Pages

Tuesday, July 26, 2016

Auditing administrators granting “Full Access” permissions to mailboxes in Exchange 2016

One of the most common questions I’ve been asked by clients is whether there is a way to audit administrators granting Full Access permissions to mailboxes in Exchange and the answer to that is yes because every action made within the Exchange Admin Center or Exchange Management Console can be logged by a feature named Administrator Audit Logging which basically logs every mirror Exchange cmdlet executed that isn’t a Get-.

Enable Administrator Audit Logging

The first step in the process of providing auditing logs is to execute the following cmdlet to ensure that logging is turned on:

Get-AdminAuditLogConfig | FL

image

Notice that the AdminAuditLogEnabled is set to True while the LogLevel is set to Verbose.  If the configuration is set to any other setting, execute the following to change it:

Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
Set-AdminAuditLogConfig -LogLevel Verbose

More information about the Set-AdminAuditLogConfig can found at the following TechNet article: https://technet.microsoft.com/en-us/library/dd298169(v=exchg.160).aspx

Audit Option #1 - Review Admin Audit Log Report

Once administrator audit logging is enabled, we can review the Compliance Management > auditing > Admin Audit Log Report from within the Exchange Admin Center:

image

… configure a Start date and End date to narrow the return results:

image

Then sort the CMDLET column by alphabetical order and look for the cmdlet:

Add-MailboxPermission

or

Remove-MailboxPermission

… to review when and which administrator made the changes:

image

Audit Option #2 – Using PowerShell to search admin audit log

Another method for reviewing the admin audit log is to use PowerShell to search it and the cmdlet that allows us to accomplish this is Search-AdminAuditLog (TechNet: https://technet.microsoft.com/en-us/library/ff459250(v=exchg.160).aspx). The following cmdlets searches for either Add or Remove of mailbox permissions:

Search-AdminAuditLog -cmdlets Add-MailboxPermission

Search-AdminAuditLog -cmdlets Remove-MailboxPermission

image

Note that executing Search-AdminAuditLog without any parameters will only parse through 1,000 entries which may not cover a wide range of days so to ensure that specific dates are covered, include the StartDate and EndDate switches as such:

Search-AdminAuditLog -cmdlets Add-MailboxPermission -StartDate 01/24/2016 –EndDate 07/26/2016

image

Audit Option #3 - Review Admin Audit Log Report

The last option available is to review the event logs Applications and Services Logs > MSExchange Management logs in the Event Viewer:

image

Simply right click on MSExchange Management select Find…:

image

Then search for Add-MailboxPermission:

image

image

---------------------------------------------------------------------------------------------------------------------------------------------------------------

Hope this helps anyone out there looking for a way to audit actions performed within Exchange.

Friday, July 8, 2016

Attempting to connect to a wireless network requiring machine certificate authentication fails with: “Can’t connect to this network”

Problem

You’ve configured a new Network Policies policy on your Microsoft NPS server:

image

… with the following settings that will authenticate devices with machine certificates:

imageimage

imageimage

image

You configure the SSID on the wireless client with the certificate with the following settings:

imageimage

… but notice that you receive the following error when attempting to connect:

image

Reviewing the INXXXX.log file in the directory C:\Windows\System32\LogFiles on the NPS server show that the wireless client authentication makes the connection attempt and the policy is matched:

"DC03","IAS",07/07/2016,20:32:46,3,,"contoso.internal/contoso/Computers/Desktops/Victoria_Place/IT/WKS-MXL2451S3K",,,,,,,,9,"10.80.9.249","contosobm-wlc2500-1",,,,,,,5,"Secure Wireless Connections Machine Authentication",262,"311 1 10.70.1.3 07/07/2016 23:09:55 79",,,,"Microsoft: Smart Card or other certificate",,,,,"577ee697/60:57:18:a7:ea:18/70380",,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,

image

Reviewing the Security event logs on the NPS server show the following event ID 6273 Audit Failure event from the Microsoft Windows security auditing source:

image

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:            contoso\WKS-MXL2451S3K$
    Account Name:            host/WKS-MXL2451S3K.contoso.internal
    Account Domain:            contoso
    Fully Qualified Account Name:    contoso.internal/contoso/Computers/Desktops/Victoria_Place/IT/WKS-MXL2451S3K

Client Machine:
    Security ID:            NULL SID
    Account Name:            -
    Fully Qualified Account Name:    -
    OS-Version:            -
    Called Station Identifier:        d8-b1-90-d0-6c-b0:corp-data
    Calling Station Identifier:        60-57-18-a7-ea-18

NAS:
    NAS IPv4 Address:        10.80.9.249
    NAS IPv6 Address:        -
    NAS Identifier:            contosobm-wlc2500-1
    NAS Port-Type:            Wireless - IEEE 802.11
    NAS Port:            13

RADIUS Client:
    Client Friendly Name:        contosobm-wlc2500-1
    Client IP Address:            10.80.9.249

Authentication Details:
    Connection Request Policy Name:    Use Windows authentication for all users
    Network Policy Name:        Secure Wireless Connections Machine Authentication
    Authentication Provider:        Windows
    Authentication Server:        SVRARDC03.contoso.internal
    Authentication Type:        EAP
    EAP Type:            Microsoft: Smart Card or other certificate
    Account Session Identifier:        35373765653762652F36303A35373A31383A61373A65613A31382F3730333831
    Logging Results:            Accounting information was written to the local log file.
    Reason Code:            262
    Reason:                The supplied message is incomplete.  The signature was not verified.

image

Solution

The key indicator of what would be causing this issue is the following line in the security event entry:

Reason:                The supplied message is incomplete.  The signature was not verified.

This usually indicates that the certificate presented by the NPS (RADIUS) server is not trusted by the wireless client.  The wireless client in this situation was not joined to the domain and since the certificate used by the server to verify its identity:

imageimage

… is signed by an internal Microsoft CA, the wireless client did not trust it.  To correct the issue, simply export the Root and any intermediate CA certificates and import it onto the wireless client’s local computer store.

Attempting to configure email server settings in Citrix Command Center throws the error: “Connection to mail server failed, provide accurate mail settings”

Problem

You’re attempting to configure the email server settings in Citrix Command Center but notice that you receive the following error when you save the configuration:

Error

Connection to mail server failed, provide accurate mail settings

image

Solution

While there could be several reasons why this error is thrown, one of the more common causes I’ve seen at clients is that they’ve configured their anonymous receive connector correct to receive mail but had forgotten to uncheck the Require that all senders are authenticated option:

imageimage

… for the Microsoft Exchange distribution group they’ve specified in the To Address:

image

If Require that all senders are authenticated option for the distribution group is required to be enabled then a receive connector that requires authentication should be created and user credentials should be filled in for the Configure Email Server Settings.

Wednesday, July 6, 2016

Using Group Policy to configure UAC (User Account Control) on a Windows 7 desktop

One of the more common questions I get asked by clients and colleagues is how to use group policy to configure UAC settings for Windows clients that mirror the 4 level presets that is available from within a Windows 7 desktop.  While I don’t have the configuration for levels 1 and 2, I do have the settings for 3 and 4 so I thought I’d write this quick blog post for others and my self to reference.

Level 3 UAC

To configure a Windows 7 desktop with level 3 UAC settings as shown in the following screenshot:

clip_image002

Configure the following settings in the Computer Configuration > Policies > Windows Settings > Security Settings > Local Polices > Security Options:

Policy Setting
User Account Control: Admin Approval Mode for the built-in Administrator account Disabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop Disabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode Prompt for consent for non-Windows Binaries
User Account Control: Behavior of the elevation prompt for standard users Prompt for credentials
User Account Control: Detect application installations and prompt for elevation Enabled
User Account Control: Only elevate executables that are signed and validated Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations Enabled
User Account Control: Run all administrators in Admin Approval Mode Enabled
User Account Control: Switch to the secure desktop when prompting for elevation Disabled
User Account Control: Virtualize file and registry write failures to per-user locations Enabled

image

Level 4 UAC

To configure a Windows 7 desktop with level 4 UAC settings as shown in the following screenshot:

clip_image002[6]

Configure the following settings in the Computer Configuration > Policies > Windows Settings > Security Settings > Local Polices > Security Options:

Policy Setting
User Account Control: Admin Approval Mode for the built-in Administrator account Disabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop Disabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode Prompt for consent for non-Windows Binaries
User Account Control: Behavior of the elevation prompt for standard users Prompt for credentials
User Account Control: Detect application installations and prompt for elevation Enabled
User Account Control: Only elevate executables that are signed and validated Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations Enabled
User Account Control: Run all administrators in Admin Approval Mode Enabled
User Account Control: Switch to the secure desktop when prompting for elevation Enabled
User Account Control: Virtualize file and registry write failures to per-user locations Enabled

image

Hope this helps anyone who may be looking for this information.

Saturday, July 2, 2016

Attempting to use Windows Azure Active Directory Module for Windows PowerShell "Connect-MsolService" to connect to Azure throws the error: "Connect-MsolService : Method not found: 'Void"

Problem

You attempt to use the cmdlet Connect-MsolService in Windows Azure Active Directory Module for Windows PowerShell to connect to Azure but receive the following error:

PS C:\> Connect-MsolService
Connect-MsolService : Method not found: 'Void
System.Runtime.InteropServices.Marshal.PtrToStructure(IntPtr, !!0)'.
At line:1 char:1
+ Connect-MsolService
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Connect-MsolService], Mis
   singMethodException
    + FullyQualifiedErrorId : System.MissingMethodException,Microsoft.Online.A
   dministration.Automation.ConnectMsolService

PS C:\>

image

Solution

One of the reasons why this error would be thrown is if you have an outdated Microsoft .NET Framework 4.5 on the operating system you are trying to connect from. If you are using Microsoft .NET Framework 4.5 as shown in the screenshot below then proceed by downloading Microsoft .NET Framework 4.5.2 and install it to correct the problem:

image

image