Sunday, July 2, 2017

Ransomware: lessons learnt

With the recent outbreaks of ransomware such as WannaCry and Petya, more similar exploits may be lining up. Both variants propagate via the NSA's EternalBlue exploit: the vulnerability exists because of insufficient input validation in the Microsoft Windows SMBv1 server when handling a crafted SMB request. As a result, a remote attacker can use such a request to gain unauthorized access to sensitive information. Most enterprise-class anti-virus vendors claim their products can detect and stop the exploit as long as you stay updated, but is that enough for a systems administrator to sit back and relax?


Below is what I've learnt from the exploit and what else we can do.

1. Disable SMBv1

This 30-year-old protocol should be disabled. Some vendors and products might still require SMBv1; hopefully, after the May and June global cyber-attacks, vendors will start looking into a transition to SMBv2 or SMBv3. You can check whether SMBv1 is enabled on a Windows device with the PowerShell below:

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

You can disable SMBv1 via GPO by setting the registry value below:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Registry entry: SMB1

REG_DWORD: 0 = Disabled

REG_DWORD: 1 = Enabled

Default: 1 = Enabled

If you are running Windows 7, or Server 2012 (not R2) and below, please refer to https://blogs.technet.microsoft.com/secguide/2017/06/15/disabling-smbv1-through-group-policy/

For more information, here is a good reference: https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

Intensive testing is required, as many vendors and products still rely on SMBv1.
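The check and the registry setting above combined into one audit-and-remediate script, added here as an example (not code from the original post). It assumes Windows 8 / Server 2012 or later, where Get-SmbServerConfiguration and Set-SmbServerConfiguration exist, and an elevated shell; older builds still need the GPO route linked above.

```powershell
# Added example: audit the SMB1 server state and, with -Remediate, turn it off.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.
param([switch]$Remediate)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    $cfg = Get-SmbServerConfiguration
    $reg = Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue
    # An absent SMB1 value means the default applies, and the default is 1 = enabled
    $regText = if ($null -eq $reg) { 'not set (default 1 = enabled)' } else { $reg.SMB1 }
    # Optional-feature state exists on client SKUs (8.1/10); empty on servers is fine
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $cfg.EnableSMB1Protocol
        Smb2ServerEnabled = $cfg.EnableSMB2Protocol
        RegistrySMB1      = $regText
        Smb1Feature       = $feature.State
    }
}

$before = Get-Smb1State
$before

if ($Remediate -and $before.Smb1ServerEnabled) {
    # The same registry value the GPO sets, applied locally
    Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0
    # Turns the SMB1 server off immediately on Windows 8 / Server 2012 and later
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Re-read so the change is confirmed rather than assumed
    Get-Smb1State
}
```

Run it without -Remediate first across a pilot group, since anything still depending on SMBv1 will break once the server side is off.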

2. Patch Windows regularly

Microsoft released a critical security bulletin, MS17-010 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx), to patch SMBv1; if you still haven't installed this security update, your infrastructure is at risk. System administrators should regularly patch their whole infrastructure, including SAN, routers, switches, servers, desktop clients, etc.

3. Layered security with up to date security products

Relying only on desktop anti-virus is not enough to keep you secure nowadays. Security products must stay up to date, as vendors release updates to cover an exploit once samples have been analysed. Every vendor has products specialising in different OSI layers: network IDS and IPS, web content filtering, web application firewalls, anti-virus tools, anti-spam, host-level IPS with DLP, eDiscovery and forensics tools, encryption and decryption at rest, etc. All of these should be stacked and layered from the application layer all the way down to the physical layer to provide stronger protection.

4. Backup

Say no more: a backup and DR plan is a must-have for every business.

Sunday, June 25, 2017

Exchange 2013 Multi-Tenant setup

Create Tenant

 

# 1. Create an OU for the first tenant, "Tenant A"

New-ADOrganizationalUnit -Name TenantA -Path "OU=Hosted,DC=mycloud,DC=local"

# 2. Register the new UPN suffix

Set-ADForest -Identity hosted.exchange -UPNSuffixes @{add="tenanta.com"}

This is what needs to be done in Active Directory. Now let's continue using the Exchange Management Shell (EMS). We can "load" the EMS directly from this shell (assuming that you're working as the Domain Administrator now).

# 3. Connect to the EMS

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://mycloudex01/PowerShell/ -Authentication Kerberos

Import-PSSession $Session

Make sure you adjust the path according to your setup. PowerShell is now loading the Exchange cmdlets.

# 4. Add a new accepted domain for the new tenant

New-AcceptedDomain -Name "TenantA" -DomainName tenanta.com -DomainType:Authoritative

# 5. Create Global Address List for Tenant A

New-GlobalAddressList -Name "TenantA – GAL" -ConditionalCustomAttribute1 "TenantA" -IncludedRecipients MailboxUsers -RecipientContainer "hosted.exchange/Tenants/TenantA"

# 6. Create All Rooms Address List (make sure to check the quote characters, i.e. paste the command into Notepad and manually change them to

New-AddressList -Name "TenantA – All Rooms" -RecipientFilter "(CustomAttribute1 -eq 'TenantA') -and (RecipientDisplayType -eq 'ConferenceRoomMailbox')" -RecipientContainer "hosted.exchange/Tenants/TenantA"

# 7. Create All Users Address List

New-AddressList -Name "TenantA – All Users" -RecipientFilter "(CustomAttribute1 -eq 'TenantA') -and (ObjectClass -eq 'User')" -RecipientContainer "hosted.exchange/Tenants/TenantA"

# 8. Create All Contacts Address List

New-AddressList -Name "TenantA – All Contacts" -RecipientFilter "(CustomAttribute1 -eq 'TenantA') -and (ObjectClass -eq 'Contact')" -RecipientContainer "hosted.exchange/Tenants/TenantA"

# 9. Create All Groups Address List

New-AddressList -Name "TenantA – All Groups" -RecipientFilter "(CustomAttribute1 -eq 'TenantA') -and (ObjectClass -eq 'Group')" -RecipientContainer "hosted.exchange/Tenants/TenantA"

# 10. Create Offline Address Book

New-OfflineAddressBook -Name "TenantA" -AddressLists "TenantA – GAL"

# 11. Create Email Address Policy

New-EmailAddressPolicy -Name "TenantA – EAP" -RecipientContainer "hosted.exchange/Tenants/TenantA" -IncludedRecipients "AllRecipients" -ConditionalCustomAttribute1 "TenantA" -EnabledEmailAddressTemplates "SMTP:%m@tenanta.com","smtp:%g.%s@tenanta.com"

You may want to play around with the parameter -EnabledPrimarySMTPAddressTemplate "SMTP:%g.%s@tenanta.com", which sets Firstname.Lastname@domain.tld as the default for the Email Address Policy (EAP).

# 12. Create Address Book Policy

New-AddressBookPolicy -Name "TenantA" -AddressLists "TenantA – All Users", "TenantA – All Contacts", "TenantA – All Groups" -GlobalAddressList "TenantA – GAL" -OfflineAddressBook "TenantA" -RoomList "TenantA – All Rooms"

# 13. Create a Room Mailbox (optional)

New-Mailbox -Name 'Tenant A Conference Room 1' -Alias 'TenantA_ConfRoom1' -OrganizationalUnit 'hosted.exchange/Tenants/TenantA' -UserPrincipalName 'confroom1@tenanta.com' -SamAccountName 'TenantA_ConfRoom1' -FirstName 'Conference' -Initials '' -LastName 'Room 1' -AddressBookPolicy 'TenantA' -Room

Set-Mailbox TenantA_ConfRoom1 -CustomAttribute1 'TenantA'

It is important that tenant-wide objects have CustomAttribute1 set to the corresponding tenant.

Now that we have all the address books and policies configured, we can start with the first user mailbox. The new user will get the password of the credential you enter after the first command. You can adjust the New-Mailbox command to your needs.

$c = Get-Credential

New-Mailbox -Name 'Tenant User 1' -Alias 'TenantA_user1' -OrganizationalUnit 'hosted.exchange/Tenants/TenantA' -UserPrincipalName 'User1@tenanta.com' -SamAccountName 'tenanta_user1' -FirstName 'Tenant' -Initials '1' -LastName 'User' -Password $c.password -ResetPasswordOnNextLogon $false -AddressBookPolicy 'TenantA'

Set-Mailbox user1@tenanta.com -CustomAttribute1 "TenantA"

After you're done, close the session to the EMS:

Remove-PSSession $Session

 

 

You can now log on to OWA with the user you just created and check the configuration. You will find all the tenant-related address lists. You can create another user for this tenant and find them in your address book. They can share calendars and book conference rooms. Repeat the steps above to create another tenant, with its own accepted domain name, address lists and policies.
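The tenant steps above wrapped into one reusable function, plus a check for objects that missed the CustomAttribute1 tag, added here as an example (not code from the original post). It assumes the EMS session from step 3 is already imported, the same OU layout as the post (hosted.exchange/Tenants/<Tenant>), and list names with a plain hyphen instead of the post's en dash; the Test function and its name are mine.

```powershell
# Added example: steps 1-2 and 4-12 of the post for any tenant name and domain.
# Assumes an imported EMS session and the post's OU layout under hosted.exchange/Tenants.
function New-HostedTenant {
    param(
        [Parameter(Mandatory)][string]$Tenant,   # e.g. TenantB
        [Parameter(Mandatory)][string]$Domain,   # e.g. tenantb.com
        [string]$OuPath = 'OU=Hosted,DC=mycloud,DC=local'
    )
    $container  = "hosted.exchange/Tenants/$Tenant"
    $attrFilter = "(CustomAttribute1 -eq '$Tenant')"

    # Steps 1-2: OU and UPN suffix in Active Directory
    New-ADOrganizationalUnit -Name $Tenant -Path $OuPath
    Set-ADForest -Identity hosted.exchange -UPNSuffixes @{add=$Domain}

    # Steps 4-5: accepted domain and the tenant's own GAL
    New-AcceptedDomain -Name $Tenant -DomainName $Domain -DomainType Authoritative
    New-GlobalAddressList -Name "$Tenant - GAL" -ConditionalCustomAttribute1 $Tenant `
        -IncludedRecipients MailboxUsers -RecipientContainer $container

    # Steps 6-9: every list is scoped by CustomAttribute1 so tenants cannot see each other
    $lists = [ordered]@{
        'All Rooms'    = "$attrFilter -and (RecipientDisplayType -eq 'ConferenceRoomMailbox')"
        'All Users'    = "$attrFilter -and (ObjectClass -eq 'User')"
        'All Contacts' = "$attrFilter -and (ObjectClass -eq 'Contact')"
        'All Groups'   = "$attrFilter -and (ObjectClass -eq 'Group')"
    }
    foreach ($l in $lists.GetEnumerator()) {
        New-AddressList -Name "$Tenant - $($l.Key)" -RecipientFilter $l.Value -RecipientContainer $container
    }

    # Steps 10-12: OAB, e-mail address policy and address book policy
    New-OfflineAddressBook -Name $Tenant -AddressLists "$Tenant - GAL"
    New-EmailAddressPolicy -Name "$Tenant - EAP" -RecipientContainer $container `
        -IncludedRecipients AllRecipients -ConditionalCustomAttribute1 $Tenant `
        -EnabledEmailAddressTemplates "SMTP:%m@$Domain", "smtp:%g.%s@$Domain"
    New-AddressBookPolicy -Name $Tenant `
        -AddressLists "$Tenant - All Users", "$Tenant - All Contacts", "$Tenant - All Groups" `
        -GlobalAddressList "$Tenant - GAL" -OfflineAddressBook $Tenant -RoomList "$Tenant - All Rooms"
}

# Recipients in the tenant OU without the tag fall outside every tenant list; find them before go-live.
function Test-HostedTenantTagging {
    param([Parameter(Mandatory)][string]$Tenant)
    Get-Recipient -OrganizationalUnit "hosted.exchange/Tenants/$Tenant" -ResultSize Unlimited |
        Where-Object { $_.CustomAttribute1 -ne $Tenant } |
        Select-Object Name, RecipientTypeDetails, CustomAttribute1
}
```

Usage: New-HostedTenant -Tenant TenantB -Domain tenantb.com, then Test-HostedTenantTagging -Tenant TenantB after creating mailboxes; an empty result means every object is scoped correctly.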

Microsoft DPM 2010 MMC crashed when client join to protection group

Problem Details:
<FatalServiceError><__System><ID>19</ID><Seq>0</Seq><TimeCreated>22.12.2010 08:35:36</TimeCreated><Source>DpmThreadPool.cs</Source><Line>163</Line><HasError>True</HasError></__System><ExceptionType>DlsException</ExceptionType><ExceptionMessage>Eine Ausnahme vom Typ "Microsoft.Internal.EnterpriseStorage.Dls.Utils.DlsException" wurde ausgelöst.</ExceptionMessage><ExceptionDetails>Microsoft.Internal.EnterpriseStorage.Dls.Utils.DlsException: Eine Ausnahme vom Typ "Microsoft.Internal.EnterpriseStorage.Dls.Utils.DlsException" wurde ausgelöst.
   bei Microsoft.Internal.EnterpriseStorage.Dls.UI.UICommon.CmdLetWrapper.HandleError(Pipeline pipeline)
   bei Microsoft.Internal.EnterpriseStorage.Dls.UI.UICommon.CmdLetWrapper.Invoke()
   bei Microsoft.Internal.EnterpriseStorage.Dls.UI.Dpw.ProtectionGroupProgressPage.FinishWizard()
   bei Microsoft.Internal.EnterpriseStorage.Dls.UI.Dpw.ProtectionGroupProgressPage.OnEnteredPage(EventArgs e)
   bei Microsoft.Internal.EnterpriseStorage.UI.WizardFramework.WizardForm.InternalNavigateToPage(WizardPage targetPage, NavigateEventArgs e)
   bei Microsoft.Internal.EnterpriseStorage.UI.WizardFramework.WizardForm.NextPage()
   bei System.Windows.Forms.Control.OnClick(EventArgs e)
   bei System.Windows.Forms.Button.WndProc(Message&amp; m)
   bei System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message&amp; m)
   bei System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
*** Mojito error was: InsufficientSpaceOnReplica; 0; None</ExceptionDetails></FatalServiceError>


Resolution

This is a known bug in DPM 2010 and a fix is in progress; in the meantime, you can use the following PowerShell script to add the client to the secondary DPM server's protection group.

***************** Start Script here ***************
# Change variables as per need
$PGName = "Protection Group 1"
$primaryDPMName = "PrimaryDPM.corp.contoso.com"
$clientName = "laptop123.corp.contoso.com"

$dpmservername = &"hostname"
$dpmservername = $dpmservername.Substring(0, [Math]::Min(15, $dpmservername.Length))

# Get the modifiable PG object
$pg = Get-ProtectionGroup -DPMServerName $dpmservername | where { $_.FriendlyName -eq $PGName }
$mpg = Get-ModifiableProtectionGroup -ProtectionGroup $pg

# Run datasource inquiry on Primary DPM
$ps = Get-ProductionServer -DPMServerName $dpmservername | where {$_.Name -eq $primaryDPMName }
$clientToAdd = Get-Datasource -ProductionServer $ps -Inquire | where { ($_.Type.Id -eq "7b2e4c3d-876f-4535-b5c9-b344d4f05120") -and ($_.LogicalPath -like ($clientName + "\*")) }

if ($clientToAdd)
{
    # Add client to PG
    Add-ChildDatasource -ProtectionGroup $mpg -ChildDatasource $clientToAdd

    # Set disk allocation
    Set-DatasourceDiskAllocation -ProtectionGroup $mpg -ExpectedDataSizePerClientInMB ($mpg.ClientPGDetailsField.ExpectedDataSizePerClient/(1024*1024))

    # Set the IR method for newly added client. (Uncomment to start immediate IR)
    #Set-ReplicaCreationMethod -ProtectionGroup $mpg -Now

    # Commit the changes
    Set-ProtectionGroup -ProtectionGroup $mpg
}

***************  End script here *****

Saturday, April 9, 2016

Azure AD Connect: one or more objects not syncing because of a linked mailbox

 


I was at a client site configuring Azure AD Connect sync to Office 365 and noticed a few users not syncing. I checked the filtering options (OU filtering, object filtering, security permissions, etc.) and they all seemed fine. There are no duplicate UPN or proxyAddresses attributes, and the IdFix tool doesn't reveal anything major. From the Azure AD Connect documentation, https://azure.microsoft.com/en-gb/documentation/articles/active-directory-aadconnectsync-understanding-users-and-contacts/:


An account with a linked mailbox will never be used for userPrincipalName and sourceAnchor. It is assumed that an active account will be found later.

Look in the Synchronization Service Manager ("C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe"): go to Metaverse Search, find the user and double-click; under the "Connectors" tab you'll see there is only 1 connector. Compare with another user, who has 2 connectors.


Issue:
An account with a linked mailbox will never be used for userPrincipalName and sourceAnchor. It is assumed that an active account will be found later.


Workaround:

 

It is normally safe to convert a linked mailbox to a user mailbox. You must do it from the Exchange Management Shell.

To see the LinkedMasterAccount, run this command:

Get-User -Identity "user" | FL LinkedMasterAccount

To convert to a user mailbox, run the following command:

Set-User -Identity "user" -LinkedMasterAccount $null

Once converted to a user mailbox, you can either wait for the next sync or force a sync from the Synchronization Service Manager by following this link: https://blogs.technet.microsoft.com/rmilne/2014/10/01/how-to-run-manual-dirsync-azure-active-directory-sync-updates/
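An added example (not from the original post) that turns the two commands above into a report of every linked mailbox in the organisation and a conversion step that supports -WhatIf, so you can see which objects AAD Connect will skip before changing any of them. It assumes an Exchange Management Shell; the function names are mine.

```powershell
# Added example: list linked mailboxes (the ones AAD Connect skips for UPN/sourceAnchor)
# and convert selected ones to user mailboxes with a ShouldProcess guard.
function Get-LinkedMailboxReport {
    Get-Mailbox -RecipientTypeDetails LinkedMailbox -ResultSize Unlimited |
        Select-Object Name, UserPrincipalName, LinkedMasterAccount, Database
}

function Convert-LinkedMailboxToUser {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$UserPrincipalName)
    process {
        # -WhatIf / -Confirm work through ShouldProcess, so a dry run changes nothing
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Clear LinkedMasterAccount (linked -> user mailbox)')) {
            Set-User -Identity $UserPrincipalName -LinkedMasterAccount $null
            # Re-read the object so the result reflects what Exchange actually stored
            Get-User -Identity $UserPrincipalName |
                Select-Object Name, RecipientTypeDetails, LinkedMasterAccount
        }
    }
}

# Preview every candidate first, then convert only the user(s) you picked:
# Get-LinkedMailboxReport | Convert-LinkedMailboxToUser -WhatIf
# Get-LinkedMailboxReport | Where-Object Name -eq 'user' | Convert-LinkedMailboxToUser
```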

Saturday, March 12, 2016

Retrieve BIOS embedded Windows product key


New PCs shipped with an OEM version of Windows no longer come with a Certificate of Authenticity attached; instead, the PC manufacturer embeds the Windows key in the BIOS or EFI firmware.

 

Please read the link below carefully to understand your downgrade rights: https://www.microsoft.com/OEM/en/licensing/sblicensing/Pages/downgrade_rights.aspx#fbid=OtIyotJ5rw5

 

So, I just ordered a new PC that came with Windows 10, but because of an application compatibility issue (the software only supports Windows 8.1) I have to downgrade and format the PC to Windows 8.1.

I need a product key, but it is embedded in the BIOS. I downloaded this tool to get the key: https://neosmart.net/OemKey/ . This product key can be used to re-install Windows 10 or downgrade to 8.1 with a clean Windows setup CD.
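The firmware-embedded key can also be read with Windows' own SoftwareLicensingService WMI class, which avoids running a downloaded third-party binary on a freshly imaged machine; this is an added example, not part of the original post, and the function name and the masked output are my choices.

```powershell
# Added example: read the OEM key the manufacturer embedded in the firmware (OA3) via WMI.
# By default the key is masked so it can be logged or pasted into a ticket safely.
function Get-FirmwareProductKey {
    param([switch]$Reveal)
    $key  = (Get-CimInstance -ClassName SoftwareLicensingService).OA3xOriginalProductKey
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS
    if ([string]::IsNullOrEmpty($key)) {
        # Non-OEM builds and machines without an OA3 marker return an empty string here
        throw 'No OEM product key is embedded in this firmware.'
    }
    $shown = if ($Reveal) { $key } else { 'XXXXX-XXXXX-XXXXX-XXXXX-' + $key.Substring($key.Length - 5) }
    [pscustomobject]@{
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        BiosVersion  = $bios.SMBIOSBIOSVersion
        ProductKey   = $shown
    }
}

# Get-FirmwareProductKey            -> masked key with machine details
# Get-FirmwareProductKey -Reveal    -> full key, for the setup prompt only
```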



Wednesday, March 9, 2016

AWS Simple AD: change subnet


I was working on an AWS project setting up a WorkSpace (a desktop in the cloud), and one of the prerequisites is an Active Directory. I am using AWS in the Sydney region. I set up my Active Directory (Simple AD) and realized AWS WorkSpaces does not support availability zones b and c in the Sydney region; only availability zone A is supported. I got the error message below when I tried to register a WorkSpace using my Simple AD directory in availability zone b or c:

Unsupported Subnet

The selected directory was created in a subnet that is not supported by the WorkSpaces service, and cannot be registered. Please try with a different directory or contact the AWS Support Team on the community forums and via AWS Premium Support.


Workaround:

I've logged a support call with AWS support, but the answer I got back is that it is not possible to change the directory's subnet. The workaround is to create a new AD Connector. Make sure the AD Connector is on the correct subnet (availability zone A), and make sure:

- the connected directory DNS name is the same as the Simple AD's

- the NetBIOS name is the same as the Simple AD's

- the username and password are those of a user with Domain Admins rights in the Simple AD

- the DNS servers must match; you can get them under WorkSpaces, Directories, by expanding the directory


Once the AD Connector is configured, you can register the WorkSpaces directory with the new AD Connector and start the WorkSpace.

 

It is an additional monthly charge, but since my WorkSpace also requires MFA, which is only supported with an AD Connector, this is OK for me.
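A pre-check, added here as an example and not from the original post, that shows which availability zone each of a directory's subnets is in, alongside the NetBIOS name and DNS addresses that the new AD Connector has to match. It assumes the AWS Tools for PowerShell DirectoryService and EC2 modules with a configured profile; the default supported-AZ list is an assumption that matches the post (only ap-southeast-2a at the time), and d-xxxxxxxxxx is a placeholder directory id.

```powershell
# Added example: report each subnet's AZ for an AWS Directory Service directory before trying to
# register it with WorkSpaces. Assumes AWS Tools for PowerShell (Get-DSDirectory, Get-EC2Subnet).
function Test-WorkSpacesDirectorySubnet {
    param(
        [Parameter(Mandatory)][string]$DirectoryId,    # e.g. d-xxxxxxxxxx (placeholder)
        [string]$Region = 'ap-southeast-2',
        [string[]]$SupportedAZ = @('ap-southeast-2a')  # assumption matching the post
    )
    $dir = Get-DSDirectory -DirectoryId $DirectoryId -Region $Region
    # Simple AD and Managed AD keep their subnets in VpcSettings, an AD Connector in ConnectSettings
    $subnetIds = if ($dir.VpcSettings) { $dir.VpcSettings.SubnetIds } else { $dir.ConnectSettings.SubnetIds }
    $subnets = Get-EC2Subnet -SubnetId $subnetIds -Region $Region
    foreach ($s in $subnets) {
        [pscustomobject]@{
            DirectoryId = $dir.DirectoryId
            Type        = $dir.Type
            NetBIOS     = $dir.ShortName                 # the AD Connector must use the same name
            DnsIpAddrs  = ($dir.DnsIpAddrs -join ', ')   # and the same DNS servers
            SubnetId    = $s.SubnetId
            AZ          = $s.AvailabilityZone
            Supported   = $SupportedAZ -contains $s.AvailabilityZone
        }
    }
}

# Register only when no subnet sits in an unsupported AZ:
# (Test-WorkSpacesDirectorySubnet -DirectoryId d-xxxxxxxxxx).Supported -notcontains $false
```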

Thursday, December 3, 2015

Linux Services - From Oracle Linux 6 to Oracle Linux 7

Oracle Linux 7 is based on Fedora 19, whereas the previous Oracle Linux 6 and 5 were based on Red Hat Enterprise Linux. The switch from sysvinit to systemd is now part of the Enterprise Linux distributions. Below are some simple commands to start and stop services.

 

Starting and stopping a service

# systemctl stop httpd

# systemctl start httpd

# systemctl restart httpd

# systemctl status httpd

 

Autostart a service at boot; chkconfig is replaced with

# systemctl start dbora.service

# systemctl enable dbora.service

 

List the services currently running

systemctl list-units --type service

 

I'll update this post when new commands are discovered.