tools

Using SPF to block mail account spoofing

Introduction

Did you ever got a mail from yourself, but you’re sure you did not send it?

This week I got that mail from a mail alias I’m using, so it’s actually not a native mailbox, but a mail forwarder address, which makes the claim that “the mailbox is hacked” pretty silly…

But if you got this message from a native mailbox, it does sound scary, isn’t it?

I already had some similar symptoms on other mail addresses in the same domain.

Symptoms

You get a mail from your own mail address… which is called mail spoofing.
And it looks like:

mailspoof

Spoofed mail message content

Hi!

As you may have noticed, I sent you an email from your account.
This means that I have full access to your account.

I’ve been watching you for a few months now.
The fact is that you were infected with malware through an adult site that you visited.

If you are not familiar with this, I will explain.
Trojan Virus gives me full access and control over a computer or other device.
This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.

I also have access to all your contacts and all your correspondence.

Why your antivirus did not detect malware?
Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.

I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched.
With one click of the mouse, I can send this video to all your emails and contacts on social networks.
I can also post access to all your e-mail correspondence and messengers that you use.

If you want to prevent this,
transfer the amount of $778 to my bitcoin address (if you do not know how to do this, write to Google: “Buy Bitcoin”).

My bitcoin address (BTC Wallet) is: 1GoWy5yMzh3XXBiYxLU9tKCBMgibpznGio

After receiving the payment, I will delete the video and you will never hear me again.
I give you 48 hours to pay.
I have a notice reading this letter, and the timer will work when you see this letter.

Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address.
I do not make any mistakes.

If I find that you have shared this message with someone else, the video will be immediately distributed.

Best regards!

Root cause

The DNS setting of your domain is missing SPF records, that counter mail spoofing (an unauthorized mail server, user or hacker sending mail as “you”)…

Troubleshooting

When looking at the mail properties it’s pretty difficult (if not impossible) to find out who actually has sent the mail….

Solution

Basic domain settings

Add an SPF record to your domain DNS settings.

To get started, look up your mail provider or hosting provider’s name + SFP.

FYI, I’m hosting my domains at one.com, they’ve got some straight forward advise to configure the DNS. For any other domain, at any other provider it’s similar.

Office 365

When you buy a domain, but host your mail on O365, there are some additional settings to configure. But Office 365 will explain.

The easy part, logon to your O365 tenant, and check your domain health (see video below)

For more info, check these documents:

References

SPF tooling

Other security options

See also

Hotmail/Outlook.com Solving Mass Mailing Delivery Issues

Short URL: Http://aka.ms/outlook.com/help

While SPF is the first step, you should also consider DMARC and DKIM.

 

Note-to-self: Blocking ‘Promoted’ feed from your LinkedIn page (with Adblock Plus for Edge, Firefox, Chrome… not IE)

Do you also get these annoying ‘Promoted’ advertisement posts on your LinkedIn feed?
I managed to configure AdBlock Plus to kick out the ‘Promoted’ advertisements on LinkedIn… works on FireFox, Chrome, a bit slow on Edge, … (forget about IE…)

I know from the AdBlock forums, it’s not always easy to get it working. It might change with updates to the adblocker or the way the websites work, … so I hope it’s worth sharing it.

The filter configuration might have some duplicates, but at least it works.

Essentially, it’s hiding the ‘Promoted’ ads in your newsfeed and it’s hiding the “Promoted” right hand side of the LinkedIn page…

This is the filter to use in your AdBlock Plus.

linkedin.com#?#.feed-shared-update:-abp-contains(Promoted)
linkedin.com##.ad-banner
linkedin.com#?#.feed-shared-update-v2:-abp-contains(Promoted)
linkedin.com##iframe[src=”about:blank”]

How to configure?

First install AdBlock Plus

Install AdBlock Plus…. for Edge, Chrome, Firefox… (v3+)
Just FYI, the version for IE (1.6) is not supporting the advanced custom filters, AFAIK.

Configure AdBlock Plus

adblockplus1

In the latest version (on Edge), you need to click the configuration button, on the upper right corner

adblock config

Then click the ‘Advanced’ settings / Edit Filters, then paste the filter text mentioned above.

adblockplus2

Done.

IMPORTANT REMARK

You leave the “allow acceptable ads” option unchecked, because this will override some of the promotion or marketing banners…

When you check this option, “less aggressive” banners will still show.

And typically these are the ads that are shown on LinkedIn, because they adhere to the content you view on LinkedIn… so it’s not considered ‘out-of-band” spam.

adblock setting acceptable ads.png

Note-to-self: #MIM2016 & #FIM2010 Config documenter released on GitHub

Source: Announcement on MIM 2016 Group on LinkedIn by  Jef Kazimer

Source Code: https://github.com/Microsoft/MIMConfigDocumenter

Jef announced that the Identity Community Projects team has published the MIM Config Documenter tool to the Microsoft GitHub Organization as an open source community project.

The MIM configuration documenter is a very nice and easy tool to generate documentation of a MIM / FIM synchronization or service installation.

It allows to: 

  • Document deployment configuration details for the MIM / FIM solution, including MIMWAL Workflow definitions
  • Track any configuration changes you have made since a specific baseline
  • Build confidence in getting things right when making changes to the deployed solution

You can find the project code, releases, and documentation at https://github.com/Microsoft/MIMConfigDocumenter

 

Active Directory PowerShell: List items with “Protect object from accidental deletion” setting

Freshly posted for you on TNWiki: http://social.technet.microsoft.com/wiki/contents/articles/36088.active-directory-powershell-list-items-with-protect-object-from-accidental-deletion-setting.aspx

 


Introduction

Ever got in a situation where you as AD domain admin were blocked from
deleting items?

Or did you ever receive an “Access denied” when you tried to delete items
from AD, even with full admin rights?

Then you better check if AD has the “protect from accidental deletion”
activated on the object, container or OU…

In case you want to check a larger collection of items for this setting, it
quickly becomes complicated.

This article helps you to get an overview by using Powershell, and an export
of the impacted items to a CSV file.

As explained by : James ONeill (Windows Server 2008 Protection from Accidental Deletion)

“The functionality to prevent accidental deletion is not based on a new attribute in Active Directory.  It is enabled by ticking a check box on the Object tab of the particular object you wish to protect.  The Object tab is only visible when the Advanced Features option is selected from the View menu of Active Directory Users and Computers. When the tick box is checked the permissions on the object are changed. A “Deny” permission is created which stops deletion of the object.  “

 


Overview

This script finds all AD objects protected from accidental deletions.

 


Credits

This script uses logic that has been developed by:

 


Source references



Active Directory OU Permissions Report: Free PowerShell Script Download

 


Preventing Unwanted/Accidental deletions and Restore deleted objects in Active
Directory

 


Windows Server 2008 Protection from Accidental Deletion

 


Prerequisites

This script only runs if you can load the AD PS module eg. run the analysis
on a DC.

 


Downloads (Gallery)

 


Source Code

Full Version (with progress bar)

001002

003

004

005

006

007

008

009

010

011

012

013

014

015

016

017

018

019

020

021

022

023

024

025

026

027

028

029

030

031

032

033

034

035

036

037

038

039

040

041

042

043

044

045

046

047

048

049

050

051

052

053

054

055

056

057

058

059

060

061

062

063

064

065

066

067

068

069

070

071

072

073

074

075

076

077

078

079

080

081

082

083

084

085

086

087

088

089

090

091

092

093

094

095

096

097

098

099

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122


<##############################################################################
Author: Peter Geelen

Quest For Security

October 2016
https://identityunderground.wordpress.com

This script finds all AD objects protected by accidental deletions.

Credits: This script uses logic that has been developed by:

– Ashley McGlone, Microsoft Premier Field Engineer, March 2013, http://aka.ms/GoateePFE

– Source: https://gallery.technet.microsoft.com/Active-Directory-OU-1d09f989

LEGAL DISCLAIMER

This Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment.

THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,

INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.

We grant You a nonexclusive, royalty-free right to use and modify the Sample Code and to reproduce and distribute the object code form of the Sample Code,

provided that You agree:

(i) to not use Our name, logo, or trademarks to market Your software product in which the Sample Code is embedded;

(ii) to include a valid copyright notice on Your software product in which the Sample Code is embedded;and

(iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against any claims or lawsuits, including attorneys  fees, that arise or result from the use or distribution of the Sample Code.

 

This posting is provided “AS IS” with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm.

##############################################################################>


#—————————————————————————–

#Source references


#—————————————————————————–


#Preventing Unwanted/Accidental deletions and Restore deleted objects in Active Directory

#abizer_hazratJune 9, 2009


#https://blogs.technet.microsoft.com/abizerh/2009/06/09/preventing-unwantedaccidental-deletions-and-restore-deleted-objects-in-active-directory/


#Windows Server 2008 Protection from Accidental Deletion

#James ONeill, October 31, 2007


#https://blogs.technet.microsoft.com/industry_insiders/2007/10/31/windows-server-2008-protection-from-accidental-deletion/


#—————————————————————————–

#Prerequisites: 


#this script only runs if you can load the AD PS module

#eg. run the analysis on a DC


#—————————————————————————–

cls

import-module activedirectory


#—————————————————————————–

#initialisation


#—————————————————————————–


#the CSV file is saved in the same directory as the PS file

$csvFile = $MyInvocation.MyCommand.Definition -replace ‘ps1’,‘csv’

$report = @()

#(*) Credits 

$schemaIDGUID = @{}


### NEED TO RECONCILE THE CONFLICTS ###

$ErrorActionPreference = ‘SilentlyContinue’

Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter ‘(schemaIDGUID=*)’ -Properties name, schemaIDGUID |

 ForEach-Object {$schemaIDGUID.add([System.GUID]$_.schemaIDGUID,$_.name)}

Get-ADObject -SearchBase “CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)” -LDAPFilter ‘(objectClass=controlAccessRight)’ -Properties name, rightsGUID |

 ForEach-Object {$schemaIDGUID.add([System.GUID]$_.rightsGUID,$_.name)}

$ErrorActionPreference = ‘Continue’

#(*)


#—————————————————————————–

#Functions


#—————————————————————————–

function CheckProtection

{

    param($obj)

    $path = “AD:\” + $obj

    Get-Acl -Path $path | `

    Select-Object -ExpandProperty Access | `

    Where-Object {($_.ActiveDirectoryRights -like “*DeleteTree*”-AND ($_.AccessControlType -eq “Deny”)} | `

        #(*)

        Select-Object @{name=‘Object’;expression={$obj}}, `

        @{name=‘objectTypeName’;expression={if ($_.objectType.ToString() -eq ‘00000000-0000-0000-0000-000000000000’) {‘All’Else {$schemaIDGUID.Item($_.objectType)}}}, `

        @{name=‘inheritedObjectTypeName’;expression={$schemaIDGUID.Item($_.inheritedObjectType)}}, `

        #(*)

        ActiveDirectoryRights,

        ObjectFlags,

        AccessControlType,

        IdentityReference,

        IsInherited,

        InheritanceFlags,

        PropagationFlags

}


#—————————————————————————–

#MAIN


#—————————————————————————–

#add the top domain

$OUs = @(Get-ADDomain | Select-Object -ExpandProperty DistinguishedName)

#add the OUs

$OUs += Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName

#add other containers

$OUs += Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -LDAPFilter ‘(|(objectClass=container)(objectClass=builtinDomain))’ | Select-Object -ExpandProperty DistinguishedName


#if you don’t want to scan the builtin container use line below instead of line above


#$OUs += Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -LDAPFilter ‘(objectClass=container)’ | Select-Object -ExpandProperty DistinguishedName


#set the target objects types to investigate


#including users, groups, contacts, computers

$ldapfilter = ‘(|(objectclass=user)(objectclass=group)(objectclass=contact)(objectclass=computer))’


#$ldapfilter = ‘(|(objectclass=user)(objectclass=group)(objectclass=contact)(objectclass=computer)(objectclass=Foreign-Security-Principal))’


#not included: Foreign-Security-Principal, msTPM-InformationObjectsContainer, msDS-QuotaContainer, lostAndFound,

$iSeqNo = 0

$OUCount = $OUs.Count

ForEach ($OU in $OUs

{

    $iSeqNo++

    $pct = ([int]($iSeqNo/$OUCount * 100))

    $activity = “Analyzing container: “+ $OU

    Write-Progress -activity $activity -status “Please wait” -percentcomplete $pct -currentoperation “now processing container $iSeqNo of $OUCount” -id 1

    #check the protection of the parent container

    $isProtected = 

    $isProtected = CheckProtection $OU

    if ($isProtected -ne $null) {$report += $isProtected}

    

    #Lookup the child target objects in the parent container

    $objects = Get-ADObject -SearchBase $OU -SearchScope OneLevel -LDAPFilter $ldapfilter | Select-Object -ExpandProperty DistinguishedName

    $iSubSeqNo = 0

    $ObjCount = $objects.Count

    

    #check the protection of the child objects

    ForEach ($object in $objects)

    {

        $iSubSeqNo++

        $iSubpct = ([int]($iSubSeqNo/$ObjCount * 100))

        $SubActivity = “Analyzing object: “+ $object 

        Write-Progress -activity $SubActivity -status “Please wait” -percentcomplete $iSubpct -currentoperation “now processing object $iSubSeqNo of $ObjCount” -ParentId 1 -id 2

    

        $isProtected = 

        $isProtected = CheckProtection $object

        if ($isProtected -ne $null) {$report += $isProtected}

    }

        Write-Progress -activity “Analyzing object completed.” -status “Proceeding” -Completed -ParentId 1 -id 2

}

$report | Format-Table -Wrap

$report | Export-Csv -Path $csvFile -NoTypeInformation

 

Light version (without progress bar)

001002

003

004

005

006

007

008

009

010

011

012

013

014

015

016

017

018

019

020

021

022

023

024

025

026

027

028

029

030

031

032

033

034

035

036

037

038

039

040

041

042

043

044

045

046

047

048

049

050

051

052

053

054

055

056

057

058

059

060

061

062

063

064

065

066

067

068

069

070

071

072

073

074

075

076

077

078

079

080

081

082

083

084

085

086

087

088

089

090

091

092

093

094

095

096

097

098

099

100

101

102


<##############################################################################
Author: Peter Geelen Quest For Security  October 2016

https://identityunderground.wordpress.com

This script finds all AD objects protected by accidental deletions.

Credits: This script uses logic that has been developed by:

– Ashley McGlone, Microsoft Premier Field Engineer, March 2013, http://aka.ms/GoateePFE

– Source: https://gallery.technet.microsoft.com/Active-Directory-OU-1d09f989

LEGAL DISCLAIMER

This Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment.

THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,

INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.

We grant You a nonexclusive, royalty-free right to use and modify the Sample Code and to reproduce and distribute the object code form of the Sample Code,

provided that You agree:

(i) to not use Our name, logo, or trademarks to market Your software product in which the Sample Code is embedded;

(ii) to include a valid copyright notice on Your software product in which the Sample Code is embedded;and

(iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against any claims or lawsuits, including attorneys  fees, that arise or result from the use or distribution of the Sample Code.

 

This posting is provided “AS IS” with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm.

##############################################################################>


#—————————————————————————–

#Source references


#—————————————————————————–


#Preventing Unwanted/Accidental deletions and Restore deleted objects in Active Directory

#abizer_hazratJune 9, 2009


#https://blogs.technet.microsoft.com/abizerh/2009/06/09/preventing-unwantedaccidental-deletions-and-restore-deleted-objects-in-active-directory/


#Windows Server 2008 Protection from Accidental Deletion

#James ONeill, October 31, 2007


#https://blogs.technet.microsoft.com/industry_insiders/2007/10/31/windows-server-2008-protection-from-accidental-deletion/


#—————————————————————————–

#Prerequisites: 


#this script only runs if you can load the AD PS module

#eg. run the analysis on a DC


#—————————————————————————–

cls

import-module activedirectory


#—————————————————————————–

#initialisation


#—————————————————————————–


#the CSV file is saved in the same directory as the PS file

$csvFile = $MyInvocation.MyCommand.Definition -replace ‘ps1’,‘csv’

$report = @()

#(*) Credits 

$schemaIDGUID = @{}


### NEED TO RECONCILE THE CONFLICTS ###

$ErrorActionPreference = ‘SilentlyContinue’

Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter ‘(schemaIDGUID=*)’ -Properties name, schemaIDGUID |

 ForEach-Object {$schemaIDGUID.add([System.GUID]$_.schemaIDGUID,$_.name)}

Get-ADObject -SearchBase “CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)” -LDAPFilter ‘(objectClass=controlAccessRight)’ -Properties name, rightsGUID |

 ForEach-Object {$schemaIDGUID.add([System.GUID]$_.rightsGUID,$_.name)}

$ErrorActionPreference = ‘Continue’

#(*)


#—————————————————————————–

#Functions


#—————————————————————————–

function CheckProtection

{

    param($obj)

    $path = “AD:\” + $obj

    Get-Acl -Path $path | `

    Select-Object -ExpandProperty Access | `

    Where-Object {($_.ActiveDirectoryRights -like “*DeleteTree*”-AND ($_.AccessControlType -eq “Deny”)} | `

        #(*)

        Select-Object @{name=‘Object’;expression={$obj}}, `

        @{name=‘objectTypeName’;expression={if ($_.objectType.ToString() -eq ‘00000000-0000-0000-0000-000000000000’) {‘All’Else {$schemaIDGUID.Item($_.objectType)}}}, `

        @{name=‘inheritedObjectTypeName’;expression={$schemaIDGUID.Item($_.inheritedObjectType)}}, `

        #(*)

        ActiveDirectoryRights,

        ObjectFlags,

        AccessControlType,

        IdentityReference,

        IsInherited,

        InheritanceFlags,

        PropagationFlags

}


#—————————————————————————–

#MAIN


#—————————————————————————–

#add the top domain

$OUs = @(Get-ADDomain | Select-Object -ExpandProperty DistinguishedName)

#add the OUs

$OUs += Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName

#add other containers

$OUs += Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -LDAPFilter ‘(|(objectClass=container)(objectClass=builtinDomain))’ | Select-Object -ExpandProperty DistinguishedName


#if you don’t want to scan the builtin container use line below instead of line above


#$OUs += Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -LDAPFilter ‘(objectClass=container)’ | Select-Object -ExpandProperty DistinguishedName


#set the target objects types to investigate


#including users, groups, contacts, computers

$ldapfilter = ‘(|(objectclass=user)(objectclass=group)(objectclass=contact)(objectclass=computer))’


#$ldapfilter = ‘(|(objectclass=user)(objectclass=group)(objectclass=contact)(objectclass=computer)(objectclass=Foreign-Security-Principal))’


#not included: Foreign-Security-Principal, msTPM-InformationObjectsContainer, msDS-QuotaContainer, lostAndFound,

ForEach ($OU in $OUs

{

    #check the protection of the parent container

    $isProtected = 

    $isProtected = CheckProtection $OU

    if ($isProtected -ne $null) {$report += $isProtected}

    

    #Lookup the child target objects in the parent container

    $objects = Get-ADObject -SearchBase $OU -SearchScope OneLevel -LDAPFilter $ldapfilter | Select-Object -ExpandProperty DistinguishedName

    #check the protection of the child objects

    ForEach ($object in $objects)

    {

        $isProtected = 

        $isProtected = CheckProtection $object

        if ($isProtected -ne $null) {$report += $isProtected}

    }

}

$report | Format-Table -Wrap

$report | Export-Csv -Path $csvFile -NoTypeInformation

 

 


Disclaimer

LEGAL DISCLAIMER

This Sample Code is provided for the purpose of
illustration only and is not intended to be used in a production environment.

THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED “AS IS” WITHOUT
WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,

INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR  PURPOSE.

We grant You a nonexclusive, royalty-free right to use and modify
the Sample Code and to reproduce and distribute the object code form of the
Sample Code,

provided that You agree:

(i) to not use Our name, logo, or
trademarks to market Your software product in which the Sample Code is embedded;

(ii) to include a valid copyright notice on Your software product in which
the Sample Code is embedded; and

(iii) to indemnify, hold harmless, and
defend Us and Our suppliers from and against any claims or lawsuits, including
attorneys’ fees, that arise or result from the use or distribution of the Sample
Code.

This posting is provided “AS IS” with no warranties, and confers no
rights.


Using Powershell to generate eventviewer statistics and event exports

During FIM health checks we need to have a good overview of the event viewer on the FIM Servers.
In almost any case the event viewer is a good measure of the server’s health.

The more red and yellow you see, the more errors and warnings, the more work you’ll have to get your server in a healthy state.

First goal is to have a general temperature of the health.
Second goal is to have the details to fix the issues.

I’ve created a Powershell to analyse the event viewer logs.

Instead of posting the Powershell in this blog, I’ve published it on TechNet Gallery, over here:

https://gallery.technet.microsoft.com/Powershell-Event-log-ab0ded45

There is a companion Wiki article with some guidance and configuration manual.

http://social.technet.microsoft.com/wiki/contents/articles/32204.powershell-event-viewer-statistics.aspx

In short, the Powerscript below is a modular script that offers following functions:

  • display the event log properties
  • analyse number of events per category
  • analyse number of events per severity
  • overview of error events with source, severity and sample message
  • detailed list of last event per eventID

You can configure the script:

  • choice of event logs
  • history length (period of events to report on)
  • enable/disable logging
  • enable/disable result export to file

 

Before you start

  • validate your script execution policy
  • copy the script to a separate folder where you can execute the script
  • validate the script parameters

Script configuration parameters

  • $enableLogging
    • $TRUE = create a transcript of the script during run (does not work in ISE)
    • $FALSE = do not create a verbose log
  • $ExportEnabled
    • $FALSE = do not export the result to file
    • $TRUE = export the results, statistics and event details to file
  • $EventLogList
    • Default: ‘System’,’Application’,’Setup’,’Forefront Identity Manager’,’Forefront Identity Manager Management Agent’
  • $startdate
    • Defines from which point in time the event logs must be analysed
    • HINT: on a system with a large size of event logs, it’s advised to limit the history to x days or x weeks. A large volume event log will impact the usage of script memory.

I’m more than happy if you would test the script and provide me feedback to improve the script.

 

No excuse for lack of documentation

Of course, everybody hates to write documentation.

But never say again you didn’t do it, because you can easily have documentation created for you while you’re on the job.

It’s all about PSR (Problem Steps Recorder): http://lmgtfy.com/?q=psr.exe