Windows 10 Released- Big Problems Follow
As you know by now, Microsoft released the Windows 10 Operating System two weeks ago. This is a free upgrade for qualifying systems with various versions of Windows 7 or Windows 8.
I’ve been getting e-mails from users asking about moving ahead with this upgrade because it’s “free”. As we always do, we recommend not upgrading any business system to a new OS until in-shop validation is complete and most fixes are already in place. Let someone else figure out what’s broken as that doesn’t cost you any time or money. In fact, Microsoft has already announced a major update to Windows 10 which will be released in September with another major update scheduled for early next year. So, let me clarify this once again…
Windows 10 is available for qualified systems for one year from the date of release. Be patient. As with all new Operating Systems, the initial release of Windows 10 has problems with video drivers and other hardware that’s incompatible. Additionally, certain programs such as Trend Micro Antivirus have known issues with this OS. Same thing for some Line-of-Business programs…
Of even greater importance is how Windows 10 impacts network systems. Your systems are in a Client-Server Domain network for the most part. That means cliented systems have a Domain Trust Relationship which allows a PC to communicate with the Server and all data/programs/files stored there. Windows 10 will break systems in a Domain configuration and that will result in network down time. To fix that situation, we would be reloading systems or reconfiguring them to work with the network again. That is not cheap.
So, “free” isn’t as free as it would appear to be.
Secondarily, in cases where the Windows 10 upgrade has been reserved, we’ve seen it trying to force an upgrade on PC units. Fortunately, it appears Trend is blocking that action as it sees it as a hostile intrusion… which it certainly is.
And finally, in-shop testing has already shown that systems fully capable of running Windows 7 and Windows 8 suddenly get notified that they aren’t compatible with Windows 10 and that makes no sense at all. One such system had a callout that the processor wasn’t compatible and that was a Dual-Core Pentium D which had no issues with qualifying Operating Systems.
So for the time being, leave this OS alone and please, please pass this information on to your end users as that question will certainly pop up sooner or later.
Security Enhancements- Combatting Hackers and File Encryptors
Of all the issues we’ve seen over the last year, getting a CryptoLocker or CryptoWall infection inside a network rates as the number one threat by far. Even with our current best practices in place, we’ve had two such instances that took an extensive amount of time to correct. That resulted in business downtime, hefty support billing and generally unhappy clients.
Extensive research and testing has resulted in finding and configuring solutions that will cut this threat down to a bare minimum and virtually eliminate it even if a system gets infected. And here’s the key to this. Crypto-type infections come from malicious websites or e-mails that have links to these type of infected sites. Once a user gets infected, the Crypto infection has to communicate with a Server out on the web in order to get the encryption keys needed to lock you out of your data.
Because these types of programs morph constantly, we need to put several layers of protection in place that specifically address how this thing functions and cut it off from its source. That means having a combination of hardware and software resources in between you and the web.
SonicWall firewalls have services that are constantly updated in order to detect and isolate those malicious site Servers. That’s the hardware part of the solution and almost 98 percent of our networks have that in place now. It just requires keeping your services packages renewed annually which we notify you when that’s due anyway.
The secondary layer is a Software-as-a-Service application from OpenDNS (now owned by Cisco). Your Servers use a Domain Name Server (DNS) in order to help your systems find websites when you access the Internet. That DNS function is inside your network now. So once a Crypto infection hits a unit, your Server’s DNS function just happily sends the web request from the infection program right on out to the encryption-key Server since it doesn’t know any better. And without a SonicWall in place, it’s a straight shot from infection to encryption.
By using OpenDNS, we change the pointer function for websites away from your Server to the OpenDNS Servers. The critical part of this is that OpenDNS has a vast and constantly updated list of Crypto Servers so if a PC is infected with CryptoLocker or CryptoWall, the Open DNS Servers will not allow access to those Servers and that stops the ability of the program to encrypt your data.
We are also in the testing phase of WebRoot, which is another antivirus program that uses a lot of the same type of updated databases and web-based intercept functions along with technology that’s a bit different than Trend or other standard network Antivirus programs.
Now, while these technologies are very effective, they are not free. Still, any savvy business owner will need to compare the cost of high-level protection to the cost of business downtime and potential data loss. As an example, the last Crypto infection we had to deal with took an office of nine people down completely for three days while Lesa had to run a full compare and filter action on the infected file sets. How much did that cost the client? A whole lot more than added layers of security.
That site did not have a SonicWall in place at the time so the first layer of defense was totally missing. Fortunately, they did have a Datto in place so we had access to a set of clean data files which were used to do the recovery. And that brings me to the final entry for this blog post…
Data Backup Solutions versus Data Recovery Expectations
At this time, we have Datto backup devices deployed at about 65 percent of our supported sites. That device allows real-time data and file recovery as well as web-secured image storage for each Server. As a rule, we have to recover user files at least six times a month and with the Datto, that takes minutes.
The remaining one third of sites use either outdated tape backup or some sort of USB device to do backup functions. In those cases, the same type of single file recovery will take many, many times as long to do that function, if it’s even possible. Thus recovery costs go up. If the failure is something more critical like a Server crash or recovery of a fairly old file, maybe it works and maybe it doesn’t. Why?
Datto backups are verified every day. We get bootable screenshots sent to us that show the Datto can spin up when needed. File storage and archive for Datto devices can be up to one full year. On the other hand, Tape and USB backups are not verified or tested plus they get overwritten (i.e., wiped out) anywhere from a few days to a maximum of four weeks. Anything older than that is simply unavailable.
Consequently, any requirement to recover lost or corrupted files on these media types outside that timeframe is very likely not possible. Because of this, we will be amending the Support Agreement for FY2016 to reflect this reality. If you have Tape or USB as your primary backup source, we will issue a Service Amendment clarifying the Data Recovery Limitations based on your type of backup.
We are in the business of providing Business Continuity support to our client’s network operations. Some things require extensive testing before we allow it into our networks. That can be a piece of hardware or even things like normal Windows Updates (not every monthly update is released if it is likely to cause problems). Windows 10 is one of those things that falls into this category. In short, we’re testing it and well let you know when and how an upgrade of this type can be released. Please advise your end users of this.
We take network security seriously here. We’ve been advising our client base to get a SonicWall in the network for the better part of two years. In part, this has to do with the new Internet Protocol Version 6 which many websites are adopting now. Without a compatible Firewall/Router such as the SonicWall, fairly soon you’ll have the same problem with outdated routers that you now have with outdated browsers… they simply won’t work.
But if you understand the increased threat of the Crypto-type infections and hacking methods out there, along with the related costs associated with those threats, SonicWall becomes a simple requirement, no different than a particular PC configuration or a type of printer that fits the business needs. That’s where we are now so if you don’t have this device in your network, e-mail Lesa to ask about pricing. Networks without this device will also have a Service Amendment issued with the FY2016 Support Agreement.
Data security and file recovery isn’t one of those things that just magically happens. We can do a lot for you as long as the right tools are in place. The type of data backup you have in place either helps or hinders you when you need to recover something. If the image file or the data file is corrupted, has been overwritten or the backup media is simply bad, we are limited as to what we can do. In light of that, be aware that we will be issuing a Service Amendment with the FY2016 Support Agreement detailing what you can expect for data recovery based on how your backups are handled.
E-mail me with any questions or concerns.