Author: Adam Fowler

LinkedIn Security/Information Risks with Exchange

Posted on by Adam Fowler

Hi,

Today after logging on to LinkedIn, I was greeted with a new screen I found rather worrying. It is commonplace for services like LinkedIn and Facebook to scan through your address book, and ask for credentials to do so (which is rather concerning already), but a new option has popped up:

 

linkedin

 

This is asking for your work username and password. No 3rd party should be asking for corporate credentials like this, even more so a company that’s been hacked before http://www.pcworld.com/article/257045/6_5m_linkedin_passwords_posted_online_after_apparent_hack.html . I tried this with a test account, entering the username and temporary password. It then asked for further information, which was the address for the Outlook webmail link and then connected and started showing contacts.

LinkedIn on this page says “We’ll import your address book to suggest connections and help you manage your contacts. And we won’t store your password or email anyone without your permission.” which is a start, but it’s just such a bad practise to get into, and encouraging people to do this is irresponsible of LinkedIn in my opinion. On top of this, it’s providing an easy mechanism for staff to mass extract their contacts outside the company, which many companies frown upon or even have strict policies in place.

You can’t stop people from entering in these details of course, but you can block the connection from working at the Exchange end, as long as you have at least Exchange 2010 SP1.

There are a few settings to check. First, under the Set-OrganizationConfig area, you’ll need to check that EwsApplicationAccessPolicy is set to ‘EnforceBlockList’. If it’s not, it’s going to be “EnforceAllowList” and you’re probably OK, as it’s using a whitelist for access to only what’s listed rather than a blacklist, to only block what’s listed.

Next, you need to add LinkedIn into the BlockList. This is done with the command “Set-OrganizationConfig -EwsBlockList LinkedInEWS

How do we know it’s the string “LinkedInEWS” to block? The IIS log files from Exchange will reveal this. After doing your test of trying LinkedIn (or any other Exchange Web Services connection) there will be a log entry. You can read this blog post from Microsoft for some great details http://blogs.technet.com/b/matabra/archive/2012/08/23/block-mobile-apps-that-use-exchange-web-services.aspx but the abbreviated version is to look at what’s connecting fir POST /EWS/Exchange.asmx, and you’ll see the username you used to test, then the named connection. Here’s an example (with domain, username and IP changed):

2013-06-02 10:37:48 192.1.1.135 POST /EWS/Exchange.asmx – 443 domain\testusername 192.168.1.1 LinkedInEWS+(ExchangeServicesClient/0.0.0.0) 200 0 0 296

After applying, I retested and it seemed to still connect, but couldn’t find any contacts. My guess is that it’s authenticating OK, but then refusing to do much else. If anyone else would like to test this and post the results, I’d be very happy to find out update this.

 

Funnily enough, after writing this I found that LinkedIn had posted a very short version of the above:

From: http://help.linkedin.com/app/answers/detail/a_id/5025

Disabling Contact Import Process – Corporate IT Managers Instructions

How do I disable the ability for employees at my company to import contacts from their work email account?

Last Reviewed: 10/10/2012

Report Answer Inaccuracies

If you’re a Corporate IT manager, you can disable an employee’s ability to import contacts from their work email accounts.

Use Set-OrganizationConfig cmdlet to:

  • Set the value of config parameter EwsApplicationAccessPolicy to EnforceBlockList.
  • Add value LinkedInEWS to config parameter EwsBlockList.

For more information on using Set-OrganizationConfig cmdlet, please refer to Microsoft’s Managing Access for EWS Managed API Applications.

 

Further reading is available here:

http://thoughtsofanidlemind.wordpress.com/2010/08/12/controlling-ews-access-in-exchange-2010-sp1/

http://security.stackexchange.com/questions/36560/how-do-i-block-linkedin-from-extracting-data-from-microsoft-exchange-server

 

Update:

Paul Cunningham has done a great writeup about this with some extra investigation and details, have a read: http://exchangeserverpro.com/blocking-linkedin-access-to-your-exchange-server-organization/

 

Update 2:

This story had now been picked up by The Register, have a read here: http://www.theregister.co.uk/2013/06/06/linkedin_snarfing_contacts_from_exchange/

 

Update 3:

Seems to be getting picked up all over the place, so I’ll just keep updating this point as I find other articles. There’s some good discussion and opinions on this out there, such as why is Exchange configured to allow everything by default?

http://securencrypt.com/blog/linkedin-has-major-privacy-issue/

http://webwereld.nl/beveiliging/78036-linkedin-slurpt-data-van-zakelijke-exchange-servers

Unable to Map Drives from Windows 8 and Server 2012

Posted on by Adam Fowler

Hi,

Came across this issue recently and thought it was worth sharing. From a Windows 8 machine, trying to map drives to either Windows Server 2003 or Windows Server 2008 and failing. It was just the generic ‘Windows cannot access *blah*” but the details had ‘System error 2148073478’. Some googling found this Microsoft Support article: http://support.microsoft.com/kb/2686098

First, this only talks about 3rd party SMB v2 file servers which is a bit strange, but applying this client fix fixed it on an individual basis:

  • Disable “Secure Negotiate” on the client. 
    You can do this using PowerShell on a Windows Server 2012 or Windows 8 client, using the command:

    Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters” RequireSecureNegotiate -Value 0 -Force
  • Note: If you get a long access denied error, try running Windows PowerShell as an Administrator.

Fixes it, but not ideal. A better solution may be to disable SMB signing on the particular server you’re connecting to. The next set of instructions are fromExinda: http://support.exinda.com/topic/how-to-disable-smb-signing-on-windows-servers-to-improve-smb-performance

To disable SMB signing on the Windows Server 2000 and 2003 perform the following:

  1. Start the Registry Editor (regedit.exe).
  2. Move to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters.
  3. From the Edit menu select New – DWORD value.
  4. Add the following two values EnableSecuritySignature and RequireSecuritySignature if they do not exist.
  5. You should set to 0 for disable (the default) or 1 to enable. Enabling EnableSecuritySignature means if the client also has SMB signing enabled then that is the preferred communication method, but setting RequireSecuritySignature to enabled means SMB signing MUST be used and so if the client is not SMB signature enabled then communication will fail.
  6. Close the registry editor.
  7. Shut down and restart Windows NT.

In addition, default Domain Controller Security Policies may also force these values to “enabled” on Windows Servers. 

On Windows 2003 Servers, open Domain Controller Security Policy under Administritive Tools. Expand the Local Policies tree, then expand the Security Options tree and look for:Set both of these values to “Disabled”.

  • – Microsoft network server: Digitally sign communications (always)
  • – Microsoft network server: Digitally sign communications (if client agrees)

To disable SMB signing on the Windows Server 2008 and 2008 R2 perform the following: 

Changes need to be applied in the Group Policy management console. 
      Start –> Administrative Tools –> Group Policy Management 
Configure the Default Domain and Default Domain Controller Policies. The settings you are looking for are under: 
      Computer Configuration –> Policies –> Windows Settings –> Security Settings –> LocalPolicies –> Security

 Turning off SMB signing isn’t a best practise security thing to do, but if you need to get out of trouble and it’s only on your internal network then the risk of someone modifying SMB packets in transit is rather low, plus you’ll get a 15% boost due to losing the overhead of SMB signing. This is still a preferred option to just completely disabling it on the client, because at least the client can still do secure SMB to other servers.
Update: Trying this from Windows 8 PC to a Windows 7 PC had a similar issue, but the error code was 0x80004005. Another workaround is running the powershell command Set-SmbClientConfiguration -RequireSecuritySignature $true on the Windows 8 client. This may break other stuff again, if you try to connect to something that doesn’t have a Security Signature. Investigate this for yourself :)
All of the above should apply to Windows Server 2012 too.

Samsung ATIV Smart PC Pro 700T Review

Posted on by Adam Fowler

Hi,

I’ve been using the Samsung ATIV Smart PC Pro 700T solidly for a week for work purposes while travelling, so I thought it was about time to put up a brief review.

What is it? A hybrid laptop/tablet from Samsung that runs Windows 8. It’s a hybrid as you can undock it from the keyboard (similar to a Microsoft Surface, but the docking/undocking mechanism is nowhere near as nice) and use it as a tablet.

Here’s the Samsung site for it: http://www.samsung.com/us/computer/tablet-pcs/XE700T1C-A01US

…and here’s the specs from the same site:

 

Processor
 
Processor
 
Intel® Core™ i5-3317U Processor
 
Speed (GHz)
 
1.70 GHz
 
CPU Cache
 
3MB L3
 
Display
 
LCD Size
 
11.6"
 
Type
 
LED Full HD
 
Resolution
 
1920 x 1080
 
Brightness
 
400 nits SuperBright™ Plus Technology
 
System Memory
 
System Memory
 
4GB
 
Memory Type
 
DDR3 (1600MHz)
 
Max. System Memory
 
4GB (On Board)
 
Storage
 
HDD
 
128GB SSD
 
HDD RPM
 
SSD
 
SATA
 
SATA2
 
Graphics
 
Chipset
 
Intel® HD Graphics 4000
 
External or Integrated
 
Integrated
 
Maximum Graphics Memory
 
Shared
 
Sound & Camera
 
Speaker
 
Stereo Speakers (1 W x 2)
 
Sound Effect
 
SoundAlive™
 
Web Cam
 
2.0 MP HD(Front)
 5.0 MP HD (Rear)
 
Internal Mic
 
Yes
 
Wireless
 
Wireless LAN
 
802.11 a/b/g/n
 
Bluetooth
 
4.0
 
WiDi
 
Yes
 
I/O Ports
 
HDMI
 
Micro HDMI
 
Headphone Out
 
Yes (Headphone/MIC combo)
 
Microphone In
 
Yes
 
USB Ports (Total)
 
1 x USB 3.0
 
Multi Card Slot
 
1 Micro SD
 
Docking Port
 
Yes
 
Input Devices
 
Touch Pad / Track Point
 
Available with Keyboard Dock Accessory
 
Power
 
AC Adapter
 
40 W
 
Number of Cells/Cell Type
 
4 cell / Li-Po
 
Watt Hours
 
49
 
Dimensions
 
System Dimensions (L x W x H, Inch)
 
11.97" x 7.46" x 0.47"
 
Weight
 
System Weight (w/Std. Battery, lb.)
 
1.96 lb.

 

As you can see, it’s grunty enough with an i5 CPU and has the current standard Intel graphics chipset, but the screen runs at a rather high 1920 x 1080 for an 11.6″ screen. For general day to day use, this is just makes text a bit too small, and makes the cursor difficult to use with a small trackpad and a lot of pixels to cover distance wise.

The undockable keyboard is quite nice to use (I’m typing on it right now) so no complaints there, but due to the weight of the screen being a stand-alone tablet, there are two annoyances. First, it’s top heavy so can easily fall backwards as the keyboard is quite light. Secondly, the joints that hold up the screen aren’t tight enough so if you’re trying to type in bed on your back, the screen will just collapse onto you.

Other things like battery life were adequate at 3-4 hours, screen orientation detection works quite well and the 3 USB ports are again adequate, but 1 or 2 more wouldn’t go astray. There’s only one USB port on the tablet, and an extra 2 on the keyboard. The touchpad is nice to use, but I kept triggering right clicks when I didn’t intend to.

Overall a decent device depending on your needs, but in my eyes the Surface is a better pick.

Exchange 2010 – Out of Office for HelpDesk

Posted on by Adam Fowler

Hi,

One of the pains of looking after Exchange 2010 is putting in an Out of Office message for someone who forgot to do it before they went away, and either can’t or won’t do it themselves remotely. If you’re lucky enough to be able to delegate this task out to others, you can easily do so with “Role Based Access Control”. There’s a nice built in group called ‘Help Desk’ which gives the members access to everyone’s Outlook Web Access Options (not their actual emails). These options include Out of Office as well as several other useful settings that are not particularly private or contain confidential information.

To do this, from the Exchange Management Console go to Toolbox > Role Based Access Control (RBAC) User Editor. This will bring up a web page that is a part of Outlook Web Access – log in with the relevant credentials for Exchange Administration, and you can navigate to the Roles & Auditing Section:

rbac

From this, you can double click on the Help Desk entry from the list of Role Groups, and add members to the list.

Once this is done, the users who were added to the group can access other user’s Out of Office by logging onto Outlook Web Access, going to Options > Set Automatic Replies. You’ll be greeted with this screen:

auto replies

From here, you can drop down the ‘Manage Myself’ menu and choose ‘Another User…’, select your user and you’ll see the selected users options screen, allowing you to set Out of Office.

Hope that helps!

Update 7th October 2014:

I had someone ask as the above didn’t work for them, but it was due to one of the Assigned Roles being removed against Help Desk. They should be:

Assigned Roles:
Message Tracking
User Options
View-Only Recipients

Exchange 2010 Unified Messaging – Unrecognised Voicemail Extension

Posted on by Adam Fowler

Hi,

I had an issue where a particular user’s voicemail on Exchange 2010 wasn’t working. When they called the voicemail number, they were asked “To access your mailbox, please enter the extension” rather than being greeted with their name and messages. The user was on Lync 2010, and Unified Messaging was enabled on their account with the matching extension number. Also, when dialing voicemail and trying to enter the extension number just met the message ‘XXX isn’t a valid mailbox’.

Disabling and re-enabling Unified Messaging made no difference. I was rather confident this was an Exchange/Unified Messaging issue, so I had the idea of checking ADSI edit to see if UM was properly enabled.

Checking the attribute “msExchUMEnabledFlags” found the issue. When a user has UM enabled, the value of this field should be 831, or 830 when disabled. I’ve come across this issue before, where it’s the wrong value and needs to be changed, but this was the first time I’d come across it as being 832.

Never a good sign when you google something, and you get zero results:

exchange

Changing the Attribute value back to 831 instantly fixed the issue, didn’t even require disabling and re-enabling Unified Messaging. If all else fails, change the value back to 830, refresh your Exchange Management Console and the user should show as being disabled for Unified Messaging, then re-enable as you normally would.

Hope this helps anyone else who comes across a similar issue.