Today I had a chance to interview the accomplished author and founder of KnowBe4, Stu Sjouwerman on the subject of Ransomware. Stu shared some great insight and real world experiences in dealing with ransomware outbreaks and the realities we’re faced with (e.g. actually paying the ransom).
If you missed it, you can view the recording for free, here:
A few days back, I had an opportunity to chat with Paul Cunningham on his Exchange Server Pro Podcast. Paul is a world-renowned Exchange Server expert and Microsoft MVP, based out of Australia. We discussed ways to protect Exchange from attack, along with other security concepts while responding to the recent news around “OWA Vulnerabilities”.
If you’ve got 30 minutes , check it out!
Podcast Episode 4: Securing Outlook Web App (OWA) and Exchange Server with Mike Crowley
3/16/2012 UPDATE:
Exploit code published for RDP worm hole
————————————-
I don’t always post on Windows security updates, but when I do, it’s a Dos Equis near to my heart! Do you use Remote Desktop? Of course you do. That’s why you need to install this update immediately:
MS12-020: Vulnerabilities in Remote Desktop could allow remote code execution
This is important for anyone running just about any version of Windows, but especially if you’ve got any machine exposing Remote Desktop directly to the internet (such as a Terminal Server). Fortunately there is a mitigation for those who just cannot patch tonight: enable NLA for your Remote Desktop connections.
Read more here.
Hop to it! Microsoft says not to wait for a normal patch-cycle on this one…
Recently, I had a chance to chat with Richard Campbell and Greg Hughes on the popular RunAS Radio Show. The topic was Information Rights Management and how it relates to Exchange Server. This was also a feature I demonstrated on stage at the Exchange Connections event in Orlando earlier this year.
If you’re not sure what IRM is or does, or if you wish to learn more about it, be sure to tune in on May 4th to listen to show #210!
There has been a security breach identified with many Comodo Certificates.
Comodo CEO Melih Abdulhayoglu calls the breach the certificate authority’s version of the September 11th terror attacks!
If you’re running Windows you need to apply this patch immediately.
http://support.microsoft.com/?kbid=2524375
If you’re using Mac or Linux, this affects you too, however I do not have links for you at this time.
Just a quick note to remind everyone that Service Pack 1 for Windows 7 and Windows 2008 R2 has just now become available for download on TechNet & MSDN.
If you don’t have a TechNet or MSDN subscription you should see it on the Microsoft Download sites next Tuesday. [EDIT: Here is the download Link]
Be sure to check with each product group before installing this. Obviously it is supported with the OS itself (clustering, Hyper-V, RDS, etc) but you should seek a direct support statement like the one the Exchange group published.
You should also validate your 3rd party applications. You’ll note there may be some issues with VMware, for example…
For more information such as release notes or articles on what’s new, visit this page:
Windows Server 2008 R2 Service Pack 1
Finally, here is a screenshot:
Version 6.1.7601 Service Pack 1 Build 7601
In a previous post, we took a look at Microsoft’s Forefront product line and saw where the new server management tool: Forefront Protection Server Management Console (FPSMC) fit in. In this article, we will install FPSMC.
Before we start clicking, I’d like to point out a few important notes:
As well as some system requirements:
You’ll also want to create a service account for the encryption of data between primary and backup servers.
Once you’ve got the above prerequisites in place, you’ll run the setup file and complete the product installation. In the below demonstration, I did not deploy a SQL server, so the installer configured SQL 2008 Express on my behalf. Additionally, if you do not have the Chart Control component listed above, you’ll be given a link to go get it.
Here are the installation screenshots:
![clip_image002[4]](https://mikecrowley.files.wordpress.com/2010/12/clip_image0024.jpg "clip_image002[4]")
![clip_image006[4]](https://mikecrowley.files.wordpress.com/2010/12/clip_image0064.jpg "clip_image006[4]")
![clip_image008[4]](https://mikecrowley.files.wordpress.com/2010/12/clip_image0084.jpg "clip_image008[4]")
![clip_image010[4]](https://mikecrowley.files.wordpress.com/2010/12/clip_image0104.jpg "clip_image010[4]")
![clip_image012[4]](https://mikecrowley.files.wordpress.com/2010/12/clip_image0124.jpg "clip_image012[4]")
![clip_image014[4]](https://mikecrowley.files.wordpress.com/2010/12/clip_image0144.jpg "clip_image014[4]")
![clip_image016[4]](https://mikecrowley.files.wordpress.com/2010/12/clip_image0164.jpg "clip_image016[4]")
![clip_image018[4]](https://mikecrowley.files.wordpress.com/2010/12/clip_image0184.jpg "clip_image018[4]")
Once the installation has completed, a program shortcut will be placed in the Start menu’s program list. You can launch FPSMC from here, or directly via the following hyperlink:
In the next article, we’ll discuss adding and managing servers running Forefront Protection for Exchange 2010.
I try to avoid reposting other people’s blog articles, as I am a man of efficiency and do not appreciate the extra clutter on the internet. 
However sometimes I cannot resist!
In a previous post, I claimed Microsoft’s Network Monitor was my favorite protocol analyzer. Recently I learned about a site with several instructional videos on this product; which is good, because using a protocol analyzer is anything but intuitive!
Apparently some of the videos date back to the ancient times of 2008, but there are fresh ones included as well:
To view them, check out this site:
Do you use Forefront products to protect your Exchange or SharePoint environment? Do you have more than one server that you’d like to manage centrally?
If your answer is “yes” to both of those questions, this post is for you! In this multi-part article, I’ll show you how to install and use Microsoft’s latest (free) Forefront management product:
Forefront Protection Server Management Console (FPSMC) 2010 (Release Candidate)
However, before we start, I’d like to provide you with some Forefront orientation. It seems that title “Forefront” is starting to mean so many things these days. Hopefully this table will help put some of the product names into perspective:
(Online services not listed)
That’s quite the moving target for us trying to learn!!
As you can see FPSMC has had a few different names so far. In fact, Microsoft was going to release this as “Forefront Protection Manager”. Talk about an identity crisis!
Now, if you are familiar with the existing Forefront Server Security Management Console (FSSMC) product, take a moment to note the differences between it and the new FPSMC:
So now that you have some background, let’s get on with it, shall we?
As I suggested above, FPSMC is a product we’d install to centralize our management of Forefront Protection 2010 for Exchange Server and SharePoint. It does this through a web-interface, SQL and FPSMC agents running on each Forefront-protected server.
For a brief intro on the console, read this help article excerpt:
…[FPSMC] deployment allows administrators to deploy various files and settings to all or selected servers in the enterprise. Using the FPSMC, you can deploy the following to remote servers:
- FPE and FPSP service packs and patches
- Policies for configuration management
- Forefront Protection product activation keys
- Scan engine signature file updates (to centralize the update procedure)
- Jobs that send reports on a fixed schedule
In addition, you can retrieve the following from remote servers:
- Quarantined data.
- Centralized reporting allows administrators to more closely monitor the servers in the enterprise and evaluate the effectiveness of antivirus software. The FPSMC collects statistics from all of its managed servers and stores them in a central repository for later analysis. Reports provide information about the trends in virus, filter, and update activity for each individual server or the entire enterprise.
Data retrieved by FPSMC will be stored in Microsoft SQL Server®. It can be stored in SQL Server 2008 Express Edition, which is a version of SQL Server with limited features. Alternately, data can also be stored on an existing Enterprise SQL Server 2008—locally or remotely—using SQL or Microsoft Windows® authentication.
In addition to the help article, here are some additional published resources on this product:
We’ll compare the scripts to the new FPSMC product later in this article.
In the next part of this article, we’ll identify the prerequisites for FPSMC and begin our installation.
Read Part 2: http://wp.me/pAAoj-8h
Many of my colleagues use tools like Wireshark or Ethereal to capture network packets, but I can honestly say that I prefer Microsoft’s “native” tool over the 3rd party alternatives.
Early on, there was no competition. NetMon was lacking in many key features, but over the years (especially since version 3x) it’s gotten a lot better.
My favorite feature is NetMon’s ability to group traffic by the application that generated it. To my knowledge, Wireshark and Ethereal cannot do this. The feature is of course useful when you want to quickly locate traffic from a source without first filtering on ports and addresses.
So as mentioned in the title, version 3.4 of Network Monitor was released today! You can download it for yourself here:
If you have an earlier version installed, you do not need to uninstall. The 3.4 installer will upgrade it.
For more information about Network Monitor, including this version, stop by the NetMon blog here: http://blogs.technet.com/b/netmon
I have not seen any release notes published on the web, but you can find them, including a “What’s new” within the program installation directory.
I’ll save you the trouble by listing them here:
—————————————–
What’s New in Network Monitor 3.4
—————————————–• User Interface Refresh: The Network Monitor UI has evolved. New features
have been added and previously hard-to-find features have been made more
readily available:
• Parser Configuration Management: Parsers are now installed with profiles
that allow you to easily switch between parser configurations with the
Parser Profiles toolbar button. These configurations are also cached,
removing the need to recompile when you switch between them.
• Column Management: Network Monitor will automatically choose a column layout
based on the type of file being opened. This column layout is applied to the
Frame Summary Window. This layout can be modified and saved for future use.
In addition, two extra layouts for HTTP and TCP diagnostics are included.• Color Rules: Network Monitor can now save sets of Color Rules to files for
easy sharing. You can also right-click in the Frame Summary and Frame Details
windows to add a new Color Rule.• Window Layout Dropdown: The new window layout dropdown provides multiple
configurations for window arrangement. You can move windows by holding down
the Shift key while clicking on their title bars. Arrangements are saved
for each of the three layout options. The Restore Default Layout option
will reset the currently selected layout back to the default.
• “Live” Experts: Experts can now be run during a live capture session. Also,
experts that have been recently installed now appear automatically in the
Experts menu, without requiring you to open another tab.
• Fixed-Width Font: You can now use a fixed-width font in the Frame Summary window.
• Auto-Apply Aliases: Aliases are now automatically applied and re-applied
when created using the right-click add-to-alias feature.
• High Performance Filtering: Network Monitor will now enter a high-performance
capturing mode when you specify fully qualified capture filters with certain
fields in the UI or nmcap (e.g. Frame.Ethernet.IPv4.TCP.Port == 8080).
• UTC Timestamps: Network Monitor will now capture and save Time Zone related
information in a trace. By default, traces opened with Time Zone information
will automatically have times adjusted to your local Time Zone. The original
time or Time Zone can be viewed by adding the “Time and Date” column or viewing
the Properties under the File menu.
• 802.11n & Raw IP Frame Support – Network Monitor now supports monitor mode on
802.11n network on Microsoft Windows Vista SP1 and later operating systems as
well as Raw IP Frames on Microsoft Windows 7.• Process Tracking in NMCap: It is now possible to capture process tracking
information in the NMCap command-line tool. It will automatically be enabled
when using a filter, or can be manually enabled using the “/CaptureProcesses” flag.
1. Use this link to generate the cmdlet structure for your PowerShell command. This will output the CSR https://www.digicert.com/easy-csr/exchange2007.htm
2. Send the CSR to a trusted provider.
a. Entrust is my favorite but GoDaddy is the cheapest. Other UCC vendors include DigiCert and Comodo.
b. More detail here: http://support.microsoft.com/kb/929395
c. You’ll notice VeriSign isn’t on this list. They DO offer UCC but only if you spend thousands in their managed PKI program…
3. While Windows Mobile support all of these vendors, understand that the iPhone and Palm may not.
a. Palm doesn’t support UCC at all, but you can get around that by using a UCC / SAN cert anyway, and just putting the OWA/ActiveSync FQDN as the primary name in the certificate. It just can’t read the alternate fields.
4. Once you get the certificate back, rename it to a .cer file
5. Open PowerShell again and type: Import-ExchangeCertificate c:\filename.cer
6. Type Get-ExchangeCertficate to see your new cert at the top of the list. Copy the thumbprint to the clipboard.
7. Then type: Enable-ExchangeCertificate –Thumbprint xxx –services iis, smtp, pop, imap, um
a. Don’t list all the services unless the role is actually installed on the box itself
b. If you intend to use the same cert on multiple servers, understand that may break your agreement with the Certificate Authority, and you have to import the key pair on the 2nd server before step 6 works.
Misc:
Mike Crowley's Whiteboard 