I don't understand why they aren't making the patch for MS14-025 available
to WU clients.  Some organizations have lots of workstations with RSAT
installed, thus vulnerable, and not all of them use enterprise tools to
distribute patches.


On Wed, May 14, 2014 at 6:23 PM, Susan Bradley <[email protected]> wrote:

>  Read the known issues in KB2962824 and its impact on HyperV and
> guest/children.  It won't install if the child supports UEFI (Server
> 2012/2012R2) and either you have to do a funky workaround involving
> shutting down the kids or install bitlocker role.
> (I don't like the resolution IMHO)
>
> I've seen several folks report that they can't open Outlook 2013 after
> yesterday's update.  Outlook 2013 relies on DirectX and thus update the
> video driver/disable hardware acceleration or disable aero.
>
> MS14-025 is an interesting patch that you can shut down the
> auditors/pentesters from grabbing passwords.
> You can deploy the Group policy preferences patch to everyone BUT your
> machine that has the RSAT tools to give you time to fix up how you do
> things as pentesters keep grabbing credentials from passwords left behind
> in Group policy preference and RSAT consoles (note this patch is not on MU
> but on the download site/catalog and on WSUS)
>
>
> http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx
>
> In addition to the change in behavior, Microsoft is providing customers
> with two PowerShell scripts. The first script, Enum-SettingsWithCpassword,
> will search existing GPO’s for use of the account password functionality.
> We urge companies to immediately run this script and delete vulnerable
> GPO’s detected.
>
> The second script, Invoke-PasswordRoll, can be used to set local
> administrator passwords on remote systems (something that Group Policy
> Preferences is commonly used for). The script takes a list of usernames and
> computers, and uses PowerShell remoting to connect to each computer and
> change each specified username's password to a randomized password. The
> username/password combinations will be recorded in a file on disk
> (which is encrypted, but optionally can be stored in clear-text). Note that
> the script enforces randomized passwords to ensure the local accounts
> cannot be used in pass-the-hash attacks.
>
> You can find both scripts at http://support.microsoft.com/kb/2962486.
>
> On 5/14/2014 3:12 PM, Jonathan Link wrote:
>
> Sometimes it's good to follow...
>
>
> On Wed, May 14, 2014 at 6:07 PM, Kennedy, Jim <
> [email protected]> wrote:
>
>>  Oh, I will have plenty to say about that tomorrow. Too busy cleaning up
>> the mess right now.
>>  ------------------------------
>> *From:* [email protected] [[email protected]]
>> on behalf of Jon Harris [[email protected]]
>> *Sent:* Wednesday, May 14, 2014 5:56 PM
>> *To:* [email protected]
>> *Subject:* [NTSysADM] Sure is quiet today
>>
>>   It is sure quiet today.  I figured with the Microsoft patches out I
>> would see some chatter on issues.
>>
>> Jon
>>
>
>
> --
> Got your CryptoLocker prevention in place?
> http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit-updates/
> Our last day of XP patching.  Wave it goodbye.
>
>


-- 

Charlie Sullivan

Sr. Windows Systems Administrator

Boston College

197 Foster St. Room 367

Brighton, MA 02135

617-552-4318
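
The quoted Microsoft text says Enum-SettingsWithCpassword searches existing GPOs for use of the account password functionality. A sketch of that kind of audit follows as an added example; it is not part of this thread and not the script from KB2962486. The function name `Find-GppCpassword`, the account attribute names it checks and the sample XML are assumptions constructed for illustration, and the stored value is never printed or decoded.

```powershell
# Added example: report Group Policy Preferences items that carry a non-empty
# cpassword attribute, so the owning GPO can be reviewed and cleaned up.
function Find-GppCpassword {
    param([Parameter(Mandatory)] [string] $Path)   # root of the policy folder tree to audit
    Get-ChildItem -Path $Path -Recurse -Filter *.xml -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            try { $xml = [xml](Get-Content -LiteralPath $file -Raw) }
            catch { Write-Warning "Skipping unparsable XML: $file"; return }
            # Match any element whose cpassword attribute is present and not empty
            foreach ($node in $xml.SelectNodes('//*[string-length(@cpassword) > 0]')) {
                $parent = $node.ParentNode -as [System.Xml.XmlElement]
                if (-not $parent) { continue }
                # Assumed attribute names that identify the affected account
                $account = foreach ($a in 'userName', 'accountName', 'runAs') {
                    if ($node.HasAttribute($a)) { $node.GetAttribute($a); break }
                }
                [pscustomobject]@{
                    File     = $file
                    ItemType = $parent.LocalName
                    ItemName = $parent.GetAttribute('name')
                    Account  = $account
                    Changed  = $parent.GetAttribute('changed')
                }
            }
        }
}

# Constructed sample input: one item with a stored password, one without
$demo = Join-Path ([IO.Path]::GetTempPath()) ("gpp-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
@'
<Groups>
  <User name="LocalAdmin" changed="2014-01-01 00:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </User>
  <User name="Guest" changed="2014-01-01 00:00:00">
    <Properties action="U" userName="Guest" cpassword=""/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $demo 'Groups.xml')

Find-GppCpassword -Path $demo | Format-Table -AutoSize   # only the LocalAdmin item is listed
Remove-Item -LiteralPath $demo -Recurse -Force
```

Pointing `-Path` at a read-only copy of the policy folders keeps the audit from touching live GPOs.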
