April 2015 SysAdmin Magazine

Contents

Keeping Your Exchange Secure (p. 3) by Orin Thomas
Exchange Server Security: Three Simple Ways (p. 5) by Russell Smith
Ten Simple Ways to Prevent Security Breaches in Exchange (p. 7) by Krishna Kumar
5 Security and Compliance Improvements with Exchange 2013 SP1 (p. 10) by Brian Keith Winstead
How to Detect Full Access Permission Changes to Exchange Mailbox (p. 12)
Understanding the Mailbox Move Request in Exchange 2010 (p. 13) by Krishna Kumar
Exchange Server Down: You Only Have Minutes (p. 16) by Nick Cavalancia
4 Ways to Avoid Malware Like Lenovo Superfish (p. 19) by Russell Smith
Another Vector for Malware Spread (p. 22) by Richard Muniz
Quick Reference Guide: Exchange Server Auditing (p. 24)

Keeping Your Exchange Server Secure

by Orin Thomas, 20+ years in IT: a speaker, trainer and contributor on topics of Windows security.

If communication is the lifeblood of an organization, it is fair to assume that Exchange functions as its heart. An Exchange server, especially one that hosts the mailbox server role, stores messages, both external and internal. An attacker who gains administrative access to an Exchange deployment can also gain access to all stored communication and to every user's mailbox. With access to the email messages stored on an Exchange mailbox server, the attacker would be able to learn almost everything about the organization, from its most important secrets through to mundane trivia.

Messages stored in individual mailboxes often include attachments; many organizations use Exchange public folders to store important documents. When considering Exchange security, remember that attacks won't just come from people outside the organization: internal threats, even from Exchange administrators, are to be kept in mind. Securing Exchange involves more than hardening it against an outside attack. It means making sure that the number of trusted insiders is limited so they only have access to the information and components required to perform their jobs, and tracked so that each of their actions can be reconstructed, should an investigation be necessary.

There are several steps an organization can take to make Exchange more secure. These three seem to be a must.

1. Limit the number of people who have access to accounts with administrative privileges, and ensure that those accounts are protected with strong authentication technologies, such as smart cards or two-factor authentication.

2. Configure the built-in Role Based Access Control (RBAC) functionality. RBAC allows organizations to limit the actions an administrator can perform and the scope across which those actions can be performed. For example, rather than giving the permission to perform a mailbox search to all Exchange administrators, it is possible to grant this permission only to some trusted members of the organization's HR department: they are the people who would ultimately be required to check the contents of mailboxes when performing investigations into an employee's actions. RBAC allows any ability to be limited to a specific scope. This means that when granting someone from HR the ability to scan mailboxes, this ability will be limited to a specific set of mailboxes, rather than all mailboxes in the organization.

3. The third step is to configure extensive auditing. Having a record of each action taken by an Exchange administrator allows an organization to reconstruct what has happened when a breach occurs or something goes wrong. Additionally, when privileged users know that their actions are being saved to a tamper-proof log, they are less likely to perform actions that they might later have to explain to a superior.

Exchange Server Security: Three Simple Ways

by Russell Smith. Specializing in the management and security of Microsoft-based IT systems, Russell is the author of a book on Windows security and a contributing author and blogger.

Microsoft killed off most of its Forefront Protection range of security products in 2012, leaving customers deploying on-premises Exchange servers without a clear choice for their security needs. It goes without saying that you should keep your server software up to date and not disable built-in security features, such as , but in this article I'll outline some of the alternative solutions to Microsoft's retired Threat Management Gateway (TMG) product, which was often the go-to solution for securing Exchange, and other best practices you should consider when securing Exchange Server.

1. Email Hygiene

Whether you decide to use a cloud service, such as Microsoft's Exchange Online Protection, or an on-premises solution, removing spam and malware-infected content before it even reaches your Exchange Server helps to improve security and performance. The Edge Transport server role in Exchange Server 2013 Service Pack 1 provides spam filtering, but only limited antivirus scanning is carried out by the Mailbox server role in the latest version of Exchange. Additionally, Exchange 2013 Edge Transport servers can block SMTP senders and domains, synchronization with allows email not destined for valid SMTP addresses to be rejected at the perimeter, and can be blocked to designated internal distribution lists or addresses that should only receive mail from inside the organization.

2. Publish OWA, MAPI/HTTP, ActiveSync and Outlook Anywhere using a Reverse Proxy

With Microsoft's Forefront Threat Management Gateway (TMG) now discontinued, you need to consider a different reverse proxy solution for publishing Exchange resources on the Internet. The Web Application Proxy (WAP) feature included free in Windows Server 2012 R2 is designed for publishing HTML-based applications, and is recommended for publishing Outlook Web Access. One advantage of WAP is that it provides pre-authentication by utilizing Active Directory Federation Services (ADFS). Another option is Internet Information Services (IIS) Application Request Routing (ARR), which provides reverse proxy functionality so that a server not joined to a domain can receive SSL requests bound for your Exchange servers, but it doesn't provide pre-authentication. While WAP doesn't offer pre-authentication for Outlook Anywhere or ActiveSync either, the Exchange team at Microsoft thinks that pre-authentication offers little extra value. This is partly because anonymous users don't have the same level of access to the system in modern versions of Windows Server that was once the case, the core software is much less vulnerable than in the past, and authenticated users are able to do bad things too, with malicious activity often going unnoticed anyway.

3. Use the Best Practices Analyzer

The Best Practices Analyzer for Exchange Server 2013 (ExBPA) is built in to the Exchange Admin Center post Service Pack 1, and no longer requires Office 365 tenant credentials, although the tool can still be used to check Office 365 environments as well. Not only can ExBPA identify performance, configuration and architectural issues with your Exchange deployment, but also potential security problems.

Ten Simple Ways to Prevent Security Breaches in Microsoft Exchange

by Krishna Kumar, 10+ years in the IT industry specializing in design, implementation and administration

Exchange data is the heart of any enterprise and is considered to be a critical business application, because it is used for record keeping and as a low-cost communication solution. Today, emails are not just accessible from workstations within the corporate network; they can also be accessed from remote computers or mobile devices. This makes them a very common target for an attack: about 95% of vulnerabilities spread via email attachments.

Email attacks can be categorized into three types: spamming, spoofing and phishing.

- Spamming: most of the emails sent via the Internet are spam. Spammers get email addresses from various sources like newsgroups or service providers and use them to bombard mailboxes, which can cause denial of service.
- Spoofing means sending emails as an unidentified person or as a banker asking for account credentials or personal information.
- Phishing is the process of extracting sensitive information like credit card details or personal information from an email.

Needless to say, it is crucial to maintain Exchange data protection on a regular basis. Given below are ten simple steps to prevent security breaches in Exchange 2010.

1. Update operating system and antivirus

Always have Exchange running on the latest supported operating system and make sure to upgrade it with the latest service pack and hotfix. Make sure to have the updated version of antivirus as well.

2. Update Exchange server

Microsoft regularly releases updated service packs and rollups. Some of these updates are the security rollups that fix vulnerabilities and threats on the Exchange server.

3. Regularly run Exchange Best Practices Analyzer

Use it for Active Directory, Exchange, Registry and . It produces detailed reports and recommendations on how to secure the environment from most threats and attacks.

4. Filter attachments

Most spamming and phishing emails contain attachments with malware which can impact users and the organization. Block these attachments (.zip, .rar, .bat, .exe etc.) and apply a policy defining which action has to be performed on the blocked attachments.

5. Implement Kerberos authentication

Exchange servers can be configured with NTLM or Kerberos for client authentication. NTLM can be less secure than Kerberos, and it also applies excessive load on the Client Access Servers in the authentication process. On the other hand, the Kerberos protocol is more secure and can provide a swift authentication process with less burden on the Client Access Server. One can also implement dual-factor authentication, where users have to provide additional authentication in the form of a digital token number or a PIN.

6. Use a commercial CA certificate

Users access email from various clients like remote/home computers or mobile devices, and it's important to make sure these connections are encrypted. Self-signed certificates, which get created by default, are not trusted by external clients and mobile devices. There are various types of certificates available, such as Subject Alternative Name (SAN)/Unified Communication (UC) certificates, wildcard certificates etc. A SAN certificate is recommended, while a wildcard certificate might be easier to implement but has some constraints in use.

7. Apply Role-Based Access Control (RBAC) permissions

RBAC is the new permissions model in the latest version of Exchange, which allows granting more granular permissions to administrators. It only provides access to the team or to those users who need to perform a task. This protects the Exchange environment from accidental deletion or modification.

8. Avoid open relay configuration

Exchange servers can be configured to accept and relay emails for various applications and systems. Make sure to configure application servers to authenticate with the Exchange server before relaying emails. One can also enable Transport Layer Security (TLS) authentication to secure the communication.

9. Digitally sign and encrypt messages

Data leakage is another major threat which can cause damage to any organization. Use S/MIME to digitally sign outgoing emails using the certificate on the local client machines. This method can also keep the message encrypted during transmission until it has reached the target mailbox, and thus provide end-to-end security.

10. Enable and monitor the Exchange environment

Enable and monitor user mailbox activity and the Exchange environment. Exchange logs any events/actions performed in the environment. Monitoring these logs helps keep a tab on the environment and protects it from abnormal activities or security threats.

Protecting Exchange data is very important, because vulnerabilities can cause huge damage. Also, the latest version of Exchange offers some good inbuilt security features to audit and report any kind of breach in the organization, and also has anti-malware and anti-spam capabilities. It is highly recommended to use a change auditing solution which keeps track of all changes made to the Exchange server, allowing you to react to a possible incident just in time.
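The scoped RBAC grant and auditing that Orin Thomas's steps 2 and 3 describe, together with items 7, 8 and 10 above, as an added PowerShell example that is not from the magazine. It assumes the Exchange Management Shell (Exchange 2010/2013); the role group name, OU paths, mailbox address and retention periods are placeholders.

```powershell
# Added example, not from the magazine. Run in the Exchange Management Shell.
# Implements: a scoped Mailbox Search grant for HR (Orin Thomas step 2 /
# Krishna Kumar item 7), admin and mailbox audit logging (step 3 / item 10),
# and a check for receive connectors that allow anonymous relay (item 8).
# "HR Investigators", the OU paths, the mailbox address and the age limits are
# placeholders; adjust them to your organization.

# --- Scoped RBAC: HR may search only the mailboxes under one OU ---------------
New-ManagementScope -Name "HR Investigation Mailboxes" `
    -RecipientRoot "corp.example.com/Staff" `
    -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'"

# A dedicated role group carrying only the Mailbox Search role, write-scoped to
# the scope above, so its members cannot search mailboxes outside it.
New-RoleGroup -Name "HR Investigators" `
    -Roles "Mailbox Search" `
    -CustomRecipientWriteScope "HR Investigation Mailboxes" `
    -Members "hr.investigator@example.com"

# Confirm the grant: the new assignment should show the custom write scope, and
# the role should not also be assigned to a broad group with an unrestricted scope.
Get-ManagementRoleAssignment -Role "Mailbox Search" |
    Format-Table RoleAssignee, RoleAssigneeType, CustomRecipientWriteScope -AutoSize

# --- Auditing: record every administrative cmdlet (organization-wide) -----------
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
    -AdminAuditLogCmdlets * -AdminAuditLogParameters * `
    -AdminAuditLogAgeLimit "365.00:00:00"

# Mailbox audit logging is per mailbox; enable it for the mailboxes HR may be
# asked to search, logging admin and delegate actions (owner actions are off by default).
Get-Mailbox -OrganizationalUnit "corp.example.com/Staff/Executives" |
    Set-Mailbox -AuditEnabled $true `
        -AuditAdmin Update, Copy, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf `
        -AuditDelegate Update, Move, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf `
        -AuditLogAgeLimit "180.00:00:00"

# --- Open relay check: which receive connectors let anonymous senders relay? ---
function Get-AnonymousRelayConnector {
    foreach ($conn in Get-ReceiveConnector) {
        # ms-Exch-SMTP-Accept-Any-Recipient granted to ANONYMOUS LOGON is what turns
        # a connector into an open relay for the IP ranges it accepts mail from.
        $relay = Get-ADPermission -Identity $conn.Identity -User "NT AUTHORITY\ANONYMOUS LOGON" |
            Where-Object { (-not $_.Deny) -and ($_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient") }
        [pscustomobject]@{
            Connector      = $conn.Identity
            AnonymousUsers = [bool]($conn.PermissionGroups -match "AnonymousUsers")
            AnonymousRelay = [bool]$relay
            RemoteIPRanges = ($conn.RemoteIPRanges -join ", ")
        }
    }
}

# A connector with AnonymousRelay = True and a broad RemoteIPRanges (for example
# 0.0.0.0-255.255.255.255) is an open relay; relay connectors should list only the
# application servers that genuinely need to relay, or require authentication instead.
Get-AnonymousRelayConnector | Format-Table -AutoSize
```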

Want to read more articles like this? Subscribe to our blog: blog.netwrix.com

5 Security and Compliance Improvements with Exchange 2013 SP1

by Brian Keith Winstead, writer and editor specializing in Exchange Server, messaging, mobility, unified communications, and cloud computing

Microsoft released service pack 1 (SP1) for Exchange Server 2013 in February, ahead of the Microsoft Exchange Conference (MEC) in Austin, Texas. Many companies refuse to consider upgrading before the release of SP1, when it's believed the product is finally "finished", while other organizations are moving to subscription services such as 365 to avoid the whole upgrade cycle.

In any case, Exchange 2013 SP1 brings with it the usual bug fixes and performance improvements, but it also includes new features and functionality, many of which will have an impact on the security and compliance aspects of Exchange organizations, both for on-premises and cloud deployments. Here's a list of some of the top new features to be aware of, whether you're using Exchange 2013 now or considering an upgrade.

1. Support for Windows Server 2012 R2

With the release of Exchange 2013 SP1, it's finally supported to run Exchange 2013 on the latest release of Windows Server. Although this isn't directly a security upgrade to Exchange, it lets you take advantage of the many security enhancements and new features made available with Windows Server 2012 R2. For a list of what you can expect, take a look at the Microsoft TechNet article, "Security and Protection." Windows 2012 R2 also includes many improvements in Hyper-V virtualization, which will be of interest if you choose to run Exchange in a virtual environment. In addition to this Exchange 2013 SP1 update, Exchange 2010 and Exchange 2007 also received updates to provide compatibility with Windows 2012 R2; check the Exchange Team Blog for details.

2. Return of the Edge Transport server

When Exchange 2013 was initially released, it didn't include the Edge Transport server role, which provides perimeter security for an Exchange network. The Edge Transport server can provide anti-spam and virus protection as well as handling mail flow. Before SP1, you could use an Edge Transport server from Exchange 2010, but that required running a hybrid environment. Now, Exchange 2013 has its own Edge Transport role. You'll have to manage the Edge role through PowerShell, as there's no GUI, but hopefully Exchange admins have come to terms with PowerShell by now.

3. Cmdlet logging back in EAC

If you're not adept at PowerShell, you're certainly familiar with the Exchange Admin Center (EAC). The Exchange 2010 version of EAC included cmdlet logging, which let you see the PowerShell commands that were executed with each action you took in the GUI. This feature was dropped in Exchange 2013... until now. Cmdlet logging returns with Exchange 2013 SP1. What this means is that any action you can perform through the GUI, you can learn how to perform in PowerShell. From a security perspective, it also means you have access to that stream of commands in order to troubleshoot problems or see why something didn't happen as you might have expected.

4. S/MIME support for OWA

S/MIME is a protocol for secure, encrypted email, but its support was dropped in Outlook Web App (OWA) for Exchange 2013. With the release of SP1, S/MIME support has been reintroduced to OWA, although only on Internet Explorer 9 and later. Other browsers that run OWA (i.e., Chrome, Firefox, Safari) will have to wait and see if S/MIME support is added later.

5. Enhancements to DLP capabilities

Exchange 2013 SP1 improves its data loss protection (DLP) feature set in a number of ways. First, DLP policy tips will now appear in OWA as well as Outlook 2013. This means when a policy violation in an email is detected, the user will see a warning (and potentially the message can be blocked) before it's sent. Next, in addition to built-in detection of common information (financial or personal information), Document Fingerprinting lets you create custom policies for forms specific to your organization. Together, policy tips and Document Fingerprinting give admins a great deal of help in preventing sensitive information from inadvertently leaving your organization.

How to Detect Full Access Permission Changes to Exchange Mailbox

Granting full access permissions to a mailbox in Exchange Server should be well justified. Having received these permissions, users gain access to the mailbox content and can delete it or move it to another location. Misuse of full access permissions may lead to data losses and leaks. Below you will find the steps to follow when setting up native auditing.

1. Navigate to Site Settings → Site Collection Administration → Site collection features → choose "Reporting" → press "Activate".

2. Navigate to Site Settings → Site Collection Administration → Site collection audit settings → mark "Editing Users and Permissions" events to audit in the "List Libraries and Sites" settings.

3. Navigate to Site Settings → Site Collection Administration → Site collection audit settings → set "Automatically trim the audit log for this site?" to "Yes" → set the trimming range time (30 days by default) → set the location where you want to save the log before it is trimmed → click "OK".

4. Navigate to Site Settings → Site Collection Administration → Audit log reports → choose the "Security Settings" report to view all permission changes made in your SharePoint.
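On the Exchange side, an added example (not part of the original article) that lists Full Access grants and removals from the Exchange admin audit log, which records every Add-MailboxPermission and Remove-MailboxPermission run; it assumes the Exchange Management Shell, that admin audit logging is enabled, and a 7-day window.

```powershell
# Added example, not part of the original article: pull every Full Access grant
# or removal recorded in the Exchange admin audit log for the last 7 days. Run in
# the Exchange Management Shell (2010/2013); assumes admin audit logging is on
# (Set-AdminAuditLogConfig -AdminAuditLogEnabled $true). The window is a placeholder.
function Get-FullAccessPermissionChange {
    param([int]$Days = 7)

    $entries = Search-AdminAuditLog `
        -Cmdlets Add-MailboxPermission, Remove-MailboxPermission `
        -Parameters AccessRights `
        -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -ResultSize 5000

    foreach ($entry in $entries) {
        # CmdletParameters holds the Name/Value pairs exactly as the caller typed them.
        $params = @{}
        foreach ($p in $entry.CmdletParameters) { $params[$p.Name] = $p.Value }

        # Keep only changes that touch FullAccess; ReadPermission-only grants are skipped.
        if ("$($params['AccessRights'])" -notmatch 'FullAccess') { continue }

        [pscustomobject]@{
            When      = $entry.RunDate
            Change    = $entry.CmdletName -replace '-MailboxPermission', ''   # Add or Remove
            Caller    = $entry.Caller             # administrator who ran the cmdlet
            Mailbox   = $entry.ObjectModified     # mailbox whose ACL changed
            Trustee   = $params['User']           # account granted or stripped of access
            Rights    = $params['AccessRights']
            Succeeded = $entry.Succeeded
        }
    }
}

$changes = Get-FullAccessPermissionChange -Days 7 | Sort-Object When -Descending
$changes | Format-Table When, Change, Caller, Mailbox, Trustee, Succeeded -AutoSize

# Cross-check the live ACL of every mailbox that received a grant: an explicit
# Full Access entry that never appears in the log was set outside the audited path
# (for example before logging was enabled) and deserves a closer look.
$granted = $changes | Where-Object { $_.Change -eq 'Add' } | Select-Object -ExpandProperty Mailbox -Unique
foreach ($mbx in $granted) {
    Get-MailboxPermission -Identity $mbx |
        Where-Object { ($_.AccessRights -like 'FullAccess') -and (-not $_.IsInherited) -and ($_.User -notlike 'NT AUTHORITY\SELF') } |
        Select-Object Identity, User, AccessRights
}
```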

See Real-Life Use Cases: netwrix.com/go/exchange_permissions

Understanding the Mailbox Move Request in Exchange 2010

by Krishna Kumar, 10+ years in the IT industry specializing in design, implementation and administration

A Mailbox Move Request is the process of moving a mailbox from its source mailbox database to a target mailbox database. The target mailbox database can be either on the same server or on a different server, or even in a different domain/forest. Mailboxes are moved for various reasons, like transitioning to a new environment, investigating an issue or corruption in the mailbox, a user's change of physical location, company acquisitions and mergers, etc.

An Exchange 2010 Mailbox Move Request is processed by two services running on the Exchange 2010 Client Access Server: the Microsoft Exchange Mailbox Replication Service (MRS) and the Microsoft Exchange Mailbox Replication Proxy (MRSProxy) Service.

Microsoft Exchange Mailbox Replication Service (MRS): MRS processes the move and performs an asynchronous online move. In this process the end user can still access his/her email account during the move. The mailbox gets locked out only at the end of the process, for the brief period of time when the final synchronization is performed between the source and destination.

Microsoft Exchange Mailbox Replication Proxy (MRSProxy) Service: the MRSProxy service is disabled by default and needs to be turned on when a cross-forest mailbox move request is performed. This service helps to facilitate the cross-forest move request and needs to be running in the remote/target forest where the mailbox is being moved to.

Basically there are two types of Move Requests: New Local Move Request and New Remote Move Request.

New Local Move Request

It is the process of moving the mailbox from one database to another within the same site or a different Active Directory site, and within the same Exchange organization. In this process MRS plays the major role in moving the mailbox from the source to the target database.

1. When a new move request command is executed, it updates Active Directory and then places a message in the system mailbox within the Active Directory site where the move request was initiated, and marks the move request status as Queued.

2. All MRS instances periodically check the system mailbox in every Active Directory site and verify whether there is any move request queued.

3. MRS initiates the move of data from the source to the target database and marks the move status as "In Progress".

4. Once the move is completed, the new mailbox at the target database is activated and the move request is marked as "Completion in Progress". Until this point, users are able to access their email without any disruption. During this final mailbox synchronization phase, the source mailbox is locked only for a short duration.

5. Once the synchronization is completed, the mailbox at the target database is activated and the old mailbox at the source is soft deleted. Finally, the move request status is marked as "Completed".

6. Once the migration is completed, the user needs to close and re-open Outlook, or log off and log in again, to allow Outlook to connect to the mailbox from the new database.

New Remote Move Request

A remote mailbox move request is the process of moving a mailbox from one forest to another forest, or performing a cross-forest migration. It can further be divided into two scenarios:

- Remote Move Request where both the source and target forest are in Exchange 2010.
- Remote Move Request where the target forest is in Exchange 2010 and the source is a legacy forest with Exchange 2003 SP2, Exchange 2007 SP3, or a combination of both, and no Exchange 2010 Client Access server is installed.

Remote move request with source and target forest on Exchange 2010

In this scenario we have one forest in Exchange 2010, and the other forest has the latest Exchange 2010 Client Access Server, and MRS and MRSProxy are started on all the Client Access Servers.

1. When a New-MoveRequest cmdlet is executed in the target forest, MRS at the target initiates the move request. The cmdlet updates Active Directory and places a message in the system mailbox within the Active Directory site where the move request was initiated, and marks the move request status as Queued.

2. MRS at the target forest communicates with the MRSProxy at the source forest and pulls mailbox data from the mailbox server through the MRSProxy server into the Mail Enabled User in the target forest.

3. When the mailbox move is complete, MRSProxy locks the source mailbox for a short period of time to perform the final synchronization. During this period, the status changes to "Completion In Progress".

4. Finally, MRS converts the source mailbox to a MEU and, in the target forest, MRSProxy converts the MEU to the mailbox; then the status is marked as Completed.

5. Once the migration is completed, the user needs to close and re-open Outlook, or log off and log in again, to allow Outlook to connect to the mailbox from the new database.

Remote Move Request where the target forest is in Exchange 2010 and the source is the legacy forest

In this scenario the target forest is in Exchange 2010 and the source is a legacy forest.

1. When moving mailboxes from Exchange 2003 to Exchange 2010, the mailbox move will go offline and the user will not be able to access their mailbox during the move. A move from Exchange 2007 SP3 to Exchange 2010 will be online, and the users can continue accessing their mailboxes during the move.

2. When a New-MoveRequest cmdlet is executed in the target forest, MRS at the target initiates the move request. The cmdlet updates Active Directory and places a message in the system mailbox within the Active Directory site where the move request is initiated, and marks the status as Queued.

3. MRS in the Exchange 2010 forest will directly access the remote legacy database and the remote organization's Active Directory server.

4. When the mailbox move is complete, the source mailbox is locked for a short period of time to perform the final synchronization. During this period, the status changes to "Completion in Progress".

5. Finally, MRS converts the source mailbox to a MEU and in the target forest the MEU is converted to a mailbox; then the status is marked as "Completed".

Make sure Autodiscover is configured at the target forest, so the Outlook client from the target forest is able to resolve the source forest mailbox. Once Autodiscover is configured, users just need to close and re-open Outlook, or log off and log in again, to continue to access their email from the new Exchange server. To avoid any performance impact on the production Client Access server, you can stop MRS on the production server and have some migration servers running only the MRS service.
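The local move described above, as an added example that is not from the article: it issues a New-MoveRequest and reports each status transition (Queued, InProgress, CompletionInProgress, Completed) until the request reaches a terminal state. The mailbox, database, report path and poll interval are placeholders.

```powershell
# Added example, not from the article: issue a local move request and follow it
# through the statuses described above. Run in the Exchange 2010 Management Shell;
# the mailbox, target database, report path and poll interval are placeholders.
$mailbox  = "jane.doe@example.com"
$targetDb = "MBX-DB02"

function Wait-MoveRequest {
    param([string]$Identity, [int]$PollSeconds = 30)
    $terminal = @("Completed", "CompletedWithWarning", "Failed", "Suspended")
    $last = $null
    do {
        Start-Sleep -Seconds $PollSeconds
        $stats  = Get-MoveRequestStatistics -Identity $Identity
        $status = $stats.Status.ToString()
        # Report each transition once; the mailbox stays online until
        # CompletionInProgress, when the source is briefly locked for the final sync.
        if ($status -ne $last) {
            "{0:u}  {1,-22} {2,3}%  {3}" -f (Get-Date), $status, $stats.PercentComplete, $stats.Message
            $last = $status
        }
    } while ($terminal -notcontains $status)
    return $stats
}

# Skip up to 10 corrupt items rather than failing the whole move; they are listed in the report.
New-MoveRequest -Identity $mailbox -TargetDatabase $targetDb -BadItemLimit 10
$result = Wait-MoveRequest -Identity $mailbox

if ($result.Status -like "Completed*") {
    # A completed request stays in the queue until removed, and a second request for
    # the same user is rejected while it sits there; keep the report for the change record.
    Get-MoveRequestStatistics -Identity $mailbox -IncludeReport |
        Select-Object -ExpandProperty Report | Out-File "C:\MoveLogs\$mailbox.txt"
    Remove-MoveRequest -Identity $mailbox -Confirm:$false
}

# Cross-forest variant (MRSProxy must be enabled on the source forest's Client Access servers):
# New-MoveRequest -Identity $mailbox -Remote -RemoteHostName "mail.source.example" `
#     -RemoteCredential (Get-Credential) -TargetDeliveryDomain "target.example" `
#     -TargetDatabase $targetDb
```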

Exchange Server Down: You Only Have Minutes

by Nick Cavalancia, 20 years of enterprise IT experience, an accomplished consultant, speaker, trainer, writer, and columnist

You just got the call: your Exchange server is not sending or receiving email. Your one and only Exchange server. OK, this is bad. You drop everything and begin to check the Exchange server for problems.

Is it up? Yes.
Are the needed services running? Yes.
Does it have enough disk space? Yes.
OK, time to check the Event Logs.
It can't find a domain controller. Time for a ping test. Check. NSLookup? Check.
OK... what in the world is going on?

While this is a hypothetical problem for you, it was a real problem for one of our customers. How much time do you think you really have to solve this problem? With your only Exchange down, you obviously don't have weeks or days. You really don't have hours, and seconds are, of course, unrealistic. So we're really talking about minutes. You have minutes. So how can you quickly figure out the source of the problem?

Back to the Exchange server. It appears to be working fine. So what's the issue? The old standard "what changed" is a key part of the answer. You've (hypothetically) already started down the path of seeing what's changed by looking at the state of the server, and it all looks good.

And the clock is still ticking... Now everyone's aware of the issue and helpdesk calls are coming in like crazy. If only you knew how to pull up all changes made in the last 10 minutes. Our customer had a change auditing solution in place and was able to do exactly that.

To solve this problem, and any one like it, you're going to need to know what's changed on your servers and, possibly, within your entire environment. Could a password have been changed? Did someone change permissions in AD? Hmmm... this is going to be tougher than you thought.

The cause of the problem? You'll never guess. One of the AD admins was making changes to the Active Directory Sites and modified a subnet mask just so that it isolated the Exchange server logically into its own AD Site, so the Exchange server couldn't find a Domain Controller to function.

Think you would have guessed that one? Yeah, me neither. Glad they had a change auditing solution. Otherwise, minutes would have taken hours or, worse, days.

Without a system where IT Pros can log each and every change made in your environment (which our "2014 State of IT Changes" survey shows is something that isn't consistently used) or a change auditing solution that tracks every change by auditing the systems themselves in place, you're never going to be able to easily tell Who did What, When and Where and, therefore, determine how to fix the problem within minutes.


4 Ways to Avoid Malware Like Lenovo Superfish

by Russell Smith Specializing in the management and security of Microsoft-based IT systems, Russell is the author of a book on Windows security and a contributing author and blogger.

PCs sold by Lenovo between September 2014 and January 2015 came pre-installed with Superfish VisualDiscovery, a piece of malware claiming to improve users' Internet experience by adding visual results to Google search and other websites. But in reality, the main purpose of the software was to add third-party advertisements.

Superfish installs its own Certification Authority (CA) on the local device, and adds a trusted root CA certificate to the local machine certificate store, so that encrypted web traffic can be intercepted to insert adverts. This is necessary because many sites, including Google, use HTTPS by default.

While this is worrying in itself, Lenovo admitted that it was possible for a hacker to recover the private key from the software, enabling man-in-the-middle attacks by generating a certificate for a spoof website that is automatically trusted by any system where Superfish is installed.

In addition to common protection measures like antivirus and endpoint firewalls, here are four ways you can prevent malware similar to Superfish from infecting your systems.

1. Install a Clean Windows Image

Even if your organization doesn't have its own custom Windows image, don't rely on the configuration provided by PC manufacturers. The only way to be sure there's no malware installed on the device out-of-the-box is to wipe the disk and reload Windows from scratch.

2. Remove Administrative Privileges

Superfish installs a certificate in the local machine Trusted Root Certification Authorities certificate store. That means the certificate is available globally to all users of the device, and is inherited by the current user Trusted Root Certification Authorities certificate store. To install a certificate in the local machine Trusted Root Certification Authorities certificate store, users must have administrative privileges on the PC.

3. Monitor Certificate Stores

While Superfish requires access to the local machine certificate store to install a certificate from its own certification authority, there's no reason why a malicious process couldn't add a trusted root CA to the current user store. While this can be prevented using application control (see below), you could monitor PCs to check for changes to the certificate stores that might indicate a malware infection.

It's easy to search for the Superfish certificate using the PowerShell Get-ChildItem cmdlet, because we know the thumbprint of the certificate:

Get-ChildItem -Recurse cert:\ | where {$_.Thumbprint -eq "c864484869d41d2b0d32319c5a62f9315aaf2cbd"}

Alternatively, you can go straight for the kill and remove the certificate if present using the Remove-Item cmdlet:

Remove-Item -Path cert:\LocalMachine\root\c864484869d41d2b0d32319c5a62f9315aaf2cbd

PowerShell Remoting makes it easy to run the above cmdlets across all devices on your network, and you could write a script to monitor for known certificates, such as the one used by Superfish, or to monitor for changes to a known configuration.

4. Application Control

Some applications maintain their own certificate stores, such as the popular browser Firefox and the email client Thunderbird, so ultimately you need to determine which apps are allowed to run on your devices. AppLocker is built in to Windows 7 (and later), and can be used to create whitelists of applications and processes approved by your IT department, while blocking all others.
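The monitoring script the article suggests, as an added example that is not part of the original article: it records a baseline of the machine and current-user Trusted Root stores on a freshly imaged PC, flags known-bad thumbprints (the Superfish one quoted above) on every run, and reports any root CA added or removed since the baseline. The baseline path is a hypothetical default; run it as an administrator so both stores are readable, or fan it out with PowerShell Remoting.

```powershell
# Added example (not from the article): baseline the Trusted Root stores and
# report any certificate added or removed since the baseline was taken.
# Assumes it runs as an administrator so both stores are readable;
# $BaselinePath is a hypothetical default, $KnownBad holds the Superfish thumbprint from the article.
param(
    [string]$BaselinePath = "$env:ProgramData\CertBaseline.xml",
    [string[]]$KnownBad = @('c864484869d41d2b0d32319c5a62f9315aaf2cbd')
)

# Superfish used the machine store, but a process running as a normal user
# can still write to CurrentUser\Root, so both are watched.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

function Get-RootSnapshot {
    foreach ($store in $stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint.ToLower()
                Subject    = $_.Subject
            }
        }
    }
}

$current = @(Get-RootSnapshot)

# Known-bad thumbprints are reported regardless of whether a baseline exists.
foreach ($cert in $current) {
    if ($KnownBad -contains $cert.Thumbprint) {
        Write-Warning "Known-bad root CA present in $($cert.Store): $($cert.Subject)"
    }
}

if (-not (Test-Path $BaselinePath)) {
    # First run: record the trusted state of a freshly imaged machine.
    $current | Export-Clixml -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) certificates)."
    return
}

$baseline = Import-Clixml -Path $BaselinePath
# Compare on store + thumbprint; '=>' means present now but not in the baseline.
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Store, Thumbprint -PassThru
foreach ($d in $diff) {
    $change = if ($d.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
    Write-Warning "$change root CA in $($d.Store): $($d.Subject) [$($d.Thumbprint)]"
}
```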

Want to read more articles like this? Subscribe to our blog: blog.netwrix.com

Top 10 Free Tools for Change Auditing and Password Management

Track changes to Active Directory, Exchange, file servers, manage passwords and troubleshoot account lockouts at absolutely no cost.

The following freeware tools can save you a lot of time and make your network more efficient, at absolutely no cost. Some of these tools have advanced commercial versions with additional features, but none of them will expire and stop working when you urgently need them.

by John Bagley, award-winning professional writer and independent consultant

1. Change Notifier for Active Directory
Tracks changes to Active Directory (AD) users, group memberships, OUs, permissions, and provides visibility into what's happening inside your AD.

2. Change Notifier for Group Policy
Tracks every change made to your group policy objects (GPOs), including GPO links, audit policy, password policy, and software deployment changes, and fills major gaps found in native auditing tools.

3. Account Lockout Examiner
Alerts on account lockouts, helps troubleshoot these events, and analyzes their potential causes. The accounts can be unlocked via the Netwrix Account Lockout Examiner console or a mobile device.

4. Change Notifier for Exchange
Reports on what's happening inside your Exchange servers, and tracks both configuration and permission changes with "before" and "after" values.

5. Password Expiration Notifier
Automatically reminds your users to change their passwords before they expire so you can avoid password reset calls. It works nicely for users who don't log on interactively and never receive standard password change reminders at logon time (e.g., VPN users).

6. Change Notifier for File Servers
Tracks changes to files and share permissions, detects deleted and newly-created files, and reports on file-access attempts. This freeware tool strengthens the security of your Windows-based file servers.

7. Password Manager
Allows users to reset forgotten passwords and unlock their accounts through a convenient, web-based, self-service portal and integration with the standard Windows logon procedure. The tool supports up to 100 users.

8. Change Notifier for SQL Server
Detects changes made to your SQL Server configurations, including database creation and deletion, changes to database users, roles, and schemas. It also reports "before" and "after" values for every change, and sends daily reports showing all changes made.

9. Change Notifier for VMware
Allows you to control changes in your virtual environments. It notifies you about changes to VMware virtual machine settings, creation and deletion of virtual machines. It also sends daily reports of all changes made in the past 24 hours with "before" and "after" values.

10. Change Notifier for Windows Server
Alerts you about changes made to your Windows Server configurations, including installed software and hardware, services and scheduled tasks. It sends summary reports listing changes of the last 24 hours with "before" and "after" values.

Another Vector for Malware Spread

by Richard Muniz, 20+ years in the IT industry, a practicing systems administrator and a teacher.

Those who study epidemics talk about the spread of disease through what they call "vectors". Some diseases are spread through food, water, human contact, and so on. In the computer world, viruses and malware spread through vectors too. Most are rather familiar, like viruses from downloading things you shouldn't, e-mail, and so forth. Most IT types would think of only three vectors, but I want to introduce you to the fourth one.

So, what is the Fourth Vector? Basically, it is malware spread through a trusted medium such as software. What, people actually do that? Of course they do. A lot of browsers will track your Internet activities, and no, they don't report it to some super-secret government agency. It's much worse than that. This information is reported to advertisers who in turn target your web browser to show advertisements that might interest you. Of course that's something most of us don't even give a second thought. This vector of malware spread can also come from other trusted sources. And so the question becomes, what are you doing to defend yourself? Before we try to answer that question, let me tell you a story.

Once upon a time, there was a simply brilliant, handsome (and above all, modest) system administrator who worked for a major company. The company was run by a very nice boss who made sure his company ran very informally, and everyone was happy. Then one day something dark and sinister happened. The users in the company called it "The Weirdness".

Users experiencing The Weirdness would suddenly become unable to log on. Printers they could reach an hour ago became inaccessible. Email would stop flowing. And yet, some of the users were still happy, because they could reach what they needed. The Weirdness had passed them by. And then The Weirdness would leave as suddenly as it had come, and everyone would be happy again. But sometimes, minutes, or hours, or even days later, The Weirdness would come back, and then vanish as suddenly as it had come, leaving our handsome sysadmin very perplexed. He spent days trying to figure out The Weirdness. But there was no figuring it out until one day . . .

A user complained she couldn't reach a network printer. The sysadmin sat down at her workstation and typed "IPConfig /all". As the numbers appeared on the screen, his eyes went wide with amazement. He saw The Weirdness with his own eyes. "That's not our internal addressing scheme," he stammered. "And that certainly isn't our DNS server!"

Someplace, somewhere, The Weirdness had entered disguised as a Windows Domain Controller. Knowing there were many developers who dabbled in the black arts of virtualization, the sysadmin began asking just who was being stupid out of season, putting the company through security risks. He glared at the developers, watching them cringe under his steel-like gaze. But The Weirdness was not to be found with them. Searching further, he finally found the keeper of The Weirdness. It was the Wizards of Promotion, the marketing team.

"What is this?" he asked as he stared at the offending user's screen.

"Oh that? It's a VM the main office sent us so we can look at some marketing software they want us to use," their leader proclaimed grandly.

"It's also the source of The Weirdness," he said. He opened a few more windows. "This is a domain controller!" He turned it off. "I'm sorry; they installed the software on a VM that's also a Controller. Worse, it's also a DNS server and has been handing out leases, and that's what's been causing us so much trouble. You can't use it," he said.

"But they want us to test the software."

Our sysadmin thought for a second, got on the ESXi server, and set up a virtual network that had no connection to the outside world, and then moved the offending VM to it. He called this virtual network "Vegas" because what happens in Vegas, stays in Vegas. He then limited access to the location to just the marketing team, and when finished told them: "In the future, if they ever send you another VM, make sure you let us look at it first". He then wrote a blistering e-mail to the corporate office concerning the incident.

And everyone lived happily ever after.

Virtualization makes it possible for us to build a setup where we can test new software before we ever introduce it into our environment. This helps us know exactly what it's doing internally. One thing you really should watch is incoming and outgoing traffic. While there might be a lot of information to sift through, you can filter traffic and start sorting things out. If the machine you set up is trying to reach external IP addresses, you need to ask why. Bottom line, just because you paid for it, or it was sent to you by someone you supposed to be trustworthy, doesn't mean it's good to go. Sometimes the Fourth Vector should be the scariest one of all.
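The "IPConfig /all" check the sysadmin did by hand, automated as an added example that is not part of the original article: every IP-enabled adapter is compared against the addresses the network is supposed to be using, and a lease, DNS server or address that does not belong is flagged. The allow-lists in $expected are constructed for illustration; replace them with your own values.

```powershell
# Added example (not from the article): automate the "ipconfig /all" check
# that exposed the rogue VM. The allow-lists below are constructed values,
# not anyone's real network; substitute your own addressing scheme.
$expected = @{
    Subnet      = '10.20.'                       # internal addressing scheme prefix (constructed)
    DhcpServers = @('10.20.0.10', '10.20.0.11')  # the real DHCP servers (constructed)
    DnsServers  = @('10.20.0.10', '10.20.0.11')  # the real DNS servers (constructed)
}

function Test-LeaseSource {
    param([hashtable]$Expected)
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $adapters) {
        $findings = @()
        # IPv4 only; a lease from a rogue server usually lands outside our scheme.
        $v4 = @($nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
        foreach ($ip in $v4) {
            if (-not $ip.StartsWith($Expected.Subnet)) { $findings += "address $ip outside $($Expected.Subnet)*" }
        }
        # A DHCP lease from a server we do not run is the story's smoking gun.
        if ($nic.DHCPEnabled -and $nic.DHCPServer -and $Expected.DhcpServers -notcontains $nic.DHCPServer) {
            $findings += "lease from unknown DHCP server $($nic.DHCPServer)"
        }
        foreach ($dns in @($nic.DNSServerSearchOrder)) {
            if ($Expected.DnsServers -notcontains $dns) { $findings += "unknown DNS server $dns" }
        }
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Adapter    = $nic.Description
            Address    = ($v4 -join ', ')
            DhcpServer = $nic.DHCPServer
            Findings   = ($findings -join '; ')
            Suspicious = ($findings.Count -gt 0)
        }
    }
}

# Run locally; to check the whole fleet, pass ${function:Test-LeaseSource}
# as the -ScriptBlock of Invoke-Command with -ArgumentList $expected.
Test-LeaseSource -Expected $expected | Where-Object Suspicious | Format-Table -AutoSize
```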


Quick Reference Guide

Exchange Server Auditing

How to enable logging of important Exchange Server changes

Common Cmdlets

- Enable-Mailbox - creates a mailbox for an existing AD user
- Disable-Mailbox - removes a user's mailbox
- Set-Mailbox - modifies the settings of an existing mailbox
- New-MailboxDatabase - creates a new mailbox database
- Mount(Dismount)-Database - mounts (dismounts) an existing mailbox database
- Set-MailboxDatabase - configures a variety of properties for a mailbox database
- New-SendConnector - creates a new Send connector
- New-ReceiveConnector - creates a new Receive connector
- Add(Remove)-MailboxPermission - adds (removes) permissions to a mailbox
- You can find the full list of cmdlets here: http://url2open.com/cmdlets

Exchange Server Audit Settings

Open the Exchange Management Shell, and run the following cmdlets:

- Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
- Set-AdminAuditLogConfig -AdminAuditLogCmdlets
- Set-AdminAuditLogConfig -AdminAuditLogParameters
- Set-AdminAuditLogConfig -LogLevel Verbose (for Exchange 2013)

Audit Log View in Exchange 2010

Open Exchange in your browser > navigate to "Roles & Auditing" > Auditing (tab):

- Run an administrator role group report
- Export the Administrator Audit Log. Specify the date range. Search for cmdlets listed in the "Common Cmdlets" box

Audit Log View in Exchange 2013

- Open the Exchange Admin Center in your browser > Compliance Management > Auditing > click "View the administrator audit log"
- Specify the date range. Search for cmdlets listed in the "Common Cmdlets" box

MSExchange Management Log

Run eventvwr.msc > Applications and Services Logs > MSExchange Management > search for cmdlets listed in the "Common Cmdlets" box

Audit Log Search via Exchange Management Shell

- Open the Exchange Management Shell
- Run the following cmdlets in order to search the Admin audit log:
  - Search-AdminAuditLog
  - New-AdminAuditLogSearch
- You can specify the search date by adding the parameters "-StartDate MM/DD/YYYY -EndDate MM/DD/YYYY"
- You can also specify cmdlets and parameters. Run "get-help Search-AdminAuditLog" for more information

For Detailed Exchange Server Auditing, Try Netwrix Auditor: netwrix.com/go/ex-trial
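The shell search described above carried through, as an added example that is not part of the original guide: it pulls the admin audit log entries for the cmdlets in the "Common Cmdlets" box over the last few days, flattens each entry's parameters into one reportable row, shows mailbox permission changes first and writes the rest to CSV. Run it from the Exchange Management Shell; the day count and report path are hypothetical defaults.

```powershell
# Added example (not from the guide): report admin audit log entries for the
# cmdlets in the "Common Cmdlets" box. Run from the Exchange Management Shell;
# $Days and $ReportPath are hypothetical defaults.
param(
    [int]$Days = 7,
    [string]$ReportPath = "$env:TEMP\ExchangeAdminAudit.csv"
)

# Search-AdminAuditLog matches cmdlet names exactly, so the paired
# Mount/Dismount and Add/Remove entries from the box are listed out.
$watched = @(
    'Enable-Mailbox', 'Disable-Mailbox', 'Set-Mailbox',
    'New-MailboxDatabase', 'Mount-Database', 'Dismount-Database', 'Set-MailboxDatabase',
    'New-SendConnector', 'New-ReceiveConnector',
    'Add-MailboxPermission', 'Remove-MailboxPermission'
)

function Get-WatchedAdminAuditEvents {
    param([string[]]$Cmdlets, [datetime]$Start, [datetime]$End)
    # ResultSize defaults to 1000; raise it so a busy week is not silently truncated.
    Search-AdminAuditLog -Cmdlets $Cmdlets -StartDate $Start -EndDate $End -ResultSize 250000 |
        ForEach-Object {
            # CmdletParameters is a collection of Name/Value pairs; join it into one string.
            $params = ($_.CmdletParameters | ForEach-Object { "-$($_.Name) '$($_.Value)'" }) -join ' '
            [pscustomobject]@{
                RunDate        = $_.RunDate
                Caller         = $_.Caller
                Cmdlet         = $_.CmdletName
                Parameters     = $params
                ObjectModified = $_.ObjectModified
                Succeeded      = $_.Succeeded
                Server         = $_.OriginatingServer
            }
        }
}

$events = @(Get-WatchedAdminAuditEvents -Cmdlets $watched -Start (Get-Date).AddDays(-$Days) -End (Get-Date))

# Permission changes are the ones most worth a second look; surface them first.
$events | Where-Object { $_.Cmdlet -like '*-MailboxPermission' } |
    Sort-Object RunDate -Descending | Format-Table RunDate, Caller, ObjectModified, Parameters -AutoSize

$events | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Output "$($events.Count) audited actions written to $ReportPath"
```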

- Change auditing: detection, reporting and alerting on all configuration changes across your entire IT infrastructure with Who, What, When, Where details and Before/After values.
- Predefined reports and dashboards with filtering, grouping, sorting, export (PDF, XLS etc.), email subscriptions, drill-down, access via web, granular permissions and the ability to create custom reports.
- AuditArchive™: scalable two-tiered storage (file-based + SQL database) holding consolidated audit data for 10 years or more.
- Unified platform to audit the entire IT infrastructure, unlike other vendors with a set of hard-to-integrate standalone tools.

Next Steps

Try the #1 Change and Configuration Auditing Platform:

- Free Trial: setup in your own test environment - netwrix.com/go/completevisibility
- Test Drive: virtual POC, try in a Netwrix-hosted test lab - netwrix.com/go/test_drive
- Live Demo: product tour with a Netwrix expert - netwrix.com/go/live_demo
- Contact Sales to obtain more information - netwrix.com/go/contact_sales

netwrix.com | netwrix.com/social

Corporate Headquarters: 8001 Irvine Center Drive, Suite 820, Irvine, CA 92618
Phone: 1-949-407-5125 | Toll-free: 888-638-9749 | EMEA: +44 (0) 203-318-02

Copyright © Netwrix Corporation. All rights reserved. Netwrix is a trademark of Netwrix Corporation and/or one or more of its subsidiaries and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are the property of their respective owners.