Exchange-Genie

Today Microsoft announced that is has RTM’d the Winodws 7 phone

http://windowsteamblog.com/windows_phone/b/windowsphone/archive/2010/09/01/windows-phone-7-released-to-manufacturing.aspx

Today Microsoft announced that Exchange 2010 SP1 has been released (http://msexchangeteam.com/archive/2010/08/25/455861.aspx). As with most service packs, Exchange SP1 has introduced a number of new features and improves on an already stable and scalable mail system.

Today Microsoft released a tool to block Dll load hijacking attacks, more information can be found in the articles below.

http://www.computerworld.com/s/article/9181518/Microsoft_releases_tool_to_block_DLL_load_hijacking_attacks

The tool can be downloaded here

http://support.microsoft.com/kb/2264107

There have been reports of issues with some Droids and Exchange Server reported http://phandroid.com/2010/08/10/issues-with-exchange-on-the-droid-x-motorolas-giving-you-touchdown-for-free/ Motorolla is giving droid users a free liscense for thier TouchDown Exchange Active Sync program.

the droid market place has been an open environment and recently malicous apps have been found on the market place and downloaded by millions

http://androidcommunity.com/android-users-hit-with-data-theft-by-malicious-app-20100729/

http://www.phonearena.com/htmls/Malicious-banking-app-found-in-the-Android-Marketplace-article-a_8744.html

Third party audits now show Apple lead the industry in security issues 

http://www.esecurityplanet.com/trends/article.php/3894886/Apple-Has-the-Most-Security-Vulnerabilities-Report.htm

Secunia study

http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf

Did you know that you can share and colaborate information for free on facebook with Docs.Com that is run by Microsoft

http://www.docs.com

Did you know that you can use Microsoft office in the cloud for free, thats right Word, Excel, PowerPoint and OneNote for free

http://office.microsoft.com/en-us/web-apps

Today Microsoft released the Exchange UM 2010 Troubleshooting Tool the tool can be downloaded here

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=10d2e48f-0846-40b6-b08f-d282309811a2

1. Introduction

Windows Vista introduced a new feature called Bitlocker that can be enabled to provide volume level encryption for hard drives and is commonly used for portable devices like laptops. Bitlocker can also be used to secure server hard drive or any other machine/device.  Windows 7 have expanded on the feature of Bitlocker and enables the ability to encrypt portable devices like flash drives as well.

 

2. Enable Trusted Platform Module (TPM)

TPM is chip that is added to the local motherboard that can be used for encryption purposes (more information can be found here http://en.wikipedia.org/wiki/Trusted_Platform_Module ) and will need to be enabled if we are using TPM based encryption. I must note that your machine does not require a TPM chip to enable bitlock as other methods can be enabled.

**Note there a many BIOS manufactures and each one may have different steps to enable TPM**

1. Reboot/Boot machine

2. Press F2 to access the BIOS setup (this may be different depending on the BIOS)

3. Scroll down to the Security section

4. Expand TPM Security

5. Select ON-> Enter

6. Press ESC -> Save/Exit changes

7. Select F2 to access the Bios setup

8. Scroll down to the Security section

9. TPM Activation -> Activate

10. Press ESC

11. Exit BIOS and boot to OS

3. Enable Bitlocker

To enable Bitlocker functionality we need to enable the group policies that provide the functionality we with to deploy like requiring a startup pin at boot.

Enable Pin

1. Start –Run –MMC (if prompted to elevate permission click continue)

2. File – > Add –Remove snap in

3. Select Group Policy Object Editor -> Add

4. Leave the default of local and click finish

5. Click OK

6. In the Local Computer Policy window expand Computer configuration -> Administrative Templates -> Windows Componets -> BitLocker Drive Encryption

7. Select Control Panel Setup: Enable advanced startup options -> Properties

8. On the properties menu – select Enabled and under Configure TPM startup Pin set the option to Allow users to create or skip

9. Click OK

10. Close the MMC Window

11. Click Start -> Settings -> Control Panel

12. Launch the BitLocker Drive Encryption icon (if prompted to elevate permission click continue)

** If you receive the warning message below please verify you have done the steps outlined in the section Enable TPM (Dell D620) **

1. If you have not installed the Bitlocker/EFS update please see section 3.1 – Preparing Your Drive.

14. Select the Turn On Bitlocker icon

Note: Once you have encrypted your system drive you will be able to encrypt other volumes

15. The initialization screen is presented

16. On the Set Bitlocker startup preferences select the Require PIN at every startup

17. Input a pin that has a minimum of 4 numbers

18. Click SET PIN

19. Select Save the password in a folder

Note: This key cannot be stored on the drive you are encrypting, as this may be needed if a recovery scenario occurs

20. After saving the files click Next

21. Leave the default to run a system check and click continue

22. Select Restart Now to reboot and start the bitlocker process

23. On reboot you will be prompted to enter your Bitlocker pin to boot the computer

24. If you have additional drives please go back to step 13 and repeat the required steps for the additional drives

3.1 Preparing Your drive

1. Select “Setup your hard disk for BitLocker Drive Encryption”

2. Run Windows Update and download “Bitlocker and EFS enhancements”

3. Launch the “BitLocker Drive Preparation Tool”

4. Click “I Accept” on the BitLocker Drive Preperation Tool

5. Click “Continue”

6. Allow the drive preperation to complete

7. click “Finish”

8. Click “Restart Now” to reboot the computer

9. After the reboot, you are returned to the screen presented in Section 3 – Enable BitLocker, Step 14

If you have been an administrator of an Exchange Server for a number of years you know there has been a few pain points related to OWA logon and expiring passwords.  I have managed system that we sent out regular system messages to the user before their password expired to remind them to change their password yet quite often the user would forget. 

There are two common password scenarios that occur:

1. When a users password has expired and they attempt to logon to OWA the user fails to logon and receive a generic error message.

2. When a new user account is created and an administrator wants to force the user to change their password at next logon, however the user will not be able to logon to OWA

Exchange 2007 SP3 and Exchange 2010 SP1 have remedied the two issues above by creating a new module in IIS that detects a user has an expired password or the user account is set to “user must change password at next logon”. 

You may ask what do I need to do?

http://technet.microsoft.com/en-us/library/ff607232(EXCHG.80).aspx

1. Log on to the Exchange server that is running the CAS role by using an account that has local administrator rights

2. Start Registry Editor, and then locate the following registry subkey:

3. HLKM\SYSTEM\CurrentControlSet\Services\MSExchange OWA

4. Create the following DWORD value if it does not already exist:

5. Value name: ChangeExpiredPasswordEnabledValue type: REG_DWORDValue data: 1

6. Exit Registry Editor

7.  From a command window perform an IISReset

Let walk through some tests:

1. Create a new user called PwdTest

a. Open EMC

b.  Expand Recipient Configuration and select Mailbox

c. From the actions pane select New Mailbox

d. On the new Mailbox wizard select “User Mailbox” and click Next

e. Select New User and click Next

f.  Input PwdTest for the userId information and validate the check box “User must change password at next logon”

 

g. On the Mailbox Settings page leave the default and click Next

h. On the Archive Settings check the radius button “don’t create an archive” and click Next

i. On the New Mailbox page click New

j.  Click Finish to complete the mailbox creation

2. Now that we have created our new mailbox and have the account set to force a password change for our user we need to attempt to logon to OWA

a.  Open the OWA logon Page and attempt to logon with our new user PwdTest

b.  Notice we receive a generic password error message

3.  As we see the logon fails until we modify the Registry of our CAS server

a. Start the Registry editor : Start – Run –RegEdit
b. Expand to  HLKM\SYSTEM\CurrentControlSet\Services\MSExchange OWA

c. Create the following DWORD Value: ChangeExpiredPasswordEnabled

d.  Set the value to 1

e. Exit Registry Editor

f.  From a command window perform an IISReset

4.  Now that we have created the appropriate Registry key we can attempt to logon to OWA again

a.  Open the OWA logon page and attempt to logon with the PwdTest user

b. We are now presented a change password form

c. After completing the form you will receive and successful change message

d. You are now presented the OWA logon form again. Attempt to logon with the newly created password

e. you now have a successful OWA logon