Creating Custom DLP Classification Rules and Policy


When I first looked into this, the TechNet documentation was extensive yet not as specific as I would have liked, so here is the quick and dirty guide to DLP classification!

Creating and importing custom Classifications

  1. First you need to create your custom policy XML (example below)
  2. Save it as an XML file with Unicode encoding (e.g. C:\MyNewPolicy.xml)
  3. Open the XML in Internet Explorer; if it's formatted correctly you will see the XML tree rather than a parse error
  4. Then import it with PowerShell:
    New-ClassificationRuleCollection -FileData ([Byte[]]$(Get-Content -Path C:\MyNewPolicy.xml -Encoding Byte -ReadCount 0))
  5. Once it's imported you should be able to create a new DLP policy using the EAC

Creating a custom DLP Rule

  1. Log in to the EAC (e.g. https://mail.domain.com/ecp)
  2. Click Compliance Management, then Data loss prevention
  3. Click the + (New) icon, then New custom policy
  4. Name your policy and choose your mode (I like to test with Policy Tips), and click Save
  5. Select the policy and click the pencil (edit) icon to edit your new policy
  6. Select Rules on the left
  7. Click the + icon to create a new rule
  8. In the "Apply this rule if" field choose "The message contains sensitive information..."
  9. Click "Select sensitive information types..." (if applicable)
  10. Click the + icon to choose from the list
  11. You should now see your new classification (from the example below it would be Secure Product Codes \ DLP by Exchangemasters.info)


Example of a Rule Classification XML

<?xml version="1.0" encoding="utf-16"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="b4b4c60e-2ff7-47b2-a672-86e36cf608be">
    <Version major="1" minor="0" build="0" revision="0"/>
    <Publisher id="7ea13c35-0e58-472a-b864-5f2e717edec6"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>DLP by Exchangemasters.info</PublisherName>
        <Name>Secure Product Codes</Name>
        <Description>Secure Products</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <!-- Product Code: the regex is the identifying match; the keyword "Code" must appear within 300 characters of it -->
    <Entity id="acc59528-ff01-433e-aeee-13ca8aaee159" patternsProximity="300" recommendedConfidence="75">
      <Pattern confidenceLevel="75">
        <IdMatch idRef="Regex_Product_Code" />
        <Match idRef="Code" />
      </Pattern>
    </Entity>
    <Regex id="Regex_Product_Code">[A-Z]{3}[0-9]{9}</Regex>
    <Keyword id="Code">
      <Group matchStyle="word">
        <Term>Code</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="acc59528-ff01-433e-aeee-13ca8aaee159">
        <Name default="true" langcode="en-us">Product Code</Name>
        <Description default="true" langcode="en-us">A custom classification for detecting product codes that have 3 uppercase letters and 9 numbers</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
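Before importing a package it is worth checking that every idRef resolves and that the regex/keyword/proximity combination fires on the messages you expect. The following is an added example, not code from the post: it parses a constructed copy of the rule package above (LocalizedStrings omitted) and applies a simplified model of how Exchange evaluates a Pattern, which is an assumption about the engine, not its documented algorithm.

```python
import re
import xml.etree.ElementTree as ET

MCE = "{http://schemas.microsoft.com/office/2011/mce}"

# Constructed copy of the page's rule package (LocalizedStrings left out for brevity); no XML
# declaration because it is parsed from a str. The file imported into Exchange is still saved as Unicode.
RULE_PACKAGE = """<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="b4b4c60e-2ff7-47b2-a672-86e36cf608be">
    <Version major="1" minor="0" build="0" revision="0"/><Publisher id="7ea13c35-0e58-472a-b864-5f2e717edec6"/>
    <Details defaultLangCode="en-us"><LocalizedDetails langcode="en-us"><PublisherName>DLP by Exchangemasters.info</PublisherName>
      <Name>Secure Product Codes</Name><Description>Secure Products</Description></LocalizedDetails></Details>
  </RulePack>
  <Rules>
    <Entity id="acc59528-ff01-433e-aeee-13ca8aaee159" patternsProximity="300" recommendedConfidence="75">
      <Pattern confidenceLevel="75"><IdMatch idRef="Regex_Product_Code"/><Match idRef="Code"/></Pattern>
    </Entity>
    <Regex id="Regex_Product_Code">[A-Z]{3}[0-9]{9}</Regex>
    <Keyword id="Code"><Group matchStyle="word"><Term>Code</Term></Group></Keyword>
  </Rules>
</RulePackage>"""

def load_rules(xml_text):
    """Parse the package and resolve every idRef; an unresolved idRef breaks the import."""
    root = ET.fromstring(xml_text)
    regexes = {r.get("id"): re.compile(r.text.strip()) for r in root.iter(MCE + "Regex")}
    keywords = {k.get("id"): [t.text.strip() for t in k.iter(MCE + "Term")]
                for k in root.iter(MCE + "Keyword")}
    entities, unresolved = [], []
    for ent in root.iter(MCE + "Entity"):
        for pat in ent.iter(MCE + "Pattern"):
            refs = [pat.find(MCE + "IdMatch").get("idRef")]
            refs += [m.get("idRef") for m in pat.findall(MCE + "Match")]
            unresolved += [r for r in refs if r not in regexes and r not in keywords]
            entities.append({"id": ent.get("id"), "idmatch": refs[0], "matches": refs[1:],
                             "proximity": int(ent.get("patternsProximity")),
                             "confidence": int(pat.get("confidenceLevel"))})
    return {"regexes": regexes, "keywords": keywords, "entities": entities, "unresolved": unresolved}

def _evidence(ref, window, rules):
    if ref in rules["regexes"]:
        return rules["regexes"][ref].search(window) is not None
    # matchStyle="word": whole-word match; case-insensitive, which is the Term default
    return any(re.search(r"\b%s\b" % re.escape(t), window, re.I) for t in rules["keywords"][ref])

def classify(text, rules):
    """An IdMatch hit counts only if every Match is found within patternsProximity chars of it."""
    hits = []
    for ent in rules["entities"]:
        for m in rules["regexes"][ent["idmatch"]].finditer(text):
            window = text[max(0, m.start() - ent["proximity"]): m.end() + ent["proximity"]]
            if all(_evidence(ref, window, rules) for ref in ent["matches"]):
                hits.append((ent["id"], m.group(0), ent["confidence"]))
    return hits
```

A product code with no "Code" keyword within 300 characters produces no hit, which is exactly the false-positive control the Match element gives you.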

Checking for Open Relay in Exchange 2007/2010


Scenario:

So this is a fairly common scenario & I figured I'd post an easy method to diagnose the issue. Customers will often suspect that they're an open relay due to being placed on a blacklist or having issues sending email to certain domains. There's some general confusion as to what constitutes an Open Relay & even the difference between a Relay & a Submit action in SMTP terminology. Hopefully this can clear some of the confusion.

Background:

Submit = Submitting an email message to an SMTP server that is destined for a domain that exists on that server (or in that server’s environment). You’re sending it to an address that the server is authoritative for.

Relay = Submitting an email message to an SMTP server that is destined for a domain that exists in another messaging environment. You’re sending to an address that the server is not authoritative for.

So there’s nothing inherently wrong with relaying. It’s what happens if you use your Hotmail account to send an email to someone’s Gmail account. It happens every time you email someone outside of your own messaging system. The key detail is whether or not you have authenticated to the SMTP server beforehand. So when you’re using Hotmail or Exchange via Outlook/OWA then you have obviously authenticated either via an Authentication Prompt, OWA Form, or using NTLM.

So this typically comes up when a customer needs to have an application, network printer, or other device be able to send emails through Exchange (or any internal SMTP server).

So the important thing to point out here is that as long as the application/device only needs to be able to send to addresses that your SMTP server is authoritative for then it is a Submit action & not a Relay action. This just means you only need it to be able to hit a Receive Connector that allows Anonymous Submit; which is how most of the world’s SMTP servers are configured to accept email from the Internet.

However, if your application/device needs to be able to send to an address not under the authority of the local SMTP server then it will be performing an SMTP Relay action & will require additional configuration.

The recommended approach is to have the Application/Device authenticate to your SMTP server if it supports it. Alternatively, you can configure the Receive Connector (Exchange) to allow Anonymous Relaying from that Application/Device’s IP address.

For instructions please see this Microsoft Post.

http://blogs.technet.com/b/exchange/archive/2006/12/28/3397620.aspx

This is a very common issue amongst customers because they may not be familiar with how to configure this. However, unfortunately I will often see customers make an even worse mistake; allowing Anonymous Relaying from an entire range of IP Addresses or possibly the entire Internet. It won’t take long for Internet folks with malicious intent to figure this out & start using your server to SPAM whoever they wish. This typically results in your Exchange Server’s sending IP being placed on various Blacklists which can prevent you from sending to certain email domains.

Resolution:

It is ALWAYS recommended to create a separate Receive Connector for this purpose. In fact I tell customers to never mess with the Default Receive Connectors if they can get away with it. But what will ultimately happen is the customer will use the steps in the Microsoft article above to enable Anonymous Relaying on their Default Receive Connector instead, which they’re probably also using as their Internet ingress point. The problem with this is that the Remote IP range of that connector is 0.0.0.0-255.255.255.255 out of the box; meaning the entire Internet.

Another thing the customer might do is create a new Receive Connector for Relaying but instead of just having 1 IP address in there (the IP of their Application Server or Network Device) they’ll add an entire range or more IPs than are needed. This can get pretty complicated to troubleshoot if you have many different Receive Connectors on many different Exchange Servers in the environment.

So I’m hoping people can use my explanation to help them configure this properly as well as troubleshoot any issues they may have. In addition to that, here’s a very useful command to use in Exchange Management Shell to list out all Receive Connectors in the environment that have the Anonymous Relay permission enabled. Use this to track these connectors down & then verify the RemoteIP Ranges are properly scoped/configured to be as secure as possible.

Get-ReceiveConnector | Get-ADPermission -User "NT Authority\Anonymous Logon" | Where-Object {$_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient"} | Format-List Identity,ExtendedRights
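The command lists the connectors; the second half of the job is checking how wide their RemoteIPRanges are. As an added example (not from the post), here is a Python audit over a constructed export of that data that flags anonymous-relay connectors scoped to more than a handful of hosts; the sample connectors, the dict layout and the 16-host threshold are assumptions.

```python
import ipaddress

# Constructed sample shaped like an export of Get-ReceiveConnector (Identity, RemoteIPRanges)
# joined with the Get-ADPermission check above: AnonymousRelay is True when
# "NT Authority\Anonymous Logon" holds ms-Exch-SMTP-Accept-Any-Recipient on the connector.
CONNECTORS = [
    {"Identity": "EX01\\Default EX01", "RemoteIPRanges": ["0.0.0.0-255.255.255.255"], "AnonymousRelay": True},
    {"Identity": "EX01\\Relay Printers", "RemoteIPRanges": ["10.1.5.20", "10.1.5.21"], "AnonymousRelay": True},
    {"Identity": "EX01\\Relay App", "RemoteIPRanges": ["10.0.0.0/8"], "AnonymousRelay": True},
    {"Identity": "EX02\\Default EX02", "RemoteIPRanges": ["0.0.0.0-255.255.255.255"], "AnonymousRelay": False},
]

# Assumption: an anonymous-relay connector should list only the few application/device
# hosts that need it; anything above this many addresses is worth a second look.
MAX_RELAY_HOSTS = 16
ALL_IPV4 = 2 ** 32


def range_size(entry):
    """Addresses covered by one RemoteIPRanges entry: a single host, a CIDR block or a lo-hi range."""
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return int(hi) - int(lo) + 1
    return ipaddress.ip_network(entry, strict=False).num_addresses


def audit(connectors, max_hosts=MAX_RELAY_HOSTS):
    """Return (identity, host_count, reason) for each anonymous-relay connector scoped wider
    than max_hosts. Connectors without the relay right are not a relay risk and are skipped."""
    findings = []
    for c in connectors:
        if not c["AnonymousRelay"]:
            continue
        total = sum(range_size(r) for r in c["RemoteIPRanges"])
        if total >= ALL_IPV4:
            findings.append((c["Identity"], total, "anonymous relay from the entire Internet"))
        elif total > max_hosts:
            findings.append((c["Identity"], total, "anonymous relay from %d addresses" % total))
    return findings


if __name__ == "__main__":
    for identity, total, reason in audit(CONNECTORS):
        print("%-22s %s - re-scope RemoteIPRanges to the application/device IPs only" % (identity, reason))
```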

Exchange 2010 Powershell Lab Tools


Recently a good friend of mine pointed out some great tools that Mike Pfeiffer posted and I have to say they are pretty awesome and I would recommend checking them out.

Populating Exchange Labs with Mailboxes using PowerShell

Provision Exchange Mailboxes from CSV using PowerShell Advanced Functions

Generating Test Email Data for Exchange Labs with PowerShell

Can’t run Tracking Log Explorer : Access Denied



Issue: The user is a standard user (not a domain admin); his RBAC permissions allow him to do message tracking but he is not an Organization Admin.

  • Running with Exchange PowerShell (get-messagetrackinglog): works
  • Running with ECP: works
  • Running with Tracking Log Explorer : Broken

"Failed to connect to the Microsoft Exchange Transport Log Search service on computer 'Exchange_Servername'. Verify that a valid computer name was used and the Microsoft Exchange Transport Log Search service is started on the target computer. The error message is: Access is denied."


Reason: EXTra.exe is what runs Tracking Log Explorer, and it doesn't use remote PowerShell; therefore your permissions are based on your AD login permissions, not RBAC.

Solutions:

    1. Add the users to the “Exchange View-Only Administrators” (2007) or “Public Folder Management” (2010 Green Field) AD Group to be able to use the GUI.
    2. Use Exchange PowerShell or ECP to pull the tracking logs.

Thanks to Andrew and Ron for Figuring this out!

Note: Walkthrough on setting up ECP\ EMS Message tracking access

Getting Lync PowerShell to use RBAC


You may find that some things work in the Lync GUI but fail in PowerShell with Access Denied. The reason is that RBAC only applies to remote PowerShell; local PowerShell uses the AD permissions, not RBAC.

To resolve this you can login to PowerShell using the following script: (Copy the contents to a file and name it Connect-Lync.ps1)

# Prompt for the credentials of the account whose RBAC role should apply
$userCredential = Get-Credential
# Skip certificate validation so a self-signed certificate on localhost is accepted
$pso = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
# Connect to the Lync remote PowerShell endpoint; RBAC is enforced on this remote session
$session = New-PSSession -ConnectionUri https://localhost/ocspowershell -Credential $userCredential -SessionOption $pso
Import-PSSession $session

Notes:
  1. This script ignores the certificate (so it will work if you're using a self-signed cert).
  2. You may need to modify the execution policy to run this unsigned script in PowerShell: "Set-ExecutionPolicy RemoteSigned".

References:

http://technet.microsoft.com/en-us/library/gg399050.aspx
"Note that RBAC applies only to remote management. If you are logged on to a computer running Lync Server 2010 and you open Lync Server Management Shell, RBAC roles will not be enforced. Instead, security is enforced primarily through the security groups RTCUniversalServerAdmins; RTCUniversalUserAdmins; and RTCUniversalReadOnlyAdmins."

Configure your target URL for OWA redirect when migrating users to the cloud



When you migrate a user to Office 365 you want OWA users to get a simple redirect to Office 365 instead of an error page.

You also want to give your users an easy OWA URL rather than http://outlook.com/owa/mysupercooldomain.com

The solution is 2 steps:

  1. Create a CNAME record that points to outlook.com (i.e. OWA.mysupercooldomain.com = outlook.com)
  2. Add that record to your organization relationship (the identity is the name of your existing Office 365 organization relationship):
    Set-OrganizationRelationship -Identity "<your organization relationship>" -TargetOwaURL http://owa.mysupercooldomain.com/owa
  3. Give OWA.mysupercooldomain.com to your users as their new OWA page

Note: the domain you create the CNAME in must be one of your federated or accepted domains in office 365 for realm discovery to work.

Problem with Exchange MMC Snap-in after April 11\2011 updates.



We have seen a recent rash of issues with the Exchange MMC after the April 11 updates; this is due to a .NET change in the latest updates.

This issue is very specific to a system with:

  • .NET Framework 3.5 Service Pack 1
  • .NET Framework 2.0 Service Pack 2
  • Windows Vista Service Pack 2 or Windows Server 2008 Service Pack 2
  • the April 11 Windows updates (specifically 2449742 or 2446709)

This problem occurs when the broken version of hotfix 979744 is installed on your computer and security update 2449742 or 2446709 (part of security bulletin MS11-028) is then installed; in the affected environments that combination generates the issues described in the "Symptoms" section.

You can apply the fix here to resolve http://support.microsoft.com/kb/2449742

Here is the KB that explains the issue http://support.microsoft.com/kb/2540222

Configure Send email to Sharepoint on SBS 2011


Update for RTM (thanks Glenn!)

Note this works for the public beta and is subject to change

This assumes that your domain is domain.com and WSF is the sub-domain dedicated to SharePoint; every environment-specific value shown (domain, server names, paths and account) is one you need to replace with your own.

· Configure Address Space in Exchange

New-AcceptedDomain -DomainName WSF.Domain.com -DomainType ExternalRelay -Name WSF.Domain.com

· Configure Foreign Connector with drop folder

From PowerShell:

  • mkdir "C:\Drop Directory\WSF"
  • CACLS "C:\Drop Directory\WSF" /e /p administrator:f "$env:USERDOMAIN\jedidiah_hammond:f" "network service:f"
  • New-ForeignConnector -Name "WSF Connector" -AddressSpaces "smtp:WSF.domain.com" -SourceTransportServers "Hub01","Hub02"
  • Set-TransportServer Hub01 -RootDropDirectoryPath "C:\Drop Directory"
  • Set-ForeignConnector "WSF Connector" -DropDirectory "WSF"

· Configure WSF to use drop folder

  • Start –> All Programs –> Microsoft SharePoint 2010 Products –> SharePoint 2010 Central Administration
  • System Settings –> Configure incoming e-mail Settings
  • Enable Sites on this server to receive e-mail = yes
  • E-Mail server display address = WSF.domain.com
  • E-mail Drop Folder = “C:\Drop Directory\WSF”

· Mail enable a WSF document library

  • Browse to site ex: http://companyweb
  • Click on the Document Library you want to mail enable Ex: Shared Documents
  • Click Library in the Ribbon
  • Click Library Settings
  • Under Communications click “Incoming e-mail settings”
  • Click "Allow this document library to receive e-mail"
  • Fill out the Email address Field Ex: Docs@WSF.domain.com
  • Click Yes under “Save original email?”
  • Click OK to save

· Create contact for WSF document library

  • New-MailContact -ExternalEmailAddress "SMTP:Docs@WSF.domain.com" -Name Docs -Alias Docs -FirstName WSFFirst -LastName WSFLast

Problem after removing arbitration mailbox using ADSIEdit


If you removed the arbitration mailbox with ADSI Edit rather than via EMS (here's how to use EMS), you may get the following errors when trying to reinstall the Mailbox role.

Log Name: Application
Source: MSExchangeSetup
Event ID: 1002
Task Category: Microsoft Exchange Setup
Level: Error
Keywords: Classic
User: N/A

Exchange Server component Mailbox Role failed.
Error: Error:
The following error was generated when "$error.Clear();
if ($RoleIsDatacenter -ne $true)
{if (test-ExchangeServersWriteAccess -DomainController $RoleDomainController -ErrorAction SilentlyContinue)
{# upgrade the discovery mailboxes to R5 version, this will fix the RecipientDisplayType property of the discovery mailbox which was wrong in R4.
get-mailbox -RecipientTypeDetails DiscoveryMailbox -DomainController $RoleDomainController | where {$_.IsValid -eq $false} | set-mailbox -DomainController $RoleDomainController
$name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
$dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
$mbxs = @( get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1 );
if ( $mbxs.length -eq 0)
{$dbs = @(get-MailboxDatabase -Server:$RoleFqdnOrName -DomainController $RoleDomainController);
if($dbs.Length -ne 0)
{$mbxUser = @(get-user -Filter {name -eq $name} -IgnoreDefaultScope -ResultSize 1);
if ($mbxUser.Length -ne 0)
{enable-mailbox -Discovery -identity $mbxUser[0] -DisplayName $dispname -database $dbs[0].Identity;}}}}
else
{write-exchangesetuplog -info "Skipping creating Discovery Search Mailbox because of insufficient permission."} }

Active Directory operation failed on server.domain.local. This error is not retriable. Additional information: The name reference is invalid.
This may be caused by replication latency between Active Directory domain controllers.
Active directory response: 000020B5: AtrErr: DSID-03152392, #1:0: 000020B5: DSID-03152392, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 200f4 (homeMDB)

Normally this error indicates a problem contacting a DC, or the server not being in the "Exchange Servers" AD group; in this specific instance it is caused by the discovery mailbox missing its homeMDB and homeMTA attributes.

Here is how to manually add them back:

  1. Start –> Run –> ADSIEDIT.MSC (you should already know this, since you used it to remove the mailbox)
  2. Default Naming Context –> "DC=Domain, DC=Local" –> CN=Users –> CN=DiscoverySearchMailbox {}
  3. Right-click –> Properties
  4. Find homeMDB and homeMTA; these need to be populated with the DN of the server and of the database.

Also, to recreate the arbitration mailbox, use the New-Mailbox cmdlet with the -Arbitration parameter.

Configure Send email to Sharepoint on SBS 2011–Preview



Note this works for the public beta and is subject to change

This assumes that your domain is domain.com and WSF is the sub-domain dedicated to SharePoint; every environment-specific value shown (domain, server names, paths) is one you need to replace with your own.

· Configure Address Space in Exchange

New-AcceptedDomain -DomainName WSF.Domain.com -DomainType ExternalRelay -Name WSF.Domain.com

· Configure Foreign Connector with drop folder

  • mkdir "C:\Drop Directory\WSF"
  • New-ForeignConnector -Name "WSF Connector" -AddressSpaces "smtp:WSF.domain.com" -SourceTransportServers "Hub01","Hub02"
  • Set-TransportServer Hub01 -RootDropDirectoryPath "C:\Drop Directory"
  • Set-ForeignConnector "WSF Connector" -DropDirectory "WSF"

· Configure WSF to use drop folder

  • Start –> All Programs –> Microsoft SharePoint 2010 Products –> SharePoint 2010 Central Administration
  • System Settings –> Configure incoming e-mail Settings
  • Enable Sites on this server to receive e-mail = yes
  • E-Mail server display address = WSF.domain.com
  • E-mail Drop Folder = “C:\Drop Directory\WSF”

· Mail enable a WSF document library

  • Browse to site ex: http://companyweb
  • Click on the Document Library you want to mail enable Ex: Shared Documents
  • Click Library in the Ribbon
  • Click Library Settings
  • Under Communications click “Incoming e-mail settings”
  • Click "Allow this document library to receive e-mail"
  • Fill out the E-mail address field, e.g. "Docs@WSF.domain.com"

· Create contact for WSF document library

  • New-MailContact -ExternalEmailAddress "SMTP:Docs@WSF.domain.com" -Name Docs -Alias Docs -FirstName WSFFirst -LastName WSFLast