How to Enable/Search Users in Lync 2013 Control Panel?

Posted by Ahmed Nabil | 0 comments
Lately I received several inquiries about enabling Lync 2013 features such as Enterprise Voice for new domain users in the Lync Control Panel, and about the difference between enabling a user and searching for a user. PowerShell is my default tool for any action such as adding a new user; however, I started checking this issue and discussing it with several admins as well as the Microsoft Support team.

The User Search option shown in the image below, with its two modes (Search or LDAP), is limited to searching for users who are already enabled for Lync, not new users who are not yet enabled for Lync.


To search for existing enabled users, use the Search button and enter the user name of the user you are looking for. If you would like to use the LDAP search, you need to search using an LDAP expression. If you enter a normal username in the LDAP search you will get the error "Active Directory Operation Failed. The search filter is invalid".


So to use the LDAP search for existing users you need to enter an LDAP expression. You can get the user's distinguished name from AD ADSI Edit by navigating to the user object, or by running the following PowerShell command on the Lync Server:

Get-ADUser -Identity <username>

The value of DistinguishedName is the one you need to enter in the LDAP search.



Back to the first question: how to enable new users who joined the domain and are not yet enabled for Lync. To add/enable a new user, click Enable Users in the User Search menu of the Lync Control Panel, then click Add.






You will now get a new search window where you can search for new users, either by normal username (Search check box) or by LDAP expression as explained earlier.


Now you can enable this new user and assign them to the correct pool.
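The same lookup and enablement done from the Lync Server Management Shell, as an added example that is not part of the original post: it retrieves the distinguished name the LDAP search expects, lists domain users not yet enabled for Lync (the ones the default Control Panel search will not show), and enables one on a pool. The account name, SIP domain and pool FQDN below are placeholders.

```powershell
# Added example, not from the original post. Run in the Lync Server Management Shell
# on a Lync 2013 server with the ActiveDirectory module available.
Import-Module ActiveDirectory

# Placeholders (assumptions): adjust to your environment.
$SamAccountName = 'jdoe'
$SipDomain      = 'domain.com'
$RegistrarPool  = 'pool01.domain.com'

# 1. The distinguished name is what the LDAP option in the Control Panel search expects.
$adUser = Get-ADUser -Identity $SamAccountName
$dn = $adUser.DistinguishedName
Write-Host "Distinguished name for LDAP search: $dn"

# 2. The Control Panel's default search only returns users already enabled for Lync.
#    Get-CsAdUser sees every AD user, so filtering on Enabled lists the ones still to enable.
$notEnabled = Get-CsAdUser -Filter { Enabled -ne $True } |
    Select-Object DisplayName, SamAccountName, DistinguishedName
$notEnabled | Format-Table -AutoSize

# 3. Enabling the account is the equivalent of "Enable Users > Add" in the Control Panel.
#    SIP address is built from the SAM account name plus the SIP domain here.
if (-not (Get-CsUser -Identity $dn -ErrorAction SilentlyContinue)) {
    Enable-CsUser -Identity $dn -RegistrarPool $RegistrarPool `
        -SipAddressType SamAccountName -SipDomain $SipDomain
}

# 4. Confirm the account now shows up where the normal search would find it.
Get-CsUser -Identity $dn | Format-List DisplayName, SipAddress, RegistrarPool, Enabled
```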



Hopefully this clarifies the difference between searching for existing users and adding new users using the Lync Control Panel.





Windows 10 Security Part 2: Enable Credential Guard / Pass the Hash Mitigation

Posted by Ahmed Nabil | 0 comments
For Part 1 of Windows 10 Security, please check the link below:

http://itcalls.blogspot.com.eg/2015/09/windows-10-security-part-1-windows-10.html

Pass the Hash was one of the hottest attacks in 2015; hardly any major attack last year went without a flavor of PtH, on local accounts or domain accounts, stealing the hash and passing it to other services, etc.

Windows 10 introduced a new feature, Credential Guard, also known as Virtual Secure Mode (VSM). The main idea is to use Microsoft Hyper-V on the Windows 10 machine and run a special secure kernel mode, based on virtualization technology, that hosts critical processes such as the Local Security Authority (your passwords). This new feature promises to finally get rid of Pass the Hash attacks and the stealing of passwords/hashes. The secure kernel mode has no GUI or network access, and it communicates with the OS in a new format that cannot be replayed or passed (at least for the time being).

How to Enable Credential Guard

  1. First of all we need to add Hyper-V from Control Panel - Programs and Features - Turn Windows features on or off.
  2. Secure Boot needs to be enabled.
  3. This feature works only on Windows 10 Enterprise.
  4. The machine should be domain joined, as this protects domain accounts, not local accounts. For local accounts you should have other protection mechanisms such as Microsoft LAPS.
  5. VSM or Credential Guard can be enabled using Group Policy (with the updated Windows 10 group policy templates copied to the Domain Controller central store). In my case I am enabling it manually on my laptop using the Local Group Policy Editor as shown below (Computer Configuration - Administrative Templates - System - Device Guard - Turn On Virtualization Based Security).

  6. Enable the setting. I picked Enabled without lock so it can be controlled/disabled later using Group Policy. A detailed description is shown in the Help section.

  7. Start the special VSM process by editing the Boot Configuration Data as shown below from an elevated command prompt.

To verify it is running and working as designed, first reboot the computer, then open System Information (from Cortana search for System Information or msinfo32) and check the System Summary as shown below.


Also in Task Manager you will find the Credential Guard process, as well as in the Details tab.
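The same verification done from an elevated PowerShell prompt after the reboot, as an added example that is not part of the original post. It assumes the Win32_DeviceGuard WMI class that Windows 10 exposes for this purpose; the isolated LSA process that Task Manager labels "Credential Guard" is LsaIso.exe.

```powershell
# Added example, not from the original post. Run elevated, after the reboot.
# Assumes the Win32_DeviceGuard WMI class exposed by Windows 10.
function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # Values written by the "Turn On Virtualization Based Security" policy and by LSA.
    # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock, 0 = disabled.
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $vbs    = (Get-ItemProperty -Path $dgKey  -ErrorAction SilentlyContinue).EnableVirtualizationBasedSecurity
    $flags  = (Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue).LsaCfgFlags

    # The isolated LSA process shown in Task Manager as "Credential Guard" is LsaIso.exe.
    $lsaIso = Get-Process -Name LsaIso -ErrorAction SilentlyContinue

    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        # Security services arrays: 1 = Credential Guard, 2 = HVCI (code integrity)
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning    -contains 1)
        PolicyEnableVbs           = $vbs
        LsaCfgFlags               = $flags
        LsaIsoProcessPresent      = [bool]$lsaIso
    }
}

$state = Get-CredentialGuardState
$state | Format-List

if ($state.CredentialGuardRunning -and $state.LsaIsoProcessPresent) {
    Write-Host 'Credential Guard is running: LSA secrets are isolated in VSM.'
} elseif ($state.CredentialGuardConfigured) {
    Write-Warning 'Configured but not running: check Secure Boot, Hyper-V and that the machine was rebooted.'
} else {
    Write-Warning 'Credential Guard is not configured on this machine.'
}
```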




This is a very nice new feature to secure your credentials, and I would advise Windows 10 users to go ahead and try it.




How to Upgrade/Move your Enterprise Certification Authority (CA) from 2008 R2 to 2012 R2 - Part 1

Posted by Ahmed Nabil | 0 comments
In this series we will go through the main steps to migrate and move our Enterprise Subordinate Certification Authority from a Windows 2008 R2 server to a Windows 2012 R2 server (side-by-side move). In Part 1 I discuss the main requirements and the preparation done on the source server (the CA on 2008 R2).

Key things to note:


  1. If you would like the new CA server computer name to be the same as the old one, you will need to decommission and remove the old server from the domain prior to building the new server. In our case I will keep the old server (just disable the Certificate Windows services) and give the new server a new name, in case you need to revert at any time.
  2. During the migration and setup of the CA on the new server, no certificates or CRLs will be issued. It is preferred to run this after hours. Plan to publish a CRL that will cover the downtime period.
  3. The user running the migration should be a member of the Enterprise Admins or Domain Admins group.

Source Server (2008 R2) Preparation

  1. Publish a new CRL to ensure that your migration period is covered. Open Certification Authority - right-click Revoked Certificates - All Tasks - Publish.

  2. Take a backup of the current source CA (2008 R2 server): right-click the Certification Authority - All Tasks - Back Up CA. Make sure to pick both check boxes as shown above (Private Key and CA Certificate, and Certificate Database). Store them in a dedicated empty folder (it will be copied later to the destination server).

  3. After picking a password and finishing the wizard, check the backup folder (in our case C:\CA_Backup). We should have a CAname.P12 file and a database folder.
  4. Next, take a backup of the CA configuration in the registry as another checkpoint/line of defense (hopefully it won't be needed). Navigate to HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, right-click Configuration, choose Export and save the output REG file in the same backup location.

  5. If a custom CAPolicy is used, copy the CAPolicy.inf file from C:\Windows (the default location) to the backup folder created earlier.
  6. The final step on the source CA server is to stop the Certification Authority service and change its startup type to Disabled, in case anyone tries to start it by mistake (remember we will be keeping the source server for some time until everything is up on the new server).
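The source-server preparation above scripted for an elevated PowerShell prompt on the 2008 R2 CA, as an added example that is not part of the original post. It assumes the C:\CA_Backup folder from step 3 and prompts for the PKCS#12 password; certutil -backup requires the target folder to be empty.

```powershell
# Added example, not from the original post: steps 1-6 of the source CA preparation,
# run from an elevated PowerShell prompt on the 2008 R2 CA. Assumes the folder below.
$BackupDir = 'C:\CA_Backup'

# Step 1: publish a fresh CRL so the migration window is covered.
certutil -crl
if ($LASTEXITCODE -ne 0) { throw 'CRL publish failed' }

# Steps 2/3: back up private key, CA certificate and database into an EMPTY folder
# (certutil refuses a non-empty directory). Produces <CAname>.p12 and a database folder.
if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
if (Get-ChildItem -Path $BackupDir) { throw "$BackupDir must be empty" }
$secure = Read-Host -AsSecureString 'Password for the PKCS#12 backup'
$plain  = (New-Object System.Management.Automation.PSCredential 'x', $secure).GetNetworkCredential().Password
certutil -p $plain -backup $BackupDir
if ($LASTEXITCODE -ne 0) { throw 'CA backup failed' }

# Step 4: export the CertSvc configuration key as the second line of defense.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $BackupDir 'CertSvc_Configuration.reg') /y

# Step 5: keep a custom CAPolicy.inf if one exists.
$caPolicy = Join-Path $env:windir 'CAPolicy.inf'
if (Test-Path $caPolicy) { Copy-Item -Path $caPolicy -Destination $BackupDir }

# Step 6: stop the CA and disable it so nobody starts it by mistake while the
# old server is kept around for rollback.
Stop-Service -Name CertSvc
Set-Service  -Name CertSvc -StartupType Disabled

# Sanity check: the .p12 and the database must be present before touching the new server.
Get-ChildItem -Path $BackupDir -Recurse | Select-Object FullName, Length
```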

This concludes Part 1 of this series. In Part 2 we will install the CA on the new 2012 R2 server and restore the backup taken on the old 2008 R2. Hopefully this has been beneficial; see you in the next part.










PKIView OCSP Location#1 Error

Posted by Ahmed Nabil | 0 comments
After configuring and installing OCSP on an Enterprise Certification Authority, I noticed that the OCSP location in PKIView was displaying an error, as in the screenshot below.



The OCSP responder was working fine with the current certificate, and I verified and validated it using certutil -url (check the article below for more details):

http://blogs.technet.com/b/askds/archive/2009/06/29/implementing-an-ocsp-responder-part-iii-configuring-ocsp-for-use-with-enterprise-cas.aspx

It turned out that the original AIA path that had been used was changed in my CA extensions to another path, which led to this error. To fix the issue, the following was done:


  1. Revoked the latest CA Exchange certificate. This can be done by opening your Certification Authority - Issued Certificates, sorting by Certificate Template and picking the latest CA Exchange certificate.

  2. From an admin command prompt ran "certutil -cainfo xchg".

This did the trick and the error was gone from PKIView.



Accessing Exchange 2013 On-Premise Public folders for Office 365 Users

Posted by Ahmed Nabil | 0 comments
Recently I have been working with a friend on his Exchange 2013 hybrid configuration. Once the hybrid configuration is set up, it becomes easy to start migrating on-premises mailboxes to the cloud (Office 365) and assigning them the needed licenses, etc.

One issue reported by the users was that they were not able to see and access their public folders from their Outlook client. Yes, it is legacy and Microsoft has been trying to phase it out, but many companies still depend on it and users love it.

Microsoft has a very good document on configuring legacy public folders for an Exchange hybrid configuration; however, it mainly covers Exchange 2007 and 2010.

For more info, see https://technet.microsoft.com/en-us/library/dn249373(v=exchg.150).aspx

A little background on public folders in Exchange 2013: starting with 2013 there is no longer a separate database for public folders; instead there are special mailboxes that store both the public folder hierarchy and the content.

When you create the first public folder mailbox, it becomes the primary hierarchy mailbox (check the image below).

 
 






So in the screenshots above the public folders are stored in the MasterHierarchy mailbox. This was the tricky point. Here is how to configure cloud/Office 365 users to access the on-premises Exchange 2013 public folders:

  1. First of all we need to sync this mailbox (MasterHierarchy) to the cloud using DirSync or whatever tool you use for syncing your on-premises users to the cloud; this user/mailbox must be synced from the local on-premises AD to the cloud/Office 365.
  2. Open an Exchange Online PowerShell session (to do this follow this document: https://technet.microsoft.com/en-us/library/jj984289(v=exchg.160).aspx ).
  3. Run the following command from the Exchange Online PowerShell: "Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes MasterHierarchy@domain.com". Replace domain.com with your actual domain name.
  4. To make sure the public folders are set for remote access and can be viewed by Exchange Online users, run the following PowerShell command: "Get-OrganizationConfig | fl *public*".

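The Exchange Online side of steps 2 to 4, as an added example that is not part of the original post. It adds the check a practitioner wants before step 3: that the synced hierarchy mailbox actually exists in the tenant, since Set-OrganizationConfig cannot resolve a mailbox that DirSync has not delivered yet. The admin account and mailbox address are placeholders.

```powershell
# Added example, not from the original post: Exchange Online side of the procedure,
# with a pre-check that the hierarchy mailbox was synced. Placeholders below.
$AdminUpn         = 'admin@domain.com'
$HierarchyMailbox = 'MasterHierarchy@domain.com'   # on-premises primary hierarchy mailbox

# Connect to Exchange Online remote PowerShell (same method as the TechNet article above).
$cred = Get-Credential -UserName $AdminUpn -Message 'Exchange Online admin'
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null

try {
    # Step 1 check: the synced object must exist in the tenant before step 3 can work.
    $recipient = Get-Recipient -Identity $HierarchyMailbox -ErrorAction SilentlyContinue
    if (-not $recipient) {
        throw "$HierarchyMailbox is not synced to Office 365 yet; run a directory sync first."
    }
    Write-Host "Found synced object: $($recipient.RecipientTypeDetails) $($recipient.PrimarySmtpAddress)"

    # Step 3: point Exchange Online users at the on-premises public folder hierarchy.
    Set-OrganizationConfig -PublicFoldersEnabled Remote `
        -RemotePublicFolderMailboxes $HierarchyMailbox

    # Step 4: verify. PublicFoldersEnabled must read Remote and the mailbox must be listed.
    $cfg = Get-OrganizationConfig
    $cfg | Format-List PublicFoldersEnabled, RemotePublicFolderMailboxes
    if ($cfg.PublicFoldersEnabled -ne 'Remote') {
        Write-Warning 'PublicFoldersEnabled is not Remote; Outlook clients will not see the on-premises folders.'
    }
}
finally {
    Remove-PSSession $session
}
```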
This should do the trick and you can access your public folders. One more thing: what if you have mail-enabled public folders that you need to send email to? These are not synced by DirSync or whatever tool you are using. In this case we go back to the first document I mentioned: https://technet.microsoft.com/en-us/library/dn249373(v=exchg.150).aspx


  1. Go to Step 2 in the document referred to above and download the 2 scripts.
  2. Follow Step 3 and run the needed commands from your Exchange 2013 server to sync your mail-enabled public folders.

Hopefully this post helps users facing this common issue with hybrid configurations.




How to Remove Old Domain Network Adapter Profiles

Posted by Ahmed Nabil | 0 comments
A common simple issue that you may notice while building a new server or virtual machine is that the network card/Local Area Connection is not displaying the domain.com name but rather domain.com 1, 2, etc. (check the picture below).





Note that the network adapter profile name is controlled by the "ProfileName" registry value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles.

The first network adapter profile name on a clean, fresh installation should be the domain name, in our example "Test.com". If a new network adapter is created, a new GUID registry key is created under the registry location mentioned above. This is a new profile and takes the name "Domain.com 2".




It can happen, especially on virtual machines, that network cards are removed, or that new drivers remove the network cards and reinstall them, which creates new network profiles since the old registry keys still exist.

To remove all these network profiles and get back the default "Domain.com" profile, remove all these GUID keys from the registry under Profiles, then disable your network adapter and enable it again. It will come back with the default Domain.com name.
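The cleanup above as a PowerShell function, added here as an example that is not part of the original post. It lists every profile under the key, and only when -Remove is given deletes the profiles named after the domain (the plain name and the numbered duplicates, as the post describes) and bounces the adapter. The domain name and adapter name are placeholders; Disable-NetAdapter/Enable-NetAdapter are assumed available (Windows 8 / Server 2012 and later).

```powershell
# Added example, not from the original post. Run elevated. Placeholders: domain and adapter name.
function Reset-DomainNetworkProfiles {
    param(
        [Parameter(Mandatory)] [string] $DomainName,   # e.g. 'Test.com'
        [string] $AdapterName = 'Ethernet',
        [switch] $Remove
    )
    $profilesKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'

    # One subkey (GUID) per profile; ProfileName is what the adapter UI displays.
    $profiles = Get-ChildItem -Path $profilesKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Guid        = $_.PSChildName
            ProfileName = $p.ProfileName
            Description = $p.Description
            Category    = $p.Category      # 0 = Public, 1 = Private, 2 = Domain
            Path        = $_.PSPath
        }
    }
    $profiles | Format-Table Guid, ProfileName, Category -AutoSize

    # Profiles named after the domain: "Test.com", "Test.com 2", "Test.com 3", ...
    $pattern = '^' + [regex]::Escape($DomainName) + '( \d+)?$'
    $stale = @($profiles | Where-Object { $_.ProfileName -match $pattern })

    if (-not $Remove) {
        Write-Host "Would remove $($stale.Count) profile(s); re-run with -Remove to apply."
        return $stale
    }

    foreach ($s in $stale) {
        Write-Host "Removing profile '$($s.ProfileName)' ($($s.Guid))"
        Remove-Item -Path $s.Path -Recurse
    }

    # Disable/enable the adapter so it re-registers and comes back as plain "Domain.com".
    Disable-NetAdapter -Name $AdapterName -Confirm:$false
    Start-Sleep -Seconds 3
    Enable-NetAdapter  -Name $AdapterName -Confirm:$false
    return $stale
}

# Preview first, then apply:
Reset-DomainNetworkProfiles -DomainName 'Test.com'
# Reset-DomainNetworkProfiles -DomainName 'Test.com' -AdapterName 'Ethernet' -Remove
```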





 

Windows 10 Security Part 1: Windows 10 Defender is the Microsoft SCEP Client

Posted by Ahmed Nabil | 1 comment
Windows Defender has shipped free of charge with Windows since Windows 8 to protect the PC against malware (viruses, spyware, etc.). It was mainly geared towards personal/home computers, providing adequate malware protection free of charge out of the box. For enterprises Microsoft had another offering, Microsoft System Center Endpoint Protection (SCEP), with policy-based templates based on your workload, fully configured and controlled with Microsoft System Center Configuration Manager.

Lately I was trying to install Microsoft SCEP on a new Windows 10 RTM Enterprise machine. After pushing the SCEP client, the following was noticed:

  1. There is no SCEP on the machine!
  2. The CCMSETUP and EndpointProtection logs showed a successful installation.
  3. Windows Defender (shipped with Windows 10) can't be disabled!
  4. All my SCEP policies and settings are applied to Windows Defender.
  5. When checking Programs and Features, I noticed that System Center Endpoint Protection is installed.

It turned out that in Windows 10, Microsoft SCEP manages the built-in Defender. No SCEP agent gets installed as in previous versions with Windows 8. All reporting and management now come from Defender.

I found one article on TechNet referring to this issue for the Windows Technical Preview.






A Few Members of the Server 2012 R2 Protected Users Group Are Not Able to Log In Locally or Remotely to Their Computers and Servers

Posted by Ahmed Nabil | 1 comment
Microsoft introduced a new security group named "Protected Users" with Server 2012 R2 and Windows 8.1 clients to offer additional protection against credential theft/compromise and to help in your overall mitigation plan for Pass the Hash (PtH) attacks. It is highly recommended to add all your service and high-privileged accounts to this group for more protection.

For more information on this Security group, please check the below link.

https://technet.microsoft.com/en-us/library/dn466518.aspx


Microsoft published two documents (versions 1 & 2) explaining in detail the Pass the Hash attack and possible mitigations; I would highly advise downloading these documents from the link below.

http://www.microsoft.com/en-eg/download/details.aspx?id=36036


Problem:

Back to our main post. We had a scenario where some companies added their main critical service accounts and admin accounts to the Protected Users group. Some of these accounts (not all of them) were then unable to log in to their local machines or remotely to any server, whether of the 2008 or 2012 family. The error message the user receives is shown below:





As soon as these users are removed from the Protected Users group, they work normally again. The weird thing is that this error occurred only for a few accounts in the Protected Users group, not all of them.

The following event was logged in Event Viewer at the time of the logon failure:



Solution:

Upon further investigation we were able to identify a common factor for all the accounts that were unable to log in after being added to the Protected Users group:


  1. They were old accounts, created a few years ago when the domain was at the 2003 domain/forest functional level.
  2. These accounts have non-expiring passwords (since most of them are service accounts)!

Microsoft SCOM sent alerts when one of these users tried to connect/log in to the domain controller, which helped in understanding and solving the problem.



As per the SCOM alert, this was the fix: resetting and changing these specific users' passwords fixed the problem and they were able to log in normally, locally or remotely.


What was the problem?

As mentioned before, these accounts were created a long time ago when the domain/forest functional level was 2003; at that time no AES Kerberos keys were created, and the passwords had not been changed since.


Password hashes are kept on the domain controller for all available etypes (encryption types). It seems that the passwords for these accounts, which were set never to expire, did not have the AES keys but only the NTLM hash. Protected Users only use AES, and that is why these users were not able to connect: their passwords could not be verified since there were no AES keys.

After resetting the password all those hashes were available and the problem was fixed :)
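A check for this condition before it bites, added here as an example that is not part of the original post: it lists Protected Users members whose password was last set before the date your domain moved off the 2003 functional level, since those are the accounts that never received AES keys. The cutoff date is a placeholder you supply for your own domain.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Find-ProtectedUsersWithoutAesKeys {
    param(
        # Placeholder: the date your domain left the 2003 functional level. Passwords set
        # before it never had AES keys generated, which Protected Users requires.
        [Parameter(Mandatory)] [datetime] $AesAvailableSince
    )
    Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires, 'msDS-SupportedEncryptionTypes' |
        ForEach-Object {
            # A password last set before AES was available has only the NTLM (RC4) key.
            $noAes = ($null -eq $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $AesAvailableSince)
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                PasswordLastSet      = $_.PasswordLastSet
                PasswordNeverExpires = $_.PasswordNeverExpires
                # Bit flags: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256; $null = domain default
                SupportedEtypes      = $_.'msDS-SupportedEncryptionTypes'
                LikelyMissingAesKeys = $noAes
            }
        }
}

# Placeholder date for a domain whose functional level was raised from 2003 on that day.
$report = Find-ProtectedUsersWithoutAesKeys -AesAvailableSince '2010-01-01'
$report | Sort-Object LikelyMissingAesKeys -Descending | Format-Table -AutoSize

# The fix from the post is a password reset for each flagged account (review $report first):
# $report | Where-Object LikelyMissingAesKeys | ForEach-Object {
#     Set-ADAccountPassword -Identity $_.SamAccountName -Reset `
#         -NewPassword (Read-Host -AsSecureString "New password for $($_.SamAccountName)")
# }
```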

For more information on hashes and how passwords work in a Windows environment, please check the articles below.







Hopefully this post helps anyone with the same problem and sheds some light on how passwords work in a Windows environment.









Lenovo CTO Admits SuperFish Adware Spoof Attack: Is This the End of the Problem, or Just the Beginning?

Posted by Ahmed Nabil | 0 comments
Lenovo's CTO admits the problem of the SuperFish adware that was loaded on several consumer Lenovo PCs/laptops and confirms the company has published the needed removal tools.

http://www.pcworld.com/article/2886690/lenovo-cto-admits-company-messed-up-and-will-publish-superfish-removal-tool-on-friday.html

Lenovo is additionally promising its customers cleaner and safer future products in an attempt to save its reputation after what happened lately with SuperFish.

http://news.lenovo.com/article_display.cfm?article_id=1934


How did the story begin?

Lenovo came under fire last month (February) after it was discovered that it had been preinstalling the SuperFish adware on Lenovo laptops since 2010. Reports came heavily from different sources confirming this until Lenovo itself admitted the issue and released a removal tool.


http://www.cyberdefensemagazine.com/lenovo-sold-laptop-with-pre-installed-superfish-malware/

http://www.zdnet.com/article/lenovo-accused-of-pushing-superfish-self-signed-mitm-proxy/


The United States CERT (US-CERT) published this issue as a spoofing attack: https://www.us-cert.gov/ncas/alerts/TA15-051A

Lately the United States Department of Homeland Security asked Lenovo to uninstall SuperFish from its products: http://www.reuters.com/article/2015/02/20/us-lenovo-cybersecurity-dhs-idUSKBN0LO21U20150220


What is SuperFish?

It is an advertising company based in California, founded in Israel in 2006, developing various advertising software based on a visual search engine. The adware installs its own certificate and acts as a man-in-the-middle proxy for encrypted HTTPS connections, making users vulnerable.

For more details on how it works, please check the following link:

http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/
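A way to check a machine for the mechanism described above, added here as an example that is not part of the original article: it scans the Trusted Root stores for certificates whose subject matches the adware's name and reports whether they are self-signed, which is what a locally installed interception root looks like. The "*Superfish*" subject pattern is an assumption; pass other patterns to cover the Komodia-based products mentioned later.

```powershell
# Added example, not from the original article. Read-only scan; removal is left commented.
function Find-SuspiciousRootCertificates {
    param(
        # Subject patterns to look for (assumption: the vendor name appears in the subject).
        [string[]] $SubjectPatterns = @('*Superfish*'),
        [string[]] $StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($store in $StorePaths) {
        Get-ChildItem -Path $store | ForEach-Object {
            $cert = $_
            $matched = $SubjectPatterns | Where-Object { $cert.Subject -like $_ }
            if ($matched) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotBefore  = $cert.NotBefore
                    NotAfter   = $cert.NotAfter
                    # Issuer equal to subject means self-signed, as a private interception root is.
                    SelfSigned = ($cert.Subject -eq $cert.Issuer)
                }
            }
        }
    }
}

$findings = @(Find-SuspiciousRootCertificates)
if ($findings.Count -gt 0) {
    $findings | Format-List
    Write-Warning 'Interception-style root certificate(s) found: HTTPS on this machine can be decrypted by whoever holds the matching private key.'
    # Removal (elevated, after confirming each thumbprint):
    # $findings | ForEach-Object { Remove-Item -Path (Join-Path $_.Store $_.Thumbprint) }
} else {
    Write-Host 'No matching root certificates found.'
}
```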



Microsoft and McAfee reacted quickly and updated their antivirus engines to remove SuperFish from Lenovo laptops.

http://mashable.com/2015/02/21/microsoft-mcafee-lenovo-superfish/



Will this end the problem? Many consumers and IT professionals have already blacklisted Lenovo laptops and won't be using them anymore. A lawsuit has already been filed against Lenovo, although they admitted it was a mistake. For more details please check the following article:

http://www.computerweekly.com/news/2240241032/Lenovo-faces-lawsuit-for-pre-installing-Superfish-adware


Things did not stop at Lenovo's reputation or the legal actions; actually things are getting worse. It was traced that SuperFish is based on a third-party SDK (Software Development Kit) called SSL Decoder, created by an Israeli company named Komodia. Several users are now compiling lists of software and applications using this SDK.

For more details, please check the following article:

http://www.pcworld.com/article/2887253/superfish-vulnerability-traced-to-other-apps-too.html

So what should we do in this totally insecure environment? I believe we should go back to the basics: educating users and ourselves. The Internet can be a good educational place, but at the same time there is a dark side that no one would like to face nowadays.

We need to be extra cautious on public Wi-Fi networks, regularly check our passwords and ensure they are hardened, regularly check our credit cards, and ensure our devices are protected by at least two protection layers (personal firewall, antivirus/anti-spyware and vulnerability scanners).


Securing our devices is getting harder; threats change all the time and are sometimes shipped with trusted software. We need to be extra cautious as long as we are on the Internet.