Tuesday, June 23, 2020

Tweaks and best practices for Office 365

A list of tweaks and best practices for configuring Office 365 most of these were shamelessly stolen from the sysadmin today podcast, some were also taken from Microsoft Office 365 deployment guidance. As Microsoft continues to develop their platform much of this will change but I think at the moment this is a great starting point.
  1. Establish main tenant administrator with strong password and MFA and create a break glass global admin account using yourtenet.onmicrosoft.com so if a mistake is made you can still login to Office 365 as a global admin. 

  2. Enable/Verify that modern authentication is enabled and or enable security defaults in azure AD, if you are deploying hybrid configure conditional access rules so your Exchange service account is never prompted for 2fa from your exchange servers IP.

  3. Setup tenant profile with organization information: https://admin.microsoft.com/AdminPortal/Home#/companyprofile

  4. Configure Account Recovery Options: https://aka.ms/ssprsetup

  5. Grant Delegated Admin to CSP (if MS Partner)

  6. Disable self service Purchases across the board:

Install-Module -Name MSCommerce #once you install you should remove this line
Import-Module -Name MSCommerce 
Connect-MSCommerce #sign-in with your global or billing administrator account when prompted
Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase | forEach { 
Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $_.ProductID -Enabled $false  }
  1. Consider limiting group creation so that only users of the group “Group Admins” security group are allowed to create office 365 groups: https://docs.microsoft.com/en-us/office365/admin/create-groups/manage-creation-of-groups?view=o365-worldwide

  2. Configure Tenant alerts email addresses as a distribution group and set it in powershell.

Set-AzureADTenantDetail -SecurityComplianceNotificationMails "alerts@domain.com" - TechnicalNotificationMails "alerts@domain.com" -MarketingNotificationEmails "alerts@domain.com"
  1. Enable Unified Audit Logging
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True
  1. Enable Mailbox Audit Logging
$AuditSettings = @{
AuditEnabled = $True AuditLogAgeLimit = 365 AuditOwner =
"Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update,UpdateCale ndarDelegation,UpdateFolderPermissions,UpdateInboxRules"
AuditDelegate = "Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelet e,Update,UpdateFolderPermissions"
AuditAdmin = "Copy,Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,Soft Delete,Update,UpdateCalendarDelegation,UpdateFolderPermissions,UpdateInboxRules"
Get-Mailbox | Set-Mailbox @AuditSettings
  1. Set Language and Time Zone for All Users this will save them a step when they first sign in
Get-Mailbox | Get-MailboxRegionalConfiguration | ? {$_.TimeZone -eq $null} | Set-MailboxRegionalConfiguration -Language 1033 -TimeZone "Central Standard Time"
  1. Increase Deleted Item Retention from 14 to 30 Days
Get-Mailbox -ResultSize unlimited | Set-Mailbox -RetainDeletedItemsFor 30
  1. Show mailtip for External Recipients
Set-OrganizationConfig -MailTipsExternalRecipientsTipsEnabled $True
  1. Show mailtip for large number of recipients (Shows tip Beyond threshold)
Set-OrganizationConfig -MailTipsLargeAudienceThreshold 10
  1. Set Outbound Spam Notifications
Set-HostedOutboundSpamFilterPolicy Default -NotifyOutboundSpam $true - NotifyOutboundSpamRecipients “alerts@domain.com”
  1. Prevent Inbox Rules Forwarding Messages Externally, strongly recommend. 
Set-RemoteDomain Default -AutoForwardEnabled $false
  1. Prepend Disclaimer on External Messages
$TransportSettings = @{
Name = 'External Sender Warning'
FromScope = 'NotInOrganization'
SentToScope = 'InOrganization'
ApplyHtmlDisclaimerLocation = 'Prepend' ApplyHtmlDisclaimerText = "<p><div style='border:solid #9C6500
1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line- height:12.0pt;background:#FFEB9C'><b><span style='font- size:10.0pt;color:#9C6500'></span></b><span style='font- size:10.0pt;color:black'>[EXTERNAL]<o:p></o:p></span></p>"
ApplyHtmlDisclaimerFallbackAction = 'Wrap' }
New-TransportRule @TransportSettings
  1. Increase OneDrive Deleted User Retention (up to 3650 days) no typo 10 years is correct and can be configured.
Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod 180
  1. Disable IMAP / POP Protocols For Current Users, also strongly recommend.
Get-CASMailbox -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true" } | Select-Object @{n = "Identity"; e = {$_.primarysmtpaddress}} | Set-CASMailbox -ImapEnabled $false -PopEnabled $false

and for Future Users

Get-CASMailboxPlan -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true" } | set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false
  1. If migrating a large environment call Microsoft and ask them to disable throttling for your tenet.


Azure AD Notes (Some features may require advanced licensing like Azure AD Premium P1)

Reporting Audits

Saturday, June 13, 2020

Useful Group Policy WMI Filters

One of group policy’s best yet seldom used features is WMI filtering which allows an admin to apply policies to windows computers conditionally instead of statically based on what OU a computer or user object is in. Here are a few of my favorites, all of them are in root\CIMv2 unless otherwise specified.

Filter by OS Install Date Incredibly useful if you are looking to push new software automatically to only new computer or computers that have been freshly imaged with MDT. The example below will only apply to computers that have an install date greater than 2016-04-09

SELECT * FROM win32_operatingsystem WHERE Installdate>="20160409111400.0+0"

Filter by Memory Type This allows you to filter by desktops and laptops if you have desktops that do not have sodimm memory. If you do have desktops with sodimm memory you might combine this with another WMI filter that queries if systems have a battery present

Note that If you have systems which are small form factor and have UPS’s attached this may not work for you.

Desktops (devices not using SODIMMs)

Select * from Win32_PhysicalMemory WHERE (FormFactor != 12)

Laptops (devices using SODIMMs)

Select * from Win32_PhysicalMemory WHERE (FormFactor = 12)

Filter by Windows Desktop Operating Systems Filtering by Windows Desktop Operating Systems is useful if you have changed the default Computers Container to an OU with policies applied, doing this ensures that when Servers are joined to the domain and appear in an OU instead of a container they do not pickup group policies designed for desktops.

select * from Win32_OperatingSystem WHERE ProductType = "1"

Filter for Windows 10

select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"

Filter for a specific build of windows 10 In this case windows 10 1909 useful if you want to control windows update with group policy.

select * from Win32_OperatingSystem where Version like "10.0.18363" and ProductType="1"

Filter for 64 Bit Windows Servers

select * from Win32_OperatingSystem where (ProductType = "2") OR (ProductType = "3") AND  OSArchitecture = "64-bit"

From these you should find that you can filter just about all the various parts of your windows 10 infrastructure.

Saturday, April 25, 2020

Changing Default Containers to OU's in AD

In windows by default there are two containers, the Computers container and Users Containers. When you join new workstations, servers or add new users to your domain they will show up in either of these by default and no policies will be applied to them until you move the user or computer object into an OU. This is because Group Policy Objects do not apply to containers only OU’s. Luckily you can change where active directory puts computers and users upon creation using the following commands:

Set the default OU for new computers to land in using redircmp

C:\Windows\system32>redircmp "OU=New Computers,OU=Computers,OU=Your OU,DC=ORG,DC=COM"
Redirection was successful.

Set the default OU for new user accounts to land in using redirusr

C:\Windows\system32>redirusr "OU=New Accounts,OU=Accounts,OU=Your OU,DC=ORG,DC=COM"
Redirection was successful.

Once done you should find that newly added users and computer land in your newly designated OU’s which will allow you to do things like automatically push software to new workstations via group policy or make sure that new users get their home folders and network drives mapped without any further changes.

Useful Links

A collection of things that I’ve found useful for one reason or another during my time troubleshooting windows workstations and helping end users. Hopefully you will find them as helpful as I have.

The links to these tools contain the MD5 as the downloads are hosted by myself from a Backblaze bucket you should check the MD5 of what you download before you run any of it, checking the MD5 does not make the software safe but it does make sure that at least you got what you attempted to download check your MD5 elsewhere to confirm. None of this software is mine this is just a collection of links to acquire it use at your own risk.

TFC MD5: 788fcddd88240a85039f7f561093b118
The temp file cleaner by old-timer is a classic utility designed to clean all the old temp files off of windows systems, works with Windows xp - Windows 10
Take Ownership MD5: 38a8674b9bb64a27ec999fcc9e3df662
An old registry hack that enables a take ownership right click option, useful for when you’re stuck with a file you can’t seem to change the permissions of even though you have admin access.
hpflash1 MD5: e30ffd26b45c78303085dc4f35a24a80
The HP flash utility, great for making DOS boot drives.
DoubleDriver MD5: 98f948a5806cf6d84bfb2dabc8c48a95
Double Driver, the unsung hero of printer migrations and new system builds. This utility can suck the drivers right out of an existing windows install and throw them directly at a new one.
Putty! For all your SSH, Serial and Telnetting needs, no direct download provided go get it from the source.
for when you really need to check and see if you can configure something with Group Policy.
Windows CLI things Get the service tag of dell PC’s from Command Prompt or PowerShell
wmic bios get serialnumber
Expire a computers kerberos ticket thus forcing the computer to get a new one this helps windows detect a change in AD OU’s without rebooting so that you can run gpupdate /force without needing to reboot. Useful for systems that cant be shut down but do need to be moved in AD.
klist -li 0x3e7 purge

Group Policy Troubleshooting from the Command Prompt

A series of useful tips and tools for diagnosing group policy issues in windows.

Force a system to expire its current kerberos ticket, this will make the system check what OU its in and thus apply any new group policy’s. Useful if you have moved a computer to a new OU and need it to apply the new policies of that OU but cant afford the down time of a reboot.

klist -li 0x3e7 purge

Change what domain controller group policy is being pulled from. This is especially useful if you have just discovered that your DFSR SYSVOL is no longer replicating correctly.

nltest /dsgetdc:example.com
nltest /Server:$ClientComputerName /SC_RESET:example.com\dc.example.com

See policies applied to the local computer

gpresult /r

Getting the group policy results from a workstation through psexec

gpresult /user User-Logged-In /scope computer /r

See remotely installed printers I use:

wmic printer list brief
wmic printer get name

This just shows a short list of printer attached to the system you run the command on. It will also show what computer a printer is connected to if there’s a network printer.

You can also use this to get a very detailed list of configuration for each printer installed on a system:

wmic printer list full

To output it to a text file, nothing fancy can be done with basicly any command that has an output.

wmic printer list brief >> c:\users\admin\documents\printerlist.txt

Friday, April 24, 2020

Implementing Software Restriction Policy on Windows

A guide for setting up Software Restrictions in Group Policy.
Under Enforcement Properties set “All software files except libraries (such as DLLs)”, “All users except local administrators” (which will allow members of the local administrators group to bypass the policy completely) and ignore certificate rules unless you are planning to whitelist software via certificates, this can be handy for allowing user to install some programs to %appdata% such as slack, and or certain video conferencing software.

Under Designated File Types remove .lnk files, leaving this option enabled can cause start menu items to stop working as well as all shortcuts to exe files which are now pervasive through the windows operating system. This is mentioned in the NSA document but they list making a rule to allow it, other sources recommend removing it from the designated file types list which seems to be the correct way to do this. Under Security Levels set the policy to Disallow, this will prevent software from running regardless of the access rights of the user.

Paths the NSA recommends restricting

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\Debug
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\Registration
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\catroot2
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\com\dmp
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\FxsTmp
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\spool\drivers\color
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\spool\PRINTERS
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\spool\SERVERS
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\Tasks
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\SysWOW64\com\dmp
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\SysWOW64\FxsTmp
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\SysWOW64\Tasks
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\Tasks
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\Temp
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\tracing

Paths the NSA recommends allowing

In the original document there is an invisible space right before “Windows” to be cautious of the below line has been corrected.
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%
as well as sysvol so any logon scripts you have will still run, not adding this will break any logon scripts you have.
An alternate value for the x86 directory might be needed in certain versions of windows, it is not needed for windows 10. to add if the x86 exception listed by the NSA is causing difficulties adding the below line might resolve them. This should not be necessary in most cases.

Blocking The Windows Store and Xbox apps in Windows 10

Windows Store, blocking this will disable users from launching the windows store and thus prevent users from installing apps from it.
Xbox Apps, Windows 10 ships with a couple different xbox applications, removing these is problematic but blocking them from running is not. This will prevent users from downloading PC games or connecting to and streaming from xbox systems on the network or outside of it. (Microsoft is adding an ability to connect to a home xbox in a future xbox release.)

Whitelisting modern applications

Some windows applications such as OneDrive run from appdata, as such you may need to whitelist additional locations so that these applications can function properly, this also goes for windows store applications. In the case of OneDrive the path is
Applications installed from the windows app store (if you have chosen not to block them) will install to the directory C:\Program Files\WindowsApps whitelisting the specific directory can allow these to run, windows will allow you to use wildcards in the path names so for example
C:\Program Files\WindowsApps\spo*
Will allow any app contained within any folder under WindowsApps that begins with “spo” to run, in this example spotify as installed from the windows app store would run.

Other Considerations