Verify Message Tracking Log Shares locked down WA

Verify_Message_Tracking_Log_shares_are_locked_down.WriteAction (WriteActionModuleType)

Element properties:

Type: WriteActionModuleType
Isolation: Any
Accessibility: Internal
RunAs: System.PrivilegedMonitoringAccount
InputType: System.BaseData

Member Modules:

ID | Module Type | TypeId | RunAs
Script | WriteAction | Microsoft.Windows.ScriptWriteAction | Default

Overrideable Parameters:

ID | Parameter Type | Selector | Display Name | Description
TimeoutSeconds | int | $Config/TimeoutSeconds$ | Timeout Seconds |

Source Code:

<WriteActionModuleType ID="Verify_Message_Tracking_Log_shares_are_locked_down.WriteAction" Accessibility="Internal" RunAs="System!System.PrivilegedMonitoringAccount" Batching="false">
<Configuration>
<xsd:element name="TargetNetbiosComputer" type="xsd:string"/>
<xsd:element name="TimeoutSeconds" type="xsd:int"/>
</Configuration>
<OverrideableParameters>
<OverrideableParameter ID="TimeoutSeconds" Selector="$Config/TimeoutSeconds$" ParameterType="int"/>
</OverrideableParameters>
<ModuleImplementation Isolation="Any">
<Composite>
<MemberModules>
<WriteAction ID="Script" TypeID="Windows!Microsoft.Windows.ScriptWriteAction">
<ScriptName>Verify_Message_Tracking_Log_shares_are_locked_down.vbs</ScriptName>
<Arguments>$Config/TargetNetbiosComputer$</Arguments>
<ScriptBody><Script>
'Copyright (c) Microsoft Corporation. All rights reserved.
'*************************************************************************
' $ScriptName: "Common" $
'
' Purpose: To have one place for common stuff across various Exchange VBScripts
'
' $File: Common.vbs $
'*************************************************************************
' Option Explicit

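' Pin the locale so date/number formatting in event text does not depend on
' the regional settings of the account running the script.
SetLocale("en-us")

' Event source passed to Mom.ScriptAPI.LogScriptEvent by CreateEvent.
' A script that includes this common section may overwrite it with its own name.
Dim EVENT_SOURCE
EVENT_SOURCE = "Exchange MOM"

'=============
'Event Type Constants (event type argument of LogScriptEvent)
'=============
Const EVENT_TYPE_SUCCESS = 0
Const EVENT_TYPE_ERROR = 1
Const EVENT_TYPE_WARNING = 2
Const EVENT_TYPE_INFORMATION = 4

'=============
'Error Constants
'=============
Const ERROR_FILE_NOT_FOUND = -2147024894 'win32 error: 0x80070002

'=============
'Other Constants
'=============
Const MAX_LONG = 2147483647
Const MIN_LONG = -2147483648

'=============
'Initialize MOM Scripting Variables
'=============
' The Err check after CreateObject is only reachable while errors are
' resumable: without On Error Resume Next a failed CreateObject terminates
' the script before the If is evaluated, so the intended Quit -1 never ran.
Dim oAPI
On Error Resume Next
Set oAPI = CreateObject("Mom.ScriptAPI")
If Err &lt;&gt; 0 Then
    Wscript.Quit -1
End If
On Error GoTo 0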

'=============
'Helper methods
'=============
' Method: CreateEvent
' Description: Writes an event to MOM through the script API, using the
'              script-level EVENT_SOURCE as the event source.
' Parameters: lngEventID - event id
'             lngEventType - one of the EVENT_TYPE_* constants
'             strMsg - event description text
'=============
Sub CreateEvent(lngEventID, lngEventType, strMsg)
    oAPI.LogScriptEvent EVENT_SOURCE, lngEventID, lngEventType, strMsg
End Sub

'=============
' Method: HResultToString
' Description: Renders a numeric error code as "0x&lt;hex&gt;(&lt;decimal&gt;)",
'              e.g. "0x80070002(-2147024894)". Hex() does not zero-pad, so
'              small values render as "0x2(2)".
' Parameters: hresult - numeric error code
'=============
Function HResultToString(hresult)
    Dim strHexPart
    strHexPart = Hex(hresult)
    HResultToString = "0x" &amp; strHexPart &amp; "(" &amp; hresult &amp; ")"
End Function

'=============
' Method: RegRead
' Description: Reads a registry value through WScript.Shell.RegRead.
' Parameters: strKey - full registry path of the value to read
' Returns: The value read, or the placeholder "..." when the read fails.
'          Errors are suppressed, so a missing key cannot be told apart
'          from any other failure by the caller.
'=============
Function RegRead(strKey)
    On Error Resume Next
    Dim oShell
    ' Default result; stays in place when the RegRead call below fails.
    RegRead = "..."
    Set oShell = CreateObject("WScript.Shell")
    RegRead = oShell.RegRead(strKey)
    Set oShell = Nothing
End Function

'=============
' Method: ConvertDateTime
' Description: Converts a "yyyymmddHHMMSS" string (only the first 14
'              characters are read; anything after them is ignored) into
'              a locale-formatted "date time" string.
' Parameters: dtDateTime - string of at least 14 digits
' Remarks: Shorter input is likely to fail inside DateSerial/TimeSerial
'          with a type mismatch; no validation is performed here.
'=============
Function ConvertDateTime(dtDateTime)
    Dim nYear, nMonth, nDay, nHour, nMinute, nSecond
    nYear = Left(dtDateTime, 4)
    nMonth = Mid(dtDateTime, 5, 2)
    nDay = Mid(dtDateTime, 7, 2)
    nHour = Mid(dtDateTime, 9, 2)
    nMinute = Mid(dtDateTime, 11, 2)
    nSecond = Mid(dtDateTime, 13, 2)

    ConvertDateTime = FormatDateTime(DateSerial(nYear, nMonth, nDay)) &amp; " " &amp; FormatDateTime(TimeSerial(nHour, nMinute, nSecond))
End Function

'=============
' Method: IsWMIRunning
' Description: Returns True when the local root\cimv2 WMI namespace can be
'              opened, False otherwise. On failure event 9013 is logged.
' Parameters: -
' Remarks: Runs under On Error Resume Next; the GetObject failure is
'          detected through Err rather than raised to the caller.
'=============
Function IsWMIRunning()
    Dim oService

    On Error Resume Next
    Set oService = GetObject("winmgmts:root\cimv2")
    IsWMIRunning = (Err.Number = 0)

    If Not IsWMIRunning Then
        CreateEvent _
            9013, _
            EVENT_TYPE_ERROR, _
            "The 'Windows Management Instrumentation' service (WinMgmt.exe) was not running when MOM tried to run a script that is dependent on this service. Check if the start up mode of this service is not set to 'disabled'."
    End If

End Function

'=============
' Method: WMIExecQuery
' Description: Connects to a WMI namespace, runs a WQL query and returns the
'              resulting SWbemObjectSet. Each step (GetObject, ExecQuery,
'              Count) runs with errors suppressed and Err is inspected
'              immediately afterwards.
' Parameters:
' sNamespace - A WMI Namespace (ex. winmgmts:\\COMPUTERNAME\ROOT\cimv2).
' sQuery - A WQL Query (ex. SELECT * FROM Win32_OperatingSystem). It is handed
'          to ExecQuery unchanged, so callers must not build it from untrusted text.
' iAlert - When non-zero, a failure at any step is echoed and re-raised as
'          error 9100; when zero, each failure is swallowed and the next step runs.
' Remarks: With iAlert = 0 a failed connection or query leaves oQuery Empty and
'          execution still reaches the final Set below. NOTE(review): that Set
'          then appears to raise to the caller instead of returning a usable
'          result, so callers passing 0 should run under On Error Resume Next
'          and check Err - confirm.
'=============
Function WMIExecQuery(sNamespace, sQuery, iAlert)
Dim oWMI, oQuery
Dim nErrNumber, sErrDescription
Dim nInstanceCount

' Step 1: open the namespace; an empty oWMI means GetObject failed.
On Error Resume Next
Set oWMI = GetObject(sNamespace)
On Error Goto 0

If IsEmpty(oWMI) And iAlert &lt;&gt; 0 Then
WScript.Echo "Unable to open WMI Namespace " &amp; sNamespace
Err.Raise 9100, "Unable to open WMI Namespace " &amp; sNamespace, "Check to see if the WMI service is enabled and running, and ensure this WMI namespace."
End If

' Step 2: run the query; the error state is captured before On Error Goto 0 resets it.
On Error Resume Next
Set oQuery = oWMI.ExecQuery(sQuery)
nErrNumber = Err.Number
sErrDescription = Err.Description
On Error Goto 0

If (IsEmpty(oQuery) Or nErrNumber &lt;&gt; 0) And iAlert &lt;&gt; 0 Then
WScript.Echo "The Query '" &amp; sQuery &amp; "' returned an invalid result set. Error:" &amp; nErrNumber &amp; ", " &amp; sErrDescription &amp; "."
Err.Raise 9100, "The Query '" &amp; sQuery &amp; "' returned an invalid result set.", "Please check to see if this is a valid WMI Query. Error:" &amp; nErrNumber &amp; ", " &amp; sErrDescription &amp; "."
End If

'Determine if we queried a valid WMI class - Count will return 0 or empty
' Step 3: touching Count forces the (lazy) result set to be evaluated so a bad
' class name surfaces here instead of at the caller's first enumeration.
On Error Resume Next
nInstanceCount = oQuery.Count
nErrNumber = Err.Number
sErrDescription = Err.Description
On Error Goto 0

If nErrNumber &lt;&gt; 0 And iAlert &lt;&gt; 0 Then
WScript.Echo "The Query '" &amp; sQuery &amp; "' did not return any valid instances. Error:" &amp; nErrNumber &amp; ", " &amp; sErrDescription &amp; "."
Err.Raise 9100, "The Query '" &amp; sQuery &amp; "' did not return any valid instances.", "Please check to see if this is a valid WMI Query. Error:" &amp; nErrNumber &amp; ", " &amp; sErrDescription &amp; "."
End If

' Hand the result set to the caller; the local references are released.
Set WMIExecQuery = oQuery
Set oQuery = Nothing
Set oWMI = Nothing
End Function

'=============
' Method: IsRunningAsSystem
' Description: Returns True when the current thread's account name equals the
'              (localized) account name of the LocalSystem account, False otherwise.
' Parameters: -
' Comments: If IsRunningAsSystem is False the caller should check if there is any error (If Err Then ...).
'           The comparison is by display name, not by SID: WScript.Network does
'           not expose the caller's SID, so the well-known SID S-1-5-18 is only
'           used to look up the system account's localized name.
'=============
Function IsRunningAsSystem
    Dim oNetwork, oSystemAccount

    IsRunningAsSystem = False

    ' Account running the current thread
    Set oNetwork = CreateObject("WScript.Network")

    ' Resolve the system account object from its well-known SID
    Set oSystemAccount = GetObject("WinMgmts:root/cimv2:Win32_SID='S-1-5-18'")

    ' Case-sensitive comparison is fine: when the account is system, both names
    ' are read from the same source.
    If oNetwork.UserName = oSystemAccount.AccountName Then IsRunningAsSystem = True
End Function

'=============
'=============
'Exchange specific Helper methods
'=============
'=============

'=============
' Method: GetNamingContext
' Description: Reads one property from the directory's rootDSE object
'              (e.g. a naming context attribute) via LDAP://rootDSE.
' Parameters: strPropertyName - name of the rootDSE attribute to read
' Returns: The attribute value; "" only if the read does not complete
'          (errors from GetObject/Get propagate to the caller).
'=============
Function GetNamingContext(strPropertyName)
    GetNamingContext = ""

    Dim oRootDSE
    Set oRootDSE = GetObject("LDAP://rootDSE")
    With oRootDSE
        GetNamingContext = .Get(strPropertyName)
    End With
    Set oRootDSE = Nothing
End Function

'=============
' Method: GetRootGC
' Description: Binds to the "GC:" container and returns the LAST entry it
'              enumerates (the loop does not stop at the first one).
' Parameters: -
' Returns: The last enumerated global catalog object; Empty if the container
'          enumerates nothing.
'=============
Function GetRootGC()
    Dim oContainer, oEntry
    Set oContainer = GetObject("GC:")
    For Each oEntry In oContainer
        Set GetRootGC = oEntry
    Next
End Function

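'=============
' Method: GetCNValue
' Description: Returns the value of the iOcurr-th "CN=" component of a
'              distinguished-name style string (everything between "CN="
'              and the next ",").
' Parameters: iOcurr - 1-based occurrence to extract, passed ByVal so the
'                      caller's variable is not decremented by GetTokValue
'                      (VBScript passes ByRef by default)
'             strData - the string to search
'=============
Function GetCNValue(ByVal iOcurr, strData)
    GetCNValue = GetTokValue(iOcurr, "CN=", ",", strData)
End Function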

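'=============
' Method: GetTokValue
' Description: Returns the text between the iOcurr-th occurrence of
'              strStartTok and the following strEndTok (case-insensitive).
' Parameters: iOcurr - 1-based occurrence to extract (0 reads from the start
'                      of strData up to the first strEndTok); ByVal so the
'                      countdown below no longer clobbers the caller's variable
'             strStartTok, strEndTok - delimiters
'             strData - the string to search
' Returns: The extracted value; "" when strData holds fewer than iOcurr start
'          tokens; the rest of the string when no end token follows (the
'          previous Mid with a negative length raised a runtime error here).
'=============
Function GetTokValue(ByVal iOcurr, strStartTok, strEndTok, strData)
    Dim iIni, iEnd, iTokLen

    GetTokValue = ""
    iTokLen = Len(strStartTok)
    iIni = 1

    ' Skip to the desired occurrence
    While iOcurr &gt; 0
        iIni = InStr(iIni, strData, strStartTok, vbTextCompare)
        If iIni = 0 Then Exit Function ' fewer occurrences than requested
        iIni = iIni + iTokLen
        iOcurr = iOcurr - 1
    WEnd

    iEnd = InStr(iIni, strData, strEndTok, vbTextCompare)
    If iEnd = 0 Then
        ' No closing delimiter: the value runs to the end of the string
        GetTokValue = Mid(strData, iIni)
    Else
        GetTokValue = Mid(strData, iIni, iEnd - iIni)
    End If
End Function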

'=============
' Format Constants - separator strings used when building multi-line output
' (OutputInfo uses REC_DELIM and IDENT; INFO_DELIM is not referenced in the
' visible part of this file)
'=============
Dim REC_DELIM   ' ends one "name: value" record
Dim INFO_DELIM  ' blank-line separator between record groups
Dim IDENT       ' one indentation step
REC_DELIM = vbCr
INFO_DELIM = REC_DELIM &amp; REC_DELIM
IDENT = " "

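'=============
' Method: OutputInfo
' Description: Renders parallel lists of property names and values as
'              "name: value" lines, one per property starting at iPropsFrom,
'              each line indented by iLevel copies of IDENT and terminated by
'              REC_DELIM.
' Parameters: strValues - ";"-separated values
'             strProps - ","-separated property names
'             iPropsFrom - index of the first property to render
'             iLevel - indentation level; ByVal so the countdown below does not
'                      modify the caller's variable (VBScript passes ByRef by default)
'             blnHierarchical - when True, lines after the first get one extra IDENT
' Returns: The rendered text, or "" when strValues is empty. A property with no
'          matching value is skipped explicitly instead of being dropped by a
'          suppressed out-of-range error as before.
' Remarks: Very similar to OutDiskInfo sub in Disk_Space_Problem.vbs
'=============
Function OutputInfo(strValues, strProps, iPropsFrom, ByVal iLevel, blnHierarchical)
    Dim arrValues, arrProps, strLvl, strOut
    Dim i

    OutputInfo = ""
    If IsNull(strValues) Then Exit Function
    If strValues = "" Then Exit Function

    arrValues = Split(strValues, ";")
    arrProps = Split(strProps, ",")

    strLvl = ""
    While iLevel &gt; 0
        strLvl = strLvl &amp; IDENT
        iLevel = iLevel - 1
    WEnd

    strOut = ""
    For i = iPropsFrom To UBound(arrProps)
        If i &lt;= UBound(arrValues) Then
            strOut = strOut &amp; strLvl &amp; arrProps(i) &amp; ": " &amp; arrValues(i) &amp; REC_DELIM
        End If
        ' Everything after the first rendered property is indented one more step
        If i = iPropsFrom And blnHierarchical Then strLvl = strLvl &amp; IDENT
    Next

    OutputInfo = strOut
End Function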


'Copyright (c) Microsoft Corporation. All rights reserved.
'*******************************************************************************
' $ScriptName: "Verify Message Tracking Log shares are locked down" $
'
' Purpose - This script verifies that Everyone does not have access to the Message Tracking logs on an Exchange server.
'
' Parameters - TargetNetbiosComputer = NetBIOS name of the Exchange server whose message tracking log share is checked (the script's single command-line argument).
'
' Events -
'SOURCE ID DESCRIPTION
'Exchange MOM 8103 Message Tracking Logs have "Everyone" listed as OK to access.
'Exchange MOM 8104 WMI error from Win32_Share.
'Exchange MOM 8105 WMI error from Win32_LogicalShareSecuritySetting.
'
' $File: Verify_Message_Tracking_Share_Protected.vbs $
'*************************************************************************

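' Replace the common event source so events are attributed to this check.
EVENT_SOURCE = "Verify Message Tracking Log shares are locked down"

'Events IDs for this script
Const MESSAGE_TRACKING_LOGS_EVERYONE_PERMS_ID = 8103
Const MESSAGE_TRACKING_LOGS_EVERYONE_PERMS_MSG = "The 'Everyone' group has permissions on the Exchange Message Tracking log share (SERVERNAME.log directory). It is recomended that you lock down this directory for security purposes. The 'EVERYONE' group should not be given any access to this share including Full Control, Change or Read. Please remove 'EVERYONE' and add only users that are required to access this share, i.e. your exchange system administrators."

'WMI failure while enumerating Win32_Share
Const WMI_ERROR_FROM_WIN32_SHARE_EVENT_ID = 8104
Const WMI_ERROR_FROM_WIN32_SHARE_MSG = "WMI failed to GetObject('winmgmts://Server_Name/root/cimv2').execquery('select * from Win32_Share')"

'WMI failure while enumerating Win32_LogicalShareSecuritySetting
Const WMI_ERROR_FROM_WIN32_LOGICALSHARESECURITYSETTING_EVENT_ID = 8105
Const WMI_ERROR_FROM_WIN32_LOGICALSHARESECURITYSETTING_MSG = "WMI failed to GetObject('winmgmts://Server_Name/root/cimv2').execquery('select * from Win32_LogicalShareSecuritySetting')"

' The single argument is the NetBIOS name of the Exchange server to check
' (the module passes $Config/TargetNetbiosComputer$).
Dim TargetNetbiosComputer
If WScript.Arguments.Count = 1 Then
    TargetNetbiosComputer = WScript.Arguments(0)
End If

' Missing, extra or blank argument: exit non-zero, as the common section does
' for its own fatal errors, so the failure is visible to the caller instead of
' looking like a clean run that logged nothing. A blank name would otherwise
' be checked against the local machine for a share called ".LOG".
If IsEmpty(TargetNetbiosComputer) Then WScript.Quit -1
If Len(Trim(TargetNetbiosComputer)) = 0 Then WScript.Quit -1

CheckSERVERNAMELOGShare TargetNetbiosComputer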

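'=================================================================================
' Method: CheckSERVERNAMELOGShare
' Description: Checks whether the "&lt;SERVER&gt;.LOG" message tracking share on the
'              given Exchange server grants access to the Everyone group and
'              logs event 8103 (warning) when it does, or 10000 (success)
'              otherwise. WMI failures are logged as 8104 / 8105 and end the check.
' Parameters: strExchangeServerName - NetBIOS name of the Exchange server
' Remarks: Errors are made resumable for the whole sub so the Err checks after
'          each WMI call are actually reached; previously a failing WMI call
'          terminated the script before the 8104/8105 events could be logged.
'          When the security descriptor cannot be read, or the share has no
'          DACL, the share is treated as NOT locked down (warning), matching
'          the existing handling of a share without a security setting.
'=================================================================================
Sub CheckSERVERNAMELOGShare (strExchangeServerName)

    Dim strServer, strShareName, strName, shareExists, boolFireEvent, SDExists
    Dim oShares, share, retval, descriptor, grantsEveryone

    On Error Resume Next

    strServer = UCase(strExchangeServerName)
    strShareName = strServer &amp; ".LOG"
    shareExists = False
    boolFireEvent = False
    SDExists = False

    ' 1) Does the share exist at all?
    Err.Clear
    Set oShares = WMIExecQuery("winmgmts://" &amp; strServer &amp; "/root/cimv2", "select * from Win32_Share", 0)
    If Err.Number &lt;&gt; 0 Or Not IsObject(oShares) Then
        CreateEvent WMI_ERROR_FROM_WIN32_SHARE_EVENT_ID, EVENT_TYPE_INFORMATION, WMI_ERROR_FROM_WIN32_SHARE_MSG
        Exit Sub
    End If

    For Each share In oShares
        ' Compare through a variable so an error reading Name cannot satisfy the If
        strName = ""
        strName = UCase(share.Name)
        If strName = strShareName Then
            shareExists = True
            Exit For
        End If
    Next
    Set share = Nothing
    Set oShares = Nothing

    ' No such share: nothing to check and no event is raised (unchanged behaviour).
    If Not shareExists Then Exit Sub

    ' 2) Read the share's security setting and inspect its DACL.
    Err.Clear
    Set oShares = WMIExecQuery( _
        "winmgmts://" &amp; strServer &amp; "/root/cimv2", _
        "select * from Win32_LogicalShareSecuritySetting", _
        0)
    If Err.Number &lt;&gt; 0 Or Not IsObject(oShares) Then
        CreateEvent _
            WMI_ERROR_FROM_WIN32_LOGICALSHARESECURITYSETTING_EVENT_ID, _
            EVENT_TYPE_INFORMATION, _
            WMI_ERROR_FROM_WIN32_LOGICALSHARESECURITYSETTING_MSG
        Exit Sub
    End If

    For Each share In oShares
        strName = ""
        strName = UCase(share.Name)
        If strName = strShareName Then
            SDExists = True
            Err.Clear
            retval = share.GetSecurityDescriptor(descriptor)
            If Err.Number &lt;&gt; 0 Or retval &lt;&gt; 0 Or Not IsObject(descriptor) Then
                ' Descriptor unreadable: the share cannot be shown to be locked down.
                boolFireEvent = True
            Else
                Err.Clear
                grantsEveryone = DaclGrantsEveryone(descriptor)
                If Err.Number &lt;&gt; 0 Or grantsEveryone = True Then boolFireEvent = True
            End If
        End If
    Next
    Set share = Nothing
    Set oShares = Nothing

    ' Share exists but has no security setting instance: treat as not locked down.
    If Not SDExists Then boolFireEvent = True

    If boolFireEvent = True Then
        CreateEvent MESSAGE_TRACKING_LOGS_EVERYONE_PERMS_ID, EVENT_TYPE_WARNING, MESSAGE_TRACKING_LOGS_EVERYONE_PERMS_MSG
    Else
        CreateEvent 10000, EVENT_TYPE_SUCCESS, "Everyone does not have access to the MessageTacking logs on an Exchange server"
    End If
End Sub

'=================================================================================
' Method: DaclGrantsEveryone
' Description: Returns True when the security descriptor's DACL contains an
'              access-allowed ACE for the Everyone group, or when the descriptor
'              has no DACL at all (a NULL DACL grants everyone full access).
'              Deny ACEs are not counted as access.
' Parameters: descriptor - Win32_SecurityDescriptor instance
' Remarks: Everyone is matched by its well-known SID S-1-1-0 so the check does
'          not depend on the localized account name; the name comparison is
'          kept as a fallback for trustees without a SIDString.
'=================================================================================
Function DaclGrantsEveryone(descriptor)
    Dim ace, trustee, strSid, strAccountName
    Const ACCESS_ALLOWED_ACE_TYPE = 0
    Const EVERYONE_SID = "S-1-1-0"

    DaclGrantsEveryone = False

    ' Null/Empty DACL (not an array): no restrictions at all.
    If Not IsArray(descriptor.DACL) Then
        DaclGrantsEveryone = True
        Exit Function
    End If

    For Each ace In descriptor.DACL
        If ace.AceType = ACCESS_ALLOWED_ACE_TYPE Then
            Set trustee = ace.Trustee
            strSid = ""
            strAccountName = ""
            If Not IsNull(trustee.SIDString) Then strSid = UCase(trustee.SIDString)
            If Not IsNull(trustee.Name) Then strAccountName = UCase(trustee.Name)
            If strSid = EVERYONE_SID Or strAccountName = "EVERYONE" Then
                DaclGrantsEveryone = True
                Exit Function
            End If
        End If
    Next
End Function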

</Script></ScriptBody>
<TimeoutSeconds>$Config/TimeoutSeconds$</TimeoutSeconds>
</WriteAction>
</MemberModules>
<Composition>
<Node ID="Script"/>
</Composition>
</Composite>
</ModuleImplementation>
<InputType>System!System.BaseData</InputType>
</WriteActionModuleType>