<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Security on Zachary Loeber's Blog</title><link>https://blog.zacharyloeber.com/categories/security/</link><description>Recent content in Security on Zachary Loeber's Blog</description><generator>Hugo</generator><language>en</language><lastBuildDate>Mon, 03 Mar 2025 00:00:00 +0000</lastBuildDate><atom:link href="https://blog.zacharyloeber.com/categories/security/index.xml" rel="self" type="application/rss+xml"/><item><title>Understanding Organizational Secrets</title><link>https://blog.zacharyloeber.com/article/understanding-organizational-secrets/</link><pubDate>Mon, 03 Mar 2025 00:00:00 +0000</pubDate><guid>https://blog.zacharyloeber.com/article/understanding-organizational-secrets/</guid><description>&lt;p>Let&amp;rsquo;s face it, IT often struggles with secrets management. From API keys that need to be registered/rotated, certificates that need to be requested/renewed, LDAP/AD credentials that need to be maintained, password complexity requirements to be enforced, and more. It can be cognitively difficult to manage the various secrets for a single project let alone an entire organization. This discussion will help define the credential categories and the tools used to manage them.&lt;/p></description></item><item><title>Email Reputation and Design: A Condensed Guide</title><link>https://blog.zacharyloeber.com/blog/2018/02/24/email-reputation-and-design-a-condensed-guide/</link><pubDate>Sat, 24 Feb 2018 15:59:26 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2018/02/24/email-reputation-and-design-a-condensed-guide/</guid><description>&lt;p>Very few domains implement the holy grail of email identity reputation frameworks, &lt;a href="https://dmarc.org/">DMARC&lt;/a>. 
This guide will cover all the steps required to get it implemented for your domain along with some best practices for overall email reputation design.&lt;/p></description></item><item><title>Powershell: New-ADPasswordReminder</title><link>https://blog.zacharyloeber.com/blog/2016/10/13/powershell-new-adpasswordreminder/</link><pubDate>Thu, 13 Oct 2016 19:03:55 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2016/10/13/powershell-new-adpasswordreminder/</guid><description>&lt;p>A single, self-extracting, self-scheduling, AD password change notice PowerShell script.&lt;/p></description></item><item><title>PowerShell: My Profile</title><link>https://blog.zacharyloeber.com/blog/2016/05/04/powershell-my-profile/</link><pubDate>Thu, 05 May 2016 02:31:54 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2016/05/04/powershell-my-profile/</guid><description>&lt;p>I’m always interested to see how other people set up their working environment or get things done. But rarely do I share my own environment. 
Since I’m putting the effort into pushing my scripting environment publicly to GitHub I may as well explain a bit more about some of what I’ve set up.&lt;/p></description></item><item><title>Exchange: Stop Email Exfiltration</title><link>https://blog.zacharyloeber.com/blog/2015/09/24/excxhange-stop-email-exfiltration/</link><pubDate>Fri, 25 Sep 2015 01:41:25 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2015/09/24/excxhange-stop-email-exfiltration/</guid><description>&lt;p>When your users leave or get removed from the organization they may still be getting company confidential information. Here is how you can find out and stop this from happening.&lt;/p></description></item><item><title>Powershell: Login As Batch Job Security Rights</title><link>https://blog.zacharyloeber.com/blog/2015/07/17/powershell-login-as-batch-job-security-rights/</link><pubDate>Sat, 18 Jul 2015 04:09:12 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2015/07/17/powershell-login-as-batch-job-security-rights/</guid><description>&lt;p>Here is a quick bit of PowerShell. It is some snippets of C# code wrapped up with PowerShell which will allow you to assign accounts to the ‘login as batch job’ local security rights of a local machine. The code is no great shakes but it is a good example of how you might take some existing online code and modify to suit your needs in PowerShell. 
This function also complements another script I’ve released in the past for automatically scheduling PowerShell scheduled tasks rather well.&lt;/p></description></item><item><title>Powershell: Check For Misplaced Certificates</title><link>https://blog.zacharyloeber.com/blog/2014/12/10/powershell-check-for-misplaced-certificates/</link><pubDate>Thu, 11 Dec 2014 03:02:28 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2014/12/10/powershell-check-for-misplaced-certificates/</guid><description>&lt;p>Here is a script I absentmindedly put together one evening while power watching a TV series on Netflix with the wife. The general idea of this script is to check local machine, trusted root, and intermediate trusted root stores for misplaced or duplicate certificates.&lt;/p></description></item><item><title>Exchange Mailbox Auditing with Powershell</title><link>https://blog.zacharyloeber.com/blog/2014/11/24/exchange-mailbox-auditing-with-powershell/</link><pubDate>Tue, 25 Nov 2014 05:55:01 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2014/11/24/exchange-mailbox-auditing-with-powershell/</guid><description>&lt;p>Some time ago I wrote a script and GUI for performing security audits of Exchange mailbox and calendar rights in an environment. 
This script was far more popular than I anticipated and, I’m ashamed to say, was rather poorly written by my current Powershell standards. There is an obvious need to simplify the extraction of mailbox permissions or my old script would not still be so popular. So I’ve started to revisit my old code for this project in hopes of remaking it with my PowerShell reporting engine. The first step in this process is to pull out the several bits of code that do the actual rights/permissions extraction. I think I’ve finally got this part done and see no reason not to release this mini-library of functions first.&lt;/p></description></item><item><title>Lync and UM Correlation with Powershell</title><link>https://blog.zacharyloeber.com/blog/2014/11/13/lync-and-um-correlation-with-powershell/</link><pubDate>Fri, 14 Nov 2014 03:31:13 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2014/11/13/lync-and-um-correlation-with-powershell/</guid><description>&lt;p>I’ve been working on an Exchange/Lync voice deployment lately and have found a new level of frustration for the lack of connectivity between the several voice components involved in turning up such a solution. That being said it is not very difficult to validate your deployment with a bit of Powershell.&lt;/p>
&lt;p>There are a few necessary results to gather where I believe it can be easy to ‘miss’ configuration steps when turning up or disabling users:&lt;/p></description></item><item><title>Powershell: System Report Script Design</title><link>https://blog.zacharyloeber.com/blog/2014/10/09/powershell-system-report-script-design/</link><pubDate>Thu, 09 Oct 2014 21:29:24 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2014/10/09/powershell-system-report-script-design/</guid><description>&lt;p>In this post I go back and explain some of my reasoning behind decisions I made in the design of an already released script, &lt;a href="https://gallery.technet.microsoft.com/Excel-and-HTML-Asset-0ffbf569">Get-AssetReport&lt;/a>. This was written over a year ago and forgotten about as one of the many unpublished drafts on my blog. The code behind the script I discuss has been upgraded and used in several of my more popular scripts (&lt;a href="https://gallery.technet.microsoft.com/Active-Directory-Audit-7754a877">AD Asset Report&lt;/a>, &lt;a href="https://gallery.technet.microsoft.com/Big-IP-F5-LTM-Load-3fc9a2af">F5 LTM Report&lt;/a>, and &lt;a href="https://gallery.technet.microsoft.com/Lync-2013-Mirrored-SQL-132c2f06">Lync 2013 Status Report&lt;/a>). Some of this content is slightly dated as I’ve since changed some of the coding but the core concepts are the same. Those digging through my crazy work or learning powershell may get some value from this content so I tidied it up a bit and here it is. Cheers!&lt;/p></description></item><item><title>Update: Get-CalendarPermission</title><link>https://blog.zacharyloeber.com/blog/2014/09/24/update-get-calendarpermission/</link><pubDate>Wed, 24 Sep 2014 17:43:07 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2014/09/24/update-get-calendarpermission/</guid><description>&lt;p>Going through older code is a bit like looking through an old yearbook or photo album. 
If the pictures within are old enough you usually end up laughing at how little you recognize yourself and maybe even marvel a bit at how far you have come. This old function I wrote isn’t the worst of my code but I was still able to update it for measurable improvements.&lt;/p></description></item><item><title>Exchange: Receive Connector Tango! – Part 2</title><link>https://blog.zacharyloeber.com/blog/2014/08/23/exchange-receive-connector-tango-part-2/</link><pubDate>Sat, 23 Aug 2014 21:20:31 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2014/08/23/exchange-receive-connector-tango-part-2/</guid><description>&lt;p>&lt;a href="https://blog.zacharyloeber.com/2014/07/06/exchange-receive-connector-tango-part-1/">In part 1 of this series&lt;/a> I discussed some basic knowledge requirements to get a better grip on receive connectors in Exchange. I continue that conversation with some examples of improperly configured connectors and the issues they may cause. I finish up the discussion with a script you can use to scan your environment for such configurations.&lt;/p></description></item><item><title>Exchange: Receive Connector Tango! – Part 1</title><link>https://blog.zacharyloeber.com/blog/2014/07/06/exchange-receive-connector-tango-part-1/</link><pubDate>Mon, 07 Jul 2014 03:25:13 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2014/07/06/exchange-receive-connector-tango-part-1/</guid><description>&lt;p>Exchange receive connectors are often configured incorrectly or worse, insecurely. 
This is the first of a two part series about Exchange receive connectors and what to look out for when setting them up.&lt;/p></description></item><item><title>Gather Remote Event Logs With Powershell</title><link>https://blog.zacharyloeber.com/blog/2013/10/16/gather-remote-event-logs-with-powershell/</link><pubDate>Wed, 16 Oct 2013 17:01:13 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2013/10/16/gather-remote-event-logs-with-powershell/</guid><description>&lt;h3 id="about">About&lt;/h3>
&lt;p>Gather the remote event log information for one or more systems using wmi, alternate credentials, and multiple runspaces. Function supports custom timeout parameters in case of wmi problems and returns Event Log information for the specified number of past hours. You can view verbose information on each runspace thread in realtime with the -Verbose option.&lt;/p>
&lt;h3 id="version-history">&lt;strong>Version History&lt;/strong>&lt;/h3>
&lt;p>&lt;strong>1.0.0 – 10/16/2013&lt;/strong>&lt;/p>
&lt;ul>
&lt;li>Initial release&lt;/li>
&lt;/ul>
&lt;h3 id="notes">Notes&lt;/h3>
&lt;p>By default 24 hours is what we filter against for the results. I’m retroactively releasing this function individually from the new-assetreport project I’ve released a little while ago.&lt;/p></description></item><item><title>Gather Remote Command Results With Powershell</title><link>https://blog.zacharyloeber.com/blog/2013/09/19/gather-remote-command-results-with-powershell/</link><pubDate>Thu, 19 Sep 2013 16:22:41 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2013/09/19/gather-remote-command-results-with-powershell/</guid><description>&lt;p>Send a remote command using wmi, alternate credentials, and multiple runspaces then retrieve the results serially using mapped secure channels to the remote host. The remote command execution function supports custom timeout parameters in case of wmi problems and returns the remote tmp file information containing the command results. You can view verbose information on each runspace thread in realtime with the -Verbose option.&lt;/p></description></item><item><title>Gather Local Group Membership With Powershell</title><link>https://blog.zacharyloeber.com/blog/2013/09/11/gather-local-group-membership-with-powershell/</link><pubDate>Wed, 11 Sep 2013 14:11:52 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2013/09/11/gather-local-group-membership-with-powershell/</guid><description>&lt;p>Gather system local groups and their members for one or more systems using wmi, alternate credentials, and multiple runspaces. Function supports custom timeout parameters in case of wmi problems, a switch for inclusion of empty groups in the results, and returns group names with their members. You can view verbose information on each runspace thread in realtime with the -Verbose option.&lt;/p>
&lt;h3 id="version-history">&lt;strong>Version History&lt;/strong>&lt;/h3>
&lt;p>&lt;strong>1.0.0 – 09/11/2013&lt;/strong>&lt;/p>
&lt;ul>
&lt;li>Initial release&lt;/li>
&lt;/ul>
&lt;h3 id="notes">Notes&lt;/h3>
&lt;p>None, this is an independent release of a function I’ve recently included in a larger project.&lt;/p></description></item><item><title>Excel and HTML Asset Reports With Powershell</title><link>https://blog.zacharyloeber.com/blog/2013/09/08/excel-and-html-asset-reports-with-powershell/</link><pubDate>Sun, 08 Sep 2013 05:07:29 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2013/09/08/excel-and-html-asset-reports-with-powershell/</guid><description>&lt;p>This set of powershell functions collates and generates reports upon system information it gathers. Information gathered includes hardware health, system information, networking information and much much more. Multiple types of html reports can be generated and all data can be exported directly to an excel workbook, saved as individual reports, and emailed.&lt;/p></description></item><item><title>Gather Applied GPOs from Remote Systems With Powershell</title><link>https://blog.zacharyloeber.com/blog/2013/09/03/gather-applied-gpos-from-remote-systems-with-powershell/</link><pubDate>Wed, 04 Sep 2013 04:16:09 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2013/09/03/gather-applied-gpos-from-remote-systems-with-powershell/</guid><description>&lt;p>Gather the applied GPO information for one or more systems using wmi, alternate credentials, and multiple runspaces. Function supports custom timeout parameters in case of wmi problems and returns GPO name, applied order, source, no override settings, and more. 
You can view verbose information on each runspace thread in realtime with the -Verbose option.&lt;/p></description></item><item><title>Multithreaded System Asset Gathering with Powershell</title><link>https://blog.zacharyloeber.com/blog/2013/08/05/multithreaded-system-asset-gathering-with-powershell/</link><pubDate>Mon, 05 Aug 2013 17:35:31 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2013/08/05/multithreaded-system-asset-gathering-with-powershell/</guid><description>&lt;p>This function gathers a plethora of useful system information via WMI and multithreading with powershell.&lt;/p></description></item><item><title>Use Powershell to Create a Windows Service Dependency Diagrams</title><link>https://blog.zacharyloeber.com/blog/2013/06/17/use-powershell-to-create-a-windows-service-dependency-diagrams/</link><pubDate>Mon, 17 Jun 2013 15:32:42 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2013/06/17/use-powershell-to-create-a-windows-service-dependency-diagrams/</guid><description>&lt;p>I use powershell with graphviz to generate color coded service dependency diagrams for windows services. Besides creating useful and beautiful diagrams for your environment, this will also provide some interesting functions for gathering remote service information with alternate credentials.&lt;/p></description></item><item><title>Exchange 2010 Mailbox Audit Report Script</title><link>https://blog.zacharyloeber.com/blog/2013/05/09/exchange-2010-mailbox-audit-report-script/</link><pubDate>Fri, 10 May 2013 02:33:54 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2013/05/09/exchange-2010-mailbox-audit-report-script/</guid><description>&lt;h1 id="exchange-2010-mailbox-audit-report-script">Exchange 2010 Mailbox Audit Report Script&lt;/h1>
&lt;p>Recently I’ve released a number of scripts such as the &lt;a href="http://gallery.technet.microsoft.com/Colorize-HTML-Table-Cells-2ea63acd">HTML Table Colorizer&lt;/a>, &lt;a href="http://gallery.technet.microsoft.com/Get-Exchange-Calendar-5bb4f527">Exchange Mailbox Calendar Permission Function&lt;/a>, and the &lt;a href="http://gallery.technet.microsoft.com/Exchange-Mailbox-GUI-5b204590">Exchange Mailbox GUI&lt;/a>. These were all actually created specifically as support scripts for a report generation powershell tool I’ve been working on, the Exchange Mailbox Auditing Tool.&lt;/p></description></item><item><title>Exchange: Mailbox GUI</title><link>https://blog.zacharyloeber.com/blog/2013/04/07/exchange-mailbox-gui/</link><pubDate>Mon, 08 Apr 2013 01:10:21 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2013/04/07/exchange-mailbox-gui/</guid><description>&lt;h1 id="exchange-2010-mailbox-gui">Exchange 2010 Mailbox GUI&lt;/h1>
&lt;p>A powershell GUI for selecting and performing actions against multiple Exchange mailboxes.&lt;/p></description></item><item><title>Exchange 2010: Automated Firewall Rule Generation 1.5</title><link>https://blog.zacharyloeber.com/blog/2012/08/11/exchange-2010-automated-firewall-rule-generation-1-5/</link><pubDate>Sat, 11 Aug 2012 10:17:15 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2012/08/11/exchange-2010-automated-firewall-rule-generation-1-5/</guid><description>&lt;p>Just some aesthetic changes for upload to the Microsoft scripting repository. Biggest addition is the ability to run the script without parameters (just upgrade the included environment csv to your liking and run the script). Other big addition is the help section.&lt;/p>
&lt;p>&lt;a href="https://blog.zacharyloeber.com/wp-content/uploads/2012/08/GenerateExchangeFirewallRequirements_1-5.zip">GenerateExchangeFirewallRequirements_1-5&lt;/a>&lt;/p>
&lt;p>or&lt;/p>
&lt;p>&lt;a href="http://gallery.technet.microsoft.com/scriptcenter/Generate-Exchange-2010-5fa2344d">At the Microsoft Script Repository&lt;/a>&lt;/p></description></item><item><title>Create Your Own Network Assessment Appliance</title><link>https://blog.zacharyloeber.com/blog/2012/04/08/create-your-own-network-assessment-appliance/</link><pubDate>Mon, 09 Apr 2012 00:49:19 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2012/04/08/create-your-own-network-assessment-appliance/</guid><description>&lt;p>In this write-up I set up several network assessment tools which can be used in the discovery process of a new environment. This can be useful for a newly hired sysadmin or a consultant in rapidly gathering information to assess the health and/or state of a network.&lt;/p>
&lt;h2 id="introduction">Introduction&lt;/h2>
&lt;p>I often find myself assessing a foreign network infrastructure for performance or other issues. Depending on the size of the environment, digesting everything can be daunting without the help of some third party tools. I’ve been using a custom Linux VM on my workstation that has all kinds of tools specifically for gathering information about a network’s performance, layout, and statistics. I’ve decided to retool the VM I currently use and take better notes on what I install so others may do the same if they so desire.&lt;/p></description></item><item><title>Active Directory: Essential Tools</title><link>https://blog.zacharyloeber.com/blog/2011/08/11/active-directory-essential-tools/</link><pubDate>Thu, 11 Aug 2011 18:35:00 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2011/08/11/active-directory-essential-tools/</guid><description>&lt;p>During my many years of working with active directory I’ve used several tools. Here are some of the best that I’ve used which are not baked into windows. Good thing about this list is that most of these tools are free! Another bonus is that most of the information gathering tools don’t require elevated rights as, by default, domain users have read-only access to active directory.&lt;/p>
</description></item><item><title>Exchange 2010: Network Communication Table</title><link>https://blog.zacharyloeber.com/blog/2011/07/30/exchange-2010-network-communication-table/</link><pubDate>Sat, 30 Jul 2011 17:06:36 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2011/07/30/exchange-2010-network-communication-table/</guid><description>&lt;p>I figured I’d post the massive table of firewall rules I compiled for my Exchange 2010 firewall generation script. It has both the source and destination roles for many aspects of an Exchange environment. Where there are ???’s is where I’m simply not certain (mainly around encryption between certain roles). If anyone spots any mistakes or omissions please let me know and I’ll update it accordingly.&lt;/p>
&lt;p>&lt;a title="Exchange 2010 Network Communication Table By Role" href="https://blog.zacharyloeber.com/wp-content/uploads/2011/07/FirewallRules.html" target="_blank">Exchange 2010 Network Communication Table By Role&lt;/a>&lt;/p></description></item><item><title>Exchange 2010: Automated Firewall Rule Generation 1.4</title><link>https://blog.zacharyloeber.com/blog/2011/07/29/exchange-2010-automated-firewall-rule-generation-1-4/</link><pubDate>Fri, 29 Jul 2011 15:28:07 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2011/07/29/exchange-2010-automated-firewall-rule-generation-1-4/</guid><description>&lt;p>I made some updates to the automated firewall rule generation script. This includes some updates to the firewall rule spreadsheet to give information on setting static ports and port ranges for RPC based services. This csv file may be a good general reference even without the script.&lt;/p></description></item><item><title>Exchange 2010: Automated Firewall Rule Generation 1.2</title><link>https://blog.zacharyloeber.com/blog/2011/07/20/exchange-2010-automated-firewall-rule-generation-1-2/</link><pubDate>Wed, 20 Jul 2011 16:35:08 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2011/07/20/exchange-2010-automated-firewall-rule-generation-1-2/</guid><description>&lt;p>I made a few changes to this script to make it more modular and to allow for more exceptions in regards to DAGs and sites. Enjoy!&lt;/p>
&lt;p>&lt;a href="https://blog.zacharyloeber.com/wp-content/uploads/2011/07/ExchangeFirewallRequestGenerator1_2.zip" title="Exchange 2010: Automated Firewall Rule Generation">Exchange 2010 Firewall Rule Generation Script&lt;/a>&lt;/p></description></item><item><title>Exchange 2010: Certificate Install Script</title><link>https://blog.zacharyloeber.com/blog/2011/06/30/exchange-2010-certificate-install-script/</link><pubDate>Thu, 30 Jun 2011 15:39:27 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2011/06/30/exchange-2010-certificate-install-script/</guid><description>&lt;p>Many of the cert providers require that you install both an intermediary and a root trusted cert on the servers which you are configuring your newly requested Unified Communications certificate on. If you are doing an Exchange migration including several ISA/TMG/Exchange (2003 and 2010) servers this can be a tedious process. Here is the quick way to install all three certificates once they are on the server.&lt;/p></description></item><item><title>Exchange 2010: Automated Firewall Rule Generation</title><link>https://blog.zacharyloeber.com/blog/2011/06/24/exchange-2010-automated-firewall-rule-generation/</link><pubDate>Fri, 24 Jun 2011 16:40:50 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2011/06/24/exchange-2010-automated-firewall-rule-generation/</guid><description>&lt;p>A single, or even a dual site Exchange 2010 deployment does not usually require too much internal firewall manipulation. But if you have to set up an Exchange 2010 environment where there are many global sites or a heavily segmented network, the number of firewall requests required to get a fully functioning configuration working can be daunting. 
Wouldn’t it be nice to have some of those firewall rules automatically generated for you?&lt;/p></description></item><item><title>Exchange 2010: Protect VIP Mailboxes with Exclusive Scopes</title><link>https://blog.zacharyloeber.com/blog/2011/05/04/exchange-2010-protect-vip-mailboxes-with-exclusive-scopes/</link><pubDate>Wed, 04 May 2011 21:26:37 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2011/05/04/exchange-2010-protect-vip-mailboxes-with-exclusive-scopes/</guid><description>
&lt;p>Prior to starting my new job I wanted to ensure that my previous employer was able to protect VIP mailboxes in their Exchange 2010 SP1 organization. I had to do this with exclusive scopes and these are the steps I had to follow. A general knowledge of role based security is assumed in this post.&lt;/p></description></item><item><title>OCS 2007 R2: CRL Issue Causing Address Book Download Error</title><link>https://blog.zacharyloeber.com/blog/2011/03/31/ocs-2007-r2-crl-issue-causing-address-book-download-error/</link><pubDate>Thu, 31 Mar 2011 15:21:09 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2011/03/31/ocs-2007-r2-crl-issue-causing-address-book-download-error/</guid><description>&lt;p>I ran into this issue recently. End users experienced a red splat in communicator exhibiting that there was an issue syncing the corporate address book. I found &lt;a title="OCS 2007 R2 CRL Issue" href="http://blog.danovich.com.au/2009/11/04/office-communicator-error-cannot-synchronize-address-book/" target="_blank">this excellent article&lt;/a> explaining how an invalid Certificate Revocation List error may be causing this issue. My issue was slightly similar in nature but with some caveats.&lt;/p></description></item><item><title>Windows: 2003 to 2008 R2 RADIUS Migration</title><link>https://blog.zacharyloeber.com/blog/2011/03/17/windows-2003-to-2008-r2-radius-migration/</link><pubDate>Thu, 17 Mar 2011 12:58:12 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2011/03/17/windows-2003-to-2008-r2-radius-migration/</guid><description>&lt;p>I found myself doing yet another Windows 2003 IAS Radius server migration to 2008 R2 NPS. 
I found that I had my prior notes and was able to do this quickly but, hell, if I’m looking this up in my own notes I may as well just post this succinct little procedure.&lt;/p></description></item><item><title>Active Directory: Role Based Access Modeling</title><link>https://blog.zacharyloeber.com/blog/2011/02/21/active-directory-role-based-access-modeling/</link><pubDate>Tue, 22 Feb 2011 04:22:28 +0000</pubDate><guid>https://blog.zacharyloeber.com/blog/2011/02/21/active-directory-role-based-access-modeling/</guid><description>&lt;p>Much of my time is spent delving into the minutia of a particular technology to resolve issues or improve department processes. But sometimes understanding and implementing a technology is not the best “fix” for an issue. Sometimes it is a mindset or a model that needs to change. I came up with this security grouping model to address some of the pains of managing permissions across large groups of systems in our environment. Ok, I modified a long standing Microsoft recommendation of &lt;a href="http://en.wikipedia.org/wiki/AGDLP">AGDLP (an abbreviation of “account, global, domain local, permission”)&lt;/a> to meet our needs. Regardless here is a quick rundown of this security group model I devised if anyone is interested.&lt;/p></description></item></channel></rss>