Month: July 2007

Forefront Server Security for Exchange 2007

by ucinfo, posted in Flaphead, MsExchange, Security

This is another product I have been playing .. found two great things.

First was this error my Hub Transport Server.  It looks very much like Forefront caused this .. don’t know what or why, but still it’s a bit scarey!

This is my favorite.  In the Forefront Server Security administrator I have specified the following under Scanner Update for the Primary network Update path:

file://engines$</FONT></P> <P>Now check out what the application log says:</P> <P><FONT face=Courier>Event Type:&nbsp;&nbsp; &nbsp;Error<BR>Event Source:&nbsp;&nbsp; &nbsp;GetEngineFiles<BR>Event Category:&nbsp;&nbsp; &nbsp;Engine Error <BR>Event ID:&nbsp;&nbsp; &nbsp;6014<BR>Description:<BR>Microsoft Forefront Server Security encountered an error while performing a scan engine update.<BR>&nbsp;&nbsp; Scan Engine: Kaspersky5<BR>&nbsp;&nbsp; Update Path: http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Kaspersky5<BR>&nbsp;&nbsp; Proxy Settings: Disabled<BR>&nbsp;&nbsp; Error Code: 0x80004005<BR>&nbsp;&nbsp; Description: An error occurred while checking if an update was available.<BR><BR></FONT></P> <P><FONT size=+0>Err this server is not connected to the internet, and you shouldn’t be getting the updates from it anyway!”&nbsp;</FONT></P>

Visto Corporation

by ucinfo, posted in Flaphead, Mobile, MsExchange

This is interesting, these guys (http://www.visto.com/about/ip.asp) are after a load of companies, check this out

http://www.manatt.com/Attorneys.aspx?id=1437 

# *Visto Corp. v. Research In Motion (E.D. Tex.) – Patent infringement action pending against RIM in the Eastern District of Texas (Marshall) involving the Visto patent portfolio.  RIM is the provider of the Blackberry wireless messaging hardware and software.

# *Visto Corp. v. Good Technology, Inc. (E.D. Tex.) – Patent infringement action pending in the Eastern District of Texas (Marshall) involving the Visto patent portfolio.  Good is the provider of GoodLink wireless messaging software.

# *Visto Corp. v. Seven Networks, Inc. (E.D. Tex.) – Patent infringement action pending in the Eastern District of Texas (Marshall) involving the Visto patent portfolio.  Seven is the provider of Sprint Business Connection software and Cingular Xpress Mail software.  The parties are awaiting entry of final judgment following a jury verdict of infringement in favor of Visto earlier this year.

This is a bit close to my heart .. the Patent seem a bit vague and not specific … how they can justify all these actions is interesting … maybe the patent system in the USA has a small flaw … looks like the only people that will make money out of this are the lawyers :-| # Visto Corp. v. Microsoft (E.D. Tex.) – Patent infringement action pending against Microsoft in the Eastern District of Texas (Marshall/Texarkana). Visto holds a portfolio of patents directed to wireless messaging and email, calendar and contact synchronization, including U.S. Patent No. 6,085,192, which recently emerged from reexamination. Microsoft recently announced Messaging and Security Feature Pack (MSFP) for Windows Mobile 5.0 and Service Pack 2 (SP2) for Microsoft Exchange Server 2003. Direct Push technology in MSFP and Exchange Server 2003 SP2 is designed to allow Exchange Server to send messages and other PIM information directly to Windows Mobile 5.0 devices over the air (OTA) through wireless accounts.

http://www.freepatentsonline.com/6023708.html
A system uses a global translator to automatically synchronize multiple copies of a workspace element across different formats between multiple sites in a secure network environment, independent of whether the sites are protected by site firewalls. The secure network environment includes a global server connected to multiple clients. The system includes a first store for storing a first workspace element in a first format, a second store for storing a second workspace element which is an independently modifiable copy of the first workspace element in a second format, a communications channel coupling the first store to the second store, synchronization means for synchronizing the first workspace element and the second workspace element, and a translator for translating between the first format and the second format.

Actually looks like this has been going on for a while .. check this out: http://whohastimeforthis.blogspot.com/2005/12/truth-behind-vistos-lawsuit-against.html

WindowsPowerShell [Get-Acl / Set-Acl]

by ucinfo, posted in Flaphead, MsExchange, Powershell

So might have guessed with my previous transport post that now I wanted to automated the moving of the logs and database to another drive.

It is nice and simple, you can create a folder on the new drive and change the paths in the EdgeTransport.exe.config and by using Set-TransportServer.

BUT I discovered that some of the folders have specific permissions, mainly for the NetworkService.

So what to do?

Well you can use Get-Acl and the acl list from the source folder, and you can then apply that to the new destination and it works like a dream, except for two gotchas.

1) You can’t have the Network Service as the owner of a folder

2) You need to remove all the permissions on the destination folder and then add the new ones.

 

#1 was quite simple, basically to set the owner of the source folder (oldpath) to be the administrators group and then take a snap shot of the acls and transfer them:

$tmpACL = Get-Acl $OldPath

IF ($tmpACL.owner -MATCH “NT Authority”)
{
#You can’t have any NT Authority groups as an owner.
#replace with administrators
#Reset the Owner and get the permission again
[System.Security.Principal.NTAccount]$newOwner=”Administrators”
$var=get-item $Oldpath
$acl=$var.GetAccessControl()
$acl.SetOwner($NewOwner)
$var.SetAccessControl($acl)
$tmpACL = Get-Acl $OldPath
}

#2 was a challenge.  I was going round and round in circle as I couldn’t remove the premissions on the newfolder.  Then then penny dropped, they are inherited from the folder above, so you need to remove the inheritance.

#Remove inheritance from the folder so you can remove the ACLs
$newAcl.SetAccessRuleProtection($true,$false)
Set-Acl -AclObject $tmpACL -Path $NewPath
$NewAcl = Get-acl $NewPath

And that was it .. cool!

So I created this function.  To use it pass the following:

DoNewFolder -old  -new  -makefldr 1

Enjoy and let me know what you think

 

Function doNewFolder($OldPath,$NewPath, $makefldr)
#Get original ACL and put it on new path
#Create the new folder
{

$makefldr=1 #0=No, 1=Yes

## Parse paramaters (specified as “-paramname paramvalue”)
for($i = 0; $i -lt $args.Length; $i++)
{
switch ($args[$i])
{
“-makefldr”
{
If ($args[$i+1]) {$makefldr = $args[$i+1] ; $i++}
}
“-Old”
{
If ($args[$i+1]) {$OldPath = $args[$i+1] ; $i++}
}
“-new” {
if ($args[$i+1]) {$NewPath = $args[$i+1] ; $i++}
}
}
}

IF ($doDebug) {write-Host $OldPath}
IF ($doDebug) {write-Host $NewPath}
IF ($doDebug) {write-Host $makeFldr}

#Test the OldPath to make sure it actually exists
$tmpErr = “Nothing”
$tmpErr = get-item $oldPath -ErrorAction SilentlyContinue
if ($tmpErr -eq $Null)
{
If ($makefldr = 1) #create folder for newPath of its equal to 1
{
Write-Host “Creating ” $Oldpath
MD $Oldpath -ErrorAction SilentlyContinue | out-Null
}
}

If ($makefldr = 1) #create folder for newPath of its equal to 1
{
Write-Host “C
reating ” $Newpath
MD $Newpath | out-Null
}

$tmpACL = Get-Acl $OldPath

IF ($tmpACL.owner -MATCH “NT Authority”)
{
#You can’t have any NT Authority groups as an owner.
#replace with administrators
#Reset the Owner and get the permission again
[System.Security.Principal.NTAccount]$newOwner=”Administrators”
$var=get-item $Oldpath
$acl=$var.GetAccessControl()
$acl.SetOwner($NewOwner)
$var.SetAccessControl($acl)
$tmpACL = Get-Acl $OldPath
}

#Get the ACLs for the new path
$NewAcl = Get-acl $NewPath

#Remove inheritance from the folder so you can remove the ACLs
$newAcl.SetAccessRuleProtection($true,$false)
Set-Acl -AclObject $tmpACL -Path $NewPath
$NewAcl = Get-acl $NewPath

#Loop the existing ACLs on the NewFolder and remove them
$tmpcnt = $newacl.access.count
for ($i = 0; $i -lt $tmpcnt; $i ++)
{
$NewAcl.RemoveAccessRule($Newacl.Access[0])
}

#Add SDDL from the old path
$NewAcl.SetSecurityDescriptorSddlForm($tmpACL.SDDL)

$tmpAclAccessCount = 0
$tmpAclAccessCount = $tmpACL.Access.count

#Loop the Access Rules from the old path and add them to the new one
for ($i=0; $i -lt $tmpAclAccessCount; $i++)
{
$NewAcl.SetAccessRule($tmpAcl.Access[$i])
}

Set-Acl -AclObject $tmpACL -Path $NewPath
}

Exchange 2007 Server Roles

by ucinfo, posted in Flaphead, MsExchange

So we all know that you run Get-ExchangeServer it will list all the Exchange servers you have the roles that have installed on them.

This cool, but it you want to anything clever, you may think you need to parse the ServerRole value to find the role.

Well I discovered this.  The ServerRole value actually has a Value__ (that is 2x underscore suffix) that give you what looks like a bitmask for the ServerRoles.  How cool is that.

Get Server Roles for the current Server
$server = hostname
$serverroles = get-exchangeserver -identity $server
$RoleVar = $serverroles.ServerRole.Value__

2 #MBX Role
4 #CAS Role
6 #MBX & CAS
32 #HUB Role
34 #MBX & HUB
36 #HUB & CAS
38 #MBX & CAS & HUB
64 #EDG Role

So does anyone have a UM server isntalled so I can complete the bitmask map above?

Exchange 2007 Transport Server

by ucinfo, posted in Flaphead, MsExchange

So here I am playing with my test lab.  I installed ForeFront my my Hub and Edge transport servers and I started to get these in the application event log:

Event Type:    Warning
Event Source:    MSExchangeTransport
Event Category:    ResourceManager
Event ID:    15002
Description:
The resource pressure is constant at High. Statistics:
Queue database and disk space (“C:Program FilesMicrosoftExchange ServerTransportRolesdataQueuemail.que”) = 59% [High] [Normal=55% MediumHigh=57% High=59%]
Queue database logging disk space (“C:Program FilesMicrosoftExchange ServerTransportRolesdataQueue”) = 59% [Normal] [Normal=91% MediumHigh=93% High=95%]
Version buckets = 1 [Normal] [Normal=40 MediumHigh=60 High=100]
Private bytes = 40% [Normal] [Normal=71% MediumHigh=73% High=75%]
Physical memory load = 69% [limit is 94% to start dehydrating messages.]
Inbound mail submission from other Hub Transport servers, the Internet, the Pickup directory, the Replay directory, and the Mailbox server, if it is on a Hub Transport server, has stopped.
Loading of e-mail from the queuing database, if available, continues.

And when I telneted to the server I would get this:

452 4.3.1 Insufficient system resources

… good ole back pressure! So, what to do?  Well I slapped another disk in and now I need to move the paths to my new G drive.  I thought, I know, run Get-TransportServer, find the paths and just change them!

Typically the folder structure under TransPortRules looks like this:

These are changed in EdgeTransport.exe.config:
 -data
–IpFilter <-IPFilterDatabasePath + IPFilterDatabaseLoggingPath
–Queue <-QueueDatabasePath + QueueDatabaseLoggingPath
–Temp <-TemporaryStoragePath

These are change by using Set-TransportServer
-Logs
–Connectivity <-ConnectivityLogPath ** Sometimes this does exist!?!
–MessageTracking <-MessageTrackingLogPath
–ProtocolLog
—SmtpReceive <-ReceiveProtocolLogPath
—SmtpSend <-SendProtocolLogPath
–Routing <-RoutingTableLogPath
–PipelineTracing <-PipelineTracingPath
-Pickup <-PickupDirectoryPath
-Replay <-ReplayDirectoryPath
-Shared

As I found out some of the folders may not exist, but they can still be changed using Set-TransportServer

Err no, you have one more step, as this doesn’t move the mail.que file.  You actually have to update EdgeTransport.exe.config.  When you open it up, you need to change the following lines

Oh by the way, you need to stop the MsExchangeTransport first before you can do this.