I was recently working on a project that involved creating some Retention policies for our Exchange 2010 sp1 environment. The project got a bit scary in the testing phase when we realized that the Inbox deletion policies were also deleting emails in the user’s sub-folder.  The came as a surprise to us since we were able to use the same type of policy in Exchange 2003 prior to upgrading.

To solve this issue we had to create retention policies to manage our deleted items, sent items, and drafts but use message record management to handle our inbox. Since MRM was being phased out of 2010 this solution needed to be implemented via the Exchange management shell (Powershell).

Implementing MRM:

Messaging records management (MRM) is the records management technology in Microsoft Exchange Server 2010 that helps organizations reduce the legal risks associated with e-mail. MRM makes it easier to keep the messages needed to comply with company policy, government regulations, or legal needs, and to remove content that has no legal or business value.

Prior to implementing this its best to check to see if any additional policies were created and if you don’t play on using them going forward delete them. You can do so with the below commands:

Review commands:

ManagedFolderMailboxPolicy

 [PS] C:\Windows\system32>Get-ManagedFolderMailboxPolicy

Name                      ManagedFolderLinks

—-                              ——————

Test Policy1            {Inbox}

ManagedContentSettings

 [PS] C:\Windows\system32>Get-ManagedContentSettings

 Name                      MessageClass              ManagedFolderName

—-                            ————- ————              —————–

Inbox Content               *                                           Inbox1

ManagedFolder

 [PS] C:\Windows\system32>Get-ManagedFolder

 Name                      FolderName                Description

—-                              ———-                ———–

Inbox1                    Inbox                     ManagedDefaultFolder

After retrieving this information you can now issue the following commands to remove any old or test policy:

Remove Policy from users

Set-Mailbox username -ManagedFolderMailboxPolicy $null

Removed ManagedFolder Mailbox Policy

[PS] C:\Windows\system32>Remove-ManagedFolderMailboxPolicy “Test Inbox Policy”

Remove Manage Content Setting

 [PS] C:\Windows\system32>Remove-ManagedContentSettings “Inbox Content”
Creating and Implementing MRM:

1. Create your managed folder
2. Create your managed folder content setting
3. Create your manage mailbox folder policy
4. Apply your policy to a user or to an exchange data store.
5. Start the managed folder assistant service or wait for it process on schedule

The below policy will delete all emails from the user mailbox that are 60 days old without touching any sub folders in the user’s Inbox.

Managed Folder Creation

 New-ManagedFolder -Name “Test Inbox” -DefaultFolderType Inbox -BaseFolderOnly $true -Comment “Items would be moved to deleted items for 60 days” -MustDisplayCommentEnabled  $true

Managed Folder Content Settings

New-ManagedContentSettings -Name “Test Content” -FolderName “Test Inbox” -MessageClass * -AgeLimitForRetention 60 -RetentionAction MoveToDeletedItems -RetentionEnabled $true -TriggerForRetention WhenDelivered

 Managed Mailbox Folder Policy

New-ManagedFolderMailboxPolicy -Name “TestPolicy” -ManagedFolderLinks “Test Inbox”

Verify settings

[PS] C:\Windows\system32>Get-ManagedFolderMailboxPolicy “TestPolicy” |fl

[PS] C:\Windows\system32>Get-ManagedContentSettings “Test Content”|fl

[PS] C:\Windows\system32>Get-ManagedFolder “Test Inbox” |fl

Start the Managed Folder Assistant to process the mailbox.

Apply to single user:

 Set-Mailbox -Identity testuser -ManagedFolderMailboxPolicy “TestPolicy”

Start-ManagedFolderAssistant -ID  testuser

Apply to a database level:

Get-Mailbox –database “Database Name” | Set-Mailbox –ManagedFolderMailboxPolicy “Name of the Policy”

Tip:

If you run into issues wait about 30 mins for the folders to replicate after created them. You can also stop and restart the “Managed Folder Assistant” service.

Would love to know how others handled this issue.

References:

http://technet.microsoft.com/en-us/library/bb508901%28EXCHG.80%29.aspx
http://technet.microsoft.com/en-us/library/dd335093.aspx

Hello all, I hope your year is going well so far; I just wanted to drop a line and mention that a few weeks ago I appeared on “Attack of the Androids” podcast esp 16. A little background about the podcast, the are a weekly audio podcast focused on the Google Android operating system and community.

You can find them on Google + or follow them on twitter @aotaradio    kool cast check them out!

I first posted about this issue back in Dec 18th of 2011, Handcent SMS one of the most popular SMS applications on the android market with over 10,000,000 downloads was doing some things that raised a few privacy questions.  As stated in my last post Handcent was  logging all your sent messages even after you deleted them from within the application.

I tried contacting them via email and twitter but the refused to comment on my findings. However 5 days later to my amazement I noticed the released a new version “3.9.9.9″. Take a look at the change log:

• #3.9.9.9

• Improve Galaxy Nexus (Android 4.0) support

• New Skin for XMas 2012,Cool.

• Add auto delete old message option

• Add Mms signature option

• Merry XMas to all users

Now after installing the new version I noticed I was still able to see my sent messages after I deleted them so I am not so certain the issue was addressed. I would however like to know if “Add auto delete old message option

“ means the will purge the messages from the database on a random schedule at some point. Again since Handcent refuse to comment on this issue we can only assume for now.

Don’t think that all hope is lost or that you are stuck with the stock messaging application, thanks to brilliant mind of Moxie Marlinspike and others over at Whisper System, “TextSecure Beta” was birthed on Dec 21, 2011.

TextSecure is a security enhanced text messaging application that serves as a full replacement for the default text messaging application. Messages to other TextSecure users are encrypted over the air, and all text messages are stored in an encrypted database on the device. If your phone is lost or stolen, your messages will be safe, and communication with other TextSecure users can’t be monitored over the air.

In short if you are ready to give up on Handcent this might be a good alternative, I know so far I feel much more secure using this application. I even tried browsing the db and I can confirm that the messages are indeed encrypted.

In light of all the CarrierIQ press I started wondering what others applications on my phone might be doing things that I am not aware of. So I installed SQLite Editor and started poking around my phone, that’s when I decided to see what my sms client “Handcent” was up too. Since I wanted to view my out on a bigger monitor I fired up a adb shell and used SQLite see what Handcent sms was hiding under the hood.

I used the following command to search my /data/data folder on my device to look for any files with a .db extension since that indicated it was a database file.

adb shell find /data -name *.db

As you can see I found several databases on my phone but today
we will be looking at one in particular. Handcent's "hc_sms.db".

For this part we will use sqlite to view the database layout (schema)
and its contents:

sqlite> .schema
CREATE TABLE DELIVERY_REPORT (MESSAGE_ID INTEGER Primary KEY,TIMESTAMP text,UPDATE_TIMESTAMP text);

CREATE TABLE SEND_LOG (ID Integer Primary KEY,SID INTEGER ,SEND_TYPE INTEGER,BEGIN_SEND_TIME text,END_SEND_TIME text,SEND_CONTENT TEXT,
SENDING_PERSON_NUBER INTEGER,SUCCESS_NUMBER INTEGER,FAIL_NUMBER INTEGER);

CREATE TABLE SEND_LOG_DETAIL (SID INTEGER,PID INTEGER,BEGIN_SEND_TIME TEXT,END_SEND_TIME TEXT,PERSON_NAME TEXT,PERSON_NUMBER TEXT,SENDI
NG_MESSAGE_NUMBER INTEGER,SENT_SUCCESS_NUMBER INTEGER,SENT_FAIL_NUMBER INTEGER);
CREATE TABLE android_metadata (locale TEXT);

sqlite> .tables
DELIVERY_REPORT   SEND_LOG          SEND_LOG_DETAIL   android_metadata
sqlite>

And now after doing a select * from SEND_LOG; to my amazement
I saw all my text messages that were sent since I installed
the handcent application both DELETED and undeleted.


Also looking at select * from SEND_LOG_DETAIL I saw the same
information but this log also held the receiver of the sms name
and phone number.

Now my question is, if I am deleting a message and thinking
its being deleted why would handcent chose to keep a copy of
this message in an unencrypted database where anyone can access
it? I would love to hear from them and try to understand why
this is being done.


  So after having my Droid Bionic for a few months now I have decided to take the leap from rooting to roming. A quick definition on Rooting and Roming from the nice people over at droidlessons.com:

What is Rooting?

“Rooting” your device means obtaining “superuser” rights and permissions to your Android’s software. With these elevated user privileges, you gain the ability to load custom software (ROM’s), install custom themes, increase performance, increase battery life, and the ability to install software that would otherwise cost extra money (ex: WiFi tethering). Rooting is essentially “hacking” your Android device. In the iPhone world, this would be the equivalent to “Jailbreaking” your phone.

Custom Software (ROM’s)

You may have heard of people loading custom “ROM’s” on their devices. A “ROM” is the software that runs your device. It is stored in the “Read Only Memory” of your device. There are many great custom ROM’s available that can make your Android device look and perform drastically different.

After hanging around rootzwiki forum, listening to Droid Nation and Android App Addictspodcast I felt like I was ready to install my first custom  rom. My rom of choice was [K]IN3TX v1.0 some features about this rom:

• Latest BusyBox
• Superuser (Updated Binary)
  
• Battery Optimization
• Fully ROOTED
• SD Card Read tweaks
• Built Off of 5.8.894 OTA
  
• Advance Power Menu
• Scrollable Power Toggles in Pull Down
• FULL Custom UI
• PNG Optimization
• init.d Run Support

Just to name a few..

You can read the full posting about this rom over at the rootzwiki forum their you will also find the various downloads that you would need. However I will highlight a few steps I took:

• Root your device
• Install clockworkmod recovery 
• Install Titanium backup pro or MyBackup root (backup your apps and data)
• ***COPY THE ROM TO YOUR SD CARD***
• Boot into recovery mode with CWM while there do the following
• WIPE DATA/FACTORY RESET
• WIPE CACHE
• UNDER MOUNTS AND STORAGE, FORMAT SYSTEM
• UNDER ADVANCED, WIPE DALVIK
• INSTALL AND HAVE FUN!

After you are finish installing log-in setup your device, then you can boot back into CWM wipe your cache, and dalvik then install add-on or tpak of your choice, I installed the ICS tpak.

Now as anyone might expect the first time you are doing something like this you have to realize that you might make a mistake, but you can only hope it doesn’t hurt you too much. The mistake I made was that I copied the wrong add-on pack to my sdcard but not the base rom, and since I already wiped my system partition I was unable to reboot my phone into recovery mode after I copied the correct file via another device.

How I corrected this issue you might ask yourself, I had some help from my buddy Highlander-:  over at the Podnutz IRC chat room. He pointed me to a tool call RSDlite, which allowed me to flash my phone back to the stock rom and from there I followed the steps outlined above and all was well the second time around . You have got to love the power of the Internet and great communities.

Have fun roming and you can comment back and let me know which rom is your favorite. I have only tried one and I must say I absolutely love it!

Reference Links:

http://droidlessons.com/what-is-rooting-on-android-the-advantages-and-disadvantages/
http://forum.xda-developers.com/showthread.php?t=1348587

Objective:  I goal of this document is meant to outline a few steps that will allow you to troubleshoot the cause behind why users were unable to access the internet while behind a Fortigate 100A device.

Problem: I received a ticket today stating that users in one our computer labs were unable to access the internet.

After arriving onsite I discounted the device and plugged directly into the ISP link and confirmed that they were no issues with the ISP connection. Now is time to open a ticket with support and start the series of troubleshooting to figure out the root cause of the issue.

Step one: Information gathering

After opening the ticket I was told that the issue could have possibly been caused by a bad firmware image, or a corrupted configuration. I needed to log into the device to find out more information and the only way to do so was via the console port.

Connecting to the Fortigate 100A console port:

• Start your favorite terminal emulator program use the following settings:
• Baud rate: 9600
• Data bits: 8
• Parity: None
• Stop bit: 1
• Flow control: None
• Next, reboot the device and watch the screen for any error message.

After rebooting the first time I got the following message, “You must format the boot device”,  I then rebooted a second time and got the following message “The config file may contain errors, Please see details by the command ‘diagnose debug config-error-log read”.  This was somewhat good news because I would have had to RMA the device if the system RAM was corrupted.

At this point I know I had the following options:

• Backup the current configs
• Reset the device to it’s default state
• Reload a new configs

Backing up the device to USB via the console port:

• Plug a usb device into one of the ports on the back of the device
• Login to the device, if you are unable to use your admin login you can login with the maintainer account, this account is only valid for 30 sec after the device has been rebooted; so copy the username and password to a text file then cut/paste to the console. Username: maintainer Password: bcpb<input device serial number using uppercase letters>

• Issue the following command: execute backup configs usb filename<use any name here>
  FG100 # execute backup full-config usb fg100a-10-15-11
  Please wait…
  Copy onfigs fg100a-10-15-11 to USB disk …
  Copy onfigs file to USB disk OK.
  Setting timestamp

Before reloading a new configs its best to run a few diagnostic commands to try and understand what happened:

FG100 #  diag sys top –> Look at CPU load and any processor that running hot

FG100 # diag debug crashlog –> Look for clues as to what service crashed

          Ex Output:

89: 2011-11-14 16:06:42 <04434> application cmdbsvr

 290: 2011-11-14 16:06:42 <04434> *** signal 7 (Bus error) received ***

 291: 2011-11-14 16:06:42 <04434> Register dump:

298: 2011-11-14 16:06:42 <04434> Backtrace:

 299: 2011-11-14 16:06:42 <04434> [0x0893277b] => /bin/cmdbsvr 

 300: 2011-11-14 16:06:42 <04434> [0x08932a96] => /bin/cmdbsvr 

 301: 2011-11-14 16:06:42 <04434> [0x08910473] => /bin/cmdbsvr 

Reload new configs via console port:

• Rename your most recent backup configs file to fgt_system.conf, then place file on the root of your USB drive.
• Plug the USB into one of USB ports on the back of the unit and reboot the unit and you should see a similar output:

Reading boot image 1370111 bytes.
Initializing firewall…
System is started.
Get image from USB disk …Can not get image from USB disk.
Get config file from USB disk OK.
File check OK.

The system is going down NOW !!

 If you are not certain and you leave the drive in after the system reboots you will see the following message indication that the configs file on the disk is the same as the file on the system.

 Get config file from USB disk OK.
Checksum check synced! Don’t need restore config.

 Additional Troubleshooting:

After I restored the config file I was still unable to connect out to the internet, so I issued the following command to verify my IP address setting:

FG100A # get system interface  

After discovering that the IP address for my external interface WAN1 had a different subnet than the one I wrote down previously when I connected directly to my ISP modem with my PC. I decided to change the interface type to DHCP.

Configuring external interface for DHCP:

FG100A #  configs system interface –> To enter into Interface config mode

FG100A (interface) # edit wan1 –> Choose your external interface in our case it was wan1

FG100A (wan1) # unset ip –>  Removing current static IP entry

FG100A (wan1) # set mode dhcp –> To change mode to DHCP from static

FG100A (wan1) # show –> To confirm that the change was made

config system interface
edit “wan1″
set vdom “root”
set mode dhcp
set allowaccess https ssh fgfm
set type physical
next
end

 FG100A (wan1) # end

 I was now able to access the internet!!

Discovering what happened:

Wrap-up:

Given that the logs were lost due the fact the FortiGate was reset and the unit is storing it’s logs in RAM, I can’t diagnose the exact cause. But we did see in the Crashlog “diag debug crashlog read”, which is written to flash that the cmdbsvr was crashing. We have identified a issue with cmdbsvr on the version of fortios on your fortigate.

Bug #’s : 117281, 144277
Summary : cmdbsvr crash in conserve mode may cause configuration loss

I updated the device to MR3 patch 2, since this version addressed the issue.
Reference Documentation:

http://emea.fortinet.net/fortinet/bht/index.php

http://bit.ly/uRSdYJ

http://docs.fortinet.com/fscan/fortiscan_cli_40.pdf

Hello all, so once more I have another post that’s Exchange 2010 related; why you ask because with so much to learn about Exchange you can never stop talking about it. So the issue I was faced with a few weeks ago was trying to figure out how to stop the students at the Uni I worked for from created their personal  groups and publishing it to the GAL (Global Address List) for everyone to see.

Just picture the president of the college trying to search for a contact and seeing something like “HackerContacts” as an option, that might trigger a few calls to the IT department.

I release that by default Exchange 2010 “Default Role Assignment Policy” allow all users to login via Outlook Web App, go to options –> see all options, then click on the groups options and on the right under “Public Groups I Own” a user can create a new group which would be published in the GAL.

After doing some research I release to block this you need to edit the “Default Role Assignment Policy” and uncheck the options under “Distribution groups, and Distribution group membership”.

• On your exchange server go to the toolbox->Role Based Access Control, This will launch IE and attempt to open the permissions area. If this does not open/work double check the account your logged in has a mailbox on 2010 first or is in the Enterprise admin group.
• You should see 2 menu items, “Users & Groups” and “Reporting” , You want “Users & Groups” then switch to the “User Roles” tab. In there edit the “Default Role Assignment Policy” which will pop up in a new window. All you have to do is remove the checkboxes as required  and it will get rid of the option for you.

Hope you found this useful, leave a comment if you have a better way or doing this or if these steps did not solve the issue for you. Thanks for reading!

Resource:

http://help.outlook.com/en-gb/140/ee424427.aspx

http://www.edugeek.net/forums/windows/53916-outlook-web-app-exchange-2010-public-groups.html

Hello all, I know I have been a bit lazy on the posting of new content for a while, hopefully my busy schedule is now getting a little  more manageable and I can start back blogging. Apart from work being crazy recently I was involved with assisting my wife with her debut album that will be released by year end, check her out on www.facebookcom/yonetteodessa and become a fan .

Ok back to reason why you visited the blog, I recently got a new phone “Verizon Droid Bionic”,  this for me was a big change from my current Blackberry storm, so after playing around with the phone for about 2 weeks I started wondering what else can I do with this powerful little machine in my pocket.

I went ahead like any techno enthusiast powered up my Linux net-book and rooted my device using a guide found over at www.droidbionicroot.com , and I was up and running in a few mins.

Next I started to ask myself, ok I have rooted my Droid now what? While doing some searching online I came across a few things that you might want to do after rooting your device:

• Tweak your device for longer battery life –> courtesy of http://forums.androidcenteral.com
• Start learning about ROMs, how to backup/install
• Useful forums you should signup for:
• http://forum.cyanogenmod.com/
• http://rootzwiki.com/register.php
• http://forums.androidcentral.com/
• If  you want to start installing custom ROMs you need “ROM Manager” ->  http://www.clockworkmod.com/
• Other interesting apps I have installed so far:
• Droidsheep (Awesome Session Hijacking Android app) –Need root
• Titanium Backup ( Backup ALL apps,remove bloatware & MORE) –Need root
• Arpspoof (Broadcast spoofed ARP messages) –Need root
• AdFree ( removes most ads in the browser and other apps) –Need root
• DroidWall (Allows you to restrict which apps can access the network) –Need root
• Lookout Security & AV (Antivirus, Phone Locator, Data Backup) –Does not need root
• Wifi Analyzer (Turns your  phone into a Wi-Fi analyzer) –Does not need root 
• Prey (Track download your lost of stolen device) –Does not need root 
• Dropbox (cloud storage access) –Does not need root 
• KeePassDroid (Securely store your passwords) – Does not need root 
• Apps referred by friends  but I have not tested them as yet:
• AndGuard (Powerful Ad-Blocker and Internet Security App) –need root 
• Netmonitor (Monitor GSM/CDMA network) –Does not need root 

I would love to know what are others doing with there device, please leave a comment and share.

Hello all, so  I know its been a while since my last post and I have not really posted anything Infosec related recently but to be honest I have been so busy at work I have not had any time for anything else.

Today I wanted to share with you a script that I originally got from  http://www.myexchangeworld.com , I have been working on tweaking this script as part of our migration to 2010. We normally get a list csv file with (Firstname, Lastname, StudentID) from our registra department and we have to create AD, and Exchange user account for these users.

The script would have worked as it is but instead of adding the following fields in the csv file I wanted to have the script input these vaules on the fly:

•  User principal name
• Alias
• Database
• OU
• Display Name
• Retention policy

We have recently upgraded to Exchange 2010 from 2003 and with that update comes new ways of dealing with old recurring task, I will try to outline over the new few blog posting how to accomplish these task. If you are ask to remove or grant someone access to a user’s mailbox below is the recommended approach.

You can do this two ways first is via the Exchange management console (EMC) or via the PowerShell:

EMC approach:

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the “Permissions and delegation” entry in the Mailbox Permissions topic.

1. In the console tree, navigate to Recipient Configuration > Mailbox.
2. In the result pane, select the mailbox for which you want to grant Full Access permission.
3. In the action pane, under the mailbox name, click Manage Full Access Permission. The Manage Full Access Permission wizard opens.
4. On the Manage Full Access Permission page, click Add.
5. In Select User or Group, select the user to which you want to grant Full Access permission, and then click OK.
6. Click Manage.
7. On the Completion page, the Summary states whether Full Access permission was successfully granted. The summary also displays the Shell command used to grant Full Access permission.
8. Click Finish.

PowerShell approach:

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the “Permissions and delegation” entry in the Mailbox Permissions topic.
First verify who currently has access to the user’s mailbox with the Get-MailboxPremission cmdlet, you will notice several default system accords you are only concern with user accounts.

Get-GmailboxPermission “John Doe”

If you want to remove Jane Doe  from having full access to John’s  mailbox you can do the following:

Remove-MailboxPermission “John Doe” -AccessRights FullAccess -User “Jane Doe”

If  you are ask to  grant the user Marry Full Access permission to Frank’s mailbox do the following:

Add-MailboxPermission “Frank Loew” -User “Mary May” -AccessRights FullAccess

Once you are finish granting access just mount the mailbox via outlook and close and reopen outlook and it should be accessible.

Source:

http://technet.microsoft.com/en-us/library/aa996343.aspx