Nice Little Tool To Kill Applied Group Policies

Ive been using a freeware tool for a while that I wanted to share with you - its developed by GanoTools is called KillPol and it removes and reapplies group policies for the currently logged on user (Needs username/password of a member of the admin group). Its especially useful when troubleshooting locked down environments like highly secure desktops or Terminal Services environments (Of course you could use runas on regedit and delete the registry keys yourself - but this is much easier and also provides an easy restore method).

CPU / Memory Scalability of Exchange 2000/3

Interesting article regarding the scalability of Exchange 2000 and 2003 in terms of memory and CPU.
The maximum amount of memory that Exchange can make use of is 4 GB (old news) but more interestingly is that the article recommends disabling the use of PAE (Physical Address Extension) on Enterprise and Datacenter versions of Windows with the use of the /nopae boot.ini switch (If using the /3GB switch) - as it puts unnecessary strains on the system.
New facts to me are the notes regarding the scalability of Exchange in terms of CPU's - on a 8 CPU system Exchange supposedly can fully utilize 900 MHz CPU's but it isn't able to utilize e.g. 8 1400 MHz Xeon CPU's (Unless you are running e.g. anti-virus products on the same boxes).

Phishing - Paypal example

Read this one about Paypal - 'Your Account Will Be Suspended' - just to see how good the phishers are...

Phishing

As virus scanners, firewalls, anti-spyware etc. improves, phishing becomes (is?) the next big threat. Studies show that many will reveal their password when asked. Other people will send their credit card information by email or in the phone based on 'you won' ads. Read this excellent NGS whitepaper - The Phishing Guide - Understanding & Preventing Phishing Attacks. Is your web safe? I also stumbled across another interesting homepage - the Anti-Phishing Working Group.

Get in the Christmas mood ;-)

I just found a cute litte Christmas Theme complete with 3D screensaver, icons and background - it can be downloaded directly from Microsoft here (Don't expect to much in terms of design/graphic quality though ;-)

WINS Security Issue #3

Microsoft now has a patch ready - MS04-045 (thanks to the anonymous commentor informing me of this). Apply it right away.
Unfortunately, the original KB article does not say anything about the patch.

Exchange 2003 Operations Checklists

Microsoft has released a set of Exchange Server 2003 Operations Checklists that contains "guidelines for disaster recovery tasks, and for daily, weekly, and monthly maintenance tasks".

I would classify the content in these checklists as very good things-to-remember lists - as they by no means are complete. But they are indeed a good start when preparing the disaster recovery procedures and operational processes for an Exchange 2000/2003 deployment (and of course many of the checks on the lists could be implemented in e.g. MOM 2005 instead of doing it manually).

Protecting your administrative permissions #2

As a follow-up to my own post - and as Aaron closed his PrivBar blog for further comments - I want to offer an alternative that does not require any add-on software. Simply enter %userprofile% as address. This will show you the root directory of the user profile e.g. C:\Documents and Settings\user and tell you the user account being used. %userprofile% will switch the window into 'file mode'. Use 'back' or enter an HTTP URL, if you need to get back into 'internet explorer' mode.

WINS Security Issue #2

As a follow-up to my earlier post I have now looked at the proposed option 2 Run a script to automatically configure the IPSec filters. The provided script seems to do a pretty good job of blocking WINS replication traffic only - and have the option of specifying your replication partners as exceptions. Unfortunately the script does not take the current replication partner(s) (which are obtainable with netsh wins show partner) automatically nor does it allow you to specify multiple servers at a time - but the script can be called several times. For further details see the embedded readme file.
If you do not have an existing IPSec policy, I recommend that you deploy this method right away. The easist deployment may be to do it with psexec or modify the script as ipseccmd.exe can take a server name as the first argument.

Using a Dedicated AD Site for Exchange

Microsoft just released a new paper on this. When running Microsoft® Exchange Server 2003 or Exchange 2000 Server in larger environments, the frequency of queries to the Active Directory® directory service can be very high. Exchange Server uses its directory access component to communicate with Active Directory domain controllers and global catalog servers to perform tasks such as e-mail address lookups, distribution group expansion, Microsoft Outlook® client proxy, and referral services. With such a heavy load being placed on domain controllers, Microsoft IT optimized the performance of Exchange when communicating with Active Directory by creating a new Active Directory site and isolating domain controllers and global catalog servers just for Exchange. Get it here.

Protecting your administrative permissions

Surfing the web, reading email or testing software with administrative permissions is a risky business. Came across Aaron Margosis' blog and he addresses this problem in an interesting way. By using double-run-as he first logs on as local admin, stick himself into the Administrators group and logs on again this time having the required administrative permissions. Good solution, but only works when the user has the local administrator password.
Microsoft has an article called Browsing the Web and Reading E-mail Safely as an Administrator - which actually refers to Aaron's blog :). The article has a DropMyRights utility, which is able to remove your permissions while starting an application. This is also a useful approach - e.g. run Internet Explorer and Outlook with lower permissions.
Finally, there is work-around of how to start Windows Explorer as another user from runas - Aaron again. I used to start iexplore.exe to do this trick, but it seems that if only you start it with the /root argument, it will start in its own instance. Read about that here. You can also read about a useful toolbar, that shows the current credentials.

WINS Security Issue

Bad things happen. Very bad things happen when a widely-used piece of software can be buffer overflowed. This time it is WINS. Microsoft is still investigating the problem, but you can protect yourself by following the steps in the 890710 KB. Unfortunately, they only have suggestions, both being hard to implement: Block TCP/UDP port 42 and open it for your replication partners or get rid of WINS (as if that was easy).
Currently, there are no known incidents - and maybe WINS servers are too few worth attacking. If you do not implement one of the suggestions - after you have considered the situation carefully - at least follow the situation in the press and be ready to take action.

The Portable Script Center v3.0

has been released for download here. This nifty little .chm file contains all scripts included on the TechNet Script Center as of November 2004 - including an easy to use copy-and-paste feature. The content ranges from Active Directory (User, Groups, Sites etc.) to Hardware, Scripting Techniques, Software Update Services to Services For Unix and much more - check it out ;-)

Windows 2003 SP1 RC - updated

The long and eagerly awaited SP1 for Windows Server 2003 has just been released in a RC version for both Intel and Itanium. The SP1 for Windows Server 2003 is essentially a follow up to the security initiatives that was first seen (in large scale) in Windows XP SP2.

It goes beyond this posting to describe the complete list of functionality changes and updates in SP1 but its sure that as consultants and system administrators we are most eagerly awaiting the release of the Security Configuration Wizard that promises to deliver role based lockdown of servers including the ability to -

• Disable unnecessary services.
• Disable unnecessary IIS Web extensions.
• Block unused ports, including support for multi-homed scenarios.
• Secure ports that are left open using IPSec.
• Reduce protocol exposure for Lightweight Directory Access Protocol (LDAP), LAN Manager, and server message block (SMB).
• Configure audit settings with a high signal-to-noise ratio.

Furthermore it uses an extensible XML knowledge base, which lets administrators import existing Windows security templates and lets developers extend the SCW to handle new user defined roles.

You can get access to the SP1 Technical Preview Program and the bits here - so while waiting for the final version of the SP1 - go ahead and test/play with the RC version ;-)

Update ! Remember to download the updated release notes and readme file for SP1 - it contains important information on problems/solutions for e.g. HP Insight Manager and Clustering.

Windows Based Hosting 3.0 & Webcast Series

Tahoma a.k.a. Windows Based Hosting (WBH) 3.0 was released in November and is available for download; so while waiting for the final bits on the Krakatoa release (Hosted Exchange) you can start by looking at the WBH 3.0 solution and the extensive information in the excellent new Documentation Viewer (Although the massive amount of documentation is a bit "scary" at first glance).

Furthermore Microsoft is kicking off a series of Windows Based Hosting Webcasts with the Experts from the Hosting Solutions Unit at Microsoft -

See live demonstrations of technical best practices on the full range of Windows-based Hosting topics, including interactive presentations, product overviews, and question-and-answer sessions. Each Webcast session will be hosted by one of the Windows-based Hosting Solutions program managers discussing how-to technical best practices and thought-provoking business perspectives.

Especially the "Active Directory Guidance for Hosting Service Providers" webcast looks interesting and this time they done something really friendly to us Europeans with 3 timeslots (Based on timezones) for each webcasts (Thanks MS - maybe I'll finally manage to see one of these webcasts ;-)

msgoodies - not an experimental blog anymore

We've been blogging for approx. 2 months now and have found it to be really fun to share some of our knowledge and experiences that we've until now only have shared with our customers and internally (and a bit in newsgroups).
We've already been mentioned on the MS Exchange blog (Thanks Chris ;-) and also our favorite MS bloggers at You Had Me At EHLO... has created a link to our blog (Check the front page under "Other Exchange Blogs") - so now we have decided to remove the "experimental" word from our about box, 'cause Per and I have decided to continue posting and enhancing the content and features of this blog.
Personally I'm finally back from my paternity leave (See my daughter Ida here) and will be back with more info on Exchange, IMF and ISA and updates to some of the topics I've been posting earlier (use our Atom Site Feed for subscription to new/updated posts) .
Per will continue to cover his main areas - from security, networking, AD over to management (MOM 2005 and SMS 2003).

Exchange 2003 IMF / VSAPI fix released for public download

On Exchange 2003 SP1 Servers with VSAPI 2.5 enabled antivirus scanners and IMF installed (On the same box) infected messages are deleted (if configured to do this) but a copy stays in the SMTP queue (until it times out) - Microsoft has publicly released the post SP1 fix for this and you can get further info about the problem and solution here.

Best practice guide for Offline Address Books

I just noticed that a new best practice guide for Exchange has been released. This one discusses "all you need to know" about the Offline Address Books used by Outlook 2003. It's primarily of interest for administrators of enterprise and/or complex Exchange environments - such as Hosted Exchange deployments that in the official HE2003 solution uses separate servers for generation of OAB's.
It also explains how to use the new SP1 OAB network bandwidth throttling option and how SP1 better handles mismatched SMTP addresses (Causing full instead of partial download on Pre-SP1 systems). Check it out here and don't miss out the add'l resources section in the appendix.

Re-released KB 817379 on ActiveSync and OMA errors that occur when SSL or FBA is enabled

This re-released KB discusses a problem (sometimes) occuring on a single server configuration (both Front-End and Back-End Exchange functions on same box). The problem it solves occurs when Forms Based Authentication and/or SSL is enabled on OWA - making the OMA/ActiveSync inaccessible.
The KB has gone through several iterations in both KB 817379 and later KB 822177 and they were both withdrawn from the web. KB 817379 appearently has been updated and re-released - I don't usually memorize KB's but as I can remember the now only 23 step procedure has been updated with both an export and an import (new step) of the Virtual Directory and a new solution (Setting up an FE server) has been introduced (And E2K3 SP1 fixes some of the problems we had with the old solution).

Improvements in Management of Dells

Seems like our job got a little easier.

Microsoft and Dell reports that Dell will deliver management software working with the Dynamic Systems Initiative (DSI) (what we in the real world call SMS and MOM). Read more at Dell Unites with Microsoft to Provide Better Management Solutions and at Dell, Microsoft make a patch pact for servers

Pass Phrases vs. Passwords - Parts 2 and 3

Or “Why you shouldn't be using passwords of any kind on your Windows networks . . .” as my first blog about this subject was called The discussion continues in part 2 and in part 3 of 3 – worth reading.

WUS Open Evaluation program - updated

For those of you who hasn't noticed this yet - Windows Update Services has reached Beta 2 (finally - the last version of WUS that was publicly released was in March as I recall) so Microsoft has relaunched its evaluation program. Information on WUS and registration for Beta download can be found here.
The current version version of WUS will of course update Windows (As SUS already does), but more interestingly it will also update Microsoft Office, Exchange and SQL (Including MSDE) and will in the "near future" also include other Microsoft products.
It will still leverage the BITS (Background Intelligent Transfer Service) platform but now in an updated version 2.0 (As does Windows Update v5) and much more interestingly it will now have the targeting and reporting features that we missed so much from SUS (making it much more applicable for other than small to medium organizations).
I've played a lot with the earlier versions of WUS and it's a big step forward - so go ahead download and test it so that you will be ready for the final release (Check out screenshots of WUS in this article).

ISA Server 2000 Spoofing fix updated (890097)

As I reported earlier there we're issues with the first version of the security hotfix for the problems reported in the Microsoft Security bulletin MS04-039 - this is now corrected in a new version of the hotfix as reported in KB article 890097 "Multiple failures after you install Microsoft Security Update MS04-039" (Thank's to Per for noticing me about this update).

...files that are required for the package to install correctly on ISA Server 2000 Service Pack 1 (SP1) are missing. Additionally, the installer package included a setting that limited installation to Windows 2000 Service Pack 4 (SP4) only.

I haven't had the time to test this hotfix yet so do test the hotfix extensively (as always ;-) before applying it to your environment.

Detecting USN Rollbacks

While reading the Microsoft whitepaper about the support for domain controllers in virtual environments (see earlier post), I came across the KB 875495 article called How to detect and recover from a USN rollback in Windows Server 2003. If you ever setup operational procedures for rolling back your domain controller or your are afraid it could happen in your environment, go ahead and install the 875495 hotfix, so you at least can detect the situation. I recommend that you always install it - better safe than sorry.

Domain Controllers in a Virtual Environment

My normal strategy for handling failed domain controllers is to re-built it from scratch. This is a simple and safe strategy - restores are complex. Virtual environments (and imaging) increases at the risk of having a domain controller restored in an unsupported fashion. The 875495 hotfix is required by Microsoft, if you want support of your virtualized domain controller. If you have plans for virtual DCs, you must read the whitepaper, it also contains other important issues - e.g. remember that your virtual disk must be just as safe as a physical one.

RSS feed for Microsoft Downloads

Working with RSS feeds lately, I contacted Microsoft for an RSS feed for MS downloads. They do not have one, by dragged my attention to a third party one provided by ThunderMain. Very satisfying support from Microsoft. To give ThunderMain credit, I will not link you directly to the feed ;) - but select Resources on their site and find the link below Tools.

XP SP2 / OWA S/MIME fix for Exchange 2003 (KB883543)

I just noticed that Microsoft has publicly released a Post SP1 fix for Exchange 2003 - it corrects a problem that I've been experiencing with S/MIME since the SP2 beta's. It does this by updating OWA to be able to find the S/MIME control (Handles S/MIME and functions like drag-and-drop of files/attachments) on computers running Windows XP SP2. You can find the hotfix here - including a link to the KB (that hasn't been published as of yet).

Make USB Storage Devices Read-Only

A few feature in Windows XP SP2 enables you to prevent writes to these devices. Could be useful in high-security or public environments, when you want to keep data on your systems. Read more in the section called Controlling block storage devices on USB buses in this Micrsoft article.

ISA Server 2000 Spoofing fix (888258)

Just an early warning from me - I've just installed this security fix in two completely different customer environments (and different OS'es - Windows 2000 and Windows 2003) and both of them had to be rolled back. During installation/test there are no problems, but under load the Web Proxy will repeatedly terminate "unexpectedly" and no in or outbound web acces will work. The solution was to uninstall the hotfix on both systems (And one of them actually required me to visit the customer on-site at 04:30 AM) - for now I recommend you to test the patch extensively in your environment and/or use the workaround published at http://support.microsoft.com/kb/889189.

Script Tales - script debugger

Here’s an introduction to the script debugger. If you are running VS.NET use can use that as well. Anyway, the Tales from the Script articles are quite funny to read, so even though you may not learn that much, it’s entertaining.

Configure TCP/IP to use DHCP and a Static IP Address at the Same Time

Sometimes this could be useful - e.g. in a Virtual PC setup, you could have a server with a static address for server-to-server communication and a DHCP address (via NAT or whatever) for accessing the external network. The same could be configured using two NICs, but that typically gives other problems.

Microsoft PasswordUpdater.exe

The MOM 2005 Resource Kit contains a cool utility called passwordupdater.exe. This tool updates passwords (after you change it for the user in AD) on multiple servers in:
- Windows Services (Account Name)
- COM+ Applications (Identity)
- Task Scheduler (Run As)
- AT (Service Account)
- VDirs in IIS (Anonymous User & UNC User)

Force FRS replication from command line!

Finally – a pre Windows Server 2003 FRS update contains several fixes and an important new command argument to ntfrsutl called forcerepl.

Get Microsoft Photo Story 3 for free

Read Paul Thurrott’s review and download it afterwards (use Get Offer button). It is an interesting product, although I find it limited in two ways: you cannot resize and utilize a high-resolution and the maximum playback target is 1024x768.

The Sender ID Standard

With AOL now backing Sender ID it seems like it is going to be the standard. Consequently, it is time to read more about in this winntmag article.

Why you shouldn't be using passwords of any kind on your Windows networks . . .

Read this excellent blog by Robert Hensing, Microsoft. Remember to read all the comments. Great stuff!

Madam, I'm ADAM

A Scripting Clinic article worth reading of that name first gives a good introduction of setting up Active Directory Application Mode and then introduces scripting – which is very much like normal AD scripting.

MOM Product feedback center ...

For a while now it has been been possible to interact directly through the Product feedback center with Microsofts development teams on their development tools/technologies. This has now been extended to include Microsoft Operations Manager (Select MOM under Product/technology and search). Use your chance to provide MS with suggestions on how to further develop MOM and on Bugs they need to resolve - and not least get a response from the development team!

Hex to decimal to error text

Just figured out that hex-to-decimal can be very, very easy from the command prompt:

Set /a 0x7a

Next step might be to convert it into an error message:

Net helpmsg 122

This can be done in a one-liner:

Set /a e=0x7a & (net helpmsg %e%)

Note the parenthesis – without, the e environment variable does not exist when net… is parsed by the interpreter. With parenthesis, it is treated like a separate line.

If you get an error number like -2147024891, you have to remove the upper 16 bits before you get the real error number:

set /a "-2147024891 & 0xffff"

Note that the quotes are necessary to treat & like a bit-wise and.

Calc R.I.P.

Everything you ever wanted to know on how to configure SMTP

You might already have seen this blog on You had me at EHLO... but I thought it was worth mentioning as it it a great blog on the inner-workings of SMTP (That you newer can know enough about ;-)

If you don't know the You had me at EHLO... blog i would suggest that you check it out - IMHO it's a must read for everyone working with Exchange.

You Must Rename the SYSVOL Member Object to Rename a Windows Server 2003 Domain Controller

Looking for information about File Replication Service (NTFRS) I found this interesting KB.
In Windows Server 2003, administrators can change the computer name of a Windows Server 2003 domain controller by using My Computer or Netdom.exe, but neither method renames the domain controller's corresponding NTFRSmember object for SYSVOL from the old computer name to the new computer name. The difference between a domain controller's NetBIOS name and the common name for its NTFRSmember object does not break any functionality until a new domain controller is promoted into the forest with the old NetBIOS name of the renamed domain controller. When this behavior occurs, the new domain controller deletes the existing (duplicate) NTFRSmember object and recreates a new NTFRSmember object for itself. The renamed domain controller that originally created the NTFRSMember object ends up without an NTFRSmember object.
Read the rest in this KB

Xcacls v5.2 was released 2004-07-02

Can be downloaded. Note that this version is implemented fully in VBScript! and has some new features. You can also look in the file to get a good understanding on how to do the same yourself from your own scripts or get a general understanding on how access control lists works.

PsLogList - now a tail -f feature

If you know tail -f and want the same functionality for eventlogs or if you are just sick and tired of pressing F5 in Event Viewer – get PsLogList from Sysinternals. The new –w switch will show the events as they are logged.

File based Antivirus scanners and Exchange ...

Hmmm.... after all these years working with Exchange I thought that everyone knew how to configure file-level antivirus scanners on an Exchange Server - but this apparently isn't the case (My gut feeling tells me that I'd prefer not to install an file-level on-access scanner on an Exchange server - but Multi-Purpose servers and other security measures often makes it a requirement).
I've just finished recovering a SBS 2003 Exchange installation from the results of an antivirus scanner which found a variant of Netsky in the e00.log file (The "working" log file in use by exchange, which will be renamed to Exxxxxxx when it reaches 5.120 KB) and deleted it - resulting in a dirty shutdown and an -1811 error from Exchange which prevents mounting the Store.
The person who installed it had excluded the catalogs containing the .EDB files but had forgotten to exclude the catalog where the log files resides - so when you configure this remember that the Exchange Stores and their log files can be placed in many different directories and also to exclude the SRS folder.
To make things worse the Anti-Virus client was configured to delete files instead of quarantining them (so I weren't able to recover the file) and the customers last backup was more than 5 days old. So I had to do a full repair of the databases (Luckily there wasn't any serious corruptions - it was primarily inconsistencies due to dirty shutdown and the missing log file).
This time I used the dial tone restore method, which starts by creating a blank database so all the users got access to e-mail (Sending and receiving new mail, not old e-mail or public folders), while I had the time to repair the old Information Stores and mounting them in a RSG for testing. Afhter this I switched the Dial tone Mailbox Store and the now repaired Mailbox Store around between the Storage Groups and ran Exmerge (The purpose of switching databases is that you retain all outlook rules etc. and just has to Exmerge the content of the smaller Dial tone Store into the older/repaired Store).
Check this page for 4 security best practices for Exchange - including info and links to articles on configuration of filebased antivirus scanners and what to do when everything has gone wrong.

Fun dept. - Customized Windows XP boot bitmap

Check the /BOOTLOGO BOOT.INI switch at the excellent Sysinternals site.

MOM 2005 resource kit - updated

Microsofts Operations Manager 2005 Toolkit is now available for download. It contains several nifty tools like webparts for SharePoint integration, Troubleshooting tools, MOM product connectors, best practice guides etc. check out more information about the tool here

Windows Server 2003 SP1 delayed

Expect it to appear in first half of 2005. RC is due by the end of 2004.

Sorry, but we’ll have to wait for the Security Configuration Wizard a little longer…

Ever wanted to test Microsoft's newest software in a sandbox environment?

Wouldn't it be great to be able to test new servers immediately, without formatting hard drives, using Virtual Something or dedicating one or more computers to the project? Now you can, with the TechNet Virtual Lab

Registry tweaks for services on Windows Server 2003

Microsoft has a reference at MSDN. But I know for sure, that it is not complete. Anyway, it is a good starting point.

Thanks, Linux

(Being a little out of focus of this blog, I decided to include it anyway.)

Is Linus Torvalds secretly working for Microsoft? That sounds crazy until you consider that lately, the free operating system he created, Linux, has been helping Microsoft close deals.
Read the rest of this article. Beware of the annoying ads.

Virtual PC and hiberation

If you need to play around with hibernation on a Virtual PC client, you have to uninstall the Virtual PC Additions. Read more here

TechNet WebCast: Welcome to Hosted Exchange 2003

Interesting WebCast for those of you new to Hosted Exchange 2003 and/or those of you who have already created your own hosting solution based on Exchange 200x -

This Support WebCast discusses Windows-based Hosting, including Hosted Exchange 2003 ... Hosted Exchange 2003 enables service providers to offer flexible and scalable rich e-mail, messaging, and collaboration services to consumers, and to both small and medium businesses. Hosted Exchange is a tested, pre-engineered solution that is based on standard Microsoft server products ... The Support WebCast also reviews the important components of the solution and addresses common challenges in the hosting world. This includes multi-tenancy (address isolation between customers), automation and provisioning (creating new customers by using automation and without the RUS), client auto-configuration for Outlook by using RPC over HTTP, active user reporting, three-year CALs versus Service Provider Licensing Agreement, multiple services per hosted organization, and user namespace per organization.

SMTP and NNTP security issues ..

Microsooft has just released two hotfixes for SMTP and NNTP that are of interest to hosters and enterprise customers. Both the exploits could lead to Remote Code Execution and should, according to Microsoft, be implemented as soon as possible.

Scriptaholic - Get the current site of a computer

Just use this function:

function GetSite
dim objInfo
set objInfo = CreateObject("ADSystemInfo")
GetSite = objInfo.SiteName
end function

Want more information about ADSystemInfo?

msNPAllowDialin, script and mixed-mode domains

As you may know (kb252398 and KB257341) you cannot grant dial-in access to a user simply by setting the msNPAllowDialin property on the user object in Active Directory. For some reason this attribute must be synchronized with information in the userParameters blob – sic!

Instead of chasing a way to make this happen, simply ask your Windows Server 2003 IAS server to ignore the dial-in attribute and stick to group membership or whatever you feel like. This is done by setting Ignore-User-Dialin-Properties on the remote access policy. For more information click here and read the section called Ignoring the dial-in properties of user accounts.

SMS 2003 OSD Feature Pack RC and SP1

The SMS 2003 OS Deployment feature pack that provides the capabilibity of distributing new OS'es through SMS 2003 has now been released to the web in a Release candidate version. Furthermore SP1 for SMS 2003 has also been released in German and Japanes versions - checkout the new capabilities of SP1 here.

Intelligent Messaging Filtering, Outlook and SCL tips - updated

If you've been using or looking at Intelligent Messaging Filtering for Exchange 2003 you've probably heard about SCL (Spam Confidence Level). SCL is a basically a "rating system" that on a scale from -1 (only used for authenticated users) to 10 will tell Outlook or OWA whether or not the e-mail should be moved to the Junk E-mail folder (Depending on the users settings) - the problem is that the SCL isn't viewable from Outlook, which is very interesting for you as an administrator when evaluating how to set your thresholds in IMF. Paul Bowden from Microsoft has created a Outlook Configuration file that will do the job of exposing SCL in Outlook 2003 and it's posted by James Webster here. If you're planning on implementing IMF (Which in my experience is very easy) I would also recommend that you look at the updated readme file that includes important known issues and updates to the IMF deployment guide. Furthermore if you plan on using the archiving features of IMF I would recommend that you take a look at the IMF Archive Manager that will enable you to easily view, delete and resubmit the archived e-mails. IMF Archive Mangager is posted at gotdotnet as a shared source tool (Written in C#).

ASP.Net Vulnerability alert update

Microsoft has created a temporary fix for the ASP.Net vulnerability (Until a security update has been developed). It is a ASP.Net module that protects all ASP.Net applications on a web server from canonicalization problems, you can find more info on the HTTP module here.

ASP.Net Vulnerability alert ...

Microsoft is currently investigating reports of a security vulnerability in ASP.NET that could be a potential issue for hosters and other users of ASP.NET.

... Our initial investigation has revealed that the vulnerability could allow an attacker to bypass authentication on a Web site running ASP.NET applications on Windows 2000, Windows 2000 Server, Windows Server 2003, Windows XP Professional by sending a malicious request to a Web server. This could allow an attacker to make changes to the content of a Web site, but would not allow the attacker to control the computer or run software on it.
... Microsoft is providing this prescriptive guidance in order to inform customers as quickly as possible about the vulnerability and information on how to prevent an attack. Microsoft is actively investigating the issue and plans to release additional guidance

Ultrasound - Monitoring and Troubleshooting of FRS

If you've been working with FRS and Sysvol and/or DFS replication then you've probably also been looking for a way to troubleshoot and monitor the FRS replication beyond the rudimentary dfscmd and the usn related tools and registry settings for FRS. Microsoft has a not so well known tool on the web called Ultrasound that should be a part of all AD/Server administrators toolkit - check it out here

ADModify.NET is here!

Cool new tool from Microsoft – spotted at You Had Me At EHLO...

ADModify is a tool that was (and is still) developed and maintaned out of our Support Services (aka PSS) team, and was created to make it easier to modify / import / export objects in Active Directory in bulk .... ADModify.NET (v2.0) was written from the ground up using Visual C# .NET 2003. When benchmarked against its predecessor, it made the same modifications in less than half the time. Its new feature set allows administrators to bulk modify any AD attribute from any AD partition with almost limitless flexibility.

Active Directory Data Store Tools and Settings

A quick overview of the tools, registry entries, Group Policy settings, Windows Management Instrumentation (WMI) classes, and network ports that are associated with the data store.

Exchange Server Best Practices Analyzer Tool ...

Microsoft released their Exchange Server Best Practices Analyzer tool to the web. The tool in different versions has been used for quite some time by PSS and is now subject to general availability. I can only recommend that you Download and start using the tool today on your own systems (its agentless) – it analyses more than thousand different parameters also including Active Directory and Exchange clustering. Check out the blog at You had me at EHLO… for more information on this exciting “new” tool.

SMS 2003 Software Updates to Support Uninstall (KB885438 and KB885266)

After getting used to SUS with less than optimal reporting capabilities it was a relief to see that some of the issues with SUS was solved with the Software Update management capabilities of SMS 2003 (Making it applicable for enterprise customers). With Windows Installer 3.0 technology then came the possibility of completely uninstalling patches and now there's an update out there to support uninstalling patches deployed with SMS 2003. Of course at most times this shouldn't be necessary with the right amount of testing - but one newer knows what kinds of ravage a innocent looking hotfix can do to older production systems (Not speaking from experience of course ;-)

Welcome

Welcome to my blog on the topics that I find interesting in my work life. The topics centers mainly around Microsoft infrastructure related technologies like Active Directory and Microsoft Exchange and most of my time is spent working with large-scale enterprise customers or hosters (Hosted Exchange) so my blog subjects will be primarily centered around the learnings I get and the issues that I face in my daily life.