Friday, November 30, 2007

How Strong is Your Password?

Think you have a strong password?

Microsoft has a nifty password checker that evaluates the strength of your password. Check it out here.

If a string of random characters is hard to remember, try a passphrase instead. Something like "I love my job!" rates at the checker's highest strength level and is easy to remember. Keep in mind that a checker like this scores length and character mix, not how guessable the phrase is, so choose a phrase that is personal rather than a well-known saying.

Office Mobile 6.1 Update

Microsoft has released the highly anticipated Office Mobile 6.1. This upgrade, which is free to existing Office Mobile users, finally adds support for Office 2007 file formats. It includes new Word Mobile, Excel Mobile, and PowerPoint Mobile applications.

Other improvements include:
• Enhanced viewing experience for charts in Excel Mobile
• Ability to view SmartArt in PowerPoint Mobile
• Ability to view and extract files from compressed (.zip) folders

If you don't have Office Mobile on your device, it's $49 to purchase.

Thursday, November 29, 2007

Installation Notes for Exchange 2007 SP1 RTM

In an earlier post I documented my installation notes for installing Exchange 2007 Service Pack 1 RC1. Now that Exchange 2007 SP1 has been released, I'm including my notes from installing the RTM version.

A recommended prerequisite is to ensure that .NET Framework 2.0 SP1 is installed. Check my previous article to determine which SP version is installed.


Upgrade the Edge Server First

• First, disable Forefront for Exchange according to KB929080. When I followed this, the Microsoft Exchange Transport and FSCController services could not be stopped. I used Task Manager to end the MSExchangeTransport and FSCController *32 processes.
• Run the following command to disable Forefront:

C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\fscutility /disable

• Proceed with the installation of SP1. Here were my times:
  • Preparing Setup - 00:12
  • Removing Exchange Files - 01:33
  • Preparing Files - 00:01
  • Copy Exchange Files - 01:27
  • Edge Transport Server Role - 09:31
  • Management Tools - 00:30
  • Finalizing Setup - 00:15
  • Elapsed time: 13:32
• Download and install Microsoft Forefront Security for Exchange Server with Service Pack 1. Be aware that this requires a restart at the end of setup.
• Restart the Edge server.
• Stop all Microsoft Exchange services.
• Run the following command to enable Forefront again:

C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\fscutility /enable

• Ensure that the Forefront services are set to Manual startup (FSCController, FSCMonitor, FSCStatisticsService, FDEMailPickup, and FSEIMC).
• Start the FSCController service (all other Forefront services will start with it).
• Start all Microsoft Exchange services and test mail flow.

Upgrade the Mailbox/HT/CAS Server (in my case, these roles are all on the same server)

• Proceed with the SP1 upgrade. Times were as follows:
  • Organization Preparation - 01:05
  • Preparing Setup - 01:37
  • Remove Exchange Files - 05:18
  • Preparing Files - 00:02
  • Copy Exchange Files - 05:32
  • Hub Transport Role - 11:53
  • Client Access Role - 03:27
  • Mailbox Role - 06:21
  • Management Tools - 00:46
  • Finalizing Setup - 02:05
  • Elapsed time: 38:12
• Check that all services are started and test mail flow again.
• Restart all servers because I'm anal, and test again.

Hope your SP1 upgrade goes as smoothly as mine!
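The post-upgrade service sequence above (Forefront services back to Manual, FSCController first, then the Exchange services, then a check) as a PowerShell script. This is an added example and not part of the original notes. It assumes it runs elevated on the Exchange server with PowerShell 1.0 or later, the Forefront service names listed above, and the default Forefront install path; the Test-Mailflow cmdlet mentioned at the end exists only in the Exchange Management Shell.

```powershell
# Added example, not part of the original notes: re-enable Forefront and start
# the Exchange services in the documented order, waiting for each to come up.
# Assumes: elevated PowerShell 1.0+ on the Exchange server, the Forefront
# service names from the notes above, default Forefront install path.

$ForefrontServices = 'FSCController','FSCMonitor','FSCStatisticsService','FDEMailPickup','FSEIMC'

function Wait-ServiceStatus {
    # Polls until the service reports the wanted status or the timeout passes.
    param([string]$Name, [string]$Status, [int]$TimeoutSec = 120)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Service -Name $Name).Status -ne $Status) {
        if ((Get-Date) -gt $deadline) { throw "$Name did not reach $Status within $TimeoutSec seconds" }
        Start-Sleep -Seconds 5
    }
}

function Enable-ForefrontAfterSp1 {
    # fscutility /enable hooks Forefront back into Exchange; the Forefront
    # services must be Manual and FSCController starts the others itself.
    $fsc = Join-Path ${env:ProgramFiles(x86)} 'Microsoft Forefront Security\Exchange Server\fscutility.exe'
    & $fsc /enable
    if ($LASTEXITCODE -ne 0) { throw "fscutility /enable returned $LASTEXITCODE" }
    foreach ($name in $ForefrontServices) { Set-Service -Name $name -StartupType Manual }
    Start-Service -Name 'FSCController'
    foreach ($name in $ForefrontServices) { Wait-ServiceStatus -Name $name -Status 'Running' }
}

function Start-ExchangeServices {
    # Starts every MSExchange* service set to Automatic that is not running.
    $stopped = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'MSExchange%' AND StartMode='Auto' AND State<>'Running'"
    foreach ($svc in @($stopped)) {
        if ($svc -eq $null) { continue }
        Start-Service -Name $svc.Name
        Wait-ServiceStatus -Name $svc.Name -Status 'Running'
    }
}

function Get-StoppedAutoServices {
    # Post-upgrade check: any Automatic service that is not running deserves a look.
    Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
        Select-Object Name, State
}

Enable-ForefrontAfterSp1
Start-ExchangeServices
Get-StoppedAutoServices

# Mail flow test (Exchange Management Shell only); use a real mailbox address.
# Test-Mailflow -TargetEmailAddress someone@example.com
```

Run it once after the Forefront SP1 reinstall and restart; an empty result from Get-StoppedAutoServices is what you want to see before testing mail flow.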



How to tell which .NET Framework SP is installed

Here's an easy way to tell which .NET Framework 2.0 service pack is installed. Open a command prompt and enter the following command as a single line:

reg query "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727" /v SP

For .NET Framework 3.0, enter:

reg query "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.0" /v SP

The commands return the REG_DWORD value for the SP version (0x0 for RTM or 0x1 for SP1). If reg query reports that the key does not exist, that version of the Framework is not installed.
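The same check done once for every Framework version on the machine, as an added PowerShell example (not from the original post). It assumes PowerShell 2.0 and the NDP registry layout the reg query commands above use: one subkey per version (v2.0.50727, v3.0, v3.5) with Install, Version and SP values.

```powershell
# Added example, not from the post: enumerate every NDP version key and return
# its install state, version and service pack, then answer the Exchange 2007 SP1
# prerequisite question (.NET 2.0 SP1 or later) from that data.
# Assumes PowerShell 2.0 and the HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP layout.

function Get-DotNetFrameworkVersions {
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    Get-ChildItem -Path $ndp | Where-Object { $_.PSChildName -like 'v*' } | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        New-Object PSObject -Property @{
            Name        = $_.PSChildName          # e.g. v2.0.50727, v3.0, v3.5
            Installed   = ($props.Install -eq 1)
            Version     = $props.Version
            ServicePack = $props.SP               # $null when the value is absent
        }
    }
}

function Test-DotNet20Sp1 {
    # True when .NET Framework 2.0 is installed at SP1 or later.
    $v2 = Get-DotNetFrameworkVersions | Where-Object { $_.Name -eq 'v2.0.50727' }
    return ($v2 -ne $null -and $v2.Installed -and $v2.ServicePack -ge 1)
}

Get-DotNetFrameworkVersions | Format-Table Name, Installed, Version, ServicePack -AutoSize
if (Test-DotNet20Sp1) { '.NET 2.0 SP1 prerequisite is met' } else { 'Install .NET Framework 2.0 SP1 first' }
```

For a remote server, the reg query form above accepts a machine name (reg query \\server\HKLM\...), which is simpler than remoting this script.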

Various .NET Framework updates and releases are available for download:


Wednesday, November 28, 2007

Exchange 2007 SP1 is coming!

Get ready! Microsoft Exchange Server 2007 Service Pack 1 is due to be released on November 30.

Check out the list of new features in SP1, including new deployment options, new features and improvements for each server role, improved integration with other applications, and the new Standby Continuous Replication (SCR). There are also general updates to almost all of the high availability topics for SP1, as well as significant updates in other content areas, such as those related to the Mailbox, Client Access, Hub Transport, Edge Transport, and Unified Messaging server roles.

You can find documentation on the new features by browsing or searching the Exchange Server TechCenter Library.

Restart Script, Part Deux

In a previous post I listed a batch file that will restart a given service, either on the local machine or a remote one. I rewrote the script to include processing for multiple computers. Simply create a file named "computers.txt" in the folder where you run RESTART.BAT from. Add each remote computer, one per line and beginning with \\, to the computers.txt file.

Syntax for RESTART.BAT is: RESTART [\\Computer -OR- COMPUTERS.TXT] ServiceName. With a single argument, RESTART ServiceName restarts the service on the local machine.

@echo off
If "%1" == "" Goto Syntax
If "%1" == "?" Goto Syntax
If "%1" == "/?" Goto Syntax
If "%2" == "" Goto RunLocal
If /I "%1" == "computers.txt" Goto RunMultiple
Goto RunRemote

:RunMultiple
REM One \\Computer per line; each is handed to the subroutine with the service name.
FOR /F "tokens=1" %%i in (computers.txt) do Call :RestartRemote %%i %2
Goto End

:RunRemote
Call :RestartRemote %1 %2
Goto End

:RestartRemote
REM %1 = \\Computer, %2 = ServiceName
echo %1 | Find "\\" > nul
If %ERRORLEVEL% == 1 Goto Syntax
echo.
echo Working on %1...
REM sc prints a sentence (containing a period) only when the service does not
REM exist; the query output for an existing service contains no period.
sc %1 query %2 | Find "."
If %ERRORLEVEL% == 0 Goto :EOF
sc %1 qc %2 | Find "DISABLED" > nul
If %ERRORLEVEL% == 0 echo The requested restart is not valid for this service. & Goto :EOF

echo The %2 service is stopping...
sc %1 stop %2 > nul
:StopWait
REM Poll the service state about once a second until it reports STOPPED.
sc %1 query %2 | Find "STOPPED" > nul
If NOT %ERRORLEVEL% == 0 ping -n 2 127.0.0.1 > nul & Goto StopWait
echo The %2 service was stopped successfully.
echo.

echo The %2 service is starting...
sc %1 start %2 > nul
:StartWait
sc %1 query %2 | Find "RUNNING" > nul
If NOT %ERRORLEVEL% == 0 ping -n 2 127.0.0.1 > nul & Goto StartWait
echo The %2 service was started successfully.
Goto :EOF

:RunLocal
net stop %1 & net start %1
Goto End

:Syntax
echo.
echo Stops and starts a service on the local or remote computer(s).
echo.
echo Syntax: RESTART [\\Computer -OR- COMPUTERS.TXT] ServiceName
echo         RESTART ServiceName   (local computer)
echo.
echo COMPUTERS.TXT is a list of computers to run against. The file must exist
echo in the same working directory. Each computer must begin with \\ and be on
echo its own line.

:End
echo.

Please let me know if you find this useful.
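The same restart logic (existence check, refuse disabled services, stop, wait, start, wait, one or many computers) written against WMI in PowerShell, as an added example and not the batch file from the post. The difference worth having is the timeout: the batch version polls forever if a service hangs in STOP_PENDING. It assumes PowerShell 1.0 or later and that the caller is an administrator on each target; computer names are plain names, without the leading \\ the batch file expects.

```powershell
# Added example, not the batch file from the post: RESTART.BAT's logic over
# Win32_Service with a timeout on each wait. Assumes PowerShell 1.0+ and
# administrator rights on each target.

function Wait-WmiServiceState {
    # Re-queries the remote service until it reports $State or $TimeoutSec passes.
    param([string]$ComputerName, [string]$ServiceName, [string]$State, [int]$TimeoutSec)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter "Name='$ServiceName'"
        if ($svc.State -eq $State) { return $true }
        Start-Sleep -Seconds 2
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Restart-RemoteService {
    param([string[]]$ComputerName, [string]$ServiceName, [int]$TimeoutSec = 60)
    foreach ($computer in $ComputerName) {
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $computer -Filter "Name='$ServiceName'"
        if ($svc -eq $null) {
            Write-Warning "${computer}: service $ServiceName does not exist"
            continue
        }
        if ($svc.StartMode -eq 'Disabled') {
            Write-Warning "${computer}: $ServiceName is disabled; the requested restart is not valid"
            continue
        }
        if ($svc.State -ne 'Stopped') {
            $rc = $svc.StopService().ReturnValue        # 0 means the request was accepted
            if (-not (Wait-WmiServiceState $computer $ServiceName 'Stopped' $TimeoutSec)) {
                Write-Warning "${computer}: $ServiceName did not stop within $TimeoutSec s (StopService returned $rc)"
                continue
            }
        }
        $rc = $svc.StartService().ReturnValue
        if (Wait-WmiServiceState $computer $ServiceName 'Running' $TimeoutSec) {
            "${computer}: $ServiceName restarted"
        } else {
            Write-Warning "${computer}: $ServiceName did not start within $TimeoutSec s (StartService returned $rc)"
        }
    }
}

# Usage, mirroring RESTART.BAT: one computer, or every name in computers.txt.
# Restart-RemoteService -ComputerName 'server01' -ServiceName 'spooler'
# Restart-RemoteService -ComputerName (Get-Content .\computers.txt) -ServiceName 'spooler'
```

A service that never leaves STOP_PENDING is reported and skipped rather than holding up the rest of the list; that is usually the case where the next step is to look at the process, not to keep sending stop requests.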

Monday, November 19, 2007

How to Enable Remote Desktop from a Remote Machine

[Note: Also see my other article that explains how to enable Remote Desktop for Windows XP computers]

Have you ever tried to connect to a server or workstation via RDP, but couldn't because Remote Desktop isn't enabled? Here's how you can enable Remote Desktop remotely.

The following procedures assume that you have administrator rights on the target machine and, for the registry method, that the Remote Registry service is running there.
1. Run Regedit
2. Select File > Connect Network Registry
3. Enter the name of the remote computer and click OK
4. At the bottom of the registry tree you will see two hives appear for the remote machine: HKEY_LOCAL_MACHINE and HKEY_USERS
5. Navigate to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
6. Double-click fDenyTSConnections in the right-hand pane and change the value from 1 to 0

Another way to accomplish the same task is with WMIC, the WMI command-line utility included in Windows XP, Windows Server 2003 and Vista (it is not part of Windows 2000). Here's the one-line command:

wmic /node:TargetComputer PATH Win32_TerminalServiceSetting WHERE AllowTSConnections=0 CALL SetAllowTSConnections 1

The command above is not case sensitive, by the way. On Windows Vista and Server 2008 the class lives in the root\cimv2\TerminalServices namespace rather than the default root\cimv2, so the command needs a /namespace switch there.

Note that neither of these methods requires a restart of the remote machine; however, I have seen it sometimes take a minute to take effect. Remember, patience is a virtue. :) One more thing to check: on Windows XP SP2 and Windows Server 2003 SP1 or later, flipping the registry value does not open the Windows Firewall, so the Remote Desktop exception (TCP 3389) must be enabled separately if the firewall is on.
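Both methods above in one PowerShell function, as an added example (not from the original post): enable Remote Desktop through WMI, then read fDenyTSConnections back through the remote registry as an independent confirmation. It assumes PowerShell 1.0 or later, administrator rights on the target, the Remote Registry service running there, and the namespace difference noted above (root\cimv2\TerminalServices on Vista/2008, root\cimv2 on XP/2003).

```powershell
# Added example, not from the post: enable Remote Desktop remotely via WMI and
# verify via the registry value the Regedit procedure edits. Assumes PowerShell
# 1.0+, admin rights on the target and the Remote Registry service running there.

function Test-RemoteDesktopEnabled {
    # True when fDenyTSConnections is 0 on the remote machine.
    param([string]$ComputerName)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server')
    $deny = $key.GetValue('fDenyTSConnections')
    $key.Close(); $hklm.Close()
    return ($deny -eq 0)
}

function Enable-RemoteDesktop {
    param([string]$ComputerName)

    # Vista/2008 keep the class in root\cimv2\TerminalServices; XP/2003 in root\cimv2.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TerminalServiceSetting -ComputerName $ComputerName -ErrorAction SilentlyContinue
    $newStyle = ($ts -ne $null)
    if (-not $newStyle) {
        $ts = Get-WmiObject -Namespace 'root\cimv2' -Class Win32_TerminalServiceSetting -ComputerName $ComputerName -ErrorAction SilentlyContinue
    }
    if ($ts -eq $null) { throw "Win32_TerminalServiceSetting not found on $ComputerName" }

    if ($ts.AllowTSConnections -ne 1) {
        # The Vista/2008 method takes a second argument, ModifyFirewallException,
        # which also opens the Remote Desktop firewall exception; XP/2003 take
        # only the flag, and their firewall exception must be opened separately.
        $result = if ($newStyle) { $ts.SetAllowTSConnections(1, 1) } else { $ts.SetAllowTSConnections(1) }
        if ($result.ReturnValue -ne 0) { throw "SetAllowTSConnections failed with return code $($result.ReturnValue)" }
    }
    return (Test-RemoteDesktopEnabled -ComputerName $ComputerName)
}

# Usage:
# Enable-RemoteDesktop -ComputerName 'server01'      # returns $true once the registry confirms it
```

The registry read-back is the check worth keeping even if you only ever use the WMIC one-liner: it confirms the change landed on the machine you meant, which matters when the /node name is a typo away from a different server.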

Saturday, November 17, 2007

Automatically Reset the FTP Service

[Click here for a Windows Server 2008 version of this article]

A client of mine utilizes the Microsoft FTP service in Windows Server 2003 IIS 6.0 on a public web server.

Unfortunately, the FTP service is notoriously insecure: it transmits user names and passwords in plain text, and it offers no way to block brute force or dictionary attacks. Because of this, the client was seeing multiple failed logins from the Administrator account, several times per second. These show up as warnings in the System event log from the MSFTPSVC source with event ID 100. Since I always rename the Administrator account as a standard best practice, it was obvious these attempted logins were coming from an attacker.

Windows Server 2008 will offer FTP over SSL (FTPS) as a separate download for IIS 7, the first major improvement to Microsoft's FTP server since it was introduced. But since my client is running Windows Server 2003, this isn't an option.

The solution I used involves the Windows EventTriggers utility. I created a batch file named C:\Scripts\ResetFTPService.bat, as follows:

net stop msftpsvc
ping -n 10 127.0.0.1 > nul
net start msftpsvc

The batch file stops the FTP service, pings the loopback address 10 times to create a pause of roughly 10 seconds (ping waits one second between replies), and starts the FTP service again. Stopping the FTP service drops the attacker's session immediately, and since no one can connect while the service is down, this creates a form of "tarpitting" that makes each guess cost the attacker a restart cycle instead of a fraction of a second. Note the trade-off: the restart also drops every legitimate session, and because the trigger fires on any failed logon, anyone who can reach the server can keep it bouncing. Where the client population is known, the IP address restrictions on the FTP site's Directory Security tab are a stronger control to pair with this.

To make the script run automatically on the correct event, I use EventTriggers as follows:

eventtriggers /CREATE /TR "Reset FTP Service" /TK C:\Scripts\ResetFTPService.bat /L System /EID 100 /SO MSFTPSVC /RU ""

This causes ResetFTPService.bat to run whenever an event ID 100 with source MSFTPSVC is logged in the System event log. The /RU "" switch causes the task to run under the Local System account, which has the rights necessary to run unattended.
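A rate-aware version of the same reaction, as an added PowerShell example (not the batch file from the post): it counts MSFTPSVC event 100 entries in a short window and only restarts the service when the count crosses a threshold, so a single mistyped password from a legitimate user does not bounce the service for everyone. It assumes PowerShell 2.0 (for Get-EventLog -Source and -After) on the Windows Server 2003 box, the script saved as C:\Scripts\ResetFTPService.ps1, and threshold, window and pause values that are assumptions to tune. The eventtriggers task above can run it with powershell.exe -NonInteractive -File C:\Scripts\ResetFTPService.ps1 in place of the batch file.

```powershell
# Added example, not the batch file from the post: stop, pause, start, but only
# when MSFTPSVC event 100 has fired at least $Threshold times in the last
# $WindowSec seconds. Assumes PowerShell 2.0 on Windows Server 2003 with the
# Microsoft FTP service (msftpsvc); threshold, window and pause are tunables.

param([int]$Threshold = 20, [int]$WindowSec = 60, [int]$PauseSec = 10)

function Get-FtpLogonFailureCount {
    # Number of MSFTPSVC event ID 100 warnings logged in the last $WindowSec seconds.
    param([int]$WindowSec)
    $since = (Get-Date).AddSeconds(-$WindowSec)
    $events = Get-EventLog -LogName System -Source MSFTPSVC -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 100 }
    return @($events | Where-Object { $_ -ne $null }).Count
}

function Reset-FtpService {
    # Stopping msftpsvc drops every FTP session, the attacker's included; nobody
    # can reconnect until the service is started again after the pause.
    param([int]$PauseSec)
    Stop-Service -Name msftpsvc
    Start-Sleep -Seconds $PauseSec
    Start-Service -Name msftpsvc
}

$count = Get-FtpLogonFailureCount -WindowSec $WindowSec
if ($count -ge $Threshold) {
    Reset-FtpService -PauseSec $PauseSec
    "Reset msftpsvc after $count failed logons in $WindowSec seconds"
} else {
    "$count failed logons in $WindowSec seconds; below threshold $Threshold, no action"
}
```

With the trigger still firing on every event 100, the script runs often during an attack but only acts once the rate is clearly hostile; the threshold is what keeps one forgetful user from taking the service down for the rest.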

Tuesday, November 6, 2007

Custom Address Lists in Exchange 2003/2007

The following procedures describe how to create custom address lists in Exchange Server 2003.

Custom address lists can be used to provide a filtered view of the Global Address List (GAL) based on an LDAP query, similar to the way Query-Based Distribution Groups work. They use the same mechanism as the built-in address lists provided by Exchange ("All Contacts", "All Users", etc.). Custom address lists are dynamic and are available to all users in the organization. Common custom address lists might be "All Resources", "All Pagers", etc.

The Microsoft article How to Create an Address List describes how to create a custom address list in Exchange 2003. The similarly titled How to Create an Address List describes how to create one in Exchange 2007. In Exchange 2007 the LDAP filters below apply to lists created with Exchange System Manager (which the 2007 tools show as legacy lists); lists created with the Exchange 2007 console or shell use OPATH recipient filters instead.

Once you create the new address list, you must configure a filter. The following is an LDAP query example that will include all contacts with the word "carpenter" in the Notes field on the Telephones tab in Active Directory Users and Computers. It is written as a single line, but is wrapped here for clarity.

(&(&(&(& (mailnickname=*) ( (&(objectCategory=person)(objectClass=contact)) )))(objectCategory=user)(info=*carpenter*)))

The nested (& ...) groups are what the Exchange System Manager filter wizard generates; they are redundant, and the four conditions (mailnickname, objectCategory, objectClass, and the attribute test) can be written in a single (& ...) group with the same result. Note that objectClass could be changed from "contact" to "user" to filter user objects. The word "info" in this query is the AD attribute we're searching on (it holds the Notes field); any AD attribute can be used. Use ADSIEdit to view attribute names and values.

The search string above is "*carpenter*", which uses wildcards and means "contains the word 'carpenter'". A search for "carpenter" (no wildcards) matches only when the attribute value is exactly that word. The string "carpenter*" (trailing *) means "begins with the word", and "*carpenter" means "ends with the word". The search string is not case sensitive, but it must be spelled correctly to match. Because * and parentheses have meaning in a filter, a value that contains them literally must be escaped (\2a for *, \28 and \29 for the parentheses) or it changes the meaning of the filter.

If you were to create two address lists, one for "All Plumbers" and another for "All Carpenters", and the Notes field for a contact contains "Plumber, Carpenter", the contact will be included in both custom address lists.

As another example, this filter can be used for an address list for resource mailboxes, such as conference rooms. It relies on a naming convention, so be sure to begin the display name for every resource mailbox with "ZZ-".

(&(&(&(& (mailnickname=*) ( (&(objectCategory=person)(objectClass=user)) )))(objectCategory=user)(displayName=zz-*)))

Note: Because custom address lists are generated by Exchange, they are only available to users who are connected to an Exchange server. Users in Cached Exchange Mode who are working offline will not have access to the custom address lists, since Outlook can only display one offline container (the OAB). All contacts will still show up in the OAB.

I've used this process for many clients of all sizes and it works great, with no noticeable effect on AD or Exchange performance.
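Building the filter from a search term and previewing what it matches before committing it to an address list, as an added PowerShell example that is not from the original post. It assumes PowerShell 2.0 on a domain-joined machine with rights to read the directory; the attribute, object class and term are the ones used above, and the wildcard asterisks are added by the function, never taken from the term itself. The escaping function is the part that matters when the term comes from a ticket or a form rather than from you: an unescaped ")" in a value ends the filter early, which is the LDAP-injection case.

```powershell
# Added example, not from the post: RFC 4515 escaping for the search term, the
# minimal equivalent of the wizard-generated filter above, and a DirectorySearcher
# preview of the objects the address list would contain.
# Assumes PowerShell 2.0 on a domain-joined machine.

function ConvertTo-LdapFilterValue {
    # Escapes \ * ( ) and NUL so a term such as "Plumber (Carpenter)" cannot close
    # or extend the filter it is placed into.
    param([string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        switch ([string]$c) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($c) }
        }
    }
    $sb.ToString()
}

function New-AddressListFilter {
    # Contains-match on one attribute for one object class: the four conditions
    # of the wizard-generated filter above in a single (& ...) group.
    param([string]$Attribute, [string]$Term, [string]$ObjectClass = 'contact')
    $v = ConvertTo-LdapFilterValue $Term
    "(&(mailnickname=*)(objectCategory=person)(objectClass=$ObjectClass)($Attribute=*$v*))"
}

function Get-SearchResultValue {
    # First value of a property on a SearchResult, or empty when the object lacks it.
    param($Result, [string]$Name)
    $values = $Result.Properties[$Name]
    if ($values -ne $null -and $values.Count -gt 0) { [string]$values[0] } else { '' }
}

function Test-AddressListFilter {
    # Runs the filter against the domain and returns what the address list would contain.
    param([string]$Filter)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = $Filter
    $searcher.PageSize = 1000      # paged results, so more than 1000 matches come back
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('displayName','mail','info'))
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            DisplayName = (Get-SearchResultValue $r 'displayname')
            Mail        = (Get-SearchResultValue $r 'mail')
            Notes       = (Get-SearchResultValue $r 'info')
        }
    }
}

$filter = New-AddressListFilter -Attribute 'info' -Term 'carpenter' -ObjectClass 'contact'
"Filter: $filter"
Test-AddressListFilter -Filter $filter | Format-Table DisplayName, Mail, Notes -AutoSize
```

For the resource mailbox list, the same preview works with the displayName filter above pasted into Test-AddressListFilter; if a room is missing from the output, its display name does not start with ZZ- and the naming convention, not the filter, is what needs fixing.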

Monday, November 5, 2007

Installing or switching ASP.NET versions on x64 platforms

When installing SQL Server 2005 on an x64 server, I came across the following warning:

32-bit ASP.Net is Registered. Required 64-bit ASP.Net to install Microsoft Reporting Services 2005(64-bit).

This article explains how to install and enable the correct version of ASP.NET for x64 platforms to fix this error.

After you install the ASP.NET redistributable packages, you can switch between the different versions of ASP.NET. Keep in mind that on IIS 6.0 the Enable32bitAppOnWin64 setting is server-wide: every application pool runs as either 32-bit or 64-bit, so you cannot mix 32-bit and 64-bit ASP.NET applications on the same IIS 6.0 server. To switch, follow these steps for the ASP.NET version you need:

ASP.NET 1.1, 32-bit version
ASP.NET 1.1 exists only as a 32-bit build, which is why the 32-bit mode is required for it. To run the 32-bit version of ASP.NET 1.1, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command to enable the 32-bit mode:

cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 1

3. Type the following command to install ASP.NET 1.1 and its script maps at the IIS root and below:

%SYSTEMROOT%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -i

4. Make sure that the status of ASP.NET version 1.1.4322 is set to Allowed in the Web Service Extensions list in Internet Information Services Manager.

ASP.NET 2.0, 32-bit version
To run the 32-bit version of ASP.NET 2.0, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command to enable the 32-bit mode:

cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 1

3. Type the following command to install the 32-bit version of ASP.NET 2.0 and its script maps at the IIS root and below:

%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -i

4. Make sure that the status of ASP.NET version 2.0.50727 (32-bit) is set to Allowed in the Web Service Extensions list in Internet Information Services Manager.

ASP.NET 2.0, 64-bit version
To run the 64-bit version of ASP.NET 2.0, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command to disable the 32-bit mode:

cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 0

3. Type the following command to install the 64-bit version of ASP.NET 2.0 and its script maps at the IIS root and below:

%SYSTEMROOT%\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe -i

4. Make sure that the status of ASP.NET version 2.0.50727 is set to Allowed in the Web Service Extensions list in Internet Information Services Manager.

ASP.NET on Windows Server 2008
The bits for the correct platform of ASP.NET on Windows Server 2008 are included in the OS cache. To install ASP.NET on Windows Server 2008 (x86 or x64), follow these steps:

1. Run Server Manager
2. Select Roles and click Add Roles
3. Select Web Server (IIS). Click Add Required Features if prompted
4. Select ASP.NET in Role Services and run through the rest of the wizard to complete the installation

If the Web Server (IIS) role has already been installed on your server, do the following to add ASP.NET:

1. Run Server Manager
2. Expand Roles and select Web Server (IIS)
3. Click Add Role Services in the right-hand pane
4. Add the ASP.NET role service and run through the wizard to complete the installation
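The IIS 6.0 steps above (check the bitness flag, register the matching aspnet_regiis, confirm the web service extension is Allowed) as one PowerShell script, added here as an example that is not from the post or the Microsoft article it summarizes. It assumes PowerShell 2.0 run as an administrator on the IIS 6.0 x64 server, the IIS ADSI provider (IIS://localhost), and the framework paths quoted above; Enable32BitAppOnWin64 and WebSvcExtRestrictionList are IIS 6.0 metabase property names, and the five-field entry layout is the metabase's own.

```powershell
# Added example, not from the post: report the IIS 6.0 ASP.NET bitness and the
# Allowed/Prohibited state of the aspnet_isapi.dll extensions, and switch bitness
# together with the matching aspnet_regiis -i. Assumes PowerShell 2.0 as admin
# on the IIS 6.0 x64 server and the IIS ADSI provider.

function Get-AspNetBitness {
    $pools = [ADSI]'IIS://localhost/W3SVC/AppPools'
    $flag = $pools.psbase.Properties['Enable32BitAppOnWin64'].Value
    if ($flag -eq $true -or $flag -eq 1) { '32-bit' } else { '64-bit' }
}

function Get-AspNetWebServiceExtensions {
    # Entries look like "Allowed,Path,Deletable,GroupID,Description" (Allowed is 1 or 0);
    # only the aspnet_isapi.dll entries are returned, one object per entry.
    $w3svc = [ADSI]'IIS://localhost/W3SVC'
    foreach ($entry in @($w3svc.psbase.Properties['WebSvcExtRestrictionList'])) {
        $parts = ([string]$entry).Split(',')
        if ($parts.Length -ge 5 -and $parts[1] -like '*aspnet_isapi.dll') {
            New-Object PSObject -Property @{
                Allowed     = ($parts[0] -eq '1')
                Path        = $parts[1]
                Description = $parts[4]
            }
        }
    }
}

function Set-AspNetBitness {
    # Server-wide switch (every IIS 6.0 application pool follows it), then the
    # aspnet_regiis -i from the matching Framework or Framework64 directory.
    param([string]$Mode, [string]$Version = 'v2.0.50727')
    if ($Mode -ne '32-bit' -and $Mode -ne '64-bit') { throw "Mode must be '32-bit' or '64-bit'" }
    $pools = [ADSI]'IIS://localhost/W3SVC/AppPools'
    $pools.Put('Enable32BitAppOnWin64', ($Mode -eq '32-bit'))
    $pools.SetInfo()

    $dir = if ($Mode -eq '32-bit') { 'Framework' } else { 'Framework64' }
    $regiis = Join-Path $env:SystemRoot "Microsoft.NET\$dir\$Version\aspnet_regiis.exe"
    if (-not (Test-Path $regiis)) { throw "$regiis not found; install that Framework build first" }
    & $regiis -i
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -i failed with exit code $LASTEXITCODE" }

    # Step 4 of the procedure: anything still Prohibited is returned for attention.
    Get-AspNetWebServiceExtensions | Where-Object { -not $_.Allowed }
}

"IIS 6.0 is running ASP.NET in $(Get-AspNetBitness) mode"
Get-AspNetWebServiceExtensions | Format-Table Allowed, Description, Path -AutoSize
# Set-AspNetBitness -Mode '64-bit'     # what the SQL Server 2005 setup warning asks for
```

Run the report first; if it already says 64-bit and the 64-bit extension is Allowed, the SQL Server warning points at a stale registration rather than the flag, and re-running aspnet_regiis -i from Framework64 is the whole fix.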

Friday, November 2, 2007

Windows Mobile Codenamed "Neo"

While I'm on the subject of Windows Mobile, you ought to check out this video of what's to come. Windows Mobile codenamed "Neo" is Microsoft's new "carousel" OS that changes the way you interact with your mobile device.

As discussed in an article at WMExperts, Microsoft recently applied for a patent on the interface. The new interface lets you think "what do I want to do right now" instead of "what do I want to do right now, what application do I need to open to do it, and how do I interact with that particular application."

Very cool! Right now it's available on the T-Mobile Shadow.

Finally! WM6 is available for the AT&T 8525

Windows Mobile 6 is finally available for the AT&T 8525, also known as the HTC Hermes. 8525 users can download the new ROM from the HTC 8525 download site.

Get it while it's hot! According to HTC,

"This ROM is available from November 1, 2007 to February 1, 2008. After this date, the ROM will be removed from the website and will no longer be available for distribution."

WM6 offers HTML email, improved calendaring, and a host of other goodies. I've been running it for a few months now and I'm quite impressed.