ADV190007 | Guidance for PrivExchange Elevation of Privilege Vulnerability

Exchange on-prem only
Security Advisory
An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could attempt to impersonate any other user of the Exchange server. To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user.
A planned update is in development. If you determine that your system is at high risk, you should evaluate the proposed workaround below.
After installing the update you can undo the workaround with this command (use the name of the throttling policy you created; the steps below call it NoEwsSubscriptions):
Remove-ThrottlingPolicy AllUsersEWSSubscriptionBlockPolicy

For more about ThrottlingPolicy, see the Exchange documentation.

How to

Run the following command to create an organization-wide throttling policy that blocks EWS subscriptions:

New-ThrottlingPolicy -Name NoEwsSubscriptions -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0

Then create an allow-list policy for users who run into problems once EWS subscriptions are blocked:

New-ThrottlingPolicy -Name AllowEwsSubscriptions -ThrottlingPolicyScope Regular -EwsMaxSubscriptions 5000

Assign those users to the allow-list policy:

Set-Mailbox User1 -ThrottlingPolicy AllowEwsSubscriptions
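As an added example (my own script, not code from the advisory or this post), the three steps above combined into one run that can be repeated safely and that ends with a verification of which mailboxes are exempt. It assumes an Exchange Management Shell session; the policy names are the ones used above, and the list of exempt mailboxes is a constructed sample.

```powershell
# Added example: apply the EWS subscription throttling workaround and verify it.
# Assumes an Exchange Management Shell session. Policy names follow the post;
# $allowedUsers is a constructed sample - replace with the mailboxes that need
# EWS notifications (Outlook for Mac, Skype for Business, LOB apps).
$blockPolicy  = 'NoEwsSubscriptions'
$allowPolicy  = 'AllowEwsSubscriptions'
$allowedUsers = @('User1')

# 1. Organization-wide policy: no EWS subscriptions for anyone by default.
if (-not (Get-ThrottlingPolicy -Identity $blockPolicy -ErrorAction SilentlyContinue)) {
    New-ThrottlingPolicy -Name $blockPolicy -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0
}

# 2. Regular-scope policy that restores subscriptions for trusted accounts only.
if (-not (Get-ThrottlingPolicy -Identity $allowPolicy -ErrorAction SilentlyContinue)) {
    New-ThrottlingPolicy -Name $allowPolicy -ThrottlingPolicyScope Regular -EwsMaxSubscriptions 5000
}

# 3. Assign the exception policy to the listed mailboxes.
foreach ($user in $allowedUsers) {
    Set-Mailbox -Identity $user -ThrottlingPolicy $allowPolicy
}

# 4. Verify the effective limits of both policies ...
Get-ThrottlingPolicy -Identity $blockPolicy, $allowPolicy |
    Select-Object Name, ThrottlingPolicyScope, EwsMaxSubscriptions

# ... and list every mailbox that is exempt from the organization policy,
# so the exception list can be reviewed (and trimmed) regularly.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ThrottlingPolicy } |
    Select-Object Name, ThrottlingPolicy

# To undo after the fix is installed:
#   Get-Mailbox -ResultSize Unlimited | Where-Object { $_.ThrottlingPolicy } |
#       Set-Mailbox -ThrottlingPolicy $null
#   Remove-ThrottlingPolicy $allowPolicy
#   Remove-ThrottlingPolicy $blockPolicy
```

The final Get-Mailbox query is the part worth keeping around: every mailbox it returns is outside the workaround's protection, so the list should stay as short as the business allows.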

 

From <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv190007>

Please read carefully:

  • The issue described in the blog post "Abusing Exchange: One API call away from Domain Admin" only affects on-prem deployments. Exchange Online is not affected.
  • The attack scenario described in the blog referenced above requires NTLM. Systems that have disabled NTLM are not affected.
  • Attackers cannot compromise a Domain Admin account if an on-prem deployment follows Microsoft's security best practice guidance and has implemented Active Directory Split Permissions. For more information on using Active Directory Split Permissions with Exchange, see Understanding split permissions: Exchange 2013 Help.

    Note: This document refers to Exchange Server 2013, but the same model can be used for later versions of Exchange Server.

    Note about this EWS Subscription throttling workaround:

    A customer's risk assessment must weigh the protections gained by the workaround as compared to the possible unwanted side effects of the workaround. The following are possible side effects of the EWS Subscription throttling policy:

    This workaround may be disruptive to Outlook for Mac, Skype for Business Client, and Apple Mail Clients, causing them to not function properly. Importantly, the throttling policy won't block Autodiscover and Free/Busy requests. The EWS throttling policy will also negatively impact LOB and other third-party Applications that require EWS Notifications. A second policy can be created to whitelist trusted accounts.

    From <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv190007>

Preparing users and groups for Azure Information Protection

To authorize users, two attributes in Azure AD are used: proxyAddresses and userPrincipalName.

Your first check is to make sure that the users you want to use with Azure Information Protection are displayed.

Then check whether the ProxyAddresses column is populated. If it is, the email values in this column can be used to authorize the user for Azure Information Protection.

The Azure AD proxyAddresses attribute stores all email addresses for an account and can be populated in different ways. For example, a user in Office 365 that has an Exchange Online mailbox automatically has an email address that is stored in this attribute. If you assign an alternative email address for an Office 365 user, it is also saved in this attribute. It can also be populated by the email addresses that are synchronized from on-premises accounts.

Azure Information Protection can use any value in this Azure AD proxyAddresses attribute, providing the domain has been added to your tenant (a "verified domain"). For more information about verifying domains:

The Azure AD userPrincipalName attribute is used only when an account in your tenant doesn't have values in the Azure AD proxyAddresses attribute. For example, you create a user in the Azure portal, or create a user for Office 365 that doesn't have a mailbox.
In most cases, the value for UserPrincipalName matches one of the values in the ProxyAddresses field. This is the recommended configuration, but if you cannot change your UPN to match the email address, you must take the following steps:

If the ProxyAddresses column is not populated, the value in the UserPrincipalName is used to authorize the user for the Azure Rights Management service.

To check these values, connect to Azure AD PowerShell:

Connect-MsolService

Note: If this command doesn't work, run Install-Module MSOnline to install the MSOnline module.

Next, configure your PowerShell session so that it doesn't truncate the values:

$FormatEnumerationLimit = -1

Then list the users with both attributes:

Get-MsolUser | Select-Object DisplayName, UserPrincipalName, ProxyAddresses
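As an added example (my own, not from the post or the Microsoft documentation it quotes), the rule described above turned into a check: for each user, work out which value Azure Information Protection will use to authorize them (the proxyAddresses SMTP entries if present, otherwise the UPN) and flag the accounts whose UPN does not match any email address. The function name is my own, and the three user objects are constructed to look like Get-MsolUser output so the check runs without a tenant.

```powershell
# Added example. Determines which attribute AIP will use to authorize each
# user and flags UPN/email mismatches. Get-AipAuthorizationAddress is my own
# name, not an MSOnline cmdlet.
function Get-AipAuthorizationAddress {
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    process {
        # proxyAddresses entries look like "SMTP:user@contoso.com" (primary) or
        # "smtp:alias@contoso.com". Keep the SMTP ones and strip the prefix;
        # -match is case-insensitive so both spellings are caught.
        $smtp = @($User.ProxyAddresses |
            Where-Object { $_ -match '^smtp:' } |
            ForEach-Object { ($_ -replace '^smtp:', '').ToLowerInvariant() })
        $upn = $User.UserPrincipalName.ToLowerInvariant()

        if ($smtp.Count -gt 0) {
            $source     = 'proxyAddresses'
            $authorized = $smtp
        } else {
            # Empty proxyAddresses: AIP falls back to the UPN.
            $source     = 'userPrincipalName'
            $authorized = @($upn)
        }

        [pscustomobject]@{
            DisplayName       = $User.DisplayName
            UserPrincipalName = $upn
            AuthorizedBy      = $source
            Addresses         = ($authorized -join ';')
            # Recommended configuration: the UPN is one of the email addresses
            # (trivially true when the UPN itself is what gets used).
            UpnMatchesEmail   = ($smtp.Count -eq 0) -or ($smtp -contains $upn)
        }
    }
}

# Constructed sample objects shaped like Get-MsolUser output (contoso.com is a
# placeholder domain). Bob is the case the post warns about: UPN on the
# onmicrosoft.com domain while his mail address is on the verified domain.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Alice'; UserPrincipalName = 'alice@contoso.com'
                       ProxyAddresses = @('SMTP:alice@contoso.com', 'smtp:a.smith@contoso.com') }
    [pscustomobject]@{ DisplayName = 'Bob';   UserPrincipalName = 'bob@contoso.onmicrosoft.com'
                       ProxyAddresses = @('SMTP:bob@contoso.com') }
    [pscustomobject]@{ DisplayName = 'Carol'; UserPrincipalName = 'carol@contoso.com'
                       ProxyAddresses = @() }
)
$sample | Get-AipAuthorizationAddress | Format-Table -AutoSize

# Against the real tenant (after Connect-MsolService), report only the mismatches.
# -All is needed because Get-MsolUser returns a limited page of users by default.
#   Get-MsolUser -All | Get-AipAuthorizationAddress | Where-Object { -not $_.UpnMatchesEmail }
```

On the sample, Alice and Carol come back with UpnMatchesEmail = True (Carol via the UPN fallback), and Bob is flagged: his proxyAddresses entry authorizes him, but sign-ins with his UPN will not line up with that address.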


Ref: https://docs.microsoft.com/en-us/azure/information-protection/prepare#group-membership-caching-by-azure-information-protection

Convert label from PPDF to be PDF

The following commands assign or remove a label on files in a shared folder.

Connect to the Azure Information Protection PowerShell service:

Connect-AadrmService

Get the status of all protected PDF files (make sure to match *.PPDF, the protected PDF extension):

Get-ChildItem \\servername\foldername\*.PPDF -File -Recurse | Get-AIPFileStatus

Note: a justification message must be added when removing the label:

Get-ChildItem \\servername\sharename\*.ppdf -File -Recurse | Set-AIPFileLabel -RemoveLabel -JustificationMessage "The previous label no longer applies"

Then verify:

Get-AIPFileStatus "\\servername\sharename\*.ppdf"

To apply any other label to all files of a given extension that are not yet labeled:

Get-ChildItem drive:\folder\*.docx -File -Recurse | Get-AIPFileStatus | Where-Object {$_.IsLabeled -eq $False} | Set-AIPFileLabel -LabelId <LabelId>

For all details:

https://docs.microsoft.com/en-us/powershell/module/azureinformationprotection/set-aipfilelabel?view=azureipps
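As an added example (my own script, not from the post or the AIP module documentation), the same procedure as a report-first run: inventory the share, show what is labeled and protected, pick out the labeled .ppdf files, and only remove labels when -Apply is given, re-reading the status afterwards. It assumes the AzureInformationProtection module is installed and Connect-AadrmService has already been run; \\servername\sharename and the justification text are placeholders, and the FileName, IsLabeled, IsRMSProtected and MainLabelName properties are the ones Get-AIPFileStatus returns.

```powershell
# Added example: inventory a share and remove labels from protected PDFs with a
# justification, verifying the result. Dry run unless -Apply is passed.
param(
    [string]$Share         = '\\servername\sharename',   # placeholder
    [string]$Justification = 'The previous label no longer applies',
    [switch]$Apply
)
Import-Module AzureInformationProtection

# 1. Inventory: one status object per file on the share.
$status = Get-ChildItem -Path $Share -File -Recurse | Get-AIPFileStatus

# 2. Summary by label/protection state, so the share is understood before it is touched.
$status | Group-Object IsLabeled, IsRMSProtected |
    Select-Object Count, @{ n = 'IsLabeled, IsRMSProtected'; e = { $_.Name } } |
    Format-Table -AutoSize

# 3. Candidates: protected PDFs (.ppdf) that still carry a label.
$candidates = @($status | Where-Object { $_.FileName -like '*.ppdf' -and $_.IsLabeled })
"{0} labeled .ppdf file(s) found" -f $candidates.Count

if (-not $Apply) {
    # Dry run: show what would be changed and stop.
    $candidates | Select-Object FileName, MainLabelName, IsRMSProtected
    return
}

# 4. Remove the label; the service requires a justification for a downgrade.
$candidates | Set-AIPFileLabel -RemoveLabel -JustificationMessage $Justification

# 5. Verify by re-reading the status of each candidate, never by trusting the
#    return value alone; anything still labeled is listed for follow-up.
$still = @($candidates |
    ForEach-Object { Get-AIPFileStatus -Path $_.FileName } |
    Where-Object { $_.IsLabeled })
if ($still.Count -eq 0) {
    'All labels removed'
} else {
    'Still labeled:'
    $still | Select-Object FileName, MainLabelName
}
```

Run it once without -Apply to see the counts and the candidate list; the removal step is the only part that changes anything, and step 5 catches files the label removal silently skipped.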

AZURE INFORMATION PROTECTION (AIP) overview

The following is a general view of the labels.

(screenshot: labels in the Azure portal)

This is how it looks in Office:

(screenshot: labels in Office)

How to connect to the AIP module:

Connect-AadrmService

(screenshot: connecting to the Azure Information Protection PowerShell module; the session is connected)

This is how you classify a PDF:

(screenshot: Classify and Protect from the Explorer view)

PowerShell for Azure portal admin tasks

Import the module:

Import-Module AzureInformationProtection

Get-AIPFileStatus gets the Azure Information Protection label and protection information for a specified file or files.

https://docs.microsoft.com/en-us/powershell/module/azureinformationprotection/get-aipfilestatus?view=azureipps

The following command views the file status:

Get-AIPFileStatus

The following is how you get the label ID:

(screenshot: the label ID in the portal)

Set-AIPFileLabel (you will need the label ID) sets or removes an Azure Information Protection label for a file, and sets the protection according to the label configuration.

The following are the permissions used for labels:

(screenshot: the permissions used for labels)


Azure Rights Management usage logs

Applies to: Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows 7 with SP1, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2

https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide-document-tracking

Your subscription must support it:

https://azure.microsoft.com/en-us/pricing/details/information-protection/

When the document tracking site is enabled, by default it shows information such as the email addresses of the people who attempted to access the protected documents, when these people tried to access them, and their location.

The pricing page compares the plans Azure Information Protection Premium P1 and Azure Information Protection Premium P2; the feature to look for is Document tracking and revocation.

Check the PowerShell module version: you must have at least version 2.3.0.0 of the AADRM module for PowerShell.

Install the module (answer yes when prompted):

Install-Module -Name AADRM

Get all the module commands:

Get-Command -Module AADRM

Or update the module:

Update-Module -Name AADRM

Check the installed version:

(Get-Module aadrm -ListAvailable).Version

First you need to connect to Azure:

Connect-AadrmService

Then check if tracking is enabled:

Get-AadrmDocumentTrackingFeature

You can enable it by:

Enable-AadrmDocumentTrackingFeature

For event log monitoring:

The client logs user activity to the local Windows event log Applications and Services Logs > Azure Information Protection. The events include the following information:

  • Client version, policy ID
  • IP addresses of the signed in user
  • File name and location
  • Action:
      Set Label: Information ID 101
      Set Label (lower): Information ID 101
      Set Label (higher): Information ID 101
      Remove label: Information ID 104
      Recommended tip: Information ID 105
      Apply custom protection: Information ID 201
      Remove custom protection: Information ID 202
      Sign in (operational): Information ID 902
      Download policy (operational): Information ID 901
The event id: 102

I think this is the most important event.

Item Name: wordpressv1intro.docx
Item Directory: path
Process Name: WINWORD
Action: Set Label
Protection Before Action: Protected
Protection After Action: Unprotected
Owner Before Action: anyname@domain.com
Label Before Action: Internal
Label ID Before Action: labelidnaylabel
Label After Action: Public
Label ID After Action: labelidnaylabel
User Justification: teta
Labeled Before Action: Automatically
Action Source: Manual
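As an added example (my own code, not from the post or Microsoft's documentation), a small parser for the "Field: value" body of an Azure Information Protection client event like the one above, plus a check that flags the things a defender wants to review: protection removed, label lowered, or a user manually overriding an automatic label. A constructed sample message is embedded so the parser runs without the event log; Get-AipClientAlerts reads the live log and assumes the log is named 'Azure Information Protection' under Applications and Services Logs and that the IDs of interest are the ones the post lists (102 for the sample above, 104 remove label, 202 remove custom protection). All function names are my own.

```powershell
# Added example: parse AIP client events and flag downgrades.
function ConvertFrom-AipEventMessage {
    param([Parameter(Mandatory)][string]$Message)
    # Field names as they appear in the event body. 'Action Source' is listed
    # before 'Action' so the longer name wins in the regex alternation.
    $names = @('Item Name', 'Item Directory', 'Process Name', 'Action Source', 'Action',
               'Protection Before Action', 'Protection After Action', 'Owner Before Action',
               'Label ID Before Action', 'Label ID After Action', 'Label Before Action',
               'Label After Action', 'User Justification', 'Labeled Before Action')
    $alternation = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'
    # Regex.Split returns captured group text, so the array is: prefix, name, value, name, value ...
    # Splitting on field names (not on lines) copes with bodies where two fields share a line.
    $parts  = [regex]::Split($Message, "($alternation):")
    $fields = [ordered]@{}
    for ($i = 1; $i -lt $parts.Count - 1; $i += 2) {
        $fields[$parts[$i]] = $parts[$i + 1].Trim()
    }
    [pscustomobject]$fields
}

function Test-AipDowngrade {
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)   # output of ConvertFrom-AipEventMessage
    process {
        $reasons = @()
        if ($Event.'Protection Before Action' -eq 'Protected' -and
            $Event.'Protection After Action' -eq 'Unprotected') {
            $reasons += 'protection removed'
        }
        if ($Event.'Label Before Action' -and
            $Event.'Label Before Action' -ne $Event.'Label After Action') {
            $reasons += "label changed $($Event.'Label Before Action') -> $($Event.'Label After Action')"
        }
        if ($Event.'Labeled Before Action' -eq 'Automatically' -and $Event.'Action Source' -eq 'Manual') {
            $reasons += 'user overrode an automatic label'
        }
        [pscustomobject]@{
            Item          = $Event.'Item Name'
            Process       = $Event.'Process Name'
            Suspicious    = ($reasons.Count -gt 0)
            Reasons       = ($reasons -join '; ')
            Justification = $Event.'User Justification'
        }
    }
}

function Get-AipClientAlerts {
    param([int]$Hours = 24)
    # Live query; log name and IDs are assumptions noted in the lead-in.
    Get-WinEvent -FilterHashtable @{ LogName = 'Azure Information Protection'
                                     Id = 102, 104, 202
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-AipEventMessage -Message $_.Message } |
        Test-AipDowngrade |
        Where-Object { $_.Suspicious }
}

# Constructed sample message modelled on the event in the post; the label IDs
# are placeholders, not real label GUIDs.
$sample = @"
Item Name: wordpressv1intro.docx
Item Directory: C:\Users\anyname\Documents
Process Name: WINWORD
Action: Set Label
Protection Before Action: Protected
Protection After Action: Unprotected
Owner Before Action: anyname@domain.com
Label Before Action: Internal
Label ID Before Action: 00000000-0000-0000-0000-000000000001
Label After Action: Public
Label ID After Action: 00000000-0000-0000-0000-000000000002
User Justification: teta
Labeled Before Action: Automatically
Action Source: Manual
"@
ConvertFrom-AipEventMessage -Message $sample | Test-AipDowngrade | Format-List
```

On the sample the result is Suspicious = True with all three reasons, which is exactly the profile of the event the post singles out: an automatically applied Internal label taken down to Public by hand, with protection stripped and a one-word justification. Get-AipClientAlerts applies the same check to the last 24 hours of the local log.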

How to clear windows credentials

Step 1: Clear Windows credentials

Open Credential Manager and remove the saved credentials for the account:

Control Panel\All Control Panel Items\Credential Manager
Step 2: Remove connected services from your Office 2013 profile

  1. Go to File, and then click Account.
  2. Under Connected Services, remove all the services for the existing account.

Step 3: Clear cached credentials on the computer

Edit the registry to remove cached credentials. To do this, follow these steps:

  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate the following registry subkey. For Office 2013 use:

     HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Identity\Identities

     For Office 2016, the correct location uses 16.0 instead of 15.0:

     HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities

     (You can copy and paste the path into Registry Editor.) The identities listed under this key are the ones used to log on.
  3. Select the Office account that you want to delete, and then click Delete.
  4. In the Identity subkey, locate Profiles, right-click the same Office account that you deleted in step 3 of this procedure, and then click Delete.
  5. Exit Registry Editor.
The last step: delete the cached token. Go to the following path and delete the token:

%localappdata%\Microsoft\MSIP

Log off, and then log on to the computer.

Ref:
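As an added example (my own script, not from the post or the Microsoft KB it follows), the registry and token parts of steps 3 and 4 as a script that first lists what is there for both Office 2013 (15.0) and Office 2016 (16.0) and only deletes when -Remove is passed together with the exact identity subkey name, prompting before each deletion. The key paths are the ones given above; the MSIP folder is the token cache named in the last step.

```powershell
# Added example: list (and optionally clear) cached Office identities and the
# AIP token cache. Nothing is deleted without -Remove, and registry deletion
# also requires the identity subkey name as shown under ...\Identities.
param(
    [string]$Identity,   # name of the subkey under Identities / Profiles to delete
    [switch]$Remove
)

if ($Remove -and -not $Identity) {
    Write-Warning 'No -Identity given: registry keys are listed only; only the MSIP cache will be cleared.'
}

foreach ($version in '15.0', '16.0') {
    $base = "HKCU:\Software\Microsoft\Office\$version\Common\Identity"
    if (-not (Test-Path $base)) { continue }      # that Office version is not installed
    "== Office $version =="
    foreach ($sub in 'Identities', 'Profiles') {   # the two keys the manual steps edit
        $key = Join-Path $base $sub
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem -Path $key | ForEach-Object { "  $sub\$($_.PSChildName)" }

        if ($Remove -and $Identity) {
            $target = Join-Path $key $Identity
            if (Test-Path $target) {
                # -Confirm prompts before each key is removed.
                Remove-Item -Path $target -Recurse -Confirm
                "  removed $sub\$Identity"
            }
        }
    }
}

# Token cache used by the Azure Information Protection client (last step in the post).
$msip = Join-Path $env:LOCALAPPDATA 'Microsoft\MSIP'
if (Test-Path $msip) {
    $count = (Get-ChildItem -Path $msip -Recurse -File | Measure-Object).Count
    "MSIP cache: $msip ($count file(s))"
    if ($Remove) {
        Remove-Item -Path (Join-Path $msip '*') -Recurse -Force -Confirm
    }
}

'Log off and log on again to complete the reset.'
```

Run it without switches first to see which identity names are present; the name to pass to -Identity is whatever the listing shows under Identities, and the same name is what the post's step 4 tells you to delete again under Profiles.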
