Microsoft Releases Critical, Out Of Band Update

Written by Casper Manes on December 30, 2011 – 11:41 pm

Users of practically every supported version of Windows, whether desktop or server, 32-bit or 64-bit, and even the low-attack-surface Windows Server Core, should immediately review Microsoft Security Bulletin MS11-100 and begin testing and deploying this patch as soon as possible. The patch, covered in KB2638420, addresses four vulnerabilities in the Microsoft .NET Framework, including versions 1.1 SP1, 2.0 SP2, 3.5 SP1, 3.5.1, and 4. Three of the four were privately reported, while the last one has been publicly disclosed.

Subscribe to my RSS feed

MS10-106 patches DoS vulnerability in Exchange 2007

Written by Ed Fisher on December 15, 2010 – 10:48 am

December’s round of patches from Microsoft includes a patch for Microsoft Exchange 2007 SP2. This vulnerability is rated as moderate, but I know several C-level types who would consider anything that interrupts email as nothing short of a national disaster.

This vulnerability, which may also be discussed in CVE-2010-3937 (under review at the time of this writing), can be exploited by an authenticated user making a specially crafted RPC call to an Exchange 2007 SP2 server running the mailbox role. Microsoft rates this as moderate severity. Respectfully, I beg to differ.


4 Ways to Supercharge your Exchange Server using the MX record

Written by Paul Mah on October 14, 2010 – 3:38 pm

The Mail Exchanger (MX) record is part of the Domain Name System (DNS), which is designed to translate human-readable domain names into IP addresses. Much like how Web browsers determine the IP address of web servers via DNS, the MX entry directs incoming mail towards the email server for the associated domain. On this front, administrators with a more technical interest will want to check out the exhaustive details of the MX record as defined in RFC 1035.

So how does the MX record concern the mail administrator?  Similar to how DNS can be used to implement advanced solutions such as load-balancing or failover hardware, the MX record can also be used to bolster the capability and robustness of your email server.  Obviously, deployment scenarios vary greatly depending on actual requirements and needs; I’ve briefly summarized a list of possible ways that tweaking the inbound MX record can help you better manage your Exchange Server deployment.

Six new features added to Exchange 2007 by SP3

Written by John P Mello Jr on July 13, 2010 – 3:54 pm

Changing passwords in Exchange 2007 is improved by SP3.

In a move that’s bound to make Exchange 2007 shops happy, Microsoft has released Service Pack 3 (SP3) for the application, which makes it compatible with Windows Server 2008 R2. The development is good news for organizations who may have moved to Server 2008 R2, but are balking at embracing Exchange 2010 because they’re not ready to make the infrastructure changes needed to accommodate the new software.

“We heard you loud and clear that this is enormously important to our Exchange 2007 customers, so we worked quickly to deliver SP3 in order to meet this requirement,” Microsoft General Manager for Exchange Customer Experience Kevin Allison wrote in a Microsoft blog announcing the release of SP3.

Here are six new features incorporated into Exchange 2007 by the service pack.


Microsoft set to deliver on Exchange 2007 promise

Written by John P Mello Jr on June 18, 2010 – 5:18 pm

While Service Pack 1 for Exchange Server 2010 captured most of the buzz at Microsoft’s TechEd 2010 conference earlier this month, for many IT departments the news of most interest was the Redmond software maker’s announcement about another service pack, one for Exchange Server 2007.

Microsoft told its faithful at the conference that Service Pack 3 for Exchange Server 2007 would be ready at the end of this month. The service pack is needed to make Exchange 2007 compatible with Windows Server 2008 R2.

Windows Server 2008 R2, the server variant of Windows 7 and Microsoft’s only 64-bit-only operating system, reached retail shelves in October 2009. When the server software was released to manufacturers in July of that year, however, Microsoft declared the operating system would not be supporting Exchange 2007. That Draconian decision produced ululations from many in the company’s user base, some of whom believed Microsoft was leveraging Server 2008 to coerce companies to move to its latest mail management application, Exchange 2010.

The official word from Microsoft as to why it was choking off Exchange 2007 from Server 2008 was lack of resources. It asserted that it was pulling out all the stops on bringing online Exchange 2010, and it didn’t want to dissipate those efforts on a legacy technology like Exchange 2007. While Server 2008 R2 would support Exchange 2007’s domain controllers, the company said at the time, the mail application itself wouldn’t be supported on the server software. Anyone who wanted to upgrade to Server 2008 R2, it added, would have to bite the bullet and move to Exchange 2010.

The announcement to abandon Exchange 2007 users who wanted to upgrade to Server 2008 R2 didn’t surprise pundits, but that didn’t dampen the uproar that ensued. For an IT administrator, stepping up to a new operating system like Server 2008 R2 is challenging enough, but to add to that burden another major upgrade, one to  another email program, was not going to win Microsoft any happy points with info tech stalwarts.


Exchange Server 2010 Out of Office

Written by Paul Cunningham on June 17, 2010 – 4:23 pm

In Exchange Server the term “Out of Office” refers to the ability of mailbox users to configure a message to be sent automatically as a reply to new messages that informs the sender that they are not available.  Sometimes this is also referred to as a “vacation message”.

In earlier versions of Exchange Server there were two settings for Out of Office: on or off. However, starting with Exchange Server 2007 and continuing with Exchange Server 2010, there are more options available to mailbox users for Out of Office.

Internal vs External

Unlike previous versions of Exchange, a mailbox user on Exchange Server 2007 or 2010 who is using Outlook 2007 or above can configure two distinct Out of Office messages. One message is sent to internal senders, and the other is sent to external senders.

The reasoning for this makes a lot of sense – the information that is included in an internal message might be more personal or sensitive than that which can be included in an external message.  Or alternatively, the mailbox user may wish to have only an internal Out of Office reply and send no external message at all.

8 Useful Public Folder Management Scripts in Exchange Server 2010

Written by Paul Cunningham on May 28, 2010 – 2:38 pm

Exchange Server 2010 ships with eight very useful PowerShell scripts that can be used for managing Public Folders. The scripts perform tasks relating to Public Folder replicas and permissions that are otherwise not easily manageable through the management console or shell.

Each of the scripts is developed for making recursive changes to public folders. This means that when you target the script at a particular folder, or the root of the public folder tree, it applies the action to all subfolders of that folder.

These scripts only apply to servers running Exchange 2007 or Exchange 2010; you cannot specify a server running older versions of Exchange Server.

Managing Public Folder Replicas

These public folder replica scripts are used to manage which servers hold replica data for the public folders.  When a script does not specify a server to run against it will default to the nearest convenient server for the public folder being targeted.

AddReplicaToPFRecursive.ps1 – this script adds a server to the replica list for a public folder and its subfolders.

For example, to add EXCH02 as a replica for all public folders on server EXCH01 starting at the root folder of \\ you would run this command.

AddReplicaToPFRecursive.ps1 -Server EXCH01 -TopPublicFolder \\ -ServerToAdd EXCH02

RemoveReplicaFromPFRecursive.ps1 – this script will remove a server from the list of replicas for a folder and its subfolders.  A server must have all of its public folder replicas removed before it can be decommissioned.

For example, to remove EXCH02 as a replica for all public folders on EXCH01 starting at the root folder you would run this command.

RemoveReplicaFromPFRecursive.ps1 -Server EXCH01 -TopPublicFolder \\ -ServerToRemove EXCH02

ReplaceReplicaOnPFRecursive.ps1 – this script replaces a server in the replica list of the public folders with another server.  This is useful when public folders are already replicated to more than one server, and one of those servers is being replaced.

Microsoft releases stealth patches for Exchange

Written by John P Mello Jr on May 14, 2010 – 4:03 pm

Microsoft released some security patches last month without revealing them to the public. Some of the fixes affected software in mission-critical Exchange mail servers.

The patches were hidden in one of Microsoft’s periodic updates issued April 13, namely “Microsoft Security Bulletin MS10-024 – Important: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832).”

“This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Exchange and Windows SMTP Service,” Microsoft said in the security bulletin’s executive summary.

“The more severe of these vulnerabilities could allow denial of service if an attacker sent a specially crafted DNS response to a computer running the SMTP service,” it continued. “By default, the SMTP component is not installed on Windows Server 2003, Windows Server 2003 x64 Edition, or Windows XP Professional x64 Edition.”

It added: “This security update is rated Important for all supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003; 32-bit and x64-based editions of Windows Server 2008; Windows Server 2008 R2 for x64-based Systems; and Microsoft Exchange Server 2003. This security update is rated Moderate for Microsoft Exchange Server 2000.”


5 Performance Counters to Monitor on Your Exchange Servers

Written by Paul Cunningham on May 4, 2010 – 1:54 pm

Email is one of the most heavily used communication methods, which makes your Exchange servers critical to your business.

The health and performance of your Exchange servers should be a top priority, and this means that you must monitor the server performance as part of your routine so that problems can be discovered early and resolved before they begin to make a serious impact.

Here are 5 performance counters to monitor on your Exchange servers today.

1. % Processor Time

This counter shows the amount of time that the CPU is processing a task.  This counter should typically be below 75%, although it may run higher during heavy workloads such as backups.  If the processor time is consistently high you will want to look into which processes are utilizing the CPU the most.

2. Processor Queue Length

When instructions are sent to the CPU they go into a queue to be scheduled for execution.  This counter shows the length of that queue, and should ideally be no higher than 5 for each processor in the server.

When this counter is above the ideal threshold along with a high % Processor Time it indicates that the server workload is too high for the CPU resources available.

3. Memory Available MBytes

This counter shows the amount of memory that is not in use and is available for new tasks or processes, and should be at least 100 MB at all times.

How to Manage Service and Application Mailboxes in Exchange

Written by Paul Cunningham on April 19, 2010 – 4:06 pm

Email is not just for people. It is also used by other services, applications and devices for a multitude of communication scenarios.

Some examples of this are applications that send email reports to users, such as enterprise backup software; devices that offer email capabilities, such as scan-to-email; and applications that receive and parse email messages, such as job ticketing systems.

With these types of requirements it is very common for an Exchange Server environment to host a lot of non-user mailboxes.  In larger environments this can present some challenges.  Each mailbox requires a corresponding user account, which presents some security risks.

And if not tracked and managed properly, the number of mailboxes can grow and result in mailboxes that no one knows about or whose actual purpose no one understands. This type of mismanagement will crop up at key times such as when migrating to a new Exchange Server, which makes planning and risk management difficult for the project team.

With all of that in mind, here are some tips for maintaining a well-managed Exchange Server environment for service and application mailboxes.

Only Use a Mailbox When Necessary

This may seem an obvious statement, but a mailbox is usually only required to receive email, not to send it. For devices and applications that simply need to send out messages over SMTP there is usually no need to create a dedicated mailbox for them.

For Meeting Rooms and Equipment Use Those Mailbox Types

Exchange Server 2007 and 2010 come with a dedicated mailbox type for room and equipment facilities.  Using the correct mailbox type ensures that the room or equipment is shown correctly in address lists and calendar appointments.

For more information about these mailbox types check out this three part series on managing Exchange resource mailboxes.

Secure the Mailboxes

When you do create mailboxes for non-user access always set a very strong password, and disable the user object in Active Directory.  When you use the special Room and Equipment mailbox types the account is automatically disabled for you.