Domain: microsoft.com
Stories and comments across the archive that link to microsoft.com.
Comments · 34,132
-
Re:You must be kidding
This assumes that Windows 10 S will take off outside the K-12 (primary and secondary) education market. But Windows 10 S can't run Visual Studio or other compilers. (See subheading "Your app generates code" in "Prepare to package an app (Desktop Bridge)".) Without the ability to complete AP Computer Science homework, what makes you think Windows 10 S will take off even in secondary education?
-
Re:Sad
10x more games for windows, for the meantime I can stick with 7, I'm still waiting for 3rd parties to fix the giant feces known as windows telemetry in win10.
'Basic level' - they collect so much they say it'd take 149 min's just to read what type of info it collects:
https://docs.microsoft.com/en-...
-
Re:Harder to malform the JSON
The latest .NET versions are also moving to JSON.
-
Protect yourself vs. SMB1 attacks easily
From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:
Disable SMBv1 on the SERVER, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
Enable SMBv2 on the SERVER, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
---
Disable SMBv1 on the CLIENT, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Enable SMBv2 & SMBv3 on the CLIENT, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb20 start= auto
---
APK
P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN but TCP/IP connected online) turn off Server & Workstation services.
That shuts off any "handles" (port 445) this thing propagates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time. It also makes your packet trains smaller (no encapsulation of LanMan)
I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ vs. even today's threats like this one.
* This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)) & again, no more encapsulated packet bulk.
AND?
Don't be STUPID & click on attachments in bogus malicious emails this thing propagates thru also (Chrome/Opera/Webkit users - BEWARE of the ShellControlFile issue that just popped up (.scf file) noted here-> http://www.theregister.co.uk/2017/05/17/chrome_on_windows_has_credential_theft_bug/ )
... apk
-
Re:No qord from the NSA?
Sure, it's just a coincidence that Microsoft released MS17-010 - a patch for multiple NSA-discovered vulnerabilities - several weeks before they were disclosed by Shadow Brokers.
-
Glad I killed off SMB v.1
If you haven't looked into it yet and you're running Windows 7 and above, disable SMB v.1 on Windows as server or client. There's not much reason to maintain it unless you have older hardware/software that relies on it (XP, Windows Server 2003). v.1 is slower and completely replaced by SMB v.2 and v.3.
-
Re:as a workaround
There's one small detail here, though: there are two keys: one, the "Microsoft Windows Production PCA" is used to sign Windows only, while the other, "Microsoft Corporation UEFI CA" is the one they for antitrust reasons "kindly" allow certain biggest distributions to be signed with. Inclusion of the former is mandatory, while the other OEMs merely "should consider including".
And this is why there needs to be more effort toward getting people to use Linux. OEMs will support it if there are potential customers but the reality is that customer base is almost non-existent. There is a genuine reason to create disruptive and innovative features that appeal to end users and that is economies of scale. But still after all these years and hundreds of distros there still hasn't been a disruptive innovation to come out of the desktop Linux community.
Whether you like it or not OEMs have no reason to support a second class citizen OS that virtually nobody wants so the obvious thing to do is to make it something that users genuinely want rather than Windows. Some real innovation is what is required, not yet-another-display-system or yet-another-init-system or yet-another-windowing-system, etc, etc.
Up until recently Windows 8 and Windows Vista were used more than Linux on the desktop, seriously! What bigger whack over the head does the community need to tell them something is wrong than that?!?! You can continue to excuse it away or blame whoever all you want but the reality is that the window is closing, the desktop has been an open market for operating systems for decades and Linux has failed to capitalize on that time and time again, if that doesn't change soon then that open market may disappear altogether.
-
Not mine (how & why in ps)... apk
From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:
Disable SMBv1 on the SERVER, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
Enable SMBv2 on the SERVER, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
---
Disable SMBv1 on the CLIENT, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Enable SMBv2 & SMBv3 on the CLIENT, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb20 start= auto
---
APK
P.S.=> Lastly, per my subject above: For a SINGLE 'standalone' non-networked PC (no home network/LAN but TCP/IP connected online) turn off Server & Workstation services.
That shuts off any "handles" (port 445) this thing propagates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time. It also makes your packet trains smaller (no encapsulation of LanMan)
I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ vs. even today's threats like this one.
* This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)) & again, no more encapsulated packet bulk.
AND?
Don't be STUPID & click on attachments in bogus malicious emails this thing propagates thru also (Chrome/Opera/Webkit users - BEWARE of the ShellControlFile issue that just popped up (.scf file) noted here-> http://www.theregister.co.uk/2017/05/17/chrome_on_windows_has_credential_theft_bug/ )
... apk
-
the Microsoft Connected Vehicle Platform
'Today at the Consumer Electronics Show in Las Vegas, we announced the Microsoft Connected Vehicle Platform, a set of services built on the Microsoft Azure cloud'
-
Re:You gotta be shitting me...
'You gotta be shitting me'...
My thoughts precisely .. until I read this:
'Today at the Consumer Electronics Show in Las Vegas, we announced the Microsoft Connected Vehicle Platform, a set of services built on the Microsoft Azure cloud'.
-
Re:MS Broke Windows 7 Updates
Someone wrote an automated tool to install all KB's to fix Windows Update for Win 7:
https://answers.microsoft.com/...
Worked on all 3 machines I used it on, in various WU states (endless loop, failing to install).
-
Re:as a workaround
There's one small detail here, though: there are two keys: one, the "Microsoft Windows Production PCA" is used to sign Windows only, while the other, "Microsoft Corporation UEFI CA" is the one they for antitrust reasons "kindly" allow certain biggest distributions to be signed with. Inclusion of the former is mandatory, while the other OEMs merely "should consider including".
Doesn't sound that ominous yet? Then recall the way Windows is sold: there's a ridiculously high official price no one pays, and "volume discounts" every single mainstream PC maker gets, negotiated under strict non-disclosure. You can bet that when the time is ripe, all the makers will suddenly fail to include the UEFI CA key (as losing the volume discounts would effectively put them out of business).
And even while the UEFI CA key lasts, you lose the main reason to use Linux rather than some proprietary kernel: there's no way you can edit the kernel, install a non-distro version, build your own modules, etc. You no longer can insert unsigned modules, kexec an unsigned kernel, use a number of facilities that could be used to gain control over your own machine.
And what's the gain for you? Precisely nothing! A thief can still install Windows on a stolen machine, someone who wants your data can boot Windows (or, for now, one of the "blessed" distros). The UEFI CA doesn't sign particular kernel builds but distro signing keys, so you can be assured every three letter agency of US, Russia, China and any other country Microsoft wants to sell their software in do have such a signing key. Thus, the malware the thugs use against your machine on the border will also boot fine.
Ie, "Secure" Boot is strictly negative for you unless you can remove all keys not under your control.
-
Protect yourself vs. WanaCry easily
From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:
Disable SMBv1 on the SERVER, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
Enable SMBv2 on the SERVER, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
---
Disable SMBv1 on the CLIENT, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Enable SMBv2 & SMBv3 on the CLIENT, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb20 start= auto
---
APK
P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN but TCP/IP connected online) turn off Server & Workstation services.
That shuts off any "handles" (port 445) this thing propagates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time. It also makes your packet trains smaller (no encapsulation of LanMan)
I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ vs. even today's threats like this one.
* This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)) & again, no more encapsulated packet bulk.
AND?
Don't be STUPID & click on attachments in bogus malicious emails this thing propagates thru also (Chrome/Opera/Webkit users - BEWARE of the ShellControlFile issue that just popped up (.scf file) noted here-> http://www.theregister.co.uk/2017/05/17/chrome_on_windows_has_credential_theft_bug/ )
... apk
-
Easy to prevent via patches/workarounds
From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:
Disable SMBv1 on the SMB server, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
Enable SMBv2 on the SMB server, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
---
Disable SMBv1 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Enable SMBv2 & SMBv3 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb20 start= auto
APK
P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN) just turn off Server & Workstation services. It shuts off any "handles" (port 445) this thing propagates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time.
I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" ala https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ vs. even today's threats like this one.
* This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)).
Of course, don't be STUPID & click on attachments in bogus malicious emails this thing propagates thru as well (Chrome/Opera/Webkit users - BEWARE of the ShellControlFile issue that just popped up (.scf file) noted here-> http://www.theregister.co.uk/2017/05/17/chrome_on_windows_has_credential_theft_bug/ )
... apk
-
Re:Obligatory
Shame it's not also on Linux
The stated dev reason was
It also means that if we advertise "Linux" we would need to QA a dozen different combination due to different Linux distributions and different editions of each distribution.
But .NET Core 2.0 "treats Linux as a single operating system, much like it does with Windows and macOS. We've tested the new .NET Core 2.0 Linux builds on many Linux distributions and it works."
So maybe there is some hope.
-
Patches exist & so do workarounds... apk
SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via MS
To enable or disable SMBv1 on the SMB server, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
To enable or disable SMBv2 on the SMB server, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
---
To disable SMBv1 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
To enable SMBv2 and SMBv3 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb20 start= auto
---
With a SINGLE 'standalone' non-networked PC (no home network/LAN) just turn off Server & Workstation services. It shuts off any "handles" (port 445) this thing propagates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time.
I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" ala https://www.google.com/#q=HOW+... [google.com] vs. even today's threats like this one.
* This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)).
APK
P.S.=> Of course, don't be STUPID & click on attachments in bogus malicious emails this thing propagates thru as well (Chrome/Opera/Webkit users - BEWARE of the ShellControlFile issue that just popped up (.scf file) noted here-> http://www.theregister.co.uk/2... [theregister.co.uk] ) & DO PATCH per
/ ... apk
-
Re:It will help Americans
You do understand that your internet connection involves more than just an analog signal, right? TCP/IP among other standards, includes in every single routable data stream where it is going and where it came from. This can be read by the ISP and routed to lower priority for non-bribe paying websites. That sounds innocent eh? Except it unfairly degrades the services that are ALREADY paid for, and breaks the function of the internet as an open platform.
-
Additional protections via Microsoft
To enable or disable SMBv1 on the SMB server, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
To enable or disable SMBv2 on the SMB server, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
---
To disable SMBv1 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
To enable SMBv2 and SMBv3 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb20 start= auto
APK
P.S.=> Between the above (& patches exist also) OR doing what I do for standalone SINGLE systems w/ no home network-lan https://news.slashdot.org/comments.pl?sid=10624577&cid=54434563/ you'll be OK
... apk
-
Re:Microsoft/NSA, trust either of them?
Right, because nobody ever breaks into buildings and messes with (or steals) computers.
If somebody broke into my home and stole my computer, I would be more unhappy because they stole my computer and not because now they can hack it (they can just pull the HDD out and connect it to another PC or boot my PC from a live CD if they want to access the data).
There is also the possibility of a trusted software vendor getting hacked and their application ending up with some code that exploits that "local user" vulnerability you didn't patch. You use that software regularly, you install the bad update, you run the application... you are the local user and now you've been exploited. Guess you needed that patch, after all.
And in Windows XP days my user was the admin - there was no need to exploit privilege escalation bug if the program was bad. Now my user is still the admin, but UAC sometimes pops up asking for my approval.
OTOH, if I opened a wrong email attachment, it could encrypt my data even if running as limited user (me) on a fully patched system (or Linux). So, on a single user computer it is kinda pointless ("The malware encrypted all my data, but at least the system files are unaffected, yay!").
History has shown us otherwise.
So, with today's forced updates, everybody updates more often? Even Windows 7 or 8? I used to update my Windows 7 PCs (not very often, but I did), until GWX and telemetry showed up. And now I cannot even pick and choose to not install telemetry, so Windows Update got disabled. Though I will install the specific patch on my Windows 7 and Windows XP laptops as those may be exposed to the internet without a router.
I would say that when telemetry and GWX came out, more people disabled updates if they wanted to avoid installing Windows 10.
Link, please?
https://technet.microsoft.com/...
You don't trust Microsoft's patch to do the job, but you trust their manual procedures? And you trust that no part of the system will act to protect the services you've removed? You do realize that Windows has had system file protection (and automatic repair and restoration of said files) since Windows 7, right?
Microsoft's patch means running their (new) code on my computer. It may just do what is promised, but it may also flip some registry or group policy setting that disables telemetry (enterprise edition). I do not know either way, so I would be back to sniffing packets on my router looking for any communication between that PC and Microsoft.
On the other hand, I expect the manual workaround to work as promised, because I really doubt that Microsoft had the foresight to make uninstalling SMBv1 support also mess up the other settings.
-
Re:Don't blame the U.S.A.
They did this weekend. https://www.microsoft.com/fr-F...
-
Re:Bubble
Microsoft does have quite a bit of hardware.
http://www.xbox.com/en-US/xbox...
https://www.microsoft.com/acce...
https://www.microsoft.com/en-u...
Facebook also own Oculus.
-
Re:Difference between Google and Microsoft
Microsoft does not.
That is a lie.
-
Re:Windows Users...
I disabled automatic updates on my Windows 7 machines when MS started to offer only cumulative updates for Windows 7 through the updater that combine security updates with non security updates. Before that I installed security updates automatically. But with rollup updates, this is something of the past. I don't want them to install whatever crapware they want on my machine. For that reason I already avoid Windows 10 whenever I can.
So I prefer to download security updates manually from http://www.catalog.update.micr... (yes, you can do it without using IE) and pay something like ~$30 a year for a proper proprietary anti-virus than putting up with Microsoft's shit. Hey, I'd even be willing to pay that money to MS every year if they offered a better service and didn't try to screw me over every chance they get.
-
Re:app stores with forced sand boxing / censorship
Can you have a game with its own mapedit.exe that can work with game.exe without the sandbox getting in the way?
Yes, provided the "mapedit" and "game" applications use either UWP file pickers or the Share contract, which Microsoft is suspiciously not calling an "intent".
-
Re:Don't let the $THREE_LETTER_GOV_ORG hoard explo
I too am wary of running a patch from MS but they do offer a manual alternative which I used on a Win 7 machine: Create Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB1 REG_DWORD: 0 = Disabled --from https://support.microsoft.com/... and keep your fingers crossed
-
Re:Another elephant
To be fair, Microsoft are up-front about the end-of-life schedules of their operating systems, making that information available before a new OS version is even released.
If a manufacturer supplies a piece of equipment running a specific version of Windows and has no plan to keep it working or secure past the EoL of that version of Windows, that is entirely on them. They knew that their product would stop receiving updates and did nothing... which suggests that they are the ones who want you to buy a new product, not Microsoft.
Oh, and the new version pushes adware on you and installs whatever the fuck Microsoft wants and reboots the system whenever it damn well pleases.
Which is why if you were - for whatever reason - building a medical/manufacturing/research product that runs Windows and required continuity, you would use something like Windows 10 IoT LTSB, which is stable and supported for 10 years and also has the ability to defer updates.
-
Ports 445 exposed to the internet
You can get it either by a) exposing port 445 to the internet, or b) exposing port 445 to a computer on your local subnet that's infected.
If you have no other computers running windows on your local net, and if your network connection doesn't allow port 445 through, you should be safe.
...it's a good idea to patch the system, though. Get the patch here.
Port 445 is SMB ("samba" over in linux world), which is used to mount remote disks and printers (and some other things). There's really no need for a user to expose this port to the internet unless you want to mount a disk remotely over the internet, which is not something a user would ordinarily need.
-
This is CYA from Microsoft
The original blogpost makes the following points:
1) Microsoft works hard, I tell you hard to avoid these problems.
2) Customers are to blame too! (really)
3) It's the government's fault!
They're trying to direct the conversation so they don't get all the blame. The reality is, if Microsoft hadn't made the flaw, then this attack never would have happened.
-
What a great idea
It's too bad no one invented such a thing decades ago because by now we would have something that worked out of the box on Windows and Linux
-
Well that didn't last long
Time to patch those XP boxes...
-
Who modded this drivel up?
It was announced over three years ago (and they gave a year's extension):
https://technet.microsoft.com/en-us/library/security/2880823.aspx
Microsoft may be shite at a lot of things, but one thing they aren't is giving their enterprise customers long-term notice about changes like this.
-
Re:Windows 7
You do not perceive that as a problem? How is Aunt Annie going to do this? You don't even remember the order... I know I have followed many guides, and it never worked. Never... Followed the exact order. Is it because it's a VM and doesn't get a true full core for it? I have no idea.
Assuming that Aunt Annie is not a technical person she would either hire a professional or rely on help from friends and relatives -- the same thing she would do if her car broke down (also assuming that she isn't a mechanic). I don't remember the order because I don't spend much time on Windows 7. I have moved on to a currently supported operating system. I happened to have the patch files sitting in a directory on my file server and as a courtesy gave you the KB numbers. If I had to patch a Windows 7 box again, I would just look up the KBs I listed, install the two prerequisites for the speed patch, the speed patch, and then the update roll up. (The four KBs I listed) I don't perceive this as a problem because when Windows 7 was released the expected technical level of someone using a computer was much higher than it is today. I will perceive it as a problem if Windows 10 has a similar update issue 5 years from now as expectations of a computer maintaining itself are much higher. (As a side note, the current expectation of computers "just working" is a big driver of Microsoft forcing patches that we as technical folks can be uncomfortable with.)
I disagree. I paid for 7, I get 7 until it's officially expired. It should work until that day, which is in 2020.
Support (meaning that Microsoft will help individual users with specific issues, e.g. you can call them and get help) is officially expired as of January 13, 2015. The 2020 date is extended support, which means that Microsoft will create security patches, but not necessarily help you install them or help you with other issues.
-
Re:Services not running == safe?
Frankly, relying on the output of the net commands might not be enough considering how many places you can force services to start from on windows. If you run: netstat -an | findstr LISTENING how are 135, 139, 445 doing? (Or you can use TCPView from the Sysinternals Suite, although it seems like you already know what you're doing. technet.microsoft.com/en-us/sysinternals/default)
Maybe run a full port scan on your machine from another machine on the same network. If it's all locked down you should be fine because that service won't be accessible regardless. If not you can use Windows Firewall which has been vastly improved starting with Windows 7 (at least for blocking ports).
-
Re:well you know what they say
https://technet.microsoft.com/...
"This change will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1. Enterprise or self-signed SHA-1 certificates will not be impacted,"
-
Re:CAT & MRI & CNC & 'whatevur' Manufa
4.) "Windows POS Ready 2009" is the SKU you're referring to. As the name suggests it was intended for Point of sale devices, and was released in 2009.
This Microsoft Lifecycle page shows the lifecycle of embedded products. POS Ready was based on the "Windows Embedded Standard 2009", which is the last revision of XP embedded, with a similar end of life date.
A lot of these "embedded" XP systems were probably released between 2001-2009 (the original heyday of XP) and didn't include a SKU that would be released in the future with longer support. Even if they included "Windows XP Embedded", "Windows XP Embedded Service Pack 3" support ended in 2016.
-
Even Windows XP, Windows 8, and Server 2003
No. I am not in the habit of praising Microsoft, but: https://blogs.technet.microsof... & https://technet.microsoft.com/...
-
Re:How can I tell if I am fully patched?
> given how many exploits target these Microsoft networking protocols (NetBIOS, SMB etc) and given that I don't actually need to use these protocols for anything, is there a way to turn them off so they aren't exposed to the outside world?
MS has instructions on how to disable SMBv1, SMBv2, and SMBv3 here:
* https://support.microsoft.com/...
Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008
Windows PowerShell 2.0 or a later version of PowerShell
To disable SMBv1 on the SMB server, run the following cmdlet:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
To disable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force
To enable SMBv1 on the SMB server, run the following cmdlet:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force
To enable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force
You can disable NetBIOS over TCP/IP:
* https://technet.microsoft.com/...
1. From the Network and Dial-up Connections icon in Control Panel, select Local Area Connection and right-click Properties.
2. On the General tab, click Internet Protocol (TCP/IP) in the list of components, and click the Properties button.
3. Click the Advanced button.
4. Click the WINS tab. Click Disable NetBIOS over TCP/IP.
--
Fuck You Red Cross for hijacking the + operator and the color red in a video game hundreds of years AFTER the Templars first used red crosses.
-
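A read-only check that combines the registry values from the comment above with the listening-port check suggested in the "Services not running == safe?" comment. This is an added example, not part of either comment or of Microsoft's instructions; the function names are hypothetical, and it assumes English-language netstat output.

```powershell
# Added example: read-only audit, nothing on the system is changed.
$ParamKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbServerSetting {   # hypothetical helper name
    param([string]$Name)
    $item = Get-ItemProperty -Path $ParamKey -Name $Name -ErrorAction SilentlyContinue
    # A missing value is not "disabled": the server then uses its default, enabled.
    if ($null -eq $item) { return 'Enabled (value not set, default applies)' }
    if ($item.$Name -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Get-ListeningTcpPort {   # hypothetical helper name
    param([int[]]$Ports)
    # Parse netstat text so this also runs on PowerShell 2.0.
    # Assumption: English-language netstat output ("LISTENING").
    netstat -an | Where-Object { $_ -match '^\s*TCP\s.*LISTENING' } | ForEach-Object {
        $local = ($_.Trim() -split '\s+')[1]          # e.g. 0.0.0.0:445 or [::]:445
        $port  = [int]($local.Substring($local.LastIndexOf(':') + 1))
        if ($Ports -contains $port) {
            New-Object PSObject -Property @{ Port = $port; LocalAddress = $local }
        }
    }
}

'SMBv1 server:       ' + (Get-SmbServerSetting -Name 'SMB1')
'SMBv2/SMBv3 server: ' + (Get-SmbServerSetting -Name 'SMB2')

$open = @(Get-ListeningTcpPort -Ports 135, 139, 445)
if ($open.Count -eq 0) {
    'No listener on TCP 135, 139 or 445.'
} else {
    $open | Sort-Object Port | Format-Table Port, LocalAddress -AutoSize
}
```

A listener on 445 remains as long as any SMB version is enabled on the Server service, so the registry check and the port check answer different questions.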
Re:Here's how it works
-
Re:Say "thanks" to your "security"-agency...
Did you miss the part where Microsoft patched this 2 months ago and the only people being infected are the ones that are grossly (even negligently) behind?
I honestly don't care about whether you blame the NSA for developing an exploit or not reporting it earlier. At this junction, however, 100% of the blame lies with these IT departments that can't get their shit patched.
-
Re:Informative although quite misleading
Today, there were quite a few ransomware attacks everywhere, this was relevant enough to get its own Slashdot submission! These attacks spread so quickly everywhere that the typical infection (e.g., a random sucker opening the attachment of an email promising whatever) seemed improbable. That's why I read this article which explains the whole process in detail.
According to that document, these attacks happened thanks to another remote-execution bug which Windows (not the infected machines) officially patched on 14-March (just during that month they fixed 12 remote-code-execution bugs, some of them allowing to take control of the whole system!). There isn't any information in either that report or the Microsoft pages about what was exactly this remote execution expected to consist in.
"The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server"
Does it mean that the attackers encrypted the files from a remote location or automatically-downloaded a piece of software to do so? No idea, but I guess that the aforementioned typical infection should be dismissed (otherwise, the report would have mentioned it, right?)
The reason why I am writing this new post (even though I am trying to not write too much to see if my mod points come eventually back) is to give a bit more of context to my original comment. I was plainly referring to a very specific claim about a very specific problem and took advantage from it to criticize unnecessary-alarmist attitudes. Nothing more and nothing else than that. Too evident/not actually required? Look at the (other) AC comments!
-
Re:Does anyone even use this?
> How does anyone know what it's doing with their data
that seems like just the kind of question that these people would ask.
-
Re: Good
Really?
Browsing https://azure.microsoft.com/en... makes it look like running 3 Openstack deployments would be easier (and of course cheaper) than keeping something running on Azure ...
-
Re:Been saying this for years
If MS can't do it, what are the chances a newcomer can do it. So Google is a natural monopoly.
What do you mean MS can't do it? Not only do they do it, but they specifically make it so that you can't opt out of it. They literally record every URL you type, every search term you use, and every link you click, and you aren't allowed to turn it off.
To wit:
https://docs.microsoft.com/en-...
Browsing, Search and Query data
This type of data includes details about web browsing, search and query activity in the Microsoft browsers and Cortana, and local file searches on the device.
Text typed in address bar and search box
Text selected for Ask Cortana search
Service response time
Auto-completed text if there was an auto-complete
Navigation suggestions provided based on local history and favorites
Browser ID
URLs (which may include search terms)
Page title
While Chrome collects some of this data, you can in fact turn all of it off by simply unchecking everything in the privacy section. If you do that, then the only time Chrome pings Google's servers is when it's checking for updates, which you can verify with wireshark.