Category Archives: Security

Gmail Account Hacked?

I was asked recently, “What do I do if my Gmail account is hacked?” I came across the following links when doing some research and thought I’d pass them on and save them for the next time I’m asked.

http://www.friedbeef.com/how-to-check-if-your-gmail-account-has-been-hacked/

http://sciencenotes.wordpress.com/2010/05/06/what-to-do-if-your-gmail-account-is-hacked/

I enjoyed reading this one (not that I hated the other two…)

http://www.hmtweb.com/blog/2009/04/hacked-gmail-accounts-what-to-do-if.html


Quick Hits

Just a few tidbits from the field…

1. Open File – Security Warning

I had this annoying error when trying to open .ADP files from a network share. I read many posts but found the solution to be the following:

Using a GPO:
a. Go to User Configuration | Administrative Templates | Windows Components | Attachment Manager
b. Edit the setting Inclusion list for low file types
c. Set it to Enabled and then enter the file types you don’t want to be warned about.

2. I was working with a XenServer support engineer who, when not quite sure of a command he had entered earlier, entered the “history” command and it displayed a list of all commands previously executed. Being that I spend most of my time on Windows servers, I found this little command to be pretty neat. I’ve already used it several times since.

3. If you get an Invalid Login with code 0000C801 when logging into an App-V Management Server running on Windows Server 2008, enable the IIS Windows Authentication role service as pointed out here:

http://social.technet.microsoft.com/Forums/en/appvbeta/thread/7ee7d9de-a82f-4e2d-9673-01f4ffd9de85
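The GPO setting in tidbit 1 writes a semicolon-separated LowRiskFileTypes value under the per-user Policies\Associations key. As an added example (not from the original post), this PowerShell sets that value for the current user on a test machine and refuses to add extensions that are executable, since the inclusion list silences the warning for whatever you put in it; the NeverLowRisk list is a constructed deny-list, and a domain GPO will still overwrite the value at the next policy refresh.

```powershell
# Registry location written by "Inclusion list for low file types" (Attachment Manager)
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'

# Constructed deny-list: executable types that should never be marked low risk
$NeverLowRisk = '.exe', '.bat', '.cmd', '.com', '.scr', '.vbs', '.js', '.ps1', '.msi', '.hta'

function Add-LowRiskFileType {
    param([Parameter(Mandatory)][string]$Extension)

    $ext = '.' + $Extension.TrimStart('.').ToLower()
    if ($NeverLowRisk -contains $ext) {
        throw "Refusing to mark executable type $ext as low risk"
    }

    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }

    # Read the existing list (REG_SZ like ".adp;.mdb;") and merge the new extension
    $current = (Get-ItemProperty -Path $PolicyKey -Name LowRiskFileTypes `
                -ErrorAction SilentlyContinue).LowRiskFileTypes
    $list = @()
    if ($current) { $list = @($current -split ';' | Where-Object { $_ }) }
    if ($list -notcontains $ext) { $list += $ext }

    # Attachment Manager expects each entry to be terminated by a semicolon
    Set-ItemProperty -Path $PolicyKey -Name LowRiskFileTypes -Value (($list -join ';') + ';')
    return $list
}

# The .ADP case from the post; an attempt to add 'exe' would throw instead
Add-LowRiskFileType -Extension 'adp'
```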

Two-Factor Authentication for Outlook Anywhere

Many companies use RSA SecurID to support two-factor authentication and have implemented it with Microsoft ISA to provide two-factor authentication for OWA and ActiveSync with fantastic results. I’ve been asked lately if it is possible to support two-factor authentication with Outlook Anywhere. Using RSA products, it does not appear possible. I have read a couple of blogs about creating a custom website that could be used as an RSA “front-end” to Outlook Anywhere, but I prefer not to overcomplicate matters.

While researching RSA solutions, I came across Deepnet Unified Authentication for Outlook, which looks like a promising solution for enabling two-factor authentication for Outlook Anywhere.

http://www.deepnetsecurity.com/solutions2/outlook.asp

I spoke to a Deepnet sales manager today and the Deepnet product suite addresses the following security concerns shared by most security administrators:

1. Weak Authentication
Deepnet allows you to enable two-factor authentication for Outlook Anywhere

2. Unmanaged devices
Only those client PCs with the Deepnet agent installed can access Outlook Anywhere. The client software we discussed was DevicePass, which is used to create a machine fingerprint. The “fingerprint” information can include the machine’s serial number, motherboard ID, CPU ID, BIOS, MAC address, etc. This ensures that only those machines approved by the company can connect to the email system using Outlook Anywhere.

3. Insecure Local Data
Deepnet can be used to enforce a disk encryption policy thereby protecting local data should a laptop be stolen.

They sent me a small PowerPoint file which provided a high-level overview of the Deepnet architecture and I hope they don’t mind me sharing it here:

Basically, three components are required: a Deepnet Authentication Server (which can be a VM), the Deepnet Agent for IIS (installed on the Exchange 2007 CAS), and the Deepnet Agent on the client machines. Deepnet stated that the installation of these components is very easy and that no consulting time is needed; in fact, they said the solution could be up and active within a day. Also, it can work alongside RSA, so no cutover is required. Deepnet can replace RSA, but the replacement can be done as a migration.

I’m very excited about the possibilities and hope to have more posts very soon as we should receive a fully functional 30-day evaluation license on Monday.


Accessing OWA thru ISA using RSA

Have you ever wondered how to properly set up access to OWA 2007 through ISA 2006 using RSA authentication? Quite honestly, this is not a subject I have spent much time thinking about, but the current work project has required that I do so. Fortunately, there are many articles out there on how to set it up. After completing the initial setup, my personal favorite is this one: http://smtp25.blogspot.com/2009/09/rsa-securid-ready-implementation-guide.html

However, I didn’t find this one at the start, so I got to have some fun and mess around a bit with these three components. If you follow Oz’s steps, you shouldn’t see any of these things, but I thought it may be fun to share what can happen if you don’t follow his steps.

1. 106: The Web server is busy. Try again later.

I got the 106: The Web server is busy message because I did not copy the sdconf.rec to the Program Files\Microsoft ISA Server\sdconfig directory.

2. YES! I finally got to my login prompt, but upon entering my username and SecurID passcode and PIN, I saw this: 100: Access denied. RSA ACE/Server rejected the passcode that you supplied. Try again with a valid passcode.

In this case, I received this because I had not copied the SecurID file to the Program Files\Microsoft ISA Server\sdconfig directory.

3. Awesome! Now I see Authentication Success, I’m getting somewhere:

But now I get the following: Error Code: 500 Internal Server Error. The parameter is incorrect. (87)

Looking at the Publishing Rule on ISA, specifically the Web Farm tab, the “Requests appear to come from” option was not set to ISA Server Computer. After changing it and applying the ISA configuration, I could access my mailbox using OWA.

Though I am able to get in to OWA, it looks like my rules could use a little tweaking to improve the user experience. Once those are hashed out, I’ll post them.


Exchange Servers need the Manage Auditing and Security Log right

If you are troubleshooting why your Exchange services are not starting, be sure to double-check the Manage auditing and security log permission on the Default Domain Controllers Policy. When the “Manage auditing and security log” permission (SeSecurityPrivilege) is removed from the Exchange Enterprise Servers (Exchange 2000/2003) or the Exchange Servers (Exchange 2007) groups, many issues may arise, including those found here:

http://support.microsoft.com/kb/896703

Why does Exchange need the Manage auditing and security log permission?

The SeSecurityPrivilege right is required to support various Exchange security functions, including the ability to report which Windows accounts are being used to gain access to mailboxes. These groups are granted the required access rights because Exchange no longer uses its own security/service account but runs as the Local System account, which has no permissions on machines other than its own. Thus, the Exchange server groups are required for proper authentication.

By default, the only group in the domain with the SeSecurityPrivilege right is the built-in Administrators group. When Exchange 2003 is installed, the /domainprep process grants this privilege to the Exchange Enterprise Servers group. For Exchange 2007, the /PrepareDomain process grants this privilege to the Exchange Servers group.

How can this privilege be revoked?

There are several reasons which could lead to this privilege being reset or revoked. First, if the Security.inf template is reapplied to the domain, the SeSecurityPrivilege right is reset to its default. Also, third-party security auditing or configuration tools may issue a general security recommendation flagging that a group other than BUILTIN\Administrators holds SeSecurityPrivilege. Wanting to ensure security “best practices” are followed, an administrator may then remove the Exchange Enterprise Servers group.

How can you verify the privilege is in place?

The Policytest.exe utility, included on the Exchange installation CD-ROM, can be used to verify the privilege is in place. Simply execute the .exe to view output similar to that shown below:

Policytest will check each domain controller to verify the right is in place.

The solution…

I suppose you have a couple of choices:
1. Rerun Exchange setup using the /DomainPrep (2000/2003) or /PrepareDomain (2007) switch, depending on your version of Exchange.
2. Edit the Default Domain Controllers Policy, or create a new GPO, and go to: Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment. From there, add the required Exchange Servers group to the Manage auditing and security log privilege.

If the SeSecurityPrivilege right is being reset repeatedly, and you cannot determine why, audit changes made to domain controller security policy:
1. On each domain controller, change the size and rollover settings for the Security log as much as necessary to support increased amounts of logging information.
2. Start the Domain Controllers Security Policy console.
3. Expand Local Policies, expand Audit Policy, and then turn on Success auditing for Directory Access and Policy Changes.
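The Policytest check described above can be reproduced with secedit, which on a domain controller exports the effective user rights, including what the Default Domain Controllers Policy applied. This PowerShell is an added example, not from the original post or from Microsoft; it assumes the RSAT ActiveDirectory module and WinRM access to each DC, and that the group is named Exchange Servers (pass Exchange Enterprise Servers for 2000/2003).

```powershell
# Return the SIDs (or names) that hold SeSecurityPrivilege on one domain controller
function Get-SeSecurityPrivilegeHolders {
    param([Parameter(Mandatory)][string]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $inf = Join-Path $env:TEMP 'user_rights.inf'
        # Export only the User Rights Assignment area of the effective policy
        secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $line = Get-Content $inf | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
        Remove-Item $inf -ErrorAction SilentlyContinue
        if (-not $line) { return }
        # Line looks like: SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-...-1119
        ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}

# Check every DC in the domain, the same way Policytest walks them
function Test-ExchangeSecurityPrivilege {
    param([string]$GroupName = 'Exchange Servers')

    $domain = (Get-ADDomain).NetBIOSName
    $account = New-Object System.Security.Principal.NTAccount($domain, $GroupName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    foreach ($dc in Get-ADDomainController -Filter *) {
        $holders = @(Get-SeSecurityPrivilegeHolders -ComputerName $dc.HostName)
        [pscustomobject]@{
            DomainController = $dc.HostName
            HasRight         = ($holders -contains $sid) -or ($holders -contains "$domain\$GroupName")
            Holders          = $holders -join ','
        }
    }
}

Test-ExchangeSecurityPrivilege | Format-Table -AutoSize
```

Any DC reporting HasRight False is one where the privilege has been reset and where the GPO fix above (or a rerun of DomainPrep/PrepareDomain) is needed.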
