Exchange Edge Server Safe List Aggregation – Automated!

Posted by: Justin

While the Edge server role is a great idea for Exchange 2007, it seems to lack some basic functionality. I had one client that wished to have the Outlook client safe sender lists aggregated automatically every day…so I cooked this up. Seems to work fine!

Schedule this to run every 24 hours to update the users’ safe lists generated in Outlook (put the code below into a .bat file on the edge server).

"%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -psconsolefile "e:\exchange\bin\exshell.psc1" -command "Get-Mailbox | where {$_.RecipientType -eq [Microsoft.Exchange.Data.Directory.Recipient.RecipientType]::MailboxUser } | Update-Safelist"

After you save your file, run this on the edge server to create the scheduled task:

at 23:00 /every:M,T,W,Th,F,S,Su  cmd /c "c:\[path to file]\[file name].bat"

When it doesn’t work as advertised…

Posted by: Justin

I recently had a challenging experience with Windows XP clients using single-sign-on (SSO) for terminal server (TS) 2008 RemoteApp.

After Windows XP service pack 3 is applied, you are able to “turn on” the feature by following an article such as this…Description of the Credential Security Support Provider (CredSSP) in Windows XP Service Pack 3. Note that while the article says you can’t control the client’s settings for SSO servers, you can…if you upgrade your group policy objects on your sysvol share and use Vista or Windows 2008 to manage group policy! You must follow the article to enable SSO, but you can control which server connections make use of it via a GPO.

This magic is already present in Vista and 7 when used as TS clients for RemoteApp.

My experience was different, as I applied the proper registry tweaks…but my RemoteApp window was still prompting users for login to the TS environment instead of merely passing the username/password on!

After banging my head on my desk for awhile, I finally “googled” the right combination of words to find a nifty hotfix for credssp and the exact issue I was experiencing!

Behold (it is properly named!) – When you enable SSO for a terminal server from a Windows XP SP3-based client computer, you are still prompted for user credentials when you log on to the terminal server.

I created a batch file to apply both hotfixes silently at start up…seems to do the trick…the magic now works as stated!

Description of the Credential Security Support Provider (CredSSP) in Windows XP Service Pack 3

More fun with Exchange 2007 web services

Posted by: Justin

I have seen several broken instances of autodiscover and other Exchange 2007 web services.

Generally fixing these involves…

  • Verifying internal and external DNS matches (for a single server setup)
    • autodiscover.domain.com -> cname to mail.domain.com
    • mail.domain.com -> points to actual exchange server
    • Make sure this matches on the outside to make things smooth -> external dns should point to those public IPs used for publishing http/https to the CAS
    • I have seen people set up confusing and improper firewall and public DNS entries that cause havoc and are hard to track down initially! Pay attention when publishing your mail server and editing public DNS. A fix for a mistake can take hours to propagate in public DNS!
    • Verify certificate names
      • **A UCC is needed (godaddy.com has cheap ones)…follow the installation instructions – or check my blog for an earlier article about this.**
      • If you didn’t install it and question if it was done right, just reinstall it – usually is faster anyway.
    • Rebuilding virtual directories may do it…
        • Most can be done with remove-…virtualdirectory (like remove-oabvirtualdirectory)
        • Check this article for a great overview -
          • http://www.exchange-genie.com/2007/07/exchange-2007-autodiscover-service-part-1/
  • I have seen advice to stop IIS before running the new-…virtualdirectory commands, then restart IIS after the new VD is created successfully.
  • For a missing OAB the web distribution point…
    • http://blogs.msdn.com/dgoldman/archive/2006/11/27/Error-0x80190194-when-using-an-outlook-2007-client-to-download-a-web-distribution-enabled-oab.aspx
    • When in doubt, test it out
      • GREAT testing site for Outlook web services and Exchange services
        • https://www.testexchangeconnectivity.com/
  • Test with outlook client
    • OAB – tools -> send/receive -> download address book -> hit OK.
    • OOF – tools -> out of office assistant (will bomb out if not working, otherwise will show up nicely!)
    • Free/busy – attempt to schedule a meeting and using the schedule assistant
    • Change to folder view and view the Sync Issues container for any other problem hints
  • With outlook open, hold ctrl and right-click the tray icon for it. Try out connection status (should have directory & mail service connections via TCP (LAN/VPN) or HTTP(S) (outlook anywhere)) and the test autoconfiguration.
  • test-outlookwebservices
    • I have seen 401 unauthorized errors before, but have had the autodiscover working despite these.
    • Note that autodiscover.xml is a placeholder file (there isn’t actually anything in it!)
    • If you are running Exchange 2007 on Windows 2008…you may want to disable IPv6…but do it RIGHT – don’t just uncheck the box in network control panel and call it good – RTFM
      • http://support.microsoft.com/kb/929852
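The DNS and certificate items from the checklist above, expressed as a check over constructed records. This is an added example, not code from the original post: the example.com names and addresses are placeholders, and the checker reads hand-built record tables instead of querying DNS.

```python
from dataclasses import dataclass, field


@dataclass
class DnsView:
    """One DNS view (internal or external), constructed by hand: no live lookups."""
    cname: dict = field(default_factory=dict)  # name -> CNAME target
    a: dict = field(default_factory=dict)      # name -> IPv4 address


def resolve(view, name, depth=0):
    """Follow CNAMEs to an address; returns (final_name, ip), ip None if unresolved."""
    name = name.lower().rstrip(".")
    if depth > 8 or name not in view.cname:        # depth guard against CNAME loops
        return name, view.a.get(name)
    return resolve(view, view.cname[name], depth + 1)


def check_web_services_names(domain, internal, external, cert_names, published_ip):
    """Return the checklist violations found; an empty list means the names line up."""
    problems = []
    autodiscover, mail = f"autodiscover.{domain}", f"mail.{domain}"
    cert = {n.lower() for n in cert_names}

    # autodiscover.domain.com -> CNAME to mail.domain.com, and mail resolves, in BOTH views
    for label, view in (("internal", internal), ("external", external)):
        if view.cname.get(autodiscover, "").lower() != mail:
            problems.append(f"{label}: {autodiscover} should be a CNAME to {mail}")
        if resolve(view, mail)[1] is None:
            problems.append(f"{label}: {mail} does not resolve to an address")

    # external DNS must point at the public IP the firewall publishes http/https to the CAS on
    ext_ip = resolve(external, mail)[1]
    if ext_ip is not None and ext_ip != published_ip:
        problems.append(f"external: {mail} resolves to {ext_ip} but {published_ip} is published")

    # the UCC certificate must carry both public names
    problems += [f"certificate lacks the name {n}" for n in (autodiscover, mail) if n not in cert]
    return problems


# Constructed sample data (placeholder domain and addresses).
GOOD_CERT = ["mail.example.com", "autodiscover.example.com", "exch01.example.local"]
INTERNAL = DnsView(cname={"autodiscover.example.com": "mail.example.com"},
                   a={"mail.example.com": "10.0.0.5"})
EXTERNAL_OK = DnsView(cname={"autodiscover.example.com": "mail.example.com"},
                      a={"mail.example.com": "203.0.113.10"})
# The confusing setup the post warns about: autodiscover is a bare A record and
# mail.* still points at an old address that is not the one being published.
EXTERNAL_BAD = DnsView(a={"autodiscover.example.com": "203.0.113.10",
                          "mail.example.com": "198.51.100.7"})

if __name__ == "__main__":
    for p in check_web_services_names("example.com", INTERNAL, EXTERNAL_BAD,
                                      ["mail.example.com"], "203.0.113.10"):
        print("PROBLEM:", p)
```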

My Symantec recommendation…

Posted by: Justin

Having trouble with Symantec Endpoint Protection (SEP) and Windows Server? You are not alone.

While a reputable product, Symantec anti-virus products seem to have become more troublesome lately (in my opinion).

I have recently seen a few strange examples related to file share problems when Windows Server 2008 has SEP installed. The example I have in mind was set up with a vanilla SEP install.

Windows XP clients would drop connections with the file server – any shares would be inaccessible. You could ping the server and hit the Internet, but no file shares, which means no group policy, no roaming profiles or redirected folders. Rebooting the server fixed the issue temporarily.

I found a solution by hitting the forums and Symantec’s site.

See Document ID 2008100113145148

They recommend maintenance release 3 (MR3) and 2008 SP 2 be applied.

In my case, I couldn’t apply SP 2, so I used a work-around instead. I disabled auto-protect altogether and set a scheduled scan (daily) instead. This fixed the issue until I can put SP 2 on. Also don’t forget to disable all features but anti-virus on the SEP client (i.e. axe pro-active threat protection and the rest).

If you do some digging, you’ll find there are A LOT of issues with SEP breaking things in general. Security software issues like this are hard to track down and highly disruptive.

Not surprisingly, my recommendations for SEP are few and far between.

Cracking the SAM

Posted by: Justin

I have done this before, but it’s been awhile, so I thought I would refresh my memory on password cracking.

My tools (used on Windows XP VM)

  • L0phtCrack (15 day trial for downloads, GUI, professional-grade)
  • Cain and Abel (freeware, GUI)
  • OphCrack (freeware, GUI)
  • pwdump (used for grabbing the SAM)

My victim

I have a Windows XP Professional SP3 virtual machine with a SAM that has several accounts with passwords of varying strength.

  • user1 / asdfjkl;
  • user2 / weak
  • user3 / asdfjkl;12345
  • user4 / 123ikm852
  • user5 / jasonlives
  • user6 / jasonalmostlives
  • user7 / jason1lives
  • user8 / biec?32z

The Process – Part 1

  1. First, I boot up the VM with my linux ISO (use the try ubuntu without making changes option)
  2. I open the Places -> Computer area and open the 8.6 GB media drive (my local file system). Then I navigate to the SAM stored in c:\windows\system32\config. Click the thumbnails for a larger picture.
    1. Windows XP Professional-2009-09-01-16-39-31
    2. Windows XP Professional-2009-09-01-16-42-15
  3. Copy the SAM somewhere…in this case, I put it on my host machine as a temporary storage area. Then I rebooted my victim machine & installed L0phtCrack on it to start a brute force attack on the hashes in the SAM.
  4. I love drag-and-drop features in VMware Workstation!
  5. L0phtCrack can import the local machine’s SAM with its wizard interface, but you need admin access to do that. I just skipped the wizard and imported my SAM file.
  6. I modified the session options like so (to include characters)…you can also see the proc is maxed out (lc.exe)! This translates to 50% utilization on my host machine.
    1. Windows XP Professional-2009-09-01-17-03-44
  7. Now it is time to wait…
  8. After a long wait, my somewhat under-powered VM came up with the following…
    1. Windows XP Professional-2009-09-02-16-20-35
    2. Note that only the weakest were cracked. It seems the demo of this tool only allows 6 accounts and does not allow brute force cracking (although you can select it). Too bad I can’t actually try all of the features with this demo (on a budget for this experiment). So I will attempt another method…

The Process – Part 2

  1. I decided to try other password tools – like Cain. This is part of the Cain & Abel suite here. I also needed to use Ophcrack available here.
    1. A word about the efficiency for Ophcrack – it uses rainbow tables, which are precomputed hashes for sets of passwords…so instead of trying every password in the dictionary (with a dictionary-only table), the program will just search for the matching hash.
    2. So if (for example) my password was “mice” and the hash was “x94lfrj94j48dk”, then Ophcrack would just search its large table to find that hash.
  2. I also used pwdump7 available here. This dumps the live SAM to a text file that contains the hashes that various tools can import.
    1. For instance – I ran the following on my XP victim machine.
      1. c:\pwdump7\pwdump7.exe > c:\samdump.txt
      2. Here is the sample I got from it -> samdump.
    2. I can then import my dump file to Cain or Ophcrack
  3. First – Cain.
    1. Cracker tab -> Right-click to load my samdump.txt file.
    2. I tried a modified dictionary attack with all possible characters and numbers. I loaded the default word list included with Cain – c:\program files\cain\wordlists\wordlist.txt.
    3. My results are here in a screen shot, again, just click to get a larger view.
    4. Windows XP Professional-2009-09-08-15-10-23
    5. In summary, Cain was not as effective as I would have hoped, as a full dictionary and hybrid attack did not reveal many of the passwords. I also tried a brute force with all possible characters, but that would have taken years to complete (by Cain’s estimate). I still think Cain is an easy-to-use security tool and do not wish to discredit it – there are many other features I have not tested yet. For this exercise, I turned to rainbow tables. Note that the online rainbow crack with Cain is not free.
  4. Enter Ophcrack – the basic rainbow tables are free (lowercase, uppercase, numbers – about 750 MB). Tables with characters are quite large (8 GB) and cost a couple hundred bucks.
    1. I downloaded the fast free xp tables. This was a large download but was no challenge for my Internet pipe!
    2. I installed the table download in Ophcrack by unzipping it and using Ophcrack to point to its location.
    3. I loaded my samdump.txt file and began cracking. You can also load a local or remote live SAM.
    4. It did not take long for the program to compare against the table – only about 5 minutes on my VM.
    5. Here are the results – ophcrack results
    6. Note that users 3, 6, and 8 were not cracked – they were either too long for the computed tables or the tables lacked the characters used in the password. Thus, there would be no match in the table. I believe that purchasing a commercial table set would be quite useful in cracking most passwords.

Conclusion

While cracking passwords is easier than it used to be, strong passwords will still keep you pretty safe. I recommend following best practices on this – upper-case and lower-case letters, numbers, and symbols for a password of 8 or more characters. Avoid words in a dictionary – I was able to crack the password “weak” in seconds with all three tools.

Also – if you think “3” for “e” or “@” for “a” is clever – think again. I could search for these variations on dictionary words in Cain by ticking a box. L0phtCrack had a similar option.

I think rainbow tables are the best way to go for general cracking…they are much faster. However, you have to purchase the larger tables that have all possible combinations. Even these giant tables have limits (usually like 16 character passwords). Brute force is the ultimate, but you will be well aged by the time you brute force a password with letters, numbers, and symbols with a length of 8 or 10 characters.

Cain seems similar to L0phtCrack, but it is free. If I had a serious password audit need, I would definitely purchase rainbow table sets and probably L0phtCrack. However, there are plenty of free tools for password cracking – finding a gem among them is the hard part.

In addition, you can see from above that there are numerous ways to get a password hash dump from a system – whether you have admin-level access or not.
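The three attack styles compared above (dictionary, leet-speak variants, brute force) turned into a password policy check run over the post’s eight test passwords, as an added example that is not part of the original post. The word list and the guess rate are constructed placeholders, so the brute-force figures are illustrative rather than Cain’s estimate.

```python
import string

# Constructed stand-in for a word list (a real audit loads a file such as Cain's wordlist.txt).
WORDLIST = {"weak", "jason", "lives", "mice", "password", "asdfjkl;"}  # last one: keyboard walk

# Reverse the "3 for e, @ for a" style substitutions the post mentions.
UNLEET = str.maketrans({"3": "e", "@": "a", "0": "o", "1": "i", "$": "s", "5": "s"})

CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]


def classes_used(pw):
    """Character classes present in the password (lower, upper, digit, symbol)."""
    return [cls for cls in CLASSES if any(c in cls for c in pw)]


def charset_size(pw):
    """Alphabet a brute-force run must cover: the sum of the classes present."""
    return sum(len(cls) for cls in classes_used(pw))


def dictionary_match(pw):
    """'word', 'leet' or 'hybrid' if a dictionary-style attack would reach pw, else None."""
    low = pw.lower()
    if low in WORDLIST:
        return "word"
    if low.translate(UNLEET) in WORDLIST:
        return "leet"
    # hybrid: a word with a digit/symbol tail, or two words joined (optionally by digits)
    for i in range(1, len(low)):
        head, tail = low[:i], low[i:]
        if head in WORDLIST and (not tail.strip(string.digits + string.punctuation)
                                 or tail.lstrip(string.digits) in WORDLIST):
            return "hybrid"
    return None


def brute_force_years(pw, guesses_per_second=1_000_000):
    """Time to exhaust the keyspace at an assumed (constructed) rate; the post gives no figure."""
    return charset_size(pw) ** len(pw) / guesses_per_second / (365 * 86400)


def assess(pw):
    """Summary a policy check would act on: reject anything dictionary-reachable,
    shorter than 8, or using fewer than three character classes."""
    match = dictionary_match(pw)
    return {"length": len(pw), "charset": charset_size(pw), "dictionary": match,
            "brute_force_years": round(brute_force_years(pw), 3),
            "acceptable": match is None and len(pw) >= 8 and len(classes_used(pw)) >= 3}


# The post's own eight test passwords.
SAMPLES = ["asdfjkl;", "weak", "asdfjkl;12345", "123ikm852", "jasonlives",
           "jasonalmostlives", "jason1lives", "biec?32z"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw:18} {assess(pw)}")
```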

Note that this article represents an experiment with my own property and systems – I do not condone cracking other people’s systems without their consent. Use this information at your own risk.

GFI Home Backup 2009 – Quick Eval

Posted by: Justin

GFI recently released a few freeware editions for programs they use under the “We Care” initiative.

See it at www.gfi.com/frw

3 of the 4 products are light versions of commercial products, but there is a new one – a home backup software. I decided to install it on a Windows XP VM and test its feature set.

I acquired version 3.0 and installed it – painless. I had to give up my name and email address to get the download link…

Backup Features

The interface seems clean. Backup, restore, and sync are the main focus of this product (Figure 1).

Figure 1

Windows XP Professional-2009-08-31-20-36-55

First, I tried a backup job. See Figure 2. This software, at first glance, offers more than other freebie backup software I have used in the past. The source, for example, allows us to select types of files with a few clicks, parts of the registry, program settings, etc. Impressive. See Figure 3, 4, and 5.

Figure 2

Windows XP Professional-2009-08-31-20-39-20

Figure 3

Windows XP Professional-2009-08-31-20-40-44

Figure 4

Windows XP Professional-2009-08-31-20-42-50

Figure 5

Windows XP Professional-2009-08-31-20-43-48

For this exercise, I selected My Documents. It is also worth noting that I can grab backups from network locations. Not bad.

Next is the destination selection. I can send it to network or local storage. There is an FTP function…but I hesitate to use it – especially for home backup…how many users of freebie backup software have an FTP server running? There’s a great risk in using FTP and little benefit if you don’t have an FTP server offsite. If you are sending on the LAN, use a file share instead…

Noteworthy – the file share destination option allows you to authenticate.

I’m going to use the default local folder for this, as shown in Figure 6. This points to C:\Program Files\GFI\GFI Backup 2009 – Home Edition\Backup

Figure 6

Windows XP Professional-2009-08-31-20-52-48

Why is “Floppy” even mentioned in the removable device option? Does anyone still use floppies? If you do, please put them down now and go buy a USB flash media immediately, if not sooner.

Ahh…options…this one includes encryption and compression. Better than NT Backup! See Figure 7. Versioning is supported! This is a great way to prune backups without thinking. I would choose the stack option and keep 3 versions. AES encryption is great for securing your backups if they are lost or stolen, while zip compression is ubiquitous. Good choice, GFI. Note that if you encrypt here, you must compress as well.

Figure 7

Windows XP Professional-2009-08-31-21-02-51

I chose to encrypt with AES and a simple key.

Next up, the scheduling options seem powerful, even allowing you to run the job as a certain user. See Figure 8. I will just use the manual schedule for this.

Figure 8

Windows XP Professional-2009-08-31-21-05-12

Finally, the events option tab – I will leave the defaults, as they seem fine, but I will add the verify option. I detest taking backups without verification.

Figure 9

Windows XP Professional-2009-08-31-21-06-07

My backup of less than 1 MB took 5+ minutes to finish. Not the best performance.

I wanted to test to see if it backs up open files, so I added a WordPad document and left it open while the backup ran. It worked. The second backup was very fast. I’m unsure of why the first one took so long…

In summary, I ran a restore and could see my two versions of the archive. I was prompted for my password, as expected. Restores worked as expected.

Thoughts…

Overall, the software does offer a lot for free. I would say it is superior to NT Backup for file-level backup. I wouldn’t back up a domain controller or exchange server with it, but it would be adequate for a poor man’s backup solution for files.

I don’t think I’m going to throw my Acronis disk out the window, but I would carry this software package with me to clients and use it if they had nothing. I would also recommend it to people for basic home use (its target audience, which it would serve well).

With tools like Carbonite and MozyHome/Pro paired with a broadband connection, I don’t see a need for software like this. I personally rely on Carbonite and have not been disappointed in 8 months (I currently have 60 GB and counting in their cloud!). I also use Acronis (home edition) for PC images, if needed, which is overkill for average users.

If you have dial-up Internet and no budget for backup, I would use this software. If you have a decent pipe, I would spend 50 bucks per year for Carbonite or MozyHome – they are far less hassle to maintain (there are no backup “jobs” – it just works), and you don’t have to worry about offsite backup as a separate issue.

Thanks for caring GFI, but I will stick with Carbonite for now.

SharePoint Backup using stsadm

Posted by: Justin

A complicated beast, SharePoint is!

I have worked with various installations of different sizes and importance.

A quick-and-dirty way to back up the entire site and db is to use the stsadm tool.

Part 1

"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\BIN\stsadm.exe" -o backup -directory C:\SharePointBackups -backupmethod full

I would put this into a batch file to run daily. One thing Microsoft sorely overlooked was how to clean up old backups! Unlike SQL Server, which easily allows you to cap the number of backups you want to keep around.

Part 2

Since the stsadm tool creates folder hierarchies, you can clean it out using a simple script. I have a small program that will clean out folders and anything in them over a certain time limit.

DirectoryCleaner

Checks folders in the root folder passed as the first parameter for a modified date older than the second parameter (# of days).

Deletes folders and child folders/files if parent folder modified date is greater than day # specified.

Part 3

One drawback – this version will not delete files in root directory – use this vbscript for that!

Delete files older than X

Download this and rename with a vbs extension. You can easily edit it to change the date range. Just make sure to test this and the directorycleaner tool before deploying!
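A stand-in for the DirectoryCleaner and VBScript steps above, written here as an added example (not the tools the post links to): it prunes subfolders older than a given age and, unlike the version the post describes, can also prune files left in the root folder. The folder names and ages in the demo are constructed.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path


def find_stale(root, max_age_days, include_root_files=True, now=None):
    """Entries directly under root whose modified date is older than max_age_days."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    return sorted(p for p in Path(root).iterdir()
                  if (p.is_dir() or (include_root_files and p.is_file()))
                  and p.stat().st_mtime < cutoff)


def prune_backups(root, max_age_days, include_root_files=True, dry_run=False, now=None):
    """Delete stale folders (with everything in them) and, optionally, stale root files.
    Returns the paths removed, or that would be removed when dry_run is True."""
    removed = []
    for entry in find_stale(root, max_age_days, include_root_files, now):
        if not dry_run:
            if entry.is_dir():
                shutil.rmtree(entry)      # folder and all children, like the post's tool
            else:
                entry.unlink()            # the root-file case the post's tool skipped
        removed.append(str(entry))
    return removed


def build_sample_tree(root, now):
    """Constructed stand-in for a backup folder: one subfolder per nightly run
    (names are made up) plus a ten-day-old file sitting in the root."""
    root = Path(root)
    for age in range(1, 6):
        folder = root / f"spbr{age:04d}"
        folder.mkdir(parents=True)
        (folder / "00000000.bak").write_bytes(b"constructed backup content")
        stamp = now - age * 86400
        os.utime(folder / "00000000.bak", (stamp, stamp))
        os.utime(folder, (stamp, stamp))   # set last: writing the file bumped the folder mtime
    old_log = root / "sprestore.log"
    old_log.write_text("constructed")
    os.utime(old_log, (now - 10 * 86400,) * 2)


def demo(max_age_days=3.5, include_root_files=True):
    """Build the sample tree in a temp folder, prune it, and report (removed, remaining)."""
    with tempfile.TemporaryDirectory() as tmp:
        now = time.time()
        build_sample_tree(tmp, now)
        removed = prune_backups(tmp, max_age_days, include_root_files, now=now)
        remaining = sorted(p.name for p in Path(tmp).iterdir())
    return [os.path.basename(p) for p in removed], remaining


if __name__ == "__main__":
    gone, kept = demo()
    print("removed:", gone)
    print("kept:   ", kept)
```

Run it with dry_run=True first against the real backup folder, as the post advises testing before deploying.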

Whew! This is a lot of tinkering to fine-tune SharePoint backups without buying a third-party add-on…but it works.

Using the Windows runas command…differently…

Posted by: Justin

I recently discovered a way to make use of the runas command in Windows 2003/XP (not sure about Vista).

Using a special switch “/netonly” allows the credentials to be passed on without them being verified first.

Example 1 (excel)
runas /netonly /user:domain\administrator "C:\Program Files\Microsoft Office\Office12\excel.exe"

Example 2 (sql mgmt studio 2008)
runas /netonly /user:domain\administrator "C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\ssms.exe"

See excerpt below…

****

http://www.pcreview.co.uk/forums/thread-2382043.php

“All this function does is replace the *default remote credentials* used if the token is used in conjunction with a remote machine. It doesn’t even try to validate the credentials when you call the function, so you could pass a totally invalid username/password/domain and you wouldn’t know that anything went wrong until you actually tried to use that token to access some kind of network resource that requires valid credentials.”

****

Although trivial, this helped me work around an issue dealing with a co-located domain controller/sql server. I was attempting to launch SQL server mgmt studio as a specific domain user. The /netonly switch saved the day by passing on the credentials over the VPN to the server’s private IP even though I couldn’t really authenticate with the server on the other side of the VPN using AD.

VBS from the master…Richard Mueller

Posted by: Justin

His site provides impressive VBS examples for group drive mapping, printer mapping, and other scenarios.

Perhaps it is becoming more outdated due to the rise of PowerShell, but I have yet to work at a place that uses PowerShell exclusively.

http://www.rlmueller.net/index.html

Below are a few examples I have created by working on his examples.

Here’s Richard’s logon3.txt example that I had used in production…Map Drives By Group

Here’s the same but used for printers. I also added a piece to satisfy those that use local printers…Map Printers by Group

Again, use at your own risk. I place them here so that others may get the same benefits I did by learning about VBS.

Group policy & automatic logon

Posted by: Justin

Ever been working with a lab of computers and have to do something manually as a certain user?

I have…and I got tired of logging onto each one. So I got creative and found some tidbits of customized group policy templates to make this.

AutoLogon

This custom administrative template will allow you to set auto logon for windows 2000/xp (haven’t tested it on vista).

Brief steps…

  1. You have to download this adm file and put it into a share accessible by authenticated users (I like to use \\domain\netlogon)
  2. Open the desired group policy object using the GPO management tool and right-click the computer-based administrative templates. Select the add/remove templates option and browse to your file.
  3. With the administrative templates folder highlighted, go to view -> filtering. Uncheck the box that says “only show settings that can be fully managed”.
  4. You can now drill down to the imported template. A restart will be needed to make the policy work.

A word of warning…this GPO template tattoos the registry. When you are done with this policy, simply setting it to “not configured” will NOT work. The autologin will continue to function. To undo it, you have to disable the GP preference and have it apply to the computers.

Read more about GP policies vs. preferences here.

Use at your own risk.