{"id":1910,"date":"2022-04-01T11:54:49","date_gmt":"2022-04-01T15:54:49","guid":{"rendered":"https:\/\/increasec.com\/?p=1910"},"modified":"2022-05-12T15:36:15","modified_gmt":"2022-05-12T19:36:15","slug":"exchange-onsite-removal","status":"publish","type":"post","link":"https:\/\/increasec.com\/?p=1910","title":{"rendered":"Exchange Onsite Removal"},"content":{"rendered":"\n<p>I encountered this while running PingCastle and cleaning up a domain.<\/p>\n\n\n\n<p>The company had on-premises (on-site) Exchange, then moved to Exchange Online in Microsoft 365. Uninstalling Exchange does not undo everything its setup put into Active Directory, and three of the leftovers are security findings.<\/p>\n\n\n\n<p>PingCastle reports the schema class <strong>msExchStorageGroup<\/strong> as vulnerable because its possible superiors (<strong>possSuperiors<\/strong>) include <strong>computer<\/strong>: an object of that class can be created as a child of a computer object, which is the weakness Microsoft closed with CVE-2021-34470. Exchange servers that still exist get the schema fix from a cumulative update; a domain that no longer has Exchange has to make the change by hand, as below.<\/p>\n\n\n\n<p>Log on with a user that is a member of Schema Admins. Remember they need to be added to the group before logging on: group SIDs go into the Kerberos ticket and the logon token at logon, so an account added while already logged on has to log off and back on. Schema changes are only written on the domain controller holding the Schema Master role ((Get-ADForest).SchemaMaster in PowerShell), so check the snap-in is focused on that DC. Take the account out of Schema Admins again when you are done.<\/p>\n\n\n\n<p>Run this super-secret command in PowerShell or cmd as Administrator; it registers the Schema snap-in, which does not appear in MMC until you do:<br><strong class=\"\">regsvr32.exe schmmgmt.dll<\/strong><\/p>\n\n\n\n<p>Now you can add a very dangerous snap-in to MMC: run mmc.exe, then File, Add\/Remove Snap-in, Active Directory Schema.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2018\/08\/Adding-schema-snap-in.png\" alt=\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2018\/08\/Adding-schema-snap-in.png\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"520\" src=\"https:\/\/increasec.com\/wp-content\/uploads\/2022\/03\/image-2-1024x520.png\" alt=\"\" class=\"wp-image-1912\" srcset=\"https:\/\/increasec.com\/wp-content\/uploads\/2022\/03\/image-2-1024x520.png 1024w, https:\/\/increasec.com\/wp-content\/uploads\/2022\/03\/image-2-300x152.png 300w, https:\/\/increasec.com\/wp-content\/uploads\/2022\/03\/image-2-768x390.png 768w, https:\/\/increasec.com\/wp-content\/uploads\/2022\/03\/image-2.png 1048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>You may need to make the change shown below first; if not, continue on to removing the possible superior.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"582\" height=\"233\" src=\"https:\/\/increasec.com\/wp-content\/uploads\/2022\/03\/image-3.png\" alt=\"\" class=\"wp-image-1914\" srcset=\"https:\/\/increasec.com\/wp-content\/uploads\/2022\/03\/image-3.png 582w, https:\/\/increasec.com\/wp-content\/uploads\/2022\/03\/image-3-300x120.png 300w\" sizes=\"auto, (max-width: 582px) 100vw, 582px\" \/><\/figure>\n\n\n\n<p>Removing the possible superior: under Classes, open the properties of msExchStorageGroup, go to the Relationship tab, select computer under Possible Superior and click Remove. The change replicates from the schema master to the other domain controllers; run PingCastle again afterwards to confirm the finding is gone.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"482\" height=\"517\" src=\"https:\/\/increasec.com\/wp-content\/uploads\/2022\/03\/image-5.png\" alt=\"\" class=\"wp-image-1917\" srcset=\"https:\/\/increasec.com\/wp-content\/uploads\/2022\/03\/image-5.png 482w, https:\/\/increasec.com\/wp-content\/uploads\/2022\/03\/image-5-280x300.png 280w\" sizes=\"auto, (max-width: 482px) 100vw, 482px\" \/><\/figure>\n\n\n\n<p>More info here: https:\/\/www.zubairalexander.com\/blog\/active-directory-schema-management\/<\/p>\n\n\n\n<p>Step 2, aka HA, you thought you were done but NOOOOO.<\/p>\n\n\n\n<p>User rights assigned in a GPO are a way to become an administrator without being a member of any admin group. Exchange setup grants rights to the Exchange Servers and Exchange Enterprise Servers groups on the domain controllers (usually Manage auditing and security log, in the Default Domain Controllers Policy), and uninstalling Exchange leaves them in place.<\/p>\n\n\n\n<p>Download a program called PingCastle and run it against your domain controller; just choose the defaults, and it creates an HTML report. Open the report and scroll all the way down to GPO, Privileges. Note there may be multiple pages.<br>You will see entries for DomainName\\Exchange Servers and DomainName\\Exchange Enterprise Servers.<\/p>\n\n\n\n<p>To change this you need to start up the Group Policy Management editor (gpmc.msc) on the policy PingCastle named, go to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies\/User Rights Assignment, and remove any entries referring to your mail server or the Exchange groups. Remember to take a screenshot, or back the policy up first with Backup-GPO, in case you delete something by accident: there is no UNDO button in Group Policy.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"311\" src=\"https:\/\/increasec.com\/wp-content\/uploads\/2022\/05\/image-1-1024x311.png\" alt=\"\" class=\"wp-image-1990\" srcset=\"https:\/\/increasec.com\/wp-content\/uploads\/2022\/05\/image-1-1024x311.png 1024w, https:\/\/increasec.com\/wp-content\/uploads\/2022\/05\/image-1-300x91.png 300w, https:\/\/increasec.com\/wp-content\/uploads\/2022\/05\/image-1-768x234.png 768w, https:\/\/increasec.com\/wp-content\/uploads\/2022\/05\/image-1.png 1161w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Step 3, aka WTF, more steps?!?!<\/p>\n\n\n\n<p>Check your published AD services. In Active Directory Sites and Services, turn on View, Show Services Node; the Services container from the Configuration partition then appears, and the Microsoft Exchange organization lives under it.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"577\" height=\"372\" src=\"https:\/\/increasec.com\/wp-content\/uploads\/2022\/05\/image-3.png\" alt=\"\" class=\"wp-image-1999\" srcset=\"https:\/\/increasec.com\/wp-content\/uploads\/2022\/05\/image-3.png 577w, https:\/\/increasec.com\/wp-content\/uploads\/2022\/05\/image-3-300x193.png 300w\" sizes=\"auto, (max-width: 577px) 100vw, 577px\" \/><figcaption>The Services node has to be turned on (View, Show Services Node) before it appears<\/figcaption><\/figure>\n\n\n\n<p>Now we can see there is an Exchange server still listed, with an Autodiscover service connection point (SCP) under it. Domain-joined Outlook clients look these SCPs up in Active Directory before falling back to DNS, so a stale one sends them to a server that no longer exists.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"584\" height=\"658\" src=\"https:\/\/increasec.com\/wp-content\/uploads\/2022\/05\/image-4.png\" alt=\"\" class=\"wp-image-2000\" srcset=\"https:\/\/increasec.com\/wp-content\/uploads\/2022\/05\/image-4.png 584w, https:\/\/increasec.com\/wp-content\/uploads\/2022\/05\/image-4-266x300.png 266w\" sizes=\"auto, (max-width: 584px) 100vw, 584px\" 
\/><\/figure>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I encountered this while running PingCastle and cleaning up domain Company had Exchange Onsite then moved to Exchange365 PingCastle reports vulnerable schema class msExchStorageGroup\/PossSuperiorComputer logon with a user that is&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[194],"class_list":["post-1910","post","type-post","status-publish","format-standard","hentry","category-uncategorised","tag-exchange"],"_links":{"self":[{"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/posts\/1910","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/increasec.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1910"}],"version-history":[{"count":8,"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/posts\/1910\/revisions"}],"predecessor-version":[{"id":2001,"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/posts\/1910\/revisions\/2001"}],"wp:attachment":[{"href":"https:\/\/increasec.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1910"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/increasec.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1910"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/increasec.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1910"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
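The three leftovers the post walks through (the msExchStorageGroup possible superior, user rights granted to the Exchange groups in a GPO, and the published Exchange server plus its Autodiscover SCP) can all be found from one PowerShell session instead of three consoles. This is an added example, not code from the original post, from Microsoft or from PingCastle. It assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined host; the function and parameter names are my own; the Exchange group names are the ones the post quotes; and the keyword GUID is the well-known one Exchange stamps on Autodiscover service connection points. The schema fix is done here with Set-ADObject against the schema master rather than the MMC snap-in the post uses, and it still needs a Schema Admins logon that started after the group membership was added.

```powershell
# Added example (not from the original post, and not Microsoft's or PingCastle's code).
# Assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined host. The -Fix
# switch only touches the schema (step 1) and therefore needs a Schema Admins logon that
# started AFTER the group membership was added. Function and parameter names are my own.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Well-known keyword that Exchange stamps on Autodiscover service connection points.
$AutodiscoverScpKeyword = '77378F46-2C66-4aa9-A6A6-3E7A48B19596'

function Find-ExchangeLeftovers {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Fix)

    $rootDse  = Get-ADRootDSE
    $findings = [System.Collections.Generic.List[object]]::new()

    # Step 1: the msExchStorageGroup class must not name 'computer' as a possible superior.
    $cls = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=msExchStorageGroup)' `
        -Properties possSuperiors, systemPossSuperiors
    if ($cls) {
        $superiors = @($cls.possSuperiors) + @($cls.systemPossSuperiors)
        if ($superiors -contains 'computer') {
            $findings.Add([pscustomobject]@{ Area = 'Schema'; Object = $cls.DistinguishedName
                                             Detail = 'computer is a possible superior of msExchStorageGroup' })
            # Schema writes are only accepted on the schema master. Only possSuperiors is
            # editable; systemPossSuperiors is system-owned, so a hit there is reported, not changed.
            if ($Fix -and ($cls.possSuperiors -contains 'computer')) {
                $schemaMaster = (Get-ADForest).SchemaMaster
                if ($PSCmdlet.ShouldProcess($cls.DistinguishedName, "remove 'computer' from possSuperiors on $schemaMaster")) {
                    Set-ADObject -Identity $cls.DistinguishedName -Remove @{ possSuperiors = 'computer' } -Server $schemaMaster
                }
            }
        }
    }

    # Step 2: user rights (Se*Privilege) that any GPO still grants to the Exchange groups.
    # Group Policy has no cmdlet for User Rights Assignment, so these are reported for gpmc.msc.
    foreach ($gpo in Get-GPO -All) {
        $report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
        foreach ($ura in $report.SelectNodes("//*[local-name()='UserRightsAssignment']")) {
            $right = $ura.SelectSingleNode("*[local-name()='Name']").InnerText
            foreach ($member in $ura.SelectNodes("*[local-name()='Member']")) {
                $name = $member.SelectSingleNode("*[local-name()='Name']").InnerText
                if ($name -match '\\Exchange (Enterprise )?Servers$') {
                    $findings.Add([pscustomobject]@{ Area = 'GPO'; Object = $gpo.DisplayName
                                                     Detail = "$right granted to $name" })
                }
            }
        }
    }

    # Step 3: Exchange server objects and Autodiscover SCPs left in the Configuration partition.
    # They are only reported; deleting them is a decision for whoever owns the Exchange org.
    $cfg = $rootDse.configurationNamingContext
    foreach ($srv in Get-ADObject -SearchBase $cfg -LDAPFilter '(objectClass=msExchExchangeServer)') {
        $findings.Add([pscustomobject]@{ Area = 'Services'; Object = $srv.DistinguishedName
                                         Detail = 'Exchange server object still published' })
    }
    $scpFilter = "(&(objectClass=serviceConnectionPoint)(keywords=$AutodiscoverScpKeyword))"
    foreach ($scp in Get-ADObject -SearchBase $cfg -LDAPFilter $scpFilter -Properties serviceBindingInformation) {
        $findings.Add([pscustomobject]@{ Area = 'Services'; Object = $scp.DistinguishedName
                                         Detail = "Autodiscover SCP -> $($scp.serviceBindingInformation)" })
    }
    return $findings
}

# Audit first; rerun with -Fix -WhatIf, then -Fix, once the schema finding is confirmed.
Find-ExchangeLeftovers | Format-Table -AutoSize
```

Run it once before touching anything and keep the output next to the PingCastle report; after the MMC or -Fix change, the Schema line should disappear, the GPO lines are what you edit under User Rights Assignment (with a Backup-GPO taken first), and the Services lines tell you which server object and SCP the Sites and Services console is showing you.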