Archive for February, 2019


Troubleshooting Logs and Tools

https://blogs.technet.microsoft.com/exchange/2016/05/31/checklist-for-troubleshooting-outlook-connectivity-in-exchange-2013-and-2016-on-premises/

SaRA tool to assess OUTLOOK client: https://diagnostics.outlook.com/#/

Also, CTRL + right-click the Outlook icon in the system tray to get the connection status.

Test connectivity from outside using: https://testconnectivity.microsoft.com/

Also check potential source of problems:

  • Check ADFS policies
  • Check Set-CASMailbox (post-authentication); for example, whether the POP or IMAP protocols are blocked for the mailbox
  • AzureAD Conditional access policies – (post authentication)
  • Authentication policies – in Exchange online (“new-authenticationpolicy”)- (pre authentication)
  • Client access rules – exchange online
  • Org level – IP blacklist – legacy authentication can be blocked
  • Org level – blacklist – EWS connections can be blocked
  • Org level – disable SMTP auth legacy – recommended
  • To protect against DDoS attacks, enable ADFS extranet lockout protection and check the audit log
  • IdFIX tool: https://www.microsoft.com/en-us/download/details.aspx?id=36832

Side-effect on Modern authentication:

If the ADFS WAP and internal ADFS servers are stopped, what are the side effects for Outlook access?

https://www.peters.com/modern-authentication-part-2/

  1. Clients using Modern authentication (ADAL) keep working thanks to their cached tokens (valid 90 days), so the impact is limited
    1. Restarting the internal ADFS server alone solves the problem (no need for the WAP)
  2. But Outlook 2010 or Outlook 2013 without ADAL prompt for USER/PASSWORD, without success
    1. For these old clients that do not support ADAL, the WAP must also be working, not only the internal ADFS server

 

And also check logs:

HTTP Proxy RPCHTTP Logs

In Exchange 2013, there are several logs in the logging folder. For Outlook clients, one of the first logs to examine is the HTTP Proxy log on the CAS. The connection walk-through section shows the process that is used to connect to Exchange 2013; this complete process is logged in the HTTP Proxy log. Also, if possible, add a Hosts file entry on the client pointing to one specific CAS, to reduce the number of logs to examine.

The logs on CAS are located here by default: C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\RpcHttp

HTTP Proxy AutoDiscover Logs

Exchange 2013 has HTTP Proxy logs for AutoDiscover that are similar to the logs shown earlier that can be used to determine whether AutoDiscover is failing.

The logs on CAS are located here by default: C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\AutoDiscover

HTTP Error Logs

HTTP Error logs record failures that occur in HTTP.SYS before the request reaches IIS. However, not all errors for connections to web sites and app pools are seen in the httperr log. For example, if ASP.NET threw the error it may not be logged in the HTTP Error log. By default, HTTP error logs are located in C:\Windows\System32\LogFiles\HTTPERR. See the Microsoft documentation for the httperr log and its reason codes.

IIS Logs

IIS logs can be used to review the connection for RPC/HTTP, MAPI/HTTP, EWS, OAB, and AutoDiscover. The full data for MAPI/HTTP and RPC/HTTP is not always written to the IIS logs, so the "200 connection successful" entry may not be seen. See the IIS status code reference for the meaning of each code.

In Exchange 2013 IIS logs on the CAS should contain all user connections on port 443. IIS logs on the Mailbox server should only contain connections from the CAS server on port 444.

Most HTTP connections are first sent anonymously which results in a 401 challenge response. This response includes the authentication types available in the response header. The client should then try to connect again by using one of these authentication methods. Therefore, a 401 status found inside an IIS log does not necessarily indicate an error.

Note that an anonymous request is expected to show a 401 response. You can identify anonymous requests because the domain\username is not listed in the request.
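The 401 rule above is easy to apply by hand on a few lines but not on a day of CAS traffic. The following PowerShell is an added example (not code from the original page or from Microsoft): it reads the `#Fields:` header of a W3C IIS log, drops the 401s that belong to anonymous first requests (cs-username is `-`) and keeps only the 401s returned after the client presented credentials, which are the ones that actually need investigation. The five log lines are constructed for illustration; the server names, users and IPs are not from the page.

```powershell
# Added example, not code from the original page: triage 401 responses in an
# Exchange CAS IIS log. The log lines below are constructed for illustration; the
# column layout mirrors a default IIS W3C log, but the parser reads the #Fields
# header, so it follows whatever layout your own log uses.
$sampleLog = @'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-02-20 08:00:01 10.0.0.5 RPC_IN_DATA /rpc/rpcproxy.dll mail.contoso.com:6001 443 - 192.0.2.10 MSRPC 401 0 0 15
2019-02-20 08:00:01 10.0.0.5 RPC_IN_DATA /rpc/rpcproxy.dll mail.contoso.com:6001 443 CONTOSO\alice 192.0.2.10 MSRPC 200 0 0 120
2019-02-20 08:00:03 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 192.0.2.11 Microsoft+Office/15.0 401 0 0 8
2019-02-20 08:00:03 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 CONTOSO\bob 192.0.2.11 Microsoft+Office/15.0 401 1 2148074254 30
2019-02-20 08:00:05 10.0.0.5 POST /mapi/emsmdb/ - 443 CONTOSO\bob 192.0.2.11 Microsoft+Office/15.0 401 1 2148074254 25
'@

function Get-IisAuthFailure {
    param([string[]]$LogLines)

    $fields = @()
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            # Column names come from the log's own header
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }

        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed lines

        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        if ($row['sc-status'] -ne '401') { continue }

        # Anonymous first request: this 401 is the expected challenge, not an error
        if ($row['cs-username'] -eq '-') { continue }

        # A 401 returned after credentials were presented is the one worth looking at
        [pscustomobject]@{
            Time      = "$($row['date']) $($row['time'])"
            User      = $row['cs-username']
            ClientIP  = $row['c-ip']
            Uri       = $row['cs-uri-stem']
            SubStatus = $row['sc-substatus']
            Win32     = $row['sc-win32-status']
        }
    }
}

$failures = Get-IisAuthFailure -LogLines ($sampleLog -split "`r?`n")
$failures | Format-Table -AutoSize

# Repeated authenticated 401s from one user/client pair point at a credential or
# ticket problem on that client rather than at the normal challenge/response dance
$failures | Group-Object User, ClientIP | Select-Object Count, Name | Sort-Object Count -Descending
```

On a real server replace the here-string with `Get-Content` on the day's log (the IIS default is under C:\inetpub\logs\LogFiles\W3SVC1; on a CAS it is the site bound to port 443, on a Mailbox server the one on port 444). For the rows the function returns, sc-substatus and sc-win32-status are the next two columns to look up, since they distinguish a wrong password from a server-side authentication configuration problem.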

RPC Client Access (RCA) Logs

The RCA logs can be used to find when a user has made a connection to their mailbox or to an alternate mailbox, errors that occur with the connection, and more. RCA logs are located in the logging directory at %ExchangeInstallPath%\Logging\RpcClientAccess. By default, these logs have a maximum size of 10MB and roll over when the size limit is reached or at the end of the day (based on GMT), and the server keeps 1GB of logs in the directory.

Outlook ETL Logging (requires a support case with Microsoft to analyze the log) 

ETL logs are located in %temp%\Outlook Logging and are named Outlook-#####.ETL. The numbers are randomly generated by the system.

To enable Outlook logging

In the Outlook interface:

  • Open Outlook.
  • Click File, Options, Advanced.
  • Enable “Enable troubleshooting logging (requires restarting Outlook)”
  • Restart Outlook.

How to enable Outlook logging in the registry:

  • Browse to HKEY_CURRENT_USER\Software\Microsoft\Office\xx.0\Outlook\Options\Mail
  • DWORD: EnableLogging
  • Value: 1
  • Note: xx.0 is a placeholder for your version of Office. 15.0 = Office 2013, 14.0 = Office 2010
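The registry steps above can be scripted so that the xx.0 placeholder is resolved from what is actually installed. The function below is an added example (not code from the original page or from Microsoft); the function name is an assumption, and it only writes the EnableLogging DWORD the page describes, for each Office version that has an Outlook key under HKCU, then reads the value back.

```powershell
# Added example, not code from the original page: set the EnableLogging DWORD for
# every Office version found under HKCU (the page's xx.0 placeholder), then read the
# value back. Restart Outlook afterwards; the ETL files appear in %temp%\Outlook Logging.
function Set-OutlookTroubleshootingLogging {
    param([ValidateSet(0, 1)] [int]$Value = 1)   # 1 = enable, 0 = disable

    $officeRoot = 'HKCU:\Software\Microsoft\Office'
    # Keys such as 14.0, 15.0, 16.0 are the installed Office versions
    $versions = Get-ChildItem -Path $officeRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.0$' }

    foreach ($v in $versions) {
        $outlookKey = "$officeRoot\$($v.PSChildName)\Outlook"
        # Skip versions that are installed without Outlook
        if (-not (Test-Path $outlookKey)) { continue }

        $mailKey = "$outlookKey\Options\Mail"
        if (-not (Test-Path $mailKey)) { New-Item -Path $mailKey -Force | Out-Null }
        New-ItemProperty -Path $mailKey -Name 'EnableLogging' -PropertyType DWord -Value $Value -Force | Out-Null

        # Read the value back so the result reflects what is actually in the registry
        [pscustomobject]@{
            Version       = $v.PSChildName
            Key           = $mailKey
            EnableLogging = (Get-ItemProperty -Path $mailKey -Name 'EnableLogging').EnableLogging
        }
    }
}

Set-OutlookTroubleshootingLogging            # turn logging on, then restart Outlook
# Set-OutlookTroubleshootingLogging -Value 0 # turn it off again once the trace is collected
```

Turn the setting off again once the ETL has been collected: the trace keeps growing in the user's %temp% while it is enabled, and it is only useful when a support case is open to read it.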

ExPerfwiz (Perfmon for Exchange)

You can use Perfmon for issues that you suspect are caused by performance. http://experfwiz.codeplex.com/

Exchange 2013 has daily performance logs that capture the majority of what is needed. By default these logs are located in C:\Program Files\Microsoft\Exchange Server\V15\Logging\Diagnostics\DailyPerformanceLogs

Log Parser Studio

Log Parser Studio is a GUI for Log Parser 2.2. LPS greatly reduces complexity when parsing logs. Additionally, it can parse many kinds of logs including IIS Logs, HTTPErr Logs, Event Logs (both live and EVT/EVTX/CSV), all Exchange protocol logs from 2003-2013, any text based logs, CSV logs and ExTRA traces that were converted to CSV logs. LPS can parse many GB of logs concurrently (we have tested with total log sizes of >60GB).

Blog with tips/how to about LPS: http://blogs.technet.com/b/karywa/

Exmon tool (aka Microsoft Exchange Server User Monitor)

We use this tool to get detailed information about client traffic.

 


 

Security News!

Security News:

 

2019/06/11:

Two critical vulnerabilities in Microsoft’s NTLM authentication protocol consisting of three logical flaws make it possible for attackers to run remote code and authenticate on machines running any Windows version.

https://www.bleepingcomputer.com/news/security/microsoft-ntlm-flaws-expose-all-windows-machines-to-rce-attacks/

 

2019/03/11:

Operating systems can be detected using the ping command. Ping is a computer network administration utility used to find the availability of a host on an Internet Protocol (IP) network.

https://gbhackers.com/operating-systems-can-be-detected-using-ping-command/

 

2019/02/22:

Corporate firewalls can block reverse and bind TCP connections. However, corporate firewalls are behind internal networks. So we can use PING ICMP Shell:

https://gbhackers.com/icmp-shell-secret/

 

2019/02/03:

Exploiting Malwarebytes antimalware!

https://acru3l.github.io/2019/02/02/exploiting-mb-anti-exploit/

 

2019/01/24: redteam

Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host (a.k.a. JScript/VBScript):

https://github.com/zerosum0x0/koadic

 

 

 

Azure AD B2B resources

https://docs.microsoft.com/fr-fr/azure/active-directory/b2b/what-is-b2b

  • The partner uses their own identities and credentials; Azure AD is not required.
  • You don’t need to manage external accounts or passwords.
  • You don’t need to sync accounts or manage account lifecycles.

Managing externals:

https://predica.pl/blog/guests-in-the-cloud-how-to-safely-manage-external-users-using-azure-ad-b2b/

SharePoint Online Azure AD B2B – Custom email invites for users using PowerShell

Powershell to invite B2B users:

https://github.com/Azure/azure-docs-powershell-azuread/blob/master/azureadps-2.0/AzureAD/New-AzureADMSInvitation.md

https://www.adamfowlerit.com/2017/03/azure-ad-b2b-powershell-invites/

https://justidm.wordpress.com/2017/05/07/azure-ad-b2b-how-to-bulk-add-guest-users-without-invitation-redemption/

How to identify stale guest users:

https://www.undocumented-features.com/2018/06/22/how-to-find-staleish-azure-b2b-guest-accounts/

script: https://gallery.technet.microsoft.com/scriptcenter/Report-on-Azure-AD-Stale-8e64c1c5

External sharing:

with SPO: https://docs.microsoft.com/en-us/sharepoint/external-sharing-overview

with OneDrive: https://docs.microsoft.com/en-us/onedrive/manage-sharing

with MS Teams: https://docs.microsoft.com/en-us/microsoftteams/let-your-teams-users-communicate-with-other-people

Sharing and collaboration:

https://docs.microsoft.com/en-us/office365/enterprise/office-365-inter-tenant-collaboration

B2B Collaboration in Hybrid Identity Scenario

B2B Collaboration in Hybrid Identity Scenario – Part II

A collection of security articles and web sites, KB, tips and tricks especially for System and Network Administrators, DevOps, Pentesters or Security Researchers.

https://github.com/trimstray/the-book-of-secret-knowledge

 

Hacking news web sites:

https://thehackernews.com/

https://www.bleepingcomputer.com/

https://www.zataz.com/

 

Leaked password databases:

https://haveibeenpwned.com/

https://www.dehashed.com/

https://ghostproject.fr/

https://leaksify.com/

 

The Cyber Swiss Army Knife – a web app for encryption, encoding, compression and data analysis:

https://gchq.github.io/CyberChef/

 

 

 

By default, Azure AD Connect synchronizes disabled accounts from AD to AAD. This is normal and is recommended because of Exchange hybrid and EXO requirements.

 

It is possible to create a custom rule in the Synchronization Rules Editor so that disabled AD accounts are not synchronized:

https://spanougakis.wordpress.com/2016/02/28/how-to-stop-disabled-user-accounts-from-syncing-with-azure-ad-connect/

 

Office 365 – Assigning licenses

Managing licenses with AzureAD module:

https://practical365.com/blog/managing-office-365-licenses-with-azure-ad-v2-powershell-module/

 

Managing licenses with MSonline module:

https://gcits.com/knowledge-base/get-office-365-users-specific-license-type-via-powershell/

https://www.morgantechspace.com/2018/02/check-if-office-365-user-is-licensed-or-not-powershell.html

 

Assign licenses with AzureAD groups:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-group-assignment-azure-portal

 

 

 

Basic network capture methods: https://blogs.technet.microsoft.com/askpfeplat/2016/12/27/basic-network-capture-methods/

  1. Network Monitor 3.4 (Netmon) – https://www.microsoft.com/en-us/download/details.aspx?id=4865 (NOTE: Network Monitor is no longer under active development)
  2. Wireshark (v 2.2.2 as of 11/16/16) – https://wireshark.org/#download
  3. Netsh Trace – built-in to operating system
  4. Microsoft Message Analyzer (MMA) (v 1.4 as of 6/13/16) – https://www.microsoft.com/en-us/download/details.aspx?id=44226

Message analyzer operating guide: http://technet.microsoft.com/en-us/library/jj649776.aspx

How to message analyzer on YouTube: https://www.youtube.com/watch?v=e0v0RsQVdT8

As you might guess from the name, Message Analyzer is much more than a network sniffer or packet tracing tool.  Key capabilities include:

  • Integrated “live” event and message capture at various system levels and endpoints (client and server, remotely)
  • Remote capture (capture multiple point concurrently)
  • Parsing and validation of protocol messages and sequences
  • Automatic parsing of event messages described by ETW manifests
  • Summarized grid display – the top level is “operations” (requests matched with responses)
  • User controlled “on the fly” grouping by message attributes
  • Ability to browse for logs of different types (.cap, .etl, .txt) and import them together
  • Automatic re-assembly and ability to render payloads
  • Ability to import text logs, parsing them into key element/value pairs
  • Support for “Trace Scenarios” (one or more message providers, filters, and views)

Other articles:

Use message analyzer to convert a .etl to .cap: https://blogs.msdn.microsoft.com/benjaminperkins/2018/03/09/analyze-netsh-traces-with-wireshark-or-network-monitor/

 

Capture a network trace using netsh:

https://blogs.msdn.microsoft.com/benjaminperkins/2018/03/09/capture-a-netsh-network-trace/

 

  1. To learn more about your nmcap options, enter “nmcap /?” or “nmcap /examples”
  2. Wireshark training can be found at https://www.wireshark.org/#learnWS.
  3. For more information on Message Analyzer, check out the blog at https://blogs.technet.microsoft.com/messageanalyzer/.
  4. Message Analyzer training videos can be found at https://www.youtube.com/playlist?list=PLszrKxVJQz5Uwi90w9j4sQorZosTYgDO4.
  5. Message Analyzer Operating Guide – https://technet.microsoft.com/en-us/library/jj649776.aspx
  6. Information on the Message Analyzer PowerShell module can be found at https://technet.microsoft.com/en-us/library/dn456518(v=wps.630).aspx.
  7. Remote captures with MMA – https://blogs.technet.microsoft.com/messageanalyzer/2013/10/17/remote-capture-with-message-analyzer-and-windows-8-1/

AADConnect filtering options

With AAD Connect, the following filtering configuration types can be applied to the Directory Synchronization tool:

  • Group based: Filtering based on a single group can only be configured on initial install using the installation wizard. It is not further covered in this topic.
  • Domain-based: This option enables you to select which domains will synchronize to Azure AD. It also allows you to add and remove domains from the sync engine configuration if you make changes to your on-premises infrastructure after you installed Azure AD Connect sync.
  • Organizational-Unit–based: This filtering option enables you to select which OUs will synchronize to Azure AD. It applies to all object types in the selected OUs.
  • Attribute–based: This option allows you to filter objects based on attribute values on the objects. You can also have different filters for different object types.

You can use multiple filtering options at the same time. For example you can use OU-based filtering to only include objects in one OU and at the same time attribute-based filtering to filter the objects further. When you use multiple filtering methods, the filters use a logical AND between the filters.

Filtering can be applied both inbound, from Active Directory to the metaverse, and outbound, from the metaverse to Azure AD. It is recommended to apply filtering inbound, since that is the easiest to maintain. Outbound filtering should only be used if it is required to join objects from more than one forest before the evaluation can take place.

Articles about AAD Connect filtering customization:

https://dirteam.com/dave/2015/04/06/azure-active-directory-synchronization-filtering-part-1/

https://help.bittitan.com/hc/en-us/articles/115008113387-How-do-I-filter-objects-using-Azure-Active-Directory-AAD-Connect-

https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/connect/active-directory-aadconnectsync-configure-filtering.md

 

When is a full synchronization required?

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-configuration

In general, a full synchronization cycle is required when you have added new attributes to the Active Directory or Azure AD Connector schemas, introduced custom synchronization rules, or modified the OU filtering.

 

 

 

As we prepare for the migration from on-premises Skype for Business to Skype for Business Online, there are a few important considerations to bear in mind before you take the leap. I will be covering these in a series of posts (hopefully), today I want to share with you a common scenario we will face while preparing for migration.

We are well aware of the prerequisite for Office 365 that demands that an Active Directory synchronised user must have a publicly routable User Principal Name (UPN). So critical is this requirement that it is now ingrained in every consultant’s mind, and increasingly customers are becoming aware of this without us even mentioning it. However, this can often produce its own unique challenges.

Many organisations set their users up with an ambiguous username, something that does not immediately identify a user by name, e.g. a134g@domain.com rather than markv@domain.com. This is to avoid name conflicts and was often used as an additional domain security measure. When a user is synchronised to Office 365 their UPN is used to provision the identity and service addresses for Exchange and Skype for Business. Often the users' UPNs do not match their publicly available contact information such as their e-mail address. E-mail addresses are usually more personable to each user and contain their true identity, e.g. markv@domain.com. In order to integrate Skype for Business Online with Exchange properly it is important that the user’s SIP address matches their primary e-mail address, i.e. markv@domain.com and not a134g@domain.com.

However, when you perform an AD Sync with Office 365 the user’s Skype for Business Online identity is provisioned using the UPN like so:

On-premises Identity (UPN = a134g@domain.org)

Synchronised Identity in Office 365 Portal also a134g@domain.org

PowerShell output showing primary SIP Address in Skype for Business Online


In order to change this, the solution is to edit the on-premises identity, as this is the source of authority for this person’s cloud identity. Specifically, we need to modify an attribute on the user’s Active Directory account called msRTCSIP-PrimaryUserAddress. For this attribute to exist, your on-premises Active Directory domain must have been prepared for Lync / Skype for Business on-premises. Therefore, you may need to download the on-premises software and run AD schema preparation to have this property available. I say "may"; read on.

First, find this attribute on the user account:

Click on edit and enter the desired address in this format: sip:markv@domain.org

Perform directory synchronisation using AADSync and then check the SIP address of the online identity. You should see that it has changed.

Please note that this only works for synchronised identities. Cloud identities must be provisioned with the primary SIP address as the username.

If you have not prepared your Active Directory domain for on-premises Lync / Skype for Business and do not have the msRTCSIP-PrimaryUserAddress attribute, there is an alternative method you can use. Instead, we can use the ProxyAddresses attribute that is natively part of Active Directory. This is the same attribute you use for provisioning e-mail addresses, which gets around the same issue we have here. Open the ProxyAddresses attribute and add a new proxy address to the list using the following format: sip:markv@domain.org

Perform a directory synchronisation and test the SIP address has been updated correctly
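Both procedures above (the msRTCSIP-PrimaryUserAddress route and the ProxyAddresses fallback) can be done from the ActiveDirectory PowerShell module instead of the attribute editor. The function below is an added example, not code from the original post or from Microsoft: it checks the AD schema for the Lync/Skype attribute, uses it when present, and otherwise writes a `sip:` entry into ProxyAddresses. The function name and the sAMAccountName `markv` are assumptions; the address markv@domain.org is the one the post uses. The fallback path removes any existing `sip:` entry first so the user never ends up with two, which the post's manual steps do not guard against.

```powershell
# Added example, not code from the original post: set a synchronised user's SIP address
# on-premises, using msRTCSIP-PrimaryUserAddress when the schema has it and ProxyAddresses
# otherwise. The function name and the sAMAccountName below are assumptions.
Import-Module ActiveDirectory

function Set-OnPremSipAddress {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [Parameter(Mandatory)] [string]$SipAddress     # e.g. markv@domain.org, without the sip: prefix
    )
    $sipValue = "sip:$SipAddress"

    # The attribute only exists once the forest has been prepared for Lync / Skype for
    # Business, so ask the schema rather than guessing
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $hasRtcAttr = [bool](Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=msRTCSIP-PrimaryUserAddress)')

    if ($hasRtcAttr) {
        Set-ADUser -Identity $SamAccountName -Replace @{ 'msRTCSIP-PrimaryUserAddress' = $sipValue }
        $user = Get-ADUser -Identity $SamAccountName -Properties 'msRTCSIP-PrimaryUserAddress'
        return [pscustomobject]@{ Method = 'msRTCSIP-PrimaryUserAddress'; Value = $user.'msRTCSIP-PrimaryUserAddress' }
    }

    # Fallback: ProxyAddresses. Keep exactly one sip: entry, so drop any existing one
    # (-like is case-insensitive) before adding the new value.
    $user = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses
    $oldSip = @($user.proxyAddresses | Where-Object { $_ -like 'sip:*' })
    if ($oldSip.Count -gt 0) {
        Set-ADUser -Identity $SamAccountName -Remove @{ proxyAddresses = $oldSip }
    }
    Set-ADUser -Identity $SamAccountName -Add @{ proxyAddresses = $sipValue }

    $user = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses
    return [pscustomobject]@{ Method = 'proxyAddresses'; Value = @($user.proxyAddresses | Where-Object { $_ -like 'sip:*' }) }
}

Set-OnPremSipAddress -SamAccountName 'markv' -SipAddress 'markv@domain.org'

# Then run a delta sync on the AAD Connect server (Start-ADSyncSyncCycle -PolicyType Delta)
# and compare the cloud side, e.g. Get-CsOnlineUser -Identity markv@domain.org | Select-Object SipAddress
```

As the post says, this only applies to synchronised identities. If the user is homed on an on-premises Lync / Skype for Business pool, change the address with that product's own management tools rather than editing msRTCSIP-PrimaryUserAddress directly, since the pool owns that attribute.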