement is that the server you're connecting to has WMF 5.0 or later installed.

As you can see from the above screenshot, there are a TON of things you can do through this interface, including browsing files, managing local users, managing the registry, enabling RDP, installing roles and features, and managing and installing Windows Updates. It's a really impressive application that I plan to start using more often. It's very responsive and even loads interfaces faster than the MMC equivalent in many cases. I can certainly see the difference in the Event Viewer, for example.

To learn more or to download the free product, check out https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/understand/windows-admin-center
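
The function below is an added example, not from the original post or from Microsoft. Run from the admin workstation, it confirms a server is reachable the way Windows Admin Center reaches it (WinRM), reports whether it meets the WMF requirement mentioned above, and checks for an HTTPS WinRM listener, which is what you want when the gateway and the target are not in the same Kerberos realm. The host name srv01.corp.example is an assumption.

```powershell
# Added example; not from the original post or from Windows Admin Center itself.
# Verifies WinRM reachability, WMF version and HTTPS listener on a management target.
# 'srv01.corp.example' is an assumed host name.
function Test-WacTarget {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [pscredential]$Credential
    )
    $r = [ordered]@{
        ComputerName  = $ComputerName
        WinRM         = $false
        PSVersion     = $null
        MeetsWmf50    = $false
        HttpsListener = $false
        Error         = $null
    }
    try {
        # Test-WSMan does not authenticate by default; it only proves the WinRM service answers.
        $null = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop
        $r.WinRM = $true
    } catch {
        $r.Error = $_.Exception.Message
        return [pscustomobject]$r
    }

    $invoke = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($Credential) { $invoke.Credential = $Credential }
    try {
        $remote = Invoke-Command @invoke -ScriptBlock {
            # Listener configuration lives under the WSMan: drive on the target itself.
            $transports = foreach ($l in Get-ChildItem WSMan:\localhost\Listener) {
                (Get-ChildItem $l.PSPath | Where-Object Name -eq 'Transport').Value
            }
            [pscustomobject]@{
                PSVersion = $PSVersionTable.PSVersion.ToString()
                Https     = [bool]($transports -contains 'HTTPS')
            }
        }
        $r.PSVersion     = $remote.PSVersion
        $r.MeetsWmf50    = [version]$remote.PSVersion -ge [version]'5.0'
        $r.HttpsListener = $remote.Https
    } catch {
        $r.Error = $_.Exception.Message
    }
    [pscustomobject]$r
}

Test-WacTarget -ComputerName 'srv01.corp.example' -Credential (Get-Credential)
```

If WinRM is false the target is not yet manageable at all; if HttpsListener is false and the machine is outside your Kerberos realm, add an HTTPS listener rather than widening TrustedHosts, since WinRM over HTTP to a non-Kerberos host falls back to weaker authentication. Give the gateway itself a CA-issued certificate as well, rather than keeping the self-signed one created at install.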

I was configuring a new Windows 10 PC for a customer and was logged in under the local Administrator account. I tried to open Edge but received a notification that Edge could not be opened using the built-in Administrator account.

After some research, I discovered that Microsoft has become distrusting enough of the built-in Administrator account that it prevents it from opening modern (Store) apps. This was actually introduced with Windows 8, but Windows 10 introduced Edge, which is potentially the first widely used Store app.

The reason is that the built-in Administrator does not run in Admin Approval Mode by default, so it never gets the filtered token that other administrators (and Store apps) rely on. The options to fix this are to use a different administrative account, or to enable the Group Policy setting "User Account Control: Admin Approval Mode for the Built-in Administrator account" so that account behaves like any other administrator. Disabling UAC is not a fix: with UAC off, Store apps will not launch for any account. The details of the issue and the fix are included in this link: https://4sysops.com/archives/why-the-built-in-administrator-account-cant-open-edge-and-a-lesson-in-uac/
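
The script below is an added example, not from the original post or the linked article. It reads the two UAC registry values behind this behaviour and, with -Enable, turns on Admin Approval Mode for the built-in Administrator, which is the registry form of the Group Policy setting named above. It assumes an elevated session on a standalone or workgroup PC; on a domain-joined machine set it through GPO instead, or Group Policy will overwrite the local value on the next refresh. A sign-out or restart is needed for the new token settings to apply.

```powershell
# Added example; not from the original post or the linked article. Reports UAC state and,
# with -Enable, sets FilterAdministratorToken so the built-in Administrator gets a filtered
# token like other admins. Assumes an elevated session; sign out or restart afterwards.
param([switch]$Enable)

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    $p = Get-ItemProperty -Path $UacKey
    # EnableLUA = 1 means UAC is on at all; FilterAdministratorToken = 1 means the built-in
    # Administrator also runs in Admin Approval Mode, which is what lets Store apps launch.
    [pscustomobject]@{
        UacEnabled                   = ($p.EnableLUA -eq 1)
        BuiltinAdminApprovalMode     = ($p.FilterAdministratorToken -eq 1)
        StoreAppsWorkForBuiltinAdmin = ($p.EnableLUA -eq 1) -and ($p.FilterAdministratorToken -eq 1)
    }
}

if ($Enable) {
    $before = Get-UacState
    if (-not $before.UacEnabled) {
        # Turning UAC off is the wrong direction: with EnableLUA = 0 no account can run Store apps.
        Set-ItemProperty -Path $UacKey -Name EnableLUA -Value 1 -Type DWord
    }
    Set-ItemProperty -Path $UacKey -Name FilterAdministratorToken -Value 1 -Type DWord
    'Values set; sign out or restart for the new token settings to take effect.'
}
Get-UacState
```

Both values only make the account more restricted, never less, so this is a safe change to roll out broadly; the only visible effect is that the built-in Administrator starts seeing the same elevation prompts everyone else does.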

At the beginning of 2018, news broke regarding "Meltdown" and "Spectre", two vulnerabilities that abuse speculative execution in modern CPUs to read memory the running code should not be able to see (Meltdown mainly affects Intel processors; Spectre variants affect Intel, AMD and ARM designs as well). The scope expanded somewhat from the initial report as OS vendors released patches for their respective systems, but the basic vulnerability remained the same.

Microsoft released an out-of-band patch to mitigate the vulnerability from the software side, with a caveat: several antivirus products were making unsupported calls into kernel memory. With the Microsoft patch installed, such a system would crash with a "blue screen of death" (BSOD) caused by the antivirus software.

In response, Microsoft made Windows Update check for a registry value before offering the patch; antivirus vendors were to set this value to show their product was compatible with the release. Where a vendor did not set it (despite being compatible), IT administrators had to add the value manually in order to keep receiving patches after the January release.

Over the next several months, problems with CPU firmware (microcode) caused software patches to be re-released, rolled back, and released again across a variety of vendors. Only recently have these firmware releases stabilized enough that software vendors can re-release and support their mitigation patches.

More recently, the March 2018 Monthly Rollup for Server 2008 R2 (KB4088875; KB4088878 for the security-only update) had an issue that affected many virtual servers with static IP addresses. Upon reboot, these servers would "lose" and "rediscover" the NIC, leaving administrators to delete the disconnected, hidden NIC and reconfigure the new one. Around a week after the initial release, Microsoft published a workaround: a VBScript that clears some registry settings and is to be run before installing this patch.

A few days later, information came out regarding "Total Meltdown", a new vulnerability introduced by the January and February Meltdown patches themselves on 64-bit Windows 7 and Server 2008 R2, which required an out-of-band kernel update in addition to the buggy March Monthly Rollup for Server 2008 R2.

Finally, a week before the April Patch Tuesday release, Microsoft released a patch that runs the VBScript via Windows Update, and configured the patch metadata so that it installs before the buggy KB4088875 and the follow-up kernel update (KB4100480). As of the April Patch Tuesday, these patches appear to have been rolled into the single Monthly Rollup release, which takes care of all the prerequisites automatically.

There are several other examples of past patches that require additional manual work after installation. A few are below:

  • KB2871997 - Released October 2014, requires a registry value (TokenLeakDetectDelaySecs) to force clearing of leaked logon-session credentials
  • KB3159706 - Released May 2016, requires a post-installation command (wsusutil.exe postinstall /servicing) on Server 2012 R2 WSUS to properly decrypt Windows 10 upgrades
  • KB4034879 - Released July 2017, requires a registry value (LdapEnforceChannelBinding) to make LDAP authentication over SSL/TLS more secure

Needless to say, it is prudent for IT administrators to stay on top of patching and of the vulnerabilities reported across their infrastructure. Many of these additional steps can easily slip through the cracks for someone who blindly approves and installs patches, even though that appears to be the recommended practice for Windows 10 / Windows Server 2016 going forward.
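
The script below is an added example, not from the original post. It reads back the registry values that the patches discussed above expect an administrator to set by hand, so a "fully patched" report can be compared with what the machine actually has. Paths, value names and meanings are the ones documented in the respective Microsoft KB articles; the Expected column is the hardened value. The WSUS post-install command from KB3159706 is not a registry setting and is not checked here. Run elevated on the machine being audited.

```powershell
# Added example; not from the original post. Audits the hand-set registry values behind
# the patches discussed above. Paths and names are as documented in the KB articles.

$PostPatchChecks = @(
    [pscustomobject]@{
        Patch    = 'KB4072699 (Jan 2018 Meltdown/Spectre prerequisite)'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
        Name     = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
        Expected = 0
        Note     = 'Set by a compatible AV product or by hand; without it Windows Update withheld the January 2018 and later updates'
    }
    [pscustomobject]@{
        Patch    = 'KB2871997'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Name     = 'TokenLeakDetectDelaySecs'
        Expected = 30
        Note     = 'Clears leaked logon-session credentials 30 seconds after logoff'
    }
    [pscustomobject]@{
        Patch    = 'KB4034879'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        Name     = 'LdapEnforceChannelBinding'
        Expected = 2
        Note     = 'Domain controllers only; 1 = enforce when the client supports it, 2 = always'
    }
)

function Get-PostPatchSetting {
    foreach ($c in $PostPatchChecks) {
        $actual = $null
        $status = 'Missing'
        if (-not (Test-Path $c.Path)) {
            $status = 'KeyAbsent'          # e.g. NTDS\Parameters on a member server
        } else {
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
            if ($null -ne $actual) {
                $status = if ($actual -eq $c.Expected) { 'OK' } else { 'BelowExpected' }
            }
        }
        [pscustomobject]@{
            Patch    = $c.Patch
            Value    = $c.Name
            Actual   = $actual
            Expected = $c.Expected
            Status   = $status
            Note     = $c.Note
        }
    }
}

Get-PostPatchSetting | Format-Table Patch, Value, Actual, Expected, Status -AutoSize
```

A Missing row means the patch may well be installed while the protection it shipped is not in effect, which is exactly the gap the post describes. For the speculative-execution mitigations themselves, Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings) reports whether the OS and microcode pieces are actually active, which the registry alone cannot tell you.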

I installed a new Synology NAS with two shared folders that have encryption enabled. The Synology is configured to check for updates but not install them, so that we can control when this is performed and make sure no backup activity is going on. After installing the updates, the NAS automatically rebooted.

After the reboot, when I went to make sure I could still access the file shares on the device, I discovered they appeared to be gone. In a panic, I checked the disk volumes within the Synology web UI and saw they still had quite a bit of used disk space, so the data was still there.

As it turns out, encrypted shared folders need to be mounted after a reboot. Select each shared folder and, under the Encryption dropdown, choose Mount. This prompts for the encryption key password, which you must provide. After mounting the folders, I could access the file shares again over CIFS. This is by design: the key is not kept on the device across a reboot, so a stolen or rebooted NAS exposes nothing until someone supplies it. DSM does offer an option to mount encrypted folders automatically on startup, but that stores the key on the NAS itself and gives up most of that protection.

Occasionally, I need to open a Visio diagram but don't need to create or modify one, so the Visio Viewer seemed an ideal option. However, after installing the viewer (I tried both the 32-bit and 64-bit versions), I was still unable to open a Visio file.

The best I could get was Windows asking what I would like to use to open the file, and Visio Viewer wasn't an option. After drilling down to find the executable, I found the viewer (VPREVIEW.EXE) displayed the message "This program can only run from within another program" when I tried to execute it. It turns out the Visio Viewer is an ActiveX control designed to run inside Internet Explorer. Since I had disabled IE 11 on my system (using "Turn Windows features on or off"), the viewer had nowhere to run, since Edge doesn't support ActiveX.

I found an extension in the Chrome Web Store that allows me to view Visio files inside Chrome. However, it requires me to click its icon in the Chrome toolbar and then drag the Visio file into the Chrome window.

So, the alternatives appear to be to enable IE 11 or use a Chrome extension. Neither is free: re-enabling IE 11 brings back the ActiveX attack surface you removed, and a third-party extension gets to read every diagram you drop into it.

Brocade ICX (now Ruckus) switches ship with two versions of code loaded on two different partitions. The primary partition contains a layer 2 image, while the secondary partition contains a layer 3 image. For the ICX-6610 switches, the layer 2 image is named FCXSxxxxx.bin and the layer 3 image FCXRxxxxx.bin; note the S and R, which denote layer 2 (switching) and layer 3 (routing), respectively. In order to enable layer 3 features on an ICX-6610 switch, you must switch to the layer 3 image by updating the boot record. See the following link for more information: https://community.brocade.com/t5/Ethernet-Switches-Routers/FastIron-image-files-and-choosing-Layer-2-or-Layer-3-code/ta-p/2887

You can also update these switches using a manifest file, which does most of the update for you. Using the manifest file only updates the running code version; to update the non-running partition, use TFTP.

Brocade has recently sold its product lines to several companies. The product line for larger equipment went to Broadcom, and the brocade.com website can still be used for information on those devices. The product line for smaller equipment (what most of our customers own) was sold to Ruckus, and information and downloads can now only be found on the ruckuswireless.com website.