How To Connect to Sonicwall VPN With NetExtender

 

You are likely on this page because you are trying to connect with NetExtender, SonicWall’s preferred VPN software. Below are the steps to connect to your SonicWall VPN.

SonicWall NetExtender Login Screen

    1. Download and install NetExtender. This can be downloaded through mysonicwall.com or via a link we sent you.
    2. After installing, run NetExtender.
    3. For Server: enter the server name provided for you by your technician. This is typically followed by a :portnumber, which by default is 4433.
    4. For Username: enter the username provided for you by your technician.
    5. For Password: enter the password provided for you by your technician.
    6. For Domain: enter the domain name provided for you by your technician. This is commonly LocalDomain.
    7. Click Connect.
    8. You will likely get a Security Alert. You can accept or Always Trust this alert in most cases. (If you click Always Trust you will not receive a Security Alert in the future.) Optional step (skip if not necessary): for further validation before accepting this certificate, click View Certificate, click Details, and click Issuer. You should see “HTTPS Management Certificate for SonicWALL (self-signed)”.

      A common security alert from SonicWall NetExtender.

    9. Click Connect again.
    10. You should now be connected to your network!
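
The issuer name checked in the optional part of step 8 is text that any self-signed certificate can carry, while the SHA-256 fingerprint identifies one specific certificate. The script below is an added example, not part of the original guide: it reads the certificate the server presents and compares its fingerprint with a value obtained from your technician. The server name and expected fingerprint are placeholders.

```powershell
# Added example, not part of the original guide.
# Placeholders: $Server and $Expected must come from your technician.
$Server   = 'vpn.example.com'   # placeholder server name (step 3)
$Port     = 4433                # default port named in step 3
$Expected = 'PASTE-THE-SHA256-FINGERPRINT-FROM-YOUR-TECHNICIAN'   # placeholder

$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
try {
    # Accept whatever certificate is presented: the goal is to read it, not to trust it.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # SHA-256 over the DER-encoded certificate, shown as upper-case hex
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $actual = ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') }) -join ''

    # Ignore colons, spaces and case in the value you were given
    $wanted = ($Expected -replace '[^0-9A-Fa-f]', '').ToUpper()

    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        Fingerprint = $actual
        Matches     = ($actual -eq $wanted)
    } | Format-List
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
```

Click Always Trust in NetExtender only when Matches is True.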

Powershell Script to Check if Office 365 Tenants (Partners) Are Using Outlook 2007 – Run Before October 31, 2017

UPDATE: Microsoft has softened its stance and is not going to cut off Outlook 2007 connections. More info here.

Microsoft recently announced ‘RPC over HTTP reaches end of support in Office 365 on October 31, 2017‘. “MAPI over HTTP was not backported to Outlook 2007 or earlier versions. If you’re using Outlook 2007, you will be in an unsupported state on October 31, 2017. If you want to continue to access Exchange Online mailboxes through the Office 365 portal (portal.office.com), we recommend that you move to a current version of Outlook that is under mainstream support, or use Outlook on the web.”

This basically means if anyone is using Outlook 2007, they need to upgrade their Outlook to a newer version to continue using Outlook with Office 365.

Microsoft provided some Powershell scripts to help with checking your organization for Outlook 2007 connections. This is clearly documented in the section titled ‘How can I identify which Outlook version and build number my users are connecting with?‘ If you only have one organization to manage, these Powershell commands are your best bet.

But what if you manage multiple organizations as a partner/delegated admin? Microsoft doesn’t offer a solution for this. Since we manage multiple Office 365 tenants and want our customers to get email on November 1st, we wrote a little script to check all tenants for Outlook 2007 connections.

Show Auditing

The first step is to document who has auditing turned on or off. This way, you can return auditing back to the client’s preferred setting if necessary. Auditing is turned off by default in Office 365. For this, we wrote the function “ShowAuditing”.

function ShowAuditing{
    foreach($Domain in $Domains){
        # Connect to partner domain
        Write-Host "Connecting to $Domain"
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid?DelegatedOrg=$Domain -Credential $UserCredential -Authentication Basic -AllowRedirection
        Import-PSSession $Session
        Write-Host "Session connect complete"
        Get-Mailbox | Select-Object Identity, AuditEnabled, AuditOwner
        Get-PSSession | Remove-PSSession
    }
}

Enable Auditing

The next step is to enable auditing on every mailbox. For this, we wrote the function “EnableAuditing”. After enabling auditing you will have to wait a few days for users to connect to Office 365 and have their connections logged. Microsoft says auditing may take 24 hours to be enabled.

# Function to enable auditing on every mailbox on every domain.
function EnableAuditing{
    foreach($Domain in $Domains){
        # Connect to partner domain
        Write-Host "Connecting to $Domain"
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid?DelegatedOrg=$Domain -Credential $UserCredential -Authentication Basic -AllowRedirection
        Import-PSSession $Session
        Write-Host "Session connect complete"

        Get-Mailbox | Set-Mailbox -AuditOwner MailboxLogin -AuditEnabled $true
        Get-PSSession | Remove-PSSession
    }
}

Search Through All Tenants, Find Users Using Outlook 2007

At this point, you should have waited 24 hours for auditing to turn on and 2-3 days for users to connect to Office 365 and have their connections logged in auditing. Finally, we can loop through each tenant and see who is using Outlook 2007. This will create a file called “UnsupportedOutlookConnections.csv” in the same folder you are running this script from.

# Function to check each partner managed domain for unsupported Outlook connections (Outlook 2007, version 12.x), dump to UnsupportedOutlookConnections.csv in current folder
function SearchOutlookUnsupported{
    # Create a new CSV/wipe out the old one
    Write-Host "" | export-csv .\UnsupportedOutlookConnections.csv

    foreach($Domain in $Domains){
        # Connect to partner domain
        Write-Host "Connecting to $Domain"
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid?DelegatedOrg=$Domain -Credential $UserCredential -Authentication Basic -AllowRedirection
        Import-PSSession $Session
        Write-Host "Session connect complete"

        # Dig through the audits and look for version 12.x
        # Outlook 2007 is 12.x - bad
        # Outlook 2010 is 14.x - good
        Get-Mailbox | Search-MailboxAuditLog -LogonTypes owner -ShowDetails | ? { $_.ClientInfoString -like "*Outlook 12*" } | select MailboxOwnerUPN,Operation,LogonType,LastAccessed,ClientInfoString | export-csv -Append .\UnsupportedOutlookConnections.csv
        Get-PSSession | Remove-PSSession
    }
}

The Full Script

Now that you have read through the code and have an understanding of what it will do – show you who has auditing turned on, enable auditing on all mailboxes, and check each mailbox to see if the user is connecting with Office 2007 – you can run it. We have run this on our clients without issue. CSSI provides no warranty. Run at your own risk.

# Office 365 Partner Outlook Unsupported Checker
#
# cssi.us
#
# By default this script does nothing but connect to MSOL. Go to the bottom of the script to uncomment appropriate lines.
# Microsoft says it can take up to 24 hours for auditing to be enabled. You should enable auditing and wait a few days so you can log the connections.

#### Functions ####
# Function to check if tenants have Auditing Enabled. Good for documenting before/after.
function ShowAuditing{
    foreach($Domain in $Domains){
        # Connect to partner domain
        Write-Host "Connecting to $Domain"
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid?DelegatedOrg=$Domain -Credential $UserCredential -Authentication Basic -AllowRedirection
        Import-PSSession $Session
        Write-Host "Session connect complete"
        Get-Mailbox | Select-Object Identity, AuditEnabled, AuditOwner
        Get-PSSession | Remove-PSSession
    }
}

# Function to enable auditing on every mailbox on every domain.
function EnableAuditing{
    foreach($Domain in $Domains){
        # Connect to partner domain
        Write-Host "Connecting to $Domain"
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid?DelegatedOrg=$Domain -Credential $UserCredential -Authentication Basic -AllowRedirection
        Import-PSSession $Session
        Write-Host "Session connect complete"

        Get-Mailbox | Set-Mailbox -AuditOwner MailboxLogin -AuditEnabled $true
        Get-PSSession | Remove-PSSession
    }
}

# Function to check each partner managed domain for unsupported Outlook connections (Outlook 2007, version 12.x), dump to UnsupportedOutlookConnections.csv in current folder
function SearchOutlookUnsupported{
    # Create a new CSV/wipe out the old one
    Write-Host "" | export-csv .\UnsupportedOutlookConnections.csv

    foreach($Domain in $Domains){
        # Connect to partner domain
        Write-Host "Connecting to $Domain"
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid?DelegatedOrg=$Domain -Credential $UserCredential -Authentication Basic -AllowRedirection
        Import-PSSession $Session
        Write-Host "Session connect complete"

        # Dig through the audits and look for version 12.x
        # Outlook 2007 is 12.x - bad
        # Outlook 2010 is 14.x - good
        Get-Mailbox | Search-MailboxAuditLog -LogonTypes owner -ShowDetails | ? { $_.ClientInfoString -like "*Outlook 12*" } | select MailboxOwnerUPN,Operation,LogonType,LastAccessed,ClientInfoString | export-csv -Append .\UnsupportedOutlookConnections.csv
        Get-PSSession | Remove-PSSession
    }
}

#### MAIN Procedure ####
# Connect to MSOL
Import-Module MSOnline
$UserCredential = Get-Credential
Connect-MsolService -Credential $UserCredential

# Get the list of partner managed clients
$Clients = (Get-MSOLPartnerContract)

# Get the default domain name from each client
$Domains = $Clients.defaultdomainname

# Uncomment the next line to show if users have auditing turned on or not (Suggested to do on day 1)
#ShowAuditing

# Uncomment the next line to enable Auditing on each client (Suggested to do on day 1)
#EnableAuditing

# Uncomment the next line to export multiple CSVs so you can see if there are any Outlook 2007 connections (Suggested to do on day 3+)
#SearchOutlookUnsupported

Send from Office 365 Shared Mailbox with Thunderbird

We have a client that wanted to authenticate with SMTP to send out from a shared mailbox. noreply was the name of the shared mailbox. Below is the configuration. User has to have full access and send-as permissions for the mailbox. Hopefully this helps someone trying to accomplish the same thing.


Exchange Configuration:
USER EMAIL: user@domain.com
PASSWORD: password

SHARED MAILBOX: shared@domain.com
SHARED MAILBOX ALIAS: noreply

Settings for IMAP Configuration:
EMAIL ADDRESS: noreply@domain.com (shared mailbox)
IMAP SERVER: outlook.office365.com
SMTP SERVER: smtp.office365.com (port 587)
USERNAME: user@domain.com\noreply (user\shared mailbox alias)
PASSWORD: password (user’s password)
SMTP LOGIN IS DIFFERENT (!)
USERNAME: user@domain.com (users email)
PASSWORD: password (user’s password)

Source for information

PDF Attachments Phishing Attacks

Recently we’ve seen an influx of spam emails containing PDF documents. The PDFs contain a link which, when clicked, takes the victim to a website prompting them for usernames and passwords. By entering the username and password, the victim is giving the thieves their email password – compromising the account. This type of attack is called phishing.

Phishing
noun
the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.



What Can Be Done?

Please be on guard for emails with PDF attachments, especially those from unknown senders. Even if the email comes from a trusted sender, that person’s account may be compromised. Above are some common templates for gathering credentials.

Additionally, some email systems (Office 365, G Suite) can be configured to warn users whenever a PDF attachment with a link is included in an email, as seen in the Office 365 rule below.

 

 

 

Tracking Down Repeat Failed Login Attempts to Domain Controller

One of our clients kept getting repeat failed login attempts on their domain controller. Usually this is an issue with a port being open on the firewall and brute-force attacks being run to guess the password, but ports were closed on the firewall and it didn’t look like a dictionary attack. Instead, it looked like something was running every 2 minutes, attempting to use the guest account.

The first thing we did was filter the security log in the Event Log by keyword: Audit Failure. This allowed us to see how often all the audit failures were. Conveniently, they were about every 2 minutes. (Convenient because we have a few chances to catch the culprit!) We could see that the source port was changing every time, adding complexity to the issue.

The audit log provided the IP address of the workstation as well as the username that was trying to authenticate.

We wanted to know the workstation’s hostname, so we ran ping -a 192.168.10.15 and got the hostname. Now we know the PC’s name and the account that is failing authentication. We have found the offender!

We used our remote support tools to connect to the PC, then wrote a script to monitor the port traffic. This script is just an infinite loop, dumping out the output of netstat -ano.

:loop
netstat -ano >> ports.txt
goto loop

We saved this as monitor.bat and ran it on the offending machine. Then we went to the domain controller and watched for the event to happen. Once we had the Source Port from the new event, we went back to the offending machine, pressed Ctrl+C, terminated the script, and opened the ports.txt file. We were able to search the text file for the Source Port and get the Process ID of the offending process.

With this information, we were able to open a command prompt and find the offending process.

tasklist /v | findstr /i "54042"

From there we were able to make changes to the process to allow it to authenticate correctly, if necessary, or remove the process if not necessary.
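
A PowerShell variant of the monitor.bat approach above, as an added example that is not part of the original post: it records only connections to the domain controller, timestamps each one, and resolves the process name at capture time, so a short-lived process can still be identified after it has exited. The domain controller address and the CSV path are placeholders; Get-NetTCPConnection requires Windows 8 / Server 2012 or later.

```powershell
# Added example, not part of the original post. Run on the workstation named
# in the audit failure. $DcAddress and $LogPath are placeholders to adjust.
param(
    [string]$DcAddress  = '192.168.10.1',      # placeholder: domain controller IP
    [string]$LogPath    = '.\port-owners.csv', # placeholder output file
    [int]   $IntervalMs = 250                  # polling interval
)

$seen = @{}   # "port|pid" pairs already written, so each connection is logged once

Write-Host "Recording connections to $DcAddress. Press Ctrl+C to stop."
while ($true) {
    # Only connections whose remote end is the domain controller
    $conns = Get-NetTCPConnection -RemoteAddress $DcAddress -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $key = '{0}|{1}' -f $c.LocalPort, $c.OwningProcess
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        # Resolve the name now: something that runs every 2 minutes may be
        # gone by the time the PID is looked up by hand.
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Time        = (Get-Date).ToString('s')
            SourcePort  = $c.LocalPort
            RemotePort  = $c.RemotePort
            State       = $c.State
            ProcessId   = $c.OwningProcess
            ProcessName = if ($proc) { $proc.ProcessName } else { '(exited)' }
            Path        = if ($proc) { $proc.Path } else { '' }
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
    Start-Sleep -Milliseconds $IntervalMs
}

# After stopping with Ctrl+C, look up the Source Port from the audit failure:
#   Import-Csv .\port-owners.csv | Where-Object SourcePort -eq <source port>
```

A connection that opens and closes between two polls will be missed, so lower the interval if the Source Port from the event does not appear in the CSV.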

Guide Realty Mixer at Lexington Beerworks

Last night we went to a Guide Realty mixer hosted by Raquel Carter. Special thanks to Lexington Beerworks for hosting the event!

Fix Random Black Box Popping Up And Disappearing In Windows

Some of our clients are having issues with a random or intermittent black box popping up while they are working (starting around June 2017). This is an issue with Microsoft Office and can be resolved by doing the following.

  1. Click Start
  2. Start typing task scheduler
  3. Drill down to Task Scheduler Library – Microsoft – Office
  4. If available, right click on OfficeBackgroundTaskHandlerRegistration and click Disable
  5. If available, right click on OfficeBackgroundTaskHandlerLogon and click Disable
  6. Close out of Task Scheduler

If neither of those options is available, you likely have a different issue.

 

 

How to Tell Which Version of Windows You Are Running

There are many different versions of Windows that your PC may be running. This is a short guide to determining which version you are using.

Windows 10

Windows 10 has a start menu with tiles in it, and a black task bar.

 

Windows 8

Windows 8 has a hidden start button. When clicked it opens tiles.

Windows 7

Windows 7 has a start orb and a blue taskbar. The start menu also has a search box in it.

Windows Vista

Windows Vista has a start orb and a black task bar.

Windows XP

Windows XP has a green start button and blue task bar.