By now if you have been paying attention to your news readers, Google plus or twitter feed you would have noticed that Microsoft released a patch to a nasty denial of service (DOS) vulnerability. Here is a bit of information about the vulnerability; “This security update resolves two privately reported vulnerabilities in the Remote Desktop Protocol. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system.”

In short the system would crash and have a “blue screen of death” thus causing the system to reboot. Now the other option would allow and attach to have remote code execution on the affected system. Even though this patch was released over two weeks ago most organizations are still vulnerable and that’s not because the choose to be however most places have a  “patch cycle” which require extensive testing prior to deployment.

Now go on out and patch your systems and if you have some time load Metasploit on a host of your choice and do some testing.

Mitigation:

• If you don’t need RDP open to the external world disable it
• Change the default port everyone know its 3389
• Enable network level authentication (NLA)

http://isc.sans.edu/diary.html?storyid=12808

http://www.metasploit.com/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids

http://technet.microsoft.com/en-us/library/cc732713.aspx

I received a request today from one of our users who wanted to send and email from their departmental distribution group. Now this task can be easily performed if a user wanted to do a send as from a public folder however with Exchange 2010 you are unable to grant a user the correct access via the EMC.

In order to grant a user this access you have to do it via the Exchange management shell “EMS” aka PowerShell. My first question was did the user really meant to say Public folder or was it an actual DG? To answer this question I ran the following command:

get-recipient -results unlimited | where {$_.emailaddresses -match “accounting@domain.com”} | select name,emailaddresses,recipienttype

Once I realized that I was working with a distribution group I then ran  this command to grant the user “send as ” permission:

Get-DistributionGroup “accounting” | Add-ADPermission -ExtendedRights Send-As -User “Jane Doe” -AccessRights ExtendedRight | fl

And just like that I had another satisfied user . If you know of another way to accomplish this task do share in the comments.

I was recently working on a project that involved creating some Retention policies for our Exchange 2010 sp1 environment. The project got a bit scary in the testing phase when we realized that the Inbox deletion policies were also deleting emails in the user’s sub-folder.  The came as a surprise to us since we were able to use the same type of policy in Exchange 2003 prior to upgrading.

To solve this issue we had to create retention policies to manage our deleted items, sent items, and drafts but use message record management to handle our inbox. Since MRM was being phased out of 2010 this solution needed to be implemented via the Exchange management shell (Powershell).

Implementing MRM:

Messaging records management (MRM) is the records management technology in Microsoft Exchange Server 2010 that helps organizations reduce the legal risks associated with e-mail. MRM makes it easier to keep the messages needed to comply with company policy, government regulations, or legal needs, and to remove content that has no legal or business value.

Prior to implementing this its best to check to see if any additional policies were created and if you don’t play on using them going forward delete them. You can do so with the below commands:

Review commands:

ManagedFolderMailboxPolicy

 [PS] C:\Windows\system32>Get-ManagedFolderMailboxPolicy

Name                      ManagedFolderLinks

—-                              ——————

Test Policy1            {Inbox}

ManagedContentSettings

 [PS] C:\Windows\system32>Get-ManagedContentSettings

 Name                      MessageClass              ManagedFolderName

—-                            ————- ————              —————–

Inbox Content               *                                           Inbox1

ManagedFolder

 [PS] C:\Windows\system32>Get-ManagedFolder

 Name                      FolderName                Description

—-                              ———-                ———–

Inbox1                    Inbox                     ManagedDefaultFolder

After retrieving this information you can now issue the following commands to remove any old or test policy:

Remove Policy from users

Set-Mailbox username -ManagedFolderMailboxPolicy $null

Removed ManagedFolder Mailbox Policy

[PS] C:\Windows\system32>Remove-ManagedFolderMailboxPolicy “Test Inbox Policy”

Remove Manage Content Setting

 [PS] C:\Windows\system32>Remove-ManagedContentSettings “Inbox Content”
Creating and Implementing MRM:

1. Create your managed folder
2. Create your managed folder content setting
3. Create your manage mailbox folder policy
4. Apply your policy to a user or to an exchange data store.
5. Start the managed folder assistant service or wait for it process on schedule

The below policy will delete all emails from the user mailbox that are 60 days old without touching any sub folders in the user’s Inbox.

Managed Folder Creation

 New-ManagedFolder -Name “Test Inbox” -DefaultFolderType Inbox -BaseFolderOnly $true -Comment “Items would be moved to deleted items for 60 days” -MustDisplayCommentEnabled  $true

Managed Folder Content Settings

New-ManagedContentSettings -Name “Test Content” -FolderName “Test Inbox” -MessageClass * -AgeLimitForRetention 60 -RetentionAction MoveToDeletedItems -RetentionEnabled $true -TriggerForRetention WhenDelivered

 Managed Mailbox Folder Policy

New-ManagedFolderMailboxPolicy -Name “TestPolicy” -ManagedFolderLinks “Test Inbox”

Verify settings

[PS] C:\Windows\system32>Get-ManagedFolderMailboxPolicy “TestPolicy” |fl

[PS] C:\Windows\system32>Get-ManagedContentSettings “Test Content”|fl

[PS] C:\Windows\system32>Get-ManagedFolder “Test Inbox” |fl

Start the Managed Folder Assistant to process the mailbox.

Apply to single user:

 Set-Mailbox -Identity testuser -ManagedFolderMailboxPolicy “TestPolicy”

Start-ManagedFolderAssistant -ID  testuser

Apply to a database level:

Get-Mailbox –database “Database Name” | Set-Mailbox –ManagedFolderMailboxPolicy “Name of the Policy”

Tip:

If you run into issues wait about 30 mins for the folders to replicate after created them. You can also stop and restart the “Managed Folder Assistant” service.

Would love to know how others handled this issue.

References:

http://technet.microsoft.com/en-us/library/bb508901%28EXCHG.80%29.aspx
http://technet.microsoft.com/en-us/library/dd335093.aspx

  So after having my Droid Bionic for a few months now I have decided to take the leap from rooting to roming. A quick definition on Rooting and Roming from the nice people over at droidlessons.com:

What is Rooting?

“Rooting” your device means obtaining “superuser” rights and permissions to your Android’s software. With these elevated user privileges, you gain the ability to load custom software (ROM’s), install custom themes, increase performance, increase battery life, and the ability to install software that would otherwise cost extra money (ex: WiFi tethering). Rooting is essentially “hacking” your Android device. In the iPhone world, this would be the equivalent to “Jailbreaking” your phone.

Custom Software (ROM’s)

You may have heard of people loading custom “ROM’s” on their devices. A “ROM” is the software that runs your device. It is stored in the “Read Only Memory” of your device. There are many great custom ROM’s available that can make your Android device look and perform drastically different.

After hanging around rootzwiki forum, listening to Droid Nation and Android App Addictspodcast I felt like I was ready to install my first custom  rom. My rom of choice was [K]IN3TX v1.0 some features about this rom:

• Latest BusyBox
• Superuser (Updated Binary)
  
• Battery Optimization
• Fully ROOTED
• SD Card Read tweaks
• Built Off of 5.8.894 OTA
  
• Advance Power Menu
• Scrollable Power Toggles in Pull Down
• FULL Custom UI
• PNG Optimization
• init.d Run Support

Just to name a few..

You can read the full posting about this rom over at the rootzwiki forum their you will also find the various downloads that you would need. However I will highlight a few steps I took:

• Root your device
• Install clockworkmod recovery 
• Install Titanium backup pro or MyBackup root (backup your apps and data)
• ***COPY THE ROM TO YOUR SD CARD***
• Boot into recovery mode with CWM while there do the following
• WIPE DATA/FACTORY RESET
• WIPE CACHE
• UNDER MOUNTS AND STORAGE, FORMAT SYSTEM
• UNDER ADVANCED, WIPE DALVIK
• INSTALL AND HAVE FUN!

After you are finish installing log-in setup your device, then you can boot back into CWM wipe your cache, and dalvik then install add-on or tpak of your choice, I installed the ICS tpak.

Now as anyone might expect the first time you are doing something like this you have to realize that you might make a mistake, but you can only hope it doesn’t hurt you too much. The mistake I made was that I copied the wrong add-on pack to my sdcard but not the base rom, and since I already wiped my system partition I was unable to reboot my phone into recovery mode after I copied the correct file via another device.

How I corrected this issue you might ask yourself, I had some help from my buddy Highlander-:  over at the Podnutz IRC chat room. He pointed me to a tool call RSDlite, which allowed me to flash my phone back to the stock rom and from there I followed the steps outlined above and all was well the second time around . You have got to love the power of the Internet and great communities.

Have fun roming and you can comment back and let me know which rom is your favorite. I have only tried one and I must say I absolutely love it!

Reference Links:

http://droidlessons.com/what-is-rooting-on-android-the-advantages-and-disadvantages/
http://forum.xda-developers.com/showthread.php?t=1348587

Objective:  I goal of this document is meant to outline a few steps that will allow you to troubleshoot the cause behind why users were unable to access the internet while behind a Fortigate 100A device.

Problem: I received a ticket today stating that users in one our computer labs were unable to access the internet.

After arriving onsite I discounted the device and plugged directly into the ISP link and confirmed that they were no issues with the ISP connection. Now is time to open a ticket with support and start the series of troubleshooting to figure out the root cause of the issue.

Step one: Information gathering

After opening the ticket I was told that the issue could have possibly been caused by a bad firmware image, or a corrupted configuration. I needed to log into the device to find out more information and the only way to do so was via the console port.

Connecting to the Fortigate 100A console port:

• Start your favorite terminal emulator program use the following settings:
• Baud rate: 9600
• Data bits: 8
• Parity: None
• Stop bit: 1
• Flow control: None
• Next, reboot the device and watch the screen for any error message.

After rebooting the first time I got the following message, “You must format the boot device”,  I then rebooted a second time and got the following message “The config file may contain errors, Please see details by the command ‘diagnose debug config-error-log read”.  This was somewhat good news because I would have had to RMA the device if the system RAM was corrupted.

At this point I know I had the following options:

• Backup the current configs
• Reset the device to it’s default state
• Reload a new configs

Backing up the device to USB via the console port:

• Plug a usb device into one of the ports on the back of the device
• Login to the device, if you are unable to use your admin login you can login with the maintainer account, this account is only valid for 30 sec after the device has been rebooted; so copy the username and password to a text file then cut/paste to the console. Username: maintainer Password: bcpb<input device serial number using uppercase letters>

• Issue the following command: execute backup configs usb filename<use any name here>
  FG100 # execute backup full-config usb fg100a-10-15-11
  Please wait…
  Copy onfigs fg100a-10-15-11 to USB disk …
  Copy onfigs file to USB disk OK.
  Setting timestamp

Before reloading a new configs its best to run a few diagnostic commands to try and understand what happened:

FG100 #  diag sys top –> Look at CPU load and any processor that running hot

FG100 # diag debug crashlog –> Look for clues as to what service crashed

          Ex Output:

89: 2011-11-14 16:06:42 <04434> application cmdbsvr

 290: 2011-11-14 16:06:42 <04434> *** signal 7 (Bus error) received ***

 291: 2011-11-14 16:06:42 <04434> Register dump:

298: 2011-11-14 16:06:42 <04434> Backtrace:

 299: 2011-11-14 16:06:42 <04434> [0x0893277b] => /bin/cmdbsvr 

 300: 2011-11-14 16:06:42 <04434> [0x08932a96] => /bin/cmdbsvr 

 301: 2011-11-14 16:06:42 <04434> [0x08910473] => /bin/cmdbsvr 

Reload new configs via console port:

• Rename your most recent backup configs file to fgt_system.conf, then place file on the root of your USB drive.
• Plug the USB into one of USB ports on the back of the unit and reboot the unit and you should see a similar output:

Reading boot image 1370111 bytes.
Initializing firewall…
System is started.
Get image from USB disk …Can not get image from USB disk.
Get config file from USB disk OK.
File check OK.

The system is going down NOW !!

 If you are not certain and you leave the drive in after the system reboots you will see the following message indication that the configs file on the disk is the same as the file on the system.

 Get config file from USB disk OK.
Checksum check synced! Don’t need restore config.

 Additional Troubleshooting:

After I restored the config file I was still unable to connect out to the internet, so I issued the following command to verify my IP address setting:

FG100A # get system interface  

After discovering that the IP address for my external interface WAN1 had a different subnet than the one I wrote down previously when I connected directly to my ISP modem with my PC. I decided to change the interface type to DHCP.

Configuring external interface for DHCP:

FG100A #  configs system interface –> To enter into Interface config mode

FG100A (interface) # edit wan1 –> Choose your external interface in our case it was wan1

FG100A (wan1) # unset ip –>  Removing current static IP entry

FG100A (wan1) # set mode dhcp –> To change mode to DHCP from static

FG100A (wan1) # show –> To confirm that the change was made

config system interface
edit “wan1″
set vdom “root”
set mode dhcp
set allowaccess https ssh fgfm
set type physical
next
end

 FG100A (wan1) # end

 I was now able to access the internet!!

Discovering what happened:

Wrap-up:

Given that the logs were lost due the fact the FortiGate was reset and the unit is storing it’s logs in RAM, I can’t diagnose the exact cause. But we did see in the Crashlog “diag debug crashlog read”, which is written to flash that the cmdbsvr was crashing. We have identified a issue with cmdbsvr on the version of fortios on your fortigate.

Bug #’s : 117281, 144277
Summary : cmdbsvr crash in conserve mode may cause configuration loss

I updated the device to MR3 patch 2, since this version addressed the issue.
Reference Documentation:

http://emea.fortinet.net/fortinet/bht/index.php

http://bit.ly/uRSdYJ

http://docs.fortinet.com/fscan/fortiscan_cli_40.pdf

Hello all, so once more I have another post that’s Exchange 2010 related; why you ask because with so much to learn about Exchange you can never stop talking about it. So the issue I was faced with a few weeks ago was trying to figure out how to stop the students at the Uni I worked for from created their personal  groups and publishing it to the GAL (Global Address List) for everyone to see.

Just picture the president of the college trying to search for a contact and seeing something like “HackerContacts” as an option, that might trigger a few calls to the IT department.

I release that by default Exchange 2010 “Default Role Assignment Policy” allow all users to login via Outlook Web App, go to options –> see all options, then click on the groups options and on the right under “Public Groups I Own” a user can create a new group which would be published in the GAL.

After doing some research I release to block this you need to edit the “Default Role Assignment Policy” and uncheck the options under “Distribution groups, and Distribution group membership”.

• On your exchange server go to the toolbox->Role Based Access Control, This will launch IE and attempt to open the permissions area. If this does not open/work double check the account your logged in has a mailbox on 2010 first or is in the Enterprise admin group.
• You should see 2 menu items, “Users & Groups” and “Reporting” , You want “Users & Groups” then switch to the “User Roles” tab. In there edit the “Default Role Assignment Policy” which will pop up in a new window. All you have to do is remove the checkboxes as required  and it will get rid of the option for you.

Hope you found this useful, leave a comment if you have a better way or doing this or if these steps did not solve the issue for you. Thanks for reading!

Resource:

http://help.outlook.com/en-gb/140/ee424427.aspx

http://www.edugeek.net/forums/windows/53916-outlook-web-app-exchange-2010-public-groups.html

Hello all, I know I have been a bit lazy on the posting of new content for a while, hopefully my busy schedule is now getting a little  more manageable and I can start back blogging. Apart from work being crazy recently I was involved with assisting my wife with her debut album that will be released by year end, check her out on www.facebookcom/yonetteodessa and become a fan .

Ok back to reason why you visited the blog, I recently got a new phone “Verizon Droid Bionic”,  this for me was a big change from my current Blackberry storm, so after playing around with the phone for about 2 weeks I started wondering what else can I do with this powerful little machine in my pocket.

I went ahead like any techno enthusiast powered up my Linux net-book and rooted my device using a guide found over at www.droidbionicroot.com , and I was up and running in a few mins.

Next I started to ask myself, ok I have rooted my Droid now what? While doing some searching online I came across a few things that you might want to do after rooting your device:

• Tweak your device for longer battery life –> courtesy of http://forums.androidcenteral.com
• Start learning about ROMs, how to backup/install
• Useful forums you should signup for:
• http://forum.cyanogenmod.com/
• http://rootzwiki.com/register.php
• http://forums.androidcentral.com/
• If  you want to start installing custom ROMs you need “ROM Manager” ->  http://www.clockworkmod.com/
• Other interesting apps I have installed so far:
• Droidsheep (Awesome Session Hijacking Android app) –Need root
• Titanium Backup ( Backup ALL apps,remove bloatware & MORE) –Need root
• Arpspoof (Broadcast spoofed ARP messages) –Need root
• AdFree ( removes most ads in the browser and other apps) –Need root
• DroidWall (Allows you to restrict which apps can access the network) –Need root
• Lookout Security & AV (Antivirus, Phone Locator, Data Backup) –Does not need root
• Wifi Analyzer (Turns your  phone into a Wi-Fi analyzer) –Does not need root 
• Prey (Track download your lost of stolen device) –Does not need root 
• Dropbox (cloud storage access) –Does not need root 
• KeePassDroid (Securely store your passwords) – Does not need root 
• Apps referred by friends  but I have not tested them as yet:
• AndGuard (Powerful Ad-Blocker and Internet Security App) –need root 
• Netmonitor (Monitor GSM/CDMA network) –Does not need root 

I would love to know what are others doing with there device, please leave a comment and share.

We have recently upgraded to Exchange 2010 from 2003 and with that update comes new ways of dealing with old recurring task, I will try to outline over the new few blog posting how to accomplish these task. If you are ask to remove or grant someone access to a user’s mailbox below is the recommended approach.

You can do this two ways first is via the Exchange management console (EMC) or via the PowerShell:

EMC approach:

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the “Permissions and delegation” entry in the Mailbox Permissions topic.

1. In the console tree, navigate to Recipient Configuration > Mailbox.
2. In the result pane, select the mailbox for which you want to grant Full Access permission.
3. In the action pane, under the mailbox name, click Manage Full Access Permission. The Manage Full Access Permission wizard opens.
4. On the Manage Full Access Permission page, click Add.
5. In Select User or Group, select the user to which you want to grant Full Access permission, and then click OK.
6. Click Manage.
7. On the Completion page, the Summary states whether Full Access permission was successfully granted. The summary also displays the Shell command used to grant Full Access permission.
8. Click Finish.

PowerShell approach:

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the “Permissions and delegation” entry in the Mailbox Permissions topic.
First verify who currently has access to the user’s mailbox with the Get-MailboxPremission cmdlet, you will notice several default system accords you are only concern with user accounts.

Get-GmailboxPermission “John Doe”

If you want to remove Jane Doe  from having full access to John’s  mailbox you can do the following:

Remove-MailboxPermission “John Doe” -AccessRights FullAccess -User “Jane Doe”

If  you are ask to  grant the user Marry Full Access permission to Frank’s mailbox do the following:

Add-MailboxPermission “Frank Loew” -User “Mary May” -AccessRights FullAccess

Once you are finish granting access just mount the mailbox via outlook and close and reopen outlook and it should be accessible.

Source:

http://technet.microsoft.com/en-us/library/aa996343.aspx

I needed a way to effectively troubleshoot a given traffic issue on our FortiGate 100A device and the out of the box configuration didn’t have this configured. This can be accomplish using the web GUI or via an SSH session, and since I already have SSH configure I went with this option for most of the configuration.

Step 1: Enable Logging

SSH to the device with your favorite client and issue the following commands:

FG100A # show firewall policy (this command will display the details for all policies)

edit 1
set srcintf “internal”
set dstintf “wan1″
set srcaddr “all”
set dstaddr “all”
set action accept
set schedule “always”
set service “ANY”
set logtraffic disable
set nat enable

next
end

Once you know which policy you would like to troubleshoot it’s now time to enable logging

FG100A # edit 1 (to edit policy id 1)

FG100A (1) # set logtraffic enable (to enable logging for this policy)

Once you are finish you can always review your changes on the GUI if you would to do so click on Firewall tab –> Policy –> select the policy in question and click edit on the top –> Then click the check box for “Log Violation Traffic”

Next, click on the “Log&Report” tab –>Log Setting –> and check off “Local Logging & Archiving”, “Memory” –> Minimum log level “Information” –> check off “Enable IPS Packet Archive”

Apply settings!

Step 2:  Diagnose Sniffer Packet

Launch another SSH session and issue the follow command just makes sure you put the filter expressions in quotes:

diag sniffer packet <interface> <’filter’> <verbose> <count>

Simple test do a continuous ping from your workstation to an IP on the internet and then issue the command below and keep the windows open:

diag sniff packet any ‘host <workstation ip> and icmp’ 4

Step 2:  Enabling debug mode

Lastly in a another SSH window enable debug mode, set the source IP address and watch as a series of useful information flows across the console to help you narrow down the problem at hand.

diag debug enable
diag debug flow show console enable
diag debug flow show function-name enable
diag debug flow filter proto 1 (protocol 1 is for icmp)
diag debug flow filter addr <workstation ip>
diag debug flow trace start 400 (400 is a random number it’ the number of traces)

To disable the debug when you are finish run the following command:
diag debug disable

References:

http://docs.fortinet.com/fgt/techdocs/fortigate-admin.pdf

http://docs.fortinet.com/fgt/techdocs/fortigate-cli.pdf

I recently learned about this tool via twitter and decided to give it a try. According to the authors website theHarvester is a tool for gathering e-mail accounts, user names and hostnames/subdomains from different public sources like search engines and PGP key servers.

This tools is intended to help Penetration testers in the early stages of the project It’s a really simple tool, but very effective.

The sources supported are:

• Google – emails,subdomains/hostnames
• Google profiles – Employee names
• Bing search – emails, subdomains/hostnames,virtual hosts
• Pgp servers – emails, subdomains/hostnames
• Linkedin – Employee names
• Exalead – emails,subdomain/hostnames

New features:

• Time delays between requests
• XML results export
• Search a domain in all sources
• Virtual host verifier

Now my philosophy is that you can never have enough of these tools, whether you are a penetration tester or just want to see what information is out there on your organization this tool will come in handy.

Help Menu:

Here is a few sample queries from the authors website:

Searching emails accounts for the domain microsoft.com, it will work with the first 500 google results:

./theharvester.py -d microsoft.com -l 500 -b google

Searching emails accounts for the domain microsoft.com in a PGP server, here it’s not necessary to specify the limit.

./theharvester.py -d microsoft.com -b pgp

Searching for user names that works in the company microsoft, we use google as search engine, so we need to specify the limit of results we want to use:

./theharvester.py -d microsoft.com -l 200 -b linkedin

Searching in all sources at the same time, with a limit of 200 results:

./theHarvester.py -d microsoft.com -l 200 -b all

I did some testing of my own and found this tool to be useful, the only thing I was not able to find was the email address on a given company and I tried a few different queries in my test. All in all go  grab your copy and start testing away.