Category Archives: General Stuff

HA vs BC

From an article I’m working on, the difference between high availability and business continuance succinctly expressed:

Availability measures how much use we get out of a system before it fails, or between failures. Business continuance (BC) is different; it means being able to continue business operations (possibly with some degraded capacity) while a recovery operation is in progress. A simple example might help: if your building has an automatic emergency generator, that’s HA. If you have to bring in your own generator from home, that’s BC.


Filed under General Stuff, Musings

Reversal in Councilman decision

Last year, I wrote about US v. Councilman, a court case in which the initial ruling seemed to indicate that it was OK to intercept others’ email under certain conditions. Yesterday the First Circuit Court of Appeals issued a new ruling, essentially reversing the old one. Councilman was indicted in 2001 for violating the US federal law covering wiretapping because he was using procmail to copy inbound messages to hosted users on his server. The case was originally dismissed based on Councilman’s claim that the messages he copied were in “electronic storage” (which has a narrow meaning under the 1968 wiretap law), and that what he did wasn’t technically “interception” as defined in the law. The government appealed, and now the Court of Appeals is siding with them. Read their ruling for yourself; after I have time to dig into it a bit more, I’ll have more to say (bearing in mind, of course, that I’m not a lawyer and don’t give legal advice.)


New Mac Messenger client does LCS

Finally! Microsoft’s released Microsoft Messenger:mac 5.0, which can use both the MSN Messenger service and Live Communications Server 2005. It fully supports TLS and Kerberos (although you’ll need to read this reskit paper to turn Kerberos on). It also supports PIC for LCS if you’re using it. In my tests over the last few months, I’ve found it very stable. It just works. If you’re using a Mac, give it a try. (now, if we could only get a new version of the suck-a-delic Windows Media Player for Mac…)


Reason #54 to deploy Windows Rights Management

See above: how much would you pay for a solution that actively prevents people from using “reply-all” to mass-distribution mails? (RMS does lots of other neat stuff, too, that I’ll be writing about in the future.)


Scalix announces wireless email

Here’s an interesting tidbit: Scalix announced today that they’re going to ship a wireless solution for their messaging product, based on Notify’s product. Pricing and availability weren’t announced; from a functionality standpoint, Notify has a pretty nice solution in terms of the range of devices and OTA methods they support. However, this may add significantly to Scalix’ “flyaway” cost, making them potentially less attractive compared to Exchange 2003. No word yet either on whether Scalix will require device or mobile CALs in addition to mailbox CALs. Developing…


RPC-over-HTTP considered harmful, if you don’t understand what it’s for

Bruce Schneier is a smart guy, but he also has a strong anti-Microsoft bias. That’s why it’s no surprise to see this article, in which he lambasts Microsoft for “building in security bypasses”. What’s he talking about? A quote from Microsoft’s Martin Taylor:

For example, this new feature tool we have would allow me to tunnel directly using HTTP into my corporate Exchange server without having to go through the whole VPN (virtual private network) process, bypassing the need to use a smart card. It’s such a huge time-saver, for me at least, compared to how long it takes me now.

Of course, that’s our friend RPC-over-HTTPS. I think Schneier missed the point because he misunderstands the intent of the feature, which is to allow mail-only access from remote systems. It’s true that VPNs allow for secure remote access to many different types of resource, often using multi-factor authentication. It’s also true that many VPN systems (particularly the clients) are unstable and difficult to use, particularly from locations like hotels and airports where the network provider may not be clueful. The RPC tunneling feature allows secure access to email only without a VPN. This is actually a security benefit.

Why? Think of what happens when you connect a remote computer via VPN: you’re allowing it unrestricted access to your entire corporate network. That means that when Joe Executive’s home machine connects via VPN it has free roam of the network. That places a mighty high premium on ensuring that the remote machine is uncompromised, hence the interest in network access protection (but that’s a solution for another day). As an admin, if I have users who only need email, I’m perfectly happy for them to use RPC-over-HTTPS instead of VPN because then I know that their machines are very unlikely to be able to cause damage to other machines on my intranet, no matter how crap-infested they may be. Couple RPC tunneling with an application-layer RPC scanner (like the one in ISA Server 2004) and you’re better off than you would be with a pure VPN solution.

Some of the comments on Schneier’s post make good points about the tradeoff between usability and security, including one guy who asks why VPNs are so hard to use. That’s for another post, unfortunately.


Escape from Yesterworld

The MS SQL Server 2005 and Visual Studio 2005 teams have a hysterical site called “Escape from Yesterworld” that casts IT development as something out of Flash Gordon. The overall site design is brilliant, and there are some extremely amusing video clips there, including:

Well worth a look– I give it two thumbs up.


Enabling and disabling MAPI access

Yesterday I wrote about Simon Butler’s quest to prevent individual users from sending messages via MAPI. In related news, the Exchange team blog has a great post today explaining how Exchange 2003 SP2 gives us the ability to block individual users from using MAPI. The good news: because the MAPI blocking is added to the existing ProtocolSettings mechanism for blocking other protocols, you can use the same script to block or allow multiple protocols at once. The bad news: as with Simon’s original question, this method doesn’t stop existing connections; it only blocks new ones. Still, this is a valuable new capability to have.
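As an added illustration of the ProtocolSettings mechanism (my own example, not code from the Exchange team post or from Simon): the attribute is a multi-valued string on the user object, and each value is a record whose fields are separated by the section sign, with the first field naming the protocol and the second acting as the enable flag. The Python below rewrites a set of values so that several protocols are blocked or allowed in one pass, which is the "same script for multiple protocols" point above. The sample values are constructed, the HTTP/POP3/IMAP4 record shapes are the usual Exchange 2003 defaults, and the bare MAPI record used when a user has no MAPI entry yet is my recollection of the SP2 documentation and should be checked against the team post. Writing the result back to Active Directory is an LDAP/ADSI operation not shown here.

```python
# Added example (mine, not from the Exchange team post): model the per-user
# protocolSettings attribute that Exchange 2003 SP2 extends to cover MAPI.
# Each value is a section-sign-separated record: field 0 names the protocol,
# field 1 is the enable flag ("1" = allowed, "0" = blocked); the remaining
# fields hold protocol options and are preserved exactly as found.

SEP = "§"  # the section sign used as the field separator

# Constructed sample of one user's existing protocolSettings values
# (the HTTP/POP3/IMAP4 shapes are the usual Exchange 2003 defaults).
SAMPLE_SETTINGS = [
    "HTTP§1§1§§§§§§",
    "POP3§1§4§ISO-8859-1§0§1§0§0§0",
    "IMAP4§1§4§ISO-8859-1§0§1§0§0§0",
]

# Records used when the user has no entry for a protocol yet. Assumption:
# the MAPI record shape is my recollection of the SP2 documentation.
DEFAULT_RECORDS = {
    "MAPI": "MAPI§1§§§§§§§",
    "HTTP": "HTTP§1§1§§§§§§",
    "POP3": "POP3§1§4§ISO-8859-1§0§1§0§0§0",
    "IMAP4": "IMAP4§1§4§ISO-8859-1§0§1§0§0§0",
}


def set_protocols(values, changes):
    """Return a new list of protocolSettings values in which every protocol
    named in `changes` (e.g. {"MAPI": False, "POP3": True}) is set to the
    requested state. Existing records keep their other fields; protocols
    with no record get the default record with the flag set accordingly."""
    wanted = {p.upper(): enabled for p, enabled in changes.items()}
    out, seen = [], set()
    for value in values:
        fields = value.split(SEP)
        proto = fields[0].upper()
        if proto in wanted and len(fields) > 1:
            fields[1] = "1" if wanted[proto] else "0"
            seen.add(proto)
        out.append(SEP.join(fields))
    for proto, enabled in wanted.items():
        if proto in seen:
            continue
        if proto not in DEFAULT_RECORDS:
            raise ValueError(f"no default record known for {proto}")
        fields = DEFAULT_RECORDS[proto].split(SEP)
        fields[1] = "1" if enabled else "0"
        out.append(SEP.join(fields))
    return out


def is_enabled(values, proto):
    """True unless an explicit record disables the protocol; with no record
    at all Exchange treats the protocol as allowed."""
    for value in values:
        fields = value.split(SEP)
        if fields[0].upper() == proto.upper() and len(fields) > 1:
            return fields[1] != "0"
    return True


if __name__ == "__main__":
    # Block MAPI and POP3 for the sample user in a single pass.
    blocked = set_protocols(SAMPLE_SETTINGS, {"MAPI": False, "POP3": False})
    for v in blocked:
        print(v)
    print("MAPI allowed:", is_enabled(blocked, "MAPI"))
```

As the post notes, flipping the flag only affects new connections; a user who is already connected keeps that session until it is torn down, so for a departing employee this is one control among several rather than the whole answer.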


Bluetooth needs a bluedentist

Wow, this article made my head hurt. David Berlind of ZDNet documented all the stuff he had to do to get his XV6600 to work via Bluetooth as a modem for his laptop. I admit that I never bothered to try this while I had a loaner XV6600, fearing that it would be too hard to be worthwhile. Here’s Berlind’s conclusion:

OK, now that we’re done, and some of you now have the best step by step you’ll ever find for getting a DUN connection working with Bluetooth, what does it tell you that takes nearly 40 distinctly separate screen shots or photos to document something that should be a lot simpler?

It tells me that I’m sticking with my aircard, thankyouverymuch.


Stop me before I mail again

Exchange MVP Simon Butler posed what seems like a simple question: how do you stop a user from sending mail? The answer is deceptively complex; we’ve been debating this on an MVP list for a few days now.

Say you have a MAPI user. You disable the associated Active Directory account, either by disabling the account or by changing the password. In either case, the user can still submit mail to the information store! In the case of a password change, the user will be asked to authenticate again, but if she cancels the password dialog, she can still send– she just can’t receive new mail! That might be a problem in case of an employee who’s leaving (voluntarily or not), although a measure of physical access control will help.

You can kill the MAPI session, but that doesn’t do anything to stop the user from reconnecting from the client side, at which point you’re back to square 1: the user can still send mail. (This doesn’t seem to be true if the user quits and relaunches the client after you kill their session, though).

For other protocols, it’s easy to prevent users from connecting and sending mail. For example, for IMAP, POP, or HTTP connections, you can just remove the user’s ability to use those protocols by using the Exchange Features tab in AD Users and Computers.

If you want to block all users, you can do that too: KB 288894 describes how to limit MAPI connections to particular versions of Outlook, so just set the registry key to deny from the current version (which I think is 11.0.6352.0) backwards. For HTTP, you can either set an IP address restriction on the Exchange vdir (thanks, KC!) or stop the w3svc, although this will have other effects. For that matter, if you want to prevent all client access, stopping store.exe will do the trick nicely, at the cost of a service interruption.
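An added example (mine, not from KB 288894 or the post) that models the server-wide "Disable MAPI Clients" value the KB documents under the Information Store's ParametersSystem key. My reading of the syntax, which you should confirm against the article, is a semicolon-separated list of inclusive version ranges written low-high, where an empty side leaves the range open. The Python below builds the "deny from the current build backwards" value described above and checks which client versions it would refuse; the version 11.0.6352.0 is taken from the post, and the other version strings are constructed.

```python
# Added example (mine, not from KB 288894 or the post): evaluate the
# server-wide "Disable MAPI Clients" REG_SZ value that the KB documents under
#   HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
# Assumed syntax (my reading of the KB; confirm against it): ranges separated
# by ";", each written "low-high" and inclusive at both ends; an empty side
# leaves the range open, so "-11.0.6352.0" denies every build up to and
# including 11.0.6352.0. A lone version denies exactly that build.


def parse_version(text):
    """'11.0.6352.0' -> (11, 0, 6352, 0); shorter strings are padded with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def parse_ranges(value):
    """Turn the registry string into a list of (low, high) tuples; None on
    either side marks an open end."""
    ranges = []
    for chunk in value.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "-" in chunk:
            lo, hi = chunk.split("-", 1)
            low = parse_version(lo) if lo else None
            high = parse_version(hi) if hi else None
        else:
            low = high = parse_version(chunk)
        if low is not None and high is not None and low > high:
            raise ValueError(f"inverted range: {chunk!r}")
        ranges.append((low, high))
    return ranges


def is_blocked(value, client_version):
    """Would a MAPI client reporting client_version be refused by the store?"""
    v = parse_version(client_version)
    return any((lo is None or lo <= v) and (hi is None or v <= hi)
               for lo, hi in parse_ranges(value))


def deny_through(version):
    """Build the value the post describes: deny from this build backwards.
    Note the range is inclusive, so clients on exactly this build are refused."""
    parse_version(version)  # validate before emitting
    return "-" + version


if __name__ == "__main__":
    value = deny_through("11.0.6352.0")  # version quoted in the post
    print("Disable MAPI Clients =", value)
    # Constructed client builds to check against the value.
    for client in ("9.0.0.3821", "11.0.6352.0", "11.0.6353.0"):
        print(client, "blocked" if is_blocked(value, client) else "allowed")
```

Because this is a store-wide setting it cuts off every MAPI user at once, which is why the post treats it as the "block all users" option rather than a per-user control.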

Perhaps MS will fix this in Exchange 12.


Finding connectivity in South Dakota

I leveraged McDonald’s wireless service when I was in rural Louisiana, but it looks like I’ll have a tougher time getting connected while I’m at Sturgis. The nearest McD locations to Hill City, where we’re staying, are in Rapid City, and none have Wi-Fi. Verizon’s coverage map shows no coverage for Hill City, although the surrounding areas have digital service– hopefully I’ll be able to use my aircard. There’s a local ISP, RapidNet, that may be able to help, too.


Turning DDoS attacks around

Interesting press release this morning from Blue Security, touting their new “Do Not Intrude Registry”. The basic concept is simple: you sign up for their service and install an agent on your local computer. Blue creates honeypot mailboxes, which it then monitors. If spammers spam those mailboxes with messages that don’t comply with the CAN-SPAM law, Blue asks the spammers to stop. If they don’t, the Blue agent (which they call a Blue Frog, after the blue poison arrow frog) starts spamming the spammers by posting junk data to their order form. This is no big deal if only one agent does it– but the agents are cooperative, so if the spammer sends out 10,000 messages, they get 10,000 junk order submissions.

The PR calls this “ethical and effective”. I disagree on both counts; it’s nothing more than a botnet in disguise. If it’s wrong for J. Random Attacker to mount a DDoS against a website they don’t like, it’s wrong for Blue to mount DDoSes against spammers. Despite the fancy language deployed by Blue’s CEO in this InformationWeek article, it’s pretty clear that this is a clear-cut DDoS approach– Blue is trying to hit the spammers where it hurts by degrading their operational capacity to take orders.

I don’t condone spammers, but descending to their level isn’t an ethical approach. In a remarkable coincidence, most of the sentiment on /. seems to agree that this is a bad idea.

Update: but don’t take my word for it; legendary guru John Levine has weighed in with his thoughts (including the interesting fact that Blue tried to get sponsorship from a number of anti-spam orgs, all of whom rejected the idea).


Great article on SP2 spam filtering

I missed this in all the hubbub here at el rancho, but Alexander Nikolayev posted a terrific treatment of the Exchange 2003 SP2 anti-spam process at the Exchange team blog. He covers how the new SPF/Sender ID filtering process works in conjunction with the existing filtering features. Exchange 2003 SP2 is the only spam filter that Microsoft’s using for their 90,000+ worldwide mailboxes; I think that’s a pretty strong endorsement of its capabilities.


Microsoft buys FrontBridge

Just got the press release: Microsoft is buying FrontBridge, a hosted message hygiene service provider. This is primarily interesting because of FrontBridge’s strength in compliance solutions; they have a broad range of services built around compliance for email and IM. Their hosted anti-spam services got good props from eWeek, but I think the combination of their data centers (which promise a 99.999% uptime SLA) and their compliance services opens the door for MS to diversify beyond Windows OneCare into a broader scope of direct service provision. I can’t wait to see what part they play in the promised Exchange 12 updates for better compliance and message hygiene.


IIS 6 metabase auditing

Unless you read the “Book of SP1” very closely, you might have missed out on the fact that Windows 2003 SP1 enables auditing of metabase object access. The IIS documentation for the feature is of little help, since it’s missing some steps. This can be very handy for Exchange administrators, given how much heavy lifting the IIS core components do. IIS MVP Ken Schaefer has written a simple explanation of how to configure metabase auditing here.
