Thursday, September 21, 2006

Updated NOMAS and OABInteg tools

There are a couple of very useful tools from Microsoft PSS that you may find helpful when troubleshooting Offline Address Book problems or getting rid of the annoying 9548 error messages that show up when a disabled account's mailbox receives a message.

Their author is an Exchange support expert at Microsoft named Dave Goldman. Thanks Dave!

Here are articles relating to using these tools that Dave has recently posted. Please remember that these tools are not supported by Microsoft. If you have an error with one, post your question to the Exchange newsgroups or online forums.

New Test added to OABInteg and updates on future releases
How to fix missing or duplicate Addressing Templates that cause OAB Generation errors
NoMas is now being hosted on GotDotNet

Preventing administrators from opening users' mailboxes

Greetings, Aloha and Merhaba from Istanbul once again! We had a great event yesterday, great questions, and I met a lot of nice people. Thanks to everyone for making us feel welcome here in Istanbul. Now, on to the topic at hand!

Over the last few weeks, I have seen a number of posts to newsgroups and Web forums asking the same basic question: "How can I keep my administrators from seeing users' messages?"

I have replied to these rather tediously "Hire trustworthy administrators and set a policy that states 'mailbox surfing for recreational purposes is grounds for immediate firing.'" As my buddy Ben Schorr puts it, "this is an HR (human resources) problem." However, there is a bigger point to this on which I really should elaborate:
  • Administrators (by default) do not have the "Receive As" permission. It is explicitly denied.
  • Enterprise Admins, Domain Admins, and the Administrator user (if that was the account that installed Exchange to start with) have the permissions needed to remove that explicit deny, but the deny has to be removed deliberately before any of them can open another user's mailbox. Until someone does that, membership in those groups alone does not open a mailbox.
  • If you have problems with administrators looking at information they should not be looking at, you have a bigger problem.
  • You can protect message content with technologies such as S/MIME or Digital Rights Management (DRM).
  • An administrator of the PKI infrastructure or the DRM infrastructure may still have access to the key escrow and can recover a user's private keys to view messages or gain access to DRM-protected material. Encryption moves the trust problem from the Exchange administrators to the PKI or DRM administrators; it does not remove it.
  • If you are concerned about what the members of Domain Admins, Enterprise Admins, and Administrators are doing, it is clearly time for you to reduce the number of members in those groups and tighten restrictions on use of accounts with those permissions. If you have more than about 5 members in your Domain Admins group, that is too many. Practice the principle of least privilege. Permissions delegation is a glorious thing. :-)
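As an added example that is not part of the original post, the audit below turns the bullet points into a check a practitioner can actually run: it lists the Receive-As ACEs on the mailbox databases, flags Allow entries that were added directly to a database, confirms the default Deny is still in place for Domain Admins and Enterprise Admins, and counts Domain Admins membership against the rule of thumb above. It assumes the Exchange Management Shell of Exchange 2007 or later plus the ActiveDirectory module (both are assumptions; the Exchange 2003 deployments the post has in mind show the same ACEs on the Security tab of the organization object in Exchange System Manager, and the list of denied groups may differ in your organization).

```powershell
# Added audit example, not code from the original post. It assumes the Exchange
# Management Shell (Exchange 2007 or later) and the ActiveDirectory module; on
# Exchange 2003 the same ACEs are visible on the Security tab in ESM instead.
# Run it from an account that can read Exchange configuration and AD group membership.

# Receive-As is an extended right on the mailbox database objects. The Deny ACE
# is what keeps the admin groups out by default; a Deny that has gone missing, or
# an Allow that nobody remembers adding, is what this script is looking for.
$databases = Get-MailboxDatabase
$receiveAs = $databases |
    Get-ADPermission |
    Where-Object { $_.ExtendedRights -like 'Receive-As' }

'Receive-As ACEs on mailbox databases:'
$receiveAs |
    Select-Object Identity, User, Deny, IsInherited |
    Sort-Object Identity, User |
    Format-Table -AutoSize

# 1. Allow entries set directly on a database (not inherited from the
#    organization or administrative group) are somebody's deliberate grant.
$directAllows = $receiveAs | Where-Object { -not $_.Deny -and -not $_.IsInherited }
foreach ($ace in $directAllows) {
    Write-Warning "Direct Receive-As grant: $($ace.User) on $($ace.Identity)"
}

# 2. The default Deny for the admin groups should still be present on every
#    database. If it is gone, somebody removed it (see the bullet list above).
#    Adjust the list if your organization denies additional groups.
$deniedGroups = 'Domain Admins', 'Enterprise Admins'
foreach ($db in $databases) {
    $dbAces = $receiveAs | Where-Object { $_.Identity.ToString() -eq $db.Identity.ToString() }
    foreach ($group in $deniedGroups) {
        $deny = $dbAces | Where-Object { $_.Deny -and ($_.User.ToString() -like "*\$group") }
        if (-not $deny) {
            Write-Warning "$($db.Name): no Deny Receive-As ACE for $group"
        }
    }
}

# 3. The rule of thumb from the post: more than about five Domain Admins is too
#    many. Nested groups are expanded so a group-in-a-group does not hide members.
$domainAdmins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive)
"Domain Admins has $($domainAdmins.Count) members (nested groups expanded):"
$domainAdmins | Select-Object -ExpandProperty SamAccountName | Sort-Object
if ($domainAdmins.Count -gt 5) {
    Write-Warning 'More than five Domain Admins; time to delegate instead.'
}
```

Run it on a schedule and keep the output, because the interesting event is the change: a Deny that was present last week and is missing today is exactly the "administrator removed the explicit deny" case the bullets describe, and the diff tells you which database and which group.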

Wednesday, September 20, 2006

The battle against spam gets a setback

Greetings from slightly hazy Istanbul!

An obviously uninformed US federal judge ordered Spamhaus to pay $11.7 million to an "e-mail marketing company" called e360 Insight and to issue an official, public apology. Obviously this judge does not use e-mail. And, this judge does not understand that Spamhaus does not actually block anything, but provides a list that others use voluntarily. This sets a very ugly trend for those of us that think a "well run" and "not too aggressive" block list is a good thing.

Read more at MSNBC.

Friday, September 08, 2006

The Living, Living-Dead (the sasha), and Dead (the zamani)

I am prone to lament "Where are men like Thomas Jefferson? Or George Washington? Or Abraham Lincoln? Or Benjamin Franklin?" It sure seems that given our current stock of leaders that we are missing something. But I have developed a theory that we (as a species) tend to deify noteworthy people from the past. Surely, some of the U.S.'s founding fathers would not pass the discretion of modern morality. Jefferson owned slaves (and apparently had at least one affair with one), Washington and Franklin were womanizers, and even Lincoln was rumored to be gay. So, why is it that these men (whom I still believe were exceptional leaders) end up being almost deities? Certainly they are treated that way in American history books.

I'm reading a history book right now that takes a more detailed view of what we think of as traditional history. One chapter is called "Down the Memory Hole: The Disappearance of the Recent Past."

This chapter explains a Kiswahili (Swahili) concept of dividing humans into three categories: the living, the sasha, and the zamani. The living is self-explanatory, but the sasha is a unique concept. The recently departed whose time on Earth overlaps with others still living are the sasha. The sasha "live on" in the memories of others (friends, relatives, co-workers).

A person passes on to the zamani once the last person dies who knew that person. At that point, first-hand knowledge of that person (or I guess historical events) is no longer accessible. At some point, a historical person's blemishes fade away, a good man becomes a great man, and a great man becomes a deity.

History is controlled by the present.

Who is the Dick on my site?

Over the last 10 years, I have given more conference sessions, speeches, and classes than I can count. I am always looking for ways to be a more engaging and interesting speaker. I know of a few people that could make a lecture on the different types of sand seem exciting and relevant. Paul Robichaux, Mark Minasi, Rod Fournier and Dan Holme are some of the best speakers in the IT industry.

But, I have a new hero. Dick Hardt (formerly of ActiveState) gave one of the best presentations I have ever seen; the presentation was on identity management. That had to have been one heck of a difficult presentation to generate, but it held my interest better than anything I have seen recently. See Dick Hardt's presentation "Who is the Dick on my site?"

Sunday, September 03, 2006

Subscribe to Mostly Exchange via Feedburner

Just dying for an RSS feed from my Mostly Exchange blog? I am now syndicated via Feedburner.

Tips and Tricks Guide to Secure Messaging - Download the entire eBook

The entire Tips and Tricks Guide to Secure Messaging free eBook has finally been published. I worked on this free eBook last fall and through this spring.

There is something for all levels of Exchange and messaging administrators in this book. Does your boss understand why you spend so much money on antivirus and antispam products? Does your boss wonder where all that spam comes from? Do your junior admins know how to best configure Outlook to protect users from malware? Do you know the differences between "managed services" for message hygiene versus doing it yourself? How can Enterprise Rights Management further secure your important data? How can you use a reverse proxy to better secure your Internet-exposed resources (Outlook Web Access, Outlook Mobile Access, RPC over HTTPS, Microsoft ActiveSync)?

In this book, you will find answers to the most common messaging security and Exchange security questions. The entire eBook is now available for free download in PDF format. I hope that everyone can find some useful information contained in the book.

OWA for PDA and OWA for WAP

I have been meaning to blog about this for a few weeks. Lee Derbyshire is an Exchange MVP and all around good guy. I just stumbled across a product that Lee has developed and sells that allows greatly improved Outlook Web Access from either a PDA screen or a WAP browser on a cell phone. Both of these options are FAR better than Exchange 2003 Outlook Mobile Access. I stumbled across these when helping some people with OMA problems in the newsgroups and I am very impressed. The two screenshots show OWA for PDAs and OWA for WAP phones.

Misconception moment: Exchange 2007 and Forefront Security for Exchange

The Exchange 2007 hype is in full swing. I have read a couple of articles that imply that Forefront Security for Exchange (formerly known as Sybari Antigen) is included with Exchange 2007. First, anti-spam solutions ARE included and can be run from the Edge Server role or from the Hub Transport role.

Second, Forefront Security for Exchange is only included with Exchange 2007 if you have purchased Exchange Enterprise Client Access Licenses (CALs). Pricing for the Enterprise CALs has not yet been announced.

Finally, the Edge Server role is NOT required for Exchange 2007. You can continue to use whatever DMZ / perimeter message hygiene solution you are currently using if you are not ready to implement Exchange Edge services. Edge IS going to be pretty darned cool, though.

Friday, September 01, 2006

Verizon releases MSFP updates for Motorola Q phone

I have a customer that purchased a bunch of the new Motorola Q phones from Verizon just recently. I was reasonably impressed with the Q; it is lightweight and has a pretty decent interface. I was just bummed that it shipped with just Windows Mobile 5 and without the Messaging and Security Feature Pack (MSFP, which improves device security, enforces PIN requirements, and allows Direct Push from Exchange 2003 SP2).

Verizon has just released the MSFP software update for the Motorola Q phone. Yay! Lots of links and information about this: