Exchange Server Support Scripts

The Repository

This repository is the home of several scripts for Microsoft Exchange Server and Exchange Online. The scripts are intended for identifying and resolving a wide range of issues that impact on-premises or hybrid deployments and migrations.

For more information, see the documentation for individual scripts:

https://microsoft.github.io/CSS-Exchange

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

For more details on contributing, please see CONTRIBUTING.

Contributors

anshuldube, ashourplayzone, batre-msft, bill-long, bill-msft, canthv0, chrismcgurk, dkhrebin, dpaulson45, enzolopez2023, erinis1337, ethanb-msft, friedrichweinmann, guruxp, hazemembaby, iserrano76, jillolsen925, johage, justinhendricksmsft, lusassl-msft, microsoftopensource, mschatte, ryankiv, shanefe, sharmaakash1, stevecharon, trexcodemaster, tweekerz, varungupta-msft, xzong

css-exchange's Issues

SetupLogReviewer false positive on clean first install

Describe the issue

I seem to be getting a false positive in one of my labs:

image

Expected behavior

My one and only admin is definitely an org admin. But he wasn't when this server was installed, because this is the first server installed.

Script Output

See above.

Additional context

Investigating.

[Issue] HttpProxy query in script is different from blog

Describe the work
Script discrepancy

Additional Context
Found some discrepancy between this post and the script currently on GitHub.
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
On the post above, for CVE-2021-26855, it contains:
Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' }

But the current version on GitHub doesn't contain the ($_.AuthenticatedUser -eq '') condition.

Would you please explain why the current script did not include the authenticateduser as one of conditions or should it be included? Thanks.

Error trying to create Exchange Trace data on Exchange 2019

Seeing the following occur when trying to run VSSTester.ps1 on Exchange 2019

Creating Exchange Trace data collector set...

Error:
Element not found.
Starting Exchange Trace data collector...

Error:
Data Collector Set was not found.

Likely due to the fact that we are calling the provider by a name vs the GUID

        " "
        "Creating Exchange Trace data collector set..."
        logman create trace VSSTester -p "Microsoft Exchange Server 2010" -o $path\vsstester.etl -ow
        "Starting Exchange Trace data collector..."
        logman start VSSTester
        " "

[Issue] unidentified user is accessing my apps under [email protected].

Describe the issue
A clear and concise description of what the issue is, including what script you are seeing the error in.

Expected behavior
A clear and concise description of what you expected to happen.

Script Output
If applicable, add the exception that you are seeing that wasn't handled.

Additional context
Add any other context about the problem here.

Server 2012 Test-ProxyLogon.ps1 Exchange 2010 Import-CSV error

I was able to try running the Test-ProxyLogon.ps1 on our server 2012r2 with PS v4, since our original exchange server was 2008r2.

However, the script errored out at line 122 character 66, screenshot below.

I ensured the PS v4 was being used and opened a new powershell window on the server:

image

The account running the script is a domain admin.

Update Build Process - Include Script version in Release

On the release page, include a list of the scripts released and their versions. This allows people to know whether they have the latest version without needing to download it or look over all the commits for the one script they are looking for.

[Issue] CVE-2021-27065 Not Found with PSRemoting Workaround

Describe the issue
We have an Exchange Server 2019 that has detected CVE-2021-27065 in a former version of the script. We have patched the Exchange Server and tried running the script again with the following change below:

Modifying line 205 from
Invoke-Command @parameters -ComputerName $ComputerName
to
Invoke-Command @parameters
(to workaround the PSRemoting issues described in #96)
The script no longer finds CVE-2021-27065

Expected behavior
Expectation is the script will find CVE-2021-27065

We can find CVE-2021-27065 using the following:
Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'

Script Output

PS C:\Temp> C:\Temp\Test-ProxyLogon.ps1
ProxyLogon Status: Exchange Server exchangeserver
  [CVE-2021-26855] Suspicious activity found in Http Proxy log!

DateTime                 AnchorMailbox                                                                                                       
--------                 -------------                                                                                                       
2021-03-03T09:32:46.036Z ServerInfo~a]@exchangeserver.somewhere.tld:444/autodiscover/autodiscover.xml?#                                     
2021-03-03T09:32:50.102Z ServerInfo~a]@exchangeserver.somewhere.tld:444/mapi/emsmdb/?#                                                      
2021-03-03T09:33:01.489Z ServerInfo~a]@exchangeserver.somewhere.tld:444/ecp/proxyLogon.ecp?#                                                
2021-03-03T09:33:19.654Z ServerInfo~a]@exchangeserver.somewhere.tld:444/ecp/DDI/DDIService.svc/GetObject?msExchEcpCanary=sl9h5aSbYUC55dlV...
2021-03-03T09:33:33.846Z ServerInfo~a]@exchangeserver.somewhere.tld:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=sl9h5aSbYUC55dlV...
2021-03-03T09:33:40.492Z ServerInfo~a]@exchangeserver.somewhere.tld:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=sl9h5aSbYUC55dlV...
2021-03-05T11:02:33.380Z ServerInfo~a]@exchangeserver.somewhere.tld:444/autodiscover/autodiscover.xml?#                                     
2021-03-05T11:03:05.833Z ServerInfo~a]@exchangeserver.somewhere.tld:444/autodiscover/autodiscover.xml?#                                     
2021-03-05T11:03:09.128Z ServerInfo~a]@exchangeserver.somewhere.tld:444/autodiscover/autodiscover.xml?#                                     
2021-03-05T11:03:12.156Z ServerInfo~a]@exchangeserver.somewhere.tld:444/autodiscover/autodiscover.xml?#                                     
2021-03-05T11:03:14.736Z ServerInfo~a]@exchangeserver.somewhere.tld:444/autodiscover/autodiscover.xml?#                                     
2021-03-05T11:03:17.937Z ServerInfo~a]@exchangeserver.somewhere.tld:444/autodiscover/autodiscover.xml?#                                     
2021-03-05T11:03:21.125Z ServerInfo~a]@exchangeserver.somewhere.tld:444/autodiscover/autodiscover.xml?#                                     
2021-03-05T16:14:15.123Z ServerInfo~akak]@exchangeserver.somewhere.tld:444/autodiscover/autodiscover.xml?#                                  
2021-03-05T16:14:15.995Z ServerInfo~akak]@exchangeserver.somewhere.tld:444/mapi/emsmdb/?#                                                   
2021-03-05T19:37:14.129Z ServerInfo~akak]@exchangeserver.somewhere.tld:444/autodiscover/autodiscover.xml?#                                  
2021-03-05T19:37:14.642Z ServerInfo~akak]@exchangeserver.somewhere.tld:444/mapi/emsmdb/?#                                                   
2021-03-06T02:00:31.197Z ServerInfo~akak]@exchangeserver.somewhere.tld:444/autodiscover/autodiscover.xml?#                                  
2021-03-06T02:00:31.780Z ServerInfo~akak]@exchangeserver.somewhere.tld:444/mapi/emsmdb/?#                                                   



  Other suspicious files found: 15
   SuspiciousArchive : C:\ProgramData\SolarWinds MSP\PME\archives\32D1FA26-FEA0-45E5-80FD-0887ECF49F99.zip
   SuspiciousArchive : C:\ProgramData\SolarWinds MSP\PME\archives\4E91ABA2-C0AC-411F-818C-F244403D3DA7.zip
   SuspiciousArchive : C:\ProgramData\SolarWinds MSP\PME\archives\5B270229-985E-43BC-867F-B923C7421A31.zip
   SuspiciousArchive : C:\ProgramData\SolarWinds MSP\PME\ThirdPartyPatch\Downloads\Chrome.zip
   SuspiciousArchive : C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\cache\037EFB12-0EAF-4EAD-BEA6-580240FD6CAE.zip
   SuspiciousArchive : C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\cache\0e3dc4b3-4757-43e3-a5d4-bf64c1856363.archive.zip
   SuspiciousArchive : C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\cache\1e857e5a-9432-4eaa-8c29-a755cc55f91d.archive.zip
   SuspiciousArchive : C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\cache\32D1FA26-FEA0-45E5-80FD-0887ECF49F99.zip
   SuspiciousArchive : C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\cache\4E91ABA2-C0AC-411F-818C-F244403D3DA7.zip
   SuspiciousArchive : C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\cache\5B270229-985E-43BC-867F-B923C7421A31.zip
   SuspiciousArchive : C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\cache\79a95e38-d1bc-434b-8a49-eb0e05941333.archive.zip
   SuspiciousArchive : C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\cache\82fbc89e-25e4-4f1d-bf47-66740801163d.archive.zip
   SuspiciousArchive : C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\cache\ad2a7677-fd89-46cf-8513-54cecaf14d31.archive.zip
   SuspiciousArchive : C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\cache\b8c3207f-4469-46b3-9a0f-b4057b54add3.archive.zip
   SuspiciousArchive : C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\cache\fea8af61-1701-4440-bbef-155c07f36cee.archive.zip

Additional context
Add any other context about the problem here.

[Issue]What does the output from this script mean?

Describe the issue
There is no indication whatsoever what the output from the script Test-ProxyLogon.ps1 indicates.

Expected behavior
I would like it to indicate whether or not what it has found is a problem.

Script Output
DateTime                 AnchorMailbox
--------                 -------------
2021-02-27T19:53:36.865Z ServerInfo~a]@ExServer.Exorg.com:444/autodiscover/autodiscover.xml?#
2021-02-27T19:53:37.329Z ServerInfo~a]@ExServer.Exorg.com:444/mapi/emsmdb/?#
2021-02-27T19:53:38.288Z ServerInfo~a]@ExServer.Exorg.com:444/ecp/proxyLogon.ecp?#
2021-02-27T19:53:46.310Z ServerInfo~a]@ExServer.Exorg.com:444/ecp/DDI/DDIService.svc/GetObject?msExchEcpCanary=Oq94rnXI5Uy0CrZyZSP-Wbed1rTr3NgIZ0xfQjb8S5eZv8mRd5WStWIpsDOhvCJOjdv2lRqlD6w.&schema=OABVirtualDirectory#
2021-02-28T15:14:09.180Z ServerInfo~a]@ExServer.Exorg.com:444/autodiscover/autodiscover.xml?#
2021-03-01T15:34:47.336Z ServerInfo~a]@ExServer.Exorg.com:444/autodiscover/autodiscover.xml?#
2021-03-01T15:34:47.465Z ServerInfo~a]@ExServer.Exorg.com:444/mapi/emsmdb/?#
2021-03-01T15:34:48.149Z ServerInfo~a]@ExServer.Exorg.com:444/ecp/proxyLogon.ecp?#
2021-03-01T15:34:53.097Z ServerInfo~a]@ExServer.Exorg.com:444/ecp/DDI/DDIService.svc/GetObject?msExchEcpCanary=ljHL75525kG2lQU9e-dvvmsJAuFZ3tgI6QWEPgOkOwAt1Eud4pIxRNGjX6J1zSi3SeqlPUShi4c.&schema=OABVirtualDirectory#

Other suspicious files found: 25
SuspiciousArchive : C:\ProgramData\McAfee\Agent\Current\EPOAGENT3000\Install\0409\FrameworkConfig.zip
SuspiciousArchive : C:\ProgramData\McAfee\Agent\Current\EPOAGENT3000\Install\0409\FrameworkInstall.zip
SuspiciousArchive : C:\ProgramData\McAfee\Agent\data\contrib\DXL.zip
SuspiciousArchive : C:\ProgramData\McAfee\Agent\data\InstallerFiles\f0b6a1fd303534793f9cff6645a7044f1ee38bf3e8e30b98f96c0c0f1cc1577f_DXL.zip
SuspiciousArchive : C:\ProgramData\Veeam\Endpoint\2021-02-25_Svc.VeeamEndpointBackup.zip
SuspiciousArchive : C:\ProgramData\Veeam\Endpoint\Exchange_2k19\2020-11-07_Exchange_2k19.zip
SuspiciousArchive : C:\ProgramData\Veeam\Endpoint\Exchange_2k19\2020-11-20_Exchange_2k19.zip
SuspiciousArchive : C:\ProgramData\Veeam\Endpoint\Exchange_2k19\2020-12-03_Exchange_2k19.zip
SuspiciousArchive : C:\ProgramData\Veeam\Endpoint\Exchange_2k19\2020-12-16_Exchange_2k19.zip
SuspiciousArchive : C:\ProgramData\Veeam\Endpoint\Exchange_2k19\2020-12-29_Exchange_2k19.zip
SuspiciousArchive : C:\ProgramData\Veeam\Endpoint\Exchange_2k19\2021-01-11_Exchange_2k19.zip
SuspiciousArchive : C:\ProgramData\Veeam\Endpoint\Exchange_2k19\2021-01-24_Exchange_2k19.zip
SuspiciousArchive : C:\ProgramData\Veeam\Endpoint\Exchange_2k19\2021-02-06_Exchange_2k19.zip
SuspiciousArchive : C:\ProgramData\Veeam\Endpoint\Exchange_2k19\2021-02-19_Exchange_2k19.zip
SuspiciousArchive : C:\ProgramData\Veeam\Endpoint\Exchange_2k19\2021-03-05_Exchange_2k19.zip
SuspiciousArchive : C:\ProgramData\Veeam\Endpoint\Utils\2020-11-07_Utils.zip
SuspiciousArchive : C:\ProgramData\Veeam\Endpoint\Utils\2020-11-20_Utils.zip
SuspiciousArchive : C:\ProgramData\Veeam\Endpoint\Utils\2020-12-03_Utils.zip
SuspiciousArchive : C:\ProgramData\Veeam\Endpoint\Utils\2020-12-16_Utils.zip
SuspiciousArchive : C:\ProgramData\Veeam\Endpoint\Utils\2020-12-29_Utils.zip
SuspiciousArchive : C:\ProgramData\Veeam\Endpoint\Utils\2021-01-11_Utils.zip
SuspiciousArchive : C:\ProgramData\Veeam\Endpoint\Utils\2021-01-24_Utils.zip
SuspiciousArchive : C:\ProgramData\Veeam\Endpoint\Utils\2021-02-06_Utils.zip
SuspiciousArchive : C:\ProgramData\Veeam\Endpoint\Utils\2021-02-19_Utils.zip
SuspiciousArchive : C:\ProgramData\Veeam\Endpoint\Utils\2021-03-05_Utils.zip

Additional context
How am I supposed to determine if the system has been compromised from this output?

So aside from Exchange the only other things installed on this server are Veeam agents and McAfee and it appears to be telling me that Veeam and McAfee are suspicious.

The object "CN=Folder Hierarchies..." already exists

Is your request related to a problem? Please describe.
setup.exe /preparead fails with the following information

[03/04/2021 15:07:37.0470] [2] [ERROR] Active Directory operation failed on Solo-DC1.contoso.local. The object 'CN=Folder Hierarchies,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=SoloORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=solo,DC=local' already exists.

Describe The Request
When this is found in the setup log, provide steps on how to resolve it.

Additional context
Rough outline of steps here: https://social.technet.microsoft.com/Forums/en-US/5d7c1770-e669-4eac-ac29-918943bc812a/exchange-2016-stand-alone-install-install-fails-the-object-exists?forum=Exch2016SD

[Issue] BackendCookieMitigation.ps1 error

Can you provide what version of IIS Rewrite Module is required, or additional information? Is this expected behaviour?

Describe the issue
[ERROR] Unable to proceed on SBE-PZEXHYBRID, path to IIS URL Rewrite Module MSI not provided and module is not
installed.

Expected behavior
This mitigation will filter https requests that contain malicious X-AnonResource-Backend and malformed X-BEResource cookies

Script Output
[ERROR] Unable to proceed on SBE-PZEXHYBRID, path to IIS URL Rewrite Module MSI not provided and module is not
installed.
At C:\utilities\zero day ioc tool\BackendCookieMitigation.ps1:94 char:13

+         throw "[ERROR] Unable to proceed on $env:computername, pa ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: ([ERROR] Unable ... not installed.:String) [], RuntimeException
    + FullyQualifiedErrorId : [ERROR] Unable to proceed on SBE-PZEXHYBRID, path to IIS URL Rewrite Module MSI not provided and module is not installed.

Additional context
Exchange 2016 Hybrid server

nmap script question/clarification [Issue]

This is a clarification question more so than an issue.

In the text of the http-vuln-cve2021-26855.nse file it provides sample output of:

-- @output
-- PORT STATE SERVICE
-- 443/tcp open https
-- | http-vuln-cve2021-26855:
-- | VULNERABLE
-- | Exchange Server SSRF Vulnerability
-- | State: VULNERABLE
-- | IDs: CVE:CVE-2021-26855
-- |
-- | Disclosure date: 2021-03-02
-- | References:
-- | http://aka.ms/exchangevulns

Does that mean if I do not get this output my server is not vulnerable? Sorry, I am an nmap noob.

When I ran the script I got this output:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-08 14:42 US Mountain Standard Time
Nmap scan report for myserver.mydomain.local (10.1.2.108)
Host is up (0.0045s latency).

PORT STATE SERVICE
443/tcp open https
MAC Address: 02:50:41:00:00:02 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 8.92 seconds

Since I did not get the additional output under the "443/tcp" line does that mean I am good?

The operation failed because UPN value provided for addition/modification is not unique forest-wide.

Is your request related to a problem? Please describe.
Seen a few cases on this, should add this to collect as well

Describe The Request
It appears we will attempt to create critical system mailboxes. We try to find them based off the Last Name. If admins delete the Last Names of the system mailboxes, it causes this issue.

Additional context

          $arbMbxname = "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}";
          $arbMbxLastName = "MsExchDiscovery e0dc1c29-89c3-4034-b678-e6c29d823ed9";
          $arbUser = @(Get-User -Filter {LastName -eq $arbMbxLastName} -IgnoreDefaultScope -ResultSize 1);
          if ($arbUser.Length -eq 0) 
          {
            $arbUser = @(Get-User -Arbitration -Filter {LastName -eq $arbMbxLastName} -IgnoreDefaultScope -ResultSize 1);
          }

          if ($arbUser.Length -eq 0)
          {
            Install-UserAccount -Name $arbMbxname -LastName $arbMbxLastName;
          }

Cleaner error on /PrepareAd

Is your request related to a problem? Please describe.
Provide a better error for checking the following

  • Who the schema master is
  • the FQDN of this server
  • the site of this server
  • The site of the Schema master

Add where the Reboot flagged occurred

Is your request related to a problem? Please describe.
If you reboot a computer yet you still can't upgrade, need to know where it is set at.

Describe The Request
Provide the location of where the reboot flag is set.

[Issue] Zip file check fails on Windows 2019

Test-Hafnium is showing an error on Windows 2019. I can reproduce this on Exchange 2019 in my lab:

Get-ChildItem : Access is denied
At C:\Users\Administrator\Desktop\Test-Hafnium.ps1:95 char:17
+ ... $zipFiles = Get-ChildItem -Recurse -Path "$env:ProgramData" -Include  ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetChildItemCommand

CodeFormatter doesn't enforce case changes

When a file has at least one issue that is not related to case changes, then the output will show both types of issues:

image

Notice on the second line, the only thing that changed in FormattedScript is "Foreach" to "ForEach". If the indent on the first highlighted line is fixed, CodeFormatter no longer throws an error on this file. This is because the '-ne' operator is not case-sensitive:

    if ($scriptFormatter.StringContent -ne $scriptFormatter.FormattedScript -or
        $null -ne $scriptFormatter.AnalyzedResults) {

False negatives in results for some Exchange versions (http-vuln-cve2021-26855.nse)

I haven't done a complete analysis, but the following is a header from an Exchange 2013 server (I won't put the IP here as it's very likely a real server, but I've shared it with @GossiTheDog):

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<!-- Copyright (c) 2011 Microsoft Corporation.  All rights reserved. -->
<!-- OwaPage = ASP.auth_logon_aspx -->

<!-- {57A118C6-2DA9-419d-BE9A-F92B0F9A418B} -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=10" />
<link rel="shortcut icon" href="/owa/auth/15.0.1395/themes/resources/favicon.ico" type="image/x-icon">
<meta http-equiv="Content-Type" content="text/html; CHARSET=utf-8">
<meta name="Robots" content="NOINDEX, NOFOLLOW">
<title>Outlook Web App</title>
<style>
@font-face {
font-family: "Segoe UI WPC";
src: url("/owa/auth/15.0.1395/themes/resources/segoeui-regular.eot?#iefix") format("embedded-opentype"),
url("/owa/auth/15.0.1395/themes/resources/segoeui-regular.ttf") format("truetype");
}

@font-face {
font-family: "Segoe UI WPC Semilight";
src: url("/owa/auth/15.0.1395/themes/resources/segoeui-semilight.eot?#iefix") format("embedded-opentype"),
url("/owa/auth/15.0.1395/themes/resources/segoeui-semilight.ttf") format("truetype");
}

@font-face {
font-family: "Segoe UI WPC Semibold";
src: url("/owa/auth/15.0.1395/themes/resources/segoeui-semibold.eot?#iefix") format("embedded-opentype"),
url("/owa/auth/15.0.1395/themes/resources/segoeui-semibold.ttf") format("truetype");
}
</style>
<style>/*Copyright (c) 2003-2006 Microsoft Corporation.  All rights reserved.*/

That's an "Exchange Server 2013 Cumulative Update 21 (CU21)" server and the NSE returns:

$ nmap -p 443 --script http-vuln-cve2021-26855 XXX.XXX.XXX.XXX

Starting Nmap 7.60 ( https://nmap.org ) at 2021-03-07 01:25 UTC
Nmap scan report for XXXXXXXX (XXX.XXX.XXX.XXX)
Host is up (0.19s latency).

PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 2.19 seconds

Is it really possible some old, outdated versions of Exchange are not vulnerable?

[Issue] VMware Tools vss_manifests.zip identified as suspicious when it's normal.

Describe the issue
"SuspiciousArchive","C:\ProgramData\VMware\VMware Tools\vss_manifests.zip","vss_manifests.zip"

Expected behavior
vss_manifests.zip seems to be a normal VSS debug logging interaction between vmware tools and veeam backups.

Script Output
Other suspicious files found: 1

Additional context
Opening the archive file noted as suspicious, C:\ProgramData\VMware\VMware Tools\vss_manifests.zip, shows a bunch of XML files:
backup.xml and writer1.xml through writer15.xml. Most files are only a few KB to 32 KB in size, but writer7.xml is 5,055 KB. The text in these files looks benign and not suspicious at all. A Google search on this file shows legitimate internet postings. I suggest omitting this file from the search results.

Microsoft Safety Scanner shows different results than Test-ProxyLogon.ps1

Describe the issue
I ran Test-ProxyLogon.ps1 it showed that my machine was impacted by the 0day CVEs.
I ran MSERT and it reported nothing on a full scan.
Expected behavior

I would expect that both of them would show IOCs or neither of them would show IOCs.

How is anyone supposed to know what is going on if two tools from the same company give two different results?

Add Additional Information in Setup Log scripts

Is your request related to a problem? Please describe.
Went round and round on a case where the customer was using two different accounts: one to test with the SetupAssist.ps1 script and verify that they are in the Org Management group, and another for running setup on Exchange.

Describe The Request

SetupAssist.ps1

  • Add User that we are running as
  • Include the SID to the output if we find the group

SetupLogReviewer.ps1

  • Add the user we are running as when we fail to be a part of X group
  • Add the SID (SidExOrgAdmins) for the ORG Management Group if it is missing when trying to run setup
  • Look and see if we have a SID for the other groups as well, add the same.

Tool doesn't work at all & please stop publishing security content on github.

Hello,

First please stop publishing security content that
#1 requires powershell remoting since that is insecure and should be disabled in most environments
#2 is written in powershell,
#3 is published on github. It's inappropriate. You should be publishing scripts that assume that environments have an appropriate security posture and also on the actual website where the product lives.

Second, the script doesn't work even with powershell remoting (gag) enabled.

[PS] C:\users\user\desktop>Enable-PSRemoting
WinRM is already set up to receive requests on this computer.
WinRM has been updated for remote management.
WinRM firewall exception enabled.

[PS] C:\users\user\desktop>winrm quickconfig
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.
[PS] C:\users\user\desktop>./Test-ProxyLogon.ps1
[EXSERVER] Connecting to remote server EXSERVER failed with the following error message : The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is
accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to
analyze and configure the WinRM service: "winrm quickconfig". For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (EXSERVER:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : CannotConnect,PSSessionStateBroken

We shouldn't have to put our organizations at further risk just because you guys got caught with your pants down.

Mail enabled Exchange Servers group during setup

Is your request related to a problem? Please describe.
Ran into a setup issue where the customer mail-enabled a well-known Exchange security group, which halted the install process. Removed the mail-enabled object, and it worked just fine. Currently the error message is unclear as to why this group is failing to comply and just states that it needs to be Universal, SecurityEnabled.

Describe The Request
Dig into the issue, and provide a secondary option as a resolution for this issue.

Additional context
Repro Steps

  • Mail Enable Exchange Servers Security Group on a CU build that would require /PrepareAD to get to the next CU
  • Try to run Setup.exe /PrepareAD and see the output.

[Issue]PScredential error running Test-ProxyLogon.ps1

Describe the issue
I am running Test-ProxyLogon.ps1 against Exchange 2010 and receive the error shown in the script output below. I have tried it for the local Exchange server and against all servers, with the same results.

Expected behavior
I am expecting the script to run and provide the output report

Script Output
Unable to find type [pscredential]: make sure that the assembly containing this type is loaded
At E:\Test-ProxyLogon.ps1:84 char:27

+         [pscredential] <<<<
    + CategoryInfo          : InvalidOperation: (pscredential:String) [], RuntimeException
    + FullyQualifiedErrorId : TypeNotFound

Additional context
It is running under an account with domain admin and Organization Management rights for Exchange. The PowerShell version is version 2.

There are no more endpoints available from the endpoint mapper. (Exception from HRESULT: 0x800706D9)

Is your request related to a problem? Please describe.

Seeing the following in the setup log

[03/05/2021 03:11:03.0493] [2] Beginning processing install-UMService
[03/05/2021 03:11:03.0546] [2] [ERROR] There are no more endpoints available from the endpoint mapper. (Exception from HRESULT: 0x800706D9)
[03/05/2021 03:11:03.0546] [2] [WARNING] An unexpected error has occurred and a Watson dump is being generated: There are no more endpoints available from the endpoint mapper. (Exception from HRESULT: 0x800706D9)
[03/05/2021 03:11:04.0213] [1] The following 1 error(s) occurred during task execution:
[03/05/2021 03:11:04.0213] [1] 0.  ErrorRecord: There are no more endpoints available from the endpoint mapper. (Exception from HRESULT: 0x800706D9)
[03/05/2021 03:11:04.0213] [1] 0.  ErrorRecord: System.Runtime.InteropServices.COMException (0x800706D9): There are no more endpoints available from the endpoint mapper. (Exception from HRESULT: 0x800706D9)
   at Interop.NetFw.INetFwRules.Add(NetFwRule rule)
   at Microsoft.Exchange.Security.WindowsFirewall.ExchangeFirewallRule.Add()
   at Microsoft.Exchange.Configuration.Tasks.ManageService.Install()
   at Microsoft.Exchange.Management.Tasks.UM.InstallUMService.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessTaskStage(TaskStage taskStage, Action initFunc, Action mainFunc, Action completeFunc)
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()

Describe The Request
Provide a resolution: check whether the Windows Firewall service is disabled, and if so set it to Automatic and start it up.

Can't execute script - unexpected symbol near '<'

Trying to execute the http-vuln-cve2021-26855 script with the following command line as provided by Microsoft:

Nmap -Pn -p T:443 --script http-vuln-cve2021-26855 IP

It fails with the following error:

Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-06 12:34 Romance Standard Time
NSE: failed to initialize the script engine:
C:\Program Files (x86)\Nmap/nse_main.lua:264: ...ram Files (x86)\Nmap/scripts\http-vuln-cve2021-26855.nse:7: unexpected symbol near '<'
stack traceback:
[C]: in function 'assert'
C:\Program Files (x86)\Nmap/nse_main.lua:264: in upvalue 'loadscript'
C:\Program Files (x86)\Nmap/nse_main.lua:596: in field 'new'
C:\Program Files (x86)\Nmap/nse_main.lua:823: in local 'get_chosen_scripts'
C:\Program Files (x86)\Nmap/nse_main.lua:1310: in main chunk
[C]: in ?

QUITTING!

Am I doing anything wrong?

Unable to uninstall MS Speech recognition for En-us

[03/05/2021 19:04:17.0003] [1] Processing component 'UM Language Pack Configuration' (Configuring the server.).
[03/05/2021 19:04:17.0003] [1] Executing:
uninstall-MsiPackage -ProductCode $RoleProductCode -LogFile $RoleLogFilePath -PropertyValues ("ESE=1");

 uninstall-MsiPackage -ProductCode $RoleTeleProductCode -LogFile $RoleLogFilePath;
 if ( $RoleTransProductCode -ne [system.guid]::empty )
{
uninstall-MsiPackage -ProductCode $RoleTransProductCode -LogFile $RoleLogFilePath;
}

 uninstall-MsiPackage -ProductCode $RoleTtsProductCode -LogFile $RoleLogFilePath;
[03/05/2021 19:04:17.0017] [2] Active Directory session settings for 'Uninstall-MsiPackage' are: View Entire Forest: 'True', Configuration Domain Controller: 'Solo-DC.contoso.com', Preferred Global Catalog: 'Solo-DC.contoso.com', Preferred Domain Controllers: '{ Solo-DC.contoso.com }'
[03/05/2021 19:04:17.0017] [2] User specified parameters: -ProductCode:'cef60964-21ae-47e0-93c6-611aa8941b7f' -LogFile:'C:\ExchangeSetupLogs\add-UMLanguagePack.en-US.msilog' -PropertyValues:'ESE=1'
[03/05/2021 19:04:17.0017] [2] Beginning processing uninstall-MsiPackage
[03/05/2021 19:04:17.0023] [2] Removing MSI package with code 'cef60964-21ae-47e0-93c6-611aa8941b7f'.

Used https://support.microsoft.com/en-in/help/17588/windows-fix-problems-that-block-programs-being-installed-or-removed to remove the MS Speech recognition for En-us from the list of products. When running, click Next, then Uninstall.

Add check for running setup version vs installed version

Is your request related to a problem? Please describe.
In the setup log, display an error if the setup version is the same as the installed version.

Describe The Request
An issue can occur if you try to run setup.exe from PowerShell without including the full path. This should call that out.
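Both halves of this request as an added example (a hypothetical helper, not code from SetupAssist.ps1 or SetupLogReviewer.ps1). It assumes that Setup.exe on the media and Bin\ExSetup.exe of the installed server both carry the build number in their file version info, and that $env:ExchangeInstallPath is set on an Exchange server; the path warning covers the "setup.exe without a path" mistake, which PowerShell resolves via $env:PATH rather than the current directory.

```powershell
# Added example: compare the setup media build with the installed build and flag a bare
# 'setup.exe' invocation that PowerShell would not resolve to the current folder.
function Test-SetupVersionMismatch {
    param(
        [Parameter(Mandatory)]
        [string]$SetupPath   # exactly what the admin typed, e.g. 'setup.exe', '.\Setup.exe' or 'D:\Setup.exe'
    )

    $pathWarning = $null
    if (-not [System.IO.Path]::IsPathRooted($SetupPath) -and $SetupPath -notmatch '^\.[\\/]') {
        # Command lookup in PowerShell skips the current directory, so this either fails or
        # runs some other setup.exe found on $env:PATH.
        $pathWarning = "'$SetupPath' has no path; use .\Setup.exe or the full path to the media"
    }

    # Resolve the way the shell would (PATH lookup for bare names, file lookup otherwise).
    $resolved = Get-Command -Name $SetupPath -CommandType Application -ErrorAction SilentlyContinue
    $file = if ($resolved) { Get-Item -LiteralPath $resolved.Source } else { Get-Item -LiteralPath $SetupPath -ErrorAction Stop }
    $mediaVersion = [version]$file.VersionInfo.FileVersion

    $installedVersion = $null
    if ($env:ExchangeInstallPath) {
        $installedExe = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'   # assumption: build is in its file version
        if (Test-Path -LiteralPath $installedExe) {
            $installedVersion = [version](Get-Item -LiteralPath $installedExe).VersionInfo.FileVersion
        }
    }

    $verdict = if (-not $installedVersion) { 'NoExchangeInstalled' }
    elseif ($mediaVersion -eq $installedVersion) { 'SameVersion' }        # the case the request wants flagged
    elseif ($mediaVersion -lt $installedVersion) { 'MediaOlderThanInstalled' }
    else { 'Upgrade' }

    [PSCustomObject]@{
        SetupPathGiven   = $SetupPath
        SetupResolvedTo  = $file.FullName
        MediaVersion     = $mediaVersion
        InstalledVersion = $installedVersion
        Verdict          = $verdict
        Warning          = $pathWarning
    }
}

# Usage: a full path gives no warning; 'setup.exe' alone produces the warning and whatever
# PATH resolved it to, which is the trap the request describes.
Test-SetupVersionMismatch -SetupPath 'D:\Setup.exe'
Test-SetupVersionMismatch -SetupPath 'setup.exe'
```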

Using Get-WinEvent with Hashtable instead of Get-Eventlog increases performance

$eventLogs = Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error -ErrorAction SilentlyContinue | Where-Object { $_.Message -like "*System.InvalidCastException*" }

I replaced line 45, where the event log is searched using the cmdlet "Get-EventLog", with the cmdlet "Get-WinEvent" using a FilterHashtable as follows:

# Level 2 = Error; -ErrorAction SilentlyContinue keeps the original behaviour when no events match (Get-WinEvent reports that as an error)
$eventLogs = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='MSExchange Unified Messaging'; Level=2} -ErrorAction SilentlyContinue | Where-Object { $_.Message -like "*System.InvalidCastException*" }

This speeds up the query by approximately a factor of 10 on my systems. The event log search now only takes about 3 minutes per system instead of 30 minutes.
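The same server-side filter, as an added example that is not the author's one-liner or code from the script, extended with a time window (StartTime), a result cap and explicit handling of the "no events found" error; function and parameter names are my own.

```powershell
# Added example: Get-WinEvent with a FilterHashtable. Everything in the hashtable becomes an
# XPath query evaluated by the event log service, so only matching records cross the wire;
# Where-Object then inspects the message text of the survivors.
function Get-UMInvalidCastEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7,            # look-back window; the original query scanned the whole log
        [int]$MaxEvents = 1000
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MSExchange Unified Messaging'
        Level        = 2                         # 2 = Error
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
    }
    catch {
        # Get-WinEvent raises an error instead of returning nothing when no record matches.
        if ($_.Exception.Message -like 'No events were found*') { return @() }
        throw
    }

    $events |
        Where-Object { $_.Message -like '*System.InvalidCastException*' } |
        Select-Object TimeCreated, Id, MachineName,
            @{ Name = 'FirstLine'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: last 14 days on the local server.
Get-UMInvalidCastEvents -Days 14 | Format-Table -AutoSize
```

The time window is what makes the biggest difference on a server whose Application log holds months of history: the XPath filter on TimeCreated is applied before any record is materialised.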

[Issue] Test-ProxyLogon.ps1 Exchange 2010

The provided script fails. Following is the output. How can I resolve the issue?

[PS] C:\Windows\system32>Get-ExchangeServer | ".\Test-ProxyLogon.ps1" -OutPath $home\desktop\logs
You must provide a value expression on the right-hand side of the '-' operator.
At line:1 char:47

+ Get-ExchangeServer | ".\Test-ProxyLogon.ps1" - <<<< OutPath $home\desktop\logs
    + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ExpectedValueExpression

Problem to get Test-ProxyLogon.ps1 working running local on Exchange Server 2013

Running Test-ProxyLogon.ps1 on my Exchange Server 2013 throws an error...

.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs

[TESTMACHINE] Beim Verbinden mit dem Remoteserver "TESTMACHINE" ist folgender Fehler aufgetreten: Der Client kann keine Verbindung
mit dem in der Anforderung angegebenen Ziel herstellen. Stellen Sie sicher, dass der Dienst auf dem Ziel ausgeführt
wird und die Anforderungen akzeptiert. Lesen Sie die Protokolle und die Dokumentation für den WS-Verwaltungsdienst,
der auf dem Ziel ausgeführt wird. Hierbei handelt es sich meistens um IIS oder WinRM. Wenn das Ziel der WinRM-Dienst
ist, führen Sie den folgenden Befehl auf dem Ziel aus, um den WinRM-Dienst zu analysieren und zu konfigurieren: "winrm
quickconfig". Weitere Informationen finden Sie im Hilfethema "about_Remote_Troubleshooting".
+ CategoryInfo : OpenError: (TESTMACHINE:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : CannotConnect,PSSessionStateBroken

sorry, the error message is in German language.
The machine on which I ran the script is a Windows Server 2008 R2 Standard Edition with Exchange 2013 Standard.
I already applied the Exchange patch KB5000871, so I don't know if this behavior is 'normal' when the patch has been applied.

I ran the command with my Exchange admin account in PowerShell, with the elevated Administrator account in PowerShell, and in my Exchange Management Shell. No success so far in getting it working.

Consistent Script formatting

We also need to decide on a consistent set of styling rules and shift-alt-F these files in VSCode. For example, in some places we have Javascript-style braces (my own preference), and in some places we have C# style braces. In some places we have <# #> multiline comments, and in other places we have # multiline comments. But we can address styling consistency in a separate PR.

Originally posted by @bill-long in #8 (comment)

+++++++++++++++++++++++++++++++++

Not sure if we can get the comments in there, but we can align to something within a build pipeline for this. This makes it easier for other people to contribute to the project as well, without requiring them to set up VSCode and press shift-alt-F.

One option that I have played around with is this one:

https://github.com/PowerShell/PSScriptAnalyzer/blob/master/docs/markdown/Invoke-Formatter.md

We should be able to easily add this to a build pipeline.

Import-Module PSScriptAnalyzer
$content = Get-Content .\Setup\SetupAssist.ps1
$stringContent = [string]::Empty
foreach($line in $content)
{
    $stringContent += "{0}`r`n" -f $line
}

# Invoke-Formatter returns the formatted script as one string, so compare it with the
# joined string, not with the array of lines read by Get-Content.
$test = Invoke-Formatter $stringContent -Settings .\settings\codeformatting.psd1
if ($test -ne $stringContent)
{
    throw "failed to meet code formatting requirements"
}

another option appears to be this one:

https://sumtips.com/software/powershell-beautifier-free-tool-to-pretty-print-ps1-script-files/#:~:text=%20How%20to%20Use%20PowerShell%20Beautifier%20%201,Save%20Formatted%20Code%20as%20New%20File.%20More%20

I haven't looked much into it.
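The Invoke-Formatter idea above generalised to a whole tree, as an added example that is not the repository's build script: every .ps1 under a folder is formatted in memory and compared with the file on disk, and the list of offenders becomes the build result. It assumes the same settings file path the comment above uses.

```powershell
# Added example: a pipeline-style formatting gate built on PSScriptAnalyzer's Invoke-Formatter.
function Test-ScriptFormatting {
    param(
        [string]$Path = '.',
        [string]$Settings = '.\settings\codeformatting.psd1'   # path assumed from the comment above
    )

    Import-Module PSScriptAnalyzer -ErrorAction Stop
    $failures = @()

    foreach ($file in Get-ChildItem -Path $Path -Recurse -Filter *.ps1 -File) {
        # -Raw keeps line endings intact so a clean file round-trips unchanged.
        $original  = Get-Content -LiteralPath $file.FullName -Raw
        $formatted = Invoke-Formatter -ScriptDefinition $original -Settings $Settings

        # Case-sensitive compare; trailing whitespace at end of file is ignored so a missing
        # final newline does not count as a formatting failure.
        if ($formatted.TrimEnd() -cne $original.TrimEnd()) {
            $failures += $file.FullName
        }
    }

    return $failures
}

# Usage in a build step: print offenders and fail the job if there are any.
$bad = @(Test-ScriptFormatting -Path .)
$bad | ForEach-Object { Write-Host "Not formatted: $_" }
if ($bad.Count -gt 0) {
    throw "$($bad.Count) file(s) failed to meet code formatting requirements"
}
```

Running the same function locally before pushing gives contributors the check without an editor dependency, which is the point made above.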

Setup Additional Review Check for INSUFF_ACCESS_RIGHTS on AD objects

Is your request related to a problem? Please describe.

Getting this error when trying to run /PrepareAd on the environment

Configuring Microsoft Exchange Server

    Organization Preparation                                                                          FAILED
     The following error was generated when "$error.Clear();
          $createTenantRoot = ($RoleIsDatacenter -or $RoleIsPartnerHosted);
          $createMsoSyncRoot = $RoleIsDatacenter;

          #$RoleDatacenterIsManagementForest is set only in Datacenter deployment; interpret its absense as $false
          [bool]$isManagementForest = ($RoleDatacenterIsManagementForest -eq $true);

          if ($RolePrepareAllDomains)
          {
              initialize-DomainPermissions -AllDomains:$true -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
          }
          elseif ($RoleDomain -ne $null)
          {
              initialize-DomainPermissions -Domain $RoleDomain -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
          }
          else
          {
              initialize-DomainPermissions -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
          }
        " was run: "Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on Solo-DC1.Solo.net. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152610, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
 ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
   at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation)
   at Microsoft.Exchange.Data.Directory.SystemConfiguration.ADConfigurationSession.Save(ADConfigurationObject instanceToSave)
   at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.CreateMonitoringMailboxContainer(MesoContainer meso)
   at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".

Was thinking at first it was denies, but it is likely the lack of permissions to do anything.

Describe The Request

In the SetupLogReviewer script, find the object that we are trying to set permissions on. The example in the text below should result in "CN=Microsoft Exchange System Objects,DC=Solo,DC=net", and provide the list of ACEs that we need. Still need to find out the minimum that we need, but it is from this list here:

Allow BUILTIN\Administrators SPECIAL ACCESS
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS

The user doesn't need to be an administrator, just in a group or nested group that provides the permissions required to add ACEs to the object in AD.

[03/05/2021 01:53:42.0819] [2] Used domain controller Solo-DC1.Solo.net to write object CN=AdminSDHolder,CN=System,DC=Solo,DC=net.
[03/05/2021 01:53:42.0819] [2] Used domain controller Solo-DC1.Solo.net to read object CN=Microsoft Exchange System Objects,DC=Solo,DC=net.
[03/05/2021 01:53:42.0835] [2] [ERROR] Active Directory operation failed on Solo-DC1.Solo.net. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152610, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

[03/05/2021 01:53:42.0835] [2] [ERROR] The user has insufficient access rights.
[03/05/2021 01:53:42.0835] [2] Ending processing initialize-DomainPermissions
[03/05/2021 01:53:42.0835] [1] The following 1 error(s) occurred during task execution:
[03/05/2021 01:53:42.0835] [1] 0.  ErrorRecord: Active Directory operation failed on Solo-DC1.Solo.net. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152610, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

[03/05/2021 01:53:42.0835] [1] 0.  ErrorRecord: Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on Solo-DC1.Solo.net. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152610, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
 ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
   at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation)
   at Microsoft.Exchange.Data.Directory.SystemConfiguration.ADConfigurationSession.Save(ADConfigurationObject instanceToSave)
   at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.CreateMonitoringMailboxContainer(MesoContainer meso)
   at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
[03/05/2021 01:53:42.0835] [1] [ERROR] The following error was generated when "$error.Clear(); 
          $createTenantRoot = ($RoleIsDatacenter -or $RoleIsPartnerHosted);
          $createMsoSyncRoot = $RoleIsDatacenter;

          #$RoleDatacenterIsManagementForest is set only in Datacenter deployment; interpret its absense as $false
          [bool]$isManagementForest = ($RoleDatacenterIsManagementForest -eq $true);

          if ($RolePrepareAllDomains)
          {
              initialize-DomainPermissions -AllDomains:$true -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
          }
          elseif ($RoleDomain -ne $null)
          {
              initialize-DomainPermissions -Domain $RoleDomain -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
          }
          else
          {
              initialize-DomainPermissions -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
          }
        " was run: "Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on Solo-DC1.Solo.net. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152610, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
 ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
   at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation)
   at Microsoft.Exchange.Data.Directory.SystemConfiguration.ADConfigurationSession.Save(ADConfigurationObject instanceToSave)
   at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.CreateMonitoringMailboxContainer(MesoContainer meso)
   at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
[03/05/2021 01:53:42.0835] [1] [ERROR] Active Directory operation failed on Solo-DC1.Solo.net. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152610, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Additional context

  • SetupLogReviewer

    • Add logic to catch AD INSUFF_ACCESS_RIGHTS
    • determine what object we are getting the issue on
    • provide the user we are running as
    • provide to go run SetupAssist.ps1 on the server with X params
    • possibly provide hacky workaround of provide full access perms to X - last resort option
  • SetupAssist.ps1

    • Add logic to check Permissions on an object for the user that we are running as
    • Dump out the ACEs with dsacls on the object
    • Dump out the user's group
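The two pieces listed above, as an added example (hypothetical helpers, not code from SetupLogReviewer.ps1 or SetupAssist.ps1): the first scans setup log lines for the last object read or written before an INSUFF_ACCESS_RIGHTS error, the second lists the ACEs on that object and marks which apply to the account running the check. Group membership, nested groups included, is taken from the current logon token rather than by walking AD; the sample log lines are the ones quoted in this issue.

```powershell
# Added example: locate the AD object behind an INSUFF_ACCESS_RIGHTS error and report the
# access rules on it that apply to the current user's token (user SID plus all group SIDs).

function Get-AccessDeniedObjectFromSetupLog {
    param([Parameter(Mandatory)][string[]]$LogLines)

    $lastObject = $null
    foreach ($line in $LogLines) {
        # Setup records the target of each directory access just before acting on it:
        # "Used domain controller <dc> to read object CN=...,DC=net."
        if ($line -match 'to (read|write) object (?<dn>CN=.+?)\.\s*$') {
            $lastObject = $Matches['dn']
        }
        elseif ($line -match 'INSUFF_ACCESS_RIGHTS') {
            return [PSCustomObject]@{
                DistinguishedName = $lastObject
                RunningAs         = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
                ErrorLine         = $line.Trim()
            }
        }
    }
    return $null
}

function Get-EffectiveAceReport {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # The logon token already flattens nested membership, so SID comparison against it
    # answers "does this rule apply to me" without enumerating groups in AD.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids   = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    $entry = [ADSI]"LDAP://$DistinguishedName"
    # Request identities as SIDs so stale or foreign SIDs do not break the listing.
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }
        [PSCustomObject]@{
            Identity    = $name
            AppliesToMe = ($mySids -contains $sid)
            Type        = $rule.AccessControlType       # Allow or Deny
            Rights      = $rule.ActiveDirectoryRights   # e.g. CreateChild, WriteDacl, GenericAll
            Inherited   = $rule.IsInherited
            ObjectType  = $rule.ObjectType              # property/extended-right GUID; all zeros = whole object
        }
    }
}

# Usage with the log excerpt from this issue (constructed input copied from the text above).
$logExcerpt = @(
    '[03/05/2021 01:53:42.0819] [2] Used domain controller Solo-DC1.Solo.net to write object CN=AdminSDHolder,CN=System,DC=Solo,DC=net.',
    '[03/05/2021 01:53:42.0819] [2] Used domain controller Solo-DC1.Solo.net to read object CN=Microsoft Exchange System Objects,DC=Solo,DC=net.',
    '[03/05/2021 01:53:42.0835] [2] [ERROR] Active Directory operation failed on Solo-DC1.Solo.net. This error is not retriable. Additional information: Access is denied.',
    'Active directory response: 00000005: SecErr: DSID-03152610, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0'
)
$target = Get-AccessDeniedObjectFromSetupLog -LogLines $logExcerpt
$target   # DistinguishedName is CN=Microsoft Exchange System Objects,DC=Solo,DC=net

if ($target) {
    # Denies are listed first: one matching Deny explains the failure regardless of Allows.
    Get-EffectiveAceReport -DistinguishedName $target.DistinguishedName |
        Where-Object AppliesToMe | Sort-Object Type -Descending | Format-Table -AutoSize
}
```

The second function is the .NET equivalent of the dsacls dump named above; dsacls.exe on the same DN gives the same rules in its own text layout when a copy for a support case is needed.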

26855 request details

Thanks for the great scripts!

I used an earlier version of your script as the base for an enhanced version that checks all of the servers in an environment. If any requests match the 26855 IOCs, it then searches the specific service logs to get more details about the request.

I also cache the results of the log search to make additional runs faster (speeds up debugging)

Just sharing here because I thought others might find it helpful.

https://gist.github.com/TonyBunce/13eb919a3838b146603dd1200fb4a092

Microsoft.Exchange.Data.DataValidationException: Database is mandatory on UserMailbox.

Is your request related to a problem? Please describe.
Running into the following error in the setup logs

[03/07/2021 16:22:39.0536] [2] [WARNING] Database is mandatory on UserMailbox.
[03/07/2021 16:22:39.0537] [2] [WARNING] Database is mandatory on UserMailbox.
[03/07/2021 16:22:39.0538] [2] Ending processing get-mailbox
[03/07/2021 16:22:39.0540] [1] The following 2 error(s) occurred during task execution:
[03/07/2021 16:22:39.0540] [1] 0.  ErrorRecord: Database is mandatory on UserMailbox.
[03/07/2021 16:22:39.0540] [1] 0.  ErrorRecord: Microsoft.Exchange.Data.DataValidationException: Database is mandatory on UserMailbox.
[03/07/2021 16:22:39.0549] [1] [ERROR] The following error was generated when "$error.Clear(); 
          if (($RoleIsDatacenter -ne $true) -and ($RoleIsDatacenterDedicated -ne $true))
          {
            if (test-ExchangeServersWriteAccess -DomainController $RoleDomainController -ErrorAction SilentlyContinue)
            {
              # upgrade the discovery mailboxes to R5 version, this will fix the RecipientDisplayType property of the discovery mailbox which was wrong in R4.
              get-mailbox -RecipientTypeDetails DiscoveryMailbox -DomainController $RoleDomainController | where {$_.IsValid -eq $false} | set-mailbox -DomainController $RoleDomainController
              $name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
              $dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
              $mbxs = @( get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1 );
              if ( $mbxs.length -eq 0) 
              {
                $dbs = @(get-MailboxDatabase -Server:$RoleFqdnOrName -DomainController $RoleDomainController);
                if($dbs.Length -ne 0) 
                {
                  $mbxUser = @(get-user -Filter {name -eq $name} -IgnoreDefaultScope -ResultSize 1);
                  if ($mbxUser.Length -ne 0) 
                  {
                    enable-mailbox -Discovery -identity $mbxUser[0] -DisplayName $dispname -database $dbs[0].Identity;
                  }
                }
              }
            }
            else
            {
              write-exchangesetuplog -info "Skipping creating Discovery Search Mailbox because of insufficient permission."
            }  
          }
        " was run: "Microsoft.Exchange.Data.DataValidationException: Database is mandatory on UserMailbox.".
[03/07/2021 16:22:39.0549] [1] [ERROR] Database is mandatory on UserMailbox.

Describe The Request
Add a check for this and action plan

Additional context

Current ldifde command that we have, but it returns a lot of entries when they have a hybrid environment, so we need to add additional filtering:

ldifde -t 3268 -r "(&(objectClass=user)(mailnickname=*)(!(homeMDB=*)))" -l distinguishedName -f noHomeMdb.txt
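The same Global Catalog query from PowerShell, as an added example that is not the ldifde command above nor code from any script in the repository, with an optional extra clause for hybrid environments. That clause is an assumption: the on-premises objects that represent Exchange Online mailboxes carry msExchRemoteRecipientType and have no homeMDB, so they match the base filter without anything being wrong with them.

```powershell
# Added example: LDAP search for mail-enabled users with no homeMDB, forest-wide via the GC.
function Find-MailUserWithoutHomeMdb {
    param(
        [string]$GlobalCatalogServer,     # e.g. 'Solo-DC.contoso.com'; serverless GC binding when omitted
        [switch]$ExcludeRemoteRecipients  # drop hybrid remote-mailbox objects (assumption, see lead-in)
    )

    $clauses = @('(objectClass=user)', '(mailNickname=*)', '(!(homeMDB=*))')
    if ($ExcludeRemoteRecipients) { $clauses += '(!(msExchRemoteRecipientType=*))' }
    $filter = '(&' + ($clauses -join '') + ')'

    # Bind to the GC provider to search the whole forest, as ldifde -t 3268 does.
    $forestRoot = [string]([ADSI]'LDAP://RootDSE').rootDomainNamingContext
    $gcPath = if ($GlobalCatalogServer) { "GC://$GlobalCatalogServer/$forestRoot" } else { "GC://$forestRoot" }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$gcPath, $filter)
    $searcher.PageSize = 1000   # paged results so large forests are not truncated at the server limit
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'mailNickname', 'msExchRecipientTypeDetails'))

    # SearchResult property names are lower-cased and absent when the attribute is not set.
    function Get-Prop($result, $name) {
        if ($result.Properties.Contains($name)) { $result.Properties[$name][0] } else { $null }
    }

    foreach ($r in $searcher.FindAll()) {
        [PSCustomObject]@{
            DistinguishedName    = Get-Prop $r 'distinguishedname'
            MailNickname         = Get-Prop $r 'mailnickname'
            RecipientTypeDetails = Get-Prop $r 'msexchrecipienttypedetails'
        }
    }
}

# Usage: the raw equivalent of the ldifde export, then the narrowed hybrid variant.
Find-MailUserWithoutHomeMdb | Export-Csv -NoTypeInformation -Path .\noHomeMdb.csv
Find-MailUserWithoutHomeMdb -ExcludeRemoteRecipients | Format-Table -AutoSize
```

msExchRecipientTypeDetails is returned so the remaining rows can be filtered further once the right recipient types for the check are known.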

Feature request: Show log retention time for Security/Test-ProxyLogon.ps1

Is your request related to a problem? Please describe.

It might be a problem that Security/Test-ProxyLogon.ps1 checks logfiles which don't date back to a potential exploitation. If the logs are gone, nothing can be done about it, but at least it should be clear that if the logs only go back for e.g. 3 days, they don't cover the period until 26 Feb when the exploitation started.

Describe The Request
Please include the few lines of code to show the date range covered by the checked logfiles:
$exchangePath\Logging\ECP\Server*.log
$exchangePath\Logging\OABGeneratorLog
$exchangePath\Logging\HttpProxy

Additional context
There are IT providers which have discovered that disk space costs money, and unless the client pays extra for it, they reduce the log retention time to some days or even hours. That might cover basic debugging needs but not security.

We're not even talking about attackers which might have deleted parts of the logs ;)

[Issue] Errors when running on exc2016

Ran OK on Saturday, but the versions since then throw errors:
Running on Exchange management shell locally on server 2016 with exc 2016,
also tried running remote powershell from latest build Windows 10 machine and loading EMS but same errors.
Go back to the ps1 I downloaded saturday and I get no errors....

+              ~

Missing file specification after redirection operator.
At C:\temp\Test-ProxyLogon.ps1:168 char:35
+             {&quot;hydro-click&quot;=&gt;&quot;{\&quot;event_type ...
+                               ~

The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
At C:\temp\Test-ProxyLogon.ps1:168 char:42
+             {&quot;hydro-click&quot;=&gt;&quot;{\&quot;event_type ...
+                                      ~

The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
At C:\temp\Test-ProxyLogon.ps1:168 char:54
+ {"hydro-click"=>"{&quot;event_type ...
+ ~

The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
At C:\temp\Test-ProxyLogon.ps1:168 char:71
+ ... {"hydro-click"=>"{&quot;event_type&quot;:& ...
+                                                             ~

The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
At C:\temp\Test-ProxyLogon.ps1:168 char:79
+ ... quot;hydro-click"=>"{&quot;event_type&quot;:&quot;ana ...
+                                                             ~

The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
At C:\temp\Test-ProxyLogon.ps1:168 char:101
+ ... =>"{&quot;event_type&quot;:&quot;analytics.click&quot;,& ...
+                                                             ~

The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
At C:\temp\Test-ProxyLogon.ps1:168 char:108
+ ... quot;{&quot;event_type&quot;:&quot;analytics.click&quot;,&quot;p ...
+                                                              ~

Missing expression after unary operator ','.
At C:\temp\Test-ProxyLogon.ps1:168 char:108
+ ... uot;{&quot;event_type&quot;:&quot;analytics.click&quot;,&quot;pa ...
+                                                             ~

Unexpected token '' in expression or statement.
At C:\temp\Test-ProxyLogon.ps1:168 char:109
+ ... ot;{&quot;event_type&quot;:&quot;analytics.click&quot;,&quot;pay ...
+                                                             ~

The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
Not all parse errors were reported. Correct the reported errors and try again.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : MissingFileSpecification

[Issue] Write-Progress is hurting performance in Test-Hafnium.ps1

Test-Hafnium.ps1's Get-26855() calls Write-Progress for each file, and this is hurting throughput.

For a sample dataset of 150 HttpProxy logs, Get-26855() took 128 seconds.
After simply commenting out Write-Progress, it takes only 25 seconds.

Environment: PowerShell 5.1 on Win10

Suggestion:
Use Write-Progress less frequently. For example, every 10% progress:

  $prevProgress = 0
  $count = 0
  $allResults = @()
  $files | ForEach-Object {
      $count++
      $progress = $count * 100 / $files.Count
      # Only call Write-Progress once every 10%, not once per file
      if ($progress -gt $prevProgress + 10) {
          Write-Progress -Activity "Checking for CVE-2021-26855 in the HttpProxy logs" -Status "$count / $($files.Count)" -PercentComplete $progress
          $prevProgress = $progress
      }
      # ... per-file log processing continues here and appends to $allResults
  }
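The same throttle generalised to wall-clock time, as an added example that is not from the issue or from Test-Hafnium.ps1: a run over 15 files and a run over 15,000 both redraw the progress bar about twice a second, and the timing harness below shows the cost of the per-item call on a constructed workload. Function names are my own.

```powershell
# Added example: time-based Write-Progress throttling, plus a measurement against the
# unthrottled per-item call on a constructed 150-item workload.
function Invoke-WithThrottledProgress {
    param(
        [Parameter(Mandatory)][object[]]$InputObject,
        [Parameter(Mandatory)][scriptblock]$Process,   # invoked once per item
        [string]$Activity = 'Working',
        [int]$IntervalMs = 500                          # minimum time between progress updates
    )

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $lastUpdate = -$IntervalMs   # negative start so the first item always draws the bar
    $i = 0

    foreach ($item in $InputObject) {
        $i++
        if ($sw.ElapsedMilliseconds - $lastUpdate -ge $IntervalMs) {
            Write-Progress -Activity $Activity -Status "$i / $($InputObject.Count)" -PercentComplete ([int]($i * 100 / $InputObject.Count))
            $lastUpdate = $sw.ElapsedMilliseconds
        }
        & $Process $item
    }
    Write-Progress -Activity $Activity -Completed   # remove the bar when done
}

# Constructed workload standing in for "parse one HttpProxy log": a small string scan per item.
$items = 1..150
$work  = { param($n) [void]('x' * 1000).IndexOf('y') }

$unthrottled = Measure-Command {
    $items | ForEach-Object {
        Write-Progress -Activity 'Unthrottled' -Status "$_ / 150" -PercentComplete ([int]($_ * 100 / 150))
        & $work $_
    }
    Write-Progress -Activity 'Unthrottled' -Completed
}
$throttled = Measure-Command {
    Invoke-WithThrottledProgress -InputObject $items -Activity 'Throttled' -Process $work
}

"Unthrottled: {0:N0} ms, throttled: {1:N0} ms" -f $unthrottled.TotalMilliseconds, $throttled.TotalMilliseconds
```

The absolute numbers depend on the host (the console redraw is what costs time, so ISE and the plain console differ), but the ratio between the two runs is what the issue is reporting.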

Setup /PrepareSchema fails with "The error code is: 8245"

Repro Steps:

  • open ADSIEDIT to the schema container and change one of the names of the Exchange Schema files
  • Run /prepareSchema (in my lab an upgrade was required when I did the test)

Seeing the following:

Performing Microsoft Exchange Server Prerequisite Check

    Prerequisite Analysis                                                                             COMPLETED

Configuring Microsoft Exchange Server

    Extending Active Directory schema                                                                 FAILED

The following error was generated when "$error.Clear();
 install-ExchangeSchema -LdapFileName ($roleInstallPath + "Setup\Data\"+$RoleSchemaPrefix + "schema80.ldf")

" was run: "Microsoft.Exchange.Configuration.Tasks.TaskException: There was an error while running 'ldifde.exe' to import the schema file 'C:\Windows\Temp\ExchangeSetup\Setup\Data\PostExchange2003_schema80.ldf'. The error code is: 8245. More details can be found in the error file: 'C:\Users\Han\AppData\Local\Temp\ldif.err'
 at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
 at Microsoft.Exchange.Management.Deployment.InstallExchangeSchema.ImportSchemaFile(String schemaMasterServer, String schemaFilePath, String macroName, String macroValue, WriteVerboseDelegate writeVerbose)
 at Microsoft.Exchange.Management.Deployment.InstallExchangeSchema.InternalProcessRecord()
 at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()
 at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".


The Exchange Server setup operation didn't complete. More details can be found in ExchangeSetup.log located in the <SystemDrive>:\ExchangeSetupLogs folder.

In the ldif.err file you see the following:

Entry DN: CN=ms-Exch-Coexistence-Domains,CN=Schema,CN=Configuration,DC=Solo,DC=local
Add error on entry starting on line 78: Unwilling To Perform

The server side error is: 0x20bb Schema update failed: duplicate OID.

The extended server error is:

000020BB: SvcErr: DSID-0326036D, problem 5003 (WILL_NOT_PERFORM), data 8379


An error has occurred in the program

The error code 8245 from the setup log appears to be "Unwilling to perform". This might be why it doesn't line up with the error code in the ldif.err file.

Need to add a check in the SetupLogReviewer.ps1 to find this and provide more insight.
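A parser for the ldif.err that setup points at, as an added example (a hypothetical helper, not code from SetupLogReviewer.ps1). It pulls out the failing entry DN, the LDIF line, the LDAP result, and the server-side and extended errors, and adds the insight this issue records for the duplicate-OID case; the sample input is the ldif.err text quoted above.

```powershell
# Added example: summarise an ldif.err file so the generic "error code 8245" in the setup log
# can be matched with the real cause recorded by ldifde.
function Read-LdifError {
    param([Parameter(Mandatory)][string[]]$Lines)

    $entry = [ordered]@{
        EntryDN       = $null
        LdifLine      = $null
        LdapResult    = $null   # e.g. "Unwilling To Perform"
        ServerError   = $null   # e.g. "0x20bb Schema update failed: duplicate OID."
        ExtendedError = $null   # e.g. "000020BB: SvcErr: DSID-..., problem 5003 (WILL_NOT_PERFORM), data 8379"
        Hint          = $null
    }

    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^Entry DN:\s*(?<dn>.+)$'                                   { $entry.EntryDN = $Matches['dn'].Trim() }
            '^Add error on entry starting on line (?<n>\d+):\s*(?<r>.+)$' { $entry.LdifLine = [int]$Matches['n']; $entry.LdapResult = $Matches['r'].Trim() }
            '^The server side error is:\s*(?<e>.+)$'                   { $entry.ServerError = $Matches['e'].Trim() }
            '^(?<code>[0-9A-Fa-f]{8}): (?<rest>.+)$'                    { $entry.ExtendedError = "$($Matches['code']): $($Matches['rest'].Trim())" }
        }
    }

    if ($entry.ServerError -match 'duplicate OID') {
        # The repro in this issue renamed an existing Exchange schema object in ADSI Edit, so the
        # OID the LDIF entry wants to add is already owned by an object under another name.
        $entry.Hint = "Another schema object already owns the OID that '$($entry.EntryDN)' would add; compare the existing Exchange schema objects with the names expected by the LDIF file."
    }

    [PSCustomObject]$entry
}

# Usage with the ldif.err content quoted in this issue (constructed from the text above).
$sample = @'
Entry DN: CN=ms-Exch-Coexistence-Domains,CN=Schema,CN=Configuration,DC=Solo,DC=local
Add error on entry starting on line 78: Unwilling To Perform

The server side error is: 0x20bb Schema update failed: duplicate OID.

The extended server error is:

000020BB: SvcErr: DSID-0326036D, problem 5003 (WILL_NOT_PERFORM), data 8379

An error has occurred in the program
'@ -split "`r?`n"

Read-LdifError -Lines $sample | Format-List

# On a real server the file path comes from the setup log line "More details can be found in the error file: '...'":
# Read-LdifError -Lines (Get-Content -LiteralPath "$env:LOCALAPPDATA\Temp\ldif.err")
```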

Deleting orphaned folders fails with access denied

When ValidateMailEnabledPublicFolders.ps1 produces the MailPublicFolderOrphans.txt file, it provides a command to delete all the folders listed in that file. That command uses DirectoryEntry.DeleteTree(). Unfortunately, that fails in certain permissions configurations, because DeleteTree permissions are different from DeleteChild permissions.

Another way to delete these objects is to call DirectoryEntry.Children.Remove() from the parent container, and this requires fewer permissions.
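The alternative described above, as an added example that is not the command ValidateMailEnabledPublicFolders.ps1 emits: each DN from MailPublicFolderOrphans.txt is removed through its parent's Children.Remove() rather than DeleteTree(). The file name is the one named in the issue; the function name is my own.

```powershell
# Added example: delete leaf directory objects via the parent container's Children.Remove(),
# which needs Delete Child on the parent rather than the Delete Subtree right DeleteTree() uses.
function Remove-OrphanedDirectoryObject {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$DistinguishedName
    )
    process {
        $child = [ADSI]"LDAP://$DistinguishedName"
        # DirectoryEntry.Parent is the container entry itself, so no DN string surgery is needed.
        $parent = $child.Parent

        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Remove from parent container')) {
            # Removes a leaf object only; an object that still has children fails here,
            # which is the case where DeleteTree() and its extra rights would be required.
            $parent.Children.Remove($child)
        }
    }
}

# Usage: read the orphan list produced by the script and delete with confirmation per object.
Get-Content -LiteralPath '.\MailPublicFolderOrphans.txt' |
    Where-Object { $_.Trim() } |
    Remove-OrphanedDirectoryObject -Confirm

# Preview only:
# Get-Content -LiteralPath '.\MailPublicFolderOrphans.txt' | Remove-OrphanedDirectoryObject -WhatIf
```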
