Security Flaw in Remote Desktop

March 13, 2012 1 comment

3/16/2012 UPDATE:

Exploit code published for RDP worm hole

————————————-

I don’t always post on Windows security updates, but when I do, it’s a Dos Equis near to my heart!  Do you use Remote Desktop?  Of course you do.  That’s why you need to install this update immediately:

MS12-020: Vulnerabilities in Remote Desktop could allow remote code execution

This is important for anyone running just about any version of Windows, but especially if you’ve got any machine exposing Remote Desktop directly to the internet (such as a Terminal Server).  Fortunately there is a mitigation for those who just cannot patch tonight: enable NLA for your Remote Desktop connections.

RDP - Network Level Authentication

Read more here.
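If you want to script the NLA mitigation rather than click through the System Properties dialog, here is an added example (my code, not from the original post or from Microsoft) that audits the RDP-Tcp listener and turns NLA on. It assumes an elevated PowerShell session on Windows Vista / Server 2008 or later, where NLA exists; setting SecurityLayer to 2 (TLS) is an extra hardening step I added alongside the post’s NLA advice.

```powershell
# Added example: audit and enable Network Level Authentication (NLA) on the
# RDP-Tcp listener as an interim mitigation while MS12-020 is being deployed.
# Assumes an elevated session on Vista/2008 or later (NLA is not on 2003/XP hosts).

$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-NlaState {
    # UserAuthentication = 1 means clients must authenticate (CredSSP) before a
    # session is created; SecurityLayer = 2 forces TLS for the transport.
    $p = Get-ItemProperty -Path $rdpTcp -Name UserAuthentication, SecurityLayer
    [pscustomobject]@{
        NlaRequired   = ($p.UserAuthentication -eq 1)
        SecurityLayer = $p.SecurityLayer
    }
}

function Enable-Nla {
    # Same registry change the "Allow connections only from computers running
    # Remote Desktop with Network Level Authentication" option makes in the
    # System Properties > Remote tab.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $rdpTcp -Name SecurityLayer     -Value 2 -Type DWord
}

$before = Get-NlaState
if (-not $before.NlaRequired) {
    Write-Warning "NLA is not required on $env:COMPUTERNAME; enabling it now."
    Enable-Nla
}

# Verify the result; existing sessions are unaffected, new connections get NLA.
Get-NlaState | Format-List
```

Remember that older clients (Windows XP SP3, for example) need CredSSP enabled before they can connect to an NLA-only host, so check your client population before flipping this on a Terminal Server.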

Hop to it!  Microsoft says not to wait for a normal patch-cycle on this one…

Dealing with PST Files

January 30, 2012 4 comments

Chances are, if you read my site, you also read the Exchange team blog.  This means you’ve seen the PST Capture Tool!  I’ve had a chance to work with this tool for a little while now and have found it to be a delight!

PST File

“PSTs are bad M’kay?“

This is a line we’ve all recited a time or two (ok maybe not exactly that line), but do we even know why?  Are we just parrots, or do we actually have a reason for condemning this hugely prolific file format?

Let’s start by acknowledging that PST files aren’t all bad.  M’kay?  If you run Outlook at home, or if you use IMAP/POP-based accounts (Gmail, Hotmail, etc) at work, using a PST file can actually be a good idea.  While it is possible to direct internet mail to the Exchange mailbox, this would create several problems:

  • Wasting expensive Exchange disk space
  • Potential violation of company policies
  • Internet mail is now subject to corporate retention (and discovery!) policies
  • Makes moving to a job more painful
  • etc.

AutoArchive Group Policy Settings

I’d even go so far as to say you might want to use PST files for archiving corporate email, if you run a small shop – or a big one that isn’t subject to any retention policies.  A group policy configuring AutoArchive (and a note to your users) might be a good way to implement spring cleaning in your Exchange data stores.

See, PST files actually can serve a purpose!

Then there is the other side of the coin:

In most situations, PST files represent unmanaged storage of email.  For someone who is charged with administering an email environment, this means we aren’t able to do our job.  If users begin to rely on something that we aren’t taking care of, what happens when it breaks?  We’ve all had the uncomfortable task of telling someone we can’t get their data back at least once in our careers.  It doesn’t make for fun times.

More important than our comfort, many organizations are subject to regulations which require them to turn email data over to the courts upon request.  A judge won’t want to hear your sob story about how PST files aren’t searchable, and how you’re going to have to look across the whole network by hand to find that email thread.

I recently completed an Exchange 2010 deployment for a government organization that was subject to such legislation.  Once we activated the Personal Archive for their users, they decided to put the kibosh on PST files.  To enforce this, we laid out a three-phase approach:

  1. Prevent the users from making new PST files
  2. Prevent the users from adding content to existing PST files
  3. Use the above-mentioned PST Capture Tool to import PSTs as necessary

The first two steps were quite simple to accomplish.  Outlook reads a registry value called PSTDisableGrow (REG_DWORD).  We deployed a GPO to implement this as follows:

Outlook 2003

HKCU\Software\Microsoft\Office\11.0\Outlook\PST\

Outlook 2007

HKCU\Software\Microsoft\Office\12.0\Outlook\PST\

Outlook 2010

HKCU\Software\Microsoft\Office\14.0\Outlook\PST\

Set PSTDisableGrow to “1” (without the quotes).  This will allow users to mount PST files in Outlook, but it will not allow any new content to be placed within.  Don’t worry about overkill here.  I used a single GPO for all 3 settings.  Outlook version X doesn’t care about extra registry settings in Outlook Y’s key.

PSTDisableGrow has some siblings; read more about DisablePST, DisableCrossAccountCopy and DisableCopyToFileSystem here.
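As an added example (my own script, not something from the original post), here is the registry side of that GPO expressed in PowerShell, so you can apply it to a test account or verify that the policy actually landed on a user’s workstation. It assumes it runs as the user whose HKCU hive you want to check and uses exactly the three version keys listed above.

```powershell
# Added example: set and verify PSTDisableGrow for Outlook 2003/2007/2010.
# PSTDisableGrow = 1 lets users open existing PSTs but blocks adding content
# to them (phase 2 of the approach described in the post).

$versions = @{ 'Outlook 2003' = '11.0'; 'Outlook 2007' = '12.0'; 'Outlook 2010' = '14.0' }

function Get-PstKeyPath([string]$Version) {
    "HKCU:\Software\Microsoft\Office\$Version\Outlook\PST"
}

function Set-PstDisableGrow {
    param([int]$Value = 1)   # 1 = block growth, 0 = allow (for rollback)
    foreach ($name in ($versions.Keys | Sort-Object)) {
        $key = Get-PstKeyPath $versions[$name]
        # Create the key if that Outlook version is not installed; as the post
        # notes, an unused version simply ignores the extra value.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name PSTDisableGrow -Value $Value -Type DWord
    }
}

function Get-PstDisableGrow {
    # One row per Outlook version, so a missing or wrong value stands out.
    foreach ($name in ($versions.Keys | Sort-Object)) {
        $key = Get-PstKeyPath $versions[$name]
        $v = (Get-ItemProperty -Path $key -Name PSTDisableGrow -ErrorAction SilentlyContinue).PSTDisableGrow
        [pscustomobject]@{
            Outlook        = $name
            Key            = $key
            PSTDisableGrow = $v
            Enforced       = ($v -eq 1)
        }
    }
}

Set-PstDisableGrow -Value 1
Get-PstDisableGrow | Format-Table -AutoSize
```

Run Get-PstDisableGrow on its own after a gpupdate to confirm the GPO wrote the value; Outlook must be restarted before it honours the change.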


That’s all for now, have a great week!

Exchange 2010 Service Pack 2

December 5, 2011 5 comments

Today, Microsoft released SP2 for Exchange 2010.  Version 14.2 (Build 247.5)

You can download the RTM here.

As previously announced, the major features for this update focus on the following areas:

  • A “Hybrid Configuration Wizard” (HCW) – which is used to guide administrators through the Office 365 Rich Coexistence setup.  BTW, you’ll notice Microsoft actually no longer uses the phrase “Rich Coexistence”, but instead prefers “hybrid” configuration.
  • Address Book Policies (ABP) – which allow an Exchange organization to segment the address list so that separate user populations can be hidden from each other (such as in a multi-tenant environment).  Here is an article that describes how this works, as well as another discussing some of the limitations.
  • Cross-Site Silent Redirection for OWA – which allows more seamless OWA redirection in a multi-site topology.
  • OWA Mini – which provides a text-only OWA experience so that you can use OWA from phones that do not support ActiveSync.

Here are some other fun facts:

  • Exchange 2010 SP2 extends the schema.  One interesting change is the new msExchExtensionAttribute attributes.  We’ve had 15 custom attributes for a while now, but this adds 30 more, all of which are multi-valued.  For your reference, Microsoft tracks Exchange schema extensions on this page.
  • Administrators can now disable the auto-mapping of user mailboxes in Outlook 2007/2010.  This may be helpful if a user has the “Full Access” permission to many other mailboxes.  By default, Outlook will try to mount all of them which could cause performance issues.
  • You’ll need to add the “IIS 6 WMI Compatibility” component if you are upgrading from RTM or SP1.  A fresh install would offer to add this for you, but if you’re upgrading, you’ll need to add it yourself.  You can easily add the IIS role service with the following two PowerShell commands:
        Import-Module servermanager
        Add-WindowsFeature Web-WMI
  • On some new hardware, I clocked the upgrade at ~22 minutes.  Ironically, Exchange Update Rollups often take longer than this!

Office 365: Past, Present and Future – a Planet Technologies Webcast

November 22, 2011 Leave a comment

Office 365: Past, Present and Future – a Planet Technologies Webcast

Planet Technologies is hosting a free webcast in which we will be providing some tips, insights and updates on Office 365 and Exchange Online.

If you’re interested in attending, or would like to read the agenda, please see the registration page below.


-REGISTER NOW-

About Planet Technologies

Planet Technologies, a leading Microsoft partner with multiple gold competencies, is recognized world-wide as a leading expert in the integration and customization of Microsoft technologies, architecture, security and management consulting. Planet’s clients include some of the largest public sector and commercial organizations in the world.

Learn more at www.go-planet.com

Office 365 DirSync (x64) Installation Walkthrough

November 21, 2011 5 comments

As Microsoft has already stated, the new 64-bit version of DirSync.exe is not installed or configured differently than its 32-bit predecessor.  However, as a tinkerer, I wanted to verify this and have a look under the hood anyway!

Below are some screenshots of my experiences and insights along the way:

Before you start: Read and follow the instructions!  In this article, I assume you’re at the point where you’re actually ready to install this product.

1. First I installed the .Net Framework prerequisites as well as my favorite MMC snap-ins onto a new Windows 2008 R2 server. You can do this using the following two lines in PowerShell:

        Import-Module ServerManager
        Add-WindowsFeature NET-Framework,RSAT-ADDS -Restart

2. Then I ran dirsync.exe (downloaded from the portal.microsoftonline.com site).

a. NOTE: Microsoft didn’t bother to change the installer’s executable name (dirsync.exe). This may be confusing if you plan to download and store both x86 and x64 versions.

DirSync Install Screenshots

3. A few clicks of the “Next” button…

DirSync Install Screenshots

a. NOTE: We install to the “Program Files” directory. If this were an x86 application we’d be using “\Program Files (x86)”

DirSync Install Screenshots

b. NOTE: This screen may take 5-10 minutes. It’s installing a few things in the background:

i. SQL 2008 R2 Express

ii. Forefront Identity Manager 2010 (FIM)

iii. Configuration of the FIM Management Agents (MAs)

DirSync Install Screenshots

DirSync Install Screenshots

4. Once the background tasks have completed, you’re able to run the Configuration Wizard. This is where you will need to have your Office 365 tenant prepared and credentials identified, etc.

DirSync Install Screenshots

5. Next…

Directory Synchronization Configuration Wizard Screenshots

6. You should have created this account earlier. Whatever you put in here will be stored within FIM, and if you ever change the credentials, you’ll need to re-run this setup wizard.

Directory Synchronization Configuration Wizard Screenshots

a. Or for the expert user: Dive into FIM directly

Directory Synchronization FIM Management Agent

7. Here you need to supply your forest’s Enterprise Admin credentials. This username is not saved anywhere, and is only needed once to set permissions for these new objects:

a. Yourdomain\MSOL_AD_Sync

b. Yourdomain\MSOL_AD_Sync_RichCoexistence

Directory Synchronization Configuration Wizard Screenshots

8. Selecting this box enables some extra features required for a “hybrid deployment” / “rich coexistence”, and by doing so you’ll allow FIM to update attributes IN YOUR Active Directory. If this box is not checked, FIM will be read-only.

Directory Synchronization Configuration Wizard Screenshots

9. Next..

Directory Synchronization Configuration Wizard Screenshots

10. If you’re ready, you can run the initial full synchronization now. Otherwise, you can run it manually at any time.

a. Once configured, DirSync runs every 3 hours.


11. If you promise to be careful, you can poke around in the FIM configuration.

a. Note the “hidden” client UI

b. If you get an error when opening the FIM console, log out and then back in. Your account was added to some groups that are not yet part of your login ticket.

c. Clicking the Management Agents tab shows both sides of your configuration. “TargetWebService” is responsible for all of the Office 365 configurations and the “SourceAD” management agent contains your Active Directory connector information (double-click them to open).

NOTE: Changing the DirSync configuration directly within FIM is unsupported by Microsoft. They would prefer you rerun the previously mentioned Configuration Wizard if you need to make any changes.

C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe

Unable to connect to the Synchronization Service

Directory Synchronization FIM Management Agents

12. Finally, be sure to run Microsoft Update again. You’ll notice that SQL 2008 R2 does not have SP1.

Download Service Pack 1 for Microsoft® SQL Server® 2008 R2

A New Version Of Office 365′s Directory Synchronization Tool Has Arrived!

November 17, 2011 1 comment

Most medium and large organizations using Microsoft’s Office 365 service will also be using “DirSync” to provision and manage user identities. Until now, DirSync has been based on ILM 2007 FP1, which is a functional, but older application, with no x64 support. This means when installing DirSync onto a server, you had to go out of your way to deploy the Windows Server 2008 operating system since the Server 2008 R2 OS is x64 only.

ILM was replaced by Forefront Identity Manager (FIM) 2010, which uses the x64 CPU architecture and therefore runs on Windows Server 2008 R2 as well.

Today (finally), Microsoft announced DirSync can now be downloaded for use with the 64-bit architecture.  This is great news for new Office 365 customers – no more legacy software needed.  However, this does raise a question for existing DirSync users: How do we migrate?

You should check out the announcement for details, but essentially, you reformat and rebuild.  Wait!  Before you start muttering nasty things about Microsoft – the new installation of DirSync will find all of the identities currently in Office 365 and match them up with the appropriate Active Directory accounts in your environment.  There is no downtime for the users. 

Exchange Connections Slide Decks

November 4, 2011 1 comment

Thanks to all who attended my sessions at Exchange Connections in Las Vegas this week!

As promised, I have uploaded the slides. You can download them here:


If you’re looking for slides from other presenters, you can find them here:

