Email is one of the most important communications tools for businesses. When it stops working, people start to get nervous.

While there are many things that a user can do to mess up their email, many of these problems can be resolved with a restart of the software or the computer.

However when the old standby of restarting doesn’t work, it is time for the email administrator to start looking into the issue a bit more deeply.

Here are some of the more common errors found in Outlook 2007 along with some of the ways you can make things right again:

1. Error message that reads: “Cannot open your default e-mail folders. The information store could not be opened.”

This issue can be fixed by first locating Outlook.exe that can be found here: C:\Program Files\Microsoft Office\Office12.

Next, right click Outlook.exe and then click on Properties.

On the Compatibility tab, clear the check box that reads ‘Run this program in compatibility mode’. Then click Ok and restart Outlook.

2. Error message that reads: “Your Microsoft Exchange Server is unavailable.”

This error is a bit trickier to resolve only because there can be many different causes.

No data connection – test your SMTP connection using telnet. If you are unsure how to do this, Microsoft has provided a guide on their TechNet site that walks you through this process: http://technet.microsoft.com/en-us/library/bb123686.aspx.

Office Outlook files are locked – there are times when .ost and .pst files are accidentally, or purposefully, set to read only. Check the permissions of these two files by navigating to:

C:\Users\<username>\AppData\Local\Microsoft\Outlook\ for .pst files and C:\Program Files\Microsoft Office\Office12\ for .ost files. Make sure that neither is set to read only.

Third party applications are interfering with Outlook – many programs, including anti-malware solutions, can interfere with Outlook connecting to the Exchange Server. To check to see if this is the cause, start Outlook in safe mode.

Outlook files are corrupted – this can happen after an upgrade is applied to Outlook. If any of the .dat files listed below are present they should be deleted or renamed.

• Extend.dat – Located in C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Outlook\
• Frmcache.dat – Located in C:\Documents and Settings\<username>\Application Data\Microsoft\Forms\
• Views.dat – Located in C:\Documents and Settings\<username>\Application Data\Microsoft\Outlook\
• Outcmd.dat – Located in C:\Documents and Settings\<username>\Application Data\Microsoft\Outlook\

All the files, with the exception of Outcmd.dat will be re-created. The Outcmd.dat file saves customized toolbar settings so if it is removed these settings will have to be re-applied.

3. Office Outlook will not open personal folders or personal folders do not show up in Outlook.

Personal folders are often the root of many problems related to Outlook. Microsoft has published the Inbox Repair tool, Scanpst.exe, that can be used to scan .pst and .ost files for errors in the file structure. If this is not intact, it will reset the file structure and rebuild the headers.

This tool will only work on the files that reside on your computer’s hard drive, not the files on the Microsoft Exchange Server.

This will also help to resolve the error message: “Cannot open your default e-mail folder. The file c:\users\owner\documents\software info\outlook.pst is not a personal folders file”.

4. Error messages that read either: “The action cannot be completed. The connection to the Microsoft Exchange Server is unavailable. Your network adapter does not have a default gateway” or “Your Microsoft Exchange Server is unavailable”.

This error occurs when Outlook is unsure of the default gateway address. The former is the error message that shows when the Outlook profile is configured automatically and the latter appears when the profile is manually configured. Both have the same fix.

To repair this you will need to edit the registry so clicking on Start and then Run is necessary. Then, enter regedit in the Open box and click OK.

Next, navigate to the registry key: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\RPC. On the Edit menu, point to New, and then click DWORD Value.  Type DefConnectOpts, and then press ENTER. Now, right-click DefConnectOpts, and then click Modify. In the Value data box, type 0, and then click OK.

5. None of the authentication methods supported by this client are supported by your server.

This happens to people when they use their computer in multiple locations. For example, a laptop is taken home and connected to the home network or perhaps a computer is taken on the road. Basically, it comes from authentication rules for the SMTP server.

When this error occurs go to the Account Settings tab and click on Change then More Settings. Now select the Outgoing Server tab.

The option that reads: “My outgoing server requires authentication” and the one that reads: “Log on to incoming mail server before sending mail” should both be looked at. If there is a check in the option box remove it.

5 Common Outlook Errors and How to Fix Them

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Gates: Momentous security memo

For computer security experts, January 15 marked the anniversary of a red letter day. It was the 10th anniversary of the day that Microsoft decided to get serious about security.

On that day in 2002, a memo from Bill Gates to Microsoft employees declared the company would be entering a new era, an era of “Trustworthy Computing.”

“In the past,” Gates wrote, “we’ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We’ve done a terrific job at that, but all those great features won’t matter unless customers trust our software.”

“So now,” he continued, “when we face a choice between adding features and resolving security issues, we need to choose security.”

Gates’ commitment to security came when the Windows world was reeling from two monster malware attacks from the previous year Code Red and Nimda. Code Red exploited buffer overflows to attack Internet Information Services (ISS) running under Windows Server. It infected an estimated 300,000 PCs.

Unlike Code Red, Nimda was a worm that used multiple attack vectors to rapidly infect computers connected to the Internet. The technique was extremely effective and within 22 minutes of its release on September 18, 2012, it became the most widespread malware in the world.

It’s with that backdrop that Gates emailed his memo to his employees. One group of workers was particularly glad to see their boss’s missive: the company’s malware fighters.

“It’s not an understatement that the memo felt, to me, like the arrival of Gandalf and Eomer at Helm’s Deep in the film The Lord of the Rings: The Two Towers at a moment of great despair; at last we were getting some relief and might survive” Christopher Budd, who worked on security issues for 10 years at Microsoft, wrote in Betanews.

“In a single movement, Gates enshrined security, privacy and reliability as central, aspirational ideals,” Budd observed. “Like all ideals, there have been better and worse times in realizing them, but their central importance was never open to question. That memo eliminated the resistance that made our work so hard and gave us the power to do the right thing for customers.”

Budd asserted that the memo gave the security and privacy factions in the company the power to stand toe-to-toe with those primarily concerned with revenue and growth. He wrote:

“In a way, it represents a statement of conscience for the company and we used it as such, with success.”

Since the memo was issued, Microsoft has made security an important part of its product development cycle. That’s led to security features like library randomization and BitLocker drive encryption in Windows 7 and Secure Boot, a way in Windows 8 to foil BIOS attacks. It has made Windows Server IIS as secure as its open source competitor, Apache, too.

It has also lifted Microsoft’s browser, Internet Explorer, from a security nightmare to one of the most secure ways to surf the Web today. A 2010 report from independent software tester NSS Labs found:

“Internet Explorer 9 was by far the best at protecting users against socially-engineered malware.”

Unfortunately, it’s hard to change a bad security reputation forged over many years and IE’s user share has fallen from its once dominant position of more than 90 percent to under 50 percent of all users.

Microsoft’s Trustworthy Computing Program Turns 10

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

When starting out, many small businesses set up their email using one of the free accounts available to them. Services like Gmail by Google, Hotmail from Microsoft or Yahoo!’s mail service, provide a working email address with almost no maintenance for a business just getting its feet wet.

However this may not be the best way to make a first impression with your potential customers.

Listed below are seven reasons why you need to ditch the yourcompany@freeemail.com and go with an address that better reflects the image you want your company to have.

1. Free email looks less professional

People associate free email services like Gmail or Hotmail as a personal accounts. Businesses, on the other hand, should have an email address that looks more professional. In fact, a study by Visible Logic in Amsterdam found that 70 percent of people view email messages coming from free email services as less professional when used by a business.

2. Free email looks spammy

Over the years, people have been burned so often by spam that they have become very adept at spotting shady looking emails in their inbox. One way to spot an email that may have malicious intent is by looking at the address. If you email address doesn’t look legitimate, your messages may be overlooked by overly cautious recipients.

3. Free email looks cheap

When people receive an email from your company and it has the @freeemail.com trailing it, your company looks cheap. For less than five bucks a month, you can set up an email address with your company’s domain. Sometimes you can even get a few of these for free when you host your company’s website. Customers who see that you are unwilling to spend a few dollars on this are often left to wonder what else your company may be skimping on.

4. You lose credibility when you use free email

A legitimate, professional looking email address tells your customers that you are here to stay.

Not only that, but having multiple email addresses such as: info@yourcompany.com, sales@yourcompany.com or service@yourcompany.com shows others that you are a well structured organization. The impression one gets when there is one, free email as the sole contact is that one person is handling everything for a company. This may scare larger clients away for fear that the company cannot handle their needs.

In today’s business atmosphere, trust is everything. Especially when it comes to online sales. Every little thing your company can do to establish trust and credibility will help your business grow.

5. Free email is less secure

Remember the old saying: there is no such thing as a free lunch? Well that applies to email as well.

True, Google, Yahoo!, Microsoft and the other free email providers do everything they can to make sure that their email services are as secure as possible, but things can slip through the cracks.

To pay for “free” email, users are subject to advertisements. While these help pay for the servers and storage space, they also have been linked to spam and hijacking. There have been several cases where businesses have had bank accounts and other confidential information compromised by cyber criminals who intercept email messages of companies that use free email services.

6. Free email may put you out of compliance

Nowadays, there are regulations and laws that govern so many industries and their record keeping that many large companies have entire legal teams dedicated to just compliance related issues.

But smaller companies are not immune to compliance. Companies of all sizes need to be aware of HIPPA when it comes to healthcare, PCI DSS when dealing with credit cards, and CAN-SPAM Act when it comes to marketing.

Free email likely does not offer you the tools required to be in compliance with any of these, or the many other, laws or regulations for email use.

7. You miss out on marketing your brand

Having your website’s domain name in every email you send out gives you the opportunity to build your company’s brand. Info@yourcompany.com puts your web site address in the minds of your customers. They know where to turn to when they need your services because they are so used to seeing your domain in every communication from you.

7 Reasons to Ditch That Free Email Address

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Now that Exchange 2010 SP2 is available for download, I’m sure many of you (like me) have already downloaded the binary and are testing it in the lab. Of course, the reason we test is because we want to ensure that we don’t create problems in production which is prudent and a best practice for administration. SP2 is a great service pack, and in a vanilla Exchange 2010 organization I seriously doubt you will encounter a single issue with this service pack, but how many of us are running a vanilla org, freshly installed from scratch? For the majority of us who aren’t, here are some pointers about SP2 that should prove useful.

Network timeouts and long installation times

The Exchange 2010 SP2 binary is a slipstreamed copy of Exchange 2010 with SP2. You can use it to patch an existing server, or to install a new server from scratch, so keep it handy, but also keep in mind it isn’t exactly small. The download is 535 MB, but when you run it, it will expand to 1.38 GB. Make sure you have room for that wherever you decide to expand it, and consider whether to place it on a network share where all your Exchange servers can access it, or if you should copy the downloaded EXE to Exchange servers in remote offices before you expand it.

Schema extension errors

Yes, you must extend the schema for SP2. That means you need Schema Admin rights, or to have your AD administrator extend the schema before you can apply SP2 to any server. If you are not also the AD admin, engage that person now.

CAS Server update fails

SP2 requires some additional components for CAS servers that SP1 and RTM did not. Make sure that your CAS server has the following IIS role services installed before applying SP2, or it will fail. If you are running Windows 2008 SP2 use Server Manager to install:

• IIS 6 WMI Compatibility
• ASP.NET
• ISAPI Filters
• Client Certificate Mapping Authentication
• Directory Browsing
• HTTP Errors
• HTTP Logging
• HTTP Redirection
• Tracing
• Request Monitor
• Static Content

If you are running Windows 2008 R2 you can use PowerShell to install the required modules by running:

Import-Module ServerManager [enter]

Add-WindowsFeature Web-WMI,Web-Asp-Net,Web-ISAPI-Filter,Web-Client-Auth,Web-Dir-Browsing,
Web-Http-Errors,Web-Http-Logging,Web-Http-Redirect,Web-Http-Tracing,Web-Request-Monitor,
Web-Static-Content [enter]

If that’t too much effort, you can install SP2 in unattended mode like this in a normal administrative command prompt.

Setup /Mode:Upgrade /InstallWindowsComponents [enter]

Errors managing RBAC

SP2 changes some of the Role Based Access Control definitions in Active Directory. If you try to manage any RBAC roles from a server that has not yet been updated, you will encounter errors in both the Exchange Management Shell, and the Exchange Control Panel.

In the shell you will see:
WARNING: The object MyMailboxDelegation has been corrupted, and it’s in an inconsistent state. The following validation errors happened:
WARNING: The property value you specified, “15″, isn’t defined in the Enum type “ScopeType”.

In the control panel you will see:
There are multiple warnings. Click here to see more
The object MyMailboxDelegation has been corrupted, and it’s in an inconsistent state. The following validation errors happened:
The property value you specified, “15″, isn’t defined in the Enum type “ScopeType”.

Upgrade all Exchange servers to SP2, or use a server that has already been upgraded to manage RBAC until you can finish patching the other servers.

Redirs for OWA fail

If you are using a simple URL and not requiring HTTPS (like http://mail.example.com) to redirect your users to their OWA, this will fail after updating to SP2. To avoid this, as soon as SP2 has been applied to the CAS server, modify your web.config file using the steps found in http://technet.microsoft.com/en-us/library/aa998359.aspx.

Cross-forest mailbox moves fail

If you have a multi-forest Exchange org, or are migrating to Office 365, this is a big one. The way MRSProxy works has changed with SP2, so the service is disabled by SP2 and settings in the EWS\web.config file are no longer used. Use the EMS command to reenable the MRSProxy.

Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -MRSProxyEnabled $true [enter]

Hybrid Configuration Wizard fails

There’s a known issue setting up hybrid configuration using the wizard if the FQDN of your Hub Transport server starts with a number. You can either use a different HT server, rename your HT server, or use the EMS Update-HybridConfiguration cmdlet to set up hybrid coexistence instead of using the wizard.

Knowing these ahead of time can help to ensure your testing, and production deployment, of SP2 goes off without a hitch. Good hunting!

Troubleshooting Exchange 2010 SP2 Installation

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

With 26 days left in calendar year 2011, the Exchange team at Microsoft stayed true to their word, and have delivered an early Christmas present to email admins all over the world. Exchange 2010 Service Pack 2 has arrived! We’ve covered some of the things you could expect with the latest service pack to Exchange 2010, both here and here, and offered advice on getting ready for testing the service pack in your environment, and extending the schema as required for this service pack.

Service Pack 2 includes all the update from the release of Exchange 2010 RTM through Rollup 6, so some of you may be asking yourselves if you really need to rush right out and apply SP2. As with any patch or update, testing is required, so a measured and careful pacing is far better than a rush, but there’s a lot of great stuff inside SP2 that should appeal to you. Here’s the list from the TechNet article What’s New in Exchange 2010 SP2.

Hybrid Configuration Wizard

Exchange 2010 SP2 introduces the Hybrid Configuration Wizard which provides you with a streamlined process to configure a hybrid deployment between on-premises and Office 365 Exchange organizations. Hybrid deployments provide the seamless look and feel of a single Exchange organization and offer administrators the ability to extend the feature-rich experience and administrative control of an on-premises organization to the cloud. For more information, see Understanding the Hybrid Configuration Wizard.

Address Book Policies

Exchange 2010 SP2 introduces the address book policy object which can be assigned to a mailbox user. The ABP determines the global address list (GAL), offline address book (OAB), room list, and address lists that are visible to the mailbox user that is assigned the policy. Address book policies provide a simpler mechanism to accomplish GAL separation for the on-premises organization that needs to run disparate GALs. For more information, see Understanding Address Book Policies.

Cross-Site Silent Redirection for Outlook Web App

With Exchange 2010 SP2, you can enable a silent redirection when a Client Access server receives a client request that is better serviced by a Client Access server located in another Active Directory site. This silent redirection can also provide a single sign-on experience when forms-based authentication is enabled on each Client Access server. For more information, see Understanding Proxying and Redirection.

Mini Version of Outlook Web App

The mini version of Outlook Web App is a lightweight browser-based client, similar to the Outlook Mobile Access client in Exchange 2003. It’s designed to be used on a mobile operating system. The mini version of Outlook Web App provides users with the following basic functionality:

• Access to e-mail, calendar, contacts, tasks and the global address list.
• Access to e-mail subfolders.
• Compose, reply to, and forward e-mail messages.
• Create and edit calendar, contact, and task items.
• Handle meeting requests.
• Set the time zone and automatic reply messages.

For more information, see Understanding the Mini Version of Outlook Web App.

Mailbox Replication Service

In Exchange 2010 SP1, if you wanted to move mailboxes from on-premises to Outlook.com or to another forest, you had to enable MRSProxy on the remote Client Access server. To do this, you had to manually configure the web.config file on every Client Access server. In Exchange 2010 SP2, two parameters have been added to the New-WebServicesVirtualDirectory and Set-WebServicesVirtualDirectory cmdlets so that you don’t have to perform the manual configuration: MRSProxyEnabled and MaxMRSProxyConnections. For more information, see Start the MRSProxy Service on a Remote Client Access Server.

Mailbox Auto-Mapping

In Exchange 2010 SP1, Office Outlook 2007 and Outlook 2010 clients can automatically map to any mailbox to which a user has Full Access permissions. If a user is granted Full Access permissions to another user’s mailbox or to a shared mailbox, Outlook, through Autodiscover, automatically loads all mailboxes to which the user has full access. However, if the user has full access to a large number of mailboxes, performance issues may occur when starting Outlook. Therefore, in Exchange 2010 SP2, administrators can turn off the auto-mapping feature by setting the value of the new Automapping parameter to false on the Add-MailboxPermission cmdlets. For more information, see Disable Outlook Auto-Mapping with Full Access Mailboxes.

Multi-Valued Custom Attributes

Exchange 2010 SP2 introduces five new multi-value custom attributes that you can use to store additional information for mail recipient objects. The ExtensionCustomAttribute1 to ExtensionCustomAttribute5 parameters can each hold up to 1,300 values. You can specify multiple values as a comma-delimited list. The following cmdlets support these new parameters:

• Set-DistributionGroup
• Set-DynamicDistributionGroup
• Set-Mailbox
• Set-MailContact
• Set-MailPublicFolder
• Set-RemoteMailbox

Litigation Hold

In Exchange 2010 SP2, you can’t disable or remove a mailbox that has been placed on litigation hold. To bypass this restriction, you must either remove litigation hold from the mailbox, or use the new IgnoreLegalHold switch parameter when removing or disabling the mailbox. The IgnoreLegalHold parameter has been added to the following cmdlets:

• Disable-Mailbox
• Remove-Mailbox
• Disable-RemoteMailbox
• Remove-RemoteMailbox
• Disable-MailUser
• Remove-MailUser

You can download SP2 from this link http://www.microsoft.com/download/en/details.aspx?id=28190. At 535 MB, it isn’t the smallest update you have ever had to download. It comes down as an EXE, so saving it to a common location that all of your Exchange servers can access will keep you from having to do multiple downloads. Remember, both during testing, and when it comes time for production deployment, patching should follow this order for servers:

1. Client Access Servers (all servers in a CAS array consecutively)
2. Hub Transport Servers
3. Unified Messaging Servers
4. Mailbox Servers
5. Edge Transport Servers (which can actually be done whenever, but it makes sense to leave them to last just for consistency).

I’m not saying Steve Balmer is a jolly old elf, but Santa’s helpers on the Exchange team worked very hard on SP2, and it’s the best early Christmas present I’ve gotten this year. Now, off to submit that change request!

Christmas Comes Early – Exchange 2010 SP2 is here!

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

With the imminent release of Exchange 2010’s Service Pack 2, I thought it would be nice to share some of the more interesting details that may be in store. I was digging around the Microsoft site looking for some documentation on what changes are actually made to the Active Directory schema when you extend it, as some fellow engineers had (unfounded) concerns about extending the schema. In my quest for documentation, I came across some very interesting documentation made available by Microsoft.

The Exchange Server Active Directory Schema Changes Reference is a Microsoft Word document that defines every change made to the Active Directory schema since Exchange 2003. This one hundred and seventy-one page tome goes into specific detail, and will no doubt prove to be immensely useful to developers and AD archaeologists in the future. The reason I am sharing it with you now is because it details even those changes that SP2 will make to the schema (yes, that’s correct, you will need to extend the schema to apply SP2, as mentioned in this article).

SP2’s schema extensions will modify several of the common classes we’re used to dealing with, including Mail-Recipient and ms-Exch-Mail-Storage, and our favourite ms-Exch-CustomAttributes, but where it gets interesting is in what classes and attributes are being added. A quick scan of these supports some of the new features we know are coming in SP2, including Address Book Policies, but take a look at the full list.

Classes Added By Exchange 2010 SP2

The following classes are added when you install Exchange 2010 SP2:

•             ms-Exch-Address-Book-Mailbox-Policy

•             ms-Exch-Coexistence-Relationship

•             ms-Exch-ActiveSync-Device-Autoblock-Threshold

Attributes Added by Exchange 2010 SP2

The following attributes are added when you install Exchange 2010 SP2:

•             ms-Exch-Content-Byte-Encoder-Type-For-7-Bit-Charsets

•             ms-Exch-Content-Preferred-Internet-Code-Page-For-Shift-Jis

•             ms-Exch-Content-Required-Char-Set-Coverage

•             ms-Exch-Address-Book-Policy-Link

•             ms-Exch-Address-Book-Policy-BL

•             ms-Exch-Address-Lists-Link

•             ms-Exch-Address-Lists-BL

•             ms-Exch-Global-Address-List-Link

•             ms-Exch-Global-Address-List-BL

•             ms-Exch-Offline-Address-Book-Link

•             ms-Exch-Offline-Address-Book-BL

•             ms-Exch-All-Room-List-Link

•             ms-Exch-All-Room-List-BL

•             ms-Exch-Coexistence-Domains

•             ms-Exch-Coexistence-External-IP-Addresses

•             ms-Exch-Coexistence-Feature-Flags

•             ms-Exch-Coexistence-Servers

•             ms-Exch-Extension-Attribute-16

•             ms-Exch-Extension-Attribute-17

•             ms-Exch-Extension-Attribute-18

•             ms-Exch-Extension-Attribute-19

•             ms-Exch-Extension-Attribute-20

•             ms-Exch-Extension-Attribute-21

•             ms-Exch-Extension-Attribute-22

•             ms-Exch-Extension-Attribute-23

•             ms-Exch-Extension-Attribute-24

•             ms-Exch-Extension-Attribute-25

•             ms-Exch-Extension-Attribute-26

•             ms-Exch-Extension-Attribute-27

•             ms-Exch-Extension-Attribute-28

•             ms-Exch-Extension-Attribute-29

•             ms-Exch-Extension-Attribute-30

•             ms-Exch-Extension-Attribute-31

•             ms-Exch-Extension-Attribute-32

•             ms-Exch-Extension-Attribute-33

•             ms-Exch-Extension-Attribute-34

•             ms-Exch-Extension-Attribute-35

•             ms-Exch-Extension-Attribute-36

•             ms-Exch-Extension-Attribute-37

•             ms-Exch-Extension-Attribute-38

•             ms-Exch-Extension-Attribute-39

•             ms-Exch-Extension-Attribute-41

•             ms-Exch-Extension-Attribute-40

•             ms-Exch-Extension-Attribute-42

•             ms-Exch-Extension-Attribute-43

•             ms-Exch-Extension-Attribute-44

•             ms-Exch-Extension-Attribute-45

•             ms-Exch-Coexistence-On-Premises-Smart-Host

•             ms-Exch-Coexistence-Secure-Mail-Certificate-Thumbprint

•             ms-Exch-Coexistence-Transport-Servers

•             ms-Exch-extension-custom-attribute-1

•             ms-Exch-extension-custom-attribute-2

•             ms-Exch-extension-custom-attribute-3

•             ms-Exch-extension-custom-attribute-4

•             ms-Exch-extension-custom-attribute-5

•             ms-Exch-ActiveSync-Device-AutoBlock-Duration

•             ms-Exch-ActiveSync-Device-Autoblock-Threshold-Incidence-Duration

•             ms-Exch-ActiveSync-Device-Autoblock-Threshold-Incidence-Limit

•             ms-Exch-ActiveSync-Device-Autoblock-Threshold-Type

Notice all those new Extension Attributes? If you have ever worked in a company that wanted to store more data in ms-Exch-Extension attributes instead of deploying their own schema extensions, you have probably run into a supply and demand situation where there just weren’t enough attributes to go around. Well SP2 adds another thirty, tripling the available extension attributes. For a couple of my customers, that’s reason enough to extend the schema with a beta of SP2 even if you don’t plan to actually deploy the service pack until next Spring! All of these new extension attributes will be indexed and replicated to the Global Catalog, making searches across AD for whatever you store in those attributes easier to execute across the forest.

Close to thirty MAPI ID’s are also being added, which may hint at new capabilities in store for the next version of Outlook. Time will have to tell on that one, but the note at the end holds a clue.

Only attributes with MAPI IDs can be retrieved directly from Active Directory Domain Services (AD DS) by Microsoft Outlook or other MAPI clients.

You can download the Schema reference from http://www.microsoft.com/download/en/details.aspx?id=5401 but be aware; for reasons that defy all logic, Microsoft chose to make this download an MSI file, that “installs” the documentation to your Program Files directory. Yes, that’s right, what at the end is just simple docx must be installed, invoke ConsentUI, build a directory path in your Program Files directory, and then drop a docx. With so much other documentation available from Microsoft in docx or PDF, this makes no sense, so you might want to just crack the MSI open and extract the docx by hand. It’ll be quicker!

However you choose to get the file, have a look and keep it handy. It’s a good history lesson in the evolution of Exchange, and I’m sure many of you will find a use for all those new extension attributes!

A Deeper Look into Exchange 2010 SP2

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Back in October of 2009 the City of Los Angeles voted unanimously to outsource their email services to Google. While many other organizations have made similar moves, this move made Los Angeles the largest city in the United States to hand over its messaging services to Google, Inc.

For $7.2 million, all 30,000 city employees would be turning to the cloud for email.

This was a huge win for Google because not only did they beat out their rival, Microsoft, but a successful implementation would easily pave the way for future business with local governments.

Fast forward two years and one Los Angeles city councilman is asking why nearly half of the 30,000 employees haven’t yet moved to the new Google Mail system.

The answer is Google has “been unable to meet the security requirements of the city and LAPD for all data and information.”

Basically, there have been legal obstacles concerning whether or not Google can house law enforcement data, such as criminal histories and data related to investigations, on its servers.

Shame on Google?

From an outsider’s point of view, it looks as if Google is to blame for this catastrophe.

Especially when news stories lead in with headlines like, “Google ‘unable to meet’ security needs of city email.”

However Google isn’t exactly at fault here. They claim that working with the regulations surrounding municipalities, “is so new that the legal requirements around data protection are still evolving — and that some of those regulations came to light only after the contract was signed in late 2009.”

Instead of making the jump, the LAPD and other agencies have remained on their older email system using Novell’s email software with Google footing the bill.

But costs aren’t the only thing at stake. Using two different email systems has caused headaches and productivity problems for city employees, especially the IT department.

Who is to blame?

In all actuality, it is the Los Angeles City Council who is at fault here.

Google provides a product. When a customer wants to use that product, they have to do their research.

Most likely, the question arose at some point, “will our information be secure with you?” And most likely Google answered yes.

But that can’t be sufficient. When you are talking to a salesperson, you need to understand that A) the nature of their job is to sell you a product and B) their legal knowledge will not be on the same level as that of a lawyer’s. Before the vote even came before the city council a thorough review of the product and its adherence to federal, state and local regulations should have been completed by the legal team for the city or an outside agency. End of story.

Best practices

There are plenty of news articles floating around in cyber space about how a school district or government agency dropped the ball when making a huge technology purchase.

A simple search of Google Apps for Government + regulations in the time period of October 2007 to October 2009 returns quite a few results about how Google is ramping up its offerings for government agencies. There are even some pretty high profile publications that covered what Google is doing to get ready for what it hoped would be a wave of government clients.

But if you go past the first few pages of the search results you start to see a different picture. Many more results caution users who need to adhere to specific regulations to stay away from cloud based providers for certain services. Email being one of them.

Of course quite a bit has changed since 2009, and Google has gone a long way to make sure that their products are certified under FISMA (The Federal Information Security Management Act of 2002) so that the federal government regulations that govern email are met.

And while Los Angeles still sorts out its email mess, other municipalities and agencies continue to move email services to the cloud. Some of them successful, some of them plagued by problems.

However one thing that hasn’t changed is that organizations will continue to sign large contract for products and services without getting the whole picture ahead of time.

For Los Angeles, Not Every Cloud Has A Silver Lining

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Have you checked the spam flowing into your organization lately? Microsoft has, and it has reported its findings in its Security Intelligence Report for the first half of this year.

The report, which is based data collected from 600 million computers worldwide, noted that pharmacy spam remains a favorite of junk emailers. An analysis of telemetry data from Microsoft customers who process tens of billions of messages a month using the company’s Forefront Online Protection for Exchange (FOPE) shows that 28 percent of all spam is non-sexual pharmacy junk. By comparison, sexual pharma spam is at the low end of the spectrum at 3.1 percent.

Behind pharma junk are non-pharmacy product ads (17.2 percent), 419 or “Nigerian” scams (13.2 percent), financial services (8.9 percent) and gambling (6.1 percent).

In the past, the report noted, some spammers tried to evade content filters by sending messages composed entirely of one or more images. This tactic appears to be losing favor among junko artists, as only 3.1 percent of the spam blocked by FOPE during the first half of the year was image spam, compared to 8.7 percent in 2010.

Microsoft researchers also found fewer “spikes” in spam activity during the period than in the past. Typically, volumes for a spam category spike as junksters mount short-lived, large-scale campaigns for it. Month to month volume changes were much more gradual during the first half of 2011, they discovered, except in one category: fraudulent university diplomas. That’s usually a very low volume type of spam, but in February it spiked to four percent of all spam. A similar spike occurred around the same time in 2010.

While the kind of junk spammers are flinging at organizations remains similar to the past, the amount of it has decreased significantly, according to Microsoft. From July 2010 to May 2011, the amount of spam blocked by FOPE plummeted from 89.2 billion to 21.9 billion messages. Microsoft attributed the volume declines to two botnet takedowns: Cutwail, in August 2010, and Rustock, in March 2011. “The magnitude of this decrease suggests that coordinated takedown efforts such as the ones directed at Cutwail and Rustock can have a positive effect on improving the health of the email ecosystem”, its report said.

FOPE is stopping most spam at the perimeter of the organization’s using it, the report noted, which frees up resources that would be consumed by more-intensive anti-spam methods. From 85 to 95 percent of incoming messages are blocked at the network edge each month, while the remaining five to 15 percent must have content-based rules applied to them. However, over the last year, the report showed the amount of edge blocked spam steadily declining, from 95 percent in July 2010 to around 85 percent in June 2011.

Much of the world’s spam is delivered through botnets, networks of compromised computers that respond to spammers’ commands remotely. During the first half of the year, Microsoft researchers found some interesting jockeying for position among the nations hosting spambot IP addresses.

While India remained at the top of the heap, with around 11 percent of all spambot IP addresses, and Russia remained strong with around a 7.7 percent share, some newcomers broke into the top five ranks from the first to second quarter of the year. Korea, for instance went from a 2.9 percent share to 8.4 percent to claim second place. Meanwhile, Vietnam jumped from four percent to 7.3 percent and Indonesia increased from 2.4 percent to 5.6 percent.

What Spam Is in Your Inbox? Microsoft Breaks it Down

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Over the years, Microsoft has taken its lumps when it comes to security however as a company, they have taken some pretty impressive strides to make sure that their products are more secure.

However, their security efforts have not been limited to just their products. They have launched several educational campaigns aimed at helping users better secure their computers and networks.

These efforts can be seen by Microsoft’s latest report, Microsoft Security Intelligence Report, and its corresponding website.

This project was set up to provide businesses and consumers with hard data concerning security risks and best practices from Microsoft themselves on how to mitigate the various risks.

Being the producer of the most popular email client software packages – Outlook, Hotmail, Outlook Express and Windows Live Mail – they have a definite interest when it comes to helping users guard against email threats.

Spam, according to Microsoft:

• Wastes resources
• Distracts recipients
• Puts assets at risk for greater security problems
• Provides an avenue for social and criminal hacking attempts
• Provides an avenue for phishing scams against users

While stopping these issues definitely is a concern for Microsoft internally, educating their customers on how to eliminate the problems associated with spam will certainly help them sell more products to people looking for the most secure product on the market.

A Look Inside Microsoft

According to their website, Microsoft filters between five to ten million email messages every day that contain malware and/or spam. On a daily basis, they see threats that include spyware, worms, attacks from botnets and polymorphic viruses attacking their email messaging systems. Each day more than 100 different types of executable files are removed from incoming messages sent to Microsoft employees.

So we can safely say that as an organization, there is little that they haven’t seen when it comes to protecting email systems.

To best fight the many different threats facing email, all inbound email to Microsoft much pass a three-tiered process to include anti-malware scanning, file removal and spam filtering.

The importance of this approach is simple. Stop threats before they reach the user.

Incorporating an anti-malware scan into messaging systems helps protect the integrity of your systems because threats can be stopped before a user has the opportunity to allow infected files to compromise a computer or network.

Likewise, a file removal process prevents malicious executables sent via email attachment from ever having the chance to launch. Followed with adequate spam filtering, this process reduces the need for organizations to rely solely on a desktop based security solution or a network firewall. Both of which do not provide comprehensive protection on their own.

These strategies seem like common sense steps that we would hardly need to rely on Microsoft to provide. However many organizations neglect to incorporate these simple strategies into their planning.

Other Ideas from Redmond

Keeping systems protected cannot be done by simply scanning incoming messages for threats. Other steps need to be taken. The best practices that Microsoft recommends to organizations are as follows:

• Provide email submission services on port 587.
• Require SMTP authentication for email submissions.
• Abstain from interfering with connectivity to port 587.
• Configure email client software to use port 587 and authentication for email submission.
• Block access to port 25 from all hosts on your network other than those you explicitly authorize to perform SMTP relay functions.
• Monitor outbound email traffic patterns and look for deviations from normal behavior, such as abnormally large bursts of email traffic.
• Disable computers or individual email accounts that have been compromised and are being used to send out spam.
• When possible, process abuse complaints from third parties for email that originated from your mail servers. These complaints often point the way to a compromised computer.

As email administrators, we tend to look to hardware and software solutions to keep things running smoothly and securely. However, protecting systems and users from threats is ultimately our responsibility. Knowing the best way to do so is part of the job description.

Turning to experts for advice when it comes to security does not mean we are unable to do things on our own, it means we are wise enough to use what works and smart enough to know where to look.

Email Security Best Practices from Microsoft

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

There was a time when using PST files were thought to be the solution to file storage problems. Getting emails out of the user’s mailbox and onto a shared repository not only freed up email inboxes from increasing file sizes, but also gave admins a central location in which all emails could be backed up and archived.

Add to these benefits the fact that PST files could be separated so emails related to a project, client, subject, etc could be stored and archived separately, and many would think that this solution was all that an IT department would need to manage their archiving and storage needs.

Of course PST files aren’t a panacea; they have many problems associated with them.

Working offline

More and more frequently, workers find themselves working remotely. When this happens, they don’t always have access to network resources so they find themselves working offline. This makes accessing PST files stored on a network device difficult, if not impossible, to use.

Workers who need to refer back to emails in their personal folders are pretty much out of luck.

Another, more common situation, arises when PST files are stored on a desktop computer at the home office and a remote worker is using a different computer; let’s say a laptop at home.

This user could not access his or her PST files if they cannot access that desktop computer where the file is housed. Now you may wonder why anyone would keep their PST files on the local computer as opposed to a shared network resource, but the scenario is actually quite common.

In fact, it was considered a best practice since Exchange 4.0.

According to the Technet blog:

“A .pst file is a file-access-driven method of message storage. File-access-driven means that the computer uses special file access commands that the operating system provides to read and write data to the file.

This is not efficient on WAN or LAN links because WAN/LAN links use network-access-driven methods, commands the operating system provides to send data to or receive from another networked computer. If there is a remote .pst (over a network link), Microsoft Outlook tries to use the file commands to read from the file or write to the file, but the operating system then has to send those commands over the network because the file is not on the local computer. This creates a great deal of overhead and increases the time it takes to read and write to the file. Additionally, the use of a .pst file over a network connection may result in a corrupted .pst file if the connection degrades or fails.”

Bad files

Anyone who has worked with PST files knows that they have a tendency to become corrupted or damaged. There is an entire industry dedicated to developing tools to help email administrators fix damaged PST files, and Microsoft themselves have published a number of tools to help fix specific problems.

These problems can occur due to hardware failures, such as:

• A failure in the storage device
• A power failure
• Failure in a networking device
• Failure in the network infrastructure

Of course, the software itself also has been known to create problems:

• Incorrect file system recovery where PST data is incomplete or incorrect
• Malware infections that damage PST files
• Outlook being terminated abnormally
• Deficiencies in Outlook itself

Regardless of what caused the problem, if you encounter damaged PST files it costs money to repair them. It can cost even more if you are required to provide information from them but can’t because they are corrupted.

The intent behind personal storage tables makes perfect sense. However, in practice email administrators need to find a better solution if they want to stop wasting time with the hassles presented to them by Outlook’s PST problems.

Solutions that are made to be stored on network file stores and less likely to be corrupted by common tasks, not only make life easier for the IT department, but legal departments as well, since accurate, reliable information can be provided when it is requested, not when a company eventually finds a specialist to piece everything together.

Two Big Problems With PST Files

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

There are many reasons why an organization would make the move to Exchange Server 2010. Features like email archiving, increased discovery capabilities, greater flexibility and the lure of anywhere access make this email solution a promising one.

However, these features are generally ones that are used to sell management on an upgrade or switch. For administrators, the PowerShell is usually a feature that gets them on board.

The PowerShell feature of Microsoft Exchange is similar to what some email administrators who worked in a UNIX-based environment are accustomed to.

Giving admins the ability to automate repetitive tasks with scripts, called cmdlets, helps save time as many find navigating through GUI menus and submenus looking for the right actions to be wasteful when the same thing can be done by running a few lines of code.

Understanding the basics

PowerShell is installed by default on Exchange 2010. To launch it you will need to be on a workstation, or server, where you have installed the Exchange Management Tools. By clicking on Start | All Programs | Exchange Server 2010, you will be presented with the Exchange Management Shell shortcut. Clicking on this icon will launch the shell for you to get started.

Cmdlets follow a pretty simple syntax. To run a command in PowerShell you simply type in the name of the cmdlet followed by a hyphen and then any parameters. The value of the parameter comes after the parameter name itself and can be wither option or required depending upon which cmdlet you are running. So an example cmdlet would look like this:

Set –Mailbox username –MaxSendSize 5mb -MaxReceive Size 10mb

The result would be to modify the user’s mailbox so that he or she could only send messages under 5mb but would allow them to receive messages up to 10mb. Of course you would need to supply an actual username.

There are times when PowerShell will ask for confirmation before the cmdlet takes the requested action. For example, if you were removing a mailbox the shell will ask you “Are you sure you want to perform this action?” followed by an explanation of what you are about to do.

While you can easily hit the Y key to confirm, or the A key to say Yes to All, you can also turn off the confirmation with the –Confirm:$false parameter.

Parameters also don’t always have to be typed out fully. You can use a shortcut by typing enough characters of the parameter name to differentiate it from any other parameters. An example of this is the –Identity parameter. A valid substitution for this can be –id since this is unique enough to meet the requirement. Since –Identity is one of the most frequently used parameters, this shortcut can be quite helpful.

Wildcards can also be used cmdlets. To use a wildcard the asterisk, “*”, is entered after the characters you select. An example of this can be seen in the following where we set the mailbox sizes for only those that start with the letter “a”:

Set –Mailbox –id a* –MaxSendSize 5mb -MaxReceive Size 10mb

The final tip to getting started in PowerShell deals with the use of single and double quotes in your scripts.

Whenever the values for your parameters require a space, the values need to be enclosed. Most commonly the single quotes would be used for this as in the following example:

Get-Mailbox -OrganizationalUnit 'yourdomain.com/Management Users/Chicago'

This cmdlet will retrieve information for all uses in the specified OU.

Double quotes are used when you expand a variable within a string:

&City=Chicago

Get-Mailbox -OrganizationalUnit “yourdomain.com/Management Users/$City”

Get yourself some help

The help system for any scripting should be your first resource if you run into trouble. When it comes to the PowerShell, help is just a command away.

Get –Help followed by the name of the cmdlet is all you need to type. If you want to get more information about the Get –Mailbox cmdlet then you would enter:

Get –Help Get –Mailbox

To get more specific information, you can use these switches:

• -Detailed – Provides parameter descriptions and examples
• -Examples – Provides multiple examples of how the cmdlet can be used
• -Full – Provides you with the all the help content regarding the cmdlet

So for everything dealing with the Get –Mailbox cmdlet you would type:

Get –Help Get –Mailbox –Full

Again, all of these actions can be completed using the GUI provided with Microsoft Exchange 2010, but having a strong familiarity with the PowerShell not only allows you to get through some tasks a bit quicker, but can be a lifesaver in many circumstances.

PowerShell Basics in Microsoft Exchange 2010

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

With another round of issues facing users of Microsoft’s Exchange Online service the launch of the Business Professional Online Services replacement, Office 365, is starting to face questions by consumers who are starting to think that Microsoft’s cloud based services may not have much of a silver lining.

Exchange Online is a hosted messaging solution, like Google’s Gmail for businesses, and is based on the same technologies that run the ever popular Exchange server. However as this is a hosted solution, the business does not need to dedicate the same resources towards messaging as they would if they were running their own email servers on-site. Since messages are stored in the cloud, Exchange Online users have “From virtually-anywhere” access to e-mail. Also touted by Microsoft’s website is:

• Improved email security
• Enhanced operations efficiency for a company’s IT staff
• 25-gigabyte mailbox storage size for the standard license

Most importantly, users who have become reliant on Microsoft Outlook and its tools can find the move to hosted email seamless unlike the issues that arise when using Outlook with other hosted email services.

What seems to be the problem?

In early May, most BPOS users experienced loss of service for up to nine hours one day followed by sporadic outages over the next couple of days. Without email services, many businesses found their productivity crippled.

Ironically, email services hosted in Microsoft’s beta offering of Office 365 were not affected by the outages and service here did not have any of the issues that BPOS had. However the timing of these recent problems couldn’t be any worse.

Microsoft’s reputation is still tarnished by the problems associated with Windows Vista and Internet Explorer is often thought of as an inferior product when compared to competitors, so making headlines once again due to service related issues is not the best thing when launching a new product. Even if the product addresses the problems you are infamous for.

Is there light at the end of the tunnel?

Most people understand that there is no such thing as 100 percent uptime when it comes to technology. Ask Gmail users if their service is always up. Things are bound to fail at times. And to Microsoft’s credit they responded to the problems quickly, provided users with a temporary workaround to restore service and they identified the root cause of the issue in a short period of time. Unfortunately most people aren’t in the habit of giving Microsoft much credit for anything.

What we can learn from this

Email administrators understand all too well the importance email service plays in the ability for a business to operate efficiently. When email is down workers grow impatient, management grows frustrated and the email administrator’s popularity rapidly wanes.

In order to handle a disruption in productivity any business that relies on the cloud for essential services, like email, should have a back-up plan. One thing that is promising with Office 365 is that it offers a hybrid approach to email. Using Exchange Server 2010 on site in the hybrid deployment scenario that Microsoft offers can help an organization better deal with outages in their cloud services. Conversely, being able to access email via the cloud keeps things moving when the Exchange server goes down as well.

Microsoft’s Office 365 community website points out that the cross-premise messaging solution (hybrid deployment) offers the following features to help lure potential customers:

• Mail routing between on-premises and cloud-based organizations
• Mail routing with a shared domain namespace (For example, both on-premises and cloud-based organizations use the @contoso.com SMTP domain)
• Unified global address list, also called a “shared address book”
• Free/busy and calendar sharing between on-premises and cloud-based organizations
• Centralized mail flow control; the on-premises organization can control mail flow for both organizations.
• A single Outlook Web App URL for both the on-premises and cloud-based organizations
• Move existing on-premises mailboxes to the cloud-based organization
• Centralized mailbox administration using the on-premises Exchange Management Console (EMC)
• Message tracking, MailTips, and multi-mailbox search between on-premises and cloud-based organizations

Despite recent problems, Office 365’s email solution looks rather promising. One Microsoft is able to do some PR related damage control it looks like they will be able to make a solid run at cloud based email services and give Google Mail something to think about.

Is Microsoft Exchange Online Only Half-Baked?

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Microsoft frequently develops and releases some great tools, and does so with little to no fanfare whatsoever. Some of my favourite tools; ones that I keep on a USB key and carry with me everywhere, are free downloads that almost no one has ever heard of. Occasionally I like to share the better ones with readers, and today I want to introduce you to a great tool for those of you getting ready to make the move to Exchange 2010.

The Exchange 2010 Pre-Deployment Analyzer is a free download from Microsoft, and is based in part on the Exchange Best Practices Analyzer. Some of the tests the Pre-Deployment Analyzer runs are the same as those run during the prerequisite checks the Exchange installer runs, but the approach of this tool is different in several notable ways.

First, the Exchange Pre-Deployment Analyzer is targeted towards users who are evaluating their overall environment. The checks that run during the initial steps of an Exchange installation are more focused on the actual server on to which you are trying to install Exchange. The tool checks your Active Directory forest and domains, and analyzes any existing Exchange 2003 or 2007 servers you are running to ensure that they are at the correct patch level to support the introduction of Exchange 2010 into the organization. If problems are found they are reported as either Critical, or Warning. Critical issues are those that will stop your Exchange 2010 deployment in its tracks, and must be addressed before proceeding. Warnings are those things that may cause issues or reduce performance, but are not show stoppers.

The checks that are run can be found in the XML file, and include the following:

• Reporting on the forest structure, including trees, domains, sites, admin groups, routing groups, Exchange 5.5 servers, Exchange 2000 servers, Exchange 2003 servers, total mailboxes, domain controllers, and how many Active Directory domain/sites have Exchange servers installed.
• Verifying that the Schema Master is Windows 2003 SP1 or later.
• Identifying Active Directory domains that are not in native mode.
• Identifying Active Directory sites that do not have a global catalog server running Windows 2003 SP1 or later.
• Verifying that there are no Active Directory Connector servers.
• Identifying all SMTP site links.
• Verifying that the Exchange organization is in native mode.
• Identifying any non-standard proxy address generators.
• Identifying any ambiguously defined email addresses in your recipient policies.
• Identifying any non-MAPI public folder hierarchies in use.
• Identifying Routing Groups that span Active Directory sites.
• Identifying any Active Directory sites that span Routing Groups.
• Identifying any Routing Group Connectors that have specialized settings.
• Identifying any SMTP Connectors that support non-SMTP address spaces.
• Identifying any SMTP Connectors that use inline domain.
• Identifying any X.400 Connectors in the topology.
• Identifying any EDK-based Connectors in the topology (excluding Notes).
• Verifying that any servers running Exchange 2003 have SP2 or later.
• Verifying that any servers running Exchange 2007 have SP2 or later.
• Identifying any SMTP virtual servers that are not using port 25 for incoming/outgoing.
• Verifying that all Exchange 2003 servers have SuppressStateChanges set.
• Identifying any Exchange 2003 servers that have active NNTP newsfeeds.
• Identifying any Exchange 2003 servers that use the Event Scripting service.
• Identifying any Exchange 2003 servers that have the ExIFS (a.k.a. M:) drive enabled.
• Identifying any parts of Active Directory that have Access Control Entry inheritance disabled.

That’s quite a list. Sure, you could check all of these manually, but would you really want to? Anything that the Pre-Deployment Analyzer finds that could cause you problems is brought to your attention in the final report, which lets you quickly identify things you need to change, upgrade, or decommission before proceeding with your first Exchange 2010 server installation.

The Exchange Pre-Deployment analyzer runs on any current server or workstation operating system, requires the .Net Framework 2.0, and should be run by an Enterprise admin who is also a member of the  Exchange Organization Administrators groups to get a full analysis of everything involved.

Getting ready for Exchange? Check out the Exchange Pre-Deployment Analyzer

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

The fruits of a partnership announced last year by HP and Microsoft have finally ripened with the announcement of a new series of application appliances aimed at simplifying the deployment of critical business software programs, including Exchange 2010.

The Exchange appliance, the HP E5000 Messaging System, will be available in March starting at $36,000, plus the cost of a software license. It’s designed to meet the design goals of Exchange 2010–including the creation of low-cost large mailboxes that can be scaled quickly to meet growing data demands and are available 24 hours a day, seven days a week–and to reduce the complexity of deploying and optimizing storage for critical business messaging.

With the new appliance, an organization can cash in, with a minimum of pain, on Exchange 2010 benefits, such as boosting user productivity by removing archival functions from the desktop with the elimination of *.pst files, improving performance by adopting new IO patterns that reduce IOPS requirements by 85 percent and decrease storage demands and costs with built-in replication for direct attached storage.

According to HP, in the next 12 months, more than a third of all IT organizations will be upgrading to Exchange 2010 to take advantage of those benefits. When doing so, those enterprises will be facing some hard questions. For example, how should they configure their server? What type of storage should be used? How much network bandwidth will be enough, and should they virtualize or not?

Those questions and others can be easily addressed by the new messaging appliance, HP maintains. It claims the new box can “radically simplify” the delivery of Exchange 2010′s innovations to an organization and because it’s optimized for the software, it can give an outfit everything it needs to streamline deployment, ensure high performance and availability and keep the total cost of ownership for the deployment attractive.

When designing the E5000 system, the HP design team had three goals, according to Dean Steadman, the company’s worldwide product manager focusing on unified storage solutions for Microsoft applications. It wanted the product to be complete, simple and agile.

• Complete. It had to address highly available servers, storage, networking, Windows licensing, support services and Exchange best practices. For example, it addresses high availability by combining HP hardware redundancy with Exchange’s Database Availability Group features. “E5000 customers can sleep at night knowing that their high availability, performance tuning and capacity planning was designed by the industry experts,” Steadman boasted.
• Simple. As much of the system as possible is pre-configured at the factory. Microsoft Windows Server 2008 R2 Enterprise Edition is preloaded on the hardware and all its storage formatted and configured. Those moves alone should save administrators a day’s worth of deployment time, according to Steadman. What’s more, the system contains custom tools to further speed up deployment and quickly integrate the system into an existing Windows infrastructure. In addition, the system plays nicely with management suites like HP SIM and Microsoft System Center.
• Agile. The system is built to accommodate the requirements for a variety of architectures and to adjust to changing business requirements. “We knew that a one size fits all approach wouldn’t work for Exchange,” Steadman said. That’s why the system is designed to work in a single site or standalone deployment, as well as in organizations with multiple data centers or branch offices. To boost the availability of a deployment or address a growing need for mailboxes, up to eight E5000′s can be clustered together. Moreover, adding storage to the hardware is as simple as plugging in an additional disk-shelf.

Steadman acknowledged that HP’s announcement was a little light on hardware specifics. “That’s because the E5000 Messaging System will be available in March and we’re keeping some of the cool geeky details to ourselves for just a bit longer,” he explained.

When HP and Microsoft announced their collaborative agreement a year ago, the companies pledged to jointly spend $250 million to produce appliances that combined technologies from both companies. The goal of the combine was to deliver hardware that was pre-installed and pre-configured to optimize it for maximum performance and smooth deployment.

“Customers are looking to significantly reduce implementation and decision times,” Mark Potter, HP senior vice president and general manager for industry standard servers and software said in a statement. “With our converged application appliances, HP and Microsoft enable customers to shorten the time required to deliver information, which helps to reduce risk and cost.”

New Exchange hardware released by HP-Microsoft

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Most companies need an internal SMTP relay at some point. Whether this is for alerting systems, or the scan to email features of their printers, or the “phone home” capabilities many hardware systems offer, the ability for an internal device to send an email to both your internal systems, and out to the world is often needed, and frequently either over, or under engineered. 

Microsoft includes an SMTP service with all versions of the Windows operating system, and the SMTP service is perfect for the job of taking all the non-Exchange based emails in your company and passing them through a single point without having to pass them through your Exchange system unless they are destined for an internal mailbox.

I have seen companies establish dedicated servers, or purchase third party applications, for what is really a very light-weight task that can be added to any available file server or other server with minimal resources. Let’s look at how to add the service, how to configure the service, and some considerations for its use.

Identifying the need

If you have printers with a scan to email feature, SANs or other vendor supported systems that want to email reports and alerts to the vendor, alerting systems that like to send SMTP messages about events, or anything else that needs to send email out to the Internet but that you don’t want to assign an Exchange CAL, then this service is for you.

Choosing which server(s) to use

The SMTP service is available on all versions of the server platform, and requires almost no RAM, CPU, or disk, so it can be installed on essentially any system you have. I like to use file servers, as they tend to have resources to spare (other than free disk space) and are in a central location. This is good, as you want this service to be available to your entire network. I like to deploy two systems, and set up DNS round robin so that the service is highly available. Of course, many older printer/scanners can only be pointed to an ip.addr, so if this is really critical, you need to set up a pair and use NLB.

Getting ready to install

If you are going to let your SMTP relay send mail directly out to the Internet, identify the external address your relay will be NAT’d to on your firewall. Establish an MX record with a weight of 99, and update your SPF record to include this system. If you are going to pass email through your content inspection system, get that internal ip.addr or FQDN, and ensure it is setup to accept mail from your relay.

How to install the service

In Windows 2008, the SMTP service is considered a feature. Here is how you add that. Open an administrative command prompt and run this command as a single line (wrapped to fit the column.)

servermanagercmd.exe -i web-metabase web-lgcy-mgmt-console
 rsat-smtp smtp-server [enter]

How to manage the service

To manage this feature, use the Internet Information Services (IIS) 6.0 Manager, which was added to your Administrative Tools menu when you installed the SMTP Service. In the 2008 SMTP service, the default configuration will NOT relay for any host, which is a good thing. We want to provide a service, but we don’t want to open the floodgates.

1. Right-click your server to access the properties.
2. On the General tab, the defaults should be acceptable for most uses, but you might want to enable logging so that you can see how your relay is being used.
3. Click the Access tab.
4. If you want to require authentication, click the Authentication button. However, since most printers won’t support that, you probably want to leave Authentication alone.
5. Click the Relay button. Notice that by default, no relay is allowed. If you are absolutely certain that this server is will not be abused, and you do not want to restrict relay, you can click the radio button for “All except the list below.” Do not do this on a system in the DMZ, or that has a static NAT assigned to it on the external interface of your firewall. Doing so would create an ‘open relay’ and we all know how bad a thing that is. I recommend that you add the individual addresses of systems you want to permit, or as a compromise, add your internal subnet(s.) This is less work than adding each individual machine, means new systems can start relaying mail without your involvement, and still ensures that your server won’t become an open relay to the world.
6. Click the Messages tab, and review the default limits on number and size of messages. Adjust to taste.
7. Click on the Delivery tab, and then the Advanced button. If you are going to let your SMTP relay send mail directly out to other MTAs on the Internet, fill in the FQDN of your system with a name that will map to the MX record you created in “Getting ready to install” section. If you are going to send email through another system that does anti-malware and content inspection (recommended) then fill in the “Smart host:” field with the ip.addr or FQDN of that system. Smaller business that use an ISP for email will want probably need to fill in the FQDN of their ISP’s relay here. Click OK.
8. If the upstream relay requires authentication, click the Outbound Security button, and set the appropriate credentials. If not, you are done.
9. Test your relay out, using the telnet process we covered in this article.

If all is well, your server should be sending emails like a champ. Remember, whether you assign it a dedicated NAT address on the firewall, or let it use the global, you will want to add that to your SPF records so that external systems will accept your email. And since email is something you should keep an eye on, make sure your egress filtering doesn’t allow all systems to send email directly out; only your SMTP relay and mail infrastructure should have that privilege.

Got relay? Using the Microsoft SMTP service

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Microsoft and VMware are at odds over some “guidance” the virtualizaton software maker has issued about Exchange and disaster recovery.

At issue is a section in a document published by VMware titled “Microsoft Exchange 2010 on VMware Availability and Recovery Options.” which discusses using Database Availability Groups (DAG) clustering for fast recovery following a disaster.

“Database level high availability can be achieved through the use of database availability groups.,” VMware said.

“In the event of a server host failure, a passive copy of the affected mailbox databases is activated,” it continued. “Client access servers establish MAPI connectivity to the newly active database copy and client connections are reestablished.”

“In the background, VMware HA powers-on the failed virtual machine on another server host, restoring the DAG membership and bringing the newly passive database up to date and ready to take over in case of a failure, or to be manually reactivated as the primary active database,” it said.

“While the use of database availability groups on top of hypervisor based clustering is not a formerly supported configuration, internal VMware tests have shown that the two technologies can co-exist and can be a viable solution to ensure maximum recoverability in the case of a host failure.,” it added.

That advice from VMware was bleakly viewed by Microsoft.

“While Microsoft embraces virtualizing Exchange servers because virtualization gives organizations additional choice and deployment flexibility to meet business requirements and lower IT costs, we’re concerned by deployment guidance that doesn’t accurately follow our Exchange best practices and deployment guidelines,” the company wrote at the Micrsoft Exchange Team blog.

“For example,” it continued, “we feel VMware’s misleading guidance represented in their recent “Exchange 2010 on VMware Availability and Recovery Options” document (and accompanying “Exchange 2010 on VMware Best Practices Guide”) puts Exchange customers at risk, and brushes aside important system requirements and supported configurations.”

“Their guidance could also greatly increase the overall cost of managing your Exchange infrastructure,” it added.

Microsoft went on to argue,

“Because hypervisor HA solutions are not application aware, they cannot adapt to non-hardware failures. Combining these solutions adds complexity and cost, without adding additional high availability.

“On the other hand,” it added, “an Exchange high availability solution does detect both hardware and application failures, and will automatically failover to another member server in the DAG, while reducing complexity.”

Needless to say, VMware didn’t take kindly to Microsoft’s criticism of the virtualization software maker’s advice. Far from reckless, Alex Fontana and Scott Salyer wrote at VMware’s Virtual Reality blog, the advice “can help our customers get greater value out of virtualizing Exchange.”

The VMware solution reduces complexity, they maintain.

“VMware HA is a very simple mechanism that automatically reboots a failed virtual machine on any available host in the vSphere cluster in the case of a host failure,” they explained. “From an application standpoint, the behavior of VMware HA is equivalent to a simple power-on of the machine on which the application is running. It is completely transparent to the OS and the application.”

When a DAG fails in the real world, an administrator will power on that node to restore availability protection. VMware HA does the same thing, only automatically, Fontana and Salyer asserted.

“Seems to us like that’s a pretty reasonable thing to do, and many of our customers agree and are happily using this in production,” the pair wrote.

The approach doesn’t increase the cost of deploying Exchange, the argued, because computing requirements remained unchanged since HA doesn’t rely on failover instances. Neither does it affect overall storage requirements, they contended.

Moreover, what could be simpler for administrators? “When a DAG node fails, you no longer need to manually detect the failure and bring the node back up–VMware HA does that automatically,” they added. “And VMware HA doesn’t require any OS- or app-level configuration changes.”

While VMware makes a strong case for its advice, when the rubber meets the road, that is, when something goes wrong and an administrator needs Microsoft to come to the rescue, the advice could backfire on those who heed it.

As Scott Lowe points out in his blog at VirtualizationAdmin.com:

“VMware is probably in the wrong when it comes to actively recommending to customers what Microsoft considers an unsupported configuration. While the solution is almost 100 percent likely to work from a technical perspective (and, this has been tested), Microsoft is known for their strict support policies when it comes to virtualization and, from the standpoint of ability to get support when necessary, this unsupported configuration could leave customers at risk for not getting support.”

Nevertheless, Lowe called Microsoft on the carpet for its position on the VMware solution.

“Microsoft: If you have solid technical reasons for not supporting HA (not DRS) for DAG members complete with the test results and numbers to back up the ‘cost and complexity’ claim, we want to hear it!” he wrote. “If there is something to the claim, additional information will help customers make much better decisions regarding availability and will go a long way toward helping us understand this stance.”

Microsoft tangles with VMware over Exchange “guidance”

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Clarke: Defends forced migration.

More than a few administrators have been annoyed by Microsoft’s decision to omit an in-place upgrade when moving to recent versions of Exchange. Exchange General Manager Perry Clarke recently defended the policy in his Ask Perry blog.

Contrary to the opinion of some critics of the practice, in-place upgrades weren’t ignored because the Exchange team is full of lazy programmers, he joked.

As any Windows user knows, Microsoft designs its software for the latest hardware on the market. Sure, you can run it on legacy iron, but it will be a problematic proposition that will eventually force you to buy new hardware in frustration. That logic appears to be behind the forced migration policy for Exchange.

 ”In major releases we tend to make substantial changes to our architecture to take advantage of exponential changes occurring on the hardware front,” Perry wrote on his blog. “Doing this in a backwards compatible way often leads to substantial compromises that leads to a more expensive and less reliable TCO [Total Cost of Ownership].”

The new software can produce significant cost savings for organizations, but only if it’s run on new hardware, he maintained.

“Certainly to fully take advantage of the changes in the release requires rethinking the hardware design,” he wrote. “Over the past couple of releases, doing this properly will reduce costs so substantially that continuing to run the old hardware would be un-economic even through it is fully depreciated.”

In defending forced migration, Perry makes it sound like Microsoft is doing IT managers a favor by coercing them to buy new hardware to accommodate an Exchange upgrade.

“Given the rapidly improving hardware and the fact that the most expensive component (storage) wears out [r]egular hardware refreshes in the order of every 3-4 years are needed,” he wrote. “Doing both a major-version in-place upgrade followed by a migration to new hardware is a model that combines the worst of both approaches.”

“The migration model is well suited to most organizations because it allows you to move your least sensitive mailboxes first, your most sensitive mailboxes ( execs? application mailboxes?) last and have a great coexistence story,” he argued.

In a video accompanying Perry’s blog, he added that changes in the way recent iterations of Exchange treat storage has made it difficult to do in-place upgrades. The first time Microsoft faced that problem was when it went from Exchange 2003 to Exchange 2007. At that time, it was decided to make the software 64-bit only. That essentially shut the door on in-place upgrades.

“That was a tough decison at the time,” he said. “Marketing was really concerned that it would be a big blocker. But when we looked at the hard data, our customers largely were doing migrations.”

“Well more than 80 percent of the people upgrading from 2003 had done a migration approach, and almost all of the rest, had done an in-place upgrade followed by hardware migration,” he added.

To salve the sting of migration to Exchange 2010, Microsoft has incorporated features into the program to minimize disruption to the daily operations of an organization. In previous versions of Exchange, migrations had to take place after normal business hours, Clarke explained. With Exchange 2007, which supported larger mailboxes, it became more and more difficult to restrict migrations to that “after hours” window.

“The single biggest thing that we did to improve this was to enable online moves between versions,” he said. “So between 2007 and 2010 your mailbox moves can actually occur during your migration period 24-by-7 and users will see absolutely no impact,” he contended.

Clarke’s defense of forced migration attracted more than a few gadflies to his blog.

“Excuse me,” commented “Thomas,” “but did you ever hear about virtualization? You know, you can add RAM and processor power dynamically there. No need to move to a new machine.”

Another irrate commenter, ‘Ferdy’, complained, “It is ridiculous that a software vendor gets to decide that their clients need to replace their hardware, no matter how large your technical changes are.”

“Yeah I’m sorry, but that sounds a lot like a desperate defense of the indefensible,” wrote ‘Mark’ of Clarke’s remarks. “We administrators are perfectly capable of analyzing our hardware and it’s capabilities ourselves.  We don’t need Exchange Developers deciding for us whether or not we need to upgrade our hardware with every single major release.”

Microsoft defends Exchange migration policy

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Microsoft’s reboot of its efforts in the mobile market with Windows Phone 7 has been greeted with kudos from some quarters, but its integration with Exchange Server leaves something to be desired, at least in the view of one Redmond watcher.

“While I’ve been an enthusiastic supporter of Windows Phone 7 since, well, Microsoft announced the new smart phone platform back in February, it’s time for a reality check,” writes Paul Thurrott at the SuperSite for Windows blog.

“Yes,” he continued, “Windows Phone 7 offers excellent competition to the current industry favorites, Apple iPhone and Google Android. And yes, I do think it will establish itself as one of the key mobile platforms going forward. But Windows Phone 7 is not an acceptable enterprise smart phone solution, at least not in its initial release.”

That’s a bit surprising, since Windows-based mobile phones have a reputation for being extememly enterprise friendly, sometimes at the cost of providing a satisfying user experience. With WP7, Microsoft appears to have gone in the opposite direction. It’s finally got the user experience thing down pat, but at the expense of its enterprise prowess.

“We’re still extremely impressed by the software’s touch responsiveness and speed,” observed Joshua Topolsky comparing, at Engadget, the final version of the platform to earlier editions. “In fact, this is probably the most accurate and nuanced touch response this side of iOS4.”

“It’s kind of stunning how much work Microsoft has done on the user experience since we first saw this interface–everything now comes off as a tight, cohesive whole. We haven’t seen any substantial interface lag while using the device, and the short transitions between applications or pages are well suited to the overall experience,” he continued.

“Overall, though, day to day use inside of this UI has been solid,” he added. “Microsoft actually created a fairly intuitive, tightly woven operating system. We did see some occasional lagginess and freezes, and we had some troubling issues with third-party app performance…but for a first generation, brand new OS, the folks in Redmond have done a pretty impressive job.”

While Thurrott raps WP7′s Exchange integration, he does praise some enterprise aspects of the platform. For example, WP7 supports multiple Exchange Server accounts, including accounts based on non-Microsoft systems that support Exchange ActiveSync or EAS. He also raved about the platform’s email client, which he called “an email triaging wonder.”

He also noted that WP7 has a “decent” Office Mobile client, although it isn’t as robust as Office Mobile 2010 for Windows Mobile, and a “terrific” SharePoint Workspace client with seamless over-the-air access to multiple SharePoint servers and the documents on them.

The problem with WP7, as Thurrott sees it, is that with it, Microsoft has conceded that if it wants to be player in the mobile market, it has to cater to consumers, not IT departments.

“This is the way the world’s going, of course,” he wrote, “and though I’ve expressed my fears over the so-called consumerization of IT before, allow me to reiterate a key theme: Businesses think they are saving money by letting workers use their own phones with work-related data and resources, but the resulting lowering of the guard may ultimately come back to haunt them.”

It’s hard to blame Microsoft for facing the realities of the mobile market. The plain truth is that individuals buy cell phones, not corporations. By Microsoft’s own calculations, 82 percent of Windows mobile phones are bought by users, with only 11 percent bought by employers. That user figure is probably even higher for the leaders in the market, the iPhone and Google’s Android handsets.

Thurrott acknowledges that WP7 has few security features to protect Exchange Server from mobile users. For example, an administrator can impose a policy requirement on WP7 phones so users must protect their phone with a PIN before they can access the server. Applications in the phone are sandboxed from each other to prevent the spread of electronic infections. In addition, the phones can’t be configured as portable hard drives and used for wholesale theft of data.

However, the platform doesn’t support a full set of Exchange policies, as Windows Mobile did. Although the phones will work with Exchange Server 2003, 2007 and 2010, it only works with Sharepoint 2010 and only within the corporate firewall.

What’s more, the phone is tightly integrated with Microsoft’s Zune ecosystem. That means the only way to get apps in the thing is through Windows Phone Marketplace, which is similar to Apple’s App Store. That will be a real pain for organizations who want to run custom apps on the phone.

“Put simply,” Thurrott wrote, “Windows Phone 7 is a wonderful platform for end users. But for the enterprise that wants to really manage what happens on the devices they deploy to end users, the initial shipping version is going to fall a bit short.”

WinPho 7 Exchange security questioned

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Seven Deadliest Microsoft Attacks is part of a series of “attack” books published by Syngress, a book maker specializing in security titles. This compact volume in the series (192 pages, $24.95) provides system defenders with a solid reference to the most common ways Black Hats compromise Microsoft software, including Exchange server.

The book, authored by Rob Kraus, Brian Barber, Mike Borkin and Naomi Alpern, begins with a discussion of password attacks on Windows, moves to besieging Active Directory to escalate privileges, goes to stored procedure attacks on SQL servers, then focuses on mail service attacks on Exchange Server. From there it touches on assaulting Microsoft Office with poisoned macro and ActiveX controls, ravaging Internet Information Services with web service attacks and mounting multi-tier assaults on SharePoint.

The chapter on Exchange server attacks will be very enlightening to email administrators. In it, the authors discourse on how mail service attacks work, the dangers associated with the attacks, the future of the attacks and how to defend against them. Some of the attacks talked about in the chapter include:

• Directory Harvest Attacks - By targeting Active Directory, miscreants collect e-mail addresses from the repository and send spam and other kinds of spoiled messages to them.
• Cache Poisoning - That occurs when corrupt information is planted in the Domain Name Services (DNS) cache in order to redirect messages to an outlaw server.
• Denial of Service - DoS attacks are aimed at incapacitating a system by flooding it with more traffic than it’s designed to handle. Such an assault on a mail server could mean an organization would be without one of its mission critical resources for a substantial amount of time.
• Buffer Overruns - They’re similar to DoS attacks but seek to go beyond merely interrupting service on a targeted system. By inundating a buffer, a cyber bounder can get malicious code to be executed by the system, which can raise all kinds of havoc in a system.
• Spoofing - It’s used by net cads to hide their tracks and disguise the origin of an email message. Phishers use the tactic all the time to give their malevolent payloads legitimate airs–make them appear to be coming from a bank, for instance, or an Internet store  front.
• NDR Attacks - They’re used to turn a legitimate email server into a spam server. It works like this: a spammer floods an email server with messages. The addresses of the recipients of the messages don’t exist. When that’s the case, an email server will attach the message to one of its own in which it explains the message is undeliverable, and ships it to the return address in the spammer’s message. That return address, though, isn’t where the message originated. It’s the address of someone the spammer has targeted for his or her junk. So the legitimate server acts as a relay for the spam and helps anonymize the spammer.

In the chapter, the authors also discuss a variety of defense strategies that administrators can deploy to foil digital blackguards.

One recommendation they suggest is to make sure there is some SMTP presence in your organization’s perimeter defenses. It should be maintained separately from the mail servers that are housing user data and performing internal routing.

Mail traffic should not be allowed to flow from the Internet directly into your internal network, and your internal Exchange servers should not be transmitting data to the Internet. In order to reduce exposure whenever possible, Exchange servers should be placed on the internal network. There’s an exception to that though.

Both Exchange 2007 and 2010 support the configuration of Edge servers. Those servers deployed into a screened subnet on your perimeter network can be used as smart hosts for forwarding email from the Exchange servers on the internal network to the Internet.

“Utilizing Exchange Edge servers allows for minimal surface exposure to the Internet,” the authors explained, “and since Edge servers are designed to be Internet facing, they are an SMTP deployment which is secured by default.”

“As the messaging administrator, you must remain aware of potential messaging system attacks,” the authors noted. “By understanding the characteristics of attacks that may be executed against your system, you are better prepared to identify them and respond to them in a defensive manner.”

“One of the factors that helps to make your job easier is that Exchange Server has evolved over time to be installed defensively straight out of the box,” they added. “Since by default you are more protected than ever before, attackers have had to become increasingly more creative in their attack approaches.”

Seven deadliest Microsoft attacks targeted by book

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Exploit creating new rule in Outlook Web Access.

Microsoft has finally patched a vulnerability in its Outlook Web Access application that has been known to the public since early summer. If successfully exploited by a hacker, the vulnerability could have been used to use the identity of an authenticated user to perform actions with that user’s computer without the user’s knowledge.

Although the vulnerability does not affect Microsoft Exchange Server 2007 Service Pack 3 and Microsoft Exchange Server 2010, it does affect earlier versions of Exchange 2007, as well as Exchange 2003 and Exchange 2000.

Microsoft’s solution to the problem may not please some system in administrators. It recommends that customers running versions of the program affected by the vulnerability upgrade those programs to versions unaffected by the flaw.

“Of course system administrators have nothing better to do than upgrade the version of Exchange on all of their mail servers and shift thousands of mailboxes to a new version of Exchange,” Lawrence Latif observed snidely in the Inquirer.

Potential damage from the vulnerability can be minimized by segmenting user rights in OWA. Segmentation lets an administrator control many of the features in the web application. Segmentation can be managed using the Exchange Management Console (EMC) or the Exchange Management Shell. With segmentation administrators can control:

• Address Lists. With Address Lists enabled, users can see all address lists in the Exchange organization. With it disabled, users can only see the default global address list.
• Calendar. Enabled, OWA users can see calendar folders. Disabled, they can’t see them.
• Change Password. Enabled, OWA users can change their Active Directory account password.
• Contacts. Enabled, OWA users can see contact folders. Disabled, they can’t.
• Email Signature. Enabled, OWA users can use their options to manage signatures on outgoing email messages.
• Exchange ActiveSync Integration. Enabled, users can manage mobile phones using OWA options.
• Instant Messaging. Enabled, instant messaging is available to OWA users.
• Journal. Enabled, OWA users can see the journal folder. Disabled, they can’t see it.
• Junk Email Filtering. Enabled, OWA users can control their junk mail settings. Disabled, they can’t control the settings, but system settings or settings created by the administrator will still apply to the mailbox.
• Notes. Enabled, OWA users have full access to the notes folder. Disabled, they can only view notes in the folder.
• Premium Client. Enabled, users can access the full version of OWA. Disabled, they can only access the light version.
• Public Folders. Enabled, OWA users can browse or read items in public folders.
• Recover Deleted Items. Enabled, OWA users can view recover or permanently delete items that were deleted from the Deleted Items folder.
• Reminders and Notifications. Enabled, OWA users can receive reminders for calendar items and tasks and notifications for new messages. Disabled, they will not receive reminders and notifications.
• Rules. Enabled, OWA users can view, create or modify server-side rules.
• S/MIME. Enabled, users can download S/MIME control for OWA and use it to read and compose signed and encrypted messages.
• Search Folders. Enabled, users can see the Search Folders icon in the OWA navigation pane and can access any search folders that exist on the server.
• Spelling Checker. Enabled, users can access spell checking in OWA.
• Tasks. Enabled, users have access to the Tasks features in OWA.
• Text Messaging. Enabled, users can send and receive text messages in OWA.
• Unified Messaging Integration. Enabled, users can manage Unified Messaging through OWA.

A particularly useless defense tactic recommended by Microsoft to address exposures created by the vulnerability is to hide the display of the OWA options panel, according to the Inquirer. That “should flummox only the most novice of script kiddies,” it declared.

A proof of concept of the vulnerability was released on July 8. It was described at that time by security experts as “a cross-site request forgery vulnerability… present in some versions of Microsoft Exchange (Outlook Web Access). A cross-site request forgery (CSRF) vulnerability in Microsoft Outlook Web Access… allows remote attackers to hijack the authentication of email users for requests that perform Outlook requests, as demonstrated by setting the auto-forward rule.”

In August, the Exploit Database tested the reported vulnerability and described it as a “straight forward” exploit.

“As soon as the target user visits the proper webpage,” it explained “the hidden form executes and a forwarding rule is created without drawing too much attention. The attacker could certainly try to hide any visible elements on the page and invoke the submission of a hidden form data to a simple javascript without any user involvement.”

Microsoft finds another vulnerability in OWA

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators