22
Feb 13

Delete A Message From All Mailboxes in Exchange 2010

I have an external service which provides blacklist and RBL filtering, as well as SPAM fingerprinting. It’s pretty effective. Even so, here’s one that comes up fairly regularly: an email with a malicious link makes it into many users’ mailboxes.

Usually this sender is trusted, such as an employee’s personal email address, a customer’s address, or the like.  With that, lots of people will assume it’s legit and click the link…and it’s off to the races depending how well you’re patched against things like the recent wave of Java 0-days.

In this scenario, I received such an email from a known good customer. In the To and CC lines, I saw that many people in my organization had ended up on the receiving end of this email, too.

Here’s a quick PowerShell one-liner that’ll scoop emails out of your Exchange store using any combination of subject, sender, and sent date.

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery 'Subject:"xxxxxx" AND From:"user@yahoo.com" AND Sent:02/22/2013' -DeleteContent -TargetMailbox "youraddress@domain.com" -TargetFolder "export-folder" -LogLevel Full

Ok, so let’s look at that really quickly. We’re using the Exchange PowerShell module and calling the Get-Mailbox cmdlet with no arguments other than “-ResultSize Unlimited”. This makes the entire mail store your search base. Next, we pipe the search base to Search-Mailbox with our query criteria. Like I mentioned, you can mix and match based on what you have to work with: if the message you need deleted has no subject, leave the subject term out; if it comes from random email addresses but has a common subject, leave the sender term out.

The last part is DeleteContent with a target mailbox. This should be an admin user’s mailbox. The command deletes the matching mail from every other user’s mailbox and drops a copy into your TargetFolder (if this folder doesn’t exist, it’ll be created for you). Now you can verify in Outlook/OWA that all the messages you wanted deleted are present, then erase the folder. Malicious message gone from your Exchange server!


Remember, the more specific you are, the better.  Searching for any email with the subject of “Hey” mailed last Thursday WILL delete all messages that match, legit or not.
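One way to check how specific a query is before deleting anything is to run it with -EstimateResultOnly first. This is an added example, not part of the original post; the query values, admin mailbox and the $maxHits ceiling are placeholders or assumptions.

```powershell
# Added example: preview-then-delete workflow for Exchange 2010 Search-Mailbox.
# Subject, sender, date and admin mailbox are the post's placeholders.
$query   = 'Subject:"xxxxxx" AND From:"user@yahoo.com" AND Sent:02/22/2013'
$admin   = 'youraddress@domain.com'
$folder  = 'export-folder'
$maxHits = 200    # hypothetical sanity ceiling; tune to the size of your org

# 1. Estimate only: nothing is copied or deleted in this pass.
$estimate = Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $query -EstimateResultOnly

$hits  = @($estimate | Where-Object { $_.ResultItemsCount -gt 0 })
$total = ($hits | Measure-Object -Property ResultItemsCount -Sum).Sum

$hits | Sort-Object ResultItemsCount -Descending |
    Format-Table Identity, ResultItemsCount, ResultItemsSize -AutoSize
Write-Host "Matched $total item(s) in $($hits.Count) mailbox(es)."

# 2. Stop if nothing matched or the query is clearly too broad.
if (-not $total) { Write-Host 'Nothing matched; check the query.'; return }
if ($total -gt $maxHits) {
    Write-Warning "More than $maxHits items matched; tighten the query before deleting."
    return
}

# 3. Delete only from the mailboxes that had hits, keeping a copy and a full
#    log in the admin mailbox. Without -Force, Search-Mailbox asks for
#    confirmation on each mailbox. DeleteContent requires the
#    Mailbox Import Export management role.
foreach ($hit in $hits) {
    Search-Mailbox -Identity "$($hit.Identity)" -SearchQuery $query `
        -TargetMailbox $admin -TargetFolder $folder -LogLevel Full -DeleteContent
}
```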

Also useful for when you send the embarrassing tale of your weekend escapades to “All” instead of “Allie”, the cute girl in accounting.

Cheers,

Marcus


15
Feb 13

Hyper-V 2008 R2 Virtual Switch Issues

Just came across an issue in Hyper-V:  I was making changes to a network adapter’s binding in Hyper-V manager under the Virtual Network Manager when MMC crashed, closing out Hyper-V manager.  Upon reopening, trying to bind the virtual switch to an External Adapter resulted in the following error:

[Window Title]
Virtual Network Manager

[Main Instruction]
Error Applying New Virtual Network Changes

[Content]
Setup switch failed.

Cannot bind to ‘HP NC373i Multifunction Gigabit Server Adapter #8’ because it is already bound to another virtual network.

[Close]

Searching the error resulted in the following KB, KB2486812:

http://support.microsoft.com/kb/2486812

Essentially, download the NVSPbind tool and extract it. Copy the EXE to your server and run it with no switches to list all adapters.

The format is:

{6B360F51-C6C4-4EA0-AFEF-E4D1056B498E}
"pci\ven_14e4&dev_1600&subsys_3015103c"
"Friendly NIC Name"
"Local Area Connection":
disabled: ms_netbios       (NetBIOS Interface)
disabled: ms_server        (File and Printer Sharing for…

After finding the offending adapter, run:

nvspbind /u "Friendly NIC Name"

 

This will scrub the binding and allow you to try again via the GUI or Powershell.

 

 


08
Feb 13

Connecting to Watchguard SSLVPN from Android

I’ve used Android phones since way back in 2008 (version 1.5? Maybe 2.1).  At the moment I’ve got a Galaxy S3 running a 4.2.1 Jellybean ROM.

On the remote side, I have Watchguard firewalls deployed in my HQ and branch offices.  HQ terminates SSL VPN connections and routes traffic appropriately.

Being out and about, the inevitable support call comes up. It’d be nice to fire off a SQL query, RDP to a machine, SSH into a box, etc, without opening these services up to the world. Running to the nearest PC isn’t always ideal — my phone is ALWAYS with me, but VPN support has been lacking. This reddit post on apps for IT professionals finally motivated me to sit down today and get it working.

In the past I’ve looked at Watchguard’s client files in order to get SSL VPN working on Ubuntu.  This arms me with the knowledge that they’re using nothing more than an OpenVPN wrapper. This works out wonderfully because OpenVPN is pretty mature and fully embraced.

After some trial and error, I found the right Android client and the correct combo of settings to make this work.

First off, download the OpenVPN for Android client from the Play Store or hit the QR code.


My setup is detailed below — depending on your config, settings will vary.

  • Watchguard XTM 505’s running 11.6.1
  • Watchguard SSL VPN client configured and working from Windows 7 (OS X has a client, too, but I’m more familiar with the Windows locations of its certs).
  • Default advanced settings (SHA-1 authentication, AES 256 encryption, TCP data channel, port of your choice — I use 450)

Android:

  • S3 running 4.2.1 (Cyanogenmod 10.1)
  • OpenVPN for Android (no root required)

Settings:

  • Start a manual profile with a profile name of your liking.
  • Edit Basic Settings.
    • Server Address can be a DNS record or the external IP address to your firewall
    • Server port: Port taken from the advanced settings on your firewall – default is 443, mine is set to 450 to avoid port conflicts
    • TCP
    • No LZO compression

From a machine that you’ve connected with the SSL VPN client before, copy your ca.crt, client.crt and client.pem to your phone. In Windows 7, these are located at %appdata%/Watchguard/Mobile VPN.

Back in the OpenVPN client, change type to User/PW + Certificates. Now, click CA Certificate and browse to your ca.crt file and import. Click client certificate, browse to your client.crt and import. Click Client certificate key, browse to your client.pem file and import.

Next, input your username and password that you use to authenticate from the Watchguard SSL VPN client on Windows – I’m using Active Directory, so it’s my Windows username and password.  Your setup will certainly vary here – check your SSL VPN settings on the firewall for authentication type (Firebox-DB, AD, Radius, LDAP, etc.)

  • Go back. Leave IP settings unchanged.
  • Under routing, clear the check for default route under IPV6.
  • Under authentication, add AES-256-CBC under encryption cipher.
  • Leave advanced settings unchanged.

Go back to the main menu and tap your newly configured profile.  If all goes well, the logs will fly by and you’ll get a notification that the VPN is connected.

Fire up a terminal window and try pinging a resource on the remote side to confirm connectivity.
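The manual settings above can also be expressed as a single OpenVPN profile with the certificates inlined, which OpenVPN for Android can import as one file. This PowerShell sketch is an added example, not part of the original post or WatchGuard's tooling; $server and the output file name are placeholders, and the directives simply mirror the settings listed in this post.

```powershell
# Added example: build a one-file OpenVPN profile from the WatchGuard client
# files on the Windows 7 machine. Written to run on PowerShell 2.0.
$server = 'vpn.example.com'   # placeholder: DNS name or external IP of the firewall
$port   = 450                 # the post's custom port; the firewall default is 443
$src    = Join-Path $env:APPDATA 'Watchguard\Mobile VPN'
$out    = Join-Path $env:USERPROFILE 'watchguard-android.ovpn'   # hypothetical name

function Get-InlineBlock([string]$Tag, [string]$File) {
    $path = Join-Path $src $File
    if (-not (Test-Path $path)) { throw "Missing $path" }
    $body = [IO.File]::ReadAllText($path).Trim()
    # Refuse anything that is not PEM so a wrong file is caught here, not on the phone.
    if ($body -notmatch '-----BEGIN [A-Z ]+-----') { throw "$File does not look like PEM" }
    "<$Tag>`n$body`n</$Tag>"
}

$lines = @(
    'client'
    'dev tun'
    'proto tcp-client'        # TCP data channel
    "remote $server $port"
    'nobind'
    'auth-user-pass'          # prompts for the firewall username/password
    'auth SHA1'               # SHA-1 authentication, as set on the firewall
    'cipher AES-256-CBC'      # AES 256 encryption
    # no comp-lzo line: LZO compression stays off
    (Get-InlineBlock 'ca'   'ca.crt')
    (Get-InlineBlock 'cert' 'client.crt')
    (Get-InlineBlock 'key'  'client.pem')
)

$lines | Out-File -FilePath $out -Encoding ascii
Write-Host "Wrote $out"
# The profile contains the client private key: move it to the phone over a
# trusted channel and delete the copy on disk afterwards.
```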