SMBKitchen Archives: Managing Click to Run Office
Posted by Amy Babinchak on 25 February 2015 11:24 AM

Managing Office 2013 Click to Run

Click to Run is Microsoft’s newer way to deploy Office. First introduced with the Office 2010 retail SKUs, it is now included as an option with Office 365 Office deployments. With Office 365 volume licensing, in fact, you have the choice of deployment via Click to Run or deployment via the traditional MSI installer. The major difference between Click to Run deployments and traditional Office deployments is in how the updates are deployed. Click to Run uses an App-V streaming method, so you get the entire Office image deployed to you as a whole. The next time there is an update, you’ll get the entire upgrade of the deployment. With traditional Office, you get your updates via Microsoft Update.

Click-to-Run is available for the following products from Office 365:

· Office 365 ProPlus

· Visio Pro for Office 365

· Project Pro for Office 365

· SharePoint Designer 2013

· Lync 2013

· Lync 2013 Basic

The products that are available to you depend on your Office 365 subscription.

Click-to-Run is also available for the following retail products:

· Office Professional 2013

· Office Home and Business 2013

· Office Home and Student 2013

Traditional Office updating

First a bit of background on traditional Office deployments. Office updating is controlled by Microsoft Update, not Windows Update. Windows Update offers only Windows updates, that is, only updates for the operating system itself. On standalone unmanaged systems you must flip the machine over to Microsoft Update in order to receive Office updates. Typically at the end of an install of Office the machine will ask you if you wish to stay up to date with Office updates. Saying yes at this step will do several things. Firstly, it will opt you into Microsoft Update; secondly, it will enable automatic updating.

If you have ever been convinced that your Windows Update settings spontaneously changed from what you set them to be, chances are you said yes at this user prompt and didn’t realize the impact of saying yes. Patches for traditional Office can also be managed by third party patching engines such as WSUS.

Click to Run

Beginning in 2010, Microsoft started deploying certain retail versions of Office using their “features on demand” or “App-V” deployment. When you first start installing a Click to Run Office version, it will start to install the entire image to the machine. You will see indications of what it is doing in the background. You have to make sure you do not turn your computer off during this time, otherwise you may need to remove the Office install and reinstall it. Click to Run does not get updates via Microsoft Update, and thus every Patch Tuesday you will not see Office updates being offered up. Rather, an entire new install will be streamed down to the workstations, typically a day or two after the second Tuesday of the month.

Rolling back

But invariably the question comes up, what if there is an incompatibility with the streamed version of Office and some line of business add in? How can you roll back to a prior working version of Click to Run? It’s not as difficult as it might seem and also points out that in a domain or network setting, Click to Run can be centrally managed as well. In the case of the unmanaged workstation, you can roll back to a prior working version by doing a repair install.

The process to revert to an earlier version of Click-To-Run Office 2013 is as follows:

1. Disable Office 2013 updates. In Outlook, click File, Office Account, Office Updates, and then click Disable Updates.

2. In your Outlook calendar add an appointment reminder for a date in the future to remind you to re-enable updates.

3. Open an elevated cmd.exe (right click on “Command Prompt” and choose Run as administrator)

4. Change Directory to the path of integratedOffice.exe

In the command prompt, type one of the following, depending on whether you are running 32 or 64 bit Office.

For the 64 bit version of Office:

cd %programfiles%\Microsoft Office 15\ClientX64\

or, for the 32 bit version of Office:

cd %programfiles%\Microsoft Office 15\ClientX86\

5. Run the following command to revert to September 2013 version of Office 64 bit:

C:\Program Files\Microsoft Office 15\ClientX64>integratedoffice.exe REPAIRUI RERUNMODE version 15.0.4535.1004

Or for the 32 bit version of Office

C:\Program Files\Microsoft Office 15\ClientX86>integratedoffice.exe REPAIRUI RERUNMODE version 15.0.4535.1004

*Note*: Available versions are listed here: http://support.microsoft.com/gp/office-2013-click-to-run

You will need to determine the last working build of Office and roll back to that version.

6. This brings up the Online Repair dialog. Choose *Online Repair*

Once complete you can check your version to verify it updated properly.
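
The folder check and command line from steps 4 and 5, as an added PowerShell example (not part of the original article or any Microsoft tool). The function names are hypothetical, and the version pattern assumes Office 2013 builds always look like 15.0.nnnn.nnnn.

```powershell
# Added example: locate integratedoffice.exe and build the rollback command line.
# Function names are hypothetical; paths and arguments are the ones given in the article.

function Get-C2RClientFolder {
    # ProgramW6432 points at the native "Program Files" even from a 32-bit process
    # on 64-bit Windows; ProgramFiles covers 32-bit Windows.
    $roots = @($env:ProgramW6432, $env:ProgramFiles) | Where-Object { $_ } | Select-Object -Unique
    foreach ($root in $roots) {
        foreach ($client in 'ClientX64', 'ClientX86') {
            $exe = Join-Path $root "Microsoft Office 15\$client\integratedoffice.exe"
            if (Test-Path -LiteralPath $exe) {
                return [pscustomobject]@{
                    Bitness = if ($client -eq 'ClientX64') { '64-bit' } else { '32-bit' }
                    Exe     = $exe
                }
            }
        }
    }
    throw 'integratedoffice.exe not found under "Microsoft Office 15"; is this a Click-to-Run install?'
}

function New-C2RRollbackCommand {
    param(
        [Parameter(Mandatory = $true)]
        # Assumption: Office 2013 build numbers have the form 15.0.nnnn.nnnn.
        # A typo here would otherwise only surface inside the repair dialog.
        [ValidatePattern('^15\.0\.\d{4}\.\d{4}$')]
        [string]$Version
    )
    $client = Get-C2RClientFolder
    [pscustomobject]@{
        Bitness   = $client.Bitness
        Exe       = $client.Exe
        Arguments = @('REPAIRUI', 'RERUNMODE', 'version', $Version)
    }
}

# 15.0.4535.1004 is the build used in the article; substitute your last working build.
$cmd = New-C2RRollbackCommand -Version '15.0.4535.1004'
$cmd | Format-List

# Step 5: uncomment to open the Online Repair dialog (requires an elevated session).
# Start-Process -FilePath $cmd.Exe -ArgumentList $cmd.Arguments -WorkingDirectory (Split-Path $cmd.Exe)
```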

Network customizations

In a domain or network setting you can control this process even more.
Click-to-Run for Office 365 products are based on core virtualization and streaming Microsoft Application Virtualization (App-V) technologies. Click-to-Run resources run in an isolated virtual environment on the local operating system.

To customize Click-to-Run for Office 365 installation settings for an on-premises deployment of Office 365 ProPlus, administrators who have signed up for Office 365 can use the Office Deployment Tool. You download the Office Deployment Tool from the Microsoft Download Center site. The download includes a sample Configuration.xml file. To customize a Click-to-Run for Office 365 installation, you run the Office Deployment Tool and provide a custom Configuration.xml configuration file. The Office Deployment Tool performs the tasks that are specified by using the optional properties in the configuration file.

You can specify the following Click-to-Run installation options in the Configuration.xml file:

Product and languages to install or remove

· Source path

· Level of user interface to display

· Logging options

· Product updates behavior

Download the Office customization tool from the Microsoft download center.


Click to extract the contents.

Accept the EULA


You will note you have a setup.exe and a configuration file.


The setup file has several switches


To begin the customization process open up the configuration file in notepad and edit the variables as follows:

<Configuration>
<!-- <Add SourcePath="\\Server\Share\Office\" OfficeClientEdition="32" >
<Product ID="O365ProPlusRetail">
<Language ID="en-us" />
</Product>
<Product ID="VisioProRetail">
<Language ID="en-us" />
</Product>
</Add> -->

<!-- <Updates Enabled="TRUE" UpdatePath="\\Server\Share\Office\" /> -->
<!-- <Display Level="None" AcceptEULA="TRUE" /> -->
<!-- <Logging Name="OfficeSetup.txt" Path="%temp%" /> -->
<!-- <Property Name="AUTOACTIVATE" Value="1" /> -->
</Configuration>

In the first line you indicate where the Click to Run installer files will be located.

<!-- <Add SourcePath="\\Server\Share\Office\" OfficeClientEdition="32" >

Make sure that the user has read rights to that share location in order to install Office. Indicate the edition of Office, either 32 bit or 64 bit.

<Product ID="O365ProPlusRetail">

Edit the name of the product you are deploying in the network.

<Language ID="en-us" />

Enter the language you wish to deploy.

</Product>
<Product ID="VisioProRetail">
<Language ID="en-us" />

Enter any additional products you wish to install.

If you download Office Pro Plus from Office 365 (e.g. E3 plan), use the Office Deployment Tool for Click-to-Run (http://www.microsoft.com/en-IE/download/details.aspx?id=36778 ) and run ‘setup.exe /download’ and ‘setup.exe /configure’ as per the TechNet articles for the tool (http://technet.microsoft.com/en-us/library/jj219422.aspx and http://blogs.technet.com/b/office_resource_kit/archive/2013/08/08/how-to-deploy-office-365-proplus-from-an-on-premises-web-portal.aspx ) from an on-premises location, i.e. a network share, the Office 2013 apps are NOT set to automatically update.

Open any Office app, click on File – Account, look under “Product Information” and click on the “Update Options” button to enable them.

Either use group policy or set the updates element to automatically update or point to a network location:

* GPO (http://www.microsoft.com/en-us/download/details.aspx?id=35554 ) and http://technet.microsoft.com/en-us/library/cc179176.aspx

* Utilize the “Updates element” within the Click-to-Run configuration.xml file (http://technet.microsoft.com/en-us/library/jj219426.aspx ) and set up a local network share for an “Update Path” (http://technet.microsoft.com/en-us/library/jj219420.aspx )
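
A pre-deployment check for the Updates element, as an added PowerShell example (not from the original article or the Office Deployment Tool). The function name is hypothetical and the sample file is constructed from the sample Configuration.xml shown earlier, with the Updates line left commented out.

```powershell
# Added example: audit a Click-to-Run Configuration.xml before running setup.exe /configure.
# Test-C2RUpdateConfig is a hypothetical name; element and attribute names are those in the article.

function Test-C2RUpdateConfig {
    param([Parameter(Mandatory = $true)][string]$XmlText)

    $doc = New-Object System.Xml.XmlDocument
    # LoadXml throws on malformed XML, such as typographic quotes pasted from a web page.
    $doc.LoadXml($XmlText)

    # Elements that are still inside <!-- --> are comments, not elements, so they are not found.
    $add     = $doc.SelectSingleNode('/Configuration/Add')
    $updates = $doc.SelectSingleNode('/Configuration/Updates')

    $findings = @()
    if ($null -eq $add) {
        $findings += 'No active <Add> element (missing or still commented out): nothing will be installed.'
    }
    if ($null -eq $updates) {
        $findings += 'No active <Updates> element (missing or still commented out): this file does not turn updates on.'
    } elseif ($updates.GetAttribute('Enabled') -ne 'TRUE') {
        $findings += 'Updates Enabled is not TRUE: clients installed from this file will not update automatically.'
    }

    [pscustomobject]@{
        SourcePath     = if ($add) { $add.GetAttribute('SourcePath') } else { $null }
        Edition        = if ($add) { $add.GetAttribute('OfficeClientEdition') } else { $null }
        Products       = @($doc.SelectNodes('/Configuration/Add/Product') |
                             ForEach-Object { $_.GetAttribute('ID') })
        UpdatesEnabled = if ($updates) { $updates.GetAttribute('Enabled') } else { $null }
        UpdatePath     = if ($updates) { $updates.GetAttribute('UpdatePath') } else { $null }
        Findings       = $findings
    }
}

# Constructed sample: <Add> has been uncommented, <Updates> has not.
$sample = @'
<Configuration>
  <Add SourcePath="\\Server\Share\Office\" OfficeClientEdition="32">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <!-- <Updates Enabled="TRUE" UpdatePath="\\Server\Share\Office\" /> -->
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
'@

$result = Test-C2RUpdateConfig -XmlText $sample
$result | Format-List

# To audit a real file (PowerShell 3.0 or later):
# Test-C2RUpdateConfig -XmlText (Get-Content -Raw .\configuration.xml)
```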

Switching back to MSI deployment

Be aware you can flip Click to run back to a traditional deployment by downloading the msi file. In Office 365 you can find this msi download easily. Even if you are a retail customer you can log into the account portal and download the Office 2013 msi from there.

How to switch back to MSI (old fashioned MU updates) deployment

http://office.microsoft.com/en-us/excel-help/click-to-run-switch-to-using-an-msi-based-office-edition-HA101850538.aspx

Managing retail Office 2013

Currently I can find no way around the need for a Microsoft account for a retail or keycard deployment. There are two means of managing these accounts.

One master account.

Using this method one master Microsoft account is set up for the entire firm. A manual spreadsheet must be maintained of which user has which product key assigned to them.

Each user gets a Microsoft account.

The second way is that each user in the firm gets a Microsoft Live ID that matches their business email account. Each product key is then set up in each separate Live ID. You can rename and re-alias this account as the person leaves the firm at https://account.live.com/names/Manage. Log in with the Microsoft account credentials to manage the information there.


SMBKitchen Archives: Blocking IE 11
Posted by Third Tier on 22 January 2015 02:46 PM

It’s been more than a year since this article was published to the SMBKitchen, so we’re now sharing it with the general public.

_____

Not a Third Tier customer yet? Let me introduce:  We’re Third Tier. We provide advanced Third Tier support for IT Professionals and MicroStaffing for IT consulting firms. Come on over, create an account (no charge) and follow our social media locations.



Patch Management TiPS

Internet Explorer 11

Here we go again, but this time we need to decide when we want IE 11 to be installed on our systems.

Once again you will need to test and ensure compatibility with line of business applications and key business websites before approving the update on your customer’s machines.

At the present time IE11 is offered up but unchecked on Windows 7 machines.


Soon it will be pushed out to unmanaged machines.

There will be no release of IE11 on Windows 8 machines. You are expected to upgrade those machines to Windows 8.1 to obtain IE11. There will be no IE11 on Server 2012 machines.

Here is guidance on how to stop Internet Explorer 11 from being installed on your customer’s Windows 7 sp1 machines:

Blocking IE 11 in Managed Networks

If you use Microsoft’s server patch management tool called Windows Server Update Services to manage updates in your customer’s networks (natively installed on SBS 2003 R2, SBS 2008 and SBS 2011 standard), you need to do nothing at all in order to stop the deployment of IE 11. By default, as long as WSUS is controlling the updates in the network, the category of IE11 update rollups will not be approved and will not deploy automatically.

If you use another patch management tool, or you have an unmanaged environment you may wish to block the deployment of IE 11.

First some facts of the upgrade process to IE 11

1. Internet Explorer 11 can always be uninstalled. To uninstall it, go to the control panel, then to programs and features, click on View Installed Updates and remove IE11.

2. IE11 will only be offered to those who have local administrator rights on their Windows 7 computers. If your customers have been deployed with non-administrator rights they will not see this update automatically deployed.

3. IE11 will be available as an “Important” update through automatic updates soon after it releases to the web. The timing of this “RTW” is not known at this time, but given that we already see it offered up but unchecked, they will begin to push it out soon.

4. If a machine has automatic updates enabled and has Service pack 1 for Windows 7, they will get an automatic upgrade to IE 11.

5. Microsoft tends to “throttle” large patches and monitors for any issues. IE 11 may be announced as being released, but you may not see it on your customer’s workstations for a few days or a few weeks afterwards.

6. Even if you previously used the IE blocker toolkit for IE8, IE9 or IE10, you will need to use this specific kit for IE11 as the specific registry key has changed.

Blocking IE 11 using the toolkit

If your clients are in an unmanaged deployment you may wish to use the IE11 blocking toolkit available from the Microsoft download site (http://www.microsoft.com/en-us/download/details.aspx?id=40722 ) in order to block IE 11. This tool kit does not expire, but be aware that your unmanaged customer can manually go to Windows or Microsoft update and scan for updates and be offered up IE 11. It does not block the “offering” of IE 11 to a Windows 7 sp1 machine. It will block the automatic deployment via Windows update to an unmanaged machine.

Instructions for standalone deployments


If you merely need to block IE11 from a few machines, installing this blocker script by hand during your normal review of the machine may be your choice. It may not be the most efficient way to block IE 11 however.

Patching is often most disruptive to unmanaged customers. Internet Explorer 11 is default on Windows 8.1.

IE11 for Windows 7 includes many, but not all, of the same features that are in the Windows 8.1 version. Here’s what’s different:

• In the Windows 7 version of IE11, the URL bar remains at the top of the browser (like it is with IE10 on Windows 7). IE11 for Windows 8.1 puts the URL bar at the bottom.

• The new tab view in Windows 8.1 isn’t part of the IE11 for Windows 7 release.

• IE11 on Windows 7 won’t support premium video extensions like the 8.1 version does. “There are many solutions available for Windows 7 customers to stream and view protected content online, those methods will continue to function for customers,” a spokesperson confirmed. (Read: Silverlight and Flash.)

• No support for Google’s SPDY protocol (the precursor to HTTP 2.0) in IE11 on Windows 7. IE11 on Windows 8.1 does support SPDY.

• IE11 on Windows 7 will not support Enhanced Protected Mode browser security enhancements. (IE10 on Windows 7 didn’t, either.)

Beyond this, IE11 for Windows 7 and IE 11 for Windows 8.1 are largely the same, according to Microsoft officials.

Like IE11 on Windows 8.1, IE11 on Windows 7 includes support for WebGL. It will natively decode JPG images in real-time on the GPU so that pages load faster, use less memory and help improve battery life, and it will support HTML5 link prefetching and pre-rendering, officials said. IE11 on Windows 7 also incorporates the same changes to the “Chakra” JavaScript engine, including changes to garbage collection and just-in-time (JIT) compilation, as IE11 for Windows 8.1 does, they said.

(source: http://www.zdnet.com/microsoft-releases-to-the-web-ie11-for-windows-7-7000022751/ )

Download the blocker toolkit from http://www.microsoft.com/en-us/download/details.aspx?id=40722

1. Click on the link to download the package and select ‘Run’ or ‘Open’. You will be asked to accept the end-user license agreement (EULA) before you gain access to the package contents. The package contains 4 different files.

2. Ignore the fact that the download warning says IE11 release preview


Figure 1 – ignore the warning and click to continue


Figure 2 – Accept the EULA

3. Pick a location where you would like to place the 3 files above by clicking on ‘Browse’. Once you have specified the location to place the extracted files, click ‘OK’. If the folder location does not previously exist you will be prompted to make the location to store the three files.


Figure 3 – Insert location of extraction

4. Launch an elevated Command Prompt by navigating to Start -> All Programs -> Accessories -> and then right click on “Command Prompt” and select “Run as Administrator”.


Figure 4 – Right mouse click on Command Prompt

5. Type “CD” followed by the path to where you have extracted the 4 files in step 2 above.


Figure 5 – Moving to the extract location

6. In the Command Prompt, type “ie11_blocker.cmd /B” and hit Enter to set the blocker on the machine.


Figure 6 – enter in the command to block IE 11

7. You will see confirmation in the Command Prompt: “Blocking deployment of Internet Explorer 11 on the local machine. The operation completed successfully.” You can now close the Command Prompt window.


Figure 7 – IE 11 is now blocked

8. To confirm, click on start, in the run box, type in regedit and hit enter. Navigate to the HKEY_LOCAL_MACHINE key, then to SOFTWARE, then to Microsoft, then to Internet Explorer, then to Setup, then to 10.0


Figure 8 – Ensuring that the block registry key is set

9. You will see a registry key there blocking the deployment of IE11


Figure 9 – Reviewing the registry key

Instructions for using your own deployment tool

Using a Remote management tool that allows for scripting, merely push out a registry key as follows:

Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\11.0

Key value name: DoNotAllowIE11

Deploy a DWORD (32-bit) value with a Hexadecimal value of 1 as shown below to block IE 11.


Figure 10 – Registry key values

The registry key will block the automatic deployment of IE11.

Alternatively you can script the command included in this download by specifying the machine name. The syntax to use is IE11_Blocker.cmd [<machine name>] /B. The command switch of /U will unblock the distribution of IE11 and the switch of /H will showcase the help file. If the remote registry can’t be accessed due to security permissions or the remote machine can’t be found, an error message is returned from the REG command.


Figure 11 – Switches used in the command
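
One way to push and then verify the registry value from a scripting-capable management tool, as an added PowerShell example (not part of the Microsoft toolkit or the original article). It assumes PowerShell 3.0 or later and an elevated session; the function names are hypothetical.

```powershell
# Added example: set and verify the IE11 blocker value described above.
# Key path and value name are the ones given in the article; function names are hypothetical.
$SubKey    = 'SOFTWARE\Microsoft\Internet Explorer\Setup\11.0'
$ValueName = 'DoNotAllowIE11'

function Open-HklmBase {
    # Open the 64-bit registry view explicitly so the result does not depend on the
    # bitness of the agent process running the script. On 32-bit Windows this
    # returns the normal (32-bit) view.
    [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
}

function Get-IE11BlockState {
    $base = Open-HklmBase
    try {
        $key = $base.OpenSubKey($SubKey)            # read-only; $null if the key is absent
        if ($null -eq $key) { return 'KeyMissing' }
        try {
            $value = $key.GetValue($ValueName, $null)
            if ($null -eq $value) { return 'ValueMissing' }
            # The article specifies a DWORD (32-bit) value; flag anything else.
            $kind = $key.GetValueKind($ValueName)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return "WrongType:$kind" }
            if ($value -eq 1) { return 'Blocked' } else { return "NotBlocked:$value" }
        } finally { $key.Close() }
    } finally { $base.Close() }
}

function Set-IE11Block {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess("HKLM\$SubKey", "Set $ValueName = 1 (DWORD)")) {
        $base = Open-HklmBase
        try {
            $key = $base.CreateSubKey($SubKey)      # creates the key if needed, opens it writable
            try {
                $key.SetValue($ValueName, 1, [Microsoft.Win32.RegistryValueKind]::DWord)
            } finally { $key.Close() }
        } finally { $base.Close() }
    }
    Get-IE11BlockState                              # re-read so the caller sees the actual state
}

# Only write when needed, and report before/after for the management tool's log.
$before = Get-IE11BlockState
$after  = if ($before -eq 'Blocked') { $before } else { Set-IE11Block }
[pscustomobject]@{ Computer = $env:COMPUTERNAME; Before = $before; After = $after }
```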

Instructions for using group policy

Included in the toolkit is a Group Policy ADM file. It allows administrators to import the new group policy settings to block or unblock automatic delivery of IE11. Users running Windows 7 (SP1) or Windows Server 2008 R2 (SP1) will see the policy under Computer Configuration / Administrative Templates / Classic Administrative Templates / Windows Components / Windows Update / Automatic Updates Blockers v3. This setting is available only as a Computer setting; there is no Per-User setting.

Note: This registry setting is not stored in a policies key and is thus considered a preference. Therefore if the Group Policy Object that implements the setting is ever removed or the policy is set to Not Configured, the setting will remain. To unblock distribution of Internet Explorer 11 by using Group Policy, set the policy to Disabled.

Third Tier 2015 Sneak Preview
Posted by Third Tier on 18 December 2014 02:10 PM

We held a webinar where we talked about what we’ll be up to in 2015. Here’s the concluding slide. 8 programs and 11 staff. We recorded the session; you can download it and have a listen. We talked about our current programs: Helpdesk, MicroStaffing, SMBKitchen and Brain Explosion. Then we talked about our new programs: Super Secret News, Look a Whale, Tech Your Books and Be the Cloud. We also announced a monthly webinar series. All of the new things start up in 2015.

Protecting Merchant Point of Sale Systems during the Holiday Season
Posted by Third Tier on 13 November 2014 08:27 AM

One of the services that we provide to members of the SMBKitchen ASP at Third Tier is classified documents prepared by various government agencies relating to IT security. Being aware of the current threats can give you a leg up on protecting your clients. Having access to the research lets you understand the threats in a way that your competition simply won’t. When you know more, you can provide more value to your clients. It really is that simple.

We’ve never before been able to share this information with the general public but recently this document came to us and was declassified for public consumption. Below is the first page and a link to the full document.

This advisory was prepared in collaboration with the Financial Services Information Sharing and Analysis Center (FS-ISAC), the United States Secret Service (USSS), and the Retail Cyber Intelligence Sharing Center (R-CISC), and is directed towards retailers or companies which are processing financial transactions and managing customer personally identifiable information (PII) during the upcoming holiday season and beyond. This advisory serves to provide information on and recommends possible mitigations for common cyber exploitation tactics, techniques and procedures (TTPs) consistently and successfully leveraged by attackers in the past year. Many of these TTPs have been observed by the FS-ISAC, through its members, and identified in Secret Service investigations.

The TTPs discussed in this report include:

• Exploiting commercial application vulnerabilities

• Unauthorized access via remote access

• Email phishing

• Unsafe web browsing from computer systems used to collect, process, store or transmit customer information  

This document provides recommended security controls in these four commonly observed areas to protect customer data and also provides recommendations to smaller merchants who should work with their vendors to implement these recommendations (see Appendix A).


This advisory is not intended to be a robust, all-inclusive list of procedures as attackers will modify TTPs depending upon the target’s network and vulnerabilities. This report does not contain detailed information about memory scraping Point of Sale (PoS) malware that has been used in recent high-profile data breaches. Secret Service investigations of many of the recent PoS data breaches have identified customized malware only being used once per target. A list of observed PoS malware families is provided in Appendix B.

These recommendations should be analyzed by cyber threat analysis and fraud investigation teams based on their operational requirements.  The information contained in this advisory does not augment, replace or supersede requirements in the Payment Card Industry Data Security Standard (PCI DSS); however, the PCI DSS version 3.0 recommendations are cited when appropriate.1 

Download the full document

Managing Click to Run Office Installations
Posted by Third Tier on 12 November 2014 10:56 AM

In 2013 as part of the SMBKitchen Project, Susan Bradley wrote an article called Managing Click to Run Office. Click to Run Office was introduced in 2010 and generally went unnoticed by the IT community as it was sold only to home subscribers. This article brought forth the reality that in 2013 Click to Run became the mainstream method of Office deployments. Since this writing it is now nearly ubiquitous.  


OFFICE DEPLOYMENTS


Office 2013 Click to Run

32 versus 64 bit Office

You may have a 64 bit operating system but that doesn’t mean you are running the 64 bit version of the Office suite. Most experts recommend installing the 32 bit version of Office, as most toolbars, add-ins and line of business apps only work with 32 bit Office. If you are unsure, you can check the location of the Office 15 folder. If the executables are located in C:\Program Files\Microsoft Office 15\ClientX64, you have the 64 bit version installed. If you see C:\Program Files\Microsoft Office 15\ClientX86, that is the 32 bit version installed.

Click to Run is Microsoft’s newer way to deploy Office. First introduced with the Office 2010 retail SKUs, it is now included as an option with Office 365 Office deployments. With Office 365 volume licensing, in fact, you have the choice of deployment via Click to Run or deployment via the traditional MSI installer. The major difference between Click to Run deployments and traditional Office deployments is in how the updates are deployed. Click to Run uses an App-V streaming method, so you get the entire Office image deployed to you as a whole. The next time there is an update, you’ll get the entire upgrade of the deployment. With traditional Office, you get your updates via Microsoft Update.


Click-to-Run is available for the following products from Office 365:

• Office 365 ProPlus

• Visio Pro for Office 365

• Project Pro for Office 365

• SharePoint Designer 2013

• Lync 2013

• Lync 2013 Basic

The products that are available to you depend on your Office 365 subscription.

Click-to-Run is also available for the following retail products:

• Office Professional 2013

• Office Home and Business 2013

• Office Home and Student 2013

Traditional Office updating

First a bit of background on traditional Office deployments. Office updating is controlled by Microsoft update, not Windows update. Windows update only offers up Windows updates only, that is, only updates for the operating system itself. On standalone unmanaged systems you must flip the machine over to Microsoft update in order to receive Office updates. Typically at the end of an install of Office the machine will ask you if you wish to stay up to take with Office updates. Saying yes at this step will do several things. Firstly it will opt you into Microsoft updates, secondly it will enable automatic updating.

If you have ever been convinced that your Windows Update settings spontaneously changed from what you set them to be, chances are you said yes at this user prompt and didn’t realize the impact of saying yes. Patches for traditional Office can also be managed by third-party patching engines such as WSUS.

Click to Run

Beginning in 2010, Microsoft started deploying certain retail versions of Office using their “features on demand” or “App-V” deployment. When you first start installing a Click to Run Office version, it will start to install the entire image to the machine. You will see indications of what it is doing in the background. Make sure you do not turn your computer off during this time, otherwise you may need to remove the Office install and reinstall it. Click to Run does not get updates via Microsoft Update, so on Patch Tuesday you will not see Office updates being offered. Rather, an entire new install will be streamed down to the workstations, typically a day or two after the second Tuesday of the month.

Rolling back

But invariably the question comes up, what if there is an incompatibility with the streamed version of Office and some line of business add in? How can you roll back to a prior working version of Click to Run? It’s not as difficult as it might seem and also points out that in a domain or network setting, Click to Run can be centrally managed as well. In the case of the unmanaged workstation, you can roll back to a prior working version by doing a repair install.

The process to revert to an earlier version of Click-to-Run Office 2013 is as follows:

1. Disable Office 2013 updates. In Outlook Click File, Office Account, Office Updates and click Disable Updates.

2. In your Outlook calendar add an appointment reminder for a date in the future to remind you to re-enable updates.

3. Open an elevated cmd.exe (right click on “Command Prompt” and choose Run as administrator)

4. Change Directory to the path of integratedOffice.exe

In the command prompt, type one of the following, depending on whether you are running 32 or 64 bit Office:

cd %programfiles%\Microsoft Office 15\ClientX64\

for the 64 bit version of Office, or

cd %programfiles%\Microsoft Office 15\ClientX86\

for the 32 bit version of Office.

5. Run the following command to revert to September 2013 version of Office 64 bit:

C:\Program Files\Microsoft Office 15\ClientX64>integratedoffice.exe REPAIRUI RERUNMODE version 15.0.4535.1004

Or for the 32 bit version of Office

C:\Program Files\Microsoft Office 15\ClientX86>integratedoffice.exe REPAIRUI RERUNMODE version 15.0.4535.1004

*Note*: Available versions are listed here: http://support.microsoft.com/gp/office-2013-click-to-run

You will need to determine the last working build of Office and roll back to that version.

6. This brings up the Online Repair dialog. Choose *Online Repair*

Once complete you can check your version to verify it updated properly.
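Steps 3 to 6 above can be scripted. The following PowerShell sketch is an added example, not part of the original article or a Microsoft tool; it uses only the paths and switches given in the steps, and the `$TargetVersion` parameter name is an assumption of the example. Steps 1 and 2 (disabling updates and setting a reminder to re-enable them) are still done by hand, and the script assumes a 64-bit PowerShell host so that `%programfiles%` resolves as it does in the steps.

```powershell
# Added example: locate integratedoffice.exe and start the Click-to-Run rollback.
param(
    # Last known-good build; 15.0.4535.1004 is the September 2013 build used above.
    [string]$TargetVersion = '15.0.4535.1004'
)

# Refuse anything that is not an Office 2013 (15.0.x.y) build number.
if ($TargetVersion -notmatch '^15\.0\.\d+\.\d+$') {
    throw "Unexpected build number format: $TargetVersion"
}

# The repair needs an elevated prompt (step 3).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}

# ClientX64 holds the 64-bit install, ClientX86 the 32-bit one (step 4).
$officeRoot = Join-Path $env:ProgramFiles 'Microsoft Office 15'
$exe = 'ClientX64', 'ClientX86' |
    ForEach-Object { Join-Path (Join-Path $officeRoot $_) 'integratedoffice.exe' } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1

if (-not $exe) {
    throw "integratedoffice.exe not found under $officeRoot"
}

# Same command line as step 5; this opens the repair dialog described in step 6.
Write-Host "Rolling back to $TargetVersion using $exe"
Start-Process -FilePath $exe `
    -WorkingDirectory (Split-Path -Parent $exe) `
    -ArgumentList 'REPAIRUI', 'RERUNMODE', 'version', $TargetVersion `
    -Wait
```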

Network customizations

In a domain or network setting you can control this process even more.

Click-to-Run for Office 365 products are based on core virtualization and streaming Microsoft Application Virtualization (App-V) technologies. Click-to-Run resources run in an isolated virtual environment on the local operating system.

To customize Click-to-Run for Office 365 installation settings for an on-premises deployment of Office 365 ProPlus, administrators who have signed up for Office 365 can use the Office Deployment Tool. You download the Office Deployment Tool from the Microsoft Download Center site. The download includes a sample Configuration.xml file. To customize a Click-to-Run for Office 365 installation, you run the Office Deployment Tool and provide a custom Configuration.xml configuration file. The Office Deployment Tool performs the tasks that are specified by using the optional properties in the configuration file.

You can specify the following Click-to-Run installation options in the Configuration.xml file:

• Product and languages to install or remove

• Source path

• Level of user interface to display

• Logging options

• Product updates behavior

Download the Office customization tool from the Microsoft download center.


Click to extract the contents.

Accept the EULA


You will note you have a setup.exe and a configuration file.


The setup file has several switches


To begin the customization process open up the configuration file in notepad and edit the variables as follows:

<Configuration>

<!-- <Add SourcePath="\\Server\Share\Office\" OfficeClientEdition="32" >

<Product ID="O365ProPlusRetail">

<Language ID="en-us" />

</Product>

<Product ID="VisioProRetail">

<Language ID="en-us" />

</Product>

</Add> -->

<!-- <Updates Enabled="TRUE" UpdatePath="\\Server\Share\Office\" /> -->

<!-- <Display Level="None" AcceptEULA="TRUE" /> -->

<!-- <Logging Name="OfficeSetup.txt" Path="%temp%" /> -->

<!-- <Property Name="AUTOACTIVATE" Value="1" /> -->

</Configuration>

In the first line you indicate where the click to run installer files will be located.

<!-- <Add SourcePath="\\Server\Share\Office\" OfficeClientEdition="32" >

Make sure that the user has read rights to that share location in order to install Office. Indicate the edition of Office, either 32bit or 64 bit.

<Product ID="O365ProPlusRetail">

Edit the name of the product you are deploying in the network.

<Language ID="en-us" />

Enter in the language you wish to deploy.

</Product>

<Product ID="VisioProRetail">

<Language ID="en-us" />

Enter in any additional products you wish to install.

If you download Office Pro Plus from Office 365 (e.g. E3 plan) and deploy it from an on-premises location, i.e. a network share, using the Office Deployment Tool for Click-to-Run (http://www.microsoft.com/en-IE/download/details.aspx?id=36778) and its ‘setup.exe /download’ and ‘setup.exe /configure’ commands as per the TechNet articles for the tool (http://technet.microsoft.com/en-us/library/jj219422.aspx and http://blogs.technet.com/b/office_resource_kit/archive/2013/08/08/how-to-deploy-office-365-proplusfrom-an-on-premises-web-portal.aspx), the Office 2013 apps are NOT set to automatically update.

Open any Office app, click on File – Account, look under “Product Information” and click on the “Update Options” button to enable them.

Either use group policy or set the updates element to automatically update or point to a network location:

* GPO (http://www.microsoft.com/en-us/download/details.aspx?id=35554 and http://technet.microsoft.com/en-us/library/cc179176.aspx)

* Utilize the “Updates element” within the Click-to-Run configuration.xml file (http://technet.microsoft.com/en-us/library/jj219426.aspx) and set up a local network share for an “Update Path” (http://technet.microsoft.com/en-us/library/jj219420.aspx)
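Because the sample Configuration.xml ships with every element commented out, it is easy to deploy from a file whose Updates element never took effect. The following PowerShell check is an added example, not from the article or from Microsoft; the function name `Test-OdtUpdateConfig` and the sample file contents are constructed for illustration, using only the elements and attributes shown in the configuration file above.

```powershell
# Added example, not Microsoft's or the article's code: audit the update
# settings in an Office Deployment Tool Configuration.xml before deploying it.
function Test-OdtUpdateConfig {
    param([Parameter(Mandatory = $true)][string]$XmlText)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($XmlText)
    $findings = @()

    # XPath matches live elements only; text inside <!-- --> is a comment node.
    $updates = $doc.SelectSingleNode('/Configuration/Updates')
    if ($null -eq $updates) {
        $findings += 'No active <Updates> element: update behaviour is not set by this file.'
        foreach ($c in $doc.SelectNodes('//comment()')) {
            if ($c.Value -match '<Updates\b') {
                $findings += 'An <Updates> element exists but is commented out.'
                break
            }
        }
    }
    else {
        if ($updates.GetAttribute('Enabled') -ne 'TRUE') {
            $findings += 'Updates element found, but Enabled is not TRUE.'
        }
        if (-not $updates.GetAttribute('UpdatePath')) {
            $findings += 'No UpdatePath: updates will not come from a local share.'
        }
    }

    $add = $doc.SelectSingleNode('/Configuration/Add')
    if (($null -ne $add) -and (('32', '64') -notcontains $add.GetAttribute('OfficeClientEdition'))) {
        $findings += 'OfficeClientEdition should be 32 or 64.'
    }
    $findings
}

# Constructed sample: <Add> is live, <Updates> is still commented out.
$sample = @'
<Configuration>
  <Add SourcePath="\\Server\Share\Office\" OfficeClientEdition="32">
    <Product ID="O365ProPlusRetail"><Language ID="en-us" /></Product>
  </Add>
  <!-- <Updates Enabled="TRUE" UpdatePath="\\Server\Share\Office\" /> -->
</Configuration>
'@

Test-OdtUpdateConfig -XmlText $sample
```

For the constructed sample the function returns two findings: no active Updates element, and an Updates element that is still commented out. To check a real file, pass `(Get-Content .\Configuration.xml | Out-String)` as `-XmlText`.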

Switching back to MSI deployment

Be aware you can flip Click to run back to a traditional deployment by downloading the msi file. In Office 365 you can find this msi download easily. Even if you are a retail customer you can log into the account portal and download the Office 2013 msi from there.

How to switch back to MSI (old fashioned MU updates) deployment

http://office.microsoft.com/en-us/excel-help/click-to-run-switch-to-using-an-msi-based-office-editionHA101850538.aspx

Managing retail Office 2013

Currently I can find no way around the need for a Microsoft account for a retail or keycard deployment.

There are two means of managing these accounts.

One master account.

Using this method one master Microsoft account is set up for the entire firm. A manual spreadsheet must be maintained of which user has which product key assigned to them.

Each user gets a Microsoft account.

The second way is each user in the firm gets a Microsoft Live ID that matches their business email account. Each product key is then set up in each separate Live ID. You can rename and re-alias this account as the person leaves the firm. https://account.live.com/names/Manage Log in with the Microsoft account credentials to manage the information there.


SMBKitchen ASP Security News
Posted by amy on 18 April 2014 10:31 AM

What is SMBKitchen ASP doing and why should you join us? Here is one section of what we’re doing. It’s about security knowledge, patching and taking action on what you’ve just learned to protect your clients.

Patching issues. Susan Bradley is the patch-o-holic and provides a monthly overview of released patches, what to install, what to avoid and case studies on problems incurred and how to avoid or recover from the issues seen. The articles are updated with new real world information from the field and Microsoft support cases as they occur.

Windows Server 2012 with Issues: Server 2012 R2 is getting a big patch with new features and it has some issues seen already even though its official release isn’t until tomorrow. 4/13 this document was updated. Some are running into real problems. by Susan Bradley

Windows 8.1 Update Issues: Two articles regarding issues for the update to Win 8.1. Do also note that this update is HUGE and takes a solid hour to install. Update fails to install. Breaks WSUS. by Susan Bradley

Patching March: March Patching tips from the Patch-o-holic. **Update on Office Patch issues by Susan Bradley

Security Documents from Government Sources. These declassified documents provide information on what government security organizations are seeing as upcoming sources of problems for the nation’s businesses. As the ASP project continues you will see some of this information distill into recommendations, policy suggestions and consulting projects. This information will keep you well ahead of the competition and the threats.

POS Malware Technical Analysis: Indicators for Network Defenders: _This information is not to be shared outside of your company and is only accessible to registered users here by permission._   This advisory was prepared in collaboration with the Nat…

Phone scams on the elderly: _This information is not to be shared outside of your company and is only accessible to registered users here by permission._ This isn’t directly related to supporting businesses, but which of your clients doesn’t have an aging parent? This phone sc…

Heartbleed Technical plus Snort Signatures: _This information is not to be shared outside of your company and is only accessible to registered users here by permission._ Official documents attached for Heartbleed technical information, incident occurrences and also snort signatures for your fi…

Healthcare Warning and Opportunity?: _This information is not to be shared outside of your company and is only accessible to registered users here by permission._ So this is interesting. There’s a warning here to be on the lookout for an increased likelihood that hackers will be target…

WiFi Vulnerabilities from Pineapple Router: _This information is not to be shared outside of your company and is only accessible to registered users here by permission._ Have you ever looked over the list of SSID’s in a public space and wondered what the open network called “free open wifi” i…

Coordinated financial attacks with list of domains: _This information is not to be shared outside of your company and is only accessible to registered users here by permission._ Since September 2012, U.S. financial institutions have been under coordinated and timed DDoS attacks. In total, 50 U.S. fin…

Collecting and Monitoring Event Logs: _This information is not to be shared outside of your company and is only accessible to registered users here by permission._ How to collect and monitor event logs. This article by NSA and CSS goes into detail about how and what to monitor in your e…

Google Dorking Friend or Foe?: _This information is not to be shared outside of your company and is only accessible to registered users here by permission._ Google dorking is a thing. It can be used to help narrow your searches and I’ve used it without realizing that it had a nam…

Alerts on Banking Attack: The attached documents are for your eyes only. They are shared only to trusted parties, such as SMBKitchen subscribers, who may build solutions to protect businesses from this activity. by Susan Bradley

SAP to be target for Trojan: _This information is not to be shared outside of your company and is only accessible to registered users here by permission._ New Trojan Variant Likely to Offer Cyber Criminals Access to SAP Systems to Collect Sensitive Information or Disrupt Busine…

HeadsUP is a space for things to know and do around security and patching.

Security Office 2003 and Windows XP

Windows XP End of Life

High Risk P2P Mobile Payment Solutions Vulnerable: Person-to-person (P2P) payments are electronic transfers between family members, friends, and/or service providers. Mobile payment service apps such as Square Cash, Google Wallet, and Venmo provide a quick and easy way for individuals to pay for goods …

Zero Day for Word 2010: Word 2010 is the recipient of a zero day exploit attacking RTF file types. by Susan Bradley

_____

Are you not a member of SMBKitchen ASP? Join up. It’s free through the end of the month. http://www.thirdtier.net/smbkitchen-asp/ Our goal is to help IT firms be more aware, be better consultants and survive in the new era.

Not a Third Tier customer yet? Let me introduce:  We’re Third Tier. We provide advanced Third Tier support for IT Professionals. Come on over, create an account (no charge) and follow our social media locations.
