Overclockers Australia Forums

17th May 2017, 2:11 PM   #46
PabloEscobar

Quote:
Originally Posted by cvidler View Post
Does no one keep snapshots of their server shares?

Gives you plenty of time to find/kill and restore without having to go back to backups.

And you're using role based access right? or does everyone get read/write to the entire data share?
I'm not sure if WannaCry uses any privilege escalation techniques, but in your average Windows network, they are pretty trivial.

Some of the ransomware escalates and hoses Volume shadow copies before it encrypts.

All in all, I'd say everyone got off lightly. It could have been much worse.

Using NXDOMAIN as a method of sandbox detection made it very easy to stop before it had spread too far.

It's been a while since we've had a good and proper worm (à la Nimda/Code Red). People have forgotten how nasty it can get.

/ClevelandBrown.mp4

17th May 2017, 2:17 PM   #47
cvidler

Quote:
Originally Posted by PabloEscobar View Post
I'm not sure if WannaCry uses any privilege escalation techniques, but in your average Windows network, they are pretty trivial.

Some of the ransomware escalates and hoses Volume shadow copies before it encrypts.
I meant proper snapshots (storage system CoW based), not crummy Windows rubbish.

Not going to have too much luck if it has to figure out your NAS/SAN vulnerabilities and command set to hose your data. (Just don't use HPE, it's self-hosing.)
__________________
We might eviscerate your arguments, but we won't hurt you. Honest! - Lucifers Mentor

17th May 2017, 2:22 PM   #48
looktall

Quote:
Originally Posted by PabloEscobar View Post
I've been told that Kronos is sweaty ball juice as far as "Enterprise Shitware that relies on Outdated stuff" goes, but haven't had the displeasure of working with it myself.
newer versions are much better.
previous versions would only work with version 1.5.somethingorother of Java.
newer versions now work with the latest version, but if you don't have Java installed it will encourage you to install version 1.7.20.

it's not nearly as bad as the fucking steaming heap of shit known as freightmaster.

17th May 2017, 6:53 PM   #49
elvis

Quote:
Originally Posted by cvidler View Post
Does no one keep snapshots of their server shares?
I'd be interested to see real numbers on this, but I'd say snapshots are a minority thing still.

Particularly in small businesses, storage is frequently run at 90%, and snapshots are nothing more than "wasted space that we paid for". I've lost count of the number of places I've worked for in the past where it was almost impossible to get businesses to understand that they needed to shell out for double the storage they actually wanted in production just to stay safe (and not slow down on full/busy file systems either).
__________________
Play old games with me!

17th May 2017, 6:54 PM   #50
NSanity

Everywhere I build now, I use Snapshots on file shares.

No, fuck you, you can't have that 20% of space. It's mine.

17th May 2017, 7:13 PM   #51
Doc-of-FC

Quote:
Originally Posted by NSanity View Post
https://msdn.microsoft.com/en-us/pow...ent/get-hotfix
Code:
# Write each server in servers.txt that does not report KB4012216 to a file
PS C:\> $A = Get-Content "servers.txt"
PS C:\> $A | ForEach { if (!(Get-HotFix -Id "KB4012216" -ComputerName $_)) { Add-Content $_ -Path "Missing-KB4012216.txt" }}
off you go.
for example, dumping computers from WSUS:
Code:
sqlcmd -I -S np:\\.\pipe\MICROSOFT##WID\tsql\query -d SUSDB -Q "SELECT * from PUBLIC_VIEWS.vComputerTarget" -o "computers.csv" -s"," -w 20000
craft your joins accordingly and away you go, just don't forget to wuauclt /reportnow every machine before querying WSUS
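
Added example, not part of the original thread: the Get-HotFix sweep quoted above records a host that could not be queried the same way as a host that answered without the update, so this version reports the two separately. The function name, the `-AcceptKb` parameter and the output file names are assumptions; a host that received the fix through a later rollup will not list KB4012216, so pass the superseding update IDs for your builds in `-AcceptKb` as well.

```powershell
# Added example, not from the thread. Function, parameter and file names are hypothetical.
function Test-HotFixCoverage {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        # Any one of these IDs counts as patched: the KB itself plus updates that supersede it.
        [Parameter(Mandatory)] [string[]] $AcceptKb
    )
    foreach ($computer in $ComputerName) {
        $status = 'Missing'
        $found  = @()
        try {
            # Fetch the whole list once. -ErrorAction Stop makes a failed remote query throw,
            # so an unreachable host is not mistaken for an unpatched one.
            $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop)
            $found = @($installed | Where-Object { $AcceptKb -contains $_.HotFixID } |
                       ForEach-Object { $_.HotFixID })
            if ($found.Count -gt 0) { $status = 'Patched' }
        }
        catch {
            $status = 'Unreachable'
        }
        [pscustomobject]@{
            ComputerName = $computer
            Status       = $status
            MatchedKb    = $found -join ','
        }
    }
}

# servers.txt holds one host name per line, as in the post; fall back to the local machine.
$servers = if (Test-Path 'servers.txt') {
    @(Get-Content 'servers.txt' | Where-Object { $_.Trim() })
} else {
    @($env:COMPUTERNAME)
}
$report = @(Test-HotFixCoverage -ComputerName $servers -AcceptKb 'KB4012216')

foreach ($state in 'Missing', 'Unreachable') {
    $hosts = @($report | Where-Object { $_.Status -eq $state } | ForEach-Object { $_.ComputerName })
    if ($hosts.Count -gt 0) { Set-Content -Path "$state-KB4012216.txt" -Value $hosts }
}
$report | Format-Table -AutoSize
```
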
17th May 2017, 7:20 PM   #52
elvis
Quote:
Originally Posted by NSanity View Post
Everywhere I build now, I use Snapshots on file shares.

No, fuck you, you can't have that 20% of space. It's mine.
Again, I just tell people to estimate what they think they need, and then tell them that they need to buy double, no excuses, and 25% of that is space they'll never even know existed, but will save their arses a thousand times over.

The very first time some finance knob deletes "that one critical XLSX file" and needs it urgently restored, you point to a dozen read-only copies of it dating back hours/days/weeks, and they realise you weren't bullshitting.

Go CoW, or go home.

17th May 2017, 7:29 PM   #53
NSanity

20% is my snapshots.
60% can be your data.
the remaining 20% is my fucking watermark for getting you to buy more storage.

17th May 2017, 7:31 PM   #54
looktall

Quote:
Originally Posted by NSanity View Post
Everywhere I build now, I use Snapshots on file shares.

No, fuck you, you can't have that 20% of space. It's mine.
What are you using to snapshot the shares?

17th May 2017, 7:31 PM   #55
NSanity

Quote:
Originally Posted by looktall View Post
What are you using to snapshot the shares?
ZFS/BTRFS/VSS - depends on the application/deployment.

17th May 2017, 7:33 PM   #56
looktall

Quote:
Originally Posted by NSanity View Post
ZFS/BTRFS/VSS - depends on the application/deployment.
The Snapshots don't get crypto'd?

17th May 2017, 7:33 PM   #57
NSanity

Quote:
Originally Posted by looktall View Post
The Snapshots don't get crypto'd?
they aren't mounted so.... no?

17th May 2017, 7:43 PM   #58
looktall

Quote:
Originally Posted by NSanity View Post
they aren't mounted so.... no?
VSS saves to a mounted volume doesn't it?

17th May 2017, 7:51 PM   #59
elvis

Quote:
Originally Posted by looktall View Post
The Snapshots don't get crypto'd?
Quote:
Originally Posted by NSanity View Post
they aren't mounted so.... no?
We mount and share ours, but they're read only at the filesystem layer. Not even "root" is allowed to write to them.

Having them available to users removes a tonne of IT overhead. Although with that said, even after having been shown several times, there are still notable users who can't figure it out and need IT to restore files for them. But whatever, they're "high effort" users for a bunch of other reasons too, not just storage.

If an entire volume got wrecked, we'd restore the entire thing at the storage side (obviously *after* figuring out who/what wrecked it). So far it's just some user who accidentally deleted/changed something and needed to undo it, and typically a single file at a time.

17th May 2017, 7:58 PM   #60
NSanity

Quote:
Originally Posted by looktall View Post
VSS saves to a mounted volume doesn't it?
I mean kinda? In a way. But it's read-only. And it's hidden by a GUID.

Code:
vssadmin list shadows /for=X:\
mklink /D c:\muhshadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\
So long as you're defended from nubs purging VSS, you're fine.

Honestly... literally everything that elvis said.

I'm sure I wrote a post on how to deal with this shit years ago.
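
Added example, not part of the original thread: a scheduled check for the failure case the posts above keep returning to, VSS shadow copies being purged before anyone notices. It compares the current `Win32_ShadowCopy` set with the IDs recorded on the previous run. The function name, state-file path, 24-hour age limit and half-gone threshold are assumptions.

```powershell
# Added example, not from the thread. Function name, state file and thresholds are hypothetical.
function Compare-ShadowCopyBaseline {
    param(
        [object[]] $Current = @(),       # objects exposing ID and InstallDate
        [string[]] $BaselineIds = @(),   # shadow copy IDs recorded on the previous run
        [int]      $MaxAgeHours = 24,
        [datetime] $Now = (Get-Date)
    )
    $currentIds = @($Current | ForEach-Object { $_.ID })
    $vanished   = @($BaselineIds | Where-Object { $currentIds -notcontains $_ })
    $alerts     = @()

    if ($currentIds.Count -eq 0) {
        $alerts += 'No shadow copies present'
    }
    else {
        $newest = $Current | Sort-Object InstallDate -Descending | Select-Object -First 1
        if (($Now - $newest.InstallDate).TotalHours -gt $MaxAgeHours) {
            $alerts += "Newest shadow copy is older than $MaxAgeHours hours"
        }
    }
    # Normal rotation ages out the oldest copy a few at a time. Losing half or more of the
    # recorded copies between two runs is treated as a purge (assumed threshold).
    if ($BaselineIds.Count -gt 0 -and ($vanished.Count * 2) -ge $BaselineIds.Count) {
        $alerts += "$($vanished.Count) of $($BaselineIds.Count) recorded shadow copies are gone"
    }
    [pscustomobject]@{ Vanished = $vanished; Alerts = $alerts }
}

$stateFile = Join-Path $env:ProgramData 'shadowcopy-baseline.txt'
$baseline  = @(if (Test-Path $stateFile) { Get-Content $stateFile })
# Win32_ShadowCopy is only readable from an elevated session.
$current   = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop)

$result = Compare-ShadowCopyBaseline -Current $current -BaselineIds $baseline
$result.Alerts | ForEach-Object { Write-Warning $_ }

# Keep the old baseline while nothing exists, so the alert repeats until snapshots return.
if ($current.Count -gt 0) { $current.ID | Set-Content -Path $stateFile }
```
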
All times are GMT +10.