Euclid Networks

Three Microsoft 365 Compromises, 72 Hours

A Huntress Labs Security Case Study :

Huntress has been hunting malicious actors across 50,000+ user accounts for 1,500+ small businesses enrolled in their Managed Detection and Response (MDR) for Microsoft 365 product.

This is a repost from Huntress Labs’ Security Blog, where they outline three recent cases, and how MDR was able to protect their partner’s accounts. Euclid Networks will begin offering MDR / Microsoft 365 tenant protection in the near future – Contact us today to learn more!


Microsoft “Azure Active Directory” is being renamed Microsoft “Entra ID”

Just keep smiling at all the name changes – we certainly are! =)


Resolving Time Synchronization issues on Virtualized Active Directory Servers

We’ve run into the issue of virtualized Primary Domain Controllers (PDCs) on Windows Server 2016/2019/2022 that fail to properly sync their clocks with global NTP time servers. In the following, we’ll outline the problem and show you how we’ve resolved this IT service issue for our partners.

In a normal functioning domain, properly configured time services are critical to the stability of the network – all domain-joined Windows computers by default will sync their clocks with the PDC.

Without valid time settings, all clocks on your network can be off as much as 8-15 minutes, or more – at best making your users late for meetings – or at worst, teleporting your entire office into an alternate dimension. 0_0;;


To verify Windows Time settings, log on to your domain controller as an administrator, and open an elevated CMD prompt. Once in, the following commands are useful for diagnosing.

Force synchronizing the time ASAP : w32tm /resync /nowait

Check NTP configuration : w32tm /query /configuration

Display time source : w32tm /query /source

Display list of all configured NTP servers and their status : w32tm /query /peers

Display service status (EG : Is time being synced from a CMOS clock, or external NTP server?) : w32tm /query /status


To check your current clock’s offset from a global time server, you can run : w32tm /stripchart /computer:time.windows.com /dataonly which may display something like the following, showing a 39 second offset.

Once you’ve discovered you have a problem, you can force your PDC to grab its time from an external source using :
w32tm.exe /config /manualpeerlist:"us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org,0x8" /syncfromflags:manual /update
and run the above stripchart command once again.

However, on a virtual machine, after running the w32tm /query /source command you may see that your server is still using the VM IC Time Synchronization Provider as the source.

To resolve this and set the time service manually on a Hyper-V VM you have to change the VMICTimeProvider registry value from 1 to 0 by using the following command, allowing you to set a manual time source : reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0 – and restart your time service with net stop w32time then net start w32time.

After doing the above, check your strip chart again to validate your time settings. Much better!

Finally, re-verify you’ve set your PDC’s clock as authoritative for clients with : w32tm /config /reliable:yes – and you’re done! Client machines should sync in the next several minutes, or on next login.


PS – If you bork your configuration, you can always reset it to the default with net stop w32time, w32tm /unregister, w32tm /register, net start w32time – registering and unregistering may require a reboot.
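To turn the strip chart check into a repeatable pass/fail result, the following added example (not part of the original post) parses w32tm /stripchart /dataonly output and summarizes the offset. The function name, the 1-second warning threshold and the sample lines are assumptions made for illustration; the 300-second value is the default Kerberos clock-skew tolerance.

```powershell
# Added example, not from the original post.
function Get-ClockOffsetSummary {
    param(
        [Parameter(Mandatory)] [string[]] $StripchartLines,
        [double] $WarnSeconds = 1.0,          # assumption: illustrative alert threshold
        [double] $KerberosSkewSeconds = 300   # default Kerberos clock-skew tolerance (5 minutes)
    )
    $offsets = @(foreach ($line in $StripchartLines) {
        # Data lines look like "10:02:11, +39.0142271s". Header lines and
        # failed samples ("10:02:13, error: 0x800705B4") do not match.
        if ($line -match '^\s*\d{1,2}:\d{2}:\d{2},\s*([+-]\d+(?:\.\d+)?)s\s*$') {
            [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    })
    if ($offsets.Count -eq 0) {
        throw 'No offset samples parsed: peer unreachable or unexpected output.'
    }
    $maxAbs = ($offsets | ForEach-Object { [math]::Abs($_) } |
        Measure-Object -Maximum).Maximum
    [pscustomobject]@{
        Samples         = $offsets.Count
        MeanOffsetSec   = [math]::Round(($offsets | Measure-Object -Average).Average, 3)
        MaxAbsOffsetSec = [math]::Round($maxAbs, 3)
        NeedsAttention  = $maxAbs -gt $WarnSeconds
        ExceedsKerberos = $maxAbs -gt $KerberosSkewSeconds
    }
}

# Constructed sample output (not captured from a real server).
$sample = @(
    'Tracking time.windows.com [203.0.113.10:123].',
    'The current time is 1/1/2024 10:02:11 AM.',
    '10:02:11, +39.0142271s',
    '10:02:13, error: 0x800705B4',
    '10:02:15, +39.0139968s'
)
Get-ClockOffsetSummary -StripchartLines $sample

# Live use on the PDC, from an elevated PowerShell session:
#   $source = (w32tm /query /source) -join ' '
#   if ($source -match 'VM IC Time Synchronization Provider') {
#       Write-Warning 'Time source is still the Hyper-V integration provider.'
#   }
#   Get-ClockOffsetSummary (w32tm /stripchart /computer:time.windows.com /samples:5 /dataonly)
```

Run it before and after the change; NeedsAttention should flip to False once the manual peer list is in effect.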

If this helped you, please share, and comment below!


Windows 10 End-of-Life & Windows 11 Preview : What this means for your business

Microsoft announced recently that Windows 10’s End-of-Life date is set for October 14th, 2025. As a business owner, the practical impacts of this announcement can be difficult to sort out – but not to worry – Euclid Networks is here to help you sort it out!

October 14th, 2025 will mark just over 10 years since Microsoft’s Windows 10 operating system was first introduced – we know, we know – we can’t believe it has been that long either. With the recent announcement of Windows 11 however, it’s important to get ahead of the game when planning your long term IT budget, and equipment upgrade paths.

Windows 11 promises to be a meaningful upgrade from 10, more tightly integrating with MS’s cloud service offerings.

The majority of our clients have moved on to Windows 10 for their OS, and are covered by our proactive patching and updating service – but for those who still haven’t, now is the time to make the switch. As Windows 10 and Windows 11 share the same “DNA”, upgrading from 10 to 11 promises to be much simpler than an upgrade from – for example, Windows 7, or Win XP.

Win 10 End-of-Life : What it means for your business

Once Windows 10 reaches its end-of-life, the operating system will no longer receive important security updates, or new features via patches. As it will have reached the end of its cycle, 3rd party software vendors will also begin phasing out their support for the operating system, meaning new versions of those programs will default to Windows 11 as their recommended platform.

As an IT support provider, we can’t stress enough how important keeping current on security updates is, for the protection of your business’ data, and overall network. The #1 avenue for malware and ransomware attacks is through outdated software. Outdated software can potentially cost your business tens, or hundreds of thousands of dollars in remediation and lost revenue.

Ransomware in 2020 : At a glance (source : Nationwide)

» The average enterprise ransom payment is $111,605.

» 205,280 organizations were affected by ransomware attacks in 2019.

» The average cost for victims of ransomware attacks to recover more than doubled in the final quarter of 2019. According to a new report from Coveware, a typical total now stands at $84,116. That’s a little over double the previous figure of $41,198.

Windows 11 : What’s New?

Start Menu : Windows 11 has a new, simplified Start menu. Live tiles are gone, replaced with a list of app icons and recent files. Documents you edit in Office apps on other devices—even devices that aren’t running Windows—will appear as recent files here, too, thanks to Microsoft 365. Don’t have Microsoft 365 yet? We can help – contact us today!

Multi-App & Multi-Monitor Support : Windows 11 also features “Snap Groups”, which helps organize your windows, as you multi-task. Selecting a single taskbar icon will now pull up a group of snapped apps. Also, when using Windows 11 on a tablet, windows that are side-by-side will automatically stack on top of each other when you change the device’s orientation.

Multiple monitors support is improving also, with a “new docking and undocking experience.” When you unplug a monitor, the windows on the monitor will minimize themselves rather than getting in the way. When you reconnect the monitor, Windows will automatically restore the windows to their original positions on that monitor.

Widgets and MS Teams on the Taskbar

Tighter integration with Microsoft 365 and Redmond’s cloud offerings, means integrations with its services like Microsoft Teams and Onedrive will be built directly into the Windows 11 task-bar. We’ve seen iterations of this pop up in the latest Windows 10 updates, but as MS moves forward, expect the benefits of using Microsoft’s cloud offerings for your business to increase!

& More!

Details are forthcoming, but stay tuned – Microsoft has planned to begin rolling out Windows 11 as soon as this fall – expect to begin seeing it on new devices soon.

About Euclid Networks

Euclid Networks is an IT support provider that brings a fresh, proactive approach to your business computing needs. We serve a wide variety of Atlanta area businesses, including Legal Firms, Healthcare Providers, Non-Profits, and Professional Services Providers.

Our experience in the technology industry and dedication to personalized service sets us apart. We’re real people, who care about tech support.


World Backup Day – Protecting Valuable Data with the 3-2-1 Rule

Atlanta – did you know, World Backup Day is March 31st?

Nerdy, we know – but according to a leading backup company, only 15% of organizations back up data multiple times a day. Depending on your organization’s data security requirements, this could be a problem. How much is losing 4 hours of company-wide productivity worth to your business? 4 days? 4 weeks? What is more, most businesses don’t have a documented disaster recovery process in place, which can lead to catastrophic results in the event of a system crash or failure.

Why back up?

For companies that rely on their digital work product – such as attorneys, marketing professionals, and other service providers – keeping your organization’s data safeguarded is essential. If you have a storage issue, backing up information can be the difference between staying in business and closing for many, such as those in regulated industries, or where information is essential to business operations.

Cyberthreats are another big reason to keep your data backed up – with malware and ransomware threats on the rise in 2021 and beyond. If your organization is hit with an attack, it can relieve some of the burden if an additional copy is available of your stolen information.

Backup 101 – What is “good” backup practice?

It is important to discuss the pros and cons of different backup frequencies and retention policies – including the total cost, how often you will need access to the backup of your data (restores), and how frequent your backups should be. For some data-reliant companies, backing up multiple times a day makes sense, as you are harboring highly sensitive information that would cause major problems for your business and clients if you lost access. Other organizations with less sensitive information may only need to backup once a day or week, especially if they do not have compliance regulations they need to follow like those in legal, healthcare, and financial markets.

Euclid’s recommendation? Follow the 3-2-1 rule.

For our IT and Tech Support partners, we always recommend following the 3-2-1 rule for essential data protection, a best-practice guideline for safeguarding data.

  • 3 copies of data maintained (one copy “in production” – or active use, one local backup, and one “cold” backup stored elsewhere, i.e. the cloud)
  • 2 types of media used to store the data (if you have an issue with one kind of media, you have another kind available to access your data)
  • 1 offsite copy of your data (so that if a fire or on-site issue occurs, a backup is available).

The idea of the 3-2-1 rule of data protection is to eliminate single points of failure – it is not a failproof policy or complete guarantee – but helps mitigate a large swath of potential data pitfalls.

How Euclid can help!

Contact us today for a cost-effective review of your current backup practices, and for our expertise with cloud and offsite backup. The “1” of the 3-2-1 rule can be difficult to implement, especially for small and medium sized businesses, but we’re here to help. And for larger organizations, our solutions cover both workstations and servers – including more complex SQL database and state-aware backups!


Microsoft Office 365 + On-premise Exchange Server Connectivity : Autodiscover not working

After migrating an e-mail account to Microsoft 365, or setting up a new account in Outlook 2010/2013/2016/2019/Office 365, we often find users unable to connect – or find that Outlook’s web services don’t work as expected.

For example, when adding a new account, autodiscover will time out, saying it can’t contact the server giving the following message :

Outlook cannot log on. Verify you are connected to the network and are using the proper server and mailbox name. The Microsoft Exchange information service in your profile is missing required information. Modify your profile to ensure that you are using the correct Microsoft Exchange information service.

This, despite Microsoft’s (very useful) Remote Connectivity Analyzer reporting no configuration issues with Autodiscover, and being able to connect successfully using MS Activesync.

The issue we see here, is that Outlook is pre-configured by Microsoft 365’s profile configuration to prefer only M365 sources for autodiscover – ignoring DNS settings and local XML files.

This behavior is regulated by the registry, specifically keys under the Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\XX.0\Outlook\AutoDiscover location. XX.0 will vary, depending on the version of Office you have installed. Examples of these keys are :

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover]
"ExcludeLastKnownGoodUrl"=dword:00000001
"ExcludeHttpRedirect"=dword:00000001
"ExcludeScpLookup"=dword:00000001
"ExcludeHttpsRootDomain"=dword:00000001
"ExcludeSrvRecord"=dword:00000001

By toggling these switches to “0” – or “do not exclude” these autodiscover sources, Outlook connectivity to on-premise or 3rd party Exchange providers will be restored.
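The check and change described above can be scripted per user. This is an added example, not part of the original post or Microsoft's KB articles; the function names are hypothetical, and the value names are the five listed above. Run it as the affected user, since the keys live under HKEY_CURRENT_USER.

```powershell
# Added example, not from the original post.
# Value names are the five shown above; function names are illustrative.
$AutodiscoverExclusions = 'ExcludeLastKnownGoodUrl', 'ExcludeHttpRedirect',
    'ExcludeScpLookup', 'ExcludeHttpsRootDomain', 'ExcludeSrvRecord'

function Get-AutodiscoverExclusion {
    param([string] $OfficeRoot = 'HKCU:\Software\Microsoft\Office')
    # Version subkeys are named like 15.0 or 16.0 (the "XX.0" in the text).
    Get-ChildItem -Path $OfficeRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.0$' } |
        ForEach-Object {
            $key = "$OfficeRoot\$($_.PSChildName)\Outlook\AutoDiscover"
            if (-not (Test-Path -Path $key)) { return }
            $props = Get-ItemProperty -Path $key
            foreach ($name in $AutodiscoverExclusions) {
                $p = $props.PSObject.Properties[$name]
                if ($p) {
                    [pscustomobject]@{ Key = $key; Name = $name; Value = $p.Value }
                }
            }
        }
}

function Clear-AutodiscoverExclusion {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Restrict the change to the lookup methods the mailbox actually needs.
        [string[]] $Name = $AutodiscoverExclusions
    )
    Get-AutodiscoverExclusion |
        Where-Object { $_.Name -in $Name -and $_.Value -ne 0 } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess("$($_.Key)\$($_.Name)", 'Set to 0')) {
                Set-ItemProperty -Path $_.Key -Name $_.Name -Value 0 -Type DWord
            }
        }
}

Get-AutodiscoverExclusion | Format-Table -AutoSize   # audit only
Clear-AutodiscoverExclusion -WhatIf                  # preview, changes nothing
# Apply to selected sources only, for example:
# Clear-AutodiscoverExclusion -Name ExcludeSrvRecord, ExcludeHttpsRootDomain
```

Restart Outlook after applying the change so the profile re-runs Autodiscover.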

More detail available via Microsoft at the following KB’s :

https://support.microsoft.com/en-us/topic/after-migration-to-office-365-outlook-doesn-t-connect-or-web-services-don-t-work-3d9df009-597b-5d75-460c-4b7c64c833a1

https://support.microsoft.com/en-us/topic/outlook-2016-implementation-of-autodiscover-0d7b2709-958a-7249-1c87-434d257b9087


Microsoft Outlook crashes with 0xc0000005 errors due to Office 365 Patch, how to resolve

We’ve seen on over a dozen machines today, Microsoft Outlook (Office 365 continual update version) crashes, with 0xc0000005 errors logged in the event log.

The full text of this error is below.

Faulting application name: OUTLOOK.EXE, version: 16.0.13001.20266, time stamp: 0x5ef262ee
Faulting module name: mso98win32client.dll, version: 0.0.0.0, time stamp: 0x5ef2aa2d
Exception code: 0xc0000005
Fault offset: 0x000474b2
Faulting process id: 0x4cf0
Faulting application start time: 0x01d65ac9b0e13874
Faulting application path: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Faulting module path: C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso98win32client.dll
Report Id: 908e152f-636f-4f5a-9717-48a5576b3ccd
Faulting package full name: 
Faulting package-relative application ID: 

Microsoft had acknowledged this crash and documented a resulting fix on Twitter, and on the Office 365 Support portal :

Title: Users experiencing Outlook connection issues and crashes

User Impact: Users may experience crashes or may be unable to access Exchange Online via Outlook.

More info: Our analysis indicates that Outlook on the web and mobile clients are unaffected. Users may be able to leverage those protocols as an alternative means to access email and service features while we remediate this problem.

Current status: Our initial review of the available data indicates that recently deployed updates are the likely source of the problem. We're performing an analysis of all recent service updates to isolate the underlying cause of the problem and to determine the most expedient means to restore service.

Scope of impact: This issue may potentially affect any of your users attempting to use Outlook.

The immediate fix for this is to roll back Microsoft Office versions, which can be done by opening a command line as Administrator and typing :

cd "\Program Files\Common Files\microsoft shared\ClickToRun"

officec2rclient.exe /update user updatetoversion=16.0.12527.20880

After rolling back versions, Outlook should open and function as normal!

If you’re in need of a proactive, IT Support company in the Atlanta area, don’t hesitate to contact us today!


Using a Synology NAS as a Backup DNS Server for Active Directory

As we onboard any new IT support partner, one of our security and network assessment tasks is to validate a client’s server and disaster recovery environment.

As part of this assessment, we often find a customer will have a single point of failure with their Active Directory environment – most small businesses don’t have the resources to afford multiple servers, and oftentimes previous systems administrators will not have had the foresight to follow best practices regarding building server resiliency.

One example of a point of failure with a single-server environment that we see all too often is DNS. In many cases, the Primary Domain Controller (PDC) will serve as the sole internal DNS provider. Meaning, if a power outage occurs, or if a PDC goes down for any reason, the entire office will “lose” internet connectivity – often a costly outage until technical help can arrive!

Many of these clients do, however, have secondary “server”-like devices – NAS units, Linux machines, et cetera. While using these as a “backup” DNS provider is not a best practice, we aim to provide the best tech support we can while utilizing resources a client already has in place – thus saving them money!

In the following, we outline steps to convert a Synology NAS device into a backup DNS server for an Active Directory (Windows Server 2019) environment.

1. Install DNS Package on Synology NAS – straightforward, by opening Package Manager.

2. Set up a “Slave Zone” – Within Synology’s DNS manager, create a slave zone, set domain type to Forward Lookup Zone, and enter your PDC’s DNS information.

3. Set up DNS Resolution and forwarding on the NAS – In the below, we have enabled the resolution service, and also forwarders. In our lab, we actually do have a backup local DNS server (192.168.1.8 here), but also forward on DNS requests to Google (8.8.8.8/8.8.6.6) to allow for internet connectivity during PDC downtime.

4. Configure DNS Forwarding on PDC – On your server, open DNS, select your AD’s forward lookup zone, open properties.

4.1 Under Zone Transfers, ensure Allow Zone Transfers is enabled, to servers listed in the DNS Tab.
4.2 Under Notify – Ensure the same setting is enabled.
4.3 Add your Slave Name Server to the list of configured name servers. Important – ensure your server validates, with a green check once its FQDN is added.

5. Verify DNS records and Zone Transfer has completed – On the Synology DNS Manager, under ‘Zones’, select ‘Edit’ and open ‘Resource Record’; you should find propagated records.

Optional but recommended – repeat steps 2-5 for the Reverse Lookup Zone (EG, 1.168.192.in-addr.arpa) and _msdcs.yourlocal.domain. You *do* have a reverse lookup zone configured, don’t you? =)

6. Add your New DNS Server to DHCP – Don’t forget to configure your DHCP leases to include your new backup DNS server!

7. Test out DNS resolution – Finally, test your new server to ensure it’s resolving external domain names correctly, and test a failure of your PDC by taking it offline. Success!

If this writeup has been helpful to you, please share your comments below. And as always, if you’re looking for proactive managed IT service in Atlanta, Euclid is here to help!


Scam Mail & E-Mails – License Scheme Targeting Corporation and LLC Owners

Many of Euclid Networks’ clients approach us, regularly asking for feedback on the validity of e-mails and mails they have received. Most typically, scammers have targeted a business owner, or senior partner – and are attempting to gain access to the company’s computer network.

In some cases, the attack is not targeted directly at the servers or network itself – but rather the employees themselves in an attempt to bypass all security measures that have been put into place. These attempts often appeal to authority – either by impersonating senior members of staff – or by appearing as credible communications from outside vendors or service providers.

The most recent attempt we’ve seen along these lines is a scam being run in states nationwide, where a sender impersonates a state’s department of revenue / licensing office – example below.

The above document shows a scam being run in Hawaii, but in Atlanta, Fulton County, and Georgia as well, similar schemes have been set up.

On the document we were asked about, an entity calling itself “C.P.F.S , 4279 Roswell Rd. NE – #208-339, Atlanta, GA 30342” requested payment on a “2020 – Annual Registration Instruction Form” for Georgia LLCs.

How to Spot Misleading Communications

The key indicator that a solicitation is not a valid request can be found in the fine print. By law, the soliciting company (the company that sends out these mailings) must include some variation of the following disclaimers:

“SOLICITING COMPANY is not a government agency and does not represent a government agency.”

“SOLICITING COMPANY is not a government agency and does not have a contract with any government agency to provide this service.”

“SOLICITING COMPANY is not a government agency and is not affiliated with the Secretary of State or any other government agency.”

In this case, it’s relatively easy to spot – but in other cases, where businesses and their IT systems have been targeted by more malicious actors, the consequences can be more dire! Having a trusted technology partner on your side can help prevent targeted attacks – and when your business comes under attack, you’ll have someone in your corner to help fight back.

If you have been a victim of a mailing like the one we highlighted today, we strongly encourage you to report these misleading solicitations to the Secretary of State or Attorney General of the state where your business is registered. Many of these offices have been cracking down on those entities sending out fraudulent mailings, enforcing heavy fines and even taking legal action.

Also contact the Secretary of State or Attorney General if you have remitted payment in response to a solicitation that you suspect was fraudulent. You may be able to have your money refunded.

For more information and to contact the Georgia Secretary of State, you can visit :

https://sos.ga.gov/index.php/corporations/kemp_warns_businesses_about_scam_mail


Subdomain and Domain forwarding not working properly with GoDaddy and Sonicwall Firewall

GoDaddy Domain and Subdomain Forwarding times out without forwarding, unexpectedly, when using a Sonicwall Firewall.

Domain Forwarding is typically used to redirect a user to a different website when they type in a URL in a browser. In this case, the forwarding will time out – with either a browser 404 error – or a CONNECTION_TIMED_OUT message. DNS resolution will work properly – subdomain.domain.com for example will return the correct A record, pointing to Godaddy’s IP addresses.

The domain redirect may work sporadically on some phones or computers where traffic is not directly passing through a Sonicwall firewall.

The reason for the failed domain forwarding is that by default the Sonicwall enables TCP Packet Sequence Randomization which causes Godaddy’s Domain Forwarding service to break. When doing packet analysis in Wireshark, we saw TCP ACK connections out of sequence and dropped connections.

To fix this issue:

  1. Log in to the IP address of the Sonicwall firewall.
  2. Go to http://{firewall.ip.address}/diag.html – You will get a warning about Advanced Settings
  3. Click on Internal Settings.
  4. Untick the box: “Enable TCP sequence number randomization”
  5. Scroll up and click Accept.
  6. Click Close.
  7. Reboot the firewall.

Verify you can now access a Domain forwarded address. Note that servers behind the firewall will be slightly more vulnerable to host identification by disabling this TCP Sequence Randomization. But in this case, it would be a fairly targeted attack, so the overall risk is low.

