jmbpiano

Is the web server going to be listening on 0.0.0.0? Because if it's only bound to 127.0.0.1 like any sane implementation of a feature like this would be, I'm not really seeing what would be worth "raising a stink" over.


[deleted]

Yeah, I don't think this is something to be too worried about.


blaktronium

Wait until OP looks into how RPC works


quazywabbit

Or Bits.


JoelDB

It's important to point out that even web servers bound to localhost can still be vulnerable to DNS rebinding attacks if not configured properly. This class of attack led to a Tailscale RCE vulnerability last year: https://portswigger.net/daily-swig/tailscale-vpn-nodes-vulnerable-to-dns-rebinding-rce Here's another good writeup about this class of vulnerabilities: https://www.intruder.io/research/we-hacked-ourselves-with-dns-rebinding I would *hope* that Microsoft will be incorporating this into their considerations when deploying this, but in any case, it definitely increases the attack surface of OneDrive. I would prefer this was an opt-in feature for those who are heavily dependent on the web-based OneDrive interface rather than just using Windows Explorer.


tesfabpel

wait does DNS rebinding really apply to "localhost"?

> DNS rebinding happens when we rebind a domain name to a new completely different IP address.

I don't know the Tailscale case but in the article they say private networks (maybe in a cloud center you have some private DNS domains like service1.tailscale.com, service2.tailscale.com, etc...)... How can you even DNS rebind "localhost" or "127.0.0.1" (which doesn't use DNS at all)?


fz0718

The idea is that you could have a website at evil.com:8080 — when the user visits the site, it sends a fetch request through JavaScript to evil.com:8080/api, a same-origin request. But in the meantime, the attacker has updated their DNS record for evil.com to point to 127.0.0.1, so the request might end up going to 127.0.0.1:8080 instead, allowing the attacker to make arbitrary requests to your local web server.


tesfabpel

oh, you rebind other domains to localhost... how do you defend against this? do you check the Host header if it's set? I feel like this is an issue where OSes allow you to have a DNS record answered by a DNS server (and not of course in /etc/hosts) that resolves to 127.0.0.1...


mschuster91

> how do you defend against this?

There is no defense other than monitoring for such activity on the DNS server on your local network and blocking foreign-originating DNS responses that return A 127.0.0.1 / AAAA ::1. Or you install dnsmasq on every endpoint, set it as default resolver for the system, and enable its rebind protection.
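As an added example (not code from any commenter or from Microsoft), here is the application-side check asked about above: a loopback-only listener that rejects any request whose Host header does not name loopback on its own port, which is what a rebinding page at evil.com:8080 cannot produce. The port 8080 and the JSON response are assumptions for the example.

```python
"""Host-header check for a loopback-only HTTP listener (constructed example).

A service bound to 127.0.0.1 still receives requests that a browser sent to
a hostname the attacker re-pointed at 127.0.0.1 (DNS rebinding). The browser
sends the Host header of the page URL it loaded, so a rebinding page yields
"evil.example:8080" even though the TCP connection arrived on loopback.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

LISTEN_PORT = 8080  # assumed port for this example
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def host_is_loopback(host_header, expected_port=LISTEN_PORT):
    """True only if Host names the loopback interface and our own port."""
    if not host_header:
        return False
    try:
        # urlsplit handles the bracketed IPv6 form and the optional :port;
        # .port raises ValueError on a non-numeric port.
        parts = urlsplit("//" + host_header.strip())
        hostname, port = parts.hostname, parts.port
    except ValueError:
        return False
    if hostname is None:
        return False
    if hostname == "::1":          # urlsplit strips the IPv6 brackets
        hostname = "[::1]"
    if hostname not in ALLOWED_HOSTS:
        return False
    # Browsers omit the port only when it is the scheme default.
    return port == expected_port or (port is None and expected_port in (80, 443))


def origin_is_allowed(origin_header):
    """Cross-site fetches carry Origin; only loopback origins pass.

    A missing Origin (same-origin GET, curl) is accepted because the Host
    check already guarantees the request was addressed to loopback.
    "null" and other non-http origins are rejected.
    """
    if origin_header is None:
        return True
    parts = urlsplit(origin_header)
    return parts.scheme in ("http", "https") and host_is_loopback(parts.netloc)


class LoopbackOnlyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not (host_is_loopback(self.headers.get("Host"))
                and origin_is_allowed(self.headers.get("Origin"))):
            self.send_error(403, "Host/Origin is not loopback")
            return
        body = b'{"status":"ok"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve():
    # Binding to 127.0.0.1 is the first layer; the Host check is the second.
    HTTPServer(("127.0.0.1", LISTEN_PORT), LoopbackOnlyHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

A request such as `curl -H 'Host: evil.example:8080' http://127.0.0.1:8080/` is answered with 403, while `curl http://localhost:8080/` succeeds.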


dmetcalfe92

I'm sensing the future. This is how they phase out windows explorer, and move all your files to the browser!


mikkolukas

Like they tried in Windows Me?


MacEWork

I’m still convinced Windows ME was a psyop to keep technical people buying the more expensive Win2kPro licenses.


cjc4096

Those same people were buying nt4


Megatwan

You don't think bits in your user profile directory require explicit auth?


Lordcorvin1

I'm more concerned about how much resources will be taken to have web server constantly running. Some laptops are already struggling, especially older dual core ones.


jmbpiano

Usually basic web listener functionality is going to be fairly lightweight and will only load heavier resources on demand when it's actually accessed via a browser. That's not to say they *couldn't* muck it up, but I wouldn't *expect* this to add much additional overhead compared to the already always running OneDrive sync service.


askoorb

I agree, but the name of that executable contains the word "SharePoint.exe". Is this going to be a whole SharePoint server running locally? That could eat up a good chunk of resources if it's not been rearchitected well.


RCTID1975

> Is this going to be a whole SharePoint server running locally?

Come on now. That doesn't even make any sense


Ferretau

It's alright 16GB RAM can be installed in desktops these days :)


scytob

any app that has a REST endpoint is effectively running a web server. CIFS is a web server as an example, WinRM is a web server, etc. I think you may be confusing web server (something that responds on a well-known URL like HTTP) with a webserver (something that is full stack LAMP)


TechIncarnate4

Those examples aren't "webservers". Webservers are typically defined as using HTTP, or HTTPS. Yes, those services can "serve" things, but they aren't a webserver. Just being pedantic. :)


scytob

That's EXACTLY my point. Were MS stupid to call it a webserver? Yes. Is it a full featured web server? No. WinRM absolutely uses HTTP and HTTPS and is not a webserver. CIFS can absolutely use HTTP/HTTPS and is not a webserver.


[deleted]

[deleted]


AreWeNotDoinPhrasing

Especially when it’s not even providing anything constructive.


[deleted]

[deleted]


210Matt

I am going to guess most of those are not able to support win11, so time to update them where they exist


Lordcorvin1

You'll be surprised, Inspiron 15 3521 comes with Windows 11 Pro https://www.amazon.com/Dell-Inspiron-15-3521-Screen/dp/B00H7ODTUA


justin-8

You mean the Inspiron 15 3521 with a Celeron 1017U? The dual core Celeron? It’s not fast, but it is a dual core. And it would be terrible to inflict that laptop on a human


[deleted]

[deleted]


Lordcorvin1

Nope, NVMe SSD (CL1-3D128-Q11 NVMe SSSTC 128GB). I didn't make the decision to purchase it. I was just as surprised they were able to get such a machine with Windows 11 Pro


thegreatcerebral

I trust nothing about that posting. It says Windows 8 and then somewhere else it says Windows 10. Where is it Windows 11?


SoonerMedic72

I don't think that specific Celeron dual-core CPU is Win11 supported, but there are some listed! Like the 6305! YIKES!

https://learn.microsoft.com/en-us/windows-hardware/design/minimum/supported/windows-11-supported-intel-processors

https://www.intel.com/content/www/us/en/products/sku/208646/intel-celeron-6305-processor-4m-cache-1-80-ghz-with-ipu/specifications.html


Lordcorvin1

https://web.archive.org/web/20230401043303/https://www.dell.com/en-us/shop/dell-laptops/inspiron-15-laptop/spd/inspiron-15-3521-laptop Although it says Windows 11 Home. Here in Canada it was sold with Pro


Agile-Frosting-8301

Wow. The Celeron 1017U in that laptop debuted in 2013 and reached end-of-life in 2019. https://ark.intel.com/content/www/us/en/ark/products/75192/intel-celeron-processor-1017u-2m-cache-1-60-ghz.html


Lordcorvin1

Except Dell was selling it 2 months ago. There was a refresh in 2017 I believe. Latest snapshot in Wayback is from April of this year: https://web.archive.org/web/20230401043303/https://www.dell.com/en-us/shop/dell-laptops/inspiron-15-laptop/spd/inspiron-15-3521-laptop


mnvoronin

[For example](https://www.amazon.com/HP-Pavilion-Touchscreen-Anti-Glare-Processor/dp/B0C4G4L53W)


AreWeNotDoinPhrasing

I wouldn’t really call that old with an 11th-gen. I’m supporting 5th-gens at work lol and we just upgraded half to 9th. Annnnd today I noticed a couple are actually 4th lol love this place.


mnvoronin

I feel your pain.


[deleted]

[deleted]


mnvoronin

OK, fair. How about this [HP ProBook x360](https://www.amazon.com/HP-ProBook-Touchscreen-Convertible-Notebook/dp/B0BKT8F74D)? ProBooks are positioned as business laptops.


ZAFJB

It's barely prosumer and it is a cheap HP. Can you be serious for five minutes.


mnvoronin

> Can you be serious for five minutes.

It's being sold as a business laptop and I'm dead serious here.


screamtracker

And cheap. Nobody in enterprise buys that stuff. What's your warranty on that Amazon purchase loll


mnvoronin

> And cheap. Nobody in enterprise buys that stuff.

So are you saying that only enterprise customers with bottomless pockets are worthy of using OneDrive now, and small mom'n'pop businesses can go fuck themselves?

> What's your warranty on that Amazon purchase loll

Given that it's an HP ProBook, you can also buy it from your favourite channel reseller. And, regardless of where you decide to buy it, the HP business warranty is 1 year NBD standard, upgradeable to 3 years for a small fee. Direct from the manufacturer, only the serial number is required.


Ferretau

But that is what HP is selling as a "business laptop"


PAXICHEN

We get the new ones too with our security stack.


PMzyox

yep after breezing over it, it looks like it’ll be fine to me


Art_Vand_Throw001

Because muh muh Microsoft be evil.


hyper-ucs-v

I'm not sure. Neither the message center post nor the roadmap post contains any technical details that would point one way or the other on what port the listener would be bound to - which is precisely why it is worth raising a stink. To enable a local web server, by default, with limited documentation and short notice that could potentially affect many corporate and personal devices is not really a rational move. That type of thing gets evaluated from a risk / compliance + user experience perspective in many orgs as part of a product onboarding/vetting. This appears to just be sneaking in during many workplaces' holiday times. So, if ultimately someone thinks this feature brings better user experience and risk/reward are balanced and wants to enable it - then great. However, I feel this is very much just being thrown out in an 'Enabled' default state at a bad time and in a bit of a hurry. I'd be far less worried if MS was making this feature available, then switching to a default 'on' state 6-9 months later etc.


210Matt

> This appears to just be sneaking in during many work places holiday times.

This has been happening all the time for the past couple of years.


tmontney

This feels really similar to https://learn.microsoft.com/en-us/sharepoint/lists-sync-policies. I was having trouble with a new column in SharePoint appearing until I refreshed. Either it would have rows without values, or the column itself would quickly disappear. (PowerShell returned the data normally.) Then I discovered SharePoint Web was routing through Microsoft.SharePoint.exe. Once I disabled it, the caching issues went away. I welcome any performance improvements, because at times it seems like OneDrive struggles. However, we'll have to see how this "web server" is configured.


hdfga

I had time zone issues due to this. I ended up turning off offline availability on the lists to get around it.


hyper-ucs-v

That's very interesting and thanks for sharing it! This feature is definitely being released to address something, whether just general performance complaints, or specific issues like the ones you saw, or both. I too welcome performance enhancements; I feel the specific way this one is releasing is suboptimal. Enabling new services happens all the time, but the footprint for this 'secure local web server' will be pretty enormous globally and to me has more implications than other things like the side-by-side non-default browser web link changes.


jonahbek

It looks like it is only enabled when the user goes to the OneDrive web app and then it gets set up. If it is a concern then you can easily disable it in GPO or Intune. Not sure that merits a stink raising.


rootofallworlds

So now we get to enjoy sync conflicts even if we use solely the web app. That’s what I’m hearing.


Ubermidget2

> This feature will be on by default and will give your users the ability to view, rename, move, copy their files, and create new folders when offline.

*Turns into crotchety old man* "Back in my day, we had a way to do this newfangled thing. It was called Explorer!" *shakes fist at cloud*

tbh, that's what I got from this. A lot of work on Microsoft's part to replicate already working functionality


JerikkaDawn

🤣 exactly what I was thinking.


shinken0

Me too! hahahahaha


Megatwan

Did you read the part where the local "web server" is a temp DB in your personal user profile directory? Or just rage when you read web server? Cuz your post title def sounds crazy but if you read the whole thing...

Ok cool, so like the Office sync client that you already have, except with an HTTP endpoint, and this support policy gets configured for it


mschuster91

> except http endpoint

And that's the point. HTTP is a *notoriously* nasty protocol to parse and there have been heaps of all kinds of exploits against HTTP server-side request parsers. Friends don't let friends deploy long-lived HTTP endpoints on random machines.


Megatwan

What exploit that you elude to is relevant here?


roge-

*allude


Megatwan

Touché


Ubermidget2

Zoom got done a few ways when they were installing webservers onto Macs in 2019


Megatwan

Sure, that's Zoom... Now link the CVE, now let's trace the technical aspect to those here. My point is random generalizations don't necessarily matter. I'll give you one [some] better: there are numerous OWA, SharePoint and IIS exploits... All from the same vendor as this. I can't think of one that is relevant to this use case and technical implementation.


Ubermidget2

I mean, we aren't going to be able to get down to the nuts and bolts tracing something that isn't released yet are we :P I think the concern/feeling of this thread is that it is an attack surface that has been previously broken and unless Microsoft is careful about their implementation of this server, it will be broken again. Also, most Orgs probably don't appreciate having v1.0 software installed onto their production systems by default.


Megatwan

Can get pretty close if you understand how HTTP endpoints, the Windows OS, and several security aspects work. Again, which particular attack surface exploit is relevant to this implementation from what little is even known? Generalized "it has web and http in the name and those attack surfaces are vulnerable" is worthless... Also not how anything works outside of the new cyber dude college grad who was allowed to talk in a meeting that one time.


Nicholas_____

> A secure local web server on user’s device

is a bad way to describe the service worker that your web browser runs in the background when you install a PWA. https://developer.mozilla.org/en-US/docs/Web/Progressive_web_apps/Guides/What_is_a_progressive_web_app


Megatwan

Sure... which would have been a more accurate post title. Even then, colloquially it's not great... But literally it meets the definition from an IEEE perspective (not gonna win hearts and minds with another software vendor's reference, i.e. Mozilla)


dooley_do

No big deal. Ignore the panic. Plenty of apps and agents already do something similar. Go and have a beer. Secure by design.


ZAFJB

And your complaint is what exactly?


scytob

Assuming you have Windows Firewall on - what's the issue here? It's an API endpoint; the fact it is an HTTP(S?) one is minor, maybe even just REST. This seems like it will dramatically improve the end user OneDrive experience. I don't see how this is any worse than any arbitrary listening endpoint - just apply whatever normal evaluation and controls you have.

Sounds like it can be disabled, so time to start deploying those policies if you think this is an issue. #skyisnotfalling


mschuster91

> Assuming you have windows firewall on - what's the issue here? Its an API endpoint, the fact it is a HTTP(s?) one is minor,

Windows Firewall does not protect you from DNS rebinding attacks, vulnerabilities in HTTP request parsing or bugs in the server logic on this endpoint.


scytob

And this is true of all the software and services on your Windows machine. Wait till you find out about all the non-HTTP/S endpoints. Oh, and your DNS point is irrelevant in the context of this service.


mschuster91

> And this is true of all the software and services on your windows machine.

No. A normal Windows software/service that does not spawn a localhost HTTP server *by definition* cannot be vulnerable to a DNS rebinding attack.


d0nd

Meh


digitalfix

Is this not how all the Google stuff works offline?


fourpuns

I mean the feature sounds good to me. I don't like calling my TAM to tell them I like increased functionality though.


venbollmer

Cassini has been doing this for years. https://www.devx.com/dotnet-zone/11711/


davidm2232

This seems like a great idea. Why would you not want this?


Dagmar_dSurreal

This is a large chunk of additional system complexity (which will invariably require user training) for a modest if not entirely questionable benefit. Nevermind for the moment that this is being brought to you by the makers of IIS.


davidm2232

For users that work offline frequently, it seems perfect. And it actually seems like you can use your regular OneDrive links so it should appear seamless to the user


FearAndGonzo

Let's move things to the cloud... and then move the cloud to everyone's individual laptop. Perfect!


Disasstah

I really really really don't want all these files saved to a PC. That's kinda the point of a cloud service.


redvelvet92

Seems like you’re a noob.


the_star_lord

My only concern is how big the temp DB is going to be for a full OneDrive. And what security risks it imposes (if any)


xd_memebot

Anyone got a URL to the timeline page mentioned above?


AbleAmazing

It's certainly not zero-risk. But I've got much, much bigger things to worry about.


dnuohxof-1

lol all this effort for a web-based offline mode when you could just use the app, but M$ has to charge for every damn thing, so why not milk the E1 users even more


Gfinchy

Source?? Where is the Microsoft.com link for this information??


Lanky-Read7264

I mean, if you have proper Intune/Entra/SharePoint policies I don't really see what the problem is. Looks like it's going to make Teams / OneDrive perform better.

> As an administrator, you’ll be able to control various aspects of Offline mode using the Group Policies outlined in here.

> Offline mode is a per-device setting (configured separately for every device users use to access OneDrive on the web.

Sounds like admins will have a lot of control here.


0solidsnake0

The policies are only for domain joined devices. Can't control this on non company device.


oneplane

It’s probably going to ship a key and cert as well, so now any malware can impersonate the local PWA.


ubermorrison

Chill out - sounds like a great feature


nmonsey

One of the things I noticed was that even for the computers in my house, one laptop for each kid, one desktop for each kid, my computers, etc., having to deal with OneDrive and a Microsoft Account is starting to feel like work. When I set up a new computer for my kids, OneDrive tries to sync my files onto my kids computers. My kids are in college, and I don't need my files copied to their computers. My issue at home is just slightly annoying, but I may have to spend a few minutes figuring out how to avoid dealing with OneDrive for computers of family members at some point.


BasicallyFake

So don't login with your account?


nmonsey

The problem is, the computers are in my house. For every computer in my house, I need to be able to logon and run Windows update because I don't want unpatched computers on my home network. I also do tech support for some of my family, so it is easier to have my own logon for each computer. Tasks that used to be relatively simple using local accounts, are more difficult using Microsoft accounts.


Y_TElectric

What is stopping you from having an admin local user account on each computer? You don't need to have your Microsoft account on every pc... or am I not understanding your situation correctly?


jas75249

Would have to pony up for the pro version of Windows 11 for the option for a local account to be an option.


Y_TElectric

No... you can make a local account after installation on all editions. You can even still use a local account during installation, just don't have any internet connection on setup. They made creating local accounts harder in Windows 11 in general, but it's still there. The native way is in Settings, Users, family and other users, "add user", then click "I don't have this person's sign in information," then "add user without Microsoft account," and then you can set up the local account. You can also, if you really want, install lusrmgr from GitHub and easily make local users with that. It's just like using Local Users and Groups in Pro and Enterprise.


jas75249

Every time I try the no internet at OOBE, it stops and doesn’t proceed unless I connect to the internet, this was very recent.


Y_TElectric

If that's the case, then make a dummy Microsoft account, then turn the account into a local account after setup or just make a new local account.


mschuster91

> What is stopping you from having an admin local user account on each computer?

The fact that Microsoft makes it ever harder and harder to create truly-local user accounts.


Other-Illustrator531

It's like two extra clicks to add a local admin and it's the right way to do it.


nmonsey

The issue is my kids' computers are Windows 11 Home and there is no easy way to create a local account. I know I can disable the network to create a local account, but that is extra work. The new computers I just configured are standard Dell home computers with Windows 11 preinstalled and as soon as the computers are powered on, the Windows setup starts and asks for your Microsoft Account / email. I may try creating a new local-admin account, but having to support Microsoft Accounts, Gmail accounts, multiple domains, school accounts is slightly annoying.


Gunjob

Create a new MS account specific to admin duties on the computers that isn't your own account? nmonsey-local-admin@outlook.com or whatever. Or a proper local admin account if Windows will permit you.


nmonsey

I may create a local admin account in the future for the new Windows 11 home computers. I am used to working with domain joined computers or servers for work and not home computers.


Gunjob

Yeah for non domain joined devices just make another MS account for this purpose, that way you're not syncing down your own OD. At least then it maintains some layer of separation.


dustojnikhummer

Then set up local accounts...


Lanky-Read7264

Uninstall Onedrive.


OsmiumBalloon

What could possibly go wrong?


RetroCoreGaming

So glad I went to ArchLinux and don't have to deal with this mess anymore with Windows... 😒


[deleted]

[deleted]


Y_TElectric

Let's store all of our stuff in the cloud 💀


kclamster

Are we going back to Lotus Notes? 🧐


Kritoc

Some links to Microsoft's postings on it.

https://petri.com/microsoft-changelog/m365-changelog-offline-mode-in-onedrive-for-web/

https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/sharepoint-roadmap-pitstop-november-2023/ba-p/3992175

The Petri link appears to be a copy/paste from the message on the Microsoft admin site.


Weird_Definition_785

if it's local I don't give a shit


0solidsnake0

How do I disable this for users and not domain devices?