Tuesday, February 21, 2006

The Tips and Tricks Guide to Secure Messaging - Chapter 1 published

I have been working on an eBook for realtimepublishers.com called The Tips and Tricks Guide to Secure Messaging. The first chapter (free download) is now published (yay!!!). There is something for all levels of expertise in this book if you are interested in protecting your mail system from hostile content and hackers, as well as learning about new technologies that affect messaging such as Enterprise Rights Management. The first chapter is pretty basic stuff; when your boss asks why you need a firewall or antivirus software, pass along this chapter. Here is realtimepublishers.com's description.

Threats against email systems have evolved to the point that protecting users, mail servers and bandwidth is no longer as simple as installing antivirus software. By some estimates, spam, phishing schemes, viruses, and other unwanted content now make up 70% of all email traffic into an organization's mail servers. The Tips and Tricks Guide to Secure Messaging by messaging expert Jim McBee introduces IT managers and messaging system administrators to the evolving threat landscape, emerging technologies for data protection, and best practices for protecting users, messaging system resources, and organizational data.

Sunday, February 19, 2006

RSA Conference 2006 musings

My week at the RSA Conference in San Jose was well spent. It is a good experience to spend time at a conference that is somewhat "out of your area", but still relevant and related. I got to hear "Mudge" speak this past week; he is the guy that wrote l0phtcrack. Interesting guy, very spastic, though. I also got to hear Robert Mueller, Director of the FBI, speak; he gave a good speech on how the FBI is adapting to cyber crime fighting. I attended a couple of interesting sessions on hacking; saw some neat tools and enough scary wireless hacking stuff to make me think twice about ever using wireless again. :-)

I spent quite a bit of time on the exhibits floor talking to vendors and figuring out what is "hot" and emerging. Here are some thoughts I took away from sessions and exhibitors.
  • Network access protection (systems that will quarantine a host that does not have the correct configuration, patches, service pack, antivirus software, etc...) is going to be hot over the next couple of years. Right now much of it seems to be 'vaporware', though.
  • Wireless access detection and "prevention" were hot topics, with some nice software/hardware solutions on show.
  • Smartcards and other two-factor authentication are hot.
  • 'Intrusion detection' has gone a generation further. Now, more intelligent systems monitor network traffic and learn the patterns of each host. Alarms are raised when a host starts doing something unexpected (such as a server that starts web surfing).
  • Compliance is hot. Software that helps organizations learn "what they have" and monitor compliance is big.
  • Enterprise Rights Management is gaining more mainstream recognition in the market. Microsoft, Adobe, and Liquid Machines all had ERM demonstrations going in their booths.
  • E-mail / message hygiene vendors were plentiful. Lots of appliances for antispam/anti-virus/content inspection.

Recovery Storage Group, Dial-tone, and Outlook 2003 clients in Cached Exchange Mode

WAY back in November, I was giving a presentation at Exchange Connections in San Diego about using the Recovery Storage Group in combination with a dial-tone recovery. Someone from the audience asked me about the behavior of Outlook 2003 clients that are in Cached Exchange Mode (since they have a complete or near-complete copy of their mailboxes stored locally). I did not have a really good answer and promised to blog this. Well, here we are 3 1/2 months later and I'm finally getting around to this. I did the testing for this back in December, but I'm just now getting around to posting this information.

First, some background: a "dial-tone" restore occurs when you start out with empty databases. Exchange 2000/2003 lets you delete the database files and mount the databases; Exchange creates empty databases, which allows users to go back to work immediately. Well, they can send and receive messages, but all of their existing data is now gone.

Your users are now back at work, albeit with no data. But this lets you get them off your back long enough to get their data restored. When the dial-tone database is mounted, any Outlook 2003 user that is currently in Outlook (and working offline) may see a message like this:
"The Microsoft Exchange administrator has made a change that requires you quit and restart Outlook."

When Outlook is reloaded, you may see the following message:
"Exchange is currently in recovery mode. You can either connect to your Exchange server using the network, work offline, or cancel this logon."

However, once the client starts up, Outlook is still working properly. Outlook will not purge the local data in the OST file.

Now you can go about restoring the original database to the Recovery Storage Group (RSG). Here is where the terminology gets tricky if you are going to do a database "swap". The database that is now mounted and in production (the empty one) is the "dial-tone database." It is going to slowly accumulate data as the users start receiving mail. The original production database you are going to restore is the RSG database. Create a mailbox store in the Recovery Storage Group and restore the most recent copy of the database to the RSG.

You now have the option of merging the data from the mailboxes in the RSG database into the dial-tone database. You can do this once the RSG database is mounted, but some of the mailbox "metadata" may not be transferred, and some rules that move messages between folders may no longer work.

The other option (instead of merging from the RSG to the dial-tone database) is to "swap the databases out" and then merge the smaller amount of data (what accumulated in the dial-tone database) into the database that was originally restored from backup. This will, of course, require some downtime, since the production database needs to be dismounted and there will be some file copying.

To "swap out" the database files, dismount both the RSG and the dial-tone databases. Take note of the RSG database file names and the dial-tone database file names. Rename the dial-tone database files to a temporary file name. Move the RSG database files back into the original location for the production database files and rename them to the production database file names. You have now moved the RSG database back into production. On the Database property page of the production database, check the "This Database Can Be Overwritten By A Restore" checkbox and then mount the database.

Copy the "dial-tone" database files to the RSG database location and rename the files to the RSG database file names. On the Database property page of the RSG database, check the "This Database Can Be Overwritten By A Restore" checkbox and then mount the database. The database that is now mounted in the RSG is the database that contains everything that changed (new messages, sent messages, etc...). You can now use the Recovery Storage Group's Recover Mailbox Data to merge data from the mailboxes in the RSG to the production database.
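The file-swap step above is easy to get wrong by hand (overwriting the dial-tone copy before it has been set aside loses the mail users received since the outage). As an added example, not from the post or from Microsoft, here is a Python routine that performs the three renames in the safe order against a constructed layout; the file names, the RSG folder and the ".dialtone" temporary suffix are assumptions, and the stores are assumed to be dismounted before it runs.

```python
import shutil
import tempfile
from pathlib import Path

# An Exchange 2000/2003 mailbox store is a pair of files: the .edb (rich-text
# property store) and the .stm (streaming file). They must move together.
STORE_EXTENSIONS = (".edb", ".stm")


def store_files(edb_path):
    """Return the .edb/.stm pair that belongs to the given .edb path."""
    base = Path(edb_path).with_suffix("")
    return [base.with_suffix(ext) for ext in STORE_EXTENSIONS]


def swap_databases(prod_edb, rsg_edb, temp_suffix=".dialtone"):
    """Swap dismounted dial-tone (production) and RSG store files, as in the post:
    1. rename the dial-tone files aside under a temporary name,
    2. move the restored RSG files into the production location and names,
    3. copy the dial-tone files into the RSG location under the RSG names.
    Both stores must be dismounted first; after the swap, tick "This Database
    Can Be Overwritten By A Restore" on each store before mounting it."""
    prod, rsg = store_files(prod_edb), store_files(rsg_edb)
    missing = [f for f in prod + rsg if not f.exists()]
    if missing:
        raise FileNotFoundError(f"store files missing: {missing}")
    aside = [f.with_name(f.name + temp_suffix) for f in prod]
    clobber = [f for f in aside if f.exists()]
    if clobber:
        raise FileExistsError(f"temporary names already in use: {clobber}")
    for src, dst in zip(prod, aside):      # step 1: nothing is overwritten
        src.rename(dst)
    for src, dst in zip(rsg, prod):        # step 2: RSG files become production
        shutil.move(str(src), str(dst))
    for src, dst in zip(aside, rsg):       # step 3: dial-tone copy lands in the RSG
        shutil.copy2(str(src), str(dst))
    return {"production": prod, "rsg": rsg, "dialtone_copy": aside}


def demo_swap():
    """Run the swap on a constructed layout in a temp directory and return
    what each location holds afterwards, so the outcome can be checked."""
    root = Path(tempfile.mkdtemp())
    prod_edb = root / "mdbdata" / "priv1.edb"   # assumed production store name
    rsg_edb = root / "rsg" / "priv1.edb"        # assumed RSG location
    for edb, content in ((prod_edb, "DIALTONE"), (rsg_edb, "RESTORED")):
        edb.parent.mkdir(parents=True)
        for f in store_files(edb):
            f.write_text(content)
    result = swap_databases(prod_edb, rsg_edb)
    return {key: [f.read_text() for f in files] for key, files in result.items()}
```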

Thursday, February 16, 2006

Exchange Connections 2006 - Florida and France

Currently, I am working on a full-day session for the Exchange Connections conferences in Orlando (April 13) and in France (Nice) on April 24. The session is called Security for Exchange: Assessment, Auditing, and Hardening.

As I have started adding content to this session, I realized that I'm pretty much putting together an outline of how I do an Exchange Server Security Audit, for which I normally charge a minimum of $4,000 (well, THAT includes a final report, too). There should still be spaces available for both the session in Nice and in Orlando. Topics include:

  • Best practices for Exchange administration with security and stability in mind
  • How to implement auditing of Exchange to learn the most about typical activities and to diagnose potential intrusions.
  • The Exchange antivirus API, virus detection methodologies, multi-layer virus detection, and some common approaches to preventing viruses from disrupting a user’s daily routine.
  • Real-world solutions for fighting spam including multiple approaches to content inspection, spam detection, and preventing false positives. Approaches such as white-listing, grey listing, black-listing, sender address verification technologies, Sender Id (SPF), and Domain Keys will be covered.
  • Using a Managed Provider for inbound SMTP message hygiene.
  • Discuss the top antivirus and anti-spam 3rd party and Microsoft solutions on the market and the pros and cons of each.
  • How to most securely provide Exchange services to users outside of your corporate network whether they use the Outlook client, Outlook Web Access, mobile devices, or a POP3/IMAP4 client.
  • Understanding PKI and S/MIME for providing end-to-end protection of e-mail content.
  • Examining Enterprise Rights Management for use with messaging systems.
  • Best practices for Exchange server security and message hygiene

I am working on a series of checklists that will make it easy to go back to your own servers and confirm that you are following best practices.

Wednesday, February 15, 2006

RSA Conference Secure Messaging presentation

If you are interested in the PowerPoint presentation that I did at the RSA Conference in the Microsoft theater, here is the link. The presentation is called Tips and Tricks for Secure Messaging. The gist of the presentation is using multi-layer message hygiene protection to protect your messaging infrastructure, secure publication of mail resources (OWA, ActiveSync, and RPC over HTTP), and using Enterprise Rights Management technology to protect message content from accidental disclosure.

RSA Conference insights - "Due care" Security Liability

Thus far, the most interesting session that I have attended at the RSA Conference is a session called "Due Care" Security Liability. The session was presented by Thomas Smedinghoff, a lawyer from Baker & McKenzie in Chicago. The session talked about the definition (or rather lack thereof) for regulatory compliance and "reasonable security". Though I took 4 pages of notes, there were two extremely interesting and important points that resonate with me from this session.
  1. The process of doing an asset assessment, risk assessment, security program development, and ongoing security assessment/monitoring/adjustment is just as important as the technical, administrative, and physical measures that are put in to place. Everything about the process must be documented.
  2. For organizations that are affected by regulatory compliance, the CEO/CFO/Board of Directors/Upper Management ultimately bear the responsibility for the technical, administrative, and physical measures that are developed and deployed. If your senior management are not involved, then they should be.

Tuesday, February 14, 2006

San Jose has a few things to learn about large conferences

Aloha everyone from San Jose! The RSA Conference is off to a good start. I did a short presentation for Microsoft last night and then spent the rest of the evening talking to exhibitors. I learned about a couple of new products (including a Notes to Exchange migration tool that I need RIGHT NOW!)

This morning was a bit of a bummer. Absolutely no parking within 1/2 mile of the convention center. Even the expensive spaces in the convention center building were full. I missed the first session I wanted to attend because I spent an hour looking for parking. So, I missed the Cryptographers Panel that included Whitfield Diffie and Martin Hellman (aka Diffie-Hellman). :-( Plus, I did want the opportunity to see Bill Gates and Scott McNealy on the same stage at the Keynote Address! So, now I'm savoring my $3.00 bottle of Diet Coke and using the wireless area to catch up on e-mail (and rant). I don't think the San Jose Convention Center is really prepared to host a conference of this size.

Thursday, February 09, 2006

Quote of the day

Information is the currency of democracy.
- Thomas Jefferson

(By gosh, I love quoting Jefferson!)

Wednesday, February 08, 2006

RSA Conference 2006 - I'll be there!

I'll be speaking next week in the Microsoft booth at the RSA Conference in San Jose. I have presentations on Monday the 13th at 6:15PM, Tuesday the 14th at 2:30PM, 1:15PM, and 4:15PM. The topic is messaging security. If any of my friends or regular readers are in the neighborhood, please stop by and say "Howdy!"

Monday, February 06, 2006

Exchange Performance Tools

Over the past few years, the Exchange team at Microsoft has been busy releasing tools to help Exchange administrators tune their systems and follow best practices. Microsoft recently released some new tools so I figured it would be a good time to summarize all of these. They can all be found on the Exchange 2003 Tools page.

The most popular of these tools is the Microsoft Exchange Server Best Practices Analyzer Tool. The ExBPA analyzes dozens of configuration settings for each Exchange server in your organization and provides a report of possible problems and recommendations for improving your Exchange organization.

The Microsoft Exchange Server Performance Troubleshooting Analyzer tool analyzes memory, disk, and other components of your Exchange server and provides recommendations for solving performance problems.

The Microsoft Exchange Server User Monitor (a.k.a. ExMon) gathers data about Outlook clients in real-time including client usage patterns, client versions, and CPU usage that each client generates.

The Microsoft Exchange Server Profile Analyzer is used to collect estimated statistical information from a single mailbox store or across an Exchange Server organization. The collected data can be used for such tasks as analyzing the performance and health of a server that has mailboxes, improving capacity planning models, and improving testing methodologies and tools.

Can't send mail to another server or move mailboxes...

I have spent most of the afternoon troubleshooting a weird Exchange 2000 to Exchange 2003 problem. I installed a new E2K3 server into an E2K admin group. I could send mail from E2K to E2K3, but not from E2K3 to E2K. Outbound messages on E2K3 were sitting in the "Messages Awaiting Directory Lookup" queue and the queue went into a retry state. Once messages would arrive in the E2K3 server from E2K, they would also go into the "Messages Awaiting Directory Lookup" queue.

I also found that I could not move mailboxes from the E2K server to the E2K3 server. I turned Diagnostics Logging on the MSExchangeTransport's Categorizer category up to maximum and saw these two events.

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: Categorizer
Event ID: 6004
Date: 2/6/2006
Time: 2:40:24 PM
User: N/A
Computer: EXCHANGE01
Description:The categorizer is unable to categorize messages due to a retryable error.

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: Categorizer
Event ID: 9035
Date: 2/6/2006
Time: 2:40:24 PM
User: N/A
Computer: EXCHANGE01
Description:Categorization of the message failed with a retryable error. Either some of the admin objects were renamed recently and changes were not picked or journaling was turned on for MDB (CN=mbxXXXX,CN=XXXXXX,CN=InformationStore,CN=EXCHANGE,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=XXXXX,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=XXXXX,DC=corp) and the journal recipient's mailbox is deleted.

I looked this up in the Microsoft Knowledge Base and saw a number of threads on journaling that related to having journaling configured to a mailbox or public folder that no longer existed. This was not the case, but nonetheless, I actually enabled journaling for the stores and then disabled it just to be sure. No luck.

I then switched the Categorizer diagnostics logging to "Field Engineering" level (setting the registry key to "7"). I came up with these errors:

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: Categorizer
Event ID: 9003
Date: 2/6/2006
Time: 2:53:03 PM
User: N/A
Computer: EXCHANGE01
Description:Categorizer is temporarily unable to process a message. While processing user 'smtp:USERNAME@XXXX.com', the function 'CPhatCat::CompleteMailDrop' called 'CompleteUserMailDrop' which returned error code '0xc0040559' (The categorizer encountered an error. The operation will be restarted.). ( f:\tisp2\transmt\src\cat\sinks\phatcat\cptmaildrop.cpp@110 )

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: Categorizer
Event ID: 9003
Date: 2/6/2006
Time: 2:53:03 PM
User: N/A
Computer: EXCHANGE01
Description:Categorizer is temporarily unable to process a message. While processing user 'smtp:USERNAME@XXXXX.com', the function 'CompleteRecipient' called 'CompleteMailDrop' which returned error code '0xc0040559' (The categorizer encountered an error. The operation will be restarted.). ( f:\tisp2\transmt\src\cat\sinks\phatcat\cptcomplete.cpp@52 )

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: Categorizer
Event ID: 9003
Date: 2/6/2006
Time: 2:53:03 PM
User: N/A
Computer: EXCHANGE01
Description:Categorizer is temporarily unable to process a message. While processing user 'smtp:USERNAME@XXXX.com', the function 'CPhatCat::CompleteUserMailDrop' called 'SetTargetServer' which returned error code '0xc0040559' (The categorizer encountered an error. The operation will be restarted.). ( f:\tisp2\transmt\src\cat\sinks\phatcat\cptmaildrop.cpp@336 )

Upon some other checking, I was still being directed to "journaling" problems and was just about ready to open up a PSS incident. However, I stumbled across an obscure problem in the newsgroup archives (Abe Famoti from Microsoft had posted the answer) where the inheritable permissions are removed from the server object. When I checked, sure enough, the "Allow Inheritable Permissions From The Parent To Propagate To This Object And All Child Objects. Include These With Entries Explicitly Defined Here" checkbox had been cleared on the server object. Thanks Abe! I thought I was going nuts!
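Reading these entries one at a time hides the pattern: every 9003 is the same HRESULT for the same recipient, just one frame deeper in the call chain each time. As an added example (not from the post, and not a Microsoft tool), here is a Python parser for event text exported in the layout above that pulls out the Categorizer warnings, the failing call and the error code; the sample records are constructed from the entries quoted above with the source paths trimmed.

```python
import re

# Constructed sample in the layout of the Application log entries quoted above
# (server name and error code as on the page; user placeholder and source paths trimmed).
SAMPLE_EVENTS = """\
Event Type: Warning
Event Source: MSExchangeTransport
Event Category: Categorizer
Event ID: 6004
Computer: EXCHANGE01
Description:The categorizer is unable to categorize messages due to a retryable error.

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: Categorizer
Event ID: 9003
Computer: EXCHANGE01
Description:Categorizer is temporarily unable to process a message. While processing user 'smtp:USERNAME@XXXX.com', the function 'CompleteRecipient' called 'CompleteMailDrop' which returned error code '0xc0040559' (The categorizer encountered an error. The operation will be restarted.).

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: Categorizer
Event ID: 9003
Computer: EXCHANGE01
Description:Categorizer is temporarily unable to process a message. While processing user 'smtp:USERNAME@XXXX.com', the function 'CPhatCat::CompleteUserMailDrop' called 'SetTargetServer' which returned error code '0xc0040559' (The categorizer encountered an error. The operation will be restarted.).
"""

FIELD_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Computer|Description):\s*(.*)$")
# Field Engineering 9003 text: who was being processed, which call failed, and the HRESULT.
CALL_RE = re.compile(r"user '([^']+)', the function '([^']+)' called '([^']+)' "
                     r"which returned error code '(0x[0-9A-Fa-f]+)'")


def parse_events(text):
    """Split exported event text into one dict per blank-line-separated record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in block.splitlines():
            match = FIELD_RE.match(line)
            if match:
                record[match.group(1)] = match.group(2)
        if record:
            events.append(record)
    return events


def categorizer_summary(events):
    """Keep only MSExchangeTransport/Categorizer events and collect the failing
    call chain, the HRESULTs seen and the recipients that were being processed."""
    summary = {"event_ids": [], "failed_calls": [], "error_codes": set(), "users": set()}
    for event in events:
        if (event.get("Event Source") != "MSExchangeTransport"
                or event.get("Event Category") != "Categorizer"):
            continue
        summary["event_ids"].append(event.get("Event ID"))
        match = CALL_RE.search(event.get("Description", ""))
        if match:
            user, caller, callee, code = match.groups()
            summary["users"].add(user)
            summary["failed_calls"].append((caller, callee))
            summary["error_codes"].add(code)
    return summary
```

A single repeated HRESULT across the whole chain with no journaling configured points at the directory lookup itself (here, the server object's permissions) rather than at any one recipient.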

Sunday, February 05, 2006

Delta Airlines rant

Okay, so I'm a pretty dedicated Delta frequent flyer. I have been flying them for years and years. You can't be a Southerner (or former Southerner) without flying Delta. We used to have an expression that "it did not matter if you were going to heaven or hell, you were going to change planes in Atlanta". And, Delta OWNS Atlanta. But, I digress...

Frequent flyer programs are simply brilliant. They inspire tremendous amounts of loyalty on the part of customers. Loyalty that is surely not deserved based on cost, service, comfort (my butt still hurts from the 6.5 hour SLC to HNL flight yesterday), or on-time arrivals alone. Yet, I religiously fly Delta and even pick my international flights based on airlines that I can get "code-share" tickets or at the very least Delta points from. I endure bad customer service, clueless gate agents, inconsistent answers (ask the same question of two different people), and even derogatory treatment just so I can continue to accumulate miles on Delta. I know that the other airlines are not any better, though.

About 2 years ago, Delta changed their "base miles" accumulation rules. Base miles are what get you to a premier status. Cheaper tickets only allowed you to accumulate 50% of the total miles towards your Delta Medallion status. I was so peeved that I stopped flying Delta that year. But, they changed that the following year. I'm assuming I was not the only one that felt that way.

On to THIS year. Airfares are pricey and Delta is usually more expensive than most. Since much of my flying is paid for by someone else, I often have to agree to pay the difference between the cheapest fare and the Delta fare. I will do this up to about $150 - $200 per ticket just so I can get miles and use my segment points for free upgrades.

Since I usually have "Gold Medallion" status (50,000 base miles or more each year), I usually qualify for free upgrades. However, their new upgrade policy is that fares to AND from Hawaii are NOT upgradeable. I can use my miles or points all I want within the continental US, but even though I LIVE in Hawaii, I am out of luck on upgrades (unless I want to fork over $200 more each trip).

That is adding insult to injury. I am usually already giving out $100 to $200 MORE per ticket than I am being reimbursed. Now, if I want the UPGRADE, I need to pay ANOTHER $200. Sigh......

Well on the bright side, United has more flights and destinations out of Hawaii anyway. And usually cheaper fares.