Archive

Archive for the ‘Security’ Category

Exchange read-only mailbox rights

April 11th, 2013 1 comment

Couple of days I’ve got question from my friend if there is way to setup Exchange mailbox to be Read-only for other users in company. I never needed it, because when someone else needed to access other’s mailbox, I just set FullAccess rights on mailbox and everythin worked fine.

Testing scenario

Exchange 2010

Tester user called Tester with following content of mailbox:

Tester mailbox

Tester user called Tester02 wich wants to access whole mailbox of user Tester, but Read-only.

When I set Reviewer for user Tester02 on mailbox Tester under Outlook:

Reviewer permissions

Problem

When I connect Tester’s mailbox into Tester02’s Outlook profile I can see following:

Inbox view

So I can see only Inbox. I don’t see any folder underneath it. We can check this permissions also using Powershell:

Get-MailboxFolderPermission

When we look on mailbox folder permissions underneath Inbox, for example “Inbox\My friends” folder, we can see following:

Permission on subfolder

This means that mailbox folder permissions are not inherited. So we can set permission per folder. So let’s test to add permission to folder Inbox and subfolder “My friends”:

Set-Folder Permissions

and now we can see also subfolders under account Tester02:

Accessible subfolders

This means that using Outlook or powershell commandlet Add-MailboxFolderPermission can set permissions only on one folder and these settings are not inherited! This is really weird. I couldn’t find any setting to allow inheritance.

Another way to set permissions of mailbox folders is set permissions on whole mailbox. This can be set by users which have rights to manage exchange mailboxes. Let’s look on powershell cmd-let Add-MailboxPermission. This cmdlet allows you to set just following access rights: FullAccess, SendAs, ExternalAccount, DeleteItem, ReadPermision, ChangePermision and ChangeOwner. Neither one of these rights define Read-only access to mailbox.

Solution

So there is no easy way to share whole mailbox between users in read-only manner. Only way I can think of is to run some powershell script. For example:

Add-MailboxFolderPermission tester -User tester02 -AccessRights Reviewer

 

ForEach($folder in (Get-MailboxFolderStatistics -Identity tester) )

{

$fname = “tester:” + $folder.FolderPath.Replace(“/”,”\”);

Add-MailboxFolderPermission $fname -User tester02 -AccessRights Reviewer

}

where “tester” is account with shared mailbox and “tester02” is account which want to access shared mailbox.

After this powershell commands are done, Tester02 can see Tester’s mailbox:

 

Shared mailbox accessible

 

But when user Tester creates new folder in his mailbox, user Tester02 will not see it unless user Tester sets permissions on new mailbox folder.

I hope guys from Microsoft will solve this issue in next release of Exchange. 🙂

 

What’s new in WSUS in Windows Server 2012

March 27th, 2013 No comments

Installation of WSUS on Windows Server 2012

I started to install WSUS service on Windows Server 2012. I selected to install Windows Internal Database as store of WSUS metadata.

WSUS installation

I selected to store updates on local C:\ drive (it’s just testing machine):

Store updates localy

After first run on Windows Server Update Services management tool WSUS asks again if I want to store updates locally or not:

WSUS complete installation

When I click Run, post-installation starts to run:

Post-installation

And I received Post-installation “notification” 🙂 in Microsoft word it means I have a problem (Failed to restart the current database. The currecnt database is switched to master):

Post-installation error

So if computer has problem with restarting database, let’s restart service. Didn’t help 🙂 Let’s restart whole computer. Didn’t help either. So the problem will be somewhere else.

I tried to install WSUS from scratch. I uninstalled WSUS and also Windows Internal Database feature. I also deleted data for Windows Internal Database from directory C:\Windows\WID. Then I installed WSUS with all dependecies – WID, IIS, …

Now I’m getting different error:

WSUS illegal character in path

Problem was backslash in input window for defining directory to store updates 😀 This path was predefined by wizard and it was wrong. This is really funny 🙂

So after reinstallation of WSUS and WID and defining “correct” path to update store directory (without backslash on the end 🙂 ) everything looks to be done correctly:

Post-installation done

Let click Close and look what’s new in WSUS. First we need to configure WSUS and I did it using WSUS Wizard. I don’t see any news in this Wizard compared to older one.

Exploring WSUS

I haven’t notice any news in WSUS mmc console. I always use client side group targeting. This feature allows you to create groups of computers in WSUS structure. It can be used to target updates specified for testing to just group of computers and so on. To make this working you need to set client side of group targeting by defining name of Group and also you need to create new Computer Group in WSUS structure. What I always forget it to create these Computer Groups in WSUS structure 🙂 I would love to see some option to allow WSUS to create these Computer Groups automatically. But this didn’t happend of this version of WSUS.

I think the most powerful thing Microsoft added into WSUS is support for Powershell cmd-lets. Most of the time WSUS settings about update Classifications and update Products are same from customer to cutosmer, so you can automate this settings using cmd-lets Get-WsusClassification, Set-WsusClassification, Get-WsusProduct and Set-WsusProduct.

To get some information about WSUS Server it selft you can use cmd-let Get-WsusServer:

Get-WsusServer

There are more interesting cmd-lets. One is Get-WsusComputer which prints out some more information about computer reported into WSUS:

Get-WsusComputer

Get-WsusComputer has lot of ability to filter out computers on some conditions. Failed, Needed, …

To manage updates from powershell you can use cmd-lets Get-WsusUpdate, Approve-WsusUpdate and Deny-WsusUpdate. You can for example approve all updates that are Unapproved and FailedOrNeeded:

Get-WsusUpdate -Classification All -Approval Unapproved -Status FailedOrNeeded | Approve-WsusUpdate -Action Install -TargetGroupName “All Computers”

And the last cmd-let I really love, because I can make scheduled task to run Clean-up Wizard. Cmd-let is Invoke-WsusServerCleanup. You can do every cleanup task you can make from GUI.

Conclusion

I don’t think there is too much to improve on WSUS, but little powershell support for WSUS is handy.

Quickie: Kerio has also some bug

March 14th, 2013 No comments

Today I solved one network issue. Customer has Tomcat webserver. This server is located at central site. Users which use this Tomcat website are located at branches. These branches are connected via MLPS network. There is Kerio in between MPLS network and central site. Problem was that people from central site could use Tomcat website, but people from branch offices couldn’t use it. After couple minutes of analyzing network using Wireshark, I found out that problem is caused by IP fragmentation.

I solved it by Enabling PMTU black hole detection and Disabling PMTU Discovery as described HERE.

I found also old article about this issue at Kerio support forum.

Quickie: Exchange analyzer as stant-alone applications

March 12th, 2013 No comments

Today was new version of Exchange testing applications released. More about it is HERE.

Run script in elevated mode with active UAC

March 4th, 2013 No comments

I had to run one vbs script on Windows 7 with UAC enabled. This script was implemented as part of Run/RunOnce technology in Windows. When you want some script/application to run everytime you log in or just once you log in, you can use this technology built-in Windows. You can read about it here. Implementation of these registry keys was easy. Problem raised when I found out that script doesn’t run in elevated mode – without administrative privileges.

If you need to run some script in elevated mode, you can right-click on script and select “Run as administrator”. This is fine, but what about script that is part of registries? There is no way to right-click 🙂 You have to use UNDOCUMENTED parameter “runas” of parameter ShellExecute of object Shell.Application. It’s really undocumented on official sites!

Another bad thing of running script in elevated mode is that you cannot access network drives which you have mapped. You need to remap them and then you can use them.

There are nice articles which describe how to run scripts in elevated mode:

This saved me couple hours of fight with scripts 🙂

 

Quickie: Lync Server 2010 has same problem Exchange does

February 28th, 2013 2 comments

When I wanted to Enable AD users in Lync Server 2010 which were members of Domain Administrators and Enterprise Administrators I received error:

Active Directory operations failed on “DC_server”.  You cannot retry this operation: “Insufficient access rights to perform the operation 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0”

It’s same problem as Exchange has. You cannot be member of those two groups, because periodically all accounts in this groups have cleared Include inheritable permissions from this object’s parent and set explicit permissions by AD. But if you want to add members of those administrative groups into Lync you can check checkbox Include inheritable permissions from this object’s parent, enable user in Lync and uncheck checkbox Include inheritable permissions from this object’s parent after you are done.

Inheritance AD User

Exchange fixed this issue after couple year in Exchange 2010 SP3. Hopefully we will have some fix also for Lync Server.

Quickie: I really don’t like Antiviruses especially ESET

February 22nd, 2013 No comments

Here is one reason why I don’t like ESET Antivirus:

Fuck the ESET

I don’t think it needs any comments 😀

Here is official website I saw it at.

TrendMicro Worry-Free Business Security debug logs

February 22nd, 2013 2 comments

Problem

Today I was at one customer which recently installed TrendMicro Worry-Free Business Security solution. It’s firewall and anti-* product. Today I noticed there is no free space on C:\ disk. Trend Micro ate 19 GB! The biggest portion of space was located at C:\Program Files\Trend Micro\Security Server\PCCSRV\Log. There were files called ofcdebug-*.log which were about 150 MB of size and there was lots of them. And there new comming and comming 🙂

Solution

Those file are debugging log files. There is really weird way to disable them. In management website you need to click on little small letter “M” in the logo:

TrendMicro Worry-Free

New window appears where you can enable/disable debug logs:

TrendMicro Debuging Log

This is really weird way to set logging by looking for some small letter “M” 🙂

More about it on official site.

Maximum Validity For Certificates

February 19th, 2013 No comments

You can configure expiration period for Certification Template. By default there are default maximum validation periods set to:

  • One year for Stand-alone Certification Authority
  • Two years for Enterprise Certification Authority

This means you have Certification Template set its validity for example for 10 years, but you can enroll certificates with validity 1 or 2 years (Stand-alone / Enterprise Certification Authority).

This can be changed via registry keys described in KB254632.

Thank you for my colleague Róbert Švec.

Disable Exclusive Rights for roaming profiles

January 25th, 2013 No comments

When administrators implement Roaming Profiles they define folder where roaming profile should be stored on fileserver. By default file permissions for the newly generated profile are full control for the user, full control to SYSTEM and no file access for the administrators group. You can not access this profiles with administrator account and clean it up. First you had to take ownership and then you can change ACL, but this is not what you want, because owner should be user.

You can fix this in two steps:

New roaming profile folders

You can change default behaviour on new profile folder creation. It can be changed by applying GPO to domain controllers with following setting Enabled:

Change new roaming profile security

Change ACLs for existing profile folders

This will be in couple steps:

  • Download SubInACL.exe
  • Download PsExec
  • Log into fileserver where profiles are stored
  • Run cmd.exe under SYSTEM account by running command

psexec -sid cmd.exe

  •  In new cmd.exe window go into directory where roaming profiles are stored. For example: cd G:\Profiles\
  • Add BUILTIN\Administrators into ACLs of roaming profiles by running following command:

subinacl /subdirectories=directoriesonly G:\Profiles\*.* /GRANT=Administrators=F

Enjoy accessible roaming profile  folders 🙂