In the last week, Microsoft have published about a significant zero day vulnerability in Exchange Server – you can read about it here.
This attack required a valid username and password for one of the vulnerabilities to be executed. Microsoft have advised in their security guidance to disable RemotePowerShell for non-admins. In their article on Controlling remote PowerShell access to Exchange Servers, Microsoft do clearly show that you should not do this for Admin users, but they give no solution on what to do if you have done this already. I’m also told that the blue box below was not present a few days ago.
This is very valid guidance, HOWEVER, in some of the initial articles floating around have indicated that you should execute the following command to disable it for ALL USERS.
Get-User -ResultSize unlimited | Set-User -RemotePowerShellEnabled:$falseIf you have done this command then you will find you now cannot use the Exchange PowerShell Management Console AT ALL. It will an error message showing you that RemotePowerShell is DISABLED for your admin user.
I was reached out to by a client who had executed this and was in a panic. He had run this command on their server, and had issues later getting into the Exchange Management Shell.
He had googled and could not find a solution. There appears to be no information on the Internet on how to resolve this issue. I started digging into it, and I even found the attribute in AD which is set when you manipulate this setting via Powershell commands.
For reference it is the protocolSettings attribute and it has RemotePowerShell set to either 1 for enabled or 0 for disabled.
Now ADSIEdit is a beast of a tool and I use it only as a last resort… THIS IS NOT THE TIME TO USE IT.
The dead simple way around this is even easier.
Given you executed the command on ALL USERS then a newly created user won’t have the issue
Create a new user, make it a member of Domain Admins, Enterprise Admins, Schema Admins and the Exchange Organization Admins group.
Login to the Exchange server as the new user and then use the command below to reset the attribute to change RemotePowerShellEnabled to True
Set-User MyAdminUser -RemotePowerShellEnabled:$true
You can now use your original admin account without a problem. You see – sometimes not everything is about using the sledgehammer to crack the nut, sometimes the solution is simple.
Beware of the -OR condition when *excluding* records from a result (it is more appropriate when including records in results). I believe that should be a -AND condition in order to not select the two admin accounts in this PowerShell.
OR example: Selecting a user record needs to not meet either condition *separately*, so Admin1 is selected as it meets the condition of not being Admin2, and Admin2 is selected as it meets the condition of not being Admin1. Either condition needs to be true, but not both.
In this case you want selected users to not meet *both* conditions so they need meet the first condition (not Admin1) AND ALSO the second condition (not Admin2) at the same time.