Friday, December 17, 2004

Nice Little Tool To Kill Applied Group Policies

I've been using a freeware tool for a while that I wanted to share with you - it's developed by GanoTools, is called KillPol, and it removes and reapplies group policies for the currently logged on user (needs the username/password of a member of the admin group). It's especially useful when troubleshooting locked-down environments like highly secure desktops or Terminal Services environments (of course you could use runas on regedit and delete the registry keys yourself - but this is much easier and also provides an easy restore method).

Thursday, December 16, 2004

CPU / Memory Scalability of Exchange 2000/3

Interesting article regarding the scalability of Exchange 2000 and 2003 in terms of memory and CPU.
The maximum amount of memory that Exchange can make use of is 4 GB (old news), but more interesting is that the article recommends disabling the use of PAE (Physical Address Extension) on Enterprise and Datacenter versions of Windows with the /nopae boot.ini switch (if using the /3GB switch) - as it puts unnecessary strain on the system.
New to me are the notes regarding the scalability of Exchange in terms of CPUs - on an 8-CPU system Exchange supposedly can fully utilize 900 MHz CPUs, but it isn't able to fully utilize e.g. 8 1400 MHz Xeon CPUs (unless you are running e.g. anti-virus products on the same boxes).

Phishing - Paypal example

Read this one about Paypal - 'Your Account Will Be Suspended' - just to see how good the phishers are...


As virus scanners, firewalls, anti-spyware etc. improve, phishing becomes (is?) the next big threat. Studies show that many will reveal their password when asked. Other people will send their credit card information by email or over the phone based on 'you won' ads. Read this excellent NGS whitepaper - The Phishing Guide - Understanding & Preventing Phishing Attacks. Is your web site safe? I also stumbled across another interesting homepage - the Anti-Phishing Working Group.

Get in the Christmas mood ;-)

I just found a cute little Christmas Theme complete with 3D screensaver, icons and background - it can be downloaded directly from Microsoft here (don't expect too much in terms of design/graphic quality though ;-)

Wednesday, December 15, 2004

WINS Security Issue #3

Microsoft now has a patch ready - MS04-045 (thanks to the anonymous commenter informing me of this). Apply it right away.
Unfortunately, the original KB article does not say anything about the patch.

Exchange 2003 Operations Checklists

Microsoft has released a set of Exchange Server 2003 Operations Checklists that contains "guidelines for disaster recovery tasks, and for daily, weekly, and monthly maintenance tasks".

I would classify the content in these checklists as very good things-to-remember lists - as they are by no means complete. But they are indeed a good start when preparing the disaster recovery procedures and operational processes for an Exchange 2000/2003 deployment (and of course many of the checks on the lists could be implemented in e.g. MOM 2005 instead of doing them manually).

Protecting your administrative permissions #2

As a follow-up to my own post - and as Aaron closed his PrivBar blog for further comments - I want to offer an alternative that does not require any add-on software. Simply enter %userprofile% as the address. This will show you the root directory of the user profile, e.g. C:\Documents and Settings\user, and tell you the user account being used. %userprofile% will switch the window into 'file mode'. Use 'back' or enter an HTTP URL if you need to get back into 'internet explorer' mode.

Sunday, December 12, 2004

WINS Security Issue #2

As a follow-up to my earlier post I have now looked at the proposed option 2: Run a script to automatically configure the IPSec filters. The provided script seems to do a pretty good job of blocking WINS replication traffic only - and has the option of specifying your replication partners as exceptions. Unfortunately the script does not pick up the current replication partner(s) (which are obtainable with netsh wins show partner) automatically, nor does it allow you to specify multiple servers at a time - but the script can be called several times. For further details see the embedded readme file.
If you do not have an existing IPSec policy, I recommend that you deploy this method right away. The easiest deployment may be to do it with psexec, or to modify the script, as ipseccmd.exe can take a server name as the first argument.

Friday, December 10, 2004

Using a Dedicated AD Site for Exchange

Microsoft just released a new paper on this. When running Microsoft® Exchange Server 2003 or Exchange 2000 Server in larger environments, the frequency of queries to the Active Directory® directory service can be very high. Exchange Server uses its directory access component to communicate with Active Directory domain controllers and global catalog servers to perform tasks such as e-mail address lookups, distribution group expansion, Microsoft Outlook® client proxy, and referral services. With such a heavy load being placed on domain controllers, Microsoft IT optimized the performance of Exchange when communicating with Active Directory by creating a new Active Directory site and isolating domain controllers and global catalog servers just for Exchange. Get it here.

Thursday, December 09, 2004

Protecting your administrative permissions

Surfing the web, reading email or testing software with administrative permissions is a risky business. I came across Aaron Margosis' blog, and he addresses this problem in an interesting way. By using double-run-as he first logs on as local admin, sticks himself into the Administrators group and logs on again, this time having the required administrative permissions. Good solution, but it only works when the user has the local administrator password.
Microsoft has an article called Browsing the Web and Reading E-mail Safely as an Administrator - which actually refers to Aaron's blog :). The article has a DropMyRights utility, which is able to remove your permissions while starting an application. This is also a useful approach - e.g. run Internet Explorer and Outlook with lower permissions.
Finally, there is a work-around for how to start Windows Explorer as another user from runas - Aaron again. I used to start iexplore.exe to do this trick, but it seems that if you start it with the /root argument it will start in its own instance. Read about that here. You can also read about a useful toolbar that shows the current credentials.

Tuesday, December 07, 2004

WINS Security Issue

Bad things happen. Very bad things happen when a widely-used piece of software can be buffer overflowed. This time it is WINS. Microsoft is still investigating the problem, but you can protect yourself by following the steps in the 890710 KB. Unfortunately, they only have two suggestions, both of which are hard to implement: block TCP/UDP port 42 and open it only for your replication partners, or get rid of WINS (as if that was easy).
Currently, there are no known incidents - and maybe WINS servers are too few to be worth attacking. If you do not implement one of the suggestions - after you have considered the situation carefully - at least follow the situation in the press and be ready to take action.
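An added example (not from the KB or the IPSec script the posts describe) for checking the "port 42 only from replication partners" rule from this post and the follow-up above: it audits constructed firewall log lines against a partner list as you would collect it from netsh wins show partner, flagging unexpected peers on port 42 and partners that never show up (candidates for pruning from the exception list). The log line format and all addresses are assumptions for the example.

```python
import re

WINS_PORT = 42  # WINS name service / replication port that KB 890710 says to restrict

# Constructed partner list, as an admin would collect it from "netsh wins show partner".
# These are not real hosts.
REPLICATION_PARTNERS = {"10.0.1.20", "10.0.2.20", "10.0.9.9"}

# Constructed firewall log in an assumed "date time action proto src dst sport dport"
# layout; it is not any real product's format.
SAMPLE_LOG = """\
2004-12-07 10:01:02 ALLOW TCP 10.0.1.20 10.0.1.10 3456 42
2004-12-07 10:01:05 ALLOW UDP 192.168.77.9 10.0.1.10 42 42
2004-12-07 10:02:11 ALLOW TCP 10.0.3.44 10.0.1.10 1033 42
2004-12-07 10:02:30 ALLOW TCP 10.0.3.44 10.0.1.10 1034 445
2004-12-07 10:03:00 ALLOW TCP 10.0.2.20 10.0.1.10 2200 42
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (TCP|UDP) (\S+) (\S+) (\d+) (\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, dst, sport, dport = m.groups()
    return {"ts": ts, "action": action, "proto": proto, "src": src,
            "dst": dst, "sport": int(sport), "dport": int(dport)}


def wins_flows(log_text):
    """Yield only the records whose destination port is the WINS port."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["dport"] == WINS_PORT:
            yield rec


def unexpected_wins_peers(log_text, partners):
    """(src, proto) pairs that reached port 42 but are not a known replication partner."""
    return [(r["src"], r["proto"]) for r in wins_flows(log_text)
            if r["src"] not in partners]


def unseen_partners(log_text, partners):
    """Partners in the exception list that never talked to port 42 in this log."""
    seen = {r["src"] for r in wins_flows(log_text)}
    return set(partners) - seen


if __name__ == "__main__":
    print("unexpected:", unexpected_wins_peers(SAMPLE_LOG, REPLICATION_PARTNERS))
    print("never seen:", unseen_partners(SAMPLE_LOG, REPLICATION_PARTNERS))
```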

The Portable Script Center v3.0

has been released for download here. This nifty little .chm file contains all scripts included on the TechNet Script Center as of November 2004 - including an easy-to-use copy-and-paste feature. The content ranges from Active Directory (Users, Groups, Sites etc.) to Hardware, Scripting Techniques, Software Update Services, Services For Unix and much more - check it out ;-)

Windows 2003 SP1 RC - updated

The long and eagerly awaited SP1 for Windows Server 2003 has just been released in an RC version for both Intel and Itanium. SP1 for Windows Server 2003 is essentially a follow-up to the security initiatives that were first seen (on a large scale) in Windows XP SP2.

It goes beyond this posting to describe the complete list of functionality changes and updates in SP1, but it's certain that as consultants and system administrators we are most eagerly awaiting the release of the Security Configuration Wizard, which promises to deliver role-based lockdown of servers including the ability to -

• Disable unnecessary services.
• Disable unnecessary IIS Web extensions.
• Block unused ports, including support for multi-homed scenarios.
• Secure ports that are left open using IPSec.
• Reduce protocol exposure for Lightweight Directory Access Protocol (LDAP), LAN Manager, and server message block (SMB).
• Configure audit settings with a high signal-to-noise ratio.

Furthermore it uses an extensible XML knowledge base, which lets administrators import existing Windows security templates and lets developers extend the SCW to handle new user defined roles.

You can get access to the SP1 Technical Preview Program and the bits here - so while waiting for the final version of the SP1 - go ahead and test/play with the RC version ;-)

Update! Remember to download the updated release notes and readme file for SP1 - they contain important information on problems/solutions for e.g. HP Insight Manager and Clustering.

Windows Based Hosting 3.0 & Webcast Series

Tahoma a.k.a. Windows Based Hosting (WBH) 3.0 was released in November and is available for download; so while waiting for the final bits on the Krakatoa release (Hosted Exchange) you can start by looking at the WBH 3.0 solution and the extensive information in the excellent new Documentation Viewer (Although the massive amount of documentation is a bit "scary" at first glance).

Furthermore Microsoft is kicking off a series of Windows Based Hosting Webcasts with the Experts from the Hosting Solutions Unit at Microsoft -

See live demonstrations of technical best practices on the full range of Windows-based Hosting topics, including interactive presentations, product overviews, and question-and-answer sessions. Each Webcast session will be hosted by one of the Windows-based Hosting Solutions program managers discussing how-to technical best practices and thought-provoking business perspectives.

Especially the "Active Directory Guidance for Hosting Service Providers" webcast looks interesting, and this time they've done something really friendly for us Europeans with 3 timeslots (based on timezones) for each webcast (Thanks MS - maybe I'll finally manage to see one of these webcasts ;-)

Saturday, December 04, 2004

msgoodies - not an experimental blog anymore

We've been blogging for approx. 2 months now and have found it to be really fun to share some of our knowledge and experiences that until now we've only shared with our customers and internally (and a bit in newsgroups).
We've already been mentioned on the MS Exchange blog (Thanks Chris ;-) and also our favorite MS bloggers at You Had Me At EHLO... have created a link to our blog (check the front page under "Other Exchange Blogs") - so now we have decided to remove the "experimental" word from our about box, 'cause Per and I have decided to continue posting and enhancing the content and features of this blog.
Personally I'm finally back from my paternity leave (See my daughter Ida here) and will be back with more info on Exchange, IMF and ISA and updates to some of the topics I've been posting earlier (use our Atom Site Feed for subscription to new/updated posts) .
Per will continue to cover his main areas - from security, networking, AD over to management (MOM 2005 and SMS 2003).

Exchange 2003 IMF / VSAPI fix released for public download

On Exchange 2003 SP1 servers with VSAPI 2.5-enabled antivirus scanners and IMF installed (on the same box), infected messages are deleted (if configured to do this) but a copy stays in the SMTP queue (until it times out). Microsoft has publicly released the post-SP1 fix for this, and you can get further info about the problem and solution here.

Thursday, December 02, 2004

Best practice guide for Offline Address Books

I just noticed that a new best practice guide for Exchange has been released. This one discusses "all you need to know" about the Offline Address Books used by Outlook 2003. It's primarily of interest for administrators of enterprise and/or complex Exchange environments - such as Hosted Exchange deployments that in the official HE2003 solution uses separate servers for generation of OAB's.
It also explains how to use the new SP1 OAB network bandwidth throttling option and how SP1 better handles mismatched SMTP addresses (which caused a full instead of partial download on pre-SP1 systems). Check it out here and don't miss the additional resources section in the appendix.

Re-released KB 817379 on ActiveSync and OMA errors that occur when SSL or FBA is enabled

This re-released KB discusses a problem (sometimes) occurring on a single server configuration (both Front-End and Back-End Exchange functions on the same box). The problem it solves occurs when Forms Based Authentication and/or SSL is enabled on OWA - making OMA/ActiveSync inaccessible.
The KB has gone through several iterations in both KB 817379 and later KB 822177, and they were both withdrawn from the web. KB 817379 apparently has been updated and re-released - I don't usually memorize KBs, but as far as I can remember the now only 23-step procedure has been updated with both an export and an import (new step) of the Virtual Directory, and a new solution (setting up an FE server) has been introduced (and E2K3 SP1 fixes some of the problems we had with the old solution).