Compaq Professional Workstation SP750

Dual Xeon 1 GHz, 1 GB of RDRAM.

9 GB IBM SCSI.

I get this stupid boot message:

The drive is definitely screwy.  No time to debug this one.

Argh.  Downtime.

Wow.  That was a headache and a half.
Here's the setup:
Internet --> ISA --> Single Exchange 2003
RPC over HTTPS needs a SSL cert, and there were definitely some problems involving "target principal names" and then just a severe LACK of logging/diagnosis/error messages!  How are you supposed to fix problems if programs don't give you logs?!  Reminds me of Mac FTP clients like Transmit =)
I don't understand why logs are stashed away in GUIs.

Anyway, here's the useful information:
http://www.mcpmag.com/columns/article.asp?EditorialsID=758 (I've uploaded the PDF here: 0804mcp_rpchttp.pdf (496.24 KB)
and remember this:
Hold down CTRL and right click on the Outlook 2003 yellow icon in your tray, and say, "Connection Status"
There's the logging you need! =)
http://support.microsoft.com/default.aspx?scid=kb;en-us;833401 also helped.
isaserver.org wasn't very helpful at all - and neither were most of the sites I found via Google.
I got everything working by these two resources alone - so you should be able to too! =)

I was alerted this morning by an email from Trend Micro running on my file server.

Apparantly, a copy of iroffer I have on there is a virus.

I've always thought that the whole "antivirus" paradigm was flawed.  Just as we run into problems when the FBI or CIA decide to write a virus (Its not a virus anymore, right?) ... just because someone uses some code in a virus doesn't make all applications of the code bad.  In my case, the copy of iroffer was actually sitting there in an archive - I use it on a Linux box to send some software I wrote to people on IRC.  Obscure use, right?

Hardly.  As spyware becomes a more serious problem, I wonder how these "antivirus" vendors will react.  Add everything in sight into their signature databases, updated every minute?

The signature detection years are gone.  We need to throw those stupid signatures away and start using more intelligent detection methods.  Heuristic ones, perhaps, but definitely ones that analyze behaviour, given a certain expected profile for the machine.  Because malicious code to a developer may not be malicious code to a gamer.  And someone on a P2P network who needs certain packages (hah ) may find it very annoying that they can't run their program because Symantec has decided for them that whatever they run is not permitted.

I really like the "sandbox" detection idea used by the Finjan people.  Its definitely a paradigm that makes sense to me.  I had tried their client-side protection software some time ago, and I remember it causing more headaches than it was worth.  It was like antivirus software that kept asking me if I really wanted to open the file.  I should give the Surfingate a try sometime and see what they've done since.

An immediately addressable problem though, is the fact that client-based antivirus doesn't even seem to work.  Virus get exectued by the end user, say, by clicking on an infected file.  Out pops the message... but then it pops up again every 5 minutes telling you that its found something else!  It pops up again later, when you reboot the computer.  It seems to be purely reactive.

I was testing the "new" Microsoft antispyware (I say "new" 'cause they just repackaged the thing...) application the other day.  I downloaded a known, bad, "crack.exe".  And executed it.  About 15 seconds later, the popups from the application started.  "Blah blah blah is trying to make a change to your start page.  Are you sure?" and "so and so wants to install an IE toolbar"

*sigh*

Happily in Kingston now.  Lunch went well, and so did all the travel.  I wish I had gotten the chance to meet up with more people in Toronto.  Namely Dorcas!

I tried to establish a VPN tunnel to my newly setup ISA 2004 Enterprise Edition box... this is why we do test deployments .  Suffice it to say, I'm locked out.

I guess I could hack this up, but I think its time I setup the Remote Access Quarantine Control service in 2003 Server and ISA 2004.

I'll post up a little guide for those who care, once I get this working!

P.S. So much for studying PHGY214...

So I'm setting up a SMTP gateway that sits behind my ISA box, yet in front of my Exchange Front/Backend configuration.  SMTP is gone from the IIS MMC.  I open port 25 locally fine.  The service is definitely installed and functioning.  And yet I have no way to do anything to it.  Microsoft Exchange isn't installed on here, so it hasn't hidden in the Exchange System Manager.  Fantastic.

Found this:

SYMPTOMS
After the installation of the SMTP service on Windows Server 2003, the SMTP tree may not appear in the IIS Manager console.
 
For the Windows 2000/IIS 5.0 version of this article, please see:
"IIS 5: SMTP and NNTP Virtual Server Missing in Internet Services Manager"
http://support.microsoft.com/?id=297261

RESOLUTION
Method 1: Click the "Start" button, then "Run…" and type:
regsvr32 %systemroot%\system32\inetsrv\smtpsnap.dll
Alternatively, %systemroot% can be replaced with the drive Windows Server 2003 is installed on
 
Method 2: Uninstalling and re-installing IIS including the SMTP service has also proven to fix the problem, it is, however, recommended to try method 1 first.

http://www.chapters.indigo.ca/item.asp?Item=978046502656&Catalog=Books&N=35&Lang=en&Section=books&zxac=1

The relationships between art and math are not always apparent. That is, until you read Douglas Hofstadter's brilliant, Pulitzer prize-winning Godel Escher Bach. It explores the patterns and symbols in the thinking of mathematician Kurt Godel, artist M.C. Escher and composer Johann Sebastian Bach. Hofstadter explores the links between formal systems. This 20th anniversary edition will delight, inform and entertain all readers.

Brilliant book.  Hurts my head each time I read it.  Read this book.

HOW TO: Configure Firewall and Web Proxy Client Autodiscovery in Windows 2003

MSKB 816320 - HOW TO: Configure Firewall and Web Proxy Client Autodiscovery in Windows 2003

You'd think they'd get ISA 2004 to auto detect proxies in clients.  Weird that you have to do all this...

MSKB 315631 - HOW TO: Forward Mail with Unresolved Recipients to a Single Mailbox

http://support.microsoft.com/?id=315631

This step-by-step article describes how to forward mail with unresolved recipients to a single mailbox.

In Exchange 2000, you can configure any Simple Mail Transfer Protocol (SMTP) virtual server to forward all the mail with unresolved recipients to a single host, but you cannot have all such mail sent to a single mailbox.

However, to work around this limitation, you can create an additional SMTP virtual server, forward all the mail with unresolved recipients to the additional SMTP server, and then use an event sink on the server that rewrites the recipient address.

http://support.microsoft.com/?id=842851

This article discusses a software update that you can install to help prevent the enumeration of e-mail addresses in your Microsoft Exchange organization. You can install this update if you run Microsoft Exchange Server 2003 on a Microsoft Windows Server 2003-based computer.

Exchange Server 2003 provides a recipient filtering feature that can block an e-mail message that has been sent to a recipient that does not exist. The recipient filtering feature blocks the e-mail message by rejecting the recipient that does not exist. The recipient filtering feature blocks the e-mail message at the Simple Mail Transfer Protocol (SMTP) level. A side effect of this feature is that a malicious sender or a sender of unsolicited commercial e-mail can enumerate e-mail addresses that do exist by using a technique that is known as a directory harvest attack.

If you click to select the Filter recipients who are not in the Directory check box when you configure recipient filtering, directory lookup for recipients is enabled. If directory lookup is enabled, senders of unsolicited e-mail may discover valid e-mail addresses in your Exchange organization.

This software update adds a feature that you can use to delay the SMTP address verification responses for each address that is not valid that is submitted. This feature is referred to as the tar pit feature. This feature makes it extremely expensive in terms of time and cost for an attacker to try to obtain the Global Address List by using a directory harvest attack against an SMTP server that has the tar pit feature enabled. You can control the delay time by setting the value of the TarpitTime registry entry. By default, this feature is disabled.

Note Only anonymous connections are affected by the TarpitTime registry entry. Therefore, we recommend that you only enable this registry entry on the Internet-facing mail gateway servers.

Software update information
A supported feature that modifies the default behavior of the product is now available from Microsoft, but it is only intended to modify the behavior that this article describes. Apply it only to systems that specifically require it. This feature may receive additional testing. Therefore, if you are not severely affected by the lack of this feature, we recommend that you wait for the next Microsoft Windows Server 2003 Service Pack that contains this feature.

Grab Microsoft Installer 3.0 Redistributable here

http://www.microsoft.com/downloads/details.aspx?amp;amp;amp;displaylang=en&familyid=5fbc5470-b259-4733-a914-a956122e08e8&displaylang=en

All mail stopped flowing on a Microsoft SBS 2003 box with Exchange 2003 running the POP3 downloader.  Small Business Server 2003 Exchange routing services spat errors:

Event Type:      Error
Event Source:   MSExchangeSA
Event Category:            RFR Interface
Event ID:          9074
Date:                21/02/2005
Time:               8:43:18 AM
User:                N/A

Description:
The Directory Service Referral interface failed to service a client request. RFRI is returning the error code:[0x3f0].

The mail is POP3ed from an ISP.

Cause: There were two NICs on the box.  The second disconnected NIC didn’t have File and Printer Sharing enabled, as per http://support.microsoft.com/default.aspx?scid=kb;EN-US;279742

You think they would have come up with a workaround by now.  Such a dirty solution.  The NIC didn't even have an IP bound to it.

More than once now, I've logged into a Vertias Backup Exec box to discover that my backups failed.  Then, the following day, the job also fails since the job is "not in time window"

What's up with that? The previous day's job fails.  And this somehow cascades into all future jobs.  How annoying.  I go in, edit the job, and click Submit without making any changes.  Wow!  It works again...

Time to give version 10 a try.

Tried installing IIS 5.1 on a freshly formatted Windows XP SP2 laptop.
Setup cannot copy the file staxmem.dll
…insert “Windows XP Professional Service Pack 2 CD”

Wonderful.
Took about 15 minutes on Google to find this:

esentutl /p %windir%/security/database/secedit.sdb

Got it from here:
http://www.ilovett.com/blog/archives/2004/10/03/dealing-with-staxmemdll/
He says it best... "Why didn't I think of that?"

The latest versions of GFI MailEssentials and MailSecurity still seem to have some serious design flaws, in my opinion.

I had another server this week stop responding; MSEC had managed to fill the Quarantine folder with all the junk that comes in.  A quick a dirty Google search tells me that its supposed to keep only 4 days worth of files - this is definitely not the case!  There were WMVs, MPEGs (I have my filters dump all that junk since no one at this company should need access to such files!) filling the system drive.  Almost 6 GB of it.

They also tell you to "manually" compact the Access database that is supposed to keep track of all these attachments for the "Moderator Client."  Give me a break.  The world's dirtiest interface... what kind of system administrator has time to click through that thing looking for email?  "Take your IIS Admin service offline during off-peak hours. Defragment the database in Access."  Really?  This is a Microsoft Certified Partner's application?

The "live" monitors for MailEssentials and MailSecurity should have context sensitive links.  You should be able to see what filters were sequentially applied to email... (ie. Keyword: PASS, Headers: PASS, SPF: Fail [reason:]).  Simply telling me that mail was "processed successfully" seems completely useless.  They haven't improved this from as far back as version 6, as far as I know.

The POP3 interface suffers from the same problem, forcing the admin to go digging in lots of other windows.

Definitely bloatware.  I bought a nice fat maintenance contract, hoping that they eventually, slowly, gradually clean this mess up.

The detection rates seem okay.  Once again, it'd be nice to see the result of filters from an administrative perspective instead of having to watch users' mailboxes to watch for the [SPAM] header.

In GFI's defense, I've used the latest version of Symantec Mail Security.  I couldn't get a hold of a "premium antispam" license, but its clear that this also lacks some serious, but necessary reporting features.  If I wanted to, I should be able to intercept mail as it came in and override GFI's "rules".  I have yet to encounter something like this.

I also don't understand why everyone seems to like to write their own SMTP engines.  A search of SecurityFocus reveals a plethora of security issues with these "custom" IIS SMTP proxies.  Who are they kidding?  Run Microsoft IIS SMTP and add your filters as an event sink!  Its proven and stable.  Why re-invent the wheel?

The only place I'd ever deploy stuff like Paessler's antispam, Symantec Brightmail's SMTP engine, or even F-Secure's antispam products are inline, behind a perimeter Microsoft IIS SMTP.  I don't like 3rd party code - especially code with nasty track records.  Has anyone used McAfee's stuff?  Or any others?

Microsoft's perimeter SMTP says this:
220 IGR-IMC-02.redmond.corp.microsoft.com <Inbound SMTP Virtual Server> Wed, 23
Feb 2005 16:53:52 -0800
They hacked up the banner?  Or are they running something else...?
Just for fun, I checked my Symantec Mail Security Brightmail 4.1 and got this:
220 mailserver.justinho.com SMTP; Wed, 23 Feb 2005 19:58:15 -0500
mx-a.brightmail.com greeted me like this:
220 [216.10.194.106] ESMTP

Very strange.
There's some cool stuff here though, that I came across:
http://blogs.msdn.com/exchange/archive/2005/01/24/359677.aspx

A document from Microsoft Entitled "Security at Microsoft" (whitepaper) says:
OTG’s approach to managing virus risk goes beyond filtering software alone. The layered defense includes deploying antivirus software on all desktop computers, servers, e-mail gateways, internet gateways, and Personal Digital Assistants (PDAs). Computer Associates eTrust is used on all desktop computers and fully managed servers, except the gateways, which run Trend Micro InterScan Viruswall and also Brightmail software. About 5 million inbound e-mail messages are scanned every day. On average, 800 viruses are stripped per day, and approximately 2.4 million junk e-mail messages are filtered per day...  OTG manages intrusion detection with a number of third-party and internally developed programs and tools, including Microsoft Audit Collections System (MACS), BlackICE and RealSecure from Internet Security Systems, and proxy traffic monitoring and antivirus software.

There's my answer then.  I'll go digging for a copy of Trend Micro's InterScan Viruswall sometime... if that's what Microsoft runs at the perimeter, and, considering how much of the world "hates" them, I'm pretty sure the solid and stable.  Maybe put Symantec's Brightmail SMS proxy behind it inline before my Exchange boxes?

I was clicking about, trying to add some clipart to a Word document.  Did the "Office online" search on the side taskbar, and the whole app hung.

Seems Office 2003 doesn't handle web proxies properly.  I went into Internet Explorer 6 SP2 and disabled the HTTP proxy I had specified for my ISA Server and it went fine.  I suspect it had to do with the Integrated authentication that ISA uses to verify user credentials at connection time across the proxy.  Strange.