Friday, January 27, 2006

Exchange admin job in Dallas-Fort Worth area

Hi all, I received a messages this morning from a headhunter in the Dallas-Fort Worth area looking for an Exchange 2000 guru for a position. Below is the text. While I don't normally pay much attention to this type of thing, there is a referral fee if one of my readers is qualified and gets the job, so I figured I would try and be greedy. If you are interested, send me your resume to exchange24seven (at) and I'll pass your information along.

MS Exchange Experts’ responsibilities include:
Managing the entire Exchange 2000 network for a 240 gigabyte email database
Designing, implementing, and maintaining the processes surrounding the network architecture and any pertinent issues involving the Exchange environment
Leading the firm through a migration to Exchange 2003
Clustering the network, including clustering the disaster recovery site
Creating redundancy everywhere in the environment including: enhancing network backbone switches, setting up VLANs, and creating internet mail redundancy over the firm’s two internet connections.
Fine tuning the firm’s recently purchased hardware mail gateways and making related network architecture changes for better mail flow
Optimizing the firm’s Exchange database configuration
Enhance mail flow monitoring to help isolate slowdowns and proactively eliminate them

The successful candidate will have had:
A demonstrated level of expertise in all areas of Microsoft Exchange servers.
A demonstrated track record of business decision-making.
A reputable undergraduate education.
A proven record of IT leadership

Wednesday, January 25, 2006

Never *assume* your virus protection is good

I used to have a flight instructor whose favorite expression was "You *assume*! You *assume*! Son, you know what *assume* means.....", but you did not come here to hear about tales of me learning to fly a helicopter. Anywho, besides landing on the tops of mountains, you should also never assume that your virus protection is good.

There are a couple of nasty viruses going around right including variants of Blackmal. Organizations that have "pretty good" virus protection strategies are getting hit. Ensure that EVERY workstation on your network has virus software installed and that the signtures are being updated at least once per day. Make sure that your mail servers have software scanning all inbound (and outbound) mail and that the signatures and scanning engines are up to date.

Sunday, January 22, 2006

Quote of the day

"Easy reading is damn hard writing."
Nathaniel Hawthorne

Saturday, January 21, 2006

I'm quotable! Comments I made on Security360

I was just reading through an article on Microsoft's web site about messaging security and came across my own quotes (attibuted to me, too). *blush* It was kinda cool, too. I figured it was worth blogging.

Exchange Connections 2006 - Security for Exchange: Assessment, Auditing, and Hardening session

I am presenting a full-day session at the Exchange Connections 2006 conference in Orlando (April 9 - 12) and again at the Exchange Connections - Europe conference in Nice (April 25 - 28), France. Here is a brief outline of some of the topics that will be covered. I'm hoping that this session will nicely mesh with an eBook I am currently working on for Hope to see some of my regular readers either in Orlando or Nice.

Security for Exchange: Assessment, Auditing, and Hardening
Protecting your Exchange services, data, and users

Keeping the Exchange data secure, allowing access to Exchange serves both remotely and locally, protecting users from malicious e-mail content, reducing the amount of spam users receive, and keeping the Exchange services available is a significant part of the typical Exchange administrator’s job. In this tutorial, we will cover the following topics:

  • The common (and uncommon) vulnerabilities including many that a typical administrator may not think about until it is too late.
  • Best practices for Exchange administration with security and stability in mind
  • How to implement auditing of Exchange to learn the most about typical activities and to diagnose potential intrusions.
  • The Exchange antivirus API, virus detection methodologies, multi-layer virus detection, and some common approaches to preventing viruses from disrupting a user’s daily routine.
  • Real-world solutions for fighting spam including multiple approaches to content inspection, spam detection, and preventing false positives. Approaches such as white-listing, grey listing, black-listing, sender address verification technologies, Sender Id (SPF), and Domain Keys will be covered.
  • Using a Managed Provider for inbound SMTP message hygiene.
  • Discuss the top antivirus and anti-spam 3rd party and Microsoft solutions on the market and the pros and cons of each.
  • How to most securely provide Exchange services to users outside of your corporate network whether they use the Outlook client, Outlook Web Access, mobile devices, or a POP3/IMAP4 client.
  • Understanding PKI and S/MIME for providing end-to-end protection of e-mail content.
  • Examining Enterprise Rights Management for use with messaging systems.
  • Best practices for Exchange server security and content security

Updated Exchange 2003 SP2 Release Notes

If you are preparing to use Exchange 2003 Service Pack 2, Microsoft has updated the

Thursday, January 19, 2006

MAPI errors when moving mailboxes

I spent the better part of the day today working through a problem with the Move Mailbox wizard. I was in the final phase of an Exchange 5.5 to Exchange 2003. Moving the mailboxes one or two at a time seemed to work okay, but they would timeout when more than two or three mailboxes were being moved at a time. The message in the move mailbox log showed:

An unexpected, unknown error has occurred.MAPI or an unspecified service provider.
ID no: 80040115-0000-00000000

The following event showed up in the event viewer each time a move mailbox failed:

Event Type: Error
Event Source: MSExchangeAdmin
Event Category: Move Mailbox
Event ID: 1023
Date: 1/19/2006
Time: 9:26:13 AM
User: N/A
Computer: xxxxxxxx
Description:Unable to set a property on the message store on 'xxxxxx'. Result: Network problems are preventing connection to the Microsoft Exchange Server computer.An unexpected, unknown error has occurred.Microsoft Exchange Server Information StoreID no: 80040115-0514-000006be

My first instinct was network problems. We hard-coded the network adapters on both the source and destination servers to 100Mb/s, full duplex and put the servers on a different switch. None of these things had any affect, so I did Google searches and came up with possibilities such as corrupted messages. After running ESEUTIL and ISINTEG a couple of times with no success, we were just about to use ExMerge to archive everything to PST and then move the mailboxes once they were smaller.

However, simply copying the first mailbox's PST file (80MB) took 30 minutes. However, it copied fine from the 5.5 server to a different server. So, yep, you guessed it, something about the network adapter was not working properly. We switched it over to a GB Ethernet switch and everything was just shiny!

I never got to the bottom of why network performance for that one server was so bad when it was in a 100MB switch, but the moral of the story is to not forget the basics.

Wednesday, January 18, 2006

Hasta la vista, Cingular

If you have been on a cell phone with me, you have probably heard me rant about how bad Cingular's service is; especially in Hawaii. After a trips to Steamboat Springs, San Francisco, Los Angeles, and San Diego over the past few months, I was pretty unhappy with my coverage there as well. I switched to T-Mobile a few weeks ago and thus far I am pretty happy with them. 1500 minutes for $39.99 is a good deal. And for an extra $5.99 per month, I get unlimited data access. Time to set my iMate Jasjar up to synchronize with my Exchange mailbox!

Monday, January 09, 2006

Windows security fix MS05-051 can cause you problems

I have been meaning to blog this for the last 6 weeks, but have been distracted with writing, in-law visting, traveling, Christmas / New Years parties, deck staining, Exchange 12 betas, snowboarding, trying to squeak out an honest living, and the usual holiday dramas. (Actually, I went in to hiding for Christmas this year; I hid out at Steamboat Springs.)

Anywho, I had a conversation with Mark Minasi and Steve Riley (yes, I'm name dropping, but how often does one get to talk to Mark and Steve) back in October about MS05-051. It plugs a fairly nasty little bug that can allow remote code to be executed. See KB 902400: "MS05-051: Vulnerabilities in MS DTC and COM+ could allow remote code execution" for more information on the fix.

However, this fix assumes that the default permissions still exist on the \Windows subdirectory structure, particularly the %windir%\registration folder. See KB article 909444: "Systems that have changed the default Access Control List permissions on the %windir%\registration directory may experience various problems after you install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC" (Whew! That was a mouthful!) for more information on some of the problems.

I have seen this fix cause problems on many occaisions since it was released a few months ago. And most of the symptons are not the same from one incident to another. On one Windows 2003 clustered system, the passive node would not rejoin the cluster after applying the fix. On an Exchange 2003 server, the web service would not start. Almost all of these situations, though, if you bring up the properties of My Network Places or explore the Network Connections, you will NOT see any network adapters in the list, nor will the New Connection Wizard show up.

In one situation, we simply removed the hotfix and everything went back to normal. However, the long term fix is to reapply the default permissions to the %windir%\registration folder so that it includes allowing the Everyone group "Read" permissions. (See KB 909444 for more information.)

You may be asking yourself "Self, why is Jim seeing this problem, but I'm not". The problem has only been appearing in situations where the default NTFS file system permissions for the %windir% folder have been changed. This used to be a fairly common practice and is still performed in some large environments, especially government systems where a security template is often provided for you by someone else.

My advice to people applying custom security templates is to remove the NTFS permission changes for the Windows directories and leave them at the default.

Wednesday, January 04, 2006

Slowing down the Sober worm

The numerous variants of the Sober worm include a nasty feature where if it infects even one machine, it has its own SMTP engine and will begin sending out copies of itself via SMTP. Many times over the last few months, I have heard of situations where one or two machines on a network did not have proper virus protection installed and thus were sending out Sober varitants to the world.

One suggestion to help slow down Sober and worms like this. Block outbound SMTP on your firewall so that only authorized servers (your SMTP gateways or Exchange servers) can send outbound SMTP. This is a pretty simple thing to block and IMHO should be done on ALL networks.