Scanning Microsoft Exchange & Office 365

Introduction

All information and guides regarding Microsoft Exchange & Office 365 scanning shall be documented here.

Please note that scanning Microsoft Exchange via the MAPI protocol has been deprecated as of ER 2.0.17.
You must scan Microsoft Exchange mailboxes via Exchange Web Services (EWS).

Minimum requirements

  • Enterprise Recon v2.0.15 (2.0.16 for Office 365)
  • Microsoft Exchange 2007
  • Outlook 2007 (only required for MAPI)
  • Node Agents on Windows 7 and above (for workstations), Windows Server 2008 R2 and above (for servers)

 

Scanning on EWS

Setting up the Exchange account used for scanning

The user account used for scanning all mailboxes must have impersonation enabled.

You may use the following command in your Exchange Management Shell to enable impersonation:

New-ManagementRoleAssignment -Name <impersonationAssignmentName> -Role ApplicationImpersonation -User <serviceAccount>

Where <impersonationAssignmentName> is any name of your choice for the assignment and <serviceAccount> is the name of the account used for scanning.

Scanning Shared Mailboxes

In order for Enterprise Recon to be able to scan Shared Mailboxes, the user account used for scanning must be granted 'FullAccess' to the Shared Mailbox you wish to scan.

You may use the following command in your Exchange Management Shell to grant FullAccess to a specific mailbox:

Add-MailboxPermission -Identity <SHARED_MAILBOX> -User <SCAN_USER> -AccessRights FullAccess

Where <SHARED_MAILBOX> is the ID/name of the Shared Mailbox to scan and <SCAN_USER> is the user account used in ER.

Use this command to grant FullAccess to all Shared Mailboxes:

Get-Recipient -Resultsize unlimited | where {$_.RecipientTypeDetails -eq "SharedMailbox"} | Add-MailboxPermission -User <SCAN_USER> -AccessRights FullAccess

Where <SCAN_USER> is the user account used in ER.
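The two grants above (impersonation for the scan account, FullAccess on shared mailboxes), done from the Exchange Management Shell with a verification step for each, as an added example that is not part of the original article or of the Enterprise Recon product. The account, scope and assignment names are hypothetical placeholders. It also narrows the impersonation grant with a management scope, which the article's unscoped command does not do; drop the -CustomRecipientWriteScope parameter to reproduce the article's behaviour exactly. The RBAC cmdlets used here exist in Exchange 2010 and later (Exchange 2007 grants impersonation with Add-ADPermission and the ms-Exch-EPI-Impersonation extended rights instead), and -AutoMapping needs Exchange 2010 SP1 or later.

```powershell
# Added example (not from the original article): set up the ER scan account
# with a scoped impersonation grant and FullAccess on all shared mailboxes,
# then verify both. Run in the Exchange Management Shell (Exchange 2010 SP1
# or later). The account and names below are hypothetical placeholders.

$ScanUser   = 'CONTOSO\svc-er-scan'     # assumption: the account ER will use
$ScopeName  = 'ER-Scan-Recipients'      # assumption: any name of your choice
$Assignment = 'ER-Scan-Impersonation'   # assumption: any name of your choice

# Restrict impersonation to user and shared mailboxes instead of every
# recipient in the organisation. Omit -CustomRecipientWriteScope below to
# get the unscoped assignment shown in the article.
New-ManagementScope -Name $ScopeName `
    -RecipientRestrictionFilter "RecipientTypeDetails -eq 'UserMailbox' -or RecipientTypeDetails -eq 'SharedMailbox'"

New-ManagementRoleAssignment -Name $Assignment -Role ApplicationImpersonation `
    -User $ScanUser -CustomRecipientWriteScope $ScopeName

# Confirm the assignment exists and carries the scope.
Get-ManagementRoleAssignment -RoleAssignee $ScanUser -Role ApplicationImpersonation |
    Format-Table Name, Role, RoleAssigneeName, CustomRecipientWriteScope -AutoSize

# FullAccess on every shared mailbox. -AutoMapping:$false keeps Outlook from
# attaching all of these mailboxes to the scan account's own profile.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox |
    Add-MailboxPermission -User $ScanUser -AccessRights FullAccess -AutoMapping:$false

# Report any shared mailbox on which the scan account still lacks an (allow)
# FullAccess entry; an empty result means every shared mailbox is covered.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox |
    Where-Object {
        -not (Get-MailboxPermission -Identity $_.Identity -User $ScanUser -ErrorAction SilentlyContinue |
              Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.Deny })
    } |
    Select-Object DisplayName, PrimarySmtpAddress
```

Run the final pipeline again after creating new shared mailboxes: Add-MailboxPermission is a one-off grant, so mailboxes created later are not covered until you re-run it.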

Adding your Exchange server as a scan target in ER

  1. In your Enterprise Recon web console dashboard, click on 'Start Search'
  2. Click on 'Add Unlisted Target'

    exchange1.png

  3. Enter your Exchange server's hostname and click on 'Test'

    exchange2.png

  4. In the following window, select 'Email' on the left side and the 'Customise' button beside "Microsoft Exchange Web Services (EWS)" on the right side

    exchange3.png

  5. In the following window:
    'Path' should be left blank to scan all mailboxes. Otherwise, enter the display name of the mailbox to scan individually (e.g. John Harry).
    'Credential Label' can be anything. Note that all credentials are automatically stored in ER for convenience.
    'Username' should be entered as Domain\Username (or Domain\CAS Array FQDN\Username if using a CAS array). Make sure to enter the full domain name.
    Finally, select any Windows system with a Node Agent package installed as the proxy agent and click 'Test'.

    exchange_4.png

    * Domain name can be retrieved from your Exchange server by going to Start > Computer > Properties

    domain.jpg

    * CAS Array FQDN can be retrieved by opening up an Exchange Management Shell window and entering the following command:
        Get-ClientAccessArray | Select Name,Fqdn

    cas_array.png

  6. You may now proceed with your scan

 

Scanning on MAPI

Please note that scanning Microsoft Exchange via the MAPI protocol has been deprecated as of ER 2.0.17.

First, check whether 32-bit or 64-bit Outlook is installed on the Node Agent host. If 32-bit Outlook is installed on a 64-bit Windows system, change the 'Target OS' from 'Remote access only' to any 32-bit Windows OS:

  1. To do this, go to the 'Targets' page
  2. Hover your pointer over your Node Agent and click the 'Settings icon' on the right
  3. Select 'Edit Target'

    exchange5.png

  4. In the following window, click on 'Change OS' and select a 32-bit Windows OS

    exchange6.png

Setting up the Exchange account used for scanning

  1. On your Exchange server, ensure the 'Credential Manager' service is running
  2. Open Control Panel > User Accounts > Credential Manager
  3. Ensure 'Windows Credentials' does not show “Windows credentials have been disabled by your system administrator”

    If 'Windows Credentials' has been disabled, go to Start > Run and enter “gpedit.msc” to open the Local Group Policy Editor.
    In the Local Group Policy Editor, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
    Double-click “Network access: Do not allow storage of passwords and credentials for network authentication” and set it to 'Disabled'.
  4. The user used to scan all mailboxes must have full read access to every mailbox on the server to be scanned.
    This can be achieved by one of the following:

    - Make the user a member of 'Domain Admins' in Active Directory
    - Run the following command in the Exchange Management Shell to grant access to all mailbox databases on a particular server:
        Get-MailboxDatabase -Server "<server name>" | Add-ADPermission -User "<username>" -AccessRights GenericAll
    - Run the following command in the Exchange Management Shell to check the access of a particular user on a particular server:
        Get-MailboxDatabase -Server "<server name>" | Get-ADPermission -User "<username>"

    Both routes grant far more than read access: 'Domain Admins' membership and GenericAll on the mailbox databases are effectively full control. If you must use MAPI, the narrower right that gives mailbox read access is the Receive-As extended right on the databases (Add-ADPermission -ExtendedRights Receive-As); otherwise prefer the EWS impersonation setup described above.

Adding your Exchange server as a scan target in ER

Ensure beforehand that the Node Agent host is joined to, and logged into, the Active Directory domain in which the mailbox and CAS server reside.

  1. In your Enterprise Recon web console dashboard, click on 'Start Search'
  2. Click on 'Add Unlisted Target'

    exchange1.png

  3. Enter your Exchange server's hostname and click on 'Test'

    exchange2.png

  4. In the following window, select 'Email' on the left side and the 'Customise' button beside the Microsoft Exchange MAPI entry on the right side (not the EWS entry used in the previous section)

    exchange3.png

  5. In the following window:
    'Path' should be left blank to scan all mailboxes. Otherwise, enter the display name or user name of the mailbox to scan individually (e.g. John Harry).
    'Credential Label' can be anything. Note that all credentials are automatically stored in ER for convenience.
    'Username' should be entered as Domain\Username (or Domain\CAS Array FQDN\Username if using a CAS array). Make sure to enter the full domain name.
    Finally, select your Node Agent as the proxy agent and click 'Test'.

    exchange_4.png

    * Domain name can be retrieved from your Exchange server by going to Start > Computer > Properties

    domain.jpg

    * CAS Array FQDN can be retrieved by opening up an Exchange Management Shell window and entering the following command:
        Get-ClientAccessArray | Select Name,Fqdn

    cas_array.png

  6. You may now proceed with your scan

 

Scanning Office 365

Setting up the Office 365 account used for scanning

The user account to be used for scanning all mailboxes must have impersonation enabled.
For this, create a new admin role group in the Exchange admin center, add the 'ApplicationImpersonation' and 'Mailbox Search' roles to it, and make the scan account a member of that group.

Changes usually take about 15 minutes to take effect.

exchange7.png

exchange8.png
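The same role group created from Exchange Online PowerShell instead of the portal, with a check of what the group actually grants, as an added example that is not part of the original article or of the Enterprise Recon product. It assumes the ExchangeOnlineManagement module is installed; the admin UPN, group name and scan account are hypothetical placeholders (the groundlabs.onmicrosoft.com tenant name is reused from the article's own examples). One caveat for readers on a current tenant: Microsoft has since retired the ApplicationImpersonation role in Exchange Online (new assignments were blocked during 2024 and the role removed in 2025), so on such a tenant the New-RoleGroup call below will no longer succeed.

```powershell
# Added example (not from the original article): create the Office 365 admin
# role group for ER scanning from Exchange Online PowerShell and verify it.
# Requires the ExchangeOnlineManagement module. All names are hypothetical.

Connect-ExchangeOnline -UserPrincipalName 'admin@groundlabs.onmicrosoft.com'   # assumption: your tenant admin

$GroupName = 'ER Mailbox Scan'                      # assumption: any name of your choice
$ScanUpn   = 'er-scan@groundlabs.onmicrosoft.com'   # assumption: the account ER will use

# One role group carrying both roles the article names, with the scan
# account as its only member.
New-RoleGroup -Name $GroupName `
    -Roles 'ApplicationImpersonation', 'Mailbox Search' `
    -Members $ScanUpn `
    -Description 'Enterprise Recon mailbox scanning (impersonation + search)'

# Verify membership and the effective role assignments. Allow roughly
# 15 minutes for the change to propagate before testing a scan in ER.
Get-RoleGroupMember -Identity $GroupName | Select-Object Name, PrimarySmtpAddress
Get-ManagementRoleAssignment -RoleAssignee $GroupName |
    Select-Object Role, RoleAssigneeName, RecipientWriteScope

Disconnect-ExchangeOnline -Confirm:$false
```

Keep the scan account out of every other admin role group: the two roles above are all it needs, and ApplicationImpersonation on its own already lets it read every mailbox in the tenant.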

Adding your Office 365 as a scan target in ER

  1. In your Enterprise Recon web console dashboard, click on 'Start Search'
  2. Click on 'Add Unlisted Target'

    exchange1.png
  3. Select 'Office 365 Mail'

    'Office 365 Domain' should be your Office 365 domain name (e.g. groundlabs.onmicrosoft.com).
    To scan a specific mailbox, use the format Domain/Mailbox name.
    For the credentials, use the account configured beforehand to scan all mailboxes (the one with impersonation capability), entering the 'Username' in the format user@domain (e.g. administrator@groundlabs.onmicrosoft.com).

    exchange10.png

  4. You may now proceed with your scan

 

Troubleshooting

  • Use the command
        nslookup -type=srv _ldap._tcp.<domain name>
    to verify that you can look up the Active Directory server name from your Node Agent.
  • Verify you can access the Active Directory server from your Node Agent.
  • Verify you can access https://<CAS array FQDN>/owa from your Node Agent.
  • Please ensure 'Cached Exchange Mode' is turned off in Outlook clients.
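The first three checks in this list, plus a direct test that the scan account's impersonation grant actually works over EWS, as one script to run on the Node Agent host before adding the EWS target described in 'Scanning on EWS'. This is an added example, not part of the original article or of the Enterprise Recon product. It needs Windows PowerShell 3.0 or later; the domain, CAS array FQDN, scan account and target mailbox are hypothetical placeholders. Resolve-DnsName exists on Windows 8 / Server 2012 and later only; on Windows 7 / 2008 R2 run the nslookup line above by hand instead.

```powershell
# Added example (not from the original article): pre-flight checks on the
# Node Agent host before adding an EWS target in ER. All names are
# hypothetical placeholders.

$Domain     = 'contoso.local'             # assumption: AD DNS domain name
$CasFqdn    = 'outlook.contoso.local'     # assumption: CAS array FQDN
$ScanUser   = 'CONTOSO\svc-er-scan'       # assumption: the ER scan account
$TargetSmtp = 'john.harry@contoso.com'    # assumption: one mailbox ER will scan

$cred = Get-Credential -UserName $ScanUser -Message 'ER scan account password'

# 1. Locate a domain controller via the _ldap._tcp SRV record.
$dc = Resolve-DnsName -Name "_ldap._tcp.$Domain" -Type SRV -ErrorAction Stop |
      Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget
"Domain controllers: $($dc -join ', ')"

# 2. Is OWA on the CAS array answering? Any HTTP status proves reachability;
#    a 401 here is normal because no credentials are sent.
try {
    $owa = Invoke-WebRequest -Uri "https://$CasFqdn/owa/" -UseBasicParsing -ErrorAction Stop
    "OWA: HTTP $($owa.StatusCode)"
} catch {
    if (-not $_.Exception.Response) { throw }    # DNS/TCP/TLS failure: stop here
    "OWA: HTTP $([int]$_.Exception.Response.StatusCode)"
}

# 3. Exercise the ApplicationImpersonation grant: GetFolder on the target
#    mailbox's Inbox with an ExchangeImpersonation header. EWS reports the
#    outcome in the SOAP body (or a SOAP fault), not in the HTTP status.
$soap = @"
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
               xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
  <soap:Header>
    <t:RequestServerVersion Version="Exchange2007_SP1"/>
    <t:ExchangeImpersonation>
      <t:ConnectingSID><t:PrimarySmtpAddress>$TargetSmtp</t:PrimarySmtpAddress></t:ConnectingSID>
    </t:ExchangeImpersonation>
  </soap:Header>
  <soap:Body>
    <m:GetFolder>
      <m:FolderShape><t:BaseShape>IdOnly</t:BaseShape></m:FolderShape>
      <m:FolderIds><t:DistinguishedFolderId Id="inbox"/></m:FolderIds>
    </m:GetFolder>
  </soap:Body>
</soap:Envelope>
"@

try {
    $r = Invoke-WebRequest -Uri "https://$CasFqdn/EWS/Exchange.asmx" -Method Post `
             -ContentType 'text/xml; charset=utf-8' -Body $soap -Credential $cred `
             -UseBasicParsing -ErrorAction Stop
    $body = $r.Content
} catch {
    if (-not $_.Exception.Response) { throw }
    # SOAP faults come back as HTTP 500; read the body anyway to get the code.
    $body = (New-Object IO.StreamReader($_.Exception.Response.GetResponseStream())).ReadToEnd()
}

# Pull the EWS response code out of either a ResponseMessage or a SOAP fault.
$code = if ($body -match '(?:ResponseCode|faultcode)>(?:\w+:)?(\w+)<') { $Matches[1] }
        else { 'no EWS response (check credentials and URL)' }
"Impersonation of ${TargetSmtp}: $code"
# NoError                    -> the account is ready for ER
# ErrorImpersonateUserDenied -> ApplicationImpersonation missing, or mailbox outside its scope
# ErrorNonExistentMailbox    -> address not found in this organisation
```

Run it as the same Windows user the Node Agent service runs under where possible, so that proxy, certificate trust and Kerberos behaviour match what ER will see.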

 

All information in this article is accurate and true as of the last edited date.
