Tuesday, December 12, 2017

Domain admins, in insecure network devices?

A vendor is at a client's site:
"Hey Oliver, I was told to give you a call. I'm having difficulty saving this file across the network. I've:
given the account admin access, and tried domain admin access,
shared the C:\ drive with everyone,
turned off the firewall,
and disabled antivirus,
and it's still not working."

I look, finding that at some point the device has been given the topmost level administrator account to save the occasional file.
No, that device is not secure.

I start pulling at threads: of the machines have their C:\ and C:\users folder shared with the group "everyone".

What? Why aren't policies propagating?
We purposely create policies and settings to prevent this. But over the years, various vendors have de facto removed computers & users from the domain to get their solutions to work. Security & fallout are not their concerns.
I found the workstations had their network settings changed to take them out of the domain controllers' authority.

"How did this happen?" you may ask.
This client was set up before we became serious about preventing end-users from having admin access.

This is why we don't want end-users to have admin access. Or if we do give it to them, it's limited and can't change the settings which

Now I've spent 4 hours at a 10-device office cleaning this up. I know, I know, monitoring should have highlighted an issue much sooner. But some of these sites are hourly, or were configured many years ago, and policy changes (like no admin access) aren't verified or truly enacted. Left forgotten. Really, both the client and I are appreciative this was brought to light before an issue happened.

edit: some policies I have which should interact with all this:
- Enable logging & syslog
- Force Windows Firewall on - and log
- Define workstation administrators group
- Password expiry
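
A read-only check for the drift described in this post (machine out of the domain, drives shared to Everyone, firewall off, unexpected local admins), written as an added example and not taken from my actual tooling. The function name Get-WorkstationDrift is made up for illustration, and the share check assumes English-language Windows where the group is literally named "Everyone".

```powershell
# Added example (not from the original post): read-only workstation audit.
# Needs Windows 8 / Server 2012 or later and PowerShell 5.1; run elevated.
function Get-WorkstationDrift {
    $findings = @()

    # 1. Has the machine been taken out of the domain?
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        $findings += "Not domain-joined (workgroup: $($cs.Workgroup))"
    }

    # 2. Shares that grant access to Everyone.
    #    Assumption: English-language Windows, where the account name is "Everyone".
    foreach ($share in Get-SmbShare) {
        $open = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }
        foreach ($ace in $open) {
            $findings += "Share '$($share.Name)' ($($share.Path)) allows Everyone: $($ace.AccessRight)"
        }
    }

    # 3. Firewall profiles that are switched off or not logging dropped packets.
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -ne 'True') {
            $findings += "Firewall profile '$($p.Name)' is not enabled"
        }
        if ($p.LogBlocked -ne 'True') {
            $findings += "Firewall profile '$($p.Name)' does not log dropped packets"
        }
    }

    # 4. Members of the local Administrators group (well-known SID S-1-5-32-544),
    #    listed for review against the defined workstation administrators group.
    foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544') {
        $findings += "Local admin: $($m.Name) [$($m.ObjectClass), $($m.PrincipalSource)]"
    }

    $findings
}

# One line per finding, prefixed with the machine name so results can be merged.
Get-WorkstationDrift | ForEach-Object { "$env:COMPUTERNAME`t$_" }
```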




Wednesday, October 11, 2017

Delegate Access Recursively in Exchange 2010 using PowerShell


It wasn't straightforward to add an ex-employee's mailbox to another user, or set of users, with read permissions only or reviewer access.

Problems:

- "cannot expand folders" error after mailbox was added
- there were no folders in the mailbox which was added
- A bit of a shuffle and wait in regard to adding the read-only data to the user's mailbox
- You want to add/remove/change access to multiple, nested folders using PowerShell.

I only wanted to give read access, not the ability to make changes - for a number of reasons - but really to maintain the integrity and authenticity of the mailbox (didn't want other employees removing data, etc.)


Keep in Mind:

Add-<Item> adds new entries, but does not modify entries if they already exist
Set-<Item> modifies entries, but does not add new entries if they don't exist
Remove-<Item> removes items
Appending -WhatIf to a command will show you what it would do, as opposed to doing it.
Following any command with | Out-File C:\myresults.txt will write the console output to a text file, so you can browse or search it & use the results as strings.
Gee, PowerShell is cool!

With this in mind, if you're modifying or removing access, simply change the appropriate verb in any PowerShell command... mostly.

Solutions:

Using Exchange 2010 PowerShell:

First, add the generic permission:

Add-MailboxPermission -Identity UserBeingShared -User UserReceivingAccess -AccessRights ReadPermission -InheritanceType All -AutoMapping $True

( Reference: https://technet.microsoft.com/en-us/library/bb124097(v=exchg.160).aspx )

This gives access and maps the folder - but you will probably get a cannot expand folder error when attempting to open it.


Next, add the permissions you want: 
If you just want to add a single folder, that's easy:

Add-MailboxFolderPermission -Identity UserBeingShared:\Inbox -User UserReceivingAccess -AccessRights Reviewer

( Reference: https://technet.microsoft.com/en-us/library/dd298062(v=exchg.141).aspx )

You'll notice that just the inbox comes through.

If you want to add everything:

ForEach ($f in (Get-MailboxFolderStatistics UserBeingShared | Where { $_.FolderPath })) {
 # Build "Mailbox:\Folder\Subfolder" from the "/Folder/Subfolder" path
 $fname = "UserBeingShared:" + $f.FolderPath.Replace("/","\");
 Add-MailboxFolderPermission $fname -User UserReceivingAccess -AccessRights Reviewer }

If you don't want to share everything but do need recursion, check out:

ForEach($f in (Get-MailboxFolderStatistics UserA | Where { $_.FolderPath.Contains("/Inbox") -eq $True } ) ) {
 $fname = "UserA:" + $f.FolderPath.Replace("/","\");
 Add-MailboxFolderPermission $fname -User UserB -AccessRights Reviewer }


Credit due here, and, recursively :-)
https://social.technet.microsoft.com/Forums/exchange/en-US/ab720430-8b3a-4a31-8f29-b0ddbf064ea6/grant-full-inbox-access?forum=exchange2010
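
The "Keep in Mind" rules (Add- won't modify an existing entry, Set- won't create a missing one) and the recursive loop above, combined into one re-runnable function. This is an added example, not code from the original post or the TechNet thread: Grant-FolderAccessRecursive is a made-up name, and the mapping of "/Top of Information Store" to the mailbox root is an assumption about how Exchange 2010 reports the root folder.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
function Grant-FolderAccessRecursive {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,    # mailbox being shared
        [Parameter(Mandatory = $true)][string]$Delegate,   # user receiving access
        [string]$AccessRights = 'Reviewer'                 # read-only by default
    )

    foreach ($f in (Get-MailboxFolderStatistics $Mailbox | Where-Object { $_.FolderPath })) {
        # Assumption: the root is reported as "/Top of Information Store"
        # and is addressed as "Mailbox:\".
        if ($f.FolderPath -eq '/Top of Information Store') { $path = '\' }
        else { $path = $f.FolderPath.Replace('/', '\') }
        $id = "${Mailbox}:$path"

        # Look up any entry the delegate already has on this folder.
        $existing = Get-MailboxFolderPermission -Identity $id -User $Delegate -ErrorAction SilentlyContinue
        $current  = $existing.AccessRights -join ','

        if (-not $existing) {
            # No entry yet: Set- would fail here, so use Add-.
            if ($PSCmdlet.ShouldProcess($id, "Add $AccessRights for $Delegate")) {
                Add-MailboxFolderPermission -Identity $id -User $Delegate -AccessRights $AccessRights
            }
        }
        elseif ($current -ne $AccessRights) {
            # Entry exists with different rights: Add- would fail here, so use Set-.
            # This also brings an over-permissioned entry back down to the requested level.
            if ($PSCmdlet.ShouldProcess($id, "Change $current to $AccessRights for $Delegate")) {
                Set-MailboxFolderPermission -Identity $id -User $Delegate -AccessRights $AccessRights
            }
        }
    }
}

# Dry run first: lists every folder that would be added or changed, changes nothing.
Grant-FolderAccessRecursive -Mailbox UserBeingShared -Delegate UserReceivingAccess -WhatIf
```

Drop the -WhatIf once the list looks right; running it again afterwards should report nothing left to change.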


Misc: 


If the delegated mailbox does not appear in Outlook, try closing & re-opening Outlook, waiting 15 minutes, or add it manually by opening that user's email setup, choosing Advanced, then adding the mailbox in question.

You should see the Delegated User's Name, with an expanding caret next to it.


Friday, July 7, 2017

ASCII Art in Google Docs - Font Character Spacing Determined by Font / Typeface.

There's seemingly no option to adjust individual character spacing in Google Docs.

You can adjust the spacing which occurs when you start a new line, but not of letters or font characters.

Simply: the solution is to change fonts. The font spacing is seemingly controlled through this.

I was attempting ASCII art and found it askew; however, I pasted it into Word and it immediately looked perfect in Courier New font -- I then pasted the text into Google, highlighted it and matched the font, and, done!

I recommend that you ensure you're copying a blank line above and below the ASCII so you're sure you've got all the pieces!

Oh, and make sure that each line of your ASCII art fits on a single line in the Google Doc. If it starts a line where it shouldn't, it'll ruin the art. Adjust page margins and font size to hit this - and ensure you're on single spacing in the formatting menu option :-)



████████╗ ██████╗ ████████╗ █████╗ ██╗     ██╗     ██╗   ██╗
╚══██╔══╝██╔═══██╗╚══██╔══╝██╔══██╗██║     ██║     ╚██╗ ██╔╝
   ██║   ██║   ██║   ██║   ███████║██║     ██║      ╚████╔╝ 
   ██║   ██║   ██║   ██║   ██╔══██║██║     ██║       ╚██╔╝  
   ██║   ╚██████╔╝   ██║   ██║  ██║███████╗███████╗   ██║   
   ╚═╝    ╚═════╝    ╚═╝   ╚═╝  ╚═╝╚══════╝╚══════╝   ╚═╝
             __          __  ______    _____    ____    __  __   ______ 
     /\     \ \        / / |  ____|  / ____|  / __ \  |  \/  | |  ____|
    /  \     \ \  /\  / /  | |__    | (___   | |  | | | \  / | | |__   
   / /\ \     \ \/  \/ /   |  __|    \___ \  | |  | | | |\/| | |  __|  
  / ____ \     \  /\  /    | |____   ____) | | |__| | | |  | | | |____ 
 /_/    \_\     \/  \/     |______| |_____/   \____/  |_|  |_| |______|


Saturday, March 18, 2017

Myfordmobile, reset your car's modem



I have a Ford Energi car. Sometimes it loses the ability to communicate alerts specifically through the app.

The solution is simple, pull fuse # 10.

To do this most easily, you'll need a pair of needle-nose pliers, or similar.

1. Find the fusebox below the dash - the bottom panel pulls out.
2. Find fuse #10, it's a red one which says 5.5 on it.
3. Pull the fuse, and set it aside. Wait 5 or so minutes.
4. Re-insert the fuse.

Done.

If you happen to lose the fuse (I did, it fell behind the carpet in the car) you'll likely have to order a new one online. It's called an ALT fuse (https://jet.com/product/THE-INSTALL-BAY-BY-METRA-75-Amp-ATL-3-Prong-Fuse-5-Pack-ATL755/c1b8824720444c4a963da72d16349ade)

The photo from below the dash shows the larger power connector and its release mechanism.
This is a 2015 Ford Fusion Energi.

Monday, March 6, 2017

FileMaker Pro & APEasy - user receiving alert that there's a licensing conflict with themselves.

Problem:


When opening APEasy, it displays an error that you've reached your maximum number of licensed users.

In my instance, this error was only affecting one user on one computer.

Though this is comprehensive, it is not refined. At a point I threw up my hands and just hit all the bases.


Solution:


Prep:

Open FileMaker Pro by itself, without launching the attached service (in this instance, APEasy). Just hit Start and open FileMaker Pro. Go to Help, About, and click on Info - grab that license key!

- Try holding Control as you click to open the APEasy FMP on the local computer - this will task it to reinitialize and it may be that simple!

Steps:


- Reboot the server.

If that doesn't do it, try:

- On the server, open a web browser and navigate to http://localhost:16000 - this is FileMaker Pro's setup.

You may see that there's an update for the server -- only apply the update if all users are down. Else, don't stir that pot!

Note, if it says that the server is more updated than the workstation, you will want to update the workstations!

- Launch the admin control panel

Username: master  | Password: master

Look under Clients. If your troubled user is here, force them out and test again.

If that doesn't do it, try:

- Ensure server is on intranet sites, for the workstation having trouble, in multiple capacities, to include IP address (remember to remove this. For security, only use FQDN!)

- Uninstall newer versions of Java - APEasy provides version 6.11 or something silly like that - it's good to go back to basics when testing - remember to reinstall the newer versions of Java after it's fixed.

Remove the following folders:
%userprofile%\appdata\local\apeasy
%userprofile%\appdata\local\filemaker pro
%userprofile%\appdata\local\filemaker
%userprofile%\appdata\roaming\apeasy
%userprofile%\appdata\roaming\filemaker pro (may not exist)
%userprofile%\appdata\roaming\filemaker (may not exist)
C:\programdata\apeasy (may not exist)
C:\programdata\filemaker (pro)  (may not exist)

Backup and remove the following registry keys:
HKCU\Software\Apeasy
HKCU\Software\Filemaker (pro)

Run a repair of FileMaker Pro from "Programs and Features" in the Control Panel -- you will need both your license key AND the name of the software company, in this instance "Small Business Computers of NE". Said otherwise, the "company" field is not you or your client's company, but the group which is using FileMaker Pro as the platform for their software.

Try launching again. If it still fails:
after all of the above, hold Control while launching.
There's another shortcut, holding Shift while launching - this seemed to allow progress but I didn't make it down this path - I was told this would allow me to manage the APEasy interface.

To test:
Log into another user's account on the same workstation. Does the program launch?
If so, it's something in their user profile;
if not, it's something on the workstation;
if it doesn't launch for anyone, it's a problem on the server.

Also try:
Copying a new "APEasy Startup" file over, from the server to the workstation, or from a working computer to the non-working one.

Making sure the APEasy Startup item is not on a redirected, roaming, or network location, at least for testing purposes.