On January 11, 2022, Microsoft released Windows 10 KB5009543 and Windows 11 KB5009566 as a part of their January 2022 roll-up. After applying the patches, administrators found that L2TP connections from remote Windows computers using the L2TP client would fail on connection.

At the time of this writing, Microsoft hasn’t pulled the roll-up and hasn’t issued a hotfix, suggesting instead that the IPSEC server be modified to disable the VendorID field in negotiation.

As this isn’t an option for most firewalls and would require vendors to post firmware updates for tens of thousands of product SKU’s, this effectively turned this problem into a pissing match between hardware vendors and Microsoft. Hardware vendors claim this is a Microsoft issue and advise customers to reverse the patch; Microsoft claims their implementation of the IPSEC client is correct. Meanwhile, VPN’s for millions of people working from home don’t work.

Reversing the patch may not be a suitable option when dealing with classified networks; as a system administrator, I’ve an obligation to apply Microsoft’s roll-ups to protect my clients’ data and network. Doing so may not only jeopardize IT assets that I’m responsible for but may just invalidate cyberinsurance policies because I did the exact opposite that I was supposed to do: I sacrificed a bunch of security patches in favor of one working feature; a feature that would break again unless I disabled patching on a remote machine, only exacerbating the problem over time.

The real fix for this, then, is for Microsoft to either pull the patch or issue a hotfix. Since Microsoft is (again) not stepping up to address messes that it makes, there’s a good work-around.

1. On a machine that doesn’t have the KB updates mentioned above (or reverse the KB on the affected machine), find the file c:\windows\system32\ikeext.dll. It’ll be dated 2021.

2. Copy this file out to where you have a copy of it.

3. Apply the Jan 2022 patches and reboot.

4. You’ll now find a 2022 version of ikeext.dll in the c:\windows\system32 folder.

5. Take control of that file by changing its ownership to a local administrator (perhaps the user account you’re using), and change your permissions to Full Control.

6. Using Task Manager, under the Services Tab, find ikeet.dll and stop it.

7. Rename c:\windows\system32\ikeext.dll to *.old, providing administrator elevation to do so.

8. Copy in your 2021 version of ikeext.dll to the same path.

9. Restart the ikeet.dll under the Services Tab or reboot the machine.

You’ll find that your L2TP VPN will now work, keeping the Jan 2022 patches and isolating the roll-back to just one DLL.

R

** Update: Microsoft has now issued a out-of-band update KB5010793 to address this issue.

As of July 2020, Microsoft Windows 7 still controls around 20% of total desktop operating systems worldwide.

A couple of reasons why you don’t want to still be using Microsoft Windows 7:

• It’s no longer receiving security updates as Microsoft ended mainstream support for the product in January 2020. That means its existing vulnerabilities are forever; aggressors will be able to exploit those problems forever.
  

• Consequently, the US FBI issued a warning on August 3, 2020 about continuing to use the legacy operating system, as has the UK’s National Cyber Security Centre has directly warned users not to use Windows 7 for commercial activities like email or banking.
  

• If the appeal-to-authority doesn’t work for you, how about money? IBM recently reported that the average cost of a data breach in the United States is $3.86 million.
  

• And, yeah, cyber security insurance. You think you’re covered. It’s not like your cyber security policy is going to cover you if you’re running a known-bad o/s. That’s just raw negligence, kids.

Now, you have options.

• Like Mac’s? After January 2021, Apple will be transitioning to ARM microprocessors. Lots of techie stuff here but the bottom line is that Macs are soon going to get hundreds of dollars cheaper. Cool! Upgrades!
  

• But if don’t have a cool $1k to drop on a new machine, and if you’re married to the Google Cloud Ecosystem, there’s never been a better time to update to a Chromebook or a Chromebox. There’s a lot of great boxes out there, some priced at a 1/3rd of the cost of a comparable Microsoft Windows 10 computer. They boot in eight seconds, they’re encrypted, they receive automatic updates that don’t break them, they are significantly more secure than Windows will ever be … why not?
  

• Okay, so maybe Google ain’t your thing. If you have an older machine still running Windows 7, and you’re comfortable with the machine’s overall performance and still want to use it, and you’re mostly using a web browser to access online services, consider installing Linux. I’d recommend Ubuntu or its cousin, Zorin. They’re more secure than Windows, won’t break your system, and will make the older machines run like they were new.
  

• If you’re still using Microsoft Word and Excel? Are you dependent on some 3rd party application that has to run on Windows? You could upgrade your Windows 7 machine to Windows 10, sure, it’s only a $100. That’s a lot cheaper than $3.86 million. But watch the performance hit. You’d probably be better off just replacing the asset.

Here’s the thing: continuing to use an obsolete product is only making you more vulnerable, and, more of a target to aggressors who look at you and your data as an easy target. There’s no reason why you’d rationally want to be an easier target for hackers. Take action today to replace that old machine. Do something!

R

Earlier this year, an experiment was conducted. 200 unbranded USB drives were dropped in high-traffic public areas in Chicago, San Francisco, Cleveland, and Washington DC. 20-percent of those who found the USB sticks picked them up and just plugged them right in to an electronic device. The users then proceeded with clicking on files and browsing to websites.

Okay, "people are stupid" isn't necessary a newsflash but let's go ahead and say that you might not understand why this is a risky behavior and, in fact, you don't see why sticking USB sticks in computers is a problem.

USB sticks are unencrypted storage devices that are read by computers when they're "mounted", or, inserted into a USB port. When that happens, it's possible that the USB drive can deliver a virus to the computer. Further, the files found on the USB drive can be double-clicked or opened, allowing for a virus to then launch on the infected computer. Finally, browsing to websites introduced by a USB stick could also introduce a virus to your computer.

Viruses, naturally, can then steal personal private information or harm your computer system.

Why did the stupid people do this? They wanted to see if there were any naked pictures on the drive, of course, or, wanted to invade the potential privacy of others by looting their personal files. They also wanted to see how big the drive was to see if they wanted to keep it for themselves, because people are greedy pigs. And finally, they just weren't trained not to do so, or, didn't care about the potential security risk - simply ignorant. Peoples do as peoples does.

So two take-aways here:

1. Don't store your crap on USB drives. It's an insecure medium and can easily fall out of your control, leaving your data to the sex-starved, greedy, ignorant masses.

2. Don't be stupid. Don't take any unknown USB drive and stick it into a computer you own, or, your work computer. Naturally you should do it on your friends computer or you mom's or something, but if you're not going to be a jerk about it, just throw it away. Well, okay, e-recycle the thing.

R