Forum Widgets
Latest Discussions
BLOG: CVE-2024-38063 - Disabling IPv6 binding = fix - or not?
Dear community, in today's LinkedIn Stream and other social media you might have noticed a recent CVE and the recommendation to disable IPv6 in Windows Server and Windows Client. We are talking about this one: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063 Reading the advisory carefully, Microsoft, strictly speaking, does not directly recommend disabling (technically remove binding) of IPv6. Citing: "Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors might be helpful in your situation: Systems are not affected if IPv6 is disabled on the target machine." Maybe I am a bit nitpicking here about old experiences and would greatly appreciate a refreshed Microsoft statement on the disablement (unbinding) of IPv6 and the side-effects in 2024. What we have learned in the past - do no disable IPv6 easily. - yes, you can face issues with IPv6 being on by default and unexpected or misconfiguration. Often caused by DHCPv6, especially in the combination of critical domain controllers, Dual Stack ISPs and SoHo routers messing up your DNS. What's the fuss about IPv6? I am not actively using it in corporate / at home. IPv6 is being used in Windows. More specifically non-routable fe80 addresses and loopback ::1 for internal purposes of Windows or other software. One may complain use cases are - unrightfully - not well and transparent documented. Have a read in the past Here are some references that Copilot brings up. Trust my memory, I've read more like this. https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ipv6-for-the-windows-administrator-why-you-need-to-care-about/ba-p/256251 https://community.spiceworks.com/t/is-it-a-bad-practice-to-disabe-ipv6/781811/9 https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows My personal conclusion Hold on, we need patches for this CVE, but we should not disable IPv6 easily. Please disable IPv6 temporarily, when you cannot patch this CVE immediately / in time. Take notes which system you have had to disable and consider re-enabling once patches have been tested and applied. If you are using IPv6 knowingly, note the NIC configs. They will be lost when using static settings rather DHCPv6. I am sad to see that NetSec people, undoubtedly experts in their area, jump on the bandwaggon esp. on Social Media to easily disgrace the IPv6 by default enablement of Windows Client and Windows Server, telling you the easier story: "Disable IPv6 and you are good / if you do not need it." Let me counter: You might not know you're "needing it" it in the first place. Whenever you are changing system defaults in Windows, mind that Microsoft and other software vendors may not consider these changes in their testing. And the Crowdstrike Black Friday showed us clearly how outlier system configs and unwell testing goes along. Not very well. IPv6 usage and defaults today One of the most recent example that Microsoft is using IPv6 can be found in the Azure Arc Agent (Connected Machine Agent) changelog: "Better handling when IPv6 local loopback is disabled" source: https://learn.microsoft.com/en-us/azure/azure-arc/servers/agent-release-notes How can I disable IPv6, if required? Many roads led to Rome. Windows + X > Terminal / PowerShell (Admin) #save current NIC config into a simple text file Get-NetAdapterBinding -ComponentID "ms_tcpip6" | where Enabled -eq $true | Out-File $env:temp\original-ipv6-config.txt #disable IPv6 on all adapters Get-NetAdapterBinding -ComponentID "ms_tcpip6" | where Enabled -eq $true | Disable-NetAdapterBinding And how to revert the change? Windows + X > Terminal / PowerShell (Admin) #enable IPv6 on all adapters (mind the text file) Get-NetAdapterBinding -ComponentID "ms_tcpip6" | where Enabled -eq $true | Enable-NetAdapterBinding TL:DR Microsoft is using fe80 addresses and loopback ::1 addresses for internal reasons. IPv6 is preferrably used over IPv4 when it is bound to a network adapter, including said special non- routable addresses. Please disable IPv6 temporarily, when you cannot patch this CVE immediately / in time. Take notes of current config. Please share the word and mind that disabling IPv6 can turn your OS into an outlier system, causing immediate or later issue due lack of testing by Microsoft or other software vendors, assuming the defaults, which is IPv6 being turned on.
BLOG: Guidance for Windows Recovery partition (WinRE) patching and why you would need it
This is an extended blog, which continues in comments. Windows Client and Server should have this WinRE Partition. You want to enlarge the C (OS Partition) in a VM and WinRE partition is in the way. The most common advice is to delete the WinRE partition. And this is a bad advice imho. The WinRE partition enables you for different to access different options including uninstalling Updates *pre-boot* that prevent a system startup. This doesn't happen very often but it can happen. This feature has been added to WinRE starting with Windows Server 2022, and Windows 10 22H2 / Windows 11 22H2, or newer. It is quite unknown, though. You can do more like direct UEFI access, and troubleshooting GPT / UEFI required and recommended anyway for both Windows Server and Client. Proper location and number of WinRE partitions on a physical disk 1. WinRE should located right hand side to the C partition If you find that your WinRE it is located left of the OS boot drive (C) it has been installed by a bugged release (old ISO). I am sure it was Windows Server 2019 when we noticed that. Aka Windows 10 1809. See below why the certainty. When installing Windows or especially Windows Server always use the lastest ISO for fixes like this or for in-place upgrades. There is no such updated ISO for Windows Server 2016, very unfortunately. They started patching them on a monthly basis with Windows Server 2019. You can access your latest ISOs either via my.visualstudio.com (Dev / Test use only), or admin.microsoft.com for VLSC or CSP production use. 2. There could be more than two WinRE partitions to the right hand side of the C partition This often happened when the existing could not be enlarged during in-place upgrade. Maybe also a Bug. Haven't seen this long time. It was common before Windows 10 1809. It is common though if you are using more than one Windows Installation on one physical disk. This is known as side-by-side installation or more commonly "Windows OS multi-boot". Each OS will create and maintain its own WinRE Partition (by design). Multi-boot is common for people that use designated Windows Installation for specific use cases, like Windows Insiders to test different Insider branches on one physical machine and disk. More information can be found in the comment below. Patching Windows RE is important There is a 2024 CVE that needs to addressed. Please find more information in the comments below on the "How-to".patching the WinRE CVE and remediate the 01-2024 LCU failing. More information on how to actually fix this can be found in this comment below Relocate WinRE partition A WinRE Partition left of C (OS Partition) makes no sense as Windows still may not move partitions to the right or left (while technical possible). Windows can only shrink Partitions As such I don't get how one can at all shrink C (to the right only). Mind that if you change / delete WinRE partitions you need to inform Windows about it via reagentc.exe These are tools you have at hands: Windows Diskpart Settings App > Storage Settings > Advanced Storage Settings > Disks and Volumes Windows 10 22H2 / Windows 11 22H2 / Windows Server 2022 or newer. diskmgr.mmc all legacy OS Windows Key + X > Disk Management Trusted 3rd party tool for Home Use (Windows 10 / 11) or paid for Windows Server use: Minitools Partition Wizard (Free) Formerly recommended Minitools Partition Wizard but they now have a paywall. If you are ok I would still recommend it. These can do everything! Acronis Partition Wizard isn't nice too old code and slow. Not optimized for SSD / NVMe. Both recommendable tools are available through winget. Bonus: Use Paritioning tools for Windows Server / Expanding WinRE / Resize OS Drive Create a PAWS VM Client or Server on Azure Stack HCI, Azure, Hyper-V, VMware etc. Buy the Tool (aquire a license, required for Windows Server) Install the license on the PAWS Shutdown affected VM Attach affected virtual disk to the PAWS VM, do the resize job Attach modified disks back to the original VM Pro: easy and licensing costs savyy Cons: Downtime and manual task Hope this is helpful to you. Appreciate your likes, spreading the word.
Clarification on NTLM Authentication Events (Event ID 4625 & 4624) in SOC Monitoring
Hello, While monitoring authentication events in the SOC, I frequently encounter multiple failed (Event ID: 4625) and successful (Event ID: 4624) login attempts associated with NTLM authentication. Upon investigating the affected machine, I found no active NTFS shares or resources being accessed. Despite this, NTLM events continue to appear in the logs. I’m trying to understand what might be triggering these events. Could this be related to background processes, service accounts, or another NTLM authentication mechanism? Although this is a low-level incident, I’d like to fully grasp the cause to rule out any potential security concerns. I’d appreciate any insights you can provide! Thank you.
MICROSOFT XPS DOCUMENT WRITER
Good Day! Does anyone know who to install the same MICROSOFT XPS DOCUMENT WRITER that installs on WINDOWS 10/11 on SERVER 2025. An application needs it to send emails with attachments via OUTLOOK. None of the drivers available to install manually are the same as the one on WINDOWS 10/11. Thank you!
Windows Essentials 2022 Remote Access for nonadmins
Hello everyone, This topic is already asked several times but I did not find any working answer. I am administrating a Windows Essentials 2022 server. One user need to work on the Remote Desktop temporary. I should create a seperate virtual terminal server on the Essentials server but currently I do not have time for that and it costs some money. So I want to take advantage of the grace periode that this user can work by RDP. It is the only existing server in this network and the network has only two staff and me ;-) The wellknow issue is that only administrator users can access this domain controller. I do not want to make the user an domain administrator. I have added the user by GPO to the people which are allowed to connect and I have added the user manually by system settings -> remote. After the second step at leaste RDP is opening but then I am getting a message that the user is still not allowed. Is there any option?
Windows Server 2019 and .NET 4.8?
Hello, On a fully updated Windows Server 2019, roles and features allow me to install only .NET 4.7. One of the solution we are using require .NET 4.8 (Adaxes). When I install .NET 4.8 using the installer available here https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-8-offline-installer-for-windows-9d23f658-3b97-68ab-d013-aa3c3e7495e0 It works, I can install Adaxes, but it break ServerManager as well as Azure AD Connect. What's the correct procedure to install .NET 4.8 on Server 2019 without breaking anything else? Thanks a lot
Untagged VLAN - Server 2025 Hyper-V
Hi, I have a strage issue and not finding a solution. Using Server 2025 with two node Hyper-V cluster. Most of the machines using VLANs which works fine. Some machines using no VLAN config. Which usually means the "Access VLAN 1" regarding our switch configuration. With Server 2019 this worked fine. With Server 2025 same NIC port, same server/NIC hardware "Untagged" VMs don't get any network connection. If I add a second NIC to the VM "Untagged" the NIC get immidiatly an IP address and has a proper connection. If I remove the first NIC, the second NIC stop working. It looks like something has changed with Server 2025 (maybe already with Server 2022). Do you have any idea what kinde of problem I have found? Thanks Jack
Why can't the server generate a report about deleting folders and files?
Hello, I enabled Audit Policy through the following method: Open the Local Group Policy Editor (gpedit.msc). Navigate to Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Object Access. Open the Audit File System policy and check "Success". Update Group Policy Settings: Run the command "gpupdate /force" in Command Prompt to apply the changes. Then I enabled Audit policy on a folder and created and deleted a folder, but when I check the Event Viewer, there is only an ID of 4663. What is the problem? Thank you.Increase the size of user profile disk in my remote desktop server
Hi all experts. I have a server for remote desktop services purposes, Windows 2016 standard, and domain joined. It is configured using User Profile Disk, and the maximum limit is set to 5GB. I want to increase the maximum limit but I can't do it under the collection's properties because that field is grayed out. My questions: How to increase the maximum limit? Please guide me and let me know how. Can I increase the maximum limit for 1 single user only? If yes, please let me know how. I found some info from the web that this can be done by the Diskpart command, is it true? If I follow the Diskpart method, do all user profiles encounter data lost? I need your guidance and input, I appreciate it. Here are some images:
