Scoble's raving about how sexy the new Lenovo Thinkpad X41 is. He's right, but here's the weird thing: where's Lenovo? In Ballmer's keynote yesterday, the X41 was on stage for a total of about 90 seconds. Instead of showing it, it got a brief mention and then Ballmer took it off-stage. The script surrounding its appearance sounded like a bad TV commercial. This would have been a perfect opportunity to showcase what makes the X41 special, or at least to include it in a demo of some kind. We've had a great deal of success including the Tablet in our line-of-business demos; for example, BJ Holtgrewe could have showed his stuff on a Tablet and then disconnected it to roam around the stage, just to highlight his claims about what Maestro and the Outlook managed-code support in Visual Studio could do. I know that IBM's former Thinkpad marketing folks now work for Lenovo, but suddenly they seem to have gone tone-deaf. What's up with that?
Update: I spent a few minutes playing with an X41 Tablet at IBM's booth. Terrific form factor, and it has the same solid feel as my T41 (and its predecessor T30, and the T20 I had before that, and the 600E I had before that). I think IBM's going to sell a lot of these.
Opening riff: Samantha Bee interviewing people in the audience. Medium-funny. We all want to give information workers a wedgie!
Paul Flessner onstage, "interviewed" by Bee. "This morning, he's the Techie Show's special senior connected systems correspondent."
Flessner: IT's a tough job. Budget's always cut. Clinton imitation: "I feel your pain." Bee: "Can you honestly echo his quote that he didn't inhale?" Big laughs. Funny story about accidentally powering down a rack of 3380s.
Now Flessner's presentation starts. "You might be asking yourself, what's a connected system?" Interesting slide showing progression of connectivity from first telegraph msg to first transoceanic cables to radio and TV to ICs and the Internet to the 2000 release of .NET.
Talking about the change in business application architecture from mainframe (monolithic, multi-function) to mini (monolithic, multi-function, with separate client). Wrong factoring for large-scale async applications. Refactor multiple functions of monolithic apps into cloud of web services, each offering well-defined independent services that are atomic and don't share context or state. Clouds of composite applications that federate data ("Federated data-- I'm not advocating it, but it's sort of a fact of life") and identity. "I'm not saying that you have to throw out your existing systems and rewrite... but it is something to think about. Think hard about breaking down into atomic services."
Three pillars: highest developer productivity, mission critical abilities, better business decisions. Have to enable both data and process.
Update: SQL Server 2005: integrated with VS and .NET to deliver integrated debugging / development. "No one in the world who wants to ship SQL Server 2005 more than me." Develop and debug code on client, midtier, and back-end from directly within VS. CLR now deeply embedded in SQL Server. Service broker (async queuing and messaging), cache sync, native XML database support. [ed: nothing new here that I can see, and I don't know much about SQL Server 2005]
Update: BizTalk Server 2006. Integrated with SQL and VS 2005, one-click deployment. Big win: simplified setup [ed: that's one of the biggest pains with BizTalk 2003-- it's extremely difficult to set up and get going] "You're going to get a lot of stuff for free in terms of ?? or SQL Server".
Announcing: RFID infrastructure from Microsoft. [ed: I got it wrong yesterday-- I thought the demo was supposed to be yesterday-- no demo yet, though] Partnership between Symbol, Printronix, and MS. No timeframe; "you should sort of expect it in the 2006 timeframe."
Update: Visual Studio and VS Team System. [ed: this is super cool and is MS' attempt to kick Rational in the butt] Load testing, profiling, test coverage, other QA tools integrated into a "more sophisticated and more scalable" source code control service. "We're super excited about it... A lot of partners already plugging in and extending this".
50-75% code reduction for most scenarios of web dev and smart client dev. Better perf and offline experience for web apps; ClickOnce for smart client apps. CacheSync provides local caching of back-end data under developer control. "It will be difficult to buy a non-64-bit machine in, say, 24 months."
Demo: Brian Keller, PM for Visual Studio. His mom's in the audience! Demoing app showing counts of attendees in various locations via RFID. Now showing graph of number of attendees vs number of proctors in hands-on labs. [ed: cool, but scary; this isn't really anonymous even though they keep saying it is] VS 2005 supports smart tags [ed: great feature!] Large library of "code snippets" "that you don't have to develop or test". Demoing RFID monitoring of a piece of equipment as it moves around.
[ed: I see something that looks like a BattleBot on stage] Sure enough, that's Flessner's missing hardware. It runs on the .NET Compact Framework. The 'bot is delivering a Portable Media Center. "First RFID raffle ever". [ed: I didn't win]
Announcing: $50K Connected Systems Developer Competition. No real details.
Video featuring Xerox application developers. [ed: Borrring.]
Update: Samantha Bee again demoing the SQL Server 2005 Technical Benefits Translator. First benefit (availability): "Downtime is for suckers" [ed: my new email signature!] Second benefit (security): "Hey, hackers, bite me!" Third (scalability): "SQL Server 2005 is like spandex pants." "No matter how big you get, they still fit!"
Update: Flessner's back. Safe synchronous database mirroring or
Talking about security now. "I apologize for [Slammer] again today." Showing critical security bulletin count of SQL vs Oracle. 2002: 11 for MS vs 20 for Oracle; 2003: 2 vs 13; 2004: 1 vs 74; 2005: 0 vs 2. [ed: source for this is vendor sites, osvdb, and Secunia]
Key security measures: surface area reduction, enhanced security (native encryption, cert mgmt, password policy enforcement, auditing & authZ). SQL Best Practices Analyzer ([ed: great! the Exchange BPA is a terrific tool].)
Rockin' TPC numbers: $5.38 TPC-C and $54 TPC-H (1 TB), compared to $6.49 and $119 for SQL 2000. Same hardware for SQL 2000, SQL 2005, and Oracle: Oracle is $8.33 TPC-C and $68 TPC-H. [ed: lots of fine print on this slide detailing the exact HW config and results]
Update: Francois Ajenstat, GPM for SQL Server, coming onstage to demo. Cool moving-bars perfmon application showing SQL 2000 vs SQL 2005 on identical HW. 64-bit version of SQL 2005 on Win 2003 x64. [ed: No surprise: much better perf due to much larger cache.] Here comes the BattleBot; it's attacking the network switch that connects the SQL Server 2005 32-bit demo machine. [ed: it's all pyro, no actual metal was bent] Failover worked well, though.
Update: Samantha Bee again with the head of "None of Your Business". "We follow the IBM/Oracle model... You pay to put information into a database, and if you really need it back, you pay to see it again."
Update: Back to Flessner. "Business activity monitoring is to business what BI is to data." Integrates SQL reporting services and "Office Scorecard Accelerator". Integrate, then analyze, then report. Announcement: SQL Server Reporting Services will be available in all SQL 2005 editions.
Demo: Donald Farmer, GPM for SQL Server. Stopwatch demo: Farmer has 8 minutes to do some reporting. Data mining over the output of a conditional split. [ed: Lots of clicking, so I can't follow step by step.] Prediction value of data seems low-- 0.26 or thereabouts. Showing wizard for creating report based on analysis. Flessner: "Kind of ugly, isn't it?" Farmer: "It does look like a report done in 5 minutes, doesn't it? Typical real-world scenario: he asked me to clean his dirty data, I did it in half the estimated time, and he's still not happy." Lots of applause and laughter.
Now showing visual report builder to prettify the report appearance.
Announcing: SQL Server 2005 launches week of November 7. BizTalk 2006 CTP starts now; SQL Server 2005 CTP starts June. Free Standard Edition of SQL Server Standard Edition for all TechEd attendees.
Gartner revenue market share numbers 2004: IBM 34.1%, Oracle 33.7%, Microsoft 20%. "sort of an option to port to Linux; haven't discussed that with Bill lately". IDC's unit share numbers: IBM has 7%, Oracle has 25%, Microsoft has 41%. "We took share" from IBM and Oracle. "How does IBM have the #1 revenue share and the lowest unit share? Let's take a look." Enterprise unit share: 9% IBM, 29% Oracle, 34% Microsoft.
Pricing: base product, 1 CPU, base price for enterprise edition of base product. Oracle $40K, IBM $25K, Microsoft $25K. Upcharges for manageability, availablity, clustering, BI, and multi-core. Final price for dual-core with all options: $232K for Oracle, $330K for IBM on AIX (they don't charge for multi-core on x86/x64).
I spent most of the day yesterday in a fairly small room that was filled to bursting... with information on Exchange 12. This release is going to rock. I'm immensely enthusiastic about some of the improvements, particularly around unified messaging, message hygeine, and scalability-- all areas where Exchange already has a strong competitive advantage. Of course, it's too early to talk about most of the changes, but Dave Thompson's presentation yesterday covered some of the biggest highlights.
This week I had to choose between going to TechEd and attending Apple's WWDC. The big WWDC news: Apple will start shipping x86 Macintoshes in
2007 next year. Wow.
Update: Edited to change the shipping date; Apple is shipping x86 machines starting next year. Also, I've seen several questions in various places asking whether Apple will allow running Mac OS X on other vendors' hardware. Phil Schiller says "heck no" in this interview.
If you're at TechEd, go by the O'Reilly Media booth and get a free sample of Exchange Cookbook content-- it's a nicely finished booklet that contains a dozen or so recipes that give you a flavor (pardon the expression) of what's in the completed book.
I couldn't get in to the "Exchange Today and Tomorrow" session-- by the time I got out of the keynote, which ran 30 minutes long, it was full. I went to John's session on FabriKam instead, and have been posting cookbook scripts in the background.
Thanks to the magic of Verizon Wireless, I'm posting live from Hall A at TechEd, where Steve Ballmer is about to take the stage for his keynote.
Update: Samatha Bee from The Daily Show is the emcee for the opener. She's doing some funny bits skewering Apple, IBM, eBay, and Google.
Update: Ballmer takes the stage and says "we got through the bubble" and we're "in a period of long-term, sustained, and positive growth". [ed: everything here on out is paraphrased unless it's in quotes] More pep and excitement in the industry. "I don't think there's ever been a better, more exciting time to be in the IT industry than right now." Impact of IT in the next 10 years will be bigger than the IT's impact in the preceding 10 years.
10-yr anniversary of Win95 launch, which had the most palpable excitement and energy of any product introduction. The next 10 years will be even more exciting and create even more opportunity for everyone in the room. Theme for my speech today: enabling people to drive business success.
"Each and every one of these scenarios is unfulfilled today": improving cust interaction, personal productivity, unified comms, supply chain optimization, team collab, finding information, spotting trends, engaging in business processes.
Update: Samantha Bee again (disclaimer: I don't know who she is and she's not all that funny). Employees are now repositioned as "free-range information workers". She's slagging users pretty bad. Top 5 most requested requests from information workers: one identity and password, online presence, network access, synchronization ("can't my BlackBerry do this now?"), self-service, rights management (labeled as "5 1/2").
Update: Ballmer takes the stage and introduces Avanade video. Ricardo Arroyo: can easily measure the benefits of self-service infrastructure. Closing line: "It's a great time to be an IT guy".
Ballmer again: Avanade wants to connect people and information. Need the tools to facilitate them delivering that connection. IWs inside Avenade are all IT professionals themselves. "Flywheel of activity": design & build with .NET, deploy and operate with Dynamic Systems Initiative (DSI), act and interact with "New World of Work" stuff. "We think we've come a long way" with .NET. Thanks to the .NET RDs.
Next piece: make sure those apps can be deployed and operated. Want to connect closely to design / build of new applications. Big DSI milestone: shipment of Visual Studio 2005, which will "actually connect the flywheel" where "you build the management instrumentation into every application you build".
New world of work builds on 3 principles: access without compromise, self-service infrastructure, "policy gives IT mgt control". built on presence, identity & rights mgmt, network access-- all implemented as shared infrastructure services. "More and more of what you provide, instead of being point solutions, can be infrastructure that IWs can provision themselves."
Rich comprehensive roadmap based on AD: 86% of large enterprises that use directories use AD, 41% use NT4 domains, 15% use NDS, 9% use eDirectory. "When we first brought AD to market, you were slow to adopt it... Good concept, but go back to work".
Windows R2 ships within the next 12 months with better branch office support, ADFS, and storage virtualization and support. New "Compute Cluster Edition" for grid computing. "We want to be the best" at a long lis of areas, including messaging, directory, and "all applications that are about connecting information workers to information. I think that is incontrovertible." "Investing in new scenarios where, if you will, we still have improvements to make and market share to gain."
"You can know without hesitation, no matter what you're trying to do, around Windows Server, it's the right tool for almost every job.
Update: Exchange 2003 SP2 and Messaging and Security feature Pack for Windows Mobile 5.0. "Some people say Microsoft's a good marketing company, but I have a hard time saying all that." "Direct Push" delivers always-up-to-date connectivity over a persistent IP connection. "The kind that we have not delivered, and RIM has historically. But we have also delivered that with no additional management cost". Policy based control for remote device wipe and PIN management. All included with Exchange. No additional licensing cost.
Exchange 2003 SP2 also ups the 16GB limit for Standard Edition and Small Business Server to 75GB. Install SP2; no other changes necessary.
Mike Hall joins Ballmer on stage. He's toting an X41 ThinkPad Tabler. [ed: I'm going to buy one as fast as I can] 6hr battery life, fingerprint reader. Ballmer took it offstage; now there's a video with a buy wo looks like Ed Brill sitting in the back of the cab calling his kids, his office, checking his email, etc. Guy drops his device as he gets out of the cab. Punk kid finds it. "Last year in Chicago, 85000 cell phones were lost-- that's 4 for every cab in Chicago". Guy's admin gets a call from his house telling her that "Dad lost the phone". She calls IT who says they can remotely wipe the device. Punk kid gives it back to the taxi driver.
Now Hall is demonstrating VoIP with Office Communicator and Exchange 2003 SP2 security features, along with MSN Desktop Search. Longhorn demo: "it's not so much about search, as about how you visualize information". Demoing filtering based on metadata (e.g. author, keywords). [ed note: Better UI than Apple's Spotlight.] Controls for minimum PIN length, inactivity lock time, local and remote wipe. Can define exceptions to wipe settings.
New Symbol MC50 device-- nice-looking device with QWERTY keyboard. Greatly simplified device-side setup user interface. Virtual Earth preview. [ed: this is wicked cool!]
Update: Samantha Bee again with interview on "IT pro-developer mediation techniques". Puppet show. Pretty funny.
Update: Ballmer again. .NET momentum is building; 43% "of all developers" use .NET as primary tool vs 35% using Java (Win32 non-.NET is #3). 90% of MS global accounts are using .NET in some way. Three important products: SQL Server 2005 with embedded .NET runtime; Visual Studio 2005 with .NET 2.0, and BizTalk Server 2006. Ideal for connected systems (instead of J2EE), lifecycle dev (instead of Rational), most demanding DB apps (instead of Oracle or DB2), and "lightweight web app development" (instead of LAMP).
.NET 2.0 is 25%-40% better than .NET 1.1 on Sun's WSTest 1.1, and up to 200% faster than WebSphere.
Update: BJ Holtgrewe showing VS 2005 features. New Outlook add-in support. Demoing integrated CRM and Maestro (new tool for BI, reporting, and scorecards). Links Outlook to SQL 2005 Reporting Services. Access to SharePoint, database, syndicated wbe search, and Outlook data. All synced using SQL Server Express for offline/mobility sync. Customer video: Bank of America and Korn/Ferry. "Everything revolves around your inbox, so why not plug everything into Outlook?" "Now it's all about funneling all of our information into Outlook." "We see Office as a platform."
Update: Ballmer again. Talking about Office 12 XML format. VS2005 delivers System Definition Model (SDM) info; SDM will be consumable by MOM and SMS in "System Center wave 2" coming in future. Bill Anderson from mgmt team doing demo showing remote reimaging and managing Solaris servers. Ballmer pulls two fans from the Sun server and MOM generates an alert. MOM-driven failover to backup Solaris box.
Update: Ballmer again. Security is job #1. Showing vulns YTD for Windows 2003 vs SuSE 9 vs RedHat 3. 1 high/29 other for Windows vs 28/136 and 14/174 for the other two. Similar counts for web server role (33 high/19 other for Win2003, 48/84 for RedHat minimum config, 77/97 for RedHat default config). Patching costs 13-14% less for Windows than Linux. "None of this is designed to tell you that our job is done. None of this is designed to tell you that we think our security job is done".
Announcing Microsoft Update: consolidated update service for consumer, small biz, medium biz, and enterprise. Automatic updates for low end, MBSA 2.0 for medium, Windows Server Update Services and SMS for medium-to-large.
Wrapup: "flywheel" graphic again. "We are committed absolutely to making sure that you have the leading-edge innovations that you need to be successful connecting people and information." Closed by thanking audience and giving out his email address.
[Ed: they handed out RFID tags at check-in, with a promised demo-- but then they didn't do the demo. I bet there's an interesting story there!]
I'd previously written about MS' support position on VERITAS Storage Foundation for Exchange. Sometime between then and now, MS released a KB article (895847) that sets out their support policy for hardware and software replication solutions. It outlines support boundaries for three important categories: asynchronous software replication, synchronous hardware replication in a geographically dispersed cluster, and sync hardware replication not in a dispersed cluster. Well worth a read if you're interested in this category of products.
I'm delighted to announce that the Exchange Server Cookbook (which I cowrote with Missy Koslosky, Devin Ganger, and Tom Meunier) is now available from Amazon! It should ship sometime next month... and yes, that is a baboon on the cover.
"Does Entourage use RPC-over-HTTP?" I've run across this question several times in the public newsgroups, on mailing lists, and in direct conversation. Now Mike Wendland's asking, so I figured I'd write a long answer and just refer to it in the future.
In the beginning, there was MAPI, the Mail Application Programming Interface. Microsoft Mail (remember that?) used MAPI, as did the long-forgotten Windows Messaging and Exchange Client applications. When the Outlook team began working on Outlook, it used MAPI also. MAPI communication between client and server are actually implemented using remote procedure calls (RPCs) that travel over the Windows RPC subsystem, which uses TCP ports 135 and 443 and UDP ports 137 and 139. Because early versions of Windows had a number of RPC-related security vulnerabilities, admins quickly learned to block these ports from the Internet, meaning that you had to dial in or establish a VPN session to get your mail with Outlook from outside the corporate network.
In the meantime, lots of other applications started tunneling their data over the standard HTTP port, TCP port 80. This has the advantage (for users) of letting these applications run without special permissions or changes to the firewall. With Outlook 2003, Microsoft implemented RPC-over-HTTP tunneling so that you can establish a native Outlook MAPI session from outside the firewall without using the default RPC ports. This is good from a security and convenience standpoint. Why security? Think about it: if you establish a VPN session, you're trusting the remote machine to be clean, and you're trusting the remote user not to do anything malicious on your network. With RPC-over-HTTP, all the remote user can do is get mail, so you don't have to worry that they're going to screw up anything else.
Entourage for Mac OS X doesn't use RPC-over-HTTP. Instead, it uses WebDAV, an XML-based technology that travels over HTTP connections. It has nothing to do with MAPI or with RPCs, and it works with Exchange 2000 and Exchange Server 2003-- RPC-over-HTTP requires Exchange Server 2003 running on Windows Server 2003.
Both technologies have the same effect: an outside user can establish a connection to the Exchange server using HTTP (which had better be protected with SSL) to talk to the server.
Now, on to Mike's specific question: Apple Mail 2 supports Exchange accounts using WebDAV, so if your employer supports WebDAV and is running Exchange 2000 or later, you should be good to go. You'll probably need to enter the same server name that you use for Outlook Web Access to get Mail to find the right server. Good luck!
Michael Murphy, a TechNet presenter for Microsoft, has been reading Secure Messaging with Microsoft Exchange Server 2003. So far, I like his approach to reviewing the book; he's posted an article that describes his reaction to the first two chapters, including an explanation of what's in them. One of the best parts of writing a security-focused book was that I had the luxury of including background material to help Exchange admins get the right vocabulary and mindset to talk security with real security folks. This makes my book very different from other Exchange books, since they normally have to cover so many topics that they can't provide much depth in any one area. In fact, the first five chapters are broad enough to be of interest to admins running any messaging or collaboration software on Windows-- so all you Notes folks who secretly read my blog, go get a copy :)
Congratulations to the Microsoft Office Communicator team! They just RTM'd their product. If you haven't already tried it, grab the evaluation version and give it a spin.
I was floored to hear about this, but maybe that just shows I need to get out more. Turns out that you can flip a metabase flag to get some additional control over SMTP relaying. By default, if you require authentication and list one or more allowed IP addresses, both of those restrictions apply. However, you can set the SMTPIPRestrictionFlag value to use the logical-OR of those two factors, so that you can relay if you authenticate or if you're coming from an allowed IP address. Mad props to Konstantin Ryvkin for admitting to this and to Devin for blogging it.
Singlefin announced today that they're giving away their hosted spam filtering service, free, to organizations with 10 or fewer mailboxes. The press release (which isn't on their site yet) quotes their CEO as saying "Of course, we know that small companies can become large companies and if we extend this generous offer now while they are still growing, we are confident it will translate into brand loyalty and solid customer referrals down the road". Here's the most interesting part:
Any organization anywhere in the world is eligible to take advantage of this protection without the need for cumbersome software or expensive hardware. Singlefin solutions are 100% managed or “hosted” meaning protection for customer networks is all enabled through network redirects. One simple change to a customer’s DNS enables 100% protection from spam, viruses and other malware via Singlefin’s Enterprise Email Filter. The Web and Instant Message Filters are enabled through similar network changes.
This is a terrific move on Singlefin's part; the incremental cost for them to host these small organizations is low, but the brand-building value is very high. There are so many anti-spam solutions on the market that it's hard for vendors to differentiate themselves, but this should definitely help build awareness of Singlefin.
My partners at 3sharp have been involved in a huge project over the last few months: building credible enterprise-level sample applications using Office as a development platform. Behold: Fabrikam, a Microsoft Office System Solutions Learning Platform! Hats off to Peter, John, Anup, Kevin, David, Chris, Greg, and Phil.
Now this is pretty slick: the Visio 2003 Connector for MBSA turns an MBSA scan into a color-coded Visio network diagram. (Actually, you have to create the network diagram first, but that's trivial with Visio 2003 Professional). What a great add-on to MBSA's built-in scanning functionality. Get it here.
Greg Hughes has a great dissection of his recent search for a replacement for his BlackBerry. In the end, he went back to the old familiar BlackBerry, but not until after he tried the Audiovox 5600, the SX66/XV6600, the Treo 650, and the BlackBerry 7100 series. He started with a BlackBerry device and tried the others to see how they compared as mobile email devices and as phones. Perhaps unsurprisingly, he ended up with his same preferred device. It's fascinating to see how big a role inertia plays in PDA/smartphone selection, compared to the larger mobile phone market. Of course, device cost (and the cost of installed software) make a huge difference. I considered the BlackBerry 7100s, but since I can't run any of my stable of useful Palm apps, that wasn't going to happen. (I still have to post a longer review of the XV6600, besides my initial thoughts).
Huge news from the Real-Time Communications product team at Microsoft. First, we'll be getting a Live Communications Server client for Windows Mobile devices sometime in the second half of this year. I've been happy using the MSN Messenger client that comes with the Windows Mobile-powered Audiovox XV6600, but being able to communicate with other corporate LCS users will be a huge win-- right now, if I want to IM with someone inside Microsoft's perimeter, I have to dig out the ol' laptop. MS hasn't yet announced pricing or functionality; I think it's safe to assume that the Windows Mobile client will have a subset of Office Communicator's functionality, in the same way that Pocket Outlook is a subset of desktop Outlook.
The other news astonished me: Research In Motion, producers of the BlackBerry line, have signed an agreement with MS to produce a Live Communications Server client for the BlackBerry platform. This is terrific news for the LCS team, and great news for BlackBerry users who want to combine their existing mobile e-mail service with IM and presence. Of course, it raises the bar for the Windows Mobile team, who now have to contend with the loss of what would otherwise have been a significant capability advantage. With Magneto around the corner, though, I bet they have some other tricks up their sleeve.
Update: looks like RIM's been busy; yesterday they also announced an agreement with IBM Lotus to provide a native Sametime client for BlackBerry. The plot thickens...
Amazon has a new feature with which they do various kinds of analysis on (many of) the books in their catalog. One of these analyses is the "statistically improbably phrase" test; this shows phrases for a given book that appear much more often in one book than in the whole corpus of books in their Search Inside program. For my book, here are the SIPs Amazon found:
relaying configuration, antivirus product vendors, relaying settings, archive sink, htr files, perimeter scanner, constrained delegation, check pox, default response rule, mailbox database, key archival, attachment access, perimeter network, message tracking, mailbox administrators, messaging security, retention categories, smart card enrollment station, machine certificates, delegate access, dialog hox, segmentation value, privilege escalation, inbound mail, event sink
Note "check pox" and "dialog hox"; those are probably my favorites. I can't wait to see what the list for the Cookbook looks like!
There's a fascinating thread of comments over at Ed Brill's blog on this post. Ed and Alan Lepofsky, along with various other luminaries in the Notes communities, have been having a generally professional discussion with Cliff Reeves of Microsoft. David Madison of Microsoft may have gotten the last word, though, as Ed has promised to turn off comments on the post. It's his blog, and so of course it's his right to do so, but I'm sorry to see it, since I think the exchange has been very illuminating-- particularly since Ed has (quite fairly) criticized Microsoft in the past for not taking part in strategy debates at various public conferences.
If Cliff, David, or any of the other participants in the thread who don't have their own blogs want to carry this on, I'll be happy to guest-post their comments here.
Another week, another event! This time, I was in DC, where I had a great group of attendees. The highlight was probably during my demo of Microsoft Office Communicator, when I accidentally called Devin. I'd forgotten that the SIP-to-PSTN gateway was active, and I right-clicked his name and used the "Call" context menu to show that his contact information was there, prefilled from my personal Contacts folder. I was quite surprised when Devin's phone started ringing in my computer speakers (and so was he), but we had a short call and the crowd loved it. It's always great to surprise people like that-- I think I may work it into my demo script as a permanent item. Live Communications Server 2005's voice and telephony integration is pretty compelling, and I'm glad that came out in the demo.
Microsoft has established a good pattern: they've been taking tools that they use internally, polishing them up, and releasing them as free tools through their web release (WR) program. This flow most recently brought us ExBPA 2.0, and now a new tool joins the family: the Exchange User Monitor, or ExMon. The cool thing (as Chris points out on the Exchange team blog) is that ExMon can both aggregate data and show you user-specific performance data. If you have a user or two who consistently complain about performance, ExMon gives you a quantitative tool to ID and fix the underlying problem. Check it out.
Wow, that's gotta hurt. This article, by Daniel Lyons, effectively claims that the air is going out of the Notes balloon, citing market share and revenue data from Gartner, IDC, Ferris, Meta, Radicati, and ITRG. It'll be interesting to see how IBM/Lotus respond to the article; with their 2004 numbers not yet released, the public data to refute some of Lyons' arguments may not be available yet.
So, yesterday I was in Manhattan, again. This time it was to attend IBM's "Microsoft Exchange Alternatives" seminar, held at IBM's building on Madison Avenue. I had to get up at 0400 to drive to Detroit and catch the first flight in to LGA; despite that, the flight was delayed. (That gave me time to finish a paper I've been working on, which I emailed from the back of the taxi on the way to IBM. Good news: I can send email from taxicabs. Bad news: sometimes I have to.) As Ed said, the seminar was well-attended, with about 20 folks in the room from a variety of customers.
There were four presenters: Ed did his overview of IBM's collab strategy; Jennifer Meade from ThroughBox IT did a somewhat lackluster review of three customer case studies, Henry Bestritsky from Binary Tree talked about their Common Migration Tool (CMT) and how it can be used to move from Exchange to Notes, and Brendan Crotty wrapped the morning up with a solid demo of the Domino Access for Microsoft Outlook (DAMO) tool.
Overall, I thought it was a good first effort. As I pointed out to Ed when I met him afterwards, there wasn't any convincing discussion about quantified business value. Interestingly, IBM had several Linux sales folks in the audience, and a common theme underlying Ed and Brendan's presentations was that IBM is promoting server OS choice. I'll save my analysis of that meme for another day :) I don't think the seminar content accurately reflected Microsoft's current collab strategy and why IBM thinks theirs is better. In fairness, that's not what this event was intended to cover. IBM did a good job of positively conveying their message, though, and I think mixing in the partners was a good touch.
How does this compare to our "Optimizing Collaboration and Communications" event? We have more demos, including an extended "day in the life" demo that lets me show how I actually use Microsoft's tools to get my daily work done. We also have a lot more quantitative information about the business benefits of extending Notes/Domino infrastructures with MS' tools. We'll see what Ed thinks when he attends our Chicago event.
Unlike Ed, I made it out of LGA before the weather turned bad :)
Getting on the bus well after it's left the station, Symbian announced today that they're licensing the Exchange ActiveSync protocol. With more than 25 million Symbian OS devices worldwide, this is a big announcement for both sides, although no firm timeline was disclosed. Symbian's already got a good mobile connectivity story; this makes it better while simultaneously highlighting Exchange 2003's advantages as a wireless messaging platform.
After seeing Ed Brill mention IBM's "Microsoft Alternatives" session in Manhattan next week, I decided to sign up for it.. or at least to attempt to. There's no online registration, so I sent mail to the listed address asking to register. No response. So, I tried again just now, and added a voicemail for good measure. Hopefully that will do the trick; it sounds like an interesting seminar.
Update: got the call yesterday; I'm confirmed, and looking forward to it. I don't know much about BinaryTree and their migration tools, so this should be a good learning opportunity.
This week I'm on the road in Boston and New York City, presenting the second and third iterations of the Microsoft "Optimizing Collaborations and Communications" roadshow that I wrote about last week. Yesterday's event was well attended, and the attendees asked some tough questions about Microsoft's C&C strategy. However, the session evaluation results indicate that they liked the answers they were hearing. MS' message-- that you can augment Notes/Domino installations by adding technologies that drive better business value-- seems to be resonating with these folks. Today, I go to Manhattan via the Acela (which I'll blog about later, or maybe during), then tomorrow it's St Paddy's Day in the Big Apple. I didn't bring anything green, so I need to do some shopping lest I face the wrath of the Irish.
The AP is reporting that Microsoft is buying Groove, which I think is great news. Groove adds some critical capacity to Office System and SharePoint. Lots of other folks will be analyzing this in more detail. The most interesting detail to me is that the AP's report says that Ray Ozzie is going to be the new Microsoft chief technology officer. That certainly raises some very interesting possibilities.
I'm supposed to be working on something else, but I couldn't resist the urge to answer Ed's post on the Microsoft Office Communicator launch, which in turn is in response to this Microsoft Monitor piece (which, by the way, contains a couple of errors).
First, let's consider public IM connectivity. Right now, if you want to interoperate with (say) AOL, you have to install AIM or an AIM-compatible client on your desktops... at which point you lose the security and compliance capabilities that Live Communications Server and Sametime/Workplace both offer. On the other hand, if you have a genuine business need for public IM connectivity, you can use the PIC feature of Live Communications Server to interoperate (selectively) with MSN Messenger, AIM, and Yahoo! Messenger users and still maintain both security and compliance. It's true that PIC is currently priced as a subscription. Ask yourself this: why did AOL suddenly decide to allow a competitor to interoperate? Normally their MO is to break interoperating clients as soon as they can get away with it. Are they getting a cut of the revenue? I don't know, but it certainly wouldn't surprise me.
Next, let's take Ed's point that the Microsoft collaboration platform has more than one piece (he actually uses the phrase "jigsaw puzzle"). Back in the day, Microsoft's claim was simple: Exchange does it all. They have since repented of that, instead delivering a broad suite of collaboration and communication tools that you can mix and match. You can deploy them together or separately. If you don't need, e.g., SharePoint Portal Server, fine-- don't buy it. There's significant stand-alone value in each of the components. In fact, I'm seeing a groundswell of interest in Live Meeting and Live Communication Server deployment among customers that aren't currently using Exchange. Why? Neither of those products require Exchange, and both add measurable business value.
Now, it's also true that the more pieces of the MS platform you deploy, the more capability you get. This is no different from Workplace, except that many of Microsoft's platform components are more mature than their Workplace equivalents. It's a little disingenuous of Microsoft Monitor to claim that you have to buy all of the features; that's like saying that I have to buy the Hemi when I buy a Dodge Magnum (well, OK, I would have to buy the Hemi, but that's another blog post).
About those Microsoft Monitor article mistakes: I count two simple typos ("Instanbul" and the confusion between SharePoint Portal and Windows SharePoint Services) and a misunderstanding of the Outlook/LCS connection. You can deploy Outlook 2003 without Exchange 2003 (in fact, you can even use Outlook 2003 against Notes/Domino servers, using either MS' or IBM's connectors). Every Exchange 2003 CAL includes an Outlook license, but Outlook is also licensable separately.
So, you might have seen Gary or Ed mention this, but now that it's underway I have time to talk about it too. 3sharp is presenting a 10-city roadshow called "Optimizing Communication and Collaboration with Microsoft Technologies". The thrust behind the roadshow is simple: you can get a lot of mileage from Microsoft's investment in communications and collaboration technologies by deploying them in parallel with-- not necessarily as a replacement for-- whatever you're currently using. The structure of the events is simple: if you're a developer, you go to John's excellent class on how to extend Notes apps by having them produce, or consume, data from .NET web services; if you're a technical decision maker, you come hear the Burton Group's forecast on market dynamics in the C&C space, then I get to explain the pieces of MS' collaboration strategy, with copious use of demos.
Our first event in Dallas this week went really well. My content was well-received; it was obvious to the attendees that we're not suggesting they rip-and-replace their existing infrastructures (well, maybe if you're using OCS). Instead, we're making a solid case for extending their business systems with Microsoft's collaboration and communications platform. Next stop: Waltham! (Personal to Ed Brill: the Chicago show got moved to 4/21, so please adjust your calendar!)
Lots of discussion about Autolink, which is good. So far, though, I haven't seen very much discussion around Adzilla. Their white paper for service providers describes their services for stripping banner ads (and other ad-related content) and letting the ISP insert its own ads. Yikes. I can't imagine that content providers are going to be too happy about that. Imagine going to CNN.com and seeing locally-inserted ads from your cable modem provider.
Back in November, I wrote about a problem with Entourage and Exchange transaction logs-- sending a message that was larger than the Exchange global message size limit would cause Entourage to resubmit the message each time it tried to send mail, and this would lead to a flood of transaction log files. There's now a server-side hotfix for this problem: MS KB 889525 (An e-mail message stays in the Outbox and the Exchange Server 2003 transaction log files grow when an Entourage user tries to send a message that exceeds the size limit in Global Settings).
Dang, I never thought I'd see this happen: the Microsoft Security Response Center (MSRC) has a blog. Pretty cool, and definitely good news for MS' ongoing attempts to broaden the degree of security communications.
The Weblogs Inc folks covered Adomo's unveiling here (including a picture that's just begging for a caption). I suggested that the Adomo folks contact Robert Scoble before the show; their product is a natural for discussion on his blog, since it's a) MS-centric b) built with .NET and c) very, very cool. I don't know if they did, and now he's offline. However, he gave them (and everyone else) the same advice.
Now this is a surprise, and a pleasant one. Nokia announced that they're licensing Exchange ActiveSync for their Series 60 and Series 80-based phones. This is excellent news for the Exchange team; clearly their effort to get EAS more widely deployed is bearing fruit. (Nokia also licensed Flash.. just what I want on my phone, not.) Interestingly, the WIndows Mobile team has been busy at 3GSM World too; they announced that Flextronics, a large original device manufacturer (ODM), will be building "Peabody", a new, lower-cost, reference platform for Windows Mobile devices. It should be interesting to see how this plays out.
Update: it turns out that Nokia is also licensing a bunch of Windows Media technologies, including Windows Media DRM and the Media Transfer Protocol. Take that, Apple and your not-yet-shipping Motorola iTunes phone!
Today a startup named Adomo is launching their new product, Adomo Voice Messaging. They briefed me on it a month or so ago, and I've been eagerly waiting for today (the start of the DEMO 2005 conference) for the embargo to lift so I could talk about it. What they're essentially trying to do is build a comprehensive unified messaging (UM) solution that uses Exchange not just as a message store (like Cisco's Unity) but as the communications backbone. I think they're on the right track, taking what I privately label the CommVault approach: they're leveraging Exchange as much as possible, instead of building a product and trying to make it work, not very well, with multiple back ends.
The Adomo system has three parts: an appliance (running their own *NIX variant, I forget which-- maybe FreeBSD?) that handles up to 36 ports from the PBX, a connector that ties the appliance to the Exchange message store, and a really slick speech-based auto-attendant. You can chain appliances to use more than 36 ports, and Adomo's literature shows smaller 12- and 24-port appliances being used in remote offices. Adomo claims that a single 36-port appliance is enough to serve between 1800 and 3600 users, depending on usage; they're purposefully targeting organizations with more than 500 users. The appliance compresses incoming messages using the GSM codec (which means that you can listen to messages on pretty much any Windows, Mac OS X, or Linux machine-- the codec is ubiquitous, unlike Cisco's ACELP implementation) and sends them to the Exchange connector.
The Exchange connector is where the action happens: incoming messages are directed to the user's mailbox, where they appear as regular email messages. This is particularly important because it allows you to deploy their solution without any desktop changes: there are no required plugins or Outlook bits to add, and VM attachments are available on any device that can handle email attachments (including handhelds, OWA, and so on). Messages are delivered using an Exchange form that includes buttons that let you play your VM on your phone, call the sender, and take other appropriate actions; Adomo has promised tighter integration with Outlook for future versions, but the existing integration is pretty darn good.
One of Adomo's big selling points is that you don't have to touch the Exchange server or Active Directory to implement their product. You only need one connector per Exchange organization. The connector doesn't have to be on an Exchange server, and there are no AD schema changes required. You provision user accounts for voicemail by specifying the associated phone numbers, so there's no need for a separate user management tool. Adomo hasn't said which AD attributes they use, but their literature does claim that you can do all the provisioning through AD Users and Computers or through scripts.
Messages appear with Caller ID data, and the connector is smart enough to match that data against the user's Contacts folder so that messages appear with the correct sender information. That makes it easy to prioritize and handle VMs (either manually or with rules) in the same way you would any other email. In addition to the ubiquitous "message waiting" light, the connector can send SMS messages to a mobile phone or alerts (including the Caller ID number in the subject line) to BlackBerry or other non-audio-capable devices.
It's hard to do the auto-attendant justice in this form, but I'll try. When you call in, the attendant answers and plays its recorded greeting. You can speak a name at any time, and their speech recognizer will attempt to find the name in the GAL (with conflict resolution, so it can ask the user which John Smith ("John Smith in Sales, or John Smith in Engineering?") to connect to based on OU, domain, or group membership. This in itself is very cool; the cooler part is that the attendant has access to a wealth of user-specific data, including your schedule and presence data from LCS. Imagine being able to set a rule that says "if my wife calls on her cell phone, IM me to tell me; otherwise, dump all incoming calls to voicemail". From a user perspective, imagine calling a contact and having the attendant tell you "Jane's in a meeting until 3pm Central; do you want me to notify her that you're calling?" (based, of course, on Jane's decision to trust you with that information as a contact in her Contacts folder). There are almost limitless possibilities for future expansion here, particularly given that the Adomo solution can be used with SIP products (conveniently including LCS 2005).
Of course, given Adomo's target market focus, their solution won't work for everyone. First, it requires Exchange 2003. Second, they haven't released pricing data (at least to me) but since their focus is on 500-plus seat organizations, it likely won't be cheap. (One interesting note: Adomo's pitch talks about the benefits of their product for organizations that sell hosted Exchange services-- this could potentially be a nice revenue sweetener for hosting companies). However, in terms of functionality, their nearest competitor is the Wildfire service, which (last I checked) was $70-150/month/user-- so they've definitely got some pricing maneuvering room. I think their product will be successful, but I'm sure it will be interesting to see how Microsoft's announced UM support in Exchange 12 plays against Adomo's solution, which now has a year or two to get traction before E12 ships.
Interesting news: Microsoft is buying Sybari, makers of the outstanding Antigen line of anti-virus products (and some pretty good anti-spam tools, too). Interestingly, there are Antigen versions for Exchange, Live Communications Server, SharePoint, and even Domino; I expect that the breadth of their product line made them a more appealing target than some of their peers. It'll be interesting to see how this acquisition works in conjunction with MS' buy of GeCAD's RAV technology. However, it will be even more interesting to see what effect this announcement has on the second-tier AV vendors-- companies like Command and Panda have got to be sweating now. (Not to mention that many organizations who have stuck with products they don't really like will now use this as an excuse to move!)
I could snark about this filter update taking so long, but at least Microsoft's making the IMF freely available-- some messaging systems have no integrated spam filtering. Anyway, there's now a filter update for the IMF available here.
Ordinarily I wouldn't post this announcement here, but I'm going to break tradition and do so because I'm one of the conference co-chairs. As such, I have to help find speakers, so I want this call for papers to go out far and wide.
Windows IT Pro is now accepting session proposals for the Oct-Nov. 2005 Windows Connections conference. We're heading to San Diego October 30 to November 2, 2005, for the premier Windows technical conference, and we'd like to hear from you!
If you're interested in speaking on Exchange-related topics at the show, send your abstracts to firstname.lastname@example.org by February 18. We want proposals for regular 75-minute sessions, as well as 1/2 day and full day pre-conference and post-conference sessions.
Note that we have a limited number of speaking slots, and all participants must be able to present a minimum of three 75-minute sessions. There are three basic requirements:
Please adhere to the February 18 deadline as we need to make speaker and session selections right away. (We plan to have a conference brochure ready to distribute at TechEd in June.)
Here's a very cool trick: Glen Scales wrote a script that finds all of your mailbox and public folder stores, then queries their servers' event logs to find event ID 1221s indicating how much white space is available. This is a slick solution to the vexing problem of monitoring how much white space is lurking in your databases.
Rui J.M. Silva posted a cool script on his blog for migrating distribution list objects between Exchange organizations. The script is meant to be run against an Exchange 5.5 directory, from which it extracts the DLs with ldifde. It then extracts the 5.5 directory with csvde, matches the display and account names, and outputs a file that can imported using ldifde. The last step actually imports the DLs as universal distribution groups. If you want the DLs to be populated, you must already be using the ADC so that user accounts are synchronized, but the script is still a nice bit of work.
As has been widely reported elsewhere, MS has released the public beta of their new anti-spyware tool. Go get it and try it out; I've been running a test build for a while now and have been very impressed with it.
I've been using the Google toolbar for a long time, but no more. Now I'm using the MSN toolbar instead. Why? Six simple reasons, five of which are security-related:
This is a pretty good deal: 50% off new licenses of Trend's ScanMail suite if you're migrating from Exchange 5.5 to Exchange 2003. You have to have more than 1,000 seats, and you have to have proof of migration (evidenced by a current SA license or Exchange 2003 CALs purchased after 6/15/04), and the offer is only good until 12/31/04.
Microsoft today released a hotfix for the Windows 2003 SMTP stack that provides tarpitting for SMTP. (If you don't already know what tarpitting is, check this explanation). The idea is that you install software that intentionally slows down SMTP throughput for bogus requests. This helps make it uneconomical for spammers to ply their trade. The hotfix requires you to install a package and set a registry key, then you're done. Highly recommended.
What do you call a hotfix that doesn't actually fix the problem it's supposed to cure?
I vote for notfix, but I welcome your suggestions. The best suggestion posted as a comment here by December 15th wins... uh... something cool. Yeah, that's it-- your choice of a signed copy of one of my books or a $25 donation to the charity of your choice. Get those creative juices flowing.
So, here's a question for Ed and any other Lotus-Knowledgeable readers out there. What's the best way to start learning about Workplace Messaging? So far I've learned some peripheral facts, like that it has outrageous system requirements (quad 2GHz procs + 2 GB of RAM), that it's licensed per-processor (so you need 4 server licenses for that 4-proc machine), and that every initial license includes 12 months of maintenance. However, I haven't found a clear, comprehensive source of getting-started information, apart from this tutorial. That's probably just because I don't know where on IBM's gargantuan web site to look, hence this post. If you do know, please share.
Update: I just spoke to a friendly IBM sales rep who made it very clear that Workplace products are not licensed per-server or per-CPU, but per-user. My earlier post was based on something I saw at vowe.net. Caveat lector.
Now this is interesting: Motorola has announced that they've licensed Exchange ActiveSync and will start supporting it when they release the A780 phone next year. That means that Exchange ActiveSync will be available on a Linux-based device, along with the PalmOS-based Treo 650. While this might seem like the kind of thing to give the Windows Mobile apoplexy, Motorola sees (and has labeled) the A780 as a midtier device that doesn't compete with the feature-rich(er) Windows Mobile devices now on the market. EAS will be integrated with Motorola's propietary MOTOSYNC protocol; it's too early for me to tell what form the integration might take.
I'm working on an article on Exchange ActiveSync for the magazine. Unfortunately, I don't have it working for my device yet-- John's iPaq 6315 works on 3sharp's server, but something is funny with my server here at home, and I'm going to be troubleshooting it this week. A couple of resources that look useful: this extremely detailed TechNet webcast and Chris De Herrera's troubleshooting guide (which mostly covers "regular" ActiveSync) on CEWindows.net.
I have re-enabled comments, with the added requirement that you use TypeKey (which, fortunately, is free). As soon as I can get MT-Blacklist to work properly, I'll enable unregistered comments, but for now you'll need to sign in before commenting. Sorry about the inconvenience.
The publisher was kind enough to send me a review copy of Tony Redmond's latest book, Tony Redmond's Microsoft Exchange Server 2003 : with SP1. I haven't had a chance to even open it yet, but I can say this: at $37.77 from Amazon, and at 4.3 lbs, it comes in at a very respectable US$8.78/lb. By way of comparison, Stanek's Exchange Server 2003 Administrator's Pocket Companion costs $14.13/lb, and my security book weighs in at $14.34/lb. Tthat's just because it's packed full of so much information. Or something.
Jeremy Kelly is reporting an unusual interaction between Entourage and Exchange 2003. The symptom: transaction log bloat. The problem seems to occur when an Entourage client tries to submit a message that's too large for the maximum message size limit set on that user's mailbox store. Instead of reporting the error (and not resubmitting the message), Entourage happily tries to send the message each time it connects. If the message is large enough, and if this goes on long enough, the server will eventually run out of log space. Jeremy recommends a temporary fix of turning off httpdav, removing the offending message from the client, and re-enabling httpdav; no word yet on an ETA for a better fix.
I just ordered an AT&T Audiovox SMT5600, so I went digging for development information. Then I found this page, which will keep me in reading material until at least this time next year. Wow. If you're at all interested in the .NET Compact Framework, this would be a great place to start.
Next week is Windows Mobile webcast week. There are two webcasts of particular interest for Exchange 2003 administrators: one on best practices for Windows Mobile deployments, and one for Windows Mobile/Exchange troubleshooting.
Tom Laciano has a new blog focused on Live Communications Server. Based on what he's posted so far, this will be one to watch. For example, this post on using certificates for mutual TLS authentication in LCS 2003 is pure technical gold. I plan to follow it regularly.
What do you get when you combine Exchange Server 2003, KVS Enterprise Vault, KVS Discovey Accelerator, and SharePoint?
An integrated solution for getting compliant with Sarbanes-Oxley, portions of HIPAA, Gramm-Leach-Bliley, or SEC 17a4, that's what. Missy Koslosky and Devin Ganger of 3sharp wrote an excellent white paper on the topic, which is finally now public.
Microsoft has what's probably the largest deployment of OMA and Exchange ActiveSync. What have they learned about how to scale and provision these services?
Quite a bit, as it turns out. See this whitepaper for the details. Basically, they provide OMA, OWA, and EAS service for 50,000 users using two Exchange 2003 front-ends and their associated back-end mailbox servers. The paper doesn't provide any real performance data, but it does mention that you can do your own stress and scalability tests with ESP-- always a good idea.
Joe has a number of really nifty free tools on his site, including the world-famous ADFind. However, I just stumbled across a new tool he wrote while working on the Exchange chapter of the Windows Server 2003 Cookbook (forthcoming from O'Reilly).
ExchMbx provides a simple command-line interface for creating and moving mailboxes, mail-enabling or disabling objects, setting the Internet mail encoding format, and performing some other miscellaneous but useful tasks. Since it's free, I highly recommend it. Joe points out that it can "quickly make some serious changes to your directory", so be careful with it.
Now <em>this</em> is interesting: Microsoft and Cisco are hooking up and exchanging some network-protection DNA. Microsoft mentioned their Network Access Protection (NAP, a somewhat unfortunate acronym) at their worldwide partner conference in July; now MS is pushing the release of NAP back to Longhorn Server in order to integrate support for Cisco's Network Access Control (NAC). This interview with Windows GM Bob Kelly says that MS and Cisco will work to ensure that NAP and NAC are fully interoperable, which is great news; since NAC is already shipping, it would have been counterproductive for MS to complete their own, incompatible, solution and make customers choose between them.
Cisco's PR has a bit more information; MS and Cisco will develop and share APIs so that NAC and NAP can share enforcement information (e.g. so a device blocked by one will be blocked by the other). According to the PR, "Cisco is giving Microsoft a license to evaluate the Cisco NAC wire protocol for use as part of the Microsoft quarantine system, and Microsoft is giving Cisco a license to evaluate the Microsoft NAP client and server APIs as a way to build interoperability into future versions of Cisco NAC." We'll have to wait to see what fruit this collaboration bears, but it certainly seems to be a step in the right direction.
Clearly Microsoft isn't kidding about the rules for ExBPA being very thorough. I was delighted to see this "critical issue" flagged while running ExBPA on an intentionally-screwed-up Exchange server image. Way to go, Paul, Jon, and team!
It's hard to keep track of who's blogging, particularly as automated tools that make RSS feeds for automated systems proliferate. Personally, I want to see as much data in RSS form as possible, especially for fast-changing or noisy systems like, oh, mailing lists.
The fine folks at Djeaux.com have a bunch of feeds, including one they just added for the bugtraq mailing list. There are verbose and brief versions, either one of which will still give you the lowdown.
Excellent! Microsoft has released Service Pack 1 for Office 2004. I haven't found a list of fixes yet, and I'm away from my Mac so I can't download it to try it out. It's supposed to be available via the Microsoft AutoUpdate tool or directly from the MS Mac page.
I commend the Mac BU on getting this out so quickly, and I'm pleased to see that the PR is pushing MERP, the Microsoft Error Reporting Protocol. MERP is the Mac version of the Office Corporate Error Reporting (CER) tool. Netscape pioneered this kind of automatic error reporting in 1996 or so, and Microsoft has refined it into a variety of tools that give them a great deal of quantitative data about what breaks, when, and under what conditions. I've been very pleased with the overall stability of Office 2004, and the quick release of this SP is an excellent sign.
This afternoon I had a call with the PR folks from PalmOne to get their take on the Exchange ActiveSync for Treo announcement. As is to be expected, they were mum on the details most people really want. The new devices, which they didn't explicitly name, are being released "this fall-- before the end of the year". When I asked if they were prepared to say which carriers would offer them, all I got was a chuckle.
Interestingly, Palm sees Exchange ActiveSync support as broadening the market for their devices by making them attractive to sites that might otherwise have standardized on Windows Mobile. Since they already support Good and BlackBerry, this is a credible argument.
Unfortunately, the initial implementation of Exchange ActiveSync doesn't have feature parity with the Windows Mobile version. You get wireless access to, and synchronization of, your inbox and calendar: no subfolders, and no wireless contact sync. For their target market, this isn't a big deal. You can still sync contacts via the desktop conduit, and you can create multiple profiles in VersaMail so that your desktop-synced mail profiles have your subfolders. There's no support for Always Up-to-Date, either. Future releases will improve the Exchange ActiveSync feature set, but the PalmOne reps said that they had not yet decided on a schedule, or a delivery method, for those future releases. That's fair, too; after all, they have to ship the first release first.
This is big and rich: Microsoft announced today that they've licensed the Exchange ActiveSync protocol to palmOne for use in their new, officially-unannounced line of Treo smartphones (including the 650). I want one.
Why is this a big deal? Well, pick your reasons. First, it shows that the Exchange team is going to do the right thing for customers by providing a broad range of supported EAS devices, even though I bet the Windows Mobile folks are really torqued off about it. Second, it puts a stake in the ground: MS is not backing away from Exchange ActiveSync in the face of vigorous competition from RIM and Good Technologies; Good is already shipping GoodLink for Treo, and RIM announced BlackBerry software for Palm OS in December 2003.
Next, it broadens the reach of ActiveSync to embrace Palm OS devices. That's good for Exchange, since many organizations have stuck with Palm as their standard mobile platform. Palm OS users can now have the crunchy Always Up-to-Date goodness formerly reserved for Windows Mobile devices.
IMHO the most significant impact of this deal has little to do with the specific technologies involved: if it is successful, it will validate Microsoft's fairly new, and still somewhat untested, approach of licensing key networking/communications protocols to all comers. Overall, this is a very important approach for MS to embrace if they want to stay competitive against the many organizations that want to knock them off their pedestal.
Updated: added a link to the MS press release.
Updated: removed note about AUTD support, which isn't in the first release.
Now, this is interesting: the IETF Sender ID working group is apparently defunct. This is more or less the equivalent of that milestone of farce comedies, the divorce due to irreconcilable differences.
The MARID working group was charged with adopting a standard, but factions within the working group were unable to reach agreement on whether Sender ID should be that standard. That's because Microsoft holds some key patents on Sender ID components, and the IETF generally doesn't want to see patented technologies enshrined as IETF standards. That's a laudable goal, but unfortunately it's torpedoed the adoption of SPF or Sender ID at this point. We'll have to wait and see what happens, and whether any vendors sign on to Sender ID despite the unlikelihood of it ever becoming an IETF standard.
This Computerworld story (and the related MS press release) announce the arrival of a new Windows product: the Data Protection Server (DPS). DPS is basically a distributed tool that puts agents on the file servers you want to protect; the agents then run scheduled disk-to-disk backups. Depending on how this is implemented, this might be a significant improvement over the kind of ad-hoc disk-to-disk backup schemes most small and medium organizations use. DPS combines replication and point-in-time copies, which places it squarely into competition with products from Legato and Veritas (among others).
It's pretty clear that MS is firing a shot across the bows of other software replication providers; it's also clear that given their market presence, and the list of partners signed up for DPS, that they'll probably get replication into a lot of shops that have resisted it so far. What's not so clear is what this means for the enterprise, and what it means for Exchange. This Q&A with Yuval Neeman says that future versions of DPS will protect SQL and Exchange, but that's awfully generic. (I wonder if you could take a VSS snap of an Exchange volume using a VSS-aware backup tool and then use DPS to replicate it? Hmmm....)
This is very, very cool: the Exchange Best Practices Analyzer is a new tool from Microsoft that checks your Exchange infrastructure for good design practices. To be more specific, the tool investigates various parameters (including some from AD, a few perfmon counters, the IIS metabase, and your DNS) to see how well your operational configuration conforms to generally accepted best practices.
ExBPA's purpose is to automate some of the basic health-and-sanity checks that an experienced Exchange administrator, consultant, or PSS engineer might do when evaluating an unfamiliar environment. It's not designed to find every possible mistake you can make (heaven knows there are plenty); instead, it's intended to help you quickly find well-known misconfigurations and administrator errors. It checks the protocol configurations for SMTP, POP, IMAP, LDAP, and HTTP; GC/DC accessibility; hop counts and routing latency for message routing; the packet size and contents of the link state table; and basic DNS configuraton stuff.
You can tweak the rules to control which specific areas ExBPA checks for, which is handy. ExBPA generates XML report files that you can parse yourself, or import into another instance of ExBPA on another machine. One output is a list of issues that the tool found-- this is similar in concept to the problem report you get from MBSA, and it serves the same purpose of allowing you to quickly pinpoint and fix whatever needs fixing. It's a very useful tool, and it nicely complements the other free diagnostic and management tools that Microsoft's been making available. Hats off to Paul Bowden and his team for getting this released!
I've been fiddling with Exchange ActiveSync lately, and I'm actually pretty impressed with it-- it's a neat feature. If you're not familiar with it, it basically sends periodic notifications of new mail to your Windows Mobile device; when the device receives the AUTD message, it wakes up and pulls new messages from your Exchange server. This gives you more-or-less continuous access to the contents of your mailbox.
However, there's no obvious way to control how often Exchange ActiveSync sends these notifications to your device. By default, it uses an interval of 15 minutes, but that may not be right for your particular installation. There's a way to control the batching behavior, but it's not obvious: you have to create a new REG_DWORD named BatchingTimer under the Software\Microsoft\Exchange\OMA key (if OMA doesn't exist, create it first). Possible values are:
At long last, Microsoft's released a document that describes what you can do to mitigate threats to your network from Windows 98 and Windows NT 4.0 machines: the Windows NT 4.0 and Windows 98 Threat Mitigation Guide.
Of course, the best way to mitigate the threats posed by these versions of Windows is to upgrade them to Windows XP or Windows Server 2003, but that's not always feasible. The guide (downloadable here) describes some of the other things you can do, including network segmentation, appropriate use of NTLMv2, and patch management. Check it out.
While I haven't examined it in detail, it certainly seems easier to install and configure than the regexfilter. When I get a few minutes, I'll poke into it and give it a try. However, Martijn's site has a pretty active user forum where many people have made happy noises about previous releases, so that's probably a good place to start reading.
This is a pretty rare problem, but still: if you're running the Exchange IMF on a machine with a 15-character NetBIOS name, the IMF won't actually filter the inbound messages. This is kind of a silly bug.
Imagine that you have a bunch of OMA users who don't use English as their native language. Wouldn't it be nice to set the default OMA language that they see when they log on, without making them learn enough English to navigate OMA's interface and set it themselves?
Exchange MVP Richard Matheisen posed this question, and it turns out to have a surprisingly simple answer. Just set the msExchEmbCultureInfo attribute on the root folder of the user's mailbox to the LCID of the language you want that user to have for OMA, and you're done. (Updated to fix my bug; I'd originally said that this attr was on the mailbox, and it's not.)
I hate it when this happens! I just sent off a Troubleshooter column question for the December issue on how to create separate settings on separate IMF servers. My answer involved multiple forests and was fairly ugly. I then decided to relax and do a little blog surfing. Lo and behold, It turns out that (courtesy of Evan's blog) there's a much more elegant solution to this problem.
The answer is "registry override". The gateway settings are read first from the AD, but the registry on the IMF gateway server is also consulted and if there is an override setting configured, these "per-server" override settings are used instead.
It turns out that HKLM\Software\Microsoft\Exchange\ContentFilter can accept a value named GatewayThreshold; its range is 0-9, just like the SCL. Set the GatewayAction DWORD value to 0 (no action), 1 (delete), 2 (reject), or 5 (archive + delete) and you're in business. Thanks, Evan!
Larry Osterman has a terrific post up today on the guts of Windows security identifiers, or SIDs. A small taste:
Each domain controller allocates RIDs for that domain, each principal created gets its own RID. In general, for NT principals, the SID for each user in a domain will be identical, except for the last RID (that’s why it’s a “relative” ID – the value in SubAuthority[n] is relative to SubAuthority[n-1]). In Windows NT (before Win2000), RID allocation was trivial – user accounts could only be created at the primary domain controller (there was only one PDC, with multiple backup domain controllers) so the PDC could manage the list of RIDs that was allocated easily. For Windows 2000 and later, user accounts can be created on any domain controller, so the RID allocation algorithm is somewhat more complicated.
Port Reporter is a nifty tool from Microsoft that you can use to log TCP and UDP activity on Windows machines; it logs port activity on ports that you specify to a text file. It's extremely useful for monitoring traffic from specified machines or services, and it has a variety of useful features that I won't enumerate-- go download it already.
One thin Port Reporter didn't have was a good way to parse the data it recorded in an easily-readable form. Of course, this is just the sort of thing that you'd want a tool for, and the Port Reporter author delivered in spades with Port Reporter Parser (PR-Parser). The parser (described in KB article 884289) adds some pretty slick analysis and parsing capabilities that can be very useful for incident response or troubleshooting. Check it out.
Well, this is interesting: VERITAS buys KVS for $225 million in cash. Considering VERITAS' failure to turn their own archiving product for Windows into a real competitor for KVS, this is an interesting move.
Ultimately, I think it's a good one, provided that VERITAS is able to effectively leverage the addition of KVS' staff and products. One of the problems I found when I was there was that their sales force is incentivized to sell UNIX products, and so that's what they do. Perhaps the addition of these new products will change the mix enough to help get the direct and channel sales forces on track. Since I still own some VRTS stock, that'd be good news.
I've been testing the Barracuda Networks Spam Firewall 300 for the last couple of weeks. So far, I'm very pleased with it; it has done an effective job of filtering spam and virus messages. The best thing is that it incorporates rate control along with other more conventional filtering (including Bayesian and header analysis); this saved me from a huge comment-spam attack last week (see the big blue spike on the "daily mail statistics" graph in the picture below). The unit was very easy to set up and install, and it has worked without interruption since I installed it.
This summary screen shows a big blue spike for earlier in the week-- that turned out to be because of a huge comment spam attack that generated more than 2,000 messages. Fortunately, all of those got blocked so I didn't have to deal with them (although a few did leak through, slowly, after Pair sent them to my secondary MX). The ability to subject-tag suspect messages is valuable, too, since my users can easily filter them. I don't have cost information, but my guess is that the unit I have is probably price-competitive with high-end software solutions like MailMarshal and PolicyPatrol. I'll write a more detailed analysis of the Spam Firewall after I've had a chance to work with it more, but for now-- It Just Works.
So, last week I wrote a column about SURBL. This week's column, which went out today, is about the regexfilter, a free filter that-- among its many other tricks-- happens to support SURBL. No sooner did it go out than I got two press releases from Jeff Chan of SURBL.org.
First, STAT Communications has added SURBL support to their spam filter set for Mercury/32. Second, Red Earth Software added SURBL support to version 3.5 of Policy Patrol. This will hopefully be the start of a welcome trend, since it's much easier to stem spam given the "fan-out" nature of blocking spammers' target URLs.
I just finished a lengthy article on Microsoft's Sender ID specification; it should hit print in November. One of the points I had to address was the sad fact that Exchange itself currently doesn't support either SPF or Sender ID. This makes it hard to aggressively advocate that people deploy a Microsoft standard that isn't currently supported by their own products.
As it turns out, there is a solution for Exchange 2000 and Exchange Server 2003. Michael Brumm has a free SPF filter for Exchange; as a bonus, it also works with the IIS and Windows XP SMTP services. GFI has purchased this technology for possible future inclusion in MailEssentials, but they're allowing the author to continue to distribute his filter until they ship their own version. Get it and check it out. SPF and Sender ID aren't perfect technical solutions, but they can be useful if they're widely enough deployed.
So, Robert Hensing started it off by saying something simple: "you should NOT be using passwords of any kind" on your Windows network. Instead, he recommends that you use passphrases. Good advice... or is it?
Dana Epps then jumped in with a response:
However, by using passPHRASES you break down the password in distinct elements, in this case in the english language we call those WORDS. So the parser breaks down the above passphrase into 14 distinct components which are guessable. (You break out punctuation as its own word here). Attackers know this. And can use that to their advantage.
He then goes on to advocate making passwords out of passphrases, so that "From the halls of Montezuma / To the shores of Tripoli.." becomes "FthoMttsoT!", which isn't too bad of a password, as long as you can remember to type it properly. Of course, I couldn't resist adding my $0.02. If you take Dana's approach, and pick something too simple or well-known (like, say, lines from The Marines' Hymn), you are at least theoretically vulnerable to dictionary attacks that try combinations of Beatles lyrics, quotes from The Princess Bride, or whatever. One good point that Robert makes is that current tools are compute- and storage-limited, and the math favors the defender. However, cracking tools keep getting better too.
Can you do even better? Sure. Two simple words: shocking nonsense, described in the PGP passphrase FAQ. Simply pick out a shocking but nonsensical phrase, just like you might with refrigerator magnets. Something along the lines of "Vixen clowns fart noisily in church" could be a good start. Then use combination and substitution, so that you end up with "Vcl0wnsfnNc". Voila! the benefits of an easy-to-remember phrase that isn't vulnerable to dictionary attacks.
However, everyone's got some kind of sensitive information in their organizations. Are there things so secret that they shouldn't go in your mail? For example, some companies keep all discussion of legal matters out of email so they can't be subpoenaed. What do you do if those secrets do get in your mail server? It's worth considering that now so that you have a plan in place before you need it.
Wow. 400+ pages of extremely detailed information about Exchange internals. Microsoft says that this guide is "not for beginning administrators", which means they might as well be posting a big red "READ ME FIRST" on the cover. Most folks don't like to think of themselves as beginners. Ever wonder which ESM operations use MAPI and which use DAV? Want to know how ESM decides to use DNS or WINS to find the server you want to manage? Curious about exactly what's in the link state table? This guide will tell you all that, and a bunch more besides. Highly recommended. Here's a taste:
To be very clear: Microsoft will provide support for Microsoft Exchange issues if you run Exchange on a VERITAS Storage Foundation platform. However, Microsoft will only troubleshoot and attempt to resolve Exchange-specific issues up to the point that the source of the problem can be reasonably attributed to an issue or incompatibility with VERITAS software. This same principle also applies to other third party products.
The same is true, of course, from replication products from all other vendors, too: Microsoft supports Exchange, not random replication (or AV, or anti-spam, or ...) tools. PSS won't tell you to jump in a lake when you call them with a problem, but if the problem turns out to be caused by the third party product, MS will direct you to them for troubleshooting.
Thanks to fellow MVP Glen Scales, it's now trivial to create an RSS feed from a public folder. This is very, very cool. Why? Well, for starters, we keep a public folder of security bulletins and alerts from various sources-- presto! it's an RSS feed. Many of my cow orkers who don't pay attention to public folders nonetheless will read anything that shows up in their aggregator.
No, not that kind of NAP: in this case, Network Access Protection (NAP) Is Microsoft's name for the network quarantine feature they're shipping in Windows Server 2003 R2. The NAP white paper makes for an interesting read, but the NAP FAQ might be a better place to start. In brief, NAP works by allowing administrators to set policies (like "system must have version X of antivirus product Y") or ("system must have patches A, B, and C from Windows Update").
Clients that meet these policies (as assessed by an agent running on the client) are allowed to connect to the network; systems that do not meet the policies cannot. The NAP architecture description has lots more detail, including details on what kind of network isolation is available (DHCP and VPN are both supported) and how you can set up quarantine resources on an isolated subnet. This last is a particular interest of mine; being able to quarantine "unhealthy" systems is good, but it's better if they then can get immediate access to a set of resources (like AV software or signatures or your local SUS server) to get whatever updates they need to be compliant.
Microsoft's released a white paper on how to make Entourage work with Exchange. That's good. Unfortunately, some of the guidance in the troubleshooting section is frustratingly generic. For example, check this note: "In an Active Directory or network infrastructure that is heavily secured, Entourage 2004 Exchange clients can experience difficulty in locating the Active Directory global access server and authenticating the user account. Environments where the servers are locked down and the required ports are closed will experience these problems, and Entourage auto-configure might not work." So, it might not work, but you're not going to tell me why it might not work, nor what to do about it.
On the other hand, there are lots of good tips:
This is really cool: a new web-based engine for tracking product bugs and feedback for Microsoft products. It will eventually replace BetaPlace (and not a moment too soon IMHO). You and I can now report bugs, not to mention being able to find existing bugs and "vote" for them to raise their priority/visibility. This doesn't have any direct impact on Exchange, yet, but it's safe to bet that when Exchange Edge Services hits beta that this will be the feedback mechanism for it.
The really interesting part of this project (code-named "Ladybug") is that bugs reported by users are automatically loaded into Microsoft's internal product development bug tracking engine, where engineers can directly see them just like other bugs (e.g. those generated by internal tests, early adopter deployments, and so on). The sync isn't two-way, so Ladybug users don't get to see bugs filed by internal users. However, this brings Microsoft solidly ahead of a number of their competitors (including Apple's lame RADAR database), and it should provide a welcome channel for feedback on product wishes and deficiencies. You can see a demo of the new product in action here, or you can just try it yourself.
Over at the real Exchange blog, Neil posted a note about a cool web-based tool for reviewing messages archived by the Exchange Intelligent Message Filter. Written by Daryl Maunder, the tool is simple to install (create a new IIS virtual directory on your Exchange server, copy the tool files to it, and voila!) and works well. In the comments to that post, the tireless KC Lemson noted another filter, this one a C# tool written by James Webster of the Exchange team. Both work well; I currently prefer Webster's tool because it shows both the message and the contents of the P2 recipient data, using a sort of preview pane arrangement; I also like the fact that it's open-source. Maunder's web-based tool is cool too because you can access it from other machines on your LAN (or via VPN). Either tool is an improvement over the minimal functionality the IMF itself provides for reviewing archived messages-- try them both and see which you prefer. (Note to both authors: please, please implement a way to select multiple messages for action-- that would be a big help.)
This tool, which you can install on any Microsoft IIS server that runs version 1.1 of the Microsoft .NET Framework and ASP.NET, lets you remotely administer your OWA servers from anywhere in the organization. Although OWA offers quite a few features, the process of controlling OWA servers has always been a hassle because it depends on the creation of registry keys or values. Every Windows administrator knows how to do that, I know; the problem arises when you want to make configuration changes to multiple machines. Doing so manually is a bother and is even harder when you factor in common security settings that restrict or prevent remote registry access. You can always create your own Administrative Template file and attach it to a Group Policy Object (GPO), but only if you have the proper permissions in Active Directory (AD). Exchange administrators are often dependent on some other person or group to make directory changes.
You might consider this an error from the book, but it's really more of an omission: I never mentioned that you can use PFDAVAdmin to view, modify, and set public folder permissions, including fixing the "invalid windows handle ID" error that we all know and love. The MS Exchange Blog has a good overview piece, and I made PFDAVAdmin the topic of this week's UPDATE column,
During TechEd last week, Microsoft sneaked out a new white paper on Exchange 2003 journaling. It covers the new SP1 "envelope journaling" feature, as well as finally explaining where Exchange journaling doesn't work. It also, at long last, describes how to deploy journaling as part of an overall DCAR solution. Good stuff.
Jeremy Reichman of the Rochester Institute of Technology has kindly collected a page of useful hints and FAQs related to using Entourage with RIT's Exchange environment. You should also definitely see the Entourage Help Page, which is chock full of useful info on Entourage 2004. If you don't read anything else, see the FAQ.
Just landed in Cincinnati and checked my evals: 7.72. Comments were mostly favorable; a few "not technical enough" and one angry "Microsoft does too support our products" from a VERITAS product manager. However, that means that John humbled me decisively (his Word session racked up an 8.21!) In fact, I was just below the average score for messaging sessions this year. I've got to do better next time.
Update: with 108 evaluations out of a total of 522 attendees, my final score was 7.78. Since the overall for messaging sessions was 7.85, I'm still a little under the curve.
First thing yesterday, John and I met for breakfast at Cafe 222, where I had some excellent pancakes. The food at the San Diego convention center is pretty good, but it's always nice to take a break from the HUGE CROWDS of people for which TechEd is justly famous, so we did.
I did a session and a half in the "Meet the Technologist" area yesterday, where I continued to be impressed with the level of questions we got. Lots of high-end, thoughtful technical questions, with very few of the howlers or RTFMs common in years past. The cabana idea has worked well, except when Navy SH-60s fly past outside.
Yesterday was my first spin through the exhibit hall. I got to meet with some folks from Quest/Aelita; they have an impressive line of management products that oddly doesn't seem to be well known. The Authentica folks have an interesting product that can do digital rights management protection at the email gateway and via a web service-- very cool stuff. I'll write more about that when I have time to dig into it more.
Interestingly, the two overwhelming giveaway items this year were Xboxes and iPods. Some group of companies was giving away a MINI Cooper, which is kind of neat (although not as cool as the Mercedes SLK that was given away at TechTarget's Enterprise Messaging Decisions show :)
Also on the show floor, I finally met John Osborn, executive editor at O'Reilly. We had a great discussion about Offfice development and books (which we extended later at the O'Reilly author party once JohnP got there). I'm hopeful that we'll be able to turn some of the cool content we did for the Fabrikam project into a book, or two, to help build up our Office dev branding.
In a few minutes, I'm heading back over to Cafe 222 for another stack of pancakes, then it's time to present MSG381 and fly to Cincinnati to rendezvous with my family. In the meantime, let it be known that JohnP's Word dev session yesterday is holding steady at an excellent 8.09/9.00 rating, which is going to be tough for me to beat. However, the folks I linked to last week are still ruling: Steve Riley's sessions have three of the top 10 slots, including an incredible 8.81! Go Steve!
Microsoft has released a nifty automated tool for building threat modeling documents for applications you develop.
It organizes relevant data points, such as entry points, assets, trust levels, data flow diagrams, threats, threat trees, and vulnerabilities into an easy-to-use tree-based view. The tool saves the document as XML, and will export to HTML and MHT using the included XSLTs, or a custom transform supplied by the user.This might seem to have low relevance for Exchange, but if you take a look at what's in these documents, you'll get a good jump start on understanding how to build a threat model for your network and deployed messaging applications (yes, even if you're using something besides Exchange).
I flew out to San Diego yesterday and got to the convention center about 45 minutes before my first session, a troubleshooting panel with Chris Nelson (from Microsoft's IT group), Karl Robinson of HP, and the legendary Paul Bowden. It was fun to share the stage with three knowledgeable people, and we got some good audience questions.
Next, I had a book signing, at which I sold three whole copies of my book. It was fun nonetheless; I got to spend some time chatting with the legendary Charlie Russel, with whom I've worked but who I've never met, Paul Cayley of the MS UNIX migration team, and Eldon Nelson from Microsoft Press. After that, it was off to the "Meet the Technologist" area (aka "Ask the Experts"). The place was mobbed! Erik Ashby was drawing a steady line of folks asking 5.5 migration questions, and there were lots of miscellaneous troubleshooting questions.
John and I got together for a short visit (wherein I learned that his first session outscored mine by about 0.5-- significant on a 1.0-9.0 scale!) before I headed out to the MVP dinner organized by KC Lemson at the Zocalo Grill. I had the good fortune to sit with Andy and Kim Webb, Andy David, Scott Schnoll, David Sapery, and Sue Hill (all MVPs, save Sue, who works on the Exchange User Education team), and there were a ton of other MVPs (including Sue Mosher, Diane Poremsky [at least it looked like her from the back], Chris Scharff of MessageOne. The product team was well-represented: KC and David Lemson, Ed Wu, Nicole Bonilla, and a few others were there. As a bonus, I finally got to meet Brandon Hoff, the MVP lead for Exchange; he and I have missed each other several times in Redmond, so it was good to finally shake his hand. The food was quite good, and the company was great. (Thanks, KC, for setting it up!)
Today I'm back in the Ask the Experts area for a while, but I should be able to actually attend some sessions-- more on that later.
Very cool news: the Exchange Intelligent Message Filter is out, and it's available at no cost to all Exchange 2003 customers. Microsoft had previously said they would only offer it to SA customers, which generated a lot of discontent. I'm glad to see them reversing their stance. Get the IMF here, and be sure to read the deployment guide. (Oh yeah-- Exchange 2003 SP1 is out, too).
Very cool: Evan Dodds of Microsoft has a blog about (drum roll) Exchange clustering. You should only go there if you want actual factual technical information, though; you'll have to go somewhere else for $spin.
So, Evan, here's a clustering question: can I force all outbound SMTP traffic on a cluster to originate from the IP address of the cluster instead of one of the physical nodes therein?
Happily, there's finally a review of Secure Messaging online at the Windows IT Library. My thanks to David Sengupta. (Now, if only Amazon would start posting the reviews that I know are queued up there...)
At the 2002 MEC, John and I were both presenting multiple sessions, and we had a little friendly competition to see who did better. (I honestly don't remember the results; I just remember how psyched he was at successfully evading the wrath of the demo gods). This year, he has a crushing four sessions, all deeply technical (BPR310 is "Office Developer: Programming XML Solutions", BPR311 is "Office Developer: Programming Word XML Solutions", BPRC14 is "Building High Performance InfoPath Solutions", while I have but one (MSG381,"Designing a High Availability Exchange 2003 Solution") , so I have somewhat of an advantage. Both of us have some hard work to do to catch the top guns from last year's TechEd, though.
This sounds cool: a get-together for developers at the San Diego Automotive Museum. The big draw: remote-control racing, with trophies. I won't be there, since it's before I arrive, but I definitely think John should go.
I've been using Office 2004 for Mac OS X for the last six months or so. It's awesome. Don't take my word for it; go get the 30-day "test drive" version and see for yourself.
It's fun to see people asking for help cracking Yahoo passwords, but enough's enough. I've closed comments on that article. (Side note: I seemed to get more than my fair share of people with Indian names asking for cracking services... odd.)
The fine folks over at SearchExchange (in collaboration with MS Press) have excerpted chapter 13 from Secure Messaging with Microsoft Exchange Server 2003-- that just happens to be the Outlook security chapter. Their excerpt, "20 Tips on Securing Outlook in 20 Minutes", is well worth reading. It includes information on how to set up Outlook to use Windows Rights Management (including info on how to create your own RM templates), as well as information on controlling S/MIME through GPO templates, and how to set up and use RPC-over-HTTPs. f you like the chapter, buy the whole thing!
“Giblets” are the pieces of software that you include in your product that you don’t always remember. Like zlib, or LHA, or MSXML, or the C runtime library. Whenever you ship code, you need to consider what your response strategy is when a security hole occurs in your giblets. Do you even have a strategy? Are you monitoring all the security mailing lists (bugtraq, ntbugtraq) daily? Are you signed up for security announcements from the creator of your giblets? Are you prepared to offer a security update for your product when a problem is found in one of your giblets? How do your customers know what giblets your application includes?
As administrators, how much do you know about the giblets on your servers? Are you paying attention to them, or only to the big chunks (like Exchange or SQL Server)?
I'm speaking today at Enterprise Messaging Decisions 2004. This is actually my first day trip in a while. When I lived in Huntsville, it was possible to fly out at 0530 or 0630, change planes in Atlanta, and make it to pretty much anywhere by noon-- enough time for a meeting or presentation-- and then get home again around 11pm. In Toledo, that's just not happening because of Delta's flight schedule ex Cincinnati. So, since EMD is in Chicago, I'm going to drive-- should be fun. Here's the slide deck.
There's a new Windows worm: W32.sasser. It exploits a vulnerability in the Local Security Authority (LSASS.exe) service; the vuln was fixed by the MS04-011 patch. The original MS bulletin and patch were issued on 4/13, and the MS alert on Sasser was released on 5/1, so you can see the gap between patch and exploit is getting shorter. I'm sure all of you out there have already patched your systems, but tell a friend: install patches when they're released.
Anecdote: on Saturday, 5/1, Delta Airlines had a little dispatch problem that resulted in all their flights out of Atlanta being grounded for almost seven hours. The problem appears to have been with the airport computers used to calculate weight and balance according to FAA specs. One passenger on an affected flight reports that the flight crew attributed the delay to the "Mayday virus". I wonder what the real cause was?
Update: this WSJ article's last paragraph mentions Delta, Goldman Sachs, and JP Morgan Chase as companies affected; it also says that a Delta spokesman wouldn't say whether Sasser was to blame.
Well, it's only two weeks late, but hey, who's counting? (Besides the speaker manager at Microsoft, of course!) The first draft of my deck for MSG381, Designing High-Availability Exchange Solutions, is now available here. If you're coming to TechEd, the session is Thursday at 8:30-- stop by and say hello!
Update: Andy Webb was kind enough to point out a bad link, which is now fixed.
It doesn't matter how secure your server is if it's on fire. The other Scoble has two good posts that describe the current state of the art in fire-suppression systems: here and here. This is actually something I talk about in Chapter 5 (physical &operational security), even though most of us are stuck with whatever physical plant is already in the building. Interestingly, one commenter mentioned pre-action sprinkler systems, which use water but which aren't activated without both heat and smoke alarms. (And hey, the inert suppression gas of choice is Inergen, not "Innergen".)
Entourage 2004 has been released to manufacturing, so I can now talk about it. I've been working with it for the last several months, and it's a great piece of work. I'm working on a long article on it for Exchange & Outlook Administrator, but in the meantime, you might be able to try it for free. What? It's true. If you have valid Exchange CALs for your users, you're able to use Entourage as a client. See this "how to buy" page for more details (but don't ask me where you're supposed to get the bits, because I don't know!)
I needed to look up a piece of trivia on the Exchange routing engine for the cookbook, and after a little Googling I found this gem: the Exchange Server 2003 Transport and Routing Guide. I'm not sure how I missed it before, but it's quite comprehensive. Recommended reading if you want a better understanding of how the transport core works. In particular, its description of how the various connection filtering pieces work together is almost as good as what I wrote in Chapter 8 :)
Microsoft's finally taken the lid off a very, very cool addition to their product line: the Feature Pack for Windows Storage Server allows you to put your Exchange 2003 databases on a Windows Storage Server NAS box. There are some limitations: this approach is designed to handle up to 1500 concurrent users, and it requires good network connectivity between the Exchange server and the Windows Storage Server. However, it's a real, live, supported-by-PSS solution that can potentially deliver SAN-scale performance to organizations that can't afford Fibre Channel SANs. Check it out.
If you've been around the Internet for a while, you've probably heard of BOF, or "birds of a feather" sessions. BOFs are informal meetings held in parallel with conferences like LISA and regularly scheduled meetings like the IETF conferences. The International .NET Association is coordinating the process of setting up a series of BOFs for TechEd 2004. The cool thing about these sessions is that the BOF topics are proposed by TechEd attendees. Their content isn't driven by MS, or anyone else besides the people in the room. They're not presentations-- they're an opportunity for people with related interests, whatever they are, to get together and hang out for an hour. The MS TechEd staff is encouraging speakers to encourage "their" communities to propose BOFs here. There are tons of potential topics for Exchange, including security, anti-spam, job hunting, mobility, Notes migration, Exchange 2003 SP1... the list goes on. Let the INETA folks know what you'd like to see.
TechEdBloggers.net is back again this year. I enjoyed last year's edition; it was cool to see TechEd through the perspective of other speakers and attendees, especially folks who got to go to some of the many sessions I missed out on. To keep things simple, I'm going to post all of my TechEd-related stuff here, not on my personal blog.
I'm currently scheduled for two sessions: a troubleshooting panel discussion and a session on building high-availability Exchange 2003 deployments. Should be fun!
In 2000, I built a site of Exchange FAQs, driven by a (primitive) set of PHP scripts and a MySQL database. It mostly languished, because I didn't take on the extra effort of keeping it up to date. Meanwhile, Andy Webb and a crew of Exchange MVPs had created a good set of Exchange 2000 and Exchange 2003 FAQs. So, I gave andy the ExchangeFAQ.org domain name, and his new rendition of the site is now live. It looks great.
I just can't help myself sometimes: I am a serial columnist. (Groan. Hey, at least I didn't make a pun on serial-ATA…)
Last week's Exchange UPDATE column was an update to my previous column on iSCSI and Exchange; I'd already blogged about the change, but the column has some additional material, including a discussion of MS' KB article describing support boundaries for NAS/SAN devices with Exchange 2003.
My column this week
(which I can't link to right now, thanks to a bug at the Windows &.NET web site) was on iSCSI and Exchange. A helpful MS PR person wrote to point out an error: there's not actually a separate "certified for Exchange logo". If an iSCSI device has the "Designed for Windows" logo, it's supported for use with Exchange.
Update: it turns out that the Windows Catalog uses the "Designed for Windows XP" logo for iSCSI devices. Even though the column, and the press release which inspired it, talk about the "Designed for Windows" logo, those products listed in the catalog are certified for use with Exchange 2003.
Scott Oseychik, formerly of Microsoft's customer problem response team, has moved on to new things: he's now a stand-up comedian. No, really. I have no idea if he's funny or not, but he was very helpful in explaining the intricacies of the Exchange 2000 and 2003 transport engines when I was writing about them. I wish him luck (and I'll go see him if he's in Detroit, Toledo, or the surrounding area!)
I wrote about a security problem with Plaxo a couple of weeks ago. It's since been fixed, but now I'm starting to hear that companies are barring their employees from using Plaxo, LinkedIn, and other social software. Why? Several reasons. The biggest seems to be that these services enable wholesale exporting of your contact database, which makes it easy for you to find out which of your existing contacts already use the service. This has two problems, though. First, it runs afoul of European Union data privacy laws; many multinational companies in the US have already been working hard to make their internal operations conform to EU regulations because they have EU operations and employees who live and work in the EU. Microsoft, AT&T, General Motors, and American Express come to mind. The other reason, of course, is that companies don't like the idea of a third party getting unrestricted access to a significant portion of their internal contact data. Imagine the bonanza for a clever Sun salesman who managed to steal all of the contact data for an IBM sales rep, for example. This is precisely why very few companies expose even shadow copies of their master directories to the outside world: there's too much risk in doing so, and the reward is fairly limited.
Will these bans work? Beats me. Services like LinkedIn and Plaxo have to reach a certain degree of critical mass before they become useful, but it's difficult to see how such bans can be efficiently enforced. Interestingly, the one ban I've actually seen in written form doesn't say anything about "personal" social software like Orkut and Friendster.
Secure Messaging with Exchange Server 2003 is now in stock at Amazon. It doesn't look like anyone's actually bought it yet, but hey, you can't have everything. Update: the book has now attained the stratospheric Amazon sales rank of 92,218, despite its being paired as a bundle with Jerry Cochran's excellent Mission-Critical Microsoft Exchange 2003 for only $70. Sigh.
In a press release today, Microsoft announced that they'll be supporting iSCSI and NAS devices for Exchange. The PR doesn't mention any specific devices or vendors, merely that devices that are logo-qualified for the Designed for Windows logo will be supported. We'll have to wait and see what "supported" means in this context.
Last week, my column was on the forthcoming Exchange Edge Services product. Microsoft hasn't said much about it publicly yet, but it's pretty clear that they have two goals: provide a hardened subset of Exchange functionality for use on the edge, and displace Sendmail/postfix/qmail in shops that have Exchange at the core but not at the edge. Whether they succeed or not will have a lot to do with how they position Edge's capabilities. Personally, I'm really excited about the prospect of being able to build my own services using managed .NET code-- that approach offers a lot of potential over the current event sink model.
Computers and other electronic devices are being used increasingly to commit, enable, or support crimes against persons, organizations, or property. This NIJ Guide (NCJ 187736) is intended for use by law enforcement and other responders who have the responsibility for protecting an electronic crime scene and for the recognition, collection, and preservation of electronic evidence.For experienced admins, there's not much new here, but it's a good overview of different classes of devices and some of the forensic concerns surrounding them. One question I'm often asked when I teach is whether forensic recovery is important. The answer is a little surprising. CERT, Microsoft, and SANS all recommend flattening a machine that you know or suspect has been compromised. Why? It's very difficult to be sure that it's clean even after you clean it. For a simple compromise like Blaster or Slammer, it's easy to remove the executable, but there are much more sophisticated tools that aren't easily removed (or detected, for that matter), thus the flattening recommendation. However, as soon as you erase the disk, guess what? You'll lose much of the forensic information that you might want to help identify the scope and source of the compromise. This is critical if you want to get help from law enforcement, since there are standards of evidence that must be maintained in order to successfully prosecute an attacker. That's why most forensic investigations begin by unplugging the suspect machine and cloning its data using a tool like Encase, which is approved as a method of gathering admissible evidence (Ghost, for example, works fine but its copies aren't generally accepted as "pure" evidence). However, if all you care about is quickly getting the compromised machine back in service, flattening it is obviously the way to go. Deb Shinder's excellent book Scene of the Cybercrimediscusses forensics in more detail, and I recommend it if you're interested in the field.
This week's column focuses on Microsoft's Software Assurance (SA) licensing, how it works, and why Microsoft is (currently) making the Exchange Intelligent Message Filter available only to SA subscribers.
Late last week, Microsoft made an announcement that has many Exchange Server administrators fuming. The new Exchange Intelligent Message Filter, expected to ship later this year, will be available only to customers enrolled in Microsoft's Software Assurance (SA) program. On the face of it, this decision might seem shortsighted on Microsoft's part; after all, wouldn't the company want to sell its products to anyone who wants to buy them? However, from a long-term strategic point, the decision makes good sense for customers and for Microsoft.
This is really an "I'm tired of moving" sale. When I signed to do Secure Messaging with Exchange 2000, I asked MS Press for 50 author copies-- 10 is normal. I figured that I'd have lots of copies to send out for review, give to customers, etc. However, I just cleaned up my office and found two boxes of books-- and any day now, UPS is going to bring me my author copies of the Exchange 2003 version. That means that the E2K versions must gooooo!
So, here's the deal: $20 buys you your own brand-new, signed copy; that's $15 less than Amazon. For $25, I won't sign it :) Email paul AT robichaux DOT net if you're interested. Remember, these make great gifts
for Valentine's Day.
Thanks to my friends at Lotus, I've discovered a fun diversion to while away the afternoon. Anyone can play! Here's how:
Update: This works properly now, and Domino Web Access is actually pretty impressive as a web client. I'd really like to see a neutral evaluation of DWA against OWA from the standpoint of an average user's ability to discover and use its features.
Microsoft's Exchange user documentation team has done it again. they just released a 101-page document convering the details of how recovery storage groups work, what you can do with them, and how to use them to speed up disaster recovery. It's available here. The abstract:
Using the recovery storage group feature in Exchange Server 2003, you can mount a second copy of an Exchange mailbox database on the same server as the original database, or on any other Exchange server in the same Exchange administrative group. You can do this while the original database is still running and serving clients. The recovery storage group can also be useful in disaster recovery scenarios. This book provides information on how to determine if a recovery storage group is useful in your deployment, how to set up a recovery storage group, and how to troubleshoot common problems.
Major milestone alert: the Exchange 2003 book is in pages. What that means is that the editors and page layout folks at MS Press have turned the original lightly-formatted Word files (and accompanying screen shots and napkin-drawn line art) into camera-ready pages. Barring any major mishaps, that means that the book's insides are ready to print. The cover's already been designed (see it on Amazon), so that means that with a little luck the book's ready to be printed!
And speaking of pages: I've set up Yet Another Blog, this one focused on the Exchange Cookbook I'm writing with Missy Koslosky and Devin Ganger. Check it out.
Alain Lissoir, who probably knows more about Exchange scripting than anyone I know, has a blog of sorts. It's mostly a list of his publications, but it's still very useful if you want to know how to script Exchange or Windows using WMI, CDOEX, or CDOEXM.
The book is done! (Cue sound of cheering... all coming from my family!) I'm still waiting on the chapter on legal issues to be completed, but since I'm not writing it, I don't count it against my total. Bio, dedication, acknowledgements, and all chapters are in MS Press' hands.
In related news, Amazon finally has a page so you can preorder the book (hint, hint). When time permits, I'll update the sidebar links here to point to both the E2K and E2K3 books.
I'm facing a conundrum. The book must be finished by 12/31. Although I have early access to the Exchange Intelligent Message Filter, if I write about it now it's likely to change before the book hits the shelf; this is obviously bad. What I've decided to do is mention it in the book, limiting myself to talking about what's already been publicly disclosed by MS. Then I'll write some material that describes it in more detail. That material will appear here, either as a bonus chapter for folks who buy the 2003 book or as a separate e-book. That way I can provide fresh material without getting in trouble with the PMs for the IMF or slipping the book any further.
There are twenty chapters and three appendices. The first fifteen chapters (plus two appendices) have been written and submitted; several have already come back for author review. Of the remaining material, there are two new chapters written by contributors (one on archiving by Joshua Konkle of KVS, one on legal issues by Jay Friedman of Piper Rudnick) on the way, one revised chapter, and two new chapters (including one on Outlook Mobile Access/Exchange ActiveSync security issues) that I still have to write. Deadline: 12/31. Wish me luck!
I managed to miss this, but Microsoft Press has a book out on VPN deployment with Windows Server 2003: Deploying Virtual Private Networks with Microsoft Windows Server 2003 Technical Reference. I haven't read it yet, but it was written by two Microsoft PMs (including the guy who owns the network quarantine feature), so I expect it's pretty good. Network quarantine is an interesting feature, but no one seems to really understand how to make it work. I've asked my editors for a courtesy copy and will post a review once it arrives and I read it.
Technically this has nothing to do with security, but it's cool: Snerdware's GroupCal lets you see and share calendar information between Exchange 2000/2003 servers and iCal users. This essentially makes iCal act just like Outlook's native calendar client. I haven't tried it yet, but I'm about to install it on my wife's iMac and we'll see how it works.
From KB 831464:
n Microsoft Windows Server 2003 running Microsoft Internet Information Services (IIS) 6.0, static files that are compressed using gzip may become corrupted and may include content from other files on the Web server. If this behavior occurs, the page that is returned to the client is not rendered correctly. An access violation may also occur.
Translation: if you turn on Gzip compression for use with OWA 2003, your IIS server may get hosed. This patch fixes the problem.
I had a nice meeting with some technical folks from Aelita this morning. Among other things, I learned that they've released a free tool to help automate finding and fixing the CDO heap corruption problem (described in KB article 823343) that can occur when Outlook 2003 clients access mailboxes that are later used by CDO-based utilities or tools.
I've just turned in the first 10 chapters of Secure Messaging with Exchange 2003. That means I'm halfway done. The current milestone date for 100% completion is 12/15, which would put the book on store shelves in late February, just about a year after the first book.
This is what happens when you don't have an appropriate retention policy:
A little browsing and up pops a piece of e-mail from an Enron employee complaining about a mother-in-law: "the most selfish person on Earth." Another contains decades-old photos of former chief executive Jeffrey K. Skilling, sent him by his Beta Theta Pi fraternity brothers. A piece of e-mail written by a woman in Portland, Ore., asks an Enron energy trader, "So ... you were looking for a one night stand after all ...?"
The complete database is here. Don't let this happen to you!
Evan Marcus and Hal Stern wrote the best introductory book on high availability, Blueprints for High Availability, back in 1999. It's an easy-to-read but detailed explanation of how to design and plan HA systems. I just found out today that they have a new second edition, just published. If you care about designing reliable, redundant, or resilient systems, get this book.
While perusing the PVRBlog, I came across an excellent Exchange blog maintained by William Lefkovics, Neil Hobson, and Chris Meirick. It has a ton of good content and is more regularly maintained than my site. It now has pride of place in my RSS aggregator. Keep up the good work, guys!
I haven't been working on the book much lately. The first 9 chapters are done, leaving me with 13 more to either revise or write from scratch (plus one that's being written by a Real Live Attorney). However, I've been so busy with work (including a really cool Exchange planning guide for the MSA series) that I haven't had any spare time to work on it. If you doubt me, consider this: I haven't even turned on the Xbox in two weeks, so you know I must be busy. It now looks like the book will ship sometime after the first of the new year, or about a year after the first version.
I recently needed a new SSL server certificate, and I didn't want to pay the monopolists (wipe that smile off your face, I'm talking about these guys) an exorbitant fee. Instead, I found InstantSSL, where for a paltry $199 I got a three-year 128-bit certificate. Their administration site and ordering process are well-tuned, and I was able to get quick technical support immediately when I ran into a minor snag. If you need a cert (and you will, if you're enabling RPC-over-HTTP or Outlook Mobile Access), give these folks a try.
According to this Slashdot article, the SPEWS real-time block list is no longer operational. A comment-free version of the same basic story is here. The article points to a lot of discussion on news.admin.net-abuse.email, too, which amkes for interesting reading. Osirusoft shut down SPEWS after being the target of an ongoing distributed-denial-of-service (DDos) attack. The manner in which it was shut down caused lots of bounces (including for my friend Bob Thompson and Kent State University, among others). The problem is that when Joe Jared, Osirusoft operator, shut down his service, he did so by telling the server to blacklist every IP address. Sites that rely solely on SPEWS thus dropped all their incoming mail on the floor.
What does this mean to you, the Exchange administrator? As Andy Lester points out, outsourcing your spam protection completely to a third party puts your mail service at the mercy of that third party. Exchange 2003 includes RBL support, and it's a useful adjunct to heuristic or keyword-based filters. However, RBLs themselves don't provide a complete solution, and you should choose your RBL provider carefully to make sure that a) they provide support for their service and b) they have the resources to stick out this kind of attack.
Microsoft maintains a download page with lots of nifty tools for Exchange 2003. For example, the Archive Sink (which I talk about in ch 9 of the new book) is there, as is ExMerge and a utility for programmatically setting the allow/deny IP list on SMTP virtual servers. Check it out-- most of the tools are for Exchange 2000 and 2003, but a few (like MDBVU32) are useful for any version of Exchange.
We interrupt our regular security discussions to bring you this news bulletin: America's health insurance situation sucks. While I can't reform it on my own, I can ask you loyal readers to help find a full-time job for a smart, experienced programmer who just happens to need insurance for his ill son. Brad Choate, legendary MT plugin guy, is even offering a reward: a free Xbox, PS2, or Gamecube. Details here, or Brad's original post here.
I've been thinking about physical security a lot, mostly because I happen to be revising chapter 5. Take a minute right now to look around and see whether your physical security procedures are adequate. Could someone easily walk off with a server? (If someone can steal a DC, they can 0wn you totally, basically forever). Do you have adequate environmental protections-- power conditioning? heating/cooling? fire warning & suppression? I could write on and on about this, but I bet that if you spend a few minutes thinking about your environment you'll see what you need to do to improve it, probably at very low cost. The US Army's Field Manual 3-19.30 has some interesting thoughts that may help you.
This is really cool: as part of the Exchange Server 2003 RTM, Microsoft is passing out 7-day trial OWA accounts. This is a great idea for two reasons: it gives MS a chance to further dogfood OWA in xSP-scale deployments, and it gives those who don't have immediate plans to migrate to Exchange 2003 a taste of what the new OWA looks like. Sign up here.
So, SurfControl has been in place for the last five days. It has a fairly sophisticated set of tools, but with a much more approachable interface than Praetor. I've been using three rules: one screens out malformed MIME messages, one blocks messages with high dictionary scores (according to the spam dictionary that ships with the product), and one blocks messages that are on the collaborative filtering list that SurfControl maintains.
So far, the combination is working reasonably. There are still too many uncaught spams slipping through, largely of the variety that consist only of images (I added a rule for "Please wait while this email loads"; I bet that'll catch a bunch of them). More troubling is the rules service's tendency to abruptly stop processing inbound messages-- so far, I've gotten three or four messages from Microsoft that have choked the rules service. I have a call in to SurfControl tech support, so we'll see how competent they are at diagnosing and fixing the problem.
Update: the problem that caused
MailMarshal SurfControl to choke on inbound messages was quickly identified. They fixed it in a patch, and their tech support was very helpful in answering some questions I had about the way the product worked. (Originally I'd typed "MailMarshal" in the above; to clarify, I haven't had to call MailMarshal support so far.)
SurfControl finally bit the dust; its eval period expired, so I knew it was time to try something else. SurfControl is a decent product; my big complaint was that its "Anti-Spam Agent" (a collaborative filtering tool that requires you to download updates from SurfControl) wasn't catching much. Turns out that was due to SurfControl's failure to allow eval customers to get the updates.
As I type this, MailMarshal SMTP is installing. It has a good reputation, so I'm eager to see how it stacks up against the others I've been testing. In the meantime, I have inbound SMTP queueing up for filtering, so MailMarshal should have a fertile set of messages to start with.
Update: Wow. MailMarshal has caught something like 99.2% of the inbound spam so far. I'm very impressed.
I'm impressed with MailMarshal's efficacy, but its reporting tools don't seem to be as good as the ones in SurfControl (which tells you at a glance how long it's been up, how many messages were flagged as spam, and how many passed through.)
Update: Carrie Ward of NetIQ was kind enough to send me pricing info on MailMarshal:
NetIQ MailMarshal 5.5 SMTP is priced by the number of users in an organization and is available as a small business server license for up to
75 users for $1,295 or as an Enterprise version including a four-server license for $2,000 plus $750 per 100 users.
Here's an interesting article: Foundstone is accused of piracy, being buttheads, and probably mopery on the high seas. Interestingly, the article also claims that Microsoft dropped Foundstone as a vendor shortly after the problems came to light.
This is fascinating. Two folks at Rice's computer science department have written a paper about algorithmic complexity attacks. The basic idea is that an attacker who knows how a program processes input can overwhelm it by choosing patterns of data, or data with specific contents-- not the typical DoS caused by flooding. Here's the abstract:
We present a new class of low-bandwidth denial of service attacks that exploit algorithmic deficiencies in many common applications' data structures. Frequently used data structures have ``average-case'' expected running time that's far more efficient than the worst case. For example, both binary trees and hash tables can degenerate to linked lists with carefully chosen input. We show how an attacker can effectively compute such input, and we demonstrate attacks against the hash table implementations in two versions of Perl, the Squid web proxy, and the Bro intrusion detection system. Using bandwidth less than a typical dialup modem, we can bring a dedicated Bro server to its knees; after six minutes of carefully chosen packets, our Bro server was dropping as much as 71% of its traffic and consuming all of its CPU. We show how modern universal hashing techniques can yield performance comparable to commonplace hash functions while being provably secure against these attacks.
TechEd is just around the corner, and I've been invited to give a security session.
SEC306 Secure Messaging and Communications with Exchange Server
This session delivers the critical information that Exchange administrators, security architects, and messaging designers need to understand to protect their Exchange systems. Protecting your organization from malicious content, and misuse of messaging communications is becoming ever more critical as we depend on our messaging systems to provide anytime, anywhere access from a wide variety of devices. If you are serious about secure messaging and communications, you must attend this session. This session will focus on security updates in Exchange 2003 including relay restrictions, OWA security improvements, authenticated and restricted DLs, improved AV & Anti-spam features, and RPC-over-HTTP. Key security concepts for Exchange 2000 and Exchange 5.5 will also be summarized. Come in, sit down, and hold on tight for this fast-paced and demo-packed presentation.
The next product on my evaluation list is CMS' Praetor. My initial impression is that this is a complex, full-featured product, and it's expensive, too. (The fact that CMS is offering a 30% discount if you're using a competing product helps reduce the sting somewhat.) It supports X- headers for filtering and has a range of quarantine options. However, I'm not crazy about three aspects of the product:
I'm also not too impressed with the documentation; while it is complete, it's formatted using the old "ransom note" style template, and it's a reference. For a product this complex, a task-oriented doc would be much more useful.
MailEssentials has been running for the last week or so. After a little experimentation, I discovered that it wasn't catching spam because I'm an idiot. I hadn't specified any SMTP domains as inbound, so ME was looking for spam sent to *@robichaux.local-- since robichaux.net and 3sharp.com are the domains I use, it wasn't catching anything. After I fixed that, it began behaving as expected. However, its lack of a way to add subject tags to indicate spam means that I have to route all suspected spam to a public folder-- where E2K turns it into an IPM.Post item, so it loses its original addressee information. Redirecting all the spam to a single mailbox works, but that raises the question of how to redirect it; the only way I can see to do it is with a script that adds a spam tag to the subject and redirects the message. That's more trouble than I'm willing to go to for this product. In GFI's favor, their product installs and uninstalls cleanly, it's stable, and it has good documentation. However, it's time to try something else.
UPDATE: GFI support confirms that their product doesn't allow subject rewriting, and they're not likely to add it.
So, I finally decided that the volume of spam on my servers had grown past my ability to tolerate. I decided to hold a spam-off by testing several well-known products and reporting the results here. My critieria are simple if unscientific: whichever product gives the best price/performance/usability ratio wins.
I started with GFI MailEssentials, which has been widely praised in a variety of places. It downloaded and installed easily (great installer), but after three days, it hasn't caught any spam, at least according to its own logs! It doesn't offer a way to quarantine spam into a public folder, and there's no way to mark a message as suspected spam. Other than that, it's great :) I'll post an update after I check with their technical support; I can see that the event sink is working because some messages from hosts on the ORBS RBL have been NDR'd (at least according to the logs).
Hallejulah! Microsoft has released a patch that allows the Exchange System Manager tool to run on Windows XP. As it turns out, getting this done took a lot of work from several product teams at Microsoft. Good for them-- this is a welcome, if overdue, release.
Two more security-related TechNet chats to announce this week:
Sure, you could read my book; if you really wanted the straight scoop, you could buy Shinder's ISA book, which has a wealth of ISA-specific information. You could also read this free article from SecurityFocus to help you get started.
The always-subtle Kim Cameron-Webb came up with "MEC Ed" as the new name for this year's TechEd conference; for the first time, its content is being combined with the MEC of yore. Dallas in June? I'll be there. Sign up now and get a $400 discount.
I've made a couple of minor changes to the site. First, you'll notice that the dorky-looking Amazon blob is gone from the right side bar. No one was clicking on it anyway. Second, there's a new form for signing up for the goodies mailing list-- I've moved from pairlist to Topica's paid publishing service, which means that all y'all will finally have a real interface for subscribing and unsubscribing.
My wife's voice floated down the stairwell, jolting me away from my exciting task of filling out a matrix showing how OCS compares to Exchange. "Honey, the FedEx man left about a dozen packages on the front porch!"
Now, you have to understand that the arrival of the FedEx lady at our house is always a time of celebration. The best times are when she unexpectedly brings some kind of goodie, like a piece of review hardware. Next-best are when she brings something I've been anticipating, like salmon chowder or a copy of iLife. (I'll have to tell y'all about the 50 pounds of candy some other time). When I grabbed the boxes to bring them in, I was greeted by a curious sight on the address label: "AOL Time Warner Book Group".
This worried me; I was briefly afraid that I was the victim of a drive-by AOL CD dropoff. A glance at the side of the box, though, revealed that the boxes contained my author copies of the book! O joy! Sure enough, when I opened the first box, two copies were staring right out at me. That means that my contributing editors and reviewers will be getting copies over the next few days; the rest of you, alas, may have to actually buy it.
Microsoft has two upcoming webcasts that may be of interest to all you Titanium-watchers out there.
The first one, on 2/12 at 1000 PST, covers Exchange 2003 deployment methodologies. The second, on 2/20 at 1000 PST, covers Exchange security. The TechNet chat summary page lets you get reminders, add the chats to your Outlook calendar, or spam your friends with reminders. See you there!
The US Navy has helpfully posted a guide to tamper-resistant seals. What does this have to do with Exchange? Basically nothing. However, it's still cool, and it offers some interesting insight into how high-value assets can be physically protected against tampering. In particular, chapter 2 ("The Theory of Effective Sealing") has a lot of good attitudinal information that's worth reading if you're a computer security person.
MS Press still doesn't have the book's page completely put together, but so what: now I have my own samples. You can see them in the nav bar on the right-hand side of this page, or you can get them here:
All of the files are PDFs. Please feel free to tell your friends about them; however, I'd appreciate it if you tell them to come here instead of just sending them copies. My children are rapidly approaching college age, y'know.
Lots of people subscribe to the idea that keeping security vulnerabilities secret is the best way to deal with them. Dr. Matt Blaze, an eminent cryptography and security researcher, had a few thoughts on that the he shared with Dave Farber's Interesting-People list. I post it here as a cautionary tale.
Last year, I started wondering whether cryptologic approaches might be
useful for the analysis of things that don't use computers.
Mechanical locks seemed like a natural place to start, since they
provided many of the metaphors we used to think about computer
security in the first place.
So I read everything I could get my hands on about locks, which
included most of the available open literature and at least some of
the "closed" literature of that field. Once I understood the basics,
I quickly discovered, or more accurately re-discovered, a simple and
practical rights amplification (or privilege escalation) attack to
which most master-keyed locks are vulnerable. The attack uses access
to a single lock and key to get the master key to the entire system,
and is very easy to perform. For details, see #.
I wrote up the attack, in a paper aimed more at convincing computer
scientists that locks are worth our attention than anything else (I
called it "Rights amplification in master-keyed mechanical locks").
As I pointed out in the paper, surely I could not have been the first
to discover this -- locksmiths, criminals, and college students must
have figured this out long ago. Indeed, several colleagues mentioned
that my paper reminded them of their college days. There is
considerable evidence that similar methods for master key decoding
have been discovered and rediscovered over the years, used illicitly
and passed along as folklore (several people have unearthed Internet
postings dating back as much as 15 years describing how to make master
keys). Curious college students -- and professional burglars -- have
long been able to get their hands on master keys to the places that
But the method does not seem to appear in the literature of locks and
security, and certainly users of master keyed locks did not seem to
know about this risk. I submitted the paper to a journal and
circulated it to colleagues in the security community. Eventually,
the paper reached the attention of a reporter at the New York Times,
who wrote it up in a story on the front page of the business section
The response surprised me. For a few days, my e-mail inbox was full
of angry letters from locksmiths, the majority of which made both the
point that I'm a moron, because everyone knew about this already, as
well as the point that I'm irresponsible, because this method is much
too dangerous to publish. A few managed to also work in a third
point, which is that the method couldn't possible work because
obviously I'm just some egghead who doesn't know anything about locks.
Those letters, with their self-canceling inconsistency, are easy
enough to brush aside, but there seems to be a more serious problem
here, one that has led to a significant real-world vulnerability for
lock users but that is sadly all too familiar to contemporary
observers of computer security.
The existence of this method, and the reaction of the locksmithing
profession to it, strikes me as a classic instance of the complete
failure of the "keep vulnerabilities secret" security model. I'm told
that the industry has known about this vulnerability and chosen to do
nothing -- not even warn their customers -- for over a century.
Instead it was kept secret and passed along as folklore, sometimes
used as a shortcut for recovering lost master keys for paying
customers. If at some point in the last hundred years this method had
been documented properly, surely the threat could have been addressed
and lock customers allowed to make informed decisions about their own
The tragic part is that there are alternatives. There are several
lock designs that turn out to resist this threat, including master
rings and bicentric locks. While these designs aren't perfect, they
resist completely the adaptive oracle attack described in my paper.
It's a pity that stronger alternative designs have been allowed to die
a quiet death in the marketplace while customers, ignorant of the
risks, have spent over a hundred years investing in inferior systems.
Although a few people have confused my reporting of the vulnerability
with causing the vulnerability itself, I can take comfort in a story
that Richard Feynman famously told about his days on the Manhattan
project. Some simple vulnerabilities (and user interface problems)
made it easy to open most of the safes in use at Los Alamos. He
eventually demonstrated the problem to the Army officials in charge.
Horrified, they promised to do something about it. The response? A
memo ordering the staff to keep Feynman away from their safes.
26 January 2003
Mark your calendars; on 10 January at 0830 PST (that's 1630 GMT), Microsoft's scheduled a webcast with Ed Wu, product manager for Exchange 2003, to discuss its new features and cool goodies. There will probably be other such events, especially as we get closer to TechEd 2003. (Note to Microsoft: if you're going to have TechEd in the summer, why hold it in sweltering places like New Orleans and Dallas? how about Minneapolis, San Diego, Toronto, or someplace with more moderate weather?)
Microsoft's released the first public beta of Exchange Server 2003, formerly codenamed Titanium. Exchange 2003 has a ton of new features; my favorites include the ability (when running on Windows .NET Server) to do snapshot backups, and the ability to use signed and encrypted mail with OWA. You can download the Ti bits, or you can order an eval kit with Exchange 2003 beta 2, Windows .NET Server RC2, and Office 11 beta 1 for US$20. The "getting started" guide makes for interesting reading, too.
I had a network account, from a certain large software company, used for my work for them. Due to an administrative snafu, it was disabled and won't be re-enabled until the manager returns after the holidays. I needed a message that had been sent to that account? What to do?
In my case, it was simple: I fired up Outlook 11 and got the message out of my client-side cache. This really isn't a new feature; Outlook's had PST and OST files for a long while. However, Outlook 11's synchronization is seamless and automatic. As an end user, that's great. As an administrator, though, it makes me wonder: what can I do to prevent or restrict the use of cached content? I have a sneaking suspicion that Microsoft has some ideas in this direction, and that we'll be seeing them emerge in future betas of Outlook 11.
If you apply the security templates from Microsoft's Exchange 2000 security operations guide, remember that these templates are additive. You must first apply the correct templates from the W2K security operations guide.
Apart from the twin facts that they're annoying to outsiders and that they can cause mail loops, the BBC reports on a third excellent reason not to use out-of-office messages to the Internet: people will rob your house while you're away.
Well, Valentine's Day, that is. According to Amazon, the book will ship 2/5/03. This is a bit later than I'd hoped, but I suppose I should have written it faster.
If you preorder it now, though, you're assured of getting it when they do.
Microsoft is changing the way they distribute security bulletins. In the past, they've blasted out fairly technical bulletins to all subscribers, including the home users and other non-administrator types who took my advice and signed up for the bulletin service. It's a litte daunting when Mom gets a security bulletin for Exchange 2000!
To make it easier for everyone to find out what's what, their new process is a bit different:
I'm always a little leery of technical editors, because I know how most publishers choose them: they look for someone who a) is breathing and b) can spell the name of the product or technology covered in the book. I'm fortunate that MS Press chose Tony Northrup as their TE for this book; his comments have uniformly been useful (even when I didn't agree with them), and he's caught a bunch of my stupid mistakes before they got out into the wild.
There are a number of volunteer TEs, too, whom I'll be introducing over the coming weeks. In particular, a number of Microsoft PMs have volunteered to review material related to their domain expertise, which is really helping strengthen coverage of some key areas.
I basically have three weeks to finish the book. The first 10 chapters are all done and delivered to Microsoft; 9 of them have already been through author review. A total of six chapters have yet to be written, so I've got my work cut out for me. (Actually, one of those 6-- the one on POP/IMAP security-- is all done but for the chapter summary.)
Indexing, proofreading, and printing usually takes about 12 weeks for most publishers. This is my first MS Press book, so I don't know if they're faster or slower than average. As soon as I have more information on an ETA for the book, I'll post it here (although it's not showing up on Amazon.com yet).
Is this thing on?