Breakthrough encryption technology discovered

Written by Dan Blacharski on July 3, 2009

We can all generally agree that encryption is good, and that implementing regularly updated anti-malware software is also good. But the two have never been compatible. The only way that encrypted email traffic can be scanned for malware is to decrypt it before scanning, then re-encrypt it afterwards before sending it on the rest of its journey to the email server. It’s certainly possible to do so, but it’s tricky and can introduce delay into the equation. So why can’t we just scan the encrypted email traffic for viruses?

As reported in Forbes this week, an IBM researcher has made some progress towards solving that dilemma. Although there is no current commercial implementation of the solution, the researcher, Craig Gentry, has effectively set the wheels in motion. Gentry has solved the problem of fully homomorphic encryption, which allows the anti-malware analysis, as well as other processes, to be performed directly on encrypted data, without having to decrypt it first. No software is currently able to do that, and in reality, it may be several years before it is commercially available, but it’s nonetheless a big breakthrough in security.


Troubleshooting Error Code 0x80040005

Written by Mike Rede on July 2, 2009

There are more than a couple of situations when you may receive the error code 0x80040005. Here are some of those situations:

  1. when you cannot move, synchronize, or autoarchive messages
  2. if the active mail session with the Exchange server was broken
  3. when emailing a report using the tree email from within FRx Report Designer
  4. when you use Distributed Authoring and Versioning (DAV) to query for message properties on the information store in Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003

If you are in a situation where you (1) cannot move, synchronize or autoarchive messages, then you may receive the error code 0x80040005. When you try to AutoArchive messages, move messages, or synchronize items while Microsoft Outlook is connected to a Microsoft Exchange Server mailbox, you may receive the following error message:

Error while archiving folder <folder name - Inbox> in store “Archive Folders”. The source and destination folders for this operation cannot be the same.


Exchange Server 2007 Backup and Recovery Part 4 - Client Access Servers

Written by Paul Cunningham on July 2, 2009

In Part 1 of this series I explored the backup requirements for each of the Exchange Server 2007 server roles.  In Part 2 I demonstrated Mailbox server database backup and recovery, and then in Part 3 I demonstrated the backup and recovery process for Hub Transport and Edge Transport servers.  In this part 4 of the series I will discuss the backup and restore process for Client Access servers.

The Client Access Server Role

Client Access servers perform a similar role to that of “front end” servers in previous versions of Exchange.  The Client Access server is responsible for all non-MAPI connectivity to Exchange server data.  In other words, anything that is not a Microsoft Office Outlook connection to a mailbox or public folder is handled by the Client Access server.  This includes Outlook Web Access, ActiveSync, and Exchange Web Services.

The nature of this role is such that it relies on Microsoft IIS to make these services available.  Because of this the Client Access server is one of the more complex when it comes to backup and recovery.


Microsoft study shows ‘secret question’ password recovery is weak

Written by Dan Blacharski on July 1, 2009

During the US Presidential election, when Sarah Palin’s Yahoo! email account got hacked, two things became apparent: First, don’t use free public email accounts for business, and second, be careful of the “secret question” password recovery tool. The latter allowed the hacker to gain access to Gov. Palin’s account.

Microsoft released a report this week highlighting just how vulnerable the secret question gambit really is. Sure, password resets take up time, but letting end-users retrieve them on their own this way is just a bad idea. Microsoft’s study, which was reported on in the New Scientist, showed that the answer to the secret question is often easily guessed. The study looked at webmail users’ acquaintances, and asked them to try to guess the answer to the secret question on the webmail user’s account. The acquaintances guessed right about 20 percent of the time.

But you don’t have to know the person to make a good guess. Social networking sites are typically full of personal tidbits of information. What’s your dog’s name? Chances are, if you’re a dog lover, you’ve posted a few pictures of your pooch here and there, and have mentioned the lovable mutt’s name a couple times on your blog, Twitter, or social networking page. It’s easy to find. What was the name of your high school? That’s an easy one to discover. Ever hear of Classmates.com?

The Microsoft study recommends an alternative to the secret question, which involves a user selecting multiple individuals to act as trustees; if the user gets locked out, they ask the trustees to download a recovery code. The user collects the recovery codes, and then can gain access to the account. 
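
The trustee scheme described above can be sketched as server-side bookkeeping. This is an added example, not code from the Microsoft study or from this blog; the class name, the `needed` threshold, the code format and the one-day code lifetime are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 24 * 3600   # assumption: codes expire after a day; the page gives no lifetime

def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()

class TrusteeRecovery:
    """Hypothetical server-side bookkeeping for trustee-based account recovery."""

    def __init__(self):
        self.accounts = {}   # user -> trustees, codes needed, issued {trustee: (hash, expiry)}

    def enroll(self, user, trustees, needed):
        trustees = set(trustees)
        if user in trustees or not 1 < needed <= len(trustees):
            raise ValueError("need several trustees other than the account owner")
        self.accounts[user] = {"trustees": trustees, "needed": needed, "issued": {}}

    def issue_code(self, user, trustee, now=None):
        """Called when an authenticated trustee downloads a code for a locked-out user."""
        acct = self.accounts[user]
        if trustee not in acct["trustees"]:
            raise PermissionError("not a trustee for this account")
        code = secrets.token_hex(8)
        now = time.time() if now is None else now
        acct["issued"][trustee] = (_digest(code), now + CODE_TTL)  # store only the hash
        return code

    def redeem(self, user, codes, now=None):
        """True once valid codes from `needed` distinct trustees are presented together."""
        acct = self.accounts[user]
        now = time.time() if now is None else now
        presented = {_digest(c) for c in codes}
        matched = {t for t, (h, exp) in acct["issued"].items()
                   if exp > now and any(hmac.compare_digest(h, p) for p in presented)}
        if len(matched) < acct["needed"]:
            return False
        acct["issued"].clear()          # codes are single use
        return True

def demo():
    svc = TrusteeRecovery()
    svc.enroll("alice", ["bob", "carol", "dave"], needed=2)  # constructed names
    one = svc.issue_code("alice", "bob", now=0)
    too_few = svc.redeem("alice", [one], now=10)
    two = svc.issue_code("alice", "carol", now=20)
    enough = svc.redeem("alice", [one, two], now=30)
    replay = svc.redeem("alice", [one, two], now=40)
    return too_few, enough, replay
```

Counting matches per trustee rather than per code means one trustee cannot satisfy the threshold alone by downloading several codes.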

 


Troubleshooting Error Code 0x8004011C

Written by Mike Rede on June 30, 2009

There are several reasons why you may have received the 0x8004011C error code. Sometimes an Extended MAPI function will return a numeric result code that is the equivalent of the MAPI_E_UNCONFIGURED error code.

Other times you will receive this error in conjunction with using the MAPI component of ASP. The Mail Application Programming Interface (MAPI) is a component used in Active Server Page (ASP) code. It was formerly called Active Messaging, but is now called Collaboration Data Objects (CDO). To allow for greater functionality from the object library than was available in Active Messaging 1.1, the objects were replaced by CDOs. CDOs are objects that support capabilities beyond simple messaging into the areas of calendaring, collaboration, and workflow.

ASP technology is used very widely in Exchange 2000 conferencing and as a result, you may encounter a variety of MAPI warnings and error messages, one of which will be the 0x8004011C error code.


Microsoft Outlook update scam

Written by Dan Blacharski on June 30, 2009

Have you, or any of your users, received an email announcement that looks like it’s from Microsoft, talking about an update to Microsoft Outlook or Outlook Express? The email itself looks remarkably legitimate, and it would be easy to take it at face value. But receiving an email from Microsoft about an update is in itself a red flag, because Microsoft doesn’t issue updates or security warnings in that manner. Bloggers and security experts have been quick to pick up on this one, and are educating the public about the warning.

When unsuspecting users click on the link, thinking they will get an update to Outlook, they are taken to a rogue Web site that sends a Trojan horse to their computer.

The tricky attackers may actually get some takers, not only because of the realistic-looking email, but also because the notice comes out at about the same time Microsoft really is getting ready to release its monthly security patch.

Like most such bogus emails, the link contained in the email appears to go to Microsoft.com, but looking at the actual HTML (pass your cursor over it and see) will show that it goes somewhere else entirely. If you fall victim, you’ll get a piece of malware that appears to be a variant of Zbot, a Trojan used often to steal login details and take control of computers.


Email security for smartphones

Written by Dan Blacharski on June 26, 2009

Smartphones have become part of the corporate landscape, and email admins must contend with remote email. There’s no avoiding it, and the productivity gains are just too big to veto them due to security concerns and administrative complexities.

The Apple iPhone may not be the most technologically superior smartphone, but it is the most trendy and cool-looking, and it’s what road warriors ask for. And with the latest iteration of the iPhone now out on the market, that demand is only going to increase. A Silicon.com survey recently asked IT chiefs if they have plans to offer the iPhone, and most responded that they are not. Two out of the 12 panel members said that they would agree to offer it.

When road warriors send and receive email from a smartphone, there are natural security concerns, regardless of which smartphone platform is being used. These include:

  1. Is the smartphone secured against malware?
  2. Is the user taking advantage of a secure connection (https) to the mail server when checking and sending email?
  3. Is there authentication in place?
  4. Are there any precautions against physical theft?

More rigorous authentication is needed for remote email, whether it’s from a smartphone or a notebook, simply because of the increased risk of theft. A desktop in the office may typically be configured so that email is automatically checked every 15 minutes, and typically, the user does not have to manually enter the email password to retrieve or send. With a smartphone though, there’s an obvious attraction to a thief, especially if it’s a trendy little goodie like the iPhone. And when they do steal it, if there is no manual password requirement, the thief can get into the owner’s email with no trouble at all.


Troubleshooting Error Code 0x80040111

Written by Mike Rede on June 25, 2009

I am sure that at some point your users have come to you and complained that they can’t send email. You can take a look at the logs and also at a particular user’s settings to see if there is anything different about their profile.

Sometimes they will try to send an email but get back a message similar to the following:

This message could not be sent. Try sending the message again later, or contact your network administrator. The Microsoft Exchange server is currently busy. If this message is still displayed in 30 minutes, contact your Exchange server administrator. Error is [0x80040111-0x80040111-0x000520].

There are other situations when you may get the error code 0x80040111, such as:

  • PRB: Error “ClassFactory Cannot Supply Requested Class” (80040111 …  (279129).
  • Attempting to install Microsoft Windows Live OneCare.
  • If you have two instances of Microsoft SQL Server 2000 on the same computer, and SQL Mail is configured with separate mail profiles on each instance.
  • Move Mailbox operation is unsuccessful.
  • Logons to the Microsoft Exchange server computer fail and you get “The information store could not be opened” error message.
  • If the MSSQLServer Service startup account is set to the local system account and xp_startmail fails.
  • Exchange 2000 Management Pack MAPI Logon Check Reports Logon Failures.


Exchange Server 2007 Backup and Recovery Part 3 - Transport Servers

Written by Paul Cunningham on June 25, 2009

In Part 1 of this series I discussed backup and recovery for each of the Exchange Server 2007 server roles and associated systems such as Active Directory.  In Part 2 I then described the process of backing up and recovering a Mailbox Server from the loss of a mailbox database.  In this part of the series I will demonstrate backup and recovery of the Hub Transport Server and Edge Transport Server roles.

Backing up Transport Servers

Unlike Mailbox Servers, the Hub Transport and Edge Transport roles do not require any special Exchange-aware backup software.  All of the necessary data for recovering a Transport server is contained within:

  • Active Directory (for Hub Transport servers, but not Edge Transport servers)
  • The Active Directory Application Mode (ADAM) database (for Edge Transport servers)
  • The server’s file system
  • The server’s System State

Hub Transport servers can be backed up using the built in Backup utility in Windows Server.  At the very least the backup should include the System State and the C:\Program Files\Microsoft\Exchange Server\TransportRoles location of the file system (and all sub directories).

Edge Transport servers are backed up in the same way as Hub Transport servers except for the Exchange Server configuration.  Because this is stored in ADAM it must first be cloned using the Export-EdgeConfig.ps1 script located in C:\Program Files\Microsoft\Exchange Server\Scripts.  Execute the script with the name of the file you wish to export to. Note this is a single command run on one line in the Exchange Management Shell.

export-edgeconfig.ps1 c:\edgeconfig.xml -key "abcdefghijklmnop"

It is recommended to either include this config file in your Edge Transport backups or use a path that is a shared folder on a remote server.

Recovering Hub Transport Servers

In this scenario the EXCHHUB server has been lost due to hardware failure.  Spare server hardware has been used to reinstall Windows Server 2003 along with the Exchange Server 2007 pre-requisites.  The newly built server has the same name and IP address as EXCHHUB.  Now we can begin the recovery of the Hub Transport server.

Unclear on the concept of security

Written by Dan Blacharski on June 24, 2009

The city of Bozeman, Montana was taken to the cyberspace woodshed recently over a policy of asking job applicants for their passwords and logins to social networking sites. News reports about the policy quickly gained the attention of bloggers all over the world.

The city’s background check policy required applicants to provide login details, including passwords, for all social networking sites they belong to. The requirement, which is included on a waiver statement, asks applicants to “Please list any and all current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook, Google, Yahoo, YouTube.com, MySpace, etc.” Forcing applicants to turn over their passwords, especially for Google and Yahoo, may even cause the applicants’ personal email to be vulnerable to snooping as well. Bozeman’s City Attorney defended the policy in true lawyerly fashion, claiming the policy was necessary to protect the public trust.
