naphtaliYou can post your question and see if someone responds
spjps2009We have exchange 2010 server and it seems as if it is hacked somehow. Changing the users password doesn't give any results. What happens is the guy created a similar email to ours and somehow he gets the email threads and at the time of payment sends modified email with different wire transfer details. Anyone have any idea how to deal with this?
qbrixcan't believe winmail.dat is still an issue
qbrixfeel like I battled that 15 years ago
naphtaliSame here qbrix
qbrixspjps2009: that was hard to follow
qbrixspjps2009: to confirm, your DNS/MX records are fine? just your Exchange server might be compromised?
naphtalispjps2009, first secure your Exchange server. Change everyone's password and look at how the mailboxes are accessed. i.e. Outlook Anywhere, OWA, EAS. Ensure only the users that need access outside the office can get email on outside/mobile devices. One of your users most likely fell victim to a phishing email and gave their credentials away
naphtaliAlso look at what outside servers are allowed to connect to your Exchange, i.e. lock it down to a smarthost/filter. Then look at your email filtering to catch these phishing attempts. Next, train the end users to spot it
qbrixAlso check your registrar login to make sure you still have access to manage DNS/MX
naphtaliIf you have any of the phishing emails, check the header to see how it got to your end user. The email itself could be the basis for your end user training on how to spot it
naphtaliConsider implementing additional checks for wire transfer payments
naphtalii.e. human checks
naphtaliLook at your password policies (changing them more often, lock outs, 2FA)
spjps2009Sorry have to go. Will be back in little while with more information
Jagst3r15anyone here familiar with IIS and SMTP?
Jagst3r15when I send mails via SMTP from my domain TO users on the same domain, they do not go through
Jagst3r15using windows 2012, plesk 12.5, and IIS 8
digin4hello, which MCSE certification would one choose after doing MCSA windows server 2016?
furmeladedepends on your career path obviously
sysaceI'm trying to find a way to remotely get local users via commandline. I can successfully do this using computer management but not using WMI (latter results in access denied). I guess this has to do with WMI permissions. I have also tried using ADSI, with similar errors. Is there any other way to achieve this without using WMI or ADSI? Since i have to do this for hundreds of hosts i cannot use computer management.
furmeladepowershell
sysaceI tried ADSI and WMI using powershell
furmeladeif ps v5: Get-LocalUser
furmeladeif not: fix your permissions
sysaceNot sure why the permissions are an issue since i'm able to connect to the host using computer management (compmgmt.msc). Do you know which service is used by computer management and if that service can be accessed using some cmdline tool?
MrMojit0I have two servers and on each server I got some folders I want to include in the DFS-Namespace. Now I'm wondering if it's safe to install the DFS role on a DC and then map the two servers with folders for the namespace? And do I need the DFS role be installed on one server (DC in this case) or also a second server so if the DC goes down another server can host up the DFS-Namespace as well?
Alternityyour DC's already have the DFS role installed
Alternitythey just don't have the dfs gui tools installed
AlternitySYSVOL uses DFS for replication
Alternityit's fine to use them for your custom namespaces. You can straight up add them right now
MrMojit0Alternity: Cannot disagree on that part, should I use Powershell to add the namespace or install the GUI?
Alternityjust use posh if you're comfortable
MrMojit0Well, it's a test lab so better try; if it breaks, no worries.
MrMojit0And is it wise to rollout the DFS-Namespace on two servers, so in case one server breaks with the DFS-Namespace the other can be used as a backup?
Alternityyep that's the idea
MrMojit0Thanks
MrMojit0Is it normal not to see the current SYSVOL when doing Get-DFSNroot
spjps2009 We have exchange 2010 server and it seems as if it is hacked or something is hacked somehow. We changed password of user many times but it doesn't affect it. What happens is the scammer created a similar email to ours and somehow he gets the email threads and at the time of payment sends modified email with different wire transfer details. For example this is email the original customer sent: https://imgur.com/oy2bEmA ,
CptLuxxyou know that anyone can send with any email address?
CptLuxxi can also send you emails with @paypal.com
spjps2009Yes, but he got ahold of the original email which only our email server and the other email server has
spjps2009That means he has access to it somehow
BobFranklyand every intermediary network device in between
spjps2009this has happened with multiple customers, so i think it has to do with our network
CptLuxxwell
CptLuxxcheck the eventlog for logons..
BobFranklyso you know how to produce the issue?
CptLuxxmaybe he only set up a forwarder for all emails
spjps2009i checked the exchange server and didn't find any forwarding address for the users
CptLuxxav?
CptLuxxeventlog?
spjps2009BobFrankly, what do you mean?
Harlockif he got to the exchange server it could be an event sink
spjps2009CptLuxx, do you know what i should be looking for
CptLuxxlogons..
CptLuxxis your rdp exposed to the interweb?
abeNd-orgspjps2009: your spf/spfv2/dkim/dmarc/ptr records all good as well?
spjps2009no we have rdp gateway with certificate
BobFranklyspjps2009: it's triggered by payment emails or activity?
CptLuxxi bet he has nothing like that abeNd-org
spjps2009abeNd-org, we have spf, didn't have chance to setup dkim, dmarc
abeNd-orgCptLuxx: guessing you are correct, but I figured I'd throw that out & go back to idling
CptLuxx:D
spjps2009BobFrankly, it looks like he has access to all the emails and only sends the crafted email when time for payment comes
CptLuxxyou have an av?
BobFranklyspjps2009: if it's triggered by that, then you should be able to send fake emails to test the trigger. If *your* fake emails trigger the spammer, then you can start using wireshark/procmon to start looking to see if it's coming from your network
spjps2009we have av on all computers, not on server
CptLuxxmkay
BobFranklywhy protect the most important stuff, amirite?
Harlockif one sets up av badly on an exchange server one can screw oneself over
BobFranklyACTION guesses that downtime for patching isn't allowed either
spjps2009Actually we had it before but microsoft recommended we remove it because it was messing with exchange
CptLuxxwat
furmeladelel
spjps2009it's patched lol
BobFranklysounds like the free MS support level
BobFranklyhave to get premium support to get MS to look past their own feet
furmelade*premier support
Harlockms guys say all sorts of things, i had an Azure guy on the phone yesterday and he suggested deleting and recreating our domain admin account
Harlockum, no
BobFranklyty furmelade
BobFranklyHarlock: that's when you hit HIS face with your palm
BobFranklynever ceases to amaze me when I get premier MS guys on for fixing SCCM server issues
BobFranklythey look at 3-8 logs, then make 2 changes in completely different screens that fix things
BobFranklyregular MS support would have tried to get me to reinstall the whole mess
spjps2009however i don't see anything strange on server
naph-Wspjps2009, did you get your phishing issue fixed?
furmeladeBobFrankly: the professional support doesn't even touch anything
spjps2009no not yet lol, it happened multiple times with same user, I'm not sure if it's phishing
furmeladethey'll just look at it and say: "uh no this is premier support stuff, kthxbai"
BobFranklyfurmelade: ha
spjps2009CptLuxx, looking into logon event logs, thanks for the tip!
sepeckhey, BobFrankly https://blogs.technet.microsoft.com/antoni/2018/02/03/system-center-2016-operations-manager-and-operations-management-suite-oms-101-series/
BobFranklyoooo, bookmarked
gkwhchi, might anyone have experience with VPN? I've set it up correctly and have been using it for a while now. our network just went down and i can't seem to connect to the server. im using SSTP which is on port 443, but using a port checker it does not see the service. its supposed to be open isn't it?
naph-WIs the RRAS service running?
CptLuxxwell
CptLuxxhe can't connect so i say no
CptLuxx:D
naph-WMaybe your monero miner is using 443
gkwhcnaph-W, CptLuxx: yes and i also just restarted the service
naph-Wgkwhc, can you connect to the VPN from the inside?
naph-WAlso, check the Event Log on the RRAS server
gkwhchowever i can teamviewer in and from inside i can browse webpages
gkwhchm lemme try that
gkwhcnaph-W: nope can't vpn from inside
naph-WCheck the Event Logs, perform a websearch on the error message or numeric code in the error message
naph-WIt might point to the exact cause
gkwhcnaph-W where can i check that?
naph-Weventvwr.msc
gkwhcthanks
gkwhcnaph-W: i get an error code of 0x8007274D but cant seem to figure out what went wrong
CptLuxxdid you google that code?
gkwhcCptLuxx: yes
CptLuxxand?
gkwhcCptLuxx: the issue could be multiple reasons and i still have not yet been able to isolate the cause
CptLuxxso read what other people write to this error and see if it applies to you?
CptLuxxbasic troubleshooting?
gkwhcthat's what I'm doing right now but i feel extremely lost
KaiForceCan Exchange 2010 autorespond for an alias?
CptLuxxi say no
KaiForceokay
qbrixcan't create a transport rule for that?
qbrixnot sure if that'll work with an alias
KaiForceI'd rather just get rid of it, the guy died a year ago
naph-WIs there a company policy on how long email forwards are retained for former employees?
naph-W1 year seems kind of long
CptLuxxnaph-W i think we need some AI bots
CptLuxxto answer all our emails when we die
naph-WEventually AI will do my IT job
naph-WSo the problem will solve itself
CptLuxxhm
CptLuxxi hope my AI will be hired by your AI
naph-WBut I have the people skills so I will not be replaced as fast as some others, like guys that write PS scripts all day
naph-WAny AI can do that
CptLuxxsad BobFrankly
naph-WHe will be OK. AI can't replace toner yet
BobFranklyGet-Naph | Replace-Naph
BobFranklywoops! Forgot to add -force there
CptLuxxwhatif
BobFranklywhatif isn't super reliable
BobFranklyI wouldn't use it with the MS ActiveDirectory module again
naph-WGet-Lunch
BobFranklyACTION makes mental note.... invoke-command -user naph-W -scriptblock {Get-Lunch}
KaiForcenaph-W not likely
naphtaliYou sank my battleship!
gkwhchey CptLuxx, would you mind giving me a few ideas of where/how to look to solve this VPN issue? I've been at it since 10am and still couldn't figure it out
Dralock1I think the correct question would be why did your network go down
gkwhcDralock1: not the internal network, but WAN/internet went out
Dralock1why would it work on the internal network?
Dralock1Was your router restarted? Did you have the working config saved or was it just an unsaved running config?
Dralock1nm I'm out, peace
gkwhcboth the client and the server have to use the same certificate right?
hirogenguyz
hirogenim gonna pose a retarded question in general, but isn't the cloud placing you guys out of employment, with everything moving there ?
hirogenor at least reducing staff eventually
naphtaliSince I am not sure if you are serious and the answer is both long and possibly complex, I won't spend the time
hirogeno0k
hirogenok
hirogenyeah i wasn't totally
indus3algood evening, fellas
BobFranklyhello sir
indus3alhello
electricmilkhello
electricmilkWhat's up?
indus3al"not much"?
BobFranklywhy this language?
electricmilkbecause Spanish is very pretty and I am learning Spanish
electricmilkOh shoot this is ##Windows-server
indus3alyes, it is very nice
electricmilkmy bad
naphtaliPretty late for you indus3al
electricmilklol thought I was in another channel. No messing around here
indus3alnaphtali: o/ there you are, brother. or is it pretty early? ^^
naphtaliYou working late tonight?
naphtaliIt's 5pm here
indus3alno, i never do. it's midnight here and i always leave work at about 6pm
indus3alone of the positive sides of working as a.. hm... what is it? public employee? no late shifts or "extra hours"
naphtaliWho monitors the servers after normal work hours to ensure your PS script doesn't consume all the I/O?
indus3alhehe if the server explodes at 6pm, i will leave anyways.
indus3alheck, i even restart my (only) dc in the middle of the day if there are people online.
BobFranklyindus have no VMWare?
indus3alBobFrankly: we are starting with virtualization now once we switch to server 2016, but it's just Hyper-V
naphtaliBob, I think he just restarts it out of spite
BobFranklythat's still enough to setup a backup DC :P
indus3albut well, they have successfully taken away any motivation of my local team here in the past year.
BobFranklynaphtali: this, I believe
naphtaliTrotz?
indus3also in the future, i think i won't be doing much scripting or developing new ideas and stuff
indus3alhehe "out of spite", good to know
indus3alyeah it's Trotz in German or trotig is the adjective
indus3alor you can say "absichtlich" or "mit Absicht"
indus3altrotzig
naphtaliWho will do the scripting?
BobFranklyindus3al: you're able to create new VMs. The first thing you setup is a donkey VM, that all your scripts run from and your VC system lives
indus3althe new bosses at the other team
indus3althey decide everything now, but then i let them deal with eventual problems
indus3ali won't care anymore
BobFranklyoh, they're "taking charge" ?
naphtalidonkey VM?
indus3alyeah, it's just the boss decided, we all have to do it the way that other team does it.
BobFranklydo they do hyperV scripting?
indus3almy team was notorious to do it "our own way", but that was because we actually HAVE the people that are capable of doing their own stuff
indus3aland not just clicking through someone else's manual
indus3al+s
indus3alpersonally, i find the way the other team does the stuff that needs to be done not elegant, but well.. hm.. clumsy... chaotic.. without vision etc
indus3albut that does not count. at least not for the boss. they are quick and dirty, and it's more important to always run the latest version than having things set up in a clean way
BobFranklydo they document their process?
indus3algranted, i am much slower at developing stuff, but im more thorough
indus3alyeah, they made up some manual we click through now
indus3aland yes, in the end, "it works"
BobFranklyso it's on them when it fails
BobFranklyawesomez
indus3alof course
BobFranklyso you write a script that automates their process and sleep at work
indus3ali will be paying much attention to it, when something fails, i will shrug my shoulders and say, who am i to take charge, i just clicked through a manual, as it was asked from me
indus3altheir process is partly automated already, and yes, i scripted the missing things that they said we had to click through
BobFranklythat sounds an awful lot like independent thinking indus3al
BobFranklycareful now
indus3alBobFrankly: which part sounds like that? independent thinking is exactly what my boss is trying to avoid, i guess ^^
BobFranklyexactly :P
indus3alhehe
indus3alfrom the boss perspective, i can even understand it. it's easier to have 40 employees that stay dumb and are just clever enough to click through a manual. i can even let one of my students do that
indus3alas a boss he will be less dependent on work drones like that
indus3aleasier to get rid of such people.
indus3alif only 2 out of 40 are really developing new things, he just will have to take good care of those two people since they are the really important ones
indus3althe other click drones, well... expendables
BobFranklyjust make sure you're not covering for the 2 by using your under-valued experience :)
indus3alhehe
indus3aland it's really sad to see that from our 40 people in about 5 different teams, there seem to be only maybe 5 that have the capabilities of scripting etc... the other ones are on such a low level, we even have to develop GUIs for simple powershell scripts to make it clicky
indus3aland in my team, we actually went through all of their scripts and well... we were appalled or how that's spelled
indus3albut i guess the majority just doesn't care. they couldn't even care because a simple script is beyond them. all they need is a gui for the clicks.
BobFranklyI've been compiling scripts to EXE to help those people
indus3alhehe
indus3ali can understand that for end users, yeah
indus3albut we as admins... sad to see...
indus3alat least for me.
BobFranklyno, for first tier support
indus3alhm ok we arent that diversified.
BobFranklyhow many people do you have?
indus3alhere its just well the users and our group of admins.
indus3almy guess is about 40 in 5 teams
BobFrankly40 admins?
indus3albut those teams are only separated based on location, not on duties
indus3alin my team here, we are 6 people.
BobFranklyACTION suspects your management needs some training
indus3alwell, it's not a big city. it's an entire country with mountains and lots of valleys and we have about 400 small sites, so it makes sense to group people in the bigger "cities" here
indus3alit's not like say 40 people in chicago or 40 people in berlin or whatever.
indus3alhey, we really have lots of snow this winter. and we are a big tourist region here, you people should really come over here to ski and other winter sports :-p tourism is everything here
gkwhchey guys, in SSL, is the client supposed to have the exact same certificate as on the server application to "authenticate"?
gkwhcor are the certs supposed to be different but related
BobFranklygkwhc: I think the piece you're missing is the CA
BobFranklythat's the third party used for confirming a certificate
gkwhcBobFrankly: so on the server, the CA cert should be used?
gkwhci issued my own cert
BobFranklyfrom your AD PKI?
gkwhcyeah
gkwhci think so
BobFrankly...ADCS
BobFranklywhats this key for?
gkwhcBobFrankly: sstp vpn
BobFranklysomething that I'm not super familiar with, but okay
BobFranklyare you expecting personal computers to be able to connect, or only company equipment
gkwhcBobFrankly: under routing and remote access in the server manager, there is an option for security SSL certificate
gkwhcBobFrankly: either, since both were able to connect, but not anymore after the ISP service went down and up today
BobFranklyokay, so this was working, network choked, and now it isn't
BobFranklywhat certificate was in there before?
gkwhcBobFrankly: right. the internal network should be intact though and i don't recall making any or big changes to the server this past week
gkwhcBobFrankly: what do you mean what certificate?
BobFranklydid you issue the cert we were talking about today?
gkwhcBobFrankly: no the certs were issued when the vpn was set up
HarlockAHA!
BobFranklyokay, so the way SSL works (I think) is that client connects, server hands over the certificate, client checks for the certificate authority and confirms the certificate through that, PROVIDED the client TRUSTS the certificate Authority.
BobFranklyI might be skimming/skipping some details
BobFranklyanyone else, feel free to hop in and slap me
BobFranklyin a domain, the computers trust the CA automagically. Non-domain (or non-company) computers won't trust your CA just because it says so. That's usually why people get one of the larger CAs to issue a certificate
indus3alhehe
BobFranklybut if your stuff was working before, I have to presume all of that was worked out
BobFranklywhat you laughing about indus?
indus3alBobFrankly: about the "hop in and slap me" part, i like learning such phrases from native speakers
BobFranklylol
indus3alit has nothing to do with your technical expertise ;)
indus3ali know nothing about certificates, so im just listening
BobFranklyI fully admit I'm operating on the edge of my knowledge here
BobFranklycertificates are always a pain
BobFranklygkwhc: I'd check the system clock. Both on your servers and your clients
BobFranklyclocks out of sync can cause issues with valid certificates
indus3alhehe same as when windows activation on a kms server fails. first thing, check date and time ^^
Harlockhehe, i just converted a dvd for a staff and copied it on a mem stick, started playing the video i just made and pulled out the mem stick and handed it to her and pointed to the video playing, "look it's wireless"
BobFranklylol
Harlockthen i had to explain i was kidding around
BobFranklythe problem is that they wont believe you
BobFranklyand they'll be calling tech support later tonight when it doesn't work
Harlockthe problem is she believed be too readily
Harlockme
indus3alyesterday i had to do hm... rescue 911 ? for the first time in 15 years at the job... how is that called in english?
indus3ala young student kinda went out like a light ^^
indus3al"first aid"?
gkwhcBobFrankly: thanks, just read your messages. the server, which is also a CA, has 4 certificates. i believe client computers can install certs from the server so it trusts the server