
The May 2019 Microsoft patch releases included an update for a very high-risk vulnerability (CVE-2019-0708, aka BlueKeep) that affects Windows XP, Windows 7, Server 2003, Server 2008, and Server 2008 R2.

This vulnerability allows an unauthenticated attacker (or malware) to remotely execute code on the vulnerable system. It is considered VERY high risk, particularly for systems with Remote Desktop Protocol (RDP, port 3389) directly exposed to the Internet. However, if a system inside the network is compromised, the exploit could easily spread to other PCs and servers, because RDP is enabled by default.

CoNetrix strongly recommends all customers ensure the May updates are installed as soon as possible.

Microsoft has not only released updates for Windows 7, Server 2008 and Server 2008 R2, but has also issued updates for Windows XP and Server 2003, which are no longer officially supported.

All CoNetrix Technology customers with managed services agreements and all cloud hosted Aspire systems were updated shortly after this vulnerability was announced.

This vulnerability can be mitigated by enabling Network Level Authentication (NLA) - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732713(v=ws.11). Additionally, CoNetrix recommends disabling RDP access over the Internet to internal systems.
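The following script is an added example and is not part of the CoNetrix post. It audits the RDP settings that matter for this advisory on the local host (whether RDP is enabled, whether NLA is required, which security layer and port are configured, and whether a given update is installed) and can optionally enforce NLA and TLS. It assumes it is run elevated on the Windows host being checked; the `$PatchKB` value is a placeholder for the KB number of the May 2019 update for that particular OS, which this post does not list.

```powershell
# Added example (not from the CoNetrix post): audit RDP hardening state
# relevant to CVE-2019-0708 on the local host and optionally enforce NLA.
# Assumptions: run elevated; $PatchKB is a placeholder for the OS-specific
# May 2019 update (look it up for your OS before running).
param(
    [string]$PatchKB = 'KB<placeholder>',   # placeholder, e.g. the KB for Win7/2008 R2
    [switch]$Enforce                        # turn on NLA and TLS if they are off
)

$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsRoot\WinStations\RDP-Tcp"

$ts  = Get-ItemProperty -Path $tsRoot
$rdp = Get-ItemProperty -Path $rdpTcp

$state = [ordered]@{
    ComputerName   = $env:COMPUTERNAME
    OSVersion      = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    RdpEnabled     = ($ts.fDenyTSConnections -eq 0)      # 0 = connections allowed
    NlaRequired    = ($rdp.UserAuthentication -eq 1)    # 1 = Network Level Authentication on
    SecurityLayer  = $rdp.SecurityLayer                  # 0 = RDP, 1 = negotiate, 2 = TLS
    RdpPort        = $rdp.PortNumber
    PatchInstalled = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)
}

if ($Enforce) {
    if (-not $state.NlaRequired) {
        Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
        $state.NlaRequired = $true
    }
    if ($state.SecurityLayer -ne 2) {
        Set-ItemProperty -Path $rdpTcp -Name SecurityLayer -Value 2 -Type DWord
        $state.SecurityLayer = 2
    }
}

# Flag the combination the post warns about: RDP on, no NLA, no patch.
$state.Exposed = $state.RdpEnabled -and -not $state.NlaRequired -and -not $state.PatchInstalled
[pscustomobject]$state
```

Run it read-only first across the fleet (for example via Invoke-Command) and treat `Exposed = True` as the hosts to patch first. NLA is a mitigation, not a fix: Microsoft's advisory notes that an attacker who already holds valid credentials can still authenticate and reach the vulnerable code, so the update is still required, and requiring NLA will lock out clients that do not support CredSSP (very old RDP clients) until they are updated.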


 

If you are using Server 2016 as a Citrix or RDS server, users often request that Windows Photo Viewer be their default program for photos instead of Paint. Photo Viewer is installed with Server 2016, but does not have the file associations it needs. Also, the default application is a per-user setting, so applying it for everyone requires a GPO policy.

Here are the steps:

  1. Import the registry settings to create the file associations needed for Windows Photo Viewer
  2. Set Default Program associations
    1. Control Panel > Default Programs > Set default programs
    2. Select Windows Photo Viewer
    3. Select Choose Defaults for this program
    4. Select the extensions you want to set as default for Windows Photo Viewer
    5. Click Save
  3. Verify functionality by opening a file with an extension set in the previous step and confirming it opens with Photo Viewer
  4. Create default association file to set default for all users at logon
    NOTE: the above process sets defaults for the current user only; to set them for a user at logon, the settings must be imported at logon
    1. From PowerShell (or a Command Prompt), run the command below to create an XML document with the necessary associations
      dism /Online /Export-DefaultAppAssociations:C:\cnx\DefAppAssoc.xml
    2. Copy XML to a network location accessible by GPO policies
  5. Create or modify an existing GPO to pull XML file settings
    1. Computer Configuration > Administrative Templates > Windows Components > File Explorer > Set a default associations configuration file
    2. Enable policy and set network path of file from previous step
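The script below is an added example, not part of the CoNetrix post. It performs steps 4 and 5 from the command line: it exports the current user's associations with DISM, verifies that the exported XML really maps the image extensions to Windows Photo Viewer before the file is published (a mistake at step 2 is otherwise only discovered after the GPO is deployed), copies the file to a share, and reads back the registry value that the "Set a default associations configuration file" policy writes so you can confirm the GPO applied on a host. The UNC path is a placeholder; the registry location is the one this policy uses on Windows 8/Server 2012 and later, and the per-extension check assumes Photo Viewer's ProgIds all start with `PhotoViewer.`.

```powershell
# Added example (not from the CoNetrix post): automate steps 4-5 and verify them.
# Assumptions: run elevated on the Server 2016 RDS/Citrix host after the
# per-user defaults were set; $SharePath is a placeholder UNC path that the
# RDS computer accounts can read.
param(
    [string]$LocalXml  = 'C:\cnx\DefAppAssoc.xml',
    [string]$SharePath = '\\<fileserver>\<share>\DefAppAssoc.xml',   # placeholder
    [string[]]$Extensions = @('.jpg', '.jpeg', '.png', '.bmp', '.gif', '.tif', '.tiff')
)

New-Item -ItemType Directory -Path (Split-Path -Path $LocalXml) -Force | Out-Null

# Step 4.1: export the current user's default app associations
dism /Online "/Export-DefaultAppAssociations:$LocalXml" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "DISM export failed with exit code $LASTEXITCODE" }

# Check the export before publishing it: every wanted extension must point at Photo Viewer
[xml]$doc = Get-Content -Path $LocalXml
$notPhotoViewer = foreach ($ext in $Extensions) {
    $assoc = $doc.DefaultAssociations.Association | Where-Object { $_.Identifier -eq $ext }
    if (-not $assoc -or $assoc.ProgId -notlike 'PhotoViewer.*') { $ext }
}
if ($notPhotoViewer) {
    Write-Warning "Not associated with Windows Photo Viewer: $($notPhotoViewer -join ', ')"
}

# Step 4.2: copy the XML to the network location the GPO will reference
Copy-Item -Path $LocalXml -Destination $SharePath -Force

# Step 5 is configured in GPMC. After 'gpupdate /force' on a host, this reads the
# value the policy writes so you can confirm which file is in effect.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$policy = Get-ItemProperty -Path $policyKey -Name DefaultAssociationsConfiguration -ErrorAction SilentlyContinue
if ($policy) {
    "Default associations policy file: $($policy.DefaultAssociationsConfiguration)"
} else {
    'Default associations policy has not been applied on this host yet'
}
```

The associations file is only applied when a user's profile is created or when the file's content changes, so existing users who already have a profile on the server will not see the new defaults until the XML is modified or their profile is recreated.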

 

I recently built some new Remote Desktop Servers for a customer. They had previously used roaming profiles set via the Profile Path setting in the Remote Desktop Services Profile tab of the user's Active Directory object. This worked well when set up correctly, but sometimes the IT department would forget to add this path to new user profiles, which would cause issues. I was looking for a way to eliminate the need for IT to remember to add this option to the profiles of the RDS users.

I remembered User Profile Disks being an option in Windows Server 2012 and newer server operating systems. I added User Profile Disks to the configuration when I set up my new collection, and it initially seemed to work well. However, when I then logged into all six of my RDS servers at the same time, I noticed that I received a temporary profile on all but one of them. Some investigation led me to find that a User Profile Disk can only be connected to one server at a time. This likely would have been fine 99% of the time, but I wanted to be sure that the odd occasion where a user got connected to two servers at once, due to something like a server being prevented from accepting new connections, would not cause problems. I ultimately decided not to enable User Profile Disks, to avoid any potential issues when a user might have a session on two servers.

As an alternative, I was able to set a roaming profile path via a computer Group Policy and link it to the OU containing the RDS servers. This accomplished the goal of automating the user profile setup. If a user is logged into two servers at one time, there may be an issue with which profile is written back to the share last, but it will not cause a temporary profile to be created on the RDS server. The settings I enabled are shown below:
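As an added check (not part of the original post), the script below confirms that every Session Host in the collection actually received the computer-policy roaming profile path, which is the failure mode the GPO approach is meant to remove: a server that is missing from the OU, or that has not refreshed policy, would quietly fall back to local profiles. It assumes WinRM is enabled on the hosts, that the server names and share path are placeholders you replace, and that the RDS policy "Set path for Remote Desktop Services Roaming User Profile" writes the `WFProfilePath` value under the Terminal Services policy key, which is my understanding of that policy; compare against `gpresult /h` on one host before relying on it.

```powershell
# Added example (not from the CoNetrix post): verify the roaming profile path
# policy landed on every RDS Session Host.
# Assumptions: WinRM enabled; $Servers and $ExpectedPath are placeholders;
# the GPO writes WFProfilePath under the key below (verify with gpresult).
param(
    [string[]]$Servers      = @('RDS01', 'RDS02', 'RDS03'),      # placeholder host names
    [string]  $ExpectedPath = '\\<fileserver>\RdsProfiles$'      # placeholder UNC share
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$report = Invoke-Command -ComputerName $Servers -ArgumentList $policyKey, $ExpectedPath -ScriptBlock {
    param($key, $expected)
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server      = $env:COMPUTERNAME
        ProfilePath = $p.WFProfilePath          # $null when the policy is not applied
        PolicyOk    = ($p.WFProfilePath -eq $expected)
    }
} -ErrorAction SilentlyContinue

# Hosts that did not answer at all are also a finding, so list them explicitly
$answered = $report | ForEach-Object { $_.Server.ToUpper() }
$unreachable = $Servers | Where-Object { $_.ToUpper() -notin $answered }

$report | Sort-Object Server | Format-Table Server, ProfilePath, PolicyOk -AutoSize
if ($unreachable) { Write-Warning "No response from: $($unreachable -join ', ')" }
```

A host with `PolicyOk = False` is one where the next new user would get a local profile instead of a roaming one, so it is worth running this after adding a server to the collection or moving it between OUs.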


 

This article was updated on August 28, 2019. See below for the updates.

What is the FSSCC Cybersecurity Profile?

The FSSCC Cybersecurity Profile was published on October 25, 2018 by the Financial Services Sector Coordinating Council (FSSCC). The FSSCC is a private entity comprised of 70 members from financial services organizations. Their cybersecurity profile has multiple tiers, which allow users to answer a scalable set of questions. This scaling is designed to provide an expedited assessment of the user's organization's cybersecurity preparedness.

In addition to the tool's claims of efficiency, the tool's development is largely credited to organizations familiar to the financial services industry. The Press Release includes names such as the American Bankers Association, Bank Policy Institute, the Institute of International Bankers, and more.

Beyond this, the FSSCC has made multiple appeals to the Cybersecurity Profile's usefulness in regulatory examinations, going so far as to claim, "The numerous and substantial benefits [of using the FSSCC Cybersecurity Profile] to the financial services sector are: […] Supports tailored supervision, examinations, and collaboration among state, federal, and international supervisors," per the FSSCC Overview and Users Guide.

What is the FFIEC Cybersecurity Assessment Tool?

The FFIEC Cybersecurity Assessment Tool (CAT) was initially published on June 30, 2015, and updated May 31, 2017. The CAT was designed by the Federal Financial Institutions Examination Council (FFIEC), a formal interagency body, comprised of members from the FRB, FDIC, NCUA, OCC, CFPB, and SLC. The CAT is standardized, which allows users to answer a specific set of questions, designed to provide a thorough assessment of their organization's cybersecurity preparedness.

The FFIEC CAT includes 494 cybersecurity maturity statements, which has resulted in some complaints. However, it is not only designed to provide a detailed assessment of a financial institution's current state of cybersecurity preparedness, it also enables targeted and long-term planning for growth and improvement.

With regard to examinations:

• The FDIC continues to heavily rely on the InTREx Work Program. While InTREx does state financial institutions are not required to use the FFIEC CAT to assess cybersecurity preparedness, the program also states FDIC examiners will reference the CAT's Appendix A when performing examinations.

• The NCUA is currently implementing the Automated Cybersecurity Examination Tool (ACET). The ACET is based on the FFIEC CAT, with a document request list to help credit unions understand, gather, and organize the documents needed for the examination. Read our blog on FAQs about the ACET.

• In their Spring 2018 Semiannual Risk Perspective, the OCC announced they had "implemented the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) into its examination process." In addition, an OCC representative at the 2019 CoNetrix KEYS Conference Examiner Panel indicated the OCC is piloting their own segmented version of the FFIEC CAT, to be fully completed on a three-year cycle.

August 2019 Update: In July 2019, the OCC replied to a comment from the FSSCC in the Federal Register. The FSSCC asked the agencies to "make a clear statement that other methodologies, such as NIST Cybersecurity Framework and the FSSCC Cybersecurity Profile, are acceptable inputs into the examination process." The OCC replied that financial institutions "may choose to use the [FFIEC CAT], the NIST Cybersecurity Framework, or any other risk assessment process or tool to assess cybersecurity risk."

• The FRB's supervisory letter about the tool, SR 15-9, indicated the CAT's planned use in examinations, and the FRB was a contributor in the May 2017 update of the tool, per their 2017 Annual Report. Additionally, a list of Information Technology Guidance was published, including the FFIEC CAT as a "Policy Letter."

Will the FSSCC Cybersecurity Profile Replace the FFIEC Cybersecurity Assessment Tool?

While the FSSCC Cybersecurity profile has fewer questions, and the FSSCC has expressed interest in seeing the tool used during regulatory examinations, the federal banking agencies have not yet expressed the same interest.

In addition, while completing the FFIEC CAT is not required, four years into the CAT's implementation, examiners are now familiar with the tool and the agencies continue to supplement and reference the CAT in their own examination programs. In light of this, using the CAT to assess cybersecurity preparedness could help expedite the examination process, as the tool may be used during an exam.

At this point in time, it is not clear what the future holds for the FSSCC Cybersecurity Profile. Due to the thorough nature and widespread adoption of the FFIEC CAT, it is difficult to imagine the CAT will be replaced by any tool in the foreseeable future.

August 2019 Update: In August 2019, the FFIEC published a press release encouraging a standardized approach to assessing cybersecurity preparedness. While the press release lists the FFIEC CAT, NIST Cybersecurity Profile, Center for Internet Security Controls, and FSSCC Cybersecurity Profile as references to "support institutions in their self-assessment activities," the press release reiterates that "the FFIEC does not endorse any particular tool" and the "tools are not examination programs."

Does CoNetrix have anything that can help with assessing cybersecurity preparedness?

Yes. The Tandem Cybersecurity module took the FFIEC CAT PDF content and streamlined it into an easy-to-use web-based application. With email reminders, charts and graphs, presentation documents, optional peer comparison, and tools for the NCUA's ACET, you can put the FFIEC CAT to work for you. Get started for free with Tandem Cybersecurity.


 

Cybersecurity budgets for financial institutions are continuing to increase in an effort to keep pace with advances in technology. CoNetrix conducted a survey to gain insights into cybersecurity and how institutions are using their funds to support their cybersecurity program. 

Cybersecurity Budget for Financial Institutions

Here is some of the information you will find in the report concerning IT and Cybersecurity budgets for financial institutions.

  • 52% of all respondents indicated their IT budget for 2019 will exceed the allotted amount for 2018.
  • 31% reported they will neither increase nor decrease their IT budget for 2019.
  • Institutions with a larger asset size are more likely to increase their IT budget in 2019.
  • 52% of respondents reported they plan to increase Network Infrastructure making it one of the top priorities in 2019.
  • 41% of financial institutions will be increasing their cybersecurity budget in 2019.
  • 44% will maintain the same cybersecurity budget.
  • Institutions with higher confidence in their Board's understanding of cybersecurity posture are more likely to increase their budget.
  • 66% of institutions have a shared budget with IT with no designated line item for cybersecurity.
  • 19% have a shared budget with IT with a designated line item for cybersecurity.

Find out more about how institutions are managing their IT and Cybersecurity budget by downloading our report on The State of Cybersecurity in the Financial Institution Industry. https://conetrix.com/cyber-report


 

On April 2, 2019, the Federal Deposit Insurance Corporation (FDIC) released a new financial institution letter (FIL-19-2019) called "Technology Service Provider Contracts."

Why was this guidance published?

When FIL-19-2019 was published, it had been five years, almost to the date, since the last vendor management guidance was released by the FDIC (see FIL-13-2014, published on April 7, 2014). Presumably, it was a good time for a reminder about vendor management expectations.

In addition, the guidance stated that recent FDIC examination findings noted some financial institution contracts with Technology Service Providers (TSPs) lack sufficient detail around business continuity and incident response.

What does it mean when the guidance states "contracts do not adequately" address some risks?

In recent exams, the FDIC was looking for a few key areas to be covered in TSP contracts, but the contracts did not always meet those expectations. Missing items included:

  • A Business Continuity Plan (BCP): Contracts should require TSPs to have a BCP and acceptable recovery standards.
  • Remedies: Contracts should include assurance of compensation if a business disruption occurs and the TSP fails to restore services in the established timeframe.
  • Notification Requirements: Contracts should define who the TSP should contact (e.g., the financial institution, regulators, law enforcement, etc.) and in what timeframe, if an incident occurs.
  • Key Terms: Contracts should define what constitutes a "business disruption" or an "incident," since rights and responsibilities could be debatable without clear definitions.

How can you ensure TSP contracts are "adequate?"

It would be beneficial for you to review your TSP contracts again with these items in mind, especially if they are long-term or automatically renewing contracts. If your existing contracts are not sufficient in these areas, it is important to note that the financial institution is still responsible for assessing and applying controls to mitigate the risk.

What controls can you apply to ensure you are covered?

In vendor management, your primary control is performing adequate oversight, which is something you should already be doing. The FDIC seems to recognize this since a significant percentage of the FIL recaps guidance that already exists.

For more specific recommendations though, if your contract with a TSP does not clearly define business continuity and incident response requirements:

  • Request and Review Their BCP: Find out if your TSP actually has one and if they'd be willing to share it with you. You don't necessarily need their whole BCP; you just need to know that they have a plan and it is routinely tested.
  • Update Your BCP: If the TSP does not have a BCP or you find it inadequate, it is the financial institution's responsibility to compensate. Update your BCP to describe how you would continue to offer services to your customers or members if your TSP's services are unavailable.
  • Conduct More Frequent Reviews: Whatever the contract says, it is important to periodically confirm the TSP is holding up their end of the deal. You may want to assess this more often if the contract is weak in the areas of business continuity and incident response.
  • Renegotiate the Contract: Depending on the financial institution's risk tolerance, if the contract is deemed "inadequate," it may benefit the financial institution to consider renegotiation or an alternative TSP.

In Summary

Contracts with TSPs should address business continuity and incident response. The FDIC recommends financial institutions contractually require the TSP to have a BCP, as well as contractually define remedies, notification requirements, and key terms.

If existing TSP contracts do not stipulate these items, you should consider additional oversight options, such as requesting and reviewing their BCP documentation, updating your BCP, reviewing the TSP more frequently, or renegotiating the contract.

Does CoNetrix have anything that can help with this?

Absolutely. The Tandem Vendor Management software includes suggested significance questions, designed to help you determine if you need BCP documentation from your vendors. The module also includes a contract review template, designed with business continuity and incident response in mind. Learn more about Tandem Vendor Management.


 

There are times when I want to remove password protection from a PDF that has been "protected" against this type of removal. For example, I may receive a utility bill via email as a password-protected attachment. I'd rather save the bill so I can open it at a later date without having to look up the password. However, the utility company has protected the PDF, and a different password is required to "unprotect" it.

I found that if I open the PDF in a Chrome browser and then print from the browser to a PDF, it creates an unprotected PDF.


 

When I was performing a Windows Server 2019 Standard install, the license key was not available at the time the hardware was received, so I decided to install Server 2019 and license it later once the key arrived. When I received the key and tried to activate Windows, activation returned the error "This product key didn't work. Please check it and try again, or try a different key."

I double-checked that the installed edition and the license key were both 2019 Standard and not another edition, but found no discrepancy. I ran a Windows Update check, restarted, and confirmed I was logged in as the local Administrator account. Research into others who hit this issue turned up the recommendation to re-install the OS and enter the license key during install in order to activate Windows. Instead, I decided to give it one last effort and used the slmgr utility from a Command Prompt: "slmgr.vbs /ipk <product key>" successfully activated my Server 2019 install.
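As an added example (not from the CoNetrix post), the script below does the same key install and activation through the Software Licensing WMI classes that slmgr.vbs wraps, then reads back the license status so the result is confirmed from the licensing service rather than from the Settings dialog that produced the misleading error. It assumes it is run elevated on the server and that `$ProductKey` is a placeholder you replace with your own key.

```powershell
# Added example (not from the CoNetrix post): install a product key, activate,
# and report license state via the WMI classes behind slmgr.vbs.
# Assumptions: run elevated; $ProductKey is a placeholder.
param([string]$ProductKey = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX')   # placeholder key

$svc = Get-CimInstance -ClassName SoftwareLicensingService

# Equivalent of: slmgr.vbs /ipk <key>
Invoke-CimMethod -InputObject $svc -MethodName InstallProductKey -Arguments @{ ProductKey = $ProductKey } | Out-Null
Invoke-CimMethod -InputObject $svc -MethodName RefreshLicenseStatus | Out-Null

# Only the Windows product that now carries a partial key needs activating
$windows = Get-CimInstance -ClassName SoftwareLicensingProduct -Filter 'PartialProductKey IS NOT NULL' |
    Where-Object { $_.Name -like 'Windows*' }

# Equivalent of: slmgr.vbs /ato
foreach ($product in $windows) {
    Invoke-CimMethod -InputObject $product -MethodName Activate | Out-Null
}
Invoke-CimMethod -InputObject $svc -MethodName RefreshLicenseStatus | Out-Null

# Equivalent of: slmgr.vbs /dli, with LicenseStatus decoded (1 = Licensed)
$statusNames = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace'
                  4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace' }
Get-CimInstance -ClassName SoftwareLicensingProduct -Filter 'PartialProductKey IS NOT NULL' |
    Where-Object { $_.Name -like 'Windows*' } |
    ForEach-Object {
        [pscustomobject]@{
            Edition    = $_.Name
            PartialKey = $_.PartialProductKey
            Status     = $statusNames[[int]$_.LicenseStatus]
        }
    }
```

If `Status` is anything other than `Licensed` after this runs, `slmgr.vbs /dlv` prints the detailed error code for the failed activation, which is more actionable than the generic "product key didn't work" message.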


 

When adding a Cisco switch to an existing switch stack, there is always the chance that the firmware on the new switch will be an older version than the firmware on the existing switches in the stack. One way to resolve this is to enter the command "boot auto-copy-sw" in the existing stack configuration before adding the new switch. When the new switch is powered up and connected to the stack, the newer firmware version is copied to it and the switch is rebooted to apply the firmware.

The copy does take some time, so it may be prudent to console into the new switch to monitor the status of the copy.


 

We recently migrated a customer to a new RDS server, including moving their QuickBooks application. Users began experiencing an issue where QuickBooks would not retain their desired printer settings and would revert to the default QuickBooks settings each time the user logged back in.

I ensured the desired printer was set as the user's default printer on their local machine, as well as in their individual session on the RDS server. Still, QuickBooks would revert to its default settings at each login. Please note that users were using network shared printers as their defaults.

To resolve this issue, I had to install the desired printers locally (not as network shared printers) on the RDS server. I did so by adding each printer by IP address instead of adding it from the print server. You can then share that printer from the RDS server so any user who logs into the RDS server has access to it. Once that was done, we were able to set this local printer as the default, and QuickBooks retained the printer settings.
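The script below is an added example (not from the CoNetrix post) that performs the fix described above with the PrintManagement cmdlets available on Server 2012 and later: it creates a TCP/IP port for the printer's address, installs the printer against that port (so it is a local printer, not a connection to the print server), shares it from the RDS host, sets it as the default for the current user, and verifies that the resulting object is local. The IP address, printer name, share name and driver name are placeholders; the driver must already be present on the server, which `Get-PrinterDriver` will show.

```powershell
# Added example (not from the CoNetrix post): install a printer locally on the
# RDS host by IP, share it, set it as default, and verify it is a local printer.
# Assumptions: run elevated on the RDS server; all parameter values are
# placeholders; the driver named in $DriverName is already installed.
param(
    [string]$PrinterIP   = '192.0.2.50',               # placeholder (TEST-NET-2 address)
    [string]$PrinterName = 'Accounting-Laser',          # placeholder
    [string]$ShareName   = 'Accounting-Laser',          # placeholder
    [string]$DriverName  = '<installed driver name>'    # placeholder, see Get-PrinterDriver
)

# 1. A standard TCP/IP port pointing straight at the device, not at the print server
$portName = "IP_$PrinterIP"
if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
    Add-PrinterPort -Name $portName -PrinterHostAddress $PrinterIP
}

# 2. The printer itself, created locally on this host
if (-not (Get-Printer -Name $PrinterName -ErrorAction SilentlyContinue)) {
    Add-Printer -Name $PrinterName -DriverName $DriverName -PortName $portName
}

# 3. Share it so every user who logs into the RDS server can see it
Set-Printer -Name $PrinterName -Shared $true -ShareName $ShareName

# 4. Default printer is per user: run this part in the user's session (or a logon script)
(New-Object -ComObject WScript.Network).SetDefaultPrinter($PrinterName)

# 5. Verify: Type should be 'Local' and PortName should not be a \\server\share path
Get-Printer -Name $PrinterName | Select-Object Name, Type, PortName, Shared, ShareName
```

Because the printer now lives on the RDS host, driver updates and queue problems are handled there rather than on the print server, so it is worth adding the host to whatever process already maintains print drivers.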