Sunday, August 26, 2007

How to allow only certain users to access the Exchange Server Information Store?

The Exchange Server Information Store by default allows all users to connect. There are scenarios in which the administrator wants to connect to the server and verify things without end users connecting to it. This is a typical requirement after maintenance, when an administrator wants to check that the server is working but does not want any user to connect to it yet. This can be done using the steps below:

1) Getting the LegacyExchangeDN attribute of the user to whom access needs to be given
2) Restricting access only to that user from the registry

We will see below how to do the above steps:

1) Getting the LegacyExchangeDN attribute of the user to whom access needs to be given.

The legacyExchangeDN attribute of the user can be obtained with ADSIEdit.exe or LDP.exe by running an LDAP query against Active Directory.

2) Restricting access only to that user from the registry

1. Run the Windows NT Registry Editor (REGEDT32, not REGEDIT).
2. Locate the HKLM\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem registry key.
3. Select Edit > Add Value, type Logon Only As, and select REG_DWORD in the Data Type box.
4. Enter 0 to allow anyone to access the Information Store, or 1 to block access for everyone except the mailbox named in the next value.
5. Create another value by choosing Edit > Add Value, type Trace User LegacyDN, and select REG_SZ in the Data Type box.
6. In the Data box that appears, enter the legacyExchangeDN of the mailbox that will be allowed to access the server. If you leave this box empty, no one (not even the administrator) will be able to access the server. The DN has the following format:

/O=Domain/OU=Sales/CN=Recipients/CN=Mathew
7. Stop and restart the Information Store service (MSExchangeIS) for the change to take effect. When the verification is finished, set Logon Only As back to 0 and restart the service again so that users can reconnect.
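The same two steps as an added PowerShell example (this is not code from the original post): the legacyExchangeDN is looked up with an LDAP query instead of LDP/ADSIEdit, and the registry values are written and reverted with a guard against the empty-DN lockout described in step 6. It assumes Windows PowerShell 2.0 or later on the Exchange server, run as an administrator; the account name 'mathew' in the usage lines is illustrative.

```powershell
$StoreParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'

function Get-LegacyExchangeDN {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    # Step 1: LDAP query against the current domain (what LDP.exe would do by hand).
    $searcher = [ADSISearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('legacyExchangeDN')
    $result = $searcher.FindOne()
    if (-not $result) { throw "No account named '$SamAccountName' found in the domain" }
    $dn = $result.Properties['legacyexchangedn']   # property names come back lower-cased
    if ($dn.Count -eq 0) { throw "'$SamAccountName' has no legacyExchangeDN (is it mailbox-enabled?)" }
    return [string]$dn[0]
}

function Limit-StoreLogons {
    param([Parameter(Mandatory = $true)][string]$LegacyDN)
    # Step 2: an empty 'Trace User LegacyDN' locks everyone out, the administrator included,
    # so refuse to write the values unless a DN was actually supplied.
    if ([string]::IsNullOrEmpty($LegacyDN.Trim())) { throw 'LegacyDN must not be empty' }
    New-ItemProperty -Path $StoreParams -Name 'Trace User LegacyDN' -Value $LegacyDN -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $StoreParams -Name 'Logon Only As' -Value 1 -PropertyType DWord -Force | Out-Null
    Restart-Service -Name MSExchangeIS -Force    # the store reads these values only at start-up
}

function Restore-StoreLogons {
    # Back to the default: everyone may log on again. The trace value is removed so a
    # later 'Logon Only As = 1' cannot silently pick up a stale DN.
    Set-ItemProperty -Path $StoreParams -Name 'Logon Only As' -Value 0
    Remove-ItemProperty -Path $StoreParams -Name 'Trace User LegacyDN' -ErrorAction SilentlyContinue
    Restart-Service -Name MSExchangeIS -Force
}

function Get-StoreLogonState {
    # Quick check of what the store will enforce on its next start.
    $p = Get-ItemProperty -Path $StoreParams -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        LogonOnlyAs       = $p.'Logon Only As'
        TraceUserLegacyDN = $p.'Trace User LegacyDN'
    }
}

# Usage:
#   Limit-StoreLogons -LegacyDN (Get-LegacyExchangeDN -SamAccountName 'mathew')
#   Get-StoreLogonState          # confirm the values before testing the server
#   ...do the post-maintenance checks as mathew...
#   Restore-StoreLogons          # let the end users back in
```

Limit-StoreLogons throws rather than writing an empty DN because that is the one mistake in this procedure that locks the administrator out as well.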

Friday, August 24, 2007

What is new in the Move Mailbox wizard of Exchange 2003?

Following are the additions in the Move Mailbox wizard of Exchange 2003:

1) The Move Mailbox wizard is now multi-threaded, so moving mailboxes takes less time: up to 4 mailboxes can be moved simultaneously.
2) There is an option to ignore the alerts received while moving mailboxes and carry on with the move. The number of errors to tolerate before the move halts can also be specified.
3) A start time and an end time can now be specified for moving mailboxes, so if the activity is scheduled to start late at night, nobody needs to wait at the server to start the moves.
4) The wizard produces an XML report after the move completes, with the details of the mailboxes moved and the errors encountered.

Thursday, August 23, 2007

How is availability calculated?

Two terms go into the calculation of availability:

Mean Time Between Failures (MTBF)
Mean Time to Recover (MTTR)

Availability is the fraction of time the component is expected to be in service, calculated by applying the formula below:

Availability = MTBF / (MTBF + MTTR)

For example, if a network switch fails after 500,000 hours of service and it takes 24 hours to repair it, the availability is 500,000 / (500,000 + 24) = 0.99995200, i.e. 99.99520%.

If this availability is not acceptable and the repair time cannot be reduced, the alternative is to keep spares. In the previous example, if replacing the switch with a spare takes just 1 hour, the availability rises to 500,000 / (500,000 + 1) = 0.99999800, i.e. 99.99980%.
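The formula applied to the switch above, as an added example that is not part of the original post. Besides the percentage it reports the expected downtime per year each figure implies, which is the number a service owner usually asks for. It assumes Windows PowerShell 3.0 or later.

```powershell
function Get-Availability {
    param(
        [Parameter(Mandatory = $true)][double]$MtbfHours,   # mean time between failures
        [Parameter(Mandatory = $true)][double]$MttrHours    # mean time to recover (repair, or swap in a spare)
    )
    if ($MtbfHours -le 0 -or $MttrHours -lt 0) { throw 'MTBF must be positive and MTTR non-negative' }

    $availability = $MtbfHours / ($MtbfHours + $MttrHours)   # Availability = MTBF / (MTBF + MTTR)
    $hoursPerYear = 365 * 24                                 # 8760 h, no leap-year correction

    [pscustomobject]@{
        MtbfHours              = $MtbfHours
        MttrHours              = $MttrHours
        AvailabilityPercent    = [math]::Round($availability * 100, 5)
        # Unavailable fraction of the year, in minutes
        DowntimeMinutesPerYear = [math]::Round((1 - $availability) * $hoursPerYear * 60, 1)
    }
}

# The two cases from the post: a 24-hour repair versus a 1-hour swap for a spare.
Get-Availability -MtbfHours 500000 -MttrHours 24   # 99.9952 %, about 25.2 minutes of downtime per year
Get-Availability -MtbfHours 500000 -MttrHours 1    # 99.9998 %, about 1.1 minutes per year
```

The downtime column makes the point of the spare concrete: the repair time, not the failure rate, is what separates the two figures, because MTTR is the only term that changed.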

Saturday, August 18, 2007

What does Exchange do during online maintenance?

The following activities are performed during Exchange online maintenance:

1) If the deleted mailbox retention period is 1 month and a deleted mailbox has reached 1 month, it is purged during the online maintenance process.
2) If the deleted item retention period is 1 month and a deleted item has reached 1 month, it is purged during the online maintenance process.
3) An online defragmentation is performed on the store, which consolidates the white space inside the database. This does not shrink the database file on disk; reclaiming that space requires an offline defragmentation (eseutil /d).
4) The online maintenance process queries Active Directory to verify that each mailbox's associated user account still exists.
5) For public folder stores, online maintenance purges all messages marked for expiration.

Online maintenance and online backup cannot run simultaneously. If an online backup of a store is started during online maintenance, the online maintenance will halt.

Saturday, August 11, 2007

How to determine whether Exchange 2003 is running Standard or Enterprise Edition?

Reply 1)

We can find out which Exchange version is running by using Event Viewer. The following event ID is generated when the Exchange server is installed.

Standard Edition: Event ID 1216
Enterprise Edition: Event ID 1217

Reply 2)

Great. Any other ways???

Reply 3)

Also, if under the server's Protocols container you see an X.400 container, it has to be an Enterprise Edition.

Reply 4)

Just to elaborate my point:
Click Start -> Run -> type regedit.
Expand HKEY_LOCAL_MACHINE.
Find Software and expand it.
Scroll to find Microsoft and expand it.
Then expand Windows, followed by CurrentVersion and finally Uninstall.
Locate the GUID key, which tells you what version you are running.
On my VM it is F95DE19F-CF69-4b03-81B6-9ec050D20D3b, which says the server is running the Enterprise Full Packaged Product.
If you select the above key it also gives you details like the installation path, display name, publisher name and uninstall path. You can also right-click and modify the path, but this may land you in nasty trouble.

Friday, August 10, 2007

What is brute force attack?

Reply 1)

A brute force attack is nothing but trying each and every combination of the password against the authority.
Let’s say we know that the password is 3 characters long (taking this as just an example).

These 3 characters will be from the following sets:

A-Z
a-z
1-9

So the attacker will start from A and check through to 9 for the first set.
Then he will start with 2 characters, AA, until he reaches the end, 99.
Then he will start with 3 characters, AAA to 999.
Here I am not considering the symbol set (~!@#$%^&*()_+|{}:”<>?,./;’[]. )
That is how the brute force method works.

There is one more common method which is used more often.
That is the dictionary attack.
In a dictionary attack, there is a file which contains all the words which people may generally use as passwords.
Using such files, the number of attempts gets reduced.

Let’s talk a bit about Active Directory, and what functionality AD provides to avoid such attacks.

In AD we see that if we type a wrong password about 3 or 4 times then the account gets locked for some period. (We can set the count in the password policy in the Default Domain Policy.)

This functionality reduces the attack surface.

By locking your account, the attacker can’t attempt any more passwords for 20 or 30 min as your account gets locked out. (Again, the account lockout period can be set in the password policy.)
This increases the time needed by the attacker. It also gives time and notifications to admins that something is going on with a specific account.
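An added example, not part of the reply above: it sizes the search space the reply enumerates (every string of length 1 to N over an alphabet) and puts the lockout policy into numbers, so the effect of the Default Domain Policy settings can be compared against an offline attack on a stolen hash, where no lockout applies. The offline guess rate is an assumption for illustration, and the example uses 0-9 for the digits rather than the reply's 1-9. Requires Windows PowerShell 3.0 or later.

```powershell
function Get-KeyspaceSize {
    param(
        [Parameter(Mandatory = $true)][int]$AlphabetSize,   # 26 + 26 + 10 = 62 for A-Z, a-z, 0-9
        [Parameter(Mandatory = $true)][int]$MaxLength       # lengths 1..MaxLength are all tried
    )
    # Sum of AlphabetSize^n for n = 1..MaxLength: the "A" .. "999" walk in the reply.
    $total = [bigint]0
    for ($n = 1; $n -le $MaxLength; $n++) { $total += [bigint]::Pow([bigint]$AlphabetSize, $n) }
    return $total
}

function Get-BruteForceEstimate {
    param(
        [int]$AlphabetSize = 62,
        [int]$MaxLength = 3,
        [int]$LockoutThreshold = 5,              # "Account lockout threshold" in the Default Domain Policy
        [int]$LockoutMinutes = 30,               # "Account lockout duration"
        [double]$OfflineGuessesPerSecond = 1e9   # assumed rate against a captured hash (illustrative)
    )
    $keyspace = Get-KeyspaceSize -AlphabetSize $AlphabetSize -MaxLength $MaxLength

    # Online guessing against AD: after $LockoutThreshold failures the account is locked for
    # $LockoutMinutes, so the attacker gets at most threshold guesses per lockout window.
    $onlinePerHour = $LockoutThreshold * (60.0 / $LockoutMinutes)

    [pscustomobject]@{
        Keyspace                = $keyspace
        OnlineGuessesPerHour    = $onlinePerHour
        OnlineYearsToExhaust    = [math]::Round(([double]$keyspace / $onlinePerHour) / 8760, 1)
        OfflineSecondsToExhaust = [math]::Round([double]$keyspace / $OfflineGuessesPerSecond, 3)
    }
}

# The reply's 3-character case: 62 + 62^2 + 62^3 = 242,234 candidates.
# Online, throttled by lockout: about 2.8 years. Offline: a fraction of a second.
Get-BruteForceEstimate -MaxLength 3
# Same policy, 8-character passwords: online takes billions of years, offline about 2.6 days.
Get-BruteForceEstimate -MaxLength 8
```

The two lines at the end show what the lockout policy does and does not buy: it throttles guessing through the logon service, but the moment an attacker has the hash (a captured NTLM exchange, a copied database), only password length and alphabet size still matter.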

Thursday, August 9, 2007

What are rootkits?

Reply 1)

The word “rootkit” comes from the two words “root” and “kit”. Root refers to the user with maximum rights in UNIX systems (this can be UNIX, AIX, Linux, etc.). This person is called the “super-user”, the “administrator”, or one of a host of other names. Specifically, it represents the highest level of authority present within a given IT system. On the other hand, the “kit” is a group of tools, so a rootkit is therefore a group of tools of the root category.

A rootkit is a program or set of programs used by an intruder to both hide their presence on a computer system and allow future access to that same system. A rootkit is designed to hide logins, processes, files, and logs, and may include software to intercept data from terminals, network connections, and the keyboard.

Reply 2)

Perfect. Is there any way to detect and remove rootkits?

Reply 3)

Hi,

There are effective measures we can implement to minimize the risk of being afflicted by rootkits or spyware. We can follow the steps below to minimize the risk of rootkits.

• Maintain up-to-date antivirus and antispyware software.
• Deploy network and host-based firewalls.
• Stay current on patches for operating systems and applications.
• Harden the operating system.
• Use strong authentication.
• Never use software from sources you do not trust.

However, there are several tools to detect rootkits, including Vice, Patchfinder2 and klister. Many tools are written by the same people who created rootkits.

Microsoft's "GhostBuster" can detect rootkits and trojans.

This program stops all other user programs, flushes the caches, and then does a complete checksum of all files on the disk and a scan of any registry keys that could auto-start the system, writing the results to a file on the hard drive.

The program then boots its own OS from CD, and the scan is repeated. Any differences indicate a rootkit or other stealth software, without the need to know what the particular rootkits are or the proper checksums for the programs installed on disk.

Reply 4)

Perfect. Some more points that come to mind:

1) Rootkits are generally mistaken for ‘exploits’. They are not exploits, but a bunch of tools left behind on an exploited system by the hacker. The objective is to easily access the exploited system again.
2) Generally, it is believed that rootkits are associated with UNIX systems and that Windows is safe from them. This is far from reality, and rootkits exist for Windows systems as well. Some examples are SubSeven and NetBus. They operate in user mode on Windows, and if the anti-virus signature files contain the right definitions, they can be detected.
3) Rootkits which operate from kernel mode are impossible to detect, since they are placed between the OS and the applications. Most anti-virus applications only scan user mode.
4) One of the signs of the presence of a rootkit on the system is an incorrect display of disk space. For example, if the disk capacity is 200 GB and the files occupy about 150 GB, but the free space displayed is less than 50 GB, there is a possibility of a rootkit running on the system.

Reply 5)

I would like to add a couple more things here:

1. We can run a utility called UnhackMe, which will detect rootkits on the system.
2. We can run ProcExp to detect any malicious services running (usually a service with no description or company name).
3. Check if FTP anonymous access is turned on.
4. Check MSConfig for any suspicious services/software configured to run on startup.
5. Check for FXSVC and scanner.ini files.
6. Check for files with .DIC extensions.
7. Check the Java folder.
8. Check …/system32/LogFiles for logs and any malicious activity or IPs connecting to the server (exXXXX.log and httpXXXX.log).
9. Check the Desktop folder of the user used in the attack and see if anything stored there looks suspicious.
10. Run c:/>cmt /f to check for malicious software.
11. Go to pandasoftware.com and run the free AV check (caution on Exchange servers).
12. Run netstat to check for malicious software.
13. Run nbtstat –a to check the routing table.
14. Run route print.

We normally perform the above steps whenever we find that a server is compromised. If anybody has any queries please let me know.

Reply 6)

There is one more tool provided by Microsoft called WOLF, but for this we need to call Microsoft and create a ticket; then the Microsoft Security Team will run this tool on your system and it will remove the rootkit from your system.
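The inside-versus-outside comparison that Reply 3 attributes to GhostBuster, written out as an added PowerShell example (not code from the thread or from Microsoft). One snapshot of a directory tree is taken from inside the running OS, a second of the same volume after booting clean media with the disk mounted under another drive letter, and the two listings are diffed: a file that exists offline but is missing from the live view is being hidden from the running system, and a file whose bytes differ between the two views is being altered on the way to the application. It assumes Windows PowerShell 4.0 or later (Get-FileHash) on both sides; the paths and snapshot file names in the usage lines are assumptions.

```powershell
function Save-FileSnapshot {
    param(
        [Parameter(Mandatory = $true)][string]$Root,      # 'C:\Windows\System32' live, 'D:\Windows\System32' from the clean boot
        [Parameter(Mandatory = $true)][string]$OutFile,   # write to removable or network media the live OS cannot quietly edit
        [Parameter(Mandatory = $true)][string]$Label      # 'online' or 'offline', recorded with each row
    )
    # -Force asks for hidden and system files too; a rootkit that filters the listing will still omit its own.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Path relative to $Root so the two snapshots compare across drive letters
            $rel = $_.FullName.Substring($Root.TrimEnd('\').Length + 1)
            [pscustomobject]@{
                Label  = $Label
                Path   = $rel
                Length = $_.Length
                Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            }
        } | Export-Csv -LiteralPath $OutFile -NoTypeInformation
}

function Compare-FileSnapshots {
    param(
        [Parameter(Mandatory = $true)][string]$OnlineCsv,
        [Parameter(Mandatory = $true)][string]$OfflineCsv
    )
    $online = @{};  Import-Csv -LiteralPath $OnlineCsv  | ForEach-Object { $online[$_.Path]  = $_ }
    $offline = @{}; Import-Csv -LiteralPath $OfflineCsv | ForEach-Object { $offline[$_.Path] = $_ }

    foreach ($path in $offline.Keys) {
        if (-not $online.ContainsKey($path)) {
            # On disk when read from a clean OS, invisible to the live OS: the classic hiding signature
            [pscustomobject]@{ Finding = 'HiddenFromLiveOS'; Path = $path }
        } elseif ($online[$path].Sha256 -ne $offline[$path].Sha256) {
            # Live OS hands back different bytes than the disk holds: a file-system filter or hook
            [pscustomobject]@{ Finding = 'ContentDiffers'; Path = $path }
        }
    }
    foreach ($path in $online.Keys) {
        if (-not $offline.ContainsKey($path)) {
            # Visible live but absent offline: usually temp files written after the snapshot; low signal
            [pscustomobject]@{ Finding = 'OnlineOnly'; Path = $path }
        }
    }
}

# Usage:
#   1. On the live system:        Save-FileSnapshot -Root 'C:\Windows\System32' -OutFile 'E:\online.csv'  -Label online
#   2. Booted from clean media:   Save-FileSnapshot -Root 'D:\Windows\System32' -OutFile 'E:\offline.csv' -Label offline
#   3. On the clean boot as well: Compare-FileSnapshots -OnlineCsv 'E:\online.csv' -OfflineCsv 'E:\offline.csv'
```

Expect some ContentDiffers noise from files the live system legitimately rewrites between the two runs (logs, caches, prefetch data); HiddenFromLiveOS hits inside system directories are the ones to chase. Run the comparison itself from the clean boot, not the live OS, so the code doing the diff is not running on top of the thing it is looking for.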

What is the difference between share level permissions and NTFS permissions...??

Hello All,

What is the difference between share level permissions and NTFS permissions...??

Are there any changes in Windows Server 2003 for share level permissions?

Thanking you.

Reply 1)

One difference between NTFS and share level permissions is that NTFS permissions are applied irrespective of whether the folder is accessed locally or over the network. Share level permissions are applied ONLY when accessing the folder over the network.

Please contribute guys, there are many more differences between NTFS and share permissions.

Reply 2)

Alright, since no one is answering, below are the differences:

NTFS permissions can be applied to files as well as folders. These are applied at the NTFS level, which means that anyone who needs access to the file or folder must have NTFS permissions for it.

Share permissions can only be applied to folders. A person can access the folder locally even if no explicit share permission has been given to him. The only condition is that there should not be an explicit “Deny” share permission for the user.

A user can have different levels of NTFS and share permissions. Let’s say a user has Read (NTFS) permission and Change (share) permission; in this case, the most restrictive of the combined permissions takes effect.
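The combination rule from Reply 2 as an added PowerShell example (not from the thread): it reads the share permissions and the NTFS permissions behind a share, ranks both on the same Read < Change < Full scale, and reports the effective level, taking only NTFS into account for local access and the more restrictive of the two over the network. It looks only at ACEs that name the given identity directly, with no group expansion, so it illustrates the rule rather than replacing the Effective Access tab. It needs the SmbShare cmdlets (Windows Server 2012 / Windows 8 and later), which the Windows Server 2003 asked about does not have; the share and account names in the usage lines are assumptions.

```powershell
function Get-EffectiveShareAccess {
    param(
        [Parameter(Mandatory = $true)][string]$ShareName,
        [Parameter(Mandatory = $true)][string]$Identity,   # 'DOMAIN\user' or 'DOMAIN\group', exactly as it appears in the ACLs
        [switch]$Local                                      # set when the user opens the folder at the console
    )
    $rank  = @{ Read = 1; Change = 2; Full = 3 }
    $names = 'None', 'Read', 'Change', 'Full'
    $FSR   = [System.Security.AccessControl.FileSystemRights]

    # Share level: Read < Change < Full; an explicit Deny beats any Allow.
    $shareLevel = 0
    foreach ($ace in (Get-SmbShareAccess -Name $ShareName | Where-Object { $_.AccountName -eq $Identity })) {
        if ($ace.AccessControlType -eq 'Deny') { $shareLevel = 0; break }
        $right = [string]$ace.AccessRight
        if ($rank.ContainsKey($right)) { $shareLevel = [math]::Max($shareLevel, $rank[$right]) }
    }

    # NTFS level on the folder behind the share, mapped onto the same 0..3 scale.
    $path = (Get-SmbShare -Name $ShareName).Path
    $ntfsLevel = 0
    foreach ($ace in ((Get-Acl -LiteralPath $path).Access | Where-Object { $_.IdentityReference.Value -eq $Identity })) {
        if ($ace.AccessControlType -eq 'Deny') { $ntfsLevel = 0; break }
        $r = $ace.FileSystemRights
        $level = if     ($r.HasFlag($FSR::FullControl)) { 3 }
                 elseif ($r.HasFlag($FSR::Modify))      { 2 }
                 elseif ($r.HasFlag($FSR::ReadAndExecute) -or $r.HasFlag($FSR::Read)) { 1 }
                 else                                   { 0 }
        $ntfsLevel = [math]::Max($ntfsLevel, $level)
    }

    # Reply 2's rule: locally only NTFS counts; over the network the more restrictive of the two wins.
    $effective = if ($Local) { $ntfsLevel } else { [math]::Min($shareLevel, $ntfsLevel) }
    [pscustomobject]@{
        Identity  = $Identity
        Share     = $names[$shareLevel]
        Ntfs      = $names[$ntfsLevel]
        Effective = $names[$effective]
        Via       = if ($Local) { 'local (NTFS only)' } else { 'network (share AND NTFS)' }
    }
}

# Usage (hypothetical share and account):
#   Get-EffectiveShareAccess -ShareName 'Sales' -Identity 'CONTOSO\mathew'          # Share=Change, Ntfs=Read  -> Effective=Read
#   Get-EffectiveShareAccess -ShareName 'Sales' -Identity 'CONTOSO\mathew' -Local   # Ntfs=Read                -> Effective=Read
```

On Windows Server 2003 the same inputs come from "net share <name>" for the share ACL and cacls for the NTFS ACL; the combination rule is unchanged.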

Wednesday, August 1, 2007

What is ExMerge and what can it be used for?

Reply 1)

ExMerge is the Microsoft Exchange Mailbox Merge program. It is used to extract data from mailboxes on a Microsoft Exchange server and merge this data into mailboxes on another Microsoft Exchange server. The program copies data from the source server into personal folder (.pst) files, and then merges the data into mailboxes on the destination server.
It is useful in disaster recovery and migration.

Reply 2)

ExMerge stands for Microsoft Exchange Server Mailbox Merge.

Mailbox Merge is used to extract data from mailboxes on a Microsoft Exchange Server and then merge this data into another Microsoft Exchange Server. The program copies data from the source server into Personal Folders (.PST files) and then merges the data in the Personal Folders into mailboxes on the destination server.

How to index pdf files using Full Text Indexing of Exchange 2003?

Reply 1)

There is an iFilter available from Adobe which we need to install.
Then we can perform indexing on PDF files as well.

There is an iFilter available for WordPerfect files as well, from Corel.

Note:
What is an iFilter?
We can say it is an indexing filter.
IFilters extract textual information from particular document formats.

Reply 2)

This is correct. However, the configuration is not done from within Exchange System Manager but from the Microsoft Search MMC snap-in. This console is not visible by default; a DLL called mssmmcsi.dll needs to be registered using the command

Regsvr32 mssmmcsi.dll

This will display “Microsoft Search” as one of the available snap-ins in MMC.

Follow the steps below to enable Full Text Indexing to start indexing PDF files:

1. Open the Search MMC and navigate through servername > ExchangeServer_servername > Catalog Build Server.
2. Right-click the index catalog name on which you want to include PDF attachments in the full-text index, and choose Properties.
3. Click the File Types property page.
4. Click the Add button, include PDF in the list, and then click OK.
5. If the index already exists, delete it and re-create it. If not, simply create the index.

Acrobat PDF documents will now be included in your full-text index searches.
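An added check that the replies above do not include (this is not code from the thread): before deleting and rebuilding the index, confirm that Windows actually has an IFilter registered for .pdf, otherwise the rebuild will silently index nothing from PDF attachments. The lookup follows the standard IFilter registration chain under HKEY_CLASSES_ROOT (extension -> PersistentHandler -> PersistentAddinsRegistered -> filter CLSID -> InprocServer32), keyed on the documented IFilter interface ID; it assumes Windows PowerShell 3.0 or later.

```powershell
function Get-RegisteredIFilter {
    param([Parameter(Mandatory = $true)][string]$Extension)   # e.g. '.pdf'
    $IID_IFilter = '{89BCB740-6119-101A-BCB7-00DD010655AF}'   # interface ID the add-in is registered under
    $hkcr = 'Registry::HKEY_CLASSES_ROOT'

    function Get-DefaultValue([string]$Key) {
        (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).'(default)'
    }

    $handler = Get-DefaultValue "$hkcr\$Extension\PersistentHandler"
    if (-not $handler) {
        return [pscustomobject]@{ Extension = $Extension; Registered = $false; Reason = 'no PersistentHandler for this extension' }
    }
    $filterClsid = Get-DefaultValue "$hkcr\CLSID\$handler\PersistentAddinsRegistered\$IID_IFilter"
    if (-not $filterClsid) {
        return [pscustomobject]@{ Extension = $Extension; Registered = $false; Reason = 'handler has no IFilter add-in' }
    }
    # The filter DLL must exist on disk as well; a stale registration after an uninstall looks identical in the registry.
    $dll = Get-DefaultValue "$hkcr\CLSID\$filterClsid\InprocServer32"
    $dllPresent = [bool]$dll -and (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll)))
    [pscustomobject]@{
        Extension         = $Extension
        Registered        = $dllPresent
        PersistentHandler = $handler
        FilterClsid       = $filterClsid
        FilterDll         = $dll
    }
}

# Usage:
#   regsvr32 /s mssmmcsi.dll                  # makes the "Microsoft Search" snap-in available, as in Reply 2
#   Get-RegisteredIFilter -Extension '.pdf'   # Registered should be True before you rebuild the index
#   Get-RegisteredIFilter -Extension '.wpd'   # same check for the Corel WordPerfect filter
```

If Registered comes back False after the Adobe installer has run, fix the filter registration first; rebuilding the catalog without it only costs a full re-index.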